Azure: Activity logs

Owned by Marlon Morales
Last updated: Mar 04, 2024
16 min read

Overview

The Azure Monitor activity log is a platform log in Azure that provides insight into subscription-level events.

The activity log includes information like when a resource is modified, or a virtual machine is started and entries in the Activity Log are typically a result of changes (create, update or delete operations) or an action having been initiated.

 

Azure Activity: AzureActivity

Entries from the Azure Activity log that provides insight into any subscription-level or management group level events that have occurred in Azure.

 

Log Structure

{
"tables": [
{
"name": "PrimaryResult",
"columns": [
{
"name": "OperationName",
"type": "string"
},
{
"name": "OperationNameValue",
"type": "string"
},
{
"name": "Level",
"type": "string"
},
{
"name": "ActivityStatus",
"type": "string"
},
{
"name": "ActivityStatusValue",
"type": "string"
},
{
"name": "ActivitySubstatus",
"type": "string"
},
{
"name": "ActivitySubstatusValue",
"type": "string"
},
{
"name": "ResourceGroup",
"type": "string"
},
{
"name": "SubscriptionId",
"type": "string"
},
{
"name": "CorrelationId",
"type": "string"
},
{
"name": "Caller",
"type": "string"
},
{
"name": "CallerIpAddress",
"type": "string"
},
{
"name": "Category",
"type": "string"
},
{
"name": "CategoryValue",
"type": "string"
},
{
"name": "HTTPRequest",
"type": "string"
},
{
"name": "Properties",
"type": "string"
},
{
"name": "EventSubmissionTimestamp",
"type": "datetime"
},
{
"name": "Authorization",
"type": "string"
},
{
"name": "ResourceId",
"type": "string"
},
{
"name": "OperationId",
"type": "string"
},
{
"name": "ResourceProvider",
"type": "string"
},
{
"name": "ResourceProviderValue",
"type": "string"
},
{
"name": "Resource",
"type": "string"
},
{
"name": "EventDataId",
"type": "string"
},
{
"name": "TenantId",
"type": "string"
},
{
"name": "TimeGenerated",
"type": "datetime"
},
{
"name": "SourceSystem",
"type": "string"
},
{
"name": "Authorization_d",
"type": "dynamic"
},
{
"name": "Claims",
"type": "string"
},
{
"name": "Claims_d",
"type": "dynamic"
},
{
"name": "Properties_d",
"type": "dynamic"
},
{
"name": "Hierarchy",
"type": "string"
},
{
"name": "Type",
"type": "string"
},
{
"name": "_ResourceId",
"type": "string"
},
{
"name": "IngestionTime",
"type": "datetime"
},
{
"name": "LogId",
"type": "string"
}
],
"rows": [
[
"",
"MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE",
"Information",
"",
"Start",
"",
"",
"TEST-RESOURCE-GRP",
"658c2909-abec-4f71-8801-65f280edfa33",
"f5ba7bcf-3db9-4835-9ce5-1ab938f9d9bb",
"dummy@testmail.com",
"1.2.3.4",
"",
"Administrative",
"{\"clientIpAddress\":\"1.2.3.4\"}",
"{\r\n \"requestbody\": \"{\\\"properties\\\":{\\\"allowBlobPublicAccess\\\":false,\\\"minimumTlsVersion\\\":\\\"TLS1_1\\\"}}\",\r\n \"eventCategory\": \"Administrative\",\r\n \"entity\": \"/subscriptions/658c2909-abec-4f71-8801-65f280edfa33/resourceGroups/test-resource-grp/providers/Microsoft.Storage/storageAccounts/demostorageaccountsnare\",\r\n \"message\": \"Microsoft.Storage/storageAccounts/write\",\r\n \"hierarchy\": \"658c2909-abec-4f71-8801-65f280edfa33\",\r\n \"caller\": \"dummy@testmail.com\",\r\n \"eventDataId\": \"05455dca-145a-4bba-8359-ab705b2957d5\",\r\n \"eventSubmissionTimestamp\": \"2023-03-23T06:28:51.0915577Z\",\r\n \"httpRequest\": \"{\\\"clientIpAddress\\\":\\\"1.2.3.4\\\"}\",\r\n \"resource\": \"demostorageaccountsnare\",\r\n \"resourceGroup\": \"TEST-RESOURCE-GRP\",\r\n \"resourceProviderValue\": \"MICROSOFT.STORAGE\",\r\n \"subscriptionId\": \"42338A71-59A5-4E21-BEA8-7B0EB361D17C\",\r\n \"activityStatusValue\": \"Start\"\r\n}",
"2023-03-23T06:28:51.0915577Z",
"{\"scope\":\"/subscriptions/658c2909-abec-4f71-8801-65f280edfa33/resourceGroups/test-resource-grp/providers/Microsoft.Storage/storageAccounts/demostorageaccountsnare\",\"action\":\"Microsoft.Storage/storageAccounts/write\",\"evidence\":{\"role\":\"Owner\",\"roleAssignmentScope\":\"/subscriptions/658c2909-abec-4f71-8801-65f280edfa33\",\"roleAssignmentId\":\"fe55814b56b74f258454836743c05ea4\",\"roleDefinitionId\":\"29ea25d75f4f4def9e1dbe9bcb94f6c1\",\"principalId\":\"7068ec0e8c5248d08dd0432d3f971757\",\"principalType\":\"User\"}}",
"",
"",
"",
"MICROSOFT.STORAGE",
"",
"05455dca-145a-4bba-8359-ab705b2957d5",
"676585c2-3a37-4365-8e5e-b6ccb6385b2b",
"2023-03-23T06:28:51.0915577Z",
"Azure",
"{\"scope\":\"/subscriptions/658c2909-abec-4f71-8801-65f280edfa33/resourceGroups/test-resource-grp/providers/Microsoft.Storage/storageAccounts/demostorageaccountsnare\",\"action\":\"Microsoft.Storage/storageAccounts/write\",\"evidence\":{\"role\":\"Owner\",\"roleAssignmentScope\":\"/subscriptions/658c2909-abec-4f71-8801-65f280edfa33\",\"roleAssignmentId\":\"fe55814b56b74f258454836743c05ea4\",\"roleDefinitionId\":\"29ea25d75f4f4def9e1dbe9bcb94f6c1\",\"principalId\":\"7068ec0e8c5248d08dd0432d3f971757\",\"principalType\":\"User\"}}",
"{\"aud\":\"https://management.core.windows.net/\\",\"iss\":\"https://sts.windows.net/e068bbd9-2603-4daa-9568-ed390283e961/\\",\"iat\":\"1679552369\",\"nbf\":\"1679552369\",\"exp\":\"1679557024\",\"http://schemas.microsoft.com/claims/authnclassreference\\":\"1\",\"aio\":\"AVQAq/8TAAAAXiIDyvoEBzWdx4/8l2SD42JidM4hydK4QlXacca+cS/BJ8g6/eZsfEk5G8OB9o6K/PlgjoIKETAaRm9pP+M5yPxxjeWC/JP/b1E2ACIZt5o=\",\"http://schemas.microsoft.com/claims/authnmethodsreferences\\":\"pwd,mfa\",\"appid\":\"0e263dc6-9592-4ff0-b790-c2dd6dbd8ea6\",\"appidacr\":\"2\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname\\":\"User\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname\\":\"Dummy\",\"groups\":\"7b331b6d-1e92-4c0a-87ab-aa933dc0c56e\",\"ipaddr\":\"1.2.3.4\",\"name\":\"Dummy User\",\"http://schemas.microsoft.com/identity/claims/objectidentifier\\":\"a53d02c4-55fc-4888-a3f0-3caa23b7d258\",\"puid\":\"1003200195C77F20\",\"rh\":\"0.AWcAWSaJC0buO0G_zN2Spik7CkZIf3kAutdPukPawfj2MBNnANk.\",\"http://schemas.microsoft.com/identity/claims/scope\\":\"user_impersonation\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier\\":\"MkAFpu3CSOuOIJpm2PbSxjLx2Cxfw9aL7HafN0_YuCk\",\"http://schemas.microsoft.com/identity/claims/tenantid\\":\"e068bbd9-2603-4daa-9568-ed390283e961\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\\":\"dummy@testmail.com\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn\\":\"dummy@testmail.com\",\"uti\":\"Xk8eUNue-UiF6-tCnuJaAA\",\"ver\":\"1.0\",\"wids\":\"c347b157-d392-4094-86e8-b17b71d429dd\",\"xms_tcdt\":\"1539903085\"}",
"{\"aud\":\"https://management.core.windows.net/\\",\"iss\":\"https://sts.windows.net/e068bbd9-2603-4daa-9568-ed390283e961/\\",\"iat\":\"1679552369\",\"nbf\":\"1679552369\",\"exp\":\"1679557024\",\"http://schemas.microsoft.com/claims/authnclassreference\\":\"1\",\"aio\":\"AVQAq/8TAAAAXiIDyvoEBzWdx4/8l2SD42JidM4hydK4QlXacca+cS/BJ8g6/eZsfEk5G8OB9o6K/PlgjoIKETAaRm9pP+M5yPxxjeWC/JP/b1E2ACIZt5o=\",\"http://schemas.microsoft.com/claims/authnmethodsreferences\\":\"pwd,mfa\",\"appid\":\"0e263dc6-9592-4ff0-b790-c2dd6dbd8ea6\",\"appidacr\":\"2\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname\\":\"User\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname\\":\"Dummy\",\"groups\":\"7b331b6d-1e92-4c0a-87ab-aa933dc0c56e\",\"ipaddr\":\"1.2.3.4\",\"name\":\"Dummy User\",\"http://schemas.microsoft.com/identity/claims/objectidentifier\\":\"a53d02c4-55fc-4888-a3f0-3caa23b7d258\",\"puid\":\"1003200195C77F20\",\"rh\":\"0.AWcAWSaJC0buO0G_zN2Spik7CkZIf3kAutdPukPawfj2MBNnANk.\",\"http://schemas.microsoft.com/identity/claims/scope\\":\"user_impersonation\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier\\":\"MkAFpu3CSOuOIJpm2PbSxjLx2Cxfw9aL7HafN0_YuCk\",\"http://schemas.microsoft.com/identity/claims/tenantid\\":\"e068bbd9-2603-4daa-9568-ed390283e961\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\\":\"dummy@testmail.com\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn\\":\"dummy@testmail.com\",\"uti\":\"Xk8eUNue-UiF6-tCnuJaAA\",\"ver\":\"1.0\",\"wids\":\"c347b157-d392-4094-86e8-b17b71d429dd\",\"xms_tcdt\":\"1539903085\"}",
"{\"requestbody\":\"{\\\"properties\\\":{\\\"allowBlobPublicAccess\\\":false,\\\"minimumTlsVersion\\\":\\\"TLS1_1\\\"}}\",\"eventCategory\":\"Administrative\",\"entity\":\"/subscriptions/658c2909-abec-4f71-8801-65f280edfa33/resourceGroups/test-resource-grp/providers/Microsoft.Storage/storageAccounts/demostorageaccountsnare\",\"message\":\"Microsoft.Storage/storageAccounts/write\",\"hierarchy\":\"658c2909-abec-4f71-8801-65f280edfa33\",\"caller\":\"dummy@testmail.com\",\"eventDataId\":\"05455dca-145a-4bba-8359-ab705b2957d5\",\"eventSubmissionTimestamp\":\"2023-03-23T06:28:51.0915577Z\",\"httpRequest\":\"{\\\"clientIpAddress\\\":\\\"1.2.3.4\\\"}\",\"resource\":\"demostorageaccountsnare\",\"resourceGroup\":\"TEST-RESOURCE-GRP\",\"resourceProviderValue\":\"MICROSOFT.STORAGE\",\"subscriptionId\":\"658c2909-abec-4f71-8801-65f280edfa33\",\"activityStatusValue\":\"Start\"}",
"658c2909-abec-4f71-8801-65f280edfa33",
"AzureActivity",
"/subscriptions/658c2909-abec-4f71-8801-65f280edfa33/resourcegroups/test-resource-grp/providers/microsoft.storage/storageaccounts/demostorageaccountsnare",
"2023-03-23T06:35:37.2382401Z",
"3843811f-577e-41bf-a377-db94caff6daf"
]
]
}
]
}

 

Table Fields

Field

Description

Field

Description

TABLE

AzureActivity is a value derived from TYPE’s value.

SYSTEM

Will base its value on CALLERIPADDRESS if not empty; otherwise, it will use the domain value defined in the configuration.

DATE

Based on the extracted date value from CreatedDateTime.

TIME

Based on the extracted time value from CreatedDateTime.

DATETIME

Based on the extracted datetime value from CreatedDateTime and formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.

COLLECTIONDATETIME

Snare Central’s local date and time of the log collection from the API, formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.

ACTIVITYSTATUS

Based on ActivityStatus, this field indicates the Status of the operation in display-friendly format.
If ActivityStatus is empty, will use the value from ActivityStatusValue or Properties.activityStatusValue as its value.

AUTHORIZATION

Based on Authorization, this field indicates the blob of RBAC properties of the event.

CALLER

Based on Caller, this field indicates the GUID of the caller.
If Caller is empty, will use the value from Properties.caller as its value.

CALLERIPADDRESS

Based on CallerIpAddress, this field indicates the IP address of the user who has performed the operation UPN claim or SPN claim based on availability.
If CallerIpAddress is empty, will use the value from Properties.httpRequest.clientIpAddress as its value.

CATEGORY

Based on Category, this field indicates the category of the activity log e.g. Administrative, Policy, Security.
If Category is empty, will use the value from CategoryValue or Properties.eventCategory as its value.

CORRELATIONID

Based on CorrelationId, this field indicates a GUID in the string format.

EVENTDATAID

Based on EventDataId, this field indicates a unique identifier of an event.
If EventDataId is empty, will use the value from Properties.eventDataId as its value.

EVENTSUBMISSIONTIMESTAMP

Based on EventSubmissionTimestamp, this field indicates the timestamp when the event became available for querying.
If EventSubmissionTimestamp is empty, will use the value from Properties.eventSubmissionTimestamp as its value.

INGESTIONTIME

Based on IngestionTime, this field indicates the datetime value specifying the approximate time of ingestion into an Azure table.

LEVEL

Based on Level, this field indicates the level of the event.

LOGID

Based on LogId, this field indicates a unique identifier for the record or log.

OPERATIONID

Based on OperationId, this field indicates a GUID specific for the operation performed.

OPERATIONNAME

Based on OperationName, this field indicates the name and identifier of the operation performed.
If OperationName is empty, will use the value from OperationNameValue or Properties.message as its value.

PROPERTIES

Based on Properties, this field contains set of <Key Value> pairs (i.e. Dictionary) describing the details of the event.

RESOURCE

Based on Resource, this field indicates the name of the resource involved in the operation.
If Resource is empty, will use the value from Properties.resource as its value.

RESOURCEGROUP

Based on ResourceGroup, this field indicates the resource group name of the impacted resource.
If ResourceGroup is empty, will use the value from Properties.resourceGroup as its value.

RESOURCEID

Based on ResourceId, this field indicates a unique identifier for the resource that the record is associated with.
If ResourceId is empty, will use the value from _ResourceId or Properties.entity as its value.

RESOURCEPROVIDER

Based on ResourceProvider, this field indicates the id of the resource provider for the impacted resource.
If ResourceProvider is empty, will use the value from ResourceProviderValue or Properties.resourceProviderValue as its value.

SOURCESYSTEM

Based on SourceSystem, this field indicates the the type of agent the event was collected by, and Azure will be its value.

SUBSCRIPTIONID

Based on SubscriptionId, this field indicates the subscription ID of the impacted resource.
If SubscriptionId is empty, will use the value from Properties.subscriptionId as its value.

TENANTID

Based on TenantId, this field indicates the Log Analytics workspace ID.

TIMEGENERATED

Based on TimeGenerated, this field indicates the timestamp when the event was generated by the Azure service processing the request corresponding the event.

TYPE

Based on Type, this field indicates the name of the table.

WORKSPACEID

A value that was derived from TenantId.

SNAREDATAMAP

All unclassified field(s) parsed from this log type will be pushed into the SNAREDATAMAP in key=value format and separated by newline.

 

Notes

https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log?tabs=powershell

https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity