For a clearer picture

Part 3 – Azure Activity Logs

Key Information

Activity Log data is retained for 90 days. You can export it, e.g. to Azure Storage, but that starts incurring charges, which breaks our “free” criteria.

Azure Activity Logs record action operations (PUT, POST, DELETE), as listed here.

So, to find out who deleted one of my Azure Application Insights web tests, I filtered on the resource group over the last month with “delete” as part of the operation name.

I can download this data to CSV free of charge, but the two other options listed – Export to Event Hub and Logs (Log Analytics) – will incur charges, so we will park those for a later article.

If you select an entry, the bottom half of the portal shows a more detailed summary, and you can take an extract of the audit entry in JSON format. That gives you more details about the activity, e.g. the IP address from which the delete was issued:

{
    "authorization": {
        "action": "microsoft.insights/webtests/delete",
        "scope": "/subscriptions/**Sub ID**/ai-scomgsm-prod-rg/providers/microsoft.insights/webtests/MyWebTest"
    },
    "caller": "graham@mcinsight.co.uk",
    "channels": "Operation",
    "claims": {
        "aud": "https://management.core.windows.net/",
        "iss": "https://sts.windows.net/** Tenant Id **/",
        "iat": "**",
        "nbf": "**",
        "exp": "**",
        "http://schemas.microsoft.com/claims/authnclassreference": "1",
        "aio": "**",
        "http://schemas.microsoft.com/claims/authnmethodsreferences": "pwd",
        "appid": "**",
        "appidacr": "2",
        "e_exp": "262800",
        "groups": "**",
        "ipaddr": "** IP Address **",
        "name": "** User **",
        "http://schemas.microsoft.com/identity/claims/tenantid": "** Tenant Id **",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "** User **",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "** User **",
        "uti": "JZLmyAWzPkqofdcUdSYCAA",
        "ver": "1.0",
        "wids": "62e90394-69f5-4237-9190-012177145e10"
    },
    "correlationId": "24f963b3-701e-4e71-80ae-6123bc0aba8b",
    "description": "",
    "eventDataId": "fb1f9e5f-39ca-4db4-9410-1d0a247d86d7",
    "eventName": {
        "value": "EndRequest",
        "localizedValue": "End request"
    },
    "category": {
        "value": "Administrative",
        "localizedValue": "Administrative"
    },
    "eventTimestamp": "2018-09-19T19:57:51.6021772Z",
    "id": "/subscriptions/**Sub ID**/resourcegroups/ai-scomgsm-prod-rg/providers/microsoft.insights/webtests/MyWebTest/events/fb1f9e5f-39ca-4db4-9410-1d0a247d86d7/ticks/636729838716021772",
    "level": "Informational",
    "operationId": "3b93f5a5-feb5-4b6d-b16b-5dbef60e4e51",
    "operationName": {
        "value": "microsoft.insights/webtests/delete",
        "localizedValue": "Delete web test"
    },
    "resourceGroupName": "ai-scomgsm-prod-rg",
    "resourceProviderName": {
        "value": "microsoft.insights",
        "localizedValue": "Microsoft Insights"
    },
    "resourceType": {
        "value": "microsoft.insights/webtests",
        "localizedValue": "microsoft.insights/webtests"
    },
    "resourceId": "/subscriptions/**Sub ID**/resourcegroups/ai-scomgsm-prod-rg/providers/microsoft.insights/webtests/MyWebTest",
    "status": {
        "value": "Succeeded",
        "localizedValue": "Succeeded"
    },
    "subStatus": {
        "value": "",
        "localizedValue": ""
    },
    "submissionTimestamp": "2018-09-19T19:58:19.1075243Z",
    "subscriptionId": "**Sub ID**",
    "properties": {
        "statusCode": "OK",
        "serviceRequestId": "29756e97-65ce-436f-b2ec-3f83d31a600a"
    },
    "relatedEvents": []
}

In the middle of the JSON you’ll see "category": "Administrative". There are a variety of different categories available, which are discussed in detail here.
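As an added example (not the author's code), here is a Python function that answers the same “who deleted it?” question offline from a JSON export of Activity Log events: it keeps Administrative operations in one resource group whose operation name ends in /delete and reports the caller, the source IP and the authentication method taken from the token claims. The sample events, the SUB subscription placeholder, and the identities and addresses are constructed.

```python
AMR_CLAIM = "http://schemas.microsoft.com/claims/authnmethodsreferences"

def _event(caller, ip, amr, ts, op, name, status):
    """Constructed event carrying the subset of export fields used below."""
    return {
        "caller": caller,
        "claims": {"ipaddr": ip, AMR_CLAIM: amr},
        "category": {"value": "Administrative"},
        "eventTimestamp": ts,
        "operationName": {"value": op},
        "resourceGroupName": "ai-scomgsm-prod-rg",
        "resourceId": "/subscriptions/SUB/resourcegroups/ai-scomgsm-prod-rg"
                      "/providers/microsoft.insights/webtests/" + name,
        "status": {"value": status},
    }

# Constructed sample: identities, addresses and timestamps are made up.
SAMPLE_EVENTS = [
    _event("alice@example.test", "203.0.113.10", "pwd", "2018-09-19T19:57:51.6021772Z",
           "microsoft.insights/webtests/delete", "MyWebTest", "Succeeded"),
    _event("alice@example.test", "203.0.113.10", "pwd", "2018-09-19T19:55:00.0000000Z",
           "microsoft.insights/webtests/delete", "OtherTest", "Failed"),
    _event("bob@example.test", "198.51.100.7", "pwd,mfa", "2018-09-19T18:00:00.0000000Z",
           "microsoft.insights/webtests/write", "MyWebTest", "Succeeded"),
]

def who_deleted(events, resource_group, succeeded_only=True):
    """Summarise Administrative */delete operations in resource_group,
    newest first: who, from which IP, how they authenticated, on what."""
    rows = []
    for ev in events:
        if ev.get("category", {}).get("value") != "Administrative":
            continue
        if ev.get("resourceGroupName", "").lower() != resource_group.lower():
            continue
        op = ev.get("operationName", {}).get("value", "").lower()
        if not op.endswith("/delete"):
            continue
        status = ev.get("status", {}).get("value")
        if succeeded_only and status != "Succeeded":   # failed attempts are optional
            continue
        claims = ev.get("claims", {})
        rows.append({"when": ev.get("eventTimestamp"), "caller": ev.get("caller"),
                     "ip": claims.get("ipaddr"), "auth": claims.get(AMR_CLAIM),
                     "status": status,
                     "resource": ev.get("resourceId", "").rsplit("/", 1)[-1]})
    return sorted(rows, key=lambda r: r["when"], reverse=True)

if __name__ == "__main__":
    for row in who_deleted(SAMPLE_EVENTS, "ai-scomgsm-prod-rg"):
        print(row)
```

Passing succeeded_only=False also lists failed delete attempts, which are often the more interesting signal when reviewing a resource group's history.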

There is also another in-depth knowledge article here – https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-audit – so I’m not going to go into any more detail at this stage. These are very thorough articles which delve deep into what you can do with the Activity Log data that is available.
