AzureActivity

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Tables Index

Reference for AzureActivity table in Azure Monitor Logs.

Attribute	Value
Category	Audit, Azure Resources, Security
Basic Logs Eligible	✗ No
Supports Transformations	✗ No
Ingestion API Supported	✗ No
Lake-Only Ingestion	✗ No (source)
Azure Monitor Tables Reference	View Documentation

Schema
Solutions
Connectors
Content Items
Parsers
Resource Types

Schema (37 columns)

Source: Azure Monitor documentation

Column Name	Type	Description
_BilledSize	real	The record size in bytes
_IsBillable	string	Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account
_ResourceId	string	A unique identifier for the resource that the record is associated with
_SubscriptionId	string	A unique identifier for the subscription that the record is associated with
ActivityStatus	string
ActivityStatusValue	string	Status of the operation in display-friendly format. Common values include Started, In Progress, Succeeded, Failed, Active, Resolved.
ActivitySubstatus	string
ActivitySubstatusValue	string	Substatus of the operation in display-friendly format. E.g. OK (HTTP Status Code: 200).
Authorization	string	Blob of RBAC properties of the event. Usually includes the "action", "role" and "scope" properties. Stored as string. The use of Authorization_d should be preferred going forward.
Authorization_d	dynamic	Blob of RBAC properties of the event. Usually includes the "action", "role" and "scope" properties. Stored as dynamic column.
Caller	string	GUID of the caller.
CallerIpAddress	string	IP address of the user who has performed the operation UPN claim or SPN claim based on availability.
Category	string
CategoryValue	string	Category of the activity log e.g. Administrative, Policy, Security.
Claims	string	The JWT token used by Active Directory to authenticate the user or application to perform this operation in Resource Manager. The use of claims_d should be preferred going forward.
Claims_d	dynamic	The JWT token used by Active Directory to authenticate the user or application to perform this operation in Resource Manager.
CorrelationId	string	Usually a GUID in the string format. Events that share a correlationId belong to the same uber action.
EventDataId	string	Unique identifier of an event.
EventSubmissionTimestamp	datetime	Timestamp when the event became available for querying.
Hierarchy	string	Management group hierarchy of the management group or subscription that event belongs to.
HTTPRequest	string	Blob describing the Http Request. Usually includes the "clientRequestId", "clientIpAddress" and "method" (HTTP method. For example, PUT).
Level	string	Level of the event. One of the following values: Critical, Error, Warning, Informational and Verbose.
OperationId	string	GUID of the operation
OperationName	string
OperationNameValue	string	Identifier of the operation e.g. Microsoft.Storage/storageAccounts/listAccountSas/action.
Properties	string	Set of <Key Value> pairs (i.e. Dictionary) describing the details of the event. Stored as string. Usage of Properties_d is recommended instead.
Properties_d	dynamic	Set of <Key Value> pairs (i.e. Dictionary) describing the details of the event. Stored as dynamic column.
Resource	string
ResourceGroup	string	Resource group name of the impacted resource.
ResourceId	string
ResourceProvider	string
ResourceProviderValue	string	Id of the resource provider for the impacted resource - e.g. Microsoft.Storage.
SourceSystem	string	The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics
SubscriptionId	string	Subscription ID of the impacted resource.
TenantId	string	The Log Analytics workspace ID
TimeGenerated	datetime	Timestamp when the event was generated by the Azure service processing the request corresponding the event.
Type	string	The name of the table

Solutions (19)

This table is used by the following solutions:

Connectors (1)

This table is ingested by the following connectors:

Connector	Selection Criteria
Azure Activity

Content Items Using This Table (53)

Analytic Rules (21)

In solution Apache Log4j Vulnerability Detection:

Analytic Rule	Selection Criteria
Log4j vulnerability exploit aka Log4Shell IP IOC

In solution Azure Activity:

Analytic Rule	Selection Criteria
Azure Machine Learning Write Operations	`OperationNameValue !contains "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE"` `OperationNameValue contains "write"` `ResourceProviderValue == "MICROSOFT.MACHINELEARNINGSERVICES"`
Creation of expensive computes in Azure	`ActivityStatusValue startswith "Accept"` `Properties has "vmSize"`
Mass Cloud resource deletions Time Series Anomaly	`OperationNameValue endswith "delete"`
Microsoft Entra ID Hybrid Health AD FS New Server	`CategoryValue == "Administrative"` `OperationNameValue == "Microsoft.ADHybridHealthService/services/servicemembers/action"` `ResourceProviderValue == "Microsoft.ADHybridHealthService"` `_ResourceId has "AdFederationService"`
Microsoft Entra ID Hybrid Health AD FS Service Delete	`CategoryValue == "Administrative"` `OperationNameValue == "Microsoft.ADHybridHealthService/services/delete"` `ResourceProviderValue == "Microsoft.ADHybridHealthService"` `_ResourceId has "AdFederationService"`
Microsoft Entra ID Hybrid Health AD FS Suspicious Application	`CategoryValue == "Administrative"` `ResourceProviderValue == "Microsoft.ADHybridHealthService"` `_ResourceId has "AdFederationService"`
NRT Creation of expensive computes in Azure	`ActivityStatusValue startswith "Accept"` `Properties has "vmSize"`
NRT Microsoft Entra ID Hybrid Health AD FS New Server	`CategoryValue == "Administrative"` `OperationNameValue == "Microsoft.ADHybridHealthService/services/servicemembers/action"` `ResourceProviderValue == "Microsoft.ADHybridHealthService"` `_ResourceId has "AdFederationService"`
New CloudShell User	`ActivityStatusValue == "Success"` `OperationNameValue in "Microsoft.Storage/storageAccounts/listKeys/action,Microsoft.Storage/storageAccounts/write"` `ResourceGroup has "cloud-shell"`
Rare subscription-level operations in Azure
Subscription moved to another tenant	`CategoryValue == "Security"` `OperationNameValue == "Microsoft.Subscription/updateTenant/action"`
Suspicious Resource deployment
Suspicious granting of permissions to an account
Suspicious number of resource creation or deployment activities

In solution MaturityModelForEventLogManagementM2131: ActivityStatusValue == "Succeeded"
OperationNameValue contains "Microsoft.SecurityInsights/dataConnectors/"

Analytic Rule
M2131_DataConnectorAddedChangedRemoved

In solution SecurityThreatEssentialSolution: OperationNameValue endswith "delete"

Analytic Rule
Threat Essentials - Mass Cloud resource deletions Time Series Anomaly

In solution Threat Intelligence:

Analytic Rule	Selection Criteria
TI Map IP Entity to AzureActivity
TI map Email entity to AzureActivity

In solution Threat Intelligence (NEW):

Analytic Rule	Selection Criteria
TI Map IP Entity to AzureActivity
TI map Email entity to AzureActivity

Hunting Queries (17)

In solution Azure Activity:

Hunting Query	Selection Criteria
Anomalous Azure Operation Hunting Model
Azure Machine Learning Write Operations	`OperationNameValue !contains "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE"` `OperationNameValue contains "write"` `ResourceProviderValue == "MICROSOFT.MACHINELEARNINGSERVICES"`
Azure Network Security Group NSG Administrative Operations	`ActivitySubstatusValue in "Accepted,Created,OK"`
Azure VM Run Command executed from Azure IP address	`Authorization has "virtualMachines"` `OperationNameValue == "Microsoft.Compute/virtualMachines/runCommand/action"`
Azure Virtual Network Subnets Administrative Operations	`ActivitySubstatusValue in "Accepted,Created"` `CategoryValue == "Administrative"`
Azure storage key enumeration	`ActivityStatusValue == "Succeeded"` `OperationNameValue == "microsoft.storage/storageaccounts/listkeys/action"`
AzureActivity Administration From VPS Providers	`CategoryValue == "Administrative"`
Common deployed resources	`ActivityStatusValue == "Succeeded"`
Creation of an anomalous number of resources	`ActivityStatusValue == "Succeeded"` `OperationNameValue in "microsoft.compute/virtualMachines/write,microsoft.resources/deployments/write"`
Granting permissions to account	`ActivityStatus == "Succeeded"` `OperationName == "Create role assignment"`
Microsoft Sentinel Analytics Rules Administrative Operations	`ActivitySubstatusValue in "Created,OK"` `CategoryValue == "Administrative"`
Microsoft Sentinel Connectors Administrative Operations	`ActivitySubstatusValue in "Created,OK"`
Microsoft Sentinel Workbooks Administrative Operations	`ActivitySubstatusValue in "Created,OK"`
Port opened for an Azure Resource	`ActivityStatusValue == "Accepted"` `OperationNameValue endswith "write"` `OperationNameValue has_any "ipfilterrules"`
Rare Custom Script Extension	`OperationName == "Create or Update Virtual Machine Extension"`

In solution Cloud Service Threat Protection Essentials: ActivityStatusValue has_any "Succeeded"
Properties contains "publicipaddress"

Hunting Query
Azure Resources Assigned Public IP Addresses

In solution MicrosoftPurviewInsiderRiskManagement: OperationName contains "delete"
OperationName contains "remove"

Hunting Query
Insider Risk_Possible Sabotage

Workbooks (14)

In solution Azure Activity:

Workbook	Selection Criteria
AzureActivity	`Level in "Error,Informational,Warning"`
AzureServiceHealthWorkbook	`CategoryValue == "ServiceHealth"` `Level in "Error,Information,Warning"`

In solution Azure SQL Database solution for sentinel: ActivityStatusValue == "Succeeded"
Caller has "@"

Workbook
Workbook-AzureSQLSecurity

In solution AzureSecurityBenchmark: ActivityStatusValue in "Succeeded,Success"
OperationNameValue contains "recovery"
OperationNameValue startswith "Microsoft.KeyVault"
OperationNameValue startswith "Microsoft.Logic"

Workbook
AzureSecurityBenchmark

In solution ContinuousDiagnostics&Mitigation:

Workbook	Selection Criteria
ContinuousDiagnostics&Mitigation

In solution CybersecurityMaturityModelCertification(CMMC)2.0: OperationNameValue contains "Insights"

Workbook
CybersecurityMaturityModelCertification_CMMCV2

In solution Lumen Defender Threat Feed:

Workbook	Selection Criteria
Lumen-Threat-Feed-Overview

In solution MaturityModelForEventLogManagementM2131: ActivityStatusValue == "Success"
ActivitySubstatusValue in "Created,OK"
OperationNameValue contains "Microsoft.Network/loadBalancers/"
OperationNameValue contains "Network"
ResourceProviderValue in "MICROSOFT.CONTAINERSERVICE,MICROSOFT.LOGIC"

Workbook
MaturityModelForEventLogManagement_M2131

In solution MicrosoftPurviewInsiderRiskManagement: ActivityStatus in "Accepted,Succeeded"
ActivitySubstatusValue in "Created,OK"

Workbook
InsiderRiskManagement

In solution NISTSP80053: ActivityStatusValue in "Succeeded,Success"
OperationNameValue contains "cluster"
OperationNameValue contains "insights"
OperationNameValue contains "storage"
OperationNameValue startswith "Microsoft.Logic"

Workbook
NISTSP80053

In solution SOC Handbook:

Workbook	Selection Criteria
InvestigationInsights

In solution SOX IT Compliance:

Workbook	Selection Criteria
SOXITCompliance

In solution ThreatAnalysis&Response:

Workbook	Selection Criteria
DynamicThreatModeling&Response

In solution ZeroTrust(TIC3.0): ActivityStatusValue in "Succeeded,Success"
OperationNameValue startswith "Microsoft.Logic"

Workbook
ZeroTrustTIC3

Parsers Using This Table (1)

ASIM Parsers (1) — Selection Criteria: `CategoryValue == "Administrative"`

Parser	Schema	Product
ASimAuditEventAzureActivity	AuditEvent	Microsoft Azure

Resource Types

This table collects data from the following Azure resource types:

microsoft.aad/domainservices
microsoft.azureadgraph/tenants
microsoft.containerservice/managedclusters
microsoft.apimanagement/service
microsoft.appconfiguration/configurationstores
microsoft.network/applicationgateways
microsoft.servicenetworking/trafficcontrollers
microsoft.web/sites
microsoft.kubernetes/connectedclusters
microsoft.toolchainorchestrator/diagnostics
microsoft.attestation/attestationproviders
microsoft.cache/redis
microsoft.cdn/profiles
microsoft.hardwaresecuritymodules/cloudhsmclusters
microsoft.communication/communicationservices
microsoft.documentdb/databaseaccounts
microsoft.datacollaboration/workspaces
microsoft.digitaltwins/digitaltwinsinstances
microsoft.network/dnsresolverpolicies
microsoft.eventgrid/namespaces
microsoft.eventgrid/topics
microsoft.eventhub/namespaces
microsoft.network/azurefirewalls
microsoft.dashboard/grafana
microsoft.keyvault/vaults
microsoft.loadtestservice/loadtests
microsoft.managednetworkfabric/networkdevices
microsoft.documentdb/cassandraclusters
microsoft.documentdb/mongoclusters
microsoft.dashboard/dashboard
microsoft.networkcloud/baremetalmachines
microsoft.networkcloud/clustermanagers
microsoft.networkcloud/clusters
microsoft.networkcloud/storageappliances
microsoft.network/loadbalancers
microsoft.purview/accounts
microsoft.quantum/provideraccounts
microsoft.quantum/workspaces
microsoft.recoveryservices/vaults
microsoft.relay/namespaces
microsoft.servicebus/namespaces
microsoft.sql/servers
microsoft.networkfunction/azuretrafficcollectors
microsoft.network/networkmanagers
microsoft.botservice/botservices
microsoft.chaos/experiments
microsoft.cognitiveservices/accounts
microsoft.connectedcache/cachenodes
microsoft.connectedvehicle/platformaccounts
microsoft.network/networkwatchers/connectionmonitors
microsoft.app/managedenvironments
microsoft.d365customerinsights/instances
microsoft.databricks/workspaces
microsoft.dbformysql/flexibleservers
microsoft.dbforpostgresql/flexibleservers
microsoft.devcenter/devcenters
microsoft.devopsinfrastructure/pools
microsoft.discovery/bookshelves
microsoft.discovery/supercomputers
microsoft.discovery/workspaces
microsoft.durabletask/schedulers
microsoft.experimentation/experimentworkspaces
microsoft.hdinsight/clusters
microsoft.compute/virtualmachines
microsoft.logic/integrationaccounts
microsoft.machinelearningservices/workspaces
microsoft.machinelearningservices/registries
microsoft.media/mediaservices
microsoft.azureplaywrightservice/accounts
microsoft.graph/tenants
microsoft.networkanalytics/dataproducts
microsoft.network/networkvirtualappliances
microsoft.onlineexperimentation/workspaces
microsoft.storage/storageaccounts
microsoft.storagecache/amlfilesytems
microsoft.storagemover/storagemovers
microsoft.synapse/workspaces
microsoft.edge/diagnostics
microsoft.desktopvirtualization/hostpools
microsoft.zerotrustsegmentation/segmentationmanagers
default
subscription
resourcegroup
microsoft.signalrservice/webpubsub
microsoft.insights/components
microsoft.desktopvirtualization/applicationgroups
microsoft.desktopvirtualization/workspaces
microsoft.timeseriesinsights/environments
microsoft.workloadmonitor/monitors
microsoft.analysisservices/servers
microsoft.batch/batchaccounts
microsoft.appplatform/spring
microsoft.signalrservice/signalr
microsoft.containerregistry/registries
microsoft.kusto/clusters
microsoft.blockchain/blockchainmembers
microsoft.eventgrid/domains
microsoft.eventgrid/partnernamespaces
microsoft.eventgrid/partnertopics
microsoft.eventgrid/systemtopics
microsoft.conenctedvmwarevsphere/virtualmachines
microsoft.azurestackhci/virtualmachines
microsoft.scvmm/virtualmachines
microsoft.compute/virtualmachinescalesets
microsoft.hybridcontainerservice/provisionedclusters
microsoft.insights/autoscalesettings
microsoft.devices/iothubs
microsoft.servicefabric/clusters
microsoft.logic/workflows
microsoft.automation/automationaccounts
microsoft.datafactory/factories
microsoft.datalakestore/accounts
microsoft.datalakeanalytics/accounts
microsoft.powerbidedicated/capacities
microsoft.datashare/accounts
microsoft.sql/managedinstances
microsoft.sql/servers/databases
microsoft.dbformysql/servers
microsoft.dbforpostgresql/servers
microsoft.dbforpostgresql/serversv2
microsoft.dbformariadb/servers
microsoft.devices/provisioningservices
microsoft.network/expressroutecircuits
microsoft.network/frontdoors
microsoft.network/networkinterfaces
microsoft.network/networksecuritygroups
microsoft.network/publicipaddresses
microsoft.network/trafficmanagerprofiles
microsoft.network/virtualnetworkgateways
microsoft.network/vpngateways
microsoft.network/virtualnetworks
microsoft.search/searchservices
microsoft.streamanalytics/streamingjobs
microsoft.network/bastionhosts
microsoft.healthcareapis/services

Selection Criteria Summary (32 criteria, 38 total references)

References by type: 0 connectors, 37 content items, 1 ASIM parsers, 0 other parsers.

Selection Criteria	Connectors	Content Items	ASIM Parsers	Other Parsers	Total
`CategoryValue == "Administrative"` `OperationNameValue == "Microsoft.ADHybridHealthService/services/servicemembers/action"` `ResourceProviderValue == "Microsoft.ADHybridHealthService"` `_ResourceId has "AdFederationService"`	-	2	-	-	2
`ActivityStatusValue startswith "Accept"` `Properties has "vmSize"`	-	2	-	-	2
`OperationNameValue !contains "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE"` `OperationNameValue contains "write"` `ResourceProviderValue == "MICROSOFT.MACHINELEARNINGSERVICES"`	-	2	-	-	2
`OperationNameValue endswith "delete"`	-	2	-	-	2
`CategoryValue == "Administrative"`	-	1	1	-	2
`ActivitySubstatusValue in "Created,OK"`	-	2	-	-	2
`CategoryValue == "Administrative"` `OperationNameValue == "Microsoft.ADHybridHealthService/services/delete"` `ResourceProviderValue == "Microsoft.ADHybridHealthService"` `_ResourceId has "AdFederationService"`	-	1	-	-	1
`CategoryValue == "Administrative"` `ResourceProviderValue == "Microsoft.ADHybridHealthService"` `_ResourceId has "AdFederationService"`	-	1	-	-	1
`ActivityStatusValue == "Success"` `OperationNameValue in "Microsoft.Storage/storageAccounts/listKeys/action,Microsoft.Storage/storageAccounts/write"` `ResourceGroup has "cloud-shell"`	-	1	-	-	1
`CategoryValue == "Security"` `OperationNameValue == "Microsoft.Subscription/updateTenant/action"`	-	1	-	-	1
`ActivityStatusValue == "Succeeded"` `OperationNameValue contains "Microsoft.SecurityInsights/dataConnectors/"`	-	1	-	-	1
`ActivitySubstatusValue in "Created,OK"` `CategoryValue == "Administrative"`	-	1	-	-	1
`ActivityStatusValue == "Succeeded"` `OperationNameValue == "microsoft.storage/storageaccounts/listkeys/action"`	-	1	-	-	1
`ActivitySubstatusValue in "Accepted,Created,OK"`	-	1	-	-	1
`Authorization has "virtualMachines"` `OperationNameValue == "Microsoft.Compute/virtualMachines/runCommand/action"`	-	1	-	-	1
`ActivitySubstatusValue in "Accepted,Created"` `CategoryValue == "Administrative"`	-	1	-	-	1
`ActivityStatusValue == "Succeeded"`	-	1	-	-	1
`ActivityStatusValue == "Succeeded"` `OperationNameValue in "microsoft.compute/virtualMachines/write,microsoft.resources/deployments/write"`	-	1	-	-	1
`ActivityStatus == "Succeeded"` `OperationName == "Create role assignment"`	-	1	-	-	1
`ActivityStatusValue == "Accepted"` `OperationNameValue endswith "write"` `OperationNameValue has_any "ipfilterrules"`	-	1	-	-	1
`OperationName == "Create or Update Virtual Machine Extension"`	-	1	-	-	1
`ActivityStatusValue has_any "Succeeded"` `Properties contains "publicipaddress"`	-	1	-	-	1
`OperationName contains "delete"` `OperationName contains "remove"`	-	1	-	-	1
`Level in "Error,Informational,Warning"`	-	1	-	-	1
`CategoryValue == "ServiceHealth"` `Level in "Error,Information,Warning"`	-	1	-	-	1
`ActivityStatusValue == "Succeeded"` `Caller has "@"`	-	1	-	-	1
`ActivityStatusValue in "Succeeded,Success"` `OperationNameValue contains "recovery"` `OperationNameValue startswith "Microsoft.KeyVault"` `OperationNameValue startswith "Microsoft.Logic"`	-	1	-	-	1
`OperationNameValue contains "Insights"`	-	1	-	-	1
`ActivityStatusValue == "Success"` `ActivitySubstatusValue in "Created,OK"` `OperationNameValue contains "Microsoft.Network/loadBalancers/"` `OperationNameValue contains "Network"` `ResourceProviderValue in "MICROSOFT.CONTAINERSERVICE,MICROSOFT.LOGIC"`	-	1	-	-	1
`ActivityStatus in "Accepted,Succeeded"` `ActivitySubstatusValue in "Created,OK"`	-	1	-	-	1
`ActivityStatusValue in "Succeeded,Success"` `OperationNameValue contains "cluster"` `OperationNameValue contains "insights"` `OperationNameValue contains "storage"` `OperationNameValue startswith "Microsoft.Logic"`	-	1	-	-	1
`ActivityStatusValue in "Succeeded,Success"` `OperationNameValue startswith "Microsoft.Logic"`	-	1	-	-	1
Total	0	37	1	0	38

ActivityStatus

Value	Connectors	Content Items	ASIM Parsers	Other Parsers	Total
`Succeeded`	-	2	-	-	2
`Accepted`	-	1	-	-	1

ActivityStatusValue

Value	Connectors	Content Items	ASIM Parsers	Other Parsers	Total
`Succeeded`	-	8	-	-	8
`Success`	-	5	-	-	5
`startswith Accept`	-	2	-	-	2
`Accepted`	-	1	-	-	1
`has_any Succeeded`	-	1	-	-	1

ActivitySubstatusValue

Value	Connectors	Content Items	ASIM Parsers	Other Parsers	Total
`Created`	-	7	-	-	7
`OK`	-	6	-	-	6
`Accepted`	-	2	-	-	2

Authorization

Value	Connectors	Content Items	ASIM Parsers	Other Parsers	Total
`has virtualMachines`	-	1	-	-	1

Caller

Value	Connectors	Content Items	ASIM Parsers	Other Parsers	Total
`has @`	-	1	-	-	1

CategoryValue

Value	Connectors	Content Items	ASIM Parsers	Other Parsers	Total
`Administrative`	-	7	1	-	8
`Security`	-	1	-	-	1
`ServiceHealth`	-	1	-	-	1

Level

Value	Connectors	Content Items	ASIM Parsers	Other Parsers	Total
`Error`	-	2	-	-	2
`Warning`	-	2	-	-	2
`Informational`	-	1	-	-	1
`Information`	-	1	-	-	1

OperationName

Value	Connectors	Content Items	ASIM Parsers	Other Parsers	Total
`Create role assignment`	-	1	-	-	1
`Create or Update Virtual Machine Extension`	-	1	-	-	1
`contains delete`	-	1	-	-	1
`contains remove`	-	1	-	-	1

OperationNameValue

Value	Connectors	Content Items	ASIM Parsers	Other Parsers	Total
`startswith Microsoft.Logic`	-	3	-	-	3
`Microsoft.ADHybridHealthService/services/servicemembers/action`	-	2	-	-	2
`!contains MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE`	-	2	-	-	2
`contains write`	-	2	-	-	2
`endswith delete`	-	2	-	-	2
`Microsoft.ADHybridHealthService/services/delete`	-	1	-	-	1
`Microsoft.Storage/storageAccounts/listKeys/action`	-	1	-	-	1
`Microsoft.Storage/storageAccounts/write`	-	1	-	-	1
`Microsoft.Subscription/updateTenant/action`	-	1	-	-	1
`contains Microsoft.SecurityInsights/dataConnectors/`	-	1	-	-	1
`microsoft.storage/storageaccounts/listkeys/action`	-	1	-	-	1
`Microsoft.Compute/virtualMachines/runCommand/action`	-	1	-	-	1
`microsoft.compute/virtualMachines/write`	-	1	-	-	1
`microsoft.resources/deployments/write`	-	1	-	-	1
`endswith write`	-	1	-	-	1
`has_any ipfilterrules`	-	1	-	-	1
`contains recovery`	-	1	-	-	1
`startswith Microsoft.KeyVault`	-	1	-	-	1
`contains Insights`	-	1	-	-	1
`contains Microsoft.Network/loadBalancers/`	-	1	-	-	1
`contains Network`	-	1	-	-	1
`contains cluster`	-	1	-	-	1
`contains insights`	-	1	-	-	1
`contains storage`	-	1	-	-	1

Properties

Value	Connectors	Content Items	ASIM Parsers	Other Parsers	Total
`has vmSize`	-	2	-	-	2
`contains publicipaddress`	-	1	-	-	1

ResourceGroup

Value	Connectors	Content Items	ASIM Parsers	Other Parsers	Total
`has cloud-shell`	-	1	-	-	1

ResourceProviderValue

Value	Connectors	Content Items	ASIM Parsers	Other Parsers	Total
`Microsoft.ADHybridHealthService`	-	4	-	-	4
`MICROSOFT.MACHINELEARNINGSERVICES`	-	2	-	-	2
`MICROSOFT.CONTAINERSERVICE`	-	1	-	-	1
`MICROSOFT.LOGIC`	-	1	-	-	1

_ResourceId

Value	Connectors	Content Items	ASIM Parsers	Other Parsers	Total
`has AdFederationService`	-	4	-	-	4

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Tables Index

AzureActivity

Contents

Schema (37 columns)

Solutions (19)

Connectors (1)

Content Items Using This Table (53)

Analytic Rules (21)

Hunting Queries (17)

Workbooks (14)

Parsers Using This Table (1)

ASIM Parsers (1) — Selection Criteria: CategoryValue == "Administrative"

Resource Types

Selection Criteria Summary (32 criteria, 38 total references)

ActivityStatus

ActivityStatusValue

ActivitySubstatusValue

Authorization

Caller

CategoryValue

Level

OperationName

OperationNameValue

Properties

ResourceGroup

ResourceProviderValue

_ResourceId

ASIM Parsers (1) — Selection Criteria: `CategoryValue == "Administrative"`