Reference for AzureActivity table in Azure Monitor Logs.
| Attribute | Value |
|---|---|
| Category | Audit, Azure Resources, Security |
| Basic Logs Eligible | ✗ No |
| Ingestion API Supported | ✗ No |
| Azure Monitor Tables Reference | View Documentation |
Source: Azure Monitor documentation
| Column Name | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false, ingestion isn't billed to your Azure account |
| _ResourceId | string | A unique identifier for the resource that the record is associated with |
| _SubscriptionId | string | A unique identifier for the subscription that the record is associated with |
| ActivityStatus | string | |
| ActivityStatusValue | string | Status of the operation in display-friendly format. Common values include Started, In Progress, Succeeded, Failed, Active, Resolved. |
| ActivitySubstatus | string | |
| ActivitySubstatusValue | string | Substatus of the operation in display-friendly format. E.g. OK (HTTP Status Code: 200). |
| Authorization | string | Blob of RBAC properties of the event. Usually includes the "action", "role" and "scope" properties. Stored as string. The use of Authorization_d should be preferred going forward. |
| Authorization_d | dynamic | Blob of RBAC properties of the event. Usually includes the "action", "role" and "scope" properties. Stored as dynamic column. |
| Caller | string | GUID of the caller. |
| CallerIpAddress | string | IP address of the user who performed the operation (UPN claim or SPN claim, based on availability). |
| Category | string | |
| CategoryValue | string | Category of the activity log e.g. Administrative, Policy, Security. |
| Claims | string | The JWT token used by Active Directory to authenticate the user or application to perform this operation in Resource Manager. The use of claims_d should be preferred going forward. |
| Claims_d | dynamic | The JWT token used by Active Directory to authenticate the user or application to perform this operation in Resource Manager. |
| CorrelationId | string | Usually a GUID in the string format. Events that share a correlationId belong to the same uber action. |
| EventDataId | string | Unique identifier of an event. |
| EventSubmissionTimestamp | datetime | Timestamp when the event became available for querying. |
| Hierarchy | string | Management group hierarchy of the management group or subscription that event belongs to. |
| HTTPRequest | string | Blob describing the HTTP request. Usually includes the "clientRequestId", "clientIpAddress" and "method" (HTTP method, for example PUT). |
| Level | string | Level of the event. One of the following values: Critical, Error, Warning, Informational and Verbose. |
| OperationId | string | GUID of the operation |
| OperationName | string | |
| OperationNameValue | string | Identifier of the operation e.g. Microsoft.Storage/storageAccounts/listAccountSas/action. |
| Properties | string | Set of |
| Properties_d | dynamic | Set of |
| Resource | string | |
| ResourceGroup | string | Resource group name of the impacted resource. |
| ResourceId | string | |
| ResourceProvider | string | |
| ResourceProviderValue | string | Id of the resource provider for the impacted resource - e.g. Microsoft.Storage. |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for the Windows agent (either direct connect or Operations Manager), Linux for all Linux agents, or Azure for Azure Diagnostics |
| SubscriptionId | string | Subscription ID of the impacted resource. |
| TenantId | string | The Log Analytics workspace ID |
| TimeGenerated | datetime | Timestamp when the event was generated by the Azure service processing the request corresponding to the event. |
| Type | string | The name of the table |
This table is used by the following solutions:
This table is ingested by the following connectors:
| Connector | Selection Criteria |
|---|---|
| Azure Activity | |
In solution Apache Log4j Vulnerability Detection:
| Analytic Rule | Selection Criteria |
|---|---|
| Log4j vulnerability exploit aka Log4Shell IP IOC | |
In solution Azure Activity:
In solution MaturityModelForEventLogManagementM2131:
| Analytic Rule | Selection Criteria |
|---|---|
| M2131_DataConnectorAddedChangedRemoved | |
In solution SecurityThreatEssentialSolution:
| Analytic Rule | Selection Criteria |
|---|---|
| Threat Essentials - Mass Cloud resource deletions Time Series Anomaly | |
In solution Threat Intelligence:
| Analytic Rule | Selection Criteria |
|---|---|
| TI Map IP Entity to AzureActivity | |
| TI map Email entity to AzureActivity | |
In solution Threat Intelligence (NEW):
| Analytic Rule | Selection Criteria |
|---|---|
| TI Map IP Entity to AzureActivity | |
| TI map Email entity to AzureActivity | |
Standalone Content:
In solution Azure Activity:
In solution Cloud Service Threat Protection Essentials:
| Hunting Query | Selection Criteria |
|---|---|
| Azure Resources Assigned Public IP Addresses | |
In solution MicrosoftPurviewInsiderRiskManagement:
| Hunting Query | Selection Criteria |
|---|---|
| Insider Risk_Possible Sabotage | OperationName contains "delete"; OperationName contains "remove" |
Standalone Content:
| Hunting Query | Selection Criteria |
|---|---|
| Anomalous Resource Creation and related Network Activity | |
| Azure CloudShell Usage | |
| User Granted Access and created resources | OperationName has "Create" |
GitHub Only:
| Hunting Query | Selection Criteria |
|---|---|
| Azure VM Run Command linked with MDE | |
| Storage Account Key Enumeration | |
In solution Azure Activity:
| Workbook | Selection Criteria |
|---|---|
| AzureActivity | |
| AzureServiceHealthWorkbook | |
In solution Azure SQL Database solution for sentinel:
| Workbook | Selection Criteria |
|---|---|
| Workbook-AzureSQLSecurity | |
In solution AzureSecurityBenchmark:
| Workbook | Selection Criteria |
|---|---|
| AzureSecurityBenchmark | |
In solution ContinuousDiagnostics&Mitigation:
| Workbook | Selection Criteria |
|---|---|
| ContinuousDiagnostics&Mitigation | |
In solution CybersecurityMaturityModelCertification(CMMC)2.0:
| Workbook | Selection Criteria |
|---|---|
| CybersecurityMaturityModelCertification_CMMCV2 | |
In solution Lumen Defender Threat Feed:
| Workbook | Selection Criteria |
|---|---|
| Lumen-Threat-Feed-Overview | |
In solution MaturityModelForEventLogManagementM2131:
| Workbook | Selection Criteria |
|---|---|
| MaturityModelForEventLogManagement_M2131 | |
In solution MicrosoftPurviewInsiderRiskManagement:
| Workbook | Selection Criteria |
|---|---|
| InsiderRiskManagement | |
In solution NISTSP80053:
| Workbook | Selection Criteria |
|---|---|
| NISTSP80053 | |
In solution SOC Handbook:
| Workbook | Selection Criteria |
|---|---|
| InvestigationInsights | |
In solution SOX IT Compliance:
| Workbook | Selection Criteria |
|---|---|
| SOXITCompliance | |
In solution ThreatAnalysis&Response:
| Workbook | Selection Criteria |
|---|---|
| DynamicThreatModeling&Response | |
In solution ZeroTrust(TIC3.0):
| Workbook | Selection Criteria |
|---|---|
| ZeroTrustTIC3 | |
GitHub Only:
| Workbook | Selection Criteria |
|---|---|
| AzureActivity | |
| AzureLogCoverage | |
| AzureServiceHealthWorkbook | |
| AzureThreatResearchMatrixWorkbook | OperationName in "Add application,Add conditional access policy,Delete conditional access policy,Invite external user,Redeem external user invite,Update application – Certificatessecrets management,Update conditional access policy"; OperationName in "Add service principal,Add user,Admin deleted security info,Admin registered security info,Admin updated security info,Register device,Unregister device,User changed default security info,User deleted security info,User registered security info"; OperationName has "Add app role assignment to service principal"; OperationName has "Add delegated permission grant"; OperationName has "Consent to application"; OperationName has_any "Update user" |
| CopilotforSecurityMonitoring | |
| DataCollectionHealthMonitoring | |
| Data_Latency_Workbook | ResourceProvider == "Microsoft.HybridCompute" |
| DoDZeroTrustWorkbook | |
| InvestigationInsights | |
| MicrosoftSentinelDeploymentandMigrationTracker | |
| PlaybookHealth | OperationName == "Microsoft.Logic/workflows/workflowRunCompleted"; OperationName has "Create"; OperationName has "Delete"; OperationName has "Disable"; OperationName has "Enable"; OperationName has "set"; OperationName startswith "Microsoft.Logic/workflows/workflowAction"; OperationName startswith "Microsoft.Logic/workflows/workflowRun"; OperationName startswith "Microsoft.Logic/workflows/workflowRunCompleted"; OperationName startswith "Microsoft.Logic/workflows/workflowTrigger" |
| SensitiveOperationsinAzureActivityLogReview | OperationName == "Create or Update Virtual Machine Extension" |
| SentinelWorkspaceReconTools | |
| WorkspaceAuditing | OperationName contains "Create"; OperationName contains "Delete"; OperationName contains "Update" |
| WorkspaceUsage | OperationName !in "Microsoft.SecurityInsights/Incidents/investigations/write,Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action"; ResourceProvider == "Microsoft.SecurityInsights" |
| ZeroTrustStrategyWorkbook | |
| Parser | Schema | Product | Selection Criteria |
|---|---|---|---|
| ASimAuditEventAzureActivity | AuditEvent | Microsoft Azure | |
This table collects data from the following Azure resource types:
- microsoft.aad/domainservices
- microsoft.azureadgraph/tenants
- microsoft.containerservice/managedclusters
- microsoft.apimanagement/service
- microsoft.appconfiguration/configurationstores
- microsoft.network/applicationgateways
- microsoft.servicenetworking/trafficcontrollers
- microsoft.web/sites
- microsoft.kubernetes/connectedclusters
- microsoft.toolchainorchestrator/diagnostics
- microsoft.attestation/attestationproviders
- microsoft.cache/redis
- microsoft.cdn/profiles
- microsoft.hardwaresecuritymodules/cloudhsmclusters
- microsoft.communication/communicationservices
- microsoft.documentdb/databaseaccounts
- microsoft.datacollaboration/workspaces
- microsoft.digitaltwins/digitaltwinsinstances
- microsoft.network/dnsresolverpolicies
- microsoft.eventgrid/namespaces
- microsoft.eventgrid/topics
- microsoft.eventhub/namespaces
- microsoft.network/azurefirewalls
- microsoft.dashboard/grafana
- microsoft.keyvault/vaults
- microsoft.loadtestservice/loadtests
- microsoft.managednetworkfabric/networkdevices
- microsoft.documentdb/cassandraclusters
- microsoft.documentdb/mongoclusters
- microsoft.dashboard/dashboard
- microsoft.networkcloud/baremetalmachines
- microsoft.networkcloud/clustermanagers
- microsoft.networkcloud/clusters
- microsoft.networkcloud/storageappliances
- microsoft.network/loadbalancers
- microsoft.purview/accounts
- microsoft.recoveryservices/vaults
- microsoft.relay/namespaces
- microsoft.servicebus/namespaces
- microsoft.sql/servers
- microsoft.networkfunction/azuretrafficcollectors
- microsoft.network/networkmanagers
- microsoft.botservice/botservices
- microsoft.chaos/experiments
- microsoft.cognitiveservices/accounts
- microsoft.connectedcache/cachenodes
- microsoft.connectedvehicle/platformaccounts
- microsoft.network/networkwatchers/connectionmonitors
- microsoft.app/managedenvironments
- microsoft.d365customerinsights/instances
- microsoft.databricks/workspaces
- microsoft.dbformysql/flexibleservers
- microsoft.dbforpostgresql/flexibleservers
- microsoft.devcenter/devcenters
- microsoft.devopsinfrastructure/pools
- microsoft.durabletask/schedulers
- microsoft.experimentation/experimentworkspaces
- microsoft.hdinsight/clusters
- microsoft.compute/virtualmachines
- microsoft.logic/integrationaccounts
- microsoft.machinelearningservices/workspaces
- microsoft.machinelearningservices/registries
- microsoft.media/mediaservices
- microsoft.azureplaywrightservice/accounts
- microsoft.graph/tenants
- microsoft.networkanalytics/dataproducts
- microsoft.onlineexperimentation/workspaces
- microsoft.storage/storageaccounts
- microsoft.storagecache/amlfilesytems
- microsoft.storagemover/storagemovers
- microsoft.synapse/workspaces
- microsoft.edge/diagnostics
- microsoft.desktopvirtualization/hostpools
- microsoft.zerotrustsegmentation/segmentationmanagers
- defaultsubscriptionresourcegroup
- microsoft.signalrservice/webpubsub
- microsoft.insights/components
- microsoft.desktopvirtualization/applicationgroups
- microsoft.desktopvirtualization/workspaces
- microsoft.timeseriesinsights/environments
- microsoft.workloadmonitor/monitors
- microsoft.analysisservices/servers
- microsoft.batch/batchaccounts
- microsoft.appplatform/spring
- microsoft.signalrservice/signalr
- microsoft.containerregistry/registries
- microsoft.kusto/clusters
- microsoft.blockchain/blockchainmembers
- microsoft.eventgrid/domains
- microsoft.eventgrid/partnernamespaces
- microsoft.eventgrid/partnertopics
- microsoft.eventgrid/systemtopics
- microsoft.conenctedvmwarevsphere/virtualmachines
- microsoft.azurestackhci/virtualmachines
- microsoft.scvmm/virtualmachines
- microsoft.compute/virtualmachinescalesets
- microsoft.hybridcontainerservice/provisionedclusters
- microsoft.insights/autoscalesettings
- microsoft.devices/iothubs
- microsoft.servicefabric/clusters
- microsoft.logic/workflows
- microsoft.automation/automationaccounts
- microsoft.datafactory/factories
- microsoft.datalakestore/accounts
- microsoft.datalakeanalytics/accounts
- microsoft.powerbidedicated/capacities
- microsoft.datashare/accounts
- microsoft.sql/managedinstances
- microsoft.sql/servers/databases
- microsoft.dbformysql/servers
- microsoft.dbforpostgresql/servers
- microsoft.dbforpostgresql/serversv2
- microsoft.dbformariadb/servers
- microsoft.devices/provisioningservices
- microsoft.network/expressroutecircuits
- microsoft.network/frontdoors
- microsoft.network/networkinterfaces
- microsoft.network/networksecuritygroups
- microsoft.network/publicipaddresses
- microsoft.network/trafficmanagerprofiles
- microsoft.network/virtualnetworkgateways
- microsoft.network/vpngateways
- microsoft.network/virtualnetworks
- microsoft.search/searchservices
- microsoft.streamanalytics/streamingjobs
- microsoft.network/bastionhosts
- microsoft.healthcareapis/services

References by type: 0 connectors, 4 content items, 0 ASIM parsers, 0 other parsers.
| Selection Criteria | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| OperationName == "Create role assignment" | - | 1 | - | - | 1 |
| OperationName == "Create or Update Virtual Machine Extension" | - | 1 | - | - | 1 |
| OperationName contains "delete"; OperationName contains "remove" | - | 1 | - | - | 1 |
| OperationName has "Create" | - | 1 | - | - | 1 |
| Total | 0 | 4 | 0 | 0 | 4 |

| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| Create role assignment | - | 1 | - | - | 1 |
| Create or Update Virtual Machine Extension | - | 1 | - | - | 1 |
| contains delete | - | 1 | - | - | 1 |
| contains remove | - | 1 | - | - | 1 |
| has Create | - | 1 | - | - | 1 |