abeylisco
Reputation: 1
Azure KQL Query on Dashboard
KQL query to reveal Azure Activity actions which should include users management activities based on any change performed by a users (create, update &delete) &identify the user by email/profile, tenant ID, subscription, activity logs under a tenant subscription
i got a query but could not identify user which perform a task.
Upvotes: 0
Views: 113
Answers (1)
Jahnavi
Reputation: 7828
Use below KQL query to meet your requirements.
AzureActivity
| where ActivityStatus == "Succeeded"
| where ResourceProvider == "Microsoft.Authorization" and TenantId == "xxxx"
| extend properties = todynamic(tostring(Properties))
| extend tenantID = properties["tenantId"]
| extend subscriptionID = properties["subscriptionId"]
| extend activity = parse_json(properties["activityLogs"])
| project Caller, TenantId
Output:
Upvotes: 0
Related Questions
- Subscription offer, Access to Azure Active Directory, is being deprecated
- Azure log analytics - get logs for all users in global administrator role
- How to check user activity logs from Azure AD
- How can I have multiple Azure user info on a single server?
- How to delete a user from Azure AD B2C using the portal?
- export audit log from azure ad b2c
- Azure authentication for management utility
- How are calls to Azure management API authorized?
- Azure AD User management delegation
- Authenticate users and manage their resources in Microsoft Azure