The Azure Activity Log and diagnostic settings provide visibility into what is happening at the infrastructure level — who created or deleted resources, what configuration changes were made, and how the Azure platform itself is behaving. This layer of monitoring is essential for security auditing, compliance, and operational troubleshooting.
The Activity Log records control-plane operations — actions performed against Azure resources through Azure Resource Manager (ARM):
| Category | Examples |
|---|---|
| Administrative | Create VM, delete resource group, assign RBAC role |
| Service Health | Azure service outages and planned maintenance |
| Resource Health | Changes in the health state of your resources |
| Alert | Alert rule activations |
| Autoscale | Scale-up and scale-down events |
| Recommendation | Azure Advisor recommendation changes |
| Security | Microsoft Defender for Cloud alerts |
| Policy | Azure Policy evaluation results |
Each entry contains:
| Field | Description | Example |
|---|---|---|
| Caller | Who performed the operation | user@example.com, service principal |
| OperationName | The ARM operation | Microsoft.Compute/virtualMachines/write |
| Status | Result of the operation | Succeeded, Failed, Started |
| TimeGenerated | When the operation occurred | 2025-03-15T14:30:00Z |
| ResourceGroup | Target resource group | rg-production |
| CorrelationId | Links related operations | GUID |
| Level | Severity level | Informational, Warning, Error, Critical |
The Activity Log retains events for 90 days by default. For longer retention, you must export it to a Log Analytics workspace or storage account.
Exporting to Log Analytics enables KQL queries, alerting, and correlation with other data sources:
```bash
# Create a subscription-level diagnostic setting that exports the Activity Log
# to a Log Analytics workspace, enabling every Activity Log category
az monitor diagnostic-settings create \
  --name "activity-log-to-law" \
  --resource "/subscriptions/<subscription-id>" \
  --workspace "/subscriptions/<sub>/resourceGroups/rg-monitoring/providers/Microsoft.OperationalInsights/workspaces/law-production" \
  --logs '[
    {"category": "Administrative", "enabled": true},
    {"category": "Security", "enabled": true},
    {"category": "ServiceHealth", "enabled": true},
    {"category": "Alert", "enabled": true},
    {"category": "Recommendation", "enabled": true},
    {"category": "Policy", "enabled": true},
    {"category": "Autoscale", "enabled": true},
    {"category": "ResourceHealth", "enabled": true}
  ]'
```
Export to a storage account for long-term archival and compliance:
Stream to Event Hubs for real-time processing:
The Activity Log blade lets you filter by:
Once exported to Log Analytics, you can query the AzureActivity table:
```kusto
// All successful resource deletions in the last 7 days.
// Each ARM operation writes a Start entry and an outcome entry, so filter on
// ActivityStatusValue to see completed deletions only. endswith is
// case-insensitive, so it matches the upper-cased OperationNameValue.
AzureActivity
| where TimeGenerated > ago(7d)
| where OperationNameValue endswith "delete"
| where ActivityStatusValue == "Success"
| project TimeGenerated, Caller, ResourceGroup, OperationNameValue, _ResourceId
| order by TimeGenerated desc
```

```kusto
// RBAC role assignments created or updated in the last 30 days.
// =~ is the case-insensitive equality operator; == would miss the
// upper-cased operation name stored in OperationNameValue.
AzureActivity
| where TimeGenerated > ago(30d)
| where OperationNameValue =~ "Microsoft.Authorization/roleAssignments/write"
| where ActivityStatusValue == "Success"
| project TimeGenerated, Caller, Properties_d
| order by TimeGenerated desc
```

```kusto
// Callers with the most failed operations in the last 24 hours.
// ActivityStatusValue uses "Failure" (the legacy ActivityStatus column uses "Failed").
AzureActivity
| where TimeGenerated > ago(24h)
| where ActivityStatusValue == "Failure"
| summarize FailedOps = count() by Caller
| order by FailedOps desc
| take 10
```
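The three queries above, re-implemented in Python over constructed sample rows so the filtering logic (time window, status, case-insensitive operation name) can be exercised offline. This is an added example, not part of the lesson; the rows are shaped after the AzureActivity columns the queries use, and the fixed `NOW` timestamp is an assumption made so the windows are reproducible.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Fixed "now" so the sample windows are reproducible (assumption for the demo).
NOW = datetime(2025, 3, 15, 14, 30, tzinfo=timezone.utc)

def _row(hours_ago, caller, op, status, rg="rg-production"):
    """Build one constructed AzureActivity-shaped row, hours_ago relative to NOW."""
    return {"TimeGenerated": (NOW - timedelta(hours=hours_ago)).isoformat(),
            "Caller": caller, "OperationNameValue": op,
            "ActivityStatusValue": status, "ResourceGroup": rg}

# Constructed sample rows (not real log data). Note the Start/Success pair for
# the VM deletion: one ARM operation yields several entries, which is why the
# queries filter on ActivityStatusValue.
SAMPLE = [
    _row(2, "alice@example.com", "MICROSOFT.COMPUTE/VIRTUALMACHINES/DELETE", "Start"),
    _row(2, "alice@example.com", "MICROSOFT.COMPUTE/VIRTUALMACHINES/DELETE", "Success"),
    _row(24 * 10, "alice@example.com", "MICROSOFT.COMPUTE/VIRTUALMACHINES/DELETE", "Success"),  # older than 7d
    _row(5, "svc-deploy", "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE", "Success"),
    _row(1, "bob@example.com", "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE", "Failure"),
    _row(3, "bob@example.com", "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE", "Failure"),
    _row(30, "bob@example.com", "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE", "Failure"),  # older than 24h
]

def _in_window(row, window, now=NOW):
    return datetime.fromisoformat(row["TimeGenerated"]) > now - window

def successful_deletes(rows, days=7, now=NOW):
    """Counterpart of the first query: completed deletions in the last N days."""
    return [r for r in rows
            if _in_window(r, timedelta(days=days), now)
            and r["OperationNameValue"].lower().endswith("delete")  # KQL endswith is case-insensitive
            and r["ActivityStatusValue"] == "Success"]

def role_assignment_writes(rows, days=30, now=NOW):
    """Counterpart of the second query: RBAC role assignments created or updated."""
    target = "microsoft.authorization/roleassignments/write"
    return [r for r in rows
            if _in_window(r, timedelta(days=days), now)
            and r["OperationNameValue"].lower() == target  # mirrors KQL =~
            and r["ActivityStatusValue"] == "Success"]

def failed_ops_by_caller(rows, hours=24, top=10, now=NOW):
    """Counterpart of the third query: failure counts per caller, highest first."""
    counts = Counter(r["Caller"] for r in rows
                     if _in_window(r, timedelta(hours=hours), now)
                     and r["ActivityStatusValue"] == "Failure")
    return counts.most_common(top)
```

Running the three functions against `SAMPLE` yields one completed deletion, one role assignment write, and a single caller with two failures; the Start entry and the out-of-window rows are dropped by the same filters the KQL applies.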