{
	"id": "e17a0775-e5af-4100-a872-aa1ae069d253",
	"created_at": "2026-04-06T01:32:05.229941Z",
	"updated_at": "2026-04-10T03:21:27.949914Z",
	"deleted_at": null,
	"sha1_hash": "1350043561a56bdaf0633cc7d2843331c2dd046c",
	"title": "Azure Monitor activity log - Azure Monitor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 112124,
	"plain_text": "Azure Monitor activity log - Azure Monitor\r\nBy bwren\r\nArchived: 2026-04-06 00:10:36 UTC\r\nAzure Monitor activity logs record management operations on your Azure resources. For example, they record\r\noperations like creating a virtual machine, changing a key vault access policy, or Resource Manager deployment\r\nerrors. These management operations are also called control plane operations. Use the activity log to review or\r\naudit this information, or create an alert to be proactively notified when an event occurs.\r\nAzure Monitor collects activity log entries by default with no required configuration. The system generates these\r\nentries, and you can't change or delete them. Entries typically result from changes (create, update, delete\r\noperations) or an action being initiated. The activity log doesn't typically capture read operations. Activity log\r\nentries are usually available for analysis and alerting within 3 to 20 minutes of the event occurring. For a\r\ndescription of activity log categories, see Azure activity log event schema.\r\nNote\r\nAzure resource logs capture data plane operations performed within a resource. For example, these operations\r\ninclude getting a secret from a key vault or making a request to a database. Resource logs aren't collected by\r\ndefault and require a diagnostic setting.\r\nAzure retains activity log events for 90 days and then deletes them. You aren't charged for entries during this time,\r\nregardless of volume. For more functionality, such as longer retention, create a diagnostic setting and route the\r\nentries to another location based on your needs. One of the most common reasons to extend the retention period is\r\nto preserve resource creator information, which is only available in the activity log.\r\nYou can access the activity log from most menus in the Azure portal. The menu that you open it from determines\r\nits initial filter. 
If you open it from the Monitor menu, the only filter is on the subscription. If you open it from a\r\nresource's menu, the filter is set to that resource. You can always change the filter to view all other entries. Select\r\nAdd Filter to add more properties to the filter.\r\nScreenshot that shows the activity log.\r\nYou can also access activity log events by using the following methods:\r\nUse the Get-AzLog cmdlet to retrieve the activity log from PowerShell. See Azure Monitor PowerShell\r\nsamples.\r\nUse az monitor activity-log to retrieve the activity log from the CLI. See Azure Monitor CLI samples.\r\nUse the Azure Monitor REST API to retrieve the activity log from a REST client.\r\nUse the Activity Logs REST API to query activity log events programmatically. Include the $filter parameter,\r\nand it must contain at least an eventTimestamp start value. By default, the activity log retains events for 90 days.\r\nhttps://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs\r\nPage 1 of 7\n\nMake sure both the start and end of your time range fall within that 90-day window unless you configure a longer\r\nretention period.\r\nSupported $filter patterns | Details\r\ndefault subscription with a time range | $filter=eventTimestamp ge '{startTime}' and eventTimestamp le '{endTime}'\r\nresource group | $filter=eventTimestamp ge '{startTime}' and eventTimestamp le '{endTime}' and resourceGroupName eq '{resourceGroupName}'\r\nspecific resource | $filter=eventTimestamp ge '{startTime}' and eventTimestamp le '{endTime}' and resourceUri eq '{resourceURI}'\r\nresource provider | $filter=eventTimestamp ge '{startTime}' and eventTimestamp le '{endTime}' and resourceProvider eq '{resourceProviderName}'\r\ncorrelation ID | $filter=eventTimestamp ge '{startTime}' and eventTimestamp le '{endTime}' and correlationId eq '{correlationID}'\r\nAdd resourceGroupName to the filter to scope results to a specific resource 
group.\r\nAzure CLI\r\nREST API\r\naz rest --method get \\\r\n --uri \"/subscriptions/{subscriptionId}/providers/Microsoft.Insights/eventtypes/management/values?api-version=2\r\nUse the $select parameter to return only specified properties, which reduces the response payload size. The\r\nvalue is a comma-separated list of property names. For more information, see Activity log schema property\r\ndescriptions.\r\nThe Azure CLI is able to dynamically calculate a time range, so the example shows a 30-day window from the\r\ncurrent date.\r\nAzure CLI\r\nREST API\r\nstartDate=$(date -u -d '30 days ago' '+%Y-%m-%dT00:00:00Z')\r\nendDate=$(date -u '+%Y-%m-%dT23:59:59Z')\r\naz rest --method get \\\r\n --uri \"/subscriptions/{subscriptionId}/providers/Microsoft.Insights/eventtypes/management/values?api-version=2\r\nSubscription level events capture events created directly by resource providers. Tenant level and management\r\ngroup level events only capture Azure Resource Manager events in those hierarchies.\r\nThe following example retrieves activity log events for a subscription during a specific time range. The Azure CLI\r\nis able to dynamically calculate the time range, so the example shows a 14-day window from the current date.\r\nAzure CLI\r\nREST API\r\nTo list activity log events, use the az rest Azure CLI command to invoke the Azure Resource Manager REST API:\r\nstartDate=$(date -u -d '14 days ago' '+%Y-%m-%dT00:00:00Z')\r\nendDate=$(date -u '+%Y-%m-%dT23:59:59Z')\r\naz rest --method get \\\r\n --uri \"/subscriptions/{subscriptionId}/providers/Microsoft.Insights/eventtypes/management/values?api-version=2\r\nTenant-level activity logs typically have limited entries but might include important events such as management\r\ngroup or subscription creation. 
These events are separate from subscription-level activity logs, but might contain\r\nduplicate resource management events. Use the Tenant Activity Logs REST API to retrieve tenant-level events.\r\nAzure CLI\r\nREST API\r\nTo list tenant-level activity log events, use the az rest Azure CLI command:\r\naz rest --method get \\\r\n --uri \"/providers/Microsoft.Insights/eventtypes/management/values?api-version=2015-04-01\u0026\\$filter=eventTimesta\r\nManagement group-level activity logs capture events scoped to a specific management group, such as policy\r\nassignments and management group membership changes.\r\nAzure CLI\r\nREST API\r\nTo list management group-level activity log events, use the az rest Azure CLI command:\r\naz rest --method get \\\r\n --uri \"/providers/Microsoft.Management/managementGroups/{managementGroupId}/providers/Microsoft.Insights/event\r\nThe following table describes the parameters used in the preceding examples.\r\nParameter Description\r\n{subscriptionId} The ID of the Azure subscription.\r\n{resourceGroupName} The name of the resource group.\r\n{managementGroupId} The ID of the management group.\r\neventTimestamp ge / le The start and end of the time range in ISO 8601 format. The start date can't\r\nexceed 90 days from the current date unless retention is configured for longer\r\nperiods.\r\nFor some events, you can view the change history, which shows what changes happened during that event time.\r\nSelect an event from the activity log that you want to look at more deeply. Select the Change history tab to view\r\nany changes on the resource up to 30 minutes before and after the time of the operation.\r\nScreenshot that shows the Change history list for an event.\r\nIf any changes are associated with the event, the portal shows you a selectable list of changes. 
Selecting a change\r\nopens the Change history page. This page displays the changes to the resource.\r\nThe following example shows that the VM changed sizes. The page displays the VM size before the change and\r\nafter the change. To learn more about change history, see Get resource changes.\r\nScreenshot that shows the Change history page showing differences.\r\nActivity log insights is a workbook that provides a set of dashboards that monitor the changes to resources and\r\nresource groups in a subscription. The dashboards also present data about which users or services performed\r\nactivities in the subscription and the activities' status.\r\nTo enable activity log insights, export the activity log to a Log Analytics workspace as described in Export activity\r\nlog. This process sends events to the AzureActivity table, which activity log insights uses.\r\nScreenshot that shows activity log insights dashboards.\r\nYou can open activity log insights at the subscription or resource level. For the subscription, select Activity Logs\r\nInsights from the Workbooks section of the Monitor menu.\r\nScreenshot that shows how to locate and open the Activity Logs Insights workbook on a scale level.\r\nFor an individual resource, select Activity Logs Insights from the Workbooks section of the resource's menu.\r\nScreenshot that shows how to locate and open the Activity Logs Insights workbook on a resource level.\r\nCreate a diagnostic setting to send activity log entries to other destinations for extra retention time and\r\nfunctionality.\r\nDiagram showing collection of activity logs, resource logs, and platform metrics.\r\nIn the Azure portal, select Activity log on the Azure Monitor menu and then select Export Activity Logs. 
For\r\nmore information and other methods for creating diagnostic settings, see Diagnostic settings in Azure Monitor.\r\nMake sure you disable any legacy configuration for the activity log.\r\nScreenshot that shows the Azure Monitor menu with Activity log selected and Export activity logs highlighted\r\nin the Monitor-Activity log menu bar.\r\nThe following sections provide details on each configurable destination for resource logs.\r\nLog Analytics workspace\r\nAzure Event Hubs\r\nAzure Storage\r\nSend the activity log to a Log Analytics workspace for the following functionality:\r\nCorrelate activity logs with other log data by using log queries.\r\nCreate log alerts, which can use more complex logic than activity log alerts.\r\nAccess activity log data with Power BI.\r\nRetain activity log data for longer than 90 days.\r\nThere are no data ingestion charges for activity logs. Retention charges for activity logs apply only to the period\r\nextended past the default retention period of 90 days. You can increase the retention period to up to 12 years.\r\nActivity log data in a Log Analytics workspace is stored in a table called AzureActivity. The structure of this table\r\nvaries depending on the category of the log entry.\r\nFor example, to view a count of activity log records for each category, use the following query:\r\nAzureActivity\r\n| summarize count() by CategoryValue\r\nTo retrieve all records in the administrative category, use the following query:\r\nAzureActivity\r\n| where CategoryValue == \"Administrative\"\r\nImportant\r\nIn some scenarios, values in fields of AzureActivity might have different case from otherwise equivalent values.\r\nWhen querying data in AzureActivity , use case-insensitive operators for string comparisons, or use a scalar\r\nfunction to force a field to a uniform casing before any comparisons. 
For example, use the tolower() function on a\r\nfield to force it to always be lowercase or the =~ operator when performing a string comparison.\r\nWhen you create a diagnostic setting for a management group, it exports any events for that management\r\ngroup in addition to all management groups under it in the hierarchy. If multiple management groups in the\r\nhierarchy have diagnostic settings, you receive duplicate events. You only need a diagnostic setting on the highest\r\nlevel management group to capture all events for the hierarchy.\r\nThe management group also collects many of the same events as any subscriptions under it. If the subscription and\r\nmanagement group both have diagnostic settings, you receive duplicate events. Azure Resource Manager includes\r\na hierarchy property when writing events, but it's not a required field. Resource providers outside Azure Resource\r\nManager don't populate it, so their events don't propagate up the hierarchy. Because of this, getting duplicate\r\nevents is better than missing events.\r\nFor example, if you have MG1 which contains MG2 which contains Subscription1, a diagnostic setting on MG1\r\ncaptures all activity log events for MG1, MG2, and many of the events collected by a diagnostic setting on\r\nSubscription1. In this case, no diagnostic setting is needed on MG2 since it would just collect duplicate events.\r\nIf you have duplicate events, combine them by using a query that uses a hash of all fields to identify unique\r\nrecords. 
The following example Kusto query shows a sample for logs collected in a Log Analytics workspace:\r\nAzureActivity\r\n| extend Hash = hash(dynamic_to_json(pack_all()))\r\n| summarize arg_max(TimeGenerated, *) by Hash\r\nSelect Download as CSV to export the activity log to a CSV file in the Azure portal.\r\nScreenshot that shows the Download as CSV button in the Azure portal activity log.\r\nImportant\r\nExporting a large number of log entries can take a long time. To improve performance, reduce the time range of\r\nthe export. In the Azure portal, set the Timespan setting.\r\nYou can also export the activity log to a CSV file by using PowerShell or the Azure CLI, as shown in the\r\nfollowing examples.\r\nAzure CLI\r\nPowerShell\r\naz monitor activity-log list --start-time \"2024-03-01T00:00:00Z\" --end-time \"2024-03-15T23:59:59Z\" --max-items\r\nThe following example PowerShell script exports the activity log to CSV files in one-hour intervals, each saved to\r\na separate file.\r\n# Parameters\r\n$subscriptionId = \"Subscription ID here\" # Replace with your subscription ID\r\n$startTime = [datetime]\"2025-05-08T00:00:00\" # Adjust as needed\r\n$endTime = [datetime]\"2025-05-08T12:00:00\" # Adjust as needed\r\n$outputFolder = \"\\Logs\" # Change path as needed\r\n# Ensure output folder exists\r\nif (-not (Test-Path $outputFolder)) {\r\n New-Item -Path $outputFolder -ItemType Directory\r\n}\r\n \r\n# Set subscription context\r\nSet-AzContext -SubscriptionId $subscriptionId\r\n \r\n# Loop through 1-hour intervals\r\n$currentStart = $startTime\r\nwhile ($currentStart -lt $endTime) {\r\n $currentEnd = $currentStart.AddHours(1)\r\n $timestamp = $currentStart.ToString(\"yyyyMMdd-HHmm\")\r\n $csvFile = Join-Path $outputFolder \"ActivityLog_$timestamp.csv\"\r\n \r\n Write-Host \"Fetching logs from $currentStart to $currentEnd...\"\r\n Get-AzActivityLog -StartTime 
$currentStart -EndTime $currentEnd |\r\n Export-Csv -Path $csvFile -NoTypeInformation\r\n \r\n $currentStart = $currentEnd\r\n}\r\n \r\nWrite-Host \"Export completed. Files saved to $outputFolder.\"\r\nUse the activity log to find out when the system created a resource and who created it. The activity log is the only\r\nplace that stores the creator of a resource. Because the activity log only retains data for 90 days by default, you\r\nmust export the logs to a location that allows you to extend the retention period, like a Log Analytics workspace.\r\nThen find the creator of a resource by querying the AzureActivity table. The data is retained for the duration\r\nyou specified in the retention period for this table.\r\nActivity log event schema\r\nResource logs\r\nDiagnostic settings\r\nSource: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs"
	],
	"report_names": [
		"view-activity-logs"
	],
	"threat_actors": [],
	"ts_created_at": 1775439125,
	"ts_updated_at": 1775791287,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1350043561a56bdaf0633cc7d2843331c2dd046c.pdf",
		"text": "https://archive.orkl.eu/1350043561a56bdaf0633cc7d2843331c2dd046c.txt",
		"img": "https://archive.orkl.eu/1350043561a56bdaf0633cc7d2843331c2dd046c.jpg"
	}
}