How to find list of all resources created in the last month in Azure using KQL and Log analytics?
I want to get a list of all new resources created in my azure subscription in the last month, I have been trying to get it through Log analytics, but I am having problems as to which specific operation I need to pinpoint on for resource creation in Azure. I am confused about what value in the OperationNameValue column should I use in the AzureActivity table.
When I was exploring Azure Monitor and Log analytics, I found that on creating a resource, The OperationNameValue is coming as "Microsoft.Resource/Deployments/Write". Is this the correct OperationNameValue to focus on? Because I cant find the same in the logs when a new storage account was created. Also, in the activity logs, there are some entries where the OperationNameValue is "MICROSOFT.RESOURCES/DEPLOYMENTS/WRITE" and in some entries its "Microsoft.Resource/Deployments/Write". What is the difference between the two?
I'm new to azure with only a few months of experience so I still have quite a few knowledge gaps in this, but I really need to find this out quickly so any insight or help would be greatly appreciated.
Here is the query I have made for reference
AzureActivity
| where TimeGenerated between (startofday(ago(30d)) ..startofday(now()) )
|where OperationNameValue == "MICROSOFT.RESOURCES/DEPLOYMENTS/WRITE"
| parse tolower(\_ResourceId) with "/subscriptions/" subscriptionId "/resourcegroups/"
resourceGroup "/providers/" provider "/" resourceType "/" resourceName
|where ActivityStatusValue == "Success"
|project TimeGenerated,OperationNameValue,ActivityStatusValue,Caller,resourceName,ResourceGroup
|order by TimeGenerated desc
There are some entries where the OperationNameValue is "MICROSOFT.RESOURCES/DEPLOYMENTS/WRITE" and in some entries its "Microsoft.Resource/Deployments/Write". What is the difference between the two?
There is not much difference between two. Due to case sensitivity of few operations while querying the Azure activity logs it may appear as "Microsoft.Resource/Deployments/Write".
I tried the same query as you and it retrieved all the results with the Operation Name value as "MICROSOFT.RESOURCES/DEPLOYMENTS/WRITE".
AzureActivity
|where OperationNameValue == "MICROSOFT.RESOURCES/DEPLOYMENTS/WRITE"
| parse tolower(_ResourceId) with "/subscriptions/" subscriptionId "/resourcegroups/"
resourceGroup "/providers/" provider "/" resourceType "/" resourceName
|where ActivityStatusValue == "Success"
|project TimeGenerated,OperationNameValue,ActivityStatusValue,Caller,resourceName,ResourceGroup
|order by TimeGenerated desc
But to deal with this inconsistent behavior, you can use tolower() to change the operation name to lowercase for comparison to avoid any conflicts.
AzureActivity
|where tolower(OperationNameValue) == "MICROSOFT.RESOURCES/DEPLOYMENTS/WRITE"
| parse tolower(_ResourceId) with "/subscriptions/" subscriptionId "/resourcegroups/"
resourceGroup "/providers/" provider "/" resourceType "/" resourceName
|where ActivityStatusValue == "Success"
|project TimeGenerated,OperationNameValue,ActivityStatusValue,Caller,resourceName,ResourceGroup
|order by TimeGenerated desc
- Azure Service Plan - Convert Consumption App to Premium App
- No PK or FK when exporting SQL Server database
- Assigning a Token Lifetime Policy to an application in Microsoft EntraID seems to have no effect
- How to create a dataset for Azure custom speech using spx (speechCLI)
- Azure App Service Autoscale Fails to Scale In
- Azure Scale Out on Memory keeps flapping (not scaling in)
- Setting a server minimum for Azure Web App when using automatic scaling, from Bicep
- A keyvault created with access policy using BICEP creates compound identity
- Azure Loadbalancer with public IP forward traffic to Container Apps
- How to grant a Managed Identity permissions to an Azure SQL Database using IaC?
- What means skipNegotiation in SignalR HubConnection?
- Azure ClientCertificateCredential - Using SNI
- Azure AI Search MultiIndex / Conditional Semantic search
- MSAL Node service & The Partner Center API
- Load Registered Component in Azure ML for Pipeline using Python sdk v2
- Azure Blob:- How to automate Azure Archive Storage to Cool/Hot tier conversion, send download link once it's avaible , and re-archive after 72 hours?
- Azure App Service Custom Backup to Firewall Enabled Storage Account not working as expected
- How to take max value and replace it in drived column in data factory
- Synapse/ ADF - How to Truncate table if dynamic config column is True in pre-copy script
- Azure Cost Management - track costs associated with Databricks job
- Error: "OrganizationFromTenantGuidNotFound" (even with Microsoft 365 subscription)
- How to check Debug.Writeline() output in VS code?
- C# API - Provide download of files from Azure Blobstorage
- localhost:300/api is not working : "This page isn’t working"
- Creating an Azure Linux VM with Ubuntu 20.04 with Terraform
- Failed to deploy path that does not exist
- Using Azure WAF for my server(not in Azure)
- How and where to define an environment variable on Azure
- Azure Data Factory - Unable to preview data
- Azure yaml trigger pipeline every 14 days on a Saturday