Azure Activity Logs
Azure Activity Logs provide a record of operations performed on Azure resources, offering insights into control plane actions such as resource creation, modification, and deletion. These logs include details like the user who initiated the action, the timestamp, and the result of the operation. Azure Activity Logs are crucial for auditing changes, monitoring resource management, and ensuring compliance with organizational governance and security policies.
Ingest Method
Azure activity logs can be ingested either from an Azure storage account (Azure's equivalent of a storage bucket) or pushed to RunReveal using a webhook.
The storage account path is cheaper, but logs can be delayed by up to an hour. The webhook path imports logs as soon as they are generated, but routing them through an event hub can become expensive when log volume is high.
After creating your storage account and the other required resources, you need to set up the activity log to forward to it.
On the Activity Log page in the Azure portal, click the "Export Activity Logs" button.

On the diagnostic settings page, add a new diagnostic setting: give it a name, choose the log categories you wish to include (the Administrative category is the one that carries control-plane create, modify and delete operations), and select "Archive to a storage account", choosing the storage account you created.

Schema
The following columns are exposed for this source. RunReveal applies schema normalization across all sources, ensuring uniform field names and data types for cross-source queries and reusable detection logic.
Table: azure_activity_logs (50 columns)

| Column | Type |
|---|---|
| workspaceID | String |
| sourceID | String |
| sourceType | LowCardinality(String) |
| sourceTTL | UInt32 |
| receivedAt | DateTime |
| id | String |
| eventTime | DateTime |
| eventName | String |
| eventID | String |
| srcIP | String |
| srcASCountryCode | String |
| srcASNumber | UInt32 |
| srcASOrganization | String |
| srcCity | String |
| srcConnectionType | String |
| srcISP | String |
| srcLatitude | Float64 |
| srcLongitude | Float64 |
| srcUserType | String |
| dstIP | String |
| dstASCountryCode | String |
| dstASNumber | UInt32 |
| dstASOrganization | String |
| dstCity | String |
| dstConnectionType | String |
| dstISP | String |
| dstLatitude | Float64 |
| dstLongitude | Float64 |
| dstUserType | String |
| actor | Map(String, String) |
| tags | Map(String, String) |
| resources | Array(String) |
| serviceName | String |
| readOnly | Bool |
| rawLog | String |
| ReleaseVersion | String |
| time | String |
| resourceId | String |
| operationName | String |
| category | String |
| resultType | String |
| resultSignature | String |
| durationMs | String |
| RoleLocation | String |
| callerIpAddress | String |
| correlationId | String |
| identity | String |
| level | String |
| properties | String |
| tenantId | String |
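As an added example (not part of the RunReveal documentation or product), the following detection query runs over the columns above to surface successful control-plane writes that grant access or open network paths, grouped per caller and source IP per hour. It assumes a ClickHouse-style SQL dialect, which the column types (LowCardinality, Map, Array) suggest. The operationName values, the resultType value and the identity claim key are the ones Azure itself emits; the one-hour window and the alert thresholds are illustrative and should be tuned.

```sql
-- Added example, not RunReveal's own code. Dialect assumed: ClickHouse.
-- Goal: privileged Administrative writes (role assignments, role definitions,
-- NSG rules) that succeeded, aggregated per caller identity and source IP.
WITH privileged AS (
    SELECT
        eventTime,
        operationName,
        callerIpAddress,
        srcASCountryCode,
        srcASOrganization,
        resources,
        -- Azure puts the caller's UPN or app name under this claim key in the
        -- raw identity JSON; the normalized actor map may also carry it.
        JSONExtractString(
            identity, 'claims',
            'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'
        ) AS caller
    FROM azure_activity_logs
    WHERE eventTime >= now() - INTERVAL 1 HOUR
      AND category   = 'Administrative'   -- control-plane create/update/delete
      AND resultType = 'Success'          -- drop denied/failed attempts here
      AND operationName IN (
          'Microsoft.Authorization/roleAssignments/write',
          'Microsoft.Authorization/roleDefinitions/write',
          'Microsoft.Network/networkSecurityGroups/write',
          'Microsoft.Network/networkSecurityGroups/securityRules/write'
      )
)
SELECT
    toStartOfHour(eventTime)                                AS hour,
    caller,
    callerIpAddress,
    any(srcASCountryCode)                                   AS country,
    any(srcASOrganization)                                  AS as_org,
    count()                                                 AS writes,
    countIf(operationName LIKE 'Microsoft.Authorization/%') AS role_changes,
    countIf(operationName LIKE 'Microsoft.Network/%')       AS nsg_changes,
    uniqExactArray(resources)                               AS distinct_resources,
    groupUniqArray(operationName)                           AS operations
FROM privileged
GROUP BY hour, caller, callerIpAddress
-- Illustrative thresholds: any role change, or a burst of NSG edits.
HAVING role_changes >= 1 OR nsg_changes >= 3
ORDER BY hour DESC, writes DESC;
```

Two caveats follow from the ingest section above. On the storage account path events can arrive up to an hour after they happened, so a scheduled version of this query should window on receivedAt (or widen the eventTime window) rather than assume eventTime is fresh. And filtering on resultType = 'Success' deliberately hides denied attempts; a caller probing for permissions shows up as a run of resultType = 'Failure' rows for the same operationName values, which is worth a separate query with the filter inverted.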