Queries in Azure Activity Log Detections
The Azure Activity Log Detections mod includes 43 queries:
- activity_dashboard_logs_by_actor
- activity_dashboard_logs_by_event
- activity_dashboard_logs_by_resource_group
- activity_dashboard_logs_by_service
- activity_dashboard_logs_by_source_ip
- activity_dashboard_logs_by_subscription
- activity_dashboard_total_logs
- automation_account_runbook_deleted
- compute_disk_deleted
- compute_snapshot_deleted
- compute_vm_role_assignment_created_or_updated
- container_registry_deleted
- event_hub_namespace_deleted
- event_hub_namespace_rule_authorized
- front_door_firewall_policy_deleted
- iam_role_assignment_created_or_updated
- key_vault_access_policy_created_or_updated
- key_vault_deleted
- kubernetes_cluster_deleted
- monitor_diagnostic_setting_deleted
- network_application_gateway_deleted
- network_application_security_group_deleted
- network_dns_zone_deleted
- network_firewall_deleted
- network_firewall_policy_deleted
- network_firewall_rule_created_or_updated
- network_firewall_rule_deleted
- network_security_group_created_or_updated
- network_security_group_deleted
- network_virtual_network_created_or_updated
- network_virtual_network_deleted
- network_vpn_connection_created_or_updated
- network_vpn_connection_deleted
- network_watcher_deleted
- resource_group_deleted
- sql_database_deleted
- sql_database_tde_created_or_updated
- sql_server_deleted
- sql_server_firewall_rule_created_or_updated
- sql_server_role_assignment_created_or_updated
- storage_account_deleted
- storage_account_key_regenerated
- storage_account_lifecycle_policy_updated