Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
For information on using these queries in the Azure portal, see Log Analytics tutorial. For the REST API, see Query.
Display audit events for account (AccountId = <Guid ID>), with an optional filter by user UPN.
VIAudit
| where AccountId == "<AccountId>" // please fill in the accountId <Guid>
// | where Upn == "<Upn>" // to to filter on a specific user upn, uncomment this line
| limit 100
Render timechart of top 10 users by operations, with an optional account id for filtering.
// Trend of top 10 active Upn's
VIAudit
// | where AccountId == "<AccountId>" // to filter on a specific accountId, uncomment this line
| where TimeGenerated > ago(30d)
| summarize count() by Upn
| top 10 by count_ desc
| project Upn
| join (VIAudit
| where TimeGenerated > ago(30d)
| summarize count() by Upn, bin(TimeGenerated,1d)) on Upn
| project TimeGenerated, Upn, count_
| render timechart
Display audit failed events with an optional account id for filtering.
// Project failures with detailed error message.
VIAudit
// | where AccountId == "<AccountId>" // to filter on a specific accountId, uncomment this line
| where Status == "Failure"
| parse Description with "ErrorType: " ErrorType ". Message: " ErrorMessage ". Trace" *
| project TimeGenerated, OperationName, ErrorMessage, ErrorType, CorrelationId, _ResourceId
Display audit logs of all failed operations attempts, with an optional filter by account id and user UPN.
VIAudit
// | where AccountId == "<AccountId>" // to filter on a specific accountId, uncomment this line
// | where Upn == "<Upn>" // to to filter on a specific user upn, uncomment this line
| where Status == "Failure"
| limit 100