Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Audit log table tracking all field-level changes to Case Management entities including cases, tasks, comments, attachments, and relations.
Table attributes
| Attribute | Value |
|---|---|
| Resource types | - |
| Categories | Audit |
| Solutions | LogManagement |
| Basic log | Yes |
| Ingestion-time DCR support | No |
| Lake-only ingestion | Yes |
| Sample Queries | Yes |
Columns
| Column | Type | Description |
|---|---|---|
| AadTenantId | string | Azure AD tenant GUID where the change occurred. |
| _BilledSize | real | The record size in bytes |
| EntityCreatedTime | datetime | Original creation timestamp of the entity. |
| EntityId | string | Unique identifier of the changed entity. |
| EntityType | string | Type of entity changed: Case, CaseTask, Comment, Attachment, CaseRelation etc... |
| EventTime | datetime | Timestamp when the change was made in the source system. |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account |
| IsDeleted | bool | Indicates if the entity was deleted. |
| ModifiedBy | string | User principal name (UPN) of the user who made the change. |
| NewValues | dynamic | New value(s) after the change. Null for Delete operations. Can be a simple value or JSON object. |
| OperationName | string | Type of operation: Create, Update, Delete, Link, or Unlink. |
| ParentEntityId | string | Parent entity ID. Null for Case entities, contains Case ID for child entities like CaseTask, Comment, Attachment, etc. |
| PreviousValues | dynamic | Previous value(s) before the change. Null for Create operations. Can be a simple value or JSON object. |
| PropertyNames | dynamic | Property name(s) that changed. |
| RecordId | string | Unique identifier for this audit record. |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| TenantId | string | The Log Analytics workspace ID |
| TimeGenerated | datetime | Timestamp when the record was ingested into Log Analytics. |
| Type | string | The name of the table |