Find SKU of deployed resources in Log Analytics - Azure Activity

0
votes

I have configured the following Kusto query to gather info of Azure deployments in our subscription.

AzureActivity 
| where ResourceProviderValue startswith "Microsoft.resources" 
| where ActivitySubstatusValue contains "Created"

This query will display various information about new deployments across all resource providers. These are the columns that are included when running the query:

TenantId, SourceSystem, CallerIpAddress, CategoryValue, CorrelationId, Authorization, Authorization_d, Claims, Claims_d, Level, OperationNameValue, Properties, Properties_d, Caller, EventDataId, EventSubmissionTimestamp, HTTPRequest, OperationId, ResourceGroup, ResourceProviderValue, ActivityStatusValue, ActivitySubstatusValue, Hierarchy, TimeGenerated, SubscriptionId, OperationName, ActivityStatus, ActivitySubstatus, Category, ResourceId, ResourceProvider, Resource, Type, _ResourceId

however not the SKU of the deployed resource.

I want to monitor the deployed resources in a subscription, including SKU's. Is it possible to include the SKU of deployed resources of all resource providers in a Log Analytics query from Azure Activity logs?

1
azureazure-log-analytics
Could please help us with some insights on what kind of resource provider resources(like key vault, VM's ,Storage ) you want to pull the SKU Names using the log analytics query or Could please help us with explaining some brief what exactly you are looking for ?VenkateshDodda-MT
The query gathers information about deployed resources across all resource providers. What i'm looking for is to include the type of SKU of the deployed resource. When a user would deploy lets say a load balancer, I want to include in the data if it's a basic or standard load balancer. Same goes for disks, compute and various other resource providers.Smeerpijp

1 Answers

1
votes

We have tested this in our local environment , Below analysis are based on our observations.

The Activity log is a platform log in Azure that provides insight into subscription-level events. This includes such information as when a resource is modified or when a virtual machine is started.

Is it possible to include the SKU of deployed resources of all resource providers in a Log Analytics query from Azure Activity logs?

No it is not possible,To validate this we have created a NetworkSecurityGroup & DataDisk in our subscription.

when we are trying to fetch those resources logs using AzureActivity table & applying a filter of ResourceProviderValue == "MICROSOFT.RESOURCES" the actual Names for those resources that are passed by the user while creating are not getting populated as shown below.

enter image description here

Instead of using ResourceProviderValue == "MICROSOFT.RESOURCES" if you use the resource specific resource provider of the resource that you are deploying then you will be able to pull the SKU of that resource.

Here Disk comes under Microsoft.Compute resource provider if we apply some additional filters to the above AzureActivity log we can pull the sku of the particular resource.

enter image description here