Enable diagnostic settings

az monitor diagnostic-settings create
--name audit-logs
--resource /subscriptions/{sub}/resourceGroups/{rg}/providers/...
--logs '[{"category":"AuditEvent","enabled":true}]'
--workspace /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.OperationalInsights/workspaces/{workspace}

Activity Log Export

Export activity log to Log Analytics

az monitor diagnostic-settings subscription create
--name activity-log-export
--location global
--logs '[{"category":"Administrative","enabled":true},{"category":"Security","enabled":true}]'
--workspace /subscriptions/.../workspaces/audit-workspace

Log Analytics Queries

// Failed login attempts AuditLogs | where TimeGenerated > ago(24h) | where ResultType != "0" | project TimeGenerated, Identity, ResultDescription, IPAddress

// Administrative changes AzureActivity | where CategoryValue == "Administrative" | where OperationNameValue contains "write" or OperationNameValue contains "delete" | project TimeGenerated, Caller, OperationNameValue, ResourceGroup

Best Practices

Centralize to Log Analytics
Long-term archive to Storage
Configure alerts
Regular query reviews

azure-monitor-audit

Safety Notice

Copy this and send it to your AI assistant to learn

Enable diagnostic settings

Export activity log to Log Analytics

Source Transparency

Related Skills

linux-administration

sops-encryption

linux-hardening

windows-server