The Azure Activity log records subscription-level control-plane events: who performed which management operation, on which resource, and when.
Here’s a sample event of NetworkSecurityGroup change: https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log-schema#sample-event
To work out what happened, the field to look at is operationName. Plain read (GET) operations are generally not written to the Activity log, so the operation names you see there usually end with “write”, “delete” or “action”.
It is easy to assume that “action” means “read”. It does not.
Examples:
1. MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTKEYS/ACTION
This event means someone has listed the access keys (or Kerberos keys, if Active Directory is enabled) for the specified storage account. It returns credentials rather than changing the account, which makes it look like a read, but it is not one (see below).
2. MICROSOFT.COMPUTE/VIRTUALMACHINES/RESTART/ACTION
Based on the doc below, this action “deletes a managed cluster”. I wonder if the doc needs an update, because it reads like “restarts a virtual machine” to me. Either way, this is definitely not a read action.
I wonder how I could distinguish between read and non-read actions. One idea is to extract the second-to-last word (the word before “/ACTION”) and classify anything that starts with “READ” or “LIST” as a read action.
But “listKeys” is not a read action, though it sounds like one. In Storage Accounts, “listKeys” is actually a POST request: https://learn.microsoft.com/en-us/rest/api/storagerp/storage-accounts/list-keys?view=rest-storagerp-2023-01-01&tabs=HTTP
The response body contains the account keys, so from a security standpoint it is credential access, not a read, and it deserves its own category in any triage.
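The following is an added example, not code from the original post, showing both the suffix heuristic described above and a hardened variant applied to a handful of constructed Activity log records (reduced to operationName and caller; they are not the sample events from the Microsoft docs). The naive classifier treats any “/action” whose verb starts with read or list as a read and therefore drops listKeys; the hardened one never promotes an action to a read and flags a watchlist of credential-returning verbs. Only listKeys comes from the post; the other watchlist entries (listAccountSas, listServiceSas, listClusterAdminCredential) are assumptions that should be checked against the provider operations in your own tenant. A “/read” record is included just to exercise the suffix logic.

```python
"""Classify Azure Activity log operationName values by their suffix.

Added example; not from the original post. The event records below are
constructed for this example and are not the sample events in the Microsoft docs.
"""
from typing import Callable, Dict, List, Tuple

# Constructed sample events, reduced to the two fields this example uses.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"operationName": "MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTKEYS/ACTION", "caller": "alice@contoso.example"},
    {"operationName": "MICROSOFT.COMPUTE/VIRTUALMACHINES/RESTART/ACTION", "caller": "bob@contoso.example"},
    {"operationName": "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE", "caller": "carol@contoso.example"},
    {"operationName": "Microsoft.Compute/virtualMachines/read", "caller": "dave@contoso.example"},
    {"operationName": "MICROSOFT.RESOURCES/DEPLOYMENTS/DELETE", "caller": "erin@contoso.example"},
]

# Assumption: a watchlist of "/action" verbs that hand back secrets. listKeys is the
# one discussed in the post; the rest are added here as examples of the same pattern
# and should be verified against your tenant's provider operations before use.
CREDENTIAL_VERBS = {"listkeys", "listaccountsas", "listservicesas", "listclusteradmincredential"}


def split_operation(operation_name: str) -> Tuple[str, str]:
    """Return (suffix, verb) from an operationName, lower-cased.

    suffix is the last path segment (read/write/delete/action). verb is the segment
    before it: for "/action" names that is the actual operation (e.g. "listkeys",
    "restart"); for read/write/delete it is just the resource type.
    """
    parts = [p for p in operation_name.lower().split("/") if p]
    if len(parts) < 2:
        raise ValueError(f"unexpected operationName: {operation_name!r}")
    return parts[-1], parts[-2]


def classify_naive(operation_name: str) -> str:
    """The heuristic from the post: an action whose verb starts with read/list is a read."""
    suffix, verb = split_operation(operation_name)
    if suffix in ("read", "write", "delete"):
        return suffix
    if suffix == "action":
        return "read" if verb.startswith(("read", "list")) else "action"
    return "unknown"


def classify(operation_name: str) -> str:
    """Hardened variant: an "/action" is never a read, and credential-returning verbs get their own label."""
    suffix, verb = split_operation(operation_name)
    if suffix in ("read", "write", "delete"):
        return suffix
    if suffix == "action":
        return "credential-access" if verb in CREDENTIAL_VERBS else "action"
    return "unknown"


def non_read_callers(events: List[Dict[str, str]],
                     classifier: Callable[[str], str] = classify) -> Dict[str, List[Tuple[str, str]]]:
    """Map each caller to the non-read operations they performed; reads are dropped from triage."""
    result: Dict[str, List[Tuple[str, str]]] = {}
    for ev in events:
        category = classifier(ev["operationName"])
        if category == "read":
            continue
        result.setdefault(ev["caller"], []).append((ev["operationName"], category))
    return result


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        op = ev["operationName"]
        print(f"{op:<58} naive={classify_naive(op):<7} hardened={classify(op)}")
    print("callers with non-read activity (naive):   ", sorted(non_read_callers(SAMPLE_EVENTS, classify_naive)))
    print("callers with non-read activity (hardened):", sorted(non_read_callers(SAMPLE_EVENTS)))
```

Run as a script, the naive pass silently drops alice's listKeys call from the non-read list, while the hardened pass keeps it under credential-access; that difference is the whole point of not equating “action” with “read”.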