Acquire the necessary information about the Event Categories in Azure


Event categories in the Azure Activity Log help you classify and understand the types of events captured within the log. These categories define the nature of the recorded operations, making it easier to filter, analyze, and act upon the data. Here’s what you need to know about event categories:

Purpose of Event Categories

Event categories allow you to group and filter activity log entries by the type of activity or operation performed.

They provide insight into specific areas like resource management, compliance, security, and Azure service health.

Types of Event Categories

Azure Activity Logs are divided into the following main categories:

1. Administrative

Definition:

Tracks control-plane operations that manage Azure resources.

Examples:

  1. Creating, updating, or deleting resources.

  2. Assigning roles or updating resource tags.

Use Cases:

  1. Auditing changes to resources.

  2. Monitoring resource management actions by specific users or roles.

2. Service Health

Definition:

Logs events related to the health of Azure services affecting your subscription.

Examples:

  1. Azure service outages or degradations.

  2. Planned maintenance notifications.

Use Cases:

  1. Troubleshooting service-related performance issues.

  2. Keeping stakeholders informed about Azure service impacts.

3. Policy

Definition:

Logs policy-related operations, including evaluations and compliance results.

Examples:

  1. A policy denying a resource creation.

  2. Policy compliance status updates.

Use Cases:

  1. Monitoring Azure Policy compliance.

  2. Investigating why a resource creation was blocked by a policy.

4. Security

Definition:

Captures security-related events, such as role assignments or changes in access permissions.

Examples:

  1. Assigning Azure RBAC roles.

  2. Modifying security rules in a network security group.

Use Cases:

  1. Auditing access control changes.

  2. Enhancing security posture by identifying risky actions.

5. Resource Health

Definition:

Logs events related to the health of individual Azure resources.

Examples:

  1. A virtual machine becoming unavailable.

  2. A resource entering a degraded state.

Use Cases:

  1. Diagnosing resource-level availability issues.

  2. Proactively managing degraded or failed resources.

6. Alert

Definition:

Logs notifications generated by Azure Monitor alerts.

Examples:

  1. Alerts triggered by metrics or activity log events.

  2. Anomaly detection alerts from Application Insights.

Use Cases:

  1. Tracking triggered alerts for critical resources.

  2. Reviewing alert history for patterns or recurring issues.

Viewing and Filtering by Event Categories

  1. In the Azure Portal:

    • Navigate to Monitor > Activity Log.

    • Use the Event Category filter at the top of the page to select one or more categories.

  2. Using Azure CLI:

    • Filter by event category when listing activity logs:

  3. Using Azure PowerShell:

    • Use the Get-AzLog cmdlet to filter logs by category:

  4. Log Analytics Queries:

    • Query exported logs using KQL (Kusto Query Language) to filter by event category:

Use Cases for Event Categories

  1. Administrative: Audit resource creation, modification, or deletion. Track actions performed by specific users or roles.

  2. Service Health: Identify ongoing Azure service disruptions affecting resources. Plan for downtime due to scheduled maintenance.

  3. Policy: Monitor non-compliant resources and enforce organizational policies.

  4. Security: Investigate unauthorized access attempts or privilege escalations.

  5. Resource Health: Proactively manage degraded or unavailable resources.

  6. Alert: Review alert history for operational insights and improvements.

Event Category Integration

  1. Alerts: Configure activity log alerts by targeting specific event categories, such as administrative actions or security events.

  2. Export Options: Export events filtered by category to:

    • Log Analytics for advanced querying.

    • Storage Accounts for long-term archival.

    • Event Hubs for integration with third-party tools like SIEM systems.

  3. Visualization: Use Azure Workbooks or Power BI to create dashboards displaying event trends by category.

Best Practices

  1. Focus on Relevant Categories: For compliance, prioritize Policy and Administrative events. For security, emphasize Security and Alert events.

  2. Combine Categories with Filters: Pair event categories with filters like Time Range, Resource Group, or Caller for deeper insights.

  3. Set Up Alerts: Create alerts for specific event categories to monitor critical actions in real-time.

  4. Export for Long-Term Analysis: Use Log Analytics for trend analysis and combining events across categories.

Limitations

Event categories are limited to control-plane operations; they do not capture data-plane events (e.g., file uploads to storage accounts).

Default retention in the portal is 90 days unless exported for extended storage.

Examples

  1. Track Resource Deletions:

  2. Monitor Policy Violations:

  3. Identify Service Health Issues:
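The KQL filtering described under Log Analytics Queries, carried through for the three examples above. These are added queries against the AzureActivity table in a Log Analytics workspace, not code from the original article; the column names are the table's own, while the 24h/7d look-back windows are assumptions you can adjust.

```kusto
// Added example queries (not from the original article) against the AzureActivity
// table in Log Analytics. Column names (CategoryValue, OperationNameValue,
// ActivityStatusValue, Caller, Properties) are the table's own; the 24h/7d
// look-back windows are assumptions.

// 1. Event volume per category over the last 24 hours: confirms which categories
//    are actually arriving in the workspace before narrower detections are built.
AzureActivity
| where TimeGenerated > ago(24h)
| summarize Events = count() by CategoryValue
| order by Events desc

// 2. Track resource deletions: Administrative control-plane operations whose
//    name ends in "/delete" and that completed successfully, with the caller.
AzureActivity
| where TimeGenerated > ago(7d)
| where CategoryValue == "Administrative"
| where OperationNameValue endswith "/delete"
| where ActivityStatusValue == "Success"
| project TimeGenerated, Caller, CallerIpAddress, OperationNameValue, ResourceGroup, _ResourceId
| order by TimeGenerated desc

// 3. Monitor policy violations: Azure Policy writes a Policy-category event with
//    operation Microsoft.Authorization/policies/deny/action when it blocks a request.
AzureActivity
| where TimeGenerated > ago(7d)
| where CategoryValue == "Policy"
| where OperationNameValue =~ "Microsoft.Authorization/policies/deny/action"
| summarize Denials = count(), LastSeen = max(TimeGenerated) by Caller, ResourceGroup
| order by Denials desc

// 4. Identify service health issues: ServiceHealth events carry the incident
//    details (service, region, incident type, stage, title) in the Properties JSON.
AzureActivity
| where TimeGenerated > ago(7d)
| where CategoryValue == "ServiceHealth"
| extend p = parse_json(Properties)
| project TimeGenerated, Level,
          Service = tostring(p.service), Region = tostring(p.region),
          IncidentType = tostring(p.incidentType), Stage = tostring(p.stage),
          Title = tostring(p.title), TrackingId = tostring(p.trackingId)
| order by TimeGenerated desc
```

Each query stands alone; in the Log Analytics editor, highlight one query and run it. Query 2 is also a natural basis for an activity log alert on the Administrative category, as suggested under Event Category Integration.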

Summary

By understanding and effectively using event categories, you can focus on the events most relevant to your monitoring, troubleshooting, and compliance needs.

Rajnish, MCT
