0
# Activity Log Monitoring
1

2
Azure Activity Logs provide subscription-level administrative and operational events. This module enables querying activity logs, managing activity log alert rules, and accessing tenant-level activity logs for comprehensive monitoring of Azure resource operations.
3

4
## Capabilities
5

6
### Activity Log Querying
7

8
Retrieve activity log events with filtering and selection capabilities for subscription-level monitoring.
9

10
```python { .api }
11
def list(filter: str, select: Optional[str] = None, **kwargs: Any) -> ItemPaged[EventData]:
12
    """
13
    Provides the list of records from the activity logs with optional filtering and selection.
14
    
15
    Parameters:
16
    - filter: str - OData filter for activity log events (required)
17
    - select: Optional[str] - OData select clause for specific properties
18
    
19
    Returns:
20
    ItemPaged[EventData] - Paginated collection of activity log events
21
    """
22
```
23

24
### Activity Log Alert Management
25

26
Create and manage alert rules that trigger on specific activity log events and administrative operations.
27

28
```python { .api }
29
def create_or_update(resource_group_name: str, activity_log_alert_name: str, activity_log_alert_rule: ActivityLogAlertResource, **kwargs: Any) -> ActivityLogAlertResource:
30
    """
31
    Create or update an Activity Log Alert rule.
32
    
33
    Parameters:
34
    - resource_group_name: str - Name of the resource group
35
    - activity_log_alert_name: str - Name of the alert rule
36
    - activity_log_alert_rule: ActivityLogAlertResource - Alert rule configuration
37
    
38
    Returns:
39
    ActivityLogAlertResource - The created or updated alert rule
40
    """
41

42
def get(resource_group_name: str, activity_log_alert_name: str, **kwargs: Any) -> ActivityLogAlertResource:
43
    """
44
    Get an Activity Log Alert rule.
45
    
46
    Parameters:
47
    - resource_group_name: str - Name of the resource group
48
    - activity_log_alert_name: str - Name of the alert rule
49
    
50
    Returns:
51
    ActivityLogAlertResource - The alert rule details
52
    """
53

54
def delete(resource_group_name: str, activity_log_alert_name: str, **kwargs: Any) -> None:
55
    """
56
    Delete an Activity Log Alert rule.
57
    
58
    Parameters:
59
    - resource_group_name: str - Name of the resource group
60
    - activity_log_alert_name: str - Name of the alert rule
61
    """
62

63
def update(resource_group_name: str, activity_log_alert_name: str, activity_log_alert_rule_patch: AlertRulePatchObject, **kwargs: Any) -> ActivityLogAlertResource:
64
    """
65
    Update an Activity Log Alert rule.
66
    
67
    Parameters:
68
    - resource_group_name: str - Name of the resource group
69
    - activity_log_alert_name: str - Name of the alert rule
70
    - activity_log_alert_rule_patch: AlertRulePatchObject - Properties to update
71
    
72
    Returns:
73
    ActivityLogAlertResource - The updated alert rule
74
    """
75
```
76

77
### Activity Log Alert Listing
78

79
List activity log alert rules within subscriptions and resource groups.
80

81
```python { .api }
82
def list_by_subscription_id(**kwargs: Any) -> ItemPaged[ActivityLogAlertResource]:
83
    """
84
    Get a list of all Activity Log Alert rules in a subscription.
85
    
86
    Returns:
87
    ItemPaged[ActivityLogAlertResource] - Paginated list of alert rules
88
    """
89

90
def list_by_resource_group(resource_group_name: str, **kwargs: Any) -> ItemPaged[ActivityLogAlertResource]:
91
    """
92
    Get a list of all Activity Log Alert rules in a resource group.
93
    
94
    Parameters:
95
    - resource_group_name: str - Name of the resource group
96
    
97
    Returns:
98
    ItemPaged[ActivityLogAlertResource] - Paginated list of alert rules
99
    """
100
```
101

102
### Tenant Activity Logs
103

104
Access tenant-level activity logs for organization-wide administrative operations.
105

106
```python { .api }
107
def list(filter: Optional[str] = None, select: Optional[str] = None, **kwargs: Any) -> ItemPaged[EventData]:
108
    """
109
    Gets the Activity Logs for the Tenant with optional OData filter.
110
    
111
    Parameters:
112
    - filter: Optional[str] - OData filter for tenant activity log events
113
    - select: Optional[str] - OData select clause for specific properties
114
    
115
    Returns:
116
    ItemPaged[EventData] - Paginated collection of tenant activity log events
117
    """
118
```
119

120
### Event Categories
121

122
Retrieve available event categories for activity log filtering.
123

124
```python { .api }
125
def list(**kwargs: Any) -> ItemPaged[LocalizableString]:
126
    """
127
    Get the list of available event categories supported in the Activity Logs Service.
128
    
129
    Returns:
130
    ItemPaged[LocalizableString] - Available event categories
131
    """
132
```
133

134
### Alert Rule Incidents
135

136
Manage and retrieve incidents for classic alert rules. Incidents represent the activation status of alert rules.
137

138
```python { .api }
139
def get(resource_group_name: str, rule_name: str, incident_name: str, **kwargs: Any) -> Incident:
140
    """
141
    Gets an incident associated to an alert rule.
142
    
143
    Parameters:
144
    - resource_group_name: str - Name of the resource group
145
    - rule_name: str - Name of the alert rule
146
    - incident_name: str - Name of the incident to retrieve
147
    
148
    Returns:
149
    Incident - The incident details
150
    """
151

152
def list_by_alert_rule(resource_group_name: str, rule_name: str, **kwargs: Any) -> ItemPaged[Incident]:
153
    """
154
    Gets a list of incidents associated to an alert rule.
155
    
156
    Parameters:
157
    - resource_group_name: str - Name of the resource group
158
    - rule_name: str - Name of the alert rule
159
    
160
    Returns:
161
    ItemPaged[Incident] - Paginated list of incidents for the alert rule
162
    """
163
```
164

165
## Usage Examples
166

167
### Querying Activity Logs
168

169
```python
170
from datetime import datetime, timedelta
171

172
# Query activity logs for the last 24 hours
173
end_time = datetime.utcnow()
174
start_time = end_time - timedelta(days=1)
175

176
filter_expression = f"eventTimestamp ge '{start_time.isoformat()}Z' and eventTimestamp le '{end_time.isoformat()}Z'"
177

178
activity_events = client.activity_logs.list(
179
    filter=filter_expression,
180
    select="eventName,operationName,resourceGroupName,status"
181
)
182

183
for event in activity_events:
184
    print(f"Operation: {event.operation_name}, Status: {event.status}")
185
```
186

187
### Creating Activity Log Alert
188

189
```python
190
from azure.mgmt.monitor.models import (
191
    ActivityLogAlertResource, AlertRuleAllOfCondition, 
192
    AlertRuleAnyOfOrLeafCondition, AlertRuleLeafCondition
193
)
194

195
# Define alert conditions for VM deletion
196
conditions = AlertRuleAllOfCondition(
197
    all_of=[
198
        AlertRuleLeafCondition(
199
            field="category",
200
            equals="Administrative"
201
        ),
202
        AlertRuleLeafCondition(
203
            field="operationName", 
204
            equals="Microsoft.Compute/virtualMachines/delete"
205
        )
206
    ]
207
)
208

209
# Create activity log alert
210
alert_rule = ActivityLogAlertResource(
211
    location="global",
212
    scopes=[f"/subscriptions/{subscription_id}"],
213
    condition=conditions,
214
    actions={
215
        "action_groups": [f"/subscriptions/{subscription_id}/resourceGroups/monitoring-rg/providers/microsoft.insights/actionGroups/admin-alerts"]
216
    },
217
    enabled=True,
218
    description="Alert when VMs are deleted"
219
)
220

221
result = client.activity_log_alerts.create_or_update(
222
    resource_group_name="monitoring-rg",
223
    activity_log_alert_name="vm-deletion-alert",
224
    activity_log_alert_rule=alert_rule
225
)
226
```
227

228
### Filtering by Resource Group and Operation
229

230
```python
231
# Query for specific resource operations
232
resource_group = "production-rg"
233
filter_expression = f"resourceGroupName eq '{resource_group}' and operationName.value eq 'Microsoft.Compute/virtualMachines/write'"
234

235
events = client.activity_logs.list(filter=filter_expression)
236

237
for event in events:
238
    print(f"Resource: {event.resource_id}, Time: {event.event_timestamp}")
239
```
240

241
## Types
242

243
```python { .api }
244
class EventData:
245
    """Activity log event data."""
246
    authorization: Optional[SenderAuthorization]  # Authorization information
247
    caller: Optional[str]  # Caller identity
248
    category: Optional[LocalizableString]  # Event category
249
    correlation_id: Optional[str]  # Correlation identifier
250
    description: Optional[str]  # Event description
251
    event_data_id: Optional[str]  # Event data identifier
252
    event_name: Optional[LocalizableString]  # Event name
253
    event_timestamp: Optional[datetime]  # Event timestamp
254
    http_request: Optional[HttpRequestInfo]  # HTTP request info for API calls
255
    level: Optional[EventLevel]  # Event level (Critical, Error, Warning, Informational)
256
    operation_id: Optional[str]  # Operation identifier
257
    operation_name: Optional[LocalizableString]  # Operation name
258
    resource_group_name: Optional[str]  # Resource group name
259
    resource_id: Optional[str]  # Resource identifier
260
    resource_provider_name: Optional[LocalizableString]  # Resource provider
261
    resource_type: Optional[LocalizableString]  # Resource type
262
    status: Optional[LocalizableString]  # Operation status
263
    sub_status: Optional[LocalizableString]  # Operation sub-status
264
    subscription_id: Optional[str]  # Subscription identifier
265
    tenant_id: Optional[str]  # Tenant identifier
266

267
class ActivityLogAlertResource:
268
    """Activity log alert rule resource."""
269
    location: str  # Resource location
270
    scopes: List[str]  # Alert rule scopes (subscription/resource group IDs)
271
    condition: AlertRuleAllOfCondition  # Alert conditions
272
    actions: Actions  # Actions to take when alert fires
273
    enabled: Optional[bool]  # Whether alert is enabled
274
    description: Optional[str]  # Alert description
275

276
class AlertRuleAllOfCondition:
277
    """Alert rule condition requiring all criteria to match."""
278
    all_of: List[AlertRuleAnyOfOrLeafCondition]  # List of conditions (AND logic)
279

280
class AlertRuleLeafCondition:
281
    """Individual alert rule condition."""
282
    field: str  # Field name to evaluate
283
    equals: Optional[str]  # Equals comparison value
284
    contains_any: Optional[List[str]]  # Contains any of these values
285

286
class Actions:
287
    """Actions to execute when alert fires."""
288
    action_groups: Optional[List[str]]  # Action group resource IDs
289

290
class SenderAuthorization:
291
    """Authorization details for the operation."""
292
    action: Optional[str]  # Authorized action
293
    role: Optional[str]  # Authorization role
294
    scope: Optional[str]  # Authorization scope
295

296
class HttpRequestInfo:
297
    """HTTP request information for API operations."""
298
    client_request_id: Optional[str]  # Client request identifier
299
    client_ip_address: Optional[str]  # Client IP address
300
    method: Optional[str]  # HTTP method
301
    uri: Optional[str]  # Request URI
302

303
class LocalizableString:
304
    """Localizable string value."""
305
    value: str  # String value
306
    localized_value: Optional[str]  # Localized string value
307

308
class Incident:
309
    """Alert rule incident representing activation status."""
310
    name: Optional[str]  # Incident name
311
    rule_name: Optional[str]  # Associated alert rule name
312
    is_active: Optional[bool]  # Whether incident is currently active
313
    activated_time: Optional[datetime]  # When incident was activated
314
    resolved_time: Optional[datetime]  # When incident was resolved
315

316
EventLevel = Union["Critical", "Error", "Warning", "Informational", "Verbose"]  # Event severity levels
317
```