Administrative Event Schema
Overview:
This section provides a deeper explanation of the Administrative events as well as the associated schema.
Azure Activity Log: Administrative Events
The Administrative category in the Azure Activity Log records all create, update, delete, and action operations performed through Azure Resource Manager. This includes actions like creating a virtual machine or deleting a network security group. Every operation initiated by a user or application on a resource is logged, capturing both the start and the outcome (success or failure) of the action. Additionally, this category logs any changes made to Azure role-based access control within a subscription.
Schema for Administrative Events
authorization
Blob of Azure RBAC properties of the event. Usually includes the “action”, “role” and “scope” properties.
caller
Email address of the user who has performed the operation, UPN claim, or SPN claim based on availability.
channels
One of the following values: “Admin”, “Operation”.
claims
The JWT token used by Active Directory to authenticate the user or application to perform this operation in Resource Manager.
correlationId
Usually a GUID in the string format. Events that share a correlationId belong to the same uber action.
description
Static text description of an event.
eventDataId
Unique identifier of an event.
eventName
Friendly name of the Administrative event.
category
Always "Administrative".
httpRequest
Blob describing the HTTP request. Usually includes the “clientRequestId”, “clientIpAddress” and “method” (the HTTP method, for example PUT).
level
Severity level of the event.
resourceGroupName
Name of the resource group for the impacted resource.
resourceProviderName
Name of the resource provider for the impacted resource.
resourceType
The type of resource affected by an Administrative event.
resourceId
Resource ID of the impacted resource.
operationId
A GUID shared among the events that correspond to a single operation.
operationName
Name of the operation.
properties
Set of <Key, Value> pairs (that is, a Dictionary) describing the details of the event.
status
String describing the status of the operation. Some common values are: Started, In Progress, Succeeded, Failed, Active, Resolved.
subStatus
Usually the HTTP status code of the corresponding REST call, but can also include other strings describing a subStatus, such as these common values: OK (HTTP Status Code: 200), Created (HTTP Status Code: 201), Accepted (HTTP Status Code: 202), No Content (HTTP Status Code: 204), Bad Request (HTTP Status Code: 400), Not Found (HTTP Status Code: 404), Conflict (HTTP Status Code: 409), Internal Server Error (HTTP Status Code: 500), Service Unavailable (HTTP Status Code: 503), Gateway Timeout (HTTP Status Code: 504).
eventTimestamp
Timestamp when the event was generated by the Azure service processing the request corresponding to the event.
submissionTimestamp
Timestamp when the event became available for querying.
subscriptionId
Azure Subscription ID.
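Added example (not part of the original page): a small triage routine that groups Administrative events by correlationId, reports the final outcome of each action, and flags role assignment changes. It assumes each record is a dictionary with flat string fields named as in the schema above; the sample records, the summarize and _ev helper names, and all values are constructed for illustration.

```python
from collections import defaultdict

TERMINAL = {"Succeeded", "Failed"}  # status values that close an operation
RBAC_PREFIX = "microsoft.authorization/roleassignments/"

def _ev(cid, op, status, ts, caller, ip):
    """Build a constructed record using the schema's field names (flat strings assumed)."""
    return {"category": "Administrative", "correlationId": cid, "operationName": op,
            "status": status, "eventTimestamp": ts, "caller": caller,
            "httpRequest": {"clientIpAddress": ip}}

# Constructed sample data, not real log output. corr-1 is deliberately out of order.
SAMPLE_EVENTS = [
    _ev("corr-1", "Microsoft.Compute/virtualMachines/write", "Succeeded",
        "2024-01-01T10:00:05Z", "alice@example.com", "203.0.113.10"),
    _ev("corr-1", "Microsoft.Compute/virtualMachines/write", "Started",
        "2024-01-01T10:00:00Z", "alice@example.com", "203.0.113.10"),
    _ev("corr-2", "Microsoft.Authorization/roleAssignments/write", "Started",
        "2024-01-01T11:00:00Z", "bob@example.com", "198.51.100.7"),
    _ev("corr-2", "Microsoft.Authorization/roleAssignments/write", "Failed",
        "2024-01-01T11:00:02Z", "bob@example.com", "198.51.100.7"),
    _ev("corr-3", "Microsoft.Network/networkSecurityGroups/delete", "Started",
        "2024-01-01T12:00:00Z", "alice@example.com", "203.0.113.10"),
]

def summarize(events):
    """Return {correlationId: summary} for Administrative events."""
    groups = defaultdict(list)
    for ev in events:
        if ev.get("category") == "Administrative":
            groups[ev["correlationId"]].append(ev)
    result = {}
    for cid, evs in groups.items():
        # ISO 8601 UTC timestamps in one format sort correctly as strings.
        evs.sort(key=lambda e: e["eventTimestamp"])
        final = next((e for e in reversed(evs) if e["status"] in TERMINAL), None)
        ops = sorted({e["operationName"] for e in evs})
        result[cid] = {
            "caller": evs[0]["caller"],
            "clientIp": evs[0].get("httpRequest", {}).get("clientIpAddress"),
            "operations": ops,
            # A "Started" event with no terminal event yet is reported as Incomplete.
            "outcome": final["status"] if final else "Incomplete",
            "rbac_change": any(op.lower().startswith(RBAC_PREFIX) for op in ops),
        }
    return result

if __name__ == "__main__":
    for cid, summary in summarize(SAMPLE_EVENTS).items():
        print(cid, summary)
```

Actions left as Incomplete are worth re-checking later, since submissionTimestamp can lag eventTimestamp and the closing event may not yet be available for querying.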