Policy
Policy Overview:
This category contains records of all effect action operations performed by Azure Policy. Examples of the types of events you would see in this category include Audit and Deny. Every action taken by Policy is modeled as an operation on a resource.
Schema:
authorization
Array of Azure RBAC properties of the event. For new resources, this is the action and scope of the request that triggered evaluation. For existing resources, the action is "Microsoft.Resources/checkPolicyCompliance/read".
caller
For new resources, the identity that initiated a deployment. For existing resources, the GUID of the Microsoft Azure Policy Insights RP.
channels
Policy events use only the "Operation" channel.
claims
The JWT token used by Active Directory to authenticate the user or application to perform this operation in Resource Manager.
correlationId
Usually a GUID in the string format. Events that share a correlationId belong to the same uber action.
description
This field is blank for Policy events.
eventDataId
Unique identifier of an event.
eventName
Either "BeginRequest" or "EndRequest". "BeginRequest" is used for delayed auditIfNotExists and deployIfNotExists evaluations and when a deployIfNotExists effect starts a template deployment. All other operations return "EndRequest".
category
Declares the activity log event as belonging to "Policy".
eventTimestamp
Timestamp when the event was generated by the Azure service processing the request corresponding the event.
ID
Unique identifier of the event on the specific resource.
level
Severity level of the event. Audit uses "Warning" and Deny uses "Error". An auditIfNotExists or deployIfNotExists error can generate "Warning" or "Error" depending on severity. All other Policy events use "Informational".
operationId
A GUID shared among the events that correspond to a single operation.
operationName
Name of the operation and directly correlates to the Policy effect.
resourceGroupName
Name of the resource group for the evaluated resource.
resourceProviderName
Name of the resource provider for the evaluated resource.
resourceType
For new resources, it's the type being evaluated. For existing resources, returns "Microsoft.Resources/checkPolicyCompliance".
resourceId
Resource ID of the evaluated resource.
status
String describing the status of the Policy evaluation result. Most Policy evaluations return "Succeeded", but a Deny effect returns "Failed". Errors in auditIfNotExists or deployIfNotExists also return "Failed".
subStatus
Field is blank for Policy events.
submissionTimestamp
Timestamp when the event became available for querying.
subscriptionId
Azure Subscription ID.
properties.isComplianceCheck
Returns "False" when a new resource is deployed or an existing resource's Resource Manager properties are updated. All other evaluation triggers result in "True".
properties.resourceLocation
The Azure region of the resource being evaluated.
properties.ancestors
A comma-separated list of parent management groups ordered from direct parent to farthest grandparent.
properties.policies
Includes details about the policy definition, assignment, effect, and parameters that this Policy evaluation is a result of.
relatedEvents
This field is blank for Policy events.
Last updated