Query Details
Add Client Data Source
Query
//Identifies who added new Datasources to the client configuration for the Log Analytics workspace AzureActivity | where OperationNameValue has "DATASOURCES/WRITE" | where ResourceProviderValue has "MICROSOFT.OPERATIONALINSIGHTS" | project TimeGenerated, Caller, CallerIpAddress
Explanation
This query identifies the users who added new datasources to the client configuration for the Log Analytics workspace. It filters the Azure activity logs for operations related to writing datasources and the resource provider being Microsoft Operational Insights. The resulting table includes the time the activity occurred, the user who performed the action, and their IP address.
Details
Rod Trent
Released: January 15, 2021
Tables
AzureActivity
Keywords
AzureActivity,OperationNameValue,DATASOURCES/WRITE,ResourceProviderValue,MICROSOFT.OPERATIONALINSIGHTS,TimeGenerated,Caller,CallerIpAddress
Operators
wherehas|project