Query Details
Playbook Activity
Query
//Watch Playbook execution and display Playbook name, which action was invoked, and who did it AzureDiagnostics | join AzureActivity on ResourceGroup | where ResourceProvider == "MICROSOFT.LOGIC" | extend PlaybookName = resource_workflowName_s | extend Action = Resource | distinct Caller, PlaybookName, Action, CallerIpAddress
Explanation
This query is looking at Azure diagnostics and Azure activity logs to track the execution of a playbook. It retrieves the playbook name, the action that was invoked, and the person who performed the action. It also includes the IP address of the person who performed the action.
Details
Rod Trent
Released: March 10, 2023
Tables
AzureDiagnosticsAzureActivity
Keywords
Watch,Playbook,Execution,Display,Name,Action,Invoked,Who,AzureDiagnostics,Join,AzureActivity,ResourceGroup,Where,ResourceProvider,MICROSOFT.LOGIC,Extend,PlaybookName,resource_workflowName_s,Caller,CallerIpAddress
Operators
joinwhereextenddistinct