Query Details
Policy Exemptions
Query
AzureActivity | where OperationNameValue contains "MICROSOFT.AUTHORIZATION/POLICYEXEMPTIONS" | where ActivityStatusValue == "Start" or ActivityStatusValue == "Success" | extend resource_ = tostring(parse_json(Properties).resource) | project Caller, CallerIpAddress, resource_
Explanation
This query retrieves Azure activity logs where the operation name contains "MICROSOFT.AUTHORIZATION/POLICYEXEMPTIONS" and the activity status is either "Start" or "Success". It then extracts the resource information from the properties and displays the caller, caller IP address, and resource in the result.
Details
Rod Trent
Released: May 3, 2021
Tables
AzureActivity
Keywords
AzureActivity,OperationNameValue,MICROSOFT.AUTHORIZATION/POLICYEXEMPTIONS,ActivityStatusValue,Start,Success,resource_,Caller,CallerIpAddress
Operators
wherecontains==orextendtostringparse_jsonproject