Query Details
Retention Per Table
Query
//Show when data retention is changed per table, who did it and their IP address AzureActivity | where OperationNameValue == "MICROSOFT.OPERATIONALINSIGHTS/WORKSPACES/TABLES/WRITE" | extend table = parse_json(Properties).entity | parse-where table with * "/tables/" Changed_Table | distinct Changed_Table, Changed_by = Caller, User_IP = CallerIpAddress, Time_it_Happened = TimeGenerated
Explanation
This query shows when the data retention is changed for each table in an Azure workspace. It also provides information about who made the change and their IP address.
Details
Rod Trent
Released: August 30, 2022
Tables
AzureActivity
Keywords
AzureActivity,MICROSOFT.OPERATIONALINSIGHTS/WORKSPACES/TABLES/WRITE,Properties,Caller,CallerIpAddress,TimeGenerated
Operators
whereextendparse_jsonparse-wheredistinct