question

Kks-9125 avatar image
0 Votes"
Kks-9125 asked AlistairRoss-msft commented

Need Help on to get the creted by info for azure resources

Hello Team,
We are in process of cleaning up the Azure resources that are not getting used.
we have resources which were created 2 years back like storage accounts resource groups etc

In Activity log we might get info till past 90 days . So in this scenario how to get the mail id of the members who created it as there are no owner tags too for the resources


azure-monitor
· 1
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

AnuragSingh-MSFT avatar image AnuragSingh-MSFT ·

@Kks-9125, Following up to see if the answer below helps. Do let us know if you have any queries.

Please 'Accept as answer' and ‘Upvote’ if it helped so that it can help others in the community looking for help on similar topics.

0 Votes 0 ·

1 Answer

AlistairRoss-msft avatar image
1 Vote"
AlistairRoss-msft answered AlistairRoss-msft commented

Short Answer: You cannot.
Long Answer: Unless you have been collecting the activity logs for the period of time you need (up to 2 years in Log Analytics, 90 days for free) or longer by exporting the logs, then you cannot see who created the resources. Azure Resource Manager does not keep historical logs of all events that have occurred, but the state that they are in now and the activity logs.

· 5
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

AndrewBlumhardt-1137 avatar image AndrewBlumhardt-1137 ·

You might try looking in the Resource Graph: https://docs.microsoft.com/en-us/azure/governance/resource-graph/first-query-portal

0 Votes 0 ·
AlistairRoss-msft avatar image AlistairRoss-msft AndrewBlumhardt-1137 ·

@AndrewBlumhardt-1137, Can you provide an example of this? As far as I know there isn't a "created by " or equivalent property on Azure Resources, therefore I am not sure how Azure Resource Graph would help.

0 Votes 0 ·
AndrewBlumhardt-1137 avatar image AndrewBlumhardt-1137 AlistairRoss-msft ·

Just a hunch. You are correct. That would be nice though. :-)

0 Votes 0 ·
Kks-9125 avatar image Kks-9125 ·

If i have storage accounts data tagged to log analytics workspace what can be the kusto query to see who has created the container or deleted or modified

0 Votes 0 ·
AlistairRoss-msft avatar image AlistairRoss-msft Kks-9125 ·

Hi @Kks-9125.

  1. Ensure your Azure Activity is being sent to a Log Analytics workspace https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log#send-to-log-analytics-workspace

  2. Perform the action you are wishing to audit (such as create a container in a storage account)

  3. Run a query to identify the performed operations

    AzureActivity
    | where OperationNameValue startswith "MICROSOFT.STORAGE"

  4. Identify the required Operation and project the required columns

    AzureActivity
    | where OperationNameValue == "MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE"
    | where ActivitySubstatusValue == "Created"
    | where ActivityStatusValue == "Success"
    | extend Resource = tostring(parse_json(Properties).resource)
    | project TimeGenerated, _ResourceId, ResourceGroup, Resource, Caller



0 Votes 0 ·