# Azure Monitor and Activity Log

SureCloud collects the Azure Activity Log, the subscription-level audit trail that records every control-plane operation performed against Azure resources: who made a change, which resource was affected, and whether the operation succeeded. It is a control-plane record only; data-plane access such as reading a blob or a Key Vault secret is not in it and needs resource logs on the individual resource. SureCloud also reviews Diagnostic Settings to verify that Activity Log data is being exported to a retention target (Log Analytics workspace or Storage Account) for long-term preservation. Together, these provide evidence that administrative actions are logged and retained in line with your audit requirements.

## Endpoints

| API Call                                                                            | Use Case                                                                       |
| ----------------------------------------------------------------------------------- | ------------------------------------------------------------------------------ |
| `GET /subscriptions/{id}/providers/microsoft.insights/eventtypes/management/values` | Retrieve Activity Log events for the subscription within the collection window |
| `GET /subscriptions/{id}/providers/microsoft.insights/diagnosticSettings`           | Verify Diagnostic Settings exist and are configured to export Activity Logs    |
| `GET /subscriptions/{id}/providers/Microsoft.Insights/activityLogAlerts`            | List Activity Log alert rules; check for critical-operation alerting coverage  |

## Pagination

The Activity Log events endpoint requires a `$filter` on `eventTimestamp` (a `ge`/`le` pair bounding the query window; a window wider than 90 days is rejected) and uses `nextLink` continuation when the result set exceeds one page. SureCloud follows each `nextLink` until the response contains no further continuation token. A `nextLink` already carries the `api-version` and the encoded `$skiptoken`, so it is followed as-is rather than rebuilt from the original filter.

```json
{
  "value": [
    {
      "id": "/subscriptions/xxx/resourceGroups/rg1/providers/Microsoft.Insights/...",
      "eventTimestamp": "2025-06-01T12:34:56Z",
      "operationName": { "value": "Microsoft.Authorization/roleAssignments/write" },
      "status": { "value": "Succeeded" }
    }
  ],
  "nextLink": "https://management.azure.com/subscriptions/xxx/providers/microsoft.insights/eventtypes/management/values?api-version=2015-04-01&%24skiptoken=..."
}
```
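The following is an added example of the request-and-paginate loop described above, not SureCloud's own collector. It builds the first-page URL with the mandatory `eventTimestamp` filter for a 24-hour window, follows `nextLink` until it disappears, and flags succeeded privileged operations. The two-page response, the subscription ID and the `PRIVILEGED_OPS` set are constructed for the example so it runs offline; `fetch_json` is injectable, so a live run would pass a function that performs an HTTPS GET with a bearer token.

```python
"""Follow Activity Log nextLink pagination and flag privileged control-plane writes.

Added example, not SureCloud's code. SAMPLE_PAGES is a constructed two-page
response keyed by URL so the script runs offline.
"""
from datetime import datetime, timedelta, timezone
from typing import Callable, Iterable, Iterator
from urllib.parse import quote, urlencode

ARM = "https://management.azure.com"
API_VERSION = "2015-04-01"

# Assumption: a starting set of operations worth alerting on, not a list from the page.
PRIVILEGED_OPS = {
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleDefinitions/write",
    "Microsoft.Authorization/policyAssignments/delete",
    "Microsoft.Insights/diagnosticSettings/delete",
    "Microsoft.Network/networkSecurityGroups/securityRules/write",
}


def activity_log_url(subscription_id: str, end: datetime, hours: int = 24) -> str:
    """First-page URL. The API rejects requests without a $filter on eventTimestamp."""
    start = end - timedelta(hours=hours)
    flt = (f"eventTimestamp ge '{start:%Y-%m-%dT%H:%M:%SZ}' "
           f"and eventTimestamp le '{end:%Y-%m-%dT%H:%M:%SZ}'")
    # quote_via=quote gives %20 for spaces; ARM does not treat '+' as a space.
    query = urlencode({"api-version": API_VERSION, "$filter": flt}, quote_via=quote)
    return (f"{ARM}/subscriptions/{subscription_id}/providers/"
            f"microsoft.insights/eventtypes/management/values?{query}")


def iter_events(first_url: str, fetch_json: Callable[[str], dict]) -> Iterator[dict]:
    """Yield events from every page, following nextLink verbatim until it is absent."""
    url, seen = first_url, set()
    while url:
        if url in seen:  # a repeated nextLink would otherwise loop forever
            raise RuntimeError(f"nextLink cycle at {url}")
        seen.add(url)
        page = fetch_json(url)
        yield from page.get("value", [])
        url = page.get("nextLink")


def privileged_successes(events: Iterable[dict]) -> list[tuple[str, str, str]]:
    """Return (timestamp, caller, operation) for privileged operations that succeeded."""
    hits = []
    for e in events:
        op = e.get("operationName", {}).get("value", "")
        status = e.get("status", {}).get("value", "")
        if op in PRIVILEGED_OPS and status == "Succeeded":
            hits.append((e["eventTimestamp"], e.get("caller", "?"), op))
    return hits


# --- constructed sample standing in for ARM: two pages keyed by URL -----------
SUB = "00000000-0000-0000-0000-000000000000"
END = datetime(2025, 6, 2, 0, 0, 0, tzinfo=timezone.utc)
FIRST = activity_log_url(SUB, END)
NEXT = (f"{ARM}/subscriptions/{SUB}/providers/microsoft.insights/eventtypes/"
        f"management/values?api-version={API_VERSION}&%24skiptoken=page2")

SAMPLE_PAGES = {
    FIRST: {
        "value": [
            {"eventTimestamp": "2025-06-01T12:34:56Z", "caller": "alice@example.com",
             "operationName": {"value": "Microsoft.Authorization/roleAssignments/write"},
             "status": {"value": "Succeeded"}},
            {"eventTimestamp": "2025-06-01T12:35:10Z", "caller": "alice@example.com",
             "operationName": {"value": "Microsoft.Authorization/roleAssignments/write"},
             "status": {"value": "Failed"}},  # failed attempt, not flagged here
        ],
        "nextLink": NEXT,
    },
    NEXT: {  # last page: no nextLink
        "value": [
            {"eventTimestamp": "2025-06-01T18:00:00Z", "caller": "deploy-sp",
             "operationName": {"value": "Microsoft.Compute/virtualMachines/write"},
             "status": {"value": "Succeeded"}},
            {"eventTimestamp": "2025-06-01T23:59:00Z", "caller": "bob@example.com",
             "operationName": {"value": "Microsoft.Insights/diagnosticSettings/delete"},
             "status": {"value": "Succeeded"}},
        ],
    },
}


def fake_fetch(url: str) -> dict:
    return SAMPLE_PAGES[url]


def collect_sample() -> list[tuple[str, str, str]]:
    return privileged_successes(iter_events(FIRST, fake_fetch))


if __name__ == "__main__":
    for ts, who, op in collect_sample():
        print(ts, who, op)
```

Deleting a Diagnostic Setting is included in the privileged set on purpose: it is the operation that silently ends the export this page asks you to verify, so it is the one you least want to miss.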

{% hint style="info" %}
Azure retains Activity Log data for **90 days** natively. SureCloud collects events within a rolling 24-hour window on each polling cycle. To retain evidence beyond 90 days, configure a Diagnostic Setting to export logs to a Log Analytics workspace or Storage Account with a longer retention policy.
{% endhint %}

## Required permissions

The **Reader** role on the subscription is sufficient to read Activity Log events and Diagnostic Settings. No additional monitoring-specific roles are required.

## Troubleshooting

<details>

<summary>Activity Log events are not appearing for a subscription</summary>

The `microsoft.insights/eventtypes/management/values` endpoint is addressed at subscription scope, so the caller needs read access at that scope. A role assignment limited to a resource group does not grant it: Azure Resource Manager returns `403 AuthorizationFailed` rather than a partial result.

Confirm the SureCloud Service Principal has the **Reader** role assigned at the **subscription** scope (not a resource group), then trigger a manual refresh.

</details>

<details>

<summary>Diagnostic Settings show as not configured</summary>

If no Diagnostic Settings are configured on the subscription, the `diagnosticSettings` endpoint returns an empty `value` array. SureCloud will report this as a finding.

To configure a Diagnostic Setting, navigate to **Azure Portal → Monitor → Activity log → Export Activity Logs → Add diagnostic setting**. Select the log categories to export; there is no single `ActivityLogs` category, the available ones are Administrative, Security, ServiceHealth, Alert, Recommendation, Policy, Autoscale and ResourceHealth, and **Administrative** is the one that carries the control-plane changes described on this page. Choose a Log Analytics workspace or Storage Account as the destination; an Event Hub destination streams events onward but does not retain them.

</details>
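The check below is an added example of how a collector could evaluate the `diagnosticSettings` response rather than only testing for an empty array; it is not SureCloud's own logic. `SAMPLE_RESPONSE` is a constructed body in the shape returned by `GET /subscriptions/{id}/providers/Microsoft.Insights/diagnosticSettings`, and the pass rule (the Administrative category enabled and exported to a Log Analytics workspace or Storage Account) is this example's own policy, chosen to match the retention point made above.

```python
"""Evaluate subscription Diagnostic Settings for Activity Log export.

Added example, not SureCloud's check. SAMPLE_RESPONSE is constructed in the
shape of the diagnosticSettings endpoint's response; resource IDs are fake.
"""
# Assumption: Administrative is the category a control-plane audit trail needs.
REQUIRED_CATEGORIES = {"Administrative"}
# Destinations that retain data. An Event Hub only streams, so it is not listed.
RETENTION_KEYS = ("workspaceId", "storageAccountId")


def evaluate_diagnostic_settings(response: dict) -> tuple[bool, list[str]]:
    """Return (compliant, findings). Compliant if at least one setting exports
    every required category to a retention destination; findings are per setting."""
    settings = response.get("value", [])
    if not settings:
        return False, ["no Diagnostic Settings on the subscription: Activity Log is not exported"]
    findings, compliant = [], False
    for s in settings:
        name = s.get("name", "<unnamed>")
        props = s.get("properties", {})
        enabled = {log["category"] for log in props.get("logs", []) if log.get("enabled")}
        missing = sorted(REQUIRED_CATEGORIES - enabled)
        retains = any(props.get(k) for k in RETENTION_KEYS)
        if missing:
            findings.append(f"{name}: required categories not enabled: {missing}")
        if not retains:
            findings.append(f"{name}: no Log Analytics workspace or Storage Account destination")
        compliant = compliant or (not missing and retains)
    return compliant, ([] if compliant else findings)


SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_RESPONSE = {
    "value": [
        {   # streams to an Event Hub only: fine for a SIEM feed, not for retention
            "name": "eh-stream",
            "properties": {
                "eventHubAuthorizationRuleId": f"{SUB}/resourceGroups/rg-audit/providers/"
                    "Microsoft.EventHub/namespaces/ns1/authorizationRules/RootManageSharedAccessKey",
                "logs": [{"category": "Administrative", "enabled": True}],
            },
        },
        {   # archives to storage but with the Administrative category switched off
            "name": "storage-archive",
            "properties": {
                "storageAccountId": f"{SUB}/resourceGroups/rg-audit/providers/"
                    "Microsoft.Storage/storageAccounts/auditarchive",
                "logs": [{"category": "Administrative", "enabled": False},
                         {"category": "Security", "enabled": True}],
            },
        },
        {   # satisfies the rule
            "name": "law-export",
            "properties": {
                "workspaceId": f"{SUB}/resourceGroups/rg-audit/providers/"
                    "Microsoft.OperationalInsights/workspaces/sec-law",
                "logs": [{"category": "Administrative", "enabled": True},
                         {"category": "Security", "enabled": True},
                         {"category": "Policy", "enabled": True}],
            },
        },
    ]
}
# Same subscription with the compliant setting removed.
NO_RETENTION_RESPONSE = {"value": SAMPLE_RESPONSE["value"][:2]}


if __name__ == "__main__":
    for label, body in (("full", SAMPLE_RESPONSE), ("no-retention", NO_RETENTION_RESPONSE),
                        ("empty", {"value": []})):
        ok, findings = evaluate_diagnostic_settings(body)
        print(label, "PASS" if ok else "FAIL", findings)
```

The two negative cases are the ones an empty-array check misses: a setting that exists but streams only to an Event Hub, and one that archives to storage with the Administrative category disabled. Both return a non-empty `value` array yet leave no retained control-plane audit trail.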

<details>

<summary>Events older than 90 days are not available</summary>

Azure Activity Log native retention is 90 days. SureCloud cannot retrieve events beyond that window from the Activity Log API, and a single request's `$filter` window may not span more than 90 days.

To maintain a longer audit trail, ensure a Diagnostic Setting is exporting logs to a Log Analytics workspace (interactive retention configurable up to 2 years, longer via the archive tier) or a Storage Account (retention governed by the account's blob lifecycle management policy, so data can be held for as long as your requirements demand). Contact SureCloud support to configure a Log Analytics workspace collection source if needed.

</details>


