Hi @laurakate_young
It would be good to know what columns of data you are looking at.
Go to Log Analytics and Run Query
| TenantId |
SourceSystem |
MG |
ManagementGroupName |
TimeGenerated |
Computer |
targetVmNicDetails_s |
PolicyTimeZone_s |
trustedService_s |
audit_schema_version_d |
event_time_t |
sequence_number_d |
succeeded_s |
is_column_permission_s |
session_id_d |
server_principal_id_d |
database_principal_id_d |
target_server_principal_id_d |
target_database_principal_id_d |
object_id_d |
user_defined_event_id_d |
transaction_id_d |
duration_milliseconds_d |
response_rows_d |
affected_rows_d |
action_id_s |
action_name_s |
class_type_s |
class_type_description_s |
securable_class_type_s |
client_ip_s |
permission_bitmask_s |
sequence_group_id_g |
session_server_principal_name_s |
server_principal_name_s |
server_principal_sid_s |
database_principal_name_s |
target_server_principal_name_s |
target_server_principal_sid_s |
target_database_principal_name_s |
server_instance_name_s |
database_name_s |
schema_name_s |
object_name_s |
statement_s |
additional_information_s |
user_defined_information_s |
application_name_s |
data_sensitivity_information_s |
host_name_s |
connection_id_g |
event_id_g |
is_server_level_audit_s |
collectionName_s |
databaseRid_s |
originalHost_s |
keyType_s |
subnetId_s |
lock_mode_s |
resource_owner_type_s |
blocked_process_filtered_s |
trackingReference_s |
DeploymentUnit_s |
InstanceName_s |
Value_s |
multiVmGroupName_s |
lastSuccessfulTestFailoverTime_t |
Level_d |
isRequestSuccess_b |
location_s |
lastError_elapsed_d |
lastError_source_s |
lastError_reason_s |
lastError_message_s |
lastError_section_s |
method_s |
url_s |
responseCode_d |
responseSize_d |
cache_s |
clientTime_d |
clientProtocol_s |
partitionId_s |
activityId_g |
requestResourceType_s |
requestResourceId_s |
collectionRid_s |
statusCode_s |
duration_s |
clientIpAddress_s |
requestCharge_s |
requestLength_s |
responseLength_s |
resourceTokenUserRid_s |
region_s |
partitionId_g |
Tenant_s |
requestBytes_s |
responseBytes_s |
timeTaken_s |
securityProtocol_s |
routingRuleName_s |
httpStatusCode_s |
httpStatusDetails_s |
RunOn_s |
identity_claim_ipaddr_s |
identity_claim_http_schemas_microsoft_com_claims_authnmethodsreferences_s |
tags_businessowner_s |
tags_compositeApp_s |
tags_costCode_s |
error_state_d |
RecoveryJobRPLocation_s |
JobOperationSubType_s |
AlertConsolidationStatus_s |
CountOfAlertsConsolidated_s |
AlertRaisedOn_s |
AlertCode_s |
RecommendedAction_s |
BackupItemAppVersion_s |
BackupItemSourceSize_s |
ProtectedContainerName_g |
resultDescription_ErrorJobs_s |
resultDescription_ChildJobs_s |
ProtectedInstanceCount_s |
StorageUniqueId_s |
StorageConsumedInMBs_s |
OldestRecoveryPointTime_s |
OldestRecoveryPointLocation_s |
LatestRecoveryPointTime_s |
LatestRecoveryPointLocation_s |
StorageType_s |
StorageName_s |
ClusterName_s |
NodeRole_s |
MachineName_s |
AppName_s |
AppTypeName_s |
AdHocOrScheduledJob_s |
ProtectedContainerOSType_s |
ProtectedContainerOSVersion_s |
ProtectedContainerUniqueId_s |
ProtectedContainerFriendlyName_s |
AgentVersion_s |
ProtectedContainerWorkloadType_s |
ProtectedContainerName_s |
ProtectedContainerProtectionState_s |
ProtectedContainerLocation_s |
ProtectedContainerType_s |
BackupItemProtectionState_s |
isAccessPolicyMatch_b |
LogBackupFrequency_s |
LogBackupRetentionDuration_s |
ResourceGroupName_s |
uploadRPOInSeconds_d |
uploadRPOUpdateTime_t |
processedRPOInSeconds_d |
processedRPOUpdateTime_t |
timeStamp_t |
lastRecoveryPoint_t |
latestAppConsistentRecoveryPoint_t |
replicatingDisksCount_d |
tags_LogicAppsCategory_s |
ProviderName_s |
TaskName_s |
keyProperties_type_s |
keyProperties_curve_s |
keyProperties_operations_s |
keyProperties_attributes_enabled_b |
keyProperties_size_d |
keyProperties_attributes_exp_d |
vaultProperties_s |
resultDescription_ChildJobs_ContosoWeb4_Linux_60cf5ef0_42db_4036_bf34_8ad5dfb950f7_g |
resultDescription_ChildJobs_ContosoWeb0_Linux_de6f0bed_8942_4674_9826_7ae305c7d534_g |
resultDescription_ChildJobs_ContosoWeb3_Linux_20a30155_a894_441b_8012_858c00572623_g |
recoveryServicesProviderId_g |
resultDescription_ErrorJobs_G0_Win2016_1_afbdb526_62b5_4d56_a7f6_79ed4440d868_s |
databaseName_s |
metric_s |
impact_s |
detections_s |
rootCauseAnalysis_s |
intervalStartTime_t |
intervalEndTme_t |
issueId_d |
value_d |
user_defined_b |
error_number_d |
Severity |
state_d |
logical_io_writes_d |
max_logical_io_writes_d |
physical_io_reads_d |
max_physical_io_reads_d |
logical_io_reads_d |
max_logical_io_reads_d |
execution_type_d |
cpu_time_d |
max_cpu_time_d |
dop_d |
max_dop_d |
rowcount_d |
max_rowcount_d |
query_max_used_memory_d |
max_query_max_used_memory_d |
duration_d |
max_duration_d |
num_physical_io_reads_d |
max_num_physical_io_reads_d |
log_bytes_used_d |
max_log_bytes_used_d |
wait_type_s |
start_utc_date_t |
end_utc_date_t |
delta_max_wait_time_ms_d |
delta_signal_wait_time_ms_d |
delta_wait_time_ms_d |
delta_waiting_tasks_count_d |
LogicalServerName_s |
ElasticPoolName_s |
DatabaseName_s |
wait_category_s |
is_parameterizable_s |
statement_type_s |
statement_key_hash_s |
query_hash_s |
query_plan_hash_s |
statement_sql_handle_s |
interval_start_time_d |
interval_end_time_d |
exec_type_d |
total_query_wait_time_ms_d |
max_query_wait_time_ms_d |
query_id_d |
plan_id_d |
query_param_type_d |
count_executions_d |
resultDescription_ErrorJobs_ContosoWeb2_ebea0ce7_21cf_4689_8641_e7b2087f188d_s |
resultDescription_ErrorJobs_ContosoWeb3_62ae68a6_a33c_4945_9324_dcb7c7c5c5f8_s |
resultDescription_ErrorJobs_ContosoIT2_c4469c89_da43_40e1_b6d7_b5125f304da6_s |
resultDescription_ErrorJobs_ContosoWeb1_ContosoRetail_com_102df91d_ae46_40ec_a30d_cd690b612b89_s |
resultDescription_ChildJobs_G0_Win2016_1_afbdb526_62b5_4d56_a7f6_79ed4440d868_g |
replicationHealthErrors_s |
eventType_s |
description_s |
healthErrors_s |
logId_g |
timeOfOccurence_t |
recoveryNetworkId_s |
failoverHealthErrors_s |
lastRpoCalculatedTime_t |
rpoInSeconds_d |
agentVersion_s |
recoveryRegion_s |
multiVmGroupCreateOption_s |
targetStorageAccountId_s |
targetStorageAccountName_s |
multiVmSyncStatus_s |
replicationHealth_s |
failoverHealth_s |
name_s |
primaryFabricName_s |
recoveryFabricName_s |
primaryFabricType_s |
recoveryFabricType_s |
primaryContainerName_s |
recoveryContainerName_s |
protectionState_s |
activeLocation_s |
policyName_s |
replicationProviderName_s |
osFamily_s |
itemType_s |
multiVmGroupId_g |
multiVmGroupName_g |
id_g |
lastHeartbeat_t |
initialReplicationProgressPercentage_d |
affectedResourceId_s |
affectedResourceName_s |
affectedResourceType_s |
version_s |
affectedResourceId_g |
logId_d |
host_s |
LogScheduleFreqInMins_s |
LogRetentionType_s |
LogRetentionDuration_s |
resultDescription_ChildJobs_ContosoWeb2_Linux_7dfa0c0e_9b8d_491d_80b8_0c284e85e40c_g |
publicIpAddress_s |
port_d |
totalDipCount_d |
dipDownCount_d |
healthPercentage_d |
resultDescription_ChildJobs_ContosoWeb1_Dev_ca942d23_8d7b_4a08_a7b0_6df217fc60d9_g |
PolicyUniqueId_s |
resultDescription_ChildJobs_ContosoAzADDS1_ContosoRetail_com_69666b76_bf16_4b8a_bce6_00f683865c57_g |
resultDescription_ChildJobs_ContosoADDS1_ContosoRetail_com_6fd68e14_f18a_45de_8d26_50f76855b1ce_g |
resultDescription_ChildJobs_ContosoAzADDS2_e652ac47_3731_480d_8c45_06115a929da3_g |
Region_s |
GatewayId_g |
hsmPoolPropertiesStatus_d |
resultDescription_ChildJobs_Contosoweb_Linux_81422fdd_5aa4_49d9_aa86_5e78139aa8e7_g |
resultDescription_ChildJobs_ContosoIT2_c4469c89_da43_40e1_b6d7_b5125f304da6_g |
retryHistory_s |
error_code_s |
error_message_s |
resultDescription_ChildJobs_ContosoWeb2_Linux_7a1f664e_7e77_413b_b5da_9d01970c781b_g |
workflowId_s |
_schema_s |
status_s |
resource_resourceGroupName_s |
resource_workflowName_s |
resource_runId_s |
resource_originRunId_s |
resource_location_s |
correlation_clientTrackingId_s |
resource_actionName_s |
code_s |
resource_triggerName_s |
resource_subscriptionId_g |
resource_workflowId_g |
correlation_actionTrackingId_g |
startTime_t |
endTime_t |
resultDescription_ChildJobs_Store001Web1_2306024f_1425_42f9_a7c3_e33bcdf13837_g |
resultDescription_ChildJobs_ContosoWeb_0823cacc_acfc_4b50_9695_05f338c05061_g |
resultDescription_ChildJobs_StoreSrv003_394e7211_f2c1_4851_a2ff_efb9b4656ab5_g |
resultDescription_ChildJobs_ContosoWeb2_ebea0ce7_21cf_4689_8641_e7b2087f188d_g |
AlertUniqueId_s |
AlertType_s |
AlertStatus_s |
AlertOccurrenceDateTime_s |
AlertSeverity_s |
CloudStorageInBytes_s |
ProtectedInstances_s |
resultDescription_ChildJobs_ContosoWeb1_Linux_05d47a4f_8462_4dfc_adf3_f0be0f98f926_g |
JobOperation_s |
JobStatus_s |
JobFailureCode_s |
JobStartDateTime_s |
BackupStorageDestination_s |
JobDurationInSecs_s |
DataTransferredInMB_s |
JobUniqueId_g |
PolicyName_s |
BackupFrequency_s |
BackupTimes_s |
BackupDaysOfTheWeek_s |
RetentionDuration_s |
DailyRetentionDuration_s |
DailyRetentionTimes_s |
WeeklyRetentionDuration_s |
WeeklyRetentionTimes_s |
WeeklyRetentionDaysOfTheWeek_s |
MonthlyRetentionDuration_s |
MonthlyRetentionTimes_s |
MonthlyRetentionFormat_s |
MonthlyRetentionDaysOfTheWeek_s |
MonthlyRetentionWeeksOfTheMonth_s |
YearlyRetentionDuration_s |
YearlyRetentionTimes_s |
YearlyRetentionMonthsOfTheYear_s |
YearlyRetentionFormat_s |
YearlyRetentionDaysOfTheWeek_s |
YearlyRetentionWeeksOfTheMonth_s |
VaultName_s |
AzureDataCenter_s |
VaultTags_s |
StorageReplicationType_s |
RegisteredContainerId_s |
ProtectedServerType_s |
ProtectedServerFriendlyName_s |
BackupManagementServerUniqueId_s |
AzureBackupAgentVersion_s |
EventName_s |
BackupItemUniqueId_s |
BackupItemId_s |
BackupItemName_s |
BackupItemFriendlyName_s |
BackupItemType_s |
ProtectedServerName_s |
ProtectionState_s |
SchemaVersion_s |
State_s |
BackupManagementType_s |
Level |
ProtectedServerUniqueId_s |
VaultUniqueId_s |
PolicyUniqueId_g |
EventId_d |
resultDescription_ChildJobs_ContosoWeb3_62ae68a6_a33c_4945_9324_dcb7c7c5c5f8_g |
DscResourceId_s |
DscResourceName_s |
DscResourceStatus_s |
DscModuleName_s |
DscModuleVersion_s |
DscConfigurationName_s |
ErrorCode_s |
ErrorMessage_s |
DscResourceDuration_d |
NodeName_s |
NodeComplianceStatus_s |
DscReportStatus_s |
ConfigurationMode_s |
HostName_s |
IPAddress |
NodeId_g |
DscReportId_g |
LastSeenTime_t |
ReportStartTime_t |
ReportEndTime_t |
NumberOfResources_d |
resultDescription_ChildJobs_ContosoWeb1_ContosoRetail_com_102df91d_ae46_40ec_a30d_cd690b612b89_g |
resultDescription_value_s |
resultDescription_PSComputerName_s |
resultDescription_PSSourceJobInstanceId_g |
resultDescription_PSShowComputerName_b |
resultDescription_Summary_EndDateTimeUtc_t |
resultDescription_Summary_DurationInMinutes_d |
resultDescription_Summary_MachineId_s |
resultDescription_Summary_MachineName_s |
resultDescription_Summary_ScheduleName_s |
resultDescription_Summary_EndDateTimeUtc_s |
resultDescription_Summary_DurationInMinutes_s |
resultDescription_Summary_Status_s |
resultDescription_Summary_StatusDescription_s |
resultDescription_Summary_StartDateTimeUtc_t |
resultDescription_Summary_RebootRequired_b |
resultDescription_Summary_InitialRequiredUpdatesCount_d |
resultDescription_Summary_TotalUpdatesInstalled_d |
resultDescription_Summary_TotalUpdatesFailed_d |
resultDescription_Summary_InstallPercentage_d |
identity_claim_http_schemas_microsoft_com_identity_claims_scope_s |
identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s |
CallerIPAddress |
clientInfo_s |
id_s |
OperationVersion |
ResultSignature |
DurationMs |
identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g |
identity_claim_appid_g |
httpStatusCode_d |
clientIP_s |
httpMethod_s |
requestQuery_s |
userAgent_s |
httpVersion_s |
sslEnabled_s |
clientPort_d |
httpStatus_d |
receivedBytes_d |
sentBytes_d |
timeTaken_d |
clientIp_s |
clientPort_s |
requestUri_s |
ruleSetType_s |
ruleSetVersion_s |
ruleId_s |
Message |
action_s |
site_s |
details_message_s |
details_data_s |
details_file_s |
details_line_s |
conditions_protocols_s |
conditions_destinationPortRange_s |
conditions_sourcePortRange_s |
conditions_sourceIP_s |
conditions_destinationIP_s |
conditions_None_s |
priority_d |
subnetPrefix_s |
macAddress_s |
primaryIPv4Address_s |
ruleName_s |
direction_s |
type_s |
systemId_g |
vnetResourceGuid_g |
matchedConnections_d |
instanceId_s |
healthyHostCount_d |
unHealthyHostCount_d |
requestCount_d |
latency_d |
failedRequestCount_d |
throughput_d |
StreamType_s |
ResourceId |
OperationName |
ResultType |
ResultDescription |
RunbookName_s |
Caller_s |
Category |
SubscriptionId |
ResourceGroup |
ResourceProvider |
Resource |
ResourceType |
Tenant_g |
CorrelationId |
JobId_g |
Type |
_ResourceId |
| b438b4f6-912a-46d5-9cb1-b44069212abc |
Azure |
|
|
2019-11-21T14:15:32.843Z |
|
|
|
|
null |
null |
null |
|
|
null |
null |
null |
null |
null |
null |
null |
null |
null |
null |
null |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
null |
null |
null |
|
null |
|
|
|
|
|
|
null |
null |
|
null |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
null |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
null |
|
|
|
null |
null |
null |
null |
null |
null |
null |
null |
|
|
|
|
|
|
null |
null |
null |
|
|
|
|
|
|
|
|
|
|
|
null |
null |
null |
null |
null |
null |
null |
null |
null |
null |
null |
null |
null |
null |
null |
null |
null |
null |
null |
null |
null |
null |
null |
null |
null |
null |
null |
null |
null |
|
null |
null |
null |
null |
null |
null |
|
|
|
|
|
|
|
|
|
|
null |
null |
null |
null |
null |
null |
null |
null |
null |
|
|
|
|
|
|
|
|
|
|
null |
|
|
null |
null |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
null |
null |
|
|
|
|
|
null |
|
|
|
|
|
|
null |
null |
null |
null |
|
|
|
|
|
|
|
null |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
null |
null |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
null |
|
|
|
|
|
|
|
|
|
null |
|
|
|
|
|
|
|
|
null |
null |
null |
null |
|
|
|
|
null |
null |
null |
|
|
|
|
|
|
|
null |
null |
null |
null |
null |
null |
|
|
|
|
|
|
|
null |
|
|
null |
|
|
|
|
|
|
null |
null |
null |
null |
null |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
null |
10.6.0.0/24 |
00-0D-3A-70-8D-0A |
10.6.0.6 |
DefaultRule_AllowVnetOutBound |
Out |
allow |
a938471e-4080-49a9-9055-b66ec742b7f0 |
01b6eaff-e962-4c22-b5a3-4d54f26adbdc |
18651 |
|
null |
null |
null |
null |
null |
null |
|
/SUBSCRIPTIONS/E4272367-5645-4C4E-9C67-3B74B59A6982/RESOURCEGROUPS/CONTOSOAZUREHQ/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/CONTOSOWEB1NSG |
NetworkSecurityGroupCounters |
|
|
|
|
NetworkSecurityGroupRuleCounter |
e4272367-5645-4c4e-9c67-3b74b59a6982 |
CONTOSOAZUREHQ |
MICROSOFT.NETWORK |
CONTOSOWEB1NSG |
NETWORKSECURITYGROUPS |
|
|
|
AzureDiagnostics |
/subscriptions/e4272367-5645-4c4e-9c67-3b74b59a6982/resourcegroups/contosoazurehq/providers/microsoft.network/networksecuritygroups/contosoweb1nsg |
So you for example the data was in the OperationName column you could do, one of these?
AzureDiagnostics
| where OperatioName == "drop"
AzureDiagnostics
| where OperatioName contains "drop"
or
AzureDiagnostics
| where OperatioName == "drop" or OperatioName == "Insert"
I don't have any MariaDB but you may want to add a check for that - something like this before the query:
AzureDiagnostics
| where Resource == "MariaDB"
...
This article might also help: https://techcommunity.microsoft.com/t5/Azure-Sentinel/Tip-Easily-use-JSON-fields-in-Sentinel/ba-p/76...
and https://docs.microsoft.com/en-gb/azure/azure-monitor/log-query/get-started-portal
