Can we find Azure portal notifications in logs

I need to fetch the Azure portal notifications from logs. Is there a way to do it in Azure Sentinel?
5 Replies

@uditk14 

 

Do you mean, from the Portal blade 'bell' icon?  I'm pretty sure they are not stored in Logs.

 


@Clive Watson - Yes, I want the bell icon notifications. I am able to fetch similar details in the Azure Activity but I wanted to know if something exists directly for this.

 

@uditk14 

 

AzureActivity is a source you can store in a Log Analytics workspace, Azure Sentinel uses Log Analytics - so you can see the data from the portal, Log Analytics or Azure Sentinel - providing you have the data in a workspace. For my reference, what query are you using to see the Notifications data?

@Clive Watson: I think @uditk14 wants to know what query is needed, i.e. what are the events to look for in AzureActivity.

@Ofer_Shezaf @Clive Watson - Portal notifications seem to be a subset of Azure Activity. Usually, we get a notification on success or failure of activities. Some filtering needs to be applied to fetch the notifications from it. Trying to find that out.
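
One way to approximate the filtering discussed in this thread, as an added example that is not from any of the posters: a KQL query over `AzureActivity` that keeps the final success or failure record of each control-plane operation. It assumes the workspace already ingests Azure Activity, and the mapping from these records to the portal 'bell' notifications is an assumption taken from the thread, not something the logs record directly.

```kusto
// Added example: approximates portal "bell" notifications from AzureActivity.
// Assumption: a notification corresponds to the final success/failure record
// of an Administrative (control-plane) operation; the thread does not confirm this.
AzureActivity
| where TimeGenerated > ago(1d)
| where CategoryValue =~ "Administrative"
// Status spelling differs between schema versions, so accept both forms.
| where ActivityStatusValue in~ ("Success", "Succeeded", "Failure", "Failed")
// One operation emits several records sharing a CorrelationId; keep the latest.
| summarize arg_max(TimeGenerated, *) by CorrelationId
| project TimeGenerated, Caller, CallerIpAddress, OperationNameValue,
          ActivityStatusValue, ResourceGroup, _ResourceId
| order by TimeGenerated desc
```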