Probably, most of you know that when you enable Azure Activity connector in Azure Sentinel Connector’ s blade almost every audit log generated from Azure resources is saved in the AzureActivity Table.
Well, almost does not mean all :) In fact, from the Azure portal we can only manage the subscriptions level, but some audits created by the Root management group are not collected by default by the Azure Sentinel collectors.
For example, operations logged by the Microsoft.Management resource provider are not available at root level as creation/move/delete of subscriptions.
To keep under control these logs we can configure the audit using the Azure Monitor REST API following the steps below:
Under management groups take the “tenant root group ID” (ManagementGroupID)and Name
I hope it will help you, save some time as well as some headaches!
See you next time!
Disclaimer The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.