Can we find Azure portal notifications in logs

I need to fetch the Azure portal notifications from logs. Is there a way to do it in Azure Sentinel?
5 Replies

@uditk14

Do you mean, from the Portal blade 'bell' icon? I'm pretty sure they are not stored in Logs.

 


@CliveWatson - Yes, I want the bell icon notifications. I am able to fetch similar details in the Azure Activity but I wanted to know if something exists directly for this.

 

@uditk14

AzureActivity is a source you can store in a Log Analytics workspace, Azure Sentinel uses Log Analytics - so you can see the data from the portal, Log Analytics or Azure Sentinel - providing you have the data in a workspace. For my reference, what query are you using to see the Notifications data?

@CliveWatson: I think @uditk14 wants to know what the query needed is, i.e. what are the events to look for in AzureActivity.

@Ofer_Shezaf @CliveWatson - Portal notifications seem to be a subset of Azure Activity. Usually, we get a notification on success or failure of activities. Some filtering needs to be applied to fetch the notifications from it. Trying to find that out.
