Exploring Activity

The Activity Explorer page lets you find Azure operations across your environment using a column-based hierarchy and three filters. Open it from the left sidebar under Azure Logs > Activity Logs.

Prerequisites

Permission and data required

  • Your StratoLens role must include Activity Log: Read. Without it, the page shows an access-denied message instead of the explorer.
  • At least one scan must have collected activity data for the time range you're inspecting. See Automated Scanning for how that data gets populated.

Filters and Time Range

Three filters scope everything on the page: Start/End, User, and Types. Changing any filter recomputes the operation-count badges on every column and re-filters the details panel immediately, so you can verify a filter is taking effect without refreshing.

Defaults

  • Start: Previous day at 00:00:00 (local time)
  • End: Today at 23:59:59 (local time)
  • User: All users
  • Types: All five types selected (Create, Update, Delete, Action, RBAC)

User dropdown

The User dropdown lists every user who appears in operations within the current time range. A user who was active last week won't appear if your range is set to today, so widen the time range first if you can't find someone.

Operation types

Types is a multi-select with five values:

  • Create: Resource or scope creation.
  • Update: Configuration or property changes (including tag writes).
  • Delete: Resource or scope deletion.
  • Action: Anything that isn't a create, update, delete, or RBAC operation. Examples: starting a VM, restarting an app, or any custom resource action.
  • RBAC: Role assignments and removals.

Browsing the Hierarchy

The left side of the page is built from three columns: Subscriptions (which also includes management groups at the top), Resource Groups, and Resources. Click an item to expand the next level, or click a magnifying-glass icon to open scope-level details for that item.

Only entities with activity appear

Subscriptions and management groups only show up in the column if they have at least one operation in the current time range and filters. The same applies as you drill in: empty resource groups and resources are hidden. If something you expect is missing, widen the Start date or relax your filters.

Operation-count badges

Each row carries colored circles showing how many operations of each type fall under it in the current time range and filters. The order is green (Create), orange (Update), red (Delete), blue (Action), purple (RBAC). Hover for a tooltip like "5 create operations". A single gray 0 appears if there are none.

Badge counts are cumulative

A subscription's badges include all operations under it across resource groups and resources. A resource's badges only count that resource. Compare the two carefully when a number looks off.

The View details icon

A magnifying-glass View details icon appears on a subscription or resource group row only when there are operations targeting that scope itself: a subscription move, a tag write at the subscription level, or an RBAC change at the resource group level. Click it to open the details panel for that entity without changing which children are expanded.

If a subscription or resource group has no scope-level operations of its own, the icon is hidden and clicking the row only expands its children.
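The rollup described under "Badge counts are cumulative" and the View details icon rule, as an added Python example; this is not StratoLens code, and the sample operations, row keys and function names are constructed for illustration. It assumes each operation has already been attributed to the scope it targets and classified into one of the five types.

```python
from collections import Counter, defaultdict

BADGE_ORDER = ("Create", "Update", "Delete", "Action", "RBAC")  # order given on the page

# Constructed sample scopes, written in Azure resource-ID form.
SUB_A = "/subscriptions/sub-a"
RG_WEB = SUB_A + "/resourceGroups/rg-web"
VM1 = RG_WEB + "/providers/Microsoft.Compute/virtualMachines/vm1"
ST1 = RG_WEB + "/providers/Microsoft.Storage/storageAccounts/st1"
SQL1 = "/subscriptions/sub-b/resourceGroups/rg-db/providers/Microsoft.Sql/servers/sql1"

# Constructed sample operations: (scope the operation targets, operation type).
OPERATIONS = [
    (SUB_A, "Update"),   # tag write at the subscription level
    (RG_WEB, "RBAC"),    # RBAC change at the resource group level
    (VM1, "Create"),
    (VM1, "Action"),
    (ST1, "Delete"),
    (SQL1, "Update"),
]

def rows_for(target):
    """Rows an operation counts toward: its subscription, resource group, and resource."""
    parts = target.strip("/").split("/")
    rows = ["/" + "/".join(parts[:2])]
    if len(parts) >= 4:
        rows.append("/" + "/".join(parts[:4]))
    if len(parts) > 4:
        rows.append("/" + "/".join(parts))
    return rows

def summarize(operations, types=BADGE_ORDER):
    """Map each row with activity to its badge counts and its own scope-level count."""
    badges, own = defaultdict(Counter), Counter()
    for target, op_type in operations:
        if op_type not in types:       # Types filter
            continue
        own[target] += 1               # operations targeting this scope itself
        for row in rows_for(target):   # cumulative: every ancestor row counts it too
            badges[row][op_type] += 1
    # Rows with no matching operations never enter the dict, so they stay hidden.
    return {r: {"badges": [c[t] for t in BADGE_ORDER], "own": own[r]}
            for r, c in badges.items()}

def shows_view_details(summary, row):
    """Icon appears on subscription and resource group rows with scope-level operations."""
    is_scope_row = len(row.strip("/").split("/")) <= 4
    return is_scope_row and summary.get(row, {}).get("own", 0) > 0
```

With this sample, sub-a shows one badge of each type while rg-web shows no Update badge, because the tag write targeted the subscription itself rather than anything inside the resource group.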

Management groups

Management groups appear at the top of the Subscriptions column, separated from subscriptions by a thin divider. They never expand into child columns in this view; clicking a management group row immediately opens its details panel.

Collapsing columns on narrow screens

Once a column has a selection, a small left-chevron appears in its header. Click it to collapse the column to a narrow vertical strip with the selected name written sideways, useful when you want to see the next column without losing your place. Click the right-chevron to expand the column again. Collapsing doesn't change which entity is selected.

The Details Panel

The right side of the page is the Activity Details panel. It lists operation cards for whatever is currently selected in the columns. Before any selection, the panel shows the prompt "Explore Azure activity logs using the columns on the left."

View in Explorer

For subscriptions, resource groups, and resources, a View in Explorer button appears at the top-right of the panel. Click it to open the same entity in the main Explorer page with the current context preserved. Management groups don't have this button.

Pagination

Operations are sorted by timestamp, most recent first. The panel shows up to 25 operations per page. When there's more than one page, the footer shows Previous, numbered page buttons, and Next; otherwise a single line reads "Showing N operations for ENTITY."

Click-to-deselect

Clicking the same management group, scope-level icon, or resource a second time deselects it and clears the panel.

Operation Cards

Each operation in the details panel is rendered as a card. The collapsed card shows a friendly name on top (the resource name for create/update/delete/action, or a parsed summary for RBAC and subscription-move events), the operation type in parentheses, the raw operation name like Microsoft.Compute/virtualMachines/write, the timestamp, the user, and a category and status badge.

Click a card to expand it. The expansion shows a property table that depends on the operation type, plus a Show Raw JSON button that toggles the full Activity Log entry.

Status badges

  • Succeeded: The default success badge.
  • Started: The operation began but a terminal status hasn't been recorded yet.
  • Accepted: Azure accepted the request; completion is asynchronous.
  • Failed: Shown in red. The operation didn't complete successfully.

Other statuses appear in gray with the raw value.

Category badges

  • Administrative: Resource and configuration changes.
  • Security: Security-related events from Azure.
  • Policy: Azure Policy evaluations and compliance events.
  • Service Health: Azure service-health notifications.

Anything outside these four shows the raw category in gray.

Caller and source IP

The card prefers a resolved display name (the User field). When the original Azure caller (a UPN, service principal ID, and so on) differs from the resolved user, both are shown. The source IP appears underneath when Azure recorded one.

RBAC and Subscription Moves

Two operation types get extra parsing because their raw payloads aren't self-explanatory.

RBAC operations

Role assignments and removals appear with a friendly headline like "Role X assigned to Y" or "Role X removed from Y." Expanding the card reveals a Role Assignment Details table with the role, the principal, the principal type, and the scope.

Subscription moves

When a subscription is moved between management groups, the card headline reads "Subscription 'X' moved from 'A' to 'B'." The expanded view shows a Subscription Move Details table with the source and target management groups.

Sharing a View

The current selection, time range, and filters are stored in the URL. Bookmark the page once you've set things up, or copy the URL to a teammate; the page reopens in the same state. The browser's Back button reverses filter and selection changes.

Troubleshooting

My filters return zero results

Check the time range first

The User dropdown only lists users seen in operations within the current time range. A user who was active last week won't appear if your range is set to today. Widen the Start date and re-check.

The page shows "Error Loading Activity Data"

Adjust filters and try again

A backend error occurred while fetching the hierarchy. The columns stay visible underneath the overlay so you can change filters and try again without losing your place.

First-time install shows no subscriptions or management groups

No data has been collected yet

If no scans have completed yet, the columns will say "No management groups or subscriptions found for the selected filters." This is expected. See Automated Scanning for how to run a scan.