
# Azure Activity Logs Integration

Azure Activity Logs track operations performed across your subscription — things like resource creation, deletion, configuration changes, and access events. This integration forwards those events to ITOC360 as alerts so your on-call team gets notified when something significant happens in your Azure environment.

### How it works

Azure Monitor watches for activity log events that match your alert rule. When a match is found, it fires a webhook to ITOC360 via an Action Group. The platform parses the incoming payload and creates an alert automatically.

Since Activity Log alerts don't have a "resolved" state — each event is a one-time occurrence rather than an ongoing condition — every incoming webhook creates a new alert.

### Prerequisites

* An active Azure subscription
* Access to Azure Monitor with sufficient permissions to create alert rules and action groups
* Your ITOC360 webhook URL, `https://api.itoc360.app/functions/v1/events?token=<x-itoc-360>` (available from the Sources page in ITOC360)

### Setup

#### Step 1 — Create an alert rule

Go to **Azure Portal → Monitor → Alerts** and click **+ Create → Alert rule**.

On the **Scope** tab, set the scope level to **Subscription** and select your subscription from the resource browser. Click **Apply**.


#### Step 2 — Configure the condition

On the **Condition** tab, choose **All Administrative operations** as the signal. This covers the broadest range of activity log events. You can narrow it down later if needed — for example, filtering by a specific operation or resource type.

Leave Event Level, Status, and Event initiated by at their defaults unless you want to filter further.


#### Step 3 — Create an Action Group

On the **Actions** tab, select **Use action groups** and then click **+ Create action group**.

Fill in the basics:

* **Action group name** — something descriptive like `oncall-webhook`
* **Display name** — max 12 characters, e.g. `oncall`
* **Region** — Global works fine here

Move to the **Actions** tab within the action group wizard. Set the action type to **Webhook**, give it a name, and paste your ITOC360 webhook URL:

```
https://api.itoc360.app/functions/v1/events?token=<x-itoc-360>
```

**Important:** Make sure **Enable the common alert schema** is set to **Yes**. If this is left off, the payload structure will differ and the integration won't parse correctly.

Click **OK**, then complete the action group creation.


#### Step 4 — Finish the alert rule

Back on the alert rule wizard, give your rule a name under the **Details** tab — something like `activity-log-oncall`. Set the severity level if relevant (it doesn't affect routing in ITOC360 but helps with Azure's own alerting view).

Click **Review + create**, then **Create**.

Once created, you should see the rule listed as **Enabled** in the alert rules list.


### Verifying the integration

The easiest way to test without waiting for a real event is to perform any operation in Azure — editing a resource tag, changing a setting, or similar. This triggers an Administrative activity log event and should fire the webhook within a minute or two.

You can also test directly with a curl request:

```bash
curl -X POST "https://api.itoc360.app/functions/v1/events?token=<x-itoc-360>" \
  -H "Content-Type: application/json" \
  -d '{
    "schemaId": "Microsoft.Insights/activityLogs",
    "data": {
      "status": "Activated",
      "context": {
        "activityLog": {
          "eventSource": "Administrative",
          "eventDataId": "8195a56a-85de-4663-943e-1a2bf401ad94",
          "level": "Warning",
          "operationName": "Microsoft.Insights/actionGroups/write",
          "status": "Started",
          "subscriptionId": "your-subscription-id"
        }
      }
    }
  }'
```

A successful response returns the created event object with a 200 status.

***

### Field mappings

Azure Activity Log alerts use the Common Alert Schema. The platform reads the following fields:

| Azure Field                              | Platform Field                             |
| ---------------------------------------- | ------------------------------------------ |
| `data.context.activityLog.eventDataId`   | Fingerprint — ties together related events |
| `data.context.activityLog.level`         | Priority                                   |
| `data.context.activityLog.operationName` | Alert title                                |
| `data.context.activityLog.eventSource`   | Alert context                              |

#### Level to priority mapping

| Azure Level   | Platform Priority |
| ------------- | ----------------- |
| Critical      | CRITICAL          |
| Error         | HIGH              |
| Warning       | MEDIUM            |
| Informational | LOW               |
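The two mapping tables above, applied to a webhook body of the shape used in the curl test, as an added example (not the platform's own parser). The rejection of malformed or differently shaped payloads with `ValueError` is an assumption of this example:

```python
import json

# Azure level -> platform priority, as in the mapping table above.
LEVEL_TO_PRIORITY = {"Critical": "CRITICAL", "Error": "HIGH",
                     "Warning": "MEDIUM", "Informational": "LOW"}
ACTIVITY_LOG_SCHEMA = "Microsoft.Insights/activityLogs"


def map_activity_log_alert(body: str) -> dict:
    """Map a raw webhook body to the platform fields listed above.
    Rejecting a malformed or differently shaped payload is an assumption here."""
    try:
        payload = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"body is not valid JSON: {exc}") from exc
    if payload.get("schemaId") != ACTIVITY_LOG_SCHEMA:
        raise ValueError(f"unexpected schemaId {payload.get('schemaId')!r}")
    # Every mapped field sits under data.context.activityLog; a payload that
    # lacks that path (a different schema setting) cannot be mapped.
    log = payload.get("data", {}).get("context", {}).get("activityLog")
    if not isinstance(log, dict):
        raise ValueError("data.context.activityLog is missing")
    missing = [k for k in ("eventDataId", "level", "operationName", "eventSource")
               if k not in log]
    if missing:
        raise ValueError(f"activityLog is missing fields: {missing}")
    if log["level"] not in LEVEL_TO_PRIORITY:
        raise ValueError(f"unknown level {log['level']!r}")
    return {
        "fingerprint": log["eventDataId"],  # ties related events together
        "priority": LEVEL_TO_PRIORITY[log["level"]],
        "title": log["operationName"],
        "context": log["eventSource"],
    }


# Constructed sample body, the same shape as the curl test above.
SAMPLE_BODY = json.dumps({
    "schemaId": ACTIVITY_LOG_SCHEMA,
    "data": {"status": "Activated", "context": {"activityLog": {
        "eventSource": "Administrative",
        "eventDataId": "8195a56a-85de-4663-943e-1a2bf401ad94",
        "level": "Warning",
        "operationName": "Microsoft.Insights/actionGroups/write",
        "status": "Started",
        "subscriptionId": "your-subscription-id",
    }}},
})
```

Running `map_activity_log_alert(SAMPLE_BODY)` yields a MEDIUM-priority alert titled `Microsoft.Insights/actionGroups/write` with the `eventDataId` as its fingerprint.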

***

### Notes

Activity Log alerts don't resolve automatically. Each event is a discrete occurrence, so alerts created from this integration will need to be acknowledged or closed manually in ITOC360.

If you want to limit alerts to a specific operation type — for example, only fire when a virtual machine is deleted — you can do so by selecting a more specific signal in the Condition step instead of "All Administrative operations".
