Queries for the CHSMManagementAuditLogs table

For information on using these queries in the Azure portal, see Log Analytics tutorial. For the REST API, see Query.

Aggregate operations query

List logs for specific HSM partition operations.

CHSMManagementAuditLogs
| where OperationName == "END_MARKER_OPCODE (0xffff)/SPECIAL (0xffff)" 
| where OperationName == "CN_GENERATE_KEY_PAIR (0x19)/CN_MGMT_CMD (0x0)"
| sort by TimeGenerated desc 
| limit 100

Failed operations count

Count of failed HSM partition operations requests by userId, operationName and opCode.

CHSMManagementAuditLogs
| where not(Response contains "FAIL")
| summarize count() by TimeGenerated, UserId, OperationName, Opcode

Operations per user

Count of total HSM partition operations performed per user.

CHSMManagementAuditLogs
| summarize count() by UserId