Azure Arc-enabled Servers Azure Activity logs

Azure Arc is a new service from Microsoft that enables you to manage and monitor your on-premises and hybrid servers using the same tools and processes as you use for managing Azure resources. With Azure Arc, you can deploy and manage your servers using Azure Resource Manager templates, apply policies and compliance standards to your servers, and monitor and troubleshoot your servers using Azure Monitor and Azure Log Analytics.

Azure Arc is gaining popularity among organizations that want to manage their on-premises and hybrid servers in a consistent and centralized manner and benefit from the advanced features and capabilities of Azure. One of the key features of Azure Arc is the ability to use Azure VM extensions on your own infrastructure, which allows you to extend the functionality of your servers and automate common tasks.

In my recent blog posts, I have described how to use Azure Arc to install the Custom Script Extension for Windows on your Arc-connected nodes. The Custom Script Extension allows you to run PowerShell or Bash scripts on your Azure VMs, and can be used to automate various tasks, such as installing software, configuring settings, and applying updates.

In my blog posts, I provide step-by-step instructions for using the Custom Script Extension with Azure Arc. I recommend reading both of these posts:

Allowing PowerShell scripts to be executed from different places comes with a higher risk, because an attacker who gains the same rights can do exactly the same thing. Many companies are already using Microsoft Sentinel for their SIEM and SOAR. If you are not doing that today, I strongly recommend testing it out.

To get visibility into extension installations and other extension write operations in your environment, I put together the following KQL query. You can use it in Workbooks or as the basis for a detection.

// Extension create/update operations on Arc-enabled servers (Microsoft.HybridCompute resource provider).
// =~ is a case-insensitive comparison, so the query also matches mixed-case operation names.
AzureActivity
| where OperationNameValue =~ "MICROSOFT.HYBRIDCOMPUTE/MACHINES/EXTENSIONS/WRITE"
    and ResourceProviderValue =~ "MICROSOFT.HYBRIDCOMPUTE"
| extend Properties = parse_json(Properties)
// Properties.resource has the form "<machine name>/<extension name>"
| extend Server = tostring(split(Properties.resource, "/")[0])
| extend ['Extension Name'] = tostring(split(Properties.resource, "/")[1])
| extend User = tostring(Properties.caller)
| extend ['Resource Group'] = tostring(Properties.resourceGroup)
| extend ['Subscription ID'] = SubscriptionId   // top-level AzureActivity column
| extend ['IP Address'] = CallerIpAddress
| extend ['Activity Status'] = tostring(Properties.activityStatusValue)
| project TimeGenerated, Server, ['Extension Name'], User, ['Resource Group'], ['Subscription ID'], ['IP Address'], ['Activity Status']
| sort by TimeGenerated desc

From the results, you should see the Server, Extension Name, User, Resource Group, Subscription ID, IP Address and Activity Status for every extension write, newest first.
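To show what the query does row by row, here is an added Python example (not code from the original post) that applies the same filter and field extraction to constructed AzureActivity-shaped records, and then layers a simple allowlist check on top so that extension writes from an unexpected caller or source network can be surfaced as a detection. The sample rows, the `EXTENSION_WRITE_OP` constant and the allowlist arguments are assumptions made for this example; the `Properties` JSON keys mirror the ones the KQL query reads.

```python
import json
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List

# Constructed sample rows in the shape of the AzureActivity table (not real data).
# Properties is stored as a JSON string, which is why the KQL query calls parse_json().
SAMPLE_ACTIVITY: List[Dict[str, str]] = [
    {
        "TimeGenerated": "2023-03-01T10:15:00Z",
        "OperationNameValue": "MICROSOFT.HYBRIDCOMPUTE/MACHINES/EXTENSIONS/WRITE",
        "ResourceProviderValue": "MICROSOFT.HYBRIDCOMPUTE",
        "SubscriptionId": "11111111-1111-1111-1111-111111111111",
        "CallerIpAddress": "10.20.0.5",
        "Properties": json.dumps({
            "resource": "arc-web-01/CustomScriptExtension",
            "caller": "admin@contoso.example",
            "resourceGroup": "rg-arc-prod",
            "activityStatusValue": "Success",
        }),
    },
    {   # A machine write, not an extension write: must be filtered out.
        "TimeGenerated": "2023-03-01T09:40:00Z",
        "OperationNameValue": "MICROSOFT.HYBRIDCOMPUTE/MACHINES/WRITE",
        "ResourceProviderValue": "MICROSOFT.HYBRIDCOMPUTE",
        "SubscriptionId": "11111111-1111-1111-1111-111111111111",
        "CallerIpAddress": "10.20.0.5",
        "Properties": json.dumps({"resource": "arc-web-01", "caller": "admin@contoso.example",
                                  "resourceGroup": "rg-arc-prod", "activityStatusValue": "Success"}),
    },
    {   # Mixed-case operation name, unknown caller, source IP outside the corporate range.
        "TimeGenerated": "2023-03-01T11:02:00Z",
        "OperationNameValue": "Microsoft.HybridCompute/machines/extensions/write",
        "ResourceProviderValue": "Microsoft.HybridCompute",
        "SubscriptionId": "11111111-1111-1111-1111-111111111111",
        "CallerIpAddress": "198.51.100.77",
        "Properties": json.dumps({
            "resource": "arc-db-02/CustomScriptExtension",
            "caller": "someone@partner.example",
            "resourceGroup": "rg-arc-prod",
            "activityStatusValue": "Started",
        }),
    },
]

EXTENSION_WRITE_OP = "MICROSOFT.HYBRIDCOMPUTE/MACHINES/EXTENSIONS/WRITE"
HYBRID_COMPUTE_RP = "MICROSOFT.HYBRIDCOMPUTE"


def extension_write_events(rows: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Mirror the KQL query: filter on operation and provider (case-insensitively, like =~),
    parse Properties, derive Server and Extension Name, project the columns, newest first."""
    events = []
    for row in rows:
        if row["OperationNameValue"].upper() != EXTENSION_WRITE_OP:
            continue
        if row["ResourceProviderValue"].upper() != HYBRID_COMPUTE_RP:
            continue
        props = json.loads(row["Properties"])
        # Properties.resource is "<machine>/<extension>", split on "/" exactly as the query does.
        parts = props.get("resource", "").split("/")
        events.append({
            "TimeGenerated": row["TimeGenerated"],
            "Server": parts[0],
            "Extension Name": parts[1] if len(parts) > 1 else "",
            "User": props.get("caller", ""),
            "Resource Group": props.get("resourceGroup", ""),
            "Subscription ID": row.get("SubscriptionId", ""),
            "IP Address": row.get("CallerIpAddress", ""),
            "Activity Status": props.get("activityStatusValue", ""),
        })
    # KQL 'sort by' defaults to descending order.
    return sorted(events, key=lambda e: e["TimeGenerated"], reverse=True)


def unexpected_extension_writes(events: List[Dict[str, str]],
                                allowed_users: Iterable[str],
                                allowed_networks: Iterable[str]) -> List[Dict[str, str]]:
    """Hypothetical detection rule: flag extension writes whose caller is not in the
    allowed-user list or whose source IP is outside the allowed networks."""
    users = {u.lower() for u in allowed_users}
    nets = [ip_network(n) for n in allowed_networks]
    flagged = []
    for e in events:
        user_ok = e["User"].lower() in users
        try:
            ip_ok = any(ip_address(e["IP Address"]) in n for n in nets)
        except ValueError:      # empty or malformed CallerIpAddress: treat as not allowed
            ip_ok = False
        if not (user_ok and ip_ok):
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    found = extension_write_events(SAMPLE_ACTIVITY)
    for e in found:
        print(e["TimeGenerated"], e["Server"], e["Extension Name"], e["User"], e["IP Address"], e["Activity Status"])
    for e in unexpected_extension_writes(found, ["admin@contoso.example"], ["10.20.0.0/16"]):
        print("ALERT: unexpected extension write", e["Server"], e["User"], e["IP Address"])
```

The allowlist check is only a starting point: in Sentinel you would typically compare the caller and source IP against a watchlist of expected automation identities and management networks, and also alert on `Activity Status` values that show repeated failures.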

Are you ready to take your on-premises servers to the next level with Azure Arc? Contact me today and let me help you implement Azure Arc for your servers and unlock the full potential of your hybrid infrastructure.