KQL Query – Identifying Failed Azure Arc-enabled Servers Extension Installations

If you’re using Azure Arc for Servers, you may have encountered instances where the Extension failed to install correctly.

We can use the following KQL query in Sentinel or Log Analytics. By running the following query, you can quickly see which servers have failed Azure Arc for Servers Extension installations:

				
					AzureActivity | where OperationNameValue == "MICROSOFT.HYBRIDCOMPUTE/MACHINES/EXTENSIONS/WRITE" and ActivityStatusValue == "Failure"
| extend Properties = (parse_json(Properties))
| extend Server = toupper(split(Properties.resource,"/")[0])
| extend ["Extension Name"] = split(Properties.resource,"/")[1]
| extend User = Properties.caller
| extend ["Resource Group"] = Properties.resourceGroup
| extend ["Susbcription ID"] = Properties.SubscriptionId
| extend ["IP Address"] = CallerIpAddress
| extend ["Activity Status"] = Properties.activityStatusValue
| project TimeGenerated,Server, User, ['Resource Group'],["Extension Name"],['Susbcription ID'], ['IP Address'],["Activity Status"]
| sort by TimeGenerated

Revolutionize Your Security Operations with Microsoft Sentinel

Discover the Next-Generation SIEM Solution: Contact Us to Learn How Microsoft Sentinel Can Transform Your Security Operations

Schedule a Call

Call to Action

Results

This query will return a list of all the servers that have experienced failed Azure Arc for Servers Extension installations.

Contact me

If you’re interested in learning about KQL Query – Identifying Failed Azure Arc-enabled Servers Extension Installations. I can help you understand how this solution can benefit your organization and provide a customized solution tailored to your specific needs.