KQL Query – Identify new Azure Arc-enabled Server Onboardings

This KQL (Kusto Query Language) query detects newly onboarded Azure Arc-enabled servers in Microsoft Sentinel. It filters AzureActivity events by OperationNameValue, ActivityStatusValue, and ActivitySubstatusValue.
The query selects events whose OperationNameValue is "MICROSOFT.HYBRIDCOMPUTE/MACHINES/WRITE", whose ActivityStatusValue is "Success", and whose ActivitySubstatusValue is "OK"; that combination indicates that a new Azure Arc-enabled server was onboarded successfully. The server name, the caller, the resource group, and the subscription are then extracted from the Properties JSON payload of each event.
```kql
// Successful write operations against Microsoft.HybridCompute/machines
// correspond to Azure Arc-enabled server onboardings (and updates).
AzureActivity
| where OperationNameValue == "MICROSOFT.HYBRIDCOMPUTE/MACHINES/WRITE"
| where ActivityStatusValue == "Success" and ActivitySubstatusValue == "OK"
// Properties is a JSON string; parse it once so the fields below can be addressed.
| extend Properties = parse_json(Properties)
// The resource path's first segment is the machine name; normalise it to upper case.
| extend Server = toupper(tostring(split(Properties.resource, "/")[0]))
| extend User = tostring(Properties.caller)
| extend ['Resource Group'] = tostring(Properties.resourceGroup)
| extend ['Subscription ID'] = tostring(Properties.SubscriptionId)
| extend ['Activity Status'] = tostring(Properties.activityStatusValue)
| project TimeGenerated, Server, User, ['Resource Group'], ['Subscription ID'], ['Activity Status']
| sort by TimeGenerated
```
Results

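The query above lists every onboarding; the following added example (not part of the original post) reshapes the same detection into an alerting query that aggregates onboardings per caller over a 24-hour window and flags callers that are not on an allow-list of expected onboarding identities. The allow-list values, the 24h lookback and the burst threshold are assumptions to be replaced with your own.

```kql
// Added example: surface Arc onboardings performed by unexpected identities
// or in unusual bursts. The allow-list is constructed; substitute the
// service principals and admin accounts that legitimately onboard servers.
let ExpectedOnboarders = dynamic(["arc-onboarding-sp@contoso.example", "arcadmin@contoso.example"]);
let Lookback = 24h;          // assumption: evaluate the last 24 hours
let BurstThreshold = 10;     // assumption: more than 10 onboardings by one caller is unusual
AzureActivity
| where TimeGenerated > ago(Lookback)
| where OperationNameValue == "MICROSOFT.HYBRIDCOMPUTE/MACHINES/WRITE"
| where ActivityStatusValue == "Success" and ActivitySubstatusValue == "OK"
| extend Props = parse_json(Properties)
| extend Server = toupper(tostring(split(Props.resource, "/")[0]))
// Group by the identity that performed the onboarding and where it landed.
| summarize
    Onboardings = count(),
    Servers = make_set(Server, 50),
    SourceIPs = make_set(CallerIpAddress, 10),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by Caller, ResourceGroup, SubscriptionId
// Case-insensitive membership test against the allow-list.
| extend UnexpectedCaller = not(Caller in~ (ExpectedOnboarders))
| where UnexpectedCaller or Onboardings > BurstThreshold
| project FirstSeen, LastSeen, Caller, UnexpectedCaller, Onboardings, Servers, SourceIPs, ResourceGroup, SubscriptionId
| sort by Onboardings desc
```

Scheduled as a Sentinel analytics rule with a matching 24-hour frequency and lookback, each returned row becomes one incident per caller rather than one per server.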
Summary
Are you ready to take your on-premises servers to the next level with Azure Arc? Contact me today and let me help you implement Azure Arc for your servers and unlock the full potential of your hybrid infrastructure.