KQL Query – Who deleted my Azure Arc-enabled Server
In this blog post, I will show you how to use a KQL query to find out who deleted your Azure Arc node. Last week, I wrote a blog post about using a KQL query to track Azure Arc for Servers Extension installations.
This KQL query uses the AzureActivity table and filters for events where the operation name is "MICROSOFT.HYBRIDCOMPUTE/MACHINES/DELETE" and the activity status is "Success":
AzureActivity
| where OperationNameValue == "MICROSOFT.HYBRIDCOMPUTE/MACHINES/DELETE" and ActivityStatusValue == "Success"
// Properties is stored as a JSON string; parse it so individual fields can be read
| extend Properties = parse_json(Properties)
// Values read from parsed JSON are dynamic, so cast them before using string functions
| extend Server = toupper(tostring(split(tostring(Properties.resource), "/")))
| extend User = Properties.caller
| extend ["Resource Group"] = Properties.resourceGroup
// SubscriptionId is read from the top-level AzureActivity column
| extend ["Subscription ID"] = SubscriptionId
| extend ["IP Address"] = CallerIpAddress
| extend ["Activity Status"] = Properties.activityStatusValue
| project TimeGenerated, Server, User, ["Resource Group"], ["Subscription ID"], ["IP Address"], ["Activity Status"]
| sort by TimeGenerated
You should see the Server Name, User, Resource Group, IP Address and Activity Status.
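The same filter run over a small constructed table, as an added example that is not part of the original post. It goes slightly beyond the query above by matching case-insensitively with =~ and by grouping the successful deletions per caller and source IP. The table name SampleActivity and every row, account name and address in it are made up for illustration.

```kql
// Constructed sample rows standing in for AzureActivity (all values are made up).
let SampleActivity = datatable(
    TimeGenerated: datetime,
    OperationNameValue: string,
    ActivityStatusValue: string,
    CallerIpAddress: string,
    Properties: string)
[
    // One delete normally produces more than one record; only the final status should count.
    datetime(2024-01-10 09:00:00), "MICROSOFT.HYBRIDCOMPUTE/MACHINES/DELETE", "Start",   "203.0.113.10",
        '{"resource":"srv01","resourceGroup":"RG-ARC","caller":"alice@contoso.example"}',
    datetime(2024-01-10 09:00:05), "MICROSOFT.HYBRIDCOMPUTE/MACHINES/DELETE", "Success", "203.0.113.10",
        '{"resource":"srv01","resourceGroup":"RG-ARC","caller":"alice@contoso.example"}',
    datetime(2024-01-10 09:02:00), "MICROSOFT.HYBRIDCOMPUTE/MACHINES/DELETE", "Success", "203.0.113.10",
        '{"resource":"srv02","resourceGroup":"RG-ARC","caller":"alice@contoso.example"}',
    // A failed attempt: worth reviewing separately, but the machine was not deleted.
    datetime(2024-01-11 14:30:00), "MICROSOFT.HYBRIDCOMPUTE/MACHINES/DELETE", "Failure", "198.51.100.7",
        '{"resource":"srv03","resourceGroup":"RG-ARC","caller":"bob@contoso.example"}',
    // Same operation written in mixed case: a case-sensitive == would miss this row.
    datetime(2024-01-11 14:35:00), "Microsoft.HybridCompute/machines/delete", "Success", "198.51.100.7",
        '{"resource":"srv04","resourceGroup":"RG-ARC","caller":"bob@contoso.example"}',
    // A different operation on an Arc machine: must be excluded.
    datetime(2024-01-12 08:00:00), "MICROSOFT.HYBRIDCOMPUTE/MACHINES/WRITE",  "Success", "203.0.113.55",
        '{"resource":"srv05","resourceGroup":"RG-ARC","caller":"carol@contoso.example"}'
];
SampleActivity
| where OperationNameValue =~ "MICROSOFT.HYBRIDCOMPUTE/MACHINES/DELETE"
    and ActivityStatusValue =~ "Success"
| extend Props = parse_json(Properties)
// Cast dynamic values to string before using them as grouping keys or in string functions.
| extend Server = toupper(tostring(Props.resource)),
         User = tostring(Props.caller)
// One row per caller and source IP, with the machines removed and the time window.
| summarize Deletions = count(),
            Servers = make_set(Server),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by User, CallerIpAddress
| sort by Deletions desc
```

To run it against real data, drop the let statement and start the pipeline from AzureActivity instead of SampleActivity.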
Are you ready to take your on-premises servers to the next level with Azure Arc? Contact me today and let me help you implement Azure Arc for your servers and unlock the full potential of your hybrid infrastructure.