KQL Query – Who deleted my Azure Arc-enabled Server

In this blog post, I will show you how to use the KQL query to find out who deleted your Azure Arc node. Last week, I wrote a blog post about using a KQL query to track Azure Arc for Servers Extension installations.

This KQL query uses the AzureActivity table and filters for events where the operation name is “MICROSOFT.HYBRIDCOMPUTE/MACHINES/DELETE” and the activity status is “Success”.

				
					AzureActivity | where OperationNameValue == "MICROSOFT.HYBRIDCOMPUTE/MACHINES/DELETE" and ActivityStatusValue == "Success"
| extend Properties = (parse_json(Properties))
| extend Server = toupper(split(Properties.resource,"/")[0])
| extend User = Properties.caller
| extend ["Resource Group"] = Properties.resourceGroup
| extend ["Susbcription ID"] = Properties.SubscriptionId
| extend ["IP Address"] = CallerIpAddress
| extend ["Activity Status"] = Properties.activityStatusValue
| project TimeGenerated,Server, User, ['Resource Group'], ['Susbcription ID'], ['IP Address'],["Activity Status"]
| sort by TimeGenerated

Results

You should see the Server Name, User, Resource Group, IP Address and Activity Status.

Contact me

If you’re interested in learning about KQL Query – Who deleted my Azure Arc-enabled Server. I can help you understand how this solution can benefit your organization and provide a customized solution tailored to your specific needs.