KQL Query – Who deleted my Azure Arc-enabled Server

In this blog post, I will show you how to use a KQL query to find out who deleted your Azure Arc node. Last week, I wrote a blog post about using a KQL query to track Azure Arc for Servers Extension installations.

This KQL query uses the AzureActivity table and filters for events where the operation name is "MICROSOFT.HYBRIDCOMPUTE/MACHINES/DELETE" and the activity status is "Success":

AzureActivity
// Keep only successful deletions of Azure Arc-enabled servers
| where OperationNameValue == "MICROSOFT.HYBRIDCOMPUTE/MACHINES/DELETE" and ActivityStatusValue == "Success"
| extend Properties = parse_json(Properties)
// Values read from Properties are dynamic; cast them to string before using string functions
| extend Server = toupper(tostring(split(tostring(Properties.resource), "/")[0]))
| extend User = tostring(Properties.caller)
| extend ["Resource Group"] = tostring(Properties.resourceGroup)
// SubscriptionId is read from the top-level AzureActivity column
| extend ["Subscription ID"] = SubscriptionId
| extend ["IP Address"] = CallerIpAddress
| extend ["Activity Status"] = tostring(Properties.activityStatusValue)
| project TimeGenerated, Server, User, ["Resource Group"], ["Subscription ID"], ["IP Address"], ["Activity Status"]
| sort by TimeGenerated desc

Results

You should see the Server Name, User, Resource Group, IP Address and Activity Status.
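As an added example (not part of the original post), the query below extends the one above: it groups successful deletions per user and source IP in one-hour windows and flags bursts, which helps separate a single clean-up from a bulk removal. The SampleActivity rows, the BulkThreshold value and the output column names are constructed for illustration; replace SampleActivity with AzureActivity to run it against a real workspace.

```kql
// Added example: SampleActivity is constructed data standing in for AzureActivity.
let BulkThreshold = 3;   // assumed cut-off for treating a burst as a bulk deletion
let SampleActivity = datatable(TimeGenerated:datetime, OperationNameValue:string,
    ActivityStatusValue:string, CallerIpAddress:string, Properties:dynamic)
[
    // admin1 removes three machines within the same hour (Start + Success pairs)
    datetime(2024-01-10 09:01:00), "MICROSOFT.HYBRIDCOMPUTE/MACHINES/DELETE", "Start",   "203.0.113.10", dynamic({"resource":"srv01","caller":"admin1@contoso.example","resourceGroup":"RG-ARC"}),
    datetime(2024-01-10 09:01:05), "MICROSOFT.HYBRIDCOMPUTE/MACHINES/DELETE", "Success", "203.0.113.10", dynamic({"resource":"srv01","caller":"admin1@contoso.example","resourceGroup":"RG-ARC"}),
    datetime(2024-01-10 09:03:10), "MICROSOFT.HYBRIDCOMPUTE/MACHINES/DELETE", "Success", "203.0.113.10", dynamic({"resource":"srv02","caller":"admin1@contoso.example","resourceGroup":"RG-ARC"}),
    datetime(2024-01-10 09:04:40), "MICROSOFT.HYBRIDCOMPUTE/MACHINES/DELETE", "Success", "203.0.113.10", dynamic({"resource":"srv03","caller":"admin1@contoso.example","resourceGroup":"RG-ARC"}),
    // a failed attempt and an unrelated write operation, both filtered out
    datetime(2024-01-10 09:06:00), "MICROSOFT.HYBRIDCOMPUTE/MACHINES/DELETE", "Failure", "203.0.113.10", dynamic({"resource":"srv04","caller":"admin1@contoso.example","resourceGroup":"RG-ARC"}),
    datetime(2024-01-10 10:15:00), "MICROSOFT.HYBRIDCOMPUTE/MACHINES/WRITE",  "Success", "198.51.100.7", dynamic({"resource":"srv05","caller":"admin2@contoso.example","resourceGroup":"RG-ARC"}),
    // admin2 removes a single machine later in the day
    datetime(2024-01-10 14:30:00), "MICROSOFT.HYBRIDCOMPUTE/MACHINES/DELETE", "Success", "198.51.100.7", dynamic({"resource":"srv09","caller":"admin2@contoso.example","resourceGroup":"RG-LAB"})
];
SampleActivity
| where OperationNameValue =~ "MICROSOFT.HYBRIDCOMPUTE/MACHINES/DELETE"
| where ActivityStatusValue == "Success"
// Same field extraction as the query above, with explicit string casts
| extend Server = toupper(tostring(split(tostring(Properties.resource), "/")[0]))
| extend User = tostring(Properties.caller)
| summarize Deletions   = count(),
            Servers     = make_set(Server),
            FirstDelete = min(TimeGenerated),
            LastDelete  = max(TimeGenerated)
    by User, CallerIpAddress, Window = bin(TimeGenerated, 1h)
// Flag any user/IP pair that removed BulkThreshold or more machines in one window
| extend BulkDelete = Deletions >= BulkThreshold
| sort by Deletions desc
```

The `=~` operator makes the operation-name match case-insensitive, so the filter still works if the value is logged in mixed case.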

Summary

Are you ready to take your on-premises servers to the next level with Azure Arc? Contact me today and let me help you implement Azure Arc for your servers and unlock the full potential of your hybrid infrastructure.