1 min read

KQL Query – Who removed Azure Monitoring Agent Extension

KQL Query – Who removed Azure Monitoring Agent Extension
Who removed Azure Monitoring Agent Extension

Azure Monitoring Agent (AMA) allows us to collect logs and other performance and diagnostic data from our Windows or Linux machines. If you are using Microsoft Sentinel to monitor your hybrid-cloud environment, you may have already enabled the Azure Monitoring Agent Extension on your servers to collect data from these machines.

As an administrator, it is super important that the AMA Extension is installed on every server.

If you are responsible for managing Microsoft Sentinel in your organization, you can configure the following detection rule to detect instances of the AMA (Azure Monitoring Agent) Extension being uninstalled. You can scope this rule to apply only to specific nodes or other resources if necessary.

In this KQL query I’m using the AzureActivity table and filtering data based on the OperationNameValue. OperationNameValue must be "MICROSOFT.HYBRIDCOMPUTE/MACHINES/EXTENSIONS/DELETE"

AzureActivity | where OperationNameValue == "MICROSOFT.HYBRIDCOMPUTE/MACHINES/EXTENSIONS/DELETE" and ActivityStatusValue == "Success"
| extend Properties = (parse_json(Properties))
| extend Server = toupper(split(Properties.resource,"/")[0])
| extend ["Extension Name"] = split(Properties.resource,"/")[1]
| extend User = Properties.caller
| extend ["Resource Group"] = Properties.resourceGroup
| extend ["Susbcription ID"] = Properties.SubscriptionId
| extend ["IP Address"] = CallerIpAddress
| extend ["Activity Status"] = Properties.activityStatusValue
| where ['Extension Name'] == "amawindows" or ['Extension Name'] == "azuremonitorwindowsagent"
| project TimeGenerated,Server, User, ['Resource Group'],["Extension Name"],['Susbcription ID'], ['IP Address'],["Activity Status"]
| sort by TimeGenerated
AMA Extension Query


Are you ready to take your on-premises servers to the next level with Azure Arc? Contact me today and let me help you implement Azure Arc for your servers and unlock the full potential of your hybrid infrastructure.