Azure Kusto Query Language hot tip: Finding out who deleted locks

By /

The locks feature in Microsoft Azure is important to protect provisioned resources and should be monitored accordingly. We can use Azure Kusto Query Language to retrieve the last successful attempts of locks deletion in a few lines.

The result of the query that we will be working on today is depicted in the image below, where we can spot in a single glance the most important questions that we need to investigate/audit locks. They are: when, who, and what was deleted.

The query required to provide that output is listed below.

AzureActivity
| where TimeGenerated > ago(24h)
| where OperationNameValue == 'MICROSOFT.AUTHORIZATION/LOCKS/DELETE'
| where ActivityStatusValue == 'Success'
| order by TimeGenerated desc
| project  TimeGenerated, Caller, ResourceProviderValue, resource = parse_json(Properties).resource, SubscriptionId, ResourceGroup, OperationNameValue,  ActivityStatusValue, ActivitySubstatusValue

 

About The Author

Anderson Patricio is a Canadian MVP in Cloud and Datacenter Management, and Office Server and Services, besides of the Microsoft Award he also holds a Solutions Master (MCSM) in Exchange, CISSP and several other certifications. Anderson contributes to the Microsoft Community with articles, tutorials, blog posts, twitter, forums and book reviews. He is a regular contributor here at Techgenix.com, MSExchange.org, ITPROCentral.com and Anderson Patricio.org (Portuguese).

Read Next

Static vs Dynamic IP Address

Static vs Dynamic IP Address

Most people are familiar with Internet Protocol (IP) Addresses, but many people don’t know you have 2 types. In this article, you’ll learn about static…

Read More »

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top