Resource locks in Microsoft Azure are important for protecting provisioned resources, so their removal should be monitored accordingly. With a few lines of Azure Kusto Query Language (KQL) we can retrieve the most recent successful lock deletions.
The result of the query that we will be working on today is depicted in the image below, where we can see at a glance the answers to the most important questions when investigating or auditing locks: when, who, and what was deleted.
The query required to provide that output is listed below.
AzureActivity
| where TimeGenerated > ago(24h)
| where OperationNameValue == 'MICROSOFT.AUTHORIZATION/LOCKS/DELETE'
| where ActivityStatusValue == 'Success'
| order by TimeGenerated desc
| project TimeGenerated, Caller, ResourceProviderValue, resource = parse_json(Properties).resource, SubscriptionId, ResourceGroup, OperationNameValue, ActivityStatusValue, ActivitySubstatusValue
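
A natural follow-up when auditing is to check whether a lock removal was followed by the deletion of something the lock was protecting. The query below is an added example, not part of the original post: it pairs each successful lock deletion with successful delete operations in the same subscription and resource group shortly afterwards. The one-hour window, the variable names and the output column names are assumptions to adapt to your environment.

```kusto
// Added example: lock deletions followed by another successful delete
// in the same subscription and resource group.
let lookback = 24h;
let correlationWindow = 1h;   // assumed value, tune to your change process
let lockDeletes = AzureActivity
    | where TimeGenerated > ago(lookback)
    | where OperationNameValue =~ 'MICROSOFT.AUTHORIZATION/LOCKS/DELETE'
    | where ActivityStatusValue == 'Success'
    | project LockDeletedAt = TimeGenerated,
              LockCaller = Caller,
              LockResource = tostring(parse_json(Properties).resource),
              SubscriptionId,
              // resource group casing is not always consistent between records
              ResourceGroup = tolower(ResourceGroup);
lockDeletes
| join kind=inner (
    AzureActivity
    | where TimeGenerated > ago(lookback)
    | where OperationNameValue endswith '/DELETE'
    // exclude the lock deletions themselves
    | where OperationNameValue !~ 'MICROSOFT.AUTHORIZATION/LOCKS/DELETE'
    | where ActivityStatusValue == 'Success'
    | project DeletedAt = TimeGenerated,
              DeleteCaller = Caller,
              DeleteOperation = OperationNameValue,
              DeletedResourceId = _ResourceId,
              SubscriptionId,
              ResourceGroup = tolower(ResourceGroup)
  ) on SubscriptionId, ResourceGroup
// keep only deletes that happened after the lock was removed, within the window
| where DeletedAt between (LockDeletedAt .. (LockDeletedAt + correlationWindow))
| project LockDeletedAt, LockCaller, LockResource,
          DeletedAt, DeleteCaller, DeleteOperation, DeletedResourceId,
          SubscriptionId, ResourceGroup
| order by LockDeletedAt desc
```

Subscription-level locks have an empty resource group, so their rows are matched only against other subscription-level deletes.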