Query Details
Automation Rule Delete
Query
//Who deleted an Automation Rule AzureActivity | where OperationNameValue == "MICROSOFT.SECURITYINSIGHTS/AUTOMATIONRULES/DELETE" | project TimeGenerated, Caller, CallerIpAddress
Explanation
This query is looking for information about who deleted an Automation Rule in Azure. It retrieves the time the deletion occurred, the person who performed the deletion, and their IP address.
Details
Rod Trent
Released: October 21, 2022
Tables
AzureActivity
Keywords
AzureActivity,OperationNameValue,MICROSOFT.SECURITYINSIGHTS/AUTOMATIONRULES/DELETE,TimeGenerated,Caller,CallerIpAddress
Operators
where==project