Query Details

Azure Monitor Rule Disabled

Query

AzureActivity
| where parse_json(Properties).message == "microsoft.insights/scheduledqueryrules/write"
| where parse_json(tostring(parse_json(tostring(Properties_d.requestbody)).properties)).enabled == false

Explanation

This KQL (Kusto Query Language) query is designed to filter and retrieve specific records from the AzureActivity table. Here's a simple breakdown of what it does:

  1. Source Table: It starts by looking at the AzureActivity table, which contains logs of activities in Azure.

  2. First Filter: It filters the records to find those where the Properties field, when parsed as JSON, contains a message that equals "microsoft.insights/scheduledqueryrules/write". This indicates that the activity is related to writing (or creating/updating) scheduled query rules in Azure Monitor.

  3. Second Filter: It further filters these records to those where the enabled property inside the properties object of the request body (Properties_d.requestbody) is set to false. The nested tostring and parse_json calls unwrap the request body and its properties object so that the enabled value can be read. This means it is specifically looking for activities where a scheduled query rule was written with the enabled status set to false, indicating that the rule is being disabled or created in a disabled state.

In summary, this query is identifying activities where scheduled query rules in Azure Monitor are being written with the enabled property set to false.
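
The two filters can be tried against constructed rows before running them on live data. The block below is an added example, not part of the original query page; SampleActivity, the callers and the Properties values are constructed, and the nesting of requestbody as a JSON string inside Properties is an assumption based on the parse chain the query uses.

```kql
// Added example with constructed rows; this is not real AzureActivity data.
// Assumption: requestbody is a JSON string nested inside Properties, which is
// the shape the query's tostring/parse_json chain is written to unwrap.
// Rows, in order:
//   1. scheduled query rule written with enabled = false
//   2. scheduled query rule written with enabled = true
//   3. scheduled query rule written without an enabled value in the body
//   4. scheduled query rule deleted (different operation, no request body)
let SampleActivity = datatable(TimeGenerated: datetime, Caller: string, Properties: string)
[
    datetime(2025-01-01 09:00:00), "user1@example.com",
    @'{"message":"microsoft.insights/scheduledqueryrules/write","requestbody":"{\"properties\":{\"enabled\":false}}"}',
    datetime(2025-01-01 09:05:00), "user2@example.com",
    @'{"message":"microsoft.insights/scheduledqueryrules/write","requestbody":"{\"properties\":{\"enabled\":true}}"}',
    datetime(2025-01-01 09:10:00), "user3@example.com",
    @'{"message":"microsoft.insights/scheduledqueryrules/write","requestbody":"{\"properties\":{\"description\":\"edited\"}}"}',
    datetime(2025-01-01 09:15:00), "user4@example.com",
    @'{"message":"microsoft.insights/scheduledqueryrules/delete"}'
];
SampleActivity
// AzureActivity supplies Properties_d itself; here it is derived from the sample string.
| extend Properties_d = parse_json(Properties)
// First filter from the page: keep only scheduled query rule write operations.
| where parse_json(Properties).message == "microsoft.insights/scheduledqueryrules/write"
// Second filter from the page: unwrap the request body and test enabled.
| where parse_json(tostring(parse_json(tostring(Properties_d.requestbody)).properties)).enabled == false
| project TimeGenerated, Caller
```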

Details


Jay Kerai

Released: January 1, 2025

Tables

AzureActivity

Keywords

AzureActivity, Properties, Microsoft, Insights, Scheduledqueryrules, Requestbody

Operators

|, where, parse_json, tostring, ==
