Query Details

Azure Resource Lock Added or Removed

Query

//Detect when a resource lock is added or removed from an Azure resource

//Data connector required for this query - Azure Activity 

AzureActivity
| where OperationNameValue in ("MICROSOFT.AUTHORIZATION/LOCKS/WRITE", "MICROSOFT.AUTHORIZATION/LOCKS/DELETE")
| where ActivityStatusValue == "Success"
| extend Activity = case(OperationNameValue == "MICROSOFT.AUTHORIZATION/LOCKS/WRITE", strcat("Resource Lock Added"),
    OperationNameValue == "MICROSOFT.AUTHORIZATION/LOCKS/DELETE", strcat("Resource Lock Removed"),
    "unknown")
| extend ResourceGroup = tostring(parse_json(Properties).resourceGroup)
| extend AzureResource = tostring(parse_json(Properties).resourceProviderValue)
| extend x = tostring(parse_json(Properties).resource)
| parse x with ResourceName "/" *
| parse x with * "microsoft.authorization/" LockName
| project
    TimeGenerated,
    Activity,
    ResourceName,
    ['Azure Resource']=AzureResource,
    ['Azure Subscription Id']=SubscriptionId,
    ['Azure Resource Group']=ResourceGroup,
    LockName

Explanation

This query detects when a resource lock is added to or removed from an Azure resource. It reads the AzureActivity table (Azure Activity data connector), keeps only the lock write and lock delete operations, and requires a successful activity status. It then adds an Activity column that labels each event as "Resource Lock Added" or "Resource Lock Removed". The resource group and Azure resource are extracted from the Properties field, and the resource name and lock name are parsed out of its resource value. Finally, it projects the time generated, activity, resource name, Azure resource, subscription ID, resource group, and lock name.
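To validate the filters and the two parse steps without waiting for a real lock change, the same logic can be run over constructed rows. This is an added example, not part of the original query; the `SampleAzureActivity` name, the row values, and the shape of `Properties.resource` are assumptions inferred from the query's parse patterns.

```kusto
// Constructed sample rows, not real telemetry. The shape of Properties.resource
// ("<resource>/microsoft.authorization/<lock>") is assumed from the parse patterns.
// Row 1: lock created, status Success      -> should be reported as added
// Row 2: lock delete, status Start         -> dropped by the status filter
// Row 3: lock delete, status Success       -> should be reported as removed
// Row 4: lock delete, status Failure       -> dropped by the status filter
// Row 5: unrelated operation, Success      -> dropped by the operation filter
let SampleAzureActivity = datatable(
    TimeGenerated: datetime,
    OperationNameValue: string,
    ActivityStatusValue: string,
    SubscriptionId: string,
    Properties: string
) [
    datetime(2022-06-17 09:00:00), "MICROSOFT.AUTHORIZATION/LOCKS/WRITE", "Success",
        "00000000-0000-0000-0000-000000000000",
        '{"resourceGroup":"rg-demo","resourceProviderValue":"MICROSOFT.AUTHORIZATION","resource":"stdemo01/microsoft.authorization/do-not-delete"}',
    datetime(2022-06-17 10:00:00), "MICROSOFT.AUTHORIZATION/LOCKS/DELETE", "Start",
        "00000000-0000-0000-0000-000000000000",
        '{"resourceGroup":"rg-demo","resourceProviderValue":"MICROSOFT.AUTHORIZATION","resource":"stdemo01/microsoft.authorization/do-not-delete"}',
    datetime(2022-06-17 10:00:05), "MICROSOFT.AUTHORIZATION/LOCKS/DELETE", "Success",
        "00000000-0000-0000-0000-000000000000",
        '{"resourceGroup":"rg-demo","resourceProviderValue":"MICROSOFT.AUTHORIZATION","resource":"stdemo01/microsoft.authorization/do-not-delete"}',
    datetime(2022-06-17 11:00:00), "MICROSOFT.AUTHORIZATION/LOCKS/DELETE", "Failure",
        "00000000-0000-0000-0000-000000000000",
        '{"resourceGroup":"rg-demo","resourceProviderValue":"MICROSOFT.AUTHORIZATION","resource":"kv-demo01/microsoft.authorization/read-only"}',
    datetime(2022-06-17 12:00:00), "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE", "Success",
        "00000000-0000-0000-0000-000000000000",
        '{"resourceGroup":"rg-demo","resourceProviderValue":"MICROSOFT.STORAGE","resource":"stdemo01"}'
];
// Same detection logic as the query above, pointed at the sample table
SampleAzureActivity
| where OperationNameValue in ("MICROSOFT.AUTHORIZATION/LOCKS/WRITE", "MICROSOFT.AUTHORIZATION/LOCKS/DELETE")
| where ActivityStatusValue == "Success"
| extend Activity = case(OperationNameValue == "MICROSOFT.AUTHORIZATION/LOCKS/WRITE", "Resource Lock Added",
    OperationNameValue == "MICROSOFT.AUTHORIZATION/LOCKS/DELETE", "Resource Lock Removed",
    "unknown")
| extend ResourceGroup = tostring(parse_json(Properties).resourceGroup)
| extend AzureResource = tostring(parse_json(Properties).resourceProviderValue)
| extend x = tostring(parse_json(Properties).resource)
| parse x with ResourceName "/" *
| parse x with * "microsoft.authorization/" LockName
| project TimeGenerated, Activity, ResourceName, ['Azure Resource']=AzureResource,
    ['Azure Subscription Id']=SubscriptionId, ['Azure Resource Group']=ResourceGroup, LockName
```

Only rows 1 and 3 pass both filters, so a result with any other row count points to a filter or casing problem in the copy of the query being tested.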

Details


Matt Zorich

Released: June 17, 2022

Tables

AzureActivity

Keywords

AzureActivity,OperationNameValue,ActivityStatusValue,ResourceLockAdded,ResourceLockRemoved,unknown,ResourceGroup,AzureResource,x,ResourceName,LockName

Operators

where, in, ==, extend, case, strcat, tostring, parse_json, parse, with, project
