Query Details
AzureActivity
| where OperationNameValue =~ "MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE"
| summarize
TimeGenerated = arg_max(TimeGenerated, Properties),
ActivityStatusValue = make_list(ActivityStatusValue),
take_any(Caller, CallerIpAddress, OperationName, ResourceGroup, Resource)
by CorrelationId, _ResourceId, OperationNameValue
| extend ResourceHierarchy = split(_ResourceId, "/")
| extend MonitoredResourcePath = strcat_array(array_slice(ResourceHierarchy, 0, array_length(ResourceHierarchy) - 5), "/")
| join kind=leftanti (
AzureActivity
| where OperationNameValue !~ "MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE" and OperationNameValue endswith "/DELETE" and ActivityStatusValue has_any ("Success", "Succeeded")
| project _ResourceId
) on $left.MonitoredResourcePath == $right._ResourceId
| project
TimeGenerated,
Caller,
CallerIpAddress,
OperationNameValue,
OperationName,
ActivityStatusValue,
ResourceGroup,
MonitoredResourcePath,
Resource,
Properties,
_ResourceId,
CorrelationId
This query looks in the Azure activity log for instances where a diagnostic setting was deleted (an OperationNameValue of MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE). It then collapses the separate events of each operation into one row per CorrelationId, resource ID and operation value, keeping the latest timestamp together with its Properties, the list of activity statuses seen, and one value each for the caller, IP address, operation name, resource group and resource.
The query also splits the resource ID into its path segments and drops the trailing diagnostic-setting segments to build the path of the monitored (parent) resource. It then runs a leftanti join of that path against every other delete operation that succeeded, so a diagnostic-setting deletion that was only a side effect of deleting the parent resource is discarded and only deletions whose parent resource was not itself successfully deleted remain.
Finally, it projects the gathered and processed information: the time the activity was generated, the caller, IP address, operation name value, operation name, activity statuses, resource group, monitored resource path, resource, properties, resource ID and correlation ID.
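The following is an added example, not part of the original query page: a Python reimplementation of the same logic (summarize by correlation, derive the parent resource path, leftanti-join against successful deletes) run over constructed AzureActivity-style rows. Subscription, resource group, vault names, callers and IP addresses are invented placeholders. It shows the edge case the leftanti join exists for: a diagnostic-setting deletion that happens because the parent Key Vault was deleted is suppressed, while one on a still-existing vault is reported.

```python
"""Reimplementation of the diagnostic-settings-deletion hunt over constructed sample rows.

Constructed sample data, not real Azure logs; all identifiers are placeholders.
"""
from collections import defaultdict

DIAG_DELETE = "MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE"
SUCCESS_STATUSES = {"success", "succeeded"}  # approximates has_any ("Success", "Succeeded")

KV_PROD = "/subscriptions/sub-1/resourcegroups/rg-a/providers/microsoft.keyvault/vaults/kv-prod"
KV_OLD = "/subscriptions/sub-1/resourcegroups/rg-a/providers/microsoft.keyvault/vaults/kv-old"

# Constructed rows mimicking the AzureActivity columns the query uses.
# Started/Succeeded events of one operation share a CorrelationId, as in real activity logs.
SAMPLE_ROWS = [
    # Case 1: diagnostic setting removed from a vault that still exists -> should be reported.
    {"TimeGenerated": "2023-02-15T10:00:00Z", "CorrelationId": "corr-1",
     "OperationNameValue": DIAG_DELETE, "ActivityStatusValue": "Started",
     "Caller": "alice@example.com", "CallerIpAddress": "203.0.113.10",
     "_ResourceId": KV_PROD + "/providers/microsoft.insights/diagnosticsettings/audit-to-law"},
    {"TimeGenerated": "2023-02-15T10:00:02Z", "CorrelationId": "corr-1",
     "OperationNameValue": DIAG_DELETE, "ActivityStatusValue": "Succeeded",
     "Caller": "alice@example.com", "CallerIpAddress": "203.0.113.10",
     "_ResourceId": KV_PROD + "/providers/microsoft.insights/diagnosticsettings/audit-to-law"},
    # Case 2: diagnostic setting removed as a side effect of deleting the vault -> suppressed.
    {"TimeGenerated": "2023-02-15T11:00:00Z", "CorrelationId": "corr-2",
     "OperationNameValue": DIAG_DELETE, "ActivityStatusValue": "Succeeded",
     "Caller": "bob@example.com", "CallerIpAddress": "198.51.100.7",
     "_ResourceId": KV_OLD + "/providers/microsoft.insights/diagnosticsettings/audit"},
    {"TimeGenerated": "2023-02-15T11:00:01Z", "CorrelationId": "corr-3",
     "OperationNameValue": "MICROSOFT.KEYVAULT/VAULTS/DELETE", "ActivityStatusValue": "Succeeded",
     "Caller": "bob@example.com", "CallerIpAddress": "198.51.100.7",
     "_ResourceId": KV_OLD},
]


def monitored_resource_path(resource_id: str) -> str:
    """Mirror split(_ResourceId, "/") + strcat_array(array_slice(parts, 0, len-5), "/").

    KQL array_slice takes an inclusive end index, so the query keeps the first len-4
    segments, i.e. it strips providers/microsoft.insights/diagnosticsettings/<name>.
    """
    parts = resource_id.split("/")
    return "/".join(parts[: len(parts) - 4])


def find_diag_setting_deletions(rows):
    """Return one result per diagnostic-setting deletion whose parent was not itself deleted."""
    # summarize ... by CorrelationId, _ResourceId, OperationNameValue (=~ is case-insensitive)
    groups = defaultdict(list)
    for r in rows:
        if r["OperationNameValue"].upper() == DIAG_DELETE:
            groups[(r["CorrelationId"], r["_ResourceId"], DIAG_DELETE)].append(r)

    # Right side of the leftanti join: resources with some other successful */DELETE operation.
    deleted_resources = {
        r["_ResourceId"]
        for r in rows
        if r["OperationNameValue"].upper() != DIAG_DELETE
        and r["OperationNameValue"].upper().endswith("/DELETE")
        and r["ActivityStatusValue"].lower() in SUCCESS_STATUSES
    }

    results = []
    for (corr, rid, op), events in groups.items():
        parent = monitored_resource_path(rid)
        if parent in deleted_resources:
            continue  # leftanti: parent was deleted, so this deletion is just a side effect
        latest = max(events, key=lambda e: e["TimeGenerated"])  # ISO-8601 strings sort lexically
        results.append({
            "TimeGenerated": latest["TimeGenerated"],
            "Caller": latest["Caller"],
            "CallerIpAddress": latest["CallerIpAddress"],
            "OperationNameValue": op,
            "ActivityStatusValue": [e["ActivityStatusValue"] for e in events],  # make_list
            "MonitoredResourcePath": parent,
            "_ResourceId": rid,
            "CorrelationId": corr,
        })
    return results


if __name__ == "__main__":
    for hit in find_diag_setting_deletions(SAMPLE_ROWS):
        print(hit["TimeGenerated"], hit["Caller"], hit["MonitoredResourcePath"], hit["ActivityStatusValue"])
```

The `has_any` term match and the `take_any` column picks are approximated (status compared case-insensitively against the two literals; caller and IP taken from the latest event), which is close enough to reproduce the join behaviour the KQL relies on.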

Jose Sebastián Canós
Released: February 15, 2023