# Machine Onboarded Azure Arc

## Query Information

### Description
Lists the machines onboarded to Azure Arc. The HostName is the hostname used within Azure and Defender for Endpoint; it may differ from the actual hostname of the local system.

## Sentinel
```KQL
AzureActivity
| where OperationNameValue =~ "MICROSOFT.HYBRIDCOMPUTE/MACHINES/WRITE"
| where ActivityStatusValue =~ "Success"
| extend HostName = tostring(parse_json(Properties).resource)
| project-reorder TimeGenerated, Caller, HostName, ResourceGroup
```

## Explanation

This KQL query lists machines that have been successfully onboarded to Azure Arc. Here's a simple breakdown of what the query does:

1. Data Source: The query pulls data from the AzureActivity table, which logs control-plane activities and operations within Azure.

2. Filter Operations:
   - It keeps only those operations where the OperationNameValue equals "MICROSOFT.HYBRIDCOMPUTE/MACHINES/WRITE" (the `=~` operator compares case-insensitively). This operation indicates that a machine resource has been written to, i.e. onboarded or updated in, Azure Arc.
   - It further keeps only those activities where the ActivityStatusValue is "Success", so that failed or in-progress onboardings are excluded.

3. Extract HostName:
   - The query extracts the HostName from the Properties field by parsing it as JSON, reading its `resource` value and converting it to a string. This HostName is the name used within Azure and Defender for Endpoint, which might differ from the local system's actual hostname.

4. Select and Order Columns:
   - Finally, `project-reorder` moves the most useful columns to the front of the result: TimeGenerated (when the activity was logged), Caller (who initiated the operation), HostName (the name of the onboarded machine), and ResourceGroup (the Azure resource group associated with the machine). Unlike `project`, it keeps the remaining columns after them.

In summary, this query provides a list of machines successfully onboarded to Azure Arc, along with when the onboarding occurred, who initiated it, the machine's Azure hostname, and the associated resource group.
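To show the same filter and extraction logic outside Sentinel, the following Python is an added example, not code from the original page or from the query author. It runs the query's steps over a handful of constructed AzureActivity-like rows (the case-insensitive `=~` comparison, the `parse_json(Properties).resource` extraction, and the `project-reorder` column placement) and adds a small reconciliation step against a constructed local-hostname inventory, since the page notes the Arc HostName can differ from the machine's real name. The row contents, `SAMPLE_ROWS`, `LOCAL_INVENTORY` and all function names are assumptions made for the example.

```python
import json

# Constructed sample rows mimicking the AzureActivity columns the KQL query touches.
# Row 1: successful write, mixed-case operation name (still matched by =~).
# Row 2: write that failed (excluded by the ActivityStatusValue filter).
# Row 3: delete operation (excluded by the OperationNameValue filter).
# Row 4: successful write whose Properties is not valid JSON (HostName becomes "").
SAMPLE_ROWS = [
    {"TimeGenerated": "2025-01-04T09:12:00Z", "Caller": "admin@example.com",
     "OperationNameValue": "Microsoft.HybridCompute/machines/write",
     "ActivityStatusValue": "Success", "ResourceGroup": "rg-arc-servers",
     "Properties": json.dumps({"resource": "SRV-FILE01"})},
    {"TimeGenerated": "2025-01-04T09:15:00Z", "Caller": "admin@example.com",
     "OperationNameValue": "MICROSOFT.HYBRIDCOMPUTE/MACHINES/WRITE",
     "ActivityStatusValue": "Failed", "ResourceGroup": "rg-arc-servers",
     "Properties": json.dumps({"resource": "SRV-DB02"})},
    {"TimeGenerated": "2025-01-04T10:01:00Z", "Caller": "svc-onboard@example.com",
     "OperationNameValue": "MICROSOFT.HYBRIDCOMPUTE/MACHINES/DELETE",
     "ActivityStatusValue": "Success", "ResourceGroup": "rg-arc-servers",
     "Properties": json.dumps({"resource": "SRV-OLD03"})},
    {"TimeGenerated": "2025-01-04T10:30:00Z", "Caller": "svc-onboard@example.com",
     "OperationNameValue": "MICROSOFT.HYBRIDCOMPUTE/MACHINES/WRITE",
     "ActivityStatusValue": "Success", "ResourceGroup": "rg-branch",
     "Properties": "not json"},
]

# Constructed inventory mapping the Arc HostName to the name the OS itself reports.
LOCAL_INVENTORY = {"SRV-FILE01": "srv-file01.corp.local"}

FRONT_COLUMNS = ["TimeGenerated", "Caller", "HostName", "ResourceGroup"]


def kql_eq_ci(left, right):
    """Emulates KQL's =~ operator: case-insensitive string equality."""
    return str(left).casefold() == str(right).casefold()


def extract_hostname(properties):
    """Emulates tostring(parse_json(Properties).resource).

    KQL yields an empty string when Properties is not JSON, is not an object,
    or has no "resource" key; this mirrors that so malformed rows are kept,
    not dropped, which matches what the Sentinel query would return.
    """
    try:
        parsed = json.loads(properties)
    except (TypeError, ValueError):
        return ""
    if not isinstance(parsed, dict):
        return ""
    value = parsed.get("resource")
    return "" if value is None else str(value)


def onboarded_machines(rows):
    """Applies the two where-filters, the extend, and the project-reorder."""
    results = []
    for row in rows:
        if not kql_eq_ci(row.get("OperationNameValue", ""),
                         "MICROSOFT.HYBRIDCOMPUTE/MACHINES/WRITE"):
            continue
        if not kql_eq_ci(row.get("ActivityStatusValue", ""), "Success"):
            continue
        extended = dict(row)
        extended["HostName"] = extract_hostname(row.get("Properties"))
        # project-reorder: the named columns first, every other column kept after them.
        ordered = {col: extended.get(col, "") for col in FRONT_COLUMNS}
        ordered.update({k: v for k, v in extended.items() if k not in FRONT_COLUMNS})
        results.append(ordered)
    return results


def hostname_mismatches(results, local_inventory):
    """Returns (arc_hostname, local_hostname) pairs where the two names differ.

    Rows with an empty HostName or with no inventory entry are skipped; they need
    manual follow-up rather than an automatic verdict.
    """
    mismatches = []
    for r in results:
        local = local_inventory.get(r["HostName"])
        if r["HostName"] and local is not None and not kql_eq_ci(local, r["HostName"]):
            mismatches.append((r["HostName"], local))
    return mismatches


if __name__ == "__main__":
    for r in onboarded_machines(SAMPLE_ROWS):
        print({k: r[k] for k in FRONT_COLUMNS})
    print("mismatches:", hostname_mismatches(onboarded_machines(SAMPLE_ROWS), LOCAL_INVENTORY))
```

The fourth sample row is the case worth watching in practice: a successful write whose Properties cannot be parsed still appears in the result, but with an empty HostName, so a downstream rule that keys on HostName should treat the empty value as "unknown" rather than silently dropping the event.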

## Details

Author: Bert-Jan Pals

Released: January 4, 2025

Tables: AzureActivity

Keywords: AzureActivity, Machines, HostName, ResourceGroup

Operators: where, =~, extend, tostring, parse_json, project-reorder