Query Details
// Attempts to delete resource locks on Azure Monitor rules for a particular subscription and resource group.
// KQL from https://www.linkedin.com/pulse/main-reason-you-shouldnt-exclude-break-glass-group-access-kerai-4dtve/
// <SUB ID> and <RG NAME> are placeholders. _ResourceId values start with /subscriptions/<subscription GUID>/resourcegroups/..., so the prefix must include the subscriptions/ segment.
AzureActivity
| where OperationNameValue == "MICROSOFT.AUTHORIZATION/LOCKS/DELETE"
| where _ResourceId startswith @"/<SUB ID>/resourcegroups/<RG NAME>/providers/microsoft.insights/scheduledqueryrules"
| where ActivityStatusValue == "Start"
This KQL query is designed to identify attempts to delete resource locks on Azure Monitor rules within a specific Azure subscription and resource group. Here's a simplified breakdown:
Data Source: The query is run against the AzureActivity log, which records various activities and operations performed in Azure.
Operation Filter: It filters for operations where the action is "MICROSOFT.AUTHORIZATION/LOCKS/DELETE". This means it is looking for attempts to delete locks on resources.
Resource Filter: It further narrows down the results to only those operations that involve resources within a specific subscription and resource group. The resources of interest are Azure Monitor scheduled query rules, as indicated by the path in the _ResourceId.
Status Filter: Finally, it only considers operations where the activity status is "Start", indicating the beginning of a delete operation.
In summary, this query helps monitor and detect when someone tries to delete locks on Azure Monitor rules in a specified subscription and resource group.
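The three filters applied to a handful of constructed rows, as an added example that is not part of the original page. The subscription GUID, resource group, rule names, callers and correlation IDs are made up, and the final join goes beyond the page's query: it assumes the Start and result events of one request share a CorrelationId, and uses that to show whether each attempt succeeded.

```kql
// Constructed sample rows standing in for the AzureActivity table.
let rulePrefix = "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-monitoring/providers/microsoft.insights/scheduledqueryrules";
let SampleActivity = datatable(TimeGenerated:datetime, OperationNameValue:string, ActivityStatusValue:string, _ResourceId:string, Caller:string, CorrelationId:string)
[
    // Lock delete on alert rule "rule-a": Start event plus its Success event.
    datetime(2025-01-04 10:00:00), "MICROSOFT.AUTHORIZATION/LOCKS/DELETE", "Start",   "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-monitoring/providers/microsoft.insights/scheduledqueryrules/rule-a/providers/microsoft.authorization/locks/nodelete", "admin@example.com", "c-1",
    datetime(2025-01-04 10:00:01), "MICROSOFT.AUTHORIZATION/LOCKS/DELETE", "Success", "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-monitoring/providers/microsoft.insights/scheduledqueryrules/rule-a/providers/microsoft.authorization/locks/nodelete", "admin@example.com", "c-1",
    // Lock delete on alert rule "rule-b" that was refused: Start event plus Failure event.
    datetime(2025-01-04 11:30:00), "MICROSOFT.AUTHORIZATION/LOCKS/DELETE", "Start",   "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-monitoring/providers/microsoft.insights/scheduledqueryrules/rule-b/providers/microsoft.authorization/locks/nodelete", "user@example.com", "c-2",
    datetime(2025-01-04 11:30:01), "MICROSOFT.AUTHORIZATION/LOCKS/DELETE", "Failure", "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-monitoring/providers/microsoft.insights/scheduledqueryrules/rule-b/providers/microsoft.authorization/locks/nodelete", "user@example.com", "c-2",
    // Lock delete on a storage account in the same resource group: dropped by the resource filter.
    datetime(2025-01-04 12:00:00), "MICROSOFT.AUTHORIZATION/LOCKS/DELETE", "Start",   "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-monitoring/providers/microsoft.storage/storageaccounts/stlogs/providers/microsoft.authorization/locks/nodelete", "admin@example.com", "c-3",
    // Lock creation on "rule-a": dropped by the operation filter.
    datetime(2025-01-04 13:00:00), "MICROSOFT.AUTHORIZATION/LOCKS/WRITE",  "Start",   "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-monitoring/providers/microsoft.insights/scheduledqueryrules/rule-a/providers/microsoft.authorization/locks/nodelete", "admin@example.com", "c-4"
];
// The page's three filters, unchanged apart from the concrete prefix.
let Attempts = SampleActivity
| where OperationNameValue == "MICROSOFT.AUTHORIZATION/LOCKS/DELETE"
| where _ResourceId startswith rulePrefix
| where ActivityStatusValue == "Start";
// Added step: attach the result of each attempt via CorrelationId.
Attempts
| join kind=leftouter (
    SampleActivity
    | where OperationNameValue == "MICROSOFT.AUTHORIZATION/LOCKS/DELETE"
    | where ActivityStatusValue in ("Success", "Failure")
    | project CorrelationId, Outcome = ActivityStatusValue
  ) on CorrelationId
| project TimeGenerated, Caller, _ResourceId, Outcome
```

To run it against live data, replace `SampleActivity` with `AzureActivity` and set `rulePrefix` to your own subscription and resource group.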

Jay Kerai
Released: January 4, 2025