Query Details

Identify Activities In Log Analytics Workspace Resource Locks

Query

# Identify activities in log analytics workspace resource locks

# Description

The following query identifies activities related to resource locks in the resource group that holds your Log Analytics workspace. That way, if someone edits or deletes your lock, you are able to detect it.

### Microsoft Sentinel
```
let LAWResourceGroup = @"<your log analytics workspace resource group here>"; // Define Resource Group containing Sentinel's LAW
AzureActivity
| where ResourceGroup == LAWResourceGroup
| where OperationNameValue startswith "MICROSOFT.AUTHORIZATION/LOCKS" // lock create/update/delete operations
| where ActivityStatusValue == "Success" // only operations that actually completed
| extend EventSubmissionTimeStamp = tostring(parse_json(Properties).eventSubmissionTimestamp)
| extend EventCaller = tostring(parse_json(Properties).caller)
// httpRequest is itself a JSON string nested inside Properties, hence the second parse_json
| extend EventCallerIPAddress = tostring(parse_json(tostring(parse_json(Properties).httpRequest)).clientIpAddress)
| extend EventMessage = tostring(parse_json(Properties).message)
| extend LocksAction = extract(@"Microsoft\.Authorization\/locks\/(\w+)", 1, EventMessage) // e.g. "write" or "delete"
| extend EventRoleDefinitionId = tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).requestbody)).Properties)).RoleDefinitionId)
| project EventSubmissionTimeStamp, EventCaller, EventCallerIPAddress, LocksAction
```

### Versioning
| Version       | Date          | Comments                               |
| ------------- |---------------| ---------------------------------------|
| 1.0           | 30/06/2025    | Initial publish                        |

Explanation

This query is designed to monitor and identify activities related to resource locks within a specific Log Analytics Workspace's resource group in Microsoft Sentinel. Here's a simplified breakdown of what the query does:

  1. Define the Resource Group: It starts by specifying the resource group that contains the Log Analytics Workspace (LAW) you want to monitor.

  2. Filter Activities: The query searches through Azure Activity logs for actions related to resource locks within the specified resource group. It specifically looks for operations that start with "MICROSOFT.AUTHORIZATION/LOCKS" and have a status of "Success," indicating successful lock-related actions.

  3. Extract Details: For each relevant activity, the query extracts and formats several pieces of information:

    • EventSubmissionTimeStamp: The time when the event was submitted.
    • EventCaller: The identity of the person or service that initiated the action.
    • EventCallerIPAddress: The IP address from which the action was initiated.
    • LocksAction: The specific action taken on the lock (e.g., create, delete).
    • EventRoleDefinitionId: The role definition ID associated with the request, though this is extracted but not projected in the final output.
  4. Project Results: Finally, it displays a table with the timestamp, caller, caller IP address, and the action taken on the locks.

This query helps in auditing and detecting any changes made to resource locks, ensuring that unauthorized modifications can be quickly identified and addressed.
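To show what the extraction steps above actually do to an AzureActivity row, here is an added Python re-implementation of the query's filter and field extraction run over a few constructed records. It is example code written for this page, not part of the original query or Microsoft Sentinel; the resource group name, callers, IP addresses and timestamps are constructed sample values, and the record shape mirrors the AzureActivity columns the query uses (`ResourceGroup`, `OperationNameValue`, `ActivityStatusValue`, `Properties`). The point it makes visible is that `Properties` is a JSON string and that `httpRequest` inside it is itself a JSON string, which is why the KQL needs the nested `tostring(parse_json(...))` calls.

```python
"""Python walk-through of the Sentinel resource-lock query (added example, not the original query)."""
import json
import re
from typing import Any, Dict, List, Optional

# Constructed placeholder standing in for the query's LAWResourceGroup variable.
LAW_RESOURCE_GROUP = "rg-sentinel-law"

# Mirrors: | where OperationNameValue startswith "MICROSOFT.AUTHORIZATION/LOCKS"
LOCK_OPERATION_PREFIX = "MICROSOFT.AUTHORIZATION/LOCKS"

# Mirrors: extract(@"Microsoft\.Authorization\/locks\/(\w+)", 1, EventMessage)
LOCKS_ACTION_RE = re.compile(r"Microsoft\.Authorization/locks/(\w+)")


def _as_obj(value: Any) -> Dict[str, Any]:
    """Equivalent of parse_json(tostring(x)): accept a dict or a JSON string, return a dict."""
    if isinstance(value, str):
        try:
            value = json.loads(value)
        except json.JSONDecodeError:
            return {}
    return value if isinstance(value, dict) else {}


def extract_lock_event(record: Dict[str, Any]) -> Optional[Dict[str, str]]:
    """Apply the query's three filters, then extract the projected columns from Properties."""
    # | where ResourceGroup == LAWResourceGroup   (KQL == is case-sensitive, so is this)
    if record.get("ResourceGroup") != LAW_RESOURCE_GROUP:
        return None
    # | where OperationNameValue startswith ...   (KQL startswith is case-insensitive)
    if not str(record.get("OperationNameValue", "")).upper().startswith(LOCK_OPERATION_PREFIX):
        return None
    # | where ActivityStatusValue == "Success"
    if record.get("ActivityStatusValue") != "Success":
        return None

    props = _as_obj(record.get("Properties"))          # parse_json(Properties)
    http_request = _as_obj(props.get("httpRequest"))    # nested JSON string -> second parse
    message = str(props.get("message", ""))
    match = LOCKS_ACTION_RE.search(message)

    return {
        "EventSubmissionTimeStamp": str(props.get("eventSubmissionTimestamp", "")),
        "EventCaller": str(props.get("caller", "")),
        "EventCallerIPAddress": str(http_request.get("clientIpAddress", "")),
        "LocksAction": match.group(1) if match else "",
    }


def find_lock_changes(records: List[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Run the extraction over a batch of AzureActivity-shaped rows; drop rows the filters reject."""
    return [e for e in (extract_lock_event(r) for r in records) if e is not None]


def _activity(resource_group: str, operation: str, status: str, caller: str,
              ip: str, message: str, ts: str) -> Dict[str, Any]:
    """Build one constructed AzureActivity-shaped row with the same nesting as the real table."""
    props = {
        "eventSubmissionTimestamp": ts,
        "caller": caller,
        "httpRequest": json.dumps({"clientIpAddress": ip}),  # JSON string inside JSON, as in AzureActivity
        "message": message,
    }
    return {
        "ResourceGroup": resource_group,
        "OperationNameValue": operation,
        "ActivityStatusValue": status,
        "Properties": json.dumps(props),
    }


# Constructed sample rows: one real lock deletion plus three rows each filter should reject.
SAMPLE_ACTIVITY = [
    _activity("rg-sentinel-law", "MICROSOFT.AUTHORIZATION/LOCKS/DELETE", "Success",
              "alice@contoso.example", "203.0.113.10",
              "Microsoft.Authorization/locks/delete", "2025-06-30T08:15:02.123Z"),
    _activity("rg-sentinel-law", "MICROSOFT.AUTHORIZATION/LOCKS/WRITE", "Failed",
              "bob@contoso.example", "203.0.113.11",
              "Microsoft.Authorization/locks/write", "2025-06-30T08:16:40.000Z"),
    _activity("rg-other", "MICROSOFT.AUTHORIZATION/LOCKS/DELETE", "Success",
              "carol@contoso.example", "203.0.113.12",
              "Microsoft.Authorization/locks/delete", "2025-06-30T08:17:05.500Z"),
    _activity("rg-sentinel-law", "MICROSOFT.OPERATIONALINSIGHTS/WORKSPACES/WRITE", "Success",
              "dave@contoso.example", "203.0.113.13",
              "Microsoft.OperationalInsights/workspaces/write", "2025-06-30T08:18:11.000Z"),
]

if __name__ == "__main__":
    for event in find_lock_changes(SAMPLE_ACTIVITY):
        print(event)
```

Only the first constructed row survives, yielding the caller, source IP and `LocksAction` of `delete`. One caveat carried over from the KQL: `==` on `ResourceGroup` is case-sensitive, so the value assigned to `LAWResourceGroup` must match the casing stored in the table (`=~` is the case-insensitive comparison if that is a concern in your tenant).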

Details


Michalis Michalos

Released: June 30, 2025

Tables

AzureActivity

Keywords

AzureActivity, ResourceGroup, Locks, EventSubmissionTimeStamp, EventCaller, EventCallerIPAddress, EventMessage, LocksAction, EventRoleDefinitionId

Operators

let, where, startswith, extend, tostring, parse_json, extract, project
