KQL – Identify Failed Azure Arc-enabled Servers Update Management Deployments

Introduction

Azure Update Management Center is a service that helps you manage and apply updates to your Azure and hybrid servers. It’s built on top of Azure Arc for Servers, which enables you to manage and monitor servers that are running in other clouds. Using Azure Update Management Center, you can schedule update deployments, track their progress, and troubleshoot any issues that arise.


The following KQL query identifies failed update deployments in Azure Update Management Center. It filters the AzureActivity table for the operation name “Microsoft.Compute/virtualMachines/installPatches/action” with an activity status of “Failed,” indicating that the update deployment did not succeed, and restricts the results to the MICROSOFT.HYBRIDCOMPUTE resource provider so that only Azure Arc-enabled servers are returned.

				
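// Failed patch-installation operations recorded in the Azure Activity log
AzureActivity
// =~ compares case-insensitively, so the match does not depend on how the operation name is cased in a record
| where OperationNameValue =~ "Microsoft.Compute/virtualMachines/installPatches/action" and ActivityStatusValue == "Failed"
// Keep only Azure Arc-enabled servers (Hybrid Compute resource provider)
| where ResourceProviderValue == "MICROSOFT.HYBRIDCOMPUTE"
| extend Server = Properties_d.resource
| extend ["Resource Group"] = Properties_d.resourceGroup
| extend ["Subscription ID"] = Properties_d.subscriptionId
| project TimeGenerated, Server, ["Resource Group"], ["Subscription ID"]
// sort defaults to descending order, so the most recent failures are listed first
| sort by TimeGenerated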
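
The query above returns one row per failed operation. As an added example (not part of the original post), the variant below groups those records per server so that repeated failures, and servers whose most recent installPatches record is still "Failed", stand out. The 14-day lookback and the column names Failures, LastFailure, LastStatus and StillFailing are assumptions chosen for illustration.

```kql
// Added example: per-server rollup of installPatches activity on Arc-enabled servers.
let lookback = 14d;   // assumed review window, adjust to your patch cycle
AzureActivity
| where TimeGenerated > ago(lookback)
| where OperationNameValue =~ "Microsoft.Compute/virtualMachines/installPatches/action"
| where ResourceProviderValue =~ "MICROSOFT.HYBRIDCOMPUTE"
// Cast the dynamic properties to string so they can be used as grouping keys
| extend Server = tostring(Properties_d.resource),
         ResourceGroup = tostring(Properties_d.resourceGroup),
         SubscriptionId = tostring(Properties_d.subscriptionId)
| summarize Failures    = countif(ActivityStatusValue == "Failed"),
            LastFailure = maxif(TimeGenerated, ActivityStatusValue == "Failed"),
            arg_max(TimeGenerated, ActivityStatusValue)   // latest record of any status
            by Server, ResourceGroup, SubscriptionId
| where Failures > 0
| project-rename LastSeen = TimeGenerated, LastStatus = ActivityStatusValue
// StillFailing is true when no later record with a different status exists for the server
| extend StillFailing = (LastStatus == "Failed")
| project Server, ResourceGroup, SubscriptionId, Failures, LastFailure, LastSeen, LastStatus, StillFailing
| sort by StillFailing desc, Failures desc
```

Servers with StillFailing set to true and a high Failures count are the ones to investigate first, since they have missed patches repeatedly with no later change in status.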
				
			

Results
