Using KQL Queries for Identifying New Onboardings
KQL, or Kusto Query Language, is a read-only language used to query Azure's scalable log database, Azure Data Explorer. You can use a KQL query in Microsoft Sentinel or Log Analytics to quickly identify new Azure Arc-enabled Server onboardings. The query filters the AzureActivity table on OperationNameValue, ActivityStatusValue and ActivitySubstatusValue, giving a consolidated view of all new onboardings.
Implementing the KQL Query
Once the KQL query is in place, run it to track new Azure Arc-enabled Server onboardings. It returns the server name, user, resource group, subscription ID and activity status for each successful onboarding. This information helps you identify new onboardings and confirm that the onboarding process is running smoothly.
AzureActivity
// Successful create/update operations on Azure Arc-enabled Server resources
| where OperationNameValue == "MICROSOFT.HYBRIDCOMPUTE/MACHINES/WRITE"
| where ActivityStatusValue == "Success" and ActivitySubstatusValue == "OK"
| extend Properties = parse_json(Properties)
// split() returns an array, so take the last path segment and cast it to a string before uppercasing
| extend Server = toupper(tostring(split(Properties.resource, "/")[-1]))
| extend User = Properties.caller
| extend ["Resource Group"] = Properties.resourceGroup
// dynamic property names are case-sensitive; adjust the key if your Properties JSON spells it differently
| extend ["Subscription ID"] = Properties.SubscriptionId
| extend ["Activity Status"] = Properties.activityStatusValue
| project TimeGenerated, Server, User, ["Resource Group"], ["Subscription ID"], ["Activity Status"]
| sort by TimeGenerated
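As an added example that is not part of the original post, the query below builds on the same AzureActivity filter to surface onboardings performed by identities outside an approved list and to summarize them per caller, resource group and subscription. The ApprovedOnboarders list and its placeholder principal name are assumptions; replace them with your own onboarding identities or a Sentinel watchlist.

```kql
// Added example: Arc onboardings by identities not on the approved list.
// ApprovedOnboarders is a constructed placeholder; substitute your real
// onboarding service principal(s) or pull them from a watchlist.
let ApprovedOnboarders = dynamic(["arc-onboarding-sp@contoso.example"]);
let lookback = 7d;
AzureActivity
| where TimeGenerated > ago(lookback)
| where OperationNameValue == "MICROSOFT.HYBRIDCOMPUTE/MACHINES/WRITE"
| where ActivityStatusValue == "Success" and ActivitySubstatusValue == "OK"
| extend Props = parse_json(Properties)
// Normalize the fields used for grouping; last path segment is the machine name
| extend Server = toupper(tostring(split(Props.resource, "/")[-1])),
         User = tostring(Props.caller),
         ResourceGroup = tostring(Props.resourceGroup)
// Keep only callers that are not expected to onboard servers
| where User !in (ApprovedOnboarders)
// One row per unexpected caller/scope with the servers they registered
| summarize Onboardings = count(),
            Servers = make_set(Server, 50),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
          by User, ResourceGroup, SubscriptionId
| order by Onboardings desc
```

Scheduling this as an analytics rule turns unexpected onboardings into incidents rather than rows to review by hand.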