In this blog post, I will show you how to use a KQL query to find out who deleted your Azure Arc node. Last week, I wrote a blog post about using a KQL query to track Azure Arc for Servers Extension installations.
This KQL query uses the AzureActivity table and filters for events where the operation name (OperationNameValue) is “MICROSOFT.HYBRIDCOMPUTE/MACHINES/DELETE” and the activity status (ActivityStatusValue) is “Success”.
AzureActivity
// Successful deletions of Azure Arc machine resources
| where OperationNameValue == "MICROSOFT.HYBRIDCOMPUTE/MACHINES/DELETE" and ActivityStatusValue == "Success"
| extend Properties = parse_json(Properties)
// The server name is the first segment of the resource value
| extend Server = toupper(tostring(split(tostring(Properties.resource), "/")[0]))
| extend User = Properties.caller
| extend ["Resource Group"] = Properties.resourceGroup
| extend ["Subscription ID"] = Properties.SubscriptionId
| extend ["IP Address"] = CallerIpAddress
| extend ["Activity Status"] = Properties.activityStatusValue
| project TimeGenerated, Server, User, ["Resource Group"], ["Subscription ID"], ["IP Address"], ["Activity Status"]
// Newest deletions first (descending is the default sort order)
| sort by TimeGenerated desc
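
The same filter can be turned into a detection by aggregating per caller, so that several Arc machines deleted by one identity in a short period stand out. This is an added example, not part of the original post; the 7-day lookback, 1-hour bin and threshold of 3 are assumed values to tune for your environment.

```kql
// Added example: callers that deleted several Azure Arc machines in a short period.
// Assumed values (not from the original post): lookback, binSize, threshold.
let lookback = 7d;
let binSize = 1h;
let threshold = 3;
AzureActivity
| where TimeGenerated > ago(lookback)
| where OperationNameValue == "MICROSOFT.HYBRIDCOMPUTE/MACHINES/DELETE"
    and ActivityStatusValue == "Success"
| extend Properties = parse_json(Properties)
// Same server and caller extraction as the query above
| extend Server = toupper(tostring(split(tostring(Properties.resource), "/")[0]))
| extend User = tostring(Properties.caller)
// One row per caller per time bin, with what was deleted and from where
| summarize
    DeletedServers = make_set(Server),
    DeleteCount = dcount(Server),
    SourceIPs = make_set(CallerIpAddress),
    FirstDelete = min(TimeGenerated),
    LastDelete = max(TimeGenerated)
    by User, bin(TimeGenerated, binSize)
// Keep only bins where the caller removed at least `threshold` distinct servers
| where DeleteCount >= threshold
| sort by DeleteCount desc
```

A caller appearing here with more than one entry in SourceIPs, or one you do not recognise as an operations account, is worth reviewing against the individual events returned by the first query.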