← Back to Explore
kqlHunting
Azure Logic App Disabled or Deleted
Comment out if you want to look for attempts
Detection Query
AzureActivity
| where OperationNameValue == "MICROSOFT.LOGIC/WORKFLOWS/DISABLE/ACTION" or OperationName == "MICROSOFT.LOGIC/WORKFLOWS/DELETE"
| where ActivityStatusValue startswith "Succe" or ActivityStatusValue startswith "accept" // Comment out if you want to look for attempts
//Azure Activity must be enabled https://learn.microsoft.com/en-us/azure/azure-monitor/platform/activity-log?tabs=log-analytics?WT.mc_id=MVP_473477Data Sources
AzureActivity
Tags
azure
Raw Content
AzureActivity
| where OperationNameValue == "MICROSOFT.LOGIC/WORKFLOWS/DISABLE/ACTION" or OperationName == "MICROSOFT.LOGIC/WORKFLOWS/DELETE"
| where ActivityStatusValue startswith "Succe" or ActivityStatusValue startswith "accept" // Comment out if you want to look for attempts
//Azure Activity must be enabled https://learn.microsoft.com/en-us/azure/azure-monitor/platform/activity-log?tabs=log-analytics?WT.mc_id=MVP_473477