← Back to Explore
kqlHunting
Azure Monitor Rule Disabled
Detection Query
AzureActivity
| where parse_json(Properties).message == "microsoft.insights/scheduledqueryrules/write"
| where parse_json(tostring(parse_json(tostring(Properties_d.requestbody)).properties)).enabled == falseData Sources
AzureActivity
Tags
azure
Raw Content
AzureActivity
| where parse_json(Properties).message == "microsoft.insights/scheduledqueryrules/write"
| where parse_json(tostring(parse_json(tostring(Properties_d.requestbody)).properties)).enabled == false