KQL snippet: detect authentication errors after secret rotation
A short query to watch 401, 403, and 500 errors after rotating an application secret or service identity.
After a secret rotation, deployment success is not enough. Check that real consumers do not start producing authentication errors in the window after cutover.
// Set this to the cutover time of the rotation.
let RotationStart = datetime(2026-06-04T08:00:00Z);
AppServiceHTTPLogs
| where TimeGenerated > RotationStart
// Authentication and authorization failures, plus server errors.
| where ScStatus in (401, 403, 500)
// Count errors per 5-minute bucket, host, path, and status code.
| summarize errors=count() by bin(TimeGenerated, 5m), CsHost, CsUriStem, ScStatus
| order by TimeGenerated desc

Use it as a revocation check: if errors rise after cutover, keep the previous version available, identify the failing consumer, then replay the test before final deletion.
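To judge whether errors actually rose after cutover, this added query (an example, not part of the original snippet) compares error counts in equal windows before and after RotationStart and breaks them down by caller. The window length, the threshold, and the use of the CIp and UserAgent columns of AppServiceHTTPLogs to identify the consumer are assumptions to adjust for your environment.

```kql
// Added example: baseline comparison around the rotation.
let RotationStart = datetime(2026-06-04T08:00:00Z);
let CompareWindow = 1h;   // assumed: length of the window on each side of cutover
let MinNewErrors = 5;     // assumed: noise floor for post-rotation errors
AppServiceHTTPLogs
| where TimeGenerated between ((RotationStart - CompareWindow) .. (RotationStart + CompareWindow))
| where ScStatus in (401, 403, 500)
// One row per endpoint, status, and caller, with counts on each side of cutover.
| summarize
    ErrorsBefore = countif(TimeGenerated < RotationStart),
    ErrorsAfter = countif(TimeGenerated >= RotationStart),
    FirstErrorAfter = minif(TimeGenerated, TimeGenerated >= RotationStart)
    by CsHost, CsUriStem, ScStatus, CIp, UserAgent
// Keep only callers whose errors are new or increased after the rotation.
| where ErrorsAfter >= MinNewErrors and ErrorsAfter > ErrorsBefore
| extend Delta = ErrorsAfter - ErrorsBefore
| order by Delta desc
```

Rows with ErrorsBefore equal to 0 are the strongest candidates for a consumer still using the old secret; rows with errors on both sides usually predate the rotation.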