KQL snippet: isolate Service Bus private endpoint errors
A short query to separate missing connection evidence, identity denial, expired SAS and processing errors during a private Service Bus incident.
When an application can no longer publish to or consume from Azure Service Bus through a Private Endpoint, first check whether the namespace actually sees the operations and which denials it records for them.
```kusto
// Look-back window and the namespace under investigation.
let Window = 2h;
let Namespace = "sb-prod-orders";
AzureDiagnostics
| where TimeGenerated > ago(Window)
| where ResourceProvider == "MICROSOFT.SERVICEBUS"
| where Resource has Namespace
// Keep data-plane operations, plus anything that did not succeed.
| where OperationName has_any ("Send", "Receive", "Complete", "Abandon", "DeadLetter", "RenewLock")
    or ResultType !in ("Success", "Succeeded")
| project TimeGenerated,
          Resource,
          OperationName,
          ResultType,
          ResultDescription,
          ActivityId,
          CallerIPAddress,
          Identity = tostring(Identity)
| order by TimeGenerated desc
```

Quick read:
- no line for the test: go back to DNS, Private Endpoint, routing or connection string;
- `401` or `403`: check real identity, Service Bus Data Sender/Receiver role or SAS;
- errors after `Receive`: inspect lock, dead-letter, subscription filter and application processing.
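
The quick read above, turned into a classification step, as an added example that is not part of the original snippet. The sample rows are constructed, and the matched strings (`401`, `403`, `expired`) are assumptions about what `ResultDescription` contains in your workspace; adjust them to the text your logs actually show.

```kusto
// Constructed sample rows standing in for the projected AzureDiagnostics output.
let Sample = datatable(TimeGenerated:datetime, OperationName:string, ResultType:string,
                       ResultDescription:string, ActivityId:string)
[
    datetime(2024-01-01 10:00:00), "Send",       "Failed",  "401 Unauthorized: token expired", "a1",
    datetime(2024-01-01 10:01:00), "Send",       "Failed",  "403 Forbidden: claim missing",    "a2",
    datetime(2024-01-01 10:02:00), "Receive",    "Success", "",                                "a3",
    datetime(2024-01-01 10:03:00), "Complete",   "Failed",  "Lock lost",                       "a3",
    datetime(2024-01-01 10:04:00), "DeadLetter", "Success", "",                                "a4"
];
Sample
// Order matters: case() returns the first matching branch, so the more
// specific "expired" check runs before the generic 401/403 check.
| extend Bucket = case(
    ResultType in ("Success", "Succeeded"), "ok",
    ResultDescription has "expired", "expired SAS or token",              // assumed wording
    ResultDescription has_any ("401", "403"), "identity denial",          // assumed wording
    OperationName in ("Complete", "Abandon", "DeadLetter", "RenewLock"), "processing error after Receive",
    "other failure")
| summarize Events = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
        by Bucket, OperationName
| order by Events desc
// An empty result for the test window is the first bullet of the quick read:
// the namespace never saw the operation, so look at DNS, Private Endpoint,
// routing or the connection string.
```

To run it against real data, replace `Sample` with the projected output of the query above.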