Merge pull request #252319 from AbbyMSFT/api-dep

prmerger-automator[bot] · web-flow · commit dafbfe3804ef · 2023-09-20T20:26:38.000Z
Add sample ARG queries for getting Azure monitor alerts
diff --git a/articles/governance/resource-graph/samples/starter.md b/articles/governance/resource-graph/samples/starter.md
@@ -31,6 +31,9 @@ This article uses the following starter queries:
 - [List all storage accounts with specific tag value](#list-specific-tag)
 - [List all tags and their values](#list-all-tag-values)
 - [Show unassociated network security groups](#unassociated-nsgs)
+- [List alerts by severity](#alerts-severity)
+- [List alerts by severity and resource type](#alerts-severity-state)
+- [List alerts by severity and resource type with a specific tag](#alerts-severity-service-type)
 
 If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free)
 before you begin.
@@ -654,6 +657,44 @@ Search-AzGraph -Query "Resources | where type =~ 'microsoft.network/networksecur
 
 ---
 
+## <a name="alerts-severity"></a>List alerts ordered by severity
+
+```kusto
+alertsmanagementresources  
+| where type =~ 'microsoft.alertsmanagement/alerts'   
+| where todatetime(properties.essentials.startDateTime) >= ago(2h) and todatetime(properties.essentials.startDateTime) < now()  
+| project Severity = tostring(properties.essentials.severity) 
+| summarize AlertsCount = count() by Severity
+ 
+```
+## <a name="alerts-severity-state"></a>List alerts ordered by severity and alert state
+
+```kusto
+alertsmanagementresources
+| where type =~ 'microsoft.alertsmanagement/alerts'   
+| where todatetime(properties.essentials.startDateTime) >= ago(2h) and todatetime(properties.essentials.startDateTime) < now()  
+| project Severity = tostring(properties.essentials.severity), 
+    AlertState= tostring(properties.essentials.alertState) 
+| summarize AlertsCount = count() by Severity, AlertState
+```
+
+## <a name="alerts-severity-service-type"></a>List alerts ordered by severity, monitor service, and target resource type 
+
+```kusto
+alertsmanagementresources  
+| where type =~ 'microsoft.alertsmanagement/alerts'   
+| where todatetime(properties.essentials.startDateTime) >= ago(2h) and todatetime(properties.essentials.startDateTime) < now()  
+| project Severity = tostring(properties.essentials.severity),  
+MonitorCondition = tostring(properties.essentials.monitorCondition),  
+ObjectState = tostring(properties.essentials.alertState),  
+MonitorService = tostring(properties.essentials.monitorService),  
+AlertRuleId = tostring(properties.essentials.alertRule),  
+SignalType = tostring(properties.essentials.signalType),  
+TargetResource = tostring(properties.essentials.targetResourceName), 
+TargetResourceType = tostring(properties.essentials.targetResourceName), id 
+| summarize AlertsCount = count() by Severity, MonitorService , TargetResourceType
+```
+
 ## Next steps
 
 - Learn more about the [query language](../concepts/query-language.md).
