|
| 1 | +--- |
| 2 | +title: Azure Resource Graph alerts sample queries |
| 3 | +description: Sample queries that can be used to create alerts for your Azure resources using an Azure Resource Graph query and a Log Analytics workspace. |
| 4 | +ms.date: 03/20/2024 |
| 5 | +ms.topic: sample |
| 6 | +--- |
| 7 | + |
| 8 | +# Azure Resource Graph alerts sample queries |
| 9 | + |
| 10 | +This article includes sample queries that can be used to create alerts for Azure resources using Azure Resource Graph and a Log Analytics workspace. The samples must be run from a Log Analytics workspace. |
| 11 | + |
| 12 | +For more information about alert queries, go to [Quickstart: Create alerts with Azure Resource Graph and Log Analytics](../alerts-query-quickstart.md). |
| 13 | + |
| 14 | +> [!NOTE] |
| 15 | +> Azure Resource Graph alerts integration with Log Analytics is in public preview. |
| 16 | +
|
| 17 | +## Verify virtual machines health |
| 18 | + |
| 19 | +This query finds virtual machines marked as critical that had a heartbeat more than 24 hours ago, but with no heartbeat in the last two minutes. Replace `11111111-1111-1111-1111-111111111111` with your Azure subscription ID. |
| 20 | + |
| 21 | +```kusto |
| 22 | +arg("").Resources |
| 23 | +| where type == "microsoft.compute/virtualmachines" |
| 24 | +| where tags.BusinessCriticality =~ 'critical' and subscriptionId == '11111111-1111-1111-1111-111111111111' |
| 25 | +| join kind=leftouter ( |
| 26 | + Heartbeat |
| 27 | + | where TimeGenerated > ago(24h) |
| 28 | + ) |
| 29 | + on $left.name == $right.Resource |
| 30 | +| summarize LastCall = max(case(isnull(TimeGenerated), make_datetime(1970, 1, 1), TimeGenerated)) by name, id |
| 31 | +| extend SystemDown = case(LastCall < ago(2m), 1, 0) |
| 32 | +| where SystemDown == 1 |
| 33 | +``` |
| 34 | + |
| 35 | +## Filter virtual machines to monitor |
| 36 | + |
| 37 | +This query filters virtual machines that need to be monitored. |
| 38 | + |
| 39 | +```kusto |
| 40 | +let RuleGroupTags = dynamic(['Linux']); |
| 41 | +Perf | where ObjectName == 'Processor' and CounterName == '% Idle Time' and (InstanceName in ('Total','total')) |
| 42 | +| extend CpuUtilisation = (100 - CounterValue) |
| 43 | +| join kind=inner hint.remote=left (arg("").Resources |
| 44 | + | where type =~ 'Microsoft.Compute/virtualMachines' |
| 45 | + | project _ResourceId=tolower(id), tags |
| 46 | + ) |
| 47 | + on _ResourceId |
| 48 | +| project-away _ResourceId1 |
| 49 | +| where (tostring(tags.monitorRuleGroup) in (RuleGroupTags)) |
| 50 | +``` |
| 51 | + |
| 52 | +## Find resources with certificates |
| 53 | + |
| 54 | +This query finds resources with certificates that expire within 30 days. |
| 55 | + |
| 56 | +```kusto |
| 57 | +arg("").Resources |
| 58 | +| where type == "microsoft.web/certificates" |
| 59 | +| extend ExpirationDate = todatetime(properties.expirationDate) |
| 60 | +| project ExpirationDate, name, resourceGroup, properties.expirationDate |
| 61 | +| where ExpirationDate < now() + 30d |
| 62 | +| order by ExpirationDate asc |
| 63 | +``` |
| 64 | + |
| 65 | +## Alerts when new resource created in subscription |
| 66 | + |
| 67 | +This query alerts when a new resource is created in an Azure subscription. |
| 68 | + |
| 69 | +```kusto |
| 70 | +arg("").resourcechanges |
| 71 | +| extend changeTime = todatetime(properties.changeAttributes.timestamp), |
| 72 | + changeType = tostring(properties.changeType),targetResourceType = tostring(properties.targetResourceType), |
| 73 | + changedBy = tostring(properties.changeAttributes.changedBy) |
| 74 | +| where changeType == "Create" and changeTime <ago(1h) |
| 75 | +| project changeTime, targetResourceType, changedBy |
| 76 | +``` |
| 77 | + |
| 78 | +## Next steps |
| 79 | + |
| 80 | +For more information about the query language or how to explore resources, go to the following articles. |
| 81 | + |
| 82 | +- [Understanding the Azure Resource Graph query language](../concepts/query-language.md) |
| 83 | +- [Explore your Azure resources with Resource Graph](../concepts/explore-resources.md) |
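Review bot: In the "Alerts when new resource created in subscription" sample, the filter `changeTime <ago(1h)` keeps Create events that are older than one hour and discards the recent ones, which is the opposite of what the section describes. An alert rule built on it would keep matching historical creations and would not fire for a resource created since the last evaluation, so it should read `| where changeType == "Create" and changeTime > ago(1h)`, with the window matched to the rule's evaluation frequency. The final `project` also drops the resource identity; adding `createdResource = tostring(properties.targetResourceId)` to the `extend` and to the `project` would tell the responder which resource was created, not only its type and who created it.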