Announcing the Public Preview of Alerting on Azure Resource Graph

Azure Resource Graph is an Azure service designed to provide efficient and performant resource exploration with the ability to query at scale across a given set of subscriptions so that you can effectively govern your environment. While customers could provide complex queries to get visibility into their environments, there was no easy way to proactively identify issues and get notified. 

We are happy to announce that you can enable alerts on Azure Resource Graph queries using Azure Monitor alerting. With this feature, you have the option to customize alerts based on the results of your ARG (Azure Resource Graph) queries. This means that not only can you gain insights from your resource data, but you can also take proactive actions when predefined criteria are met.

 

How to Get Started

To create an alert on ARG queries, you need to have a Log Analytics Workspace and a Managed identity with reader permission for the resource.  Here is a basic guide to help you set up your first ARG alert.  

1. Go to Azure portal to access Azure Monitor and click on either Alerts or Logs.  
2. From the Logs query builder, craft Azure Resource Graph queries and execute them to obtain results by utilizing the specified prefix arg("").Table_name as shown in the picture below.
   arg("").resourcechanges | extend Target = tostring(properties.targetResourceType), changeType = tostring(properties.changeType), targetResourceId = tostring(properties.targetResourceId), timestamp = todatetime(properties.changeAttributes.timestamp), correlationId = todatetime(properties.changeAttributes.correlationId) | where changeType == "Delete"
3. After checking the results, click on “New alert rule” and follow the steps from choosing the Log Analytics workspace previously created as the scope of the rule execution to “create” the alert rule. 

Sample Scenarios & Examples  

Alert on Failed update runs

 

arg("").maintenanceresources | extend failed = toint(properties.resourceUpdateSummary.failed), timeout = toint(properties.resourceUpdateSummary.timedout), maintenanceId = tostring(properties.maintenanceConfigurationId), EndTime = todatetime(properties.endDateTime) | where failed > 0 or timeout > 0 | where EndTime > ago(12h) | summarize Failed=count() by maintenanceId

 

 

Alert on VMs (Virtual Machines) needing patches 

 

arg("").patchassessmentresources | where type has "softwarepatches" | extend id = tolower(id) | parse id with resourceId "/patchassessmentresults" * | where isnotnull(properties.kbId) | extend MissingUpdate = tostring(properties.patchName), Classification = tostring(properties.classifications[0]) | extend UpdatesNeeded = pack_array(MissingUpdate, Classification) | summarize UpdatesNeeded = make_set(UpdatesNeeded), Count= count() by resourceId

 

 

Related Resources   

 To learn about this exciting capability, refer to:

• How Azure Resource Graph uses alerts to monitor resources - Azure Resource Graph | Microsoft Learn 
• Create Azure Monitor alert rules - Azure Monitor | Microsoft Learn 
• Troubleshoot Azure Resource Graph alerts - Azure Resource Graph | Microsoft Learn
• Managed identities for Azure resources | Microsoft Learn

 

This is one of many features that we plan to bring to you for rich alerting capabilities on Azure Resource Graph queries. We want to build features that will help you quickly identify issues within your IT landscape, which is why we would appreciate your feedback and collaboration opportunity here . We look forward to working with you as we build out the alerting on Azure Resource Graph capabilities.

 

Happy Alerting!

 

Feedback 

If you have any feedback for Azure Resource Graph service, post your ideas here.   If you're just getting started with Azure Resource Graph, you can learn about the service here and follow us on Twitter for the latest updates.