Announcing the Public Preview of Alerting on Azure Resource Graph


This post has been republished via RSS; it originally appeared at: Microsoft Tech Community - Latest Blogs.

Azure Resource Graph is an Azure service designed to provide efficient and performant resource exploration with the ability to query at scale across a given set of subscriptions so that you can effectively govern your environment. While customers could provide complex queries to get visibility into their environments, there was no easy way to proactively identify issues and get notified. 

We are happy to announce that you can enable alerts on Azure Resource Graph queries using Azure Monitor alerting. With this feature, you have the option to customize alerts based on the results of your ARG (Azure Resource Graph) queries. This means that not only can you gain insights from your resource data, but you can also take proactive actions when predefined criteria are met.


How to Get Started

To create an alert on ARG queries, you need a Log Analytics workspace and a managed identity with reader permission for the resource. Here is a basic guide to help you set up your first ARG alert.

  1. Go to the Azure portal, open Azure Monitor, and click on either Alerts or Logs.
  2. From the Logs query builder, craft Azure Resource Graph queries and execute them to obtain results, using the prefix arg("").Table_name as in the query below.
    arg("").Table_name   // Table_name: placeholder for the Resource Graph table to query
    | extend Target = tostring(properties.targetResourceType),
            changeType = tostring(properties.changeType),
            targetResourceId = tostring(properties.targetResourceId),
            timestamp = todatetime(properties.changeAttributes.timestamp),
            // correlationId is an identifier, not a date, so convert it with tostring
            correlationId = tostring(properties.changeAttributes.correlationId)
    | where changeType == "Delete"
  3. After checking the results, click on “New alert rule” and follow the steps, from choosing the previously created Log Analytics workspace as the scope of the rule execution through to “Create”, which creates the alert rule.

Sample Scenarios & Examples 

Alert on Failed update runs


| extend failed = toint(properties.resourceUpdateSummary.failed), 
        timeout = toint(properties.resourceUpdateSummary.timedout), 
        maintenanceId = tostring(properties.maintenanceConfigurationId),
        EndTime = todatetime(properties.endDateTime)
| where failed > 0 or timeout > 0 
| where EndTime > ago(12h)
| summarize Failed=count() by maintenanceId



Alert on VMs (Virtual Machines) needing patches


| where type has "softwarepatches"
| extend id = tolower(id)
| parse id with resourceId "/patchassessmentresults" *
| where isnotnull(properties.kbId)
| extend
    MissingUpdate = tostring(properties.patchName),
    Classification = tostring(properties.classifications[0])
| extend UpdatesNeeded = pack_array(MissingUpdate, Classification)
| summarize UpdatesNeeded = make_set(UpdatesNeeded), Count= count() by resourceId
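
To show what rows this query hands to the alert rule, here is an added Python emulation of its operators over constructed records. It is not code from the original post; the function names, the sample records and the "any row returned" alert condition are assumptions made for illustration.

```python
import re

# Constructed sample rows shaped like Resource Graph patch-assessment records.
VM = "/subscriptions/0000/resourceGroups/rg-demo/providers/Microsoft.Compute/virtualMachines/"
PATCH = "microsoft.compute/virtualmachines/patchassessmentresults/softwarepatches"
SEC = {"kbId": "5000001", "patchName": "Constructed Update A", "classifications": ["Security"]}
CRIT = {"kbId": "5000002", "patchName": "Constructed Update B", "classifications": ["Critical"]}
SAMPLE_ROWS = [
    {"id": VM + "web01/patchAssessmentResults/latest/softwarePatches/p1", "type": PATCH, "properties": SEC},
    # Same VM and patch, differently cased id: tolower() folds it into the same group.
    {"id": (VM + "web01").upper() + "/patchAssessmentResults/latest/softwarePatches/p1b",
     "type": PATCH, "properties": SEC},
    {"id": VM + "web01/patchAssessmentResults/latest/softwarePatches/p2", "type": PATCH, "properties": CRIT},
    # No kbId: dropped by isnotnull(properties.kbId).
    {"id": VM + "db01/patchAssessmentResults/latest/softwarePatches/p3", "type": PATCH,
     "properties": {"kbId": None, "patchName": "Constructed Update C", "classifications": ["Other"]}},
    # Not a software-patch record: dropped by the `type has` filter.
    {"id": VM + "app01", "type": "microsoft.compute/virtualmachines", "properties": {}},
]


def vms_needing_patches(rows):
    """Emulate the query: one entry per VM with its distinct missing updates and row count."""
    result = {}
    for row in rows:
        # `has` is a case-insensitive whole-term match on alphanumeric terms.
        if "softwarepatches" not in re.split(r"[^0-9a-z]+", row["type"].lower()):
            continue
        props = row.get("properties") or {}
        if props.get("kbId") is None:
            continue
        # parse id with resourceId "/patchassessmentresults" *
        resource_id, sep, _ = row["id"].lower().partition("/patchassessmentresults")
        resource_id = resource_id if sep else ""   # no match leaves resourceId empty
        update = (str(props.get("patchName") or ""),
                  str((props.get("classifications") or [""])[0]))
        entry = result.setdefault(resource_id, {"UpdatesNeeded": [], "Count": 0})
        if update not in entry["UpdatesNeeded"]:   # make_set keeps distinct values only
            entry["UpdatesNeeded"].append(update)
        entry["Count"] += 1                        # count() counts every surviving row
    return result


def alert_fires(result, threshold=0):
    """Assumed alert condition: number of result rows is greater than the threshold."""
    return len(result) > threshold
```

Note that Count can exceed the number of entries in UpdatesNeeded, because count() tallies every matching record while make_set keeps each distinct update once.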



Related Resources 

To learn about this exciting capability, refer to:


This is one of many features that we plan to bring to you for rich alerting capabilities on Azure Resource Graph queries. We want to build features that will help you quickly identify issues within your IT landscape, which is why we would appreciate your feedback and collaboration opportunity here. We look forward to working with you as we build out the alerting on Azure Resource Graph capabilities.


Happy Alerting!



If you have any feedback for Azure Resource Graph service, post your ideas here. If you're just getting started with Azure Resource Graph, you can learn about the service here and follow us on Twitter for the latest updates.
