Today I’m releasing my Azure Resource Graph examples repo. This has been an internal repo I created and shared internally late 2019. Now everyone gets to benefit!
Bonus, I have taken every query out of my Ultimate Azure Inventory workbook and added them to the repo as well.
TLDR you can find the Azure Resource Graph Examples repo here
Resource Graph Examples Repo
The repo is broken out much like my Azure Inventory Dashboard workbook, by resource types.
Overview queries https://github.com/scautomation/AzureResourceGraph-Examples/blob/master/resourceQueries/Overview.MD
Monitor and Security https://github.com/scautomation/AzureResourceGraph-Examples/blob/master/resourceQueries/Monitor%20and%20Security/Monitor.MD
Orhaned Resources https://github.com/scautomation/AzureResourceGraph-Examples/blob/master/resourceQueries/Orphaned%20Resources/OrphanedResource.MD
Resource Tagging https://github.com/scautomation/AzureResourceGraph-Examples/tree/master/tagQueries
Some of my favorite azure resource graph examples
Finding enabled log analytics solutions on all workspaces. I like this one because Azure Sentinel and Security Center currently aren’t true Azure Resources, they are “solutions” installed on top of Log Analytics.
resources | where type == "microsoft.operationsmanagement/solutions" | project Solution=plan.name, Workspace=tolower(tostring(properties.workspaceResourceId)), subscriptionId | join kind=leftouter( resources | where type =~ 'microsoft.operationalinsights/workspaces' | project Workspace=tolower(tostring(id)),subscriptionId) on Workspace | summarize Solutions = strcat_array (make_list(Solution), ",") by Workspace, subscriptionId | extend AzureSecurityCenter = iif(Solutions has 'Security','Enabled','Not Enabled') | extend AzureSecurityCenterFree = iif(Solutions has 'SecurityCenterFree','Enabled','Not Enabled') | extend AzureSentinel = iif(Solutions has "SecurityInsights",'Enabled','Not Enabled') | extend AzureMonitorVMs = iif(Solutions has "VMInsights",'Enabled','Not Enabled') | extend ServiceDesk = iif(Solutions has "ITSM Connector",'Enabled','Not Enabled') | extend AzureAutomation = iif(Solutions has "AzureAutomation",'Enabled','Not Enabled') | extend ChangeTracking = iif(Solutions has 'ChangeTracking','Enabled','Not Enabled') | extend UpdateManagement = iif(Solutions has 'Updates','Enabled','Not Enabled') | extend UpdateCompliance = iif(Solutions has 'WaaSUpdateInsights','Enabled','Not Enabled') | extend AzureMonitorContainers = iif(Solutions has 'ContainerInsights','Enabled','Not Enabled') | extend KeyVaultAnalytics = iif(Solutions has 'KeyVaultAnalytics','Enabled','Not Enabled') | extend SQLHealthCheck = iif(Solutions has 'SQLAssessment','Enabled','Not Enabled')
Joining NICS and PublicIPs with VMs
Resources | where type =~ 'microsoft.compute/virtualmachines' | extend nics=array_length(properties.networkProfile.networkInterfaces) | mv-expand nic=properties.networkProfile.networkInterfaces | where nics == 1 or nic.properties.primary =~ 'true' or isempty(nic) | project vmId = id, vmName = name, vmSize=tostring(properties.hardwareProfile.vmSize), nicId = tostring(nic.id) | join kind=leftouter ( Resources | where type =~ 'microsoft.network/networkinterfaces' | extend ipConfigsCount=array_length(properties.ipConfigurations) | mv-expand ipconfig=properties.ipConfigurations | where ipConfigsCount == 1 or ipconfig.properties.primary =~ 'true' | project nicId = id, privateIP= tostring(ipconfig.properties.privateIPAddress), publicIpId = tostring(ipconfig.properties.publicIPAddress.id), subscriptionId) on nicId | project-away nicId1 | summarize by vmId, vmSize, nicId, privateIP, publicIpId, subscriptionId | join kind=leftouter ( Resources | where type =~ 'microsoft.network/publicipaddresses' | project publicIpId = id, publicIpAddress = tostring(properties.ipAddress)) on publicIpId | project-away publicIpId1 | sort by publicIpAddress desc
Please feel free to clone, fork and contribute with your own examples. With the community we are better together.