Azure Resource Graph Examples and Github Repo

Today I’m releasing my Azure Resource Graph examples repo. This has been an internal repo I created and shared internally late 2019. Now everyone gets to benefit!

Bonus, I have taken every query out of my Ultimate Azure Inventory workbook and added them to the repo as well.

TLDR you can find the Azure Resource Graph Examples repo here

Resource Graph Examples Repo

The repo is broken out much like my Azure Inventory Dashboard workbook, by resource types.

Overview queries https://github.com/scautomation/AzureResourceGraph-Examples/blob/master/resourceQueries/Overview.MD

PaaS https://github.com/scautomation/AzureResourceGraph-Examples/tree/master/resourceQueries/PaaS

Compute https://github.com/scautomation/AzureResourceGraph-Examples/tree/master/resourceQueries/Compute

Monitor and Security https://github.com/scautomation/AzureResourceGraph-Examples/blob/master/resourceQueries/Monitor%20and%20Security/Monitor.MD

Networking https://github.com/scautomation/AzureResourceGraph-Examples/blob/master/resourceQueries/Networking/Networking.MD

Orhaned Resources https://github.com/scautomation/AzureResourceGraph-Examples/blob/master/resourceQueries/Orphaned%20Resources/OrphanedResource.MD

Resource Tagging https://github.com/scautomation/AzureResourceGraph-Examples/tree/master/tagQueries

Examples

Some of my favorite azure resource graph examples

Finding enabled log analytics solutions on all workspaces. I like this one because Azure Sentinel and Security Center currently aren’t true Azure Resources, they are “solutions” installed on top of Log Analytics.

resources
| where type == "microsoft.operationsmanagement/solutions"
| project Solution=plan.name, Workspace=tolower(tostring(properties.workspaceResourceId)), subscriptionId
| join kind=leftouter(
resources
| where type =~ 'microsoft.operationalinsights/workspaces'
| project Workspace=tolower(tostring(id)),subscriptionId) on Workspace
| summarize Solutions = strcat_array (make_list(Solution), ",") by Workspace, subscriptionId
| extend AzureSecurityCenter = iif(Solutions has 'Security','Enabled','Not Enabled')
| extend AzureSecurityCenterFree = iif(Solutions has 'SecurityCenterFree','Enabled','Not Enabled')
| extend AzureSentinel = iif(Solutions has "SecurityInsights",'Enabled','Not Enabled')
| extend AzureMonitorVMs = iif(Solutions has "VMInsights",'Enabled','Not Enabled')
| extend ServiceDesk = iif(Solutions has "ITSM Connector",'Enabled','Not Enabled')
| extend AzureAutomation = iif(Solutions has "AzureAutomation",'Enabled','Not Enabled')
| extend ChangeTracking = iif(Solutions has 'ChangeTracking','Enabled','Not Enabled')
| extend UpdateManagement = iif(Solutions has 'Updates','Enabled','Not Enabled')
| extend UpdateCompliance = iif(Solutions has 'WaaSUpdateInsights','Enabled','Not Enabled')
| extend AzureMonitorContainers = iif(Solutions has 'ContainerInsights','Enabled','Not Enabled')
| extend KeyVaultAnalytics = iif(Solutions has 'KeyVaultAnalytics','Enabled','Not Enabled')
| extend SQLHealthCheck = iif(Solutions has 'SQLAssessment','Enabled','Not Enabled')

 

Joining NICS and PublicIPs with VMs


Resources
| where type =~ 'microsoft.compute/virtualmachines'
| extend nics=array_length(properties.networkProfile.networkInterfaces)
| mv-expand nic=properties.networkProfile.networkInterfaces
| where nics == 1 or nic.properties.primary =~ 'true' or isempty(nic)
| project vmId = id, vmName = name, vmSize=tostring(properties.hardwareProfile.vmSize), nicId = tostring(nic.id)
| join kind=leftouter (
Resources
| where type =~ 'microsoft.network/networkinterfaces'
| extend ipConfigsCount=array_length(properties.ipConfigurations)
| mv-expand ipconfig=properties.ipConfigurations
| where ipConfigsCount == 1 or ipconfig.properties.primary =~ 'true'
| project nicId = id, privateIP= tostring(ipconfig.properties.privateIPAddress), publicIpId = tostring(ipconfig.properties.publicIPAddress.id), subscriptionId)
on nicId
| project-away nicId1
| summarize by vmId, vmSize, nicId, privateIP, publicIpId, subscriptionId
| join kind=leftouter (
Resources
| where type =~ 'microsoft.network/publicipaddresses'
| project publicIpId = id, publicIpAddress = tostring(properties.ipAddress)) on publicIpId
| project-away publicIpId1
| sort by publicIpAddress desc

 

Contribute

Please feel free to clone, fork and contribute with your own examples. With the community we are better together.

Leave a Comment