Azure resource Graph integration


Are there any plans to integrate Azure Resource Graph with Log Analytics? Once the integration is available it will be super easy to set up alerts based on resource metadata and monitoring data. Since both use the Kusto language, it should be easy to do a cross-workspace kind of query, I guess.


@yesoreyeram you can use workbooks, which can combine data from ARG, LA and Kusto.

@shijain13 yea. It is possible. But how do you combine results from both queries? (join Kusto queries / cross-workspace queries / etc.) Currently we can only query Log Analytics / Application Insights.

It would indeed be useful for:

  • Getting information on the tags of the resource and combining that in a query,
    to differentiate on environment, for example.
  • Looking at VM sizing for limits:
    disk throttling depending on size.
  • ...


As @pvyver mentioned, it would open up possibilities like dynamic thresholds in log-based queries based on resource metadata like size, environment etc. @shijain13

@yesoreyeram In workbooks we offer merge - in Add Queries you will see this as an option.

Yes, but not for alerting, for example.
It would be useful to read out the tags and set different thresholds for each environment tag.

That's a really useful video. But still, the original question was about cross-querying both resources (like how we query App Insights from a Log Analytics query using a cross-workspace query).

@yesoreyeram I see, so it becomes tag-based management of alert config. I believe currently you can use ARM templates for alerts to deploy to different environments. Adding @ofmanor

@yesoreyeram - this is high on our list, but unfortunately it gets pushed away as more urgent stuff comes in. But we will get there; we understand the need and will address it.

@OlegAnaniev - I would like to join, in a Sentinel workbook, an ARG 'resources' query with a Log Analytics 'SecurityAlert' query to produce aggregated output like this:

Resource Group    No. of Resources    No. of Alerts
--------------    ----------------    -------------
rg_A                            50            1,295
rg_B                           125               96

Is that possible? I have tried the Merge query, however I have not found a way to include aggregate columns.
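As an added example (not from any poster in this thread, and not Microsoft's own sample), here is one way to get the aggregated table above from two separate Workbook query items, one against Azure Resource Graph and one against the Log Analytics workspace, so that the Workbook Merge step only has to join two already-aggregated result sets on a shared column. The `resources` and `SecurityAlert` tables and the `resourceGroup`/`ResourceId` columns are real; the output column names (`ResourceGroup`, `Resources`, `Alerts`) and the 30-day window are my assumptions:

```kql
// Query item 1 - data source: Azure Resource Graph.
// One row per resource group with its resource count. ARG returns
// resourceGroup lower-cased, so the LA side below is lower-cased to match.
resources
| summarize Resources = count() by ResourceGroup = tolower(resourceGroup)

// Query item 2 - data source: Logs (Log Analytics / Sentinel workspace).
// SecurityAlert has no resource-group column, so the group is taken from
// segment 4 of the ARM resource ID:
//   /subscriptions/<sub>/resourceGroups/<rg>/providers/...
// Alerts without a ResourceId (tenant- or subscription-scoped) are dropped
// here; count them separately if they matter for your report.
SecurityAlert
| where TimeGenerated > ago(30d)          // assumed reporting window
| where isnotempty(ResourceId)
| extend ResourceGroup = tolower(tostring(split(ResourceId, "/")[4]))
| summarize Alerts = count() by ResourceGroup
```

In the Workbook, add both items, then add a Merge item that joins them on `ResourceGroup`. A left outer join from the ARG side keeps resource groups with zero alerts in the table; a full outer join also surfaces alerts whose resource group is no longer in the ARG inventory (for example, a resource that was deleted after the alert fired), which is often the more interesting row from a security standpoint.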