├── Azure Services ├── API Management services │ ├── Alerts │ │ └── README │ ├── Queries │ │ ├── Diagnostics │ │ │ ├── Cache hit ratio.kql │ │ │ └── Client TLS versions.kql │ │ ├── Errors │ │ │ ├── Error reasons breakdown.kql │ │ │ ├── Get failed requests due to issues not related to the backend.kql │ │ │ ├── Get failed requests due to issues related to the backend.kql │ │ │ └── Last 100 failed requests.kql │ │ ├── Latency │ │ │ ├── Backend latency.kql │ │ │ ├── Client latency.kql │ │ │ └── Overall latency.kql │ │ ├── Performance │ │ │ └── Bandwidth consumed.kql │ │ ├── README │ │ └── Usage │ │ │ ├── Logs of the last 100 calls.kql │ │ │ ├── Number of calls by APIs.kql │ │ │ ├── Number of requests.kql │ │ │ ├── Request sizes.kql │ │ │ └── Response sizes.kql │ └── Workbooks │ │ └── README ├── App Services │ ├── Alerts │ │ └── README │ ├── Queries │ │ ├── App Logs │ │ │ ├── App logs for each App Service.kql │ │ │ ├── Count app logs by severity.kql │ │ │ ├── Error and exception count.kql │ │ │ ├── Show application logs from Function Apps.kql │ │ │ └── Show logs with warnings or exceptions.kql │ │ ├── Audit Logs │ │ │ ├── Audit Logs relating to unexpected users.kql │ │ │ └── File Audit Logs relating to a Delete operation.kql │ │ ├── Azure Metrics │ │ │ ├── Line chart of response times.kql │ │ │ └── Pie chart of HTTP response codes.kql │ │ ├── Console logs │ │ │ └── Find console logs relating to application startup.kql │ │ ├── Incoming requests │ │ │ ├── App Service Health.kql │ │ │ ├── Failure Categorization.kql │ │ │ ├── Response times of requests.kql │ │ │ ├── Top 5 Clients.kql │ │ │ └── Top 5 Machines.kql │ │ ├── README │ │ ├── Security │ │ │ └── Count of denied access from IP Security Audit Logs by resource in the last 7 days.kql │ │ └── Usage and Performance │ │ │ ├── Function Error rate.kql │ │ │ ├── Function activity over time.kql │ │ │ ├── Function results.kql │ │ │ └── Slow Functions.kql │ └── Workbooks │ │ └── README ├── Application Insights │ ├── Alerts │ │ 
└── README │ ├── Queries │ │ ├── Browsing data │ │ │ ├── Page views trend.kql │ │ │ ├── Slowest pages.kql │ │ │ └── Top 3 browser exceptions.kql │ │ ├── Performance │ │ │ ├── Operations performance.kql │ │ │ ├── Request count trend.kql │ │ │ ├── Response time buckets.kql │ │ │ ├── Response time trend.kql │ │ │ └── Top 10 countries by traffic.kql │ │ ├── README │ │ └── Reports failures │ │ │ ├── Exceptions causing request failures.kql │ │ │ ├── Failed operations.kql │ │ │ ├── Failed requests top 10.kql │ │ │ └── Failing dependencies.kql │ └── Workbooks │ │ └── README ├── Application gateways │ ├── Alerts │ │ └── README │ ├── Queries │ │ ├── Analytics │ │ │ ├── Errors by URI.kql │ │ │ ├── Errors by user agent.kql │ │ │ ├── Top 10 Client IPs.kql │ │ │ └── Top HTTP versions.kql │ │ ├── Incoming requests │ │ │ ├── Failed requests per hour.kql │ │ │ ├── NonSSL requests per hour.kql │ │ │ └── Requests per hour.kql │ │ └── README │ └── Workbooks │ │ ├── AzureApplicationGatewayInsights.md │ │ ├── AzureApplicationGatewayInsights.workbook │ │ └── README ├── Automation accounts │ ├── Alerts │ │ └── README │ ├── Queries │ │ ├── Automation Jobs │ │ │ ├── Azure Automation jobs that are Completed.kql │ │ │ ├── Azure Automation jobs that are failed suspended or stopped.kql │ │ │ ├── Find logs reporting errors in automation jobs from the last day.kql │ │ │ ├── Runbook completed successfully with errors.kql │ │ │ └── View historical job status.kql │ │ ├── Azure Update Management │ │ │ ├── Computers list.kql │ │ │ ├── Missing updates list.kql │ │ │ ├── Missing updates summary.kql │ │ │ ├── Patch installation failure for your machines.kql │ │ │ ├── Summary of updates available across machines.kql │ │ │ ├── Updates available for Linux machines.kql │ │ │ └── Updates available for Windows machines.kql │ │ └── README │ └── Workbooks │ │ ├── Change Tracking │ │ ├── armtemplate │ │ │ └── template.json │ │ └── gallerytemplate │ │ │ └── template.json │ │ ├── README │ │ ├── Update Management │ 
│ ├── armTemplates │ │ │ ├── enhancedupdatemanagement.json │ │ │ ├── linux.json │ │ │ ├── linuxwindows.json │ │ │ └── windows.json │ │ └── galleryTemplates │ │ │ ├── enhancedupdatemanagement.json │ │ │ ├── linux.json │ │ │ ├── linuxwindows.json │ │ │ └── windows.json │ │ └── UpdateManagement.json ├── Azure AD Domain Services │ ├── Alerts │ │ └── README │ ├── Queries │ │ └── Preview Data │ │ │ ├── Show logs from AADDomainServicesAccountLogon table.kql │ │ │ ├── Show logs from AADDomainServicesAccountManagement table.kql │ │ │ ├── Show logs from AADDomainServicesDirectoryServiceAccess table.kql │ │ │ ├── Show logs from AADDomainServicesLogonLogoff table.kql │ │ │ ├── Show logs from AADDomainServicesPolicyChange table.kql │ │ │ ├── Show logs from AADDomainServicesPrivilegeUse table.kql │ │ │ ├── Show logs from AADDomainServicesSystemSecurity table.kql │ │ │ ├── Show logs from AzureActivity table.kql │ │ │ └── Show logs from AzureMetrics table.kql │ └── Workbooks │ │ └── README ├── Azure Active Directory Logs │ ├── Alerts │ │ └── README │ ├── Queries │ │ ├── Audit │ │ │ ├── Provisioned objects by day.kql │ │ │ ├── Provisioning actions for the last week.kql │ │ │ └── Provisioning errors.kql │ │ └── Security │ │ │ ├── Inactive Service Principals.kql │ │ │ ├── Most active IP Addresses.kql │ │ │ ├── Most active Managed Identities.kql │ │ │ ├── Most active Service Principals.kql │ │ │ └── Users with multiple cities.kql │ └── Workbooks │ │ └── README ├── Azure Active Directory │ ├── Alerts │ │ └── README │ ├── Queries │ │ └── README │ └── Workbooks │ │ └── README ├── Azure Activity logs │ ├── Alerts │ │ ├── README │ │ ├── deployNSGAlert.json │ │ ├── deployNSGAlertCreate.parameters.json │ │ └── deployNSGAlertUpdate.parameters.json │ ├── Queries │ │ ├── Activity logs │ │ │ ├── ExtractIsGuestAndDomain │ │ │ ├── Failed operations.kql │ │ │ ├── Latest 50 logs.kql │ │ │ ├── NSGCreateOpenAllowAll.kql │ │ │ ├── NSGUpdateOpenAllowAll.kql │ │ │ ├── Operations status.kql │ │ │ ├── 
Recent Azure Activity logs.kql │ │ │ └── resource write operations.kql │ │ └── README │ └── Workbooks │ │ └── README ├── Azure Arc │ ├── Alerts │ │ └── README │ ├── Queries │ │ └── README │ └── Workbooks │ │ ├── Azure Arc for Servers │ │ ├── Azure ARC for Servers.workbook │ │ └── AzureArcServers&VMsExtensionsMonitor.workbook │ │ └── README ├── Azure Container Apps │ ├── Alerts │ │ └── README │ ├── Queries │ │ └── Most recent container log entries.kql │ └── Workbooks │ │ └── README ├── Azure Database for MariaDB servers │ ├── Alerts │ │ └── README │ ├── Queries │ │ ├── Audit │ │ │ └── Review audit log events.kql │ │ ├── Performance │ │ │ ├── Execution time exceeding a threshold.kql │ │ │ ├── Show Querys statistics.kql │ │ │ └── Show the Slowest queries.kql │ │ └── README │ └── Workbooks │ │ └── README ├── Azure Database for MySQL servers │ ├── Alerts │ │ └── README │ ├── Queries │ │ ├── Audit │ │ │ └── Review audit log events.kql │ │ ├── Performance │ │ │ ├── Execution time exceeding a threshold.kql │ │ │ ├── Show Querys statistics.kql │ │ │ └── Show the Slowest queries.kql │ │ └── README │ └── Workbooks │ │ └── README ├── Azure Database for PostgreSQL servers │ ├── Alerts │ │ └── README │ ├── Queries │ │ ├── Audit Logs │ │ │ ├── Audit logs for tables and event types.kql │ │ │ └── Audit logs.kql │ │ ├── Diagnostics │ │ │ ├── Autovacuum events.kql │ │ │ ├── Deadlocks.kql │ │ │ ├── Execution count trends.kql │ │ │ ├── Lock contention.kql │ │ │ ├── Query statistics.kql │ │ │ ├── Server restarts.kql │ │ │ ├── Top wait events.kql │ │ │ └── Wait event trends.kql │ │ ├── Errors │ │ │ └── Find Errors.kql │ │ ├── Performance │ │ │ ├── Queries waiting.kql │ │ │ ├── Queries with execution time exceeding a threshold.kql │ │ │ └── Slowest queries.kql │ │ ├── README │ │ └── Troubleshooting │ │ │ ├── Compare two periods for query execution times.kql │ │ │ └── Unauthorized connections.kql │ └── Workbooks │ │ └── README ├── Azure Databricks │ ├── Alerts │ │ └── README │ ├── Queries 
│ │ └── Jobs │ │ │ └── Job run times.kql │ └── Workbooks │ │ └── README ├── Azure Digital Twins │ ├── Alerts │ │ └── README │ ├── Queries │ │ ├── Diagnostics │ │ │ ├── DigitalTwin API Latency.kql │ │ │ ├── Model API Latency.kql │ │ │ └── Query API Latency.kql │ │ ├── Errors │ │ │ ├── DigitalTwin Error Summary.kql │ │ │ ├── Model Error Summary.kql │ │ │ └── Query Error Summary.kql │ │ └── Usage │ │ │ ├── DigitalTwin API Usage.kql │ │ │ ├── EventRoutes API Usage.kql │ │ │ └── Model API Usage.kql │ └── Workbooks │ │ └── README ├── Azure Managed HSMs │ ├── Alerts │ │ └── README │ ├── Queries │ │ ├── README │ │ └── Usage and Diagnostics │ │ │ ├── Are there any failures.kql │ │ │ ├── Are there any slow requests.kql │ │ │ ├── How active has this MHSM pool been.kql │ │ │ ├── How fast is this MHSM pool serving requests.kql │ │ │ ├── What changes occurred last month.kql │ │ │ └── Who is calling this MHSM pool.kql │ └── Workbooks │ │ └── README ├── Azure Monitor autoscale settings │ ├── Alerts │ │ └── README │ ├── Queries │ │ └── Autoscale │ │ │ ├── Autoscale failed operations.kql │ │ │ ├── Autoscale operation status.kql │ │ │ ├── Display top Autoscale 50 logs.kql │ │ │ └── Review Autoscale evaluations.kql │ └── Workbooks │ │ └── README ├── Azure Monitor │ ├── Agents │ │ ├── Migration Tools │ │ │ ├── DCR Config Generator │ │ │ │ ├── CHANGELOG.md │ │ │ │ ├── CTDcrGenerator │ │ │ │ │ ├── CTDCRGenerator-README.md │ │ │ │ │ └── CTWorkSpaceSettingstoDCR.ps1 │ │ │ │ ├── README.md │ │ │ │ └── WorkspaceConfigToDCRMigrationTool.ps1 │ │ │ └── Migration Helper Workbook │ │ │ │ └── AMA Migration Helper.workbook │ │ └── README │ ├── Alerts │ │ ├── ODFB share to everyone alert │ │ └── README │ ├── Queries │ │ └── README │ └── Workbooks │ │ ├── Alerts Management.workbook │ │ ├── AzMon Dedicated Cluster.workbook │ │ ├── Azure Arc-enabled server & Microsoft Defender for Cloud assessment.workbook │ │ ├── Azure Network Monitoring.workbook │ │ ├── Network Communication flow.workbook │ │ ├── 
Workspace & Application Insights Inventory.workbook │ │ ├── armTemplates │ │ ├── Alerts Management.json │ │ ├── DynamicApplication.json │ │ ├── LogAnalytics.json │ │ ├── LogAnalyticsAppInsights.json │ │ └── Subscriptions.json │ │ └── galleryTemplates │ │ ├── Alerts Management.workbook │ │ ├── DynamicApplication.json │ │ ├── LogAnalytics.json │ │ ├── LogAnalyticsAppInsights.json │ │ └── Subscriptions.json ├── Azure NetApp Files │ ├── Alerts │ │ └── README │ ├── Queries │ │ └── README │ ├── README.md │ └── Workbooks │ │ ├── Azure NetApp Files overview.workbook │ │ └── img │ │ ├── overview001.png │ │ ├── overview002.png │ │ ├── overview003.png │ │ └── overview004.png ├── Azure Operator Nexus │ ├── Alerts │ │ └── Preview │ │ │ └── armTemplates │ │ │ ├── Queries │ │ │ └── README │ │ │ ├── activityLogAlerts │ │ │ └── arcKubernetes.json │ │ │ ├── deployActivityLogAlerts.sh │ │ │ ├── deployNexusBareMetalMachineMetricAlerts.sh │ │ │ ├── deployNexusClusterMetricAlerts.sh │ │ │ ├── deployNexusStorageApplianceMetricAlerts.sh │ │ │ ├── deployk8sClusterMetricAlerts.sh │ │ │ ├── k8sMetricAlerts │ │ │ ├── averageCpuUtilizationContainer.json │ │ │ ├── averageCpuUtilizationNode.json │ │ │ ├── averageMainMemoryUsageContainer.json │ │ │ ├── averageMainMemoryUsageNode.json │ │ │ ├── averagePVUsage.json │ │ │ ├── averageWorkingSetMemoryContainer.json │ │ │ ├── averageWorkingSetMemoryNode.json │ │ │ ├── failedPodCount.json │ │ │ ├── kubeletTooManyPods.json │ │ │ ├── nodeNotReady.json │ │ │ └── oomKilledContainer.json │ │ │ ├── nexusMetricAlerts │ │ │ ├── bareMetalMachine │ │ │ │ ├── availableSwapSpace.json │ │ │ │ ├── entropyAvailability.json │ │ │ │ ├── filespaceMountUsage.json │ │ │ │ └── zombieProcessCount.json │ │ │ ├── cluster │ │ │ │ ├── containerTerminated.json │ │ │ │ ├── containerWaitingStatus.json │ │ │ │ ├── daemonSetNotScheduled.json │ │ │ │ ├── deploymentReplicasUnavailable.json │ │ │ │ ├── etcdLeaderMissing.json │ │ │ │ ├── jobStatusFailed.json │ │ │ │ ├── 
kubevirtVMIMemory.json │ │ │ │ ├── podPhase.json │ │ │ │ ├── podTerminatingStatus.json │ │ │ │ └── statefulSetReplicaCount.json │ │ │ └── storageAppliance │ │ │ │ ├── purefaArrayCapacity60.json │ │ │ │ ├── purefaArrayCapacity80.json │ │ │ │ ├── purefaArrayCapacity90.json │ │ │ │ ├── purefaArrayLatency.json │ │ │ │ ├── purefaChassisHardwareTemp.json │ │ │ │ ├── purefaChassisHealth.json │ │ │ │ ├── purefaControllerHardwareTempMax.json │ │ │ │ ├── purefaControllerHardwareTempMin.json │ │ │ │ ├── purefaControllerHealth.json │ │ │ │ ├── purefaHostCapacity60.json │ │ │ │ ├── purefaHostCapacity80.json │ │ │ │ ├── purefaHostCapacity90.json │ │ │ │ ├── purefaHostLatency.json │ │ │ │ ├── purefaVolumeCapacity60.json │ │ │ │ ├── purefaVolumeCapacity80.json │ │ │ │ ├── purefaVolumeCapacity90.json │ │ │ │ └── purefaVolumeLatency.json │ │ │ └── templates │ │ │ ├── activityLogAlerts.bicep │ │ │ ├── k8sMetricAlerts.bicep │ │ │ ├── nexusMetricAlerts.bicep │ │ │ └── nexusMetricAlertsAcrossSubscription.bicep │ └── README.md ├── Azure Resource Graph │ └── Workbooks │ │ ├── armTemplate │ │ └── template.json │ │ └── galleryTemplate │ │ └── template.json ├── Azure Spring Cloud │ ├── Alerts │ │ └── README │ ├── Queries │ │ ├── App Logs │ │ │ ├── Show the application logs which contain the error or exception terms.kql │ │ │ └── Show the error and exception number of each application.kql │ │ ├── README │ │ └── System Logs │ │ │ └── Show the config server logs.kql │ └── Workbooks │ │ └── README ├── Batch accounts │ ├── Alerts │ │ └── README │ ├── Queries │ │ ├── Pools │ │ │ ├── Pool resize failures.kql │ │ │ └── Pool resizes.kql │ │ ├── README │ │ └── Tasks │ │ │ ├── Failed tasks per job.kql │ │ │ ├── Successful tasks per job.kql │ │ │ └── Task durations.kql │ └── Workbooks │ │ └── README ├── Bot Services │ ├── Alerts │ │ └── README │ ├── Queries │ │ └── Diagnostics │ │ │ ├── DisplayDirectLineChannelResponseCodesLineChart.kql │ │ │ ├── DisplayRequestsDurationLineChart.kql │ │ │ ├── 
DisplayResponseCodesLineChart.kql │ │ │ ├── DisplayResponseCodesPieChart.kql │ │ │ ├── GetChannelToBotRequestsLogs.kql │ │ │ ├── GetDirectLineChannelLogs.kql │ │ │ ├── GetFailedChannelsToBotRequests.kql │ │ │ ├── GetFailedRequestsToDependencies.kql │ │ │ └── GetRequestsToDependenciesLogs.kql │ └── Workbooks │ │ └── README ├── CDN profiles │ ├── Alerts │ │ └── README │ ├── Queries │ │ ├── Errors │ │ │ ├── 4XX error rate by URL.kql │ │ │ └── Request errors by user agent.kql │ │ ├── README │ │ └── Usage │ │ │ ├── Requests per hour.kql │ │ │ ├── Top 10 URL request count.kql │ │ │ ├── Top 10 client Ips and http versions.kql │ │ │ ├── Traffic by URL.kql │ │ │ └── Unique IP request count.kql │ └── Workbooks │ │ └── README ├── Communication Services │ ├── Alerts │ │ └── README │ ├── Queries │ │ ├── Audit │ │ │ ├── List Distinct Chat Operations.kql │ │ │ └── List Distinct SMS Operations.kql │ │ ├── Diagnostics │ │ │ ├── Chat Operation Result Counts.kql │ │ │ └── SMS Operation Result Counts.kql │ │ ├── Errors │ │ │ ├── Chat Operational Errors.kql │ │ │ └── SMS Operational Errors.kql │ │ ├── Performance │ │ │ ├── Calculate Chat Operation Duration Percentiles.kql │ │ │ └── Calculate SMS Operation Duration Percentiles.kql │ │ └── Usage │ │ │ ├── Get Long Calls.kql │ │ │ ├── Top 5 IP Addresses per Chat Operation.kql │ │ │ ├── Top 5 IP Addresses per SMS Operation.kql │ │ │ ├── Weekly Record Count Breakdown.kql │ │ │ └── Weekly Usage Breakdown.kql │ └── Workbooks │ │ ├── Call_Diagnostics_LogAnalytics.workbook │ │ └── README ├── Container registries │ ├── Alerts │ │ └── README │ ├── Queries │ │ ├── App Logs │ │ │ ├── Show login events reported over the last hour.kql │ │ │ └── Show registry events reported over the last hour.kql │ │ ├── Preview Data │ │ │ └── Which tables have logs.kql │ │ └── README │ └── Workbooks │ │ └── README ├── Cosmos DB │ ├── Alerts │ │ └── README │ ├── Queries │ │ ├── Diagnostics │ │ │ ├── Collections with throttles 429 in past 24 hours.kql │ │ │ ├── 
Consumed RUs in last 24 hours.kql │ │ │ ├── Top logical partition keys by storage.kql │ │ │ ├── Top operations by consumed Request Units RUs in last 24 hours.kql │ │ │ └── Top queries by consumed Request Units RUs in last 24 hours.kql │ │ └── README │ └── Workbooks │ │ └── README ├── Data Shares │ ├── Alerts │ │ └── README │ ├── Queries │ │ ├── Audit │ │ │ ├── Chart of daily received snapshots.kql │ │ │ ├── Chart of daily sent snapshots.kql │ │ │ └── List sent snapshots by duration.kql │ │ ├── Errors │ │ │ ├── Count failed received snapshots.kql │ │ │ ├── Count failed sent snapshots.kql │ │ │ ├── Frequent errors in received snapshots.kql │ │ │ └── Frequent errors in sent snapshots.kql │ │ ├── Performance │ │ │ └── List received snapshots by duration.kql │ │ └── README │ └── Workbooks │ │ └── README ├── Data factories │ ├── Alerts │ │ ├── Failed or canceled pipelines.kql │ │ ├── Long running pipelines.kql │ │ ├── Pipeline changed.kql │ │ └── README │ ├── Queries │ │ ├── Availability │ │ │ ├── Activity Runs Availability.kql │ │ │ ├── PipelineRuns Availability.kql │ │ │ └── TriggerRuns Availability.kql │ │ ├── Diagnostics │ │ │ ├── Activity runs Top 5 Failures.kql │ │ │ ├── Pipeline runs Top 5 Failures.kql │ │ │ └── Trigger runs Top 5 Failures.kql │ │ └── Performance │ │ │ ├── Activity runs latest Status.kql │ │ │ ├── Pipeline runs latest Status.kql │ │ │ └── Trigger runs latest Status.kql │ └── Workbooks │ │ └── README ├── Dataverse │ ├── Alerts │ │ └── README │ ├── Dashboards │ │ ├── AzureDashboards │ │ │ └── Dynamics 365 Organization Health.json │ │ └── AzureDataExplorer │ │ │ └── PowerPlatfomAdminCenterAnalytics.json │ ├── Queries │ │ ├── API Activity │ │ │ ├── API Requests Being Throttled.kql │ │ │ ├── Power Platform Admin Center Analytics - API Calls.kql │ │ │ ├── Power Platform Admin Center Analytics - API Pass Rate.kql │ │ │ ├── Power Platform Admin Center Analytics - Most Used Entities.kql │ │ │ ├── Power Platform Admin Center Analytics - Most active users 
performing operations.kql │ │ │ ├── Power Platform Admin Center Analytics - Plug-In Executions.kql │ │ │ ├── Power Platform Admin Center Analytics - Top plug-ins by failures.kql │ │ │ └── Power Platform Admin Center Analytics - Total Operations.kql │ │ ├── Other errors and failures │ │ │ ├── ServiceBus Exceptions with Column Chart.kql │ │ │ ├── Timeout Correlation IDs by Table.kql │ │ │ ├── Timeouts Per Day Per Hour.kql │ │ │ ├── Timeouts Per Hour Per Table.kql │ │ │ ├── Timeouts and Distinct Users by Table.kql │ │ │ └── Timeouts by Table and UserId.kql │ │ ├── Page performance │ │ │ ├── API Pass Rate.kql │ │ │ ├── Summary of mobile page load duration in percentiles.kql │ │ │ ├── Summary of page load duration in percentiles.kql │ │ │ ├── Top 10 Slowest Pages last 30 days.kql │ │ │ └── Warm and Cold Form Load Data by Table.kql │ │ ├── Request diagnostics │ │ │ ├── Count Request Operation Verbs by User last 24 hours.kql │ │ │ ├── Count Request Operation Verbs last 24 hours.kql │ │ │ ├── Dependency Performance by Country.kql │ │ │ └── Timechart of CRUD Operations over last 24 hours.kql │ │ ├── Request failures │ │ │ ├── API Pass Rate.kql │ │ │ ├── Failed Power Automate to Dataverse Requests.kql │ │ │ ├── Summary of Plugins by Total Execution, Errors and Duration.kql │ │ │ ├── Top 10 Failing Dependencies.kql │ │ │ └── Top Plug-Ins by Failures.kql │ │ ├── Session diagnostics │ │ │ ├── Unique session count by user over last 24 hours.kql │ │ │ └── Unique user count over last 24 hours.kql │ │ ├── Usage │ │ │ ├── Active Users by Browser.kql │ │ │ ├── Active Users.kql │ │ │ ├── Most Active Users Performing Operations.kql │ │ │ └── Total Operations.kql │ │ └── User Activity │ │ │ ├── Power Platform Admin Center Analytics - Active Users by Browser.kql │ │ │ └── Power Platform Admin Center Analytics - Active Users.kql │ └── Workbooks │ │ ├── README │ │ └── Workitems │ │ └── KeyPerformanceIndicators │ │ └── Work Item with UCI Custom Dimensions.workbook ├── Event Grid Domains │ 
├── Alerts │ │ └── README │ ├── Queries │ │ ├── Diagnostics │ │ │ ├── Delivery failures by domain and error.kql │ │ │ └── Publish failures by domain and error.kql │ │ ├── Performance │ │ │ └── Domains Average Delivery Latency.kql │ │ └── README │ └── Workbooks │ │ └── README ├── Event Grid Topics │ ├── Alerts │ │ └── README │ ├── Queries │ │ ├── Diagnostics │ │ │ ├── Delivery failures by topic and error.kql │ │ │ └── Publish failures by topic and error.kql │ │ ├── Performance │ │ │ └── Topics Average Delivery Latency.kql │ │ └── README │ └── Workbooks │ │ └── README ├── Event Hubs │ ├── Alerts │ │ └── README │ ├── Queries │ │ ├── Errors │ │ │ ├── Access to keyvault key not found.kql │ │ │ ├── Duration of Capture failure.kql │ │ │ └── Errors in the last 7 days.kql │ │ ├── Kafka │ │ │ └── Join request for client.kql │ │ ├── README │ │ └── Usage │ │ │ └── Operation performed with keyvault.kql │ └── Workbooks │ │ └── README ├── ExpressRoute circuits │ ├── Alerts │ │ └── README │ ├── Queries │ │ ├── Diagnostics │ │ │ ├── BGP informational messages.kql │ │ │ ├── BGP route table.kql │ │ │ ├── ExpressRoute Circuit ArpAvailablility graph.kql │ │ │ ├── ExpressRoute Circuit BGP availability.kql │ │ │ ├── ExpressRoute Circuit BitsInPerSecond traffic graph.kql │ │ │ └── ExpressRoute Circuit BitsOutPerSecond traffic graph.kql │ │ └── README │ └── Workbooks │ │ └── README ├── File Sync │ └── Workbooks │ │ ├── armTemplates │ │ └── template.json │ │ └── galleryTemplates │ │ └── template.json ├── Firewalls │ ├── Alerts │ │ └── README │ ├── Queries │ │ ├── Firewall Logs │ │ │ ├── Application rule log data.kql │ │ │ ├── Network rule log data.kql │ │ │ └── Threat Intelligence rule log data.kql │ │ └── README │ └── Workbooks │ │ └── README ├── Front Doors │ ├── Alerts │ │ └── README │ ├── Queries │ │ ├── Errors │ │ │ ├── Request errors by host and path.kql │ │ │ └── Request errors by user agent.kql │ │ ├── Firewall Audit │ │ │ ├── Firewall blocked request count per hour.kql │ │ │ ├── 
Firewall request count by host path rule and action.kql │ │ │ └── Top 20 blocked clients by IP and rule.kql │ │ ├── README │ │ └── Usage and Diagnostics │ │ │ ├── Forwarded backend requests by routing rule.kql │ │ │ ├── Requests per hour.kql │ │ │ └── Top 10 client IPs and http versions.kql │ └── Workbooks │ │ └── README ├── HDInsight Clusters │ ├── Alerts │ │ └── README │ ├── Queries │ │ ├── README │ │ └── Workloads │ │ │ ├── Active Topologies Summary.kql │ │ │ ├── Current number of Storm Supervisors.kql │ │ │ ├── HMaster Error Logs.kql │ │ │ ├── Hadoop And Yarn Metrics List.kql │ │ │ ├── Hadoop and Yarn Log Types List.kql │ │ │ ├── Hive And LLAP Metrics List.kql │ │ │ ├── Hive Server 2 Log Level Count List.kql │ │ │ ├── Hive Server 2 Metrics View.kql │ │ │ ├── Hive and LLAP Log Types List.kql │ │ │ ├── Kafka Messages In Per Second.kql │ │ │ ├── Kafka Server Error Logs.kql │ │ │ ├── Kafka Server Log Level Counts.kql │ │ │ ├── Kafka Underreplicated Partitions.kql │ │ │ ├── List HBase Log Types.kql │ │ │ ├── List Kafka Log Types.kql │ │ │ ├── List Storm Log Types.kql │ │ │ ├── List all HBase Metrics.kql │ │ │ ├── List all Kafka Metrics.kql │ │ │ ├── Number of Active Hive Sources.kql │ │ │ ├── Number of Completed Spark Applications.kql │ │ │ ├── Number of Unhealthy Node Managers.kql │ │ │ ├── Number of dead region servers.kql │ │ │ ├── Region Server Log LevelCounts.kql │ │ │ ├── Region Server Metrics View.kql │ │ │ ├── Resource Manager Log Level Count List.kql │ │ │ ├── Resource Manager Metrics View.kql │ │ │ ├── Spark Application Deploy Mode And Master Summary.kql │ │ │ ├── Spark Driver Log Level Count List.kql │ │ │ ├── Spark Executor Max Core Usage.kql │ │ │ ├── Spark Executor Max Memory.kql │ │ │ ├── Spark Job Statuses.kql │ │ │ ├── Spark Log Types List.kql │ │ │ ├── Spark SQL Query Status Summary.kql │ │ │ ├── Spark Stage Status Summary.kql │ │ │ ├── Spark Stage Task Metrics.kql │ │ │ ├── Spark Task Result Summary.kql │ │ │ ├── Storm Nimbus Error Logs.kql │ │ │ 
└── Storm Nimbus Log Level Counts.kql │ └── Workbooks │ │ └── README ├── IoT Hub │ ├── Alerts │ │ └── README │ ├── Queries │ │ ├── Availability │ │ │ └── Dead endpoints.kql │ │ ├── Diagnostics │ │ │ └── SDK version of devices.kql │ │ ├── Errors │ │ │ ├── Connectvity errors.kql │ │ │ ├── Devices with most throttling errors.kql │ │ │ └── Error summary.kql │ │ ├── README │ │ └── Usage │ │ │ └── Recently connected devices.kql │ └── Workbooks │ │ └── README ├── Key vaults │ ├── Alerts │ │ └── README │ ├── Queries │ │ ├── Input data Errors │ │ │ └── List all input deserialization errors.kql │ │ ├── README │ │ └── Usage and Diagnostics │ │ │ ├── Are there any failures.kql │ │ │ ├── Are there any slow requests.kql │ │ │ ├── How active has this KeyVault been.kql │ │ │ ├── How fast is this KeyVault serving requests.kql │ │ │ ├── What changes occurred last month.kql │ │ │ └── Who is calling this KeyVault.kql │ └── Workbooks │ │ └── README ├── Kubernetes services │ ├── Alerts │ │ └── README │ ├── Queries │ │ ├── Audit │ │ │ ├── Container Lifecycle Information.kql │ │ │ └── kube-audit.kql │ │ ├── Availability │ │ │ ├── List all the pods count with phase.kql │ │ │ └── Readiness status per Node.kql │ │ ├── Container Logs │ │ │ └── List container logs per namespace.kql │ │ ├── Costing │ │ │ ├── Billable Log Data by logtype.kql │ │ │ ├── Billable Log Data pernamespace.kql │ │ │ ├── Container Insight solution billable data.kql │ │ │ ├── Environment variable enriching.kql │ │ │ └── View data ingested by completed jobs.kql │ │ ├── Diagnostics │ │ │ ├── Image inventory.kql │ │ │ ├── Instances Avg CPU usage growth from last week.kql │ │ │ ├── Kubernetes events.kql │ │ │ └── Prometheus disk read per second per node.kql │ │ ├── Performance │ │ │ ├── Avg node CPU usage percentage per minute.kql │ │ │ ├── Avg node memory usage percentage per minute.kql │ │ │ ├── Container CPU.kql │ │ │ ├── Container memory.kql │ │ │ └── Maximum node disk.kql │ │ └── README │ └── Workbooks │ │ ├── README.md 
│ │ ├── armTemplates │ │ └── AzureKubernetes.json │ │ └── galleryTemplates │ │ └── AzureKubernetes.json ├── Log Analytics workspaces │ ├── Alerts │ │ └── README │ ├── Queries │ │ ├── Audit │ │ │ ├── Most Requested ResourceIds.kql │ │ │ ├── Request Count by ResponseCode.kql │ │ │ ├── Throttled Users.kql │ │ │ ├── Top 10 longest time range queries.kql │ │ │ ├── Top 10 resource intensive queries.kql │ │ │ └── Unauthorized Users.kql │ │ ├── README │ │ └── Usage │ │ │ ├── Most used tables.kql │ │ │ ├── Number of queries run over a set time frame.kql │ │ │ ├── Top 10 users by tables access.kql │ │ │ ├── Top 10 users by total access.kql │ │ │ └── Users who ran queries.kql │ └── Workbooks │ │ └── Workspace Audit.json ├── Logic Apps │ ├── Alerts │ │ └── README │ ├── Queries │ │ ├── Costing │ │ │ └── Total billable executions.kql │ │ ├── Diagnostics │ │ │ ├── Logic App execution distribution by status.kql │ │ │ └── Logic App execution distribution by workflows.kql │ │ ├── Errors │ │ │ └── Triggered failuers count.kql │ │ └── README │ └── Workbooks │ │ ├── README │ │ ├── armTemplates │ │ └── template.json │ │ └── galleryTemplates │ │ └── template.json ├── Network Watcher - Connection Monitor │ ├── Alerts │ │ └── README │ ├── Queries │ │ ├── Audit │ │ │ ├── Connection_monitor_status.kql │ │ │ └── Failed tests.kql │ │ ├── Diagnostics │ │ │ └── Path diagnostics.kql │ │ ├── Performance │ │ │ └── Tests performance.kql │ │ └── README │ └── Workbooks │ │ ├── README │ │ └── galleryTemplate │ │ └── ConnectioMonitorStatus │ │ ├── connectionMonitorStatus.png │ │ └── workbook.json ├── Network Watcher │ ├── Alerts │ │ └── README │ ├── Queries │ │ ├── README │ │ └── Traffic Analytics │ │ │ ├── Inactive NSG Rules.txt │ │ │ └── Inactive Rule Count per Active NSG.txt │ └── Workbooks │ │ ├── NSG Flow Log │ │ ├── NSG Flow Log Analysis.workbook │ │ └── readme.md │ │ ├── README │ │ └── Traffic Analytics │ │ └── Inactive NSG Rules Analysis.workbook ├── Power Platform │ └── Power Automate │ │ ├── 
Dashboards │ │ └── README.md │ │ ├── Queries │ │ └── Analytics │ │ │ ├── Cloud flow runs with direct link to flow run.kql │ │ │ ├── Cloud flows in use.kql │ │ │ ├── Failed cloud flows.kql │ │ │ ├── Summary of flow runs statuses.kql │ │ │ └── Types of cloud flows in use.kql │ │ └── Workbooks │ │ ├── Microsoft Power Automate Analytics Runs Workbook.workbook │ │ ├── Microsoft Power Automate Analytics Usage Workbook.workbook │ │ ├── Microsoft Power Automate Analytics Workbook.workbook │ │ └── Microsoft Power Automate Performance Workbook.workbook ├── Recovery Services vaults │ ├── Alerts │ │ └── README │ ├── Queries │ │ ├── Backup Items │ │ │ └── Backup Items by Vault and Backup item type.kql │ │ ├── Backup Settings Changes │ │ │ ├── Backup Items with Protection Status modified.kql │ │ │ └── Policies with retention duration modified.kql │ │ ├── Jobs │ │ │ ├── All Failed Jobs.kql │ │ │ ├── All Successful Jobs.kql │ │ │ ├── Distribution of Backup Jobs by Status.kql │ │ │ └── Distribution of Restore Jobs by Status.kql │ │ ├── README │ │ └── Usage │ │ │ ├── Cloud Storage Consumed per Backup Item.kql │ │ │ └── Trend of total Cloud Storage consumed.kql │ └── Workbooks │ │ ├── Backup Configuration Status │ │ └── Backup Configuration Status.workbook │ │ ├── Backup Job History │ │ └── Backup Job History.workbook │ │ ├── Backup Schedule and Retention │ │ └── Backup Schedule and Retention.workbook │ │ ├── FAQ │ │ ├── Backup Instances Shown │ │ │ └── Backup Instances Shown.workbook │ │ ├── Customize ARG Queries │ │ │ └── Customize ARG Queries.workbook │ │ ├── Customize LA Queries │ │ │ └── Customize LA Queries.workbook │ │ ├── Export as Excel │ │ │ └── Export as Excel.workbook │ │ ├── Resources Shown │ │ │ └── Resources Shown.workbook │ │ ├── Reuse a View │ │ │ └── Reuse a View.workbook │ │ ├── Troubleshoot │ │ │ └── Troubleshoot.workbook │ │ ├── VMs Shown │ │ │ └── VMs Shown.workbook │ │ └── Vaults Shown │ │ │ └── Vaults Shown.workbook │ │ ├── README │ │ ├── 
SiteRecoveryWorkbook.json │ │ └── User Triggered Operations │ │ └── User Triggered Operations.workbook ├── SQL Servers │ ├── Alerts │ │ └── README │ ├── Queries │ │ ├── Diagnostics │ │ │ ├── Loading Data.kql │ │ │ └── Wait stats.kql │ │ └── Performance │ │ │ ├── Avg CPU usage.kql │ │ │ └── Performance troubleshooting.kql │ └── Workbooks │ │ └── README ├── SQL databases │ ├── Alerts │ │ └── README │ ├── Queries │ │ ├── Diagnostics │ │ │ ├── Loading Data.kql │ │ │ └── Wait stats.kql │ │ ├── Performance │ │ │ ├── Avg CPU usage.kql │ │ │ └── Performance troubleshooting.kql │ │ └── README │ └── Workbooks │ │ ├── ADS │ │ ├── ADS.PNG │ │ ├── readme.md │ │ └── workbook.json │ │ ├── README │ │ └── galleryTemplate │ │ └── sql.json ├── SQL managed instances │ ├── Alerts │ │ └── README │ ├── Queries │ │ ├── Intelligent insights │ │ │ ├── Display all active intelligent insights.kql │ │ │ └── Workload continously hitting CPU limits.kql │ │ ├── README │ │ └── Utilization │ │ │ ├── CPU utilization threshold above 95 on managed instances.kql │ │ │ └── Storage on managed instances above 90.kql │ └── Workbooks │ │ └── README ├── Service Bus │ ├── Alerts │ │ └── README │ ├── Queries │ │ ├── Diagnostics │ │ │ ├── Keyvault access attempt key not found.kql │ │ │ └── Management operations in the last 7 days.kql │ │ ├── Errors │ │ │ └── Errors summary.kql │ │ ├── README │ │ ├── Security │ │ │ └── Keyvault performed operational.kql │ │ └── Usage │ │ │ └── AutoDeleted entities.kql │ └── Workbooks │ │ ├── README │ │ └── Service Bus Overview.workbook ├── Storage accounts │ ├── Alerts │ │ └── README │ ├── Queries │ │ ├── Audit │ │ │ ├── Frequent operations chart.kql │ │ │ └── Show anonymous requests.kql │ │ ├── Errors │ │ │ ├── Most common errors.kql │ │ │ ├── Operations causing most errors.kql │ │ │ └── Operations causing server side throttling.kql │ │ ├── Performance │ │ │ └── Operations with the highest latency.kql │ │ └── README │ └── Workbooks │ │ └── README ├── Stream Analytics jobs │ ├── 
Alerts │ │ └── README │ ├── Queries │ │ ├── Input data Errors │ │ │ ├── Events that arrived early.kql │ │ │ ├── Events that arrived late.kql │ │ │ ├── Events that arrived out of order.kql │ │ │ ├── List all InvalidInputTimeStamp errors.kql │ │ │ ├── List all InvalidInputTimeStampKey errors.kql │ │ │ ├── List all input data errors.kql │ │ │ └── List all input deserialization errors.kql │ │ ├── Other errors and failures │ │ │ ├── All logs with level Error.kql │ │ │ ├── Operations that have Failed.kql │ │ │ ├── Output Throttling logs Cosmos DB Power BI Event Hubs.kql │ │ │ ├── Summary of Failed operations in the last 7 days.kql │ │ │ ├── Summary of all data errors in the last 7 days.kql │ │ │ ├── Summary of all errors in the last 7 days.kql │ │ │ └── Transient input and output errors.kql │ │ ├── Output data errors │ │ │ ├── All output data errors.kql │ │ │ ├── List all ColumnNameInvalid errors.kql │ │ │ ├── List all DuplicateKey errors.kql │ │ │ ├── List all RecordExceededSizeLimit errors.kql │ │ │ ├── List all RequiredColumnMissing errors.kql │ │ │ └── List all TypeConversionError errors.kql │ │ └── README │ └── Workbooks │ │ └── README ├── Traffic Manager profiles │ ├── Alerts │ │ └── README │ ├── Queries │ │ ├── Diagnostics │ │ │ └── Endpoints with monitoring Status down.kql │ │ └── README │ └── Workbooks │ │ └── README ├── Virtual Network Gateways │ ├── Alerts │ │ └── README │ ├── Queries │ │ ├── Diagnostics │ │ │ ├── BGP route updates.kql │ │ │ ├── Failed P2S connections.kql │ │ │ ├── Gateway configuration changes.kql │ │ │ ├── IKE log events.kql │ │ │ ├── S2S tunnel connect and disconnect events.kql │ │ │ └── Successful P2S connections.kql │ │ ├── Performance │ │ │ ├── Gateway throughput.kql │ │ │ ├── P2S bandwidth utilization.kql │ │ │ └── P2S connection count.kql │ │ ├── README │ │ └── VPN Gateway │ │ │ ├── BGP route updates.kql │ │ │ ├── Failed P2S connections.kql │ │ │ ├── Gateway configuration changes.kql │ │ │ ├── Gateway throughput.kql │ │ │ ├── P2S 
bandwidth utilization.kql │ │ │ ├── P2S connection count.kql │ │ │ ├── S2S tunnel connetdisconnect events.kql │ │ │ └── Successful P2S connections.kql │ └── Workbooks │ │ └── README ├── Virtual Network │ ├── Alerts │ │ └── readme.md │ ├── Queries │ │ └── readme.md │ └── Workbooks │ │ └── Virtual Network list │ │ ├── README.md │ │ └── Virtual Network List.workbook ├── Virtual machine scale sets │ ├── Alerts │ │ └── README │ ├── Queries │ │ ├── Availability │ │ │ └── Track VM Availability using Heartbeat.kql │ │ ├── Performance │ │ │ ├── Bottom 10 Free disk space .kql │ │ │ ├── Chart CPU usage trends by computer.kql │ │ │ ├── Logical disk space below threshold.kql │ │ │ ├── Top 10 Virtual Machines by CPU utilization.kql │ │ │ ├── Virtual Machine available memory.kql │ │ │ ├── Virtual Machine free disk space.kql │ │ │ └── What data is being collected.kql │ │ └── README │ └── Workbooks │ │ └── README ├── Virtual machines │ ├── Alerts │ │ ├── Check running process by name.kql │ │ └── README │ ├── Queries │ │ ├── Availability │ │ │ ├── Not reporting VMs.kql │ │ │ ├── Shut down Virtual Machines.kql │ │ │ └── Track VM availability.kql │ │ ├── Diagnostics │ │ │ ├── Automatic update configuration is disabled.kql │ │ │ ├── Automatic update configuration.kql │ │ │ ├── Computer with missing updates.kql │ │ │ ├── Distinct missing updates cross computers.kql │ │ │ ├── Find Linux kernel events.kql │ │ │ ├── Malware detection.kql │ │ │ ├── Missing critical security updates.kql │ │ │ ├── Missing required updates for server.kql │ │ │ ├── Missing security or critical where update is manual.kql │ │ │ ├── Missing update rollups.kql │ │ │ ├── Missing update specific product.kql │ │ │ ├── Protection Status updates.kql │ │ │ ├── Search in multiple tables.kql │ │ │ ├── Show the trend of a selected event.kql │ │ │ ├── Signatures out of date.kql │ │ │ ├── Stopped Windows services.kql │ │ │ └── Using wildcards.kql │ │ ├── Errors │ │ │ ├── Error event on computer missing security co critical 
update.kql │ │ │ └── Reported errors.kql │ │ ├── Performance │ │ │ ├── Bottom 10 Free disk space .kql │ │ │ ├── Chart CPU usage trends.kql │ │ │ ├── Logical disk space below threshold.kql │ │ │ ├── Top 10 Virtual Machines by CPU utilization.kql │ │ │ ├── Virtual Machine available memory.kql │ │ │ ├── Virtual Machine free disk space.kql │ │ │ └── What data is being collected.kql │ │ ├── README │ │ └── Security │ │ │ ├── Linux failed logins.kql │ │ │ ├── Members added to security groups.kql │ │ │ ├── Missing security or critical updates.kql │ │ │ ├── Uses of clear text password.kql │ │ │ └── Windows failed logins.kql │ └── Workbooks │ │ ├── Antimalware Assessment.workbook │ │ ├── CPU Credits Remaining.workbook │ │ ├── Disk Space Report with Trend.workbook │ │ ├── LOG ANALITYCS GATEWAY.workbook │ │ ├── OMI Vulnerabilities - Rapid Check.workbook │ │ ├── SQL Server Audit.workbook │ │ ├── Syslog.workbook │ │ ├── Top processes on VMs with High CPU.workbook │ │ ├── Update Assessment.workbook │ │ ├── Virtual Machine Uptime.workbook │ │ ├── Virtual Machines - Vital Signs.workbook │ │ └── Windows event logs.workbook ├── Windows Virtual Desktop - Application groups │ ├── Alerts │ │ └── README │ ├── Queries │ │ ├── Errors │ │ │ ├── Connection Errors.kql │ │ │ ├── Top 10 Connection Errors.kql │ │ │ └── Top 10 Feed Errors.kql │ │ ├── README │ │ └── Usage │ │ │ └── Published applications used.kql │ └── Workbooks │ │ └── README ├── Windows Virtual Desktop - FSLogix │ └── Queries │ │ ├── Event log │ │ └── Eventlog Parsing.kql │ │ └── Performance │ │ ├── Profile Load Time by SessionHost.kql │ │ ├── Profile Load Time by User.kql │ │ └── Profile Load Time on specific hostpool.kql ├── Windows Virtual Desktop - Host pools │ ├── Alerts │ │ └── README │ ├── Queries │ │ ├── Errors │ │ │ ├── Connection Errors.kql │ │ │ ├── Top 10 Connection Errors.kql │ │ │ └── Top 10 Feed Errors.kql │ │ ├── Performance │ │ │ └── Average session logon time.kql │ │ ├── README │ │ └── Usage │ │ │ ├── Average 
Session Duration by hostpool.kql │ │ │ ├── Client OS.kql │ │ │ ├── Published applications used.kql │ │ │ ├── RD Client version.kql │ │ │ ├── Session duration.kql │ │ │ ├── Top 10 average session duration by user.kql │ │ │ └── Top 10 most active users.kql │ └── Workbooks │ │ └── README └── Windows Virtual Desktop - Workspaces │ ├── Alerts │ └── README │ ├── Queries │ ├── Errors │ │ ├── Connection Errors.kql │ │ ├── Top 10 Connection Errors.kql │ │ └── Top 10 Feed Errors.kql │ ├── README │ └── Usage │ │ └── Published applications used.kql │ └── Workbooks │ └── README ├── CODE_OF_CONDUCT.md ├── CONTRIBUTING.md ├── LICENSE ├── README.md ├── SECURITY.md ├── Scenarios ├── How to add a Workbook using Templates │ ├── ReadMe.md │ ├── withHelp.workbook │ ├── withHelpandTabs.workbook │ └── withHelpandTabsandGroups.workbook ├── How to analyze Azure diagnostics │ ├── Alerts │ │ └── README │ ├── Queries │ │ ├── Common categories in Azure diagnostics.kql │ │ ├── Errors in automation jobs.kql │ │ ├── Failed backup jobs.kql │ │ ├── Latest metrics.kql │ │ └── Network security events.kql │ └── Workbooks │ │ ├── AzureDisgnostics │ │ └── README ├── How to analyze VM availability across a workspace │ ├── Alerts │ │ └── README │ ├── Queries │ │ ├── Availability rate.kql │ │ ├── Computers availability today.kql │ │ ├── Last heartbeat of each computer.kql │ │ ├── List heartbeats.kql │ │ └── Unavailable computers.kql │ └── Workbooks │ │ └── README ├── How to analyze VM performance across a workspace │ ├── Alerts │ │ └── README │ ├── Queries │ │ ├── CPU usage trends over the last day.kql │ │ ├── Memory and CPU usage.kql │ │ ├── Top 10 computers with the highest disk space.kql │ │ └── What data is being collected.kql │ └── Workbooks │ │ └── README ├── How to analyze log ingestion and billing │ ├── Alerts │ │ └── README │ ├── Queries │ │ ├── Billable performance data.kql │ │ ├── Datatype consumed per specific Computer │ │ ├── Ingested volume spikes and slopes by Azure resource.kql │ │ ├── 
Ingestion volume spikes by Solution and data type.kql │ │ ├── Total workspace ingestion over the last 24 hours.kql │ │ ├── Total workspace ingestion volume timechart last day.kql │ │ ├── Usage by data types.kql │ │ └── Volume of solutions data.kql │ └── Workbooks │ │ └── AzureMonitorDataIngestionEstimation.json ├── How to evaluate LA agent and workspace health │ ├── Alerts │ │ └── README │ ├── Queries │ │ ├── Agent latency spikes Heartbeat table.kql │ │ ├── Agent latency spikes by data type.kql │ │ ├── Ingestion latency endtoend spikes Heartbeat table.kql │ │ ├── Ingestion latency endtoend spikes by data type.kql │ │ ├── Ingestion latency endtoend timechart Event table.kql │ │ └── Total agent latency timechart last day.kql │ └── Workbooks │ │ └── README ├── How to extract the Resource Group ID and subscription from _ResourceId │ └── Queries │ │ └── ExtractExamples.kql ├── How to get insights into App Control (WDAC) events │ ├── DCR-WDAC.json │ ├── picture │ │ └── LogAnalytics.png │ ├── readme.md │ └── workbook.json ├── How to prepare for migration from MMA to AMA │ └── Workbooks │ │ ├── AzureMonitorAgentExtensionStatus.json │ │ └── readme.md └── How to run search queries │ ├── Alerts │ └── README │ ├── Queries │ ├── Run a casesensitive search.kql │ ├── Search a table for a specific term.kql │ ├── Search a term through all logs.kql │ ├── Search in multiple tables.kql │ ├── Search multiple terms.kql │ └── Show latest logs from all tables.kql │ └── Workbooks │ └── README └── Solutions ├── ADAssessment ├── Alerts │ └── README ├── Queries │ ├── Diagnostics │ │ ├── AD Recommendations by AffectedObjectType.kql │ │ ├── AD Recommendations by Computer.kql │ │ ├── AD Recommendations by Domain.kql │ │ ├── AD Recommendations by DomainController.kql │ │ ├── AD Recommendations by Focus Area.kql │ │ ├── AD Recommendations by Forest.kql │ │ └── How many times did each unique AD Recommendation trigger.kql │ └── Security │ │ └── High priority AD Assessment security 
recommendations.kql └── Workbooks │ └── README ├── ChangeTracking ├── Alerts │ └── README ├── Queries │ └── Diagnostics │ │ ├── All configuration changes.kql │ │ ├── Recent stopped auto services.kql │ │ ├── Removed software changes.kql │ │ ├── Service changes.kql │ │ ├── Software change count per category.kql │ │ ├── Software change type per computer.kql │ │ ├── Software changes.kql │ │ └── Stopped services.kql └── Workbooks │ └── README ├── ContainerInsights ├── Alerts │ └── README ├── Queries │ └── Costing │ │ └── Container Insight solution billable data.kql └── Workbooks │ └── README ├── DnsAnalytics ├── Alerts │ └── README ├── Queries │ └── Security │ │ └── Distinct Clients Resolving Malicious Domains.kql └── Workbooks │ └── README ├── LogManagement ├── Alerts │ └── README ├── Queries │ ├── Diagnostics │ │ ├── All Events in the past hour.kql │ │ ├── All Syslog by facility.kql │ │ ├── All Syslog by process name.kql │ │ ├── All Syslog.kql │ │ ├── Computers restartsshutdowns.kql │ │ ├── Count IIS log entries by HTTP request method.kql │ │ ├── Count IIS log entries by client IP address.kql │ │ ├── Count of IIS log entries by URL.kql │ │ ├── Count of IIS log entries by host.kql │ │ ├── Count of warning events.kql │ │ ├── Display breakdown respond codes.kql │ │ ├── Events by event ID.kql │ │ ├── Events by event source.kql │ │ ├── Events in OM between 2000 to 3000.kql │ │ ├── Events started.kql │ │ ├── IIS log entries for client IP.kql │ │ ├── List IIS log entries.kql │ │ ├── Show 404 pages list.kql │ │ ├── Warning events.kql │ │ ├── Windows Firewall policy settings changed by machines.kql │ │ └── Windows Firewall policy settings.kql │ ├── Errors │ │ ├── All Syslog with errors.kql │ │ └── Servers with internal server error.kql │ ├── Performance │ │ ├── Average HTTP request time by client IP.kql │ │ ├── Average HTTP request time.kql │ │ └── Maximum time taken for each page.kql │ └── Usage │ │ ├── Bytes received by each IIS computer.kql │ │ ├── Bytes responded to 
clients by each IIS server IP.kql │ │ ├── Count IIS log entries by HTTP user agent.kql │ │ └── Total bytes traffic by client IP.kql └── Workbooks │ └── README ├── LogicAppB2B ├── Alerts │ └── README ├── Queries │ ├── AS2 Message │ │ ├── Failed AS2 Messages by Receive Partner.kql │ │ ├── Failed AS2 Messages by Send Partner.kql │ │ └── Failed AS2 Messages by Workflow.kql │ └── X12 Message │ │ ├── Failed X12 Messages by Receive Partner.kql │ │ ├── Failed X12 Messages by Send Partner.kql │ │ └── Failed X12 Messages by Workflow.kql └── Workbooks │ └── README ├── SAP-SCP-Monitoring ├── Alerts │ └── README ├── CPI-monitor-Az-overview.png ├── Queries │ └── README ├── README.md ├── Workbooks │ └── Az-Monitor-SAP-CPI-Workbook.json └── az-moni-workbook.png ├── SQLAssessment ├── Alerts │ └── README ├── Queries │ ├── Diagnostics │ │ ├── How many times did each unique SQL Recommendation trigger.kql │ │ ├── SQL Recommendations by AffectedObjectType.kql │ │ ├── SQL Recommendations by Computer.kql │ │ ├── SQL Recommendations by Database.kql │ │ ├── SQL Recommendations by Focus Area.kql │ │ └── SQL Recommendations by Instance.kql │ └── Security │ │ └── High priority SQL Assessment recommendations.kql └── Workbooks │ └── README ├── SecurityInsights ├── Alerts │ └── README ├── Queries │ ├── Security logon │ │ ├── Accounts Failed to Logon.kql │ │ ├── Computers With Failed Ssh Logons.kql │ │ ├── Computers With Failed Su Logons.kql │ │ ├── Computers With Failed Sudo Logons.kql │ │ ├── Computers With Guest Account Logons.kql │ │ ├── Logon Activity by Account.kql │ │ ├── Logon Activity by Device With More Than 10 Logons.kql │ │ ├── Logon Activity by Device.kql │ │ ├── Logon Activity for Users With 5 times Activity.kql │ │ ├── Logons With Clear Text Password.kql │ │ └── Remoted Logged Accounts on Devices.kql │ └── Security │ │ ├── Accounts Who Terminated Microsoft Antimalware.kql │ │ ├── All Security Activities.kql │ │ ├── Change or Reset Passwords Attempts.kql │ │ ├── Computers With 
Cleaned Event Logs.kql │ │ ├── Computers With Failed Linux User Password Change.kql │ │ ├── Computers With New Linux Group Created.kql │ │ ├── Computers With System Audit Policy Changes.kql │ │ ├── Computers With Users Added to Linux Group.kql │ │ ├── Devices Where Hash Was Executed.kql │ │ ├── Devices Where The Microsoft Antimalware Process Terminated.kql │ │ ├── Devices With Security Log Cleared.kql │ │ ├── Distinct Malicious IP Addresses Accessed.kql │ │ ├── Domain Security Policy Changes.kql │ │ ├── Groups Created or Modified.kql │ │ ├── Locked Accounts.kql │ │ ├── Members Added to Security Enabled Groups.kql │ │ ├── Process Names Executed.kql │ │ ├── Remote Procedure Call Attempts.kql │ │ ├── Security Activities on the Device for Admin.kql │ │ ├── Security Activities on the Device.kql │ │ ├── Suspicious Executables.kql │ │ └── User Accounts Changed.kql └── Workbooks │ └── README ├── ServiceDesk ├── Alerts │ └── README ├── Queries │ └── Usage │ │ ├── All incidents created today.kql │ │ ├── All incidents.kql │ │ ├── All security incidents.kql │ │ ├── All work items created today.kql │ │ └── All work items.kql └── Workbooks │ └── README ├── SurfaceHub ├── Alerts │ └── README ├── Queries │ ├── Diagnostics │ │ ├── Hardware Alert.kql │ │ └── Hardware Minor.kql │ └── Error │ │ ├── Cleanup Failure.kql │ │ ├── Exchange Error.kql │ │ ├── Skype Error.kql │ │ └── Software Alert.kql └── Workbooks │ └── README ├── WaaSUpdateInsights ├── Alerts │ └── README ├── Queries │ ├── Diagnostics │ │ ├── Devices pending reboot to complete update.kql │ │ ├── Distribution of device OS Edition.kql │ │ ├── Distribution of device Servicing Branch.kql │ │ ├── Feature Update Deferral Configurations.kql │ │ ├── Feature Update Pause Configurations.kql │ │ ├── Quality Update Deferral Configurations.kql │ │ ├── Quality Update Pause Configurations.kql │ │ └── Update deployment failures.kql │ └── Errors │ │ ├── Devices with a Safeguard Hold.kql │ │ └── Target build distribution of devices with a 
safeguard hold.kql └── Workbooks │ └── README └── WireData2 ├── Alerts └── README ├── Queries └── Diagnostics │ ├── Agents that provide wire data.kql │ ├── All Outbound communications by Remote IP Address.kql │ ├── Amount of Network Traffic by Process.kql │ ├── Bytes received by Protocol Name.kql │ ├── Bytes sent by Application Protocol.kql │ ├── IP Addresses of the agents providing wire data.kql │ ├── Processes that initiated or received network traffic.kql │ ├── Remote IP addresses that have communicated with agents on the subnet 100008 any direction.kql │ └── Total bytes by IP version.kql └── Workbooks └── README
/Azure Services/API Management services/Alerts/README:
--------------------------------------------------------------------------------
1 | Put alerts in this folder
--------------------------------------------------------------------------------
/Azure Services/API Management services/Queries/Diagnostics/Client TLS versions.kql:
--------------------------------------------------------------------------------
1 | // Author: Microsoft Azure
2 | // Display name: Client TLS versions
3 | // Description: Breakdown of client TLS versions in the last 24 hours.
4 | // Categories: Azure Resources
5 | // Resource types: API Management services
6 | // Topic: Diagnostics
7 | 
8 | // Number of gateway requests per negotiated client TLS version, split per APIM resource.
9 | // Security review: run this BEFORE raising the gateway's minimum TLS version -- every request
10 | // counted under a legacy version (TLS 1.0/1.1) is a caller that will start failing once that
11 | // version is disabled, so those callers should be found and migrated first, not discovered afterwards.
12 | ApiManagementGatewayLogs
13 | | where TimeGenerated > ago(1d)
14 | | summarize count(CorrelationId) by ClientTlsVersion, _ResourceId
--------------------------------------------------------------------------------
/Azure Services/API Management services/Queries/Errors/Error reasons breakdown.kql:
--------------------------------------------------------------------------------
1 | // Author: Microsoft Azure
2 | // Display name: Error reasons breakdown
3 | // Description: Breakdown of all error reasons in the last 24 hours.
4 | // Categories: Azure Resources 5 | // Resource types: API Management services 6 | // Topic: Errors 7 | 8 | ApiManagementGatewayLogs 9 | | where TimeGenerated > ago(1d) 10 | | where IsRequestSuccess == false 11 | | summarize count(CorrelationId) by LastErrorReason, _ResourceId -------------------------------------------------------------------------------- /Azure Services/API Management services/Queries/Errors/Get failed requests due to issues related to the backend.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Get failed requests due to issues related to the backend 3 | // Description: Get the logs of failed requests due to backend issues. 4 | // Categories: Azure Resources 5 | // Resource types: API Management services 6 | // Topic: Errors 7 | 8 | ApiManagementGatewayLogs 9 | | where TimeGenerated > ago(1d) 10 | | where IsRequestSuccess == false 11 | | where BackendResponseCode >= 400 -------------------------------------------------------------------------------- /Azure Services/API Management services/Queries/Errors/Last 100 failed requests.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Last 100 failed requests 3 | // Description: Get the logs of the last 100 failed requests. 
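4 | // Categories: Azure Resources
5 | // Resource types: API Management services
6 | // Topic: Errors
7 | 
8 | // The 100 most recent failed gateway requests (IsRequestSuccess == false with an error status code).
9 | ApiManagementGatewayLogs
10 | | where TimeGenerated > ago(1d)
11 | | where IsRequestSuccess == false
12 | // The status-code filter must run BEFORE `top`. The original applied it after `top 100`, which
13 | // filtered an already-truncated set and silently returned fewer than 100 rows (possibly none)
14 | // whenever recent failures carried a status below 400.
15 | | where ResponseCode >= 400
16 | | top 100 by TimeGenerated desc
--------------------------------------------------------------------------------
/Azure Services/API Management services/Queries/Latency/Backend latency.kql:
--------------------------------------------------------------------------------
1 | // Author: Microsoft Azure
2 | // Display name: Backend latency
3 | // Description: Statistics of time (in milliseconds) spent in backend IO.
4 | // Categories: Azure Resources
5 | // Resource types: API Management services
6 | // Topic: Latency
7 | 
8 | // Average, median and p90 of BackendTime per 15-minute bin over the last day.
9 | // NOTE: not keyed by _ResourceId -- when the query scope spans several APIM resources their samples are merged into one series.
10 | ApiManagementGatewayLogs
11 | | where TimeGenerated > ago(1d)
12 | | summarize Average=avg(BackendTime), Median=percentile(BackendTime, 50), 90th_Percentile=percentile(BackendTime, 90) by bin(TimeGenerated, 15m)
13 | | render timechart
--------------------------------------------------------------------------------
/Azure Services/API Management services/Queries/Latency/Client latency.kql:
--------------------------------------------------------------------------------
1 | // Author: Microsoft Azure
2 | // Display name: Client latency
3 | // Description: Statistics of time (in milliseconds) spent in client IO.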
4 | // Categories: Azure Resources 5 | // Resource types: API Management services 6 | // Topic: Latency 7 | 8 | ApiManagementGatewayLogs 9 | | where TimeGenerated > ago(1d) 10 | | summarize Average=avg(ClientTime), Median=percentile(ClientTime, 50), 90th_Percentile=percentile(ClientTime, 90) by bin(TimeGenerated, 15m) 11 | | render timechart -------------------------------------------------------------------------------- /Azure Services/API Management services/Queries/Performance/Bandwidth consumed.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Bandwidth consumed 3 | // Description: Total bandwidth consumed in the last 24 hours. 4 | // Categories: Azure Resources 5 | // Resource types: API Management services 6 | // Topic: Performance 7 | 8 | ApiManagementGatewayLogs 9 | | where TimeGenerated > ago(1d) 10 | | extend bandwidth = RequestSize + ResponseSize 11 | | summarize sum(bandwidth) by bin(TimeGenerated, 15m), _ResourceId 12 | | render timechart -------------------------------------------------------------------------------- /Azure Services/API Management services/Queries/README: -------------------------------------------------------------------------------- 1 | Put queries in this folder -------------------------------------------------------------------------------- /Azure Services/API Management services/Queries/Usage/Logs of the last 100 calls.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Logs of the last 100 calls 3 | // Description: Get the logs of the most recent 100 calls in the last 24 hours. 
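4 | // Categories: Azure Resources
5 | // Resource types: API Management services
6 | // Topic: Usage
7 | 
8 | // The 100 most recent gateway calls from the last 24 hours.
9 | ApiManagementGatewayLogs
10 | // Bound the scan to the window the description promises. Without this filter (as originally written)
11 | // the 100 rows came from whatever time range the caller happened to select, and the query scanned
12 | // the whole range just to keep 100 rows.
13 | | where TimeGenerated > ago(1d)
14 | | top 100 by TimeGenerated desc
--------------------------------------------------------------------------------
/Azure Services/API Management services/Queries/Usage/Number of calls by APIs.kql:
--------------------------------------------------------------------------------
1 | // Author: Microsoft Azure
2 | // Display name: Number of calls by APIs
3 | // Description: View the number of calls per API in the last 24 hours.
4 | // Categories: Azure Resources
5 | // Resource types: API Management services
6 | // Topic: Usage
7 | 
8 | // Calls by API ID
9 | // NOTE: keyed by ApiId only -- unlike "Number of requests" there is no _ResourceId key, so counts
10 | // for the same ApiId are merged when the query scope spans several APIM resources.
11 | ApiManagementGatewayLogs
12 | | where TimeGenerated > ago(1d)
13 | | summarize count(CorrelationId) by ApiId
--------------------------------------------------------------------------------
/Azure Services/API Management services/Queries/Usage/Number of requests.kql:
--------------------------------------------------------------------------------
1 | // Author: Microsoft Azure
2 | // Display name: Number of requests
3 | // Description: Count the total number of calls across all APIs in the last 24 hours.
4 | // Categories: Azure Resources
5 | // Resource types: API Management services
6 | // Topic: Usage
7 | 
8 | // Total number of calls per resource
9 | ApiManagementGatewayLogs
10 | | where TimeGenerated > ago(1d)
11 | | summarize count(CorrelationId) by _ResourceId
--------------------------------------------------------------------------------
/Azure Services/API Management services/Queries/Usage/Request sizes.kql:
--------------------------------------------------------------------------------
1 | // Author: Microsoft Azure
2 | // Display name: Request sizes
3 | // Description: Statistics of request sizes in the last 24 hours.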
4 | // Categories: Azure Resources 5 | // Resource types: API Management services 6 | // Topic: Usage 7 | 8 | ApiManagementGatewayLogs 9 | | where TimeGenerated > ago(1d) 10 | | summarize Average=avg(RequestSize), Median=percentile(RequestSize, 50), 90th_Percentile=percentile(RequestSize, 90) by bin(TimeGenerated, 5m) 11 | | render timechart -------------------------------------------------------------------------------- /Azure Services/API Management services/Queries/Usage/Response sizes.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Response sizes 3 | // Description: Statistics of response sizes in the last 24 hours. 4 | // Categories: Azure Resources 5 | // Resource types: API Management services 6 | // Topic: Usage 7 | 8 | ApiManagementGatewayLogs 9 | | where TimeGenerated > ago(1d) 10 | | summarize Average=avg(ResponseSize), Median=percentile(ResponseSize, 50), 90th_Percentile=percentile(ResponseSize, 90) by bin(TimeGenerated, 5m) 11 | | render timechart -------------------------------------------------------------------------------- /Azure Services/API Management services/Workbooks/README: -------------------------------------------------------------------------------- 1 | Put workbooks in this folder -------------------------------------------------------------------------------- /Azure Services/App Services/Alerts/README: -------------------------------------------------------------------------------- 1 | Put alerts in this folder -------------------------------------------------------------------------------- /Azure Services/App Services/Queries/App Logs/App logs for each App Service.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: App logs for each App Service 3 | // Description: Breakdown of log levels for each App Service. 
4 | // Categories: Azure Resources 5 | // Resource types: App Services 6 | // Topic: App Logs 7 | 8 | AppServiceAppLogs 9 | | project CustomLevel, _ResourceId 10 | | summarize count() by CustomLevel, _ResourceId -------------------------------------------------------------------------------- /Azure Services/App Services/Queries/App Logs/Count app logs by severity.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Count app logs by severity 3 | // Description: Bar chart of app log severities over time. 4 | // Categories: Azure Resources 5 | // Resource types: App Services 6 | // Topic: App Logs 7 | 8 | AppServiceAppLogs 9 | | summarize count() by CustomLevel, bin(TimeGenerated, 1h), _ResourceId 10 | | render barchart -------------------------------------------------------------------------------- /Azure Services/App Services/Queries/App Logs/Show application logs from Function Apps.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Show application logs from Function Apps 3 | // Description: A list of application logs, sorted by time (latest logs shown first). 4 | // Categories: Azure Resources,Applications 5 | // Resource types: App Services 6 | // Topic: App Logs 7 | 8 | FunctionAppLogs 9 | | project TimeGenerated, HostInstanceId, Message, _ResourceId 10 | | sort by TimeGenerated desc -------------------------------------------------------------------------------- /Azure Services/App Services/Queries/App Logs/Show logs with warnings or exceptions.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Show logs with warnings or exceptions 3 | // Description: A list of logs which contain warnings or exceptions (latest logs shown first). 
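4 | // Categories: Azure Resources,Applications
5 | // Resource types: App Services
6 | // Topic: App Logs
7 | 
8 | // Function App log lines at Warning or Error level, newest first.
9 | FunctionAppLogs
10 | | where Level in ("Warning", "Error")
11 | | project TimeGenerated, HostInstanceId, Level, Message, _ResourceId
12 | | sort by TimeGenerated desc
--------------------------------------------------------------------------------
/Azure Services/App Services/Queries/Audit Logs/Audit Logs relating to unexpected users.kql:
--------------------------------------------------------------------------------
1 | // Author: Microsoft Azure
2 | // Display name: Audit Logs relating to unexpected users
3 | // Description: List Audit Logs for users who logged in that aren't a listed user.
4 | // Categories: Azure Resources
5 | // Resource types: App Services
6 | // Topic: Audit Logs
7 | 
8 | // Allow-list of accounts that are expected to sign in. Replace the placeholder and add one entry
9 | // per account; every audit record whose user is not in this list is returned for review.
10 | // The original compared against a single hard-coded user with a case-sensitive `!=`, so a second
11 | // legitimate account or a differently-cased spelling of the same account was reported as unexpected.
12 | let ExpectedUsers = dynamic(["user@company.com"]);
13 | AppServiceAuditLogs
14 | // !in~ is case-insensitive and accepts the whole list.
15 | | where UserDisplayName !in~ (ExpectedUsers)
16 | // NOTE(review): UserDisplayName is a display name, not a stable principal identifier. If the table
17 | // in your workspace exposes the raw user/principal column, match on that instead -- confirm.
18 | | sort by TimeGenerated desc
--------------------------------------------------------------------------------
/Azure Services/App Services/Queries/Audit Logs/File Audit Logs relating to a Delete operation.kql:
--------------------------------------------------------------------------------
1 | // Author: Microsoft Azure
2 | // Display name: File Audit Logs relating to a "Delete" operation
3 | // Description: List File Audit Logs that have a "Delete" operation.
4 | // Categories: Azure Resources
5 | // Resource types: App Services
6 | // Topic: Audit Logs
7 | 
8 | AppServiceFileAuditLogs
9 | | where OperationName == "Delete"
--------------------------------------------------------------------------------
/Azure Services/App Services/Queries/Azure Metrics/Pie chart of HTTP response codes.kql:
--------------------------------------------------------------------------------
1 | // Author: Microsoft Azure
2 | // Display name: Pie chart of HTTP response codes
3 | // Description: Breakdown of response codes for each metric, over the last 12 hours.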
4 | // Categories: Azure Resources 5 | // Resource types: App Services 6 | // Topic: Azure Metrics 7 | 8 | AzureMetrics 9 | | where TimeGenerated > ago(12h) 10 | | where MetricName in ("Http2xx", "Http3xx", "Http4xx", "Http5xx") 11 | | summarize sum(Total) by MetricName 12 | | render piechart -------------------------------------------------------------------------------- /Azure Services/App Services/Queries/Console logs/Find console logs relating to application startup.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Find console logs relating to application startup 3 | // Description: List console logs that contain the term "starting". 4 | // Categories: Azure Resources 5 | // Resource types: App Services 6 | // Topic: Console Logs 7 | 8 | AppServiceConsoleLogs 9 | | where tolower(ResultDescription) contains "starting" -------------------------------------------------------------------------------- /Azure Services/App Services/Queries/Incoming requests/App Service Health.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: App Service Health 3 | // Description: Time series of App Service Health (over 5 minute intervals). 4 | // Categories: Azure Resources 5 | // Resource types: App Services 6 | // Topic: Incoming requests 7 | 8 | AppServiceHTTPLogs 9 | | summarize (count() - countif(ScStatus >= 500)) * 100.0 / count() by bin(TimeGenerated, 5m), _ResourceId 10 | | render timechart -------------------------------------------------------------------------------- /Azure Services/App Services/Queries/Incoming requests/Failure Categorization.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Failure Categorization 3 | // Description: Categorize all requests which resulted in 5xx. 
4 | // Categories: Azure Resources
5 | // Resource types: App Services
6 | // Topic: Incoming requests
7 | 
8 | // Clusters every 5xx request by a "METHOD:\uri-stem" key so recurring failing endpoints surface as one row.
9 | AppServiceHTTPLogs
10 | //| where _ResourceId == "MyResourceId" // Uncomment to scope to one App when querying over a group of Apps.
11 | //   (Corrected from `ResourceId = ...`: the column is _ResourceId, as in the sibling queries, and KQL equality is `==`; the old line would not have parsed once uncommented.)
12 | | where ScStatus >= 500
13 | // ':\\' is the two characters :\ -- the key is the HTTP method, a ":\" separator and the URI stem.
14 | | reduce by strcat(CsMethod, ':\\', CsUriStem)
--------------------------------------------------------------------------------
/Azure Services/App Services/Queries/Incoming requests/Response times of requests.kql:
--------------------------------------------------------------------------------
1 | // Author: Microsoft Azure
2 | // Display name: Response times of requests
3 | // Description: Avg & 90, 95 and 99 percentile response times (in milliseconds) per App Service.
4 | // Categories: Azure Resources
5 | // Resource types: App Services
6 | // Topic: Incoming requests
7 | 
8 | // NOTE: no TimeGenerated filter -- the statistics cover whatever time range the query is run with.
9 | AppServiceHTTPLogs
10 | | summarize avg(TimeTaken), percentiles(TimeTaken, 90, 95, 99) by _ResourceId
--------------------------------------------------------------------------------
/Azure Services/App Services/Queries/Incoming requests/Top 5 Clients.kql:
--------------------------------------------------------------------------------
1 | // Author: Microsoft Azure
2 | // Display name: Top 5 Clients
3 | // Description: Top 5 clients which are generating traffic.
4 | // Categories: Azure Resources
5 | // Resource types: App Services
6 | // Topic: Incoming requests
7 | 
8 | // For each App (_ResourceId), the five UserAgent values with the most requests.
9 | // Security note: UserAgent is supplied by the client and trivially forged, so this ranks traffic
10 | // shape, not client identity. When investigating abuse, pair it with the address-based view in
11 | // "Top 5 Machines" rather than treating a user agent as "a client".
12 | AppServiceHTTPLogs
13 | | top-nested of _ResourceId by dummy=max(0), // Display results for each resource (App)
14 | top-nested 5 of UserAgent by count()
15 | | project-away dummy // Remove dummy line from the result set
--------------------------------------------------------------------------------
/Azure Services/App Services/Queries/Incoming requests/Top 5 Machines.kql:
--------------------------------------------------------------------------------
1 | // Author: Microsoft Azure
2 | // Display name: Top 5 Machines
3 | // Description: Top 5 machines which are generating traffic.
4 | // Categories: Azure Resources
5 | // Resource types: App Services
6 | // Topic: Incoming requests
7 | 
8 | // For each App (_ResourceId), the five CIp values (presumably the client address) with the most requests.
9 | // NOTE(review): if the App sits behind a proxy, CDN or front door, CIp may be the intermediary's address rather than the end client's -- confirm for your topology.
10 | AppServiceHTTPLogs
11 | | top-nested of _ResourceId by dummy=max(0), // Display results for each resource (App)
12 | top-nested 5 of CIp by count()
13 | | project-away dummy // Remove dummy line from the result set
--------------------------------------------------------------------------------
/Azure Services/App Services/Queries/README:
--------------------------------------------------------------------------------
1 | Put queries in this folder
--------------------------------------------------------------------------------
/Azure Services/App Services/Workbooks/README:
--------------------------------------------------------------------------------
1 | Put workbooks in this folder
--------------------------------------------------------------------------------
/Azure Services/Application Insights/Alerts/README:
--------------------------------------------------------------------------------
1 | Put alerts in this folder
--------------------------------------------------------------------------------
/Azure Services/Application Insights/Queries/Browsing data/Page views trend.kql:
--------------------------------------------------------------------------------
1 | //
Author: Microsoft Azure 2 | // Display name: Page views trend 3 | // Description: Chart the page views count, during the last day. 4 | // Categories: Applications 5 | // Resource types: Application Insights 6 | // Topic: Browsing data 7 | 8 | AppPageViews 9 | | where ClientType == 'Browser' 10 | | summarize count_sum = sum(ItemCount) by bin(TimeGenerated,30m), _ResourceId 11 | | render timechart -------------------------------------------------------------------------------- /Azure Services/Application Insights/Queries/Browsing data/Slowest pages.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Slowest pages 3 | // Description: What are the 3 slowest pages, and how slow are they? 4 | // Categories: Applications 5 | // Resource types: Application Insights 6 | // Topic: Browsing data 7 | 8 | AppPageViews 9 | | where notempty(DurationMs) and ClientType == 'Browser' 10 | | extend total_duration=DurationMs*ItemCount 11 | | summarize avg_duration=(sum(total_duration)/sum(ItemCount)) by OperationName 12 | | top 3 by avg_duration desc -------------------------------------------------------------------------------- /Azure Services/Application Insights/Queries/Browsing data/Top 3 browser exceptions.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Top 3 browser exceptions 3 | // Description: What were the highest reported exceptions today? 
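// Categories: Applications
// Resource types: Application Insights
// Topic: Browsing data

AppExceptions
| where notempty(ClientBrowser) and ClientType == 'Browser'
| summarize total_exceptions = sum(ItemCount) by ProblemId
| top 3 by total_exceptions desc
--------------------------------------------------------------------------------
/Azure Services/Application Insights/Queries/Performance/Request count trend.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Request count trend
// Description: Chart Request count over the last day.
// Categories: Applications
// Resource types: Application Insights
// Topic: Performance

AppRequests
| where TimeGenerated > ago(1d) // the description says "last day"; filter explicitly, as Response time trend does with 12h
| summarize totalCount=sum(ItemCount) by bin(TimeGenerated, 30m), _ResourceId
| render timechart
--------------------------------------------------------------------------------
/Azure Services/Application Insights/Queries/Performance/Response time trend.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Response time trend
// Description: Chart request duration over the last 12 hours.
// Categories: Applications
// Resource types: Application Insights
// Topic: Performance

AppRequests
| where TimeGenerated > ago(12h)
| summarize avgRequestDuration=avg(DurationMs) by bin(TimeGenerated, 10m), _ResourceId // use a time grain of 10 minutes
| render timechart
--------------------------------------------------------------------------------
/Azure Services/Application Insights/Queries/Performance/Top 10 countries by traffic.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Top 10 countries by traffic
// Description: Chart the amount of requests from the top 10 countries.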
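// Categories: Applications
// Resource types: Application Insights
// Topic: Performance

AppRequests
| summarize CountByCountry=count() by ClientCountryOrRegion
| top 10 by CountByCountry
| render piechart
--------------------------------------------------------------------------------
/Azure Services/Application Insights/Queries/README:
--------------------------------------------------------------------------------
Put queries in this folder
--------------------------------------------------------------------------------
/Azure Services/Application Insights/Queries/Reports failures/Failed operations.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Failed operations
// Description: Calculate how many times operations failed, and how many users were impacted.
// Categories: Applications
// Resource types: Application Insights
// Topic: Reports failures

AppRequests
| where Success == false
// failedCount is weighted by ItemCount; impactedUsers is the number of distinct UserId values
| summarize failedCount=sum(ItemCount), impactedUsers=dcount(UserId) by OperationName, _ResourceId
| order by failedCount desc
--------------------------------------------------------------------------------
/Azure Services/Application Insights/Queries/Reports failures/Failed requests top 10.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Failed requests – top 10
// Description: Which 10 requests failed the most, and how many times?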
// Categories: Applications
// Resource types: Application Insights
// Topic: Reports failures

AppRequests
| where Success == false
| summarize failedCount=sum(ItemCount) by Name
| sort by failedCount desc
| take 10
| render barchart
--------------------------------------------------------------------------------
/Azure Services/Application Insights/Queries/Reports failures/Failing dependencies.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Failing dependencies
// Description: Which 5 dependencies failed the most today?
// Categories: Applications
// Resource types: Application Insights
// Topic: Reports failures

// No TimeGenerated filter: the window is whatever range the query is run over.
AppDependencies
| where Success == false
| summarize totalCount=sum(ItemCount) by DependencyType
| sort by totalCount desc
| take 5
--------------------------------------------------------------------------------
/Azure Services/Application Insights/Workbooks/README:
--------------------------------------------------------------------------------
Put workbooks in this folder
--------------------------------------------------------------------------------
/Azure Services/Application gateways/Alerts/README:
--------------------------------------------------------------------------------
Put alerts in this folder
--------------------------------------------------------------------------------
/Azure Services/Application gateways/Queries/Analytics/Errors by URI.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Errors by URI
// Description: Number of errors by URI.
// Categories: Network
// Resource types: Application gateways
// Topic: Analytics

AzureDiagnostics
| where ResourceType == "APPLICATIONGATEWAYS"
| where OperationName == "ApplicationGatewayAccess"
| where httpStatus_d > 399 // 4xx and 5xx responses
| summarize AggregatedValue = count() by requestUri_s, _ResourceId
| order by AggregatedValue desc
--------------------------------------------------------------------------------
/Azure Services/Application gateways/Queries/Analytics/Errors by user agent.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Errors by user agent
// Description: Number of errors by user agent.
// Categories: Network
// Resource types: Application gateways
// Topic: Analytics

// userAgent_s is supplied by the client, so treat it as a grouping hint rather
// than an identity.
AzureDiagnostics
| where ResourceType == "APPLICATIONGATEWAYS"
| where OperationName == "ApplicationGatewayAccess"
| where httpStatus_d > 399 // 4xx and 5xx responses
| summarize AggregatedValue = count() by userAgent_s, _ResourceId
| order by AggregatedValue desc
--------------------------------------------------------------------------------
/Azure Services/Application gateways/Queries/Analytics/Top 10 Client IPs.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Top 10 Client IPs
// Description: Count of requests per client IP.
// Categories: Network
// Resource types: Application gateways
// Topic: Analytics

AzureDiagnostics
| where ResourceType == "APPLICATIONGATEWAYS"
| where OperationName == "ApplicationGatewayAccess"
| summarize AggregatedValue = count() by clientIP_s
| sort by AggregatedValue desc
| take 10
--------------------------------------------------------------------------------
/Azure Services/Application gateways/Queries/Analytics/Top HTTP versions.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Top HTTP versions
// Description: Count of request per HTTP version.
// Categories: Network
// Resource types: Application gateways
// Topic: Analytics

AzureDiagnostics
| where ResourceType == "APPLICATIONGATEWAYS"
| where OperationName == "ApplicationGatewayAccess"
| summarize AggregatedValue = count() by httpVersion_s
| sort by AggregatedValue desc
| take 10
--------------------------------------------------------------------------------
/Azure Services/Application gateways/Queries/Incoming requests/Requests per hour.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Requests per hour
// Description: Count of the incoming requests on the Application Gateway.
// Categories: Network
// Resource types: Application gateways
// Topic: Incoming requests

AzureDiagnostics
| where ResourceType == "APPLICATIONGATEWAYS"
| where OperationName == "ApplicationGatewayAccess"
| summarize AggregatedValue = count() by bin(TimeGenerated, 1h), _ResourceId // one point per gateway per hour
| render timechart
--------------------------------------------------------------------------------
/Azure Services/Application gateways/Queries/README:
--------------------------------------------------------------------------------
Put queries in this folder
--------------------------------------------------------------------------------
/Azure Services/Application gateways/Workbooks/README:
--------------------------------------------------------------------------------
Put workbooks in this folder
--------------------------------------------------------------------------------
/Azure Services/Automation accounts/Alerts/README:
--------------------------------------------------------------------------------
Put alerts in this folder
--------------------------------------------------------------------------------
/Azure Services/Automation accounts/Queries/Automation Jobs/View historical job status.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: View historical job status
// Description: List all automation jobs.
// Categories: Azure Resources
// Resource types: Automation accounts
// Topic: Automation Jobs

AzureDiagnostics
| where ResourceProvider == "MICROSOFT.AUTOMATION"
| where Category == "JobLogs"
| where ResultType != "started" // drop the job-start records; every other status is kept
| summarize AggregatedValue = count() by ResultType, bin(TimeGenerated, 1h), RunbookName_s, JobId_g, _ResourceId
--------------------------------------------------------------------------------
/Azure Services/Automation accounts/Queries/README:
--------------------------------------------------------------------------------
Put queries in this folder
--------------------------------------------------------------------------------
/Azure Services/Automation accounts/Workbooks/README:
--------------------------------------------------------------------------------
Put workbooks in this folder
--------------------------------------------------------------------------------
/Azure Services/Azure AD Domain Services/Alerts/README:
--------------------------------------------------------------------------------
Put alerts in this folder
--------------------------------------------------------------------------------
/Azure Services/Azure AD Domain Services/Queries/Preview Data/Show logs from AADDomainServicesAccountLogon table.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Show logs from AADDomainServicesAccountLogon table
// Description: Lists the latest logs in AADDomainServicesAccountLogon table, sorted by time (latest first).
// Categories: Azure Resources
// Resource types: Azure AD Domain Services
// Topic: Preview Data

AADDomainServicesAccountLogon
| sort by TimeGenerated desc
| take 10
--------------------------------------------------------------------------------
/Azure Services/Azure AD Domain Services/Queries/Preview Data/Show logs from AADDomainServicesAccountManagement table.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Show logs from AADDomainServicesAccountManagement table
// Description: Lists the latest logs in AADDomainServicesAccountManagement table, sorted by time (latest first).
// Categories: Azure Resources
// Resource types: Azure AD Domain Services
// Topic: Preview Data

AADDomainServicesAccountManagement
| sort by TimeGenerated desc
| take 10
--------------------------------------------------------------------------------
/Azure Services/Azure AD Domain Services/Queries/Preview Data/Show logs from AADDomainServicesDirectoryServiceAccess table.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Show logs from AADDomainServicesDirectoryServiceAccess table
// Description: Lists the latest logs in AADDomainServicesDirectoryServiceAccess table, sorted by time (latest first).
// Categories: Azure Resources
// Resource types: Azure AD Domain Services
// Topic: Preview Data

AADDomainServicesDirectoryServiceAccess
| sort by TimeGenerated desc
| take 10
--------------------------------------------------------------------------------
/Azure Services/Azure AD Domain Services/Queries/Preview Data/Show logs from AADDomainServicesLogonLogoff table.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Show logs from AADDomainServicesLogonLogoff table
// Description: Lists the latest logs in AADDomainServicesLogonLogoff table, sorted by time (latest first).
// Categories: Azure Resources
// Resource types: Azure AD Domain Services
// Topic: Preview Data

AADDomainServicesLogonLogoff
| sort by TimeGenerated desc
| take 10
--------------------------------------------------------------------------------
/Azure Services/Azure AD Domain Services/Queries/Preview Data/Show logs from AADDomainServicesPolicyChange table.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Show logs from AADDomainServicesPolicyChange table
// Description: Lists the latest logs in AADDomainServicesPolicyChange table, sorted by time (latest first).
// Categories: Azure Resources
// Resource types: Azure AD Domain Services
// Topic: Preview Data

AADDomainServicesPolicyChange
| sort by TimeGenerated desc
| take 10
--------------------------------------------------------------------------------
/Azure Services/Azure AD Domain Services/Queries/Preview Data/Show logs from AADDomainServicesPrivilegeUse table.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Show logs from AADDomainServicesPrivilegeUse table
// Description: Lists the latest logs in AADDomainServicesPrivilegeUse table, sorted by time (latest first).
// Categories: Azure Resources
// Resource types: Azure AD Domain Services
// Topic: Preview Data

AADDomainServicesPrivilegeUse
| sort by TimeGenerated desc
| take 10
--------------------------------------------------------------------------------
/Azure Services/Azure AD Domain Services/Queries/Preview Data/Show logs from AADDomainServicesSystemSecurity table.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Show logs from AADDomainServicesSystemSecurity table
// Description: Lists the latest logs in AADDomainServicesSystemSecurity table, sorted by time (latest first).
// Categories: Azure Resources
// Resource types: Azure AD Domain Services
// Topic: Preview Data

AADDomainServicesSystemSecurity
| sort by TimeGenerated desc
| take 10
--------------------------------------------------------------------------------
/Azure Services/Azure AD Domain Services/Queries/Preview Data/Show logs from AzureActivity table.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Show logs from AzureActivity table
// Description: Lists the latest logs in AzureActivity table, sorted by time (latest first).
// Categories: Azure Resources
// Resource types: Azure AD Domain Services
// Topic: Preview Data

AzureActivity
| sort by TimeGenerated desc
| take 10
--------------------------------------------------------------------------------
/Azure Services/Azure AD Domain Services/Queries/Preview Data/Show logs from AzureMetrics table.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Show logs from AzureMetrics table
// Description: Lists the latest logs in AzureMetrics table, sorted by time (latest first).
// Categories: Azure Resources
// Resource types: Azure AD Domain Services
// Topic: Preview Data

AzureMetrics
| sort by TimeGenerated desc
| take 10
--------------------------------------------------------------------------------
/Azure Services/Azure AD Domain Services/Workbooks/README:
--------------------------------------------------------------------------------
Put workbooks in this folder
--------------------------------------------------------------------------------
/Azure Services/Azure Active Directory Logs/Alerts/README:
--------------------------------------------------------------------------------
Put alerts in this folder
--------------------------------------------------------------------------------
/Azure Services/Azure Active Directory Logs/Queries/Audit/Provisioning errors.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Provisioning errors
// Description: Shows the count per error code and when were they last seen.
// Categories: Audit
// Resource types: Azure Active Directory Logs
// Topic: Audit

AADProvisioningLogs
| where ResultType == "Failure"
| summarize Occurrences=count(), LastSeen=max(TimeGenerated) by ResultSignature
| sort by LastSeen desc // most recently seen error codes first
--------------------------------------------------------------------------------
/Azure Services/Azure Active Directory Logs/Queries/Security/Inactive Service Principals.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Inactive Service Principals
// Description: Service principals that had no sign-ins for the last 30d.
// Categories: Security
// Resource types: Azure Active Directory Logs
// Topic: Security

// Only principals with at least one successful sign-in inside the 90d window
// reach the final filter. A principal with no sign-ins at all, or with only
// failed ones (ResultType != 0), never appears here, so this is not a complete
// list of unused principals.
AADServicePrincipalSignInLogs
| where TimeGenerated > ago(90d)
| where ResultType == 0 // successful sign-ins only
| summarize LastSignIn = max(TimeGenerated) by ServicePrincipalId
| where LastSignIn < ago(30d)
--------------------------------------------------------------------------------
/Azure Services/Azure Active Directory Logs/Queries/Security/Most active IP Addresses.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Most active IP Addresses
// Description: Get list of top 100 most active IP addresses for the last day.
// Categories: Security
// Resource types: Azure Active Directory Logs
// Topic: Security

// Counts non-interactive user sign-ins only; interactive sign-ins are not
// part of this table and so are not counted.
AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(1d)
| summarize CountPerIPAddress = count() by IPAddress
| top 100 by CountPerIPAddress desc
--------------------------------------------------------------------------------
/Azure Services/Azure Active Directory Logs/Workbooks/README:
--------------------------------------------------------------------------------
Put workbooks in this folder
--------------------------------------------------------------------------------
/Azure Services/Azure Active Directory/Alerts/README:
--------------------------------------------------------------------------------
Put alerts in this folder

--------------------------------------------------------------------------------
/Azure Services/Azure Active Directory/Queries/README:
--------------------------------------------------------------------------------
Put queries in this folder

--------------------------------------------------------------------------------
/Azure Services/Azure Active Directory/Workbooks/README:
--------------------------------------------------------------------------------
Put workbooks in this folder

--------------------------------------------------------------------------------
/Azure Services/Azure Activity logs/Alerts/README:
--------------------------------------------------------------------------------
Put alerts in this folder

## deployNSGAlert.json
Since json doesn't have comments, I'll put them here. This ARM would deploy the alert to go with the two parameters files that start with the deployNSGAlert.
--------------------------------------------------------------------------------
/Azure Services/Azure Activity logs/Queries/Activity logs/Failed operations.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Failed operations
// Description: List all reports of failed operations, over the past hour.
// Categories: audit
// Resource types: Azure Activity logs
// Topic: Activity logs

AzureActivity
| where TimeGenerated > ago(1h) and ActivityStatus == "Failed"
--------------------------------------------------------------------------------
/Azure Services/Azure Activity logs/Queries/Activity logs/Latest 50 logs.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Latest 50 logs
// Description: Show the latest Azure Activity logs for this resource.
// Categories: audit
// Resource types: Azure Activity logs
// Topic: Activity logs

AzureActivity
| sort by TimeGenerated desc
| take 50
--------------------------------------------------------------------------------
/Azure Services/Azure Activity logs/Queries/Activity logs/Operations status.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Operations' status
// Description: Show the latest Azure activity log for each operation.
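// Categories: audit
// Resource types: Azure Activity logs
// Topic: Activity logs

AzureActivity
| summarize arg_max(TimeGenerated, *) by OperationName // newest record per operation, all columns kept
--------------------------------------------------------------------------------
/Azure Services/Azure Activity logs/Queries/Activity logs/Recent Azure Activity logs.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Recent Azure Activity logs
// Description: Display Azure Activity logs of Error or Warning level from the last hour.
// Categories: audit
// Resource types: Azure Activity logs
// Topic: Activity logs

AzureActivity
| where TimeGenerated > ago(1h) // the description promises the last hour; filter explicitly, as Failed operations does
| where Level == "Error" or Level == "Warning"
| project TimeGenerated, Level, ResourceProvider, ActivityStatus, Caller, Category, Properties, CorrelationId
--------------------------------------------------------------------------------
/Azure Services/Azure Activity logs/Queries/README:
--------------------------------------------------------------------------------
Put queries in this folder
--------------------------------------------------------------------------------
/Azure Services/Azure Activity logs/Workbooks/README:
--------------------------------------------------------------------------------
Put workbooks in this folder
--------------------------------------------------------------------------------
/Azure Services/Azure Arc/Alerts/README:
--------------------------------------------------------------------------------
Put alerts in this folder
--------------------------------------------------------------------------------
/Azure Services/Azure Arc/Queries/README:
--------------------------------------------------------------------------------
Put queries in this folder
--------------------------------------------------------------------------------
/Azure Services/Azure Arc/Workbooks/README: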
--------------------------------------------------------------------------------
Put workbooks in this folder
--------------------------------------------------------------------------------
/Azure Services/Azure Container Apps/Alerts/README:
--------------------------------------------------------------------------------
Put alerts in this folder
--------------------------------------------------------------------------------
/Azure Services/Azure Container Apps/Workbooks/README:
--------------------------------------------------------------------------------
Put workbooks in this folder
--------------------------------------------------------------------------------
/Azure Services/Azure Database for MariaDB servers/Alerts/README:
--------------------------------------------------------------------------------
Put alerts in this folder
--------------------------------------------------------------------------------
/Azure Services/Azure Database for MariaDB servers/Queries/README:
--------------------------------------------------------------------------------
Put queries in this folder
--------------------------------------------------------------------------------
/Azure Services/Azure Database for MariaDB servers/Workbooks/README:
--------------------------------------------------------------------------------
Put workbooks in this folder
--------------------------------------------------------------------------------
/Azure Services/Azure Database for MySQL servers/Alerts/README:
--------------------------------------------------------------------------------
Put alerts in this folder
--------------------------------------------------------------------------------
/Azure Services/Azure Database for MySQL servers/Queries/README:
--------------------------------------------------------------------------------
Put queries in this folder
--------------------------------------------------------------------------------
/Azure Services/Azure Database for MySQL servers/Workbooks/README:
--------------------------------------------------------------------------------
Put workbooks in this folder
--------------------------------------------------------------------------------
/Azure Services/Azure Database for PostgreSQL servers/Alerts/README:
--------------------------------------------------------------------------------
Put alerts in this folder
--------------------------------------------------------------------------------
/Azure Services/Azure Database for PostgreSQL servers/Queries/Audit Logs/Audit logs.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Audit logs
// Description: Get all audit logs. It requires audit logs to be enabled [https://docs.microsoft.com/azure/postgresql/concepts-audit].
// Categories: Workloads,Audit
// Resource types: Azure Database for PostgreSQL servers
// Topic: Audit Logs

AzureDiagnostics
| where ResourceProvider == "MICROSOFT.DBFORPOSTGRESQL" and Category == "PostgreSQLLogs"
| where Message contains "AUDIT:" // case-insensitive substring match on the server log line
--------------------------------------------------------------------------------
/Azure Services/Azure Database for PostgreSQL servers/Queries/Diagnostics/Deadlocks.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Deadlocks
// Description: Search for deadlock events.
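// Categories: Workloads
// Resource types: Azure Database for PostgreSQL servers
// Topic: Diagnostics

AzureDiagnostics
| where ResourceProvider == "MICROSOFT.DBFORPOSTGRESQL"
| where Category == "PostgreSQLLogs"
| where Message contains "deadlock detected"
--------------------------------------------------------------------------------
/Azure Services/Azure Database for PostgreSQL servers/Queries/Diagnostics/Lock contention.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Lock contention
// Description: Search for lock contention. It requires log_lock_waits=ON and depends on deadlock_timeout setting.
// Categories: Workloads
// Resource types: Azure Database for PostgreSQL servers
// Topic: Diagnostics

AzureDiagnostics
| where ResourceProvider == "MICROSOFT.DBFORPOSTGRESQL"
| where Category == "PostgreSQLLogs" // same server-log category the sibling Deadlocks and Audit logs queries filter on
| where Message contains "still waiting for ShareLock on transaction"
--------------------------------------------------------------------------------
/Azure Services/Azure Database for PostgreSQL servers/Queries/Errors/Find Errors.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Find Errors
// Description: Search for errors in the last 6 hours.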
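// Categories: Workloads
// Resource types: Azure Database for PostgreSQL servers
// Topic: Errors

AzureDiagnostics
| where TimeGenerated > ago(6h)
| where ResourceProvider == "MICROSOFT.DBFORPOSTGRESQL" // scope to this provider, as the sibling PostgreSQL queries do
| where Category == "PostgreSQLLogs"
| where errorLevel_s contains "error" // case-insensitive, so "ERROR" matches as well
--------------------------------------------------------------------------------
/Azure Services/Azure Database for PostgreSQL servers/Queries/README:
--------------------------------------------------------------------------------
Put queries in this folder
--------------------------------------------------------------------------------
/Azure Services/Azure Database for PostgreSQL servers/Workbooks/README:
--------------------------------------------------------------------------------
Put workbooks in this folder
--------------------------------------------------------------------------------
/Azure Services/Azure Databricks/Alerts/README:
--------------------------------------------------------------------------------
Put alerts in this folder
--------------------------------------------------------------------------------
/Azure Services/Azure Databricks/Workbooks/README:
--------------------------------------------------------------------------------
Put workbooks in this folder
--------------------------------------------------------------------------------
/Azure Services/Azure Digital Twins/Alerts/README:
--------------------------------------------------------------------------------
Put alerts in this folder
--------------------------------------------------------------------------------
/Azure Services/Azure Digital Twins/Queries/Diagnostics/DigitalTwin API Latency.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: DigitalTwin API Latency
// Description: Time to complete DigitalTwin operations by type over time.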
4 | // Categories: Audit,Azure Monitor 5 | // Resource types: Azure Digital Twins 6 | // Topic: Diagnostics 7 | 8 | let grain = 5m; 9 | ADTDigitalTwinsOperation 10 | | summarize avg(toint(DurationMs)) by OperationName, bin(TimeGenerated, grain) 11 | | render timechart -------------------------------------------------------------------------------- /Azure Services/Azure Digital Twins/Queries/Diagnostics/Model API Latency.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Model API Latency 3 | // Description: Time to complete Model operations by type over time. 4 | // Categories: Audit,Azure Monitor 5 | // Resource types: Azure Digital Twins 6 | // Topic: Diagnostics 7 | 8 | let grain = 5m; 9 | ADTModelsOperation 10 | | summarize avg(toint(DurationMs)) by OperationName, bin(TimeGenerated, grain) 11 | | render timechart -------------------------------------------------------------------------------- /Azure Services/Azure Digital Twins/Queries/Diagnostics/Query API Latency.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Query API Latency 3 | // Description: Time to complete Query operations by type over time. 4 | // Categories: Audit,Azure Monitor 5 | // Resource types: Azure Digital Twins 6 | // Topic: Diagnostics 7 | 8 | let grain = 5m; 9 | ADTQueryOperation 10 | | summarize avg(toint(DurationMs)) by OperationName, bin(TimeGenerated, grain) 11 | | render timechart -------------------------------------------------------------------------------- /Azure Services/Azure Digital Twins/Queries/Errors/DigitalTwin Error Summary.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: DigitalTwin Error Summary 3 | // Description: List of all DigitalTwin call errors. 
4 | // Categories: Audit,Azure Monitor 5 | // Resource types: Azure Digital Twins 6 | // Topic: Errors 7 | 8 | ADTDigitalTwinsOperation 9 | | where ResultType != 'Success' -------------------------------------------------------------------------------- /Azure Services/Azure Digital Twins/Queries/Errors/Model Error Summary.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Model Error Summary 3 | // Description: List of all Model call errors. 4 | // Categories: Audit,Azure Monitor 5 | // Resource types: Azure Digital Twins 6 | // Topic: Errors 7 | 8 | ADTModelsOperation 9 | | where ResultType != 'Success' -------------------------------------------------------------------------------- /Azure Services/Azure Digital Twins/Queries/Errors/Query Error Summary.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Query Error Summary 3 | // Description: List of all Query call errors. 4 | // Categories: Audit,Azure Monitor 5 | // Resource types: Azure Digital Twins 6 | // Topic: Errors 7 | 8 | ADTQueryOperation 9 | | where ResultType != 'Success' -------------------------------------------------------------------------------- /Azure Services/Azure Digital Twins/Queries/Usage/DigitalTwin API Usage.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: DigitalTwin API Usage 3 | // Description: Count of DigitalTwin APIs by type (read, write and delete). 
4 | // Categories: Audit,Azure Monitor 5 | // Resource types: Azure Digital Twins 6 | // Topic: Usage 7 | 8 | ADTDigitalTwinsOperation 9 | | summarize count() by OperationName 10 | | render piechart -------------------------------------------------------------------------------- /Azure Services/Azure Digital Twins/Queries/Usage/EventRoutes API Usage.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: EventRoutes API Usage 3 | // Description: Count of EventRoute APIs by type (read, write and delete). 4 | // Categories: Audit,Azure Monitor 5 | // Resource types: Azure Digital Twins 6 | // Topic: Usage 7 | 8 | ADTEventRoutesOperation 9 | | summarize count() by OperationName 10 | | render piechart -------------------------------------------------------------------------------- /Azure Services/Azure Digital Twins/Queries/Usage/Model API Usage.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Model API Usage 3 | // Description: Count of Model APIs by type (read, write and delete). 
4 | // Categories: Audit,Azure Monitor 5 | // Resource types: Azure Digital Twins 6 | // Topic: Usage 7 | 8 | ADTModelsOperation 9 | | summarize count() by OperationName 10 | | render piechart -------------------------------------------------------------------------------- /Azure Services/Azure Digital Twins/Workbooks/README: -------------------------------------------------------------------------------- 1 | Put workbooks in this folder -------------------------------------------------------------------------------- /Azure Services/Azure Managed HSMs/Alerts/README: -------------------------------------------------------------------------------- 1 | Put alerts in this folder -------------------------------------------------------------------------------- /Azure Services/Azure Managed HSMs/Queries/README: -------------------------------------------------------------------------------- 1 | Put queries in this folder -------------------------------------------------------------------------------- /Azure Services/Azure Managed HSMs/Workbooks/README: -------------------------------------------------------------------------------- 1 | Put workbooks in this folder -------------------------------------------------------------------------------- /Azure Services/Azure Monitor autoscale settings/Alerts/README: -------------------------------------------------------------------------------- 1 | Put alerts in this folder -------------------------------------------------------------------------------- /Azure Services/Azure Monitor autoscale settings/Queries/Autoscale/Autoscale failed operations.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Autoscale failed operations 3 | // Description: List all reports of failed operations, over the last day. 
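4 | // Categories: Azure Monitor,Audit 5 | // Resource types: Azure Monitor autoscale settings 6 | // Topic: Autoscale 7 | 8 | AutoscaleScaleActionsLog 9 | | where TimeGenerated > ago(24h) 10 | | where ResultType == "Failed" -------------------------------------------------------------------------------- /Azure Services/Azure Monitor autoscale settings/Queries/Autoscale/Autoscale operation status.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Autoscale operation status 3 | // Description: Lists latest Autoscale operations, scale direction, instance count and its status. 4 | // Categories: Azure Monitor 5 | // Resource types: Azure Monitor autoscale settings 6 | // Topic: Autoscale 7 | 8 | AutoscaleScaleActionsLog 9 | | project TimeGenerated, ResourceId, CurrentInstanceCount, NewInstanceCount, ScaleDirection, ResultType 10 | | sort by TimeGenerated desc -------------------------------------------------------------------------------- /Azure Services/Azure Monitor autoscale settings/Queries/Autoscale/Display top Autoscale 50 logs.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Display top Autoscale 50 logs 3 | // Description: Show the latest Azure Autoscale logs in the last 24 hours. 4 | // Categories: Azure Monitor 5 | // Resource types: Azure Monitor autoscale settings 6 | // Topic: Autoscale 7 | 8 | AutoscaleScaleActionsLog 9 | | where TimeGenerated > ago(24h) 10 | | top 50 by TimeGenerated desc // order before taking 50, otherwise "limit" returns an arbitrary subset rather than the latest rows -------------------------------------------------------------------------------- /Azure Services/Azure Monitor autoscale settings/Queries/Autoscale/Review Autoscale evaluations.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Review Autoscale evaluations 3 | // Description: Counts Autoscale evaluations in the last hour. 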
4 | // Categories: Azure Monitor 5 | // Resource types: Azure Monitor autoscale settings 6 | // Topic: Autoscale 7 | 8 | AutoscaleEvaluationsLog 9 | | where TimeGenerated > ago(1h) 10 | | summarize count() by ResourceId, Profile, OperationName, EvaluationResult -------------------------------------------------------------------------------- /Azure Services/Azure Monitor autoscale settings/Workbooks/README: -------------------------------------------------------------------------------- 1 | Put workbooks in this folder -------------------------------------------------------------------------------- /Azure Services/Azure Monitor/Agents/Migration Tools/DCR Config Generator/CHANGELOG.md: -------------------------------------------------------------------------------- 1 | # Changelog 2 | 3 | All notable changes to the script will be documented in this file. 4 | 5 | ## [1.0.1] - 2024-08-01 6 | 7 | ### Changed 8 | - Now using the latest DCR Api version 2023-03-11. 9 | - Update one of the console messages. 10 | 11 | ## [1.0.0] - 2023-12-06 12 | 13 | ### Added 14 | - Initial release of the script with support for Perf counters,syslog, windows event logs, iis logs, log files, extensions data source 15 | -------------------------------------------------------------------------------- /Azure Services/Azure Monitor/Agents/README: -------------------------------------------------------------------------------- 1 | Put agent related community artifacts here. 
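2 | 3 | For queries, email obs-agent-pms@microsoft.com -------------------------------------------------------------------------------- /Azure Services/Azure Monitor/Alerts/ODFB share to everyone alert: -------------------------------------------------------------------------------- 1 | //Looks for sharing activity if someone shares from OneDrive to Everyone. Note that "has" is a whole-term match, so any group name containing the term "Everyone" will also be reported; review hits accordingly 2 | //Replace "YourTenantName" with the name of your tenant 3 | OfficeActivity | where Operation == 'SharingSet' | where Site_Url has "https://YourTenantName-my.sharepoint.com/personal" | where TargetUserOrGroupName has "Everyone" 4 | -------------------------------------------------------------------------------- /Azure Services/Azure Monitor/Alerts/README: -------------------------------------------------------------------------------- 1 | Put alerts in this folder -------------------------------------------------------------------------------- /Azure Services/Azure Monitor/Queries/README: -------------------------------------------------------------------------------- 1 | Put queries in this folder -------------------------------------------------------------------------------- /Azure Services/Azure NetApp Files/Alerts/README: -------------------------------------------------------------------------------- 1 | Put alerts in this folder -------------------------------------------------------------------------------- /Azure Services/Azure NetApp Files/Queries/README: -------------------------------------------------------------------------------- 1 | Put queries in this folder -------------------------------------------------------------------------------- /Azure Services/Azure NetApp Files/Workbooks/img/overview001.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/AzureMonitorCommunity/96bcca345b3621cb2840a9bc67664247d6cad828/Azure Services/Azure NetApp Files/Workbooks/img/overview001.png 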
-------------------------------------------------------------------------------- /Azure Services/Azure NetApp Files/Workbooks/img/overview002.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/AzureMonitorCommunity/96bcca345b3621cb2840a9bc67664247d6cad828/Azure Services/Azure NetApp Files/Workbooks/img/overview002.png -------------------------------------------------------------------------------- /Azure Services/Azure NetApp Files/Workbooks/img/overview003.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/AzureMonitorCommunity/96bcca345b3621cb2840a9bc67664247d6cad828/Azure Services/Azure NetApp Files/Workbooks/img/overview003.png -------------------------------------------------------------------------------- /Azure Services/Azure NetApp Files/Workbooks/img/overview004.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/AzureMonitorCommunity/96bcca345b3621cb2840a9bc67664247d6cad828/Azure Services/Azure NetApp Files/Workbooks/img/overview004.png -------------------------------------------------------------------------------- /Azure Services/Azure Operator Nexus/Alerts/Preview/armTemplates/Queries/README: -------------------------------------------------------------------------------- 1 | Put queries in this folder -------------------------------------------------------------------------------- /Azure Services/Azure Operator Nexus/Alerts/Preview/armTemplates/activityLogAlerts/arcKubernetes.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "alertName": { 6 | "value": "Arc Kubernetes Disconnected" 7 | }, 8 | "alertDescription": { 9 | 
"value": "Kubernetes cluster is disconnected from Arc" 10 | }, 11 | "resourceType": { 12 | "value": "microsoft.kubernetes/connectedclusters" 13 | } 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /Azure Services/Azure Spring Cloud/Alerts/README: -------------------------------------------------------------------------------- 1 | Put alerts in this folder -------------------------------------------------------------------------------- /Azure Services/Azure Spring Cloud/Queries/README: -------------------------------------------------------------------------------- 1 | Put queries in this folder -------------------------------------------------------------------------------- /Azure Services/Azure Spring Cloud/Queries/System Logs/Show the config server logs.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Show the config server logs 3 | // Description: Filter the config server logs with the log level. 
4 | // Categories: Azure Resources 5 | // Resource types: Azure Spring Cloud 6 | // Topic: System Logs 7 | 8 | AppPlatformSystemLogs 9 | | where TimeGenerated > ago(1h) 10 | | where LogType == "ConfigServer" and Level in ("WARN", "ERROR") 11 | | project TimeGenerated , Level , ServiceName , Thread , Stack , Log , _ResourceId -------------------------------------------------------------------------------- /Azure Services/Azure Spring Cloud/Workbooks/README: -------------------------------------------------------------------------------- 1 | Put workbooks in this folder -------------------------------------------------------------------------------- /Azure Services/Batch accounts/Alerts/README: -------------------------------------------------------------------------------- 1 | Put alerts in this folder -------------------------------------------------------------------------------- /Azure Services/Batch accounts/Queries/Pools/Pool resize failures.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Pool resize failures 3 | // Description: List pool resize failures by error code and time. 4 | // Categories: Azure Resources 5 | // Resource types: Batch accounts 6 | // Topic: Pools 7 | 8 | AzureDiagnostics 9 | | where OperationName=="PoolResizeCompleteEvent" 10 | | where resultCode_s=="Failure" // Filter only on failed pool resizes 11 | | summarize by poolName=id_s, resultCode=resultCode_s, resultMessage=resultMessage_s, operationTime=startTime_s -------------------------------------------------------------------------------- /Azure Services/Batch accounts/Queries/Pools/Pool resizes.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Pool resizes 3 | // Description: List resize times by pool and result code (success or failure). 
4 | // Categories: Azure Resources 5 | // Resource types: Batch accounts 6 | // Topic: Pools 7 | 8 | AzureDiagnostics 9 | | where OperationName=="PoolResizeCompleteEvent" 10 | | summarize operationTimes=make_list(startTime_s) by poolName=id_s, resultCode=resultCode_s -------------------------------------------------------------------------------- /Azure Services/Batch accounts/Queries/README: -------------------------------------------------------------------------------- 1 | Put queries in this folder -------------------------------------------------------------------------------- /Azure Services/Batch accounts/Queries/Tasks/Failed tasks per job.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Failed tasks per job 3 | // Description: Lists failed tasks by parent job. 4 | // Categories: Azure Resources 5 | // Resource types: Batch accounts 6 | // Topic: Tasks 7 | 8 | AzureDiagnostics 9 | | where OperationName=="TaskFailEvent" 10 | | summarize failedTaskList=make_list(id_s) by jobId=jobId_s -------------------------------------------------------------------------------- /Azure Services/Batch accounts/Queries/Tasks/Successful tasks per job.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Successful tasks per job 3 | // Description: Provides the number of successful tasks per job. 
4 | // Categories: Azure Resources 5 | // Resource types: Batch accounts 6 | // Topic: Tasks 7 | 8 | AzureDiagnostics 9 | | where OperationName=="TaskCompleteEvent" 10 | | where executionInfo_exitCode_d==0 // Your application may use an exit code other than 0 to denote a successful operation 11 | | summarize successfulTasks=count(id_s) by jobId=jobId_s -------------------------------------------------------------------------------- /Azure Services/Batch accounts/Workbooks/README: -------------------------------------------------------------------------------- 1 | Put workbooks in this folder -------------------------------------------------------------------------------- /Azure Services/Bot Services/Alerts/README: -------------------------------------------------------------------------------- 1 | Put alerts in this folder -------------------------------------------------------------------------------- /Azure Services/Bot Services/Queries/Diagnostics/DisplayResponseCodesLineChart.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: DisplayResponseCodesLineChart 3 | // Description: Display a Line Chart showing requests response status codes over a period of time. 4 | // Categories: Azure Resources 5 | // Resource types: Bot Services 6 | // Topic: Diagnostics 7 | 8 | ABSBotRequests 9 | | where TimeGenerated > ago(6h) 10 | | summarize count() by ResultCode, bin(TimeGenerated, 10m) 11 | | render timechart -------------------------------------------------------------------------------- /Azure Services/Bot Services/Queries/Diagnostics/DisplayResponseCodesPieChart.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: DisplayResponseCodesPieChart 3 | // Description: Display a Pie Chart showing requests response status codes. 
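4 | // Categories: Azure Resources 5 | // Resource types: Bot Services 6 | // Topic: Diagnostics 7 | 8 | ABSBotRequests 9 | | where TimeGenerated > ago(12h) 10 | | summarize count() by ResultCode // column names are case-sensitive; matches the ResultCode column used by the other ABSBotRequests queries 11 | | render piechart -------------------------------------------------------------------------------- /Azure Services/Bot Services/Queries/Diagnostics/GetChannelToBotRequestsLogs.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: GetChannelToBotRequestsLogs 3 | // Description: Gets a distinct list of all the requests from Direct Line channels to the bot. 4 | // Categories: Azure Resources 5 | // Resource types: Bot Services 6 | // Topic: Diagnostics 7 | 8 | ABSBotRequests 9 | | where TimeGenerated > ago(6h) 10 | | where Category == 'ABSChannelToBotRequests' 11 | | sort by TimeGenerated desc -------------------------------------------------------------------------------- /Azure Services/Bot Services/Queries/Diagnostics/GetFailedChannelsToBotRequests.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: GetFailedChannelsToBotRequests 3 | // Description: Gets a distinct list of all the unsuccessful requests to bot from channels. 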
4 | // Categories: Azure Resources 5 | // Resource types: Bot Services 6 | // Topic: Diagnostics 7 | 8 | ABSBotRequests 9 | | where TimeGenerated > ago(12h) 10 | | where ResultCode !startswith "2" 11 | | where Category == 'ABSChannelToBotRequests' 12 | | sort by TimeGenerated desc -------------------------------------------------------------------------------- /Azure Services/Bot Services/Queries/Diagnostics/GetFailedRequestsToDependencies.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: GetFailedRequestsToDependencies 3 | // Description: Gets a distinct list of all the unsuccessful requests to dependencies. 4 | // Categories: Azure Resources 5 | // Resource types: Bot Services 6 | // Topic: Diagnostics 7 | 8 | ABSBotRequests 9 | | where TimeGenerated > ago(12h) 10 | | where ResultCode !startswith "2" 11 | | where Category == 'ABSDependenciesRequests' 12 | | sort by TimeGenerated desc -------------------------------------------------------------------------------- /Azure Services/Bot Services/Queries/Diagnostics/GetRequestsToDependenciesLogs.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: GetRequestsToDependenciesLogs 3 | // Description: Gets a distinct list of all the requests to dependencies. 
4 | // Categories: Azure Resources 5 | // Resource types: Bot Services 6 | // Topic: Diagnostics 7 | 8 | ABSBotRequests 9 | | where TimeGenerated > ago(6h) 10 | | where Category == 'ABSDependenciesRequests' 11 | | sort by TimeGenerated desc -------------------------------------------------------------------------------- /Azure Services/Bot Services/Workbooks/README: -------------------------------------------------------------------------------- 1 | Put workbooks in this folder -------------------------------------------------------------------------------- /Azure Services/CDN profiles/Alerts/README: -------------------------------------------------------------------------------- 1 | Put alerts in this folder -------------------------------------------------------------------------------- /Azure Services/CDN profiles/Queries/README: -------------------------------------------------------------------------------- 1 | Put queries in this folder -------------------------------------------------------------------------------- /Azure Services/CDN profiles/Queries/Usage/Unique IP request count.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Unique IP request count 3 | // Description: Show Unique IP request count. 
4 | // Categories: Network 5 | // Resource types: CDN profiles 6 | // Topic: Usage 7 | 8 | AzureDiagnostics 9 | | where OperationName == "Microsoft.Cdn/Profiles/AccessLog/Write"and Category == "AzureCdnAccessLog" 10 | | where isReceivedFromClient_b == true 11 | | summarize dcount(clientIp_s) by bin(TimeGenerated, 1h) 12 | | render timechart -------------------------------------------------------------------------------- /Azure Services/CDN profiles/Workbooks/README: -------------------------------------------------------------------------------- 1 | Put workbooks in this folder -------------------------------------------------------------------------------- /Azure Services/Communication Services/Alerts/README: -------------------------------------------------------------------------------- 1 | Put alerts in this folder -------------------------------------------------------------------------------- /Azure Services/Communication Services/Queries/Audit/List Distinct Chat Operations.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: List Distinct Chat Operations 3 | // Description: Returns all distinct combinations of Chat operation / version pairs. 4 | // Categories: Azure Resources 5 | // Resource types: Communication Services 6 | // Topic: Audit 7 | 8 | ACSChatIncomingOperations 9 | | distinct OperationName, OperationVersion -------------------------------------------------------------------------------- /Azure Services/Communication Services/Queries/Audit/List Distinct SMS Operations.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: List Distinct SMS Operations 3 | // Description: Returns all distinct combinations of SMS operation / version pairs. 
4 | // Categories: Azure Resources 5 | // Resource types: Communication Services 6 | // Topic: Audit 7 | 8 | ACSSMSIncomingOperations 9 | | distinct OperationName, OperationVersion -------------------------------------------------------------------------------- /Azure Services/Communication Services/Queries/Errors/Chat Operational Errors.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Chat Operational Errors 3 | // Description: List every Chat error ordered by recency. 4 | // Categories: Azure Resources 5 | // Resource types: Communication Services 6 | // Topic: Errors 7 | 8 | ACSChatIncomingOperations 9 | | where ResultType == "Failed" 10 | | project TimeGenerated, OperationName, OperationVersion, ResultSignature, ResultDescription 11 | | order by TimeGenerated desc -------------------------------------------------------------------------------- /Azure Services/Communication Services/Queries/Errors/SMS Operational Errors.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: SMS Operational Errors 3 | // Description: List every SMS error ordered by recency. 4 | // Categories: Azure Resources 5 | // Resource types: Communication Services 6 | // Topic: Errors 7 | 8 | ACSSMSIncomingOperations 9 | | where ResultType == "Failed" 10 | | project TimeGenerated, OperationName, OperationVersion, ResultSignature, ResultDescription 11 | | order by TimeGenerated desc -------------------------------------------------------------------------------- /Azure Services/Communication Services/Queries/Usage/Get Long Calls.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Get Long Calls 3 | // Description: Retrieve all the calls that lasted longer than an hour. 
4 | // Categories: Azure Resources 5 | // Resource types: Communication Services 6 | // Topic: Usage 7 | 8 | ACSBillingUsage 9 | | where tolower(UsageType) == "audio" // only look at records that are calls 10 | | extend Length = EndTime - StartTime 11 | | where Length > 1h // return if the call is greater than an hour 12 | -------------------------------------------------------------------------------- /Azure Services/Communication Services/Workbooks/README: -------------------------------------------------------------------------------- 1 | Put workbooks in this folder -------------------------------------------------------------------------------- /Azure Services/Container registries/Alerts/README: -------------------------------------------------------------------------------- 1 | Put alerts in this folder -------------------------------------------------------------------------------- /Azure Services/Container registries/Queries/App Logs/Show login events reported over the last hour.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Show login events reported over the last hour 3 | // Description: A list of login event logs, sorted by time (earliest logs shown first). 4 | // Categories: Containers 5 | // Resource types: Container registries 6 | // Topic: App Logs 7 | 8 | ContainerRegistryLoginEvents 9 | | where TimeGenerated > ago(1h) 10 | | sort by TimeGenerated asc -------------------------------------------------------------------------------- /Azure Services/Container registries/Queries/App Logs/Show registry events reported over the last hour.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Show registry events reported over the last hour 3 | // Description: A list of registry event logs, sorted by time (earliest logs shown first). 
4 | // Categories: Containers 5 | // Resource types: Container registries 6 | // Topic: App Logs 7 | 8 | ContainerRegistryRepositoryEvents 9 | | where TimeGenerated > ago(1h) 10 | | sort by TimeGenerated asc -------------------------------------------------------------------------------- /Azure Services/Container registries/Queries/Preview Data/Which tables have logs.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Which tables have logs? 3 | // Description: Lists all tables that contain logs. 4 | // Categories: Azure Resources 5 | // Resource types: Container registries 6 | // Topic: Preview Data 7 | 8 | // If no results were found, try selecting another time range using the Time Picker in the top bar 9 | union withsource = Tables * 10 | | where TimeGenerated > ago(24h) 11 | | distinct Tables -------------------------------------------------------------------------------- /Azure Services/Container registries/Queries/README: -------------------------------------------------------------------------------- 1 | Put queries in this folder -------------------------------------------------------------------------------- /Azure Services/Container registries/Workbooks/README: -------------------------------------------------------------------------------- 1 | Put workbooks in this folder -------------------------------------------------------------------------------- /Azure Services/Cosmos DB/Alerts/README: -------------------------------------------------------------------------------- 1 | Put alerts in this folder -------------------------------------------------------------------------------- /Azure Services/Cosmos DB/Queries/README: -------------------------------------------------------------------------------- 1 | Put queries in this folder -------------------------------------------------------------------------------- /Azure Services/Cosmos DB/Workbooks/README: 
-------------------------------------------------------------------------------- 1 | Put workbooks in this folder -------------------------------------------------------------------------------- /Azure Services/Data Shares/Alerts/README: -------------------------------------------------------------------------------- 1 | Put alerts in this folder -------------------------------------------------------------------------------- /Azure Services/Data Shares/Queries/Errors/Count failed received snapshots.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Count failed received snapshots 3 | // Description: Count of failed snapshots over the last 7 days. 4 | // Categories: Audit 5 | // Resource types: Data Shares 6 | // Topic: Errors 7 | 8 | MicrosoftDataShareReceivedSnapshotLog 9 | | where TimeGenerated > ago(7d) 10 | | where Status == "Failed" 11 | | summarize count() by _ResourceId -------------------------------------------------------------------------------- /Azure Services/Data Shares/Queries/Errors/Count failed sent snapshots.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Count failed sent snapshots 3 | // Description: Total count of failed snapshots over the last 7 days. 
4 | // Categories: Audit 5 | // Resource types: Data Shares 6 | // Topic: Errors 7 | 8 | MicrosoftDataShareSentSnapshotLog 9 | | where TimeGenerated > ago(7d) 10 | | where Status == "Failed" 11 | | summarize count() by _ResourceId -------------------------------------------------------------------------------- /Azure Services/Data Shares/Queries/Errors/Frequent errors in received snapshots.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Frequent errors in received snapshots 3 | // Description: Top 10 most frequent errors over the last 7 days. 4 | // Categories: Audit 5 | // Resource types: Data Shares 6 | // Topic: Errors 7 | 8 | MicrosoftDataShareReceivedSnapshotLog 9 | | where TimeGenerated > ago(7d) 10 | | where Status == "Failed" 11 | | summarize count() by _ResourceId, DataSetType // Counting failed logs per datasettype 12 | | top 10 by count_ desc nulls last -------------------------------------------------------------------------------- /Azure Services/Data Shares/Queries/Errors/Frequent errors in sent snapshots.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Frequent errors in sent snapshots 3 | // Description: List top 10 errors over the last 7 days. 
4 | // Categories: Audit 5 | // Resource types: Data Shares 6 | // Topic: Errors 7 | 8 | MicrosoftDataShareSentSnapshotLog 9 | | where TimeGenerated > ago(7d) 10 | | where Status == "Failed" 11 | | summarize count() by _ResourceId, DataSetType// Counting failed logs per datasettype 12 | | top 10 by count_ desc nulls last -------------------------------------------------------------------------------- /Azure Services/Data Shares/Queries/README: -------------------------------------------------------------------------------- 1 | Put queries in this folder -------------------------------------------------------------------------------- /Azure Services/Data Shares/Workbooks/README: -------------------------------------------------------------------------------- 1 | Put workbooks in this folder -------------------------------------------------------------------------------- /Azure Services/Data factories/Alerts/README: -------------------------------------------------------------------------------- 1 | Put alerts in this folder -------------------------------------------------------------------------------- /Azure Services/Data factories/Queries/Performance/Activity runs latest Status.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Activity runs latest Status 3 | // Description: Returns latest Status of Activity runs. 
4 | // Categories: Azure Resources 5 | // Resource types: Data factories 6 | // Topic: Performance 7 | 8 | ADFActivityRun 9 | | summarize argmax(TimeGenerated, * ) by ActivityRunId, Status, _ResourceId -------------------------------------------------------------------------------- /Azure Services/Data factories/Queries/Performance/Pipeline runs latest Status.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Pipeline runs latest Status 3 | // Description: Returns latest Status of pipeline runs. 4 | // Categories: Azure Resources 5 | // Resource types: Data factories 6 | // Topic: Performance 7 | 8 | ADFPipelineRun 9 | | summarize argmax(TimeGenerated, * ) by RunId, Status, _ResourceId -------------------------------------------------------------------------------- /Azure Services/Data factories/Queries/Performance/Trigger runs latest Status.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Trigger runs latest Status 3 | // Description: Returns latest Status of Trigger runs. 
4 | // Categories: Azure Resources 5 | // Resource types: Data factories 6 | // Topic: Performance 7 | 8 | ADFTriggerRun 9 | | summarize argmax(TimeGenerated, * ) by TriggerId, Status, _ResourceId -------------------------------------------------------------------------------- /Azure Services/Data factories/Workbooks/README: -------------------------------------------------------------------------------- 1 | Put workbooks in this folder -------------------------------------------------------------------------------- /Azure Services/Dataverse/Alerts/README: -------------------------------------------------------------------------------- 1 | Put alerts in this folder -------------------------------------------------------------------------------- /Azure Services/Dataverse/Queries/API Activity/API Requests Being Throttled.kql: -------------------------------------------------------------------------------- 1 | // Author: aliyoussefi 2 | // Display name: API Requests Being Throttled 3 | // Description: Count of API calls over a given amount of time. Variables are of type datetime 4 | // Categories: Dataverse 5 | // Resource types: Dataverse 6 | // Topic: API, Health, Resiliency 7 | 8 | requests 9 | | where timestamp between (_fromStartTime .. _toEndTime) //datetime 10 | | where resultCode == "429" and success == "False" -------------------------------------------------------------------------------- /Azure Services/Dataverse/Queries/API Activity/Power Platform Admin Center Analytics - API Calls.kql: -------------------------------------------------------------------------------- 1 | // Author: aliyoussefi 2 | // Display name: Power Platform Admin Center Analytics - API Calls 3 | // Description: Count of API calls over a given amount of time. Variables are of type datetime 4 | // Categories: Power Platform Admin Center Analytics 5 | // Resource types: Dataverse 6 | // Topic: API 7 | 8 | requests 9 | | where timestamp between (_fromStartTime .. 
_toEndTime) //datetime 10 | | count -------------------------------------------------------------------------------- /Azure Services/Dataverse/Queries/API Activity/Power Platform Admin Center Analytics - Plug-In Executions.kql: -------------------------------------------------------------------------------- 1 | // Author: aliyoussefi 2 | // Display name: Power Platform Admin Center Analytics - Plug-In Executions 3 | // Description: Count of Plug-in executions over a given amount of time. Variables are datetime 4 | // Categories: Power Platform Admin Center Analytics 5 | // Resource types: Dataverse 6 | // Topic: API 7 | dependencies 8 | | where timestamp between (_fromStartTime .. _toEndTime) //datetime 9 | | where type == "Plugin" 10 | | count -------------------------------------------------------------------------------- /Azure Services/Dataverse/Queries/Other errors and failures/Timeouts Per Day Per Hour.kql: -------------------------------------------------------------------------------- 1 | // Author: Jeff Thompson and Darrin Devine 2 | // Display name: timeouts per day per hour 3 | // Description: timeouts per day per hour 4 | // Categories: Dataverse 5 | // Resource types: Dataverse 6 | // Topic: Other errors and failures 7 | 8 | exceptions 9 | | where timestamp >= ago(14d) 10 | | where outerMessage has "timeout" 11 | | summarize count() by bin(timestamp,1h) 12 | | render timechart 13 | 14 | 15 | 16 | 17 | -------------------------------------------------------------------------------- /Azure Services/Dataverse/Queries/Request failures/API Pass Rate.kql: -------------------------------------------------------------------------------- 1 | // Author: aliyoussefi 2 | // Display name: Top 10 Failing Dependencies 3 | // Description: Summary of failing dependencies 4 | // Categories: Dataverse 5 | // Resource types: Dataverse 6 | // Topic: Other errors and failures 7 | 8 | dependencies 9 | | where timestamp > ago(7d) 10 | | where success == false 11 | | summarize 
['Failing Dependencies'] = count() by ['Dependency'] = name 12 | | top 10 by ['Failing Dependencies'] desc -------------------------------------------------------------------------------- /Azure Services/Dataverse/Queries/Request failures/Top 10 Failing Dependencies.kql: -------------------------------------------------------------------------------- 1 | // Author: aliyoussefi 2 | // Display name: Top 10 Failing Dependencies 3 | // Description: Summary of failing dependencies 4 | // Categories: Dataverse 5 | // Resource types: Dataverse 6 | // Topic: Other errors and failures 7 | 8 | dependencies 9 | | where timestamp > ago(7d) 10 | | where success == false 11 | | summarize ['Failing Dependencies'] = count() by ['Dependency'] = name 12 | | top 10 by ['Failing Dependencies'] desc -------------------------------------------------------------------------------- /Azure Services/Dataverse/Workbooks/README: -------------------------------------------------------------------------------- 1 | Put workbooks in this folder -------------------------------------------------------------------------------- /Azure Services/Event Grid Domains/Alerts/README: -------------------------------------------------------------------------------- 1 | Put alerts in this folder -------------------------------------------------------------------------------- /Azure Services/Event Grid Domains/Queries/README: -------------------------------------------------------------------------------- 1 | Put queries in this folder -------------------------------------------------------------------------------- /Azure Services/Event Grid Domains/Workbooks/README: -------------------------------------------------------------------------------- 1 | Put workbooks in this folder -------------------------------------------------------------------------------- /Azure Services/Event Grid Topics/Alerts/README: -------------------------------------------------------------------------------- 1 | Put alerts in this 
folder -------------------------------------------------------------------------------- /Azure Services/Event Grid Topics/Queries/README: -------------------------------------------------------------------------------- 1 | Put queries in this folder -------------------------------------------------------------------------------- /Azure Services/Event Grid Topics/Workbooks/README: -------------------------------------------------------------------------------- 1 | Put workbooks in this folder -------------------------------------------------------------------------------- /Azure Services/Event Hubs/Alerts/README: -------------------------------------------------------------------------------- 1 | Put alerts in this folder -------------------------------------------------------------------------------- /Azure Services/Event Hubs/Queries/Errors/Access to keyvault key not found.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Access to keyvault - key not found 3 | // Description: Summarizes the access to keyvault when key is not found. 4 | // Categories: Azure Resources 5 | // Resource types: Event Hubs 6 | // Topic: Errors 7 | 8 | AzureDiagnostics 9 | | where ResourceProvider == "MICROSOFT.EVENTHUB" 10 | | where Category == "Error" and OperationName == "wrapkey" 11 | | project Message -------------------------------------------------------------------------------- /Azure Services/Event Hubs/Queries/Errors/Duration of Capture failure.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Duration of Capture failure 3 | // Description: Summarizes the duration of failure on Capture. 
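// Categories: Azure Resources
// Resource types: Event Hubs
// Topic: Errors

AzureDiagnostics
| where ResourceProvider == "MICROSOFT.EVENTHUB"
| where Category == "ArchiveLogs"
// Group by the Capture log columns themselves. The original grouped by the
// string literals "failures" and "durationInSeconds"; a quoted name is a
// constant, so every row landed in a single group and the result was one row.
// NOTE(review): AzureDiagnostics flattens custom properties with a type suffix
// (numeric values get _d); confirm these column names against the workspace schema.
| summarize count() by failures_d, durationInSeconds_d
--------------------------------------------------------------------------------
/Azure Services/Event Hubs/Queries/Errors/Errors in the last 7 days.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Errors in the last 7 days
// Description: This lists all the errors for the last 7 days.
// Categories: Azure Resources
// Resource types: Event Hubs
// Topic: Errors

AzureDiagnostics
| where TimeGenerated > ago(7d)
| where ResourceProvider == "MICROSOFT.EVENTHUB"
// NOTE(review): the description says "errors", but the filter selects the
// OperationalLogs category; confirm this is the intended category and add a
// Level/Status filter if only failed operations are wanted.
| where Category == "OperationalLogs"
// Group by the EventName column, not the literal string "EventName" (a constant,
// which collapses the output to one row). NOTE(review): confirm the _s suffix
// matches your workspace schema.
| summarize count() by EventName_s
--------------------------------------------------------------------------------
/Azure Services/Event Hubs/Queries/Kafka/Join request for client.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Join request for client
// Description: Summarizes the status of join request for client.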
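// Categories: Azure Resources
// Resource types: Event Hubs
// Topic: Kafka

AzureDiagnostics // Need to turn on the Capture for this
| where ResourceProvider == "MICROSOFT.EVENTHUB"
// NOTE(review): nothing here narrows the rows to Kafka join requests, so this
// returns the operation name of every Event Hubs diagnostic row; add a Category /
// OperationName filter once the values for join requests are confirmed in your logs.
// Project the OperationName column, not the literal string "OperationName",
// which produced a column holding the same constant on every row.
| project OperationName
--------------------------------------------------------------------------------
/Azure Services/Event Hubs/Queries/README:
--------------------------------------------------------------------------------
Put queries in this folder
--------------------------------------------------------------------------------
/Azure Services/Event Hubs/Queries/Usage/Operation performed with keyvault.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Operation performed with keyvault
// Description: Summarizes the operation performed with keyvault to disable or restore the key.
// Categories: Azure Resources
// Resource types: Event Hubs
// Topic: Usage

AzureDiagnostics
| where ResourceProvider == "MICROSOFT.EVENTHUB"
// `and` binds tighter than `or`, so the original
//   Category == "info" and OperationName == "disable" or OperationName == "restore"
// also matched "restore" rows from every other category. The description wants
// both key operations within the "info" category, which `in` expresses without
// the precedence ambiguity.
| where Category == "info" and OperationName in ("disable", "restore")
| project Message
--------------------------------------------------------------------------------
/Azure Services/Event Hubs/Workbooks/README:
--------------------------------------------------------------------------------
Put workbooks in this folder
--------------------------------------------------------------------------------
/Azure Services/ExpressRoute circuits/Alerts/README:
--------------------------------------------------------------------------------
Put alerts in this folder
--------------------------------------------------------------------------------
/Azure Services/ExpressRoute circuits/Queries/Diagnostics/BGP informational messages.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: BGP informational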
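messages
// Description: BGP informational messages by level, resource type and network.
// Categories: Network
// Resource types: ExpressRoute circuits
// Topic: Diagnostics

AzureDiagnostics
// AzureDiagnostics is shared by many resource providers; without this filter the
// query returned every Informational row in the workspace, not just ExpressRoute
// BGP messages. This is the same resource type the sibling "BGP route table"
// query filters on.
| where ResourceType == "EXPRESSROUTECIRCUITS"
| where Level == "Informational"
| project TimeGenerated, ResourceId, Level, ResourceType, network_s, path_s
--------------------------------------------------------------------------------
/Azure Services/ExpressRoute circuits/Queries/Diagnostics/BGP route table.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: BGP route table
// Description: BGP route table learned over last 12 hours.
// Categories: Network
// Resource types: ExpressRoute circuits
// Topic: Diagnostics

AzureDiagnostics
| where TimeGenerated > ago(12h)
| where ResourceType == "EXPRESSROUTECIRCUITS"
| project TimeGenerated, ResourceType, network_s, path_s, OperationName
--------------------------------------------------------------------------------
/Azure Services/ExpressRoute circuits/Queries/Diagnostics/ExpressRoute Circuit ArpAvailablility graph.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: ExpressRoute Circuit ArpAvailablility graph
// Description: Traffic graph for ArpAvailability (5 minutes).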
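// Categories: Azure Monitor,Network
// Resource types: ExpressRoute circuits
// Topic: Diagnostics

AzureMetrics
| where MetricName == "ArpAvailability"
// Aggregate the metric per 5-minute bin and resource. The original used
// `summarize by Average, bin(...), Resource`, which only de-duplicates rows and
// leaves several points per bin on the chart instead of one averaged value.
// The output column keeps the name Average so the chart series is unchanged.
| summarize Average = avg(Average) by bin(TimeGenerated, 5m), Resource
| render timechart
--------------------------------------------------------------------------------
/Azure Services/ExpressRoute circuits/Queries/Diagnostics/ExpressRoute Circuit BGP availability.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: ExpressRoute Circuit BGP availability
// Description: Traffic graph for BgpAvailability (5 minutes).
// Categories: Azure Monitor,Network
// Resource types: ExpressRoute circuits
// Topic: Diagnostics

AzureMetrics
| where MetricName == "BgpAvailability"
// Same fix as above: average the metric within each bin rather than grouping
// by its value.
| summarize Average = avg(Average) by bin(TimeGenerated, 5m), Resource
| render timechart
--------------------------------------------------------------------------------
/Azure Services/ExpressRoute circuits/Queries/Diagnostics/ExpressRoute Circuit BitsInPerSecond traffic graph.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: ExpressRoute Circuit BitsInPerSecond traffic graph
// Description: Traffic graph BitsInPerSecond (last one hour).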
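// Categories: Azure Monitor,Network
// Resource types: ExpressRoute circuits
// Topic: Diagnostics

AzureMetrics
| where MetricName == "BitsInPerSecond"
// Aggregate the metric per 1-hour bin and resource. The original used
// `summarize by Average, bin(...), Resource`, which only de-duplicates rows and
// leaves several points per bin on the chart instead of one averaged value.
// The output column keeps the name Average so the chart series is unchanged.
| summarize Average = avg(Average) by bin(TimeGenerated, 1h), Resource
| render timechart
--------------------------------------------------------------------------------
/Azure Services/ExpressRoute circuits/Queries/Diagnostics/ExpressRoute Circuit BitsOutPerSecond traffic graph.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: ExpressRoute Circuit BitsOutPerSecond traffic graph
// Description: Traffic graph BitsOutPerSecond (last one hour).
// Categories: Azure Monitor,Network
// Resource types: ExpressRoute circuits
// Topic: Diagnostics

AzureMetrics
| where MetricName == "BitsOutPerSecond"
// Same fix as above: average the metric within each bin rather than grouping
// by its value.
| summarize Average = avg(Average) by bin(TimeGenerated, 1h), Resource
| render timechart
--------------------------------------------------------------------------------
/Azure Services/ExpressRoute circuits/Queries/README:
--------------------------------------------------------------------------------
Put queries in this folder
--------------------------------------------------------------------------------
/Azure Services/ExpressRoute circuits/Workbooks/README:
--------------------------------------------------------------------------------
Put workbooks in this folder
--------------------------------------------------------------------------------
/Azure Services/Firewalls/Alerts/README:
--------------------------------------------------------------------------------
Put alerts in this folder
--------------------------------------------------------------------------------
/Azure Services/Firewalls/Queries/README:
--------------------------------------------------------------------------------
Put queries in this folder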
-------------------------------------------------------------------------------- /Azure Services/Firewalls/Workbooks/README: -------------------------------------------------------------------------------- 1 | Put workbooks in this folder -------------------------------------------------------------------------------- /Azure Services/Front Doors/Alerts/README: -------------------------------------------------------------------------------- 1 | Put alerts in this folder -------------------------------------------------------------------------------- /Azure Services/Front Doors/Queries/README: -------------------------------------------------------------------------------- 1 | Put queries in this folder -------------------------------------------------------------------------------- /Azure Services/Front Doors/Workbooks/README: -------------------------------------------------------------------------------- 1 | Put workbooks in this folder -------------------------------------------------------------------------------- /Azure Services/HDInsight Clusters/Alerts/README: -------------------------------------------------------------------------------- 1 | Put alerts in this folder -------------------------------------------------------------------------------- /Azure Services/HDInsight Clusters/Queries/README: -------------------------------------------------------------------------------- 1 | Put queries in this folder -------------------------------------------------------------------------------- /Azure Services/HDInsight Clusters/Workbooks/README: -------------------------------------------------------------------------------- 1 | Put workbooks in this folder -------------------------------------------------------------------------------- /Azure Services/IoT Hub/Alerts/README: -------------------------------------------------------------------------------- 1 | Put alerts in this folder -------------------------------------------------------------------------------- 
/Azure Services/IoT Hub/Queries/Errors/Connectvity errors.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Connectivity errors 3 | // Description: Identify device connection errors. 4 | // Categories: Azure Resources 5 | // Resource types: IoT Hub 6 | // Topic: Errors 7 | 8 | AzureDiagnostics 9 | | where ResourceProvider == "MICROSOFT.DEVICES" and ResourceType == "IOTHUBS" 10 | | where Category == "Connections" and Level == "Error" 11 | -------------------------------------------------------------------------------- /Azure Services/IoT Hub/Queries/Errors/Error summary.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Error summary 3 | // Description: Count of errors across all operations by type. 4 | // Categories: Azure Resources 5 | // Resource types: IoT Hub 6 | // Topic: Errors 7 | 8 | AzureDiagnostics 9 | | where ResourceProvider == "MICROSOFT.DEVICES" and ResourceType == "IOTHUBS" 10 | | where Level == "Error" 11 | | summarize count() by ResultType, ResultDescription, Category, _ResourceId -------------------------------------------------------------------------------- /Azure Services/IoT Hub/Queries/README: -------------------------------------------------------------------------------- 1 | Put queries in this folder -------------------------------------------------------------------------------- /Azure Services/IoT Hub/Workbooks/README: -------------------------------------------------------------------------------- 1 | Put workbooks in this folder -------------------------------------------------------------------------------- /Azure Services/Key vaults/Alerts/README: -------------------------------------------------------------------------------- 1 | Put alerts in this folder -------------------------------------------------------------------------------- /Azure Services/Key 
vaults/Queries/README: -------------------------------------------------------------------------------- 1 | Put queries in this folder -------------------------------------------------------------------------------- /Azure Services/Key vaults/Workbooks/README: -------------------------------------------------------------------------------- 1 | Put workbooks in this folder -------------------------------------------------------------------------------- /Azure Services/Kubernetes services/Alerts/README: -------------------------------------------------------------------------------- 1 | Put alerts in this folder -------------------------------------------------------------------------------- /Azure Services/Kubernetes services/Queries/Audit/Container Lifecycle Information.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Container Lifecycle Information 3 | // Description: List all of a container's lifecycle information. 4 | // Categories: Containers,Azure Resources 5 | // Resource types: Kubernetes services 6 | // Solutions: ContainerInsights 7 | // Topic: Audit 8 | 9 | ContainerInventory 10 | | project Computer, Name, Image, ImageTag, ContainerState, CreatedTime, StartedTime, FinishedTime 11 | | top 200 by FinishedTime desc -------------------------------------------------------------------------------- /Azure Services/Kubernetes services/Queries/Costing/Environment variable enriching.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Environment variable enriching 3 | // Description: View data ingested by environment variables per hour. 
4 | // Categories: Containers 5 | // Resource types: Kubernetes services 6 | // Solutions: ContainerInsights 7 | // Topic: Costing 8 | 9 | //Update the TimeGenerated to customize the timerange 10 | ContainerInventory 11 | | where TimeGenerated > ago(1h) 12 | | summarize envvarsMB = sum(string_size(EnvironmentVar)) / (1000. * 1000.) -------------------------------------------------------------------------------- /Azure Services/Kubernetes services/Queries/Diagnostics/Image inventory.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Image inventory 3 | // Description: Lists all the container image with their status. 4 | // Categories: Containers,Azure Resources 5 | // Resource types: Kubernetes services 6 | // Solutions: ContainerInsights 7 | // Topic: Diagnostics 8 | 9 | ContainerImageInventory 10 | | summarize AggregatedValue = count() by Image, ImageTag, Running, _ResourceId -------------------------------------------------------------------------------- /Azure Services/Kubernetes services/Queries/Diagnostics/Kubernetes events.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Kubernetes events 3 | // Description: Lists all the Kubernetes events. 
4 | // Categories: Containers,Azure Resources 5 | // Resource types: Kubernetes services 6 | // Solutions: ContainerInsights 7 | // Topic: Diagnostics 8 | 9 | KubeEvents 10 | | where TimeGenerated > ago(7d) 11 | | where not(isempty(Namespace)) 12 | | top 200 by TimeGenerated desc -------------------------------------------------------------------------------- /Azure Services/Kubernetes services/Queries/README: -------------------------------------------------------------------------------- 1 | Put queries in this folder -------------------------------------------------------------------------------- /Azure Services/Kubernetes services/Workbooks/README.md: -------------------------------------------------------------------------------- 1 | # Azure Kubernetes Workbook 2 | 3 | Requires that Azure Kubernetes is logging to a Log Analytics Workspace. There is also an additional tab for monitoring Azure Gateway Ingress Controller. The App Gateway must be logging to the same Log Analytics Workspace as Kubernetes in order to show up in the drop down. -------------------------------------------------------------------------------- /Azure Services/Log Analytics workspaces/Alerts/README: -------------------------------------------------------------------------------- 1 | Put alerts in this folder -------------------------------------------------------------------------------- /Azure Services/Log Analytics workspaces/Queries/Audit/Request Count by ResponseCode.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Request Count by ResponseCode 3 | // Description: Request count by response code within 1 min buckets in last 1 hour. 
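// Categories: Audit,Azure Monitor
// Resource types: Log Analytics workspaces
// Topic: Audit

LAQueryLogs
| where TimeGenerated > ago(1h)
| summarize count() by tostring(ResponseCode), bin(TimeGenerated, 1m)
| render columnchart with (kind=stacked)
--------------------------------------------------------------------------------
/Azure Services/Log Analytics workspaces/Queries/Audit/Throttled Users.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Throttled Users
// Description: Get a list of throttled users with their request count in last 24 hours.
// Categories: Audit,Azure Monitor
// Resource types: Log Analytics workspaces
// Topic: Audit

LAQueryLogs
// The description promises the last 24 hours; without this filter the count
// covers whatever time range the caller happens to select.
| where TimeGenerated > ago(24h)
// NOTE(review): ResponseCode is compared with a string literal here, while the
// query above wraps it in tostring(); confirm the column's type in your workspace.
| where ResponseCode == "429"
| summarize reqCount = count() by AADObjectId
| order by reqCount desc
--------------------------------------------------------------------------------
/Azure Services/Log Analytics workspaces/Queries/Audit/Top 10 resource intensive queries.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Top 10 resource intensive queries
// Description: Get top 10 resource intensive queries (based on CPU consumption) in last 24 hours.
// Categories: Audit,Azure Monitor
// Resource types: Log Analytics workspaces
// Topic: Audit

LAQueryLogs
// Restrict to the last 24 hours, as the description states.
| where TimeGenerated > ago(24h)
| top 10 by StatsCPUTimeMs desc nulls last
--------------------------------------------------------------------------------
/Azure Services/Log Analytics workspaces/Queries/Audit/Unauthorized Users.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Unauthorized Users
// Description: Get a list of unauthorized users with their request count in last 24 hours.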
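// Categories: Audit,Azure Monitor
// Resource types: Log Analytics workspaces
// Topic: Audit

LAQueryLogs
// The description in the header above states the last 24 hours; the sibling
// "Users who ran queries" query below applies the same window.
| where TimeGenerated > ago(24h)
// 403 rows are requests the workspace refused for lack of access; a high count
// for one AADObjectId is worth checking against the expected RBAC assignments.
| where ResponseCode == "403"
| summarize reqCount = count() by AADObjectId
| order by reqCount desc
--------------------------------------------------------------------------------
/Azure Services/Log Analytics workspaces/Queries/README:
--------------------------------------------------------------------------------
Put queries in this folder
--------------------------------------------------------------------------------
/Azure Services/Log Analytics workspaces/Queries/Usage/Users who ran queries.kql:
--------------------------------------------------------------------------------
// Author: Evgeny Ternovsky, Rafi Rabo
// Display name: Users who ran queries
// Description: Lists all users who ran any number of queries in the last 24 hours.
// Categories: Audit,Azure Monitor
// Resource types: Log Analytics workspaces
// Topic: Usage

LAQueryLogs
| where TimeGenerated > ago(24h)
| distinct AADEmail
--------------------------------------------------------------------------------
/Azure Services/Logic Apps/Alerts/README:
--------------------------------------------------------------------------------
Put alerts in this folder
--------------------------------------------------------------------------------
/Azure Services/Logic Apps/Queries/README:
--------------------------------------------------------------------------------
Put queries in this folder
--------------------------------------------------------------------------------
/Azure Services/Logic Apps/Workbooks/README:
--------------------------------------------------------------------------------
Put workbooks in this folder
--------------------------------------------------------------------------------
/Azure Services/Network Watcher - Connection Monitor/Alerts/README: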
-------------------------------------------------------------------------------- 1 | Put alerts in this folder -------------------------------------------------------------------------------- /Azure Services/Network Watcher - Connection Monitor/Queries/README: -------------------------------------------------------------------------------- 1 | Put queries in this folder -------------------------------------------------------------------------------- /Azure Services/Network Watcher - Connection Monitor/Workbooks/README: -------------------------------------------------------------------------------- 1 | Put workbooks in this folder -------------------------------------------------------------------------------- /Azure Services/Network Watcher - Connection Monitor/Workbooks/galleryTemplate/ConnectioMonitorStatus/connectionMonitorStatus.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/AzureMonitorCommunity/96bcca345b3621cb2840a9bc67664247d6cad828/Azure Services/Network Watcher - Connection Monitor/Workbooks/galleryTemplate/ConnectioMonitorStatus/connectionMonitorStatus.png -------------------------------------------------------------------------------- /Azure Services/Network Watcher/Alerts/README: -------------------------------------------------------------------------------- 1 | Put alerts in this folder -------------------------------------------------------------------------------- /Azure Services/Network Watcher/Queries/README: -------------------------------------------------------------------------------- 1 | Put queries in this folder -------------------------------------------------------------------------------- /Azure Services/Network Watcher/Workbooks/NSG Flow Log/readme.md: -------------------------------------------------------------------------------- 1 | # v1.1 2021-04-14 2 | 3 | # Installation to your workbook 4 | ---- 5 | 1. 
Copy & Paste "NSG Flow Log Analysis.workbook" to your workbook 6 | 2. Select a workspace 7 | ![workspace](https://user-images.githubusercontent.com/32254293/114658217-6f845f00-9d2c-11eb-9c43-bf064970d181.png) 8 | 9 | 3. Explore your data! 10 | ![3 functions](https://user-images.githubusercontent.com/32254293/113842500-ace96980-97cd-11eb-90f3-a1115206aaf7.gif) -------------------------------------------------------------------------------- /Azure Services/Network Watcher/Workbooks/README: -------------------------------------------------------------------------------- 1 | Put workbooks in this folder -------------------------------------------------------------------------------- /Azure Services/Power Platform/Power Automate/Dashboards/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/AzureMonitorCommunity/96bcca345b3621cb2840a9bc67664247d6cad828/Azure Services/Power Platform/Power Automate/Dashboards/README.md -------------------------------------------------------------------------------- /Azure Services/Power Platform/Power Automate/Queries/Analytics/Types of cloud flows in use.kql: -------------------------------------------------------------------------------- 1 | // Author: aliyoussefi 2 | // Display name: Display types of triggers used over a span of time 3 | // Description: Summary of Power Automate triggers by trigger type over a time span. 
4 | // Categories: Power Platform 5 | // Resource types: Power Automate 6 | // Topic: Usage Analytics 7 | 8 | dependencies 9 | | where timestamp {_TimeRange:value} 10 | | where type == "Cloud Flow/Cloud flow triggers" 11 | | summarize count() by name -------------------------------------------------------------------------------- /Azure Services/Recovery Services vaults/Alerts/README: -------------------------------------------------------------------------------- 1 | Put alerts in this folder -------------------------------------------------------------------------------- /Azure Services/Recovery Services vaults/Queries/Jobs/All Failed Jobs.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: All Failed Jobs 3 | // Description: View all failed jobs in the selected time range. 4 | // Categories: Audit 5 | // Resource types: Recovery Services vaults 6 | // Topic: Jobs 7 | 8 | AddonAzureBackupJobs 9 | | summarize arg_max(TimeGenerated,*) by JobUniqueId 10 | | where JobStatus == "Failed" -------------------------------------------------------------------------------- /Azure Services/Recovery Services vaults/Queries/Jobs/All Successful Jobs.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: All Successful Jobs 3 | // Description: View all successful jobs in the selected time range. 
4 | // Categories: Audit 5 | // Resource types: Recovery Services vaults 6 | // Topic: Jobs 7 | 8 | AddonAzureBackupJobs 9 | | summarize arg_max(TimeGenerated,*) by JobUniqueId 10 | | where JobStatus == "Completed" -------------------------------------------------------------------------------- /Azure Services/Recovery Services vaults/Queries/README: -------------------------------------------------------------------------------- 1 | Put queries in this folder -------------------------------------------------------------------------------- /Azure Services/Recovery Services vaults/Workbooks/README: -------------------------------------------------------------------------------- 1 | Put workbooks in this folder -------------------------------------------------------------------------------- /Azure Services/SQL Servers/Alerts/README: -------------------------------------------------------------------------------- 1 | Put alerts in this folder -------------------------------------------------------------------------------- /Azure Services/SQL Servers/Workbooks/README: -------------------------------------------------------------------------------- 1 | Put workbooks in this folder -------------------------------------------------------------------------------- /Azure Services/SQL databases/Alerts/README: -------------------------------------------------------------------------------- 1 | Put alerts in this folder -------------------------------------------------------------------------------- /Azure Services/SQL databases/Queries/README: -------------------------------------------------------------------------------- 1 | Put queries in this folder -------------------------------------------------------------------------------- /Azure Services/SQL databases/Workbooks/ADS/ADS.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/AzureMonitorCommunity/96bcca345b3621cb2840a9bc67664247d6cad828/Azure 
Services/SQL databases/Workbooks/ADS/ADS.PNG -------------------------------------------------------------------------------- /Azure Services/SQL databases/Workbooks/README: -------------------------------------------------------------------------------- 1 | Put workbooks in this folder -------------------------------------------------------------------------------- /Azure Services/SQL managed instances/Alerts/README: -------------------------------------------------------------------------------- 1 | Put alerts in this folder -------------------------------------------------------------------------------- /Azure Services/SQL managed instances/Queries/README: -------------------------------------------------------------------------------- 1 | Put queries in this folder -------------------------------------------------------------------------------- /Azure Services/SQL managed instances/Workbooks/README: -------------------------------------------------------------------------------- 1 | Put workbooks in this folder -------------------------------------------------------------------------------- /Azure Services/Service Bus/Alerts/README: -------------------------------------------------------------------------------- 1 | Put alerts in this folder -------------------------------------------------------------------------------- /Azure Services/Service Bus/Queries/Diagnostics/Keyvault access attempt key not found.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Keyvault access attempt - key not found 3 | // Description: Summarizes Key Vault access attempts where the key was not found. 
4 | // Categories: Security 5 | // Resource types: Service Bus 6 | // Topic: Diagnostics 7 | 8 | AzureDiagnostics 9 | | where ResourceProvider == "MICROSOFT.SERVICEBUS" 10 | | where Category == "Error" and OperationName == "wrapkey" 11 | | project Message, _ResourceId -------------------------------------------------------------------------------- /Azure Services/Service Bus/Queries/Diagnostics/Management operations in the last 7 days.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Management operations in the last 7 days 3 | // Description: This lists all the management calls for the last 7 days. 4 | // Categories: Azure Monitor 5 | // Resource types: Service Bus 6 | // Topic: Diagnostics 7 | 8 | AzureDiagnostics 9 | | where TimeGenerated > ago(7d) 10 | | where ResourceProvider =="MICROSOFT.SERVICEBUS" 11 | | where Category == "OperationalLogs" 12 | | summarize count() by EventName_s, _ResourceId -------------------------------------------------------------------------------- /Azure Services/Service Bus/Queries/Errors/Errors summary.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Errors summary 3 | // Description: Summarizes all the errors seen in the last 7 days. 
4 | // Categories: Azure Monitor 5 | // Resource types: Service Bus 6 | // Topic: Errors 7 | 8 | AzureDiagnostics 9 | | where TimeGenerated > ago(7d) 10 | | where ResourceProvider =="MICROSOFT.SERVICEBUS" 11 | | where Category == "Error" 12 | | summarize count() by EventName_s, _ResourceId -------------------------------------------------------------------------------- /Azure Services/Service Bus/Queries/README: -------------------------------------------------------------------------------- 1 | Put queries in this folder -------------------------------------------------------------------------------- /Azure Services/Service Bus/Queries/Security/Keyvault performed operational.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Keyvault performed operational 3 | // Description: Summarizes the Key Vault operations performed to disable or restore the key. 4 | // Categories: Security 5 | // Resource types: Service Bus 6 | // Topic: Security 7 | 8 | AzureDiagnostics 9 | | where ResourceProvider == "MICROSOFT.SERVICEBUS" 10 | | where (Category == "info" and (OperationName == "disable" or OperationName == "restore")) 11 | | project Message, _ResourceId -------------------------------------------------------------------------------- /Azure Services/Service Bus/Queries/Usage/AutoDeleted entities.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: AutoDeleted entities 3 | // Description: Summary of all the entities that have been auto-deleted. 
4 | // Categories: Audit 5 | // Resource types: Service Bus 6 | // Topic: Usage 7 | 8 | AzureDiagnostics 9 | | where ResourceProvider == "MICROSOFT.SERVICEBUS" 10 | | where Category == "OperationalLogs" 11 | | where EventName_s startswith "AutoDelete" 12 | | summarize count() by EventName_s, _ResourceId -------------------------------------------------------------------------------- /Azure Services/Service Bus/Workbooks/README: -------------------------------------------------------------------------------- 1 | Put workbooks in this folder -------------------------------------------------------------------------------- /Azure Services/Storage accounts/Alerts/README: -------------------------------------------------------------------------------- 1 | Put alerts in this folder -------------------------------------------------------------------------------- /Azure Services/Storage accounts/Queries/Audit/Frequent operations chart.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Frequent operations chart 3 | // Description: A pie chart of operations used over the last 3 days. 4 | // Categories: IT & Management Tools 5 | // Resource types: Storage accounts 6 | // Topic: Audit 7 | 8 | StorageBlobLogs 9 | | where TimeGenerated > ago(3d) 10 | | summarize count() by OperationName 11 | | sort by count_ desc 12 | | render piechart -------------------------------------------------------------------------------- /Azure Services/Storage accounts/Queries/Audit/Show anonymous requests.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Show anonymous requests 3 | // Description: List all requests with anonymous access over the last 3 days. 
4 | // Categories: IT & Management Tools 5 | // Resource types: Storage accounts 6 | // Topic: Audit 7 | 8 | StorageBlobLogs 9 | | where TimeGenerated > ago(3d) and AuthenticationType == "Anonymous" 10 | | project TimeGenerated, OperationName, AuthenticationType, Uri -------------------------------------------------------------------------------- /Azure Services/Storage accounts/Queries/Errors/Most common errors.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Most common errors 3 | // Description: List 10 most common errors over the last 3 days. 4 | // Categories: IT & Management Tools 5 | // Resource types: Storage accounts 6 | // Topic: Errors 7 | 8 | StorageBlobLogs 9 | | where TimeGenerated > ago(3d) and StatusText !contains "Success" 10 | | summarize count() by StatusText 11 | | top 10 by count_ desc -------------------------------------------------------------------------------- /Azure Services/Storage accounts/Queries/Errors/Operations causing most errors.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Operations causing most errors 3 | // Description: List top 10 operations causing the most errors over the last 3 days. 
4 | // Categories: IT & Management Tools 5 | // Resource types: Storage accounts 6 | // Topic: Errors 7 | 8 | StorageBlobLogs 9 | | where TimeGenerated > ago(3d) and StatusText !contains "Success" 10 | | summarize count() by OperationName 11 | | top 10 by count_ desc -------------------------------------------------------------------------------- /Azure Services/Storage accounts/Queries/Errors/Operations causing server side throttling.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Operations causing server side throttling 3 | // Description: List all operations causing server side throttling errors over the last 3 days. 4 | // Categories: IT & Management Tools 5 | // Resource types: Storage accounts 6 | // Topic: Errors 7 | 8 | StorageBlobLogs 9 | | where TimeGenerated > ago(3d) and StatusText contains "ServerBusy" 10 | | project TimeGenerated, OperationName, StatusCode, StatusText -------------------------------------------------------------------------------- /Azure Services/Storage accounts/Queries/README: -------------------------------------------------------------------------------- 1 | Put queries in this folder -------------------------------------------------------------------------------- /Azure Services/Storage accounts/Workbooks/README: -------------------------------------------------------------------------------- 1 | Put workbooks in this folder -------------------------------------------------------------------------------- /Azure Services/Stream Analytics jobs/Alerts/README: -------------------------------------------------------------------------------- 1 | Put alerts in this folder -------------------------------------------------------------------------------- /Azure Services/Stream Analytics jobs/Queries/README: -------------------------------------------------------------------------------- 1 | Put queries in this folder 
-------------------------------------------------------------------------------- /Azure Services/Stream Analytics jobs/Workbooks/README: -------------------------------------------------------------------------------- 1 | Put workbooks in this folder -------------------------------------------------------------------------------- /Azure Services/Traffic Manager profiles/Alerts/README: -------------------------------------------------------------------------------- 1 | Put alerts in this folder -------------------------------------------------------------------------------- /Azure Services/Traffic Manager profiles/Queries/README: -------------------------------------------------------------------------------- 1 | Put queries in this folder -------------------------------------------------------------------------------- /Azure Services/Traffic Manager profiles/Workbooks/README: -------------------------------------------------------------------------------- 1 | Put workbooks in this folder -------------------------------------------------------------------------------- /Azure Services/Virtual Network Gateways/Alerts/README: -------------------------------------------------------------------------------- 1 | Put alerts in this folder -------------------------------------------------------------------------------- /Azure Services/Virtual Network Gateways/Queries/Diagnostics/BGP route updates.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: BGP route updates 3 | // Description: BGP route updates over the last 24 hours. 
4 | // Categories: Network 5 | // Resource types: Virtual Network Gateways 6 | // Topic: Diagnostics 7 | 8 | AzureDiagnostics 9 | | where TimeGenerated > ago(24h) 10 | | where Category == "RouteDiagnosticLog" and OperationName == "BgpRouteUpdate" -------------------------------------------------------------------------------- /Azure Services/Virtual Network Gateways/Queries/Diagnostics/Failed P2S connections.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Failed P2S connections 3 | // Description: Failed P2S connections in the last 12 hours. 4 | // Categories: Network 5 | // Resource types: Virtual Network Gateways 6 | // Topic: Diagnostics 7 | 8 | AzureDiagnostics 9 | | where TimeGenerated > ago(12h) 10 | | where Category == "P2SDiagnosticLog" and Message has "Connection failed" 11 | | project TimeGenerated, Resource ,Message -------------------------------------------------------------------------------- /Azure Services/Virtual Network Gateways/Queries/Diagnostics/Successful P2S connections.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Successful P2S connections 3 | // Description: Successful P2S connections in the last 12 hours. 
4 | // Categories: Network 5 | // Resource types: Virtual Network Gateways 6 | // Topic: Diagnostics 7 | 8 | AzureDiagnostics 9 | | where TimeGenerated > ago(12h) 10 | | where Category == "P2SDiagnosticLog" and Message has "Connection successful" 11 | | project TimeGenerated, Resource ,Message -------------------------------------------------------------------------------- /Azure Services/Virtual Network Gateways/Queries/Performance/Gateway throughput.kql: -------------------------------------------------------------------------------- 1 | 2 | // Author: Microsoft Azure 3 | // Display name: Gateway throughput 4 | // Description: Aggregate gateway throughput in Bytes/sec. 5 | // Categories: Network 6 | // Resource types: Virtual Network Gateways 7 | // Topic: Performance 8 | AzureMetrics 9 | | where TimeGenerated > ago(24h) 10 | | where MetricName == "AverageBandwidth" 11 | | summarize by Average, bin(TimeGenerated, 1h), Resource 12 | | render timechart -------------------------------------------------------------------------------- /Azure Services/Virtual Network Gateways/Queries/Performance/P2S bandwidth utilization.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: P2S bandwidth utilization 3 | // Description: Average P2S bandwidth utilization during the last 12 hours in bits/second. 
4 | // Categories: Network 5 | // Resource types: Virtual Network Gateways 6 | // Topic: Performance 7 | 8 | AzureMetrics 9 | | where TimeGenerated > ago(24h) 10 | | where MetricName == "P2SBandwidth" 11 | | summarize by Average, bin(TimeGenerated, 1h), Resource 12 | | render timechart -------------------------------------------------------------------------------- /Azure Services/Virtual Network Gateways/Queries/Performance/P2S connection count.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: P2S connection count 3 | // Description: Active P2S connection count for the last 30 days. 4 | // Categories: Network 5 | // Resource types: Virtual Network Gateways 6 | // Topic: Performance 7 | 8 | AzureMetrics 9 | | where TimeGenerated > ago(30d) 10 | | where MetricName == "P2SConnectionCount" 11 | | summarize by Maximum, bin(TimeGenerated,1h), Resource 12 | | render timechart 13 | -------------------------------------------------------------------------------- /Azure Services/Virtual Network Gateways/Queries/README: -------------------------------------------------------------------------------- 1 | Put queries in this folder -------------------------------------------------------------------------------- /Azure Services/Virtual Network Gateways/Queries/VPN Gateway/BGP route updates.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: BGP route updates 3 | // Description: BGP route updates over the last 24 hours. 
4 | // Categories: Network 5 | // Resource types: Virtual Network Gateways 6 | // Topic: VPN Gateway 7 | 8 | AzureDiagnostics 9 | | where TimeGenerated > ago(24h) 10 | | where Category == "RouteDiagnosticLog" and OperationName == "BgpRouteUpdate" -------------------------------------------------------------------------------- /Azure Services/Virtual Network Gateways/Queries/VPN Gateway/Failed P2S connections.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Failed P2S connections 3 | // Description: Failed P2S connections in the last 12 hours. 4 | // Categories: Network 5 | // Resource types: Virtual Network Gateways 6 | // Topic: VPN Gateway 7 | 8 | AzureDiagnostics 9 | | where TimeGenerated > ago(12h) 10 | | where Category == "P2SDiagnosticLog" and Message has "Connection failed" 11 | | project TimeGenerated, Resource ,Message -------------------------------------------------------------------------------- /Azure Services/Virtual Network Gateways/Queries/VPN Gateway/Gateway throughput.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Gateway throughput 3 | // Description: Aggregate gateway throughput in Bytes/sec. 
4 | // Categories: Network 5 | // Resource types: Virtual Network Gateways 6 | // Topic: VPN Gateway 7 | 8 | AzureMetrics 9 | | where TimeGenerated > ago(24h) 10 | | where MetricName == "AverageBandwidth" 11 | | summarize by Average, bin(TimeGenerated, 1h), Resource 12 | | render timechart -------------------------------------------------------------------------------- /Azure Services/Virtual Network Gateways/Queries/VPN Gateway/P2S bandwidth utilization.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: P2S bandwidth utilization 3 | // Description: Average P2S bandwidth utilization during the last 12 hours in bits/second. 4 | // Categories: Network 5 | // Resource types: Virtual Network Gateways 6 | // Topic: VPN Gateway 7 | 8 | AzureMetrics 9 | | where TimeGenerated > ago(24h) 10 | | where MetricName == "P2SBandwidth" 11 | | summarize by Average, bin(TimeGenerated, 1h), Resource 12 | | render timechart -------------------------------------------------------------------------------- /Azure Services/Virtual Network Gateways/Queries/VPN Gateway/P2S connection count.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: P2S connection count 3 | // Description: Active P2S connection count for the last 30 days. 
4 | // Categories: Network 5 | // Resource types: Virtual Network Gateways 6 | // Topic: VPN Gateway 7 | 8 | AzureMetrics 9 | | where TimeGenerated > ago(30d) 10 | | where MetricName == "P2SConnectionCount" 11 | | summarize by Maximum, bin(TimeGenerated,1h), Resource 12 | | render timechart -------------------------------------------------------------------------------- /Azure Services/Virtual Network Gateways/Queries/VPN Gateway/Successful P2S connections.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Successful P2S connections 3 | // Description: Successful P2S connections in the last 12 hours. 4 | // Categories: Network 5 | // Resource types: Virtual Network Gateways 6 | // Topic: VPN Gateway 7 | 8 | AzureDiagnostics 9 | | where TimeGenerated > ago(12h) 10 | | where Category == "P2SDiagnosticLog" and Message has "Connection successful" 11 | | project TimeGenerated, Resource ,Message -------------------------------------------------------------------------------- /Azure Services/Virtual Network Gateways/Workbooks/README: -------------------------------------------------------------------------------- 1 | Put workbooks in this folder -------------------------------------------------------------------------------- /Azure Services/Virtual Network/Alerts/readme.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/AzureMonitorCommunity/96bcca345b3621cb2840a9bc67664247d6cad828/Azure Services/Virtual Network/Alerts/readme.md -------------------------------------------------------------------------------- /Azure Services/Virtual Network/Queries/readme.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/AzureMonitorCommunity/96bcca345b3621cb2840a9bc67664247d6cad828/Azure Services/Virtual Network/Queries/readme.md 
-------------------------------------------------------------------------------- /Azure Services/Virtual Network/Workbooks/Virtual Network list/README.md: -------------------------------------------------------------------------------- 1 | # Installation to your workbook 2 | ---- 3 | 1. Copy & Paste "NSG Flow Log Analysis.workbook" to your workbook 4 | 5 | 2. Explore your data! 6 | ![data](https://user-images.githubusercontent.com/32254293/114487058-e39a0680-9c49-11eb-9a7c-aa8dbc7462ee.png)

7 | ![virtualNetwork](https://user-images.githubusercontent.com/32254293/114486658-417a1e80-9c49-11eb-8055-3e04f7f63a23.gif) -------------------------------------------------------------------------------- /Azure Services/Virtual machine scale sets/Alerts/README: -------------------------------------------------------------------------------- 1 | Put alerts in this folder -------------------------------------------------------------------------------- /Azure Services/Virtual machine scale sets/Queries/Performance/What data is being collected.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: What data is being collected? 3 | // Description: List the collected performance counters and object types. 4 | // Categories: Virtual Machines 5 | // Resource types: Virtual machine scale sets 6 | // Topic: Performance 7 | 8 | InsightsMetrics 9 | | where Origin == "vm.azm.ms" 10 | | summarize by Namespace, Name -------------------------------------------------------------------------------- /Azure Services/Virtual machine scale sets/Queries/README: -------------------------------------------------------------------------------- 1 | Put queries in this folder -------------------------------------------------------------------------------- /Azure Services/Virtual machine scale sets/Workbooks/README: -------------------------------------------------------------------------------- 1 | Put workbooks in this folder -------------------------------------------------------------------------------- /Azure Services/Virtual machines/Alerts/Check running process by name.kql: -------------------------------------------------------------------------------- 1 | // Author: Rafael Canto @ KXP Consulting 2 | // Display name: Check running process by name 3 | // Description: Query a process by name (can be used to verify that it is running). The example uses mysqld and can be used to monitor that service. 
4 | // Categories: virtual machines,resources 5 | // Resource types: Virtual Machines 6 | // Topic: Alert 7 | 8 | VMProcess 9 | | where TimeGenerated > ago(1h) and DisplayName == "mysqld" -------------------------------------------------------------------------------- /Azure Services/Virtual machines/Alerts/README: -------------------------------------------------------------------------------- 1 | Put alerts in this folder -------------------------------------------------------------------------------- /Azure Services/Virtual machines/Queries/Availability/Not reporting VMs.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Not reporting VMs 3 | // Description: VMs that have not reported a heartbeat in the last 5 minutes. 4 | // Categories: Virtual Machines 5 | // Resource types: Virtual machines 6 | // Topic: Availability 7 | 8 | Heartbeat 9 | | where TimeGenerated > ago(24h) 10 | | summarize LastCall = max(TimeGenerated) by Computer, _ResourceId 11 | | where LastCall < ago(5m) -------------------------------------------------------------------------------- /Azure Services/Virtual machines/Queries/Availability/Shut down Virtual Machines.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Shut down Virtual Machines 3 | // Description: Virtual Machines successfully shut down in the last 10 minutes. 
4 | // Categories: Virtual Machines 5 | // Resource types: Virtual machines 6 | // Topic: Availability 7 | 8 | AzureActivity 9 | | where TimeGenerated > ago(10m) 10 | | where OperationName == "Deallocate Virtual Machine" and ActivityStatus == "Succeeded" -------------------------------------------------------------------------------- /Azure Services/Virtual machines/Queries/Diagnostics/Automatic update configuration is disabled.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Automatic update configuration is disabled 3 | // Description: Computers with automatic update disabled. 4 | // Categories: IT & Management Tools 5 | // Resource types: Virtual machines 6 | // Solutions: Updates 7 | // Topic: Diagnostics 8 | 9 | UpdateSummary 10 | | where WindowsUpdateSetting == "Manual" 11 | | sort by TimeGenerated desc -------------------------------------------------------------------------------- /Azure Services/Virtual machines/Queries/Diagnostics/Automatic update configuration.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Automatic update configuration 3 | // Description: Automatic update configuration. 4 | // Categories: IT & Management Tools 5 | // Resource types: Virtual machines 6 | // Solutions: Updates 7 | // Topic: Diagnostics 8 | 9 | UpdateSummary 10 | | summarize AggregatedValue = count() by WindowsUpdateSetting, Computer, _ResourceId -------------------------------------------------------------------------------- /Azure Services/Virtual machines/Queries/Diagnostics/Distinct missing updates cross computers.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Distinct missing updates cross computers 3 | // Description: Distinct missing updates across all computers. 
4 | // Categories: IT & Management Tools 5 | // Resource types: Virtual machines 6 | // Solutions: Updates 7 | // Topic: Diagnostics 8 | 9 | Update 10 | | where OSType != "Linux" and UpdateState == "Needed" and Optional == "false" 11 | | distinct Title, Computer, _ResourceId -------------------------------------------------------------------------------- /Azure Services/Virtual machines/Queries/Diagnostics/Find Linux kernel events.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Find Linux kernel events 3 | // Description: Find events reported by Linux kernel process, regarding killed processes. 4 | // Categories: Virtual Machines 5 | // Resource types: Virtual machines 6 | // Topic: Diagnostics 7 | 8 | Syslog 9 | | where ProcessName == "kernel" and SyslogMessage contains "Killed process" -------------------------------------------------------------------------------- /Azure Services/Virtual machines/Queries/Diagnostics/Malware detection.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Malware detection 3 | // Description: Malware detected grouped by threat. 4 | // Categories: Security 5 | // Resource types: Virtual machines 6 | // Solutions: AntiMalware 7 | // Topic: Diagnostics 8 | 9 | ProtectionStatus 10 | | where ThreatStatus != "No threats detected" 11 | | summarize AggregatedValue = count() by Threat, Computer, _ResourceId -------------------------------------------------------------------------------- /Azure Services/Virtual machines/Queries/Diagnostics/Missing update specific product.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Missing update specific product 3 | // Description: WSUS computer membership. 
4 | // Categories: IT & Management Tools 5 | // Resource types: Virtual machines 6 | // Solutions: Updates 7 | // Topic: Diagnostics 8 | 9 | UpdateSummary 10 | | summarize AggregatedValue = count() by WSUSServer, Computer, _ResourceId -------------------------------------------------------------------------------- /Azure Services/Virtual machines/Queries/Diagnostics/Protection Status updates.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Protection Status updates 3 | // Description: Protection Status updates per day. 4 | // Categories: Security 5 | // Resource types: Virtual machines 6 | // Solutions: AntiMalware 7 | // Topic: Diagnostics 8 | 9 | ProtectionStatus 10 | | summarize AggregatedValue = count(ScanDate) by bin(TimeGenerated, 1d), Computer, _ResourceId 11 | | sort by TimeGenerated desc -------------------------------------------------------------------------------- /Azure Services/Virtual machines/Queries/Diagnostics/Search in multiple tables.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Search in multiple tables 3 | // Description: Search both Syslog and Event tables for the term "login". 4 | // Categories: Virtual Machines 5 | // Resource types: Virtual machines 6 | // Topic: Diagnostics 7 | 8 | search in (Syslog, Event) "login" 9 | | where TimeGenerated > ago(1h) // return records from the last hour -------------------------------------------------------------------------------- /Azure Services/Virtual machines/Queries/Diagnostics/Signatures out of date.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Signatures out of date 3 | // Description: Devices with Signatures out of date. 
4 | // Categories: Security 5 | // Resource types: Virtual machines 6 | // Solutions: AntiMalware 7 | // Topic: Diagnostics 8 | 9 | ProtectionStatus 10 | | summarize Rank = max(ProtectionStatusRank) by Computer, _ResourceId 11 | | where Rank == "250" -------------------------------------------------------------------------------- /Azure Services/Virtual machines/Queries/Diagnostics/Using wildcards.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Using wild-cards 3 | // Description: Search for terms that follow the pattern "corp*.com". 4 | // Categories: Virtual Machines 5 | // Resource types: Virtual machines 6 | // Topic: Diagnostics 7 | 8 | search in (Event) "corp*.com" // Search terms that follow the pattern "corp"-something-".com", such as "corp.mydomain.com" 9 | | take 50 // return only 50 results (not guaranteed to be the latest) -------------------------------------------------------------------------------- /Azure Services/Virtual machines/Queries/Performance/What data is being collected.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: What data is being collected? 
3 | // Description: List the collected performance counters and object types (Process, Memory, Processor…) 4 | // Categories: Virtual Machines 5 | // Resource types: Virtual machines 6 | // Topic: Performance 7 | 8 | Perf 9 | | summarize by ObjectName, CounterName -------------------------------------------------------------------------------- /Azure Services/Virtual machines/Queries/README: -------------------------------------------------------------------------------- 1 | Put queries in this folder -------------------------------------------------------------------------------- /Azure Services/Virtual machines/Queries/Security/Linux failed logins.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Linux failed logins 3 | // Description: Find reports of Linux accounts that failed to login. 4 | // Categories: Virtual Machines,Security 5 | // Resource types: Virtual machines 6 | // Topic: Security 7 | 8 | LinuxAuditLog 9 | | where RecordType == 'user_login' and res != 'success' 10 | | summarize count() by acct // count the reported security events for each account 11 | // This query requires the Security solution -------------------------------------------------------------------------------- /Azure Services/Virtual machines/Queries/Security/Windows failed logins.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Windows failed logins 3 | // Description: Find reports of Windows accounts that failed to login. 
4 | // Categories: Virtual Machines,Security 5 | // Resource types: Virtual machines 6 | // Topic: Security 7 | 8 | SecurityEvent 9 | | where EventID == 4625 10 | | summarize count() by TargetAccount, Computer, _ResourceId // count the reported security events for each account 11 | // This query requires the Security solution -------------------------------------------------------------------------------- /Azure Services/Windows Virtual Desktop - Application groups/Alerts/README: -------------------------------------------------------------------------------- 1 | Put alerts in this folder -------------------------------------------------------------------------------- /Azure Services/Windows Virtual Desktop - Application groups/Queries/README: -------------------------------------------------------------------------------- 1 | Put queries in this folder -------------------------------------------------------------------------------- /Azure Services/Windows Virtual Desktop - Application groups/Workbooks/README: -------------------------------------------------------------------------------- 1 | Put workbooks in this folder -------------------------------------------------------------------------------- /Azure Services/Windows Virtual Desktop - FSLogix/Queries/Event log/Eventlog Parsing.kql: -------------------------------------------------------------------------------- 1 | // Author: Billy York www.cloudsma.com 2 | // Display name: FSLogix Profile Event Log 3 | // Description: parsing the FSLogix Event Log 4 | // Categories: Windows Virtual Desktop 5 | // Resource types: Windows Virtual Desktop - FSLogix 6 | // Topic: Event log 7 | Event 8 | | where Source == 'FSLogix-Apps' 9 | | where EventID == 25 10 | | parse RenderedDescription with * "Username: " UserName:string " "* -------------------------------------------------------------------------------- /Azure Services/Windows Virtual Desktop - Host pools/Alerts/README: 
-------------------------------------------------------------------------------- 1 | Put alerts in this folder -------------------------------------------------------------------------------- /Azure Services/Windows Virtual Desktop - Host pools/Queries/README: -------------------------------------------------------------------------------- 1 | Put queries in this folder -------------------------------------------------------------------------------- /Azure Services/Windows Virtual Desktop - Host pools/Workbooks/README: -------------------------------------------------------------------------------- 1 | Put workbooks in this folder -------------------------------------------------------------------------------- /Azure Services/Windows Virtual Desktop - Workspaces/Alerts/README: -------------------------------------------------------------------------------- 1 | Put alerts in this folder -------------------------------------------------------------------------------- /Azure Services/Windows Virtual Desktop - Workspaces/Queries/README: -------------------------------------------------------------------------------- 1 | Put queries in this folder -------------------------------------------------------------------------------- /Azure Services/Windows Virtual Desktop - Workspaces/Workbooks/README: -------------------------------------------------------------------------------- 1 | Put workbooks in this folder -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | # Microsoft Open Source Code of Conduct 2 | 3 | This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). 
4 | 5 | Resources: 6 | 7 | - [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/) 8 | - [Microsoft Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) 9 | - Contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with questions or concerns 10 | -------------------------------------------------------------------------------- /Scenarios/How to analyze Azure diagnostics/Alerts/README: -------------------------------------------------------------------------------- 1 | Put alerts in this folder -------------------------------------------------------------------------------- /Scenarios/How to analyze Azure diagnostics/Queries/Common categories in Azure diagnostics.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Common categories in Azure diagnostics 3 | // Description: Count the number of logs reported per category. 4 | // Categories: resources 5 | // Resource types: Azure Monitor 6 | // Topic: Azure diagnostics 7 | 8 | AzureDiagnostics 9 | | summarize countLogsPerCategory=count() by Category 10 | | sort by countLogsPerCategory -------------------------------------------------------------------------------- /Scenarios/How to analyze Azure diagnostics/Queries/Errors in automation jobs.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Errors in automation jobs 3 | // Description: Find logs reporting errors in automation jobs from the last day. 
4 | // Categories: resources 5 | // Resource types: Azure Monitor 6 | // Topic: Azure diagnostics 7 | 8 | AzureDiagnostics 9 | | where ResourceProvider == "MICROSOFT.AUTOMATION" 10 | | where StreamType_s == "Error" 11 | | project TimeGenerated, Category, JobId_g, OperationName, RunbookName_s, ResultDescription -------------------------------------------------------------------------------- /Scenarios/How to analyze Azure diagnostics/Queries/Latest metrics.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Latest metrics 3 | // Description: Show the latest metrics reports for each reported metric. 4 | // Categories: resources 5 | // Resource types: Azure Monitor 6 | // Topic: Azure diagnostics 7 | 8 | AzureMetrics 9 | | summarize arg_max(TimeGenerated, UnitName, Total, Count, Maximum, Minimum, Average) by MetricName -------------------------------------------------------------------------------- /Scenarios/How to analyze Azure diagnostics/Queries/Network security events.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Network security events 3 | // Description: Find Network security events reporting blocked incoming traffic. 
4 | // Categories: resources 5 | // Resource types: Azure Monitor 6 | // Topic: Azure diagnostics 7 | 8 | AzureDiagnostics 9 | | where ResourceProvider == "MICROSOFT.NETWORK" 10 | | where Category == "NetworkSecurityGroupEvent" 11 | | where direction_s == "In" and type_s == "block" -------------------------------------------------------------------------------- /Scenarios/How to analyze Azure diagnostics/Workbooks/README: -------------------------------------------------------------------------------- 1 | Put workbooks in this folder -------------------------------------------------------------------------------- /Scenarios/How to analyze VM availability across a workspace/Alerts/README: -------------------------------------------------------------------------------- 1 | Put alerts in this folder -------------------------------------------------------------------------------- /Scenarios/How to analyze VM availability across a workspace/Queries/Computers availability today.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Computers availability today 3 | // Description: Chart the number of computers sending logs, each hour. 4 | // Categories: monitor 5 | // Resource types: Azure Monitor 6 | // Solutions: LogManagement 7 | // Topic: Availability 8 | 9 | Heartbeat 10 | | summarize dcount(ComputerIP) by bin(TimeGenerated, 1h) 11 | | render timechart -------------------------------------------------------------------------------- /Scenarios/How to analyze VM availability across a workspace/Queries/Last heartbeat of each computer.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Last heartbeat of each computer 3 | // Description: Show the last heartbeat sent by each computer. 
4 | // Categories: monitor 5 | // Resource types: Azure Monitor 6 | // Solutions: LogManagement 7 | // Topic: Availability 8 | 9 | Heartbeat 10 | | summarize arg_max(TimeGenerated, *) by Computer -------------------------------------------------------------------------------- /Scenarios/How to analyze VM availability across a workspace/Queries/List heartbeats.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: List heartbeats 3 | // Description: List all computer heartbeats from the last hour. 4 | // Categories: monitor 5 | // Resource types: Azure Monitor 6 | // Solutions: LogManagement 7 | // Topic: Availability 8 | 9 | Heartbeat 10 | | where TimeGenerated > ago(1h) -------------------------------------------------------------------------------- /Scenarios/How to analyze VM availability across a workspace/Queries/Unavailable computers.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Unavailable computers 3 | // Description: List all known computers that didn't send a heartbeat in the last 5 hours. 
4 | // Categories: monitor 5 | // Resource types: Azure Monitor 6 | // Solutions: LogManagement 7 | // Topic: Availability 8 | 9 | Heartbeat 10 | | summarize LastHeartbeat=max(TimeGenerated) by Computer 11 | | where LastHeartbeat < ago(5h) -------------------------------------------------------------------------------- /Scenarios/How to analyze VM availability across a workspace/Workbooks/README: -------------------------------------------------------------------------------- 1 | Put workbooks in this folder -------------------------------------------------------------------------------- /Scenarios/How to analyze VM performance across a workspace/Alerts/README: -------------------------------------------------------------------------------- 1 | Put alerts in this folder -------------------------------------------------------------------------------- /Scenarios/How to analyze VM performance across a workspace/Queries/What data is being collected.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: What data is being collected? 3 | // Description: List the collected performance counters and object types (Process, Memory, Processor). 
4 | // Categories: monitor 5 | // Resource types: Azure Monitor 6 | // Solutions: LogManagement 7 | // Topic: Performance 8 | 9 | Perf 10 | | summarize by ObjectName, CounterName -------------------------------------------------------------------------------- /Scenarios/How to analyze VM performance across a workspace/Workbooks/README: -------------------------------------------------------------------------------- 1 | Put workbooks in this folder -------------------------------------------------------------------------------- /Scenarios/How to analyze log ingestion and billing/Alerts/README: -------------------------------------------------------------------------------- 1 | Put alerts in this folder -------------------------------------------------------------------------------- /Scenarios/How to analyze log ingestion and billing/Queries/Billable performance data.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Billable performance data 3 | // Description: Calculate the volume of billable data (in GB) for Perf data, over the last day. 4 | // Categories: monitor 5 | // Resource types: Azure Monitor 6 | // Solutions: LogManagement 7 | // Topic: Usage 8 | 9 | Usage 10 | | where TimeGenerated > ago(1d) 11 | | where IsBillable == true 12 | | where DataType == "Perf" 13 | | summarize TotalVolumeGB = sum(Quantity) / 1024 -------------------------------------------------------------------------------- /Scenarios/How to analyze log ingestion and billing/Queries/Total workspace ingestion over the last 24 hours.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Total workspace ingestion over the last 24 hours 3 | // Description: Volume (GB) of all data ingested to this workspace, over the last 24 hours. 
4 | // Categories: monitor 5 | // Resource types: Azure Monitor 6 | // Solutions: LogManagement 7 | // Topic: Usage 8 | 9 | Usage 10 | |where TimeGenerated > ago(24h) 11 | |summarize TotalIngestionVolGB = sum(Quantity)/1024.0 -------------------------------------------------------------------------------- /Scenarios/How to analyze log ingestion and billing/Queries/Total workspace ingestion volume timechart last day.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Total workspace ingestion volume timechart, last day 3 | // Description: Chart the workspace ingestion volume of the last day. 4 | // Categories: monitor 5 | // Resource types: Azure Monitor 6 | // Solutions: LogManagement 7 | // Topic: Usage 8 | 9 | union * 10 | | where TimeGenerated > ago(1d) 11 | | summarize TotalVolumeGB = sum(_BilledSize)/1024/1024/1024 by bin(TimeGenerated,10m) 12 | | render timechart -------------------------------------------------------------------------------- /Scenarios/How to analyze log ingestion and billing/Queries/Usage by data types.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Usage by data types 3 | // Description: Chart the amount of logs reported for each data type, today. 
4 | // Categories: monitor 5 | // Resource types: Azure Monitor 6 | // Solutions: LogManagement 7 | // Topic: Usage 8 | 9 | Usage 10 | | summarize count_per_type=count() by DataType 11 | | sort by count_per_type desc 12 | | render piechart -------------------------------------------------------------------------------- /Scenarios/How to analyze log ingestion and billing/Queries/Volume of solutions data.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Volume of solutions' data 3 | // Description: Chart the volume of data (in Mb) sent by each solution. 4 | // Categories: monitor 5 | // Resource types: Azure Monitor 6 | // Solutions: LogManagement 7 | // Topic: Usage 8 | 9 | Usage 10 | | summarize total_MBytes=sum(Quantity) by Solution 11 | | sort by total_MBytes desc nulls last 12 | | render barchart -------------------------------------------------------------------------------- /Scenarios/How to evaluate LA agent and workspace health/Alerts/README: -------------------------------------------------------------------------------- 1 | Put alerts in this folder -------------------------------------------------------------------------------- /Scenarios/How to evaluate LA agent and workspace health/Workbooks/README: -------------------------------------------------------------------------------- 1 | Put workbooks in this folder -------------------------------------------------------------------------------- /Scenarios/How to get insights into App Control (WDAC) events/picture/LogAnalytics.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/AzureMonitorCommunity/96bcca345b3621cb2840a9bc67664247d6cad828/Scenarios/How to get insights into App Control (WDAC) events/picture/LogAnalytics.png -------------------------------------------------------------------------------- /Scenarios/How to prepare for migration 
from MMA to AMA/Workbooks/readme.md: -------------------------------------------------------------------------------- 1 | Put workbooks in this folder -------------------------------------------------------------------------------- /Scenarios/How to run search queries/Alerts/README: -------------------------------------------------------------------------------- 1 | Put alerts in this folder -------------------------------------------------------------------------------- /Scenarios/How to run search queries/Queries/Run a casesensitive search.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Run a case-sensitive search 3 | // Description: Search the AzureDiagnostics table for logs that contain the term "JIT". 4 | // Categories: resources 5 | // Resource types: Azure Monitor 6 | // Topic: Search through the logs 7 | 8 | search kind=case_sensitive in (AzureDiagnostics) "*JIT*" -------------------------------------------------------------------------------- /Scenarios/How to run search queries/Queries/Search a table for a specific term.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Search a table for a specific term 3 | // Description: Search AzureMetrics table for the term "CPU". 4 | // Categories: resources 5 | // Resource types: Azure Monitor 6 | // Topic: Search through the logs 7 | 8 | search in (AzureMetrics) "CPU"// search is case-insensitive -------------------------------------------------------------------------------- /Scenarios/How to run search queries/Queries/Search a term through all logs.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Search a term through all logs 3 | // Description: Search the term "Network" across all tables. 
4 | // Categories: resources 5 | // Resource types: Azure Monitor 6 | // Topic: Search through the logs 7 | 8 | search "Network"// search is case-insensitive 9 | | where TimeGenerated > ago(30m) -------------------------------------------------------------------------------- /Scenarios/How to run search queries/Queries/Search in multiple tables.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Search in multiple tables 3 | // Description: Search AzureDiagnostics, AzureMetrics and AzureActivity for logs that contain "fail". 4 | // Categories: resources 5 | // Resource types: Azure Monitor 6 | // Topic: Search through the logs 7 | 8 | search in (AzureDiagnostics, AzureMetrics, AzureActivity) "*fail*" -------------------------------------------------------------------------------- /Scenarios/How to run search queries/Queries/Search multiple terms.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Search multiple terms 3 | // Description: Search the AzureActivity table for logs that contain "err" or "warn". 
4 | // Categories: resources 5 | // Resource types: Azure Monitor 6 | // Topic: Search through the logs 7 | 8 | search in (AzureActivity) "*err*" or "*warn*" 9 | | where TimeGenerated > ago(1h) -------------------------------------------------------------------------------- /Scenarios/How to run search queries/Workbooks/README: -------------------------------------------------------------------------------- 1 | Put workbooks in this folder -------------------------------------------------------------------------------- /Solutions/ADAssessment/Alerts/README: -------------------------------------------------------------------------------- 1 | Put alerts in this folder -------------------------------------------------------------------------------- /Solutions/ADAssessment/Queries/Diagnostics/AD Recommendations by AffectedObjectType.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: AD Recommendations by AffectedObjectType 3 | // Description: Count AD recommendations with failed result by affected object type. 4 | // Categories: workloads 5 | // Solutions: ADAssessment 6 | // Topic: Diagnostics 7 | 8 | ADAssessmentRecommendation 9 | | where RecommendationResult == "Failed" 10 | | summarize AggregatedValue = count() by AffectedObjectType -------------------------------------------------------------------------------- /Solutions/ADAssessment/Queries/Diagnostics/AD Recommendations by Computer.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: AD Recommendations by Computer 3 | // Description: Count AD recommendations with failed result by computer. 
4 | // Categories: workloads 5 | // Solutions: ADAssessment 6 | // Topic: Diagnostics 7 | 8 | ADAssessmentRecommendation 9 | | where RecommendationResult == "Failed" 10 | | summarize AggregatedValue = count() by Computer -------------------------------------------------------------------------------- /Solutions/ADAssessment/Queries/Diagnostics/AD Recommendations by Domain.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: AD Recommendations by Domain 3 | // Description: Count AD recommendations with failed result by domain. 4 | // Categories: workloads 5 | // Solutions: ADAssessment 6 | // Topic: Diagnostics 7 | 8 | ADAssessmentRecommendation 9 | | where RecommendationResult == "Failed" 10 | | summarize AggregatedValue = count() by Domain -------------------------------------------------------------------------------- /Solutions/ADAssessment/Queries/Diagnostics/AD Recommendations by DomainController.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: AD Recommendations by DomainController 3 | // Description: Count AD recommendations with failed result by domain controller. 4 | // Categories: workloads 5 | // Solutions: ADAssessment 6 | // Topic: Diagnostics 7 | 8 | ADAssessmentRecommendation 9 | | where RecommendationResult == "Failed" 10 | | summarize AggregatedValue = count() by DomainController -------------------------------------------------------------------------------- /Solutions/ADAssessment/Queries/Diagnostics/AD Recommendations by Focus Area.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: AD Recommendations by Focus Area 3 | // Description: Count all AD reccomendations by focus area. 
4 | // Categories: workloads 5 | // Solutions: ADAssessment 6 | // Topic: Diagnostics 7 | 8 | ADAssessmentRecommendation 9 | | summarize AggregatedValue = count() by FocusArea -------------------------------------------------------------------------------- /Solutions/ADAssessment/Queries/Diagnostics/AD Recommendations by Forest.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: AD Recommendations by Forest 3 | // Description: Count AD recommendations with failed result by forest. 4 | // Categories: workloads 5 | // Solutions: ADAssessment 6 | // Topic: Diagnostics 7 | 8 | ADAssessmentRecommendation 9 | | where RecommendationResult == "Failed" 10 | | summarize AggregatedValue = count() by Forest -------------------------------------------------------------------------------- /Solutions/ADAssessment/Queries/Diagnostics/How many times did each unique AD Recommendation trigger.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: How many times did each unique AD Recommendation trigger? 3 | // Description: Count AD recommendations with failed result by recommendation. 
4 | // Categories: workloads 5 | // Solutions: ADAssessment 6 | // Topic: Diagnostics 7 | 8 | ADAssessmentRecommendation 9 | | where RecommendationResult == "Failed" 10 | | summarize AggregatedValue = count() by Recommendation -------------------------------------------------------------------------------- /Solutions/ADAssessment/Workbooks/README: -------------------------------------------------------------------------------- 1 | Put workbooks in this folder -------------------------------------------------------------------------------- /Solutions/ChangeTracking/Alerts/README: -------------------------------------------------------------------------------- 1 | Put alerts in this folder -------------------------------------------------------------------------------- /Solutions/ChangeTracking/Queries/Diagnostics/All configuration changes.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: All configuration changes 3 | // Description: Lists all configuration changes sorted by time (newest first). 4 | // Categories: management 5 | // Solutions: ChangeTracking 6 | // Topic: Diagnostics 7 | 8 | ConfigurationChange 9 | | sort by TimeGenerated desc -------------------------------------------------------------------------------- /Solutions/ChangeTracking/Queries/Diagnostics/Recent stopped auto services.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: Recent stopped auto services 3 | // Description: Shows most recent services that were set to Auto but reported as being stopped. 
// Categories: management
// Solutions: ChangeTracking
// Topic: Diagnostics

// Windows services with startup type Auto that were reported as Stopped.
// arg_max keeps the latest "Stopped" record per service and computer.
// NOTE(review): because the state filter runs before arg_max, a service that was
// later reported as Running again still appears here; if "current state" is
// intended, confirm and move the SvcState filter after the summarize.
ConfigurationData
| where ConfigDataType == "WindowsServices"
| where SvcStartupType == "Auto"
| where SvcState == "Stopped"
| summarize arg_max(TimeGenerated, *) by SoftwareName, Computer
--------------------------------------------------------------------------------
/Solutions/ChangeTracking/Queries/Diagnostics/Removed software changes.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Removed software changes
// Description: Shows change records for removed software.
// Categories: management
// Solutions: ChangeTracking
// Topic: Diagnostics

// Software change records whose category is "Removed", newest first.
ConfigurationChange
| where ConfigChangeType == "Software"
| where ChangeCategory == "Removed"
| sort by TimeGenerated desc
--------------------------------------------------------------------------------
/Solutions/ChangeTracking/Queries/Diagnostics/Service changes.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Service changes
// Description: Lists service changes sorted by time (newest first).
// Categories: management
// Solutions: ChangeTracking
// Topic: Diagnostics

// Change records for the "Services" change type, newest first.
ConfigurationChange
| where ConfigChangeType == "Services"
| order by TimeGenerated desc
--------------------------------------------------------------------------------
/Solutions/ChangeTracking/Queries/Diagnostics/Software change count per category.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Software change count per category
// Description: Count software changes by change category.
// Categories: management
// Solutions: ChangeTracking
// Topic: Diagnostics

// Number of software change records per category (e.g. Added / Removed).
ConfigurationChange
| where ConfigChangeType == "Software"
| summarize AggregatedValue = count() by ChangeCategory
--------------------------------------------------------------------------------
/Solutions/ChangeTracking/Queries/Diagnostics/Software change type per computer.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Software change type per computer
// Description: Count software changes by computer.
// Categories: management
// Solutions: ChangeTracking
// Topic: Diagnostics

// Number of software change records per computer.
ConfigurationChange
| where ConfigChangeType == "Software"
| summarize AggregatedValue = count() by Computer
--------------------------------------------------------------------------------
/Solutions/ChangeTracking/Queries/Diagnostics/Software changes.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Software changes
// Description: Lists software changes sorted by time (newest first).
// Categories: management
// Solutions: ChangeTracking
// Topic: Diagnostics

// All software change records, newest first.
ConfigurationChange
| where ConfigChangeType == "Software"
| order by TimeGenerated desc
--------------------------------------------------------------------------------
/Solutions/ChangeTracking/Queries/Diagnostics/Stopped services.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Stopped services
// Description: Lists stopped service changes sorted by time.
// Categories: management
// Solutions: ChangeTracking
// Topic: Diagnostics

// Windows service change records where the reported state is Stopped, newest first.
ConfigurationChange
| where ConfigChangeType == "WindowsServices"
| where SvcState == "Stopped"
| order by TimeGenerated desc
--------------------------------------------------------------------------------
/Solutions/ChangeTracking/Workbooks/README:
--------------------------------------------------------------------------------
Put workbooks in this folder
--------------------------------------------------------------------------------
/Solutions/ContainerInsights/Alerts/README:
--------------------------------------------------------------------------------
Put alerts in this folder
--------------------------------------------------------------------------------
/Solutions/ContainerInsights/Workbooks/README:
--------------------------------------------------------------------------------
Put workbooks in this folder
--------------------------------------------------------------------------------
/Solutions/DnsAnalytics/Alerts/README:
--------------------------------------------------------------------------------
Put alerts in this folder
--------------------------------------------------------------------------------
/Solutions/DnsAnalytics/Queries/Security/Distinct Clients Resolving Malicious Domains.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Distinct Clients Resolving Malicious Domains
// Description: Distinct clients resolving malicious domains.
// Categories: security
// Solutions: DnsAnalytics
// Topic: Security

// Lookup queries for which the DNS Analytics solution populated MaliciousIP,
// counted per querying client. Each row is a host worth triaging.
DnsEvents
| where SubType == 'LookupQuery'
| where isnotempty(MaliciousIP)
| summarize count_ = count() by ClientIP
--------------------------------------------------------------------------------
/Solutions/DnsAnalytics/Workbooks/README:
--------------------------------------------------------------------------------
Put workbooks in this folder
--------------------------------------------------------------------------------
/Solutions/LogManagement/Alerts/README:
--------------------------------------------------------------------------------
Put alerts in this folder
--------------------------------------------------------------------------------
/Solutions/LogManagement/Queries/Diagnostics/All Events in the past hour.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: All Events in the past hour
// Description: All Events in the past hour.
// Categories: virtualmachines
// Solutions: LogManagement
// Topic: Diagnostics

// Windows event log records from the last 60 minutes, newest first.
Event
| where TimeGenerated > ago(1h)
| order by TimeGenerated desc
--------------------------------------------------------------------------------
/Solutions/LogManagement/Queries/Diagnostics/All Syslog by facility.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: All Syslog by facility
// Description: All Syslog by facility.
// Categories: virtualmachines
// Solutions: LogManagement
// Topic: Diagnostics

// Syslog record count per facility (auth, cron, daemon, ...).
Syslog
| summarize count_ = count() by Facility
--------------------------------------------------------------------------------
/Solutions/LogManagement/Queries/Diagnostics/All Syslog by process name.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: All Syslog by process name
// Description: All Syslog by process name.
// Categories: virtualmachines
// Solutions: LogManagement
// Topic: Diagnostics

// Syslog record count per originating process name.
Syslog
| summarize count_ = count() by ProcessName
--------------------------------------------------------------------------------
/Solutions/LogManagement/Queries/Diagnostics/All Syslog.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: All Syslog
// Description: Last 100 Syslog.
// Categories: virtualmachines
// Solutions: LogManagement
// Topic: Diagnostics

// The 100 most recent Syslog records.
Syslog
| order by TimeGenerated desc
| take 100
--------------------------------------------------------------------------------
/Solutions/LogManagement/Queries/Diagnostics/Computers restartsshutdowns.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Computers restarts/shutdowns
// Description: List restart and shutdowns events for all monitor computers.
// Categories: virtualmachines
// Solutions: LogManagement
// Topic: Diagnostics

// System log, source User32, event 1074: a user or process requested a
// shutdown/restart. The free-text search keeps only records mentioning "shutdown".
Event
| where EventLog == "System"
| where Source == "User32"
| where EventID == 1074
| search "shutdown"
| order by TimeGenerated desc
| project TimeGenerated, Computer
--------------------------------------------------------------------------------
/Solutions/LogManagement/Queries/Diagnostics/Count IIS log entries by HTTP request method.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Count IIS log entries by HTTP request method
// Description: Count IIS log entries by HTTP request method.
// Categories: virtualmachines
// Solutions: LogManagement
// Topic: Diagnostics

// Request count per HTTP method (GET, POST, ...).
W3CIISLog
| summarize count_ = count() by csMethod
--------------------------------------------------------------------------------
/Solutions/LogManagement/Queries/Diagnostics/Count IIS log entries by client IP address.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Count IIS log entries by client IP address
// Description: Count IIS log entries by client IP address.
// Categories: virtualmachines
// Solutions: LogManagement
// Topic: Diagnostics

// Request count per client address (cIP = client IP in W3C naming).
W3CIISLog
| summarize count_ = count() by cIP
--------------------------------------------------------------------------------
/Solutions/LogManagement/Queries/Diagnostics/Count of IIS log entries by URL.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Count of IIS log entries by URL
// Description: Count of IIS log entries by URL requested by client.
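// Categories: virtualmachines
// Solutions: LogManagement
// Topic: Diagnostics

// Request count per requested URI path (csUriStem excludes the query string).
W3CIISLog
| summarize count_ = count() by csUriStem
--------------------------------------------------------------------------------
/Solutions/LogManagement/Queries/Diagnostics/Count of IIS log entries by host.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Count of IIS log entries by host
// Description: Count of IIS log entries by host requested by client.
// Categories: virtualmachines
// Solutions: LogManagement
// Topic: Diagnostics

// Request count per Host header value sent by clients.
W3CIISLog
| summarize count_ = count() by csHost
--------------------------------------------------------------------------------
/Solutions/LogManagement/Queries/Diagnostics/Count of warning events.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Count of warning events
// Description: Count of warning events by event ID.
// Categories: virtualmachines
// Solutions: LogManagement
// Topic: Diagnostics

// Warning-level Windows events, counted per event ID.
// =~ is a case-insensitive match: the original "== "warning"" would silently
// return nothing if the level is stored with a capital letter ("Warning").
Event
| where EventLevelName =~ "warning"
| summarize count_ = count() by EventID
--------------------------------------------------------------------------------
/Solutions/LogManagement/Queries/Diagnostics/Display breakdown respond codes.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Display breakdown respond codes
// Description: Display breakdown respond codes.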
// Categories: virtualmachines
// Solutions: LogManagement
// Topic: Diagnostics

// Response count per HTTP status code returned by the server.
W3CIISLog
| summarize count_ = count() by scStatus
--------------------------------------------------------------------------------
/Solutions/LogManagement/Queries/Diagnostics/Events by event ID.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Events by event ID
// Description: Top 10 events by event ID.
// Categories: virtualmachines
// Solutions: LogManagement
// Topic: Diagnostics

// The ten most frequent Windows event IDs in the selected time range.
Event
| summarize count_ = count() by EventID
| top 10 by count_
--------------------------------------------------------------------------------
/Solutions/LogManagement/Queries/Diagnostics/Events by event source.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Events by event source
// Description: Events by event source.
// Categories: virtualmachines
// Solutions: LogManagement
// Topic: Diagnostics

// Windows event count per event source (provider).
Event
| summarize count_ = count() by Source
--------------------------------------------------------------------------------
/Solutions/LogManagement/Queries/Diagnostics/Events in OM between 2000 to 3000.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Events in OM between 2000 to 3000
// Description: Operations Manager events with IDs in range of 2000 to 3000.
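// Categories: virtualmachines
// Solutions: LogManagement
// Topic: Diagnostics

// Operations Manager log events with IDs 2000..3000 (both ends inclusive), newest first.
Event
| where EventLog == "Operations Manager"
| where EventID between (2000 .. 3000)
| order by TimeGenerated desc
--------------------------------------------------------------------------------
/Solutions/LogManagement/Queries/Diagnostics/Events started.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Events started
// Description: Events started by event ID.
// Categories: virtualmachines
// Solutions: LogManagement
// Topic: Diagnostics

// Events whose rendered message contains "started" (case-insensitive substring),
// counted per event ID.
Event
| where RenderedDescription contains "started"
| summarize count_ = count() by EventID
--------------------------------------------------------------------------------
/Solutions/LogManagement/Queries/Diagnostics/IIS log entries for client IP.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: IIS log entries for client IP
// Description: IIS log entries for a client IP.
// Categories: virtualmachines
// Solutions: LogManagement
// Topic: Diagnostics

// The client address to investigate is declared once at the top so it is the
// only line that has to be edited; the sample value below is a placeholder.
let clientIp = "192.168.0.1"; // Enter Client IP here
// Latest 100 requests from that client with the size/timing/status columns
// needed to spot scanning or abuse patterns.
W3CIISLog
| where cIP == clientIp
| project csUriStem, scBytes, csBytes, TimeTaken, scStatus, TimeGenerated
| top 100 by TimeGenerated desc
--------------------------------------------------------------------------------
/Solutions/LogManagement/Queries/Diagnostics/List IIS log entries.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: List IIS log entries
// Description: Last 50 IIS log entries.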
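// Categories: virtualmachines
// Solutions: LogManagement
// Topic: Diagnostics

// The 50 most recent IIS log entries.
W3CIISLog
| top 50 by TimeGenerated desc
--------------------------------------------------------------------------------
/Solutions/LogManagement/Queries/Diagnostics/Show 404 pages list.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Show 404 pages list
// Description: Show 404 pages list.
// Categories: virtualmachines
// Solutions: LogManagement
// Topic: Diagnostics

// Requested paths that returned 404, most frequent first.
// NOTE(review): scStatus is compared as a number here but as the string "500"
// in "Servers with internal server error"; only one form matches the column's
// actual type - confirm the W3CIISLog schema and align both queries.
W3CIISLog
| where scStatus == 404
| summarize count_ = count() by csUriStem
| order by count_ desc
--------------------------------------------------------------------------------
/Solutions/LogManagement/Queries/Diagnostics/Warning events.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Warning events
// Description: Warning events sorted by time.
// Categories: virtualmachines
// Solutions: LogManagement
// Topic: Diagnostics

// Warning-level Windows events, newest first.
// =~ is a case-insensitive match so the query also matches "Warning"; the
// original case-sensitive == "warning" would return nothing for that spelling.
Event
| where EventLevelName =~ "warning"
| order by TimeGenerated desc
--------------------------------------------------------------------------------
/Solutions/LogManagement/Queries/Diagnostics/Windows Firewall policy settings changed by machines.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Windows Firewall policy settings changed by machines
// Description: Windows Firewall policy settings changed by machines.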
// Categories: virtualmachines
// Solutions: LogManagement
// Topic: Diagnostics

// Firewall policy-change events (EventID 2008 in the Windows Firewall log),
// counted per computer. The take guards against an unbounded result set.
Event
| where EventLog == "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"
| where EventID == 2008
| summarize count_ = count() by Computer
| take 10000

--------------------------------------------------------------------------------
/Solutions/LogManagement/Queries/Diagnostics/Windows Firewall policy settings.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Windows Firewall policy settings
// Description: Windows Firewall policy settings changed.
// Categories: virtualmachines
// Solutions: LogManagement
// Topic: Diagnostics

// Individual firewall policy-change events (EventID 2008), newest first.
Event
| where EventLog == "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"
| where EventID == 2008
| order by TimeGenerated desc

--------------------------------------------------------------------------------
/Solutions/LogManagement/Queries/Errors/All Syslog with errors.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: All Syslog with errors
// Description: Last 100 Syslog with errors.
// Categories: virtualmachines
// Solutions: LogManagement
// Topic: Errors

// Both spellings of the error severity are accepted (exact, case-sensitive match).
Syslog
| where SeverityLevel in ("err", "error")
| order by TimeGenerated desc
| take 100
--------------------------------------------------------------------------------
/Solutions/LogManagement/Queries/Errors/Servers with internal server error.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Servers with internal server error
// Description: Show servers throwing internal server error.
// Categories: virtualmachines
// Solutions: LogManagement
// Topic: Errors

// Number of HTTP 500 responses per IIS server.
// NOTE(review): status is compared as the string "500" here but as the number
// 404 in "Show 404 pages list"; confirm the scStatus column type and align.
W3CIISLog
| where scStatus == "500"
| summarize count_ = count() by sComputerName
--------------------------------------------------------------------------------
/Solutions/LogManagement/Queries/Performance/Average HTTP request time by client IP.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Average HTTP request time by client IP
// Description: Average HTTP request time by client IP address.
// Categories: virtualmachines
// Solutions: LogManagement
// Topic: Performance

// Mean request duration (TimeTaken, as logged by IIS) per client address.
W3CIISLog
| summarize avg_TimeTaken = avg(TimeTaken) by cIP
--------------------------------------------------------------------------------
/Solutions/LogManagement/Queries/Performance/Average HTTP request time.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Average HTTP request time
// Description: Average HTTP request time for HTTP method.
// Categories: virtualmachines
// Solutions: LogManagement
// Topic: Performance

// Mean request duration per HTTP method.
W3CIISLog
| summarize avg_TimeTaken = avg(TimeTaken) by csMethod
--------------------------------------------------------------------------------
/Solutions/LogManagement/Queries/Performance/Maximum time taken for each page.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Maximum time taken for each page
// Description: Find maximum time taken for each page.
// Categories: virtualmachines
// Solutions: LogManagement
// Topic: Performance

// Slowest observed request per URI path.
W3CIISLog
| summarize max_TimeTaken = max(TimeTaken) by csUriStem
--------------------------------------------------------------------------------
/Solutions/LogManagement/Queries/Usage/Bytes received by each IIS computer.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Bytes received by each IIS computer
// Description: Total bytes received by each IIS computer.
// Categories: virtualmachines
// Solutions: LogManagement
// Topic: Usage

// csBytes = bytes sent by the client to the server, i.e. received by IIS.
// Top 500 computers by inbound volume.
W3CIISLog
| summarize sum_csBytes = sum(csBytes) by Computer
| order by sum_csBytes desc
| take 500
--------------------------------------------------------------------------------
/Solutions/LogManagement/Queries/Usage/Bytes responded to clients by each IIS server IP.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Bytes responded to clients by each IIS server IP
// Description: Total bytes responded to clients by each IIS server IP address.
// Categories: virtualmachines
// Solutions: LogManagement
// Topic: Usage

// scBytes = bytes sent by the server to clients, totalled per server address.
W3CIISLog
| summarize sum_scBytes = sum(scBytes) by sIP
--------------------------------------------------------------------------------
/Solutions/LogManagement/Queries/Usage/Count IIS log entries by HTTP user agent.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Count IIS log entries by HTTP user agent
// Description: Count IIS log entries by HTTP user agent.
// Categories: virtualmachines
// Solutions: LogManagement
// Topic: Usage

// Request count per User-Agent string. The value is client-supplied and
// trivially spoofable, so treat it as a hint, not an identity.
W3CIISLog
| summarize count_ = count() by csUserAgent
--------------------------------------------------------------------------------
/Solutions/LogManagement/Queries/Usage/Total bytes traffic by client IP.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Total bytes traffic by client IP
// Description: Total bytes sent and received by client IP address.
// Categories: virtualmachines
// Solutions: LogManagement
// Topic: Usage

// Totals are from the client's point of view: BytesSent is what the client
// sent (csBytes), BytesReceived is what the server returned to it (scBytes).
W3CIISLog
| summarize BytesSent = sum(csBytes), BytesReceived = sum(scBytes) by cIP
--------------------------------------------------------------------------------
/Solutions/LogManagement/Workbooks/README:
--------------------------------------------------------------------------------
Put workbooks in this folder
--------------------------------------------------------------------------------
/Solutions/LogicAppB2B/Alerts/README:
--------------------------------------------------------------------------------
Put alerts in this folder
--------------------------------------------------------------------------------
/Solutions/LogicAppB2B/Workbooks/README:
--------------------------------------------------------------------------------
Put workbooks in this folder
--------------------------------------------------------------------------------
/Solutions/SAP-SCP-Monitoring/Alerts/README:
--------------------------------------------------------------------------------
Put alerts in this folder
--------------------------------------------------------------------------------
/Solutions/SAP-SCP-Monitoring/CPI-monitor-Az-overview.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/microsoft/AzureMonitorCommunity/96bcca345b3621cb2840a9bc67664247d6cad828/Solutions/SAP-SCP-Monitoring/CPI-monitor-Az-overview.png -------------------------------------------------------------------------------- /Solutions/SAP-SCP-Monitoring/Queries/README: -------------------------------------------------------------------------------- 1 | Put queries in this folder -------------------------------------------------------------------------------- /Solutions/SAP-SCP-Monitoring/az-moni-workbook.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/AzureMonitorCommunity/96bcca345b3621cb2840a9bc67664247d6cad828/Solutions/SAP-SCP-Monitoring/az-moni-workbook.png -------------------------------------------------------------------------------- /Solutions/SQLAssessment/Alerts/README: -------------------------------------------------------------------------------- 1 | Put alerts in this folder -------------------------------------------------------------------------------- /Solutions/SQLAssessment/Queries/Diagnostics/How many times did each unique SQL Recommendation trigger.kql: -------------------------------------------------------------------------------- 1 | // Author: Microsoft Azure 2 | // Display name: How many times did each unique SQL Recommendation trigger? 3 | // Description: Count SQL recommendations with failed result by recommendation. 
// Categories: workloads
// Solutions: SQLAssessment
// Topic: Diagnostics

// One row per recommendation text, counting only failed results.
SQLAssessmentRecommendation
| where RecommendationResult == "Failed"
| summarize AggregatedValue = count() by Recommendation
--------------------------------------------------------------------------------
/Solutions/SQLAssessment/Queries/Diagnostics/SQL Recommendations by AffectedObjectType.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: SQL Recommendations by AffectedObjectType
// Description: Count SQL recommendations with failed result by affected object type.
// Categories: workloads
// Solutions: SQLAssessment
// Topic: Diagnostics

// Failed recommendations counted per affected object type.
SQLAssessmentRecommendation
| where RecommendationResult == "Failed"
| summarize AggregatedValue = count() by AffectedObjectType
--------------------------------------------------------------------------------
/Solutions/SQLAssessment/Queries/Diagnostics/SQL Recommendations by Computer.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: SQL Recommendations by Computer
// Description: Count SQL recommendations with failed result by computer.
// Categories: workloads
// Solutions: SQLAssessment
// Topic: Diagnostics

// Failed recommendations counted per computer.
SQLAssessmentRecommendation
| where RecommendationResult == "Failed"
| summarize AggregatedValue = count() by Computer
--------------------------------------------------------------------------------
/Solutions/SQLAssessment/Queries/Diagnostics/SQL Recommendations by Database.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: SQL Recommendations by Database
// Description: Count SQL recommendations with failed result by database.
// Categories: workloads
// Solutions: SQLAssessment
// Topic: Diagnostics

// Failed recommendations counted per database name.
SQLAssessmentRecommendation
| where RecommendationResult == "Failed"
| summarize AggregatedValue = count() by DatabaseName
--------------------------------------------------------------------------------
/Solutions/SQLAssessment/Queries/Diagnostics/SQL Recommendations by Focus Area.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: SQL Recommendations by Focus Area
// Description: Count all SQL recommendations by focus area.
// Categories: workloads
// Solutions: SQLAssessment
// Topic: Diagnostics

// Unlike the other SQLAssessment queries this one counts every result,
// not only the failed ones.
SQLAssessmentRecommendation
| summarize AggregatedValue = count() by FocusArea
--------------------------------------------------------------------------------
/Solutions/SQLAssessment/Queries/Diagnostics/SQL Recommendations by Instance.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: SQL Recommendations by Instance
// Description: Count SQL recommendations with failed result by instance.
// Categories: workloads
// Solutions: SQLAssessment
// Topic: Diagnostics

// Failed recommendations counted per SQL instance.
SQLAssessmentRecommendation
| where RecommendationResult == "Failed"
| summarize AggregatedValue = count() by SqlInstanceName
--------------------------------------------------------------------------------
/Solutions/SQLAssessment/Workbooks/README:
--------------------------------------------------------------------------------
Put workbooks in this folder
--------------------------------------------------------------------------------
/Solutions/SecurityInsights/Alerts/README:
--------------------------------------------------------------------------------
Put alerts in this folder
--------------------------------------------------------------------------------
/Solutions/SecurityInsights/Queries/Security logon/Accounts Failed to Logon.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Accounts Failed to Logon
// Description: Counts failed logons by target account.
// Categories: security
// Solutions: SecurityInsights
// Topic: Security logon

// EventID 4625 = "An account failed to log on". Grouping by the target account
// surfaces accounts under password-guessing pressure; a high count for many
// distinct accounts from one source is the spraying pattern to look for.
SecurityEvent
| where EventID == 4625
| summarize count_ = count() by TargetAccount
--------------------------------------------------------------------------------
/Solutions/SecurityInsights/Queries/Security logon/Computers With Failed Su Logons.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Computers With Failed Su Logons
// Description: Lists computers with failed su logons.
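// Categories: security
// Solutions: SecurityInsights
// Topic: Security logon

// Failed `su` attempts as logged by either the authpriv facility (PAM-style
// "su:auth ... authentication failure") or the auth facility ("FAILED SU"),
// counted per computer. Message formats differ by distribution, so both
// patterns are kept.
Syslog
| where (Facility == 'authpriv' and SyslogMessage has 'su:auth' and SyslogMessage has 'authentication failure')
     or (Facility == 'auth' and SyslogMessage has 'FAILED SU')
| summarize count_ = count() by Computer
--------------------------------------------------------------------------------
/Solutions/SecurityInsights/Queries/Security logon/Computers With Guest Account Logons.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Computers With Guest Account Logons
// Description: Computers with logons from guest accounts.
// Categories: security
// Solutions: SecurityInsights
// Topic: Security logon

// Successful logons (4624) by the built-in Guest account over the network
// (LogonType 3) or via RDP (LogonType 10), counted per computer.
// Windows account names are case-insensitive, so =~ is used instead of the
// original == 'Guest', which would miss a differently-cased value.
SecurityEvent
| where EventID == 4624
| where TargetUserName =~ 'Guest'
| where LogonType in (10, 3)
| summarize count_ = count() by Computer
--------------------------------------------------------------------------------
/Solutions/SecurityInsights/Queries/Security logon/Logon Activity by Account.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Logon Activity by Account
// Description: Logon activity by account.
// Categories: security
// Solutions: SecurityInsights
// Topic: Security logon

// Successful logons (4624) counted per account.
SecurityEvent
| where EventID == 4624
| summarize LogonCount = count() by Account
--------------------------------------------------------------------------------
/Solutions/SecurityInsights/Queries/Security logon/Logon Activity by Device With More Than 10 Logons.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Logon Activity by Device With More Than 10 Logons
// Description: Counts logon activities per devices with more than 10 logons.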
// Categories: security
// Solutions: SecurityInsights
// Topic: Security logon

// Successful logons (4624) per computer, keeping only computers above a
// fixed threshold of 10 within the selected time range.
SecurityEvent
| where EventID == 4624
| summarize LogonCount = count() by Computer
| where LogonCount > 10 // threshold is hard-coded; adjust to the environment's baseline
--------------------------------------------------------------------------------
/Solutions/SecurityInsights/Queries/Security logon/Logon Activity by Device.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Logon Activity by Device
// Description: Counts logon activities per device.
// Categories: security
// Solutions: SecurityInsights
// Topic: Security logon

// Successful-logon count per computer (4624).
SecurityEvent
| where EventID == 4624
| summarize LogonCount = count() by Computer
--------------------------------------------------------------------------------
/Solutions/SecurityInsights/Queries/Security logon/Logon Activity for Users With 5 times Activity.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Logon Activity for Users With 5 times Activity
// Description: Logon activity for accounts with less than 5 logons.
// Categories: security
// Solutions: SecurityInsights
// Topic: Security logon

// Low-activity accounts: successful logons (4624) per account, keeping only
// accounts with fewer than 5 in the selected time range (rarely-used accounts
// that suddenly log on are worth a look).
SecurityEvent
| where EventID == 4624
| summarize LogonCount = count() by Account
| where LogonCount < 5
--------------------------------------------------------------------------------
/Solutions/SecurityInsights/Queries/Security logon/Logons With Clear Text Password.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Logons With Clear Text Password
// Description: Logons with clear text password by target account.
// Categories: security
// Solutions: SecurityInsights
// Topic: Security logon

// Successful logons (4624) with LogonType 8 (NetworkCleartext): the credentials
// were passed to the logon in clear text over the network, e.g. IIS basic
// authentication - flag these for protocol hardening.
SecurityEvent
| where EventID == 4624 and LogonType == 8
| summarize count() by TargetAccount
--------------------------------------------------------------------------------
/Solutions/SecurityInsights/Queries/Security/Accounts Who Terminated Microsoft Antimalware.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Accounts Who Terminated Microsoft Antimalware
// Description: Accounts which terminated Microsoft Antimalware.
// Categories: security
// Solutions: SecurityInsights
// Topic: Security

// Process-exit events (4689) where the exiting process or its parent is the
// Microsoft Antimalware engine (MsMpEng.exe), counted per account.
// 4689 is emitted on every exit, including routine service restarts and
// updates, so a non-zero count is a prompt to look, not a verdict.
SecurityEvent
| where EventID == 4689
| where Process has "MsMpEng.exe" or ParentProcessName has "MsMpEng.exe"
| summarize TerminationCount = count() by Account
--------------------------------------------------------------------------------
/Solutions/SecurityInsights/Queries/Security/All Security Activities.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: All Security Activities
// Description: Security activities sorted by time (newest first).
// Categories: security
// Solutions: SecurityInsights
// Topic: Security

// Unfiltered timeline of SecurityEvent rows; the only bound is the time range
// selected when the query is run, so keep that range short on busy workspaces.
SecurityEvent
| project TimeGenerated, Account, Activity, Computer
| sort by TimeGenerated desc
--------------------------------------------------------------------------------
/Solutions/SecurityInsights/Queries/Security/Change or Reset Passwords Attempts.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Change or Reset Passwords Attempts
// Description: Counts change/reset passwords attempts per target account.
// Categories: security
// Solutions: SecurityInsights
// Topic: Security

// 4723 = an attempt was made to change an account's password (by the user),
// 4724 = an attempt was made to reset an account's password (by an admin);
// both count attempts, not only successes.
SecurityEvent
| where EventID in (4723, 4724)
| summarize count() by TargetAccount
--------------------------------------------------------------------------------
/Solutions/SecurityInsights/Queries/Security/Computers With Cleaned Event Logs.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Computers With Cleaned Event Logs
// Description: Computers with cleaned event logs.
// Categories: security
// Solutions: SecurityInsights
// Topic: Security

// Audit-log-cleared events: 1102 (current Windows) and 517 (pre-Vista
// equivalent), restricted to the Eventlog source so other providers reusing
// these IDs are excluded. Clearing the security log is a classic
// anti-forensics step and warrants follow-up on every hit.
SecurityEvent
| where EventID in (1102, 517) and EventSourceName == 'Microsoft-Windows-Eventlog'
| summarize count() by Computer
--------------------------------------------------------------------------------
/Solutions/SecurityInsights/Queries/Security/Computers With New Linux Group Created.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Computers With New Linux Group Created
// Description: Lists computers with new Linux group created.
// Categories: security
// Solutions: SecurityInsights
// Topic: Security

// Matches groupadd-style syslog lines ('new group') on the authpriv facility;
// counts them per computer.
Syslog
| where Facility == 'authpriv' and SyslogMessage has 'new group'
| summarize count() by Computer
--------------------------------------------------------------------------------
/Solutions/SecurityInsights/Queries/Security/Computers With System Audit Policy Changes.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Computers With System Audit Policy Changes
// Description: System audit policy changed events by computer.
// Categories: security
// Solutions: SecurityInsights
// Topic: Security

// 4719 = system audit policy was changed. Audit-policy changes can silently
// reduce what later queries in this folder can see, so review them first.
SecurityEvent
| where EventID == 4719
| summarize count() by Computer
--------------------------------------------------------------------------------
/Solutions/SecurityInsights/Queries/Security/Computers With Users Added to Linux Group.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Computers With Users Added to Linux Group
// Description: Lists computers with users added to Linux group.
// Categories: security
// Solutions: SecurityInsights
// Topic: Security

// Matches usermod/gpasswd-style syslog lines ('add'/'added' ... 'to group') on
// the authpriv facility. `summarize by Computer` with no aggregate yields the
// distinct list of computers, not a count.
Syslog
| where Facility == 'authpriv' and SyslogMessage has 'to group' and (SyslogMessage has 'add' or SyslogMessage has 'added')
| summarize by Computer
--------------------------------------------------------------------------------
/Solutions/SecurityInsights/Queries/Security/Devices Where Hash Was Executed.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Devices Where Hash Was Executed
// Description: Devices where hash.exe was executed more than 5 times.
// Categories: security
// Solutions: SecurityInsights
// Topic: Security

// Process-creation events (4688) where the new process or its parent is
// hash.exe, counted per computer and thresholded at more than 5.
// Requires process-creation auditing to be enabled on the hosts.
SecurityEvent
| where EventID == 4688
| where Process has "hash.exe" or ParentProcessName has "hash.exe"
| summarize ExecutionCount = count() by Computer
| where ExecutionCount > 5 // threshold is hard-coded
--------------------------------------------------------------------------------
/Solutions/SecurityInsights/Queries/Security/Devices Where The Microsoft Antimalware Process Terminated.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Devices Where The Microsoft Antimalware Process Terminated
// Description: Devices which terminated Microsoft Antimalware.
// Categories: security
// Solutions: SecurityInsights
// Topic: Security

// Same filter as "Accounts Who Terminated Microsoft Antimalware", aggregated
// per computer instead of per account: process-exit events (4689) for
// MsMpEng.exe or its children. Routine service restarts also produce 4689.
SecurityEvent
| where EventID == 4689
| where Process has "MsMpEng.exe" or ParentProcessName has "MsMpEng.exe"
| summarize TerminationCount = count() by Computer
--------------------------------------------------------------------------------
/Solutions/SecurityInsights/Queries/Security/Devices With Security Log Cleared.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Devices With Security Log Cleared
// Description: Devices with security log cleared.
// Categories: security
// Solutions: SecurityInsights
// Topic: Security

// 1102 = the audit log was cleared. Unlike "Computers With Cleaned Event Logs"
// this does not restrict EventSourceName or include the legacy 517 ID.
SecurityEvent
| where EventID == 1102
| summarize LogClearedCount = count() by Computer
--------------------------------------------------------------------------------
/Solutions/SecurityInsights/Queries/Security/Domain Security Policy Changes.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Domain Security Policy Changes
// Description: Counts events of domain policy changed.
// Categories: security
// Solutions: SecurityInsights
// Topic: Security

// 4739 = domain policy was changed; grouped by the policy element that changed.
SecurityEvent
| where EventID == 4739
| summarize count() by DomainPolicyChanged
--------------------------------------------------------------------------------
/Solutions/SecurityInsights/Queries/Security/Groups Created or Modified.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Groups Created or Modified
// Description: Groups created or modified per target account.
// Categories: security
// Solutions: SecurityInsights
// Topic: Security

// Security-enabled group lifecycle events:
//   4727 global group created,    4737 global group changed,
//   4731 local group created,     4735 local group changed,
//   4754 universal group created, 4755 universal group changed.
// TargetAccount here is the group that was created or changed.
SecurityEvent
| where EventID in (4727, 4731, 4735, 4737, 4754, 4755)
| summarize count() by TargetAccount
--------------------------------------------------------------------------------
/Solutions/SecurityInsights/Queries/Security/Locked Accounts.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Locked Accounts
// Description: Counts locked accounts by target account.
// Categories: security
// Solutions: SecurityInsights
// Topic: Security

// 4740 = a user account was locked out. Lockouts across many accounts in a
// short window are a common side effect of password spraying.
SecurityEvent
| where EventID == 4740
| summarize count() by TargetAccount
--------------------------------------------------------------------------------
/Solutions/SecurityInsights/Queries/Security/Members Added to Security Enabled Groups.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Members Added to Security Enabled Groups
// Description: Members added to the security enabled groups.
// Categories: security
// Solutions: SecurityInsights
// Topic: Security

// Member-added events for security-enabled groups: 4728 global, 4732 local,
// 4756 universal. Aggregated by SubjectAccount, i.e. the account that
// performed the addition, not the member that was added.
SecurityEvent
| where EventID in (4728, 4732, 4756)
| summarize count() by SubjectAccount
--------------------------------------------------------------------------------
/Solutions/SecurityInsights/Queries/Security/Process Names Executed.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Process Names Executed
// Description: Lists number of executions per process.
// Categories: security
// Solutions: SecurityInsights
// Topic: Security

// Process-creation events (4688) counted per full image path (NewProcessName).
// Requires process-creation auditing on the hosts.
SecurityEvent
| where EventID == 4688
| summarize ExecutionCount = count() by NewProcessName
--------------------------------------------------------------------------------
/Solutions/SecurityInsights/Queries/Security/Remote Procedure Call Attempts.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Remote Procedure Call Attempts
// Description: Counts remote procedure call attempts per computer.
// Categories: security
// Solutions: SecurityInsights
// Topic: Security

// 5712 = a request was made to perform a Remote Procedure Call.
SecurityEvent
| where EventID == 5712
| summarize count() by Computer
--------------------------------------------------------------------------------
/Solutions/SecurityInsights/Queries/Security/Security Activities on the Device.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Security Activities on the Device
// Description: Security activities on a specific device sorted by time (newest first).
// Categories: security
// Solutions: SecurityInsights
// Topic: Security

// Same timeline as "All Security Activities"; uncomment the Computer filter
// and substitute a real host name to scope it to one device. As shipped the
// filter is disabled, so the query returns rows for every computer.
SecurityEvent
//| where Computer == "COMPUTER01.contoso.com" // Replace with a specific computer name
| project TimeGenerated, Account, Activity, Computer
| sort by TimeGenerated desc
--------------------------------------------------------------------------------
/Solutions/SecurityInsights/Queries/Security/Suspicious Executables.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Suspicious Executables
// Description: Lists suspicious executables.
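// Categories: security
// Solutions: SecurityInsights
// Topic: Security

// AppLocker "allowed to run" events (8002) where no fully-qualified binary
// name is present (Fqbn == '-', i.e. no publisher information), grouped by
// file hash and kept only when the hash ran 5 times or fewer - a rarity
// heuristic for unsigned, seldom-seen binaries. Requires AppLocker auditing.
SecurityEvent
| where EventID == 8002 and Fqbn == '-'
| summarize ExecutionCountHash=count() by FileHash
| where ExecutionCountHash <= 5 // rarity threshold is hard-coded
--------------------------------------------------------------------------------
/Solutions/SecurityInsights/Queries/Security/User Accounts Changed.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: User Accounts Changed
// Description: Counts user account changes per target account.
// Categories: security
// Solutions: SecurityInsights
// Topic: Security

// 4720 = a user account was created, 4722 = a user account was enabled.
// Counted per target account so the description ("Counts ... per target
// account") and the sibling queries (Locked Accounts, Change or Reset
// Passwords Attempts) agree; a bare `summarize by` would only list accounts.
SecurityEvent
| where EventID in (4720, 4722)
| summarize count() by TargetAccount
--------------------------------------------------------------------------------
/Solutions/SecurityInsights/Workbooks/README:
--------------------------------------------------------------------------------
Put workbooks in this folder
--------------------------------------------------------------------------------
/Solutions/ServiceDesk/Alerts/README:
--------------------------------------------------------------------------------
Put alerts in this folder
--------------------------------------------------------------------------------
/Solutions/ServiceDesk/Queries/Usage/All incidents created today.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: All incidents created today
// Description: Retrieves all Incident work items generated in this solution during the last day.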
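// Categories: management
// Solutions: ServiceDesk
// Topic: Usage

// Incidents created since the start of the current day (bin(now(), 1d) is
// midnight of today in the workspace's UTC clock, not a rolling 24 hours).
// arg_max keeps the latest row per work item so updated items appear once.
// The pipe spacing is normalised to `| where` to match the sibling queries.
ServiceDesk_CL
| where ServiceDeskWorkItemType_s == "Incident" and CreatedDate_t > bin(now(), 1d)
| summarize arg_max(TimeGenerated, *) by ServiceDeskId_s
| sort by TimeGenerated desc
--------------------------------------------------------------------------------
/Solutions/ServiceDesk/Queries/Usage/All incidents.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: All incidents
// Description: Retrieves all Incident work items generated in this solution.
// Categories: management
// Solutions: ServiceDesk
// Topic: Usage

// Latest row per Incident work item, newest first.
ServiceDesk_CL
| where ServiceDeskWorkItemType_s == "Incident"
| summarize arg_max(TimeGenerated, *) by ServiceDeskId_s
| sort by TimeGenerated desc
--------------------------------------------------------------------------------
/Solutions/ServiceDesk/Queries/Usage/All security incidents.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: All security incidents
// Description: Retrieves all Security Incident work items generated in this solution.
// Categories: management
// Solutions: ServiceDesk
// Topic: Usage

// Latest row per SecurityIncident work item, newest first.
ServiceDesk_CL
| where ServiceDeskWorkItemType_s == "SecurityIncident"
| summarize arg_max(TimeGenerated, *) by ServiceDeskId_s
| sort by TimeGenerated desc
--------------------------------------------------------------------------------
/Solutions/ServiceDesk/Queries/Usage/All work items created today.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: All work items created today
// Description: Retrieves all work items generated in this solution during the last day.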
// Categories: management
// Solutions: ServiceDesk
// Topic: Usage

// Work items of any type created since the start of the current day
// (bin(now(), 1d) = midnight today, not a rolling 24 hours); latest row per item.
ServiceDesk_CL
| where CreatedDate_t > bin(now(), 1d)
| summarize arg_max(TimeGenerated, *) by ServiceDeskId_s
| sort by TimeGenerated desc
--------------------------------------------------------------------------------
/Solutions/ServiceDesk/Queries/Usage/All work items.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: All work items
// Description: Retrieves all work items generated in this solution.
// Categories: management
// Solutions: ServiceDesk
// Topic: Usage

// Latest row per work item of any type, newest first.
ServiceDesk_CL
| summarize arg_max(TimeGenerated, *) by ServiceDeskId_s
| sort by TimeGenerated desc
--------------------------------------------------------------------------------
/Solutions/ServiceDesk/Workbooks/README:
--------------------------------------------------------------------------------
Put workbooks in this folder
--------------------------------------------------------------------------------
/Solutions/SurfaceHub/Alerts/README:
--------------------------------------------------------------------------------
Put alerts in this folder
--------------------------------------------------------------------------------
/Solutions/SurfaceHub/Queries/Error/Cleanup Failure.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Cleanup Failure
// Description: SurfaceHub cleanup failure.
// Categories: workloads
// Solutions: SurfaceHub
// Topic: Error

// Device cleanup records whose State is "Fatal", newest first.
DeviceCleanup
| where State == "Fatal"
| sort by TimeGenerated desc
--------------------------------------------------------------------------------
/Solutions/SurfaceHub/Queries/Error/Exchange Error.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Exchange Error
// Description: SurfaceHub Exchange error.
// Categories: workloads
// Solutions: SurfaceHub
// Topic: Error

// ActiveSync health records whose SyncStatus is anything other than "Healthy"
// (the `!=` also admits empty or unexpected status values), newest first.
DeviceCalendar
| where EventName == "activesynchealth" and SyncStatus != "Healthy"
| sort by TimeGenerated desc
--------------------------------------------------------------------------------
/Solutions/SurfaceHub/Queries/Error/Skype Error.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Skype Error
// Description: SurfaceHub Skype error.
// Categories: workloads
// Solutions: SurfaceHub
// Topic: Error

// Skype heartbeat records with State "Unhealthy", newest first.
DeviceSkypeHeartbeat
| where State == "Unhealthy"
| sort by TimeGenerated desc
--------------------------------------------------------------------------------
/Solutions/SurfaceHub/Queries/Error/Software Alert.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Software Alert
// Description: SurfaceHub software error.
// Categories: workloads
// Solutions: SurfaceHub
// Topic: Error

// Critical-process health records with State "Unhealthy", newest first.
DeviceHealth
| where EventName == "CriticalProcessStatus" and State == "Unhealthy"
| sort by TimeGenerated desc
--------------------------------------------------------------------------------
/Solutions/SurfaceHub/Workbooks/README:
--------------------------------------------------------------------------------
Put workbooks in this folder
--------------------------------------------------------------------------------
/Solutions/WaaSUpdateInsights/Alerts/README:
--------------------------------------------------------------------------------
Put alerts in this folder
--------------------------------------------------------------------------------
/Solutions/WaaSUpdateInsights/Queries/Diagnostics/Distribution of device OS Edition.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Distribution of device OS Edition
// Description: Counts devices by OS edition.
// Categories: desktopanalytics
// Solutions: WaaSUpdateInsights
// Topic: Diagnostics

// arg_max keeps only the most recent status row per device, so each device
// is attributed to a single (current) OS edition before the distinct count.
WaaSUpdateStatus
| summarize arg_max(TimeGenerated, *) by ComputerID
| project TimeGenerated, ComputerID, OSEdition
| summarize dcount(ComputerID) by OSEdition
--------------------------------------------------------------------------------
/Solutions/WaaSUpdateInsights/Queries/Diagnostics/Distribution of device Servicing Branch.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Distribution of device Servicing Branch
// Description: Pie chart of devices distribution by servicing branch.
// Categories: desktopanalytics
// Solutions: WaaSUpdateInsights
// Topic: Diagnostics

// Latest status row per device, then distinct devices per servicing branch,
// rendered as a pie chart.
WaaSUpdateStatus
| summarize arg_max(TimeGenerated, *) by ComputerID
| project ComputerID, OSServicingBranch
| summarize dcount(ComputerID) by OSServicingBranch
| render piechart
--------------------------------------------------------------------------------
/Solutions/WaaSUpdateInsights/Queries/Diagnostics/Feature Update Pause Configurations.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Feature Update Pause Configurations
// Description: Count devices by feature update pause configurations.
// Categories: desktopanalytics
// Solutions: WaaSUpdateInsights
// Topic: Diagnostics

// Latest status row per device, then distinct devices per feature-update pause state.
WaaSUpdateStatus
| summarize arg_max(TimeGenerated, *) by ComputerID
| project TimeGenerated, ComputerID, FeaturePauseState
| summarize dcount(ComputerID) by FeaturePauseState
--------------------------------------------------------------------------------
/Solutions/WaaSUpdateInsights/Queries/Diagnostics/Quality Update Pause Configurations.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Quality Update Pause Configurations
// Description: Count devices by quality update pause configurations.
// Categories: desktopanalytics
// Solutions: WaaSUpdateInsights
// Topic: Diagnostics

// Latest status row per device, then distinct devices per quality-update pause state.
WaaSUpdateStatus
| summarize arg_max(TimeGenerated, *) by ComputerID
| project TimeGenerated, ComputerID, QualityPauseState
| summarize dcount(ComputerID) by QualityPauseState
--------------------------------------------------------------------------------
/Solutions/WaaSUpdateInsights/Queries/Errors/Target build distribution of devices with a safeguard hold.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Target build distribution of devices with a safeguard hold
// Description: Pie chart of target build distribution of devices impacted by safeguards.
// Categories: desktopanalytics
// Solutions: WaaSUpdateInsights
// Topic: Errors

// Deployment rows in "Safeguard Hold" grouped by target build.
// NOTE(review): count(ComputerID) counts rows, not distinct devices; the
// sibling queries use arg_max + dcount. If a device can report more than one
// row for the same target build this over-counts - confirm before relying on it.
WaaSDeploymentStatus
| where DetailedStatus == "Safeguard Hold"
| summarize count(ComputerID) by TargetBuild
| render piechart
--------------------------------------------------------------------------------
/Solutions/WaaSUpdateInsights/Workbooks/README:
--------------------------------------------------------------------------------
Put workbooks in this folder
--------------------------------------------------------------------------------
/Solutions/WireData2/Alerts/README:
--------------------------------------------------------------------------------
Put alerts in this folder
--------------------------------------------------------------------------------
/Solutions/WireData2/Queries/Diagnostics/Agents that provide wire data.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Agents that provide wire data
// Description: Agents providing wire data and sum of total bytes for each agent.
// Categories: virtualmachines
// Solutions: WireData2
// Topic: Diagnostics

// Total bytes (both directions) per reporting agent/computer.
WireData
| summarize sum(TotalBytes) by Computer
--------------------------------------------------------------------------------
/Solutions/WireData2/Queries/Diagnostics/All Outbound communications by Remote IP Address.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: All Outbound communications by Remote IP Address
// Description: All Outbound communications by Remote IP Address.
// Categories: virtualmachines
// Solutions: WireData2
// Topic: Diagnostics

// Outbound flow records counted per remote IP. Useful as a baseline for
// spotting unexpected egress destinations; the count is of records, not bytes.
WireData
| where Direction == "Outbound"
| summarize count() by RemoteIP
--------------------------------------------------------------------------------
/Solutions/WireData2/Queries/Diagnostics/Amount of Network Traffic by Process.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Amount of Network Traffic by Process
// Description: Amount of Network Traffic (in Bytes) by Process.
// Categories: virtualmachines
// Solutions: WireData2
// Topic: Diagnostics

// Total bytes (both directions) per process name.
WireData
| summarize sum(TotalBytes) by ProcessName
--------------------------------------------------------------------------------
/Solutions/WireData2/Queries/Diagnostics/Bytes received by Protocol Name.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Bytes received by Protocol Name
// Description: Bytes received by Protocol Name (transport-level protocol, only some are recognized).
// Categories: virtualmachines
// Solutions: WireData2
// Topic: Diagnostics

// Received bytes on inbound flows, grouped by transport-level protocol name.
WireData
| where Direction == "Inbound"
| summarize sum(ReceivedBytes) by ProtocolName
--------------------------------------------------------------------------------
/Solutions/WireData2/Queries/Diagnostics/Bytes sent by Application Protocol.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Bytes sent by Application Protocol
// Description: Bytes sent by Application Protocol.
// Categories: virtualmachines
// Solutions: WireData2
// Topic: Diagnostics

// Sent bytes on outbound flows, grouped by application protocol.
WireData
| where Direction == "Outbound"
| summarize sum(SentBytes) by ApplicationProtocol
--------------------------------------------------------------------------------
/Solutions/WireData2/Queries/Diagnostics/IP Addresses of the agents providing wire data.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: IP Addresses of the agents providing wire data
// Description: IP Addresses of the agents providing wire data.
// Categories: virtualmachines
// Solutions: WireData2
// Topic: Diagnostics

// Record count per local (agent-side) IP address.
WireData
| summarize count() by LocalIP
--------------------------------------------------------------------------------
/Solutions/WireData2/Queries/Diagnostics/Processes that initiated or received network traffic.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Processes that initiated or received network traffic
// Description: Processes that initiated or received network traffic.
// Categories: virtualmachines
// Solutions: WireData2
// Topic: Diagnostics

// Distinct process names seen in any wire-data record (no direction filter).
WireData
| distinct ProcessName
--------------------------------------------------------------------------------
/Solutions/WireData2/Queries/Diagnostics/Total bytes by IP version.kql:
--------------------------------------------------------------------------------
// Author: Microsoft Azure
// Display name: Total bytes by IP version
// Description: Total bytes by IP version (IPv4 or IPv6).
// Categories: virtualmachines
// Solutions: WireData2
// Topic: Diagnostics

// Total bytes (both directions) grouped by IP version.
WireData
| summarize sum(TotalBytes) by IPVersion
--------------------------------------------------------------------------------
/Solutions/WireData2/Workbooks/README:
--------------------------------------------------------------------------------
Put workbooks in this folder
--------------------------------------------------------------------------------