{ "version": "Notebook/1.0", "items": [ { "type": 11, "content": { "version": "LinkItem/1.0", "style": "tabs", "links": [ { "id": "4df9243a-749d-4698-98f6-188e0b687e13", "cellValue": "selectedTab", "linkTarget": "parameter", "linkLabel": "Servers and extensions installed", "subTarget": "ServersExtensions", "style": "link" }, { "id": "4c0faa80-5c85-4d02-989d-37921b12ae87", "cellValue": "selectedTab", "linkTarget": "parameter", "linkLabel": "Data Collection Rules under Subscription", "subTarget": "DCRs", "style": "link" }, { "id": "ffceb6e6-3756-466e-860b-c017f0421e9f", "cellValue": "selectedTab", "linkTarget": "parameter", "linkLabel": "VMs with AMA", "subTarget": "AMAvms", "style": "link" } ] }, "name": "links - 19" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "cd3be59c-92d1-4c08-945e-bd9420459a0a", "version": "KqlParameterItem/1.0", "name": "Subscription", "label": "Subscriptions", "type": 6, "multiSelect": true, "quote": "'", "delimiter": ",", "value": [ ], "typeSettings": { "additionalResourceOptions": [], "includeAll": true, "showDefault": false }, "timeContext": { "durationMs": 86400000 } } ], "style": "pills", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "ServersExtensions" }, "name": "parameters - 21 - only one" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "bcd3ee68-9319-4de6-8904-eae492693e64", "version": "KqlParameterItem/1.0", "name": "Subscription2", "label": "Subscription", "type": 6, "isRequired": true, "value": [], "typeSettings": { "additionalResourceOptions": [], "includeAll": false }, "timeContext": { "durationMs": 86400000 } } ], "style": "pills", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isNotEqualTo", "value": 
"ServersExtensions" }, "name": "parameters - 21 " }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "521cf079-688f-4f0c-b446-64a353ac8aa1", "version": "KqlParameterItem/1.0", "name": "InternalWSs", "type": 1, "query": "SecurityIncident\r\n| take 1\r\n| parse IncidentUrl with * \"/workspaces/\" Workspace \"/\" *\r\n| project Workspace", "isHiddenWhenLocked": true, "timeContext": { "durationMs": 86400000 }, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "value": null }, { "id": "eaa69221-591b-448c-b18b-5828487030ab", "version": "KqlParameterItem/1.0", "name": "Workspace", "type": 5, "isRequired": true, "multiSelect": true, "quote": "'", "delimiter": ",", "query": "where type =~ \"microsoft.operationalinsights/workspaces\"\r\n| project value =id, label = name, selected = iff(name =~ '{InternalWSs}', true, false)", "crossComponentResources": [ "value::all" ], "value": [ "value::all" ], "typeSettings": { "additionalResourceOptions": [ "value::all" ], "showDefault": false }, "timeContext": { "durationMs": 86400000 }, "defaultValue": "value::all", "queryType": 1, "resourceType": "microsoft.resourcegraph/resources" }, { "id": "8f323b26-e505-40f3-8ea8-4d0fd69dcc9b", "version": "KqlParameterItem/1.0", "name": "InternalRG", "type": 1, "query": "where type =~ \"microsoft.operationalinsights/workspaces\"\r\n| where id =~ \"{Workspace}\"\r\n| project resourceGroup", "isHiddenWhenLocked": true, "timeContext": { "durationMs": 86400000 }, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources" }, { "id": "2209d79a-3a7d-4840-a45e-579b98c35cfc", "version": "KqlParameterItem/1.0", "name": "resourceGroup", "label": "Resource group", "type": 2, "multiSelect": true, "quote": "'", "delimiter": ",", "query": "Resources\r\n| summarize Count = count() by subscriptionId, resourceGroup\r\n| order by Count desc\r\n| extend Rank = row_number()\r\n| project value = strcat('/subscriptions/', subscriptionId, 
'/resourceGroups/', resourceGroup), label = resourceGroup, selected = false", "crossComponentResources": [ "{Subscription}" ], "typeSettings": { "additionalResourceOptions": [], "showDefault": false }, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", "value": null }, { "id": "4335a281-83dd-4a49-91e8-4f93a4241ca2", "version": "KqlParameterItem/1.0", "name": "Help", "label": "Show Help", "type": 10, "description": "This will show some help information to help you understand the page you are on", "isRequired": true, "value": "Yes", "typeSettings": { "additionalResourceOptions": [] }, "jsonData": "[\r\n { \"value\": \"Yes\", \"label\": \"Yes\"},\r\n { \"value\": \"No\", \"label\": \"No\", \"selected\":true }\r\n]" } ], "style": "pills", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "name": "parameters - 1 - Copy" }, { "type": 1, "content": { "json": "Use this section to see all the servers (from Azure, other clouds, or on-premises and Arc-enabled, which is a prerequisite for installing the Azure Monitor agent) under the selected subscription.\r\nUse the Subscription and Resource group filters to narrow down your results.", "style": "info" }, "conditionalVisibilities": [ { "parameterName": "Help", "comparison": "isEqualTo", "value": "Yes" }, { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "ServersExtensions" } ], "name": "text - 18" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "resources\r\n| where \"{Subscription:Id}\" has subscriptionId or \"{Subscription}\" == \"\"\r\n| where \"{resourceGroup:label}\" contains resourceGroup or \"{resourceGroup}\" == \"\"\r\n| where type == \"microsoft.compute/virtualmachines\"\r\n| summarize TotalCountofVMs = count()", "size": 4, "title": "Current VMs in {Subscription:label}", "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", "crossComponentResources": [ "{Subscription}" ], "visualization": "tiles", "tileSettings": { "titleContent": 
{}, "leftContent": { "columnMatch": "TotalCountofVMs", "formatter": 3, "formatOptions": { "palette": "blue" } }, "showBorder": false } }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "ServersExtensions" }, "customWidth": "20", "name": "query - 0" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "Heartbeat\r\n| where isempty(_ResourceId) == true or ResourceProvider =~ \"microsoft.hybridcompute\"\r\n| distinct Computer\r\n| summarize count()", "size": 4, "title": "Arc or non-Azure with Heartbeat", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "tiles", "tileSettings": { "titleContent": {}, "leftContent": { "columnMatch": "count_", "formatter": 3, "formatOptions": { "palette": "blue" } }, "showBorder": false } }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "ServersExtensions" }, "customWidth": "20", "name": "query - 5" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "resources\r\n| where \"{Subscription:Id}\" has subscriptionId or \"{Subscription}\" == \"\"\r\n| where \"{resourceGroup:label}\" contains resourceGroup or \"{resourceGroup}\" == \"\"\r\n| where type has 'microsoft.compute/virtualmachines/extensions' or type has 'microsoft.hybridcompute/machines/extensions'\r\n| where name has 'MicrosoftMonitoringAgent' or name has 'OmsAgentForLinux' \r\n| extend Computer = extract('virtualMachines/(.*)/extensions',1,id) \r\n| summarize count()", "size": 4, "title": "Machines with MMA", "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", "crossComponentResources": [ "{Subscription}" ], "visualization": "tiles", "tileSettings": { "titleContent": {}, "leftContent": { "columnMatch": "count_", "formatter": 3, "formatOptions": { "palette": "blue" } }, "showBorder": false } }, "conditionalVisibility": { "parameterName": "selectedTab", 
"comparison": "isEqualTo", "value": "ServersExtensions" }, "customWidth": "20", "name": "query - 6" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "resources \r\n| where \"{Subscription:Id}\" has subscriptionId or \"{Subscription}\" == \"\"\r\n| where type has 'microsoft.compute/virtualmachines/extensions' or type has 'microsoft.hybridcompute/machines/extensions'\r\n| where name has 'AzureMonitorWindowsAgent' or name has 'AzureMonitorLinuxAgent' \r\n| extend AzureVM = extract('virtualMachines/(.*)/extensions',1,id), ArcVM = extract('machines/(.*)/extensions',1,id) \r\n| summarize count() by AzureVM, ArcVM, subscriptionId, resourceGroup \r\n| project AzureVM, ArcVM, resourceGroup\r\n| summarize count()", "size": 4, "title": "Machines with AMA", "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", "crossComponentResources": [ "{Subscription}" ], "visualization": "tiles", "tileSettings": { "titleContent": {}, "leftContent": { "columnMatch": "count_", "formatter": 3, "formatOptions": { "palette": "blue" } }, "showBorder": false } }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "ServersExtensions" }, "customWidth": "20", "name": "query - 4" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "resources\r\n| where \"{Subscription:Id}\" has subscriptionId or \"{Subscription}\" == \"\"\r\n| where type has 'microsoft.compute/virtualmachines/extensions' or type has 'microsoft.hybridcompute/machines/extensions'\r\n| where name has 'MicrosoftMonitoringAgent' or name has 'OmsAgentForLinux' or name has 'AzureMonitorWindowsAgent' or name has 'AzureMonitorLinuxAgent'\r\n| extend AzureVM = extract('virtualMachines/(.*)/extensions',1,id), ArcVM = extract('machines/(.*)/extensions',1,id)\r\n| summarize count() by AzureVM=tolower(AzureVM), ArcVM=tolower(ArcVM), subscriptionId, resourceGroup \r\n| extend hasBoth = iff(count_ > 1, 'Yes', 'No') | where count_ > 1 \r\n|where hasBoth == 'Yes' 
\r\n| summarize count()", "size": 4, "title": "Machines with Both Agents", "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", "crossComponentResources": [ "{Subscription}" ], "visualization": "tiles", "tileSettings": { "titleContent": {}, "leftContent": { "columnMatch": "count_", "formatter": 3, "formatOptions": { "palette": "blue" } }, "showBorder": false } }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "ServersExtensions" }, "customWidth": "20", "name": "query - 7" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "items": [ { "type": 11, "content": { "version": "LinkItem/1.0", "style": "tabs", "links": [ { "id": "ba5c2789-99fc-4a62-bfa7-a145dd3e0855", "cellValue": "selectedTab", "linkTarget": "parameter", "linkLabel": "Azure machines within {Subscription:label}", "subTarget": "AzMachines", "style": "link" }, { "id": "34116526-233e-417e-966f-df3bf94fe65c", "cellValue": "selectedTab", "linkTarget": "parameter", "linkLabel": "Arc machines within {Subscription:label}", "subTarget": "ArcMachines", "style": "link" }, { "id": "c3d204ef-88d2-487b-86d0-0d854aac4389", "cellValue": "selectedTab", "linkTarget": "parameter", "linkLabel": "Azure or Arc machines with MMA", "subTarget": "MMA", "style": "link" }, { "id": "eec95288-367a-4ecd-a359-7f1bf22beb9c", "cellValue": "selectedTab", "linkTarget": "parameter", "linkLabel": "Machines with AMA", "subTarget": "AMA", "style": "link" }, { "id": "d0e07018-4d0d-4caf-b0a6-1d1b67becb84", "cellValue": "selectedTab", "linkTarget": "parameter", "linkLabel": "Machines with Both Agents under any RG", "subTarget": "Both", "style": "link" }, { "id": "cfe87184-be1d-4a06-a87b-f5fbd310d7e7", "cellValue": "selectedTab", "linkTarget": "parameter", "linkLabel": "Non-Azure or hybrid VMs under any RG reporting to {Workspace:label} in the last 30d", "subTarget": "NAorHybrid", "style": "link" } ] }, "name": "Selection of Machines Tabs" }, { 
"type": 3, "content": { "version": "KqlItem/1.0", "query": "resources\r\n| where \"{Subscription:Id}\" has subscriptionId or \"{Subscription}\" == \"\"\r\n| where \"{resourceGroup:label}\" contains resourceGroup or \"{resourceGroup}\" == \"\"\r\n| where type == \"microsoft.compute/virtualmachines\"\r\n| extend PowerStatus = properties.extended.instanceView.powerState.displayStatus,\r\n\tOSType = properties.storageProfile.osDisk.osType\r\n| project name, VM=id, location, ResourceGroup=resourceGroup, PowerStatus, OSType\r\n| join kind=leftouter (\r\nresources\r\n| where type contains \"microsoft.compute/virtualmachines/extensions\" and (name == \"MicrosoftMonitoringAgent\" or name == \"OmsAgentForLinux\" or name == \"MMAExtension\")\r\n| parse id with * \"/virtualMachines/\" ComputerName \"/\" *\r\n| extend extensionType = properties.type, \r\n\tstatus = properties.provisioningState,\r\n\tversion = properties.typeHandlerVersion\r\n| project ComputerName, MMA = name, status, version\r\n) on $left.name == $right.ComputerName\r\n| join kind=leftouter (\r\nresources\r\n| where type contains \"microsoft.compute/virtualmachines/extensions\" and (name == \"AzureMonitorWindowsAgent\" or name == \"AzureMonitorLinuxAgent\")\r\n| parse id with * \"/virtualMachines/\" ComputerName \"/\" *\r\n| extend extensionType = properties.type, \r\n\tstatus = properties.provisioningState,\r\n\tversion = properties.typeHandlerVersion\r\n| project ComputerName, AMA = name, status, version\r\n) on $left.name == $right.ComputerName", "size": 2, "showAnalytics": true, "noDataMessage": "No Azure Virtual Machines in the selected subscriptions. 
Please select the subscription(s) that contain your virtual machine(s)", "showRefreshButton": true, "showExportToExcel": true, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", "crossComponentResources": [ "{Subscription}" ], "gridSettings": { "formatters": [ { "columnMatch": "name", "formatter": 5 }, { "columnMatch": "location", "formatter": 17 }, { "columnMatch": "resourceGroup", "formatter": 14, "formatOptions": { "linkTarget": null, "showIcon": true } }, { "columnMatch": "PowerStatus", "formatter": 18, "formatOptions": { "thresholdsOptions": "icons", "thresholdsGrid": [ { "operator": "==", "thresholdValue": "VM running", "representation": "Available", "text": "{0}{1}" }, { "operator": "Default", "thresholdValue": null, "representation": "2", "text": "{0}{1}" } ] } }, { "columnMatch": "OSType", "formatter": 1 }, { "columnMatch": "ComputerName", "formatter": 5 }, { "columnMatch": "MMA", "formatter": 18, "formatOptions": { "thresholdsOptions": "icons", "thresholdsGrid": [ { "operator": "contains", "thresholdValue": "Agent", "representation": "success", "text": "Deployed" }, { "operator": "contains", "thresholdValue": "MMA", "representation": "success", "text": "Deployed" }, { "operator": "Default", "thresholdValue": null, "representation": "Unavailable", "text": "Not Deployed" } ] } }, { "columnMatch": "status", "formatter": 18, "formatOptions": { "thresholdsOptions": "icons", "thresholdsGrid": [ { "operator": "==", "thresholdValue": "Failed", "representation": "3", "text": "{0}{1}" }, { "operator": "is Empty", "representation": "Blank", "text": "{0}{1}" }, { "operator": "Default", "thresholdValue": null, "representation": "success", "text": "{0}{1}" } ] } }, { "columnMatch": "version", "formatter": 1 }, { "columnMatch": "ComputerName1", "formatter": 5 }, { "columnMatch": "AMA", "formatter": 18, "formatOptions": { "thresholdsOptions": "icons", "thresholdsGrid": [ { "operator": "contains", "thresholdValue": "Agent", "representation": "success", 
"text": "Deployed" }, { "operator": "Default", "thresholdValue": null, "representation": "unknown", "text": "Not Deployed" } ] } }, { "columnMatch": "status1", "formatter": 18, "formatOptions": { "thresholdsOptions": "icons", "thresholdsGrid": [ { "operator": "==", "thresholdValue": "Failed", "representation": "3", "text": "{0}{1}" }, { "operator": "is Empty", "representation": "Blank", "text": "{0}{1}" }, { "operator": "Default", "thresholdValue": null, "representation": "success", "text": "{0}{1}" } ] } }, { "columnMatch": "version1", "formatter": 1 } ], "rowLimit": 5000, "filter": true, "sortBy": [ { "itemKey": "$gen_thresholds_AMA_11", "sortOrder": 2 } ], "labelSettings": [ { "columnId": "location", "label": "Location" }, { "columnId": "PowerStatus", "label": "VM Status" }, { "columnId": "status", "label": "Status" }, { "columnId": "version", "label": "Version" }, { "columnId": "status1", "label": "Status" }, { "columnId": "version1", "label": "Version" } ] }, "sortBy": [ { "itemKey": "$gen_thresholds_AMA_11", "sortOrder": 2 } ] }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "AzMachines" }, "name": "azurevmquery-arg" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "items": [ { "type": 3, "content": { "version": "KqlItem/1.0", "query": "Heartbeat\r\n| where ResourceProvider == \"Microsoft.HybridCompute\" and _ResourceId != \"\"\r\n| summarize LastHeartBeat = arg_max(TimeGenerated, *) by _ResourceId\r\n| extend TimeFromNow = now() - LastHeartBeat\r\n| extend [\"TimeAgo\"] = strcat(case(TimeFromNow < 2m, strcat(toint(TimeFromNow / 1m), ' seconds'), TimeFromNow < 2h, strcat(toint(TimeFromNow / 1m), ' minutes'), TimeFromNow < 2d, strcat(toint(TimeFromNow / 1h), ' hours'), strcat(toint(TimeFromNow / 1d), ' days')), ' ago')\r\n| project LastHeartBeat, [\"Time\"]=strcat('🕒 ', TimeAgo), _ResourceId, ResourceGroup, Computer, ManagementGroupName, OSName, Agent=Category, 
Version=Version", "size": 0, "title": "Arc machines within {Subscription:label}", "timeContext": { "durationMs": 604800000 }, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ] }, "conditionalVisibility": { "parameterName": "0", "comparison": "isEqualTo", "value": "0" }, "name": "Arc-Heartbeats" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "resources\r\n| where type == \"microsoft.hybridcompute/machines\"\r\n| extend provisioningState = properties.provisioningState,\r\n\tstatus = properties.status,\r\n\tagentVersion = properties.agentVersion,\r\n\tlastStatusChange = properties.lastStatusChange,\r\n\terrorDetails = properties.errorDetails,\r\n\tosName = properties.osName,\r\n\tosSku = properties.osSku\r\n| extend name = tolower(name)\r\n| project id, name, location, resourceGroup, provisioningState, status, agentVersion, lastStatusChange, osName, osSku\r\n| join kind=leftouter (\r\nresources\r\n| where type contains \"microsoft.hybridcompute/machines/extensions\" and (name == \"MicrosoftMonitoringAgent\" or name == \"OmsAgentForLinux\" or name == \"OMSAgentForLinux\")\r\n| parse id with * \"/machines/\" ComputerName \"/\" *\r\n| extend extensionType = properties.type, \r\n\tstatus = properties.provisioningState,\r\n\tversion = properties.typeHandlerVersion\r\n| extend ComputerName = tolower(ComputerName)\r\n| project ComputerName, name, status, version\r\n| order by ComputerName, name\r\n) on $left.name == $right.ComputerName\r\n| join kind=leftouter (\r\nresources\r\n| where type contains \"microsoft.hybridcompute/machines/extensions\" and (name == \"AzureMonitorWindowsAgent\" or name == \"AzureMonitorLinuxAgent\")\r\n| parse id with * \"/machines/\" ComputerName \"/\" *\r\n| extend extensionType = properties.type, \r\n\tstatus = properties.provisioningState,\r\n\tversion = properties.typeHandlerVersion\r\n| extend ComputerName = tolower(ComputerName)\r\n| project ComputerName, 
name, status, version\r\n| order by ComputerName, name\r\n) on $left.name == $right.ComputerName", "size": 1, "showAnalytics": true, "noDataMessage": "No Arc-enabled Virtual Machines in the selected subscriptions. Please select the subscription(s) that contain your Arc-enabled virtual machine(s)", "noDataMessageStyle": 2, "showRefreshButton": true, "showExportToExcel": true, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", "crossComponentResources": [ "{Subscription}" ], "gridSettings": { "formatters": [ { "columnMatch": "name", "formatter": 5 }, { "columnMatch": "location", "formatter": 17 }, { "columnMatch": "provisioningState", "formatter": 5 }, { "columnMatch": "status", "formatter": 18, "formatOptions": { "thresholdsOptions": "icons", "thresholdsGrid": [ { "operator": "==", "thresholdValue": "Connected", "representation": "success", "text": "{0}{1}" }, { "operator": "==", "thresholdValue": "Disconnected", "representation": "warning", "text": "{0}{1}" }, { "operator": "==", "thresholdValue": "Expired", "representation": "Degraded", "text": "{0}{1}" }, { "operator": "Default", "thresholdValue": null, "representation": "Blank", "text": "{0}{1}" } ] } }, { "columnMatch": "agentVersion", "formatter": 1 }, { "columnMatch": "lastStatusChange", "formatter": 6, "dateFormat": { "formatName": "longDatePattern" } }, { "columnMatch": "osName", "formatter": 1 }, { "columnMatch": "osSku", "formatter": 5 }, { "columnMatch": "ComputerName", "formatter": 5 }, { "columnMatch": "name1", "formatter": 18, "formatOptions": { "thresholdsOptions": "icons", "thresholdsGrid": [ { "operator": "contains", "thresholdValue": "Agent", "representation": "success", "text": "Deployed" }, { "operator": "Default", "thresholdValue": null, "representation": "Blank", "text": "Not Deployed" } ] } }, { "columnMatch": "status1", "formatter": 18, "formatOptions": { "thresholdsOptions": "icons", "thresholdsGrid": [ { "operator": "==", "thresholdValue": "Succeeded", "representation": 
"success", "text": "{0}{1}" }, { "operator": "==", "thresholdValue": "Failed", "representation": "3", "text": "{0}{1}" }, { "operator": "Default", "thresholdValue": null, "representation": "Blank", "text": "{0}{1}" } ] } }, { "columnMatch": "version", "formatter": 1 }, { "columnMatch": "ComputerName1", "formatter": 5 }, { "columnMatch": "name2", "formatter": 18, "formatOptions": { "thresholdsOptions": "icons", "thresholdsGrid": [ { "operator": "contains", "thresholdValue": "Agent", "representation": "success", "text": "Deployed" }, { "operator": "Default", "thresholdValue": null, "representation": "Blank", "text": "Not Deployed" } ] } }, { "columnMatch": "status2", "formatter": 18, "formatOptions": { "thresholdsOptions": "icons", "thresholdsGrid": [ { "operator": "==", "thresholdValue": "Succeeded", "representation": "success", "text": "{0}{1}" }, { "operator": "==", "thresholdValue": "Failed", "representation": "3", "text": "{0}{1}" }, { "operator": "Default", "thresholdValue": null, "representation": "Blank", "text": "{0}{1}" } ] } }, { "columnMatch": "version1", "formatter": 1 } ], "rowLimit": 5000, "labelSettings": [ { "columnId": "id", "label": "Server Name" }, { "columnId": "location", "label": "Location" }, { "columnId": "status", "label": "Arc Status" }, { "columnId": "name1", "label": "MMA" }, { "columnId": "status1", "label": "Status" }, { "columnId": "version", "label": "Version" }, { "columnId": "name2", "label": "AMA" }, { "columnId": "status2", "label": "Status" }, { "columnId": "version1", "label": "Version" } ] } }, "conditionalVisibility": { "parameterName": "0", "comparison": "isEqualTo", "value": "0" }, "name": "ArcVMQuery-arg" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": 
"{\"version\":\"Merge/1.0\",\"merges\":[{\"id\":\"fec3768e-dd50-424e-a15f-0919f1cc2122\",\"mergeType\":\"leftouter\",\"leftTable\":\"Arc-Heartbeats\",\"rightTable\":\"ArcVMQuery-arg\",\"leftColumn\":\"_ResourceId\",\"rightColumn\":\"id\"}],\"projectRename\":[{\"originalName\":\"[ArcVMQuery-arg].id\",\"mergedName\":\"Server Name\",\"fromId\":\"fec3768e-dd50-424e-a15f-0919f1cc2122\"},{\"originalName\":\"[Arc-Heartbeats].ManagementGroupName\",\"mergedName\":\"ManagementGroupName\",\"fromId\":\"unknown\"},{\"originalName\":\"[Arc-Heartbeats].Time\",\"mergedName\":\"Time\",\"fromId\":\"fec3768e-dd50-424e-a15f-0919f1cc2122\"},{\"originalName\":\"[Arc-Heartbeats]._ResourceId\",\"mergedName\":\"_ResourceId\",\"fromId\":\"fec3768e-dd50-424e-a15f-0919f1cc2122\"},{\"originalName\":\"[Arc-Heartbeats].Computer\",\"mergedName\":\"Computer\",\"fromId\":\"fec3768e-dd50-424e-a15f-0919f1cc2122\"},{\"originalName\":\"[Arc-Heartbeats].LastHeartBeat\",\"mergedName\":\"LastHeartBeat\",\"fromId\":\"fec3768e-dd50-424e-a15f-0919f1cc2122\"},{\"originalName\":\"[ArcVMQuery-arg].name\",\"mergedName\":\"name\",\"fromId\":\"fec3768e-dd50-424e-a15f-0919f1cc2122\"},{\"originalName\":\"[ArcVMQuery-arg].location\",\"mergedName\":\"Location\",\"fromId\":\"fec3768e-dd50-424e-a15f-0919f1cc2122\"},{\"originalName\":\"[ArcVMQuery-arg].resourceGroup\",\"mergedName\":\"resourceGroup\",\"fromId\":\"unknown\"},{\"originalName\":\"[ArcVMQuery-arg].provisioningState\",\"mergedName\":\"provisioningState\",\"fromId\":\"fec3768e-dd50-424e-a15f-0919f1cc2122\"},{\"originalName\":\"[ArcVMQuery-arg].status\",\"mergedName\":\"Arc 
Status\",\"fromId\":\"fec3768e-dd50-424e-a15f-0919f1cc2122\"},{\"originalName\":\"[ArcVMQuery-arg].agentVersion\",\"mergedName\":\"agentVersion\",\"fromId\":\"fec3768e-dd50-424e-a15f-0919f1cc2122\"},{\"originalName\":\"[ArcVMQuery-arg].lastStatusChange\",\"mergedName\":\"lastStatusChange\",\"fromId\":\"fec3768e-dd50-424e-a15f-0919f1cc2122\"},{\"originalName\":\"[ArcVMQuery-arg].osName\",\"mergedName\":\"osName\",\"fromId\":\"fec3768e-dd50-424e-a15f-0919f1cc2122\"},{\"originalName\":\"[ArcVMQuery-arg].osSku\",\"mergedName\":\"osSku\",\"fromId\":\"fec3768e-dd50-424e-a15f-0919f1cc2122\"},{\"originalName\":\"[ArcVMQuery-arg].ComputerName\",\"mergedName\":\"ComputerName\",\"fromId\":\"fec3768e-dd50-424e-a15f-0919f1cc2122\"},{\"originalName\":\"[ArcVMQuery-arg].name1\",\"mergedName\":\"MMA\",\"fromId\":\"fec3768e-dd50-424e-a15f-0919f1cc2122\"},{\"originalName\":\"[ArcVMQuery-arg].status1\",\"mergedName\":\"Status\",\"fromId\":\"fec3768e-dd50-424e-a15f-0919f1cc2122\"},{\"originalName\":\"[ArcVMQuery-arg].version\",\"mergedName\":\"Version\",\"fromId\":\"fec3768e-dd50-424e-a15f-0919f1cc2122\"},{\"originalName\":\"[ArcVMQuery-arg].ComputerName1\",\"mergedName\":\"ComputerName1\",\"fromId\":\"fec3768e-dd50-424e-a15f-0919f1cc2122\"},{\"originalName\":\"[ArcVMQuery-arg].name2\",\"mergedName\":\"AMA\",\"fromId\":\"fec3768e-dd50-424e-a15f-0919f1cc2122\"},{\"originalName\":\"[ArcVMQuery-arg].status2\",\"mergedName\":\"Status1\",\"fromId\":\"fec3768e-dd50-424e-a15f-0919f1cc2122\"},{\"originalName\":\"[ArcVMQuery-arg].version1\",\"mergedName\":\"Version1\",\"fromId\":\"fec3768e-dd50-424e-a15f-0919f1cc2122\"},{\"originalName\":\"[Arc-Heartbeats].ResourceGroup\",\"mergedName\":\"ResourceGroup\",\"fromId\":\"unknown\"},{\"originalName\":\"[Arc-Heartbeats].OSName\",\"mergedName\":\"OSName\",\"fromId\":\"unknown\"},{\"originalName\":\"[Arc-Heartbeats].Agent\",\"mergedName\":\"Agent\",\"fromId\":\"unknown\"},{\"originalName\":\"[Arc-Heartbeats].Version\",\"mergedName\":\"Version\",\"fromI
d\":\"unknown\"}]}", "size": 0, "title": "{$rowCount} Azure Arc-enabled servers", "noDataMessage": "No Arc-enabled Virtual Machines with a relationship to the selected workspace. Please select the workspace that contains your Arc-enabled virtual machine(s)", "showRefreshButton": true, "showExportToExcel": true, "queryType": 7, "gridSettings": { "formatters": [ { "columnMatch": "Server Name", "formatter": 13, "formatOptions": { "linkTarget": "Resource", "linkIsContextBlade": true, "showIcon": true } }, { "columnMatch": "ManagementGroupName", "formatter": 5 }, { "columnMatch": "_ResourceId", "formatter": 5 }, { "columnMatch": "Computer", "formatter": 5 }, { "columnMatch": "LastHeartBeat", "formatter": 5 }, { "columnMatch": "name", "formatter": 5 }, { "columnMatch": "Location", "formatter": 17 }, { "columnMatch": "resourceGroup", "formatter": 14, "formatOptions": { "linkTarget": null, "showIcon": true } }, { "columnMatch": "provisioningState", "formatter": 5 }, { "columnMatch": "Arc Status", "formatter": 18, "formatOptions": { "thresholdsOptions": "icons", "thresholdsGrid": [ { "operator": "==", "thresholdValue": "Expired", "representation": "2", "text": "{0}{1}" }, { "operator": "==", "thresholdValue": "Disconnected", "representation": "3", "text": "{0}{1}" }, { "operator": "Default", "thresholdValue": null, "representation": "success", "text": "{0}{1}" } ] } }, { "columnMatch": "agentVersion", "formatter": 1 }, { "columnMatch": "lastStatusChange", "formatter": 6 }, { "columnMatch": "osName", "formatter": 5 }, { "columnMatch": "osSku", "formatter": 1 }, { "columnMatch": "ComputerName", "formatter": 5 }, { "columnMatch": "MMA", "formatter": 18, "formatOptions": { "thresholdsOptions": "icons", "thresholdsGrid": [ { "operator": "contains", "thresholdValue": "Agent", "representation": "success", "text": "Deployed" }, { "operator": "Default", "thresholdValue": null, "representation": "unknown", "text": "Not Deployed" } ] } }, { "columnMatch": "Status", "formatter": 18, 
"formatOptions": { "thresholdsOptions": "icons", "thresholdsGrid": [ { "operator": "contains", "thresholdValue": "Succeeded", "representation": "success", "text": "{0}{1}" }, { "operator": "is Empty", "representation": "Blank", "text": "{0}{1}" }, { "operator": "Default", "thresholdValue": null, "representation": "2", "text": "{0}{1}" } ] } }, { "columnMatch": "Version", "formatter": 1 }, { "columnMatch": "ComputerName1", "formatter": 5 }, { "columnMatch": "AMA", "formatter": 18, "formatOptions": { "thresholdsOptions": "icons", "thresholdsGrid": [ { "operator": "contains", "thresholdValue": "Agent", "representation": "success", "text": "Deployed" }, { "operator": "Default", "thresholdValue": null, "representation": "unknown", "text": "Not Deployed" } ] } }, { "columnMatch": "Status1", "formatter": 18, "formatOptions": { "thresholdsOptions": "icons", "thresholdsGrid": [ { "operator": "is Empty", "representation": "Blank", "text": "{0}{1}" }, { "operator": "contains", "thresholdValue": "Succeeded", "representation": "success", "text": "{0}{1}" }, { "operator": "Default", "thresholdValue": null, "representation": "2", "text": "{0}{1}" } ] } }, { "columnMatch": "Version1", "formatter": 1 } ], "rowLimit": 5000, "filter": true, "labelSettings": [ { "columnId": "Time", "label": "Last Heartbeat" }, { "columnId": "resourceGroup", "label": "Resource Group" }, { "columnId": "osSku", "label": "Operating System" }, { "columnId": "Status", "label": "MMA Status" }, { "columnId": "Status1", "label": "AMA Status" }, { "columnId": "Version1", "label": "Version" } ] } }, "name": "ArcAgents-Full" } ] }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "ArcMachines" }, "name": "Arc tab" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "resources\r\n| where \"{Subscription:Id}\" has subscriptionId or \"{Subscription}\" == \"\"\r\n| where \"{resourceGroup:label}\" contains resourceGroup or \"{resourceGroup}\" == \"\" \r\n| 
where type has 'microsoft.compute/virtualmachines/extensions' or type has 'microsoft.hybridcompute/machines/extensions'\r\n| where name has 'MicrosoftMonitoringAgent' or name has 'OmsAgentForLinux' \r\n| extend Server = extract('(.*)/extensions',1,id)\r\n| extend Subscription = extract('(/subscriptions/.*)/resource.*',1,id)\r\n| summarize count() by Server, subscriptionId, resourceGroup, Subscription\r\n| project Server, resourceGroup, Subscription\r\n| sort by Server asc", "size": 0, "title": "Azure or Arc machines with MMA", "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", "crossComponentResources": [ "{Subscription}" ] }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "MMA" }, "name": "query - 1" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "resources \r\n| where \"{Subscription:Id}\" has subscriptionId or \"{Subscription}\" == \"\"\r\n| where \"{resourceGroup:label}\" contains resourceGroup or \"{resourceGroup}\" == \"\"\r\n| where type has 'microsoft.compute/virtualmachines/extensions' or type has 'microsoft.hybridcompute/machines/extensions'\r\n| where name has 'AzureMonitorWindowsAgent' or name has 'AzureMonitorLinuxAgent' \r\n| extend VM = extract('(/subscriptions.*)/extensions',1,id)\r\n| extend Subscription = extract('(/subscriptions/.*)/resource.*',1,id)\r\n| summarize count() by VM, subscriptionId, resourceGroup, Subscription\r\n| project VM, resourceGroup, Subscription\r\n| sort by VM asc", "size": 0, "title": "Machines with AMA", "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", "crossComponentResources": [ "{Subscription}" ] }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "AMA" }, "name": "query - 2" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "resources\r\n| where \"{resourceGroup:label}\" contains resourceGroup or \"{resourceGroup}\" == \"\"\r\n| where type has 
'microsoft.compute/virtualmachines/extensions' or type has 'microsoft.hybridcompute/machines/extensions'\r\n| where name has 'MicrosoftMonitoringAgent' or name has 'OmsAgentForLinux' or name has 'AzureMonitorWindowsAgent' or name has 'AzureMonitorLinuxAgent'\r\n| extend AzureVM = extract('virtualmachines|virtualMachines/(.*)/extensions',1,id), ArcVM = extract('machines/(.*)/extensions',1,id)\r\n| summarize count() by AzureVM=tolower(AzureVM), ArcVM=tolower(ArcVM), subscriptionId, resourceGroup \r\n| extend hasBoth = iff(count_ > 1, 'Yes', 'No') | where count_ > 1 \r\n| join (resources | where \"{resourceGroup:label}\" contains resourceGroup or \"{resourceGroup}\" == \"\" | where type has 'microsoft.compute/virtualmachines/extensions' or type has 'microsoft.hybridcompute/machines/extensions'\r\n| where name has 'MicrosoftMonitoringAgent' or name has 'OmsAgentForLinux' \r\n| extend AzureVM = extract('virtualmachines|virtualMachines/(.*)/extensions',1,id)) on AzureVM \r\n| project AzureVM, ArcVM, resourceGroup, MMAVersion=name, hasBoth", "size": 0, "title": "Machines with Both Agents under any RG", "queryType": 1, "resourceType": "microsoft.resourcegraph/resources" }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Both" }, "name": "query - 3" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let onprem = Heartbeat | where isempty(_ResourceId) == true;\r\nlet Arc = Heartbeat | where ResourceProvider =~ \"microsoft.hybridcompute\";\r\nunion withsource=\"Heartbeat\"\r\nonprem, Arc\r\n| summarize by Computer, OSType, ResourceProvider", "size": 0, "title": "Non-Azure or hybrid VMs under any RG reporting to {Workspace:label} in the last 30d", "timeContext": { "durationMs": 2592000000 }, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "sortBy": [ { "itemKey": "ResourceProvider", "sortOrder": 2 } ] }, "sortBy": [ { 
"itemKey": "ResourceProvider", "sortOrder": 2 } ] }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "NAorHybrid" }, "name": "query - 9" } ] }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "ServersExtensions" }, "name": "Selection of Machines" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"/subscriptions/{Subscription2:Id}/providers/Microsoft.Insights/dataCollectionRules\",\"urlParams\":[{\"key\":\"api-version\",\"value\":\"2019-11-01-preview\"}],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$.value\",\"columns\":[{\"path\":\"name\",\"columnid\":\"Name\"},{\"path\":\"$..workspaceResourceId\",\"columnid\":\"Workspace\"},{\"path\":\"kind\",\"columnid\":\"OS\"},{\"path\":\"properties.dataFlows[*].streams[0]\",\"columnid\":\"Streams\",\"substringRegexMatch\":\"(Microsoft-)*(\\\\w+)\",\"substringReplace\":\"$2\"},{\"path\":\"$..xPathQueries\",\"columnid\":\"xPath\"},{\"path\":\"location\",\"columnid\":\"Location\"},{\"path\":\"$..facilityNames\",\"columnid\":\"SyslogFacilities\"}]}}]}", "size": 0, "title": "Get all DCRs under {Subscription:label}", "exportedParameters": [ { "fieldName": "Name", "parameterName": "dcrName", "parameterType": 1 }, { "fieldName": "resourceGroup", "parameterName": "resourceGroup", "parameterType": 1 } ], "queryType": 12, "gridSettings": { "formatters": [ { "columnMatch": "workspace2", "formatter": 5 } ] } }, "conditionalVisibility": { "parameterName": "0", "comparison": "isEqualTo", "value": "0" }, "name": "Get DCRs and associations" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "resources\r\n| where type has 'microsoft.insights/datacollectionrules'\r\n| extend Subscription = extract('(/subscriptions/.*)/resource.*',1,id)\r\n| project name, Subscription, resourceGroup", 
"size": 0, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", "crossComponentResources": [ "value::all" ] }, "conditionalVisibility": { "parameterName": "0", "comparison": "isEqualTo", "value": "0" }, "name": "Get DCRs from Graph" }, { "type": 1, "content": { "json": "Use this section to see all the DCRs under the selected subscription. You will find the streams and the xPath query of each rule.\r\nThe stream will normally match the destination table in the Microsoft Sentinel workspace. If it starts with \"Microsoft-\", the destination table is what comes after. For example, if the stream says \"Microsoft-Perf\", then the destination table is \"Perf\".\r\nClick on a DCR to see the VMs associated with it.\r\nNote: the DCR details are retrieved through direct Azure Resource Manager calls, so your account needs read access to the data collection rules in the selected subscription. DCRs are matched to their resource group by name only, so DCRs that share a name across resource groups or subscriptions may appear merged.", "style": "info" }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "DCRs" }, "name": "Help tab 2" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{\"version\":\"Merge/1.0\",\"merges\":[{\"id\":\"bee4471d-99cc-4c86-9f3a-1e4f0a05e32a\",\"mergeType\":\"leftouter\",\"leftTable\":\"Get DCRs and associations\",\"rightTable\":\"Get DCRs from Graph\",\"leftColumn\":\"Name\",\"rightColumn\":\"name\"}],\"projectRename\":[{\"originalName\":\"[Get DCRs and associations].Name\",\"mergedName\":\"Name\",\"fromId\":\"bee4471d-99cc-4c86-9f3a-1e4f0a05e32a\"},{\"originalName\":\"[Get DCRs and associations].Workspace\",\"mergedName\":\"Workspace\",\"fromId\":\"bee4471d-99cc-4c86-9f3a-1e4f0a05e32a\"},{\"originalName\":\"[Get DCRs and associations].OS\",\"mergedName\":\"OS\",\"fromId\":\"bee4471d-99cc-4c86-9f3a-1e4f0a05e32a\"},{\"originalName\":\"[Get DCRs and associations].Streams\",\"mergedName\":\"Streams\",\"fromId\":\"bee4471d-99cc-4c86-9f3a-1e4f0a05e32a\"},{\"originalName\":\"[Get DCRs and associations].xPath\",\"mergedName\":\"xPath\",\"fromId\":\"bee4471d-99cc-4c86-9f3a-1e4f0a05e32a\"},{\"originalName\":\"[Get DCRs and 
associations].Location\",\"mergedName\":\"Location\",\"fromId\":\"bee4471d-99cc-4c86-9f3a-1e4f0a05e32a\"},{\"originalName\":\"[Get DCRs and associations].SyslogFacilities\",\"mergedName\":\"SyslogFacilities\",\"fromId\":\"bee4471d-99cc-4c86-9f3a-1e4f0a05e32a\"},{\"originalName\":\"[Get DCRs from Graph].id\",\"mergedName\":\"id\",\"fromId\":\"bee4471d-99cc-4c86-9f3a-1e4f0a05e32a\"},{\"originalName\":\"[Get DCRs from Graph].name\",\"mergedName\":\"name\",\"fromId\":\"bee4471d-99cc-4c86-9f3a-1e4f0a05e32a\"},{\"originalName\":\"[Get DCRs from Graph].kind\",\"mergedName\":\"kind\",\"fromId\":\"bee4471d-99cc-4c86-9f3a-1e4f0a05e32a\"},{\"originalName\":\"[Get DCRs from Graph].resourceGroup\",\"mergedName\":\"resourceGroup\",\"fromId\":\"bee4471d-99cc-4c86-9f3a-1e4f0a05e32a\"},{\"originalName\":\"[Get DCRs from Graph].Subscription\",\"mergedName\":\"Subscription\",\"fromId\":\"unknown\"}]}", "size": 0, "title": "Select a DCR to view associated VMs", "exportedParameters": [ { "fieldName": "Name", "parameterName": "DCR", "parameterType": 1 }, { "fieldName": "resourceGroup", "parameterName": "DCRrg", "parameterType": 1 } ], "queryType": 7 }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "DCRs" }, "name": "Merge - DCRs and RG" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"/subscriptions/{Subscription2:Id}/resourceGroups/{DCRrg}/providers/Microsoft.Insights/dataCollectionRules/{DCR}/associations\",\"urlParams\":[{\"key\":\"api-version\",\"value\":\"2019-11-01-preview\"}],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$.value\",\"columns\":[{\"path\":\"id\",\"columnid\":\"VMs\",\"columnType\":\"string\",\"substringRegexMatch\":\"(\\\\/subscriptions.*)(\\\\/providers.*|Providers.*)\",\"substringReplace\":\"$1\"}]}}]}", "size": 4, "title": "VMs associated to the selected DCR", 
"noDataMessage": "No VMs found or no DCR selected above", "queryType": 12 }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "DCRs" }, "name": "query - 18" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "title": "View all VMs with AMA under the {Subscription:label} subscription and their data collection rules", "items": [ { "type": 1, "content": { "json": "These are all the servers with AMA installed. Select each one individually to see the Data Collection Rules associated with them.
You will find information such as what is being collected and which workspace those logs are sent to. The stream will normally match the destination table in the Microsoft Sentinel workspace. If it starts with \"Microsoft-\", the destination table is what comes after. For example, if the stream says \"Microsoft-Perf\", then the destination table is \"Perf\".
To learn more about DCRs, please check https://docs.microsoft.com/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent", "style": "info" }, "conditionalVisibilities": [ { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "AMAvms" }, { "parameterName": "Help", "comparison": "isEqualTo", "value": "Yes" } ], "name": "text - 19" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "resources\r\n| where type has 'microsoft.compute/virtualmachines' or type has \"microsoft.hybridcompute/machines\" \r\n| project Computer=tolower(name)\r\n| join (resources | where type has 'microsoft.compute/virtualmachines/extensions' \r\n| where name has 'azuremonitorwindowsagent' or name has 'azuremonitorlinuxagent' \r\n| extend type, temp = extract('virtualmachines|virtualMachines/(.*)/extensions',1,id), vmid = extract('(/subscriptions/.*achines/.*)(/extensions*)',1,id)\r\n| extend Subscription = extract('(/subscriptions/.*)/resource.*',1,id)\r\n| extend Computer = tolower(temp)\r\n)\r\non Computer\r\n| union (resources | where type has 'microsoft.hybridcompute/machines/extensions'\r\n| where name has 'azuremonitorwindowsagent' or name has 'azuremonitorlinuxagent'\r\n| extend id, Computer = extract('machines/(.*)/extensions',1,id), vmid = extract('(/subscriptions/.*achines/.*)(/extensions*)',1,id))\r\n| project vmid, Computer, resourceGroup, location, Subscription", "size": 0, "title": "Get Azure and hybrid VMs with AMA", "exportedParameters": [ { "fieldName": "Computer", "parameterName": "vmname", "parameterType": 1 }, { "fieldName": "resourceGroup", "parameterName": "vmrg", "parameterType": 1 }, { "fieldName": "vmid", "parameterName": "vmid1", "parameterType": 1 } ], "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", "crossComponentResources": [ "{Subscription}" ], "gridSettings": { "formatters": [ { "columnMatch": "vmname", "formatter": 5 } ], "sortBy": [ { "itemKey": "$gen_link_vmid_0", "sortOrder": 2 } ] }, "sortBy": [ { 
"itemKey": "$gen_link_vmid_0", "sortOrder": 2 } ] }, "name": "Azure and hybrid VMs with AMA" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "resources \r\n| where type has 'microsoft.compute/virtualmachines/extensions' or type has 'microsoft.hybridcompute/machines/extensions'\r\n| where name has 'AzureMonitorWindowsAgent' or name has 'AzureMonitorLinuxAgent' \r\n| extend AzureVM = extract('virtualMachines/(.*)/extensions',1,id), ArcVM = extract('machines/(.*)/extensions',1,id) \r\n| summarize count() by AzureVM, ArcVM, subscriptionId, resourceGroup \r\n| project AzureVM, ArcVM, resourceGroup", "size": 0, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources" }, "conditionalVisibility": { "parameterName": "0", "comparison": "isEqualTo", "value": "0" }, "name": "Azure or Arc machines with AMA" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"/{vmid1}/providers/Microsoft.Insights/dataCollectionRuleAssociations\",\"urlParams\":[{\"key\":\"api-version\",\"value\":\"2019-11-01-preview\"}],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$.value\",\"columns\":[{\"path\":\"$..dataCollectionRuleId\",\"columnid\":\"DCRname\",\"substringRegexMatch\":\"\\\\/subscriptions\\\\/[A-Za-z0-9]{8}-[A-Za-z0-9]{4}-[A-Za-z0-9]{4}-[A-Za-z0-9]{4}-[A-Za-z0-9]{12}\\\\/\\\\w+\\\\/[a-zA-Z0-9\\\\.\\\\_\\\\-\\\\(\\\\)]{1,90}\\\\/providers\\\\/\\\\w+\\\\.\\\\w+\\\\/\\\\w+\\\\/([a-zA-Z0-9\\\\.\\\\_\\\\-\\\\(\\\\)]{1,64})\",\"substringReplace\":\"$1\"},{\"path\":\"$..dataCollectionRuleId\",\"columnid\":\"DCR\"},{\"path\":\"$..dataCollectionRuleId\",\"columnid\":\"DCRrg\",\"substringRegexMatch\":\"\\\\/.*\\\\/resource.*s\\\\/(.*)\\\\/providers.*\",\"substringReplace\":\"$1\"}]}}]}", "size": 0, "exportedParameters": [ { "fieldName": "DCRname", "parameterName": "DCRname", "parameterType": 1 }, { "fieldName": "DCRrg", 
"parameterName": "DCRrg", "parameterType": 1 } ], "queryType": 12 }, "conditionalVisibility": { "parameterName": "a", "comparison": "isEqualTo", "value": "a" }, "name": "Get DCR associations for a given VM" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"/subscriptions/{Subscription2:Id}/providers/Microsoft.Insights/dataCollectionRules\",\"urlParams\":[{\"key\":\"api-version\",\"value\":\"2019-11-01-preview\"}],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$.value\",\"columns\":[{\"path\":\"name\",\"columnid\":\"Name\"},{\"path\":\"properties.dataFlows[*].streams[0]\",\"columnid\":\"Streams\",\"substringRegexMatch\":\"(Microsoft-)*(\\\\w+)\",\"substringReplace\":\"$2\"},{\"path\":\"$..workspaceResourceId\",\"columnid\":\"Workspace\"},{\"path\":\"kind\",\"columnid\":\"OS\"},{\"path\":\"$..xPathQueries\",\"columnid\":\"xPath\",\"columnType\":\"string\"},{\"path\":\"$..facilityNames\",\"columnid\":\"SyslogFacilities\"},{\"path\":\"$..counterSpecifiers\",\"columnid\":\"CounterSpecifiers\"},{\"path\":\"properties.dataFlows[*].streams[0]\",\"columnid\":\"Custom\"}]}}]}", "size": 0, "queryType": 12 }, "conditionalVisibility": { "parameterName": "a", "comparison": "isEqualTo", "value": "a" }, "name": "Get ALL DCRs under subscription" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{\"version\":\"Merge/1.0\",\"merges\":[{\"id\":\"24881457-2964-4063-b883-330dad837178\",\"mergeType\":\"innerunique\",\"leftTable\":\"Get DCR associations for a given VM\",\"rightTable\":\"Get ALL DCRs under subscription\",\"leftColumn\":\"DCRname\",\"rightColumn\":\"Name\"}],\"projectRename\":[{\"originalName\":\"[Get DCR associations for a given VM].DCR\",\"mergedName\":\"DCR\",\"fromId\":\"24881457-2964-4063-b883-330dad837178\"},{\"originalName\":\"[Get DCR associations for a given VM].DCRrg\",\"mergedName\":\"DCR 
RG\",\"fromId\":\"24881457-2964-4063-b883-330dad837178\"},{\"originalName\":\"[Get ALL DCRs under subscription].OS\",\"mergedName\":\"OS\",\"fromId\":\"24881457-2964-4063-b883-330dad837178\"},{\"originalName\":\"[Get ALL DCRs under subscription].Workspace\",\"mergedName\":\"Workspace\",\"fromId\":\"24881457-2964-4063-b883-330dad837178\"},{\"originalName\":\"[Get ALL DCRs under subscription].Streams\",\"mergedName\":\"Streams\",\"fromId\":\"24881457-2964-4063-b883-330dad837178\"},{\"originalName\":\"[Get ALL DCRs under subscription].xPath\",\"mergedName\":\"xPath\",\"fromId\":\"24881457-2964-4063-b883-330dad837178\"},{\"originalName\":\"[Get ALL DCRs under subscription].SyslogFacilities\",\"mergedName\":\"SyslogFacilities\",\"fromId\":\"24881457-2964-4063-b883-330dad837178\"},{\"originalName\":\"[Get ALL DCRs under subscription].CounterSpecifiers\",\"mergedName\":\"CounterSpecifiers\",\"fromId\":\"24881457-2964-4063-b883-330dad837178\"},{\"originalName\":\"[Get ALL DCRs under subscription].Parsed streams\",\"mergedName\":\"Parsed streams\",\"fromId\":\"unknown\"},{\"originalName\":\"[Get ALL DCRs under subscription].ParsedStreams\",\"mergedName\":\"ParsedStreams\",\"fromId\":\"unknown\"},{\"originalName\":\"[Get ALL DCRs under subscription].test\",\"mergedName\":\"test\",\"fromId\":\"unknown\"},{\"originalName\":\"[Get ALL DCRs under subscription].WindowsStreams\",\"mergedName\":\"WindowsStreams\",\"fromId\":\"unknown\"},{\"originalName\":\"[Get ALL DCRs under subscription].SyslogStreams\",\"mergedName\":\"SyslogStreams\",\"fromId\":\"unknown\"},{\"originalName\":\"[Get ALL DCRs under subscription].DataFlows\",\"mergedName\":\"DataFlows\",\"fromId\":\"unknown\"},{\"originalName\":\"[Get ALL DCRs under subscription].LinuxStreams\",\"mergedName\":\"LinuxStreams\",\"fromId\":\"unknown\"},{\"originalName\":\"[Get DCR associations for a given VM].DCRname\"},{\"originalName\":\"[Get ALL DCRs under subscription].Name\"},{\"originalName\":\"[Get ALL DCRs under 
subscription].Custom\"},{\"originalName\":\"[Get ALL DCRs under subscription].Streams2\"},{\"originalName\":\"[Get ALL DCRs under subscription].StreamsRegex\"}]}", "size": 1, "queryType": 7 }, "showPin": false, "name": "query - 4" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "beb26b8d-3f76-4177-8dac-5c7f7e19791d", "version": "KqlParameterItem/1.0", "name": "TimeRange", "label": "Time range", "type": 4, "isRequired": true, "value": { "durationMs": 2592000000 }, "typeSettings": { "selectableValues": [ { "durationMs": 86400000 }, { "durationMs": 259200000 }, { "durationMs": 604800000 }, { "durationMs": 1209600000 }, { "durationMs": 2592000000 }, { "durationMs": 7776000000 } ], "allowCustom": true }, "timeContext": { "durationMs": 86400000 } } ], "style": "pills", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "AMAvms" }, "name": "Time Picker" }, { "type": 1, "content": { "json": "Below you can find the number of events submitted by the selected VM to some of the main native tables in Microsoft Sentinel and Log Analytics.
The first graph includes events logged in the tables: SecurityEvent, Heartbeat, Perf and Event.
The second graph shows the number of events forwarded by the selected VM to the WindowsEvent table if you are using the Windows Forwarded Events connector.
Note that if the selected VM also has MMA installed, the logs could come from either agent (AMA or MMA); these charts do not distinguish which agent sent them.", "style": "info" }, "conditionalVisibilities": [ { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "AMAvms" }, { "parameterName": "Help", "comparison": "isEqualTo", "value": "Yes" } ], "name": "text - 19 - Copy" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "SecurityEvent | union Heartbeat, Event, Perf\r\n| extend _ResourceId, WEC = extract('Machines|machines/(.*)',1,_ResourceId)\r\n| where TimeGenerated {TimeRange} and Computer == \"{vmname}\" or WEC == \"{vmname}\"\r\n| summarize count() by bin(TimeGenerated, 1d), Type\r\n| project Table=Type, TimeGenerated, count_", "size": 0, "title": "{TimeRange:label}: Number of events in {Workspace:label} for {vmname} in the SecurityEvent, Heartbeat, Perf or Event tables", "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "linechart", "chartSettings": { "showLegend": true } }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "AMAvms" }, "name": "LA volume by Table" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "WindowsEvent\r\n| extend _ResourceId, WEC = extract('Machines|machines/(.*)',1,_ResourceId)\r\n| where TimeGenerated {TimeRange} and WEC == \"{vmname}\"\r\n| summarize count() by bin(TimeGenerated, 1d)\r\n| project TimeGenerated, count_", "size": 0, "title": "{TimeRange:label}: Number of WEF events in {Workspace:label} forwarded by {vmname} to the WindowsEvent table", "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "linechart", "chartSettings": { "showLegend": true } }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": 
"isEqualTo", "value": "AMAvms" }, "name": "WEF" } ] }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "AMAvms" }, "name": "VMs and DCRA" } ], "fallbackResourceIds": [ ], "fromTemplateId": "sentinel-AMAmigrationTracker", "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" }