From 240cd7055e2813d8869591792bedc828bc5be71f Mon Sep 17 00:00:00 2001
From: Jimmy Fitzsimmons <44599392+jimmyfit@users.noreply.github.com>
Date: Mon, 3 Oct 2022 16:15:19 +1100
Subject: [PATCH] Create KQL to support new update management heartbeat
 visualisation

---
 kql/windows-software-updates-heartbeat.kql | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
 create mode 100644 kql/windows-software-updates-heartbeat.kql

diff --git a/kql/windows-software-updates-heartbeat.kql b/kql/windows-software-updates-heartbeat.kql
new file mode 100644
index 0000000..612d948
--- /dev/null
+++ b/kql/windows-software-updates-heartbeat.kql
@@ -0,0 +1,14 @@
+//Note: The following ARG and AML queries are used to create an Azure Monitor Workbooks merge to show update heartbeat with ARG providing inventory
+
+//Summarise the VMs and Arc-enabled VMs according to ARG
+resources
+| where type == "microsoft.compute/virtualmachines" or type == "microsoft.hybridcompute/machines"
+| extend location=iif(type == "microsoft.compute/virtualmachines",location,tags.Datacenter),VMUUID=properties.vmUuid,VMID=properties.vmId
+| extend UpdateUUID=iif(type=="microsoft.compute/virtualmachines",VMID,VMUUID)
+| project id,Name=name,UpdateUUID
+
+//Provides heartbeat time according to Update Management
+Update
+| where TimeGenerated > now(-2days)
+| summarize arg_max(TimeGenerated, *) by VMUUID
+| project ResourceId, VMUUID, UpdateStatusHeartbeatHours = datetime_diff("hour",now(),TimeGenerated)
\ No newline at end of file