Azure Graph Queries Collection

i90runner1

Source : [https://www.cloudsma.com/2021/02/find-orphaned-azure-resources/]

[https://docs.microsoft.com/en-us/azure/governance/resource-graph/samples/advanced?tabs=azure-cli#join-sql]

[https://github.com/scautomation/AzureResourceGraph-Examples]

Find Orphaned Disks

Resources
| where type has "microsoft.compute/disks"
| extend diskState = tostring(properties.diskState)
| where managedBy == "" or diskState == 'Unattached'
| project id, diskState, resourceGroup, location, subscriptionId , sku.tier , properties.diskSizeGB

Find Orphaned NICs

Resources
| where type has "microsoft.network/networkinterfaces"
| where "{nicWithPrivateEndpoints}" !has id
| where properties !has 'virtualmachine'
| project id, resourceGroup, location, subscriptionId

NSGs

This query isn’t technically an orphaned resource, however if you make an NSG you typically want it applied to a NIC or subnet. This query looks through the Network/networksecuritygroups resource type and looks for null network interfaces and subnets under the properties.

Resources
| where type =~ 'microsoft.network/networksecuritygroups' and isnull(properties.networkInterfaces) and isnull(properties.subnets)
| project Resource=id, resourceGroup, subscriptionId, location

NSGs across subscriptions

Resources
| where type =~ "microsoft.network/networksecuritygroups"
| join kind=leftouter (ResourceContainers | where type=='microsoft.resources/subscriptions' | project SubcriptionName=name, subscriptionId) on subscriptionId
//| where resourceGroup == 'production' or resourceGroup == 'testing'
// Only if you don't want to see all, add more resourceGroups as needed: or resourceGroup == 'xxx'
| mv-expand rules=properties.securityRules
| extend direction = tostring(rules.properties.direction)
| extend priority = toint(rules.properties.priority)
| extend description = rules.properties.description
| extend destprefix = rules.properties.destinationAddressPrefix
| extend destport = rules.properties.destinationPortRange
| extend sourceprefix = rules.properties.sourceAddressPrefix
| extend sourceport = rules.properties.sourcePortRange
| extend subnet_name = split((split(tostring(properties.subnets), '/'))[10], '"')[0]
//| where destprefix == '*'
| project SubcriptionName, resourceGroup, subnet_name, name, direction, priority, destprefix, destport, sourceprefix, sourceport, description //, subscriptionId, rules.properties
| sort by SubcriptionName, resourceGroup asc, name, direction asc, priority asc
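
An added example, not part of the original post or its sources: a review query built on the rule listing above that keeps only inbound allow rules whose source is unrestricted. It assumes the NSG rule properties `access`, `protocol`, `sourceAddressPrefixes` and `destinationPortRanges`, which the post does not use; rules defined with several prefixes or ports store them in the plural fields and show up blank in the singular columns.

```kusto
// Added example: inbound "Allow" rules open to any source, for NSG review.
Resources
| where type =~ 'microsoft.network/networksecuritygroups'
| mv-expand rules = properties.securityRules
| extend ruleName  = tostring(rules.name),
         direction = tostring(rules.properties.direction),
         access    = tostring(rules.properties.access),
         priority  = toint(rules.properties.priority),
         protocol  = tostring(rules.properties.protocol)
// A rule holds either one value (singular field) or a list (plural field).
// Fall back to the list, rendered as JSON text, when the singular field is empty.
| extend sourceprefix = iff(isnotempty(tostring(rules.properties.sourceAddressPrefix)),
                            tostring(rules.properties.sourceAddressPrefix),
                            tostring(rules.properties.sourceAddressPrefixes))
| extend destport = iff(isnotempty(tostring(rules.properties.destinationPortRange)),
                        tostring(rules.properties.destinationPortRange),
                        tostring(rules.properties.destinationPortRanges))
| where direction =~ 'Inbound' and access =~ 'Allow'
| where sourceprefix in~ ('*', 'Internet', '0.0.0.0/0')
// Same attachment test as the unattached-NSG query above, inverted.
| extend attached = not(isnull(properties.subnets) and isnull(properties.networkInterfaces))
| project subscriptionId, resourceGroup, nsg = name, ruleName, priority,
          protocol, sourceprefix, destport, attached
| sort by subscriptionId asc, resourceGroup asc, nsg asc, priority asc
```

Rows with `attached == true` are the ones in effect on a subnet or NIC; the rest belong to NSGs the unattached-NSG query would also list.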
