From c3e1574f52aba05ea5d758e20256cdd8df085ad2 Mon Sep 17 00:00:00 2001 
From: noakup Date: Tue, 23 Jun 2020 16:08:14 +0300 Subject: [PATCH] Adding example queries --- .../API Management services/Alerts/README | 1 + .../Queries/Diagnostics/Cache hit ratio.txt | 12 +++++ .../Diagnostics/Client TLS versions.txt | 9 ++++ .../Errors/Error reasons breakdown.txt | 10 ++++ ...e to issues not related to the backend.txt | 11 +++++ ...s due to issues related to the backend.txt | 10 ++++ .../Errors/Last 100 failed requests.txt | 10 ++++ .../Queries/Latency/Backend latency.txt | 10 ++++ .../Queries/Latency/Client latency.txt | 10 ++++ .../Queries/Latency/Overall latency.txt | 10 ++++ .../Performance/Bandwidth consumed.txt | 11 +++++ .../API Management services/Queries/README | 1 + .../Usage/Logs of the last 100 calls.txt | 8 ++++ .../Queries/Usage/Number of calls by APIs.txt | 10 ++++ .../Queries/Usage/Number of requests.txt | 10 ++++ .../Queries/Usage/Request sizes.txt | 10 ++++ .../Queries/Usage/Response sizes.txt | 10 ++++ .../API Management services/Workbooks/README | 1 + Azure Services/App Services/Alerts/README | 1 + .../App logs for each App Service.txt | 9 ++++ .../App Logs/Count app logs by severity.txt | 9 ++++ ...udit Logs relating to unexpected users.txt | 8 ++++ ...it Logs relating to a Delete operation.txt | 8 ++++ .../Line chart of response times.txt | 11 +++++ .../Pie chart of HTTP response codes.txt | 11 +++++ ...e logs relating to application startup.txt | 8 ++++ Azure Services/App Services/Queries/README | 1 + Azure Services/App Services/Workbooks/README | 1 + .../Application Insights/Alerts/README | 1 + .../Browsing data/Page views trend.txt | 10 ++++ .../Queries/Browsing data/Slowest pages.txt | 11 +++++ .../Top 3 browser exceptions.txt | 10 ++++ .../Performance/Operations performance.txt | 9 ++++ .../Performance/Request count trend.txt | 9 ++++ .../Performance/Response time buckets.txt | 11 +++++ .../Performance/Response time trend.txt | 10 ++++ .../Top 10 countries by traffic.txt | 10 ++++ .../Application 
Insights/Queries/README | 1 + .../Exceptions causing request failures.txt | 13 +++++ .../Reports failures/Failed operations.txt | 10 ++++ .../Failed requests top 10.txt | 11 +++++ .../Reports failures/Failing dependencies.txt | 10 ++++ .../Application Insights/Workbooks/README | 1 + .../Application gateways/Alerts/README | 1 + .../Queries/Analytics/Errors by URI.txt | 10 ++++ .../Analytics/Errors by user agent.txt | 10 ++++ .../Queries/Analytics/Top 10 Client IPs.txt | 10 ++++ .../Queries/Analytics/Top HTTP versions.txt | 10 ++++ .../Failed requests per hour.txt | 10 ++++ .../NonSSL requests per hour.txt | 10 ++++ .../Incoming requests/Requests per hour.txt | 10 ++++ .../Application gateways/Queries/README | 1 + .../Application gateways/Workbooks/README | 1 + .../Automation accounts/Alerts/README | 1 + ...ure Automation jobs that are Completed.txt | 9 ++++ ...s that are failed suspended or stopped.txt | 9 ++++ ...s in automation jobs from the last day.txt | 10 ++++ ...ook completed successfully with errors.txt | 9 ++++ .../View historical job status.txt | 9 ++++ .../Computers list.txt | 48 +++++++++++++++++++ .../Missing updates list.txt | 29 +++++++++++ .../Missing updates summary.txt | 25 ++++++++++ ...installation failure for your machines.txt | 18 +++++++ ...y of updates available across machines.txt | 9 ++++ .../Updates available for Linux machines.txt | 10 ++++ ...Updates available for Windows machines.txt | 10 ++++ .../Automation accounts/Queries/README | 1 + .../Automation accounts/Workbooks/README | 1 + .../Azure Activity logs/Alerts/README | 1 + .../Activity logs/Failed operations.txt | 9 ++++ .../Queries/Activity logs/Latest 50 logs.txt | 8 ++++ .../Activity logs/Operations status.txt | 8 ++++ .../Recent Azure Activity logs.txt | 9 ++++ .../Azure Activity logs/Queries/README | 1 + .../Azure Activity logs/Workbooks/README | 1 + .../Alerts/README | 1 + ...w audit log events in CONNECTION class.txt | 11 +++++ ...view audit log events in GENERAL class.txt | 
11 +++++ .../Execution time exceeding a threshold.txt | 11 +++++ .../Performance/Show Querys statistics.txt | 12 +++++ .../Performance/Show the Slowest queries.txt | 11 +++++ .../Queries/README | 1 + .../Workbooks/README | 1 + .../Alerts/README | 1 + ...w audit log events in CONNECTION class.txt | 11 +++++ ...view audit log events in GENERAL class.txt | 11 +++++ .../Execution time exceeding a threshold.txt | 11 +++++ .../Performance/Show Querys statistics.txt | 12 +++++ .../Performance/Show the Slowest queries.txt | 11 +++++ .../Queries/README | 1 + .../Workbooks/README | 1 + .../Alerts/README | 1 + .../Audit logs for tables and event types.txt | 11 +++++ .../Queries/Audit Logs/Audit logs.txt | 10 ++++ .../Queries/Diagnostics/Autovacuum events.txt | 11 +++++ .../Queries/Diagnostics/Deadlocks.txt | 10 ++++ .../Diagnostics/Execution count trends.txt | 12 +++++ .../Queries/Diagnostics/Lock contention.txt | 9 ++++ .../Queries/Diagnostics/Query statistics.txt | 12 +++++ .../Queries/Diagnostics/Server restarts.txt | 11 +++++ .../Queries/Diagnostics/Top wait events.txt | 13 +++++ .../Queries/Diagnostics/Wait event trends.txt | 13 +++++ .../Queries/Errors/Find Errors.txt | 10 ++++ .../Queries/Performance/Queries waiting.txt | 22 +++++++++ ...h execution time exceeding a threshold.txt | 12 +++++ .../Queries/Performance/Slowest queries.txt | 12 +++++ .../Queries/README | 1 + ... 
two periods for query execution times.txt | 31 ++++++++++++ .../Unauthorized connections.txt | 10 ++++ .../Workbooks/README | 1 + Azure Services/Azure Monitor/Alerts/README | 1 + .../Availability/Availability rate.txt | 13 +++++ .../Computers availability today.txt | 10 ++++ .../Last heartbeat of each computer.txt | 9 ++++ .../Queries/Availability/List heartbeats.txt | 9 ++++ .../Availability/Unavailable computers.txt | 10 ++++ ...Common categories in Azure diagnostics.txt | 9 ++++ .../Errors in automation jobs.txt | 10 ++++ .../Azure diagnostics/Failed backup jobs.txt | 10 ++++ .../Azure diagnostics/Latest metrics.txt | 8 ++++ .../Network security events.txt | 10 ++++ .../Agent latency spikes Heartbeat table.txt | 23 +++++++++ .../Agent latency spikes by data type.txt | 22 +++++++++ ...tency endtoend spikes Heartbeat table.txt | 23 +++++++++ ... latency endtoend spikes by data type.txt | 22 +++++++++ ...atency endtoend timechart Event table.txt | 11 +++++ ...Total agent latency timechart last day.txt | 12 +++++ .../CPU usage trends over the last day.txt | 11 +++++ .../Performance/Memory and CPU usage.txt | 13 +++++ ... 
computers with the highest disk space.txt | 11 +++++ .../What data is being collected.txt | 9 ++++ Azure Services/Azure Monitor/Queries/README | 1 + .../Run a casesensitive search.txt | 7 +++ .../Search a table for a specific term.txt | 7 +++ .../Search a term through all logs.txt | 8 ++++ .../Search in multiple tables.txt | 7 +++ .../Search multiple terms.txt | 8 ++++ .../Show latest logs from all tables.txt | 9 ++++ .../Usage/Billable performance data.txt | 12 +++++ ...e spikes and slopes by Azure resource.txt | 22 +++++++++ ...lume spikes by Solution and data type.txt | 20 ++++++++ ...space ingestion over the last 24 hours.txt | 10 ++++ ...ce ingestion volume timechart last day.txt | 11 +++++ .../Queries/Usage/Usage by data types.txt | 11 +++++ .../Usage/Volume of solutions data.txt | 11 +++++ Azure Services/Azure Monitor/Workbooks/README | 1 + .../Azure Spring Cloud/Alerts/README | 1 + ...h contain the error or exception terms.txt | 10 ++++ ...d exception number of each application.txt | 13 +++++ .../Azure Spring Cloud/Queries/README | 1 + .../Show the config server logs.txt | 10 ++++ .../Azure Spring Cloud/Workbooks/README | 1 + Azure Services/Batch accounts/Alerts/README | 1 + .../Queries/Pools/Pool resize failures.txt | 10 ++++ .../Queries/Pools/Pool resizes.txt | 9 ++++ Azure Services/Batch accounts/Queries/README | 1 + .../Queries/Tasks/Failed tasks per job.txt | 9 ++++ .../Tasks/Successful tasks per job.txt | 10 ++++ .../Queries/Tasks/Task durations.txt | 10 ++++ .../Batch accounts/Workbooks/README | 1 + .../Container registries/Alerts/README | 1 + ...gin events reported over the last hour.txt | 9 ++++ ...try events reported over the last hour.txt | 9 ++++ .../Container registries/Queries/README | 1 + .../Container registries/Workbooks/README | 1 + Azure Services/Cosmos DB/Alerts/README | 1 + ...ns with throttles 429 in past 24 hours.txt | 12 +++++ .../Consumed RUs in last 24 hours.txt | 14 ++++++ .../Top logical partition keys by storage.txt | 12 +++++ 
...med Request Units RUs in last 24 hours.txt | 12 +++++ ...med Request Units RUs in last 24 hours.txt | 17 +++++++ Azure Services/Cosmos DB/Queries/README | 1 + Azure Services/Cosmos DB/Workbooks/README | 1 + Azure Services/Data Shares/Alerts/README | 1 + .../Chart of daily received snapshots.txt | 11 +++++ .../Audit/Chart of daily sent snapshots.txt | 11 +++++ .../Audit/List sent snapshots by duration.txt | 11 +++++ .../Count failed received snapshots.txt | 10 ++++ .../Errors/Count failed sent snapshots.txt | 10 ++++ .../Frequent errors in received snapshots.txt | 11 +++++ .../Frequent errors in sent snapshots.txt | 11 +++++ .../List received snapshots by duration.txt | 11 +++++ Azure Services/Data Shares/Queries/README | 1 + Azure Services/Data Shares/Workbooks/README | 1 + .../Event Grid Domains/Alerts/README | 1 + .../Delivery failures by domain and error.txt | 11 +++++ .../Publish failures by domain and error.txt | 11 +++++ .../Event Grid Domains/Queries/README | 1 + .../Event Grid Domains/Workbooks/README | 1 + .../Event Grid Topics/Alerts/README | 1 + .../Delivery failures by topic and error.txt | 11 +++++ .../Publish failures by topic and error.txt | 11 +++++ .../Event Grid Topics/Queries/README | 1 + .../Event Grid Topics/Workbooks/README | 1 + Azure Services/Event Hubs/Alerts/README | 1 + .../Access to keyvault key not found.txt | 10 ++++ .../Errors/Duration of Capture failure.txt | 10 ++++ .../Errors/Errors in the last 7 days.txt | 11 +++++ .../Queries/Kafka/Join request for client.txt | 9 ++++ Azure Services/Event Hubs/Queries/README | 1 + .../Operation performed with keyvault.txt | 10 ++++ Azure Services/Event Hubs/Workbooks/README | 1 + .../ExpressRoute circuits/Alerts/README | 1 + .../BGP informational messages.txt | 9 ++++ .../Queries/Diagnostics/BGP route table.txt | 10 ++++ ...ssRoute Circuit ArpAvailablility graph.txt | 10 ++++ .../ExpressRoute Circuit BGP availability.txt | 10 ++++ ... 
Circuit BitsInPerSecond traffic graph.txt | 10 ++++ ...Circuit BitsOutPerSecond traffic graph.txt | 10 ++++ .../ExpressRoute circuits/Queries/README | 1 + .../ExpressRoute circuits/Workbooks/README | 1 + Azure Services/Firewalls/Alerts/README | 1 + .../Application rule log data.txt | 34 +++++++++++++ .../Firewall Logs/Network rule log data.txt | 38 +++++++++++++++ .../Threat Intelligence rule log data.txt | 15 ++++++ Azure Services/Firewalls/Queries/README | 1 + Azure Services/Firewalls/Workbooks/README | 1 + Azure Services/Front Doors/Alerts/README | 1 + .../Request errors by host and path.txt | 13 +++++ .../Errors/Request errors by user agent.txt | 12 +++++ ...irewall blocked request count per hour.txt | 12 +++++ ...est count by host path rule and action.txt | 12 +++++ .../Top 20 blocked clients by IP and rule.txt | 13 +++++ Azure Services/Front Doors/Queries/README | 1 + ...arded backend requests by routing rule.txt | 11 +++++ .../Requests per hour.txt | 11 +++++ .../Top 10 client IPs and http versions.txt | 12 +++++ Azure Services/Front Doors/Workbooks/README | 1 + Azure Services/IoT Hub/Alerts/README | 1 + .../Queries/Availability/Dead endpoints.txt | 13 +++++ .../Diagnostics/SDK version of devices.txt | 13 +++++ .../Queries/Errors/Connectvity errors.txt | 9 ++++ .../Devices with most throttling errors.txt | 12 +++++ .../IoT Hub/Queries/Errors/Error summary.txt | 10 ++++ Azure Services/IoT Hub/Queries/README | 1 + .../Usage/Recently connected devices.txt | 11 +++++ Azure Services/IoT Hub/Workbooks/README | 1 + Azure Services/Key vaults/Alerts/README | 1 + .../List all input deserialization errors.txt | 9 ++++ Azure Services/Key vaults/Queries/README | 1 + .../Are there any failures.txt | 13 +++++ .../Are there any slow requests.txt | 11 +++++ .../How active has this KeyVault been.txt | 12 +++++ ...fast is this KeyVault serving requests.txt | 13 +++++ .../What changes occurred last month.txt | 13 +++++ .../Who is calling this KeyVault.txt | 11 +++++ Azure 
Services/Key vaults/Workbooks/README | 1 + .../Kubernetes services/Alerts/README | 1 + .../Audit/Container Lifecycle Information.txt | 9 ++++ .../List all the pods count with phase.txt | 36 ++++++++++++++ .../Readiness status per Node.txt | 28 +++++++++++ .../List container logs per namespace.txt | 11 +++++ .../Costing/Billable Log Data by logtype.txt | 13 +++++ .../Billable Log Data pernamespace.txt | 12 +++++ ...ntainer Insight solution billable data.txt | 12 +++++ .../Environment variable enriching.txt | 10 ++++ .../View data ingested by completed jobs.txt | 29 +++++++++++ .../Queries/Diagnostics/Image inventory.txt | 8 ++++ ...es Avg CPU usage growth from last week.txt | 25 ++++++++++ .../Queries/Diagnostics/Kubernetes events.txt | 11 +++++ ...ometheus disk read per second per node.txt | 23 +++++++++ ...g node CPU usage percentage per minute.txt | 38 +++++++++++++++ ...ode memory usage percentage per minute.txt | 37 ++++++++++++++ .../Queries/Performance/Container CPU.txt | 10 ++++ .../Queries/Performance/Container memory.txt | 13 +++++ .../Queries/Performance/Maximum node disk.txt | 11 +++++ .../Kubernetes services/Queries/README | 1 + .../Kubernetes services/Workbooks/README | 1 + Azure Services/Logic Apps/Alerts/README | 1 + .../Costing/Total billable executions.txt | 12 +++++ ...c App execution distribution by status.txt | 12 +++++ ...pp execution distribution by workflows.txt | 13 +++++ .../Errors/Triggered failuers count.txt | 16 +++++++ Azure Services/Logic Apps/Queries/README | 1 + Azure Services/Logic Apps/Workbooks/README | 1 + .../Recovery Services vaults/Alerts/README | 1 + ...up Items by Vault and Backup item type.txt | 13 +++++ ... 
Items with Protection Status modified.txt | 22 +++++++++ ...icies with retention duration modified.txt | 22 +++++++++ .../Queries/Jobs/All Failed Jobs.txt | 9 ++++ .../Queries/Jobs/All Successful Jobs.txt | 9 ++++ .../Distribution of Backup Jobs by Status.txt | 13 +++++ ...Distribution of Restore Jobs by Status.txt | 13 +++++ .../Recovery Services vaults/Queries/README | 1 + ...Cloud Storage Consumed per Backup Item.txt | 18 +++++++ .../Trend of total Cloud Storage consumed.txt | 14 ++++++ .../Recovery Services vaults/Workbooks/README | 1 + Azure Services/SQL databases/Alerts/README | 1 + .../Queries/Diagnostics/Loading Data.txt | 12 +++++ .../Queries/Diagnostics/Wait stats.txt | 11 +++++ .../Queries/Performance/Avg CPU usage.txt | 13 +++++ .../Performance troubleshooting.txt | 13 +++++ Azure Services/SQL databases/Queries/README | 1 + Azure Services/SQL databases/Workbooks/README | 1 + .../SQL managed instances/Alerts/README | 1 + ...isplay all active intelligent insights.txt | 9 ++++ ...orkload continously hitting CPU limits.txt | 13 +++++ .../SQL managed instances/Queries/README | 1 + ...treshold above 95 on managed instances.txt | 12 +++++ .../Storage on managed instances above 90.txt | 12 +++++ .../SQL managed instances/Workbooks/README | 1 + Azure Services/Service Bus/Alerts/README | 1 + ...Keyvault access attempt key not found.txt | 10 ++++ ...nagement operations in the last 7 days.txt | 10 ++++ .../Queries/Errors/Errors summary.txt | 10 ++++ Azure Services/Service Bus/Queries/README | 1 + .../Keyvault performed operational.txt | 10 ++++ .../Queries/Usage/AutoDeleted entities.txt | 11 +++++ Azure Services/Service Bus/Workbooks/README | 1 + Azure Services/Storage accounts/Alerts/README | 1 + .../Audit/Frequent operations chart.txt | 11 +++++ .../Queries/Audit/Show anonymous requests.txt | 9 ++++ .../Queries/Errors/Most common errors.txt | 10 ++++ .../Errors/Operations causing most errors.txt | 10 ++++ ...rations causing server side throttling.txt | 9 ++++ 
.../Operations with the highest latency.txt | 10 ++++ .../Storage accounts/Queries/README | 1 + .../Storage accounts/Workbooks/README | 1 + .../Stream Analytics jobs/Alerts/README | 1 + .../Events that arrived early.txt | 9 ++++ .../Events that arrived late.txt | 9 ++++ .../Events that arrived out of order.txt | 9 ++++ .../List all InvalidInputTimeStamp errors.txt | 9 ++++ ...st all InvalidInputTimeStampKey errors.txt | 9 ++++ .../List all input data errors.txt | 9 ++++ .../List all input deserialization errors.txt | 9 ++++ .../All logs with level Error.txt | 9 ++++ .../Operations that have Failed.txt | 9 ++++ ...ing logs Cosmos DB Power BI Event Hubs.txt | 9 ++++ ...f Failed operations in the last 7 days.txt | 10 ++++ ... of all data errors in the last 7 days.txt | 11 +++++ ...mmary of all errors in the last 7 days.txt | 11 +++++ .../Transient input and output errors.txt | 9 ++++ .../All output data errors.txt | 9 ++++ .../List all ColumnNameInvalid errors.txt | 9 ++++ .../List all DuplicateKey errors.txt | 9 ++++ ...ist all RecordExceededSizeLimit errors.txt | 9 ++++ .../List all RequiredColumnMissing errors.txt | 9 ++++ .../List all TypeConversionError errors.txt | 9 ++++ .../Stream Analytics jobs/Queries/README | 1 + .../Stream Analytics jobs/Workbooks/README | 1 + .../Traffic Manager profiles/Alerts/README | 1 + .../Endpoints with monitoring Status down.txt | 10 ++++ .../Traffic Manager profiles/Queries/README | 1 + .../Traffic Manager profiles/Workbooks/README | 1 + Azure Services/Virtual machines/Alerts/README | 1 + .../Availability/Not reporting VMs.txt | 9 ++++ .../Shut down Virtual Machines.txt | 9 ++++ .../Availability/Track VM availability.txt | 10 ++++ ...matic update configuration is disabled.txt | 10 ++++ .../Automatic update configuration.txt | 9 ++++ .../Computer with missing updates.txt | 11 +++++ ...stinct missing updates cross computers.txt | 10 ++++ .../Diagnostics/Find Linux kernel events.txt | 8 ++++ .../Queries/Diagnostics/Malware 
detection.txt | 10 ++++ .../Missing critical security updates.txt | 10 ++++ .../Missing required updates for server.txt | 12 +++++ ...ity or critical where update is manual.txt | 12 +++++ .../Diagnostics/Missing update rollups.txt | 11 +++++ .../Missing update specific product.txt | 9 ++++ .../Diagnostics/Protection Status updates.txt | 10 ++++ .../Diagnostics/Search in multiple tables.txt | 8 ++++ .../Show the trend of a selected event.txt | 10 ++++ .../Diagnostics/Signatures out of date.txt | 10 ++++ .../Diagnostics/Stopped Windows services.txt | 10 ++++ .../Queries/Diagnostics/Using wildcards.txt | 8 ++++ ...er missing security co critical update.txt | 11 +++++ .../Queries/Errors/Reported errors.txt | 10 ++++ .../Bottom 10 Free disk space .txt | 12 +++++ .../Performance/Chart CPU usage trends.txt | 14 ++++++ .../Logical disk space below threshold.txt | 12 +++++ ...10 Virtual Machines by CPU utilization.txt | 12 +++++ .../Virtual Machine available memory.txt | 13 +++++ .../Virtual Machine free disk space.txt | 12 +++++ .../What data is being collected.txt | 8 ++++ .../Virtual machines/Queries/README | 1 + .../Queries/Security/Linux failed logins.txt | 10 ++++ .../Members added to security groups.txt | 10 ++++ .../Missing security or critical updates.txt | 11 +++++ .../Security/Uses of clear text password.txt | 11 +++++ .../Security/Windows failed logins.txt | 10 ++++ .../Virtual machines/Workbooks/README | 1 + Solutions/SurfaceHub/Alerts/README | 1 + .../Queries/Diagnostics/Hardware Alert.txt | 9 ++++ .../Queries/Diagnostics/Hardware Minor.txt | 9 ++++ .../Queries/Error/Cleanup Failure.txt | 9 ++++ .../Queries/Error/Exchange Error.txt | 9 ++++ .../SurfaceHub/Queries/Error/Skype Error.txt | 9 ++++ .../Queries/Error/Software Alert.txt | 9 ++++ Solutions/SurfaceHub/Queries/README | 1 + Solutions/SurfaceHub/Workbooks/README | 1 + 391 files changed, 3525 insertions(+) create mode 100644 Azure Services/API Management services/Alerts/README create mode 100644 Azure 
Services/API Management services/Queries/Diagnostics/Cache hit ratio.txt create mode 100644 Azure Services/API Management services/Queries/Diagnostics/Client TLS versions.txt create mode 100644 Azure Services/API Management services/Queries/Errors/Error reasons breakdown.txt create mode 100644 Azure Services/API Management services/Queries/Errors/Get failed requests due to issues not related to the backend.txt create mode 100644 Azure Services/API Management services/Queries/Errors/Get failed requests due to issues related to the backend.txt create mode 100644 Azure Services/API Management services/Queries/Errors/Last 100 failed requests.txt create mode 100644 Azure Services/API Management services/Queries/Latency/Backend latency.txt create mode 100644 Azure Services/API Management services/Queries/Latency/Client latency.txt create mode 100644 Azure Services/API Management services/Queries/Latency/Overall latency.txt create mode 100644 Azure Services/API Management services/Queries/Performance/Bandwidth consumed.txt create mode 100644 Azure Services/API Management services/Queries/README create mode 100644 Azure Services/API Management services/Queries/Usage/Logs of the last 100 calls.txt create mode 100644 Azure Services/API Management services/Queries/Usage/Number of calls by APIs.txt create mode 100644 Azure Services/API Management services/Queries/Usage/Number of requests.txt create mode 100644 Azure Services/API Management services/Queries/Usage/Request sizes.txt create mode 100644 Azure Services/API Management services/Queries/Usage/Response sizes.txt create mode 100644 Azure Services/API Management services/Workbooks/README create mode 100644 Azure Services/App Services/Alerts/README create mode 100644 Azure Services/App Services/Queries/App Logs/App logs for each App Service.txt create mode 100644 Azure Services/App Services/Queries/App Logs/Count app logs by severity.txt create mode 100644 Azure Services/App Services/Queries/Audit Logs/Audit Logs relating 
to unexpected users.txt create mode 100644 Azure Services/App Services/Queries/Audit Logs/File Audit Logs relating to a Delete operation.txt create mode 100644 Azure Services/App Services/Queries/Azure Metrics/Line chart of response times.txt create mode 100644 Azure Services/App Services/Queries/Azure Metrics/Pie chart of HTTP response codes.txt create mode 100644 Azure Services/App Services/Queries/Console logs/Find console logs relating to application startup.txt create mode 100644 Azure Services/App Services/Queries/README create mode 100644 Azure Services/App Services/Workbooks/README create mode 100644 Azure Services/Application Insights/Alerts/README create mode 100644 Azure Services/Application Insights/Queries/Browsing data/Page views trend.txt create mode 100644 Azure Services/Application Insights/Queries/Browsing data/Slowest pages.txt create mode 100644 Azure Services/Application Insights/Queries/Browsing data/Top 3 browser exceptions.txt create mode 100644 Azure Services/Application Insights/Queries/Performance/Operations performance.txt create mode 100644 Azure Services/Application Insights/Queries/Performance/Request count trend.txt create mode 100644 Azure Services/Application Insights/Queries/Performance/Response time buckets.txt create mode 100644 Azure Services/Application Insights/Queries/Performance/Response time trend.txt create mode 100644 Azure Services/Application Insights/Queries/Performance/Top 10 countries by traffic.txt create mode 100644 Azure Services/Application Insights/Queries/README create mode 100644 Azure Services/Application Insights/Queries/Reports failures/Exceptions causing request failures.txt create mode 100644 Azure Services/Application Insights/Queries/Reports failures/Failed operations.txt create mode 100644 Azure Services/Application Insights/Queries/Reports failures/Failed requests top 10.txt create mode 100644 Azure Services/Application Insights/Queries/Reports failures/Failing dependencies.txt create mode 100644 
Azure Services/Application Insights/Workbooks/README create mode 100644 Azure Services/Application gateways/Alerts/README create mode 100644 Azure Services/Application gateways/Queries/Analytics/Errors by URI.txt create mode 100644 Azure Services/Application gateways/Queries/Analytics/Errors by user agent.txt create mode 100644 Azure Services/Application gateways/Queries/Analytics/Top 10 Client IPs.txt create mode 100644 Azure Services/Application gateways/Queries/Analytics/Top HTTP versions.txt create mode 100644 Azure Services/Application gateways/Queries/Incoming requests/Failed requests per hour.txt create mode 100644 Azure Services/Application gateways/Queries/Incoming requests/NonSSL requests per hour.txt create mode 100644 Azure Services/Application gateways/Queries/Incoming requests/Requests per hour.txt create mode 100644 Azure Services/Application gateways/Queries/README create mode 100644 Azure Services/Application gateways/Workbooks/README create mode 100644 Azure Services/Automation accounts/Alerts/README create mode 100644 Azure Services/Automation accounts/Queries/Automation Jobs/Azure Automation jobs that are Completed.txt create mode 100644 Azure Services/Automation accounts/Queries/Automation Jobs/Azure Automation jobs that are failed suspended or stopped.txt create mode 100644 Azure Services/Automation accounts/Queries/Automation Jobs/Find logs reporting errors in automation jobs from the last day.txt create mode 100644 Azure Services/Automation accounts/Queries/Automation Jobs/Runbook completed successfully with errors.txt create mode 100644 Azure Services/Automation accounts/Queries/Automation Jobs/View historical job status.txt create mode 100644 Azure Services/Automation accounts/Queries/Azure Update Management/Computers list.txt create mode 100644 Azure Services/Automation accounts/Queries/Azure Update Management/Missing updates list.txt create mode 100644 Azure Services/Automation accounts/Queries/Azure Update Management/Missing updates 
summary.txt create mode 100644 Azure Services/Automation accounts/Queries/Azure Update Management/Patch installation failure for your machines.txt create mode 100644 Azure Services/Automation accounts/Queries/Azure Update Management/Summary of updates available across machines.txt create mode 100644 Azure Services/Automation accounts/Queries/Azure Update Management/Updates available for Linux machines.txt create mode 100644 Azure Services/Automation accounts/Queries/Azure Update Management/Updates available for Windows machines.txt create mode 100644 Azure Services/Automation accounts/Queries/README create mode 100644 Azure Services/Automation accounts/Workbooks/README create mode 100644 Azure Services/Azure Activity logs/Alerts/README create mode 100644 Azure Services/Azure Activity logs/Queries/Activity logs/Failed operations.txt create mode 100644 Azure Services/Azure Activity logs/Queries/Activity logs/Latest 50 logs.txt create mode 100644 Azure Services/Azure Activity logs/Queries/Activity logs/Operations status.txt create mode 100644 Azure Services/Azure Activity logs/Queries/Activity logs/Recent Azure Activity logs.txt create mode 100644 Azure Services/Azure Activity logs/Queries/README create mode 100644 Azure Services/Azure Activity logs/Workbooks/README create mode 100644 Azure Services/Azure Database for MariaDB servers/Alerts/README create mode 100644 Azure Services/Azure Database for MariaDB servers/Queries/Audit/Review audit log events in CONNECTION class.txt create mode 100644 Azure Services/Azure Database for MariaDB servers/Queries/Audit/Review audit log events in GENERAL class.txt create mode 100644 Azure Services/Azure Database for MariaDB servers/Queries/Performance/Execution time exceeding a threshold.txt create mode 100644 Azure Services/Azure Database for MariaDB servers/Queries/Performance/Show Querys statistics.txt create mode 100644 Azure Services/Azure Database for MariaDB servers/Queries/Performance/Show the Slowest queries.txt create 
mode 100644 Azure Services/Azure Database for MariaDB servers/Queries/README create mode 100644 Azure Services/Azure Database for MariaDB servers/Workbooks/README create mode 100644 Azure Services/Azure Database for MySQL servers/Alerts/README create mode 100644 Azure Services/Azure Database for MySQL servers/Queries/Audit/Review audit log events in CONNECTION class.txt create mode 100644 Azure Services/Azure Database for MySQL servers/Queries/Audit/Review audit log events in GENERAL class.txt create mode 100644 Azure Services/Azure Database for MySQL servers/Queries/Performance/Execution time exceeding a threshold.txt create mode 100644 Azure Services/Azure Database for MySQL servers/Queries/Performance/Show Querys statistics.txt create mode 100644 Azure Services/Azure Database for MySQL servers/Queries/Performance/Show the Slowest queries.txt create mode 100644 Azure Services/Azure Database for MySQL servers/Queries/README create mode 100644 Azure Services/Azure Database for MySQL servers/Workbooks/README create mode 100644 Azure Services/Azure Database for PostgreSQL servers/Alerts/README create mode 100644 Azure Services/Azure Database for PostgreSQL servers/Queries/Audit Logs/Audit logs for tables and event types.txt create mode 100644 Azure Services/Azure Database for PostgreSQL servers/Queries/Audit Logs/Audit logs.txt create mode 100644 Azure Services/Azure Database for PostgreSQL servers/Queries/Diagnostics/Autovacuum events.txt create mode 100644 Azure Services/Azure Database for PostgreSQL servers/Queries/Diagnostics/Deadlocks.txt create mode 100644 Azure Services/Azure Database for PostgreSQL servers/Queries/Diagnostics/Execution count trends.txt create mode 100644 Azure Services/Azure Database for PostgreSQL servers/Queries/Diagnostics/Lock contention.txt create mode 100644 Azure Services/Azure Database for PostgreSQL servers/Queries/Diagnostics/Query statistics.txt create mode 100644 Azure Services/Azure Database for PostgreSQL 
servers/Queries/Diagnostics/Server restarts.txt create mode 100644 Azure Services/Azure Database for PostgreSQL servers/Queries/Diagnostics/Top wait events.txt create mode 100644 Azure Services/Azure Database for PostgreSQL servers/Queries/Diagnostics/Wait event trends.txt create mode 100644 Azure Services/Azure Database for PostgreSQL servers/Queries/Errors/Find Errors.txt create mode 100644 Azure Services/Azure Database for PostgreSQL servers/Queries/Performance/Queries waiting.txt create mode 100644 Azure Services/Azure Database for PostgreSQL servers/Queries/Performance/Queries with execution time exceeding a threshold.txt create mode 100644 Azure Services/Azure Database for PostgreSQL servers/Queries/Performance/Slowest queries.txt create mode 100644 Azure Services/Azure Database for PostgreSQL servers/Queries/README create mode 100644 Azure Services/Azure Database for PostgreSQL servers/Queries/Troubleshooting/Compare two periods for query execution times.txt create mode 100644 Azure Services/Azure Database for PostgreSQL servers/Queries/Troubleshooting/Unauthorized connections.txt create mode 100644 Azure Services/Azure Database for PostgreSQL servers/Workbooks/README create mode 100644 Azure Services/Azure Monitor/Alerts/README create mode 100644 Azure Services/Azure Monitor/Queries/Availability/Availability rate.txt create mode 100644 Azure Services/Azure Monitor/Queries/Availability/Computers availability today.txt create mode 100644 Azure Services/Azure Monitor/Queries/Availability/Last heartbeat of each computer.txt create mode 100644 Azure Services/Azure Monitor/Queries/Availability/List heartbeats.txt create mode 100644 Azure Services/Azure Monitor/Queries/Availability/Unavailable computers.txt create mode 100644 Azure Services/Azure Monitor/Queries/Azure diagnostics/Common categories in Azure diagnostics.txt create mode 100644 Azure Services/Azure Monitor/Queries/Azure diagnostics/Errors in automation jobs.txt create mode 100644 Azure Services/Azure 
Monitor/Queries/Azure diagnostics/Failed backup jobs.txt create mode 100644 Azure Services/Azure Monitor/Queries/Azure diagnostics/Latest metrics.txt create mode 100644 Azure Services/Azure Monitor/Queries/Azure diagnostics/Network security events.txt create mode 100644 Azure Services/Azure Monitor/Queries/Health/Agent latency spikes Heartbeat table.txt create mode 100644 Azure Services/Azure Monitor/Queries/Health/Agent latency spikes by data type.txt create mode 100644 Azure Services/Azure Monitor/Queries/Health/Ingestion latency endtoend spikes Heartbeat table.txt create mode 100644 Azure Services/Azure Monitor/Queries/Health/Ingestion latency endtoend spikes by data type.txt create mode 100644 Azure Services/Azure Monitor/Queries/Health/Ingestion latency endtoend timechart Event table.txt create mode 100644 Azure Services/Azure Monitor/Queries/Health/Total agent latency timechart last day.txt create mode 100644 Azure Services/Azure Monitor/Queries/Performance/CPU usage trends over the last day.txt create mode 100644 Azure Services/Azure Monitor/Queries/Performance/Memory and CPU usage.txt create mode 100644 Azure Services/Azure Monitor/Queries/Performance/Top 10 computers with the highest disk space.txt create mode 100644 Azure Services/Azure Monitor/Queries/Performance/What data is being collected.txt create mode 100644 Azure Services/Azure Monitor/Queries/README create mode 100644 Azure Services/Azure Monitor/Queries/Search through the logs/Run a casesensitive search.txt create mode 100644 Azure Services/Azure Monitor/Queries/Search through the logs/Search a table for a specific term.txt create mode 100644 Azure Services/Azure Monitor/Queries/Search through the logs/Search a term through all logs.txt create mode 100644 Azure Services/Azure Monitor/Queries/Search through the logs/Search in multiple tables.txt create mode 100644 Azure Services/Azure Monitor/Queries/Search through the logs/Search multiple terms.txt create mode 100644 Azure Services/Azure 
Monitor/Queries/Search through the logs/Show latest logs from all tables.txt create mode 100644 Azure Services/Azure Monitor/Queries/Usage/Billable performance data.txt create mode 100644 Azure Services/Azure Monitor/Queries/Usage/Ingested volume spikes and slopes by Azure resource.txt create mode 100644 Azure Services/Azure Monitor/Queries/Usage/Ingestion volume spikes by Solution and data type.txt create mode 100644 Azure Services/Azure Monitor/Queries/Usage/Total workspace ingestion over the last 24 hours.txt create mode 100644 Azure Services/Azure Monitor/Queries/Usage/Total workspace ingestion volume timechart last day.txt create mode 100644 Azure Services/Azure Monitor/Queries/Usage/Usage by data types.txt create mode 100644 Azure Services/Azure Monitor/Queries/Usage/Volume of solutions data.txt create mode 100644 Azure Services/Azure Monitor/Workbooks/README create mode 100644 Azure Services/Azure Spring Cloud/Alerts/README create mode 100644 Azure Services/Azure Spring Cloud/Queries/App Logs/Show the application logs which contain the error or exception terms.txt create mode 100644 Azure Services/Azure Spring Cloud/Queries/App Logs/Show the error and exception number of each application.txt create mode 100644 Azure Services/Azure Spring Cloud/Queries/README create mode 100644 Azure Services/Azure Spring Cloud/Queries/System Logs/Show the config server logs.txt create mode 100644 Azure Services/Azure Spring Cloud/Workbooks/README create mode 100644 Azure Services/Batch accounts/Alerts/README create mode 100644 Azure Services/Batch accounts/Queries/Pools/Pool resize failures.txt create mode 100644 Azure Services/Batch accounts/Queries/Pools/Pool resizes.txt create mode 100644 Azure Services/Batch accounts/Queries/README create mode 100644 Azure Services/Batch accounts/Queries/Tasks/Failed tasks per job.txt create mode 100644 Azure Services/Batch accounts/Queries/Tasks/Successful tasks per job.txt create mode 100644 Azure Services/Batch 
accounts/Queries/Tasks/Task durations.txt create mode 100644 Azure Services/Batch accounts/Workbooks/README create mode 100644 Azure Services/Container registries/Alerts/README create mode 100644 Azure Services/Container registries/Queries/App Logs/Show login events reported over the last hour.txt create mode 100644 Azure Services/Container registries/Queries/App Logs/Show registry events reported over the last hour.txt create mode 100644 Azure Services/Container registries/Queries/README create mode 100644 Azure Services/Container registries/Workbooks/README create mode 100644 Azure Services/Cosmos DB/Alerts/README create mode 100644 Azure Services/Cosmos DB/Queries/Diagnostics/Collections with throttles 429 in past 24 hours.txt create mode 100644 Azure Services/Cosmos DB/Queries/Diagnostics/Consumed RUs in last 24 hours.txt create mode 100644 Azure Services/Cosmos DB/Queries/Diagnostics/Top logical partition keys by storage.txt create mode 100644 Azure Services/Cosmos DB/Queries/Diagnostics/Top operations by consumed Request Units RUs in last 24 hours.txt create mode 100644 Azure Services/Cosmos DB/Queries/Diagnostics/Top queries by consumed Request Units RUs in last 24 hours.txt create mode 100644 Azure Services/Cosmos DB/Queries/README create mode 100644 Azure Services/Cosmos DB/Workbooks/README create mode 100644 Azure Services/Data Shares/Alerts/README create mode 100644 Azure Services/Data Shares/Queries/Audit/Chart of daily received snapshots.txt create mode 100644 Azure Services/Data Shares/Queries/Audit/Chart of daily sent snapshots.txt create mode 100644 Azure Services/Data Shares/Queries/Audit/List sent snapshots by duration.txt create mode 100644 Azure Services/Data Shares/Queries/Errors/Count failed received snapshots.txt create mode 100644 Azure Services/Data Shares/Queries/Errors/Count failed sent snapshots.txt create mode 100644 Azure Services/Data Shares/Queries/Errors/Frequent errors in received snapshots.txt create mode 100644 Azure 
Services/Data Shares/Queries/Errors/Frequent errors in sent snapshots.txt create mode 100644 Azure Services/Data Shares/Queries/Performance/List received snapshots by duration.txt create mode 100644 Azure Services/Data Shares/Queries/README create mode 100644 Azure Services/Data Shares/Workbooks/README create mode 100644 Azure Services/Event Grid Domains/Alerts/README create mode 100644 Azure Services/Event Grid Domains/Queries/Diagnostics/Delivery failures by domain and error.txt create mode 100644 Azure Services/Event Grid Domains/Queries/Diagnostics/Publish failures by domain and error.txt create mode 100644 Azure Services/Event Grid Domains/Queries/README create mode 100644 Azure Services/Event Grid Domains/Workbooks/README create mode 100644 Azure Services/Event Grid Topics/Alerts/README create mode 100644 Azure Services/Event Grid Topics/Queries/Diagnostics/Delivery failures by topic and error.txt create mode 100644 Azure Services/Event Grid Topics/Queries/Diagnostics/Publish failures by topic and error.txt create mode 100644 Azure Services/Event Grid Topics/Queries/README create mode 100644 Azure Services/Event Grid Topics/Workbooks/README create mode 100644 Azure Services/Event Hubs/Alerts/README create mode 100644 Azure Services/Event Hubs/Queries/Errors/Access to keyvault key not found.txt create mode 100644 Azure Services/Event Hubs/Queries/Errors/Duration of Capture failure.txt create mode 100644 Azure Services/Event Hubs/Queries/Errors/Errors in the last 7 days.txt create mode 100644 Azure Services/Event Hubs/Queries/Kafka/Join request for client.txt create mode 100644 Azure Services/Event Hubs/Queries/README create mode 100644 Azure Services/Event Hubs/Queries/Usage/Operation performed with keyvault.txt create mode 100644 Azure Services/Event Hubs/Workbooks/README create mode 100644 Azure Services/ExpressRoute circuits/Alerts/README create mode 100644 Azure Services/ExpressRoute circuits/Queries/Diagnostics/BGP informational messages.txt create mode 
100644 Azure Services/ExpressRoute circuits/Queries/Diagnostics/BGP route table.txt create mode 100644 Azure Services/ExpressRoute circuits/Queries/Diagnostics/ExpressRoute Circuit ArpAvailablility graph.txt create mode 100644 Azure Services/ExpressRoute circuits/Queries/Diagnostics/ExpressRoute Circuit BGP availability.txt create mode 100644 Azure Services/ExpressRoute circuits/Queries/Diagnostics/ExpressRoute Circuit BitsInPerSecond traffic graph.txt create mode 100644 Azure Services/ExpressRoute circuits/Queries/Diagnostics/ExpressRoute Circuit BitsOutPerSecond traffic graph.txt create mode 100644 Azure Services/ExpressRoute circuits/Queries/README create mode 100644 Azure Services/ExpressRoute circuits/Workbooks/README create mode 100644 Azure Services/Firewalls/Alerts/README create mode 100644 Azure Services/Firewalls/Queries/Firewall Logs/Application rule log data.txt create mode 100644 Azure Services/Firewalls/Queries/Firewall Logs/Network rule log data.txt create mode 100644 Azure Services/Firewalls/Queries/Firewall Logs/Threat Intelligence rule log data.txt create mode 100644 Azure Services/Firewalls/Queries/README create mode 100644 Azure Services/Firewalls/Workbooks/README create mode 100644 Azure Services/Front Doors/Alerts/README create mode 100644 Azure Services/Front Doors/Queries/Errors/Request errors by host and path.txt create mode 100644 Azure Services/Front Doors/Queries/Errors/Request errors by user agent.txt create mode 100644 Azure Services/Front Doors/Queries/Firewall Audit/Firewall blocked request count per hour.txt create mode 100644 Azure Services/Front Doors/Queries/Firewall Audit/Firewall request count by host path rule and action.txt create mode 100644 Azure Services/Front Doors/Queries/Firewall Audit/Top 20 blocked clients by IP and rule.txt create mode 100644 Azure Services/Front Doors/Queries/README create mode 100644 Azure Services/Front Doors/Queries/Usage and Diagnostics/Forwarded backend requests by routing rule.txt create mode 
100644 Azure Services/Front Doors/Queries/Usage and Diagnostics/Requests per hour.txt create mode 100644 Azure Services/Front Doors/Queries/Usage and Diagnostics/Top 10 client IPs and http versions.txt create mode 100644 Azure Services/Front Doors/Workbooks/README create mode 100644 Azure Services/IoT Hub/Alerts/README create mode 100644 Azure Services/IoT Hub/Queries/Availability/Dead endpoints.txt create mode 100644 Azure Services/IoT Hub/Queries/Diagnostics/SDK version of devices.txt create mode 100644 Azure Services/IoT Hub/Queries/Errors/Connectvity errors.txt create mode 100644 Azure Services/IoT Hub/Queries/Errors/Devices with most throttling errors.txt create mode 100644 Azure Services/IoT Hub/Queries/Errors/Error summary.txt create mode 100644 Azure Services/IoT Hub/Queries/README create mode 100644 Azure Services/IoT Hub/Queries/Usage/Recently connected devices.txt create mode 100644 Azure Services/IoT Hub/Workbooks/README create mode 100644 Azure Services/Key vaults/Alerts/README create mode 100644 Azure Services/Key vaults/Queries/Input data Errors/List all input deserialization errors.txt create mode 100644 Azure Services/Key vaults/Queries/README create mode 100644 Azure Services/Key vaults/Queries/Usage and Diagnostics/Are there any failures.txt create mode 100644 Azure Services/Key vaults/Queries/Usage and Diagnostics/Are there any slow requests.txt create mode 100644 Azure Services/Key vaults/Queries/Usage and Diagnostics/How active has this KeyVault been.txt create mode 100644 Azure Services/Key vaults/Queries/Usage and Diagnostics/How fast is this KeyVault serving requests.txt create mode 100644 Azure Services/Key vaults/Queries/Usage and Diagnostics/What changes occurred last month.txt create mode 100644 Azure Services/Key vaults/Queries/Usage and Diagnostics/Who is calling this KeyVault.txt create mode 100644 Azure Services/Key vaults/Workbooks/README create mode 100644 Azure Services/Kubernetes services/Alerts/README create mode 100644 Azure 
Services/Kubernetes services/Queries/Audit/Container Lifecycle Information.txt create mode 100644 Azure Services/Kubernetes services/Queries/Availability/List all the pods count with phase.txt create mode 100644 Azure Services/Kubernetes services/Queries/Availability/Readiness status per Node.txt create mode 100644 Azure Services/Kubernetes services/Queries/Container Logs/List container logs per namespace.txt create mode 100644 Azure Services/Kubernetes services/Queries/Costing/Billable Log Data by logtype.txt create mode 100644 Azure Services/Kubernetes services/Queries/Costing/Billable Log Data pernamespace.txt create mode 100644 Azure Services/Kubernetes services/Queries/Costing/Container Insight solution billable data.txt create mode 100644 Azure Services/Kubernetes services/Queries/Costing/Environment variable enriching.txt create mode 100644 Azure Services/Kubernetes services/Queries/Costing/View data ingested by completed jobs.txt create mode 100644 Azure Services/Kubernetes services/Queries/Diagnostics/Image inventory.txt create mode 100644 Azure Services/Kubernetes services/Queries/Diagnostics/Instances Avg CPU usage growth from last week.txt create mode 100644 Azure Services/Kubernetes services/Queries/Diagnostics/Kubernetes events.txt create mode 100644 Azure Services/Kubernetes services/Queries/Diagnostics/Prometheus disk read per second per node.txt create mode 100644 Azure Services/Kubernetes services/Queries/Performance/Avg node CPU usage percentage per minute.txt create mode 100644 Azure Services/Kubernetes services/Queries/Performance/Avg node memory usage percentage per minute.txt create mode 100644 Azure Services/Kubernetes services/Queries/Performance/Container CPU.txt create mode 100644 Azure Services/Kubernetes services/Queries/Performance/Container memory.txt create mode 100644 Azure Services/Kubernetes services/Queries/Performance/Maximum node disk.txt create mode 100644 Azure Services/Kubernetes services/Queries/README create mode 100644 
Azure Services/Kubernetes services/Workbooks/README create mode 100644 Azure Services/Logic Apps/Alerts/README create mode 100644 Azure Services/Logic Apps/Queries/Costing/Total billable executions.txt create mode 100644 Azure Services/Logic Apps/Queries/Diagnostics/Logic App execution distribution by status.txt create mode 100644 Azure Services/Logic Apps/Queries/Diagnostics/Logic App execution distribution by workflows.txt create mode 100644 Azure Services/Logic Apps/Queries/Errors/Triggered failuers count.txt create mode 100644 Azure Services/Logic Apps/Queries/README create mode 100644 Azure Services/Logic Apps/Workbooks/README create mode 100644 Azure Services/Recovery Services vaults/Alerts/README create mode 100644 Azure Services/Recovery Services vaults/Queries/Backup Items/Backup Items by Vault and Backup item type.txt create mode 100644 Azure Services/Recovery Services vaults/Queries/Backup Settings Changes/Backup Items with Protection Status modified.txt create mode 100644 Azure Services/Recovery Services vaults/Queries/Backup Settings Changes/Policies with retention duration modified.txt create mode 100644 Azure Services/Recovery Services vaults/Queries/Jobs/All Failed Jobs.txt create mode 100644 Azure Services/Recovery Services vaults/Queries/Jobs/All Successful Jobs.txt create mode 100644 Azure Services/Recovery Services vaults/Queries/Jobs/Distribution of Backup Jobs by Status.txt create mode 100644 Azure Services/Recovery Services vaults/Queries/Jobs/Distribution of Restore Jobs by Status.txt create mode 100644 Azure Services/Recovery Services vaults/Queries/README create mode 100644 Azure Services/Recovery Services vaults/Queries/Usage/Cloud Storage Consumed per Backup Item.txt create mode 100644 Azure Services/Recovery Services vaults/Queries/Usage/Trend of total Cloud Storage consumed.txt create mode 100644 Azure Services/Recovery Services vaults/Workbooks/README create mode 100644 Azure Services/SQL databases/Alerts/README create mode 100644 
Azure Services/SQL databases/Queries/Diagnostics/Loading Data.txt create mode 100644 Azure Services/SQL databases/Queries/Diagnostics/Wait stats.txt create mode 100644 Azure Services/SQL databases/Queries/Performance/Avg CPU usage.txt create mode 100644 Azure Services/SQL databases/Queries/Performance/Performance troubleshooting.txt create mode 100644 Azure Services/SQL databases/Queries/README create mode 100644 Azure Services/SQL databases/Workbooks/README create mode 100644 Azure Services/SQL managed instances/Alerts/README create mode 100644 Azure Services/SQL managed instances/Queries/Intelligent insights/Display all active intelligent insights.txt create mode 100644 Azure Services/SQL managed instances/Queries/Intelligent insights/Workload continously hitting CPU limits.txt create mode 100644 Azure Services/SQL managed instances/Queries/README create mode 100644 Azure Services/SQL managed instances/Queries/Utilization/CPU utilization treshold above 95 on managed instances.txt create mode 100644 Azure Services/SQL managed instances/Queries/Utilization/Storage on managed instances above 90.txt create mode 100644 Azure Services/SQL managed instances/Workbooks/README create mode 100644 Azure Services/Service Bus/Alerts/README create mode 100644 Azure Services/Service Bus/Queries/Diagnostics/Keyvault access attempt key not found.txt create mode 100644 Azure Services/Service Bus/Queries/Diagnostics/Management operations in the last 7 days.txt create mode 100644 Azure Services/Service Bus/Queries/Errors/Errors summary.txt create mode 100644 Azure Services/Service Bus/Queries/README create mode 100644 Azure Services/Service Bus/Queries/Security/Keyvault performed operational.txt create mode 100644 Azure Services/Service Bus/Queries/Usage/AutoDeleted entities.txt create mode 100644 Azure Services/Service Bus/Workbooks/README create mode 100644 Azure Services/Storage accounts/Alerts/README create mode 100644 Azure Services/Storage accounts/Queries/Audit/Frequent 
operations chart.txt create mode 100644 Azure Services/Storage accounts/Queries/Audit/Show anonymous requests.txt create mode 100644 Azure Services/Storage accounts/Queries/Errors/Most common errors.txt create mode 100644 Azure Services/Storage accounts/Queries/Errors/Operations causing most errors.txt create mode 100644 Azure Services/Storage accounts/Queries/Errors/Operations causing server side throttling.txt create mode 100644 Azure Services/Storage accounts/Queries/Performance/Operations with the highest latency.txt create mode 100644 Azure Services/Storage accounts/Queries/README create mode 100644 Azure Services/Storage accounts/Workbooks/README create mode 100644 Azure Services/Stream Analytics jobs/Alerts/README create mode 100644 Azure Services/Stream Analytics jobs/Queries/Input data Errors/Events that arrived early.txt create mode 100644 Azure Services/Stream Analytics jobs/Queries/Input data Errors/Events that arrived late.txt create mode 100644 Azure Services/Stream Analytics jobs/Queries/Input data Errors/Events that arrived out of order.txt create mode 100644 Azure Services/Stream Analytics jobs/Queries/Input data Errors/List all InvalidInputTimeStamp errors.txt create mode 100644 Azure Services/Stream Analytics jobs/Queries/Input data Errors/List all InvalidInputTimeStampKey errors.txt create mode 100644 Azure Services/Stream Analytics jobs/Queries/Input data Errors/List all input data errors.txt create mode 100644 Azure Services/Stream Analytics jobs/Queries/Input data Errors/List all input deserialization errors.txt create mode 100644 Azure Services/Stream Analytics jobs/Queries/Other errors and failures/All logs with level Error.txt create mode 100644 Azure Services/Stream Analytics jobs/Queries/Other errors and failures/Operations that have Failed.txt create mode 100644 Azure Services/Stream Analytics jobs/Queries/Other errors and failures/Output Throttling logs Cosmos DB Power BI Event Hubs.txt create mode 100644 Azure Services/Stream 
Analytics jobs/Queries/Other errors and failures/Summary of Failed operations in the last 7 days.txt create mode 100644 Azure Services/Stream Analytics jobs/Queries/Other errors and failures/Summary of all data errors in the last 7 days.txt create mode 100644 Azure Services/Stream Analytics jobs/Queries/Other errors and failures/Summary of all errors in the last 7 days.txt create mode 100644 Azure Services/Stream Analytics jobs/Queries/Other errors and failures/Transient input and output errors.txt create mode 100644 Azure Services/Stream Analytics jobs/Queries/Output data errors/All output data errors.txt create mode 100644 Azure Services/Stream Analytics jobs/Queries/Output data errors/List all ColumnNameInvalid errors.txt create mode 100644 Azure Services/Stream Analytics jobs/Queries/Output data errors/List all DuplicateKey errors.txt create mode 100644 Azure Services/Stream Analytics jobs/Queries/Output data errors/List all RecordExceededSizeLimit errors.txt create mode 100644 Azure Services/Stream Analytics jobs/Queries/Output data errors/List all RequiredColumnMissing errors.txt create mode 100644 Azure Services/Stream Analytics jobs/Queries/Output data errors/List all TypeConversionError errors.txt create mode 100644 Azure Services/Stream Analytics jobs/Queries/README create mode 100644 Azure Services/Stream Analytics jobs/Workbooks/README create mode 100644 Azure Services/Traffic Manager profiles/Alerts/README create mode 100644 Azure Services/Traffic Manager profiles/Queries/Diagnostics/Endpoints with monitoring Status down.txt create mode 100644 Azure Services/Traffic Manager profiles/Queries/README create mode 100644 Azure Services/Traffic Manager profiles/Workbooks/README create mode 100644 Azure Services/Virtual machines/Alerts/README create mode 100644 Azure Services/Virtual machines/Queries/Availability/Not reporting VMs.txt create mode 100644 Azure Services/Virtual machines/Queries/Availability/Shut down Virtual Machines.txt create mode 100644 
Azure Services/Virtual machines/Queries/Availability/Track VM availability.txt create mode 100644 Azure Services/Virtual machines/Queries/Diagnostics/Automatic update configuration is disabled.txt create mode 100644 Azure Services/Virtual machines/Queries/Diagnostics/Automatic update configuration.txt create mode 100644 Azure Services/Virtual machines/Queries/Diagnostics/Computer with missing updates.txt create mode 100644 Azure Services/Virtual machines/Queries/Diagnostics/Distinct missing updates cross computers.txt create mode 100644 Azure Services/Virtual machines/Queries/Diagnostics/Find Linux kernel events.txt create mode 100644 Azure Services/Virtual machines/Queries/Diagnostics/Malware detection.txt create mode 100644 Azure Services/Virtual machines/Queries/Diagnostics/Missing critical security updates.txt create mode 100644 Azure Services/Virtual machines/Queries/Diagnostics/Missing required updates for server.txt create mode 100644 Azure Services/Virtual machines/Queries/Diagnostics/Missing security or critical where update is manual.txt create mode 100644 Azure Services/Virtual machines/Queries/Diagnostics/Missing update rollups.txt create mode 100644 Azure Services/Virtual machines/Queries/Diagnostics/Missing update specific product.txt create mode 100644 Azure Services/Virtual machines/Queries/Diagnostics/Protection Status updates.txt create mode 100644 Azure Services/Virtual machines/Queries/Diagnostics/Search in multiple tables.txt create mode 100644 Azure Services/Virtual machines/Queries/Diagnostics/Show the trend of a selected event.txt create mode 100644 Azure Services/Virtual machines/Queries/Diagnostics/Signatures out of date.txt create mode 100644 Azure Services/Virtual machines/Queries/Diagnostics/Stopped Windows services.txt create mode 100644 Azure Services/Virtual machines/Queries/Diagnostics/Using wildcards.txt create mode 100644 Azure Services/Virtual machines/Queries/Errors/Error event on computer missing security co critical update.txt 
create mode 100644 Azure Services/Virtual machines/Queries/Errors/Reported errors.txt create mode 100644 Azure Services/Virtual machines/Queries/Performance/Bottom 10 Free disk space .txt create mode 100644 Azure Services/Virtual machines/Queries/Performance/Chart CPU usage trends.txt create mode 100644 Azure Services/Virtual machines/Queries/Performance/Logical disk space below threshold.txt create mode 100644 Azure Services/Virtual machines/Queries/Performance/Top 10 Virtual Machines by CPU utilization.txt create mode 100644 Azure Services/Virtual machines/Queries/Performance/Virtual Machine available memory.txt create mode 100644 Azure Services/Virtual machines/Queries/Performance/Virtual Machine free disk space.txt create mode 100644 Azure Services/Virtual machines/Queries/Performance/What data is being collected.txt create mode 100644 Azure Services/Virtual machines/Queries/README create mode 100644 Azure Services/Virtual machines/Queries/Security/Linux failed logins.txt create mode 100644 Azure Services/Virtual machines/Queries/Security/Members added to security groups.txt create mode 100644 Azure Services/Virtual machines/Queries/Security/Missing security or critical updates.txt create mode 100644 Azure Services/Virtual machines/Queries/Security/Uses of clear text password.txt create mode 100644 Azure Services/Virtual machines/Queries/Security/Windows failed logins.txt create mode 100644 Azure Services/Virtual machines/Workbooks/README create mode 100644 Solutions/SurfaceHub/Alerts/README create mode 100644 Solutions/SurfaceHub/Queries/Diagnostics/Hardware Alert.txt create mode 100644 Solutions/SurfaceHub/Queries/Diagnostics/Hardware Minor.txt create mode 100644 Solutions/SurfaceHub/Queries/Error/Cleanup Failure.txt create mode 100644 Solutions/SurfaceHub/Queries/Error/Exchange Error.txt create mode 100644 Solutions/SurfaceHub/Queries/Error/Skype Error.txt create mode 100644 Solutions/SurfaceHub/Queries/Error/Software Alert.txt create mode 100644 
Solutions/SurfaceHub/Queries/README
 create mode 100644 Solutions/SurfaceHub/Workbooks/README
diff --git a/Azure Services/API Management services/Alerts/README b/Azure Services/API Management services/Alerts/README
new file mode 100644
index 00000000..e7cf202f
--- /dev/null
+++ b/Azure Services/API Management services/Alerts/README
@@ -0,0 +1 @@
+Put alerts in this folder
\ No newline at end of file
diff --git a/Azure Services/API Management services/Queries/Diagnostics/Cache hit ratio.txt b/Azure Services/API Management services/Queries/Diagnostics/Cache hit ratio.txt
new file mode 100644
index 00000000..2b36d919
--- /dev/null
+++ b/Azure Services/API Management services/Queries/Diagnostics/Cache hit ratio.txt
@@ -0,0 +1,12 @@
+// Author: Microsoft Azure
+// Display name: Cache hit ratio
+// Description: Statistics of Cache hit/miss ratio.
+// Categories: ['resources']
+// Resource types: ['API Management services']
+// Topic: Diagnostics
+ApiManagementGatewayLogs
+| where TimeGenerated > ago(1d)
+| summarize Cache_Miss=countif(Cache == "miss"), Cache_Hit=countif(Cache == "hit") by bin(TimeGenerated, 15m)
+| extend Ratio=Cache_Hit / (Cache_Hit + Cache_Miss)
+| project-away Cache_Hit , Cache_Miss
+| render timechart
\ No newline at end of file
diff --git a/Azure Services/API Management services/Queries/Diagnostics/Client TLS versions.txt b/Azure Services/API Management services/Queries/Diagnostics/Client TLS versions.txt
new file mode 100644
index 00000000..38fc8e01
--- /dev/null
+++ b/Azure Services/API Management services/Queries/Diagnostics/Client TLS versions.txt
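Review bot: `Ratio=Cache_Hit / (Cache_Hit + Cache_Miss)` divides two countif() results, which are integer counts, and if the engine applies integer division to integer operands (as I recall KQL does; worth confirming) every bin collapses to 0 or 1 and the timechart shows nothing useful. Converting one operand first keeps the fraction in all cases: `| extend Ratio=todouble(Cache_Hit) / (Cache_Hit + Cache_Miss)`. Since the summarize emits a row only for bins that had at least one logged request, the denominator cannot be zero, so no extra guard is needed. The Description comment could also state the bin width, e.g. `// Description: Ratio of cache hits to all cache lookups, per 15-minute bin, over the last 24 hours.`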
@@ -0,0 +1,9 @@
+// Author: Microsoft Azure
+// Display name: Client TLS versions
+// Description: Breakdown of client TLS versions in the last 24 hours.
+// Categories: ['resources']
+// Resource types: ['API Management services']
+// Topic: Diagnostics
+ApiManagementGatewayLogs
+| where TimeGenerated > ago(1d)
+| summarize count(CorrelationId) by ClientTlsVersion, _ResourceId
\ No newline at end of file
diff --git a/Azure Services/API Management services/Queries/Errors/Error reasons breakdown.txt b/Azure Services/API Management services/Queries/Errors/Error reasons breakdown.txt
new file mode 100644
index 00000000..152b5f78
--- /dev/null
+++ b/Azure Services/API Management services/Queries/Errors/Error reasons breakdown.txt
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Error reasons breakdown
+// Description: Breakdown of all error reasons in the last 24 hours.
+// Categories: ['resources']
+// Resource types: ['API Management services']
+// Topic: Errors
+ApiManagementGatewayLogs
+| where TimeGenerated > ago(1d)
+| where IsRequestSuccess == false
+| summarize count(CorrelationId) by LastErrorReason, _ResourceId
\ No newline at end of file
diff --git a/Azure Services/API Management services/Queries/Errors/Get failed requests due to issues not related to the backend.txt b/Azure Services/API Management services/Queries/Errors/Get failed requests due to issues not related to the backend.txt
new file mode 100644
index 00000000..84fe330b
--- /dev/null
+++ b/Azure Services/API Management services/Queries/Errors/Get failed requests due to issues not related to the backend.txt
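Review bot: The TLS breakdown in the Client TLS versions query leaves the aggregate with its auto-generated column name and no ordering, which makes the one thing a reviewer wants from this query — how much traffic still arrives over outdated TLS versions — harder to read at a glance. Naming the aggregate and sorting the result, `| summarize Requests=count() by ClientTlsVersion, _ResourceId` followed by `| sort by ClientTlsVersion asc, Requests desc`, puts the oldest protocol versions first with their request volume beside them. The same naming point applies to the `count(CorrelationId)` column in the Error reasons breakdown query.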
@@ -0,0 +1,11 @@
+// Author: Microsoft Azure
+// Display name: Get failed requests due to issues not related to the backend
+// Description: Get the logs of failed requests due to issues not related to the backend (e.g., API Mangement policies configuration, rate limit exceeded, client disconnection).
+// Categories: ['resources']
+// Resource types: ['API Management services']
+// Topic: Errors
+ApiManagementGatewayLogs
+| where TimeGenerated > ago(1d)
+| where IsRequestSuccess == false
+| where isnull(BackendResponseCode) or BackendResponseCode < 400
+| where ResponseCode >= 400
\ No newline at end of file
diff --git a/Azure Services/API Management services/Queries/Errors/Get failed requests due to issues related to the backend.txt b/Azure Services/API Management services/Queries/Errors/Get failed requests due to issues related to the backend.txt
new file mode 100644
index 00000000..77f9dc95
--- /dev/null
+++ b/Azure Services/API Management services/Queries/Errors/Get failed requests due to issues related to the backend.txt
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Get failed requests due to issues related to the backend
+// Description: Get the logs of failed requests due to backend issues.
+// Categories: ['resources']
+// Resource types: ['API Management services']
+// Topic: Errors
+ApiManagementGatewayLogs
+| where TimeGenerated > ago(1d)
+| where IsRequestSuccess == false
+| where BackendResponseCode >= 400
\ No newline at end of file
diff --git a/Azure Services/API Management services/Queries/Errors/Last 100 failed requests.txt b/Azure Services/API Management services/Queries/Errors/Last 100 failed requests.txt
new file mode 100644
index 00000000..d902dabb
--- /dev/null
+++ b/Azure Services/API Management services/Queries/Errors/Last 100 failed requests.txt
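Review bot: The Description comment of the "not related to the backend" query misspells the product name as "API Mangement"; the same misspelling appears in the Description of the Overall latency query further down in this commit. Since these header comments are what the portal displays as the query's description, they should read `// Description: Get the logs of failed requests due to issues not related to the backend (e.g., API Management policies configuration, rate limit exceeded, client disconnection).` It would also help readers to state in the same comment that the query deliberately includes requests with no backend response code at all (`isnull(BackendResponseCode)`), because that branch is the one that catches policy rejections that never reached a backend.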
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Last 100 failed requests
+// Description: Get the logs of the last 100 failed requests.
+// Categories: ['resources']
+// Resource types: ['API Management services']
+// Topic: Errors
+ApiManagementGatewayLogs
+| where TimeGenerated > ago(1d)
+| where IsRequestSuccess == false
+| top 100 by TimeGenerated desc| where ResponseCode >= 400
\ No newline at end of file
diff --git a/Azure Services/API Management services/Queries/Latency/Backend latency.txt b/Azure Services/API Management services/Queries/Latency/Backend latency.txt
new file mode 100644
index 00000000..80d43f45
--- /dev/null
+++ b/Azure Services/API Management services/Queries/Latency/Backend latency.txt
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Backend latency
+// Description: Statistics of time (in miliseconds) spent in backend IO.
+// Categories: ['resources']
+// Resource types: ['API Management services']
+// Topic: Latency
+ApiManagementGatewayLogs
+| where TimeGenerated > ago(1d)
+| summarize Average=avg(BackendTime), Median=percentile(BackendTime, 50), 90th_Percentile=percentile(BackendTime, 90) by bin(TimeGenerated, 15m)
+| render timechart
\ No newline at end of file
diff --git a/Azure Services/API Management services/Queries/Latency/Client latency.txt b/Azure Services/API Management services/Queries/Latency/Client latency.txt
new file mode 100644
index 00000000..0f95eb13
--- /dev/null
+++ b/Azure Services/API Management services/Queries/Latency/Client latency.txt
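Review bot: In the Last 100 failed requests query the filter `| where ResponseCode >= 400` is applied after `| top 100 by TimeGenerated desc`, so the query first takes the 100 most recent rows and then discards some of them, returning fewer than the promised 100 whenever a recent failed request has a response code below 400. The two operators are also run together on one line without a break. Swap the order and split them: `| where ResponseCode >= 400` on its own line, then `| top 100 by TimeGenerated desc` as the last operator.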
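Review bot: The Description comment of the Backend latency query spells the unit as "miliseconds"; the Client latency and Overall latency queries in this commit carry the same misspelling. As these comments become the portal's visible description, they should read `// Description: Statistics of time (in milliseconds) spent in backend IO.` (and correspondingly for client IO and overall latency). The summarize line would also benefit from a short comment noting that it reports average, median and 90th percentile per 15-minute bin, since the column aliases are the only hint the reader gets.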
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Client latency
+// Description: Statistics of time (in miliseconds) spent in client IO.
+// Categories: ['resources']
+// Resource types: ['API Management services']
+// Topic: Latency
+ApiManagementGatewayLogs
+| where TimeGenerated > ago(1d)
+| summarize Average=avg(ClientTime), Median=percentile(ClientTime, 50), 90th_Percentile=percentile(ClientTime, 90) by bin(TimeGenerated, 15m)
+| render timechart
\ No newline at end of file
diff --git a/Azure Services/API Management services/Queries/Latency/Overall latency.txt b/Azure Services/API Management services/Queries/Latency/Overall latency.txt
new file mode 100644
index 00000000..dbb023ed
--- /dev/null
+++ b/Azure Services/API Management services/Queries/Latency/Overall latency.txt
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Overall latency
+// Description: Statistics of overall latency (in miliseconds) between the time API Mangement starts receiving a request and the time API Management finishes sending the response back to the client.
+// Categories: ['resources']
+// Resource types: ['API Management services']
+// Topic: Latency
+ApiManagementGatewayLogs
+| where TimeGenerated > ago(1d)
+| summarize Average=avg(TotalTime), Median=percentile(TotalTime, 50), 90th_Percentile=percentile(TotalTime, 90) by bin(TimeGenerated, 15m)
+| render timechart
\ No newline at end of file
diff --git a/Azure Services/API Management services/Queries/Performance/Bandwidth consumed.txt b/Azure Services/API Management services/Queries/Performance/Bandwidth consumed.txt
new file mode 100644
index 00000000..cfa086b2
--- /dev/null
+++ b/Azure Services/API Management services/Queries/Performance/Bandwidth consumed.txt
@@ -0,0 +1,11 @@
+// Author: Microsoft Azure
+// Display name: Bandwidth consumed
+// Description: Total bandwidth consumed in the last 24 hours.
+// Categories: ['resources']
+// Resource types: ['API Management services']
+// Topic: Performance
+ApiManagementGatewayLogs
+| where TimeGenerated > ago(1d)
+| extend bandwidth = RequestSize + ResponseSize
+| summarize sum(bandwidth) by bin(TimeGenerated, 1m), _ResourceId
+| render timechart
\ No newline at end of file
diff --git a/Azure Services/API Management services/Queries/README b/Azure Services/API Management services/Queries/README
new file mode 100644
index 00000000..f121024f
--- /dev/null
+++ b/Azure Services/API Management services/Queries/README
@@ -0,0 +1 @@
+Put queries in this folder
\ No newline at end of file
diff --git a/Azure Services/API Management services/Queries/Usage/Logs of the last 100 calls.txt b/Azure Services/API Management services/Queries/Usage/Logs of the last 100 calls.txt
new file mode 100644
index 00000000..587c956a
--- /dev/null
+++ b/Azure Services/API Management services/Queries/Usage/Logs of the last 100 calls.txt
@@ -0,0 +1,8 @@
+// Author: Microsoft Azure
+// Display name: Logs of the last 100 calls
+// Description: Get the logs of the most recent 100 calls in the last 24 hours.
+// Categories: ['resources']
+// Resource types: ['API Management services']
+// Topic: Usage
+ApiManagementGatewayLogs
+| top 100 by TimeGenerated desc
\ No newline at end of file
diff --git a/Azure Services/API Management services/Queries/Usage/Number of calls by APIs.txt b/Azure Services/API Management services/Queries/Usage/Number of calls by APIs.txt
new file mode 100644
index 00000000..5ea9d2a5
--- /dev/null
+++ b/Azure Services/API Management services/Queries/Usage/Number of calls by APIs.txt
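Review bot: The description of `Logs of the last 100 calls` promises the most recent 100 calls in the last 24 hours, but the query has no time filter, so `top 100` runs over whatever range the caller's time picker supplies and over the whole table when invoked from an alert or the API. Add `| where TimeGenerated > ago(1d)` before `| top 100 by TimeGenerated desc`, matching the other API Management queries in this commit, or drop the 24-hour claim from the description.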
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Number of calls by APIs
+// Description: View the number of calls per API in the last 24 hours.
+// Categories: ['resources']
+// Resource types: ['API Management services']
+// Topic: Usage
+//Calls by API ID
+ApiManagementGatewayLogs
+| where TimeGenerated > ago(1d)
+| summarize count(CorrelationId) by ApiId
\ No newline at end of file
diff --git a/Azure Services/API Management services/Queries/Usage/Number of requests.txt b/Azure Services/API Management services/Queries/Usage/Number of requests.txt
new file mode 100644
index 00000000..c605e91a
--- /dev/null
+++ b/Azure Services/API Management services/Queries/Usage/Number of requests.txt
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Number of requests
+// Description: Count the total number of calls across all APIs in the last 24 hours.
+// Categories: ['resources']
+// Resource types: ['API Management services']
+// Topic: Usage
+//Total number of call per resource
+ApiManagementGatewayLogs
+| where TimeGenerated > ago(1d)
+| summarize count(CorrelationId) by _ResourceId
\ No newline at end of file
diff --git a/Azure Services/API Management services/Queries/Usage/Request sizes.txt b/Azure Services/API Management services/Queries/Usage/Request sizes.txt
new file mode 100644
index 00000000..fe8a2fce
--- /dev/null
+++ b/Azure Services/API Management services/Queries/Usage/Request sizes.txt
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Request sizes
+// Description: Statistics of request sizes in the last 24 hours.
+// Categories: ['resources']
+// Resource types: ['API Management services']
+// Topic: Usage
+ApiManagementGatewayLogs
+| where TimeGenerated > ago(1d)
+| summarize Average=avg(RequestSize), Median=percentile(RequestSize, 50), 90th_Percentile=percentile(RequestSize, 90) by bin(TimeGenerated, 1m)
+| render timechart
\ No newline at end of file
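Review bot: `| summarize count(CorrelationId) by ApiId` in `Number of calls by APIs` passes an argument to `count()`, which as far as I know is a no-argument aggregate in KQL, so the query may be rejected by the parser or, if the dialect tolerates it, simply count rows. If one gateway log row is one call, `count()` is sufficient; if a CorrelationId can appear on several rows for a single call, `dcount(CorrelationId)` states that intent explicitly and counts calls rather than rows. The `Number of requests` hunk on the same line uses the identical construct and needs the same decision.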
diff --git a/Azure Services/API Management services/Queries/Usage/Response sizes.txt b/Azure Services/API Management services/Queries/Usage/Response sizes.txt
new file mode 100644
index 00000000..b52a45eb
--- /dev/null
+++ b/Azure Services/API Management services/Queries/Usage/Response sizes.txt
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Response sizes
+// Description: Statistics of response sizes in the last 24 hours.
+// Categories: ['resources']
+// Resource types: ['API Management services']
+// Topic: Usage
+ApiManagementGatewayLogs
+| where TimeGenerated > ago(1d)
+| summarize Average=avg(ResponseSize), Median=percentile(ResponseSize, 50), 90th_Percentile=percentile(ResponseSize, 90) by bin(TimeGenerated, 1m)
+| render timechart
\ No newline at end of file
diff --git a/Azure Services/API Management services/Workbooks/README b/Azure Services/API Management services/Workbooks/README
new file mode 100644
index 00000000..7b19c105
--- /dev/null
+++ b/Azure Services/API Management services/Workbooks/README
@@ -0,0 +1 @@
+Put workbooks in this folder
\ No newline at end of file
diff --git a/Azure Services/App Services/Alerts/README b/Azure Services/App Services/Alerts/README
new file mode 100644
index 00000000..e7cf202f
--- /dev/null
+++ b/Azure Services/App Services/Alerts/README
@@ -0,0 +1 @@
+Put alerts in this folder
\ No newline at end of file
diff --git a/Azure Services/App Services/Queries/App Logs/App logs for each App Service.txt b/Azure Services/App Services/Queries/App Logs/App logs for each App Service.txt
new file mode 100644
index 00000000..29d17f08
--- /dev/null
+++ b/Azure Services/App Services/Queries/App Logs/App logs for each App Service.txt
@@ -0,0 +1,9 @@
+// Author: Microsoft Azure
+// Display name: App logs for each App Service
+// Description: Breakdown of log levels for each App Service.
+// Categories: ['resources']
+// Resource types: ['App Services']
+// Topic: App Logs
+AppServiceAppLogs
+| project AppName = extract("(/[A-Z0-9-]+$)", 0, _ResourceId ), CustomLevel
+| summarize count() by CustomLevel, AppName
\ No newline at end of file
diff --git a/Azure Services/App Services/Queries/App Logs/Count app logs by severity.txt b/Azure Services/App Services/Queries/App Logs/Count app logs by severity.txt
new file mode 100644
index 00000000..7ae61030
--- /dev/null
+++ b/Azure Services/App Services/Queries/App Logs/Count app logs by severity.txt
@@ -0,0 +1,9 @@
+// Author: Microsoft Azure
+// Display name: Count app logs by severity
+// Description: Bar chart of app log severities over time.
+// Categories: ['resources']
+// Resource types: ['App Services']
+// Topic: App Logs
+AppServiceAppLogs
+| summarize count() by CustomLevel, bin(TimeGenerated, 1h)
+| render barchart
\ No newline at end of file
diff --git a/Azure Services/App Services/Queries/Audit Logs/Audit Logs relating to unexpected users.txt b/Azure Services/App Services/Queries/Audit Logs/Audit Logs relating to unexpected users.txt
new file mode 100644
index 00000000..ca5d4374
--- /dev/null
+++ b/Azure Services/App Services/Queries/Audit Logs/Audit Logs relating to unexpected users.txt
@@ -0,0 +1,8 @@
+// Author: Microsoft Azure
+// Display name: Audit Logs relating to unexpected users
+// Description: List Audit Logs for users who logged in that aren't a listed user.
+// Categories: ['resources']
+// Resource types: ['App Services']
+// Topic: Audit Logs
+AppServiceAuditLogs
+| where UserDisplayName != "user@company.com"
\ No newline at end of file
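Review bot: The only exclusion in `Audit Logs relating to unexpected users` is the single placeholder `UserDisplayName != "user@company.com"`, and `!=` is a case-sensitive exact comparison in KQL, so a login recorded as `User@Company.com` would be reported as unexpected while any real deployment needs more than one allowed account. For a detection query an explicit allowlist with a case-insensitive operator is more robust: `let expectedUsers = dynamic(["user@company.com"]);` followed by `AppServiceAuditLogs | where UserDisplayName !in~ (expectedUsers)`. The description should also state that the list must be edited before the query means anything, since as shipped it flags every login except one placeholder.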
diff --git a/Azure Services/App Services/Queries/Audit Logs/File Audit Logs relating to a Delete operation.txt b/Azure Services/App Services/Queries/Audit Logs/File Audit Logs relating to a Delete operation.txt
new file mode 100644
index 00000000..f7fca61c
--- /dev/null
+++ b/Azure Services/App Services/Queries/Audit Logs/File Audit Logs relating to a Delete operation.txt
@@ -0,0 +1,8 @@
+// Author: Microsoft Azure
+// Display name: File Audit Logs relating to a "Delete" operation
+// Description: List File Audit Logs that has a "Delete" operation.
+// Categories: ['resources']
+// Resource types: ['App Services']
+// Topic: Audit Logs
+AppServiceFileAuditLogs
+| where OperationName == "Delete"
\ No newline at end of file
diff --git a/Azure Services/App Services/Queries/Azure Metrics/Line chart of response times.txt b/Azure Services/App Services/Queries/Azure Metrics/Line chart of response times.txt
new file mode 100644
index 00000000..ee5fc6d2
--- /dev/null
+++ b/Azure Services/App Services/Queries/Azure Metrics/Line chart of response times.txt
@@ -0,0 +1,11 @@
+// Author: Microsoft Azure
+// Display name: Line chart of response times
+// Description: Time series of mean response time (over 5 minute intervals).
+// Categories: ['resources']
+// Resource types: ['App Services']
+// Topic: Azure Metrics
+AzureMetrics
+| extend timeBin = bin(TimeGenerated, 5m)
+| summarize ResponseTime = sumif(Average, MetricName=="AverageResponseTime") by timeBin, bin(TimeGenerated, 1h)
+| sort by TimeGenerated desc
+| render timechart
\ No newline at end of file
diff --git a/Azure Services/App Services/Queries/Azure Metrics/Pie chart of HTTP response codes.txt b/Azure Services/App Services/Queries/Azure Metrics/Pie chart of HTTP response codes.txt
new file mode 100644
index 00000000..3686582f
--- /dev/null
+++ b/Azure Services/App Services/Queries/Azure Metrics/Pie chart of HTTP response codes.txt
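Review bot: `Line chart of response times` describes a 5-minute mean, but its `summarize` sums the per-sample `Average` values with `sumif` and groups by two time bins at once (`timeBin` at 5m plus `bin(TimeGenerated, 1h)`), so what gets plotted is a sum of averages split across an extra hour column rather than a mean per 5-minute interval. A pipeline that matches the description is `| summarize ResponseTime = avgif(Average, MetricName=="AverageResponseTime") by bin(TimeGenerated, 5m)` followed by `| sort by TimeGenerated desc`, which also makes the `extend timeBin` line unnecessary. If summing was intentional, the description should say so.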
@@ -0,0 +1,11 @@
+// Author: Microsoft Azure
+// Display name: Pie chart of HTTP response codes
+// Description: Breakdown of response codes for each metric, over the last 12 hours.
+// Categories: ['resources']
+// Resource types: ['App Services']
+// Topic: Azure Metrics
+AzureMetrics
+| where TimeGenerated > ago(12h)
+| where MetricName in ("Http2xx", "Http3xx", "Http4xx", "Http5xx")
+| summarize sum(Total) by MetricName
+| render piechart
\ No newline at end of file
diff --git a/Azure Services/App Services/Queries/Console logs/Find console logs relating to application startup.txt b/Azure Services/App Services/Queries/Console logs/Find console logs relating to application startup.txt
new file mode 100644
index 00000000..54c06ea3
--- /dev/null
+++ b/Azure Services/App Services/Queries/Console logs/Find console logs relating to application startup.txt
@@ -0,0 +1,8 @@
+// Author: Microsoft Azure
+// Display name: Find console logs relating to application startup
+// Description: List console logs that contain the term "starting".
+// Categories: ['resources']
+// Resource types: ['App Services']
+// Topic: Console logs
+AppServiceConsoleLogs
+| where tolower(ResultDescription) contains "starting"
\ No newline at end of file
diff --git a/Azure Services/App Services/Queries/README b/Azure Services/App Services/Queries/README
new file mode 100644
index 00000000..f121024f
--- /dev/null
+++ b/Azure Services/App Services/Queries/README
@@ -0,0 +1 @@
+Put queries in this folder
\ No newline at end of file
diff --git a/Azure Services/App Services/Workbooks/README b/Azure Services/App Services/Workbooks/README
new file mode 100644
index 00000000..7b19c105
--- /dev/null
+++ b/Azure Services/App Services/Workbooks/README
@@ -0,0 +1 @@
+Put workbooks in this folder
\ No newline at end of file
diff --git a/Azure Services/Application Insights/Alerts/README b/Azure Services/Application Insights/Alerts/README
new file mode 100644
index 00000000..e7cf202f
--- /dev/null
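Review bot: In `Find console logs relating to application startup`, `contains` is already case-insensitive in KQL, so `tolower(ResultDescription)` adds a per-row string conversion without changing which rows match; `| where ResultDescription contains "starting"` is equivalent and cheaper. If only whole-term hits are wanted (not `restarting`), `has "starting"` is the indexed form, but that narrows the result set and is a separate decision from removing the redundant `tolower`.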
+++ b/Azure Services/Application Insights/Alerts/README
@@ -0,0 +1 @@
+Put alerts in this folder
\ No newline at end of file
diff --git a/Azure Services/Application Insights/Queries/Browsing data/Page views trend.txt b/Azure Services/Application Insights/Queries/Browsing data/Page views trend.txt
new file mode 100644
index 00000000..743fc786
--- /dev/null
+++ b/Azure Services/Application Insights/Queries/Browsing data/Page views trend.txt
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Page views trend
+// Description: Chart the page views count, during the last day.
+// Categories: ['applications']
+// Resource types: ['Application Insights']
+// Topic: Browsing data
+pageViews
+| where client_Type == 'Browser'
+| summarize count_sum = sum(itemCount) by bin(timestamp,30m)
+| render timechart
\ No newline at end of file
diff --git a/Azure Services/Application Insights/Queries/Browsing data/Slowest pages.txt b/Azure Services/Application Insights/Queries/Browsing data/Slowest pages.txt
new file mode 100644
index 00000000..f64ce88c
--- /dev/null
+++ b/Azure Services/Application Insights/Queries/Browsing data/Slowest pages.txt
@@ -0,0 +1,11 @@
+// Author: Microsoft Azure
+// Display name: Slowest pages
+// Description: What are the 3 slowest pages, and how slow are they?
+// Categories: ['applications']
+// Resource types: ['Application Insights']
+// Topic: Browsing data
+pageViews
+| where notempty(duration) and client_Type == 'Browser'
+| extend total_duration=duration*itemCount
+| summarize avg_duration=(sum(total_duration)/sum(itemCount)) by operation_Name
+| top 3 by avg_duration desc
\ No newline at end of file
diff --git a/Azure Services/Application Insights/Queries/Browsing data/Top 3 browser exceptions.txt b/Azure Services/Application Insights/Queries/Browsing data/Top 3 browser exceptions.txt
new file mode 100644
index 00000000..a752df03
--- /dev/null
+++ b/Azure Services/Application Insights/Queries/Browsing data/Top 3 browser exceptions.txt
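Review bot: The description of `Page views trend` says "during the last day", but the query has no `timestamp` filter, so the chart covers whatever range the caller's time picker selects rather than a fixed day. Either add `| where timestamp > ago(1d)` directly after `pageViews`, as `Response time trend` in this commit does for its 12-hour window, or reword the description so it does not promise a window the query does not enforce.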
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Top 3 browser exceptions
+// Description: What were the highest reported exceptions today?
+// Categories: ['applications']
+// Resource types: ['Application Insights']
+// Topic: Browsing data
+exceptions
+| where notempty(client_Browser) and client_Type == 'Browser'
+| summarize total_exceptions = sum(itemCount) by problemId
+| top 3 by total_exceptions desc
\ No newline at end of file
diff --git a/Azure Services/Application Insights/Queries/Performance/Operations performance.txt b/Azure Services/Application Insights/Queries/Performance/Operations performance.txt
new file mode 100644
index 00000000..7ca6d50b
--- /dev/null
+++ b/Azure Services/Application Insights/Queries/Performance/Operations performance.txt
@@ -0,0 +1,9 @@
+// Author: Microsoft Azure
+// Display name: Operations performance
+// Description: Calculate request count and duration by operations.
+// Categories: ['applications']
+// Resource types: ['Application Insights']
+// Topic: Performance
+requests
+| summarize RequestsCount=sum(itemCount), AverageDuration=avg(duration), percentiles(duration, 50, 95, 99) by operation_Name // you can replace 'operation_Name' with another value to segment by a different property
+| order by RequestsCount desc // order from highest to lower (descending)
\ No newline at end of file
diff --git a/Azure Services/Application Insights/Queries/Performance/Request count trend.txt b/Azure Services/Application Insights/Queries/Performance/Request count trend.txt
new file mode 100644
index 00000000..57d0b62c
--- /dev/null
+++ b/Azure Services/Application Insights/Queries/Performance/Request count trend.txt
@@ -0,0 +1,9 @@
+// Author: Microsoft Azure
+// Display name: Request count trend
+// Description: Chart Request count over the last day.
+// Categories: ['applications']
+// Resource types: ['Application Insights']
+// Topic: Performance
+requests
+| summarize totalCount=sum(itemCount) by bin(timestamp, 30m)
+| render timechart
\ No newline at end of file
diff --git a/Azure Services/Application Insights/Queries/Performance/Response time buckets.txt b/Azure Services/Application Insights/Queries/Performance/Response time buckets.txt
new file mode 100644
index 00000000..44e5a543
--- /dev/null
+++ b/Azure Services/Application Insights/Queries/Performance/Response time buckets.txt
@@ -0,0 +1,11 @@
+// Author: Microsoft Azure
+// Display name: Response time buckets
+// Description: Show how many requests are in each performance-bucket.
+// Categories: ['applications']
+// Resource types: ['Application Insights']
+// Topic: Performance
+requests
+| summarize requestCount=sum(itemCount), avgDuration=avg(duration) by performanceBucket
+| order by avgDuration asc // sort by average request duration
+| project-away avgDuration // no need to display avgDuration, we used it only for sorting results
+| render barchart
\ No newline at end of file
diff --git a/Azure Services/Application Insights/Queries/Performance/Response time trend.txt b/Azure Services/Application Insights/Queries/Performance/Response time trend.txt
new file mode 100644
index 00000000..df4c2eee
--- /dev/null
+++ b/Azure Services/Application Insights/Queries/Performance/Response time trend.txt
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Response time trend
+// Description: Chart request duration over the last 12 hours.
+// Categories: ['applications']
+// Resource types: ['Application Insights']
+// Topic: Performance
+requests
+| where timestamp > ago(12h)
+| summarize avgRequestDuration=avg(duration) by bin(timestamp, 10m) // use a time grain of 10 minutes
+| render timechart
\ No newline at end of file
diff --git a/Azure Services/Application Insights/Queries/Performance/Top 10 countries by traffic.txt b/Azure Services/Application Insights/Queries/Performance/Top 10 countries by traffic.txt
new file mode 100644
index 00000000..733b31ec
--- /dev/null
+++ b/Azure Services/Application Insights/Queries/Performance/Top 10 countries by traffic.txt
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Top 10 countries by traffic
+// Description: Chart the amount of requests from the top 10 countries.
+// Categories: ['applications']
+// Resource types: ['Application Insights']
+// Topic: Performance
+requests
+| summarize CountByCountry=count() by client_CountryOrRegion
+| top 10 by CountByCountry
+| render piechart
\ No newline at end of file
diff --git a/Azure Services/Application Insights/Queries/README b/Azure Services/Application Insights/Queries/README
new file mode 100644
index 00000000..f121024f
--- /dev/null
+++ b/Azure Services/Application Insights/Queries/README
@@ -0,0 +1 @@
+Put queries in this folder
\ No newline at end of file
diff --git a/Azure Services/Application Insights/Queries/Reports failures/Exceptions causing request failures.txt b/Azure Services/Application Insights/Queries/Reports failures/Exceptions causing request failures.txt
new file mode 100644
index 00000000..23000387
--- /dev/null
+++ b/Azure Services/Application Insights/Queries/Reports failures/Exceptions causing request failures.txt
@@ -0,0 +1,13 @@
+// Author: Microsoft Azure
+// Display name: Exceptions causing request failures
+// Description: Find which exceptions led to failed requests in the past hour.
+// Categories: ['applications']
+// Resource types: ['Application Insights']
+// Topic: Reports failures
+requests
+| where timestamp > ago(1h) and success == false
+| join kind= inner (
+exceptions
+| where timestamp > ago(1h)
+) on operation_Id
+| project exceptionType = type, failedMethod = method, requestName = name, requestDuration = duration
\ No newline at end of file
diff --git a/Azure Services/Application Insights/Queries/Reports failures/Failed operations.txt b/Azure Services/Application Insights/Queries/Reports failures/Failed operations.txt
new file mode 100644
index 00000000..681868bf
--- /dev/null
+++ b/Azure Services/Application Insights/Queries/Reports failures/Failed operations.txt
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Failed operations
+// Description: Calculate how many times operations failed, and how many users were impacted.
+// Categories: ['applications']
+// Resource types: ['Application Insights']
+// Topic: Reports failures
+requests
+| where success == false
+| summarize failedCount=sum(itemCount), impactedUsers=dcount(user_Id) by operation_Name
+| order by failedCount desc
\ No newline at end of file
diff --git a/Azure Services/Application Insights/Queries/Reports failures/Failed requests top 10.txt b/Azure Services/Application Insights/Queries/Reports failures/Failed requests top 10.txt
new file mode 100644
index 00000000..e4f9e0a3
--- /dev/null
+++ b/Azure Services/Application Insights/Queries/Reports failures/Failed requests top 10.txt
@@ -0,0 +1,11 @@
+// Author: Microsoft Azure
+// Display name: Failed requests – top 10
+// Description: What are the 3 slowest pages, and how slow are they?
+// Categories: ['applications']
+// Resource types: ['Application Insights']
+// Topic: Reports failures
+requests
+| where success == false
+| summarize failedCount=sum(itemCount) by name
+| top 10 by failedCount desc
+| render barchart
\ No newline at end of file
diff --git a/Azure Services/Application Insights/Queries/Reports failures/Failing dependencies.txt b/Azure Services/Application Insights/Queries/Reports failures/Failing dependencies.txt
new file mode 100644
index 00000000..4b6b6db8
--- /dev/null
+++ b/Azure Services/Application Insights/Queries/Reports failures/Failing dependencies.txt
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Failing dependencies
+// Description: Which 5 dependencies failed the most today?
+// Categories: ['applications']
+// Resource types: ['Application Insights']
+// Topic: Reports failures
+dependencies
+| where success == false
+| summarize totalCount=sum(itemCount) by type
+| top 5 by totalCount desc
\ No newline at end of file
diff --git a/Azure Services/Application Insights/Workbooks/README b/Azure Services/Application Insights/Workbooks/README
new file mode 100644
index 00000000..7b19c105
--- /dev/null
+++ b/Azure Services/Application Insights/Workbooks/README
@@ -0,0 +1 @@
+Put workbooks in this folder
\ No newline at end of file
diff --git a/Azure Services/Application gateways/Alerts/README b/Azure Services/Application gateways/Alerts/README
new file mode 100644
index 00000000..e7cf202f
--- /dev/null
+++ b/Azure Services/Application gateways/Alerts/README
@@ -0,0 +1 @@
+Put alerts in this folder
\ No newline at end of file
diff --git a/Azure Services/Application gateways/Queries/Analytics/Errors by URI.txt b/Azure Services/Application gateways/Queries/Analytics/Errors by URI.txt
new file mode 100644
index 00000000..c14421f9
--- /dev/null
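Review bot: The description of `Failed requests – top 10` reads "What are the 3 slowest pages, and how slow are they?", which is copied from `Slowest pages` and describes neither the failure filter nor the top-10 count this query produces. A description that matches the `summarize failedCount=sum(itemCount) by name | top 10` pipeline would be `// Description: Which 10 request names failed most often, and how many times each?`. Since this header is what the query-picker UI shows, the mismatch is user-facing.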
+++ b/Azure Services/Application gateways/Queries/Analytics/Errors by URI.txt
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Errors by URI
+// Description: Number of errors by URI.
+// Categories: ['network']
+// Resource types: ['Application gateways']
+// Topic: Analytics
+AzureDiagnostics
+| where ResourceType == "APPLICATIONGATEWAYS" and OperationName == "ApplicationGatewayAccess" and httpStatus_d > 399
+| summarize AggregatedValue = count() by requestUri_s
+| sort by AggregatedValue desc
\ No newline at end of file
diff --git a/Azure Services/Application gateways/Queries/Analytics/Errors by user agent.txt b/Azure Services/Application gateways/Queries/Analytics/Errors by user agent.txt
new file mode 100644
index 00000000..272a9b2d
--- /dev/null
+++ b/Azure Services/Application gateways/Queries/Analytics/Errors by user agent.txt
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Errors by user agent
+// Description: Number of errors by user agent.
+// Categories: ['network']
+// Resource types: ['Application gateways']
+// Topic: Analytics
+AzureDiagnostics
+| where ResourceType == "APPLICATIONGATEWAYS" and OperationName == "ApplicationGatewayAccess" and httpStatus_d > 399
+| summarize AggregatedValue = count() by userAgent_s
+| sort by AggregatedValue desc
\ No newline at end of file
diff --git a/Azure Services/Application gateways/Queries/Analytics/Top 10 Client IPs.txt b/Azure Services/Application gateways/Queries/Analytics/Top 10 Client IPs.txt
new file mode 100644
index 00000000..80b40096
--- /dev/null
+++ b/Azure Services/Application gateways/Queries/Analytics/Top 10 Client IPs.txt
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Top 10 Client IPs
+// Description: Count of requests per client IP.
+// Categories: ['network']
+// Resource types: ['Application gateways']
+// Topic: Analytics
+AzureDiagnostics
+| where ResourceType == "APPLICATIONGATEWAYS" and OperationName == "ApplicationGatewayAccess"
+| summarize AggregatedValue = count() by clientIP_s
+| top 10 by AggregatedValue
\ No newline at end of file
diff --git a/Azure Services/Application gateways/Queries/Analytics/Top HTTP versions.txt b/Azure Services/Application gateways/Queries/Analytics/Top HTTP versions.txt
new file mode 100644
index 00000000..8bad3e23
--- /dev/null
+++ b/Azure Services/Application gateways/Queries/Analytics/Top HTTP versions.txt
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Top HTTP versions
+// Description: Count of request per HTTP version.
+// Categories: ['network']
+// Resource types: ['Application gateways']
+// Topic: Analytics
+AzureDiagnostics
+| where ResourceType == "APPLICATIONGATEWAYS" and OperationName == "ApplicationGatewayAccess"
+| summarize AggregatedValue = count() by httpVersion_s
+| top 10 by AggregatedValue
\ No newline at end of file
diff --git a/Azure Services/Application gateways/Queries/Incoming requests/Failed requests per hour.txt b/Azure Services/Application gateways/Queries/Incoming requests/Failed requests per hour.txt
new file mode 100644
index 00000000..29257447
--- /dev/null
+++ b/Azure Services/Application gateways/Queries/Incoming requests/Failed requests per hour.txt
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Failed requests per hour
+// Description: Count of requests to which Application Gateway responded with an error.
+// Categories: ['network']
+// Resource types: ['Application gateways']
+// Topic: Incoming requests
+AzureDiagnostics
+| where ResourceType == "APPLICATIONGATEWAYS" and OperationName == "ApplicationGatewayAccess" and httpStatus_d > 399
+| summarize AggregatedValue = count() by bin(TimeGenerated, 1h)
+| render timechart
\ No newline at end of file
diff --git a/Azure Services/Application gateways/Queries/Incoming requests/NonSSL requests per hour.txt b/Azure Services/Application gateways/Queries/Incoming requests/NonSSL requests per hour.txt
new file mode 100644
index 00000000..46be2eea
--- /dev/null
+++ b/Azure Services/Application gateways/Queries/Incoming requests/NonSSL requests per hour.txt
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Non-SSL requests per hour
+// Description: Count of the Non-SSL requests on the Application Gateway.
+// Categories: ['network']
+// Resource types: ['Application gateways']
+// Topic: Incoming requests
+AzureDiagnostics
+| where ResourceType == "APPLICATIONGATEWAYS" and OperationName == "ApplicationGatewayAccess" and sslEnabled_s == "off"
+| summarize AggregatedValue = count() by bin(TimeGenerated, 1h)
+| render timechart
\ No newline at end of file
diff --git a/Azure Services/Application gateways/Queries/Incoming requests/Requests per hour.txt b/Azure Services/Application gateways/Queries/Incoming requests/Requests per hour.txt
new file mode 100644
index 00000000..db4a177a
--- /dev/null
+++ b/Azure Services/Application gateways/Queries/Incoming requests/Requests per hour.txt
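Review bot: `Non-SSL requests per hour` counts plaintext hits but gives the reader no way to see which listener accepted them, and that is the actionable part of the finding: any non-zero bucket means an HTTP listener is still reachable and the remediation is to redirect or remove that listener. Grouping by the gateway's host column, e.g. `| summarize AggregatedValue = count() by bin(TimeGenerated, 1h), host_s`, would point at it directly; I am assuming the access log exports the host under `host_s`, so verify the column name against a sample row. A threshold of "more than zero" on this series is also a natural candidate for the `Alerts` folder this commit creates.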
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Requests per hour
+// Description: Count of the incoming requests on the Application Gateway.
+// Categories: ['network']
+// Resource types: ['Application gateways']
+// Topic: Incoming requests
+AzureDiagnostics
+| where ResourceType == "APPLICATIONGATEWAYS" and OperationName == "ApplicationGatewayAccess"
+| summarize AggregatedValue = count() by bin(TimeGenerated, 1h)
+| render timechart
\ No newline at end of file
diff --git a/Azure Services/Application gateways/Queries/README b/Azure Services/Application gateways/Queries/README
new file mode 100644
index 00000000..f121024f
--- /dev/null
+++ b/Azure Services/Application gateways/Queries/README
@@ -0,0 +1 @@
+Put queries in this folder
\ No newline at end of file
diff --git a/Azure Services/Application gateways/Workbooks/README b/Azure Services/Application gateways/Workbooks/README
new file mode 100644
index 00000000..7b19c105
--- /dev/null
+++ b/Azure Services/Application gateways/Workbooks/README
@@ -0,0 +1 @@
+Put workbooks in this folder
\ No newline at end of file
diff --git a/Azure Services/Automation accounts/Alerts/README b/Azure Services/Automation accounts/Alerts/README
new file mode 100644
index 00000000..e7cf202f
--- /dev/null
+++ b/Azure Services/Automation accounts/Alerts/README
@@ -0,0 +1 @@
+Put alerts in this folder
\ No newline at end of file
diff --git a/Azure Services/Automation accounts/Queries/Automation Jobs/Azure Automation jobs that are Completed.txt b/Azure Services/Automation accounts/Queries/Automation Jobs/Azure Automation jobs that are Completed.txt
new file mode 100644
index 00000000..42d17b3c
--- /dev/null
+++ b/Azure Services/Automation accounts/Queries/Automation Jobs/Azure Automation jobs that are Completed.txt
@@ -0,0 +1,9 @@
+// Author: Microsoft Azure
+// Display name: Azure Automation jobs that are Completed
+// Description: List all automation jobs that got completed.
+// Categories: ['resources']
+// Resource types: ['Automation accounts']
+// Topic: Automation Jobs
+AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.AUTOMATION" and Category == "JobLogs" and ResultType == "Completed"
+| project TimeGenerated , RunbookName_s , ResultType , _ResourceId , JobId_g
\ No newline at end of file
diff --git a/Azure Services/Automation accounts/Queries/Automation Jobs/Azure Automation jobs that are failed suspended or stopped.txt b/Azure Services/Automation accounts/Queries/Automation Jobs/Azure Automation jobs that are failed suspended or stopped.txt
new file mode 100644
index 00000000..bad0f164
--- /dev/null
+++ b/Azure Services/Automation accounts/Queries/Automation Jobs/Azure Automation jobs that are failed suspended or stopped.txt
@@ -0,0 +1,9 @@
+// Author: Microsoft Azure
+// Display name: Azure Automation jobs that are failed, suspended, or stopped
+// Description: List all the automation jobs that failed , suspended or stopped.
+// Categories: ['resources']
+// Resource types: ['Automation accounts']
+// Topic: Automation Jobs
+AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.AUTOMATION" and Category == "JobLogs" and (ResultType == "Failed" or ResultType == "Stopped" or ResultType == "Suspended")
+| project TimeGenerated , RunbookName_s , ResultType , _ResourceId , JobId_g
\ No newline at end of file
diff --git a/Azure Services/Automation accounts/Queries/Automation Jobs/Find logs reporting errors in automation jobs from the last day.txt b/Azure Services/Automation accounts/Queries/Automation Jobs/Find logs reporting errors in automation jobs from the last day.txt
new file mode 100644
index 00000000..ef4b0246
--- /dev/null
+++ b/Azure Services/Automation accounts/Queries/Automation Jobs/Find logs reporting errors in automation jobs from the last day.txt
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Find logs reporting errors in automation jobs from the last day
+// Description: List all the errors in the automation jobs.
+// Categories: ['resources']
+// Resource types: ['Automation accounts']
+// Topic: Automation Jobs
+AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.AUTOMATION"
+| where StreamType_s == "Error"
+| project TimeGenerated, Category, JobId_g, OperationName, RunbookName_s, ResultDescription, _ResourceId
\ No newline at end of file
diff --git a/Azure Services/Automation accounts/Queries/Automation Jobs/Runbook completed successfully with errors.txt b/Azure Services/Automation accounts/Queries/Automation Jobs/Runbook completed successfully with errors.txt
new file mode 100644
index 00000000..6c289a3a
--- /dev/null
+++ b/Azure Services/Automation accounts/Queries/Automation Jobs/Runbook completed successfully with errors.txt
@@ -0,0 +1,9 @@
+// Author: Microsoft Azure
+// Display name: Runbook completed successfully with errors
+// Description: List all jobs that completed with errors.
+// Categories: ['resources']
+// Resource types: ['Automation accounts']
+// Topic: Automation Jobs
+AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.AUTOMATION" and Category == "JobStreams" and StreamType_s == "Error"
+| project TimeGenerated , RunbookName_s , StreamType_s , _ResourceId , ResultDescription , JobId_g
\ No newline at end of file
diff --git a/Azure Services/Automation accounts/Queries/Automation Jobs/View historical job status.txt b/Azure Services/Automation accounts/Queries/Automation Jobs/View historical job status.txt
new file mode 100644
index 00000000..6ed6a5b2
--- /dev/null
+++ b/Azure Services/Automation accounts/Queries/Automation Jobs/View historical job status.txt
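Review bot: The display name and file name promise errors "from the last day", but nothing in the query bounds `TimeGenerated`, so it returns every `StreamType_s == "Error"` row the workspace retains. Add `| where TimeGenerated > ago(1d)` directly after the `ResourceProvider` filter, or drop "from the last day" from the name so the two agree. Note also that this query and the "Runbook completed successfully with errors" query on the same line select almost the same rows (only the `Category == "JobStreams"` term differs), so the distinction between them should be made on purpose in the `Description` lines.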
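Review bot: Nothing in this query checks that the job completed: it lists every `JobStreams` row with `StreamType_s == "Error"`, so a job that went on to fail or was stopped is reported as "completed successfully with errors". If the name is the intent, correlate the error streams with the `JobLogs` rows that carry `ResultType == "Completed"` (the value the first query in this commit already relies on) on `JobId_g`, as sketched below; otherwise the display name and description should say "jobs that emitted error streams".
```kql
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.AUTOMATION" and Category == "JobStreams" and StreamType_s == "Error"
| join kind=inner (
    AzureDiagnostics
    | where ResourceProvider == "MICROSOFT.AUTOMATION" and Category == "JobLogs" and ResultType == "Completed"
    | distinct JobId_g
) on JobId_g
| project TimeGenerated , RunbookName_s , StreamType_s , _ResourceId , ResultDescription , JobId_g
```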
@@ -0,0 +1,9 @@
+// Author: Microsoft Azure
+// Display name: View historical job status
+// Description: List all automation jobs.
+// Categories: ['resources']
+// Resource types: ['Automation accounts']
+// Topic: Automation Jobs
+AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.AUTOMATION" and Category == "JobLogs" and ResultType != "started"
+| summarize AggregatedValue = count() by ResultType, bin(TimeGenerated, 1h) , RunbookName_s , JobId_g, _ResourceId
\ No newline at end of file
diff --git a/Azure Services/Automation accounts/Queries/Azure Update Management/Computers list.txt b/Azure Services/Automation accounts/Queries/Azure Update Management/Computers list.txt
new file mode 100644
index 00000000..614eb303
--- /dev/null
+++ b/Azure Services/Automation accounts/Queries/Azure Update Management/Computers list.txt
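Review bot: `ResultType != "started"` is a case-sensitive comparison against a lowercase literal, while every other query in this commit compares `ResultType` to capitalised values (`"Completed"`, `"Failed"`, `"Stopped"`, `"Suspended"`); if the logged value is `"Started"`, the filter excludes nothing and the hourly counts silently include start events. The case-insensitive form is correct whichever casing the column carries: `| where ResourceProvider == "MICROSOFT.AUTOMATION" and Category == "JobLogs" and ResultType !~ "Started"`.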
@@ -0,0 +1,48 @@
+// Author: Microsoft Azure
+// Display name: Computers list
+// Description: List of computers with Azure Update Management deployed.
+// Categories: ['resources']
+// Resource types: ['Automation accounts']
+// Topic: Azure Update Management
+Heartbeat
+| where TimeGenerated>ago(12h) and OSType=="Linux" and notempty(Computer)
+| summarize arg_max(TimeGenerated, Solutions, Computer, ResourceId, ComputerEnvironment, VMUUID) by SourceComputerId
+| where Solutions has "updates"
+| extend vmuuId=VMUUID, azureResourceId=ResourceId, osType=1, environment=iff(ComputerEnvironment=~"Azure", 1, 2), scopedToUpdatesSolution=true, lastUpdateAgentSeenTime=""
+| join kind=leftouter
+(
+ Update
+ | where TimeGenerated>ago(5h) and OSType=="Linux" and SourceComputerId in ((Heartbeat
+ | where TimeGenerated>ago(12h) and OSType=="Linux" and notempty(Computer)
+ | summarize arg_max(TimeGenerated, Solutions) by SourceComputerId
+ | where Solutions has "updates"
+ | distinct SourceComputerId))
+ | summarize hint.strategy=partitioned arg_max(TimeGenerated, UpdateState, Classification, Product, Computer, ComputerEnvironment) by SourceComputerId, Product, ProductArch
+ | summarize Computer=any(Computer), ComputerEnvironment=any(ComputerEnvironment), missingCriticalUpdatesCount=countif(Classification has "Critical" and UpdateState=~"Needed"), missingSecurityUpdatesCount=countif(Classification has "Security" and UpdateState=~"Needed"), missingOtherUpdatesCount=countif(Classification !has "Critical" and Classification !has "Security" and UpdateState=~"Needed"), lastAssessedTime=max(TimeGenerated), lastUpdateAgentSeenTime="" by SourceComputerId
+ | extend compliance=iff(missingCriticalUpdatesCount > 0 or missingSecurityUpdatesCount > 0, 2, 1)
+ | extend ComplianceOrder=iff(missingCriticalUpdatesCount > 0 or missingSecurityUpdatesCount > 0 or missingOtherUpdatesCount > 0, 1, 3)
+)
+on SourceComputerId
+| project id=SourceComputerId, displayName=Computer,
sourceComputerId=SourceComputerId, scopedToUpdatesSolution=true, missingCriticalUpdatesCount=coalesce(missingCriticalUpdatesCount, -1), missingSecurityUpdatesCount=coalesce(missingSecurityUpdatesCount, -1), missingOtherUpdatesCount=coalesce(missingOtherUpdatesCount, -1), compliance=coalesce(compliance, 4), lastAssessedTime, lastUpdateAgentSeenTime, osType=1, environment=iff(ComputerEnvironment=~"Azure", 1, 2), ComplianceOrder=coalesce(ComplianceOrder, 2)
+| union(Heartbeat
+| where TimeGenerated>ago(12h) and OSType=~"Windows" and notempty(Computer)
+| summarize arg_max(TimeGenerated, Solutions, Computer, ResourceId, ComputerEnvironment, VMUUID) by SourceComputerId
+| where Solutions has "updates"
+| extend vmuuId=VMUUID, azureResourceId=ResourceId, osType=2, environment=iff(ComputerEnvironment=~"Azure", 1, 2), scopedToUpdatesSolution=true, lastUpdateAgentSeenTime=""
+| join kind=leftouter
+(
+ Update
+ | where TimeGenerated>ago(14h) and OSType!="Linux" and SourceComputerId in ((Heartbeat
+ | where TimeGenerated>ago(12h) and OSType=~"Windows" and notempty(Computer)
+ | summarize arg_max(TimeGenerated, Solutions) by SourceComputerId
+ | where Solutions has "updates"
+ | distinct SourceComputerId))
+ | summarize hint.strategy=partitioned arg_max(TimeGenerated, UpdateState, Classification, Title, Optional, Approved, Computer, ComputerEnvironment) by Computer, SourceComputerId, UpdateID
+ | summarize Computer=any(Computer), ComputerEnvironment=any(ComputerEnvironment), missingCriticalUpdatesCount=countif(Classification has "Critical" and UpdateState=~"Needed" and Approved!=false), missingSecurityUpdatesCount=countif(Classification has "Security" and UpdateState=~"Needed" and Approved!=false), missingOtherUpdatesCount=countif(Classification !has "Critical" and Classification !has "Security" and UpdateState=~"Needed" and Optional==false and Approved!=false), lastAssessedTime=max(TimeGenerated), lastUpdateAgentSeenTime="" by SourceComputerId
+ | extend
compliance=iff(missingCriticalUpdatesCount > 0 or missingSecurityUpdatesCount > 0, 2, 1)
+ | extend ComplianceOrder=iff(missingCriticalUpdatesCount > 0 or missingSecurityUpdatesCount > 0 or missingOtherUpdatesCount > 0, 1, 3)
+)
+on SourceComputerId
+| project id=SourceComputerId, displayName=Computer, sourceComputerId=SourceComputerId, scopedToUpdatesSolution=true, missingCriticalUpdatesCount=coalesce(missingCriticalUpdatesCount, -1), missingSecurityUpdatesCount=coalesce(missingSecurityUpdatesCount, -1), missingOtherUpdatesCount=coalesce(missingOtherUpdatesCount, -1), compliance=coalesce(compliance, 4), lastAssessedTime, lastUpdateAgentSeenTime, osType=2, environment=iff(ComputerEnvironment=~"Azure", 1, 2), ComplianceOrder=coalesce(ComplianceOrder, 2))
+| order by ComplianceOrder asc, missingCriticalUpdatesCount desc, missingSecurityUpdatesCount desc, missingOtherUpdatesCount desc, displayName asc
+| project-away ComplianceOrder
\ No newline at end of file
diff --git a/Azure Services/Automation accounts/Queries/Azure Update Management/Missing updates list.txt b/Azure Services/Automation accounts/Queries/Azure Update Management/Missing updates list.txt
new file mode 100644
index 00000000..dd1a04f4
--- /dev/null
+++ b/Azure Services/Automation accounts/Queries/Azure Update Management/Missing updates list.txt
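Review bot: The Heartbeat scoping subquery (`TimeGenerated>ago(12h)`, OS filter, `arg_max(TimeGenerated, Solutions)`, `Solutions has "updates"`, `distinct SourceComputerId`) is written out four times across the Linux and Windows branches of this query, and the `Update` lookback differs between the branches (`ago(5h)` for Linux, `ago(14h)` for Windows) with no comment saying why. Binding each scope once at the top, e.g. `let linuxScope = Heartbeat | where TimeGenerated>ago(12h) and OSType=="Linux" and notempty(Computer) | summarize arg_max(TimeGenerated, Solutions) by SourceComputerId | where Solutions has "updates" | distinct SourceComputerId;`, and referencing it inside `in()` keeps the windows and filters in one place and makes the asymmetric lookbacks visibly deliberate. The same duplicated subquery recurs in the "Missing updates list" and "Missing updates summary" hunks that follow.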
@@ -0,0 +1,29 @@
+// Author: Microsoft Azure
+// Display name: Missing updates list
+// Description: Get a list of all updates that are missing.
+// Categories: ['resources']
+// Resource types: ['Automation accounts']
+// Topic: Azure Update Management
+Update
+| where TimeGenerated>ago(5h) and OSType=="Linux" and SourceComputerId in ((Heartbeat
+| where TimeGenerated>ago(12h) and OSType=="Linux" and notempty(Computer)
+| summarize arg_max(TimeGenerated, Solutions) by SourceComputerId
+| where Solutions has "updates"
+| distinct SourceComputerId))
+| summarize hint.strategy=partitioned arg_max(TimeGenerated, UpdateState, Classification, BulletinUrl, BulletinID) by SourceComputerId, Product, ProductArch
+| where UpdateState=~"Needed"
+| project-away UpdateState, TimeGenerated
+| summarize computersCount=dcount(SourceComputerId, 2), ClassificationWeight=max(iff(Classification has "Critical", 4, iff(Classification has "Security", 2, 1))) by id=strcat(Product, "_", ProductArch), displayName=Product, productArch=ProductArch, classification=Classification, InformationId=BulletinID, InformationUrl=tostring(split(BulletinUrl, ";", 0)[0]), osType=1
+| union(Update
+| where TimeGenerated>ago(14h) and OSType!="Linux" and (Optional==false or Classification has "Critical" or Classification has "Security") and SourceComputerId in ((Heartbeat
+| where TimeGenerated>ago(12h) and OSType=~"Windows" and notempty(Computer)
+| summarize arg_max(TimeGenerated, Solutions) by SourceComputerId
+| where Solutions has "updates"
+| distinct SourceComputerId))
+| summarize hint.strategy=partitioned arg_max(TimeGenerated, UpdateState, Classification, Title, KBID, PublishedDate, Approved) by Computer, SourceComputerId, UpdateID
+| where UpdateState=~"Needed" and Approved!=false
+| project-away UpdateState, Approved, TimeGenerated
+| summarize computersCount=dcount(SourceComputerId, 2), displayName=any(Title), publishedDate=min(PublishedDate), ClassificationWeight=max(iff(Classification has
"Critical", 4, iff(Classification has "Security", 2, 1))) by id=strcat(UpdateID, "_", KBID), classification=Classification, InformationId=strcat("KB", KBID), InformationUrl=iff(isnotempty(KBID), strcat("https://support.microsoft.com/kb/", KBID), ""), osType=2)
+| sort by ClassificationWeight desc, computersCount desc, displayName asc
+| extend informationLink=(iff(isnotempty(InformationId) and isnotempty(InformationUrl), toobject(strcat('{ "uri": "', InformationUrl, '", "text": "', InformationId, '", "target": "blank" }')), toobject('')))
+| project-away ClassificationWeight, InformationId, InformationUrl
\ No newline at end of file
diff --git a/Azure Services/Automation accounts/Queries/Azure Update Management/Missing updates summary.txt b/Azure Services/Automation accounts/Queries/Azure Update Management/Missing updates summary.txt
new file mode 100644
index 00000000..b7298d0c
--- /dev/null
+++ b/Azure Services/Automation accounts/Queries/Azure Update Management/Missing updates summary.txt
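Review bot: The `informationLink` column is built by splicing `InformationUrl` and `InformationId` into a JSON string and parsing it back with `toobject`; on the Linux side both come straight from the `BulletinUrl` and `BulletinID` columns, so a value containing a double quote or backslash breaks the literal and the parse yields a malformed or empty object for that row. Build the property bag from values rather than text, `| extend informationLink=iff(isnotempty(InformationId) and isnotempty(InformationUrl), pack("uri", InformationUrl, "text", InformationId, "target", "blank"), toobject(''))`, which produces the same shape and escapes correctly whatever the columns contain. Only the `toobject(strcat(...))` call on the existing `extend` line changes.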
@@ -0,0 +1,25 @@
+// Author: Microsoft Azure
+// Display name: Missing updates summary
+// Description: Get a summary of missing updates by category.
+// Categories: ['resources']
+// Resource types: ['Automation accounts']
+// Topic: Azure Update Management
+Update
+| where TimeGenerated>ago(5h) and OSType=="Linux" and SourceComputerId in ((Heartbeat
+| where TimeGenerated>ago(12h) and OSType=="Linux" and notempty(Computer)
+| summarize arg_max(TimeGenerated, Solutions) by SourceComputerId
+| where Solutions has "updates"
+| distinct SourceComputerId))
+| summarize hint.strategy=partitioned arg_max(TimeGenerated, UpdateState, Classification) by Computer, SourceComputerId, Product, ProductArch
+| where UpdateState=~"Needed"
+| summarize by Product, ProductArch, Classification
+| union (Update
+| where TimeGenerated>ago(14h) and OSType!="Linux" and (Optional==false or Classification has "Critical" or Classification has "Security") and SourceComputerId in ((Heartbeat
+| where TimeGenerated>ago(12h) and OSType=~"Windows" and notempty(Computer)
+| summarize arg_max(TimeGenerated, Solutions) by SourceComputerId
+| where Solutions has "updates"
+| distinct SourceComputerId))
+| summarize hint.strategy=partitioned arg_max(TimeGenerated, UpdateState, Classification, Approved) by Computer, SourceComputerId, UpdateID
+| where UpdateState=~"Needed" and Approved!=false
+| summarize by UpdateID, Classification )
+| summarize allUpdatesCount=count(), criticalUpdatesCount=countif(Classification has "Critical"), securityUpdatesCount=countif(Classification has "Security"), otherUpdatesCount=countif(Classification !has "Critical" and Classification !has "Security")
\ No newline at end of file
diff --git a/Azure Services/Automation accounts/Queries/Azure Update Management/Patch installation failure for your machines.txt b/Azure Services/Automation accounts/Queries/Azure Update Management/Patch installation failure for your machines.txt
new file mode 100644
index 00000000..76ecd232
--- /dev/null
+++ b/Azure Services/Automation accounts/Queries/Azure Update Management/Patch installation failure for your machines.txt
@@ -0,0 +1,18 @@
+// Author: Microsoft Azure
+// Display name: Patch installation failure for your machines
+// Description: List for each machine the installation status of the updates where the installation was not successful.
+// Categories: ['virtualmachines', 'security']
+// Resource types: ['Automation accounts']
+// Topic: Azure Update Management
+UpdateRunProgress
+| where TimeGenerated>ago(1d)
+| where InstallationStatus == "NotStarted"
+| summarize by Title, InstallationStatus, SourceComputerId, UpdateId, Computer
+| join kind= inner (
+ UpdateRunProgress
+ | where TimeGenerated>ago(1d)
+ | where InstallationStatus != "NotStarted"
+ | summarize by Title, InstallationStatus, SourceComputerId, UpdateId, Computer
+) on UpdateId
+| where InstallationStatus1 != "Succeed"
+| summarize by Title, InstallationStatus, Computer
diff --git a/Azure Services/Automation accounts/Queries/Azure Update Management/Summary of updates available across machines.txt b/Azure Services/Automation accounts/Queries/Azure Update Management/Summary of updates available across machines.txt
new file mode 100644
index 00000000..5f40c0e4
--- /dev/null
+++ b/Azure Services/Automation accounts/Queries/Azure Update Management/Summary of updates available across machines.txt
@@ -0,0 +1,9 @@
+// Author: Microsoft Azure
+// Display name: Summary of updates available across machines
+// Description: Count of updates available under various categories for each machine.
+// Categories: ['virtualmachines', 'security']
+// Resource types: ['Automation accounts']
+// Topic: Azure Update Management
+UpdateSummary
+| where TimeGenerated>ago(14h)
+| summarize by Computer, CriticalUpdatesMissing, SecurityUpdatesMissing, OtherUpdatesMissing, TotalUpdatesMissing
\ No newline at end of file
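Review bot: The self-join in the patch-failure query keys on `on UpdateId` alone, so a `NotStarted` row from one machine is paired with a later status row for the same update on any other machine — `SourceComputerId` and `Computer` are in both `summarize by` lists but not in the join key. The closing `| summarize by Title, InstallationStatus, Computer` then reports the left side's `InstallationStatus`, which is always `"NotStarted"` by construction, rather than the outcome held in `InstallationStatus1`. Join with `) on UpdateId, SourceComputerId` and finish with `| summarize by Title, InstallationStatus1, Computer`. The literal in `InstallationStatus1 != "Succeed"` should also be checked against the value the table actually writes; if that value is `"Succeeded"`, successful installs are never filtered out and the list is every non-NotStarted row.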
diff --git a/Azure Services/Automation accounts/Queries/Azure Update Management/Updates available for Linux machines.txt b/Azure Services/Automation accounts/Queries/Azure Update Management/Updates available for Linux machines.txt
new file mode 100644
index 00000000..3c8e8c17
--- /dev/null
+++ b/Azure Services/Automation accounts/Queries/Azure Update Management/Updates available for Linux machines.txt
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Updates available for Linux machines
+// Description: List the Linux package version updates available by their classification and for each Computer.
+// Categories: ['virtualmachines', 'security']
+// Resource types: ['Automation accounts']
+// Topic: Azure Update Management
+Update
+| where TimeGenerated>ago(14h)
+| where UpdateState =~ "Needed" and OSType == "Linux"
+| summarize by Computer, Classification, Product, ProductVersion
\ No newline at end of file
diff --git a/Azure Services/Automation accounts/Queries/Azure Update Management/Updates available for Windows machines.txt b/Azure Services/Automation accounts/Queries/Azure Update Management/Updates available for Windows machines.txt
new file mode 100644
index 00000000..d5c3b632
--- /dev/null
+++ b/Azure Services/Automation accounts/Queries/Azure Update Management/Updates available for Windows machines.txt
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Updates available for Windows machines
+// Description: List the Windows update KBIDs available by their classification and for each Computer.
+// Categories: ['virtualmachines', 'security']
+// Resource types: ['Automation accounts']
+// Topic: Azure Update Management
+Update
+| where TimeGenerated>ago(14h)
+| where UpdateState =~ "Needed" and OSType != "Linux"
+| summarize by Computer, Classification, Product, KBID
\ No newline at end of file
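Review bot: In the Linux query, `where UpdateState =~ "Needed"` is applied to every assessment row in the 14-hour window, so a package that was reported Needed and then, in a later assessment inside the window, reported as installed is still listed; the commit's own "Missing updates list" hunk avoids this by taking `arg_max(TimeGenerated, UpdateState, ...)` per computer and update before filtering. The same shape fits here: `| summarize arg_max(TimeGenerated, UpdateState, Classification, ProductVersion) by Computer, Product, ProductArch`, then `| where UpdateState =~ "Needed"`, then `| project Computer, Classification, Product, ProductVersion`. The Windows query on this line has the same exposure, with `Computer, UpdateID` as the natural key.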
diff --git a/Azure Services/Automation accounts/Queries/README b/Azure Services/Automation accounts/Queries/README
new file mode 100644
index 00000000..f121024f
--- /dev/null
+++ b/Azure Services/Automation accounts/Queries/README
@@ -0,0 +1 @@
+Put queries in this folder
\ No newline at end of file
diff --git a/Azure Services/Automation accounts/Workbooks/README b/Azure Services/Automation accounts/Workbooks/README
new file mode 100644
index 00000000..7b19c105
--- /dev/null
+++ b/Azure Services/Automation accounts/Workbooks/README
@@ -0,0 +1 @@
+Put workbooks in this folder
\ No newline at end of file
diff --git a/Azure Services/Azure Activity logs/Alerts/README b/Azure Services/Azure Activity logs/Alerts/README
new file mode 100644
index 00000000..e7cf202f
--- /dev/null
+++ b/Azure Services/Azure Activity logs/Alerts/README
@@ -0,0 +1 @@
+Put alerts in this folder
\ No newline at end of file
diff --git a/Azure Services/Azure Activity logs/Queries/Activity logs/Failed operations.txt b/Azure Services/Azure Activity logs/Queries/Activity logs/Failed operations.txt
new file mode 100644
index 00000000..7cdf1c85
--- /dev/null
+++ b/Azure Services/Azure Activity logs/Queries/Activity logs/Failed operations.txt
@@ -0,0 +1,9 @@
+// Author: Microsoft Azure
+// Display name: Failed operations
+// Description: List all reports of failed operations, over the past hour.
+// Categories: ['audit']
+// Resource types: ['Azure Activity logs']
+// Topic: Activity logs
+AzureActivity
+| where TimeGenerated > ago(1h)
+| where ActivityStatus == "Failed"
\ No newline at end of file
diff --git a/Azure Services/Azure Activity logs/Queries/Activity logs/Latest 50 logs.txt b/Azure Services/Azure Activity logs/Queries/Activity logs/Latest 50 logs.txt
new file mode 100644
index 00000000..fa4e85a2
--- /dev/null
+++ b/Azure Services/Azure Activity logs/Queries/Activity logs/Latest 50 logs.txt
@@ -0,0 +1,8 @@
+// Author: Microsoft Azure
+// Display name: Latest 50 logs
+// Description: Show the latest Azure Activity logs for this resource.
+// Categories: ['audit']
+// Resource types: ['Azure Activity logs']
+// Topic: Activity logs
+AzureActivity
+| top 50 by TimeGenerated desc
\ No newline at end of file
diff --git a/Azure Services/Azure Activity logs/Queries/Activity logs/Operations status.txt b/Azure Services/Azure Activity logs/Queries/Activity logs/Operations status.txt
new file mode 100644
index 00000000..e7746e66
--- /dev/null
+++ b/Azure Services/Azure Activity logs/Queries/Activity logs/Operations status.txt
@@ -0,0 +1,8 @@
+// Author: Microsoft Azure
+// Display name: Operations' status
+// Description: Show the latest Azure activity log for each operation.
+// Categories: ['audit']
+// Resource types: ['Azure Activity logs']
+// Topic: Activity logs
+AzureActivity
+| summarize arg_max(TimeGenerated, *) by OperationName
\ No newline at end of file
diff --git a/Azure Services/Azure Activity logs/Queries/Activity logs/Recent Azure Activity logs.txt b/Azure Services/Azure Activity logs/Queries/Activity logs/Recent Azure Activity logs.txt
new file mode 100644
index 00000000..f3bba8a5
--- /dev/null
+++ b/Azure Services/Azure Activity logs/Queries/Activity logs/Recent Azure Activity logs.txt
@@ -0,0 +1,9 @@
+// Author: Microsoft Azure
+// Display name: Recent Azure Activity logs
+// Description: Display all Azure Activity logs from the last hour.
+// Categories: ['audit']
+// Resource types: ['Azure Activity logs']
+// Topic: Activity logs
+AzureActivity
+| where Level == "Error" or Level == "Warning"
+| project TimeGenerated, Level, ResourceProvider, ActivityStatus, Caller, Category, Properties, CorrelationId
\ No newline at end of file
diff --git a/Azure Services/Azure Activity logs/Queries/README b/Azure Services/Azure Activity logs/Queries/README
new file mode 100644
index 00000000..f121024f
--- /dev/null
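Review bot: The "Recent Azure Activity logs" description says "Display all Azure Activity logs from the last hour", but the query has no `TimeGenerated` bound and keeps only `Level == "Error" or Level == "Warning"`, so it is neither limited to the last hour nor a view of all logs. Either add `| where TimeGenerated > ago(1h)` before the `Level` filter, as the "Failed operations" query in this commit does, and reword the description to "Error and warning Activity logs from the last hour", or drop the `Level` filter if "all logs" is the intent. As written, a reader who trusts the header will believe a quiet hour means no activity when it only means no errors or warnings.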
+++ b/Azure Services/Azure Activity logs/Queries/README
@@ -0,0 +1 @@
+Put queries in this folder
\ No newline at end of file
diff --git a/Azure Services/Azure Activity logs/Workbooks/README b/Azure Services/Azure Activity logs/Workbooks/README
new file mode 100644
index 00000000..7b19c105
--- /dev/null
+++ b/Azure Services/Azure Activity logs/Workbooks/README
@@ -0,0 +1 @@
+Put workbooks in this folder
\ No newline at end of file
diff --git a/Azure Services/Azure Database for MariaDB servers/Alerts/README b/Azure Services/Azure Database for MariaDB servers/Alerts/README
new file mode 100644
index 00000000..e7cf202f
--- /dev/null
+++ b/Azure Services/Azure Database for MariaDB servers/Alerts/README
@@ -0,0 +1 @@
+Put alerts in this folder
\ No newline at end of file
diff --git a/Azure Services/Azure Database for MariaDB servers/Queries/Audit/Review audit log events in CONNECTION class.txt b/Azure Services/Azure Database for MariaDB servers/Queries/Audit/Review audit log events in CONNECTION class.txt
new file mode 100644
index 00000000..77986d84
--- /dev/null
+++ b/Azure Services/Azure Database for MariaDB servers/Queries/Audit/Review audit log events in CONNECTION class.txt
@@ -0,0 +1,11 @@
+// Author: Microsoft Azure
+// Display name: Review audit log events in CONNECTION class
+// Description: Identify connection related events for your server.
+// Categories: ['workloads', 'audit']
+// Resource types: ['Azure Database for MariaDB servers']
+// Topic: Audit
+AzureDiagnostics
+| where ResourceProvider =="MICROSOFT.DBFORMARIADB"
+| where Category == 'MySqlAuditLogs' and event_class_s == "connection_log"
+| project TimeGenerated, LogicalServerName_s, event_class_s, event_subclass_s, event_time_t, user_s , ip_s , sql_text_s
+| order by TimeGenerated asc
\ No newline at end of file
diff --git a/Azure Services/Azure Database for MariaDB servers/Queries/Audit/Review audit log events in GENERAL class.txt b/Azure Services/Azure Database for MariaDB servers/Queries/Audit/Review audit log events in GENERAL class.txt
new file mode 100644
index 00000000..0b26d440
--- /dev/null
+++ b/Azure Services/Azure Database for MariaDB servers/Queries/Audit/Review audit log events in GENERAL class.txt
@@ -0,0 +1,11 @@
+// Author: Microsoft Azure
+// Display name: Review audit log events in GENERAL class
+// Description: Identify general class events for your server.
+// Categories: ['workloads', 'audit']
+// Resource types: ['Azure Database for MariaDB servers']
+// Topic: Audit
+AzureDiagnostics
+| where ResourceProvider =="MICROSOFT.DBFORMARIADB"
+| where Category == 'MySqlAuditLogs' and event_class_s == "general_log"
+| project TimeGenerated, LogicalServerName_s, event_class_s, event_subclass_s, event_time_t, user_s , ip_s , sql_text_s
+| order by TimeGenerated asc
\ No newline at end of file
diff --git a/Azure Services/Azure Database for MariaDB servers/Queries/Performance/Execution time exceeding a threshold.txt b/Azure Services/Azure Database for MariaDB servers/Queries/Performance/Execution time exceeding a threshold.txt
new file mode 100644
index 00000000..8999abb7
--- /dev/null
+++ b/Azure Services/Azure Database for MariaDB servers/Queries/Performance/Execution time exceeding a threshold.txt
@@ -0,0 +1,11 @@
+// Author: Microsoft Azure
+// Display name: Execution time exceeding a threshold
+// Description: Identify queries that their run time exceeds 10 seconds.
+// Categories: ['workloads']
+// Resource types: ['Azure Database for MariaDB servers']
+// Topic: Performance
+AzureDiagnostics
+| where ResourceProvider =="MICROSOFT.DBFORMARIADB"
+| where Category == 'MySqlSlowLogs'
+| project TimeGenerated, LogicalServerName_s, event_class_s, start_time_t , query_time_d, sql_text_s
+| where query_time_d > 10 // You may change the time threshold
\ No newline at end of file
diff --git a/Azure Services/Azure Database for MariaDB servers/Queries/Performance/Show Querys statistics.txt b/Azure Services/Azure Database for MariaDB servers/Queries/Performance/Show Querys statistics.txt
new file mode 100644
index 00000000..1e85726d
--- /dev/null
+++ b/Azure Services/Azure Database for MariaDB servers/Queries/Performance/Show Querys statistics.txt
@@ -0,0 +1,12 @@
+// Author: Microsoft Azure
+// Display name: Show Query's statistics
+// Description: Construct a summary statistics table by query.
+// Categories: ['workloads']
+// Resource types: ['Azure Database for MariaDB servers']
+// Topic: Performance
+AzureDiagnostics
+| where ResourceProvider =="MICROSOFT.DBFORMARIADB"
+| where Category == 'MySqlSlowLogs'
+| project TimeGenerated, LogicalServerName_s, event_class_s, start_time_t , query_time_d, sql_text_s
+| summarize count(), min(query_time_d), max(query_time_d), avg(query_time_d), stdev(query_time_d), percentile(query_time_d, 95) by LogicalServerName_s ,sql_text_s
+| top 50 by percentile_query_time_d_95 desc
\ No newline at end of file
diff --git a/Azure Services/Azure Database for MariaDB servers/Queries/Performance/Show the Slowest queries.txt b/Azure Services/Azure Database for MariaDB servers/Queries/Performance/Show the Slowest queries.txt
new file mode 100644
index 00000000..652fcfb7
--- /dev/null
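Review bot: In the MariaDB "Execution time exceeding a threshold" query the 10-second limit is stated twice — in the `Description` header and again in `where query_time_d > 10` — so the trailing "You may change the time threshold" comment invites editing a value that the header will then misstate. Declaring it once at the top, `let thresholdSeconds = 10;`, and filtering with `| where query_time_d > thresholdSeconds`, gives a single place to change and a name that records the unit. The MySQL copy of this query further down in the commit has the same layout and would benefit from the same change.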
+++ b/Azure Services/Azure Database for MariaDB servers/Queries/Performance/Show the Slowest queries.txt
@@ -0,0 +1,11 @@
+// Author: Microsoft Azure
+// Display name: Show the Slowest queries
+// Description: Identify top 5 slowest queries.
+// Categories: ['workloads']
+// Resource types: ['Azure Database for MariaDB servers']
+// Topic: Performance
+AzureDiagnostics
+| where ResourceProvider =="MICROSOFT.DBFORMARIADB"
+| where Category == 'MySqlSlowLogs'
+| project TimeGenerated, LogicalServerName_s, event_class_s, start_time_t , query_time_d, sql_text_s
+| top 5 by query_time_d desc
\ No newline at end of file
diff --git a/Azure Services/Azure Database for MariaDB servers/Queries/README b/Azure Services/Azure Database for MariaDB servers/Queries/README
new file mode 100644
index 00000000..f121024f
--- /dev/null
+++ b/Azure Services/Azure Database for MariaDB servers/Queries/README
@@ -0,0 +1 @@
+Put queries in this folder
\ No newline at end of file
diff --git a/Azure Services/Azure Database for MariaDB servers/Workbooks/README b/Azure Services/Azure Database for MariaDB servers/Workbooks/README
new file mode 100644
index 00000000..7b19c105
--- /dev/null
+++ b/Azure Services/Azure Database for MariaDB servers/Workbooks/README
@@ -0,0 +1 @@
+Put workbooks in this folder
\ No newline at end of file
diff --git a/Azure Services/Azure Database for MySQL servers/Alerts/README b/Azure Services/Azure Database for MySQL servers/Alerts/README
new file mode 100644
index 00000000..e7cf202f
--- /dev/null
+++ b/Azure Services/Azure Database for MySQL servers/Alerts/README
@@ -0,0 +1 @@
+Put alerts in this folder
\ No newline at end of file
diff --git a/Azure Services/Azure Database for MySQL servers/Queries/Audit/Review audit log events in CONNECTION class.txt b/Azure Services/Azure Database for MySQL servers/Queries/Audit/Review audit log events in CONNECTION class.txt
new file mode 100644
index 00000000..1f746d24
--- /dev/null
+++ b/Azure Services/Azure Database for MySQL servers/Queries/Audit/Review audit log events in CONNECTION class.txt
@@ -0,0 +1,11 @@
+// Author: Microsoft Azure
+// Display name: Review audit log events in CONNECTION class
+// Description: Identify connection related events for your server.
+// Categories: ['workloads', 'audit']
+// Resource types: ['Azure Database for MySQL servers']
+// Topic: Audit
+AzureDiagnostics
+| where ResourceProvider =="MICROSOFT.DBFORMYSQL"
+| where Category == 'MySqlAuditLogs' and event_class_s == "connection_log"
+| project TimeGenerated, LogicalServerName_s, event_class_s, event_subclass_s, event_time_t, user_s , ip_s , sql_text_s
+| order by TimeGenerated asc
\ No newline at end of file
diff --git a/Azure Services/Azure Database for MySQL servers/Queries/Audit/Review audit log events in GENERAL class.txt b/Azure Services/Azure Database for MySQL servers/Queries/Audit/Review audit log events in GENERAL class.txt
new file mode 100644
index 00000000..5916db4f
--- /dev/null
+++ b/Azure Services/Azure Database for MySQL servers/Queries/Audit/Review audit log events in GENERAL class.txt
@@ -0,0 +1,11 @@
+// Author: Microsoft Azure
+// Display name: Review audit log events in GENERAL class
+// Description: Identify general class events for your server.
+// Categories: ['workloads', 'audit']
+// Resource types: ['Azure Database for MySQL servers']
+// Topic: Audit
+AzureDiagnostics
+| where ResourceProvider =="MICROSOFT.DBFORMYSQL"
+| where Category == 'MySqlAuditLogs' and event_class_s == "general_log"
+| project TimeGenerated, LogicalServerName_s, event_class_s, event_subclass_s, event_time_t, user_s , ip_s , sql_text_s
+| order by TimeGenerated asc
\ No newline at end of file
diff --git a/Azure Services/Azure Database for MySQL servers/Queries/Performance/Execution time exceeding a threshold.txt b/Azure Services/Azure Database for MySQL servers/Queries/Performance/Execution time exceeding a threshold.txt
new file mode 100644
index 00000000..9c70d5c5
--- /dev/null
+++ b/Azure Services/Azure Database for MySQL servers/Queries/Performance/Execution time exceeding a threshold.txt
@@ -0,0 +1,11 @@
+// Author: Microsoft Azure
+// Display name: Execution time exceeding a threshold
+// Description: Identify queries that their run time exceeds 10 seconds.
+// Categories: ['workloads']
+// Resource types: ['Azure Database for MySQL servers']
+// Topic: Performance
+AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.DBFORMYSQL"
+| where Category == 'MySqlSlowLogs'
+| project TimeGenerated, LogicalServerName_s, event_class_s, start_time_t , query_time_d, sql_text_s
+| where query_time_d > 10 //You may change the time threshold
\ No newline at end of file
diff --git a/Azure Services/Azure Database for MySQL servers/Queries/Performance/Show Querys statistics.txt b/Azure Services/Azure Database for MySQL servers/Queries/Performance/Show Querys statistics.txt
new file mode 100644
index 00000000..27532fb4
--- /dev/null
+++ b/Azure Services/Azure Database for MySQL servers/Queries/Performance/Show Querys statistics.txt
@@ -0,0 +1,12 @@
+// Author: Microsoft Azure
+// Display name: Show Query's statistics
+// Description: Construct a summary statistics table by query.
+// Categories: ['workloads']
+// Resource types: ['Azure Database for MySQL servers']
+// Topic: Performance
+AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.DBFORMYSQL"
+| where Category == 'MySqlSlowLogs'
+| project TimeGenerated, LogicalServerName_s, event_class_s, start_time_t , query_time_d, sql_text_s
+| summarize count(), min(query_time_d), max(query_time_d), avg(query_time_d), stdev(query_time_d), percentile(query_time_d, 95) by LogicalServerName_s ,sql_text_s
+| top 50 by percentile_query_time_d_95 desc
\ No newline at end of file
diff --git a/Azure Services/Azure Database for MySQL servers/Queries/Performance/Show the Slowest queries.txt b/Azure Services/Azure Database for MySQL servers/Queries/Performance/Show the Slowest queries.txt
new file mode 100644
index 00000000..d7905716
--- /dev/null
+++ b/Azure Services/Azure Database for MySQL servers/Queries/Performance/Show the Slowest queries.txt
@@ -0,0 +1,11 @@
+// Author: Microsoft Azure
+// Display name: Show the Slowest queries
+// Description: Identify top 5 slowest queries.
+// Categories: ['workloads']
+// Resource types: ['Azure Database for MySQL servers']
+// Topic: Performance
+AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.DBFORMYSQL"
+| where Category == 'MySqlSlowLogs'
+| project TimeGenerated, LogicalServerName_s, event_class_s, start_time_t , query_time_d, sql_text_s
+| top 5 by query_time_d desc
\ No newline at end of file
diff --git a/Azure Services/Azure Database for MySQL servers/Queries/README b/Azure Services/Azure Database for MySQL servers/Queries/README
new file mode 100644
index 00000000..f121024f
--- /dev/null
+++ b/Azure Services/Azure Database for MySQL servers/Queries/README
@@ -0,0 +1 @@
+Put queries in this folder
\ No newline at end of file
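Review bot: `summarize ... by LogicalServerName_s ,sql_text_s` in the statistics query groups on the raw slow-log statement text, so statements that differ only in literal values (presumably most rows, since the slow log records what was executed rather than a normalized form) land in separate groups and the stdev/percentile columns are computed over very few samples each. A comment on that line, e.g. `// groups by exact statement text; literal values are not normalized, so similar queries appear as separate rows`, would stop readers from over-trusting the percentiles. The display name `Show Query's statistics` also differs from the file name `Show Querys statistics.txt`, which may matter if the catalog is keyed by name.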
diff --git a/Azure Services/Azure Database for MySQL servers/Workbooks/README b/Azure Services/Azure Database for MySQL servers/Workbooks/README
new file mode 100644
index 00000000..7b19c105
--- /dev/null
+++ b/Azure Services/Azure Database for MySQL servers/Workbooks/README
@@ -0,0 +1 @@
+Put workbooks in this folder
\ No newline at end of file
diff --git a/Azure Services/Azure Database for PostgreSQL servers/Alerts/README b/Azure Services/Azure Database for PostgreSQL servers/Alerts/README
new file mode 100644
index 00000000..e7cf202f
--- /dev/null
+++ b/Azure Services/Azure Database for PostgreSQL servers/Alerts/README
@@ -0,0 +1 @@
+Put alerts in this folder
\ No newline at end of file
diff --git a/Azure Services/Azure Database for PostgreSQL servers/Queries/Audit Logs/Audit logs for tables and event types.txt b/Azure Services/Azure Database for PostgreSQL servers/Queries/Audit Logs/Audit logs for tables and event types.txt
new file mode 100644
index 00000000..34740354
--- /dev/null
+++ b/Azure Services/Azure Database for PostgreSQL servers/Queries/Audit Logs/Audit logs for tables and event types.txt
@@ -0,0 +1,11 @@
+// Author: Microsoft Azure
+// Display name: Audit logs for table(s) and event type(s)
+// Description: Search for audit logs for a specific table and event type DDL. Other event types are READ, WRITE, FUNCTION, MISC. It requires audit logs enabled. [https://docs.microsoft.com/azure/postgresql/concepts-audit].
+// Categories: ['workloads', 'audit']
+// Resource types: ['Azure Database for PostgreSQL servers']
+// Topic: Audit Logs
+AzureDiagnostics
+| where ResourceProvider =="MICROSOFT.DBFORPOSTGRESQL"
+| where Category == "PostgreSQLLogs"
+| where Message contains "AUDIT:"
+| where Message contains "table name" and Message contains "DDL"
\ No newline at end of file
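Review bot: `Message contains "table name"` on the last line of the audit-by-table query is a placeholder rather than a filter — run as shipped it silently matches nothing, and nothing in the file tells the user to replace it. Mark it explicitly, e.g. `| where Message contains "table name" and Message contains "DDL" // replace "table name" with the table to search for; DDL is one of READ, WRITE, FUNCTION, MISC, DDL`. `contains` is also a case-insensitive substring match, so `contains "DDL"` fires on any audit line whose statement text merely includes the letters "ddl"; `Message has "DDL"` is the term-level match that better fits a pgaudit class field.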
diff --git a/Azure Services/Azure Database for PostgreSQL servers/Queries/Audit Logs/Audit logs.txt b/Azure Services/Azure Database for PostgreSQL servers/Queries/Audit Logs/Audit logs.txt
new file mode 100644
index 00000000..642d878e
--- /dev/null
+++ b/Azure Services/Azure Database for PostgreSQL servers/Queries/Audit Logs/Audit logs.txt
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Audit logs
+// Description: Get all audit logs. It requires audit logs to be enabled [https://docs.microsoft.com/azure/postgresql/concepts-audit].
+// Categories: ['workloads', 'audit']
+// Resource types: ['Azure Database for PostgreSQL servers']
+// Topic: Audit Logs
+AzureDiagnostics
+| where ResourceProvider =="MICROSOFT.DBFORPOSTGRESQL"
+| where Category == "PostgreSQLLogs"
+| where Message contains "AUDIT:"
\ No newline at end of file
diff --git a/Azure Services/Azure Database for PostgreSQL servers/Queries/Diagnostics/Autovacuum events.txt b/Azure Services/Azure Database for PostgreSQL servers/Queries/Diagnostics/Autovacuum events.txt
new file mode 100644
index 00000000..f52c34d5
--- /dev/null
+++ b/Azure Services/Azure Database for PostgreSQL servers/Queries/Diagnostics/Autovacuum events.txt
@@ -0,0 +1,11 @@
+// Author: Microsoft Azure
+// Display name: Autovacuum events
+// Description: Search for autovacuum events over the last 24 hours. It requires parameter 'log_autovacuum_min_duration' enabled.
+// Categories: ['workloads']
+// Resource types: ['Azure Database for PostgreSQL servers']
+// Topic: Diagnostics
+AzureDiagnostics
+| where TimeGenerated > ago(1d)
+| where ResourceProvider =="MICROSOFT.DBFORPOSTGRESQL"
+| where Category == "PostgreSQLLogs"
+| where Message contains "automatic vacuum"
diff --git a/Azure Services/Azure Database for PostgreSQL servers/Queries/Diagnostics/Deadlocks.txt b/Azure Services/Azure Database for PostgreSQL servers/Queries/Diagnostics/Deadlocks.txt
new file mode 100644
index 00000000..08ca5f66
--- /dev/null
+++ b/Azure Services/Azure Database for PostgreSQL servers/Queries/Diagnostics/Deadlocks.txt
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Deadlocks
+// Description: Search for deadlock events.
+// Categories: ['workloads']
+// Resource types: ['Azure Database for PostgreSQL servers']
+// Topic: Diagnostics
+AzureDiagnostics
+| where ResourceProvider =="MICROSOFT.DBFORPOSTGRESQL"
+| where Category == "PostgreSQLLogs"
+| where Message contains "deadlock detected"
\ No newline at end of file
diff --git a/Azure Services/Azure Database for PostgreSQL servers/Queries/Diagnostics/Execution count trends.txt b/Azure Services/Azure Database for PostgreSQL servers/Queries/Diagnostics/Execution count trends.txt
new file mode 100644
index 00000000..06c258fe
--- /dev/null
+++ b/Azure Services/Azure Database for PostgreSQL servers/Queries/Diagnostics/Execution count trends.txt
@@ -0,0 +1,12 @@
+// Author: Microsoft Azure
+// Display name: Execution count trends
+// Description: Execution trend by query aggregated by 15 minute-intervals.
+// Categories: ['workloads']
+// Resource types: ['Azure Database for PostgreSQL servers']
+// Topic: Diagnostics
+AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.DBFORPOSTGRESQL"
+| where Category == "QueryStoreRuntimeStatistics"
+| where user_id_s != "10" //exclude azure system user
+| summarize sum(toint(calls_s)) by tostring(query_id_d), bin(TimeGenerated, 15m)
+| render timechart
\ No newline at end of file
diff --git a/Azure Services/Azure Database for PostgreSQL servers/Queries/Diagnostics/Lock contention.txt b/Azure Services/Azure Database for PostgreSQL servers/Queries/Diagnostics/Lock contention.txt
new file mode 100644
index 00000000..7e5286e9
--- /dev/null
+++ b/Azure Services/Azure Database for PostgreSQL servers/Queries/Diagnostics/Lock contention.txt
@@ -0,0 +1,9 @@
+// Author: Microsoft Azure
+// Display name: Lock contention
+// Description: Search for lock contention. It requires log_lock_waits=ON and depends on deadlock_timeout setting.
+// Categories: ['workloads']
+// Resource types: ['Azure Database for PostgreSQL servers']
+// Topic: Diagnostics
+AzureDiagnostics
+| where ResourceProvider =="MICROSOFT.DBFORPOSTGRESQL"
+| where Message contains "still waiting for ShareLock on transaction"
\ No newline at end of file
diff --git a/Azure Services/Azure Database for PostgreSQL servers/Queries/Diagnostics/Query statistics.txt b/Azure Services/Azure Database for PostgreSQL servers/Queries/Diagnostics/Query statistics.txt
new file mode 100644
index 00000000..d38f1ed4
--- /dev/null
+++ b/Azure Services/Azure Database for PostgreSQL servers/Queries/Diagnostics/Query statistics.txt
@@ -0,0 +1,12 @@
+// Author: Microsoft Azure
+// Display name: Query statistics
+// Description: Construct a summary statistics table by query.
+// Categories: ['workloads']
+// Resource types: ['Azure Database for PostgreSQL servers']
+// Topic: Diagnostics
+AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.DBFORPOSTGRESQL"
+| where Category == "QueryStoreRuntimeStatistics"
+| where user_id_s != "10" //exclude azure system user
+| summarize sum(toint(calls_s)), min(todouble(min_time_s)),max(todouble(max_time_s)),avg(todouble(mean_time_s)),percentile(todouble(mean_time_s),95) by db_id_s ,query_id_d
+| order by percentile_mean_time_s_95 desc nulls last
\ No newline at end of file
diff --git a/Azure Services/Azure Database for PostgreSQL servers/Queries/Diagnostics/Server restarts.txt b/Azure Services/Azure Database for PostgreSQL servers/Queries/Diagnostics/Server restarts.txt
new file mode 100644
index 00000000..e038c650
--- /dev/null
+++ b/Azure Services/Azure Database for PostgreSQL servers/Queries/Diagnostics/Server restarts.txt
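Review bot: The Lock contention query omits the `| where Category == "PostgreSQLLogs"` filter that every sibling PostgreSQL query in this commit applies, so it scans every diagnostic category the provider emits — including the Query Store tables — for the message text. Add `| where Category == "PostgreSQLLogs"` after the ResourceProvider filter. The match `"still waiting for ShareLock on transaction"` is also narrow: PostgreSQL uses the same "still waiting for" prefix for other lock modes, so a looser `Message contains "still waiting for"` may be what the description ("search for lock contention") intends; worth confirming against the server's actual log lines.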
@@ -0,0 +1,11 @@
+// Author: Microsoft Azure
+// Display name: Server restarts
+// Description: Search for server shut down and server ready events.
+// Categories: ['workloads']
+// Resource types: ['Azure Database for PostgreSQL servers']
+// Topic: Diagnostics
+AzureDiagnostics
+| where TimeGenerated > ago(7d)
+| where ResourceProvider =="MICROSOFT.DBFORPOSTGRESQL"
+| where Category == "PostgreSQLLogs"
+| where Message contains "database system was shut down at" or Message contains "database system is ready to accept"
diff --git a/Azure Services/Azure Database for PostgreSQL servers/Queries/Diagnostics/Top wait events.txt b/Azure Services/Azure Database for PostgreSQL servers/Queries/Diagnostics/Top wait events.txt
new file mode 100644
index 00000000..8b191ca5
--- /dev/null
+++ b/Azure Services/Azure Database for PostgreSQL servers/Queries/Diagnostics/Top wait events.txt
@@ -0,0 +1,13 @@
+// Author: Microsoft Azure
+// Display name: Top wait events
+// Description: Identify top 5 wait events by queries.
+// Categories: ['workloads']
+// Resource types: ['Azure Database for PostgreSQL servers']
+// Topic: Diagnostics
+AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.DBFORPOSTGRESQL"
+| where Category == "QueryStoreWaitStatistics"
+| where user_id_s != "10" //exclude azure system user
+| where query_id_d != 0
+| summarize sum(toint(calls_s)) by event_s, query_id_d, bin(TimeGenerated, 15m)
+| top 5 by sum_calls_s desc nulls last
\ No newline at end of file
diff --git a/Azure Services/Azure Database for PostgreSQL servers/Queries/Diagnostics/Wait event trends.txt b/Azure Services/Azure Database for PostgreSQL servers/Queries/Diagnostics/Wait event trends.txt
new file mode 100644
index 00000000..80d13f74
--- /dev/null
+++ b/Azure Services/Azure Database for PostgreSQL servers/Queries/Diagnostics/Wait event trends.txt
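Review bot: In the Top wait events query, `top 5 by sum_calls_s` runs after a summarize keyed on `bin(TimeGenerated, 15m)`, so it returns the five busiest 15-minute buckets rather than the top five wait events, and one event/query pair can occupy all five rows. If the description ("top 5 wait events by queries") is the intent, drop the bin from the grouping, e.g. `| summarize sum(toint(calls_s)) by event_s, query_id_d`; otherwise the description should say the ranking is per 15-minute interval.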
@@ -0,0 +1,13 @@
+// Author: Microsoft Azure
+// Display name: Wait event trends
+// Description: Display wait event trends over time.
+// Categories: ['workloads']
+// Resource types: ['Azure Database for PostgreSQL servers']
+// Topic: Diagnostics
+AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.DBFORPOSTGRESQL"
+| where Category == "QueryStoreWaitStatistics"
+| where user_id_s != "10" //exclude azure system user
+| extend query_id_s = tostring(query_id_d)
+| summarize sum(toint(calls_s)) by event_s, query_id_s, bin(TimeGenerated, 15m) // You may change the time threshold
+| render timechart
\ No newline at end of file
diff --git a/Azure Services/Azure Database for PostgreSQL servers/Queries/Errors/Find Errors.txt b/Azure Services/Azure Database for PostgreSQL servers/Queries/Errors/Find Errors.txt
new file mode 100644
index 00000000..89b3702b
--- /dev/null
+++ b/Azure Services/Azure Database for PostgreSQL servers/Queries/Errors/Find Errors.txt
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Find Errors
+// Description: Search for errors in the last 6 hours.
+// Categories: ['workloads']
+// Resource types: ['Azure Database for PostgreSQL servers']
+// Topic: Errors
+AzureDiagnostics
+| where TimeGenerated > ago(6h)
+| where Category == "PostgreSQLLogs"
+| where errorLevel_s contains "error"
diff --git a/Azure Services/Azure Database for PostgreSQL servers/Queries/Performance/Queries waiting.txt b/Azure Services/Azure Database for PostgreSQL servers/Queries/Performance/Queries waiting.txt
new file mode 100644
index 00000000..147190d0
--- /dev/null
+++ b/Azure Services/Azure Database for PostgreSQL servers/Queries/Performance/Queries waiting.txt
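Review bot: The Find Errors query filters only on `Category == "PostgreSQLLogs"` and not on `ResourceProvider`, unlike every other PostgreSQL query in this commit; add `| where ResourceProvider == "MICROSOFT.DBFORPOSTGRESQL"` so it cannot pick up another provider that happens to use the same category name. `errorLevel_s contains "error"` also silently drops higher severities — PostgreSQL's FATAL and PANIC levels do not contain that substring — which are exactly the messages an operator most wants in an "errors" view. The real values of `errorLevel_s` are not visible in this hunk, but something like `| where errorLevel_s in~ ("ERROR", "FATAL", "PANIC")` is likely closer to the intent; please confirm against live rows.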
@@ -0,0 +1,22 @@
+// Author: Microsoft Azure
+// Display name: Queries waiting
+// Description: Identify if slowest queries wait on anything.
+// Categories: ['workloads']
+// Resource types: ['Azure Database for PostgreSQL servers']
+// Topic: Performance
+let top5 = AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.DBFORPOSTGRESQL"
+//| where LogicalServerName_s == "your server name" // you can run this query for a specific server
+| where Category == "QueryStoreRuntimeStatistics"
+| where user_id_s != "10" //exclude azure system user
+| summarize avg(todouble(mean_time_s)) by event_class_s , db_id_s ,query_id_d
+| order by avg_mean_time_s desc nulls last
+| project query_id_d , db_id_s
+| take 5;
+AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.DBFORPOSTGRESQL"
+| where Category == "QueryStoreWaitStatistics"
+| extend query_id_s = tostring(query_id_d)
+| join top5 on query_id_d
+| summarize sum(toint(calls_s)) by event_s, query_id_s, bin(TimeGenerated, 15m)
+| render timechart
\ No newline at end of file
diff --git a/Azure Services/Azure Database for PostgreSQL servers/Queries/Performance/Queries with execution time exceeding a threshold.txt b/Azure Services/Azure Database for PostgreSQL servers/Queries/Performance/Queries with execution time exceeding a threshold.txt
new file mode 100644
index 00000000..8ae131e3
--- /dev/null
+++ b/Azure Services/Azure Database for PostgreSQL servers/Queries/Performance/Queries with execution time exceeding a threshold.txt
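Review bot: `| join top5 on query_id_d` in the Queries waiting query uses the default join flavor, which in KQL is `innerunique` and keeps only one (arbitrary) left-side row per key; here the left side is the wait-statistics stream with many rows per `query_id_d`, so the following 15-minute `summarize` and timechart are built from at most one row per query. Use `| join kind=inner top5 on query_id_d`, as the sibling "Compare two periods" query in this commit already does. The wait-statistics side also skips the `user_id_s != "10"` exclusion that `top5` applies; that is harmless because the join restricts output to the five selected ids, but a short comment saying so would save the next reader the same check.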
@@ -0,0 +1,12 @@
+// Author: Microsoft Azure
+// Display name: Queries with execution time exceeding a threshold
+// Description: Identify queries that take longer than 10 seconds. The query store normalizes actual queries to aggregate similar queries. By default, entries are aggregated every 15 mins. Query utilizes mean execution time every 15 mins and other query statistics such as max, min can be used as appropriate.
+// Categories: ['workloads']
+// Resource types: ['Azure Database for PostgreSQL servers']
+// Topic: Performance
+AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.DBFORPOSTGRESQL"
+| where Category == "QueryStoreRuntimeStatistics"
+| where user_id_s != "10" //exclude azure system user
+| project TimeGenerated, LogicalServerName_s, event_class_s , mean_time_s , db_id_s , start_time_t , query_id_d
+| where todouble(mean_time_s) > 10000 // You may change the time threshold
\ No newline at end of file
diff --git a/Azure Services/Azure Database for PostgreSQL servers/Queries/Performance/Slowest queries.txt b/Azure Services/Azure Database for PostgreSQL servers/Queries/Performance/Slowest queries.txt
new file mode 100644
index 00000000..fcd01214
--- /dev/null
+++ b/Azure Services/Azure Database for PostgreSQL servers/Queries/Performance/Slowest queries.txt
@@ -0,0 +1,12 @@
+// Author: Microsoft Azure
+// Display name: Slowest queries
+// Description: Identify top 5 slowest queries.
+// Categories: ['workloads']
+// Resource types: ['Azure Database for PostgreSQL servers']
+// Topic: Performance
+AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.DBFORPOSTGRESQL"
+| where Category == "QueryStoreRuntimeStatistics"
+| where user_id_s != "10" //exclude azure system user
+| summarize avg(todouble(mean_time_s)) by event_class_s , db_id_s ,query_id_d
+| top 5 by avg_mean_time_s desc
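Review bot: The threshold `todouble(mean_time_s) > 10000` is described as "longer than 10 seconds", which implies `mean_time_s` is in milliseconds, but neither the trailing comment nor the description states the unit — and the MySQL counterpart in this commit compares `query_time_d > 10`, so anyone copying between the two will be off by a factor of a thousand. Change the trailing comment to something like `// mean_time_s is in milliseconds; 10000 = 10 s — adjust to taste`. I am inferring the unit from the description only, so it should be confirmed against the Query Store documentation before the comment is committed.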
diff --git a/Azure Services/Azure Database for PostgreSQL servers/Queries/README b/Azure Services/Azure Database for PostgreSQL servers/Queries/README
new file mode 100644
index 00000000..f121024f
--- /dev/null
+++ b/Azure Services/Azure Database for PostgreSQL servers/Queries/README
@@ -0,0 +1 @@
+Put queries in this folder
\ No newline at end of file
diff --git a/Azure Services/Azure Database for PostgreSQL servers/Queries/Troubleshooting/Compare two periods for query execution times.txt b/Azure Services/Azure Database for PostgreSQL servers/Queries/Troubleshooting/Compare two periods for query execution times.txt
new file mode 100644
index 00000000..9a336f2b
--- /dev/null
+++ b/Azure Services/Azure Database for PostgreSQL servers/Queries/Troubleshooting/Compare two periods for query execution times.txt
@@ -0,0 +1,31 @@
+// Author: Microsoft Azure
+// Display name: Compare two periods for query execution times
+// Description: Identify queries that have a latency difference exceeding a threshold.
+// Categories: ['workloads']
+// Resource types: ['Azure Database for PostgreSQL servers']
+// Topic: Troubleshooting
+let queryExecutionPrev24h = AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.DBFORPOSTGRESQL"
+| where Category == "QueryStoreRuntimeStatistics"
+//| where LogicalServerName_s == "your server name" // you can run this query for a specific server | extend timestamp_new = make_datetime(start_time_t)
+// change range of baseline period based on your needs
+| where timestamp_new >= ago(48h) and timestamp_new < ago(24h)
+| summarize prevTimeAvg = avg(todecimal(mean_time_s)), prevTimeMax=max(todecimal(mean_time_s)), prevTimeMinTimeStamp=min(timestamp_new), prevTimeMaxTimeStamp=max(timestamp_new), prevTimeExecutionCount=sum(toint(calls_s)) by query_id_d;
+AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.DBFORPOSTGRESQL"
+| where Category == "QueryStoreRuntimeStatistics"
+//| where LogicalServerName_s == "your server name" // you can run this query for a specific server
+| extend timestamp_new = make_datetime(start_time_t)
+// change range of current period based on your needs
+| where timestamp_new >= ago(24h)
+| summarize currentTimeAvg=avg(todecimal(mean_time_s)), max(todecimal(mean_time_s)), min(timestamp_new), max(timestamp_new) , currentTimeExecutionCount = sum(toint(calls_s)) by query_id_d
+| join kind=inner
+ queryExecutionPrev24h
+on query_id_d
+| extend latencyDiff = currentTimeAvg - prevTimeAvg
+| extend latencyDiffPercent = (((prevTimeAvg-currentTimeAvg)/prevTimeAvg)*100)
+| extend executionCountDiff = (((todecimal(prevTimeExecutionCount)-todecimal(currentTimeExecutionCount))/todecimal(prevTimeExecutionCount)))*100
+| project query_id_d, latencyDiff, latencyDiffPercent, currentTimeAvg, prevTimeAvg, currentTimeExecutionCount,
prevTimeExecutionCount,executionCountDiff
+// change your threshold of difference between two periods based on your needs
+| where latencyDiffPercent < -10
+| order by latencyDiffPercent desc
\ No newline at end of file
diff --git a/Azure Services/Azure Database for PostgreSQL servers/Queries/Troubleshooting/Unauthorized connections.txt b/Azure Services/Azure Database for PostgreSQL servers/Queries/Troubleshooting/Unauthorized connections.txt
new file mode 100644
index 00000000..47b1ca59
--- /dev/null
+++ b/Azure Services/Azure Database for PostgreSQL servers/Queries/Troubleshooting/Unauthorized connections.txt
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Unauthorized connections
+// Description: Search for unauthorized (rejected) connection attempts.
+// Categories: ['workloads', 'security']
+// Resource types: ['Azure Database for PostgreSQL servers']
+// Topic: Troubleshooting
+AzureDiagnostics
+| where ResourceProvider =="MICROSOFT.DBFORPOSTGRESQL"
+| where Category == "PostgreSQLLogs"
+| where Message contains "password authentication failed" or Message contains "no pg_hba.conf entry for host"
\ No newline at end of file
diff --git a/Azure Services/Azure Database for PostgreSQL servers/Workbooks/README b/Azure Services/Azure Database for PostgreSQL servers/Workbooks/README
new file mode 100644
index 00000000..7b19c105
--- /dev/null
+++ b/Azure Services/Azure Database for PostgreSQL servers/Workbooks/README
@@ -0,0 +1 @@
+Put workbooks in this folder
\ No newline at end of file
diff --git a/Azure Services/Azure Monitor/Alerts/README b/Azure Services/Azure Monitor/Alerts/README
new file mode 100644
index 00000000..e7cf202f
--- /dev/null
+++ b/Azure Services/Azure Monitor/Alerts/README
@@ -0,0 +1 @@
+Put alerts in this folder
\ No newline at end of file
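Review bot: In the `queryExecutionPrev24h` subquery of the Compare two periods query, `| extend timestamp_new = make_datetime(start_time_t)` sits on the same line as the commented-out `//| where LogicalServerName_s == ...` (the hunk's 31-line count confirms it is one line), so it is commented out too and the very next line `| where timestamp_new >= ago(48h) ...` references a column that does not exist; the current-period block below has the extend on its own line, which is what the baseline needs as well. Split it into `//| where LogicalServerName_s == "your server name" // you can run this query for a specific server` followed by `| extend timestamp_new = make_datetime(start_time_t)`. Separately, `latencyDiff` is current minus previous while `latencyDiffPercent` is previous minus current over previous, so the two columns carry opposite signs for the same regression, and dividing by `prevTimeAvg` may yield null or an infinite value for a baseline average of zero — a `| where prevTimeAvg > 0` guard before the extends would be cheap.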
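Review bot: The Unauthorized connections query is tagged 'security' but returns raw log rows, so a credential-stuffing burst looks the same as a single mistyped password; an aggregation by source and time window is what turns it into a detection. I'd append `| summarize Attempts=count() by bin(TimeGenerated, 5m)` as a minimum, ideally also grouping by the client address once it is parsed out of `Message` with `extract`, and mention in the description that other rejection messages (for example connections for a non-existent role) are not matched. The exact `Message` format is not visible in this hunk, so the extraction pattern needs confirming against real rows.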
diff --git a/Azure Services/Azure Monitor/Queries/Availability/Availability rate.txt b/Azure Services/Azure Monitor/Queries/Availability/Availability rate.txt
new file mode 100644
index 00000000..847898b1
--- /dev/null
+++ b/Azure Services/Azure Monitor/Queries/Availability/Availability rate.txt
@@ -0,0 +1,13 @@
+// Author: Microsoft Azure
+// Display name: Availability rate
+// Description: Calculate the availability rate of each connected computer.
+// Categories: ['monitor']
+// Resource types: ['Azure Monitor']
+// Solutions: ['LogManagement']
+// Topic: Availability
+Heartbeat
+// bin_at is used to set the time grain to 1 hour, starting exactly 24 hours ago
+| summarize heartbeatPerHour = count() by bin_at(TimeGenerated, 1h, ago(24h)), Computer
+| extend availablePerHour = iff(heartbeatPerHour > 0, true, false)
+| summarize totalAvailableHours = countif(availablePerHour == true) by Computer
+| extend availabilityRate = totalAvailableHours*100.0/24
\ No newline at end of file
diff --git a/Azure Services/Azure Monitor/Queries/Availability/Computers availability today.txt b/Azure Services/Azure Monitor/Queries/Availability/Computers availability today.txt
new file mode 100644
index 00000000..225c7162
--- /dev/null
+++ b/Azure Services/Azure Monitor/Queries/Availability/Computers availability today.txt
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Computers availability today
+// Description: Chart the number of computers sending logs, each hour.
+// Categories: ['monitor']
+// Resource types: ['Azure Monitor']
+// Solutions: ['LogManagement']
+// Topic: Availability
+Heartbeat
+| summarize dcount(ComputerIP) by bin(TimeGenerated, 1h)
+| render timechart
\ No newline at end of file
diff --git a/Azure Services/Azure Monitor/Queries/Availability/Last heartbeat of each computer.txt b/Azure Services/Azure Monitor/Queries/Availability/Last heartbeat of each computer.txt
new file mode 100644
index 00000000..1684d9ae
--- /dev/null
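Review bot: The Availability rate query never restricts `TimeGenerated` to the last 24 hours yet divides by 24: `bin_at(TimeGenerated, 1h, ago(24h))` still emits buckets for any older rows inside the caller's time range, so a computer with 48 hours of heartbeats reports `totalAvailableHours` of 48 and an availability of 200%. Add `| where TimeGenerated > ago(24h)` before the first summarize. Note also that `availablePerHour` is always true — a `count()` group never has a zero count — so the extend/countif pair is equivalent to a plain `count()` per Computer; harmless, but a comment or a simplification would stop readers from looking for the case it seems to handle.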
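Review bot: `dcount(ComputerIP)` in the Computers availability today query counts distinct IP addresses, not computers, while the description promises "the number of computers sending logs": hosts behind NAT or with changing addresses are under- or over-counted, and every sibling Availability query in this commit keys on `Computer`. Use `| summarize dcount(Computer) by bin(TimeGenerated, 1h)`. The name says "today" but the query has no time filter, so it charts whatever range the caller selected; `| where TimeGenerated > startofday(now())` or a sentence in the description would make that explicit.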
+++ b/Azure Services/Azure Monitor/Queries/Availability/Last heartbeat of each computer.txt
@@ -0,0 +1,9 @@
+// Author: Microsoft Azure
+// Display name: Last heartbeat of each computer
+// Description: Show the last heartbeat sent by each computer.
+// Categories: ['monitor']
+// Resource types: ['Azure Monitor']
+// Solutions: ['LogManagement']
+// Topic: Availability
+Heartbeat
+| summarize arg_max(TimeGenerated, *) by Computer
\ No newline at end of file
diff --git a/Azure Services/Azure Monitor/Queries/Availability/List heartbeats.txt b/Azure Services/Azure Monitor/Queries/Availability/List heartbeats.txt
new file mode 100644
index 00000000..0268b21f
--- /dev/null
+++ b/Azure Services/Azure Monitor/Queries/Availability/List heartbeats.txt
@@ -0,0 +1,9 @@
+// Author: Microsoft Azure
+// Display name: List heartbeats
+// Description: List all computer heartbeats from the last hour.
+// Categories: ['monitor']
+// Resource types: ['Azure Monitor']
+// Solutions: ['LogManagement']
+// Topic: Availability
+Heartbeat
+| where TimeGenerated > ago(1h)
\ No newline at end of file
diff --git a/Azure Services/Azure Monitor/Queries/Availability/Unavailable computers.txt b/Azure Services/Azure Monitor/Queries/Availability/Unavailable computers.txt
new file mode 100644
index 00000000..d511e791
--- /dev/null
+++ b/Azure Services/Azure Monitor/Queries/Availability/Unavailable computers.txt
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Unavailable computers
+// Description: List all known computers that didn't send a heartbeat in the last 5 hours.
+// Categories: ['monitor']
+// Resource types: ['Azure Monitor']
+// Solutions: ['LogManagement']
+// Topic: Availability
+Heartbeat
+| summarize LastHeartbeat=max(TimeGenerated) by Computer
+| where LastHeartbeat < ago(5h)
\ No newline at end of file
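Review bot: The Unavailable computers query can only report computers that have at least one Heartbeat row inside the caller's selected time range, because `summarize max(TimeGenerated) by Computer` has nothing to group for a host that was silent for the whole range — a machine that went down a week ago drops off the list instead of being flagged, which is the opposite of what the description ("all known computers") suggests. Either add a header comment such as `// only computers with at least one heartbeat inside the query time range are considered` or fix the baseline in the query itself with `| where TimeGenerated > ago(30d)` before the summarize, so the result does not silently depend on the portal's time picker.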
diff --git a/Azure Services/Azure Monitor/Queries/Azure diagnostics/Common categories in Azure diagnostics.txt b/Azure Services/Azure Monitor/Queries/Azure diagnostics/Common categories in Azure diagnostics.txt
new file mode 100644
index 00000000..e305a57b
--- /dev/null
+++ b/Azure Services/Azure Monitor/Queries/Azure diagnostics/Common categories in Azure diagnostics.txt
@@ -0,0 +1,9 @@
+// Author: Microsoft Azure
+// Display name: Common categories in Azure diagnostics
+// Description: Count the number of logs reported per category.
+// Categories: ['resources']
+// Resource types: ['Azure Monitor']
+// Topic: Azure diagnostics
+AzureDiagnostics
+| summarize countLogsPerCategory=count() by Category
+| sort by countLogsPerCategory
\ No newline at end of file
diff --git a/Azure Services/Azure Monitor/Queries/Azure diagnostics/Errors in automation jobs.txt b/Azure Services/Azure Monitor/Queries/Azure diagnostics/Errors in automation jobs.txt
new file mode 100644
index 00000000..16801598
--- /dev/null
+++ b/Azure Services/Azure Monitor/Queries/Azure diagnostics/Errors in automation jobs.txt
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Errors in automation jobs
+// Description: Find logs reporting errors in automation jobs from the last day.
+// Categories: ['resources']
+// Resource types: ['Azure Monitor']
+// Topic: Azure diagnostics
+AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.AUTOMATION"
+| where StreamType_s == "Error"
+| project TimeGenerated, Category, JobId_g, OperationName, RunbookName_s, ResultDescription
\ No newline at end of file
diff --git a/Azure Services/Azure Monitor/Queries/Azure diagnostics/Failed backup jobs.txt b/Azure Services/Azure Monitor/Queries/Azure diagnostics/Failed backup jobs.txt
new file mode 100644
index 00000000..cc7763c7
--- /dev/null
+++ b/Azure Services/Azure Monitor/Queries/Azure diagnostics/Failed backup jobs.txt
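Review bot: The Errors in automation jobs description says "from the last day" but the query has no time filter, so the window is whatever the caller selected; the PostgreSQL queries in this same commit do put `| where TimeGenerated > ago(1d)` in the query when the description promises a window. Add `| where TimeGenerated > ago(1d)` after `AzureDiagnostics`, or drop the phrase from the description.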
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Failed backup jobs
+// Description: Find logs reported failed backup jobs from the last day.
+// Categories: ['resources']
+// Resource types: ['Azure Monitor']
+// Topic: Azure diagnostics
+AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.RECOVERYSERVICES" and Category == "AzureBackupReport"
+| where OperationName == "Job" and JobOperation_s == "Backup" and JobStatus_s == "Failed"
+| project TimeGenerated, JobUniqueId_g, JobStartDateTime_s, JobOperation_s, JobOperationSubType_s, JobStatus_s , JobFailureCode_s, JobDurationInSecs_s , AdHocOrScheduledJob_s
\ No newline at end of file
diff --git a/Azure Services/Azure Monitor/Queries/Azure diagnostics/Latest metrics.txt b/Azure Services/Azure Monitor/Queries/Azure diagnostics/Latest metrics.txt
new file mode 100644
index 00000000..86a497c2
--- /dev/null
+++ b/Azure Services/Azure Monitor/Queries/Azure diagnostics/Latest metrics.txt
@@ -0,0 +1,8 @@
+// Author: Microsoft Azure
+// Display name: Latest metrics
+// Description: Show the latest metrics reports for each reported metric.
+// Categories: ['resources']
+// Resource types: ['Azure Monitor']
+// Topic: Azure diagnostics
+AzureMetrics
+| summarize arg_max(TimeGenerated, UnitName, Total, Count, Maximum, Minimum, Average) by MetricName
\ No newline at end of file
diff --git a/Azure Services/Azure Monitor/Queries/Azure diagnostics/Network security events.txt b/Azure Services/Azure Monitor/Queries/Azure diagnostics/Network security events.txt
new file mode 100644
index 00000000..ad9d1bbc
--- /dev/null
+++ b/Azure Services/Azure Monitor/Queries/Azure diagnostics/Network security events.txt
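Review bot: Same mismatch as the automation-jobs query: the Failed backup jobs description promises "from the last day" but nothing in the hunk bounds `TimeGenerated`, so the result depends entirely on the caller's time picker. Add `| where TimeGenerated > ago(1d)` after `AzureDiagnostics`. The description also reads "Find logs reported failed backup jobs" — presumably "reporting" — which is worth fixing while the header is being touched.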
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Network security events
+// Description: Find Network security events reporting blocked incoming traffic.
+// Categories: ['resources']
+// Resource types: ['Azure Monitor']
+// Topic: Azure diagnostics
+AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.NETWORK"
+| where Category == "NetworkSecurityGroupEvent"
+| where direction_s == "In" and type_s == "block"
\ No newline at end of file
diff --git a/Azure Services/Azure Monitor/Queries/Health/Agent latency spikes Heartbeat table.txt b/Azure Services/Azure Monitor/Queries/Health/Agent latency spikes Heartbeat table.txt
new file mode 100644
index 00000000..c7255896
--- /dev/null
+++ b/Azure Services/Azure Monitor/Queries/Health/Agent latency spikes Heartbeat table.txt
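Review bot: The Network security events query stops at the row filter `direction_s == "In" and type_s == "block"`, which returns every blocked inbound packet event as a flat list; for triage, blocked inbound traffic is only meaningful in aggregate, by source and rule, over time. Consider appending `| summarize Blocked=count() by bin(TimeGenerated, 1h)` as a starting point and noting in the description that the NSG event category must be enabled in the resource's diagnostic settings for any rows to exist; the per-rule and per-source column names are not visible in this hunk, so I have not proposed grouping on them. Both string comparisons are case-sensitive (`==`), so a value such as `Block` would silently not match — verify the casing the category actually emits, or use `=~`.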
@@ -0,0 +1,23 @@
+// Author: Microsoft Azure
+// Display name: Agent latency spikes - Heartbeat table
+// Description: Check for agent latency spikes in the ingestion of Heartbeats in the last 24 hour.
+// Categories: ['monitor']
+// Resource types: ['Azure Monitor']
+// Solutions: ['LogManagement']
+// Topic: Health
+// This query calculates ingestion duration every 10 minutes, and looks for spikes
+let StartTime = ago(24h);
+let EndTime = now();
+let MinRSquare = 0.9; // Tune the sensitivity of the detection sensor. Higher numbers make the detector more sensitive
+Heartbeat
+| where TimeGenerated between (StartTime .. EndTime)
+// calculate ingestion duration in seconds
+| extend AgentLatencySeconds = (_TimeReceived()-TimeGenerated)/1s
+// Create a time series
+| make-series RatioSeries=avg(AgentLatencySeconds) default=0 on TimeGenerated in range(StartTime , EndTime,10m)
+// Apply a 2-line regression to the time series
+| extend (RSquare2, SplitIdx, Variance2, RVariance2, LineFit2) = series_fit_2lines(RatioSeries)
+// Find out if our 2-line is trending up or down
+|extend (Slope, Interception, RSquare, Variance, RVariance, LineFit) = series_fit_line(LineFit2)
+// Check whether the line fit reaches the threshold, and if the spike represents an increase (rather than a decrease)
+| project PatternMatch = iff(RSquare2 > MinRSquare and Slope>0, "Spike detected", "No spike")
\ No newline at end of file
diff --git a/Azure Services/Azure Monitor/Queries/Health/Agent latency spikes by data type.txt b/Azure Services/Azure Monitor/Queries/Health/Agent latency spikes by data type.txt
new file mode 100644
index 00000000..5442ecc6
--- /dev/null
+++ b/Azure Services/Azure Monitor/Queries/Health/Agent latency spikes by data type.txt
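Review bot: The comment on `let MinRSquare = 0.9;` says "Higher numbers make the detector more sensitive", but the decision is `RSquare2 > MinRSquare`, so raising the threshold demands a better two-line fit and yields fewer detections — less sensitive, not more. Change it to `// Minimum R² the two-line fit must reach; lower values make the detector more sensitive`. One thing I cannot confirm from the hunk: `_TimeReceived` is normally referenced as a column rather than called as `_TimeReceived()`, so please verify that the expression on the `extend AgentLatencySeconds` line parses in the target workspace.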
@@ -0,0 +1,22 @@
+// Author: Microsoft Azure
+// Display name: Agent latency spikes - by data type
+// Description: Check for agent latency spikes per data type, in the last 24 hour.
+// Categories: ['monitor']
+// Resource types: ['Azure Monitor']
+// Solutions: ['LogManagement']
+// Topic: Health
+let StartTime = ago(24h);
+let EndTime = now();
+let MinRSquare = 0.8; // Tune the sensitivity of the detection sensor
+union withsource=source_table *
+| where TimeGenerated between (StartTime .. EndTime)
+// calculate ingestion duration in seconds
+| extend AgentLatencySeconds = (_TimeReceived()-TimeGenerated)/1s
+// Create a time series for each source table
+| make-series RatioSeries=avg(AgentLatencySeconds) default=0 on TimeGenerated in range(StartTime, EndTime,10m) by source_table
+// Apply a 2-line regression to the time series
+| extend (RSquare2, SplitIdx, Variance2, RVariance2, LineFit2) = series_fit_2lines(RatioSeries)
+// Find out if our 2-line is trending up or down
+| extend (Slope, Interception, RSquare, Variance, RVariance, LineFit) = series_fit_line(LineFit2)
+// Check whether the line fit reaches the threshold, and if the spike represents an increase (rather than a decrease)
+| project source_table, PatternMatch = iff(RSquare2 > MinRSquare and Slope>0, "Spike detected", "No spike")
\ No newline at end of file
diff --git a/Azure Services/Azure Monitor/Queries/Health/Ingestion latency endtoend spikes Heartbeat table.txt b/Azure Services/Azure Monitor/Queries/Health/Ingestion latency endtoend spikes Heartbeat table.txt
new file mode 100644
index 00000000..bc76b117
--- /dev/null
+++ b/Azure Services/Azure Monitor/Queries/Health/Ingestion latency endtoend spikes Heartbeat table.txt
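Review bot: `union withsource=source_table *` in the by-data-type agent latency query reads every table in the workspace for a full 24 hours, which is expensive on a busy workspace and will also include tables that are not agent-sourced, for which "agent latency" has no meaning and the series is noise. At minimum add `// scans every table in the workspace; narrow the union (e.g. union withsource=source_table Heartbeat, Event) on large workspaces` above the union line. The threshold comment `// Tune the sensitivity of the detection sensor` should also say which direction is more sensitive — lower `MinRSquare`, given the check is `RSquare2 > MinRSquare`.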
@@ -0,0 +1,23 @@
+// Author: Microsoft Azure
+// Display name: Ingestion latency (end-to-end) spikes - Heartbeat table
+// Description: Check for latency spikes in the ingestion of Heartbeats in the last 24 hour.
+// Categories: ['monitor']
+// Resource types: ['Azure Monitor']
+// Solutions: ['LogManagement']
+// Topic: Health
+// This query calculates ingestion duration every 10 minutes, and looks for spikes
+let StartTime = ago(24h);
+let EndTime = now();
+let MinRSquare = 0.9; // Tune the sensitivity of the detection sensor. Higher numbers make the detector more sensitive
+Heartbeat
+| where TimeGenerated between (StartTime .. EndTime)
+// calculate ingestion duration in seconds
+| extend IngestionDurationSeconds = (ingestion_time()-TimeGenerated)/1s
+// Create a time series
+| make-series RatioSeries=avg(IngestionDurationSeconds) default=0 on TimeGenerated in range(StartTime , EndTime,10m)
+// Apply a 2-line regression to the time series
+| extend (RSquare2, SplitIdx, Variance2, RVariance2, LineFit2) = series_fit_2lines(RatioSeries)
+// Find out if our 2-line is trending up or down
+|extend (Slope, Interception, RSquare, Variance, RVariance, LineFit) = series_fit_line(LineFit2)
+// Check whether the line fit reaches the threshold, and if the spike represents an increase (rather than a decrease)
+| project PatternMatch = iff(RSquare2 > MinRSquare and Slope>0, "Spike detected", "No spike")
\ No newline at end of file
diff --git a/Azure Services/Azure Monitor/Queries/Health/Ingestion latency endtoend spikes by data type.txt b/Azure Services/Azure Monitor/Queries/Health/Ingestion latency endtoend spikes by data type.txt
new file mode 100644
index 00000000..c48cb97f
--- /dev/null
+++ b/Azure Services/Azure Monitor/Queries/Health/Ingestion latency endtoend spikes by data type.txt
@@ -0,0 +1,22 @@
+// Author: Microsoft Azure
+// Display name: Ingestion latency (end-to-end) spikes - by data type
+// Description: Check for ingestion latency spikes per data type, in the last 24 hour.
+// Categories: ['monitor']
+// Resource types: ['Azure Monitor']
+// Solutions: ['LogManagement']
+// Topic: Health
+let StartTime = ago(24h);
+let EndTime = now();
+let MinRSquare = 0.8; // Tune the sensitivity of the detection sensor
+union withsource=source_table *
+| where TimeGenerated between (StartTime .. EndTime)
+// calculate ingestion duration in seconds
+| extend IngestionDurationSeconds = (ingestion_time()-TimeGenerated)/1s
+// Create a time series for each source table
+| make-series RatioSeries=avg(IngestionDurationSeconds) default=0 on TimeGenerated in range(StartTime, EndTime,10m) by source_table
+// Apply a 2-line regression to the time series
+| extend (RSquare2, SplitIdx, Variance2, RVariance2, LineFit2) = series_fit_2lines(RatioSeries)
+// Find out if our 2-line is trending up or down
+| extend (Slope, Interception, RSquare, Variance, RVariance, LineFit) = series_fit_line(LineFit2)
+// Check whether the line fit reaches the threshold, and if the spike represents an increase (rather than a decrease)
+| project source_table, PatternMatch = iff(RSquare2 > MinRSquare and Slope>0, "Spike detected", "No spike")
\ No newline at end of file
diff --git a/Azure Services/Azure Monitor/Queries/Health/Ingestion latency endtoend timechart Event table.txt b/Azure Services/Azure Monitor/Queries/Health/Ingestion latency endtoend timechart Event table.txt
new file mode 100644
index 00000000..c57e89a4
--- /dev/null
+++ b/Azure Services/Azure Monitor/Queries/Health/Ingestion latency endtoend timechart Event table.txt
@@ -0,0 +1,11 @@
+// Author: Microsoft Azure
+// Display name: Ingestion latency (end-to-end) timechart - Event table
+// Description: Chart the latency of ingestion to the Event table in the last 1 day.
+// Categories: ['monitor']
+// Resource types: ['Azure Monitor']
+// Solutions: ['LogManagement']
+// Topic: Health
+Event
+| where TimeGenerated > ago(1d)
+| project TimeGenerated, IngestionDurationSeconds = (ingestion_time()-TimeGenerated)/1s
+| render timechart title = "Ingestion latency: Event table"
\ No newline at end of file
diff --git a/Azure Services/Azure Monitor/Queries/Health/Total agent latency timechart last day.txt b/Azure Services/Azure Monitor/Queries/Health/Total agent latency timechart last day.txt
new file mode 100644
index 00000000..6b5caf8a
--- /dev/null
+++ b/Azure Services/Azure Monitor/Queries/Health/Total agent latency timechart last day.txt
@@ -0,0 +1,12 @@
+// Author: Microsoft Azure
+// Display name: Total agent latency timechart, last day
+// Description: Chart the median (50th percentile) agent latency over the last day.
+// Categories: ['monitor']
+// Resource types: ['Azure Monitor']
+// Solutions: ['LogManagement']
+// Topic: Health
+union *
+| where TimeGenerated > ago(1d)
+| extend AgentLatencySeconds = (_TimeReceived()-TimeGenerated)/1s
+| summarize percentile(AgentLatencySeconds, 50) by bin(TimeGenerated,1h)
+| render timechart
\ No newline at end of file
diff --git a/Azure Services/Azure Monitor/Queries/Performance/CPU usage trends over the last day.txt b/Azure Services/Azure Monitor/Queries/Performance/CPU usage trends over the last day.txt
new file mode 100644
index 00000000..1860f03f
--- /dev/null
+++ b/Azure Services/Azure Monitor/Queries/Performance/CPU usage trends over the last day.txt
@@ -0,0 +1,11 @@
+// Author: Microsoft Azure
+// Display name: CPU usage trends over the last day
+// Description: Calculate CPU usage patterns across all computers, chart by percentiles.
+// Categories: ['monitor']
+// Resource types: ['Azure Monitor']
+// Solutions: ['LogManagement']
+// Topic: Performance
+Perf
+| where ObjectName == "Processor" and CounterName == "% Processor Time" and InstanceName == "_Total"
+| summarize percentiles(CounterValue, 50, 90, 99) by bin(TimeGenerated, 1h)
+| render timechart
\ No newline at end of file
diff --git a/Azure Services/Azure Monitor/Queries/Performance/Memory and CPU usage.txt b/Azure Services/Azure Monitor/Queries/Performance/Memory and CPU usage.txt
new file mode 100644
index 00000000..0abe5d42
--- /dev/null
+++ b/Azure Services/Azure Monitor/Queries/Performance/Memory and CPU usage.txt
@@ -0,0 +1,13 @@
+// Author: Microsoft Azure
+// Display name: Memory and CPU usage
+// Description: Chart all computers' used memory and CPU, over the last hour.
+// Categories: ['monitor']
+// Resource types: ['Azure Monitor']
+// Solutions: ['LogManagement']
+// Topic: Performance
+Perf
+| where TimeGenerated > ago(1h)
+| where (CounterName == "% Processor Time" and InstanceName == "_Total") or CounterName == "% Used Memory"
+| project TimeGenerated, CounterName, CounterValue
+| summarize avg(CounterValue) by CounterName, bin(TimeGenerated, 1m)
+| render timechart
\ No newline at end of file
diff --git a/Azure Services/Azure Monitor/Queries/Performance/Top 10 computers with the highest disk space.txt b/Azure Services/Azure Monitor/Queries/Performance/Top 10 computers with the highest disk space.txt
new file mode 100644
index 00000000..62e3c94c
--- /dev/null
+++ b/Azure Services/Azure Monitor/Queries/Performance/Top 10 computers with the highest disk space.txt
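Review bot: "CPU usage trends over the last day" has no `TimeGenerated` filter, so despite its display name it aggregates `Perf` over the workspace's entire retention rather than the last day; add `| where TimeGenerated > ago(1d)` directly after `Perf`, as the sibling "Memory and CPU usage" query does with `ago(1h)`. "Usage by data types" later in this commit has the same mismatch, describing "today" while querying unbounded `Usage`. "Top 10 computers with the highest disk space", "What data is being collected?" and "Volume of solutions' data" are also unbounded; their descriptions promise no window, so either a time filter or a header comment stating that they scan the full retention would make the intent explicit.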
@@ -0,0 +1,11 @@
+// Author: Microsoft Azure
+// Display name: Top 10 computers with the highest disk space
+// Description: Show the top 10 computers with the highest available disk space.
+// Categories: ['monitor']
+// Resource types: ['Azure Monitor']
+// Solutions: ['LogManagement']
+// Topic: Performance
+Perf
+| where CounterName == "Free Megabytes" and InstanceName == "_Total"
+| summarize arg_max(TimeGenerated, *) by Computer
+| top 10 by CounterValue
\ No newline at end of file
diff --git a/Azure Services/Azure Monitor/Queries/Performance/What data is being collected.txt b/Azure Services/Azure Monitor/Queries/Performance/What data is being collected.txt
new file mode 100644
index 00000000..1122df32
--- /dev/null
+++ b/Azure Services/Azure Monitor/Queries/Performance/What data is being collected.txt
@@ -0,0 +1,9 @@
+// Author: Microsoft Azure
+// Display name: What data is being collected?
+// Description: List the collected performance counters and object types (Process, Memory, Processor).
+// Categories: ['monitor']
+// Resource types: ['Azure Monitor']
+// Solutions: ['LogManagement']
+// Topic: Performance
+Perf
+| summarize by ObjectName, CounterName
\ No newline at end of file
diff --git a/Azure Services/Azure Monitor/Queries/README b/Azure Services/Azure Monitor/Queries/README
new file mode 100644
index 00000000..f121024f
--- /dev/null
+++ b/Azure Services/Azure Monitor/Queries/README
@@ -0,0 +1 @@
+Put queries in this folder
\ No newline at end of file
diff --git a/Azure Services/Azure Monitor/Queries/Search through the logs/Run a casesensitive search.txt b/Azure Services/Azure Monitor/Queries/Search through the logs/Run a casesensitive search.txt
new file mode 100644
index 00000000..5b0e465a
--- /dev/null
+++ b/Azure Services/Azure Monitor/Queries/Search through the logs/Run a casesensitive search.txt
@@ -0,0 +1,7 @@
+// Author: Microsoft Azure
+// Display name: Run a case-sensitive search
+// Description: Search the AzureDiagnostics table for logs that contain the term "JIT".
+// Categories: ['resources']
+// Resource types: ['Azure Monitor']
+// Topic: Search through the logs
+search kind=case_sensitive in (AzureDiagnostics) "*JIT*"
\ No newline at end of file
diff --git a/Azure Services/Azure Monitor/Queries/Search through the logs/Search a table for a specific term.txt b/Azure Services/Azure Monitor/Queries/Search through the logs/Search a table for a specific term.txt
new file mode 100644
index 00000000..5f945d2b
--- /dev/null
+++ b/Azure Services/Azure Monitor/Queries/Search through the logs/Search a table for a specific term.txt
@@ -0,0 +1,7 @@
+// Author: Microsoft Azure
+// Display name: Search a table for a specific term
+// Description: Search AzureMetrics table for the term "CPU".
+// Categories: ['resources']
+// Resource types: ['Azure Monitor']
+// Topic: Search through the logs
+search in (AzureMetrics) "CPU"// search is case-insensitive
\ No newline at end of file
diff --git a/Azure Services/Azure Monitor/Queries/Search through the logs/Search a term through all logs.txt b/Azure Services/Azure Monitor/Queries/Search through the logs/Search a term through all logs.txt
new file mode 100644
index 00000000..38d3898e
--- /dev/null
+++ b/Azure Services/Azure Monitor/Queries/Search through the logs/Search a term through all logs.txt
@@ -0,0 +1,8 @@
+// Author: Microsoft Azure
+// Display name: Search a term through all logs
+// Description: Search the term "Network" across all tables.
+// Categories: ['resources']
+// Resource types: ['Azure Monitor']
+// Topic: Search through the logs
+search "Network"// search is case-insensitive
+| where TimeGenerated > ago(30m)
\ No newline at end of file
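Review bot: In "Search a table for a specific term" the trailing comment is glued to the string literal, `search in (AzureMetrics) "CPU"// search is case-insensitive`, which reads as part of the literal at a glance; a space before `//` would match the comment spacing used in the rest of this commit, i.e. `search in (AzureMetrics) "CPU" // search is case-insensitive`. The same glued comment appears in "Search a term through all logs" (`search "Network"// ...`) and in "Show latest logs from all tables" (`| top 500 by TimeGenerated// ...`). The "Search a term through all logs" query also filters on time after the `search`, which is worth a short comment since it mirrors the repo's own advice to scope un-scoped searches.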
diff --git a/Azure Services/Azure Monitor/Queries/Search through the logs/Search in multiple tables.txt b/Azure Services/Azure Monitor/Queries/Search through the logs/Search in multiple tables.txt
new file mode 100644
index 00000000..5a378270
--- /dev/null
+++ b/Azure Services/Azure Monitor/Queries/Search through the logs/Search in multiple tables.txt
@@ -0,0 +1,7 @@
+// Author: Microsoft Azure
+// Display name: Search in multiple tables
+// Description: Search AzureDiagnostics, AzureMetrics and AzureActivity for logs that contain "fail".
+// Categories: ['resources']
+// Resource types: ['Azure Monitor']
+// Topic: Search through the logs
+search in (AzureDiagnostics, AzureMetrics, AzureActivity) "*fail*"
\ No newline at end of file
diff --git a/Azure Services/Azure Monitor/Queries/Search through the logs/Search multiple terms.txt b/Azure Services/Azure Monitor/Queries/Search through the logs/Search multiple terms.txt
new file mode 100644
index 00000000..68e58d1d
--- /dev/null
+++ b/Azure Services/Azure Monitor/Queries/Search through the logs/Search multiple terms.txt
@@ -0,0 +1,8 @@
+// Author: Microsoft Azure
+// Display name: Search multiple terms
+// Description: Search the AzureActivity table for logs that contain "err" or "warn".
+// Categories: ['resources']
+// Resource types: ['Azure Monitor']
+// Topic: Search through the logs
+search in (AzureActivity) "*err*" or "*warn*"
+| where TimeGenerated > ago(1h)
\ No newline at end of file
diff --git a/Azure Services/Azure Monitor/Queries/Search through the logs/Show latest logs from all tables.txt b/Azure Services/Azure Monitor/Queries/Search through the logs/Show latest logs from all tables.txt
new file mode 100644
index 00000000..6963371a
--- /dev/null
+++ b/Azure Services/Azure Monitor/Queries/Search through the logs/Show latest logs from all tables.txt
@@ -0,0 +1,9 @@
+// Author: Microsoft Azure
+// Display name: Show latest logs from all tables
+// Description: Search all logs from all tables, and return the last 500 logs.
+// Categories: ['resources']
+// Resource types: ['Azure Monitor']
+// Topic: Search through the logs
+// returns every column from every table. We recommend you always scope your queries to specific tables or time range. Un-scoped queries may take a while to complete and may return too many results.
+search *
+| top 500 by TimeGenerated// return the latest 500 results
\ No newline at end of file
diff --git a/Azure Services/Azure Monitor/Queries/Usage/Billable performance data.txt b/Azure Services/Azure Monitor/Queries/Usage/Billable performance data.txt
new file mode 100644
index 00000000..cd2af0e7
--- /dev/null
+++ b/Azure Services/Azure Monitor/Queries/Usage/Billable performance data.txt
@@ -0,0 +1,12 @@
+// Author: Microsoft Azure
+// Display name: Billable performance data
+// Description: Calculate the volume of billable data (in GB) for Perf data, over the last day.
+// Categories: ['monitor']
+// Resource types: ['Azure Monitor']
+// Solutions: ['LogManagement']
+// Topic: Usage
+Usage
+| where TimeGenerated > ago(1d)
+| where IsBillable == true
+| where DataType == "Perf"
+| summarize TotalVolumeGB = sum(Quantity) / 1024
\ No newline at end of file
diff --git a/Azure Services/Azure Monitor/Queries/Usage/Ingested volume spikes and slopes by Azure resource.txt b/Azure Services/Azure Monitor/Queries/Usage/Ingested volume spikes and slopes by Azure resource.txt
new file mode 100644
index 00000000..882503a4
--- /dev/null
+++ b/Azure Services/Azure Monitor/Queries/Usage/Ingested volume spikes and slopes by Azure resource.txt
@@ -0,0 +1,22 @@
+// Author: Microsoft Azure
+// Display name: Ingested volume spikes and slopes - by Azure resource
+// Description: List the identified ingestion volume spikes and the slope of each spike (positive is upward spike, negative is downward).
+// Categories: ['monitor']
+// Resource types: ['Azure Monitor']
+// Solutions: ['LogManagement']
+// Topic: Usage
+let StartTime = ago(6h);
+let EndTime = now();
+let MinRSquare = 0.8; // Tune the sensitivity of the detection sensor
+union *
+| where TimeGenerated between (StartTime .. EndTime)
+// Create a time series of data volume by resource id
+| where isempty(_ResourceId) == False
+| make-series RatioSeries=sum(_BilledSize) default=0 on TimeGenerated in range(StartTime, EndTime, 10m) by _ResourceId
+// Apply a 2-line regression to the time series
+| extend (RSquare2, SplitIdx, Variance2, RVariance2, LineFit2) = series_fit_2lines(RatioSeries)
+// Find out if our 2-line is trending up or down
+| extend (Slope, Interception, RSquare, Variance, RVariance, LineFit) = series_fit_line(LineFit2)
+// Check whether the line fit reaches the threshold
+| where RSquare2 > MinRSquare and Slope != 0
+| project _ResourceId, Slope
\ No newline at end of file
diff --git a/Azure Services/Azure Monitor/Queries/Usage/Ingestion volume spikes by Solution and data type.txt b/Azure Services/Azure Monitor/Queries/Usage/Ingestion volume spikes by Solution and data type.txt
new file mode 100644
index 00000000..0ea1c34a
--- /dev/null
+++ b/Azure Services/Azure Monitor/Queries/Usage/Ingestion volume spikes by Solution and data type.txt
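Review bot: `| where isempty(_ResourceId) == False` is the non-idiomatic spelling of the resource-id guard; the direct form `| where isnotempty(_ResourceId)` says the same thing without comparing a boolean to a capitalised literal, and it sits under a comment that describes the following `make-series` step rather than this filter, so the comment should move below it. The `Slope != 0` test on a floating-point fit result will presumably exclude almost nothing, which may be intended since the description reports the slope's sign as the direction; a comment stating that the real gate is the `RSquare2` threshold would avoid readers mistaking it for a meaningful filter. The same `Slope != 0` appears in "Ingestion volume spikes by Solution and data type".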
@@ -0,0 +1,20 @@
+// Author: Microsoft Azure
+// Display name: Ingestion volume spikes - by Solution and data type
+// Description: Check for ingestion volume spikes per Solution and data type, in the last 24 hour.
+// Categories: ['monitor']
+// Resource types: ['Azure Monitor']
+// Solutions: ['LogManagement']
+// Topic: Usage
+let StartTime = ago(24h);
+let EndTime = now();
+let MinRSquare =0.8; // Tune the sensitivity of the detection sensor
+Usage
+| where TimeGenerated between (StartTime .. EndTime)
+// Create a time series of data volume by solution and data type
+| make-series RatioSeries=sum(Quantity/1024) default=0 on TimeGenerated in range(StartTime, EndTime,10m) by Solution, DataType
+// Apply a 2-line regression to the time series
+| extend (RSquare2, SplitIdx, Variance2, RVariance2, LineFit2) = series_fit_2lines(RatioSeries)
+// Find out if our 2-line is trending up or down
+| extend (Slope, Interception, RSquare, Variance, RVariance, LineFit) = series_fit_line(LineFit2)
+// Check whether the line fit reaches the threshold
+| project Solution, DataType, Spike = iff(RSquare2 > MinRSquare and Slope != 0, "Spike detected", "No spike")
\ No newline at end of file
diff --git a/Azure Services/Azure Monitor/Queries/Usage/Total workspace ingestion over the last 24 hours.txt b/Azure Services/Azure Monitor/Queries/Usage/Total workspace ingestion over the last 24 hours.txt
new file mode 100644
index 00000000..795e2a7b
--- /dev/null
+++ b/Azure Services/Azure Monitor/Queries/Usage/Total workspace ingestion over the last 24 hours.txt
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Total workspace ingestion over the last 24 hours
+// Description: Volume (GB) of all data ingested to this workspace, over the last 24 hours.
+// Categories: ['monitor']
+// Resource types: ['Azure Monitor']
+// Solutions: ['LogManagement']
+// Topic: Usage
+Usage
+|where TimeGenerated > ago(24h)
+|summarize TotalIngestionVolGB = sum(Quantity)/1024.0
\ No newline at end of file
diff --git a/Azure Services/Azure Monitor/Queries/Usage/Total workspace ingestion volume timechart last day.txt b/Azure Services/Azure Monitor/Queries/Usage/Total workspace ingestion volume timechart last day.txt
new file mode 100644
index 00000000..92ff3213
--- /dev/null
+++ b/Azure Services/Azure Monitor/Queries/Usage/Total workspace ingestion volume timechart last day.txt
@@ -0,0 +1,11 @@
+// Author: Microsoft Azure
+// Display name: Total workspace ingestion volume timechart, last day
+// Description: Chart the workspace ingestion volume of the last day.
+// Categories: ['monitor']
+// Resource types: ['Azure Monitor']
+// Solutions: ['LogManagement']
+// Topic: Usage
+union *
+| where TimeGenerated > ago(1d)
+| summarize TotalVolumeGB = sum(_BilledSize)/1024/1024/1024 by bin(TimeGenerated,10m)
+| render timechart
\ No newline at end of file
diff --git a/Azure Services/Azure Monitor/Queries/Usage/Usage by data types.txt b/Azure Services/Azure Monitor/Queries/Usage/Usage by data types.txt
new file mode 100644
index 00000000..3e602a43
--- /dev/null
+++ b/Azure Services/Azure Monitor/Queries/Usage/Usage by data types.txt
@@ -0,0 +1,11 @@
+// Author: Microsoft Azure
+// Display name: Usage by data types
+// Description: Chart the amount of logs reported for each data type, today.
+// Categories: ['monitor']
+// Resource types: ['Azure Monitor']
+// Solutions: ['LogManagement']
+// Topic: Usage
+Usage
+| summarize count_per_type=count() by DataType
+| sort by count_per_type desc
+| render piechart
\ No newline at end of file
diff --git a/Azure Services/Azure Monitor/Queries/Usage/Volume of solutions data.txt b/Azure Services/Azure Monitor/Queries/Usage/Volume of solutions data.txt
new file mode 100644
index 00000000..de66d156
--- /dev/null
+++ b/Azure Services/Azure Monitor/Queries/Usage/Volume of solutions data.txt
@@ -0,0 +1,11 @@
+// Author: Microsoft Azure
+// Display name: Volume of solutions' data
+// Description: Chart the volume of data (in Mb) sent by each solution.
+// Categories: ['monitor']
+// Resource types: ['Azure Monitor']
+// Solutions: ['LogManagement']
+// Topic: Usage
+Usage
+| summarize total_MBytes=sum(Quantity) by Solution
+| sort by total_MBytes desc nulls last
+| render barchart
\ No newline at end of file
diff --git a/Azure Services/Azure Monitor/Workbooks/README b/Azure Services/Azure Monitor/Workbooks/README
new file mode 100644
index 00000000..7b19c105
--- /dev/null
+++ b/Azure Services/Azure Monitor/Workbooks/README
@@ -0,0 +1 @@
+Put workbooks in this folder
\ No newline at end of file
diff --git a/Azure Services/Azure Spring Cloud/Alerts/README b/Azure Services/Azure Spring Cloud/Alerts/README
new file mode 100644
index 00000000..e7cf202f
--- /dev/null
+++ b/Azure Services/Azure Spring Cloud/Alerts/README
@@ -0,0 +1 @@
+Put alerts in this folder
\ No newline at end of file
diff --git a/Azure Services/Azure Spring Cloud/Queries/App Logs/Show the application logs which contain the error or exception terms.txt b/Azure Services/Azure Spring Cloud/Queries/App Logs/Show the application logs which contain the error or exception terms.txt
new file mode 100644
index 00000000..fc98d94d
--- /dev/null
+++ b/Azure Services/Azure Spring Cloud/Queries/App Logs/Show the application logs which contain the error or exception terms.txt
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Show the application logs which contain the "error" or "exception" terms
+// Description: Show the application logs which contain the "error" or "exception" terms in the last hour.
+// Categories: ['resources']
+// Resource types: ['Azure Spring Cloud']
+// Topic: App Logs
+AppPlatformLogsforSpring
+| where TimeGenerated > ago(1h)
+| where Log contains "error" or Log contains "exception"
+| project TimeGenerated , ServiceName , AppName , InstanceName , Log , _ResourceId
\ No newline at end of file
diff --git a/Azure Services/Azure Spring Cloud/Queries/App Logs/Show the error and exception number of each application.txt b/Azure Services/Azure Spring Cloud/Queries/App Logs/Show the error and exception number of each application.txt
new file mode 100644
index 00000000..2f518454
--- /dev/null
+++ b/Azure Services/Azure Spring Cloud/Queries/App Logs/Show the error and exception number of each application.txt
@@ -0,0 +1,13 @@
+// Author: Microsoft Azure
+// Display name: Show the error and exception number of each application
+// Description: Show a pie chart of the number of the logs containing the "error" or "exception" terms in the last 24 hours, per application.
+// Categories: ['resources']
+// Resource types: ['Azure Spring Cloud']
+// Topic: App Logs
+AppPlatformLogsforSpring
+| where TimeGenerated > ago(24h)
+| where Log contains "error" or Log contains "exception"
+| extend FullAppName = strcat(ServiceName, "/", AppName)
+| summarize count_per_app = count() by FullAppName, ServiceName, AppName, _ResourceId
+| sort by count_per_app desc
+| render piechart
\ No newline at end of file
diff --git a/Azure Services/Azure Spring Cloud/Queries/README b/Azure Services/Azure Spring Cloud/Queries/README
new file mode 100644
index 00000000..f121024f
--- /dev/null
+++ b/Azure Services/Azure Spring Cloud/Queries/README
@@ -0,0 +1 @@
+Put queries in this folder
\ No newline at end of file
diff --git a/Azure Services/Azure Spring Cloud/Queries/System Logs/Show the config server logs.txt b/Azure Services/Azure Spring Cloud/Queries/System Logs/Show the config server logs.txt
new file mode 100644
index 00000000..2471befb
--- /dev/null
+++ b/Azure Services/Azure Spring Cloud/Queries/System Logs/Show the config server logs.txt
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Show the config server logs
+// Description: Filter the config server logs with the log level.
+// Categories: ['resources']
+// Resource types: ['Azure Spring Cloud']
+// Topic: System Logs
+AppPlatformSystemLogs
+| where TimeGenerated > ago(1h)
+| where LogType == "ConfigServer" and Level in ("WARN", "ERROR")
+| project TimeGenerated , Level , ServiceName , Thread , Stack , Log , _ResourceId
\ No newline at end of file
diff --git a/Azure Services/Azure Spring Cloud/Workbooks/README b/Azure Services/Azure Spring Cloud/Workbooks/README
new file mode 100644
index 00000000..7b19c105
--- /dev/null
+++ b/Azure Services/Azure Spring Cloud/Workbooks/README
@@ -0,0 +1 @@
+Put workbooks in this folder
\ No newline at end of file
diff --git a/Azure Services/Batch accounts/Alerts/README b/Azure Services/Batch accounts/Alerts/README
new file mode 100644
index 00000000..e7cf202f
--- /dev/null
+++ b/Azure Services/Batch accounts/Alerts/README
@@ -0,0 +1 @@
+Put alerts in this folder
\ No newline at end of file
diff --git a/Azure Services/Batch accounts/Queries/Pools/Pool resize failures.txt b/Azure Services/Batch accounts/Queries/Pools/Pool resize failures.txt
new file mode 100644
index 00000000..1f337d22
--- /dev/null
+++ b/Azure Services/Batch accounts/Queries/Pools/Pool resize failures.txt
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Pool resize failures
+// Description: List pool resize failures by error code and time.
+// Categories: ['resources']
+// Resource types: ['Batch accounts']
+// Topic: Pools
+AzureDiagnostics
+| where OperationName=="PoolResizeCompleteEvent"
+| where resultCode_s=="Failure" // Filter only on failed pool resizes
+| summarize by poolName=id_s, resultCode=resultCode_s, resultMessage=resultMessage_s, operationTime=startTime_s
\ No newline at end of file
diff --git a/Azure Services/Batch accounts/Queries/Pools/Pool resizes.txt b/Azure Services/Batch accounts/Queries/Pools/Pool resizes.txt
new file mode 100644
index 00000000..17755b0e
--- /dev/null
+++ b/Azure Services/Batch accounts/Queries/Pools/Pool resizes.txt
@@ -0,0 +1,9 @@
+// Author: Microsoft Azure
+// Display name: Pool resizes
+// Description: List resize times by pool and result code (success or failure).
+// Categories: ['resources']
+// Resource types: ['Batch accounts']
+// Topic: Pools
+AzureDiagnostics
+| where OperationName=="PoolResizeCompleteEvent"
+| summarize operationTimes=make_list(startTime_s) by poolName=id_s, resultCode=resultCode_s
\ No newline at end of file
diff --git a/Azure Services/Batch accounts/Queries/README b/Azure Services/Batch accounts/Queries/README
new file mode 100644
index 00000000..f121024f
--- /dev/null
+++ b/Azure Services/Batch accounts/Queries/README
@@ -0,0 +1 @@
+Put queries in this folder
\ No newline at end of file
diff --git a/Azure Services/Batch accounts/Queries/Tasks/Failed tasks per job.txt b/Azure Services/Batch accounts/Queries/Tasks/Failed tasks per job.txt
new file mode 100644
index 00000000..b74f3575
--- /dev/null
+++ b/Azure Services/Batch accounts/Queries/Tasks/Failed tasks per job.txt
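Review bot: The Batch queries in this commit ("Pool resize failures", "Pool resizes", "Failed tasks per job", "Successful tasks per job", "Task durations") all read `AzureDiagnostics` with no `TimeGenerated` bound and no filter on the resource type or category that produced the row, so they scan the shared diagnostics table over full retention and rely on `OperationName` alone to select Batch events. A short header comment such as `// Scans the whole AzureDiagnostics table; add a TimeGenerated filter (e.g. ago(1d)) and scope to your Batch account when the workspace is shared with other resource types` would set expectations, or the queries could carry `| where TimeGenerated > ago(1d)` as the other services' queries do. I have not checked whether other resource types emit the same `OperationName` values, so treat the scoping point as a caution rather than a confirmed collision.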
@@ -0,0 +1,9 @@
+// Author: Microsoft Azure
+// Display name: Failed tasks per job
+// Description: Lists failed tasks by parent job.
+// Categories: ['resources']
+// Resource types: ['Batch accounts']
+// Topic: Tasks
+AzureDiagnostics
+| where OperationName=="TaskFailEvent"
+| summarize failedTaskList=make_list(id_s) by jobId=jobId_s
\ No newline at end of file
diff --git a/Azure Services/Batch accounts/Queries/Tasks/Successful tasks per job.txt b/Azure Services/Batch accounts/Queries/Tasks/Successful tasks per job.txt
new file mode 100644
index 00000000..550bb86b
--- /dev/null
+++ b/Azure Services/Batch accounts/Queries/Tasks/Successful tasks per job.txt
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Successful tasks per job
+// Description: Provides the number of successful tasks per job.
+// Categories: ['resources']
+// Resource types: ['Batch accounts']
+// Topic: Tasks
+AzureDiagnostics
+| where OperationName=="TaskCompleteEvent"
+| where executionInfo_exitCode_d==0 // Your application may use an exit code other than 0 to denote a successful operation
+| summarize successfulTasks=count(id_s) by jobId=jobId_s
\ No newline at end of file
diff --git a/Azure Services/Batch accounts/Queries/Tasks/Task durations.txt b/Azure Services/Batch accounts/Queries/Tasks/Task durations.txt
new file mode 100644
index 00000000..573b6a98
--- /dev/null
+++ b/Azure Services/Batch accounts/Queries/Tasks/Task durations.txt
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Task durations
+// Description: Gives the elapsed time of tasks in seconds, from task start to task complete.
+// Categories: ['resources']
+// Resource types: ['Batch accounts']
+// Topic: Tasks
+AzureDiagnostics
+| where OperationName=="TaskCompleteEvent"
+| extend taskId=id_s, ElapsedTime=datetime_diff('second', executionInfo_endTime_t, executionInfo_startTime_t) // For longer running tasks, consider changing 'second' to 'minute' or 'hour'
+| summarize taskList=make_list(taskId) by ElapsedTime
\ No newline at end of file
diff --git a/Azure Services/Batch accounts/Workbooks/README b/Azure Services/Batch accounts/Workbooks/README
new file mode 100644
index 00000000..7b19c105
--- /dev/null
+++ b/Azure Services/Batch accounts/Workbooks/README
@@ -0,0 +1 @@
+Put workbooks in this folder
\ No newline at end of file
diff --git a/Azure Services/Container registries/Alerts/README b/Azure Services/Container registries/Alerts/README
new file mode 100644
index 00000000..e7cf202f
--- /dev/null
+++ b/Azure Services/Container registries/Alerts/README
@@ -0,0 +1 @@
+Put alerts in this folder
\ No newline at end of file
diff --git a/Azure Services/Container registries/Queries/App Logs/Show login events reported over the last hour.txt b/Azure Services/Container registries/Queries/App Logs/Show login events reported over the last hour.txt
new file mode 100644
index 00000000..2258683c
--- /dev/null
+++ b/Azure Services/Container registries/Queries/App Logs/Show login events reported over the last hour.txt
@@ -0,0 +1,9 @@
+// Author: Microsoft Azure
+// Display name: Show login events reported over the last hour
+// Description: A list of login event logs, sorted by time (earliest logs shown first).
+// Categories: ['container']
+// Resource types: ['Container registries']
+// Topic: App Logs
+ContainerRegistryLoginEvents
+| where TimeGenerated > ago(1h)
+| sort by TimeGenerated asc
\ No newline at end of file
diff --git a/Azure Services/Container registries/Queries/App Logs/Show registry events reported over the last hour.txt b/Azure Services/Container registries/Queries/App Logs/Show registry events reported over the last hour.txt
new file mode 100644
index 00000000..50bb709f
--- /dev/null
+++ b/Azure Services/Container registries/Queries/App Logs/Show registry events reported over the last hour.txt
@@ -0,0 +1,9 @@
+// Author: Microsoft Azure
+// Display name: Show registry events reported over the last hour
+// Description: A list of registry event logs, sorted by time (earliest logs shown first).
+// Categories: ['container']
+// Resource types: ['Container registries']
+// Topic: App Logs
+ContainerRegistryRepositoryEvents
+| where TimeGenerated > ago(1h)
+| sort by TimeGenerated asc
\ No newline at end of file
diff --git a/Azure Services/Container registries/Queries/README b/Azure Services/Container registries/Queries/README
new file mode 100644
index 00000000..f121024f
--- /dev/null
+++ b/Azure Services/Container registries/Queries/README
@@ -0,0 +1 @@
+Put queries in this folder
\ No newline at end of file
diff --git a/Azure Services/Container registries/Workbooks/README b/Azure Services/Container registries/Workbooks/README
new file mode 100644
index 00000000..7b19c105
--- /dev/null
+++ b/Azure Services/Container registries/Workbooks/README
@@ -0,0 +1 @@
+Put workbooks in this folder
\ No newline at end of file
diff --git a/Azure Services/Cosmos DB/Alerts/README b/Azure Services/Cosmos DB/Alerts/README
new file mode 100644
index 00000000..e7cf202f
--- /dev/null
+++ b/Azure Services/Cosmos DB/Alerts/README
@@ -0,0 +1 @@
+Put alerts in this folder
\ No newline at end of file
diff --git a/Azure Services/Cosmos DB/Queries/Diagnostics/Collections with throttles 429 in past 24 hours.txt b/Azure Services/Cosmos DB/Queries/Diagnostics/Collections with throttles 429 in past 24 hours.txt
new file mode 100644
index 00000000..c8b15ddc
--- /dev/null
+++ b/Azure Services/Cosmos DB/Queries/Diagnostics/Collections with throttles 429 in past 24 hours.txt
@@ -0,0 +1,12 @@
+// Author: Microsoft Azure
+// Display name: Collections with throttles (429) in past 24 hours
+// Description: Identify collections and operations that have received 429 (throttles), which occur when consumed throughput (RU/s) exceeds provisioned throughput.
+// Categories: ['resources']
+// Resource types: ['Cosmos DB']
+// Topic: Diagnostics
+AzureDiagnostics
+| where TimeGenerated >= ago(24hr)
+| where Category == "DataPlaneRequests"
+| where statusCode_s == 429
+| summarize numberOfThrottles = count() by databaseName_s, collectionName_s, requestResourceType_s, _ResourceId, bin(TimeGenerated, 1hr)
+| order by numberOfThrottles
\ No newline at end of file
diff --git a/Azure Services/Cosmos DB/Queries/Diagnostics/Consumed RUs in last 24 hours.txt b/Azure Services/Cosmos DB/Queries/Diagnostics/Consumed RUs in last 24 hours.txt
new file mode 100644
index 00000000..142e6b38
--- /dev/null
+++ b/Azure Services/Cosmos DB/Queries/Diagnostics/Consumed RUs in last 24 hours.txt
@@ -0,0 +1,14 @@
+// Author: Microsoft Azure
+// Display name: Consumed RU/s in last 24 hours
+// Description: Identify consumed RU/s on Cosmos databases and collections.
+// Categories: ['resources']
+// Resource types: ['Cosmos DB']
+// Topic: Diagnostics
+//You can compare the RU/s consumption with your provisioned RU/s to determine if you should scale up or down RU/s based on your workload.
+AzureDiagnostics
+| where TimeGenerated >= ago(24hr)
+| where Category == "DataPlaneRequests"
+//| where collectionName_s == "CollectionToAnalyze" //Replace to target the query to a collection
+| summarize ConsumedRUsPerSecond = sum(todouble(requestCharge_s)) by collectionName_s, _ResourceId, bin(TimeGenerated, 1sec)
+| project TimeGenerated , ConsumedRUsPerSecond , collectionName_s, _ResourceId
+| render timechart
\ No newline at end of file
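Review bot: `| where statusCode_s == 429` compares a column whose `_s` suffix marks it as string against a numeric literal; the other Cosmos queries in this commit treat the `_s` columns as text (`todouble(requestCharge_s)`), so this filter should be `| where statusCode_s == "429"` (or `toint(statusCode_s) == 429`), otherwise it is likely to error or match nothing — please verify against a workspace. `order by numberOfThrottles` sorts descending by default in KQL, which is what the display name implies, so that line is fine as written.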
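Review bot: In "Consumed RU/s in last 24 hours" the `bin(TimeGenerated, 1sec)` over a 24-hour window yields up to 86,400 rows per collection and resource before `render timechart`, which in a busy account is likely to exceed the chart's point limit and the query result cap, and the interesting collections get truncated silently. Either keep the 1-second bin and require the commented-out `collectionName_s` filter to be enabled (say so in the description), or shorten the window; summing per second is the right measure of RU/s, so changing the bin size alone would change the meaning of the value.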
diff --git a/Azure Services/Cosmos DB/Queries/Diagnostics/Top logical partition keys by storage.txt b/Azure Services/Cosmos DB/Queries/Diagnostics/Top logical partition keys by storage.txt
new file mode 100644
index 00000000..ab92c528
--- /dev/null
+++ b/Azure Services/Cosmos DB/Queries/Diagnostics/Top logical partition keys by storage.txt
@@ -0,0 +1,12 @@
+// Author: Microsoft Azure
+// Display name: Top logical partition keys by storage
+// Description: Identify largest logical partition key values. PartitionKeyStatistics will emit data for top logical partition keys by storage.
+// Categories: ['resources']
+// Resource types: ['Cosmos DB']
+// Topic: Diagnostics
+AzureDiagnostics
+| where Category == "PartitionKeyStatistics"
+//| where collectionName_s == "CollectionToAnalyze" //Replace to target the query to a collection
+| summarize arg_max(TimeGenerated, *) by databaseName_s, collectionName_s, partitionKey_s, _ResourceId //Get the latest storage size
+| extend utilizationOf20GBLogicalPartition = sizeKb_d / 20000000 //20GB
+| project TimeGenerated, databaseName_s , collectionName_s , partitionKey_s, sizeKb_d, utilizationOf20GBLogicalPartition, _ResourceId
\ No newline at end of file
diff --git a/Azure Services/Cosmos DB/Queries/Diagnostics/Top operations by consumed Request Units RUs in last 24 hours.txt b/Azure Services/Cosmos DB/Queries/Diagnostics/Top operations by consumed Request Units RUs in last 24 hours.txt
new file mode 100644
index 00000000..df20dfb6
--- /dev/null
+++ b/Azure Services/Cosmos DB/Queries/Diagnostics/Top operations by consumed Request Units RUs in last 24 hours.txt
@@ -0,0 +1,12 @@
+// Author: Microsoft Azure
+// Display name: Top operations by consumed Request Units (RUs) in last 24 hours
+// Description: Identify top operations on Cosmos resources by count and consumed RU per operation.
+// Categories: ['resources']
+// Resource types: ['Cosmos DB']
+// Topic: Diagnostics
+AzureDiagnostics
+| where TimeGenerated >= ago(24h)
+| where Category == "DataPlaneRequests"
+| summarize numberOfOperations = count(), totalConsumedRU = sum(todouble(requestCharge_s)) by databaseName_s, collectionName_s, OperationName, requestResourceType_s, requestResourceId_s, _ResourceId
+| extend averageRUPerOperation = totalConsumedRU / numberOfOperations
+| order by numberOfOperations
\ No newline at end of file
diff --git a/Azure Services/Cosmos DB/Queries/Diagnostics/Top queries by consumed Request Units RUs in last 24 hours.txt b/Azure Services/Cosmos DB/Queries/Diagnostics/Top queries by consumed Request Units RUs in last 24 hours.txt
new file mode 100644
index 00000000..187c7f96
--- /dev/null
+++ b/Azure Services/Cosmos DB/Queries/Diagnostics/Top queries by consumed Request Units RUs in last 24 hours.txt
@@ -0,0 +1,17 @@
+// Author: Microsoft Azure
+// Display name: Top queries by consumed Request Units (RUs) in last 24 hours
+// Description: Identify top queries on Cosmos resources by count and RU charge of each query.
+// Categories: ['resources']
+// Resource types: ['Cosmos DB']
+// Topic: Diagnostics
+let queryRUChargeData = AzureDiagnostics
+| where Category == "DataPlaneRequests"
+| where OperationName == "Query"
+| summarize by requestCharge_s, activityId_g, databaseName_s, collectionName_s, requestResourceType_s, requestResourceId_s, OperationName, TimeGenerated, callerId_s, clientIpAddress_s, userAgent_s;
+AzureDiagnostics
+| where TimeGenerated >= ago(24hr)
+| where Category == "QueryRuntimeStatistics"
+| join queryRUChargeData on $left.activityId_g == $right.activityId_g
+| summarize numberOfTimesRun = count(), totalConsumedRU = sum(todouble(requestCharge_s1)) by databaseName_s, collectionName_s, OperationName1, requestResourceType_s1, requestResourceId_s1, querytext_s, callerId_s1, clientIpAddress_s1, userAgent_s1, _ResourceId, bin(TimeGenerated1, 1min) //bin by 1 minute
+| extend averageRUPerExecution = totalConsumedRU / numberOfTimesRun
+| order by averageRUPerExecution desc
\ No newline at end of file
diff --git a/Azure Services/Cosmos DB/Queries/README b/Azure Services/Cosmos DB/Queries/README
new file mode 100644
index 00000000..f121024f
--- /dev/null
+++ b/Azure Services/Cosmos DB/Queries/README
@@ -0,0 +1 @@
+Put queries in this folder
\ No newline at end of file
diff --git a/Azure Services/Cosmos DB/Workbooks/README b/Azure Services/Cosmos DB/Workbooks/README
new file mode 100644
index 00000000..7b19c105
--- /dev/null
+++ b/Azure Services/Cosmos DB/Workbooks/README
@@ -0,0 +1 @@
+Put workbooks in this folder
\ No newline at end of file
diff --git a/Azure Services/Data Shares/Alerts/README b/Azure Services/Data Shares/Alerts/README
new file mode 100644
index 00000000..e7cf202f
--- /dev/null
+++ b/Azure Services/Data Shares/Alerts/README
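Review bot: The `queryRUChargeData` let-expression carries no time filter, so the right side of the join scans every DataPlaneRequests record in retention even though the left side is bounded to 24 hours; add `| where TimeGenerated >= ago(24hr)` directly after `let queryRUChargeData = AzureDiagnostics` so both sides cover the same window and the join stays cheap. Separately, the output groups on `callerId_s1`, `clientIpAddress_s1` and `userAgent_s1`, i.e. caller identity and client IP per query text, which is exactly what you want for attributing expensive queries but also makes the result set personal data; the description should say so, so that anyone pinning this to a shared dashboard or exporting it handles it accordingly.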
@@ -0,0 +1 @@
+Put alerts in this folder
\ No newline at end of file
diff --git a/Azure Services/Data Shares/Queries/Audit/Chart of daily received snapshots.txt b/Azure Services/Data Shares/Queries/Audit/Chart of daily received snapshots.txt
new file mode 100644
index 00000000..0c88b1c9
--- /dev/null
+++ b/Azure Services/Data Shares/Queries/Audit/Chart of daily received snapshots.txt
@@ -0,0 +1,11 @@
+// Author: Microsoft Azure
+// Display name: Chart of daily received snapshots
+// Description: A time chart of the daily snapshots count, over the past week.
+// Categories: ['audit']
+// Resource types: ['Data Shares']
+// Topic: Audit
+// Failed, In Progress and Succeeded Received Snapshots
+MicrosoftDataShareReceivedSnapshotLog
+| where TimeGenerated > ago(7d)
+| summarize count() by bin(TimeGenerated, 1d), Status , _ResourceId // Aggregating by day //Click "Table" to see resource's name.
+| render timechart
\ No newline at end of file
diff --git a/Azure Services/Data Shares/Queries/Audit/Chart of daily sent snapshots.txt b/Azure Services/Data Shares/Queries/Audit/Chart of daily sent snapshots.txt
new file mode 100644
index 00000000..7abf04e1
--- /dev/null
+++ b/Azure Services/Data Shares/Queries/Audit/Chart of daily sent snapshots.txt
@@ -0,0 +1,11 @@
+// Author: Microsoft Azure
+// Display name: Chart of daily sent snapshots
+// Description: A time chart of recent snapshots count, succeeded VS failed.
+// Categories: ['audit']
+// Resource types: ['Data Shares']
+// Topic: Audit
+//Succeeded VS Failed
+MicrosoftDataShareSentSnapshotLog
+| where TimeGenerated > ago(30d)
+| summarize count() by bin(TimeGenerated, 1d), Status, _ResourceId // Aggregating by day //Click "Table" to see resource's name.
+| render timechart
\ No newline at end of file
diff --git a/Azure Services/Data Shares/Queries/Audit/List sent snapshots by duration.txt b/Azure Services/Data Shares/Queries/Audit/List sent snapshots by duration.txt
new file mode 100644
index 00000000..56ac5a68
--- /dev/null
+++ b/Azure Services/Data Shares/Queries/Audit/List sent snapshots by duration.txt
@@ -0,0 +1,11 @@
+// Author: Microsoft Azure
+// Display name: List sent snapshots by duration
+// Description: A list of the snapshots sorted by duration time over the last 7 days.
+// Categories: ['audit']
+// Resource types: ['Data Shares']
+// Topic: Audit
+MicrosoftDataShareSentSnapshotLog
+| where TimeGenerated > ago(7d)
+| where StartTime != "" and EndTime != ""
+| project StartTime , EndTime , DurationSeconds =(todatetime(EndTime)-todatetime(StartTime))/1s , ResourceName = split(_ResourceId,"/accounts/",1)
+| sort by DurationSeconds desc nulls last
diff --git a/Azure Services/Data Shares/Queries/Errors/Count failed received snapshots.txt b/Azure Services/Data Shares/Queries/Errors/Count failed received snapshots.txt
new file mode 100644
index 00000000..ab807d7d
--- /dev/null
+++ b/Azure Services/Data Shares/Queries/Errors/Count failed received snapshots.txt
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Count failed received snapshots
+// Description: Count of failed snapshots over the last 7 days.
+// Categories: ['audit']
+// Resource types: ['Data Shares']
+// Topic: Errors
+MicrosoftDataShareReceivedSnapshotLog
+| where TimeGenerated > ago(7d)
+| where Status == "Failed"
+| summarize count() by _ResourceId
\ No newline at end of file
diff --git a/Azure Services/Data Shares/Queries/Errors/Count failed sent snapshots.txt b/Azure Services/Data Shares/Queries/Errors/Count failed sent snapshots.txt
new file mode 100644
index 00000000..1147ccf9
--- /dev/null
+++ b/Azure Services/Data Shares/Queries/Errors/Count failed sent snapshots.txt
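Review bot: `| where StartTime != "" and EndTime != ""` only type-checks if both columns are strings; the `todatetime()` calls on the next line suggest they are, but `| where isnotempty(StartTime) and isnotempty(EndTime)` is correct for either column type and is the safer form for a published sample. `split(_ResourceId,"/accounts/",1)` returns a one-element dynamic array rather than a string, so `ResourceName` will render as `["name"]`; `tostring(split(_ResourceId,"/accounts/")[1])` yields the plain name. The received-snapshot variant of this query later in the same commit has the same two lines and should get the same change.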
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Count failed sent snapshots
+// Description: Total count of failed snapshots over the last 7 days.
+// Categories: ['audit']
+// Resource types: ['Data Shares']
+// Topic: Errors
+MicrosoftDataShareSentSnapshotLog
+| where TimeGenerated > ago(7d)
+| where Status == "Failed"
+| summarize count() by _ResourceId
\ No newline at end of file
diff --git a/Azure Services/Data Shares/Queries/Errors/Frequent errors in received snapshots.txt b/Azure Services/Data Shares/Queries/Errors/Frequent errors in received snapshots.txt
new file mode 100644
index 00000000..10db98ca
--- /dev/null
+++ b/Azure Services/Data Shares/Queries/Errors/Frequent errors in received snapshots.txt
@@ -0,0 +1,11 @@
+// Author: Microsoft Azure
+// Display name: Frequent errors in received snapshots
+// Description: Top 10 most frequent errors over the last 7 days.
+// Categories: ['audit']
+// Resource types: ['Data Shares']
+// Topic: Errors
+MicrosoftDataShareReceivedSnapshotLog
+| where TimeGenerated > ago(7d)
+| where Status == "Failed"
+| summarize count() by _ResourceId, DataSetType // Counting failed logs per datasettype
+| top 10 by count_ desc nulls last
\ No newline at end of file
diff --git a/Azure Services/Data Shares/Queries/Errors/Frequent errors in sent snapshots.txt b/Azure Services/Data Shares/Queries/Errors/Frequent errors in sent snapshots.txt
new file mode 100644
index 00000000..7f936151
--- /dev/null
+++ b/Azure Services/Data Shares/Queries/Errors/Frequent errors in sent snapshots.txt
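Review bot: The "Frequent errors in received snapshots" query promises the ten most frequent errors, but it groups on `_ResourceId, DataSetType`, so what it returns is the count of failed snapshots per dataset type and resource, with no error reason at all. If the table exposes an error message or error code column, that column should be added to the `summarize ... by` clause (verify the name against the table schema before publishing); if it does not, the display name and description should be reworded to "failed snapshots by dataset type" so the output is not misread during an incident.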
@@ -0,0 +1,11 @@
+// Author: Microsoft Azure
+// Display name: Frequent errors in sent snapshots
+// Description: List top 10 errors over the last 7 days.
+// Categories: ['audit']
+// Resource types: ['Data Shares']
+// Topic: Errors
+MicrosoftDataShareSentSnapshotLog
+| where TimeGenerated > ago(7d)
+| where Status == "Failed"
+| summarize count() by _ResourceId, DataSetType// Counting failed logs per datasettype
+| top 10 by count_ desc nulls last
\ No newline at end of file
diff --git a/Azure Services/Data Shares/Queries/Performance/List received snapshots by duration.txt b/Azure Services/Data Shares/Queries/Performance/List received snapshots by duration.txt
new file mode 100644
index 00000000..57132e74
--- /dev/null
+++ b/Azure Services/Data Shares/Queries/Performance/List received snapshots by duration.txt
@@ -0,0 +1,11 @@
+// Author: Microsoft Azure
+// Display name: List received snapshots by duration
+// Description: A list of the snapshots sorted by duration time, over the last 7 days.
+// Categories: ['audit']
+// Resource types: ['Data Shares']
+// Topic: Performance
+MicrosoftDataShareReceivedSnapshotLog
+| where TimeGenerated > ago(7d)
+| where StartTime != "" and EndTime != ""
+| project StartTime , EndTime , DurationSeconds =(todatetime(EndTime)-todatetime(StartTime))/1s, ResourceName = split(_ResourceId,"/accounts/",1)// use split to get a part of the _ResourceId
+| sort by DurationSeconds desc nulls last
\ No newline at end of file
diff --git a/Azure Services/Data Shares/Queries/README b/Azure Services/Data Shares/Queries/README
new file mode 100644
index 00000000..f121024f
--- /dev/null
+++ b/Azure Services/Data Shares/Queries/README
@@ -0,0 +1 @@
+Put queries in this folder
\ No newline at end of file
diff --git a/Azure Services/Data Shares/Workbooks/README b/Azure Services/Data Shares/Workbooks/README
new file mode 100644
index 00000000..7b19c105
--- /dev/null
+++ b/Azure Services/Data Shares/Workbooks/README
@@ -0,0 +1 @@
+Put workbooks in this folder
\ No newline at end of file
diff --git a/Azure Services/Event Grid Domains/Alerts/README b/Azure Services/Event Grid Domains/Alerts/README
new file mode 100644
index 00000000..e7cf202f
--- /dev/null
+++ b/Azure Services/Event Grid Domains/Alerts/README
@@ -0,0 +1 @@
+Put alerts in this folder
\ No newline at end of file
diff --git a/Azure Services/Event Grid Domains/Queries/Diagnostics/Delivery failures by domain and error.txt b/Azure Services/Event Grid Domains/Queries/Diagnostics/Delivery failures by domain and error.txt
new file mode 100644
index 00000000..184faba6
--- /dev/null
+++ b/Azure Services/Event Grid Domains/Queries/Diagnostics/Delivery failures by domain and error.txt
@@ -0,0 +1,11 @@
+// Author: Microsoft Azure
+// Display name: Delivery failures by domain and error
+// Description: Delivery failures logs by domain name and error message.
+// Categories: ['resources']
+// Resource types: ['Event Grid Domains']
+// Topic: Diagnostics
+AegDeliveryFailureLogs
+| parse Message with * ", httpStatusCode=" HttpStatusCode "," * "., errorMessage=" ErrorMessage "," *
+| parse _ResourceId with * "/domains/" DomainName
+| project TimeGenerated, _ResourceId, DomainName, TenantId, EventSubscriptionName, OperationName, HttpStatusCode, ErrorMessage
+| summarize by _ResourceId, DomainName, SubResourceName, EventSubscriptionName, ErrorMessage
\ No newline at end of file
diff --git a/Azure Services/Event Grid Domains/Queries/Diagnostics/Publish failures by domain and error.txt b/Azure Services/Event Grid Domains/Queries/Diagnostics/Publish failures by domain and error.txt
new file mode 100644
index 00000000..9ce99601
--- /dev/null
+++ b/Azure Services/Event Grid Domains/Queries/Diagnostics/Publish failures by domain and error.txt
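Review bot: The final `summarize by` in "Delivery failures by domain and error" references `SubResourceName`, but the preceding `project` keeps only `TimeGenerated, _ResourceId, DomainName, TenantId, EventSubscriptionName, OperationName, HttpStatusCode, ErrorMessage`, so the query fails with an unknown-column error before returning anything. Either add `SubResourceName` to the `project` list (if the table has it) or drop it from the `summarize`; the Topics variant of this query in the same commit groups on `_ResourceId, TopicName, ErrorMessage` and has no such column. The parsed `HttpStatusCode` is projected and then discarded by the summarize; grouping on it as well, as the publish-failure queries do, makes the breakdown more useful when triaging a delivery outage.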
@@ -0,0 +1,11 @@
+// Author: Microsoft Azure
+// Display name: Publish failures by domain and error
+// Description: Publish failures logs by domain name and error message.
+// Categories: ['resources']
+// Resource types: ['Event Grid Domains']
+// Topic: Diagnostics
+AegPublishFailureLogs
+| parse Message with * "), httpStatusCode=" HttpStatusCode "," * ", errorMessage=" ErrorMessage
+| parse _ResourceId with * "/domains/" DomainName
+| project TimeGenerated, _ResourceId, DomainName, TenantId, OperationName, HttpStatusCode, ErrorMessage
+| summarize by _ResourceId, DomainName, HttpStatusCode, ErrorMessage
\ No newline at end of file
diff --git a/Azure Services/Event Grid Domains/Queries/README b/Azure Services/Event Grid Domains/Queries/README
new file mode 100644
index 00000000..f121024f
--- /dev/null
+++ b/Azure Services/Event Grid Domains/Queries/README
@@ -0,0 +1 @@
+Put queries in this folder
\ No newline at end of file
diff --git a/Azure Services/Event Grid Domains/Workbooks/README b/Azure Services/Event Grid Domains/Workbooks/README
new file mode 100644
index 00000000..7b19c105
--- /dev/null
+++ b/Azure Services/Event Grid Domains/Workbooks/README
@@ -0,0 +1 @@
+Put workbooks in this folder
\ No newline at end of file
diff --git a/Azure Services/Event Grid Topics/Alerts/README b/Azure Services/Event Grid Topics/Alerts/README
new file mode 100644
index 00000000..e7cf202f
--- /dev/null
+++ b/Azure Services/Event Grid Topics/Alerts/README
@@ -0,0 +1 @@
+Put alerts in this folder
\ No newline at end of file
diff --git a/Azure Services/Event Grid Topics/Queries/Diagnostics/Delivery failures by topic and error.txt b/Azure Services/Event Grid Topics/Queries/Diagnostics/Delivery failures by topic and error.txt
new file mode 100644
index 00000000..55dabfab
--- /dev/null
+++ b/Azure Services/Event Grid Topics/Queries/Diagnostics/Delivery failures by topic and error.txt
@@ -0,0 +1,11 @@
+// Author: Microsoft Azure
+// Display name: Delivery failures by topic and error
+// Description: Delivery failures logs by topic name and error message.
+// Categories: ['resources']
+// Resource types: ['Event Grid Topics']
+// Topic: Diagnostics
+AegDeliveryFailureLogs
+| parse Message with * ", httpStatusCode=" HttpStatusCode "," * "., errorMessage=" ErrorMessage "," *
+| parse _ResourceId with * "/topics/" TopicName
+| project TimeGenerated, _ResourceId, TopicName, TenantId, EventSubscriptionName, OperationName, HttpStatusCode, ErrorMessage
+| summarize by _ResourceId, TopicName, ErrorMessage
\ No newline at end of file
diff --git a/Azure Services/Event Grid Topics/Queries/Diagnostics/Publish failures by topic and error.txt b/Azure Services/Event Grid Topics/Queries/Diagnostics/Publish failures by topic and error.txt
new file mode 100644
index 00000000..abb9e835
--- /dev/null
+++ b/Azure Services/Event Grid Topics/Queries/Diagnostics/Publish failures by topic and error.txt
@@ -0,0 +1,11 @@
+// Author: Microsoft Azure
+// Display name: Publish failures by topic and error
+// Description: Publish failures logs by topic name and error message.
+// Categories: ['resources']
+// Resource types: ['Event Grid Topics']
+// Topic: Diagnostics
+AegPublishFailureLogs
+| parse Message with * "), httpStatusCode=" HttpStatusCode "," * ", errorMessage=" ErrorMessage
+| parse _ResourceId with * "/topics/" TopicName
+| project TimeGenerated, _ResourceId, TopicName, TenantId, OperationName, HttpStatusCode, ErrorMessage
+| summarize by _ResourceId, TopicName, HttpStatusCode, ErrorMessage
\ No newline at end of file
diff --git a/Azure Services/Event Grid Topics/Queries/README b/Azure Services/Event Grid Topics/Queries/README
new file mode 100644
index 00000000..f121024f
--- /dev/null
+++ b/Azure Services/Event Grid Topics/Queries/README
@@ -0,0 +1 @@
+Put queries in this folder
\ No newline at end of file
diff --git a/Azure Services/Event Grid Topics/Workbooks/README b/Azure Services/Event Grid Topics/Workbooks/README
new file mode 100644
index 00000000..7b19c105
--- /dev/null
+++ b/Azure Services/Event Grid Topics/Workbooks/README
@@ -0,0 +1 @@
+Put workbooks in this folder
\ No newline at end of file
diff --git a/Azure Services/Event Hubs/Alerts/README b/Azure Services/Event Hubs/Alerts/README
new file mode 100644
index 00000000..e7cf202f
--- /dev/null
+++ b/Azure Services/Event Hubs/Alerts/README
@@ -0,0 +1 @@
+Put alerts in this folder
\ No newline at end of file
diff --git a/Azure Services/Event Hubs/Queries/Errors/Access to keyvault key not found.txt b/Azure Services/Event Hubs/Queries/Errors/Access to keyvault key not found.txt
new file mode 100644
index 00000000..33947e83
--- /dev/null
+++ b/Azure Services/Event Hubs/Queries/Errors/Access to keyvault key not found.txt
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Access to keyvault - key not found
+// Description: Summarizes the access to keyvault when key is not found.
+// Categories: ['resources']
+// Resource types: ['Event Hubs']
+// Topic: Errors
+AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.EVENTHUB"
+| where Category == "Error" and Operation == "wrapkey"
+| project message
\ No newline at end of file
diff --git a/Azure Services/Event Hubs/Queries/Errors/Duration of Capture failure.txt b/Azure Services/Event Hubs/Queries/Errors/Duration of Capture failure.txt
new file mode 100644
index 00000000..c6223ded
--- /dev/null
+++ b/Azure Services/Event Hubs/Queries/Errors/Duration of Capture failure.txt
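Review bot: The display name and description say "key not found", but the filter `Category == "Error" and Operation == "wrapkey"` matches every failed wrap-key call against Key Vault, including access-denied and transient errors, and the query then projects only `message` with no timestamp or resource, so the output cannot be correlated with a key rotation or a permissions change. If the not-found case is distinguishable from the message text, add a `| where message has "not found"` (confirm the exact wording against real records) and project `TimeGenerated, Resource, message`; otherwise rename the query to "Key Vault wrap-key errors". Whether the diagnostic schema for this provider exposes the column as `Operation` rather than `OperationName` should also be checked, since the AzureDiagnostics queries for the other providers in this commit filter on `OperationName`.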
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Duration of Capture failure
+// Description: Summarizes the duaration of failure on Capture.
+// Categories: ['resources']
+// Resource types: ['Event Hubs']
+// Topic: Errors
+AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.EVENTHUB"
+| where Category == "ArchiveLogs"
+| summarize count() by "failures", "durationInSeconds"
\ No newline at end of file
diff --git a/Azure Services/Event Hubs/Queries/Errors/Errors in the last 7 days.txt b/Azure Services/Event Hubs/Queries/Errors/Errors in the last 7 days.txt
new file mode 100644
index 00000000..c2be91c8
--- /dev/null
+++ b/Azure Services/Event Hubs/Queries/Errors/Errors in the last 7 days.txt
@@ -0,0 +1,11 @@
+// Author: Microsoft Azure
+// Display name: Errors in the last 7 days
+// Description: This lists all the errors for the last 7 days.
+// Categories: ['resources']
+// Resource types: ['Event Hubs']
+// Topic: Errors
+AzureDiagnostics
+| where TimeGenerated > ago(7d)
+| where ResourceProvider =="MICROSOFT.EVENTHUB"
+| where Category == "OperationalLogs"
+| summarize count() by "EventName"
\ No newline at end of file
diff --git a/Azure Services/Event Hubs/Queries/Kafka/Join request for client.txt b/Azure Services/Event Hubs/Queries/Kafka/Join request for client.txt
new file mode 100644
index 00000000..b3644a68
--- /dev/null
+++ b/Azure Services/Event Hubs/Queries/Kafka/Join request for client.txt
@@ -0,0 +1,9 @@
+// Author: Microsoft Azure
+// Display name: Join request for client
+// Description: Summarized the status of join request for client.
+// Categories: ['resources']
+// Resource types: ['Event Hubs']
+// Topic: Kafka
+AzureDiagnostics // Need to turn on the Capture for this
+| where ResourceProvider == "MICROSOFT.EVENTHUB"
+| project "OperationName"
\ No newline at end of file
diff --git a/Azure Services/Event Hubs/Queries/README b/Azure Services/Event Hubs/Queries/README
new file mode 100644
index 00000000..f121024f
--- /dev/null
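Review bot: `| summarize count() by "failures", "durationInSeconds"` groups by two string literals rather than by columns, so the result is always a single row holding the two constants and a total record count, never a per-failure duration breakdown. The intent is presumably the `failures` and `durationInSeconds` properties of the ArchiveLogs record, which AzureDiagnostics would expose with a type suffix (likely `failures_d` and `durationInSeconds_d`; confirm against the workspace schema), so the line should become `| summarize count() by failures_d, durationInSeconds_d` once the names are verified, and a `| where TimeGenerated > ago(7d)` bound like the sibling query uses would keep it cheap. The description also has the typo "duaration".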
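Review bot: In "Errors in the last 7 days", `| summarize count() by "EventName"` groups by the literal string "EventName", so the query returns one row with a total count regardless of the data; it needs to reference the column, i.e. `| summarize count() by EventName_s` (verify the suffixed name in the workspace). Despite the display name, nothing in the query selects errors: it counts every OperationalLogs record for the provider, so either filter on whatever status or level column the schema exposes, or rename the query to "Operational log events in the last 7 days".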
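Review bot: `| project "OperationName"` in "Join request for client" projects the string constant, not the column, so every output row is the same literal and the query tells nothing about Kafka join requests or their status; at minimum it should be `| project OperationName` or, to match the description, `| summarize count() by OperationName` with a preceding `| where OperationName == <join-request operation>` once the exact value has been checked against real records. The comment `// Need to turn on the Capture for this` appears to refer to the Capture/archive feature used by the ArchiveLogs query on this same page rather than to anything Kafka-specific, so it should either be corrected to name the diagnostic category that must be enabled or removed.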
+++ b/Azure Services/Event Hubs/Queries/README
@@ -0,0 +1 @@
+Put queries in this folder
\ No newline at end of file
diff --git a/Azure Services/Event Hubs/Queries/Usage/Operation performed with keyvault.txt b/Azure Services/Event Hubs/Queries/Usage/Operation performed with keyvault.txt
new file mode 100644
index 00000000..c098581e
--- /dev/null
+++ b/Azure Services/Event Hubs/Queries/Usage/Operation performed with keyvault.txt
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Operation performed with keyvault
+// Description: Summarizes the operation performed with keyvault to disable or restore the key.
+// Categories: ['resources']
+// Resource types: ['Event Hubs']
+// Topic: Usage
+AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.EVENTHUB"
+| where Category == "info" and Operation == "disable" or Operation == "restore"
+| project message
\ No newline at end of file
diff --git a/Azure Services/Event Hubs/Workbooks/README b/Azure Services/Event Hubs/Workbooks/README
new file mode 100644
index 00000000..7b19c105
--- /dev/null
+++ b/Azure Services/Event Hubs/Workbooks/README
@@ -0,0 +1 @@
+Put workbooks in this folder
\ No newline at end of file
diff --git a/Azure Services/ExpressRoute circuits/Alerts/README b/Azure Services/ExpressRoute circuits/Alerts/README
new file mode 100644
index 00000000..e7cf202f
--- /dev/null
+++ b/Azure Services/ExpressRoute circuits/Alerts/README
@@ -0,0 +1 @@
+Put alerts in this folder
\ No newline at end of file
diff --git a/Azure Services/ExpressRoute circuits/Queries/Diagnostics/BGP informational messages.txt b/Azure Services/ExpressRoute circuits/Queries/Diagnostics/BGP informational messages.txt
new file mode 100644
index 00000000..50b6fe91
--- /dev/null
+++ b/Azure Services/ExpressRoute circuits/Queries/Diagnostics/BGP informational messages.txt
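Review bot: `| where Category == "info" and Operation == "disable" or Operation == "restore"` parses as `(Category == "info" and Operation == "disable") or Operation == "restore"` because `and` binds tighter than `or` in KQL, so restore operations are matched from any category while disable is restricted to "info"; for a query that serves as the audit trail of customer-managed-key disable/restore on the namespace, this asymmetry will hide or over-report events. Write it as `| where Category == "info" and Operation in ("disable", "restore")`, and project `TimeGenerated` and the resource alongside `message` so each record can be attributed and correlated with the Key Vault side.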
@@ -0,0 +1,9 @@
+// Author: Microsoft Azure
+// Display name: BGP informational messages
+// Description: BGP informational messages by level, resource type and network.
+// Categories: ['network']
+// Resource types: ['ExpressRoute circuits']
+// Topic: Diagnostics
+AzureDiagnostics
+| where Level == "Informational"
+| project TimeGenerated , ResourceId, Level, ResourceType , network_s , path_s
\ No newline at end of file
diff --git a/Azure Services/ExpressRoute circuits/Queries/Diagnostics/BGP route table.txt b/Azure Services/ExpressRoute circuits/Queries/Diagnostics/BGP route table.txt
new file mode 100644
index 00000000..0878485a
--- /dev/null
+++ b/Azure Services/ExpressRoute circuits/Queries/Diagnostics/BGP route table.txt
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: BGP route table
+// Description: BPG route table learned over last 12 hours.
+// Categories: ['network']
+// Resource types: ['ExpressRoute circuits']
+// Topic: Diagnostics
+AzureDiagnostics
+| where TimeGenerated > ago(12h)
+| where ResourceType == "EXPRESSROUTECIRCUITS"
+| project TimeGenerated , ResourceType , network_s , path_s , OperationName
\ No newline at end of file
diff --git a/Azure Services/ExpressRoute circuits/Queries/Diagnostics/ExpressRoute Circuit ArpAvailablility graph.txt b/Azure Services/ExpressRoute circuits/Queries/Diagnostics/ExpressRoute Circuit ArpAvailablility graph.txt
new file mode 100644
index 00000000..5a595077
--- /dev/null
+++ b/Azure Services/ExpressRoute circuits/Queries/Diagnostics/ExpressRoute Circuit ArpAvailablility graph.txt
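Review bot: The only filter in "BGP informational messages" is `Level == "Informational"`, so in a shared workspace the query returns informational rows from every resource provider that writes to AzureDiagnostics, not just ExpressRoute, and it scans the entire retention window. The sibling "BGP route table" query on this line scopes with `| where ResourceType == "EXPRESSROUTECIRCUITS"` and bounds time with `| where TimeGenerated > ago(12h)`; both lines should be added here, before the `project`. The project also uses `ResourceId` while every other query in this commit uses `_ResourceId`; aligning on `_ResourceId` keeps results comparable across the set.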
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: ExpressRoute Circuit ArpAvailablility graph
+// Description: Traffic graph for ArpAvailability (5 minutes).
+// Categories: ['monitor', 'network']
+// Resource types: ['ExpressRoute circuits']
+// Topic: Diagnostics
+AzureMetrics
+| where MetricName == "ArpAvailability"
+| summarize by Average, bin(TimeGenerated, 5m), Resource
+| render timechart
\ No newline at end of file
diff --git a/Azure Services/ExpressRoute circuits/Queries/Diagnostics/ExpressRoute Circuit BGP availability.txt b/Azure Services/ExpressRoute circuits/Queries/Diagnostics/ExpressRoute Circuit BGP availability.txt
new file mode 100644
index 00000000..85a425c4
--- /dev/null
+++ b/Azure Services/ExpressRoute circuits/Queries/Diagnostics/ExpressRoute Circuit BGP availability.txt
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: ExpressRoute Circuit BGP availability
+// Description: Traffic graph for BgpAvailability (5 minutes).
+// Categories: ['monitor', 'network']
+// Resource types: ['ExpressRoute circuits']
+// Topic: Diagnostics
+AzureMetrics
+| where MetricName == "BgpAvailability"
+| summarize by Average, bin(TimeGenerated, 5m), Resource
+| render timechart
\ No newline at end of file
diff --git a/Azure Services/ExpressRoute circuits/Queries/Diagnostics/ExpressRoute Circuit BitsInPerSecond traffic graph.txt b/Azure Services/ExpressRoute circuits/Queries/Diagnostics/ExpressRoute Circuit BitsInPerSecond traffic graph.txt
new file mode 100644
index 00000000..01bc69ae
--- /dev/null
+++ b/Azure Services/ExpressRoute circuits/Queries/Diagnostics/ExpressRoute Circuit BitsInPerSecond traffic graph.txt
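Review bot: `| summarize by Average, bin(TimeGenerated, 5m), Resource` performs no aggregation — `Average` is used as a grouping key, so every distinct value becomes its own row and the time chart plots the raw values as separate points rather than a 5-minute average per circuit. The line should be `| summarize avg(Average) by bin(TimeGenerated, 5m), Resource`; the BgpAvailability query on this line has the identical shape and needs the same change. Neither query bounds time, so the chart covers the whole retention window; a `| where TimeGenerated > ago(1d)` (or whatever window the description intends) is missing, and the display name misspells "ArpAvailability".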
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: ExpressRoute Circuit BitsInPerSecond traffic graph
+// Description: Traffic graph BitsInPerSecond (last one hour).
+// Categories: ['monitor', 'network']
+// Resource types: ['ExpressRoute circuits']
+// Topic: Diagnostics
+AzureMetrics
+| where MetricName == "BitsInPerSecond"
+| summarize by Average, bin(TimeGenerated, 1h), Resource
+| render timechart
\ No newline at end of file
diff --git a/Azure Services/ExpressRoute circuits/Queries/Diagnostics/ExpressRoute Circuit BitsOutPerSecond traffic graph.txt b/Azure Services/ExpressRoute circuits/Queries/Diagnostics/ExpressRoute Circuit BitsOutPerSecond traffic graph.txt
new file mode 100644
index 00000000..c135bba3
--- /dev/null
+++ b/Azure Services/ExpressRoute circuits/Queries/Diagnostics/ExpressRoute Circuit BitsOutPerSecond traffic graph.txt
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: ExpressRoute Circuit BitsOutPerSecond traffic graph
+// Description: Traffic graph BitsOutPerSecond (last one hour).
+// Categories: ['monitor', 'network']
+// Resource types: ['ExpressRoute circuits']
+// Topic: Diagnostics
+AzureMetrics
+| where MetricName == "BitsOutPerSecond"
+| summarize by Average, bin(TimeGenerated, 1h), Resource
+| render timechart
\ No newline at end of file
diff --git a/Azure Services/ExpressRoute circuits/Queries/README b/Azure Services/ExpressRoute circuits/Queries/README
new file mode 100644
index 00000000..f121024f
--- /dev/null
+++ b/Azure Services/ExpressRoute circuits/Queries/README
@@ -0,0 +1 @@
+Put queries in this folder
\ No newline at end of file
diff --git a/Azure Services/ExpressRoute circuits/Workbooks/README b/Azure Services/ExpressRoute circuits/Workbooks/README
new file mode 100644
index 00000000..7b19c105
--- /dev/null
+++ b/Azure Services/ExpressRoute circuits/Workbooks/README
@@ -0,0 +1 @@
+Put workbooks in this folder
\ No newline at end of file
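Review bot: The descriptions say "last one hour" but neither the BitsInPerSecond nor the BitsOutPerSecond hunk restricts TimeGenerated; the `1h` is only the bin width, so the chart covers whatever range the portal time picker selects, with one point per hour. Either add `| where TimeGenerated > ago(1h)` and use a finer bin such as `bin(TimeGenerated, 1m)`, or reword the description. As in the availability hunks, `summarize by Average, ...` de-duplicates rather than averages; a traffic graph needs `| summarize avg(Average) by bin(TimeGenerated, 1h), Resource`.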
diff --git a/Azure Services/Firewalls/Alerts/README b/Azure Services/Firewalls/Alerts/README
new file mode 100644
index 00000000..e7cf202f
--- /dev/null
+++ b/Azure Services/Firewalls/Alerts/README
@@ -0,0 +1 @@
+Put alerts in this folder
\ No newline at end of file
diff --git a/Azure Services/Firewalls/Queries/Firewall Logs/Application rule log data.txt b/Azure Services/Firewalls/Queries/Firewall Logs/Application rule log data.txt
new file mode 100644
index 00000000..7433a81e
--- /dev/null
+++ b/Azure Services/Firewalls/Queries/Firewall Logs/Application rule log data.txt
@@ -0,0 +1,34 @@
+// Author: Microsoft Azure
+// Display name: Application rule log data
+// Description: Parses the application rule log data.
+// Categories: ['network', 'security']
+// Resource types: ['Firewalls']
+// Topic: Firewall Logs
+AzureDiagnostics
+| where Category == "AzureFirewallApplicationRule"
+//using :int makes it easier to pars but later we'll convert to string
+//as we're not interested to do mathematical functions on these fields
+//this first parse statement is valid for all entries as they all start with this format
+| parse msg_s with Protocol " request from " SourceIP ":" SourcePortInt:int " " TempDetails
+//case 1: for records that end with: "was denied. Reason: SNI TLS extension was missing."
+| parse TempDetails with "was " Action1 ". Reason: " Rule1
+//case 2: for records that end with
+//"to ocsp.digicert.com:80. Action: Allow. Rule Collection: RC1. Rule: Rule1"
+//"to v10.vortex-win.data.microsoft.com:443. Action: Deny. No rule matched. Proceeding with default action"
+| parse TempDetails with "to " FQDN ":" TargetPortInt:int ". Action: " Action2 "." *
+//case 2a: for records that end with:
+//"to ocsp.digicert.com:80. Action: Allow. Rule Collection: RC1. Rule: Rule1"
+| parse TempDetails with * ". Rule Collection: " RuleCollection2a ". Rule:" Rule2a
+//case 2b: for records that end with:
+//for records that end with: "to v10.vortex-win.data.microsoft.com:443. Action: Deny. No rule matched. Proceeding with default action"
+| parse TempDetails with * "Deny." RuleCollection2b ". 
Proceeding with" Rule2b
+| extend SourcePort = tostring(SourcePortInt)
+|extend TargetPort = tostring(TargetPortInt)
+//make sure we only have Allowed / Deny in the Action Field
+ | extend Action1 = case(Action1 == "Deny","Deny","Unknown Action")
+| extend Action = case(Action2 == "",Action1,Action2),
+ Rule = case(Rule2a == "",case(Rule1 == "",case(Rule2b == "","N/A", Rule2b),Rule1),Rule2a),
+ RuleCollection = case(RuleCollection2b == "",case(RuleCollection2a == "","No rule matched",RuleCollection2a),RuleCollection2b),
+ FQDN = case(FQDN == "", "N/A", FQDN),
+ TargetPort = case(TargetPort == "", "N/A", TargetPort)
+| project TimeGenerated, msg_s, Protocol, SourceIP, SourcePort, FQDN, TargetPort, Action ,RuleCollection, Rule
\ No newline at end of file
diff --git a/Azure Services/Firewalls/Queries/Firewall Logs/Network rule log data.txt b/Azure Services/Firewalls/Queries/Firewall Logs/Network rule log data.txt
new file mode 100644
index 00000000..f0787a44
--- /dev/null
+++ b/Azure Services/Firewalls/Queries/Firewall Logs/Network rule log data.txt
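Review bot: The example message quoted in the case-1 comment ends with `was denied. Reason: SNI TLS extension was missing.`, so the case-1 parse yields `Action1 == "denied"`, and `case(Action1 == "Deny","Deny","Unknown Action")` then labels every SNI-missing denial as "Unknown Action"; on a firewall log that hides real denies from anyone filtering on `Action == "Deny"`. Compare against the value the log actually emits, e.g. `| extend Action1 = case(Action1 == "Deny" or Action1 == "denied", "Deny", "Unknown Action")`. Separately, `". Rule:" Rule2a` has no trailing space before the captured field, so `Rule2a` will carry a leading space unless wrapped in `trim(" ", ...)`.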
@@ -0,0 +1,38 @@
+// Author: Microsoft Azure
+// Display name: Network rule log data
+// Description: Parses the network rule log data.
+// Categories: ['network', 'security']
+// Resource types: ['Firewalls']
+// Topic: Firewall Logs
+AzureDiagnostics
+| where Category == "AzureFirewallNetworkRule"
+//using :int makes it easier to pars but later we'll convert to string as we're not interested to do mathematical functions on these fields
+//case 1: for records that look like this:
+//TCP request from 10.0.2.4:51990 to 13.69.65.17:443. Action: Deny//Allow
+//UDP request from 10.0.3.4:123 to 51.141.32.51:123. Action: Deny/Allow
+//TCP request from 193.238.46.72:50522 to 40.119.154.83:3389 was DNAT'ed to 10.0.2.4:3389
+| parse msg_s with Protocol " request from " SourceIP ":" SourcePortInt:int " to " TargetIP ":" TargetPortInt:int *
+//case 1a: for regular network rules
+//TCP request from 10.0.2.4:51990 to 13.69.65.17:443. Action: Deny/Allow
+//UDP request from 10.0.3.4:123 to 51.141.32.51:123. Action: Deny/Allow
+| parse msg_s with * ". Action: " Action1a
+//case 1b: for NAT rules
+//TCP request from 193.238.46.72:50522 to 40.119.154.83:3389 was DNAT'ed to 10.0.2.4:3389
+| parse msg_s with * " was " Action1b " to " NatDestination
+//case 2: for ICMP records
+//ICMP request from 10.0.2.4 to 10.0.3.4. Action: Allow
+| parse msg_s with Protocol2 " request from " SourceIP2 " to " TargetIP2 ". 
Action: " Action2
+| extend
+SourcePort = tostring(SourcePortInt),
+TargetPort = tostring(TargetPortInt)
+| extend
+ Action = case(Action1a == "", case(Action1b == "",Action2,Action1b), Action1a),
+ Protocol = case(Protocol == "", Protocol2, Protocol),
+ SourceIP = case(SourceIP == "", SourceIP2, SourceIP),
+ TargetIP = case(TargetIP == "", TargetIP2, TargetIP),
+ //ICMP records don't have port information
+ SourcePort = case(SourcePort == "", "N/A", SourcePort),
+TargetPort = case(TargetPort == "", "N/A", TargetPort),
+ //Regular network rules don't have a DNAT destination
+ NatDestination = case(NatDestination == "", "N/A", NatDestination)
+| project TimeGenerated, msg_s, Protocol, SourceIP,SourcePort,TargetIP,TargetPort,Action, NatDestination
\ No newline at end of file
diff --git a/Azure Services/Firewalls/Queries/Firewall Logs/Threat Intelligence rule log data.txt b/Azure Services/Firewalls/Queries/Firewall Logs/Threat Intelligence rule log data.txt
new file mode 100644
index 00000000..77310bca
--- /dev/null
+++ b/Azure Services/Firewalls/Queries/Firewall Logs/Threat Intelligence rule log data.txt
@@ -0,0 +1,15 @@
+// Author: Microsoft Azure
+// Display name: Threat Intelligence rule log data
+// Description: Parses the Threat Intelligence rule log data.
+// Categories: ['network', 'security']
+// Resource types: ['Firewalls']
+// Topic: Firewall Logs
+AzureDiagnostics
+| where OperationName == "AzureFirewallThreatIntelLog"
+| parse msg_s with Protocol " request from " SourceIP ":" SourcePortInt:int " to " TargetIP ":" TargetPortInt:int *
+| parse msg_s with * ". Action: " Action "." Message
+| parse msg_s with Protocol2 " request from " SourceIP2 " to " TargetIP2 ". Action: " Action2
+| extend SourcePort = tostring(SourcePortInt),TargetPort = tostring(TargetPortInt)
+| extend Protocol = case(Protocol == "", Protocol2, Protocol),SourceIP = case(SourceIP == "", SourceIP2, SourceIP),TargetIP = case(TargetIP == "", TargetIP2, TargetIP),SourcePort = case(SourcePort == "", "N/A", SourcePort),TargetPort = case(TargetPort == "", "N/A", TargetPort)
+| sort by TimeGenerated desc
+| project TimeGenerated, msg_s, Protocol, SourceIP,SourcePort,TargetIP,TargetPort,Action,Message
\ No newline at end of file
diff --git a/Azure Services/Firewalls/Queries/README b/Azure Services/Firewalls/Queries/README
new file mode 100644
index 00000000..f121024f
--- /dev/null
+++ b/Azure Services/Firewalls/Queries/README
@@ -0,0 +1 @@
+Put queries in this folder
\ No newline at end of file
diff --git a/Azure Services/Firewalls/Workbooks/README b/Azure Services/Firewalls/Workbooks/README
new file mode 100644
index 00000000..7b19c105
--- /dev/null
+++ b/Azure Services/Firewalls/Workbooks/README
@@ -0,0 +1 @@
+Put workbooks in this folder
\ No newline at end of file
diff --git a/Azure Services/Front Doors/Alerts/README b/Azure Services/Front Doors/Alerts/README
new file mode 100644
index 00000000..e7cf202f
--- /dev/null
+++ b/Azure Services/Front Doors/Alerts/README
@@ -0,0 +1 @@
+Put alerts in this folder
\ No newline at end of file
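Review bot: The third parse extracts `Action2`, but the following `extend` never merges it into `Action` the way it does for `Protocol2`, `SourceIP2` and `TargetIP2`; since the second parse already takes `Action` from any record containing ". Action: ", either drop the trailing `". Action: " Action2` from that parse or add `Action = case(Action == "", Action2, Action)` if there is a record shape where the second parse does not match. This query also filters on `OperationName` while the two sibling firewall queries filter on `Category`; if that is deliberate because threat-intelligence records share a category with network-rule records, a one-line comment saying so would save the next reader the check.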
diff --git a/Azure Services/Front Doors/Queries/Errors/Request errors by host and path.txt b/Azure Services/Front Doors/Queries/Errors/Request errors by host and path.txt
new file mode 100644
index 00000000..7bf5eb90
--- /dev/null
+++ b/Azure Services/Front Doors/Queries/Errors/Request errors by host and path.txt
@@ -0,0 +1,13 @@
+// Author: Microsoft Azure
+// Display name: Request errors by host and path
+// Description: Count number of requests with error responses by host and path.
+// Categories: ['network']
+// Resource types: ['Front Doors']
+// Topic: Errors
+// Summarize number of requests by host, path, and status codes >= 400
+AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "FrontdoorAccessLog"
+| where toint(httpStatusCode_s) >= 400
+| extend ParsedUrl = parseurl(requestUri_s)
+| summarize RequestCount = count() by Host = tostring(ParsedUrl.Host), Path = tostring(ParsedUrl.Path), StatusCode = httpStatusCode_s
+| order by RequestCount desc
\ No newline at end of file
diff --git a/Azure Services/Front Doors/Queries/Errors/Request errors by user agent.txt b/Azure Services/Front Doors/Queries/Errors/Request errors by user agent.txt
new file mode 100644
index 00000000..3b5c5c6e
--- /dev/null
+++ b/Azure Services/Front Doors/Queries/Errors/Request errors by user agent.txt
@@ -0,0 +1,12 @@
+// Author: Microsoft Azure
+// Display name: Request errors by user agent
+// Description: Count number of requests with error responses by user agent.
+// Categories: ['network']
+// Resource types: ['Front Doors']
+// Topic: Errors
+// Summarize number of requests per user agent and status codes >= 400
+AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "FrontdoorAccessLog"
+| where toint(httpStatusCode_s) >= 400
+| summarize RequestCount = count() by UserAgent = userAgent_s, StatusCode = httpStatusCode_s , Resource
+| order by RequestCount desc
\ No newline at end of file
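Review bot: The host-and-path summarize does not group by `Resource`, so in a workspace with several Front Door profiles the error counts for the same host and path are merged across them, whereas the user-agent hunk next to it groups by `Resource`. Add `, Resource` to the `by` clause for consistency. Note also that `toint(httpStatusCode_s)` yields null for a non-numeric value, which silently drops such rows from the `>= 400` filter; that is acceptable but worth a comment on the line.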
diff --git a/Azure Services/Front Doors/Queries/Firewall Audit/Firewall blocked request count per hour.txt b/Azure Services/Front Doors/Queries/Firewall Audit/Firewall blocked request count per hour.txt
new file mode 100644
index 00000000..49c37e47
--- /dev/null
+++ b/Azure Services/Front Doors/Queries/Firewall Audit/Firewall blocked request count per hour.txt
@@ -0,0 +1,12 @@
+// Author: Microsoft Azure
+// Display name: Firewall blocked request count per hour
+// Description: Count number of firewall blocked requests per hour.
+// Categories: ['network', 'security']
+// Resource types: ['Front Doors']
+// Topic: Firewall Audit
+// Summarize number of firewall blocked requests per hour by policy
+AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "FrontdoorWebApplicationFirewallLog"
+| where action_s == "Block"
+| summarize RequestCount = count() by bin(TimeGenerated, 1h), Policy = policy_s, PolicyMode = policyMode_s, Resource
+| order by RequestCount desc
\ No newline at end of file
diff --git a/Azure Services/Front Doors/Queries/Firewall Audit/Firewall request count by host path rule and action.txt b/Azure Services/Front Doors/Queries/Firewall Audit/Firewall request count by host path rule and action.txt
new file mode 100644
index 00000000..1b969722
--- /dev/null
+++ b/Azure Services/Front Doors/Queries/Firewall Audit/Firewall request count by host path rule and action.txt
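Review bot: The query keeps only `action_s == "Block"` yet groups by `PolicyMode`; if a policy running in detection mode records its matches with an action other than Block (which is presumably why the mode column is there), detection-mode policies will simply show no rows here instead of the blocks they would have produced, and an operator may read that as "nothing attacked us". Either document that this counts prevention-mode blocks only, or widen the filter, e.g. `| where action_s in ("Block", "Log")`, and let `PolicyMode` separate the two. Ordering a per-hour series by `RequestCount` also discards the time order the description implies; `| order by TimeGenerated asc` or `| render timechart` would match it.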
@@ -0,0 +1,12 @@
+// Author: Microsoft Azure
+// Display name: Firewall request count by host, path, rule, and action
+// Description: Count firewall processed requests by host, path, rule, and action taken.
+// Categories: ['network', 'security']
+// Resource types: ['Front Doors']
+// Topic: Firewall Audit
+// Summarize request count by host, path, rule, and action
+AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "FrontdoorWebApplicationFirewallLog"
+| extend ParsedUrl = parseurl(requestUri_s)
+| summarize RequestCount = count() by Host = tostring(ParsedUrl.Host), Path = tostring(ParsedUrl.Path), RuleName = ruleName_s, Action = action_s
+| order by RequestCount desc
\ No newline at end of file
diff --git a/Azure Services/Front Doors/Queries/Firewall Audit/Top 20 blocked clients by IP and rule.txt b/Azure Services/Front Doors/Queries/Firewall Audit/Top 20 blocked clients by IP and rule.txt
new file mode 100644
index 00000000..0e5315e9
--- /dev/null
+++ b/Azure Services/Front Doors/Queries/Firewall Audit/Top 20 blocked clients by IP and rule.txt
@@ -0,0 +1,13 @@
+// Author: Microsoft Azure
+// Display name: Top 20 blocked clients by IP and rule
+// Description: Show top 20 blocked clients by IP and rule name.
+// Categories: ['network', 'security']
+// Resource types: ['Front Doors']
+// Topic: Firewall Audit
+// Summarize top 20 blocked clients by IP and rule
+AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "FrontdoorWebApplicationFirewallLog"
+| where action_s == "Block"
+| summarize RequestCount = count() by ClientIP = clientIP_s, UserAgent = userAgent_s, RuleName = ruleName_s ,Resource
+| top 20 by RequestCount
+| order by RequestCount desc
\ No newline at end of file
diff --git a/Azure Services/Front Doors/Queries/README b/Azure Services/Front Doors/Queries/README
new file mode 100644
index 00000000..f121024f
--- /dev/null
+++ b/Azure Services/Front Doors/Queries/README
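Review bot: Grouping by `UserAgent` in the Top 20 blocked clients hunk splits one client IP across as many rows as distinct User-Agent strings it sends, so an attacker rotating that header (which is entirely client-controlled) is undercounted and can drop out of the top 20 entirely. Group by IP and rule only and collect the agents as a side column: `| summarize RequestCount = count(), UserAgents = make_set(userAgent_s, 10) by ClientIP = clientIP_s, RuleName = ruleName_s, Resource`. `top 20 by RequestCount` already sorts descending, so the trailing `| order by RequestCount desc` is redundant.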
@@ -0,0 +1 @@
+Put queries in this folder
\ No newline at end of file
diff --git a/Azure Services/Front Doors/Queries/Usage and Diagnostics/Forwarded backend requests by routing rule.txt b/Azure Services/Front Doors/Queries/Usage and Diagnostics/Forwarded backend requests by routing rule.txt
new file mode 100644
index 00000000..68ca3e7e
--- /dev/null
+++ b/Azure Services/Front Doors/Queries/Usage and Diagnostics/Forwarded backend requests by routing rule.txt
@@ -0,0 +1,11 @@
+// Author: Microsoft Azure
+// Display name: Forwarded backend requests by routing rule
+// Description: Count number of requests for each routing rule and backend host per minute.
+// Categories: ['network']
+// Resource types: ['Front Doors']
+// Topic: Usage and Diagnostics
+// Summarize number of requests per minute for each routing rule and backend host
+AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "FrontdoorAccessLog"
+| summarize RequestCount = count() by bin(TimeGenerated, 1m), Resource,
+ RoutingRuleName = routingRuleName_s, BackendHostname = backendHostname_s
\ No newline at end of file
diff --git a/Azure Services/Front Doors/Queries/Usage and Diagnostics/Requests per hour.txt b/Azure Services/Front Doors/Queries/Usage and Diagnostics/Requests per hour.txt
new file mode 100644
index 00000000..3ae26274
--- /dev/null
+++ b/Azure Services/Front Doors/Queries/Usage and Diagnostics/Requests per hour.txt
@@ -0,0 +1,11 @@
+// Author: Microsoft Azure
+// Display name: Requests per hour
+// Description: Render line chart showing total requests per hour for each FrontDoor resource.
+// Categories: ['network']
+// Resource types: ['Front Doors']
+// Topic: Usage and Diagnostics
+// Summarize number of requests per hour for each FrontDoor resource
+AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "FrontdoorAccessLog"
+| summarize RequestCount = count() by bin(TimeGenerated, 1h), Resource
+| render timechart
\ No newline at end of file
diff --git a/Azure Services/Front Doors/Queries/Usage and Diagnostics/Top 10 client IPs and http versions.txt b/Azure Services/Front Doors/Queries/Usage and Diagnostics/Top 10 client IPs and http versions.txt
new file mode 100644
index 00000000..4aba3a3f
--- /dev/null
+++ b/Azure Services/Front Doors/Queries/Usage and Diagnostics/Top 10 client IPs and http versions.txt
@@ -0,0 +1,12 @@
+// Author: Microsoft Azure
+// Display name: Top 10 client IPs and http versions
+// Description: Show top 10 client IPs and http versions.
+// Categories: ['network']
+// Resource types: ['Front Doors']
+// Topic: Usage and Diagnostics
+// Summarize top 10 client ips and http versions
+AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "FrontdoorAccessLog"
+| summarize RequestCount = count() by ClientIP = clientIp_s, HttpVersion = httpVersion_s, Resource
+| top 10 by RequestCount
+| order by RequestCount desc
\ No newline at end of file
diff --git a/Azure Services/Front Doors/Workbooks/README b/Azure Services/Front Doors/Workbooks/README
new file mode 100644
index 00000000..7b19c105
--- /dev/null
+++ b/Azure Services/Front Doors/Workbooks/README
@@ -0,0 +1 @@
+Put workbooks in this folder
\ No newline at end of file
diff --git a/Azure Services/IoT Hub/Alerts/README b/Azure Services/IoT Hub/Alerts/README
new file mode 100644
index 00000000..e7cf202f
--- /dev/null
+++ b/Azure Services/IoT Hub/Alerts/README
@@ -0,0 +1 @@
+Put alerts in this folder
\ No newline at end of file
diff --git a/Azure Services/IoT Hub/Queries/Availability/Dead endpoints.txt b/Azure Services/IoT Hub/Queries/Availability/Dead endpoints.txt
new file mode 100644
index 00000000..a72ab8e7
--- /dev/null
+++ b/Azure Services/IoT Hub/Queries/Availability/Dead endpoints.txt
@@ -0,0 +1,13 @@
+// Author: Microsoft Azure
+// Display name: Dead endpoints
+// Description: Identify dead or unhealthy endpoints byt the number times the issue was reported, as well as the reason why.
+// Categories: ['resources']
+// Resource types: ['IoT Hub']
+// Topic: Availability
+AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.DEVICES" and ResourceType == "IOTHUBS"
+| where Category == "Routes" and OperationName in ("endpointDead", "endpointUnhealthy")
+| extend parsed_json = parse_json(properties_s)
+| extend Endpoint = tostring(parsed_json.endpointName), Reason =tostring(parsed_json.details)
+| summarize count() by Endpoint, OperationName, Reason, _ResourceId
+| order by count_ desc
\ No newline at end of file
diff --git a/Azure Services/IoT Hub/Queries/Diagnostics/SDK version of devices.txt b/Azure Services/IoT Hub/Queries/Diagnostics/SDK version of devices.txt
new file mode 100644
index 00000000..b88b0ecc
--- /dev/null
+++ b/Azure Services/IoT Hub/Queries/Diagnostics/SDK version of devices.txt
@@ -0,0 +1,13 @@
+// Author: Microsoft Azure
+// Display name: SDK version of devices
+// Description: List of devices and their SDK versions.
+// Categories: ['resources']
+// Resource types: ['IoT Hub']
+// Topic: Diagnostics
+// this query only works if your device uses device to cloud twin operations
+AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.DEVICES" and ResourceType == "IOTHUBS"
+| where Category == "D2CTwinOperations"
+| extend parsed_json = parse_json(properties_s)
+| extend SDKVersion = tostring(parsed_json.sdkVersion) , DeviceId = tostring(parsed_json.deviceId)
+| distinct DeviceId, SDKVersion, TimeGenerated, _ResourceId
\ No newline at end of file
diff --git a/Azure Services/IoT Hub/Queries/Errors/Connectvity errors.txt b/Azure Services/IoT Hub/Queries/Errors/Connectvity errors.txt
new file mode 100644
index 00000000..a41eb7ce
--- /dev/null
+++ b/Azure Services/IoT Hub/Queries/Errors/Connectvity errors.txt
@@ -0,0 +1,9 @@
+// Author: Microsoft Azure
+// Display name: Connectvity errors
+// Description: Identify device connection errors.
+// Categories: ['resources']
+// Resource types: ['IoT Hub']
+// Topic: Errors
+AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.DEVICES" and ResourceType == "IOTHUBS"
+| where Category == "Connections" and Level == "Error"
\ No newline at end of file
diff --git a/Azure Services/IoT Hub/Queries/Errors/Devices with most throttling errors.txt b/Azure Services/IoT Hub/Queries/Errors/Devices with most throttling errors.txt
new file mode 100644
index 00000000..978e6ed4
--- /dev/null
+++ b/Azure Services/IoT Hub/Queries/Errors/Devices with most throttling errors.txt
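Review bot: `distinct DeviceId, SDKVersion, TimeGenerated, _ResourceId` includes the timestamp, so the result is one row per twin operation rather than the "list of devices and their SDK versions" the description promises, and a chatty device floods the list. Use `| summarize LastSeen = max(TimeGenerated) by DeviceId, SDKVersion, _ResourceId`, or `| summarize arg_max(TimeGenerated, SDKVersion) by DeviceId, _ResourceId` if only the most recently reported version per device is wanted — that is the more useful view when hunting for devices stuck on an old SDK. The following hunk's display name and filename spell "Connectvity".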
@@ -0,0 +1,12 @@
+// Author: Microsoft Azure
+// Display name: Devices with most throttling errors
+// Description: Identify devices that made the most requests resulting in throttling errors.
+// Categories: ['resources']
+// Resource types: ['IoT Hub']
+// Topic: Errors
+AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.DEVICES" and ResourceType == "IOTHUBS"
+| where ResultType == "429001"
+| extend DeviceId = tostring(parse_json(properties_s).deviceId)
+| summarize count() by DeviceId, Category , _ResourceId
+| order by count_ desc
\ No newline at end of file
diff --git a/Azure Services/IoT Hub/Queries/Errors/Error summary.txt b/Azure Services/IoT Hub/Queries/Errors/Error summary.txt
new file mode 100644
index 00000000..1f159941
--- /dev/null
+++ b/Azure Services/IoT Hub/Queries/Errors/Error summary.txt
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Error summary
+// Description: Count of errors across all operations by type.
+// Categories: ['resources']
+// Resource types: ['IoT Hub']
+// Topic: Errors
+AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.DEVICES" and ResourceType == "IOTHUBS"
+| where Level == "Error"
+| summarize count() by ResultType, ResultDescription, Category, _ResourceId
\ No newline at end of file
diff --git a/Azure Services/IoT Hub/Queries/README b/Azure Services/IoT Hub/Queries/README
new file mode 100644
index 00000000..f121024f
--- /dev/null
+++ b/Azure Services/IoT Hub/Queries/README
@@ -0,0 +1 @@
+Put queries in this folder
\ No newline at end of file
diff --git a/Azure Services/IoT Hub/Queries/Usage/Recently connected devices.txt b/Azure Services/IoT Hub/Queries/Usage/Recently connected devices.txt
new file mode 100644
index 00000000..b136dfc2
--- /dev/null
+++ b/Azure Services/IoT Hub/Queries/Usage/Recently connected devices.txt
@@ -0,0 +1,11 @@
+// Author: Microsoft Azure
+// Display name: Recently connected devices
+// Description: List of devices that IoT Hub saw connect in the specified time period.
+// Categories: ['resources']
+// Resource types: ['IoT Hub']
+// Topic: Usage
+AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.DEVICES" and ResourceType == "IOTHUBS"
+| where Category == "Connections" and OperationName == "deviceConnect"
+| extend DeviceId = tostring(parse_json(properties_s).deviceId)
+| summarize max(TimeGenerated) by DeviceId, _ResourceId
\ No newline at end of file
diff --git a/Azure Services/IoT Hub/Workbooks/README b/Azure Services/IoT Hub/Workbooks/README
new file mode 100644
index 00000000..7b19c105
--- /dev/null
+++ b/Azure Services/IoT Hub/Workbooks/README
@@ -0,0 +1 @@
+Put workbooks in this folder
\ No newline at end of file
diff --git a/Azure Services/Key vaults/Alerts/README b/Azure Services/Key vaults/Alerts/README
new file mode 100644
index 00000000..e7cf202f
--- /dev/null
+++ b/Azure Services/Key vaults/Alerts/README
@@ -0,0 +1 @@
+Put alerts in this folder
\ No newline at end of file
diff --git a/Azure Services/Key vaults/Queries/Input data Errors/List all input deserialization errors.txt b/Azure Services/Key vaults/Queries/Input data Errors/List all input deserialization errors.txt
new file mode 100644
index 00000000..c83ca5b6
--- /dev/null
+++ b/Azure Services/Key vaults/Queries/Input data Errors/List all input deserialization errors.txt
@@ -0,0 +1,9 @@
+// Author: Microsoft Azure
+// Display name: List all input deserialization errors
+// Description: Shows errors caused due to malformed events that could not be deserialized by the job.
+// Categories: ['security']
+// Resource types: ['Key vaults']
+// Topic: Input data Errors
+AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.STREAMANALYTICS" and parse_json(properties_s).DataErrorType in ("InputDeserializerError.InvalidData", "InputDeserializerError.TypeConversionError", "InputDeserializerError.MissingColumns", "InputDeserializerError.InvalidHeader", "InputDeserializerError.InvalidCompressionType")
+| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level
\ No newline at end of file
diff --git a/Azure Services/Key vaults/Queries/README b/Azure Services/Key vaults/Queries/README
new file mode 100644
index 00000000..f121024f
--- /dev/null
+++ b/Azure Services/Key vaults/Queries/README
@@ -0,0 +1 @@
+Put queries in this folder
\ No newline at end of file
diff --git a/Azure Services/Key vaults/Queries/Usage and Diagnostics/Are there any failures.txt b/Azure Services/Key vaults/Queries/Usage and Diagnostics/Are there any failures.txt
new file mode 100644
index 00000000..2862eca2
--- /dev/null
+++ b/Azure Services/Key vaults/Queries/Usage and Diagnostics/Are there any failures.txt
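Review bot: This query filters `ResourceProvider == "MICROSOFT.STREAMANALYTICS"` and its description talks about events a job could not deserialize, but its metadata line says `Resource types: ['Key vaults']` and the file sits under the Key vaults folder, so it will be offered to Key Vault users and never return vault data. Move it to a Stream Analytics folder and change the resource-type line to match, or drop it from this commit. The `['security']` category tag also looks inherited from the Key Vault siblings rather than chosen for a deserialization-error query.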
@@ -0,0 +1,13 @@
+// Author: Microsoft Azure
+// Display name: Are there any failures?
+// Description: Count of failed KeyVault requests by status code.
+// Categories: ['security']
+// Resource types: ['Key vaults']
+// Topic: Usage and Diagnostics
+AzureDiagnostics
+| where ResourceProvider =="MICROSOFT.KEYVAULT"
+| where httpStatusCode_d >= 300 and not(OperationName == "Authentication" and httpStatusCode_d == 401)
+| summarize count() by requestUri_s, ResultSignature
+// ResultSignature contains HTTP status, e.g. "OK" or "Forbidden"
+// httpStatusCode_d contains HTTP status code returned by the request (e.g. 200, 300 or 401)
+// requestUri_s contains the URI of the request
\ No newline at end of file
diff --git a/Azure Services/Key vaults/Queries/Usage and Diagnostics/Are there any slow requests.txt b/Azure Services/Key vaults/Queries/Usage and Diagnostics/Are there any slow requests.txt
new file mode 100644
index 00000000..1b9bd2c6
--- /dev/null
+++ b/Azure Services/Key vaults/Queries/Usage and Diagnostics/Are there any slow requests.txt
@@ -0,0 +1,11 @@
+// Author: Microsoft Azure
+// Display name: Are there any slow requests?
+// Description: List of KeyVault requests that took longer than 1sec.
+// Categories: ['security']
+// Resource types: ['Key vaults']
+// Topic: Usage and Diagnostics
+let threshold=1000; // let operator defines a constant that can be further used in the query
+AzureDiagnostics
+| where ResourceProvider =="MICROSOFT.KEYVAULT"
+| where DurationMs > threshold
+| summarize count() by OperationName
\ No newline at end of file
diff --git a/Azure Services/Key vaults/Queries/Usage and Diagnostics/How active has this KeyVault been.txt b/Azure Services/Key vaults/Queries/Usage and Diagnostics/How active has this KeyVault been.txt
new file mode 100644
index 00000000..375e9331
--- /dev/null
+++ b/Azure Services/Key vaults/Queries/Usage and Diagnostics/How active has this KeyVault been.txt
@@ -0,0 +1,12 @@
+// Author: Microsoft Azure
+// Display name: How active has this KeyVault been?
+// Description: Line chart showing trend of KeyVault requests volume, per operation over time.
+// Categories: ['security']
+// Resource types: ['Key vaults']
+// Topic: Usage and Diagnostics
+// KeyVault diagnostic currently stores logs in AzureDiagnostics table which stores logs for multiple services.
+// Filter on ResourceProvider for logs specific to a service.
+AzureDiagnostics
+| where ResourceProvider =="MICROSOFT.KEYVAULT"
+| summarize count() by bin(TimeGenerated, 1h), OperationName // Aggregate by hour
+| render timechart
\ No newline at end of file
diff --git a/Azure Services/Key vaults/Queries/Usage and Diagnostics/How fast is this KeyVault serving requests.txt b/Azure Services/Key vaults/Queries/Usage and Diagnostics/How fast is this KeyVault serving requests.txt
new file mode 100644
index 00000000..b227ea27
--- /dev/null
+++ b/Azure Services/Key vaults/Queries/Usage and Diagnostics/How fast is this KeyVault serving requests.txt
@@ -0,0 +1,13 @@
+// Author: Microsoft Azure
+// Display name: How fast is this KeyVault serving requests?
+// Description: Line chart showing trend of request duration over time using different aggregations.
+// Categories: ['security']
+// Resource types: ['Key vaults']
+// Topic: Usage and Diagnostics
+AzureDiagnostics
+| where ResourceProvider =="MICROSOFT.KEYVAULT"
+| where httpStatusCode_d >= 300 and not(OperationName == "Authentication" and httpStatusCode_d == 401)
+| summarize count() by requestUri_s, ResultSignature
+// ResultSignature contains HTTP status such as "OK" or "Forbidden".
+// httpStatusCode_d contains HTTP status code returned by the request such as 200 or 401.
+// requestUri_s contains the URI of the request.
\ No newline at end of file
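Review bot: The "How fast is this KeyVault serving requests?" hunk promises a line chart of request duration, but its body is a copy of the "Are there any failures?" query (status >= 300 summarized by `requestUri_s` and `ResultSignature`); `DurationMs` is never read and nothing is rendered, so the file does not do what its name says. Replace the `where`/`summarize` pair with `| summarize avg(DurationMs), percentiles(DurationMs, 50, 95, 99) by bin(TimeGenerated, 1h)` followed by `| render timechart`, and swap the trailing column comments for one describing `DurationMs`. The "Are there any slow requests?" hunk above shows `DurationMs` is the right column.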
diff --git a/Azure Services/Key vaults/Queries/Usage and Diagnostics/What changes occurred last month.txt b/Azure Services/Key vaults/Queries/Usage and Diagnostics/What changes occurred last month.txt
new file mode 100644
index 00000000..8392f42f
--- /dev/null
+++ b/Azure Services/Key vaults/Queries/Usage and Diagnostics/What changes occurred last month.txt
@@ -0,0 +1,13 @@
+// Author: Microsoft Azure
+// Display name: What changes occurred last month?
+// Description: Lists all update and patch requests from the last 30 days.
+// Categories: ['security']
+// Resource types: ['Key vaults']
+// Topic: Usage and Diagnostics
+// KeyVault diagnostic currently stores logs in AzureDiagnostics table which stores logs for multiple services.
+// Filter on ResourceProvider for logs specific to a service.
+AzureDiagnostics
+| where TimeGenerated > ago(30d) // Time range specified in the query. Overrides time picker in portal.
+| where ResourceProvider =="MICROSOFT.KEYVAULT"
+| where OperationName == "VaultPut" or OperationName == "VaultPatch"
+| sort by TimeGenerated desc
\ No newline at end of file
diff --git a/Azure Services/Key vaults/Queries/Usage and Diagnostics/Who is calling this KeyVault.txt b/Azure Services/Key vaults/Queries/Usage and Diagnostics/Who is calling this KeyVault.txt
new file mode 100644
index 00000000..993c25f3
--- /dev/null
+++ b/Azure Services/Key vaults/Queries/Usage and Diagnostics/Who is calling this KeyVault.txt
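Review bot: The filter `OperationName == "VaultPut" or OperationName == "VaultPatch"` captures only vault-level updates, which is a useful security signal on its own, but the description says "all update and patch requests"; if writes to secrets, keys and certificates are meant as well, the object-level write operation names need adding, otherwise the description should say vault configuration changes. The query also projects nothing and does not filter on outcome, so a reviewer has to dig through every column to find the actor and whether the change succeeded; `| project TimeGenerated, OperationName, CallerIPAddress, ResultSignature, Resource` (plus the identity claim columns if this workspace has them) would make it usable for an audit.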
@@ -0,0 +1,11 @@
+// Author: Microsoft Azure
+// Display name: Who is calling this KeyVault?
+// Description: List of callers identified by their IP address with their request count.
+// Categories: ['security']
+// Resource types: ['Key vaults']
+// Topic: Usage and Diagnostics
+// KeyVault diagnostic currently stores logs in AzureDiagnostics table which stores logs for multiple services.
+// Filter on ResourceProvider for logs specific to a service.
+AzureDiagnostics
+| where ResourceProvider =="MICROSOFT.KEYVAULT"
+| summarize count() by CallerIPAddress
\ No newline at end of file
diff --git a/Azure Services/Key vaults/Workbooks/README b/Azure Services/Key vaults/Workbooks/README
new file mode 100644
index 00000000..7b19c105
--- /dev/null
+++ b/Azure Services/Key vaults/Workbooks/README
@@ -0,0 +1 @@
+Put workbooks in this folder
\ No newline at end of file
diff --git a/Azure Services/Kubernetes services/Alerts/README b/Azure Services/Kubernetes services/Alerts/README
new file mode 100644
index 00000000..e7cf202f
--- /dev/null
+++ b/Azure Services/Kubernetes services/Alerts/README
@@ -0,0 +1 @@
+Put alerts in this folder
\ No newline at end of file
diff --git a/Azure Services/Kubernetes services/Queries/Audit/Container Lifecycle Information.txt b/Azure Services/Kubernetes services/Queries/Audit/Container Lifecycle Information.txt
new file mode 100644
index 00000000..d2ceb5eb
--- /dev/null
+++ b/Azure Services/Kubernetes services/Queries/Audit/Container Lifecycle Information.txt
@@ -0,0 +1,9 @@
+// Author: Microsoft Azure
+// Display name: Container Lifecycle Information
+// Description: List all of a container's lifecycle information.
+// Categories: ['container', 'resources']
+// Resource types: ['Kubernetes services']
+// Topic: Audit
+ContainerInventory
+| project Computer, Name, Image, ImageTag, ContainerState, CreatedTime, StartedTime, FinishedTime
+| top 200 by FinishedTime desc
\ No newline at end of file
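Review bot: `summarize count() by CallerIPAddress` reduces the "who" to a source address, which cannot separate callers that share an egress point or arrive via an Azure service, and it says nothing about what they did or whether they succeeded, which is what someone triaging this view needs next. Adding the operation and outcome to the grouping is a one-line change and keeps the display name honest: `| summarize count() by CallerIPAddress, OperationName, ResultSignature` (`ResultSignature` is the same column the failing-requests query two hunks earlier uses). If the Key Vault diagnostic rows also expose the caller's identity claims, grouping on that column as well would be the more useful audit key; the description should then mention the breakdown.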
diff --git a/Azure Services/Kubernetes services/Queries/Availability/List all the pods count with phase.txt b/Azure Services/Kubernetes services/Queries/Availability/List all the pods count with phase.txt
new file mode 100644
index 00000000..f5d10f01
--- /dev/null
+++ b/Azure Services/Kubernetes services/Queries/Availability/List all the pods count with phase.txt
@@ -0,0 +1,36 @@
+// Author: Microsoft Azure
+// Display name: List all the pods count with phase
+// Description: View pod phase counts based on all phases: Failed, Pending, Unknown, Running, or Succeeded.
+// Categories: ['container']
+// Resource types: ['Kubernetes services']
+// Solutions: ['ContainerInsights']
+// Topic: Availability
+//Customize endDateTime, startDateTime to select different time range
+ let endDateTime = now();
+ let startDateTime = ago(1h);
+ let trendBinSize = 1m;
+ KubePodInventory
+ | where TimeGenerated < endDateTime
+ | where TimeGenerated >= startDateTime
+ | distinct ClusterName, TimeGenerated
+ | summarize ClusterSnapshotCount = count() by bin(TimeGenerated, trendBinSize), ClusterName
+ | join hint.strategy=broadcast (
+ KubePodInventory
+ | where TimeGenerated < endDateTime
+ | where TimeGenerated >= startDateTime
+ | distinct ClusterName, Computer, PodUid, TimeGenerated, PodStatus
+ | summarize TotalCount = count(), //Calculating count for per pod status
+ PendingCount = sumif(1, PodStatus =~ 'Pending'),
+ RunningCount = sumif(1, PodStatus =~ 'Running'),
+ SucceededCount = sumif(1, PodStatus =~ 'Succeeded'),
+ FailedCount = sumif(1, PodStatus =~ 'Failed')
+ by ClusterName, bin(TimeGenerated, trendBinSize)
+ ) on ClusterName, TimeGenerated
+ | extend UnknownCount = TotalCount - PendingCount - RunningCount - SucceededCount - FailedCount
+ | project TimeGenerated,
+ TotalCount = todouble(TotalCount) / ClusterSnapshotCount,
+ PendingCount = todouble(PendingCount) / ClusterSnapshotCount,
+ RunningCount = todouble(RunningCount) / ClusterSnapshotCount,
+ SucceededCount = todouble(SucceededCount) / ClusterSnapshotCount,
+ FailedCount = todouble(FailedCount) / ClusterSnapshotCount,
+ UnknownCount = todouble(UnknownCount) / ClusterSnapshotCount
\ No newline at end of file
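Review bot: The closing `| project` drops `ClusterName`, so in a workspace where several clusters report, rows from different clusters land in the same series with nothing to tell them apart, even though the whole query is computed per cluster; the sibling `Readiness status per Node` query keeps `ClusterName` in its projection. The fix is one token: `| project TimeGenerated, ClusterName,`. Separately, every query line in this hunk carries a stray leading space (` let endDateTime = now();`, ` KubePodInventory`, …) that no other query in the commit has; stripping it keeps the files consistent and copy-paste friendly.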
diff --git a/Azure Services/Kubernetes services/Queries/Availability/Readiness status per Node.txt b/Azure Services/Kubernetes services/Queries/Availability/Readiness status per Node.txt
new file mode 100644
index 00000000..cbba942f
--- /dev/null
+++ b/Azure Services/Kubernetes services/Queries/Availability/Readiness status per Node.txt
@@ -0,0 +1,28 @@
+// Author: Microsoft Azure
+// Display name: Readiness status per Node
+// Description: For all your cluster view count of all the nodes by readiness.
+// Categories: ['container']
+// Resource types: ['Kubernetes services']
+// Solutions: ['ContainerInsights']
+// Topic: Availability
+//Customize startDateTime, endDateTime to select custom time range
+let endDateTime = now();
+let startDateTime = ago(1h);
+let trendBinSize = 1m;
+KubeNodeInventory
+| where TimeGenerated < endDateTime
+| where TimeGenerated >= startDateTime
+| distinct ClusterName, Computer, TimeGenerated
+| summarize ClusterSnapshotCount = count() by bin(TimeGenerated, trendBinSize), ClusterName, Computer
+| join hint.strategy=broadcast kind=inner (
+ KubeNodeInventory //this calculating ready node count.
+ | where TimeGenerated < endDateTime
+ | where TimeGenerated >= startDateTime
+ | summarize TotalCount = count(), ReadyCount = sumif(1, Status contains ('Ready'))
+ by ClusterName, Computer, bin(TimeGenerated, trendBinSize) //calculating NotReadyCount
+ | extend NotReadyCount = TotalCount - ReadyCount
+) on ClusterName, Computer, TimeGenerated
+ //projecting all the fields
+| project TimeGenerated, ClusterName, Computer, ReadyCount = todouble(ReadyCount) / ClusterSnapshotCount,
+ NotReadyCount = todouble(NotReadyCount) / ClusterSnapshotCount
+| order by ClusterName asc, Computer asc, TimeGenerated desc
\ No newline at end of file
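Review bot: `ReadyCount = sumif(1, Status contains ('Ready'))` is a substring test, so if `Status` ever holds a value such as `NotReady` (the usual complement of `Ready` for a node) that row is counted as ready and `NotReadyCount` stays at zero — the opposite of what this availability query exists to surface. An exact comparison avoids it: `| summarize TotalCount = count(), ReadyCount = sumif(1, Status == 'Ready')`; if the column can carry extra qualifiers, `Status has 'Ready'` (whole-term match) is the safer middle ground. Please confirm against the real `KubeNodeInventory.Status` values before merging, and state the chosen semantics in the `//this calculating ready node count.` comment.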
diff --git a/Azure Services/Kubernetes services/Queries/Container Logs/List container logs per namespace.txt b/Azure Services/Kubernetes services/Queries/Container Logs/List container logs per namespace.txt
new file mode 100644
index 00000000..97cd1605
--- /dev/null
+++ b/Azure Services/Kubernetes services/Queries/Container Logs/List container logs per namespace.txt
@@ -0,0 +1,11 @@
+// Author: Microsoft Azure
+// Display name: List container logs per namespace
+// Description: View container logs from all the namespaces in the cluster.
+// Categories: ['container']
+// Resource types: ['Kubernetes services']
+// Topic: Container Logs
+ContainerLog
+|join(KubePodInventory| where TimeGenerated > startofday(ago(1h)))//KubePodInventory Contains namespace information
+on ContainerID
+|where TimeGenerated > startofday(ago(1h))
+| project TimeGenerated ,Namespace , LogEntrySource , LogEntry
\ No newline at end of file
diff --git a/Azure Services/Kubernetes services/Queries/Costing/Billable Log Data by logtype.txt b/Azure Services/Kubernetes services/Queries/Costing/Billable Log Data by logtype.txt
new file mode 100644
index 00000000..73d934f8
--- /dev/null
+++ b/Azure Services/Kubernetes services/Queries/Costing/Billable Log Data by logtype.txt
@@ -0,0 +1,13 @@
+// Author: Microsoft Azure
+// Display name: Billable Log Data by log-type
+// Description: See container logs billable data for the last 7d ,segregated by log-type.
+// Categories: ['container', 'resources']
+// Resource types: ['Kubernetes services']
+// Topic: Costing
+// Set the requested time, anytime greater than 15d can take longer
+let billableTimeView = 7d;
+//Join ContainerLog on KubePodInventory for LogEntry source
+ContainerLog
+| join(KubePodInventory | where TimeGenerated > startofday(ago(billableTimeView)))on ContainerID
+| where TimeGenerated > startofday(ago(billableTimeView))
+| summarize Total=sum(_BilledSize)/ 1000 by bin(TimeGenerated, 1d), LogEntrySource
\ No newline at end of file
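Review bot: `ContainerLog |join(KubePodInventory| …) on ContainerID` uses the default join flavour, `innerunique`, which keeps only one left-hand row per `ContainerID` and then pairs it with every matching inventory snapshot; for a query named `List container logs per namespace` that yields a single log line per container, repeated once per snapshot, rather than the log stream. The same shape appears in `Billable Log Data by logtype.txt` (second hunk on this line) and `Billable Log Data pernamespace.txt` (next hunk), where it distorts the `sum(_BilledSize)` totals in the same way. Declare the flavour and de-duplicate the lookup side, e.g. `| join kind=inner (KubePodInventory | where TimeGenerated > startofday(ago(1h)) | distinct ContainerID, Namespace) on ContainerID`, and apply the equivalent `kind=inner` + `distinct` pair to the two costing queries.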
diff --git a/Azure Services/Kubernetes services/Queries/Costing/Billable Log Data pernamespace.txt b/Azure Services/Kubernetes services/Queries/Costing/Billable Log Data pernamespace.txt
new file mode 100644
index 00000000..bf289db7
--- /dev/null
+++ b/Azure Services/Kubernetes services/Queries/Costing/Billable Log Data pernamespace.txt
@@ -0,0 +1,12 @@
+// Author: Microsoft Azure
+// Display name: Billable Log Data per-namespace
+// Description: See container logs billable data for the last 7d, segregated by namespace.
+// Categories: ['container', 'resources']
+// Resource types: ['Kubernetes services']
+// Topic: Costing
+let billableTimeView = 7d; // Set the requested time - 30d can take some time.
+ContainerLog
+|join(KubePodInventory | where TimeGenerated > startofday(ago(billableTimeView)))
+on ContainerID
+|where TimeGenerated > startofday(ago(billableTimeView))
+| summarize Total=sum(_BilledSize)/ 1000 by bin(TimeGenerated, 1d), Namespace
\ No newline at end of file
diff --git a/Azure Services/Kubernetes services/Queries/Costing/Container Insight solution billable data.txt b/Azure Services/Kubernetes services/Queries/Costing/Container Insight solution billable data.txt
new file mode 100644
index 00000000..5c7b7b51
--- /dev/null
+++ b/Azure Services/Kubernetes services/Queries/Costing/Container Insight solution billable data.txt
@@ -0,0 +1,12 @@
+// Author: Microsoft Azure
+// Display name: Container Insight solution billable data
+// Description: See total billable data from Container Insights solution.
+// Categories: ['container', 'resources']
+// Resource types: ['Kubernetes services']
+// Topic: Costing
+//This includes billable data for all solutions in the workspace, see for Container Insights solution
+Usage
+| where TimeGenerated > startofday(ago(30d))
+| where IsBillable == true
+| summarize TotalVolumeGB = sum(Quantity) / 1000 by bin(TimeGenerated, 1d), Solution
+| render barchart
\ No newline at end of file
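Review bot: The display name and description of `Container Insight solution billable data.txt` say the query shows Container Insights' billable volume, but the `Usage` query sums `Quantity` for every `Solution` in the workspace and only the inline comment admits it. Either reword, `// Description: Daily billable volume per solution in the workspace, for comparing Container Insights against the rest.`, or restrict the result with a `| where Solution == "ContainerInsights"` line if that is the value the `Usage` table records for it (the `// Solutions:` metadata in this commit uses that spelling, but confirm before relying on it). The existing `see for Container Insights solution` comment is hard to parse and should be rewritten either way; the `pernamespace` hunk on this line inherits the join issue raised on the previous hunk.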
diff --git a/Azure Services/Kubernetes services/Queries/Costing/Environment variable enriching.txt b/Azure Services/Kubernetes services/Queries/Costing/Environment variable enriching.txt
new file mode 100644
index 00000000..015665dd
--- /dev/null
+++ b/Azure Services/Kubernetes services/Queries/Costing/Environment variable enriching.txt
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Environment variable enriching
+// Description: View data ingested by environment variables per hour.
+// Categories: ['container']
+// Resource types: ['Kubernetes services']
+// Topic: Costing
+//Update the TimeGenerated to customize the timerange
+ContainerInventory
+| where TimeGenerated > ago(1h)
+| summarize envvarsMB = sum(string_size(EnvironmentVar)) / (1000. * 1000.)
\ No newline at end of file
diff --git a/Azure Services/Kubernetes services/Queries/Costing/View data ingested by completed jobs.txt b/Azure Services/Kubernetes services/Queries/Costing/View data ingested by completed jobs.txt
new file mode 100644
index 00000000..3c0df946
--- /dev/null
+++ b/Azure Services/Kubernetes services/Queries/Costing/View data ingested by completed jobs.txt
@@ -0,0 +1,29 @@
+// Author: Microsoft Azure
+// Display name: View data ingested by completed jobs
+// Description: View data ingested size by jobs that are completed.
+// Categories: ['container', 'workloads', 'resources']
+// Resource types: ['Kubernetes services']
+// Solutions: ['ContainerInsights']
+// Topic: Costing
+//Modify StartTime to customize TimeRange for completedjobs inventory.
+let startTime = ago(1h);
+//Find all the jobs which are completed
+let kpi = KubePodInventory
+| where TimeGenerated > startTime
+| where _IsBillable == true
+| where PodStatus in ("Succeeded", "Failed")
+| where ControllerKind == "Job";
+//Find the the billable data for the jobs
+let containerInventory = ContainerInventory
+| where TimeGenerated > startTime
+| where _IsBillable == true
+| summarize BillableDataMBytes = sum(_BilledSize)/ (1000. * 1000.) by ContainerID;
+//Join on both the tables to calculate the billable data
+let containerInventoryMB = containerInventory
+| join kpi on $left.ContainerID == $right.ContainerID
+| summarize MB=sum(BillableDataMBytes);
+let kpiMB = kpi
+| summarize MB = sum(_BilledSize)/ (1000. * 1000.);
+union
+(containerInventoryMB),(kpiMB)
+| summarize doneJobsInventoryMB=sum(MB)
\ No newline at end of file
diff --git a/Azure Services/Kubernetes services/Queries/Diagnostics/Image inventory.txt b/Azure Services/Kubernetes services/Queries/Diagnostics/Image inventory.txt
new file mode 100644
index 00000000..a46b4346
--- /dev/null
+++ b/Azure Services/Kubernetes services/Queries/Diagnostics/Image inventory.txt
@@ -0,0 +1,8 @@
+// Author: Microsoft Azure
+// Display name: Image inventory
+// Description: Lists all the container image with their status.
+// Categories: ['container', 'resources']
+// Resource types: ['Kubernetes services']
+// Topic: Diagnostics
+ContainerImageInventory
+| summarize AggregatedValue = count() by Image, ImageTag, Running, _ResourceId
\ No newline at end of file
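Review bot: `containerInventory | join kpi on $left.ContainerID == $right.ContainerID` pairs each per-container `BillableDataMBytes` row with every `KubePodInventory` snapshot of that container in `kpi`, so the following `sum(BillableDataMBytes)` counts a container's bytes once per snapshot and `doneJobsInventoryMB` grows with the number of inventory rows rather than with ingested data. A semi-join keeps the left row exactly once however many inventory rows match: `| join kind=leftsemi kpi on ContainerID`. The `//Find the the billable data` comment has a doubled word, and the `Image inventory` hunk on the same line is fine as it stands.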
diff --git a/Azure Services/Kubernetes services/Queries/Diagnostics/Instances Avg CPU usage growth from last week.txt b/Azure Services/Kubernetes services/Queries/Diagnostics/Instances Avg CPU usage growth from last week.txt
new file mode 100644
index 00000000..74013ce1
--- /dev/null
+++ b/Azure Services/Kubernetes services/Queries/Diagnostics/Instances Avg CPU usage growth from last week.txt
@@ -0,0 +1,25 @@
+// Author: Microsoft Azure
+// Display name: Instances Avg CPU usage growth from last week
+// Description: Show Avg CPU growth by instance in the last week by descending order.
+// Categories: ['container', 'resources']
+// Resource types: ['Kubernetes services']
+// Topic: Diagnostics
+//Show which instances grew CPU usage from last week to current
+Perf
+| where TimeGenerated > ago(7d) //This week Average CPU Usage Nano Cores
+| where ObjectName == "K8SContainer" and CounterName == "cpuUsageNanoCores"
+| summarize ThisWeekAvgCPU = avg(CounterValue) by InstanceName
+| join kind= leftouter (
+ //Previous week Average CPU Usage Nano Cores
+ Perf
+ | where TimeGenerated > ago(14d) and TimeGenerated <= ago(7d)
+ | where ObjectName == "K8SContainer" and CounterName == "cpuUsageNanoCores"
+ | summarize PrevWeekAvgCPU = avg(CounterValue) by InstanceName
+) on InstanceName
+| extend InstanceNameParts = split(InstanceName, "/") //array of the parts of the instance name
+| extend ShortInstanceName = InstanceNameParts[(array_length(InstanceNameParts)-1)] //extract the last part of the instance name
+| extend ThisWeekAvgCPU = round(ThisWeekAvgCPU,0)
+| extend PrevWeekAvgCPU = round(iff(isempty(PrevWeekAvgCPU),0.0,PrevWeekAvgCPU),0) //When doing join with kind=leftouter, missing matches has empty value. To calculate growth, it should be converted to zero. In this case, empty value means that instance did not exist in the previous week
+| extend AvgCPUGrowth = round(ThisWeekAvgCPU - PrevWeekAvgCPU , 0) //Calculate growth
+| project-away InstanceName1,InstanceNameParts //Remove redundant fields
+| order by AvgCPUGrowth desc
\ No newline at end of file
diff --git a/Azure Services/Kubernetes services/Queries/Diagnostics/Kubernetes events.txt b/Azure Services/Kubernetes services/Queries/Diagnostics/Kubernetes events.txt
new file mode 100644
index 00000000..cde301cc
--- /dev/null
+++ b/Azure Services/Kubernetes services/Queries/Diagnostics/Kubernetes events.txt
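Review bot: `iff(isempty(PrevWeekAvgCPU),0.0,PrevWeekAvgCPU)` applies a string-emptiness test to the `real` that `avg()` produces; `isnull()` is the null test defined for numeric columns and expresses the intent of the long trailing comment directly, so `| extend PrevWeekAvgCPU = round(iff(isnull(PrevWeekAvgCPU), 0.0, PrevWeekAvgCPU), 0)` reads better — confirm `isempty` behaves identically on a real before treating this as cosmetic. The explanation on that line is three sentences long and runs far past the code; moving it onto its own `//` line above the `extend` keeps the pipeline scannable. `ShortInstanceName` is computed but never used after `project-away`, so either project it explicitly or drop the two `extend` lines that build it.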
@@ -0,0 +1,11 @@
+// Author: Microsoft Azure
+// Display name: Kubernetes events
+// Description: Lists all the Kubernetes events.
+// Categories: ['container', 'resources']
+// Resource types: ['Kubernetes services']
+// Solutions: ['Containers']
+// Topic: Diagnostics
+KubeEvents
+| where TimeGenerated > ago(7d)
+| where not(isempty(Namespace))
+| top 200 by TimeGenerated desc
\ No newline at end of file
diff --git a/Azure Services/Kubernetes services/Queries/Diagnostics/Prometheus disk read per second per node.txt b/Azure Services/Kubernetes services/Queries/Diagnostics/Prometheus disk read per second per node.txt
new file mode 100644
index 00000000..cd151735
--- /dev/null
+++ b/Azure Services/Kubernetes services/Queries/Diagnostics/Prometheus disk read per second per node.txt
@@ -0,0 +1,23 @@
+// Author: Microsoft Azure
+// Display name: Prometheus disk read per second per node
+// Description: View Prometheus disk read metrics from the default kubernetes namespace as timechart.
+// Categories: ['container', 'workloads', 'resources']
+// Resource types: ['Kubernetes services']
+// Topic: Diagnostics
+// Update TimeGenerated field for custom time range
+InsightsMetrics
+| where Namespace == 'container.azm.ms/diskio'
+| where TimeGenerated > ago(1h)
+| where Name == 'reads'
+| extend Tags = todynamic(Tags)
+| extend HostName = tostring(Tags.hostName), Device = Tags.name
+| extend NodeDisk = strcat(Device, "/", HostName)
+| order by NodeDisk asc, TimeGenerated asc
+| serialize //calculating the PreVal, PrevTimeGenerated to render the chart.
+| extend PrevVal = iif(prev(NodeDisk) != NodeDisk, 0.0, prev(Val)), PrevTimeGenerated = iif(prev(NodeDisk) != NodeDisk, datetime(null), prev(TimeGenerated))
+| where isnotnull(PrevTimeGenerated) and PrevTimeGenerated != TimeGenerated
+//Calculating the rate for disk using PreVal
+| extend Rate = iif(PrevVal > Val, Val / (datetime_diff('Second', TimeGenerated, PrevTimeGenerated) * 1), iif(PrevVal == Val, 0.0, (Val - PrevVal) / (datetime_diff('Second', TimeGenerated, PrevTimeGenerated) * 1)))
+| where isnotnull(Rate)
+| project TimeGenerated, NodeDisk, Rate
+| render timechart
\ No newline at end of file
diff --git a/Azure Services/Kubernetes services/Queries/Performance/Avg node CPU usage percentage per minute.txt b/Azure Services/Kubernetes services/Queries/Performance/Avg node CPU usage percentage per minute.txt
new file mode 100644
index 00000000..4d8963ec
--- /dev/null
+++ b/Azure Services/Kubernetes services/Queries/Performance/Avg node CPU usage percentage per minute.txt
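Review bot: The description says the metrics come `from the default kubernetes namespace`, but `Namespace == 'container.azm.ms/diskio'` selects an `InsightsMetrics` metric namespace, not a Kubernetes namespace, and nothing in the query is Prometheus-specific; the header should describe the filter, e.g. `// Description: Disk read operations per second per node and device, derived from the container.azm.ms/diskio InsightsMetrics counters, as a timechart.` The `* 1` factors inside the `Rate` expression are no-ops that make the counter-reset branch harder to read; dropping them, or flattening the nested `iif` into `case(PrevVal > Val, …, PrevVal == Val, 0.0, …)`, gives the same result. A one-line comment above `| extend Rate` saying that `PrevVal > Val` is treated as a counter reset (so the rate restarts from `Val`) would explain why the first branch differs from the third.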
@@ -0,0 +1,38 @@
+// Author: Microsoft Azure
+// Display name: Avg node CPU usage percentage per minute
+// Description: For your cluster view avg node CPU usage percentage per minute over the last hour.
+// Categories: ['container']
+// Resource types: ['Kubernetes services']
+// Solutions: ['ContainerInsights']
+// Topic: Performance
+//Modify the startDateTime & endDateTime to customize the timerange
+let endDateTime = now();
+let startDateTime = ago(1h);
+let trendBinSize = 1m;
+let capacityCounterName = 'cpuCapacityNanoCores';
+let usageCounterName = 'cpuUsageNanoCores';
+KubeNodeInventory
+| where TimeGenerated < endDateTime
+| where TimeGenerated >= startDateTime
+// cluster filter would go here if multiple clusters are reporting to the same Log Analytics workspace
+| distinct ClusterName, Computer
+| join hint.strategy=shuffle (
+ Perf
+ | where TimeGenerated < endDateTime
+ | where TimeGenerated >= startDateTime
+ | where ObjectName == 'K8SNode'
+ | where CounterName == capacityCounterName
+ | summarize LimitValue = max(CounterValue) by Computer, CounterName, bin(TimeGenerated, trendBinSize)
+ | project Computer, CapacityStartTime = TimeGenerated, CapacityEndTime = TimeGenerated + trendBinSize, LimitValue
+) on Computer
+| join kind=inner hint.strategy=shuffle (
+ Perf
+ | where TimeGenerated < endDateTime + trendBinSize
+ | where TimeGenerated >= startDateTime - trendBinSize
+ | where ObjectName == 'K8SNode'
+ | where CounterName == usageCounterName
+ | project Computer, UsageValue = CounterValue, TimeGenerated
+) on Computer
+| where TimeGenerated >= CapacityStartTime and TimeGenerated < CapacityEndTime
+| project ClusterName, Computer, TimeGenerated, UsagePercent = UsageValue * 100.0 / LimitValue
+| summarize AggregatedValue = avg(UsagePercent) by bin(TimeGenerated, trendBinSize), ClusterName
\ No newline at end of file
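Review bot: The capacity side of the first join relabels each one-minute bin as a `[CapacityStartTime, CapacityEndTime)` window and the usage side deliberately over-fetches by one `trendBinSize` on each edge, which the later `| where TimeGenerated >= CapacityStartTime and TimeGenerated < CapacityEndTime` trims back; none of that is commented, and the memory twin in the next file repeats it verbatim. A comment before `| join hint.strategy=shuffle (` along the lines of `// Capacity is binned per minute and turned into a [start, end) window; usage samples are matched into that window below rather than on an exact timestamp` would save the next reader the reconstruction. `UsagePercent = UsageValue * 100.0 / LimitValue` divides by the reported capacity without guarding a zero `LimitValue`; if a zero can be reported, `| where LimitValue > 0` before the projection keeps infinities out of the average.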
diff --git a/Azure Services/Kubernetes services/Queries/Performance/Avg node memory usage percentage per minute.txt b/Azure Services/Kubernetes services/Queries/Performance/Avg node memory usage percentage per minute.txt
new file mode 100644
index 00000000..2263be9e
--- /dev/null
+++ b/Azure Services/Kubernetes services/Queries/Performance/Avg node memory usage percentage per minute.txt
@@ -0,0 +1,37 @@
+// Author: Microsoft Azure
+// Display name: Avg node memory usage percentage per minute
+// Description: For your cluster view avg node memory usage percentage per minute over the last hour.
+// Categories: ['container']
+// Resource types: ['Kubernetes services']
+// Solutions: ['ContainerInsights']
+// Topic: Performance
+let endDateTime = now();
+let startDateTime = ago(1h);
+let trendBinSize = 1m;
+let capacityCounterName = 'memoryCapacityBytes';
+let usageCounterName = 'memoryRssBytes';
+KubeNodeInventory
+| where TimeGenerated < endDateTime
+| where TimeGenerated >= startDateTime
+// cluster filter would go here if multiple clusters are reporting to the same Log Analytics workspace
+| distinct ClusterName, Computer
+| join hint.strategy=shuffle (
+ Perf
+ | where TimeGenerated < endDateTime
+ | where TimeGenerated >= startDateTime
+ | where ObjectName == 'K8SNode'
+ | where CounterName == capacityCounterName
+ | summarize LimitValue = max(CounterValue) by Computer, CounterName, bin(TimeGenerated, trendBinSize)
+ | project Computer, CapacityStartTime = TimeGenerated, CapacityEndTime = TimeGenerated + trendBinSize, LimitValue
+) on Computer
+| join kind=inner hint.strategy=shuffle (
+ Perf
+ | where TimeGenerated < endDateTime + trendBinSize
+ | where TimeGenerated >= startDateTime - trendBinSize
+ | where ObjectName == 'K8SNode'
+ | where CounterName == usageCounterName
+ | project Computer, UsageValue = CounterValue, TimeGenerated
+) on Computer
+| where TimeGenerated >= CapacityStartTime and TimeGenerated < CapacityEndTime
+| project ClusterName, Computer, TimeGenerated, UsagePercent = UsageValue * 100.0 / LimitValue
+| summarize AggregatedValue = avg(UsagePercent) by bin(TimeGenerated, trendBinSize), ClusterName
\ No newline at end of file
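Review bot: This memory query is a line-for-line twin of `Avg node CPU usage percentage per minute.txt` with only the two counter names changed, but it dropped that file's `//Modify the startDateTime & endDateTime to customize the timerange` comment above the `let` lines; the two should carry the same guidance. Because the logic is duplicated rather than shared, any fix made to the CPU file (the unguarded `LimitValue` division, the window-join explanation) has to be repeated here; a comment such as `// Mirrors "Avg node CPU usage percentage per minute" with memory counters; keep the two in sync` would at least make that coupling visible to the next editor.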
diff --git a/Azure Services/Kubernetes services/Queries/Performance/Container CPU.txt b/Azure Services/Kubernetes services/Queries/Performance/Container CPU.txt
new file mode 100644
index 00000000..c7d3f665
--- /dev/null
+++ b/Azure Services/Kubernetes services/Queries/Performance/Container CPU.txt
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Container CPU
+// Description: View all the container CPU usage averaged over 30mins.
+// Categories: ['container', 'resources']
+// Resource types: ['Kubernetes services']
+// Topic: Performance
+//Select the Line chart display option: can we calculate percentage?
+Perf
+| where ObjectName == "K8SContainer" and CounterName == "cpuUsageNanoCores"
+| summarize AvgCPUUsageNanoCores = avg(CounterValue) by bin(TimeGenerated, 30m), InstanceName
\ No newline at end of file
diff --git a/Azure Services/Kubernetes services/Queries/Performance/Container memory.txt b/Azure Services/Kubernetes services/Queries/Performance/Container memory.txt
new file mode 100644
index 00000000..7a69ce94
--- /dev/null
+++ b/Azure Services/Kubernetes services/Queries/Performance/Container memory.txt
@@ -0,0 +1,13 @@
+// Author: Microsoft Azure
+// Display name: Container memory
+// Description: View container CPU averaged over 30 mins intervals.
+// Categories: ['container', 'resources']
+// Resource types: ['Kubernetes services']
+// Topic: Performance
+//Select the Line chart display option: can we calculate percentage?
+let threshold = 75000000; // choose a threshold
+Perf
+| where ObjectName == "K8SContainer" and CounterName == "memoryRssBytes"
+| summarize AvgUsedRssMemoryBytes = avg(CounterValue) by bin(TimeGenerated, 30m), InstanceName
+| where AvgUsedRssMemoryBytes > threshold
+| render timechart
\ No newline at end of file
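Review bot: `Container memory.txt` describes itself as `View container CPU averaged over 30 mins intervals.` while the query aggregates `memoryRssBytes`; the line should read `// Description: View container RSS memory usage averaged over 30 mins intervals, showing only containers above a threshold.`, since the `| where AvgUsedRssMemoryBytes > threshold` filter also hides part of the data the current wording implies is shown. Both this hunk and `Container CPU.txt` before it ship the author note `//Select the Line chart display option: can we calculate percentage?`, which reads as an open question left in a published sample; either answer it (the node-level queries in this commit show how the capacity counters are joined in) or replace it with a statement such as `// Values are absolute nano-cores / bytes; no capacity counter is joined, so no percentage is computed.`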
diff --git a/Azure Services/Kubernetes services/Queries/Performance/Maximum node disk.txt b/Azure Services/Kubernetes services/Queries/Performance/Maximum node disk.txt
new file mode 100644
index 00000000..24f21e32
--- /dev/null
+++ b/Azure Services/Kubernetes services/Queries/Performance/Maximum node disk.txt
@@ -0,0 +1,11 @@
+// Author: Microsoft Azure
+// Display name: Maximum node disk
+// Description: Max node disk usage averaged over 30 mins intervals.
+// Categories: ['container', 'resources']
+// Resource types: ['Kubernetes services']
+// Topic: Performance
+//InsightMetrics contains all the custom metrics for Container Insights solution
+InsightsMetrics // Replace Name with your custom metric
+| where Name == "used_percent" and Namespace == "container.azm.ms/disk"
+| summarize val= max(Val) by bin(TimeGenerated, 15m)
+| render timechart
\ No newline at end of file
diff --git a/Azure Services/Kubernetes services/Queries/README b/Azure Services/Kubernetes services/Queries/README
new file mode 100644
index 00000000..f121024f
--- /dev/null
+++ b/Azure Services/Kubernetes services/Queries/README
@@ -0,0 +1 @@
+Put queries in this folder
\ No newline at end of file
diff --git a/Azure Services/Kubernetes services/Workbooks/README b/Azure Services/Kubernetes services/Workbooks/README
new file mode 100644
index 00000000..7b19c105
--- /dev/null
+++ b/Azure Services/Kubernetes services/Workbooks/README
@@ -0,0 +1 @@
+Put workbooks in this folder
\ No newline at end of file
diff --git a/Azure Services/Logic Apps/Alerts/README b/Azure Services/Logic Apps/Alerts/README
new file mode 100644
index 00000000..e7cf202f
--- /dev/null
+++ b/Azure Services/Logic Apps/Alerts/README
@@ -0,0 +1 @@
+Put alerts in this folder
\ No newline at end of file
diff --git a/Azure Services/Logic Apps/Queries/Costing/Total billable executions.txt b/Azure Services/Logic Apps/Queries/Costing/Total billable executions.txt
new file mode 100644
index 00000000..f890c953
--- /dev/null
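Review bot: The description `Max node disk usage averaged over 30 mins intervals.` does not match the query, which takes `max(Val)` per `15m` bin and never averages; `// Description: Maximum node disk used_percent per 15-minute interval.` describes what actually runs. The `// Replace Name with your custom metric` comment on the `InsightsMetrics` line presents the file as a template, but the `Namespace` filter on the next line is just as metric-specific and would need replacing too; saying so in the comment avoids a half-edited copy. The `//InsightMetrics contains…` comment also misspells the table name used on the following line.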
+++ b/Azure Services/Logic Apps/Queries/Costing/Total billable executions.txt
@@ -0,0 +1,12 @@
+// Author: Microsoft Azure
+// Display name: Total billable executions
+// Description: Total billable executions by operation name.
+// Categories: ['resources']
+// Resource types: ['Logic Apps']
+// Topic: Costing
+// Total billable executions
+AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.LOGIC"
+| where Category == "WorkflowRuntime"
+| where OperationName has "workflowTriggerStarted" or OperationName has "workflowActionStarted"
+| summarize dcount(resource_runId_s) by OperationName, resource_workflowName_s
\ No newline at end of file
diff --git a/Azure Services/Logic Apps/Queries/Diagnostics/Logic App execution distribution by status.txt b/Azure Services/Logic Apps/Queries/Diagnostics/Logic App execution distribution by status.txt
new file mode 100644
index 00000000..1e3609f5
--- /dev/null
+++ b/Azure Services/Logic Apps/Queries/Diagnostics/Logic App execution distribution by status.txt
@@ -0,0 +1,12 @@
+// Author: Microsoft Azure
+// Display name: Logic App execution distribution by status
+// Description: Completed executions by workflow,status and error.
+// Categories: ['resources']
+// Resource types: ['Logic Apps']
+// Topic: Diagnostics
+//logic app execution status summary
+AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.LOGIC"
+| where OperationName has "workflowRunCompleted"
+| summarize dcount(resource_runId_s) by resource_workflowName_s, status_s, error_code_s
+| project LogicAppName = resource_workflowName_s , NumberOfExecutions = dcount_resource_runId_s , RunStatus = status_s , Error = error_code_s
\ No newline at end of file
diff --git a/Azure Services/Logic Apps/Queries/Diagnostics/Logic App execution distribution by workflows.txt b/Azure Services/Logic Apps/Queries/Diagnostics/Logic App execution distribution by workflows.txt
new file mode 100644
index 00000000..732ce631
--- /dev/null
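Review bot: In `Logic App execution distribution by status.txt` the `| project` line depends on the auto-generated column name `dcount_resource_runId_s` to rename the count, which breaks silently if the `summarize` expression is ever edited; naming the aggregate where it is produced removes that coupling: `| summarize NumberOfExecutions = dcount(resource_runId_s) by resource_workflowName_s, status_s, error_code_s` followed by `| project LogicAppName = resource_workflowName_s, NumberOfExecutions, RunStatus = status_s, Error = error_code_s`. This query also omits the `| where Category == "WorkflowRuntime"` filter that the other three Logic Apps queries in the commit apply; if that is intentional, a comment saying why would help, otherwise add it for consistency.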
+++ b/Azure Services/Logic Apps/Queries/Diagnostics/Logic App execution distribution by workflows.txt
@@ -0,0 +1,13 @@
+// Author: Microsoft Azure
+// Display name: Logic App execution distribution by workflows
+// Description: Hourly timechart for Logic App execution, distribution by workflows.
+// Categories: ['resources']
+// Resource types: ['Logic Apps']
+// Topic: Diagnostics
+// Hourly Time chart for Logic App execution distribution by workflows
+AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.LOGIC"
+| where Category == "WorkflowRuntime"
+| where OperationName has "workflowRunStarted"
+| summarize dcount(resource_runId_s) by bin(TimeGenerated, 1h), resource_workflowName_s
+| render timechart
\ No newline at end of file
diff --git a/Azure Services/Logic Apps/Queries/Errors/Triggered failuers count.txt b/Azure Services/Logic Apps/Queries/Errors/Triggered failuers count.txt
new file mode 100644
index 00000000..89a81828
--- /dev/null
+++ b/Azure Services/Logic Apps/Queries/Errors/Triggered failuers count.txt
@@ -0,0 +1,16 @@
+// Author: Microsoft Azure
+// Display name: Triggered failuers count
+// Description: Show Action/Trigger failures for all Logic App executions by Resource name.
+// Categories: ['resources']
+// Resource types: ['Logic Apps']
+// Topic: Errors
+//Action/Trigger failures for all Logic App executions
+AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.LOGIC"
+| where Category == "WorkflowRuntime"
+| where status_s == "Failed"
+| where OperationName has "workflowActionCompleted" or OperationName has "workflowTriggerCompleted"
+| extend ResourceName = coalesce(resource_actionName_s, resource_triggerName_s)
+| extend ResourceCategory = substring(OperationName, 34, strlen(OperationName) - 43) | summarize dcount(resource_runId_s) by code_s, ResourceName, resource_workflowName_s, ResourceCategory
+| project ResourceCategory, ResourceName , FailureCount = dcount_resource_runId_s , ErrorCode = code_s, LogicAppName = resource_workflowName_s
+| order by FailureCount desc
\ No newline at end of file
diff --git a/Azure Services/Logic Apps/Queries/README b/Azure Services/Logic Apps/Queries/README
new file mode 100644
index 00000000..f121024f
--- /dev/null
+++ b/Azure Services/Logic Apps/Queries/README
@@ -0,0 +1 @@
+Put queries in this folder
\ No newline at end of file
diff --git a/Azure Services/Logic Apps/Workbooks/README b/Azure Services/Logic Apps/Workbooks/README
new file mode 100644
index 00000000..7b19c105
--- /dev/null
+++ b/Azure Services/Logic Apps/Workbooks/README
@@ -0,0 +1 @@
+Put workbooks in this folder
\ No newline at end of file
diff --git a/Azure Services/Recovery Services vaults/Alerts/README b/Azure Services/Recovery Services vaults/Alerts/README
new file mode 100644
index 00000000..e7cf202f
--- /dev/null
+++ b/Azure Services/Recovery Services vaults/Alerts/README
@@ -0,0 +1 @@
+Put alerts in this folder
\ No newline at end of file
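Review bot: `substring(OperationName, 34, strlen(OperationName) - 43)` relies on two unexplained offsets that only hold for the exact `OperationName` spellings admitted by the filter two lines above, and it shares a line with the following `| summarize`, which hides it. Since the filter already restricts to `workflowActionCompleted` / `workflowTriggerCompleted`, the category can be derived without magic numbers: `| extend ResourceCategory = iff(OperationName has "workflowActionCompleted", "Action", "Trigger")`, with `| summarize …` moved to its own line. The display name `Triggered failuers count` (and the file name) carries a typo; renaming now is cheaper than after other content links to the path.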
diff --git a/Azure Services/Recovery Services vaults/Queries/Backup Items/Backup Items by Vault and Backup item type.txt b/Azure Services/Recovery Services vaults/Queries/Backup Items/Backup Items by Vault and Backup item type.txt
new file mode 100644
index 00000000..7dd0e070
--- /dev/null
+++ b/Azure Services/Recovery Services vaults/Queries/Backup Items/Backup Items by Vault and Backup item type.txt
@@ -0,0 +1,13 @@
+// Author: Microsoft Azure
+// Display name: Backup Items by Vault and Backup item type
+// Description: View the different types of items being backed up.
+// Categories: ['management']
+// Resource types: ['Recovery Services vaults']
+// Topic: Backup Items
+CoreAzureBackup
+//get all backup items
+| where OperationName == "BackupItem"
+//remove duplicate records if any
+| summarize arg_max(TimeGenerated, *) by BackupItemUniqueId, ResourceId
+// summarize backup items by type
+| summarize NumberOfItems=count(BackupItemUniqueId) by BackupItemType
\ No newline at end of file
diff --git a/Azure Services/Recovery Services vaults/Queries/Backup Settings Changes/Backup Items with Protection Status modified.txt b/Azure Services/Recovery Services vaults/Queries/Backup Settings Changes/Backup Items with Protection Status modified.txt
new file mode 100644
index 00000000..b54d5447
--- /dev/null
+++ b/Azure Services/Recovery Services vaults/Queries/Backup Settings Changes/Backup Items with Protection Status modified.txt
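Review bot: The display name `Backup Items by Vault and Backup item type` promises a per-vault breakdown, but the final `summarize` groups on `BackupItemType` only, so every vault is merged into one count per type. If `ResourceId` identifies the vault, as its use as part of the de-duplication key suggests, adding it to the grouping keeps the name honest: `| summarize NumberOfItems=count(BackupItemUniqueId) by ResourceId, BackupItemType`; otherwise drop `by Vault` from the display name and description.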
@@ -0,0 +1,22 @@
+// Author: Microsoft Azure
+// Display name: Backup Items with Protection Status modified
+// Description: Find out if the protection status for any Backup Item has been modified in the selected time range.
+// Categories: ['management', 'security']
+// Resource types: ['Recovery Services vaults']
+// Topic: Backup Settings Changes
+//Get Backup Items and their Protection State at the start of the selected time range.
+let BackupItemsAtStartOfPeriod = CoreAzureBackup
+| where OperationName == "BackupItem"
+| summarize arg_min(TimeGenerated, *) by BackupItemUniqueId
+| project BackupItemUniqueId , OldProtectionState=BackupItemProtectionState;
+
+//Get Backup Items and their Protection State at the end of the selected time range.
+let BackupItemsAtEndOfPeriod = CoreAzureBackup
+| where OperationName == "BackupItem"
+| summarize arg_max(TimeGenerated, *) by BackupItemUniqueId
+| project BackupItemUniqueId , NewProtectionState=BackupItemProtectionState;
+
+//List Backup Items for which Protection State has been modified in the selected time range.
+BackupItemsAtStartOfPeriod
+| join (BackupItemsAtEndOfPeriod) on BackupItemUniqueId
+| where OldProtectionState != NewProtectionState
\ No newline at end of file
diff --git a/Azure Services/Recovery Services vaults/Queries/Backup Settings Changes/Policies with retention duration modified.txt b/Azure Services/Recovery Services vaults/Queries/Backup Settings Changes/Policies with retention duration modified.txt
new file mode 100644
index 00000000..ce87c019
--- /dev/null
+++ b/Azure Services/Recovery Services vaults/Queries/Backup Settings Changes/Policies with retention duration modified.txt
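Review bot: The final `join` uses the default (inner) kind, so a Backup Item that has a record at the start of the range but none at the end is silently dropped instead of reported, which for a query tagged `'security'` is the case most worth surfacing (assuming an item removed from the vault stops emitting BackupItem records, which the hunk does not show). `| join kind=leftouter (BackupItemsAtEndOfPeriod) on BackupItemUniqueId` keeps those rows, and the existing `OldProtectionState != NewProtectionState` filter then reports them because NewProtectionState is empty. The same inner-join behaviour applies to the policy retention query in the next hunk, where a policy that disappears mid-range would likewise not be listed.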
@@ -0,0 +1,22 @@
+// Author: Microsoft Azure
+// Display name: Policies with retention duration modified
+// Description: Find out if the retention duration of any policy has been modified in the selected time range.
+// Categories: ['management', 'security']
+// Resource types: ['Recovery Services vaults']
+// Topic: Backup Settings Changes
+//Get all Policies by Vault and Retention Duration, at the start of the selected time range.
+let PoliciesAtStartOfPeriod = AddonAzureBackupPolicy
+| where OperationName == "Policy"
+| summarize arg_min(TimeGenerated, *) by PolicyUniqueId,ResourceId
+| project PolicyUniqueId, ResourceId, DailyRetentionDuration1=DailyRetentionDuration, WeeklyRetentionDuration1=WeeklyRetentionDuration, MonthlyRetentionDuration1=MonthlyRetentionDuration, YearlyRetentionDuration1=YearlyRetentionDuration;
+
+//Get all Policies by Vault and Retention Duration, at the end of the selected time range
+let PoliciesAtEndOfPeriod = AddonAzureBackupPolicy
+| where OperationName == "Policy"
+| summarize arg_max(TimeGenerated, *) by PolicyUniqueId,ResourceId
+| project PolicyUniqueId, ResourceId, DailyRetentionDuration2=DailyRetentionDuration, WeeklyRetentionDuration2=WeeklyRetentionDuration, MonthlyRetentionDuration2=MonthlyRetentionDuration, YearlyRetentionDuration2=YearlyRetentionDuration;
+
+//Get all Policies for which Daily/Weekly/Monthly/Yearly Retention Duration has been modified in the selected time range
+PoliciesAtStartOfPeriod
+| join (PoliciesAtEndOfPeriod) on PolicyUniqueId, ResourceId
+ | where DailyRetentionDuration1!=DailyRetentionDuration2 or WeeklyRetentionDuration1!=WeeklyRetentionDuration2 or MonthlyRetentionDuration1!=MonthlyRetentionDuration2 or YearlyRetentionDuration1!=YearlyRetentionDuration2
\ No newline at end of file
diff --git a/Azure Services/Recovery Services vaults/Queries/Jobs/All Failed Jobs.txt b/Azure Services/Recovery Services vaults/Queries/Jobs/All Failed Jobs.txt
new file mode 100644
index 00000000..f98a785f
--- /dev/null
+++ b/Azure Services/Recovery Services vaults/Queries/Jobs/All Failed Jobs.txt
@@ -0,0 +1,9 @@
+// Author: Microsoft Azure
+// Display name: All Failed Jobs
+// Description: View all failed jobs in the selected time range.
+// Categories: ['audit']
+// Resource types: ['Recovery Services vaults']
+// Topic: Jobs
+AddonAzureBackupJobs
+| summarize arg_max(TimeGenerated,*) by JobUniqueId
+| where JobStatus == "Failed"
\ No newline at end of file
diff --git a/Azure Services/Recovery Services vaults/Queries/Jobs/All Successful Jobs.txt b/Azure Services/Recovery Services vaults/Queries/Jobs/All Successful Jobs.txt
new file mode 100644
index 00000000..7ad4b5a3
--- /dev/null
+++ b/Azure Services/Recovery Services vaults/Queries/Jobs/All Successful Jobs.txt
@@ -0,0 +1,9 @@
+// Author: Microsoft Azure
+// Display name: All Successful Jobs
+// Description: View all successful jobs in the selected time range.
+// Categories: ['audit']
+// Resource types: ['Recovery Services vaults']
+// Topic: Jobs
+AddonAzureBackupJobs
+| summarize arg_max(TimeGenerated,*) by JobUniqueId
+| where JobStatus == "Completed"
\ No newline at end of file
diff --git a/Azure Services/Recovery Services vaults/Queries/Jobs/Distribution of Backup Jobs by Status.txt b/Azure Services/Recovery Services vaults/Queries/Jobs/Distribution of Backup Jobs by Status.txt
new file mode 100644
index 00000000..a80d0231
--- /dev/null
+++ b/Azure Services/Recovery Services vaults/Queries/Jobs/Distribution of Backup Jobs by Status.txt
@@ -0,0 +1,13 @@
+// Author: Microsoft Azure
+// Display name: Distribution of Backup Jobs by Status
+// Description: View the number of completed and failed Backup Jobs in the selected time range.
+// Categories: ['management']
+// Resource types: ['Recovery Services vaults']
+// Topic: Jobs
+AddonAzureBackupJobs
+//Get all Backup Jobs
+| where JobOperation == "Backup"
+//Remove duplicate records if any
+| summarize arg_max(TimeGenerated, *) by JobUniqueId
+//Summarize by Job Status
+| summarize count(JobUniqueId) by JobStatus
\ No newline at end of file
diff --git a/Azure Services/Recovery Services vaults/Queries/Jobs/Distribution of Restore Jobs by Status.txt b/Azure Services/Recovery Services vaults/Queries/Jobs/Distribution of Restore Jobs by Status.txt
new file mode 100644
index 00000000..01f0b269
--- /dev/null
+++ b/Azure Services/Recovery Services vaults/Queries/Jobs/Distribution of Restore Jobs by Status.txt
@@ -0,0 +1,13 @@
+// Author: Microsoft Azure
+// Display name: Distribution of Restore Jobs by Status
+// Description: View the number of completed and failed Restore Jobs in the selected time range.
+// Categories: ['management']
+// Resource types: ['Recovery Services vaults']
+// Topic: Jobs
+AddonAzureBackupJobs
+//Get all Restore Jobs
+| where JobOperation in~ ("Restore","Recovery")
+//Remove duplicate records if any
+| summarize arg_max(TimeGenerated, *) by JobUniqueId
+//Summarize by Job Status
+| summarize count(JobUniqueId) by JobStatus
\ No newline at end of file
diff --git a/Azure Services/Recovery Services vaults/Queries/README b/Azure Services/Recovery Services vaults/Queries/README
new file mode 100644
index 00000000..f121024f
--- /dev/null
+++ b/Azure Services/Recovery Services vaults/Queries/README
@@ -0,0 +1 @@
+Put queries in this folder
\ No newline at end of file
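Review bot: `JobOperation == "Backup"` is a case-sensitive match while the Restore query in the next hunk uses `in~ ("Restore","Recovery")` on the same column, so a differently cased value would be counted by one query and dropped by the other. `| where JobOperation =~ "Backup"` would keep the pair consistent; if the value is known to be emitted with exactly this casing, a one-line comment saying so would justify the stricter comparison instead.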
diff --git a/Azure Services/Recovery Services vaults/Queries/Usage/Cloud Storage Consumed per Backup Item.txt b/Azure Services/Recovery Services vaults/Queries/Usage/Cloud Storage Consumed per Backup Item.txt
new file mode 100644
index 00000000..e9971ff4
--- /dev/null
+++ b/Azure Services/Recovery Services vaults/Queries/Usage/Cloud Storage Consumed per Backup Item.txt
@@ -0,0 +1,18 @@
+// Author: Microsoft Azure
+// Display name: Cloud Storage Consumed per Backup Item
+// Description: View the total Cloud Storage consumed by each Backup Item.
+// Categories: ['management']
+// Resource types: ['Recovery Services vaults']
+// Topic: Usage
+CoreAzureBackup
+//Get all Backup Items
+| where OperationName == "BackupItem"
+//Get distinct Backup Items
+| distinct BackupItemUniqueId, BackupItemFriendlyName
+| join kind=leftouter(AddonAzureBackupStorage
+| where OperationName == "StorageAssociation"
+//Get latest record for each Backup Item
+| summarize arg_max(TimeGenerated, *) by BackupItemUniqueId
+| project BackupItemUniqueId , StorageConsumedInMBs) on BackupItemUniqueId
+| project BackupItemUniqueId , BackupItemFriendlyName , StorageConsumedInMBs
+| sort by StorageConsumedInMBs desc
\ No newline at end of file
diff --git a/Azure Services/Recovery Services vaults/Queries/Usage/Trend of total Cloud Storage consumed.txt b/Azure Services/Recovery Services vaults/Queries/Usage/Trend of total Cloud Storage consumed.txt
new file mode 100644
index 00000000..75d9b477
--- /dev/null
+++ b/Azure Services/Recovery Services vaults/Queries/Usage/Trend of total Cloud Storage consumed.txt
@@ -0,0 +1,14 @@
+// Author: Microsoft Azure
+// Display name: Trend of total Cloud Storage consumed
+// Description: View the daily trend of total (cumulative) Cloud Storage consumed.
+// Categories: ['management']
+// Resource types: ['Recovery Services vaults']
+// Topic: Usage
+AddonAzureBackupStorage
+| where OperationName == "StorageAssociation"
+//Get total Cloud Storage being consumed per Backup Item at the end of each day
+| summarize TotalStoragePerBackupItemPerDay=sum(StorageConsumedInMBs) by BackupItemUniqueId, Day=bin(TimeGenerated,1d)
+//Get total Cloud Storage being consumed at the end of each day
+| summarize TotalStorage=sum(TotalStoragePerBackupItemPerDay) by Day
+| sort by Day asc
+| render timechart
\ No newline at end of file
diff --git a/Azure Services/Recovery Services vaults/Workbooks/README b/Azure Services/Recovery Services vaults/Workbooks/README
new file mode 100644
index 00000000..7b19c105
--- /dev/null
+++ b/Azure Services/Recovery Services vaults/Workbooks/README
@@ -0,0 +1 @@
+Put workbooks in this folder
\ No newline at end of file
diff --git a/Azure Services/SQL databases/Alerts/README b/Azure Services/SQL databases/Alerts/README
new file mode 100644
index 00000000..e7cf202f
--- /dev/null
+++ b/Azure Services/SQL databases/Alerts/README
@@ -0,0 +1 @@
+Put alerts in this folder
\ No newline at end of file
diff --git a/Azure Services/SQL databases/Queries/Diagnostics/Loading Data.txt b/Azure Services/SQL databases/Queries/Diagnostics/Loading Data.txt
new file mode 100644
index 00000000..95df91a2
--- /dev/null
+++ b/Azure Services/SQL databases/Queries/Diagnostics/Loading Data.txt
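Review bot: The first `summarize` adds up every StorageAssociation record an item emits within a day (`sum(StorageConsumedInMBs)`), while the comment directly above it says it should give the storage consumed at the end of each day; if an item emits more than one record per day (the emission cadence is not visible in the hunk) the daily total is inflated by that factor and the trend overstates usage. Taking the last value per item per day, in the multi-column `arg_max` form the Storage query later in this commit already uses, matches the comment: `| summarize (LastSeen, TotalStoragePerBackupItemPerDay) = arg_max(TimeGenerated, StorageConsumedInMBs) by BackupItemUniqueId, Day=bin(TimeGenerated,1d)`. The second `summarize` and the chart then stay as they are.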
@@ -0,0 +1,12 @@
+// Author: Microsoft Azure
+// Display name: Loading Data
+// Description: Monitor data loading in the last hour.
+// Categories: ['databases']
+// Resource types: ['SQL databases']
+// Topic: Diagnostics
+AzureMetrics
+| where ResourceProvider == "MICROSOFT.SQL"
+| where TimeGenerated >= ago(60min)
+| where MetricName in ('log_write_percent')
+| parse _ResourceId with * "/microsoft.sql/servers/" Resource// subtract Resource name for _ResourceId
+| summarize Log_Maximum_last60mins = max(Maximum), Log_Minimum_last60mins = min(Minimum), Log_Average_last60mins = avg(Average) by Resource, MetricName
\ No newline at end of file
diff --git a/Azure Services/SQL databases/Queries/Diagnostics/Wait stats.txt b/Azure Services/SQL databases/Queries/Diagnostics/Wait stats.txt
new file mode 100644
index 00000000..887df088
--- /dev/null
+++ b/Azure Services/SQL databases/Queries/Diagnostics/Wait stats.txt
@@ -0,0 +1,11 @@
+// Author: Microsoft Azure
+// Display name: Wait stats
+// Description: Wait stats over the last hour, by Logical Server and Database.
+// Categories: ['databases']
+// Resource types: ['SQL databases']
+// Topic: Diagnostics
+AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.SQL"
+| where TimeGenerated >= ago(60min)
+| parse _ResourceId with * "/microsoft.sql/servers/" LogicalServerName "/databases/" DatabaseName
+| summarize Total_count_60mins = sum(delta_waiting_tasks_count_d) by LogicalServerName, DatabaseName, wait_type_s
\ No newline at end of file
diff --git a/Azure Services/SQL databases/Queries/Performance/Avg CPU usage.txt b/Azure Services/SQL databases/Queries/Performance/Avg CPU usage.txt
new file mode 100644
index 00000000..ce529e9c
--- /dev/null
+++ b/Azure Services/SQL databases/Queries/Performance/Avg CPU usage.txt
@@ -0,0 +1,13 @@
+// Author: Microsoft Azure
+// Display name: Avg CPU usage
+// Description: Avg CPU usage in the last hour by resource name.
+// Categories: ['databases']
+// Resource types: ['SQL databases']
+// Topic: Performance
+//consistently high averages could indicate a customer needs to move to a larger SKU
+AzureMetrics
+| where ResourceProvider == "MICROSOFT.SQL" // /DATABASES
+| where TimeGenerated >= ago(60min)
+| where MetricName in ('cpu_percent')
+| parse _ResourceId with * "/microsoft.sql/servers/" Resource // subtract Resource name for _ResourceId
+| summarize CPU_Maximum_last15mins = max(Maximum), CPU_Minimum_last15mins = min(Minimum), CPU_Average_last15mins = avg(Average) by Resource , MetricName
\ No newline at end of file
diff --git a/Azure Services/SQL databases/Queries/Performance/Performance troubleshooting.txt b/Azure Services/SQL databases/Queries/Performance/Performance troubleshooting.txt
new file mode 100644
index 00000000..aadd3511
--- /dev/null
+++ b/Azure Services/SQL databases/Queries/Performance/Performance troubleshooting.txt
@@ -0,0 +1,13 @@
+// Author: Microsoft Azure
+// Display name: Performance troubleshooting
+// Description: Potentially query or deadlock on the system that could lead to poor performance.
+// Categories: ['databases']
+// Resource types: ['SQL databases']
+// Topic: Performance
+//potentially a query or deadlock on the system that could lead to poor performance
+AzureMetrics
+| where ResourceProvider == "MICROSOFT.SQL"
+| where TimeGenerated >=ago(60min)
+| where MetricName in ('deadlock')
+| parse _ResourceId with * "/microsoft.sql/servers/" Resource // subtract Resource name for _ResourceId
+| summarize Deadlock_max_60Mins = max(Maximum) by Resource, MetricName
\ No newline at end of file
diff --git a/Azure Services/SQL databases/Queries/README b/Azure Services/SQL databases/Queries/README
new file mode 100644
index 00000000..f121024f
--- /dev/null
+++ b/Azure Services/SQL databases/Queries/README
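Review bot: The output columns `CPU_Maximum_last15mins`, `CPU_Minimum_last15mins` and `CPU_Average_last15mins` are named for a 15-minute window, but the filter three lines above is `TimeGenerated >= ago(60min)`, so the result misreports its own window to anyone reading it; rename them to `..._last60mins`, as the Loading Data query in the previous hunk does, or change the filter to match. The trailing `// /DATABASES` on the ResourceProvider line tells the reader nothing; either spell out what it means (e.g. that database sub-resources are included under this provider) or drop it.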
@@ -0,0 +1 @@
+Put queries in this folder
\ No newline at end of file
diff --git a/Azure Services/SQL databases/Workbooks/README b/Azure Services/SQL databases/Workbooks/README
new file mode 100644
index 00000000..7b19c105
--- /dev/null
+++ b/Azure Services/SQL databases/Workbooks/README
@@ -0,0 +1 @@
+Put workbooks in this folder
\ No newline at end of file
diff --git a/Azure Services/SQL managed instances/Alerts/README b/Azure Services/SQL managed instances/Alerts/README
new file mode 100644
index 00000000..e7cf202f
--- /dev/null
+++ b/Azure Services/SQL managed instances/Alerts/README
@@ -0,0 +1 @@
+Put alerts in this folder
\ No newline at end of file
diff --git a/Azure Services/SQL managed instances/Queries/Intelligent insights/Display all active intelligent insights.txt b/Azure Services/SQL managed instances/Queries/Intelligent insights/Display all active intelligent insights.txt
new file mode 100644
index 00000000..92fa0040
--- /dev/null
+++ b/Azure Services/SQL managed instances/Queries/Intelligent insights/Display all active intelligent insights.txt
@@ -0,0 +1,9 @@
+// Author: Microsoft Azure
+// Display name: Display all active intelligent insights
+// Description: Display all active performance issues detected by intelligent insights. Please note that SQLInsights log needs to be enabled for each database monitored.
+// Categories: ['management']
+// Resource types: ['SQL managed instances']
+// Topic: Intelligent insights
+AzureDiagnostics
+| where Category == "SQLInsights" and status_s == "Active"
+| distinct rootCauseAnalysis_s
\ No newline at end of file
diff --git a/Azure Services/SQL managed instances/Queries/Intelligent insights/Workload continously hitting CPU limits.txt b/Azure Services/SQL managed instances/Queries/Intelligent insights/Workload continously hitting CPU limits.txt
new file mode 100644
index 00000000..31b9a65b
--- /dev/null
+++ b/Azure Services/SQL managed instances/Queries/Intelligent insights/Workload continously hitting CPU limits.txt
@@ -0,0 +1,13 @@
+// Author: Microsoft Azure
+// Display name: Workload continously hitting CPU limits
+// Description: Intelligent insights report detecting the workload behavor as continously hitting CPU limits. Please note that SQLInsights log needs to be enabled for each database monitored.
+// Categories: ['management']
+// Resource types: ['SQL managed instances']
+// Topic: Intelligent insights
+let alert_run_interval = 1h;
+let insights_string = "hitting its CPU limits";
+AzureDiagnostics
+| where Category == "SQLInsights" and status_s == "Active"
+| where TimeGenerated > ago(alert_run_interval)
+| where rootCauseAnalysis_s contains insights_string
+| distinct _ResourceId
\ No newline at end of file
diff --git a/Azure Services/SQL managed instances/Queries/README b/Azure Services/SQL managed instances/Queries/README
new file mode 100644
index 00000000..f121024f
--- /dev/null
+++ b/Azure Services/SQL managed instances/Queries/README
@@ -0,0 +1 @@
+Put queries in this folder
\ No newline at end of file
diff --git a/Azure Services/SQL managed instances/Queries/Utilization/CPU utilization treshold above 95 on managed instances.txt b/Azure Services/SQL managed instances/Queries/Utilization/CPU utilization treshold above 95 on managed instances.txt
new file mode 100644
index 00000000..ab9a80e0
--- /dev/null
+++ b/Azure Services/SQL managed instances/Queries/Utilization/CPU utilization treshold above 95 on managed instances.txt
@@ -0,0 +1,12 @@
+// Author: Microsoft Azure
+// Display name: CPU utilization treshold above 95% on managed instances
+// Description: Display all managed instances with CPU treshold being over 95% of treshold.
+// Categories: ['management']
+// Resource types: ['SQL managed instances']
+// Topic: Utilization
+let cpu_percentage_threshold = 95;
+let time_threshold = ago(1h);
+AzureDiagnostics
+| where Category == "ResourceUsageStats" and TimeGenerated > time_threshold
+| summarize avg_cpu = max(todouble(avg_cpu_percent_s)) by _ResourceId
+| where avg_cpu > cpu_percentage_threshold
\ No newline at end of file
diff --git a/Azure Services/SQL managed instances/Queries/Utilization/Storage on managed instances above 90.txt b/Azure Services/SQL managed instances/Queries/Utilization/Storage on managed instances above 90.txt
new file mode 100644
index 00000000..dcc89715
--- /dev/null
+++ b/Azure Services/SQL managed instances/Queries/Utilization/Storage on managed instances above 90.txt
@@ -0,0 +1,12 @@
+// Author: Microsoft Azure
+// Display name: Storage on managed instances above 90%
+// Description: Display all managed instances with storage utilization above 90%.
+// Categories: ['management']
+// Resource types: ['SQL managed instances']
+// Topic: Utilization
+let storage_percentage_threshold = 90;
+AzureDiagnostics
+| where Category =="ResourceUsageStats"
+| summarize (TimeGenerated, calculated_storage_percentage) = arg_max(TimeGenerated, todouble(storage_space_used_mb_s) *100 / todouble (reserved_storage_mb_s))
+ by _ResourceId
+| where calculated_storage_percentage > storage_percentage_threshold
\ No newline at end of file
diff --git a/Azure Services/SQL managed instances/Workbooks/README b/Azure Services/SQL managed instances/Workbooks/README
new file mode 100644
index 00000000..7b19c105
--- /dev/null
+++ b/Azure Services/SQL managed instances/Workbooks/README
@@ -0,0 +1 @@
+Put workbooks in this folder
\ No newline at end of file
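Review bot: `avg_cpu = max(todouble(avg_cpu_percent_s))` names the column as an average but takes the maximum of the per-record averages, so the query flags an instance when any single sample in the hour exceeded 95%, not when the hour's average did; either rename it to `max_avg_cpu` so the threshold reads correctly, or use `avg(todouble(avg_cpu_percent_s))` if a sustained load is what is meant. The Storage query in the same section has no `TimeGenerated` bound at all, unlike `time_threshold` here, so its `arg_max` picks the newest record within whatever window the caller's time picker happens to select; adding the same `let time_threshold = ago(1h);` filter would make the pair consistent. `treshold` in the display name and description should be `threshold`.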
diff --git a/Azure Services/Service Bus/Alerts/README b/Azure Services/Service Bus/Alerts/README
new file mode 100644
index 00000000..e7cf202f
--- /dev/null
+++ b/Azure Services/Service Bus/Alerts/README
@@ -0,0 +1 @@
+Put alerts in this folder
\ No newline at end of file
diff --git a/Azure Services/Service Bus/Queries/Diagnostics/Keyvault access attempt key not found.txt b/Azure Services/Service Bus/Queries/Diagnostics/Keyvault access attempt key not found.txt
new file mode 100644
index 00000000..dafcdf51
--- /dev/null
+++ b/Azure Services/Service Bus/Queries/Diagnostics/Keyvault access attempt key not found.txt
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Keyvault access attempt - key not found
+// Description: Summarizes the access to keyvault when key is not found.
+// Categories: ['security']
+// Resource types: ['Service Bus']
+// Topic: Diagnostics
+AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.SERVICEBUS"
+| where Category == "Error" and Operation == "wrapkey"
+| project message
\ No newline at end of file
diff --git a/Azure Services/Service Bus/Queries/Diagnostics/Management operations in the last 7 days.txt b/Azure Services/Service Bus/Queries/Diagnostics/Management operations in the last 7 days.txt
new file mode 100644
index 00000000..c9ee8363
--- /dev/null
+++ b/Azure Services/Service Bus/Queries/Diagnostics/Management operations in the last 7 days.txt
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Management operations in the last 7 days
+// Description: This lists all the management calls for the last 7 days.
+// Categories: ['monitor']
+// Resource types: ['Service Bus']
+// Topic: Diagnostics
+AzureDiagnostics
+| where ResourceProvider =="MICROSOFT.SERVICEBUS"
+| where Category == "OperationalLogs"
+| summarize count() by EventName_s, Resource
\ No newline at end of file
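Review bot: `| project message` discards `TimeGenerated` and `Resource`, so a result from this `'security'`-categorized query cannot say which namespace failed to wrap its key or when, which is the first thing an investigator needs. `| project TimeGenerated, Resource, message` keeps that context using the same `Resource` column the Management operations query in this section already groups by. The Keyvault performed operational query in a later hunk ends with the same bare `| project message` and would benefit from the same change.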
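Review bot: The display name and description promise "the last 7 days", but the query has no `TimeGenerated` filter, so the window is whatever the caller's time picker selects and the counts will not match the title. Either add `| where TimeGenerated > ago(7d)` after the Category filter, as the Storage queries in later hunks do with `ago(3d)`, or drop the window from the name and description. The Errors summary query in the next hunk has the same mismatch.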
diff --git a/Azure Services/Service Bus/Queries/Errors/Errors summary.txt b/Azure Services/Service Bus/Queries/Errors/Errors summary.txt
new file mode 100644
index 00000000..23b140fd
--- /dev/null
+++ b/Azure Services/Service Bus/Queries/Errors/Errors summary.txt
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Errors summary
+// Description: Summarizes all the errors seen in the last 7 days.
+// Categories: ['monitor']
+// Resource types: ['Service Bus']
+// Topic: Errors
+AzureDiagnostics
+| where ResourceProvider =="MICROSOFT.SERVICEBUS"
+| where Category == "Error"
+| summarize count() by EventName_s, Resource
\ No newline at end of file
diff --git a/Azure Services/Service Bus/Queries/README b/Azure Services/Service Bus/Queries/README
new file mode 100644
index 00000000..f121024f
--- /dev/null
+++ b/Azure Services/Service Bus/Queries/README
@@ -0,0 +1 @@
+Put queries in this folder
\ No newline at end of file
diff --git a/Azure Services/Service Bus/Queries/Security/Keyvault performed operational.txt b/Azure Services/Service Bus/Queries/Security/Keyvault performed operational.txt
new file mode 100644
index 00000000..e7d2b6c1
--- /dev/null
+++ b/Azure Services/Service Bus/Queries/Security/Keyvault performed operational.txt
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Keyvault performed operational
+// Description: Summarizes the operation performed with keyvault to disable or restore the key.
+// Categories: ['security']
+// Resource types: ['Service Bus']
+// Topic: Security
+AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.SERVICEBUS"
+| where (Category == "info" and (Operation == "disable" or Operation == "restore"))
+| project message
\ No newline at end of file
diff --git a/Azure Services/Service Bus/Queries/Usage/AutoDeleted entities.txt b/Azure Services/Service Bus/Queries/Usage/AutoDeleted entities.txt
new file mode 100644
index 00000000..dc363f4c
--- /dev/null
+++ b/Azure Services/Service Bus/Queries/Usage/AutoDeleted entities.txt
@@ -0,0 +1,11 @@
+// Author: Microsoft Azure
+// Display name: AutoDeleted entities
+// Description: Summary of all the entities that have been auto-deleted.
+// Categories: ['audit']
+// Resource types: ['Service Bus']
+// Topic: Usage
+AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.SERVICEBUS"
+| where Category == "OperationalLogs"
+| where EventName_s startswith "AutoDelete"
+| summarize count() by EventName_s
\ No newline at end of file
diff --git a/Azure Services/Service Bus/Workbooks/README b/Azure Services/Service Bus/Workbooks/README
new file mode 100644
index 00000000..7b19c105
--- /dev/null
+++ b/Azure Services/Service Bus/Workbooks/README
@@ -0,0 +1 @@
+Put workbooks in this folder
\ No newline at end of file
diff --git a/Azure Services/Storage accounts/Alerts/README b/Azure Services/Storage accounts/Alerts/README
new file mode 100644
index 00000000..e7cf202f
--- /dev/null
+++ b/Azure Services/Storage accounts/Alerts/README
@@ -0,0 +1 @@
+Put alerts in this folder
\ No newline at end of file
diff --git a/Azure Services/Storage accounts/Queries/Audit/Frequent operations chart.txt b/Azure Services/Storage accounts/Queries/Audit/Frequent operations chart.txt
new file mode 100644
index 00000000..a1fc8976
--- /dev/null
+++ b/Azure Services/Storage accounts/Queries/Audit/Frequent operations chart.txt
@@ -0,0 +1,11 @@
+// Author: Microsoft Azure
+// Display name: Frequent operations chart
+// Description: A pie chart of operations used over the last 3 days.
+// Categories: ['management']
+// Resource types: ['Storage accounts']
+// Topic: Audit
+StorageBlobLogs
+| where TimeGenerated > ago(3d)
+| summarize count() by OperationName
+| sort by count_ desc
+| render piechart
\ No newline at end of file
diff --git a/Azure Services/Storage accounts/Queries/Audit/Show anonymous requests.txt b/Azure Services/Storage accounts/Queries/Audit/Show anonymous requests.txt
new file mode 100644
index 00000000..5065fb26
--- /dev/null
+++ b/Azure Services/Storage accounts/Queries/Audit/Show anonymous requests.txt
@@ -0,0 +1,9 @@
+// Author: Microsoft Azure
+// Display name: Show anonymous requests
+// Description: List all requests with anonymous access over the last 3 days.
+// Categories: ['management']
+// Resource types: ['Storage accounts']
+// Topic: Audit
+StorageBlobLogs
+| where TimeGenerated > ago(3d) and AuthenticationType == "Anonymous"
+| project TimeGenerated, OperationName, AuthenticationType, Uri
\ No newline at end of file
diff --git a/Azure Services/Storage accounts/Queries/Errors/Most common errors.txt b/Azure Services/Storage accounts/Queries/Errors/Most common errors.txt
new file mode 100644
index 00000000..e7fb76fd
--- /dev/null
+++ b/Azure Services/Storage accounts/Queries/Errors/Most common errors.txt
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Most common errors
+// Description: List 10 most common errors over the last 3 days.
+// Categories: ['management']
+// Resource types: ['Storage accounts']
+// Topic: Errors
+StorageBlobLogs
+| where TimeGenerated > ago(3d) and StatusText !contains "Success"
+| summarize count() by StatusText
+| top 10 by count_ desc
\ No newline at end of file
diff --git a/Azure Services/Storage accounts/Queries/Errors/Operations causing most errors.txt b/Azure Services/Storage accounts/Queries/Errors/Operations causing most errors.txt
new file mode 100644
index 00000000..d970c848
--- /dev/null
+++ b/Azure Services/Storage accounts/Queries/Errors/Operations causing most errors.txt
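Review bot: For an audit of anonymous access, the projection `TimeGenerated, OperationName, AuthenticationType, Uri` omits whether the request was served, so a rejected probe and a successful public read look identical in the output; adding `StatusCode` (the throttling query in this section already projects it) and, if the workspace schema has it, the caller IP column (`CallerIpAddress`) lets a reader separate the two and see where the traffic comes from. Given what the query is for, `Categories: ['management']` could also carry `'security'`, as the Backup Settings Changes queries in this commit do. `AuthenticationType` in the projection is redundant with the filter and could be dropped in favour of the columns above.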
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Operations causing most errors
+// Description: List top 10 operations causing the most errors over the last 3 days.
+// Categories: ['management']
+// Resource types: ['Storage accounts']
+// Topic: Errors
+StorageBlobLogs
+| where TimeGenerated > ago(3d) and StatusText !contains "Success"
+| summarize count() by OperationName
+| top 10 by count_ desc
\ No newline at end of file
diff --git a/Azure Services/Storage accounts/Queries/Errors/Operations causing server side throttling.txt b/Azure Services/Storage accounts/Queries/Errors/Operations causing server side throttling.txt
new file mode 100644
index 00000000..b2378425
--- /dev/null
+++ b/Azure Services/Storage accounts/Queries/Errors/Operations causing server side throttling.txt
@@ -0,0 +1,9 @@
+// Author: Microsoft Azure
+// Display name: Operations causing server side throttling
+// Description: List all operations causing server side throttling errors over the last 3 days.
+// Categories: ['management']
+// Resource types: ['Storage accounts']
+// Topic: Errors
+StorageBlobLogs
+| where TimeGenerated > ago(3d) and StatusText contains "ServerBusy"
+| project TimeGenerated, OperationName, StatusCode, StatusText
\ No newline at end of file
diff --git a/Azure Services/Storage accounts/Queries/Performance/Operations with the highest latency.txt b/Azure Services/Storage accounts/Queries/Performance/Operations with the highest latency.txt
new file mode 100644
index 00000000..ef4a7e1f
--- /dev/null
+++ b/Azure Services/Storage accounts/Queries/Performance/Operations with the highest latency.txt
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Operations with the highest latency
+// Description: List top 10 operations with the longest end to end latency over the last 3 days.
+// Categories: ['management']
+// Resource types: ['Storage accounts']
+// Topic: Performance
+StorageBlobLogs
+| where TimeGenerated > ago(3d)
+| top 10 by DurationMs desc
+| project TimeGenerated, OperationName, DurationMs, ServerLatencyMs, ClientLatencyMs = DurationMs - ServerLatencyMs
\ No newline at end of file
diff --git a/Azure Services/Storage accounts/Queries/README b/Azure Services/Storage accounts/Queries/README
new file mode 100644
index 00000000..f121024f
--- /dev/null
+++ b/Azure Services/Storage accounts/Queries/README
@@ -0,0 +1 @@
+Put queries in this folder
\ No newline at end of file
diff --git a/Azure Services/Storage accounts/Workbooks/README b/Azure Services/Storage accounts/Workbooks/README
new file mode 100644
index 00000000..7b19c105
--- /dev/null
+++ b/Azure Services/Storage accounts/Workbooks/README
@@ -0,0 +1 @@
+Put workbooks in this folder
\ No newline at end of file
diff --git a/Azure Services/Stream Analytics jobs/Alerts/README b/Azure Services/Stream Analytics jobs/Alerts/README
new file mode 100644
index 00000000..e7cf202f
--- /dev/null
+++ b/Azure Services/Stream Analytics jobs/Alerts/README
@@ -0,0 +1 @@
+Put alerts in this folder
\ No newline at end of file
diff --git a/Azure Services/Stream Analytics jobs/Queries/Input data Errors/Events that arrived early.txt b/Azure Services/Stream Analytics jobs/Queries/Input data Errors/Events that arrived early.txt
new file mode 100644
index 00000000..e59dd1f0
--- /dev/null
+++ b/Azure Services/Stream Analytics jobs/Queries/Input data Errors/Events that arrived early.txt
@@ -0,0 +1,9 @@
+// Author: Microsoft Azure
+// Display name: Events that arrived early
+// Description: Shows errors due to events where difference between Application time and Arrival time is greater than 5 minutes.
+// Categories: ['resources']
+// Resource types: ['Stream Analytics jobs']
+// Topic: Input data Errors
+AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.STREAMANALYTICS" and parse_json(properties_s).DataErrorType == "EarlyInputEvent"
+| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level
\ No newline at end of file
diff --git a/Azure Services/Stream Analytics jobs/Queries/Input data Errors/Events that arrived late.txt b/Azure Services/Stream Analytics jobs/Queries/Input data Errors/Events that arrived late.txt
new file mode 100644
index 00000000..4688896b
--- /dev/null
+++ b/Azure Services/Stream Analytics jobs/Queries/Input data Errors/Events that arrived late.txt
@@ -0,0 +1,9 @@
+// Author: Microsoft Azure
+// Display name: Events that arrived late
+// Description: Shows errors due to events where difference between application time and arrival time is greater than the late arrival policy.
+// Categories: ['resources']
+// Resource types: ['Stream Analytics jobs']
+// Topic: Input data Errors
+AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.STREAMANALYTICS" and parse_json(properties_s).DataErrorType == "LateInputEvent"
+| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level
\ No newline at end of file
diff --git a/Azure Services/Stream Analytics jobs/Queries/Input data Errors/Events that arrived out of order.txt b/Azure Services/Stream Analytics jobs/Queries/Input data Errors/Events that arrived out of order.txt
new file mode 100644
index 00000000..21857c5c
--- /dev/null
+++ b/Azure Services/Stream Analytics jobs/Queries/Input data Errors/Events that arrived out of order.txt
@@ -0,0 +1,9 @@
+// Author: Microsoft Azure
+// Display name: Events that arrived out of order
+// Description: Shows errors due to events that arrive out of order according to the out-of-order policy.
+// Categories: ['resources']
+// Resource types: ['Stream Analytics jobs']
+// Topic: Input data Errors
+AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.STREAMANALYTICS" and parse_json(properties_s).DataErrorType == "OutOfOrderEvent"
+| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level
\ No newline at end of file
diff --git a/Azure Services/Stream Analytics jobs/Queries/Input data Errors/List all InvalidInputTimeStamp errors.txt b/Azure Services/Stream Analytics jobs/Queries/Input data Errors/List all InvalidInputTimeStamp errors.txt
new file mode 100644
index 00000000..a2de6d02
--- /dev/null
+++ b/Azure Services/Stream Analytics jobs/Queries/Input data Errors/List all InvalidInputTimeStamp errors.txt
@@ -0,0 +1,9 @@
+// Author: Microsoft Azure
+// Display name: List all InvalidInputTimeStamp errors
+// Description: Shows errors caused due to events where value of the TIMESTAMP BY expression can't be converted to datetime.
+// Categories: ['resources']
+// Resource types: ['Stream Analytics jobs']
+// Topic: Input data Errors
+AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.STREAMANALYTICS" and parse_json(properties_s).DataErrorType == "InvalidInputTimeStamp"
+| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level
\ No newline at end of file
diff --git a/Azure Services/Stream Analytics jobs/Queries/Input data Errors/List all InvalidInputTimeStampKey errors.txt b/Azure Services/Stream Analytics jobs/Queries/Input data Errors/List all InvalidInputTimeStampKey errors.txt
new file mode 100644
index 00000000..9336f4a2
--- /dev/null
+++ b/Azure Services/Stream Analytics jobs/Queries/Input data Errors/List all InvalidInputTimeStampKey errors.txt
@@ -0,0 +1,9 @@
+// Author: Microsoft Azure
+// Display name: List all InvalidInputTimeStampKey errors
+// Description: Shows errors caused due to events where value of the TIMESTAMP BY OVER timestampColumn is NULL.
+// Categories: ['resources']
+// Resource types: ['Stream Analytics jobs']
+// Topic: Input data Errors
+AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.STREAMANALYTICS" and parse_json(properties_s).DataErrorType == "InvalidInputTimeStampKey"
+| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level
\ No newline at end of file
diff --git a/Azure Services/Stream Analytics jobs/Queries/Input data Errors/List all input data errors.txt b/Azure Services/Stream Analytics jobs/Queries/Input data Errors/List all input data errors.txt
new file mode 100644
index 00000000..2906c7a1
--- /dev/null
+++ b/Azure Services/Stream Analytics jobs/Queries/Input data Errors/List all input data errors.txt
@@ -0,0 +1,9 @@
+// Author: Microsoft Azure
+// Display name: List all input data errors
+// Description: Shows all errors that occurred while processing the data from inputs.
+// Categories: ['resources']
+// Resource types: ['Stream Analytics jobs']
+// Topic: Input data Errors
+AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.STREAMANALYTICS" and parse_json(properties_s).Type == "DataError"
+| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level
\ No newline at end of file
diff --git a/Azure Services/Stream Analytics jobs/Queries/Input data Errors/List all input deserialization errors.txt b/Azure Services/Stream Analytics jobs/Queries/Input data Errors/List all input deserialization errors.txt
new file mode 100644
index 00000000..0d1ebb46
--- /dev/null
+++ b/Azure Services/Stream Analytics jobs/Queries/Input data Errors/List all input deserialization errors.txt
@@ -0,0 +1,9 @@
+// Author: Microsoft Azure
+// Display name: List all input deserialization errors
+// Description: Shows errors caused due to malformed events that could not be deserialized by the job.
+// Categories: ['resources']
+// Resource types: ['Stream Analytics jobs']
+// Topic: Input data Errors
+AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.STREAMANALYTICS" and parse_json(properties_s).DataErrorType in ("InputDeserializerError.InvalidData", "InputDeserializerError.TypeConversionError", "InputDeserializerError.MissingColumns", "InputDeserializerError.InvalidHeader", "InputDeserializerError.InvalidCompressionType")
+| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level
\ No newline at end of file
diff --git a/Azure Services/Stream Analytics jobs/Queries/Other errors and failures/All logs with level Error.txt b/Azure Services/Stream Analytics jobs/Queries/Other errors and failures/All logs with level Error.txt
new file mode 100644
index 00000000..427a7e4c
--- /dev/null
+++ b/Azure Services/Stream Analytics jobs/Queries/Other errors and failures/All logs with level Error.txt
@@ -0,0 +1,9 @@
+// Author: Microsoft Azure
+// Display name: All logs with level "Error"
+// Description: Shows all logs that are likely to have negatively impacted your job.
+// Categories: ['resources']
+// Resource types: ['Stream Analytics jobs']
+// Topic: Other errors and failures
+AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.STREAMANALYTICS" and Level == "Error"
+| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level
\ No newline at end of file
diff --git a/Azure Services/Stream Analytics jobs/Queries/Other errors and failures/Operations that have Failed.txt b/Azure Services/Stream Analytics jobs/Queries/Other errors and failures/Operations that have Failed.txt
new file mode 100644
index 00000000..758d7330
--- /dev/null
+++ b/Azure Services/Stream Analytics jobs/Queries/Other errors and failures/Operations that have Failed.txt
@@ -0,0 +1,9 @@
+// Author: Microsoft Azure
+// Display name: Operations that have "Failed"
+// Description: Shows all operations on your job that have resulted in a failure.
+// Categories: ['resources']
+// Resource types: ['Stream Analytics jobs']
+// Topic: Other errors and failures
+AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.STREAMANALYTICS" and status_s == "Failed"
+| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level
\ No newline at end of file
diff --git a/Azure Services/Stream Analytics jobs/Queries/Other errors and failures/Output Throttling logs Cosmos DB Power BI Event Hubs.txt b/Azure Services/Stream Analytics jobs/Queries/Other errors and failures/Output Throttling logs Cosmos DB Power BI Event Hubs.txt
new file mode 100644
index 00000000..4b0094aa
--- /dev/null
+++ b/Azure Services/Stream Analytics jobs/Queries/Other errors and failures/Output Throttling logs Cosmos DB Power BI Event Hubs.txt
@@ -0,0 +1,9 @@
+// Author: Microsoft Azure
+// Display name: Output Throttling logs (Cosmos DB, Power BI, Event Hubs)
+// Description: Shows all instances where writing to one of your outputs was throttled by the destination service.
+// Categories: ['resources']
+// Resource types: ['Stream Analytics jobs']
+// Topic: Other errors and failures
+AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.STREAMANALYTICS" and parse_json(properties_s).Type in ("DocumentDbOutputAdapterWriteThrottlingError", "EventHubOutputAdapterEventHubThrottlingError", "PowerBIServiceThrottlingError", "PowerBIServiceThrottlingError")
+| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level
\ No newline at end of file
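Review bot: The `in (...)` list on the `where` line of the Output Throttling query names `"PowerBIServiceThrottlingError"` twice, so only three distinct error types are actually matched although the display name lists Cosmos DB, Power BI and Event Hubs. The duplicate looks like a copy-paste slip where a fourth type was meant; either drop it or replace the second occurrence with the intended type. A short comment mapping each literal to its output would let the next reader check the list, e.g. `// throttling types: Cosmos DB, Event Hubs, Power BI`.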
diff --git a/Azure Services/Stream Analytics jobs/Queries/Other errors and failures/Summary of Failed operations in the last 7 days.txt b/Azure Services/Stream Analytics jobs/Queries/Other errors and failures/Summary of Failed operations in the last 7 days.txt
new file mode 100644
index 00000000..195a678e
--- /dev/null
+++ b/Azure Services/Stream Analytics jobs/Queries/Other errors and failures/Summary of Failed operations in the last 7 days.txt
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Summary of 'Failed' operations in the last 7 days
+// Description: Summary of 'Failed' operations in the last 7 days.
+// Categories: ['resources']
+// Resource types: ['Stream Analytics jobs']
+// Topic: Other errors and failures
+AzureDiagnostics
+| where TimeGenerated > ago(7d) //last 7 days
+| where ResourceProvider == "MICROSOFT.STREAMANALYTICS" and status_s == "Failed"
+| summarize Count=count(), sampleEvent=any(properties_s) by JobName=Resource
\ No newline at end of file
diff --git a/Azure Services/Stream Analytics jobs/Queries/Other errors and failures/Summary of all data errors in the last 7 days.txt b/Azure Services/Stream Analytics jobs/Queries/Other errors and failures/Summary of all data errors in the last 7 days.txt
new file mode 100644
index 00000000..2aba83f1
--- /dev/null
+++ b/Azure Services/Stream Analytics jobs/Queries/Other errors and failures/Summary of all data errors in the last 7 days.txt
@@ -0,0 +1,11 @@
+// Author: Microsoft Azure
+// Display name: Summary of all data errors in the last 7 days
+// Description: Summary of all data errors in the last 7 days.
+// Categories: ['resources']
+// Resource types: ['Stream Analytics jobs']
+// Topic: Other errors and failures
+AzureDiagnostics
+| where TimeGenerated > ago(7d) //last 7 days
+| where ResourceProvider == "MICROSOFT.STREAMANALYTICS" and parse_json(properties_s).Type == "DataError"
+| extend DataErrorType = tostring(parse_json(properties_s).DataErrorType)
+| summarize Count=count(), sampleEvent=any(properties_s) by DataErrorType, JobName=Resource
\ No newline at end of file
diff --git a/Azure Services/Stream Analytics jobs/Queries/Other errors and failures/Summary of all errors in the last 7 days.txt b/Azure Services/Stream Analytics jobs/Queries/Other errors and failures/Summary of all errors in the last 7 days.txt
new file mode 100644
index 00000000..6b3531e0
--- /dev/null
+++ b/Azure Services/Stream Analytics jobs/Queries/Other errors and failures/Summary of all errors in the last 7 days.txt
@@ -0,0 +1,11 @@
+// Author: Microsoft Azure
+// Display name: Summary of all errors in the last 7 days
+// Description: Summary of all errors in the last 7 days.
+// Categories: ['resources']
+// Resource types: ['Stream Analytics jobs']
+// Topic: Other errors and failures
+AzureDiagnostics
+| where TimeGenerated > ago(7d) //last 7 days
+| where ResourceProvider == "MICROSOFT.STREAMANALYTICS"
+| extend ErrorType = tostring(parse_json(properties_s).Type)
+| summarize Count=count(), sampleEvent=any(properties_s) by ErrorType, JobName=Resource
\ No newline at end of file
diff --git a/Azure Services/Stream Analytics jobs/Queries/Other errors and failures/Transient input and output errors.txt b/Azure Services/Stream Analytics jobs/Queries/Other errors and failures/Transient input and output errors.txt
new file mode 100644
index 00000000..5e1ab62b
--- /dev/null
+++ b/Azure Services/Stream Analytics jobs/Queries/Other errors and failures/Transient input and output errors.txt
@@ -0,0 +1,9 @@
+// Author: Microsoft Azure
+// Display name: Transient input and output errors
+// Description: Shows all errors related to input and output that are intermittent in nature.
+// Categories: ['resources']
+// Resource types: ['Stream Analytics jobs']
+// Topic: Other errors and failures
+AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.STREAMANALYTICS" and parse_json(properties_s).Type in ("AzureFunctionOutputAdapterTransientError", "BlobInputAdapterTransientError", "DataLakeOutputAdapterTransientError", "DocumentDbOutputAdapterTransientError", "EdgeHubOutputAdapterEdgeHubTransientError", "EventHubBasedInputInvalidOperationTransientError", "EventHubBasedInputOperationCanceledTransientError", "EventHubBasedInputTimeoutTransientError", "EventHubBasedInputTransientError", "EventHubOutputAdapterEventHubTransientError", "InputProcessorTransientFailure", "OutputProcessorTransientError", "ReferenceDataInputAdapterTransientError", "ServiceBusOutputAdapterTransientError", "TableOutputAdapterTransientError")
+| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level
\ No newline at end of file
diff --git a/Azure Services/Stream Analytics jobs/Queries/Output data errors/All output data errors.txt b/Azure Services/Stream Analytics jobs/Queries/Output data errors/All output data errors.txt
new file mode 100644
index 00000000..bfc063b0
--- /dev/null
+++ b/Azure Services/Stream Analytics jobs/Queries/Output data errors/All output data errors.txt
@@ -0,0 +1,9 @@
+// Author: Microsoft Azure
+// Display name: All output data errors
+// Description: Shows all errors that occurred while writing the results of the query to the outputs in your job.
+// Categories: ['resources']
+// Resource types: ['Stream Analytics jobs']
+// Topic: Output data errors
+AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.STREAMANALYTICS" and parse_json(properties_s).DataErrorType in ("OutputDataConversionError.RequiredColumnMissing", "OutputDataConversionError.ColumnNameInvalid", "OutputDataConversionError.TypeConversionError", "OutputDataConversionError.RecordExceededSizeLimit", "OutputDataConversionError.DuplicateKey")
+| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level
\ No newline at end of file
diff --git a/Azure Services/Stream Analytics jobs/Queries/Output data errors/List all ColumnNameInvalid errors.txt b/Azure Services/Stream Analytics jobs/Queries/Output data errors/List all ColumnNameInvalid errors.txt
new file mode 100644
index 00000000..21bd9f2a
--- /dev/null
+++ b/Azure Services/Stream Analytics jobs/Queries/Output data errors/List all ColumnNameInvalid errors.txt
@@ -0,0 +1,9 @@
+// Author: Microsoft Azure
+// Display name: List all ColumnNameInvalid errors
+// Description: Shows errors where the output record produced by your job has a column name that doesn't map to a column in your output.
+// Categories: ['resources']
+// Resource types: ['Stream Analytics jobs']
+// Topic: Output data errors
+AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.STREAMANALYTICS" and parse_json(properties_s).DataErrorType == "OutputDataConversionError.ColumnNameInvalid"
+| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level
\ No newline at end of file
diff --git a/Azure Services/Stream Analytics jobs/Queries/Output data errors/List all DuplicateKey errors.txt b/Azure Services/Stream Analytics jobs/Queries/Output data errors/List all DuplicateKey errors.txt
new file mode 100644
index 00000000..56cad015
--- /dev/null
+++ b/Azure Services/Stream Analytics jobs/Queries/Output data errors/List all DuplicateKey errors.txt
@@ -0,0 +1,9 @@
+// Author: Microsoft Azure
+// Display name: List all DuplicateKey errors
+// Description: Shows errors where the output record produced by job contains a column with the same name as a System column.
+// Categories: ['resources']
+// Resource types: ['Stream Analytics jobs']
+// Topic: Output data errors
+AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.STREAMANALYTICS" and parse_json(properties_s).DataErrorType == "OutputDataConversionError.DuplicateKey"
+| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level
\ No newline at end of file
diff --git a/Azure Services/Stream Analytics jobs/Queries/Output data errors/List all RecordExceededSizeLimit errors.txt b/Azure Services/Stream Analytics jobs/Queries/Output data errors/List all RecordExceededSizeLimit errors.txt
new file mode 100644
index 00000000..b0c8e928
--- /dev/null
+++ b/Azure Services/Stream Analytics jobs/Queries/Output data errors/List all RecordExceededSizeLimit errors.txt
@@ -0,0 +1,9 @@
+// Author: Microsoft Azure
+// Display name: List all RecordExceededSizeLimit errors
+// Description: Shows errors where the size of the output record produced by your job is greater than the supported output size.
+// Categories: ['resources']
+// Resource types: ['Stream Analytics jobs']
+// Topic: Output data errors
+AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.STREAMANALYTICS" and parse_json(properties_s).DataErrorType == "OutputDataConversionError.RecordExceededSizeLimit"
+| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level
\ No newline at end of file
diff --git a/Azure Services/Stream Analytics jobs/Queries/Output data errors/List all RequiredColumnMissing errors.txt b/Azure Services/Stream Analytics jobs/Queries/Output data errors/List all RequiredColumnMissing errors.txt
new file mode 100644
index 00000000..61012931
--- /dev/null
+++ b/Azure Services/Stream Analytics jobs/Queries/Output data errors/List all RequiredColumnMissing errors.txt
@@ -0,0 +1,9 @@
+// Author: Microsoft Azure
+// Display name: List all RequiredColumnMissing errors
+// Description: Shows all errors where the output record produced by your job has a missing column.
+// Categories: ['resources']
+// Resource types: ['Stream Analytics jobs']
+// Topic: Output data errors
+AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.STREAMANALYTICS" and parse_json(properties_s).DataErrorType == "OutputDataConversionError.RequiredColumnMissing"
+| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level
\ No newline at end of file
diff --git a/Azure Services/Stream Analytics jobs/Queries/Output data errors/List all TypeConversionError errors.txt b/Azure Services/Stream Analytics jobs/Queries/Output data errors/List all TypeConversionError errors.txt
new file mode 100644
index 00000000..c22ba5a8
--- /dev/null
+++ b/Azure Services/Stream Analytics jobs/Queries/Output data errors/List all TypeConversionError errors.txt
@@ -0,0 +1,9 @@
+// Author: Microsoft Azure
+// Display name: List all TypeConversionError errors
+// Description: Shows errors where the output record produced by your job has a column can't be converted to a valid type in the output.
+// Categories: ['resources']
+// Resource types: ['Stream Analytics jobs']
+// Topic: Output data errors
+AzureDiagnostics
+| where ResourceProvider == "MICROSOFT.STREAMANALYTICS" and parse_json(properties_s).DataErrorType == "OutputDataConversionError.TypeConversionError"
+| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level
\ No newline at end of file
diff --git a/Azure Services/Stream Analytics jobs/Queries/README b/Azure Services/Stream Analytics jobs/Queries/README
new file mode 100644
index 00000000..f121024f
--- /dev/null
+++ b/Azure Services/Stream Analytics jobs/Queries/README
@@ -0,0 +1 @@
+Put queries in this folder
\ No newline at end of file
diff --git a/Azure Services/Stream Analytics jobs/Workbooks/README b/Azure Services/Stream Analytics jobs/Workbooks/README
new file mode 100644
index 00000000..7b19c105
--- /dev/null
+++ b/Azure Services/Stream Analytics jobs/Workbooks/README
@@ -0,0 +1 @@
+Put workbooks in this folder
\ No newline at end of file
diff --git a/Azure Services/Traffic Manager profiles/Alerts/README b/Azure Services/Traffic Manager profiles/Alerts/README
new file mode 100644
index 00000000..e7cf202f
--- /dev/null
+++ b/Azure Services/Traffic Manager profiles/Alerts/README
@@ -0,0 +1 @@
+Put alerts in this folder
\ No newline at end of file
diff --git a/Azure Services/Traffic Manager profiles/Queries/Diagnostics/Endpoints with monitoring Status down.txt b/Azure Services/Traffic Manager profiles/Queries/Diagnostics/Endpoints with monitoring Status down.txt
new file mode 100644
index 00000000..1d2ef992
--- /dev/null
+++ b/Azure Services/Traffic Manager profiles/Queries/Diagnostics/Endpoints with monitoring Status down.txt
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Endpoints with monitoring Status down
+// Description: Find the reason why the monitoring status of Azure Traffic Manager endpoints is down.
+// Categories: ['network']
+// Resource types: ['Traffic Manager profiles']
+// Topic: Diagnostics
+AzureDiagnostics
+| where ResourceType == "TRAFFICMANAGERPROFILES" and Category == "ProbeHealthStatusEvents"
+| where Status_s == "Down"
+| project TimeGenerated, EndpointName_s, Status_s, ResultDescription, SubscriptionId , _ResourceId
\ No newline at end of file
diff --git a/Azure Services/Traffic Manager profiles/Queries/README b/Azure Services/Traffic Manager profiles/Queries/README
new file mode 100644
index 00000000..f121024f
--- /dev/null
+++ b/Azure Services/Traffic Manager profiles/Queries/README
@@ -0,0 +1 @@
+Put queries in this folder
\ No newline at end of file
diff --git a/Azure Services/Traffic Manager profiles/Workbooks/README b/Azure Services/Traffic Manager profiles/Workbooks/README
new file mode 100644
index 00000000..7b19c105
--- /dev/null
+++ b/Azure Services/Traffic Manager profiles/Workbooks/README
@@ -0,0 +1 @@
+Put workbooks in this folder
\ No newline at end of file
diff --git a/Azure Services/Virtual machines/Alerts/README b/Azure Services/Virtual machines/Alerts/README
new file mode 100644
index 00000000..e7cf202f
--- /dev/null
+++ b/Azure Services/Virtual machines/Alerts/README
@@ -0,0 +1 @@
+Put alerts in this folder
\ No newline at end of file
diff --git a/Azure Services/Virtual machines/Queries/Availability/Not reporting VMs.txt b/Azure Services/Virtual machines/Queries/Availability/Not reporting VMs.txt
new file mode 100644
index 00000000..4ce9de8c
--- /dev/null
+++ b/Azure Services/Virtual machines/Queries/Availability/Not reporting VMs.txt
@@ -0,0 +1,9 @@
+// Author: Microsoft Azure
+// Display name: Not reporting VMs
+// Description: VMs that have not reported a heartbeat in the last 5 minutes.
+// Categories: ['virtualmachines']
+// Resource types: ['Virtual machines']
+// Topic: Availability
+Heartbeat
+| summarize LastCall = max(TimeGenerated) by Computer
+| where LastCall < ago(5m)
diff --git a/Azure Services/Virtual machines/Queries/Availability/Shut down Virtual Machines.txt b/Azure Services/Virtual machines/Queries/Availability/Shut down Virtual Machines.txt
new file mode 100644
index 00000000..3d714b62
--- /dev/null
+++ b/Azure Services/Virtual machines/Queries/Availability/Shut down Virtual Machines.txt
@@ -0,0 +1,9 @@
+// Author: Microsoft Azure
+// Display name: Shut down Virtual Machines
+// Description: Virtual Machines successfully shut down in the last 10 minutes.
+// Categories: ['virtualmachines']
+// Resource types: ['Virtual machines']
+// Topic: Availability
+AzureActivity
+| where TimeGenerated > ago(10m)
+| where OperationName == "Deallocate Virtual Machine" and ActivityStatus == "Succeeded"
diff --git a/Azure Services/Virtual machines/Queries/Availability/Track VM availability.txt b/Azure Services/Virtual machines/Queries/Availability/Track VM availability.txt
new file mode 100644
index 00000000..76328fa9
--- /dev/null
+++ b/Azure Services/Virtual machines/Queries/Availability/Track VM availability.txt
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Track VM availability
+// Description: Display the VM's reported availability during the last day.
+// Categories: ['virtualmachines']
+// Resource types: ['Virtual machines']
+// Topic: Availability
+Heartbeat
+| summarize heartbeat_count = count() by bin(TimeGenerated, 30m) // bin is used to set the time grain to 30 minutes
+| extend alive=iff(heartbeat_count > 0, true, false)
+| sort by TimeGenerated asc // sort the results by time (ascending order)
\ No newline at end of file
diff --git a/Azure Services/Virtual machines/Queries/Diagnostics/Automatic update configuration is disabled.txt b/Azure Services/Virtual machines/Queries/Diagnostics/Automatic update configuration is disabled.txt
new file mode 100644
index 00000000..f04e2191
--- /dev/null
+++ b/Azure Services/Virtual machines/Queries/Diagnostics/Automatic update configuration is disabled.txt
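Review bot: In the Track VM availability query `alive` can never be false: `summarize heartbeat_count = count() by bin(TimeGenerated, 30m)` only produces bins that contain at least one heartbeat, so every row already satisfies `heartbeat_count > 0` and the 30-minute gaps the query is meant to surface are simply absent from the output rather than flagged. The query also carries no time filter of its own although the description promises the last day, and it aggregates all computers together, so a heartbeat from any machine keeps a bin alive. A zero-filled series per computer gives the intended result: `Heartbeat | make-series heartbeat_count = count() default=0 on TimeGenerated from ago(1d) to now() step 30m by Computer | mv-expand TimeGenerated to typeof(datetime), heartbeat_count to typeof(long) | extend alive = heartbeat_count > 0`.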
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Automatic update configuration is disabled
+// Description: Computers with automatic update disabled.
+// Categories: ['management']
+// Resource types: ['Virtual machines']
+// Solutions: ['Updates']
+// Topic: Diagnostics
+UpdateSummary
+| where WindowsUpdateSetting == "Manual"
+| sort by TimeGenerated desc
\ No newline at end of file
diff --git a/Azure Services/Virtual machines/Queries/Diagnostics/Automatic update configuration.txt b/Azure Services/Virtual machines/Queries/Diagnostics/Automatic update configuration.txt
new file mode 100644
index 00000000..cef389ff
--- /dev/null
+++ b/Azure Services/Virtual machines/Queries/Diagnostics/Automatic update configuration.txt
@@ -0,0 +1,9 @@
+// Author: Microsoft Azure
+// Display name: Automatic update configuration
+// Description: Automatic update configuration.
+// Categories: ['management']
+// Resource types: ['Virtual machines']
+// Solutions: ['Updates']
+// Topic: Diagnostics
+UpdateSummary
+| summarize AggregatedValue = count() by WindowsUpdateSetting
\ No newline at end of file
diff --git a/Azure Services/Virtual machines/Queries/Diagnostics/Computer with missing updates.txt b/Azure Services/Virtual machines/Queries/Diagnostics/Computer with missing updates.txt
new file mode 100644
index 00000000..171c4f0e
--- /dev/null
+++ b/Azure Services/Virtual machines/Queries/Diagnostics/Computer with missing updates.txt
@@ -0,0 +1,11 @@
+// Author: Microsoft Azure
+// Display name: Computer with missing updates
+// Description: All computers with missing updates.
+// Categories: ['management']
+// Resource types: ['Virtual machines']
+// Solutions: ['Updates']
+// Topic: Diagnostics
+Update
+|where OSType != "Linux" and UpdateState == "Needed" and Optional == "false"
+| project Computer, Title, KBID, Classification, UpdateSeverity, PublishedDate
+| sort by TimeGenerated desc
\ No newline at end of file
diff --git a/Azure Services/Virtual machines/Queries/Diagnostics/Distinct missing updates cross computers.txt b/Azure Services/Virtual machines/Queries/Diagnostics/Distinct missing updates cross computers.txt
new file mode 100644
index 00000000..e7b2a924
--- /dev/null
+++ b/Azure Services/Virtual machines/Queries/Diagnostics/Distinct missing updates cross computers.txt
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Distinct missing updates cross computers
+// Description: Distinct missing updates across all computers.
+// Categories: ['management']
+// Resource types: ['Virtual machines']
+// Solutions: ['Updates']
+// Topic: Diagnostics
+Update
+| where OSType != "Linux" and UpdateState == "Needed" and Optional == "false"
+| distinct Title
\ No newline at end of file
diff --git a/Azure Services/Virtual machines/Queries/Diagnostics/Find Linux kernel events.txt b/Azure Services/Virtual machines/Queries/Diagnostics/Find Linux kernel events.txt
new file mode 100644
index 00000000..4fa66ea5
--- /dev/null
+++ b/Azure Services/Virtual machines/Queries/Diagnostics/Find Linux kernel events.txt
@@ -0,0 +1,8 @@
+// Author: Microsoft Azure
+// Display name: Find Linux kernel events
+// Description: Find events reported by Linux kernel process, regarding killed processes.
+// Categories: ['virtualmachines']
+// Resource types: ['Virtual machines']
+// Topic: Diagnostics
+Syslog
+| where ProcessName == "kernel" and SyslogMessage contains "Killed process"
\ No newline at end of file
diff --git a/Azure Services/Virtual machines/Queries/Diagnostics/Malware detection.txt b/Azure Services/Virtual machines/Queries/Diagnostics/Malware detection.txt
new file mode 100644
index 00000000..c1eed993
--- /dev/null
+++ b/Azure Services/Virtual machines/Queries/Diagnostics/Malware detection.txt
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Malware detection
+// Description: Malware detected grouped by threat.
+// Categories: ['security']
+// Resource types: ['Virtual machines']
+// Solutions: ['AntiMalware']
+// Topic: Diagnostics
+ProtectionStatus
+| where ThreatStatus != "No threats detected"
+| summarize AggregatedValue = count() by Threat
\ No newline at end of file
diff --git a/Azure Services/Virtual machines/Queries/Diagnostics/Missing critical security updates.txt b/Azure Services/Virtual machines/Queries/Diagnostics/Missing critical security updates.txt
new file mode 100644
index 00000000..e29bb492
--- /dev/null
+++ b/Azure Services/Virtual machines/Queries/Diagnostics/Missing critical security updates.txt
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Missing critical security updates
+// Description: All computers that are missing critical updates or security updates.
+// Categories: ['management']
+// Resource types: ['Virtual machines']
+// Solutions: ['Updates']
+// Topic: Diagnostics
+Update
+|where OSType != "Linux" and UpdateState == "Needed" and Optional == "false" and (Classification == "Security Updates" or Classification == "Critical Updates")
+| sort by TimeGenerated desc
\ No newline at end of file
diff --git a/Azure Services/Virtual machines/Queries/Diagnostics/Missing required updates for server.txt b/Azure Services/Virtual machines/Queries/Diagnostics/Missing required updates for server.txt
new file mode 100644
index 00000000..5d10dc6d
--- /dev/null
+++ b/Azure Services/Virtual machines/Queries/Diagnostics/Missing required updates for server.txt
@@ -0,0 +1,12 @@
+// Author: Microsoft Azure
+// Display name: Missing required updates for server
+// Description: Missing updates for a specific computer "ComputerName" (replace with your own computer name).
+// Categories: ['management']
+// Resource types: ['Virtual machines']
+// Solutions: ['Updates']
+// Topic: Diagnostics
+let ComputerName = "Enter your computer name here";
+Update
+|where OSType != "Linux" and UpdateState == "Needed" and Optional == "false" and Computer == ComputerName
+| project Computer, Title, KBID, Product, UpdateSeverity, PublishedDate
+| sort by TimeGenerated desc
\ No newline at end of file
diff --git a/Azure Services/Virtual machines/Queries/Diagnostics/Missing security or critical where update is manual.txt b/Azure Services/Virtual machines/Queries/Diagnostics/Missing security or critical where update is manual.txt
new file mode 100644
index 00000000..837bfb17
--- /dev/null
+++ b/Azure Services/Virtual machines/Queries/Diagnostics/Missing security or critical where update is manual.txt
@@ -0,0 +1,12 @@
+// Author: Microsoft Azure
+// Display name: Missing security or critical where update is manual
+// Description: Critical or security updates needed by machines where updates are manually applied.
+// Categories: ['management']
+// Resource types: ['Virtual machines']
+// Solutions: ['Updates']
+// Topic: Diagnostics
+Update
+|where OSType != "Linux" and UpdateState == "Needed" and Optional == "false"
+|where (Classification == "Security Updates" or Classification == "Critical Updates")
+| join kind=inner (UpdateSummary |where WindowsUpdateSetting == "Manual" |distinct Computer) on Computer
+| distinct KBID
\ No newline at end of file
diff --git a/Azure Services/Virtual machines/Queries/Diagnostics/Missing update rollups.txt b/Azure Services/Virtual machines/Queries/Diagnostics/Missing update rollups.txt
new file mode 100644
index 00000000..9c1ed286
--- /dev/null
+++ b/Azure Services/Virtual machines/Queries/Diagnostics/Missing update rollups.txt
@@ -0,0 +1,11 @@
+// Author: Microsoft Azure
+// Display name: Missing update rollups
+// Description: All computers with missing update rollups.
+// Categories: ['management']
+// Resource types: ['Virtual machines']
+// Solutions: ['Updates']
+// Topic: Diagnostics
+Update
+| where OSType != "Linux" and Optional == "false" and Classification == "Update Rollups" and UpdateState == "Needed"
+| project Computer, Title, KBID, Classification, UpdateSeverity, PublishedDate
+| sort by TimeGenerated desc
\ No newline at end of file
diff --git a/Azure Services/Virtual machines/Queries/Diagnostics/Missing update specific product.txt b/Azure Services/Virtual machines/Queries/Diagnostics/Missing update specific product.txt
new file mode 100644
index 00000000..2a96b9b1
--- /dev/null
+++ b/Azure Services/Virtual machines/Queries/Diagnostics/Missing update specific product.txt
@@ -0,0 +1,9 @@
+// Author: Microsoft Azure
+// Display name: Missing update specific product
+// Description: WSUS computer membership.
+// Categories: ['management']
+// Resource types: ['Virtual machines']
+// Solutions: ['Updates']
+// Topic: Diagnostics
+UpdateSummary
+| summarize AggregatedValue = count() by WSUSServer
\ No newline at end of file
diff --git a/Azure Services/Virtual machines/Queries/Diagnostics/Protection Status updates.txt b/Azure Services/Virtual machines/Queries/Diagnostics/Protection Status updates.txt
new file mode 100644
index 00000000..c79b4b16
--- /dev/null
+++ b/Azure Services/Virtual machines/Queries/Diagnostics/Protection Status updates.txt
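Review bot: The display name `Missing update specific product` in the second hunk here does not describe its query: the description says `WSUS computer membership` and the body `UpdateSummary | summarize AggregatedValue = count() by WSUSServer` counts computers per WSUS server and never looks at missing updates or products. Either rename the file and set `// Display name: WSUS computer membership`, or, if a per-product missing-update query was intended, rewrite the body against the `Update` table the way the neighbouring queries in this folder do. As committed, a user picking the query from the gallery by its name gets an unrelated result.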
@@ -0,0 +1,10 @@ +// Author: Microsoft Azure +// Display name: Protection Status updates +// Description: Protection Status updates per day. +// Categories: ['security'] +// Resource types: ['Virtual machines'] +// Solutions: ['AntiMalware'] +// Topic: Diagnostics +ProtectionStatus +| summarize AggregatedValue = count(ScanDate) by bin(TimeGenerated, 1d) +| sort by TimeGenerated desc \ No newline at end of file diff --git a/Azure Services/Virtual machines/Queries/Diagnostics/Search in multiple tables.txt b/Azure Services/Virtual machines/Queries/Diagnostics/Search in multiple tables.txt new file mode 100644 index 00000000..dd5180d1 --- /dev/null +++ b/Azure Services/Virtual machines/Queries/Diagnostics/Search in multiple tables.txt @@ -0,0 +1,8 @@ +// Author: Microsoft Azure +// Display name: Search in multiple tables +// Description: Search both Syslog and Event tables for the term "login". +// Categories: ['virtualmachines'] +// Resource types: ['Virtual machines'] +// Topic: Diagnostics +search in (Syslog, Event) "login" +| where TimeGenerated > ago(1h) // return records from the last hour \ No newline at end of file diff --git a/Azure Services/Virtual machines/Queries/Diagnostics/Show the trend of a selected event.txt b/Azure Services/Virtual machines/Queries/Diagnostics/Show the trend of a selected event.txt new file mode 100644 index 00000000..f5288a21 --- /dev/null +++ b/Azure Services/Virtual machines/Queries/Diagnostics/Show the trend of a selected event.txt 
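Review bot: In "Search in multiple tables" the time filter is applied after `search in (Syslog, Event) "login"`, so as written the search is expressed over the whole retention period before the `where TimeGenerated > ago(1h)` discards all but the last hour; putting the time bound into the search predicate, `search in (Syslog, Event) TimeGenerated > ago(1h) and "login"`, makes the intent explicit regardless of how much the engine pushes down. Worth a comment that `search "login"` is a term match, not a substring match, so values such as `logins` or `LoginFailed` are not hit unless a wildcard form like `"*login*"` is used. A note that `search` across tables is expensive and meant for ad-hoc exploration, not scheduled alerts, would also fit this "Diagnostics" example.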
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Show the trend of a selected event
+// Description: Chart how many times an event was reported along the last day.
+// Categories: ['virtualmachines']
+// Resource types: ['Virtual machines']
+// Topic: Diagnostics
+Event
+| where EventID == 9642 // this ID indicates a specific SQL server error occurred
+| summarize count() by bin_at(TimeGenerated, 1h, ago(24h)) // bin_at is used to set the time grain to 1 hour, starting exactly 24 hours ago
+| render barchart
\ No newline at end of file
diff --git a/Azure Services/Virtual machines/Queries/Diagnostics/Signatures out of date.txt b/Azure Services/Virtual machines/Queries/Diagnostics/Signatures out of date.txt
new file mode 100644
index 00000000..1225d230
--- /dev/null
+++ b/Azure Services/Virtual machines/Queries/Diagnostics/Signatures out of date.txt
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Signatures out of date
+// Description: Devices with Signatures out of date.
+// Categories: ['security']
+// Resource types: ['Virtual machines']
+// Solutions: ['AntiMalware']
+// Topic: Diagnostics
+ProtectionStatus
+| summarize Rank = max(ProtectionStatusRank) by Computer
+| where Rank == "250"
\ No newline at end of file
diff --git a/Azure Services/Virtual machines/Queries/Diagnostics/Stopped Windows services.txt b/Azure Services/Virtual machines/Queries/Diagnostics/Stopped Windows services.txt
new file mode 100644
index 00000000..0bbcfdce
--- /dev/null
+++ b/Azure Services/Virtual machines/Queries/Diagnostics/Stopped Windows services.txt
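Review bot: `bin_at(TimeGenerated, 1h, ago(24h))` in "Show the trend of a selected event" only fixes the bin alignment; it does not restrict the rows to the last day, so the chart covers the entire retention period despite the description. Add `| where TimeGenerated > ago(24h)` before the summarize. The comment `this ID indicates a specific SQL server error occurred` on 9642 should name the provider it applies to, since EventID values are only meaningful per event source — e.g. `| where Source == "MSSQLSERVER" and EventID == 9642` if that is the intended provider, which I cannot confirm from here.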
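Review bot: `summarize Rank = max(ProtectionStatusRank) by Computer` in "Signatures out of date" takes the worst rank ever recorded for each computer, so a device whose signatures were stale once stays on this list until the data ages out; the current state is `| summarize arg_max(TimeGenerated, ProtectionStatusRank) by Computer`, ideally after `| where TimeGenerated > ago(1d)`. `Rank == "250"` compares against a string while `max()` of a numeric column yields a number — if `ProtectionStatusRank` is numeric this should be `== 250` (confirm the column type). The magic value deserves a comment naming what it stands for, e.g. `// 250 = signatures out of date (ProtectionStatusRank)`, as the other queries in this patch do for event IDs.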
@@ -0,0 +1,10 @@ +// Author: Microsoft Azure +// Display name: Stopped Windows services +// Description: Find all windows services that stopped in the last 30 minutes. +// Categories: ['virtualmachines'] +// Resource types: ['Virtual machines'] +// Topic: Diagnostics +ConfigurationChange // (relies on the Change Tracking solution): +| where ConfigChangeType == "WindowsServices" and SvcChangeType == "State" +| where SvcPreviousState == "Running" and SvcState == "Stopped" +| where SvcStartupType == "Auto" and TimeGenerated > ago(30m) \ No newline at end of file diff --git a/Azure Services/Virtual machines/Queries/Diagnostics/Using wildcards.txt b/Azure Services/Virtual machines/Queries/Diagnostics/Using wildcards.txt new file mode 100644 index 00000000..47fd7ce4 --- /dev/null +++ b/Azure Services/Virtual machines/Queries/Diagnostics/Using wildcards.txt @@ -0,0 +1,8 @@ +// Author: Microsoft Azure +// Display name: Using wild-cards +// Description: Search for terms that follow the pattern "corp*.com". +// Categories: ['virtualmachines'] +// Resource types: ['Virtual machines'] +// Topic: Diagnostics +search in (Event) "corp*.com" // Search terms that follow the pattern "corp"-something-".com", such as "corp.mydomain.com" +| take 50 // return only 50 results (not guaranteed to be the latest) \ No newline at end of file diff --git a/Azure Services/Virtual machines/Queries/Errors/Error event on computer missing security co critical update.txt b/Azure Services/Virtual machines/Queries/Errors/Error event on computer missing security co critical update.txt new file mode 100644 index 00000000..dbac426b --- /dev/null +++ b/Azure Services/Virtual machines/Queries/Errors/Error event on computer missing security co critical update.txt 
@@ -0,0 +1,11 @@ +// Author: Microsoft Azure +// Display name: Error event on computer missing security co critical update +// Description: Error events for machines that are missing critical or security required updates. +// Categories: ['management'] +// Resource types: ['Virtual machines'] +// Solutions: ['Updates'] +// Topic: Errors +Event +| where EventLevelName == "error" + | join kind=inner (Update |where (Classification == "Security Updates" or Classification == "Critical Updates") and UpdateState == "Needed" and Optional == "false" | distinct Computer) on Computer + | sort by TimeGenerated desc \ No newline at end of file diff --git a/Azure Services/Virtual machines/Queries/Errors/Reported errors.txt b/Azure Services/Virtual machines/Queries/Errors/Reported errors.txt new file mode 100644 index 00000000..ced06655 --- /dev/null +++ b/Azure Services/Virtual machines/Queries/Errors/Reported errors.txt @@ -0,0 +1,10 @@ +// Author: Microsoft Azure +// Display name: Reported errors +// Description: Show error events from the last hour. +// Categories: ['virtualmachines'] +// Resource types: ['Virtual machines'] +// Topic: Errors +union Event, Syslog // Event table stores Windows event records, Syslog stores Linux records +| where TimeGenerated > ago(1h) +| where EventLevelName == "Error" // EventLevelName is used in the Event (Windows) records +or SeverityLevel== "err" // SeverityLevel is used in Syslog (Linux) records \ No newline at end of file diff --git a/Azure Services/Virtual machines/Queries/Performance/Bottom 10 Free disk space .txt b/Azure Services/Virtual machines/Queries/Performance/Bottom 10 Free disk space .txt new file mode 100644 index 00000000..9271deb3 --- /dev/null +++ b/Azure Services/Virtual machines/Queries/Performance/Bottom 10 Free disk space .txt 
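Review bot: `EventLevelName == "error"` in "Error event on computer missing security co critical update" is a case-sensitive comparison, and the "Reported errors" query added in the same patch filters the same column with `"Error"`; if the stored value is `Error`, this join returns nothing. Use `| where EventLevelName =~ "error"` or match the other query's casing. The joined `Update` side has no time window, so every computer that ever had a security/critical update Needed is matched; `| where TimeGenerated > ago(1d)` inside the join subquery limits it to the current scan. The display name also reads `security co critical` where `security or critical` is meant.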
@@ -0,0 +1,12 @@ +// Author: Microsoft Azure +// Display name: Bottom 10 Free disk space % +// Description: Bottom 10 Free disk space % by computer, for the last 7 days. +// Categories: ['virtualmachines'] +// Resource types: ['Virtual machines'] +// Topic: Performance +Perf +| where TimeGenerated > ago(7d) +| where (ObjectName == "Logical Disk" or ObjectName == "LogicalDisk") and CounterName contains "%" and InstanceName != "_Total" and InstanceName != "HarddiskVolume1" +| project TimeGenerated, Computer, ObjectName, CounterName, InstanceName, CounterValue +| summarize arg_max(TimeGenerated, *) by Computer +| top 10 by CounterValue desc \ No newline at end of file diff --git a/Azure Services/Virtual machines/Queries/Performance/Chart CPU usage trends.txt b/Azure Services/Virtual machines/Queries/Performance/Chart CPU usage trends.txt new file mode 100644 index 00000000..7e5b69b6 --- /dev/null +++ b/Azure Services/Virtual machines/Queries/Performance/Chart CPU usage trends.txt @@ -0,0 +1,14 @@ +// Author: Microsoft Azure +// Display name: Chart CPU usage trends +// Description: Calculate CPU usage patterns over the last day, chart by percentiles. +// Categories: ['virtualmachines'] +// Resource types: ['Virtual machines'] +// Topic: Performance +Perf +| where CounterName == "% Processor Time" +| where ObjectName == "Processor" +| summarize avg(CounterValue) by bin(TimeGenerated, 15min) // bin is used to set the time grain to 15 minutes +| render timechart +// Perf table stores performance counters for Windows and Linux computers +// Counters are specified using ObjectName (performance object), InstanceName and CounterName +// % Processor Time captures CPU activity, ObjectNames can be Processor, Process and Process Information \ No newline at end of file 
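Review bot: `top 10 by CounterValue desc` on the last line of "Bottom 10 Free disk space %" returns the ten computers with the MOST free space, the opposite of what the name promises; it needs `asc`. `summarize arg_max(TimeGenerated, *) by Computer` keeps one record per computer — whichever disk instance reported last — rather than the fullest disk, so the row shown may not be the one near capacity; `summarize arg_max(TimeGenerated, *) by Computer, InstanceName | summarize arg_min(CounterValue, *) by Computer` picks the lowest-free-space disk per machine. `CounterName contains "%"` is also broader than it looks and would match any other percentage counter under the Logical Disk object, such as an inode-percentage counter on Linux; `CounterName == "% Free Space"` is more precise.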
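Review bot: "Chart CPU usage trends" says it covers the last day, but there is no time filter; add `| where TimeGenerated > ago(1d)` before the summarize. Without `InstanceName == "_Total"` the average mixes per-core instances with the `_Total` instance, and without `by Computer` it averages every machine into a single line; `| where InstanceName == "_Total" | summarize avg(CounterValue) by bin(TimeGenerated, 15min), Computer` charts one line per machine. The "Top 10 Virtual Machines by CPU utilization" query in this patch already applies the `_Total` filter, so the two should agree.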
diff --git a/Azure Services/Virtual machines/Queries/Performance/Logical disk space below threshold.txt b/Azure Services/Virtual machines/Queries/Performance/Logical disk space below threshold.txt new file mode 100644 index 00000000..24592d61 --- /dev/null +++ b/Azure Services/Virtual machines/Queries/Performance/Logical disk space below threshold.txt @@ -0,0 +1,12 @@ +// Author: Microsoft Azure +// Display name: Logical disk space % below threshold: +// Description: Show avg % of free Logical disk space over 10 minutes. +// Categories: ['virtualmachines'] +// Resource types: ['Virtual machines'] +// Topic: Performance +let _minValue = 10; // Set the minValue according to your needs +Perf +| where ObjectName == "LogicalDisk" and CounterName == "% Free Space" // the object name used in Windows records +| where TimeGenerated >= ago(30m) // choose time to observe +| where CounterValue <= _minValue +| summarize avg(CounterValue) by bin(TimeGenerated, 10m), Computer, InstanceName \ No newline at end of file diff --git a/Azure Services/Virtual machines/Queries/Performance/Top 10 Virtual Machines by CPU utilization.txt b/Azure Services/Virtual machines/Queries/Performance/Top 10 Virtual Machines by CPU utilization.txt new file mode 100644 index 00000000..4eef6281 --- /dev/null +++ b/Azure Services/Virtual machines/Queries/Performance/Top 10 Virtual Machines by CPU utilization.txt @@ -0,0 +1,12 @@ +// Author: Microsoft Azure +// Display name: Top 10 Virtual Machines by CPU utilization +// Description: Find top 10 VM by CPU utilization in the last 7 days. +// Categories: ['virtualmachines'] +// Resource types: ['Virtual machines'] +// Topic: Performance +Perf +| where TimeGenerated > ago(7d) +| where CounterName == "% Processor Time" and InstanceName == "_Total" +| project TimeGenerated, Computer, ObjectName, CounterName, InstanceName, round(CounterValue, 2) +| summarize arg_max(TimeGenerated, *) by Computer +| top 10 by CounterValue \ No newline at end of file 
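Review bot: In "Top 10 Virtual Machines by CPU utilization", `project ... round(CounterValue, 2)` replaces `CounterValue` with an auto-named expression column, so the following `summarize arg_max(TimeGenerated, *)` and `top 10 by CounterValue` refer to a column that no longer exists and the query should fail to resolve; write `CounterValue = round(CounterValue, 2)` in the project. There is no `ObjectName == "Processor"` filter, and the neighbouring CPU-trend query's own comment notes that `% Processor Time` exists under the Processor, Process and Process Information objects, so `_Total` rows from different objects can be mixed; add `and ObjectName == "Processor"` to the where clause.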
diff --git a/Azure Services/Virtual machines/Queries/Performance/Virtual Machine available memory.txt b/Azure Services/Virtual machines/Queries/Performance/Virtual Machine available memory.txt new file mode 100644 index 00000000..061c4ade --- /dev/null +++ b/Azure Services/Virtual machines/Queries/Performance/Virtual Machine available memory.txt @@ -0,0 +1,13 @@ +// Author: Microsoft Azure +// Display name: Virtual Machine available memory +// Description: Chart the VM's available memory over the last hour. +// Categories: ['virtualmachines'] +// Resource types: ['Virtual machines'] +// Topic: Performance +Perf +| where TimeGenerated > ago(1h) +| where ObjectName == "Memory" and +(CounterName == "Available MBytes Memory" or // the name used in Linux records +CounterName == "Available MBytes") // the name used in Windows records +| project TimeGenerated, CounterName, CounterValue +| render timechart \ No newline at end of file diff --git a/Azure Services/Virtual machines/Queries/Performance/Virtual Machine free disk space.txt b/Azure Services/Virtual machines/Queries/Performance/Virtual Machine free disk space.txt new file mode 100644 index 00000000..7779445e --- /dev/null +++ b/Azure Services/Virtual machines/Queries/Performance/Virtual Machine free disk space.txt @@ -0,0 +1,12 @@ +// Author: Microsoft Azure +// Display name: Virtual Machine free disk space +// Description: Show the latest report of free disk space, per instance. +// Categories: ['virtualmachines'] +// Resource types: ['Virtual machines'] +// Topic: Performance +Perf +| where ObjectName == "LogicalDisk" or // the object name used in Windows records +ObjectName == "Logical Disk" // the object name used in Linux records +| where CounterName == "Free Megabytes" +| summarize arg_max(TimeGenerated, *) by InstanceName // arg_max over TimeGenerated returns the latest record +| project TimeGenerated, InstanceName, CounterValue \ No newline at end of file 
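Review bot: Nothing in "Virtual Machine available memory" scopes the query to a single VM although the description says `the VM's available memory`; with more than one machine reporting, `project TimeGenerated, CounterName, CounterValue | render timechart` interleaves every computer's samples into one series. Either parameterise the machine with a `let` as "Missing required updates for server" does (`let ComputerName = "..."; ... | where Computer == ComputerName`), or keep `Computer` in the projection so the chart splits per machine.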
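Review bot: `summarize arg_max(TimeGenerated, *) by InstanceName` in "Virtual Machine free disk space" groups across all computers, so with more than one machine the output keeps only the most recently reporting `C:` (or `/`) in the workspace and silently drops the rest. The grouping should be `by Computer, InstanceName`, and `Computer` belongs in the final `project`. A time bound such as `| where TimeGenerated > ago(1h)` would also avoid scanning full retention just to find the latest sample.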
diff --git a/Azure Services/Virtual machines/Queries/Performance/What data is being collected.txt b/Azure Services/Virtual machines/Queries/Performance/What data is being collected.txt new file mode 100644 index 00000000..79d267cd --- /dev/null +++ b/Azure Services/Virtual machines/Queries/Performance/What data is being collected.txt @@ -0,0 +1,8 @@ +// Author: Microsoft Azure +// Display name: What data is being collected? +// Description: List the collected performance counters and object types (Process, Memory, Processor…) +// Categories: ['virtualmachines'] +// Resource types: ['Virtual machines'] +// Topic: Performance +Perf +| summarize by ObjectName, CounterName \ No newline at end of file diff --git a/Azure Services/Virtual machines/Queries/README b/Azure Services/Virtual machines/Queries/README new file mode 100644 index 00000000..f121024f --- /dev/null +++ b/Azure Services/Virtual machines/Queries/README @@ -0,0 +1 @@ +Put queries in this folder \ No newline at end of file diff --git a/Azure Services/Virtual machines/Queries/Security/Linux failed logins.txt b/Azure Services/Virtual machines/Queries/Security/Linux failed logins.txt new file mode 100644 index 00000000..2bac5726 --- /dev/null +++ b/Azure Services/Virtual machines/Queries/Security/Linux failed logins.txt @@ -0,0 +1,10 @@ +// Author: Microsoft Azure +// Display name: Linux failed logins +// Description: Find reports of Linux accounts that failed to login. +// Categories: ['virtualmachines', 'security'] +// Resource types: ['Virtual machines'] +// Topic: Security +LinuxAuditLog +| where RecordType == 'user_login' and res != 'success' +| summarize count() by acct // count the reported security events for each account +// This query requires the Security solution \ No newline at end of file 
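Review bot: "Linux failed logins" has no time window, so the per-account count covers the entire retention period and cannot distinguish an ongoing attack from old noise; add `| where TimeGenerated > ago(1d)` before the summarize. `res != 'success'` also counts rows where `res` is empty — harmless if the field is always populated, otherwise `res == 'failed'` is the safer predicate (I cannot confirm the value set from here). For triage, `| summarize count() by acct, Computer` shows which host the failures landed on.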
diff --git a/Azure Services/Virtual machines/Queries/Security/Members added to security groups.txt b/Azure Services/Virtual machines/Queries/Security/Members added to security groups.txt
new file mode 100644
index 00000000..11a44d88
--- /dev/null
+++ b/Azure Services/Virtual machines/Queries/Security/Members added to security groups.txt
@@ -0,0 +1,10 @@
+// Author: Microsoft Azure
+// Display name: Members added to security groups
+// Description: Who was added to security-enabled group over the last day?
+// Categories: ['virtualmachines', 'security']
+// Resource types: ['Virtual machines']
+// Topic: Security
+SecurityEvent
+| where EventID in (4728, 4732, 4756) // these event IDs indicate a member was added to a security-enabled group
+| summarize count() by SubjectAccount
+// This query requires the Security solution
\ No newline at end of file
diff --git a/Azure Services/Virtual machines/Queries/Security/Missing security or critical updates.txt b/Azure Services/Virtual machines/Queries/Security/Missing security or critical updates.txt
new file mode 100644
index 00000000..10a362f9
--- /dev/null
+++ b/Azure Services/Virtual machines/Queries/Security/Missing security or critical updates.txt
@@ -0,0 +1,11 @@
+// Author: Microsoft Azure
+// Display name: Missing security or critical updates
+// Description: Count how many security or other critical updates are missing.
+// Categories: ['virtualmachines', 'security']
+// Resource types: ['Virtual machines']
+// Topic: Security
+Update
+| where Classification in ("Security Updates", "Critical Updates")
+| where UpdateState == 'Needed' and Optional == false and Approved == true
+| summarize count() by Classification
+// This query requires the Security or Update solutions
\ No newline at end of file
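Review bot: "Members added to security groups" says `over the last day`, but no time filter is present; add `| where TimeGenerated > ago(1d)`. `summarize count() by SubjectAccount` shows only who performed the addition and drops which account was added to which group — the information you actually need when reviewing privileged-group changes; `| summarize count() by SubjectAccount, TargetAccount, MemberName` keeps all three, assuming those columns are populated for 4728/4732/4756 in your SecurityEvent data (confirm before relying on it).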
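Review bot: The trailing comment `This query requires the Security or Update solutions` in "Missing security or critical updates" is at odds with the `Solutions: ['Updates']` tag on the Diagnostics-folder queries that read the same `Update` table; if the Security solution alone does not populate `Update`, the comment should name only the Update solution. There is no time window or de-duplication, so each KB is counted once per computer per scan rather than once; `| where TimeGenerated > ago(1d) | summarize arg_max(TimeGenerated, *) by Computer, KBID | summarize count() by Classification` counts each missing update once per machine. Note this query uses `Optional == false` while the Diagnostics queries compare `Optional == "false"`; only one of the two can be right for the column's type.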
diff --git a/Azure Services/Virtual machines/Queries/Security/Uses of clear text password.txt b/Azure Services/Virtual machines/Queries/Security/Uses of clear text password.txt new file mode 100644 index 00000000..32691e0b --- /dev/null +++ b/Azure Services/Virtual machines/Queries/Security/Uses of clear text password.txt @@ -0,0 +1,11 @@ +// Author: Microsoft Azure +// Display name: Uses of clear text password +// Description: List all accounts that logged on using a clear-text password over the last day. +// Categories: ['virtualmachines', 'security'] +// Resource types: ['Virtual machines'] +// Topic: Security +SecurityEvent +| where EventID == 4624 // event ID 4624: "an account was successfully logged on", +| where LogonType == 8 // logon type 8: "NetworkCleartext" +| summarize count() by TargetAccount // count the reported security events for each account +// This query requires the Security solution \ No newline at end of file diff --git a/Azure Services/Virtual machines/Queries/Security/Windows failed logins.txt b/Azure Services/Virtual machines/Queries/Security/Windows failed logins.txt new file mode 100644 index 00000000..ed230ae1 --- /dev/null +++ b/Azure Services/Virtual machines/Queries/Security/Windows failed logins.txt @@ -0,0 +1,10 @@ +// Author: Microsoft Azure +// Display name: Windows failed logins +// Description: Find reports of Windows accounts that failed to login. +// Categories: ['virtualmachines', 'security'] +// Resource types: ['Virtual machines'] +// Topic: Security +SecurityEvent +| where EventID == 4625 +| summarize count() by TargetAccount // count the reported security events for each account +// This query requires the Security solution \ No newline at end of file diff --git a/Azure Services/Virtual machines/Workbooks/README b/Azure Services/Virtual machines/Workbooks/README new file mode 100644 index 00000000..7b19c105 --- /dev/null +++ b/Azure Services/Virtual machines/Workbooks/README 
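Review bot: "Uses of clear text password" says `over the last day`, but there is no time filter; add `| where TimeGenerated > ago(1d)`. Because LogonType 8 means the password crossed the network in clear text, the source matters more than the count: grouping by the originating machine, e.g. `| summarize count() by TargetAccount, Computer, IpAddress` (if `IpAddress` is populated in your SecurityEvent data), points at the client or service that needs fixing rather than just the account that was exposed.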
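Review bot: "Windows failed logins" has no time window, so counts accumulate over full retention; add `| where TimeGenerated > ago(1d)`. Grouping only by `TargetAccount` hides password spraying from one source; `| summarize count() by TargetAccount, IpAddress, LogonType` separates a mistyped password from a brute-force attempt, assuming those columns are populated in your SecurityEvent data. The "Linux failed logins" query in the same patch has the same gap, so the two should be fixed together.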
@@ -0,0 +1 @@ +Put workbooks in this folder \ No newline at end of file diff --git a/Solutions/SurfaceHub/Alerts/README b/Solutions/SurfaceHub/Alerts/README new file mode 100644 index 00000000..e7cf202f --- /dev/null +++ b/Solutions/SurfaceHub/Alerts/README @@ -0,0 +1 @@ +Put alerts in this folder \ No newline at end of file diff --git a/Solutions/SurfaceHub/Queries/Diagnostics/Hardware Alert.txt b/Solutions/SurfaceHub/Queries/Diagnostics/Hardware Alert.txt new file mode 100644 index 00000000..c8f10262 --- /dev/null +++ b/Solutions/SurfaceHub/Queries/Diagnostics/Hardware Alert.txt @@ -0,0 +1,9 @@ +// Author: Microsoft Azure +// Display name: Hardware Alert +// Description: SurfaceHubHardwareAlert. +// Categories: ['workloads'] +// Solutions: ['SurfaceHub'] +// Topic: Diagnostics +DeviceHardwareHealth +|where EventName == "CameraInUnexpectedState" or EventName == "WiredIngestInUnexpectedState" or EventName == "WiredTouchInUnexpectedState" or EventName == "WifiDirectInUnexpectedState" or EventName == "MicInUnexpectedState" or EventName == "WiredTouchInUnexpectedState" or EventName == "SpeakersInUnexpectedState" or EventName == "WirelessCardInUnexpectedState" +| sort by TimeGenerated desc \ No newline at end of file diff --git a/Solutions/SurfaceHub/Queries/Diagnostics/Hardware Minor.txt b/Solutions/SurfaceHub/Queries/Diagnostics/Hardware Minor.txt new file mode 100644 index 00000000..0fb6c4c1 --- /dev/null +++ b/Solutions/SurfaceHub/Queries/Diagnostics/Hardware Minor.txt 
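Review bot: In "Hardware Alert", `EventName == "WiredTouchInUnexpectedState"` appears twice in the `where` clause (third and sixth terms), so either one of the intended event names is missing or this is a copy-paste duplicate; the same list is repeated with `!=` in "Hardware Minor", so both should be checked against the actual DeviceHardwareHealth event set. Writing it as `| where EventName in ("CameraInUnexpectedState", "WiredIngestInUnexpectedState", ...)` makes the list easier to read and to keep in sync with the Minor query.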
@@ -0,0 +1,9 @@
+// Author: Microsoft Azure
+// Display name: Hardware Minor
+// Description: SurfaceHub hardware minor.
+// Categories: ['workloads']
+// Solutions: ['SurfaceHub']
+// Topic: Diagnostics
+DeviceHardwareHealth
+|where EventName != "CameraInUnexpectedState" and EventName != "WiredIngestInUnexpectedState" and EventName != "WiredTouchInUnexpectedState" and EventName != "WifiDirectInUnexpectedState" and EventName != "MicInUnexpectedState" and EventName != "WiredTouchInUnexpectedState" and EventName != "SpeakersInUnexpectedState" and EventName != "WirelessCardInUnexpectedState"
+| sort by TimeGenerated des
\ No newline at end of file
diff --git a/Solutions/SurfaceHub/Queries/Error/Cleanup Failure.txt b/Solutions/SurfaceHub/Queries/Error/Cleanup Failure.txt
new file mode 100644
index 00000000..7ea06b9b
--- /dev/null
+++ b/Solutions/SurfaceHub/Queries/Error/Cleanup Failure.txt
@@ -0,0 +1,9 @@
+// Author: Microsoft Azure
+// Display name: Cleanup Failure
+// Description: SurfaceHub cleanup failure.
+// Categories: ['workloads']
+// Solutions: ['SurfaceHub']
+// Topic: Error
+DeviceCleanup
+| where State == "Fatal"
+| sort by TimeGenerated desc
\ No newline at end of file
diff --git a/Solutions/SurfaceHub/Queries/Error/Exchange Error.txt b/Solutions/SurfaceHub/Queries/Error/Exchange Error.txt
new file mode 100644
index 00000000..168575f8
--- /dev/null
+++ b/Solutions/SurfaceHub/Queries/Error/Exchange Error.txt
@@ -0,0 +1,9 @@
+// Author: Microsoft Azure
+// Display name: Exchange Error
+// Description: SurfaceHub Exchange error.
+// Categories: ['workloads']
+// Solutions: ['SurfaceHub']
+// Topic: Error
+DeviceCalendar
+| where EventName == "activesynchealth" and SyncStatus != "Healthy"
+| sort by TimeGenerated desc
\ No newline at end of file
diff --git a/Solutions/SurfaceHub/Queries/Error/Skype Error.txt b/Solutions/SurfaceHub/Queries/Error/Skype Error.txt
new file mode 100644
index 00000000..c9cd1a7f
--- /dev/null
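Review bot: `| sort by TimeGenerated des` in "Hardware Minor" is a typo for `desc` and will not parse as written, so this query fails outright. The `where` clause also repeats `EventName != "WiredTouchInUnexpectedState"` twice, mirroring the duplicate in "Hardware Alert"; `| where EventName !in ("CameraInUnexpectedState", "WiredIngestInUnexpectedState", ...)` keeps it readable and in sync with the alert list.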
+++ b/Solutions/SurfaceHub/Queries/Error/Skype Error.txt @@ -0,0 +1,9 @@ +// Author: Microsoft Azure +// Display name: Skype Error +// Description: SurfaceHub Skype error. +// Categories: ['workloads'] +// Solutions: ['SurfaceHub'] +// Topic: Error +DeviceSkypeHeartbeat +| where State == "Unhealthy" +| sort by TimeGenerated desc \ No newline at end of file diff --git a/Solutions/SurfaceHub/Queries/Error/Software Alert.txt b/Solutions/SurfaceHub/Queries/Error/Software Alert.txt new file mode 100644 index 00000000..b90b6e63 --- /dev/null +++ b/Solutions/SurfaceHub/Queries/Error/Software Alert.txt @@ -0,0 +1,9 @@ +// Author: Microsoft Azure +// Display name: Software Alert +// Description: SurfaceHub software error. +// Categories: ['workloads'] +// Solutions: ['SurfaceHub'] +// Topic: Error +DeviceHealth +| where EventName == "CriticalProcessStatus" and State == "Unhealthy" +| sort by TimeGenerated desc \ No newline at end of file diff --git a/Solutions/SurfaceHub/Queries/README b/Solutions/SurfaceHub/Queries/README new file mode 100644 index 00000000..f121024f --- /dev/null +++ b/Solutions/SurfaceHub/Queries/README @@ -0,0 +1 @@ +Put queries in this folder \ No newline at end of file diff --git a/Solutions/SurfaceHub/Workbooks/README b/Solutions/SurfaceHub/Workbooks/README new file mode 100644 index 00000000..7b19c105 --- /dev/null +++ b/Solutions/SurfaceHub/Workbooks/README @@ -0,0 +1 @@ +Put workbooks in this folder \ No newline at end of file