Get Azure alert details using KQL

Question

Get Azure alert details using KQL

SujinaSJ-1789 271

Hi All,

Can we get the alert details (alert name, Fired time, resolved time etc.) using KQL? If yes, what configuration is required and which table to query?

SwathiDhanwada-MSFT 18,911 Reputation points

2023-08-08T12:58:41.9033333+00:00

@SujinaSJ-1789 Let us know if this answer was helpful to you or if you need additional assistance. If it was helpful, please remember to accept it so that others in the community with similar questions can more easily find a solution.

Accepted answer

1 additional answer

Your answer

SwathiDhanwada-MSFT 18,911 Reputation points

2023-08-08T12:58:41.9033333+00:00

@SujinaSJ-1789 Let us know if this answer was helpful to you or if you need additional assistance. If it was helpful, please remember to accept it so that others in the community with similar questions can more easily find a solution.

Answer 1

You can Azure Resource Graph service to query the alerts triggered within your subscription. Below sample query gets all Azure Monitor alerts that were fired in the last 12 hours and extracts commonly used properties for your reference. You can modify it based on your requirement.

alertsmanagementresources
| where properties.essentials.startDateTime > ago(12h)
| project
  alertId = id,
  name,
  monitorCondition = tostring(properties.essentials.monitorCondition),
  severity = tostring(properties.essentials.severity),
  monitorService = tostring(properties.essentials.monitorService),
  alertState = tostring(properties.essentials.alertState),
  targetResourceType = tostring(properties.essentials.targetResourceType),
  targetResource = tostring(properties.essentials.targetResource),
  subscriptionId,
  startDateTime = todatetime(properties.essentials.startDateTime),
  lastModifiedDateTime = todatetime(properties.essentials.lastModifiedDateTime),
  dimensions = properties.context.context.condition.allOf[0].dimensions, properties

Answer 2

Bhardwaj, Rajeev 110

Yes, it can be.

Different services store alert data in different tables. You need to determine which table holds the relevant data for the alerts you're interested in.

For example, you can use below for Security Events:

SecurityAlert

| project AlertName, AlertStartTime, AlertEndTime, ResolutionTime

| where TimeGenerated >= datetime(2023-07-01) and TimeGenerated <= datetime(2023-08-01)

Please confirm if it works for you.

SujinaSJ-1789 271 Reputation points

2023-08-07T02:51:03.65+00:00

Thanks for the answer @Bhardwaj, Rajeev. I am looking for alert details related to Application Gateway. To be specific, I need the alert fired and resolved time when the backend host goes down. I checked the Alert table but didn't get any result eventhough we had alerts in fired state. Any lead would be of great help. TYIA

Share via

Get Azure alert details using KQL

1 additional answer

Your answer