Logic App Fun – Part 1 – Azure Resource Graph

I will be the first one to admit I am not an expert at Logic Apps, but I love a challenge. I was exploring how to get notifications out of Defender for Cloud recommendations sent to me via email. I am going to make this multiple post, so it is not so long.

In this post I will discuss Azure Resource Graph Explorer or discuss how to use it. If you want to know more about Azure Resource Graph and it capabilities, please check out the official Microsoft Document.

For the premise of this post, we are going to be searching for Security Recommendations if “Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources”
How do we do that? I will show you.

First let’s log onto the Azure Portal and then search for Azure Resource Graph Explorer. This is the blade, Click on the tab titled Table. You can see from here you know see all the different tables. KQL is important to understand in order to accomplish this.

We are going to look at the securityresources table. If you just click on the securityresources it will fill in the screen and you can just click run and you will see the results.

Now let’s get the KQL statement we want out of this. I am not going to detail out the whole statement but at its most basic it’s going to give me the needed information to figure out what resources are unhealthy that require attention.

securityresources 
| where type == ‘microsoft.security/assessments’ 
| extend resourceId = properties.resourceDetails.Id 
| extend resourceName = tostring(split(resourceId, ‘/’)[8]) 
| extend resourceGroup = (split(resourceId, ‘/’)[4]) 
| extend status = properties.status.code 
| extend recommendatioName = properties.displayName 
| where status == ‘Unhealthy’ 
| where recommendatioName == ‘Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources’ 
| project Subscription=subscriptionId, Recomendation=recommendatioName, Name=resourceName, ResourceGroup=resourceGroup, Status=status

We have now a working KQL statement that we can continue on with our Logic App. You can do so much with Azure Resource Graph to get an idea of what you can do with it. Hopefully this was helpful.