KQL Azure Monitor Queries

Azure Monitor Tables

Table             Content
AzureActivity     Management-plane (Azure Resource Manager) operations: create, update and delete of resources, with the caller identity and IP
AzureDiagnostics  Resource-level diagnostic logs routed by diagnostic settings (one wide table shared by many resource types)
AzureMetrics      Platform performance metrics from Azure resources, routed by diagnostic settings
Heartbeat         Agent health check; each agent writes one row about every minute
Usage             Log Analytics workspace ingestion volume per table (Quantity is in MB)
Operation         Workspace data-collection operations and errors (daily cap, rate limits, agent problems)
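The table list above describes Operation and AzureDiagnostics, but the cheat sheet carries no queries for either. The three queries below are added examples, not part of the original page: the first surfaces data-collection errors and warnings from Operation (a silent ingestion stop is the first thing to rule out when a detection goes quiet), the second shows which resource providers and categories are actually landing in AzureDiagnostics, and the third slices that table down to failed Key Vault operations. The 24h windows are assumptions, and the Key Vault query assumes that vault diagnostic settings route the AuditEvent category to this workspace; the ResultType values named in the comment are the ones Key Vault emits for denied or missing lookups.

```kql
// Added example (not from the original page): data-collection problems reported in the
// Operation table over the last 24h. OperationCategory "Ingestion" carries daily-cap and
// rate-limit events; "Data Collection" carries agent-side problems.
Operation
| where TimeGenerated > ago(24h)
| where OperationStatus in ("Error", "Warning")
| summarize Events = count(), LastSeen = max(TimeGenerated), Example = take_any(Detail)
    by OperationCategory, Operation, OperationStatus, Computer
| sort by LastSeen desc

// Added example: what is actually being written to AzureDiagnostics, by provider and category.
// Run this first; the table is shared by every resource type that routes logs here.
AzureDiagnostics
| where TimeGenerated > ago(24h)
| summarize Events = count(), Resources = dcount(ResourceId) by ResourceProvider, Category
| sort by Events desc

// Added example: failed Key Vault operations (assumes AuditEvent is routed to this workspace).
// ResourceProvider values are stored upper-case. ResultType other than "Success" covers
// Unauthorized, Forbidden and NotFound responses, which is where secret enumeration shows up.
AzureDiagnostics
| where TimeGenerated > ago(24h)
| where ResourceProvider == "MICROSOFT.KEYVAULT" and Category == "AuditEvent"
| where ResultType != "Success"
| summarize Failures = count() by OperationName, ResultType, CallerIPAddress, Resource
| sort by Failures desc
```

Run each query on its own in Log Analytics; they are separated here only for reading. Sort the Key Vault result by CallerIPAddress as well when a single source is producing many Forbidden results across several OperationName values, which is the pattern of an identity probing for secrets it cannot read.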

Resource Monitoring

Unhealthy agents (no heartbeat in 15 min)
Heartbeat
// prepend "| where TimeGenerated > ago(7d)" to drop machines decommissioned long ago; as written, anything still within retention is listed
| summarize LastHeartbeat = max(TimeGenerated) by Computer, OSType
| where LastHeartbeat < ago(15m)
| sort by LastHeartbeat asc
Azure resource changes (last 24h)
AzureActivity
| where TimeGenerated > ago(24h)
// OperationNameValue is stored upper-case, e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE; endswith is case-insensitive
| where OperationNameValue endswith "/write" or OperationNameValue endswith "/delete"
| summarize count() by Caller, CallerIpAddress, OperationNameValue, ActivityStatusValue
| sort by count_ desc
Failed Azure operations
AzureActivity
| where TimeGenerated > ago(24h)
// the diagnostic-settings pipeline writes "Failure"; the legacy Activity Log connector wrote "Failed", so match both
| where ActivityStatusValue in~ ("Failure", "Failed")
| summarize count() by OperationNameValue, Caller, StatusMessage = tostring(Properties_d.statusMessage)
| sort by count_ desc
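The resource-change query above answers "who changed what"; the security question is usually narrower: who changed authorization. This added example, not part of the original cheat sheet, restricts AzureActivity to successful role-assignment, role-definition and policy changes, which are the management-plane operations behind most Azure persistence and privilege-escalation findings. The operation names are the standard Microsoft.Authorization provider operations; the 24h window is an assumption.

```kql
// Added example (not from the original page): successful privileged management-plane changes, last 24h.
// OperationNameValue is stored upper-case; in~ is a case-insensitive match.
AzureActivity
| where TimeGenerated > ago(24h)
| where OperationNameValue in~ (
    "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE",
    "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/DELETE",
    "MICROSOFT.AUTHORIZATION/ROLEDEFINITIONS/WRITE",
    "MICROSOFT.AUTHORIZATION/ROLEDEFINITIONS/DELETE",
    "MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/DELETE",
    "MICROSOFT.AUTHORIZATION/POLICYEXEMPTIONS/WRITE")
// the diagnostic-settings pipeline writes "Success"; the legacy connector wrote "Succeeded"
| where ActivityStatusValue in~ ("Success", "Succeeded")
// _ResourceId for a role assignment is the scope plus /providers/Microsoft.Authorization/roleAssignments/<guid>,
// so it tells you whether the grant landed on a resource, a resource group or the whole subscription
| project TimeGenerated, Caller, CallerIpAddress, OperationNameValue, SubscriptionId, ResourceGroup, _ResourceId
| sort by TimeGenerated desc
```

Caller is a UPN for users and an application (client) ID for service principals, so a GUID in that column with a subscription-scope role assignment is worth a second look. Extend the list with `MICROSOFT.AUTHORIZATION/LOCKS/DELETE` and `MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE` to catch defence-evasion steps (removing locks and turning off the very logging this query depends on).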

Workspace Usage

Data volume by table (last 24h)
Usage
| where TimeGenerated > ago(24h)
// Quantity is in MB; add "| where IsBillable == true" to see only billed volume
| summarize DataGB = sum(Quantity) / 1024 by DataType
| sort by DataGB desc
| take 20
Daily ingestion per table (last 7 days, charted so spikes stand out)
Usage
| where TimeGenerated > ago(7d)
| summarize DailyGB = sum(Quantity) / 1024 by bin(TimeGenerated, 1d), DataType
| where DailyGB > 1
| render timechart

Security Alerts

Fired alerts summary
// SecurityAlert holds alerts from Microsoft Defender for Cloud, Microsoft Sentinel and other providers, not Azure Monitor alert-rule firings
SecurityAlert
| where TimeGenerated > ago(24h)
| summarize arg_max(TimeGenerated, *) by SystemAlertId   // one row per alert; status updates re-emit the same SystemAlertId
| summarize count() by AlertName, AlertSeverity, ProviderName
| sort by count_ desc