Resource Graph Alert - query does not work through log analytics workspace
Hi,
I'm trying to come up with an Azure Monitor alert, which will notify me if there have been any non-compliant resources deployed in the last few hours.
I have a query that works perfectly in Resource Graph Explorer:
    policyresources
    | where type =~ 'Microsoft.PolicyInsights/PolicyStates'
    | extend
        resourceId = tostring(properties.resourceId),
        compliance = properties.complianceState,
        policyAssignment = tostring(properties.policyAssignmentName),
        policyDefinition = tostring(properties.policyDefinitionName)
    | where compliance == 'NonCompliant'
    | project policyDefinition, policyAssignment, compliance, resourceId
    | join kind = inner (
        policyresources
        | where type =~ 'microsoft.authorization/policydefinitions'
        | extend
            policyId = tostring(name),
            policyName = tostring(properties.displayName)
        | project policyId, policyName
    ) on $left.policyDefinition == $right.policyId
    | join kind = inner (
        resources
        | extend
            resourceId = tolower(tostring(id)),
            createdTime = todatetime(properties.creationTime),
            resourceName = tostring(name)
        | where createdTime >= ago(4h)
        | project resourceId, resourceName, type, resourceGroup, createdTime
    ) on resourceId
    | project-away policyDefinition, resourceId, resourceId1
    | project resourceName, type, resourceGroup, policyName, policyAssignment, compliance
But when I try to use it in an Azure Monitor alert, I get errors:
    arg("").policyresources
    | where type =~ 'Microsoft.PolicyInsights/PolicyStates'
    | extend
        resourceId = tostring(properties.resourceId),
        compliance = properties.complianceState,
        policyAssignment = tostring(properties.policyAssignmentName),
        policyDefinition = tostring(properties.policyDefinitionName)
    | where compliance == 'NonCompliant'
    | project policyDefinition, policyAssignment, compliance, resourceId
    | join kind = inner (
        arg("").policyresources
        | where type =~ 'microsoft.authorization/policydefinitions'
        | extend
            policyId = tostring(name),
            policyName = tostring(properties.displayName)
        | project policyId, policyName
    ) on $left.policyDefinition == $right.policyId
    | join kind = inner (
        arg("").resources
        | extend
            resourceId = tolower(tostring(id)),
            createdTime = todatetime(properties.creationTime),
            resourceName = tostring(name)
        | where createdTime >= ago(4h)
        | project resourceId, resourceName, type, resourceGroup, createdTime
    ) on resourceId
    | project-away policyDefinition, resourceId, resourceId1
    | project resourceName, type, resourceGroup, policyName, policyAssignment, compliance
Custom join strategy or custom join remote strategy is not allowed. Please refer to the documentation for the Azure Resource Graph service and fix the error before retrying (https://aka.ms/LAProxy). If the issue persists, please open a support ticket. Request id: 1547e647-4d35-4acc-a422-31bea5118279
Is there any way I can get this to work?
Regards.