Query Details

Azure VM Creation Using Resource Graph

Query

// Could be useful as part of rogue VM creation hunting; could add queries to check the tags and ensure they are compliant with org tagging
resources
| extend OS_Name = properties['extended']['instanceView']['osName']
| extend Created_Time = properties['timeCreated']
| where type == "microsoft.compute/virtualmachines"
| project name, type, OS_Name, Created_Time, resourceGroup, subscriptionId, location, id, tags, properties
//
| where todatetime(Created_Time) > ago(1d)

Explanation

This query is designed to help identify potentially unauthorized or "rogue" virtual machines (VMs) that were created within the last day. Here's a simple breakdown of what it does:

  1. Data Source: It starts from the Azure Resource Graph table called resources, which contains information about various resources, including virtual machines.

  2. Extract Information: It extracts specific details about each VM, such as the operating system name (OS_Name) and the time it was created (Created_Time).

  3. Filter for VMs: It filters the data to only include resources that are virtual machines, identified by the type "microsoft.compute/virtualmachines".

  4. Select Relevant Fields: It selects and displays specific fields for each VM, including the name, type, operating system, creation time, resource group, subscription ID, location, ID, tags, and other properties.

  5. Recent Creations: Finally, it further filters the results to show only those VMs that were created within the last day.

This query can be useful for monitoring and ensuring compliance with organizational policies, such as checking if newly created VMs have the correct tags.
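
The tag check suggested in the query comment, written out as an added example (not part of the original query). The tag names Owner, CostCenter and Environment are assumed placeholders for an organization's own required tags.

```kusto
// Added example: newly created VMs that are missing required tags.
// Owner, CostCenter and Environment are assumed tag names; replace them with your org's policy.
resources
| where type == "microsoft.compute/virtualmachines"
| extend Created_Time = todatetime(properties['timeCreated'])
| where Created_Time > ago(1d)
| extend OS_Name = tostring(properties['extended']['instanceView']['osName'])
// A tag that is absent or has an empty value counts as missing
| extend Missing_Owner = isempty(tostring(tags['Owner'])),
         Missing_CostCenter = isempty(tostring(tags['CostCenter'])),
         Missing_Environment = isempty(tostring(tags['Environment']))
| where Missing_Owner or Missing_CostCenter or Missing_Environment
| project name, OS_Name, Created_Time, resourceGroup, subscriptionId, location,
          Missing_Owner, Missing_CostCenter, Missing_Environment, tags, id
| order by Created_Time desc
```

The bracket lookup on tags is case-sensitive, so a VM tagged owner instead of Owner is reported as missing the tag; review such rows before treating the VM as rogue.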

Details

Jay Kerai

Released: June 5, 2026

Tables

resources

Keywords

Resources, Virtualmachines, Osname, Createdtime, Resourcegroup, Subscriptionid, Location, Id, Tags, Properties

Operators

resources, extend, where, project, todatetime, ago