Query Details
Azure Tag Search
Query
# Function: AzureTagSearch()
## Query Information
#### Description
This function returns all resources based on the *SearchTag* variable that has been used as input. Note that only the resources that your account has access to are returned.
#### References
- https://learn.microsoft.com/en-us/azure/governance/resource-graph/overview
- https://learn.microsoft.com/en-us/azure/governance/resource-graph/samples/starter?tabs=azure-portal
## Log Analytics (Sentinel)
```
let AzureTagSearch = (SearchTag: string) {
arg("").Resources
| extend StringTags = tolower(tostring(tags))
| extend SearchTagToLower = SearchTag
| where StringTags has SearchTagToLower
| project tags, type, name, kind, resourceGroup
};
AzureTagSearch("Test")
```
Explanation
The query is a function called AzureTagSearch that takes a SearchTag as input. It returns all resources that have a tag matching the SearchTag. The function uses the arg("") function to get all resources, then converts the tags to lowercase and compares them to the lowercase SearchTag. The query returns the tags, type, name, kind, and resource group of the matching resources. In this example, the SearchTag used is "Test".
Details
Bert-Jan Pals
Released: September 21, 2023
Tables
arg("").Resources
Keywords
Devices,Intune,User
Operators
argResourcesextendtolowertostringwherehasproject