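#Connect-AzAccount

# Inventory of Azure Monitor alert rules and the action groups they notify.
# For every enabled subscription this script lists smart detector, scheduled query,
# metric and activity log alert rules, and writes one row per (rule, action group)
# pair, or a single row for a rule with no action group, to a dated CSV file in the
# current directory.
#
# Requires an authenticated Az session (see Connect-AzAccount above) and PowerShell 7+
# (the ternary operator is used below).
#
# NOTE(review): the CSV holds receiver e-mail addresses and function names, so treat it
# as internal data. Rule names and descriptions are free text written by whoever can
# edit the rule; handle them as untrusted if the CSV is opened in a spreadsheet that
# evaluates formulas.

# The tenant id is hard-coded; the token is used only for the smart detector REST call.
# NOTE(review): the token is fetched once, so a very long run may outlive it. Confirm.
$access_token = (Get-AzAccessToken -TenantId "e9792fd7-4044-47e7-a40d-3fba46f1cd09").Token

# Newer Az.Accounts releases return the token as a SecureString, which would otherwise be
# interpolated as the type name instead of the token. Convert it for the bearer header.
if ($access_token -is [securestring]) {
    $access_token = ConvertFrom-SecureString -SecureString $access_token -AsPlainText
}

# Separator used when an array is cast to [string] (the receiver lists below).
$ofs = ', '

# Reads one smart detector alert rule through the ARM REST API and emits one object per
# action group id configured on it.
#   alertRuleName      name of the rule (URL-escaped before use)
#   resourceGroupName  resource group that holds the rule
#   subscriptionId     subscription that holds the rule
# Uses the script-level $access_token as the bearer token.
function GetSmartDetectorActionGroupIds {
    param (
        [string] $alertRuleName,
        [string] $resourceGroupName,
        [string] $subscriptionId
    )
    ## example : GetSmartDetectorActionGroupIds -alertRuleName "Failure Anomalies - authorization-functions-v2" -resourceGroupName "authorization" -subscriptionId "3190b0fd-4a66-4636-a204-5b9f18be78a6"

    $escapedAlertRuleName = [uri]::EscapeDataString($alertRuleName)
    # The backtick keeps "?" from being read as part of the variable name.
    $url = "https://management.azure.com/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName/providers/microsoft.alertsManagement/smartDetectorAlertRules/$escapedAlertRuleName`?api-version=2019-06-01"

    # Fixed: the header value used to start with a stray space (" Bearer ...").
    $head = @{ Authorization = "Bearer $access_token" }

    $response = Invoke-RestMethod -Uri $url -Method GET -Headers $head

    $response | ForEach-Object {
        $alert = $_
        $alert.properties.actionGroups | ForEach-Object {
            $actionGroup = $_
            $_.groupIds | ForEach-Object {
                [pscustomobject]@{
                    Id            = $alert.id
                    Name          = $alert.name
                    Description   = $alert.properties.description
                    State         = $alert.properties.state
                    Alert         = $alert.properties
                    # NOTE(review): the loop above reads $alert.properties.actionGroups;
                    # this reads $alert.actionGroups. Nothing in this script consumes it.
                    ActionGroups  = $alert.actionGroups
                    ActionGroup   = $actionGroup
                    ActionGroupId = $_
                }
            }
        }
    }
}

# Flattens a description onto one line by replacing CR and LF with " - ".
function GetDecentDescription {
    param (
        [string] $description
    )
    if ($null -eq $description) {
        ""
    }
    else {
        $description.Replace("`n", " - ").Replace("`r", " - ").Replace(" -  - ", " - ")
    }
}

[string] $date = Get-Date -Format "yyyy-MM-dd HHmm"
$fileName = ".\$date alert rules.csv"

$subscriptions = Get-AzSubscription | Where-Object State -eq "Enabled"

# One CSV row: an alert rule, optionally joined with one of its action groups.
class AlertRule {
    [string] $SubscriptionId = ""
    [string] $SubscriptionName = ""
    [string] $Id = ""
    [string] $ResourceGroupName = ""
    [string] $Type = ""
    [string] $Name = ""
    [string] $Description = ""
    [string] $State = ""
    [string] $ActionGroupId = ""
    [string] $ActionGroupName = ""
    [string] $ActionGroupResourceGroupName = ""
    [string] $ActionGroupEnabled = ""
    [string] $ActionGroupArmRoleReceivers = ""
    [string] $ActionGroupEmailReceivers = ""
    [string] $AzureFunctionReceivers = ""
    [string] $Tag_Team = ""
    [string] $Tag_Product = ""
    [string] $Tag_Environment = ""
    [string] $Tag_Data = ""
    [string] $Tag_CreatedOnDate = ""
    [string] $Tag_Deployment = ""
}

# Builds a row with the fields every rule type shares: subscription, identity and tags.
# A missing tag, or a $null tag collection, leaves the column empty.
function NewAlertRuleRow {
    param (
        $subscription,
        [string] $id,
        [string] $name,
        [string] $type,
        [string] $resourceGroupName,
        $tags
    )
    $row = [AlertRule]::new()
    $row.SubscriptionId = $subscription.Id
    $row.SubscriptionName = $subscription.Name
    $row.Id = $id
    $row.Name = $name
    $row.Type = $type
    $row.ResourceGroupName = $resourceGroupName
    $row.Tag_Team = $tags.team
    $row.Tag_Product = $tags.product
    $row.Tag_Environment = $tags.environment
    $row.Tag_Data = $tags.data
    $row.Tag_CreatedOnDate = $tags.CreatedOnDate
    $row.Tag_Deployment = $tags.drp_deployment
    $row
}

# Copies the action group details onto a row. Leaves the row untouched when the id
# did not match any action group collected from the enabled subscriptions.
function SetActionGroupDetails {
    param (
        $alertRule,
        $actionGroup
    )
    if ($null -ne $actionGroup) {
        $alertRule.ActionGroupName = $actionGroup.Name
        $alertRule.ActionGroupResourceGroupName = $actionGroup.ResourceGroupName
        $alertRule.ActionGroupEnabled = $actionGroup.Enabled
        # The [string] casts join the names with the script-level $ofs separator.
        $alertRule.ActionGroupArmRoleReceivers = [string] ( $actionGroup.ArmRoleReceivers | ForEach-Object { $_.Name } )
        $alertRule.ActionGroupEmailReceivers = [string] ( $actionGroup.EmailReceivers | ForEach-Object { $_.EmailAddress } )
        $alertRule.AzureFunctionReceivers = [string] ( $actionGroup.AzureFunctionReceivers | ForEach-Object { $_.FunctionName } )
    }
}

# Collect the action groups of every enabled subscription first, because a rule may
# reference an action group that lives in another subscription.
[Microsoft.Azure.Commands.Insights.OutputClasses.PSActionGroupResource[]]$actionGroups = @()
foreach ($subscription in $subscriptions) {
    Set-AzContext -SubscriptionId $subscription.Id | Out-Null
    $actionGroups += Get-AzActionGroup
}

[AlertRule[]]$Result = @()

foreach ($subscription in $subscriptions) {
    # Piped to Out-Null, as in the loop above, so the context object is not printed.
    Set-AzContext -SubscriptionId $subscription.Id | Out-Null
    ##Set-AzContext -SubscriptionId "a134faf1-7a89-4f2c-8389-06d00bd5e2a7"

    # microsoft.alertsmanagement/smartdetectoralertrules
    $smartDetectorRules = Get-AzResource -ResourceType "microsoft.alertsmanagement/smartdetectoralertrules"
    foreach ($smartDetectorRule in $smartDetectorRules) {
        $actions = GetSmartDetectorActionGroupIds -alertRuleName $smartDetectorRule.Name -resourceGroupName $smartDetectorRule.ResourceGroupName -subscriptionId $subscription.Id

        if (($null -eq $actions) -or ($actions.Length -eq 0)) {
            # Description and State are only known from the REST response, so they stay empty here.
            $AlertRule = NewAlertRuleRow -subscription $subscription -id $smartDetectorRule.Id -name $smartDetectorRule.Name -type $smartDetectorRule.ResourceType -resourceGroupName $smartDetectorRule.ResourceGroupName -tags $smartDetectorRule.Tags
            $Result += $AlertRule
        }
        else {
            foreach ($action in $actions) {
                $actionGroup = $actionGroups | Where-Object { $_.id -eq [uri]::UnescapeDataString($action.ActionGroupId) }

                $AlertRule = NewAlertRuleRow -subscription $subscription -id $smartDetectorRule.Id -name $smartDetectorRule.Name -type $smartDetectorRule.ResourceType -resourceGroupName $smartDetectorRule.ResourceGroupName -tags $smartDetectorRule.Tags
                $AlertRule.Description = GetDecentDescription $action.Description
                $AlertRule.State = $action.State
                $AlertRule.ActionGroupId = $action.ActionGroupId
                SetActionGroupDetails -alertRule $AlertRule -actionGroup $actionGroup
                $Result += $AlertRule
            }
        }
    }

    # microsoft.insights/scheduledqueryrules
    $scheduledQueryRules = Get-AzScheduledQueryRule
    $scheduledQueryRulesResources = Get-AzResource -ResourceType "microsoft.insights/scheduledqueryrules"
    foreach ($scheduledQueryRule in $scheduledQueryRules) {
        # The generic resource supplies the resource group name and the tags.
        $resource = $scheduledQueryRulesResources | Where-Object { $_.id -eq $scheduledQueryRule.Id }
        $state = ($scheduledQueryRule.Enabled -eq $true) ? "Enabled" : "Disabled"

        # Fixed: tags used to be read from $smartDetectorRule, a stale variable left over
        # from the loop above, so scheduled query rows carried another rule's tags.
        if (($null -eq $scheduledQueryRule.ActionGroup) -or ($scheduledQueryRule.ActionGroup.Length -eq 0)) {
            $AlertRule = NewAlertRuleRow -subscription $subscription -id $scheduledQueryRule.Id -name $scheduledQueryRule.Name -type $scheduledQueryRule.Type -resourceGroupName $resource.ResourceGroupName -tags $resource.Tags
            $AlertRule.Description = GetDecentDescription $scheduledQueryRule.Description
            $AlertRule.State = $state
            $Result += $AlertRule
        }
        else {
            foreach ($action in $scheduledQueryRule.ActionGroup) {
                $actionGroup = $actionGroups | Where-Object { $_.id -eq [uri]::UnescapeDataString($action) }

                $AlertRule = NewAlertRuleRow -subscription $subscription -id $scheduledQueryRule.Id -name $scheduledQueryRule.Name -type $scheduledQueryRule.Type -resourceGroupName $resource.ResourceGroupName -tags $resource.Tags
                $AlertRule.Description = GetDecentDescription $scheduledQueryRule.Description
                $AlertRule.State = $state
                $AlertRule.ActionGroupId = $action
                SetActionGroupDetails -alertRule $AlertRule -actionGroup $actionGroup
                $Result += $AlertRule
            }
        }
    }

    # Microsoft.Insights/metricAlerts
    $metricAlerts = Get-AzMetricAlertRuleV2
    foreach ($metricAlert in $metricAlerts) {
        $state = ($metricAlert.Enabled -eq $true) ? "Enabled" : "Disabled"

        if (($null -eq $metricAlert.Actions) -or ($metricAlert.Actions.Length -eq 0)) {
            $AlertRule = NewAlertRuleRow -subscription $subscription -id $metricAlert.Id -name $metricAlert.Name -type $metricAlert.Type -resourceGroupName $metricAlert.ResourceGroup -tags $metricAlert.Tags
            $AlertRule.Description = GetDecentDescription $metricAlert.Description
            $AlertRule.State = $state
            $Result += $AlertRule
        }
        else {
            foreach ($action in $metricAlert.Actions) {
                $actionGroup = $actionGroups | Where-Object { $_.id -eq [uri]::UnescapeDataString($action.ActionGroupId) }

                $AlertRule = NewAlertRuleRow -subscription $subscription -id $metricAlert.Id -name $metricAlert.Name -type $metricAlert.Type -resourceGroupName $metricAlert.ResourceGroup -tags $metricAlert.Tags
                $AlertRule.Description = GetDecentDescription $metricAlert.Description
                $AlertRule.State = $state
                $AlertRule.ActionGroupId = $action.ActionGroupId
                SetActionGroupDetails -alertRule $AlertRule -actionGroup $actionGroup
                $Result += $AlertRule
            }
        }
    }

    # Microsoft.Insights/ActivityLogAlerts
    $activityLogAlerts = Get-AzActivityLogAlert
    foreach ($activityLogAlert in $activityLogAlerts) {
        $state = ($activityLogAlert.Enabled -eq $true) ? "Enabled" : "Disabled"

        if (($null -eq $activityLogAlert.ActionGroup) -or ($activityLogAlert.ActionGroup.Length -eq 0)) {
            $AlertRule = NewAlertRuleRow -subscription $subscription -id $activityLogAlert.Id -name $activityLogAlert.Name -type $activityLogAlert.Type -resourceGroupName $activityLogAlert.ResourceGroupName -tags $activityLogAlert.Tags
            $AlertRule.Description = GetDecentDescription $activityLogAlert.Description
            $AlertRule.State = $state
            $Result += $AlertRule
        }
        else {
            foreach ($action in $activityLogAlert.ActionGroup) {
                $actionGroup = $actionGroups | Where-Object { $_.id -eq [uri]::UnescapeDataString($action.Id) }

                $AlertRule = NewAlertRuleRow -subscription $subscription -id $activityLogAlert.Id -name $activityLogAlert.Name -type $activityLogAlert.Type -resourceGroupName $activityLogAlert.ResourceGroupName -tags $activityLogAlert.Tags
                $AlertRule.Description = GetDecentDescription $activityLogAlert.Description
                $AlertRule.State = $state
                $AlertRule.ActionGroupId = $action.Id
                SetActionGroupDetails -alertRule $AlertRule -actionGroup $actionGroup
                $Result += $AlertRule
            }
        }
    }
}

$Result | Export-Csv -Path $fileName -NoTypeInformation -Force
$Result | Format-Table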