Reputation: 175
I have created a working KQL query to detect any machine that exists that is not writing to the SecurityEvent log:

```kusto
// All Windows VMs known to Azure Resource Graph (cross-service query)
let AllMachines = arg("").Resources
    | where type == "microsoft.compute/virtualmachines"
        and properties.storageProfile.osDisk.osType == 'Windows'
    | where name !contains "X"
    | distinct name;
// Most recent SecurityEvent per computer in the last day; the domain suffix is
// stripped so the name matches the Resource Graph VM name
let LastEvent = SecurityEvent
    | where TimeGenerated >= ago(1d)
    | where Computer contains "XXXXX"
    | extend Computer = replace(@"XXXXX$", "", Computer)
    | summarize LstEvent = max(TimeGenerated) by Computer;
// Left outer join keeps machines with no events; they get now() - 1d (24 hours)
let MachinesWithLogs = AllMachines
    | join kind=leftouter (LastEvent) on $left.name == $right.Computer
    | project
        All_Machines = name,
        HoursSinceLastLog = datetime_diff('hour', now(), coalesce(LstEvent, now() - 1d));
MachinesWithLogs
| where All_Machines !contains '04'
| summarize trigger=max(HoursSinceLastLog)
    by
    Client='ai Corp',
    Environment='Prod',
    Context= strcat(All_Machines, ' This machine has not written to the SecurityEvents in over 2 Hour')
```
The KQL returns a result, but the alert I've created based on it just does not trigger, even though there are two machines not writing to the log.
So why does referring to ResourceGraphResources break alerting, and has anyone achieved the goal of alerting against all machines that exist?
Upvotes: 0
Views: 39
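To see what the query above actually hands to the alert rule, here is a small local model of its three stages (the `LastEvent` summarize, the left outer join with `coalesce`, and the final per-machine summarize), written as an added example; it is not code from the question or from Azure Monitor. The VM inventory, the event rows, the `.corp.local` suffix standing in for the "XXXXX" placeholder, and the fixed `NOW` are all constructed. It also models two Kusto details that matter for the threshold: `contains` is case-insensitive, and `datetime_diff('hour', a, b)` counts hour boundaries crossed rather than elapsed hours, so a machine that logged ten minutes ago can still show 1.

```python
from datetime import datetime, timedelta, timezone

DOMAIN_SUFFIX = ".corp.local"  # constructed; stands in for the "XXXXX" placeholder in the query
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)  # fixed "now()" so results are reproducible

# Constructed inventory standing in for the arg("").Resources result (Windows VM names).
VM_INVENTORY = ["srv-web-01", "srv-db-02", "srv-app-03", "srv-tmp-04", "SRV-XFER-05"]

# Constructed SecurityEvent rows: (Computer, TimeGenerated).
SECURITY_EVENTS = [
    ("srv-web-01" + DOMAIN_SUFFIX, NOW - timedelta(minutes=10)),
    ("srv-web-01" + DOMAIN_SUFFIX, NOW - timedelta(hours=3)),
    ("srv-db-02" + DOMAIN_SUFFIX, NOW - timedelta(hours=5)),
    ("srv-app-03" + DOMAIN_SUFFIX, NOW - timedelta(days=2)),    # outside ago(1d): app-03 counts as silent
    ("other-host" + DOMAIN_SUFFIX, NOW - timedelta(minutes=1)),  # not in inventory: dropped by the join
]


def kql_datetime_diff_hours(later, earlier):
    """Model of datetime_diff('hour', later, earlier): it counts hour boundaries
    crossed, not elapsed time, so 12:00 vs 11:50 gives 1, not 0."""
    def trunc(d):
        return d.replace(minute=0, second=0, microsecond=0)
    return int((trunc(later) - trunc(earlier)).total_seconds() // 3600)


def last_event_per_computer(events, now, window=timedelta(days=1), suffix=DOMAIN_SUFFIX):
    """Model of the LastEvent block: keep rows inside the lookback window whose
    Computer carries the suffix, strip it, and take max(TimeGenerated) per name."""
    last = {}
    for computer, ts in events:
        if ts < now - window or not computer.endswith(suffix):
            continue
        name = computer[: -len(suffix)]
        if name not in last or ts > last[name]:
            last[name] = ts
    return last


def hours_since_last_log(inventory, last_events, now, window=timedelta(days=1)):
    """Model of AllMachines | join kind=leftouter ... | project HoursSinceLastLog.
    Machines with no event row get coalesce(..., now() - 1d), i.e. a full 24 hours,
    so a silent machine always clears a 2-hour threshold."""
    result = {}
    for name in inventory:
        if "x" in name.lower():  # `name !contains "X"`; KQL contains is case-insensitive
            continue
        last = last_events.get(name, now - window)
        result[name] = kql_datetime_diff_hours(now, last)
    return result


def alert_rows(hours, exclude="04"):
    """Model of the final summarize: one row per Context (machine) with
    trigger = max(HoursSinceLastLog), after the `!contains '04'` exclusion.
    The query itself does not apply the 2-hour threshold; the alert rule does."""
    return [
        (f"{name} This machine has not written to the SecurityEvents in over 2 Hour", h)
        for name, h in sorted(hours.items())
        if exclude not in name
    ]


def machines_over_threshold(hours, threshold_hours=2, exclude="04"):
    """Machines the alert rule should fire on when its condition is trigger > threshold."""
    return sorted(n for n, h in hours.items() if exclude not in n and h > threshold_hours)


if __name__ == "__main__":
    last = last_event_per_computer(SECURITY_EVENTS, NOW)
    hours = hours_since_last_log(VM_INVENTORY, last, NOW)
    for context, trigger in alert_rows(hours):
        print(f"{trigger:>3}h  {context}")
    print("would alert on:", machines_over_threshold(hours))
```

Running it lists three rows (srv-tmp-04 is dropped by the '04' filter and SRV-XFER-05 by the "X" filter): srv-app-03 at 24 hours because its only event is older than the window, srv-db-02 at 5, and srv-web-01 at 1 even though it logged ten minutes ago. If the alert rule fires on `trigger > 2`, the two silent machines are the ones reported, which is the result the query returns on its own; whether the rule can evaluate it at all is a separate matter of the rule's permissions on the Resource Graph scope.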
Reputation: 175
Our cloud service provider answered the question.
The KQL is sound, but there is an alerting permission, and we had not added it on the Azure resource group.
Upvotes: 0