Computer groups in Azure Monitor log queries - Azure Monitor (2023)

Computer groups in Azure Monitor allow you to scope log queries to a particular set of computers. Each group is populated with computers either using a query that you define or by importing groups from different sources. When the group is included in a log query, the results are limited to records that match the computers in the group.

Note

This article was recently updated to use the term Azure Monitor logs instead of Log Analytics. Log data is still stored in a Log Analytics workspace and is still collected and analyzed by the same Log Analytics service. We are updating the terminology to better reflect the role of logs in Azure Monitor. See Azure Monitor terminology changes for details.

Creating a computer group

You can create a computer group in Azure Monitor using any of the methods in the following table. Details on each method are provided in the sections below.

Method / Description
  • Log query: Create a log query that returns a list of computers.
  • Log Search API: Use the Log Search API to programmatically create a computer group based on the results of a log query.
  • Active Directory: Automatically scan the group membership of any agent computers that are members of an Active Directory domain and create a group in Azure Monitor for each security group. (Windows machines only)
  • Configuration Manager: Import collections from Microsoft Endpoint Configuration Manager and create a group in Azure Monitor for each.
  • Windows Server Update Services: Automatically scan WSUS servers or clients for targeting groups and create a group in Azure Monitor for each.

Log query

Computer groups created from a log query contain all of the computers returned by a query that you define. This query is run every time the computer group is used, so any changes since the group was created are reflected.

You can use any query for a computer group, but it must return a distinct set of computers by using distinct Computer. The following is a typical example of a query that you could use as a computer group.

Heartbeat | where Computer contains "srv" | distinct Computer

Use the following procedure to create a computer group from a log search in the Azure portal.

  1. Click Logs in the Azure Monitor menu in the Azure portal.
  2. Create and run a query that returns the computers that you want in the group.
  3. Click Save at the top of the screen.
  4. Change Save as to Function and select Save this query as a computer group.
  5. Provide values for each property for the computer group described in the table and click Save.

The following table describes the properties that define a computer group.

Property / Description
  • Name: Name of the query to display in the portal.
  • Function alias: A unique alias used to identify the computer group in a query.
  • Category: Category to organize the queries in the portal.

Active Directory

When you configure Azure Monitor to import Active Directory group memberships, it analyzes the group membership of any Windows domain-joined computers with the Log Analytics agent. A computer group is created in Azure Monitor for each security group in Active Directory, and each Windows computer is added to the computer groups corresponding to the security groups it is a member of. This membership is continuously updated every 4 hours.

You configure Azure Monitor to import Active Directory security groups from the Computer Groups menu item in your Log Analytics workspace in the Azure portal. Select the Active Directory tab, and then Import Active Directory group memberships from computers. When groups have been imported, the menu lists the number of computers with group membership detected and the number of groups imported. You can click on either of these links to return the ComputerGroup records with this information.

Windows Server Update Service

When you configure Azure Monitor to import WSUS group memberships, it analyzes the targeting group membership of any computers with the Log Analytics agent. If you are using client-side targeting, any computer that is connected to Azure Monitor and is part of any WSUS targeting groups has its group membership imported to Azure Monitor. If you are using server-side targeting, the Log Analytics agent should be installed on the WSUS server in order for the group membership information to be imported to Azure Monitor. This membership is continuously updated every 4 hours.

You configure Azure Monitor to import WSUS groups from the Computer Groups menu item in your Log Analytics workspace in the Azure portal. Select the Windows Server Update Service tab, and then Import WSUS group memberships. When groups have been imported, the menu lists the number of computers with group membership detected and the number of groups imported. You can click on either of these links to return the ComputerGroup records with this information.

Configuration Manager

When you configure Azure Monitor to import Configuration Manager collection memberships, it creates a computer group for each collection. The collection membership information is retrieved every 3 hours to keep the computer groups current. Before you can import Configuration Manager collections, you must connect Configuration Manager to Azure Monitor.

You configure Azure Monitor to import Configuration Manager collections from the Computer Groups menu item in your Log Analytics workspace in the Azure portal. Select the System Center Configuration Manager tab, and then Import Configuration Manager collection memberships. When collections have been imported, the menu lists the number of computers with group membership detected and the number of groups imported. You can click on either of these links to return the ComputerGroup records with this information.

Managing computer groups

You can view computer groups that were created from a log query or the Log Search API from the Computer Groups menu item in your Log Analytics workspace in the Azure portal. Select the Saved Groups tab to view the list of groups.

Click the x in the Remove column to delete the computer group. Click the View members icon for a group to run the group's log search that returns its members. You can't modify a computer group but instead must delete and then recreate it with the modified settings.

Using a computer group in a log query

You use a computer group created from a log query in a query by treating its function alias as a function, typically with the following syntax, where ComputerGroup stands for the alias you saved:

Table | where Computer in (ComputerGroup)

For example, you could use the following to return UpdateSummary records only for computers in a computer group called mycomputergroup.

UpdateSummary | where Computer in (mycomputergroup)

Imported computer groups and their included computers are stored in the ComputerGroup table. For example, the following query would return a list of computers in the Domain Computers group from Active Directory.

ComputerGroup | where GroupSource == "ActiveDirectory" and Group == "Domain Computers" | distinct Computer

The following query would return UpdateSummary records for only computers in Domain Computers.

let ADComputers = ComputerGroup | where GroupSource == "ActiveDirectory" and Group == "Domain Computers" | distinct Computer;
UpdateSummary | where Computer in (ADComputers)
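The same scoping pattern can also be turned around to check the group itself: members of an imported group that have stopped reporting are invisible to every query scoped with `where Computer in (...)`. The following added example (not from the original article) assumes an Active Directory group named "Domain Controllers" has been imported into the ComputerGroup table and that the Heartbeat table is populated by the Log Analytics agent; a saved function alias can be substituted for the DomainControllers expression in the same way.

```kusto
// Added example, not part of the original article.
// Membership snapshot: records from the last two 4-hour import cycles of the
// (assumed) Active Directory group "Domain Controllers".
let DomainControllers =
    ComputerGroup
    | where TimeGenerated > ago(8h)
    | where GroupSource == "ActiveDirectory" and Group == "Domain Controllers"
    | distinct Computer;
// Most recent heartbeat per agent over the last week.
let LastSeen =
    Heartbeat
    | where TimeGenerated > ago(7d)
    | summarize LastHeartbeat = max(TimeGenerated) by Computer;
// Group members with no heartbeat in the last hour: any query scoped with
// "where Computer in (DomainControllers)" silently excludes these hosts.
DomainControllers
| join kind=leftouter LastSeen on Computer
| where isnull(LastHeartbeat) or LastHeartbeat < ago(1h)
| extend Status = iff(isnull(LastHeartbeat), "never reported", "stale")
| project Computer, LastHeartbeat, Status
| order by Status asc, Computer asc
```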

Computer group records

A record is created in the Log Analytics workspace for each computer group membership created from Active Directory or WSUS. These records have a type of ComputerGroup and have the properties in the following table. Records are not created for computer groups based on log queries.

Property / Description
  • Type: ComputerGroup
  • SourceSystem: SourceSystem
  • Computer: Name of the member computer.
  • Group: Name of the group.
  • GroupFullName: Full path to the group including the source and source name.
  • GroupSource: Source that the group was collected from. One of ActiveDirectory, WSUS, WSUSClientTargeting.
  • GroupSourceName: Name of the source that the group was collected from. For Active Directory, this is the domain name.
  • ManagementGroupName: Name of the management group for SCOM agents. For other agents, this is AOI-<workspace ID>.
  • TimeGenerated: Date and time the computer group was created or updated.
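Because a fresh ComputerGroup record is written for each member on every import, the TimeGenerated column can be used to spot membership drift. The following added example (not from the original article) assumes an imported Active Directory group named "Domain Controllers" with records landing every 4 hours, and flags computers that first appeared in the last day or that have been absent from the last two imports.

```kusto
// Added example, not part of the original article. The group name is an
// assumption; replace it with any group present in your ComputerGroup table.
let GroupName = "Domain Controllers";
ComputerGroup
| where TimeGenerated > ago(7d)
| where GroupSource == "ActiveDirectory" and Group == GroupName
// One row per member: when it was first and last reported within the window.
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by Computer
| extend Change = case(
    FirstSeen > ago(1d), "added",    // first reported within the last day
    LastSeen < ago(8h),  "removed",  // missing from the last two 4-hour imports
    "unchanged")
| where Change != "unchanged"
| project Computer, Change, FirstSeen, LastSeen
| order by Change asc, Computer asc
```

The "removed" rule also fires for every member if the import itself stops, so a result listing the whole group as removed points at the collection pipeline rather than at Active Directory.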

Next steps

  • Learn about log queries to analyze the data collected from data sources and solutions.