Problem
Only 4.3% (54/1,255) of resources have `lastModified` timestamps from ARM properties. The `coalesce()` across property name variants helps but most resource providers simply don't expose modification timestamps.
Meanwhile, Phase 2 already collects 10,000+ Activity Log records but only tracks them at the resource group level. The data to determine per-resource last-touch exists — we're just not using it.
Current State
| Data Source | Coverage | Granularity |
|---|---|---|
| `properties.changedTime` (query 01) | 4.3% of resources | Per-resource |
| `properties.creationTime` variants | 24.5% of resources | Per-resource |
| Activity Log (Phase 2) | All resources with ARM operations | Per-RG only (gap!) |
Proposed Solution
After Phase 2 collects activity logs, build a per-resource last-touch index:
```powershell
# In Phase 2, after collecting all logs, index per-resource
$resourceLastTouch = @{}
foreach ($log in $allLogs) {
    # Skip records that are not tied to a specific resource
    if ($null -eq $log.ResourceId) { continue }
    # Normalize case so the same resource is not indexed twice
    $rid = $log.ResourceId.ToLower()
    # Keep only the most recent event for each resource
    if (-not $resourceLastTouch.ContainsKey($rid) -or $log.EventTimestamp -gt $resourceLastTouch[$rid].Timestamp) {
        $resourceLastTouch[$rid] = @{
            Timestamp = $log.EventTimestamp
            Operation = $log.OperationName.Value
            Caller    = $log.Caller
        }
    }
}
```
Then export as `resource-last-touch.csv`:
| ResourceId | LastTouchTime | DaysSinceTouch | LastOperation | LastCaller |
Cross-Reference in XLSX
Join resource inventory with last-touch data to add columns:
- `LastArmOperation` — when the resource was last touched via ARM
- `LastArmCaller` — who did it
- `DaysSinceArmTouch` — staleness signal
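
One way to do the export and the join, as an added example that is not the project's own code. The `$asOf` report date, the `$inventory` shape (an `id` property per resource), and all sample IDs and callers are constructed assumptions; `$resourceLastTouch` has the shape built by the indexing loop above.

```powershell
# Constructed sample data, not real tenant output.
$asOf = ([datetime]'2024-06-30T00:00:00Z').ToUniversalTime()   # hypothetical report date
$sub  = '/subscriptions/00000000-0000-0000-0000-000000000000'  # placeholder subscription

# Same shape as the Phase 2 index: lower-cased resource ID -> last event
$resourceLastTouch = @{
    "$sub/resourcegroups/rg-app/providers/microsoft.storage/storageaccounts/stapp01" = @{
        Timestamp = ([datetime]'2024-06-01T12:00:00Z').ToUniversalTime()
        Operation = 'Microsoft.Storage/storageAccounts/write'
        Caller    = 'ops@example.com'
    }
}

# Inventory IDs keep ARM's original casing, so the lookup must lower-case them.
$inventory = @(
    [pscustomobject]@{ id = "$sub/resourceGroups/rg-app/providers/Microsoft.Storage/storageAccounts/stapp01" }
    [pscustomobject]@{ id = "$sub/resourceGroups/rg-app/providers/Microsoft.Network/publicIPAddresses/pip-old" }
)

# 1) resource-last-touch.csv with the columns listed above
$rows = foreach ($rid in $resourceLastTouch.Keys) {
    $t = $resourceLastTouch[$rid]
    [pscustomobject]@{
        ResourceId     = $rid
        LastTouchTime  = $t.Timestamp.ToString('o')
        DaysSinceTouch = [int][math]::Floor(($asOf - $t.Timestamp).TotalDays)
        LastOperation  = $t.Operation
        LastCaller     = $t.Caller
    }
}
$rows | Sort-Object DaysSinceTouch -Descending |
    Export-Csv -Path 'resource-last-touch.csv' -NoTypeInformation

# 2) Left join onto the inventory. A resource with no ARM operation in the
#    lookback gets empty cells rather than 0, so "no activity seen" is never
#    mistaken for "touched today".
$joined = foreach ($res in $inventory) {
    $t = $resourceLastTouch[$res.id.ToLower()]   # $null when there is no match
    [pscustomobject]@{
        ResourceId        = $res.id
        LastArmOperation  = if ($t) { $t.Timestamp.ToString('o') } else { $null }
        LastArmCaller     = if ($t) { $t.Caller } else { $null }
        DaysSinceArmTouch = if ($t) { [int][math]::Floor(($asOf - $t.Timestamp).TotalDays) } else { $null }
    }
}
$joined | Format-Table -AutoSize
```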
Why This Is Better Than changedTime
- Covers 100% of resources that had any ARM operation in the lookback period
- Activity Log captures operations that don't change `properties` (reads, failed writes, policy evaluations)
- Cross-referenced with cost and metrics, this completes the staleness picture
Acceptance Criteria