@BizzerAdam, thank you for posting this question and sharing this feedback.
You are right, currently we do not have the option to target an alert rule based on no specific tag of the resource.
The following are some of the ways that could be leveraged for this scenario:
- Ensure that these VMs are in a single resource group so that the alert rule can be applied at Resource group level.
- Another option could be to ensure that these VMs of interest are sending data to a single Log Analytics Workspace. If the workspace level isolation is possible such that no other VM sends data to this LA workspace, then Azure Policy could be used to associate these VMs based on tags to pre created Data Collection Rule (DCR). In this case, a single DCR is used to collect data from all VMs matching specific criteria (for example based on specific tag) and sending it to a single LA workspace.
One of the inbuilt Azure Policy definitions that could be used it this case is - Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint
Note that this policy does not filter based on tags, but the definition could be updated to include that as well.
- One more option, in case all the VMs send data to a single LA workspace would be to use "Log based alert rule". In this case, the query could contain a filter to match specific criteria in the name (for example name contains "VIP" etc.). This way, the rule only alerts when required condition is met for these set of VMs.
Hope this helps.
Please let me know if you need more information on any specific methodology.