![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 3%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERB%3C/text%3E%3C/svg%3E)
Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
2,799 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 43%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMM%3C/text%3E%3C/svg%3E)
I haven't experimented with this feature but usually auto resolution requires a threshold or state for a monitoring system to auto resolve. Metrics are easy. When the metric drops the threshold it can be auto resolved. I assume the built-in policy alerts could also auto resolve based on the compliance status. In SCOM we use a timer or positive event to resolve the state.
Stateless and stateful refer to the ability to identify a state (healthy/unhealthy). Stateless is unaware of the state.
Ideally, when the query runs and the results are below the stated threshold the alert will be resolved. You might want to revisit the queries to ensure the outcome is represented as a threshold. In simpler terms it can be number of rows returned. If that is unsuccessful you might try rendering the results as time series (bin) data. Something like the following example; basing the threshold on the count.
SecurityEvent
| summarize count() by bin(TimeGenerated, 1h)
| render timechart