Share via

is the alert monitor condition overwritten to resolved (from fired)in AlertsManagementResources table in AzureResourceGraph

Anjali Gobari 60 Reputation points
2025-04-04T12:00:11.3133333+00:00

Hi i have been working on creating a workbook for monitoring the alerts that are fired. However i see the history of last 24 hours and all the alerts seems to be resolved and unique alert id.

my question is as follows:

  1. Is the monitor condition of fired alert being changed from fired to resolved, and the logs are also overwritten (with new alertID), since i don't see any alertID repeating which shouldnt be the case in the alert lifecycle. ideally the same alertID should be logged with a different states (fired and resolved )if there is no overwriting happening. but i only see resolved alerts in the history.
  2. how is the alert metadata logged?
Azure Monitor
Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
3,566 questions
0 comments
Accepted answer
  1. Vinodh247 32,281 Reputation points MVP
    2025-04-05T10:38:17.89+00:00

    Hi ,

    Thanks for reaching out to Microsoft Q&A.

    You are asking a very relevant question when it comes to understanding Azure Monitor alert lifecycle tracking using Azure Resource Graph, specifically the AlertsManagementResources table.

    Here is a clear breakdown to address your concern:

    1. Alert Lifecycle and monitorCondition Behavior
    • In Azure Monitor, each alert instance is identified by a unique alertId.

    The monitorCondition typically reflects the current state of the alert: either "Fired" or "Resolved".

    • ARG does not log historical state transitions. It always returns the latest snapshot of each alert. So: If the alert was fired and then resolved within the query time range, you will only see it with monitorCondition = "Resolved".
      • The same alertId will not appear twice in the results with both fired and resolved, it shows only the latest state.

    Hence, you are not seeing overwritten logs, but ARG is giving you the latest state only.

    1. Why Only Resolved Alerts Are Visible
    • This likely means:
      • All alerts fired and then resolved within the 24hr window you are querying.
      • ARG only shows the current state per alert, so if it was resolved, you see that state, not the previous "Fired" state.
      If the alert fired and has not yet resolved, you would see it with "monitorCondition": "Fired".
    1. What About Alert History and Full Lifecycle?
    • If you want full lifecycle tracking (both fired and resolved events with timestamps), you should not rely solely on ARG.
    • Instead, use:
      • Azure Monitor Activity Logs (AzureDiagnostics table)
      • Log Analytics with alert rule diagnostics enabled (this logs all state transitions)
      • Or push alert lifecycle to Log Analytics using Action Groups (via Logic Apps or Azure Functions)

    Please feel free to click the 'Upvote' (Thumbs-up) button and 'Accept as Answer'. This helps the community by allowing others with similar queries to easily find the solution.

    0 comments

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.