Udostępnij za pośrednictwem


Przykładowe ładunki alertów

Typowy schemat alertu standandaryzuje środowisko użycia dla powiadomień o alertach na platformie Azure. W przeszłości dziennik aktywności, metryka i alerty przeszukiwania dzienników miały własne szablony wiadomości e-mail i schematy elementów webhook. Wspólny schemat alertu zawiera jeden ustandaryzowany schemat dla wszystkich powiadomień o alertach.

Ustandaryzowany schemat może pomóc zminimalizować liczbę integracji, co upraszcza proces zarządzania i obsługi integracji.

Wspólny schemat zawiera informacje o zasobie, którego dotyczy problem, oraz przyczynę alertu w poniższych sekcjach:

  • Podstawowe informacje: pola ustandaryzowane, używane przez wszystkie typy alertów, które opisują zasób, na który ma wpływ alert i typowe metadane alertu, takie jak ważność lub opis.

    Jeśli chcesz kierować wystąpienia alertów do określonych zespołów na podstawie kryteriów, takich jak grupa zasobów, możesz użyć pól w sekcji Podstawy, aby zapewnić logikę routingu dla wszystkich typów alertów . Zespoły, które otrzymają powiadomienie o alercie, mogą następnie używać pól kontekstu do badania.

  • Kontekst alertu: pola, które różnią się w zależności od typu alertu. Pola kontekstu alertu opisują przyczynę alertu. Na przykład alert metryki będzie zawierać pola, takie jak nazwa metryki i wartość metryki w kontekście alertu. Alert dziennika aktywności zawiera informacje o zdarzeniu, które wygenerowało alert.

  • Właściwości niestandardowe: możesz dodać więcej informacji do ładunku alertu, dodając właściwości niestandardowe, jeśli skonfigurowano grupy akcji dla reguły alertu dotyczącego metryki.

    Uwaga

    Właściwości niestandardowe są obecnie obsługiwane tylko przez alerty metryk. W przypadku wszystkich innych typów alertów pole właściwości niestandardowych ma wartość null.

Przykładowy ładunek alertu

{
  "schemaId": "azureMonitorCommonAlertSchema",
  "data": {
    "essentials": {
      "alertId": "/subscriptions/<subscription ID>/providers/Microsoft.AlertsManagement/alerts/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e",
      "alertRule": "WCUS-R2-Gen2",
      "severity": "Sev3",
      "signalType": "Metric",
      "monitorCondition": "Resolved",
      "monitoringService": "Platform",
      "alertTargetIDs": [
        "/subscriptions/<subscription ID>/resourcegroups/pipelinealertrg/providers/microsoft.compute/virtualmachines/wcus-r2-gen2"
      ],
      "configurationItems": [
        "wcus-r2-gen2"
      ],
      "originAlertId": "3f2d4487-b0fc-4125-8bd5-7ad17384221e_PipeLineAlertRG_microsoft.insights_metricAlerts_WCUS-R2-Gen2_-117781227",
      "firedDateTime": "2019-03-22T13:58:24.3713213Z",
      "resolvedDateTime": "2019-03-22T14:03:16.2246313Z",
      "description": "",
      "essentialsVersion": "1.0",
      "alertContextVersion": "1.0"
    },
    "alertContext": {
      "properties": null,
      "conditionType": "SingleResourceMultipleMetricCriteria",
      "condition": {
        "windowSize": "PT5M",
        "allOf": [
          {
            "metricName": "Percentage CPU",
            "metricNamespace": "Microsoft.Compute/virtualMachines",
            "operator": "GreaterThan",
            "threshold": "25",
            "timeAggregation": "Average",
            "dimensions": [
              {
                "name": "ResourceId",
                "value": "3efad9dc-3d50-4eac-9c87-8b3fd6f97e4e"
              }
            ],
            "metricValue": 7.727
          }
        ]
      }
    }
  }
}

Przykładowe alerty metryk

Poniżej przedstawiono przykładowe ładunki alertów dotyczących metryk.

Alert dotyczący metryki z progiem statycznym i wartością monitoringService = Platform

{
  "alertContext": {
      "properties": null,
      "conditionType": "SingleResourceMultipleMetricCriteria",
      "condition": {
        "windowSize": "PT5M",
        "allOf": [
          {
            "metricName": "Percentage CPU",
            "metricNamespace": "Microsoft.Compute/virtualMachines",
            "operator": "GreaterThan",
            "threshold": "25",
            "timeAggregation": "Average",
            "dimensions": [
              {
                "name": "ResourceId",
                "value": "3efad9dc-3d50-4eac-9c87-8b3fd6f97e4e"
              }
            ],
            "metricValue": 31.1105
          }
        ],
        "windowStartTime": "2019-03-22T13:40:03.064Z",
        "windowEndTime": "2019-03-22T13:45:03.064Z"
      }
    }
}

Alert metryki z progiem dynamicznym i monitorService = Platforma

{
  "alertContext": {
      "properties": null,
      "conditionType": "DynamicThresholdCriteria",
      "condition": {
        "windowSize": "PT5M",
        "allOf": [
          {
            "alertSensitivity": "High",
            "failingPeriods": {
              "numberOfEvaluationPeriods": 1,
              "minFailingPeriodsToAlert": 1
            },
            "ignoreDataBefore": null,
            "metricName": "Egress",
            "metricNamespace": "microsoft.storage/storageaccounts",
            "operator": "GreaterThan",
            "threshold": "47658",
            "timeAggregation": "Total",
            "dimensions": [],
            "metricValue": 50101
          }
        ],
        "windowStartTime": "2021-07-20T05:07:26.363Z",
        "windowEndTime": "2021-07-20T05:12:26.363Z"
      }
    }
}

Alert dotyczący metryk dla testów dostępności i monitorService = Platforma

{
  "alertContext": {
      "properties": null,
      "conditionType": "WebtestLocationAvailabilityCriteria",
      "condition": {
        "windowSize": "PT5M",
        "allOf": [
          {
            "metricName": "Failed Location",
            "metricNamespace": null,
            "operator": "GreaterThan",
            "threshold": "2",
            "timeAggregation": "Sum",
            "dimensions": [],
            "metricValue": 5,
            "webTestName": "myAvailabilityTest-myApplication"
          }
        ],
        "windowStartTime": "2019-03-22T13:40:03.064Z",
        "windowEndTime": "2019-03-22T13:45:03.064Z"
      }
    }
}

Przykładowe alerty przeszukiwania dzienników

Uwaga

Po włączeniu wspólnego schematu pola w ładunku są resetowane do typowych pól schematu. W związku z tym alerty przeszukiwania dzienników mają następujące ograniczenia dotyczące wspólnego schematu:

  • Wspólny schemat nie jest obsługiwany w przypadku alertów przeszukiwania dzienników przy użyciu elementów webhook z niestandardowym tematem wiadomości e-mail i/lub ładunkiem JSON, ponieważ wspólny schemat zastępuje konfiguracje niestandardowe.
  • Alerty korzystające ze wspólnego schematu mają górny limit rozmiaru 256 KB na alert. Jeśli ładunek alertów przeszukiwania dzienników zawiera wyniki wyszukiwania, które powodują przekroczenie maksymalnego rozmiaru alertu, wyniki wyszukiwania nie są osadzone w ładunku alertów przeszukiwania dzienników. Możesz sprawdzić, czy ładunek zawiera wyniki wyszukiwania z flagą IncludedSearchResults . Użyj LinkToFilteredSearchResultsAPI polecenia lub LinkToSearchResultsAPI , aby uzyskać dostęp do wyników zapytania za pomocą interfejsu API usługi Log Analytics, jeśli wyniki wyszukiwania nie są uwzględnione.

Alert przeszukiwania dzienników z usługą monitoringService = Platforma

{
  "alertContext": {
    "SearchQuery": "Perf | where ObjectName == \"Processor\" and CounterName == \"% Processor Time\" | summarize AggregatedValue = avg(CounterValue) by bin(TimeGenerated, 5m), Computer",
    "SearchIntervalStartTimeUtc": "3/22/2019 1:36:31 PM",
    "SearchIntervalEndtimeUtc": "3/22/2019 1:51:31 PM",
    "ResultCount": 2,
    "LinkToSearchResults": "https://portal.azure.com/#Analyticsblade/search/index?_timeInterval.intervalEnd=2018-03-26T09%3a10%3a40.0000000Z&_timeInterval.intervalDuration=3600&q=Usage",
    "LinkToFilteredSearchResultsUI": "https://portal.azure.com/#Analyticsblade/search/index?_timeInterval.intervalEnd=2018-03-26T09%3a10%3a40.0000000Z&_timeInterval.intervalDuration=3600&q=Usage",
    "LinkToSearchResultsAPI": "https://api.loganalytics.io/v1/workspaces/workspaceID/query?query=Heartbeat&timespan=2020-05-07T18%3a11%3a51.0000000Z%2f2020-05-07T18%3a16%3a51.0000000Z",
    "LinkToFilteredSearchResultsAPI": "https://api.loganalytics.io/v1/workspaces/workspaceID/query?query=Heartbeat&timespan=2020-05-07T18%3a11%3a51.0000000Z%2f2020-05-07T18%3a16%3a51.0000000Z",
    "SeverityDescription": "Warning",
    "WorkspaceId": "12345a-1234b-123c-123d-12345678e",
    "SearchIntervalDurationMin": "15",
    "AffectedConfigurationItems": [
      "INC-Gen2Alert"
    ],
    "SearchIntervalInMinutes": "15",
    "Threshold": 10000,
    "Operator": "Less Than",
    "Dimensions": [
      {
        "name": "Computer",
        "value": "INC-Gen2Alert"
      }
    ],
    "SearchResults": {
      "tables": [
        {
          "name": "PrimaryResult",
          "columns": [
            {
              "name": "$table",
              "type": "string"
            },
            {
              "name": "Computer",
              "type": "string"
            },
            {
              "name": "TimeGenerated",
              "type": "datetime"
            }
          ],
          "rows": [
            [
              "Fabrikam",
              "33446677a",
              "2018-02-02T15:03:12.18Z"
            ],
            [
              "Contoso",
              "33445566b",
              "2018-02-02T15:16:53.932Z"
            ]
          ]
        }
      ],
      "dataSources": [
        {
          "resourceId": "/subscriptions/bbbb1b1b-cc2c-dd3d-ee4e-ffffff5f5f5f/resourcegroups/test/providers/microsoft.operationalinsights/workspaces/test",
          "tables": [
            "Heartbeat"
          ]
        }
      ]
    },
    "IncludedSearchResults": "True",
    "AlertType": "Metric measurement"
  }
}

Alert przeszukiwania dzienników z usługą monitoringService = Application Insights

{
  "alertContext": {
    "SearchQuery": "requests | where resultCode == \"500\" | summarize AggregatedValue = Count by bin(Timestamp, 5m), IP",
    "SearchIntervalStartTimeUtc": "3/22/2019 1:36:33 PM",
    "SearchIntervalEndtimeUtc": "3/22/2019 1:51:33 PM",
    "ResultCount": 2,
    "LinkToSearchResults": "https://portal.azure.com/AnalyticsBlade/subscriptions/12345a-1234b-123c-123d-12345678e/?query=search+*+&timeInterval.intervalEnd=2018-03-26T09%3a10%3a40.0000000Z&_timeInterval.intervalDuration=3600&q=Usage",
    "LinkToFilteredSearchResultsUI": "https://portal.azure.com/AnalyticsBlade/subscriptions/12345a-1234b-123c-123d-12345678e/?query=search+*+&timeInterval.intervalEnd=2018-03-26T09%3a10%3a40.0000000Z&_timeInterval.intervalDuration=3600&q=Usage",
    "LinkToSearchResultsAPI": "https://api.applicationinsights.io/v1/apps/0MyAppId0/metrics/requests/count",
    "LinkToFilteredSearchResultsAPI": "https://api.applicationinsights.io/v1/apps/0MyAppId0/metrics/requests/count",
    "SearchIntervalDurationMin": "15",
    "SearchIntervalInMinutes": "15",
    "Threshold": 10000.0,
    "Operator": "Less Than",
    "ApplicationId": "00001111-aaaa-2222-bbbb-3333cccc4444",
    "Dimensions": [
      {
        "name": "IP",
        "value": "1.1.1.1"
      }
    ],
    "SearchResults": {
      "tables": [
        {
          "name": "PrimaryResult",
          "columns": [
            {
              "name": "$table",
              "type": "string"
            },
            {
              "name": "Id",
              "type": "string"
            },
            {
              "name": "Timestamp",
              "type": "datetime"
            }
          ],
          "rows": [
            [
              "Fabrikam",
              "33446677a",
              "2018-02-02T15:03:12.18Z"
            ],
            [
              "Contoso",
              "33445566b",
              "2018-02-02T15:16:53.932Z"
            ]
          ]
        }
      ],
      "dataSources": [
        {
          "resourceId": "/subscriptions/cccc2c2c-dd3d-ee4e-ff5f-aaaaaa6a6a6a/resourcegroups/test/providers/microsoft.operationalinsights/workspaces/test",
          "tables": [
            "Heartbeat"
          ]
        }
      ]
    },
    "IncludedSearchResults": "True",
    "AlertType": "Metric measurement"
  }
}

Alert przeszukiwania dzienników z usługą monitoringService = Alerty dzienników w wersji 2

Uwaga

Reguły alertów przeszukiwania dzienników z interfejsu API w wersji 2020-05-01 używają tego typu ładunku, który obsługuje tylko wspólny schemat. Wyniki wyszukiwania nie są osadzone w ładunku alertów przeszukiwania dzienników podczas korzystania z tej wersji. Użyj wymiarów , aby zapewnić kontekst wyzwalanych alertów. Możesz również użyć LinkToFilteredSearchResultsAPI funkcji lub LinkToSearchResultsAPI uzyskać dostęp do wyników zapytań za pomocą interfejsu API usługi Log Analytics. Jeśli musisz osadzić wyniki, użyj aplikacji logiki z podanymi linkami, aby wygenerować niestandardowy ładunek.

{
  "alertContext": {
    "properties": {
      "name1": "value1",
      "name2": "value2"
    },
    "conditionType": "LogQueryCriteria",
    "condition": {
      "windowSize": "PT10M",
      "allOf": [
        {
          "searchQuery": "Heartbeat",
          "metricMeasureColumn": "CounterValue",
          "targetResourceTypes": "['Microsoft.Compute/virtualMachines']",
          "operator": "LowerThan",
          "threshold": "1",
          "timeAggregation": "Count",
          "dimensions": [
            {
              "name": "Computer",
              "value": "TestComputer"
            }
          ],
          "metricValue": 0.0,
          "failingPeriods": {
            "numberOfEvaluationPeriods": 1,
            "minFailingPeriodsToAlert": 1
          },
          "linkToSearchResultsUI": "https://portal.azure.com#@12345a-1234b-123c-123d-12345678e/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/source/Alerts.EmailLinks/scope/%7B%22resources%22%3A%5B%7B%22resourceId%22%3A%22%2Fsubscriptions%212345a-1234b-123c-123d-12345678e%2FresourceGroups%2FContoso%2Fproviders%2FMicrosoft.Compute%2FvirtualMachines%2FContoso%22%7D%5D%7D/q/eJzzSE0sKklKTSypUSjPSC1KVQjJzE11T81LLUosSU1RSEotKU9NzdNIAfJKgDIaRgZGBroG5roGliGGxlYmJlbGJnoGEKCpp4dDmSmKMk0A/prettify/1/timespan/2020-07-07T13%3a54%3a34.0000000Z%2f2020-07-09T13%3a54%3a34.0000000Z",
          "linkToFilteredSearchResultsUI": "https://portal.azure.com#@12345a-1234b-123c-123d-12345678e/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/source/Alerts.EmailLinks/scope/%7B%22resources%22%3A%5B%7B%22resourceId%22%3A%22%2Fsubscriptions%212345a-1234b-123c-123d-12345678e%2FresourceGroups%2FContoso%2Fproviders%2FMicrosoft.Compute%2FvirtualMachines%2FContoso%22%7D%5D%7D/q/eJzzSE0sKklKTSypUSjPSC1KVQjJzE11T81LLUosSU1RSEotKU9NzdNIAfJKgDIaRgZGBroG5roGliGGxlYmJlbGJnoGEKCpp4dDmSmKMk0A/prettify/1/timespan/2020-07-07T13%3a54%3a34.0000000Z%2f2020-07-09T13%3a54%3a34.0000000Z",
          "linkToSearchResultsAPI": "https://api.loganalytics.io/v1/subscriptions/12345a-1234b-123c-123d-12345678e/resourceGroups/Contoso/providers/Microsoft.Compute/virtualMachines/Contoso/query?query=Heartbeat%7C%20where%20TimeGenerated%20between%28datetime%282020-07-09T13%3A44%3A34.0000000%29..datetime%282020-07-09T13%3A54%3A34.0000000%29%29&timespan=2020-07-07T13%3a54%3a34.0000000Z%2f2020-07-09T13%3a54%3a34.0000000Z",
          "linkToFilteredSearchResultsAPI": "https://api.loganalytics.io/v1/subscriptions/12345a-1234b-123c-123d-12345678e/resourceGroups/Contoso/providers/Microsoft.Compute/virtualMachines/Contoso/query?query=Heartbeat%7C%20where%20TimeGenerated%20between%28datetime%282020-07-09T13%3A44%3A34.0000000%29..datetime%282020-07-09T13%3A54%3A34.0000000%29%29&timespan=2020-07-07T13%3a54%3a34.0000000Z%2f2020-07-09T13%3a54%3a34.0000000Z"
        }
      ],
      "windowStartTime": "2020-07-07T13:54:34Z",
      "windowEndTime": "2020-07-09T13:54:34Z"
    }
  }
}

Przykładowe alerty dziennika aktywności

Alert dziennika aktywności z usługą monitoringService = Activity Log - Administrative

{
  "alertContext": {
      "authorization": {
        "action": "Microsoft.Compute/virtualMachines/restart/action",
        "scope": "/subscriptions/<subscription ID>/resourceGroups/PipeLineAlertRG/providers/Microsoft.Compute/virtualMachines/WCUS-R2-ActLog"
      },
      "channels": "Operation",
      "claims": "{\"aud\":\"https://management.core.windows.net/\",\"iss\":\"https://sts.windows.net/12345a-1234b-123c-123d-12345678e/\",\"iat\":\"1553260826\",\"nbf\":\"1553260826\",\"exp\":\"1553264726\",\"aio\":\"42JgYNjdt+rr+3j/dx68v018XhuFAwA=\",\"appid\":\"11112222-bbbb-3333-cccc-4444dddd5555\",\"appidacr\":\"2\",\"http://schemas.microsoft.com/identity/claims/identityprovider\":\"https://sts.windows.net/12345a-1234b-123c-123d-12345678e/\",\"http://schemas.microsoft.com/identity/claims/objectidentifier\":\"22223333-cccc-4444-dddd-5555eeee6666\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier\":\"22223333-cccc-4444-dddd-5555eeee6666\",\"http://schemas.microsoft.com/identity/claims/tenantid\":\"12345a-1234b-123c-123d-12345678e\",\"uti\":\"v5wYC9t9ekuA2rkZSVZbAA\",\"ver\":\"1.0\"}",
      "caller": "22223333-cccc-4444-dddd-5555eeee6666",
      "correlationId": "aaaa0000-bb11-2222-33cc-444444dddddd",
      "eventSource": "Administrative",
      "eventTimestamp": "2019-03-22T13:56:31.2917159+00:00",
      "eventDataId": "161fda7e-1cb4-4bc5-9c90-857c55a8f57b",
      "level": "Informational",
      "operationName": "Microsoft.Compute/virtualMachines/restart/action",
      "operationId": "310db69b-690f-436b-b740-6103ab6b0cba",
      "status": "Succeeded",
      "subStatus": "",
      "submissionTimestamp": "2019-03-22T13:56:54.067593+00:00"
    }
}

Alert dziennika aktywności z usługą monitoringService = Activity Log - Policy

{
  "alertContext": {
    "authorization": {
      "action": "Microsoft.Resources/checkPolicyCompliance/read",
      "scope": "/subscriptions/<GUID>"
    },
    "channels": "Operation",
    "claims": "{\"aud\":\"https://management.azure.com/\",\"iss\":\"https://sts.windows.net/<GUID>/\",\"iat\":\"1566711059\",\"nbf\":\"1566711059\",\"exp\":\"1566740159\",\"aio\":\"42FgYOhynHNw0scy3T/bL71+xLyqEwA=\",\"appid\":\"<GUID>\",\"appidacr\":\"2\",\"http://schemas.microsoft.com/identity/claims/identityprovider\":\"https://sts.windows.net/<GUID>/\",\"http://schemas.microsoft.com/identity/claims/objectidentifier\":\"<GUID>\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier\":\"<GUID>\",\"http://schemas.microsoft.com/identity/claims/tenantid\":\"<GUID>\",\"uti\":\"Miy1GzoAG0Scu_l3m1aIAA\",\"ver\":\"1.0\"}",
    "caller": "<GUID>",
    "correlationId": "<GUID>",
    "eventSource": "Policy",
    "eventTimestamp": "2019-08-25T11:11:34.2269098+00:00",
    "eventDataId": "<GUID>",
    "level": "Warning",
    "operationName": "Microsoft.Authorization/policies/audit/action",
    "operationId": "<GUID>",
    "properties": {
      "isComplianceCheck": "True",
      "resourceLocation": "eastus2",
      "ancestors": "<GUID>",
      "policies": "[{\"policyDefinitionId\":\"/providers/Microsoft.Authorization/policyDefinitions/<GUID>/\",\"policySetDefinitionId\":\"/providers/Microsoft.Authorization/policySetDefinitions/<GUID>/\",\"policyDefinitionReferenceId\":\"vulnerabilityAssessmentMonitoring\",\"policySetDefinitionName\":\"<GUID>\",\"policyDefinitionName\":\"<GUID>\",\"policyDefinitionEffect\":\"AuditIfNotExists\",\"policyAssignmentId\":\"/subscriptions/<GUID>/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn/\",\"policyAssignmentName\":\"SecurityCenterBuiltIn\",\"policyAssignmentScope\":\"/subscriptions/<GUID>\",\"policyAssignmentSku\":{\"name\":\"A1\",\"tier\":\"Standard\"},\"policyAssignmentParameters\":{}}]"
    },
    "status": "Succeeded",
    "subStatus": "",
    "submissionTimestamp": "2019-08-25T11:12:46.1557298+00:00"
  }
}

Alert dziennika aktywności z usługą monitoringService = Activity Log - Autoscale

{
  "alertContext": {
    "channels": "Admin, Operation",
    "claims": "{\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/spn\":\"Microsoft.Insights/autoscaleSettings\"}",
    "caller": "Microsoft.Insights/autoscaleSettings",
    "correlationId": "<GUID>",
    "eventSource": "Autoscale",
    "eventTimestamp": "2019-08-21T16:17:47.1551167+00:00",
    "eventDataId": "<GUID>",
    "level": "Informational",
    "operationName": "Microsoft.Insights/AutoscaleSettings/Scaleup/Action",
    "operationId": "<GUID>",
    "properties": {
      "description": "The autoscale engine attempting to scale resource '/subscriptions/d<GUID>/resourceGroups/testRG/providers/Microsoft.Compute/virtualMachineScaleSets/testVMSS' from 9 instances count to 10 instances count.",
      "resourceName": "/subscriptions/<GUID>/resourceGroups/voiceassistancedemo/providers/Microsoft.Compute/virtualMachineScaleSets/alexademo",
      "oldInstancesCount": "9",
      "newInstancesCount": "10",
      "activeAutoscaleProfile": "{\r\n  \"Name\": \"Auto created scale condition\",\r\n  \"Capacity\": {\r\n    \"Minimum\": \"1\",\r\n    \"Maximum\": \"10\",\r\n    \"Default\": \"1\"\r\n  },\r\n  \"Rules\": [\r\n    {\r\n      \"MetricTrigger\": {\r\n        \"Name\": \"Percentage CPU\",\r\n        \"Namespace\": \"microsoft.compute/virtualmachinescalesets\",\r\n        \"Resource\": \"/subscriptions/<GUID>/resourceGroups/testRG/providers/Microsoft.Compute/virtualMachineScaleSets/testVMSS\",\r\n        \"ResourceLocation\": \"eastus\",\r\n        \"TimeGrain\": \"PT1M\",\r\n        \"Statistic\": \"Average\",\r\n        \"TimeWindow\": \"PT5M\",\r\n        \"TimeAggregation\": \"Average\",\r\n        \"Operator\": \"GreaterThan\",\r\n        \"Threshold\": 0.0,\r\n        \"Source\": \"/subscriptions/<GUID>/resourceGroups/testRG/providers/Microsoft.Compute/virtualMachineScaleSets/testVMSS\",\r\n        \"MetricType\": \"MDM\",\r\n        \"Dimensions\": [],\r\n        \"DividePerInstance\": false\r\n      },\r\n      \"ScaleAction\": {\r\n        \"Direction\": \"Increase\",\r\n        \"Type\": \"ChangeCount\",\r\n        \"Value\": \"1\",\r\n        \"Cooldown\": \"PT1M\"\r\n      }\r\n    }\r\n  ]\r\n}",
      "lastScaleActionTime": "Wed, 21 Aug 2019 16:17:47 GMT"
    },
    "status": "Succeeded",
    "submissionTimestamp": "2019-08-21T16:17:47.2410185+00:00"
  }
}

Alert dziennika aktywności z usługą monitoringService = Activity Log - Security

{
  "alertContext": {
    "channels": "Operation",
    "correlationId": "<GUID>",
    "eventSource": "Security",
    "eventTimestamp": "2019-08-26T08:34:14+00:00",
    "eventDataId": "<GUID>",
    "level": "Informational",
    "operationName": "Microsoft.Security/locations/alerts/activate/action",
    "operationId": "<GUID>",
    "properties": {
      "threatStatus": "Quarantined",
      "category": "Virus",
      "threatID": "2147519003",
      "filePath": "C:\\AlertGeneration\\test.eicar",
      "protectionType": "Windows Defender",
      "actionTaken": "Blocked",
      "resourceType": "Virtual Machine",
      "severity": "Low",
      "compromisedEntity": "testVM",
      "remediationSteps": "[\"No user action is necessary\"]",
      "attackedResourceType": "Virtual Machine"
    },
    "status": "Active",
    "submissionTimestamp": "2019-08-26T09:28:58.3019107+00:00"
  }
}

Alert dziennika aktywności z monitoringService = ServiceHealth

{
  "alertContext": {
    "authorization": null,
    "channels": 1,
    "claims": null,
    "caller": null,
    "correlationId": "bbbb1111-cc22-3333-44dd-555555eeeeee",
    "eventSource": 2,
    "eventTimestamp": "2019-06-24T11:31:19.0312699+00:00",
    "httpRequest": null,
    "eventDataId": "<GUID>",
    "level": 3,
    "operationName": "Microsoft.ServiceHealth/maintenance/action",
    "operationId": "<GUID>",
    "properties": {
      "title": "Azure Synapse Analytics Scheduled Maintenance Pending",
      "service": "Azure Synapse Analytics",
      "region": "East US",
      "communication": "<MESSAGE>",
      "incidentType": "Maintenance",
      "trackingId": "<GUID>",
      "impactStartTime": "2019-06-26T04:00:00Z",
      "impactMitigationTime": "2019-06-26T12:00:00Z",
      "impactedServices": "[{\"ImpactedRegions\":[{\"RegionName\":\"East US\"}],\"ServiceName\":\"Azure Synapse Analytics\"}]",
      "impactedServicesTableRows": "<tr>\r\n<td align='center' style='padding: 5px 10px; border-right:1px solid black; border-bottom:1px solid black'>Azure Synapse Analytics</td>\r\n<td align='center' style='padding: 5px 10px; border-bottom:1px solid black'>East US<br></td>\r\n</tr>\r\n",
      "defaultLanguageTitle": "Azure Synapse Analytics Scheduled Maintenance Pending",
      "defaultLanguageContent": "<MESSAGE>",
      "stage": "Planned",
      "communicationId": "<GUID>",
      "maintenanceId": "<GUID>",
      "isHIR": "false",
      "version": "0.1.1"
    },
    "status": "Active",
    "subStatus": null,
    "submissionTimestamp": "2019-06-24T11:31:31.7147357+00:00",
    "ResourceType": null
  }
}

Alert dziennika aktywności z usługą monitoringService = ResourceHealth

{
  "alertContext": {
    "channels": "Admin, Operation",
    "correlationId": "<GUID>",
    "eventSource": "ResourceHealth",
    "eventTimestamp": "2019-06-24T15:42:54.074+00:00",
    "eventDataId": "<GUID>",
    "level": "Informational",
    "operationName": "Microsoft.Resourcehealth/healthevent/Activated/action",
    "operationId": "<GUID>",
    "properties": {
      "title": "This virtual machine is stopping and deallocating as requested by an authorized user or process",
      "details": null,
      "currentHealthStatus": "Unavailable",
      "previousHealthStatus": "Available",
      "type": "Downtime",
      "cause": "UserInitiated"
    },
    "status": "Active",
    "submissionTimestamp": "2019-06-24T15:45:20.4488186+00:00"
  }
}

Przykładowy alert Prometheus

{
  "alertContext": {
    "interval": "PT1M",
    "expression": "sql_up > 0",
    "expressionValue": "0",
    "for": "PT2M",
    "labels": {
      "Environment": "Prod",
      "cluster": "myCluster1"
    },
    "annotations": {
      "summary": "alert on SQL availability"
    },
    "ruleGroup": "/subscriptions/<subscription ID>/resourceGroups/myResourceGroup/providers/Microsoft.AlertsManagement/prometheusRuleGroups/myRuleGroup"
  }
}

Przykładowe ładunki dla akcji testowych

Przykładowy alert akcji testu

{
  "schemaId": "azureMonitorCommonAlertSchema",
  "data": {
    "essentials": {
      "alertId": "/subscriptions/<subscription ID>/providers/Microsoft.AlertsManagement/alerts/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e",
      "alertRule": "WCUS-R2-Gen2",
      "severity": "Sev3",
      "signalType": "Metric",
      "monitorCondition": "Resolved",
      "monitoringService": "Platform",
      "alertTargetIDs": [
        "/subscriptions/<subscription ID>/resourcegroups/pipelinealertrg/providers/microsoft.compute/virtualmachines/wcus-r2-gen2"
      ],
      "configurationItems": [
        "wcus-r2-gen2"
      ],
      "originAlertId": "3f2d4487-b0fc-4125-8bd5-7ad17384221e_PipeLineAlertRG_microsoft.insights_metricAlerts_WCUS-R2-Gen2_-117781227",
      "firedDateTime": "2019-03-22T13:58:24.3713213Z",
      "resolvedDateTime": "2019-03-22T14:03:16.2246313Z",
      "description": "",
      "essentialsVersion": "1.0",
      "alertContextVersion": "1.0"
    },
    "alertContext": {
      "properties": null,
      "conditionType": "SingleResourceMultipleMetricCriteria",
      "condition": {
        "windowSize": "PT5M",
        "allOf": [
          {
            "metricName": "Percentage CPU",
            "metricNamespace": "Microsoft.Compute/virtualMachines",
            "operator": "GreaterThan",
            "threshold": "25",
            "timeAggregation": "Average",
            "dimensions": [
              {
                "name": "ResourceId",
                "value": "3efad9dc-3d50-4eac-9c87-8b3fd6f97e4e"
              }
            ],
            "metricValue": 7.727
          }
        ]
      }
    }
  }
}

Przykładowe alerty metryk akcji testu

Testowanie alertu metryki akcji ze statycznym progiem i wartością monitoringService = Platform

{
   "schemaId":"azureMonitorCommonAlertSchema",
   "data":{
      "essentials":{
         "alertId":"/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/providers/Microsoft.AlertsManagement/alerts/eeee4efe-ff5f-aa6a-bb7b-cccccc8c8c8c",
         "alertRule":"test-metricAlertRule",
         "severity":"Sev3",
         "signalType":"Metric",
         "monitorCondition":"Fired",
         "monitoringService":"Platform",
         "alertTargetIDs":[
            "/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/resourcegroups/test-RG/providers/Microsoft.Storage/storageAccounts/test-storageAccount"
         ],
         "configurationItems":[
            "test-storageAccount"
         ],
         "originAlertId":"11111111-1111-1111-1111-111111111111_test-RG_microsoft.insights_metricAlerts_test-metricAlertRule_1234567890",
         "firedDateTime":"2021-11-15T09:35:24.3468506Z",
         "description":"Alert rule description",
         "essentialsVersion":"1.0",
         "alertContextVersion":"1.0"
      },
      "alertContext":{
         "properties":{
            "customKey1":"value1",
            "customKey2":"value2"
         },
         "conditionType":"DynamicThresholdCriteria",
         "condition":{
            "windowSize":"PT15M",
            "allOf":[
               {
                  "alertSensitivity":"Low",
                  "failingPeriods":{
                     "numberOfEvaluationPeriods":3,
                     "minFailingPeriodsToAlert":3
                  },
                  "ignoreDataBefore":null,
                  "metricName":"Transactions",
                  "metricNamespace":"Microsoft.Storage/storageAccounts",
                  "operator":"GreaterThan",
                  "threshold":"0.3",
                  "timeAggregation":"Average",
                  "dimensions":[
                     
                  ],
                  "metricValue":78.09,
                  "webTestName":null
               }
            ],
            "windowStartTime":"2021-12-15T01:04:11.719Z",
            "windowEndTime":"2021-12-15T01:19:11.719Z"
         }
      },
      "customProperties":{
         "customKey1":"value1",
         "customKey2":"value2"
      }
   }
}

Testowanie alertu metryki akcji z progiem dynamicznym i monitorowaniemService = Platform

{
   "schemaId":"azureMonitorCommonAlertSchema",
   "data":{
      "essentials":{
         "alertId":"/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/providers/Microsoft.AlertsManagement/alerts/eeee4efe-ff5f-aa6a-bb7b-cccccc8c8c8c",
         "alertRule":"test-metricAlertRule",
         "severity":"Sev3",
         "signalType":"Metric",
         "monitorCondition":"Fired",
         "monitoringService":"Platform",
         "alertTargetIDs":[
            "/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/resourcegroups/test-RG/providers/Microsoft.Storage/storageAccounts/test-storageAccount"
         ],
         "configurationItems":[
            "test-storageAccount"
         ],
         "originAlertId":"11111111-1111-1111-1111-111111111111_test-RG_microsoft.insights_metricAlerts_test-metricAlertRule_1234567890",
         "firedDateTime":"2021-11-15T09:35:24.3468506Z",
         "description":"Alert rule description",
         "essentialsVersion":"1.0",
         "alertContextVersion":"1.0"
      },
      "alertContext":{
         "properties":{
            "customKey1":"value1",
            "customKey2":"value2"
         },
         "conditionType":"DynamicThresholdCriteria",
         "condition":{
            "windowSize":"PT15M",
            "allOf":[
               {
                  "alertSensitivity":"Low",
                  "failingPeriods":{
                     "numberOfEvaluationPeriods":3,
                     "minFailingPeriodsToAlert":3
                  },
                  "ignoreDataBefore":null,
                  "metricName":"Transactions",
                  "metricNamespace":"Microsoft.Storage/storageAccounts",
                  "operator":"GreaterThan",
                  "threshold":"0.3",
                  "timeAggregation":"Average",
                  "dimensions":[
                     
                  ],
                  "metricValue":78.09,
                  "webTestName":null
               }
            ],
            "windowStartTime":"2021-12-15T01:04:11.719Z",
            "windowEndTime":"2021-12-15T01:19:11.719Z"
         }
      },
      "customProperties":{
         "customKey1":"value1",
         "customKey2":"value2"
      }
   }
}

Przykładowe alerty przeszukiwania dzienników akcji testu

Testowanie alertu przeszukiwania dziennika akcji w wersji 1 — metryka

{
   "schemaId":"azureMonitorCommonAlertSchema",
   "data":{
      "essentials":{
         "alertId":"/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/providers/Microsoft.AlertsManagement/alerts/eeee4efe-ff5f-aa6a-bb7b-cccccc8c8c8c",
         "alertRule":"test-logAlertRule-v1-metricMeasurement",
         "severity":"Sev3",
         "signalType":"Log",
         "monitorCondition":"Fired",
         "monitoringService":"Log Analytics",
         "alertTargetIDs":[
            "/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/resourcegroups/test-RG/providers/microsoft.operationalinsights/workspaces/test-logAnalyticsWorkspace"
         ],
         "configurationItems":[
            
         ],
         "originAlertId":"12345678-4444-4444-4444-1234567890ab",
         "firedDateTime":"2021-11-16T15:17:21.9232467Z",
         "description":"Alert rule description",
         "essentialsVersion":"1.0",
         "alertContextVersion":"1.1"
      },
      "alertContext":{
         "SearchQuery":"Heartbeat | summarize AggregatedValue=count() by bin(TimeGenerated, 5m)",
         "SearchIntervalStartTimeUtc":"2021-11-15T15:16:49Z",
         "SearchIntervalEndtimeUtc":"2021-11-16T15:16:49Z",
         "ResultCount":2,
         "LinkToSearchResults":"https://portal.azure.com#@aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/source/Alerts.EmailLinks/scope/%7B%22resources%22%3A%5B%7B%22resourceId%22%3A%22%2Fsubscriptions%2F11111111-1111-1111-1111-111111111111%2FresourceGroups%2Ftest-RG%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Ftest-logAnalyticsWorkspace%22%7D%5D%7D/q/aBcDeFgHi%2BWqUSguzc1NLMqsSlVwTE8vSk1PLElNCUvMKU21Tc4vzSvRaBcDeFgHiaBcDeFgHiaBcDeFgHiaBcDeFgHi/prettify/1/timespan/2021-11-15T15%3a16%3a49.0000000Z%2f2021-11-16T15%3a16%3a49.0000000Z",
         "LinkToFilteredSearchResultsUI":"https://portal.azure.com#@aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/source/Alerts.EmailLinks/scope/%7B%22resources%22%3A%5B%7B%22resourceId%22%3A%22%2Fsubscriptions%2F11111111-1111-1111-1111-111111111111%2FresourceGroups%2Ftest-RG%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Ftest-logAnalyticsWorkspace%22%7D%5D%7D/q/aBcDeFgHiaBcDeFgHiaBcDeFgHiaBcDeFgHiaBcDeFgHidp%2BOPOhDKsHR%2FFeJXsTgzGJRmVui3KF3RpLyEJCX9A2iMl6jgxMn6jRevng3JmIHLdYtKP4DRI9mhc%3D/prettify/1/timespan/2021-11-15T15%3a16%3a49.0000000Z%2f2021-11-16T15%3a16%3a49.0000000Z",
         "LinkToSearchResultsAPI":"https://api.loganalytics.io/v1/workspaces/bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb/query?query=Heartbeat%20%0A%7C%20summarize%20AggregatedValue%3Dcount%28%29%20by%20bin%28TimeGenerated%2C%205m%29&timespan=2021-11-15T15%3a16%3a49.0000000Z%2f2021-11-16T15%3a16%3a49.0000000Z",
         "LinkToFilteredSearchResultsAPI":"https://api.loganalytics.io/v1/workspaces/bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb/query?query=Heartbeat%20%0A%7C%20summarize%20AggregatedValue%3Dcount%28%29%20by%20bin%28TimeGenerated%2C%205m%29%7C%20where%20todouble%28AggregatedValue%29%20%3E%200&timespan=2021-11-15T15%3a16%3a49.0000000Z%2f2021-11-16T15%3a16%3a49.0000000Z",
         "SeverityDescription":"Informational",
         "WorkspaceId":"bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb",
         "SearchIntervalDurationMin":"1440",
         "AffectedConfigurationItems":[
            
         ],
         "AlertType":"Metric measurement",
         "IncludeSearchResults":true,
         "Dimensions":[
            
         ],
         "SearchIntervalInMinutes":"1440",
         "SearchResults":{
            "tables":[
               {
                  "name":"PrimaryResult",
                  "columns":[
                     {
                        "name":"TimeGenerated",
                        "type":"datetime"
                     },
                     {
                        "name":"AggregatedValue",
                        "type":"long"
                     }
                  ],
                  "rows":[
                     [
                        "2021-11-16T10:56:49Z",
                        11
                     ],
                     [
                        "2021-11-16T11:56:49Z",
                        11
                     ]
                  ]
               }
            ],
            "dataSources":[
               {
                  "resourceId":"/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/resourcegroups/test-RG/providers/microsoft.operationalinsights/workspaces/test-logAnalyticsWorkspace",
                  "region":"eastus",
                  "tables":[
                     "Heartbeat"
                  ]
               }
            ]
         },
         "Threshold":0,
         "Operator":"Greater Than",
         "IncludedSearchResults":"True"
      }
   }
}

Testowanie alertu przeszukiwania dziennika akcji W wersji 1 — liczba

{
   "schemaId":"azureMonitorCommonAlertSchema",
   "data":{
      "essentials":{
         "alertId":"/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/providers/Microsoft.AlertsManagement/alerts/eeee4efe-ff5f-aa6a-bb7b-cccccc8c8c8c",
         "alertRule":"test-logAlertRule-v1-numResults",
         "severity":"Sev3",
         "signalType":"Log",
         "monitorCondition":"Fired",
         "monitoringService":"Log Analytics",
         "alertTargetIDs":[
            "/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/resourcegroups/test-RG/providers/microsoft.operationalinsights/workspaces/test-logAnalyticsWorkspace"
         ],
         "configurationItems":[
            "test-computer"
         ],
         "originAlertId":"22222222-2222-2222-2222-222222222222",
         "firedDateTime":"2021-11-16T15:15:58.3302205Z",
         "description":"Alert rule description",
         "essentialsVersion":"1.0",
         "alertContextVersion":"1.1"
      },
      "alertContext":{
         "SearchQuery":"Heartbeat",
         "SearchIntervalStartTimeUtc":"2021-11-15T15:15:24Z",
         "SearchIntervalEndtimeUtc":"2021-11-16T15:15:24Z",
         "ResultCount":1,
         "LinkToSearchResults":"https://portal.azure.com#@aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/source/Alerts.EmailLinks/scope/%7B%22resources%22%3A%5B%7B%22resourceId%22%3A%22%2Fsubscriptions%2F11111111-1111-1111-1111-111111111111%2FresourceGroups%2Ftest-RG%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Ftest-logAnalyticsWorkspace%22%7D%5D%7D/q/aBcDeFgHi%2ABCDE%3D%3D/prettify/1/timespan/2021-11-15T15%3a15%3a24.0000000Z%2f2021-11-16T15%3a15%3a24.0000000Z",
         "LinkToFilteredSearchResultsUI":"https://portal.azure.com#@aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/source/Alerts.EmailLinks/scope/%7B%22resources%22%3A%5B%7B%22resourceId%22%3A%22%2Fsubscriptions%2F11111111-1111-1111-1111-111111111111%2FresourceGroups%2Ftest-RG%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Ftest-logAnalyticsWorkspace%22%7D%5D%7D/q/aBcDeFgHi%2ABCDE%3D%3D/prettify/1/timespan/2021-11-15T15%3a15%3a24.0000000Z%2f2021-11-16T15%3a15%3a24.0000000Z",
         "LinkToSearchResultsAPI":"https://api.loganalytics.io/v1/workspaces/bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb/query?query=Heartbeat%0A&timespan=2021-11-15T15%3a15%3a24.0000000Z%2f2021-11-16T15%3a15%3a24.0000000Z",
         "LinkToFilteredSearchResultsAPI":"https://api.loganalytics.io/v1/workspaces/bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb/query?query=Heartbeat%0A&timespan=2021-11-15T15%3a15%3a24.0000000Z%2f2021-11-16T15%3a15%3a24.0000000Z",
         "SeverityDescription":"Informational",
         "WorkspaceId":"bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb",
         "SearchIntervalDurationMin":"1440",
         "AffectedConfigurationItems":[
            "test-computer"
         ],
         "AlertType":"Number of results",
         "IncludeSearchResults":true,
         "SearchIntervalInMinutes":"1440",
         "SearchResults":{
            "tables":[
               {
                  "name":"PrimaryResult",
                  "columns":[
                     {
                        "name":"TenantId",
                        "type":"string"
                     },
                     {
                        "name":"Computer",
                        "type":"string"
                     },
                     {
                        "name":"TimeGenerated",
                        "type":"datetime"
                     }
                  ],
                  "rows":[
                     [
                        "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb",
                        "test-computer",
                        "2021-11-16T12:00:00Z"
                     ]
                  ]
               }
            ],
            "dataSources":[
               {
                  "resourceId":"/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/resourcegroups/test-RG/providers/microsoft.operationalinsights/workspaces/test-logAnalyticsWorkspace",
                  "region":"eastus",
                  "tables":[
                     "Heartbeat"
                  ]
               }
            ]
         },
         "Threshold":0,
         "Operator":"Greater Than",
         "IncludedSearchResults":"True"
      }
   }
}

Testowanie alertu przeszukiwania dziennika akcji w wersji 2

Uwaga

Reguły alertów przeszukiwania dzienników z interfejsu API w wersji 2020-05-01 używają tego typu ładunku, który obsługuje tylko wspólny schemat. Wyniki wyszukiwania nie są osadzone w ładunku alertów przeszukiwania dzienników podczas korzystania z tej wersji. Użyj wymiarów , aby zapewnić kontekst wyzwalanych alertów.

Możesz również użyć LinkToFilteredSearchResultsAPI funkcji lub LinkToSearchResultsAPI uzyskać dostęp do wyników zapytań za pomocą interfejsu API usługi Log Analytics. Jeśli musisz osadzić wyniki, użyj aplikacji logiki z podanymi linkami, aby wygenerować niestandardowy ładunek.

{
   "schemaId":"azureMonitorCommonAlertSchema",
   "data":{
      "essentials":{
         "alertId":"/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/providers/Microsoft.AlertsManagement/alerts/eeee4efe-ff5f-aa6a-bb7b-cccccc8c8c8c",
         "alertRule":"test-logAlertRule-v2",
         "severity":"Sev3",
         "signalType":"Log",
         "monitorCondition":"Fired",
         "monitoringService":"Log Alerts V2",
         "alertTargetIDs":[
            "/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/resourcegroups/test-RG/providers/microsoft.operationalinsights/workspaces/test-logAnalyticsWorkspace"
         ],
         "configurationItems":[
            "test-computer"
         ],
         "originAlertId":"22222222-2222-2222-2222-222222222222",
         "firedDateTime":"2021-11-16T11:47:41.4728231Z",
         "description":"Alert rule description",
         "essentialsVersion":"1.0",
         "alertContextVersion":"1.0"
      },
      "alertContext":{
         "properties":{
            "customKey1":"value1",
            "customKey2":"value2"
         },
         "conditionType":"LogQueryCriteria",
         "condition":{
            "windowSize":"PT1H",
            "allOf":[
               {
                  "searchQuery":"Heartbeat",
                  "metricMeasureColumn":null,
                  "targetResourceTypes":"['Microsoft.OperationalInsights/workspaces']",
                  "operator":"GreaterThan",
                  "threshold":"0",
                  "timeAggregation":"Count",
                  "dimensions":[
                     {
                        "name":"Computer",
                        "value":"test-computer"
                     }
                  ],
                  "metricValue":3.0,
                  "failingPeriods":{
                     "numberOfEvaluationPeriods":1,
                     "minFailingPeriodsToAlert":1
                  },
                  "linkToSearchResultsUI":"https://portal.azure.com#@aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/source/Alerts.EmailLinks/scope/%7B%22resources%22%3A%5B%7B%22resourceId%22%3A%22%2Fsubscriptions%2F11111111-1111-1111-1111-111111111111%2FresourceGroups%2Ftest-RG%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Ftest-logAnalyticsWorkspace%22%7D%5D%7D/q/aBcDeFgHiJkLmNaBcDeFgHiJkLmNaBcDeFgHiJkLmNaBcDeFgHiJkLmN1234567890ZAZBZiaGBlaG5lbKlnAAFRmnp6WNUZoqvTBAA%3D/prettify/1/timespan/2021-11-16T10%3a17%3a39.0000000Z%2f2021-11-16T11%3a17%3a39.0000000Z",
                  "linkToFilteredSearchResultsUI":"https://portal.azure.com#@aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/source/Alerts.EmailLinks/scope/%7B%22resources%22%3A%5B%7B%22resourceId%22%3A%22%2Fsubscriptions%2F11111111-1111-1111-1111-111111111111%2FresourceGroups%2Ftest-RG%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Ftest-logAnalyticsWorkspace%22%7D%5D%7D/q/aBcDeFgHiJkLmN%2Fl35oOTZoKioEOouaBcDeFgHiJkLmN%2BaBcDeFgHiJkLmN%2BaBcDeFgHiJkLmN7HHgOCZTR0Ak%2FaBcDeFgHiJkLmN1234567890Ltcw%2FOqZS%2FuX0L5d%2Bx3iMHNzQiu3Y%2BzsjpFSWlOzgA87vAxeHW2MoAtQxe6OUvVrZR3XYZPXrd%2FIE/prettify/1/timespan/2021-11-16T10%3a17%3a39.0000000Z%2f2021-11-16T11%3a17%3a39.0000000Z",
                  "linkToSearchResultsAPI":"https://api.loganalytics.io/v1/workspaces/bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb/query?query=Heartbeat%7C%20where%20TimeGenerated%20between%28datetime%282021-11-16T10%3A17%3A39.0000000Z%29..datetime%282021-11-16T11%3A17%3A39.0000000Z%29%29&timespan=2021-11-16T10%3a17%3a39.0000000Z%2f2021-11-16T11%3a17%3a39.0000000Z",
                  "linkToFilteredSearchResultsAPI":"https://api.loganalytics.io/v1/workspaces/bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb/query?query=Heartbeat%7C%20where%20TimeGenerated%20between%28datetime%282021-11-16T10%3A17%3A39.0000000Z%29..datetime%282021-11-16T11%3A17%3A39.0000000Z%29%29%7C%20where%20tostring%28Computer%29%20%3D%3D%20%27test-computer%27&timespan=2021-11-16T10%3a17%3a39.0000000Z%2f2021-11-16T11%3a17%3a39.0000000Z"
               }
            ],
            "windowStartTime":"2021-11-16T10:17:39Z",
            "windowEndTime":"2021-11-16T11:17:39Z"
         }
      }
   }
}

Przykładowe alerty dziennika aktywności akcji testu

Testowy alert dziennika aktywności akcji za pomocą polecenia MonitoringService = Administrative

{
   "schemaId":"azureMonitorCommonAlertSchema",
   "data":{
      "essentials":{
         "alertId":"/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/providers/Microsoft.AlertsManagement/alerts/eeee4efe-ff5f-aa6a-bb7b-cccccc8c8c8c",
         "alertRule":"test-activityLogAlertRule",
         "severity":"Sev4",
         "signalType":"Activity Log",
         "monitorCondition":"Fired",
         "monitoringService":"Activity Log - Administrative",
         "alertTargetIDs":[
            "/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/resourcegroups/test-RG/providers/microsoft.compute/virtualmachines/test-VM"
         ],
         "configurationItems":[
            "test-VM"
         ],
         "originAlertId":"bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb_123456789012345678901234567890ab",
         "firedDateTime":"2021-11-16T08:29:01.2932462Z",
         "description":"Alert rule description",
         "essentialsVersion":"1.0",
         "alertContextVersion":"1.0"
      },
      "alertContext":{
         "authorization":{
            "action":"Microsoft.Compute/virtualMachines/restart/action",
            "scope":"/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/resourceGroups/test-RG/providers/Microsoft.Compute/virtualMachines/test-VM"
         },
         "channels":"Operation",
         "claims":"{}",
         "caller":"user-email@domain.com",
         "correlationId":"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
         "eventSource":"Administrative",
         "eventTimestamp":"2021-11-16T08:27:36.1836909+00:00",
         "eventDataId":"bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb",
         "level":"Informational",
         "operationName":"Microsoft.Compute/virtualMachines/restart/action",
         "operationId":"cccccccc-cccc-cccc-cccc-cccccccccccc",
         "properties":{
            "eventCategory":"Administrative",
            "entity":"/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/resourceGroups/test-RG/providers/Microsoft.Compute/virtualMachines/test-VM",
            "message":"Microsoft.Compute/virtualMachines/restart/action",
            "hierarchy":"22222222-2222-2222-2222-222222222222/CnAIOrchestrationServicePublicCorpprod/33333333-3333-3333-3333-3333333333333/44444444-4444-4444-4444-444444444444/55555555-5555-5555-5555-555555555555/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b"
         },
         "status":"Succeeded",
         "subStatus":"",
         "submissionTimestamp":"2021-11-16T08:29:00.141807+00:00",
         "Activity Log Event Description":""
      }
   }
}

Testowy alert dziennika aktywności akcji za pomocą polecenia MonitoringService = ServiceHealth

{
   "schemaId":"azureMonitorCommonAlertSchema",
   "data":{
      "essentials":{
         "alertId":"/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/providers/Microsoft.AlertsManagement/alerts/1234abcd5678efgh1234abcd5678efgh1234abcd5678efgh1234abcd5678efgh",
         "alertRule":"test-ServiceHealthAlertRule",
         "severity":"Sev4",
         "signalType":"Activity Log",
         "monitorCondition":"Fired",
         "monitoringService":"ServiceHealth",
         "alertTargetIDs":[
            "/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b"
         ],
         "originAlertId":"eeee4efe-ff5f-aa6a-bb7b-cccccc8c8c8c",
         "firedDateTime":"2021-11-17T05:34:48.0623172Z",
         "description":"Alert rule description",
         "essentialsVersion":"1.0",
         "alertContextVersion":"1.0"
      },
      "alertContext":{
         "authorization":null,
         "channels":1,
         "claims":null,
         "caller":null,
         "correlationId":"cccc2222-dd33-4444-55ee-666666ffffff",
         "eventSource":2,
         "eventTimestamp":"2021-11-17T05:34:44.5778226+00:00",
         "httpRequest":null,
         "eventDataId":"eeee4efe-ff5f-aa6a-bb7b-cccccc8c8c8c",
         "level":3,
         "operationName":"Microsoft.ServiceHealth/incident/action",
         "operationId":"cccc2222-dd33-4444-55ee-666666ffffff",
         "properties":{
            "title":"Test Action Group - Test Service Health Alert",
            "service":"Azure Service Name",
            "region":"Global",
            "communication":"<p><strong>Summary of impact</strong>:&nbsp;This is the impact summary.</p>\n<p><br></p>\n<p><strong>Preliminary Root Cause</strong>: This is the preliminary root cause.</p>\n<p><br></p>\n<p><strong>Mitigation</strong>:&nbsp;Mitigation description.</p>\n<p><br></p>\n<p><strong>Next steps</strong>: These are the next steps.&nbsp;</p>\n<p><br></p>\n<p>Stay informed about Azure service issues by creating custom service health alerts: <a href=\"https://aka.ms/ash-videos\" rel=\"noopener noreferrer\" target=\"_blank\">https://aka.ms/ash-videos</a> for video tutorials and <a href=\"https://aka.ms/ash-alerts%20for%20how-to%20documentation\" rel=\"noopener noreferrer\" target=\"_blank\">https://aka.ms/ash-alerts for how-to documentation</a>.</p>\n<p><br></p>",
            "incidentType":"Incident",
            "trackingId":"ABC1-DEF",
            "impactStartTime":"2021-11-16T20:00:00Z",
            "impactMitigationTime":"2021-11-17T01:00:00Z",
            "impactedServices":"[{\"ImpactedRegions\":[{\"RegionName\":\"Global\"}],\"ServiceName\":\"Azure Service Name\"}]",
            "impactedServicesTableRows":"<tr>\r\n<td align='center' style='padding: 5px 10px; border-right:1px solid black; border-bottom:1px solid black'>Azure Service Name</td>\r\n<td align='center' style='padding: 5px 10px; border-bottom:1px solid black'>Global<br></td>\r\n</tr>\r\n",
            "defaultLanguageTitle":"Test Action Group - Test Service Health Alert",
            "defaultLanguageContent":"<p><strong>Summary of impact</strong>:&nbsp;This is the impact summary.</p>\n<p><br></p>\n<p><strong>Preliminary Root Cause</strong>: This is the preliminary root cause.</p>\n<p><br></p>\n<p><strong>Mitigation</strong>:&nbsp;Mitigation description.</p>\n<p><br></p>\n<p><strong>Next steps</strong>: These are the next steps.&nbsp;</p>\n<p><br></p>\n<p>Stay informed about Azure service issues by creating custom service health alerts: <a href=\"https://aka.ms/ash-videos\" rel=\"noopener noreferrer\" target=\"_blank\">https://aka.ms/ash-videos</a> for video tutorials and <a href=\"https://aka.ms/ash-alerts%20for%20how-to%20documentation\" rel=\"noopener noreferrer\" target=\"_blank\">https://aka.ms/ash-alerts for how-to documentation</a>.</p>\n<p><br></p>",
            "stage":"Resolved",
            "communicationId":"11223344556677",
            "isHIR":"false",
            "IsSynthetic":"True",
            "impactType":"SubscriptionList",
            "version":"0.1.1"
         },
         "status":"Resolved",
         "subStatus":null,
         "submissionTimestamp":"2021-11-17T01:23:45.0623172+00:00",
         "ResourceType":null
      }
   }
}

Testowy alert dziennika aktywności akcji za pomocą polecenia MonitoringService = Resource Health

{
   "schemaId":"azureMonitorCommonAlertSchema",
   "data":{
      "essentials":{
         "alertId":"/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/providers/Microsoft.AlertsManagement/alerts/eeee4efe-ff5f-aa6a-bb7b-cccccc8c8c8c",
         "alertRule":"test-ResourceHealthAlertRule",
         "severity":"Sev4",
         "signalType":"Activity Log",
         "monitorCondition":"Fired",
         "monitoringService":"Resource Health",
         "alertTargetIDs":[
            "/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/resourcegroups/test-RG/providers/microsoft.compute/virtualmachines/test-VM"
         ],
         "configurationItems":[
            "test-VM"
         ],
         "originAlertId":"bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb_123456789012345678901234567890ab",
         "firedDateTime":"2021-11-16T09:54:08.9938123Z",
         "description":"Alert rule description",
         "essentialsVersion":"1.0",
         "alertContextVersion":"1.0"
      },
      "alertContext":{
         "channels":"Admin, Operation",
         "correlationId":"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
         "eventSource":"ResourceHealth",
         "eventTimestamp":"2021-11-16T09:50:20.406+00:00",
         "eventDataId":"bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb",
         "level":"Informational",
         "operationName":"Microsoft.Resourcehealth/healthevent/Activated/action",
         "operationId":"bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb",
         "properties":{
            "title":"Rebooted by user",
            "details":null,
            "currentHealthStatus":"Unavailable",
            "previousHealthStatus":"Available",
            "type":"Downtime",
            "cause":"UserInitiated"
         },
         "status":"Active",
         "submissionTimestamp":"2021-11-16T09:54:08.5303319+00:00",
         "Activity Log Event Description":null
      }
   }
}

Testowy alert dziennika aktywności akcji za pomocą polecenia MonitoringService = Budget

{
   "schemaId":"AIP Budget Notification",
   "data":{
      "SubscriptionName":"test-subscription",
      "SubscriptionId":"dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b",
      "EnrollmentNumber":"",
      "DepartmentName":"test-budgetDepartmentName",
      "AccountName":"test-budgetAccountName",
      "BillingAccountId":"",
      "BillingProfileId":"",
      "InvoiceSectionId":"",
      "ResourceGroup":"test-RG",
      "SpendingAmount":"1111.32",
      "BudgetStartDate":"11/17/2021 5:40:29 PM -08:00",
      "Budget":"10000",
      "Unit":"USD",
      "BudgetCreator":"email@domain.com",
      "BudgetName":"test-budgetName",
      "BudgetType":"Cost",
      "NotificationThresholdAmount":"8000.0"
   }
}

Testowy alert dziennika aktywności akcji za pomocą polecenia MonitoringService = Actual Cost Budget

{
   "schemaId": "azureMonitorCommonAlertSchema",
   "data": {
      "essentials": {
         "monitoringService": "CostAlerts",
         "firedDateTime": "2022-12-07T21:13:20.645Z",
         "description": "Your spend for budget Test_actual_cost_budget is now $11,111.00 exceeding your specified threshold $25.00.",
         "essentialsVersion": "1.0",
         "alertContextVersion": "1.0",
         "alertId": "/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/providers/Microsoft.CostManagement/alerts/Test_Alert",
         "alertRule": null,
         "severity": null,
         "signalType": null,
         "monitorCondition": null,
         "alertTargetIDs": null,
         "configurationItems": [
            "budgets"
         ],
         "originAlertId": null
      },
      "alertContext": {
         "AlertCategory": "budgets",
         "AlertData": {
            "Scope": "/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/",
            "ThresholdType": "Actual",
            "BudgetType": "Cost",
            "BudgetThreshold": "$50.00",
            "NotificationThresholdAmount": "$25.00",
            "BudgetName": "Test_actual_cost_budget",
            "BudgetId": "/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/providers/Microsoft.Consumption/budgets/Test_actual_cost_budget",
            "BudgetStartDate": "2022-11-01",
            "BudgetCreator": "test@sample.test",
            "Unit": "USD",
            "SpentAmount": "$11,111.00"
         }
      }
   }
}

Testowanie alertów dziennika aktywności akcji za pomocą polecenia MonitoringService = Forecasted Budget

{
   "schemaId": "azureMonitorCommonAlertSchema",
   "data": {
      "essentials": {
         "monitoringService": "CostAlerts",
         "firedDateTime": "2022-12-07T21:13:29.576Z",
         "description": "The total spend for your budget, Test_forcasted_budget, is forecasted to reach $1111.11 before the end of the period. This amount exceeds your specified budget threshold of $50.00.",
         "essentialsVersion": "1.0",
         "alertContextVersion": "1.0",
         "alertId": "/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/providers/Microsoft.CostManagement/alerts/Test_Alert",
         "alertRule": null,
         "severity": null,
         "signalType": null,
         "monitorCondition": null,
         "alertTargetIDs": null,
         "configurationItems": [
            "budgets"
         ],
         "originAlertId": null
      },
      "alertContext": {
         "AlertCategory": "budgets",
         "AlertData": {
            "Scope": "/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/",
            "ThresholdType": "Forecasted",
            "BudgetType": "Cost",
            "BudgetThreshold": "$50.00",
            "NotificationThresholdAmount": "$50.00",
            "BudgetName": "Test_forcasted_budget",
            "BudgetId": "/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/providers/Microsoft.Consumption/budgets/Test_forcasted_budget",
            "BudgetStartDate": "2022-11-01",
            "BudgetCreator": "test@sample.test",
            "Unit": "USD",
            "SpentAmount": "$999.99",
            "ForecastedTotalForPeriod": "$1111.11"
         }
      }
   }
}

Testowanie alertów dziennika aktywności akcji za pomocą polecenia MonitoringService = Smart Alert

{
   "schemaId":"azureMonitorCommonAlertSchema",
   "data":{
      "essentials":{
         "alertId":"/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/providers/Microsoft.AlertsManagement/alerts/eeee4efe-ff5f-aa6a-bb7b-cccccc8c8c8c",
         "alertRule":"Dependency Latency Degradation - test-applicationInsights",
         "severity":"Sev3",
         "signalType":"Log",
         "monitorCondition":"Fired",
         "monitoringService":"SmartDetector",
         "alertTargetIDs":[
            "/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/resourcegroups/test-RG/providers/microsoft.insights/components/test-applicationInsights"
         ],
         "configurationItems":[
            "test-applicationInsights"
         ],
         "originAlertId":"1234abcd5678efgh1234abcd5678efgh1234abcd5678efgh1234abcd5678efgh",
         "firedDateTime":"2021-10-28T19:09:09.1115084Z",
         "description":"Dependency Latency Degradation notifies you of an unusual increase in response by a dependency your app is calling (e.g. REST API or database)",
         "essentialsVersion":"1.0",
         "alertContextVersion":"1.0"
      },
      "alertContext":{
         "DetectionSummary":"A degradation in the dependency duration over the last 24 hours",
         "FormattedOccurrenceTime":"2021-10-27T23:59:59Z",
         "DetectedValue":"0.45 sec",
         "NormalValue":"0.27 sec (over the last 7 days)",
         "PresentationInsightEventRequest":"/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/resourceGroups/test-RG/providers/microsoft.insights/components/test-applicationInsights/query?query=systemEvents%0d%0a++++++++++++++++%7c+where+timestamp+%3e%3d+datetime(%272021-10-27T23%3a29%3a59.0000000Z%27)+%0d%0a++++++++++++++++%7c+where+itemType+%3d%3d+%27systemEvent%27+and+name+%3d%3d+%27ProactiveDetectionInsight%27+%0d%0a++++++++++++++++%7c+where+dimensions.InsightType+%3d%3d+3+%0d%0a++++++++++++++++%7c+where+dimensions.InsightVersion+%3d%3d+%27SmartAlert%27%0d%0a++++++++++++++++%7c+where+dimensions.InsightDocumentId+%3d%3d+%2712345678-abcd-1234-5678-abcd12345678%27+%0d%0a++++++++++++++++%7c+project+dimensions.InsightPropertiesTable%2cdimensions.InsightDegradationChart%2cdimensions.InsightCountChart%2cdimensions.InsightLinksTable%0d%0a++++++++++++++++&api-version=2018-04-20",
         "SmartDetectorId":"DependencyPerformanceDegradationDetector",
         "SmartDetectorName":"Dependency Performance Degradation Detector",
         "AnalysisTimestamp":"2021-10-28T19:09:09.1115084Z"
      }
   }
}

Następne kroki