Exempel på aviseringsnyttolaster
Det vanliga aviseringsschemat standardiserar förbrukningsupplevelsen för aviseringsmeddelanden i Azure. Tidigare hade aktivitetsloggar, mått- och loggsökningsaviseringar sina egna e-postmallar och webhook-scheman. Det gemensamma aviseringsschemat innehåller ett standardiserat schema för alla aviseringsmeddelanden.
Ett standardiserat schema kan hjälpa dig att minimera antalet integreringar, vilket förenklar processen för att hantera och underhålla dina integreringar.
Det vanliga schemat innehåller information om den berörda resursen och orsaken till aviseringen i följande avsnitt:
Essentials: Standardiserade fält som används av alla aviseringstyper som beskriver resursen som påverkas av aviseringen och vanliga aviseringsmetadata, till exempel allvarlighetsgrad eller beskrivning.
Om du vill dirigera aviseringsinstanser till specifika team baserat på kriterier, till exempel en resursgrupp, kan du använda fälten i avsnittet Essentials för att tillhandahålla routningslogik för alla aviseringstyper . De team som tar emot aviseringsmeddelandet kan sedan använda kontextfälten för sin undersökning.
Aviseringskontext: Fält som varierar beroende på typen av avisering. Fälten för aviseringskontexten beskriver orsaken till aviseringen. En måttavisering skulle till exempel ha fält som måttnamnet och måttvärdet i aviseringskontexten. En aktivitetsloggavisering skulle ha information om händelsen som genererade aviseringen.
Anpassade egenskaper: Du kan lägga till mer information i aviseringsnyttolasten genom att lägga till anpassade egenskaper om du har konfigurerat åtgärdsgrupper för en måttaviseringsregel.
Kommentar
Anpassade egenskaper stöds för närvarande endast av måttaviseringar. För alla andra aviseringstyper är fältet för anpassade egenskaper null.
Exempel på aviseringsnyttolast
{
"schemaId": "azureMonitorCommonAlertSchema",
"data": {
"essentials": {
"alertId": "/subscriptions/<subscription ID>/providers/Microsoft.AlertsManagement/alerts/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e",
"alertRule": "WCUS-R2-Gen2",
"severity": "Sev3",
"signalType": "Metric",
"monitorCondition": "Resolved",
"monitoringService": "Platform",
"alertTargetIDs": [
"/subscriptions/<subscription ID>/resourcegroups/pipelinealertrg/providers/microsoft.compute/virtualmachines/wcus-r2-gen2"
],
"configurationItems": [
"wcus-r2-gen2"
],
"originAlertId": "3f2d4487-b0fc-4125-8bd5-7ad17384221e_PipeLineAlertRG_microsoft.insights_metricAlerts_WCUS-R2-Gen2_-117781227",
"firedDateTime": "2019-03-22T13:58:24.3713213Z",
"resolvedDateTime": "2019-03-22T14:03:16.2246313Z",
"description": "",
"essentialsVersion": "1.0",
"alertContextVersion": "1.0"
},
"alertContext": {
"properties": null,
"conditionType": "SingleResourceMultipleMetricCriteria",
"condition": {
"windowSize": "PT5M",
"allOf": [
{
"metricName": "Percentage CPU",
"metricNamespace": "Microsoft.Compute/virtualMachines",
"operator": "GreaterThan",
"threshold": "25",
"timeAggregation": "Average",
"dimensions": [
{
"name": "ResourceId",
"value": "3efad9dc-3d50-4eac-9c87-8b3fd6f97e4e"
}
],
"metricValue": 7.727
}
]
}
}
}
}
Exempel på måttaviseringar
Följande är exempel på nyttolaster för måttaviseringar.
Måttavisering med ett statiskt tröskelvärde och monitoringService = Platform
{
"alertContext": {
"properties": null,
"conditionType": "SingleResourceMultipleMetricCriteria",
"condition": {
"windowSize": "PT5M",
"allOf": [
{
"metricName": "Percentage CPU",
"metricNamespace": "Microsoft.Compute/virtualMachines",
"operator": "GreaterThan",
"threshold": "25",
"timeAggregation": "Average",
"dimensions": [
{
"name": "ResourceId",
"value": "3efad9dc-3d50-4eac-9c87-8b3fd6f97e4e"
}
],
"metricValue": 31.1105
}
],
"windowStartTime": "2019-03-22T13:40:03.064Z",
"windowEndTime": "2019-03-22T13:45:03.064Z"
}
}
}
Måttavisering med ett dynamiskt tröskelvärde och monitoringService = Platform
{
"alertContext": {
"properties": null,
"conditionType": "DynamicThresholdCriteria",
"condition": {
"windowSize": "PT5M",
"allOf": [
{
"alertSensitivity": "High",
"failingPeriods": {
"numberOfEvaluationPeriods": 1,
"minFailingPeriodsToAlert": 1
},
"ignoreDataBefore": null,
"metricName": "Egress",
"metricNamespace": "microsoft.storage/storageaccounts",
"operator": "GreaterThan",
"threshold": "47658",
"timeAggregation": "Total",
"dimensions": [],
"metricValue": 50101
}
],
"windowStartTime": "2021-07-20T05:07:26.363Z",
"windowEndTime": "2021-07-20T05:12:26.363Z"
}
}
}
Måttavisering för tillgänglighetstester och monitoringService = Platform
{
"alertContext": {
"properties": null,
"conditionType": "WebtestLocationAvailabilityCriteria",
"condition": {
"windowSize": "PT5M",
"allOf": [
{
"metricName": "Failed Location",
"metricNamespace": null,
"operator": "GreaterThan",
"threshold": "2",
"timeAggregation": "Sum",
"dimensions": [],
"metricValue": 5,
"webTestName": "myAvailabilityTest-myApplication"
}
],
"windowStartTime": "2019-03-22T13:40:03.064Z",
"windowEndTime": "2019-03-22T13:45:03.064Z"
}
}
}
Exempelloggsökningsaviseringar
Kommentar
När du aktiverar det gemensamma schemat återställs fälten i nyttolasten till de vanliga schemafälten. Därför har loggsökningsaviseringar dessa begränsningar för det gemensamma schemat:
- Det gemensamma schemat stöds inte för loggsökningsaviseringar med webhooks med ett anpassat e-postämne och/eller JSON-nyttolast, eftersom det gemensamma schemat skriver över de anpassade konfigurationerna.
- Aviseringar som använder det gemensamma schemat har en övre storleksgräns på 256 KB per avisering. Om nyttolasten för loggsökningsaviseringar innehåller sökresultat som gör att aviseringen överskrider den maximala storleken bäddas sökresultaten inte in i nyttolasten för loggsökningsaviseringar. Du kan kontrollera om nyttolasten innehåller sökresultaten
IncludedSearchResults
med flaggan. AnvändLinkToFilteredSearchResultsAPI
ellerLinkToSearchResultsAPI
för att komma åt frågeresultat med Log Analytics-API:et om sökresultaten inte ingår.
Loggsökningsavisering med monitoringService = Platform
{
"alertContext": {
"SearchQuery": "Perf | where ObjectName == \"Processor\" and CounterName == \"% Processor Time\" | summarize AggregatedValue = avg(CounterValue) by bin(TimeGenerated, 5m), Computer",
"SearchIntervalStartTimeUtc": "3/22/2019 1:36:31 PM",
"SearchIntervalEndtimeUtc": "3/22/2019 1:51:31 PM",
"ResultCount": 2,
"LinkToSearchResults": "https://portal.azure.com/#Analyticsblade/search/index?_timeInterval.intervalEnd=2018-03-26T09%3a10%3a40.0000000Z&_timeInterval.intervalDuration=3600&q=Usage",
"LinkToFilteredSearchResultsUI": "https://portal.azure.com/#Analyticsblade/search/index?_timeInterval.intervalEnd=2018-03-26T09%3a10%3a40.0000000Z&_timeInterval.intervalDuration=3600&q=Usage",
"LinkToSearchResultsAPI": "https://api.loganalytics.io/v1/workspaces/workspaceID/query?query=Heartbeat×pan=2020-05-07T18%3a11%3a51.0000000Z%2f2020-05-07T18%3a16%3a51.0000000Z",
"LinkToFilteredSearchResultsAPI": "https://api.loganalytics.io/v1/workspaces/workspaceID/query?query=Heartbeat×pan=2020-05-07T18%3a11%3a51.0000000Z%2f2020-05-07T18%3a16%3a51.0000000Z",
"SeverityDescription": "Warning",
"WorkspaceId": "12345a-1234b-123c-123d-12345678e",
"SearchIntervalDurationMin": "15",
"AffectedConfigurationItems": [
"INC-Gen2Alert"
],
"SearchIntervalInMinutes": "15",
"Threshold": 10000,
"Operator": "Less Than",
"Dimensions": [
{
"name": "Computer",
"value": "INC-Gen2Alert"
}
],
"SearchResults": {
"tables": [
{
"name": "PrimaryResult",
"columns": [
{
"name": "$table",
"type": "string"
},
{
"name": "Computer",
"type": "string"
},
{
"name": "TimeGenerated",
"type": "datetime"
}
],
"rows": [
[
"Fabrikam",
"33446677a",
"2018-02-02T15:03:12.18Z"
],
[
"Contoso",
"33445566b",
"2018-02-02T15:16:53.932Z"
]
]
}
],
"dataSources": [
{
"resourceId": "/subscriptions/bbbb1b1b-cc2c-dd3d-ee4e-ffffff5f5f5f/resourcegroups/test/providers/microsoft.operationalinsights/workspaces/test",
"tables": [
"Heartbeat"
]
}
]
},
"IncludedSearchResults": "True",
"AlertType": "Metric measurement"
}
}
Logga sökavisering med monitoringService = Application Insights
{
"alertContext": {
"SearchQuery": "requests | where resultCode == \"500\" | summarize AggregatedValue = Count by bin(Timestamp, 5m), IP",
"SearchIntervalStartTimeUtc": "3/22/2019 1:36:33 PM",
"SearchIntervalEndtimeUtc": "3/22/2019 1:51:33 PM",
"ResultCount": 2,
"LinkToSearchResults": "https://portal.azure.com/AnalyticsBlade/subscriptions/12345a-1234b-123c-123d-12345678e/?query=search+*+&timeInterval.intervalEnd=2018-03-26T09%3a10%3a40.0000000Z&_timeInterval.intervalDuration=3600&q=Usage",
"LinkToFilteredSearchResultsUI": "https://portal.azure.com/AnalyticsBlade/subscriptions/12345a-1234b-123c-123d-12345678e/?query=search+*+&timeInterval.intervalEnd=2018-03-26T09%3a10%3a40.0000000Z&_timeInterval.intervalDuration=3600&q=Usage",
"LinkToSearchResultsAPI": "https://api.applicationinsights.io/v1/apps/0MyAppId0/metrics/requests/count",
"LinkToFilteredSearchResultsAPI": "https://api.applicationinsights.io/v1/apps/0MyAppId0/metrics/requests/count",
"SearchIntervalDurationMin": "15",
"SearchIntervalInMinutes": "15",
"Threshold": 10000.0,
"Operator": "Less Than",
"ApplicationId": "00001111-aaaa-2222-bbbb-3333cccc4444",
"Dimensions": [
{
"name": "IP",
"value": "1.1.1.1"
}
],
"SearchResults": {
"tables": [
{
"name": "PrimaryResult",
"columns": [
{
"name": "$table",
"type": "string"
},
{
"name": "Id",
"type": "string"
},
{
"name": "Timestamp",
"type": "datetime"
}
],
"rows": [
[
"Fabrikam",
"33446677a",
"2018-02-02T15:03:12.18Z"
],
[
"Contoso",
"33445566b",
"2018-02-02T15:16:53.932Z"
]
]
}
],
"dataSources": [
{
"resourceId": "/subscriptions/cccc2c2c-dd3d-ee4e-ff5f-aaaaaa6a6a6a/resourcegroups/test/providers/microsoft.operationalinsights/workspaces/test",
"tables": [
"Heartbeat"
]
}
]
},
"IncludedSearchResults": "True",
"AlertType": "Metric measurement"
}
}
Loggsökningsavisering med monitoringService = Loggaviseringar V2
Kommentar
Aviseringsregler för loggsökning från API version 2020-05-01 använder den här nyttolasttypen, som endast stöder vanligt schema. Sökresultaten är inte inbäddade i nyttolasten för loggsökningsaviseringar när du använder den här versionen. Använd dimensioner för att ge kontext till utlösta aviseringar. Du kan också använda LinkToFilteredSearchResultsAPI
eller LinkToSearchResultsAPI
för att komma åt frågeresultat med Log Analytics-API:et. Om du måste bädda in resultatet använder du en logikapp med de angivna länkarna för att generera en anpassad nyttolast.
{
"alertContext": {
"properties": {
"name1": "value1",
"name2": "value2"
},
"conditionType": "LogQueryCriteria",
"condition": {
"windowSize": "PT10M",
"allOf": [
{
"searchQuery": "Heartbeat",
"metricMeasureColumn": "CounterValue",
"targetResourceTypes": "['Microsoft.Compute/virtualMachines']",
"operator": "LowerThan",
"threshold": "1",
"timeAggregation": "Count",
"dimensions": [
{
"name": "Computer",
"value": "TestComputer"
}
],
"metricValue": 0.0,
"failingPeriods": {
"numberOfEvaluationPeriods": 1,
"minFailingPeriodsToAlert": 1
},
"linkToSearchResultsUI": "https://portal.azure.com#@12345a-1234b-123c-123d-12345678e/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/source/Alerts.EmailLinks/scope/%7B%22resources%22%3A%5B%7B%22resourceId%22%3A%22%2Fsubscriptions%212345a-1234b-123c-123d-12345678e%2FresourceGroups%2FContoso%2Fproviders%2FMicrosoft.Compute%2FvirtualMachines%2FContoso%22%7D%5D%7D/q/eJzzSE0sKklKTSypUSjPSC1KVQjJzE11T81LLUosSU1RSEotKU9NzdNIAfJKgDIaRgZGBroG5roGliGGxlYmJlbGJnoGEKCpp4dDmSmKMk0A/prettify/1/timespan/2020-07-07T13%3a54%3a34.0000000Z%2f2020-07-09T13%3a54%3a34.0000000Z",
"linkToFilteredSearchResultsUI": "https://portal.azure.com#@12345a-1234b-123c-123d-12345678e/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/source/Alerts.EmailLinks/scope/%7B%22resources%22%3A%5B%7B%22resourceId%22%3A%22%2Fsubscriptions%212345a-1234b-123c-123d-12345678e%2FresourceGroups%2FContoso%2Fproviders%2FMicrosoft.Compute%2FvirtualMachines%2FContoso%22%7D%5D%7D/q/eJzzSE0sKklKTSypUSjPSC1KVQjJzE11T81LLUosSU1RSEotKU9NzdNIAfJKgDIaRgZGBroG5roGliGGxlYmJlbGJnoGEKCpp4dDmSmKMk0A/prettify/1/timespan/2020-07-07T13%3a54%3a34.0000000Z%2f2020-07-09T13%3a54%3a34.0000000Z",
"linkToSearchResultsAPI": "https://api.loganalytics.io/v1/subscriptions/12345a-1234b-123c-123d-12345678e/resourceGroups/Contoso/providers/Microsoft.Compute/virtualMachines/Contoso/query?query=Heartbeat%7C%20where%20TimeGenerated%20between%28datetime%282020-07-09T13%3A44%3A34.0000000%29..datetime%282020-07-09T13%3A54%3A34.0000000%29%29×pan=2020-07-07T13%3a54%3a34.0000000Z%2f2020-07-09T13%3a54%3a34.0000000Z",
"linkToFilteredSearchResultsAPI": "https://api.loganalytics.io/v1/subscriptions/12345a-1234b-123c-123d-12345678e/resourceGroups/Contoso/providers/Microsoft.Compute/virtualMachines/Contoso/query?query=Heartbeat%7C%20where%20TimeGenerated%20between%28datetime%282020-07-09T13%3A44%3A34.0000000%29..datetime%282020-07-09T13%3A54%3A34.0000000%29%29×pan=2020-07-07T13%3a54%3a34.0000000Z%2f2020-07-09T13%3a54%3a34.0000000Z"
}
],
"windowStartTime": "2020-07-07T13:54:34Z",
"windowEndTime": "2020-07-09T13:54:34Z"
}
}
}
Exempel på aktivitetsloggaviseringar
Aktivitetsloggavisering med monitoringService = Activity Log - Administrative
{
"alertContext": {
"authorization": {
"action": "Microsoft.Compute/virtualMachines/restart/action",
"scope": "/subscriptions/<subscription ID>/resourceGroups/PipeLineAlertRG/providers/Microsoft.Compute/virtualMachines/WCUS-R2-ActLog"
},
"channels": "Operation",
"claims": "{\"aud\":\"https://management.core.windows.net/\",\"iss\":\"https://sts.windows.net/12345a-1234b-123c-123d-12345678e/\",\"iat\":\"1553260826\",\"nbf\":\"1553260826\",\"exp\":\"1553264726\",\"aio\":\"42JgYNjdt+rr+3j/dx68v018XhuFAwA=\",\"appid\":\"11112222-bbbb-3333-cccc-4444dddd5555\",\"appidacr\":\"2\",\"http://schemas.microsoft.com/identity/claims/identityprovider\":\"https://sts.windows.net/12345a-1234b-123c-123d-12345678e/\",\"http://schemas.microsoft.com/identity/claims/objectidentifier\":\"22223333-cccc-4444-dddd-5555eeee6666\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier\":\"22223333-cccc-4444-dddd-5555eeee6666\",\"http://schemas.microsoft.com/identity/claims/tenantid\":\"12345a-1234b-123c-123d-12345678e\",\"uti\":\"v5wYC9t9ekuA2rkZSVZbAA\",\"ver\":\"1.0\"}",
"caller": "22223333-cccc-4444-dddd-5555eeee6666",
"correlationId": "aaaa0000-bb11-2222-33cc-444444dddddd",
"eventSource": "Administrative",
"eventTimestamp": "2019-03-22T13:56:31.2917159+00:00",
"eventDataId": "161fda7e-1cb4-4bc5-9c90-857c55a8f57b",
"level": "Informational",
"operationName": "Microsoft.Compute/virtualMachines/restart/action",
"operationId": "310db69b-690f-436b-b740-6103ab6b0cba",
"status": "Succeeded",
"subStatus": "",
"submissionTimestamp": "2019-03-22T13:56:54.067593+00:00"
}
}
Aktivitetsloggavisering med monitoringService = Activity Log - Policy
{
"alertContext": {
"authorization": {
"action": "Microsoft.Resources/checkPolicyCompliance/read",
"scope": "/subscriptions/<GUID>"
},
"channels": "Operation",
"claims": "{\"aud\":\"https://management.azure.com/\",\"iss\":\"https://sts.windows.net/<GUID>/\",\"iat\":\"1566711059\",\"nbf\":\"1566711059\",\"exp\":\"1566740159\",\"aio\":\"42FgYOhynHNw0scy3T/bL71+xLyqEwA=\",\"appid\":\"<GUID>\",\"appidacr\":\"2\",\"http://schemas.microsoft.com/identity/claims/identityprovider\":\"https://sts.windows.net/<GUID>/\",\"http://schemas.microsoft.com/identity/claims/objectidentifier\":\"<GUID>\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier\":\"<GUID>\",\"http://schemas.microsoft.com/identity/claims/tenantid\":\"<GUID>\",\"uti\":\"Miy1GzoAG0Scu_l3m1aIAA\",\"ver\":\"1.0\"}",
"caller": "<GUID>",
"correlationId": "<GUID>",
"eventSource": "Policy",
"eventTimestamp": "2019-08-25T11:11:34.2269098+00:00",
"eventDataId": "<GUID>",
"level": "Warning",
"operationName": "Microsoft.Authorization/policies/audit/action",
"operationId": "<GUID>",
"properties": {
"isComplianceCheck": "True",
"resourceLocation": "eastus2",
"ancestors": "<GUID>",
"policies": "[{\"policyDefinitionId\":\"/providers/Microsoft.Authorization/policyDefinitions/<GUID>/\",\"policySetDefinitionId\":\"/providers/Microsoft.Authorization/policySetDefinitions/<GUID>/\",\"policyDefinitionReferenceId\":\"vulnerabilityAssessmentMonitoring\",\"policySetDefinitionName\":\"<GUID>\",\"policyDefinitionName\":\"<GUID>\",\"policyDefinitionEffect\":\"AuditIfNotExists\",\"policyAssignmentId\":\"/subscriptions/<GUID>/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn/\",\"policyAssignmentName\":\"SecurityCenterBuiltIn\",\"policyAssignmentScope\":\"/subscriptions/<GUID>\",\"policyAssignmentSku\":{\"name\":\"A1\",\"tier\":\"Standard\"},\"policyAssignmentParameters\":{}}]"
},
"status": "Succeeded",
"subStatus": "",
"submissionTimestamp": "2019-08-25T11:12:46.1557298+00:00"
}
}
Aktivitetsloggavisering med monitoringService = Activity Log - Autoscale
{
"alertContext": {
"channels": "Admin, Operation",
"claims": "{\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/spn\":\"Microsoft.Insights/autoscaleSettings\"}",
"caller": "Microsoft.Insights/autoscaleSettings",
"correlationId": "<GUID>",
"eventSource": "Autoscale",
"eventTimestamp": "2019-08-21T16:17:47.1551167+00:00",
"eventDataId": "<GUID>",
"level": "Informational",
"operationName": "Microsoft.Insights/AutoscaleSettings/Scaleup/Action",
"operationId": "<GUID>",
"properties": {
"description": "The autoscale engine attempting to scale resource '/subscriptions/d<GUID>/resourceGroups/testRG/providers/Microsoft.Compute/virtualMachineScaleSets/testVMSS' from 9 instances count to 10 instances count.",
"resourceName": "/subscriptions/<GUID>/resourceGroups/voiceassistancedemo/providers/Microsoft.Compute/virtualMachineScaleSets/alexademo",
"oldInstancesCount": "9",
"newInstancesCount": "10",
"activeAutoscaleProfile": "{\r\n \"Name\": \"Auto created scale condition\",\r\n \"Capacity\": {\r\n \"Minimum\": \"1\",\r\n \"Maximum\": \"10\",\r\n \"Default\": \"1\"\r\n },\r\n \"Rules\": [\r\n {\r\n \"MetricTrigger\": {\r\n \"Name\": \"Percentage CPU\",\r\n \"Namespace\": \"microsoft.compute/virtualmachinescalesets\",\r\n \"Resource\": \"/subscriptions/<GUID>/resourceGroups/testRG/providers/Microsoft.Compute/virtualMachineScaleSets/testVMSS\",\r\n \"ResourceLocation\": \"eastus\",\r\n \"TimeGrain\": \"PT1M\",\r\n \"Statistic\": \"Average\",\r\n \"TimeWindow\": \"PT5M\",\r\n \"TimeAggregation\": \"Average\",\r\n \"Operator\": \"GreaterThan\",\r\n \"Threshold\": 0.0,\r\n \"Source\": \"/subscriptions/<GUID>/resourceGroups/testRG/providers/Microsoft.Compute/virtualMachineScaleSets/testVMSS\",\r\n \"MetricType\": \"MDM\",\r\n \"Dimensions\": [],\r\n \"DividePerInstance\": false\r\n },\r\n \"ScaleAction\": {\r\n \"Direction\": \"Increase\",\r\n \"Type\": \"ChangeCount\",\r\n \"Value\": \"1\",\r\n \"Cooldown\": \"PT1M\"\r\n }\r\n }\r\n ]\r\n}",
"lastScaleActionTime": "Wed, 21 Aug 2019 16:17:47 GMT"
},
"status": "Succeeded",
"submissionTimestamp": "2019-08-21T16:17:47.2410185+00:00"
}
}
Aktivitetsloggavisering med monitoringService = Activity Log - Security
{
"alertContext": {
"channels": "Operation",
"correlationId": "<GUID>",
"eventSource": "Security",
"eventTimestamp": "2019-08-26T08:34:14+00:00",
"eventDataId": "<GUID>",
"level": "Informational",
"operationName": "Microsoft.Security/locations/alerts/activate/action",
"operationId": "<GUID>",
"properties": {
"threatStatus": "Quarantined",
"category": "Virus",
"threatID": "2147519003",
"filePath": "C:\\AlertGeneration\\test.eicar",
"protectionType": "Windows Defender",
"actionTaken": "Blocked",
"resourceType": "Virtual Machine",
"severity": "Low",
"compromisedEntity": "testVM",
"remediationSteps": "[\"No user action is necessary\"]",
"attackedResourceType": "Virtual Machine"
},
"status": "Active",
"submissionTimestamp": "2019-08-26T09:28:58.3019107+00:00"
}
}
Aktivitetsloggavisering med monitoringService = ServiceHealth
{
"alertContext": {
"authorization": null,
"channels": 1,
"claims": null,
"caller": null,
"correlationId": "bbbb1111-cc22-3333-44dd-555555eeeeee",
"eventSource": 2,
"eventTimestamp": "2019-06-24T11:31:19.0312699+00:00",
"httpRequest": null,
"eventDataId": "<GUID>",
"level": 3,
"operationName": "Microsoft.ServiceHealth/maintenance/action",
"operationId": "<GUID>",
"properties": {
"title": "Azure Synapse Analytics Scheduled Maintenance Pending",
"service": "Azure Synapse Analytics",
"region": "East US",
"communication": "<MESSAGE>",
"incidentType": "Maintenance",
"trackingId": "<GUID>",
"impactStartTime": "2019-06-26T04:00:00Z",
"impactMitigationTime": "2019-06-26T12:00:00Z",
"impactedServices": "[{\"ImpactedRegions\":[{\"RegionName\":\"East US\"}],\"ServiceName\":\"Azure Synapse Analytics\"}]",
"impactedServicesTableRows": "<tr>\r\n<td align='center' style='padding: 5px 10px; border-right:1px solid black; border-bottom:1px solid black'>Azure Synapse Analytics</td>\r\n<td align='center' style='padding: 5px 10px; border-bottom:1px solid black'>East US<br></td>\r\n</tr>\r\n",
"defaultLanguageTitle": "Azure Synapse Analytics Scheduled Maintenance Pending",
"defaultLanguageContent": "<MESSAGE>",
"stage": "Planned",
"communicationId": "<GUID>",
"maintenanceId": "<GUID>",
"isHIR": "false",
"version": "0.1.1"
},
"status": "Active",
"subStatus": null,
"submissionTimestamp": "2019-06-24T11:31:31.7147357+00:00",
"ResourceType": null
}
}
Aktivitetsloggavisering med monitoringService = ResourceHealth
{
"alertContext": {
"channels": "Admin, Operation",
"correlationId": "<GUID>",
"eventSource": "ResourceHealth",
"eventTimestamp": "2019-06-24T15:42:54.074+00:00",
"eventDataId": "<GUID>",
"level": "Informational",
"operationName": "Microsoft.Resourcehealth/healthevent/Activated/action",
"operationId": "<GUID>",
"properties": {
"title": "This virtual machine is stopping and deallocating as requested by an authorized user or process",
"details": null,
"currentHealthStatus": "Unavailable",
"previousHealthStatus": "Available",
"type": "Downtime",
"cause": "UserInitiated"
},
"status": "Active",
"submissionTimestamp": "2019-06-24T15:45:20.4488186+00:00"
}
}
Prometheus-exempelavisering
{
"alertContext": {
"interval": "PT1M",
"expression": "sql_up > 0",
"expressionValue": "0",
"for": "PT2M",
"labels": {
"Environment": "Prod",
"cluster": "myCluster1"
},
"annotations": {
"summary": "alert on SQL availability"
},
"ruleGroup": "/subscriptions/<subscription ID>/resourceGroups/myResourceGroup/providers/Microsoft.AlertsManagement/prometheusRuleGroups/myRuleGroup"
}
}
Exempel på nyttolaster för teståtgärder
Exempelteståtgärdsavisering
{
"schemaId": "azureMonitorCommonAlertSchema",
"data": {
"essentials": {
"alertId": "/subscriptions/<subscription ID>/providers/Microsoft.AlertsManagement/alerts/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e",
"alertRule": "WCUS-R2-Gen2",
"severity": "Sev3",
"signalType": "Metric",
"monitorCondition": "Resolved",
"monitoringService": "Platform",
"alertTargetIDs": [
"/subscriptions/<subscription ID>/resourcegroups/pipelinealertrg/providers/microsoft.compute/virtualmachines/wcus-r2-gen2"
],
"configurationItems": [
"wcus-r2-gen2"
],
"originAlertId": "3f2d4487-b0fc-4125-8bd5-7ad17384221e_PipeLineAlertRG_microsoft.insights_metricAlerts_WCUS-R2-Gen2_-117781227",
"firedDateTime": "2019-03-22T13:58:24.3713213Z",
"resolvedDateTime": "2019-03-22T14:03:16.2246313Z",
"description": "",
"essentialsVersion": "1.0",
"alertContextVersion": "1.0"
},
"alertContext": {
"properties": null,
"conditionType": "SingleResourceMultipleMetricCriteria",
"condition": {
"windowSize": "PT5M",
"allOf": [
{
"metricName": "Percentage CPU",
"metricNamespace": "Microsoft.Compute/virtualMachines",
"operator": "GreaterThan",
"threshold": "25",
"timeAggregation": "Average",
"dimensions": [
{
"name": "ResourceId",
"value": "3efad9dc-3d50-4eac-9c87-8b3fd6f97e4e"
}
],
"metricValue": 7.727
}
]
}
}
}
}
Exempel på måttaviseringar för teståtgärder
Teståtgärdsmåttavisering med ett statiskt tröskelvärde och monitoringService = Platform
{
"schemaId":"azureMonitorCommonAlertSchema",
"data":{
"essentials":{
"alertId":"/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/providers/Microsoft.AlertsManagement/alerts/eeee4efe-ff5f-aa6a-bb7b-cccccc8c8c8c",
"alertRule":"test-metricAlertRule",
"severity":"Sev3",
"signalType":"Metric",
"monitorCondition":"Fired",
"monitoringService":"Platform",
"alertTargetIDs":[
"/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/resourcegroups/test-RG/providers/Microsoft.Storage/storageAccounts/test-storageAccount"
],
"configurationItems":[
"test-storageAccount"
],
"originAlertId":"11111111-1111-1111-1111-111111111111_test-RG_microsoft.insights_metricAlerts_test-metricAlertRule_1234567890",
"firedDateTime":"2021-11-15T09:35:24.3468506Z",
"description":"Alert rule description",
"essentialsVersion":"1.0",
"alertContextVersion":"1.0"
},
"alertContext":{
"properties":{
"customKey1":"value1",
"customKey2":"value2"
},
"conditionType":"DynamicThresholdCriteria",
"condition":{
"windowSize":"PT15M",
"allOf":[
{
"alertSensitivity":"Low",
"failingPeriods":{
"numberOfEvaluationPeriods":3,
"minFailingPeriodsToAlert":3
},
"ignoreDataBefore":null,
"metricName":"Transactions",
"metricNamespace":"Microsoft.Storage/storageAccounts",
"operator":"GreaterThan",
"threshold":"0.3",
"timeAggregation":"Average",
"dimensions":[
],
"metricValue":78.09,
"webTestName":null
}
],
"windowStartTime":"2021-12-15T01:04:11.719Z",
"windowEndTime":"2021-12-15T01:19:11.719Z"
}
},
"customProperties":{
"customKey1":"value1",
"customKey2":"value2"
}
}
}
Teståtgärdsmåttavisering med dynamiskt tröskelvärde och övervakningService = Platform
{
"schemaId":"azureMonitorCommonAlertSchema",
"data":{
"essentials":{
"alertId":"/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/providers/Microsoft.AlertsManagement/alerts/eeee4efe-ff5f-aa6a-bb7b-cccccc8c8c8c",
"alertRule":"test-metricAlertRule",
"severity":"Sev3",
"signalType":"Metric",
"monitorCondition":"Fired",
"monitoringService":"Platform",
"alertTargetIDs":[
"/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/resourcegroups/test-RG/providers/Microsoft.Storage/storageAccounts/test-storageAccount"
],
"configurationItems":[
"test-storageAccount"
],
"originAlertId":"11111111-1111-1111-1111-111111111111_test-RG_microsoft.insights_metricAlerts_test-metricAlertRule_1234567890",
"firedDateTime":"2021-11-15T09:35:24.3468506Z",
"description":"Alert rule description",
"essentialsVersion":"1.0",
"alertContextVersion":"1.0"
},
"alertContext":{
"properties":{
"customKey1":"value1",
"customKey2":"value2"
},
"conditionType":"DynamicThresholdCriteria",
"condition":{
"windowSize":"PT15M",
"allOf":[
{
"alertSensitivity":"Low",
"failingPeriods":{
"numberOfEvaluationPeriods":3,
"minFailingPeriodsToAlert":3
},
"ignoreDataBefore":null,
"metricName":"Transactions",
"metricNamespace":"Microsoft.Storage/storageAccounts",
"operator":"GreaterThan",
"threshold":"0.3",
"timeAggregation":"Average",
"dimensions":[
],
"metricValue":78.09,
"webTestName":null
}
],
"windowStartTime":"2021-12-15T01:04:11.719Z",
"windowEndTime":"2021-12-15T01:19:11.719Z"
}
},
"customProperties":{
"customKey1":"value1",
"customKey2":"value2"
}
}
}
Exempel på teståtgärdsloggsökningsaviseringar
Teståtgärdsloggsökningsavisering V1 – Mått
{
"schemaId":"azureMonitorCommonAlertSchema",
"data":{
"essentials":{
"alertId":"/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/providers/Microsoft.AlertsManagement/alerts/eeee4efe-ff5f-aa6a-bb7b-cccccc8c8c8c",
"alertRule":"test-logAlertRule-v1-metricMeasurement",
"severity":"Sev3",
"signalType":"Log",
"monitorCondition":"Fired",
"monitoringService":"Log Analytics",
"alertTargetIDs":[
"/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/resourcegroups/test-RG/providers/microsoft.operationalinsights/workspaces/test-logAnalyticsWorkspace"
],
"configurationItems":[
],
"originAlertId":"12345678-4444-4444-4444-1234567890ab",
"firedDateTime":"2021-11-16T15:17:21.9232467Z",
"description":"Alert rule description",
"essentialsVersion":"1.0",
"alertContextVersion":"1.1"
},
"alertContext":{
"SearchQuery":"Heartbeat | summarize AggregatedValue=count() by bin(TimeGenerated, 5m)",
"SearchIntervalStartTimeUtc":"2021-11-15T15:16:49Z",
"SearchIntervalEndtimeUtc":"2021-11-16T15:16:49Z",
"ResultCount":2,
"LinkToSearchResults":"https://portal.azure.com#@aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/source/Alerts.EmailLinks/scope/%7B%22resources%22%3A%5B%7B%22resourceId%22%3A%22%2Fsubscriptions%2F11111111-1111-1111-1111-111111111111%2FresourceGroups%2Ftest-RG%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Ftest-logAnalyticsWorkspace%22%7D%5D%7D/q/aBcDeFgHi%2BWqUSguzc1NLMqsSlVwTE8vSk1PLElNCUvMKU21Tc4vzSvRaBcDeFgHiaBcDeFgHiaBcDeFgHiaBcDeFgHi/prettify/1/timespan/2021-11-15T15%3a16%3a49.0000000Z%2f2021-11-16T15%3a16%3a49.0000000Z",
"LinkToFilteredSearchResultsUI":"https://portal.azure.com#@aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/source/Alerts.EmailLinks/scope/%7B%22resources%22%3A%5B%7B%22resourceId%22%3A%22%2Fsubscriptions%2F11111111-1111-1111-1111-111111111111%2FresourceGroups%2Ftest-RG%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Ftest-logAnalyticsWorkspace%22%7D%5D%7D/q/aBcDeFgHiaBcDeFgHiaBcDeFgHiaBcDeFgHiaBcDeFgHidp%2BOPOhDKsHR%2FFeJXsTgzGJRmVui3KF3RpLyEJCX9A2iMl6jgxMn6jRevng3JmIHLdYtKP4DRI9mhc%3D/prettify/1/timespan/2021-11-15T15%3a16%3a49.0000000Z%2f2021-11-16T15%3a16%3a49.0000000Z",
"LinkToSearchResultsAPI":"https://api.loganalytics.io/v1/workspaces/bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb/query?query=Heartbeat%20%0A%7C%20summarize%20AggregatedValue%3Dcount%28%29%20by%20bin%28TimeGenerated%2C%205m%29×pan=2021-11-15T15%3a16%3a49.0000000Z%2f2021-11-16T15%3a16%3a49.0000000Z",
"LinkToFilteredSearchResultsAPI":"https://api.loganalytics.io/v1/workspaces/bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb/query?query=Heartbeat%20%0A%7C%20summarize%20AggregatedValue%3Dcount%28%29%20by%20bin%28TimeGenerated%2C%205m%29%7C%20where%20todouble%28AggregatedValue%29%20%3E%200×pan=2021-11-15T15%3a16%3a49.0000000Z%2f2021-11-16T15%3a16%3a49.0000000Z",
"SeverityDescription":"Informational",
"WorkspaceId":"bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb",
"SearchIntervalDurationMin":"1440",
"AffectedConfigurationItems":[
],
"AlertType":"Metric measurement",
"IncludeSearchResults":true,
"Dimensions":[
],
"SearchIntervalInMinutes":"1440",
"SearchResults":{
"tables":[
{
"name":"PrimaryResult",
"columns":[
{
"name":"TimeGenerated",
"type":"datetime"
},
{
"name":"AggregatedValue",
"type":"long"
}
],
"rows":[
[
"2021-11-16T10:56:49Z",
11
],
[
"2021-11-16T11:56:49Z",
11
]
]
}
],
"dataSources":[
{
"resourceId":"/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/resourcegroups/test-RG/providers/microsoft.operationalinsights/workspaces/test-logAnalyticsWorkspace",
"region":"eastus",
"tables":[
"Heartbeat"
]
}
]
},
"Threshold":0,
"Operator":"Greater Than",
"IncludedSearchResults":"True"
}
}
}
Teståtgärdsloggsökningsavisering V1 – Numresults
{
"schemaId":"azureMonitorCommonAlertSchema",
"data":{
"essentials":{
"alertId":"/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/providers/Microsoft.AlertsManagement/alerts/eeee4efe-ff5f-aa6a-bb7b-cccccc8c8c8c",
"alertRule":"test-logAlertRule-v1-numResults",
"severity":"Sev3",
"signalType":"Log",
"monitorCondition":"Fired",
"monitoringService":"Log Analytics",
"alertTargetIDs":[
"/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/resourcegroups/test-RG/providers/microsoft.operationalinsights/workspaces/test-logAnalyticsWorkspace"
],
"configurationItems":[
"test-computer"
],
"originAlertId":"22222222-2222-2222-2222-222222222222",
"firedDateTime":"2021-11-16T15:15:58.3302205Z",
"description":"Alert rule description",
"essentialsVersion":"1.0",
"alertContextVersion":"1.1"
},
"alertContext":{
"SearchQuery":"Heartbeat",
"SearchIntervalStartTimeUtc":"2021-11-15T15:15:24Z",
"SearchIntervalEndtimeUtc":"2021-11-16T15:15:24Z",
"ResultCount":1,
"LinkToSearchResults":"https://portal.azure.com#@aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/source/Alerts.EmailLinks/scope/%7B%22resources%22%3A%5B%7B%22resourceId%22%3A%22%2Fsubscriptions%2F11111111-1111-1111-1111-111111111111%2FresourceGroups%2Ftest-RG%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Ftest-logAnalyticsWorkspace%22%7D%5D%7D/q/aBcDeFgHi%2ABCDE%3D%3D/prettify/1/timespan/2021-11-15T15%3a15%3a24.0000000Z%2f2021-11-16T15%3a15%3a24.0000000Z",
"LinkToFilteredSearchResultsUI":"https://portal.azure.com#@aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/source/Alerts.EmailLinks/scope/%7B%22resources%22%3A%5B%7B%22resourceId%22%3A%22%2Fsubscriptions%2F11111111-1111-1111-1111-111111111111%2FresourceGroups%2Ftest-RG%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Ftest-logAnalyticsWorkspace%22%7D%5D%7D/q/aBcDeFgHi%2ABCDE%3D%3D/prettify/1/timespan/2021-11-15T15%3a15%3a24.0000000Z%2f2021-11-16T15%3a15%3a24.0000000Z",
"LinkToSearchResultsAPI":"https://api.loganalytics.io/v1/workspaces/bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb/query?query=Heartbeat%0A×pan=2021-11-15T15%3a15%3a24.0000000Z%2f2021-11-16T15%3a15%3a24.0000000Z",
"LinkToFilteredSearchResultsAPI":"https://api.loganalytics.io/v1/workspaces/bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb/query?query=Heartbeat%0A×pan=2021-11-15T15%3a15%3a24.0000000Z%2f2021-11-16T15%3a15%3a24.0000000Z",
"SeverityDescription":"Informational",
"WorkspaceId":"bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb",
"SearchIntervalDurationMin":"1440",
"AffectedConfigurationItems":[
"test-computer"
],
"AlertType":"Number of results",
"IncludeSearchResults":true,
"SearchIntervalInMinutes":"1440",
"SearchResults":{
"tables":[
{
"name":"PrimaryResult",
"columns":[
{
"name":"TenantId",
"type":"string"
},
{
"name":"Computer",
"type":"string"
},
{
"name":"TimeGenerated",
"type":"datetime"
}
],
"rows":[
[
"bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb",
"test-computer",
"2021-11-16T12:00:00Z"
]
]
}
],
"dataSources":[
{
"resourceId":"/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/resourcegroups/test-RG/providers/microsoft.operationalinsights/workspaces/test-logAnalyticsWorkspace",
"region":"eastus",
"tables":[
"Heartbeat"
]
}
]
},
"Threshold":0,
"Operator":"Greater Than",
"IncludedSearchResults":"True"
}
}
}
Teståtgärdsloggsökningsavisering V2
Kommentar
Regler för loggsökningsaviseringar från API-version 2020-05-01 använder den här nyttolasttypen, som endast stöder vanligt schema. Sökresultaten är inte inbäddade i nyttolasten för loggsökningsaviseringar när du använder den här versionen. Använd dimensioner för att ge kontext till utlösta aviseringar.
Du kan också använda LinkToFilteredSearchResultsAPI
eller LinkToSearchResultsAPI
för att komma åt frågeresultat med Log Analytics-API:et. Om du måste bädda in resultatet använder du en logikapp med de angivna länkarna för att generera en anpassad nyttolast.
{
"schemaId":"azureMonitorCommonAlertSchema",
"data":{
"essentials":{
"alertId":"/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/providers/Microsoft.AlertsManagement/alerts/eeee4efe-ff5f-aa6a-bb7b-cccccc8c8c8c",
"alertRule":"test-logAlertRule-v2",
"severity":"Sev3",
"signalType":"Log",
"monitorCondition":"Fired",
"monitoringService":"Log Alerts V2",
"alertTargetIDs":[
"/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/resourcegroups/test-RG/providers/microsoft.operationalinsights/workspaces/test-logAnalyticsWorkspace"
],
"configurationItems":[
"test-computer"
],
"originAlertId":"22222222-2222-2222-2222-222222222222",
"firedDateTime":"2021-11-16T11:47:41.4728231Z",
"description":"Alert rule description",
"essentialsVersion":"1.0",
"alertContextVersion":"1.0"
},
"alertContext":{
"properties":{
"customKey1":"value1",
"customKey2":"value2"
},
"conditionType":"LogQueryCriteria",
"condition":{
"windowSize":"PT1H",
"allOf":[
{
"searchQuery":"Heartbeat",
"metricMeasureColumn":null,
"targetResourceTypes":"['Microsoft.OperationalInsights/workspaces']",
"operator":"GreaterThan",
"threshold":"0",
"timeAggregation":"Count",
"dimensions":[
{
"name":"Computer",
"value":"test-computer"
}
],
"metricValue":3.0,
"failingPeriods":{
"numberOfEvaluationPeriods":1,
"minFailingPeriodsToAlert":1
},
"linkToSearchResultsUI":"https://portal.azure.com#@aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/source/Alerts.EmailLinks/scope/%7B%22resources%22%3A%5B%7B%22resourceId%22%3A%22%2Fsubscriptions%2F11111111-1111-1111-1111-111111111111%2FresourceGroups%2Ftest-RG%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Ftest-logAnalyticsWorkspace%22%7D%5D%7D/q/aBcDeFgHiJkLmNaBcDeFgHiJkLmNaBcDeFgHiJkLmNaBcDeFgHiJkLmN1234567890ZAZBZiaGBlaG5lbKlnAAFRmnp6WNUZoqvTBAA%3D/prettify/1/timespan/2021-11-16T10%3a17%3a39.0000000Z%2f2021-11-16T11%3a17%3a39.0000000Z",
"linkToFilteredSearchResultsUI":"https://portal.azure.com#@aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/source/Alerts.EmailLinks/scope/%7B%22resources%22%3A%5B%7B%22resourceId%22%3A%22%2Fsubscriptions%2F11111111-1111-1111-1111-111111111111%2FresourceGroups%2Ftest-RG%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Ftest-logAnalyticsWorkspace%22%7D%5D%7D/q/aBcDeFgHiJkLmN%2Fl35oOTZoKioEOouaBcDeFgHiJkLmN%2BaBcDeFgHiJkLmN%2BaBcDeFgHiJkLmN7HHgOCZTR0Ak%2FaBcDeFgHiJkLmN1234567890Ltcw%2FOqZS%2FuX0L5d%2Bx3iMHNzQiu3Y%2BzsjpFSWlOzgA87vAxeHW2MoAtQxe6OUvVrZR3XYZPXrd%2FIE/prettify/1/timespan/2021-11-16T10%3a17%3a39.0000000Z%2f2021-11-16T11%3a17%3a39.0000000Z",
"linkToSearchResultsAPI":"https://api.loganalytics.io/v1/workspaces/bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb/query?query=Heartbeat%7C%20where%20TimeGenerated%20between%28datetime%282021-11-16T10%3A17%3A39.0000000Z%29..datetime%282021-11-16T11%3A17%3A39.0000000Z%29%29×pan=2021-11-16T10%3a17%3a39.0000000Z%2f2021-11-16T11%3a17%3a39.0000000Z",
"linkToFilteredSearchResultsAPI":"https://api.loganalytics.io/v1/workspaces/bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb/query?query=Heartbeat%7C%20where%20TimeGenerated%20between%28datetime%282021-11-16T10%3A17%3A39.0000000Z%29..datetime%282021-11-16T11%3A17%3A39.0000000Z%29%29%7C%20where%20tostring%28Computer%29%20%3D%3D%20%27test-computer%27×pan=2021-11-16T10%3a17%3a39.0000000Z%2f2021-11-16T11%3a17%3a39.0000000Z"
}
],
"windowStartTime":"2021-11-16T10:17:39Z",
"windowEndTime":"2021-11-16T11:17:39Z"
}
}
}
}
Exempel på aviseringar om aktivitetsloggar för teståtgärd
Logga avisering för teståtgärdsaktivitet med MonitoringService = Administrative
{
"schemaId":"azureMonitorCommonAlertSchema",
"data":{
"essentials":{
"alertId":"/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/providers/Microsoft.AlertsManagement/alerts/eeee4efe-ff5f-aa6a-bb7b-cccccc8c8c8c",
"alertRule":"test-activityLogAlertRule",
"severity":"Sev4",
"signalType":"Activity Log",
"monitorCondition":"Fired",
"monitoringService":"Activity Log - Administrative",
"alertTargetIDs":[
"/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/resourcegroups/test-RG/providers/microsoft.compute/virtualmachines/test-VM"
],
"configurationItems":[
"test-VM"
],
"originAlertId":"bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb_123456789012345678901234567890ab",
"firedDateTime":"2021-11-16T08:29:01.2932462Z",
"description":"Alert rule description",
"essentialsVersion":"1.0",
"alertContextVersion":"1.0"
},
"alertContext":{
"authorization":{
"action":"Microsoft.Compute/virtualMachines/restart/action",
"scope":"/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/resourceGroups/test-RG/providers/Microsoft.Compute/virtualMachines/test-VM"
},
"channels":"Operation",
"claims":"{}",
"caller":"user-email@domain.com",
"correlationId":"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
"eventSource":"Administrative",
"eventTimestamp":"2021-11-16T08:27:36.1836909+00:00",
"eventDataId":"bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb",
"level":"Informational",
"operationName":"Microsoft.Compute/virtualMachines/restart/action",
"operationId":"cccccccc-cccc-cccc-cccc-cccccccccccc",
"properties":{
"eventCategory":"Administrative",
"entity":"/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/resourceGroups/test-RG/providers/Microsoft.Compute/virtualMachines/test-VM",
"message":"Microsoft.Compute/virtualMachines/restart/action",
"hierarchy":"22222222-2222-2222-2222-222222222222/CnAIOrchestrationServicePublicCorpprod/33333333-3333-3333-3333-3333333333333/44444444-4444-4444-4444-444444444444/55555555-5555-5555-5555-555555555555/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b"
},
"status":"Succeeded",
"subStatus":"",
"submissionTimestamp":"2021-11-16T08:29:00.141807+00:00",
"Activity Log Event Description":""
}
}
}
Logga avisering för teståtgärdsaktivitet med MonitoringService = ServiceHealth
{
"schemaId":"azureMonitorCommonAlertSchema",
"data":{
"essentials":{
"alertId":"/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/providers/Microsoft.AlertsManagement/alerts/1234abcd5678efgh1234abcd5678efgh1234abcd5678efgh1234abcd5678efgh",
"alertRule":"test-ServiceHealthAlertRule",
"severity":"Sev4",
"signalType":"Activity Log",
"monitorCondition":"Fired",
"monitoringService":"ServiceHealth",
"alertTargetIDs":[
"/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b"
],
"originAlertId":"eeee4efe-ff5f-aa6a-bb7b-cccccc8c8c8c",
"firedDateTime":"2021-11-17T05:34:48.0623172Z",
"description":"Alert rule description",
"essentialsVersion":"1.0",
"alertContextVersion":"1.0"
},
"alertContext":{
"authorization":null,
"channels":1,
"claims":null,
"caller":null,
"correlationId":"cccc2222-dd33-4444-55ee-666666ffffff",
"eventSource":2,
"eventTimestamp":"2021-11-17T05:34:44.5778226+00:00",
"httpRequest":null,
"eventDataId":"eeee4efe-ff5f-aa6a-bb7b-cccccc8c8c8c",
"level":3,
"operationName":"Microsoft.ServiceHealth/incident/action",
"operationId":"cccc2222-dd33-4444-55ee-666666ffffff",
"properties":{
"title":"Test Action Group - Test Service Health Alert",
"service":"Azure Service Name",
"region":"Global",
"communication":"<p><strong>Summary of impact</strong>: This is the impact summary.</p>\n<p><br></p>\n<p><strong>Preliminary Root Cause</strong>: This is the preliminary root cause.</p>\n<p><br></p>\n<p><strong>Mitigation</strong>: Mitigation description.</p>\n<p><br></p>\n<p><strong>Next steps</strong>: These are the next steps. </p>\n<p><br></p>\n<p>Stay informed about Azure service issues by creating custom service health alerts: <a href=\"https://aka.ms/ash-videos\" rel=\"noopener noreferrer\" target=\"_blank\">https://aka.ms/ash-videos</a> for video tutorials and <a href=\"https://aka.ms/ash-alerts%20for%20how-to%20documentation\" rel=\"noopener noreferrer\" target=\"_blank\">https://aka.ms/ash-alerts for how-to documentation</a>.</p>\n<p><br></p>",
"incidentType":"Incident",
"trackingId":"ABC1-DEF",
"impactStartTime":"2021-11-16T20:00:00Z",
"impactMitigationTime":"2021-11-17T01:00:00Z",
"impactedServices":"[{\"ImpactedRegions\":[{\"RegionName\":\"Global\"}],\"ServiceName\":\"Azure Service Name\"}]",
"impactedServicesTableRows":"<tr>\r\n<td align='center' style='padding: 5px 10px; border-right:1px solid black; border-bottom:1px solid black'>Azure Service Name</td>\r\n<td align='center' style='padding: 5px 10px; border-bottom:1px solid black'>Global<br></td>\r\n</tr>\r\n",
"defaultLanguageTitle":"Test Action Group - Test Service Health Alert",
"defaultLanguageContent":"<p><strong>Summary of impact</strong>: This is the impact summary.</p>\n<p><br></p>\n<p><strong>Preliminary Root Cause</strong>: This is the preliminary root cause.</p>\n<p><br></p>\n<p><strong>Mitigation</strong>: Mitigation description.</p>\n<p><br></p>\n<p><strong>Next steps</strong>: These are the next steps. </p>\n<p><br></p>\n<p>Stay informed about Azure service issues by creating custom service health alerts: <a href=\"https://aka.ms/ash-videos\" rel=\"noopener noreferrer\" target=\"_blank\">https://aka.ms/ash-videos</a> for video tutorials and <a href=\"https://aka.ms/ash-alerts%20for%20how-to%20documentation\" rel=\"noopener noreferrer\" target=\"_blank\">https://aka.ms/ash-alerts for how-to documentation</a>.</p>\n<p><br></p>",
"stage":"Resolved",
"communicationId":"11223344556677",
"isHIR":"false",
"IsSynthetic":"True",
"impactType":"SubscriptionList",
"version":"0.1.1"
},
"status":"Resolved",
"subStatus":null,
"submissionTimestamp":"2021-11-17T01:23:45.0623172+00:00",
"ResourceType":null
}
}
}
Logga avisering för teståtgärdsaktivitet med MonitoringService = Resource Health
{
"schemaId":"azureMonitorCommonAlertSchema",
"data":{
"essentials":{
"alertId":"/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/providers/Microsoft.AlertsManagement/alerts/eeee4efe-ff5f-aa6a-bb7b-cccccc8c8c8c",
"alertRule":"test-ResourceHealthAlertRule",
"severity":"Sev4",
"signalType":"Activity Log",
"monitorCondition":"Fired",
"monitoringService":"Resource Health",
"alertTargetIDs":[
"/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/resourcegroups/test-RG/providers/microsoft.compute/virtualmachines/test-VM"
],
"configurationItems":[
"test-VM"
],
"originAlertId":"bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb_123456789012345678901234567890ab",
"firedDateTime":"2021-11-16T09:54:08.9938123Z",
"description":"Alert rule description",
"essentialsVersion":"1.0",
"alertContextVersion":"1.0"
},
"alertContext":{
"channels":"Admin, Operation",
"correlationId":"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
"eventSource":"ResourceHealth",
"eventTimestamp":"2021-11-16T09:50:20.406+00:00",
"eventDataId":"bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb",
"level":"Informational",
"operationName":"Microsoft.Resourcehealth/healthevent/Activated/action",
"operationId":"bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb",
"properties":{
"title":"Rebooted by user",
"details":null,
"currentHealthStatus":"Unavailable",
"previousHealthStatus":"Available",
"type":"Downtime",
"cause":"UserInitiated"
},
"status":"Active",
"submissionTimestamp":"2021-11-16T09:54:08.5303319+00:00",
"Activity Log Event Description":null
}
}
}
Logga avisering för teståtgärdsaktivitet med MonitoringService = Budget
{
"schemaId":"AIP Budget Notification",
"data":{
"SubscriptionName":"test-subscription",
"SubscriptionId":"dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b",
"EnrollmentNumber":"",
"DepartmentName":"test-budgetDepartmentName",
"AccountName":"test-budgetAccountName",
"BillingAccountId":"",
"BillingProfileId":"",
"InvoiceSectionId":"",
"ResourceGroup":"test-RG",
"SpendingAmount":"1111.32",
"BudgetStartDate":"11/17/2021 5:40:29 PM -08:00",
"Budget":"10000",
"Unit":"USD",
"BudgetCreator":"email@domain.com",
"BudgetName":"test-budgetName",
"BudgetType":"Cost",
"NotificationThresholdAmount":"8000.0"
}
}
Logga avisering för teståtgärdsaktivitet med MonitoringService = Actual Cost Budget
{
"schemaId": "azureMonitorCommonAlertSchema",
"data": {
"essentials": {
"monitoringService": "CostAlerts",
"firedDateTime": "2022-12-07T21:13:20.645Z",
"description": "Your spend for budget Test_actual_cost_budget is now $11,111.00 exceeding your specified threshold $25.00.",
"essentialsVersion": "1.0",
"alertContextVersion": "1.0",
"alertId": "/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/providers/Microsoft.CostManagement/alerts/Test_Alert",
"alertRule": null,
"severity": null,
"signalType": null,
"monitorCondition": null,
"alertTargetIDs": null,
"configurationItems": [
"budgets"
],
"originAlertId": null
},
"alertContext": {
"AlertCategory": "budgets",
"AlertData": {
"Scope": "/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/",
"ThresholdType": "Actual",
"BudgetType": "Cost",
"BudgetThreshold": "$50.00",
"NotificationThresholdAmount": "$25.00",
"BudgetName": "Test_actual_cost_budget",
"BudgetId": "/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/providers/Microsoft.Consumption/budgets/Test_actual_cost_budget",
"BudgetStartDate": "2022-11-01",
"BudgetCreator": "test@sample.test",
"Unit": "USD",
"SpentAmount": "$11,111.00"
}
}
}
}
Testa aktivitetsloggaviseringar för åtgärd med MonitoringService = Forecasted Budget
{
"schemaId": "azureMonitorCommonAlertSchema",
"data": {
"essentials": {
"monitoringService": "CostAlerts",
"firedDateTime": "2022-12-07T21:13:29.576Z",
"description": "The total spend for your budget, Test_forcasted_budget, is forecasted to reach $1111.11 before the end of the period. This amount exceeds your specified budget threshold of $50.00.",
"essentialsVersion": "1.0",
"alertContextVersion": "1.0",
"alertId": "/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/providers/Microsoft.CostManagement/alerts/Test_Alert",
"alertRule": null,
"severity": null,
"signalType": null,
"monitorCondition": null,
"alertTargetIDs": null,
"configurationItems": [
"budgets"
],
"originAlertId": null
},
"alertContext": {
"AlertCategory": "budgets",
"AlertData": {
"Scope": "/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/",
"ThresholdType": "Forecasted",
"BudgetType": "Cost",
"BudgetThreshold": "$50.00",
"NotificationThresholdAmount": "$50.00",
"BudgetName": "Test_forcasted_budget",
"BudgetId": "/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/providers/Microsoft.Consumption/budgets/Test_forcasted_budget",
"BudgetStartDate": "2022-11-01",
"BudgetCreator": "test@sample.test",
"Unit": "USD",
"SpentAmount": "$999.99",
"ForecastedTotalForPeriod": "$1111.11"
}
}
}
}
Testa aktivitetsloggaviseringar för åtgärd med MonitoringService = Smart Alert
{
"schemaId":"azureMonitorCommonAlertSchema",
"data":{
"essentials":{
"alertId":"/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/providers/Microsoft.AlertsManagement/alerts/eeee4efe-ff5f-aa6a-bb7b-cccccc8c8c8c",
"alertRule":"Dependency Latency Degradation - test-applicationInsights",
"severity":"Sev3",
"signalType":"Log",
"monitorCondition":"Fired",
"monitoringService":"SmartDetector",
"alertTargetIDs":[
"/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/resourcegroups/test-RG/providers/microsoft.insights/components/test-applicationInsights"
],
"configurationItems":[
"test-applicationInsights"
],
"originAlertId":"1234abcd5678efgh1234abcd5678efgh1234abcd5678efgh1234abcd5678efgh",
"firedDateTime":"2021-10-28T19:09:09.1115084Z",
"description":"Dependency Latency Degradation notifies you of an unusual increase in response by a dependency your app is calling (e.g. REST API or database)",
"essentialsVersion":"1.0",
"alertContextVersion":"1.0"
},
"alertContext":{
"DetectionSummary":"A degradation in the dependency duration over the last 24 hours",
"FormattedOccurrenceTime":"2021-10-27T23:59:59Z",
"DetectedValue":"0.45 sec",
"NormalValue":"0.27 sec (over the last 7 days)",
"PresentationInsightEventRequest":"/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/resourceGroups/test-RG/providers/microsoft.insights/components/test-applicationInsights/query?query=systemEvents%0d%0a++++++++++++++++%7c+where+timestamp+%3e%3d+datetime(%272021-10-27T23%3a29%3a59.0000000Z%27)+%0d%0a++++++++++++++++%7c+where+itemType+%3d%3d+%27systemEvent%27+and+name+%3d%3d+%27ProactiveDetectionInsight%27+%0d%0a++++++++++++++++%7c+where+dimensions.InsightType+%3d%3d+3+%0d%0a++++++++++++++++%7c+where+dimensions.InsightVersion+%3d%3d+%27SmartAlert%27%0d%0a++++++++++++++++%7c+where+dimensions.InsightDocumentId+%3d%3d+%2712345678-abcd-1234-5678-abcd12345678%27+%0d%0a++++++++++++++++%7c+project+dimensions.InsightPropertiesTable%2cdimensions.InsightDegradationChart%2cdimensions.InsightCountChart%2cdimensions.InsightLinksTable%0d%0a++++++++++++++++&api-version=2018-04-20",
"SmartDetectorId":"DependencyPerformanceDegradationDetector",
"SmartDetectorName":"Dependency Performance Degradation Detector",
"AnalysisTimestamp":"2021-10-28T19:09:09.1115084Z"
}
}
}