Azure Monitor Alert Series – Part 4


It is time for another part of the blog post series focused on Azure Monitor Alerts. In Part 4 we will take a look at Advisor alerts and Policy alerts. Like the alerts covered in the previous parts, they are based on records in the Azure Activity log.

Let's start by listing some important information about Advisor alerts:

  • The records the alerts are based on are generated by Azure Advisor recommendations
  • Records are generated only when a recommendation is actually created in Azure Advisor
  • Alerts are generated per instance (per recommendation)
  • You cannot assign a severity to these alerts; they get Sev4 automatically
  • They support the common alert schema
  • It is best to create these alerts per subscription

We can create these alerts with ARM templates; below is an example of such a template:

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "actionGroupResourceId": {
            "type": "string"
        }
    },
    "variables": {
        "apiVersions": {
            "activityLogAlerts": "2017-04-01"
        }
    },
    "resources": [
        {
            "name": "Advisor Recommendation Alert",
            "type": "Microsoft.Insights/activityLogAlerts",
            "apiVersion": "[variables( 'apiVersions' ).activityLogAlerts]",
            "location": "Global",
            "properties": {
                "enabled": true,
                "description": "Advisor log alert sample.",
                "scopes": [
                    "[subscription().id]"
                ],
                "condition": {
                    "allOf": [
                        {
                            "field": "category",
                            "equals": "Recommendation"
                        },
                        {
                            "field": "operationName",
                            "equals": "Microsoft.Advisor/recommendations/available/action"
                        },
                        {
                            "anyOf": [
                                {
                                    "field": "properties.recommendationCategory",
                                    "equals": "Cost"
                                },
                                {
                                    "field": "properties.recommendationCategory",
                                    "equals": "HighAvailability"
                                }
                            ]
                        }
                    ]
                },
                "actions": {
                    "actionGroups": [
                        {
                            "actionGroupId": "[parameters('actionGroupResourceId')]"
                        }
                    ]
                }
            }
        }
    ]
}

The first thing you will notice is that the category is Recommendation. We also filter on a specific operation. The anyOf condition lists the two Azure Advisor categories we want to get alerts from. The available values for recommendationCategory are Cost, HighAvailability and Performance. If you want to be alerted on all categories, remove the whole anyOf section. If you want to be alerted on a single category, remove the anyOf section and add the recommendation category filter to the top-level allOf of the condition.

We can also look at the activity log record to see which other properties we can filter on if we want to create a more narrowly scoped alert:

[Screenshot: Recommendation activity log record]

As you can see, we can also scope on the recommendation impact. The possible values are Low, Medium and High. You can also scope to a specific recommendation name; for that, of course, you need to know the names of all the recommendations you want to scope on.

I would say recommendations expose all the information needed to give the most flexibility in alert filtering.
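To make the allOf / anyOf semantics of the condition block concrete, here is an added example (not code from the original post) that evaluates the Advisor condition from the template above against constructed activity log records, and shows how narrowing it by recommendation impact changes which records would fire. The field names properties.recommendationImpact and properties.recommendationName are assumptions, since the post only names them in prose.

```python
import json

# Constructed sample activity-log records (not real Azure output). The field names
# properties.recommendationImpact and properties.recommendationName are assumed.
SAMPLE_RECORDS = [
    {"category": "Recommendation",
     "operationName": "Microsoft.Advisor/recommendations/available/action",
     "properties": {"recommendationCategory": "Cost", "recommendationImpact": "High",
                    "recommendationName": "Right-size or shut down underutilized VMs"}},
    {"category": "Recommendation",
     "operationName": "Microsoft.Advisor/recommendations/available/action",
     "properties": {"recommendationCategory": "Performance", "recommendationImpact": "Low",
                    "recommendationName": "Improve App Service performance"}},
]

# The condition block from the Advisor template above, as a Python dict.
ADVISOR_CONDITION = {"allOf": [
    {"field": "category", "equals": "Recommendation"},
    {"field": "operationName", "equals": "Microsoft.Advisor/recommendations/available/action"},
    {"anyOf": [{"field": "properties.recommendationCategory", "equals": "Cost"},
               {"field": "properties.recommendationCategory", "equals": "HighAvailability"}]},
]}

def get_field(record, path):
    """Resolve a dotted field path such as 'properties.recommendationCategory'."""
    node = record
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def matches(condition, record):
    """Evaluate an allOf / anyOf / field+equals tree; simplification: plain string equality."""
    if "allOf" in condition:
        return all(matches(c, record) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(matches(c, record) for c in condition["anyOf"])
    value = get_field(record, condition["field"])
    return value is not None and str(value) == str(condition["equals"])

def with_impact(condition, impact):
    """Copy of the condition narrowed to one recommendation impact (Low, Medium or High)."""
    narrowed = json.loads(json.dumps(condition))  # deep copy, original stays untouched
    narrowed["allOf"].append({"field": "properties.recommendationImpact", "equals": impact})
    return narrowed

def matching_names(condition, records):
    """Recommendation names of the records that would fire the alert."""
    return [get_field(r, "properties.recommendationName") for r in records if matches(condition, r)]
```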

Moving on to Policy alerts. As for the other alerts, some important information about them:

  • The records the alerts are based on are generated by Azure Policy compliance results
  • Records are generated only when a policy compliance check is executed
  • Alerts are generated per instance (per resource)
  • You cannot assign a severity to these alerts; they get Sev4 automatically
  • They support the common alert schema
  • It is best to create these alerts per subscription

This is how such an alert looks in an ARM template:

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "actionGroupResourceId": {
            "type": "string"
        }
    },
    "variables": {
        "apiVersions": {
            "activityLogAlerts": "2017-04-01"
        }
    },
    "resources": [
        {
            "name": "Policy Alert",
            "type": "Microsoft.Insights/activityLogAlerts",
            "apiVersion": "[variables( 'apiVersions' ).activityLogAlerts]",
            "location": "Global",
            "properties": {
                "enabled": true,
                "description": "Policy log alert sample.",
                "scopes": [
                    "[subscription().id]"
                ],
                "condition": {
                    "allOf": [
                        {
                            "field": "category",
                            "equals": "Policy"
                        },
                        {
                            "field": "operationName",
                            "equals": "Microsoft.Authorization/policies/audit/action"
                        },
                        {
                            "field": "properties.isComplianceCheck",
                            "equals": "False"
                        }
                    ]
                },
                "actions": {
                    "actionGroups": [
                        {
                            "actionGroupId": "[parameters('actionGroupResourceId')]"
                        }
                    ]
                }
            }
        }
    ]
}

The ARM template shows that we are filtering on the Policy category. I am also filtering on a specific operation, Audit. You can also filter on the ‘Microsoft.Authorization/policies/deployIfNotExists/action’ operation. The isComplianceCheck filter is very important: with it we say that we want to be alerted only on non-compliant results.

Let's have a look at a policy record in the activity log as well:

[Screenshot: Policy activity log record]

As you can probably see in the picture, besides the fields I have shown you there is nothing more you can filter on. Unfortunately, properties.policies is a string in JSON format. If you have some additional processing after the alert you could parse that information there, but not directly in the alert. Because of that you cannot alert on a specific policy. You will also note that the information in the string is an array, so there could be more than one policy in it; in this case there are two. On the bright side, you have all the information in that string: policy definition id, policy definition name, policy assignment name, policy effect, policy assignment parameters, etc.

I wish these records were generated not only per resource but also per policy assignment. Additionally, it would have been good if policies were a JSON object that you could filter on, for example on a certain policy assignment name. This way the alerts would have been far more useful.
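Since the policy filtering has to happen after the alert, here is an added example (not code from the original post) of the post-processing step: a handler that receives the common alert schema payload, decodes the properties.policies string into its array and filters on policy assignment name. The payload is constructed and only the parts the handler reads are filled in; the key names inside the policies string (policyDefinitionId, policyAssignmentName and so on) are assumed, as the post lists the contents only in prose.

```python
import json

# Constructed common-alert-schema payload (not captured from Azure); only the parts this
# handler reads are filled in. The key names inside the policies string are assumed.
SAMPLE_ALERT = {
    "schemaId": "azureMonitorCommonAlertSchema",
    "data": {
        "essentials": {"alertRule": "Policy Alert", "severity": "Sev4"},
        "alertContext": {
            "operationName": "Microsoft.Authorization/policies/audit/action",
            "properties": {
                "isComplianceCheck": "False",
                "policies": json.dumps([  # a JSON array serialised into a string, two policies
                    {"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/EXAMPLE-DEF-1",
                     "policyDefinitionName": "EXAMPLE-DEF-1", "policyDefinitionEffect": "audit",
                     "policyAssignmentName": "require-owner-tag",
                     "policyAssignmentParameters": {"tagName": {"value": "owner"}}},
                    {"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/EXAMPLE-DEF-2",
                     "policyDefinitionName": "EXAMPLE-DEF-2", "policyDefinitionEffect": "audit",
                     "policyAssignmentName": "allowed-locations", "policyAssignmentParameters": {}},
                ]),
            },
        },
    },
}

def parse_policies(alert):
    """Decode the policies array embedded as a JSON string in the alert context.
    Returns [] when the field is absent, not a string, or not a JSON array, so a
    malformed webhook body does not crash the handler."""
    raw = alert.get("data", {}).get("alertContext", {}).get("properties", {}).get("policies")
    if not isinstance(raw, str):
        return []
    try:
        policies = json.loads(raw)
    except json.JSONDecodeError:
        return []
    return [p for p in policies if isinstance(p, dict)] if isinstance(policies, list) else []

def filter_by_assignment(alert, assignment_name):
    """Keep only the policies of one assignment: the filter the alert rule itself cannot express."""
    wanted = assignment_name.lower()
    return [p for p in parse_policies(alert)
            if str(p.get("policyAssignmentName", "")).lower() == wanted]

def summarize(alert):
    """One line per policy, e.g. for a notification body."""
    return ["{}: {} ({})".format(p.get("policyAssignmentName"), p.get("policyDefinitionName"),
                                 p.get("policyDefinitionEffect")) for p in parse_policies(alert)]
```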

I hope this part of the series was educational for you!
