
Create Alert for Service Health Events

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that an Azure activity log alert is fired whenever a Service Health event is triggered within your Microsoft Azure cloud account. An activity log alert gets activated when a new event that matches the condition specified in the alert rule configuration occurs.

Security

Monitoring your Microsoft Azure account for Service Health events can give you insight into service issues, planned maintenance, security advisories, and other changes that may affect the Azure cloud services and regions in use.


Audit

To determine if there is an activity log alert created to detect all Service Health events within your Microsoft Azure cloud account, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Monitor blade available at https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/overview.

03 In the left navigation panel, choose Alerts, then select Alert rules from the console top menu to access the list of alert rules created with Azure Monitor.

04 On the Alert rules page, perform the following filtering operations:

  1. Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.
  2. From the Signal type : all filter box, select Service health and choose Apply to list the alert rules created for Service Health events.
  3. From the Status : all filter box, select Enabled and choose Apply to list the active alert rules created for the specified events.

05 If the filtering process does not return any alert rules and the following confirmation message is displayed: No alert rules found, there are no activity log alerts created for Service Health events within the selected Azure subscription. If the filtering process returns one or more alert rules, check the Condition column for the following condition: Service names=All, Event types=All. If there is no alert rule with the specified condition, there are no activity log alerts created to detect all Service Health events within the selected Azure subscription.

06 Repeat steps no. 4 and 5 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list \
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set \
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run monitor activity-log alert list command (Windows/macOS/Linux) with custom output filters to get the identifiers (IDs) of all the active activity log alert rules available in the selected Azure subscription:

az monitor activity-log alert list \
	--query '[?(enabled==`true`)].id'

05 The command output should return the requested alert rule IDs:

[
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/microsoft.insights/activitylogalerts/Create Update NSG Rule Alert",
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/microsoft.insights/activityLogAlerts/Delete Azure Resource Alert"
]

06 Run monitor activity-log alert show command (Windows/macOS/Linux) with the ID of the activity log alert rule that you want to examine as the identifier parameter and custom output filters to list the conditions defined for the selected alert rule:

az monitor activity-log alert show \
	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/microsoft.insights/activitylogalerts/Create Update NSG Rule Alert" \
	--query 'condition'

07 The command output should return the condition(s) configured for the selected alert rule:

{
	"allOf": [
		{
			"containsAny": null,
			"equals": "Administrative",
			"field": "category",
			"odata.type": null
		},
		{
			"containsAny": null,
			"equals": "Microsoft.Network/networkSecurityGroups/securityRules/write",
			"field": "operationName",
			"odata.type": null
		}
	],
	"odata.type": null
}

Check the monitor activity-log alert show command output for the object with the "field" property set to "category" and the "equals" property set to "ServiceHealth", i.e., {"equals": "ServiceHealth", "field": "category"}. If no such object is returned, the selected activity log alert rule is not configured to detect Service Health events in the selected Azure subscription. If the object is present, also confirm that it is the only entry in the "allOf" array: any additional condition (for example on "properties.incidentType" or "properties.impactedServices[*].ServiceName") restricts the rule to a subset of Service Health events, so a rule that carries one does not detect all Service Health events. This is the CLI equivalent of the Service names=All, Event types=All condition checked in the Azure console.

08 Repeat steps no. 6 and 7 for each activity log alert rule available in the selected subscription. If none of the rules contains the right condition (i.e., {"equals": "ServiceHealth", "field": "category"}) without additional narrowing conditions, there are no activity log alerts created to detect all Service Health events in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription available in your Microsoft Azure cloud account.
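A script-level version of the CLI audit above, added here as an example; it is not part of the original page and not Azure CLI code. It takes the JSON that az monitor activity-log alert list -o json prints for one subscription and applies the same test to every rule: category=ServiceHealth present, no narrowing conditions, rule enabled, scope equal to the whole subscription, and at least one action group attached (a rule that fires with nobody to notify is not a useful alert). The alert rules embedded in it are constructed sample data modelled on the output shown on this page; the field names used for the narrowing conditions (properties.impactedServices[*].ServiceName) follow the form Azure uses for Service Health conditions and are assumptions made for the sample, as are the rule names.

```python
"""Audit `az monitor activity-log alert list -o json` output for a rule covering ALL Service Health events."""
import json
import sys

# Constructed sample (not real output): what `az monitor activity-log alert list -o json`
# might return for one subscription. `az` emits null for the condition keys a leaf does not use.
SUBSCRIPTION_ID = "abcdabcd-1234-abcd-1234-abcdabcdabcd"
SUB_SCOPE = f"/subscriptions/{SUBSCRIPTION_ID}"
ACTION_GROUP = (SUB_SCOPE + "/resourcegroups/cloud-shell-storage-westeurope"
                "/providers/microsoft.insights/actiongroups/cc-project5-action-group")


def _rule(name, leaves, enabled=True, scopes=(SUB_SCOPE,), action_groups=(ACTION_GROUP,)):
    """Build one alert rule in the shape `az` returns (helper for the constructed sample only)."""
    return {
        "name": name,
        "enabled": enabled,
        "scopes": list(scopes),
        "condition": {"allOf": [{"containsAny": None, "odata.type": None, **leaf} for leaf in leaves]},
        "actions": {"actionGroups": [{"actionGroupId": ag, "webhookProperties": {}} for ag in action_groups]},
    }


SERVICE_HEALTH = {"field": "category", "equals": "ServiceHealth"}
SAMPLE_ALERTS = [  # hypothetical rule names; the first mirrors the page's NSG example
    _rule("Create Update NSG Rule Alert", [
        {"field": "category", "equals": "Administrative"},
        {"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/securityRules/write"}]),
    _rule("sql-only-service-health", [SERVICE_HEALTH,  # narrowed to one service: not "all events"
        {"field": "properties.impactedServices[*].ServiceName", "containsAny": ["SQL Database"]}]),
    _rule("service-health-no-actions", [SERVICE_HEALTH], action_groups=()),
    _rule("disabled-service-health", [SERVICE_HEALTH], enabled=False),
    _rule("cc-global-service-health-alert-rule", [SERVICE_HEALTH]),  # the rule the remediation creates
]


def _leaf_conditions(condition):
    """Flatten the rule's allOf array (and any nested anyOf groups) into leaf conditions."""
    leaves = []
    for item in (condition or {}).get("allOf") or []:
        leaves.extend(item.get("anyOf") or [item])
    return leaves


def evaluate_rule(rule, subscription_id):
    """Reasons why `rule` does NOT alert on every Service Health event of `subscription_id`.

    An empty list means the rule satisfies the check."""
    leaves = _leaf_conditions(rule.get("condition"))
    if not any(c.get("field") == "category" and c.get("equals") == "ServiceHealth" for c in leaves):
        return ["not a Service Health rule"]
    reasons = []
    # Any extra condition (incident type, service, region, ...) limits the rule to a subset of events.
    narrowing = sorted({c["field"] for c in leaves if c.get("field") and c["field"] != "category"})
    if narrowing:
        reasons.append("narrowed by condition(s) on: " + ", ".join(narrowing))
    if not rule.get("enabled"):
        reasons.append("rule is disabled")
    scopes = [s.lower() for s in rule.get("scopes") or []]
    if f"/subscriptions/{subscription_id}".lower() not in scopes:
        reasons.append("scope is not the whole subscription")
    if not (rule.get("actions") or {}).get("actionGroups"):
        reasons.append("no action group attached")
    return reasons


def audit_subscription(alerts, subscription_id):
    """Return (compliant, findings); compliant is True when at least one rule has no reasons."""
    findings = {a["name"]: evaluate_rule(a, subscription_id) for a in alerts}
    return any(not r for r in findings.values()), findings


if __name__ == "__main__":
    # Real use: az monitor activity-log alert list -o json > alerts.json
    #           python3 audit_service_health.py alerts.json <subscription-id>
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as fh:
            alerts, sub = json.load(fh), sys.argv[2]
    else:
        alerts, sub = SAMPLE_ALERTS, SUBSCRIPTION_ID
    compliant, findings = audit_subscription(alerts, sub)
    for name, reasons in findings.items():
        print(f"{'PASS' if not reasons else 'FAIL'}  {name}: {'; '.join(reasons) or 'alerts on all Service Health events'}")
    print("subscription compliant" if compliant else "subscription NOT compliant: create a global Service Health rule")
```

Run it without arguments to see the verdicts for the sample rules, or with the saved az output and a subscription ID after step 03; repeat per subscription as step 09 requires. Only the last sample rule passes: the SQL-only rule fails because its extra condition narrows it, the disabled and action-group-less rules fail for the reasons the audit text describes.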

Remediation / Resolution

To create an activity log alert rule for all your Service Health events, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Monitor blade available at https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/overview.

03 In the left navigation panel, choose Alerts, and select Alert rules.

04 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

05 Choose Create and perform the following actions to create an activity log alert rule for all Service Health events:

  1. For Scope, choose Select scope, select the Azure subscription that you want to use, and choose Apply. Choose Next: Condition > to continue the setup.
  2. For Condition, choose See all signals under Signal name, select Service health, and choose Apply. Ensure that all items are selected for Services, Regions, and Event types. Choose Next: Actions > to continue the setup process.
  3. For Actions, choose Select action groups to select an existing action group to attach to the new alert rule or choose Create action group and follow the setup wizard to create a new one. An action group is a collection of alert notification preferences defined for the selected Azure subscription. Azure Monitor alerts use action groups to notify users that an alert has been triggered. Choose Next: Details > to continue the setup.
  4. For Details, choose the resource group in which to save the alert rule, and provide a name and a short description for the new rule. Choose Next: Tags > to continue.
  5. For Tags, use the Name and Value fields to create tags that will help organize the identity of the rule. Choose Review + create to validate the rule setup.
  6. For Review + create, review the resource configuration details, then choose Create to create your new activity log alert rule.

06 Repeat steps no. 4 and 5 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list \
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set \
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run monitor activity-log alert create command (Windows/macOS/Linux) to create a new activity log alert rule that fires whenever a Service Health event is triggered within the selected Azure subscription:

az monitor activity-log alert create \
	--name cc-global-service-health-alert-rule \
	--description "Alert triggered by Service Health events" \
	--resource-group cloud-shell-storage-westeurope \
	--scope "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd" \
	--action-group "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourcegroups/cloud-shell-storage-westeurope/providers/microsoft.insights/actiongroups/cc-project5-action-group" \
	--condition category=ServiceHealth

05 The command output should return the configuration metadata for the new activity log alert:

{
	"actions": {
		"actionGroups": [
			{
				"actionGroupId": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourcegroups/cloud-shell-storage-westeurope/providers/microsoft.insights/actiongroups/cc-project5-action-group",
				"webhookProperties": {}
			}
		]
	},
	"condition": {
		"allOf": [
			{
				"equals": "ServiceHealth",
				"field": "category"
			}
		]
	},
	"description": "Alert triggered by Service Health events",
	"enabled": true,
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Insights/activityLogAlerts/cc-global-service-health-alert-rule",
	"location": "Global",
	"name": "cc-global-service-health-alert-rule",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"scopes": [
		"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd"
	],
	"type": "Microsoft.Insights/ActivityLogAlerts"
}

06 Repeat steps no. 4 and 5 for each subscription created in your Microsoft Azure cloud account.


Publication date May 7, 2025