Override alert thresholds
The Alert Threshold Override feature, introduced in the 2024-09-05 release, enables both Greenfield and Brownfield customers to customize alert thresholds for specific resources during or after the deployment of AMBA-ALZ. This feature allows the use of a tag with a specific name and value to override the default alert threshold for designated resources. The new threshold value will apply exclusively to the tagged resources, replacing the global threshold specified in the parameter file.
This feature is applicable exclusively to metrics and log-search alerts, as Activity Log-based alerts do not utilize thresholds and therefore cannot benefit from this enhancement. To use this feature, customers must create a resource tag with a specific name and assign it a desired value. After deploying this release, tags can be created either before or after the remediation task execution. However, the feature’s behavior varies between Metric and Log-search alerts.
If tags are configured before the remediation tasks execution, metric alerts will be created with the specified thresholds for the tagged resources, ensuring that each resource type has the appropriate alert thresholds applied.
If the tags are configured after the remediation tasks have completed, the resource will be marked as non-compliant due to the tag being part of the compliance criteria. Customers will need to remediate the corresponding policy initiative(s) as documented in Remediate Policies to reconfigure existing alerts with the new threshold.
Considering the nature of log-search alerts, where resource information is retrieved at query runtime, it does not matter if the tags are configured before or after the remediation task execution. The log-search alert query is created with a placeholder containing the threshold specified in the parameter file and includes logic to check for the resource-specific override tag. This is made possible by the ability to correlate data in Azure Data Explorer and Azure Resource Graph with data in a Log Analytics workspace. If the specific override tag is present, the query will use the tag value as the new threshold; otherwise, it will use the default threshold from the parameter file.
For a comprehensive list of resource type friendly names, resource provider namespaces, and recommended abbreviations, refer to Abbreviation recommendations for Azure resources.
To ensure proper functionality, this feature requires specific tag names. Flexibility in tag naming is not supported in this case. The tag names must adhere to the following naming convention:
***_amba-<metricName/counterName>-threshold-Override_***
In scenarios where the same metric is used multiple times for the same resource, a differentiator value is implemented immediately after the metric name. This ensures the naming convention follows the format:
***_amba-<metricName/counterName>-<differentiator>-threshold-Override_***
The following table provides a mapping between alert names and the corresponding tag values that need to be created:
| Resource Type | Alert Name | Alert Type | Override Tag name |
|---|---|---|---|
| Machine - Azure Arc | subscription().displayName-HybridVMHighDataDiskReadLatencyAlert | Log search | _amba-ReadLatencyMs-Data-threshold-Override_ |
| Machine - Azure Arc | subscription().displayName-HybridVMLowDataDiskSpaceAlert | Log search | _amba-FreeSpacePercentage-Data-threshold-Override_ |
| Machine - Azure Arc | subscription().displayName-HybridVMHighDataDiskWriteLatencyAlert | Log search | _amba-WriteLatencyMs-Data-threshold-Override_ |
| Machine - Azure Arc | subscription().displayName-HybridVMDisconnectedAlert | Log search | _amba-Disconnected-threshold-Override_ |
| Machine - Azure Arc | subscription().displayName-HybridVMHeartBeatAlert | Log search | _amba-Heartbeat-threshold-Override_ |
| Machine - Azure Arc | subscription().displayName-HybridVMHighNetworkInAlert | Log search | _amba-ReadBytesPerSecond-threshold-Override_ |
| Machine - Azure Arc | subscription().displayName-HybridVMHighNetworkOutAlert | Log search | _amba-WriteBytesPerSecond-threshold-Override_ |
| Machine - Azure Arc | subscription().displayName-HybridVMHighOSDiskReadLatencyAlert | Log search | _amba-ReadLatencyMs-OS-threshold-Override_ |
| Machine - Azure Arc | subscription().displayName-HybridVMLowOSDiskSpaceAlert | Log search | _amba-FreeSpacePercentage-OS-threshold-Override_ |
| Machine - Azure Arc | subscription().displayName-HybridVMHighOSDiskWriteLatencyAlert | Log search | _amba-WriteLatencyMs-OS-threshold-Override_ |
| Machine - Azure Arc | subscription().displayName-HybridVMHighCPUAlert | Log search | _amba-UtilizationPercentage-threshold-Override_ |
| Machine - Azure Arc | subscription().displayName-HybridVMLowMemoryAlert | Log search | _amba-AvailableMemoryPercentage-threshold-Override_ |
| Virtual machine | subscription().displayName-VMHighDataDiskReadLatencyAlert | Log search | _amba-ReadLatencyMs-Data-threshold-Override_ |
| Virtual machine | subscription().displayName-VMLowDataDiskSpaceAlert | Log search | _amba-FreeSpacePercentage-Data-threshold-Override_ |
| Virtual machine | subscription().displayName-VMHighDataDiskWriteLatencyAlert | Log search | _amba-WriteLatencyMs-Data-threshold-Override_ |
| Virtual machine | subscription().displayName-VMHeartBeatAlert | Log search | _amba-Heartbeat-threshold-Override_ |
| Virtual machine | subscription().displayName-VMHighNetworkInAlert | Log search | _amba-ReadBytesPerSecond-threshold-Override_ |
| Virtual machine | subscription().displayName-VMHighNetworkOutAlert | Log search | _amba-WriteBytesPerSecond-threshold-Override_ |
| Virtual machine | subscription().displayName-VMHighOSDiskReadLatencyAlert | Log search | _amba-ReadLatencyMs-OS-threshold-Override_ |
| Virtual machine | subscription().displayName-VMLowOSDiskSpaceAlert | Log search | _amba-FreeSpacePercentage-OS-threshold-Override_ |
| Virtual machine | subscription().displayName-VMHighOSDiskWriteLatencyAlert | Log search | _amba-WriteLatencyMs-OS-threshold-Override_ |
| Virtual machine | subscription().displayName-VMHighCPUAlert | Log search | _amba-UtilizationPercentage-threshold-Override_ |
| Virtual machine | subscription().displayName-VMLowMemoryAlert | Log search | _amba-AvailableMemoryPercentage-threshold-Override_ |
| Log Analytics workspace | resourceName-DailyCapLimitReachedAlert | Log search | Not available as threshold will always be 0 |
| Application Insights | resourceName-ApplicationInsightsThrottlingLimitReachedAlert | Log search | _amba-Throttling-threshold-override_ |
| Resource Type | Alert Name | Alert Type | Override Tag name |
|---|---|---|---|
| Virtual machine | resourceName-AvailableMemoryAlert | Metrics | _amba-AvailableMemoryBytes-threshold-Override_ |
| Automation Account | resourceName-TotalJob | Metrics | _amba-TotalJob-threshold-Override_ |
| Front Door and CDN as | resourceName-OriginHealthPercentage | Metrics | _amba-OriginHealthPercentage-threshold-Override_ |
| Front Door and CDN as | resourceName-OriginLatencyAlert | Metrics | Not available since it uses dynamic thresholds |
| Front Door and CDN as | resourceName-Percentage4XXAlert | Metrics | Not available since it uses dynamic thresholds |
| Front Door and CDN as | resourceName-Percentage5XXAlert | Metrics | Not available since it uses dynamic thresholds |
| Key vault | ActivityKeyVaultDelete | Activity Log | Not available since Activity Log based alerts do not have thresholds |
| Key vault | resourceName-Availability | Metrics | _amba-Availability-threshold-Override_ |
| Key vault | resourceName-CapacityAlert | Metrics | _amba-SaturationShoebox-threshold-Override_ |
| Key vault | resourceName-LatencyAlert | Metrics | _amba-ServiceApiLatency-threshold-Override_ |
| Key vault | resourceName-RequestsAlert | Metrics | Not available since it uses dynamic thresholds |
| Azure Key Vault Managed HSM | ActivityManagedHSMDelete | Activity Log | Not available since Activity Log based alerts do not have thresholds |
| Azure Key Vault Managed HSM | resourceName-Availability | Metrics | _amba-Availability-threshold-Override_ |
| Azure Key Vault Managed HSM | resourceName-LatencyAlert | Metrics | _amba-ServiceApiLatency-threshold-Override_ |
| Application gateway | resourceName-agApplicationGatewayTotalTime | Metrics | Not available since it uses dynamic thresholds |
| Application gateway | resourceName-agBackendLastByteResponseTime | Metrics | Not available since it uses dynamic thresholds |
| Application gateway | resourceName-agCapacityUnits | Metrics | _amba-CapacityUnits-threshold-Override_ |
| Application gateway | resourceName-agComputeUnits | Metrics | _amba-ComputeUnits-threshold-Override_ |
| Application gateway | resourceName-agCpuUtilization | Metrics | _amba-CpuUtilization-threshold-Override_ |
| Application gateway | resourceName-agFailedRequests | Metrics | Not available since it uses dynamic thresholds |
| Application gateway | resourceName-agResponseStatus | Metrics | Not available since it uses dynamic thresholds |
| Application gateway | resourceName-agUnhealthyHostCount | Metrics | _amba-UnhealthyHostCount-threshold-Override_ |
| Firewall | ActivityAzureFirewallDelete | Activity Log | Not available since Activity Log based alerts do not have thresholds |
| Firewall | resourceName-FirewallHealth | Metrics | _amba-FirewallHealth-threshold-Override_ |
| Firewall | resourceName-SNATPortUtilization | Metrics | _amba-SNATPortUtilization-threshold-Override_ |
| ExpressRoute circuit | resourceName-ArpAvailability | Metrics | _amba-ArpAvailability-threshold-Override_ |
| ExpressRoute circuit | resourceName-BgpAvailability | Metrics | _amba-BgpAvailability-threshold-Override_ |
| ExpressRoute circuit | resourceName-QosDropBitsInPerSecond | Metrics | Not available since it uses dynamic thresholds |
| ExpressRoute circuit | resourceName-QosDropBitsOutPerSecond | Metrics | Not available since it uses dynamic thresholds |
| ExpressRoute gateway | resourceName-GatewayERBitsInAlert | Metrics | _amba-ERGatewayConnectionBitsInPerSecond-threshold-Override_ |
| ExpressRoute gateway | resourceName-GatewayERBitsOutAlert | Metrics | _amba-ERGatewayConnectionBitsOutPerSecond-threshold-Override_ |
| ExpressRoute gateway | resourceName-GatewayERCPUAlert | Metrics | _amba-ExpressRouteGatewayCpuUtilization-threshold-Override_ |
| ExpressRoute port | resourceName-DirectERBitsInAlert | Metrics | _amba-PortBitsInPerSecond-threshold-Override_ |
| ExpressRoute port | resourceName-DirectERBitsOutAlert | Metrics | _amba-PortBitsOutPerSecond-threshold-Override_ |
| ExpressRoute port | resourceName-DirectERLineProtocolAlert | Metrics | _amba-LineProtocol-threshold-Override_ |
| ExpressRoute port | resourceName-DirectERRxLightLevelHighAlert | Metrics | _amba-RxLightLevel-High-threshold-Override_ |
| ExpressRoute port | resourceName-DirectERRxLightLevelLowAlert | Metrics | _amba-RxLightLevel-Low-threshold-Override_ |
| ExpressRoute port | resourceName-DirectERTxLightLevelHighAlert | Metrics | _amba-TxLightLevel-High-threshold-Override_ |
| ExpressRoute port | resourceName-DirectERTxLightLevelLowAlert | Metrics | _amba-TxLightLevel-Low-threshold-Override_ |
| Front Door | resourceName-BackendHealthPercentage | Metrics | _amba-BackendHealthPercentage-threshold-Override_ |
| Front Door | resourceName-BackendRequestLatencyAlert | Metrics | Not available since it uses dynamic thresholds |
| Load balancer | resourceName-ALBDataPathAvailability | Metrics | _amba-VipAvailability-threshold-Override_ |
| Load balancer | resourceName-ALBGlobalBackendAvailability | Metrics | _amba-GlobalBackendAvailability-threshold-Override_ |
| Load balancer | resourceName-ALBHealthProbeStatus | Metrics | _amba-DipAvailability-threshold-Override_ |
| Load balancer | resourceName-ALBUsedSNATPorts | Metrics | _amba-UsedSNATPorts-threshold-Override_ |
| Network security group | ActivityNSGDelete | Activity Log | Not available since Activity Log based alerts do not have thresholds |
| Private DNS zone | resourceName-CapacityUtilizationAlert | Metrics | _amba-VirtualNetworkLinkCapacityUtilization-threshold-Override_ |
| Private DNS zone | resourceName-QueryVolumeAlert | Metrics | _amba-QueryVolume-threshold-Override_ |
| Private DNS zone | resourceName-RecordSet_Capacity_Utilization | Metrics | _amba-RecordSetCapacityUtilization-threshold-Override_ |
| Private DNS zone | resourceName-RequestsAlert | Metrics | _amba-VirtualNetworkWithRegistrationCapacityUtilization-threshold-Override_ |
| Public IP address | resourceName-BytesInDDOSAlert | Metrics | _amba-bytesinddos-threshold-Override_ |
| Public IP address | resourceName-DDOS_Attack | Metrics | _amba-ifunderddosattack-threshold-Override_ |
| Public IP address | resourceName-PacketsInDDosAlert | Metrics | _amba-PacketsInDDoS-threshold-Override_ |
| Public IP address | resourceName-VIPAvailabityAlert | Metrics | _amba-VipAvailability-threshold-Override_ |
| Route table | ActivityUDRUpdate | Activity Log | Not available since Activity Log based alerts do not have thresholds |
| Traffic Manager as | resourceName-EndpointHealthAlert | Metrics | _amba-EndpointHealth-threshold-Override_ |
| Virtual network gateway | resourceName-TunnelBandwidthAlert | Metrics | _amba-TunnelAverageBandwidth-threshold-Override_ |
| Virtual network gateway | resourceName-TunnelEgressAlert | Metrics | _amba-TunnelEgressBytes-threshold-Override_ |
| Virtual network gateway | resourceName-TunnelEgressPacketDropCountAlert | Metrics | Not available since it uses dynamic thresholds |
| Virtual network gateway | resourceName-TunnelEgressPacketDropTSMismatchAlert | Metrics | Not available since it uses dynamic thresholds |
| Virtual network gateway | resourceName-GatewayERBitsAlert | Metrics | _amba-ExpressRouteGatewayBitsPerSecond-threshold-Override_ |
| Virtual network gateway | resourceName-GatewayERCPUAlert | Metrics | _amba-ExpressRouteGatewayCpuUtilization-threshold-Override_ |
| Virtual network gateway | resourceName-TunnelIngressAlert | Metrics | _amba-TunnelIngressBytes-threshold-Override_ |
| Virtual network gateway | resourceName-TunnelIngressPacketDropCountAlert | Metrics | Not available since it uses dynamic thresholds |
| Virtual network gateway | resourceName-TunnelIngressPacketDropTSMismatchAlert | Metrics | Not available since it uses dynamic thresholds |
| Virtual network | resourceName-DDOSAttackAlert | Metrics | _amba-ifunderddosattack-threshold-Override_ |
| VPN Gateway | ActivityVPNGatewayDelete | Activity Log | Not available since Activity Log based alerts do not have thresholds |
| VPN Gateway | resourceName-GatewayBandwidthAlert | Metrics | _amba-tunnelaveragebandwidth-threshold-Override_ |
| VPN Gateway | resourceName-BGPPeerStatusAlert | Metrics | _amba-bgppeerstatus-threshold-Override_ |
| VPN Gateway | resourceName-TunnelEgressAlert | Metrics | _amba-tunnelegressbytes-threshold-Override_ |
| VPN Gateway | resourceName-TunnelEgressPacketDropCountAlert | Metrics | Not available since it uses dynamic thresholds |
| VPN Gateway | resourceName-TunnelEgressPacketDropTSMismatchAlert | Metrics | Not available since it uses dynamic thresholds |
| VPN Gateway | resourceName-TunnelIngressAlert | Metrics | _amba-tunnelingressbytes-threshold-Override_ |
| VPN Gateway | resourceName-TunnelIngressPacketDropCount | Metrics | Not available since it uses dynamic thresholds |
| VPN Gateway | resourceName-TunnelIngressPacketDropTSMismatchAlert | Metrics | Not available since it uses dynamic thresholds |
| Log Analytics workspace | ActivityLAWorkspaceDelete | Activity Log | Not available since Activity Log based alerts do not have thresholds |
| Log Analytics workspace | ActivityLAWorkspaceRegenKey | Activity Log | Not available since Activity Log based alerts do not have thresholds |
| Subscription | ResourceHealthUnhealthyAlert | Resource health | Not available since Activity Log based alerts do not have thresholds |
| Subscription | ServiceHealthHealth | Service health | Not available since Activity Log based alerts do not have thresholds |
| Subscription | ServiceHealthIncident | Service health | Not available since Activity Log based alerts do not have thresholds |
| Subscription | ServiceHealthMaintenance | Service health | Not available since Activity Log based alerts do not have thresholds |
| Subscription | ServiceSecurityIncident | Service health | Not available since Activity Log based alerts do not have thresholds |
| Storage account | ActivitySADelete | Activity Log | Not available since Activity Log based alerts do not have thresholds |
| Storage account | resourceName-AvailabilityAlert | Metrics | _amba-Availability-threshold-Override_ |
| App Service plan | resourceName-CpuPercentage | Metrics | _amba-CpuPercentage-threshold-Override_ |
| App Service plan | resourceName-DiskQueueLengthAlert | Metrics | Not available since it uses dynamic thresholds |
| App Service plan | resourceName-HttpQueueLengthAlert | Metrics | Not available since it uses dynamic thresholds |
| App Service plan | resourceName-MemoryPercentage | Metrics | _amba-MemoryPercentage-threshold-Override_ |
| Application Insights | ActivityAppInsightsDelete | Activity Log | Not available since Activity Log based alerts do not have thresholds |