Azure Monitor Baseline Alerts
Download AlertsGlossaryGitHubGitHub IssuesToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

subscriptions

NameTypeDescription
Resource Health UnhealthyActivityLogResource Health Unhealthy Alert
Service Health AdvisoryActivityLogService Health Advisory Alert
Service Health IncidentActivityLogService Health Incident Alert
Service Health MaintenanceActivityLogService Health Maintenance Alert
Service Health SecurityActivityLogService Health Security Alert

Dashboards:

Click a tab to view the dashboard template

{
  "__inputs": [],
  "__elements": {},
  "__requires": [
    {
      "type": "panel",
      "id": "bargauge",
      "name": "Bar gauge",
      "version": ""
    },
    {
      "type": "grafana",
      "id": "grafana",
      "name": "Grafana",
      "version": "9.5.12"
    },
    {
      "type": "datasource",
      "id": "grafana-azure-monitor-datasource",
      "name": "Azure Monitor",
      "version": "1.0.0"
    }
  ],
  "title": "Subscriptions",
  "editable": true,
  "links": [],
  "liveNow": false,
  "panels": [
  
  ],
  "refresh": "",
  "schemaVersion": 38,
  "style": "dark",
  "tags": [],
  "templating": {
    "list": [
      {
        "current": {},
        "hide": 0,
        "includeAll": false,
        "label": "Datasource",
        "multi": false,
        "name": "ds",
        "options": [],
        "query": "grafana-azure-monitor-datasource",
        "queryValue": "",
        "refresh": 1,
        "regex": "",
        "skipUrlSync": false,
        "type": "datasource"
      },
      {
        "current": {},
        "datasource": {
          "type": "grafana-azure-monitor-datasource",
          "uid": "${ds}"
        },
        "definition": "",
        "hide": 0,
        "includeAll": false,
        "label": "Subscription",
        "multi": false,
        "name": "sub",
        "options": [],
        "query": {
          "azureLogAnalytics": {
            "query": "",
            "resources": []
          },
          "queryType": "Azure Subscriptions",
          "refId": "A"
        },
        "refresh": 1,
        "regex": "",
        "skipUrlSync": false,
        "sort": 0,
        "type": "query"
      }
    ]
  },
  "time": {
    "from": "now-6h",
    "to": "now"
  },
  "timepicker": {},
  "timezone": "",
  "version": null
}



Resource Health Unhealthy - ActivityLog Alert

Resource Health Unhealthy Alert

Properties:

categoryResourceHealth
causes
[
  "PlatoformInitiated",
  "UserInitiated"
]
currentHealthStatus
[
  "Degraded",
  "Unavailable"
]

References:

Templates:

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "alertName": {
      "type": "string",
      "metadata": {
        "description": "Unique name (within the Resource Group) for the Activity log alert."
      }
    },
    "alertDescription": {
      "type": "string",
      "defaultValue": "Resource Health Unhealthy Alert",
      "metadata": {
        "description": "Description of alert"
      }
    },
    "isEnabled": {
      "type": "bool",
      "defaultValue": true,
      "metadata": {
        "description": "Indicates whether or not the alert is enabled."
      }
    },
    "currentDateTimeUtcNow": {
      "type": "string",
      "defaultValue": "[utcNow()]",
      "metadata": {
          "description": "The current date and time using the utcNow function. Used for deployment name uniqueness"
      }
    },
    "telemetryOptOut": {
      "type": "string",
      "defaultValue": "No",
      "allowedValues": [
          "Yes",
          "No"
      ],
      "metadata": {
          "description": "The customer usage identifier used for telemetry purposes. The default value of False enables telemetry. The value of True disables telemetry."
      }
    }
  },
  "variables": {
    "pidDeploymentName": "[take(concat('pid-8bb7cf8a-bcf7-4264-abcb-703ace2fc84d-', uniqueString(resourceGroup().id, parameters('alertName'), parameters('currentDateTimeUtcNow'))), 64)]"
  },
  "resources": [
    {
      "type": "Microsoft.Insights/activityLogAlerts",
      "apiVersion": "2017-04-01",
      "name": "[parameters('alertName')]",
      "location": "Global",
      "tags": {
        "_deployed_by_amba": true
      },
      "properties": {
        "description": "[parameters('alertDescription')]",
        "scopes": [
            "[subscription().id]"
        ],
        "enabled": "[parameters('isEnabled')]",
        "condition": {
          "allOf": [
            {
              "field": "category",
              "equals": "ResourceHealth"
            },
            {
              "anyOf": [
                {
                  "field": "properties.cause",
                  "equals": "PlatoformInitiated"
                },
                {
                  "field": "properties.cause",
                  "equals": "UserInitiated"
                }
              ]
            },
            {
              "anyOf": [
                {
                  "field": "properties.currentHealthStatus",
                  "equals": "Degraded"
                },
                {
                  "field": "properties.currentHealthStatus",
                  "equals": "Unavailable"
                }
              ]
            }
          ]
        }
      }
    },
    {
      "condition": "[equals(parameters('telemetryOptOut'), 'No')]",
      "apiVersion": "2023-07-01",
      "name": "[variables('pidDeploymentName')]",
      "type": "Microsoft.Resources/deployments",
      "properties": {
          "mode": "Incremental",
          "template": {
              "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
              "contentVersion": "1.0.0.0",
              "resources": []
          }
      }
    }
  ]
}
@description('Unique name (within the Resource Group) for the Activity log alert.')
@minLength(1)
param alertName string

@description('Description of alert')
param alertDescription string = 'Resource Health Unhealthy Alert'

@description('Indicates whether or not the alert is enabled.')
param isEnabled bool = true

@description('"The current date and time using the utcNow function. Used for deployment name uniqueness')
param currentDateTimeUtcNow string = utcNow()

@description('The customer usage identifier used for telemetry purposes. The default value of False enables telemetry. The value of True disables telemetry.')
@allowed([
  'Yes'
  'No'
])
param telemetryOptOut string = 'No'

resource symbolicname 'Microsoft.Insights/activityLogAlerts@2023-01-01-preview' = {
  name: alertName
  location: 'Global'
  tags: {
    _deployed_by_amba: 'true'
  }
  properties: {
    description: alertDescription
    scopes: [
      subscription().id
    ]
    enabled: isEnabled
    condition: {
      allOf: [
        {
          field: 'category'
          equals: 'ResourceHealth'
        }
        {
          anyOf: [
            {
              field: 'properties.cause'
              equals: 'PlatoformInitiated'
            }
            {
              field: 'properties.cause'
              equals: 'UserInitiated'
            }
          ]
        }
        {
          anyOf: [
            {
              field: 'properties.currentHealthStatus'
              equals: 'Degraded'
            }
            {
              field: 'properties.currentHealthStatus'
              equals: 'Unavailable'
            }
          ]
        }
      ]
    }
  }
}

var ambaTelemetryPidName = 'pid-8bb7cf8a-bcf7-4264-abcb-703ace2fc84d-${uniqueString(resourceGroup().id, alertName, currentDateTimeUtcNow)}'
resource ambaTelemetryPid 'Microsoft.Resources/deployments@2023-07-01' =  if (telemetryOptOut == 'No') {
  name: ambaTelemetryPidName
  tags: {
    _deployed_by_amba: 'true'
  }
  properties: {
    mode: 'Incremental'
    template: {
      '$schema': 'https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#'
      contentVersion: '1.0.0.0'
      resources: []
    }
  }
}
{
  "type": "Microsoft.Authorization/policyDefinitions",
  "apiVersion": "2021-06-01",
  "name": "Deploy_activitylog_ResourceHealth_Unhealthy_Alert",
  "properties": {
    "policyType": "Custom",
    "mode": "All",
    "displayName": "Deploy Resource Health Unhealthy Alert",
    "description": "Policy to Deploy Resource Health Unhealthy Alert",
    "metadata": {
      "version": "1.1.0",
      "category": "Monitoring",
      "source": "https://github.com/Azure/azure-monitor-baseline-alerts/",
      "alzCloudEnvironments": [
        "AzureCloud"
      ],
      "_deployed_by_amba": "True"
    },
    "parameters": {
      "enabled": {
        "type": "String",
        "metadata": {
          "displayName": "Alert State",
          "description": "Alert state for the alert"
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "true"
      },
      "alertResourceGroupName": {
        "type": "String",
        "metadata": {
          "displayName": "Resource Group Name",
          "description": "Resource group the alert is placed in"
        },
        "defaultValue": "rg-amba-monitoring-001"
      },
      "alertResourceGroupTags": {
        "type": "Object",
        "metadata": {
          "displayName": "Resource Group Tags",
          "description": "Tags on the Resource group the alert is placed in"
        },
        "defaultValue": {
          "_deployed_by_amba": true
        }
      },
      "alertResourceGroupLocation": {
        "type": "String",
        "metadata": {
          "displayName": "Resource Group Location",
          "description": "Location of the Resource group the alert is placed in"
        },
        "defaultValue": "centralus"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Effect of the policy"
        },
        "allowedValues": [
          "deployIfNotExists",
          "disabled"
        ],
        "defaultValue": "disabled"
      },
      "MonitorDisable": {
        "type": "String",
        "metadata": {
          "displayName": "Monitoring disabled",
          "description": "Tag name to disable monitoring. Set to true if monitoring should be disabled"
        },
        "defaultValue": "MonitorDisable"
      },
      "BYOActionGroup": {
        "type": "String",
        "metadata": {
          "displayName": "Customer defined Action Group Resource ID",
          "description": "The Resource ID of an existing Action Group already deployed by the customer in his environment"
        },
        "defaultValue": ""
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions"
          },
          {
            "field": "[[concat('tags[', parameters('MonitorDisable'), ']')]",
            "notEquals": "true"
          }
        ]
      },
      "then": {
        "effect": "[[parameters('effect')]",
        "details": {
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.Insights/activityLogAlerts",
          "existenceScope": "resourcegroup",
          "resourceGroupName": "[[parameters('alertResourceGroupName')]",
          "deploymentScope": "subscription",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/ActivityLogAlerts/enabled",
                "equals": "[[parameters('enabled')]"
              },
              {
                "anyOf": [
                  {
                    "allOf": [
                      {
                        "value": "[[empty(parameters('BYOActionGroup'))]",
                        "equals": true
                      },
                      {
                        "field": "Microsoft.Insights/ActivityLogAlerts/actions.actionGroups[*].actionGroupId",
                        "contains": "ag-AMBA-SH-"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "value": "[[empty(parameters('BYOActionGroup'))]",
                        "equals": false
                      },
                      {
                        "count": {
                          "field": "Microsoft.Insights/ActivityLogAlerts/actions.actionGroups[*]",
                          "where": {
                            "anyOf": [
                              {
                                "field": "Microsoft.Insights/ActivityLogAlerts/actions.actionGroups[*].actionGroupId",
                                "contains": "[[split(trim(parameters('BYOActionGroup')),',')[0]]"
                              }
                            ]
                          }
                        },
                        "equals": 1
                      }
                    ]
                  }
                ]
              },
              {
                "count": {
                  "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]",
                  "where": {
                    "anyOf": [
                      {
                        "allOf": [
                          {
                            "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
                            "equals": "category"
                          },
                          {
                            "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals",
                            "equals": "ResourceHealth"
                          }
                        ]
                      }
                    ]
                  }
                },
                "equals": 1
              }
            ]
          },
          "deployment": {
            "location": "northeurope",
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "alertResourceGroupName": {
                    "type": "string"
                  },
                  "alertResourceGroupTags": {
                    "type": "object"
                  },
                  "alertResourceGroupLocation": {
                    "type": "string"
                  },
                  "enabled": {
                    "type": "string"
                  },
                  "BYOActionGroup": {
                    "type": "String"
                  }
                },
                "variables": {
                  "varBYOActionGroups": "[[split(parameters('BYOActionGroup'), ',')]",
                  "copy": [
                    {
                      "name": "varActionGroupIds",
                      "count": "[[length(variables('varBYOActionGroups'))]",
                      "mode": "serial",
                      "input": {
                        "actionGroupId": "[[trim(variables('varBYOActionGroups')[copyIndex('varActionGroupIds')])]"
                      }
                    }
                  ]
                },
                "resources": [
                  {
                    "type": "Microsoft.Resources/resourceGroups",
                    "apiVersion": "2021-04-01",
                    "name": "[[parameters('alertResourceGroupName')]",
                    "location": "[[parameters('alertResourceGroupLocation')]",
                    "tags": "[[parameters('alertResourceGroupTags')]"
                  },
                  {
                    "type": "Microsoft.Resources/deployments",
                    "apiVersion": "2019-10-01",
                    "name": "ResourceHealtAlert",
                    "resourceGroup": "[[parameters('alertResourceGroupName')]",
                    "dependsOn": [
                      "[[resourceId('Microsoft.Resources/resourceGroups', parameters('alertResourceGroupName'))]"
                    ],
                    "properties": {
                      "mode": "Incremental",
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                          "enabled": {
                            "type": "string"
                          },
                          "alertResourceGroupName": {
                            "type": "string"
                          },
                          "BYOActionGroup": {
                            "type": "String"
                          }
                        },
                        "variables": {},
                        "resources": [
                          {
                            "condition": "[[empty(parameters('BYOActionGroup'))]",
                            "type": "microsoft.insights/activityLogAlerts",
                            "apiVersion": "2020-10-01",
                            "name": "ResourceHealthUnhealthyAlert",
                            "location": "global",
                            "tags": {
                              "_deployed_by_amba": true
                            },
                            "properties": {
                              "actions": {
                                "actionGroups": [
                                  {
                                    "actionGroupId": "[[concat(subscription().Id, '/resourceGroups/', parameters('alertResourceGroupName'), '/providers/microsoft.insights/actionGroups/', 'ag-AMBA-SH-', subscription().displayName, '-001')]",
                                    "webhookProperties": {}
                                  }
                                ]
                              },
                              "description": "Resource Health Unhealthy Alert",
                              "enabled": "[[parameters('enabled')]",
                              "scopes": [
                                "[[subscription().id]"
                              ],
                              "condition": {
                                "allOf": [
                                  {
                                    "field": "category",
                                    "equals": "ResourceHealth"
                                  },
                                  {
                                    "anyOf": [
                                      {
                                        "field": "properties.cause",
                                        "equals": "PlatformInitiated"
                                      },
                                      {
                                        "field": "properties.cause",
                                        "equals": "UserInitiated"
                                      }
                                    ]
                                  },
                                  {
                                    "anyOf": [
                                      {
                                        "field": "properties.currentHealthStatus",
                                        "equals": "Degraded"
                                      },
                                      {
                                        "field": "properties.currentHealthStatus",
                                        "equals": "Unavailable"
                                      }
                                    ]
                                  }
                                ]
                              },
                              "parameters": {
                                "enabled": {
                                  "value": "[[parameters('enabled')]"
                                }
                              }
                            }
                          },
                          {
                            "condition": "[[not(empty(parameters('BYOActionGroup')))]",
                            "type": "microsoft.insights/activityLogAlerts",
                            "apiVersion": "2020-10-01",
                            "name": "ResourceHealthUnhealthyAlert",
                            "location": "global",
                            "tags": {
                              "_deployed_by_amba": true
                            },
                            "properties": {
                              "actions": {
                                "actionGroups": "[[variables('varActionGroupIds')]"
                              },
                              "description": "Resource Health Unhealthy Alert",
                              "enabled": "[[parameters('enabled')]",
                              "scopes": [
                                "[[subscription().id]"
                              ],
                              "condition": {
                                "allOf": [
                                  {
                                    "field": "category",
                                    "equals": "ResourceHealth"
                                  },
                                  {
                                    "anyOf": [
                                      {
                                        "field": "properties.cause",
                                        "equals": "PlatformInitiated"
                                      },
                                      {
                                        "field": "properties.cause",
                                        "equals": "UserInitiated"
                                      }
                                    ]
                                  },
                                  {
                                    "anyOf": [
                                      {
                                        "field": "properties.currentHealthStatus",
                                        "equals": "Degraded"
                                      },
                                      {
                                        "field": "properties.currentHealthStatus",
                                        "equals": "Unavailable"
                                      }
                                    ]
                                  }
                                ]
                              },
                              "parameters": {
                                "enabled": {
                                  "value": "[[parameters('enabled')]"
                                }
                              }
                            }
                          }
                        ]
                      },
                      "parameters": {
                        "enabled": {
                          "value": "[[parameters('enabled')]"
                        },
                        "alertResourceGroupName": {
                          "value": "[[parameters('alertResourceGroupName')]"
                        },
                        "BYOActionGroup": {
                          "value": "[[parameters('BYOActionGroup')]"
                        }
                      }
                    }
                  }
                ]
              },
              "parameters": {
                "enabled": {
                  "value": "[[parameters('enabled')]"
                },
                "alertResourceGroupName": {
                  "value": "[[parameters('alertResourceGroupName')]"
                },
                "alertResourceGroupTags": {
                  "value": "[[parameters('alertResourceGroupTags')]"
                },
                "alertResourceGroupLocation": {
                  "value": "[[parameters('alertResourceGroupLocation')]"
                },
                "BYOActionGroup": {
                  "value": "[[parameters('BYOActionGroup')]"
                }
              }
            }
          }
        }
      }
    }
  }
}



Service Health Advisory - ActivityLog Alert

Service Health Advisory Alert

Properties:

categoryServiceHealth
incidentTypeActionRequired

References:

Templates:

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "alertName": {
      "type": "string",
      "metadata": {
        "description": "Unique name (within the Resource Group) for the Activity log alert."
      }
    },
    "alertDescription": {
      "type": "string",
      "defaultValue": "Service Health Advisory Alert",
      "metadata": {
        "description": "Description of alert"
      }
    },
    "isEnabled": {
      "type": "bool",
      "defaultValue": true,
      "metadata": {
        "description": "Indicates whether or not the alert is enabled."
      }
    },
    "currentDateTimeUtcNow": {
      "type": "string",
      "defaultValue": "[utcNow()]",
      "metadata": {
          "description": "The current date and time using the utcNow function. Used for deployment name uniqueness"
      }
    },
    "telemetryOptOut": {
      "type": "string",
      "defaultValue": "No",
      "allowedValues": [
          "Yes",
          "No"
      ],
      "metadata": {
          "description": "The customer usage identifier used for telemetry purposes. The default value of False enables telemetry. The value of True disables telemetry."
      }
    }
  },
  "variables": {
    "pidDeploymentName": "[take(concat('##TELEMETRY_PID-', uniqueString(resourceGroup().id, parameters('alertName'), parameters('currentDateTimeUtcNow'))), 64)]"
  },
  "resources": [
    {
      "type": "Microsoft.Insights/activityLogAlerts",
      "apiVersion": "2017-04-01",
      "name": "[parameters('alertName')]",
      "location": "Global",
      "tags": {
        "_deployed_by_amba": true
      },
      "properties": {
        "description": "[parameters('alertDescription')]",
        "scopes": [
            "[subscription().id]"
        ],
        "enabled": "[parameters('isEnabled')]",
        "condition": {
          "allOf": [
            {
              "field": "category",
              "equals": "ServiceHealth"
            },
            {
              "field": "properties.incidentType",
              "equals": "ActionRequired"
            }
          ]
        }
      }
    },
    {
      "condition": "[equals(parameters('telemetryOptOut'), 'No')]",
      "apiVersion": "2023-07-01",
      "name": "[variables('pidDeploymentName')]",
      "type": "Microsoft.Resources/deployments",
      "properties": {
          "mode": "Incremental",
          "template": {
              "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
              "contentVersion": "1.0.0.0",
              "resources": []
          }
      }
    }
  ]
}
@description('Unique name (within the Resource Group) for the Activity log alert.')
@minLength(1)
param alertName string

@description('Description of alert')
param alertDescription string = 'Service Health Advisory Alert'

@description('Indicates whether or not the alert is enabled.')
param isEnabled bool = true

@description('"The current date and time using the utcNow function. Used for deployment name uniqueness')
param currentDateTimeUtcNow string = utcNow()

@description('The customer usage identifier used for telemetry purposes. The default value of False enables telemetry. The value of True disables telemetry.')
@allowed([
  'Yes'
  'No'
])
param telemetryOptOut string = 'No'

resource symbolicname 'Microsoft.Insights/activityLogAlerts@2023-01-01-preview' = {
  name: alertName
  location: 'Global'
  tags: {
    _deployed_by_amba: 'true'
  }
  properties: {
    description: alertDescription
    scopes: [
      subscription().id
    ]
    enabled: isEnabled
    condition: {
      allOf: [
        {
          {
            field: 'category'
            equals: 'ServiceHealth'
          }
          {
            field: 'properties.incidentType'
            equals: 'ActionRequired'
          }
        }
      ]
    }
  }
}

var ambaTelemetryPidName = 'pid-8bb7cf8a-bcf7-4264-abcb-703ace2fc84d-${uniqueString(resourceGroup().id, alertName, currentDateTimeUtcNow)}'
resource ambaTelemetryPid 'Microsoft.Resources/deployments@2023-07-01' =  if (telemetryOptOut == 'No') {
  name: ambaTelemetryPidName
  tags: {
    _deployed_by_amba: 'true'
  }
  properties: {
    mode: 'Incremental'
    template: {
      '$schema': 'https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#'
      contentVersion: '1.0.0.0'
      resources: []
    }
  }
}
{
  "type": "Microsoft.Authorization/policyDefinitions",
  "apiVersion": "2021-06-01",
  "name": "Deploy_activitylog_ServiceHealth_HealthAdvisory",
  "properties": {
    "policyType": "Custom",
    "mode": "All",
    "displayName": "Deploy Service Health Advisory Alert",
    "description": "Policy to Deploy Service Health Advisory Alert",
    "metadata": {
      "version": "1.2.0",
      "category": "Monitoring",
      "source": "https://github.com/Azure/azure-monitor-baseline-alerts/",
      "alzCloudEnvironments": [
        "AzureCloud"
      ],
      "_deployed_by_amba": "True"
    },
    "parameters": {
      "enabled": {
        "type": "String",
        "metadata": {
          "displayName": "Alert State",
          "description": "Alert state for the alert"
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "true"
      },
      "alertResourceGroupName": {
        "type": "String",
        "metadata": {
          "displayName": "Resource Group Name",
          "description": "Resource group the alert is placed in"
        },
        "defaultValue": "rg-amba-monitoring-001"
      },
      "alertResourceGroupTags": {
        "type": "Object",
        "metadata": {
          "displayName": "Resource Group Tags",
          "description": "Tags on the Resource group the alert is placed in"
        },
        "defaultValue": {
          "_deployed_by_amba": true
        }
      },
      "alertResourceGroupLocation": {
        "type": "String",
        "metadata": {
          "displayName": "Resource Group Location",
          "description": "Location of the Resource group the alert is placed in"
        },
        "defaultValue": "centralus"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Effect of the policy"
        },
        "allowedValues": [
          "deployIfNotExists",
          "disabled"
        ],
        "defaultValue": "disabled"
      },
      "MonitorDisable": {
        "type": "String",
        "metadata": {
          "displayName": "Monitoring disabled",
          "description": "Tag name to disable monitoring. Set to true if monitoring should be disabled"
        },
        "defaultValue": "MonitorDisable"
      },
      "ALZMonitorActionGroupEmail": {
        "type": "String",
        "metadata": {
          "displayName": "Action Group Email Addresses",
          "description": "Email addresses to send alerts to"
        },
        "defaultValue": ""
      },
      "BYOActionGroup": {
        "type": "String",
        "metadata": {
          "displayName": "Customer defined Action Group Resource ID",
          "description": "The Resource ID of an existing Action Group already deployed by the customer in his environment"
        },
        "defaultValue": ""
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions"
          },
          {
            "field": "[[concat('tags[', parameters('MonitorDisable'), ']')]",
            "notEquals": "true"
          }
        ]
      },
      "then": {
        "effect": "[[parameters('effect')]",
        "details": {
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.Insights/activityLogAlerts",
          "existenceScope": "resourceGroup",
          "resourceGroupName": "[[parameters('alertResourceGroupName')]",
          "deploymentScope": "subscription",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/ActivityLogAlerts/enabled",
                "equals": "[[parameters('enabled')]"
              },
              {
                "anyOf": [
                  {
                    "allOf": [
                      {
                        "value": "[[empty(parameters('BYOActionGroup'))]",
                        "equals": true
                      },
                      {
                        "field": "Microsoft.Insights/ActivityLogAlerts/actions.actionGroups[*].actionGroupId",
                        "contains": "ag-AMBA-SH-"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "value": "[[empty(parameters('BYOActionGroup'))]",
                        "equals": false
                      },
                      {
                        "count": {
                          "field": "Microsoft.Insights/ActivityLogAlerts/actions.actionGroups[*]",
                          "where": {
                            "anyOf": [
                              {
                                "field": "Microsoft.Insights/ActivityLogAlerts/actions.actionGroups[*].actionGroupId",
                                "contains": "[[split(trim(parameters('BYOActionGroup')),',')[0]]"
                              }
                            ]
                          }
                        },
                        "equals": 1
                      }
                    ]
                  }
                ]
              },
              {
                "count": {
                  "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]",
                  "where": {
                    "anyOf": [
                      {
                        "allOf": [
                          {
                            "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
                            "equals": "category"
                          },
                          {
                            "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals",
                            "equals": "ServiceHealth"
                          }
                        ]
                      },
                      {
                        "allOf": [
                          {
                            "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
                            "equals": "properties.incidentType"
                          },
                          {
                            "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals",
                            "equals": "ActionRequired"
                          }
                        ]
                      }
                    ]
                  }
                },
                "equals": 2
              }
            ]
          },
          "deployment": {
            "location": "northeurope",
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "alertResourceGroupName": {
                    "type": "string"
                  },
                  "alertResourceGroupTags": {
                    "type": "object"
                  },
                  "alertResourceGroupLocation": {
                    "type": "string"
                  },
                  "enabled": {
                    "type": "string"
                  },
                  "ALZMonitorActionGroupEmail": {
                    "type": "string"
                  },
                  "BYOActionGroup": {
                    "type": "String"
                  }
                },
                "variables": {
                  "varBYOActionGroups": "[[split(parameters('BYOActionGroup'), ',')]",
                  "copy": [
                    {
                      "name": "varActionGroupIds",
                      "count": "[[length(variables('varBYOActionGroups'))]",
                      "mode": "serial",
                      "input": {
                        "actionGroupId": "[[trim(variables('varBYOActionGroups')[copyIndex('varActionGroupIds')])]"
                      }
                    }
                  ]
                },
                "resources": [
                  {
                    "type": "Microsoft.Resources/resourceGroups",
                    "apiVersion": "2021-04-01",
                    "name": "[[parameters('alertResourceGroupName')]",
                    "location": "[[parameters('alertResourceGroupLocation')]",
                    "tags": "[[parameters('alertResourceGroupTags')]"
                  },
                  {
                    "type": "Microsoft.Resources/deployments",
                    "apiVersion": "2019-10-01",
                    "name": "ServiceHealthHealth",
                    "resourceGroup": "[[parameters('alertResourceGroupName')]",
                    "dependsOn": [
                      "[[resourceId('Microsoft.Resources/resourceGroups', parameters('alertResourceGroupName'))]"
                    ],
                    "properties": {
                      "mode": "Incremental",
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                          "enabled": {
                            "type": "string"
                          },
                          "alertResourceGroupName": {
                            "type": "string"
                          },
                          "ALZMonitorActionGroupEmail": {
                            "type": "string"
                          },
                          "BYOActionGroup": {
                            "type": "String"
                          }
                        },
                        "variables": {},
                        "resources": [
                          {
                            "condition": "[[empty(parameters('BYOActionGroup'))]",
                            "type": "microsoft.insights/activityLogAlerts",
                            "apiVersion": "2020-10-01",
                            "name": "ServiceHealthAdvisoryEvent",
                            "location": "Global",
                            "tags": {
                              "_deployed_by_amba": true
                            },
                            "properties": {
                              "actions": {
                                "actionGroups": [
                                  {
                                    "actionGroupId": "[[concat(subscription().Id, '/resourceGroups/', parameters('alertResourceGroupName'), '/providers/microsoft.insights/actionGroups/', 'ag-AMBA-SH-', subscription().displayName, '-001')]"
                                  }
                                ]
                              },
                              "description": "Service Health Advisory Alert",
                              "enabled": "[[parameters('enabled')]",
                              "scopes": [
                                "[[subscription().id]"
                              ],
                              "condition": {
                                "allOf": [
                                  {
                                    "field": "category",
                                    "equals": "ServiceHealth"
                                  },
                                  {
                                    "field": "properties.incidentType",
                                    "equals": "ActionRequired"
                                  }
                                ]
                              },
                              "parameters": {
                                "enabled": {
                                  "value": "[[parameters('enabled')]"
                                }
                              }
                            }
                          },
                          {
                            "condition": "[[not(empty(parameters('BYOActionGroup')))]",
                            "type": "microsoft.insights/activityLogAlerts",
                            "apiVersion": "2020-10-01",
                            "name": "ServiceHealthAdvisoryEvent",
                            "location": "Global",
                            "tags": {
                              "_deployed_by_amba": true
                            },
                            "properties": {
                              "actions": {
                                "actionGroups": "[[variables('varActionGroupIds')]"
                              },
                              "description": "Service Health Advisory Alert",
                              "enabled": "[[parameters('enabled')]",
                              "scopes": [
                                "[[subscription().id]"
                              ],
                              "condition": {
                                "allOf": [
                                  {
                                    "field": "category",
                                    "equals": "ServiceHealth"
                                  },
                                  {
                                    "field": "properties.incidentType",
                                    "equals": "ActionRequired"
                                  }
                                ]
                              },
                              "parameters": {
                                "enabled": {
                                  "value": "[[parameters('enabled')]"
                                }
                              }
                            }
                          }
                        ]
                      },
                      "parameters": {
                        "enabled": {
                          "value": "[[parameters('enabled')]"
                        },
                        "alertResourceGroupName": {
                          "value": "[[parameters('alertResourceGroupName')]"
                        },
                        "ALZMonitorActionGroupEmail": {
                          "value": "[[parameters('ALZMonitorActionGroupEmail')]"
                        },
                        "BYOActionGroup": {
                          "value": "[[parameters('BYOActionGroup')]"
                        }
                      }
                    }
                  }
                ]
              },
              "parameters": {
                "enabled": {
                  "value": "[[parameters('enabled')]"
                },
                "alertResourceGroupName": {
                  "value": "[[parameters('alertResourceGroupName')]"
                },
                "alertResourceGroupTags": {
                  "value": "[[parameters('alertResourceGroupTags')]"
                },
                "alertResourceGroupLocation": {
                  "value": "[[parameters('alertResourceGroupLocation')]"
                },
                "ALZMonitorActionGroupEmail": {
                  "value": "[[parameters('ALZMonitorActionGroupEmail')]"
                },
                "BYOActionGroup": {
                  "value": "[[parameters('BYOActionGroup')]"
                }
              }
            }
          }
        }
      }
    }
  }
}



Service Health Incident - ActivityLog Alert

Service Health Incident Alert

Properties:

categoryServiceHealth
incidentTypeIncident

References:

Templates:

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "alertName": {
      "type": "string",
      "metadata": {
        "description": "Unique name (within the Resource Group) for the Activity log alert."
      }
    },
    "alertDescription": {
      "type": "string",
      "defaultValue": "Service Health Incident Alert",
      "metadata": {
        "description": "Description of alert"
      }
    },
    "isEnabled": {
      "type": "bool",
      "defaultValue": true,
      "metadata": {
        "description": "Indicates whether or not the alert is enabled."
      }
    },
    "currentDateTimeUtcNow": {
      "type": "string",
      "defaultValue": "[utcNow()]",
      "metadata": {
          "description": "The current date and time using the utcNow function. Used for deployment name uniqueness"
      }
    },
    "telemetryOptOut": {
      "type": "string",
      "defaultValue": "No",
      "allowedValues": [
          "Yes",
          "No"
      ],
      "metadata": {
          "description": "The customer usage identifier used for telemetry purposes. The default value of False enables telemetry. The value of True disables telemetry."
      }
    }
  },
  "variables": {
    "pidDeploymentName": "[take(concat('##TELEMETRY_PID-', uniqueString(resourceGroup().id, parameters('alertName'), parameters('currentDateTimeUtcNow'))), 64)]"
  },
  "resources": [
    {
      "type": "Microsoft.Insights/activityLogAlerts",
      "apiVersion": "2017-04-01",
      "name": "[parameters('alertName')]",
      "location": "Global",
      "tags": {
        "_deployed_by_amba": true
      },
      "properties": {
        "description": "[parameters('alertDescription')]",
        "scopes": [
            "[subscription().id]"
        ],
        "enabled": "[parameters('isEnabled')]",
        "condition": {
          "allOf": [
            {
              "field": "category",
              "equals": "ServiceHealth"
            },
            {
              "field": "properties.incidentType",
              "equals": "Incident"
            }
          ]
        }
      }
    },
    {
      "condition": "[equals(parameters('telemetryOptOut'), 'No')]",
      "apiVersion": "2023-07-01",
      "name": "[variables('pidDeploymentName')]",
      "type": "Microsoft.Resources/deployments",
      "properties": {
          "mode": "Incremental",
          "template": {
              "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
              "contentVersion": "1.0.0.0",
              "resources": []
          }
      }
    }
  ]
}
@description('Unique name (within the Resource Group) for the Activity log alert.')
@minLength(1)
param alertName string

@description('Description of alert')
param alertDescription string = 'Service Health Incident Alert'

@description('Indicates whether or not the alert is enabled.')
param isEnabled bool = true

@description('"The current date and time using the utcNow function. Used for deployment name uniqueness')
param currentDateTimeUtcNow string = utcNow()

@description('The customer usage identifier used for telemetry purposes. The default value of False enables telemetry. The value of True disables telemetry.')
@allowed([
  'Yes'
  'No'
])
param telemetryOptOut string = 'No'

resource symbolicname 'Microsoft.Insights/activityLogAlerts@2023-01-01-preview' = {
  name: alertName
  location: 'Global'
  tags: {
    _deployed_by_amba: 'true'
  }
  properties: {
    description: alertDescription
    scopes: [
      subscription().id
    ]
    enabled: isEnabled
    condition: {
      allOf: [
        {
          {
            field: 'category'
            equals: 'ServiceHealth'
          }
          {
            field: 'properties.incidentType'
            equals: 'Incident'
          }
        }
      ]
    }
  }
}

var ambaTelemetryPidName = 'pid-8bb7cf8a-bcf7-4264-abcb-703ace2fc84d-${uniqueString(resourceGroup().id, alertName, currentDateTimeUtcNow)}'
resource ambaTelemetryPid 'Microsoft.Resources/deployments@2023-07-01' =  if (telemetryOptOut == 'No') {
  name: ambaTelemetryPidName
  tags: {
    _deployed_by_amba: 'true'
  }
  properties: {
    mode: 'Incremental'
    template: {
      '$schema': 'https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#'
      contentVersion: '1.0.0.0'
      resources: []
    }
  }
}
{
  "type": "Microsoft.Authorization/policyDefinitions",
  "apiVersion": "2021-06-01",
  "name": "Deploy_activitylog_ServiceHealth_Incident",
  "properties": {
    "policyType": "Custom",
    "mode": "All",
    "displayName": "Deploy Service Health Incident Alert",
    "description": "Policy to Deploy Service Health Incident Alert",
    "metadata": {
      "version": "1.2.0",
      "category": "Monitoring",
      "source": "https://github.com/Azure/azure-monitor-baseline-alerts/",
      "alzCloudEnvironments": [
        "AzureCloud"
      ],
      "_deployed_by_amba": "True"
    },
    "parameters": {
      "enabled": {
        "type": "String",
        "metadata": {
          "displayName": "Alert State",
          "description": "Alert state for the alert"
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "true"
      },
      "alertResourceGroupName": {
        "type": "String",
        "metadata": {
          "displayName": "Resource Group Name",
          "description": "Resource group the alert is placed in"
        },
        "defaultValue": "rg-amba-monitoring-001"
      },
      "alertResourceGroupTags": {
        "type": "Object",
        "metadata": {
          "displayName": "Resource Group Tags",
          "description": "Tags on the Resource group the alert is placed in"
        },
        "defaultValue": {
          "_deployed_by_amba": true
        }
      },
      "alertResourceGroupLocation": {
        "type": "String",
        "metadata": {
          "displayName": "Resource Group Location",
          "description": "Location of the Resource group the alert is placed in"
        },
        "defaultValue": "centralus"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Effect of the policy"
        },
        "allowedValues": [
          "deployIfNotExists",
          "disabled"
        ],
        "defaultValue": "disabled"
      },
      "MonitorDisable": {
        "type": "String",
        "metadata": {
          "displayName": "Monitoring disabled",
          "description": "Tag name to disable monitoring. Set to true if monitoring should be disabled"
        },
        "defaultValue": "MonitorDisable"
      },
      "ALZMonitorActionGroupEmail": {
        "type": "String",
        "metadata": {
          "displayName": "Action Group Email Addresses",
          "description": "Email addresses to send alerts to"
        },
        "defaultValue": ""
      },
      "BYOActionGroup": {
        "type": "String",
        "metadata": {
          "displayName": "Customer defined Action Group Resource ID",
          "description": "The Resource ID of an existing Action Group already deployed by the customer in his environment"
        },
        "defaultValue": ""
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions"
          },
          {
            "field": "[[concat('tags[', parameters('MonitorDisable'), ']')]",
            "notEquals": "true"
          }
        ]
      },
      "then": {
        "effect": "[[parameters('effect')]",
        "details": {
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.Insights/activityLogAlerts",
          "existenceScope": "resourcegroup",
          "resourceGroupName": "[[parameters('alertResourceGroupName')]",
          "deploymentScope": "subscription",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/ActivityLogAlerts/enabled",
                "equals": "[[parameters('enabled')]"
              },
              {
                "anyOf": [
                  {
                    "allOf": [
                      {
                        "value": "[[empty(parameters('BYOActionGroup'))]",
                        "equals": true
                      },
                      {
                        "field": "Microsoft.Insights/ActivityLogAlerts/actions.actionGroups[*].actionGroupId",
                        "contains": "ag-AMBA-SH-"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "value": "[[empty(parameters('BYOActionGroup'))]",
                        "equals": false
                      },
                      {
                        "count": {
                          "field": "Microsoft.Insights/ActivityLogAlerts/actions.actionGroups[*]",
                          "where": {
                            "anyOf": [
                              {
                                "field": "Microsoft.Insights/ActivityLogAlerts/actions.actionGroups[*].actionGroupId",
                                "contains": "[[split(trim(parameters('BYOActionGroup')),',')[0]]"
                              }
                            ]
                          }
                        },
                        "equals": 1
                      }
                    ]
                  }
                ]
              },
              {
                "count": {
                  "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]",
                  "where": {
                    "anyOf": [
                      {
                        "allOf": [
                          {
                            "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
                            "equals": "category"
                          },
                          {
                            "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals",
                            "equals": "ServiceHealth"
                          }
                        ]
                      },
                      {
                        "allOf": [
                          {
                            "field": "microsoft.insights/activityLogAlerts/condition.allOf[*].field",
                            "equals": "properties.incidentType"
                          },
                          {
                            "field": "microsoft.insights/activityLogAlerts/condition.allOf[*].equals",
                            "equals": "Incident"
                          }
                        ]
                      }
                    ]
                  }
                },
                "equals": 2
              }
            ]
          },
          "deployment": {
            "location": "northeurope",
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "alertResourceGroupName": {
                    "type": "string"
                  },
                  "alertResourceGroupTags": {
                    "type": "object"
                  },
                  "alertResourceGroupLocation": {
                    "type": "string"
                  },
                  "enabled": {
                    "type": "string"
                  },
                  "ALZMonitorActionGroupEmail": {
                    "type": "string"
                  },
                  "BYOActionGroup": {
                    "type": "String"
                  }
                },
                "variables": {
                  "varBYOActionGroups": "[[split(parameters('BYOActionGroup'), ',')]",
                  "copy": [
                    {
                      "name": "varActionGroupIds",
                      "count": "[[length(variables('varBYOActionGroups'))]",
                      "mode": "serial",
                      "input": {
                        "actionGroupId": "[[trim(variables('varBYOActionGroups')[copyIndex('varActionGroupIds')])]"
                      }
                    }
                  ]
                },
                "resources": [
                  {
                    "type": "Microsoft.Resources/resourceGroups",
                    "apiVersion": "2021-04-01",
                    "name": "[[parameters('alertResourceGroupName')]",
                    "location": "[[parameters('alertResourceGroupLocation')]",
                    "tags": "[[parameters('alertResourceGroupTags')]"
                  },
                  {
                    "type": "Microsoft.Resources/deployments",
                    "apiVersion": "2019-10-01",
                    "name": "ServiceHealthIncident",
                    "resourceGroup": "[[parameters('alertResourceGroupName')]",
                    "dependsOn": [
                      "[[resourceId('Microsoft.Resources/resourceGroups', parameters('alertResourceGroupName'))]"
                    ],
                    "properties": {
                      "mode": "Incremental",
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                          "enabled": {
                            "type": "string"
                          },
                          "alertResourceGroupName": {
                            "type": "string"
                          },
                          "ALZMonitorActionGroupEmail": {
                            "type": "string"
                          },
                          "BYOActionGroup": {
                            "type": "String"
                          }
                        },
                        "variables": {},
                        "resources": [
                          {
                            "condition": "[[empty(parameters('BYOActionGroup'))]",
                            "type": "microsoft.insights/activityLogAlerts",
                            "apiVersion": "2020-10-01",
                            "name": "ServiceHealthIncident",
                            "location": "global",
                            "tags": {
                              "_deployed_by_amba": true
                            },
                            "properties": {
                              "actions": {
                                "actionGroups": [
                                  {
                                    "actionGroupId": "[[concat(subscription().Id, '/resourceGroups/', parameters('alertResourceGroupName'), '/providers/microsoft.insights/actionGroups/', 'ag-AMBA-SH-', subscription().displayName, '-001')]"
                                  }
                                ]
                              },
                              "description": "Service Health Incident Alert",
                              "enabled": "[[parameters('enabled')]",
                              "scopes": [
                                "[[subscription().id]"
                              ],
                              "condition": {
                                "allOf": [
                                  {
                                    "field": "category",
                                    "equals": "ServiceHealth"
                                  },
                                  {
                                    "field": "properties.incidentType",
                                    "equals": "Incident"
                                  }
                                ]
                              },
                              "parameters": {
                                "enabled": {
                                  "value": "[[parameters('enabled')]"
                                }
                              }
                            }
                          },
                          {
                            "condition": "[[not(empty(parameters('BYOActionGroup')))]",
                            "type": "microsoft.insights/activityLogAlerts",
                            "apiVersion": "2020-10-01",
                            "name": "ServiceHealthIncident",
                            "location": "global",
                            "tags": {
                              "_deployed_by_amba": true
                            },
                            "properties": {
                              "actions": {
                                "actionGroups": "[[variables('varActionGroupIds')]"
                              },
                              "description": "Service Health Incident Alert",
                              "enabled": "[[parameters('enabled')]",
                              "scopes": [
                                "[[subscription().id]"
                              ],
                              "condition": {
                                "allOf": [
                                  {
                                    "field": "category",
                                    "equals": "ServiceHealth"
                                  },
                                  {
                                    "field": "properties.incidentType",
                                    "equals": "Incident"
                                  }
                                ]
                              },
                              "parameters": {
                                "enabled": {
                                  "value": "[[parameters('enabled')]"
                                }
                              }
                            }
                          }
                        ]
                      },
                      "parameters": {
                        "enabled": {
                          "value": "[[parameters('enabled')]"
                        },
                        "alertResourceGroupName": {
                          "value": "[[parameters('alertResourceGroupName')]"
                        },
                        "ALZMonitorActionGroupEmail": {
                          "value": "[[parameters('ALZMonitorActionGroupEmail')]"
                        },
                        "BYOActionGroup": {
                          "value": "[[parameters('BYOActionGroup')]"
                        }
                      }
                    }
                  }
                ]
              },
              "parameters": {
                "enabled": {
                  "value": "[[parameters('enabled')]"
                },
                "alertResourceGroupName": {
                  "value": "[[parameters('alertResourceGroupName')]"
                },
                "alertResourceGroupTags": {
                  "value": "[[parameters('alertResourceGroupTags')]"
                },
                "alertResourceGroupLocation": {
                  "value": "[[parameters('alertResourceGroupLocation')]"
                },
                "ALZMonitorActionGroupEmail": {
                  "value": "[[parameters('ALZMonitorActionGroupEmail')]"
                },
                "BYOActionGroup": {
                  "value": "[[parameters('BYOActionGroup')]"
                }
              }
            }
          }
        }
      }
    }
  }
}



Service Health Maintenance - ActivityLog Alert

Service Health Maintenance Alert

Properties:

categoryServiceHealth
incidentTypeMaintenance

References:

Templates:

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "alertName": {
      "type": "string",
      "metadata": {
        "description": "Unique name (within the Resource Group) for the Activity log alert."
      }
    },
    "alertDescription": {
      "type": "string",
      "defaultValue": "Service Health Maintenance Alert",
      "metadata": {
        "description": "Description of alert"
      }
    },
    "isEnabled": {
      "type": "bool",
      "defaultValue": true,
      "metadata": {
        "description": "Indicates whether or not the alert is enabled."
      }
    },
    "currentDateTimeUtcNow": {
      "type": "string",
      "defaultValue": "[utcNow()]",
      "metadata": {
          "description": "The current date and time using the utcNow function. Used for deployment name uniqueness"
      }
    },
    "telemetryOptOut": {
      "type": "string",
      "defaultValue": "No",
      "allowedValues": [
          "Yes",
          "No"
      ],
      "metadata": {
          "description": "The customer usage identifier used for telemetry purposes. The default value of False enables telemetry. The value of True disables telemetry."
      }
    }
  },
  "variables": {
    "pidDeploymentName": "[take(concat('##TELEMETRY_PID-', uniqueString(resourceGroup().id, parameters('alertName'), parameters('currentDateTimeUtcNow'))), 64)]"
  },
  "resources": [
    {
      "type": "Microsoft.Insights/activityLogAlerts",
      "apiVersion": "2017-04-01",
      "name": "[parameters('alertName')]",
      "location": "Global",
      "tags": {
        "_deployed_by_amba": true
      },
      "properties": {
        "description": "[parameters('alertDescription')]",
        "scopes": [
            "[subscription().id]"
        ],
        "enabled": "[parameters('isEnabled')]",
        "condition": {
          "allOf": [
            {
              "field": "category",
              "equals": "ServiceHealth"
            },
            {
              "field": "properties.incidentType",
              "equals": "Maintenance"
            }
          ]
        }
      }
    },
    {
      "condition": "[equals(parameters('telemetryOptOut'), 'No')]",
      "apiVersion": "2023-07-01",
      "name": "[variables('pidDeploymentName')]",
      "type": "Microsoft.Resources/deployments",
      "properties": {
          "mode": "Incremental",
          "template": {
              "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
              "contentVersion": "1.0.0.0",
              "resources": []
          }
      }
    }
  ]
}
@description('Unique name (within the Resource Group) for the Activity log alert.')
@minLength(1)
param alertName string

@description('Description of alert')
param alertDescription string = 'Service Health Maintenance Alert'

@description('Indicates whether or not the alert is enabled.')
param isEnabled bool = true

@description('"The current date and time using the utcNow function. Used for deployment name uniqueness')
param currentDateTimeUtcNow string = utcNow()

@description('The customer usage identifier used for telemetry purposes. The default value of False enables telemetry. The value of True disables telemetry.')
@allowed([
  'Yes'
  'No'
])
param telemetryOptOut string = 'No'

resource symbolicname 'Microsoft.Insights/activityLogAlerts@2023-01-01-preview' = {
  name: alertName
  location: 'Global'
  tags: {
    _deployed_by_amba: 'true'
  }
  properties: {
    description: alertDescription
    scopes: [
      subscription().id
    ]
    enabled: isEnabled
    condition: {
      allOf: [
        {
          {
            field: 'category'
            equals: 'ServiceHealth'
          }
          {
            field: 'properties.incidentType'
            equals: 'Maintenance'
          }
        }
      ]
    }
  }
}

var ambaTelemetryPidName = 'pid-8bb7cf8a-bcf7-4264-abcb-703ace2fc84d-${uniqueString(resourceGroup().id, alertName, currentDateTimeUtcNow)}'
resource ambaTelemetryPid 'Microsoft.Resources/deployments@2023-07-01' =  if (telemetryOptOut == 'No') {
  name: ambaTelemetryPidName
  tags: {
    _deployed_by_amba: 'true'
  }
  properties: {
    mode: 'Incremental'
    template: {
      '$schema': 'https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#'
      contentVersion: '1.0.0.0'
      resources: []
    }
  }
}
{
  "type": "Microsoft.Authorization/policyDefinitions",
  "apiVersion": "2021-06-01",
  "name": "Deploy_activitylog_ServiceHealth_Maintenance",
  "properties": {
    "policyType": "Custom",
    "mode": "All",
    "displayName": "Deploy Service Health Maintenance Alert",
    "description": "Policy to Deploy Service Health Maintenance Alert",
    "metadata": {
      "version": "1.2.0",
      "category": "Monitoring",
      "source": "https://github.com/Azure/azure-monitor-baseline-alerts/",
      "alzCloudEnvironments": [
        "AzureCloud"
      ],
      "_deployed_by_amba": "True"
    },
    "parameters": {
      "enabled": {
        "type": "String",
        "metadata": {
          "displayName": "Alert State",
          "description": "Alert state for the alert"
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "true"
      },
      "alertResourceGroupName": {
        "type": "String",
        "metadata": {
          "displayName": "Resource Group Name",
          "description": "Resource group the alert is placed in"
        },
        "defaultValue": "rg-amba-monitoring-001"
      },
      "alertResourceGroupTags": {
        "type": "Object",
        "metadata": {
          "displayName": "Resource Group Tags",
          "description": "Tags on the Resource group the alert is placed in"
        },
        "defaultValue": {
          "_deployed_by_amba": true
        }
      },
      "alertResourceGroupLocation": {
        "type": "String",
        "metadata": {
          "displayName": "Resource Group Location",
          "description": "Location of the Resource group the alert is placed in"
        },
        "defaultValue": "centralus"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Effect of the policy"
        },
        "allowedValues": [
          "deployIfNotExists",
          "disabled"
        ],
        "defaultValue": "disabled"
      },
      "MonitorDisable": {
        "type": "String",
        "metadata": {
          "displayName": "Monitoring disabled",
          "description": "Tag name to disable monitoring. Set to true if monitoring should be disabled"
        },
        "defaultValue": "MonitorDisable"
      },
      "ALZMonitorActionGroupEmail": {
        "type": "String",
        "metadata": {
          "displayName": "Action Group Email Addresses",
          "description": "Email addresses to send alerts to"
        },
        "defaultValue": ""
      },
      "BYOActionGroup": {
        "type": "String",
        "metadata": {
          "displayName": "Customer defined Action Group Resource ID",
          "description": "The Resource ID of an existing Action Group already deployed by the customer in his environment"
        },
        "defaultValue": ""
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions"
          },
          {
            "field": "[[concat('tags[', parameters('MonitorDisable'), ']')]",
            "notEquals": "true"
          }
        ]
      },
      "then": {
        "effect": "[[parameters('effect')]",
        "details": {
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.Insights/activityLogAlerts",
          "existenceScope": "resourcegroup",
          "resourceGroupName": "[[parameters('alertResourceGroupName')]",
          "deploymentScope": "subscription",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/ActivityLogAlerts/enabled",
                "equals": "[[parameters('enabled')]"
              },
              {
                "anyOf": [
                  {
                    "allOf": [
                      {
                        "value": "[[empty(parameters('BYOActionGroup'))]",
                        "equals": true
                      },
                      {
                        "field": "Microsoft.Insights/ActivityLogAlerts/actions.actionGroups[*].actionGroupId",
                        "contains": "ag-AMBA-SH-"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "value": "[[empty(parameters('BYOActionGroup'))]",
                        "equals": false
                      },
                      {
                        "count": {
                          "field": "Microsoft.Insights/ActivityLogAlerts/actions.actionGroups[*]",
                          "where": {
                            "anyOf": [
                              {
                                "field": "Microsoft.Insights/ActivityLogAlerts/actions.actionGroups[*].actionGroupId",
                                "contains": "[[split(trim(parameters('BYOActionGroup')),',')[0]]"
                              }
                            ]
                          }
                        },
                        "equals": 1
                      }
                    ]
                  }
                ]
              },
              {
                "count": {
                  "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]",
                  "where": {
                    "anyOf": [
                      {
                        "allOf": [
                          {
                            "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
                            "equals": "category"
                          },
                          {
                            "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals",
                            "equals": "ServiceHealth"
                          }
                        ]
                      },
                      {
                        "allOf": [
                          {
                            "field": "microsoft.insights/activityLogAlerts/condition.allOf[*].field",
                            "equals": "properties.incidentType"
                          },
                          {
                            "field": "microsoft.insights/activityLogAlerts/condition.allOf[*].equals",
                            "equals": "Maintenance"
                          }
                        ]
                      }
                    ]
                  }
                },
                "equals": 2
              }
            ]
          },
          "deployment": {
            "location": "northeurope",
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "alertResourceGroupName": {
                    "type": "string"
                  },
                  "alertResourceGroupTags": {
                    "type": "object"
                  },
                  "alertResourceGroupLocation": {
                    "type": "string"
                  },
                  "enabled": {
                    "type": "string"
                  },
                  "ALZMonitorActionGroupEmail": {
                    "type": "string"
                  },
                  "BYOActionGroup": {
                    "type": "String"
                  }
                },
                "variables": {
                  "varBYOActionGroups": "[[split(parameters('BYOActionGroup'), ',')]",
                  "copy": [
                    {
                      "name": "varActionGroupIds",
                      "count": "[[length(variables('varBYOActionGroups'))]",
                      "mode": "serial",
                      "input": {
                        "actionGroupId": "[[trim(variables('varBYOActionGroups')[copyIndex('varActionGroupIds')])]"
                      }
                    }
                  ]
                },
                "resources": [
                  {
                    "type": "Microsoft.Resources/resourceGroups",
                    "apiVersion": "2021-04-01",
                    "name": "[[parameters('alertResourceGroupName')]",
                    "location": "[[parameters('alertResourceGroupLocation')]",
                    "tags": "[[parameters('alertResourceGroupTags')]"
                  },
                  {
                    "type": "Microsoft.Resources/deployments",
                    "apiVersion": "2019-10-01",
                    "name": "ServiceHealthMaintenance",
                    "resourceGroup": "[[parameters('alertResourceGroupName')]",
                    "dependsOn": [
                      "[[resourceId('Microsoft.Resources/resourceGroups', parameters('alertResourceGroupName'))]"
                    ],
                    "properties": {
                      "mode": "Incremental",
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                          "enabled": {
                            "type": "string"
                          },
                          "alertResourceGroupName": {
                            "type": "string"
                          },
                          "ALZMonitorActionGroupEmail": {
                            "type": "string"
                          },
                          "BYOActionGroup": {
                            "type": "String"
                          }
                        },
                        "variables": {},
                        "resources": [
                          {
                            "condition": "[[empty(parameters('BYOActionGroup'))]",
                            "type": "microsoft.insights/activityLogAlerts",
                            "apiVersion": "2020-10-01",
                            "name": "ServiceHealthPlannedMaintenance",
                            "location": "global",
                            "tags": {
                              "_deployed_by_amba": true
                            },
                            "properties": {
                              "actions": {
                                "actionGroups": [
                                  {
                                    "actionGroupId": "[[concat(subscription().Id, '/resourceGroups/', parameters('alertResourceGroupName'), '/providers/microsoft.insights/actionGroups/', 'ag-AMBA-SH-', subscription().displayName, '-001')]"
                                  }
                                ]
                              },
                              "description": "Service Health Planned Maintenance Alert",
                              "enabled": "[[parameters('enabled')]",
                              "scopes": [
                                "[[subscription().id]"
                              ],
                              "condition": {
                                "allOf": [
                                  {
                                    "field": "category",
                                    "equals": "ServiceHealth"
                                  },
                                  {
                                    "field": "properties.incidentType",
                                    "equals": "Maintenance"
                                  }
                                ]
                              },
                              "parameters": {
                                "enabled": {
                                  "value": "[[parameters('enabled')]"
                                }
                              }
                            }
                          },
                          {
                            "condition": "[[not(empty(parameters('BYOActionGroup')))]",
                            "type": "microsoft.insights/activityLogAlerts",
                            "apiVersion": "2020-10-01",
                            "name": "ServiceHealthPlannedMaintenance",
                            "location": "global",
                            "tags": {
                              "_deployed_by_amba": true
                            },
                            "properties": {
                              "actions": {
                                "actionGroups": "[[variables('varActionGroupIds')]"
                              },
                              "description": "Service Health Planned Maintenance Alert",
                              "enabled": "[[parameters('enabled')]",
                              "scopes": [
                                "[[subscription().id]"
                              ],
                              "condition": {
                                "allOf": [
                                  {
                                    "field": "category",
                                    "equals": "ServiceHealth"
                                  },
                                  {
                                    "field": "properties.incidentType",
                                    "equals": "Maintenance"
                                  }
                                ]
                              },
                              "parameters": {
                                "enabled": {
                                  "value": "[[parameters('enabled')]"
                                }
                              }
                            }
                          }
                        ]
                      },
                      "parameters": {
                        "enabled": {
                          "value": "[[parameters('enabled')]"
                        },
                        "alertResourceGroupName": {
                          "value": "[[parameters('alertResourceGroupName')]"
                        },
                        "ALZMonitorActionGroupEmail": {
                          "value": "[[parameters('ALZMonitorActionGroupEmail')]"
                        },
                        "BYOActionGroup": {
                          "value": "[[parameters('BYOActionGroup')]"
                        }
                      }
                    }
                  }
                ]
              },
              "parameters": {
                "enabled": {
                  "value": "[[parameters('enabled')]"
                },
                "alertResourceGroupName": {
                  "value": "[[parameters('alertResourceGroupName')]"
                },
                "alertResourceGroupTags": {
                  "value": "[[parameters('alertResourceGroupTags')]"
                },
                "alertResourceGroupLocation": {
                  "value": "[[parameters('alertResourceGroupLocation')]"
                },
                "ALZMonitorActionGroupEmail": {
                  "value": "[[parameters('ALZMonitorActionGroupEmail')]"
                },
                "BYOActionGroup": {
                  "value": "[[parameters('BYOActionGroup')]"
                }
              }
            }
          }
        }
      }
    }
  }
}



Service Health Security - ActivityLog Alert

Service Health Security Alert

Properties:

categoryServiceHealth
incidentTypeSecurity

References:

Templates:

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "alertName": {
      "type": "string",
      "metadata": {
        "description": "Unique name (within the Resource Group) for the Activity log alert."
      }
    },
    "alertDescription": {
      "type": "string",
      "defaultValue": "Service Health Security Alert",
      "metadata": {
        "description": "Description of alert"
      }
    },
    "isEnabled": {
      "type": "bool",
      "defaultValue": true,
      "metadata": {
        "description": "Indicates whether or not the alert is enabled."
      }
    },
    "currentDateTimeUtcNow": {
      "type": "string",
      "defaultValue": "[utcNow()]",
      "metadata": {
          "description": "The current date and time using the utcNow function. Used for deployment name uniqueness"
      }
    },
    "telemetryOptOut": {
      "type": "string",
      "defaultValue": "No",
      "allowedValues": [
          "Yes",
          "No"
      ],
      "metadata": {
          "description": "The customer usage identifier used for telemetry purposes. The default value of False enables telemetry. The value of True disables telemetry."
      }
    }
  },
  "variables": {
    "pidDeploymentName": "[take(concat('##TELEMETRY_PID-', uniqueString(resourceGroup().id, parameters('alertName'), parameters('currentDateTimeUtcNow'))), 64)]"
  },
  "resources": [
    {
      "type": "Microsoft.Insights/activityLogAlerts",
      "apiVersion": "2017-04-01",
      "name": "[parameters('alertName')]",
      "location": "Global",
      "tags": {
        "_deployed_by_amba": true
      },
      "properties": {
        "description": "[parameters('alertDescription')]",
        "scopes": [
            "[subscription().id]"
        ],
        "enabled": "[parameters('isEnabled')]",
        "condition": {
          "allOf": [
            {
              "field": "category",
              "equals": "ServiceHealth"
            },
            {
              "field": "properties.incidentType",
              "equals": "Security"
            }
          ]
        }
      }
    },
    {
      "condition": "[equals(parameters('telemetryOptOut'), 'No')]",
      "apiVersion": "2023-07-01",
      "name": "[variables('pidDeploymentName')]",
      "type": "Microsoft.Resources/deployments",
      "properties": {
          "mode": "Incremental",
          "template": {
              "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
              "contentVersion": "1.0.0.0",
              "resources": []
          }
      }
    }
  ]
}
@description('Unique name (within the Resource Group) for the Activity log alert.')
@minLength(1)
param alertName string

@description('Description of alert')
param alertDescription string = 'Service Health Security Alert'

@description('Indicates whether or not the alert is enabled.')
param isEnabled bool = true

@description('"The current date and time using the utcNow function. Used for deployment name uniqueness')
param currentDateTimeUtcNow string = utcNow()

@description('The customer usage identifier used for telemetry purposes. The default value of False enables telemetry. The value of True disables telemetry.')
@allowed([
  'Yes'
  'No'
])
param telemetryOptOut string = 'No'

resource symbolicname 'Microsoft.Insights/activityLogAlerts@2023-01-01-preview' = {
  name: alertName
  location: 'Global'
  tags: {
    _deployed_by_amba: 'true'
  }
  properties: {
    description: alertDescription
    scopes: [
      subscription().id
    ]
    enabled: isEnabled
    condition: {
      allOf: [
        {
          {
            field: 'category'
            equals: 'ServiceHealth'
          }
          {
            field: 'properties.incidentType'
            equals: 'Security'
          }
        }
      ]
    }
  }
}

var ambaTelemetryPidName = 'pid-8bb7cf8a-bcf7-4264-abcb-703ace2fc84d-${uniqueString(resourceGroup().id, alertName, currentDateTimeUtcNow)}'
resource ambaTelemetryPid 'Microsoft.Resources/deployments@2023-07-01' =  if (telemetryOptOut == 'No') {
  name: ambaTelemetryPidName
  tags: {
    _deployed_by_amba: 'true'
  }
  properties: {
    mode: 'Incremental'
    template: {
      '$schema': 'https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#'
      contentVersion: '1.0.0.0'
      resources: []
    }
  }
}
{
  "type": "Microsoft.Authorization/policyDefinitions",
  "apiVersion": "2021-06-01",
  "name": "Deploy_activitylog_ServiceHealth_SecurityAdvisory",
  "properties": {
    "policyType": "Custom",
    "mode": "All",
    "displayName": "Deploy Service Health Security Advisory Alert",
    "description": "Policy to Deploy Service Health Security Advisory Alert",
    "metadata": {
      "version": "1.2.0",
      "category": "Monitoring",
      "source": "https://github.com/Azure/azure-monitor-baseline-alerts/",
      "alzCloudEnvironments": [
        "AzureCloud"
      ],
      "_deployed_by_amba": "True"
    },
    "parameters": {
      "enabled": {
        "type": "String",
        "metadata": {
          "displayName": "Alert State",
          "description": "Alert state for the alert"
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "true"
      },
      "alertResourceGroupName": {
        "type": "String",
        "metadata": {
          "displayName": "Resource Group Name",
          "description": "Resource group the alert is placed in"
        },
        "defaultValue": "rg-amba-monitoring-001"
      },
      "alertResourceGroupTags": {
        "type": "Object",
        "metadata": {
          "displayName": "Resource Group Tags",
          "description": "Tags on the Resource group the alert is placed in"
        },
        "defaultValue": {
          "_deployed_by_amba": true
        }
      },
      "alertResourceGroupLocation": {
        "type": "String",
        "metadata": {
          "displayName": "Resource Group Location",
          "description": "Location of the Resource group the alert is placed in"
        },
        "defaultValue": "centralus"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Effect of the policy"
        },
        "allowedValues": [
          "deployIfNotExists",
          "disabled"
        ],
        "defaultValue": "disabled"
      },
      "MonitorDisable": {
        "type": "String",
        "metadata": {
          "displayName": "Monitoring disabled",
          "description": "Tag name to disable monitoring. Set to true if monitoring should be disabled"
        },
        "defaultValue": "MonitorDisable"
      },
      "ALZMonitorActionGroupEmail": {
        "type": "String",
        "metadata": {
          "displayName": "Action Group Email Addresses",
          "description": "Email addresses to send alerts to"
        },
        "defaultValue": ""
      },
      "BYOActionGroup": {
        "type": "String",
        "metadata": {
          "displayName": "Customer defined Action Group Resource ID",
          "description": "The Resource ID of an existing Action Group already deployed by the customer in his environment"
        },
        "defaultValue": ""
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions"
          },
          {
            "field": "[[concat('tags[', parameters('MonitorDisable'), ']')]",
            "notEquals": "true"
          }
        ]
      },
      "then": {
        "effect": "[[parameters('effect')]",
        "details": {
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.Insights/activityLogAlerts",
          "existenceScope": "resourcegroup",
          "resourceGroupName": "[[parameters('alertResourceGroupName')]",
          "deploymentScope": "subscription",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/ActivityLogAlerts/enabled",
                "equals": "[[parameters('enabled')]"
              },
              {
                "anyOf": [
                  {
                    "allOf": [
                      {
                        "value": "[[empty(parameters('BYOActionGroup'))]",
                        "equals": true
                      },
                      {
                        "field": "Microsoft.Insights/ActivityLogAlerts/actions.actionGroups[*].actionGroupId",
                        "contains": "ag-AMBA-SH-"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "value": "[[empty(parameters('BYOActionGroup'))]",
                        "equals": false
                      },
                      {
                        "count": {
                          "field": "Microsoft.Insights/ActivityLogAlerts/actions.actionGroups[*]",
                          "where": {
                            "anyOf": [
                              {
                                "field": "Microsoft.Insights/ActivityLogAlerts/actions.actionGroups[*].actionGroupId",
                                "contains": "[[split(trim(parameters('BYOActionGroup')),',')[0]]"
                              }
                            ]
                          }
                        },
                        "equals": 1
                      }
                    ]
                  }
                ]
              },
              {
                "count": {
                  "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]",
                  "where": {
                    "anyOf": [
                      {
                        "allOf": [
                          {
                            "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
                            "equals": "category"
                          },
                          {
                            "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals",
                            "equals": "ServiceHealth"
                          }
                        ]
                      },
                      {
                        "allOf": [
                          {
                            "field": "microsoft.insights/activityLogAlerts/condition.allOf[*].field",
                            "equals": "properties.incidentType"
                          },
                          {
                            "field": "microsoft.insights/activityLogAlerts/condition.allOf[*].equals",
                            "equals": "Security"
                          }
                        ]
                      }
                    ]
                  }
                },
                "equals": 2
              }
            ]
          },
          "deployment": {
            "location": "northeurope",
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "alertResourceGroupName": {
                    "type": "string"
                  },
                  "alertResourceGroupTags": {
                    "type": "object"
                  },
                  "alertResourceGroupLocation": {
                    "type": "string"
                  },
                  "enabled": {
                    "type": "string"
                  },
                  "ALZMonitorActionGroupEmail": {
                    "type": "string"
                  },
                  "BYOActionGroup": {
                    "type": "String"
                  }
                },
                "variables": {
                  "varBYOActionGroups": "[[split(parameters('BYOActionGroup'), ',')]",
                  "copy": [
                    {
                      "name": "varActionGroupIds",
                      "count": "[[length(variables('varBYOActionGroups'))]",
                      "mode": "serial",
                      "input": {
                        "actionGroupId": "[[trim(variables('varBYOActionGroups')[copyIndex('varActionGroupIds')])]"
                      }
                    }
                  ]
                },
                "resources": [
                  {
                    "type": "Microsoft.Resources/resourceGroups",
                    "apiVersion": "2021-04-01",
                    "name": "[[parameters('alertResourceGroupName')]",
                    "location": "[[parameters('alertResourceGroupLocation')]",
                    "tags": "[[parameters('alertResourceGroupTags')]"
                  },
                  {
                    "type": "Microsoft.Resources/deployments",
                    "apiVersion": "2019-10-01",
                    "name": "ServiceSecurityIncident",
                    "resourceGroup": "[[parameters('alertResourceGroupName')]",
                    "dependsOn": [
                      "[[resourceId('Microsoft.Resources/resourceGroups', parameters('alertResourceGroupName'))]"
                    ],
                    "properties": {
                      "mode": "Incremental",
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                          "enabled": {
                            "type": "string"
                          },
                          "alertResourceGroupName": {
                            "type": "string"
                          },
                          "ALZMonitorActionGroupEmail": {
                            "type": "string"
                          },
                          "BYOActionGroup": {
                            "type": "String"
                          }
                        },
                        "variables": {},
                        "resources": [
                          {
                            "condition": "[[empty(parameters('BYOActionGroup'))]",
                            "type": "microsoft.insights/activityLogAlerts",
                            "apiVersion": "2020-10-01",
                            "name": "ServiceHealthSecurityIncident",
                            "location": "global",
                            "tags": {
                              "_deployed_by_amba": true
                            },
                            "properties": {
                              "actions": {
                                "actionGroups": [
                                  {
                                    "actionGroupId": "[[concat(subscription().Id, '/resourceGroups/', parameters('alertResourceGroupName'), '/providers/microsoft.insights/actionGroups/', 'ag-AMBA-SH-', subscription().displayName, '-001')]"
                                  }
                                ]
                              },
                              "description": "Service Health Security Alert",
                              "enabled": "[[parameters('enabled')]",
                              "scopes": [
                                "[[subscription().id]"
                              ],
                              "condition": {
                                "allOf": [
                                  {
                                    "field": "category",
                                    "equals": "ServiceHealth"
                                  },
                                  {
                                    "field": "properties.incidentType",
                                    "equals": "Security"
                                  }
                                ]
                              },
                              "parameters": {
                                "enabled": {
                                  "value": "[[parameters('enabled')]"
                                }
                              }
                            }
                          },
                          {
                            "condition": "[[not(empty(parameters('BYOActionGroup')))]",
                            "type": "microsoft.insights/activityLogAlerts",
                            "apiVersion": "2020-10-01",
                            "name": "ServiceHealthSecurityIncident",
                            "location": "global",
                            "tags": {
                              "_deployed_by_amba": true
                            },
                            "properties": {
                              "actions": {
                                "actionGroups": "[[variables('varActionGroupIds')]"
                              },
                              "description": "Service Health Security Alert",
                              "enabled": "[[parameters('enabled')]",
                              "scopes": [
                                "[[subscription().id]"
                              ],
                              "condition": {
                                "allOf": [
                                  {
                                    "field": "category",
                                    "equals": "ServiceHealth"
                                  },
                                  {
                                    "field": "properties.incidentType",
                                    "equals": "Security"
                                  }
                                ]
                              },
                              "parameters": {
                                "enabled": {
                                  "value": "[[parameters('enabled')]"
                                }
                              }
                            }
                          }
                        ]
                      },
                      "parameters": {
                        "enabled": {
                          "value": "[[parameters('enabled')]"
                        },
                        "alertResourceGroupName": {
                          "value": "[[parameters('alertResourceGroupName')]"
                        },
                        "ALZMonitorActionGroupEmail": {
                          "value": "[[parameters('ALZMonitorActionGroupEmail')]"
                        },
                        "BYOActionGroup": {
                          "value": "[[parameters('BYOActionGroup')]"
                        }
                      }
                    }
                  }
                ]
              },
              "parameters": {
                "enabled": {
                  "value": "[[parameters('enabled')]"
                },
                "alertResourceGroupName": {
                  "value": "[[parameters('alertResourceGroupName')]"
                },
                "alertResourceGroupTags": {
                  "value": "[[parameters('alertResourceGroupTags')]"
                },
                "alertResourceGroupLocation": {
                  "value": "[[parameters('alertResourceGroupLocation')]"
                },
                "ALZMonitorActionGroupEmail": {
                  "value": "[[parameters('ALZMonitorActionGroupEmail')]"
                },
                "BYOActionGroup": {
                  "value": "[[parameters('BYOActionGroup')]"
                }
              }
            }
          }
        }
      }
    }
  }
}