Azure Monitor Baseline Alerts
Download AlertsGlossaryGitHubGitHub IssuesToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Subscriptions

NameTypeDescription
Resource Health UnhealthyActivityLogResource Health Unhealthy Alert
Service Health AdvisoryActivityLogService Health Advisory Alert
Service Health IncidentActivityLogService Health Incident Alert
Service Health MaintenanceActivityLogService Health Maintenance Alert
Service Health SecurityActivityLogService Health Security Alert

Dashboards:

Click a tab to view the dashboard template

{
  "__inputs": [],
  "__elements": {},
  "__requires": [
    {
      "type": "panel",
      "id": "bargauge",
      "name": "Bar gauge",
      "version": ""
    },
    {
      "type": "grafana",
      "id": "grafana",
      "name": "Grafana",
      "version": "9.5.12"
    },
    {
      "type": "datasource",
      "id": "grafana-azure-monitor-datasource",
      "name": "Azure Monitor",
      "version": "1.0.0"
    }
  ],
  "title": "Subscriptions",
  "editable": true,
  "links": [],
  "liveNow": false,
  "panels": [
  
  ],
  "refresh": "",
  "schemaVersion": 38,
  "style": "dark",
  "tags": [],
  "templating": {
    "list": [
      {
        "current": {},
        "hide": 0,
        "includeAll": false,
        "label": "Datasource",
        "multi": false,
        "name": "ds",
        "options": [],
        "query": "grafana-azure-monitor-datasource",
        "queryValue": "",
        "refresh": 1,
        "regex": "",
        "skipUrlSync": false,
        "type": "datasource"
      },
      {
        "current": {},
        "datasource": {
          "type": "grafana-azure-monitor-datasource",
          "uid": "${ds}"
        },
        "definition": "",
        "hide": 0,
        "includeAll": false,
        "label": "Subscription",
        "multi": false,
        "name": "sub",
        "options": [],
        "query": {
          "azureLogAnalytics": {
            "query": "",
            "resources": []
          },
          "queryType": "Azure Subscriptions",
          "refId": "A"
        },
        "refresh": 1,
        "regex": "",
        "skipUrlSync": false,
        "sort": 0,
        "type": "query"
      }
    ]
  },
  "time": {
    "from": "now-6h",
    "to": "now"
  },
  "timepicker": {},
  "timezone": "",
  "version": null
}



Resource Health Unhealthy - ActivityLog Alert

Resource Health Unhealthy Alert

Recommended Properties:

categoryResourceHealth
causes
[
  "PlatoformInitiated",
  "UserInitiated"
]
currentHealthStatus
[
  "Degraded",
  "Unavailable"
]

References:

Templates:

Click a tab to view the template

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "activityLogAlertName": {
      "type": "string",
      "metadata": {
        "description": "Unique name (within the Resource Group) for the Activity log alert."
      }
    },
    "alertDescription": {
      "type": "string",
      "defaultValue": "Resource Health Unhealthy Alert",
      "metadata": {
        "description": "Description of alert"
      }
    },
    "activityLogAlertEnabled": {
      "type": "bool",
      "defaultValue": true,
      "metadata": {
        "description": "Indicates whether or not the alert is enabled."
      }
    },
    "actionGroupResourceId": {
      "type": "string",
      "metadata": {
        "description": "Resource Id for the Action group."
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Insights/activityLogAlerts",
      "apiVersion": "2017-04-01",
      "name": "[parameters('activityLogAlertName')]",
      "location": "Global",
      "tags": {
        "_deployed_by_amba": true
      },
      "properties": {
        "description": "[parameters('alertDescription')]",
        "scopes": [
            "[subscription().id]"
        ],
        "enabled": "[parameters('activityLogAlertEnabled')]",
        "condition": {
          "allOf": [
            {
              "field": "category",
              "equals": "ResourceHealth"
            },
            {
              "anyOf": [
                {
                  "field": "properties.cause",
                  "equals": "PlatoformInitiated"
                },
                {
                  "field": "properties.cause",
                  "equals": "UserInitiated"
                }
              ]
            },
            {
              "anyOf": [
                {
                  "field": "properties.currentHealthStatus",
                  "equals": "Degraded"
                },
                {
                  "field": "properties.currentHealthStatus",
                  "equals": "Unavailable"
                }
              ]
            }
          ]
        },
        "actions": {
          "actionGroups":
          [
            {
              "actionGroupId": "[parameters('actionGroupResourceId')]"
            }
          ]
        }
      }
    }
  ]
}
@description('Unique name (within the Resource Group) for the Activity log alert.')
@minLength(1)
param activityLogAlertName string

@description('Description of alert')
param alertDescription string = 'Resource Health Unhealthy Alert'

@description('Indicates whether or not the alert is enabled.')
param activityLogAlertEnabled bool = true

@description('The ID of the action group that is triggered when the alert is activated or deactivated')
param actionGroupId string = ''

resource symbolicname 'Microsoft.Insights/activityLogAlerts@2023-01-01-preview' = {
  name: activityLogAlertName
  location: 'Global'
  tags: {
    '_deployed_by_amba': true
  }
  properties: {
    description: alertDescription
    scopes: [
      subscription().id
    ]
    enabled: bool
    condition: {
      allOf: [
        {
          field: 'category'
          equals: 'ResourceHealth'
        }
        {
          anyOf: [
          
            {
              field: 'properties.cause'
              equals: 'PlatoformInitiated'
            }
          
            {
              field: 'properties.cause'
              equals: 'UserInitiated'
            }
          
          ]
        }
        {
          anyOf: [
          
            {
              field: 'properties.currentHealthStatus'
              equals: 'Degraded'
            }
          
            {
              field: 'properties.currentHealthStatus'
              equals: 'Unavailable'
            }
          
          ]
        }
      ]
    }
    actions: {
      actionGroups: [
        {
          actionGroupId: actionGroupId
        }
      ]
    }
  }
}
NameDeploy Resource Health Unhealthy Alert
TemplateDeploy-ActivityLog-ResourceHealth-UnHealthly-Alert.json (Download)
Tagsalz
PropertiesalertName: ResourceHealthUnhealthyAlert
documented: true
policyScope: managementGroup
scope: Subscription
{
  "type": "Microsoft.Authorization/policyDefinitions",
  "apiVersion": "2021-06-01",
  "name": "Deploy_activitylog_ResourceHealth_Unhealthy_Alert",
  "properties": {
    "policyType": "Custom",
    "mode": "All",
    "displayName": "Deploy Resource Health Unhealthy Alert",
    "description": "Policy to Deploy Resource Health Unhealthy Alert",
    "metadata": {
      "version": "1.0.3",
      "category": "Monitoring",
      "source": "https://github.com/Azure/azure-monitor-baseline-alerts/",
      "alzCloudEnvironments": [
        "AzureCloud"
      ],
      "_deployed_by_amba": "True"
    },
    "parameters": {
      "enabled": {
        "type": "String",
        "metadata": {
          "displayName": "Alert State",
          "description": "Alert state for the alert"
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "true"
      },
      "alertResourceGroupName": {
        "type": "String",
        "metadata": {
          "displayName": "Resource Group Name",
          "description": "Resource group the alert is placed in"
        },
        "defaultValue": "rg-amba-monitoring-001"
      },
      "alertResourceGroupTags": {
        "type": "Object",
        "metadata": {
          "displayName": "Resource Group Tags",
          "description": "Tags on the Resource group the alert is placed in"
        },
        "defaultValue": {
          "_deployed_by_amba": true
        }
      },
      "alertResourceGroupLocation": {
        "type": "String",
        "metadata": {
          "displayName": "Resource Group Location",
          "description": "Location of the Resource group the alert is placed in"
        },
        "defaultValue": "centralus"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Effect of the policy"
        },
        "allowedValues": [
          "deployIfNotExists",
          "disabled"
        ],
        "defaultValue": "disabled"
      },
      "MonitorDisable": {
        "type": "String",
        "metadata": {
          "displayName": "Monitoring disabled",
          "description": "Tag name to disable monitoring. Set to true if monitoring should be disabled"
        },
        "defaultValue": "MonitorDisable"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions"
          },
          {
            "field": "[[concat('tags[', parameters('MonitorDisable'), ']')]",
            "notEquals": "true"
          }
        ]
      },
      "then": {
        "effect": "[[parameters('effect')]",
        "details": {
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.Insights/activityLogAlerts",
          "existenceScope": "resourcegroup",
          "resourceGroupName": "[[parameters('alertResourceGroupName')]",
          "deploymentScope": "subscription",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/ActivityLogAlerts/enabled",
                "equals": "[[parameters('enabled')]"
              },
              {
                "field": "Microsoft.Insights/ActivityLogAlerts/actions.actionGroups[*].actionGroupId",
                "contains": "ag-AMBA-SH-"
              },
              {
                "count": {
                  "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]",
                  "where": {
                    "anyOf": [
                      {
                        "allOf": [
                          {
                            "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
                            "equals": "category"
                          },
                          {
                            "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals",
                            "equals": "ResourceHealth"
                          }
                        ]
                      }
                    ]
                  }
                },
                "equals": 1
              }
            ]
          },
          "deployment": {
            "location": "northeurope",
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "alertResourceGroupName": {
                    "type": "string"
                  },
                  "alertResourceGroupTags": {
                    "type": "object"
                  },
                  "alertResourceGroupLocation": {
                    "type": "string"
                  },
                  "enabled": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Resources/resourceGroups",
                    "apiVersion": "2021-04-01",
                    "name": "[[parameters('alertResourceGroupName')]",
                    "location": "[[parameters('alertResourceGroupLocation')]",
                    "tags": "[[parameters('alertResourceGroupTags')]"
                  },
                  {
                    "type": "Microsoft.Resources/deployments",
                    "apiVersion": "2019-10-01",
                    "name": "ResourceHealtAlert",
                    "resourceGroup": "[[parameters('alertResourceGroupName')]",
                    "dependsOn": [
                      "[[resourceId('Microsoft.Resources/resourceGroups', parameters('alertResourceGroupName'))]"
                    ],
                    "properties": {
                      "mode": "Incremental",
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                          "enabled": {
                            "type": "string"
                          },
                          "alertResourceGroupName": {
                            "type": "string"
                          }
                        },
                        "variables": {},
                        "resources": [
                          {
                            "type": "microsoft.insights/activityLogAlerts",
                            "apiVersion": "2020-10-01",
                            "name": "ResourceHealthUnhealthyAlert",
                            "location": "global",
                            "tags": {
                              "_deployed_by_amba": true
                            },
                            "properties": {
                              "actions": {
                                "actionGroups": [
                                  {
                                    "actionGroupId": "[[concat(subscription().Id, '/resourceGroups/', parameters('alertResourceGroupName'), '/providers/microsoft.insights/actionGroups/', 'ag-AMBA-SH-', subscription().displayName, '-001')]",
                                    "webhookProperties": {}
                                  }
                                ]
                              },
                              "description": "Resource Health Unhealthy Alert",
                              "enabled": "[[parameters('enabled')]",
                              "scopes": [
                                "[[subscription().id]"
                              ],
                              "condition": {
                                "allOf": [
                                  {
                                    "field": "category",
                                    "equals": "ResourceHealth"
                                  },
                                  {
                                    "anyOf": [
                                      {
                                        "field": "properties.cause",
                                        "equals": "PlatformInitiated"
                                      },
                                      {
                                        "field": "properties.cause",
                                        "equals": "UserInitiated"
                                      }
                                    ]
                                  },
                                  {
                                    "anyOf": [
                                      {
                                        "field": "properties.currentHealthStatus",
                                        "equals": "Degraded"
                                      },
                                      {
                                        "field": "properties.currentHealthStatus",
                                        "equals": "Unavailable"
                                      }
                                    ]
                                  }
                                ]
                              },
                              "parameters": {
                                "enabled": {
                                  "value": "[[parameters('enabled')]"
                                }
                              }
                            }
                          }
                        ]
                      },
                      "parameters": {
                        "enabled": {
                          "value": "[[parameters('enabled')]"
                        },
                        "alertResourceGroupName": {
                          "value": "[[parameters('alertResourceGroupName')]"
                        }
                      }
                    }
                  }
                ]
              },
              "parameters": {
                "enabled": {
                  "value": "[[parameters('enabled')]"
                },
                "alertResourceGroupName": {
                  "value": "[[parameters('alertResourceGroupName')]"
                },
                "alertResourceGroupTags": {
                  "value": "[[parameters('alertResourceGroupTags')]"
                },
                "alertResourceGroupLocation": {
                  "value": "[[parameters('alertResourceGroupLocation')]"
                }
              }
            }
          }
        }
      }
    }
  }
}



Service Health Advisory - ActivityLog Alert

Service Health Advisory Alert

Recommended Properties:

categoryServiceHealth
incidentTypeActionRequired

References:

Templates:

Click a tab to view the template

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "activityLogAlertName": {
      "type": "string",
      "metadata": {
        "description": "Unique name (within the Resource Group) for the Activity log alert."
      }
    },
    "alertDescription": {
      "type": "string",
      "defaultValue": "Service Health Advisory Alert",
      "metadata": {
        "description": "Description of alert"
      }
    },
    "activityLogAlertEnabled": {
      "type": "bool",
      "defaultValue": true,
      "metadata": {
        "description": "Indicates whether or not the alert is enabled."
      }
    },
    "actionGroupResourceId": {
      "type": "string",
      "metadata": {
        "description": "Resource Id for the Action group."
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Insights/activityLogAlerts",
      "apiVersion": "2017-04-01",
      "name": "[parameters('activityLogAlertName')]",
      "location": "Global",
      "tags": {
        "_deployed_by_amba": true
      },
      "properties": {
        "description": "[parameters('alertDescription')]",
        "scopes": [
            "[subscription().id]"
        ],
        "enabled": "[parameters('activityLogAlertEnabled')]",
        "condition": {
          "allOf": [
            {
              "field": "category",
              "equals": "ServiceHealth"
            },
            {
              "field": "properties.incidentType",
              "equals": "ActionRequired"
            }
          ]
        },
        "actions": {
          "actionGroups":
          [
            {
              "actionGroupId": "[parameters('actionGroupResourceId')]"
            }
          ]
        }
      }
    }
  ]
}
@description('Unique name (within the Resource Group) for the Activity log alert.')
@minLength(1)
param activityLogAlertName string

@description('Description of alert')
param alertDescription string = 'Service Health Advisory Alert'

@description('Indicates whether or not the alert is enabled.')
param activityLogAlertEnabled bool = true

@description('The ID of the action group that is triggered when the alert is activated or deactivated')
param actionGroupId string = ''

resource symbolicname 'Microsoft.Insights/activityLogAlerts@2023-01-01-preview' = {
  name: activityLogAlertName
  location: 'Global'
  tags: {
    '_deployed_by_amba': true
  }
  properties: {
    description: alertDescription
    scopes: [
      subscription().id
    ]
    enabled: bool
    condition: {
      allOf: [
        {
          {
            field: 'category'
            equals: 'ServiceHealth'
          }
          {
            field: 'properties.incidentType'
            equals: 'ActionRequired'
          }
        }
      ]
    }
    actions: {
      actionGroups: [
        {
          actionGroupId: actionGroupId
        }
      ]
    }
  }
}
NameDeploy Service Health Advisory Alert
TemplateDeploy-ActivityLog-ServiceHealth-Health.json (Download)
Tagsalz
PropertiesalertName: ServiceHealthAdvisoryEvent
documented: true
policyScope: managementGroup
scope: Subscription
{
  "type": "Microsoft.Authorization/policyDefinitions",
  "apiVersion": "2021-06-01",
  "name": "Deploy_activitylog_ServiceHealth_HealthAdvisory",
  "properties": {
    "policyType": "Custom",
    "mode": "All",
    "displayName": "Deploy Service Health Advisory Alert",
    "description": "Policy to Deploy Service Health Advisory Alert",
    "metadata": {
      "version": "1.1.2",
      "category": "Monitoring",
      "source": "https://github.com/Azure/azure-monitor-baseline-alerts/",
      "alzCloudEnvironments": [
        "AzureCloud"
      ],
      "_deployed_by_amba": "True"
    },
    "parameters": {
      "enabled": {
        "type": "String",
        "metadata": {
          "displayName": "Alert State",
          "description": "Alert state for the alert"
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "true"
      },
      "alertResourceGroupName": {
        "type": "String",
        "metadata": {
          "displayName": "Resource Group Name",
          "description": "Resource group the alert is placed in"
        },
        "defaultValue": "rg-amba-monitoring-001"
      },
      "alertResourceGroupTags": {
        "type": "Object",
        "metadata": {
          "displayName": "Resource Group Tags",
          "description": "Tags on the Resource group the alert is placed in"
        },
        "defaultValue": {
          "_deployed_by_amba": true
        }
      },
      "alertResourceGroupLocation": {
        "type": "String",
        "metadata": {
          "displayName": "Resource Group Location",
          "description": "Location of the Resource group the alert is placed in"
        },
        "defaultValue": "centralus"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Effect of the policy"
        },
        "allowedValues": [
          "deployIfNotExists",
          "disabled"
        ],
        "defaultValue": "disabled"
      },
      "MonitorDisable": {
        "type": "String",
        "metadata": {
          "displayName": "Monitoring disabled",
          "description": "Tag name to disable monitoring. Set to true if monitoring should be disabled"
        },
        "defaultValue": "MonitorDisable"
      },
      "ALZMonitorActionGroupEmail": {
        "type": "String",
        "metadata": {
          "displayName": "Action Group Email Addresses",
          "description": "Email addresses to send alerts to"
        },
        "defaultValue": "action@mail.com"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions"
          },
          {
            "field": "[[concat('tags[', parameters('MonitorDisable'), ']')]",
            "notEquals": "true"
          }
        ]
      },
      "then": {
        "effect": "[[parameters('effect')]",
        "details": {
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.Insights/activityLogAlerts",
          "existenceScope": "resourceGroup",
          "resourceGroupName": "[[parameters('alertResourceGroupName')]",
          "deploymentScope": "subscription",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/ActivityLogAlerts/enabled",
                "equals": "[[parameters('enabled')]"
              },
              {
                "field": "Microsoft.Insights/ActivityLogAlerts/actions.actionGroups[*].actionGroupId",
                "contains": "ag-AMBA-SH-"
              },
              {
                "count": {
                  "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]",
                  "where": {
                    "anyOf": [
                      {
                        "allOf": [
                          {
                            "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
                            "equals": "category"
                          },
                          {
                            "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals",
                            "equals": "ServiceHealth"
                          }
                        ]
                      },
                      {
                        "allOf": [
                          {
                            "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
                            "equals": "properties.incidentType"
                          },
                          {
                            "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals",
                            "equals": "ActionRequired"
                          }
                        ]
                      }
                    ]
                  }
                },
                "equals": 2
              }
            ]
          },
          "deployment": {
            "location": "northeurope",
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "alertResourceGroupName": {
                    "type": "string"
                  },
                  "alertResourceGroupTags": {
                    "type": "object"
                  },
                  "alertResourceGroupLocation": {
                    "type": "string"
                  },
                  "enabled": {
                    "type": "string"
                  },
                  "ALZMonitorActionGroupEmail": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Resources/resourceGroups",
                    "apiVersion": "2021-04-01",
                    "name": "[[parameters('alertResourceGroupName')]",
                    "location": "[[parameters('alertResourceGroupLocation')]",
                    "tags": "[[parameters('alertResourceGroupTags')]"
                  },
                  {
                    "type": "Microsoft.Resources/deployments",
                    "apiVersion": "2019-10-01",
                    "name": "ServiceHealthHealth",
                    "resourceGroup": "[[parameters('alertResourceGroupName')]",
                    "dependsOn": [
                      "[[resourceId('Microsoft.Resources/resourceGroups', parameters('alertResourceGroupName'))]"
                    ],
                    "properties": {
                      "mode": "Incremental",
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                          "enabled": {
                            "type": "string"
                          },
                          "alertResourceGroupName": {
                            "type": "string"
                          },
                          "ALZMonitorActionGroupEmail": {
                            "type": "string"
                          }
                        },
                        "variables": {},
                        "resources": [
                          {
                            "type": "microsoft.insights/activityLogAlerts",
                            "apiVersion": "2020-10-01",
                            "name": "ServiceHealthAdvisoryEvent",
                            "location": "Global",
                            "tags": {
                              "_deployed_by_amba": true
                            },
                            "properties": {
                              "actions": {
                                "actionGroups": [
                                  {
                                    "actionGroupId": "[[concat(subscription().Id, '/resourceGroups/', parameters('alertResourceGroupName'), '/providers/microsoft.insights/actionGroups/', 'ag-AMBA-SH-', subscription().displayName, '-001')]"
                                  }
                                ]
                              },
                              "description": "Service Health Advisory Alert",
                              "enabled": "[[parameters('enabled')]",
                              "scopes": [
                                "[[subscription().id]"
                              ],
                              "condition": {
                                "allOf": [
                                  {
                                    "field": "category",
                                    "equals": "ServiceHealth"
                                  },
                                  {
                                    "field": "properties.incidentType",
                                    "equals": "ActionRequired"
                                  }
                                ]
                              },
                              "parameters": {
                                "enabled": {
                                  "value": "[[parameters('enabled')]"
                                }
                              }
                            }
                          }
                        ]
                      },
                      "parameters": {
                        "enabled": {
                          "value": "[[parameters('enabled')]"
                        },
                        "alertResourceGroupName": {
                          "value": "[[parameters('alertResourceGroupName')]"
                        },
                        "ALZMonitorActionGroupEmail": {
                          "value": "[[parameters('ALZMonitorActionGroupEmail')]"
                        }
                      }
                    }
                  }
                ]
              },
              "parameters": {
                "enabled": {
                  "value": "[[parameters('enabled')]"
                },
                "alertResourceGroupName": {
                  "value": "[[parameters('alertResourceGroupName')]"
                },
                "alertResourceGroupTags": {
                  "value": "[[parameters('alertResourceGroupTags')]"
                },
                "alertResourceGroupLocation": {
                  "value": "[[parameters('alertResourceGroupLocation')]"
                },
                "ALZMonitorActionGroupEmail": {
                  "value": "[[parameters('ALZMonitorActionGroupEmail')]"
                }
              }
            }
          }
        }
      }
    }
  }
}



Service Health Incident - ActivityLog Alert

Service Health Incident Alert

Recommended Properties:

categoryServiceHealth
incidentTypeIncident

References:

Templates:

Click a tab to view the template

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "activityLogAlertName": {
      "type": "string",
      "metadata": {
        "description": "Unique name (within the Resource Group) for the Activity log alert."
      }
    },
    "alertDescription": {
      "type": "string",
      "defaultValue": "Service Health Incident Alert",
      "metadata": {
        "description": "Description of alert"
      }
    },
    "activityLogAlertEnabled": {
      "type": "bool",
      "defaultValue": true,
      "metadata": {
        "description": "Indicates whether or not the alert is enabled."
      }
    },
    "actionGroupResourceId": {
      "type": "string",
      "metadata": {
        "description": "Resource Id for the Action group."
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Insights/activityLogAlerts",
      "apiVersion": "2017-04-01",
      "name": "[parameters('activityLogAlertName')]",
      "location": "Global",
      "tags": {
        "_deployed_by_amba": true
      },
      "properties": {
        "description": "[parameters('alertDescription')]",
        "scopes": [
            "[subscription().id]"
        ],
        "enabled": "[parameters('activityLogAlertEnabled')]",
        "condition": {
          "allOf": [
            {
              "field": "category",
              "equals": "ServiceHealth"
            },
            {
              "field": "properties.incidentType",
              "equals": "Incident"
            }
          ]
        },
        "actions": {
          "actionGroups":
          [
            {
              "actionGroupId": "[parameters('actionGroupResourceId')]"
            }
          ]
        }
      }
    }
  ]
}
@description('Unique name (within the Resource Group) for the Activity log alert.')
@minLength(1)
param activityLogAlertName string

@description('Description of alert')
param alertDescription string = 'Service Health Incident Alert'

@description('Indicates whether or not the alert is enabled.')
param activityLogAlertEnabled bool = true

@description('The ID of the action group that is triggered when the alert is activated or deactivated')
param actionGroupId string = ''

resource symbolicname 'Microsoft.Insights/activityLogAlerts@2023-01-01-preview' = {
  name: activityLogAlertName
  location: 'Global'
  tags: {
    '_deployed_by_amba': true
  }
  properties: {
    description: alertDescription
    scopes: [
      subscription().id
    ]
    enabled: bool
    condition: {
      allOf: [
        {
          {
            field: 'category'
            equals: 'ServiceHealth'
          }
          {
            field: 'properties.incidentType'
            equals: 'Incident'
          }
        }
      ]
    }
    actions: {
      actionGroups: [
        {
          actionGroupId: actionGroupId
        }
      ]
    }
  }
}
NameDeploy Service Health Incident Alert
TemplateDeploy-ActivityLog-ServiceHealth-Incident.json (Download)
Tagsalz
PropertiesalertName: ServiceHealthIncident
documented: true
policyScope: managementGroup
scope: Subscription
{
  "type": "Microsoft.Authorization/policyDefinitions",
  "apiVersion": "2021-06-01",
  "name": "Deploy_activitylog_ServiceHealth_Incident",
  "properties": {
    "policyType": "Custom",
    "mode": "All",
    "displayName": "Deploy Service Health Incident Alert",
    "description": "Policy to Deploy Service Health Incident Alert",
    "metadata": {
      "version": "1.1.3",
      "category": "Monitoring",
      "source": "https://github.com/Azure/azure-monitor-baseline-alerts/",
      "alzCloudEnvironments": [
        "AzureCloud"
      ],
      "_deployed_by_amba": "True"
    },
    "parameters": {
      "enabled": {
        "type": "String",
        "metadata": {
          "displayName": "Alert State",
          "description": "Alert state for the alert"
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "true"
      },
      "alertResourceGroupName": {
        "type": "String",
        "metadata": {
          "displayName": "Resource Group Name",
          "description": "Resource group the alert is placed in"
        },
        "defaultValue": "rg-amba-monitoring-001"
      },
      "alertResourceGroupTags": {
        "type": "Object",
        "metadata": {
          "displayName": "Resource Group Tags",
          "description": "Tags on the Resource group the alert is placed in"
        },
        "defaultValue": {
          "_deployed_by_amba": true
        }
      },
      "alertResourceGroupLocation": {
        "type": "String",
        "metadata": {
          "displayName": "Resource Group Location",
          "description": "Location of the Resource group the alert is placed in"
        },
        "defaultValue": "centralus"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Effect of the policy"
        },
        "allowedValues": [
          "deployIfNotExists",
          "disabled"
        ],
        "defaultValue": "disabled"
      },
      "MonitorDisable": {
        "type": "String",
        "metadata": {
          "displayName": "Monitoring disabled",
          "description": "Tag name to disable monitoring. Set to true if monitoring should be disabled"
        },
        "defaultValue": "MonitorDisable"
      },
      "ALZMonitorActionGroupEmail": {
        "type": "String",
        "metadata": {
          "displayName": "Action Group Email Addresses",
          "description": "Email addresses to send alerts to"
        },
        "defaultValue": "action@mail.com"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions"
          },
          {
            "field": "[[concat('tags[', parameters('MonitorDisable'), ']')]",
            "notEquals": "true"
          }
        ]
      },
      "then": {
        "effect": "[[parameters('effect')]",
        "details": {
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.Insights/activityLogAlerts",
          "existenceScope": "resourcegroup",
          "resourceGroupName": "[[parameters('alertResourceGroupName')]",
          "deploymentScope": "subscription",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/ActivityLogAlerts/enabled",
                "equals": "[[parameters('enabled')]"
              },
              {
                "field": "Microsoft.Insights/ActivityLogAlerts/actions.actionGroups[*].actionGroupId",
                "contains": "ag-AMBA-SH-"
              },
              {
                "count": {
                  "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]",
                  "where": {
                    "anyOf": [
                      {
                        "allOf": [
                          {
                            "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
                            "equals": "category"
                          },
                          {
                            "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals",
                            "equals": "ServiceHealth"
                          }
                        ]
                      },
                      {
                        "allOf": [
                          {
                            "field": "microsoft.insights/activityLogAlerts/condition.allOf[*].field",
                            "equals": "properties.incidentType"
                          },
                          {
                            "field": "microsoft.insights/activityLogAlerts/condition.allOf[*].equals",
                            "equals": "Incident"
                          }
                        ]
                      }
                    ]
                  }
                },
                "equals": 2
              }
            ]
          },
          "deployment": {
            "location": "northeurope",
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "alertResourceGroupName": {
                    "type": "string"
                  },
                  "alertResourceGroupTags": {
                    "type": "object"
                  },
                  "alertResourceGroupLocation": {
                    "type": "string"
                  },
                  "enabled": {
                    "type": "string"
                  },
                  "ALZMonitorActionGroupEmail": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Resources/resourceGroups",
                    "apiVersion": "2021-04-01",
                    "name": "[[parameters('alertResourceGroupName')]",
                    "location": "[[parameters('alertResourceGroupLocation')]",
                    "tags": "[[parameters('alertResourceGroupTags')]"
                  },
                  {
                    "type": "Microsoft.Resources/deployments",
                    "apiVersion": "2019-10-01",
                    "name": "ServiceHealthIncident",
                    "resourceGroup": "[[parameters('alertResourceGroupName')]",
                    "dependsOn": [
                      "[[resourceId('Microsoft.Resources/resourceGroups', parameters('alertResourceGroupName'))]"
                    ],
                    "properties": {
                      "mode": "Incremental",
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                          "enabled": {
                            "type": "string"
                          },
                          "alertResourceGroupName": {
                            "type": "string"
                          },
                          "ALZMonitorActionGroupEmail": {
                            "type": "string"
                          }
                        },
                        "variables": {},
                        "resources": [
                          {
                            "type": "microsoft.insights/activityLogAlerts",
                            "apiVersion": "2020-10-01",
                            "name": "ServiceHealthIncident",
                            "location": "global",
                            "tags": {
                              "_deployed_by_amba": true
                            },
                            "properties": {
                              "actions": {
                                "actionGroups": [
                                  {
                                    "actionGroupId": "[[concat(subscription().Id, '/resourceGroups/', parameters('alertResourceGroupName'), '/providers/microsoft.insights/actionGroups/', 'ag-AMBA-SH-', subscription().displayName, '-001')]"
                                  }
                                ]
                              },
                              "description": "ServiceHealthIncidentAlert",
                              "enabled": "[[parameters('enabled')]",
                              "scopes": [
                                "[[subscription().id]"
                              ],
                              "condition": {
                                "allOf": [
                                  {
                                    "field": "category",
                                    "equals": "ServiceHealth"
                                  },
                                  {
                                    "field": "properties.incidentType",
                                    "equals": "Incident"
                                  }
                                ]
                              },
                              "parameters": {
                                "enabled": {
                                  "value": "[[parameters('enabled')]"
                                }
                              }
                            }
                          }
                        ]
                      },
                      "parameters": {
                        "enabled": {
                          "value": "[[parameters('enabled')]"
                        },
                        "alertResourceGroupName": {
                          "value": "[[parameters('alertResourceGroupName')]"
                        },
                        "ALZMonitorActionGroupEmail": {
                          "value": "[[parameters('ALZMonitorActionGroupEmail')]"
                        }
                      }
                    }
                  }
                ]
              },
              "parameters": {
                "enabled": {
                  "value": "[[parameters('enabled')]"
                },
                "alertResourceGroupName": {
                  "value": "[[parameters('alertResourceGroupName')]"
                },
                "alertResourceGroupTags": {
                  "value": "[[parameters('alertResourceGroupTags')]"
                },
                "alertResourceGroupLocation": {
                  "value": "[[parameters('alertResourceGroupLocation')]"
                },
                "ALZMonitorActionGroupEmail": {
                  "value": "[[parameters('ALZMonitorActionGroupEmail')]"
                }
              }
            }
          }
        }
      }
    }
  }
}



Service Health Maintenance - ActivityLog Alert

Service Health Maintenance Alert

Recommended Properties:

categoryServiceHealth
incidentTypeMaintenance

References:

Templates:

Click a tab to view the template

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "activityLogAlertName": {
      "type": "string",
      "metadata": {
        "description": "Unique name (within the Resource Group) for the Activity log alert."
      }
    },
    "alertDescription": {
      "type": "string",
      "defaultValue": "Service Health Maintenance Alert",
      "metadata": {
        "description": "Description of alert"
      }
    },
    "activityLogAlertEnabled": {
      "type": "bool",
      "defaultValue": true,
      "metadata": {
        "description": "Indicates whether or not the alert is enabled."
      }
    },
    "actionGroupResourceId": {
      "type": "string",
      "metadata": {
        "description": "Resource Id for the Action group."
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Insights/activityLogAlerts",
      "apiVersion": "2017-04-01",
      "name": "[parameters('activityLogAlertName')]",
      "location": "Global",
      "tags": {
        "_deployed_by_amba": true
      },
      "properties": {
        "description": "[parameters('alertDescription')]",
        "scopes": [
            "[subscription().id]"
        ],
        "enabled": "[parameters('activityLogAlertEnabled')]",
        "condition": {
          "allOf": [
            {
              "field": "category",
              "equals": "ServiceHealth"
            },
            {
              "field": "properties.incidentType",
              "equals": "Maintenance"
            }
          ]
        },
        "actions": {
          "actionGroups":
          [
            {
              "actionGroupId": "[parameters('actionGroupResourceId')]"
            }
          ]
        }
      }
    }
  ]
}
@description('Unique name (within the Resource Group) for the Activity log alert.')
@minLength(1)
param activityLogAlertName string

@description('Description of alert')
param alertDescription string = 'Service Health Maintenance Alert'

@description('Indicates whether or not the alert is enabled.')
param activityLogAlertEnabled bool = true

@description('The ID of the action group that is triggered when the alert is activated or deactivated')
param actionGroupId string = ''

resource symbolicname 'Microsoft.Insights/activityLogAlerts@2023-01-01-preview' = {
  name: activityLogAlertName
  location: 'Global'
  tags: {
    '_deployed_by_amba': true
  }
  properties: {
    description: alertDescription
    scopes: [
      subscription().id
    ]
    enabled: bool
    condition: {
      allOf: [
        {
          {
            field: 'category'
            equals: 'ServiceHealth'
          }
          {
            field: 'properties.incidentType'
            equals: 'Maintenance'
          }
        }
      ]
    }
    actions: {
      actionGroups: [
        {
          actionGroupId: actionGroupId
        }
      ]
    }
  }
}
NameDeploy Service Health Maintenance Alert
TemplateDeploy-ActivityLog-ServiceHealth-Maintenance.json (Download)
Tagsalz
PropertiesalertName: ServiceHealthPlannedMaintenance
documented: true
policyScope: managementGroup
scope: Subscription
{
  "type": "Microsoft.Authorization/policyDefinitions",
  "apiVersion": "2021-06-01",
  "name": "Deploy_activitylog_ServiceHealth_Maintenance",
  "properties": {
    "policyType": "Custom",
    "mode": "All",
    "displayName": "Deploy Service Health Maintenance Alert",
    "description": "Policy to Deploy Service Health Maintenance Alert",
    "metadata": {
      "version": "1.1.2",
      "category": "Monitoring",
      "source": "https://github.com/Azure/azure-monitor-baseline-alerts/",
      "alzCloudEnvironments": [
        "AzureCloud"
      ],
      "_deployed_by_amba": "True"
    },
    "parameters": {
      "enabled": {
        "type": "String",
        "metadata": {
          "displayName": "Alert State",
          "description": "Alert state for the alert"
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "true"
      },
      "alertResourceGroupName": {
        "type": "String",
        "metadata": {
          "displayName": "Resource Group Name",
          "description": "Resource group the alert is placed in"
        },
        "defaultValue": "rg-amba-monitoring-001"
      },
      "alertResourceGroupTags": {
        "type": "Object",
        "metadata": {
          "displayName": "Resource Group Tags",
          "description": "Tags on the Resource group the alert is placed in"
        },
        "defaultValue": {
          "_deployed_by_amba": true
        }
      },
      "alertResourceGroupLocation": {
        "type": "String",
        "metadata": {
          "displayName": "Resource Group Location",
          "description": "Location of the Resource group the alert is placed in"
        },
        "defaultValue": "centralus"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Effect of the policy"
        },
        "allowedValues": [
          "deployIfNotExists",
          "disabled"
        ],
        "defaultValue": "disabled"
      },
      "MonitorDisable": {
        "type": "String",
        "metadata": {
          "displayName": "Monitoring disabled",
          "description": "Tag name to disable monitoring. Set to true if monitoring should be disabled"
        },
        "defaultValue": "MonitorDisable"
      },
      "ALZMonitorActionGroupEmail": {
        "type": "String",
        "metadata": {
          "displayName": "Action Group Email Addresses",
          "description": "Email addresses to send alerts to"
        },
        "defaultValue": "action@mail.com"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions"
          },
          {
            "field": "[[concat('tags[', parameters('MonitorDisable'), ']')]",
            "notEquals": "true"
          }
        ]
      },
      "then": {
        "effect": "[[parameters('effect')]",
        "details": {
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.Insights/activityLogAlerts",
          "existenceScope": "resourcegroup",
          "resourceGroupName": "[[parameters('alertResourceGroupName')]",
          "deploymentScope": "subscription",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/ActivityLogAlerts/enabled",
                "equals": "[[parameters('enabled')]"
              },
              {
                "field": "Microsoft.Insights/ActivityLogAlerts/actions.actionGroups[*].actionGroupId",
                "contains": "ag-AMBA-SH-"
              },
              {
                "count": {
                  "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]",
                  "where": {
                    "anyOf": [
                      {
                        "allOf": [
                          {
                            "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
                            "equals": "category"
                          },
                          {
                            "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals",
                            "equals": "ServiceHealth"
                          }
                        ]
                      },
                      {
                        "allOf": [
                          {
                            "field": "microsoft.insights/activityLogAlerts/condition.allOf[*].field",
                            "equals": "properties.incidentType"
                          },
                          {
                            "field": "microsoft.insights/activityLogAlerts/condition.allOf[*].equals",
                            "equals": "Maintenance"
                          }
                        ]
                      }
                    ]
                  }
                },
                "equals": 2
              }
            ]
          },
          "deployment": {
            "location": "northeurope",
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "alertResourceGroupName": {
                    "type": "string"
                  },
                  "alertResourceGroupTags": {
                    "type": "object"
                  },
                  "alertResourceGroupLocation": {
                    "type": "string"
                  },
                  "enabled": {
                    "type": "string"
                  },
                  "ALZMonitorActionGroupEmail": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Resources/resourceGroups",
                    "apiVersion": "2021-04-01",
                    "name": "[[parameters('alertResourceGroupName')]",
                    "location": "[[parameters('alertResourceGroupLocation')]",
                    "tags": "[[parameters('alertResourceGroupTags')]"
                  },
                  {
                    "type": "Microsoft.Resources/deployments",
                    "apiVersion": "2019-10-01",
                    "name": "ServiceHealthMaintenance",
                    "resourceGroup": "[[parameters('alertResourceGroupName')]",
                    "dependsOn": [
                      "[[resourceId('Microsoft.Resources/resourceGroups', parameters('alertResourceGroupName'))]"
                    ],
                    "properties": {
                      "mode": "Incremental",
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                          "enabled": {
                            "type": "string"
                          },
                          "alertResourceGroupName": {
                            "type": "string"
                          },
                          "ALZMonitorActionGroupEmail": {
                            "type": "string"
                          }
                        },
                        "variables": {},
                        "resources": [
                          {
                            "type": "microsoft.insights/activityLogAlerts",
                            "apiVersion": "2020-10-01",
                            "name": "ServiceHealthPlannedMaintenance",
                            "location": "global",
                            "tags": {
                              "_deployed_by_amba": true
                            },
                            "properties": {
                              "actions": {
                                "actionGroups": [
                                  {
                                    "actionGroupId": "[[concat(subscription().Id, '/resourceGroups/', parameters('alertResourceGroupName'), '/providers/microsoft.insights/actionGroups/', 'ag-AMBA-SH-', subscription().displayName, '-001')]"
                                  }
                                ]
                              },
                              "description": "ServiceHealthPlannedMaintenance Alert",
                              "enabled": "[[parameters('enabled')]",
                              "scopes": [
                                "[[subscription().id]"
                              ],
                              "condition": {
                                "allOf": [
                                  {
                                    "field": "category",
                                    "equals": "ServiceHealth"
                                  },
                                  {
                                    "field": "properties.incidentType",
                                    "equals": "Maintenance"
                                  }
                                ]
                              },
                              "parameters": {
                                "enabled": {
                                  "value": "[[parameters('enabled')]"
                                }
                              }
                            }
                          }
                        ]
                      },
                      "parameters": {
                        "enabled": {
                          "value": "[[parameters('enabled')]"
                        },
                        "alertResourceGroupName": {
                          "value": "[[parameters('alertResourceGroupName')]"
                        },
                        "ALZMonitorActionGroupEmail": {
                          "value": "[[parameters('ALZMonitorActionGroupEmail')]"
                        }
                      }
                    }
                  }
                ]
              },
              "parameters": {
                "enabled": {
                  "value": "[[parameters('enabled')]"
                },
                "alertResourceGroupName": {
                  "value": "[[parameters('alertResourceGroupName')]"
                },
                "alertResourceGroupTags": {
                  "value": "[[parameters('alertResourceGroupTags')]"
                },
                "alertResourceGroupLocation": {
                  "value": "[[parameters('alertResourceGroupLocation')]"
                },
                "ALZMonitorActionGroupEmail": {
                  "value": "[[parameters('ALZMonitorActionGroupEmail')]"
                }
              }
            }
          }
        }
      }
    }
  }
}



Service Health Security - ActivityLog Alert

Service Health Security Alert

Recommended Properties:

categoryServiceHealth
incidentTypeSecurity

References:

Templates:

Click a tab to view the template

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "activityLogAlertName": {
      "type": "string",
      "metadata": {
        "description": "Unique name (within the Resource Group) for the Activity log alert."
      }
    },
    "alertDescription": {
      "type": "string",
      "defaultValue": "Service Health Security Alert",
      "metadata": {
        "description": "Description of alert"
      }
    },
    "activityLogAlertEnabled": {
      "type": "bool",
      "defaultValue": true,
      "metadata": {
        "description": "Indicates whether or not the alert is enabled."
      }
    },
    "actionGroupResourceId": {
      "type": "string",
      "metadata": {
        "description": "Resource Id for the Action group."
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Insights/activityLogAlerts",
      "apiVersion": "2017-04-01",
      "name": "[parameters('activityLogAlertName')]",
      "location": "Global",
      "tags": {
        "_deployed_by_amba": true
      },
      "properties": {
        "description": "[parameters('alertDescription')]",
        "scopes": [
            "[subscription().id]"
        ],
        "enabled": "[parameters('activityLogAlertEnabled')]",
        "condition": {
          "allOf": [
            {
              "field": "category",
              "equals": "ServiceHealth"
            },
            {
              "field": "properties.incidentType",
              "equals": "Security"
            }
          ]
        },
        "actions": {
          "actionGroups":
          [
            {
              "actionGroupId": "[parameters('actionGroupResourceId')]"
            }
          ]
        }
      }
    }
  ]
}
@description('Unique name (within the Resource Group) for the Activity log alert.')
@minLength(1)
param activityLogAlertName string

@description('Description of alert')
param alertDescription string = 'Service Health Security Alert'

@description('Indicates whether or not the alert is enabled.')
param activityLogAlertEnabled bool = true

@description('The ID of the action group that is triggered when the alert is activated or deactivated')
param actionGroupId string = ''

resource symbolicname 'Microsoft.Insights/activityLogAlerts@2023-01-01-preview' = {
  name: activityLogAlertName
  location: 'Global'
  tags: {
    '_deployed_by_amba': true
  }
  properties: {
    description: alertDescription
    scopes: [
      subscription().id
    ]
    enabled: bool
    condition: {
      allOf: [
        {
          {
            field: 'category'
            equals: 'ServiceHealth'
          }
          {
            field: 'properties.incidentType'
            equals: 'Security'
          }
        }
      ]
    }
    actions: {
      actionGroups: [
        {
          actionGroupId: actionGroupId
        }
      ]
    }
  }
}
NameDeploy Service Health Security Advisory Alert
TemplateDeploy-ActivityLog-ServiceHealth-Security.json (Download)
Tagsalz
PropertiesalertName: ServiceHealthSecurityIncident
documented: true
policyScope: managementGroup
scope: Subscription
{
  "type": "Microsoft.Authorization/policyDefinitions",
  "apiVersion": "2021-06-01",
  "name": "Deploy_activitylog_ServiceHealth_SecurityAdvisory",
  "properties": {
    "policyType": "Custom",
    "mode": "All",
    "displayName": "Deploy Service Health Security Advisory Alert",
    "description": "Policy to Deploy Service Health Security Advisory Alert",
    "metadata": {
      "version": "1.1.2",
      "category": "Monitoring",
      "source": "https://github.com/Azure/azure-monitor-baseline-alerts/",
      "alzCloudEnvironments": [
        "AzureCloud"
      ],
      "_deployed_by_amba": "True"
    },
    "parameters": {
      "enabled": {
        "type": "String",
        "metadata": {
          "displayName": "Alert State",
          "description": "Alert state for the alert"
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "true"
      },
      "alertResourceGroupName": {
        "type": "String",
        "metadata": {
          "displayName": "Resource Group Name",
          "description": "Resource group the alert is placed in"
        },
        "defaultValue": "rg-amba-monitoring-001"
      },
      "alertResourceGroupTags": {
        "type": "Object",
        "metadata": {
          "displayName": "Resource Group Tags",
          "description": "Tags on the Resource group the alert is placed in"
        },
        "defaultValue": {
          "_deployed_by_amba": true
        }
      },
      "alertResourceGroupLocation": {
        "type": "String",
        "metadata": {
          "displayName": "Resource Group Location",
          "description": "Location of the Resource group the alert is placed in"
        },
        "defaultValue": "centralus"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Effect of the policy"
        },
        "allowedValues": [
          "deployIfNotExists",
          "disabled"
        ],
        "defaultValue": "disabled"
      },
      "MonitorDisable": {
        "type": "String",
        "metadata": {
          "displayName": "Monitoring disabled",
          "description": "Tag name to disable monitoring. Set to true if monitoring should be disabled"
        },
        "defaultValue": "MonitorDisable"
      },
      "ALZMonitorActionGroupEmail": {
        "type": "String",
        "metadata": {
          "displayName": "Action Group Email Addresses",
          "description": "Email addresses to send alerts to"
        },
        "defaultValue": "action@mail.com"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions"
          },
          {
            "field": "[[concat('tags[', parameters('MonitorDisable'), ']')]",
            "notEquals": "true"
          }
        ]
      },
      "then": {
        "effect": "[[parameters('effect')]",
        "details": {
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.Insights/activityLogAlerts",
          "existenceScope": "resourcegroup",
          "resourceGroupName": "[[parameters('alertResourceGroupName')]",
          "deploymentScope": "subscription",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/ActivityLogAlerts/enabled",
                "equals": "[[parameters('enabled')]"
              },
              {
                "field": "Microsoft.Insights/ActivityLogAlerts/actions.actionGroups[*].actionGroupId",
                "contains": "ag-AMBA-SH-"
              },
              {
                "count": {
                  "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]",
                  "where": {
                    "anyOf": [
                      {
                        "allOf": [
                          {
                            "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
                            "equals": "category"
                          },
                          {
                            "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals",
                            "equals": "ServiceHealth"
                          }
                        ]
                      },
                      {
                        "allOf": [
                          {
                            "field": "microsoft.insights/activityLogAlerts/condition.allOf[*].field",
                            "equals": "properties.incidentType"
                          },
                          {
                            "field": "microsoft.insights/activityLogAlerts/condition.allOf[*].equals",
                            "equals": "Security"
                          }
                        ]
                      }
                    ]
                  }
                },
                "equals": 2
              }
            ]
          },
          "deployment": {
            "location": "northeurope",
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "alertResourceGroupName": {
                    "type": "string"
                  },
                  "alertResourceGroupTags": {
                    "type": "object"
                  },
                  "alertResourceGroupLocation": {
                    "type": "string"
                  },
                  "enabled": {
                    "type": "string"
                  },
                  "ALZMonitorActionGroupEmail": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Resources/resourceGroups",
                    "apiVersion": "2021-04-01",
                    "name": "[[parameters('alertResourceGroupName')]",
                    "location": "[[parameters('alertResourceGroupLocation')]",
                    "tags": "[[parameters('alertResourceGroupTags')]"
                  },
                  {
                    "type": "Microsoft.Resources/deployments",
                    "apiVersion": "2019-10-01",
                    "name": "ServiceSecurityIncident",
                    "resourceGroup": "[[parameters('alertResourceGroupName')]",
                    "dependsOn": [
                      "[[resourceId('Microsoft.Resources/resourceGroups', parameters('alertResourceGroupName'))]"
                    ],
                    "properties": {
                      "mode": "Incremental",
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                          "enabled": {
                            "type": "string"
                          },
                          "alertResourceGroupName": {
                            "type": "string"
                          },
                          "ALZMonitorActionGroupEmail": {
                            "type": "string"
                          }
                        },
                        "variables": {},
                        "resources": [
                          {
                            "type": "microsoft.insights/activityLogAlerts",
                            "apiVersion": "2020-10-01",
                            "name": "ServiceHealthSecurityIncident",
                            "location": "global",
                            "tags": {
                              "_deployed_by_amba": true
                            },
                            "properties": {
                              "actions": {
                                "actionGroups": [
                                  {
                                    "actionGroupId": "[[concat(subscription().Id, '/resourceGroups/', parameters('alertResourceGroupName'), '/providers/microsoft.insights/actionGroups/', 'ag-AMBA-SH-', subscription().displayName, '-001')]"
                                  }
                                ]
                              },
                              "description": "Service Health Security Alert",
                              "enabled": "[[parameters('enabled')]",
                              "scopes": [
                                "[[subscription().id]"
                              ],
                              "condition": {
                                "allOf": [
                                  {
                                    "field": "category",
                                    "equals": "ServiceHealth"
                                  },
                                  {
                                    "field": "properties.incidentType",
                                    "equals": "Security"
                                  }
                                ]
                              },
                              "parameters": {
                                "enabled": {
                                  "value": "[[parameters('enabled')]"
                                }
                              }
                            }
                          }
                        ]
                      },
                      "parameters": {
                        "enabled": {
                          "value": "[[parameters('enabled')]"
                        },
                        "alertResourceGroupName": {
                          "value": "[[parameters('alertResourceGroupName')]"
                        },
                        "ALZMonitorActionGroupEmail": {
                          "value": "[[parameters('ALZMonitorActionGroupEmail')]"
                        }
                      }
                    }
                  }
                ]
              },
              "parameters": {
                "enabled": {
                  "value": "[[parameters('enabled')]"
                },
                "alertResourceGroupName": {
                  "value": "[[parameters('alertResourceGroupName')]"
                },
                "alertResourceGroupTags": {
                  "value": "[[parameters('alertResourceGroupTags')]"
                },
                "alertResourceGroupLocation": {
                  "value": "[[parameters('alertResourceGroupLocation')]"
                },
                "ALZMonitorActionGroupEmail": {
                  "value": "[[parameters('ALZMonitorActionGroupEmail')]"
                }
              }
            }
          }
        }
      }
    }
  }
}