Merge pull request #224680 from AbbyMSFT/alert-schema

Add alert context fields to common schema and move samples

Author: v-dirichards

.openpublishing.redirection.azure-monitor.json

@@ -3863,12 +3863,12 @@
             "redirect_document_id": false
         },
         {
-            "source_path_from_root": "/articles/azure-monitor/platform/alerts-common-schema-definitions.md",
+            "source_path_from_root": "/articles/azure-monitor/platform/alerts-common-schema.md",
             "redirect_url": "/azure/azure-monitor/alerts/alerts-common-schema",
             "redirect_document_id": false
         },
         {
-            "source_path_from_root": "/articles/azure-monitor/platform/alerts-common-schema.md",
+            "source_path_from_root": "/articles/azure-monitor/platform/alerts-common-schema-definitions.md",
             "redirect_url": "/azure/azure-monitor/alerts/alerts-common-schema",
             "redirect_document_id": false
         },
@@ -3877,6 +3877,11 @@
             "redirect_url": "/azure/azure-monitor/alerts/alerts-common-schema",
             "redirect_document_id": false
         },
+        {
+            "source_path_from_root": "/articles/azure-monitor/alerts/alerts-common-schema-test-action-definitions.md",
+            "redirect_url": "/azure/azure-monitor/alerts/alerts-payload-samples",
+            "redirect_document_id": false
+        },
         {
             "source_path_from_root": "/articles/azure-monitor/platform/alerts-common-schema-integrations.md",
             "redirect_url": "/azure/azure-monitor/alerts/alerts-common-schema-integrations",

articles/active-directory/app-proxy/application-proxy-configure-complex-application.md

@@ -69,13 +69,13 @@ To publish complex distributed app through Application Proxy with application se
 
 3. On the Manage and configure application segments page, select "+ Add app segment"
 
-    :::image type="content" source="./media/application-proxy-configure-complex-application/add-application-segment-1.png" alt-text="Screenshot pf Manage and configure application segment blade.":::
+    :::image type="content" source="./media/application-proxy-configure-complex-application/add-application-segment-1.png" alt-text="Screenshot of Manage and configure application segment blade.":::
 
 4. In the Internal Url field, enter the internal URL for your app.
 
 5. In the External Url field, drop down the list and select the custom domain you want to use.
 
-6. Add CORS Rules (optional).  For more information see [Configuring CORS Rule](https://learn.microsoft.com/graph/api/resources/corsconfiguration_v2?view=graph-rest-beta)
+6. Add CORS Rules (optional).  For more information see [Configuring CORS Rule](/graph/api/resources/corsconfiguration_v2?view=graph-rest-beta).
 
 7. Select Create.
 

articles/azure-monitor/alerts/action-groups.md

@@ -125,7 +125,7 @@ When you create or update an action group in the Azure portal, you can test the
 
 1. On the page that lists the information you entered, select **Test action group**.
 
-   :::image type="content" source="./media/action-groups/test-action-group.png" alt-text="Screenshot that shows the test action group start page with the Test option.":::
+   :::image type="content" source="./media/action-groups/test-action-group.png" alt-text="Screenshot that shows the test action group page with the Test option.":::
 
 1. Select a sample type and the notification and action types that you want to test. Then select **Test**.
 
@@ -161,7 +161,7 @@ The following table describes the role membership requirements that are needed f
 >
 > When you configure an action group in the portal, you can opt in or out of the common alert schema:
 >
-> - To find common schema samples for all sample types, see [Common alert schema definitions for Test Action Group](./alerts-common-schema-test-action-definitions.md).
+> - To find common schema samples for all sample types, see [Alert payload samples](./alerts-payload-samples.md).
 > - To find non-common schema alert definitions, see [Non-common alert schema definitions for Test Action Group](./alerts-non-common-schema-definitions.md).
 
 ## Create an action group with a Resource Manager template
@@ -479,7 +479,7 @@ If you use the webhook action, your target webhook endpoint must be able to proc
    1. Copy the `$myApp.ObjectId` value that's in the script.
    1. In the webhook action definition, in the **Object Id** box, enter the value that you copied.
 
-   :::image type="content" source="./media/action-groups/action-groups-secure-webhook.png" alt-text="Screenshot that shows the Secured Webhook dialog in the Azure portal with the Object Id box." border="true":::
+   :::image type="content" source="./media/action-groups/action-groups-secure-webhook.png" alt-text="Screenshot that shows the Secured Webhook dialog in the Azure portal with the Object ID box." border="true":::
 
 #### Secure webhook PowerShell script
 

articles/azure-monitor/alerts/activity-log-alerts-webhook.md

@@ -14,7 +14,7 @@ For more information on activity log alerts, see how to [create Azure activity l
 For information on action groups, see how to [create action groups](./action-groups.md).
 
 > [!NOTE]
-> You can also use the [common alert schema](./alerts-common-schema.md) for your webhook integrations. It provides the advantage of having a single extensible and unified alert payload across all the alert services in Azure Monitor. [Learn about the common alert schema definitions](./alerts-common-schema-definitions.md)​.
+> You can also use the [common alert schema](./alerts-common-schema.md) for your webhook integrations. It provides the advantage of having a single extensible and unified alert payload across all the alert services in Azure Monitor. [Learn about the common alert schema](./alerts-common-schema.md)​.
 
 ## Authenticate the webhook
 
@@ -272,7 +272,7 @@ For specific schema details on service health notification activity log alerts,
 | resourceProviderName |The resource provider of the affected resource. |
 | conditionType |Always `Event`. |
 | name |Name of the alert rule. |
-| id |Resource ID of the alert. |
+| ID |Resource ID of the alert. |
 | description |Alert description set when the alert is created. |
 | subscriptionId |Azure subscription ID. |
 | timestamp |Time at which the event was generated by the Azure service that processed the request. |

articles/azure-monitor/alerts/alerts-common-schema.md

@@ -2,15 +2,15 @@
 title: Common alert schema for Azure Monitor alerts
 description: Understand the common alert schema, why you should use it, and how to enable it.
 ms.topic: conceptual
-ms.date: 12/22/2022
+ms.date: 02/16/2023
 ms.reviewer: ofmanor
 author: AbbyMSFT
 ms.author: abbyweisberg
 ---
 
 # Common alert schema
 
-The common alert schema standardizes the consumption experience for alert notifications in Azure. Historically, activity log, metric, and log alerts each had their own email templates and webhook schemas. The common alert schema provides one standardized schema for all alert notifications. 
+The common alert schema standardizes the consumption of Azure Monitor alert notifications. Historically, activity log, metric, and log alerts each had their own email templates and webhook schemas. The common alert schema provides one standardized schema for all alert notifications. 
 
 A standardized schema can help you minimize the number of integrations, which simplifies the process of managing and maintaining your integrations.
 
@@ -21,7 +21,7 @@ The common alert schema provides a consistent structure for:
     - Azure Functions
     - Azure Automation runbook
 
-The new schema enables a richer alert consumption experience across both the Azure portal and the Azure mobile app.
+The new schema enables a richer alert consumption experience in both the Azure portal and the Azure mobile app.
 
 > [!NOTE]
 > Alerts generated by [VM insights](../vm/vminsights-overview.md) do not support the common schema.
@@ -87,6 +87,7 @@ The common schema includes information about the affected resource and the cause
 }
 ```
 
+For sample alerts that use the common schema, see [Sample alert payloads](alerts-payload-samples.md).
 ## Essentials fields
 
 | Field | Description|
@@ -96,7 +97,7 @@ The common schema includes information about the affected resource and the cause
 | Severity | The severity of the alert. Possible values are Sev0, Sev1, Sev2, Sev3, or Sev4. |
 | signalType | Identifies the signal on which the alert rule was defined. Possible values are Metric, Log, or Activity Log. |
 | monitorCondition | When an alert fires, the alert's monitor condition is set to **Fired**. When the underlying condition that caused the alert to fire clears, the monitor condition is set to **Resolved**.   |
-| monitoringService | The monitoring service or solution that generated the alert. The fields for the alert context are dictated by the monitoring service. |
+| monitoringService | The monitoring service or solution that generated the alert. The monitoring service determines which fields are in the alert context. |
 | alertTargetIds | The list of the Azure Resource Manager IDs that are affected targets of an alert. For a log alert defined on a Log Analytics workspace or Application Insights instance, it's the respective workspace or application. |
 | configurationItems |The list of affected resources of an alert.<br>In some cases, the configuration items can be different from the alert targets. For example, in metric-for-log or log alerts defined on a Log Analytics workspace, the configuration items are the actual resources sending the telemetry and not the workspace.<br><ul><li>In the log alerts API (Scheduled Query Rules) v2021-08-01, the `configurationItem` values are taken from explicitly defined dimensions in this priority: `Computer`, `_ResourceId`, `ResourceId`, `Resource`.</li><li>In earlier versions of the log alerts API, the `configurationItem` values are taken implicitly from the results in this priority: `Computer`, `_ResourceId`, `ResourceId`, `Resource`.</li></ul>In ITSM systems, the `configurationItems` field is used to correlate alerts to resources in a configuration management database. |
 | originAlertId | The ID of the alert instance, as generated by the monitoring service generating it. |
@@ -107,9 +108,34 @@ The common schema includes information about the affected resource and the cause
 |alertContextVersion | The version number for the `alertContext` section. |
 
 
-## Alert context fields for metric alerts
-
-### Sample metric alert with a static threshold and the monitoringService = `Platform`
+## Alert context fields for metric alerts 
+
+|Field  |Description  |
+|---------|---------|
+|properties           |(Optional.) A collection of customer-defined properties. |
+|conditionType        |The type of condition selected for the alert rule:<br> - static threshold<br> - dynamic threshold<br> - webtest         |
+|condition            |         |
+|windowSize           |The time period analyzed by the alert rule.|
+|allOf                |Indicates that all conditions defined in the alert rule must be met to trigger an alert.|
+|alertSensitivity     |In an alert rule with a dynamic threshold, indicates how sensitive the rule is, or how much the value can deviate from the upper or lower threshold.|
+|failingPeriods       |In an alert rule with a dynamic threshold, the number of evaluation periods that don't meet the alert threshold that will trigger an alert. For example, you can indicate that an alert is triggered when 3 out of the last five evaluation periods aren't within the alert thresholds. |
+|numberOfEvaluationPeriods|The total number of evaluations.         |
+|minFailingPeriodsToAlert|The minimum number of evaluations that do no meet the alert rule conditions.|
+|ignoreDataBefore     |(Optional.) In an alert rule with a dynamic threshold, the date from which the threshold is calculated. Use this value to indicate that the rule shouldn't calculate the dynamic threshold using data from before the specified date. |
+|metricName           |The name of the metric monitored by the alert rule.         |
+|metricNamespace      |The namespace of the metric monitored by the alert rule.         |
+|operator             |The logical operator of the alert rule.         |
+|threshold            |The threshold defined in the alert rule. For an alert rule with a dynamic threshold, this value is the calculated threshold. |
+|timeAggregation      |The aggregation type of the alert rule. |
+|dimensions           |The metric dimension that triggered the alert.         |
+|name                 |The dimension name.         |
+|value                |The dimension value.         |
+|metricValue          |The metric value at the time that it violated the threshold.         |
+|webTestName          |If the condition type is `webtest`, the name of the webtest.         |
+|windowStartTime      |The start time of the evaluation window in which the alert fired.       |
+|windowEndTime        |The end time of the evaluation window in which the alert fired.         |
+
+### Sample metric alert with a static threshold when the monitoringService = `Platform`
 
 ```json
 {
@@ -141,7 +167,7 @@ The common schema includes information about the affected resource and the cause
 }
 ```
 
-### Sample metric alert with a dynamic threshold and the monitoringService = Platform
+### Sample metric alert with a dynamic threshold when the monitoringService = `Platform`
 
 ```json
 {
@@ -173,7 +199,7 @@ The common schema includes information about the affected resource and the cause
     }
 }
 ```
-### Sample metric alert for availability tests and the monitoringService = Platform
+### Sample metric alert for availability tests when the monitoringService = `Platform`
 
 ```json
 {
@@ -208,6 +234,39 @@ The common schema includes information about the affected resource and the cause
 > - The common schema is not supported for log alerts using webhooks with a custom email subject and/or JSON payload, since the common schema overwrites the custom configurations.
 > - Alerts using the common schema have an upper size limit of 256 KB per alert. If the log alerts payload includes search results that cause the alert to exceed the maximum size, the search results aren't embedded in the log alerts payload. You can check if the payload includes the search results with the `IncludedSearchResults` flag. Use `LinkToFilteredSearchResultsAPI` or `LinkToSearchResultsAPI` to access query results with the [Log Analytics API](/rest/api/loganalytics/dataaccess/query/get) if the search results are not included.
 
+|Field  |Description  |
+|---------|---------|
+|SearchQuery     |The query defined in the alert rule.         |
+|SearchIntervalStartTimeUtc     |The start time of the evaluation window in which the alert fired in UTC.        |
+|SearchIntervalEndTimeUtc     |The end time of the evaluation window in which the alert fired in UTC.         |
+|ResultCount     |The number of records returned by the query. For metric measurement rules, the number or records that match the specific dimension combination.          |
+|LinkToSearchResults     |A link to the search results.         |
+|LinkToFilteredSearchResultsUI    |For metric measurement rules, the link to the search results after they've been filtered by the dimension combinations.         |
+|LinkToSearchResultsAPI     |A link to the query results using the Log Analytics API.          |
+|LinkToFilteredSearchResultsAPI     |For metric measurement rules, the link to the search results using the Log Analytics API after they've been filtered by the dimension combinations.         |
+|SearchIntervalDurationMin     |The total number of minutes in the search interval.          |
+|SearchIntervalInMin     |The total number of minutes in the search interval.         |
+|Threshold     |The threshold defined in the alert rule.        |
+|Operator     |The operator defined in the alert rule.         |
+|ApplicationID     |The Application Insights ID on which the alert was triggered.        |
+|Dimensions     |For metric measurement rules, the metric dimensions on which the alert was triggered.         |
+|name     |The dimension name.        |
+|value     |The dimension value.         |
+|SearchResults     |The complete search results.         |
+|table     |The table of results in the search results.         |
+|name     |The name of the table in the search results.         |
+|columns     |The columns in the table.         |
+|name     |The name of the column.         |
+|type     |The type of the column.         |
+|rows     |The rows in the table.         |
+|DataSources     |The data sources on which the alert was triggered.         |
+|resourceID     |The resource ID affected by the alert.         |
+|tables     |The draft response tables included in the query.         |
+|IncludedSearchResults     | Flag that indicates if the payload should contain the results.        |
+|AlertType     |The alert type:<br> - Metric Measurement<br> - Number Of Results |
+
+
+
 ### Sample log alert when the monitoringService = Platform
 
 ```json
@@ -352,7 +411,6 @@ The common schema includes information about the affected resource and the cause
   }
 }
 ```
-
 ### Sample log alert when the monitoringService = Log Alerts V2
 
 > [!NOTE]
@@ -399,9 +457,9 @@ The common schema includes information about the affected resource and the cause
   }
 }
 ```
-
 ## Alert context fields for activity log alerts
 
+See [Azure activity log event schema](../essentials/activity-log-schema.md) for detailed information about the fields in activity log alerts.
 ### Sample activity log alert when the monitoringService = Activity Log - Administrative
 
 ```json
@@ -427,7 +485,6 @@ The common schema includes information about the affected resource and the cause
     }
 }
 ```
-
 ### Sample activity log alert when the monitoringService = Activity Log - Policy
 
 ```json
@@ -459,7 +516,6 @@ The common schema includes information about the affected resource and the cause
   }
 }
 ```
-
 ### Sample activity log alert when the monitoringService = Activity Log - Autoscale
 
 ```json
@@ -488,7 +544,6 @@ The common schema includes information about the affected resource and the cause
   }
 }
 ```
-
 ### Sample activity log alert when the monitoringService = Activity Log - Security
 
 ```json
@@ -520,7 +575,6 @@ The common schema includes information about the affected resource and the cause
   }
 }
 ```
-
 ### Sample activity log alert when the monitoringService = ServiceHealth
 
 ```json
@@ -564,7 +618,6 @@ The common schema includes information about the affected resource and the cause
   }
 }
 ```
-
 ### Sample activity log alert when the monitoringService = ResourceHealth
 
 ```json
@@ -591,9 +644,9 @@ The common schema includes information about the affected resource and the cause
   }
 }
 ```
-
 ## Alert context fields for Prometheus alerts
 
+See [Azure Monitor managed service for Prometheus rule groups (preview)](../essentials/prometheus-rule-groups.md) for detailed information about the fields in Prometheus alerts.
 ### Sample Prometheus alert
 
 ```json
@@ -614,7 +667,6 @@ The common schema includes information about the affected resource and the cause
   }
 }
 ```
-
 ## Enable the common alert schema
 
 Use action groups in the Azure portal or use the REST API to enable the common alert schema. Schemas are defined at the action level. For example, you must separately enable the schema for an email action and a webhook action.
@@ -628,14 +680,11 @@ Use action groups in the Azure portal or use the REST API to enable the common a
 
 1. Open any existing action or a new action in an action group.
 1. Select **Yes** to enable the common alert schema.
-
 ### Enable the common schema using the REST API
 
 You can also use the [Action Groups API](/rest/api/monitor/actiongroups) to opt in to the common alert schema. In the [create or update](/rest/api/monitor/actiongroups/createorupdate) REST API call,
 - Set the "useCommonAlertSchema" flag to `true` to enable the common schema
 - Set the "useCommonAlertSchema" flag to `false` to use the non-common schema for email, webhook, Logic Apps, Azure Functions, or Automation runbook actions.
-
-
 #### Sample REST API call for using the common schema
 
 The following [create or update](/rest/api/monitor/actiongroups/createorupdate) REST API request:
@@ -685,7 +734,6 @@ The following [create or update](/rest/api/monitor/actiongroups/createorupdate)
   "tags": {}
 }
 ```
-
 ## Next steps
 
 - [Learn how to create a logic app that uses the common alert schema to handle all your alerts](./alerts-common-schema-integrations.md)