MicrosoftDocs
diff --git a/‎articles/azure-monitor/alerts/alerts-common-schema-definitions.md
Lines changed: 27 additions & 11 deletions b/‎articles/azure-monitor/alerts/alerts-common-schema-definitions.md
Lines changed: 27 additions & 11 deletions
@@ -1,6 +1,6 @@
 ---
 title: Alert schema definitions in Azure Monitor
-description: Understanding the common alert schema definitions for Azure Monitor
+description: This article explains the common alert schema definitions for Azure Monitor.
 author: ofirmanor
 ms.topic: conceptual
 ms.date: 07/20/2021
@@ -9,13 +9,15 @@ ms.reviewer: ofmanor
 
 # Common alert schema definitions
 
-This article describes the [common alert schema definitions](./alerts-common-schema.md) for Azure Monitor, including those for webhooks, Azure Logic Apps, Azure Functions, and Azure Automation runbooks. 
+This article describes the [common alert schema definitions](./alerts-common-schema.md) for Azure Monitor. It includes the definitions for webhooks, Azure Logic Apps, Azure Functions, and Azure Automation runbooks.
 
 Any alert instance describes the resource that was affected and the cause of the alert. These instances are described in the common schema in the following sections:
-* **Essentials**: A set of standardized fields, common across all alert types, which describe what resource the alert is on, along with additional common alert metadata (for example, severity or description). 
-* **Alert context**: A set of fields that describes the cause of the alert, with fields that vary based on the alert type. For example, a metric alert includes fields like the metric name and metric value in the alert context, whereas an activity log alert has information about the event that generated the alert. 
+
+* **Essentials**: A set of standardized fields that are common across all alert types. Fields describe what resource the alert is on, along with other common alert metadata. Examples are severity or description.
+* **Alert context**: A set of fields that describe the cause of the alert. Fields vary based on the alert type. For example, a metric alert includes fields like the metric name and metric value in the alert context. An activity log alert has information about the event that generated the alert.
 
 **Sample alert payload**
+
 ```json
 {
   "schemaId": "azureMonitorCommonAlertSchema",
@@ -71,14 +73,14 @@ Any alert instance describes the resource that was affected and the cause of the
 
 | Field | Description|
 |:---|:---|
-| alertId | The unique resource ID identifying the alert instance. |
+| alertId | The unique resource ID that identifies the alert instance. |
 | alertRule | The name of the alert rule that generated the alert instance. |
-| Severity | The severity of the alert. Possible values: Sev0, Sev1, Sev2, Sev3, or Sev4. |
-| signalType | Identifies the signal on which the alert rule was defined. Possible values: Metric, Log, or Activity Log. |
+| Severity | The severity of the alert. Possible values are Sev0, Sev1, Sev2, Sev3, or Sev4. |
+| signalType | Identifies the signal on which the alert rule was defined. Possible values are Metric, Log, or Activity Log. |
 | monitorCondition | When an alert fires, the alert's monitor condition is set to **Fired**. When the underlying condition that caused the alert to fire clears, the monitor condition is set to **Resolved**.   |
 | monitoringService | The monitoring service or solution that generated the alert. The fields for the alert context are dictated by the monitoring service. |
 | alertTargetIds | The list of the Azure Resource Manager IDs that are affected targets of an alert. For a log alert defined on a Log Analytics workspace or Application Insights instance, it's the respective workspace or application. |
-| configurationItems |The list of affected resources of an alert.<br>In some cases, the configuration items can be different from the alert targets. For example, in metric-for-log or log alerts defined on a Log Analytics workspace, the configuration items are the actual resources sending the telemetry, and not the workspace.<br><ul><li>In the log alerts API (Scheduled Query Rules) v2021-08-01, the configurationItem values are taken from explicitly defined dimensions in this priority: 'Computer', '_ResourceId', 'ResourceId', 'Resource'.</li><li>In earlier versions of the log alerts API, the configurationItem values are taken implicitly from the results in this priority: 'Computer', '_ResourceId', 'ResourceId', 'Resource'.</li></ul>In ITSM systems, the configurationItems field is used to correlate alerts to resources in a CMDB. |
+| configurationItems |The list of affected resources of an alert.<br>In some cases, the configuration items can be different from the alert targets. For example, in metric-for-log or log alerts defined on a Log Analytics workspace, the configuration items are the actual resources sending the telemetry and not the workspace.<br><ul><li>In the log alerts API (Scheduled Query Rules) v2021-08-01, the `configurationItem` values are taken from explicitly defined dimensions in this priority: `Computer`, `_ResourceId`, `ResourceId`, `Resource`.</li><li>In earlier versions of the log alerts API, the `configurationItem` values are taken implicitly from the results in this priority: `Computer`, `_ResourceId`, `ResourceId`, `Resource`.</li></ul>In ITSM systems, the `configurationItems` field is used to correlate alerts to resources in a configuration management database. |
 | originAlertId | The ID of the alert instance, as generated by the monitoring service generating it. |
 | firedDateTime | The date and time when the alert instance was fired in Coordinated Universal Time (UTC). |
 | resolvedDateTime | The date and time when the monitor condition for the alert instance is set to **Resolved** in UTC. Currently only applicable for metric alerts.|
@@ -87,6 +89,7 @@ Any alert instance describes the resource that was affected and the cause of the
 |alertContextVersion | The version number for the `alertContext` section. |
 
 **Sample values**
+
 ```json
 {
   "essentials": {
@@ -110,11 +113,14 @@ Any alert instance describes the resource that was affected and the cause of the
 
 ## Alert context
 
+The following fields describe the cause of an alert.
+
 ### Metric alerts - Static threshold
 
 #### `monitoringService` = `Platform`
 
 **Sample values**
+
 ```json
 {
   "alertContext": {
@@ -150,6 +156,7 @@ Any alert instance describes the resource that was affected and the cause of the
 #### `monitoringService` = `Platform`
 
 **Sample values**
+
 ```json
 {
   "alertContext": {
@@ -186,6 +193,7 @@ Any alert instance describes the resource that was affected and the cause of the
 #### `monitoringService` = `Platform`
 
 **Sample values**
+
 ```json
 {
   "alertContext": {
@@ -215,11 +223,12 @@ Any alert instance describes the resource that was affected and the cause of the
 ### Log alerts
 
 > [!NOTE]
-> For log alerts that have a custom email subject and/or JSON payload defined, enabling the common schema reverts email subject and/or payload schema to the one described as follows. This means that if you want to have a custom JSON payload defined, the webhook cannot use the common alert schema. Alerts with the common schema enabled have an upper size limit of 256 KB per alert. Search results aren't embedded in the log alerts payload if they cause the alert size to cross this threshold. You can determine this by checking the flag `IncludedSearchResults`. When the search results aren't included, you should use the `LinkToFilteredSearchResultsAPI` or `LinkToSearchResultsAPI` to access query results with the [Log Analytics API](/rest/api/loganalytics/dataaccess/query/get).
+> For log alerts that have a custom email subject and/or JSON payload defined, enabling the common schema reverts email subject and/or payload schema to the one described as follows. This means that if you want to have a custom JSON payload defined, the webhook can't use the common alert schema. Alerts with the common schema enabled have an upper size limit of 256 KB per alert. Search results aren't embedded in the log alerts payload if they cause the alert size to cross this threshold. You can determine this by checking the flag `IncludedSearchResults`. When the search results aren't included, use `LinkToFilteredSearchResultsAPI` or `LinkToSearchResultsAPI` to access query results with the [Log Analytics API](/rest/api/loganalytics/dataaccess/query/get).
 
 #### `monitoringService` = `Log Analytics`
 
 **Sample values**
+
 ```json
 {
   "alertContext": {
@@ -296,6 +305,7 @@ Any alert instance describes the resource that was affected and the cause of the
 #### `monitoringService` = `Application Insights`
 
 **Sample values**
+
 ```json
 {
   "alertContext": {
@@ -368,9 +378,10 @@ Any alert instance describes the resource that was affected and the cause of the
 #### `monitoringService` = `Log Alerts V2`
 
 > [!NOTE]
-> Log alerts rules from API version 2020-05-01 use this payload type, which only supports common schema. Search results aren't embedded in the log alerts payload when using this version. You should use [dimensions](./alerts-unified-log.md#split-by-alert-dimensions) to provide context to fired alerts. You can also use the `LinkToFilteredSearchResultsAPI` or `LinkToSearchResultsAPI` to access query results with the [Log Analytics API](/rest/api/loganalytics/dataaccess/query/get). If you must embed the results, use a logic app with the provided links the generate a custom payload.
+> Log alerts rules from API version 2020-05-01 use this payload type, which only supports common schema. Search results aren't embedded in the log alerts payload when you use this version. Use [dimensions](./alerts-unified-log.md#split-by-alert-dimensions) to provide context to fired alerts. You can also use `LinkToFilteredSearchResultsAPI` or `LinkToSearchResultsAPI` to access query results with the [Log Analytics API](/rest/api/loganalytics/dataaccess/query/get). If you must embed the results, use a logic app with the provided links to generate a custom payload.
 
 **Sample values**
+
 ```json
 {
   "alertContext": {
@@ -418,6 +429,7 @@ Any alert instance describes the resource that was affected and the cause of the
 #### `monitoringService` = `Activity Log - Administrative`
 
 **Sample values**
+
 ```json
 {
   "alertContext": {
@@ -445,6 +457,7 @@ Any alert instance describes the resource that was affected and the cause of the
 #### `monitoringService` = `Activity Log - Policy`
 
 **Sample values**
+
 ```json
 {
   "alertContext": {
@@ -508,6 +521,7 @@ Any alert instance describes the resource that was affected and the cause of the
 #### `monitoringService` = `Activity Log - Security`
 
 **Sample values**
+
 ```json
 {
   "alertContext": {
@@ -541,6 +555,7 @@ Any alert instance describes the resource that was affected and the cause of the
 #### `monitoringService` = `ServiceHealth`
 
 **Sample values**
+
 ```json
 {
   "alertContext": {
@@ -582,9 +597,11 @@ Any alert instance describes the resource that was affected and the cause of the
   }
 }
 ```
+
 #### `monitoringService` = `Resource Health`
 
 **Sample values**
+
 ```json
 {
   "alertContext": {
@@ -610,7 +627,6 @@ Any alert instance describes the resource that was affected and the cause of the
 }
 ```
 
-
 ## Next steps
 
 - Learn more about the [common alert schema](./alerts-common-schema.md).