Azure Alerts

Microsoft Azure Pull

Synopsis

Creates an Azure Alerts client that collects alert data from Azure Monitor Alerts Management. Pulls alerts from the specified Azure subscription with configurable filtering options for alert state, severity, monitor service, and target resources.

Schema

- id: <numeric>
  name: <string>
  description: <string>
  type: azalerts
  tags: <string[]>
  pipelines: <pipeline[]>
  status: <boolean>
  properties:
    tenant_id: <string>
    client_id: <string>
    client_secret: <string>
    subscription_id: <string>
    alert_rule: <string>
    alert_state: <string>
    monitor_condition: <string>
    monitor_service: <string>
    severity: <string>
    smart_group_id: <string>
    target_resource: <string>
    target_resource_group: <string>
    target_resource_type: <string>
    batch_size: <numeric>

Configuration

The following fields are used to define the device.

Device

Field	Required	Default	Description
`id`	Y		Unique identifier
`name`	Y		Device name
`description`	N	-	Optional description
`type`	Y		Must be `azalerts`
`tags`	N	-	Optional tags
`pipelines`	N	-	Optional pre-processor pipelines
`status`	N	`true`	Enable/disable the device

Authentication

Field	Required	Description
`tenant_id`	Y	Azure tenant ID
`client_id`	Y	Azure client ID
`client_secret`	Y	Azure client secret
`subscription_id`	Y	Azure subscription ID to query alerts from

Field	Required	Default	Description
`alert_rule`	N	-	Filter by specific alert rule name
`alert_state`	N	-	Filter by alert state: `New`, `Acknowledged`, `Closed`
`monitor_condition`	N	-	Filter by monitor condition: `Fired`, `Resolved`
`monitor_service`	N	-	Filter by monitor service (see values below)
`severity`	N	-	Filter by severity: `Sev0`, `Sev1`, `Sev2`, `Sev3`, `Sev4`
`smart_group_id`	N	-	Filter by smart group ID
`target_resource`	N	-	Filter by specific target resource
`target_resource_group`	N	-	Filter by target resource group
`target_resource_type`	N	-	Filter by target resource type
`batch_size`	N	`250`	Maximum number of alerts per request

Monitor Service Values

ActivityLog Administrative
ActivityLog Autoscale
ActivityLog Policy
ActivityLog Recommendation
ActivityLog Security
Application Insights
Log Analytics
Platform
SCOM
ServiceHealth
SmartDetector
VM Insights
Zabbix

Examples

The following are commonly used configuration types.

Basic

The minimum required configuration:

Collecting all alerts from an Azure subscription...

devices:
  - id: 1
    name: basic_azalerts
    type: azalerts
    properties:
      tenant_id: "00000000-0000-0000-0000-000000000000"
      client_id: "11111111-1111-1111-1111-111111111111"
      client_secret: "your-client-secret"
      subscription_id: "22222222-2222-2222-2222-222222222222"

Active Alerts Only

Filtering for unresolved alerts:

Collecting only new and fired alerts...

devices:
  - id: 2
    name: active_alerts
    type: azalerts
    properties:
      tenant_id: "00000000-0000-0000-0000-000000000000"
      client_id: "11111111-1111-1111-1111-111111111111"
      client_secret: "your-client-secret"
      subscription_id: "22222222-2222-2222-2222-222222222222"
      alert_state: "New"
      monitor_condition: "Fired"

Critical Alerts

Monitoring high-severity alerts:

Targeting critical and error-level alerts...

devices:
  - id: 3
    name: critical_alerts
    type: azalerts
    pipelines:
      - alert_enrichment
    properties:
      tenant_id: "00000000-0000-0000-0000-000000000000"
      client_id: "11111111-1111-1111-1111-111111111111"
      client_secret: "your-client-secret"
      subscription_id: "22222222-2222-2222-2222-222222222222"
      severity: "Sev0"

note

Severity levels range from Sev0 (Critical) to Sev4 (Verbose). Each filter is independent; specify multiple device instances to collect different severity levels separately.

Resource Group Filtering

Scoping alerts to specific resources:

Collecting alerts from a specific resource group and resource type...

devices:
  - id: 4
    name: webapp_alerts
    type: azalerts
    properties:
      tenant_id: "00000000-0000-0000-0000-000000000000"
      client_id: "11111111-1111-1111-1111-111111111111"
      client_secret: "your-client-secret"
      subscription_id: "22222222-2222-2222-2222-222222222222"
      target_resource_group: "production-rg"
      target_resource_type: "Microsoft.Web/sites"
      monitor_service: "Application Insights"

warning

Ensure the service principal has the Reader role or Microsoft.AlertsManagement/alerts/read permission on the target subscription to access alert data.

Synopsis​

Schema​

Configuration​

Device​

Authentication​

Filter Options​

Monitor Service Values​

Examples​

Basic​

Active Alerts Only​

Critical Alerts​

Resource Group Filtering​