¿Cómo enviar a un azure web apps el payload de una alerta con el resultado del kql del AzureActivity Log?

Question

Tengo configurada una alerta del tipo Búsqueda de Registros Personalizada en donde se ejecuta el query Kql sobre AzureActivity cada 5 minutos.

AzureActivity| where TimeGenerated > ago(1h)| where ActivityStatus == "Succeeded" and OperationName in('Add API to product','Add backend or Update backend',    'Associate group with product')

En el grupo de acciones se configuro el Comportamiento del tipo de acción webhook para enviar el payload de la alerta a un azure web apps y poder obtener campos como "Caller", "ResourceId", etc. del registro AzureActivity Log, sin embargo el payload recibido no contiene esta información.

Trate de incluir campos personalizados desactivando el esquema común de alerta, pero no funciona.

Por favor ayuda para resolver este tema!

Muchas gracias.

Ejemplo del json con el payload de la alerta recibida en el web apps

{ "schemaId": "azureMonitorCommonAlertSchema", "data": { "essentials": { "alertId": "/subscriptions/5666275e-b163-4b30-a831-76ec556e59ba/providers/Microsoft.AlertsManagement/alerts/bea116e4-bb6f-a13a-08bb-4ff597e00004", "alertRule": "Actualización de API - Test API PAPI - 3", "severity": "Sev3", "signalType": "Log", "monitorCondition": "Fired", "monitoringService": "Log Alerts V2", "alertTargetIDs": [ "/subscriptions/5666275e-b163-4b30-a831-76ec556e59ba/resourcegroups/rsgreu2apigp01/providers/microsoft.apimanagement/service/apimeu2apigp01" ], "configurationItems": [ "/subscriptions/5666275e-b163-4b30-a831-76ec556e59ba/resourceGroups/RSGREU2APIGP01/providers/Microsoft.ApiManagement/service/apimeu2apigp01" ], "originAlertId": "41de512b-ff6a-169e-200e-12a3bbe87797", "firedDateTime": "2024-05-07T19:46:59.3592947Z", "description": "Actualización de API - Test API PAPI - 3", "essentialsVersion": "1.0", "alertContextVersion": "1.0" }, "alertContext": { "properties": { "AlertDimensions": "${data.alertContext.Dimensions}", "AlertSearchQuery": "${data.alertContext.SearchQuery}", "AlertAffectedConfigurationItems": "${data.alertContext.AffectedConfigurationItems}", "AletresourceID": "${data.alertContext.resourceID}", "AlertTargetIDs": "Actualización de API - Test API PAPI - 3", "AlertRule": "Actualización de API - Test API PAPI - 3", "SearchResult": "${data.alertContext.IncludeSearchResults}" }, "conditionType": "LogQueryCriteria", "condition": { "windowSize": "PT30M", "allOf": [ { "searchQuery": "AzureActivity | where TimeGenerated > ago(72h) | where ActivityStatus == "Succeeded" and OperationName in('Create API or Update API','Set API policy configuration')", "metricMeasureColumn": null, "targetResourceTypes": "['Microsoft.ApiManagement/service']", "operator": "GreaterThanOrEqual", "threshold": "1", "timeAggregation": "Count", "dimensions": [], "metricValue": 2, "failingPeriods": { "numberOfEvaluationPeriods": 1, "minFailingPeriodsToAlert": 1 }, "linkToSearchResultsUI": "https://portal.azure.com#@5d93ebcc-f769-4380-8b7e-289fc972da1b/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/source/Alerts.EmailLinks/scope/%7B%22resources%22%3A%5B%7B%22resourceId%22%3A%22%2Fsubscriptions%2F5666275e-b163-4b30-a831-76ec556e59ba%2FresourceGroups%2FRSGREU2APIGP01%2Fproviders%2FMicrosoft.ApiManagement%2Fservice%2Fapimeu2apigp01%22%7D%5D%7D/q/eJw9jbEKwjAYhHef4qdLWrASQ7VYqFAcxEWF1sUtJL82YJMSE6Xiw9ta9Ka7g7uveHmLhXDqoVw3ecOzRotQqQa3qNFyhxLWEMreuL4MGWVJTBcxTav5KkuWGVvO6KhzBDGkrI7%2BN7%2Ff0nHn75DnEJReCESJMgCuJRzagaGM3vMGQemQbCz2LCiOOzAWTu1AHhKZkhLdt2%2FNTYkOhNEXdfXjnkQf/prettify/1/timespan/2024-05-05T19%3a46%3a26.0000000Z%2f2024-05-07T19%3a46%3a26.0000000Z", "linkToFilteredSearchResultsUI": "https://portal.azure.com#@5d93ebcc-f769-4380-8b7e-289fc972da1b/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/source/Alerts.EmailLinks/scope/%7B%22resources%22%3A%5B%7B%22resourceId%22%3A%22%2Fsubscriptions%2F5666275e-b163-4b30-a831-76ec556e59ba%2FresourceGroups%2FRSGREU2APIGP01%2Fproviders%2FMicrosoft.ApiManagement%2Fservice%2Fapimeu2apigp01%22%7D%5D%7D/q/eJw9jbEKwjAYhHef4qdLWrASQ7VYqFAcxEWF1sUtJL82YJMSE6Xiw9ta9Ka7g7uveHmLhXDqoVw3ecOzRotQqQa3qNFyhxLWEMreuL4MGWVJTBcxTav5KkuWGVvO6KhzBDGkrI7%2BN7%2Ff0nHn75DnEJReCESJMgCuJRzagaGM3vMGQemQbCz2LCiOOzAWTu1AHhKZkhLdt2%2FNTYkOhNEXdfXjnkQf/prettify/1/timespan/2024-05-05T19%3a46%3a26.0000000Z%2f2024-05-07T19%3a46%3a26.0000000Z", "linkToSearchResultsAPI": "https://api.loganalytics.io/v1/subscriptions/5666275e-b163-4b30-a831-76ec556e59ba/resourceGroups/RSGREU2APIGP01/providers/Microsoft.ApiManagement/service/apimeu2apigp01/query?query=AzureActivity%0A%7C%20where%20TimeGenerated%20%3E%20%28datetime%282024-05-07T19%3A46%3A26.0000000Z%29%20-%2072h%29%0A%7C%20where%20ActivityStatus%20%3D%3D%20%22Succeeded%22%20and%20OperationName%20in%28%27Create%20API%20or%20Update%20API%27%2C%27Set%20API%20policy%20configuration%27%29×pan=2024-05-05T19%3a46%3a26.0000000Z%2f2024-05-07T19%3a46%3a26.0000000Z", "linkToFilteredSearchResultsAPI": "https://api.loganalytics.io/v1/subscriptions/5666275e-b163-4b30-a831-76ec556e59ba/resourceGroups/RSGREU2APIGP01/providers/Microsoft.ApiManagement/service/apimeu2apigp01/query?query=AzureActivity%0A%7C%20where%20TimeGenerated%20%3E%20%28datetime%282024-05-07T19%3A46%3A26.0000000Z%29%20-%2072h%29%0A%7C%20where%20ActivityStatus%20%3D%3D%20%22Succeeded%22%20and%20OperationName%20in%28%27Create%20API%20or%20Update%20API%27%2C%27Set%20API%20policy%20configuration%27%29×pan=2024-05-05T19%3a46%3a26.0000000Z%2f2024-05-07T19%3a46%3a26.0000000Z", "event": null } ], "windowStartTime": "2024-05-05T19:46:26Z", "windowEndTime": "2024-05-07T19:46:26Z" } }, "customProperties": { "AlertDimensions": "${data.alertContext.Dimensions}", "AlertSearchQuery": "${data.alertContext.SearchQuery}", "AlertAffectedConfigurationItems": "${data.alertContext.AffectedConfigurationItems}", "AletresourceID": "${data.alertContext.resourceID}", "AlertTargetIDs": "Actualización de API - Test API PAPI - 3", "AlertRule": "Actualización de API - Test API PAPI - 3", "SearchResult": "${data.alertContext.IncludeSearchResults}" } } }

Share via

¿Cómo enviar a un azure web apps el payload de una alerta con el resultado del kql del AzureActivity Log?