Azure 活動記錄警示的 Webhook

在定義動作群組的過程中,您可以設定 Webhook 端點以接收活動記錄警示通知。 您可以使用 Webhook 將這些通知路由到其他系統,以進行後置處理或自訂動作。 本文會說明 HTTP POST 至 Webhook 的承載資料樣貌。

如需有關活動記錄警示的詳細資訊,請參閱如何建立 Azure 活動記錄警示

如需有關動作群組的資訊,請參閱如何建立動作群組

注意

您也可以使用 常見的警示架構,讓您能夠在 Azure 監視器中的所有警示服務上擁有單一可延伸和整合的警示承載,以供您的 webhook 整合使用。 深入瞭解常見的警示架構定義。

驗證 Webhook

Webhook 可以選擇使用以權杖作為基礎的授權來進行驗證。 Webhook URI 是以權杖識別碼儲存,例如,https://mysamplealert/webcallback?tokenid=sometokenid&someparameter=somevalue

承載結構描述

POST 作業中所包含的 JSON 承載,會根據承載的 data.context.activityLog.eventSource 欄位而有所不同。

注意

目前,屬於活動記錄事件一部分的描述會複製到引發的「 警示描述 」屬性。

為了使活動記錄承載與其他警示類型保持一致,自2021年4月1日起,引發的警示屬性 "Description" 將會改為包含警示規則描述。

為此變更做準備,我們為活動記錄引發的警示建立了新的「 活動記錄事件描述 」屬性。 這個新的屬性將會填入已可供使用的 "Description" 屬性。 這表示新的欄位「 活動記錄事件描述 」將包含屬於活動記錄事件一部分的描述。

請參閱您的警示規則、動作規則、webhook、邏輯應用程式或任何其他設定,也就是您可能會在引發的警示中使用 [ 描述] 屬性,並將它取代為「 活動記錄事件描述 」屬性。

如果您的條件 (在動作規則、webhook、邏輯應用程式或任何其他設定) 目前是以活動記錄警示的 [ Description] 屬性為基礎,您可能需要改為根據 [ 活動記錄檔事件描述] 屬性加以修改。

為了填滿新的 [Description] 屬性,您可以在警示規則定義中加入描述。 引發的活動記錄警示

通用

{
    "schemaId": "Microsoft.Insights/activityLogs",
    "data": {
        "status": "Activated",
        "context": {
            "activityLog": {
                "channels": "Operation",
                "correlationId": "6ac88262-43be-4adf-a11c-bd2179852898",
                "eventSource": "Administrative",
                "eventTimestamp": "2017-03-29T15:43:08.0019532+00:00",
                "eventDataId": "8195a56a-85de-4663-943e-1a2bf401ad94",
                "level": "Informational",
                "operationName": "Microsoft.Insights/actionGroups/write",
                "operationId": "6ac88262-43be-4adf-a11c-bd2179852898",
                "status": "Started",
                "subStatus": "",
                "subscriptionId": "52c65f65-0518-4d37-9719-7dbbfc68c57a",
                "submissionTimestamp": "2017-03-29T15:43:20.3863637+00:00",
                ...
            }
        },
        "properties": {}
    }
}

系統管理

{
    "schemaId": "Microsoft.Insights/activityLogs",
    "data": {
        "status": "Activated",
        "context": {
            "activityLog": {
                "authorization": {
                    "action": "Microsoft.Insights/actionGroups/write",
                    "scope": "/subscriptions/52c65f65-0518-4d37-9719-7dbbfc68c57b/resourceGroups/CONTOSO-TEST/providers/Microsoft.Insights/actionGroups/IncidentActions"
                },
                "claims": "{...}",
                "caller": "me@contoso.com",
                "description": "",
                "httpRequest": "{...}",
                "resourceId": "/subscriptions/52c65f65-0518-4d37-9719-7dbbfc68c57b/resourceGroups/CONTOSO-TEST/providers/Microsoft.Insights/actionGroups/IncidentActions",
                "resourceGroupName": "CONTOSO-TEST",
                "resourceProviderName": "Microsoft.Insights",
                "resourceType": "Microsoft.Insights/actionGroups"
            }
        },
        "properties": {}
    }
}

安全性

{
  "schemaId":"Microsoft.Insights/activityLogs",
  "data":{"status":"Activated",
    "context":{
      "activityLog":{
        "channels":"Operation",
        "correlationId":"2518408115673929999",
        "description":"Failed SSH brute force attack. Failed brute force attacks were detected from the following attackers: [\"IP Address: 01.02.03.04\"].  Attackers were trying to access the host with the following user names: [\"root\"].",
        "eventSource":"Security",
        "eventTimestamp":"2017-06-25T19:00:32.607+00:00",
        "eventDataId":"Sec-07f2-4d74-aaf0-03d2f53d5a33",
        "level":"Informational",
        "operationName":"Microsoft.Security/locations/alerts/activate/action",
        "operationId":"Sec-07f2-4d74-aaf0-03d2f53d5a33",
        "properties":{
          "attackers":"[\"IP Address: 01.02.03.04\"]",
          "numberOfFailedAuthenticationAttemptsToHost":"456",
          "accountsUsedOnFailedSignInToHostAttempts":"[\"root\"]",
          "wasSSHSessionInitiated":"No","endTimeUTC":"06/25/2017 19:59:39",
          "actionTaken":"Detected",
          "resourceType":"Virtual Machine",
          "severity":"Medium",
          "compromisedEntity":"LinuxVM1",
          "remediationSteps":"[In case this is an Azure virtual machine, add the source IP to NSG block list for 24 hours (see https://azure.microsoft.com/documentation/articles/virtual-networks-nsg/)]",
          "attackedResourceType":"Virtual Machine"
        },
        "resourceId":"/subscriptions/12345-5645-123a-9867-123b45a6789/resourceGroups/contoso/providers/Microsoft.Security/locations/centralus/alerts/Sec-07f2-4d74-aaf0-03d2f53d5a33",
        "resourceGroupName":"contoso",
        "resourceProviderName":"Microsoft.Security",
        "status":"Active",
        "subscriptionId":"12345-5645-123a-9867-123b45a6789",
        "submissionTimestamp":"2017-06-25T20:23:04.9743772+00:00",
        "resourceType":"MICROSOFT.SECURITY/LOCATIONS/ALERTS"
      }
    },
    "properties":{}
  }
}

建議

{
  "schemaId":"Microsoft.Insights/activityLogs",
  "data":{
    "status":"Activated",
    "context":{
      "activityLog":{
        "channels":"Operation",
        "claims":"{\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress\":\"Microsoft.Advisor\"}",
        "caller":"Microsoft.Advisor",
        "correlationId":"123b4c54-11bb-3d65-89f1-0678da7891bd",
        "description":"A new recommendation is available.",
        "eventSource":"Recommendation",
        "eventTimestamp":"2017-06-29T13:52:33.2742943+00:00",
        "httpRequest":"{\"clientIpAddress\":\"0.0.0.0\"}",
        "eventDataId":"1bf234ef-e45f-4567-8bba-fb9b0ee1dbcb",
        "level":"Informational",
        "operationName":"Microsoft.Advisor/recommendations/available/action",
        "properties":{
          "recommendationSchemaVersion":"1.0",
          "recommendationCategory":"HighAvailability",
          "recommendationImpact":"Medium",
          "recommendationName":"Enable Soft Delete to protect your blob data",
          "recommendationResourceLink":"https://portal.azure.com/#blade/Microsoft_Azure_Expert/RecommendationListBlade/recommendationTypeId/12dbf883-5e4b-4f56-7da8-123b45c4b6e6",
          "recommendationType":"12dbf883-5e4b-4f56-7da8-123b45c4b6e6"
        },
        "resourceId":"/subscriptions/12345-5645-123a-9867-123b45a6789/resourceGroups/contoso/providers/microsoft.storage/storageaccounts/contosoStore",
        "resourceGroupName":"CONTOSO",
        "resourceProviderName":"MICROSOFT.STORAGE",
        "status":"Active",
        "subStatus":"",
        "subscriptionId":"12345-5645-123a-9867-123b45a6789",
        "submissionTimestamp":"2017-06-29T13:52:33.2742943+00:00",
        "resourceType":"MICROSOFT.STORAGE/STORAGEACCOUNTS"
      }
    },
    "properties":{}
  }
}

服務健康狀況

{
    "schemaId": "Microsoft.Insights/activityLogs",
    "data": {
        "status": "Activated",
        "context": {
            "activityLog": {
            "channels": "Admin",
            "correlationId": "bbac944f-ddc0-4b4c-aa85-cc7dc5d5c1a6",
            "description": "Active: Virtual Machines - Australia East",
            "eventSource": "ServiceHealth",
            "eventTimestamp": "2017-10-18T23:49:25.3736084+00:00",
            "eventDataId": "6fa98c0f-334a-b066-1934-1a4b3d929856",
            "level": "Informational",
            "operationName": "Microsoft.ServiceHealth/incident/action",
            "operationId": "bbac944f-ddc0-4b4c-aa85-cc7dc5d5c1a6",
            "properties": {
                "title": "Virtual Machines - Australia East",
                "service": "Virtual Machines",
                "region": "Australia East",
                "communication": "Starting at 02:48 UTC on 18 Oct 2017 you have been identified as a customer using Virtual Machines in Australia East who may receive errors starting Dv2 Promo and DSv2 Promo Virtual Machines which are in a stopped "deallocated" or suspended state. Customers can still provision Dv1 and Dv2 series Virtual Machines or try deploying Virtual Machines in other regions, as a possible workaround. Engineers have identified a possible fix for the underlying cause, and are exploring implementation options. The next update will be provided as events warrant.",
                "incidentType": "Incident",
                "trackingId": "0NIH-U2O",
                "impactStartTime": "2017-10-18T02:48:00.0000000Z",
                "impactedServices": "[{\"ImpactedRegions\":[{\"RegionName\":\"Australia East\"}],\"ServiceName\":\"Virtual Machines\"}]",
                "defaultLanguageTitle": "Virtual Machines - Australia East",
                "defaultLanguageContent": "Starting at 02:48 UTC on 18 Oct 2017 you have been identified as a customer using Virtual Machines in Australia East who may receive errors starting Dv2 Promo and DSv2 Promo Virtual Machines which are in a stopped "deallocated" or suspended state. Customers can still provision Dv1 and Dv2 series Virtual Machines or try deploying Virtual Machines in other regions, as a possible workaround. Engineers have identified a possible fix for the underlying cause, and are exploring implementation options. The next update will be provided as events warrant.",
                "stage": "Active",
                "communicationId": "636439673646212912",
                "version": "0.1.1"
            },
            "status": "Active",
            "subscriptionId": "45529734-0ed9-4895-a0df-44b59a5a07f9",
            "submissionTimestamp": "2017-10-18T23:49:28.7864349+00:00"
        }
    },
    "properties": {}
    }
}

如需服務健康狀態通知活動記錄警示的特定結構描述詳細資料,請參閱服務健康狀態通知。 此外,了解如何使用現有問題管理解決方案來設定服務健康情況的 Webhook 通知

ResourceHealth

{
    "schemaId": "Microsoft.Insights/activityLogs",
    "data": {
        "status": "Activated",
        "context": {
            "activityLog": {
                "channels": "Admin, Operation",
                "correlationId": "a1be61fd-37ur-ba05-b827-cb874708babf",
                "eventSource": "ResourceHealth",
                "eventTimestamp": "2018-09-04T23:09:03.343+00:00",
                "eventDataId": "2b37e2d0-7bda-4de7-ur8c6-1447d02265b2",
                "level": "Informational",
                "operationName": "Microsoft.Resourcehealth/healthevent/Activated/action",
                "operationId": "2b37e2d0-7bda-489f-81c6-1447d02265b2",
                "properties": {
                    "title": "Virtual Machine health status changed to unavailable",
                    "details": "Virtual machine has experienced an unexpected event",
                    "currentHealthStatus": "Unavailable",
                    "previousHealthStatus": "Available",
                    "type": "Downtime",
                    "cause": "PlatformInitiated"
                },
                "resourceId": "/subscriptions/<subscription Id>/resourceGroups/<resource group>/providers/Microsoft.Compute/virtualMachines/<resource name>",
                "resourceGroupName": "<resource group>",
                "resourceProviderName": "Microsoft.Resourcehealth/healthevent/action",
                "status": "Active",
                "subscriptionId": "<subscription Id>",
                "submissionTimestamp": "2018-09-04T23:11:06.1607287+00:00",
                "resourceType": "Microsoft.Compute/virtualMachines"
            }
        }
    }
}
元素名稱 描述
status 用於度量警示。 針對活動記錄警示,一律設為「啟動」。
內容 事件的內容。
resourceProviderName 受影響資源的資源提供者。
conditionType 一律為「事件」。
NAME 警示規則的名稱。
id 警示的資源識別碼。
description 建立警示時,會設定警示描述。
subscriptionId Azure 訂用帳戶識別碼。
timestamp 處理要求的 Azure 服務產生事件的時間。
resourceId 受影響資源的資源識別碼。
resourceGroupName 受影響資源的資源群組的名稱。
properties 一組包含事件相關詳細資料的<Key, Value>配對 (也就是 Dictionary<String, String>)。
event 包含事件相關中繼資料的元素。
授權 事件的 Azure 角色型存取控制屬性。 這些屬性通常包括動作、角色和範圍。
category 事件的類別。 支援值包括「管理」、「警示」、「安全性」、「ServiceHealth」和「建議」。
呼叫者 已執行作業的使用者的電子郵件地址,根據可用性的 UPN 宣告或 SPN 宣告。 特定系統呼叫可為 Null。
correlationId 通常是字串格式的 GUID。 具有屬於同一個較大動作的 correlationId 的事件,且通常會共用 correlationId。
eventDescription 事件的靜態文字描述。
eventDataId 事件的唯一識別碼。
eventSource 產生事件的 Azure 服務或基礎結構的名稱。
httpRequest 要求通常包括 “clientRequestId”、“clientIpAddress” 和 HTTP “method” (例如 PUT)。
等級 下列其中一個值:Critical、Error、Warning 和 Informational。
operationId 通常是對應至單一作業的事件之間共用的 GUID。
operationName 作業名稱。
properties 事件的屬性。
status 字串。 作業的狀態。 常見的值包括︰「已啟動」、「進行中」、「成功」、「失敗」、「使用中」和「已解決」。
子狀態 通常包含對應 REST 呼叫的 HTTP 狀態碼。 它也可以包含其他描述子狀態的字串。 常見子狀態的值包括:確定 (HTTP 狀態碼︰200),已建立 (HTTP 狀態碼︰201)、接受 (HTTP 狀態碼︰202)、沒有內容 (HTTP 狀態碼︰204)、不正確的要求 (HTTP 狀態碼︰400)、找不到 (HTTP 狀態碼︰404),衝突 (HTTP 狀態碼︰409)、內部伺服器錯誤 (HTTP 狀態碼︰500)、服務無法使用 (HTTP 狀態碼︰503) 和閘道逾時 (HTTP 狀態碼︰504)。

如需了解所有其他活動記錄警示的特定結構詳細資料,請參閱 Azure 活動記錄的概觀

下一步