One neat thing you can do with Log Analytics is that you can create alert definitions in Azure that fire when, for example, rows are returned in your Kusto query. Now, alerting is something that goes across all of Azure Resource Manager, but here I want to constrain our discussion to log search queries. That's what I'll actually do my demo on. However, this slide describes the object model for all Azure alerts, so let's make sure we understand it. In Azure, we define an alert rule where we specify what resource or resources we're examining and what signal logic we're concerned with. This could be a metric value, for instance CPU utilization on a virtual machine, or it could be an activity log event: fire the alert when a VM is in a stopped state. Or, as I mentioned, you can write a KQL (Kusto Query Language) query to serve as the signal logic and criteria. Once that criteria reaches fruition, as it were, in other words, once the alert rule is triggered, you then invoke what's called an action group, and these include things like traditional notifications as well as actions. I'll give you the options on that in the next slide, actually.

Now, in order to keep your compliance and keep alert of these alerts, you've got statuses. The alert has 1, 2, 3 states: New, Acknowledged, and Closed. So, this allows you and your team to track these alerts historically. You also can hinge other operations on alerts. For example, in Azure DevOps, you can configure a gate on your release pipeline to check whether there are any open alerts on those Azure resources that you're deploying to, and if so, that would stop the release from happening in Azure Pipelines. The action group's pretty powerful because it goes beyond simple email and text-based notifications. You can configure push notifications to your IT staff and development staff's mobile devices, and you can also run code, potentially to remediate the firing of that alert. Options for that include, say, a Python or a PowerShell script that you're hosting as an Azure Automation runbook. It could be a C# or JavaScript file that you're running in Azure Functions, or it could be a stepwise workflow that you've created in Logic Apps, you see?

There is an IT Service Management connector that you can optionally onboard in your subscription that, as long as your ITSM platform supports the connector, will allow the action group in Azure to create a new ticket automatically. And lastly, there is a generic option to do an HTTP or HTTP webhook. This allows you to call an API that's located within Azure or outside of Azure, and it's your generic option in order to do some kind of automation handling if any of the preceding options isn't what you need specifically.