Microsoft recently put the Operations Management Suite Alerts feature in public preview. The official announcement is here.
One of the greatest features along with alerting itself is the possibility of triggering Azure Automation runbooks to remediate a possible issue found by the alerts.
First of all, make sure you enable the feature since it is a preview:
Let’s create a simple alert that is sure to be triggered, in order to have some data. Suppose I want to be alerted when computers talk to more than 5 remote IPs. Ok, I know, it doesn’t make sense, but I want a query that will surely bring back data, and not a lot of it.
Type=WireData Direction=Outbound | measure count() by RemoteIP
Got some interesting numbers:
Now, let’s save this search, for future use:
Notice you can pick the current search or a previously created search.
Next, you will need to pick a threshold and the window of time for the query. The window can’t go back more than 60 minutes.
Notice also that OMS gives you a preview of the results. I love that!
Select the Subject and Recipient of the notification, should you need one, as below:
The next step is to set up some remediation:
If you look at the New Azure Portal, you will notice a webhook:
If you want your remediation to run on premises, on a Hybrid Worker, you will need to set it up here:
And there you have it. Once the alert is triggered, you will see the log:
Notice the Input:
And there is your data, in a JSON format:
Now you can grab the data using standard Runbook procedure, as described here.
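As an added example (not code from the original post), here is a PowerShell runbook that reads the alert data from the webhook input and lists the remote IPs whose count is above a threshold. It assumes the search results arrive under SearchResults.value in the request body and that each row of the query above carries RemoteIP and AggregatedValue fields; check both against the Input shown in your own job log. The $Threshold value is also an assumption.

```powershell
# Added example runbook, not the post's own code.
param (
    [Parameter(Mandatory = $false)]
    [object] $WebhookData
)

# Assumption: report any remote IP counted more than this many times in the window.
$Threshold = 5

if ($null -eq $WebhookData) {
    throw "No WebhookData: this runbook is meant to be started by the OMS alert webhook."
}

# The webhook passes the alert payload as a JSON string in RequestBody.
try {
    $payload = $WebhookData.RequestBody | ConvertFrom-Json
}
catch {
    throw "RequestBody is not valid JSON: $($_.Exception.Message)"
}

# Assumption: result rows sit under SearchResults.value. Drop null entries.
$rows = @($payload.SearchResults.value | Where-Object { $_ })
if ($rows.Count -eq 0) {
    Write-Output "Alert payload contained no search results."
    return
}

foreach ($row in $rows) {
    # Treat the payload as untrusted input: the webhook URL is the only
    # credential, so validate every field before acting on it.
    $ip = $null
    $count = 0
    $ipOk = [System.Net.IPAddress]::TryParse([string]$row.RemoteIP, [ref]$ip)
    $countOk = [int]::TryParse([string]$row.AggregatedValue, [ref]$count)

    if (-not ($ipOk -and $countOk)) {
        Write-Warning "Skipping row with an unexpected RemoteIP or AggregatedValue."
        continue
    }

    if ($count -gt $Threshold) {
        # Remediation would go here; this example only reports.
        Write-Output ("Remote IP {0} seen {1} times in the alert window" -f $ip, $count)
    }
}
```

Anyone who holds the webhook URL can start the runbook with a payload of their choosing, which is why the fields are validated before use.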
Hope this helps!