Using MSOMS Alerts with Remediation Runbooks


Microsoft recently put the Operations Management Suite (OMS) Alerts feature into public preview. The official announcement is here.

Besides alerting itself, one of the greatest features is the ability to trigger Azure Automation runbooks to remediate a possible issue found by an alert.

First of all, make sure you enable the feature since it is a preview:

image

Let’s create a simple alert that is guaranteed to be triggered, so that we have some data to look at. Suppose I want to be alerted when computers talk to more than 5 remote IPs. Ok, I know, it doesn’t make much sense, but I want a query that will surely return data, and not too much of it.

For example:

Type=WireData Direction=Outbound | measure count() by RemoteIP

Got some interesting numbers:

image

Now, let’s save this search, for future use:

image

After that, we can create the alert:

image

Notice you can pick the current search or a previously created search.

Next, you will need to pick a threshold and the time window for the query. The window can’t go back further than 60 minutes.

image

Notice also that OMS gives you a preview of the results. I love that!

Select the Subject and Recipient of the notification, should you need one, as below:

image

The next step is to set up some remediation:

image

If you look at the New Azure Portal, you will notice a webhook:

image

If you want your remediation to run on premises, through a Hybrid Runbook Worker, you will need to set it up here:

image

And there you have it. Once the alert is triggered, you will see the log:

image

Notice the Input:

image

And there is your data, in JSON format:

image

image

Now you can grab the data using standard Runbook procedure, as described here.
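As an added illustration (my own code, not from the original post or from Microsoft), here is a minimal remediation runbook that reads that JSON input for the query above and reports which remote IPs exceeded the threshold. The payload field names RequestBody, SearchResults.value, RemoteIP and AggregatedValue are assumptions about the legacy OMS alert format, so compare them with the Input shown in your own job log before relying on them.

```powershell
# Assumed payload shape: $WebhookData.RequestBody holds the OMS alert JSON, with
# SearchResults.value rows carrying RemoteIP and AggregatedValue (measure count()).
param(
    [Parameter(Mandatory = $false)]
    [object] $WebhookData
)

$threshold = 5   # same threshold the alert rule was configured with

if ($WebhookData -and $WebhookData.RequestBody) {
    # Real run: the JSON body delivered by the OMS alert webhook
    $rawBody = $WebhookData.RequestBody
} else {
    # Test run from the portal: constructed sample payload in the assumed shape
    $rawBody = @'
{
  "WorkspaceId": "00000000-0000-0000-0000-000000000000",
  "AlertRuleName": "Outbound RemoteIP count",
  "SearchQuery": "Type=WireData Direction=Outbound | measure count() by RemoteIP",
  "SearchResults": {
    "value": [
      { "RemoteIP": "203.0.113.10", "AggregatedValue": 12 },
      { "RemoteIP": "198.51.100.7", "AggregatedValue": 3 }
    ]
  }
}
'@
}

try {
    $alert = $rawBody | ConvertFrom-Json -ErrorAction Stop
} catch {
    # The webhook URL is the only secret protecting this entry point, so treat the
    # body as untrusted: record a malformed one and stop, never act on it.
    Write-Error "Webhook body is not valid JSON: $($_.Exception.Message)"
    return
}

Write-Output "Alert rule: $($alert.AlertRuleName) (workspace $($alert.WorkspaceId))"

# Only rows above the threshold are candidates for remediation
$offenders = @($alert.SearchResults.value | Where-Object { [int]$_.AggregatedValue -gt $threshold })
if ($offenders.Count -eq 0) {
    Write-Output "No RemoteIP exceeded $threshold connections; nothing to do."
    return
}
foreach ($row in $offenders) {
    # Replace this line with the remediation step appropriate for your environment
    Write-Output "RemoteIP $($row.RemoteIP) seen $($row.AggregatedValue) times (threshold $threshold)"
}
```

Running it without parameters from the Test pane uses the constructed sample, so you can check the parsing before wiring the runbook to the alert.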


Hope this helps!