steampipe plugin install azure

Table: azure_alert_management - Query Azure Alert Management using SQL

Azure Alert Management is a service within Microsoft Azure that offers a set of tools for monitoring and responding to issues across various Azure resources. It enables users to set up and manage alerts for resources such as virtual machines, databases, web applications, and more. The service helps maintain awareness of the health and performance of Azure resources and facilitates appropriate actions when predefined conditions are met.

Table Usage Guide

The azure_alert_management table provides insights into the alert management system within Microsoft Azure. As a system administrator, you can explore alert-specific details through this table, including alert status, severity, and associated metadata. Use it to identify and respond to potential issues across your Azure resources, ensuring optimal performance and security.

Important notes:

  • This table offers access to alert management details for the past 30 days. If no value is specified for the time_range qual in the where clause, the default is 1d (one day).
  • For improved performance, it is advised that you use the optional qual to limit the result set.
  • This table supports optional quals. Queries with optional quals are optimized to use Alert Management filters. Optional quals are supported for the following columns:
    • target_resource: Filter by the target resource (full ARM ID). The default value selects all resources.
    • target_resource_type: Filter by target resource type. The default value selects all resource types.
    • resource_group: Filter by target resource group name. The default value selects all resource groups.
    • alert_rule: Filter by a specific alert rule. The default value selects all rules.
    • smart_group_id: Filter the alerts list by the Smart Group ID. The default value is none.
    • sort_order: Sort the query results in ascending or descending order. The default value is 'desc' for time fields and 'asc' for others.
    • custom_time_range: Filter by a custom time range in the format <start-time>/<end-time>, with both times in ISO-8601 format. Permissible values are within 30 days of the query time. Either timeRange or customTimeRange can be used, but not both. The default is none.
    • sort_by: Sort the query results by input field. The default value is 'lastModifiedDateTime'. For available fields, refer to the API documentation.
    • monitor_service: Filter by the monitor service that generates the alert instance. The default value selects all services. For available services, refer to the API documentation.
    • monitor_condition: Filter by the monitor condition, which is either 'Fired' or 'Resolved'. The default value selects all conditions.
    • severity: Filter by severity. The default value selects all severities. For details, refer to the severity documentation.
    • alert_state: Filter by the state of the alert instance. The default value selects all states. For details, refer to the alert state documentation.
    • time_range: Filter by the time range, choosing from the values listed in the API documentation. The default value is 1 day.
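
As an added example (not part of the Steampipe documentation), the following query uses the custom_time_range qual to summarise the alerts that fired during a fixed incident window, broken down by monitor service and severity. The window dates are constructed placeholders and must fall within 30 days of when the query runs.

```sql
-- Added example (not from the Steampipe docs): summarise every alert that
-- fired during a fixed incident window, by monitor service and severity.
-- custom_time_range takes '<start-time>/<end-time>' in ISO-8601 and must lie
-- within 30 days of query time; the window below is a constructed placeholder.
-- Do not combine it with time_range: the API accepts only one of the two.
select
  monitor_service,
  severity,
  count(*) as alert_count,
  min(start_date_time) as first_seen,
  max(start_date_time) as last_seen
from
  azure_alert_management
where
  custom_time_range = '2024-05-01T00:00:00Z/2024-05-03T00:00:00Z'
  and monitor_condition = 'Fired'
group by
  monitor_service,
  severity
order by
  severity,
  alert_count desc;
```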

Examples

Basic info

List the alerts currently present across your Azure resources, together with their state and monitor condition. This gives an overview of the overall health of your alerts, helping you manage and respond to potential issues more effectively.

select
name,
id,
type,
target_resource,
signal_type,
alert_state,
monitor_condition
from
azure_alert_management;

List fired alerts

Explore which alerts have been triggered in your Azure environment to gain insights into potential issues or areas of concern. This helps in proactive problem management and maintaining system stability.

select
name,
id,
type,
signal_type,
alert_state,
monitor_service,
monitor_condition
from
azure_alert_management
where
monitor_condition = 'Fired';

List alerts within the last 7 days

Explore recent alerts by identifying those that have been generated within the last week. This is useful for maintaining awareness of recent activity and potential issues in your Azure environment.

select
name,
id,
target_resource,
target_resource_type,
alert_rule,
time_range
from
azure_alert_management
where
time_range = '7d';

List critical alerts

List the Sev0 (highest severity) alerts present in your Azure resources. This is useful for prioritizing and addressing the issues with the highest severity level first.

select
name,
id,
target_resource,
target_resource_type,
severity,
alert_state,
monitor_service
from
azure_alert_management
where
severity = 'Sev0';

List alerts of VMInsights monitoring service

This example allows users to identify any alerts associated with the VMInsights monitoring service in Azure. This can be useful for administrators who need to quickly assess the status and details of these alerts for troubleshooting or system management purposes.

select
name,
id,
target_resource,
monitor_service,
alert_rule,
alert_state,
source_created_id
from
azure_alert_management
where
monitor_service = 'VMInsights';

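As an added example (not part of the Steampipe documentation), the following query combines several of the optional quals described above to triage still-firing, unacknowledged security alerts from the past week, most severe first. The severity list is evaluated by Postgres after the API results are fetched, since severity supports only the '=' qual.

```sql
-- Added example (not from the Steampipe docs): triage unacknowledged,
-- still-firing Activity Log security alerts from the past week.
-- monitor_service, monitor_condition, alert_state and time_range are
-- optional quals, so they are passed to the Alert Management API as filters.
select
  name,
  severity,
  target_resource_name,
  target_resource_type,
  resource_group,
  start_date_time,
  smart_group_id
from
  azure_alert_management
where
  monitor_service = 'ActivityLogSecurity'
  and monitor_condition = 'Fired'
  and alert_state = 'AlertStateNew'
  and time_range = '7d'
  -- severity supports only the '=' operator as a qual, so this list is
  -- filtered by Postgres after the API results are fetched
  and severity in ('Sev0', 'Sev1')
order by
  severity,
  start_date_time desc;
```
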
Schema for azure_alert_management

Name | Type | Operators | Description
_ctx | jsonb | | Steampipe context in JSON form.
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource.
alert_rule | text | = | Rule (monitor) which fired the alert instance. Depending on the monitor service, this is either the ARM ID or the name of the rule.
alert_state | text | = | Alert object state, which can be modified by the user. Possible values include: 'AlertStateNew', 'AlertStateAcknowledged', 'AlertStateClosed'.
cloud_environment | text | | The Azure Cloud Environment.
context | text | | The context of the alert management.
custom_time_range | text | = | Filter by custom time range in the format <start-time>/<end-time>, where both times are in ISO-8601 format.
egress_config | text | | The egress config for the context management.
id | text | = | Azure resource ID.
last_modified_date_time | timestamp with time zone | | Last modification time (ISO-8601 format) of the alert instance.
last_modified_user_name | text | | User who last modified the alert; for monitor service updates the user is 'system', otherwise the name of the user.
monitor_condition | text | = | Can be 'Fired' or 'Resolved', which represents whether the underlying conditions have crossed the defined alert rule thresholds. Possible values include: 'Fired', 'Resolved'.
monitor_condition_resolved_date_time | timestamp with time zone | | Resolved time (ISO-8601 format) of the alert instance. This is updated when the monitor service resolves the alert instance because the rule condition is no longer met.
monitor_service | text | = | Monitor service on which the rule (monitor) is set. Possible values include: 'ApplicationInsights', 'ActivityLogAdministrative', 'ActivityLogSecurity', 'ActivityLogRecommendation', 'ActivityLogPolicy', 'ActivityLogAutoscale', 'LogAnalytics', 'Nagios', 'Platform', 'SCOM', 'ServiceHealth', 'SmartDetector', 'VMInsights', 'Zabbix', 'ResourceHealth'.
name | text | | A friendly name that identifies an Alert management service.
resource_group | text | = | The resource group which holds this resource.
severity | text | = | Severity of the alert, Sev0 being highest and Sev4 being lowest. Possible values include: 'Sev0', 'Sev1', 'Sev2', 'Sev3', 'Sev4'.
signal_type | text | | The type of signal the alert is based on, which could be metrics, logs or activity logs. Possible values include: 'Metric', 'Log', 'Unknown'.
smart_group_id | text | = | Unique ID of the smart group.
smart_grouping_reason | text | | Verbose reason describing why this alert instance was added to a smart group.
sort_by | text | = | Sort the query results by the given field; the default value is 'lastModifiedDateTime'.
sort_order | text | = | Sort order of the alert management results.
source_created_id | text | | Unique ID created by the monitor service for each alert instance. This can be used to track the issue at the monitor service, for example Nagios, Zabbix or SCOM.
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name.
sp_ctx | jsonb | | Steampipe context in JSON form.
start_date_time | timestamp with time zone | | Creation time (ISO-8601 format) of the alert instance.
subscription_id | text | =, !=, ~~, ~~*, !~~, !~~* | The Azure Subscription ID in which the resource is located.
target_resource | text | = | Target ARM resource on which the alert was created.
target_resource_name | text | | Name of the target ARM resource on which the alert was created.
target_resource_type | text | = | Resource type of the target ARM resource on which the alert was created.
time_range | text | = | Filter by time range. Possible values are '1h', '1d', '7d' or '30d'.
title | text | | Title of the resource.
type | text | | Type of the resource.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- azure

You can pass the configuration to the command with the --config argument:

steampipe_export_azure --config '<your_config>' azure_alert_management