diff --git a/patterns/alz/policyDefinitions/policies-Compute.json b/patterns/alz/policyDefinitions/policies-Compute.json index c6574515c..da4dd143b 100644 --- a/patterns/alz/policyDefinitions/policies-Compute.json +++ b/patterns/alz/policyDefinitions/policies-Compute.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.33.13.18514", - "templateHash": "12409927451780141086" + "templateHash": "10009254483749121546" } }, "parameters": { @@ -115,8 +115,8 @@ "input": "[json(variables('processPolicySetDefinitionsAzureUSGovernment')[copyIndex('policySetDefinitionsAzureUSGovernment')])]" } ], - "$fxv#0": "{\r\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\r\n \"apiVersion\": \"2021-06-01\",\r\n \"name\": \"Deploy_VM_dataDiskReadLatency_Alert\",\r\n \"properties\": {\r\n \"policyType\": \"Custom\",\r\n \"mode\": \"All\",\r\n \"displayName\": \"Deploy Azure VM Data Disk Read Latency Alert\",\r\n \"description\": \"Policy to audit/deploy Azure VM dataDiskReadLatency Alert\",\r\n \"metadata\": {\r\n \"version\": \"1.8.0\",\r\n \"category\": \"Compute\",\r\n \"source\": \"https://github.com/Azure/azure-monitor-baseline-alerts/\",\r\n \"alzCloudEnvironments\": [\r\n \"AzureCloud\"\r\n ],\r\n \"_deployed_by_amba\": \"True\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Name\",\r\n \"description\": \"Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"rg-amba-monitoring-001\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"Object\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Tags\",\r\n \"description\": \"Tags on the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": {\r\n \"Project\": \"amba-monitoring\"\r\n }\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Location\",\r\n \"description\": \"Location of the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"centralus\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\",\r\n \"defaultValue\": \"\",\r\n \"metadata\": {\r\n \"description\": \"The resource Id of the user assigned managed identity.\",\r\n \"displayName\": \"User Assigned managed Identity resource Id.\"\r\n }\r\n },\r\n \"severity\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Severity\",\r\n \"description\": \"Severity of the Alert\"\r\n },\r\n \"allowedValues\": [\r\n \"0\",\r\n \"1\",\r\n \"2\",\r\n \"3\",\r\n \"4\"\r\n ],\r\n \"defaultValue\": \"2\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Operator\"\r\n },\r\n \"allowedValues\": [\r\n \"GreaterThan\"\r\n ],\r\n \"defaultValue\": \"GreaterThan\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"TimeAggregation\"\r\n },\r\n \"allowedValues\": [\r\n \"Count\"\r\n ],\r\n \"defaultValue\": \"Count\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Window Size\",\r\n \"description\": \"Window size for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\",\r\n \"PT6H\",\r\n \"PT12H\",\r\n \"PT24H\"\r\n ],\r\n \"defaultValue\": \"PT15M\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Frequency\",\r\n \"description\": \"Evaluation frequency for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\"\r\n ],\r\n \"defaultValue\": \"PT5M\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Mitigate\",\r\n \"description\": \"Auto Mitigate for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Require a workspace linked storage\",\r\n \"description\": \"Don't create the alert rule if the Log Analytics workspace doesn't have a configured linked storage account (relevant if you're using Customer Managed Keys).\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"false\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve time for the alert in ISO 8601 format\"\r\n },\r\n \"defaultValue\": \"true\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Alert State\",\r\n \"description\": \"Alert state for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Threshold\",\r\n \"description\": \"Threshold for the alert\"\r\n },\r\n \"defaultValue\": \"30\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Failing Periods\",\r\n \"description\": \"Number of failing periods before alert is fired\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Periods\",\r\n \"description\": \"The number of aggregated lookback points.\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"computersToInclude\": {\r\n \"type\": \"array\",\r\n \"metadata\": {\r\n \"displayName\": \"Computers to be included to be monitored\",\r\n \"description\": \"Array of Computer to be monitored\"\r\n },\r\n \"defaultValue\": [\r\n \"*\"\r\n ]\r\n },\r\n \"effect\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Effect\",\r\n \"description\": \"Effect of the policy\"\r\n },\r\n \"allowedValues\": [\r\n \"deployIfNotExists\",\r\n \"disabled\"\r\n ],\r\n \"defaultValue\": \"deployIfNotExists\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag name\",\r\n \"description\": \"Tag name to disable monitoring. Set to true if monitoring should be disabled\"\r\n },\r\n \"defaultValue\": \"MonitorDisable\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag values(s)\",\r\n \"description\": \"Tag value(s) used to disable monitoring at the resource level. Set to true if monitoring should be disabled.\"\r\n },\r\n \"defaultValue\": [\r\n \"true\",\r\n \"Test\",\r\n \"Dev\",\r\n \"Sandbox\"\r\n ]\r\n }\r\n },\r\n \"policyRule\": {\r\n \"if\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"type\",\r\n \"equals\": \"Microsoft.Compute/virtualMachines\"\r\n },\r\n {\r\n \"field\": \"[[concat('tags[', parameters('MonitorDisableTagName'), ']')]\",\r\n \"notIn\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n ]\r\n },\r\n \"then\": {\r\n \"effect\": \"[[parameters('effect')]\",\r\n \"details\": {\r\n \"roleDefinitionIds\": [\r\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\r\n ],\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"existenceScope\": \"resourceGroup\",\r\n \"resourceGroupName\": \"[[parameters('alertResourceGroupName')]\",\r\n \"deploymentScope\": \"subscription\",\r\n \"existenceCondition\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/displayName\",\r\n \"equals\": \"[[concat(subscription().displayName, '-VMHighDataDiskReadLatencyAlert')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/scopes[*]\",\r\n \"equals\": \"[[subscription().id]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/enabled\",\r\n \"equals\": \"[[parameters('enabled')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/evaluationFrequency\",\r\n \"equals\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/windowSize\",\r\n \"equals\": \"[[parameters('windowSize')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/severity\",\r\n \"equals\": \"[[parameters('severity')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/autoMitigate\",\r\n \"equals\": \"[[parameters('autoMitigate')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/checkWorkspaceAlertsStorageConfigured\",\r\n \"equals\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].operator\",\r\n \"equals\": \"[[parameters('operator')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].timeAggregation\",\r\n \"equals\": \"[[parameters('timeAggregation')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.numberOfEvaluationPeriods\",\r\n \"equals\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.minFailingPeriodsToAlert\",\r\n \"equals\": \"[[parameters('failingPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].query\",\r\n \"equals\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.Compute/virtualMachines\\\" | where isempty(properties.virtualMachineScaleSet) | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.Compute/virtualMachines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"LogicalDisk\\\" and Name == \\\"ReadLatencyMs\\\" | extend Disk=tostring(todynamic(Tags)[\\\"vm.azm.ms/mountId\\\"]) | where Disk !in (\\\"C:\\\", \\\"/\\\") | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, Disk | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend excludedLogicalVolumes = iif(isnotempty(resourceTags.[\\\"{4}\\\"]),resourceTags.[\\\"{4}\\\"], \\\"No logical volumes excluded\\\") | where excludedLogicalVolumes !has Disk | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue > appliedThreshold | project TimeGenerated, Computer, _ResourceId, Disk, AggregatedValue, appliedThreshold, excludedLogicalVolumes', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-ReadLatencyMs-Data-threshold-Override_', '_amba-ExcludedLogicalVolumes-ReadLatency_')]\"\r\n },\r\n {\r\n \"field\": \"identity.userAssignedIdentities\",\r\n \"containsKey\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n ]\r\n },\r\n \"deployment\": {\r\n \"location\": \"northeurope\",\r\n \"properties\": {\r\n \"mode\": \"incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"object\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n },\r\n \"severity\": {\r\n \"type\": \"String\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"computersToInclude\": {\r\n \"type\": \"array\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Resources/resourceGroups\",\r\n \"apiVersion\": \"2021-04-01\",\r\n \"name\": \"[[parameters('alertResourceGroupName')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"tags\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n {\r\n \"type\": \"Microsoft.Resources/deployments\",\r\n \"apiVersion\": \"2019-10-01\",\r\n \"name\": \"VMdataDiskReadLatencyAlert\",\r\n \"resourceGroup\": \"[[parameters('alertResourceGroupName')]\",\r\n \"dependsOn\": [\r\n \"[[concat('Microsoft.Resources/resourceGroups/', parameters('alertResourceGroupName'))]\"\r\n ],\r\n \"properties\": {\r\n \"mode\": \"Incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"apiVersion\": \"2022-08-01-preview\",\r\n \"name\": \"[[concat(subscription().displayName, '-VMHighDataDiskReadLatencyAlert')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"identity\": {\r\n \"type\": \"UserAssigned\",\r\n \"userAssignedIdentities\": {\r\n \"[[parameters('UAMIResourceId')]\": {}\r\n }\r\n },\r\n \"tags\": {\r\n \"_deployed_by_amba\": true\r\n },\r\n \"properties\": {\r\n \"displayName\": \"[[concat(subscription().displayName, '-VMHighDataDiskReadLatencyAlert')]\",\r\n \"description\": \"Log Alert for Virtual Machine dataDiskReadLatency\",\r\n \"severity\": \"[[parameters('severity')]\",\r\n \"enabled\": \"[[parameters('enabled')]\",\r\n \"scopes\": [\r\n \"[[subscription().Id]\"\r\n ],\r\n \"targetResourceTypes\": [\r\n \"Microsoft.Compute/virtualMachines\"\r\n ],\r\n \"evaluationFrequency\": \"[[parameters('evaluationFrequency')]\",\r\n \"windowSize\": \"[[parameters('windowSize')]\",\r\n \"criteria\": {\r\n \"allOf\": [\r\n {\r\n \"query\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.Compute/virtualMachines\\\" | where isempty(properties.virtualMachineScaleSet) | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.Compute/virtualMachines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"LogicalDisk\\\" and Name == \\\"ReadLatencyMs\\\" | extend Disk=tostring(todynamic(Tags)[\\\"vm.azm.ms/mountId\\\"]) | where Disk !in (\\\"C:\\\", \\\"/\\\") | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, Disk | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend excludedLogicalVolumes = iif(isnotempty(resourceTags.[\\\"{4}\\\"]),resourceTags.[\\\"{4}\\\"], \\\"No logical volumes excluded\\\") | where excludedLogicalVolumes !has Disk | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue > appliedThreshold | project TimeGenerated, Computer, _ResourceId, Disk, AggregatedValue, appliedThreshold, excludedLogicalVolumes', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-ReadLatencyMs-Data-threshold-Override_', '_amba-ExcludedLogicalVolumes-ReadLatency_')]\",\r\n \"threshold\": 0,\r\n \"operator\": \"[[parameters('operator')]\",\r\n \"resourceIdColumn\": \"_ResourceId\",\r\n \"timeAggregation\": \"[[parameters('timeAggregation')]\",\r\n \"dimensions\": [\r\n {\r\n \"name\": \"Computer\",\r\n \"operator\": \"Include\",\r\n \"values\": \"[[parameters('computersToInclude')]\"\r\n },\r\n {\r\n \"name\": \"Disk\",\r\n \"operator\": \"Include\",\r\n \"values\": [\r\n \"*\"\r\n ]\r\n }\r\n ],\r\n \"failingPeriods\": {\r\n \"numberOfEvaluationPeriods\": \"[[parameters('evaluationPeriods')]\",\r\n \"minFailingPeriodsToAlert\": \"[[parameters('failingPeriods')]\"\r\n }\r\n }\r\n ]\r\n },\r\n \"autoMitigate\": \"[[parameters('autoMitigate')]\",\r\n \"checkWorkspaceAlertsStorageConfigured\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\",\r\n \"ruleResolveConfiguration\": {\r\n \"autoResolved\": \"[[parameters('autoResolve')]\",\r\n \"timeToResolve\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"computersToInclude\": {\r\n \"value\": \"[[parameters('computersToInclude')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"value\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"operator\": {\r\n \"value\": \"[[parameters('operator')]\"\r\n },\r\n \"timeAggregation\": {\r\n \"value\": \"[[parameters('timeAggregation')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"computersToInclude\": {\r\n \"value\": \"[[parameters('computersToInclude')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n}\r\n", - "$fxv#1": "{\r\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\r\n \"apiVersion\": \"2021-06-01\",\r\n \"name\": \"Deploy_VM_dataDiskSpace_Alert\",\r\n \"properties\": {\r\n \"policyType\": \"Custom\",\r\n \"mode\": \"All\",\r\n \"displayName\": \"Deploy Azure VM Data Disk Space Alert\",\r\n \"description\": \"Policy to audit/deploy Azure VM data Disk Space Alert\",\r\n \"metadata\": {\r\n \"version\": \"1.8.0\",\r\n \"category\": \"Compute\",\r\n \"source\": \"https://github.com/Azure/azure-monitor-baseline-alerts/\",\r\n \"alzCloudEnvironments\": [\r\n \"AzureCloud\"\r\n ],\r\n \"_deployed_by_amba\": \"True\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Name\",\r\n \"description\": \"Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"rg-amba-monitoring-001\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"Object\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Tags\",\r\n \"description\": \"Tags on the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": {\r\n \"Project\": \"amba-monitoring\"\r\n }\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Location\",\r\n \"description\": \"Location of the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"centralus\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\",\r\n \"defaultValue\": \"\",\r\n \"metadata\": {\r\n \"description\": \"The resource Id of the user assigned managed identity.\",\r\n \"displayName\": \"User Assigned managed Identity resource Id.\"\r\n }\r\n },\r\n \"severity\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Severity\",\r\n \"description\": \"Severity of the Alert\"\r\n },\r\n \"allowedValues\": [\r\n \"0\",\r\n \"1\",\r\n \"2\",\r\n \"3\",\r\n \"4\"\r\n ],\r\n \"defaultValue\": \"2\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Operator\"\r\n },\r\n \"allowedValues\": [\r\n \"GreaterThan\"\r\n ],\r\n \"defaultValue\": \"GreaterThan\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"TimeAggregation\"\r\n },\r\n \"allowedValues\": [\r\n \"Count\"\r\n ],\r\n \"defaultValue\": \"Count\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Window Size\",\r\n \"description\": \"Window size for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\",\r\n \"PT6H\",\r\n \"PT12H\",\r\n \"PT24H\"\r\n ],\r\n \"defaultValue\": \"PT15M\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Frequency\",\r\n \"description\": \"Evaluation frequency for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\"\r\n ],\r\n \"defaultValue\": \"PT5M\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Mitigate\",\r\n \"description\": \"Auto Mitigate for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Require a workspace linked storage\",\r\n \"description\": \"Don't create the alert rule if the Log Analytics workspace doesn't have a configured linked storage account (relevant if you're using Customer Managed Keys).\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"false\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve time for the alert in ISO 8601 format\"\r\n },\r\n \"defaultValue\": \"true\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Alert State\",\r\n \"description\": \"Alert state for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Threshold\",\r\n \"description\": \"Threshold for the alert\"\r\n },\r\n \"defaultValue\": \"10\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Failing Periods\",\r\n \"description\": \"Number of failing periods before alert is fired\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Periods\",\r\n \"description\": \"The number of aggregated lookback points.\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"computersToInclude\": {\r\n \"type\": \"array\",\r\n \"metadata\": {\r\n \"displayName\": \"Computers to be included to be monitored\",\r\n \"description\": \"Array of Computer to be monitored\"\r\n },\r\n \"defaultValue\": [\r\n \"*\"\r\n ]\r\n },\r\n \"effect\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Effect\",\r\n \"description\": \"Effect of the policy\"\r\n },\r\n \"allowedValues\": [\r\n \"deployIfNotExists\",\r\n \"disabled\"\r\n ],\r\n \"defaultValue\": \"deployIfNotExists\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag name\",\r\n \"description\": \"Tag name to disable monitoring. Set to true if monitoring should be disabled\"\r\n },\r\n \"defaultValue\": \"MonitorDisable\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag values(s)\",\r\n \"description\": \"Tag value(s) used to disable monitoring at the resource level. Set to true if monitoring should be disabled.\"\r\n },\r\n \"defaultValue\": [\r\n \"true\",\r\n \"Test\",\r\n \"Dev\",\r\n \"Sandbox\"\r\n ]\r\n }\r\n },\r\n \"policyRule\": {\r\n \"if\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"type\",\r\n \"equals\": \"Microsoft.Compute/virtualMachines\"\r\n },\r\n {\r\n \"field\": \"[[concat('tags[', parameters('MonitorDisableTagName'), ']')]\",\r\n \"notIn\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n ]\r\n },\r\n \"then\": {\r\n \"effect\": \"[[parameters('effect')]\",\r\n \"details\": {\r\n \"roleDefinitionIds\": [\r\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\r\n ],\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"existenceScope\": \"resourceGroup\",\r\n \"resourceGroupName\": \"[[parameters('alertResourceGroupName')]\",\r\n \"deploymentScope\": \"subscription\",\r\n \"existenceCondition\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/displayName\",\r\n \"equals\": \"[[concat(subscription().displayName, '-VMLowDataDiskSpaceAlert')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/scopes[*]\",\r\n \"equals\": \"[[subscription().id]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/enabled\",\r\n \"equals\": \"[[parameters('enabled')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/evaluationFrequency\",\r\n \"equals\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/windowSize\",\r\n \"equals\": \"[[parameters('windowSize')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/severity\",\r\n \"equals\": \"[[parameters('severity')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/autoMitigate\",\r\n \"equals\": \"[[parameters('autoMitigate')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/checkWorkspaceAlertsStorageConfigured\",\r\n \"equals\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].operator\",\r\n \"equals\": \"[[parameters('operator')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].timeAggregation\",\r\n \"equals\": \"[[parameters('timeAggregation')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.numberOfEvaluationPeriods\",\r\n \"equals\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.minFailingPeriodsToAlert\",\r\n \"equals\": \"[[parameters('failingPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].query\",\r\n \"equals\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.Compute/virtualMachines\\\" | where isempty(properties.virtualMachineScaleSet) | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.Compute/virtualMachines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"LogicalDisk\\\" and Name == \\\"FreeSpacePercentage\\\" | extend Disk=tostring(todynamic(Tags)[\\\"vm.azm.ms/mountId\\\"]) | where Disk !in (\\\"C:\\\", \\\"/\\\") | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, Disk | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend excludedLogicalVolumes = iif(isnotempty(resourceTags.[\\\"{4}\\\"]),resourceTags.[\\\"{4}\\\"], \\\"No logical volumes excluded\\\") | where excludedLogicalVolumes !has Disk | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue < appliedThreshold | project TimeGenerated, Computer, _ResourceId, Disk, AggregatedValue, appliedThreshold, excludedLogicalVolumes', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-FreeSpacePercentage-Data-threshold-Override_', '_amba-ExcludedLogicalVolumes-DiskSpace_')]\"\r\n },\r\n {\r\n \"field\": \"identity.userAssignedIdentities\",\r\n \"containsKey\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n ]\r\n },\r\n \"deployment\": {\r\n \"location\": \"northeurope\",\r\n \"properties\": {\r\n \"mode\": \"incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"object\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n },\r\n \"severity\": {\r\n \"type\": \"String\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"computersToInclude\": {\r\n \"type\": \"array\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Resources/resourceGroups\",\r\n \"apiVersion\": \"2021-04-01\",\r\n \"name\": \"[[parameters('alertResourceGroupName')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"tags\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n {\r\n \"type\": \"Microsoft.Resources/deployments\",\r\n \"apiVersion\": \"2019-10-01\",\r\n \"name\": \"VMdataDiskSpaceAlert\",\r\n \"resourceGroup\": \"[[parameters('alertResourceGroupName')]\",\r\n \"dependsOn\": [\r\n \"[[concat('Microsoft.Resources/resourceGroups/', parameters('alertResourceGroupName'))]\"\r\n ],\r\n \"properties\": {\r\n \"mode\": \"Incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"apiVersion\": \"2022-08-01-preview\",\r\n \"name\": \"[[concat(subscription().displayName, '-VMLowDataDiskSpaceAlert')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"identity\": {\r\n \"type\": \"UserAssigned\",\r\n \"userAssignedIdentities\": {\r\n \"[[parameters('UAMIResourceId')]\": {}\r\n }\r\n },\r\n \"tags\": {\r\n \"_deployed_by_amba\": true\r\n },\r\n \"properties\": {\r\n \"displayName\": \"[[concat(subscription().displayName, '-VMLowDataDiskSpaceAlert')]\",\r\n \"description\": \"Log Alert for Virtual Machine dataDiskSpace\",\r\n \"severity\": \"[[parameters('severity')]\",\r\n \"enabled\": \"[[parameters('enabled')]\",\r\n \"scopes\": [\r\n \"[[subscription().Id]\"\r\n ],\r\n \"targetResourceTypes\": [\r\n \"Microsoft.Compute/virtualMachines\"\r\n ],\r\n \"evaluationFrequency\": \"[[parameters('evaluationFrequency')]\",\r\n \"windowSize\": \"[[parameters('windowSize')]\",\r\n \"criteria\": {\r\n \"allOf\": [\r\n {\r\n \"query\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.Compute/virtualMachines\\\" | where isempty(properties.virtualMachineScaleSet) | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.Compute/virtualMachines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"LogicalDisk\\\" and Name == \\\"FreeSpacePercentage\\\" | extend Disk=tostring(todynamic(Tags)[\\\"vm.azm.ms/mountId\\\"]) | where Disk !in (\\\"C:\\\", \\\"/\\\") | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, Disk | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend excludedLogicalVolumes = iif(isnotempty(resourceTags.[\\\"{4}\\\"]),resourceTags.[\\\"{4}\\\"], \\\"No logical volumes excluded\\\") | where excludedLogicalVolumes !has Disk | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue < appliedThreshold | project TimeGenerated, Computer, _ResourceId, Disk, AggregatedValue, appliedThreshold, excludedLogicalVolumes', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-FreeSpacePercentage-Data-threshold-Override_', '_amba-ExcludedLogicalVolumes-DiskSpace_')]\",\r\n \"threshold\": 0,\r\n \"operator\": \"[[parameters('operator')]\",\r\n \"resourceIdColumn\": \"_ResourceId\",\r\n \"timeAggregation\": \"[[parameters('timeAggregation')]\",\r\n \"dimensions\": [\r\n {\r\n \"name\": \"Computer\",\r\n \"operator\": \"Include\",\r\n \"values\": \"[[parameters('computersToInclude')]\"\r\n },\r\n {\r\n \"name\": \"Disk\",\r\n \"operator\": \"Include\",\r\n \"values\": [\r\n \"*\"\r\n ]\r\n }\r\n ],\r\n \"failingPeriods\": {\r\n \"numberOfEvaluationPeriods\": \"[[parameters('evaluationPeriods')]\",\r\n \"minFailingPeriodsToAlert\": \"[[parameters('failingPeriods')]\"\r\n }\r\n }\r\n ]\r\n },\r\n \"autoMitigate\": \"[[parameters('autoMitigate')]\",\r\n \"checkWorkspaceAlertsStorageConfigured\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\",\r\n \"ruleResolveConfiguration\": {\r\n \"autoResolved\": \"[[parameters('autoResolve')]\",\r\n \"timeToResolve\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"computersToInclude\": {\r\n \"value\": \"[[parameters('computersToInclude')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"value\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"operator\": {\r\n \"value\": \"[[parameters('operator')]\"\r\n },\r\n \"timeAggregation\": {\r\n \"value\": \"[[parameters('timeAggregation')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"computersToInclude\": {\r\n \"value\": \"[[parameters('computersToInclude')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n}\r\n", + "$fxv#0": "{\r\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\r\n \"apiVersion\": \"2021-06-01\",\r\n \"name\": \"Deploy_VM_dataDiskReadLatency_Alert\",\r\n \"properties\": {\r\n \"policyType\": \"Custom\",\r\n \"mode\": \"All\",\r\n \"displayName\": \"Deploy Azure VM Data Disk Read Latency Alert\",\r\n \"description\": \"Policy to audit/deploy Azure VM dataDiskReadLatency Alert\",\r\n \"metadata\": {\r\n \"version\": \"1.8.0\",\r\n \"category\": \"Compute\",\r\n \"source\": \"https://github.com/Azure/azure-monitor-baseline-alerts/\",\r\n \"alzCloudEnvironments\": [\r\n \"AzureCloud\"\r\n ],\r\n \"_deployed_by_amba\": \"True\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Name\",\r\n \"description\": \"Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"rg-amba-monitoring-001\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"Object\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Tags\",\r\n \"description\": \"Tags on the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": {\r\n \"Project\": \"amba-monitoring\"\r\n }\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Location\",\r\n \"description\": \"Location of the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"centralus\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\",\r\n \"defaultValue\": \"\",\r\n \"metadata\": {\r\n \"description\": \"The resource Id of the user assigned managed identity.\",\r\n \"displayName\": \"User Assigned managed Identity resource Id.\"\r\n }\r\n },\r\n \"severity\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Severity\",\r\n \"description\": \"Severity of the Alert\"\r\n },\r\n \"allowedValues\": [\r\n \"0\",\r\n \"1\",\r\n \"2\",\r\n \"3\",\r\n \"4\"\r\n ],\r\n \"defaultValue\": \"2\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Operator\"\r\n },\r\n \"allowedValues\": [\r\n \"GreaterThan\"\r\n ],\r\n \"defaultValue\": \"GreaterThan\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"TimeAggregation\"\r\n },\r\n \"allowedValues\": [\r\n \"Count\"\r\n ],\r\n \"defaultValue\": \"Count\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Window Size\",\r\n \"description\": \"Window size for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\",\r\n \"PT6H\",\r\n \"PT12H\",\r\n \"PT24H\"\r\n ],\r\n \"defaultValue\": \"PT15M\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Frequency\",\r\n \"description\": \"Evaluation frequency for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\"\r\n ],\r\n \"defaultValue\": \"PT5M\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Mitigate\",\r\n \"description\": \"Auto Mitigate for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Require a workspace linked storage\",\r\n \"description\": \"Don't create the alert rule if the Log Analytics workspace doesn't have a configured linked storage account (relevant if you're using Customer Managed Keys).\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"false\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve time for the alert in ISO 8601 format\"\r\n },\r\n \"defaultValue\": \"true\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Alert State\",\r\n \"description\": \"Alert state for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Threshold\",\r\n \"description\": \"Threshold for the alert\"\r\n },\r\n \"defaultValue\": \"30\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Failing Periods\",\r\n \"description\": \"Number of failing periods before alert is fired\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Periods\",\r\n \"description\": \"The number of aggregated lookback points.\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"effect\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Effect\",\r\n \"description\": \"Effect of the policy\"\r\n },\r\n \"allowedValues\": [\r\n \"deployIfNotExists\",\r\n \"disabled\"\r\n ],\r\n \"defaultValue\": \"deployIfNotExists\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag name\",\r\n \"description\": \"Tag name to disable monitoring. Set to true if monitoring should be disabled\"\r\n },\r\n \"defaultValue\": \"MonitorDisable\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag values(s)\",\r\n \"description\": \"Tag value(s) used to disable monitoring at the resource level. Set to true if monitoring should be disabled.\"\r\n },\r\n \"defaultValue\": [\r\n \"true\",\r\n \"Test\",\r\n \"Dev\",\r\n \"Sandbox\"\r\n ]\r\n }\r\n },\r\n \"policyRule\": {\r\n \"if\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"type\",\r\n \"equals\": \"Microsoft.Compute/virtualMachines\"\r\n },\r\n {\r\n \"field\": \"[[concat('tags[', parameters('MonitorDisableTagName'), ']')]\",\r\n \"notIn\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n ]\r\n },\r\n \"then\": {\r\n \"effect\": \"[[parameters('effect')]\",\r\n \"details\": {\r\n \"roleDefinitionIds\": [\r\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\r\n ],\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"existenceScope\": \"resourceGroup\",\r\n \"resourceGroupName\": \"[[parameters('alertResourceGroupName')]\",\r\n \"deploymentScope\": \"subscription\",\r\n \"existenceCondition\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/displayName\",\r\n \"equals\": \"[[concat(subscription().displayName, '-VMHighDataDiskReadLatencyAlert')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/scopes[*]\",\r\n \"equals\": \"[[subscription().id]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/enabled\",\r\n \"equals\": \"[[parameters('enabled')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/evaluationFrequency\",\r\n \"equals\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/windowSize\",\r\n \"equals\": \"[[parameters('windowSize')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/severity\",\r\n \"equals\": \"[[parameters('severity')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/autoMitigate\",\r\n \"equals\": \"[[parameters('autoMitigate')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/checkWorkspaceAlertsStorageConfigured\",\r\n \"equals\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].operator\",\r\n \"equals\": \"[[parameters('operator')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].timeAggregation\",\r\n \"equals\": \"[[parameters('timeAggregation')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.numberOfEvaluationPeriods\",\r\n \"equals\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.minFailingPeriodsToAlert\",\r\n \"equals\": \"[[parameters('failingPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].query\",\r\n \"equals\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.Compute/virtualMachines\\\" | where isempty(properties.virtualMachineScaleSet) | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.Compute/virtualMachines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"LogicalDisk\\\" and Name == \\\"ReadLatencyMs\\\" | extend Disk=tostring(todynamic(Tags)[\\\"vm.azm.ms/mountId\\\"]) | where Disk !in (\\\"C:\\\", \\\"/\\\") | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, Disk | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend excludedLogicalVolumes = iif(isnotempty(resourceTags.[\\\"{4}\\\"]),resourceTags.[\\\"{4}\\\"], \\\"No logical volumes excluded\\\") | where excludedLogicalVolumes !has Disk | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue > appliedThreshold | project TimeGenerated, Computer, _ResourceId, Disk, AggregatedValue, appliedThreshold, excludedLogicalVolumes', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-ReadLatencyMs-Data-threshold-Override_', '_amba-ExcludedLogicalVolumes-ReadLatency_')]\"\r\n },\r\n {\r\n \"field\": \"identity.userAssignedIdentities\",\r\n \"containsKey\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n ]\r\n },\r\n \"deployment\": {\r\n \"location\": \"northeurope\",\r\n \"properties\": {\r\n \"mode\": \"incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"object\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n },\r\n \"severity\": {\r\n \"type\": \"String\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Resources/resourceGroups\",\r\n \"apiVersion\": \"2021-04-01\",\r\n \"name\": \"[[parameters('alertResourceGroupName')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"tags\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n {\r\n \"type\": \"Microsoft.Resources/deployments\",\r\n \"apiVersion\": \"2019-10-01\",\r\n \"name\": \"VMdataDiskReadLatencyAlert\",\r\n \"resourceGroup\": \"[[parameters('alertResourceGroupName')]\",\r\n \"dependsOn\": [\r\n \"[[concat('Microsoft.Resources/resourceGroups/', parameters('alertResourceGroupName'))]\"\r\n ],\r\n \"properties\": {\r\n \"mode\": \"Incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"apiVersion\": \"2022-08-01-preview\",\r\n \"name\": \"[[concat(subscription().displayName, '-VMHighDataDiskReadLatencyAlert')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"identity\": {\r\n \"type\": \"UserAssigned\",\r\n \"userAssignedIdentities\": {\r\n \"[[parameters('UAMIResourceId')]\": {}\r\n }\r\n },\r\n \"tags\": {\r\n \"_deployed_by_amba\": true\r\n },\r\n \"properties\": {\r\n \"displayName\": \"[[concat(subscription().displayName, '-VMHighDataDiskReadLatencyAlert')]\",\r\n \"description\": \"Log Alert for Virtual Machine dataDiskReadLatency\",\r\n \"severity\": \"[[parameters('severity')]\",\r\n \"enabled\": \"[[parameters('enabled')]\",\r\n \"scopes\": [\r\n \"[[subscription().Id]\"\r\n ],\r\n \"targetResourceTypes\": [\r\n \"Microsoft.Compute/virtualMachines\"\r\n ],\r\n \"evaluationFrequency\": \"[[parameters('evaluationFrequency')]\",\r\n \"windowSize\": \"[[parameters('windowSize')]\",\r\n \"criteria\": {\r\n \"allOf\": [\r\n {\r\n \"query\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.Compute/virtualMachines\\\" | where isempty(properties.virtualMachineScaleSet) | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.Compute/virtualMachines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"LogicalDisk\\\" and Name == \\\"ReadLatencyMs\\\" | extend Disk=tostring(todynamic(Tags)[\\\"vm.azm.ms/mountId\\\"]) | where Disk !in (\\\"C:\\\", \\\"/\\\") | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, Disk | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend excludedLogicalVolumes = iif(isnotempty(resourceTags.[\\\"{4}\\\"]),resourceTags.[\\\"{4}\\\"], \\\"No logical volumes excluded\\\") | where excludedLogicalVolumes !has Disk | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue > appliedThreshold | project TimeGenerated, Computer, _ResourceId, Disk, AggregatedValue, appliedThreshold, excludedLogicalVolumes', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-ReadLatencyMs-Data-threshold-Override_', '_amba-ExcludedLogicalVolumes-ReadLatency_')]\",\r\n \"threshold\": 0,\r\n \"operator\": \"[[parameters('operator')]\",\r\n \"resourceIdColumn\": \"_ResourceId\",\r\n \"timeAggregation\": \"[[parameters('timeAggregation')]\",\r\n \"dimensions\": [\r\n {\r\n \"name\": \"Computer\",\r\n \"operator\": \"Include\",\r\n \"values\": [\r\n \"*\"\r\n ]\r\n },\r\n {\r\n \"name\": \"Disk\",\r\n \"operator\": \"Include\",\r\n \"values\": [\r\n \"*\"\r\n ]\r\n }\r\n ],\r\n \"failingPeriods\": {\r\n \"numberOfEvaluationPeriods\": \"[[parameters('evaluationPeriods')]\",\r\n \"minFailingPeriodsToAlert\": \"[[parameters('failingPeriods')]\"\r\n }\r\n }\r\n ]\r\n },\r\n \"autoMitigate\": \"[[parameters('autoMitigate')]\",\r\n \"checkWorkspaceAlertsStorageConfigured\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\",\r\n \"ruleResolveConfiguration\": {\r\n \"autoResolved\": \"[[parameters('autoResolve')]\",\r\n \"timeToResolve\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"value\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"operator\": {\r\n \"value\": \"[[parameters('operator')]\"\r\n },\r\n \"timeAggregation\": {\r\n \"value\": \"[[parameters('timeAggregation')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n}\r\n", + "$fxv#1": "{\r\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\r\n \"apiVersion\": \"2021-06-01\",\r\n \"name\": \"Deploy_VM_dataDiskSpace_Alert\",\r\n \"properties\": {\r\n \"policyType\": \"Custom\",\r\n \"mode\": \"All\",\r\n \"displayName\": \"Deploy Azure VM Data Disk Space Alert\",\r\n \"description\": \"Policy to audit/deploy Azure VM data Disk Space Alert\",\r\n \"metadata\": {\r\n \"version\": \"1.8.0\",\r\n \"category\": \"Compute\",\r\n \"source\": \"https://github.com/Azure/azure-monitor-baseline-alerts/\",\r\n \"alzCloudEnvironments\": [\r\n \"AzureCloud\"\r\n ],\r\n \"_deployed_by_amba\": \"True\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Name\",\r\n \"description\": \"Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"rg-amba-monitoring-001\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"Object\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Tags\",\r\n \"description\": \"Tags on the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": {\r\n \"Project\": \"amba-monitoring\"\r\n }\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Location\",\r\n \"description\": \"Location of the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"centralus\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\",\r\n \"defaultValue\": \"\",\r\n \"metadata\": {\r\n \"description\": \"The resource Id of the user assigned managed identity.\",\r\n \"displayName\": \"User Assigned managed Identity resource Id.\"\r\n }\r\n },\r\n \"severity\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Severity\",\r\n \"description\": \"Severity of the Alert\"\r\n },\r\n \"allowedValues\": [\r\n \"0\",\r\n \"1\",\r\n \"2\",\r\n \"3\",\r\n \"4\"\r\n ],\r\n \"defaultValue\": \"2\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Operator\"\r\n },\r\n \"allowedValues\": [\r\n \"GreaterThan\"\r\n ],\r\n \"defaultValue\": \"GreaterThan\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"TimeAggregation\"\r\n },\r\n \"allowedValues\": [\r\n \"Count\"\r\n ],\r\n \"defaultValue\": \"Count\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Window Size\",\r\n \"description\": \"Window size for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\",\r\n \"PT6H\",\r\n \"PT12H\",\r\n \"PT24H\"\r\n ],\r\n \"defaultValue\": \"PT15M\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Frequency\",\r\n \"description\": \"Evaluation frequency for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\"\r\n ],\r\n \"defaultValue\": \"PT5M\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Mitigate\",\r\n \"description\": \"Auto Mitigate for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Require a workspace linked storage\",\r\n \"description\": \"Don't create the alert rule if the Log Analytics workspace doesn't have a configured linked storage account (relevant if you're using Customer Managed Keys).\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"false\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve time for the alert in ISO 8601 format\"\r\n },\r\n \"defaultValue\": \"true\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Alert State\",\r\n \"description\": \"Alert state for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Threshold\",\r\n \"description\": \"Threshold for the alert\"\r\n },\r\n \"defaultValue\": \"10\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Failing Periods\",\r\n \"description\": \"Number of failing periods before alert is fired\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Periods\",\r\n \"description\": \"The number of aggregated lookback points.\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"effect\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Effect\",\r\n \"description\": \"Effect of the policy\"\r\n },\r\n \"allowedValues\": [\r\n \"deployIfNotExists\",\r\n \"disabled\"\r\n ],\r\n \"defaultValue\": \"deployIfNotExists\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag name\",\r\n \"description\": \"Tag name to disable monitoring. Set to true if monitoring should be disabled\"\r\n },\r\n \"defaultValue\": \"MonitorDisable\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag values(s)\",\r\n \"description\": \"Tag value(s) used to disable monitoring at the resource level. Set to true if monitoring should be disabled.\"\r\n },\r\n \"defaultValue\": [\r\n \"true\",\r\n \"Test\",\r\n \"Dev\",\r\n \"Sandbox\"\r\n ]\r\n }\r\n },\r\n \"policyRule\": {\r\n \"if\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"type\",\r\n \"equals\": \"Microsoft.Compute/virtualMachines\"\r\n },\r\n {\r\n \"field\": \"[[concat('tags[', parameters('MonitorDisableTagName'), ']')]\",\r\n \"notIn\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n ]\r\n },\r\n \"then\": {\r\n \"effect\": \"[[parameters('effect')]\",\r\n \"details\": {\r\n \"roleDefinitionIds\": [\r\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\r\n ],\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"existenceScope\": \"resourceGroup\",\r\n \"resourceGroupName\": \"[[parameters('alertResourceGroupName')]\",\r\n \"deploymentScope\": \"subscription\",\r\n \"existenceCondition\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/displayName\",\r\n \"equals\": \"[[concat(subscription().displayName, '-VMLowDataDiskSpaceAlert')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/scopes[*]\",\r\n \"equals\": \"[[subscription().id]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/enabled\",\r\n \"equals\": \"[[parameters('enabled')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/evaluationFrequency\",\r\n \"equals\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/windowSize\",\r\n \"equals\": \"[[parameters('windowSize')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/severity\",\r\n \"equals\": \"[[parameters('severity')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/autoMitigate\",\r\n \"equals\": \"[[parameters('autoMitigate')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/checkWorkspaceAlertsStorageConfigured\",\r\n \"equals\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].operator\",\r\n \"equals\": \"[[parameters('operator')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].timeAggregation\",\r\n \"equals\": \"[[parameters('timeAggregation')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.numberOfEvaluationPeriods\",\r\n \"equals\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.minFailingPeriodsToAlert\",\r\n \"equals\": \"[[parameters('failingPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].query\",\r\n \"equals\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.Compute/virtualMachines\\\" | where isempty(properties.virtualMachineScaleSet) | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.Compute/virtualMachines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"LogicalDisk\\\" and Name == \\\"FreeSpacePercentage\\\" | extend Disk=tostring(todynamic(Tags)[\\\"vm.azm.ms/mountId\\\"]) | where Disk !in (\\\"C:\\\", \\\"/\\\") | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, Disk | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend excludedLogicalVolumes = iif(isnotempty(resourceTags.[\\\"{4}\\\"]),resourceTags.[\\\"{4}\\\"], \\\"No logical volumes excluded\\\") | where excludedLogicalVolumes !has Disk | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue < appliedThreshold | project TimeGenerated, Computer, _ResourceId, Disk, AggregatedValue, appliedThreshold, excludedLogicalVolumes', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-FreeSpacePercentage-Data-threshold-Override_', '_amba-ExcludedLogicalVolumes-DiskSpace_')]\"\r\n },\r\n {\r\n \"field\": \"identity.userAssignedIdentities\",\r\n \"containsKey\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n ]\r\n },\r\n \"deployment\": {\r\n \"location\": \"northeurope\",\r\n \"properties\": {\r\n \"mode\": \"incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"object\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n },\r\n \"severity\": {\r\n \"type\": \"String\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Resources/resourceGroups\",\r\n \"apiVersion\": \"2021-04-01\",\r\n \"name\": \"[[parameters('alertResourceGroupName')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"tags\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n {\r\n \"type\": \"Microsoft.Resources/deployments\",\r\n \"apiVersion\": \"2019-10-01\",\r\n \"name\": \"VMdataDiskSpaceAlert\",\r\n \"resourceGroup\": \"[[parameters('alertResourceGroupName')]\",\r\n \"dependsOn\": [\r\n \"[[concat('Microsoft.Resources/resourceGroups/', parameters('alertResourceGroupName'))]\"\r\n ],\r\n \"properties\": {\r\n \"mode\": \"Incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"apiVersion\": \"2022-08-01-preview\",\r\n \"name\": \"[[concat(subscription().displayName, '-VMLowDataDiskSpaceAlert')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"identity\": {\r\n \"type\": \"UserAssigned\",\r\n \"userAssignedIdentities\": {\r\n \"[[parameters('UAMIResourceId')]\": {}\r\n }\r\n },\r\n \"tags\": {\r\n \"_deployed_by_amba\": true\r\n },\r\n \"properties\": {\r\n \"displayName\": \"[[concat(subscription().displayName, '-VMLowDataDiskSpaceAlert')]\",\r\n \"description\": \"Log Alert for Virtual Machine dataDiskSpace\",\r\n \"severity\": \"[[parameters('severity')]\",\r\n \"enabled\": \"[[parameters('enabled')]\",\r\n \"scopes\": [\r\n \"[[subscription().Id]\"\r\n ],\r\n \"targetResourceTypes\": [\r\n \"Microsoft.Compute/virtualMachines\"\r\n ],\r\n \"evaluationFrequency\": \"[[parameters('evaluationFrequency')]\",\r\n \"windowSize\": \"[[parameters('windowSize')]\",\r\n \"criteria\": {\r\n \"allOf\": [\r\n {\r\n \"query\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.Compute/virtualMachines\\\" | where isempty(properties.virtualMachineScaleSet) | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.Compute/virtualMachines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"LogicalDisk\\\" and Name == \\\"FreeSpacePercentage\\\" | extend Disk=tostring(todynamic(Tags)[\\\"vm.azm.ms/mountId\\\"]) | where Disk !in (\\\"C:\\\", \\\"/\\\") | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, Disk | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend excludedLogicalVolumes = iif(isnotempty(resourceTags.[\\\"{4}\\\"]),resourceTags.[\\\"{4}\\\"], \\\"No logical volumes excluded\\\") | where excludedLogicalVolumes !has Disk | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue < appliedThreshold | project TimeGenerated, Computer, _ResourceId, Disk, AggregatedValue, appliedThreshold, excludedLogicalVolumes', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-FreeSpacePercentage-Data-threshold-Override_', '_amba-ExcludedLogicalVolumes-DiskSpace_')]\",\r\n \"threshold\": 0,\r\n \"operator\": \"[[parameters('operator')]\",\r\n \"resourceIdColumn\": \"_ResourceId\",\r\n \"timeAggregation\": \"[[parameters('timeAggregation')]\",\r\n \"dimensions\": [\r\n {\r\n \"name\": \"Computer\",\r\n \"operator\": \"Include\",\r\n \"values\": [\r\n \"*\"\r\n ]\r\n },\r\n {\r\n \"name\": \"Disk\",\r\n \"operator\": \"Include\",\r\n \"values\": [\r\n \"*\"\r\n ]\r\n }\r\n ],\r\n \"failingPeriods\": {\r\n \"numberOfEvaluationPeriods\": \"[[parameters('evaluationPeriods')]\",\r\n \"minFailingPeriodsToAlert\": \"[[parameters('failingPeriods')]\"\r\n }\r\n }\r\n ]\r\n },\r\n \"autoMitigate\": \"[[parameters('autoMitigate')]\",\r\n \"checkWorkspaceAlertsStorageConfigured\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\",\r\n \"ruleResolveConfiguration\": {\r\n \"autoResolved\": \"[[parameters('autoResolve')]\",\r\n \"timeToResolve\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"value\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"operator\": {\r\n \"value\": \"[[parameters('operator')]\"\r\n },\r\n \"timeAggregation\": {\r\n \"value\": \"[[parameters('timeAggregation')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n}\r\n", "$fxv#10": "{\r\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\r\n \"apiVersion\": \"2021-06-01\",\r\n \"name\": \"Deploy_VM_Memory_Alert\",\r\n \"properties\": {\r\n \"policyType\": \"Custom\",\r\n \"mode\": \"All\",\r\n \"displayName\": \"Deploy Azure VM Memory Alert\",\r\n \"description\": \"Policy to audit/deploy Azure VM Memory Alert\",\r\n \"metadata\": {\r\n \"version\": \"1.7.0\",\r\n \"category\": \"Compute\",\r\n \"source\": \"https://github.com/Azure/azure-monitor-baseline-alerts/\",\r\n \"alzCloudEnvironments\": [\r\n \"AzureCloud\"\r\n ],\r\n \"_deployed_by_amba\": \"True\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Name\",\r\n \"description\": \"Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"rg-amba-monitoring-001\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"Object\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Tags\",\r\n \"description\": \"Tags on the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": {\r\n \"Project\": \"amba-monitoring\"\r\n }\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Location\",\r\n \"description\": \"Location of the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"centralus\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\",\r\n \"defaultValue\": \"\",\r\n \"metadata\": {\r\n \"description\": \"The resource Id of the user assigned managed identity.\",\r\n \"displayName\": \"User Assigned managed Identity resource Id.\"\r\n }\r\n },\r\n \"severity\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Severity\",\r\n \"description\": \"Severity of the Alert\"\r\n },\r\n \"allowedValues\": [\r\n \"0\",\r\n \"1\",\r\n \"2\",\r\n \"3\",\r\n \"4\"\r\n ],\r\n \"defaultValue\": \"2\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Operator\"\r\n },\r\n \"allowedValues\": [\r\n \"GreaterThan\"\r\n ],\r\n \"defaultValue\": \"GreaterThan\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"TimeAggregation\"\r\n },\r\n \"allowedValues\": [\r\n \"Count\"\r\n ],\r\n \"defaultValue\": \"Count\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Window Size\",\r\n \"description\": \"Window size for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\",\r\n \"PT6H\",\r\n \"PT12H\",\r\n \"PT24H\"\r\n ],\r\n \"defaultValue\": \"PT15M\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Frequency\",\r\n \"description\": \"Evaluation frequency for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\"\r\n ],\r\n \"defaultValue\": \"PT5M\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Mitigate\",\r\n \"description\": \"Auto Mitigate for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Require a workspace linked storage\",\r\n \"description\": \"Don't create the alert rule if the Log Analytics workspace doesn't have a configured linked storage account (relevant if you're using Customer Managed Keys).\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"false\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve time for the alert in ISO 8601 format\"\r\n },\r\n \"defaultValue\": \"true\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Alert State\",\r\n \"description\": \"Alert state for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Threshold\",\r\n \"description\": \"Threshold for the alert\"\r\n },\r\n \"defaultValue\": \"10\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Failing Periods\",\r\n \"description\": \"Number of failing periods before alert is fired\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Periods\",\r\n \"description\": \"The number of aggregated lookback points.\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"effect\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Effect\",\r\n \"description\": \"Effect of the policy\"\r\n },\r\n \"allowedValues\": [\r\n \"deployIfNotExists\",\r\n \"disabled\"\r\n ],\r\n \"defaultValue\": \"deployIfNotExists\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag name\",\r\n \"description\": \"Tag name to disable monitoring. Set to true if monitoring should be disabled\"\r\n },\r\n \"defaultValue\": \"MonitorDisable\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag values(s)\",\r\n \"description\": \"Tag value(s) used to disable monitoring at the resource level. Set to true if monitoring should be disabled.\"\r\n },\r\n \"defaultValue\": [\r\n \"true\",\r\n \"Test\",\r\n \"Dev\",\r\n \"Sandbox\"\r\n ]\r\n }\r\n },\r\n \"policyRule\": {\r\n \"if\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"type\",\r\n \"equals\": \"Microsoft.Compute/virtualMachines\"\r\n },\r\n {\r\n \"field\": \"[[concat('tags[', parameters('MonitorDisableTagName'), ']')]\",\r\n \"notIn\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n ]\r\n },\r\n \"then\": {\r\n \"effect\": \"[[parameters('effect')]\",\r\n \"details\": {\r\n \"roleDefinitionIds\": [\r\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\r\n ],\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"existenceScope\": \"resourceGroup\",\r\n \"resourceGroupName\": \"[[parameters('alertResourceGroupName')]\",\r\n \"deploymentScope\": \"subscription\",\r\n \"existenceCondition\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/displayName\",\r\n \"equals\": \"[[concat(subscription().displayName, '-VMLowMemoryAlert')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/scopes[*]\",\r\n \"equals\": \"[[subscription().id]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/enabled\",\r\n \"equals\": \"[[parameters('enabled')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/evaluationFrequency\",\r\n \"equals\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/windowSize\",\r\n \"equals\": \"[[parameters('windowSize')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/severity\",\r\n \"equals\": \"[[parameters('severity')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/autoMitigate\",\r\n \"equals\": \"[[parameters('autoMitigate')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/checkWorkspaceAlertsStorageConfigured\",\r\n \"equals\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].operator\",\r\n \"equals\": \"[[parameters('operator')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].timeAggregation\",\r\n \"equals\": \"[[parameters('timeAggregation')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.numberOfEvaluationPeriods\",\r\n \"equals\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.minFailingPeriodsToAlert\",\r\n \"equals\": \"[[parameters('failingPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].query\",\r\n \"equals\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.Compute/virtualMachines\\\" | where isempty(properties.virtualMachineScaleSet) | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.Compute/virtualMachines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"Memory\\\" and Name == \\\"AvailableMB\\\" | extend TotalMemory = toreal(todynamic(Tags)[\\\"vm.azm.ms/memorySizeMB\\\"]) | extend AvailableMemoryPercentage = (toreal(Val) / TotalMemory) * 100.0 | summarize AggregatedValue = avg(AvailableMemoryPercentage) by bin(TimeGenerated, 15m), Computer, _ResourceId | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue < appliedThreshold | project TimeGenerated, Computer, _ResourceId, AggregatedValue, appliedThreshold', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-AvailableMemoryPercentage-threshold-Override_')]\"\r\n },\r\n {\r\n \"field\": \"identity.userAssignedIdentities\",\r\n \"containsKey\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n ]\r\n },\r\n \"deployment\": {\r\n \"location\": \"northeurope\",\r\n \"properties\": {\r\n \"mode\": \"incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"object\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n },\r\n \"severity\": {\r\n \"type\": \"String\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Resources/resourceGroups\",\r\n \"apiVersion\": \"2021-04-01\",\r\n \"name\": \"[[parameters('alertResourceGroupName')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"tags\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n {\r\n \"type\": \"Microsoft.Resources/deployments\",\r\n \"apiVersion\": \"2019-10-01\",\r\n \"name\": \"VMMemoryAlert\",\r\n \"resourceGroup\": \"[[parameters('alertResourceGroupName')]\",\r\n \"dependsOn\": [\r\n \"[[concat('Microsoft.Resources/resourceGroups/', parameters('alertResourceGroupName'))]\"\r\n ],\r\n \"properties\": {\r\n \"mode\": \"Incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"apiVersion\": \"2022-08-01-preview\",\r\n \"name\": \"[[concat(subscription().displayName, '-VMLowMemoryAlert')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"identity\": {\r\n \"type\": \"UserAssigned\",\r\n \"userAssignedIdentities\": {\r\n \"[[parameters('UAMIResourceId')]\": {}\r\n }\r\n },\r\n \"tags\": {\r\n \"_deployed_by_amba\": true\r\n },\r\n \"properties\": {\r\n \"displayName\": \"[[concat(subscription().displayName, '-VMLowMemoryAlert')]\",\r\n \"description\": \"Log Alert for Virtual Machine Memory\",\r\n \"severity\": \"[[parameters('severity')]\",\r\n \"enabled\": \"[[parameters('enabled')]\",\r\n \"scopes\": [\r\n \"[[subscription().Id]\"\r\n ],\r\n \"targetResourceTypes\": [\r\n \"Microsoft.Compute/virtualMachines\"\r\n ],\r\n \"evaluationFrequency\": \"[[parameters('evaluationFrequency')]\",\r\n \"windowSize\": \"[[parameters('windowSize')]\",\r\n \"criteria\": {\r\n \"allOf\": [\r\n {\r\n \"query\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.Compute/virtualMachines\\\" | where isempty(properties.virtualMachineScaleSet) | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.Compute/virtualMachines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"Memory\\\" and Name == \\\"AvailableMB\\\" | extend TotalMemory = toreal(todynamic(Tags)[\\\"vm.azm.ms/memorySizeMB\\\"]) | extend AvailableMemoryPercentage = (toreal(Val) / TotalMemory) * 100.0 | summarize AggregatedValue = avg(AvailableMemoryPercentage) by bin(TimeGenerated, 15m), Computer, _ResourceId | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue < appliedThreshold | project TimeGenerated, Computer, _ResourceId, AggregatedValue, appliedThreshold', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-AvailableMemoryPercentage-threshold-Override_')]\",\r\n \"threshold\": 0,\r\n \"operator\": \"[[parameters('operator')]\",\r\n \"resourceIdColumn\": \"_ResourceId\",\r\n \"timeAggregation\": \"[[parameters('timeAggregation')]\",\r\n \"dimensions\": [\r\n {\r\n \"name\": \"Computer\",\r\n \"operator\": \"Include\",\r\n \"values\": [\r\n \"*\"\r\n ]\r\n }\r\n ],\r\n \"failingPeriods\": {\r\n \"numberOfEvaluationPeriods\": \"[[parameters('evaluationPeriods')]\",\r\n \"minFailingPeriodsToAlert\": \"[[parameters('failingPeriods')]\"\r\n }\r\n }\r\n ]\r\n },\r\n \"autoMitigate\": \"[[parameters('autoMitigate')]\",\r\n \"checkWorkspaceAlertsStorageConfigured\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\",\r\n \"ruleResolveConfiguration\": {\r\n \"autoResolved\": \"[[parameters('autoResolve')]\",\r\n \"timeToResolve\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"value\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"operator\": {\r\n \"value\": \"[[parameters('operator')]\"\r\n },\r\n \"timeAggregation\": {\r\n \"value\": \"[[parameters('timeAggregation')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n}\r\n", "$fxv#11": { "type": "Microsoft.Authorization/policySetDefinitions", @@ -335,16 +335,6 @@ "description": "Time Aggregation for the alert" } }, - "VMHeartBeatRGComputersToInclude": { - "type": "array", - "defaultValue": [ - "*" - ], - "metadata": { - "displayName": "VM Heart Beat RG Computers To Include", - "description": "Computers To Include for the alert" - } - }, "VMHeartBeatRGFailingPeriods": { "type": "string", "defaultValue": "1", @@ -499,16 +489,6 @@ "description": "Failing Periods for the alert" } }, - "VMNetworkInComputersToInclude": { - "type": "array", - "defaultValue": [ - "*" - ], - "metadata": { - "displayName": "VM Network In Computers To Include", - "description": "Computers To Include for the alert" - } - }, "VMNetworkOutAlertSeverity": { "type": "String", "defaultValue": "2", @@ -655,16 +635,6 @@ "description": "Failing Periods for the alert" } }, - "VMNetworkOutComputersToInclude": { - "type": "array", - "defaultValue": [ - "*" - ], - "metadata": { - "displayName": "VM Network Out Computers To Include", - "description": "Computers To Include for the alert" - } - }, "VMOSDiskReadLatencyAlertSeverity": { "type": "String", "defaultValue": "2", @@ -811,16 +781,6 @@ "description": "Failing Periods for the alert" } }, - "VMOSDiskReadLatencyComputersToInclude": { - "type": "array", - "defaultValue": [ - "*" - ], - "metadata": { - "displayName": "VM OS Disk Read Latency Computers To Include", - "description": "Computers To Include for the alert" - } - }, "VMOSDiskWriteLatencyAlertSeverity": { "type": "String", "defaultValue": "2", @@ -967,16 +927,6 @@ "description": "Failing Periods for the alert" } }, - "VMOSDiskWriteLatencyComputersToInclude": { - "type": "array", - "defaultValue": [ - "*" - ], - "metadata": { - "displayName": "VM OS Disk Write Latency Computers To Include", - "description": "Computers To Include for the alert" - } - }, "VMOSDiskSpaceAlertSeverity": { "type": "String", "defaultValue": "2", @@ -1123,16 +1073,6 @@ "description": "Failing Periods for the alert" } }, - "VMOSDiskSpaceComputersToInclude": { - "type": "array", - "defaultValue": [ - "*" - ], - "metadata": { - "displayName": "VM OS Disk Space Computers To Include", - "description": "Computers To Include for the alert" - } - }, "VMPercentCPUAlertSeverity": { "type": "String", "defaultValue": "2", @@ -1567,16 +1507,6 @@ "description": "Failing Periods for the alert" } }, - "VMDataDiskSpaceComputersToInclude": { - "type": "array", - "defaultValue": [ - "*" - ], - "metadata": { - "displayName": "VM Data Disk Space Computers To Include", - "description": "Computers To Include for the alert" - } - }, "VMDataDiskReadLatencyAlertSeverity": { "type": "String", "defaultValue": "2", @@ -1723,16 +1653,6 @@ "description": "Failing Periods for the alert" } }, - "VMDataDiskReadLatencyComputersToInclude": { - "type": "array", - "defaultValue": [ - "*" - ], - "metadata": { - "displayName": "VM Data Disk Read Latency Computers To Include", - "description": "Computers To Include for the alert" - } - }, "VMDataDiskWriteLatencyAlertSeverity": { "type": "String", "defaultValue": "2", @@ -1878,16 +1798,6 @@ "displayName": "VM Data Disk Write Latency Failing Periods", "description": "Failing Periods for the alert" } - }, - "VMDataDiskWriteLatencyComputersToInclude": { - "type": "array", - "defaultValue": [ - "*" - ], - "metadata": { - "displayName": "VM Data Disk Write Latency Computers To Include", - "description": "Computers To Include for the alert" - } } }, "policyDefinitions": [ @@ -2613,13 +2523,13 @@ "policyDefinitionGroups": null } }, - "$fxv#2": "{\r\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\r\n \"apiVersion\": \"2021-06-01\",\r\n \"name\": \"Deploy_VM_dataDiskWriteLatency_Alert\",\r\n \"properties\": {\r\n \"policyType\": \"Custom\",\r\n \"mode\": \"All\",\r\n \"displayName\": \"Deploy Azure VM Data Disk Write Latency Alert\",\r\n \"description\": \"Policy to audit/deploy Azure VM dataDiskWriteLatency Alert\",\r\n \"metadata\": {\r\n \"version\": \"1.8.0\",\r\n \"category\": \"Compute\",\r\n \"source\": \"https://github.com/Azure/azure-monitor-baseline-alerts/\",\r\n \"alzCloudEnvironments\": [\r\n \"AzureCloud\"\r\n ],\r\n \"_deployed_by_amba\": \"True\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Name\",\r\n \"description\": \"Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"rg-amba-monitoring-001\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"Object\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Tags\",\r\n \"description\": \"Tags on the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": {\r\n \"Project\": \"amba-monitoring\"\r\n }\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Location\",\r\n \"description\": \"Location of the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"centralus\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\",\r\n \"defaultValue\": \"\",\r\n \"metadata\": {\r\n \"description\": \"The resource Id of the user assigned managed identity.\",\r\n \"displayName\": \"User Assigned managed Identity resource Id.\"\r\n }\r\n },\r\n \"severity\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Severity\",\r\n \"description\": \"Severity of the Alert\"\r\n },\r\n \"allowedValues\": [\r\n \"0\",\r\n \"1\",\r\n \"2\",\r\n \"3\",\r\n \"4\"\r\n ],\r\n \"defaultValue\": \"2\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Operator\"\r\n },\r\n \"allowedValues\": [\r\n \"GreaterThan\"\r\n ],\r\n \"defaultValue\": \"GreaterThan\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"TimeAggregation\"\r\n },\r\n \"allowedValues\": [\r\n \"Count\"\r\n ],\r\n \"defaultValue\": \"Count\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Window Size\",\r\n \"description\": \"Window size for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\",\r\n \"PT6H\",\r\n \"PT12H\",\r\n \"PT24H\"\r\n ],\r\n \"defaultValue\": \"PT15M\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Frequency\",\r\n \"description\": \"Evaluation frequency for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\"\r\n ],\r\n \"defaultValue\": \"PT5M\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Mitigate\",\r\n \"description\": \"Auto Mitigate for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Require a workspace linked storage\",\r\n \"description\": \"Don't create the alert rule if the Log Analytics workspace doesn't have a configured linked storage account (relevant if you're using Customer Managed Keys).\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"false\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve time for the alert in ISO 8601 format\"\r\n },\r\n \"defaultValue\": \"true\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Alert State\",\r\n \"description\": \"Alert state for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Threshold\",\r\n \"description\": \"Threshold for the alert\"\r\n },\r\n \"defaultValue\": \"30\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Failing Periods\",\r\n \"description\": \"Number of failing periods before alert is fired\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Periods\",\r\n \"description\": \"The number of aggregated lookback points.\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"computersToInclude\": {\r\n \"type\": \"array\",\r\n \"metadata\": {\r\n \"displayName\": \"Computers to be included to be monitored\",\r\n \"description\": \"Array of Computer to be monitored\"\r\n },\r\n \"defaultValue\": [\r\n \"*\"\r\n ]\r\n },\r\n \"effect\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Effect\",\r\n \"description\": \"Effect of the policy\"\r\n },\r\n \"allowedValues\": [\r\n \"deployIfNotExists\",\r\n \"disabled\"\r\n ],\r\n \"defaultValue\": \"deployIfNotExists\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag name\",\r\n \"description\": \"Tag name to disable monitoring. Set to true if monitoring should be disabled\"\r\n },\r\n \"defaultValue\": \"MonitorDisable\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag values(s)\",\r\n \"description\": \"Tag value(s) used to disable monitoring at the resource level. Set to true if monitoring should be disabled.\"\r\n },\r\n \"defaultValue\": [\r\n \"true\",\r\n \"Test\",\r\n \"Dev\",\r\n \"Sandbox\"\r\n ]\r\n }\r\n },\r\n \"policyRule\": {\r\n \"if\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"type\",\r\n \"equals\": \"Microsoft.Compute/virtualMachines\"\r\n },\r\n {\r\n \"field\": \"[[concat('tags[', parameters('MonitorDisableTagName'), ']')]\",\r\n \"notIn\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n ]\r\n },\r\n \"then\": {\r\n \"effect\": \"[[parameters('effect')]\",\r\n \"details\": {\r\n \"roleDefinitionIds\": [\r\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\r\n ],\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"existenceScope\": \"resourceGroup\",\r\n \"resourceGroupName\": \"[[parameters('alertResourceGroupName')]\",\r\n \"deploymentScope\": \"subscription\",\r\n \"existenceCondition\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/displayName\",\r\n \"equals\": \"[[concat(subscription().displayName, '-VMHighDataDiskWriteLatencyAlert')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/scopes[*]\",\r\n \"equals\": \"[[subscription().id]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/enabled\",\r\n \"equals\": \"[[parameters('enabled')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/evaluationFrequency\",\r\n \"equals\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/windowSize\",\r\n \"equals\": \"[[parameters('windowSize')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/severity\",\r\n \"equals\": \"[[parameters('severity')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/autoMitigate\",\r\n \"equals\": \"[[parameters('autoMitigate')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/checkWorkspaceAlertsStorageConfigured\",\r\n \"equals\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].operator\",\r\n \"equals\": \"[[parameters('operator')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].timeAggregation\",\r\n \"equals\": \"[[parameters('timeAggregation')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.numberOfEvaluationPeriods\",\r\n \"equals\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.minFailingPeriodsToAlert\",\r\n \"equals\": \"[[parameters('failingPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].query\",\r\n \"equals\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.Compute/virtualMachines\\\" | where isempty(properties.virtualMachineScaleSet) | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.Compute/virtualMachines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"LogicalDisk\\\" and Name == \\\"WriteLatencyMs\\\" | extend Disk=tostring(todynamic(Tags)[\\\"vm.azm.ms/mountId\\\"]) | where Disk !in (\\\"C:\\\", \\\"/\\\") | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, Disk | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend excludedLogicalVolumes = iif(isnotempty(resourceTags.[\\\"{4}\\\"]),resourceTags.[\\\"{4}\\\"], \\\"No logical volumes excluded\\\") | where excludedLogicalVolumes !has Disk | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue > appliedThreshold | project TimeGenerated, Computer, _ResourceId, Disk, AggregatedValue, appliedThreshold, excludedLogicalVolumes', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-WriteLatencyMs-Data-threshold-Override_', '_amba-ExcludedLogicalVolumes-WriteLatency_')]\"\r\n },\r\n {\r\n \"field\": \"identity.userAssignedIdentities\",\r\n \"containsKey\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n ]\r\n },\r\n \"deployment\": {\r\n \"location\": \"northeurope\",\r\n \"properties\": {\r\n \"mode\": \"incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"object\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n },\r\n \"severity\": {\r\n \"type\": \"String\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"computersToInclude\": {\r\n \"type\": \"array\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Resources/resourceGroups\",\r\n \"apiVersion\": \"2021-04-01\",\r\n \"name\": \"[[parameters('alertResourceGroupName')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"tags\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n {\r\n \"type\": \"Microsoft.Resources/deployments\",\r\n \"apiVersion\": \"2019-10-01\",\r\n \"name\": \"VMdataDiskWriteLatencyAlert\",\r\n \"resourceGroup\": \"[[parameters('alertResourceGroupName')]\",\r\n \"dependsOn\": [\r\n \"[[concat('Microsoft.Resources/resourceGroups/', parameters('alertResourceGroupName'))]\"\r\n ],\r\n \"properties\": {\r\n \"mode\": \"Incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"apiVersion\": \"2022-08-01-preview\",\r\n \"name\": \"[[concat(subscription().displayName, '-VMHighDataDiskWriteLatencyAlert')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"identity\": {\r\n \"type\": \"UserAssigned\",\r\n \"userAssignedIdentities\": {\r\n \"[[parameters('UAMIResourceId')]\": {}\r\n }\r\n },\r\n \"tags\": {\r\n \"_deployed_by_amba\": true\r\n },\r\n \"properties\": {\r\n \"displayName\": \"[[concat(subscription().displayName, '-VMHighDataDiskWriteLatencyAlert')]\",\r\n \"description\": \"Log Alert for Virtual Machine dataDiskWriteLatency\",\r\n \"severity\": \"[[parameters('severity')]\",\r\n \"enabled\": \"[[parameters('enabled')]\",\r\n \"scopes\": [\r\n \"[[subscription().Id]\"\r\n ],\r\n \"targetResourceTypes\": [\r\n \"Microsoft.Compute/virtualMachines\"\r\n ],\r\n \"evaluationFrequency\": \"[[parameters('evaluationFrequency')]\",\r\n \"windowSize\": \"[[parameters('windowSize')]\",\r\n \"criteria\": {\r\n \"allOf\": [\r\n {\r\n \"query\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.Compute/virtualMachines\\\" | where isempty(properties.virtualMachineScaleSet) | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.Compute/virtualMachines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"LogicalDisk\\\" and Name == \\\"WriteLatencyMs\\\" | extend Disk=tostring(todynamic(Tags)[\\\"vm.azm.ms/mountId\\\"]) | where Disk !in (\\\"C:\\\", \\\"/\\\") | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, Disk | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend excludedLogicalVolumes = iif(isnotempty(resourceTags.[\\\"{4}\\\"]),resourceTags.[\\\"{4}\\\"], \\\"No logical volumes excluded\\\") | where excludedLogicalVolumes !has Disk | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue > appliedThreshold | project TimeGenerated, Computer, _ResourceId, Disk, AggregatedValue, appliedThreshold, excludedLogicalVolumes', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-WriteLatencyMs-Data-threshold-Override_', '_amba-ExcludedLogicalVolumes-WriteLatency_')]\",\r\n \"threshold\": 0,\r\n \"operator\": \"[[parameters('operator')]\",\r\n \"resourceIdColumn\": \"_ResourceId\",\r\n \"timeAggregation\": \"[[parameters('timeAggregation')]\",\r\n \"dimensions\": [\r\n {\r\n \"name\": \"Computer\",\r\n \"operator\": \"Include\",\r\n \"values\": \"[[parameters('computersToInclude')]\"\r\n },\r\n {\r\n \"name\": \"Disk\",\r\n \"operator\": \"Include\",\r\n \"values\": [\r\n \"*\"\r\n ]\r\n }\r\n ],\r\n \"failingPeriods\": {\r\n \"numberOfEvaluationPeriods\": \"[[parameters('evaluationPeriods')]\",\r\n \"minFailingPeriodsToAlert\": \"[[parameters('failingPeriods')]\"\r\n }\r\n }\r\n ]\r\n },\r\n \"autoMitigate\": \"[[parameters('autoMitigate')]\",\r\n \"checkWorkspaceAlertsStorageConfigured\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\",\r\n \"ruleResolveConfiguration\": {\r\n \"autoResolved\": \"[[parameters('autoResolve')]\",\r\n \"timeToResolve\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"computersToInclude\": {\r\n \"value\": \"[[parameters('computersToInclude')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"value\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"operator\": {\r\n \"value\": \"[[parameters('operator')]\"\r\n },\r\n \"timeAggregation\": {\r\n \"value\": \"[[parameters('timeAggregation')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"computersToInclude\": {\r\n \"value\": \"[[parameters('computersToInclude')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n}\r\n", - "$fxv#3": "{\r\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\r\n \"apiVersion\": \"2021-06-01\",\r\n \"name\": \"Deploy_VM_HeartBeat_Alert\",\r\n \"properties\": {\r\n \"policyType\": \"Custom\",\r\n \"mode\": \"All\",\r\n \"displayName\": \"Deploy Azure VM HeartBeat Alert\",\r\n \"description\": \"Policy to audit/deploy Azure VM HeartBeat Alert for all VMs in the subscription\",\r\n \"metadata\": {\r\n \"version\": \"1.7.0\",\r\n \"category\": \"Compute\",\r\n \"source\": \"https://github.com/Azure/azure-monitor-baseline-alerts/\",\r\n \"alzCloudEnvironments\": [\r\n \"AzureCloud\"\r\n ],\r\n \"_deployed_by_amba\": \"True\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Name\",\r\n \"description\": \"Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"rg-amba-monitoring-001\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"Object\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Tags\",\r\n \"description\": \"Tags on the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": {\r\n \"Project\": \"amba-monitoring\"\r\n }\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Location\",\r\n \"description\": \"Location of the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"centralus\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\",\r\n \"defaultValue\": \"\",\r\n \"metadata\": {\r\n \"description\": \"The resource Id of the user assigned managed identity.\",\r\n \"displayName\": \"User Assigned managed Identity resource Id.\"\r\n }\r\n },\r\n \"severity\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Severity\",\r\n \"description\": \"Severity of the Alert\"\r\n },\r\n \"allowedValues\": [\r\n \"0\",\r\n \"1\",\r\n \"2\",\r\n \"3\",\r\n \"4\"\r\n ],\r\n \"defaultValue\": \"1\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Operator\"\r\n },\r\n \"allowedValues\": [\r\n \"GreaterThan\"\r\n ],\r\n \"defaultValue\": \"GreaterThan\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"TimeAggregation\"\r\n },\r\n \"allowedValues\": [\r\n \"Count\"\r\n ],\r\n \"defaultValue\": \"Count\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Window Size\",\r\n \"description\": \"Window size for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\",\r\n \"PT6H\",\r\n \"PT12H\",\r\n \"PT24H\"\r\n ],\r\n \"defaultValue\": \"PT6H\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Frequency\",\r\n \"description\": \"Evaluation frequency for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\"\r\n ],\r\n \"defaultValue\": \"PT5M\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Mitigate\",\r\n \"description\": \"Auto Mitigate for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Require a workspace linked storage\",\r\n \"description\": \"Don't create the alert rule if the Log Analytics workspace doesn't have a configured linked storage account (relevant if you're using Customer Managed Keys).\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"false\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve time for the alert in ISO 8601 format\"\r\n },\r\n \"defaultValue\": \"true\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Alert State\",\r\n \"description\": \"Alert state for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Threshold\",\r\n \"description\": \"Threshold for the alert\"\r\n },\r\n \"defaultValue\": \"10\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Failing Periods\",\r\n \"description\": \"Number of failing periods before alert is fired\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Periods\",\r\n \"description\": \"The number of aggregated lookback points.\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"computersToInclude\": {\r\n \"type\": \"array\",\r\n \"metadata\": {\r\n \"displayName\": \"Computers to be included to be monitored\",\r\n \"description\": \"Array of Computer to be monitored\"\r\n },\r\n \"defaultValue\": [\r\n \"*\"\r\n ]\r\n },\r\n \"effect\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Effect\",\r\n \"description\": \"Effect of the policy\"\r\n },\r\n \"allowedValues\": [\r\n \"deployIfNotExists\",\r\n \"disabled\"\r\n ],\r\n \"defaultValue\": \"deployIfNotExists\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag name\",\r\n \"description\": \"Tag name to disable monitoring. Set to true if monitoring should be disabled\"\r\n },\r\n \"defaultValue\": \"MonitorDisable\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag values(s)\",\r\n \"description\": \"Tag value(s) used to disable monitoring at the resource level. Set to true if monitoring should be disabled.\"\r\n },\r\n \"defaultValue\": [\r\n \"true\",\r\n \"Test\",\r\n \"Dev\",\r\n \"Sandbox\"\r\n ]\r\n }\r\n },\r\n \"policyRule\": {\r\n \"if\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"type\",\r\n \"equals\": \"Microsoft.Compute/virtualMachines\"\r\n },\r\n {\r\n \"field\": \"[[concat('tags[', parameters('MonitorDisableTagName'), ']')]\",\r\n \"notIn\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n ]\r\n },\r\n \"then\": {\r\n \"effect\": \"[[parameters('effect')]\",\r\n \"details\": {\r\n \"roleDefinitionIds\": [\r\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\r\n ],\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"existenceScope\": \"resourceGroup\",\r\n \"resourceGroupName\": \"[[parameters('alertResourceGroupName')]\",\r\n \"deploymentScope\": \"subscription\",\r\n \"existenceCondition\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/displayName\",\r\n \"equals\": \"[[concat(subscription().displayName, '-VMHeartBeatAlert')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/scopes[*]\",\r\n \"equals\": \"[[subscription().id]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/enabled\",\r\n \"equals\": \"[[parameters('enabled')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/evaluationFrequency\",\r\n \"equals\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/windowSize\",\r\n \"equals\": \"[[parameters('windowSize')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/severity\",\r\n \"equals\": \"[[parameters('severity')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/autoMitigate\",\r\n \"equals\": \"[[parameters('autoMitigate')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/checkWorkspaceAlertsStorageConfigured\",\r\n \"equals\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].operator\",\r\n \"equals\": \"[[parameters('operator')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].timeAggregation\",\r\n \"equals\": \"[[parameters('timeAggregation')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.numberOfEvaluationPeriods\",\r\n \"equals\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.minFailingPeriodsToAlert\",\r\n \"equals\": \"[[parameters('failingPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].query\",\r\n \"equals\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.Compute/virtualMachines\\\" | where isempty(properties.virtualMachineScaleSet) | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); Heartbeat | where _ResourceId has \\\"Microsoft.Compute/virtualMachines\\\" | summarize TimeGenerated=max(TimeGenerated) by Computer, _ResourceId | extend Duration = datetime_diff(\\\"minute\\\",now(),TimeGenerated) | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where Duration > appliedThreshold | project TimeGenerated, Computer, _ResourceId, Duration, appliedThreshold', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-Heartbeat-threshold-Override_')]\"\r\n },\r\n {\r\n \"field\": \"identity.userAssignedIdentities\",\r\n \"containsKey\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n ]\r\n },\r\n \"deployment\": {\r\n \"location\": \"northeurope\",\r\n \"properties\": {\r\n \"mode\": \"incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"object\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n },\r\n \"severity\": {\r\n \"type\": \"String\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"computersToInclude\": {\r\n \"type\": \"array\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Resources/resourceGroups\",\r\n \"apiVersion\": \"2021-04-01\",\r\n \"name\": \"[[parameters('alertResourceGroupName')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"tags\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n {\r\n \"type\": \"Microsoft.Resources/deployments\",\r\n \"apiVersion\": \"2019-10-01\",\r\n \"name\": \"HeartBeatAlert\",\r\n \"resourceGroup\": \"[[parameters('alertResourceGroupName')]\",\r\n \"dependsOn\": [\r\n \"[[concat('Microsoft.Resources/resourceGroups/', parameters('alertResourceGroupName'))]\"\r\n ],\r\n \"properties\": {\r\n \"mode\": \"Incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"apiVersion\": \"2022-08-01-preview\",\r\n \"name\": \"[[concat(subscription().displayName, '-VMHeartBeatAlert')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"identity\": {\r\n \"type\": \"UserAssigned\",\r\n \"userAssignedIdentities\": {\r\n \"[[parameters('UAMIResourceId')]\": {}\r\n }\r\n },\r\n \"tags\": {\r\n \"_deployed_by_amba\": true\r\n },\r\n \"properties\": {\r\n \"displayName\": \"[[concat(subscription().displayName, '-VMHeartBeatAlert')]\",\r\n \"description\": \"Log Alert for Virtual Machine Heartbeat\",\r\n \"severity\": \"[[parameters('severity')]\",\r\n \"enabled\": \"[[parameters('enabled')]\",\r\n \"scopes\": [\r\n \"[[subscription().Id]\"\r\n ],\r\n \"targetResourceTypes\": [\r\n \"Microsoft.Compute/virtualMachines\"\r\n ],\r\n \"evaluationFrequency\": \"[[parameters('evaluationFrequency')]\",\r\n \"windowSize\": \"[[parameters('windowSize')]\",\r\n \"criteria\": {\r\n \"allOf\": [\r\n {\r\n \"query\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.Compute/virtualMachines\\\" | where isempty(properties.virtualMachineScaleSet) | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); Heartbeat | where _ResourceId has \\\"Microsoft.Compute/virtualMachines\\\" | summarize TimeGenerated=max(TimeGenerated) by Computer, _ResourceId | extend Duration = datetime_diff(\\\"minute\\\",now(),TimeGenerated) | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where Duration > appliedThreshold | project TimeGenerated, Computer, _ResourceId, Duration, appliedThreshold', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-Heartbeat-threshold-Override_')]\",\r\n \"threshold\": 0,\r\n \"operator\": \"[[parameters('operator')]\",\r\n \"resourceIdColumn\": \"_ResourceId\",\r\n \"timeAggregation\": \"[[parameters('timeAggregation')]\",\r\n \"dimensions\": [\r\n {\r\n \"name\": \"Computer\",\r\n \"operator\": \"Include\",\r\n \"values\": \"[[parameters('computersToInclude')]\"\r\n }\r\n ],\r\n \"failingPeriods\": {\r\n \"numberOfEvaluationPeriods\": \"[[parameters('evaluationPeriods')]\",\r\n \"minFailingPeriodsToAlert\": \"[[parameters('failingPeriods')]\"\r\n }\r\n }\r\n ]\r\n },\r\n \"autoMitigate\": \"[[parameters('autoMitigate')]\",\r\n \"checkWorkspaceAlertsStorageConfigured\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\",\r\n \"ruleResolveConfiguration\": {\r\n \"autoResolved\": \"[[parameters('autoResolve')]\",\r\n \"timeToResolve\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"computersToInclude\": {\r\n \"value\": \"[[parameters('computersToInclude')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"value\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"operator\": {\r\n \"value\": \"[[parameters('operator')]\"\r\n },\r\n \"timeAggregation\": {\r\n \"value\": \"[[parameters('timeAggregation')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"computersToInclude\": {\r\n \"value\": \"[[parameters('computersToInclude')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n}\r\n", - "$fxv#4": "{\r\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\r\n \"apiVersion\": \"2021-06-01\",\r\n \"name\": \"Deploy_VM_NetworkIn_Alert\",\r\n \"properties\": {\r\n \"policyType\": \"Custom\",\r\n \"mode\": \"All\",\r\n \"displayName\": \"Deploy Azure VM Network Read Alert\",\r\n \"description\": \"Policy to audit/deploy Azure VM Network Read Alert\",\r\n \"metadata\": {\r\n \"version\": \"1.7.0\",\r\n \"category\": \"Compute\",\r\n \"source\": \"https://github.com/Azure/azure-monitor-baseline-alerts/\",\r\n \"alzCloudEnvironments\": [\r\n \"AzureCloud\"\r\n ],\r\n \"_deployed_by_amba\": \"True\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Name\",\r\n \"description\": \"Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"rg-amba-monitoring-001\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"Object\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Tags\",\r\n \"description\": \"Tags on the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": {\r\n \"Project\": \"amba-monitoring\"\r\n }\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Location\",\r\n \"description\": \"Location of the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"centralus\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\",\r\n \"defaultValue\": \"\",\r\n \"metadata\": {\r\n \"description\": \"The resource Id of the user assigned managed identity.\",\r\n \"displayName\": \"User Assigned managed Identity resource Id.\"\r\n }\r\n },\r\n \"severity\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Severity\",\r\n \"description\": \"Severity of the Alert\"\r\n },\r\n \"allowedValues\": [\r\n \"0\",\r\n \"1\",\r\n \"2\",\r\n \"3\",\r\n \"4\"\r\n ],\r\n \"defaultValue\": \"2\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Operator\"\r\n },\r\n \"allowedValues\": [\r\n \"GreaterThan\"\r\n ],\r\n \"defaultValue\": \"GreaterThan\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"TimeAggregation\"\r\n },\r\n \"allowedValues\": [\r\n \"Count\"\r\n ],\r\n \"defaultValue\": \"Count\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Window Size\",\r\n \"description\": \"Window size for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\",\r\n \"PT6H\",\r\n \"PT12H\",\r\n \"PT24H\"\r\n ],\r\n \"defaultValue\": \"PT15M\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Frequency\",\r\n \"description\": \"Evaluation frequency for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\"\r\n ],\r\n \"defaultValue\": \"PT5M\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Mitigate\",\r\n \"description\": \"Auto Mitigate for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Require a workspace linked storage\",\r\n \"description\": \"Don't create the alert rule if the Log Analytics workspace doesn't have a configured linked storage account (relevant if you're using Customer Managed Keys).\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"false\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve time for the alert in ISO 8601 format\"\r\n },\r\n \"defaultValue\": \"true\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Alert State\",\r\n \"description\": \"Alert state for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Threshold\",\r\n \"description\": \"Threshold for the alert\"\r\n },\r\n \"defaultValue\": \"10000000\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Failing Periods\",\r\n \"description\": \"Number of failing periods before alert is fired\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Periods\",\r\n \"description\": \"The number of aggregated lookback points.\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"computersToInclude\": {\r\n \"type\": \"array\",\r\n \"metadata\": {\r\n \"displayName\": \"Computers to be included to be monitored\",\r\n \"description\": \"Array of Computer to be monitored\"\r\n },\r\n \"defaultValue\": [\r\n \"*\"\r\n ]\r\n },\r\n \"effect\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Effect\",\r\n \"description\": \"Effect of the policy\"\r\n },\r\n \"allowedValues\": [\r\n \"deployIfNotExists\",\r\n \"disabled\"\r\n ],\r\n \"defaultValue\": \"deployIfNotExists\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag name\",\r\n \"description\": \"Tag name to disable monitoring. Set to true if monitoring should be disabled\"\r\n },\r\n \"defaultValue\": \"MonitorDisable\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag values(s)\",\r\n \"description\": \"Tag value(s) used to disable monitoring at the resource level. Set to true if monitoring should be disabled.\"\r\n },\r\n \"defaultValue\": [\r\n \"true\",\r\n \"Test\",\r\n \"Dev\",\r\n \"Sandbox\"\r\n ]\r\n }\r\n },\r\n \"policyRule\": {\r\n \"if\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"type\",\r\n \"equals\": \"Microsoft.Compute/virtualMachines\"\r\n },\r\n {\r\n \"field\": \"[[concat('tags[', parameters('MonitorDisableTagName'), ']')]\",\r\n \"notIn\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n ]\r\n },\r\n \"then\": {\r\n \"effect\": \"[[parameters('effect')]\",\r\n \"details\": {\r\n \"roleDefinitionIds\": [\r\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\r\n ],\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"existenceScope\": \"resourceGroup\",\r\n \"resourceGroupName\": \"[[parameters('alertResourceGroupName')]\",\r\n \"deploymentScope\": \"subscription\",\r\n \"existenceCondition\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/displayName\",\r\n \"equals\": \"[[concat(subscription().displayName, '-VMHighNetworkInAlert')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/scopes[*]\",\r\n \"equals\": \"[[subscription().id]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/enabled\",\r\n \"equals\": \"[[parameters('enabled')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/evaluationFrequency\",\r\n \"equals\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/windowSize\",\r\n \"equals\": \"[[parameters('windowSize')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/severity\",\r\n \"equals\": \"[[parameters('severity')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/autoMitigate\",\r\n \"equals\": \"[[parameters('autoMitigate')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/checkWorkspaceAlertsStorageConfigured\",\r\n \"equals\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].operator\",\r\n \"equals\": \"[[parameters('operator')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].timeAggregation\",\r\n \"equals\": \"[[parameters('timeAggregation')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.numberOfEvaluationPeriods\",\r\n \"equals\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.minFailingPeriodsToAlert\",\r\n \"equals\": \"[[parameters('failingPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].query\",\r\n \"equals\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.Compute/virtualMachines\\\" | where isempty(properties.virtualMachineScaleSet) | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.Compute/virtualMachines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"Network\\\" and Name == \\\"ReadBytesPerSecond\\\" | extend NetworkInterface=tostring(todynamic(Tags)[\\\"vm.azm.ms/networkDeviceId\\\"]) | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, NetworkInterface | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue > appliedThreshold | project TimeGenerated, Computer, _ResourceId, NetworkInterface, AggregatedValue, appliedThreshold' , parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-ReadBytesPerSecond-threshold-Override_')]\"\r\n },\r\n {\r\n \"field\": \"identity.userAssignedIdentities\",\r\n \"containsKey\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n ]\r\n },\r\n \"deployment\": {\r\n \"location\": \"northeurope\",\r\n \"properties\": {\r\n \"mode\": \"incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"object\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n },\r\n \"severity\": {\r\n \"type\": \"String\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"computersToInclude\": {\r\n \"type\": \"array\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Resources/resourceGroups\",\r\n \"apiVersion\": \"2021-04-01\",\r\n \"name\": \"[[parameters('alertResourceGroupName')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"tags\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n {\r\n \"type\": \"Microsoft.Resources/deployments\",\r\n \"apiVersion\": \"2019-10-01\",\r\n \"name\": \"VMNetworkInAlert\",\r\n \"resourceGroup\": \"[[parameters('alertResourceGroupName')]\",\r\n \"dependsOn\": [\r\n \"[[concat('Microsoft.Resources/resourceGroups/', parameters('alertResourceGroupName'))]\"\r\n ],\r\n \"properties\": {\r\n \"mode\": \"Incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"apiVersion\": \"2022-08-01-preview\",\r\n \"name\": \"[[concat(subscription().displayName, '-VMHighNetworkInAlert')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"identity\": {\r\n \"type\": \"UserAssigned\",\r\n \"userAssignedIdentities\": {\r\n \"[[parameters('UAMIResourceId')]\": {}\r\n }\r\n },\r\n \"tags\": {\r\n \"_deployed_by_amba\": true\r\n },\r\n \"properties\": {\r\n \"displayName\": \"[[concat(subscription().displayName, '-VMHighNetworkInAlert')]\",\r\n \"description\": \"Log Alert for Virtual Machine NetworkIn\",\r\n \"severity\": \"[[parameters('severity')]\",\r\n \"enabled\": \"[[parameters('enabled')]\",\r\n \"scopes\": [\r\n \"[[subscription().Id]\"\r\n ],\r\n \"targetResourceTypes\": [\r\n \"Microsoft.Compute/virtualMachines\"\r\n ],\r\n \"evaluationFrequency\": \"[[parameters('evaluationFrequency')]\",\r\n \"windowSize\": \"[[parameters('windowSize')]\",\r\n \"criteria\": {\r\n \"allOf\": [\r\n {\r\n \"query\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.Compute/virtualMachines\\\" | where isempty(properties.virtualMachineScaleSet) | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.Compute/virtualMachines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"Network\\\" and Name == \\\"ReadBytesPerSecond\\\" | extend NetworkInterface=tostring(todynamic(Tags)[\\\"vm.azm.ms/networkDeviceId\\\"]) | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, NetworkInterface | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue > appliedThreshold | project TimeGenerated, Computer, _ResourceId, NetworkInterface, AggregatedValue, appliedThreshold' , parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-ReadBytesPerSecond-threshold-Override_')]\",\r\n \"threshold\": 0,\r\n \"operator\": \"[[parameters('operator')]\",\r\n \"resourceIdColumn\": \"_ResourceId\",\r\n \"timeAggregation\": \"[[parameters('timeAggregation')]\",\r\n \"dimensions\": [\r\n {\r\n \"name\": \"Computer\",\r\n \"operator\": \"Include\",\r\n \"values\": \"[[parameters('computersToInclude')]\"\r\n },\r\n {\r\n \"name\": \"NetworkInterface\",\r\n \"operator\": \"Include\",\r\n \"values\": [\r\n \"*\"\r\n ]\r\n }\r\n ],\r\n \"failingPeriods\": {\r\n \"numberOfEvaluationPeriods\": \"[[parameters('evaluationPeriods')]\",\r\n \"minFailingPeriodsToAlert\": \"[[parameters('failingPeriods')]\"\r\n }\r\n }\r\n ]\r\n },\r\n \"autoMitigate\": \"[[parameters('autoMitigate')]\",\r\n \"checkWorkspaceAlertsStorageConfigured\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\",\r\n \"ruleResolveConfiguration\": {\r\n \"autoResolved\": \"[[parameters('autoResolve')]\",\r\n \"timeToResolve\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"computersToInclude\": {\r\n \"value\": \"[[parameters('computersToInclude')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"value\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"operator\": {\r\n \"value\": \"[[parameters('operator')]\"\r\n },\r\n \"timeAggregation\": {\r\n \"value\": \"[[parameters('timeAggregation')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"computersToInclude\": {\r\n \"value\": \"[[parameters('computersToInclude')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n}\r\n", - "$fxv#5": "{\r\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\r\n \"apiVersion\": \"2021-06-01\",\r\n \"name\": \"Deploy_VM_NetworkOut_Alert\",\r\n \"properties\": {\r\n \"policyType\": \"Custom\",\r\n \"mode\": \"All\",\r\n \"displayName\": \"Deploy Azure VM Network Write Alert\",\r\n \"description\": \"Policy to audit/deploy Azure VM Network Out Alert\",\r\n \"metadata\": {\r\n \"version\": \"1.7.0\",\r\n \"category\": \"Compute\",\r\n \"source\": \"https://github.com/Azure/azure-monitor-baseline-alerts/\",\r\n \"alzCloudEnvironments\": [\r\n \"AzureCloud\"\r\n ],\r\n \"_deployed_by_amba\": \"True\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Name\",\r\n \"description\": \"Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"rg-amba-monitoring-001\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"Object\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Tags\",\r\n \"description\": \"Tags on the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": {\r\n \"Project\": \"amba-monitoring\"\r\n }\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Location\",\r\n \"description\": \"Location of the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"centralus\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\",\r\n \"defaultValue\": \"\",\r\n \"metadata\": {\r\n \"description\": \"The resource Id of the user assigned managed identity.\",\r\n \"displayName\": \"User Assigned managed Identity resource Id.\"\r\n }\r\n },\r\n \"severity\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Severity\",\r\n \"description\": \"Severity of the Alert\"\r\n },\r\n \"allowedValues\": [\r\n \"0\",\r\n \"1\",\r\n \"2\",\r\n \"3\",\r\n \"4\"\r\n ],\r\n \"defaultValue\": \"2\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Operator\"\r\n },\r\n \"allowedValues\": [\r\n \"GreaterThan\"\r\n ],\r\n \"defaultValue\": \"GreaterThan\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"TimeAggregation\"\r\n },\r\n \"allowedValues\": [\r\n \"Count\"\r\n ],\r\n \"defaultValue\": \"Count\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Window Size\",\r\n \"description\": \"Window size for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\",\r\n \"PT6H\",\r\n \"PT12H\",\r\n \"PT24H\"\r\n ],\r\n \"defaultValue\": \"PT15M\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Frequency\",\r\n \"description\": \"Evaluation frequency for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\"\r\n ],\r\n \"defaultValue\": \"PT5M\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Mitigate\",\r\n \"description\": \"Auto Mitigate for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Require a workspace linked storage\",\r\n \"description\": \"Don't create the alert rule if the Log Analytics workspace doesn't have a configured linked storage account (relevant if you're using Customer Managed Keys).\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"false\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve time for the alert in ISO 8601 format\"\r\n },\r\n \"defaultValue\": \"true\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Alert State\",\r\n \"description\": \"Alert state for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Threshold\",\r\n \"description\": \"Threshold for the alert\"\r\n },\r\n \"defaultValue\": \"10000000\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Failing Periods\",\r\n \"description\": \"Number of failing periods before alert is fired\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Periods\",\r\n \"description\": \"The number of aggregated lookback points.\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"computersToInclude\": {\r\n \"type\": \"array\",\r\n \"metadata\": {\r\n \"displayName\": \"Computers to be included to be monitored\",\r\n \"description\": \"Array of Computer to be monitored\"\r\n },\r\n \"defaultValue\": [\r\n \"*\"\r\n ]\r\n },\r\n \"effect\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Effect\",\r\n \"description\": \"Effect of the policy\"\r\n },\r\n \"allowedValues\": [\r\n \"deployIfNotExists\",\r\n \"disabled\"\r\n ],\r\n \"defaultValue\": \"deployIfNotExists\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag name\",\r\n \"description\": \"Tag name to disable monitoring. Set to true if monitoring should be disabled\"\r\n },\r\n \"defaultValue\": \"MonitorDisable\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag values(s)\",\r\n \"description\": \"Tag value(s) used to disable monitoring at the resource level. Set to true if monitoring should be disabled.\"\r\n },\r\n \"defaultValue\": [\r\n \"true\",\r\n \"Test\",\r\n \"Dev\",\r\n \"Sandbox\"\r\n ]\r\n }\r\n },\r\n \"policyRule\": {\r\n \"if\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"type\",\r\n \"equals\": \"Microsoft.Compute/virtualMachines\"\r\n },\r\n {\r\n \"field\": \"[[concat('tags[', parameters('MonitorDisableTagName'), ']')]\",\r\n \"notIn\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n ]\r\n },\r\n \"then\": {\r\n \"effect\": \"[[parameters('effect')]\",\r\n \"details\": {\r\n \"roleDefinitionIds\": [\r\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\r\n ],\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"existenceScope\": \"resourceGroup\",\r\n \"resourceGroupName\": \"[[parameters('alertResourceGroupName')]\",\r\n \"deploymentScope\": \"subscription\",\r\n \"existenceCondition\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/displayName\",\r\n \"equals\": \"[[concat(subscription().displayName, '-VMHighNetworkOutAlert')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/scopes[*]\",\r\n \"equals\": \"[[subscription().id]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/enabled\",\r\n \"equals\": \"[[parameters('enabled')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/evaluationFrequency\",\r\n \"equals\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/windowSize\",\r\n \"equals\": \"[[parameters('windowSize')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/severity\",\r\n \"equals\": \"[[parameters('severity')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/autoMitigate\",\r\n \"equals\": \"[[parameters('autoMitigate')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/checkWorkspaceAlertsStorageConfigured\",\r\n \"equals\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].operator\",\r\n \"equals\": \"[[parameters('operator')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].timeAggregation\",\r\n \"equals\": \"[[parameters('timeAggregation')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.numberOfEvaluationPeriods\",\r\n \"equals\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.minFailingPeriodsToAlert\",\r\n \"equals\": \"[[parameters('failingPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].query\",\r\n \"equals\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.Compute/virtualMachines\\\" | where isempty(properties.virtualMachineScaleSet) | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.Compute/virtualMachines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"Network\\\" and Name == \\\"WriteBytesPerSecond\\\" | extend NetworkInterface=tostring(todynamic(Tags)[\\\"vm.azm.ms/networkDeviceId\\\"]) | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, NetworkInterface | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue > appliedThreshold | project TimeGenerated, Computer, _ResourceId, NetworkInterface, AggregatedValue, appliedThreshold' , parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-WriteBytesPerSecond-threshold-Override_')]\"\r\n },\r\n {\r\n \"field\": \"identity.userAssignedIdentities\",\r\n \"containsKey\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n ]\r\n },\r\n \"deployment\": {\r\n \"location\": \"northeurope\",\r\n \"properties\": {\r\n \"mode\": \"incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"object\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n },\r\n \"severity\": {\r\n \"type\": \"String\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"computersToInclude\": {\r\n \"type\": \"array\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Resources/resourceGroups\",\r\n \"apiVersion\": \"2021-04-01\",\r\n \"name\": \"[[parameters('alertResourceGroupName')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"tags\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n {\r\n \"type\": \"Microsoft.Resources/deployments\",\r\n \"apiVersion\": \"2019-10-01\",\r\n \"name\": \"VMNetworkOutAlert\",\r\n \"resourceGroup\": \"[[parameters('alertResourceGroupName')]\",\r\n \"dependsOn\": [\r\n \"[[concat('Microsoft.Resources/resourceGroups/', parameters('alertResourceGroupName'))]\"\r\n ],\r\n \"properties\": {\r\n \"mode\": \"Incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"apiVersion\": \"2022-08-01-preview\",\r\n \"name\": \"[[concat(subscription().displayName, '-VMHighNetworkOutAlert')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"identity\": {\r\n \"type\": \"UserAssigned\",\r\n \"userAssignedIdentities\": {\r\n \"[[parameters('UAMIResourceId')]\": {}\r\n }\r\n },\r\n \"tags\": {\r\n \"_deployed_by_amba\": true\r\n },\r\n \"properties\": {\r\n \"displayName\": \"[[concat(subscription().displayName, '-VMHighNetworkOutAlert')]\",\r\n \"description\": \"Log Alert for Virtual Machine NetworkOut\",\r\n \"severity\": \"[[parameters('severity')]\",\r\n \"enabled\": \"[[parameters('enabled')]\",\r\n \"scopes\": [\r\n \"[[subscription().Id]\"\r\n ],\r\n \"targetResourceTypes\": [\r\n \"Microsoft.Compute/virtualMachines\"\r\n ],\r\n \"evaluationFrequency\": \"[[parameters('evaluationFrequency')]\",\r\n \"windowSize\": \"[[parameters('windowSize')]\",\r\n \"criteria\": {\r\n \"allOf\": [\r\n {\r\n \"query\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.Compute/virtualMachines\\\" | where isempty(properties.virtualMachineScaleSet) | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.Compute/virtualMachines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"Network\\\" and Name == \\\"WriteBytesPerSecond\\\" | extend NetworkInterface=tostring(todynamic(Tags)[\\\"vm.azm.ms/networkDeviceId\\\"]) | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, NetworkInterface | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue > appliedThreshold | project TimeGenerated, Computer, _ResourceId, NetworkInterface, AggregatedValue, appliedThreshold' , parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-WriteBytesPerSecond-threshold-Override_')]\",\r\n \"threshold\": 0,\r\n \"operator\": \"[[parameters('operator')]\",\r\n \"resourceIdColumn\": \"_ResourceId\",\r\n \"timeAggregation\": \"[[parameters('timeAggregation')]\",\r\n \"dimensions\": [\r\n {\r\n \"name\": \"Computer\",\r\n \"operator\": \"Include\",\r\n \"values\": \"[[parameters('computersToInclude')]\"\r\n },\r\n {\r\n \"name\": \"NetworkInterface\",\r\n \"operator\": \"Include\",\r\n \"values\": [\r\n \"*\"\r\n ]\r\n }\r\n ],\r\n \"failingPeriods\": {\r\n \"numberOfEvaluationPeriods\": \"[[parameters('evaluationPeriods')]\",\r\n \"minFailingPeriodsToAlert\": \"[[parameters('failingPeriods')]\"\r\n }\r\n }\r\n ]\r\n },\r\n \"autoMitigate\": \"[[parameters('autoMitigate')]\",\r\n \"checkWorkspaceAlertsStorageConfigured\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\",\r\n \"ruleResolveConfiguration\": {\r\n \"autoResolved\": \"[[parameters('autoResolve')]\",\r\n \"timeToResolve\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"computersToInclude\": {\r\n \"value\": \"[[parameters('computersToInclude')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"value\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"operator\": {\r\n \"value\": \"[[parameters('operator')]\"\r\n },\r\n \"timeAggregation\": {\r\n \"value\": \"[[parameters('timeAggregation')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"computersToInclude\": {\r\n \"value\": \"[[parameters('computersToInclude')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n}\r\n", - "$fxv#6": "{\r\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\r\n \"apiVersion\": \"2021-06-01\",\r\n \"name\": \"Deploy_VM_OSDiskreadLatency_Alert\",\r\n \"properties\": {\r\n \"policyType\": \"Custom\",\r\n \"mode\": \"All\",\r\n \"displayName\": \"Deploy Azure VM OS Disk Read Latency Alert\",\r\n \"description\": \"Policy to audit/deploy Azure VM OSDiskreadLatency Alert\",\r\n \"metadata\": {\r\n \"version\": \"1.8.0\",\r\n \"category\": \"Compute\",\r\n \"source\": \"https://github.com/Azure/azure-monitor-baseline-alerts/\",\r\n \"alzCloudEnvironments\": [\r\n \"AzureCloud\"\r\n ],\r\n \"_deployed_by_amba\": \"True\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Name\",\r\n \"description\": \"Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"rg-amba-monitoring-001\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"Object\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Tags\",\r\n \"description\": \"Tags on the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": {\r\n \"Project\": \"amba-monitoring\"\r\n }\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Location\",\r\n \"description\": \"Location of the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"centralus\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\",\r\n \"defaultValue\": \"\",\r\n \"metadata\": {\r\n \"description\": \"The resource Id of the user assigned managed identity.\",\r\n \"displayName\": \"User Assigned managed Identity resource Id.\"\r\n }\r\n },\r\n \"severity\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Severity\",\r\n \"description\": \"Severity of the Alert\"\r\n },\r\n \"allowedValues\": [\r\n \"0\",\r\n \"1\",\r\n \"2\",\r\n \"3\",\r\n \"4\"\r\n ],\r\n \"defaultValue\": \"2\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Operator\"\r\n },\r\n \"allowedValues\": [\r\n \"GreaterThan\"\r\n ],\r\n \"defaultValue\": \"GreaterThan\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"TimeAggregation\"\r\n },\r\n \"allowedValues\": [\r\n \"Count\"\r\n ],\r\n \"defaultValue\": \"Count\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Window Size\",\r\n \"description\": \"Window size for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\",\r\n \"PT6H\",\r\n \"PT12H\",\r\n \"PT24H\"\r\n ],\r\n \"defaultValue\": \"PT15M\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Frequency\",\r\n \"description\": \"Evaluation frequency for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\"\r\n ],\r\n \"defaultValue\": \"PT5M\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Mitigate\",\r\n \"description\": \"Auto Mitigate for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Require a workspace linked storage\",\r\n \"description\": \"Don't create the alert rule if the Log Analytics workspace doesn't have a configured linked storage account (relevant if you're using Customer Managed Keys).\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"false\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve time for the alert in ISO 8601 format\"\r\n },\r\n \"defaultValue\": \"true\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Alert State\",\r\n \"description\": \"Alert state for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Threshold\",\r\n \"description\": \"Threshold for the alert\"\r\n },\r\n \"defaultValue\": \"30\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Failing Periods\",\r\n \"description\": \"Number of failing periods before alert is fired\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Periods\",\r\n \"description\": \"The number of aggregated lookback points.\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"computersToInclude\": {\r\n \"type\": \"array\",\r\n \"metadata\": {\r\n \"displayName\": \"Computers to be included to be monitored\",\r\n \"description\": \"Array of Computer to be monitored\"\r\n },\r\n \"defaultValue\": [\r\n \"*\"\r\n ]\r\n },\r\n \"effect\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Effect\",\r\n \"description\": \"Effect of the policy\"\r\n },\r\n \"allowedValues\": [\r\n \"deployIfNotExists\",\r\n \"disabled\"\r\n ],\r\n \"defaultValue\": \"deployIfNotExists\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag name\",\r\n \"description\": \"Tag name to disable monitoring. Set to true if monitoring should be disabled\"\r\n },\r\n \"defaultValue\": \"MonitorDisable\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag values(s)\",\r\n \"description\": \"Tag value(s) used to disable monitoring at the resource level. Set to true if monitoring should be disabled.\"\r\n },\r\n \"defaultValue\": [\r\n \"true\",\r\n \"Test\",\r\n \"Dev\",\r\n \"Sandbox\"\r\n ]\r\n }\r\n },\r\n \"policyRule\": {\r\n \"if\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"type\",\r\n \"equals\": \"Microsoft.Compute/virtualMachines\"\r\n },\r\n {\r\n \"field\": \"[[concat('tags[', parameters('MonitorDisableTagName'), ']')]\",\r\n \"notIn\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n ]\r\n },\r\n \"then\": {\r\n \"effect\": \"[[parameters('effect')]\",\r\n \"details\": {\r\n \"roleDefinitionIds\": [\r\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\r\n ],\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"existenceScope\": \"resourceGroup\",\r\n \"resourceGroupName\": \"[[parameters('alertResourceGroupName')]\",\r\n \"deploymentScope\": \"subscription\",\r\n \"existenceCondition\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/displayName\",\r\n \"equals\": \"[[concat(subscription().displayName, '-VMHighOSDiskReadLatencyAlert')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/scopes[*]\",\r\n \"equals\": \"[[subscription().id]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/enabled\",\r\n \"equals\": \"[[parameters('enabled')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/evaluationFrequency\",\r\n \"equals\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/windowSize\",\r\n \"equals\": \"[[parameters('windowSize')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/severity\",\r\n \"equals\": \"[[parameters('severity')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/autoMitigate\",\r\n \"equals\": \"[[parameters('autoMitigate')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/checkWorkspaceAlertsStorageConfigured\",\r\n \"equals\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].operator\",\r\n \"equals\": \"[[parameters('operator')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].timeAggregation\",\r\n \"equals\": \"[[parameters('timeAggregation')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.numberOfEvaluationPeriods\",\r\n \"equals\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.minFailingPeriodsToAlert\",\r\n \"equals\": \"[[parameters('failingPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].query\",\r\n \"equals\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.Compute/virtualMachines\\\" | where isempty(properties.virtualMachineScaleSet) | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.Compute/virtualMachines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"LogicalDisk\\\" and Name == \\\"ReadLatencyMs\\\" | extend Disk=tostring(todynamic(Tags)[\\\"vm.azm.ms/mountId\\\"]) | where Disk in (\\\"C:\\\", \\\"/\\\") | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, Disk | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend excludedLogicalVolumes = iif(isnotempty(resourceTags.[\\\"{4}\\\"]),resourceTags.[\\\"{4}\\\"], \\\"No logical volumes excluded\\\") | where excludedLogicalVolumes !has Disk | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue > appliedThreshold | project TimeGenerated, Computer, _ResourceId, Disk, AggregatedValue, appliedThreshold, excludedLogicalVolumes', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-ReadLatencyMs-OS-threshold-Override_', '_amba-ExcludedLogicalVolumes-ReadLatency_')]\"\r\n },\r\n {\r\n \"field\": \"identity.userAssignedIdentities\",\r\n \"containsKey\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n ]\r\n },\r\n \"deployment\": {\r\n \"location\": \"northeurope\",\r\n \"properties\": {\r\n \"mode\": \"incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"object\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n },\r\n \"severity\": {\r\n \"type\": \"String\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"computersToInclude\": {\r\n \"type\": \"array\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Resources/resourceGroups\",\r\n \"apiVersion\": \"2021-04-01\",\r\n \"name\": \"[[parameters('alertResourceGroupName')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"tags\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n {\r\n \"type\": \"Microsoft.Resources/deployments\",\r\n \"apiVersion\": \"2019-10-01\",\r\n \"name\": \"VMOSDiskreadLatencyAlert\",\r\n \"resourceGroup\": \"[[parameters('alertResourceGroupName')]\",\r\n \"dependsOn\": [\r\n \"[[concat('Microsoft.Resources/resourceGroups/', parameters('alertResourceGroupName'))]\"\r\n ],\r\n \"properties\": {\r\n \"mode\": \"Incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"apiVersion\": \"2022-08-01-preview\",\r\n \"name\": \"[[concat(subscription().displayName, '-VMHighOSDiskReadLatencyAlert')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"identity\": {\r\n \"type\": \"UserAssigned\",\r\n \"userAssignedIdentities\": {\r\n \"[[parameters('UAMIResourceId')]\": {}\r\n }\r\n },\r\n \"tags\": {\r\n \"_deployed_by_amba\": true\r\n },\r\n \"properties\": {\r\n \"displayName\": \"[[concat(subscription().displayName, '-VMHighOSDiskReadLatencyAlert')]\",\r\n \"description\": \"Log Alert for Virtual Machine OSDiskreadLatency\",\r\n \"severity\": \"[[parameters('severity')]\",\r\n \"enabled\": \"[[parameters('enabled')]\",\r\n \"scopes\": [\r\n \"[[subscription().Id]\"\r\n ],\r\n \"targetResourceTypes\": [\r\n \"Microsoft.Compute/virtualMachines\"\r\n ],\r\n \"evaluationFrequency\": \"[[parameters('evaluationFrequency')]\",\r\n \"windowSize\": \"[[parameters('windowSize')]\",\r\n \"criteria\": {\r\n \"allOf\": [\r\n {\r\n \"query\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.Compute/virtualMachines\\\" | where isempty(properties.virtualMachineScaleSet) | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.Compute/virtualMachines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"LogicalDisk\\\" and Name == \\\"ReadLatencyMs\\\" | extend Disk=tostring(todynamic(Tags)[\\\"vm.azm.ms/mountId\\\"]) | where Disk in (\\\"C:\\\", \\\"/\\\") | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, Disk | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend excludedLogicalVolumes = iif(isnotempty(resourceTags.[\\\"{4}\\\"]),resourceTags.[\\\"{4}\\\"], \\\"No logical volumes excluded\\\") | where excludedLogicalVolumes !has Disk | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue > appliedThreshold | project TimeGenerated, Computer, _ResourceId, Disk, AggregatedValue, appliedThreshold, excludedLogicalVolumes', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-ReadLatencyMs-OS-threshold-Override_', '_amba-ExcludedLogicalVolumes-ReadLatency_')]\",\r\n \"threshold\": 0,\r\n \"operator\": \"[[parameters('operator')]\",\r\n \"resourceIdColumn\": \"_ResourceId\",\r\n \"timeAggregation\": \"[[parameters('timeAggregation')]\",\r\n \"dimensions\": [\r\n {\r\n \"name\": \"Computer\",\r\n \"operator\": \"Include\",\r\n \"values\": \"[[parameters('computersToInclude')]\"\r\n },\r\n {\r\n \"name\": \"Disk\",\r\n \"operator\": \"Include\",\r\n \"values\": [\r\n \"*\"\r\n ]\r\n }\r\n ],\r\n \"failingPeriods\": {\r\n \"numberOfEvaluationPeriods\": \"[[parameters('evaluationPeriods')]\",\r\n \"minFailingPeriodsToAlert\": \"[[parameters('failingPeriods')]\"\r\n }\r\n }\r\n ]\r\n },\r\n \"autoMitigate\": \"[[parameters('autoMitigate')]\",\r\n \"checkWorkspaceAlertsStorageConfigured\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\",\r\n \"ruleResolveConfiguration\": {\r\n \"autoResolved\": \"[[parameters('autoResolve')]\",\r\n \"timeToResolve\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"computersToInclude\": {\r\n \"value\": \"[[parameters('computersToInclude')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"value\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"operator\": {\r\n \"value\": \"[[parameters('operator')]\"\r\n },\r\n \"timeAggregation\": {\r\n \"value\": \"[[parameters('timeAggregation')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"computersToInclude\": {\r\n \"value\": \"[[parameters('computersToInclude')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n}\r\n", - "$fxv#7": "{\r\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\r\n \"apiVersion\": \"2021-06-01\",\r\n \"name\": \"Deploy_VM_OSDiskSpace_Alert\",\r\n \"properties\": {\r\n \"policyType\": \"Custom\",\r\n \"mode\": \"All\",\r\n \"displayName\": \"Deploy Azure VM OS Disk Space Alert\",\r\n \"description\": \"Policy to audit/deploy Azure VM OSDiskSpace Alert\",\r\n \"metadata\": {\r\n \"version\": \"1.8.0\",\r\n \"category\": \"Compute\",\r\n \"source\": \"https://github.com/Azure/azure-monitor-baseline-alerts/\",\r\n \"alzCloudEnvironments\": [\r\n \"AzureCloud\"\r\n ],\r\n \"_deployed_by_amba\": \"True\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Name\",\r\n \"description\": \"Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"rg-amba-monitoring-001\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"Object\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Tags\",\r\n \"description\": \"Tags on the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": {\r\n \"Project\": \"amba-monitoring\"\r\n }\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Location\",\r\n \"description\": \"Location of the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"centralus\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\",\r\n \"defaultValue\": \"\",\r\n \"metadata\": {\r\n \"description\": \"The resource Id of the user assigned managed identity.\",\r\n \"displayName\": \"User Assigned managed Identity resource Id.\"\r\n }\r\n },\r\n \"severity\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Severity\",\r\n \"description\": \"Severity of the Alert\"\r\n },\r\n \"allowedValues\": [\r\n \"0\",\r\n \"1\",\r\n \"2\",\r\n \"3\",\r\n \"4\"\r\n ],\r\n \"defaultValue\": \"2\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Operator\"\r\n },\r\n \"allowedValues\": [\r\n \"GreaterThan\"\r\n ],\r\n \"defaultValue\": \"GreaterThan\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"TimeAggregation\"\r\n },\r\n \"allowedValues\": [\r\n \"Count\"\r\n ],\r\n \"defaultValue\": \"Count\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Window Size\",\r\n \"description\": \"Window size for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\",\r\n \"PT6H\",\r\n \"PT12H\",\r\n \"PT24H\"\r\n ],\r\n \"defaultValue\": \"PT15M\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Frequency\",\r\n \"description\": \"Evaluation frequency for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\"\r\n ],\r\n \"defaultValue\": \"PT5M\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Mitigate\",\r\n \"description\": \"Auto Mitigate for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Require a workspace linked storage\",\r\n \"description\": \"Don't create the alert rule if the Log Analytics workspace doesn't have a configured linked storage account (relevant if you're using Customer Managed Keys).\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"false\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve time for the alert in ISO 8601 format\"\r\n },\r\n \"defaultValue\": \"true\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Alert State\",\r\n \"description\": \"Alert state for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Threshold\",\r\n \"description\": \"Threshold for the alert\"\r\n },\r\n \"defaultValue\": \"10\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Failing Periods\",\r\n \"description\": \"Number of failing periods before alert is fired\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Periods\",\r\n \"description\": \"The number of aggregated lookback points.\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"computersToInclude\": {\r\n \"type\": \"array\",\r\n \"metadata\": {\r\n \"displayName\": \"Computers to be included to be monitored\",\r\n \"description\": \"Array of Computer to be monitored\"\r\n },\r\n \"defaultValue\": [\r\n \"*\"\r\n ]\r\n },\r\n \"effect\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Effect\",\r\n \"description\": \"Effect of the policy\"\r\n },\r\n \"allowedValues\": [\r\n \"deployIfNotExists\",\r\n \"disabled\"\r\n ],\r\n \"defaultValue\": \"deployIfNotExists\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag name\",\r\n \"description\": \"Tag name to disable monitoring. Set to true if monitoring should be disabled\"\r\n },\r\n \"defaultValue\": \"MonitorDisable\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag values(s)\",\r\n \"description\": \"Tag value(s) used to disable monitoring at the resource level. Set to true if monitoring should be disabled.\"\r\n },\r\n \"defaultValue\": [\r\n \"true\",\r\n \"Test\",\r\n \"Dev\",\r\n \"Sandbox\"\r\n ]\r\n }\r\n },\r\n \"policyRule\": {\r\n \"if\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"type\",\r\n \"equals\": \"Microsoft.Compute/virtualMachines\"\r\n },\r\n {\r\n \"field\": \"[[concat('tags[', parameters('MonitorDisableTagName'), ']')]\",\r\n \"notIn\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n ]\r\n },\r\n \"then\": {\r\n \"effect\": \"[[parameters('effect')]\",\r\n \"details\": {\r\n \"roleDefinitionIds\": [\r\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\r\n ],\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"existenceScope\": \"resourceGroup\",\r\n \"resourceGroupName\": \"[[parameters('alertResourceGroupName')]\",\r\n \"deploymentScope\": \"subscription\",\r\n \"existenceCondition\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/displayName\",\r\n \"equals\": \"[[concat(subscription().displayName, '-VMLowOSDiskSpaceAlert')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/scopes[*]\",\r\n \"equals\": \"[[subscription().id]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/enabled\",\r\n \"equals\": \"[[parameters('enabled')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/evaluationFrequency\",\r\n \"equals\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/windowSize\",\r\n \"equals\": \"[[parameters('windowSize')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/severity\",\r\n \"equals\": \"[[parameters('severity')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/autoMitigate\",\r\n \"equals\": \"[[parameters('autoMitigate')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/checkWorkspaceAlertsStorageConfigured\",\r\n \"equals\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].operator\",\r\n \"equals\": \"[[parameters('operator')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].timeAggregation\",\r\n \"equals\": \"[[parameters('timeAggregation')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.numberOfEvaluationPeriods\",\r\n \"equals\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.minFailingPeriodsToAlert\",\r\n \"equals\": \"[[parameters('failingPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].query\",\r\n \"equals\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.Compute/virtualMachines\\\" | where isempty(properties.virtualMachineScaleSet) | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.Compute/virtualMachines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"LogicalDisk\\\" and Name == \\\"FreeSpacePercentage\\\" | extend Disk=tostring(todynamic(Tags)[\\\"vm.azm.ms/mountId\\\"]) | where Disk in (\\\"C:\\\", \\\"/\\\") | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, Disk | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend excludedLogicalVolumes = iif(isnotempty(resourceTags.[\\\"{4}\\\"]),resourceTags.[\\\"{4}\\\"], \\\"No logical volumes excluded\\\") | where excludedLogicalVolumes !has Disk | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue < appliedThreshold | project TimeGenerated, Computer, _ResourceId, Disk, AggregatedValue, appliedThreshold, excludedLogicalVolumes', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-FreeSpacePercentage-OS-threshold-Override_', '_amba-ExcludedLogicalVolumes-DiskSpace_')]\"\r\n },\r\n {\r\n \"field\": \"identity.userAssignedIdentities\",\r\n \"containsKey\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n ]\r\n },\r\n \"deployment\": {\r\n \"location\": \"northeurope\",\r\n \"properties\": {\r\n \"mode\": \"incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"object\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n },\r\n \"severity\": {\r\n \"type\": \"String\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"computersToInclude\": {\r\n \"type\": \"array\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Resources/resourceGroups\",\r\n \"apiVersion\": \"2021-04-01\",\r\n \"name\": \"[[parameters('alertResourceGroupName')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"tags\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n {\r\n \"type\": \"Microsoft.Resources/deployments\",\r\n \"apiVersion\": \"2019-10-01\",\r\n \"name\": \"VMOSDiskSpaceAlert\",\r\n \"resourceGroup\": \"[[parameters('alertResourceGroupName')]\",\r\n \"dependsOn\": [\r\n \"[[concat('Microsoft.Resources/resourceGroups/', parameters('alertResourceGroupName'))]\"\r\n ],\r\n \"properties\": {\r\n \"mode\": \"Incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"apiVersion\": \"2022-08-01-preview\",\r\n \"name\": \"[[concat(subscription().displayName, '-VMLowOSDiskSpaceAlert')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"identity\": {\r\n \"type\": \"UserAssigned\",\r\n \"userAssignedIdentities\": {\r\n \"[[parameters('UAMIResourceId')]\": {}\r\n }\r\n },\r\n \"tags\": {\r\n \"_deployed_by_amba\": true\r\n },\r\n \"properties\": {\r\n \"displayName\": \"[[concat(subscription().displayName, '-VMLowOSDiskSpaceAlert')]\",\r\n \"description\": \"Log Alert for Virtual Machine OSDiskSpace\",\r\n \"severity\": \"[[parameters('severity')]\",\r\n \"enabled\": \"[[parameters('enabled')]\",\r\n \"scopes\": [\r\n \"[[subscription().Id]\"\r\n ],\r\n \"targetResourceTypes\": [\r\n \"Microsoft.Compute/virtualMachines\"\r\n ],\r\n \"evaluationFrequency\": \"[[parameters('evaluationFrequency')]\",\r\n \"windowSize\": \"[[parameters('windowSize')]\",\r\n \"criteria\": {\r\n \"allOf\": [\r\n {\r\n \"query\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.Compute/virtualMachines\\\" | where isempty(properties.virtualMachineScaleSet) | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.Compute/virtualMachines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"LogicalDisk\\\" and Name == \\\"FreeSpacePercentage\\\" | extend Disk=tostring(todynamic(Tags)[\\\"vm.azm.ms/mountId\\\"]) | where Disk in (\\\"C:\\\", \\\"/\\\") | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, Disk | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend excludedLogicalVolumes = iif(isnotempty(resourceTags.[\\\"{4}\\\"]),resourceTags.[\\\"{4}\\\"], \\\"No logical volumes excluded\\\") | where excludedLogicalVolumes !has Disk | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue < appliedThreshold | project TimeGenerated, Computer, _ResourceId, Disk, AggregatedValue, appliedThreshold, excludedLogicalVolumes', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-FreeSpacePercentage-OS-threshold-Override_', '_amba-ExcludedLogicalVolumes-DiskSpace_')]\",\r\n \"threshold\": 0,\r\n \"operator\": \"[[parameters('operator')]\",\r\n \"resourceIdColumn\": \"_ResourceId\",\r\n \"timeAggregation\": \"[[parameters('timeAggregation')]\",\r\n \"dimensions\": [\r\n {\r\n \"name\": \"Computer\",\r\n \"operator\": \"Include\",\r\n \"values\": \"[[parameters('computersToInclude')]\"\r\n },\r\n {\r\n \"name\": \"Disk\",\r\n \"operator\": \"Include\",\r\n \"values\": [\r\n \"*\"\r\n ]\r\n }\r\n ],\r\n \"failingPeriods\": {\r\n \"numberOfEvaluationPeriods\": \"[[parameters('evaluationPeriods')]\",\r\n \"minFailingPeriodsToAlert\": \"[[parameters('failingPeriods')]\"\r\n }\r\n }\r\n ]\r\n },\r\n \"autoMitigate\": \"[[parameters('autoMitigate')]\",\r\n \"checkWorkspaceAlertsStorageConfigured\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\",\r\n \"ruleResolveConfiguration\": {\r\n \"autoResolved\": \"[[parameters('autoResolve')]\",\r\n \"timeToResolve\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"computersToInclude\": {\r\n \"value\": \"[[parameters('computersToInclude')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"value\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"operator\": {\r\n \"value\": \"[[parameters('operator')]\"\r\n },\r\n \"timeAggregation\": {\r\n \"value\": \"[[parameters('timeAggregation')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"computersToInclude\": {\r\n \"value\": \"[[parameters('computersToInclude')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n}\r\n", - "$fxv#8": "{\r\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\r\n \"apiVersion\": \"2021-06-01\",\r\n \"name\": \"Deploy_VM_OSDiskwriteLatency_Alert\",\r\n \"properties\": {\r\n \"policyType\": \"Custom\",\r\n \"mode\": \"All\",\r\n \"displayName\": \"Deploy Azure VM OS Disk Write Latency Alert\",\r\n \"description\": \"Policy to audit/deploy Azure VM OSDiskwriteLatency Alert\",\r\n \"metadata\": {\r\n \"version\": \"1.8.0\",\r\n \"category\": \"Compute\",\r\n \"source\": \"https://github.com/Azure/azure-monitor-baseline-alerts/\",\r\n \"alzCloudEnvironments\": [\r\n \"AzureCloud\"\r\n ],\r\n \"_deployed_by_amba\": \"True\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Name\",\r\n \"description\": \"Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"rg-amba-monitoring-001\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"Object\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Tags\",\r\n \"description\": \"Tags on the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": {\r\n \"Project\": \"amba-monitoring\"\r\n }\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Location\",\r\n \"description\": \"Location of the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"centralus\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\",\r\n \"defaultValue\": \"\",\r\n \"metadata\": {\r\n \"description\": \"The resource Id of the user assigned managed identity.\",\r\n \"displayName\": \"User Assigned managed Identity resource Id.\"\r\n }\r\n },\r\n \"severity\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Severity\",\r\n \"description\": \"Severity of the Alert\"\r\n },\r\n \"allowedValues\": [\r\n \"0\",\r\n \"1\",\r\n \"2\",\r\n \"3\",\r\n \"4\"\r\n ],\r\n \"defaultValue\": \"2\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Operator\"\r\n },\r\n \"allowedValues\": [\r\n \"GreaterThan\"\r\n ],\r\n \"defaultValue\": \"GreaterThan\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"TimeAggregation\"\r\n },\r\n \"allowedValues\": [\r\n \"Count\"\r\n ],\r\n \"defaultValue\": \"Count\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Window Size\",\r\n \"description\": \"Window size for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\",\r\n \"PT6H\",\r\n \"PT12H\",\r\n \"PT24H\"\r\n ],\r\n \"defaultValue\": \"PT15M\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Frequency\",\r\n \"description\": \"Evaluation frequency for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\"\r\n ],\r\n \"defaultValue\": \"PT5M\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Mitigate\",\r\n \"description\": \"Auto Mitigate for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Require a workspace linked storage\",\r\n \"description\": \"Don't create the alert rule if the Log Analytics workspace doesn't have a configured linked storage account (relevant if you're using Customer Managed Keys).\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"false\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve time for the alert in ISO 8601 format\"\r\n },\r\n \"defaultValue\": \"true\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Alert State\",\r\n \"description\": \"Alert state for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Threshold\",\r\n \"description\": \"Threshold for the alert\"\r\n },\r\n \"defaultValue\": \"30\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Failing Periods\",\r\n \"description\": \"Number of failing periods before alert is fired\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Periods\",\r\n \"description\": \"The number of aggregated lookback points.\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"computersToInclude\": {\r\n \"type\": \"array\",\r\n \"metadata\": {\r\n \"displayName\": \"Computers to be included to be monitored\",\r\n \"description\": \"Array of Computer to be monitored\"\r\n },\r\n \"defaultValue\": [\r\n \"*\"\r\n ]\r\n },\r\n \"effect\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Effect\",\r\n \"description\": \"Effect of the policy\"\r\n },\r\n \"allowedValues\": [\r\n \"deployIfNotExists\",\r\n \"disabled\"\r\n ],\r\n \"defaultValue\": \"deployIfNotExists\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag name\",\r\n \"description\": \"Tag name to disable monitoring. Set to true if monitoring should be disabled\"\r\n },\r\n \"defaultValue\": \"MonitorDisable\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag values(s)\",\r\n \"description\": \"Tag value(s) used to disable monitoring at the resource level. Set to true if monitoring should be disabled.\"\r\n },\r\n \"defaultValue\": [\r\n \"true\",\r\n \"Test\",\r\n \"Dev\",\r\n \"Sandbox\"\r\n ]\r\n }\r\n },\r\n \"policyRule\": {\r\n \"if\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"type\",\r\n \"equals\": \"Microsoft.Compute/virtualMachines\"\r\n },\r\n {\r\n \"field\": \"[[concat('tags[', parameters('MonitorDisableTagName'), ']')]\",\r\n \"notIn\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n ]\r\n },\r\n \"then\": {\r\n \"effect\": \"[[parameters('effect')]\",\r\n \"details\": {\r\n \"roleDefinitionIds\": [\r\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\r\n ],\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"existenceScope\": \"resourceGroup\",\r\n \"resourceGroupName\": \"[[parameters('alertResourceGroupName')]\",\r\n \"deploymentScope\": \"subscription\",\r\n \"existenceCondition\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/displayName\",\r\n \"equals\": \"[[concat(subscription().displayName, '-VMHighOSDiskWriteLatencyAlert')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/scopes[*]\",\r\n \"equals\": \"[[subscription().id]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/enabled\",\r\n \"equals\": \"[[parameters('enabled')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/evaluationFrequency\",\r\n \"equals\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/windowSize\",\r\n \"equals\": \"[[parameters('windowSize')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/severity\",\r\n \"equals\": \"[[parameters('severity')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/autoMitigate\",\r\n \"equals\": \"[[parameters('autoMitigate')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/checkWorkspaceAlertsStorageConfigured\",\r\n \"equals\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].operator\",\r\n \"equals\": \"[[parameters('operator')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].timeAggregation\",\r\n \"equals\": \"[[parameters('timeAggregation')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.numberOfEvaluationPeriods\",\r\n \"equals\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.minFailingPeriodsToAlert\",\r\n \"equals\": \"[[parameters('failingPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].query\",\r\n \"equals\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.Compute/virtualMachines\\\" | where isempty(properties.virtualMachineScaleSet) | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.Compute/virtualMachines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"LogicalDisk\\\" and Name == \\\"WriteLatencyMs\\\" | extend Disk=tostring(todynamic(Tags)[\\\"vm.azm.ms/mountId\\\"]) | where Disk in (\\\"C:\\\", \\\"/\\\") | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, Disk | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend excludedLogicalVolumes = iif(isnotempty(resourceTags.[\\\"{4}\\\"]),resourceTags.[\\\"{4}\\\"], \\\"No logical volumes excluded\\\") | where excludedLogicalVolumes !has Disk | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue > appliedThreshold | project TimeGenerated, Computer, _ResourceId, Disk, AggregatedValue, appliedThreshold, excludedLogicalVolumes', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-WriteLatencyMs-OS-threshold-Override_', '_amba-ExcludedLogicalVolumes-WriteLatency_')]\"\r\n },\r\n {\r\n \"field\": \"identity.userAssignedIdentities\",\r\n \"containsKey\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n ]\r\n },\r\n \"deployment\": {\r\n \"location\": \"northeurope\",\r\n \"properties\": {\r\n \"mode\": \"incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"object\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n },\r\n \"severity\": {\r\n \"type\": \"String\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"computersToInclude\": {\r\n \"type\": \"array\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Resources/resourceGroups\",\r\n \"apiVersion\": \"2021-04-01\",\r\n \"name\": \"[[parameters('alertResourceGroupName')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"tags\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n {\r\n \"type\": \"Microsoft.Resources/deployments\",\r\n \"apiVersion\": \"2019-10-01\",\r\n \"name\": \"VMOSDiskwriteLatencyAlert\",\r\n \"resourceGroup\": \"[[parameters('alertResourceGroupName')]\",\r\n \"dependsOn\": [\r\n \"[[concat('Microsoft.Resources/resourceGroups/', parameters('alertResourceGroupName'))]\"\r\n ],\r\n \"properties\": {\r\n \"mode\": \"Incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"apiVersion\": \"2022-08-01-preview\",\r\n \"name\": \"[[concat(subscription().displayName, '-VMHighOSDiskWriteLatencyAlert')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"identity\": {\r\n \"type\": \"UserAssigned\",\r\n \"userAssignedIdentities\": {\r\n \"[[parameters('UAMIResourceId')]\": {}\r\n }\r\n },\r\n \"tags\": {\r\n \"_deployed_by_amba\": true\r\n },\r\n \"properties\": {\r\n \"displayName\": \"[[concat(subscription().displayName, '-VMHighOSDiskWriteLatencyAlert')]\",\r\n \"description\": \"Log Alert for Virtual Machine OSDiskwriteLatency\",\r\n \"severity\": \"[[parameters('severity')]\",\r\n \"enabled\": \"[[parameters('enabled')]\",\r\n \"scopes\": [\r\n \"[[subscription().Id]\"\r\n ],\r\n \"targetResourceTypes\": [\r\n \"Microsoft.Compute/virtualMachines\"\r\n ],\r\n \"evaluationFrequency\": \"[[parameters('evaluationFrequency')]\",\r\n \"windowSize\": \"[[parameters('windowSize')]\",\r\n \"criteria\": {\r\n \"allOf\": [\r\n {\r\n \"query\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.Compute/virtualMachines\\\" | where isempty(properties.virtualMachineScaleSet) | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.Compute/virtualMachines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"LogicalDisk\\\" and Name == \\\"WriteLatencyMs\\\" | extend Disk=tostring(todynamic(Tags)[\\\"vm.azm.ms/mountId\\\"]) | where Disk in (\\\"C:\\\", \\\"/\\\") | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, Disk | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend excludedLogicalVolumes = iif(isnotempty(resourceTags.[\\\"{4}\\\"]),resourceTags.[\\\"{4}\\\"], \\\"No logical volumes excluded\\\") | where excludedLogicalVolumes !has Disk | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue > appliedThreshold | project TimeGenerated, Computer, _ResourceId, Disk, AggregatedValue, appliedThreshold, excludedLogicalVolumes', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-WriteLatencyMs-OS-threshold-Override_', '_amba-ExcludedLogicalVolumes-WriteLatency_')]\",\r\n \"threshold\": 0,\r\n \"operator\": \"[[parameters('operator')]\",\r\n \"resourceIdColumn\": \"_ResourceId\",\r\n \"timeAggregation\": \"[[parameters('timeAggregation')]\",\r\n \"dimensions\": [\r\n {\r\n \"name\": \"Computer\",\r\n \"operator\": \"Include\",\r\n \"values\": \"[[parameters('computersToInclude')]\"\r\n },\r\n {\r\n \"name\": \"Disk\",\r\n \"operator\": \"Include\",\r\n \"values\": [\r\n \"*\"\r\n ]\r\n }\r\n ],\r\n \"failingPeriods\": {\r\n \"numberOfEvaluationPeriods\": \"[[parameters('evaluationPeriods')]\",\r\n \"minFailingPeriodsToAlert\": \"[[parameters('failingPeriods')]\"\r\n }\r\n }\r\n ]\r\n },\r\n \"autoMitigate\": \"[[parameters('autoMitigate')]\",\r\n \"checkWorkspaceAlertsStorageConfigured\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\",\r\n \"ruleResolveConfiguration\": {\r\n \"autoResolved\": \"[[parameters('autoResolve')]\",\r\n \"timeToResolve\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"computersToInclude\": {\r\n \"value\": \"[[parameters('computersToInclude')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"value\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"operator\": {\r\n \"value\": \"[[parameters('operator')]\"\r\n },\r\n \"timeAggregation\": {\r\n \"value\": \"[[parameters('timeAggregation')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"computersToInclude\": {\r\n \"value\": \"[[parameters('computersToInclude')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n}\r\n", + "$fxv#2": "{\r\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\r\n \"apiVersion\": \"2021-06-01\",\r\n \"name\": \"Deploy_VM_dataDiskWriteLatency_Alert\",\r\n \"properties\": {\r\n \"policyType\": \"Custom\",\r\n \"mode\": \"All\",\r\n \"displayName\": \"Deploy Azure VM Data Disk Write Latency Alert\",\r\n \"description\": \"Policy to audit/deploy Azure VM dataDiskWriteLatency Alert\",\r\n \"metadata\": {\r\n \"version\": \"1.8.0\",\r\n \"category\": \"Compute\",\r\n \"source\": \"https://github.com/Azure/azure-monitor-baseline-alerts/\",\r\n \"alzCloudEnvironments\": [\r\n \"AzureCloud\"\r\n ],\r\n \"_deployed_by_amba\": \"True\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Name\",\r\n \"description\": \"Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"rg-amba-monitoring-001\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"Object\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Tags\",\r\n \"description\": \"Tags on the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": {\r\n \"Project\": \"amba-monitoring\"\r\n }\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Location\",\r\n \"description\": \"Location of the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"centralus\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\",\r\n \"defaultValue\": \"\",\r\n \"metadata\": {\r\n \"description\": \"The resource Id of the user assigned managed identity.\",\r\n \"displayName\": \"User Assigned managed Identity resource Id.\"\r\n }\r\n },\r\n \"severity\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Severity\",\r\n \"description\": \"Severity of the Alert\"\r\n },\r\n \"allowedValues\": [\r\n \"0\",\r\n \"1\",\r\n \"2\",\r\n \"3\",\r\n \"4\"\r\n ],\r\n \"defaultValue\": \"2\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Operator\"\r\n },\r\n \"allowedValues\": [\r\n \"GreaterThan\"\r\n ],\r\n \"defaultValue\": \"GreaterThan\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"TimeAggregation\"\r\n },\r\n \"allowedValues\": [\r\n \"Count\"\r\n ],\r\n \"defaultValue\": \"Count\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Window Size\",\r\n \"description\": \"Window size for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\",\r\n \"PT6H\",\r\n \"PT12H\",\r\n \"PT24H\"\r\n ],\r\n \"defaultValue\": \"PT15M\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Frequency\",\r\n \"description\": \"Evaluation frequency for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\"\r\n ],\r\n \"defaultValue\": \"PT5M\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Mitigate\",\r\n \"description\": \"Auto Mitigate for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Require a workspace linked storage\",\r\n \"description\": \"Don't create the alert rule if the Log Analytics workspace doesn't have a configured linked storage account (relevant if you're using Customer Managed Keys).\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"false\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve time for the alert in ISO 8601 format\"\r\n },\r\n \"defaultValue\": \"true\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Alert State\",\r\n \"description\": \"Alert state for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Threshold\",\r\n \"description\": \"Threshold for the alert\"\r\n },\r\n \"defaultValue\": \"30\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Failing Periods\",\r\n \"description\": \"Number of failing periods before alert is fired\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Periods\",\r\n \"description\": \"The number of aggregated lookback points.\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"effect\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Effect\",\r\n \"description\": \"Effect of the policy\"\r\n },\r\n \"allowedValues\": [\r\n \"deployIfNotExists\",\r\n \"disabled\"\r\n ],\r\n \"defaultValue\": \"deployIfNotExists\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag name\",\r\n \"description\": \"Tag name to disable monitoring. Set to true if monitoring should be disabled\"\r\n },\r\n \"defaultValue\": \"MonitorDisable\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag values(s)\",\r\n \"description\": \"Tag value(s) used to disable monitoring at the resource level. Set to true if monitoring should be disabled.\"\r\n },\r\n \"defaultValue\": [\r\n \"true\",\r\n \"Test\",\r\n \"Dev\",\r\n \"Sandbox\"\r\n ]\r\n }\r\n },\r\n \"policyRule\": {\r\n \"if\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"type\",\r\n \"equals\": \"Microsoft.Compute/virtualMachines\"\r\n },\r\n {\r\n \"field\": \"[[concat('tags[', parameters('MonitorDisableTagName'), ']')]\",\r\n \"notIn\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n ]\r\n },\r\n \"then\": {\r\n \"effect\": \"[[parameters('effect')]\",\r\n \"details\": {\r\n \"roleDefinitionIds\": [\r\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\r\n ],\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"existenceScope\": \"resourceGroup\",\r\n \"resourceGroupName\": \"[[parameters('alertResourceGroupName')]\",\r\n \"deploymentScope\": \"subscription\",\r\n \"existenceCondition\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/displayName\",\r\n \"equals\": \"[[concat(subscription().displayName, '-VMHighDataDiskWriteLatencyAlert')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/scopes[*]\",\r\n \"equals\": \"[[subscription().id]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/enabled\",\r\n \"equals\": \"[[parameters('enabled')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/evaluationFrequency\",\r\n \"equals\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/windowSize\",\r\n \"equals\": \"[[parameters('windowSize')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/severity\",\r\n \"equals\": \"[[parameters('severity')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/autoMitigate\",\r\n \"equals\": \"[[parameters('autoMitigate')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/checkWorkspaceAlertsStorageConfigured\",\r\n \"equals\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].operator\",\r\n \"equals\": \"[[parameters('operator')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].timeAggregation\",\r\n \"equals\": \"[[parameters('timeAggregation')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.numberOfEvaluationPeriods\",\r\n \"equals\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.minFailingPeriodsToAlert\",\r\n \"equals\": \"[[parameters('failingPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].query\",\r\n \"equals\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.Compute/virtualMachines\\\" | where isempty(properties.virtualMachineScaleSet) | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.Compute/virtualMachines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"LogicalDisk\\\" and Name == \\\"WriteLatencyMs\\\" | extend Disk=tostring(todynamic(Tags)[\\\"vm.azm.ms/mountId\\\"]) | where Disk !in (\\\"C:\\\", \\\"/\\\") | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, Disk | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend excludedLogicalVolumes = iif(isnotempty(resourceTags.[\\\"{4}\\\"]),resourceTags.[\\\"{4}\\\"], \\\"No logical volumes excluded\\\") | where excludedLogicalVolumes !has Disk | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue > appliedThreshold | project TimeGenerated, Computer, _ResourceId, Disk, AggregatedValue, appliedThreshold, excludedLogicalVolumes', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-WriteLatencyMs-Data-threshold-Override_', '_amba-ExcludedLogicalVolumes-WriteLatency_')]\"\r\n },\r\n {\r\n \"field\": \"identity.userAssignedIdentities\",\r\n \"containsKey\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n ]\r\n },\r\n \"deployment\": {\r\n \"location\": \"northeurope\",\r\n \"properties\": {\r\n \"mode\": \"incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"object\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n },\r\n \"severity\": {\r\n \"type\": \"String\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Resources/resourceGroups\",\r\n \"apiVersion\": \"2021-04-01\",\r\n \"name\": \"[[parameters('alertResourceGroupName')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"tags\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n {\r\n \"type\": \"Microsoft.Resources/deployments\",\r\n \"apiVersion\": \"2019-10-01\",\r\n \"name\": \"VMdataDiskWriteLatencyAlert\",\r\n \"resourceGroup\": \"[[parameters('alertResourceGroupName')]\",\r\n \"dependsOn\": [\r\n \"[[concat('Microsoft.Resources/resourceGroups/', parameters('alertResourceGroupName'))]\"\r\n ],\r\n \"properties\": {\r\n \"mode\": \"Incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"apiVersion\": \"2022-08-01-preview\",\r\n \"name\": \"[[concat(subscription().displayName, '-VMHighDataDiskWriteLatencyAlert')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"identity\": {\r\n \"type\": \"UserAssigned\",\r\n \"userAssignedIdentities\": {\r\n \"[[parameters('UAMIResourceId')]\": {}\r\n }\r\n },\r\n \"tags\": {\r\n \"_deployed_by_amba\": true\r\n },\r\n \"properties\": {\r\n \"displayName\": \"[[concat(subscription().displayName, '-VMHighDataDiskWriteLatencyAlert')]\",\r\n \"description\": \"Log Alert for Virtual Machine dataDiskWriteLatency\",\r\n \"severity\": \"[[parameters('severity')]\",\r\n \"enabled\": \"[[parameters('enabled')]\",\r\n \"scopes\": [\r\n \"[[subscription().Id]\"\r\n ],\r\n \"targetResourceTypes\": [\r\n \"Microsoft.Compute/virtualMachines\"\r\n ],\r\n \"evaluationFrequency\": \"[[parameters('evaluationFrequency')]\",\r\n \"windowSize\": \"[[parameters('windowSize')]\",\r\n \"criteria\": {\r\n \"allOf\": [\r\n {\r\n \"query\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.Compute/virtualMachines\\\" | where isempty(properties.virtualMachineScaleSet) | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.Compute/virtualMachines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"LogicalDisk\\\" and Name == \\\"WriteLatencyMs\\\" | extend Disk=tostring(todynamic(Tags)[\\\"vm.azm.ms/mountId\\\"]) | where Disk !in (\\\"C:\\\", \\\"/\\\") | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, Disk | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend excludedLogicalVolumes = iif(isnotempty(resourceTags.[\\\"{4}\\\"]),resourceTags.[\\\"{4}\\\"], \\\"No logical volumes excluded\\\") | where excludedLogicalVolumes !has Disk | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue > appliedThreshold | project TimeGenerated, Computer, _ResourceId, Disk, AggregatedValue, appliedThreshold, excludedLogicalVolumes', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-WriteLatencyMs-Data-threshold-Override_', '_amba-ExcludedLogicalVolumes-WriteLatency_')]\",\r\n \"threshold\": 0,\r\n \"operator\": \"[[parameters('operator')]\",\r\n \"resourceIdColumn\": \"_ResourceId\",\r\n \"timeAggregation\": \"[[parameters('timeAggregation')]\",\r\n \"dimensions\": [\r\n {\r\n \"name\": \"Computer\",\r\n \"operator\": \"Include\",\r\n \"values\": [\r\n \"*\"\r\n ]\r\n },\r\n {\r\n \"name\": \"Disk\",\r\n \"operator\": \"Include\",\r\n \"values\": [\r\n \"*\"\r\n ]\r\n }\r\n ],\r\n \"failingPeriods\": {\r\n \"numberOfEvaluationPeriods\": \"[[parameters('evaluationPeriods')]\",\r\n \"minFailingPeriodsToAlert\": \"[[parameters('failingPeriods')]\"\r\n }\r\n }\r\n ]\r\n },\r\n \"autoMitigate\": \"[[parameters('autoMitigate')]\",\r\n \"checkWorkspaceAlertsStorageConfigured\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\",\r\n \"ruleResolveConfiguration\": {\r\n \"autoResolved\": \"[[parameters('autoResolve')]\",\r\n \"timeToResolve\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"value\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"operator\": {\r\n \"value\": \"[[parameters('operator')]\"\r\n },\r\n \"timeAggregation\": {\r\n \"value\": \"[[parameters('timeAggregation')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n}\r\n", + "$fxv#3": "{\r\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\r\n \"apiVersion\": \"2021-06-01\",\r\n \"name\": \"Deploy_VM_HeartBeat_Alert\",\r\n \"properties\": {\r\n \"policyType\": \"Custom\",\r\n \"mode\": \"All\",\r\n \"displayName\": \"Deploy Azure VM HeartBeat Alert\",\r\n \"description\": \"Policy to audit/deploy Azure VM HeartBeat Alert for all VMs in the subscription\",\r\n \"metadata\": {\r\n \"version\": \"1.7.0\",\r\n \"category\": \"Compute\",\r\n \"source\": \"https://github.com/Azure/azure-monitor-baseline-alerts/\",\r\n \"alzCloudEnvironments\": [\r\n \"AzureCloud\"\r\n ],\r\n \"_deployed_by_amba\": \"True\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Name\",\r\n \"description\": \"Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"rg-amba-monitoring-001\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"Object\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Tags\",\r\n \"description\": \"Tags on the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": {\r\n \"Project\": \"amba-monitoring\"\r\n }\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Location\",\r\n \"description\": \"Location of the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"centralus\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\",\r\n \"defaultValue\": \"\",\r\n \"metadata\": {\r\n \"description\": \"The resource Id of the user assigned managed identity.\",\r\n \"displayName\": \"User Assigned managed Identity resource Id.\"\r\n }\r\n },\r\n \"severity\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Severity\",\r\n \"description\": \"Severity of the Alert\"\r\n },\r\n \"allowedValues\": [\r\n \"0\",\r\n \"1\",\r\n \"2\",\r\n \"3\",\r\n \"4\"\r\n ],\r\n \"defaultValue\": \"1\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Operator\"\r\n },\r\n \"allowedValues\": [\r\n \"GreaterThan\"\r\n ],\r\n \"defaultValue\": \"GreaterThan\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"TimeAggregation\"\r\n },\r\n \"allowedValues\": [\r\n \"Count\"\r\n ],\r\n \"defaultValue\": \"Count\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Window Size\",\r\n \"description\": \"Window size for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\",\r\n \"PT6H\",\r\n \"PT12H\",\r\n \"PT24H\"\r\n ],\r\n \"defaultValue\": \"PT6H\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Frequency\",\r\n \"description\": \"Evaluation frequency for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\"\r\n ],\r\n \"defaultValue\": \"PT5M\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Mitigate\",\r\n \"description\": \"Auto Mitigate for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Require a workspace linked storage\",\r\n \"description\": \"Don't create the alert rule if the Log Analytics workspace doesn't have a configured linked storage account (relevant if you're using Customer Managed Keys).\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"false\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve time for the alert in ISO 8601 format\"\r\n },\r\n \"defaultValue\": \"true\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Alert State\",\r\n \"description\": \"Alert state for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Threshold\",\r\n \"description\": \"Threshold for the alert\"\r\n },\r\n \"defaultValue\": \"10\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Failing Periods\",\r\n \"description\": \"Number of failing periods before alert is fired\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Periods\",\r\n \"description\": \"The number of aggregated lookback points.\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"effect\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Effect\",\r\n \"description\": \"Effect of the policy\"\r\n },\r\n \"allowedValues\": [\r\n \"deployIfNotExists\",\r\n \"disabled\"\r\n ],\r\n \"defaultValue\": \"deployIfNotExists\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag name\",\r\n \"description\": \"Tag name to disable monitoring. Set to true if monitoring should be disabled\"\r\n },\r\n \"defaultValue\": \"MonitorDisable\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag values(s)\",\r\n \"description\": \"Tag value(s) used to disable monitoring at the resource level. Set to true if monitoring should be disabled.\"\r\n },\r\n \"defaultValue\": [\r\n \"true\",\r\n \"Test\",\r\n \"Dev\",\r\n \"Sandbox\"\r\n ]\r\n }\r\n },\r\n \"policyRule\": {\r\n \"if\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"type\",\r\n \"equals\": \"Microsoft.Compute/virtualMachines\"\r\n },\r\n {\r\n \"field\": \"[[concat('tags[', parameters('MonitorDisableTagName'), ']')]\",\r\n \"notIn\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n ]\r\n },\r\n \"then\": {\r\n \"effect\": \"[[parameters('effect')]\",\r\n \"details\": {\r\n \"roleDefinitionIds\": [\r\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\r\n ],\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"existenceScope\": \"resourceGroup\",\r\n \"resourceGroupName\": \"[[parameters('alertResourceGroupName')]\",\r\n \"deploymentScope\": \"subscription\",\r\n \"existenceCondition\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/displayName\",\r\n \"equals\": \"[[concat(subscription().displayName, '-VMHeartBeatAlert')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/scopes[*]\",\r\n \"equals\": \"[[subscription().id]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/enabled\",\r\n \"equals\": \"[[parameters('enabled')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/evaluationFrequency\",\r\n \"equals\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/windowSize\",\r\n \"equals\": \"[[parameters('windowSize')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/severity\",\r\n \"equals\": \"[[parameters('severity')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/autoMitigate\",\r\n \"equals\": \"[[parameters('autoMitigate')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/checkWorkspaceAlertsStorageConfigured\",\r\n \"equals\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].operator\",\r\n \"equals\": \"[[parameters('operator')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].timeAggregation\",\r\n \"equals\": \"[[parameters('timeAggregation')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.numberOfEvaluationPeriods\",\r\n \"equals\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.minFailingPeriodsToAlert\",\r\n \"equals\": \"[[parameters('failingPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].query\",\r\n \"equals\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.Compute/virtualMachines\\\" | where isempty(properties.virtualMachineScaleSet) | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); Heartbeat | where _ResourceId has \\\"Microsoft.Compute/virtualMachines\\\" | summarize TimeGenerated=max(TimeGenerated) by Computer, _ResourceId | extend Duration = datetime_diff(\\\"minute\\\",now(),TimeGenerated) | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where Duration > appliedThreshold | project TimeGenerated, Computer, _ResourceId, Duration, appliedThreshold', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-Heartbeat-threshold-Override_')]\"\r\n },\r\n {\r\n \"field\": \"identity.userAssignedIdentities\",\r\n \"containsKey\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n ]\r\n },\r\n \"deployment\": {\r\n \"location\": \"northeurope\",\r\n \"properties\": {\r\n \"mode\": \"incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"object\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n },\r\n \"severity\": {\r\n \"type\": \"String\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Resources/resourceGroups\",\r\n \"apiVersion\": \"2021-04-01\",\r\n \"name\": \"[[parameters('alertResourceGroupName')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"tags\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n {\r\n \"type\": \"Microsoft.Resources/deployments\",\r\n \"apiVersion\": \"2019-10-01\",\r\n \"name\": \"HeartBeatAlert\",\r\n \"resourceGroup\": \"[[parameters('alertResourceGroupName')]\",\r\n \"dependsOn\": [\r\n \"[[concat('Microsoft.Resources/resourceGroups/', parameters('alertResourceGroupName'))]\"\r\n ],\r\n \"properties\": {\r\n \"mode\": \"Incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"apiVersion\": \"2022-08-01-preview\",\r\n \"name\": \"[[concat(subscription().displayName, '-VMHeartBeatAlert')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"identity\": {\r\n \"type\": \"UserAssigned\",\r\n \"userAssignedIdentities\": {\r\n \"[[parameters('UAMIResourceId')]\": {}\r\n }\r\n },\r\n \"tags\": {\r\n \"_deployed_by_amba\": true\r\n },\r\n \"properties\": {\r\n \"displayName\": \"[[concat(subscription().displayName, '-VMHeartBeatAlert')]\",\r\n \"description\": \"Log Alert for Virtual Machine Heartbeat\",\r\n \"severity\": \"[[parameters('severity')]\",\r\n \"enabled\": \"[[parameters('enabled')]\",\r\n \"scopes\": [\r\n \"[[subscription().Id]\"\r\n ],\r\n \"targetResourceTypes\": [\r\n \"Microsoft.Compute/virtualMachines\"\r\n ],\r\n \"evaluationFrequency\": \"[[parameters('evaluationFrequency')]\",\r\n \"windowSize\": \"[[parameters('windowSize')]\",\r\n \"criteria\": {\r\n \"allOf\": [\r\n {\r\n \"query\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.Compute/virtualMachines\\\" | where isempty(properties.virtualMachineScaleSet) | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); Heartbeat | where _ResourceId has \\\"Microsoft.Compute/virtualMachines\\\" | summarize TimeGenerated=max(TimeGenerated) by Computer, _ResourceId | extend Duration = datetime_diff(\\\"minute\\\",now(),TimeGenerated) | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where Duration > appliedThreshold | project TimeGenerated, Computer, _ResourceId, Duration, appliedThreshold', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-Heartbeat-threshold-Override_')]\",\r\n \"threshold\": 0,\r\n \"operator\": \"[[parameters('operator')]\",\r\n \"resourceIdColumn\": \"_ResourceId\",\r\n \"timeAggregation\": \"[[parameters('timeAggregation')]\",\r\n \"dimensions\": [\r\n {\r\n \"name\": \"Computer\",\r\n \"operator\": \"Include\",\r\n \"values\": [\r\n \"*\"\r\n ]\r\n }\r\n ],\r\n \"failingPeriods\": {\r\n \"numberOfEvaluationPeriods\": \"[[parameters('evaluationPeriods')]\",\r\n \"minFailingPeriodsToAlert\": \"[[parameters('failingPeriods')]\"\r\n }\r\n }\r\n ]\r\n },\r\n \"autoMitigate\": \"[[parameters('autoMitigate')]\",\r\n \"checkWorkspaceAlertsStorageConfigured\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\",\r\n \"ruleResolveConfiguration\": {\r\n \"autoResolved\": \"[[parameters('autoResolve')]\",\r\n \"timeToResolve\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"value\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"operator\": {\r\n \"value\": \"[[parameters('operator')]\"\r\n },\r\n \"timeAggregation\": {\r\n \"value\": \"[[parameters('timeAggregation')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n}\r\n", + "$fxv#4": "{\r\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\r\n \"apiVersion\": \"2021-06-01\",\r\n \"name\": \"Deploy_VM_NetworkIn_Alert\",\r\n \"properties\": {\r\n \"policyType\": \"Custom\",\r\n \"mode\": \"All\",\r\n \"displayName\": \"Deploy Azure VM Network Read Alert\",\r\n \"description\": \"Policy to audit/deploy Azure VM Network Read Alert\",\r\n \"metadata\": {\r\n \"version\": \"1.7.0\",\r\n \"category\": \"Compute\",\r\n \"source\": \"https://github.com/Azure/azure-monitor-baseline-alerts/\",\r\n \"alzCloudEnvironments\": [\r\n \"AzureCloud\"\r\n ],\r\n \"_deployed_by_amba\": \"True\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Name\",\r\n \"description\": \"Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"rg-amba-monitoring-001\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"Object\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Tags\",\r\n \"description\": \"Tags on the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": {\r\n \"Project\": \"amba-monitoring\"\r\n }\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Location\",\r\n \"description\": \"Location of the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"centralus\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\",\r\n \"defaultValue\": \"\",\r\n \"metadata\": {\r\n \"description\": \"The resource Id of the user assigned managed identity.\",\r\n \"displayName\": \"User Assigned managed Identity resource Id.\"\r\n }\r\n },\r\n \"severity\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Severity\",\r\n \"description\": \"Severity of the Alert\"\r\n },\r\n \"allowedValues\": [\r\n \"0\",\r\n \"1\",\r\n \"2\",\r\n \"3\",\r\n \"4\"\r\n ],\r\n \"defaultValue\": \"2\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Operator\"\r\n },\r\n \"allowedValues\": [\r\n \"GreaterThan\"\r\n ],\r\n \"defaultValue\": \"GreaterThan\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"TimeAggregation\"\r\n },\r\n \"allowedValues\": [\r\n \"Count\"\r\n ],\r\n \"defaultValue\": \"Count\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Window Size\",\r\n \"description\": \"Window size for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\",\r\n \"PT6H\",\r\n \"PT12H\",\r\n \"PT24H\"\r\n ],\r\n \"defaultValue\": \"PT15M\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Frequency\",\r\n \"description\": \"Evaluation frequency for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\"\r\n ],\r\n \"defaultValue\": \"PT5M\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Mitigate\",\r\n \"description\": \"Auto Mitigate for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Require a workspace linked storage\",\r\n \"description\": \"Don't create the alert rule if the Log Analytics workspace doesn't have a configured linked storage account (relevant if you're using Customer Managed Keys).\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"false\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve time for the alert in ISO 8601 format\"\r\n },\r\n \"defaultValue\": \"true\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Alert State\",\r\n \"description\": \"Alert state for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Threshold\",\r\n \"description\": \"Threshold for the alert\"\r\n },\r\n \"defaultValue\": \"10000000\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Failing Periods\",\r\n \"description\": \"Number of failing periods before alert is fired\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Periods\",\r\n \"description\": \"The number of aggregated lookback points.\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"effect\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Effect\",\r\n \"description\": \"Effect of the policy\"\r\n },\r\n \"allowedValues\": [\r\n \"deployIfNotExists\",\r\n \"disabled\"\r\n ],\r\n \"defaultValue\": \"deployIfNotExists\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag name\",\r\n \"description\": \"Tag name to disable monitoring. Set to true if monitoring should be disabled\"\r\n },\r\n \"defaultValue\": \"MonitorDisable\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag values(s)\",\r\n \"description\": \"Tag value(s) used to disable monitoring at the resource level. Set to true if monitoring should be disabled.\"\r\n },\r\n \"defaultValue\": [\r\n \"true\",\r\n \"Test\",\r\n \"Dev\",\r\n \"Sandbox\"\r\n ]\r\n }\r\n },\r\n \"policyRule\": {\r\n \"if\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"type\",\r\n \"equals\": \"Microsoft.Compute/virtualMachines\"\r\n },\r\n {\r\n \"field\": \"[[concat('tags[', parameters('MonitorDisableTagName'), ']')]\",\r\n \"notIn\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n ]\r\n },\r\n \"then\": {\r\n \"effect\": \"[[parameters('effect')]\",\r\n \"details\": {\r\n \"roleDefinitionIds\": [\r\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\r\n ],\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"existenceScope\": \"resourceGroup\",\r\n \"resourceGroupName\": \"[[parameters('alertResourceGroupName')]\",\r\n \"deploymentScope\": \"subscription\",\r\n \"existenceCondition\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/displayName\",\r\n \"equals\": \"[[concat(subscription().displayName, '-VMHighNetworkInAlert')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/scopes[*]\",\r\n \"equals\": \"[[subscription().id]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/enabled\",\r\n \"equals\": \"[[parameters('enabled')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/evaluationFrequency\",\r\n \"equals\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/windowSize\",\r\n \"equals\": \"[[parameters('windowSize')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/severity\",\r\n \"equals\": \"[[parameters('severity')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/autoMitigate\",\r\n \"equals\": \"[[parameters('autoMitigate')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/checkWorkspaceAlertsStorageConfigured\",\r\n \"equals\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].operator\",\r\n \"equals\": \"[[parameters('operator')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].timeAggregation\",\r\n \"equals\": \"[[parameters('timeAggregation')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.numberOfEvaluationPeriods\",\r\n \"equals\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.minFailingPeriodsToAlert\",\r\n \"equals\": \"[[parameters('failingPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].query\",\r\n \"equals\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.Compute/virtualMachines\\\" | where isempty(properties.virtualMachineScaleSet) | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.Compute/virtualMachines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"Network\\\" and Name == \\\"ReadBytesPerSecond\\\" | extend NetworkInterface=tostring(todynamic(Tags)[\\\"vm.azm.ms/networkDeviceId\\\"]) | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, NetworkInterface | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue > appliedThreshold | project TimeGenerated, Computer, _ResourceId, NetworkInterface, AggregatedValue, appliedThreshold' , parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-ReadBytesPerSecond-threshold-Override_')]\"\r\n },\r\n {\r\n \"field\": \"identity.userAssignedIdentities\",\r\n \"containsKey\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n ]\r\n },\r\n \"deployment\": {\r\n \"location\": \"northeurope\",\r\n \"properties\": {\r\n \"mode\": \"incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"object\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n },\r\n \"severity\": {\r\n \"type\": \"String\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Resources/resourceGroups\",\r\n \"apiVersion\": \"2021-04-01\",\r\n \"name\": \"[[parameters('alertResourceGroupName')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"tags\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n {\r\n \"type\": \"Microsoft.Resources/deployments\",\r\n \"apiVersion\": \"2019-10-01\",\r\n \"name\": \"VMNetworkInAlert\",\r\n \"resourceGroup\": \"[[parameters('alertResourceGroupName')]\",\r\n \"dependsOn\": [\r\n \"[[concat('Microsoft.Resources/resourceGroups/', parameters('alertResourceGroupName'))]\"\r\n ],\r\n \"properties\": {\r\n \"mode\": \"Incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"apiVersion\": \"2022-08-01-preview\",\r\n \"name\": \"[[concat(subscription().displayName, '-VMHighNetworkInAlert')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"identity\": {\r\n \"type\": \"UserAssigned\",\r\n \"userAssignedIdentities\": {\r\n \"[[parameters('UAMIResourceId')]\": {}\r\n }\r\n },\r\n \"tags\": {\r\n \"_deployed_by_amba\": true\r\n },\r\n \"properties\": {\r\n \"displayName\": \"[[concat(subscription().displayName, '-VMHighNetworkInAlert')]\",\r\n \"description\": \"Log Alert for Virtual Machine NetworkIn\",\r\n \"severity\": \"[[parameters('severity')]\",\r\n \"enabled\": \"[[parameters('enabled')]\",\r\n \"scopes\": [\r\n \"[[subscription().Id]\"\r\n ],\r\n \"targetResourceTypes\": [\r\n \"Microsoft.Compute/virtualMachines\"\r\n ],\r\n \"evaluationFrequency\": \"[[parameters('evaluationFrequency')]\",\r\n \"windowSize\": \"[[parameters('windowSize')]\",\r\n \"criteria\": {\r\n \"allOf\": [\r\n {\r\n \"query\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.Compute/virtualMachines\\\" | where isempty(properties.virtualMachineScaleSet) | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.Compute/virtualMachines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"Network\\\" and Name == \\\"ReadBytesPerSecond\\\" | extend NetworkInterface=tostring(todynamic(Tags)[\\\"vm.azm.ms/networkDeviceId\\\"]) | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, NetworkInterface | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue > appliedThreshold | project TimeGenerated, Computer, _ResourceId, NetworkInterface, AggregatedValue, appliedThreshold' , parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-ReadBytesPerSecond-threshold-Override_')]\",\r\n \"threshold\": 0,\r\n \"operator\": \"[[parameters('operator')]\",\r\n \"resourceIdColumn\": \"_ResourceId\",\r\n \"timeAggregation\": \"[[parameters('timeAggregation')]\",\r\n \"dimensions\": [\r\n {\r\n \"name\": \"Computer\",\r\n \"operator\": \"Include\",\r\n \"values\": [\r\n \"*\"\r\n ]\r\n },\r\n {\r\n \"name\": \"NetworkInterface\",\r\n \"operator\": \"Include\",\r\n \"values\": [\r\n \"*\"\r\n ]\r\n }\r\n ],\r\n \"failingPeriods\": {\r\n \"numberOfEvaluationPeriods\": \"[[parameters('evaluationPeriods')]\",\r\n \"minFailingPeriodsToAlert\": \"[[parameters('failingPeriods')]\"\r\n }\r\n }\r\n ]\r\n },\r\n \"autoMitigate\": \"[[parameters('autoMitigate')]\",\r\n \"checkWorkspaceAlertsStorageConfigured\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\",\r\n \"ruleResolveConfiguration\": {\r\n \"autoResolved\": \"[[parameters('autoResolve')]\",\r\n \"timeToResolve\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"value\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"operator\": {\r\n \"value\": \"[[parameters('operator')]\"\r\n },\r\n \"timeAggregation\": {\r\n \"value\": \"[[parameters('timeAggregation')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n}\r\n", + "$fxv#5": "{\r\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\r\n \"apiVersion\": \"2021-06-01\",\r\n \"name\": \"Deploy_VM_NetworkOut_Alert\",\r\n \"properties\": {\r\n \"policyType\": \"Custom\",\r\n \"mode\": \"All\",\r\n \"displayName\": \"Deploy Azure VM Network Write Alert\",\r\n \"description\": \"Policy to audit/deploy Azure VM Network Out Alert\",\r\n \"metadata\": {\r\n \"version\": \"1.7.0\",\r\n \"category\": \"Compute\",\r\n \"source\": \"https://github.com/Azure/azure-monitor-baseline-alerts/\",\r\n \"alzCloudEnvironments\": [\r\n \"AzureCloud\"\r\n ],\r\n \"_deployed_by_amba\": \"True\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Name\",\r\n \"description\": \"Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"rg-amba-monitoring-001\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"Object\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Tags\",\r\n \"description\": \"Tags on the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": {\r\n \"Project\": \"amba-monitoring\"\r\n }\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Location\",\r\n \"description\": \"Location of the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"centralus\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\",\r\n \"defaultValue\": \"\",\r\n \"metadata\": {\r\n \"description\": \"The resource Id of the user assigned managed identity.\",\r\n \"displayName\": \"User Assigned managed Identity resource Id.\"\r\n }\r\n },\r\n \"severity\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Severity\",\r\n \"description\": \"Severity of the Alert\"\r\n },\r\n \"allowedValues\": [\r\n \"0\",\r\n \"1\",\r\n \"2\",\r\n \"3\",\r\n \"4\"\r\n ],\r\n \"defaultValue\": \"2\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Operator\"\r\n },\r\n \"allowedValues\": [\r\n \"GreaterThan\"\r\n ],\r\n \"defaultValue\": \"GreaterThan\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"TimeAggregation\"\r\n },\r\n \"allowedValues\": [\r\n \"Count\"\r\n ],\r\n \"defaultValue\": \"Count\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Window Size\",\r\n \"description\": \"Window size for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\",\r\n \"PT6H\",\r\n \"PT12H\",\r\n \"PT24H\"\r\n ],\r\n \"defaultValue\": \"PT15M\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Frequency\",\r\n \"description\": \"Evaluation frequency for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\"\r\n ],\r\n \"defaultValue\": \"PT5M\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Mitigate\",\r\n \"description\": \"Auto Mitigate for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Require a workspace linked storage\",\r\n \"description\": \"Don't create the alert rule if the Log Analytics workspace doesn't have a configured linked storage account (relevant if you're using Customer Managed Keys).\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"false\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve time for the alert in ISO 8601 format\"\r\n },\r\n \"defaultValue\": \"true\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Alert State\",\r\n \"description\": \"Alert state for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Threshold\",\r\n \"description\": \"Threshold for the alert\"\r\n },\r\n \"defaultValue\": \"10000000\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Failing Periods\",\r\n \"description\": \"Number of failing periods before alert is fired\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Periods\",\r\n \"description\": \"The number of aggregated lookback points.\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"effect\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Effect\",\r\n \"description\": \"Effect of the policy\"\r\n },\r\n \"allowedValues\": [\r\n \"deployIfNotExists\",\r\n \"disabled\"\r\n ],\r\n \"defaultValue\": \"deployIfNotExists\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag name\",\r\n \"description\": \"Tag name to disable monitoring. Set to true if monitoring should be disabled\"\r\n },\r\n \"defaultValue\": \"MonitorDisable\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag values(s)\",\r\n \"description\": \"Tag value(s) used to disable monitoring at the resource level. Set to true if monitoring should be disabled.\"\r\n },\r\n \"defaultValue\": [\r\n \"true\",\r\n \"Test\",\r\n \"Dev\",\r\n \"Sandbox\"\r\n ]\r\n }\r\n },\r\n \"policyRule\": {\r\n \"if\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"type\",\r\n \"equals\": \"Microsoft.Compute/virtualMachines\"\r\n },\r\n {\r\n \"field\": \"[[concat('tags[', parameters('MonitorDisableTagName'), ']')]\",\r\n \"notIn\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n ]\r\n },\r\n \"then\": {\r\n \"effect\": \"[[parameters('effect')]\",\r\n \"details\": {\r\n \"roleDefinitionIds\": [\r\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\r\n ],\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"existenceScope\": \"resourceGroup\",\r\n \"resourceGroupName\": \"[[parameters('alertResourceGroupName')]\",\r\n \"deploymentScope\": \"subscription\",\r\n \"existenceCondition\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/displayName\",\r\n \"equals\": \"[[concat(subscription().displayName, '-VMHighNetworkOutAlert')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/scopes[*]\",\r\n \"equals\": \"[[subscription().id]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/enabled\",\r\n \"equals\": \"[[parameters('enabled')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/evaluationFrequency\",\r\n \"equals\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/windowSize\",\r\n \"equals\": \"[[parameters('windowSize')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/severity\",\r\n \"equals\": \"[[parameters('severity')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/autoMitigate\",\r\n \"equals\": \"[[parameters('autoMitigate')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/checkWorkspaceAlertsStorageConfigured\",\r\n \"equals\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].operator\",\r\n \"equals\": \"[[parameters('operator')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].timeAggregation\",\r\n \"equals\": \"[[parameters('timeAggregation')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.numberOfEvaluationPeriods\",\r\n \"equals\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.minFailingPeriodsToAlert\",\r\n \"equals\": \"[[parameters('failingPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].query\",\r\n \"equals\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.Compute/virtualMachines\\\" | where isempty(properties.virtualMachineScaleSet) | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.Compute/virtualMachines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"Network\\\" and Name == \\\"WriteBytesPerSecond\\\" | extend NetworkInterface=tostring(todynamic(Tags)[\\\"vm.azm.ms/networkDeviceId\\\"]) | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, NetworkInterface | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue > appliedThreshold | project TimeGenerated, Computer, _ResourceId, NetworkInterface, AggregatedValue, appliedThreshold' , parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-WriteBytesPerSecond-threshold-Override_')]\"\r\n },\r\n {\r\n \"field\": \"identity.userAssignedIdentities\",\r\n \"containsKey\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n ]\r\n },\r\n \"deployment\": {\r\n \"location\": \"northeurope\",\r\n \"properties\": {\r\n \"mode\": \"incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"object\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n },\r\n \"severity\": {\r\n \"type\": \"String\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Resources/resourceGroups\",\r\n \"apiVersion\": \"2021-04-01\",\r\n \"name\": \"[[parameters('alertResourceGroupName')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"tags\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n {\r\n \"type\": \"Microsoft.Resources/deployments\",\r\n \"apiVersion\": \"2019-10-01\",\r\n \"name\": \"VMNetworkOutAlert\",\r\n \"resourceGroup\": \"[[parameters('alertResourceGroupName')]\",\r\n \"dependsOn\": [\r\n \"[[concat('Microsoft.Resources/resourceGroups/', parameters('alertResourceGroupName'))]\"\r\n ],\r\n \"properties\": {\r\n \"mode\": \"Incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"apiVersion\": \"2022-08-01-preview\",\r\n \"name\": \"[[concat(subscription().displayName, '-VMHighNetworkOutAlert')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"identity\": {\r\n \"type\": \"UserAssigned\",\r\n \"userAssignedIdentities\": {\r\n \"[[parameters('UAMIResourceId')]\": {}\r\n }\r\n },\r\n \"tags\": {\r\n \"_deployed_by_amba\": true\r\n },\r\n \"properties\": {\r\n \"displayName\": \"[[concat(subscription().displayName, '-VMHighNetworkOutAlert')]\",\r\n \"description\": \"Log Alert for Virtual Machine NetworkOut\",\r\n \"severity\": \"[[parameters('severity')]\",\r\n \"enabled\": \"[[parameters('enabled')]\",\r\n \"scopes\": [\r\n \"[[subscription().Id]\"\r\n ],\r\n \"targetResourceTypes\": [\r\n \"Microsoft.Compute/virtualMachines\"\r\n ],\r\n \"evaluationFrequency\": \"[[parameters('evaluationFrequency')]\",\r\n \"windowSize\": \"[[parameters('windowSize')]\",\r\n \"criteria\": {\r\n \"allOf\": [\r\n {\r\n \"query\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.Compute/virtualMachines\\\" | where isempty(properties.virtualMachineScaleSet) | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.Compute/virtualMachines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"Network\\\" and Name == \\\"WriteBytesPerSecond\\\" | extend NetworkInterface=tostring(todynamic(Tags)[\\\"vm.azm.ms/networkDeviceId\\\"]) | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, NetworkInterface | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue > appliedThreshold | project TimeGenerated, Computer, _ResourceId, NetworkInterface, AggregatedValue, appliedThreshold' , parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-WriteBytesPerSecond-threshold-Override_')]\",\r\n \"threshold\": 0,\r\n \"operator\": \"[[parameters('operator')]\",\r\n \"resourceIdColumn\": \"_ResourceId\",\r\n \"timeAggregation\": \"[[parameters('timeAggregation')]\",\r\n \"dimensions\": [\r\n {\r\n \"name\": \"Computer\",\r\n \"operator\": \"Include\",\r\n \"values\": [\r\n \"*\"\r\n ]\r\n },\r\n {\r\n \"name\": \"NetworkInterface\",\r\n \"operator\": \"Include\",\r\n \"values\": [\r\n \"*\"\r\n ]\r\n }\r\n ],\r\n \"failingPeriods\": {\r\n \"numberOfEvaluationPeriods\": \"[[parameters('evaluationPeriods')]\",\r\n \"minFailingPeriodsToAlert\": \"[[parameters('failingPeriods')]\"\r\n }\r\n }\r\n ]\r\n },\r\n \"autoMitigate\": \"[[parameters('autoMitigate')]\",\r\n \"checkWorkspaceAlertsStorageConfigured\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\",\r\n \"ruleResolveConfiguration\": {\r\n \"autoResolved\": \"[[parameters('autoResolve')]\",\r\n \"timeToResolve\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"value\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"operator\": {\r\n \"value\": \"[[parameters('operator')]\"\r\n },\r\n \"timeAggregation\": {\r\n \"value\": \"[[parameters('timeAggregation')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n}\r\n", + "$fxv#6": "{\r\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\r\n \"apiVersion\": \"2021-06-01\",\r\n \"name\": \"Deploy_VM_OSDiskreadLatency_Alert\",\r\n \"properties\": {\r\n \"policyType\": \"Custom\",\r\n \"mode\": \"All\",\r\n \"displayName\": \"Deploy Azure VM OS Disk Read Latency Alert\",\r\n \"description\": \"Policy to audit/deploy Azure VM OSDiskreadLatency Alert\",\r\n \"metadata\": {\r\n \"version\": \"1.8.0\",\r\n \"category\": \"Compute\",\r\n \"source\": \"https://github.com/Azure/azure-monitor-baseline-alerts/\",\r\n \"alzCloudEnvironments\": [\r\n \"AzureCloud\"\r\n ],\r\n \"_deployed_by_amba\": \"True\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Name\",\r\n \"description\": \"Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"rg-amba-monitoring-001\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"Object\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Tags\",\r\n \"description\": \"Tags on the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": {\r\n \"Project\": \"amba-monitoring\"\r\n }\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Location\",\r\n \"description\": \"Location of the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"centralus\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\",\r\n \"defaultValue\": \"\",\r\n \"metadata\": {\r\n \"description\": \"The resource Id of the user assigned managed identity.\",\r\n \"displayName\": \"User Assigned managed Identity resource Id.\"\r\n }\r\n },\r\n \"severity\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Severity\",\r\n \"description\": \"Severity of the Alert\"\r\n },\r\n \"allowedValues\": [\r\n \"0\",\r\n \"1\",\r\n \"2\",\r\n \"3\",\r\n \"4\"\r\n ],\r\n \"defaultValue\": \"2\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Operator\"\r\n },\r\n \"allowedValues\": [\r\n \"GreaterThan\"\r\n ],\r\n \"defaultValue\": \"GreaterThan\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"TimeAggregation\"\r\n },\r\n \"allowedValues\": [\r\n \"Count\"\r\n ],\r\n \"defaultValue\": \"Count\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Window Size\",\r\n \"description\": \"Window size for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\",\r\n \"PT6H\",\r\n \"PT12H\",\r\n \"PT24H\"\r\n ],\r\n \"defaultValue\": \"PT15M\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Frequency\",\r\n \"description\": \"Evaluation frequency for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\"\r\n ],\r\n \"defaultValue\": \"PT5M\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Mitigate\",\r\n \"description\": \"Auto Mitigate for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Require a workspace linked storage\",\r\n \"description\": \"Don't create the alert rule if the Log Analytics workspace doesn't have a configured linked storage account (relevant if you're using Customer Managed Keys).\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"false\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve time for the alert in ISO 8601 format\"\r\n },\r\n \"defaultValue\": \"true\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Alert State\",\r\n \"description\": \"Alert state for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Threshold\",\r\n \"description\": \"Threshold for the alert\"\r\n },\r\n \"defaultValue\": \"30\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Failing Periods\",\r\n \"description\": \"Number of failing periods before alert is fired\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Periods\",\r\n \"description\": \"The number of aggregated lookback points.\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"effect\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Effect\",\r\n \"description\": \"Effect of the policy\"\r\n },\r\n \"allowedValues\": [\r\n \"deployIfNotExists\",\r\n \"disabled\"\r\n ],\r\n \"defaultValue\": \"deployIfNotExists\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag name\",\r\n \"description\": \"Tag name to disable monitoring. Set to true if monitoring should be disabled\"\r\n },\r\n \"defaultValue\": \"MonitorDisable\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag values(s)\",\r\n \"description\": \"Tag value(s) used to disable monitoring at the resource level. Set to true if monitoring should be disabled.\"\r\n },\r\n \"defaultValue\": [\r\n \"true\",\r\n \"Test\",\r\n \"Dev\",\r\n \"Sandbox\"\r\n ]\r\n }\r\n },\r\n \"policyRule\": {\r\n \"if\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"type\",\r\n \"equals\": \"Microsoft.Compute/virtualMachines\"\r\n },\r\n {\r\n \"field\": \"[[concat('tags[', parameters('MonitorDisableTagName'), ']')]\",\r\n \"notIn\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n ]\r\n },\r\n \"then\": {\r\n \"effect\": \"[[parameters('effect')]\",\r\n \"details\": {\r\n \"roleDefinitionIds\": [\r\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\r\n ],\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"existenceScope\": \"resourceGroup\",\r\n \"resourceGroupName\": \"[[parameters('alertResourceGroupName')]\",\r\n \"deploymentScope\": \"subscription\",\r\n \"existenceCondition\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/displayName\",\r\n \"equals\": \"[[concat(subscription().displayName, '-VMHighOSDiskReadLatencyAlert')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/scopes[*]\",\r\n \"equals\": \"[[subscription().id]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/enabled\",\r\n \"equals\": \"[[parameters('enabled')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/evaluationFrequency\",\r\n \"equals\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/windowSize\",\r\n \"equals\": \"[[parameters('windowSize')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/severity\",\r\n \"equals\": \"[[parameters('severity')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/autoMitigate\",\r\n \"equals\": \"[[parameters('autoMitigate')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/checkWorkspaceAlertsStorageConfigured\",\r\n \"equals\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].operator\",\r\n \"equals\": \"[[parameters('operator')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].timeAggregation\",\r\n \"equals\": \"[[parameters('timeAggregation')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.numberOfEvaluationPeriods\",\r\n \"equals\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.minFailingPeriodsToAlert\",\r\n \"equals\": \"[[parameters('failingPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].query\",\r\n \"equals\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.Compute/virtualMachines\\\" | where isempty(properties.virtualMachineScaleSet) | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.Compute/virtualMachines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"LogicalDisk\\\" and Name == \\\"ReadLatencyMs\\\" | extend Disk=tostring(todynamic(Tags)[\\\"vm.azm.ms/mountId\\\"]) | where Disk in (\\\"C:\\\", \\\"/\\\") | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, Disk | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend excludedLogicalVolumes = iif(isnotempty(resourceTags.[\\\"{4}\\\"]),resourceTags.[\\\"{4}\\\"], \\\"No logical volumes excluded\\\") | where excludedLogicalVolumes !has Disk | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue > appliedThreshold | project TimeGenerated, Computer, _ResourceId, Disk, AggregatedValue, appliedThreshold, excludedLogicalVolumes', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-ReadLatencyMs-OS-threshold-Override_', '_amba-ExcludedLogicalVolumes-ReadLatency_')]\"\r\n },\r\n {\r\n \"field\": \"identity.userAssignedIdentities\",\r\n \"containsKey\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n ]\r\n },\r\n \"deployment\": {\r\n \"location\": \"northeurope\",\r\n \"properties\": {\r\n \"mode\": \"incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"object\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n },\r\n \"severity\": {\r\n \"type\": \"String\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Resources/resourceGroups\",\r\n \"apiVersion\": \"2021-04-01\",\r\n \"name\": \"[[parameters('alertResourceGroupName')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"tags\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n {\r\n \"type\": \"Microsoft.Resources/deployments\",\r\n \"apiVersion\": \"2019-10-01\",\r\n \"name\": \"VMOSDiskreadLatencyAlert\",\r\n \"resourceGroup\": \"[[parameters('alertResourceGroupName')]\",\r\n \"dependsOn\": [\r\n \"[[concat('Microsoft.Resources/resourceGroups/', parameters('alertResourceGroupName'))]\"\r\n ],\r\n \"properties\": {\r\n \"mode\": \"Incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"apiVersion\": \"2022-08-01-preview\",\r\n \"name\": \"[[concat(subscription().displayName, '-VMHighOSDiskReadLatencyAlert')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"identity\": {\r\n \"type\": \"UserAssigned\",\r\n \"userAssignedIdentities\": {\r\n \"[[parameters('UAMIResourceId')]\": {}\r\n }\r\n },\r\n \"tags\": {\r\n \"_deployed_by_amba\": true\r\n },\r\n \"properties\": {\r\n \"displayName\": \"[[concat(subscription().displayName, '-VMHighOSDiskReadLatencyAlert')]\",\r\n \"description\": \"Log Alert for Virtual Machine OSDiskreadLatency\",\r\n \"severity\": \"[[parameters('severity')]\",\r\n \"enabled\": \"[[parameters('enabled')]\",\r\n \"scopes\": [\r\n \"[[subscription().Id]\"\r\n ],\r\n \"targetResourceTypes\": [\r\n \"Microsoft.Compute/virtualMachines\"\r\n ],\r\n \"evaluationFrequency\": \"[[parameters('evaluationFrequency')]\",\r\n \"windowSize\": \"[[parameters('windowSize')]\",\r\n \"criteria\": {\r\n \"allOf\": [\r\n {\r\n \"query\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.Compute/virtualMachines\\\" | where isempty(properties.virtualMachineScaleSet) | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.Compute/virtualMachines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"LogicalDisk\\\" and Name == \\\"ReadLatencyMs\\\" | extend Disk=tostring(todynamic(Tags)[\\\"vm.azm.ms/mountId\\\"]) | where Disk in (\\\"C:\\\", \\\"/\\\") | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, Disk | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend excludedLogicalVolumes = iif(isnotempty(resourceTags.[\\\"{4}\\\"]),resourceTags.[\\\"{4}\\\"], \\\"No logical volumes excluded\\\") | where excludedLogicalVolumes !has Disk | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue > appliedThreshold | project TimeGenerated, Computer, _ResourceId, Disk, AggregatedValue, appliedThreshold, excludedLogicalVolumes', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-ReadLatencyMs-OS-threshold-Override_', '_amba-ExcludedLogicalVolumes-ReadLatency_')]\",\r\n \"threshold\": 0,\r\n \"operator\": \"[[parameters('operator')]\",\r\n \"resourceIdColumn\": \"_ResourceId\",\r\n \"timeAggregation\": \"[[parameters('timeAggregation')]\",\r\n \"dimensions\": [\r\n {\r\n \"name\": \"Computer\",\r\n \"operator\": \"Include\",\r\n \"values\": [\r\n \"*\"\r\n ]\r\n },\r\n {\r\n \"name\": \"Disk\",\r\n \"operator\": \"Include\",\r\n \"values\": [\r\n \"*\"\r\n ]\r\n }\r\n ],\r\n \"failingPeriods\": {\r\n \"numberOfEvaluationPeriods\": \"[[parameters('evaluationPeriods')]\",\r\n \"minFailingPeriodsToAlert\": \"[[parameters('failingPeriods')]\"\r\n }\r\n }\r\n ]\r\n },\r\n \"autoMitigate\": \"[[parameters('autoMitigate')]\",\r\n \"checkWorkspaceAlertsStorageConfigured\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\",\r\n \"ruleResolveConfiguration\": {\r\n \"autoResolved\": \"[[parameters('autoResolve')]\",\r\n \"timeToResolve\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"value\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"operator\": {\r\n \"value\": \"[[parameters('operator')]\"\r\n },\r\n \"timeAggregation\": {\r\n \"value\": \"[[parameters('timeAggregation')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n}\r\n", + "$fxv#7": "{\r\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\r\n \"apiVersion\": \"2021-06-01\",\r\n \"name\": \"Deploy_VM_OSDiskSpace_Alert\",\r\n \"properties\": {\r\n \"policyType\": \"Custom\",\r\n \"mode\": \"All\",\r\n \"displayName\": \"Deploy Azure VM OS Disk Space Alert\",\r\n \"description\": \"Policy to audit/deploy Azure VM OSDiskSpace Alert\",\r\n \"metadata\": {\r\n \"version\": \"1.8.0\",\r\n \"category\": \"Compute\",\r\n \"source\": \"https://github.com/Azure/azure-monitor-baseline-alerts/\",\r\n \"alzCloudEnvironments\": [\r\n \"AzureCloud\"\r\n ],\r\n \"_deployed_by_amba\": \"True\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Name\",\r\n \"description\": \"Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"rg-amba-monitoring-001\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"Object\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Tags\",\r\n \"description\": \"Tags on the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": {\r\n \"Project\": \"amba-monitoring\"\r\n }\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Location\",\r\n \"description\": \"Location of the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"centralus\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\",\r\n \"defaultValue\": \"\",\r\n \"metadata\": {\r\n \"description\": \"The resource Id of the user assigned managed identity.\",\r\n \"displayName\": \"User Assigned managed Identity resource Id.\"\r\n }\r\n },\r\n \"severity\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Severity\",\r\n \"description\": \"Severity of the Alert\"\r\n },\r\n \"allowedValues\": [\r\n \"0\",\r\n \"1\",\r\n \"2\",\r\n \"3\",\r\n \"4\"\r\n ],\r\n \"defaultValue\": \"2\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Operator\"\r\n },\r\n \"allowedValues\": [\r\n \"GreaterThan\"\r\n ],\r\n \"defaultValue\": \"GreaterThan\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"TimeAggregation\"\r\n },\r\n \"allowedValues\": [\r\n \"Count\"\r\n ],\r\n \"defaultValue\": \"Count\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Window Size\",\r\n \"description\": \"Window size for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\",\r\n \"PT6H\",\r\n \"PT12H\",\r\n \"PT24H\"\r\n ],\r\n \"defaultValue\": \"PT15M\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Frequency\",\r\n \"description\": \"Evaluation frequency for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\"\r\n ],\r\n \"defaultValue\": \"PT5M\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Mitigate\",\r\n \"description\": \"Auto Mitigate for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Require a workspace linked storage\",\r\n \"description\": \"Don't create the alert rule if the Log Analytics workspace doesn't have a configured linked storage account (relevant if you're using Customer Managed Keys).\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"false\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve time for the alert in ISO 8601 format\"\r\n },\r\n \"defaultValue\": \"true\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Alert State\",\r\n \"description\": \"Alert state for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Threshold\",\r\n \"description\": \"Threshold for the alert\"\r\n },\r\n \"defaultValue\": \"10\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Failing Periods\",\r\n \"description\": \"Number of failing periods before alert is fired\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Periods\",\r\n \"description\": \"The number of aggregated lookback points.\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"effect\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Effect\",\r\n \"description\": \"Effect of the policy\"\r\n },\r\n \"allowedValues\": [\r\n \"deployIfNotExists\",\r\n \"disabled\"\r\n ],\r\n \"defaultValue\": \"deployIfNotExists\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag name\",\r\n \"description\": \"Tag name to disable monitoring. Set to true if monitoring should be disabled\"\r\n },\r\n \"defaultValue\": \"MonitorDisable\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag values(s)\",\r\n \"description\": \"Tag value(s) used to disable monitoring at the resource level. Set to true if monitoring should be disabled.\"\r\n },\r\n \"defaultValue\": [\r\n \"true\",\r\n \"Test\",\r\n \"Dev\",\r\n \"Sandbox\"\r\n ]\r\n }\r\n },\r\n \"policyRule\": {\r\n \"if\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"type\",\r\n \"equals\": \"Microsoft.Compute/virtualMachines\"\r\n },\r\n {\r\n \"field\": \"[[concat('tags[', parameters('MonitorDisableTagName'), ']')]\",\r\n \"notIn\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n ]\r\n },\r\n \"then\": {\r\n \"effect\": \"[[parameters('effect')]\",\r\n \"details\": {\r\n \"roleDefinitionIds\": [\r\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\r\n ],\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"existenceScope\": \"resourceGroup\",\r\n \"resourceGroupName\": \"[[parameters('alertResourceGroupName')]\",\r\n \"deploymentScope\": \"subscription\",\r\n \"existenceCondition\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/displayName\",\r\n \"equals\": \"[[concat(subscription().displayName, '-VMLowOSDiskSpaceAlert')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/scopes[*]\",\r\n \"equals\": \"[[subscription().id]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/enabled\",\r\n \"equals\": \"[[parameters('enabled')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/evaluationFrequency\",\r\n \"equals\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/windowSize\",\r\n \"equals\": \"[[parameters('windowSize')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/severity\",\r\n \"equals\": \"[[parameters('severity')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/autoMitigate\",\r\n \"equals\": \"[[parameters('autoMitigate')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/checkWorkspaceAlertsStorageConfigured\",\r\n \"equals\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].operator\",\r\n \"equals\": \"[[parameters('operator')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].timeAggregation\",\r\n \"equals\": \"[[parameters('timeAggregation')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.numberOfEvaluationPeriods\",\r\n \"equals\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.minFailingPeriodsToAlert\",\r\n \"equals\": \"[[parameters('failingPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].query\",\r\n \"equals\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.Compute/virtualMachines\\\" | where isempty(properties.virtualMachineScaleSet) | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.Compute/virtualMachines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"LogicalDisk\\\" and Name == \\\"FreeSpacePercentage\\\" | extend Disk=tostring(todynamic(Tags)[\\\"vm.azm.ms/mountId\\\"]) | where Disk in (\\\"C:\\\", \\\"/\\\") | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, Disk | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend excludedLogicalVolumes = iif(isnotempty(resourceTags.[\\\"{4}\\\"]),resourceTags.[\\\"{4}\\\"], \\\"No logical volumes excluded\\\") | where excludedLogicalVolumes !has Disk | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue < appliedThreshold | project TimeGenerated, Computer, _ResourceId, Disk, AggregatedValue, appliedThreshold, excludedLogicalVolumes', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-FreeSpacePercentage-OS-threshold-Override_', '_amba-ExcludedLogicalVolumes-DiskSpace_')]\"\r\n },\r\n {\r\n \"field\": \"identity.userAssignedIdentities\",\r\n \"containsKey\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n ]\r\n },\r\n \"deployment\": {\r\n \"location\": \"northeurope\",\r\n \"properties\": {\r\n \"mode\": \"incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"object\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n },\r\n \"severity\": {\r\n \"type\": \"String\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Resources/resourceGroups\",\r\n \"apiVersion\": \"2021-04-01\",\r\n \"name\": \"[[parameters('alertResourceGroupName')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"tags\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n {\r\n \"type\": \"Microsoft.Resources/deployments\",\r\n \"apiVersion\": \"2019-10-01\",\r\n \"name\": \"VMOSDiskSpaceAlert\",\r\n \"resourceGroup\": \"[[parameters('alertResourceGroupName')]\",\r\n \"dependsOn\": [\r\n \"[[concat('Microsoft.Resources/resourceGroups/', parameters('alertResourceGroupName'))]\"\r\n ],\r\n \"properties\": {\r\n \"mode\": \"Incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"apiVersion\": \"2022-08-01-preview\",\r\n \"name\": \"[[concat(subscription().displayName, '-VMLowOSDiskSpaceAlert')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"identity\": {\r\n \"type\": \"UserAssigned\",\r\n \"userAssignedIdentities\": {\r\n \"[[parameters('UAMIResourceId')]\": {}\r\n }\r\n },\r\n \"tags\": {\r\n \"_deployed_by_amba\": true\r\n },\r\n \"properties\": {\r\n \"displayName\": \"[[concat(subscription().displayName, '-VMLowOSDiskSpaceAlert')]\",\r\n \"description\": \"Log Alert for Virtual Machine OSDiskSpace\",\r\n \"severity\": \"[[parameters('severity')]\",\r\n \"enabled\": \"[[parameters('enabled')]\",\r\n \"scopes\": [\r\n \"[[subscription().Id]\"\r\n ],\r\n \"targetResourceTypes\": [\r\n \"Microsoft.Compute/virtualMachines\"\r\n ],\r\n \"evaluationFrequency\": \"[[parameters('evaluationFrequency')]\",\r\n \"windowSize\": \"[[parameters('windowSize')]\",\r\n \"criteria\": {\r\n \"allOf\": [\r\n {\r\n \"query\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.Compute/virtualMachines\\\" | where isempty(properties.virtualMachineScaleSet) | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.Compute/virtualMachines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"LogicalDisk\\\" and Name == \\\"FreeSpacePercentage\\\" | extend Disk=tostring(todynamic(Tags)[\\\"vm.azm.ms/mountId\\\"]) | where Disk in (\\\"C:\\\", \\\"/\\\") | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, Disk | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend excludedLogicalVolumes = iif(isnotempty(resourceTags.[\\\"{4}\\\"]),resourceTags.[\\\"{4}\\\"], \\\"No logical volumes excluded\\\") | where excludedLogicalVolumes !has Disk | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue < appliedThreshold | project TimeGenerated, Computer, _ResourceId, Disk, AggregatedValue, appliedThreshold, excludedLogicalVolumes', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-FreeSpacePercentage-OS-threshold-Override_', '_amba-ExcludedLogicalVolumes-DiskSpace_')]\",\r\n \"threshold\": 0,\r\n \"operator\": \"[[parameters('operator')]\",\r\n \"resourceIdColumn\": \"_ResourceId\",\r\n \"timeAggregation\": \"[[parameters('timeAggregation')]\",\r\n \"dimensions\": [\r\n {\r\n \"name\": \"Computer\",\r\n \"operator\": \"Include\",\r\n \"values\": [\r\n \"*\"\r\n ]\r\n },\r\n {\r\n \"name\": \"Disk\",\r\n \"operator\": \"Include\",\r\n \"values\": [\r\n \"*\"\r\n ]\r\n }\r\n ],\r\n \"failingPeriods\": {\r\n \"numberOfEvaluationPeriods\": \"[[parameters('evaluationPeriods')]\",\r\n \"minFailingPeriodsToAlert\": \"[[parameters('failingPeriods')]\"\r\n }\r\n }\r\n ]\r\n },\r\n \"autoMitigate\": \"[[parameters('autoMitigate')]\",\r\n \"checkWorkspaceAlertsStorageConfigured\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\",\r\n \"ruleResolveConfiguration\": {\r\n \"autoResolved\": \"[[parameters('autoResolve')]\",\r\n \"timeToResolve\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"value\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"operator\": {\r\n \"value\": \"[[parameters('operator')]\"\r\n },\r\n \"timeAggregation\": {\r\n \"value\": \"[[parameters('timeAggregation')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n}\r\n", + "$fxv#8": "{\r\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\r\n \"apiVersion\": \"2021-06-01\",\r\n \"name\": \"Deploy_VM_OSDiskwriteLatency_Alert\",\r\n \"properties\": {\r\n \"policyType\": \"Custom\",\r\n \"mode\": \"All\",\r\n \"displayName\": \"Deploy Azure VM OS Disk Write Latency Alert\",\r\n \"description\": \"Policy to audit/deploy Azure VM OSDiskwriteLatency Alert\",\r\n \"metadata\": {\r\n \"version\": \"1.8.0\",\r\n \"category\": \"Compute\",\r\n \"source\": \"https://github.com/Azure/azure-monitor-baseline-alerts/\",\r\n \"alzCloudEnvironments\": [\r\n \"AzureCloud\"\r\n ],\r\n \"_deployed_by_amba\": \"True\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Name\",\r\n \"description\": \"Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"rg-amba-monitoring-001\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"Object\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Tags\",\r\n \"description\": \"Tags on the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": {\r\n \"Project\": \"amba-monitoring\"\r\n }\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Location\",\r\n \"description\": \"Location of the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"centralus\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\",\r\n \"defaultValue\": \"\",\r\n \"metadata\": {\r\n \"description\": \"The resource Id of the user assigned managed identity.\",\r\n \"displayName\": \"User Assigned managed Identity resource Id.\"\r\n }\r\n },\r\n \"severity\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Severity\",\r\n \"description\": \"Severity of the Alert\"\r\n },\r\n \"allowedValues\": [\r\n \"0\",\r\n \"1\",\r\n \"2\",\r\n \"3\",\r\n \"4\"\r\n ],\r\n \"defaultValue\": \"2\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Operator\"\r\n },\r\n \"allowedValues\": [\r\n \"GreaterThan\"\r\n ],\r\n \"defaultValue\": \"GreaterThan\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"TimeAggregation\"\r\n },\r\n \"allowedValues\": [\r\n \"Count\"\r\n ],\r\n \"defaultValue\": \"Count\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Window Size\",\r\n \"description\": \"Window size for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\",\r\n \"PT6H\",\r\n \"PT12H\",\r\n \"PT24H\"\r\n ],\r\n \"defaultValue\": \"PT15M\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Frequency\",\r\n \"description\": \"Evaluation frequency for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\"\r\n ],\r\n \"defaultValue\": \"PT5M\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Mitigate\",\r\n \"description\": \"Auto Mitigate for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Require a workspace linked storage\",\r\n \"description\": \"Don't create the alert rule if the Log Analytics workspace doesn't have a configured linked storage account (relevant if you're using Customer Managed Keys).\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"false\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve time for the alert in ISO 8601 format\"\r\n },\r\n \"defaultValue\": \"true\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Alert State\",\r\n \"description\": \"Alert state for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Threshold\",\r\n \"description\": \"Threshold for the alert\"\r\n },\r\n \"defaultValue\": \"30\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Failing Periods\",\r\n \"description\": \"Number of failing periods before alert is fired\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Periods\",\r\n \"description\": \"The number of aggregated lookback points.\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"effect\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Effect\",\r\n \"description\": \"Effect of the policy\"\r\n },\r\n \"allowedValues\": [\r\n \"deployIfNotExists\",\r\n \"disabled\"\r\n ],\r\n \"defaultValue\": \"deployIfNotExists\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag name\",\r\n \"description\": \"Tag name to disable monitoring. Set to true if monitoring should be disabled\"\r\n },\r\n \"defaultValue\": \"MonitorDisable\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag values(s)\",\r\n \"description\": \"Tag value(s) used to disable monitoring at the resource level. Set to true if monitoring should be disabled.\"\r\n },\r\n \"defaultValue\": [\r\n \"true\",\r\n \"Test\",\r\n \"Dev\",\r\n \"Sandbox\"\r\n ]\r\n }\r\n },\r\n \"policyRule\": {\r\n \"if\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"type\",\r\n \"equals\": \"Microsoft.Compute/virtualMachines\"\r\n },\r\n {\r\n \"field\": \"[[concat('tags[', parameters('MonitorDisableTagName'), ']')]\",\r\n \"notIn\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n ]\r\n },\r\n \"then\": {\r\n \"effect\": \"[[parameters('effect')]\",\r\n \"details\": {\r\n \"roleDefinitionIds\": [\r\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\r\n ],\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"existenceScope\": \"resourceGroup\",\r\n \"resourceGroupName\": \"[[parameters('alertResourceGroupName')]\",\r\n \"deploymentScope\": \"subscription\",\r\n \"existenceCondition\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/displayName\",\r\n \"equals\": \"[[concat(subscription().displayName, '-VMHighOSDiskWriteLatencyAlert')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/scopes[*]\",\r\n \"equals\": \"[[subscription().id]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/enabled\",\r\n \"equals\": \"[[parameters('enabled')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/evaluationFrequency\",\r\n \"equals\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/windowSize\",\r\n \"equals\": \"[[parameters('windowSize')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/severity\",\r\n \"equals\": \"[[parameters('severity')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/autoMitigate\",\r\n \"equals\": \"[[parameters('autoMitigate')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/checkWorkspaceAlertsStorageConfigured\",\r\n \"equals\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].operator\",\r\n \"equals\": \"[[parameters('operator')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].timeAggregation\",\r\n \"equals\": \"[[parameters('timeAggregation')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.numberOfEvaluationPeriods\",\r\n \"equals\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.minFailingPeriodsToAlert\",\r\n \"equals\": \"[[parameters('failingPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].query\",\r\n \"equals\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.Compute/virtualMachines\\\" | where isempty(properties.virtualMachineScaleSet) | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.Compute/virtualMachines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"LogicalDisk\\\" and Name == \\\"WriteLatencyMs\\\" | extend Disk=tostring(todynamic(Tags)[\\\"vm.azm.ms/mountId\\\"]) | where Disk in (\\\"C:\\\", \\\"/\\\") | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, Disk | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend excludedLogicalVolumes = iif(isnotempty(resourceTags.[\\\"{4}\\\"]),resourceTags.[\\\"{4}\\\"], \\\"No logical volumes excluded\\\") | where excludedLogicalVolumes !has Disk | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue > appliedThreshold | project TimeGenerated, Computer, _ResourceId, Disk, AggregatedValue, appliedThreshold, excludedLogicalVolumes', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-WriteLatencyMs-OS-threshold-Override_', '_amba-ExcludedLogicalVolumes-WriteLatency_')]\"\r\n },\r\n {\r\n \"field\": \"identity.userAssignedIdentities\",\r\n \"containsKey\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n ]\r\n },\r\n \"deployment\": {\r\n \"location\": \"northeurope\",\r\n \"properties\": {\r\n \"mode\": \"incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"object\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n },\r\n \"severity\": {\r\n \"type\": \"String\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Resources/resourceGroups\",\r\n \"apiVersion\": \"2021-04-01\",\r\n \"name\": \"[[parameters('alertResourceGroupName')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"tags\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n {\r\n \"type\": \"Microsoft.Resources/deployments\",\r\n \"apiVersion\": \"2019-10-01\",\r\n \"name\": \"VMOSDiskwriteLatencyAlert\",\r\n \"resourceGroup\": \"[[parameters('alertResourceGroupName')]\",\r\n \"dependsOn\": [\r\n \"[[concat('Microsoft.Resources/resourceGroups/', parameters('alertResourceGroupName'))]\"\r\n ],\r\n \"properties\": {\r\n \"mode\": \"Incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"apiVersion\": \"2022-08-01-preview\",\r\n \"name\": \"[[concat(subscription().displayName, '-VMHighOSDiskWriteLatencyAlert')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"identity\": {\r\n \"type\": \"UserAssigned\",\r\n \"userAssignedIdentities\": {\r\n \"[[parameters('UAMIResourceId')]\": {}\r\n }\r\n },\r\n \"tags\": {\r\n \"_deployed_by_amba\": true\r\n },\r\n \"properties\": {\r\n \"displayName\": \"[[concat(subscription().displayName, '-VMHighOSDiskWriteLatencyAlert')]\",\r\n \"description\": \"Log Alert for Virtual Machine OSDiskwriteLatency\",\r\n \"severity\": \"[[parameters('severity')]\",\r\n \"enabled\": \"[[parameters('enabled')]\",\r\n \"scopes\": [\r\n \"[[subscription().Id]\"\r\n ],\r\n \"targetResourceTypes\": [\r\n \"Microsoft.Compute/virtualMachines\"\r\n ],\r\n \"evaluationFrequency\": \"[[parameters('evaluationFrequency')]\",\r\n \"windowSize\": \"[[parameters('windowSize')]\",\r\n \"criteria\": {\r\n \"allOf\": [\r\n {\r\n \"query\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.Compute/virtualMachines\\\" | where isempty(properties.virtualMachineScaleSet) | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.Compute/virtualMachines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"LogicalDisk\\\" and Name == \\\"WriteLatencyMs\\\" | extend Disk=tostring(todynamic(Tags)[\\\"vm.azm.ms/mountId\\\"]) | where Disk in (\\\"C:\\\", \\\"/\\\") | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, Disk | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend excludedLogicalVolumes = iif(isnotempty(resourceTags.[\\\"{4}\\\"]),resourceTags.[\\\"{4}\\\"], \\\"No logical volumes excluded\\\") | where excludedLogicalVolumes !has Disk | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue > appliedThreshold | project TimeGenerated, Computer, _ResourceId, Disk, AggregatedValue, appliedThreshold, excludedLogicalVolumes', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-WriteLatencyMs-OS-threshold-Override_', '_amba-ExcludedLogicalVolumes-WriteLatency_')]\",\r\n \"threshold\": 0,\r\n \"operator\": \"[[parameters('operator')]\",\r\n \"resourceIdColumn\": \"_ResourceId\",\r\n \"timeAggregation\": \"[[parameters('timeAggregation')]\",\r\n \"dimensions\": [\r\n {\r\n \"name\": \"Computer\",\r\n \"operator\": \"Include\",\r\n \"values\": [\r\n \"*\"\r\n ]\r\n },\r\n {\r\n \"name\": \"Disk\",\r\n \"operator\": \"Include\",\r\n \"values\": [\r\n \"*\"\r\n ]\r\n }\r\n ],\r\n \"failingPeriods\": {\r\n \"numberOfEvaluationPeriods\": \"[[parameters('evaluationPeriods')]\",\r\n \"minFailingPeriodsToAlert\": \"[[parameters('failingPeriods')]\"\r\n }\r\n }\r\n ]\r\n },\r\n \"autoMitigate\": \"[[parameters('autoMitigate')]\",\r\n \"checkWorkspaceAlertsStorageConfigured\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\",\r\n \"ruleResolveConfiguration\": {\r\n \"autoResolved\": \"[[parameters('autoResolve')]\",\r\n \"timeToResolve\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"value\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"operator\": {\r\n \"value\": \"[[parameters('operator')]\"\r\n },\r\n \"timeAggregation\": {\r\n \"value\": \"[[parameters('timeAggregation')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n}\r\n", "$fxv#9": "{\r\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\r\n \"apiVersion\": \"2021-06-01\",\r\n \"name\": \"Deploy_VM_CPU_Alert\",\r\n \"properties\": {\r\n \"policyType\": \"Custom\",\r\n \"mode\": \"All\",\r\n \"displayName\": \"Deploy Azure VM CPU Alert\",\r\n \"description\": \"Policy to audit/deploy Azure VM CPU Alert\",\r\n \"metadata\": {\r\n \"version\": \"1.6.0\",\r\n \"category\": \"Compute\",\r\n \"source\": \"https://github.com/Azure/azure-monitor-baseline-alerts/\",\r\n \"alzCloudEnvironments\": [\r\n \"AzureCloud\"\r\n ],\r\n \"_deployed_by_amba\": \"True\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Name\",\r\n \"description\": \"Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"rg-amba-monitoring-001\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"Object\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Tags\",\r\n \"description\": \"Tags on the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": {\r\n \"Project\": \"amba-monitoring\"\r\n }\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Location\",\r\n \"description\": \"Location of the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"centralus\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\",\r\n \"defaultValue\": \"\",\r\n \"metadata\": {\r\n \"description\": \"The resource Id of the user assigned managed identity.\",\r\n \"displayName\": \"User Assigned managed Identity resource Id.\"\r\n }\r\n },\r\n \"severity\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Severity\",\r\n \"description\": \"Severity of the Alert\"\r\n },\r\n \"allowedValues\": [\r\n \"0\",\r\n \"1\",\r\n \"2\",\r\n \"3\",\r\n \"4\"\r\n ],\r\n \"defaultValue\": \"2\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Operator\"\r\n },\r\n \"allowedValues\": [\r\n \"GreaterThan\"\r\n ],\r\n \"defaultValue\": \"GreaterThan\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"TimeAggregation\"\r\n },\r\n \"allowedValues\": [\r\n \"Count\"\r\n ],\r\n \"defaultValue\": \"Count\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Window Size\",\r\n \"description\": \"Window size for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\",\r\n \"PT6H\",\r\n \"PT12H\",\r\n \"PT24H\"\r\n ],\r\n \"defaultValue\": \"PT15M\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Frequency\",\r\n \"description\": \"Evaluation frequency for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\"\r\n ],\r\n \"defaultValue\": \"PT5M\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Mitigate\",\r\n \"description\": \"Auto Mitigate for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Require a workspace linked storage\",\r\n \"description\": \"Don't create the alert rule if the Log Analytics workspace doesn't have a configured linked storage account (relevant if you're using Customer Managed Keys).\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"false\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve time for the alert in ISO 8601 format\"\r\n },\r\n \"defaultValue\": \"true\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Alert State\",\r\n \"description\": \"Alert state for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Threshold\",\r\n \"description\": \"Threshold for the alert\"\r\n },\r\n \"defaultValue\": \"85\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Failing Periods\",\r\n \"description\": \"Number of failing periods before alert is fired\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Periods\",\r\n \"description\": \"The number of aggregated lookback points.\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"effect\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Effect\",\r\n \"description\": \"Effect of the policy\"\r\n },\r\n \"allowedValues\": [\r\n \"deployIfNotExists\",\r\n \"disabled\"\r\n ],\r\n \"defaultValue\": \"deployIfNotExists\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag name\",\r\n \"description\": \"Tag name to disable monitoring. Set to true if monitoring should be disabled\"\r\n },\r\n \"defaultValue\": \"MonitorDisable\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag values(s)\",\r\n \"description\": \"Tag value(s) used to disable monitoring at the resource level. Set to true if monitoring should be disabled.\"\r\n },\r\n \"defaultValue\": [\r\n \"true\",\r\n \"Test\",\r\n \"Dev\",\r\n \"Sandbox\"\r\n ]\r\n }\r\n },\r\n \"policyRule\": {\r\n \"if\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"type\",\r\n \"equals\": \"Microsoft.Compute/virtualMachines\"\r\n },\r\n {\r\n \"field\": \"[[concat('tags[', parameters('MonitorDisableTagName'), ']')]\",\r\n \"notIn\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n ]\r\n },\r\n \"then\": {\r\n \"effect\": \"[[parameters('effect')]\",\r\n \"details\": {\r\n \"roleDefinitionIds\": [\r\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\r\n ],\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"existenceScope\": \"resourceGroup\",\r\n \"resourceGroupName\": \"[[parameters('alertResourceGroupName')]\",\r\n \"deploymentScope\": \"subscription\",\r\n \"existenceCondition\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/displayName\",\r\n \"equals\": \"[[concat(subscription().displayName, '-VMHighCPUAlert')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/scopes[*]\",\r\n \"equals\": \"[[subscription().id]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/enabled\",\r\n \"equals\": \"[[parameters('enabled')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/evaluationFrequency\",\r\n \"equals\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/windowSize\",\r\n \"equals\": \"[[parameters('windowSize')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/severity\",\r\n \"equals\": \"[[parameters('severity')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/autoMitigate\",\r\n \"equals\": \"[[parameters('autoMitigate')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/checkWorkspaceAlertsStorageConfigured\",\r\n \"equals\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].operator\",\r\n \"equals\": \"[[parameters('operator')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].timeAggregation\",\r\n \"equals\": \"[[parameters('timeAggregation')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.numberOfEvaluationPeriods\",\r\n \"equals\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.minFailingPeriodsToAlert\",\r\n \"equals\": \"[[parameters('failingPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].query\",\r\n \"equals\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.Compute/virtualMachines\\\" | where isempty(properties.virtualMachineScaleSet) | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.Compute/virtualMachines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"Processor\\\" and Name == \\\"UtilizationPercentage\\\" | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue > appliedThreshold | project TimeGenerated, Computer, _ResourceId, AggregatedValue, appliedThreshold', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-UtilizationPercentage-threshold-Override_')]\"\r\n },\r\n {\r\n \"field\": \"identity.userAssignedIdentities\",\r\n \"containsKey\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n ]\r\n },\r\n \"deployment\": {\r\n \"location\": \"northeurope\",\r\n \"properties\": {\r\n \"mode\": \"incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"object\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n },\r\n \"severity\": {\r\n \"type\": \"String\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Resources/resourceGroups\",\r\n \"apiVersion\": \"2021-04-01\",\r\n \"name\": \"[[parameters('alertResourceGroupName')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"tags\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n {\r\n \"type\": \"Microsoft.Resources/deployments\",\r\n \"apiVersion\": \"2019-10-01\",\r\n \"name\": \"VMCPUAlert\",\r\n \"resourceGroup\": \"[[parameters('alertResourceGroupName')]\",\r\n \"dependsOn\": [\r\n \"[[concat('Microsoft.Resources/resourceGroups/', parameters('alertResourceGroupName'))]\"\r\n ],\r\n \"properties\": {\r\n \"mode\": \"Incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"apiVersion\": \"2022-08-01-preview\",\r\n \"name\": \"[[concat(subscription().displayName, '-VMHighCPUAlert')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"identity\": {\r\n \"type\": \"UserAssigned\",\r\n \"userAssignedIdentities\": {\r\n \"[[parameters('UAMIResourceId')]\": {}\r\n }\r\n },\r\n \"tags\": {\r\n \"_deployed_by_amba\": true\r\n },\r\n \"properties\": {\r\n \"displayName\": \"[[concat(subscription().displayName, '-VMHighCPUAlert')]\",\r\n \"description\": \"Log Alert for Virtual Machine CPU\",\r\n \"severity\": \"[[parameters('severity')]\",\r\n \"enabled\": \"[[parameters('enabled')]\",\r\n \"scopes\": [\r\n \"[[subscription().Id]\"\r\n ],\r\n \"targetResourceTypes\": [\r\n \"Microsoft.Compute/virtualMachines\"\r\n ],\r\n \"evaluationFrequency\": \"[[parameters('evaluationFrequency')]\",\r\n \"windowSize\": \"[[parameters('windowSize')]\",\r\n \"criteria\": {\r\n \"allOf\": [\r\n {\r\n \"query\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.Compute/virtualMachines\\\" | where isempty(properties.virtualMachineScaleSet) | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.Compute/virtualMachines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"Processor\\\" and Name == \\\"UtilizationPercentage\\\" | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue > appliedThreshold | project TimeGenerated, Computer, _ResourceId, AggregatedValue, appliedThreshold', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-UtilizationPercentage-threshold-Override_')]\",\r\n \"threshold\": 0,\r\n \"operator\": \"[[parameters('operator')]\",\r\n \"resourceIdColumn\": \"_ResourceId\",\r\n \"timeAggregation\": \"[[parameters('timeAggregation')]\",\r\n \"dimensions\": [\r\n {\r\n \"name\": \"Computer\",\r\n \"operator\": \"Include\",\r\n \"values\": [\r\n \"*\"\r\n ]\r\n }\r\n ],\r\n \"failingPeriods\": {\r\n \"numberOfEvaluationPeriods\": \"[[parameters('evaluationPeriods')]\",\r\n \"minFailingPeriodsToAlert\": \"[[parameters('failingPeriods')]\"\r\n }\r\n }\r\n ]\r\n },\r\n \"autoMitigate\": \"[[parameters('autoMitigate')]\",\r\n \"checkWorkspaceAlertsStorageConfigured\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\",\r\n \"ruleResolveConfiguration\": {\r\n \"autoResolved\": \"[[parameters('autoResolve')]\",\r\n \"timeToResolve\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"value\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"operator\": {\r\n \"value\": \"[[parameters('operator')]\"\r\n },\r\n \"timeAggregation\": {\r\n \"value\": \"[[parameters('timeAggregation')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n}\r\n", "cloudEnv": "[environment().name]", "defaultDeploymentLocationByCloudType": { diff --git a/patterns/alz/policyDefinitions/policies-Hybrid.json b/patterns/alz/policyDefinitions/policies-Hybrid.json index 1f06b5661..acba80771 100644 --- a/patterns/alz/policyDefinitions/policies-Hybrid.json +++ b/patterns/alz/policyDefinitions/policies-Hybrid.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.33.13.18514", - "templateHash": "18095540096972315968" + "templateHash": "11639493171656436066" } }, "parameters": { @@ -115,8 +115,8 @@ "input": "[json(variables('processPolicySetDefinitionsAzureUSGovernment')[copyIndex('policySetDefinitionsAzureUSGovernment')])]" } ], - "$fxv#0": "{\r\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\r\n \"apiVersion\": \"2021-06-01\",\r\n \"name\": \"Deploy_Hybrid_VM_dataDiskReadLatency_Alert\",\r\n \"properties\": {\r\n \"policyType\": \"Custom\",\r\n \"mode\": \"All\",\r\n \"displayName\": \"Deploy Hybrid VM Data Disk Read Latency Alert\",\r\n \"description\": \"Policy to audit/deploy Hybrid VM Disk Read Latency Alert\",\r\n \"metadata\": {\r\n \"version\": \"1.6.0\",\r\n \"category\": \"Hybrid Compute\",\r\n \"source\": \"https://github.com/Azure/azure-monitor-baseline-alerts/\",\r\n \"alzCloudEnvironments\": [\r\n \"AzureCloud\"\r\n ],\r\n \"_deployed_by_amba\": \"True\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Name\",\r\n \"description\": \"Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"rg-amba-monitoring-001\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"Object\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Tags\",\r\n \"description\": \"Tags on the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": {\r\n \"Project\": \"amba-monitoring\"\r\n }\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Location\",\r\n \"description\": \"Location of the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"centralus\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\",\r\n \"defaultValue\": \"\",\r\n \"metadata\": {\r\n \"description\": \"The resource Id of the user assigned managed identity.\",\r\n \"displayName\": \"User Assigned managed Identity resource Id.\"\r\n }\r\n },\r\n \"severity\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Severity\",\r\n \"description\": \"Severity of the Alert\"\r\n },\r\n \"allowedValues\": [\r\n \"0\",\r\n \"1\",\r\n \"2\",\r\n \"3\",\r\n \"4\"\r\n ],\r\n \"defaultValue\": \"2\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Operator\"\r\n },\r\n \"allowedValues\": [\r\n \"GreaterThan\"\r\n ],\r\n \"defaultValue\": \"GreaterThan\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"TimeAggregation\"\r\n },\r\n \"allowedValues\": [\r\n \"Count\"\r\n ],\r\n \"defaultValue\": \"Count\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Window Size\",\r\n \"description\": \"Window size for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\",\r\n \"PT6H\",\r\n \"PT12H\",\r\n \"PT24H\"\r\n ],\r\n \"defaultValue\": \"PT15M\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Frequency\",\r\n \"description\": \"Evaluation frequency for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\"\r\n ],\r\n \"defaultValue\": \"PT5M\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Mitigate\",\r\n \"description\": \"Auto Mitigate for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Require a workspace linked storage\",\r\n \"description\": \"Don't create the alert rule if the Log Analytics workspace doesn't have a configured linked storage account (relevant if you're using Customer Managed Keys).\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"false\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve time for the alert in ISO 8601 format\"\r\n },\r\n \"defaultValue\": \"true\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Alert State\",\r\n \"description\": \"Alert state for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Threshold\",\r\n \"description\": \"Threshold for the alert\"\r\n },\r\n \"defaultValue\": \"30\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Failing Periods\",\r\n \"description\": \"Number of failing periods before alert is fired\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Periods\",\r\n \"description\": \"The number of aggregated lookback points.\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"computersToInclude\": {\r\n \"type\": \"array\",\r\n \"metadata\": {\r\n \"displayName\": \"Computers to be included to be monitored\",\r\n \"description\": \"Array of Computer to be monitored\"\r\n },\r\n \"defaultValue\": [\r\n \"*\"\r\n ]\r\n },\r\n \"effect\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Effect\",\r\n \"description\": \"Effect of the policy\"\r\n },\r\n \"allowedValues\": [\r\n \"deployIfNotExists\",\r\n \"disabled\"\r\n ],\r\n \"defaultValue\": \"deployIfNotExists\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag name\",\r\n \"description\": \"Tag name to disable monitoring. Set to true if monitoring should be disabled\"\r\n },\r\n \"defaultValue\": \"MonitorDisable\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag values(s)\",\r\n \"description\": \"Tag value(s) used to disable monitoring at the resource level. Set to true if monitoring should be disabled.\"\r\n },\r\n \"defaultValue\": [\r\n \"true\",\r\n \"Test\",\r\n \"Dev\",\r\n \"Sandbox\"\r\n ]\r\n }\r\n },\r\n \"policyRule\": {\r\n \"if\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"type\",\r\n \"equals\": \"Microsoft.HybridCompute/machines\"\r\n },\r\n {\r\n \"field\": \"[[concat('tags[', parameters('MonitorDisableTagName'), ']')]\",\r\n \"notIn\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n ]\r\n },\r\n \"then\": {\r\n \"effect\": \"[[parameters('effect')]\",\r\n \"details\": {\r\n \"roleDefinitionIds\": [\r\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\r\n ],\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"existenceScope\": \"resourceGroup\",\r\n \"resourceGroupName\": \"[[parameters('alertResourceGroupName')]\",\r\n \"deploymentScope\": \"subscription\",\r\n \"existenceCondition\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/displayName\",\r\n \"equals\": \"[[concat(subscription().displayName, '-HybridVMHighDataDiskReadLatencyAlert')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/scopes[*]\",\r\n \"equals\": \"[[subscription().id]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/enabled\",\r\n \"equals\": \"[[parameters('enabled')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/evaluationFrequency\",\r\n \"equals\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/windowSize\",\r\n \"equals\": \"[[parameters('windowSize')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/severity\",\r\n \"equals\": \"[[parameters('severity')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/autoMitigate\",\r\n \"equals\": \"[[parameters('autoMitigate')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/checkWorkspaceAlertsStorageConfigured\",\r\n \"equals\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].operator\",\r\n \"equals\": \"[[parameters('operator')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].timeAggregation\",\r\n \"equals\": \"[[parameters('timeAggregation')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.numberOfEvaluationPeriods\",\r\n \"equals\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.minFailingPeriodsToAlert\",\r\n \"equals\": \"[[parameters('failingPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].query\",\r\n \"equals\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.HybridCompute/machines\\\" | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.HybridCompute/machines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"LogicalDisk\\\" and Name == \\\"ReadLatencyMs\\\" | extend Disk=tostring(todynamic(Tags)[\\\"vm.azm.ms/mountId\\\"]) | where Disk !in (\\\"C:\\\", \\\"/\\\") | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, Disk | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend excludedLogicalVolumes = iif(isnotempty(resourceTags.[\\\"{4}\\\"]),resourceTags.[\\\"{4}\\\"], \\\"No logical volumes excluded\\\") | where excludedLogicalVolumes !has Disk | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue > appliedThreshold | project TimeGenerated, Computer, _ResourceId, Disk, AggregatedValue, appliedThreshold, excludedLogicalVolumes', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-ReadLatencyMs-Data-threshold-Override_', '_amba-ExcludedLogicalVolumes-ReadLatency_')]\"\r\n },\r\n {\r\n \"field\": \"identity.userAssignedIdentities\",\r\n \"containsKey\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n ]\r\n },\r\n \"deployment\": {\r\n \"location\": \"northeurope\",\r\n \"properties\": {\r\n \"mode\": \"incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"object\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n },\r\n \"severity\": {\r\n \"type\": \"String\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"computersToInclude\": {\r\n \"type\": \"array\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Resources/resourceGroups\",\r\n \"apiVersion\": \"2021-04-01\",\r\n \"name\": \"[[parameters('alertResourceGroupName')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"tags\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n {\r\n \"type\": \"Microsoft.Resources/deployments\",\r\n \"apiVersion\": \"2019-10-01\",\r\n \"name\": \"HybridVMdataDiskReadLatencyAlert\",\r\n \"resourceGroup\": \"[[parameters('alertResourceGroupName')]\",\r\n \"dependsOn\": [\r\n \"[[concat('Microsoft.Resources/resourceGroups/', parameters('alertResourceGroupName'))]\"\r\n ],\r\n \"properties\": {\r\n \"mode\": \"Incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"apiVersion\": \"2022-08-01-preview\",\r\n \"name\": \"[[concat(subscription().displayName, '-HybridVMHighDataDiskReadLatencyAlert')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"identity\": {\r\n \"type\": \"UserAssigned\",\r\n \"userAssignedIdentities\": {\r\n \"[[parameters('UAMIResourceId')]\": {}\r\n }\r\n },\r\n \"tags\": {\r\n \"_deployed_by_amba\": true\r\n },\r\n \"properties\": {\r\n \"displayName\": \"[[concat(subscription().displayName, '-HybridVMHighDataDiskReadLatencyAlert')]\",\r\n \"description\": \"Log Alert for Virtual Machine dataDiskReadLatency\",\r\n \"severity\": \"[[parameters('severity')]\",\r\n \"enabled\": \"[[parameters('enabled')]\",\r\n \"scopes\": [\r\n \"[[subscription().Id]\"\r\n ],\r\n \"targetResourceTypes\": [\r\n \"Microsoft.HybridCompute/machines\"\r\n ],\r\n \"evaluationFrequency\": \"[[parameters('evaluationFrequency')]\",\r\n \"windowSize\": \"[[parameters('windowSize')]\",\r\n \"criteria\": {\r\n \"allOf\": [\r\n {\r\n \"query\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.HybridCompute/machines\\\" | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.HybridCompute/machines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"LogicalDisk\\\" and Name == \\\"ReadLatencyMs\\\" | extend Disk=tostring(todynamic(Tags)[\\\"vm.azm.ms/mountId\\\"]) | where Disk !in (\\\"C:\\\", \\\"/\\\") | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, Disk | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend excludedLogicalVolumes = iif(isnotempty(resourceTags.[\\\"{4}\\\"]),resourceTags.[\\\"{4}\\\"], \\\"No logical volumes excluded\\\") | where excludedLogicalVolumes !has Disk | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue > appliedThreshold | project TimeGenerated, Computer, _ResourceId, Disk, AggregatedValue, appliedThreshold, excludedLogicalVolumes', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-ReadLatencyMs-Data-threshold-Override_', '_amba-ExcludedLogicalVolumes-ReadLatency_')]\",\r\n \"threshold\": 0,\r\n \"operator\": \"[[parameters('operator')]\",\r\n \"resourceIdColumn\": \"_ResourceId\",\r\n \"timeAggregation\": \"[[parameters('timeAggregation')]\",\r\n \"dimensions\": [\r\n {\r\n \"name\": \"Computer\",\r\n \"operator\": \"Include\",\r\n \"values\": \"[[parameters('computersToInclude')]\"\r\n },\r\n {\r\n \"name\": \"Disk\",\r\n \"operator\": \"Include\",\r\n \"values\": [\r\n \"*\"\r\n ]\r\n }\r\n ],\r\n \"failingPeriods\": {\r\n \"numberOfEvaluationPeriods\": \"[[parameters('evaluationPeriods')]\",\r\n \"minFailingPeriodsToAlert\": \"[[parameters('failingPeriods')]\"\r\n }\r\n }\r\n ]\r\n },\r\n \"autoMitigate\": \"[[parameters('autoMitigate')]\",\r\n \"checkWorkspaceAlertsStorageConfigured\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\",\r\n \"ruleResolveConfiguration\": {\r\n \"autoResolved\": \"[[parameters('autoResolve')]\",\r\n \"timeToResolve\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"computersToInclude\": {\r\n \"value\": \"[[parameters('computersToInclude')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"value\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"operator\": {\r\n \"value\": \"[[parameters('operator')]\"\r\n },\r\n \"timeAggregation\": {\r\n \"value\": \"[[parameters('timeAggregation')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"computersToInclude\": {\r\n \"value\": \"[[parameters('computersToInclude')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n}\r\n", - "$fxv#1": "{\r\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\r\n \"apiVersion\": \"2021-06-01\",\r\n \"name\": \"Deploy_Hybrid_VM_dataDiskSpace_Alert\",\r\n \"properties\": {\r\n \"policyType\": \"Custom\",\r\n \"mode\": \"All\",\r\n \"displayName\": \"Deploy Hybrid VM Data Disk Space Alert\",\r\n \"description\": \"Policy to audit/deploy Hybrid VM Data Disk Space Alert\",\r\n \"metadata\": {\r\n \"version\": \"1.6.0\",\r\n \"category\": \"Hybrid Compute\",\r\n \"source\": \"https://github.com/Azure/azure-monitor-baseline-alerts/\",\r\n \"alzCloudEnvironments\": [\r\n \"AzureCloud\"\r\n ],\r\n \"_deployed_by_amba\": \"True\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Name\",\r\n \"description\": \"Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"rg-amba-monitoring-001\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"Object\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Tags\",\r\n \"description\": \"Tags on the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": {\r\n \"Project\": \"amba-monitoring\"\r\n }\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Location\",\r\n \"description\": \"Location of the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"centralus\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\",\r\n \"defaultValue\": \"\",\r\n \"metadata\": {\r\n \"description\": \"The resource Id of the user assigned managed identity.\",\r\n \"displayName\": \"User Assigned managed Identity resource Id.\"\r\n }\r\n },\r\n \"severity\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Severity\",\r\n \"description\": \"Severity of the Alert\"\r\n },\r\n \"allowedValues\": [\r\n \"0\",\r\n \"1\",\r\n \"2\",\r\n \"3\",\r\n \"4\"\r\n ],\r\n \"defaultValue\": \"2\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Operator\"\r\n },\r\n \"allowedValues\": [\r\n \"GreaterThan\"\r\n ],\r\n \"defaultValue\": \"GreaterThan\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"TimeAggregation\"\r\n },\r\n \"allowedValues\": [\r\n \"Count\"\r\n ],\r\n \"defaultValue\": \"Count\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Window Size\",\r\n \"description\": \"Window size for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\",\r\n \"PT6H\",\r\n \"PT12H\",\r\n \"PT24H\"\r\n ],\r\n \"defaultValue\": \"PT15M\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Frequency\",\r\n \"description\": \"Evaluation frequency for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\"\r\n ],\r\n \"defaultValue\": \"PT5M\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Mitigate\",\r\n \"description\": \"Auto Mitigate for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Require a workspace linked storage\",\r\n \"description\": \"Don't create the alert rule if the Log Analytics workspace doesn't have a configured linked storage account (relevant if you're using Customer Managed Keys).\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"false\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve time for the alert in ISO 8601 format\"\r\n },\r\n \"defaultValue\": \"true\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Alert State\",\r\n \"description\": \"Alert state for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Threshold\",\r\n \"description\": \"Threshold for the alert\"\r\n },\r\n \"defaultValue\": \"10\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Failing Periods\",\r\n \"description\": \"Number of failing periods before alert is fired\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Periods\",\r\n \"description\": \"The number of aggregated lookback points.\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"computersToInclude\": {\r\n \"type\": \"array\",\r\n \"metadata\": {\r\n \"displayName\": \"Computers to be included to be monitored\",\r\n \"description\": \"Array of Computer to be monitored\"\r\n },\r\n \"defaultValue\": [\r\n \"*\"\r\n ]\r\n },\r\n \"effect\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Effect\",\r\n \"description\": \"Effect of the policy\"\r\n },\r\n \"allowedValues\": [\r\n \"deployIfNotExists\",\r\n \"disabled\"\r\n ],\r\n \"defaultValue\": \"deployIfNotExists\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag name\",\r\n \"description\": \"Tag name to disable monitoring. Set to true if monitoring should be disabled\"\r\n },\r\n \"defaultValue\": \"MonitorDisable\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag values(s)\",\r\n \"description\": \"Tag value(s) used to disable monitoring at the resource level. Set to true if monitoring should be disabled.\"\r\n },\r\n \"defaultValue\": [\r\n \"true\",\r\n \"Test\",\r\n \"Dev\",\r\n \"Sandbox\"\r\n ]\r\n }\r\n },\r\n \"policyRule\": {\r\n \"if\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"type\",\r\n \"equals\": \"Microsoft.HybridCompute/machines\"\r\n },\r\n {\r\n \"field\": \"[[concat('tags[', parameters('MonitorDisableTagName'), ']')]\",\r\n \"notIn\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n ]\r\n },\r\n \"then\": {\r\n \"effect\": \"[[parameters('effect')]\",\r\n \"details\": {\r\n \"roleDefinitionIds\": [\r\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\r\n ],\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"existenceScope\": \"resourceGroup\",\r\n \"resourceGroupName\": \"[[parameters('alertResourceGroupName')]\",\r\n \"deploymentScope\": \"subscription\",\r\n \"existenceCondition\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/displayName\",\r\n \"equals\": \"[[concat(subscription().displayName, '-HybridVMLowDataDiskSpaceAlert')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/scopes[*]\",\r\n \"equals\": \"[[subscription().id]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/enabled\",\r\n \"equals\": \"[[parameters('enabled')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/evaluationFrequency\",\r\n \"equals\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/windowSize\",\r\n \"equals\": \"[[parameters('windowSize')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/severity\",\r\n \"equals\": \"[[parameters('severity')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/autoMitigate\",\r\n \"equals\": \"[[parameters('autoMitigate')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/checkWorkspaceAlertsStorageConfigured\",\r\n \"equals\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].operator\",\r\n \"equals\": \"[[parameters('operator')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].timeAggregation\",\r\n \"equals\": \"[[parameters('timeAggregation')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.numberOfEvaluationPeriods\",\r\n \"equals\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.minFailingPeriodsToAlert\",\r\n \"equals\": \"[[parameters('failingPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].query\",\r\n \"equals\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.HybridCompute/machines\\\" | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.HybridCompute/machines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"LogicalDisk\\\" and Name == \\\"FreeSpacePercentage\\\" | extend Disk=tostring(todynamic(Tags)[\\\"vm.azm.ms/mountId\\\"]) | where Disk !in (\\\"C:\\\", \\\"/\\\") | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, Disk | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend excludedLogicalVolumes = iif(isnotempty(resourceTags.[\\\"{4}\\\"]),resourceTags.[\\\"{4}\\\"], \\\"No logical volumes excluded\\\") | where excludedLogicalVolumes !has Disk | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue < appliedThreshold | project TimeGenerated, Computer, _ResourceId, Disk, AggregatedValue, appliedThreshold, excludedLogicalVolumes', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-FreeSpacePercentage-Data-threshold-Override_', '_amba-ExcludedLogicalVolumes-DiskSpace_')]\"\r\n },\r\n {\r\n \"field\": \"identity.userAssignedIdentities\",\r\n \"containsKey\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n ]\r\n },\r\n \"deployment\": {\r\n \"location\": \"northeurope\",\r\n \"properties\": {\r\n \"mode\": \"incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"object\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n },\r\n \"severity\": {\r\n \"type\": \"String\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"computersToInclude\": {\r\n \"type\": \"array\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Resources/resourceGroups\",\r\n \"apiVersion\": \"2021-04-01\",\r\n \"name\": \"[[parameters('alertResourceGroupName')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"tags\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n {\r\n \"type\": \"Microsoft.Resources/deployments\",\r\n \"apiVersion\": \"2019-10-01\",\r\n \"name\": \"HybridVMdataDiskSpaceAlert\",\r\n \"resourceGroup\": \"[[parameters('alertResourceGroupName')]\",\r\n \"dependsOn\": [\r\n \"[[concat('Microsoft.Resources/resourceGroups/', parameters('alertResourceGroupName'))]\"\r\n ],\r\n \"properties\": {\r\n \"mode\": \"Incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"apiVersion\": \"2022-08-01-preview\",\r\n \"name\": \"[[concat(subscription().displayName, '-HybridVMLowDataDiskSpaceAlert')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"identity\": {\r\n \"type\": \"UserAssigned\",\r\n \"userAssignedIdentities\": {\r\n \"[[parameters('UAMIResourceId')]\": {}\r\n }\r\n },\r\n \"tags\": {\r\n \"_deployed_by_amba\": true\r\n },\r\n \"properties\": {\r\n \"displayName\": \"[[concat(subscription().displayName, '-HybridVMLowDataDiskSpaceAlert')]\",\r\n \"description\": \"Log Alert for Virtual Machine dataDiskSpace\",\r\n \"severity\": \"[[parameters('severity')]\",\r\n \"enabled\": \"[[parameters('enabled')]\",\r\n \"scopes\": [\r\n \"[[subscription().Id]\"\r\n ],\r\n \"targetResourceTypes\": [\r\n \"Microsoft.HybridCompute/machines\"\r\n ],\r\n \"evaluationFrequency\": \"[[parameters('evaluationFrequency')]\",\r\n \"windowSize\": \"[[parameters('windowSize')]\",\r\n \"criteria\": {\r\n \"allOf\": [\r\n {\r\n \"query\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.HybridCompute/machines\\\" | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.HybridCompute/machines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"LogicalDisk\\\" and Name == \\\"FreeSpacePercentage\\\" | extend Disk=tostring(todynamic(Tags)[\\\"vm.azm.ms/mountId\\\"]) | where Disk !in (\\\"C:\\\", \\\"/\\\") | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, Disk | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend excludedLogicalVolumes = iif(isnotempty(resourceTags.[\\\"{4}\\\"]),resourceTags.[\\\"{4}\\\"], \\\"No logical volumes excluded\\\") | where excludedLogicalVolumes !has Disk | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue < appliedThreshold | project TimeGenerated, Computer, _ResourceId, Disk, AggregatedValue, appliedThreshold, excludedLogicalVolumes', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-FreeSpacePercentage-Data-threshold-Override_', '_amba-ExcludedLogicalVolumes-DiskSpace_')]\",\r\n \"threshold\": 0,\r\n \"operator\": \"[[parameters('operator')]\",\r\n \"resourceIdColumn\": \"_ResourceId\",\r\n \"timeAggregation\": \"[[parameters('timeAggregation')]\",\r\n \"dimensions\": [\r\n {\r\n \"name\": \"Computer\",\r\n \"operator\": \"Include\",\r\n \"values\": \"[[parameters('computersToInclude')]\"\r\n },\r\n {\r\n \"name\": \"Disk\",\r\n \"operator\": \"Include\",\r\n \"values\": [\r\n \"*\"\r\n ]\r\n }\r\n ],\r\n \"failingPeriods\": {\r\n \"numberOfEvaluationPeriods\": \"[[parameters('evaluationPeriods')]\",\r\n \"minFailingPeriodsToAlert\": \"[[parameters('failingPeriods')]\"\r\n }\r\n }\r\n ]\r\n },\r\n \"autoMitigate\": \"[[parameters('autoMitigate')]\",\r\n \"checkWorkspaceAlertsStorageConfigured\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\",\r\n \"ruleResolveConfiguration\": {\r\n \"autoResolved\": \"[[parameters('autoResolve')]\",\r\n \"timeToResolve\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"computersToInclude\": {\r\n \"value\": \"[[parameters('computersToInclude')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"value\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"operator\": {\r\n \"value\": \"[[parameters('operator')]\"\r\n },\r\n \"timeAggregation\": {\r\n \"value\": \"[[parameters('timeAggregation')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"computersToInclude\": {\r\n \"value\": \"[[parameters('computersToInclude')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n}\r\n", + "$fxv#0": "{\r\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\r\n \"apiVersion\": \"2021-06-01\",\r\n \"name\": \"Deploy_Hybrid_VM_dataDiskReadLatency_Alert\",\r\n \"properties\": {\r\n \"policyType\": \"Custom\",\r\n \"mode\": \"All\",\r\n \"displayName\": \"Deploy Hybrid VM Data Disk Read Latency Alert\",\r\n \"description\": \"Policy to audit/deploy Hybrid VM Disk Read Latency Alert\",\r\n \"metadata\": {\r\n \"version\": \"1.6.0\",\r\n \"category\": \"Hybrid Compute\",\r\n \"source\": \"https://github.com/Azure/azure-monitor-baseline-alerts/\",\r\n \"alzCloudEnvironments\": [\r\n \"AzureCloud\"\r\n ],\r\n \"_deployed_by_amba\": \"True\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Name\",\r\n \"description\": \"Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"rg-amba-monitoring-001\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"Object\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Tags\",\r\n \"description\": \"Tags on the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": {\r\n \"Project\": \"amba-monitoring\"\r\n }\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Location\",\r\n \"description\": \"Location of the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"centralus\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\",\r\n \"defaultValue\": \"\",\r\n \"metadata\": {\r\n \"description\": \"The resource Id of the user assigned managed identity.\",\r\n \"displayName\": \"User Assigned managed Identity resource Id.\"\r\n }\r\n },\r\n \"severity\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Severity\",\r\n \"description\": \"Severity of the Alert\"\r\n },\r\n \"allowedValues\": [\r\n \"0\",\r\n \"1\",\r\n \"2\",\r\n \"3\",\r\n \"4\"\r\n ],\r\n \"defaultValue\": \"2\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Operator\"\r\n },\r\n \"allowedValues\": [\r\n \"GreaterThan\"\r\n ],\r\n \"defaultValue\": \"GreaterThan\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"TimeAggregation\"\r\n },\r\n \"allowedValues\": [\r\n \"Count\"\r\n ],\r\n \"defaultValue\": \"Count\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Window Size\",\r\n \"description\": \"Window size for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\",\r\n \"PT6H\",\r\n \"PT12H\",\r\n \"PT24H\"\r\n ],\r\n \"defaultValue\": \"PT15M\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Frequency\",\r\n \"description\": \"Evaluation frequency for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\"\r\n ],\r\n \"defaultValue\": \"PT5M\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Mitigate\",\r\n \"description\": \"Auto Mitigate for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Require a workspace linked storage\",\r\n \"description\": \"Don't create the alert rule if the Log Analytics workspace doesn't have a configured linked storage account (relevant if you're using Customer Managed Keys).\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"false\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve time for the alert in ISO 8601 format\"\r\n },\r\n \"defaultValue\": \"true\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Alert State\",\r\n \"description\": \"Alert state for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Threshold\",\r\n \"description\": \"Threshold for the alert\"\r\n },\r\n \"defaultValue\": \"30\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Failing Periods\",\r\n \"description\": \"Number of failing periods before alert is fired\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Periods\",\r\n \"description\": \"The number of aggregated lookback points.\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"effect\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Effect\",\r\n \"description\": \"Effect of the policy\"\r\n },\r\n \"allowedValues\": [\r\n \"deployIfNotExists\",\r\n \"disabled\"\r\n ],\r\n \"defaultValue\": \"deployIfNotExists\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag name\",\r\n \"description\": \"Tag name to disable monitoring. Set to true if monitoring should be disabled\"\r\n },\r\n \"defaultValue\": \"MonitorDisable\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag values(s)\",\r\n \"description\": \"Tag value(s) used to disable monitoring at the resource level. Set to true if monitoring should be disabled.\"\r\n },\r\n \"defaultValue\": [\r\n \"true\",\r\n \"Test\",\r\n \"Dev\",\r\n \"Sandbox\"\r\n ]\r\n }\r\n },\r\n \"policyRule\": {\r\n \"if\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"type\",\r\n \"equals\": \"Microsoft.HybridCompute/machines\"\r\n },\r\n {\r\n \"field\": \"[[concat('tags[', parameters('MonitorDisableTagName'), ']')]\",\r\n \"notIn\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n ]\r\n },\r\n \"then\": {\r\n \"effect\": \"[[parameters('effect')]\",\r\n \"details\": {\r\n \"roleDefinitionIds\": [\r\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\r\n ],\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"existenceScope\": \"resourceGroup\",\r\n \"resourceGroupName\": \"[[parameters('alertResourceGroupName')]\",\r\n \"deploymentScope\": \"subscription\",\r\n \"existenceCondition\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/displayName\",\r\n \"equals\": \"[[concat(subscription().displayName, '-HybridVMHighDataDiskReadLatencyAlert')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/scopes[*]\",\r\n \"equals\": \"[[subscription().id]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/enabled\",\r\n \"equals\": \"[[parameters('enabled')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/evaluationFrequency\",\r\n \"equals\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/windowSize\",\r\n \"equals\": \"[[parameters('windowSize')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/severity\",\r\n \"equals\": \"[[parameters('severity')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/autoMitigate\",\r\n \"equals\": \"[[parameters('autoMitigate')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/checkWorkspaceAlertsStorageConfigured\",\r\n \"equals\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].operator\",\r\n \"equals\": \"[[parameters('operator')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].timeAggregation\",\r\n \"equals\": \"[[parameters('timeAggregation')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.numberOfEvaluationPeriods\",\r\n \"equals\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.minFailingPeriodsToAlert\",\r\n \"equals\": \"[[parameters('failingPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].query\",\r\n \"equals\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.HybridCompute/machines\\\" | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.HybridCompute/machines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"LogicalDisk\\\" and Name == \\\"ReadLatencyMs\\\" | extend Disk=tostring(todynamic(Tags)[\\\"vm.azm.ms/mountId\\\"]) | where Disk !in (\\\"C:\\\", \\\"/\\\") | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, Disk | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend excludedLogicalVolumes = iif(isnotempty(resourceTags.[\\\"{4}\\\"]),resourceTags.[\\\"{4}\\\"], \\\"No logical volumes excluded\\\") | where excludedLogicalVolumes !has Disk | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue > appliedThreshold | project TimeGenerated, Computer, _ResourceId, Disk, AggregatedValue, appliedThreshold, excludedLogicalVolumes', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-ReadLatencyMs-Data-threshold-Override_', '_amba-ExcludedLogicalVolumes-ReadLatency_')]\"\r\n },\r\n {\r\n \"field\": \"identity.userAssignedIdentities\",\r\n \"containsKey\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n ]\r\n },\r\n \"deployment\": {\r\n \"location\": \"northeurope\",\r\n \"properties\": {\r\n \"mode\": \"incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"object\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n },\r\n \"severity\": {\r\n \"type\": \"String\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Resources/resourceGroups\",\r\n \"apiVersion\": \"2021-04-01\",\r\n \"name\": \"[[parameters('alertResourceGroupName')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"tags\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n {\r\n \"type\": \"Microsoft.Resources/deployments\",\r\n \"apiVersion\": \"2019-10-01\",\r\n \"name\": \"HybridVMdataDiskReadLatencyAlert\",\r\n \"resourceGroup\": \"[[parameters('alertResourceGroupName')]\",\r\n \"dependsOn\": [\r\n \"[[concat('Microsoft.Resources/resourceGroups/', parameters('alertResourceGroupName'))]\"\r\n ],\r\n \"properties\": {\r\n \"mode\": \"Incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"apiVersion\": \"2022-08-01-preview\",\r\n \"name\": \"[[concat(subscription().displayName, '-HybridVMHighDataDiskReadLatencyAlert')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"identity\": {\r\n \"type\": \"UserAssigned\",\r\n \"userAssignedIdentities\": {\r\n \"[[parameters('UAMIResourceId')]\": {}\r\n }\r\n },\r\n \"tags\": {\r\n \"_deployed_by_amba\": true\r\n },\r\n \"properties\": {\r\n \"displayName\": \"[[concat(subscription().displayName, '-HybridVMHighDataDiskReadLatencyAlert')]\",\r\n \"description\": \"Log Alert for Virtual Machine dataDiskReadLatency\",\r\n \"severity\": \"[[parameters('severity')]\",\r\n \"enabled\": \"[[parameters('enabled')]\",\r\n \"scopes\": [\r\n \"[[subscription().Id]\"\r\n ],\r\n \"targetResourceTypes\": [\r\n \"Microsoft.HybridCompute/machines\"\r\n ],\r\n \"evaluationFrequency\": \"[[parameters('evaluationFrequency')]\",\r\n \"windowSize\": \"[[parameters('windowSize')]\",\r\n \"criteria\": {\r\n \"allOf\": [\r\n {\r\n \"query\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.HybridCompute/machines\\\" | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.HybridCompute/machines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"LogicalDisk\\\" and Name == \\\"ReadLatencyMs\\\" | extend Disk=tostring(todynamic(Tags)[\\\"vm.azm.ms/mountId\\\"]) | where Disk !in (\\\"C:\\\", \\\"/\\\") | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, Disk | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend excludedLogicalVolumes = iif(isnotempty(resourceTags.[\\\"{4}\\\"]),resourceTags.[\\\"{4}\\\"], \\\"No logical volumes excluded\\\") | where excludedLogicalVolumes !has Disk | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue > appliedThreshold | project TimeGenerated, Computer, _ResourceId, Disk, AggregatedValue, appliedThreshold, excludedLogicalVolumes', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-ReadLatencyMs-Data-threshold-Override_', '_amba-ExcludedLogicalVolumes-ReadLatency_')]\",\r\n \"threshold\": 0,\r\n \"operator\": \"[[parameters('operator')]\",\r\n \"resourceIdColumn\": \"_ResourceId\",\r\n \"timeAggregation\": \"[[parameters('timeAggregation')]\",\r\n \"dimensions\": [\r\n {\r\n \"name\": \"Computer\",\r\n \"operator\": \"Include\",\r\n \"values\": [\r\n \"*\"\r\n ]\r\n },\r\n {\r\n \"name\": \"Disk\",\r\n \"operator\": \"Include\",\r\n \"values\": [\r\n \"*\"\r\n ]\r\n }\r\n ],\r\n \"failingPeriods\": {\r\n \"numberOfEvaluationPeriods\": \"[[parameters('evaluationPeriods')]\",\r\n \"minFailingPeriodsToAlert\": \"[[parameters('failingPeriods')]\"\r\n }\r\n }\r\n ]\r\n },\r\n \"autoMitigate\": \"[[parameters('autoMitigate')]\",\r\n \"checkWorkspaceAlertsStorageConfigured\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\",\r\n \"ruleResolveConfiguration\": {\r\n \"autoResolved\": \"[[parameters('autoResolve')]\",\r\n \"timeToResolve\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"value\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"operator\": {\r\n \"value\": \"[[parameters('operator')]\"\r\n },\r\n \"timeAggregation\": {\r\n \"value\": \"[[parameters('timeAggregation')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n}\r\n", + "$fxv#1": "{\r\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\r\n \"apiVersion\": \"2021-06-01\",\r\n \"name\": \"Deploy_Hybrid_VM_dataDiskSpace_Alert\",\r\n \"properties\": {\r\n \"policyType\": \"Custom\",\r\n \"mode\": \"All\",\r\n \"displayName\": \"Deploy Hybrid VM Data Disk Space Alert\",\r\n \"description\": \"Policy to audit/deploy Hybrid VM Data Disk Space Alert\",\r\n \"metadata\": {\r\n \"version\": \"1.6.0\",\r\n \"category\": \"Hybrid Compute\",\r\n \"source\": \"https://github.com/Azure/azure-monitor-baseline-alerts/\",\r\n \"alzCloudEnvironments\": [\r\n \"AzureCloud\"\r\n ],\r\n \"_deployed_by_amba\": \"True\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Name\",\r\n \"description\": \"Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"rg-amba-monitoring-001\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"Object\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Tags\",\r\n \"description\": \"Tags on the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": {\r\n \"Project\": \"amba-monitoring\"\r\n }\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Location\",\r\n \"description\": \"Location of the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"centralus\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\",\r\n \"defaultValue\": \"\",\r\n \"metadata\": {\r\n \"description\": \"The resource Id of the user assigned managed identity.\",\r\n \"displayName\": \"User Assigned managed Identity resource Id.\"\r\n }\r\n },\r\n \"severity\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Severity\",\r\n \"description\": \"Severity of the Alert\"\r\n },\r\n \"allowedValues\": [\r\n \"0\",\r\n \"1\",\r\n \"2\",\r\n \"3\",\r\n \"4\"\r\n ],\r\n \"defaultValue\": \"2\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Operator\"\r\n },\r\n \"allowedValues\": [\r\n \"GreaterThan\"\r\n ],\r\n \"defaultValue\": \"GreaterThan\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"TimeAggregation\"\r\n },\r\n \"allowedValues\": [\r\n \"Count\"\r\n ],\r\n \"defaultValue\": \"Count\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Window Size\",\r\n \"description\": \"Window size for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\",\r\n \"PT6H\",\r\n \"PT12H\",\r\n \"PT24H\"\r\n ],\r\n \"defaultValue\": \"PT15M\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Frequency\",\r\n \"description\": \"Evaluation frequency for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\"\r\n ],\r\n \"defaultValue\": \"PT5M\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Mitigate\",\r\n \"description\": \"Auto Mitigate for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Require a workspace linked storage\",\r\n \"description\": \"Don't create the alert rule if the Log Analytics workspace doesn't have a configured linked storage account (relevant if you're using Customer Managed Keys).\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"false\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve time for the alert in ISO 8601 format\"\r\n },\r\n \"defaultValue\": \"true\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Alert State\",\r\n \"description\": \"Alert state for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Threshold\",\r\n \"description\": \"Threshold for the alert\"\r\n },\r\n \"defaultValue\": \"10\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Failing Periods\",\r\n \"description\": \"Number of failing periods before alert is fired\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Periods\",\r\n \"description\": \"The number of aggregated lookback points.\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"effect\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Effect\",\r\n \"description\": \"Effect of the policy\"\r\n },\r\n \"allowedValues\": [\r\n \"deployIfNotExists\",\r\n \"disabled\"\r\n ],\r\n \"defaultValue\": \"deployIfNotExists\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag name\",\r\n \"description\": \"Tag name to disable monitoring. Set to true if monitoring should be disabled\"\r\n },\r\n \"defaultValue\": \"MonitorDisable\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag values(s)\",\r\n \"description\": \"Tag value(s) used to disable monitoring at the resource level. Set to true if monitoring should be disabled.\"\r\n },\r\n \"defaultValue\": [\r\n \"true\",\r\n \"Test\",\r\n \"Dev\",\r\n \"Sandbox\"\r\n ]\r\n }\r\n },\r\n \"policyRule\": {\r\n \"if\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"type\",\r\n \"equals\": \"Microsoft.HybridCompute/machines\"\r\n },\r\n {\r\n \"field\": \"[[concat('tags[', parameters('MonitorDisableTagName'), ']')]\",\r\n \"notIn\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n ]\r\n },\r\n \"then\": {\r\n \"effect\": \"[[parameters('effect')]\",\r\n \"details\": {\r\n \"roleDefinitionIds\": [\r\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\r\n ],\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"existenceScope\": \"resourceGroup\",\r\n \"resourceGroupName\": \"[[parameters('alertResourceGroupName')]\",\r\n \"deploymentScope\": \"subscription\",\r\n \"existenceCondition\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/displayName\",\r\n \"equals\": \"[[concat(subscription().displayName, '-HybridVMLowDataDiskSpaceAlert')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/scopes[*]\",\r\n \"equals\": \"[[subscription().id]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/enabled\",\r\n \"equals\": \"[[parameters('enabled')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/evaluationFrequency\",\r\n \"equals\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/windowSize\",\r\n \"equals\": \"[[parameters('windowSize')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/severity\",\r\n \"equals\": \"[[parameters('severity')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/autoMitigate\",\r\n \"equals\": \"[[parameters('autoMitigate')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/checkWorkspaceAlertsStorageConfigured\",\r\n \"equals\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].operator\",\r\n \"equals\": \"[[parameters('operator')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].timeAggregation\",\r\n \"equals\": \"[[parameters('timeAggregation')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.numberOfEvaluationPeriods\",\r\n \"equals\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.minFailingPeriodsToAlert\",\r\n \"equals\": \"[[parameters('failingPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].query\",\r\n \"equals\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.HybridCompute/machines\\\" | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.HybridCompute/machines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"LogicalDisk\\\" and Name == \\\"FreeSpacePercentage\\\" | extend Disk=tostring(todynamic(Tags)[\\\"vm.azm.ms/mountId\\\"]) | where Disk !in (\\\"C:\\\", \\\"/\\\") | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, Disk | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend excludedLogicalVolumes = iif(isnotempty(resourceTags.[\\\"{4}\\\"]),resourceTags.[\\\"{4}\\\"], \\\"No logical volumes excluded\\\") | where excludedLogicalVolumes !has Disk | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue < appliedThreshold | project TimeGenerated, Computer, _ResourceId, Disk, AggregatedValue, appliedThreshold, excludedLogicalVolumes', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-FreeSpacePercentage-Data-threshold-Override_', '_amba-ExcludedLogicalVolumes-DiskSpace_')]\"\r\n },\r\n {\r\n \"field\": \"identity.userAssignedIdentities\",\r\n \"containsKey\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n ]\r\n },\r\n \"deployment\": {\r\n \"location\": \"northeurope\",\r\n \"properties\": {\r\n \"mode\": \"incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"object\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n },\r\n \"severity\": {\r\n \"type\": \"String\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Resources/resourceGroups\",\r\n \"apiVersion\": \"2021-04-01\",\r\n \"name\": \"[[parameters('alertResourceGroupName')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"tags\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n {\r\n \"type\": \"Microsoft.Resources/deployments\",\r\n \"apiVersion\": \"2019-10-01\",\r\n \"name\": \"HybridVMdataDiskSpaceAlert\",\r\n \"resourceGroup\": \"[[parameters('alertResourceGroupName')]\",\r\n \"dependsOn\": [\r\n \"[[concat('Microsoft.Resources/resourceGroups/', parameters('alertResourceGroupName'))]\"\r\n ],\r\n \"properties\": {\r\n \"mode\": \"Incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"apiVersion\": \"2022-08-01-preview\",\r\n \"name\": \"[[concat(subscription().displayName, '-HybridVMLowDataDiskSpaceAlert')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"identity\": {\r\n \"type\": \"UserAssigned\",\r\n \"userAssignedIdentities\": {\r\n \"[[parameters('UAMIResourceId')]\": {}\r\n }\r\n },\r\n \"tags\": {\r\n \"_deployed_by_amba\": true\r\n },\r\n \"properties\": {\r\n \"displayName\": \"[[concat(subscription().displayName, '-HybridVMLowDataDiskSpaceAlert')]\",\r\n \"description\": \"Log Alert for Virtual Machine dataDiskSpace\",\r\n \"severity\": \"[[parameters('severity')]\",\r\n \"enabled\": \"[[parameters('enabled')]\",\r\n \"scopes\": [\r\n \"[[subscription().Id]\"\r\n ],\r\n \"targetResourceTypes\": [\r\n \"Microsoft.HybridCompute/machines\"\r\n ],\r\n \"evaluationFrequency\": \"[[parameters('evaluationFrequency')]\",\r\n \"windowSize\": \"[[parameters('windowSize')]\",\r\n \"criteria\": {\r\n \"allOf\": [\r\n {\r\n \"query\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.HybridCompute/machines\\\" | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.HybridCompute/machines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"LogicalDisk\\\" and Name == \\\"FreeSpacePercentage\\\" | extend Disk=tostring(todynamic(Tags)[\\\"vm.azm.ms/mountId\\\"]) | where Disk !in (\\\"C:\\\", \\\"/\\\") | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, Disk | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend excludedLogicalVolumes = iif(isnotempty(resourceTags.[\\\"{4}\\\"]),resourceTags.[\\\"{4}\\\"], \\\"No logical volumes excluded\\\") | where excludedLogicalVolumes !has Disk | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue < appliedThreshold | project TimeGenerated, Computer, _ResourceId, Disk, AggregatedValue, appliedThreshold, excludedLogicalVolumes', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-FreeSpacePercentage-Data-threshold-Override_', '_amba-ExcludedLogicalVolumes-DiskSpace_')]\",\r\n \"threshold\": 0,\r\n \"operator\": \"[[parameters('operator')]\",\r\n \"resourceIdColumn\": \"_ResourceId\",\r\n \"timeAggregation\": \"[[parameters('timeAggregation')]\",\r\n \"dimensions\": [\r\n {\r\n \"name\": \"Computer\",\r\n \"operator\": \"Include\",\r\n \"values\": [\r\n \"*\"\r\n ]\r\n },\r\n {\r\n \"name\": \"Disk\",\r\n \"operator\": \"Include\",\r\n \"values\": [\r\n \"*\"\r\n ]\r\n }\r\n ],\r\n \"failingPeriods\": {\r\n \"numberOfEvaluationPeriods\": \"[[parameters('evaluationPeriods')]\",\r\n \"minFailingPeriodsToAlert\": \"[[parameters('failingPeriods')]\"\r\n }\r\n }\r\n ]\r\n },\r\n \"autoMitigate\": \"[[parameters('autoMitigate')]\",\r\n \"checkWorkspaceAlertsStorageConfigured\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\",\r\n \"ruleResolveConfiguration\": {\r\n \"autoResolved\": \"[[parameters('autoResolve')]\",\r\n \"timeToResolve\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"value\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"operator\": {\r\n \"value\": \"[[parameters('operator')]\"\r\n },\r\n \"timeAggregation\": {\r\n \"value\": \"[[parameters('timeAggregation')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n}\r\n", "$fxv#10": "{\r\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\r\n \"apiVersion\": \"2021-06-01\",\r\n \"name\": \"Deploy_Hybrid_VM_Memory_Alert\",\r\n \"properties\": {\r\n \"policyType\": \"Custom\",\r\n \"mode\": \"All\",\r\n \"displayName\": \"Deploy Hybrid VM Memory Alert\",\r\n \"description\": \"Policy to audit/deploy Hybrid VM Memory Alert\",\r\n \"metadata\": {\r\n \"version\": \"1.5.0\",\r\n \"category\": \"Hybrid Compute\",\r\n \"source\": \"https://github.com/Azure/azure-monitor-baseline-alerts/\",\r\n \"alzCloudEnvironments\": [\r\n \"AzureCloud\"\r\n ],\r\n \"_deployed_by_amba\": \"True\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Name\",\r\n \"description\": \"Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"rg-amba-monitoring-001\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"Object\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Tags\",\r\n \"description\": \"Tags on the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": {\r\n \"Project\": \"amba-monitoring\"\r\n }\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Location\",\r\n \"description\": \"Location of the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"centralus\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\",\r\n \"defaultValue\": \"\",\r\n \"metadata\": {\r\n \"description\": \"The resource Id of the user assigned managed identity.\",\r\n \"displayName\": \"User Assigned managed Identity resource Id.\"\r\n }\r\n },\r\n \"severity\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Severity\",\r\n \"description\": \"Severity of the Alert\"\r\n },\r\n \"allowedValues\": [\r\n \"0\",\r\n \"1\",\r\n \"2\",\r\n \"3\",\r\n \"4\"\r\n ],\r\n \"defaultValue\": \"2\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Operator\"\r\n },\r\n \"allowedValues\": [\r\n \"GreaterThan\"\r\n ],\r\n \"defaultValue\": \"GreaterThan\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"TimeAggregation\"\r\n },\r\n \"allowedValues\": [\r\n \"Count\"\r\n ],\r\n \"defaultValue\": \"Count\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Window Size\",\r\n \"description\": \"Window size for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\",\r\n \"PT6H\",\r\n \"PT12H\",\r\n \"PT24H\"\r\n ],\r\n \"defaultValue\": \"PT15M\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Frequency\",\r\n \"description\": \"Evaluation frequency for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\"\r\n ],\r\n \"defaultValue\": \"PT5M\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Mitigate\",\r\n \"description\": \"Auto Mitigate for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Require a workspace linked storage\",\r\n \"description\": \"Don't create the alert rule if the Log Analytics workspace doesn't have a configured linked storage account (relevant if you're using Customer Managed Keys).\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"false\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve time for the alert in ISO 8601 format\"\r\n },\r\n \"defaultValue\": \"true\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Alert State\",\r\n \"description\": \"Alert state for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Threshold\",\r\n \"description\": \"Threshold for the alert\"\r\n },\r\n \"defaultValue\": \"10\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Failing Periods\",\r\n \"description\": \"Number of failing periods before alert is fired\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Periods\",\r\n \"description\": \"The number of aggregated lookback points.\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"effect\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Effect\",\r\n \"description\": \"Effect of the policy\"\r\n },\r\n \"allowedValues\": [\r\n \"deployIfNotExists\",\r\n \"disabled\"\r\n ],\r\n \"defaultValue\": \"deployIfNotExists\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag name\",\r\n \"description\": \"Tag name to disable monitoring. Set to true if monitoring should be disabled\"\r\n },\r\n \"defaultValue\": \"MonitorDisable\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag values(s)\",\r\n \"description\": \"Tag value(s) used to disable monitoring at the resource level. Set to true if monitoring should be disabled.\"\r\n },\r\n \"defaultValue\": [\r\n \"true\",\r\n \"Test\",\r\n \"Dev\",\r\n \"Sandbox\"\r\n ]\r\n }\r\n },\r\n \"policyRule\": {\r\n \"if\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"type\",\r\n \"equals\": \"Microsoft.HybridCompute/machines\"\r\n },\r\n {\r\n \"field\": \"[[concat('tags[', parameters('MonitorDisableTagName'), ']')]\",\r\n \"notIn\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n ]\r\n },\r\n \"then\": {\r\n \"effect\": \"[[parameters('effect')]\",\r\n \"details\": {\r\n \"roleDefinitionIds\": [\r\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\r\n ],\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"existenceScope\": \"resourceGroup\",\r\n \"resourceGroupName\": \"[[parameters('alertResourceGroupName')]\",\r\n \"deploymentScope\": \"subscription\",\r\n \"existenceCondition\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/displayName\",\r\n \"equals\": \"[[concat(subscription().displayName, '-HybridVMLowMemoryAlert')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/scopes[*]\",\r\n \"equals\": \"[[subscription().id]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/enabled\",\r\n \"equals\": \"[[parameters('enabled')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/evaluationFrequency\",\r\n \"equals\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/windowSize\",\r\n \"equals\": \"[[parameters('windowSize')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/severity\",\r\n \"equals\": \"[[parameters('severity')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/autoMitigate\",\r\n \"equals\": \"[[parameters('autoMitigate')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/checkWorkspaceAlertsStorageConfigured\",\r\n \"equals\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].operator\",\r\n \"equals\": \"[[parameters('operator')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].timeAggregation\",\r\n \"equals\": \"[[parameters('timeAggregation')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.numberOfEvaluationPeriods\",\r\n \"equals\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.minFailingPeriodsToAlert\",\r\n \"equals\": \"[[parameters('failingPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].query\",\r\n \"equals\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.HybridCompute/machines\\\" | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.HybridCompute/machines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"Memory\\\" and Name == \\\"AvailableMB\\\" | extend TotalMemory = toreal(todynamic(Tags)[\\\"vm.azm.ms/memorySizeMB\\\"]) | extend AvailableMemoryPercentage = (toreal(Val) / TotalMemory) * 100.0 | summarize AggregatedValue = avg(AvailableMemoryPercentage) by bin(TimeGenerated, 15m), Computer, _ResourceId | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue < appliedThreshold | project TimeGenerated, Computer, _ResourceId, AggregatedValue, appliedThreshold', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-AvailableMemoryPercentage-threshold-Override_')]\"\r\n },\r\n {\r\n \"field\": \"identity.userAssignedIdentities\",\r\n \"containsKey\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n ]\r\n },\r\n \"deployment\": {\r\n \"location\": \"northeurope\",\r\n \"properties\": {\r\n \"mode\": \"incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"object\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n },\r\n \"severity\": {\r\n \"type\": \"String\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Resources/resourceGroups\",\r\n \"apiVersion\": \"2021-04-01\",\r\n \"name\": \"[[parameters('alertResourceGroupName')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"tags\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n {\r\n \"type\": \"Microsoft.Resources/deployments\",\r\n \"apiVersion\": \"2019-10-01\",\r\n \"name\": \"HybridVMMemoryAlert\",\r\n \"resourceGroup\": \"[[parameters('alertResourceGroupName')]\",\r\n \"dependsOn\": [\r\n \"[[concat('Microsoft.Resources/resourceGroups/', parameters('alertResourceGroupName'))]\"\r\n ],\r\n \"properties\": {\r\n \"mode\": \"Incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"apiVersion\": \"2022-08-01-preview\",\r\n \"name\": \"[[concat(subscription().displayName, '-HybridVMLowMemoryAlert')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"identity\": {\r\n \"type\": \"UserAssigned\",\r\n \"userAssignedIdentities\": {\r\n \"[[parameters('UAMIResourceId')]\": {}\r\n }\r\n },\r\n \"tags\": {\r\n \"_deployed_by_amba\": true\r\n },\r\n \"properties\": {\r\n \"displayName\": \"[[concat(subscription().displayName, '-HybridVMLowMemoryAlert')]\",\r\n \"description\": \"Log Alert for Virtual Machine Memory\",\r\n \"severity\": \"[[parameters('severity')]\",\r\n \"enabled\": \"[[parameters('enabled')]\",\r\n \"scopes\": [\r\n \"[[subscription().Id]\"\r\n ],\r\n \"targetResourceTypes\": [\r\n \"Microsoft.HybridCompute/machines\"\r\n ],\r\n \"evaluationFrequency\": \"[[parameters('evaluationFrequency')]\",\r\n \"windowSize\": \"[[parameters('windowSize')]\",\r\n \"criteria\": {\r\n \"allOf\": [\r\n {\r\n \"query\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.HybridCompute/machines\\\" | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.HybridCompute/machines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"Memory\\\" and Name == \\\"AvailableMB\\\" | extend TotalMemory = toreal(todynamic(Tags)[\\\"vm.azm.ms/memorySizeMB\\\"]) | extend AvailableMemoryPercentage = (toreal(Val) / TotalMemory) * 100.0 | summarize AggregatedValue = avg(AvailableMemoryPercentage) by bin(TimeGenerated, 15m), Computer, _ResourceId | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue < appliedThreshold | project TimeGenerated, Computer, _ResourceId, AggregatedValue, appliedThreshold', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-AvailableMemoryPercentage-threshold-Override_')]\",\r\n \"threshold\": 0,\r\n \"operator\": \"[[parameters('operator')]\",\r\n \"resourceIdColumn\": \"_ResourceId\",\r\n \"timeAggregation\": \"[[parameters('timeAggregation')]\",\r\n \"dimensions\": [\r\n {\r\n \"name\": \"Computer\",\r\n \"operator\": \"Include\",\r\n \"values\": [\r\n \"*\"\r\n ]\r\n }\r\n ],\r\n \"failingPeriods\": {\r\n \"numberOfEvaluationPeriods\": \"[[parameters('evaluationPeriods')]\",\r\n \"minFailingPeriodsToAlert\": \"[[parameters('failingPeriods')]\"\r\n }\r\n }\r\n ]\r\n },\r\n \"autoMitigate\": \"[[parameters('autoMitigate')]\",\r\n \"checkWorkspaceAlertsStorageConfigured\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\",\r\n \"ruleResolveConfiguration\": {\r\n \"autoResolved\": \"[[parameters('autoResolve')]\",\r\n \"timeToResolve\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"value\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"operator\": {\r\n \"value\": \"[[parameters('operator')]\"\r\n },\r\n \"timeAggregation\": {\r\n \"value\": \"[[parameters('timeAggregation')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n}\r\n", "$fxv#11": "{\r\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\r\n \"apiVersion\": \"2021-06-01\",\r\n \"name\": \"Deploy_Hybrid_VM_Disconnected_Alert\",\r\n \"properties\": {\r\n \"policyType\": \"Custom\",\r\n \"mode\": \"All\",\r\n \"displayName\": \"Deploy Hybrid VM Disconnected Alert\",\r\n \"description\": \"Policy to audit/deploy Hybrid VM Disconnected Alert\",\r\n \"metadata\": {\r\n \"version\": \"1.7.0\",\r\n \"category\": \"Hybrid Compute\",\r\n \"source\": \"https://github.com/Azure/azure-monitor-baseline-alerts/\",\r\n \"alzCloudEnvironments\": [\r\n \"AzureCloud\"\r\n ],\r\n \"_deployed_by_amba\": \"True\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Name\",\r\n \"description\": \"Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"rg-amba-monitoring-001\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"Object\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Tags\",\r\n \"description\": \"Tags on the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": {\r\n \"Project\": \"amba-monitoring\"\r\n }\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Location\",\r\n \"description\": \"Location of the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"centralus\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\",\r\n \"defaultValue\": \"\",\r\n \"metadata\": {\r\n \"description\": \"The resource Id of the user assigned managed identity.\",\r\n \"displayName\": \"User Assigned managed Identity resource Id.\"\r\n }\r\n },\r\n \"severity\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Severity\",\r\n \"description\": \"Severity of the Alert\"\r\n },\r\n \"allowedValues\": [\r\n \"0\",\r\n \"1\",\r\n \"2\",\r\n \"3\",\r\n \"4\"\r\n ],\r\n \"defaultValue\": \"1\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Operator\"\r\n },\r\n \"allowedValues\": [\r\n \"GreaterThan\"\r\n ],\r\n \"defaultValue\": \"GreaterThan\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"TimeAggregation\"\r\n },\r\n \"allowedValues\": [\r\n \"Count\"\r\n ],\r\n \"defaultValue\": \"Count\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Window Size\",\r\n \"description\": \"Window size for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT12H\",\r\n \"P1D\"\r\n ],\r\n \"defaultValue\": \"P1D\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Frequency\",\r\n \"description\": \"Evaluation frequency for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT10M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\",\r\n \"PT2H\",\r\n \"PT6H\",\r\n \"PT12H\",\r\n \"P1D\"\r\n ],\r\n \"defaultValue\": \"PT10M\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Mitigate\",\r\n \"description\": \"Auto Mitigate for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Require a workspace linked storage\",\r\n \"description\": \"Don't create the alert rule if the Log Analytics workspace doesn't have a configured linked storage account (relevant if you're using Customer Managed Keys).\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"false\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Alert State\",\r\n \"description\": \"Alert state for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\",\r\n \"defaultValue\": \"10m\",\r\n \"allowedValues\": [\r\n \"5m\",\r\n \"10m\",\r\n \"15m\",\r\n \"30m\",\r\n \"1h\",\r\n \"2h\",\r\n \"3h\",\r\n \"6h\",\r\n \"12h\",\r\n \"1d\",\r\n \"2d\",\r\n \"3d\",\r\n \"7d\"\r\n ],\r\n \"metadata\": {\r\n \"displayName\": \"Hybrid VM Disconnected Threshold (expressed in timespan)\",\r\n \"description\": \"Threshold in timespan value for the Hybrid VM Disconnected alert\"\r\n }\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Failing Periods\",\r\n \"description\": \"Number of failing periods before alert is fired\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Periods\",\r\n \"description\": \"The number of aggregated lookback points.\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"effect\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Effect\",\r\n \"description\": \"Effect of the policy\"\r\n },\r\n \"allowedValues\": [\r\n \"deployIfNotExists\",\r\n \"disabled\"\r\n ],\r\n \"defaultValue\": \"deployIfNotExists\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag name\",\r\n \"description\": \"Tag name to disable monitoring. Set to true if monitoring should be disabled\"\r\n },\r\n \"defaultValue\": \"MonitorDisable\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag values(s)\",\r\n \"description\": \"Tag value(s) used to disable monitoring at the resource level. Set to true if monitoring should be disabled.\"\r\n },\r\n \"defaultValue\": [\r\n \"true\",\r\n \"Test\",\r\n \"Dev\",\r\n \"Sandbox\"\r\n ]\r\n }\r\n },\r\n \"policyRule\": {\r\n \"if\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"type\",\r\n \"equals\": \"Microsoft.HybridCompute/machines\"\r\n },\r\n {\r\n \"field\": \"[[concat('tags[', parameters('MonitorDisableTagName'), ']')]\",\r\n \"notIn\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n ]\r\n },\r\n \"then\": {\r\n \"effect\": \"[[parameters('effect')]\",\r\n \"details\": {\r\n \"roleDefinitionIds\": [\r\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\r\n ],\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"existenceScope\": \"resourceGroup\",\r\n \"resourceGroupName\": \"[[parameters('alertResourceGroupName')]\",\r\n \"deploymentScope\": \"subscription\",\r\n \"existenceCondition\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/displayName\",\r\n \"equals\": \"[[concat(subscription().displayName, '-HybridVMDisconnectedAlert')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/scopes[*]\",\r\n \"equals\": \"[[subscription().id]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/enabled\",\r\n \"equals\": \"[[parameters('enabled')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/evaluationFrequency\",\r\n \"equals\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/windowSize\",\r\n \"equals\": \"[[parameters('windowSize')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/severity\",\r\n \"equals\": \"[[parameters('severity')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/autoMitigate\",\r\n \"equals\": \"[[parameters('autoMitigate')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/checkWorkspaceAlertsStorageConfigured\",\r\n \"equals\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].operator\",\r\n \"equals\": \"[[parameters('operator')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].timeAggregation\",\r\n \"equals\": \"[[parameters('timeAggregation')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.numberOfEvaluationPeriods\",\r\n \"equals\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.minFailingPeriodsToAlert\",\r\n \"equals\": \"[[parameters('failingPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].query\",\r\n \"equals\": \"[[format('let policyThresholdString = \\\"{0}\\\"; arg(\\\"\\\").resources | where type == \\\"microsoft.hybridcompute/machines\\\" | where tostring(tags.[\\\"{1}\\\"]) !in~ (\\\"{2}\\\") | where tostring(properties.status) == \\\"Disconnected\\\" | extend lastContactedDate = todatetime(properties.lastStatusChange) | where lastContactedDate <= ago(totimespan(policyThresholdString)) | extend status = tostring(properties.status) | project id, Computer=name, status, lastContactedDate', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'))]\"\r\n },\r\n {\r\n \"field\": \"identity.userAssignedIdentities\",\r\n \"containsKey\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n ]\r\n },\r\n \"deployment\": {\r\n \"location\": \"northeurope\",\r\n \"properties\": {\r\n \"mode\": \"incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"object\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n },\r\n \"severity\": {\r\n \"type\": \"String\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Resources/resourceGroups\",\r\n \"apiVersion\": \"2021-04-01\",\r\n \"name\": \"[[parameters('alertResourceGroupName')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"tags\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n {\r\n \"type\": \"Microsoft.Resources/deployments\",\r\n \"apiVersion\": \"2019-10-01\",\r\n \"name\": \"HybridVMDisconnectedAlert\",\r\n \"resourceGroup\": \"[[parameters('alertResourceGroupName')]\",\r\n \"dependsOn\": [\r\n \"[[concat('Microsoft.Resources/resourceGroups/', parameters('alertResourceGroupName'))]\"\r\n ],\r\n \"properties\": {\r\n \"mode\": \"Incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"apiVersion\": \"2022-08-01-preview\",\r\n \"name\": \"[[concat(subscription().displayName, '-HybridVMDisconnectedAlert')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"identity\": {\r\n \"type\": \"UserAssigned\",\r\n \"userAssignedIdentities\": {\r\n \"[[parameters('UAMIResourceId')]\": {}\r\n }\r\n },\r\n \"tags\": {\r\n \"_deployed_by_amba\": true\r\n },\r\n \"properties\": {\r\n \"displayName\": \"[[concat(subscription().displayName, '-HybridVMDisconnectedAlert')]\",\r\n \"description\": \"Hybrid VM in disconnected state. Not being connected, prevents extensions to be correctly managed from the portal and Azure policies to be correctly applied. Ensure that both server the specific service (Azure Hybrid Instance Metadata Service on Windows or azcmagent on Linux) are running.\",\r\n \"severity\": \"[[parameters('severity')]\",\r\n \"enabled\": \"[[parameters('enabled')]\",\r\n \"scopes\": [\r\n \"[[subscription().Id]\"\r\n ],\r\n \"targetResourceTypes\": [\r\n \"Microsoft.HybridCompute/machines\"\r\n ],\r\n \"evaluationFrequency\": \"[[parameters('evaluationFrequency')]\",\r\n \"windowSize\": \"[[parameters('windowSize')]\",\r\n \"criteria\": {\r\n \"allOf\": [\r\n {\r\n \"query\": \"[[format('let policyThresholdString = \\\"{0}\\\"; arg(\\\"\\\").resources | where type == \\\"microsoft.hybridcompute/machines\\\" | where tostring(tags.[\\\"{1}\\\"]) !in~ (\\\"{2}\\\") | where tostring(properties.status) == \\\"Disconnected\\\" | extend lastContactedDate = todatetime(properties.lastStatusChange) | where lastContactedDate <= ago(totimespan(policyThresholdString)) | extend status = tostring(properties.status) | project id, Computer=name, status, lastContactedDate', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'))]\",\r\n \"resourceIdColumn\": \"id\",\r\n \"threshold\": 0,\r\n \"operator\": \"[[parameters('operator')]\",\r\n \"timeAggregation\": \"[[parameters('timeAggregation')]\",\r\n \"dimensions\": [\r\n {\r\n \"name\": \"Computer\",\r\n \"operator\": \"Include\",\r\n \"values\": [\r\n \"*\"\r\n ]\r\n }\r\n ],\r\n \"failingPeriods\": {\r\n \"numberOfEvaluationPeriods\": \"[[parameters('evaluationPeriods')]\",\r\n \"minFailingPeriodsToAlert\": \"[[parameters('failingPeriods')]\"\r\n }\r\n }\r\n ]\r\n },\r\n \"autoMitigate\": \"[[parameters('autoMitigate')]\",\r\n \"checkWorkspaceAlertsStorageConfigured\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\",\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"value\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"operator\": {\r\n \"value\": \"[[parameters('operator')]\"\r\n },\r\n \"timeAggregation\": {\r\n \"value\": \"[[parameters('timeAggregation')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n}\r\n", "$fxv#12": { @@ -336,16 +336,6 @@ "description": "Time Aggregation for the alert" } }, - "HybridVMHeartBeatRGComputersToInclude": { - "type": "array", - "defaultValue": [ - "*" - ], - "metadata": { - "displayName": "Hybrid VM Heart Beat RG Computers To Include", - "description": "Computers To Include for the alert" - } - }, "HybridVMHeartBeatRGFailingPeriods": { "type": "string", "defaultValue": "1", @@ -500,16 +490,6 @@ "description": "Failing Periods for the alert" } }, - "HybridVMNetworkInComputersToInclude": { - "type": "array", - "defaultValue": [ - "*" - ], - "metadata": { - "displayName": "Hybrid VM Network In Computers To Include", - "description": "Computers To Include for the alert" - } - }, "HybridVMNetworkOutAlertSeverity": { "type": "String", "defaultValue": "2", @@ -656,16 +636,6 @@ "description": "Failing Periods for the alert" } }, - "HybridVMNetworkOutComputersToInclude": { - "type": "array", - "defaultValue": [ - "*" - ], - "metadata": { - "displayName": "Hybrid VM Network Out Computers To Include", - "description": "Computers To Include for the alert" - } - }, "HybridVMOSDiskReadLatencyAlertSeverity": { "type": "String", "defaultValue": "2", @@ -812,16 +782,6 @@ "description": "Failing Periods for the alert" } }, - "HybridVMOSDiskReadLatencyComputersToInclude": { - "type": "array", - "defaultValue": [ - "*" - ], - "metadata": { - "displayName": "Hybrid VM OS Disk Read Latency Computers To Include", - "description": "Computers To Include for the alert" - } - }, "HybridVMOSDiskWriteLatencyAlertSeverity": { "type": "String", "defaultValue": "2", @@ -968,16 +928,6 @@ "description": "Failing Periods for the alert" } }, - "HybridVMOSDiskWriteLatencyComputersToInclude": { - "type": "array", - "defaultValue": [ - "*" - ], - "metadata": { - "displayName": "Hybrid VM OS Disk Write Latency Computers To Include", - "description": "Computers To Include for the alert" - } - }, "HybridVMOSDiskSpaceAlertSeverity": { "type": "String", "defaultValue": "2", @@ -1124,16 +1074,6 @@ "description": "Failing Periods for the alert" } }, - "HybridVMOSDiskSpaceComputersToInclude": { - "type": "array", - "defaultValue": [ - "*" - ], - "metadata": { - "displayName": "Hybrid VM OS Disk Space Computers To Include", - "description": "Computers To Include for the alert" - } - }, "HybridVMPercentCPUAlertSeverity": { "type": "String", "defaultValue": "2", @@ -1556,16 +1496,6 @@ "description": "Failing Periods for the alert" } }, - "HybridVMDataDiskSpaceComputersToInclude": { - "type": "array", - "defaultValue": [ - "*" - ], - "metadata": { - "displayName": "Hybrid VM Data Disk Space Computers To Include", - "description": "Computers To Include for the alert" - } - }, "HybridVMDataDiskReadLatencyAlertSeverity": { "type": "String", "defaultValue": "2", @@ -1712,16 +1642,6 @@ "description": "Failing Periods for the alert" } }, - "HybridVMDataDiskReadLatencyComputersToInclude": { - "type": "array", - "defaultValue": [ - "*" - ], - "metadata": { - "displayName": "Hybrid VM Data Disk Read Latency Computers To Include", - "description": "Computers To Include for the alert" - } - }, "HybridVMDataDiskWriteLatencyAlertSeverity": { "type": "String", "defaultValue": "2", @@ -1868,16 +1788,6 @@ "description": "Failing Periods for the alert" } }, - "HybridVMDataDiskWriteLatencyComputersToInclude": { - "type": "array", - "defaultValue": [ - "*" - ], - "metadata": { - "displayName": "Hybrid VM Data Disk Write Latency Computers To Include", - "description": "Computers To Include for the alert" - } - }, "HybridVMDisconnectedAlertSeverity": { "type": "String", "defaultValue": "1", @@ -2805,13 +2715,13 @@ "policyDefinitionGroups": null } }, - "$fxv#2": "{\r\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\r\n \"apiVersion\": \"2021-06-01\",\r\n \"name\": \"Deploy_Hybrid_VM_dataDiskWriteLatency_Alert\",\r\n \"properties\": {\r\n \"policyType\": \"Custom\",\r\n \"mode\": \"All\",\r\n \"displayName\": \"Deploy Hybrid VM Data Disk Write Latency Alert\",\r\n \"description\": \"Policy to audit/deploy Hybrid VM Data Disk Write Latency Alert\",\r\n \"metadata\": {\r\n \"version\": \"1.6.0\",\r\n \"category\": \"Hybrid Compute\",\r\n \"source\": \"https://github.com/Azure/azure-monitor-baseline-alerts/\",\r\n \"alzCloudEnvironments\": [\r\n \"AzureCloud\"\r\n ],\r\n \"_deployed_by_amba\": \"True\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Name\",\r\n \"description\": \"Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"rg-amba-monitoring-001\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"Object\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Tags\",\r\n \"description\": \"Tags on the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": {\r\n \"Project\": \"amba-monitoring\"\r\n }\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Location\",\r\n \"description\": \"Location of the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"centralus\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\",\r\n \"defaultValue\": \"\",\r\n \"metadata\": {\r\n \"description\": \"The resource Id of the user assigned managed identity.\",\r\n \"displayName\": \"User Assigned managed Identity resource Id.\"\r\n }\r\n },\r\n \"severity\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Severity\",\r\n \"description\": \"Severity of the Alert\"\r\n },\r\n \"allowedValues\": [\r\n \"0\",\r\n \"1\",\r\n \"2\",\r\n \"3\",\r\n \"4\"\r\n ],\r\n \"defaultValue\": \"2\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Operator\"\r\n },\r\n \"allowedValues\": [\r\n \"GreaterThan\"\r\n ],\r\n \"defaultValue\": \"GreaterThan\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"TimeAggregation\"\r\n },\r\n \"allowedValues\": [\r\n \"Count\"\r\n ],\r\n \"defaultValue\": \"Count\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Window Size\",\r\n \"description\": \"Window size for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\",\r\n \"PT6H\",\r\n \"PT12H\",\r\n \"PT24H\"\r\n ],\r\n \"defaultValue\": \"PT15M\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Frequency\",\r\n \"description\": \"Evaluation frequency for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\"\r\n ],\r\n \"defaultValue\": \"PT5M\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Mitigate\",\r\n \"description\": \"Auto Mitigate for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Require a workspace linked storage\",\r\n \"description\": \"Don't create the alert rule if the Log Analytics workspace doesn't have a configured linked storage account (relevant if you're using Customer Managed Keys).\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"false\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve time for the alert in ISO 8601 format\"\r\n },\r\n \"defaultValue\": \"true\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Alert State\",\r\n \"description\": \"Alert state for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Threshold\",\r\n \"description\": \"Threshold for the alert\"\r\n },\r\n \"defaultValue\": \"30\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Failing Periods\",\r\n \"description\": \"Number of failing periods before alert is fired\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Periods\",\r\n \"description\": \"The number of aggregated lookback points.\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"computersToInclude\": {\r\n \"type\": \"array\",\r\n \"metadata\": {\r\n \"displayName\": \"Computers to be included to be monitored\",\r\n \"description\": \"Array of Computer to be monitored\"\r\n },\r\n \"defaultValue\": [\r\n \"*\"\r\n ]\r\n },\r\n \"effect\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Effect\",\r\n \"description\": \"Effect of the policy\"\r\n },\r\n \"allowedValues\": [\r\n \"deployIfNotExists\",\r\n \"disabled\"\r\n ],\r\n \"defaultValue\": \"deployIfNotExists\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag name\",\r\n \"description\": \"Tag name to disable monitoring. Set to true if monitoring should be disabled\"\r\n },\r\n \"defaultValue\": \"MonitorDisable\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag values(s)\",\r\n \"description\": \"Tag value(s) used to disable monitoring at the resource level. Set to true if monitoring should be disabled.\"\r\n },\r\n \"defaultValue\": [\r\n \"true\",\r\n \"Test\",\r\n \"Dev\",\r\n \"Sandbox\"\r\n ]\r\n }\r\n },\r\n \"policyRule\": {\r\n \"if\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"type\",\r\n \"equals\": \"Microsoft.HybridCompute/machines\"\r\n },\r\n {\r\n \"field\": \"[[concat('tags[', parameters('MonitorDisableTagName'), ']')]\",\r\n \"notIn\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n ]\r\n },\r\n \"then\": {\r\n \"effect\": \"[[parameters('effect')]\",\r\n \"details\": {\r\n \"roleDefinitionIds\": [\r\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\r\n ],\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"existenceScope\": \"resourceGroup\",\r\n \"resourceGroupName\": \"[[parameters('alertResourceGroupName')]\",\r\n \"deploymentScope\": \"subscription\",\r\n \"existenceCondition\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/displayName\",\r\n \"equals\": \"[[concat(subscription().displayName, '-HybridVMHighDataDiskWriteLatencyAlert')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/scopes[*]\",\r\n \"equals\": \"[[subscription().id]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/enabled\",\r\n \"equals\": \"[[parameters('enabled')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/evaluationFrequency\",\r\n \"equals\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/windowSize\",\r\n \"equals\": \"[[parameters('windowSize')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/severity\",\r\n \"equals\": \"[[parameters('severity')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/autoMitigate\",\r\n \"equals\": \"[[parameters('autoMitigate')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/checkWorkspaceAlertsStorageConfigured\",\r\n \"equals\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].operator\",\r\n \"equals\": \"[[parameters('operator')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].timeAggregation\",\r\n \"equals\": \"[[parameters('timeAggregation')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.numberOfEvaluationPeriods\",\r\n \"equals\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.minFailingPeriodsToAlert\",\r\n \"equals\": \"[[parameters('failingPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].query\",\r\n \"equals\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.HybridCompute/machines\\\" | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.HybridCompute/machines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"LogicalDisk\\\" and Name == \\\"WriteLatencyMs\\\" | extend Disk=tostring(todynamic(Tags)[\\\"vm.azm.ms/mountId\\\"]) | where Disk !in (\\\"C:\\\", \\\"/\\\") | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, Disk | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend excludedLogicalVolumes = iif(isnotempty(resourceTags.[\\\"{4}\\\"]),resourceTags.[\\\"{4}\\\"], \\\"No logical volumes excluded\\\") | where excludedLogicalVolumes !has Disk | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue > appliedThreshold | project TimeGenerated, Computer, _ResourceId, Disk, AggregatedValue, appliedThreshold, excludedLogicalVolumes', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-WriteLatencyMs-Data-threshold-Override_', '_amba-ExcludedLogicalVolumes-WriteLatency_')]\"\r\n },\r\n {\r\n \"field\": \"identity.userAssignedIdentities\",\r\n \"containsKey\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n ]\r\n },\r\n \"deployment\": {\r\n \"location\": \"northeurope\",\r\n \"properties\": {\r\n \"mode\": \"incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"object\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n },\r\n \"severity\": {\r\n \"type\": \"String\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"computersToInclude\": {\r\n \"type\": \"array\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Resources/resourceGroups\",\r\n \"apiVersion\": \"2021-04-01\",\r\n \"name\": \"[[parameters('alertResourceGroupName')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"tags\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n {\r\n \"type\": \"Microsoft.Resources/deployments\",\r\n \"apiVersion\": \"2019-10-01\",\r\n \"name\": \"HybridVMdataDiskWriteLatencyAlert\",\r\n \"resourceGroup\": \"[[parameters('alertResourceGroupName')]\",\r\n \"dependsOn\": [\r\n \"[[concat('Microsoft.Resources/resourceGroups/', parameters('alertResourceGroupName'))]\"\r\n ],\r\n \"properties\": {\r\n \"mode\": \"Incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"apiVersion\": \"2022-08-01-preview\",\r\n \"name\": \"[[concat(subscription().displayName, '-HybridVMHighDataDiskWriteLatencyAlert')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"identity\": {\r\n \"type\": \"UserAssigned\",\r\n \"userAssignedIdentities\": {\r\n \"[[parameters('UAMIResourceId')]\": {}\r\n }\r\n },\r\n \"tags\": {\r\n \"_deployed_by_amba\": true\r\n },\r\n \"properties\": {\r\n \"displayName\": \"[[concat(subscription().displayName, '-HybridVMHighDataDiskWriteLatencyAlert')]\",\r\n \"description\": \"Log Alert for Virtual Machine dataDiskWriteLatency\",\r\n \"severity\": \"[[parameters('severity')]\",\r\n \"enabled\": \"[[parameters('enabled')]\",\r\n \"scopes\": [\r\n \"[[subscription().Id]\"\r\n ],\r\n \"targetResourceTypes\": [\r\n \"Microsoft.HybridCompute/machines\"\r\n ],\r\n \"evaluationFrequency\": \"[[parameters('evaluationFrequency')]\",\r\n \"windowSize\": \"[[parameters('windowSize')]\",\r\n \"criteria\": {\r\n \"allOf\": [\r\n {\r\n \"query\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.HybridCompute/machines\\\" | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.HybridCompute/machines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"LogicalDisk\\\" and Name == \\\"WriteLatencyMs\\\" | extend Disk=tostring(todynamic(Tags)[\\\"vm.azm.ms/mountId\\\"]) | where Disk !in (\\\"C:\\\", \\\"/\\\") | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, Disk | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend excludedLogicalVolumes = iif(isnotempty(resourceTags.[\\\"{4}\\\"]),resourceTags.[\\\"{4}\\\"], \\\"No logical volumes excluded\\\") | where excludedLogicalVolumes !has Disk | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue > appliedThreshold | project TimeGenerated, Computer, _ResourceId, Disk, AggregatedValue, appliedThreshold, excludedLogicalVolumes', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-WriteLatencyMs-Data-threshold-Override_', '_amba-ExcludedLogicalVolumes-WriteLatency_')]\",\r\n \"threshold\": 0,\r\n \"operator\": \"[[parameters('operator')]\",\r\n \"resourceIdColumn\": \"_ResourceId\",\r\n \"timeAggregation\": \"[[parameters('timeAggregation')]\",\r\n \"dimensions\": [\r\n {\r\n \"name\": \"Computer\",\r\n \"operator\": \"Include\",\r\n \"values\": \"[[parameters('computersToInclude')]\"\r\n },\r\n {\r\n \"name\": \"Disk\",\r\n \"operator\": \"Include\",\r\n \"values\": [\r\n \"*\"\r\n ]\r\n }\r\n ],\r\n \"failingPeriods\": {\r\n \"numberOfEvaluationPeriods\": \"[[parameters('evaluationPeriods')]\",\r\n \"minFailingPeriodsToAlert\": \"[[parameters('failingPeriods')]\"\r\n }\r\n }\r\n ]\r\n },\r\n \"autoMitigate\": \"[[parameters('autoMitigate')]\",\r\n \"checkWorkspaceAlertsStorageConfigured\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\",\r\n \"ruleResolveConfiguration\": {\r\n \"autoResolved\": \"[[parameters('autoResolve')]\",\r\n \"timeToResolve\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"computersToInclude\": {\r\n \"value\": \"[[parameters('computersToInclude')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"value\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"operator\": {\r\n \"value\": \"[[parameters('operator')]\"\r\n },\r\n \"timeAggregation\": {\r\n \"value\": \"[[parameters('timeAggregation')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"computersToInclude\": {\r\n \"value\": \"[[parameters('computersToInclude')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n}\r\n", - "$fxv#3": "{\r\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\r\n \"apiVersion\": \"2021-06-01\",\r\n \"name\": \"Deploy_Hybrid_VM_HeartBeat_Alert\",\r\n \"properties\": {\r\n \"policyType\": \"Custom\",\r\n \"mode\": \"All\",\r\n \"displayName\": \"Deploy Hybrid VM HeartBeat Alert\",\r\n \"description\": \"Policy to audit/deploy Hybrid VM HeartBeat Alert\",\r\n \"metadata\": {\r\n \"version\": \"1.5.0\",\r\n \"category\": \"Hybrid Compute\",\r\n \"source\": \"https://github.com/Azure/azure-monitor-baseline-alerts/\",\r\n \"alzCloudEnvironments\": [\r\n \"AzureCloud\"\r\n ],\r\n \"_deployed_by_amba\": \"True\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Name\",\r\n \"description\": \"Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"rg-amba-monitoring-001\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"Object\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Tags\",\r\n \"description\": \"Tags on the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": {\r\n \"Project\": \"amba-monitoring\"\r\n }\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Location\",\r\n \"description\": \"Location of the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"centralus\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\",\r\n \"defaultValue\": \"\",\r\n \"metadata\": {\r\n \"description\": \"The resource Id of the user assigned managed identity.\",\r\n \"displayName\": \"User Assigned managed Identity resource Id.\"\r\n }\r\n },\r\n \"severity\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Severity\",\r\n \"description\": \"Severity of the Alert\"\r\n },\r\n \"allowedValues\": [\r\n \"0\",\r\n \"1\",\r\n \"2\",\r\n \"3\",\r\n \"4\"\r\n ],\r\n \"defaultValue\": \"1\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Operator\"\r\n },\r\n \"allowedValues\": [\r\n \"GreaterThan\"\r\n ],\r\n \"defaultValue\": \"GreaterThan\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"TimeAggregation\"\r\n },\r\n \"allowedValues\": [\r\n \"Count\"\r\n ],\r\n \"defaultValue\": \"Count\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Window Size\",\r\n \"description\": \"Window size for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\",\r\n \"PT6H\",\r\n \"PT12H\",\r\n \"PT24H\"\r\n ],\r\n \"defaultValue\": \"PT6H\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Frequency\",\r\n \"description\": \"Evaluation frequency for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\"\r\n ],\r\n \"defaultValue\": \"PT5M\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Mitigate\",\r\n \"description\": \"Auto Mitigate for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Require a workspace linked storage\",\r\n \"description\": \"Don't create the alert rule if the Log Analytics workspace doesn't have a configured linked storage account (relevant if you're using Customer Managed Keys).\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"false\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve time for the alert in ISO 8601 format\"\r\n },\r\n \"defaultValue\": \"true\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Alert State\",\r\n \"description\": \"Alert state for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Threshold\",\r\n \"description\": \"Threshold for the alert\"\r\n },\r\n \"defaultValue\": \"10\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Failing Periods\",\r\n \"description\": \"Number of failing periods before alert is fired\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Periods\",\r\n \"description\": \"The number of aggregated lookback points.\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"computersToInclude\": {\r\n \"type\": \"array\",\r\n \"metadata\": {\r\n \"displayName\": \"Computers to be included to be monitored\",\r\n \"description\": \"Array of Computer to be monitored\"\r\n },\r\n \"defaultValue\": [\r\n \"*\"\r\n ]\r\n },\r\n \"effect\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Effect\",\r\n \"description\": \"Effect of the policy\"\r\n },\r\n \"allowedValues\": [\r\n \"deployIfNotExists\",\r\n \"disabled\"\r\n ],\r\n \"defaultValue\": \"deployIfNotExists\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag name\",\r\n \"description\": \"Tag name to disable monitoring. Set to true if monitoring should be disabled\"\r\n },\r\n \"defaultValue\": \"MonitorDisable\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag values(s)\",\r\n \"description\": \"Tag value(s) used to disable monitoring at the resource level. Set to true if monitoring should be disabled.\"\r\n },\r\n \"defaultValue\": [\r\n \"true\",\r\n \"Test\",\r\n \"Dev\",\r\n \"Sandbox\"\r\n ]\r\n }\r\n },\r\n \"policyRule\": {\r\n \"if\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"type\",\r\n \"equals\": \"Microsoft.HybridCompute/machines\"\r\n },\r\n {\r\n \"field\": \"[[concat('tags[', parameters('MonitorDisableTagName'), ']')]\",\r\n \"notIn\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n ]\r\n },\r\n \"then\": {\r\n \"effect\": \"[[parameters('effect')]\",\r\n \"details\": {\r\n \"roleDefinitionIds\": [\r\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\r\n ],\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"existenceScope\": \"resourceGroup\",\r\n \"resourceGroupName\": \"[[parameters('alertResourceGroupName')]\",\r\n \"deploymentScope\": \"subscription\",\r\n \"existenceCondition\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/displayName\",\r\n \"equals\": \"[[concat(subscription().displayName, '-HybridVMHeartBeatAlert')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/scopes[*]\",\r\n \"equals\": \"[[subscription().id]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/enabled\",\r\n \"equals\": \"[[parameters('enabled')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/evaluationFrequency\",\r\n \"equals\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/windowSize\",\r\n \"equals\": \"[[parameters('windowSize')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/severity\",\r\n \"equals\": \"[[parameters('severity')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/autoMitigate\",\r\n \"equals\": \"[[parameters('autoMitigate')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/checkWorkspaceAlertsStorageConfigured\",\r\n \"equals\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].operator\",\r\n \"equals\": \"[[parameters('operator')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].timeAggregation\",\r\n \"equals\": \"[[parameters('timeAggregation')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.numberOfEvaluationPeriods\",\r\n \"equals\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.minFailingPeriodsToAlert\",\r\n \"equals\": \"[[parameters('failingPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].query\",\r\n \"equals\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.HybridCompute/machines\\\" | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); Heartbeat | where _ResourceId has \\\"Microsoft.HybridCompute/machines\\\" | summarize TimeGenerated=max(TimeGenerated) by Computer, _ResourceId | extend Duration = datetime_diff(\\\"minute\\\",now(),TimeGenerated) | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where Duration > appliedThreshold | project TimeGenerated, Computer, _ResourceId, Duration, appliedThreshold', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-Heartbeat-threshold-Override_')]\"\r\n },\r\n {\r\n \"field\": \"identity.userAssignedIdentities\",\r\n \"containsKey\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n ]\r\n },\r\n \"deployment\": {\r\n \"location\": \"northeurope\",\r\n \"properties\": {\r\n \"mode\": \"incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"object\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n },\r\n \"severity\": {\r\n \"type\": \"String\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"computersToInclude\": {\r\n \"type\": \"array\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Resources/resourceGroups\",\r\n \"apiVersion\": \"2021-04-01\",\r\n \"name\": \"[[parameters('alertResourceGroupName')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"tags\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n {\r\n \"type\": \"Microsoft.Resources/deployments\",\r\n \"apiVersion\": \"2019-10-01\",\r\n \"name\": \"HybridVMHeartBeatAlert\",\r\n \"resourceGroup\": \"[[parameters('alertResourceGroupName')]\",\r\n \"dependsOn\": [\r\n \"[[concat('Microsoft.Resources/resourceGroups/', parameters('alertResourceGroupName'))]\"\r\n ],\r\n \"properties\": {\r\n \"mode\": \"Incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"apiVersion\": \"2022-08-01-preview\",\r\n \"name\": \"[[concat(subscription().displayName, '-HybridVMHeartBeatAlert')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"identity\": {\r\n \"type\": \"UserAssigned\",\r\n \"userAssignedIdentities\": {\r\n \"[[parameters('UAMIResourceId')]\": {}\r\n }\r\n },\r\n \"tags\": {\r\n \"_deployed_by_amba\": true\r\n },\r\n \"properties\": {\r\n \"displayName\": \"[[concat(subscription().displayName, '-HybridVMHeartBeatAlert')]\",\r\n \"description\": \"Log Alert for Virtual Machine Heartbeat\",\r\n \"severity\": \"[[parameters('severity')]\",\r\n \"enabled\": \"[[parameters('enabled')]\",\r\n \"scopes\": [\r\n \"[[subscription().Id]\"\r\n ],\r\n \"targetResourceTypes\": [\r\n \"Microsoft.HybridCompute/machines\"\r\n ],\r\n \"evaluationFrequency\": \"[[parameters('evaluationFrequency')]\",\r\n \"windowSize\": \"[[parameters('windowSize')]\",\r\n \"criteria\": {\r\n \"allOf\": [\r\n {\r\n \"query\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.HybridCompute/machines\\\" | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); Heartbeat | where _ResourceId has \\\"Microsoft.HybridCompute/machines\\\" | summarize TimeGenerated=max(TimeGenerated) by Computer, _ResourceId | extend Duration = datetime_diff(\\\"minute\\\",now(),TimeGenerated) | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where Duration > appliedThreshold | project TimeGenerated, Computer, _ResourceId, Duration, appliedThreshold', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-Heartbeat-threshold-Override_')]\",\r\n \"threshold\": 0,\r\n \"operator\": \"[[parameters('operator')]\",\r\n \"resourceIdColumn\": \"_ResourceId\",\r\n \"timeAggregation\": \"[[parameters('timeAggregation')]\",\r\n \"dimensions\": [\r\n {\r\n \"name\": \"Computer\",\r\n \"operator\": \"Include\",\r\n \"values\": \"[[parameters('computersToInclude')]\"\r\n }\r\n ],\r\n \"failingPeriods\": {\r\n \"numberOfEvaluationPeriods\": \"[[parameters('evaluationPeriods')]\",\r\n \"minFailingPeriodsToAlert\": \"[[parameters('failingPeriods')]\"\r\n }\r\n }\r\n ]\r\n },\r\n \"autoMitigate\": \"[[parameters('autoMitigate')]\",\r\n \"checkWorkspaceAlertsStorageConfigured\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\",\r\n \"ruleResolveConfiguration\": {\r\n \"autoResolved\": \"[[parameters('autoResolve')]\",\r\n \"timeToResolve\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"computersToInclude\": {\r\n \"value\": \"[[parameters('computersToInclude')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"value\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"operator\": {\r\n \"value\": \"[[parameters('operator')]\"\r\n },\r\n \"timeAggregation\": {\r\n \"value\": \"[[parameters('timeAggregation')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"computersToInclude\": {\r\n \"value\": \"[[parameters('computersToInclude')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n}\r\n", - "$fxv#4": "{\r\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\r\n \"apiVersion\": \"2021-06-01\",\r\n \"name\": \"Deploy_Hybrid_VM_NetworkIn_Alert\",\r\n \"properties\": {\r\n \"policyType\": \"Custom\",\r\n \"mode\": \"All\",\r\n \"displayName\": \"Deploy Hybrid VM Network Read Alert\",\r\n \"description\": \"Policy to audit/deploy Hybrid VM Nework Read Alert\",\r\n \"metadata\": {\r\n \"version\": \"1.5.0\",\r\n \"category\": \"Hybrid Compute\",\r\n \"source\": \"https://github.com/Azure/azure-monitor-baseline-alerts/\",\r\n \"alzCloudEnvironments\": [\r\n \"AzureCloud\"\r\n ],\r\n \"_deployed_by_amba\": \"True\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Name\",\r\n \"description\": \"Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"rg-amba-monitoring-001\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"Object\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Tags\",\r\n \"description\": \"Tags on the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": {\r\n \"Project\": \"amba-monitoring\"\r\n }\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Location\",\r\n \"description\": \"Location of the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"centralus\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\",\r\n \"defaultValue\": \"\",\r\n \"metadata\": {\r\n \"description\": \"The resource Id of the user assigned managed identity.\",\r\n \"displayName\": \"User Assigned managed Identity resource Id.\"\r\n }\r\n },\r\n \"severity\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Severity\",\r\n \"description\": \"Severity of the Alert\"\r\n },\r\n \"allowedValues\": [\r\n \"0\",\r\n \"1\",\r\n \"2\",\r\n \"3\",\r\n \"4\"\r\n ],\r\n \"defaultValue\": \"2\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Operator\"\r\n },\r\n \"allowedValues\": [\r\n \"GreaterThan\"\r\n ],\r\n \"defaultValue\": \"GreaterThan\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"TimeAggregation\"\r\n },\r\n \"allowedValues\": [\r\n \"Count\"\r\n ],\r\n \"defaultValue\": \"Count\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Window Size\",\r\n \"description\": \"Window size for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\",\r\n \"PT6H\",\r\n \"PT12H\",\r\n \"PT24H\"\r\n ],\r\n \"defaultValue\": \"PT15M\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Frequency\",\r\n \"description\": \"Evaluation frequency for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\"\r\n ],\r\n \"defaultValue\": \"PT5M\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Mitigate\",\r\n \"description\": \"Auto Mitigate for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Require a workspace linked storage\",\r\n \"description\": \"Don't create the alert rule if the Log Analytics workspace doesn't have a configured linked storage account (relevant if you're using Customer Managed Keys).\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"false\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve time for the alert in ISO 8601 format\"\r\n },\r\n \"defaultValue\": \"true\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Alert State\",\r\n \"description\": \"Alert state for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Threshold\",\r\n \"description\": \"Threshold for the alert\"\r\n },\r\n \"defaultValue\": \"10000000\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Failing Periods\",\r\n \"description\": \"Number of failing periods before alert is fired\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Periods\",\r\n \"description\": \"The number of aggregated lookback points.\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"computersToInclude\": {\r\n \"type\": \"array\",\r\n \"metadata\": {\r\n \"displayName\": \"Computers to be included to be monitored\",\r\n \"description\": \"Array of Computer to be monitored\"\r\n },\r\n \"defaultValue\": [\r\n \"*\"\r\n ]\r\n },\r\n \"effect\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Effect\",\r\n \"description\": \"Effect of the policy\"\r\n },\r\n \"allowedValues\": [\r\n \"deployIfNotExists\",\r\n \"disabled\"\r\n ],\r\n \"defaultValue\": \"deployIfNotExists\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag name\",\r\n \"description\": \"Tag name to disable monitoring. Set to true if monitoring should be disabled\"\r\n },\r\n \"defaultValue\": \"MonitorDisable\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag values(s)\",\r\n \"description\": \"Tag value(s) used to disable monitoring at the resource level. Set to true if monitoring should be disabled.\"\r\n },\r\n \"defaultValue\": [\r\n \"true\",\r\n \"Test\",\r\n \"Dev\",\r\n \"Sandbox\"\r\n ]\r\n }\r\n },\r\n \"policyRule\": {\r\n \"if\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"type\",\r\n \"equals\": \"Microsoft.HybridCompute/machines\"\r\n },\r\n {\r\n \"field\": \"[[concat('tags[', parameters('MonitorDisableTagName'), ']')]\",\r\n \"notIn\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n ]\r\n },\r\n \"then\": {\r\n \"effect\": \"[[parameters('effect')]\",\r\n \"details\": {\r\n \"roleDefinitionIds\": [\r\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\r\n ],\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"existenceScope\": \"resourceGroup\",\r\n \"resourceGroupName\": \"[[parameters('alertResourceGroupName')]\",\r\n \"deploymentScope\": \"subscription\",\r\n \"existenceCondition\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/displayName\",\r\n \"equals\": \"[[concat(subscription().displayName, '-HybridVMHighNetworkInAlert')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/scopes[*]\",\r\n \"equals\": \"[[subscription().id]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/enabled\",\r\n \"equals\": \"[[parameters('enabled')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/evaluationFrequency\",\r\n \"equals\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/windowSize\",\r\n \"equals\": \"[[parameters('windowSize')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/severity\",\r\n \"equals\": \"[[parameters('severity')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/autoMitigate\",\r\n \"equals\": \"[[parameters('autoMitigate')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/checkWorkspaceAlertsStorageConfigured\",\r\n \"equals\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].operator\",\r\n \"equals\": \"[[parameters('operator')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].timeAggregation\",\r\n \"equals\": \"[[parameters('timeAggregation')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.numberOfEvaluationPeriods\",\r\n \"equals\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.minFailingPeriodsToAlert\",\r\n \"equals\": \"[[parameters('failingPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].query\",\r\n \"equals\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.HybridCompute/machines\\\" | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.HybridCompute/machines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"Network\\\" and Name == \\\"ReadBytesPerSecond\\\" | extend NetworkInterface=tostring(todynamic(Tags)[\\\"vm.azm.ms/networkDeviceId\\\"]) | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, NetworkInterface | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue > appliedThreshold | project TimeGenerated, Computer, _ResourceId, NetworkInterface, AggregatedValue, appliedThreshold' , parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-ReadBytesPerSecond-threshold-Override_')]\"\r\n },\r\n {\r\n \"field\": \"identity.userAssignedIdentities\",\r\n \"containsKey\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n ]\r\n },\r\n \"deployment\": {\r\n \"location\": \"northeurope\",\r\n \"properties\": {\r\n \"mode\": \"incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"object\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n },\r\n \"severity\": {\r\n \"type\": \"String\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"computersToInclude\": {\r\n \"type\": \"array\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Resources/resourceGroups\",\r\n \"apiVersion\": \"2021-04-01\",\r\n \"name\": \"[[parameters('alertResourceGroupName')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"tags\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n {\r\n \"type\": \"Microsoft.Resources/deployments\",\r\n \"apiVersion\": \"2019-10-01\",\r\n \"name\": \"HybridVMVMNetworkInAlert\",\r\n \"resourceGroup\": \"[[parameters('alertResourceGroupName')]\",\r\n \"dependsOn\": [\r\n \"[[concat('Microsoft.Resources/resourceGroups/', parameters('alertResourceGroupName'))]\"\r\n ],\r\n \"properties\": {\r\n \"mode\": \"Incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"apiVersion\": \"2022-08-01-preview\",\r\n \"name\": \"[[concat(subscription().displayName, '-HybridVMHighNetworkInAlert')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"identity\": {\r\n \"type\": \"UserAssigned\",\r\n \"userAssignedIdentities\": {\r\n \"[[parameters('UAMIResourceId')]\": {}\r\n }\r\n },\r\n \"tags\": {\r\n \"_deployed_by_amba\": true\r\n },\r\n \"properties\": {\r\n \"displayName\": \"[[concat(subscription().displayName, '-HybridVMHighNetworkInAlert')]\",\r\n \"description\": \"Log Alert for Virtual Machine NetworkIn\",\r\n \"severity\": \"[[parameters('severity')]\",\r\n \"enabled\": \"[[parameters('enabled')]\",\r\n \"scopes\": [\r\n \"[[subscription().Id]\"\r\n ],\r\n \"targetResourceTypes\": [\r\n \"Microsoft.HybridCompute/machines\"\r\n ],\r\n \"evaluationFrequency\": \"[[parameters('evaluationFrequency')]\",\r\n \"windowSize\": \"[[parameters('windowSize')]\",\r\n \"criteria\": {\r\n \"allOf\": [\r\n {\r\n \"query\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.HybridCompute/machines\\\" | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.HybridCompute/machines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"Network\\\" and Name == \\\"ReadBytesPerSecond\\\" | extend NetworkInterface=tostring(todynamic(Tags)[\\\"vm.azm.ms/networkDeviceId\\\"]) | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, NetworkInterface | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue > appliedThreshold | project TimeGenerated, Computer, _ResourceId, NetworkInterface, AggregatedValue, appliedThreshold' , parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-ReadBytesPerSecond-threshold-Override_')]\",\r\n \"threshold\": 0,\r\n \"operator\": \"[[parameters('operator')]\",\r\n \"resourceIdColumn\": \"_ResourceId\",\r\n \"timeAggregation\": \"[[parameters('timeAggregation')]\",\r\n \"dimensions\": [\r\n {\r\n \"name\": \"Computer\",\r\n \"operator\": \"Include\",\r\n \"values\": \"[[parameters('computersToInclude')]\"\r\n },\r\n {\r\n \"name\": \"NetworkInterface\",\r\n \"operator\": \"Include\",\r\n \"values\": [\r\n \"*\"\r\n ]\r\n }\r\n ],\r\n \"failingPeriods\": {\r\n \"numberOfEvaluationPeriods\": \"[[parameters('evaluationPeriods')]\",\r\n \"minFailingPeriodsToAlert\": \"[[parameters('failingPeriods')]\"\r\n }\r\n }\r\n ]\r\n },\r\n \"autoMitigate\": \"[[parameters('autoMitigate')]\",\r\n \"checkWorkspaceAlertsStorageConfigured\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\",\r\n \"ruleResolveConfiguration\": {\r\n \"autoResolved\": \"[[parameters('autoResolve')]\",\r\n \"timeToResolve\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"computersToInclude\": {\r\n \"value\": \"[[parameters('computersToInclude')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"value\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"operator\": {\r\n \"value\": \"[[parameters('operator')]\"\r\n },\r\n \"timeAggregation\": {\r\n \"value\": \"[[parameters('timeAggregation')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"computersToInclude\": {\r\n \"value\": \"[[parameters('computersToInclude')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n}\r\n", - "$fxv#5": "{\r\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\r\n \"apiVersion\": \"2021-06-01\",\r\n \"name\": \"Deploy_Hybrid_VM_NetworkOut_Alert\",\r\n \"properties\": {\r\n \"policyType\": \"Custom\",\r\n \"mode\": \"All\",\r\n \"displayName\": \"Deploy Hybrid VM Network Write Alert\",\r\n \"description\": \"Policy to audit/deploy Hybrid VM Network Out Alert\",\r\n \"metadata\": {\r\n \"version\": \"1.5.0\",\r\n \"category\": \"Hybrid Compute\",\r\n \"source\": \"https://github.com/Azure/azure-monitor-baseline-alerts/\",\r\n \"alzCloudEnvironments\": [\r\n \"AzureCloud\"\r\n ],\r\n \"_deployed_by_amba\": \"True\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Name\",\r\n \"description\": \"Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"rg-amba-monitoring-001\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"Object\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Tags\",\r\n \"description\": \"Tags on the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": {\r\n \"Project\": \"amba-monitoring\"\r\n }\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Location\",\r\n \"description\": \"Location of the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"centralus\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\",\r\n \"defaultValue\": \"\",\r\n \"metadata\": {\r\n \"description\": \"The resource Id of the user assigned managed identity.\",\r\n \"displayName\": \"User Assigned managed Identity resource Id.\"\r\n }\r\n },\r\n \"severity\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Severity\",\r\n \"description\": \"Severity of the Alert\"\r\n },\r\n \"allowedValues\": [\r\n \"0\",\r\n \"1\",\r\n \"2\",\r\n \"3\",\r\n \"4\"\r\n ],\r\n \"defaultValue\": \"2\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Operator\"\r\n },\r\n \"allowedValues\": [\r\n \"GreaterThan\"\r\n ],\r\n \"defaultValue\": \"GreaterThan\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"TimeAggregation\"\r\n },\r\n \"allowedValues\": [\r\n \"Count\"\r\n ],\r\n \"defaultValue\": \"Count\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Window Size\",\r\n \"description\": \"Window size for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\",\r\n \"PT6H\",\r\n \"PT12H\",\r\n \"PT24H\"\r\n ],\r\n \"defaultValue\": \"PT15M\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Frequency\",\r\n \"description\": \"Evaluation frequency for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\"\r\n ],\r\n \"defaultValue\": \"PT5M\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Mitigate\",\r\n \"description\": \"Auto Mitigate for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Require a workspace linked storage\",\r\n \"description\": \"Don't create the alert rule if the Log Analytics workspace doesn't have a configured linked storage account (relevant if you're using Customer Managed Keys).\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"false\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve time for the alert in ISO 8601 format\"\r\n },\r\n \"defaultValue\": \"true\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Alert State\",\r\n \"description\": \"Alert state for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Threshold\",\r\n \"description\": \"Threshold for the alert\"\r\n },\r\n \"defaultValue\": \"10000000\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Failing Periods\",\r\n \"description\": \"Number of failing periods before alert is fired\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Periods\",\r\n \"description\": \"The number of aggregated lookback points.\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"computersToInclude\": {\r\n \"type\": \"array\",\r\n \"metadata\": {\r\n \"displayName\": \"Computers to be included to be monitored\",\r\n \"description\": \"Array of Computer to be monitored\"\r\n },\r\n \"defaultValue\": [\r\n \"*\"\r\n ]\r\n },\r\n \"effect\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Effect\",\r\n \"description\": \"Effect of the policy\"\r\n },\r\n \"allowedValues\": [\r\n \"deployIfNotExists\",\r\n \"disabled\"\r\n ],\r\n \"defaultValue\": \"deployIfNotExists\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag name\",\r\n \"description\": \"Tag name to disable monitoring. Set to true if monitoring should be disabled\"\r\n },\r\n \"defaultValue\": \"MonitorDisable\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag values(s)\",\r\n \"description\": \"Tag value(s) used to disable monitoring at the resource level. Set to true if monitoring should be disabled.\"\r\n },\r\n \"defaultValue\": [\r\n \"true\",\r\n \"Test\",\r\n \"Dev\",\r\n \"Sandbox\"\r\n ]\r\n }\r\n },\r\n \"policyRule\": {\r\n \"if\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"type\",\r\n \"equals\": \"Microsoft.HybridCompute/machines\"\r\n },\r\n {\r\n \"field\": \"[[concat('tags[', parameters('MonitorDisableTagName'), ']')]\",\r\n \"notIn\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n ]\r\n },\r\n \"then\": {\r\n \"effect\": \"[[parameters('effect')]\",\r\n \"details\": {\r\n \"roleDefinitionIds\": [\r\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\r\n ],\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"existenceScope\": \"resourceGroup\",\r\n \"resourceGroupName\": \"[[parameters('alertResourceGroupName')]\",\r\n \"deploymentScope\": \"subscription\",\r\n \"existenceCondition\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/displayName\",\r\n \"equals\": \"[[concat(subscription().displayName, '-HybridVMHighNetworkOutAlert')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/scopes[*]\",\r\n \"equals\": \"[[subscription().id]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/enabled\",\r\n \"equals\": \"[[parameters('enabled')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/evaluationFrequency\",\r\n \"equals\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/windowSize\",\r\n \"equals\": \"[[parameters('windowSize')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/severity\",\r\n \"equals\": \"[[parameters('severity')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/autoMitigate\",\r\n \"equals\": \"[[parameters('autoMitigate')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/checkWorkspaceAlertsStorageConfigured\",\r\n \"equals\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].operator\",\r\n \"equals\": \"[[parameters('operator')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].timeAggregation\",\r\n \"equals\": \"[[parameters('timeAggregation')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.numberOfEvaluationPeriods\",\r\n \"equals\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.minFailingPeriodsToAlert\",\r\n \"equals\": \"[[parameters('failingPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].query\",\r\n \"equals\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.HybridCompute/machines\\\" | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.HybridCompute/machines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"Network\\\" and Name == \\\"WriteBytesPerSecond\\\" | extend NetworkInterface=tostring(todynamic(Tags)[\\\"vm.azm.ms/networkDeviceId\\\"]) | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, NetworkInterface | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue > appliedThreshold | project TimeGenerated, Computer, _ResourceId, NetworkInterface, AggregatedValue, appliedThreshold' , parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-WriteBytesPerSecond-threshold-Override_')]\"\r\n },\r\n {\r\n \"field\": \"identity.userAssignedIdentities\",\r\n \"containsKey\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n ]\r\n },\r\n \"deployment\": {\r\n \"location\": \"northeurope\",\r\n \"properties\": {\r\n \"mode\": \"incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"object\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n },\r\n \"severity\": {\r\n \"type\": \"String\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"computersToInclude\": {\r\n \"type\": \"array\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Resources/resourceGroups\",\r\n \"apiVersion\": \"2021-04-01\",\r\n \"name\": \"[[parameters('alertResourceGroupName')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"tags\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n {\r\n \"type\": \"Microsoft.Resources/deployments\",\r\n \"apiVersion\": \"2019-10-01\",\r\n \"name\": \"HybridVMVMNetworkOutAlert\",\r\n \"resourceGroup\": \"[[parameters('alertResourceGroupName')]\",\r\n \"dependsOn\": [\r\n \"[[concat('Microsoft.Resources/resourceGroups/', parameters('alertResourceGroupName'))]\"\r\n ],\r\n \"properties\": {\r\n \"mode\": \"Incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"apiVersion\": \"2022-08-01-preview\",\r\n \"name\": \"[[concat(subscription().displayName, '-HybridVMHighNetworkOutAlert')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"identity\": {\r\n \"type\": \"UserAssigned\",\r\n \"userAssignedIdentities\": {\r\n \"[[parameters('UAMIResourceId')]\": {}\r\n }\r\n },\r\n \"tags\": {\r\n \"_deployed_by_amba\": true\r\n },\r\n \"properties\": {\r\n \"displayName\": \"[[concat(subscription().displayName, '-HybridVMHighNetworkOutAlert')]\",\r\n \"description\": \"Log Alert for Virtual Machine NetworkOut\",\r\n \"severity\": \"[[parameters('severity')]\",\r\n \"enabled\": \"[[parameters('enabled')]\",\r\n \"scopes\": [\r\n \"[[subscription().Id]\"\r\n ],\r\n \"targetResourceTypes\": [\r\n \"Microsoft.HybridCompute/machines\"\r\n ],\r\n \"evaluationFrequency\": \"[[parameters('evaluationFrequency')]\",\r\n \"windowSize\": \"[[parameters('windowSize')]\",\r\n \"criteria\": {\r\n \"allOf\": [\r\n {\r\n \"query\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.HybridCompute/machines\\\" | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.HybridCompute/machines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"Network\\\" and Name == \\\"WriteBytesPerSecond\\\" | extend NetworkInterface=tostring(todynamic(Tags)[\\\"vm.azm.ms/networkDeviceId\\\"]) | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, NetworkInterface | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue > appliedThreshold | project TimeGenerated, Computer, _ResourceId, NetworkInterface, AggregatedValue, appliedThreshold' , parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-WriteBytesPerSecond-threshold-Override_')]\",\r\n \"threshold\": 0,\r\n \"operator\": \"[[parameters('operator')]\",\r\n \"resourceIdColumn\": \"_ResourceId\",\r\n \"timeAggregation\": \"[[parameters('timeAggregation')]\",\r\n \"dimensions\": [\r\n {\r\n \"name\": \"Computer\",\r\n \"operator\": \"Include\",\r\n \"values\": \"[[parameters('computersToInclude')]\"\r\n },\r\n {\r\n \"name\": \"NetworkInterface\",\r\n \"operator\": \"Include\",\r\n \"values\": [\r\n \"*\"\r\n ]\r\n }\r\n ],\r\n \"failingPeriods\": {\r\n \"numberOfEvaluationPeriods\": \"[[parameters('evaluationPeriods')]\",\r\n \"minFailingPeriodsToAlert\": \"[[parameters('failingPeriods')]\"\r\n }\r\n }\r\n ]\r\n },\r\n \"autoMitigate\": \"[[parameters('autoMitigate')]\",\r\n \"checkWorkspaceAlertsStorageConfigured\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\",\r\n \"ruleResolveConfiguration\": {\r\n \"autoResolved\": \"[[parameters('autoResolve')]\",\r\n \"timeToResolve\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"computersToInclude\": {\r\n \"value\": \"[[parameters('computersToInclude')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"value\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"operator\": {\r\n \"value\": \"[[parameters('operator')]\"\r\n },\r\n \"timeAggregation\": {\r\n \"value\": \"[[parameters('timeAggregation')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"computersToInclude\": {\r\n \"value\": \"[[parameters('computersToInclude')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n}\r\n", - "$fxv#6": "{\r\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\r\n \"apiVersion\": \"2021-06-01\",\r\n \"name\": \"Deploy_Hybrid_VM_OSDiskreadLatency_Alert\",\r\n \"properties\": {\r\n \"policyType\": \"Custom\",\r\n \"mode\": \"All\",\r\n \"displayName\": \"Deploy Hybrid VM OS Disk Read Latency Alert\",\r\n \"description\": \"Policy to audit/deploy Hybrid VM OS Disk Read Latency Alert\",\r\n \"metadata\": {\r\n \"version\": \"1.6.0\",\r\n \"category\": \"Hybrid Compute\",\r\n \"source\": \"https://github.com/Azure/azure-monitor-baseline-alerts/\",\r\n \"alzCloudEnvironments\": [\r\n \"AzureCloud\"\r\n ],\r\n \"_deployed_by_amba\": \"True\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Name\",\r\n \"description\": \"Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"rg-amba-monitoring-001\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"Object\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Tags\",\r\n \"description\": \"Tags on the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": {\r\n \"Project\": \"amba-monitoring\"\r\n }\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Location\",\r\n \"description\": \"Location of the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"centralus\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\",\r\n \"defaultValue\": \"\",\r\n \"metadata\": {\r\n \"description\": \"The resource Id of the user assigned managed identity.\",\r\n \"displayName\": \"User Assigned managed Identity resource Id.\"\r\n }\r\n },\r\n \"severity\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Severity\",\r\n \"description\": \"Severity of the Alert\"\r\n },\r\n \"allowedValues\": [\r\n \"0\",\r\n \"1\",\r\n \"2\",\r\n \"3\",\r\n \"4\"\r\n ],\r\n \"defaultValue\": \"2\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Operator\"\r\n },\r\n \"allowedValues\": [\r\n \"GreaterThan\"\r\n ],\r\n \"defaultValue\": \"GreaterThan\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"TimeAggregation\"\r\n },\r\n \"allowedValues\": [\r\n \"Count\"\r\n ],\r\n \"defaultValue\": \"Count\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Window Size\",\r\n \"description\": \"Window size for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\",\r\n \"PT6H\",\r\n \"PT12H\",\r\n \"PT24H\"\r\n ],\r\n \"defaultValue\": \"PT15M\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Frequency\",\r\n \"description\": \"Evaluation frequency for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\"\r\n ],\r\n \"defaultValue\": \"PT5M\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Mitigate\",\r\n \"description\": \"Auto Mitigate for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Require a workspace linked storage\",\r\n \"description\": \"Don't create the alert rule if the Log Analytics workspace doesn't have a configured linked storage account (relevant if you're using Customer Managed Keys).\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"false\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve time for the alert in ISO 8601 format\"\r\n },\r\n \"defaultValue\": \"true\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Alert State\",\r\n \"description\": \"Alert state for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Threshold\",\r\n \"description\": \"Threshold for the alert\"\r\n },\r\n \"defaultValue\": \"30\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Failing Periods\",\r\n \"description\": \"Number of failing periods before alert is fired\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Periods\",\r\n \"description\": \"The number of aggregated lookback points.\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"computersToInclude\": {\r\n \"type\": \"array\",\r\n \"metadata\": {\r\n \"displayName\": \"Computers to be included to be monitored\",\r\n \"description\": \"Array of Computer to be monitored\"\r\n },\r\n \"defaultValue\": [\r\n \"*\"\r\n ]\r\n },\r\n \"effect\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Effect\",\r\n \"description\": \"Effect of the policy\"\r\n },\r\n \"allowedValues\": [\r\n \"deployIfNotExists\",\r\n \"disabled\"\r\n ],\r\n \"defaultValue\": \"deployIfNotExists\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag name\",\r\n \"description\": \"Tag name to disable monitoring. Set to true if monitoring should be disabled\"\r\n },\r\n \"defaultValue\": \"MonitorDisable\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag values(s)\",\r\n \"description\": \"Tag value(s) used to disable monitoring at the resource level. Set to true if monitoring should be disabled.\"\r\n },\r\n \"defaultValue\": [\r\n \"true\",\r\n \"Test\",\r\n \"Dev\",\r\n \"Sandbox\"\r\n ]\r\n }\r\n },\r\n \"policyRule\": {\r\n \"if\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"type\",\r\n \"equals\": \"Microsoft.HybridCompute/machines\"\r\n },\r\n {\r\n \"field\": \"[[concat('tags[', parameters('MonitorDisableTagName'), ']')]\",\r\n \"notIn\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n ]\r\n },\r\n \"then\": {\r\n \"effect\": \"[[parameters('effect')]\",\r\n \"details\": {\r\n \"roleDefinitionIds\": [\r\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\r\n ],\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"existenceScope\": \"resourceGroup\",\r\n \"resourceGroupName\": \"[[parameters('alertResourceGroupName')]\",\r\n \"deploymentScope\": \"subscription\",\r\n \"existenceCondition\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/displayName\",\r\n \"equals\": \"[[concat(subscription().displayName, '-HybridVMHighOSDiskReadLatencyAlert')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/scopes[*]\",\r\n \"equals\": \"[[subscription().id]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/enabled\",\r\n \"equals\": \"[[parameters('enabled')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/evaluationFrequency\",\r\n \"equals\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/windowSize\",\r\n \"equals\": \"[[parameters('windowSize')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/severity\",\r\n \"equals\": \"[[parameters('severity')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/autoMitigate\",\r\n \"equals\": \"[[parameters('autoMitigate')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/checkWorkspaceAlertsStorageConfigured\",\r\n \"equals\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].operator\",\r\n \"equals\": \"[[parameters('operator')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].timeAggregation\",\r\n \"equals\": \"[[parameters('timeAggregation')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.numberOfEvaluationPeriods\",\r\n \"equals\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.minFailingPeriodsToAlert\",\r\n \"equals\": \"[[parameters('failingPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].query\",\r\n \"equals\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.HybridCompute/machines\\\" | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.HybridCompute/machines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"LogicalDisk\\\" and Name == \\\"ReadLatencyMs\\\" | extend Disk=tostring(todynamic(Tags)[\\\"vm.azm.ms/mountId\\\"]) | where Disk in (\\\"C:\\\", \\\"/\\\") | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, Disk | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend excludedLogicalVolumes = iif(isnotempty(resourceTags.[\\\"{4}\\\"]),resourceTags.[\\\"{4}\\\"], \\\"No logical volumes excluded\\\") | where excludedLogicalVolumes !has Disk | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue > appliedThreshold | project TimeGenerated, Computer, _ResourceId, Disk, AggregatedValue, appliedThreshold, excludedLogicalVolumes', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-ReadLatencyMs-OS-threshold-Override_', '_amba-ExcludedLogicalVolumes-ReadLatency_')]\"\r\n },\r\n {\r\n \"field\": \"identity.userAssignedIdentities\",\r\n \"containsKey\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n ]\r\n },\r\n \"deployment\": {\r\n \"location\": \"northeurope\",\r\n \"properties\": {\r\n \"mode\": \"incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"object\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n },\r\n \"severity\": {\r\n \"type\": \"String\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"computersToInclude\": {\r\n \"type\": \"array\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Resources/resourceGroups\",\r\n \"apiVersion\": \"2021-04-01\",\r\n \"name\": \"[[parameters('alertResourceGroupName')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"tags\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n {\r\n \"type\": \"Microsoft.Resources/deployments\",\r\n \"apiVersion\": \"2019-10-01\",\r\n \"name\": \"HybridVMOSDiskreadLatencyAlert\",\r\n \"resourceGroup\": \"[[parameters('alertResourceGroupName')]\",\r\n \"dependsOn\": [\r\n \"[[concat('Microsoft.Resources/resourceGroups/', parameters('alertResourceGroupName'))]\"\r\n ],\r\n \"properties\": {\r\n \"mode\": \"Incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"apiVersion\": \"2022-08-01-preview\",\r\n \"name\": \"[[concat(subscription().displayName, '-HybridVMHighOSDiskReadLatencyAlert')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"identity\": {\r\n \"type\": \"UserAssigned\",\r\n \"userAssignedIdentities\": {\r\n \"[[parameters('UAMIResourceId')]\": {}\r\n }\r\n },\r\n \"tags\": {\r\n \"_deployed_by_amba\": true\r\n },\r\n \"properties\": {\r\n \"displayName\": \"[[concat(subscription().displayName, '-HybridVMHighOSDiskReadLatencyAlert')]\",\r\n \"description\": \"Log Alert for Virtual Machine OSDiskreadLatency\",\r\n \"severity\": \"[[parameters('severity')]\",\r\n \"enabled\": \"[[parameters('enabled')]\",\r\n \"scopes\": [\r\n \"[[subscription().Id]\"\r\n ],\r\n \"targetResourceTypes\": [\r\n \"Microsoft.HybridCompute/machines\"\r\n ],\r\n \"evaluationFrequency\": \"[[parameters('evaluationFrequency')]\",\r\n \"windowSize\": \"[[parameters('windowSize')]\",\r\n \"criteria\": {\r\n \"allOf\": [\r\n {\r\n \"query\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.HybridCompute/machines\\\" | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.HybridCompute/machines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"LogicalDisk\\\" and Name == \\\"ReadLatencyMs\\\" | extend Disk=tostring(todynamic(Tags)[\\\"vm.azm.ms/mountId\\\"]) | where Disk in (\\\"C:\\\", \\\"/\\\") | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, Disk | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend excludedLogicalVolumes = iif(isnotempty(resourceTags.[\\\"{4}\\\"]),resourceTags.[\\\"{4}\\\"], \\\"No logical volumes excluded\\\") | where excludedLogicalVolumes !has Disk | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue > appliedThreshold | project TimeGenerated, Computer, _ResourceId, Disk, AggregatedValue, appliedThreshold, excludedLogicalVolumes', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-ReadLatencyMs-OS-threshold-Override_', '_amba-ExcludedLogicalVolumes-ReadLatency_')]\",\r\n \"threshold\": 0,\r\n \"operator\": \"[[parameters('operator')]\",\r\n \"resourceIdColumn\": \"_ResourceId\",\r\n \"timeAggregation\": \"[[parameters('timeAggregation')]\",\r\n \"dimensions\": [\r\n {\r\n \"name\": \"Computer\",\r\n \"operator\": \"Include\",\r\n \"values\": \"[[parameters('computersToInclude')]\"\r\n },\r\n {\r\n \"name\": \"Disk\",\r\n \"operator\": \"Include\",\r\n \"values\": [\r\n \"*\"\r\n ]\r\n }\r\n ],\r\n \"failingPeriods\": {\r\n \"numberOfEvaluationPeriods\": \"[[parameters('evaluationPeriods')]\",\r\n \"minFailingPeriodsToAlert\": \"[[parameters('failingPeriods')]\"\r\n }\r\n }\r\n ]\r\n },\r\n \"autoMitigate\": \"[[parameters('autoMitigate')]\",\r\n \"checkWorkspaceAlertsStorageConfigured\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\",\r\n \"ruleResolveConfiguration\": {\r\n \"autoResolved\": \"[[parameters('autoResolve')]\",\r\n \"timeToResolve\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"computersToInclude\": {\r\n \"value\": \"[[parameters('computersToInclude')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"value\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"operator\": {\r\n \"value\": \"[[parameters('operator')]\"\r\n },\r\n \"timeAggregation\": {\r\n \"value\": \"[[parameters('timeAggregation')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"computersToInclude\": {\r\n \"value\": \"[[parameters('computersToInclude')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n}\r\n", - "$fxv#7": "{\r\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\r\n \"apiVersion\": \"2021-06-01\",\r\n \"name\": \"Deploy_Hybrid_VM_OSDiskSpace_Alert\",\r\n \"properties\": {\r\n \"policyType\": \"Custom\",\r\n \"mode\": \"All\",\r\n \"displayName\": \"Deploy Hybrid VM OS Disk Space Alert\",\r\n \"description\": \"Policy to audit/deploy Hybrid VM OS Disk Space Alert\",\r\n \"metadata\": {\r\n \"version\": \"1.6.0\",\r\n \"category\": \"Hybrid Compute\",\r\n \"source\": \"https://github.com/Azure/azure-monitor-baseline-alerts/\",\r\n \"alzCloudEnvironments\": [\r\n \"AzureCloud\"\r\n ],\r\n \"_deployed_by_amba\": \"True\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Name\",\r\n \"description\": \"Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"rg-amba-monitoring-001\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"Object\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Tags\",\r\n \"description\": \"Tags on the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": {\r\n \"Project\": \"amba-monitoring\"\r\n }\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Location\",\r\n \"description\": \"Location of the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"centralus\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\",\r\n \"defaultValue\": \"\",\r\n \"metadata\": {\r\n \"description\": \"The resource Id of the user assigned managed identity.\",\r\n \"displayName\": \"User Assigned managed Identity resource Id.\"\r\n }\r\n },\r\n \"severity\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Severity\",\r\n \"description\": \"Severity of the Alert\"\r\n },\r\n \"allowedValues\": [\r\n \"0\",\r\n \"1\",\r\n \"2\",\r\n \"3\",\r\n \"4\"\r\n ],\r\n \"defaultValue\": \"2\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Operator\"\r\n },\r\n \"allowedValues\": [\r\n \"GreaterThan\"\r\n ],\r\n \"defaultValue\": \"GreaterThan\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"TimeAggregation\"\r\n },\r\n \"allowedValues\": [\r\n \"Count\"\r\n ],\r\n \"defaultValue\": \"Count\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Window Size\",\r\n \"description\": \"Window size for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\",\r\n \"PT6H\",\r\n \"PT12H\",\r\n \"PT24H\"\r\n ],\r\n \"defaultValue\": \"PT15M\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Frequency\",\r\n \"description\": \"Evaluation frequency for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\"\r\n ],\r\n \"defaultValue\": \"PT5M\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Mitigate\",\r\n \"description\": \"Auto Mitigate for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Require a workspace linked storage\",\r\n \"description\": \"Don't create the alert rule if the Log Analytics workspace doesn't have a configured linked storage account (relevant if you're using Customer Managed Keys).\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"false\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve time for the alert in ISO 8601 format\"\r\n },\r\n \"defaultValue\": \"true\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Alert State\",\r\n \"description\": \"Alert state for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Threshold\",\r\n \"description\": \"Threshold for the alert\"\r\n },\r\n \"defaultValue\": \"10\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Failing Periods\",\r\n \"description\": \"Number of failing periods before alert is fired\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Periods\",\r\n \"description\": \"The number of aggregated lookback points.\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"computersToInclude\": {\r\n \"type\": \"array\",\r\n \"metadata\": {\r\n \"displayName\": \"Computers to be included to be monitored\",\r\n \"description\": \"Array of Computer to be monitored\"\r\n },\r\n \"defaultValue\": [\r\n \"*\"\r\n ]\r\n },\r\n \"effect\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Effect\",\r\n \"description\": \"Effect of the policy\"\r\n },\r\n \"allowedValues\": [\r\n \"deployIfNotExists\",\r\n \"disabled\"\r\n ],\r\n \"defaultValue\": \"deployIfNotExists\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag name\",\r\n \"description\": \"Tag name to disable monitoring. Set to true if monitoring should be disabled\"\r\n },\r\n \"defaultValue\": \"MonitorDisable\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag values(s)\",\r\n \"description\": \"Tag value(s) used to disable monitoring at the resource level. Set to true if monitoring should be disabled.\"\r\n },\r\n \"defaultValue\": [\r\n \"true\",\r\n \"Test\",\r\n \"Dev\",\r\n \"Sandbox\"\r\n ]\r\n }\r\n },\r\n \"policyRule\": {\r\n \"if\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"type\",\r\n \"equals\": \"Microsoft.HybridCompute/machines\"\r\n },\r\n {\r\n \"field\": \"[[concat('tags[', parameters('MonitorDisableTagName'), ']')]\",\r\n \"notIn\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n ]\r\n },\r\n \"then\": {\r\n \"effect\": \"[[parameters('effect')]\",\r\n \"details\": {\r\n \"roleDefinitionIds\": [\r\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\r\n ],\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"existenceScope\": \"resourceGroup\",\r\n \"resourceGroupName\": \"[[parameters('alertResourceGroupName')]\",\r\n \"deploymentScope\": \"subscription\",\r\n \"existenceCondition\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/displayName\",\r\n \"equals\": \"[[concat(subscription().displayName, '-HybridVMLowOSDiskSpaceAlert')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/scopes[*]\",\r\n \"equals\": \"[[subscription().id]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/enabled\",\r\n \"equals\": \"[[parameters('enabled')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/evaluationFrequency\",\r\n \"equals\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/windowSize\",\r\n \"equals\": \"[[parameters('windowSize')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/severity\",\r\n \"equals\": \"[[parameters('severity')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/autoMitigate\",\r\n \"equals\": \"[[parameters('autoMitigate')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/checkWorkspaceAlertsStorageConfigured\",\r\n \"equals\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].operator\",\r\n \"equals\": \"[[parameters('operator')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].timeAggregation\",\r\n \"equals\": \"[[parameters('timeAggregation')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.numberOfEvaluationPeriods\",\r\n \"equals\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.minFailingPeriodsToAlert\",\r\n \"equals\": \"[[parameters('failingPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].query\",\r\n \"equals\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.HybridCompute/machines\\\" | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.HybridCompute/machines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"LogicalDisk\\\" and Name == \\\"FreeSpacePercentage\\\" | extend Disk=tostring(todynamic(Tags)[\\\"vm.azm.ms/mountId\\\"]) | where Disk in (\\\"C:\\\", \\\"/\\\") | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, Disk | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend excludedLogicalVolumes = iif(isnotempty(resourceTags.[\\\"{4}\\\"]),resourceTags.[\\\"{4}\\\"], \\\"No logical volumes excluded\\\") | where excludedLogicalVolumes !has Disk | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue < appliedThreshold | project TimeGenerated, Computer, _ResourceId, Disk, AggregatedValue, appliedThreshold, excludedLogicalVolumes', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-FreeSpacePercentage-OS-threshold-Override_', '_amba-ExcludedLogicalVolumes-DiskSpace_')]\"\r\n },\r\n {\r\n \"field\": \"identity.userAssignedIdentities\",\r\n \"containsKey\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n ]\r\n },\r\n \"deployment\": {\r\n \"location\": \"northeurope\",\r\n \"properties\": {\r\n \"mode\": \"incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"object\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n },\r\n \"severity\": {\r\n \"type\": \"String\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"computersToInclude\": {\r\n \"type\": \"array\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Resources/resourceGroups\",\r\n \"apiVersion\": \"2021-04-01\",\r\n \"name\": \"[[parameters('alertResourceGroupName')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"tags\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n {\r\n \"type\": \"Microsoft.Resources/deployments\",\r\n \"apiVersion\": \"2019-10-01\",\r\n \"name\": \"HybridVMOSDiskSpaceAlert\",\r\n \"resourceGroup\": \"[[parameters('alertResourceGroupName')]\",\r\n \"dependsOn\": [\r\n \"[[concat('Microsoft.Resources/resourceGroups/', parameters('alertResourceGroupName'))]\"\r\n ],\r\n \"properties\": {\r\n \"mode\": \"Incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"apiVersion\": \"2022-08-01-preview\",\r\n \"name\": \"[[concat(subscription().displayName, '-HybridVMLowOSDiskSpaceAlert')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"identity\": {\r\n \"type\": \"UserAssigned\",\r\n \"userAssignedIdentities\": {\r\n \"[[parameters('UAMIResourceId')]\": {}\r\n }\r\n },\r\n \"tags\": {\r\n \"_deployed_by_amba\": true\r\n },\r\n \"properties\": {\r\n \"displayName\": \"[[concat(subscription().displayName, '-HybridVMLowOSDiskSpaceAlert')]\",\r\n \"description\": \"Log Alert for Virtual Machine OSDiskSpace\",\r\n \"severity\": \"[[parameters('severity')]\",\r\n \"enabled\": \"[[parameters('enabled')]\",\r\n \"scopes\": [\r\n \"[[subscription().Id]\"\r\n ],\r\n \"targetResourceTypes\": [\r\n \"Microsoft.HybridCompute/machines\"\r\n ],\r\n \"evaluationFrequency\": \"[[parameters('evaluationFrequency')]\",\r\n \"windowSize\": \"[[parameters('windowSize')]\",\r\n \"criteria\": {\r\n \"allOf\": [\r\n {\r\n \"query\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.HybridCompute/machines\\\" | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.HybridCompute/machines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"LogicalDisk\\\" and Name == \\\"FreeSpacePercentage\\\" | extend Disk=tostring(todynamic(Tags)[\\\"vm.azm.ms/mountId\\\"]) | where Disk in (\\\"C:\\\", \\\"/\\\") | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, Disk | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend excludedLogicalVolumes = iif(isnotempty(resourceTags.[\\\"{4}\\\"]),resourceTags.[\\\"{4}\\\"], \\\"No logical volumes excluded\\\") | where excludedLogicalVolumes !has Disk | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue < appliedThreshold | project TimeGenerated, Computer, _ResourceId, Disk, AggregatedValue, appliedThreshold, excludedLogicalVolumes', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-FreeSpacePercentage-OS-threshold-Override_', '_amba-ExcludedLogicalVolumes-DiskSpace_')]\",\r\n \"threshold\": 0,\r\n \"operator\": \"[[parameters('operator')]\",\r\n \"resourceIdColumn\": \"_ResourceId\",\r\n \"timeAggregation\": \"[[parameters('timeAggregation')]\",\r\n \"dimensions\": [\r\n {\r\n \"name\": \"Computer\",\r\n \"operator\": \"Include\",\r\n \"values\": \"[[parameters('computersToInclude')]\"\r\n },\r\n {\r\n \"name\": \"Disk\",\r\n \"operator\": \"Include\",\r\n \"values\": [\r\n \"*\"\r\n ]\r\n }\r\n ],\r\n \"failingPeriods\": {\r\n \"numberOfEvaluationPeriods\": \"[[parameters('evaluationPeriods')]\",\r\n \"minFailingPeriodsToAlert\": \"[[parameters('failingPeriods')]\"\r\n }\r\n }\r\n ]\r\n },\r\n \"autoMitigate\": \"[[parameters('autoMitigate')]\",\r\n \"checkWorkspaceAlertsStorageConfigured\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\",\r\n \"ruleResolveConfiguration\": {\r\n \"autoResolved\": \"[[parameters('autoResolve')]\",\r\n \"timeToResolve\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"computersToInclude\": {\r\n \"value\": \"[[parameters('computersToInclude')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"value\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"operator\": {\r\n \"value\": \"[[parameters('operator')]\"\r\n },\r\n \"timeAggregation\": {\r\n \"value\": \"[[parameters('timeAggregation')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"computersToInclude\": {\r\n \"value\": \"[[parameters('computersToInclude')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n}\r\n", - "$fxv#8": "{\r\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\r\n \"apiVersion\": \"2021-06-01\",\r\n \"name\": \"Deploy_Hybrid_VM_OSDiskwriteLatency_Alert\",\r\n \"properties\": {\r\n \"policyType\": \"Custom\",\r\n \"mode\": \"All\",\r\n \"displayName\": \"Deploy Hybrid VM OS Disk Write Latency Alert\",\r\n \"description\": \"Policy to audit/deploy Hybrid VM OS Disk Write Latency Alert\",\r\n \"metadata\": {\r\n \"version\": \"1.6.0\",\r\n \"category\": \"Hybrid Compute\",\r\n \"source\": \"https://github.com/Azure/azure-monitor-baseline-alerts/\",\r\n \"alzCloudEnvironments\": [\r\n \"AzureCloud\"\r\n ],\r\n \"_deployed_by_amba\": \"True\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Name\",\r\n \"description\": \"Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"rg-amba-monitoring-001\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"Object\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Tags\",\r\n \"description\": \"Tags on the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": {\r\n \"Project\": \"amba-monitoring\"\r\n }\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Location\",\r\n \"description\": \"Location of the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"centralus\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\",\r\n \"defaultValue\": \"\",\r\n \"metadata\": {\r\n \"description\": \"The resource Id of the user assigned managed identity.\",\r\n \"displayName\": \"User Assigned managed Identity resource Id.\"\r\n }\r\n },\r\n \"severity\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Severity\",\r\n \"description\": \"Severity of the Alert\"\r\n },\r\n \"allowedValues\": [\r\n \"0\",\r\n \"1\",\r\n \"2\",\r\n \"3\",\r\n \"4\"\r\n ],\r\n \"defaultValue\": \"2\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Operator\"\r\n },\r\n \"allowedValues\": [\r\n \"GreaterThan\"\r\n ],\r\n \"defaultValue\": \"GreaterThan\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"TimeAggregation\"\r\n },\r\n \"allowedValues\": [\r\n \"Count\"\r\n ],\r\n \"defaultValue\": \"Count\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Window Size\",\r\n \"description\": \"Window size for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\",\r\n \"PT6H\",\r\n \"PT12H\",\r\n \"PT24H\"\r\n ],\r\n \"defaultValue\": \"PT15M\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Frequency\",\r\n \"description\": \"Evaluation frequency for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\"\r\n ],\r\n \"defaultValue\": \"PT5M\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Mitigate\",\r\n \"description\": \"Auto Mitigate for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Require a workspace linked storage\",\r\n \"description\": \"Don't create the alert rule if the Log Analytics workspace doesn't have a configured linked storage account (relevant if you're using Customer Managed Keys).\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"false\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve time for the alert in ISO 8601 format\"\r\n },\r\n \"defaultValue\": \"true\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Alert State\",\r\n \"description\": \"Alert state for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Threshold\",\r\n \"description\": \"Threshold for the alert\"\r\n },\r\n \"defaultValue\": \"30\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Failing Periods\",\r\n \"description\": \"Number of failing periods before alert is fired\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Periods\",\r\n \"description\": \"The number of aggregated lookback points.\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"computersToInclude\": {\r\n \"type\": \"array\",\r\n \"metadata\": {\r\n \"displayName\": \"Computers to be included to be monitored\",\r\n \"description\": \"Array of Computer to be monitored\"\r\n },\r\n \"defaultValue\": [\r\n \"*\"\r\n ]\r\n },\r\n \"effect\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Effect\",\r\n \"description\": \"Effect of the policy\"\r\n },\r\n \"allowedValues\": [\r\n \"deployIfNotExists\",\r\n \"disabled\"\r\n ],\r\n \"defaultValue\": \"deployIfNotExists\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag name\",\r\n \"description\": \"Tag name to disable monitoring. Set to true if monitoring should be disabled\"\r\n },\r\n \"defaultValue\": \"MonitorDisable\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag values(s)\",\r\n \"description\": \"Tag value(s) used to disable monitoring at the resource level. Set to true if monitoring should be disabled.\"\r\n },\r\n \"defaultValue\": [\r\n \"true\",\r\n \"Test\",\r\n \"Dev\",\r\n \"Sandbox\"\r\n ]\r\n }\r\n },\r\n \"policyRule\": {\r\n \"if\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"type\",\r\n \"equals\": \"Microsoft.HybridCompute/machines\"\r\n },\r\n {\r\n \"field\": \"[[concat('tags[', parameters('MonitorDisableTagName'), ']')]\",\r\n \"notIn\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n ]\r\n },\r\n \"then\": {\r\n \"effect\": \"[[parameters('effect')]\",\r\n \"details\": {\r\n \"roleDefinitionIds\": [\r\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\r\n ],\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"existenceScope\": \"resourceGroup\",\r\n \"resourceGroupName\": \"[[parameters('alertResourceGroupName')]\",\r\n \"deploymentScope\": \"subscription\",\r\n \"existenceCondition\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/displayName\",\r\n \"equals\": \"[[concat(subscription().displayName, '-HybridVMHighOSDiskWriteLatencyAlert')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/scopes[*]\",\r\n \"equals\": \"[[subscription().id]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/enabled\",\r\n \"equals\": \"[[parameters('enabled')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/evaluationFrequency\",\r\n \"equals\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/windowSize\",\r\n \"equals\": \"[[parameters('windowSize')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/severity\",\r\n \"equals\": \"[[parameters('severity')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/autoMitigate\",\r\n \"equals\": \"[[parameters('autoMitigate')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/checkWorkspaceAlertsStorageConfigured\",\r\n \"equals\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].operator\",\r\n \"equals\": \"[[parameters('operator')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].timeAggregation\",\r\n \"equals\": \"[[parameters('timeAggregation')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.numberOfEvaluationPeriods\",\r\n \"equals\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.minFailingPeriodsToAlert\",\r\n \"equals\": \"[[parameters('failingPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].query\",\r\n \"equals\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.HybridCompute/machines\\\" | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.HybridCompute/machines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"LogicalDisk\\\" and Name == \\\"WriteLatencyMs\\\" | extend Disk=tostring(todynamic(Tags)[\\\"vm.azm.ms/mountId\\\"]) | where Disk in (\\\"C:\\\", \\\"/\\\") | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, Disk | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend excludedLogicalVolumes = iif(isnotempty(resourceTags.[\\\"{4}\\\"]),resourceTags.[\\\"{4}\\\"], \\\"No logical volumes excluded\\\") | where excludedLogicalVolumes !has Disk | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue > appliedThreshold | project TimeGenerated, Computer, _ResourceId, Disk, AggregatedValue, appliedThreshold, excludedLogicalVolumes', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-WriteLatencyMs-OS-threshold-Override_', '_amba-ExcludedLogicalVolumes-WriteLatency_')]\"\r\n },\r\n {\r\n \"field\": \"identity.userAssignedIdentities\",\r\n \"containsKey\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n ]\r\n },\r\n \"deployment\": {\r\n \"location\": \"northeurope\",\r\n \"properties\": {\r\n \"mode\": \"incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"object\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n },\r\n \"severity\": {\r\n \"type\": \"String\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"computersToInclude\": {\r\n \"type\": \"array\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Resources/resourceGroups\",\r\n \"apiVersion\": \"2021-04-01\",\r\n \"name\": \"[[parameters('alertResourceGroupName')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"tags\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n {\r\n \"type\": \"Microsoft.Resources/deployments\",\r\n \"apiVersion\": \"2019-10-01\",\r\n \"name\": \"HybridVMOSDiskwriteLatencyAlert\",\r\n \"resourceGroup\": \"[[parameters('alertResourceGroupName')]\",\r\n \"dependsOn\": [\r\n \"[[concat('Microsoft.Resources/resourceGroups/', parameters('alertResourceGroupName'))]\"\r\n ],\r\n \"properties\": {\r\n \"mode\": \"Incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"apiVersion\": \"2022-08-01-preview\",\r\n \"name\": \"[[concat(subscription().displayName, '-HybridVMHighOSDiskWriteLatencyAlert')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"identity\": {\r\n \"type\": \"UserAssigned\",\r\n \"userAssignedIdentities\": {\r\n \"[[parameters('UAMIResourceId')]\": {}\r\n }\r\n },\r\n \"tags\": {\r\n \"_deployed_by_amba\": true\r\n },\r\n \"properties\": {\r\n \"displayName\": \"[[concat(subscription().displayName, '-HybridVMHighOSDiskWriteLatencyAlert')]\",\r\n \"description\": \"Log Alert for Virtual Machine OSDiskwriteLatency\",\r\n \"severity\": \"[[parameters('severity')]\",\r\n \"enabled\": \"[[parameters('enabled')]\",\r\n \"scopes\": [\r\n \"[[subscription().Id]\"\r\n ],\r\n \"targetResourceTypes\": [\r\n \"Microsoft.HybridCompute/machines\"\r\n ],\r\n \"evaluationFrequency\": \"[[parameters('evaluationFrequency')]\",\r\n \"windowSize\": \"[[parameters('windowSize')]\",\r\n \"criteria\": {\r\n \"allOf\": [\r\n {\r\n \"query\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.HybridCompute/machines\\\" | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.HybridCompute/machines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"LogicalDisk\\\" and Name == \\\"WriteLatencyMs\\\" | extend Disk=tostring(todynamic(Tags)[\\\"vm.azm.ms/mountId\\\"]) | where Disk in (\\\"C:\\\", \\\"/\\\") | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, Disk | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend excludedLogicalVolumes = iif(isnotempty(resourceTags.[\\\"{4}\\\"]),resourceTags.[\\\"{4}\\\"], \\\"No logical volumes excluded\\\") | where excludedLogicalVolumes !has Disk | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue > appliedThreshold | project TimeGenerated, Computer, _ResourceId, Disk, AggregatedValue, appliedThreshold, excludedLogicalVolumes', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-WriteLatencyMs-OS-threshold-Override_', '_amba-ExcludedLogicalVolumes-WriteLatency_')]\",\r\n \"threshold\": 0,\r\n \"operator\": \"[[parameters('operator')]\",\r\n \"resourceIdColumn\": \"_ResourceId\",\r\n \"timeAggregation\": \"[[parameters('timeAggregation')]\",\r\n \"dimensions\": [\r\n {\r\n \"name\": \"Computer\",\r\n \"operator\": \"Include\",\r\n \"values\": \"[[parameters('computersToInclude')]\"\r\n },\r\n {\r\n \"name\": \"Disk\",\r\n \"operator\": \"Include\",\r\n \"values\": [\r\n \"*\"\r\n ]\r\n }\r\n ],\r\n \"failingPeriods\": {\r\n \"numberOfEvaluationPeriods\": \"[[parameters('evaluationPeriods')]\",\r\n \"minFailingPeriodsToAlert\": \"[[parameters('failingPeriods')]\"\r\n }\r\n }\r\n ]\r\n },\r\n \"autoMitigate\": \"[[parameters('autoMitigate')]\",\r\n \"checkWorkspaceAlertsStorageConfigured\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\",\r\n \"ruleResolveConfiguration\": {\r\n \"autoResolved\": \"[[parameters('autoResolve')]\",\r\n \"timeToResolve\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"computersToInclude\": {\r\n \"value\": \"[[parameters('computersToInclude')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"value\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"operator\": {\r\n \"value\": \"[[parameters('operator')]\"\r\n },\r\n \"timeAggregation\": {\r\n \"value\": \"[[parameters('timeAggregation')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"computersToInclude\": {\r\n \"value\": \"[[parameters('computersToInclude')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n}\r\n", + "$fxv#2": "{\r\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\r\n \"apiVersion\": \"2021-06-01\",\r\n \"name\": \"Deploy_Hybrid_VM_dataDiskWriteLatency_Alert\",\r\n \"properties\": {\r\n \"policyType\": \"Custom\",\r\n \"mode\": \"All\",\r\n \"displayName\": \"Deploy Hybrid VM Data Disk Write Latency Alert\",\r\n \"description\": \"Policy to audit/deploy Hybrid VM Data Disk Write Latency Alert\",\r\n \"metadata\": {\r\n \"version\": \"1.6.0\",\r\n \"category\": \"Hybrid Compute\",\r\n \"source\": \"https://github.com/Azure/azure-monitor-baseline-alerts/\",\r\n \"alzCloudEnvironments\": [\r\n \"AzureCloud\"\r\n ],\r\n \"_deployed_by_amba\": \"True\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Name\",\r\n \"description\": \"Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"rg-amba-monitoring-001\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"Object\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Tags\",\r\n \"description\": \"Tags on the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": {\r\n \"Project\": \"amba-monitoring\"\r\n }\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Location\",\r\n \"description\": \"Location of the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"centralus\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\",\r\n \"defaultValue\": \"\",\r\n \"metadata\": {\r\n \"description\": \"The resource Id of the user assigned managed identity.\",\r\n \"displayName\": \"User Assigned managed Identity resource Id.\"\r\n }\r\n },\r\n \"severity\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Severity\",\r\n \"description\": \"Severity of the Alert\"\r\n },\r\n \"allowedValues\": [\r\n \"0\",\r\n \"1\",\r\n \"2\",\r\n \"3\",\r\n \"4\"\r\n ],\r\n \"defaultValue\": \"2\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Operator\"\r\n },\r\n \"allowedValues\": [\r\n \"GreaterThan\"\r\n ],\r\n \"defaultValue\": \"GreaterThan\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"TimeAggregation\"\r\n },\r\n \"allowedValues\": [\r\n \"Count\"\r\n ],\r\n \"defaultValue\": \"Count\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Window Size\",\r\n \"description\": \"Window size for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\",\r\n \"PT6H\",\r\n \"PT12H\",\r\n \"PT24H\"\r\n ],\r\n \"defaultValue\": \"PT15M\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Frequency\",\r\n \"description\": \"Evaluation frequency for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\"\r\n ],\r\n \"defaultValue\": \"PT5M\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Mitigate\",\r\n \"description\": \"Auto Mitigate for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Require a workspace linked storage\",\r\n \"description\": \"Don't create the alert rule if the Log Analytics workspace doesn't have a configured linked storage account (relevant if you're using Customer Managed Keys).\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"false\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve time for the alert in ISO 8601 format\"\r\n },\r\n \"defaultValue\": \"true\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Alert State\",\r\n \"description\": \"Alert state for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Threshold\",\r\n \"description\": \"Threshold for the alert\"\r\n },\r\n \"defaultValue\": \"30\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Failing Periods\",\r\n \"description\": \"Number of failing periods before alert is fired\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Periods\",\r\n \"description\": \"The number of aggregated lookback points.\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"effect\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Effect\",\r\n \"description\": \"Effect of the policy\"\r\n },\r\n \"allowedValues\": [\r\n \"deployIfNotExists\",\r\n \"disabled\"\r\n ],\r\n \"defaultValue\": \"deployIfNotExists\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag name\",\r\n \"description\": \"Tag name to disable monitoring. Set to true if monitoring should be disabled\"\r\n },\r\n \"defaultValue\": \"MonitorDisable\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag values(s)\",\r\n \"description\": \"Tag value(s) used to disable monitoring at the resource level. Set to true if monitoring should be disabled.\"\r\n },\r\n \"defaultValue\": [\r\n \"true\",\r\n \"Test\",\r\n \"Dev\",\r\n \"Sandbox\"\r\n ]\r\n }\r\n },\r\n \"policyRule\": {\r\n \"if\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"type\",\r\n \"equals\": \"Microsoft.HybridCompute/machines\"\r\n },\r\n {\r\n \"field\": \"[[concat('tags[', parameters('MonitorDisableTagName'), ']')]\",\r\n \"notIn\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n ]\r\n },\r\n \"then\": {\r\n \"effect\": \"[[parameters('effect')]\",\r\n \"details\": {\r\n \"roleDefinitionIds\": [\r\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\r\n ],\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"existenceScope\": \"resourceGroup\",\r\n \"resourceGroupName\": \"[[parameters('alertResourceGroupName')]\",\r\n \"deploymentScope\": \"subscription\",\r\n \"existenceCondition\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/displayName\",\r\n \"equals\": \"[[concat(subscription().displayName, '-HybridVMHighDataDiskWriteLatencyAlert')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/scopes[*]\",\r\n \"equals\": \"[[subscription().id]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/enabled\",\r\n \"equals\": \"[[parameters('enabled')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/evaluationFrequency\",\r\n \"equals\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/windowSize\",\r\n \"equals\": \"[[parameters('windowSize')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/severity\",\r\n \"equals\": \"[[parameters('severity')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/autoMitigate\",\r\n \"equals\": \"[[parameters('autoMitigate')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/checkWorkspaceAlertsStorageConfigured\",\r\n \"equals\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].operator\",\r\n \"equals\": \"[[parameters('operator')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].timeAggregation\",\r\n \"equals\": \"[[parameters('timeAggregation')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.numberOfEvaluationPeriods\",\r\n \"equals\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.minFailingPeriodsToAlert\",\r\n \"equals\": \"[[parameters('failingPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].query\",\r\n \"equals\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.HybridCompute/machines\\\" | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.HybridCompute/machines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"LogicalDisk\\\" and Name == \\\"WriteLatencyMs\\\" | extend Disk=tostring(todynamic(Tags)[\\\"vm.azm.ms/mountId\\\"]) | where Disk !in (\\\"C:\\\", \\\"/\\\") | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, Disk | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend excludedLogicalVolumes = iif(isnotempty(resourceTags.[\\\"{4}\\\"]),resourceTags.[\\\"{4}\\\"], \\\"No logical volumes excluded\\\") | where excludedLogicalVolumes !has Disk | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue > appliedThreshold | project TimeGenerated, Computer, _ResourceId, Disk, AggregatedValue, appliedThreshold, excludedLogicalVolumes', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-WriteLatencyMs-Data-threshold-Override_', '_amba-ExcludedLogicalVolumes-WriteLatency_')]\"\r\n },\r\n {\r\n \"field\": \"identity.userAssignedIdentities\",\r\n \"containsKey\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n ]\r\n },\r\n \"deployment\": {\r\n \"location\": \"northeurope\",\r\n \"properties\": {\r\n \"mode\": \"incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"object\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n },\r\n \"severity\": {\r\n \"type\": \"String\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Resources/resourceGroups\",\r\n \"apiVersion\": \"2021-04-01\",\r\n \"name\": \"[[parameters('alertResourceGroupName')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"tags\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n {\r\n \"type\": \"Microsoft.Resources/deployments\",\r\n \"apiVersion\": \"2019-10-01\",\r\n \"name\": \"HybridVMdataDiskWriteLatencyAlert\",\r\n \"resourceGroup\": \"[[parameters('alertResourceGroupName')]\",\r\n \"dependsOn\": [\r\n \"[[concat('Microsoft.Resources/resourceGroups/', parameters('alertResourceGroupName'))]\"\r\n ],\r\n \"properties\": {\r\n \"mode\": \"Incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"apiVersion\": \"2022-08-01-preview\",\r\n \"name\": \"[[concat(subscription().displayName, '-HybridVMHighDataDiskWriteLatencyAlert')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"identity\": {\r\n \"type\": \"UserAssigned\",\r\n \"userAssignedIdentities\": {\r\n \"[[parameters('UAMIResourceId')]\": {}\r\n }\r\n },\r\n \"tags\": {\r\n \"_deployed_by_amba\": true\r\n },\r\n \"properties\": {\r\n \"displayName\": \"[[concat(subscription().displayName, '-HybridVMHighDataDiskWriteLatencyAlert')]\",\r\n \"description\": \"Log Alert for Virtual Machine dataDiskWriteLatency\",\r\n \"severity\": \"[[parameters('severity')]\",\r\n \"enabled\": \"[[parameters('enabled')]\",\r\n \"scopes\": [\r\n \"[[subscription().Id]\"\r\n ],\r\n \"targetResourceTypes\": [\r\n \"Microsoft.HybridCompute/machines\"\r\n ],\r\n \"evaluationFrequency\": \"[[parameters('evaluationFrequency')]\",\r\n \"windowSize\": \"[[parameters('windowSize')]\",\r\n \"criteria\": {\r\n \"allOf\": [\r\n {\r\n \"query\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.HybridCompute/machines\\\" | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.HybridCompute/machines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"LogicalDisk\\\" and Name == \\\"WriteLatencyMs\\\" | extend Disk=tostring(todynamic(Tags)[\\\"vm.azm.ms/mountId\\\"]) | where Disk !in (\\\"C:\\\", \\\"/\\\") | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, Disk | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend excludedLogicalVolumes = iif(isnotempty(resourceTags.[\\\"{4}\\\"]),resourceTags.[\\\"{4}\\\"], \\\"No logical volumes excluded\\\") | where excludedLogicalVolumes !has Disk | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue > appliedThreshold | project TimeGenerated, Computer, _ResourceId, Disk, AggregatedValue, appliedThreshold, excludedLogicalVolumes', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-WriteLatencyMs-Data-threshold-Override_', '_amba-ExcludedLogicalVolumes-WriteLatency_')]\",\r\n \"threshold\": 0,\r\n \"operator\": \"[[parameters('operator')]\",\r\n \"resourceIdColumn\": \"_ResourceId\",\r\n \"timeAggregation\": \"[[parameters('timeAggregation')]\",\r\n \"dimensions\": [\r\n {\r\n \"name\": \"Computer\",\r\n \"operator\": \"Include\",\r\n \"values\": [\r\n \"*\"\r\n ]\r\n },\r\n {\r\n \"name\": \"Disk\",\r\n \"operator\": \"Include\",\r\n \"values\": [\r\n \"*\"\r\n ]\r\n }\r\n ],\r\n \"failingPeriods\": {\r\n \"numberOfEvaluationPeriods\": \"[[parameters('evaluationPeriods')]\",\r\n \"minFailingPeriodsToAlert\": \"[[parameters('failingPeriods')]\"\r\n }\r\n }\r\n ]\r\n },\r\n \"autoMitigate\": \"[[parameters('autoMitigate')]\",\r\n \"checkWorkspaceAlertsStorageConfigured\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\",\r\n \"ruleResolveConfiguration\": {\r\n \"autoResolved\": \"[[parameters('autoResolve')]\",\r\n \"timeToResolve\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"value\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"operator\": {\r\n \"value\": \"[[parameters('operator')]\"\r\n },\r\n \"timeAggregation\": {\r\n \"value\": \"[[parameters('timeAggregation')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n}\r\n", + "$fxv#3": "{\r\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\r\n \"apiVersion\": \"2021-06-01\",\r\n \"name\": \"Deploy_Hybrid_VM_HeartBeat_Alert\",\r\n \"properties\": {\r\n \"policyType\": \"Custom\",\r\n \"mode\": \"All\",\r\n \"displayName\": \"Deploy Hybrid VM HeartBeat Alert\",\r\n \"description\": \"Policy to audit/deploy Hybrid VM HeartBeat Alert\",\r\n \"metadata\": {\r\n \"version\": \"1.5.0\",\r\n \"category\": \"Hybrid Compute\",\r\n \"source\": \"https://github.com/Azure/azure-monitor-baseline-alerts/\",\r\n \"alzCloudEnvironments\": [\r\n \"AzureCloud\"\r\n ],\r\n \"_deployed_by_amba\": \"True\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Name\",\r\n \"description\": \"Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"rg-amba-monitoring-001\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"Object\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Tags\",\r\n \"description\": \"Tags on the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": {\r\n \"Project\": \"amba-monitoring\"\r\n }\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Location\",\r\n \"description\": \"Location of the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"centralus\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\",\r\n \"defaultValue\": \"\",\r\n \"metadata\": {\r\n \"description\": \"The resource Id of the user assigned managed identity.\",\r\n \"displayName\": \"User Assigned managed Identity resource Id.\"\r\n }\r\n },\r\n \"severity\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Severity\",\r\n \"description\": \"Severity of the Alert\"\r\n },\r\n \"allowedValues\": [\r\n \"0\",\r\n \"1\",\r\n \"2\",\r\n \"3\",\r\n \"4\"\r\n ],\r\n \"defaultValue\": \"1\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Operator\"\r\n },\r\n \"allowedValues\": [\r\n \"GreaterThan\"\r\n ],\r\n \"defaultValue\": \"GreaterThan\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"TimeAggregation\"\r\n },\r\n \"allowedValues\": [\r\n \"Count\"\r\n ],\r\n \"defaultValue\": \"Count\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Window Size\",\r\n \"description\": \"Window size for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\",\r\n \"PT6H\",\r\n \"PT12H\",\r\n \"PT24H\"\r\n ],\r\n \"defaultValue\": \"PT6H\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Frequency\",\r\n \"description\": \"Evaluation frequency for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\"\r\n ],\r\n \"defaultValue\": \"PT5M\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Mitigate\",\r\n \"description\": \"Auto Mitigate for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Require a workspace linked storage\",\r\n \"description\": \"Don't create the alert rule if the Log Analytics workspace doesn't have a configured linked storage account (relevant if you're using Customer Managed Keys).\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"false\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve time for the alert in ISO 8601 format\"\r\n },\r\n \"defaultValue\": \"true\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Alert State\",\r\n \"description\": \"Alert state for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Threshold\",\r\n \"description\": \"Threshold for the alert\"\r\n },\r\n \"defaultValue\": \"10\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Failing Periods\",\r\n \"description\": \"Number of failing periods before alert is fired\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Periods\",\r\n \"description\": \"The number of aggregated lookback points.\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"effect\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Effect\",\r\n \"description\": \"Effect of the policy\"\r\n },\r\n \"allowedValues\": [\r\n \"deployIfNotExists\",\r\n \"disabled\"\r\n ],\r\n \"defaultValue\": \"deployIfNotExists\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag name\",\r\n \"description\": \"Tag name to disable monitoring. Set to true if monitoring should be disabled\"\r\n },\r\n \"defaultValue\": \"MonitorDisable\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag values(s)\",\r\n \"description\": \"Tag value(s) used to disable monitoring at the resource level. Set to true if monitoring should be disabled.\"\r\n },\r\n \"defaultValue\": [\r\n \"true\",\r\n \"Test\",\r\n \"Dev\",\r\n \"Sandbox\"\r\n ]\r\n }\r\n },\r\n \"policyRule\": {\r\n \"if\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"type\",\r\n \"equals\": \"Microsoft.HybridCompute/machines\"\r\n },\r\n {\r\n \"field\": \"[[concat('tags[', parameters('MonitorDisableTagName'), ']')]\",\r\n \"notIn\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n ]\r\n },\r\n \"then\": {\r\n \"effect\": \"[[parameters('effect')]\",\r\n \"details\": {\r\n \"roleDefinitionIds\": [\r\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\r\n ],\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"existenceScope\": \"resourceGroup\",\r\n \"resourceGroupName\": \"[[parameters('alertResourceGroupName')]\",\r\n \"deploymentScope\": \"subscription\",\r\n \"existenceCondition\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/displayName\",\r\n \"equals\": \"[[concat(subscription().displayName, '-HybridVMHeartBeatAlert')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/scopes[*]\",\r\n \"equals\": \"[[subscription().id]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/enabled\",\r\n \"equals\": \"[[parameters('enabled')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/evaluationFrequency\",\r\n \"equals\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/windowSize\",\r\n \"equals\": \"[[parameters('windowSize')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/severity\",\r\n \"equals\": \"[[parameters('severity')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/autoMitigate\",\r\n \"equals\": \"[[parameters('autoMitigate')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/checkWorkspaceAlertsStorageConfigured\",\r\n \"equals\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].operator\",\r\n \"equals\": \"[[parameters('operator')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].timeAggregation\",\r\n \"equals\": \"[[parameters('timeAggregation')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.numberOfEvaluationPeriods\",\r\n \"equals\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.minFailingPeriodsToAlert\",\r\n \"equals\": \"[[parameters('failingPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].query\",\r\n \"equals\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.HybridCompute/machines\\\" | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); Heartbeat | where _ResourceId has \\\"Microsoft.HybridCompute/machines\\\" | summarize TimeGenerated=max(TimeGenerated) by Computer, _ResourceId | extend Duration = datetime_diff(\\\"minute\\\",now(),TimeGenerated) | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where Duration > appliedThreshold | project TimeGenerated, Computer, _ResourceId, Duration, appliedThreshold', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-Heartbeat-threshold-Override_')]\"\r\n },\r\n {\r\n \"field\": \"identity.userAssignedIdentities\",\r\n \"containsKey\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n ]\r\n },\r\n \"deployment\": {\r\n \"location\": \"northeurope\",\r\n \"properties\": {\r\n \"mode\": \"incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"object\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n },\r\n \"severity\": {\r\n \"type\": \"String\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Resources/resourceGroups\",\r\n \"apiVersion\": \"2021-04-01\",\r\n \"name\": \"[[parameters('alertResourceGroupName')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"tags\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n {\r\n \"type\": \"Microsoft.Resources/deployments\",\r\n \"apiVersion\": \"2019-10-01\",\r\n \"name\": \"HybridVMHeartBeatAlert\",\r\n \"resourceGroup\": \"[[parameters('alertResourceGroupName')]\",\r\n \"dependsOn\": [\r\n \"[[concat('Microsoft.Resources/resourceGroups/', parameters('alertResourceGroupName'))]\"\r\n ],\r\n \"properties\": {\r\n \"mode\": \"Incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"apiVersion\": \"2022-08-01-preview\",\r\n \"name\": \"[[concat(subscription().displayName, '-HybridVMHeartBeatAlert')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"identity\": {\r\n \"type\": \"UserAssigned\",\r\n \"userAssignedIdentities\": {\r\n \"[[parameters('UAMIResourceId')]\": {}\r\n }\r\n },\r\n \"tags\": {\r\n \"_deployed_by_amba\": true\r\n },\r\n \"properties\": {\r\n \"displayName\": \"[[concat(subscription().displayName, '-HybridVMHeartBeatAlert')]\",\r\n \"description\": \"Log Alert for Virtual Machine Heartbeat\",\r\n \"severity\": \"[[parameters('severity')]\",\r\n \"enabled\": \"[[parameters('enabled')]\",\r\n \"scopes\": [\r\n \"[[subscription().Id]\"\r\n ],\r\n \"targetResourceTypes\": [\r\n \"Microsoft.HybridCompute/machines\"\r\n ],\r\n \"evaluationFrequency\": \"[[parameters('evaluationFrequency')]\",\r\n \"windowSize\": \"[[parameters('windowSize')]\",\r\n \"criteria\": {\r\n \"allOf\": [\r\n {\r\n \"query\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.HybridCompute/machines\\\" | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); Heartbeat | where _ResourceId has \\\"Microsoft.HybridCompute/machines\\\" | summarize TimeGenerated=max(TimeGenerated) by Computer, _ResourceId | extend Duration = datetime_diff(\\\"minute\\\",now(),TimeGenerated) | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where Duration > appliedThreshold | project TimeGenerated, Computer, _ResourceId, Duration, appliedThreshold', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-Heartbeat-threshold-Override_')]\",\r\n \"threshold\": 0,\r\n \"operator\": \"[[parameters('operator')]\",\r\n \"resourceIdColumn\": \"_ResourceId\",\r\n \"timeAggregation\": \"[[parameters('timeAggregation')]\",\r\n \"dimensions\": [\r\n {\r\n \"name\": \"Computer\",\r\n \"operator\": \"Include\",\r\n \"values\": [\r\n \"*\"\r\n ]\r\n }\r\n ],\r\n \"failingPeriods\": {\r\n \"numberOfEvaluationPeriods\": \"[[parameters('evaluationPeriods')]\",\r\n \"minFailingPeriodsToAlert\": \"[[parameters('failingPeriods')]\"\r\n }\r\n }\r\n ]\r\n },\r\n \"autoMitigate\": \"[[parameters('autoMitigate')]\",\r\n \"checkWorkspaceAlertsStorageConfigured\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\",\r\n \"ruleResolveConfiguration\": {\r\n \"autoResolved\": \"[[parameters('autoResolve')]\",\r\n \"timeToResolve\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"value\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"operator\": {\r\n \"value\": \"[[parameters('operator')]\"\r\n },\r\n \"timeAggregation\": {\r\n \"value\": \"[[parameters('timeAggregation')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n}\r\n", + "$fxv#4": "{\r\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\r\n \"apiVersion\": \"2021-06-01\",\r\n \"name\": \"Deploy_Hybrid_VM_NetworkIn_Alert\",\r\n \"properties\": {\r\n \"policyType\": \"Custom\",\r\n \"mode\": \"All\",\r\n \"displayName\": \"Deploy Hybrid VM Network Read Alert\",\r\n \"description\": \"Policy to audit/deploy Hybrid VM Nework Read Alert\",\r\n \"metadata\": {\r\n \"version\": \"1.5.0\",\r\n \"category\": \"Hybrid Compute\",\r\n \"source\": \"https://github.com/Azure/azure-monitor-baseline-alerts/\",\r\n \"alzCloudEnvironments\": [\r\n \"AzureCloud\"\r\n ],\r\n \"_deployed_by_amba\": \"True\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Name\",\r\n \"description\": \"Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"rg-amba-monitoring-001\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"Object\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Tags\",\r\n \"description\": \"Tags on the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": {\r\n \"Project\": \"amba-monitoring\"\r\n }\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Location\",\r\n \"description\": \"Location of the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"centralus\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\",\r\n \"defaultValue\": \"\",\r\n \"metadata\": {\r\n \"description\": \"The resource Id of the user assigned managed identity.\",\r\n \"displayName\": \"User Assigned managed Identity resource Id.\"\r\n }\r\n },\r\n \"severity\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Severity\",\r\n \"description\": \"Severity of the Alert\"\r\n },\r\n \"allowedValues\": [\r\n \"0\",\r\n \"1\",\r\n \"2\",\r\n \"3\",\r\n \"4\"\r\n ],\r\n \"defaultValue\": \"2\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Operator\"\r\n },\r\n \"allowedValues\": [\r\n \"GreaterThan\"\r\n ],\r\n \"defaultValue\": \"GreaterThan\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"TimeAggregation\"\r\n },\r\n \"allowedValues\": [\r\n \"Count\"\r\n ],\r\n \"defaultValue\": \"Count\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Window Size\",\r\n \"description\": \"Window size for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\",\r\n \"PT6H\",\r\n \"PT12H\",\r\n \"PT24H\"\r\n ],\r\n \"defaultValue\": \"PT15M\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Frequency\",\r\n \"description\": \"Evaluation frequency for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\"\r\n ],\r\n \"defaultValue\": \"PT5M\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Mitigate\",\r\n \"description\": \"Auto Mitigate for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Require a workspace linked storage\",\r\n \"description\": \"Don't create the alert rule if the Log Analytics workspace doesn't have a configured linked storage account (relevant if you're using Customer Managed Keys).\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"false\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve time for the alert in ISO 8601 format\"\r\n },\r\n \"defaultValue\": \"true\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Alert State\",\r\n \"description\": \"Alert state for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Threshold\",\r\n \"description\": \"Threshold for the alert\"\r\n },\r\n \"defaultValue\": \"10000000\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Failing Periods\",\r\n \"description\": \"Number of failing periods before alert is fired\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Periods\",\r\n \"description\": \"The number of aggregated lookback points.\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"effect\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Effect\",\r\n \"description\": \"Effect of the policy\"\r\n },\r\n \"allowedValues\": [\r\n \"deployIfNotExists\",\r\n \"disabled\"\r\n ],\r\n \"defaultValue\": \"deployIfNotExists\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag name\",\r\n \"description\": \"Tag name to disable monitoring. Set to true if monitoring should be disabled\"\r\n },\r\n \"defaultValue\": \"MonitorDisable\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag values(s)\",\r\n \"description\": \"Tag value(s) used to disable monitoring at the resource level. Set to true if monitoring should be disabled.\"\r\n },\r\n \"defaultValue\": [\r\n \"true\",\r\n \"Test\",\r\n \"Dev\",\r\n \"Sandbox\"\r\n ]\r\n }\r\n },\r\n \"policyRule\": {\r\n \"if\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"type\",\r\n \"equals\": \"Microsoft.HybridCompute/machines\"\r\n },\r\n {\r\n \"field\": \"[[concat('tags[', parameters('MonitorDisableTagName'), ']')]\",\r\n \"notIn\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n ]\r\n },\r\n \"then\": {\r\n \"effect\": \"[[parameters('effect')]\",\r\n \"details\": {\r\n \"roleDefinitionIds\": [\r\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\r\n ],\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"existenceScope\": \"resourceGroup\",\r\n \"resourceGroupName\": \"[[parameters('alertResourceGroupName')]\",\r\n \"deploymentScope\": \"subscription\",\r\n \"existenceCondition\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/displayName\",\r\n \"equals\": \"[[concat(subscription().displayName, '-HybridVMHighNetworkInAlert')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/scopes[*]\",\r\n \"equals\": \"[[subscription().id]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/enabled\",\r\n \"equals\": \"[[parameters('enabled')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/evaluationFrequency\",\r\n \"equals\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/windowSize\",\r\n \"equals\": \"[[parameters('windowSize')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/severity\",\r\n \"equals\": \"[[parameters('severity')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/autoMitigate\",\r\n \"equals\": \"[[parameters('autoMitigate')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/checkWorkspaceAlertsStorageConfigured\",\r\n \"equals\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].operator\",\r\n \"equals\": \"[[parameters('operator')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].timeAggregation\",\r\n \"equals\": \"[[parameters('timeAggregation')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.numberOfEvaluationPeriods\",\r\n \"equals\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.minFailingPeriodsToAlert\",\r\n \"equals\": \"[[parameters('failingPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].query\",\r\n \"equals\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.HybridCompute/machines\\\" | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.HybridCompute/machines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"Network\\\" and Name == \\\"ReadBytesPerSecond\\\" | extend NetworkInterface=tostring(todynamic(Tags)[\\\"vm.azm.ms/networkDeviceId\\\"]) | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, NetworkInterface | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue > appliedThreshold | project TimeGenerated, Computer, _ResourceId, NetworkInterface, AggregatedValue, appliedThreshold' , parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-ReadBytesPerSecond-threshold-Override_')]\"\r\n },\r\n {\r\n \"field\": \"identity.userAssignedIdentities\",\r\n \"containsKey\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n ]\r\n },\r\n \"deployment\": {\r\n \"location\": \"northeurope\",\r\n \"properties\": {\r\n \"mode\": \"incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"object\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n },\r\n \"severity\": {\r\n \"type\": \"String\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Resources/resourceGroups\",\r\n \"apiVersion\": \"2021-04-01\",\r\n \"name\": \"[[parameters('alertResourceGroupName')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"tags\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n {\r\n \"type\": \"Microsoft.Resources/deployments\",\r\n \"apiVersion\": \"2019-10-01\",\r\n \"name\": \"HybridVMVMNetworkInAlert\",\r\n \"resourceGroup\": \"[[parameters('alertResourceGroupName')]\",\r\n \"dependsOn\": [\r\n \"[[concat('Microsoft.Resources/resourceGroups/', parameters('alertResourceGroupName'))]\"\r\n ],\r\n \"properties\": {\r\n \"mode\": \"Incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"apiVersion\": \"2022-08-01-preview\",\r\n \"name\": \"[[concat(subscription().displayName, '-HybridVMHighNetworkInAlert')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"identity\": {\r\n \"type\": \"UserAssigned\",\r\n \"userAssignedIdentities\": {\r\n \"[[parameters('UAMIResourceId')]\": {}\r\n }\r\n },\r\n \"tags\": {\r\n \"_deployed_by_amba\": true\r\n },\r\n \"properties\": {\r\n \"displayName\": \"[[concat(subscription().displayName, '-HybridVMHighNetworkInAlert')]\",\r\n \"description\": \"Log Alert for Virtual Machine NetworkIn\",\r\n \"severity\": \"[[parameters('severity')]\",\r\n \"enabled\": \"[[parameters('enabled')]\",\r\n \"scopes\": [\r\n \"[[subscription().Id]\"\r\n ],\r\n \"targetResourceTypes\": [\r\n \"Microsoft.HybridCompute/machines\"\r\n ],\r\n \"evaluationFrequency\": \"[[parameters('evaluationFrequency')]\",\r\n \"windowSize\": \"[[parameters('windowSize')]\",\r\n \"criteria\": {\r\n \"allOf\": [\r\n {\r\n \"query\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.HybridCompute/machines\\\" | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.HybridCompute/machines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"Network\\\" and Name == \\\"ReadBytesPerSecond\\\" | extend NetworkInterface=tostring(todynamic(Tags)[\\\"vm.azm.ms/networkDeviceId\\\"]) | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, NetworkInterface | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue > appliedThreshold | project TimeGenerated, Computer, _ResourceId, NetworkInterface, AggregatedValue, appliedThreshold' , parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-ReadBytesPerSecond-threshold-Override_')]\",\r\n \"threshold\": 0,\r\n \"operator\": \"[[parameters('operator')]\",\r\n \"resourceIdColumn\": \"_ResourceId\",\r\n \"timeAggregation\": \"[[parameters('timeAggregation')]\",\r\n \"dimensions\": [\r\n {\r\n \"name\": \"Computer\",\r\n \"operator\": \"Include\",\r\n \"values\": [\r\n \"*\"\r\n ]\r\n },\r\n {\r\n \"name\": \"NetworkInterface\",\r\n \"operator\": \"Include\",\r\n \"values\": [\r\n \"*\"\r\n ]\r\n }\r\n ],\r\n \"failingPeriods\": {\r\n \"numberOfEvaluationPeriods\": \"[[parameters('evaluationPeriods')]\",\r\n \"minFailingPeriodsToAlert\": \"[[parameters('failingPeriods')]\"\r\n }\r\n }\r\n ]\r\n },\r\n \"autoMitigate\": \"[[parameters('autoMitigate')]\",\r\n \"checkWorkspaceAlertsStorageConfigured\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\",\r\n \"ruleResolveConfiguration\": {\r\n \"autoResolved\": \"[[parameters('autoResolve')]\",\r\n \"timeToResolve\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"value\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"operator\": {\r\n \"value\": \"[[parameters('operator')]\"\r\n },\r\n \"timeAggregation\": {\r\n \"value\": \"[[parameters('timeAggregation')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n}\r\n", + "$fxv#5": "{\r\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\r\n \"apiVersion\": \"2021-06-01\",\r\n \"name\": \"Deploy_Hybrid_VM_NetworkOut_Alert\",\r\n \"properties\": {\r\n \"policyType\": \"Custom\",\r\n \"mode\": \"All\",\r\n \"displayName\": \"Deploy Hybrid VM Network Write Alert\",\r\n \"description\": \"Policy to audit/deploy Hybrid VM Network Out Alert\",\r\n \"metadata\": {\r\n \"version\": \"1.5.0\",\r\n \"category\": \"Hybrid Compute\",\r\n \"source\": \"https://github.com/Azure/azure-monitor-baseline-alerts/\",\r\n \"alzCloudEnvironments\": [\r\n \"AzureCloud\"\r\n ],\r\n \"_deployed_by_amba\": \"True\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Name\",\r\n \"description\": \"Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"rg-amba-monitoring-001\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"Object\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Tags\",\r\n \"description\": \"Tags on the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": {\r\n \"Project\": \"amba-monitoring\"\r\n }\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Location\",\r\n \"description\": \"Location of the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"centralus\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\",\r\n \"defaultValue\": \"\",\r\n \"metadata\": {\r\n \"description\": \"The resource Id of the user assigned managed identity.\",\r\n \"displayName\": \"User Assigned managed Identity resource Id.\"\r\n }\r\n },\r\n \"severity\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Severity\",\r\n \"description\": \"Severity of the Alert\"\r\n },\r\n \"allowedValues\": [\r\n \"0\",\r\n \"1\",\r\n \"2\",\r\n \"3\",\r\n \"4\"\r\n ],\r\n \"defaultValue\": \"2\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Operator\"\r\n },\r\n \"allowedValues\": [\r\n \"GreaterThan\"\r\n ],\r\n \"defaultValue\": \"GreaterThan\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"TimeAggregation\"\r\n },\r\n \"allowedValues\": [\r\n \"Count\"\r\n ],\r\n \"defaultValue\": \"Count\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Window Size\",\r\n \"description\": \"Window size for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\",\r\n \"PT6H\",\r\n \"PT12H\",\r\n \"PT24H\"\r\n ],\r\n \"defaultValue\": \"PT15M\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Frequency\",\r\n \"description\": \"Evaluation frequency for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\"\r\n ],\r\n \"defaultValue\": \"PT5M\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Mitigate\",\r\n \"description\": \"Auto Mitigate for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Require a workspace linked storage\",\r\n \"description\": \"Don't create the alert rule if the Log Analytics workspace doesn't have a configured linked storage account (relevant if you're using Customer Managed Keys).\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"false\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve time for the alert in ISO 8601 format\"\r\n },\r\n \"defaultValue\": \"true\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Alert State\",\r\n \"description\": \"Alert state for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Threshold\",\r\n \"description\": \"Threshold for the alert\"\r\n },\r\n \"defaultValue\": \"10000000\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Failing Periods\",\r\n \"description\": \"Number of failing periods before alert is fired\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Periods\",\r\n \"description\": \"The number of aggregated lookback points.\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"effect\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Effect\",\r\n \"description\": \"Effect of the policy\"\r\n },\r\n \"allowedValues\": [\r\n \"deployIfNotExists\",\r\n \"disabled\"\r\n ],\r\n \"defaultValue\": \"deployIfNotExists\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag name\",\r\n \"description\": \"Tag name to disable monitoring. Set to true if monitoring should be disabled\"\r\n },\r\n \"defaultValue\": \"MonitorDisable\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag values(s)\",\r\n \"description\": \"Tag value(s) used to disable monitoring at the resource level. Set to true if monitoring should be disabled.\"\r\n },\r\n \"defaultValue\": [\r\n \"true\",\r\n \"Test\",\r\n \"Dev\",\r\n \"Sandbox\"\r\n ]\r\n }\r\n },\r\n \"policyRule\": {\r\n \"if\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"type\",\r\n \"equals\": \"Microsoft.HybridCompute/machines\"\r\n },\r\n {\r\n \"field\": \"[[concat('tags[', parameters('MonitorDisableTagName'), ']')]\",\r\n \"notIn\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n ]\r\n },\r\n \"then\": {\r\n \"effect\": \"[[parameters('effect')]\",\r\n \"details\": {\r\n \"roleDefinitionIds\": [\r\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\r\n ],\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"existenceScope\": \"resourceGroup\",\r\n \"resourceGroupName\": \"[[parameters('alertResourceGroupName')]\",\r\n \"deploymentScope\": \"subscription\",\r\n \"existenceCondition\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/displayName\",\r\n \"equals\": \"[[concat(subscription().displayName, '-HybridVMHighNetworkOutAlert')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/scopes[*]\",\r\n \"equals\": \"[[subscription().id]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/enabled\",\r\n \"equals\": \"[[parameters('enabled')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/evaluationFrequency\",\r\n \"equals\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/windowSize\",\r\n \"equals\": \"[[parameters('windowSize')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/severity\",\r\n \"equals\": \"[[parameters('severity')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/autoMitigate\",\r\n \"equals\": \"[[parameters('autoMitigate')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/checkWorkspaceAlertsStorageConfigured\",\r\n \"equals\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].operator\",\r\n \"equals\": \"[[parameters('operator')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].timeAggregation\",\r\n \"equals\": \"[[parameters('timeAggregation')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.numberOfEvaluationPeriods\",\r\n \"equals\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.minFailingPeriodsToAlert\",\r\n \"equals\": \"[[parameters('failingPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].query\",\r\n \"equals\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.HybridCompute/machines\\\" | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.HybridCompute/machines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"Network\\\" and Name == \\\"WriteBytesPerSecond\\\" | extend NetworkInterface=tostring(todynamic(Tags)[\\\"vm.azm.ms/networkDeviceId\\\"]) | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, NetworkInterface | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue > appliedThreshold | project TimeGenerated, Computer, _ResourceId, NetworkInterface, AggregatedValue, appliedThreshold' , parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-WriteBytesPerSecond-threshold-Override_')]\"\r\n },\r\n {\r\n \"field\": \"identity.userAssignedIdentities\",\r\n \"containsKey\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n ]\r\n },\r\n \"deployment\": {\r\n \"location\": \"northeurope\",\r\n \"properties\": {\r\n \"mode\": \"incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"object\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n },\r\n \"severity\": {\r\n \"type\": \"String\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Resources/resourceGroups\",\r\n \"apiVersion\": \"2021-04-01\",\r\n \"name\": \"[[parameters('alertResourceGroupName')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"tags\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n {\r\n \"type\": \"Microsoft.Resources/deployments\",\r\n \"apiVersion\": \"2019-10-01\",\r\n \"name\": \"HybridVMVMNetworkOutAlert\",\r\n \"resourceGroup\": \"[[parameters('alertResourceGroupName')]\",\r\n \"dependsOn\": [\r\n \"[[concat('Microsoft.Resources/resourceGroups/', parameters('alertResourceGroupName'))]\"\r\n ],\r\n \"properties\": {\r\n \"mode\": \"Incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"apiVersion\": \"2022-08-01-preview\",\r\n \"name\": \"[[concat(subscription().displayName, '-HybridVMHighNetworkOutAlert')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"identity\": {\r\n \"type\": \"UserAssigned\",\r\n \"userAssignedIdentities\": {\r\n \"[[parameters('UAMIResourceId')]\": {}\r\n }\r\n },\r\n \"tags\": {\r\n \"_deployed_by_amba\": true\r\n },\r\n \"properties\": {\r\n \"displayName\": \"[[concat(subscription().displayName, '-HybridVMHighNetworkOutAlert')]\",\r\n \"description\": \"Log Alert for Virtual Machine NetworkOut\",\r\n \"severity\": \"[[parameters('severity')]\",\r\n \"enabled\": \"[[parameters('enabled')]\",\r\n \"scopes\": [\r\n \"[[subscription().Id]\"\r\n ],\r\n \"targetResourceTypes\": [\r\n \"Microsoft.HybridCompute/machines\"\r\n ],\r\n \"evaluationFrequency\": \"[[parameters('evaluationFrequency')]\",\r\n \"windowSize\": \"[[parameters('windowSize')]\",\r\n \"criteria\": {\r\n \"allOf\": [\r\n {\r\n \"query\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.HybridCompute/machines\\\" | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.HybridCompute/machines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"Network\\\" and Name == \\\"WriteBytesPerSecond\\\" | extend NetworkInterface=tostring(todynamic(Tags)[\\\"vm.azm.ms/networkDeviceId\\\"]) | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, NetworkInterface | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue > appliedThreshold | project TimeGenerated, Computer, _ResourceId, NetworkInterface, AggregatedValue, appliedThreshold' , parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-WriteBytesPerSecond-threshold-Override_')]\",\r\n \"threshold\": 0,\r\n \"operator\": \"[[parameters('operator')]\",\r\n \"resourceIdColumn\": \"_ResourceId\",\r\n \"timeAggregation\": \"[[parameters('timeAggregation')]\",\r\n \"dimensions\": [\r\n {\r\n \"name\": \"Computer\",\r\n \"operator\": \"Include\",\r\n \"values\": [\r\n \"*\"\r\n ]\r\n },\r\n {\r\n \"name\": \"NetworkInterface\",\r\n \"operator\": \"Include\",\r\n \"values\": [\r\n \"*\"\r\n ]\r\n }\r\n ],\r\n \"failingPeriods\": {\r\n \"numberOfEvaluationPeriods\": \"[[parameters('evaluationPeriods')]\",\r\n \"minFailingPeriodsToAlert\": \"[[parameters('failingPeriods')]\"\r\n }\r\n }\r\n ]\r\n },\r\n \"autoMitigate\": \"[[parameters('autoMitigate')]\",\r\n \"checkWorkspaceAlertsStorageConfigured\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\",\r\n \"ruleResolveConfiguration\": {\r\n \"autoResolved\": \"[[parameters('autoResolve')]\",\r\n \"timeToResolve\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"value\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"operator\": {\r\n \"value\": \"[[parameters('operator')]\"\r\n },\r\n \"timeAggregation\": {\r\n \"value\": \"[[parameters('timeAggregation')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n}\r\n", + "$fxv#6": "{\r\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\r\n \"apiVersion\": \"2021-06-01\",\r\n \"name\": \"Deploy_Hybrid_VM_OSDiskreadLatency_Alert\",\r\n \"properties\": {\r\n \"policyType\": \"Custom\",\r\n \"mode\": \"All\",\r\n \"displayName\": \"Deploy Hybrid VM OS Disk Read Latency Alert\",\r\n \"description\": \"Policy to audit/deploy Hybrid VM OS Disk Read Latency Alert\",\r\n \"metadata\": {\r\n \"version\": \"1.6.0\",\r\n \"category\": \"Hybrid Compute\",\r\n \"source\": \"https://github.com/Azure/azure-monitor-baseline-alerts/\",\r\n \"alzCloudEnvironments\": [\r\n \"AzureCloud\"\r\n ],\r\n \"_deployed_by_amba\": \"True\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Name\",\r\n \"description\": \"Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"rg-amba-monitoring-001\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"Object\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Tags\",\r\n \"description\": \"Tags on the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": {\r\n \"Project\": \"amba-monitoring\"\r\n }\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Location\",\r\n \"description\": \"Location of the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"centralus\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\",\r\n \"defaultValue\": \"\",\r\n \"metadata\": {\r\n \"description\": \"The resource Id of the user assigned managed identity.\",\r\n \"displayName\": \"User Assigned managed Identity resource Id.\"\r\n }\r\n },\r\n \"severity\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Severity\",\r\n \"description\": \"Severity of the Alert\"\r\n },\r\n \"allowedValues\": [\r\n \"0\",\r\n \"1\",\r\n \"2\",\r\n \"3\",\r\n \"4\"\r\n ],\r\n \"defaultValue\": \"2\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Operator\"\r\n },\r\n \"allowedValues\": [\r\n \"GreaterThan\"\r\n ],\r\n \"defaultValue\": \"GreaterThan\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"TimeAggregation\"\r\n },\r\n \"allowedValues\": [\r\n \"Count\"\r\n ],\r\n \"defaultValue\": \"Count\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Window Size\",\r\n \"description\": \"Window size for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\",\r\n \"PT6H\",\r\n \"PT12H\",\r\n \"PT24H\"\r\n ],\r\n \"defaultValue\": \"PT15M\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Frequency\",\r\n \"description\": \"Evaluation frequency for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\"\r\n ],\r\n \"defaultValue\": \"PT5M\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Mitigate\",\r\n \"description\": \"Auto Mitigate for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Require a workspace linked storage\",\r\n \"description\": \"Don't create the alert rule if the Log Analytics workspace doesn't have a configured linked storage account (relevant if you're using Customer Managed Keys).\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"false\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve time for the alert in ISO 8601 format\"\r\n },\r\n \"defaultValue\": \"true\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Alert State\",\r\n \"description\": \"Alert state for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Threshold\",\r\n \"description\": \"Threshold for the alert\"\r\n },\r\n \"defaultValue\": \"30\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Failing Periods\",\r\n \"description\": \"Number of failing periods before alert is fired\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Periods\",\r\n \"description\": \"The number of aggregated lookback points.\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"effect\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Effect\",\r\n \"description\": \"Effect of the policy\"\r\n },\r\n \"allowedValues\": [\r\n \"deployIfNotExists\",\r\n \"disabled\"\r\n ],\r\n \"defaultValue\": \"deployIfNotExists\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag name\",\r\n \"description\": \"Tag name to disable monitoring. Set to true if monitoring should be disabled\"\r\n },\r\n \"defaultValue\": \"MonitorDisable\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag values(s)\",\r\n \"description\": \"Tag value(s) used to disable monitoring at the resource level. Set to true if monitoring should be disabled.\"\r\n },\r\n \"defaultValue\": [\r\n \"true\",\r\n \"Test\",\r\n \"Dev\",\r\n \"Sandbox\"\r\n ]\r\n }\r\n },\r\n \"policyRule\": {\r\n \"if\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"type\",\r\n \"equals\": \"Microsoft.HybridCompute/machines\"\r\n },\r\n {\r\n \"field\": \"[[concat('tags[', parameters('MonitorDisableTagName'), ']')]\",\r\n \"notIn\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n ]\r\n },\r\n \"then\": {\r\n \"effect\": \"[[parameters('effect')]\",\r\n \"details\": {\r\n \"roleDefinitionIds\": [\r\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\r\n ],\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"existenceScope\": \"resourceGroup\",\r\n \"resourceGroupName\": \"[[parameters('alertResourceGroupName')]\",\r\n \"deploymentScope\": \"subscription\",\r\n \"existenceCondition\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/displayName\",\r\n \"equals\": \"[[concat(subscription().displayName, '-HybridVMHighOSDiskReadLatencyAlert')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/scopes[*]\",\r\n \"equals\": \"[[subscription().id]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/enabled\",\r\n \"equals\": \"[[parameters('enabled')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/evaluationFrequency\",\r\n \"equals\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/windowSize\",\r\n \"equals\": \"[[parameters('windowSize')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/severity\",\r\n \"equals\": \"[[parameters('severity')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/autoMitigate\",\r\n \"equals\": \"[[parameters('autoMitigate')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/checkWorkspaceAlertsStorageConfigured\",\r\n \"equals\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].operator\",\r\n \"equals\": \"[[parameters('operator')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].timeAggregation\",\r\n \"equals\": \"[[parameters('timeAggregation')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.numberOfEvaluationPeriods\",\r\n \"equals\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.minFailingPeriodsToAlert\",\r\n \"equals\": \"[[parameters('failingPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].query\",\r\n \"equals\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.HybridCompute/machines\\\" | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.HybridCompute/machines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"LogicalDisk\\\" and Name == \\\"ReadLatencyMs\\\" | extend Disk=tostring(todynamic(Tags)[\\\"vm.azm.ms/mountId\\\"]) | where Disk in (\\\"C:\\\", \\\"/\\\") | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, Disk | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend excludedLogicalVolumes = iif(isnotempty(resourceTags.[\\\"{4}\\\"]),resourceTags.[\\\"{4}\\\"], \\\"No logical volumes excluded\\\") | where excludedLogicalVolumes !has Disk | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue > appliedThreshold | project TimeGenerated, Computer, _ResourceId, Disk, AggregatedValue, appliedThreshold, excludedLogicalVolumes', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-ReadLatencyMs-OS-threshold-Override_', '_amba-ExcludedLogicalVolumes-ReadLatency_')]\"\r\n },\r\n {\r\n \"field\": \"identity.userAssignedIdentities\",\r\n \"containsKey\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n ]\r\n },\r\n \"deployment\": {\r\n \"location\": \"northeurope\",\r\n \"properties\": {\r\n \"mode\": \"incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"object\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n },\r\n \"severity\": {\r\n \"type\": \"String\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Resources/resourceGroups\",\r\n \"apiVersion\": \"2021-04-01\",\r\n \"name\": \"[[parameters('alertResourceGroupName')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"tags\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n {\r\n \"type\": \"Microsoft.Resources/deployments\",\r\n \"apiVersion\": \"2019-10-01\",\r\n \"name\": \"HybridVMOSDiskreadLatencyAlert\",\r\n \"resourceGroup\": \"[[parameters('alertResourceGroupName')]\",\r\n \"dependsOn\": [\r\n \"[[concat('Microsoft.Resources/resourceGroups/', parameters('alertResourceGroupName'))]\"\r\n ],\r\n \"properties\": {\r\n \"mode\": \"Incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"apiVersion\": \"2022-08-01-preview\",\r\n \"name\": \"[[concat(subscription().displayName, '-HybridVMHighOSDiskReadLatencyAlert')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"identity\": {\r\n \"type\": \"UserAssigned\",\r\n \"userAssignedIdentities\": {\r\n \"[[parameters('UAMIResourceId')]\": {}\r\n }\r\n },\r\n \"tags\": {\r\n \"_deployed_by_amba\": true\r\n },\r\n \"properties\": {\r\n \"displayName\": \"[[concat(subscription().displayName, '-HybridVMHighOSDiskReadLatencyAlert')]\",\r\n \"description\": \"Log Alert for Virtual Machine OSDiskreadLatency\",\r\n \"severity\": \"[[parameters('severity')]\",\r\n \"enabled\": \"[[parameters('enabled')]\",\r\n \"scopes\": [\r\n \"[[subscription().Id]\"\r\n ],\r\n \"targetResourceTypes\": [\r\n \"Microsoft.HybridCompute/machines\"\r\n ],\r\n \"evaluationFrequency\": \"[[parameters('evaluationFrequency')]\",\r\n \"windowSize\": \"[[parameters('windowSize')]\",\r\n \"criteria\": {\r\n \"allOf\": [\r\n {\r\n \"query\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.HybridCompute/machines\\\" | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.HybridCompute/machines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"LogicalDisk\\\" and Name == \\\"ReadLatencyMs\\\" | extend Disk=tostring(todynamic(Tags)[\\\"vm.azm.ms/mountId\\\"]) | where Disk in (\\\"C:\\\", \\\"/\\\") | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, Disk | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend excludedLogicalVolumes = iif(isnotempty(resourceTags.[\\\"{4}\\\"]),resourceTags.[\\\"{4}\\\"], \\\"No logical volumes excluded\\\") | where excludedLogicalVolumes !has Disk | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue > appliedThreshold | project TimeGenerated, Computer, _ResourceId, Disk, AggregatedValue, appliedThreshold, excludedLogicalVolumes', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-ReadLatencyMs-OS-threshold-Override_', '_amba-ExcludedLogicalVolumes-ReadLatency_')]\",\r\n \"threshold\": 0,\r\n \"operator\": \"[[parameters('operator')]\",\r\n \"resourceIdColumn\": \"_ResourceId\",\r\n \"timeAggregation\": \"[[parameters('timeAggregation')]\",\r\n \"dimensions\": [\r\n {\r\n \"name\": \"Computer\",\r\n \"operator\": \"Include\",\r\n \"values\": [\r\n \"*\"\r\n ]\r\n },\r\n {\r\n \"name\": \"Disk\",\r\n \"operator\": \"Include\",\r\n \"values\": [\r\n \"*\"\r\n ]\r\n }\r\n ],\r\n \"failingPeriods\": {\r\n \"numberOfEvaluationPeriods\": \"[[parameters('evaluationPeriods')]\",\r\n \"minFailingPeriodsToAlert\": \"[[parameters('failingPeriods')]\"\r\n }\r\n }\r\n ]\r\n },\r\n \"autoMitigate\": \"[[parameters('autoMitigate')]\",\r\n \"checkWorkspaceAlertsStorageConfigured\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\",\r\n \"ruleResolveConfiguration\": {\r\n \"autoResolved\": \"[[parameters('autoResolve')]\",\r\n \"timeToResolve\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"value\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"operator\": {\r\n \"value\": \"[[parameters('operator')]\"\r\n },\r\n \"timeAggregation\": {\r\n \"value\": \"[[parameters('timeAggregation')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n}\r\n", + "$fxv#7": "{\r\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\r\n \"apiVersion\": \"2021-06-01\",\r\n \"name\": \"Deploy_Hybrid_VM_OSDiskSpace_Alert\",\r\n \"properties\": {\r\n \"policyType\": \"Custom\",\r\n \"mode\": \"All\",\r\n \"displayName\": \"Deploy Hybrid VM OS Disk Space Alert\",\r\n \"description\": \"Policy to audit/deploy Hybrid VM OS Disk Space Alert\",\r\n \"metadata\": {\r\n \"version\": \"1.6.0\",\r\n \"category\": \"Hybrid Compute\",\r\n \"source\": \"https://github.com/Azure/azure-monitor-baseline-alerts/\",\r\n \"alzCloudEnvironments\": [\r\n \"AzureCloud\"\r\n ],\r\n \"_deployed_by_amba\": \"True\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Name\",\r\n \"description\": \"Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"rg-amba-monitoring-001\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"Object\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Tags\",\r\n \"description\": \"Tags on the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": {\r\n \"Project\": \"amba-monitoring\"\r\n }\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Location\",\r\n \"description\": \"Location of the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"centralus\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\",\r\n \"defaultValue\": \"\",\r\n \"metadata\": {\r\n \"description\": \"The resource Id of the user assigned managed identity.\",\r\n \"displayName\": \"User Assigned managed Identity resource Id.\"\r\n }\r\n },\r\n \"severity\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Severity\",\r\n \"description\": \"Severity of the Alert\"\r\n },\r\n \"allowedValues\": [\r\n \"0\",\r\n \"1\",\r\n \"2\",\r\n \"3\",\r\n \"4\"\r\n ],\r\n \"defaultValue\": \"2\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Operator\"\r\n },\r\n \"allowedValues\": [\r\n \"GreaterThan\"\r\n ],\r\n \"defaultValue\": \"GreaterThan\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"TimeAggregation\"\r\n },\r\n \"allowedValues\": [\r\n \"Count\"\r\n ],\r\n \"defaultValue\": \"Count\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Window Size\",\r\n \"description\": \"Window size for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\",\r\n \"PT6H\",\r\n \"PT12H\",\r\n \"PT24H\"\r\n ],\r\n \"defaultValue\": \"PT15M\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Frequency\",\r\n \"description\": \"Evaluation frequency for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\"\r\n ],\r\n \"defaultValue\": \"PT5M\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Mitigate\",\r\n \"description\": \"Auto Mitigate for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Require a workspace linked storage\",\r\n \"description\": \"Don't create the alert rule if the Log Analytics workspace doesn't have a configured linked storage account (relevant if you're using Customer Managed Keys).\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"false\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve time for the alert in ISO 8601 format\"\r\n },\r\n \"defaultValue\": \"true\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Alert State\",\r\n \"description\": \"Alert state for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Threshold\",\r\n \"description\": \"Threshold for the alert\"\r\n },\r\n \"defaultValue\": \"10\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Failing Periods\",\r\n \"description\": \"Number of failing periods before alert is fired\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Periods\",\r\n \"description\": \"The number of aggregated lookback points.\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"effect\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Effect\",\r\n \"description\": \"Effect of the policy\"\r\n },\r\n \"allowedValues\": [\r\n \"deployIfNotExists\",\r\n \"disabled\"\r\n ],\r\n \"defaultValue\": \"deployIfNotExists\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag name\",\r\n \"description\": \"Tag name to disable monitoring. Set to true if monitoring should be disabled\"\r\n },\r\n \"defaultValue\": \"MonitorDisable\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag values(s)\",\r\n \"description\": \"Tag value(s) used to disable monitoring at the resource level. Set to true if monitoring should be disabled.\"\r\n },\r\n \"defaultValue\": [\r\n \"true\",\r\n \"Test\",\r\n \"Dev\",\r\n \"Sandbox\"\r\n ]\r\n }\r\n },\r\n \"policyRule\": {\r\n \"if\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"type\",\r\n \"equals\": \"Microsoft.HybridCompute/machines\"\r\n },\r\n {\r\n \"field\": \"[[concat('tags[', parameters('MonitorDisableTagName'), ']')]\",\r\n \"notIn\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n ]\r\n },\r\n \"then\": {\r\n \"effect\": \"[[parameters('effect')]\",\r\n \"details\": {\r\n \"roleDefinitionIds\": [\r\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\r\n ],\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"existenceScope\": \"resourceGroup\",\r\n \"resourceGroupName\": \"[[parameters('alertResourceGroupName')]\",\r\n \"deploymentScope\": \"subscription\",\r\n \"existenceCondition\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/displayName\",\r\n \"equals\": \"[[concat(subscription().displayName, '-HybridVMLowOSDiskSpaceAlert')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/scopes[*]\",\r\n \"equals\": \"[[subscription().id]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/enabled\",\r\n \"equals\": \"[[parameters('enabled')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/evaluationFrequency\",\r\n \"equals\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/windowSize\",\r\n \"equals\": \"[[parameters('windowSize')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/severity\",\r\n \"equals\": \"[[parameters('severity')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/autoMitigate\",\r\n \"equals\": \"[[parameters('autoMitigate')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/checkWorkspaceAlertsStorageConfigured\",\r\n \"equals\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].operator\",\r\n \"equals\": \"[[parameters('operator')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].timeAggregation\",\r\n \"equals\": \"[[parameters('timeAggregation')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.numberOfEvaluationPeriods\",\r\n \"equals\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.minFailingPeriodsToAlert\",\r\n \"equals\": \"[[parameters('failingPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].query\",\r\n \"equals\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.HybridCompute/machines\\\" | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.HybridCompute/machines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"LogicalDisk\\\" and Name == \\\"FreeSpacePercentage\\\" | extend Disk=tostring(todynamic(Tags)[\\\"vm.azm.ms/mountId\\\"]) | where Disk in (\\\"C:\\\", \\\"/\\\") | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, Disk | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend excludedLogicalVolumes = iif(isnotempty(resourceTags.[\\\"{4}\\\"]),resourceTags.[\\\"{4}\\\"], \\\"No logical volumes excluded\\\") | where excludedLogicalVolumes !has Disk | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue < appliedThreshold | project TimeGenerated, Computer, _ResourceId, Disk, AggregatedValue, appliedThreshold, excludedLogicalVolumes', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-FreeSpacePercentage-OS-threshold-Override_', '_amba-ExcludedLogicalVolumes-DiskSpace_')]\"\r\n },\r\n {\r\n \"field\": \"identity.userAssignedIdentities\",\r\n \"containsKey\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n ]\r\n },\r\n \"deployment\": {\r\n \"location\": \"northeurope\",\r\n \"properties\": {\r\n \"mode\": \"incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"object\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n },\r\n \"severity\": {\r\n \"type\": \"String\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Resources/resourceGroups\",\r\n \"apiVersion\": \"2021-04-01\",\r\n \"name\": \"[[parameters('alertResourceGroupName')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"tags\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n {\r\n \"type\": \"Microsoft.Resources/deployments\",\r\n \"apiVersion\": \"2019-10-01\",\r\n \"name\": \"HybridVMOSDiskSpaceAlert\",\r\n \"resourceGroup\": \"[[parameters('alertResourceGroupName')]\",\r\n \"dependsOn\": [\r\n \"[[concat('Microsoft.Resources/resourceGroups/', parameters('alertResourceGroupName'))]\"\r\n ],\r\n \"properties\": {\r\n \"mode\": \"Incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"apiVersion\": \"2022-08-01-preview\",\r\n \"name\": \"[[concat(subscription().displayName, '-HybridVMLowOSDiskSpaceAlert')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"identity\": {\r\n \"type\": \"UserAssigned\",\r\n \"userAssignedIdentities\": {\r\n \"[[parameters('UAMIResourceId')]\": {}\r\n }\r\n },\r\n \"tags\": {\r\n \"_deployed_by_amba\": true\r\n },\r\n \"properties\": {\r\n \"displayName\": \"[[concat(subscription().displayName, '-HybridVMLowOSDiskSpaceAlert')]\",\r\n \"description\": \"Log Alert for Virtual Machine OSDiskSpace\",\r\n \"severity\": \"[[parameters('severity')]\",\r\n \"enabled\": \"[[parameters('enabled')]\",\r\n \"scopes\": [\r\n \"[[subscription().Id]\"\r\n ],\r\n \"targetResourceTypes\": [\r\n \"Microsoft.HybridCompute/machines\"\r\n ],\r\n \"evaluationFrequency\": \"[[parameters('evaluationFrequency')]\",\r\n \"windowSize\": \"[[parameters('windowSize')]\",\r\n \"criteria\": {\r\n \"allOf\": [\r\n {\r\n \"query\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.HybridCompute/machines\\\" | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.HybridCompute/machines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"LogicalDisk\\\" and Name == \\\"FreeSpacePercentage\\\" | extend Disk=tostring(todynamic(Tags)[\\\"vm.azm.ms/mountId\\\"]) | where Disk in (\\\"C:\\\", \\\"/\\\") | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, Disk | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend excludedLogicalVolumes = iif(isnotempty(resourceTags.[\\\"{4}\\\"]),resourceTags.[\\\"{4}\\\"], \\\"No logical volumes excluded\\\") | where excludedLogicalVolumes !has Disk | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue < appliedThreshold | project TimeGenerated, Computer, _ResourceId, Disk, AggregatedValue, appliedThreshold, excludedLogicalVolumes', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-FreeSpacePercentage-OS-threshold-Override_', '_amba-ExcludedLogicalVolumes-DiskSpace_')]\",\r\n \"threshold\": 0,\r\n \"operator\": \"[[parameters('operator')]\",\r\n \"resourceIdColumn\": \"_ResourceId\",\r\n \"timeAggregation\": \"[[parameters('timeAggregation')]\",\r\n \"dimensions\": [\r\n {\r\n \"name\": \"Computer\",\r\n \"operator\": \"Include\",\r\n \"values\": [\r\n \"*\"\r\n ]\r\n },\r\n {\r\n \"name\": \"Disk\",\r\n \"operator\": \"Include\",\r\n \"values\": [\r\n \"*\"\r\n ]\r\n }\r\n ],\r\n \"failingPeriods\": {\r\n \"numberOfEvaluationPeriods\": \"[[parameters('evaluationPeriods')]\",\r\n \"minFailingPeriodsToAlert\": \"[[parameters('failingPeriods')]\"\r\n }\r\n }\r\n ]\r\n },\r\n \"autoMitigate\": \"[[parameters('autoMitigate')]\",\r\n \"checkWorkspaceAlertsStorageConfigured\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\",\r\n \"ruleResolveConfiguration\": {\r\n \"autoResolved\": \"[[parameters('autoResolve')]\",\r\n \"timeToResolve\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"value\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"operator\": {\r\n \"value\": \"[[parameters('operator')]\"\r\n },\r\n \"timeAggregation\": {\r\n \"value\": \"[[parameters('timeAggregation')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n}\r\n", + "$fxv#8": "{\r\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\r\n \"apiVersion\": \"2021-06-01\",\r\n \"name\": \"Deploy_Hybrid_VM_OSDiskwriteLatency_Alert\",\r\n \"properties\": {\r\n \"policyType\": \"Custom\",\r\n \"mode\": \"All\",\r\n \"displayName\": \"Deploy Hybrid VM OS Disk Write Latency Alert\",\r\n \"description\": \"Policy to audit/deploy Hybrid VM OS Disk Write Latency Alert\",\r\n \"metadata\": {\r\n \"version\": \"1.6.0\",\r\n \"category\": \"Hybrid Compute\",\r\n \"source\": \"https://github.com/Azure/azure-monitor-baseline-alerts/\",\r\n \"alzCloudEnvironments\": [\r\n \"AzureCloud\"\r\n ],\r\n \"_deployed_by_amba\": \"True\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Name\",\r\n \"description\": \"Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"rg-amba-monitoring-001\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"Object\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Tags\",\r\n \"description\": \"Tags on the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": {\r\n \"Project\": \"amba-monitoring\"\r\n }\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Location\",\r\n \"description\": \"Location of the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"centralus\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\",\r\n \"defaultValue\": \"\",\r\n \"metadata\": {\r\n \"description\": \"The resource Id of the user assigned managed identity.\",\r\n \"displayName\": \"User Assigned managed Identity resource Id.\"\r\n }\r\n },\r\n \"severity\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Severity\",\r\n \"description\": \"Severity of the Alert\"\r\n },\r\n \"allowedValues\": [\r\n \"0\",\r\n \"1\",\r\n \"2\",\r\n \"3\",\r\n \"4\"\r\n ],\r\n \"defaultValue\": \"2\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Operator\"\r\n },\r\n \"allowedValues\": [\r\n \"GreaterThan\"\r\n ],\r\n \"defaultValue\": \"GreaterThan\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"TimeAggregation\"\r\n },\r\n \"allowedValues\": [\r\n \"Count\"\r\n ],\r\n \"defaultValue\": \"Count\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Window Size\",\r\n \"description\": \"Window size for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\",\r\n \"PT6H\",\r\n \"PT12H\",\r\n \"PT24H\"\r\n ],\r\n \"defaultValue\": \"PT15M\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Frequency\",\r\n \"description\": \"Evaluation frequency for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\"\r\n ],\r\n \"defaultValue\": \"PT5M\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Mitigate\",\r\n \"description\": \"Auto Mitigate for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Require a workspace linked storage\",\r\n \"description\": \"Don't create the alert rule if the Log Analytics workspace doesn't have a configured linked storage account (relevant if you're using Customer Managed Keys).\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"false\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve time for the alert in ISO 8601 format\"\r\n },\r\n \"defaultValue\": \"true\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Alert State\",\r\n \"description\": \"Alert state for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Threshold\",\r\n \"description\": \"Threshold for the alert\"\r\n },\r\n \"defaultValue\": \"30\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Failing Periods\",\r\n \"description\": \"Number of failing periods before alert is fired\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Periods\",\r\n \"description\": \"The number of aggregated lookback points.\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"effect\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Effect\",\r\n \"description\": \"Effect of the policy\"\r\n },\r\n \"allowedValues\": [\r\n \"deployIfNotExists\",\r\n \"disabled\"\r\n ],\r\n \"defaultValue\": \"deployIfNotExists\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag name\",\r\n \"description\": \"Tag name to disable monitoring. Set to true if monitoring should be disabled\"\r\n },\r\n \"defaultValue\": \"MonitorDisable\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag values(s)\",\r\n \"description\": \"Tag value(s) used to disable monitoring at the resource level. Set to true if monitoring should be disabled.\"\r\n },\r\n \"defaultValue\": [\r\n \"true\",\r\n \"Test\",\r\n \"Dev\",\r\n \"Sandbox\"\r\n ]\r\n }\r\n },\r\n \"policyRule\": {\r\n \"if\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"type\",\r\n \"equals\": \"Microsoft.HybridCompute/machines\"\r\n },\r\n {\r\n \"field\": \"[[concat('tags[', parameters('MonitorDisableTagName'), ']')]\",\r\n \"notIn\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n ]\r\n },\r\n \"then\": {\r\n \"effect\": \"[[parameters('effect')]\",\r\n \"details\": {\r\n \"roleDefinitionIds\": [\r\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\r\n ],\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"existenceScope\": \"resourceGroup\",\r\n \"resourceGroupName\": \"[[parameters('alertResourceGroupName')]\",\r\n \"deploymentScope\": \"subscription\",\r\n \"existenceCondition\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/displayName\",\r\n \"equals\": \"[[concat(subscription().displayName, '-HybridVMHighOSDiskWriteLatencyAlert')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/scopes[*]\",\r\n \"equals\": \"[[subscription().id]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/enabled\",\r\n \"equals\": \"[[parameters('enabled')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/evaluationFrequency\",\r\n \"equals\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/windowSize\",\r\n \"equals\": \"[[parameters('windowSize')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/severity\",\r\n \"equals\": \"[[parameters('severity')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/autoMitigate\",\r\n \"equals\": \"[[parameters('autoMitigate')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/checkWorkspaceAlertsStorageConfigured\",\r\n \"equals\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].operator\",\r\n \"equals\": \"[[parameters('operator')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].timeAggregation\",\r\n \"equals\": \"[[parameters('timeAggregation')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.numberOfEvaluationPeriods\",\r\n \"equals\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.minFailingPeriodsToAlert\",\r\n \"equals\": \"[[parameters('failingPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].query\",\r\n \"equals\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.HybridCompute/machines\\\" | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.HybridCompute/machines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"LogicalDisk\\\" and Name == \\\"WriteLatencyMs\\\" | extend Disk=tostring(todynamic(Tags)[\\\"vm.azm.ms/mountId\\\"]) | where Disk in (\\\"C:\\\", \\\"/\\\") | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, Disk | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend excludedLogicalVolumes = iif(isnotempty(resourceTags.[\\\"{4}\\\"]),resourceTags.[\\\"{4}\\\"], \\\"No logical volumes excluded\\\") | where excludedLogicalVolumes !has Disk | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue > appliedThreshold | project TimeGenerated, Computer, _ResourceId, Disk, AggregatedValue, appliedThreshold, excludedLogicalVolumes', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-WriteLatencyMs-OS-threshold-Override_', '_amba-ExcludedLogicalVolumes-WriteLatency_')]\"\r\n },\r\n {\r\n \"field\": \"identity.userAssignedIdentities\",\r\n \"containsKey\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n ]\r\n },\r\n \"deployment\": {\r\n \"location\": \"northeurope\",\r\n \"properties\": {\r\n \"mode\": \"incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"object\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n },\r\n \"severity\": {\r\n \"type\": \"String\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Resources/resourceGroups\",\r\n \"apiVersion\": \"2021-04-01\",\r\n \"name\": \"[[parameters('alertResourceGroupName')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"tags\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n {\r\n \"type\": \"Microsoft.Resources/deployments\",\r\n \"apiVersion\": \"2019-10-01\",\r\n \"name\": \"HybridVMOSDiskwriteLatencyAlert\",\r\n \"resourceGroup\": \"[[parameters('alertResourceGroupName')]\",\r\n \"dependsOn\": [\r\n \"[[concat('Microsoft.Resources/resourceGroups/', parameters('alertResourceGroupName'))]\"\r\n ],\r\n \"properties\": {\r\n \"mode\": \"Incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"apiVersion\": \"2022-08-01-preview\",\r\n \"name\": \"[[concat(subscription().displayName, '-HybridVMHighOSDiskWriteLatencyAlert')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"identity\": {\r\n \"type\": \"UserAssigned\",\r\n \"userAssignedIdentities\": {\r\n \"[[parameters('UAMIResourceId')]\": {}\r\n }\r\n },\r\n \"tags\": {\r\n \"_deployed_by_amba\": true\r\n },\r\n \"properties\": {\r\n \"displayName\": \"[[concat(subscription().displayName, '-HybridVMHighOSDiskWriteLatencyAlert')]\",\r\n \"description\": \"Log Alert for Virtual Machine OSDiskwriteLatency\",\r\n \"severity\": \"[[parameters('severity')]\",\r\n \"enabled\": \"[[parameters('enabled')]\",\r\n \"scopes\": [\r\n \"[[subscription().Id]\"\r\n ],\r\n \"targetResourceTypes\": [\r\n \"Microsoft.HybridCompute/machines\"\r\n ],\r\n \"evaluationFrequency\": \"[[parameters('evaluationFrequency')]\",\r\n \"windowSize\": \"[[parameters('windowSize')]\",\r\n \"criteria\": {\r\n \"allOf\": [\r\n {\r\n \"query\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.HybridCompute/machines\\\" | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.HybridCompute/machines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"LogicalDisk\\\" and Name == \\\"WriteLatencyMs\\\" | extend Disk=tostring(todynamic(Tags)[\\\"vm.azm.ms/mountId\\\"]) | where Disk in (\\\"C:\\\", \\\"/\\\") | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, Disk | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend excludedLogicalVolumes = iif(isnotempty(resourceTags.[\\\"{4}\\\"]),resourceTags.[\\\"{4}\\\"], \\\"No logical volumes excluded\\\") | where excludedLogicalVolumes !has Disk | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue > appliedThreshold | project TimeGenerated, Computer, _ResourceId, Disk, AggregatedValue, appliedThreshold, excludedLogicalVolumes', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-WriteLatencyMs-OS-threshold-Override_', '_amba-ExcludedLogicalVolumes-WriteLatency_')]\",\r\n \"threshold\": 0,\r\n \"operator\": \"[[parameters('operator')]\",\r\n \"resourceIdColumn\": \"_ResourceId\",\r\n \"timeAggregation\": \"[[parameters('timeAggregation')]\",\r\n \"dimensions\": [\r\n {\r\n \"name\": \"Computer\",\r\n \"operator\": \"Include\",\r\n \"values\": [\r\n \"*\"\r\n ]\r\n },\r\n {\r\n \"name\": \"Disk\",\r\n \"operator\": \"Include\",\r\n \"values\": [\r\n \"*\"\r\n ]\r\n }\r\n ],\r\n \"failingPeriods\": {\r\n \"numberOfEvaluationPeriods\": \"[[parameters('evaluationPeriods')]\",\r\n \"minFailingPeriodsToAlert\": \"[[parameters('failingPeriods')]\"\r\n }\r\n }\r\n ]\r\n },\r\n \"autoMitigate\": \"[[parameters('autoMitigate')]\",\r\n \"checkWorkspaceAlertsStorageConfigured\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\",\r\n \"ruleResolveConfiguration\": {\r\n \"autoResolved\": \"[[parameters('autoResolve')]\",\r\n \"timeToResolve\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"value\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"operator\": {\r\n \"value\": \"[[parameters('operator')]\"\r\n },\r\n \"timeAggregation\": {\r\n \"value\": \"[[parameters('timeAggregation')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n}\r\n", "$fxv#9": "{\r\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\r\n \"apiVersion\": \"2021-06-01\",\r\n \"name\": \"Deploy_Hybrid_VM_CPU_Alert\",\r\n \"properties\": {\r\n \"policyType\": \"Custom\",\r\n \"mode\": \"All\",\r\n \"displayName\": \"Deploy Hybrid VM CPU Alert\",\r\n \"description\": \"Policy to audit/deploy Hybrid VM CPU Alert\",\r\n \"metadata\": {\r\n \"version\": \"1.5.0\",\r\n \"category\": \"Hybrid Compute\",\r\n \"source\": \"https://github.com/Azure/azure-monitor-baseline-alerts/\",\r\n \"alzCloudEnvironments\": [\r\n \"AzureCloud\"\r\n ],\r\n \"_deployed_by_amba\": \"True\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Name\",\r\n \"description\": \"Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"rg-amba-monitoring-001\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"Object\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Tags\",\r\n \"description\": \"Tags on the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": {\r\n \"Project\": \"amba-monitoring\"\r\n }\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Resource Group Location\",\r\n \"description\": \"Location of the Resource group the alert is placed in\"\r\n },\r\n \"defaultValue\": \"centralus\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\",\r\n \"defaultValue\": \"\",\r\n \"metadata\": {\r\n \"description\": \"The resource Id of the user assigned managed identity.\",\r\n \"displayName\": \"User Assigned managed Identity resource Id.\"\r\n }\r\n },\r\n \"severity\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Severity\",\r\n \"description\": \"Severity of the Alert\"\r\n },\r\n \"allowedValues\": [\r\n \"0\",\r\n \"1\",\r\n \"2\",\r\n \"3\",\r\n \"4\"\r\n ],\r\n \"defaultValue\": \"2\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Operator\"\r\n },\r\n \"allowedValues\": [\r\n \"GreaterThan\"\r\n ],\r\n \"defaultValue\": \"GreaterThan\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"TimeAggregation\"\r\n },\r\n \"allowedValues\": [\r\n \"Count\"\r\n ],\r\n \"defaultValue\": \"Count\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Window Size\",\r\n \"description\": \"Window size for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\",\r\n \"PT6H\",\r\n \"PT12H\",\r\n \"PT24H\"\r\n ],\r\n \"defaultValue\": \"PT15M\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Frequency\",\r\n \"description\": \"Evaluation frequency for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"PT5M\",\r\n \"PT15M\",\r\n \"PT30M\",\r\n \"PT1H\"\r\n ],\r\n \"defaultValue\": \"PT5M\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Mitigate\",\r\n \"description\": \"Auto Mitigate for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Require a workspace linked storage\",\r\n \"description\": \"Don't create the alert rule if the Log Analytics workspace doesn't have a configured linked storage account (relevant if you're using Customer Managed Keys).\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"false\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Auto Resolve\",\r\n \"description\": \"Auto Resolve time for the alert in ISO 8601 format\"\r\n },\r\n \"defaultValue\": \"true\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Alert State\",\r\n \"description\": \"Alert state for the alert\"\r\n },\r\n \"allowedValues\": [\r\n \"true\",\r\n \"false\"\r\n ],\r\n \"defaultValue\": \"true\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Threshold\",\r\n \"description\": \"Threshold for the alert\"\r\n },\r\n \"defaultValue\": \"85\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Failing Periods\",\r\n \"description\": \"Number of failing periods before alert is fired\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Evaluation Periods\",\r\n \"description\": \"The number of aggregated lookback points.\"\r\n },\r\n \"defaultValue\": \"1\"\r\n },\r\n \"effect\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"Effect\",\r\n \"description\": \"Effect of the policy\"\r\n },\r\n \"allowedValues\": [\r\n \"deployIfNotExists\",\r\n \"disabled\"\r\n ],\r\n \"defaultValue\": \"deployIfNotExists\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag name\",\r\n \"description\": \"Tag name to disable monitoring. Set to true if monitoring should be disabled\"\r\n },\r\n \"defaultValue\": \"MonitorDisable\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\",\r\n \"metadata\": {\r\n \"displayName\": \"ALZ Monitoring disabled tag values(s)\",\r\n \"description\": \"Tag value(s) used to disable monitoring at the resource level. Set to true if monitoring should be disabled.\"\r\n },\r\n \"defaultValue\": [\r\n \"true\",\r\n \"Test\",\r\n \"Dev\",\r\n \"Sandbox\"\r\n ]\r\n }\r\n },\r\n \"policyRule\": {\r\n \"if\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"type\",\r\n \"equals\": \"Microsoft.HybridCompute/machines\"\r\n },\r\n {\r\n \"field\": \"[[concat('tags[', parameters('MonitorDisableTagName'), ']')]\",\r\n \"notIn\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n ]\r\n },\r\n \"then\": {\r\n \"effect\": \"[[parameters('effect')]\",\r\n \"details\": {\r\n \"roleDefinitionIds\": [\r\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\r\n ],\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"existenceScope\": \"resourceGroup\",\r\n \"resourceGroupName\": \"[[parameters('alertResourceGroupName')]\",\r\n \"deploymentScope\": \"subscription\",\r\n \"existenceCondition\": {\r\n \"allOf\": [\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/displayName\",\r\n \"equals\": \"[[concat(subscription().displayName, '-HybridVMHighCPUAlert')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/scopes[*]\",\r\n \"equals\": \"[[subscription().id]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/enabled\",\r\n \"equals\": \"[[parameters('enabled')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/evaluationFrequency\",\r\n \"equals\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/windowSize\",\r\n \"equals\": \"[[parameters('windowSize')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/severity\",\r\n \"equals\": \"[[parameters('severity')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/autoMitigate\",\r\n \"equals\": \"[[parameters('autoMitigate')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/checkWorkspaceAlertsStorageConfigured\",\r\n \"equals\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].operator\",\r\n \"equals\": \"[[parameters('operator')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].timeAggregation\",\r\n \"equals\": \"[[parameters('timeAggregation')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.numberOfEvaluationPeriods\",\r\n \"equals\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.minFailingPeriodsToAlert\",\r\n \"equals\": \"[[parameters('failingPeriods')]\"\r\n },\r\n {\r\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].query\",\r\n \"equals\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.HybridCompute/machines\\\" | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.HybridCompute/machines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"Processor\\\" and Name == \\\"UtilizationPercentage\\\" | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue > appliedThreshold | project TimeGenerated, Computer, _ResourceId, AggregatedValue, appliedThreshold', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-UtilizationPercentage-threshold-Override_')]\"\r\n },\r\n {\r\n \"field\": \"identity.userAssignedIdentities\",\r\n \"containsKey\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n ]\r\n },\r\n \"deployment\": {\r\n \"location\": \"northeurope\",\r\n \"properties\": {\r\n \"mode\": \"incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"type\": \"object\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n },\r\n \"severity\": {\r\n \"type\": \"String\"\r\n },\r\n \"windowSize\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoMitigate\": {\r\n \"type\": \"String\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolve\": {\r\n \"type\": \"String\"\r\n },\r\n \"autoResolveTime\": {\r\n \"type\": \"String\"\r\n },\r\n \"enabled\": {\r\n \"type\": \"String\"\r\n },\r\n \"threshold\": {\r\n \"type\": \"String\"\r\n },\r\n \"operator\": {\r\n \"type\": \"String\"\r\n },\r\n \"timeAggregation\": {\r\n \"type\": \"String\"\r\n },\r\n \"failingPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"type\": \"String\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"type\": \"Array\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Resources/resourceGroups\",\r\n \"apiVersion\": \"2021-04-01\",\r\n \"name\": \"[[parameters('alertResourceGroupName')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"tags\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n {\r\n \"type\": \"Microsoft.Resources/deployments\",\r\n \"apiVersion\": \"2019-10-01\",\r\n \"name\": \"HybridVMCPUAlert\",\r\n \"resourceGroup\": \"[[parameters('alertResourceGroupName')]\",\r\n \"dependsOn\": [\r\n \"[[concat('Microsoft.Resources/resourceGroups/', parameters('alertResourceGroupName'))]\"\r\n ],\r\n \"properties\": {\r\n \"mode\": \"Incremental\",\r\n \"template\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"1.0.0.0\",\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"type\": \"string\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"type\": \"string\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"type\": \"string\"\r\n }\r\n },\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\r\n \"apiVersion\": \"2022-08-01-preview\",\r\n \"name\": \"[[concat(subscription().displayName, '-HybridVMHighCPUAlert')]\",\r\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\r\n \"identity\": {\r\n \"type\": \"UserAssigned\",\r\n \"userAssignedIdentities\": {\r\n \"[[parameters('UAMIResourceId')]\": {}\r\n }\r\n },\r\n \"tags\": {\r\n \"_deployed_by_amba\": true\r\n },\r\n \"properties\": {\r\n \"displayName\": \"[[concat(subscription().displayName, '-HybridVMHighCPUAlert')]\",\r\n \"description\": \"Log Alert for Virtual Machine CPU\",\r\n \"severity\": \"[[parameters('severity')]\",\r\n \"enabled\": \"[[parameters('enabled')]\",\r\n \"scopes\": [\r\n \"[[subscription().Id]\"\r\n ],\r\n \"targetResourceTypes\": [\r\n \"Microsoft.HybridCompute/machines\"\r\n ],\r\n \"evaluationFrequency\": \"[[parameters('evaluationFrequency')]\",\r\n \"windowSize\": \"[[parameters('windowSize')]\",\r\n \"criteria\": {\r\n \"allOf\": [\r\n {\r\n \"query\": \"[[format('let policyThresholdString = \\\"{0}\\\"; let resourceTagging = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.HybridCompute/machines\\\" | where tags.[\\\"{1}\\\"] !in~ (\\\"{2}\\\") | project _ResourceId = tolower(id), resourceTags = tags); InsightsMetrics | where _ResourceId has \\\"Microsoft.HybridCompute/machines\\\" | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"Processor\\\" and Name == \\\"UtilizationPercentage\\\" | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId | join hint.remote=left kind=inner (resourceTagging ) on _ResourceId | project-away _ResourceId1 | extend newThresholdString = tostring(resourceTags.[\\\"{3}\\\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue > appliedThreshold | project TimeGenerated, Computer, _ResourceId, AggregatedValue, appliedThreshold', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), '_amba-UtilizationPercentage-threshold-Override_')]\",\r\n \"threshold\": 0,\r\n \"operator\": \"[[parameters('operator')]\",\r\n \"resourceIdColumn\": \"_ResourceId\",\r\n \"timeAggregation\": \"[[parameters('timeAggregation')]\",\r\n \"dimensions\": [\r\n {\r\n \"name\": \"Computer\",\r\n \"operator\": \"Include\",\r\n \"values\": [\r\n \"*\"\r\n ]\r\n }\r\n ],\r\n \"failingPeriods\": {\r\n \"numberOfEvaluationPeriods\": \"[[parameters('evaluationPeriods')]\",\r\n \"minFailingPeriodsToAlert\": \"[[parameters('failingPeriods')]\"\r\n }\r\n }\r\n ]\r\n },\r\n \"autoMitigate\": \"[[parameters('autoMitigate')]\",\r\n \"checkWorkspaceAlertsStorageConfigured\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\",\r\n \"ruleResolveConfiguration\": {\r\n \"autoResolved\": \"[[parameters('autoResolve')]\",\r\n \"timeToResolve\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"parameters\": {\r\n \"alertResourceGroupName\": {\r\n \"value\": \"[[parameters('alertResourceGroupName')]\"\r\n },\r\n \"alertResourceGroupTags\": {\r\n \"value\": \"[[parameters('alertResourceGroupTags')]\"\r\n },\r\n \"alertResourceGroupLocation\": {\r\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\r\n },\r\n \"UAMIResourceId\": {\r\n \"value\": \"[[parameters('UAMIResourceId')]\"\r\n },\r\n \"severity\": {\r\n \"value\": \"[[parameters('severity')]\"\r\n },\r\n \"windowSize\": {\r\n \"value\": \"[[parameters('windowSize')]\"\r\n },\r\n \"evaluationFrequency\": {\r\n \"value\": \"[[parameters('evaluationFrequency')]\"\r\n },\r\n \"autoMitigate\": {\r\n \"value\": \"[[parameters('autoMitigate')]\"\r\n },\r\n \"checkWorkspaceAlertsStorageConfigured\": {\r\n \"value\": \"[[parameters('checkWorkspaceAlertsStorageConfigured')]\"\r\n },\r\n \"autoResolve\": {\r\n \"value\": \"[[parameters('autoResolve')]\"\r\n },\r\n \"autoResolveTime\": {\r\n \"value\": \"[[parameters('autoResolveTime')]\"\r\n },\r\n \"enabled\": {\r\n \"value\": \"[[parameters('enabled')]\"\r\n },\r\n \"threshold\": {\r\n \"value\": \"[[parameters('threshold')]\"\r\n },\r\n \"operator\": {\r\n \"value\": \"[[parameters('operator')]\"\r\n },\r\n \"timeAggregation\": {\r\n \"value\": \"[[parameters('timeAggregation')]\"\r\n },\r\n \"failingPeriods\": {\r\n \"value\": \"[[parameters('failingPeriods')]\"\r\n },\r\n \"evaluationPeriods\": {\r\n \"value\": \"[[parameters('evaluationPeriods')]\"\r\n },\r\n \"MonitorDisableTagName\": {\r\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\r\n },\r\n \"MonitorDisableTagValues\": {\r\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n}\r\n", "cloudEnv": "[environment().name]", "defaultDeploymentLocationByCloudType": { diff --git a/patterns/alz/policyDefinitions/policySets.json b/patterns/alz/policyDefinitions/policySets.json index 9f50678ea..7cfcca2d0 100644 --- a/patterns/alz/policyDefinitions/policySets.json +++ b/patterns/alz/policyDefinitions/policySets.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.33.13.18514", - "templateHash": "14673214159201572916" + "templateHash": "10089845342868886825" } }, "parameters": { @@ -6283,4 +6283,4 @@ } } } -} +} \ No newline at end of file