Webhooks for Azure activity log alerts

As part of the definition of an action group, you can configure webhook endpoints to receive activity log alert notifications. With webhooks, you can route these notifications to other systems for post-processing or custom actions. This article shows what the payload of the HTTP POST sent to a webhook looks like.

For more information on activity log alerts, see how to create Azure activity log alerts.

For information on action groups, see how to create action groups.

Note

You can also use the common alert schema for your webhook integrations. It has the advantage of a single, extensible, unified alert payload across all the alert services in Azure Monitor. Learn about the common alert schema definitions.

Authenticate the webhook

The webhook can optionally use token-based authorization for authentication. The webhook URI is saved with a token ID, for example, https://mysamplealert/webcallback?tokenid=sometokenid&someparameter=somevalue. The receiving endpoint should treat that token ID as a shared secret: compare it on every request, reject requests where it is missing or does not match, and serve the endpoint over HTTPS so the token is not exposed in transit.

Payload schema

The JSON payload contained in the POST operation differs based on the payload's data.context.activityLog.eventSource field.

Common

{
    "schemaId": "Microsoft.Insights/activityLogs",
    "data": {
        "status": "Activated",
        "context": {
            "activityLog": {
                "channels": "Operation",
                "correlationId": "6ac88262-43be-4adf-a11c-bd2179852898",
                "eventSource": "Administrative",
                "eventTimestamp": "2017-03-29T15:43:08.0019532+00:00",
                "eventDataId": "8195a56a-85de-4663-943e-1a2bf401ad94",
                "level": "Informational",
                "operationName": "Microsoft.Insights/actionGroups/write",
                "operationId": "6ac88262-43be-4adf-a11c-bd2179852898",
                "status": "Started",
                "subStatus": "",
                "subscriptionId": "52c65f65-0518-4d37-9719-7dbbfc68c57a",
                "submissionTimestamp": "2017-03-29T15:43:20.3863637+00:00",
                ...
            }
        },
        "properties": {}
    }
}

Administrative

{
    "schemaId": "Microsoft.Insights/activityLogs",
    "data": {
        "status": "Activated",
        "context": {
            "activityLog": {
                "authorization": {
                    "action": "Microsoft.Insights/actionGroups/write",
                    "scope": "/subscriptions/52c65f65-0518-4d37-9719-7dbbfc68c57b/resourceGroups/CONTOSO-TEST/providers/Microsoft.Insights/actionGroups/IncidentActions"
                },
                "claims": "{...}",
                "caller": "me@contoso.com",
                "description": "",
                "httpRequest": "{...}",
                "resourceId": "/subscriptions/52c65f65-0518-4d37-9719-7dbbfc68c57b/resourceGroups/CONTOSO-TEST/providers/Microsoft.Insights/actionGroups/IncidentActions",
                "resourceGroupName": "CONTOSO-TEST",
                "resourceProviderName": "Microsoft.Insights",
                "resourceType": "Microsoft.Insights/actionGroups"
            }
        },
        "properties": {}
    }
}

Security

{
    "schemaId":"Microsoft.Insights/activityLogs",
    "data":{"status":"Activated",
        "context":{
            "activityLog":{
                "channels":"Operation",
                "correlationId":"2518408115673929999",
                "description":"Failed SSH brute force attack. Failed brute force attacks were detected from the following attackers: [\"IP Address: 01.02.03.04\"].  Attackers were trying to access the host with the following user names: [\"root\"].",
                "eventSource":"Security",
                "eventTimestamp":"2017-06-25T19:00:32.607+00:00",
                "eventDataId":"Sec-07f2-4d74-aaf0-03d2f53d5a33",
                "level":"Informational",
                "operationName":"Microsoft.Security/locations/alerts/activate/action",
                "operationId":"Sec-07f2-4d74-aaf0-03d2f53d5a33",
                "properties":{
                    "attackers":"[\"IP Address: 01.02.03.04\"]",
                    "numberOfFailedAuthenticationAttemptsToHost":"456",
                    "accountsUsedOnFailedSignInToHostAttempts":"[\"root\"]",
                    "wasSSHSessionInitiated":"No",
                    "endTimeUTC":"06/25/2017 19:59:39",
                    "actionTaken":"Detected",
                    "resourceType":"Virtual Machine",
                    "severity":"Medium",
                    "compromisedEntity":"LinuxVM1",
                    "remediationSteps":"[In case this is an Azure virtual machine, add the source IP to NSG block list for 24 hours (see https://docs.azure.cn/virtual-network/virtual-network-vnet-plan-design-arm)]",
                    "attackedResourceType":"Virtual Machine"
                },
                "resourceId":"/subscriptions/12345-5645-123a-9867-123b45a6789/resourceGroups/contoso/providers/Microsoft.Security/locations/chinaeast/alerts/Sec-07f2-4d74-aaf0-03d2f53d5a33",
                "resourceGroupName":"contoso",
                "resourceProviderName":"Microsoft.Security",
                "status":"Active",
                "subscriptionId":"12345-5645-123a-9867-123b45a6789",
                "submissionTimestamp":"2017-06-25T20:23:04.9743772+00:00",
                "resourceType":"MICROSOFT.SECURITY/LOCATIONS/ALERTS"
            }
        },
        "properties":{}
    }
}

Recommendation

{
    "schemaId":"Microsoft.Insights/activityLogs",
    "data":{
        "status":"Activated",
        "context":{
            "activityLog":{
                "channels":"Operation",
                "claims":"{\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress\":\"Microsoft.Advisor\"}",
                "caller":"Microsoft.Advisor",
                "correlationId":"123b4c54-11bb-3d65-89f1-0678da7891bd",
                "description":"A new recommendation is available.",
                "eventSource":"Recommendation",
                "eventTimestamp":"2017-06-29T13:52:33.2742943+00:00",
                "httpRequest":"{\"clientIpAddress\":\"0.0.0.0\"}",
                "eventDataId":"1bf234ef-e45f-4567-8bba-fb9b0ee1dbcb",
                "level":"Informational",
                "operationName":"Microsoft.Advisor/recommendations/available/action",
                "properties":{
                    "recommendationSchemaVersion":"1.0",
                    "recommendationCategory":"HighAvailability",
                    "recommendationImpact":"Medium",
                    "recommendationName":"Enable Soft Delete to protect your blob data",
                    "recommendationResourceLink":"https://portal.azure.cn/#blade/Microsoft_Azure_Expert/RecommendationListBlade/recommendationTypeId/12dbf883-5e4b-4f56-7da8-123b45c4b6e6",
                    "recommendationType":"12dbf883-5e4b-4f56-7da8-123b45c4b6e6"
                },
                "resourceId":"/subscriptions/12345-5645-123a-9867-123b45a6789/resourceGroups/contoso/providers/microsoft.storage/storageaccounts/contosoStore",
                "resourceGroupName":"CONTOSO",
                "resourceProviderName":"MICROSOFT.STORAGE",
                "status":"Active",
                "subStatus":"",
                "subscriptionId":"12345-5645-123a-9867-123b45a6789",
                "submissionTimestamp":"2017-06-29T13:52:33.2742943+00:00",
                "resourceType":"MICROSOFT.STORAGE/STORAGEACCOUNTS"
            }
        },
        "properties":{}
    }
}

ServiceHealth

{
    "schemaId": "Microsoft.Insights/activityLogs",
    "data": {
        "status": "Activated",
        "context": {
            "activityLog": {
                "channels": "Admin",
                "correlationId": "bbac944f-ddc0-4b4c-aa85-cc7dc5d5c1a6",
                "description": "Active: Virtual Machines - China East",
                "eventSource": "ServiceHealth",
                "eventTimestamp": "2017-10-18T23:49:25.3736084+00:00",
                "eventDataId": "6fa98c0f-334a-b066-1934-1a4b3d929856",
                "level": "Informational",
                "operationName": "Microsoft.ServiceHealth/incident/action",
                "operationId": "bbac944f-ddc0-4b4c-aa85-cc7dc5d5c1a6",
                "properties": {
                    "title": "Virtual Machines - China East",
                    "service": "Virtual Machines",
                    "region": "China East",
                    "communication": "Starting at 02:48 UTC on 18 Oct 2017 you have been identified as a customer using Virtual Machines in Australia East who may receive errors starting Dv2 Promo and DSv2 Promo Virtual Machines which are in a stopped \"deallocated\" or suspended state. Customers can still provision Dv1 and Dv2 series Virtual Machines or try deploying Virtual Machines in other regions, as a possible workaround. Engineers have identified a possible fix for the underlying cause, and are exploring implementation options. The next update will be provided as events warrant.",
                    "incidentType": "Incident",
                    "trackingId": "0NIH-U2O",
                    "impactStartTime": "2017-10-18T02:48:00.0000000Z",
                    "impactedServices": "[{\"ImpactedRegions\":[{\"RegionName\":\"China East\"}],\"ServiceName\":\"Virtual Machines\"}]",
                    "defaultLanguageTitle": "Virtual Machines - China East",
                    "defaultLanguageContent": "Starting at 02:48 UTC on 18 Oct 2017 you have been identified as a customer using Virtual Machines in Australia East who may receive errors starting Dv2 Promo and DSv2 Promo Virtual Machines which are in a stopped \"deallocated\" or suspended state. Customers can still provision Dv1 and Dv2 series Virtual Machines or try deploying Virtual Machines in other regions, as a possible workaround. Engineers have identified a possible fix for the underlying cause, and are exploring implementation options. The next update will be provided as events warrant.",
                    "stage": "Active",
                    "communicationId": "636439673646212912",
                    "version": "0.1.1"
                },
                "status": "Active",
                "subscriptionId": "45529734-0ed9-4895-a0df-44b59a5a07f9",
                "submissionTimestamp": "2017-10-18T23:49:28.7864349+00:00"
            }
        },
        "properties": {}
    }
}

For specific schema details on service health notification activity log alerts, see Service health notifications. Additionally, learn how to configure service health webhook notifications with your existing problem management solutions.

ResourceHealth

{
    "schemaId": "Microsoft.Insights/activityLogs",
    "data": {
        "status": "Activated",
        "context": {
            "activityLog": {
                "channels": "Admin, Operation",
                "correlationId": "a1be61fd-37ur-ba05-b827-cb874708babf",
                "eventSource": "ResourceHealth",
                "eventTimestamp": "2018-09-04T23:09:03.343+00:00",
                "eventDataId": "2b37e2d0-7bda-4de7-ur8c6-1447d02265b2",
                "level": "Informational",
                "operationName": "Microsoft.Resourcehealth/healthevent/Activated/action",
                "operationId": "2b37e2d0-7bda-489f-81c6-1447d02265b2",
                "properties": {
                    "title": "Virtual Machine health status changed to unavailable",
                    "details": "Virtual machine has experienced an unexpected event",
                    "currentHealthStatus": "Unavailable",
                    "previousHealthStatus": "Available",
                    "type": "Downtime",
                    "cause": "PlatformInitiated"
                },
                "resourceId": "/subscriptions/<subscription Id>/resourceGroups/<resource group>/providers/Microsoft.Compute/virtualMachines/<resource name>",
                "resourceGroupName": "<resource group>",
                "resourceProviderName": "Microsoft.Resourcehealth/healthevent/action",
                "status": "Active",
                "subscriptionId": "<subscription Id>",
                "submissionTimestamp": "2018-09-04T23:11:06.1607287+00:00",
                "resourceType": "Microsoft.Compute/virtualMachines"
            }
        }
    }
}

Element name: Description

status: Used for metric alerts. Always set to "activated" for activity log alerts.
context: Context of the event.
resourceProviderName: The resource provider of the impacted resource.
conditionType: Always "Event".
name: Name of the alert rule.
id: Resource ID of the alert.
description: Alert description set when the alert is created.
subscriptionId: Azure subscription ID.
timestamp: Time at which the event was generated by the Azure service that processed the request.
resourceId: Resource ID of the impacted resource.
resourceGroupName: Name of the resource group for the impacted resource.
properties: Set of <Key, Value> pairs (that is, Dictionary<String, String>) that includes details about the event.
event: Element that contains metadata about the event.
authorization: The Azure role-based access control properties of the event. These properties usually include the action, the role, and the scope.
category: Category of the event. Supported values include Administrative, Alert, Security, ServiceHealth, and Recommendation.
caller: Email address of the user who performed the operation, UPN claim, or SPN claim, depending on availability. Can be null for certain system calls.
correlationId: Usually a GUID in string format. Events that belong to the same larger action usually share a correlationId.
eventDescription: Static text description of the event.
eventDataId: Unique identifier for the event.
eventSource: Name of the Azure service or infrastructure that generated the event.
httpRequest: The request usually includes the clientRequestId, clientIpAddress, and HTTP method (for example, PUT).
level: One of the following values: Critical, Error, Warning, and Informational.
operationId: Usually a GUID shared among the events corresponding to a single operation.
operationName: Name of the operation.
properties: Properties of the event.
status: String. Status of the operation. Common values include Started, In Progress, Succeeded, Failed, Active, and Resolved.
subStatus: Usually includes the HTTP status code of the corresponding REST call. It might also include other strings that describe a substatus. Common substatus values include OK (HTTP Status Code: 200), Created (HTTP Status Code: 201), Accepted (HTTP Status Code: 202), No Content (HTTP Status Code: 204), Bad Request (HTTP Status Code: 400), Not Found (HTTP Status Code: 404), Conflict (HTTP Status Code: 409), Internal Server Error (HTTP Status Code: 500), Service Unavailable (HTTP Status Code: 503), and Gateway Timeout (HTTP Status Code: 504).
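The two steps this page describes, checking the token ID saved in the webhook URI (the "Authenticate the webhook" section) and then branching on data.context.activityLog.eventSource (the "Payload schema" section), combined into one receiver. This is an added example, not code from the Azure documentation or from Azure Monitor itself. EXPECTED_TOKEN, handle_webhook, summarize and the other names are assumptions made for the example, SAMPLE_BODY is a constructed request trimmed from the Security payload shown above, and the HTTP server that would hand the URL and body to handle_webhook is left out so the block runs offline.

```python
import hmac
import json
from urllib.parse import parse_qs, urlparse

# Assumption: the token ID the webhook URI was saved with. Load it from a secret
# store in a real deployment; this placeholder value is for the offline example.
EXPECTED_TOKEN = "sometokenid"
ACTIVITY_LOG_SCHEMA = "Microsoft.Insights/activityLogs"


class WebhookRejected(Exception):
    """Request must be answered with 401/400 instead of being processed."""


def check_token(request_url: str, expected: str = EXPECTED_TOKEN) -> None:
    """Reject requests whose tokenid query parameter does not match.
    compare_digest is constant-time, so response timing does not leak
    how many leading bytes of a guessed token were right."""
    supplied = parse_qs(urlparse(request_url).query).get("tokenid", [""])[0]
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        raise WebhookRejected("bad or missing tokenid")


def parse_alert(body: bytes) -> dict:
    """Validate the envelope and return data.context.activityLog."""
    try:
        payload = json.loads(body)
    except json.JSONDecodeError as exc:
        raise WebhookRejected(f"body is not JSON: {exc}") from exc
    if not isinstance(payload, dict) or payload.get("schemaId") != ACTIVITY_LOG_SCHEMA:
        raise WebhookRejected("unexpected or missing schemaId")
    data = payload.get("data")
    context = data.get("context") if isinstance(data, dict) else None
    log = context.get("activityLog") if isinstance(context, dict) else None
    if not isinstance(log, dict):
        raise WebhookRejected("data.context.activityLog missing")
    return log


def summarize(log: dict) -> dict:
    """Pull out the fields a ticket or SIEM event needs, per eventSource.
    Field names follow the payload samples on this page; a field absent
    from a given payload is reported as None rather than raising."""
    source = log.get("eventSource")
    props = log.get("properties") or {}
    summary = {key: log.get(key) for key in (
        "eventSource", "eventDataId", "level", "operationName",
        "resourceId", "subscriptionId")}
    if source == "Administrative":
        auth = log.get("authorization") or {}
        summary.update(caller=log.get("caller"), action=auth.get("action"),
                       scope=auth.get("scope"))
    elif source == "Security":
        # attackers is a JSON array serialized as a string inside the JSON
        # document, so it has to be decoded a second time.
        try:
            attackers = json.loads(props.get("attackers", "[]"))
        except (json.JSONDecodeError, TypeError):
            attackers = [props.get("attackers")]
        summary.update(severity=props.get("severity"),
                       compromisedEntity=props.get("compromisedEntity"),
                       attackers=attackers)
    elif source in ("ServiceHealth", "ResourceHealth"):
        summary.update(title=props.get("title"), status=log.get("status"))
    elif source == "Recommendation":
        summary.update(recommendationName=props.get("recommendationName"))
    return summary


def handle_webhook(request_url: str, body: bytes) -> dict:
    """Full receive path: authenticate first, then parse, then summarize."""
    check_token(request_url)
    return summarize(parse_alert(body))


def rejected(request_url: str, body: bytes) -> bool:
    """True when handle_webhook refuses the request; used by the checks below."""
    try:
        handle_webhook(request_url, body)
    except WebhookRejected:
        return True
    return False


# Constructed sample request, trimmed from the Security payload shown on this page.
SAMPLE_URL = "https://mysamplealert/webcallback?tokenid=sometokenid&someparameter=somevalue"
SAMPLE_BODY = json.dumps({
    "schemaId": ACTIVITY_LOG_SCHEMA,
    "data": {"status": "Activated", "context": {"activityLog": {
        "eventSource": "Security",
        "eventDataId": "Sec-07f2-4d74-aaf0-03d2f53d5a33",
        "properties": {
            "attackers": "[\"IP Address: 01.02.03.04\"]",
            "severity": "Medium",
            "compromisedEntity": "LinuxVM1",
        },
        "resourceId": "/subscriptions/12345-5645-123a-9867-123b45a6789/resourceGroups/contoso/providers/Microsoft.Security/locations/chinaeast/alerts/Sec-07f2-4d74-aaf0-03d2f53d5a33",
        "subscriptionId": "12345-5645-123a-9867-123b45a6789",
    }}, "properties": {}},
}).encode()

if __name__ == "__main__":
    print(handle_webhook(SAMPLE_URL, SAMPLE_BODY))
```

Two details are worth keeping when adapting this: the token is compared with hmac.compare_digest rather than ==, and the check runs before the body is parsed, so an unauthenticated caller cannot exercise the JSON parser at all. Note also that the attackers property in the Security sample is a JSON array stored as a string inside the JSON document, which is why it is decoded a second time before use.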

For specific schema details on all other activity log alerts, see Overview of the Azure activity log.

Next steps