Configure webhooks to get activity log alerts
While defining an action group, you can configure a webhook endpoint to receive activity log alert notifications. You can use webhooks to route these notifications to other systems for post-processing or custom actions. This article describes what the payload of the HTTP POST to a webhook looks like.
For more information on activity log alerts, see how to create Azure activity log alerts.
For information on action groups, see how to create action groups.
Note
You can also use the common alert schema for your webhook integrations. It provides the advantage of a single, extensible, and unified alert payload across all the alert services in Azure Monitor. Learn about the common alert schema.
Authenticate the webhook
The webhook can optionally use token-based authorization for authentication. The webhook URI is saved with a token ID, for example, https://mysamplealert/webcallback?tokenid=sometokenid&someparameter=somevalue.
Payload schema
The JSON payload contained in the POST operation differs based on the payload's data.context.activityLog.eventSource field.
Note
Currently, the description that is part of the activity log event is copied to the fired Alert Description property.
To align the activity log payload with other alert types, starting April 1, 2021, the fired alert property Description contains the alert rule description instead.
In preparation for that change, we created a new property, Activity Log Event Description, for the activity log fired alert. This new property is populated with the Description property, and it is already available for use. So the new Activity Log Event Description field contains the description that is part of the activity log event.
Review your alert rules, action rules, webhooks, logic apps, or any other configuration where you might be using the Description property from the fired alert. Replace the Description property with the Activity Log Event Description property.
If the condition in your action rules, webhooks, logic apps, or any other configuration is currently based on the Description property for activity log alerts, you might need to modify it to be based on the Activity Log Event Description property instead.
To populate the new Description property, you can add a description in the alert rule definition.
Common
```json
{
  "schemaId": "Microsoft.Insights/activityLogs",
  "data": {
    "status": "Activated",
    "context": {
      "activityLog": {
        "channels": "Operation",
        "correlationId": "aaaa0000-bb11-2222-33cc-444444dddddd",
        "eventSource": "Administrative",
        "eventTimestamp": "2017-03-29T15:43:08.0019532+00:00",
        "eventDataId": "8195a56a-85de-4663-943e-1a2bf401ad94",
        "level": "Informational",
        "operationName": "Microsoft.Insights/actionGroups/write",
        "operationId": "aaaa0000-bb11-2222-33cc-444444dddddd",
        "status": "Started",
        "subStatus": "",
        "subscriptionId": "aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e",
        "submissionTimestamp": "2017-03-29T15:43:20.3863637+00:00",
        ...
      }
    },
    "properties": {}
  }
}
```
Administrative
```json
{
  "schemaId": "Microsoft.Insights/activityLogs",
  "data": {
    "status": "Activated",
    "context": {
      "activityLog": {
        "authorization": {
          "action": "Microsoft.Insights/actionGroups/write",
          "scope": "/subscriptions/bbbb1b1b-cc2c-dd3d-ee4e-ffffff5f5f5f/resourceGroups/CONTOSO-TEST/providers/Microsoft.Insights/actionGroups/IncidentActions"
        },
        "claims": "{...}",
        "caller": "me@contoso.com",
        "description": "",
        "httpRequest": "{...}",
        "resourceId": "/subscriptions/bbbb1b1b-cc2c-dd3d-ee4e-ffffff5f5f5f/resourceGroups/CONTOSO-TEST/providers/Microsoft.Insights/actionGroups/IncidentActions",
        "resourceGroupName": "CONTOSO-TEST",
        "resourceProviderName": "Microsoft.Insights",
        "resourceType": "Microsoft.Insights/actionGroups"
      }
    },
    "properties": {}
  }
}
```
Security
```json
{
  "schemaId": "Microsoft.Insights/activityLogs",
  "data": {
    "status": "Activated",
    "context": {
      "activityLog": {
        "channels": "Operation",
        "correlationId": "2518408115673929999",
        "description": "Failed SSH brute force attack. Failed brute force attacks were detected from the following attackers: [\"IP Address: 01.02.03.04\"]. Attackers were trying to access the host with the following user names: [\"root\"].",
        "eventSource": "Security",
        "eventTimestamp": "2017-06-25T19:00:32.607+00:00",
        "eventDataId": "Sec-07f2-4d74-aaf0-03d2f53d5a33",
        "level": "Informational",
        "operationName": "Microsoft.Security/locations/alerts/activate/action",
        "operationId": "Sec-07f2-4d74-aaf0-03d2f53d5a33",
        "properties": {
          "attackers": "[\"IP Address: 01.02.03.04\"]",
          "numberOfFailedAuthenticationAttemptsToHost": "456",
          "accountsUsedOnFailedSignInToHostAttempts": "[\"root\"]",
          "wasSSHSessionInitiated": "No",
          "endTimeUTC": "06/25/2017 19:59:39",
          "actionTaken": "Detected",
          "resourceType": "Virtual Machine",
          "severity": "Medium",
          "compromisedEntity": "LinuxVM1",
          "remediationSteps": "[In case this is an Azure virtual machine, add the source IP to NSG block list for 24 hours (see https://azure.microsoft.com/documentation/articles/virtual-networks-nsg/)]",
          "attackedResourceType": "Virtual Machine"
        },
        "resourceId": "/subscriptions/12345-5645-123a-9867-123b45a6789/resourceGroups/contoso/providers/Microsoft.Security/locations/centralus/alerts/Sec-07f2-4d74-aaf0-03d2f53d5a33",
        "resourceGroupName": "contoso",
        "resourceProviderName": "Microsoft.Security",
        "status": "Active",
        "subscriptionId": "12345-5645-123a-9867-123b45a6789",
        "submissionTimestamp": "2017-06-25T20:23:04.9743772+00:00",
        "resourceType": "MICROSOFT.SECURITY/LOCATIONS/ALERTS"
      }
    },
    "properties": {}
  }
}
```
Recommendation
```json
{
  "schemaId": "Microsoft.Insights/activityLogs",
  "data": {
    "status": "Activated",
    "context": {
      "activityLog": {
        "channels": "Operation",
        "claims": "{\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress\":\"Microsoft.Advisor\"}",
        "caller": "Microsoft.Advisor",
        "correlationId": "bbbb1111-cc22-3333-44dd-555555eeeeee",
        "description": "A new recommendation is available.",
        "eventSource": "Recommendation",
        "eventTimestamp": "2017-06-29T13:52:33.2742943+00:00",
        "httpRequest": "{\"clientIpAddress\":\"0.0.0.0\"}",
        "eventDataId": "1bf234ef-e45f-4567-8bba-fb9b0ee1dbcb",
        "level": "Informational",
        "operationName": "Microsoft.Advisor/recommendations/available/action",
        "properties": {
          "recommendationSchemaVersion": "1.0",
          "recommendationCategory": "HighAvailability",
          "recommendationImpact": "Medium",
          "recommendationName": "Enable Soft Delete to protect your blob data",
          "recommendationResourceLink": "https://portal.azure.com/#blade/Microsoft_Azure_Expert/RecommendationListBlade/recommendationTypeId/12dbf883-5e4b-4f56-7da8-123b45c4b6e6",
          "recommendationType": "12dbf883-5e4b-4f56-7da8-123b45c4b6e6"
        },
        "resourceId": "/subscriptions/12345-5645-123a-9867-123b45a6789/resourceGroups/contoso/providers/microsoft.storage/storageaccounts/contosoStore",
        "resourceGroupName": "CONTOSO",
        "resourceProviderName": "MICROSOFT.STORAGE",
        "status": "Active",
        "subStatus": "",
        "subscriptionId": "12345-5645-123a-9867-123b45a6789",
        "submissionTimestamp": "2017-06-29T13:52:33.2742943+00:00",
        "resourceType": "MICROSOFT.STORAGE/STORAGEACCOUNTS"
      }
    },
    "properties": {}
  }
}
```
ServiceHealth
```json
{
  "schemaId": "Microsoft.Insights/activityLogs",
  "data": {
    "status": "Activated",
    "context": {
      "activityLog": {
        "channels": "Admin",
        "correlationId": "cccc2222-dd33-4444-55ee-666666ffffff",
        "description": "Active: Virtual Machines - Australia East",
        "eventSource": "ServiceHealth",
        "eventTimestamp": "2017-10-18T23:49:25.3736084+00:00",
        "eventDataId": "6fa98c0f-334a-b066-1934-1a4b3d929856",
        "level": "Informational",
        "operationName": "Microsoft.ServiceHealth/incident/action",
        "operationId": "cccc2222-dd33-4444-55ee-666666ffffff",
        "properties": {
          "title": "Virtual Machines - Australia East",
          "service": "Virtual Machines",
          "region": "Australia East",
          "communication": "Starting at 02:48 UTC on 18 Oct 2017 you have been identified as a customer using Virtual Machines in Australia East who may receive errors starting Dv2 Promo and DSv2 Promo Virtual Machines which are in a stopped \"deallocated\" or suspended state. Customers can still provision Dv1 and Dv2 series Virtual Machines or try deploying Virtual Machines in other regions, as a possible workaround. Engineers have identified a possible fix for the underlying cause, and are exploring implementation options. The next update will be provided as events warrant.",
          "incidentType": "Incident",
          "trackingId": "0NIH-U2O",
          "impactStartTime": "2017-10-18T02:48:00.0000000Z",
          "impactedServices": "[{\"ImpactedRegions\":[{\"RegionName\":\"Australia East\"}],\"ServiceName\":\"Virtual Machines\"}]",
          "defaultLanguageTitle": "Virtual Machines - Australia East",
          "defaultLanguageContent": "Starting at 02:48 UTC on 18 Oct 2017 you have been identified as a customer using Virtual Machines in Australia East who may receive errors starting Dv2 Promo and DSv2 Promo Virtual Machines which are in a stopped \"deallocated\" or suspended state. Customers can still provision Dv1 and Dv2 series Virtual Machines or try deploying Virtual Machines in other regions, as a possible workaround. Engineers have identified a possible fix for the underlying cause, and are exploring implementation options. The next update will be provided as events warrant.",
          "stage": "Active",
          "communicationId": "636439673646212912",
          "version": "0.1.1"
        },
        "status": "Active",
        "subscriptionId": "cccc2c2c-dd3d-ee4e-ff5f-aaaaaa6a6a6a",
        "submissionTimestamp": "2017-10-18T23:49:28.7864349+00:00"
      }
    },
    "properties": {}
  }
}
```
For specific schema details on service health notification activity log alerts, see Service health notifications. You can also learn how to configure service health webhook notifications with your existing problem management solutions.
ResourceHealth
```json
{
  "schemaId": "Microsoft.Insights/activityLogs",
  "data": {
    "status": "Activated",
    "context": {
      "activityLog": {
        "channels": "Admin, Operation",
        "correlationId": "dddd3333-ee44-5555-66ff-777777aaaaaa",
        "eventSource": "ResourceHealth",
        "eventTimestamp": "2018-09-04T23:09:03.343+00:00",
        "eventDataId": "2b37e2d0-7bda-4de7-ur8c6-1447d02265b2",
        "level": "Informational",
        "operationName": "Microsoft.Resourcehealth/healthevent/Activated/action",
        "operationId": "2b37e2d0-7bda-489f-81c6-1447d02265b2",
        "properties": {
          "title": "Virtual Machine health status changed to unavailable",
          "details": "Virtual machine has experienced an unexpected event",
          "currentHealthStatus": "Unavailable",
          "previousHealthStatus": "Available",
          "type": "Downtime",
          "cause": "PlatformInitiated"
        },
        "resourceId": "/subscriptions/<subscription Id>/resourceGroups/<resource group>/providers/Microsoft.Compute/virtualMachines/<resource name>",
        "resourceGroupName": "<resource group>",
        "resourceProviderName": "Microsoft.Resourcehealth/healthevent/action",
        "status": "Active",
        "subscriptionId": "<subscription Id>",
        "submissionTimestamp": "2018-09-04T23:11:06.1607287+00:00",
        "resourceType": "Microsoft.Compute/virtualMachines"
      }
    }
  }
}
```
Element name | Description |
---|---|
status | Used for metric alerts. Always set to activated for activity log alerts. |
context | Context of the event. |
resourceProviderName | The resource provider of the impacted resource. |
conditionType | Always Event. |
name | Name of the alert rule. |
id | Resource ID of the alert. |
description | Alert description set when the alert is created. |
subscriptionId | Azure subscription ID. |
timestamp | Time at which the event was generated by the Azure service that processed the request. |
resourceId | Resource ID of the impacted resource. |
resourceGroupName | Name of the resource group for the impacted resource. |
properties | Set of <Key, Value> pairs (that is, Dictionary<String, String>) that includes details about the event. |
event | Element that contains metadata about the event. |
authorization | The Azure role-based access control properties of the event. These properties usually include the action, the role, and the scope. |
category | Category of the event. Supported values include Administrative, Alert, Security, ServiceHealth, and Recommendation. |
caller | Email address of the user who performed the operation, UPN claim, or SPN claim based on availability. Can be null for certain system calls. |
correlationId | Usually a GUID in string format. Events that belong to the same larger action usually share a correlationId. |
eventDescription | Static text description of the event. |
eventDataId | Unique identifier for the event. |
eventSource | Name of the Azure service or infrastructure that generated the event. |
httpRequest | The request usually includes the clientRequestId, clientIpAddress, and HTTP method (for example, PUT). |
level | One of the following values: Critical, Error, Warning, and Informational. |
operationId | Usually a GUID shared among the events corresponding to a single operation. |
operationName | Name of the operation. |
properties | Properties of the event. |
status | String. Status of the operation. Common values include Started, In Progress, Succeeded, Failed, Active, and Resolved. |
subStatus | Usually includes the HTTP status code of the corresponding REST call. It might also include other strings that describe a substatus. Common substatus values include OK (HTTP status code: 200), Created (HTTP status code: 201), Accepted (HTTP status code: 202), No Content (HTTP status code: 204), Bad Request (HTTP status code: 400), Not Found (HTTP status code: 404), Conflict (HTTP status code: 409), Internal Server Error (HTTP status code: 500), Service Unavailable (HTTP status code: 503), and Gateway Timeout (HTTP status code: 504). |
For specific schema details on all other activity log alerts, see Overview of the Azure activity log.
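As an added example that is not part of this article or of any Azure SDK, the following Python receiver shows how a webhook endpoint can check the tokenid carried in the webhook URI, verify the schemaId, and route on data.context.activityLog.eventSource to the fields each payload type carries (including the Security payload's attackers value, which is a JSON list stored inside a string). The expected token, the function names, and the sample body are assumptions constructed here.

```python
import hmac
import json

SCHEMA_ID = "Microsoft.Insights/activityLogs"

def token_is_valid(query_params, expected_token):
    """Constant-time check of the tokenid query parameter from the webhook URI."""
    presented = query_params.get("tokenid", "")
    return hmac.compare_digest(presented, expected_token)

def parse_alert(body):
    """Parse the POST body; return (eventSource, activityLog dict)."""
    payload = json.loads(body)
    if payload.get("schemaId") != SCHEMA_ID:
        raise ValueError("unexpected schemaId: %r" % payload.get("schemaId"))
    log = payload["data"]["context"]["activityLog"]
    return log.get("eventSource"), log

def summarize(body):
    """Route on eventSource and pull out the fields each source carries."""
    source, log = parse_alert(body)
    props = log.get("properties", {})
    if source == "Administrative":
        auth = log.get("authorization", {})
        return {"source": source, "caller": log.get("caller"),
                "action": auth.get("action"), "scope": auth.get("scope")}
    if source == "Security":
        # "attackers" is a JSON-encoded list carried inside a string value
        return {"source": source, "severity": props.get("severity"),
                "attackers": json.loads(props.get("attackers", "[]")),
                "entity": props.get("compromisedEntity")}
    if source == "ServiceHealth":
        return {"source": source, "trackingId": props.get("trackingId"),
                "stage": props.get("stage"), "region": props.get("region")}
    if source == "ResourceHealth":
        return {"source": source, "resourceId": log.get("resourceId"),
                "health": props.get("currentHealthStatus")}
    return {"source": source, "operationName": log.get("operationName")}

# Constructed sample body (not a real alert), modeled on the Security example above.
SAMPLE_SECURITY = json.dumps({
    "schemaId": SCHEMA_ID,
    "data": {"status": "Activated", "context": {"activityLog": {
        "eventSource": "Security",
        "operationName": "Microsoft.Security/locations/alerts/activate/action",
        "properties": {"attackers": "[\"IP Address: 01.02.03.04\"]",
                       "severity": "Medium", "compromisedEntity": "LinuxVM1"}}},
        "properties": {}}})
```

In a real deployment the tokenid is a shared secret, so the endpoint should reject requests whose token does not match before parsing the body.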
Next steps
- Learn more about the activity log.
- Execute Azure Automation scripts (runbooks) on Azure alerts.
- Use a logic app to send an SMS via Twilio from an Azure alert. This example is for metric alerts, but it can be modified to work with an activity log alert.
- Use a logic app to send a Slack message from an Azure alert. This example is for metric alerts, but it can be modified to work with an activity log alert.
- Use a logic app to send a message to an Azure queue from an Azure alert. This example is for metric alerts, but it can be modified to work with an activity log alert.