Merge pull request #317 from Azure/dev-alz-pattern
ALZ Pattern Update
arjenhuitema authored Sep 2, 2024
2 parents 96b8021 + c802951 commit 4aea188
Showing 204 changed files with 44,606 additions and 18,391 deletions.
1 change: 1 addition & 0 deletions .gitignore
Original file line number Diff line number Diff line change
@@ -3,3 +3,4 @@
public
services/amba-alerts*
artifacts/*/**
/.vs
@@ -1,12 +1,12 @@
---
title: Bring Your Own User Assigned Managed Identity (BYO UAMI)
title: Bring Your Own User Assigned Managed Identity
geekdocCollapseSection: true
weight: 62
weight: 95
---

# Overview

The ***Bring Your Own User Assigned Managed Identity*** (BYO UAMI) feature, available with release [2024-06-05](../Whats-New#2024-06-05), allows both Greenfield and Brownfield customers to create a new User Assigned Managed Identity (UAMI) during the deployment of AMBA-ALZ. It also allows Brownfield customers, who deployed the ALZ pattern when this feature wasn't available, to use any existing one by configuring a couple of parameters. Thanks to this new feature, it's now possible to query Azure Resource Graph (ARG) using the Kusto Query Language. Log-based search alerts can now be enhanced to include ARG queries looking at resource tags.
The ***Bring Your Own User Assigned Managed Identity*** (BYO UAMI) feature, available with release [2024-06-05](../../Whats-New#2024-06-05), allows both Greenfield and Brownfield customers to create a new User Assigned Managed Identity (UAMI) during or after the deployment of AMBA-ALZ. It also allows Brownfield customers, who deployed the ALZ pattern when this feature wasn't available, to use any existing one by configuring a couple of parameters. Thanks to this new feature, it's now possible to query Azure Resource Graph (ARG) using the Kusto Query Language. Log-based search alerts can now be enhanced to include ARG queries looking at resource tags.

# How this feature works

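Review bot: the three relative links in this hunk move from `../` to `../../` (for example `../../Whats-New#2024-06-05`), which only resolves if the page itself has moved one directory deeper; a later hunk in the same file links to `../../Available_features/Bring-your-own-Managed-Identity#...`, so that appears to be the new location, but no rename is visible in the hunk header, so please confirm the file move is part of this PR. Minor wording in the rewritten overview line: "to use any existing one by configuring a couple of parameters" reads better as "to reuse an existing one by setting two parameters", and "Greenfield"/"Brownfield" are capitalised here while the same file uses lowercase "brownfield" further down.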
@@ -23,7 +23,10 @@ The deployment template has conditions that controls what is being deployed acco
A. ***Customers want to use existing UAMI.*** In this scenario the deployment will:

{{< hint type=Important >}}
When using an existing UAMI provided by the customer, the customer has to grant the UAMI the ***Monitoring Reader*** role at the pseudo root Management Group level <ins>**before running the deployment.**</ins>
Before executing the deployment, ensure that the existing UAMI is assigned the ***Monitoring Reader*** role at the pseudo root Management Group.

It is probable that the UAMI you provide is located within the Management subscription beneath the Platform management group, whereas the Policy Assignment resides at the LandingZones management group. In this case, for the deployIfNotExists policies to have permission to assign the UAMI to the scheduled query rule, the ***Managed Identity Operator*** role must be granted to the system Managed Identity of the Initiative Assignment (```Deploy-AMBA-VM``` for the Virtual machine initiative, ```Deploy-AMBA-HybridVM``` for the Arc-enabled Servers initiative) at the UAMI scope.

{{< /hint >}}

- Not deploy any UAMI
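Review bot: the new paragraph adds a second prerequisite (Managed Identity Operator for the system-assigned identity of the `Deploy-AMBA-VM` / `Deploy-AMBA-HybridVM` assignment, scoped to the UAMI) but opens with "It is probable that", so readers may treat it as optional; state it as a requirement whenever the UAMI lives outside the scope of the initiative assignment. The ordering also needs spelling out: Monitoring Reader must be in place "before executing the deployment", but the assignment's system-assigned identity only exists once the initiative has been assigned, so the Managed Identity Operator role can only be granted after the deployment and before remediation is run. Keeping that role scoped to the single UAMI resource, as the text already says, rather than to its resource group or subscription, is the right least-privilege choice and worth stating as such.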
@@ -32,7 +35,7 @@ When using an existing UAMI provided by the customer, the customer has to grant

Here's a sample extract of the parameter file with the relevant parameter configuration for this scenario:

![Customer defined UAMI](../media/alz-UAMI-Param-Example-1.png)
![Customer defined UAMI](../../media/alz-UAMI-Param-Example-1.png)

B. ***Customers does not have an existing UAMI and want AMBA-ALZ to create a new one.*** In this scenario the deployment will:

@@ -46,25 +49,25 @@ When a new UAMI is created by the deployment template, the ***Monitoring Reader*

Here's a sample extract of the parameter file with the relevant parameter configuration for this scenario:

![New UAMI deployed by the template](../media/alz-UAMI-Param-Example-2.png)
![New UAMI deployed by the template](../../media/alz-UAMI-Param-Example-2.png)

## Where is it used

This new feature is used in Log-search based alerts. At the moment of this release, there's one alert using it. The alert is part of the new ***Deploy Azure Monitor Vaseline Alerts for Hybrid VMs*** policySet added to monitor hybrid virtual machine.

![Deploy Azure Monitor Baseline Alerts for Hybrid VMs](../media/deploy-HybridVM-Alerts.png)
![Deploy Azure Monitor Baseline Alerts for Hybrid VMs](../../media/deploy-HybridVM-Alerts.png)

{{< hint type=Info >}}
We're planning to use this feature more in the future and to include it as part of other alerts.
{{< /hint >}}

## Switching between BYO UAMI and new UAMI

The [conditional deployment behavior](../alz/Bring-your-own-Managed-Identity.md#conditional-deployment-behavior) discussed earlier, allows brownfield customers to switch from a new created UAMI to an existing one and viceversa.
The [conditional deployment behavior](../../Available_features/Bring-your-own-Managed-Identity#conditional-deployment-behavior) discussed earlier, allows brownfield customers to switch from a new created UAMI to an existing one and viceversa.
Should customers decide to switch, it will be enough to:

- Change the values in the parameter file to match one of the two scenarios previously discussed
- Redeploy the AMBA-ALZ pattern
- Run the remediation for the [Deploy Azure Monitor Baseline Alerts for Hybrid VMs](https://raw.githubusercontent.com/Azure/azure-monitor-baseline-alerts/main/patterns/alz/policySetDefinitions/Deploy-HybridVM-Alerts.json) policy initiative as documented at [Remediate Policies](../deploy/Remediate-Policies)
- Run the remediation for the [Deploy Azure Monitor Baseline Alerts for Hybrid VMs](https://raw.githubusercontent.com/Azure/azure-monitor-baseline-alerts/main/patterns/alz/policySetDefinitions/Deploy-HybridVM-Alerts.json) policy initiative as documented at [Remediate Policies](../../deploy/Remediate-Policies)

The code will reconfigure the necessary alerts to use either the customer's provided UAMI or the new one created during the deployment.
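Review bot: the unchanged context line "Deploy Azure Monitor Vaseline Alerts for Hybrid VMs" has a typo ("Vaseline" for "Baseline"; the image alt text two lines below spells it correctly) and "monitor hybrid virtual machine" should be plural; worth fixing while this file is being touched. The section link rewritten to `../../Available_features/Bring-your-own-Managed-Identity#conditional-deployment-behavior` targets a section of this same page, so a bare `#conditional-deployment-behavior` anchor would survive future moves (this is already the second path correction for it). Also in context: "a new created UAMI" should be "a newly created UAMI" and "viceversa" should be "vice versa".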
@@ -1,24 +1,24 @@
---
title: Bring Your Own Notifications (BYON)
title: Bring Your Own Notifications
geekdocCollapseSection: true
weight: 61
weight: 100
---

# Overview

The ***Bring Your Own Notifications*** (BYON) feature, available with release [2024-04-12](../Whats-New#2024-04-12), allows brownfield customers to use their existing Action Groups (also known as AGs) and Alert Processing Rule (also known as APR) not forcing the use of notification assets deployed by both the [Notification Assets](https://raw.githubusercontent.com/Azure/azure-monitor-baseline-alerts/main/patterns/alz/policySetDefinitions/Deploy-Notification-Assets.json) initiative and the [Deploy Service Health Action Group](https://raw.githubusercontent.com/Azure/azure-monitor-baseline-alerts/main/services/Resources/subscriptions/Deploy-ServiceHealth-ActionGroups.json) policy definition present in the ALZ pattern. It also allows Brownfield customer who deployed the ALZ pattern when this feature wasn't available, to switch to it.
The ***Bring Your Own Notifications*** (BYON) feature, available with release [2024-04-12](../../Whats-New#2024-04-12), allows brownfield customers to use their existing Action Groups (also known as AGs) and Alert Processing Rule (also known as APR) not forcing the use of notification assets deployed by both the [Notification Assets](https://raw.githubusercontent.com/Azure/azure-monitor-baseline-alerts/main/patterns/alz/policySetDefinitions/Deploy-Notification-Assets.json) initiative and the [Deploy Service Health Action Group](https://raw.githubusercontent.com/Azure/azure-monitor-baseline-alerts/main/services/Resources/subscriptions/Deploy-ServiceHealth-ActionGroups.json) policy definition present in the ALZ pattern. It also allows Brownfield customer who deployed the ALZ pattern when this feature wasn't available, to switch to it.

# How this feature works

The BYON feature works by setting the necessary parameter values before running the ALZ pattern deployment. Customers have the choice to either specify one or more existing AGs and one APR or to enter target values so the AG and the APR will be created using the actions specified in the parameter file (including the option to not specify any value and creating an empty AG).

Should Brownfield customers decide to use their own notification assets, it will be sufficient to enter the _AG resource IDs_ (separated by comma) and the _APR resource ID_ values in the respective parameters ***BYOActionGroup*** and ***BYOAlertProcessingRule***, leaving the ***ALZMonitorActionGroupEmail***, ***ALZLogicappResourceId***, ***ALZLogicappCallbackUrl***, ***ALZArmRoleId***, ***ALZEventHubResourceId***, ***ALZWebhookServiceUri***, ***ALZFunctionResourceId*** and ***ALZFunctionTriggerUrl*** <ins>***with no values***</ins>:

![policyAssignmentParametersBYON section](../../alz/media/BYON_Params.png)
![policyAssignmentParametersBYON section](../../media/BYON_Params.png)

Differently if they decide to use the assets provided by AMBA or if they're Greenfield customers, they'll just leave the ***BYOActionGroup*** and ***BYOAlertProcessingRule*** parameters with no values and populate all the others (***ALZMonitorActionGroupEmail***, ***ALZLogicappResourceId***, ***ALZLogicappCallbackUrl***, ***ALZArmRoleId***, ***ALZEventHubResourceId***, ***ALZWebhookServiceUri***, ***ALZFunctionResourceId*** and ***ALZFunctionTriggerUrl***):

![policyAssignmentParametersNotificationAssets section](../../alz/media/NotificationAssets_Params.png)
![policyAssignmentParametersNotificationAssets section](../../media/NotificationAssets_Params.png)

## Conditional deployment behavior

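Review bot: the rewritten overview line carries over several grammar issues: "Brownfield customer who deployed" should be "Brownfield customers who deployed", "not forcing the use of" reads better as "without forcing the use of", and "Alert Processing Rule (also known as APR)" is singular next to the plural "Action Groups (also known as AGs)". In the unchanged context, "Differently if they decide" should be "Conversely, if they decide". The same sentence links the initiative and policy definition JSON on the `main` branch of raw.githubusercontent.com; since those files change between releases, linking the release the feature shipped in (2024-04-12, named in the same sentence) would keep the doc consistent with the parameter names it lists.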
@@ -32,7 +32,7 @@ A. ***Use your own AGs with the AMBA APR***. In this scenario, the deployment wi

Here's an example of the parameter file with the relevant sections populated for this scenario:

![policyAssignmentParametersBYON section](../../alz/media/BYON_Params_2.png)
![policyAssignmentParametersBYON section](../../media/BYON_Params_2.png)

B. ***Use your own AGs and APR***. In this scenario, the deployment will:

@@ -41,19 +41,20 @@ B. ***Use your own AGs and APR***. In this scenario, the deployment will:

Here's an example of the parameter file with the relevant sections populated for this scenario:

![policyAssignmentParametersBYON section](../../alz/media/BYON_Params_3.png)
![policyAssignmentParametersBYON section](../../media/BYON_Params_3.png)

C. ***Use AMBA notification assets***. In this scenario, the deployment will:

- Deploy notification assets for SH alerts and wide notifications.

Here's an example of the parameter file with the relevant sections populated for this scenario:

![policyAssignmentParametersNotificationAssets section](../../alz/media/NotificationAssets_Params_2.png)
![policyAssignmentParametersNotificationAssets section](../../media/NotificationAssets_Params_2.png)

## Switching between BYON and Notification Assets

The [conditional deployment behavior](../../alz/Bring-your-own-Notifications#conditional-deployment-behavior) discussed earlier, allows brownfield customers to switch from the initial notification assets scenario (the only one available until release [2024-03-01](../../alz/Whats-New#2024-03-01)) to the new BYON after deployment and viceversa.
The [conditional deployment behavior](../../Bring-your-own-Notifications#conditional-deployment-behavior) discussed earlier, allows brownfield customers to switch from the initial notification assets scenario (the only one available until release [2024-03-01](../../Whats-New#2024-03-01)) to the new BYON after deployment and viceversa.

Should customers decide to switch, it will be enough to:

- change the values in the parameter file to match one of the three cases previously discussed
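Review bot: the self-link now reads `../../Bring-your-own-Notifications#conditional-deployment-behavior`, a relative path back to this same page; a bare `#conditional-deployment-behavior` anchor cannot go stale when the page moves again. In the unchanged context, "SH alerts" is the only place the abbreviation appears without expansion (Service Health is spelled out in the overview), and "viceversa" should be "vice versa". The hunk header shows the new side gaining one line (`-41,19 +41,20`) but every visible change is a one-for-one replacement, so the added line sits in the collapsed tail of the hunk; please confirm it is intended.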
@@ -0,0 +1,31 @@
---
title: Log-search alert table
geekdocHidden: true
---

| Resource Type | Alert Name | Alert Type | Override Tag name |
| ------------- | ---------- | ---------- | ----------------- |
| Machine - Azure Arc | *```subscription().displayName```*-HybridVMHighDataDiskReadLatencyAlert | _Log search_ | ***\_amba-ReadLatencyMs-Data-threshold-override\_*** |
| Machine - Azure Arc | *```subscription().displayName```*-HybridVMLowDataDiskSpaceAlert | _Log search_ | ***\_amba-FreeSpacePercentage-Data-threshold-override\_*** |
| Machine - Azure Arc | *```subscription().displayName```*-HybridVMHighDataDiskWriteLatencyAlert | _Log search_ | ***\_amba-WriteLatencyMs-Data-threshold-override\_*** |
| Machine - Azure Arc | *```subscription().displayName```*-HybridVMDisconnectedAlert | _Log search_ | ***\_amba-Disconnected-threshold-override\_*** |
| Machine - Azure Arc | *```subscription().displayName```*-HybridVMHeartBeatAlert | _Log search_ | ***\_amba-Heartbeat-threshold-override\_*** |
| Machine - Azure Arc | *```subscription().displayName```*-HybridVMHighNetworkInAlert | _Log search_ | ***\_amba-ReadBytesPerSecond-threshold-override\_*** |
| Machine - Azure Arc | *```subscription().displayName```*-HybridVMHighNetworkOutAlert | _Log search_ | ***\_amba-WriteBytesPerSecond-threshold-override\_*** |
| Machine - Azure Arc | *```subscription().displayName```*-HybridVMHighOSDiskReadLatencyAlert | _Log search_ | ***\_amba-ReadLatencyMs-OS-threshold-override\_*** |
| Machine - Azure Arc | *```subscription().displayName```*-HybridVMLowOSDiskSpaceAlert | _Log search_ | ***\_amba-FreeSpacePercentage-OS-threshold-override\_*** |
| Machine - Azure Arc | *```subscription().displayName```*-HybridVMHighOSDiskWriteLatencyAlert | _Log search_ | ***\_amba-WriteLatencyMs-OS-threshold-override\_*** |
| Machine - Azure Arc | *```subscription().displayName```*-HybridVMHighCPUAlert | _Log search_ | ***\_amba-UtilizationPercentage-threshold-override\_*** |
| Machine - Azure Arc | *```subscription().displayName```*-HybridVMLowMemoryAlert | _Log search_ | ***\_amba-AvailableMemoryPercentage-threshold-override\_*** |
| Virtual machine | *```subscription().displayName```*-VMHighDataDiskReadLatencyAlert | _Log search_ | ***\_amba-ReadLatencyMs-Data-threshold-override\_*** |
| Virtual machine | *```subscription().displayName```*-VMLowDataDiskSpaceAlert | _Log search_ | ***\_amba-FreeSpacePercentage-Data-threshold-override\_*** |
| Virtual machine | *```subscription().displayName```*-VMHighDataDiskWriteLatencyAlert | _Log search_ | ***\_amba-WriteLatencyMs-Data-threshold-override\_*** |
| Virtual machine | *```subscription().displayName```*-VMHeartBeatAlert | _Log search_ | ***\_amba-Heartbeat-threshold-override\_*** |
| Virtual machine | *```subscription().displayName```*-VMHighNetworkInAlert | _Log search_ | ***\_amba-ReadBytesPerSecond-threshold-override\_*** |
| Virtual machine | *```subscription().displayName```*-VMHighNetworkOutAlert | _Log search_ | ***\_amba-WriteBytesPerSecond-threshold-override\_*** |
| Virtual machine | *```subscription().displayName```*-VMHighOSDiskReadLatencyAlert | _Log search_ | ***\_amba-ReadLatencyMs-OS-threshold-override\_*** |
| Virtual machine | *```subscription().displayName```*-VMLowOSDiskSpaceAlert | _Log search_ | ***\_amba-FreeSpacePercentage-OS-threshold-override\_*** |
| Virtual machine | *```subscription().displayName```*-VMHighOSDiskWriteLatencyAlert | _Log search_ | ***\_amba-WriteLatencyMs-OS-threshold-override\_*** |
| Virtual machine | *```subscription().displayName```*-VMHighCPUAlert | _Log search_ | ***\_amba-UtilizationPercentage-threshold-override\_*** |
| Virtual machine | *```subscription().displayName```*-VMLowMemoryAlert | _Log search_ | ***\_amba-AvailableMemoryPercentage-threshold-override\_*** |
| Log Analytics workspace | *```resourceName```*-DailyCapLimitReachedAlert | _Log search_ | ***Not available since threshold will always be ```0```*** |
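Review bot: the override tag names in this table are what the alert queries match on, so a mismatch between a name here and the one used in the policy definition fails silently (the default threshold keeps applying and nothing is logged). Two rows deserve a cross-check against the definitions: `HybridVMHeartBeatAlert` / `VMHeartBeatAlert` use `\_amba-Heartbeat-threshold-override\_` with different casing of HeartBeat/Heartbeat, and the Network In/Out alerts use `\_amba-ReadBytesPerSecond-threshold-override\_` / `\_amba-WriteBytesPerSecond-threshold-override\_`, which read like disk rather than network counters. Since any principal with tag-write permission on a VM or Arc machine can set these tags and thereby change an alert threshold, the page that embeds this hidden table (`geekdocHidden: true`) should say so and point to restricting tag writes (for example a Policy deny on these tag names for non-platform principals) as the mitigation. Minor: the last row switches the name prefix from `subscription().displayName` to `resourceName`; a footnote that workspace alerts are named per resource would avoid the question.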