Deploy Azure Monitor Baseline Alerts (AMBA-ALZ) - PIP Packets in DDoS Attack Alert - Deploy_PublicIp_PacketsInDDoSAttack

Deploy Azure Monitor Baseline Alerts (AMBA-ALZ) - PIP Packets in DDoS Attack Alert

Azure Monitor Baseline Alerts (AMBA) Policy definition

Alias

Namespace

ResourceType

Path

PathIsDefault

DefaultPath

Modifiable

Microsoft.Insights/metricAlerts/autoMitigate

microsoft.insights

metricalerts

properties.autoMitigate

True

False

Microsoft.Insights/metricAlerts/criteria.Microsoft-Azure-Monitor-SingleResourceMultipleMetricCriteria.allOf[*].metricName

microsoft.insights

metricalerts

properties.criteria.allOf[*].metricName

True

False

Microsoft.Insights/metricAlerts/criteria.Microsoft-Azure-Monitor-SingleResourceMultipleMetricCriteria.allOf[*].metricNamespace

microsoft.insights

metricalerts

properties.criteria.allOf[*].metricNamespace

True

False

Microsoft.Insights/metricAlerts/criteria.Microsoft-Azure-Monitor-SingleResourceMultipleMetricCriteria.allOf[*].operator

microsoft.insights

metricalerts

properties.criteria.allOf[*].operator

True

False

Microsoft.Insights/metricAlerts/criteria.Microsoft-Azure-Monitor-SingleResourceMultipleMetricCriteria.allOf[*].threshold

microsoft.insights

metricalerts

properties.criteria.allOf[*].threshold

True

False

Microsoft.Insights/metricAlerts/criteria.Microsoft-Azure-Monitor-SingleResourceMultipleMetricCriteria.allOf[*].timeAggregation

microsoft.insights

metricalerts

properties.criteria.allOf[*].timeAggregation

True

False

Microsoft.Insights/metricAlerts/enabled

microsoft.insights

metricalerts

properties.enabled

True

False

Microsoft.Insights/metricAlerts/evaluationFrequency

microsoft.insights

metricalerts

properties.evaluationFrequency

True

False

Microsoft.Insights/metricalerts/scopes[*]

microsoft.insights

metricalerts

properties.scopes[*]

True

False

Microsoft.Insights/metricalerts/severity

microsoft.insights

metricalerts

properties.severity

True

False

Microsoft.Insights/metricAlerts/windowSize

microsoft.insights

metricalerts

properties.windowSize

True

False

Rows: 1-3 / 3

Records:

Use the filters above each column to filter and limit table data. Advanced searches can be performed by using the following operators:
<, <=, >, >=, =, *, !, {, }, ||,&&, [empty], [nonempty], rgx:
Learn more

TableFilter v0.7.3

Page of 1

Initiative DisplayName

Initiative Id

Initiative Category

State

[Deprecated]: Deploy Azure Monitor Baseline Alerts for Landing Zone

Alerting-LandingZone

Monitoring

Deprecated

Deploy Azure Monitor Baseline Alerts (AMBA-ALZ) for Connectivity

Alerting-Connectivity

Monitoring

Deploy Azure Monitor Baseline Alerts (AMBA-ALZ) for Load Balancing

Alerting-LoadBalancing

Monitoring

{

policyType: "Custom",
mode: "All",
displayName: "Deploy Azure Monitor Baseline Alerts (AMBA-ALZ) - PIP Packets in DDoS Attack Alert",
description: "Policy to audit/deploy PIP Packets in DDoS Attack Alert",
metadata: {5 items
- version: "1.2.1",
- category: "Network",
- source: "https://github.com/Azure/azure-monitor-baseline-alerts/",
- alzCloudEnvironments: [1 item
  - "AzureCloud"
  ],
- _deployed_by_amba: "True"
},
parameters: {9 items
- severity: {4 items
  - type: "String",
  - metadata: {2 items
    - displayName: "Severity",
    - description: "Severity of the Alert"
    },
  - allowedValues: [5 items
    - "0",
    - "1",
    - "2",
    - "3",
    - "4"
    ],
  - defaultValue: "4"
  },
- windowSize: {4 items
  - type: "String",
  - metadata: {2 items
    - displayName: "Window Size",
    - description: "Window size for the alert"
    },
  - allowedValues: [8 items
    - "PT1M",
    - "PT5M",
    - "PT15M",
    - "PT30M",
    - "PT1H",
    - "PT6H",
    - "PT12H",
    - "P1D"
    ],
  - defaultValue: "PT5M"
  },
- evaluationFrequency: {4 items
  - type: "String",
  - metadata: {2 items
    - displayName: "Evaluation Frequency",
    - description: "Evaluation frequency for the alert"
    },
  - allowedValues: [5 items
    - "PT1M",
    - "PT5M",
    - "PT15M",
    - "PT30M",
    - "PT1H"
    ],
  - defaultValue: "PT5M"
  },
- autoMitigate: {4 items
  - type: "String",
  - metadata: {2 items
    - displayName: "Auto Mitigate",
    - description: "Auto Mitigate for the alert"
    },
  - allowedValues: [2 items
    - "true",
    - "false"
    ],
  - defaultValue: "true"
  },
- enabled: {4 items
  - type: "String",
  - metadata: {2 items
    - displayName: "Alert State",
    - description: "Alert state for the alert"
    },
  - allowedValues: [2 items
    - "true",
    - "false"
    ],
  - defaultValue: "true"
  },
- threshold: {3 items
  - type: "String",
  - metadata: {2 items
    - displayName: "Threshold",
    - description: "Threshold for the alert"
    },
  - defaultValue: "40000"
  },
- effect: {4 items
  - type: "String",
  - metadata: {2 items
    - displayName: "Effect",
    - description: "Effect of the policy"
    },
  - allowedValues: [2 items
    - "deployIfNotExists",
    - "disabled"
    ],
  - defaultValue: "disabled"
  },
- MonitorDisableTagName: {3 items
  - type: "String",
  - metadata: {2 items
    - displayName: "ALZ Monitoring disabled tag name",
    - description: "Tag name used to disable monitoring at the resource level. Set to true if monitoring should be disabled."
    },
  - defaultValue: "MonitorDisable"
  },
- MonitorDisableTagValues: {3 items
  - type: "Array",
  - metadata: {2 items
    - displayName: "ALZ Monitoring disabled tag values(s)",
    - description: "Tag value(s) used to disable monitoring at the resource level. Set to true if monitoring should be disabled."
    },
  - defaultValue: [4 items
    - "true",
    - "Test",
    - "Dev",
    - "Sandbox"
    ]
  }
},
policyRule: {2 items
- if: {1 item
  - allOf: [2 items
    - {2 items
      - field: "type",
      - equals: "Microsoft.Network/publicIPAddresses"
      },
    - {2 items
      - field: "[ concat( 'tags[ ', parameters('MonitorDisableTagName'), ' ]' ) ]",
      - notIn: "[parameters('MonitorDisableTagValues')]"
      }
    ]
  },
- then: {2 items
  - effect: "[parameters('effect')]",
  - details: {4 items
    - roleDefinitionIds: [1 item
      - "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" Contributor
      ],
    - type: "Microsoft.Insights/metricAlerts",
    - existenceCondition: {1 item
      - allOf: [11 items
        {2 items
        field: "Microsoft.Insights/metricAlerts/criteria.Microsoft-Azure-Monitor-SingleResourceMultipleMetricCriteria.allOf[*].metricNamespace",
        equals: "Microsoft.Network/publicIPAddresses"
        },
        {2 items
        field: "Microsoft.Insights/metricAlerts/criteria.Microsoft-Azure-Monitor-SingleResourceMultipleMetricCriteria.allOf[*].metricName",
        equals: "PacketsInDDoS"
        },
        {2 items
        field: "Microsoft.Insights/metricalerts/scopes[*]",
        equals: 🔍"[ concat( subscription().id, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Network/publicIPAddresses/', field('fullName') ) ]"
        },
        {2 items
        field: "Microsoft.Insights/metricAlerts/enabled",
        equals: "[parameters('enabled')]"
        },
        {2 items
        field: "Microsoft.Insights/metricAlerts/evaluationFrequency",
        equals: "[parameters('evaluationFrequency')]"
        },
        {2 items
        field: "Microsoft.Insights/metricAlerts/windowSize",
        equals: "[parameters('windowSize')]"
        },
        {2 items
        field: "Microsoft.Insights/metricalerts/severity",
        equals: "[parameters('severity')]"
        },
        {2 items
        field: "Microsoft.Insights/metricAlerts/autoMitigate",
        equals: "[parameters('autoMitigate')]"
        },
        {2 items
        field: "Microsoft.Insights/metricAlerts/criteria.Microsoft-Azure-Monitor-SingleResourceMultipleMetricCriteria.allOf[*].timeAggregation",
        equals: "Total"
        },
        {2 items
        field: "Microsoft.Insights/metricAlerts/criteria.Microsoft-Azure-Monitor-SingleResourceMultipleMetricCriteria.allOf[*].operator",
        equals: "GreaterThanOrEqual"
        },
        {2 items
        field: "Microsoft.Insights/metricAlerts/criteria.Microsoft-Azure-Monitor-SingleResourceMultipleMetricCriteria.allOf[*].threshold",
        equals: "[ if( contains( field('tags'), '_amba-PacketsInDDoS-threshold-Override_' ), field('tags._amba-PacketsInDDoS-threshold-Override_'), parameters('threshold') ) ]"
        }
        ]
      },
    - deployment: {1 item
      - properties: {3 items
        mode: "incremental",
        template: {5 items
        $schema: "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
        contentVersion: "1.0.0.0",
        parameters: {8 items
        resourceName: {2 items
        type: "String",
        metadata: {2 items
        displayName: "resourceName",
        description: "Name of the resource"
        }
        },
        resourceId: {2 items
        type: "String",
        metadata: {2 items
        displayName: "resourceId",
        description: "Resource ID of the resource emitting the metric that will be used for the comparison"
        }
        },
        severity: {1 item
        type: "String"
        },
        windowSize: {1 item
        type: "String"
        },
        evaluationFrequency: {1 item
        type: "String"
        },
        autoMitigate: {1 item
        type: "String"
        },
        enabled: {1 item
        type: "String"
        },
        threshold: {1 item
        type: "String"
        }
        },
        variables: {},
        resources: [1 item
        {6 items
        type: "Microsoft.Insights/metricAlerts",
        apiVersion: "2018-03-01",
        name: 🔍"[ concat( parameters('resourceName'), '-PacketsInDDosAlert' ) ]",
        location: "global",
        tags: {1 item
        _deployed_by_amba: true
        },
        properties: {9 items
        description: "Metric Alert for Public IP Address Packets IN DDOS",
        severity: "[parameters('severity')]",
        enabled: "[parameters('enabled')]",
        scopes: [1 item
        "[parameters('resourceId')]"
        ],
        evaluationFrequency: "[parameters('evaluationFrequency')]",
        windowSize: "[parameters('windowSize')]",
        criteria: {2 items
        allOf: [1 item
        {7 items
        name: "PacketsInDDoS",
        metricNamespace: "Microsoft.Network/publicIPAddresses",
        metricName: "PacketsInDDoS",
        operator: "GreaterThanOrEqual",
        threshold: "[parameters('threshold')]",
        timeAggregation: "Total",
        criterionType: "StaticThresholdCriterion"
        }
        ],
        odata.type: "Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria"
        },
        autoMitigate: "[parameters('autoMitigate')]",
        parameters: {6 items
        severity: {1 item
        value: "[parameters('severity')]"
        },
        windowSize: {1 item
        value: "[parameters('windowSize')]"
        },
        evaluationFrequency: {1 item
        value: "[parameters('evaluationFrequency')]"
        },
        autoMitigate: {1 item
        value: "[parameters('autoMitigate')]"
        },
        enabled: {1 item
        value: "[parameters('enabled')]"
        },
        threshold: {1 item
        value: "[parameters('threshold')]"
        }
        }
        }
        }
        ]
        },
        parameters: {8 items
        resourceName: {1 item
        value: "[field('name')]"
        },
        resourceId: {1 item
        value: "[field('id')]"
        },
        severity: {1 item
        value: "[parameters('severity')]"
        },
        windowSize: {1 item
        value: "[parameters('windowSize')]"
        },
        evaluationFrequency: {1 item
        value: "[parameters('evaluationFrequency')]"
        },
        autoMitigate: {1 item
        value: "[parameters('autoMitigate')]"
        },
        enabled: {1 item
        value: "[parameters('enabled')]"
        },
        threshold: {1 item
        value: "[ if( contains( field('tags'), '_amba-PacketsInDDoS-threshold-Override_' ), field('tags._amba-PacketsInDDoS-threshold-Override_'), parameters('threshold') ) ]"
        }
        }
        }
      }
    }
  }
}

}