An enabled Azure Monitor Activity Log alert rule exists whose condition matches Service Health notifications, that is, category equals ServiceHealth and properties.incidentType equals Incident.
Risk
Without an alert for Service Health incidents, teams can miss Azure outages and service degradations, which harms availability and delays failover. An unnoticed incident can cascade into errors, timeouts, failed deployments and SLA breaches across every workload that depends on the affected service.
prowler azure --checks monitor_alert_service_health_exists
Recommendation
Create and maintain an enabled Activity Log alert for Service Health Incident events.
- Route via Action Groups to on-call channels
- Filter to critical services/regions
- Test routing and refine recipients regularly
- Integrate with incident response and defense-in-depth monitoring
Remediation
az monitor activity-log alert create --resource-group <resource-group> --name <alert-rule> --scope /subscriptions/<subscription-id> --condition "category=ServiceHealth and properties.incidentType=Incident" --action-group <action-group-name-or-id>
- In the Azure portal, go to Service Health > Health alerts > Create service health alert
- Scope: select the Subscription to monitor and the Resource group in which the alert rule is saved
- Event types: select only Service issues (Incidents)
- Leave other filters as default, ensure Enable rule is On, then click Create
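The following Python is an added example, not Prowler's own check code, that evaluates a list of activity log alert rules the way this check does: it walks the microsoft.insights/activitylogalerts schema (properties.enabled, properties.scopes, properties.condition.allOf with a leaf field/equals entry or an anyOf group, which the portal emits when several event types are selected) and reports which rules satisfy category=ServiceHealth and properties.incidentType=Incident. It goes slightly beyond the check by also requiring the rule to be scoped to the subscription and by warning when no action group is attached. The subscription id, rule names and resource ids are constructed; case-insensitive field comparison is an assumption.

```python
"""Audit Activity Log alert rules for a Service Health incident alert.

Added example, not part of Prowler. Models the ARM shape of
microsoft.insights/activitylogalerts; SAMPLE_RULES below are constructed.
"""

SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000001"  # constructed

# Field/value pairs the check requires. Compared case-insensitively because the
# portal and the CLI do not always emit the same casing (assumption).
REQUIRED = {"category": "servicehealth", "properties.incidenttype": "incident"}

REASON_DISABLED = "rule is disabled"
REASON_CONDITION = "condition does not pin category=ServiceHealth and properties.incidentType=Incident"
REASON_SCOPE = "rule is not scoped to the subscription"
WARN_NO_ACTIONS = "no action group attached, nobody is notified"


def _leaf_matches(leaf: dict, field: str, value: str) -> bool:
    """A leaf condition looks like {"field": "category", "equals": "ServiceHealth"}."""
    return (str(leaf.get("field", "")).lower() == field
            and str(leaf.get("equals", "")).lower() == value)


def _pinned(all_of: list, field: str, value: str) -> bool:
    """True if some allOf entry pins field=value, directly or inside an anyOf group."""
    for entry in all_of:
        if _leaf_matches(entry, field, value):
            return True
        if any(_leaf_matches(leaf, field, value) for leaf in entry.get("anyOf", [])):
            return True
    return False


def evaluate_rule(rule: dict, subscription_id: str) -> dict:
    """Return {"fails": [...], "warnings": [...]}; an empty fails list means the rule passes."""
    props = rule.get("properties", {})
    fails, warnings = [], []
    if not props.get("enabled", False):
        fails.append(REASON_DISABLED)
    all_of = props.get("condition", {}).get("allOf", [])
    if not all(_pinned(all_of, f, v) for f, v in REQUIRED.items()):
        fails.append(REASON_CONDITION)
    wanted = f"/subscriptions/{subscription_id}".lower()
    if not any(s.lower().rstrip("/") == wanted for s in props.get("scopes", [])):
        fails.append(REASON_SCOPE)
    if not props.get("actions", {}).get("actionGroups"):
        warnings.append(WARN_NO_ACTIONS)
    return {"fails": fails, "warnings": warnings}


def compliant_rules(rules: list, subscription_id: str) -> list:
    """Names of rules that satisfy the check."""
    return [r["name"] for r in rules if not evaluate_rule(r, subscription_id)["fails"]]


def subscription_passes(rules: list, subscription_id: str) -> bool:
    """The check passes when at least one rule in the subscription is compliant."""
    return bool(compliant_rules(rules, subscription_id))


def _rule(name, enabled, all_of, scopes=None, action_groups=None):
    """Build a rule in the activitylogalerts ARM shape (constructed test data)."""
    return {
        "name": name,
        "type": "microsoft.insights/activitylogalerts",
        "properties": {
            "enabled": enabled,
            "scopes": scopes or [f"/subscriptions/{SUBSCRIPTION_ID}"],
            "condition": {"allOf": all_of},
            "actions": {"actionGroups": action_groups or []},
        },
    }


SERVICE_HEALTH_INCIDENT = [
    {"field": "category", "equals": "ServiceHealth"},
    # anyOf group as the portal emits it when Incidents and Maintenance are both selected
    {"anyOf": [{"field": "properties.incidentType", "equals": "Incident"},
               {"field": "properties.incidentType", "equals": "Maintenance"}]},
]
ONCALL_GROUP = [{"actionGroupId": f"/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/rg-ops/"
                                  "providers/microsoft.insights/actionGroups/oncall"}]

SAMPLE_RULES = [
    _rule("svc-health-prod", True, SERVICE_HEALTH_INCIDENT, action_groups=ONCALL_GROUP),
    _rule("svc-health-disabled", False, SERVICE_HEALTH_INCIDENT, action_groups=ONCALL_GROUP),
    _rule("policy-changes", True, [{"field": "category", "equals": "Administrative"}],
          action_groups=ONCALL_GROUP),
    _rule("svc-health-no-actions", True, SERVICE_HEALTH_INCIDENT),
]

if __name__ == "__main__":
    for r in SAMPLE_RULES:
        print(r["name"], evaluate_rule(r, SUBSCRIPTION_ID))
    print("PASS" if subscription_passes(SAMPLE_RULES, SUBSCRIPTION_ID) else "FAIL")
```

To run it against a real subscription, feed evaluate_rule the JSON from `az monitor activity-log alert list --subscription <subscription-id>`, whose objects carry the same properties block; a rule that only warns still passes the check but should get an action group before anyone relies on it.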
Source Code
Resource Type
microsoft.insights/activitylogalerts
References
- https://learn.microsoft.com/en-us/azure/service-health/service-health-notifications-properties
- https://learn.microsoft.com/en-us/azure/service-health/alerts-activity-log-service-notifications-portal
- https://learn.microsoft.com/en-us/azure/service-health/overview
- https://learn.microsoft.com/en-us/azure/azure-monitor/platform/activity-log-schema
- https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/ActivityLog/service-health-alert.html