This chapter covers the three core alert types in Azure Monitor: Metric Alerts, Log Alerts, and Activity Log Alerts. Understanding their differences, use cases, and configuration is critical for the AZ-104 exam, as monitoring questions comprise approximately 15-20% of the exam. You will be tested on when to use each type, how they differ in latency and cost, and how to interpret alert rules. This chapter provides a deep, mechanistic explanation so you can confidently answer any alert-related question.
Jump to a section
Imagine a large office building with three watchmen: one monitors the front door (Metric Alert), one monitors the phone lines (Log Alert), and one monitors the security camera feed (Activity Log Alert). The front door watchman (Metric Alert) watches for specific conditions like 'more than 50 people enter per minute' — he counts continuously and sounds an alarm when a threshold is exceeded. He doesn't care who the people are or where they go; he only cares about the count. The phone lines watchman (Log Alert) listens to every phone call and records the conversation text (log data). He doesn't sound an alarm based on volume; instead, he triggers an alarm when a call contains specific keywords like 'fire' or 'intruder' — this requires analyzing the content of each call, which takes longer and uses more resources. The security camera watchman (Activity Log Alert) watches only the cameras at the main entrance and the CEO's office — these are the 'control plane' cameras. He doesn't look at every camera feed; he only records when someone enters or exits these specific doors. He sounds an alarm if someone enters the CEO's office at 3 AM (unusual activity). Each watchman has a different purpose, different sensitivity, different latency, and different cost. In Azure, these three alert types correspond to Metric Alerts (fast, numeric threshold-based), Log Alerts (complex, query-based, higher latency), and Activity Log Alerts (service-level events, no resource logs).
What Are Azure Monitor Alerts?
Azure Monitor Alerts are a unified alerting system that proactively notifies you when conditions are met across your Azure resources. The system consists of three distinct alert types: Metric Alerts, Log Alerts, and Activity Log Alerts. Each type monitors a different data source and uses a different evaluation engine. The exam expects you to know exactly which data source feeds each alert type and the associated latency, cost, and configuration nuances.
Metric Alerts: Fast, Numeric, Threshold-Based
Metric Alerts evaluate numeric time-series data collected by Azure Monitor Metrics. Metrics are lightweight, numerical values emitted by Azure resources at regular intervals (typically every 1 minute for most resources, but some emit every 5 minutes or 30 seconds for premium tiers). Metric Alerts can monitor a single metric (e.g., CPU percentage) or multiple metrics using dynamic thresholds. The evaluation engine runs every 1 minute for static thresholds and every 5 minutes for dynamic thresholds. The key characteristics: - Data source: Azure Monitor Metrics (time-series database) - Latency: Alert fires within 1-5 minutes of condition being met (typically <3 minutes) - Cost: Free for basic metrics; additional cost for custom metrics and multi-resource alerts - Supported conditions: Greater than, less than, greater than or equal, less than or equal, between, dynamic threshold (uses machine learning) - Frequency: Evaluation frequency is 1 minute for static thresholds, 5 minutes for dynamic thresholds - Number of dimensions: Up to 10 dimensions per metric - State: Fired/Resolved (stateful) – once fired, it stays fired until the condition is no longer met
Metric Alerts are ideal for real-time performance monitoring where low latency is critical. For example, you want to be alerted within 2 minutes if CPU exceeds 90%. They are not suitable for detecting patterns in log data or monitoring text-based events.
Log Alerts: Complex, Query-Based, Higher Latency
Log Alerts evaluate queries against Log Analytics workspaces. These queries can be complex, using Kusto Query Language (KQL) to search for specific text, aggregate counts, or detect anomalies over time. The evaluation engine runs the query at a defined frequency (from every 5 minutes to every 24 hours) and triggers an alert if the results meet a threshold. Key characteristics: - Data source: Log Analytics workspace (log data from Azure Monitor Logs) - Latency: Alert fires within 5-15 minutes (depends on query complexity and ingestion delay) - Cost: Pay per query execution (based on data scanned and frequency) - Supported conditions: Number of results >, <, =, or based on metric measurement (aggregate values) - Frequency: Configurable from 5 minutes to 24 hours - Query scope: Can span multiple workspaces, resources, or subscriptions using cross-resource queries - State: Stateful (fired/resolved) or stateless (each evaluation is independent) – configurable
Log Alerts are powerful for security monitoring, compliance, and custom scenarios where you need to analyze log content. For example, you might create a log alert that fires when more than 10 failed login attempts occur in 5 minutes. The trade-off is higher latency and cost.
Activity Log Alerts: Service-Level Events, No Resource Logs
Activity Log Alerts monitor events recorded in the Azure Activity Log. The Activity Log is a subscription-level log that records all control plane operations (e.g., create, update, delete resources) and service health events. These alerts do not monitor resource logs (e.g., IIS logs, application logs). Key characteristics: - Data source: Azure Activity Log (subscription-level, control plane) - Latency: Alert fires within 5-15 minutes (typical 5 minutes) - Cost: Free - Supported conditions: Specific operation name, status, resource type, resource group, event severity, and more - Frequency: Not configurable – evaluated continuously as events are written - Scope: Subscription-level or resource group-level - State: Fired/Resolved – stateful for most conditions
Activity Log Alerts are used for operational compliance, security monitoring (e.g., alert when someone deletes a resource), and service health notifications. They do NOT monitor data plane operations (e.g., reading blob data) – only control plane.
How They Work Internally: Evaluation Engines
Each alert type has a separate evaluation engine: - Metric Alerts: The Metric Alerts engine runs inside Azure Monitor and checks the metric time-series data every 1 minute (static) or 5 minutes (dynamic). It uses a sliding window of the last N minutes (defined by the aggregation granularity). If the condition is met for the duration of the window, the alert fires. The engine is stateful: once fired, it remains fired until the metric returns to a non-alerting state. - Log Alerts: The Log Alerts engine submits a KQL query to the Log Analytics workspace at the configured frequency. The query runs against the ingested log data. The engine evaluates the query results (number of rows or a calculated metric) against the threshold. It can be stateful (fires until resolved) or stateless (each evaluation independent). The latency depends on ingestion delay (typically 30 seconds to 15 minutes) plus query execution time. - Activity Log Alerts: The Activity Log Alerts engine is an event-driven system that listens to the Activity Log stream. When a new event is written, it is matched against the alert rule conditions. If matched, the alert fires. There is no periodic evaluation; it is real-time with a small processing delay.
Key Components, Values, Defaults, and Timers
Metric Alert:
- Default evaluation frequency: 1 minute (static), 5 minutes (dynamic) - Default aggregation: Average over the last 5 minutes (configurable) - Cooldown period: None – alert fires immediately when condition is met - Maximum number of conditions per rule: 1 (but you can create multiple rules) - Log Alert:
- Default frequency: 5 minutes - Minimum frequency: 5 minutes (cannot be lower) - Maximum query time range: 1440 minutes (24 hours) - Number of results threshold: >0 by default - Activity Log Alert:
- No configurable frequency – event-driven - Maximum 100 active alert rules per subscription - Can filter by: Operation name, status, severity, resource type, resource group, resource, event initiated by
Configuration and Verification Commands
You can create alerts via Azure portal, CLI, PowerShell, or ARM templates.
Create a Metric Alert using Azure CLI:
az monitor metrics alert create \
--name "High CPU Alert" \
--resource-group "myRG" \
--scopes "/subscriptions/sub-id/resourceGroups/myRG/providers/Microsoft.Compute/virtualMachines/myVM" \
--condition "avg Percentage CPU > 90" \
--description "Alert when CPU exceeds 90%" \
--action "/subscriptions/sub-id/resourceGroups/myRG/providers/microsoft.insights/actionGroups/myActionGroup"Create a Log Alert using Azure CLI:
az monitor scheduled-query create \
--name "Failed Logins Alert" \
--resource-group "myRG" \
--scopes "/subscriptions/sub-id/resourceGroups/myRG/providers/Microsoft.OperationalInsights/workspaces/myWorkspace" \
--condition "count
| where ResultType != 'Success'
| where TimeGenerated > ago(5m)
| count > 10" \
--description "Alert when more than 10 failed logins in 5 minutes" \
--action "/subscriptions/sub-id/resourceGroups/myRG/providers/microsoft.insights/actionGroups/myActionGroup"Create an Activity Log Alert using Azure CLI:
az monitor activity-log alert create \
--name "Delete Resource Alert" \
--resource-group "myRG" \
--scopes "/subscriptions/sub-id" \
--condition category=Administrative operationName=Microsoft.Compute/virtualMachines/delete \
--description "Alert when a VM is deleted" \
--action "/subscriptions/sub-id/resourceGroups/myRG/providers/microsoft.insights/actionGroups/myActionGroup"Interaction with Related Technologies
Alerts are closely integrated with Action Groups, which define the notification actions (email, SMS, webhook, ITSM, etc.). All three alert types can use the same action group. Alerts also integrate with Azure Monitor Workbooks, Dashboards, and Azure Automation runbooks for auto-remediation. For example, a Metric Alert can trigger an Automation runbook to scale out a VMSS.
Trap Patterns on the Exam
Candidates often confuse the data sources:
Metric Alerts use metrics (numerical, time-series) – NOT logs
Log Alerts use log data (text, queries) – NOT metrics
Activity Log Alerts use the Activity Log (control plane) – NOT resource logs
Another common trap: thinking that Activity Log Alerts can monitor data plane operations like blob reads. They cannot; only control plane operations are recorded in the Activity Log. For data plane operations, you need resource logs (diagnostic settings) and Log Alerts.
Also, candidates often think Metric Alerts can evaluate complex KQL queries – they cannot. Metric Alerts only support simple numeric conditions. For complex queries, use Log Alerts.
Finally, latency: Metric Alerts are the fastest (1-5 minutes), Log Alerts are slower (5-15 minutes), and Activity Log Alerts are moderate (5-15 minutes). The exam may ask which alert type is best for time-critical scenarios.
Summary of Differences
| Feature | Metric Alert | Log Alert | Activity Log Alert | |---------|--------------|-----------|-------------------| | Data Source | Metrics | Logs | Activity Log | | Latency | 1-5 min | 5-15 min | 5-15 min | | Cost | Free (basic) | Pay per query | Free | | Complexity | Simple thresholds | Complex KQL queries | Simple filters | | Stateful | Yes | Configurable | Yes | | Use Case | Performance | Security, custom | Compliance, ops |
Identify the monitoring requirement
First, determine what you need to monitor. Is it a numerical performance metric (e.g., CPU utilization, memory usage)? If yes, use Metric Alerts. Is it a pattern in log data (e.g., failed logins, error codes in application logs)? If yes, use Log Alerts. Is it a control plane operation (e.g., resource creation, deletion, or service health event)? If yes, use Activity Log Alerts. This step is critical because choosing the wrong alert type will either not work or incur unnecessary cost.
Configure the data source
For Metric Alerts, ensure the resource emits the required metric (most Azure resources emit metrics automatically). For Log Alerts, you must have a Log Analytics workspace and configure diagnostic settings to send logs to that workspace. For Activity Log Alerts, no additional configuration is needed; the Activity Log is automatically available. However, you may need to enable collection of certain categories (e.g., Service Health) via Azure Monitor settings.
Define the alert rule condition
For Metric Alerts, specify the metric name, aggregation (e.g., average, max), operator (e.g., greater than), threshold value, and evaluation frequency. For Log Alerts, write a KQL query that returns the desired result set, then set the condition (e.g., number of results > 10). For Activity Log Alerts, select the operation name, status, severity, and other filters. Be precise: for example, an Activity Log Alert for 'delete VM' must use the exact operation name 'Microsoft.Compute/virtualMachines/delete'.
Configure the action group
All alert types use Action Groups to define notification actions. Create an Action Group with email, SMS, webhook, or ITSM endpoints. You can also use Azure Functions or Automation Runbooks for auto-remediation. Action Groups can be reused across multiple alert rules. Note that SMS notifications have a limit of 1 SMS per 5 minutes per phone number to prevent spam.
Test and validate the alert
After creating the alert rule, test it by triggering the condition. For Metric Alerts, you can generate load on a VM to increase CPU. For Log Alerts, you can generate log entries (e.g., failed logins). For Activity Log Alerts, you can perform the monitored operation (e.g., delete a test resource). Check the Azure Monitor Alerts page to see if the alert fires within the expected latency. Verify that the action group delivers the notification. If the alert does not fire, check the rule configuration, data source, and latency.
Monitor and tune alert rules
After deployment, monitor alert effectiveness. Metric Alerts may require threshold tuning to avoid noise (false positives). Log Alerts may need query optimization to reduce cost and latency. Activity Log Alerts are generally stable but may need scope adjustments. Use Azure Monitor's 'Alert Rules' page to view fired alerts and adjust rules accordingly. Consider using dynamic thresholds for Metric Alerts to automatically adjust based on historical patterns.
Enterprise Scenario 1: E-commerce Platform Performance Monitoring
A large e-commerce company runs thousands of virtual machines (VMs) in a VMSS behind a load balancer. They need real-time alerts for CPU utilization exceeding 90% and memory usage exceeding 80%. They use Metric Alerts because latency is critical – if a VM is overloaded, they need to scale out within minutes. Each VM has a metric alert rule with a static threshold. They also use dynamic thresholds to automatically adjust for seasonal traffic spikes. In production, they found that static thresholds caused false positives during flash sales, so they switched to dynamic thresholds. The alerts trigger an Automation Runbook that adds more VM instances to the scale set. Misconfiguration: initially, they set the evaluation frequency to 5 minutes, which was too slow; they changed to 1 minute for faster response.
Enterprise Scenario 2: Security Operations Center (SOC) Log Monitoring
A financial institution needs to detect brute-force attacks on their Azure SQL databases. They use Log Alerts because the detection requires analyzing log patterns – failed login attempts over time. They send SQL Server audit logs to a Log Analytics workspace. The alert rule runs a KQL query every 5 minutes that counts failed logins per IP address in the last 5 minutes and alerts if the count exceeds 20. They also set up a stateless alert (each evaluation independent) to avoid missing repeated attacks. In production, the ingestion delay of logs (up to 5 minutes) plus query execution time means alerts fire 10-15 minutes after the attack begins. They accept this latency because the alternative (Metric Alerts) cannot analyze log content. Misconfiguration: they initially used a stateful alert, which caused the alert to not re-fire for the same IP address until resolved, missing subsequent attacks.
Enterprise Scenario 3: Compliance and Governance
A healthcare organization must comply with HIPAA and needs to be alerted whenever a resource group is deleted or a VM is stopped. They use Activity Log Alerts because these are control plane operations recorded in the Activity Log. They create an alert rule that fires when the operation name equals 'Microsoft.Resources/subscriptions/resourceGroups/delete' or 'Microsoft.Compute/virtualMachines/deallocate'. The alert sends an email to the compliance team. In production, they also monitor 'Service Health' events to be notified of Azure outages. Misconfiguration: they tried to monitor blob reads (data plane) using Activity Log Alerts, which failed because data plane operations are not in the Activity Log. They had to use resource logs and Log Alerts instead.
Exam Focus: AZ-104 Objective 5.1
The AZ-104 exam tests your ability to differentiate between Metric Alerts, Log Alerts, and Activity Log Alerts. Specific objective codes: 'Monitor and manage Azure resources' – 'Configure monitoring for resources' – 'Create and configure alerts'. Expect 3-5 questions on this topic. The exam focuses on:
Data Source Identification: You must know which data source each alert type uses. Common wrong answer: 'Activity Log Alerts can monitor resource logs.' Reality: Activity Log Alerts only monitor the Activity Log (control plane). Resource logs require Log Alerts.
Latency and Cost: Metric Alerts are fastest and free (basic). Log Alerts are slower and cost per query. Activity Log Alerts are free and moderate latency. Question: 'Which alert type should you use for real-time performance monitoring?' Answer: Metric Alerts. Wrong answer: Log Alerts (too slow).
Stateful vs Stateless: Log Alerts can be configured as stateful or stateless. The exam may ask: 'You need to alert every time a condition is met, even if it persists. Which setting?' Answer: Stateless (each evaluation independent). Wrong answer: Stateful (only fires once until resolved).
Supported Conditions: Metric Alerts support simple numeric conditions; Log Alerts support complex KQL queries; Activity Log Alerts support filters on operation name, status, etc. Question: 'You need to alert when more than 100 errors occur in a 5-minute window. Which alert type?' Answer: Log Alert (because it requires a query). Wrong answer: Metric Alert (cannot count log entries).
Scope: Metric Alerts can be scoped to a single resource or multiple resources via a resource scope. Log Alerts can span multiple workspaces using cross-resource queries. Activity Log Alerts are scoped to a subscription or resource group. Question: 'You need to alert when any VM in a subscription is deleted. Which alert type and scope?' Answer: Activity Log Alert at subscription scope. Wrong answer: Metric Alert (cannot monitor delete events).
Common Edge Cases:
Metric Alerts cannot monitor custom logs unless they are converted to metrics.
Log Alerts require a Log Analytics workspace and diagnostic settings.
Activity Log Alerts cannot be created for data plane operations (e.g., blob read).
Eliminating Wrong Answers: If the question mentions 'query', 'KQL', or 'log pattern', eliminate Metric Alert and Activity Log Alert. If it mentions 'numerical threshold' and 'low latency', eliminate Log Alert and Activity Log Alert. If it mentions 'control plane', 'resource creation', or 'service health', eliminate Metric Alert and Log Alert.
Metric Alerts evaluate numeric metrics with 1-5 minute latency; use for real-time performance monitoring.
Log Alerts evaluate KQL queries against log data with 5-15 minute latency; use for security and custom patterns.
Activity Log Alerts monitor control plane events (Activity Log) with 5-15 minute latency; use for compliance and resource changes.
Metric Alerts and Activity Log Alerts are free; Log Alerts incur costs based on data scanned and frequency.
Log Alerts can be stateful or stateless; Metric and Activity Log Alerts are always stateful.
Activity Log Alerts cannot monitor data plane operations (e.g., blob reads) – only control plane.
Metric Alerts cannot run KQL queries – only simple numeric conditions.
All alert types use Action Groups for notifications.
Dynamic thresholds in Metric Alerts use machine learning to auto-adjust thresholds.
Log Alerts require a Log Analytics workspace with diagnostic settings enabled.
Activity Log Alerts can filter by operation name, status, severity, resource type, and more.
The exam often tests data source identification and latency differences.
These come up on the exam all the time. Here's how to tell them apart.
Metric Alerts
Data source: Azure Monitor Metrics (time-series numeric data)
Latency: 1-5 minutes (fastest)
Cost: Free for basic metrics
Conditions: Simple numeric thresholds (>, <, =, dynamic)
Stateful: Always stateful (fired/resolved)
Log Alerts
Data source: Log Analytics workspace (log data, text)
Latency: 5-15 minutes (slower due to ingestion and query)
Cost: Pay per query execution
Conditions: Complex KQL queries with thresholds
Stateful: Configurable (stateful or stateless)
Mistake
Activity Log Alerts can monitor data plane operations like reading blobs.
Correct
Activity Log Alerts only monitor control plane operations (e.g., create, delete, update resources) recorded in the Azure Activity Log. Data plane operations (e.g., blob reads) are NOT in the Activity Log; they require resource logs and Log Alerts.
Mistake
Metric Alerts can evaluate complex KQL queries.
Correct
Metric Alerts only support simple numeric conditions (e.g., greater than, less than). They cannot run KQL queries. Complex queries require Log Alerts, which query Log Analytics workspaces using KQL.
Mistake
Log Alerts are faster than Metric Alerts.
Correct
Log Alerts have higher latency (5-15 minutes) due to log ingestion delay and query execution. Metric Alerts are faster (1-5 minutes) because they evaluate time-series data directly.
Mistake
All three alert types are stateful by default.
Correct
Metric Alerts and Activity Log Alerts are stateful (fire until resolved). Log Alerts can be configured as stateful or stateless. Stateless alerts fire every evaluation if the condition is met, regardless of previous state.
Mistake
Activity Log Alerts are free but Metric Alerts cost money.
Correct
Both Activity Log Alerts and basic Metric Alerts are free. Custom metrics and multi-resource metric alerts may incur charges. Log Alerts are pay-per-query.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Metric Alerts monitor numeric time-series data (metrics) with low latency (1-5 minutes) and are free for basic metrics. They support simple threshold conditions (e.g., CPU > 90%). Log Alerts monitor log data in Log Analytics workspaces using KQL queries, with higher latency (5-15 minutes) and cost per query. They support complex conditions like counting failed logins. Use Metric Alerts for real-time performance; use Log Alerts for security and custom patterns.
No. Activity Log Alerts only monitor events in the Azure Activity Log, which records control plane operations (e.g., resource creation, deletion). Resource logs (e.g., IIS logs, application logs) are separate and require diagnostic settings to be sent to a Log Analytics workspace, where they can be monitored using Log Alerts.
Metric Alerts are best because they evaluate numeric metrics with 1-5 minute latency. Log Alerts are too slow (5-15 minutes) and Activity Log Alerts do not monitor CPU metrics. For CPU monitoring, create a Metric Alert with a static or dynamic threshold on the 'Percentage CPU' metric.
First, ensure your resource (e.g., SQL Server, VM) sends logs to a Log Analytics workspace via diagnostic settings. Then create a Log Alert rule with a KQL query like: 'SigninLogs | where ResultType != "Success" | summarize count() by IPAddress | where count_ > 10'. Set the condition to 'Number of results > 0' and frequency to 5 minutes. Configure an Action Group for notifications.
Basic Metric Alerts and Activity Log Alerts are free. Custom metrics and multi-resource metric alerts may incur charges. Log Alerts are pay-per-query, based on the amount of data scanned and the frequency of execution. There is no upfront cost, but costs can add up with frequent, complex queries.
Yes. Action Groups are independent of alert types. You can create an Action Group with email, SMS, webhook, etc., and reuse it across Metric, Log, and Activity Log Alert rules. This simplifies management.
A stateless Log Alert fires every time the query condition is met, regardless of whether the alert previously fired. This is useful for scenarios where you want to be notified of each occurrence, such as repeated security attacks. In contrast, a stateful alert fires once and then only fires again after the condition clears and returns. Use stateless for continuous monitoring.
You've just covered Log Alerts vs Metric Alerts vs Activity Log Alerts — now see how well it sticks with free AZ-104 practice questions. Full explanations included, no account needed.
Done with this chapter?