[Question/Feedback]: Error Remediating Alerts of Type, "Log search alert rule" in Azure Gov Cloud

[NathanHodges05]

Check for previous/existing GitHub issues

• [x] I have checked for previous/existing GitHub issues

Description

I keep running into errors when trying to remediate alerts that are Log Search Alert Rules in Azure Gov Cloud. These are Microsoft.Insights/scheduledQueryRules. An example is Deploy-VM-HeartBeat-Alert.json. The query is found on line 445. Another example is Deploy-LAWorkspace-DailyCapLimitReached-Alert.json and that query is on line 364.

The raw error I get when remediating is:

  "message": "{\r\n  \"error\": {\r\n    \"message\": \"The request had some invalid properties\",\r\n    \"code\": \"BadArgumentError\",\r\n    \"correlationId\": \"<correlationId>\",\r\n    \"innererror\": {\r\n      \"code\": \"QueryValidationError\",\r\n      \"message\": \"ADX reference is of incorrect format: \"\r\n    }\r\n  }\r\n}"
}

] }

I get the same error when creating this alert manually in the portal and using that query.

This was NOT an issue when deploying to Azure commercial cloud. Those remediated perfectly fine, and the query runs when testing in the portal as shown below.

Is there a known query that will work in Azure Gov Cloud for these 11 virtual machine policies and the Daily Cap Limit alert policy? // Used in VM Policy Set Definition loadTextContent('../../../services/Compute/virtualMachines/Deploy-VM-DataDiskReadLatency-Alert.json') loadTextContent('../../../services/Compute/virtualMachines/Deploy-VM-DataDiskSpace-Alert.json') loadTextContent('../../../services/Compute/virtualMachines/Deploy-VM-DataDiskWriteLatency-Alert.json') loadTextContent('../../../services/Compute/virtualMachines/Deploy-VM-HeartBeat-Alert.json') loadTextContent('../../../services/Compute/virtualMachines/Deploy-VM-NetworkIn-Alert.json') loadTextContent('../../../services/Compute/virtualMachines/Deploy-VM-NetworkOut-Alert.json') loadTextContent('../../../services/Compute/virtualMachines/Deploy-VM-OSDiskReadLatency-Alert.json') loadTextContent('../../../services/Compute/virtualMachines/Deploy-VM-OSDiskSpace-Alert.json') loadTextContent('../../../services/Compute/virtualMachines/Deploy-VM-OSDiskWriteLatency-Alert.json') loadTextContent('../../../services/Compute/virtualMachines/Deploy-VM-PercentCPU-Alert.json') loadTextContent('../../../services/Compute/virtualMachines/Deploy-VM-PercentMemory-Alert.json') // Used in Management policy definitions only loadTextContent('../../../services/OperationalInsights/workspaces/Deploy-LAWorkspace-DailyCapLimitReached-Alert.json')

Thank you for your assistance.

[Brunoga-MS]

Hello @NathanHodges05 , thanks for your feedback. AMBA-ALZ is not officially supported on AzureGov environment. Unfortunately, there's no alternative to run the queries you are referring to and use the same feature of looking into Azure Graph Explorer. I suspect a different alignment between Azure Public Cloud and Azure Gov for the feature documented at Query data in Azure Resource Graph by using arg() (Preview), which is still preview. Could you please ensure that VMInsights has been correctly configured and clarify if you are using a normal workspace or anything different?

Thanks, Bruno

[Brunoga-MS]

Hello @NathanHodges05 , I haven't heard anything back from you. Unfortunately. there's not that much we can do from the AMBA-ALZ perspective to support ARG queries in AzureGov environments so I am going to close this issue.

Fell free to reopen it or to create a new should it be the case.

Thanks, Bruno.