Incident Ingest

Azure Monitor + Alert24 Integration: Incidents from Alert Rules

Route Azure Monitor alerts to Alert24 using action groups and a Logic App or Function adapter. Covers the common alert schema, severity mapping, and deduplication.

Azure Monitor action groups support webhook actions that POST an alert payload to any HTTPS URL. A small Logic App or Function App adapter translates Azure Monitor's alert schema into the payload that Alert24's incidents API accepts.

Before you start

You'll need:

  • An Alert24 API key with write or incidents scope (Settings → API Keys)
  • An Azure subscription with Azure Monitor alerts configured

Option A: Logic App adapter (no code)

  1. In the Azure portal, create a new Logic App (Consumption tier)
  2. Use the HTTP trigger as the starting step
  3. Add an HTTP action pointing to Alert24:
    • Method: POST
    • URI: https://app.alert24.net/api/v1/incidents
    • Headers: Authorization: Bearer ak_live_YOUR_KEY, Content-Type: application/json
    • Body:
      {
        "title": "@{triggerBody()?['data']?['essentials']?['alertRule']}",
        "description": "@{triggerBody()?['data']?['essentials']?['description']}",
        "severity": "@{if(equals(triggerBody()?['data']?['essentials']?['severity'], 'Sev0'), 'critical', if(equals(triggerBody()?['data']?['essentials']?['severity'], 'Sev1'), 'high', 'medium'))}",
        "alias": "@{concat('azure-', triggerBody()?['data']?['essentials']?['alertId'])}",
        "source": "azure-monitor",
        "tags": ["azure"]
      }
      
  4. Save the Logic App and copy the HTTP trigger URL
  5. In your action group, add a Webhook action pointing to this Logic App URL

Option B: Azure Function (code)

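import json
import logging
import os
import urllib.error
import urllib.request

import azure.functions as func

ALERT24_URL = 'https://app.alert24.net/api/v1/incidents'
SEVERITY_MAP = {'Sev0': 'critical', 'Sev1': 'high', 'Sev2': 'medium', 'Sev3': 'low', 'Sev4': 'info'}


def main(req: func.HttpRequest) -> func.HttpResponse:
    # Reject bodies that are not a JSON object instead of raising an unhandled exception.
    try:
        body = req.get_json()
    except ValueError:
        return func.HttpResponse('invalid JSON', status_code=400)
    if not isinstance(body, dict):
        return func.HttpResponse('invalid JSON', status_code=400)

    # Common alert schema: the fields used below live under data.essentials.
    essentials = body.get('data', {}).get('essentials', {})

    # The common schema names this field monitoringService; skip the tag when it is absent.
    tags = ['azure']
    if essentials.get('monitoringService'):
        tags.append(essentials['monitoringService'])

    payload = json.dumps({
        'title': f"Azure: {essentials.get('alertRule', 'Alert')}",
        'description': essentials.get('description', ''),
        'severity': SEVERITY_MAP.get(essentials.get('severity', 'Sev2'), 'medium'),
        # alertId is a resource path; replace slashes so the alias is a flat string.
        'alias': f"azure-{essentials.get('alertId', '').replace('/', '-')}",
        'source': 'azure-monitor',
        'tags': tags,
    }).encode()

    req_out = urllib.request.Request(
        ALERT24_URL,
        data=payload,
        headers={
            # The API key comes from the Function's application settings, not the source.
            'Authorization': f"Bearer {os.environ['ALERT24_API_KEY']}",
            'Content-Type': 'application/json',
        },
        method='POST'
    )
    # Bound the outbound call and report a failed delivery instead of crashing.
    try:
        urllib.request.urlopen(req_out, timeout=10)
    except urllib.error.URLError as exc:
        logging.error('Alert24 request failed: %s', exc)
        return func.HttpResponse('upstream error', status_code=502)
    return func.HttpResponse('ok', status_code=200)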

Create an action group with the webhook

  1. In Azure Monitor, go to Alerts → Action groups → + Create
  2. Set a name (e.g., alert24-incidents)
  3. Under Actions, add an action:
    • Action type: Webhook
    • Name: Alert24
    • URI: your Logic App or Function URL
    • Enable common alert schema: Yes
  4. Save the action group
  5. Attach it to any alert rule under Actions → Select action groups

Tips

  • Common alert schema: Enable this in the action group to get a consistent payload shape across all Azure Monitor alert types (metric alerts, log alerts, activity log alerts). The JSON paths above assume the common schema.
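  • Severity mapping: Azure uses Sev0–Sev4; Alert24 uses critical/high/medium/low/info. Both adapters map Sev0 = critical and Sev1 = high. The Function maps Sev2 = medium, Sev3 = low and Sev4 = info; the Logic App expression maps everything below Sev1 to medium.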
  • Deduplication: The alertId from Azure is stable for the lifetime of a single alert firing — using it as the alias deduplicates repeat notifications from the same alert.
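
The three tips above as one testable transform. This is an added example, not Alert24's or Microsoft's code. Rejecting payloads that lack the common schema marker or an alertId is an assumed policy, and the alert IDs are constructed placeholders.

```python
import json

COMMON_SCHEMA_ID = "azureMonitorCommonAlertSchema"
SEVERITY_MAP = {"Sev0": "critical", "Sev1": "high", "Sev2": "medium",
                "Sev3": "low", "Sev4": "info"}


def to_incident(body: dict) -> dict:
    """Map a common-alert-schema payload to the incident fields used on this page."""
    # Without "Enable common alert schema", data.essentials is absent and every
    # field below would silently fall back to a default.
    if not isinstance(body, dict) or body.get("schemaId") != COMMON_SCHEMA_ID:
        raise ValueError("payload is not in the common alert schema")
    essentials = (body.get("data") or {}).get("essentials") or {}
    alert_id = essentials.get("alertId")
    if not alert_id:
        # An empty alertId would alias every alert as "azure-" and merge
        # unrelated alerts into one incident.
        raise ValueError("alertId missing, cannot build a dedup alias")
    return {
        "title": f"Azure: {essentials.get('alertRule', 'Alert')}",
        "description": essentials.get("description", ""),
        "severity": SEVERITY_MAP.get(essentials.get("severity"), "medium"),
        "alias": "azure-" + alert_id.replace("/", "-"),
        "source": "azure-monitor",
        "tags": ["azure"],
    }


def sample_payload(alert_id, severity="Sev1", schema=COMMON_SCHEMA_ID):
    """Constructed test payload; only the fields this page reads are included."""
    return {"schemaId": schema, "data": {"essentials": {
        "alertId": alert_id, "alertRule": "cpu-high", "severity": severity,
        "description": "constructed sample"}}}


# Constructed alert IDs (placeholder subscription and alert GUIDs).
BASE = "/subscriptions/0000/providers/Microsoft.AlertsManagement/alerts/"
FIRST = sample_payload(BASE + "aaaa")
REPEAT = json.loads(json.dumps(FIRST))         # same firing, delivered again
OTHER = sample_payload(BASE + "bbbb", "Sev3")  # a different alert

if __name__ == "__main__":
    for name, p in (("first", FIRST), ("repeat", REPEAT), ("other", OTHER)):
        inc = to_incident(p)
        print(name, inc["severity"], inc["alias"])
    try:
        to_incident(sample_payload(BASE + "cccc", schema="constructed-legacy"))
    except ValueError as exc:
        print("rejected:", exc)
```

Keeping the transform separate from the HTTP call lets the same function back either adapter and be unit-tested without an Azure Function host.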