What is the difference between static and dynamic threshold alerts?

Static thresholds trigger when a metric crosses a fixed value you specify (e.g., CPU > 90%). Dynamic thresholds use machine learning to learn the metric's normal behavior pattern and alert when values deviate from the expected range. Dynamic thresholds account for daily and weekly seasonality, trends, and baseline shifts. They are ideal for metrics where normal values change over time or follow cyclical patterns, eliminating the need to manually tune threshold values.

How do action groups work with alert rules?

Action groups define what happens when an alert fires — they can send emails, SMS messages, push notifications, voice calls, or trigger webhooks, Logic Apps, Azure Functions, ITSM connectors, or Automation runbooks. A single action group can contain multiple actions and can be reused across many alert rules. When an alert fires, all actions in the associated group execute simultaneously. You can attach up to five action groups per alert rule.

How often are alert rules evaluated?

Metric alerts are evaluated every 1, 5, 10, or 15 minutes depending on the configuration. Log alerts evaluate their KQL query at intervals of 5, 10, 15, 30, or 60 minutes. Activity log alerts evaluate in near-real-time when matching events occur. The evaluation frequency combined with the look-back period determines how quickly an alert fires and how long a condition must persist. Shorter evaluation periods provide faster alerting but consume more alert rule quota.

Azure Monitor Alert Rule Builder

MonitoringAzure

Build Azure Monitor metric alert rule configurations with criteria and action groups.

Last verified: May 2026

Azure Monitor Alert Rule Configuration

Alert Rule Name

Severity (0=Critical, 4=Verbose)

Description (optional)

Evaluation Frequency

Window Size

Scopes (resource IDs, one per line)

Criterion 1

Metric Name

Metric Namespace

Operator

Threshold

Aggregation

Action Group ID (optional)

Enabled Auto Mitigate

Generated Alert Rule Config

Output will appear here...

About This Tool

Azure Monitor alert rules evaluate conditions on metrics, logs, or activity log events and trigger notification actions when thresholds are breached. Alert rules can target specific resources, resource groups, or entire subscriptions, and support dynamic thresholds that use machine learning to detect anomalies. Configuring alert rules requires specifying the signal (metric or log query), condition logic (static threshold, dynamic threshold, or number of results), severity level, evaluation frequency, and action groups for notifications. This builder helps you assemble alert rules with correct KQL queries, metric dimensions, and action group references.

Real-World Scenario

Your platform team's Azure environment has 200+ alert rules across 30 resource groups, almost all using static thresholds. The result: 80% false positive rate, on-call team is desensitized to alerts. The builder helps you migrate the 30 most-noisy alerts to dynamic thresholds. Within a week, false positive rate drops to ~15%, real alerts get faster response, and team morale improves measurably.

When to Use This Tool

•Building a metric alert rule that fires when VM CPU utilization exceeds 90% for 5 consecutive minutes across all VMs in a resource group
•Creating a log alert rule that triggers when more than 10 HTTP 500 errors appear in Application Insights within a 15-minute window
•Configuring dynamic threshold alerts that detect unusual patterns in API response times without manually setting static thresholds
•Generating activity log alerts that notify the security team when role assignments are modified at the subscription level

Pro Tips

TIP

Dynamic threshold alerts are dramatically better than static thresholds for metrics with daily/weekly patterns (CPU during business hours, queue depth, etc.). Static thresholds either miss anomalies during peak (because the threshold is set high enough for normal peaks) or fire constantly during peaks (because it's set low enough for off-peak). Dynamic learns the pattern and only alerts on real deviations.

TIP

Action groups support webhook actions that POST to any HTTPS endpoint — including PagerDuty, Opsgenie, Slack, or your own incident management system. This is more flexible than the built-in email/SMS actions and lets you route alerts to your existing on-call infrastructure.

TIP

Log alert rules charge per execution (each KQL query run). A 5-minute evaluation interval = 8,640 query runs/month per alert rule. Across 50 alert rules, that's 430K queries/month. The bill adds up — consolidate similar alerts where possible and use longer intervals for non-critical rules.

How It Works Under the Hood

The builder generates Azure Monitor alert rules across three types: metric alerts (signal: metric, condition: static or dynamic threshold, frequency, evaluation periods), log alerts (signal: KQL query against Log Analytics, threshold: number of results, frequency), and activity log alerts (signal: activity log event filter). Each connects to one or more action groups. Output is generated as az monitor metrics alert / log alert create commands and Terraform azurerm_monitor_metric_alert / azurerm_monitor_scheduled_query_rules_alert_v2 resources.

Frequently Asked Questions

What is the difference between static and dynamic threshold alerts?: Static thresholds trigger when a metric crosses a fixed value you specify (e.g., CPU > 90%). Dynamic thresholds use machine learning to learn the metric's normal behavior pattern and alert when values deviate from the expected range. Dynamic thresholds account for daily and weekly seasonality, trends, and baseline shifts. They are ideal for metrics where normal values change over time or follow cyclical patterns, eliminating the need to manually tune threshold values.
How do action groups work with alert rules?: Action groups define what happens when an alert fires — they can send emails, SMS messages, push notifications, voice calls, or trigger webhooks, Logic Apps, Azure Functions, ITSM connectors, or Automation runbooks. A single action group can contain multiple actions and can be reused across many alert rules. When an alert fires, all actions in the associated group execute simultaneously. You can attach up to five action groups per alert rule.
How often are alert rules evaluated?: Metric alerts are evaluated every 1, 5, 10, or 15 minutes depending on the configuration. Log alerts evaluate their KQL query at intervals of 5, 10, 15, 30, or 60 minutes. Activity log alerts evaluate in near-real-time when matching events occur. The evaluation frequency combined with the look-back period determines how quickly an alert fires and how long a condition must persist. Shorter evaluation periods provide faster alerting but consume more alert rule quota.

Related Learning Guides

Azure Monitor & Application Insights26 min read

Was this tool helpful?

Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.