What is the difference between static and dynamic threshold alerts?

Static thresholds trigger when a metric crosses a fixed value you specify (e.g., CPU > 90%). Dynamic thresholds use machine learning to learn the metric's normal behavior pattern and alert when values deviate from the expected range. Dynamic thresholds account for daily and weekly seasonality, trends, and baseline shifts. They are ideal for metrics where normal values change over time or follow cyclical patterns, eliminating the need to manually tune threshold values.

How do action groups work with alert rules?

Action groups define what happens when an alert fires — they can send emails, SMS messages, push notifications, voice calls, or trigger webhooks, Logic Apps, Azure Functions, ITSM connectors, or Automation runbooks. A single action group can contain multiple actions and can be reused across many alert rules. When an alert fires, all actions in the associated group execute simultaneously. You can attach up to five action groups per alert rule.

How often are alert rules evaluated?

Metric alerts are evaluated every 1, 5, 10, or 15 minutes depending on the configuration. Log alerts evaluate their KQL query at intervals of 5, 10, 15, 30, or 60 minutes. Activity log alerts evaluate in near-real-time when matching events occur. The evaluation frequency combined with the look-back period determines how quickly an alert fires and how long a condition must persist. Shorter evaluation periods provide faster alerting but consume more alert rule quota.

Azure Monitor Alert Rule Builder

MonitoringAzure

Build Azure Monitor metric alert rule configurations with criteria and action groups.

Azure Monitor Alert Rule Configuration

Alert Rule Name

Severity (0=Critical, 4=Verbose)

Description (optional)

Evaluation Frequency

Window Size

Scopes (resource IDs, one per line)

Criterion 1

Metric Name

Metric Namespace

Operator

Threshold

Aggregation

Action Group ID (optional)

Enabled Auto Mitigate

Generated Alert Rule Config

Output will appear here...

About This Tool

Azure Monitor alert rules evaluate conditions on metrics, logs, or activity log events and trigger notification actions when thresholds are breached. Alert rules can target specific resources, resource groups, or entire subscriptions, and support dynamic thresholds that use machine learning to detect anomalies. Configuring alert rules requires specifying the signal (metric or log query), condition logic (static threshold, dynamic threshold, or number of results), severity level, evaluation frequency, and action groups for notifications. This builder helps you assemble alert rules with correct KQL queries, metric dimensions, and action group references.

When to Use This Tool

•Building a metric alert rule that fires when VM CPU utilization exceeds 90% for 5 consecutive minutes across all VMs in a resource group
•Creating a log alert rule that triggers when more than 10 HTTP 500 errors appear in Application Insights within a 15-minute window
•Configuring dynamic threshold alerts that detect unusual patterns in API response times without manually setting static thresholds
•Generating activity log alerts that notify the security team when role assignments are modified at the subscription level

Frequently Asked Questions

What is the difference between static and dynamic threshold alerts?: Static thresholds trigger when a metric crosses a fixed value you specify (e.g., CPU > 90%). Dynamic thresholds use machine learning to learn the metric's normal behavior pattern and alert when values deviate from the expected range. Dynamic thresholds account for daily and weekly seasonality, trends, and baseline shifts. They are ideal for metrics where normal values change over time or follow cyclical patterns, eliminating the need to manually tune threshold values.
How do action groups work with alert rules?: Action groups define what happens when an alert fires — they can send emails, SMS messages, push notifications, voice calls, or trigger webhooks, Logic Apps, Azure Functions, ITSM connectors, or Automation runbooks. A single action group can contain multiple actions and can be reused across many alert rules. When an alert fires, all actions in the associated group execute simultaneously. You can attach up to five action groups per alert rule.
How often are alert rules evaluated?: Metric alerts are evaluated every 1, 5, 10, or 15 minutes depending on the configuration. Log alerts evaluate their KQL query at intervals of 5, 10, 15, 30, or 60 minutes. Activity log alerts evaluate in near-real-time when matching events occur. The evaluation frequency combined with the look-back period determines how quickly an alert fires and how long a condition must persist. Shorter evaluation periods provide faster alerting but consume more alert rule quota.

Related Learning Guides

Azure Monitor & Application Insights26 min read

Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.