9 Audit and log data: Azure Monitor


This chapter covers

  • Understanding different log types in Azure
  • Azure Monitor
  • Diagnostic settings
  • Data collection rules
  • Alert rules

As you learned in chapter 8, it’s important to have relevant data sources when detecting threats and investigating incidents. Relevant data sources provide the breadth and depth of data needed to detect potentially malicious activities and signs of compromise. However, relevant data sources can contain data that is both useful and, well, not really useful for your security operations.

To ensure you have the right data from the relevant data sources, it’s important to understand the different log types that are available in Azure. These log types help you determine what data you need to collect and how long you need to keep it. The same goes for performance metrics.

In addition to collecting log data, you can collect specific performance metrics, such as the CPU usage of Azure virtual machines (VMs), which can be useful when investigating suspicious activities. These performance metrics can be used to create alerts that inform you when a specific threshold is breached, which might be indicative of suspicious activity.

9.1 Understanding different log types in Azure

9.1.1 Azure tenant logs

9.1.2 Azure subscriptions

9.1.3 Azure resources

9.1.4 Operating system

9.2 Azure Monitor

9.3 Diagnostic settings

9.3.1 Diagnostic settings in action

9.4 Data collection rules

9.4.1 Data collection rules in action

9.5 Alert rules

9.5.1 Types of alerts

9.5.2 Alert rules in action

9.6 Answers to exercises

Exercise 9.1