9 Audit and log data: Azure Monitor


This chapter covers

  • Understanding different log types in Azure
  • Azure Monitor
  • Diagnostic settings
  • Data Collection Rules
  • Alert rules

As you learned in chapter 8, it’s important to have relevant data sources when detecting threats and investigating incidents. Relevant data sources provide you with enough breadth and depth of data needed to detect potentially malicious activities and signs of compromise. However, relevant data sources can contain data that is both useful in your security operations and… well, not really useful. To ensure you have the ‘right’ data from the relevant data sources, it’s important to understand the different log types that are available in Azure. These log types help you determine what data you need to collect and for how long you need to keep it. The same goes for performance metrics.

In addition to collecting log data, you can collect specific performance metrics, such as the CPU usage of Azure VMs, which can be useful when investigating suspicious activities. These performance metrics can also be used to create alerts that inform you when a specific threshold is breached, which might be indicative of suspicious activity.

9.1 Understanding different log types in Azure


9.1.1 Azure tenant logs


9.1.2 Azure subscription


9.1.3 Azure resources


9.1.4 Operating system


9.2 Azure Monitor


9.3 Diagnostic settings


9.3.1 Diagnostic settings in action


9.4 Data collection rules


9.4.1 Data Collection Rules in action


9.5 Alert rules


9.5.1 Alert rules in action


9.6 Summary
