9 Audit and log data: Azure Monitor
This chapter covers
- Understanding different log types in Azure
- Azure Monitor
- Diagnostic settings
- Data Collection Rules
- Alert rules
As you learned in chapter 8, it’s important to have relevant data sources when detecting threats and investigating incidents. Relevant data sources provide you with enough breadth and depth of data needed to detect potentially malicious activities and signs of compromise. However, relevant data sources can contain data that is both useful in your security operations and… well, not really useful. To ensure you have the ‘right’ data from the relevant data sources, it’s important to understand the different log types that are available in Azure. These log types help you determine what data you need to collect and for how long you need to keep it. The same goes for performance metrics.
In addition to collecting log data, you can collect specific performance metrics like CPU usage of Azure VMs, which can be useful in your investigation of suspicious activities. These performance metrics can be used to create alerts, informing you when a specific threshold is breached, which might be indicative of a suspicious activity.