Manage Security Operations (part 2 of 3)


To read part 1 please click here
To read part 3 please click here


Metrics and Logs

All data that Azure Monitor collects fits into one of two fundamental types: metrics or logs.

What are metrics?

Metrics are numerical values that describe some aspect of a system at a particular point in time. They are collected at regular intervals, which makes them well suited to alerting: because they can be sampled frequently, an alert can be fired quickly with relatively simple logic (for example, a value crossing a threshold).

Different ways of using metric data in Azure Monitor:

  • Analyze- Use Metrics Explorer to analyze collected metrics on a chart and compare metrics from different resources.

  • Visualize- Pin a chart from Metrics Explorer to an Azure dashboard, or create a workbook that combines multiple sets of data in an interactive report. Send the results of a query to Grafana to use its dashboarding and combine the metrics with other data sources.

  • Alert- Configure a metric alert rule that sends a notification or takes automated action when the metric value crosses a threshold.

  • Automate- Use Autoscale to increase or decrease resources based on a metric value crossing a threshold.

  • Export- Route metrics to Logs to analyze them together with data in Azure Monitor Logs, and to store metric values for longer than 93 days (the retention limit of the metrics store).

  • Retrieve- Access metric values from the command line using PowerShell cmdlets, and from a custom application using the REST API.

  • Archive- Archive the performance or health history of your resources for compliance, auditing, or offline reporting purposes.

What are Azure Monitor Logs?

Logs in Azure Monitor contain data of many different kinds, organized into records, with each record type having its own set of properties. Logs can hold numeric values like Azure Monitor Metrics, but they typically hold text data with detailed descriptions. They differ from metrics in their structure, and they are often not collected at regular intervals.

A common type of log entry is an event, which is collected sporadically, whenever it occurs. Metric data can also be stored in Logs so that it can be combined with other monitoring data for trending and other analysis.

Different ways of using Logs in Azure Monitor:

  • Analyze- Use Log Analytics in the Azure portal to write log queries and interactively analyze log data using the Azure Data Explorer (Kusto) analysis engine. The Application Insights Analytics console in the Azure portal does the same for log data from Application Insights.

  • Visualize- Pin query results rendered as tables or charts to an Azure dashboard, or create a workbook that combines multiple sets of data in an interactive report.

  • Alert- Configure a log alert rule that sends a notification or takes automated action when the results of the query match a particular condition (for example, the number of matching records exceeds a threshold).

  • Export- Build a workflow with Logic Apps to retrieve log data and copy it to an external location.

  • Retrieve- Access log query results from the command line using Azure CLI or PowerShell cmdlets, and from a custom application using the REST API.
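The two alert bullets above describe two different evaluation models: a metric alert compares a regularly sampled number against a threshold, while a log alert runs a search over irregular event records on a schedule and acts on the result. The following Python is an added example written for this article, not Azure Monitor code; it runs both models over constructed data (a "Percentage CPU" series sampled once a minute and a handful of sign-in events) and also shows the "metric data stored in Logs" point by reshaping the metric samples as log records and running the same log search over them. Everything in it (timestamps, users, IPs, the vm-web-01 resource id, and the simplified record field names) is made up for the example.

```python
"""Added example (not Azure Monitor code): the two evaluation models behind
metric alerts and log alerts, run over constructed sample data.
"""
from datetime import datetime, timedelta, timezone

T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def minute(n):
    """Timestamp n minutes after T0 (helper for the constructed data)."""
    return T0 + timedelta(minutes=n)


# Constructed metric: "Percentage CPU" sampled once a minute, regular cadence.
CPU_SAMPLES = [(minute(i), v) for i, v in
               enumerate([41.0, 44.5, 47.0, 92.3, 95.1, 97.8, 96.0, 55.2])]


def _ev(n, upn, ip, result, **extra):
    """Build one constructed sign-in record; extra properties vary per event."""
    rec = {"TimeGenerated": minute(n), "Type": "SigninLogs",
           "UserPrincipalName": upn, "IPAddress": ip, "ResultType": result}
    rec.update(extra)
    return rec


# Constructed log records. ResultType 0 is success; 50126 and 50074 follow the
# Entra ID sign-in result codes for bad credentials / strong auth required.
SIGNIN_EVENTS = [
    _ev(1, "alice@contoso.example", "203.0.113.10", 0),
    _ev(2, "bob@contoso.example", "198.51.100.7", 50126, FailureReason="Invalid username or password"),
    _ev(2, "bob@contoso.example", "198.51.100.7", 50126, FailureReason="Invalid username or password"),
    _ev(4, "carol@contoso.example", "198.51.100.7", 50126, FailureReason="Invalid username or password"),
    _ev(6, "dave@contoso.example", "198.51.100.7", 50126, FailureReason="Invalid username or password"),
    _ev(7, "alice@contoso.example", "203.0.113.10", 50074, FailureReason="Strong Authentication is required"),
    _ev(8, "bob@contoso.example", "198.51.100.7", 0),
]


def metric_alert(samples, threshold, window_minutes=1, violations=1):
    """Metric-alert semantics: at each sample time, average the values in the
    trailing window and count consecutive evaluations above `threshold`.
    Returns the timestamp at which `violations` consecutive breaches were
    reached, or None if the rule never fires."""
    breaches = 0
    for i, (ts, _) in enumerate(samples):
        start = ts - timedelta(minutes=window_minutes)
        window = [v for t, v in samples[:i + 1] if t > start]
        breaches = breaches + 1 if sum(window) / len(window) > threshold else 0
        if breaches >= violations:
            return ts
    return None


def log_alert(records, where, by, lookback_minutes, threshold, now):
    """Log-alert semantics: run a search (filter, then count() by `by`) over
    the records in the lookback window; fire for every group whose count
    exceeds `threshold`. Returns {group: count} for the firing groups."""
    start = now - timedelta(minutes=lookback_minutes)
    counts = {}
    for r in records:
        if start < r["TimeGenerated"] <= now and where(r):
            counts[r.get(by)] = counts.get(r.get(by), 0) + 1
    return {k: n for k, n in counts.items() if n > threshold}


def metrics_to_log_records(samples, resource_id, metric_name):
    """Route metric samples into log-shaped records (field names modelled
    loosely on the AzureMetrics table, simplified here) so the same log
    search can query them alongside events."""
    return [{"TimeGenerated": ts, "Type": "AzureMetrics", "ResourceId": resource_id,
             "MetricName": metric_name, "Average": v, "Count": 1} for ts, v in samples]


def failed_signin(r):
    """Filter used by the log alert: any non-zero sign-in result."""
    return r["Type"] == "SigninLogs" and r["ResultType"] != 0


if __name__ == "__main__":
    # Raw samples: three consecutive minutes above 80% fire at minute 5.
    print(metric_alert(CPU_SAMPLES, 80, window_minutes=1, violations=3))
    # A 5-minute average smooths the same spike below 80% for long enough that
    # the rule never fires: aggregation granularity changes the outcome.
    print(metric_alert(CPU_SAMPLES, 80, window_minutes=5, violations=3))
    # Log alert: more than 3 failed sign-ins from one IP in the last 10 minutes.
    print(log_alert(SIGNIN_EVENTS, failed_signin, "IPAddress", 10, 3, minute(8)))
    # The metric, once stored as log records, is searchable with the same logic.
    as_logs = metrics_to_log_records(CPU_SAMPLES, "vm-web-01", "Percentage CPU")
    print(log_alert(as_logs, lambda r: r["Average"] > 80, "ResourceId", 10, 2, minute(8)))
```

The second metric_alert call is the caveat worth remembering when you tune a real rule: the aggregation window and the number of violations required decide whether a short spike is an alert or noise, and the same series can fire under one setting and stay silent under another.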

Log Analytics

Log Analytics is part of Azure's overall monitoring solution. It helps you monitor cloud and on-premises environments to maintain availability and performance, and it is the primary tool in the Azure portal for writing log queries and interactively analyzing their results.

In addition to interactively working with log queries and their results in Log Analytics, areas in Azure Monitor where you will use queries include the following:

  • Alert rules- Proactively identify issues from data in your workspace. Each alert rule is based on a log search that runs automatically at regular intervals.

  • Dashboards- Pin the results of any query to an Azure dashboard, which lets you visualize log and metric data together and optionally share the dashboard with other Azure users.

  • Views- Create visualizations of the data to include in user dashboards with View Designer. Log queries provide the data used by the tiles and visualization parts in each view.

  • Export- When you import log data from Azure Monitor into Excel or Power BI, you create a log query to define the data to export.

  • PowerShell- Run a PowerShell script, from the command line or from an Azure Automation runbook, that uses Get-AzOperationalInsightsSearchResults (in current versions of the Az.OperationalInsights module, Invoke-AzOperationalInsightsQuery) to retrieve log data from Azure Monitor. The cmdlet requires a query to determine the data to retrieve.

  • Azure Monitor Logs API- Lets any REST API client retrieve log data from the workspace. The API request includes a query that runs against Azure Monitor to determine the data to retrieve.
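For the "Retrieve" and "Azure Monitor Logs API" bullets above, the following Python is an added example written for this article (not Microsoft's code) of what a custom REST client actually sends and gets back. It builds the POST to the workspace query endpoint and turns the documented tables/columns/rows response into a list of dicts. No network call is made at import time: run_query is only invoked if you call it yourself, and the workspace ID, bearer token, query and SAMPLE_RESPONSE are constructed values. Obtaining the token (for example with az account get-access-token --resource https://api.loganalytics.io, or any Entra ID client flow requesting the scope below) is assumed and not shown.

```python
"""Added example (not Microsoft code): calling the Azure Monitor Logs query
API from a custom client and parsing its response.
"""
import json
import urllib.request

# Per-workspace query endpoint and the scope a bearer token must carry.
LOGS_API = "https://api.loganalytics.io/v1/workspaces/{workspace_id}/query"
TOKEN_SCOPE = "https://api.loganalytics.io/.default"

# Constructed example query: failed sign-ins per source IP in the last hour.
QUERY = """SigninLogs
| where TimeGenerated > ago(1h) and ResultType != 0
| summarize Failures = count() by IPAddress
| where Failures > 3"""


def build_query_request(workspace_id, query, bearer_token, timespan="PT24H"):
    """Return (url, headers, body) for the POST. `timespan` is an ISO 8601
    duration or interval that bounds the query; the query's own time filter
    is applied within it."""
    url = LOGS_API.format(workspace_id=workspace_id)
    headers = {"Authorization": f"Bearer {bearer_token}",
               "Content-Type": "application/json"}
    body = {"query": query, "timespan": timespan}
    return url, headers, body


def rows_as_dicts(response, table="PrimaryResult"):
    """The API returns {"tables": [{"name", "columns": [{"name","type"}],
    "rows": [[...]]}]}. Zip the named table's column names with each row."""
    for t in response["tables"]:
        if t["name"] == table:
            names = [c["name"] for c in t["columns"]]
            return [dict(zip(names, row)) for row in t["rows"]]
    raise KeyError(f"table {table!r} not present in response")


def run_query(workspace_id, query, bearer_token, timespan="PT24H", timeout=30):
    """Send the request and return the parsed JSON body. Not called at
    import; requires a real workspace and token."""
    url, headers, body = build_query_request(workspace_id, query, bearer_token, timespan)
    req = urllib.request.Request(url, data=json.dumps(body).encode("utf-8"),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


# Constructed response in the documented shape, as the QUERY above might return it.
SAMPLE_RESPONSE = {
    "tables": [{
        "name": "PrimaryResult",
        "columns": [{"name": "IPAddress", "type": "string"},
                    {"name": "Failures", "type": "long"}],
        "rows": [["198.51.100.7", 4]],
    }]
}


if __name__ == "__main__":
    url, headers, body = build_query_request(
        "00000000-0000-0000-0000-000000000000", QUERY, "<token>")  # constructed
    print(url)
    print(json.dumps(body, indent=2))
    for row in rows_as_dicts(SAMPLE_RESPONSE):
        print(row)
```

Because the token grants read access to everything the workspace's RBAC allows, treat it like any other credential: request it for the API's own scope, keep it out of logs and scripts, and prefer a managed identity or service principal with a reader role scoped to the workspace over a user's token when this runs unattended.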

At the center of Log Analytics is the Log Analytics workspace, which is hosted in Azure. You can create one from the Log Analytics workspaces menu in the Azure portal. Each workspace has its own data repository and configuration, and data sources and solutions are configured to store their data in a particular workspace. You need a Log Analytics workspace if you intend to collect data from the following sources:

  • Azure resources in your subscription
  • On-premises computers monitored by System Center Operations Manager  
  • Device collections from Configuration Manager
  • Diagnostics and log data from Azure Storage





