Manage Security Operations (part 3 of 3)


To read part 1 please click here
To read part 2 please click here

Connected Sources

The Azure Log Analytics agent provides comprehensive management of virtual machines in any cloud, of on-premises machines, and of machines monitored by System Center Operations Manager. It also feeds insights and other services in Azure Monitor, such as Azure Monitor for VMs, Azure Security Center, and Azure Automation.

Comparison to the Azure diagnostics extension

The Azure diagnostics extension in Azure Monitor can also be used to collect monitoring data from the guest operating system of Azure VMs. The key differences to consider are:

  • The Azure diagnostics extension can be used only with Azure VMs, while the Log Analytics agent can be used with VMs in Azure, in other clouds, and on-premises.

  • The Azure diagnostics extension sends data to Azure Storage, Azure Monitor Metrics (Windows only), and Event Hubs, while the Log Analytics agent sends data to Azure Monitor Logs.

  • The Log Analytics agent is required for solutions, Azure Monitor for VMs, and other services such as Azure Security Center.

Azure Monitor Alerts

Alerts in Azure Monitor proactively notify you of critical conditions and can attempt to take corrective action. Alert rules in Azure Monitor use action groups, which contain unique sets of recipients and actions that can be shared across multiple rules. The unified alert experience in Azure Monitor includes alerts that were previously managed by Log Analytics and Application Insights. Over time, Azure has improved and combined both the user interface and the different methods of alerting; the consolidation is still in progress.

Overview of alerts in Azure

The diagram below represents the flow of alerts:



Alert rules are separated from alerts and from the actions taken when an alert fires. The key attributes of an alert rule are:

  • Target resource: defines the scope and the signals available for alerting. A target can be any Azure resource. For certain resources, such as VMs, you can specify multiple resources as the target of one alert rule.

  • Signal: emitted by the target resource. Signals can be of the following types: metric, activity log, Application Insights, and log.

  • Criteria: a combination of a signal and the logic applied to it on a target resource.

  • Alert name: a specific name for the alert rule, configured by the user.

  • Alert description: a description of the alert rule, configured by the user.

  • Severity: the severity of the alert once the criteria specified in the alert rule are met. It can range from 0 to 4.

  • Action: a specific action taken when the alert fires.
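The attributes above map directly onto the request body of a log (scheduled query) alert rule. The following added example, which is not code from the original post, assembles target resource, signal, criteria, name, description, severity and action group into that body and checks the constraints (severity 0 to 4, a non-empty action group list, an evaluation frequency no longer than the look-back window) before anything is sent. The subscription, workspace and action group IDs and the KQL query are constructed placeholders; the payload shape follows the Microsoft.Insights/scheduledQueryRules resource type as I understand it, so compare it with the current API reference before use.

```python
"""Build and validate an Azure Monitor log alert rule body (added example)."""
import json

# Azure alert severities run from 0 (critical) to 4 (verbose).
VALID_SEVERITIES = range(0, 5)
VALID_OPERATORS = {"GreaterThan", "GreaterThanOrEqual", "LessThan",
                   "LessThanOrEqual", "Equal"}

# Constructed placeholder identifiers (hypothetical subscription and names).
SUBSCRIPTION = "00000000-0000-0000-0000-000000000000"
WORKSPACE_ID = (f"/subscriptions/{SUBSCRIPTION}/resourceGroups/rg-secops"
                "/providers/Microsoft.OperationalInsights/workspaces/law-secops")
ACTION_GROUP_ID = (f"/subscriptions/{SUBSCRIPTION}/resourceGroups/rg-secops"
                   "/providers/Microsoft.Insights/actionGroups/ag-soc-oncall")


def build_log_alert_rule(name, description, target_resource_id, query,
                         operator, threshold, severity, action_group_ids,
                         window_minutes=15, frequency_minutes=5):
    """Return the JSON-serialisable body for a scheduled query alert rule.

    target_resource_id -> 'scopes' (target resource)
    query              -> the log signal, expressed as KQL
    operator/threshold -> the criteria applied to the signal
    severity           -> 0..4
    action_group_ids   -> the action taken when the alert fires
    """
    if not name.strip():
        raise ValueError("alert name must not be empty")
    if severity not in VALID_SEVERITIES:
        raise ValueError(f"severity must be 0-4, got {severity}")
    if operator not in VALID_OPERATORS:
        raise ValueError(f"unsupported operator {operator!r}")
    if not action_group_ids:
        raise ValueError("at least one action group is required")
    if frequency_minutes > window_minutes:
        # Evaluating more rarely than the window leaves gaps in coverage.
        raise ValueError("evaluation frequency must not exceed the window size")

    return {
        "name": name,
        "location": "global",
        "properties": {
            "displayName": name,
            "description": description,
            "severity": severity,
            "enabled": True,
            "scopes": [target_resource_id],
            # ISO 8601 durations, as the API expects.
            "evaluationFrequency": f"PT{frequency_minutes}M",
            "windowSize": f"PT{window_minutes}M",
            "criteria": {
                "allOf": [{
                    "query": query,
                    "timeAggregation": "Count",
                    "operator": operator,
                    "threshold": threshold,
                }]
            },
            "actions": {"actionGroups": list(action_group_ids)},
        },
    }


def failed_signin_burst_rule():
    """Constructed sample rule: many failed sign-ins for one account."""
    query = ("SigninLogs | where ResultType != 0 "
             "| summarize Failures = count() by UserPrincipalName "
             "| where Failures > 10")
    return build_log_alert_rule(
        name="soc-failed-signin-burst",
        description="More than 10 failed sign-ins for a single account in 15 minutes",
        target_resource_id=WORKSPACE_ID,
        query=query,
        operator="GreaterThan",
        threshold=0,
        severity=1,
        action_group_ids=[ACTION_GROUP_ID],
    )


if __name__ == "__main__":
    print(json.dumps(failed_signin_burst_rule(), indent=2))
```

The validation runs locally, so a mistyped severity or a rule with no action group fails fast instead of producing a rule that fires silently into nothing.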

Diagnostic logging

Azure Monitor diagnostic logs are logs produced by an Azure service that provide rich, frequently collected data about the operation of that service. Azure Monitor makes two types of diagnostic logs available:

  • Tenant logs: these logs come from tenant-level services that exist outside an Azure subscription, such as Azure AD.

  • Resource logs: these logs come from Azure services that deploy resources within an Azure subscription, such as Network Security Groups (NSGs) or storage accounts.

These differ from activity logs, which provide insight into operations that Azure Resource Manager performed on resources in your subscription, such as creating a VM or deleting a logic app. They also differ from guest operating system (OS)-level diagnostic logs, which are collected by an agent running inside a VM or other supported resource type.

Uses for diagnostic logs

Here are some of the things you can do with diagnostic logs:

  • Save them to a storage account for auditing or manual inspection. You can also specify the retention time (in days) in the resource's diagnostic settings.

  • Stream them to Event Hubs for ingestion by a third-party service or a custom analytics solution, such as Power BI.

  • Analyze them with Azure Monitor, in which case the data is written to Azure Monitor Logs directly, with no need to write it to storage first.

Streaming of diagnostic logs can be enabled programmatically, via the portal, or through the Azure Monitor REST APIs. An event hub is created in the namespace for each log category you enable. A diagnostic log category is a type of log that a resource may collect.
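All three destinations and the per-category retention live in one diagnostic setting on the resource. The following added example (not code from the original post) builds the Microsoft.Insights/diagnosticSettings request body for an NSG with a storage account, an event hub namespace and a Log Analytics workspace as destinations, validates the retention value, and derives the event hub name Azure creates for each enabled category. Every resource ID is a constructed placeholder; the insights-logs-<category> hub naming is the convention as I understand it, so confirm it against the namespace after the setting is applied.

```python
"""Build and validate an Azure Monitor diagnostic setting (added example)."""
import json

MAX_RETENTION_DAYS = 365  # upper bound accepted by retentionPolicy.days

# Constructed placeholder resource IDs (hypothetical names).
SUB = "00000000-0000-0000-0000-000000000000"
NSG_ID = (f"/subscriptions/{SUB}/resourceGroups/rg-net"
          "/providers/Microsoft.Network/networkSecurityGroups/nsg-web")
STORAGE_ID = (f"/subscriptions/{SUB}/resourceGroups/rg-secops"
              "/providers/Microsoft.Storage/storageAccounts/stsecopsaudit")
EVENTHUB_RULE_ID = (f"/subscriptions/{SUB}/resourceGroups/rg-secops"
                    "/providers/Microsoft.EventHub/namespaces/evh-secops"
                    "/authorizationRules/RootManageSharedAccessKey")
WORKSPACE_ID = (f"/subscriptions/{SUB}/resourceGroups/rg-secops"
                "/providers/Microsoft.OperationalInsights/workspaces/law-secops")


def event_hub_name(category):
    """Hub Azure Monitor creates for a streamed category (assumed convention)."""
    return f"insights-logs-{category.lower()}"


def build_diagnostic_setting(name, categories, retention_days=0,
                             storage_account_id=None, event_hub_rule_id=None,
                             workspace_id=None):
    """Return the diagnosticSettings body enabling `categories` on all given sinks."""
    if not categories:
        raise ValueError("at least one log category must be enabled")
    if not (storage_account_id or event_hub_rule_id or workspace_id):
        raise ValueError("at least one destination is required")
    if not 0 <= retention_days <= MAX_RETENTION_DAYS:
        raise ValueError(f"retention must be 0-{MAX_RETENTION_DAYS} days")
    if retention_days and not storage_account_id:
        # Retention in days only applies to the storage account destination.
        raise ValueError("retention requires a storage account destination")

    logs = [{
        "category": category,
        "enabled": True,
        # 0 days means keep forever; otherwise purge after `retention_days`.
        "retentionPolicy": {"enabled": retention_days > 0, "days": retention_days},
    } for category in categories]

    props = {"logs": logs}
    if storage_account_id:
        props["storageAccountId"] = storage_account_id
    if event_hub_rule_id:
        # No eventHubName given: Azure creates one hub per enabled category.
        props["eventHubAuthorizationRuleId"] = event_hub_rule_id
    if workspace_id:
        props["workspaceId"] = workspace_id
    return {"name": name, "properties": props}


def expected_event_hubs(setting):
    """Hub names the namespace should contain once streaming is enabled."""
    props = setting["properties"]
    if "eventHubAuthorizationRuleId" not in props:
        return []
    return [event_hub_name(log["category"]) for log in props["logs"] if log["enabled"]]


def nsg_audit_setting():
    """Constructed sample: both NSG categories to all three destinations, 90-day retention."""
    return build_diagnostic_setting(
        name="nsg-web-to-secops",
        categories=["NetworkSecurityGroupEvent", "NetworkSecurityGroupRuleCounter"],
        retention_days=90,
        storage_account_id=STORAGE_ID,
        event_hub_rule_id=EVENTHUB_RULE_ID,
        workspace_id=WORKSPACE_ID,
    )


if __name__ == "__main__":
    setting = nsg_audit_setting()
    print(f"PUT {NSG_ID}/providers/Microsoft.Insights/diagnosticSettings/{setting['name']}")
    print(json.dumps(setting, indent=2))
    print("expected hubs:", expected_event_hubs(setting))
```

Deriving the expected hub names up front gives the consumer of the stream something to check against, which is useful when a category is enabled but nothing arrives downstream.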
