Manage Security Operations (part 3 of 3)

 


To read part 1 please click here
To read part 2 please click here

Connected Sources

The Azure Log Analytics agent was developed for comprehensive management across virtual machines in any cloud on-premises machines, and those monitored by System Center Operations Manager and also supports insights and the other services in Azure Monitor such as Azure Monitor for VMs, Azure Security Center, and Azure Automation.

Comparison to Azure diagnostics extension 

The Azure diagnostics extension in Azure monitor can also be used to collect the monitoring data from the guest operating system of Azure VMs. The key differences to consider are:

  • Azure Diagnostics Extension can be used only with Azure VMs, while the Log Analytics Agent can be used with VMs in Azure, other clouds, and on-premises.

  • Azure Diagnostics Extension sends the data to Azure Storage, Azure Monitor Metrics (Windows only), and Event hubs, while the Log Analytics Agent collects data to Azure Monitor Logs.

  • The Log analytics Agent is required for solutions, Azure Monitor for VMs, and other services such as Azure Security Center.   

Azure Monitor Alerts

Alerts in the Azure monitor can proactively notify you of the critical conditions and potentially attempt to take corrective action and the alert rules in Azure monitor use action groups, which contains unique sets of recipients and actions that can be shared across multiple rules. The unified alert experience in the Azure Monitor includes alerts that were previously managed by Log Analytics and Application Insights. Overtime, Azure improved and combined both the user interface and different methods of alerting. The consolidation is still in progress.

Overview of alerts in Azure

The diagram below represents the flow of alerts:



Alert rules are separated from alerts and the actions taken when an alert fires. The following are the key attributes of an alert rule as shown:
  • Target resource- It defines the scope and signals available for alerting. A target can be any Azure resource. for certain resources like VMs, you can specify multiple resources as the target of the alert rule.

  • Signal- Emitted by the target resource, signals can be of the types like- metric, activity log, Application Insights, and log.

  • Criteria- It is a combination of signal and logic applied on a target resource.

  • Alert name- A specific name for the alert rule configured by the user.

  • Alert description- A description for the alert rule configured by the user.

  • Severity- The severity of the alert after the criteria specified in the alert rule is met. It can range from 0 to 4.

  • Action- A specific action taken when the alert is fired.

Diagnostic logging

Azure monitor Diagnostic Logs are the logs produced by an Azure service that provides rich, frequently collected data about the operation of that service. Azure monitor makes two types of diagnostic logs available:

  • Tenant logs- These logs comes from tenant-level services that exist outside an Azure subscription, such as Azure AD.

  • Resource logs- These logs comes from Azure services thet deploy resources within an Azure subscription, such as Network Security Groups (NSGs) or storage accounts. 

These differ from activity logs which provides insights into operations, such as creating a VM or deleting a logic app, that Azure resource Manager performed on resources in your subscription. They also differ from guest operating system (OS)-level diagnostic logs which are those collected by an agent running inside a VM or other supported resource type. 

Use for diagnostic logs

Here are some of the things you can do with the diagnostic logs:

  • Save them to a storage account for auditing or manual inspection. You can also specify the retention time (in days) by using resource diagnostic settings.

  • You can stream them to event hubs for ingestion by a third-party service or custom analytics solution, such as Power BI.

  • Analyze them with the Azure Monitor, such that the data can be immediately written to the Azure Monitor with no need to first write the data to storage.  

Streaming of the diagnostic logs can be enabled programmatically, via the portal, or using the Azure Monitor REST APIs. An event hub is created in the namespace for each log category you enable. A diagnostic log category is known as a type of log that a resource may collect.



To read part 1 please click here
To read part 2 please click here



Comments

Popular posts from this blog

Deployment (Part 3)

Deployment (Part 1)

Project Resourcing (Part 2)