How to get logs and metrics ingested and displayed with actionable alerts
- Service Health
- Azure Monitor
- Live Log Streaming
- Azure Resource Graph Explorer
- Kusto Query Language (KQL)
- Metrics (performance data)
- Event Hubs
- Cost Management and Billing
- Azure Security Center
- Azure Defender CWPP
- Just-In-Time VM access
- Azure Sentinel (SIEM)
- Azure ML
- Microsoft Defender
- Stay Up to Date
- Metrics Explorer
- Metrics Advisor
- Load Testing Azure
- More on Azure
- More about Azure
NOTE: Content here are my personal opinions, and not intended to represent any employer (past or present). “PROTIP:” here highlight information I haven’t seen elsewhere on the internet because it is hard-won, little-know but significant facts based on my personal research and experience.
Several Azure services are related to all the monitoring happening within Azure:
- Metrics Explorer receives metrics
Log Analytics Workspaces (LAW)
- Azure Security Center
- Azure Defender
- Azure Application Insights
- Azure Event Hubs
- Microsoft Defender
- Azure Sentinel (SIEM like Splunk) which also uses LAW.
- Azure Network Performance Monitor
Dynatrace (for additional price) provides comprehensive monitoring support for Azure services, by integration with both OneAgent and Azure Monitor.
VIDEO: “What to use for monitoring your applications in Azure”</a> by Azure Barry (Luijbregts)
Issues to monitor for:
- poor response times,
- changing usage rates,
- security risks,
- capacity limits,
- suspicious activity.
- In Portal GUI Service Health
- Health alerts, “+ Add Service health alert”
“Add Action Groups”, Subscription, “+ Create action group”
- Automation Runbook
- Azure Function
- Logic App
- Secure Webhook
The Azure Monitor service home screen is at https://docs.microsoft.com/en-us/azure/azure-monitor/overview
Get to Monitor service from the Home menu, Search, or Favorites.
You can return to this page by clicking “Overview” in the Monitor menu.
Click the “What’s new” tab.
PROTIP: These can be viewed at https://aka.ms/AzMonUpdates - Azure Monitoring Updates
Between new product announcements occur in March each year at Microsoft’s Ignite conference, Kayode Prince videos about Azure Monitor.
VIDEO What is Azure Monitor? from Microsoft:
DEFINITION: Azure Monitor collects two fundamental types of data:
- logs and
- metrics (which include Service Health)
Insights are elicited from:
- Virtual Machines (IaaS) which uses the Azure Diagnostics Extension
- Storage accounts
- Azure Cosmos DB
- Key Vaults
- Azure Cache for Redis
- Insights Hub
Developers can code .NET Framework, Node.js, or Python to call the Data Collector API to send data to Azure Monitor from custom sources such as a web app, an Azure function, or a mobile app.
- Metrics Explorer analyzes collected metrics on a chart and compare metrics from different resources.
- Log Analytics
- Export: route Metrics to Logs to analyze data in Azure Monitor Metrics together with data in Azure Monitor Logs and to store metric values for longer than 93 days.
- pin a chart from metrics explorer to an Azure Dashboard. Export the results of a query to Grafana to leverage its dashboarding and combined with other data sources.
- pin a chart from metrics explorer to an Azure Dashboard. Export the results of a query to Grafana to leverage its dashboarding and combined with other data sources. VIDEO
- To Respond:
- in Alerts, configure metric alert rules to send notifications or takes automated action when some metric value crosses a threshold.
- use Autoscale to increase or decrease resources based on a metric value crossing a threshold. Automate!
- Action Groups.
- To Integrate:
- Stream Metrics to an Event Hub to route them to external systems.
- Logic apps
- Ingest & Export APIs
Metric values can be accessed:
- from a command line using PowerShell cmdlets
- from custom application using REST API.
- from a command line using CLI.
Also, archive performance / health history of resources for compliance, auditing, or offline reporting.
??? The agent for Linux and Windows isn’t only for connecting to Azure Monitor, it also supports Azure Automation hosts the Hybrid Runbook worker role and other services such as Change Tracking, Update Management, and Azure Security Center.
Live Log Streaming
Start the log streaming service to show a duplicate of what is saved to log files for a single app instance. So it’s only good for initial debugging, to quick feedback on server issues.
az webapp log tail --name $app_name --resource-group $resource_group_name
To stop viewing live logs, press Ctrl+C.
HANDS-ON Exercise in Sandbox - Create basic Azure Monitor log queries to extract information from log data
Type a KQL to take the last 10 records from SecurityEvent logs. Click Run:
SecurityEvent | take 10
Logs are organized into records. Each type of record have different sets of properties. Logs typically contain text data with detailed descriptions that contain numeric values.
- Time Generated is for the UTC time zone
- Account Type is Machine or User
- Event Source Name
- Channel: “Security”,”Microsoft-Windows-AppLocker/…”
- Level: “4”, “8”, “16”
- Fqbn (Fully qualified b name)
- ImpersonationLevel “%%1833” is for English
- IpPort “58710”
Logs differ from metrics in that their record structure can vary and are often not collected at regular intervals. Applications can create custom logs by using the structure each needs.
Look at events collected sporadically.
Event | where EventLog == "Application" | where TimeGenerated > ago(24h)
Events created by an application or service typically include enough information to provide complete context on their own. For example, an event can indicate that a particular resource was created or modified, a new host started in response to increased traffic, or an error was detected in an application.
Display heartbeat events generated by computers, rendered as a bar chart each week (for the last three weeks):
Heartbeat | where TimeGenerated >= startofweek(ago(21d)) | summarize dcount(Computer) by endofweek(TimeGenerated) | render barchart kind=default
Telemetry such as events and traces are stored as logs in addition to performance data so that thet can all be combined for analysis.
- From the Azure Portal menu, select “Monitor”.
PROTIP: Click the “«” icon above the Portal menu to make room.
- Click “Logs” in the Log Queries menu.
PROTIP: Click the “«” icon above the Monitor menu to make room.
Observe that specific log queries (to run) on the right are grouped according to the left menu: Access -> ACCESS, Activity log -> ACTIVITY LOG, etc.
- Click to open the Topics menu, which groups specific log queries differently (in 4 dimensions):
- Category (of architecture)
- Resource Type
Click “Community Git repo” on the upper-right for a new browser tab showing:
Workbooks provide a flexible canvas for data analysis. It combines multiple sources/sets of data in an interactive report (visualization).
- Azure Resource Graph
- Workload health
- Azure Resource Health
- Azure Data Explorer
See the Gallery:
Workbooks support visualization types: Text, Charts, Grids, Tiles, Trees, Graphs
Start with a template.
Azure App Insights
When an app is connected
installs an instrumentation package in your app
Application Insights Dashboard
SDK analyzes your app for a typology, to identify connection to resources.
Tracks availability of app
Folders in the repo have different items than in groupings Portal GUI:
Same In Portal GUI In repo * Solution(s) - see comparion table below * Category (of architecture)
* Resource Type
* Azure Services
* Scenarios (How to's)
Same In Portal GUI In repo * Change Tracking
* Active Directory health check
* Azure Monitor for VMs
* Network Performance Monitor
* Security and Audit
* Update Management
* Custom Logs
In the repo README file, click “Log Analytics Demo environment” to open a new Portal tab:
- Click “Query explorer” tab at the right.
Expand “Solution Queries”:
- Active Directory Health Check
- Alert Management
- Antimalware Assessment
- Change Tracking
- Security and Audit
- SQL Health Check
- Update Management
- Wire data
- All Syslog records with errors
- Available memory (MB) per hour for computers that are named “Contoso*”
- Find out which computers haven’t sent any data in the past 12 hours
- Security events count by Computer during the last 12 hours
- See the stream of data collected in the last 24 hour in intervals of one hour
- Usage data volume per data type
- Which computers sent a heartbeat in the last hour, and when they last sent it
Log Analytics (LA)
VIDEO, VIDEO: How to get started with Azure Monitor Log Analytics
Log Analytics reads data sources to create virtual tables in workspaces for use by KQL queries.
How you start Log Analytics within Azure Portal limits the scope of data available: ???
- From Log Analytics workspaces menu
- From an Application Insights application Overview page, select “Analytics”.
- From an Azure resource menu, select “Logs”.
- In Portal search for “Log Analytics workspaces”.
- Create (previously Add) an instance.
- Specify the resource group you defined earlier.
- Type name based on your Naming Guidelines.
- Next: Pricing
Review + Create, Create.
“OMS” (Operations Management Suite) is legacy branding which hasn’t been updated.
- Go to Resource.
- Click “«” at the top of the Portal menu to hide it for more room.
- Scroll down to “Workspace Data Sources” -> Virtual machines.
- Click a VM running.
TASK: Connect Activity Logs from various Subscriptions to a Azure Montitor Logs (prev. aka Log Analytics) for up to 90 days.
From the “Monitor” menu, select “Logs” for “Log Analytics”.
Log Analytics monitors cloud and on-premises environments (to maintain availability and performance).
- Azure Monitor (pane of glass for monitoring on Azure),
- Azure Log Analytics (log ingestion and IaaS monitoring), and
- Application Insights (application performance monitoring including availability, performance, and exception information)
Click Monitor “Usage and estimated costs” : https://portal.loganalytics.io/demo
??? In each workspace, Log Analytics collects data from connected sources by configuring data sources and adding solutions to your subscription. ???
Each workspace has its own data repository and configuration, and data sources and solutions are configured to store their data in a particular workspace.
A Log Analytics workspace collects data from:
- Azure resources under a subscription
- On-premises computers monitored by System Center Operations Manager
- Configuration Manager Device collections
- Azure storage Diagnostics log data
Data sources and solutions each create different record types, each with its own set of properties. But you can still analyze sources and solutions together in queries to the workspace. This capability allows you to use the same tools and methods to work with a variety of data collected by a variety of sources.
Azure Traffic Analytics
Network Performance Monitor (NPM)
- ”+ Create a resource”.
- In Search in the Marketplace, type enough of “Network Performance Monitor” to select it. Notice it’s “Solarwinds”.
- Click the blue Create.
Create new Resource Group and define a VM server.
- Get connected to a valid workspace.
In a Log Analytics workspace, click General: Solutions.
Download Windows Agent into each subnet.
… synthetic transactions
The full list of columns in table “NetworkMonitoring” is
Azure Resource Graph Explorer
- Click on “All Resources” powers
Click “Open Query” at the top for a dialog to specify Kusto Query Language (KQL) for resource discovery and inventory.
“Graph” refers to the relationship between resource entities, not visual graphics.
Kusto Query Language (KQL)
See my Kusto
Metrics (performance data)
Some metric data can be stored in Logs to combine them with other monitoring data for trending and other data analysis.
Service Health metrics
Dashboard for Metrics
- Click “Monitor” among Portal FAVORITES.
Click “Dashboard” at the top.
Note Dashboard display resources.
Application Insights is an “APM” (Application Performance Management) service: it collects log, performance, and error data.
An Application Insights resource is created by default when a Function app is created.
App Insights have additional costs: https://portal.loganalytics.io/demo
Types of diagnostic logs:
Tenant logs come from tenant-level services such as Azure Active Directory (Azure AD) which exist outside Azure subscriptions and their resources.
Resource-level logs come from Azure services under a subscription’s resources, such as rule counters by NSGs (Network Security Groups), Azure Key Vault audits, and storage accounts. Resource-level diagnostic logs provide insight into operations that were performed within that resource itself.
??? Diagnostic logs differ from activity logs . Activity logs provide insight into operations such as creating a VM or deleting a logic app, that Azure Resource Manager performed on resources in your subscription using. The activity log is a subscription-level log.
??? These logs also differ from guest operating system (OS)–level diagnostic logs. Guest OS diagnostic logs are those collected by an agent running inside a VM or other supported resource type. Resource-level diagnostic logs require no agent and capture resource-specific data from the Azure platform itself, whereas guest OS–level diagnostic logs capture data from the OS and applications running on a VM.
Diagnostic Log Settings can be configured by:
- Azure Portal GUI
- Azure CLI
- Rest API calls
Save Diagnostic logs to a storage account for auditing or manual inspection. Specify retention time (in days).
Stream Diagnostic logs to Event Hubs for ingestion by a third-party service or custom analytics solution, such as Power BI. An event hub is created in the namespace for each log category you enable. A diagnostic log category is a type of log that a resource may collect.
Analyze them with Azure Monitor, so they are immediately written to Azure Monitor with no need to first write the data to storage.
??? Logs are streamed to:
- Azure Storage
- Log Analytics workspaces
- Azure Monitor Logs (previously called “”).
- Event Hubs
PowerShell: Set-AZDiagnosticSetting -ResourceID $ -WorkspaceID $ -Categories $list -Enabled $true
VIDEO: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/tutorial-monitoring Install Diagnostics extension -> Enable guest-level monitoring (into a storage account)
Pluralsight: Monitoring Microsoft Azure Resources and Workloads by Tim Warner
Log alerts can come from any Azure resource:
- server logs,
- application server logs,
az webapp log config --application-logging true --level verbose \ --name $app-name \ --resource-group $resource-group-name
There is currently no way to disable application logging by using Azure CLI commands; however, the following command resets file system logging to error-level only.
az webapp log config –application-logging false –name <app-name> –resource-group
To view the current logging status for an app, use this command.
az webapp log show –name <app-name> –resource-group <resource-group-name>
HANDS-ON LAB: Enable and Configure App Service Application Logging using the Azure Portal
gitRepo=https://github.com/MicrosoftDocs/mslearn-capture-application-logs-app-service Based on:
- Tests for web site availability
- Metric values threshold for metric alerts
- Log search values
- Activity Log events
FREE HANDS-ON LAB: Use metric alerts to alert on performance issues with an Azure environment resource-group shown as “MICROSOFT LEARN SANDBOX” subscription paid by Microsoft at https://portal.azure.com/learn.docs.microsoft.com.
In the Portal Azure Cloud Shell, define custom-data in a file which generates enough stress on the CPU (1=100% usage) which trigger an alert:
cat <<EOF > stress-cpu1.txt #cloud-config package_upgrade: true packages: - stress runcmd: - sudo stress --cpu 1 EOF
Set up an Ubuntu Linux VM with a custom-data configuration file:
az vm create \ --resource-group learn-af57b7f1-6591-4a7d-8880-6f5db0c162d5 \ --name vm1 \ --image UbuntuLTS \ --custom-data stress-cpu1.txt \ --generate-ssh-keys
“SSH key files ‘/home/wilsonmar/.ssh/id_rsa’ and ‘/home/wilsonmar/.ssh/id_rsa.pub’ have been generated under ~/.ssh to allow SSH access to the VM. If using machines without permanent storage, back up your keys to a safe location.
In Monitoring Overview, “+ New alert rule”.
Under Scope, select Select resource. The Select a resource pane appears. The Filter by subscription dropdown list should already be populated with Concierge Subscription. In the Filter by resource type enough of “Virtual machines” to select it. Select the vm1 virtual machine under resource group:
Select Done at the bottom of the pane.
Under the Condition (conditional logic) section, select Add condition for the Configure signal logic pane to appear. For Signal type, type “m” to select Metrics. For Monitor service, select All.
In the “Search by signal name”, type list of available signals will change depending on the selected signal type. From the list of available signal types, select Percentage CPU.
In the Configure signal logic pane, enter the following values for each setting.
Every log alert has an associated search rule. The composition of these rules is:
- Log query: Query that runs every time the alert rule fires.
- Time period: Time range for the query.
- Frequency: How often the query should run.
- Threshold: Trigger point for an alert to be created.
- Send an email.
- Send an SMS message.
- Create an Azure app push notification.
- Make a voice call to a number.
- Call an Azure function.
- Trigger a logic app.
- Send a notification to a webhook.
- Create an ITSM ticket. (Service Now)
- Use a runbook (to restart a VM, or scale a VM up or down).
- Menu: alert
- CONDITION: Configure signal logic (124 signals) : Signal Type Activity Log
- Monitor service: Administrative, etc.
- Alert Level: All, Critical, Error, Warning, Informational, Verbose
- Status: Failed, Started, Succeeded
- ACTION Group Type: REMEMBER sets of notification preferences – VIDEO
- Azure Function
- Automation Runbook
Severity Level 0 lowest, 4 highest
Alerts can be Enabled or Disabled at any time.
Learn Module: Handle transient errors in your app
- Analyze using Metrics Explorer
- Automate using AutoScale
Within Azure Monitor using Azure Log Analytics,
Event | search "error" | take 10or
search in (Event) "error"
Heartbeat | summarize LastHeartbeat-max(TimeGenerated) by Computer | where LastHeartbeat < ago(5h)
CAUTION: Kusto language keywords are case-sensitive
Cost Management and Billing
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources Use tags to organize your Azure resources
(Get-AzResourceGroup -Name examplegroup).tags
https://www.youtube.com/watch?v=Zr7LcSr6Ooo What to use for monitoring your applications in Azure | Azure Friday
Azure Security Center
Azure Security Center is a CSPM (Cloud Security Posture Management) solution. It lists prioritized security alerts and recommendations for attack investigation and remediation. It summarizes a tenant’s security posture with a “Secure Score” s based on the percentage of recommendations implemented.
DEFINITION: “Security posture” refers to cybersecurity policies and controls, as well as how well you can predict, prevent, and respond to security threats.
Host recommendations: Every VM includes vulnerability assessment from Qualys.
- OS security settings configuration rules
- System security & critical updates missing
- Endpoint protection recommendations
- Disk encryption validation
- Remediate vulnerabilities assessment
- Threat detection
Each can be exempted.
### Install agent
From the network; and connected partner solutions, like firewall and endpoint protection solutions, Security Center automatically collects, analyzes, and integrates log data from Azure resources to detect real threats and reduce false positives.
- Click “Getting Started” menu. Click “Install agent” for data collection on VMs.
- Click “Install agents” button to install on all VMs.
“Pricing & settings” menu
“Standard” tier includes threat protection, network hardening and VM EDR.
Scroll down to see each resource can be enabled or disabled for security.
Each machine is $15/month.
By default, Azure Security Center stores data that it collects from agents in a Log Analytics workspace where it can be analyzed with other log data.
Processed events that Azure Security Center produces are published to the Azure activity log, one of the log types available through Azure Monitor.
To stream log data from Azure Monitor to a SIEM tool (Azure Sentinel or Splunk), use Azure Event Hubs - a streaming platform and event ingestion service that transforms and stores data by using any real-time analytics provider or batching/storage adapters.
Azure Monitor offers a consolidated pipeline for routing any of your monitoring data into a SIEM tool. This is done by streaming that data to an event hub, where it can then be pulled into a partner tool. This pipe uses the Azure Monitor single pipeline for getting access to the monitoring data from your Azure environment. This allows you to easily set up SIEMs and monitoring tools to consume the data. Currently, the exposed security data from Azure Security Center to a SIEM consists of security alerts.”
Security Center “Adaptive network hardening” are recommendations about how NSGs should be locked down with remediation steps.
Adaptive application controls which applications uses machine learning to alert about unauthorized applications that are running on its VMs, by creating exception rules for each resource group that holds the VMs.
See code at https://github.com/ned1313/Monitor-Security-with-Azure-Security-Center
Azure Defender CWPP
Azure Defender is Security Center’s integrated Cloud Workload Protection Platform (CWPP). In addition to the built-in policies, custom policies and initiatives can be added – regulatory standards such as NIST and Azure CIS as well as the Azure Security Benchmark.
INTRO VIDEO at Ignite 2019 by Yinon Costica (@c0stica), Director PM, Cloud Security Group.
Several 3rd-party vendors also provide CWPP with recommendations:
CWPP (Cloud Workload Protection Platform) aims to block the “Kill Chain” - see my notes on Kill Chain.
PROTIP: Don’t set permissons for Local Admin on a laptop.
To protect containers in AKS:
Security Center social
user Forum, Blog, Feature suggestion, documentation, API documentation
https://docs.microsoft.com/en-us/azure/security-center/security-center-alerts-overview Security alerts and incidents in Azure Security CenterLearn how Azure Security Center generates security alerts and correlates them into incidents.docs.microsoft.com[12:42 PM] Ken Lawson
https://docs.microsoft.com/en-us/azure/security-center/security-center-alerts-overview Security alerts and incidents in Azure Security CenterLearn how Azure Security Center generates security alerts and correlates them into incidents.docs.microsoft.com[12:45 PM] Ken Lawson
https://docs.microsoft.com/en-us/azure/sentinel/create-incidents-from-alerts Create incidents from alerts in Azure SentinelLearn how to create incidents from alerts in Azure Sentinel.docs.microsoft.com[12:46 PM] Ken Lawson
https://docs.microsoft.com/en-us/azure/logic-apps/quickstart-create-first-logic-app-workflow Quickstart - Create your first Logic Apps workflow - Azure portal - Azure Logic AppsBuild your first automated Logic Apps workflow in the Azure portal using this quickstart guide. Learn the basics of system integration and enterprise application integration (EAI) solutions in Logi…docs.microsoft.com[12:>”X?51 PM] Ken Lawson
Just-In-Time VM access
To reduce the attack surface, protect network ports by opening network traffic to VMs only during time of need:
- In Security Center, Configured tab, click the checkbox for a Virtual machine;
- Click “Request access” button.
Toggle On/Off and select amount in Time range to allow.
Azure Sentinel (SIEM)
DEPRECATION: Custom alert rules were retired from Azure Security Center on June 30, 2019 so they can be in the new Azure Sentinel product.
Azure Sentinal competes with Splunk and others to provide a SIEM (Security Information and Event Management) solution that collects monitor data to provide a centralized analysis and visualization for SOC (Security Operations Center).
Sentinal is called a SOAR (Security Orchestration Automated Response) solution because ???
Azure Sentinel stores data from data sources into a Log Analytics workspace.
Charges for Azure Sentinel are based on a fixed Capacity Reservation “commitment tiers” (in Log Analytics), from $123 per day for increments of 100GB, with overage beyond $2.46 per GB-ingested. WestUS costs 30% more than EastUS.
To onboard Azure Sentinel:
Enable Azure Sentinel in Portal.
Define subscriptions handled by each playbook.
A Sentinel playbook is a collection of procedures that can be run from Azure Sentinel in response to an alert. Each Sentinel playbook can handle several subscriptions at once.
Connect data sources.
Investigation graph for visualizing and traversing the connections between entities like users, assets, applications, or URLs and related activities like logins, data transfers, or application usage to rapidly understand the scope and impact of an incident.
Azure Sentinel comes with a number of connectors for Microsoft solutions, available out of the box and providing real-time integration, including Microsoft Threat Protection solutions, Microsoft 365 sources, including Microsoft 365, Azure AD, Azure ATP, Microsoft Cloud App Security, etc.
In addition, there are built-in connectors to the broader security ecosystem for non-Microsoft solutions. You can also use common event format, Syslog or REST-API to connect your data sources with Azure Sentinel.
Microsoft’s security researchers built the Azure Sentinel GitHub repository at https://github.com/Azure/Azure-Sentinel to cover 400 detection, exploratory, and hunting queries, plus Jupyter Notebooks samples and related Python libraries, playbooks samples, and parsers.
- Select from a gallery of dashboards to surface insights based on custom data.
Customize your dashboard.
??? Incident detailed information includes severity, summary of the number of entities involved, the raw events that triggered this incident, and the incident’s unique ID.
Alerts can be triggered by a single event, be based on a threshold, by correlating different datasets, or by using built-in machine learning algorithms.
Azure Sentinal makes use of AI Machine Learning.
Azure Sentinel has more than 100 built-in alert rules, or you can create your own.
Define a notebook.
A notebook is a step-by-step playbook where one can walk through the steps of an investigation and hunt.
Assign owner to incidents.
Sentinel built-in roles are reader, responder, and contributor.
All incidents start as unassigned. Add comments so that other analysts will be able to understand what was investigated and what concerns are around the incident.
Linking O365 to Log Analytics - https://docs.microsoft.com/en-us/azure/azure-monitor/insights/solution-office-365 Office 365 management solution in Azure - Azure MonitorThis article provides details on configuration and use of the Office 365 solution in Azure. It includes detailed description of the Office 365 records created in Azure Monitor.docs.microsoft.com
Linking O365 to Sentinel - https://docs.microsoft.com/en-us/azure/sentinel/connect-office-365 Connect Office 365 logs to Azure SentinelLearn to use the Office 365 log connector to bring in information about ongoing user and admin activities in Exchange, Teams, and SharePoint, including OneDrive.docs.microsoft.com
https://techcommunity.microsoft.com/t5/azure-sentinel/best-practices-for-designing-an-azure-sentinel-or-azure-security/ba-p/832574 Best practices for designing an Azure Sentinel or Azure Security Center Log Analytics workspace Note: alot has be updated since this article: we now have official guidelines in the documentation: Extend Azure Sentinel across workspaces and tenants. You may also want to review the Webinar on…techcommunity.microsoft.com
MS LEARN: Threat Modeling Fundamentals:
READ: Intro to Threat Modeling
BOOK Learn Azure Sentinel
The JuPyter notebooks link to an Azure ML workspace
https://docs.microsoft.com/en-us/azure/machine-learning/how-to-run-jupyter-notebooks#:~:text=How%20to%20run%20Jupyter%20Notebooks%20in%20your%20workspace,experiment.%20…%205%20Change%20the%20notebook%20environment. Run Jupyter notebooks in your workspace - Azure Machine LearningLearn how run a Jupyter notebook without leaving your workspace in Azure Machine Learning studio.docs.microsoft.com
- Endpoint forensic analyzes communication patterns
- Cloud App Security (Caspia???) analyzes apps, conditional access proxies (DLP?). Was ATP
security.microsoft.com Office 365 Security Centerintegrates “Microsoft Defender for Endpoint” and “Microsoft Defender for Office 365”. It provides eXtended Detection and Response (XDR): incident management, automatic investigation and remediation, Microsoft Threat Experts, threat analytics, and cross-domain proactive hunting. Phishing protection. Provides a Secure Score summary metric; email threat alert policies.
Microsoft InTune policy engine manages Windows 10 & macOS client (device) security. Includes MDM (Mobile Device Management) can wipe entire device. MAM (Application) with app allow/deny policies.
compliance.microsoft.com has data classification and data connectors shown a Compliance Manager by Solution:
- Catalog (of risks)
- Audit (can go to 10 years with additional licensing)
- Content search
- Communication compliance (profanity, etc.)
- Data loss prevention (DLP) exfiltration, watermarkx
- Data subject requests
- eDiscovery (hold)
- Information governance
- Information protection
- Insider risk management
- Records management
Privilege Access Management - task scope
Customer Lockbox in Office 365 to transfer files to Microsoft engineers.
Twitter @MSThreatProtect (integrated SIEM and XDR), @MsftSecIntel (Microsoft Security Intelligence)
Stay Up to Date
Azure Monitor: The essentials every admin should know by KnowOps
Microsoft’s YouTube channel for Azure Monitoring
VIDEO COURSE: Microsoft Azure IaaS Monitoring & Management
SCOM (System Center Operations Manager) monitoring tool have management packs for managing specific products
Monitor alerts - Actionable or noise happens..
Sev (Severity) levels:
Sev 0 = Critical
Sev 1 = Error
Sev 2 = Warning
Sev 3 = Informational
Sev 4 = Verbose
Analyze collected data using Metrics Explorer for charting and visual correlation and Log Analytics for ad-hoc queries, trending, and pattern recognition.
Azure Monitor allows you to manage and create alerts, notifications, and actions such as runbooks and autoscale based on metrics and logs.
Integrate Azure Monitor with other tools using Event Hubs to export data or APIs for ingestion and export.
VIDEO: Metrics Advisor comes up with anomaly detection without you having to setup Machine Learning.
Load Testing Azure
HIGHLY RECOMMENDED: LAB: Become an Azure Security Center Ninja by Yuri Diogenes, Principal Program Manager at C+AI Security CxE Team at Microsoft
- Microsoft CxE (Compliance and E): Protect, Detect, Defend
LEARN: Design a holistic monitoring strategy on Azure
Azure Metrics Advisor client library samples for Java
https://github.com/Azure/Azure-Security-Center by Azure’s largest customers contains best practices and tools
More on Azure
This is one of a series on Azure:
- ci-cd (Continuous Integration and Continuous Delivery)
- User Stories for DevOps
- Git and GitHub vs File Archival
- Git Commands and Statuses
- Git Commit, Tag, Push
- Git Utilities
- Data Security GitHub
- GitHub API
- Choices for DevOps Technologies
- Pulumi Infrastructure as Code (IaC)
- Java DevOps Workflow
- AWS DevOps (CodeCommit, CodePipeline, CodeDeploy)
- AWS server deployment options
- Cloud services comparisons (across vendors)
- Cloud regions (across vendors)
- Azure Cloud Onramp (Subscriptions, Portal GUI, CLI)
- Azure Certifications
- Azure Cloud Powershell
- Bash Windows using Microsoft’s WSL (Windows Subsystem for Linux)
- Azure Networking
- Azure Storage
- Azure Compute
- Digital Ocean
- Packer automation to build Vagrant images
- Terraform multi-cloud provisioning automation
Hashicorp Vault and Consul to generate and hold secrets
- Powershell Ecosystem
- Powershell on MacOS
- Jenkins Server Setup
- Jenkins Plug-ins
- Jenkins Freestyle jobs
- Docker (Glossary, Ecosystem, Certification)
- Make Makefile for Docker
- Docker Setup and run Bash shell script
- Bash coding
- Docker Setup
- Dockerize apps
- Kubernetes Operators
- Threat Modeling
- API Management Microsoft
- Scenarios for load
- Chaos Engineering
User Defined Routes and NVA (Network V A)
Alternatives to monitoring:
- New Relic
More about Azure
This is one of a series about Azure cloud:
- Azure cloud introduction
- Azure Cloud Onramp (Subscriptions, Portal GUI, CLI)
- RDP client to access servers
- Bash Windows using Microsoft’s WSL (Windows Subsystem for Linux)
- Microsoft PowerShell ecosystem
- Azure Cloud Powershell
- PowerShell DSC (Desired State Configuration)
- PowerShell Modules
- Azure Networking
- Azure Storage
- Azure Compute
- Azure cloud DevOps
- Dockerize apps
- Kubernetes container engine
- Hashicorp Vault and Consul for keeping secrets
- Hashicorp Terraform
- Microsoft AI in Azure cloud
- Azure Monitoring
- Azure KSQL (Kusto Query Language) for Azure Monitor, etc.
- Dynatrace cloud monitoring
- Cloud Performance testing/engineering
- Cloud JMeter