AZ-500 Monitoring Security with Azure Monitor
What are the steps for configuring alerts?
1) Define Alert Rule 2) Define the Action Group 3) Define Alert state to be logged
What are the steps for configuring diagnostic settings?
1) Select whether to route data for platform logs or platform metrics 2) Select the type of data category being collected 3) Select the monitoring data destination (e.g., storage account, Log Analytics workspace, or Event Hubs)
What are the 3 elements of Azure Monitor Logs Architecture?
1) Source of data from either the platform (via diagnostic settings) or the Log Analytics agent 2) Log Analytics Workspace - must be created to house all monitoring data 3) Analytics through tools such as Kusto Query Language, Workbooks, and Solutions
Which destinations can we configure a diagnostic setting to route to?
1) Storage account (retain and analyze) 2) Log Analytics workspace (powerful analytics) 3) Event Hubs (stream to external systems)
What does an alert rule use to define when an alert should occur?
1) Targeted resource (and signal) to monitor 2) The criteria/logic for the alert to be triggered
What are the key components of an Azure Monitor alert rule?
1) The (scope) resource to be monitored is the first component of an alert rule. 2) The condition (query) to be used to determine if an alert should be triggered is the second component of an alert rule. 3) The actions to be performed when an alert is triggered are the third component of an alert rule.
What are the key features of Azure Monitor Logs (aka Log Analytics)?
1) Versatile - handles a variety of monitoring data types and data sources, including Azure, on-prem and other clouds 2) Analytics capabilities for querying data through Kusto Query Language 3) Monitoring solutions supported (Azure Monitor Insights) - set of pre-packaged tools, queries, reports, visualizations
What are Activity Logs?
Activity Logs are logs of REST API write actions performed on Azure resources (retained for 90 days by default) and are part of the monitoring capabilities of Azure Monitor.
What are Azure Monitor Logs?
Azure Monitor Logs are a monitoring capability of Azure Monitor that allows us to analyze and explore verbose logging info. Azure Monitor Logs can be queried with Kusto Query Language. Also note that Azure Monitor Logs used to be called Azure Log Analytics.
What is the Action Group for alerts?
The Action Group defines the action to take place once the alert triggers (e.g., email alerts, automation runbooks).
What is the purpose of Azure Monitor?
The purpose of Azure Monitor is to provide centralized hybrid monitoring for workloads anywhere and to provide capabilities to support acting on monitoring information.
What is required to collect operating system-level logs and metrics from an Azure virtual machine?
1) An Azure Monitor agent is required to collect operating system-level logs and metrics from a virtual machine. 2) Diagnostic settings must be configured to collect operating system-level logs and metrics from a virtual machine.
The collection of specific security event IDs from Windows virtual machines can be configured using which of the following?
1) Azure Sentinel can be used to configure the collection of security events, including specific event IDs using data connectors. 2) Azure Security Center can be used to configure the collection of security events, including specific event IDs.
What are the key monitoring capabilities of Azure Monitor?
1) Metrics Explorer 2) Azure Monitor Logs (aka Azure Log Analytics) 3) Activity Logs 4) Application Insights 5) Monitoring Insights 6) Alerts and Action Groups
For Azure Monitor Logs, where does source data typically originate from?
1) Platform (via diagnostic settings) 2) Log Analytics agent
A diagnostic setting can be configured to route data for ____?
1) Platform logs (resource or Activity Log) OR 2) Platform metrics
What is Metrics Explorer?
Metrics Explorer is a monitoring capability of Azure Monitor that allows us to view and graph small, time-based data (e.g., CPU or memory utilization).