Azure Administrator Part 6
Azure Monitor
- A service for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments - It helps you maximize the availability and performance of your applications and services - Enables you to detect and diagnose application, infrastructure, and platform issues - You can analyze metrics and logs from monitored resources, and it also supports operational workflows with alerts and automated actions, and enables you to create visualizations such as dashboards and reports - Starts with collecting telemetry; this data includes application layer data and infrastructure performance data from VM guest operating systems and containers - Collects directly from the Azure platform resources, and you can also ingest your own custom data using APIs - The collected data is stored in two centralized and fully managed data stores, Azure Monitor Metrics for numerical time-series values and Azure Monitor Log Analytics workspaces for resource logs - Metrics are automatically collected and stored for Azure resources, but user configuration is required to send and store resource logs - After the data is collected, you can choose how you consume, analyze, and respond - In most cases, you should start with Insights, which are guided monitoring and troubleshooting experiences for Azure resources - You may also visualize the data yourself with Azure dashboards in the portal, create business views with Power BI, or create interactive reports using workbooks - Use Azure Monitor for a detailed view of your application's health, along with the health of your infrastructure, on a single screen - You can further analyze the collected data using Metrics Explorer for charting and visual correlation and Log Analytics for ad hoc queries, trending, and pattern recognition - Enables you to manage and create alerts, notifications, and actions such as runbooks and autoscale based on metrics and logs - It's also possible to integrate this with other tools using Event Hubs to export data or APIs for ingestion and export - Collects two fundamental types of data: metrics and logs
Azure Security Center
- A service that manages the security of your infrastructure from a centralized location - Ensures that you are making the security configuration of your resources as secure as possible - Monitors the security of your workloads, whether they're on-premises or in the cloud - Attacks are becoming more intelligent, and the number of people with the right security skills is low; Security Center helps you deal with these challenges because it provides you with tools that improve your protection against security threats - Monitors the health of your resources and implements recommendations - Natively integrated with other Azure services, such as PaaS services like Azure SQL Database - For IaaS services, enable automatic provisioning in Security Center - Installs an agent on each supported virtual machine as it's created, and then automatically starts collecting data from the machine > This reduces the complexity of configuring security - Gives detailed analyses of different components of your environment, including data security, network security, identity and access, and application security, to help you understand the security of your architecture so that you can build and maintain better infrastructures - Collects data from your machines to monitor for security vulnerabilities and threats using Azure Monitor Logs - Data is collected using the Log Analytics agent, which reads various security-related configurations and event logs from the machine, and copies the data to your Log Analytics workspace for analysis
Composition of an activity log alert
- Activity log alerts will monitor events only in the subscription where the log alert was created - Activity log alerts are based on events - The best approach for defining them is to use Azure Monitor to filter all the events in your subscription until you find the one that you want - Activity log alerts have their own attributes: > Category: Administrative, service health, autoscale, policy, or recommendation > Scope: Resource level, resource group level, or subscription level > Resource group: Where the alert rule is saved > Resource type: Namespace for the target of the alert > Operation name > Level: Verbose, informational, warning, error, or critical > Status: Started, failed, or succeeded > Event initiated by: Email address or Azure Active Directory identifier (known as the "caller") for the user
Application Insights
- An Azure service that helps you to monitor the performance and behavior of web applications - An extensible Application Performance Management (APM) service for developers and DevOps professionals - Monitors live web applications and you can enable it for many Azure App Service web apps without modifying any of the app's code - Works for apps on a wide variety of platforms including .NET, Node.js, Java, and Python hosted on-premises, hybrid, or any public cloud - It mostly captures two kinds of data: events and metrics
Smart groups
- An automatic feature of Azure Monitor - By using machine learning algorithms, Azure Monitor joins alerts based on repeat occurrence or similarity - Enable you to address a group of alerts instead of each alert individually - The name of a smart group (its taxonomy) is assigned automatically and is the name of the first alert in the group - It's important to assign meaningful names to each alert that you create, because the name of the smart group can't be changed or amended
Azure Monitor Application Insights usages
- Analyze and address issues and problems that affect your application's health and performance - Improve your application's development lifecycle - Measure your user experience, and analyze users' behavior
Application Insights resources
- Application Insights is represented in Azure as a resource deployed to one of your subscriptions - Each Application Insights resource you create is a repository for application telemetry data - It includes the various displays and configuration tools that you can view from the Azure portal - To send telemetry data to an Application Insights resource from an app, you need to configure the app with the instrumentation key of the Application Insights resource - After the resource starts to receive telemetry data, you can use the Azure portal to explore and analyze it
Specific operations
- Apply to resources within your Azure subscription, and often have a scope with specific resources or a resource group - You use this type when you need to receive an alert that reports a change to an aspect of your subscription - E.g. You can receive an alert if a VM is deleted or new roles are assigned to a user
Kusto syntax and operators
- At its core, a Kusto query is a read-only request that processes data and returns results - The request comes back in plain text, which makes the data easy to read - Each query uses schema entities that are organized into a hierarchy similar to SQL: databases, tables, and columns - Broadly similar to Splunk queries in terms of syntax - Tabular operators will predominantly be the way you interact with and query monitoring data > Tabular operators such as count, distinct, evaluate, join, limit, and project are all relevant in formulating queries - Since KQL was originally written for Azure Data Explorer, there are a number of additional ways to manipulate data that are outside the scope of this Learn module - KQL is case sensitive
Relationship between all the Azure native monitoring tools
- Azure Monitor is the service at the top, spanning all the monitoring tools, while everything else lives underneath it and collects and analyzes data generated from Azure resources - Azure Monitor captures monitoring data from the following sources: > Application > Guest OS > Azure resources > Azure subscriptions > Azure tenant
Scale metric alerts
- Azure Monitor supports the creation of metric alerts that, like dimensions, monitor multiple resources - Scaling is currently limited to Azure virtual machines, but a single metric alert can monitor resources in one Azure region - Creating scaling metric alert rules to monitor multiple resources is no different than creating any other metric alert rule
Static threshold metric alerts
- Based on simple static conditions and thresholds that you define - You specify the threshold that will be used to trigger the alert or notification
Log alerts
- Based on things written to log files - E.g. This can notify you when a web server has returned a number of 404 or 500 responses
Client-side instrumentation
- Captures information about the user experience of the app, including page load times, details of browser exceptions, and performance data about AJAX calls - You can enable this for an app by including a standard Application Insights JavaScript library in pages delivered to your app's users - You can configure Azure App Service web apps to automatically inject the client SDK and capture many client-side metrics - Enables displays like usage analysis
Azure Monitor Logs
- Collects and organizes log data generated from Azure resources - Log data is stored in a Log Analytics workspace, and data living in the workspace can be queried for trend analysis, reporting, and alerting > E.g. Windows event logs, Heartbeat logs, performance data, and Syslogs - Several Azure services use this to store data and use the Kusto Query Language (KQL) to extract data - Based on Azure Data Explorer
Number of records
- Consider using this type of log search when you're working with an event or event-driven data > E.g. syslog and web app responses - This type of log search returns a single alert when the number of records in a search result reaches or exceeds the value for the number of records (threshold) > E.g. When the threshold for the search rule is greater or equal to five, the query results have to return five or more rows of data before the alert is triggered
Logs
- Contain time-stamped information about changes made to resources - The type of information recorded varies by log source - The data is organized into records, with different sets of properties for each type of record - Can include numeric values such as Azure Monitor metrics, but most include text data rather than numeric values - The most common type of log entry records an event, which can occur sporadically rather than at fixed intervals or according to a schedule > Events are created by applications and services, which provide the context for the events - You can store metric data in logs to combine them with other monitoring data for analysis
Diagnostic data case studies
- DDoS attack > You don't have to install the Azure Diagnostics extension to be alerted about DDoS attacks > The alert is on the public IP address resource, not the VM - Increased CPU load > Monitor CPU activity and memory availability to see if you need to scale up your web server > To respond to a high load, you can create an alert rule for the virtual machine with a condition for the CPU metric (E.g. You might monitor to see if the average value over any 15 minutes is higher than 85 percent)
Build-time instrumentation
- Developers add a server-side SDK to the web app's code - E.g. In an ASP.NET Core app, a developer could reference a NuGet package to access the SDK - When you instrument your app with the Application Insights SDK, you can enable full functionality and the richest set of visualizations in Application Insights - This type of instrumentation also enables you to add custom events and telemetry to your code to monitor unusual or unique behavior
Why monitor your applications
- Different kinds of issues can affect your infrastructure, such as performance issues, or problems that could render your services unreachable or your entire infrastructure unavailable > Any of these issues can result in decreased productivity, financial loss, or damage to your organization's reputation - You want to deal with any issues that arise in a timely and effective way by configuring alerts on your infrastructure to monitor for various issues - Examples: > Resource utilization of your infrastructure > Availability and health of your infrastructure > Occurrence of a specific event at the operating system level - You'll also want to use the data for operational analysis and capacity planning
Dimensions
- Enable monitoring data to be supplied from multiple target instances - Used to define one metric alert rule, and have it applied to multiple related instances - E.g. You can monitor CPU utilization across all the servers running your app, and then receive an individual notification for each server instance when the rule conditions are triggered
Extend the data that Azure Monitor collects
- Enabling diagnostics: > For some resources, such as Azure SQL Database, you receive full information about a resource only after you have enabled diagnostic logging for it > You can use the Azure portal, the Azure CLI, or PowerShell to enable diagnostics - Adding an agent: > For virtual machines, you can install the Log Analytics agent and configure it to send data to a Log Analytics workspace > This agent increases the amount of information that's sent to Azure Monitor
Azure Sentinel usages
- Get a detailed overview of your organization, potentially across multiple clouds and on-premises locations - Avoid reliance on complex and disparate tools - Use enterprise-grade AI, built by experts, to identify and handle threats across your organization
Why monitor your Azure platform resources
- In addition to monitoring your deployed applications and infrastructure resources, you should also use Azure's built-in capabilities to monitor your Azure platform resources > Azure resources such as Storage Accounts, Key Vaults, Cosmos DBs all have performance metrics and resource logs that can be viewed and analyzed to track performance and availability > Additionally, many Azure resources have dedicated Insights that offer pre-defined monitoring experiences across multiple subscriptions, resource groups and resources for the specific resource type > A full stack monitoring solution includes visibility into Azure platform resources on which your application and infrastructure depend
Events
- Individual data points that can represent any kind of event that occurs in an app - Can be technical events that occur within the application runtime or those that are related to the business domain of the application or actions taken by users
Why perform security monitoring
- It is essential to monitor the security of your applications and infrastructure to ensure that they always remain protected and available - For example, you should monitor and alert on: > Risks to the security of your infrastructure, such as suspicious user accounts or malicious IP addresses > Data exfiltration - Your security monitoring solution should include strong automated anomaly detection and event management to combine multiple related events into a single actionable alert
Azure Monitor Metrics
- Lightweight numerical values stored in a time-series database that can be used for near real time alerting - E.g. IOPS percentages and CPU cycles
Application Insights visualizations
- Live metrics streams: Charts that display performance values as they vary in near-real time - Metrics explorer: Tool that shows how metrics vary over time - Alerts: Messages automatically sent to app admins when target metrics exceed specified thresholds, and can be used to ensure your team is aware of critical issues immediately - Profiler: Shows how a set of requests, like those for a single web page, were delivered (e.g. you can use these profiles to see which page elements load slowly) - Application Map: Displays the components of an application and how they link to each other, and you can use the data shown with each component to diagnose performance bottlenecks and failure hotspots - Usage analysis: Information about your app's users (e.g. you can see numbers of unique users and sessions and information about user retention)
When to use log alerts
- Log alerts use log data to assess the rule logic and, if necessary, trigger an alert - This data can come from any Azure resource: server logs, application server logs, or application logs - By its nature, log data is historical, so usage is focused on analytics and trends - E.g. You use these types of logs to assess whether any of your servers have exceeded a given CPU utilization threshold during the last 30 minutes, or to evaluate the response codes issued by your web application server in the last hour
Composition of log search rules
- Log query: Query that runs every time the alert rule fires - Time period: Time range for the query - Frequency: How often the query should run - Threshold: Trigger point for an alert to be created
Alert states in the resolution process
- New: The issue has been detected, but not yet reviewed - Acknowledged: An admin has reviewed the alert, and is working on it - Closed: When the issue is resolved
Activity log alerts
- Notify you when Azure resources change state - E.g. This alert can notify you when a resource is deleted
Azure metrics
- Numerical values available from the Azure portal that help you understand the health, operation, and performance of your VMs - Complement boot diagnostics, which can display a screenshot of the boot sequence of the VM, and you can view the serial log - Azure captures all these metrics without installing extensions on the VM - You do need to create a storage account to store the boot diagnostics data, boot screenshots, and logs
Metrics
- Numerical values that help you understand the health, operation, and performance of your VMs - For Azure VMs, by default you can get data like: > CPU usage > Network traffic > OS disk usage > Boot success - When enabled, you can: > Know when your VMs are reaching their disk and CPU limits > Detect trends > Control your operational costs by sizing according to usage and demand - Azure Monitor can capture metrics in near real time > The metrics are collected at regular intervals and are useful for alerting because of their frequent sampling - You can use a variety of algorithms to compare a metric to other metrics and observe trends over time - Stored in a time-series database; this data store is most effective for analyzing time-stamped data - Suited for alerting and fast detection of issues - They can tell you about system performance and, if needed, you can combine them with logs to identify the root cause of issues
Metric measurement
- Offer the same basic functionality as metric alerts - Unlike number-of-records log searches, these log searches require additional criteria to be set: > Aggregate function: The calculation that will be made against the result data (e.g. count, average) > Group field: A field by which the result will be grouped; this criterion is used in conjunction with the aggregated value (e.g. you might specify that you want the average grouped by computer) > Interval: The time interval by which data is aggregated (e.g. if you specify 10 minutes, an alert record is created for each aggregated block of 10 minutes) > Threshold: A point defined by an aggregated value and the total number of breaches - Consider using this type of alert when you need to add a level of tolerance to the results found - One use for this type of alert is to respond if a particular trend or pattern is found > E.g. if the number of breaches is five, and any server in your group exceeds 85 percent CPU utilization more than five times within the given time period, an alert is fired - Metric measurements greatly reduce the volume of alerts that are produced, but give careful consideration to the threshold parameters you set, to avoid missing critical alerts
Metric alerts
- Provide an alert trigger when a specified threshold is exceeded - E.g. This alert can notify you when CPU usage is greater than 95 percent
Platform logs
- Provide comprehensive diagnostic and auditing information for Azure resources and the underlying Azure platform - Are resource logs (formerly known as diagnostic logs), activity logs, and Azure Active Directory logs - All resources automatically generate platform logs - Administrators might need to configure certain platform logs to be forwarded to one or more destinations (like Log Analytics) in order to be kept
Composition of an alert rule
- RESOURCE > The target resource to be used for the alert rule > It's possible to assign multiple target resources to a single alert rule > The type of resource will define the available signal types - CONDITION > The signal type to be used to assess the rule can be a metric, an activity log, or logs > The alert logic applied to the data that's supplied via the signal type > The structure of the alert logic will change depending on the signal type - ACTIONS > The action, like sending an email, sending an SMS message, or using a webhook > An action group, which typically contains a unique set of recipients for the action - ALERT DETAILS > An alert name and an alert description that should specify the alert's purpose > The severity of the alert if the criteria or logic test evaluates true
Web app requirements
- Runtime instrumentation and automatic client-side instrumentation is supported only on Windows web apps - These features rely on capabilities of IIS, the web server technology that powers Windows apps on App Service - The use of Application Insights in Linux apps is fully supported, but you need to modify application code to reference the Application Insights SDK
Smart group states
- Smart groups, like regular alerts, have their own state which shows the progress of the smart group in the resolution process - Changing the state of a smart group doesn't alter the state of the individual alerts - States: > New: The smart group has been created with a collection of alerts, but it hasn't yet been addressed > Acknowledged: When an admin starts the resolution process, they change the state to this > Closed: When the source of the alert is fixed, the admin changes the state to this
Filtering alerts
- Smart groups: You can select this filter if it's enabled - Resource type: Applies only when it's used with a resource group - Resource: Applies only when a resource type has been specified - Severity: Identifies the severity assigned by the alert rule - Monitor condition: Set by the system and indicates if the alert is fired or resolved - Alert state: Typically, finds the New and Acknowledged alerts
When to use smart groups
- Think of smart groups as a dynamic filter applied to all the alerts in Azure Monitor - The machine learning algorithm in Azure Monitor joins alerts based on information, such as historical patterns, similar properties, or structure - Using smart groups can reduce alert noise by more than 90 percent
Azure Diagnostics extension and Log Analytics agent
- Installed directly on the VM to get a full set of metrics - Usages: > You can access near real-time metric alerts > Investigate boot issues with enhanced boot diagnostics > Archive logs and metrics for future analysis > Autoscale virtual machine scale sets, depending on VM performance > Get app-level metrics by using Application Insights > Automate OS updates > Track VM configuration changes over time
Azure Security Center usages
- Understand the security posture of your architecture - Identify and address risks and threats to your infrastructure - Don't have the traditional in-house skills and capital needed to secure a complex infrastructure - Secure an infrastructure that consists of on-premises and cloud resources
Dynamic threshold metric alerts
- Use machine learning tools that Azure provides to automatically improve the accuracy of the thresholds defined by the initial rule - There's no hard threshold in dynamic metric alerts, but you'll need to define two more parameters: > Look-back period: Defines how many previous periods need to be evaluated > Number of violations: Expresses how many times the logic condition has to deviate from the expected behavior before the alert rule fires a notification
Azure Sentinel
- Used to collect data on the devices, users, infrastructure, and applications across your enterprise - Built-in threat intelligence for detection and investigation can help reduce false positives - Used to proactively hunt for threats and anomalies, and respond by using orchestration and automation - You connect your data sources to Sentinel, which include Microsoft services such as Office 365 and Azure Advanced Threat Protection, as well as external solutions, such as AWS CloudTrail or on-premises sources - This and Azure Security Center use Azure Monitor Logs as their underlying logging data platform > These security solutions store their data in Log Analytics workspaces, which are centralized storage and management locations where your app, infrastructure, and security logs are collected and aggregated for analysis, troubleshooting, and auditing > This centralized approach enables you to perform correlation and run investigations across application performance, infrastructure performance, and security logs within the same data analytics service with a single user interface using the same query language
Kusto Query language
- Used to query log information for your services running in Azure - To retrieve, consolidate, and analyze data, you specify a query to run in Azure Monitor logs - You write a log query with the Kusto query language, which is also used by Azure Data Explorer - Log queries can be tested in the Azure portal so you can work with them interactively > You typically start with basic queries and then progress to more advanced functions as your requirements become more complex - In the Azure portal, you can create custom dashboards, which are targeted displays of resources and data > Azure Monitor provides tiles that you can add to dashboards > By using Azure dashboards, you can combine various kinds of data, including both logs and metrics, into a single pane in the Azure portal
Azure Monitor container insights usages
- View the health and performance of your Kubernetes workloads at scale across multiple subscriptions and resource groups - Want visibility into memory and processor performance metrics from controllers, nodes, and containers - Want to view and store container logs for real-time and historical analysis
Azure Monitor VM insights usages
- View the health and performance of your VMs - Monitor your VMs at scale across multiple subscriptions and resource groups - Want a topology view that shows the processes and network connection details of your VMs and scale sets
Actions when an alert happens
- When any event is triggered, you can create an associated action in an action group - You can run one or more actions for each triggered alert - Available actions: > Send an email > Send an SMS message > Create an Azure app push notification > Make a voice call to a number > Call an Azure function > Trigger a logic app > Send a notification to a webhook > Create an ITSM ticket > Use a runbook (to restart a VM, or scale a VM up or down) - You can also reuse action groups on multiple alerts after you've created them > E.g. After you've created an action to email your company's operations team, you can add that action group to all the service health events - You can add or create action groups at the same time that you create your alert - You can also edit an existing alert to add an action group after you've created it
Managing alert rules
- With Azure Monitor, you can specify one or more alert rules, and enable or disable them, as needed > You would use Azure Monitor to enable tightly-focused and specific alerts before any application change; then you would disable the alerts after a successful deployment
When to use metric alerts
- You can use metric alerts to achieve regular threshold monitoring of Azure resources - When the evaluation is true, Azure Monitor sends a notification - Metric alerts are stateful, and Azure Monitor will send a notification only when the prerequisite conditions are met - Metric alerts can be useful if, for instance, you need to know when your server CPU utilization is reaching a critical threshold of 90 percent > You can be alerted when your database storage is getting too low, or when network latency is about to reach unacceptable levels
c. Create a workspace, and then add that workspace to Azure Sentinel.
How do you set up Azure Sentinel on Azure? a. Create an Azure Sentinel instance, and then add Azure Sentinel to a workspace. b. Connect your data source, create a workspace, and then add Azure Sentinel to that workspace. c. Create a workspace, and then add that workspace to Azure Sentinel.
a. Azure Monitor organizes log data into tables.
How does Azure Monitor organize log data for queries? a. Azure Monitor organizes log data into tables. b. Azure Monitor organizes log data into tabular operators. c. Azure Monitor organizes log data into the Kusto Query Language.
Metric alert condition types
- Static threshold metric alerts - Dynamic threshold metric alerts
b. A series of tables logically grouped together, which allow for an easy understanding behind how Log Analytics stores logs
What is the schema? a. Azure Data Explorer b. A series of tables logically grouped together, which allow for an easy understanding behind how Log Analytics stores logs c. Metrics
a. Metrics and logs
What two fundamental types of data does Azure Monitor collect? a. Metrics and logs b. Username and password c. Email notifications and errors
c. Resource, condition, actions, alert details
What's the composition of an alert rule? a. Resource, condition, log, alert type b. Metrics, logs, application, operating system c. Resource, condition, actions, alert details
Azure Monitor Insights usage
When you want to monitor resource utilization and performance at-scale with guided troubleshooting to triage and isolate issues
c. Azure Monitor virtual machine insights
Where can IT Operations teams find a topology view with network connection details of their VMs and scale sets? a. Azure Dashboards b. Azure Monitor Metrics Explorer c. Azure Monitor virtual machine insights
c. During development and while in production
Where should DevOps teams implement application monitoring to improve application health and performance? a. During development only b. In production only c. During development and while in production
b. Resource-context
You start out by talking to individual business units about monitoring wants and needs at the start of your assignment. You determine each business unit only needs to query logs generated from their resources. Which access model would you select for your Log Analytics deployment? a. Workspace-context b. Resource-context c. Table-level RBAC
a. View the metrics for the virtual machine on the Overview page and set the range to the last seven days.
You want to track the average CPU usage of your Azure virtual machine over the last seven days. What is the most straightforward way to do this? a. View the metrics for the virtual machine on the Overview page and set the range to the last seven days. b. View the metrics for the virtual machine each day and store the values for each of the last seven days in a spreadsheet. c. View the metric in the Monitor section by creating a graph and set the range to the last seven days.
a. Failed
Which of the following is NOT a state of a smart group alert? a. Failed b. New c. Acknowledged d. Closed
b. HTTP response records
Which of the following is an example of a log data type? a. Percentage of CPU over time b. HTTP response records c. Database tables d. Website requests per hour
c. Use playbooks to automate your response to alerts.
Which tool allows you to automate your responses to alerts? a. Use just-in-time access to automate your response to alerts. b. Use adaptive controls to automate your response to alerts. c. Use playbooks to automate your response to alerts.
c. You want to analyze and address problems that affect your application's health.
Why would you use Azure Application Insights? a. You want to analyze and address problems that affect your cloud infrastructure's security. b. You want to analyze and address problems that affect your on-premises infrastructure's security. c. You want to analyze and address problems that affect your application's health.
a. You want to secure an infrastructure that consists of on-premises and cloud resources.
Why would you use Azure Security Center? a. You want to secure an infrastructure that consists of on-premises and cloud resources. b. You want to secure an infrastructure that consists of only cloud resources. c. You want to secure an infrastructure that consists of only on-premises resources.
b. You want a detailed overview of your enterprise, potentially across multiple clouds, and on-premises locations.
Why would you use Azure Sentinel? a. You want to improve the development lifecycle for an application that spans across on-premises and the cloud. b. You want a detailed overview of your enterprise, potentially across multiple clouds, and on-premises locations. c. You want to be able to cross-query over data collected from multiple sources that span on-premises and the cloud.
Runtime instrumentation
- Captures telemetry without requiring you to change the web app's source code - Use this method when you want to set up Application Insights without involving developers or when code management policies prevent you from changing the app's source code - Note that some advanced data displays aren't available when you use only runtime instrumentation
Full stack monitoring
- A complete approach to the monitoring, triage, and diagnosis of application, infrastructure, and security issues that includes telemetry collection, tracking key performance indicators, and the capability to isolate problems and perform root cause analysis - Your applications and the infrastructure might face different kinds of potentially damaging issues, such as poor response times, changing usage rates, exceptions, and security risks > Your response must be appropriate to the kind of issue (e.g. scaling up capacity to meet increased load) - By monitoring your applications and infrastructure with this approach, you respond to changes and issues appropriately and on time - Over time, your organization will become more productive, cost-effective, secure, and competitive - Taking a full stack approach to monitoring your applications and infrastructure in this way helps you respond appropriately and more effectively to issues - It also helps you gain situational awareness, and you'll learn from the issues that affect your environment, so you can strengthen your protection and build improved applications and infrastructure
Azure Monitor for VMs
- A feature of Azure Monitor that relies on Azure Monitor Logs - Provides a predefined, curated monitoring experience, with little configuration required - Uses a table named InsightsMetrics > Administrators can query performance and usage for virtual machines in near real time by using that table - Administrators can also use Azure Monitor for VMs to process log data without exposing the underlying queries
Kusto query
- A read-only request to process data and return results - You state the query in plain text, using a data-flow model that's designed to make the syntax easy to read, write, and automate - The query uses schema entities that are organized in a hierarchy similar to that of Azure SQL Database: databases, tables, and columns - Consists of a sequence of query statements, delimited by a semicolon (;) - At least one statement is a tabular expression statement, which returns its results arranged as a table of columns and rows
Schema
- A series of tables logically grouped together - Makes it easy to understand how Log Analytics stores data - Displays on the schema pane located on the far left of a Log Analytics workspace - Helpful when you craft queries - You don't have to build a query from scratch, because you're able to: > Identify a table as a favorite > Change scopes so you only see the relevant tables for the resources you select > Display metadata to easily find what you need
Log Analytics workspaces
- Containers where Azure Monitor data is collected, aggregated, and analyzed - Provide different levels of access control for the collected logs - Azure Security Center, Azure Sentinel, and Azure Monitor Application Insights all use this to store and query logs - The equivalent of a database inside Azure Data Explorer
Azure Monitor Metrics vs. Azure Monitor Logs
- The structure of the data generated > Azure Monitor Metrics only stores numeric data using a specific structure > Azure Monitor Logs can store Azure Monitor Metrics data and a variety of other data types, each using its own structure
Stateless nature of log alerts
A log alert will generate new alerts every time the rule criteria are triggered, regardless of whether the alert was previously recorded
Log queries can be used in the following areas
- Alert rules - Dashboards - Export - PowerShell - Azure Monitor Logs API
Azure Diagnostics extension
Allows you to collect real-time performance metrics from the guest operating system, along with log events, and store the results in an Azure storage account
Types of activity log alerts
- Specific operations - Service health events
a. Azure Monitor Insights
Which Azure capability offers operations teams a pre-defined monitoring experience across multiple resources? a. Azure Monitor Insights b. Key Vaults c. Azure Monitor Logs
b. Azure Sentinel
Which Azure service incorporates threat intelligence for detection and investigation in their enterprise environment? a. Azure Monitor b. Azure Sentinel c. Azure Monitor Application Insights
Playbooks
Can help you automatically respond to threats in Sentinel
Action groups
Enable you to define actions that will be run
Instrumentation
Enabling the collection of monitoring data from your app by using an agent or an SDK
c. Automatically, using machine learning algorithms.
How are smart groups created? a. Through a template deployment. b. Through the Azure CLI. c. Automatically, using machine learning algorithms.
a. Use availability tests to continuously monitor your application from different geographic locations.
How can you continuously monitor your applications from different geographic locations? a. Use availability tests to continuously monitor your application from different geographic locations. b. Use an instrumentation key to continuously monitor your application from different geographic locations. c. Use Log Analytics to continuously monitor your application from different geographic locations.
b. Use just-in-time access to prevent persistent access.
How can you prevent persistent access to your virtual machines by using Azure Security Center? a. Use playbooks to block access. b. Use just-in-time access to prevent persistent access. c. Use automation and orchestration to block access.
Service health events
Include notice of incidents and maintenance of target resources
Signal types that can be used to monitor environment
- Metric alerts - Activity log alerts - Log alerts
Scope of alert rules
- Metric values - Log search queries - Activity log events - Health of the underlying Azure platform - Tests for website availability
Types of log search results
- Number of records - Metric measurement
Ways to configure your app to send data to Application Insights
- Runtime instrumentation - Build-time instrumentation
b. Use the investigation map, drill down into the incident, and look for user entities affected by the alert.
Sentinel has raised an incident. How can you investigate which users have been affected? a. Use the investigation map, drill down into the incident, and look for data sources. b. Use the investigation map, drill down into the incident, and look for user entities affected by the alert. c. Use the investigation map, drill down into the incident, and look for playbooks.
When to use activity log alerts
Typically, you create this type of alert to receive notifications when specific changes occur on a resource within your Azure subscription
b. User behavior and usage patterns for your application
What aspect of application performance can be monitored by DevOps teams when using Azure Monitor Application Insights? a. Key Vault latency b. User behavior and usage patterns for your application c. Types of network delay
a. Data from a variety of sources, such as the application event log, the operating system (Windows and Linux), Azure resources, and custom data sources
What data does Azure Monitor collect? a. Data from a variety of sources, such as the application event log, the operating system (Windows and Linux), Azure resources, and custom data sources b. Azure billing details c. Backups of database transaction logs
c. An Azure storage account.
What do you have to install or create to store simple boot diagnostics in Azure? a. Install the Azure Diagnostics extension. b. You don't have to install or create anything additional to store diagnostic logs in Azure. c. An Azure storage account.
c. Provides access to log data without exposing the user to underlying queries
What does Azure Monitor for VMs provide? a. Provides insight into operations performed on Azure resources. b. Provides access to create, read, update, and delete (CRUD) events. c. Provides access to log data without exposing the user to underlying queries
b. Azure Monitor Logs
What is the shared underlying logging data platform for Azure Sentinel and Azure Security Center? a. Diagnostic Setting b. Azure Monitor Logs c. Activity Logs