Azure Sentinel VM queries

asked 2021-05-06T15:57:40.76+00:00
Dartey Banahene 1 Reputation point

I'm trying to understand why "some" of the default queries in Azure Sentinel don't work.

  1. We have a lot of VMs that are functioning and running
  2. Some of the queries work
  3. The ones that don't seem to be CPU Usage, Memory, things of that nature.
  4. Is there some type of setup that needs to happen to pull this particular info in?
  5. Why is it that some information from the VMs comes in, like updates that are needed etc., but not the "Hardware" or "Resource" based info?

1 answer

  1. answered 2021-05-10T07:35:38.577+00:00
    Clive Watson - MSFT 106 Reputation points

    To get Perf data you need to collect that from the agent, typically by going to:

    https://learn.microsoft.com/en-us/azure/azure-monitor/agents/data-sources-performance-counters

    or by enabling VM insights.

    https://learn.microsoft.com/en-us/azure/azure-monitor/vm/vminsights-overview

    This is data you wouldn't typically put in the same Workspace as Azure Sentinel for cost reasons.

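A diagnostic KQL query for checking the situation described above, added here as an example and not part of the original answer: it lists every VM that is heartbeating into the workspace and shows how many Perf records and distinct counters each one has sent. It assumes only the standard Log Analytics `Heartbeat` and `Perf` tables; VMs with zero Perf records are the ones where performance counters or VM insights have not yet been enabled.

```kusto
// Added example query (not from the original answer).
// Assumes the standard Log Analytics schema: Heartbeat and Perf tables.
let window = 24h;
// Every computer whose agent has checked in during the window.
let reporting = Heartbeat
    | where TimeGenerated > ago(window)
    | summarize LastHeartbeat = max(TimeGenerated) by Computer;
// Every computer that has actually sent performance counter data.
let withPerf = Perf
    | where TimeGenerated > ago(window)
    | summarize PerfRecords = count(), Counters = dcount(CounterName) by Computer;
reporting
| join kind=leftouter withPerf on Computer
// Computers with no Perf rows come back as empty values; show them as 0.
| extend PerfRecords = coalesce(PerfRecords, 0), Counters = coalesce(Counters, 0)
| project Computer, LastHeartbeat, PerfRecords, Counters
// Machines missing Perf data sort to the top.
| order by PerfRecords asc
```

Rows with `PerfRecords == 0` explain why CPU and memory queries return nothing for those machines even though update data (which comes from a different solution) still arrives.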