Azure Sentinel VM queries

Dartey Banahene 1 Reputation point
2021-05-06T15:57:40.76+00:00

I'm trying to understand why "some" of the default queries in Azure Sentinel don't work.

  1. We have a lot of VMs that are functioning and running
  2. Some of the queries work
  3. The ones that don't seem to be CPU usage, memory, and things of that nature.
  4. Is there some type of setup that needs to happen to pull this particular info in?
  5. Why is it that some information from the VMs comes in, like updates that are needed, etc., but not the "hardware" or "resource" based info?
  1. Clive Watson - MSFT 106 Reputation points
    2021-05-10T07:35:38.577+00:00

    To get Perf data you need to collect that from the agent, typically by going to:

    https://learn.microsoft.com/en-us/azure/azure-monitor/agents/data-sources-performance-counters

    or by enabling VM insights.

    https://learn.microsoft.com/en-us/azure/azure-monitor/vm/vminsights-overview

    This is data you wouldn't typically put in the same Workspace as Azure Sentinel for cost reasons.

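As an added example (not part of the original answer), the following KQL, run in the Logs blade of the Sentinel workspace, lists every VM whose agent is sending Heartbeat records but no Perf records in the last day, which is exactly the situation in which the built-in CPU and memory queries come back empty. It assumes only the standard Heartbeat and Perf tables that the monitoring agent populates once performance counters or VM insights are enabled.

```kusto
// Constructed diagnostic query: find VMs that are alive (Heartbeat) but
// have delivered no performance counters (Perf) in the lookback window.
let lookback = 1d;
let perfHosts =
    Perf
    | where TimeGenerated > ago(lookback)
    | summarize LastPerf = max(TimeGenerated),
                // sample of the counters each host is actually sending,
                // e.g. "Processor\% Processor Time" or "Memory\Available MBytes"
                Counters = make_set(strcat(ObjectName, "\\", CounterName), 50)
      by Computer;
Heartbeat
| where TimeGenerated > ago(lookback)
| summarize LastHeartbeat = max(TimeGenerated) by Computer, OSType
// leftouter keeps hosts with no matching Perf rows; their LastPerf is null
| join kind=leftouter perfHosts on Computer
| extend PerfStatus = iff(isnull(LastPerf), "no Perf data", "Perf data present")
| project Computer, OSType, LastHeartbeat, LastPerf, PerfStatus, Counters
| order by PerfStatus asc, Computer asc
```

Hosts listed as "no Perf data" have a working agent but no performance counter collection configured; hosts that do send Perf data but lack the Processor or Memory objects in Counters need those specific counters added to the data source.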