4. Infrastructure: Design a holistic monitoring strategy on Azure Flashcards

1
Q

What is Azure Monitor?

A
  • Azure Monitor is a service for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments.
  • It also supports operational workflows with alerts and automated actions.
  • It enables you to create visualizations such as dashboards and reports.
2
Q

What data does Azure Monitor collect and where is the data stored?

A

Azure Monitor starts with collecting telemetry; this data includes application layer data and infrastructure performance data from VM guest operating systems and containers. Additionally, Azure Monitor collects directly from the Azure platform resources, and you can also ingest your own custom data using APIs. The collected data is stored in two centralized and fully managed data stores: Azure Monitor Metrics for numerical time-series values and Azure Monitor Log Analytics workspaces for resource logs. Metrics are automatically collected and stored for Azure resources, but user configuration is required to send and store resource logs. After the data is collected, you can choose how you consume, analyze, and respond.

3
Q

What is Azure Security Center?

A

Azure Security Center is a service that manages the security of your infrastructure from a centralized location.

4
Q

Can Security Center monitor resources in the cloud and on-premises?

A

Yes, Azure Security Center can monitor resources in the cloud as well as on-premises.

5
Q

What is Azure Sentinel?

A
  • Use Azure Sentinel to collect data on the devices, users, infrastructure, and applications across your enterprise.
  • Built-in threat intelligence for detection and investigation can help reduce false positives.
  • Use Sentinel to proactively hunt for threats and anomalies, and respond by using orchestration and automation.
6
Q

What data sources can be connected to Azure Sentinel?

A
  • Office 365
  • Azure Advanced Threat Protection
  • External sources
    - AWS CloudTrail
    - On-premises resources
7
Q

What are playbooks?

A
  • Use playbooks to automate your response to alerts in Sentinel.
  • You configure playbooks by using Azure Logic Apps.
  • Your playbook details the steps to take when an alert is triggered in Sentinel.
8
Q

What are hunting queries?

A
  • Use hunting queries to look for threats across your enterprise before alerts are raised.
  • Microsoft security researchers maintain built-in hunting queries that act as a base for you to build your own queries.
9
Q

What are notebooks?

A

Use notebooks to automate your investigations.

Notebooks are playbooks that can consist of investigation or hunting steps that you reuse or share with others.

Use Azure Notebooks for Azure Sentinel to develop and run your notebooks. For example, you might use the Guided hunting - Anomalous Office365 Exchange Sessions notebook to hunt for anomalous activities in Office 365 across your enterprise.

10
Q

What do Azure Sentinel and Azure Security Center use as their underlying data platform?

A

Azure Monitor Logs

11
Q

What are Log Analytics workspaces?

A

Azure Sentinel and Azure Security Center store their data in Log Analytics workspaces, which are centralized storage and management locations where your app, infrastructure, and security logs are collected and aggregated for analysis, troubleshooting, and auditing.

12
Q

What is Azure Monitor?

A

Microsoft Azure provides a robust alerting and monitoring solution, called Azure Monitor. You use Azure Monitor to configure notifications and alerts for your key systems and applications. These alerts will ensure that the correct team knows when a problem arises.

13
Q

Where does Azure Monitor receive data from?

A

Azure Monitor receives data from target resources like applications, operating systems, Azure resources, Azure subscriptions, and Azure tenants.

14
Q

What data types are there for Azure Monitor?

A
  • Metrics - The focus for metric-based data types is the numerical time-sensitive values that represent some aspect of the target resource.
  • Logs - The focus for log-based data types is the querying of content data held in structured, record-based log files that are relevant to the target resource.
  • Metrics and logs
15
Q

What are the 3 signal types used for creating alerts?

A

  • Metric alerts - alerts based on a metric, such as CPU % going above 95%.
  • Log alerts - alerts based on log content, such as web server logs receiving a certain number of 500 errors.
  • Activity log alerts - alerts based on a resource changing state, such as the resource being deleted.

16
Q

What 4 things comprise an alert rule?

A

  • Resource - The target resource used for the alert rule.
  • Condition - The signal type to be used to assess the rule. The signal type can be a metric, an activity log, or logs.
  • Actions - sending an email, sending an SMS message, or using a webhook.
  • Alert detail - An alert name and an alert description that should specify the alert's purpose, plus the severity of the alert if the criteria or logic test evaluates true. The five severity levels are:
    - 0: Critical
    - 1: Error
    - 2: Warning
    - 3: Informational
    - 4: Verbose