A customer has asked we start tracking user and administration actions on our website for security purposes.
e.g. AdminUser {id: 3} impersonated user {id: 5} on 2015-08-04T12:00:00
The thought was we would publish that data using the Application Insights SDK. Our customer would then be able to monitor these events through the Azure portal.
Given the data retention policies of Application Insights, we would enable Continuous Export of data to table storage if a forensic analysis needed to be conducted past the 30 day cut-off.
Are there any obvious red flags to using Application Insights to provide visibility into these security details?
No, that should just work.
Here is how you create events: https://azure.microsoft.com/en-us/documentation/articles/app-insights-api-custom-events-metrics/
Note that if you also want to add custom properties to events there is a limit on number of unique property names per application. Currently it is 200 but that may decrease in the future.
Related
I have created a bot using azure services i wanted to monitor my active session and number of users to provide a better experience for the user.
It depends on how granular (and how live) you want to go. Application insights is where you want to look. If you set your bot up with AppInsights, you will get the Analytics blade on your bot. This, at the very least, will show you # users, channels being used and retention of users.
If you want more than that, I would ensure your app service code (bot) is setup to use AppInsights as well. Please find more information here.
I want to monitor their on-premise AD infrastructure with Azure Monitor and want to monitor and generate reports on these metrics
a. Details of disabled users currently in in AD
b. Users with password not required
c. Users with password never expiry
d. Users with “Kerberos pre-authentication disabled”
e. Users not logged on for last 90 days
f. Stale computers/Computers inactive for last 90 days
g. Objects trusted to authenticate for delegation
h. Uptime of AD infra (average uptime of all domain controllers)
Does Active Directory health check solution on Log Analytics meets all these expectations?
I don't think the AD Health check solution (which is more of an AD assessment) can help with all of your above tasks.
From what I know, this solution consists of "several health check assessments which run on regular intervals in domain controllers to identify issues and risks and provide recommendations to improve the existing infrastructure up to Microsoft best practices.", as described in this community article.
Possible solution:
If you know where to get all this information from Event Viewer or other log file on the system, you can use the Azure Monitoring Agent or the Log Analytics agent (MMA) to monitor specific events or specific log records/lines from various custom logs on the server.
AMA Agent = https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-overview?tabs=PowerShellWindows
Data collection for specific events = https://learn.microsoft.com/en-us/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent
If you prefer the classic MMA agent (which will be replaced by the AMA agent above in about 2 years), you can look here:
MMA Agent = https://learn.microsoft.com/en-us/azure/azure-monitor/agents/log-analytics-agent
Custom Log collection = https://learn.microsoft.com/en-us/azure/azure-monitor/agents/data-sources-custom-logs
I want to send an alert to application Insight specific user/users(Other then subscription administrator) when daily data volume limit is reached in application Insight.
The current answer: "Not right now"
From the team that owns this functionality:
We will be making this a proper metric that customers can use as a regular metric, then they can do any metric alerts and other scenarios they want to do (including SMS, etc.)
It’s on the backlog to fix this experience correctly.
so right now, no you can't alert on it.
subscription admins should be getting an email when you hit the cap, and if you go to the activity log for that application insights resource, you should be able to see an operational event for it:
Im trying to setup health check alerts for critical functionality across my site. So for things like registrations, payments and critical emails I have started logging custom event telemetry using the telemetry client like so:
var tc = new TelemetryClient();
tc.TrackEvent(emailType.ToString());
This is currently working great and im able to create an Application Insights analytics dashboard out of this data, which form the basis of my alerts.
From the portal i have now started creating alerts on which the criteria is a custom log search (Azure Portal > Application Insights > Alerts > Add New Rule > Add Criteria), shown below:
The problem is the period has a max length of 24 hours which means for an event that fires in-frequently (lets say once over the cource of a week). We would get false alerts on a daily basis.
Question is how can I setup alerting in application insights for events like these?
I prefer if the solution does not require additional webjobs or code crunching numbers to figure out if thresholds are not met, as i feel an alerting system should have as little moving parts as possible.
Update 1
After having contacted Microsoft's alert feedback group they have extended the period dropdown to 48 Hours, however this is still inadequate for my usecase.
I have tried seeking alternative tools like Grafana (with and app insights plugins). However sadly that particular plugin does not support alerting (whilst Grafana does).
In my company we have one Azure subscription and there are two or three users which are added on the same subscription and have right to create any resource on Azure.
Now since three users are working on same subscription and they are independently creating resources, I want to keep track or see which user created what resource on the same subscription.
Please let me know is there any way to see this tracking/activity details corresponding to the user.
Currently all users have administrator role/permission.
You are looking for the Activity Log:
The Azure Activity Log is a log that provides insight into the
operations that were performed on resources in your subscription
The Activity Logs provides customers a Portal and REST API experience to see who performed what management operations (PUT/DELET/POST) through Azure Resource Manager (ARM) for the past 90 days.
For anything older than 90 days, you have the option to archive the data to storage account or stream the data to Event Hub if you would like to ingest this data into your own system.
The Activity Log data is also available through the Operations Management Suite.
http://www.deployazure.com/management/operations-management-suite/azure-activity-log-analytics-alerts-with-operations-management-suite/