DarteyBanahene-4041 asked SaurabhSharma-msft commented

Azure Sentinel VM queries

I'm trying to understand why "Some" of the default queries in Azure Sentinel don't work.

  1. We have a lot of VMs that are functioning and running

  2. Some of the queries work

  3. The ones that don't seem to be CPU usage, memory, and things of that nature.

  4. Is there some type of setup that needs to happen to pull this particular info in?

  5. Why is it that some information from the VMs comes in, like updates that are needed etc., but not the "Hardware" or "Resource" based info?


microsoft-sentinel

Hi @DarteyBanahene-4041,


We haven't heard back from you. Just wanted to check if the below reply is useful. If so, please mark as accepted answer.

Thanks
Saurabh


1 Answer

CliveWatson-3295 answered

To get Perf data you need to collect that from the agent, typically by going to:

https://docs.microsoft.com/en-us/azure/azure-monitor/agents/data-sources-performance-counters

or by enabling VM insights.

https://docs.microsoft.com/en-us/azure/azure-monitor/vm/vminsights-overview

This is data you wouldn't typically put in the same Workspace as Azure Sentinel for cost reasons.

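As an added example (not part of Clive's answer, the question, or the Microsoft docs linked above), here are two Kusto queries a practitioner can run in the Sentinel workspace to confirm that diagnosis before changing anything. The first lists VMs whose agent is sending heartbeats but which have produced no Perf rows in the last 24 hours; those are exactly the machines for which the CPU and memory queries come back empty until performance counters or VM insights are enabled. The second shows which performance objects and counters are actually arriving, per computer. The Heartbeat and Perf tables and the Computer, OSType, ObjectName, CounterName and TimeGenerated columns are the standard Log Analytics schema; the 24-hour window is an assumption and can be widened.

```kql
// Added example, not from the original thread.
// Query 1: agents that are connected (Heartbeat) but have sent no Perf data.
// The 24h window is an assumption; widen it if counters are sampled rarely.
Heartbeat
| where TimeGenerated > ago(24h)
| summarize LastHeartbeat = max(TimeGenerated), OSType = take_any(OSType) by Computer
| join kind=leftanti (
    Perf
    | where TimeGenerated > ago(24h)
    | distinct Computer
) on Computer
| order by LastHeartbeat desc

// Query 2: which counters each computer is actually delivering.
// If Processor / Memory objects are absent for a machine, the data source
// (performance counters or VM insights) is not configured, and no query
// against Perf will ever return CPU or memory figures for it.
Perf
| where TimeGenerated > ago(24h)
| summarize Samples = count(), Latest = max(TimeGenerated)
    by Computer, ObjectName, CounterName
| order by Computer asc, ObjectName asc, CounterName asc
```

Run each query on its own in the Logs blade. An empty result from query 1 together with Processor and Memory rows in query 2 means the counters are flowing and the remaining problem is the query itself; computers listed by query 1 are the ones that need the agent data source or VM insights enabled, and, as the answer notes, that collection is usually kept in a separate workspace from Sentinel to control ingestion cost.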