Monitor virtual machines with Azure Monitor: Security monitoring

This article is part of the scenario Monitor virtual machines and their workloads in Azure Monitor. It describes the Azure services for monitoring security for your virtual machines and how they relate to Azure Monitor. Azure Monitor was designed to monitor the availability and performance of your virtual machines and other cloud resources. While the operational data stored in Azure Monitor might be useful for investigating security incidents, other services in Azure were designed to monitor security.


The security services have their own cost independent of Azure Monitor. Before you configure these services, refer to their pricing information to determine your appropriate investment in their usage.

Azure services for security monitoring

Azure Monitor focuses on operational data like Activity logs, Metrics, and Log Analytics supported sources, including Windows Events (excluding security events), performance counters, logs, and Syslog. Security monitoring in Azure is performed by Azure Security Center and Azure Sentinel. These services each have additional cost, so you should determine their value in your environment before you implement them.

Integration with Azure Monitor

The following table lists the integration points for Azure Monitor with the security services. All the services use the same Log Analytics agent, which reduces complexity because there are no other components being deployed to your virtual machines. Security Center and Azure Sentinel store their data in a Log Analytics workspace so that you can use log queries to correlate data collected by the different services. Or you can create a custom workbook that combines security data and availability and performance data in a single view.

Integration point Azure Monitor Azure Security Center Azure Sentinel Defender for Endpoint
Collects security events X X X
Stores data in Log Analytics workspace X X X
Uses Log Analytics agent X X X X

Agent deployment

You can configure Security Center to automatically deploy the Log Analytics agent to Azure virtual machines. While this might seem redundant with Azure Monitor deploying the same agent, you'll most likely want to enable both because they'll each perform their own configuration. For example, if Security Center attempts to provision a machine that's already being monitored by Azure Monitor, it will use the agent that's already installed and add the configuration for the Security Center workspace.

Next steps