
Purpose

An analyst wants to detect abusive resource consumption in Azure Virtual Machines. Using the VM Metrics Azure collector to send CPU and disk usage to Devo, the analyst finds machines whose resource usage is too high. With those machines identified, the analyst removes the malicious mining programs, preventing them from degrading service and stealing compute.
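Added example (not from the Devo documentation) of the detection logic this purpose describes: a run-length check that flags a VM only when its CPU stays at or above a threshold for a sustained window, so a short spike from a build or deploy does not trigger while a miner pegging the CPU for half an hour does. The record fields, the 90% threshold and the 30-minute window are assumptions, since the page does not show the schema of cloud.azure.vm.metrics_simple.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real Azure output). Fields are an assumption:
# (vm_name, sample timestamp, CPU percentage), one sample every 5 minutes.
SAMPLES = [
    # web-01: a single short spike, e.g. a deploy; not a miner.
    ("web-01", "2025-02-17T10:00:00Z", 12.0),
    ("web-01", "2025-02-17T10:05:00Z", 95.0),
    ("web-01", "2025-02-17T10:10:00Z", 14.0),
]
# build-02: CPU pegged for 40 minutes straight, the miner pattern.
SAMPLES += [("build-02", f"2025-02-17T10:{m:02d}:00Z", 96.0) for m in range(0, 45, 5)]
# db-03: two 20-minute high periods separated by a dip; no single window
# reaches 30 minutes, so it is not flagged at the default settings.
SAMPLES += [("db-03", f"2025-02-17T10:{m:02d}:00Z", 40.0 if m == 25 else 93.0)
            for m in range(0, 55, 5)]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample rows."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def sustained_high_cpu(samples, threshold=90.0, min_duration=timedelta(minutes=30)):
    """Return {vm_name: (run_start, run_end)} for every VM whose CPU stayed at or
    above `threshold` for at least `min_duration` with no sub-threshold sample
    in between. A single spike never qualifies; only an unbroken run does."""
    by_vm = defaultdict(list)
    for vm, ts, cpu in samples:
        by_vm[vm].append((parse_ts(ts), cpu))

    findings = {}
    for vm, rows in by_vm.items():
        rows.sort()                     # metrics may arrive out of order
        run_start = None
        for ts, cpu in rows:
            if cpu < threshold:
                run_start = None        # the run is broken; start over
                continue
            if run_start is None:
                run_start = ts
            if ts - run_start >= min_duration:
                # Record (or extend) the qualifying window for this VM.
                findings[vm] = (run_start, ts)
    return findings


if __name__ == "__main__":
    for vm, (start, end) in sustained_high_cpu(SAMPLES).items():
        print(f"{vm}: CPU >= 90% from {start:%H:%M} to {end:%H:%M}")
```

Tune the threshold and window to the workload: a build farm legitimately runs hot for long stretches, so pair this check with the disk and network metrics the collector also delivers before acting on a hit.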

Example tables

Table                           Description
cloud.azure.vm.metrics_simple   Virtual machine performance data in Azure

Authorize It

Microsoft credentials are confusing. Before beginning, be aware of the different credential fields.

  1. In Azure, search for Entra ID.
  2. Click App registrations in the left menu and click the app (or Service Principal) that you are going to use.

     Register the application

  3. In the Overview area, find the Application (client) ID and the Directory (tenant) ID.
  4. Click Certificates & Secrets on the menu and create a new client secret by clicking the New client secret button.
  5. Add the secret.

     Data loss warning: At the secret expiration time, the collector will stop working until the secret is replaced.

  6. Copy the secret value.

     Save the client secret value. It will only be shown once.

     The value contains a tilde ~ character.

  7. Open Subscriptions.
  8. Select the correct subscription and note the subscription ID.
  9. Select Access control (IAM) in the left menu, then click Add and Add role assignment.
  10. Select the Reader role.
  11. Click "Select members" and add the VM Metrics application.
  12. Confirm the changes with Review + Assign.

Run It

In the Cloud Collector App, create an Azure Collector instance using this parameters template, replacing the values enclosed in < >.

 

Secure It

Monitor It

Create an inactivity alert that detects interruptions in the transfer of data from the source to the SQS queue, using the following query:

from TABLE
where toktains(hostchain,"collector-")
select split(hostchain,"-",1) as collector_id

Set the inactivity alert to keep track of the collector_id.
