Microsoft Azure collector

Service description

Microsoft Azure is an ever-expanding set of cloud computing services to help your organization meet its business challenges. Azure gives you the freedom to build, manage, and deploy applications on a massive, global network using your preferred tools and frameworks.

Data source description

You can use the Microsoft Azure collector to send the following types of data to your Devo domain. Once the gathered information arrives at Devo, it is processed and stored in the corresponding tables of the associated Devo domain.

Virtual Machine metrics

Using the Microsoft Azure API, the collector obtains metrics about the deployed Virtual Machines and gathers them in Devo, where they can be queried and analyzed in the Devo platform and in Activeboards.

Virtual Machine metric events are sent to the cloud.azure.vm.metrics_simple Devo table.

Event Hub Services

Many Microsoft Azure services can emit execution information to an Event Hub. This data falls into two types, events and metrics; events in turn come in several subtypes such as audits, status and logs.

The Devo Microsoft Azure collector gathers all such data and sends it to Devo, where the message auto-categorization functionality routes each message to the relevant Devo table automatically.

Although Event Hub is the service used to centralize the data of other Azure services, it also generates information about itself that can be sent to the same Event Hub.

If the egress data rate exceeds the Throughput Unit limits set by Azure (2 MB/s or 4096 events per second), Devo can no longer ingest the data reliably. You can monitor ingress/egress throughput on the Event Hub Namespace in the Azure Portal and, based on trends or alerts, add another Event Hub to resolve this. To avoid reaching the limit in the first place, follow the scalability guidance provided by Microsoft in its technical documentation.

Auto-categorization of Microsoft Azure service messages

The tables below list the patterns used to detect the message type: the Provider, Service, and Category pattern values route each message to the proper Devo table.

Each message stored in an Event Hub is generated by one Provider and one Service and carries a Category field; together, these three values determine the message type.

Over time, the auto-categorization patterns have been improved and expanded across collector versions; the tables below contain the pattern values released in each version.

Collector versions not mentioned here contain changes unrelated to the event mapping used by the auto-categorization functionality.

Patterns up to version 1.3.0:

Provider | Service | Category | Devo table | Since version
Microsoft.ContainerService | MANAGEDCLUSTERS | kube-audit | cloud.azure.aks.kube_audit | 1.0.16
Microsoft.ContainerService | MANAGEDCLUSTERS | kube-audit-admin | cloud.azure.aks.kube_audit_admin | 1.0.16
Microsoft.ContainerService | MANAGEDCLUSTERS | kube-controller-manager | cloud.azure.aks.kube_controller_manager | 1.0.16
Microsoft.ContainerService | MANAGEDCLUSTERS | kube-scheduler | cloud.azure.aks.kube_scheduler | 1.0.16
Microsoft.ContainerService | MANAGEDCLUSTERS | cluster-autoscaler | cloud.azure.aks.cluster_autoscaler | 1.0.16
Microsoft.ContainerService | MANAGEDCLUSTERS | guard | cloud.azure.aks.guard | 1.0.16
Microsoft.ContainerService | MANAGEDCLUSTERS | Policy | cloud.azure.aks.policy | 1.0.16
Microsoft.ContainerService | MANAGEDCLUSTERS | Administrative | cloud.azure.aks.administrative | 1.0.16
Microsoft.Network | APPLICATIONGATEWAYS | ApplicationGatewayAccessLog | cloud.azure.appgateway.access_log | 1.0.16
Microsoft.Network | APPLICATIONGATEWAYS | ApplicationGatewayFirewallLog | cloud.azure.appgateway.firewall_log | 1.0.16
Microsoft.Network | APPLICATIONGATEWAYS | Policy | cloud.azure.appgateway.policy | 1.0.16
Microsoft.Network | APPLICATIONGATEWAYS | Administrative | cloud.azure.appgateway.administrative | 1.0.16
Microsoft.Network | AZUREFIREWALLS | AzureFirewallApplicationRule | cloud.azure.firewall.application_rule | 1.0.16
Microsoft.Network | AZUREFIREWALLS | AzureFirewallNetworkRule | cloud.azure.firewall.network_rule | 1.0.16
Microsoft.Network | AZUREFIREWALLS | AzureFirewallDnsProxy | cloud.azure.firewall.dns_proxy | 1.0.16
Microsoft.Network | FRONTDOORS | FrontdoorAccessLog | cloud.azure.frontdoor.access | 1.0.24
Microsoft.Network | FRONTDOORS | FrontdoorWebApplicationFirewallLog | cloud.azure.frontdoor.waf | 1.0.24
Microsoft.Network | NETWORKSECURITYGROUPS | NetworkSecurityGroupEvent | cloud.azure.virtualnetwork.net_sec_group_event | 1.0.25
Microsoft.Network | NETWORKSECURITYGROUPS | NetworkSecurityGroupRuleCounter | cloud.azure.virtualnetwork.net_sec_group_rule_counter | 1.0.25
Microsoft.Network | VIRTUALNETWORKGATEWAYS | IKEDiagnosticLog | cloud.azure.vngateways.ikediagnos | 1.0.25
Microsoft.Storage | STORAGEACCOUNTS | Administrative | cloud.azure.storage.administrative | 1.0.16
Microsoft.Storage | STORAGEACCOUNTS | ResourceHealth | cloud.azure.storage.resourcehealth | 1.0.16
Microsoft.Web | SITES | Administrative | cloud.azure.appservice.calculated_category | 1.0.16
Microsoft.Web | SITES | Policy | cloud.azure.appservice.policy | 1.0.16
Microsoft.ContainerRegistry | REGISTRIES | ContainerRegistryLoginEvents | cloud.azure.contregistry.login | 1.0.16
Microsoft.DBforPostgreSQL | SERVERS | PostgreSQLLogs | cloud.azure.postgresql.events | 1.0.16
Microsoft.Compute | VIRTUALMACHINES | Administrative | cloud.azure.vm.administrative | 1.0.16
Microsoft.Compute | VIRTUALMACHINES | ResourceHealth | cloud.azure.vm.resourcehealth | 1.0.16
Microsoft.Compute | VIRTUALMACHINES | Policy | cloud.azure.vm.policy | 1.0.16
Microsoft.Compute | VIRTUALMACHINES | Recommendation | cloud.azure.vm.recommendation | 1.0.16
Microsoft.Compute | VIRTUALMACHINES | SecurityEvent | cloud.azure.vm.securityevent | 1.3.0
Microsoft.Compute | VIRTUALMACHINES | Syslog | cloud.azure.vm.unix | 1.3.0
Microsoft.Compute | VIRTUALMACHINESCALESETS | Administrative | cloud.azure.vmscalesets.administrative | 1.0.16
Microsoft.Compute | VIRTUALMACHINESCALESETS | ResourceHealth | cloud.azure.vmscalesets.resourcehealth | 1.0.16
Microsoft.Compute | VIRTUALMACHINESCALESETS | Policy | cloud.azure.vmscalesets.policy | 1.0.16
Microsoft.Compute | VIRTUALMACHINESCALESETS | Autoscale | cloud.azure.vmscalesets.autoscale | 1.0.16
Microsoft.DataFactory | FACTORIES | Administrative | cloud.azure.datafactory.administrative | 1.0.16
Microsoft.Insights | ACTIVITYLOGALERTS | Alert | cloud.azure.monitor.alert | 1.0.16
Microsoft.Security | LOCATIONS | Security | cloud.azure.securitycenter.security | 1.0.16
Microsoft.KeyVault | VAULTS | AuditEvent | cloud.azure.keyvault.audit | 1.0.16
Microsoft.KeyVault | VAULTS | Administrative | cloud.azure.keyvault.administrative | 1.0.16
Microsoft.KeyVault | VAULTS | Policy | cloud.azure.keyvault.policy | 1.0.16
Microsoft.KeyVault | VAULTS | AzurePolicyEvaluationDetails | cloud.azure.keyvault.policy_evaluation_details | 1.2.0
Microsoft.aadiam | <empty> | SignInLogs | cloud.azure.ad.signin | 1.0.16
Microsoft.aadiam | <empty> | AuditLogs | cloud.azure.ad.audit | 1.0.16
Microsoft.aadiam | <empty> | NonInteractiveUserSignInLogs | cloud.azure.ad.noninteractive_user_signin | 1.0.24
Microsoft.aadiam | <empty> | ServicePrincipalSignInLogs | cloud.azure.ad.service_principal_signin | 1.0.17
Microsoft.aadiam | <empty> | ProvisioningLogs | cloud.azure.ad.provisioning | 1.0.17
Microsoft.aadiam | <empty> | ManagedIdentitySignInLogs | cloud.azure.ad.managed_identity_signin | 1.0.24
Microsoft.aadiam | <empty> | UserRiskEvents | cloud.azure.ad.user_risk_events | 1.2.0
Microsoft.aadiam | <empty> | RiskyUsers | cloud.azure.ad.risky_users | 1.2.0
Microsoft.aadiam | <empty> | ServicePrincipalRiskEvents | cloud.azure.ad.service_principal_risk_events | 1.2.0
Microsoft.aadiam | <empty> | RiskyServicePrincipals | cloud.azure.ad.risky_service_principals | 1.2.0
Microsoft.OperationalInsights | WORKSPACES | Audit | cloud.azure.monitor.audit | 1.0.17
MICROSOFT.SQL | SERVERS | AutomaticTuning | cloud.azure.sql.automatic_tuning | 1.0.24
MICROSOFT.SQL | SERVERS | QueryStoreRuntimeStatistics | cloud.azure.sql.query_store_runtime | 1.0.24
MICROSOFT.SQL | MANAGEDINSTANCES | resourceusagestats | cloud.azure.sql.resourceusagestats | 1.0.69
MICROSOFT.SQL | MANAGEDINSTANCES | sqlsecurityauditevents | cloud.azure.sql.securityauditevents | 1.0.69
MICROSOFT.RECOVERYSERVICES | VAULTS | AddonAzureBackupJobs | cloud.azure.siterecovery.addon_backup_jobs | 1.0.25
MICROSOFT.RECOVERYSERVICES | VAULTS | AddonAzureBackupPolicy | cloud.azure.siterecovery.addon_backup_policy | 1.0.25
MICROSOFT.RECOVERYSERVICES | VAULTS | AddonAzureBackupProtectedInstance | cloud.azure.siterecovery.addon_backup_protected_inst | 1.0.25
MICROSOFT.RECOVERYSERVICES | VAULTS | AddonAzureBackupStorage | cloud.azure.siterecovery.addon_backup_storage | 1.0.25
MICROSOFT.RECOVERYSERVICES | VAULTS | AzureBackupReport | cloud.azure.siterecovery.backup_report | 1.0.25
MICROSOFT.RECOVERYSERVICES | VAULTS | AzureSiteRecoveryRecoveryPoints | cloud.azure.siterecovery.site_rec_recovery_points | 1.0.25
MICROSOFT.RECOVERYSERVICES | VAULTS | AzureSiteRecoveryReplicatedItems | cloud.azure.siterecovery.site_rec_replicated_items | 1.0.25
MICROSOFT.RECOVERYSERVICES | VAULTS | AzureSiteRecoveryReplicationStats | cloud.azure.siterecovery.site_rec_rep_stats | 1.0.25
MICROSOFT.RECOVERYSERVICES | VAULTS | CoreAzureBackup | cloud.azure.siterecovery.core_backup | 1.0.25
MICROSOFT.DESKTOPVIRTUALIZATION | HOSTPOOLS | agenthealthstatus | cloud.azure.hostpools.agenthealthstatus | 1.0.69
MICROSOFT.DESKTOPVIRTUALIZATION | HOSTPOOLS | connection | cloud.azure.hostpools.connection | 1.0.69
MICROSOFT.DESKTOPVIRTUALIZATION | HOSTPOOLS | checkpoint | cloud.azure.hostpools.checkpoint | 1.0.69
MICROSOFT.DESKTOPVIRTUALIZATION | HOSTPOOLS | error | cloud.azure.hostpools.error | 1.0.69
MICROSOFT.DESKTOPVIRTUALIZATION | HOSTPOOLS | management | cloud.azure.hostpools.management | 1.0.69
MICROSOFT.SERVICEBUS | <empty> | <empty> | cloud.azure.servicebus.metrics | 1.2.0
MICROSOFT.SERVICEBUS | <empty> | OperationalLogs | cloud.azure.servicebus.operational | 1.2.0
MICROSOFT.DOCUMENTDB | <empty> | ControlPlaneRequests | cloud.azure.cosmosdb.control_plane_requests | 1.2.0
MICROSOFT.DOCUMENTDB | <empty> | DataPlaneRequests | cloud.azure.cosmosdb.data_plane_requests | 1.2.0
MICROSOFT.DOCUMENTDB | <empty> | MongoRequests | cloud.azure.cosmosdb.mongo_requests | 1.2.0
MICROSOFT.DOCUMENTDB | <empty> | PartitionKeyRUConsumption | cloud.azure.cosmosdb.partition_key_ru_consumption | 1.2.0
MICROSOFT.DOCUMENTDB | <empty> | PartitionKeyStatistics | cloud.azure.cosmosdb.partitionkey_statistics | 1.2.0
MICROSOFT.DOCUMENTDB | <empty> | QueryRuntimeStatistics | cloud.azure.cosmosdb.query_runtime_statistics | 1.2.0

If none of the previous patterns are matched, the following ones will be applied:

Provider | Service | Category | Devo table
* | * | Administrative | cloud.azure.others.administrative
* | * | Autoscale | cloud.azure.others.autoscale
* | * | Policy | cloud.azure.others.policy
* | * | Recommendation | cloud.azure.others.recommendation
* | * | ResourceHealth | cloud.azure.others.resourcehealth

The basic type detection will be applied for other values:

Message type | Devo table
event | cloud.azure.others.events
metric | cloud.azure.eh.metrics


Patterns up to version 1.2.0:

Provider | Service | Category | Devo table | Since version
Microsoft.ContainerService | MANAGEDCLUSTERS | kube-audit | cloud.azure.aks.kube_audit | 1.0.16
Microsoft.ContainerService | MANAGEDCLUSTERS | kube-audit-admin | cloud.azure.aks.kube_audit_admin | 1.0.16
Microsoft.ContainerService | MANAGEDCLUSTERS | kube-controller-manager | cloud.azure.aks.kube_controller_manager | 1.0.16
Microsoft.ContainerService | MANAGEDCLUSTERS | kube-scheduler | cloud.azure.aks.kube_scheduler | 1.0.16
Microsoft.ContainerService | MANAGEDCLUSTERS | cluster-autoscaler | cloud.azure.aks.cluster_autoscaler | 1.0.16
Microsoft.ContainerService | MANAGEDCLUSTERS | guard | cloud.azure.aks.guard | 1.0.16
Microsoft.ContainerService | MANAGEDCLUSTERS | Policy | cloud.azure.aks.policy | 1.0.16
Microsoft.ContainerService | MANAGEDCLUSTERS | Administrative | cloud.azure.aks.administrative | 1.0.16
Microsoft.Network | APPLICATIONGATEWAYS | ApplicationGatewayAccessLog | cloud.azure.appgateway.access_log | 1.0.16
Microsoft.Network | APPLICATIONGATEWAYS | ApplicationGatewayFirewallLog | cloud.azure.appgateway.firewall_log | 1.0.16
Microsoft.Network | APPLICATIONGATEWAYS | Policy | cloud.azure.appgateway.policy | 1.0.16
Microsoft.Network | APPLICATIONGATEWAYS | Administrative | cloud.azure.appgateway.administrative | 1.0.16
Microsoft.Network | AZUREFIREWALLS | AzureFirewallApplicationRule | cloud.azure.firewall.application_rule | 1.0.16
Microsoft.Network | AZUREFIREWALLS | AzureFirewallNetworkRule | cloud.azure.firewall.network_rule | 1.0.16
Microsoft.Network | AZUREFIREWALLS | AzureFirewallDnsProxy | cloud.azure.firewall.dns_proxy | 1.0.16
Microsoft.Network | FRONTDOORS | FrontdoorAccessLog | cloud.azure.frontdoor.access | 1.0.24
Microsoft.Network | FRONTDOORS | FrontdoorWebApplicationFirewallLog | cloud.azure.frontdoor.waf | 1.0.24
Microsoft.Network | NETWORKSECURITYGROUPS | NetworkSecurityGroupEvent | cloud.azure.virtualnetwork.net_sec_group_event | 1.0.25
Microsoft.Network | NETWORKSECURITYGROUPS | NetworkSecurityGroupRuleCounter | cloud.azure.virtualnetwork.net_sec_group_rule_counter | 1.0.25
Microsoft.Network | VIRTUALNETWORKGATEWAYS | IKEDiagnosticLog | cloud.azure.vngateways.ikediagnos | 1.0.25
Microsoft.Storage | STORAGEACCOUNTS | Administrative | cloud.azure.storage.administrative | 1.0.16
Microsoft.Storage | STORAGEACCOUNTS | ResourceHealth | cloud.azure.storage.resourcehealth | 1.0.16
Microsoft.Web | SITES | Administrative | cloud.azure.appservice.calculated_category | 1.0.16
Microsoft.Web | SITES | Policy | cloud.azure.appservice.policy | 1.0.16
Microsoft.ContainerRegistry | REGISTRIES | ContainerRegistryLoginEvents | cloud.azure.contregistry.login | 1.0.16
Microsoft.DBforPostgreSQL | SERVERS | PostgreSQLLogs | cloud.azure.postgresql.events | 1.0.16
Microsoft.Compute | VIRTUALMACHINES | Administrative | cloud.azure.vm.administrative | 1.0.16
Microsoft.Compute | VIRTUALMACHINES | ResourceHealth | cloud.azure.vm.resourcehealth | 1.0.16
Microsoft.Compute | VIRTUALMACHINES | Policy | cloud.azure.vm.policy | 1.0.16
Microsoft.Compute | VIRTUALMACHINES | Recommendation | cloud.azure.vm.recommendation | 1.0.16
Microsoft.Compute | VIRTUALMACHINESCALESETS | Administrative | cloud.azure.vmscalesets.administrative | 1.0.16
Microsoft.Compute | VIRTUALMACHINESCALESETS | ResourceHealth | cloud.azure.vmscalesets.resourcehealth | 1.0.16
Microsoft.Compute | VIRTUALMACHINESCALESETS | Policy | cloud.azure.vmscalesets.policy | 1.0.16
Microsoft.Compute | VIRTUALMACHINESCALESETS | Autoscale | cloud.azure.vmscalesets.autoscale | 1.0.16
Microsoft.DataFactory | FACTORIES | Administrative | cloud.azure.datafactory.administrative | 1.0.16
Microsoft.Insights | ACTIVITYLOGALERTS | Alert | cloud.azure.monitor.alert | 1.0.16
Microsoft.Security | LOCATIONS | Security | cloud.azure.securitycenter.security | 1.0.16
Microsoft.KeyVault | VAULTS | AuditEvent | cloud.azure.keyvault.audit | 1.0.16
Microsoft.KeyVault | VAULTS | Administrative | cloud.azure.keyvault.administrative | 1.0.16
Microsoft.KeyVault | VAULTS | Policy | cloud.azure.keyvault.policy | 1.0.16
Microsoft.KeyVault | VAULTS | AzurePolicyEvaluationDetails | cloud.azure.keyvault.policy_evaluation_details | 1.2.0
Microsoft.aadiam | <empty> | SignInLogs | cloud.azure.ad.signin | 1.0.16
Microsoft.aadiam | <empty> | AuditLogs | cloud.azure.ad.audit | 1.0.16
Microsoft.aadiam | <empty> | NonInteractiveUserSignInLogs | cloud.azure.ad.noninteractive_user_signin | 1.0.24
Microsoft.aadiam | <empty> | ServicePrincipalSignInLogs | cloud.azure.ad.service_principal_signin | 1.0.17
Microsoft.aadiam | <empty> | ProvisioningLogs | cloud.azure.ad.provisioning | 1.0.17
Microsoft.aadiam | <empty> | ManagedIdentitySignInLogs | cloud.azure.ad.managed_identity_signin | 1.0.24
Microsoft.aadiam | <empty> | UserRiskEvents | cloud.azure.ad.user_risk_events | 1.2.0
Microsoft.aadiam | <empty> | RiskyUsers | cloud.azure.ad.risky_users | 1.2.0
Microsoft.aadiam | <empty> | ServicePrincipalRiskEvents | cloud.azure.ad.service_principal_risk_events | 1.2.0
Microsoft.aadiam | <empty> | RiskyServicePrincipals | cloud.azure.ad.risky_service_principals | 1.2.0
Microsoft.OperationalInsights | WORKSPACES | Audit | cloud.azure.monitor.audit | 1.0.17
MICROSOFT.SQL | SERVERS | AutomaticTuning | cloud.azure.sql.automatic_tuning | 1.0.24
MICROSOFT.SQL | SERVERS | QueryStoreRuntimeStatistics | cloud.azure.sql.query_store_runtime | 1.0.24
MICROSOFT.SQL | MANAGEDINSTANCES | resourceusagestats | cloud.azure.sql.resourceusagestats | 1.0.69
MICROSOFT.SQL | MANAGEDINSTANCES | sqlsecurityauditevents | cloud.azure.sql.securityauditevents | 1.0.69
MICROSOFT.RECOVERYSERVICES | VAULTS | AddonAzureBackupJobs | cloud.azure.siterecovery.addon_backup_jobs | 1.0.25
MICROSOFT.RECOVERYSERVICES | VAULTS | AddonAzureBackupPolicy | cloud.azure.siterecovery.addon_backup_policy | 1.0.25
MICROSOFT.RECOVERYSERVICES | VAULTS | AddonAzureBackupProtectedInstance | cloud.azure.siterecovery.addon_backup_protected_inst | 1.0.25
MICROSOFT.RECOVERYSERVICES | VAULTS | AddonAzureBackupStorage | cloud.azure.siterecovery.addon_backup_storage | 1.0.25
MICROSOFT.RECOVERYSERVICES | VAULTS | AzureBackupReport | cloud.azure.siterecovery.backup_report | 1.0.25
MICROSOFT.RECOVERYSERVICES | VAULTS | AzureSiteRecoveryRecoveryPoints | cloud.azure.siterecovery.site_rec_recovery_points | 1.0.25
MICROSOFT.RECOVERYSERVICES | VAULTS | AzureSiteRecoveryReplicatedItems | cloud.azure.siterecovery.site_rec_replicated_items | 1.0.25
MICROSOFT.RECOVERYSERVICES | VAULTS | AzureSiteRecoveryReplicationStats | cloud.azure.siterecovery.site_rec_rep_stats | 1.0.25
MICROSOFT.RECOVERYSERVICES | VAULTS | CoreAzureBackup | cloud.azure.siterecovery.core_backup | 1.0.25
MICROSOFT.DESKTOPVIRTUALIZATION | HOSTPOOLS | agenthealthstatus | cloud.azure.hostpools.agenthealthstatus | 1.0.69
MICROSOFT.DESKTOPVIRTUALIZATION | HOSTPOOLS | connection | cloud.azure.hostpools.connection | 1.0.69
MICROSOFT.DESKTOPVIRTUALIZATION | HOSTPOOLS | checkpoint | cloud.azure.hostpools.checkpoint | 1.0.69
MICROSOFT.DESKTOPVIRTUALIZATION | HOSTPOOLS | error | cloud.azure.hostpools.error | 1.0.69
MICROSOFT.DESKTOPVIRTUALIZATION | HOSTPOOLS | management | cloud.azure.hostpools.management | 1.0.69
MICROSOFT.SERVICEBUS | <empty> | <empty> | cloud.azure.servicebus.metrics | 1.2.0
MICROSOFT.SERVICEBUS | <empty> | OperationalLogs | cloud.azure.servicebus.operational | 1.2.0
MICROSOFT.DOCUMENTDB | <empty> | ControlPlaneRequests | cloud.azure.cosmosdb.control_plane_requests | 1.2.0
MICROSOFT.DOCUMENTDB | <empty> | DataPlaneRequests | cloud.azure.cosmosdb.data_plane_requests | 1.2.0
MICROSOFT.DOCUMENTDB | <empty> | MongoRequests | cloud.azure.cosmosdb.mongo_requests | 1.2.0
MICROSOFT.DOCUMENTDB | <empty> | PartitionKeyRUConsumption | cloud.azure.cosmosdb.partition_key_ru_consumption | 1.2.0
MICROSOFT.DOCUMENTDB | <empty> | PartitionKeyStatistics | cloud.azure.cosmosdb.partitionkey_statistics | 1.2.0
MICROSOFT.DOCUMENTDB | <empty> | QueryRuntimeStatistics | cloud.azure.cosmosdb.query_runtime_statistics | 1.2.0

If none of the previous patterns are matched, the following ones will be applied:

Provider | Service | Category | Devo table
* | * | Administrative | cloud.azure.others.administrative
* | * | Autoscale | cloud.azure.others.autoscale
* | * | Policy | cloud.azure.others.policy
* | * | Recommendation | cloud.azure.others.recommendation
* | * | ResourceHealth | cloud.azure.others.resourcehealth

The basic type detection will be applied for other values:

Message type | Devo table
event | cloud.azure.others.events
metric | cloud.azure.eh.metrics


Patterns up to version 1.0.69:

Provider | Service | Category | Devo table | Since version
Microsoft.ContainerService | MANAGEDCLUSTERS | kube-audit | cloud.azure.aks.kube_audit | 1.0.16
Microsoft.ContainerService | MANAGEDCLUSTERS | kube-audit-admin | cloud.azure.aks.kube_audit_admin | 1.0.16
Microsoft.ContainerService | MANAGEDCLUSTERS | kube-controller-manager | cloud.azure.aks.kube_controller_manager | 1.0.16
Microsoft.ContainerService | MANAGEDCLUSTERS | kube-scheduler | cloud.azure.aks.kube_scheduler | 1.0.16
Microsoft.ContainerService | MANAGEDCLUSTERS | cluster-autoscaler | cloud.azure.aks.cluster_autoscaler | 1.0.16
Microsoft.ContainerService | MANAGEDCLUSTERS | guard | cloud.azure.aks.guard | 1.0.16
Microsoft.ContainerService | MANAGEDCLUSTERS | Policy | cloud.azure.aks.policy | 1.0.16
Microsoft.ContainerService | MANAGEDCLUSTERS | Administrative | cloud.azure.aks.administrative | 1.0.16
Microsoft.Network | APPLICATIONGATEWAYS | ApplicationGatewayAccessLog | cloud.azure.appgateway.access_log | 1.0.16
Microsoft.Network | APPLICATIONGATEWAYS | ApplicationGatewayFirewallLog | cloud.azure.appgateway.firewall_log | 1.0.16
Microsoft.Network | APPLICATIONGATEWAYS | Policy | cloud.azure.appgateway.policy | 1.0.16
Microsoft.Network | APPLICATIONGATEWAYS | Administrative | cloud.azure.appgateway.administrative | 1.0.16
Microsoft.Network | AZUREFIREWALLS | AzureFirewallApplicationRule | cloud.azure.firewall.application_rule | 1.0.16
Microsoft.Network | AZUREFIREWALLS | AzureFirewallNetworkRule | cloud.azure.firewall.network_rule | 1.0.16
Microsoft.Network | AZUREFIREWALLS | AzureFirewallDnsProxy | cloud.azure.firewall.dns_proxy | 1.0.16
Microsoft.Network | FRONTDOORS | FrontdoorAccessLog | cloud.azure.frontdoor.access | 1.0.24
Microsoft.Network | FRONTDOORS | FrontdoorWebApplicationFirewallLog | cloud.azure.frontdoor.waf | 1.0.24
Microsoft.Network | NETWORKSECURITYGROUPS | NetworkSecurityGroupEvent | cloud.azure.virtualnetwork.net_sec_group_event | 1.0.25
Microsoft.Network | NETWORKSECURITYGROUPS | NetworkSecurityGroupRuleCounter | cloud.azure.virtualnetwork.net_sec_group_rule_counter | 1.0.25
Microsoft.Network | VIRTUALNETWORKGATEWAYS | IKEDiagnosticLog | cloud.azure.vngateways.ikediagnos | 1.0.25
Microsoft.Storage | STORAGEACCOUNTS | Administrative | cloud.azure.storage.administrative | 1.0.16
Microsoft.Storage | STORAGEACCOUNTS | ResourceHealth | cloud.azure.storage.resourcehealth | 1.0.16
Microsoft.Web | SITES | Administrative | cloud.azure.appservice.calculated_category | 1.0.16
Microsoft.Web | SITES | Policy | cloud.azure.appservice.policy | 1.0.16
Microsoft.ContainerRegistry | REGISTRIES | ContainerRegistryLoginEvents | cloud.azure.contregistry.login | 1.0.16
Microsoft.DBforPostgreSQL | SERVERS | PostgreSQLLogs | cloud.azure.postgresql.events | 1.0.16
Microsoft.Compute | VIRTUALMACHINES | Administrative | cloud.azure.vm.administrative | 1.0.16
Microsoft.Compute | VIRTUALMACHINES | ResourceHealth | cloud.azure.vm.resourcehealth | 1.0.16
Microsoft.Compute | VIRTUALMACHINES | Policy | cloud.azure.vm.policy | 1.0.16
Microsoft.Compute | VIRTUALMACHINES | Recommendation | cloud.azure.vm.recommendation | 1.0.16
Microsoft.Compute | VIRTUALMACHINESCALESETS | Administrative | cloud.azure.vmscalesets.administrative | 1.0.16
Microsoft.Compute | VIRTUALMACHINESCALESETS | ResourceHealth | cloud.azure.vmscalesets.resourcehealth | 1.0.16
Microsoft.Compute | VIRTUALMACHINESCALESETS | Policy | cloud.azure.vmscalesets.policy | 1.0.16
Microsoft.Compute | VIRTUALMACHINESCALESETS | Autoscale | cloud.azure.vmscalesets.autoscale | 1.0.16
Microsoft.DataFactory | FACTORIES | Administrative | cloud.azure.datafactory.administrative | 1.0.16
Microsoft.Insights | ACTIVITYLOGALERTS | Alert | cloud.azure.monitor.alert | 1.0.16
Microsoft.Security | LOCATIONS | Security | cloud.azure.securitycenter.security | 1.0.16
Microsoft.KeyVault | VAULTS | AuditEvent | cloud.azure.keyvault.audit | 1.0.16
Microsoft.KeyVault | VAULTS | Administrative | cloud.azure.keyvault.administrative | 1.0.16
Microsoft.KeyVault | VAULTS | Policy | cloud.azure.keyvault.policy | 1.0.16
Microsoft.aadiam | <empty> | SignInLogs | cloud.azure.ad.signin | 1.0.16
Microsoft.aadiam | <empty> | AuditLogs | cloud.azure.ad.audit | 1.0.16
Microsoft.aadiam | <empty> | NonInteractiveUserSignInLogs | cloud.azure.ad.noninteractive_user_signin | 1.0.24
Microsoft.aadiam | <empty> | ServicePrincipalSignInLogs | cloud.azure.ad.service_principal_signin | 1.0.17
Microsoft.aadiam | <empty> | ProvisioningLogs | cloud.azure.ad.provisioning | 1.0.17
Microsoft.aadiam | <empty> | ManagedIdentitySignInLogs | cloud.azure.ad.managed_identity_signin | 1.0.24
Microsoft.OperationalInsights | WORKSPACES | Audit | cloud.azure.monitor.audit | 1.0.17
MICROSOFT.SQL | SERVERS | AutomaticTuning | cloud.azure.sql.automatic_tuning | 1.0.24
MICROSOFT.SQL | SERVERS | QueryStoreRuntimeStatistics | cloud.azure.sql.query_store_runtime | 1.0.24
MICROSOFT.SQL | MANAGEDINSTANCES | resourceusagestats | cloud.azure.sql.resourceusagestats | 1.0.69
MICROSOFT.SQL | MANAGEDINSTANCES | sqlsecurityauditevents | cloud.azure.sql.securityauditevents | 1.0.69
MICROSOFT.RECOVERYSERVICES | VAULTS | AddonAzureBackupJobs | cloud.azure.siterecovery.addon_backup_jobs | 1.0.25
MICROSOFT.RECOVERYSERVICES | VAULTS | AddonAzureBackupPolicy | cloud.azure.siterecovery.addon_backup_policy | 1.0.25
MICROSOFT.RECOVERYSERVICES | VAULTS | AddonAzureBackupProtectedInstance | cloud.azure.siterecovery.addon_backup_protected_inst | 1.0.25
MICROSOFT.RECOVERYSERVICES | VAULTS | AddonAzureBackupStorage | cloud.azure.siterecovery.addon_backup_storage | 1.0.25
MICROSOFT.RECOVERYSERVICES | VAULTS | AzureBackupReport | cloud.azure.siterecovery.backup_report | 1.0.25
MICROSOFT.RECOVERYSERVICES | VAULTS | AzureSiteRecoveryRecoveryPoints | cloud.azure.siterecovery.site_rec_recovery_points | 1.0.25
MICROSOFT.RECOVERYSERVICES | VAULTS | AzureSiteRecoveryReplicatedItems | cloud.azure.siterecovery.site_rec_replicated_items | 1.0.25
MICROSOFT.RECOVERYSERVICES | VAULTS | AzureSiteRecoveryReplicationStats | cloud.azure.siterecovery.site_rec_rep_stats | 1.0.25
MICROSOFT.RECOVERYSERVICES | VAULTS | CoreAzureBackup | cloud.azure.siterecovery.core_backup | 1.0.25
MICROSOFT.DESKTOPVIRTUALIZATION | HOSTPOOLS | agenthealthstatus | cloud.azure.hostpools.agenthealthstatus | 1.0.69
MICROSOFT.DESKTOPVIRTUALIZATION | HOSTPOOLS | connection | cloud.azure.hostpools.connection | 1.0.69
MICROSOFT.DESKTOPVIRTUALIZATION | HOSTPOOLS | checkpoint | cloud.azure.hostpools.checkpoint | 1.0.69
MICROSOFT.DESKTOPVIRTUALIZATION | HOSTPOOLS | error | cloud.azure.hostpools.error | 1.0.69
MICROSOFT.DESKTOPVIRTUALIZATION | HOSTPOOLS | management | cloud.azure.hostpools.management | 1.0.69

If none of the previous patterns are matched, the following ones will be applied:

Provider | Service | Category | Devo table
* | * | Administrative | cloud.azure.others.administrative
* | * | Autoscale | cloud.azure.others.autoscale
* | * | Policy | cloud.azure.others.policy
* | * | Recommendation | cloud.azure.others.recommendation
* | * | ResourceHealth | cloud.azure.others.resourcehealth

The basic type detection will be applied for other values:

Message type | Devo table
event | cloud.azure.others.events
metric | cloud.azure.eh.metrics



Provider

Service

Category

Devo table

Since version

Provider

Service

Category

Devo table

Since version

Microsoft.ContainerService

MANAGEDCLUSTERS

kube-audit

cloud.azure.aks.kube_audit

1.0.16

kube-audit-admin

cloud.azure.aks.kube_audit_admin

1.0.16

kube-controller-manager

cloud.azure.aks.kube_controller_manager

1.0.16

kube-scheduler

cloud.azure.aks.kube_scheduler

1.0.16

cluster-autoscaler

cloud.azure.aks.cluster_autoscaler

1.0.16

guard

cloud.azure.aks.guard

1.0.16

Policy

cloud.azure.aks.policy

1.0.16

Administrative

cloud.azure.aks.administrative

1.0.16

Microsoft.Network

APPLICATIONGATEWAYS

ApplicationGatewayAccessLog

cloud.azure.appgateway.access_log

1.0.16

ApplicationGatewayFirewallLog

cloud.azure.appgateway.firewall_log

1.0.16

Policy

cloud.azure.appgateway.policy

1.0.16

Administrative

cloud.azure.appgateway.administrative

1.0.16

AZUREFIREWALLS

AzureFirewallApplicationRule

cloud.azure.firewall.application_rule

1.0.16

AzureFirewallNetworkRule

cloud.azure.firewall.network_rule

1.0.16

AzureFirewallDnsProxy

cloud.azure.firewall.dns_proxy

1.0.16

FRONTDOORS

FrontdoorAccessLog

cloud.azure.frontdoor.access

1.0.24

FrontdoorWebApplicationFirewallLog

cloud.azure.frontdoor.waf

1.0.24

NETWORKSECURITYGROUPS

NetworkSecurityGroupEvent

cloud.azure.virtualnetwork.net_sec_group_event

1.0.25

NetworkSecurityGroupRuleCounter

cloud.azure.virtualnetwork.net_sec_group_rule_counter

1.0.25

VIRTUALNETWORKGATEWAYS

IKEDiagnosticLog

cloud.azure.vngateways.ikediagnos

1.0.25

Microsoft.Storage

STORAGEACCOUNTS

Administrative

cloud.azure.storage.administrative

1.0.16

ResourceHealth

cloud.azure.storage.resourcehealth

1.0.16

Microsoft.Web

SITES

Administrative

cloud.azure.appservice.calculated_category

1.0.16

Policy

cloud.azure.appservice.policy

1.0.16

Microsoft.ContainerRegistry

REGISTRIES

ContainerRegistryLoginEvents

cloud.azure.contregistry.login

1.0.16

Microsoft.DBforPostgreSQL

SERVERS

PostgreSQLLogs

cloud.azure.postgresql.events

1.0.16

Microsoft.Compute

VIRTUALMACHINES

Administrative

cloud.azure.vm.administrative

1.0.16

ResourceHealth

cloud.azure.vm.resourcehealth

1.0.16

Policy

cloud.azure.vm.policy

1.0.16

Recommendation

cloud.azure.vm.recommendation

1.0.16

VIRTUALMACHINESCALESETS

Administrative

cloud.azure.vmscalesets.administrative

1.0.16

ResourceHealth

cloud.azure.vmscalesets.resourcehealth

1.0.16

Policy

cloud.azure.vmscalesets.policy

1.0.16

Autoscale

cloud.azure.vmscalesets.autoscale

1.0.16

Microsoft.DataFactory

FACTORIES

Administrative

cloud.azure.datafactory.administrative

1.0.16

Microsoft.Insights

ACTIVITYLOGALERTS

Alert

cloud.azure.monitor.alert

1.0.16

Microsoft.Security

LOCATIONS

Security

cloud.azure.securitycenter.security

1.0.16

Microsoft.KeyVault

VAULTS

AuditEvent

cloud.azure.keyvault.audit

1.0.16

Administrative

cloud.azure.keyvault.administrative

1.0.16

Policy

cloud.azure.keyvault.policy

1.0.16

Microsoft.aadiam

<empty>

SignInLogs

cloud.azure.ad.signin

1.0.16

AuditLogs

cloud.azure.ad.audit

1.0.16

NonInteractiveUserSignInLogs

cloud.azure.ad.noninteractive_user_signin

1.0.24

ServicePrincipalSignInLogs

cloud.azure.ad.service_principal_signin

1.0.17

ProvisioningLogs

cloud.azure.ad.provisioning

1.0.17

ManagedIdentitySignInLogs

cloud.azure.ad.managed_identity_signin

1.0.24

Microsoft.OperationalInsights

WORKSPACES

Audit

cloud.azure.monitor.audit

1.0.17

MICROSOFT.SQL

SERVERS

AutomaticTuning

cloud.azure.sql.automatic_tuning

1.0.24

QueryStoreRuntimeStatistics

cloud.azure.sql.query_store_runtime

1.0.24

MICROSOFT.RECOVERYSERVICES

VAULTS

AddonAzureBackupJobs

cloud.azure.siterecovery.addon_backup_jobs

1.0.25

AddonAzureBackupPolicy

cloud.azure.siterecovery.addon_backup_policy

1.0.25

AddonAzureBackupProtectedInstance

cloud.azure.siterecovery.addon_backup_protected_inst

1.0.25

AddonAzureBackupStorage

cloud.azure.siterecovery.addon_backup_storage

1.0.25

AzureBackupReport

cloud.azure.siterecovery.backup_report

1.0.25

AzureSiteRecoveryRecoveryPoints

cloud.azure.siterecovery.site_rec_recovery_points

1.0.25

AzureSiteRecoveryReplicatedItems

cloud.azure.siterecovery.site_rec_replicated_items

1.0.25

AzureSiteRecoveryReplicationStats

cloud.azure.siterecovery.site_rec_rep_stats

1.0.25

CoreAzureBackup

cloud.azure.siterecovery.core_backup

1.0.25

If none of the previous patterns are matched, the following ones will be applied:

| Provider | Service | Category | Devo table |
|---|---|---|---|
| * | * | Administrative | cloud.azure.others.administrative |
| * | * | Autoscale | cloud.azure.others.autoscale |
| * | * | Policy | cloud.azure.others.policy |
| * | * | Recommendation | cloud.azure.others.recommendation |
| * | * | ResourceHealth | cloud.azure.others.resourcehealth |

For any other value, basic type detection is applied:

| Message type | Devo table |
|---|---|
| event | cloud.azure.others.events |
| metric | cloud.azure.eh.metrics |
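To make the three-stage routing concrete (specific provider/service/category rows first, then the * wildcard rows, then basic type detection), here is an added Python model of it; it is not Devo's collector code. It uses a subset of the rows from the tables above, and it assumes that the provider and service come from the two segments after /PROVIDERS/ in the record's resourceId and that a metric record is recognised by a metricName field, neither of which this page specifies.

```python
import re

# Added model of the routing described above; not Devo's collector code.
# Table rows are a subset copied from this page; how the real collector
# parses resourceId and detects metrics is assumed here.
SPECIFIC_PATTERNS = {  # (provider, service, category) -> Devo table
    ("MICROSOFT.KEYVAULT", "VAULTS", "AUDITEVENT"): "cloud.azure.keyvault.audit",
    ("MICROSOFT.KEYVAULT", "VAULTS", "POLICY"): "cloud.azure.keyvault.policy",
    ("MICROSOFT.AADIAM", "", "SIGNINLOGS"): "cloud.azure.ad.signin",
    ("MICROSOFT.SQL", "SERVERS", "AUTOMATICTUNING"): "cloud.azure.sql.automatic_tuning",
}
WILDCARD_PATTERNS = {  # the "*" provider/service rows, keyed by category
    "ADMINISTRATIVE": "cloud.azure.others.administrative",
    "AUTOSCALE": "cloud.azure.others.autoscale",
    "POLICY": "cloud.azure.others.policy",
    "RECOMMENDATION": "cloud.azure.others.recommendation",
    "RESOURCEHEALTH": "cloud.azure.others.resourcehealth",
}
# Assumption: provider and service are the two segments after /providers/ in
# the record's resourceId; Azure AD records end at the provider (no service).
PROVIDER_RE = re.compile(r"/providers/([^/]+)(?:/([^/]+))?", re.IGNORECASE)

def provider_and_service(resource_id):
    m = PROVIDER_RE.search(resource_id or "")
    if not m:
        return "", ""
    return m.group(1).upper(), (m.group(2) or "").upper()

def route(record):
    """Return the Devo table for one Event Hub record, in the page's precedence order."""
    provider, service = provider_and_service(record.get("resourceId"))
    category = str(record.get("category", "")).upper()
    table = SPECIFIC_PATTERNS.get((provider, service, category))
    if table is None:
        table = WILDCARD_PATTERNS.get(category)
    if table is None:  # basic type detection; assumption: metric records carry metricName
        table = "cloud.azure.eh.metrics" if "metricName" in record else "cloud.azure.others.events"
    return table

RG = "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/RG1/PROVIDERS/"
SAMPLE_RECORDS = [  # constructed samples, not captured Azure data
    {"resourceId": RG + "MICROSOFT.KEYVAULT/VAULTS/KV1", "category": "AuditEvent"},
    {"resourceId": RG + "MICROSOFT.KEYVAULT/VAULTS/KV1", "category": "Policy"},
    {"resourceId": "/tenants/00000000-0000-0000-0000-000000000000/providers/Microsoft.aadiam",
     "category": "SignInLogs"},
    {"resourceId": RG + "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG1", "category": "Policy"},
    {"resourceId": RG + "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG1", "category": "NetworkSecurityGroupEvent"},
    {"resourceId": RG + "MICROSOFT.COMPUTE/VIRTUALMACHINES/VM1", "metricName": "Percentage CPU", "total": 12.5},
]
```

Note how the two Policy records land in different tables: the Key Vault one matches a specific row, while the network security group one falls through to the wildcard row.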


Setup

The Microsoft Azure collector centralizes the data with an Event Hub using the Azure SDK. To use it, you need to configure the resources in the Azure Portal and set the right permissions to access the information.

Virtual Machine metrics

Getting credentials

To log in to the Azure subscription, the collector uses a Service Principal object. You need to get the subscription ID, Active Directory ID, Application ID (service principal identification), and the client secret (service principal "password"). To get them, follow these steps:

  1. Log in to your Azure account and search for Azure Active Directory.

  2. Now, click App registrations in the left menu and click the app (or Service Principal) that you are going to use.

  3. In the Overview area, find the Application (client) ID and the Directory (tenant) ID.

  4. Now click Certificates & Secrets on the menu and create a new client secret by clicking the New client secret button.

    Don't forget to save the client secret value; it is only shown once, at creation time.

  5. Get the subscription ID by searching for Subscriptions on the home page.

  6. Find the correct subscription and note down the subscription ID.

Setting up permissions

  1. After creating the App registration (or Service Principal), go to the desired Resource Group (or subscription if you want to retrieve metrics from all the available virtual machines).

  2. Select Access control (IAM) in the left menu and click Add.

  3. Select at least the Reader role and choose the previously created App registration.

  4. Confirm the changes.

Event Hub events

Getting credentials

  1. In your Azure account, search for the Event Hubs service and click on it.

  2. Create an Event Hub resource per region (repeat the steps below for each region):

    • Click Add.

    • Fill in the mandatory fields, keeping in mind that the Event Hub must be in the same region as the resources you are going to monitor (you only need one per region). The Throughput Units option sets the ingress/egress limit: each unit allows 1 MB/s or 1000 events/second of ingress and 2 MB/s or 4096 events/second of egress. Adjust it to your data volume (it can be changed later).

    • The previous steps create an Event Hub namespace; now go to Event Hubs, search for the namespace you created and click on it.

    • Now click the + Event Hub button and create a new resource. You only need to fill in the Name and Partition Count fields (Partition Count splits the data into partitions, which makes large volumes easier to read). Write down the Event Hub name; you will use it later in the configuration file.

    • Once the Event Hub is created in the namespace, click it and select Consumer Group in the left menu. Note that a dedicated Consumer Group for Devo needs to be created if the existing consumer groups are already in use.

    • Here you will see the Event Hub's consumer groups. A consumer group is what the collector (or any other application) uses to read data from the Event Hub. Write down the name of the consumer group you will use; it goes in the configuration file later.

    • Now, in the Event Hub namespace, click Shared access policies, search for the default policy named RootManageSharedAccessKey and click it.

    • Copy and write down the primary (or secondary) connection string; you will use it later in the configuration file.

Setting up the Event Hubs

  1. Now, search for the Monitor service and click on it.

  2. Click the Diagnostic Settings option in the left area.

  3. A list of the deployed resources is shown. Search for the resources you want to monitor, select them, and click Add diagnostic setting.

  4. Type a name for the rule and check the required category details (logs will be sent to the cloud.azure.eh.events table, and metrics will be sent to the cloud.azure.eh.metrics table).

  5. Check Stream to an Event Hub, and select the corresponding Event hub namespace, Event hub name, and Event hub policy name.

  6. Click Save to finish the process.

Run the collector

Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).