Deploying Azure Monitor to Track and Respond to Security Events Across Windows, Linux VMs, and Cloud Apps

Introduction

In this lab, we will explore and configure Azure Monitor: The Azure cloud solution for collecting, analyzing and responding to telemetry data from both our on-premises and cloud solutions. Our focus here will be telemetry from virtual machines and web applications hosted on Azure cloud, where we will configure Azure Monitor’s Log Analytics Workspaces to collect and analyze logs collected from these resources. We will deploy the following resources on Azure cloud: Windows Server VM, Linux Server VM, Web App with an SQL database and a Linux Web App. Thereafter, we will configure both the resources and the Log Analytics workspaces to collect and analyze telemetry allowing us to demonstrate:

• Configuration of Application Insights — an extension of Azure Monitor — to provide Application Performance Monitoring (APM) features to allow us to monitor our Web App with an SQL database’s performance proactively, to understand how the app is performing and reactively, to review the application execution data in case of a security incident.
• Remote monitoring of telemetry data from the SQL database hosted within the web app using SQL Insights that is built on top of Azure Monitor and uses monitoring agents.
• Change analysis management of our Linux Web App — We track the historical record of how the Azure resources that host your application changed over time by querying the Azure Resource Manager, capturing the configuration settings that set using the bicep template and capturing the configuration state of a web application e.g. application environment variables, configuration files after every 30 minutes.
• Tracking how our applications are accessed from the internet via the HTTP protocol.
• Collecting logs from a Windows web server i.e. Windows Event Logs for the Windows VM itself and IIS (Internet Information Services) server logs for the web server software.
• The monitoring and diagnosis of the network health of our IaaS virtual machine i.e. the Linux VM. We will use Network watcher to monitor the connections (service endpoints) of our IaaS Linux VM.

In conclusion, we will perform a few intrusion operations to exploit our resources in order to see how this data is presented in Azure Monitor dashboards. Finally, based on these exploits, we will set up alerts to the relevant persons to investigate and remediate. Azure Sentinel can be integrated for further simulation of a SIEM in action but it is beyond the scope of this lab.

The ports and protocols we should be aware of before we proceed are:

• Windows Server VM: Remote connects via RDP port 3389.
• Linux Server VM: Remote connects via SSH port 22.
• Azure & Linux Web Apps: Accessed via standard web protocol TCP ports 80 HTTP, 443 HTTPS.
• SQL Database: Connects via TCP port 1433.

Lab Architecture

Below is the topology diagram to give you a clear picture of the cloud infrastructure we will be deploying.

What is Azure Monitor?

Azure Monitor is a comprehensive solution that collects, analyzes, and responds to telemetry data from both on-premises and cloud environments. The service features help you understand how your applications are performing. You can use Azure Monitor to proactively identify issues that affect your apps and resources, and take action to maximize their availability and performance.

Azure Monitor allows you to:

• Monitor and visualize numerical metric values from your Azure resources to help you understand the health, operation, and performance of your system.
• Query logs i.e. activity logs, diagnostic logs, and telemetry information from your monitoring solutions and analyze the logs to help with troubleshooting of your Azure resources.
• Set up alerts for your gathered data to notify you when critical conditions arise and thereafter configure actions based on the alert conditions.

Azure Monitor collects metrics and logs from:

• The Azure Platform, e.g. Azure AD audit logs, Activity logs for service health and configuration changes information and Resource logs and platform metrics which provide details to the operation and performance of each resource.
• Infrastructure i.e. your compute resources e.g. Virtual Machines in your infrastructure.
• Applications hosted in the Azure cloud via application insights to show the operations and performance of an app.
• Custom sources e.g. a REST API client.

The metrics and logs are stored in repositories within Azure Monitor allowing you to centrally analyze log and metric data from different sources in a centralized location. It is important to distinguish the difference between metrics and logs as follows:

• Metrics are stored in a Time Series database, are lightweight and capable of supporting near to real-time scenarios; making them useful for alerting and fast detection of issues.
• Logs contain different types of data that you can analyze together with a powerful query language. Useful for performing complex analysis across data from different sources.

After collecting, aggregation and storing metric and log data, we need to make use of the data. The following data operations can then be performed on metrics and logs:

• Analyze: Metric Explorer enables you to analyze metrics form a single resource or combine metrics form different resources. Log Analytics enables you to write queries that lets you analyze all of your log data and interactively work with the results.
• Visualize: Add metric graphs and log output from your log queries to Azure Dashboards to visualize them with other data. Workbooks combines text, queries, metrics, and parameters into interactive reports. You can also use Power BI with Azure workbooks.
• Respond: Azure Monitor can proactively Alert you when the metrics or the results of a log query indicate a problem. You can define automated Actions e.g. Calling a webhook, launching an automation runbook or Azure function, or starting an Azure Logic app which are all fully integrated with Azure Monitor’s data. Use Autoscale to automatically add or remove compute resources, based on the load measured biometric values.
• Insights: Provide a customized monitoring experience built on Azure Monitor data and features, for particular applications and services. Application Insights is the most expensive and provides a sophisticated set of features for monitoring usage and performance data via the Application Performance Monitoring (APM), in addition of identifying exceptions throughout all of the components of your applications. Microsoft also provides insights for common Azure services that provide additional value beyond the standard Azure Monitor features used to monitor these services. Examples include: VMs, Containers and Networks.

The diagram below summaries Azure Monitor components as highlighted above:

This project aims to allow us to practice and validate the skills of configuring monitoring of various workloads and infrastructure services using Azure Monitor. The skills we will gain include:

• Deploying and configuring Log Analytics: Log Analytics is the Microsoft cloud environment that stores all the logs from multiple resources. It allows collection, storage and analysis of our resources and infrastructure logs and metrics. In future labs, we will see how Log Analytics provide the core support for Microsoft Defender for Cloud and Microsoft Sentinel.
• Configuring monitoring for Web apps: We basically answer the question “How do we enable our web apps to send their logs to a central location for analysis?”
• Monitoring compute and networking services: We will see how we can collect logs and metrics for Azure IaaS resources specifically virtual machines hosted on cloud.
• Configuring alerts: We will look at a brief example of how an authorized person will receive a notification if there is an incident in the environment based on predefined conditions.

This project is meant for cloud admin and security learners who want to practice monitoring of cloud resources in Microsoft Azure. It is therefore a requirement that you have an Azure subscription before we continue. Azure offers a Free Tier for new accounts where you get access to multiple Azure resources for free for 30 days and $200 credit, whichever comes first. You can open a free account on Azure by following this link

https://azure.microsoft.com/en-us/pricing/purchase-options/azure-account?icid=azurefreeaccount

Thereafter, you need to subscribe to a Pay-as-you-go subscription where you get access to a few common Azure resources for 12 months and pay for your usage for resources not available for free. If you already have an Azure Pay-as-you-go subscription, login to your Azure portal here.

Microsoft Azure

NOTE: This lab assumes that you have global administrator permissions to your Azure subscription and the default region where we will deploy our resources is the UK South region.

Prepare your Azure environment

The first step of this lab exercise is to deploy the resources that we intend to gather metrics and logs from to feed into Azure Monitor and the Log Analytics workspace that we will create. The resources we will deploy are: Windows server VM, Linux Server VM, Web app with SQL database, Linux web app.

Create the resource group to hold all our resources

1. In the Azure Portal Search Bar, enter Resource Groups and select Resource groups from the list of results.
2. On the Resource Groups page, select Create.
3. On the Create a Resource Group page, select your subscription and enter the name AzureMonitor-RG. Set the region to UK South, choose Review + Create.

4. Then choose Create. Your resource group should appear in your list of Resource Groups.

Create a security group

The next step is to create an Entra ID security group for your subscription. Microsoft Entra groups allow you can grant access and permissions to a group of users instead of for each individual user. Limiting access to Microsoft Entra resources to only those users who need access is one of the core security principles of Zero Trust.

There are two Entra ID security group types:

• Security: Used to manage user and computer access to shared resources e.g. You can have all the members of a group have the same security permissions. Members can include users, devices, service principals (the local representation of an application object in a tenant or directory. It is created in each tenant where the application is used and references the globally unique application object), and other nested groups which define access policy and permissions.
• Microsoft 365: Provides collaboration opportunities by giving group members access to a shared mailbox, calendar, files, SharePoint sites, and more. This allows you to give people outside of your organization access to the group. Members of a Microsoft 365 group can only include users. Owners of a Microsoft 365 group can include users and service principals.

1. In the Azure Portal Search Bar, enter Entra ID and select Microsoft Entra ID from the list of results.
2. On the Default Directory page, select Groups.

3. On the Groups page, choose New Group.

4. On the New Group page, provide the values as in the image below and choose Create.

Deploy a windows server virtual machine

1. In the Azure Portal Search Bar, enter Virtual Machines and select Virtual Machines from the list of results.
2. On the Virtual Machines page, choose Create and select Azure Virtual Machine.
3. On the Basics page of the Create a Virtual Machine wizard, select the following settings and then choose Review + Create.

4. Select Review + create then select Create.

5. Wait for the deployment to complete. Once deployment completes choose Go to resource.

6. On the WindowsServer-VM properties page, under Networking, select Network settings.

7. On the Network settings page, select the RDP rule.

8. On the RDP rule space, change the Source to My IP address and choose Save. This updates the security rule and restricts incoming RDP connections to the IP address you’re currently using.

9. Select the Create port rule dropdown and choose Add inbound port rule.

10. On the Add inbound security rule page, configure the following settings and choose Add.

You should now have two active inbound network rules as follows:

11. Click the Overview button the WindowsServer-VM page left pane and choose Connect.

12. Under Native RDP, choose Select.

13. On the Native RDP page, choose Download RDP file and then open the file. Opening the RDP file opens the Remote Desktop Connection dialog box.

14. On the dialog box, select Connect.

15. The username will be automatically input as Robert (for my case, otherwise [your username]). Enter the password as the secure password you chose in Step 3, and choose OK.

16. Click Yes on the dialog box that warns that the identity of the remote computer cannot be identified.

17. When signed into the Windows Server virtual machine, right-click on the Start hint and then choose Windows PowerShell (Admin).

18. We should then proceed to install the IIS web server module to our VM. At the elevated command prompt, type the following command and press Enter. Install-WindowsFeature Web-Server -IncludeAllSubFeature -IncludeManagementTools

To confirm that the IIS server has been successfully installed open your VM browser and type localhost. The following page should open.

19. When the installation completes run the following command to change to the web server root directory. cd c:\inetpub\wwwroot\

20. Run the following command. wget https://raw.githubusercontent.com/Azure-Samples/html-docs-hello-world/master/index.html -OutFile index.html

The command will replace the IIS homepage to give the screen below. (wget command is a powerful command-line tool used in Linux and Unix-based systems to retrieve files from the internet via HTTP, HTTPS, and FTP protocols)

Deploy a Linux virtual machine

1. In the Azure Portal Search Bar, enter Virtual Machines and select Virtual Machines from the list of results.
2. On the Virtual Machines page, choose Create and select Azure Virtual Machine.
3. On the Basics page of the Create A Virtual Machine wizard, select the following settings and then choose Review + Create.

4. Click Review + create, review the information and then choose Create.

5. After the VM deploys, open the VM properties page and choose Extensions + Applications under Settings.

6. Choose Add and select the Network Watcher Agent for Linux. This is a network performance, monitoring, diagnostic and analytics service that allows us to monitor the network in our Linux VM. Choose Next and then choose Review and Create. Choose Create.

NB: PowerShell code to install Network Watcher Agent for Linux in our Linux VM:

Set-AzVMExtension -Name ‘AzureNetworkWatcherExtension’ -Publisher ‘Microsoft.Azure.NetworkWatcher’ -ExtensionType ‘NetworkWatcherAgentLinux’ -EnableAutomaticUpgrade 1 -TypeHandlerVersion ‘1.4’ -ResourceGroupName ‘AzureMonitor-RG’ -VMName ‘Linux-VM’

Deploy a web app with an SQL Database

We are going to deploy a web app from an Azure template hosted on GitHub.

1. Ensure that you’re signed into the Azure Portal.
2. In your browser, open a new browser tab and navigate to:

https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.web/web-app-sql-database.

3. On the GitHub page, choose Deploy to Azure.

4. A new tab opens. If necessary, re-sign into Azure with the account that has Global Administrator privileges.

5. On the Basics page, select Edit template.

6. In the template editor, delete the contents of lines 158 to 174 inclusive and delete the “,” on line 157. This deletes Application Insights from the template since we want to manually configure it for our lab. Choose Save.

7. On the Basics page, provide the following information and choose Next.

8. Select Review + create and then select Create.

9. After the deployment completes, choose Go to resource group.

Deploy a Linux web app

We are going to deploy a web app from an Azure template hosted on Microsoft Learn.

1. Ensure that you’re signed into the Azure Portal.
2. In your browser, open a new browser tab and navigate to:

Deploy a basic Linux web app - Code Samples

3. On the GitHub page, choose Deploy to Azure.

4. On the Basics page, provide the following information and choose Next.

5. Review the information and choose Create.

Deploy Log Analytics

The next step is to create a Log Analytics workspace, configure Log Analytics data retention and archive policies and finally enable access to the Log Analytics workspace.

Create a Log Analytics workspace

1. In the Azure Portal Search Bar, enter Log Analytics and select Log Analytics workspaces from the list of results.
2. On the Log Analytics workspaces page, choose Create.
3. On the Basics page of the Create Log Analytics workspace wizard, provide the following information and choose Review + Create.

4. Review the information and choose Create.

Configure Log Analytics data retention and archive polices

1. In the Azure Portal Search Bar, enter Log Analytics and select Log Analytics workspaces from the list of results.
2. On the Log Analytics workspaces page, choose MonitorLearn-LAW.
3. On the Log Analytics workspace page for MonitorLearn-LAW, choose Usage and estimated costs.

4. Select Data Retention and set the slider to 60 days. Choose OK. During this period — the interactive retention period which we’ve now set to 60 — you can retrieve the data from the table through queries, and the data is available for visualizations, alerts, and other features and services, based on the table plan.

5. On the same menu, select Daily cap. Choose On. Set the daily cap to 10 GB and choose OK.

Enable access to a Log Analytics workspace

This next step is essentially only allowing members of the App Log Examiners security group access to the Log Analytics workspace as part of our Identity and Access Management engineering practice. In a real-world scenario, we would add for example SOC analysts and Security Engineers to this security group for easier management of access permissions across the entire organization’s user set. For additional rights, we could assign Team Leads to the Log Analytics Contributor role for example.

1. While in the MonitorLearn-LAW, select Access control (IAM).
2. Choose Add and then choose Add role assignment.
3. On the list of roles, select Log Analytics Reader and choose Next.

4. On the Members page, choose Select Members and choose the App Log Examiners security group. Choose Select.

5. On the Members space, choose Review + Assign.

Monitor web apps

Next, we need to do the following:

• Enable Application Insights.
• Disable logging for .NET core snapshot debugger.
• Configure web app HTTP logs to be written to a Log Analytics workspace.
• Configure SQL Insights data to be written to a Log Analytics workspace.
• Enable file and configuration change tracking for web apps.

Enable Application Insights

1. In the Azure Portal Search Bar, enter Resource Group and select AzureMonitor-RG from the list of results.
2. From the list of items in the resource group, choose the App Service for the Web App with an SQL Database. In my case, my web app’s name is website2rqipwy3rxkes.
3. Under Monitoring choose Application Insights.

4. On the Application Insights page, choose Turn On Application Insights.

5. On the Application Insights page, ensure that Create a new resource is selected (To create the Application Insights resource for our WebApp) and that the Log Analytics Workspace is set to MonitorLearn-LAW. You can select an identifiable name for the new resource i.e. WebApp-SQLDB-AppInsights. Choose Apply.

6. On the Apply monitoring settings dialog, choose Yes. This redeploys your website and connects it to the new Application Insights resource.

Disable logging for .NET core snapshot debugger

Snapshot debugging lets you inspect code execution and variables in the production environment on a cloud service for a specified user session. It allows a delegated admin to record AL code that runs on the server, and once it has run, debug the recorded snapshot in Visual Studio Code. We need to disable this to reduce the complexity of our project as we do not need to debug our web applications.

1. From the above steps, you should get the notification that your validation has passed. While still in the Application Insights page, scroll down to proceed with the following next steps.
2. Under Instrument your application, choose .NET Core and then set the Snapshot Debugger setting to Off. Choose Apply. Instrumentation refers to enabling the collection of monitoring data from your app by using an agent or an SDK. The approach to instrumentation varies depending on your application’s language and platform. In our lab, we are turning off the .NET debugger agent for our Web App as explained above.
3. On the Apply Monitoring Settings dialog box, choose Yes.

Configure web app HTTP logs to be written to a Log Analytics workspace

1. While still in our WebApp with SQL DB, under Monitoring, choose Diagnostic settings.
2. On the Diagnostic settings page, select + Add diagnostic settings.

3. On the Diagnostic settings page, choose the following and select Save.

Configure SQL Insights data to be written to a Log Analytics workspace

1. In the Azure Portal Search Bar, enter resource groups and select AzureMonitor-RG from the list of results.
2. From the list of items in the resource group, choose the sample SQL database.

3. Under Monitoring, choose Diagnostic settings.

4. On the Diagnostic settings page, choose Add diagnostic setting.

5. On the Diagnostic setting page, provide the following information and choose Save.

Enable file and configuration change tracking for web apps

Change analysis provides a historical record of how the Azure resources that host our application changed over time. For example, it can detect and tracks changes in the application environment variables and configuration files.

1. In the Azure Portal Search Bar, enter AzureMonitor-RG and select AzureMonitor-RG from the list of results.
2. From the list of items in the resource group, choose the AzureLinuxApp0000-webapp.
3. Choose Diagnose and Solve Problems.
4. In the search dialog box, type Application Changes.
5. On the Change Analysis page, choose Enable now.
6. On the Enable file and configuration change tracking page, change the Status slider to On and then choose Save.

Configure monitoring for compute services

In this step, we will configure monitoring for compute services and perform tasks related to integrating IaaS virtual machines with Azure Monitor. We will complete the following tasks:

• Create a data collection endpoint and a data collection rule to collect Windows Event logs.
• Add an existing IIS log collection to the data collection rule.
• Configure Network Connection Monitor for a Linux IaaS virtual machine.

Create a data collection endpoint

1. In the Azure Portal Search Bar, enter Monitor and select Monitor from the list of results.
2. In the Monitor page, under Settings, choose Data Collection Endpoints.
3. On the Data Collection Endpoints page, choose Create.
4. On the Create Data Collection Endpoint page, provide the following settings and then choose Review + Create.

5. Review the settings and choose Create.

Create a data collection rule

Data collection rules (DCRs) define the data collection process in Azure Monitor by specifying what data should be collected, how to transform that data, and where to send that data. It is important to always create the data collection rule in the same region as your Log Analytics workspace.

1. Proceed to choose Data Collection Rules in the same Azure Monitor page.
2. On the Data Collection Rules page, choose Create.
3. On the Create Data Collection Rule page, configure the following settings and choose Next.

4. On the Resources page, choose Add Resources.

5. On the Select a scope page, enable the WindowsServer-VM checkbox and choose Apply.

6. Choose Next : Collect and Deliver page, choose Add data source.

7. On the Add data source page, select Windows Event Logs. In the Application category enable the Critical and Error categories. In the Security category, choose the Audit Failure category. In the System category, enable the Critical and Error categories.

8. Choose Next : Destination.

9. On the Destination page, configure the following settings:

10. Choose Add data source.

11. Choose Review + Create and then choose Create.

Add an IIS log collection to an existing data collection rule

1. In the Azure Portal Search Bar, enter Monitor and select Monitor from the list of results.
2. In the Monitor page, under Settings, choose Data Collection Rules.
3. Choose the WinVM-DRC rule in AzureMonitor-RG.
4. Under Configuration, choose Data Sources.

5. On the Data Sources page, choose Add.

6. On the Add Data Source page, select IIS Logs. You only need to specify a file pattern to identify the directory where the log files are located if they are stored in a different location than configured in IIS. In this case like in most, we will leave this value blank since we didn’t change the defaults. Choose Next.

7. On the Destination page, configure the following settings:

8. Choose Add data source.

Configure Network Connection Monitor for a Linux IaaS virtual machine

Azure Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end-to-end network level view. In other words, Network Watcher is designed to monitor and repair the network health of IaaS products which includes Virtual Machines, Virtual Networks, Application Gateways, and Load Balancers.

Network Watcher allows you to:

• Automate remote network and diagnosis monitoring without logging into your VMs with packet capture by setting alerts and gaining access to performance metrics in real-time.
• Understand your network traffic patterns and network security profile using information gathered by Network Security Group flow logs for compliance and auditing purposes.
• Diagnose VPN connectivity issues.

In the steps below, we will focus on one of the Network Watcher features, Connection Monitor, which provides unified end-to-end connection monitoring in Azure Network Watcher for both hybrid and cloud deployments.

We will configure and use connection monitor to ascertain whether our two VMs can communicate specifically if our Linux VM can reach the Windows Server-VM via HTTP. This is a test of the inbound rule we created while deploying the Windows Server VM. Form this we can stem multiple use cases for Connection Monitor e.g. Test whether your front-end web server VM communicates with a database server VM by checking the network connectivity, check and compare network connectivity bandwidths between your on-premises infrastructure in different locations and Microsoft 365 SaaS applications hosted on cloud via Microsoft 365 URLs etc.

Proceed with the steps below to create a connection monitor where the source is the Linux VM and destination WindowsServer-VM where we specifically test the HTTP protocol connectivity for the Windows Server:

1. In the Azure Portal Search Bar, enter Network Watcher and select Network Watcher from the list of results.
2. Under Monitoring, choose Connection Monitor.
3. On the Connection Monitor page, choose Create.
4. On the Basics page of the Create Connection Monitor wizard, provide the following information and choose Next.

5. On the Add test group details page, enter the name LinuxPublicIPTest and choose Add sources.

6. On the Add Sources page, select Azure Endpoints and set the type to Virtual machines. Select Subnet and then enable the Linux-VM checkbox. Choose Add Endpoints.

7. Choose Add Test Configuration.

8. On the Add Test Configuration page, enter the name DefaultHTTP and then choose Add Test Configuration.

9. Choose Add Destinations. Select Azure Endpoints and set the type to Virtual machines. Select Subnet and then enable the WindowsServer-VM checkbox. Select Add Endpoints.

10. Choose Add Test Group.

11. Choose Next : Workspace. Select Custom Workspace bullet then ensure that the MonitorLearn-LAW is selected.

12. Choose Review and Create and then choose Create.

Configure alerts

In this final step, we will configure Azure Monitor alerts which we can specify conditions such as virtual machine CPU utilization that will trigger an action for example send an email alert to a specific person to investigate and deal with the issue. Alert rules and action rules dictate how to handle alerts. We will proceed to create an alert for one event, High CPU Utilization of our Linux VM as an example. This process is replicable to all our deployed resources.

Create an action group to send an email

1. In the Azure Portal Search Bar, enter Monitor and select Monitor from the list of results.
2. Select Alerts in the navigation menu.
3. Choose Action Groups.

4. On the Action Groups page, choose Create.

5. On the Basics page of the Create Action Group wizard, configure the following settings and choose Next.

6. On the Notifications page, set the notification type to Email/SMS message/Push/Voice and the Name to NotificationEmail. Choose the Edit (pencil) icon.

7. On the Email/SMS message/Push/Voice enable the email checkbox and enter the email address you’d like to receive the notifications. Choose OK.

8. Choose Review and Create. Choose Create.

Create an alert for virtual machine CPU utilization

1. In the Azure Portal Search Bar, enter AzureMonitor-RG and select AzureMonitor-RG from the list of results.
2. From the list of items in the resource group, choose Linux-VM.
3. On the Linux-VM properties page, choose Alerts under Monitoring.
4. On the Alerts page, choose Create and then choose Alert rule.

5. On the Condition page of the Create an Alert Rule wizard, set the Signal name to Percentage CPU. Use the default settings and choose Next.

6. On the Actions page, choose Select Action Group.

7. On the Select Action Groups page, choose NotifyCPU and choose Select.

8. On the Details page enter the Alert rule name HighCPUUtilization. Choose Review and Create and then choose Create.

Review and Conclusion

Let’s complete the lab by seeing some of the reports we get based on our cloud deployments.

Confirmation of our VM connections via Connection Monitor

Navigate to the connection monitor as described above. You should see the following dashboard indicating that the connection between our VMs with the Linux server as the source and the Windows Server is up and running. You can see how simple future tracking will be for all your connections i.e. Connection monitor runs a series of checks for the source-destination pair. These checks run according to the test frequency that you select.

Web App with SQL Database Live Metrics

We can track the health of our Web App and the SQL Database hosted within by navigating to the application insights deployment then checking on Live Metrics as you can see below. The web app is up and running.

Log Analytics Workspace queries using KQL

We can also see the performance of our Web Application from the Log Analytics workspace. For example, running the query below shows the average response time of the requests to our application.

Below are is an example query we can run to see the performance values of our Web App. Remember we configured it to send both HTTP and SQL logs to the Log Analytics Workspace.

Finally, we can see the Windows Event Logs from our Windows Server Virtual Machine from the Log Analytics Workspace.

Clean up subscription

To clean up the subscription, delete resource group AzureMonitor-RG and delete App Log Examiners security group.

References

Introduction - Training | Microsoft Learn

Configure Azure Monitor - Training

Learn about groups and group membership - Microsoft Entra

What is IIS (Internet Information Services) and How Does it Work?

Use Change Analysis (classic) - Azure Monitor

Collect IIS logs with Azure Monitor Agent - Azure Monitor

Manage Network Watcher Agent VM extension - Linux