Forum Discussion
"Azure Monitor for VMs" causing huge data volumes in Sentinel
There isn't currently a way of filtering out what should not be processed by Sentinel. For this reason, you should probably consider using different workspaces for Azure Monitor for VMs and Sentinel.
If you are collecting other data from your VMs besides Performance metrics that you consider useful for Sentinel (e.g., Azure Security Center Standard security events, other system events, custom logs, etc.), then you will need to implement multi-homing (i.e., the same Log Analytics agent sending different data with different purposes to different workspaces). This is however not supported yet for Linux machines.
I recommend you to read this nice article about Sentinel/ASC workspace design, as it might give some more insights: https://techcommunity.microsoft.com/t5/azure-sentinel/best-practices-for-designing-an-azure-sentinel-or-azure-security/ba-p/832574
- hspinto
Microsoft
There isn't currently a way of filtering out what should not be processed by Sentinel. For this reason, you should probably consider using different workspaces for Azure Monitor for VMs and Sentinel.
If you are collecting other data from your VMs besides Performance metrics that you consider useful for Sentinel (e.g., Azure Security Center Standard security events, other system events, custom logs, etc.), then you will need to implement multi-homing (i.e., the same Log Analytics agent sending different data with different purposes to different workspaces). This is however not supported yet for Linux machines.
I recommend you to read this nice article about Sentinel/ASC workspace design, as it might give some more insights: https://techcommunity.microsoft.com/t5/azure-sentinel/best-practices-for-designing-an-azure-sentinel-or-azure-security/ba-p/832574
hspintoMultihoming really seems to solve my problem!
I have environments with 50+ VMs, and since I no longer seems to be able to throttle the sampe interval of performance analytics after moving to Azure Monitor for VMs, they each generate ~100MB of perf data per day; so that's 150 gigs of data that I really don't want ingested into Sentinel at an additional $2.30/GB/month ($345).
Thank you very much for taking the time to reply. I've skimmed the article and will read it more carefully, it seems to cover a lot of the stuff I need.
My two insights:
- Log Analytics and Sentinel could really use some basic filtering options.
- Azure Monitor for VMs should have a way to lower the sample interval, like the "old" perfmon ingestion into Log Analytics does. I definitely do not need 1 min sample interval for all my VMs.
Have a great weekend!