Forum Discussion
Monitoring creation of costly vms
Hi,
I'm grappling with an issue - i want to create an analytics rule in sentinel to monitor the creation of anomalous - more expensive than usual - virtual machines.
However, I cant seem to find any cost data that i can feed into the sentinel's log analytics workspace.
How can I monitor for such things?
- Hello Daniel,
You can use this rule from GitHub https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/Creation_of_Expensive_Computes_in_Azure.yaml
to monitor creation of expensive VMs. The "tokens" array contains VM types that you can define and get alerts based on creation of them.
You can take examples of the array parameters from here: https://docs.microsoft.com/en-us/azure/virtual-machines/vm-naming-conventions or from the link that Clive_Watson sent.
- Hello Daniel,
You can use this rule from GitHub https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/Creation_of_Expensive_Computes_in_Azure.yaml
to monitor creation of expensive VMs. The "tokens" array contains VM types that you can define and get alerts based on creation of them.
You can take examples of the array parameters from here: https://docs.microsoft.com/en-us/azure/virtual-machines/vm-naming-conventions or from the link that Clive_Watson sent. - I've used this in the past https://azureprice.net/ you can download a CSV file, so it could be a watchlist or something to access with the externaldata operator?
- Are you specifically wanting it in logs or are you wanting to prevent someone from being able to spin up a expensive machine?
I specifically want to have in the logs so that i'll be able to create an analytics rule to monitor the spin up of expensive vms.
preventing it is the next step.
- Hmm that might be an option, I'll look into it, thanks.
