Nov 08 2020 04:26 PM - last edited on Apr 08 2022 10:40 AM by TechCommunityAP
Hey All,
Been working with Azure Monitor and I'm trying to add some improvements to some existing queries that I have. One bit of information I am looking for is capturing what account is running a process.
I have turned on all of the counters for process and processor, however when I do something as simple as
Nov 17 2020 04:34 AM
AFAIK Perf doesn't hold that data, but the SecurityEvent table (built by the security solution) will create it and collect user data as well:
Nov 17 2020 08:32 PM
@Noa Kuperberg
Thanks for that :D
So the security event table, would I be able to match up the process IDs to something in the security table in order to match the processes to users?
Nov 19 2020 03:16 PM
@pager2055 In theory, yes, by the use of "union" / "join" to combine data from two separate tables.
https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/joinoperator?pivots=azuredataexplor...
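
One way to write the join suggested in the reply above, as an added example that is not part of the original thread. It assumes the Process "ID Process" counter is collected into Perf and that process-creation auditing (event 4688) reaches SecurityEvent; the two `datatable` blocks are constructed sample rows standing in for those tables so the query runs without a workspace.

```kusto
// Constructed sample rows in the shape of the Perf table (PID is the counter value).
let PerfSample = datatable(TimeGenerated:datetime, Computer:string, ObjectName:string,
                           CounterName:string, InstanceName:string, CounterValue:real)
[
    datetime(2020-11-19 10:05:00), "SRV01", "Process", "ID Process", "sqlservr", 4120.0,
    datetime(2020-11-19 10:05:00), "SRV01", "Process", "ID Process", "notepad",  6604.0,
    datetime(2020-11-19 10:05:00), "SRV02", "Process", "ID Process", "w3wp",     4120.0
];
// Constructed sample rows in the shape of SecurityEvent (4688 = process creation).
let SecurityEventSample = datatable(TimeGenerated:datetime, Computer:string, EventID:int,
                                    Account:string, NewProcessName:string, NewProcessId:string)
[
    datetime(2020-11-19 08:30:00), "SRV01", 4688, @"CONTOSO\svc-sql", @"C:\SQL\sqlservr.exe",              "0x1018",
    datetime(2020-11-19 09:00:00), "SRV01", 4688, @"CONTOSO\alice",   @"C:\Windows\System32\cmd.exe",      "0x19cc",
    datetime(2020-11-19 10:01:00), "SRV01", 4688, @"CONTOSO\bob",     @"C:\Windows\System32\notepad.exe",  "0x19cc",
    datetime(2020-11-19 07:45:00), "SRV02", 4688, @"CONTOSO\svc-web", @"C:\Windows\System32\inetsrv\w3wp.exe", "0x1018"
];
// 4688 records the new PID as a hex string, so normalise it once.
let ProcStarts = SecurityEventSample
    | where EventID == 4688
    | project ProcStart = TimeGenerated, Computer, PidHex = tolower(NewProcessId),
              Account, NewProcessName;
PerfSample
| where ObjectName == "Process" and CounterName == "ID Process"
// Perf stores the PID as a decimal counter value; render it as hex to match 4688.
| extend PidHex = strcat("0x", tohex(tolong(CounterValue)))
// PIDs are only unique per machine, so Computer must be part of the join key.
// Inner join: processes with no 4688 record in the queried window drop out.
| join kind=inner ProcStarts on Computer, PidHex
// Ignore creations logged after the perf sample was taken.
| where ProcStart <= TimeGenerated
// PIDs are reused over time: keep the most recent creation before each sample.
| summarize arg_max(ProcStart, Account, NewProcessName)
    by TimeGenerated, Computer, InstanceName, PidHex
| project TimeGenerated, Computer, InstanceName, PidHex, Account, NewProcessName, ProcStart
```

Against a real workspace, replace `PerfSample` and `SecurityEventSample` with `Perf` and `SecurityEvent` and bound both sides with the same time filter.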