Azure Monitor Process Information


Hey All,

Been working with Azure Monitor and I'm trying to add some improvements to some existing queries that I have. One bit of information I am looking for is capturing what account is running a process.

I have turned on all of the counters for process and processor, however when I do something as simple as 

Perf
| where CounterName contains "process"
| where CounterName contains "processor"


I don't see any information RE what user account is running said processes. I also had a bit of a play around in Windows Performance Monitor and could not obtain the information I was looking for via there.

If someone could help out here, that would be great, just trying to get the user information in Azure Monitor like you can in Task Manager so that I can enhance my queries to show what user was running a process at the time of an issue.
3 Replies

@pager2055 ,

AFAIK Perf doesn't hold that data, but the SecurityEvent table (built by the security solution) will create it and collect user data as well:

[Image: secevent.png]

@Noa Kuperberg 

Thanks for that :D

So the security event table, would I be able to match up the process IDs to something in the security table in order to match the processes to users?

@pager2055 In theory, yes, by the use of "union" / "join" to combine data from two separate tables.
https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/joinoperator?pivots=azuredataexplor...
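
The join suggested in the thread, written out as an added example (not posted by any participant). It assumes the Windows "Process" performance object is being collected into Perf and that process-creation auditing (event 4688) is enabled and reaching SecurityEvent; the one-hour lookback and the name-based match are illustrative choices.

```kql
// Added example, not from the thread.
// Assumption: process-creation auditing (EventID 4688) is enabled on the hosts,
// otherwise SecurityEvent has no launch records to join against.
let lookback = 1h;
// Who launched which executable on which computer during the window.
let launches = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4688
    // NewProcessName is a full path; keep the file name without ".exe", lower-cased.
    | extend ProcessImage = extract(@"([^\\]+)\.exe$", 1, tolower(NewProcessName))
    | where isnotempty(ProcessImage)
    | summarize LastLaunch = max(TimeGenerated), Launches = count()
        by Computer, ProcessImage, Account;
Perf
| where TimeGenerated > ago(lookback)
| where ObjectName == "Process" and CounterName == "% Processor Time"
| where InstanceName !in ("_Total", "Idle")
// Perf names instances "svchost", "svchost#1", ...; drop the "#n" suffix.
| extend ProcessImage = tolower(extract(@"^([^#]+)", 1, InstanceName))
| summarize AvgCpu = avg(CounterValue), MaxCpu = max(CounterValue)
    by Computer, ProcessImage
// leftouter keeps processes with no launch record in the window
// (started before the lookback, or auditing not enabled): Account stays empty.
| join kind=leftouter launches on Computer, ProcessImage
| project Computer, ProcessImage, AvgCpu, MaxCpu, Account, LastLaunch, Launches
| order by MaxCpu desc
```

Matching on image name is approximate: when several accounts run the same executable on one host, each appears as a separate row against the same CPU figures. The join also depends on both tables reporting the same Computer value.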