cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Monitoring creation of costly vms

Daniel_Iten
Occasional Contributor

‎Mar 13 2022 05:58 AM

‎Mar 13 2022 05:58 AM

Monitoring creation of costly vms

Hi, 

I'm grappling with an issue - i want to create an analytics rule in sentinel to monitor the creation of anomalous - more expensive than usual - virtual machines. 

However, I cant seem to find any cost data that i can feed into the sentinel's log analytics workspace.

How can I monitor for such things?

Labels:
648 Views
0 Likes
5 Replies
Reply
5 Replies
Clive_Watson

‎Mar 13 2022 03:53 PM

‎Mar 13 2022 03:53 PM

Re: Monitoring creation of costly vms

I've used this in the past https://azureprice.net/ you can download a CSV file, so it could be a watchlist or something to access with the externaldata operator?
0 Likes
Reply
Phil007

‎Mar 13 2022 08:30 PM

‎Mar 13 2022 08:30 PM

Re: Monitoring creation of costly vms

Are you specifically wanting it in logs or are you wanting to prevent someone from being able to spin up a expensive machine?
0 Likes
Reply
Daniel_Iten

‎Mar 15 2022 01:36 AM

‎Mar 15 2022 01:36 AM

Re: Monitoring creation of costly vms

@Phil007 

I specifically want to have in the logs so that i'll be able to create an analytics rule to monitor the spin up of expensive vms.

preventing it is the next step.

0 Likes
Reply
Daniel_Iten

‎Mar 15 2022 01:38 AM

‎Mar 15 2022 01:38 AM

Re: Monitoring creation of costly vms

Hmm that might be an option, I'll look into it, thanks.
0 Likes
Reply
best response confirmed by Daniel_Iten (Occasional Contributor)
mikhailf

‎Mar 15 2022 10:59 AM

‎Mar 15 2022 10:59 AM

Solution

Re: Monitoring creation of costly vms

Hello Daniel,

You can use this rule from GitHub https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/Creation_of_Expensive_C...
to monitor creation of expensive VMs. The "tokens" array contains VM types that you can define and get alerts based on creation of them.
You can take examples of the array parameters from here: https://docs.microsoft.com/en-us/azure/virtual-machines/vm-naming-conventions or from the link that Clive_Watson sent.
1 Like
Reply