Azure Observability topics

Azure VMs host (platform) metrics (not guest metrics) to the log analytics workspace ?

roopesh_shetty — Thu, 09 Apr 2026 15:56:42 GMT

Hi Team,

Can some one help me how to send Azure VMs host (platform) metrics (not guest metrics) to the log analytics workspace ?

Earlier some years ago I used to do it, by clicking on “Diagnostic Settings”, but now if I go to “Diagnostic Settings” tab its asking me to enable guest level monitoring (guest level metrics I don’t want) and pointing to a Storage Account. I don’t see the option to send the these metrics to Log analytics workspace.

I have around 500 azure VMs whose host (platform) metrics (not guest metrics) I want to send it to the log analytics workspace.

Dependency Agent Alternatives

Cory_Matieyshen — Wed, 30 Jul 2025 19:21:45 GMT

Hello. The retirement notice for the Azure Dependency Agent (https://learn.microsoft.com/en-us/azure/azure-monitor/vm/vminsights-maps-retirement) recommends selecting an Azure Marketplace product as a replacement but is not specific about what product(s) offer similar functionality. Would appreciate more specific guidance and experiences from the wider community. Thanks.

Recent Logic Apps Failures with Defender ATP Steps – "TimeGenerated" No Longer Recognized

Trevax — Mon, 02 Jun 2025 12:34:19 GMT

Hi everyone,

I’ve recently encountered an issue with Logic Apps failing on Defender ATP steps. Requests containing the TimeGenerated parameter no longer work—the column seems to be unrecognized. My code hasn’t changed at all, and the same queries run successfully in Defender 365’s Advanced Hunting.

For example, this basic KQL query:

Now throws the error:
Failed to resolve column or scalar expression named 'TimeGenerated'. Fix semantic errors in your query.

Removing TimeGenerated makes the query work again, but this isn’t a viable solution. Notably, the identical query still functions in Defender 365’s Advanced Hunting UI.

This issue started affecting a Logic App that runs weekly—it worked on May 11th but failed on May 18th.

Questions:

Has there been a recent schema change or deprecation of TimeGenerated in Defender ATP's KQL for Logic Apps?
Is there an alternative column or syntax we should use now?
Are others experiencing this?

Any insights or workarounds would be greatly appreciated!

AKS Pod resource utilization (CPU/Memory) alert

Ashok42470 — Tue, 13 May 2025 06:58:59 GMT

Hi All,

I am trying to set up an alert for AKS pod CPU/Memory utilization alert when a max utilization hits certain threshold (let's say >95%). Sample query for CPU utilization.

let cpuusage = materialize(Perf
| where ObjectName == 'K8SContainer'
| where CounterName has 'cpuUsageNanoCores'
| extend ContainerNameParts = split(InstanceName, '/')
| extend ContainerNamePartCount = array_length(ContainerNameParts)
| extend
PodUIDIndex = ContainerNamePartCount - 2,
ContainerNameIndex = ContainerNamePartCount - 1
| extend ContainerName = strcat(ContainerNameParts[PodUIDIndex], '/', ContainerNameParts[ContainerNameIndex])
| summarize AggregatedValue=max(CounterValue) by bin(TimeGenerated, 15m), ContainerName
| project TimeGenerated, ContainerName, AggregatedValue
| join kind = inner (
KubePodInventory
| summarize arg_max(TimeGenerated, *) by ContainerName
| project Name, ContainerName, Namespace, ServiceName
)
on ContainerName
| project
TimeGenerated,
Name,
ServiceName,
ContainerName,
Namespace,
CPU_mCores_Usage=AggregatedValue / 1000000);
let cpurequest=materialize(Perf
| where ObjectName == 'K8SContainer'
| where CounterName == 'cpuRequestNanoCores'
| extend ContainerNameParts = split(InstanceName, '/')
| extend ContainerNamePartCount = array_length(ContainerNameParts)
| extend
PodUIDIndex = ContainerNamePartCount - 2,
ContainerNameIndex = ContainerNamePartCount - 1
| extend ContainerName = strcat(ContainerNameParts[PodUIDIndex], '/', ContainerNameParts[ContainerNameIndex])
| project ContainerName, CounterValue
| join kind = inner (KubePodInventory
//| summarize arg_max(TimeGenerated, 24h) by ContainerName, Name, Namespace
| project Name, ContainerName, Namespace
)
on ContainerName
| project Name, Namespace, ContainerName, CpuReq_in_mcores=(CounterValue / 1000000));
let cpulimits = materialize(Perf
| where ObjectName == 'K8SContainer'
| where CounterName == 'cpuLimitNanoCores'
| extend ContainerNameParts = split(InstanceName, '/')
| extend ContainerNamePartCount = array_length(ContainerNameParts)
| extend
PodUIDIndex = ContainerNamePartCount - 2,
ContainerNameIndex = ContainerNamePartCount - 1
| extend ContainerName = strcat(ContainerNameParts[PodUIDIndex], '/', ContainerNameParts[ContainerNameIndex])
| extend CpuNanoCoreLimit= CounterValue
| project ContainerName, CpuNanoCoreLimit
| join kind = inner (
KubePodInventory
| summarize arg_max(TimeGenerated, *) by ContainerName
| project Name, ContainerName, Namespace, ServiceName
)
on ContainerName
| project
Name,
ServiceName,
Namespace,
ContainerName,
CPU_mCores_Limit=CpuNanoCoreLimit / 1000000);
cpulimits
| join cpurequest on ContainerName
| join cpuusage on ContainerName
| order by Namespace asc, ContainerName asc
| extend CName = split(ContainerName, '/')
| extend PodName= Name
| extend Cpu_Perct_utilization=round((CPU_mCores_Usage / CPU_mCores_Limit) * 100, 2)
| project
TimeGenerated,
Namespace,
ServiceName,
PodName,
CPU_mCores_Usage,
CPU_mCores_Limit,
CpuReq_in_mcores,
Cpu_Perct_utilization
| sort by TimeGenerated desc

But just wanted to modify the query little bit, wanted to get an alert only when utilization hits maximum continuously 3 times within 30 minutes (by keeping frequency of evaluation 10 min). Please advise.

Getting empty response while running a kql query using rest api

Ashok42470 — Fri, 07 Mar 2025 10:48:56 GMT

Hello All,

Trying to run a KQL query using power via rest API by passing azure Entra app id and secret key. But we are getting empty response. Log analytics reader role is assigned on LA workspace and able to retrieve access token. When we try to run KQL query manually, we are seeing result. Below is sample snippet that i used, Not sure what is wrong with it? Any help would be highly appreciated.

$tenantId = <Tenant id>
$clientId = <azure entra application app id>
$clientSecret = < app secret key>

# Log Analytics Workspace details
$workspaceId = <workspace ID>

# Acquire a token
$body = @{
client_id = $clientId
scope = "https://api.loganalytics.io/.default"
client_secret = $clientSecret
grant_type = "client_credentials"
}

$query = "AppRequests | limit 10"

$uri = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
$response = Invoke-RestMethod -Uri $uri -Method Post -ContentType "application/x-www-form-urlencoded" -Body $body

$accessToken = $response.access_token

# Define the Log Analytics REST API endpoint
$baseUri = "https://api.loganalytics.io/v1/workspaces/$workspaceId/query"

# Set headers for the query
$headers = @{
Authorization = "Bearer $accessToken"
"Content-Type" = "application/json"
}

# Prepare the request body
$requestbody = @{
query = $query
} | ConvertTo-Json

# Send the request
$response = Invoke-RestMethod -Uri $baseUri -Method Post -Headers $headers -Body $requestbody -Debug

# Display the results
$response

Need assistance on KQL query for pulling AKS Pod logs

Ashok42470 — Thu, 20 Feb 2025 09:59:48 GMT

I am trying to pull historical pod logs using below kql query. Looks like joining the tables; containerlog and KubePodInventory didn't go well as i see lot of duplicates in the output.

ContainerLog
//| project TimeGenerated, ContainerID, LogEntry
| join kind= inner (
KubePodInventory
| where ServiceName == "<<servicename>>"
)
on ContainerID
| project TimeGenerated, Namespace, ContainerID, ServiceName, LogEntrySource, LogEntry, Name1
| sort by TimeGenerated asc

Can someone suggest a better query?

Sentinel Incident Priority Mapping to SIR

AmiShinu — Wed, 05 Feb 2025 19:58:21 GMT

Hi , we are working on implementing SIR module within our ServiceNow platform. And we have 5 level of priority within SIR (Critical, High, moderate, low, Planning) whereas sentinel has only 4 priorities (informational, Low, Medium, High). Interested to know how other organizations have handled and mapped these priorities. Thanks in advance.

Multiple Failed SignIn Events

AmiShinu — Thu, 30 Jan 2025 19:35:48 GMT

I've a user for whom within the last week I'm consistently seeing more than 100 failed login events from this authorized device. And these seems to be something running at the back-end as these logs are within 2/3 mins intervals. The error messages goes as "Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access the resource." Also, the application that shows interrupted are:

- Office Online Maker SSO
- Office Online Core SSO
Office365 Shell WCSS-Client
SharePoint Online Web Client Extensibility->Microsoft Graph

Anyone has any insights into addressing this issue. Thanks

Sentinel Threat Intelligence Detection Rule

AmiShinu — Wed, 29 Jan 2025 00:11:39 GMT

I'm working on connecting various Threat Intelligenece TAXII with our sentinel platform. Does anyone have suggestions on the kind of detection rules using KQL we can build around these TAXII's. Most of the come with IP's, URLS, domain and hash values. Thanks in advance.

Are you getting the most out of your Azure Log Analytics Workspace (LAW) investment?

Adeelaziz — Fri, 17 Jan 2025 14:40:39 GMT

Using a LAW is a great way to consolidate various types of data (performance, events, security, etc.) and signals from multiple sources. That's the easy part - mining this data for actionable insights is often the real challenge.

One way we did this was by surfacing events related to disks across our physical server estate. We were already sending event data to our LAW; it was just a matter of parsing it with KQL and adding to a Power Bi dashboard for additional visibility.

The snippet from the Power Bi dashboard shows when the alert was first triggered and when the disk was eventually replaced.

Here's the KQL query we came up with.

let start_time=ago(30d); let end_time=now(); Event | where TimeGenerated > start_time and TimeGenerated < end_time | where EventLog contains 'System' | where Source contains 'Storage Agents' | where RenderedDescription contains 'Drive Array Physical Drive Status Change' | parse kind=relaxed RenderedDescription with * 'Drive Array Physical Drive Status Change. The ' Drive ' with serial number ""' Serial '"", has a new status of ' Status '. (Drive status values:'* | project Computer, Drive, Serial, Status, TimeGenerated, EventLevelName

You can of course set up alerting with Alerts for Azure Monitor.

I hope this example helps you get more value from your LAW.

Effective Cloud Governance: Leveraging Azure Activity Logs with Power BI

Adeelaziz — Fri, 17 Jan 2025 14:38:11 GMT

We all generally accept that governance in the cloud is a continuous journey, not a destination. There's no one-size-fits-all solution and depending on the size of your Azure cloud estate, staying on top of things can be challenging even at the best of times.

One way of keeping your finger on the pulse is to closely monitor your Azure Activity Log. This log contains a wealth of information ranging from noise to interesting to actionable data. One could set up alerts for delete and update signals however, that can result in a flood of notifications.

To address this challenge, you could develop a Power Bi report, similar to this one, that pulls in the Azure Activity Log and allows you to group and summarize data by various dimensions. You still need someone to review the report regularly however consuming the data this way makes it a whole lot easier. This by no means replaces the need for setting up alerts for key signals, however it does give you a great view of what's happened in your environment.

If you're interested, this is the KQL query I'm using in Power Bi

let start_time = ago(24h); let end_time = now(); AzureActivity | where TimeGenerated > start_time and TimeGenerated < end_time | where OperationNameValue contains 'WRITE' or OperationNameValue contains 'DELETE' | project TimeGenerated, Properties_d.resource, ResourceGroup, OperationNameValue, Authorization_d.scope, Authorization_d.action, Caller, CallerIpAddress, ActivityStatusValue | order by TimeGenerated asc

Azure AD Powershell module logs in sentinel

AmiShinu — Mon, 13 Jan 2025 21:01:15 GMT

Hello Team, As a part of clean up activity, our SOC has been assigned a task to find list of regular users who are using Azure AD Powershell and what activities they're performing as we want that to be limited to only Admin account to manage azure resources.

I was able to find sign in activities for many users to "Azure Active Directory PowerShell" but I'm unable to find what activities they have performed using powershell. Looked under audit logs and other few tables. Can some one tell me under which table or what KQL can I run to see operations logs associated with Azure AD Powershell. Thank in advance.

How to Monitor New Management Group Creation and Deletion.

hemanthselva — Thu, 20 Feb 2025 17:41:07 GMT

I am writing this post to monitor new Management group creation and Deletion using Azure Activity Logs and Trigger Incident in Microsoft Sentinel. You can also use it to Monitor the Subscription Creation as well using this Step.

By default, the Dianostic settings for at the management group level is not enabled. It cannot be enabled using Azure Policy or from the Portal interface. Use the below article to enable the "Management Group Diagnostic Settings"

Management Group Diagnostic Settings - Create Or Update - REST API (Azure Monitor) | Microsoft Learn

Below is the screenshot of message body if you like to forward the logs only to the Log analytic workspace where sentinel is enabled. Also make sure you enable the Diagnostic settings at the tenant management group level to track all changes in your tenant.

{

"properties": {

"workspaceId": "<< replace with workspace resource ID>>",

"logs": [

{

"category": "Administrative",

"enabled": true

{

"category": "Policy",

"enabled": true

}

]

}

Once you have enabled the Diagnostic settings, you can use the below KQL query to monitor the New Management group creation and Deletion using Azure Activity Logs.

//KQL Query to Identify if Management group is deleted

AzureActivity

| where OperationNameValue == "MICROSOFT.MANAGEMENT/MANAGEMENTGROUPS/DELETE"

| where ActivityStatusValue == "Success"

| extend mg = split(tostring(Properties_d.entity),"/")

| project TimeGenerated, activityStatusValue_ = tostring(Properties_d.activityStatusValue), Managementgroup = mg[4], message_ = tostring(parse_json(Properties).message),

caller_ = tostring(Properties_d.caller)

//KQL Query to Identify if Management group is Created

AzureActivity

| where OperationNameValue == "MICROSOFT.MANAGEMENT/MANAGEMENTGROUPS/WRITE"

| where ActivityStatusValue == "Success"

| extend mg = split(tostring(Properties_d.entity),"/")

| project TimeGenerated, activityStatusValue_ = tostring(Properties_d.activityStatusValue), Managementgroup = mg[4], message_ = tostring(parse_json(Properties).message),

caller_ = tostring(Properties_d.caller)

This log can also be used to monitor the new subscription creation as well, using the below query

AzureActivity

| where OperationNameValue == "Microsoft.Management" and ActivityStatusValue == "Succeeded" and isnotempty(SubscriptionId)

If you need to trigger incident on sentinel, use the above query in your custom scheduled analytical rule and create alert.

Note: Enabling this API on the Mangement group diagnostic logs will also be inherited by the subscriptions downstream on the specific category.

Integrate Threat Intelligence with Sentinel that have no API

AmiShinu — Fri, 10 Jan 2025 22:31:23 GMT

We receive threat intelligence from a 3rd party vendor through a CSV file to our shared mailbox. As they do not have any API, wondering if there is a way we can automate and have that feeds populate in Sentinel rather than manually entering each IOC's.

Hold user reported Emails to see if later they become malicious.

AmiShinu — Fri, 10 Jan 2025 22:21:28 GMT

Hello Team,

Our Security Operations Center has identified a phishing report from a user. We activated email notifications for users to receive updates from Microsoft about the investigation results. In this case, the user was initially informed that the email was safe, but soon after they received another similar email from the same malicious sender, which was quarantined by ZAP. And after this ZAP went back and quarantined the initial email too.

Even though ZAP and Safe Links continuously re-evaluate emails post-delivery, it's concerning that initially the report came as clean and later it was quarantined based on the investigation done on another email. I would like to know if there are additional measures we can take to detect emails that may turn malicious after delivery, aside from ZAP.

Also, can we implement a mechanism to hold reported emails for 2-3 hours to see if later it becomes malicious and until we assess their safety, preventing users from receiving a false safe notification and later you see ZAP quarantines them? Thanks in advance.

Question about "anomalous token" alert

AmiShinu — Thu, 09 Jan 2025 20:51:22 GMT

Hi Everyone,

I am a security analyst working with Sentinel, and every now and again we get the alert "Anomalous token involving one user". "This detection indicates that there are abnormal characteristics in the token such as an unusual token lifetime or a token that is played from an unfamiliar location. This detection covers Session Tokens and Refresh Tokens."

I need to understand more about this. I know that malicious actors can possibly spoof these tokens, and abuse them.But I literally have no idea where else to go from here. There's very little support online with regards to further mitigations.

So just wondering if anyone deals with these and what the protocol is at your business? And any controls we can implement to limit such alerts.

Azure Monitor AMA Migration helper workbook question for subscriptions with AKS clusters

KristofferAxelssonACC — Tue, 07 Jan 2025 12:17:57 GMT

Hi,

In an ongoing project, I've been looking into helping a customer updating their agents from the Microsoft Monitoring Agent (MMA) to the new Azure Monitoring Agent (AMA) that consolidates installation and the previous Log Analytics agent, Telegraf agent, diagnostics extension in Azure Event Hubs, Storage etc., and then configure Data Collection Rules (DCRs) to collect data using the new agent.

One of the first steps is of course to identify which resources are affected and that needs to be migrated. There are multiple tools to identify the resources such as this PowerShell script as well as the built-in AMA Migration workbook in Azure Monitor, which is what I used as the initial option at the start of the AMA migration process.

When running the notebook, it will list all VMs, VMSSs etc. in the subscription that do not have the AMA agent installed, e.g., through an Azure Policy or automatically by having configured a DCR, or that do have the old MMA installed, and thus needs to be migrated.

In Azure, Azure Kubernetes Services (AKS), as Kubernetes is a rather specific hosting service, almost like its own mini-ecosystem in regard to networking, storage, scaling etc., enables access and control of the underlying infrastructure composing the cluster created by the AKS and its master node, providing the potential fine-grain and granular control of these resources for IT administrators, power users etc. However, in most typical use cases the underlying AKS infrastructure resources should not be modified as it could break configured SLOs.

When running the Azure Monitor built-in AMA migration workbook, it includes all resources by default that do not have the AMA installed already, no matter what type of resource it is, including potential underlying cluster infrastructure resources created by AKS in the "MC_" resource group(s), such as virtual machine scale sets handling the creation and scaling of nodes and node pools of an AKS cluster. Perhaps the underlying AKS infrastructure resources could be excluded from the AMA migration results of the Azure Monitor workbook by default, or if underlying non-AMA migrated AKS infrastructure resources are found, perhaps accompanied with a text describing potential remediation steps for AMA agent migration for AKS cluster infrastructure resources. Has anyone encountered the same issue and if so how did you work around it? Would be great to hear some input and if there's already some readily available solutions/workaround out there already (if not, I've been thinking perhaps making a proposed PR here with a filter and exclusion added to the default workbook e.g. here https://github.com/microsoft/AzureMonitorCommunity/tree/master/Azure%20Services/Azure%20Monitor/Agents/Migration%20Tools/Migration%20Helper%20Workbook). Thanks!

Behavior when Batch Send Failed

btsui — Mon, 30 Dec 2024 21:00:27 GMT

Hi All,

I am looking to send messages in batches to both Log Analytics and Event Hub services. My solution requires that the sent batches be all-or-none, meaning either all messages are sent successfully, or all messages are dropped in case of failure.

Could you please clarify how Log Analytics and Event Hub handle failures during batch sends?

Symantec software Disabling Recovery Mode during installations

AmiShinu — Wed, 18 Dec 2024 21:38:54 GMT

Security team have been often receiving alert that during the installation of Symantec Encryption Desktop, Windows is using bcdedit.exec to modify the boot configuration, where its disabling windows default system recovery.
It might be an expected behavior to ensure no one can bypass the encryption at boot time and It could be a Defense Mechanism. As we're receiving lots of alerts on this, we want to get to the root cause and ensure this is an expected behavior. That way we can have it documented and fine tune our detection.

Does any one know if it it would interact with system boot configuration and any mention of bcdedit tasks being used during installation.

Command Line: "cmd.exe" /c schtasks.exe /Create /RU %USERNAME% /SC DAILY /TN runBCDEDIT /RL HIGHEST /TR "bcdedit.exe /set recoveryenabled No " & schtasks.exe /run /TN runBCDEDIT & schtasks.exe /Delete /TN runBCDEDIT /F & schtasks.exe /Delete /TN "runBCDEDIT" /F

Has anyone integrated VISA Threat Intelligence with Sentinel or any SIEM.

AmiShinu — Fri, 13 Dec 2024 20:04:18 GMT

I'm looking to integrate threat intelligence from VISA into Microsoft Sentinel directly and automate the ingestion process. Anyone in the community integrated VISA's threat intelligence platform with their SIEM solution? Thanks in advance!!