SOLVED

Regarding performance impact with Azure sentinel


Hi Team,

 

Is there any performance impact that has been captured with Azure Sentinel deployment/usage? My team has been asked the same by our client and we couldn't find any studies or data to answer it.

 

I appreciate any help or pointers to get the answer.

 

Regards,

CJ


@CJoshi I'm not sure there is data concerning that, but what areas of performance are you interested in hearing more about? The client? Data Connectors? KQL processing? etc.

@rodtrent Thanks mate for getting back so quickly. Honestly, wherever possible; as it is a managed service, we understand that it analyzes the data which is stored in the workspace. But the question is where can we expect performance challenges, will it be on the clients? I understand and saw a few articles on Kusto logging being memory-intensive, but I'm not sure whether it will play a part in a managed resource instance or not. We will be analyzing the data from 120 VMs and using Kusto queries. I'm not sure if we will pursue the path of SOAR in phase 1, so the performance during phase 1 will be pivotal. Phase 1 is all about collecting data from the 120 VMs, accumulating it in a workspace and later querying it via Kusto.

 

@CJoshi Just from the KQL view alone, realize that this query language was developed to be performant against large datasets. There are ways to improve performance by honing queries and developing queries that produce very specific data instead of showing all results, but at its base, KQL was built to be less process intensive. If a query takes longer than 10-20 seconds to run (most take much less time than that), you might need to look at reworking the query.

 

Are the VMs you are working with on-premises or running in Azure?
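As an added illustration of the point above about narrowing queries (example KQL written for this thread, not from the original reply), a broad query beside a narrowed one over the same Log Analytics table; the table and column names are the standard Sentinel/Log Analytics ones, while the one-hour window, the event filter and the "prod-" host prefix are assumed values:

```kql
// Broad form: scans the whole default time range, matches loosely on the
// host name and returns every column of every matching row.
SecurityEvent
| where Computer contains "vm"

// Narrowed form: restrict the scanned time range first, then pick the one
// event of interest, then aggregate so only a small result set leaves the
// workspace. Same table, same data, far less work for the query engine.
SecurityEvent
| where TimeGenerated > ago(1h)            // time filter first (assumed window)
| where EventID == 4625                    // failed logon events only (assumed filter)
| where Computer startswith "prod-"        // assumed naming convention for the VMs
| summarize FailedLogons = count(),
            LastSeen = max(TimeGenerated) by Computer, Account
| top 20 by FailedLogons desc

// Coverage check for the collection phase: which attached VMs have stopped
// sending heartbeats in the last 15 minutes (assumed threshold).
Heartbeat
| where TimeGenerated > ago(24h)
| summarize LastHeartbeat = max(TimeGenerated) by Computer
| where LastHeartbeat < ago(15m)
```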

It's all Azure VMs that we will be targeting to check the compliance requirement. I'm hoping the queries won't be trouble then, as we don't have too many to write to fetch the data.

best response confirmed by CJoshi (New Contributor)
Solution

@CJoshi That's awesome. You're good, then. The agent that gets installed once you attach the VMs to the Log Analytics workspace is also very good for performance.

 

I have customers that run the agent on all their on-premises workstations and servers and never see any performance problems. This is ultimately not a best practice, but some require it for reporting reasons.

 

Feel free to reach out if you find any performance issues you might need help resolving. I'd be very interested to know if you do find something that has not been uncovered in my experience with it.

Thanks for simplifying it. I will get back to you if I get stuck.

Cheers,
CJ