How to Create a Log Analytics workspace for Microsoft Defender for Cloud

Introduction

Centralized logging and analysis of security data are essential for effective threat detection and response in cloud environments. Azure provides a powerful tool called Log Analytics workspace that enables organizations to collect, analyze, and monitor data from various sources. In this training module, we will explore how to utilize Azure to create a Log Analytics workspace specifically for Microsoft Defender for Cloud, a comprehensive security solution for cloud environments.

Scenario

Imagine you are a security analyst for a large enterprise that utilizes Microsoft Defender for Cloud to monitor and protect their Azure environment. To enhance your security operations, you need to set up a centralized logging solution using Azure Log Analytics workspace specifically for Microsoft Defender for Cloud.

Learning Objectives

By the end of this training module, participants will:

  1. Understand the importance of a centralized logging solution like Azure Log Analytics workspace for Microsoft Defender for Cloud.
  2. Learn how to create and configure a Log Analytics workspace in Azure.
  3. Gain insights into collecting and analyzing security data from Microsoft Defender for Cloud within the Log Analytics workspace.
  4. Understand how to create custom queries and alerts to proactively detect security threats and incidents.
  5. Recognize the benefits of integrating Log Analytics workspace with other Azure services and tools.

Goals

  • Enable participants to create a dedicated Log Analytics workspace for Microsoft Defender for Cloud in Azure.
  • Enhance participants’ understanding of the capabilities and benefits of a centralized logging solution.
  • Provide participants with hands-on experience in configuring and managing Log Analytics workspace.
  • Empower participants to effectively collect, analyze, and monitor security data from Microsoft Defender for Cloud.
  • Improve participants’ ability to proactively detect and respond to security threats by leveraging custom queries and alerts.
  • Highlight the advantages of integrating Log Analytics workspace with other Azure services and tools for comprehensive security operations.

Defender for Cloud monitoring components

A Log Analytics workspace is a unique environment for log data from Azure Monitor and other Azure services, such as Microsoft Sentinel and Microsoft Defender for Cloud. Each workspace has its own data repository and configuration but might combine data from multiple services.

You might see the term Microsoft Sentinel workspace used in Microsoft Sentinel documentation. This workspace is the same Log Analytics workspace described in this module, but it’s enabled for Microsoft Sentinel.

You can use a single workspace for all your data collection. You can also create multiple workspaces based on requirements such as:

  • The geographic location of the data.
  • Access rights that define which users can access data.
  • Configuration settings like pricing tiers and data retention.

Data structure

Each workspace contains multiple tables that are organized into separate columns with multiple rows of data. Each table is defined by a unique set of columns. Rows of data provided by the data source share those columns. Log queries define columns of data to retrieve and provide output to different features of Azure Monitor and other services that use workspaces.

Table names are used for billing purposes, so they should not contain sensitive information.

Cost

There’s no direct cost for creating or maintaining a workspace. You’re charged for the data sent to it, which is also known as data ingestion. You’re charged for how long that data is stored, which is otherwise known as data retention. These costs might vary based on the log data plan of each table, as described in Log data plan.

Workspace transformation DCR

Data collection rules (DCRs) that define data coming into Azure Monitor can include transformations that allow you to filter and transform data before it’s ingested into the workspace. Because not all data sources support DCRs yet, each workspace can have a workspace transformation DCR.

Transformations in the workspace transformation DCR are defined for each table in a workspace and apply to all data sent to that table, even if sent from multiple sources. These transformations only apply to workflows that don’t already use a DCR. For example, Azure Monitor agent uses a DCR to define data collected from virtual machines. This data won’t be subject to any ingestion-time transformations defined in the workspace.

For example, you might have diagnostic settings that send resource logs for different Azure resources to your workspace. You can create a transformation for the table that collects the resource logs that filters this data for only records that you want. This method saves you the ingestion cost for records you don’t need. You might also want to extract important data from certain columns and store it in other columns in the workspace to support simpler queries.

Data retention and archive

Data in each table in a Log Analytics workspace is retained for a specified period of time after which it’s either removed or archived with a reduced retention fee. Set the retention time to balance your requirement for having data available with reducing your cost for data retention.

To access archived data, you must first retrieve it into an Analytics Logs table by using one of the following methods:

  • Search jobs: Retrieve data matching particular criteria.
  • Restore: Retrieve data from a particular time range.

Permissions

Permission to access data in a Log Analytics workspace is defined by the access control mode, which is a setting on each workspace. You can give users explicit access to the workspace by using a built-in or custom role. Or, you can allow access to data collected for Azure resources to users with access to those resources.

Exercise – Create a workspace

In this lab, you learn how to create a Log Analytics workspace to collect data from Azure resources in your subscription, on-premises computers monitored by System Center Operations Manager, device collections from Configuration Manager, and diagnostics or log data from Azure Storage.
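The exercise above creates the workspace in the portal; the Bicep template below is an added example (not from this module or from Microsoft's documentation) that creates such a workspace, sets the access control mode described under Permissions, gives the SecurityAlert table an archive period, and attaches a workspace transformation DCR that filters the AzureActivity table at ingestion time. The workspace and DCR names, region, retention values, the two table choices and the "Start" status value are assumptions chosen for this example.

```bicep
// Added example, not the module's own code: workspace + per-table archive
// retention + workspace transformation DCR. Names/values are placeholders.
param location string = resourceGroup().location
param workspaceName string = 'law-defender-demo'
param dcrName string = 'dcr-${workspaceName}-transform'
param linkTransformDcr bool = false

resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
  name: workspaceName
  location: location
  properties: {
    sku: { name: 'PerGB2018' }
    retentionInDays: 90   // default interactive retention for every table
    features: {
      // Access control mode "use resource or workspace permissions"
      enableLogAccessUsingOnlyResourcePermissions: true
    }
    // resourceId() creates no deployment dependency, so this is not a cycle
    defaultDataCollectionRuleResourceId: linkTransformDcr ? resourceId('Microsoft.Insights/dataCollectionRules', dcrName) : null
  }
}
// SecurityAlert: 90 days interactive, archived until day 365 (search job/restore)
resource alertTable 'Microsoft.OperationalInsights/workspaces/tables@2022-10-01' = {
  parent: workspace
  name: 'SecurityAlert'
  properties: {
    retentionInDays: 90
    totalRetentionInDays: 365
  }
}
// Applies to all AzureActivity records from sources without their own DCR
resource transformDcr 'Microsoft.Insights/dataCollectionRules@2022-06-01' = {
  name: dcrName
  location: location
  kind: 'WorkspaceTransforms'
  properties: {
    destinations: {
      logAnalytics: [ { workspaceResourceId: workspace.id, name: 'law' } ]
    }
    dataFlows: [
      {
        streams: [ 'Microsoft-Table-AzureActivity' ]
        destinations: [ 'law' ]
        // Drop the "Start" record that precedes each operation's final
        // "Success"/"Failure" record; verify the value against your data.
        transformKql: 'source | where ActivityStatusValue != "Start"'
      }
    ]
  }
}
```

Deploy it twice with az deployment group create: first with linkTransformDcr=false so the workspace and the DCR exist, then with linkTransformDcr=true to set the DCR as the workspace's transformation rule.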

Knowledge check

Choose the best response for each question. Then select Check your answers.

Check your knowledge

1. What is the purpose of creating a Log Analytics workspace for Microsoft Defender for Cloud?

To store and analyze security logs and telemetry data

To manage virtual machine resources in Azure

To deploy and manage virtual networks in Azure

2. Which service is used to create a Log Analytics workspace in Azure?

Defender for Cloud

Azure Log Analytics

Azure Monitor

3. What type of data can be collected and analyzed in a Log Analytics workspace?

Virtual machine performance metrics

Security event logs

Application code repositories

4. How can organizations access and query data stored in a Log Analytics workspace?

Through the Azure portal only

Using the Log Analytics Query Language (KQL)

By exporting data to external storage
