Monitoring & Alerts
Log Analytics Workspace
Every deployment creates a Log Analytics workspace with cost-conscious defaults. Note that once the daily cap is reached, further ingestion for that day is discarded rather than queued, so size the cap against the diagnostic sources listed below.
| Setting | Value |
|---|---|
| Name | log-smbrf-smb-{region} |
| SKU | PerGB2018 |
| Daily Cap | 500 MB |
| Retention | 30 days |
| Resource Group | rg-monitor-smb-{region} |
Automation Account
An Automation Account (aa-smbrf-smb-{region}) is linked to the Log Analytics workspace with a SystemAssigned managed identity. Use it for operational runbooks such as:
- Automated VM patching schedules
- Custom compliance reporting
- Resource cleanup scripts
Key KQL Queries
Firewall Denied Traffic

```kql
AzureDiagnostics
| where Category == "AzureFirewallNetworkRule"
| where msg_s contains "Deny"
| where TimeGenerated > ago(1h)
| summarize DeniedCount = count() by bin(TimeGenerated, 5m), SourceIP = extract(@"(\d+\.\d+\.\d+\.\d+)", 1, msg_s)
| order by TimeGenerated desc
```

NSG Flow Analysis

```kql
AzureNetworkAnalytics_CL
| where TimeGenerated > ago(24h)
| where FlowStatus_s == "D" // Denied
| summarize Count = count() by DestPort_d, DestIP_s
| order by Count desc
| take 20
```

Resource Health Overview

```kql
AzureDiagnostics
| where TimeGenerated > ago(24h)
| where Level == "Error"
| summarize ErrorCount = count() by ResourceType, Resource
| order by ErrorCount desc
```

Backup Job Status

```kql
AzureDiagnostics
| where Category == "AzureBackupReport"
| where TimeGenerated > ago(7d)
| project TimeGenerated, OperationName, ResultType, Resource
| order by TimeGenerated desc
```

Budget Alerts
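To make the filter, extract, bin and summarize steps of the Firewall Denied Traffic and NSG Flow Analysis queries concrete, here is an added Python example (not part of this project) that reproduces both queries over constructed AzureDiagnostics-style and AzureNetworkAnalytics_CL-style rows. The rows, the fixed reference time standing in for KQL's `now()`, and the `firewall_denied` / `nsg_denied_top` function names are assumptions made for the example; the column names and regex are the ones used in the queries above.

```python
"""Local emulation of the two KQL queries above, run against constructed sample rows."""
from collections import Counter
from datetime import datetime, timedelta, timezone
import re

# Constructed reference time standing in for KQL's now(); not real log data.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
# Same capture pattern the firewall query passes to extract().
IPV4 = re.compile(r"(\d+\.\d+\.\d+\.\d+)")


def bin_time(ts, minutes=5):
    """Equivalent of KQL bin(TimeGenerated, 5m): floor to a 5-minute boundary."""
    step = minutes * 60
    epoch = ts.timestamp()
    return datetime.fromtimestamp(epoch - epoch % step, tz=timezone.utc)


def firewall_denied(rows, now=NOW, window=timedelta(hours=1)):
    """'Firewall Denied Traffic': network-rule rows containing "Deny" within the
    window, counted per 5-minute bin and source IP, newest bin first.
    Returns [(bin_start, source_ip, denied_count), ...]."""
    counts = Counter()
    for r in rows:
        if r["Category"] != "AzureFirewallNetworkRule":
            continue
        if "Deny" not in r["msg_s"] or r["TimeGenerated"] <= now - window:
            continue
        m = IPV4.search(r["msg_s"])          # extract(@"(\d+\.\d+\.\d+\.\d+)", 1, msg_s)
        src = m.group(1) if m else None      # KQL extract() yields null when nothing matches
        counts[(bin_time(r["TimeGenerated"]), src)] += 1
    # order by TimeGenerated desc (the bin keeps the TimeGenerated column name)
    return sorted(((b, ip, n) for (b, ip), n in counts.items()),
                  key=lambda t: t[0], reverse=True)


def nsg_denied_top(rows, now=NOW, window=timedelta(hours=24), take=20):
    """'NSG Flow Analysis': denied flows (FlowStatus_s == "D") within the window,
    counted per destination port and IP, highest count first, then take N.
    Ties are broken by port and IP so the result is deterministic; KQL's
    order by leaves tie order unspecified."""
    counts = Counter()
    for r in rows:
        if r["FlowStatus_s"] == "D" and r["TimeGenerated"] > now - window:
            counts[(r["DestPort_d"], r["DestIP_s"])] += 1
    ranked = sorted(((p, ip, n) for (p, ip), n in counts.items()),
                    key=lambda t: (-t[2], t[0], t[1]))
    return ranked[:take]


# Constructed AzureDiagnostics-style rows; the last two are deliberately excluded
# by the query (one is older than ago(1h), one is an application-rule row).
FIREWALL_ROWS = [
    {"TimeGenerated": NOW - timedelta(minutes=3), "Category": "AzureFirewallNetworkRule",
     "msg_s": "TCP request from 10.1.2.3:51000 to 203.0.113.5:22. Action: Deny."},
    {"TimeGenerated": NOW - timedelta(minutes=4), "Category": "AzureFirewallNetworkRule",
     "msg_s": "TCP request from 10.1.2.3:51001 to 203.0.113.5:23. Action: Deny."},
    {"TimeGenerated": NOW - timedelta(minutes=20), "Category": "AzureFirewallNetworkRule",
     "msg_s": "TCP request from 10.1.2.9:4000 to 203.0.113.7:443. Action: Allow."},
    {"TimeGenerated": NOW - timedelta(minutes=40), "Category": "AzureFirewallNetworkRule",
     "msg_s": "UDP request from 10.1.2.4:53 to 198.51.100.1:53. Action: Deny."},
    {"TimeGenerated": NOW - timedelta(hours=3), "Category": "AzureFirewallNetworkRule",
     "msg_s": "TCP request from 10.1.2.3:51002 to 203.0.113.5:22. Action: Deny."},
    {"TimeGenerated": NOW - timedelta(minutes=2), "Category": "AzureFirewallApplicationRule",
     "msg_s": "HTTPS request from 10.1.2.3:51003. Action: Deny."},
]

# Constructed AzureNetworkAnalytics_CL-style rows; the 445 row is older than ago(24h).
NSG_ROWS = [
    {"TimeGenerated": NOW - timedelta(hours=1), "FlowStatus_s": "D", "DestPort_d": 3389, "DestIP_s": "192.0.2.10"},
    {"TimeGenerated": NOW - timedelta(hours=2), "FlowStatus_s": "D", "DestPort_d": 3389, "DestIP_s": "192.0.2.10"},
    {"TimeGenerated": NOW - timedelta(hours=5), "FlowStatus_s": "D", "DestPort_d": 3389, "DestIP_s": "192.0.2.10"},
    {"TimeGenerated": NOW - timedelta(hours=1), "FlowStatus_s": "D", "DestPort_d": 22, "DestIP_s": "192.0.2.10"},
    {"TimeGenerated": NOW - timedelta(hours=6), "FlowStatus_s": "D", "DestPort_d": 22, "DestIP_s": "192.0.2.10"},
    {"TimeGenerated": NOW - timedelta(hours=1), "FlowStatus_s": "A", "DestPort_d": 443, "DestIP_s": "192.0.2.10"},
    {"TimeGenerated": NOW - timedelta(hours=30), "FlowStatus_s": "D", "DestPort_d": 445, "DestIP_s": "192.0.2.11"},
]

if __name__ == "__main__":
    for b, ip, n in firewall_denied(FIREWALL_ROWS):
        print(f"{b:%H:%M}  {ip:<12} DeniedCount={n}")
    for port, ip, n in nsg_denied_top(NSG_ROWS):
        print(f"port {port:<5} {ip:<12} Count={n}")
```

Running it with the sample rows gives two firewall bins (11:55 with two denies from 10.1.2.3, 11:20 with one from 10.1.2.4) and two NSG entries (3389 and 22 on 192.0.2.10). Useful checks before trusting a scheduled alert built on either query: a row whose `msg_s` carries no IPv4 literal lands in a null SourceIP bucket rather than disappearing, and events that arrive after the workspace's daily cap has been hit never reach the table at all.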
A $500/month consumption budget is deployed at subscription scope with these notifications:
| Threshold | Type | Action |
|---|---|---|
| 80% ($400) | Forecast | Email to subscription owner |
| 100% ($500) | Actual | Email to subscription owner |
| 110% ($550) | Actual | Email to subscription owner |
Defender for Cloud
Defender is configured at the Free tier (CSPM basics only):
| Pricing Plan | Tier | Cost |
|---|---|---|
| VirtualMachines | Free | $0 |
| StorageAccounts | Free | $0 |
| KeyVaults | Free | $0 |
| Arm | Free | $0 |
To enable advanced threat protection, upgrade to Defender for Servers Plan 2 (+$15/VM/month).
Diagnostic Settings
Key resources have diagnostic settings configured to send logs to the Log Analytics workspace:
- Key Vault: Audit events, metrics
- Automation Account: Job logs, DSC logs
- Azure Firewall: Network rules, application rules (when deployed)
Additional resources (VNets, NSGs, storage) rely on Azure Policy (smb-monitoring-01) to audit for missing diagnostic settings.