You manage an Azure subscription that contains multiple Azure Virtual Machines (VMs). You enable diagnostics settings on all Azure VMs and configure a Log Analytics workspace as the diagnostics destination.
Your company asks you to generate a security report to:
1. Identify which users deleted Azure VMs up to four weeks ago.
2. List security events on Azure VMs that run Windows Server 2016.
You need to implement the security report.
What should you use?
You should use the Activity log to identify which users deleted Azure VMs up to four weeks ago. Activity logs provide insight into operations that were performed on resources in your Azure subscription, enabling you to determine which user deleted a VM and other actions. Azure stores Activity logs by default for 90 days. For longer retention, you can archive the Activity logs in a Storage account or send them to a Log Analytics workspace.
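As an added illustration (not part of the original question or answer), the following KQL query shows how the first report item can be produced once the Activity log is routed to the Log Analytics workspace. It assumes the AzureActivity table in its current schema (OperationNameValue and ActivityStatusValue columns); the four-week window is well inside the default 90-day retention mentioned above.

```kusto
// Added example: who deleted VMs in the last four weeks, from the Activity log
// exported to Log Analytics. Assumes the AzureActivity table (current schema).
AzureActivity
| where TimeGenerated > ago(28d)
// Delete operations on the VM resource type; the operation name is upper-cased in this table
| where OperationNameValue =~ "MICROSOFT.COMPUTE/VIRTUALMACHINES/DELETE"
// Each operation logs several status rows; keep only completed deletions
// (the status string differs between schema versions, so accept both spellings)
| where ActivityStatusValue in~ ("Success", "Succeeded")
| project TimeGenerated, Caller, CallerIpAddress, ResourceGroup,
          VmResourceId = _ResourceId, CorrelationId
| order by TimeGenerated desc
```

Caller is the user principal name or service principal id that issued the delete; CorrelationId links the Start and Success rows of the same operation if the full sequence needs to be reconstructed.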
You should use a Log Analytics query to list security events on Azure VMs that run Windows Server 2016. Azure Monitor collects logs from a variety of sources and consolidates the data in a Log Analytics workspace, including the security events that the diagnostics settings collect from all Azure VMs. You can use a Log Analytics query to select these security events and filter them to the VMs running Windows Server 2016.
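As an added example for the second report item (again not from the original answer), this KQL query filters Windows security events to hosts identified as Windows Server 2016. It assumes the agent populates the SecurityEvent table with the collected security events and that the Heartbeat table's OSName column carries the OS edition string, which is used here to pick out the 2016 hosts; the EventID list is an illustrative set chosen for this example, not one prescribed by the question.

```kusto
// Added example: security events from VMs running Windows Server 2016.
// Assumes SecurityEvent holds the collected Windows Security log and that
// Heartbeat.OSName contains the edition string (e.g. "... Windows Server 2016 ...").
let win2016 =
    Heartbeat
    | where TimeGenerated > ago(1d)
    | where OSType == "Windows" and OSName has "Windows Server 2016"
    // one row per host: its most recent heartbeat
    | summarize arg_max(TimeGenerated, *) by Computer
    | project Computer, OSName;
SecurityEvent
| where TimeGenerated > ago(7d)
// keep only events from the 2016 hosts found above
| join kind=inner win2016 on Computer
// illustrative event set: failed logon, account created, member added to local group, process creation
| where EventID in (4625, 4720, 4732, 4688)
| summarize Count = count(), LastSeen = max(TimeGenerated)
          by Computer, OSName, EventID, Activity
| order by Count desc
```

Dropping the EventID filter returns every collected security event for those hosts; the join on Computer is what restricts the output to Windows Server 2016, since SecurityEvent itself does not record the OS version.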
You should not use Azure Monitor Metrics. You can use metrics to monitor particular aspects of a resource, like CPU usage, disk operations per second, and network usage for an Azure VM. Metrics are represented by a numerical value over time.
You should not use Service Health. You can use Service Health to monitor the health of Azure services in a region and be notified about ongoing service issues, planned maintenance, or region outages.