AZ-500 Microsoft Azure Security Technologies Exam

Are you a guardian of your domain? Learn how to leverage your aptitude in security to protect Microsoft Azure technologies, with a goal of earning the Microsoft Certified: Azure Security Engineer Associate certification!

Configure security monitoring for Azure Container Instances

Configure Diagnostic Settings and Custom Alerts

Enabling a diagnostic setting on an Azure Container Instances container group lets you send both ContainerInstanceLogs and ContainerInstanceMetrics to a Log Analytics workspace. The setting is configured per container group and captures the stdout and stderr of each container plus resource metrics such as CPU and memory usage. The same setting can also stream to a storage account for long-term retention or to an Event Hub for forwarding to a SIEM. Put this in place before you need it: ACI keeps container logs only for as long as the container group exists, so a container that is compromised or crashes without a diagnostic setting leaves no record once the group is deleted.

Once diagnostic settings are active, a data collection rule (DCR) can route and transform the logs before they are stored. A workspace transformation is a KQL statement that runs at ingestion time; use it to drop noisy categories or columns and keep the data that matters for security. That lowers storage cost and keeps queries focused: for instance, you might retain only lines tied to authentication failures or unexpected restarts. Be deliberate, though: a line dropped by a transformation is never stored, so it is unavailable for any later investigation, and the filter should be broad enough to keep the context an analyst would need.

To detect anomalies or malicious behavior, write Kusto Query Language (KQL) queries against the container log tables. Such queries look for patterns like repeated login failures or containers that exit unexpectedly, and scheduling them turns a one-off search into continuous monitoring without manual checks. Typical query targets include:

  • Repeated container restarts or unexpected exits
  • Unauthorized access attempts
  • High CPU or memory usage spikes

After you define queries, set up scheduled query rules and metric alerts for proactive incident response. A scheduled query rule runs a KQL query at a set interval over a lookback window and fires when the result meets a threshold (for example, more than three restarts of one container group in 15 minutes); because log data arrives with ingestion latency, expect a delay of several minutes between the event and the alert. Metric alerts evaluate live platform metrics, such as CPU or memory usage, and can target one or several container groups; they react faster than log alerts and are the better fit for plain thresholds. Connect both kinds of alert to action groups, which notify teams by email or SMS or trigger automated workflows such as a webhook, a Logic App, or an Azure Function.
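The queries below are an added example and are not part of the course page or of any Microsoft sample: they show, in KQL, the transformation and detection steps of the procedure above, and go slightly beyond the text by redacting bearer tokens at ingestion, which is a common way credentials leak through stdout. Everything specific to the workspace is an assumption: the table names ContainerInstanceLog_CL and ContainerEvent_CL and their columns (ContainerGroup_s, ContainerName_s, Message, Reason_s, Count_d), the Reason_s value "Started", the log phrases matched, the metric names CpuUsage and MemoryUsage, and the thresholds (3 starts in 15 minutes, 5 failures in 10 minutes, 900 millicores). Check each against your own workspace schema before creating rules. The block contains four separate queries; run or paste each on its own.

```kusto
// ---------- 1. Workspace transformation for ContainerInstanceLog_CL ----------
// Attached to the table through a data collection rule; runs once per incoming batch,
// where 'source' is the batch. Keeps only security-relevant lines and redacts bearer
// tokens so a chatty app cannot leak credentials into the workspace (assumed column
// names: TimeGenerated, ContainerGroup_s, ContainerName_s, Message).
source
| where Message has_any ("authentication failed", "permission denied", "unauthorized",
                         "invalid token", "exited with code")
| extend Message = replace_regex(Message, @"Bearer\s+[A-Za-z0-9._~+/=-]+", "Bearer <redacted>")
| project TimeGenerated, ContainerGroup_s, ContainerName_s, Message

// ---------- 2. Repeated restarts (scheduled query rule) ----------
// Assumed: ContainerEvent_CL records lifecycle events with Reason_s and Count_d.
// A container started more than three times in 15 minutes is crash-looping or being
// killed and restarted. Rule settings: evaluate every 5 min, window 15 min, fire when
// the query returns rows, split by ContainerGroup_s so each group alerts on its own.
ContainerEvent_CL
| where TimeGenerated > ago(15m)
| where Reason_s == "Started"                       // assumed event value
| summarize Starts = sum(Count_d),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
          by ContainerGroup_s, ContainerName_s
| where Starts > 3
| project ContainerGroup_s, ContainerName_s, Starts, FirstSeen, LastSeen

// ---------- 3. Unauthorized access attempts (scheduled query rule) ----------
// Matches the same phrases the transformation kept, pulls an IPv4 source address out
// of the line when the application logs one, and counts failures per source. Five or
// more from a single source in 10 minutes reads as brute force, not a user typo.
ContainerInstanceLog_CL
| where TimeGenerated > ago(10m)
| where Message has_any ("authentication failed", "permission denied", "unauthorized",
                         "invalid token")
| extend SourceIp = extract(@"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})", 1, Message)
| summarize Failures = count(), Samples = make_set(Message, 3)
          by ContainerGroup_s, ContainerName_s, SourceIp
| where Failures >= 5
| order by Failures desc

// ---------- 4. Resource spikes from streamed metrics ----------
// Populated only when the diagnostic setting also streams metrics. Assumed metric
// names CpuUsage (millicores) and MemoryUsage (bytes); 900 millicores is 90% of a
// one-core container. For a plain threshold a metric alert on the container group is
// simpler and faster; this log form is useful when you want to join against log lines.
AzureMetrics
| where TimeGenerated > ago(5m)
| where ResourceProvider =~ "microsoft.containerinstance"
| where MetricName in ("CpuUsage", "MemoryUsage")
| summarize Peak = max(Maximum) by Resource, MetricName
| where (MetricName == "CpuUsage" and Peak > 900)
     or (MetricName == "MemoryUsage" and Peak > 1.5 * 1024 * 1024 * 1024)
```

Queries 2 and 3 are written to return one row per offender, so the scheduled query rule can use the measure "number of results", the operator greater than 0, and a split on ContainerGroup_s; that way one noisy group does not mask another. Keep in mind that a transformation like query 1 limits what queries 2 and 3 can ever see: a line its filter does not match never reaches the table.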

As best practices, collect only the logs and metrics you need so that cost stays manageable. Consider:

  • Stream container logs only for security-relevant events
  • Switch tables to the Basic Logs plan where it fits, with the caveat that Basic Logs has shorter interactive retention, supports a limited set of KQL operators, and cannot be used in scheduled query rules, so keep any table that feeds an alert on the Analytics plan
  • Limit the collection of unneeded resource logs
  • Use workspace transformations for granular filtering

Following these steps ensures proactive incident response and helps maintain a secure posture for your Azure Container Instances.

Conclusion

In this section, you learned how to enable diagnostic settings on Azure Container Instances to stream logs and metrics into a Log Analytics workspace. You discovered how to use data collection rules and workspace transformations to focus on the most relevant security data without discarding the context an investigation needs. You also saw how to write KQL queries, schedule query rules, and configure metric alerts for timely incident response. Finally, applying best practices helps you reduce noise, lower costs, and keep your container instances secure.