Working with Security Alerts
Threat protection product names from Microsoft are changing. Read more about this and other updates here. We'll be updating names in products and in the docs in the near future.
The Azure ATP features explained on this page are also accessible using the new portal.
This article explains the basics of how to work with Azure ATP security alerts.
After logging in to the Azure ATP portal, you're automatically taken to the open Security Alerts Timeline. Security alerts are listed in chronological order, with the newest alert on the top of the timeline.
Each security alert has the following information:
Entities involved, including users, computers, servers, domain controllers, and resources.
Times and time frame of the suspicious activities which initiated the security alert.
Severity of the alert: High, Medium, or Low.
Status: Open, closed, or suppressed.
Share the security alert with other people in your organization via email.
Download the security alert in Excel format.
- When you hover your mouse over a user or computer, a mini entity profile is displayed. The mini-profile provides additional information about the entity and includes the number of security alerts that the entity is linked to.
- Clicking on an entity, takes you to the entity profile of the user or computer.
Security alert categories
Azure ATP security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain.
- Reconnaissance alerts
- Compromised credential alerts
- Lateral movement alerts
- Domain dominance alerts
- Exfiltration alerts
The Azure ATP research team constantly works on implementing new detections for newly discovered attacks. Because Azure ATP is a cloud service, new detections are released quickly to enable Azure ATP customers to benefit from new detections as soon as possible.
These detections are tagged with a preview badge, to help you identify the new detections and know that they are new to the product. If you turn off preview detections, they will not be displayed in the Azure ATP console - not in the timeline or in entity profiles - and new alerts won’t be opened.
By default, preview detections are enabled in Azure ATP.
To disable preview detections:
- In the Azure ATP console, click the settings cog.
- In the left menu, under Preview, click Detections.
- Use the slider to turn the preview detections on and off.
Filter security alerts list
To filter the security alert list:
In the Filter by pane on the left side of the screen, select one of the following options: All, Open, Closed, or Suppressed.
To further filter the list, select High, Medium, or Low.
Suspicious activity severity
Indicates activities that can lead to attacks designed for malicious users or software to gain access to organizational data.
Indicates activities that can put specific identities at risk for more severe attacks that could result in identity theft or privileged escalation
Indicates activities that can lead to identity theft, privilege escalation, or other high-impact attacks
Managing security alerts
You can change the status of a security alert by clicking the current status of the security alert and selecting one of the following Open, Suppressed, Closed, or Deleted. To do this, click the three dots at the top right corner of a specific alert to reveal the list of available actions.
Security alert status
Open: All new security alerts appear in this list.
Close: Is used to track security alerts that you identified, researched, and fixed for mitigated.
Suppress: Suppressing an alert means you want to ignore it for now, and only be alerted again if there's a new instance. This means that if there's a similar alert Azure ATP doesn't reopen it. But if the alert stops for seven days, and is then seen again, a new alert is opened.
Delete: If you Delete an alert, it is deleted from the system, from the database and you will NOT be able to restore it. After you click delete, you'll be able to delete all security alerts of the same type.
Exclude: The ability to exclude an entity from raising more of a certain type of alerts. For example, you can set Azure ATP to exclude a specific entity (user or computer) from alerting again for a certain type of activity, such as a specific admin who runs remote code or a security scanner that does DNS reconnaissance. In addition to being able to add exclusions directly on the security alert as it is detected in the time line, you can also go to the Configuration page to Exclusions, and for each security alert you can manually add and remove excluded entities or subnets (for example for Pass-the-Ticket).
The configuration pages can only be modified by Azure ATP admins.