Alert validation in Microsoft Defender for Cloud
Note
Azure Security Center and Azure Defender are now called Microsoft Defender for Cloud. We've also renamed Azure Defender plans to Microsoft Defender plans. For example, Azure Defender for Storage is now Microsoft Defender for Storage. Learn more about the recent renaming of Microsoft security services.
This document helps you verify that your system is properly configured for Microsoft Defender for Cloud alerts.
What are security alerts?
Alerts are the notifications that Defender for Cloud generates when it detects threats on your resources. It prioritizes and lists the alerts along with the information needed to quickly investigate the problem. Defender for Cloud also provides recommendations for how you can remediate an attack. For more information, see Security alerts in Defender for Cloud and Managing and responding to security alerts.
Generate sample security alerts
If you're using the new, preview alerts experience as described in Manage and respond to security alerts in Microsoft Defender for Cloud, you can create sample alerts in a few clicks from the security alerts page in the Azure portal.
Use sample alerts to:
- evaluate the value and capabilities of your Microsoft Defender plans
- validate any configurations you've made for your security alerts (such as SIEM integrations, workflow automation, and email notifications)
To create sample alerts:
1. As a user with the role Subscription Contributor, from the toolbar on the alerts page, select Create sample alerts.
2. Select the subscription.
3. Select the relevant Microsoft Defender plan/s for which you want to see alerts.
4. Select Create sample alerts.
A notification appears letting you know that the sample alerts are being created:
After a few minutes, the alerts appear in the security alerts page. They'll also appear anywhere else that you've configured to receive your Microsoft Defender for Cloud security alerts (connected SIEMs, email notifications, and so on).
Tip
The alerts are for simulated resources.
Simulate alerts on your Azure VMs (Windows)
After the Log Analytics agent is installed on your machine, follow these steps on the computer that you want to appear as the attacked resource in the alert:
- Copy an executable (for example calc.exe) to the computer's desktop, or other directory of your convenience, and rename it as ASC_AlertTest_662jfi039N.exe.
- Open the command prompt and execute this file with an argument (just a fake argument name), such as:
  ASC_AlertTest_662jfi039N.exe -foo
- Wait 5 to 10 minutes and open Defender for Cloud Alerts. An alert should appear.
Note
When reviewing this test alert for Windows, make sure the field Arguments Auditing Enabled is true. If it is false, then you need to enable command-line arguments auditing. To enable it, use the following command:
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\Audit" /f /v "ProcessCreationIncludeCmdLine_Enabled" /t REG_DWORD /d 1
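The following PowerShell script is an added example and not part of the original Microsoft documentation. It performs the Windows simulation steps above (copy a harmless executable under the expected name, launch it with a dummy argument) and, before doing so, checks whether the ProcessCreationIncludeCmdLine_Enabled policy value is set so the resulting alert reports Arguments Auditing Enabled as true. The desktop working directory, the use of calc.exe as the copied binary and the auditpol check for the Process Creation subcategory are assumptions of this example; run it in an elevated session on the VM that has the Log Analytics agent installed.

```powershell
# Added example (not from the Microsoft docs page): run the Windows alert
# simulation and confirm command-line auditing is on, so that the alert
# shows "Arguments Auditing Enabled = true". Requires an elevated session.

$AuditKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
$AuditName = 'ProcessCreationIncludeCmdLine_Enabled'
$TestExe   = 'ASC_AlertTest_662jfi039N.exe'          # file name the test alert keys on
$Workdir   = Join-Path $env:USERPROFILE 'Desktop'    # assumption: any writable directory works

function Test-CmdLineAuditing {
    # Returns $true only when the policy value exists and is a DWORD of 1.
    $item = Get-ItemProperty -Path $AuditKey -Name $AuditName -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$AuditName -eq 1)
}

function Enable-CmdLineAuditing {
    # Same effect as the reg add command in the note above, written explicitly as REG_DWORD 1.
    if (-not (Test-Path $AuditKey)) { New-Item -Path $AuditKey -Force | Out-Null }
    Set-ItemProperty -Path $AuditKey -Name $AuditName -Value 1 -Type DWord
}

function Invoke-AlertSimulation {
    param([string]$Directory = $Workdir)

    # Step 1: copy a harmless executable under the name Defender for Cloud recognises.
    $source = Join-Path $env:SystemRoot 'System32\calc.exe'   # assumption: any executable is fine
    $target = Join-Path $Directory $TestExe
    Copy-Item -Path $source -Destination $target -Force

    # Step 2: run it with a fake argument. Record the UTC start time so the alert
    # can be correlated with this run in the portal, your SIEM or email notifications.
    $started = (Get-Date).ToUniversalTime().ToString('o')
    Start-Process -FilePath $target -ArgumentList '-foo' -WindowStyle Hidden

    return [pscustomobject]@{ Executable = $target; StartedUtc = $started }
}

if (-not (Test-CmdLineAuditing)) {
    Write-Warning 'Command-line auditing is disabled; enabling it so the alert carries the arguments.'
    Enable-CmdLineAuditing
}

# Process-creation events (4688) must be audited as well; the registry value only
# controls whether the command line is included in those events.
auditpol /get /subcategory:"Process Creation"

$run = Invoke-AlertSimulation
"Launched $($run.Executable) at $($run.StartedUtc). Check Defender for Cloud > Security alerts in 5 to 10 minutes."
```

If Test-CmdLineAuditing still reports false after the registry change on a domain-joined machine, a Group Policy setting is likely overriding the local value; the policy "Include command line in process creation events" is the equivalent GPO control.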
Simulate alerts on your Azure VMs (Linux)
After the Log Analytics agent is installed on your machine, follow these steps on the computer that you want to appear as the attacked resource in the alert:
- Copy an executable to a convenient location and rename it to ./asc_alerttest_662jfi039n. For example:
  cp /bin/echo ./asc_alerttest_662jfi039n
- Open the command prompt and execute this file:
  ./asc_alerttest_662jfi039n testing eicar pipe
- Wait 5 to 10 minutes and then open Defender for Cloud Alerts. An alert should appear.
Simulate alerts on Kubernetes
If you've integrated Azure Kubernetes Service with Defender for Cloud, you can test that your alerts are working with the following kubectl command:
kubectl get pods --namespace=asc-alerttest-662jfi039n
For more information about defending your Kubernetes nodes and clusters, see Introduction to Microsoft Defender for Containers.
Next steps
This article introduced you to the alerts validation process. Now that you're familiar with this validation, try the following articles:
- Validating Azure Key Vault threat detection in Microsoft Defender for Cloud
- Managing and responding to security alerts in Microsoft Defender for Cloud - Learn how to manage alerts, and respond to security incidents in Defender for Cloud.
- Understanding security alerts in Microsoft Defender for Cloud - Learn about the different types of security alerts.