Additional threat protections in Azure Security Center

As well as the built-in Azure Defender protections, Azure Security Center also offers the following threat protection capabilities.


To enable Security Center's threat protection capabilities, you must enable Azure Defender on the subscription containing the applicable workloads.

You can enable threat protection for Azure Database for MariaDB/MySQL/PostgreSQL at the resource level only.

Threat protection for Azure network layer

Security Center network-layer analytics are based on sample IPFIX data, which are packet headers collected by Azure core routers. Based on this data feed, Security Center uses machine learning models to identify and flag malicious traffic activities. Security Center also uses the Microsoft Threat Intelligence database to enrich IP addresses.

Some network configurations restrict Security Center from generating alerts on suspicious network activity. For Security Center to generate network alerts, ensure that:

  • Your virtual machine has a public IP address (or is on a load balancer with a public IP address).
  • Your virtual machine's network egress traffic isn't blocked by an external IDS solution.

For a list of the Azure network layer alerts, see the Reference table of alerts.

Threat protection for Azure Resource Manager (Preview)

Security Center's protection layer based on Azure Resource Manager is currently in preview.

Security Center offers an additional layer of protection by using Azure Resource Manager events, which is considered to be the control plane for Azure. By analyzing the Azure Resource Manager records, Security Center detects unusual or potentially harmful operations in the Azure subscription environment.

For a list of the Azure Defender for Resource Manager alerts, see the Reference table of alerts.


Several of the preceding analytics are powered by Microsoft Cloud App Security. To benefit from these analytics, you must activate a Cloud App Security license. If you have a Cloud App Security license, then these alerts are enabled by default. To disable the alerts:

  1. From Security Center's menu, select Pricing & settings.
  2. Select the subscription you want to change.
  3. Select Threat detection.
  4. Clear Allow Microsoft Cloud App Security to access my data, and select Save.


Security Center stores security-related customer data in the same geo as its resource. If Microsoft hasn't yet deployed Security Center in the resource's geo, then it stores the data in the United States. When Cloud App Security is enabled, this information is stored in accordance with the geo location rules of Cloud App Security. For more information, see Data storage for non-regional services.

  1. Set the workspace on which you're installing the agent. Make sure the workspace is in the same subscription you use in Security Center and that you have read/write permissions on the workspace.

  2. Enable Azure Defender, and select Save.

Threat protection for Azure Cosmos DB (Preview)

The Azure Cosmos DB alerts are generated by unusual and potentially harmful attempts to access or exploit Azure Cosmos DB accounts.

For more information, see:

Threat protection for other Microsoft services

Threat protection for Azure WAF

Azure Application Gateway offers a web application firewall (WAF) that provides centralized protection of your web applications from common exploits and vulnerabilities.

Web applications are increasingly targeted by malicious attacks that exploit commonly known vulnerabilities. The Application Gateway WAF is based on Core Rule Set 3.0 or 2.2.9 from the Open Web Application Security Project. The WAF is updated automatically to protect against new vulnerabilities.

If you have a license for Azure WAF, your WAF alerts are streamed to Security Center with no additional configuration needed. For more information on the alerts generated by WAF, see Web application firewall CRS rule groups and rules.

Threat protection for Azure DDoS Protection

Distributed denial of service (DDoS) attacks are known to be easy to execute. They've become a great security concern, particularly if you're moving your applications to the cloud.

A DDoS attack attempts to exhaust an application's resources, making the application unavailable to legitimate users. DDoS attacks can target any endpoint that can be reached through the internet.

To defend against DDoS attacks, purchase a license for Azure DDoS Protection and ensure you're following application design best practices. DDoS Protection provides different service tiers. For more information, see Azure DDoS Protection overview.

For a list of the Azure DDoS Protection alerts, see the Reference table of alerts.

Next steps

To learn more about the security alerts from these threat protection features, see the following articles: