Custom Alert Rules in Azure Security Center (Preview)

This document helps you to create custom alert rules in Azure Security Center.

What are custom alert rules in Security Center?

Security Center has a set of predefined security alerts, which are triggered when a threat or suspicious activity takes place. In some scenarios, you may want to create a custom alert to address the specific needs of your environment.

Custom alert rules in Security Center allow you to define new security alerts based on data that is already collected from your environment. You create queries, and the result of these queries is used as the criteria for the custom rule; once these criteria are matched, the rule is executed. You can use computer security events, partner security solution logs, or data ingested through APIs to create your custom queries.

Note

Custom alerts are not supported in Security Center's investigation feature.

How to create a custom alert rule in Security Center?

Open Security Center dashboard, and follow these steps to create a custom alert rule:

  1. In the left pane, under Detection, click Custom alert rules (Preview).
  2. On the Security Center – Custom alert rules (Preview) page, click New custom alert rule.

    [Screenshot: Custom alert]

  3. The Create custom alert rule page appears with the following options:

    [Screenshot: Create]

  4. Type the name for this custom rule in the Name field.

  5. Type a brief description that reflects the intent of this rule in the Description field.
  6. Select the severity level (High, Medium, Low) according to your needs in the Severity field.
  7. Select the subscription in which this rule is applicable in the Subscription field.
  8. Select the workspace that you want to monitor with this rule in the Workspace field, and in the Search Query field, enter the query that you want to use to obtain the results.

    Note

    You need write permission in the workspace that you select to store your custom alert.

    The query's result triggers the alert. Notice that when you type a valid query, a green check mark appears in the right corner of this field:

    [Screenshot: Query]

  9. Select the time span over which the query above will be executed in the Period field. Notice that the search result at the bottom of this field changes according to the time span that you select.

    [Screenshot: Period]

  10. In the Evaluation field, select how often this rule should be evaluated and executed.

  11. In the Number of results field, select the operator (greater than or lower than).
  12. In the Threshold field, type the number that will be used as the reference for the operator that was previously selected.
  13. Enable the Suppress Alerts option if you want to set a time to wait before Security Center sends another alert for this rule.
  14. Click OK to finish.

After you finish creating the new alert rule, it will appear in the list of custom alert rules. Once the conditions of that rule are met, a new alert will be triggered, and you can see it in the Security Alerts dashboard.

[Screenshot: Alert]

Notice that the parameters (search query, threshold, and so on) that were established during rule creation are available in the alert for this custom rule.
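As an added illustration, and not Security Center's own code, the following Python models how the Period, Evaluation, Number of results, Threshold and Suppress Alerts settings from the steps above interact on a constructed set of query results. Because the evaluation interval (5 minutes) is shorter than the period (10 minutes), the same burst of events satisfies the rule on two consecutive runs, and only the suppression window stops the second alert; the rule name, sample timestamps and `demo` helper are assumptions made for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed sample input: timestamps of the rows a search query returns
# (think of a burst of failed logons on one host). Not real telemetry.
SAMPLE_EVENT_TIMES = [datetime(2018, 1, 1, 0, m) for m in (2, 3, 4, 5, 6, 31, 58)]
# The two operators offered in the Number of results field.
OPERATORS = {"greater than": lambda n, t: n > t, "lower than": lambda n, t: n < t}

@dataclass
class CustomAlertRule:
    name: str
    period: timedelta                      # Period: time span each query run covers
    evaluation: timedelta                  # Evaluation: how often the rule runs
    operator: str                          # Number of results operator
    threshold: int                         # Threshold compared with the result count
    suppress: Optional[timedelta] = None   # Suppress Alerts window, if enabled
    last_alert: Optional[datetime] = field(default=None, init=False)

    def evaluate(self, now: datetime, event_times: List[datetime]) -> Optional[dict]:
        """Count results in [now - period, now], apply operator/threshold and suppression."""
        count = sum(1 for t in event_times if now - self.period <= t <= now)
        if not OPERATORS[self.operator](count, self.threshold):
            return None
        if self.suppress and self.last_alert and now - self.last_alert < self.suppress:
            return None  # inside the suppression window: no repeat alert
        self.last_alert = now
        # The alert carries the parameters established when the rule was created.
        return {"rule": self.name, "time": now, "results": count,
                "operator": self.operator, "threshold": self.threshold}

def run_schedule(rule: CustomAlertRule, start: datetime, end: datetime,
                 event_times: List[datetime]) -> List[dict]:
    """Evaluate the rule at every evaluation interval from start to end."""
    alerts, now = [], start
    while now <= end:
        alert = rule.evaluate(now, event_times)
        if alert:
            alerts.append(alert)
        now += rule.evaluation
    return alerts

def demo(suppress_minutes: Optional[int] = None) -> List[dict]:
    """10-minute period, evaluated every 5 minutes, alert on more than 3 results."""
    suppress = timedelta(minutes=suppress_minutes) if suppress_minutes else None
    rule = CustomAlertRule("Failed logon burst", timedelta(minutes=10),
                           timedelta(minutes=5), "greater than", 3, suppress)
    return run_schedule(rule, datetime(2018, 1, 1, 0, 0), datetime(2018, 1, 1, 1, 0),
                        SAMPLE_EVENT_TIMES)
```

Compare `demo()` (two alerts at 00:05 and 00:10 for one burst) with `demo(15)` (one alert, the second suppressed) to see why a suppression window is worth setting when the evaluation frequency is shorter than the period.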

See also

In this document, you learned how to create a custom alert rule in Azure Security Center. To learn more about Azure Security Center, see the following: