Custom Alert Rules in Azure Security Center (Preview)

This document helps you to create custom alert rules in Azure Security Center.


Custom alerts will be retired on June 30, 2019.

Retirement of Custom Alert rules in Azure Security Center

The custom alerts experience will be retired June 30th, 2019, due to retirement of the underlying infrastructure it is based on. In the timeframe until deprecation, users will be able to edit existing custom alert rules but will not be able to add new ones. Users are advised to either:

  • Enable Azure Sentinel with one-click onboarding to automatically migrate their existing alerts and create new ones
  • Re-create their alerts with Azure Monitor log alerts

To keep your existing alerts and migrate them to Azure Sentinel, please launch Azure Sentinel. As first step, select the workspace where your custom alerts are stored, and then select the ‘Analytics’ menu item to automatically migrate your alerts.


Custom alerts migration to Azure Sentinel is a one-time migration of all your custom alerts in the selected workspace. After migration is completed, the custom alerts for that selected workspace will not be accessible via Azure Security Center.

Custom alerts using Search or Union statements queries are not supported in Azure Sentinel and will not be migrated. Please edit these alerts before performing the migration.

To re-create your alerts using Azure Monitor log alerts, please see: Create, view, and manage log alerts using Azure Monitor for instructions on how to create log alerts. For general overview of log alerts in Azure Monitor, click here.

What are custom alert rules in Security Center?

Security Center has a set of predefined security alerts, which are triggered when a threat, or suspicious activity takes place. In some scenarios, you may want to create a custom alert to address specific needs of your environment.

Custom alert rules in Security Center allow you to define new security alerts based on data that is already collected from your environment. You can create queries, and the result of these queries can be used as criteria for the custom rule, and once this criteria is matched, the rule is executed. You can use computers security events, partner's security solution logs or data ingested using APIs to create your custom queries.


Custom alerts are not supported in Security Center's investigation feature.

How to create a custom alert rule in Security Center?

Open Security Center dashboard, and follow these steps to create a custom alert rule:

  1. In the left pane, under Detection click Custom alert rules (Preview).

  2. In the Security Center – Custom alert rules (Preview) page click New custom alert rule.

    Custom alert

  3. The Create custom alert rule page appears with the following options:


  4. Type the name for this custom rule in the Name field.

  5. Type a brief description that reflects the intent of this rule in the Description field.

  6. Select the severity level (High, Medium, Low) according to your needs in the Severity field.

  7. Select the subscription in which this rule is applicable in the Subscription field.

  8. Select the workspace that you want to monitor with this rule in the Workspace field, and in the Search Query field, the query that you want to use to obtain the results.


    You need write permission in the workspace that you select to store your custom alert.

    The query’s result triggers the alert. Notice that when you type a valid query, the green check mark appears in the right corner of this field:


  9. Select the time span in which the query above will be executed in the Period field. Notice that the search result in the bottom of this field will change the according to the time span that you select.


  10. In the Evaluation field select the frequency that this rule should be evaluated and executed.

  11. In the Number of results field, select the operator (greater than, or lower than).

  12. In the Threshold field type a number that will be used as reference for the operator that was previous selected.

  13. Enable Suppress Alerts option if you want to set a time to wait before Security Center sends another alert for this rule.

  14. Click OK to finish.

After you finish creating the new alert rule, it will appear in the list of custom alert rules. Once the conditions of that rule are met, a new alert will be triggered, and you can see in the Security Alerts dashboard.


Notice that the parameters (search query, threshold, etc.) that were established during the rule creation are available in the alert for this custom rule.

See also

In this document, you learned how to create a custom alert rule in Azure Security Center. To learn more about Azure Security Center, see the following: