Managing and responding to security alerts in Azure Security Center

This document helps you use Azure Security Center to manage and respond to security alerts.

Note

To enable advanced detections, upgrade to Azure Security Center Standard. A free trial is available. To upgrade, select Pricing Tier in the Security Policy. See Azure Security Center pricing to learn more.

What are security alerts?

Security Center automatically collects, analyzes, and integrates log data from your Azure resources, the network, and connected partner solutions, like firewall and endpoint protection solutions, to detect real threats and reduce false positives. A list of prioritized security alerts is shown in Security Center along with the information you need to quickly investigate the problem and recommendations for how to remediate an attack.

Note

For more information about how Security Center detection capabilities work, read Azure Security Center Detection Capabilities.

Managing security alerts

You can review your current alerts by looking at the Security alerts tile. Follow the steps below to see more details about each alert:

  1. On the Security Center dashboard, you see the Security alerts tile.

    Security alerts tile in Security Center

  2. Click the tile to open the Security alerts page and see more details about the alerts.

    The Security alerts in Security Center

In the bottom part of this page are the details for each alert. To sort, click the column that you want to sort by. The definition for each column is given below:

  • Description: A brief explanation of the alert.
  • Count: The number of alerts of this specific type that were detected on a specific day.
  • Detected by: The service that was responsible for triggering the alert.
  • Date: The date that the event occurred.
  • State: The current state for that alert. There are two types of states:
    • Active: The security alert has been detected.
    • Dismissed: The security alert has been dismissed by the user. This status is typically used for alerts that were investigated and either mitigated or found not to be an actual attack.
  • Severity: The severity level, which can be high, medium or low.

Note

Security alerts generated by Security Center will also appear under Azure Activity Log. For more information about how to access Azure Activity Log, read View activity logs to audit actions on resources.

Alert severity

Note

Alert severity is displayed differently in the portal and the REST API; the differences are noted in the list below.

  • High: There is a high probability that your resource is compromised. You should look into it right away. Security Center has high confidence in both the malicious intent and in the findings used to issue the alert. For example, an alert that detects the execution of a known malicious tool such as Mimikatz, a common tool used for credential theft.
  • Medium (Low in the REST API): This is probably a suspicious activity that may indicate that a resource is compromised. Security Center’s confidence in the analytic or finding is medium and the confidence of the malicious intent is medium to high. These would usually be machine learning or anomaly based detections. For example, a sign in attempt from an anomalous location.
  • Low (Information in the REST API): This might be a benign positive or a blocked attack.
    • Security Center is not confident enough that the intent is malicious and the activity may be innocent. For example, log clear is an action that may happen when an attacker tries to hide their tracks, but in many cases is a routine operation performed by admins.
    • Security Center doesn’t usually tell you when attacks were blocked, unless it’s an interesting case that we suggest you look into.
  • Informational (Silent in the REST API): You will only see informational alerts when you drill down into a security incident, or if you use the REST API with a specific alert ID. An incident is typically made up of a number of alerts, some of which may appear on their own to be only informational, but in the context of the other alerts may be worthy of a closer look.

Filtering alerts

You can filter alerts based on date, state, and severity. Filtering alerts is useful when you need to narrow the set of security alerts shown. For example, you might want to address only the security alerts that occurred in the last 24 hours because you are investigating a potential breach in the system.

  1. Click Filter on the Security alerts page. The Filter pane opens, where you select the date, state, and severity values you wish to see.

    Filtering alerts in Security Center
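The severity mapping above (portal label versus REST API value) and the "last 24 hours" filtering scenario, as an added example that is not part of the Azure documentation. The alert records are constructed; the property names (reportedSeverity, state, detectedTimeUtc) are assumptions about the alerts REST API shape, so adjust them to the API version you call.

```python
from datetime import datetime, timedelta, timezone

# REST API severity value -> label the portal shows, per the "Alert severity"
# list above (Medium and Low are named differently in the two places).
REST_TO_PORTAL_SEVERITY = {"High": "High", "Low": "Medium",
                           "Information": "Low", "Silent": "Informational"}
# Rank used for thresholds and sorting: lower number = more urgent.
SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2, "Informational": 3}

# Constructed sample records, not real API output; the property names
# (reportedSeverity, state, detectedTimeUtc) are assumptions.
NOW = datetime(2017, 6, 1, 12, 0, tzinfo=timezone.utc)

def _alert(name, rest_severity, state, hours_ago):
    return {"name": name, "properties": {
        "reportedSeverity": rest_severity, "state": state,
        "detectedTimeUtc": (NOW - timedelta(hours=hours_ago)).isoformat()}}

SAMPLE_ALERTS = [
    _alert("rdp", "High", "Active", 2),              # suspicious RDP activity
    _alert("mimikatz", "High", "Active", 6),         # known malicious tool seen
    _alert("signin", "Low", "Active", 30),           # anomalous location, >24h old
    _alert("logclear", "Information", "Active", 5),  # log clear, "Low" in portal
    _alert("dismissed", "High", "Dismissed", 1),     # already investigated
    _alert("silent", "Silent", "Active", 3),         # only visible inside incidents
]

def portal_severity(rest_value):
    """Translate a REST API severity into the portal label; reject unknown values."""
    if rest_value not in REST_TO_PORTAL_SEVERITY:
        raise ValueError(f"unknown REST severity: {rest_value!r}")
    return REST_TO_PORTAL_SEVERITY[rest_value]

def filter_alerts(alerts, since, states=("Active",), min_severity="Low"):
    """Keep alerts detected at or after `since`, in one of `states`, and at
    least `min_severity` on the portal scale; most urgent and newest first."""
    threshold = SEVERITY_RANK[min_severity]
    kept = []
    for alert in alerts:
        p = alert["properties"]
        sev = portal_severity(p["reportedSeverity"])
        detected = datetime.fromisoformat(p["detectedTimeUtc"])
        if detected >= since and p["state"] in states and SEVERITY_RANK[sev] <= threshold:
            kept.append((SEVERITY_RANK[sev], -detected.timestamp(),
                         {**alert, "portalSeverity": sev}))
    return [entry for _, _, entry in sorted(kept, key=lambda t: t[:2])]

def last_hours(alerts, hours, now=NOW, **kwargs):
    """Convenience wrapper, e.g. last_hours(alerts, 24) for a breach investigation."""
    return filter_alerts(alerts, since=now - timedelta(hours=hours), **kwargs)
```

By default only Active alerts of portal severity Low or higher are kept, so Dismissed alerts and Silent (Informational) alerts drop out unless you widen `states` or `min_severity`.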

Respond to security alerts

Select a security alert to learn more about the event(s) that triggered the alert and what, if any, steps you need to take to remediate an attack. Security alerts are grouped by type and date. Clicking a security alert opens a page containing a list of the grouped alerts.

Respond to security alerts in Azure Security Center

In this case, the alerts that were triggered refer to suspicious Remote Desktop Protocol (RDP) activity. The first column shows which resources were attacked; the second shows how many times the resource was attacked; the third shows the time of the attack; the fourth shows the state of the alert; and the fifth shows the severity of the attack. After reviewing this information, click the resource that was attacked.

Suggestions for what to do about security alerts in Azure Security Center

In the Description field you find more details about this event. These additional details offer insight into what triggered the security alert, the target resource, the source IP address when applicable, and recommendations about how to remediate. In some instances, the source IP address is empty (not available) because not all Windows security event logs include the IP address.

The remediation suggested by Security Center varies according to the security alert. In some cases, you may have to use other Azure capabilities to implement the recommended remediation. For example, the remediation for this attack is to blacklist the IP address that is generating this attack by using a network ACL or a network security group rule. For more information on the different types of alerts, read Security Alerts by Type in Azure Security Center.

Note

Security Center has released to limited preview a new set of detections that leverage auditd records, a common auditing framework, to detect malicious behaviors on Linux machines. Please send an email with your subscription IDs to us to join the preview.

See also

In this document, you learned how to manage and respond to security alerts in Security Center. To learn more about Security Center, see the following: