Security alerts map and threat intelligence
This article helps you to use the Azure Security Center security alerts map and security event-based threat intelligence map to address security-related issues.
The Security events map button was retired on July 31, 2019. For more information and alternative services, see Retirement of Security Center features (July 2019).
How the security alerts map works
Security Center provides you with a map that helps you identify security threats against your environment. For example, you can identify whether a particular computer is part of a botnet, and where the threat is coming from. Computers become nodes in a botnet when attackers illicitly install malware that secretly communicates with the command and control servers that manage the botnet.
To build this map, Security Center uses data that comes from multiple sources within Microsoft. Security Center uses this data to map potential threats against your environment.
One of the steps of a security incident response process is to identify the severity of the compromised system(s). In this phase, you should perform the following tasks:
- Determine the nature of the attack.
- Determine the point of origin of the attack.
- Determine the intent of the attack. Was the attack directed at your organization to acquire specific information, or was it random?
- Identify the systems that were compromised.
- Identify the files that were accessed and determine the sensitivity of those files.
You can use the Security alerts map in Security Center to help with these tasks.
Access the Security alerts map
To visualize the current threats against your environment, open the Security alerts map:
- Open the Security Center dashboard.
- In the left pane, under Threat Protection, select Security alerts map. The map opens.
- To get more information about the alert and receive remediation steps, click on the Alert dot on the map and follow the instructions.
The security alerts map is based on alerts. These alerts are raised for activities whose network communication was associated with an IP address that was successfully resolved, whether that IP address is already known to be risky (for example, a known cryptominer) or was not previously recognized as risky. The map shows alerts across all subscriptions you previously selected in Azure.
The alerts on the map are placed at the geographical location from which they are detected as originating, and they are color coded by severity.
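As an added illustration (not Microsoft's code and not the map's implementation), the following Python groups exported alert records the way the map groups them: by the resolved origin country of the associated IP address, by alert severity, and by whether that address was already known as risky, while keeping aside alerts whose IP could not be placed. The record shape and entity field names (Entities, Type, Address, Location, ThreatIntelligence) are assumptions for this example.

```python
import json
from collections import Counter

# Constructed sample alerts, shaped like Security Center alerts as they land in the
# Log Analytics SecurityAlert table (AlertSeverity plus Entities as a JSON string).
# The entity field names used below are assumptions for this example.
SAMPLE_ALERTS = [
    {"AlertName": "Traffic detected from IP addresses recommended for blocking",
     "AlertSeverity": "Medium",
     "Entities": json.dumps([
         {"Type": "host", "HostName": "vm-web-01"},
         {"Type": "ip", "Address": "203.0.113.10",
          "Location": {"CountryCode": "NL", "City": "Amsterdam"},
          "ThreatIntelligence": [{"ThreatType": "Cryptomining"}]}])},
    {"AlertName": "Suspicious outgoing RDP network activity",
     "AlertSeverity": "High",
     "Entities": json.dumps([
         {"Type": "host", "HostName": "vm-web-01"},
         {"Type": "ip", "Address": "198.51.100.7",
          "Location": {"CountryCode": "US", "City": "Boydton"}}])},
    {"AlertName": "Possible outgoing spam activity",
     "AlertSeverity": "Low",
     "Entities": json.dumps([{"Type": "ip", "Address": "192.0.2.55"}])},
]

def ip_entities(alert):
    """Return the ip-type entities of an alert; a malformed Entities field yields none."""
    raw = alert.get("Entities") or "[]"
    try:
        entities = json.loads(raw) if isinstance(raw, str) else raw
    except json.JSONDecodeError:
        return []
    return [e for e in entities if isinstance(e, dict) and e.get("Type") == "ip"]

def map_buckets(alerts):
    """Bucket alerts by (origin country, severity, already-known-risky); alerts whose
    IP carries no geolocation cannot be placed and are returned separately."""
    buckets = Counter()
    unplaced = []
    for alert in alerts:
        placed = False
        for ip in ip_entities(alert):
            country = (ip.get("Location") or {}).get("CountryCode")
            if not country:
                continue  # resolved address but no geolocation: cannot be mapped
            known_risky = bool(ip.get("ThreatIntelligence"))
            buckets[(country, alert["AlertSeverity"], known_risky)] += 1
            placed = True
        if not placed:
            unplaced.append(alert["AlertName"])
    return buckets, unplaced
```

Review the unplaced list alongside the buckets: an alert that cannot be drawn on the map still needs triage.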
In this article, you learned how to use threat intelligence in Security Center to assist you in identifying suspicious activity. To learn more about Security Center, see the following articles:
- Manage and respond to security alerts in Azure Security Center. Learn how to manage alerts and respond to security incidents in Security Center.
- Security health monitoring in Azure Security Center. Learn how to monitor the health of your Azure resources.
- Understand security alerts in Azure Security Center. Learn about the different types of security alerts.
- Azure Security Center troubleshooting guide. Learn how to troubleshoot common issues in Security Center.
- Azure Security Center FAQ. Find answers to frequently asked questions about using the service.
- Azure security blog. Find blog posts about Azure security and compliance.