Security alerts map and threat intelligence

This article helps you use the Azure Security Center security alerts map and the security event-based threat intelligence map to address security-related issues.


The Security events map button was retired on July 31st, 2019. For more information and alternative services, see Retirement of Security Center features (July 2019).

How the security alerts map works

Security Center provides you with a map that helps you identify security threats against the environment. For example, you can identify whether a particular computer is part of a botnet, and where the threat is coming from. Computers can become nodes in a botnet when attackers illicitly install malware that secretly interacts with the command-and-control infrastructure that manages the botnet.

To build this map, Security Center uses data that comes from multiple sources within Microsoft. Security Center uses this data to map potential threats against your environment.

One of the steps of a security incident response process is to identify the severity of the compromised system(s). In this phase, you should perform the following tasks:

  • Determine the nature of the attack.
  • Determine the point of origin of the attack.
  • Determine the intent of the attack. Was the attack directed at your organization to acquire specific information, or was it random?
  • Identify the systems that were compromised.
  • Identify the files that were accessed and determine the sensitivity of those files.

You can use the Security alerts map in Security Center to help with these tasks.

Access the Security alerts map

To visualize the current threats to your environment, open the Security alerts map:

  1. Open the Security Center dashboard.
  2. In the left pane, under Threat Protection, select Security alerts map. The map opens.
  3. To get more information about the alert and receive remediation steps, click on the Alert dot on the map and follow the instructions.

The security alerts map is based on alerts. These alerts are based on activities for which network communication was associated with an IP address that was successfully resolved, regardless of whether the IP address is a known risky IP address (for example, a known cryptominer) or one that was not previously recognized as risky. The map provides alerts across any subscriptions you previously selected in Azure.

The alerts on the map are displayed according to the geographical location from which they are detected as originating, and they are color-coded by severity.

See also

In this article, you learned how to use threat intelligence in Security Center to assist you in identifying suspicious activity. To learn more about Security Center, see the following articles: