Threat protection in Azure Security Center

When Security Center detects a threat in any area of your environment, it generates an alert. These alerts describe details of the affected resources, suggested remediation steps, and in some cases an option to trigger a logic app in response.

Azure Security Center's threat protection provides comprehensive defenses for your environment:

  • Threat protection for Azure compute resources: Windows machines, Linux machines, Azure App Service, and Azure containers

  • Threat protection for Azure data resources: SQL Database and SQL Data Warehouse, Azure Storage, and Azure Cosmos DB

  • Threat protection for Azure service layers: Azure network layer, Azure management layer (Azure Resource Manager) (Preview), and Azure Key Vault (Preview)

Whether an alert is generated by Security Center, or received by Security Center from a different security product, you can export it. To export your alerts to Azure Sentinel (or a third-party SIEM) or any other external tool, follow the instructions in Exporting alerts to a SIEM.

Threat protection for Windows machines

Azure Security Center integrates with Azure services to monitor and protect your Windows-based machines. Security Center presents the alerts and remediation suggestions from all of these services in an easy-to-use format.

  • Microsoft Defender ATP - Security Center extends its cloud workload protection platforms by integrating with Microsoft Defender Advanced Threat Protection (ATP). Together, they provide comprehensive endpoint detection and response (EDR) capabilities.

    Important

    The Microsoft Defender ATP sensor is automatically enabled on Windows servers that use Security Center.

    When Microsoft Defender ATP detects a threat, it triggers an alert. The alert is shown on the Security Center dashboard. From the dashboard, you can pivot to the Microsoft Defender ATP console, and perform a detailed investigation to uncover the scope of the attack. For more information about Microsoft Defender ATP, see Onboard servers to the Microsoft Defender ATP service.

  • Crash dump analysis - When software crashes, a crash dump captures a portion of memory at the time of the crash.

    A crash might have been caused by malware or contain malware. To avoid being detected by security products, various forms of malware use a fileless attack, which avoids writing to disk or encrypting software components written to disk. This type of attack is difficult to detect by using traditional disk-based approaches.

    However, by using memory analysis, you can detect this kind of attack. By analyzing the memory in the crash dump, Security Center can detect the techniques the attack is using. For example, the attack might be attempting to exploit vulnerabilities in the software, access confidential data, and surreptitiously persist within a compromised machine. Security Center does this work with minimal performance impact to hosts.

    For details of the crash dump analysis alerts, see the Reference table of alerts.

  • Fileless attack detection - Fileless attacks targeting your endpoints are common. To avoid detection, fileless attacks inject malicious payloads into memory. Attacker payloads persist within the memory of compromised processes, and perform a wide range of malicious activities.

    With fileless attack detection, automated memory forensic techniques identify fileless attack toolkits, techniques, and behaviors. This solution periodically scans your machine at runtime, and extracts insights directly from the memory of security-critical processes.

    It finds evidence of exploitation, code injection, and execution of malicious payloads. Fileless attack detection generates detailed security alerts to accelerate alert triage, correlation, and downstream response time. This approach complements event-based EDR solutions, providing greater detection coverage.

    For details of the fileless attack detection alerts, see the Reference table of alerts.

Tip

You can simulate Windows alerts by downloading Azure Security Center Playbook: Security Alerts.

Threat protection for Linux machines

Security Center collects audit records from Linux machines by using auditd, one of the most common Linux auditing frameworks. auditd lives in the mainline kernel.

  • Linux auditd alerts and Log Analytics agent integration - The auditd system consists of a kernel-level subsystem, which is responsible for monitoring system calls. It filters them by a specified rule set, and writes messages for them to a socket. Security Center integrates functionalities from the auditd package within the Log Analytics agent. This integration enables collection of auditd events in all supported Linux distributions, without any prerequisites.

auditd records are collected, enriched, and aggregated into events by the Log Analytics agent for Linux. Security Center continuously adds new analytics that use Linux signals to detect malicious behaviors on cloud and on-premises Linux machines. Similar to the Windows capabilities, these analytics span suspicious processes, dubious sign-in attempts, kernel module loading, and other activities. These activities can indicate that a machine is either under attack or has already been breached.

    For a list of the Linux alerts, see the Reference table of alerts.
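The collect, enrich and aggregate step described above can be illustrated with a small parser. The following Python script is an added example; it is not part of this article or of the Log Analytics agent. It reads a few constructed auditd records in the multi-record format written to /var/log/audit/audit.log, groups them into events by the audit serial number, and applies two of the detections named above: kernel module loading (the x86_64 syscall numbers for init_module and finit_module, 175 and 313, plus the KERN_MODULE record) and repeated failed SSH sign-ins from one address. The failure threshold, the syscall table and the sample records are assumptions.

```python
import re
from collections import defaultdict

# Header of every auditd record: type=<TYPE> msg=audit(<epoch>.<ms>:<serial>): <fields>
RECORD_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
# key=value pairs; values may be bare, double-quoted, or single-quoted (nested msg='...')
FIELD_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")

# x86_64 syscall numbers for the two module-loading entry points (assumption: x86_64 hosts)
MODULE_SYSCALLS = {"175": "init_module", "313": "finit_module"}


def parse_fields(text):
    """Turn the field part of a record into a dict, flattening a nested msg='...' body."""
    fields = {}
    for key, value in FIELD_RE.findall(text):
        if value[:1] in ("'", '"') and value[-1:] == value[:1]:
            value = value[1:-1]
        if key == "msg":  # e.g. USER_LOGIN carries msg='op=login acct="root" ... res=failed'
            fields.update(parse_fields(value))
        else:
            fields[key] = value
    return fields


def aggregate(lines):
    """Group raw records into events keyed by serial, as an agent does before analysis."""
    events = {}
    for line in lines:
        match = RECORD_RE.match(line.strip())
        if not match:
            continue
        rtype, ts, serial, body = match.groups()
        event = events.setdefault(serial, {"ts": float(ts), "records": []})
        event["records"].append((rtype, parse_fields(body)))
    return events


def detect(events, failed_login_threshold=3):
    """Apply two example analytics over aggregated events and return alert dicts."""
    alerts = []
    failed_by_addr = defaultdict(list)
    for serial, event in events.items():
        by_type = dict(event["records"])  # record type -> fields (last of each type wins)
        syscall = by_type.get("SYSCALL")
        if syscall and syscall.get("syscall") in MODULE_SYSCALLS:
            alerts.append({
                "rule": "kernel_module_load",
                "serial": serial,
                "module": by_type.get("KERN_MODULE", {}).get("name", "<unknown>"),
                "exe": syscall.get("exe"),
                "auid": syscall.get("auid"),
            })
        login = by_type.get("USER_LOGIN")
        if login and login.get("res") == "failed":
            failed_by_addr[login.get("addr")].append(event["ts"])
    for addr, stamps in failed_by_addr.items():
        if len(stamps) >= failed_login_threshold:
            alerts.append({"rule": "repeated_failed_logins", "addr": addr, "count": len(stamps)})
    return alerts


# Constructed sample: one module load (three records, one serial), one benign execve,
# three failed root sign-ins from one address, one successful sign-in from another.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1586343400.123:4512): arch=c000003e syscall=313 success=yes exit=0 a0=3 a1=0 a2=0 a3=0 items=0 ppid=1210 pid=1301 auid=1000 uid=0 gid=0 euid=0 comm="insmod" exe="/usr/bin/kmod" key="modules"
type=KERN_MODULE msg=audit(1586343400.123:4512): name="demo_mod"
type=PROCTITLE msg=audit(1586343400.123:4512): proctitle=696E736D6F64
type=SYSCALL msg=audit(1586343401.500:4513): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1210 pid=1302 auid=1000 uid=1000 comm="ls" exe="/usr/bin/ls" key="exec"
type=USER_LOGIN msg=audit(1586343405.000:4514): pid=2201 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1586343406.000:4515): pid=2202 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1586343407.000:4516): pid=2203 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1586343420.000:4517): pid=2204 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="alice" exe="/usr/sbin/sshd" hostname=? addr=198.51.100.9 terminal=ssh res=success'
"""


def run_sample():
    """Parse the constructed log and return the alerts the two rules raise."""
    return detect(aggregate(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Grouping by serial matters because the module name and the syscall that loaded it arrive in separate records; a line-at-a-time rule would see a KERN_MODULE record with no process context. The login rule keys on the address inside the nested msg body, which is why the field parser recurses into it.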

Tip

You can simulate Linux alerts by downloading Azure Security Center Playbook: Linux Detections.

Threat protection for Azure App Service

Note

This service is not currently available in Azure government and sovereign cloud regions.

Security Center uses the scale of the cloud to identify attacks targeting applications running over App Service. Attackers probe web applications to find and exploit weaknesses. Before being routed to specific environments, requests to applications running in Azure go through several gateways, where they're inspected and logged. This data is then used to identify exploits and attackers, and to learn new patterns that will be used later.

By using the visibility that Azure has as a cloud provider, Security Center analyzes App Service internal logs to identify attack methodology on multiple targets. For example, methodology includes widespread scanning and distributed attacks. This type of attack typically comes from a small subset of IPs, and shows patterns of crawling to similar endpoints on multiple hosts. The attacks are searching for a vulnerable page or plugin, and can't be identified from the standpoint of a single host.

If you're running a Windows-based App Service plan, Security Center also has access to the underlying sandboxes and VMs. Together with the log data mentioned above, the infrastructure can tell the story, from a new attack circulating in the wild to compromises in customer machines. Therefore, even if Security Center is deployed after a web app has been exploited, it may be able to detect ongoing attacks.

For a list of the Azure App Service alerts, see the Reference table of alerts.

For more information on App Service plans, see App Service plans.

Threat protection for Azure containers

Note

This service is not currently available in Azure government and sovereign cloud regions.

Security Center provides real-time threat protection for your containerized environments and generates alerts for suspicious activities. You can use this information to quickly remediate security issues and improve the security of your containers.

Security Center provides threat protection at different levels:

  • Host level - Security Center's agent (available on the Standard tier, see pricing for details) monitors Linux hosts for suspicious activities. The agent triggers alerts for suspicious activities originating from the node or from a container running on it. Examples of such activities include web shell detection and connections with known suspicious IP addresses.

    For a deeper insight into the security of your containerized environment, the agent monitors container-specific analytics. It will trigger alerts for events such as privileged container creation, suspicious access to API servers, and Secure Shell (SSH) servers running inside a Docker container.

    Important

    If you choose not to install the agents on your hosts, you will only receive a subset of the threat protection benefits and security alerts. You'll still receive alerts related to network analysis and communications with malicious servers.

    For a list of the host level alerts, see the Reference table of alerts.

  • At the AKS cluster level, the threat protection is based on analyzing Kubernetes audit logs. To enable this agentless monitoring, add the Kubernetes option to your subscription from the Pricing & settings page (see pricing). To generate alerts at this level, Security Center monitors your AKS-managed services using the logs retrieved by AKS. Examples of events at this level include exposed Kubernetes dashboards, creation of high-privileged roles, and the creation of sensitive mounts.

    Note

    Security Center generates security alerts for Azure Kubernetes Service actions and deployments occurring after the Kubernetes option is enabled on the subscription settings.

    For a list of the AKS cluster level alerts, see the Reference table of alerts.
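As an illustration of the kind of rule that runs over Kubernetes audit logs at the cluster level, the following Python script is an added example, not code from this article or from Security Center. It reads constructed audit events in the audit.k8s.io/v1 Event shape that the API server's audit backend emits and flags three of the event kinds named above: creation of a privileged container, creation of a pod that mounts a sensitive host path, and creation of a ClusterRoleBinding to cluster-admin (with a wildcard-role check alongside it). It only alerts on the ResponseComplete stage of a successful request, so the RequestReceived copy of the same request and requests the server rejected do not produce alerts. The list of sensitive host paths, the sample events and the user names are assumptions.

```python
import json

# Host paths whose mount into a container is treated as sensitive (assumption, not Security Center's list)
SENSITIVE_HOST_PATHS = ("/", "/etc", "/proc", "/var/run/docker.sock", "/var/lib/kubelet")


def is_sensitive_host_path(path):
    """True when path is, or lies under, one of the sensitive host paths."""
    if path == "/":
        return True
    return any(path == p or path.startswith(p + "/") for p in SENSITIVE_HOST_PATHS if p != "/")


def pod_findings(spec):
    """Findings for a pod spec: privileged containers and sensitive hostPath volumes."""
    findings = []
    for container in spec.get("containers", []) + spec.get("initContainers", []):
        if container.get("securityContext", {}).get("privileged") is True:
            findings.append(("privileged_container", container.get("name")))
    for volume in spec.get("volumes", []):
        path = volume.get("hostPath", {}).get("path")
        if path and is_sensitive_host_path(path):
            findings.append(("sensitive_host_mount", path))
    return findings


def rbac_findings(resource, obj):
    """Findings for RBAC objects: cluster-admin bindings and wildcard verb/resource roles."""
    findings = []
    if resource == "clusterrolebindings" and obj.get("roleRef", {}).get("name") == "cluster-admin":
        subjects = ",".join(s.get("name", "?") for s in obj.get("subjects", []))
        findings.append(("cluster_admin_binding", subjects))
    if resource in ("clusterroles", "roles"):
        for rule in obj.get("rules", []):
            if "*" in rule.get("verbs", []) and "*" in rule.get("resources", []):
                findings.append(("wildcard_role", obj.get("metadata", {}).get("name")))
                break
    return findings


def detect(events):
    """Run the rules over audit events; only completed, successful create requests count."""
    alerts = []
    for event in events:
        # The API server logs several stages per request: alert once, on the completed one,
        # and ignore requests it rejected (authorization failure, admission denial).
        if event.get("stage") != "ResponseComplete" or event.get("verb") != "create":
            continue
        if event.get("responseStatus", {}).get("code", 0) >= 300:
            continue
        ref = event.get("objectRef", {})
        obj = event.get("requestObject") or {}
        resource = ref.get("resource")
        if resource == "pods":
            findings = pod_findings(obj.get("spec", {}))
        elif resource in ("clusterrolebindings", "clusterroles", "roles"):
            findings = rbac_findings(resource, obj)
        else:
            findings = []
        for rule, detail in findings:
            alerts.append({"rule": rule, "detail": detail, "auditID": event.get("auditID"),
                           "user": event.get("user", {}).get("username"),
                           "namespace": ref.get("namespace"), "name": ref.get("name")})
    return alerts


def _event(audit_id, resource, name, request_obj, stage="ResponseComplete", code=201,
           namespace="default", user="deployer@example.com"):
    """Build a constructed audit.k8s.io/v1 Event for a create request (sample data only)."""
    return {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": audit_id,
            "stage": stage, "verb": "create", "user": {"username": user},
            "objectRef": {"resource": resource, "namespace": namespace, "name": name},
            "requestObject": request_obj, "responseStatus": {"code": code}}


PRIVILEGED_POD = {"spec": {
    "containers": [{"name": "dbg", "image": "busybox", "securityContext": {"privileged": True}}],
    "volumes": [{"name": "sock", "hostPath": {"path": "/var/run/docker.sock"}}]}}
ADMIN_BINDING = {"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
                 "subjects": [{"kind": "ServiceAccount", "name": "ops", "namespace": "default"}]}

# Constructed sample: a benign pod, a privileged pod logged at two stages,
# a cluster-admin binding, and a cluster-admin binding the server rejected.
SAMPLE_EVENTS = [
    _event("a1", "pods", "web", {"spec": {"containers": [{"name": "web", "image": "nginx"}]}}),
    _event("a2", "pods", "dbg", PRIVILEGED_POD, stage="RequestReceived", code=0),
    _event("a2", "pods", "dbg", PRIVILEGED_POD),
    _event("a3", "clusterrolebindings", "ops-admin", ADMIN_BINDING, namespace=None),
    _event("a4", "clusterrolebindings", "oops", ADMIN_BINDING, code=403, user="intern@example.com"),
]


def run_sample():
    """Audit logs arrive as JSON lines; round-trip the sample through JSON to use the same path."""
    lines = [json.dumps(e) for e in SAMPLE_EVENTS]
    return detect(json.loads(line) for line in lines)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The stage filter is the part most often missed when writing rules over these logs: without it every create request is counted twice, and denied requests (which are still logged, with a 4xx response code) are reported as if they had succeeded.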

Also, our global team of security researchers constantly monitors the threat landscape. They add container-specific alerts and vulnerabilities as they're discovered.

Tip

You can simulate container alerts by following the instructions in this blog post.

Threat protection for SQL Database and SQL Data Warehouse

Advanced Threat Protection for Azure SQL Database detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.

You'll see alerts when there are suspicious database activities, potential vulnerabilities, or SQL injection attacks, and anomalous database access and query patterns.

Advanced Threat Protection for Azure SQL Database and SQL is part of the Advanced Data Security (ADS) unified package for advanced SQL security capabilities, covering Azure SQL Databases, Azure SQL Database managed instances, Azure SQL Data Warehouse databases, and SQL servers on Azure Virtual Machines.

For more information, see:

Threat protection for Azure Storage

Note

This service is available in US government clouds, but not in other sovereign or Azure government cloud regions.

Advanced Threat Protection for Storage (currently available for Blob storage only) detects unusual and potentially harmful attempts to access or exploit storage accounts. This layer of protection allows you to address threats without requiring you to be a security expert, and helps you manage your security monitoring systems.

For more information, see:

Tip

You can simulate Azure Storage alerts by following the instructions in this blog post.

Threat protection for Azure Cosmos DB

The Azure Cosmos DB alerts are generated by unusual and potentially harmful attempts to access or exploit Azure Cosmos DB accounts.

For more information, see:

Threat protection for Azure network layer

Security Center network-layer analytics are based on sampled IPFIX data (packet headers collected by Azure core routers). Based on this data feed, Security Center uses machine learning models to identify and flag malicious traffic activities. Security Center also uses the Microsoft Threat Intelligence database to enrich IP addresses.

Some network configurations may restrict Security Center from generating alerts on suspicious network activity. For Security Center to generate network alerts, ensure that:

  • Your virtual machine has a public IP address (or is on a load balancer with a public IP address).

  • Your virtual machine's network egress traffic isn't blocked by an external IDS solution.

  • Your virtual machine has been assigned the same IP address for the entire hour during which the suspicious communication occurred. This also applies to VMs created as part of a managed service (for example, AKS, Databricks).
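The three conditions above come down to one question: can a sampled flow be tied to a specific VM for the whole hour in which it was seen? The following Python script is an added example, not code from this article or from Security Center, and models only the attribution and threat-intelligence enrichment steps, not the machine learning models. It takes constructed flow records in place of sampled IPFIX headers, a constructed public IP assignment history and a constructed threat intelligence list; flows whose public IP was not held by a single VM for the full clock hour are set aside with a reason instead of producing an alert, which is the third condition above made concrete.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

UTC = timezone.utc


@dataclass(frozen=True)
class Assignment:
    """One interval during which a public IP was attached to a VM (constructed inventory)."""
    vm: str
    ip: str
    start: datetime
    end: Optional[datetime]  # None: still assigned


@dataclass(frozen=True)
class Flow:
    """Stand-in for one sampled IPFIX record: only the header fields this example needs."""
    ts: datetime
    src: str
    dst: str
    dst_port: int


def hour_window(ts):
    """The clock hour containing ts, as [start, end)."""
    start = ts.replace(minute=0, second=0, microsecond=0)
    return start, start + timedelta(hours=1)


def vm_for_ip(assignments, ip, ts):
    """VM that held `ip` for the entire hour containing `ts`, or None when attribution is unsafe."""
    h_start, h_end = hour_window(ts)
    for a in assignments:
        if a.ip == ip and a.start <= h_start and (a.end is None or a.end >= h_end):
            return a.vm
    return None


def analyze(flows, assignments, threat_intel):
    """Attribute each flow to a VM, enrich the remote side with threat intelligence, alert on hits."""
    monitored = {a.ip for a in assignments}  # public IPs that have ever been attached to a VM
    alerts, skipped = [], []
    for flow in flows:
        if flow.dst in monitored:
            local, remote, direction = flow.dst, flow.src, "inbound"
        elif flow.src in monitored:
            local, remote, direction = flow.src, flow.dst, "outbound"
        else:
            skipped.append((flow, "neither address is a monitored public IP"))
            continue
        vm = vm_for_ip(assignments, local, flow.ts)
        if vm is None:
            skipped.append((flow, f"{local} not held by one VM for the whole hour"))
            continue
        if remote in threat_intel:
            alerts.append({"vm": vm, "direction": direction, "remote": remote,
                           "port": flow.dst_port, "intel": threat_intel[remote],
                           "hour": hour_window(flow.ts)[0].isoformat()})
    return alerts, skipped


# Constructed data. 192.0.2.20 moved from vm-old to vm-batch at 10:30, mid-hour.
ASSIGNMENTS = [
    Assignment("vm-web", "192.0.2.10", datetime(2020, 4, 7, 9, 0, tzinfo=UTC), None),
    Assignment("vm-old", "192.0.2.20", datetime(2020, 4, 1, 0, 0, tzinfo=UTC),
               datetime(2020, 4, 8, 10, 30, tzinfo=UTC)),
    Assignment("vm-batch", "192.0.2.20", datetime(2020, 4, 8, 10, 30, tzinfo=UTC), None),
]
THREAT_INTEL = {"203.0.113.66": "constructed entry: scanner"}
FLOWS = [
    Flow(datetime(2020, 4, 8, 10, 45, tzinfo=UTC), "203.0.113.66", "192.0.2.10", 22),
    Flow(datetime(2020, 4, 8, 10, 45, tzinfo=UTC), "192.0.2.20", "203.0.113.66", 443),
    Flow(datetime(2020, 4, 8, 11, 20, tzinfo=UTC), "203.0.113.66", "192.0.2.20", 3389),
    Flow(datetime(2020, 4, 8, 10, 50, tzinfo=UTC), "198.51.100.77", "192.0.2.10", 443),
    Flow(datetime(2020, 4, 8, 10, 52, tzinfo=UTC), "198.51.100.5", "192.0.2.99", 80),
]


def run_sample():
    """Run the analysis over the constructed flows and return (alerts, skipped)."""
    return analyze(FLOWS, ASSIGNMENTS, THREAT_INTEL)


if __name__ == "__main__":
    alerts, skipped = run_sample()
    for alert in alerts:
        print("ALERT", alert)
    for flow, reason in skipped:
        print("SKIP ", flow.ts.isoformat(), flow.src, "->", flow.dst, reason)
```

In the sample, the outbound flow from 192.0.2.20 at 10:45 to the threat-intelligence address is not attributed to either VM, because neither held that address for all of 10:00 to 11:00; the same address at 11:20 is attributed to vm-batch and does alert. Keeping the skipped flows, with the reason, is what lets an operator explain a missing alert rather than assume the traffic never happened.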

For a list of the Azure network layer alerts, see the Reference table of alerts.

For details of how Security Center can use network-related signals to apply threat protection, see Heuristic DNS detections in Security Center.

Threat protection for Azure management layer (Azure Resource Manager) (Preview)

Security Center's protection layer based on Azure Resource Manager is currently in preview.

Security Center offers an additional layer of protection by using events from Azure Resource Manager, which is considered the control plane for Azure. By analyzing the Azure Resource Manager records, Security Center detects unusual or potentially harmful operations in the Azure subscription environment.

For a list of the Azure Resource Manager (Preview) alerts, see the Reference table of alerts.

Note

Several of the preceding analytics are powered by Microsoft Cloud App Security. To benefit from these analytics, you must activate a Cloud App Security license. If you have a Cloud App Security license, then these alerts are enabled by default. To disable the alerts:

  1. In the Security Center blade, select Security policy. For the subscription you want to change, select Edit settings.
  2. Select Threat detection.
  3. Under Enable integrations, clear Allow Microsoft Cloud App Security to access my data, and select Save.

Note

Security Center stores security-related customer data in the same geo as its resource. If Microsoft hasn't yet deployed Security Center in the resource's geo, then it stores the data in the United States. When Cloud App Security is enabled, this information is stored in accordance with the geo location rules of Cloud App Security. For more information, see Data storage for non-regional services.

Threat protection for Azure Key Vault (Preview)

Note

This service is not currently available in Azure government and sovereign cloud regions.

Azure Key Vault is a cloud service that safeguards encryption keys and secrets like certificates, connection strings, and passwords.

Azure Security Center includes Azure-native, advanced threat protection for Azure Key Vault, providing an additional layer of security intelligence. Security Center detects unusual and potentially harmful attempts to access or exploit Key Vault accounts. This layer of protection allows you to address threats without being a security expert, and without the need to manage third-party security monitoring systems.

When anomalous activities occur, Security Center shows alerts and optionally sends them via email to subscription administrators. These alerts include the details of the suspicious activity and recommendations on how to investigate and remediate threats.

For a list of the Azure Key Vault alerts, see the Reference table of alerts.

Threat protection for other Microsoft services

Threat protection for Azure WAF

Azure Application Gateway offers a web application firewall (WAF) that provides centralized protection of your web applications from common exploits and vulnerabilities.

Web applications are increasingly targeted by malicious attacks that exploit commonly known vulnerabilities. The Application Gateway WAF is based on Core Rule Set 3.0 or 2.2.9 from the Open Web Application Security Project. The WAF is updated automatically to protect against new vulnerabilities.

If you have a license for Azure WAF, your WAF alerts are streamed to Security Center with no additional configuration needed. For more information on the alerts generated by WAF, see Web application firewall CRS rule groups and rules.

Threat protection for Azure DDoS Protection

Distributed denial of service (DDoS) attacks are known to be easy to execute. They've become a great security concern, particularly if you're moving your applications to the cloud.

A DDoS attack attempts to exhaust an application's resources, making the application unavailable to legitimate users. DDoS attacks can target any endpoint that can be reached through the internet.

To defend against DDoS attacks, purchase a license for Azure DDoS Protection and ensure you're following application design best practices. DDoS Protection provides different service tiers. For more information, see Azure DDoS Protection overview.

For a list of the Azure DDoS Protection alerts, see the Reference table of alerts.

Next steps

To learn more about the security alerts from these threat protection features, see the following articles: