Threat protection in Azure Security Center
When Security Center detects a threat in any area of your environment, it generates an alert. These alerts describe details of the affected resources, suggested remediation steps, and in some cases an option to trigger a logic app in response.
Azure Security Center's threat protection provides comprehensive defenses for your environment:
Threat protection for Azure compute resources: Windows machines, Linux machines, Azure App Service, and Azure containers
Threat protection for Azure data resources: SQL Database and SQL Data Warehouse, Azure Storage, and Azure Cosmos DB
Threat protection for Azure service layers: Azure network layer, Azure management layer (Azure Resource Manager) (Preview), and Azure Key Vault (Preview)
Whether an alert is generated by Security Center, or received by Security Center from a different security product, you can export it. To export your alerts to Azure Sentinel, any third-party SIEM, or any other external tool, follow the instructions in Exporting alerts to a SIEM.
Alerts from different sources might take different amounts of time to appear. For example, alerts that require analysis of network traffic might take longer to appear than alerts related to suspicious processes running on virtual machines.
To enable Security Center's threat protection capabilities, you must apply the standard pricing tier to the subscription containing the applicable workloads.
You can enable threat protection for Azure Storage accounts at either the subscription level or resource level. You can enable threat protection for Azure SQL Database SQL servers at either the subscription level or resource level. You can enable threat protection for Azure Database for MariaDB/ MySQL/ PostgreSQL at the resource level only.
Azure Security Center integrates with Azure services to monitor and protect your Windows-based machines. Security Center presents the alerts and remediation suggestions from all of these services in an easy-to-use format.
Microsoft Defender Advanced Threat Protection (ATP) - Security Center extends its cloud workload protection platforms by integrating with Microsoft Defender Advanced Threat Protection (ATP). Together, they provide comprehensive endpoint detection and response (EDR) capabilities.
The Microsoft Defender ATP sensor is automatically enabled on Windows servers that use Security Center.
When Microsoft Defender ATP detects a threat, it triggers an alert. The alert is shown on the Security Center dashboard. From the dashboard, you can pivot to the Microsoft Defender ATP console, and perform a detailed investigation to uncover the scope of the attack. For more information about Microsoft Defender ATP, see Onboard servers to the Microsoft Defender ATP service.
Fileless attack detection - Fileless attacks inject malicious payloads into memory to avoid detection by disk-based scanning techniques. The attacker’s payload then persists within the memory of compromised processes and performs a wide range of malicious activities.
With fileless attack detection, automated memory forensic techniques identify fileless attack toolkits, techniques, and behaviors. This solution periodically scans your machine at runtime, and extracts insights directly from the memory of processes. Specific insights for Linux include the identification of:
- Well-known toolkits and crypto mining software
- Shellcode, which is a small piece of code typically used as the payload in the exploitation of a software vulnerability.
- Injected malicious executable in process memory
Fileless attack detection generates detailed security alerts containing the descriptions with additional process metadata, such as network activity. This accelerates alert triage, correlation, and downstream response time. This approach complements event based EDR solutions, and provides increased detection coverage.
For details of the fileless attack detection alerts, see the Reference table of alerts.
You can simulate Windows alerts by downloading Azure Security Center Playbook: Security Alerts.
Security Center collects audit records from Linux machines by using auditd, one of the most common Linux auditing frameworks. auditd lives in the mainline kernel.
Linux auditd alerts and Log Analytics agent integration - The auditd system consists of a kernel-level subsystem, which is responsible for monitoring system calls. It filters them by a specified rule set, and writes messages for them to a socket. Security Center integrates functionalities from the auditd package within the Log Analytics agent. This integration enables collection of auditd events in all supported Linux distributions, without any prerequisites.
auditd records are collected, enriched, and aggregated into events by using the Log Analytics agent for Linux agent. Security Center continuously adds new analytics that use Linux signals to detect malicious behaviors on cloud and on-premises Linux machines. Similar to Windows capabilities, these analytics span across suspicious processes, dubious sign-in attempts, kernel module loading, and other activities. These activities can indicate a machine is either under attack or has been breached.
For a list of the Linux alerts, see the Reference table of alerts.
You can simulate Linux alerts by downloading Azure Security Center Playbook: Linux Detections.
This service is not currently available in Azure government and sovereign cloud regions.
Security Center uses the scale of the cloud to identify attacks targeting applications running over App Service. Attackers probe web applications to find and exploit weaknesses. Before being routed to specific environments, requests to applications running in Azure go through several gateways, where they're inspected and logged. This data is then used to identify exploits and attackers, and to learn new patterns that will be used later.
By using the visibility that Azure has as a cloud provider, Security Center analyzes App Service internal logs to identify attack methodology on multiple targets. For example, methodology includes widespread scanning and distributed attacks. This type of attack typically comes from a small subset of IPs, and shows patterns of crawling to similar endpoints on multiple hosts. The attacks are searching for a vulnerable page or plugin, and can't be identified from the standpoint of a single host.
If you're running a Windows-based App Service plan, Security Center also has access to the underlying sandboxes and VMs. Together with the log data mentioned above, the infrastructure can tell the story, from a new attack circulating in the wild to compromises in customer machines. Therefore, even if Security Center is deployed after a web app has been exploited, it may be able to detect ongoing attacks.
For a list of the Azure App Service alerts, see the Reference table of alerts.
For more information on App Service plans, see App Service plans.
|Release state:||Generally Available|
|Required roles and permissions:||Security admin can dismiss alerts.
Security reader can view findings.
|Clouds:|| Commercial clouds
National/Sovereign (US Gov, China Gov, Other Gov)
Security Center provides real-time threat protection for your containerized environments and generates alerts for suspicious activities. You can use this information to quickly remediate security issues and improve the security of your containers.
Security Center provides threat protection at different levels:
Host level - The Log Analytics agent monitors Linux for suspicious activities. The agent triggers alerts for suspicious activities originating from the node or a container running on it. Examples of such activities include web shell detection and connection with known suspicious IP addresses.
For a deeper insight into the security of your containerized environment, the agent monitors container-specific analytics. It will trigger alerts for events such as privileged container creation, suspicious access to API servers, and Secure Shell (SSH) servers running inside a Docker container.
If you choose not to install the agents on your hosts, you will only receive a subset of the threat protection benefits and security alerts. You'll still receive alerts related to network analysis and communications with malicious servers.
For a list of the AKS host level alerts, see the Reference table of alerts.
At the AKS cluster level, the threat protection is based on analyzing Kubernetes' audit logs. To enable this agentless monitoring, add the Kubernetes option to your subscription from the Pricing & settings page (see pricing). To generate alerts at this level, Security Center monitors your AKS-managed services using the logs retrieved by AKS. Examples of events at this level include exposed Kubernetes dashboards, creation of high privileged roles, and the creation of sensitive mounts.
Security Center generates security alerts for Azure Kubernetes Service actions and deployments occurring after the Kubernetes option is enabled on the subscription settings.
For a list of the AKS cluster level alerts, see the Reference table of alerts.
Also, our global team of security researchers constantly monitor the threat landscape. They add container-specific alerts and vulnerabilities as they're discovered.
You can simulate container alerts by following the instructions in this blog post.
Advanced Threat Protection for Azure SQL Database detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.
You'll see alerts when there are suspicious database activities, potential vulnerabilities, or SQL injection attacks, and anomalous database access and query patterns.
Advanced Threat Protection for Azure SQL Database and SQL is part of the Advanced Data Security (ADS) unified package for advanced SQL security capabilities, covering Azure SQL Database, Azure SQL Managed Instances, Azure SQL Data Warehouse databases, and SQL servers on Azure Virtual Machines.
For more information, see:
- How to enable Advanced Threat Protection for Azure SQL Database
- How to enable Advanced Threat Protection for SQL servers on Azure Virtual Machines
- The list of threat protection alerts for SQL Database and SQL Data Warehouse
|Release state:||Blob Storage (general availability)
Azure Files (preview)
Azure Data Lake Storage Gen2 (preview)
|Clouds:|| Commercial clouds
China Gov, Other Gov
Threat protection for Azure Storage detects potentially harmful activity on your Azure Storage accounts. Your data can be protected whether it's stored as blob containers, file shares, or data lakes.
This layer of protection allows you to address threats without requiring you to be a security expert, and helps you manage your security monitoring systems.
Your storage accounts are protected
What kind of alerts does Threat protection for Azure Storage provide?
Security alerts are triggered when there's:
- Suspicious activity - for example, the storage account has been accessed successfully from an IP address that is known as an active exit node of Tor
- Anomalous behavior - for example, changes in the access pattern to a storage account
- Potential malware uploaded - hash reputation analysis indicates that an uploaded file contains malware
Alerts include details of the incident that triggered them, as well as recommendations on how to investigate and remediate threats.
What is hash reputation analysis for malware?
To determine whether an uploaded file is suspicious, threat protection for Azure Storage uses hash reputation analysis supported by Microsoft Threat Intelligence. The threat protection tools don’t scan the uploaded files, rather they examine the storage logs and compare the hashes of newly uploaded files with those of known viruses, trojans, spyware, and ransomware.
When a file is suspected to contain malware, Security Center displays an alert and can optionally email the storage owner for approval to delete the suspicious file. To set up this automatic removal of files that hash reputation analysis indicates contain malware, deploy a workflow automation to trigger on alerts that contain "Potential malware uploaded to a storage account”.
For pricing details, including a free 30-day trial, see the Azure Security Center pricing page.
For more information, see:
- How to enable Advanced Threat Protection for Azure Storage
- The list of threat protection alerts for Azure Storage
- Microsoft's threat intelligence capabilities
You can simulate storage alerts by following the instructions in this blog post.
The Azure Cosmos DB alerts are generated by unusual and potentially harmful attempts to access or exploit Azure Cosmos DB accounts.
For more information, see:
- Advanced Threat Protection for Azure Cosmos DB (Preview)
- The list of threat protection alerts for Azure Cosmos DB (Preview)
Security Center network-layer analytics are based on sample IPFIX data, which are packet headers collected by Azure core routers. Based on this data feed, Security Center uses machine learning models to identify and flag malicious traffic activities. Security Center also uses the Microsoft Threat Intelligence database to enrich IP addresses.
Some network configurations may restrict Security Center from generating alerts on suspicious network activity. For Security Center to generate network alerts, ensure that:
Your virtual machine has a public IP address (or is on a load balancer with a public IP address).
Your virtual machine's network egress traffic isn't blocked by an external IDS solution.
Your virtual machine has been assigned the same IP address for the entire hour during which the suspicious communication occurred. This also applies to VMs created as part of a managed service (for example, AKS, Databricks).
For a list of the Azure network layer alerts, see the Reference table of alerts.
For details of how Security Center can use network-related signals to apply threat protection, see Heuristic DNS detections in Security Center.
Security Center's protection layer based on Azure Resource Manager is currently in preview.
Security Center offers an additional layer of protection by using Azure Resource Manager events, which is considered to be the control plane for Azure. By analyzing the Azure Resource Manager records, Security Center detects unusual or potentially harmful operations in the Azure subscription environment.
For a list of the Azure Resource Manager (Preview) alerts, see the Reference table of alerts.
Several of the preceding analytics are powered by Microsoft Cloud App Security. To benefit from these analytics, you must activate a Cloud App Security license. If you have a Cloud App Security license, then these alerts are enabled by default. To disable the alerts:
- From Security Center's menu, select Pricing & settings.
- Select the subscription you want to change.
- Select Threat detection.
- Clear Allow Microsoft Cloud App Security to access my data, and select Save.
Security Center stores security-related customer data in the same geo as its resource. If Microsoft hasn't yet deployed Security Center in the resource's geo, then it stores the data in the United States. When Cloud App Security is enabled, this information is stored in accordance with the geo location rules of Cloud App Security. For more information, see Data storage for non-regional services.
Set the workspace on which you're installing the agent. Make sure the workspace is in the same subscription you use in Security Center and that you have read/write permissions on the workspace.
Set the standard pricing tier, and select Save.
This service is not currently available in Azure government and sovereign cloud regions.
Azure Key Vault is a cloud service that safeguards encryption keys and secrets like certificates, connection strings, and passwords.
Azure Security Center includes Azure-native, advanced threat protection for Azure Key Vault, providing an additional layer of security intelligence. Security Center detects unusual and potentially harmful attempts to access or exploit Key Vault accounts. This layer of protection allows you to address threats without being a security expert, and without the need to manage third-party security monitoring systems.
When anomalous activities occur, Security Center shows alerts and optionally sends them via email to subscription administrators. These alerts include the details of the suspicious activity and recommendations on how to investigate and remediate threats.
For a list of the Azure Key Vault alerts, see the Reference table of alerts.
Azure Application Gateway offers a web application firewall (WAF) that provides centralized protection of your web applications from common exploits and vulnerabilities.
Web applications are increasingly targeted by malicious attacks that exploit commonly known vulnerabilities. The Application Gateway WAF is based on Core Rule Set 3.0 or 2.2.9 from the Open Web Application Security Project. The WAF is updated automatically to protect against new vulnerabilities.
If you have a license for Azure WAF, your WAF alerts are streamed to Security Center with no additional configuration needed. For more information on the alerts generated by WAF, see Web application firewall CRS rule groups and rules.
Distributed denial of service (DDoS) attacks are known to be easy to execute. They've become a great security concern, particularly if you're moving your applications to the cloud.
A DDoS attack attempts to exhaust an application's resources, making the application unavailable to legitimate users. DDoS attacks can target any endpoint that can be reached through the internet.
To defend against DDoS attacks, purchase a license for Azure DDoS Protection and ensure you're following application design best practices. DDoS Protection provides different service tiers. For more information, see Azure DDoS Protection overview.
For a list of the Azure DDoS Protection alerts, see the Reference table of alerts.
To learn more about the security alerts from these threat protection features, see the following articles: