Tutorial: Triage, investigate, and respond to security alerts
Security Center continuously analyzes your hybrid cloud workloads using advanced analytics and threat intelligence to alert you about potentially malicious activities in your cloud resources. You can also integrate alerts from other security products and services into Security Center. Once an alert is raised, swift action is needed to investigate and remediate the potential security issue.
In this tutorial, you will learn how to:
- Triage security alerts
- Investigate a security alert to determine the root cause
- Respond to a security alert and mitigate that root cause
If you don't have an Azure subscription, create a free account before you begin.
To step through the features covered in this tutorial, you must have Azure Defender enabled. You can try Azure Defender at no cost. To learn more, see the pricing page. The quickstart Get started with Security Center walks you through how to upgrade.
Triage security alerts
Security Center provides a unified view of all security alerts. Security alerts are ranked based on the severity of the detected activity.
Triage your alerts from the Security alerts page:
Use this page to review the active security alerts in your environment to decide which alert to investigate first.
When triaging security alerts, prioritize alerts based on the alert severity by addressing alerts with higher severity first. Learn more about alerts severity in How are alerts classified?.
You can connect Azure Security Center to most popular SIEM solutions including Azure Sentinel and consume the alerts from your tool of choice. Learn more in Stream alerts to a SIEM, SOAR, or IT Service Management solution.
Investigate a security alert
When you've decided which alert to investigate first:
Select the desired alert.
From the alert overview page, select the resource to investigate first.
Begin your investigation from the left pane, which shows the high-level information about the security alert.
This pane shows:
- Alert severity, status, and activity time
- Description that explains the precise activity that was detected
- Affected resources
- Kill chain intent of the activity on the MITRE ATT&CK matrix
For more detailed information that can help you investigate the suspicious activity, examine the Alert details tab.
When you've reviewed the information on this page, you may have enough to proceed with a response. If you need further details:
- Contact the resource owner to verify whether the detected activity is a false positive.
- Investigate the raw logs generated by the attacked resource
Respond to a security alert
After investigating an alert and understanding its scope, you can respond to security alert from within Azure Security Center:
Open the Take action tab to see the recommended responses.
Review the Mitigate the threat section for the manual investigation steps necessary to mitigate the issue.
To harden your resources and prevent future attacks of this kind, remediate the security recommendations in the Prevent future attacks section.
To trigger a logic app with automated response steps, use the Trigger automated response section.
If the detected activity isn’t malicious, you can suppress future alerts of this kind using the Suppress similar alerts section.
When you've completed the investigation into the alert and responded in the appropriate way, change the status to Dismissed.
This removes the alert from the main alerts list. You can use the filter from the alerts list page to view all alerts with Dismissed status.
We encourage you to provide feedback about the alert to Microsoft:
Marking the alert as Useful or Not useful.
Select a reason and add a comment.
We review your feedback to improve our algorithms and provide better security alerts.
End the tutorial
Other quickstarts and tutorials in this collection build upon this quickstart. If you plan to continue to work with subsequent quickstarts and tutorials, keep automatic provisioning and Azure Defender enabled.
If you don't plan to continue, or you want to disable either of these features:
- Return to the Security Center main menu and select Pricing and settings.
- Select the relevant subscription.
- To downgrade, select Azure Defender off.
- To disable automatic provisioning, open the Data Collection page and set Auto provisioning to Off.
- Select Save.
Disabling automatic provisioning does not remove the Log Analytics agent from Azure VMs that already have the agent. Disabling automatic provisioning limits security monitoring for your resources.
In this tutorial, you learned about Security Center features to be used when responding to a security alert. For related material see: