View and configure DDoS protection alerts
Azure DDoS Protection Standard provides detailed attack insights and visualization with DDoS Attack Analytics. Customers protecting their virtual networks against DDoS attacks have detailed visibility into attack traffic and the actions taken to mitigate the attack through attack mitigation reports and mitigation flow logs. Rich telemetry is exposed via Azure Monitor, including detailed metrics for the duration of a DDoS attack. Alerting can be configured for any of the Azure Monitor metrics exposed by DDoS Protection. Logging can be further integrated with Microsoft Sentinel, Splunk (Azure Event Hubs), OMS Log Analytics, and Azure Storage for advanced analysis via the Azure Monitor Diagnostics interface.
In this tutorial, you'll learn how to:
- Configure alerts through Azure Monitor
- Configure alerts through portal
- View alerts in Microsoft Defender for Cloud
- Validate and test your alerts
Prerequisites
- If you don't have an Azure subscription, create a free account before you begin.
- Before you can complete the steps in this tutorial, you must first create an Azure DDoS Standard protection plan, and DDoS Protection Standard must be enabled on a virtual network.
- DDoS monitors public IP addresses assigned to resources within a virtual network. If you don't have any resources with public IP addresses in the virtual network, you must first create a resource with a public IP address. You can monitor the public IP address of all resources deployed through Resource Manager (not classic) listed in Virtual network for Azure services (including Azure Load Balancers where the backend virtual machines are in the virtual network), except for Azure App Service Environments. To continue with this tutorial, you can quickly create a Windows or Linux virtual machine.
Configure alerts through Azure Monitor
These templates let you configure alerts for all public IP addresses on which you have enabled diagnostic logging. To use them, you first need a Log Analytics workspace with diagnostic settings enabled. See View and configure DDoS diagnostic logging.
Azure Monitor alert rule
This Azure Monitor alert rule will run a simple query to detect when an active DDoS mitigation is occurring. This indicates a potential attack. Action groups can be used to invoke actions as a result of the alert.
Azure Monitor alert rule with Logic App
This template deploys the necessary components of an enriched DDoS mitigation alert: Azure Monitor alert rule, action group, and Logic App. The result of the process is an email alert with details about the IP address under attack, including information about the resource associated with the IP. The owner of the resource is added as a recipient of the email, along with the security team. A basic application availability test is also performed and the results are included in the email alert.
Configure alerts through portal
You can select any of the available DDoS protection metrics to alert you when there’s an active mitigation during an attack, using the Azure Monitor alert configuration.
Sign in to the Azure portal and browse to your DDoS Protection Plan.
Under Monitoring, select Alerts.
Select the + New Alert Rule button or select + Create on the navigation bar, then select Alert rule.
Close the Select a Signal page.
On the Create an alert rule page, you'll see the following tabs:
- Scope
- Condition
- Actions
- Details
- Tags
- Review + create
For each step use the values described below:
Scope:
1) Select + Select Scope.
2) From the Filter by subscription dropdown list, select the Subscription that contains the public IP address you want to log.
3) From the Filter by resource type dropdown list, select Public IP Address, then select the specific public IP address you want to log metrics for.
4) Select Done.
Condition:
1) Select the + Add Condition button.
2) In the Search by signal name search box, select Under DDoS attack or not.
3) Leave Chart period and Alert Logic as default.
4) From the Operator drop-down, select Greater than or equal to.
5) From the Aggregation type drop-down, select Maximum.
6) In the Threshold value box, enter 1. For the Under DDoS attack or not metric, 0 means you're not under attack while 1 means you are under attack.
7) Select Done.
Actions:
1) Select the + Create action group button.
2) On the Basics tab, select your subscription, a resource group and provide the Action group name and Display name.
3) On the Notifications tab, under Notification type, select Email/SMS message/Push/Voice.
4) Under Name, enter MyUnderAttackEmailAlert.
5) On the Email/SMS message/Push/Voice page enter the Email and as many of the available options you require, and then select OK.
6) Select Review + create and then select Create.
Details:
1) Under Alert rule name, enter MyDdosAlert.
2) Select Review + create and then select Create.
Within a few minutes of attack detection, you should receive an email from Azure Monitor metrics that looks similar to the following picture:

You can also learn more about configuring webhooks and logic apps for creating alerts.
View alerts in Microsoft Defender for Cloud
Microsoft Defender for Cloud provides a list of security alerts, with information to help investigate and remediate problems. With this feature, you get a unified view of alerts, including DDoS attack-related alerts and the actions taken to mitigate the attack in near real time. There are two specific alerts that you will see for any DDoS attack detection and mitigation:
- DDoS Attack detected for Public IP: This alert is generated when the DDoS protection service detects that one of your public IP addresses is the target of a DDoS attack.
- DDoS Attack mitigated for Public IP: This alert is generated when an attack on the public IP address has been mitigated.
To view the alerts, open Defender for Cloud in the Azure portal and select Security alerts. Under Threat Protection, select Security alerts. The following screenshot shows an example of the DDoS attack alerts.

The alerts include general information about the public IP address that’s under attack, geo and threat intelligence information, and remediation steps.
Validate and test
To simulate a DDoS attack to validate your alerts, see Validate DDoS detection.
Next steps
In this tutorial, you learned how to:
- Configure alerts through Azure Monitor
- Configure alerts through portal
- View alerts in Microsoft Defender for Cloud
- Validate and test your alerts
To learn how to test and simulate a DDoS attack, see the simulation testing guide: