Responding and Managing Security alerts in Azure Security Center



In this tutorial, we will learn about managing and responding to security alerts in Azure Security Center, and walk through what to do with the alerts you receive in order to protect your resources.

Security alerts overview

Security Center automatically collects, analyzes, and integrates log data from your Azure resources, the network, and connected partner solutions, such as firewall and endpoint protection solutions, in order to detect real threats and reduce false positives. It shows a prioritized list of security alerts together with the information you need to quickly investigate the problem and work out how to remediate the attack.


Managing your security alerts

  • Firstly, from the Security Center dashboard, look at the Threat protection tile for an overview of the alerts.
  • Secondly, click the tile to see more details about the alerts.
  • Thirdly, to filter the alerts shown, click Filter, and then from the Filter blade that opens, select the filter options you want to apply. The list updates according to the selected filters, which makes filtering very helpful for triage.

Responding to security alerts

  • Firstly, from the Security alerts list, click a security alert.
  • Secondly, after reviewing the information, click a resource that was attacked. The left pane of the security alert page displays high-level information about the alert: title, severity, status, activity time, a description of the suspicious activity, and the affected resource.
  • The right pane includes the Alert details tab, which contains further details to help you investigate the issue, such as IP addresses, files, processes, and more.
  • The right pane also has a Take action tab. Use this tab to take further action on the security alert. Actions include:
  1. Firstly, Mitigate the threat, which provides manual remediation steps for this security alert
  2. Secondly, Prevent future attacks, which provides security recommendations to help reduce the attack surface, improve your security posture, and thus prevent future attacks
  3. Thirdly, Trigger automated response, which provides the option to trigger a logic app in response to this security alert
  4. Lastly, Suppress similar alerts, which provides the option to suppress future alerts with similar characteristics if the alert isn’t relevant for your organization

Change the status of multiple security alerts at once

Checkboxes are included in the alerts list, allowing you to address numerous alerts at once. For example, for triage purposes you may choose to dismiss all informational alerts for a given resource.

  • Filter by the alerts you wish to deal with in bulk.
    • For the resource ‘ASC-AKS-CLOUD-TALK,’ we’ve picked all alerts with a severity of ‘Informational.’
  • Select the alerts to be processed using the checkboxes, or use the checkbox at the top of the list to select them all.
    • We’ve selected all alerts in this example. The Change status button is now available.
  • Set the required status using the Change status options.
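The filtering step from "Managing your security alerts" and the bulk status change above come down to the same two operations: select alerts by severity and affected resource, then apply one status to the whole selection. The script below is an added example, not code from this tutorial or from Microsoft. The alert records in it are constructed, and the field names it reads (properties.severity, properties.status, properties.compromisedEntity, properties.alertDisplayName) and the status set it accepts are assumptions about the shape of the Security Center alerts payload; check them against the API version you actually call before pointing this at real data.

```python
"""Bulk triage of Security Center alerts: filter by severity and affected
resource, then plan a status change for the selected alerts.

Added example; not code from the tutorial or from Microsoft. The alert records
are constructed. The field names (properties.severity, properties.status,
properties.compromisedEntity, properties.alertDisplayName) follow the shape of
the Security Center alerts API payload as an assumption; verify them against
the API version you use before reusing this on real data.
"""
from collections import Counter

# Constructed sample alerts, shaped like items of an alert list response.
# The "name" values are made-up placeholders, not real alert IDs.
SAMPLE_ALERTS = [
    {"name": "alert-0001", "properties": {
        "alertDisplayName": "Suspicious kubectl invocation",
        "severity": "Informational", "status": "Active",
        "compromisedEntity": "ASC-AKS-CLOUD-TALK"}},
    {"name": "alert-0002", "properties": {
        "alertDisplayName": "New high-privilege role detected",
        "severity": "Informational", "status": "Active",
        "compromisedEntity": "ASC-AKS-CLOUD-TALK"}},
    {"name": "alert-0003", "properties": {
        "alertDisplayName": "Digital currency mining container",
        "severity": "High", "status": "Active",
        "compromisedEntity": "ASC-AKS-CLOUD-TALK"}},
    {"name": "alert-0004", "properties": {
        "alertDisplayName": "Login from an unusual location",
        "severity": "Informational", "status": "Active",
        "compromisedEntity": "VM-WEB-01"}},
    {"name": "alert-0005", "properties": {
        "alertDisplayName": "Suspicious kubectl invocation",
        "severity": "Informational", "status": "Dismissed",
        "compromisedEntity": "ASC-AKS-CLOUD-TALK"}},
]

# Status values the portal's Change status menu offers (assumed set).
VALID_STATUSES = {"Active", "InProgress", "Resolved", "Dismissed"}


def filter_alerts(alerts, severity=None, resource=None, status=None):
    """Return the alerts matching every given criterion (None = no filter).
    Matching is case-insensitive, mirroring the portal's Filter blade."""
    def norm(value):
        return (value or "").lower()

    selected = []
    for alert in alerts:
        props = alert.get("properties", {})
        if severity and norm(props.get("severity")) != norm(severity):
            continue
        if resource and norm(props.get("compromisedEntity")) != norm(resource):
            continue
        if status and norm(props.get("status")) != norm(status):
            continue
        selected.append(alert)
    return selected


def plan_status_change(alerts, new_status):
    """Build the list of per-alert status changes for a bulk update.
    Alerts already in the target status are skipped so the plan only holds
    real transitions; the caller applies each entry with one update call."""
    if new_status not in VALID_STATUSES:
        raise ValueError(f"unknown status {new_status!r}; "
                         f"expected one of {sorted(VALID_STATUSES)}")
    changes = []
    for alert in alerts:
        current = alert["properties"].get("status")
        if current == new_status:
            continue
        changes.append({"id": alert["name"], "from": current, "to": new_status,
                        "title": alert["properties"].get("alertDisplayName")})
    return changes


def severity_summary(alerts):
    """Count alerts per severity: the overview the Threat protection tile gives."""
    return Counter(a["properties"].get("severity", "Unknown") for a in alerts)


if __name__ == "__main__":
    print("overview:", dict(severity_summary(SAMPLE_ALERTS)))
    picked = filter_alerts(SAMPLE_ALERTS, severity="Informational",
                           resource="ASC-AKS-CLOUD-TALK")
    for change in plan_status_change(picked, "Dismissed"):
        print(f"{change['id']}: {change['from']} -> {change['to']}  "
              f"({change['title']})")
```

Keeping the plan separate from the update itself is deliberate: you can print or log the plan (alert ID, old status, new status, title) before anything is changed, which gives the same "review the selection, then click Change status" checkpoint the portal gives you, and leaves an audit trail of what was dismissed and why.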

Reference: Microsoft Documentation
