Alerts

Azure Monitor Alert Overview

Azure Monitor Alerts are a feature within Azure Monitor, designed to proactively notify you of potential issues, suspicious activities, and security threats in your Azure environment.

Key Concepts for Alerts in Azure Monitor

Define Alert Criteria: Identify the specific conditions that should trigger an alert based on your threat-hunting objectives.
Create Alert Rules: Configure alert rules to specify the conditions and actions for the alerts.
Set Up Action Groups: Define the actions to take when an alert is triggered, such as sending notifications or executing automated responses.
Monitor and Refine: Continuously monitor the effectiveness of your alerts and refine them as needed.

Step-by-Step Guide to Creating Alerts

Step 1: Access Azure Monitor

Log in to Azure Portal: Go to Azure Portal and log in with your credentials.
Navigate to Azure Monitor: Use the search bar to find and select "Azure Monitor".

Step 2: Define Alert Criteria

Determine the specific conditions that you want to monitor. Common criteria for threat hunters include:

Multiple failed login attempts.
Unusual access patterns.
High-severity security alerts.

Step 3: Create Alert Rules

Go to Alerts: In the Azure Monitor overview pane, select "Alerts".
Create New Alert Rule:
- Click on New Alert Rule.
- Select the target resource (e.g., a Log Analytics Workspace, virtual machine, or specific Azure resource).
Define the Condition:
- Click on Add condition.
- Select the appropriate signal type (e.g., log search, metric, activity log).
- Use Kusto Query Language (KQL) to define the specific condition. For example, to detect multiple failed login attempts:
  SecurityEvent | where EventID == 4625 | summarize FailedLogins = count() by bin(TimeGenerated, 1h), IPAddress | where FailedLogins > 10
Configure Alert Details:
- Provide a name and description for the alert rule.
- Set the severity level (e.g., Sev 0 - Critical, Sev 1 - Warning, etc.).
- Define the evaluation criteria (e.g., how often the condition should be evaluated).

Step 4: Set Up Action Groups

Add Action Group:
- In the alert rule creation pane, click on Add action group.
- Create a new action group or select an existing one.
Define Actions:
- Configure the actions to take when the alert is triggered. Common actions include:
  - Sending email notifications to specific recipients.
  - Sending SMS messages.
  - Triggering a Logic App to automate response actions (e.g., blocking an IP address).
  - Running an Azure Automation runbook to execute custom scripts.
- Provide necessary details for each action type (e.g., email addresses, phone numbers, or Logic App URIs).

Step 5: Review and Create

Review Alert Rule:
- Review the configured alert rule, conditions, and actions.
Create Alert Rule:
- Click on Create to save and activate the alert rule.

Example Alert Scenarios

Multiple Failed Login Attempts

Condition:

KQL Query:

SecurityEvent
| where EventID == 4625
| summarize FailedLogins = count() by bin(TimeGenerated, 1h), IPAddress
| where FailedLogins > 10

Action:
- Send email notification to the security team.
- Trigger a Logic App to block the offending IP address.

High-Severity Security Alerts

Condition:

KQL Query:

SecurityAlert
| where Severity == "High"
| summarize count() by bin(TimeGenerated, 1h), AlertName

Action:
- Send SMS notification to the on-call security analyst.
- Trigger an Azure Automation runbook to collect additional forensic data.

Monitoring and Refining Alerts

Monitor Alert Effectiveness:
- Regularly review the alerts to ensure they are firing as expected and providing useful information.
Refine Alert Conditions:
- Adjust the alert conditions and thresholds based on observed patterns and feedback to reduce false positives and improve accuracy.
Update Action Groups:
- Periodically review and update the action groups to ensure that the correct contacts and response actions are in place.

PreviousDashboards NextAutomation

Last updated 25 days ago