Alerts
Azure Monitor Alert Overview
Azure Monitor Alerts are a feature within Azure Monitor, designed to proactively notify you of potential issues, suspicious activities, and security threats in your Azure environment.
Key Concepts for Alerts in Azure Monitor
Define Alert Criteria: Identify the specific conditions that should trigger an alert based on your threat-hunting objectives.
Create Alert Rules: Configure alert rules to specify the conditions and actions for the alerts.
Set Up Action Groups: Define the actions to take when an alert is triggered, such as sending notifications or executing automated responses.
Monitor and Refine: Continuously monitor the effectiveness of your alerts and refine them as needed.
Step-by-Step Guide to Creating Alerts
Step 1: Access Azure Monitor
Log in to Azure Portal: Go to Azure Portal and log in with your credentials.
Navigate to Azure Monitor: Use the search bar to find and select "Azure Monitor".
Step 2: Define Alert Criteria
Determine the specific conditions that you want to monitor. Common criteria for threat hunters include:
Multiple failed login attempts.
Unusual access patterns.
High-severity security alerts.
Step 3: Create Alert Rules
Go to Alerts: In the Azure Monitor overview pane, select "Alerts".
Create New Alert Rule:
Click on New Alert Rule.
Select the target resource (e.g., a Log Analytics Workspace, virtual machine, or specific Azure resource).
Define the Condition:
Click on Add condition.
Select the appropriate signal type (e.g., log search, metric, activity log).
Use Kusto Query Language (KQL) to define the specific condition. For example, to detect multiple failed login attempts:
Configure Alert Details:
Provide a name and description for the alert rule.
Set the severity level (e.g., Sev 0 - Critical, Sev 1 - Warning, etc.).
Define the evaluation criteria (e.g., how often the condition should be evaluated).
Step 4: Set Up Action Groups
Add Action Group:
In the alert rule creation pane, click on Add action group.
Create a new action group or select an existing one.
Define Actions:
Configure the actions to take when the alert is triggered. Common actions include:
Sending email notifications to specific recipients.
Sending SMS messages.
Triggering a Logic App to automate response actions (e.g., blocking an IP address).
Running an Azure Automation runbook to execute custom scripts.
Provide necessary details for each action type (e.g., email addresses, phone numbers, or Logic App URIs).
Step 5: Review and Create
Review Alert Rule:
Review the configured alert rule, conditions, and actions.
Create Alert Rule:
Click on Create to save and activate the alert rule.
Example Alert Scenarios
Multiple Failed Login Attempts
Condition:
KQL Query:
Action:
Send email notification to the security team.
Trigger a Logic App to block the offending IP address.
High-Severity Security Alerts
Condition:
KQL Query:
Action:
Send SMS notification to the on-call security analyst.
Trigger an Azure Automation runbook to collect additional forensic data.
Monitoring and Refining Alerts
Monitor Alert Effectiveness:
Regularly review the alerts to ensure they are firing as expected and providing useful information.
Refine Alert Conditions:
Adjust the alert conditions and thresholds based on observed patterns and feedback to reduce false positives and improve accuracy.
Update Action Groups:
Periodically review and update the action groups to ensure that the correct contacts and response actions are in place.
Last updated