Azure Security Center – Custom Alerts


Many my clients have asked can you extend the alerting in Azure Security Center(ASC). The answer is yes as few months back custom alerts went into public preview. Using this allows you to take a log analytics query and have it evaluated in ASC. It's ideal if for example your application generates notable security events or if you are using sources not currently supported in ASC. Creating custom alerts is very simple. A quick run through below is an example –

Create your query either in “Log Search” or in “Analytics”.
Simple query to list Windows Systems that have had their event logs cleaned.Create your query either in “Log Search” or in “Analytics”.

Simple query to list Windows Systems that have had their event logs cleaned.

SecurityEvent

| where (EventID == 1102 or EventID == 517) and EventSourceName == "Microsoft-Windows-Eventlog"

| summarize AggregatedValue = count() by Computer

clip_image002

Now take this query into ASC and open up “Custom Alerts Preview”

clip_image004

Click “New custom alert rule”

clip_image006

Start creating your custom rule as below –

clip_image008

Check your query has pasted correctly by clicking “Execute your search query now”. This should return results similar to those you previously had when building your query in analytics.

clip_image010

Complete the alert criteria, evaluation window etc and click “OK” –

clip_image012

Your custom alert should now be listed –

clip_image014

Now to test, clear some event logs and monitor ASC alerts!

clip_image016

A handy tip when looking at alerts in ASC is the filter option shown above top left. I limited my filter just to low priority to make this alert easier to find –

clip_image018

Hope this is useful!

Comments (0)

Skip to main content