Microsoft Defender for Cloud Security Alerts

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Microsoft Defender for Cloud blade at https://portal.azure.com/#view/Microsoft_Azure_Security/SecurityMenuBlade/~/0.

03 In the main navigation panel, under General, choose Overview.

04 Choose the Azure subscription that you want to examine and ensure that the appropriate Defender plans are active.

05 Navigate back to the Microsoft Defender for Cloud blade and select Security alerts from the main navigation panel.

06 Select Active and In Progress from the Status filter and choose OK to list all the active security alerts generated for the selected Azure subscription.

07 Click on the name of the security alert that you want to examine.

08 Analyze the selected Microsoft Defender for Cloud security alert by verifying the following attributes:

1. Name – the name of the selected security alert.
2. Severity – the severity level of the selected alert.
3. Status – the current status of the selected security alert.
4. Activity time – the start time of the detected malicious activity.
5. Alert description – an explicit description of the selected security alert.
6. Affected resources – the identifier(s) of the impacted Azure cloud resource(s).

09 Choose Take action and follow the Microsoft Defender for Cloud recommendations on how to mitigate the threats detected for your resource(s) in order to assess the security incident and remediate the issue.

10 Repeat steps no. 7 – 9 for each security alert notification identified in the selected Azure subscription.

11 Repeat steps no. 4 – 10 for each subscription created in your Microsoft Azure cloud account.

01 Run account list command (Windows/macOS/Linux) with custom query filters to list the identifier (ID) of each cloud subscription available in your Azure cloud account:

az account list
--query '[*].id'

02 The command output should return the requested subscription IDs:

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-1234-abcd-1234-abcd1234abcd"
]

03 Run security alert list command (Windows/macOS/Linux) using the ID of the Azure subscription that you want to examine as the identifier parameter and custom output filters to list the identifier (name) of each security alert generated for the selected subscription:

az security alert list
  --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
  --query '[*].name'

04 The command output should return the identifiers (IDs) of the requested security alerts:

[
	"1234abcd1234abcd123_abcd1234-abcd-1234-abcd-abcd1234abcd",
	"abc1234abcd1234abcd_12341234-abcd-1234-abcd-123412341234",
	"123abcd1234abcd1234_abcd1234-1234-abcd-1234-abcd1234abcd"
]

05 Run security alert show command (Windows/macOS/Linux) using the name of the Microsoft Defender for Cloud alert that you want to examine as the identifier parameter, to describe the details available for the selected security alert notification:

az security alert show
  --location "westeurope"
  --name "1234abcd1234abcd123_abcd1234-abcd-1234-abcd-abcd1234abcd"

06 The command output should return the requested information (JSON format):

{
	"name": "1234abcd1234abcd123_abcd1234-abcd-1234-abcd-abcd1234abcd",
	"alertDisplayName": "Suspected successful brute force attack",
	"description": "A successful login occurred after an apparent brute force attack on your resource",
	"severity": "High",
	"compromisedEntity": "cc-production-vm",
	"startTimeUtc": "2023-06-07T20:08:06.708743+00:00",
	"processingEndTimeUtc": "2023-06-07T20:09:24.708743+00:00",
	"productName": "Microsoft Defender for Cloud",
	"remediationSteps": [
	"Go to the firewall settings in order to lock down the firewall as tightly as possible."
	],

	...

	"resourceGroup": "cloud-shell-storage-westeurope",
	"endTimeUtc": "2023-06-07T20:08:06.708743+00:00",
	"status": "Active",
	"subTechniques": null,
	"supportingEvidence": null,
	"systemAlertId": "1234abcd1234abcd123_abcd1234-abcd-1234-abcd-abcd1234abcd",
	"techniques": null,
	"timeGeneratedUtc": "2023-06-07T20:09:27.458301+00:00",
	"type": "Microsoft.Security/Locations/alerts",
	"vendorName": "Microsoft",
	"version": "2022-01-01.0"
}

07 Analyze the information returned at the previous step by checking the following attributes:

1. "alertDisplayName" – the display name of the selected security alert.
   1. "severity" – the severity level of the selected alert.
   2. "status" – the current status of the selected security alert.
   3. "startTimeUtc" – the start time (UTC) of the detected malicious activity.
   4. "description" – an explicit description of the selected security alert.
   5. "compromisedEntity" – the identifier(s) of the impacted Azure cloud resource(s).
   6. "remediationSteps" - recommendations and instructions on how to mitigate the threats detected for your resource(s) in order to assess the security incident and remediate the issue.

   08 Based on the information returned at the previous steps, follow the instructions outlined in the Remediation/Resolution section to implement the recommended security fix.

   09 Repeat steps no. 5 – 8 for each security alert notification generated within the selected Azure subscription.

   10 Repeat steps no. 3 – 9 for each subscription available in your Microsoft Azure cloud account.

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#view/HubsExtension/BrowseAll to access all your Microsoft Azure cloud resources.

03 From the Subscription filter box, select the Azure account subscription that you want to access and choose Apply.

04 From the Type filter box, select Network security group, and choose Apply to list only the security groups available in the selected Azure subscription.

05 To allow SSH access on TCP port 22 to specific, authorized entities only such as IP addresses or IP ranges, you must update the inbound configuration of the network security group associated with the impacted VM instance. Click on the name of the network security group that you want to reconfigure.

06 In the resource navigation panel, under Settings, select Inbound security rules to access the list with the inbound rules defined for the selected security group.

07 On the Inbound security rules page, click on the name (link) of the non-compliant security group rule that you want to reconfigure.

08 On the selected security group rule configuration panel, perform the following actions:

• Select IP Addresses from the Source dropdown list to allow inbound traffic on TCP port 22 from specified IP addresses only.
• For Source IP addresses/CIDR ranges, provide the source IP address, IP addresses or IP address ranges that will be allowed to access the virtual machine(s) associated with the selected network security group (NSG). You can specify a single value or comma-separated list of multiple values. An example of multiple values is 10.0.1.15/32, 10.0.1.16/32.
• Choose Save to apply the configuration changes.

09 Navigate to Microsoft Defender for Cloud blade at https://portal.azure.com/#view/Microsoft_Azure_Security/SecurityMenuBlade/~/0.

10 In the main navigation panel, under General, choose Security alerts.

11 Select the security alert associated with the security issue mitigated at the previous steps, choose Change status and select Resolved.

12 Repeat steps no. 4 – 11 for each security alert that you want to resolve, available in the selected Azure subscription.

13 Repeat steps no. 3 – 12 for each subscription created within your Microsoft Azure cloud account.

01 Run network nsg rule update command (Windows/macOS/Linux) using the name of the network security group rule that you want to reconfigure as the identifier parameter to restrict SSH access on TCP port 22 to specific, trusted entities by setting the --source-address-prefixes parameter to the IP address, IP addresses or IP address ranges that can be allowed to access the virtual machines associated with the selected network security group. You can specify a single value (e.g. 10.0.1.16/32) or a space-separated list of multiple values (e.g. 10.0.1.15/32 10.0.1.16/32):

az network nsg rule update
  --name SSH
  --nsg-name cc-production-vm-nsg
  --resource-group cloud-shell-storage-westeurope
  --source-address-prefixes 10.0.1.16/32

02 The command output should return the configuration information available for the updated NSG rule:

{
	"access": "Allow",
	"description": null,
	"destinationAddressPrefix": "*",
	"destinationAddressPrefixes": [],
	"destinationApplicationSecurityGroups": null,
	"destinationPortRange": "22",
	"destinationPortRanges": [],
	"direction": "Inbound",

	...

	"name": "SSH",
	"priority": 300,
	"protocol": "TCP",
	"provisioningState": "Succeeded",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"sourceAddressPrefix": "10.0.1.16/32",
	"sourceAddressPrefixes": [],
	"sourceApplicationSecurityGroups": null,
	"sourcePortRange": "*",
	"sourcePortRanges": [],
	"type": "Microsoft.Network/networkSecurityGroups/securityRules"
}

03 Run security alert update command (Windows/macOS/Linux) using the name of the security alert associated with the security issue remediated at the previous steps as the identifier parameter, to update the security alert status to Resolved (the command does not produce an output):

az security alert update
  --name "1234abcd1234abcd123_abcd1234-abcd-1234-abcd-abcd1234abcd"
  --subscription "abcdabcd-1234-abcd-1234-abcdabcdabcd"
  --location "centralus"
  --status "resolve"

04 Repeat steps no. 1 - 3 for each security alert that you want to resolve, available in the current Azure subscription.

05 Repeat steps no. 1 – 4 for each subscription created within your Microsoft Azure cloud account.