Edit

Manage and respond to security alerts in Microsoft Defender for Cloud

  • Article

This topic shows you how to view and process Defender for Cloud's alerts and protect your resources.

Advanced detections that trigger security alerts are only available with Microsoft Defender for Cloud's enhanced security features enabled. A free trial is available. To upgrade, see Enable enhanced protections.

What are security alerts?

Defender for Cloud collects, analyzes, and integrates log data from your Azure, hybrid, and multicloud resources, the network, and connected partner solutions, such as firewalls and endpoint agents. Defender for Cloud uses the log data to detect real threats and reduce false positives. A list of prioritized security alerts is shown in Defender for Cloud along with the information you need to quickly investigate the problem and the steps to take to remediate an attack.

To learn about the different types of alerts, see Security alerts - a reference guide.

For an overview of how Defender for Cloud generates alerts, see How Microsoft Defender for Cloud detects and responds to threats.

Manage your security alerts

  1. From Defender for Cloud's overview page, select the Security alerts tile at the top of the page, or the link from the sidebar.

    Getting to the security alerts page from Microsoft Defender for Cloud's overview page

    The security alerts page opens.

    Microsoft Defender for Cloud's security alerts list

  2. To filter the alerts list, select any of the relevant filters. You can optionally add further filters with the Add filter option.

    Adding filters to the alerts view.

    The list updates according to the filtering options you've selected. For example, you might you want to address security alerts that occurred in the last 24 hours because you are investigating a potential breach in the system.

Respond to security alerts

  1. From the Security alerts list, select an alert. A side pane opens and shows a description of the alert and all the affected resources.

    Mini details view of a security alert.

    Tip

    With this side pane open, you can quickly review the alerts list with the up and down arrows on your keyboard.

  2. For further information, select View full details.

    The left pane of the security alert page shows high-level information regarding the security alert: title, severity, status, activity time, description of the suspicious activity, and the affected resource. The Azure tags for the affected resource helps you to understand the organizational context of the resource.

    The right pane includes the Alert details tab containing further details of the alert to help you investigate the issue: IP addresses, files, processes, and more.

    Suggestions for what to do about security alerts.

    Also in the right pane is the Take action tab. Use this tab to take further actions regarding the security alert. Actions such as:

    • Inspect resource context - sends you to the resource's activity logs that support the security alert
    • Mitigate the threat - provides manual remediation steps for this security alert
    • Prevent future attacks - provides security recommendations to help reduce the attack surface, increase security posture, and thus prevent future attacks
    • Trigger automated response - provides the option to trigger a logic app as a response to this security alert
    • Suppress similar alerts - provides the option to suppress future alerts with similar characteristics if the alert isn’t relevant for your organization

    Take action tab.

Change the status of multiple security alerts at once

The alerts list includes checkboxes so you can handle multiple alerts at once. For example, for triaging purposes you might decide to dismiss all informational alerts for a specific resource.

  1. Filter according to the alerts you want to handle in bulk.

    In this example, we've selected all alerts with severity of 'Informational' for the resource 'ASC-AKS-CLOUD-TALK'.

    Screenshot of filtering the alerts to show related alerts.

  2. Use the checkboxes to select the alerts to be processed - or use the checkbox at the top of the list to select them all.

    In this example, we've selected all alerts. Notice that the Change status button is now available.

    Screenshot of selecting all alerts to handle in bulk.

  3. Use the Change status options to set the desired status.

The alerts shown in the current page will have their status changed to the selected value.

See also

In this document, you learned how to view security alerts. See the following pages for related material: