Alert validation in Microsoft Defender for Cloud

This document helps you learn how to verify if your system is properly configured for Microsoft Defender for Cloud alerts.

What are security alerts?

Alerts are the notifications that Defender for Cloud generates when it detects threats on your resources. It prioritizes and lists the alerts along with the information needed to quickly investigate the problem. Defender for Cloud also provides recommendations for how you can remediate an attack.

For more information, see Security alerts in Defender for Cloud and Managing and responding to security alerts.

Prerequisites

To receive all the alerts, your machines and the connected Log Analytics workspaces need to be in the same tenant.

Generate sample security alerts

If you're using the new preview alerts experience as described in Manage and respond to security alerts in Microsoft Defender for Cloud, you can create sample alerts from the security alerts page in the Azure portal.

Use sample alerts to:

  • evaluate the value and capabilities of your Microsoft Defender plans.
  • validate any configurations you've made for your security alerts (such as SIEM integrations, workflow automation, and email notifications).

To create sample alerts:

  1. As a user with the role Subscription Contributor, from the toolbar on the security alerts page, select Sample alerts.

  2. Select the subscription.

  3. Select the Microsoft Defender plans for which you want to see alerts.

  4. Select Create sample alerts.

    Screenshot showing steps to create sample alerts in Microsoft Defender for Cloud.

    A notification appears letting you know that the sample alerts are being created:

    Screenshot showing notification that the sample alerts are being generated.

    After a few minutes, the alerts appear in the security alerts page. They also appear anywhere else that you've configured to receive your Microsoft Defender for Cloud security alerts (connected SIEMs, email notifications, and so on).

    Screenshot showing sample alerts in the security alerts list.

    Tip

    The alerts are for simulated resources.
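Once the sample alerts exist, the check a practitioner usually wants is whether they reached the downstream pipeline (the Log Analytics workspace that a SIEM connector or notification rule reads from) and not only the portal page. The following script is an added example, not part of the original article; it assumes the Az.Accounts and Az.OperationalInsights modules are installed, that you have already run Connect-AzAccount, that Defender for Cloud alerts are exported to the workspace you pass in, and that sample alert names start with "[SAMPLE ALERT]" (an assumption about the display name).

```powershell
# Added example: count recent Defender for Cloud alerts in a Log Analytics workspace.
# $WorkspaceId is a placeholder for the workspace (customer) ID, a GUID.
param(
    [Parameter(Mandatory)] [string]$WorkspaceId,
    [int]$LookbackHours = 2,
    # Restrict the output to sample alerts; the "[SAMPLE ALERT]" prefix is an assumption.
    [switch]$SampleOnly
)

# Build the KQL line by line so the optional filter can be added cleanly.
$lines = @(
    'SecurityAlert',
    "| where TimeGenerated > ago(${LookbackHours}h)"
)
if ($SampleOnly) {
    $lines += '| where AlertName startswith "[SAMPLE ALERT]"'
}
$lines += '| summarize Count = count(), Latest = max(TimeGenerated) by AlertName, AlertSeverity, CompromisedEntity'
$lines += '| order by Latest desc'
$kql = $lines -join "`n"

# Run the query against the workspace and collect the rows.
$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $kql
$rows = @($result.Results)

if ($rows.Count -eq 0) {
    # Nothing arrived: either the export/connection does not target this workspace,
    # or the generation delay has not passed yet.
    Write-Warning "No SecurityAlert rows in the last $LookbackHours h for workspace $WorkspaceId."
    Write-Warning "Check the alert export target for this workspace and retry after the expected delay."
} else {
    $rows | Format-Table Latest, Count, AlertSeverity, AlertName, CompromisedEntity -AutoSize
}
```

Run it once without -SampleOnly to see every recent alert and once with it to isolate the ones you just created.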

Simulate alerts on your Azure VMs (Windows)

After the Microsoft Defender for Endpoint agent is installed on your machine, as part of Defender for Servers integration, follow these steps on the machine that you want to appear as the attacked resource in the alert:

  1. Open an elevated command-line prompt on the device and run the script:

    1. Go to Start and type cmd.

    2. Right-select Command Prompt and select Run as administrator.

    Screenshot showing where to select Run as Administrator.

  2. At the prompt, copy and run the following command: powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference = 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-MDATP-test\\invoice.exe');Start-Process 'C:\\test-MDATP-test\\invoice.exe'

  3. The Command Prompt window closes automatically. If successful, a new alert should appear in the Defender for Cloud Alerts blade within 10 minutes.

  4. The message line in the PowerShell box should appear similar to how it's presented here:

    Screenshot showing PowerShell message line.

Alternatively, you can use the EICAR test string to perform this test: create a text file, paste the EICAR line into it, and save the file as an executable file on your machine's local drive.

Note

When reviewing test alerts for Windows, make sure that you have Defender for Endpoint running with Real-Time protection enabled. Learn how to validate this configuration.
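The two preconditions above (Defender for Endpoint onboarded, real-time protection on) are what the EICAR variant of the test silently depends on: without them the file is never scanned and no alert is produced. The following script is an added example, not part of the original article or of Defender itself; it runs the pre-flight checks with the built-in Defender cmdlets, writes an EICAR test file, and waits for the local detection that precedes the Defender for Cloud alert. It assumes an elevated PowerShell session on the VM and uses C:\test-MDATP-test (the folder the article's own command uses) with a file name chosen for this example.

```powershell
# Added example: pre-flight check and local EICAR detection test on a Windows VM.
$TestDir = 'C:\test-MDATP-test'

# 1. The antimalware engine and real-time protection must both be on.
$status = Get-MpComputerStatus
if (-not $status.AMServiceEnabled -or -not $status.RealTimeProtectionEnabled) {
    Write-Warning ("Defender is not ready: AMServiceEnabled={0} RealTimeProtectionEnabled={1}" -f `
        $status.AMServiceEnabled, $status.RealTimeProtectionEnabled)
    return
}

# 2. The Defender for Endpoint sensor (the Sense service) must be running, or the
#    local detection never reaches Defender for Cloud.
$sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
if (-not $sense -or $sense.Status -ne 'Running') {
    Write-Warning 'The Defender for Endpoint service (Sense) is not running; onboard the machine first.'
    return
}

# 3. Write the standard EICAR test string. It is assembled from two halves so that this
#    script file is not itself quarantined when saved to disk.
New-Item -ItemType Directory -Path $TestDir -Force | Out-Null
$eicarPath = Join-Path $TestDir 'eicar-test.com'   # file name chosen for this example
$part1 = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR'
$part2 = '-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
Set-Content -Path $eicarPath -Value ($part1 + $part2) -Encoding Ascii -NoNewline

# 4. Real-time protection should quarantine the file within seconds; poll the
#    detection history for up to a minute.
$deadline = (Get-Date).AddSeconds(60)
do {
    Start-Sleep -Seconds 5
    $detected = Get-MpThreatDetection | Where-Object { $_.Resources -like '*eicar-test.com*' }
} until ($detected -or (Get-Date) -gt $deadline)

if ($detected) {
    $first = @($detected)[0]
    "Local detection OK at {0}; file still present: {1}" -f `
        $first.InitialDetectionTime, (Test-Path $eicarPath)
    'Now watch the Defender for Cloud Alerts blade for the corresponding alert.'
} else {
    Write-Warning 'No local detection within 60 s; check exclusions and cloud-delivered protection.'
}
```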

Simulate alerts on your Azure VMs (Linux)

After the Microsoft Defender for Endpoint agent is installed on your machine, as part of Defender for Servers integration, follow these steps on the machine that you want to appear as the attacked resource in the alert:

  1. Open a Terminal window, copy and run the following command: curl -O https://secure.eicar.org/eicar.com.txt

  2. The Command Prompt window closes automatically. If successful, a new alert should appear in the Defender for Cloud Alerts blade within 10 minutes.

Note

When reviewing test alerts for Linux, make sure that you have Defender for Endpoint running with Real-Time protection enabled. Learn how to validate this configuration.

Simulate alerts on Kubernetes

Defender for Containers provides security alerts for both your clusters and underlying cluster nodes. Defender for Containers accomplishes this by monitoring both the control plane (API server) and the containerized workload.

You can simulate alerts for both the control plane and the workload using the Kubernetes alerts simulation tool.

Learn more about defending your Kubernetes nodes and clusters with Microsoft Defender for Containers.

Simulate alerts for App Service

You can simulate alerts for resources running on App Service.

  1. Create a new website and wait 24 hours for it to be registered with Defender for Cloud, or use an existing website.

  2. Once the website is created, access it using the following URL:

    1. Open the app service resource pane and copy the domain for the URL from the default domain field.

      Screenshot showing where to copy the default domain.

    2. Copy the website name into the URL: https://<website name>.azurewebsites.net/This_Will_Generate_ASC_Alert.

  3. An alert is generated within about 1-2 hours.

Simulate alerts for Storage ATP (Advanced Threat Protection)

  1. Navigate to a storage account that has Azure Defender for Storage enabled.

  2. Select the Containers tab in the sidebar.

    Screenshot showing where to navigate to select a container.

  3. Navigate to an existing container or create a new one.

  4. Upload a file to that container. Avoid uploading any file that might contain sensitive data.

    Screenshot showing where to upload a file to the container.

  5. Right-select the uploaded file and select Generate SAS.

  6. Select the Generated SAS token and URL button (no need to change any options).

  7. Copy the generated SAS URL.

  8. Open the Tor browser, which you can download here.

  9. In the Tor browser, navigate to the SAS URL. You should now be able to see and download the file that was uploaded.

Test AppServices alerts

To simulate an app services EICAR alert:

  1. Find the HTTP endpoint of the website, either by opening the Azure portal blade for the App Services website or by using the custom DNS entry associated with this website. (The default URL endpoint for an Azure App Services website has the form https://XXXXXXX.azurewebsites.net.) The website should be an existing website and not one that was created prior to the alert simulation.
  2. Browse to the website URL and add the following fixed suffix: /This_Will_Generate_ASC_Alert. The URL should look like this: https://XXXXXXX.azurewebsites.net/This_Will_Generate_ASC_Alert. It might take some time for the alert to be generated (~1.5 hours).

Validate Azure Key Vault Threat Detection

  1. If you don't have a Key Vault created yet, make sure to create one.
  2. After you finish creating the Key Vault and the secret, go to a VM that has Internet access and download the TOR Browser.
  3. Install the TOR Browser on your VM.
  4. Once you've finished the installation, open your regular browser, sign in to the Azure portal, and access the Key Vault page. Select the highlighted URL and copy the address.
  5. Open TOR and paste this URL (you need to authenticate again to access the Azure portal).
  6. After you've accessed the page, you can also select the Secrets option in the left pane.
  7. In the TOR Browser, sign out of the Azure portal and close the browser.
  8. After some time, Defender for Key Vault will trigger an alert with detailed information about this suspicious activity.

Next steps

This article introduced you to the alerts validation process. Now that you're familiar with this validation, explore the following articles: