Azure Security Center – Custom Alerts

Many my clients have asked can you extend the alerting in Azure Security Center(ASC). The answer is yes as few months back custom alerts went into public preview. Using this allows you to take a log analytics query and have it evaluated in ASC. It's ideal if for example your application generates notable security events or if you are using sources not currently supported in ASC. Creating custom alerts is very simple. A quick run through below is an example –

Create your query either in “Log Search” or in “Analytics”.
Simple query to list Windows Systems that have had their event logs cleaned.Create your query either in “Log Search” or in “Analytics”.

Simple query to list Windows Systems that have had their event logs cleaned.

SecurityEvent

| where (EventID == 1102 or EventID == 517) and EventSourceName == "Microsoft-Windows-Eventlog"

| summarize AggregatedValue = count() by Computer

Now take this query into ASC and open up “Custom Alerts Preview”

Click “New custom alert rule”

Start creating your custom rule as below –

Check your query has pasted correctly by clicking “Execute your search query now”. This should return results similar to those you previously had when building your query in analytics.

Complete the alert criteria, evaluation window etc and click “OK” –

Your custom alert should now be listed –

Now to test, clear some event logs and monitor ASC alerts!

A handy tip when looking at alerts in ASC is the filter option shown above top left. I limited my filter just to low priority to make this alert easier to find –

Hope this is useful!