Set up Security Alerts with Azure Service Health


How do you stay on top of activities in your Azure account and improve the security of all your Azure subscriptions?

In this article, we will show you how to set up security alerts with Azure Service Health to improve the security health of your cloud resources.

Introduction

What is Azure service health?

Azure offers a suite of experiences to keep you informed about the health of your cloud resources. This information includes current and upcoming issues such as service impacting events, planned maintenance, and other changes that may affect your application availability.

Azure Service Health combines four smaller services: Azure Status (a global view of the health of all Azure services across all Azure regions), Service Health (a personalized view of the health of the Azure services and regions you’re using), Resource Health (the health of your individual cloud resources), and Security advisories, which are the topic of this article.

Azure Service Health security advisories will communicate urgent security-related information affecting your Azure workloads.

For more information about each of these services, I highly encourage you to watch this overview video.

Service health notifications are stored in the Azure activity log, and because of the large volume of information that is stored in the activity log, Microsoft created a separate blade for Service Health to make it easier to view and set up alerts on service health notifications as shown in the figure below.

Azure Service Health blade

Security advisories have two types — “warnings,” which affect existing services and may require your administrative action, and “informational,” which only affect existing services.

This article shows you how to set up security alerts on Azure Service Health notifications using the Azure portal, an ARM template, and PowerShell.

Prerequisites

To follow this article, you need to have the following:

1) An Azure subscription. If you don’t have an Azure subscription, you can create a free one here.

2) One or more Azure services deployed in your subscription.

Create a Service Health security alert

Launch the Azure portal and search for Service Health.

In the Alerts section, select Health alerts, and then select Add service health alert as shown in the figure below.

Add service health alert

Enter the following details:

> Alert target: Select the desired Subscription, Azure Services, and Azure Regions for which you want to be alerted. The ‘Global’ region is selected by default because some services aren’t associated with a specific region; keeping it selected ensures you don’t miss any health or security events. At the time of this writing, Azure can report service health and security events for 205 services (Azure resource types).

> Service health criteria: Select the Event type you want to be alerted for: Service issues, Planned maintenance, Health advisories, or Security advisory. For the purpose of this article, we will choose Security advisory as the event type.

Create an alert rule – Security advisory

Next, under Actions, click Select action groups to choose an existing action group if you already have one, or create a new action group. You can attach up to five action groups to this security alert rule. For more information on action groups, please check how to create and manage action groups in the Azure portal.

You can also send alerts to external systems via Webhook. A concrete example is to use a Webhook action with a URI that sends the notification to an Azure Function app, which then automatically creates a ticket in Jira Service Desk.

Select action groups

Next, under Alert rule details, define the alert by entering an Alert rule name and Description and selecting the Resource group where you want the alert rule to be saved. The alert rule is enabled by default. Last, select Create alert rule.

Alert rule details

After the alert is created, it takes a few minutes for changes to take effect. The alert is active and begins to trigger based on the conditions you specified during creation. In this example, we are looking for security alerts on the specified Azure subscription.

You can see all the alert details, criteria, and the history for this rule under the Health alerts blade as shown in the figure below.

Service Health | Health alerts

Please note that you need to repeat the same steps described above to cover other subscriptions as well.

This alert rule will monitor all incidents of type Security across all Azure regions.

You can then review these security advisories in the Service Health blade in the portal, and get notified about security advisories via your preferred channel by setting up Service Health alerts for this type of notification.

There’s more…

You can also create a Service Health security alert using the ARM template.

The following template creates an action group with an email target and enables all security notifications for the target subscription.

Copy and save the following template as CreateServiceHealthSecurityAlert.json.

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "actionGroups_name": {
            "type": "String",
            "defaultValue": "SecurityRule"
        },
        "activityLogAlerts_name": {
            "type": "String",
            "defaultValue": "Service Health Security Alert"
        },
        "emailAddress": {
            "type": "string"
        }
    },
    "variables": {
        "alertScope": "[concat('/','subscriptions','/',subscription().subscriptionId)]"
    },
    "resources": [
        {
            "comments": "Action Group",
            "type": "microsoft.insights/actionGroups",
            "apiVersion": "2021-09-01",
            "name": "[parameters('actionGroups_name')]",
            "location": "Global",
            "scale": null,
            "dependsOn": [],
            "tags": {},
            "properties": {
                "groupShortName": "[parameters('actionGroups_name')]",
                "enabled": true,
                "emailReceivers": [
                    {
                        "name": "[parameters('actionGroups_name')]",
                        "emailAddress": "[parameters('emailAddress')]"
                    }
                ],
                "smsReceivers": [],
                "webhookReceivers": []
            }
        },
        {
            "comments": "Service Health Activity Log Alert",
            "type": "microsoft.insights/activityLogAlerts",
            "apiVersion": "2020-10-01",
            "name": "[parameters('activityLogAlerts_name')]",
            "location": "Global",
            "scale": null,
            "dependsOn": [
                "[resourceId('microsoft.insights/actionGroups', parameters('actionGroups_name'))]"
            ],
            "tags": {},
            "properties": {
                "scopes": [
                    "[variables('alertScope')]"
                ],
                "condition": {
                    "allOf": [
                        {
                            "field": "category",
                            "equals": "ServiceHealth"
                        },
                        {
                            "anyOf": [
                                {
                                    "field": "properties.incidentType",
                                    "equals": "Security"
                                }
                            ]
                        },
                        {
                            "field": "properties.impactedServices[*].ImpactedRegions[*].RegionName",
                            "containsAny": [
                                "Global"
                            ]
                        }
                    ]
                },
                "actions": {
                    "actionGroups": [
                        {
                            "actionGroupId": "[resourceId('microsoft.insights/actionGroups', parameters('actionGroups_name'))]",
                            "webhookProperties": {}
                        }
                    ]
                },
                "enabled": true,
                "description": "Service Health Security Advisory Alert!"
            }
        }
    ]
}

Launch the custom template deployment in the Azure portal, load the template and click Save.

Next, select the subscription, resource group, region, and email address. Click Review + create.

Create Service Health security alert using ARM template

This template defines and creates two resources: Microsoft.Insights/actionGroups and Microsoft.Insights/activityLogAlerts as shown in the figure below.

Microsoft Insights resources

You can also deploy this template via the Azure CLI or PowerShell. Here is the PowerShell example:

# Sign in and select the subscription that should receive the alert rule
Connect-AzAccount
Select-AzSubscription -SubscriptionName yoursubscription

# Deploy the template; -emailAddress is the template parameter and is passed as a dynamic parameter
New-AzResourceGroupDeployment -Name "ServiceHealthSecurityAlert" -ResourceGroupName "your-resource-group" -TemplateFile C:\CreateServiceHealthSecurityAlert.json -emailAddress email@company.com

Last, you can validate the template deployment by running the following PowerShell command:

# -Name is the alert rule's resource name (the template default for activityLogAlerts_name), not the deployment name
Get-AzActivityLogAlert -ResourceGroupName "your-resource-group" -Name "Service Health Security Alert"
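Because the alert rule must be created per subscription, the following script, an added example that is not part of the original article, deploys the template above to every enabled subscription the signed-in account can see and then reads each rule back to confirm it is enabled and filters on category ServiceHealth and incidentType Security. The template path, resource group name, location and mailbox are assumed placeholders.

```powershell
# Added example (not from the original article): deploy CreateServiceHealthSecurityAlert.json
# to every enabled subscription, then verify each deployed rule. The values below are
# placeholder assumptions; replace them for your environment.
$TemplateFile  = 'C:\CreateServiceHealthSecurityAlert.json'
$ResourceGroup = 'rg-servicehealth-alerts'
$Location      = 'westeurope'
$Email         = 'secops@company.com'
$AlertName     = 'Service Health Security Alert'   # template default for activityLogAlerts_name

Connect-AzAccount | Out-Null

$results = foreach ($sub in Get-AzSubscription | Where-Object State -eq 'Enabled') {
    Set-AzContext -SubscriptionId $sub.Id | Out-Null

    # The rule is scoped to the subscription but has to be stored in a resource group.
    if (-not (Get-AzResourceGroup -Name $ResourceGroup -ErrorAction SilentlyContinue)) {
        New-AzResourceGroup -Name $ResourceGroup -Location $Location | Out-Null
    }

    New-AzResourceGroupDeployment -Name 'ServiceHealthSecurityAlert' `
        -ResourceGroupName $ResourceGroup -TemplateFile $TemplateFile `
        -emailAddress $Email | Out-Null

    # Read the deployed rule back with its ARM properties (same shape as the template JSON).
    $rule = Get-AzResource -ResourceGroupName $ResourceGroup -Name $AlertName `
        -ResourceType 'microsoft.insights/activityLogAlerts' -ExpandProperties

    # Flatten allOf/anyOf into leaf conditions so both nesting styles are checked the same way.
    $leaves = foreach ($c in $rule.Properties.condition.allOf) { if ($c.anyOf) { $c.anyOf } else { $c } }
    $hasCategory = [bool]($leaves | Where-Object { $_.field -eq 'category' -and $_.equals -eq 'ServiceHealth' })
    $hasSecurity = [bool]($leaves | Where-Object { $_.field -eq 'properties.incidentType' -and $_.equals -eq 'Security' })
    $enabled     = [bool]$rule.Properties.enabled

    [pscustomobject]@{
        Subscription = $sub.Name
        Enabled      = $enabled
        Verified     = ($enabled -and $hasCategory -and $hasSecurity)
    }
}

# Any row with Verified = False will not alert on security advisories and needs attention.
$results | Format-Table -AutoSize
```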

That’s it, there you have it!

Summary

In this article, we showed you how to set up security alerts with Azure Service Health using the Azure portal, an ARM template, and PowerShell, so you can stay on top of security activities and improve the security of your Azure subscriptions.

Please note that there’s an important difference between Service Health security advisories and Microsoft Defender for Cloud security notifications—Security advisories in Service Health provide notifications dealing with platform vulnerabilities and security and privacy breaches at the Azure service level, while security notifications in Microsoft Defender for Cloud communicate vulnerabilities that pertain to affected individual Azure resources.

Once the security alert rule is configured, Service Health notification alerts are sent to you via emails, text messages, and webhook notifications to alert you of security issues and advisories that may affect your Azure services.

Together, these services provide you with a comprehensive view of the health of Azure, at the granularity that is most relevant to you.

At the time of this writing, Service Health does not support management groups. Hopefully, Microsoft will improve the service to cover management groups so that alerts no longer have to be configured per subscription.

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-
