Respond to security events with the Security Alerts dashboard

Appropriate roles: Admin Agent

Applies to: Partner Center direct-bill partners and indirect providers

The Partner Center Security Alerts dashboard helps you respond quickly to security, fraud, and other events that occur in Partner Center or your customer's tenant.

APIs

If you have multiple Microsoft Entra tenants in Partner Center, you can use the following APIs to get and update alerts instead of using the Security Alerts dashboard:

• Azure fraud notification - Get fraud events
• Azure fraud notification - Update fraud event status

Prerequisites

To use the Partner Center Security Alerts dashboard, your user account must be assigned the Admin Agent role.

Importance of timely response to alerts

When an alert is created in your dashboard, it's critical that you triage and mitigate the incident that caused the alert as soon as possible. As a guiding principle, we recommend responding to alerts within one hour. For the Fraud type of alerts, the longer you take to respond to and mitigate the incident that caused the alert, the greater the potential financial impact.

Opening the dashboard

To open the Partner Center Security Alerts dashboard:

1. Sign in to Partner Center as a user who has the Admin Agent role.
2. Select the Insights workspace.
3. On the left menu, under Security, select Alerts.

You can also use this link to go directly to the dashboard.

Viewing alerts

The dashboard shows information about the following alert categories.

• Average time: The average time to respond to and resolve alerts over the last 30 days.
• New events this week: The number of new alerts for the last seven days.
• Resolved: The number of alerts that are resolved with a reason specified (for example, Legitimate or Fraud).
• Unresolved: The number of unresolved alerts that need attention.

The lower section of the dashboard lists alerts that affect the Partner Center tenant where you're signed in.

The table has these columns:

• Alert name: High-level information about what was detected.
• Subscription ID: An identifier that appears when an alert is detected in a specific Azure subscription.
• Alert ID: The unique identifier for the alert.
• Alert status: The status of the alert (Active or Resolved).
• First observed: The first time that the alert appeared.
• Last observed: The most recent time that the alert appeared.
• Alert type: The type of activity that was detected and that caused the alert. There are two alert types:
  • Azure Notification: Indicates that a message was sent to the customer of the affected Azure subscription and displayed as a Service Health notification. A copy of this message appears in the alert details.
  • Azure Usage: Indicates either an unusual increase in activity in the Azure subscription or an anomalous activity occurring in the subscription, such as cryptocurrency mining.
• Severity: The level of urgency in responding to the alert.

You can use the Filter option to change which alerts appear on the Alert dashboard.

You can use the Search feature to search all alerts for the information that you enter in the box. Search results include the following information:

• Subscription ID
• Alert ID
• Customer name

Actions on the alert detail page

To display more details about an alert, select the alert name. For example, the following example alert shows behavior that relates to cryptocurrency mining occurring in an Azure subscription.

Top section

The top of the alert detail page shows customer and reseller (if applicable) information.

Alert description

The Alert description section provides an overview of why the alert occurred, along with steps to investigate.

Impacted resources

The Impacted resources section contains two actions:

• Mark as legitimate: You investigated the resources and either found no evidence of what the alert indicated or verified with the customer that the behavior is expected.
• Mark as fraud: You investigated the resources and found that they were performing the behavior that alert indicated.

When you complete your investigation into the alert, select an action to tell Partner Center what you discovered. Selecting an action marks the alert Resolved. The action that you select indicates the reason (that is, the Reason value) why you're resolving the alert.

Resource information

The Resource information section provides details about the resources that were involved in the detection that caused the alert. In this example, there's a virtual machine named badvmtest in the resource group named testserver. The First connection time and Last connection time values indicate when we first detected this resource contacting a known mining pool and the most recent time that we observed it.

Additional information

The Additional information section provides details about the behavior that the resource exhibits, if any are available. In this example, the virtual machine badvmtest communicated with the IP address of a known mining pool. The Resource information section shows that it connected to the IP address four times between First connection time and Last connection time.

Resources

In the Resources section, use the links to learn more about alerts and what to do when you receive an alert.

Bottom section

The bottom of the alert detail page shows three buttons for actions that you can take.

• Cancel subscription: You must have both Global Administrator and Admin Agent roles to use this action. If your investigation into the alert indicates that an unauthorized party overtook the Azure subscription, you can select Cancel subscription to deallocate all resources in the Azure subscription and mark all the data in the subscription for deletion after the retention period.

  Before you take this action, we recommend that you communicate with your customer about the alert and (if possible) get their consent to cancel the subscription. When you select the button, a dialog appears and asks you to confirm that you understand the impact of this action.

  

  To cancel the Azure subscription, select Continue with cancellation. When you select Continue with cancellation, the subscription is canceled and all alerts for that subscription are marked Resolved with the reason Fraud.

  For more information, see Cancel an Azure subscription.

• Manage subscription: This action takes you to the Azure portal by using Admin on Behalf of (AOBO). Based on the level of access that the customer granted to you, you might be able to further investigate the resources indicated in the alert details. For more information, see Manage subscriptions and resources under the Azure plan.

• Back to alerts: This action returns you to the Security Alerts dashboard with the list of alerts.

Actions on the Security Alerts dashboard

Above the alert list on the Security Alerts dashboard are two actions that you can take.

• Cancel subscription: You must have both Global Administrator and Admin Agent roles to use this action. If your investigation into the alert indicates that an unauthorized party overtook the Azure subscription, you can select Cancel subscription to deallocate all resources in the Azure subscription and mark all the data in the subscription for deletion after the retention period.

  Before you take this action, we recommend that you communicate with your customer about the alert and (if possible) get their consent to cancel the subscription. When you select the button, a dialog appears and asks you to confirm that you understand the impact of this action.

  To cancel the Azure subscription, select Continue with cancellation.

  

• Export: If you want to export all the detailed information about the alerts, you can use the Export action to download a comma-separated value (CSV) file that contains the alert information.

  This action produces a CSV file with only the alerts that you're currently viewing. To adjust the alerts that you want to export, use the Filter option.

Related content

• Azure fraud detection and notification