What’s the Difference Between an Azure Security Center Alert and a MSRC Notification

imageThis week someone wrote to me and asked about an email he received from Microsoft regarding a possible security incident.

Of course, since I always have Azure Security Center in mind, my first question was “did the email come from an Azure Security Center alert”?

The reason why I asked about it being an alert is that it’s possible to configure Azure Security Center to forward alerts to one or more email addresses.

You can see how to do that in the figure below. Just click Email notifications in the Policy components section. That will bring up the Email notifications pane and there you enter your Security contact emails (BTW – there’s no practical limit on the number of emails, but don’t enter so many that it looks like SPAM [not that you would Smile]). And although this pane is intended for email notification, we also provide you the opportunity to give us a phone number that we can use if we need to contact you about high security alerts.

Also note in the Send me emails section that you can turn off/on Send me emails about alerts (which is currently in Preview) and Send email also to subscription owners (which is also in Preview). Note that “me” can actually be many “me’s” (but not mini-me’s Smile), because the alert will go to all email addresses listed in the Security contact emails text box.

image

When you do get an alert, you can check it out as seen in the figure below. Just for fun (since we’re here), I highlighted an interesting alert that was generated because of a modified system binary that was found by a crash dump analysis performed by Azure Security Center.

image

 

When we look at the details of the alert, we see that Azure Security Center detected an image mismatch on a loaded module in memory during the analysis of a crash dump. If the presence of this module is unexpected, it may indicate a system compromise and that the Process name was lync.exe – it isn’t good to have this kind of mismatch on what would otherwise be a trusted application. Notice that we provide some remediation steps too.

image

Anyhow, back to the story.

The email my friend received wasn’t generated by Azure Security Center – it came directly from the Microsoft Security Response Center (MSRC). These emails are different from those you get from Azure Security Center. The Security Center emails are automated. Emails coming from the MSRC are manually driven by the MSRC. The MSRC does continuous security monitoring of the Azure fabric as well as receiving threat intelligence feeds from multiple resources. When the MSRC determines that you data has been accessed by unauthorized entities (i.e., attackers) OR if you’re doing something in Azure that you shouldn’t be doing, an incident response manager will contact you via email (or phone or maybe even both).

So now you know – there’s a difference between emails you get from Azure Security Center and the MSRC – they’re both important – but if you get one from the MSRC, make sure you read it right away!

BTW – if you want to learn more about Azure Security Center alerts, check out Managing and Responding to Security Alert in Azure Security Center.

HTH,

Tom

Tom Shinder
Program Manager, Azure Security
@tshinder | Facebook | LinkedIn | Email | Web | Bing me! | GOOG me