In a previous post, I enabled Azure Security Center for additional security visibility into Azure services. As these posts show, I'm rather focused on storage accounts, and today Azure Security Center raised an interesting point.
As a practical piece of advice, I will continue to advocate that every time you log into the Azure portal, you first view Azure Advisor. If you are subscribed to Azure Security Center, visit that as well. Finally, end your session in Advisor to make sure your changes haven't introduced a new threat or recommendation for your Azure resources. Today's observation shows why that is a good practice.
In my recent login to Azure Security Center, I had a medium-severity threat protection alert, as shown below:
The alert was for access to a storage account from an unusual location. When I look into the alert in detail, it provides some additional information: the IP address, the approximate location of the access, the time, the type of connection and more. The most important piece of information is which storage resource was accessed:
When I interpreted this information I was initially concerned, but a few pieces of context made it clear:
- I recently took a business trip to China
- This storage account is not the account for which I recently provided steps to set up network access restrictions
- I did run an Azure File Share remote connection while I was in China
With these pieces of information, there is more context around why the access was flagged as unusual. It is, however, something that should be looked at whenever remote connections to storage accounts are used. For the other account, where I put in explicit networks and Internet IPs for access to that storage account, Azure Security Center raised no concern about the access. I can dismiss this alert in the display of all alerts, as shown below:
At this point, a small alert is dismissed and the main display for Azure Security Center is much more to my liking:
This alert is one example of a difference between Azure Advisor and Azure Security Center. When I started the Azure Security Center trial, one of the questions I had was how practical the difference is between the two services. While this alert was a false positive, I very much appreciated the visibility provided by Azure Security Center.
Do you manage alerts in Azure Security Center? If so, what types of investigation do you do with them? Share your comments below.
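The triage above (is the source IP one the account's firewall would accept, and does known travel explain it?) can be made repeatable. The following Python is an added example, not code from the original post or from Azure Security Center. It evaluates an alert's source IP against a storage account's network rule set in the shape of the ARM `Microsoft.Storage/storageAccounts` `properties.networkAcls` object and folds in a list of known travel. The alert field names, the sample IPs, the subnet id and the travel list are constructed for the example; the alert schema is an assumption, since the post only says the alert shows IP, location, time, connection type and resource.

```python
import ipaddress

# Constructed sample alert. Field names are assumptions for this example.
SAMPLE_ALERT = {
    "displayName": "Access from an unusual location to a storage account",
    "severity": "Medium",
    "clientIp": "203.0.113.45",          # constructed (TEST-NET-3 range)
    "country": "CN",
    "timeGenerated": "2019-03-12T02:14:07Z",
    "storageAccount": "filesharedemo",   # constructed account name
}

# Constructed network rule sets in the shape of the ARM networkAcls object.
OPEN_ACCOUNT = {            # no restriction: the account the alert fired on
    "defaultAction": "Allow",
    "ipRules": [],
    "virtualNetworkRules": [],
    "bypass": "AzureServices",
}
LOCKED_ACCOUNT = {          # explicit networks and Internet IPs, as in the other account
    "defaultAction": "Deny",
    "ipRules": [
        {"value": "198.51.100.0/24", "action": "Allow"},
        {"value": "192.0.2.10", "action": "Allow"},
    ],
    "virtualNetworkRules": [
        {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg/"
               "providers/Microsoft.Network/virtualNetworks/vnet/subnets/app",
         "action": "Allow"},
    ],
    "bypass": "AzureServices",
}

# Constructed: countries the account owner is known to have worked from
# during the alert window (the post's business trip to China).
KNOWN_TRAVEL = {"CN"}


def firewall_decision(client_ip, acls):
    """Return (allowed, reason) for a public client IP against networkAcls.

    Only ipRules and defaultAction can match an Internet source. A
    virtualNetworkRule admits traffic arriving from an Azure subnet, so it
    never explains access from a public IP and is deliberately not matched.
    """
    ip = ipaddress.ip_address(client_ip)
    for rule in acls.get("ipRules", []):
        if rule.get("action", "Allow") != "Allow":
            continue
        # ipRules hold a single address or a CIDR; strict=False tolerates
        # host bits being set in the CIDR form.
        if ip in ipaddress.ip_network(rule["value"], strict=False):
            return True, f"matches ipRule {rule['value']}"
    if acls.get("defaultAction", "Allow") == "Allow":
        return True, "defaultAction is Allow; any Internet source is accepted"
    return False, "defaultAction is Deny and no ipRule matches"


def triage(alert, acls, known_travel=KNOWN_TRAVEL):
    """Combine the firewall decision with travel context into a verdict."""
    allowed, reason = firewall_decision(alert["clientIp"], acls)
    explained = alert["country"] in known_travel
    if not allowed:
        # The source is outside the allow list: confirm the request was in
        # fact refused and that the rules were in place at alert time.
        verdict = "investigate"
    elif explained:
        verdict = "dismiss"
    else:
        verdict = "investigate"
    recommendation = None
    if acls.get("defaultAction", "Allow") == "Allow":
        recommendation = ("set defaultAction=Deny and add explicit ipRules / "
                          "virtualNetworkRules for the sources that need access")
    return {
        "storageAccount": alert["storageAccount"],
        "clientIp": alert["clientIp"],
        "firewallAllows": allowed,
        "firewallReason": reason,
        "explainedByTravel": explained,
        "verdict": verdict,
        "recommendation": recommendation,
    }


if __name__ == "__main__":
    for name, acls in (("open", OPEN_ACCOUNT), ("locked", LOCKED_ACCOUNT)):
        result = triage(SAMPLE_ALERT, acls)
        print(name, result["verdict"], "-", result["firewallReason"])
```

Run against the open account the sample alert is dismissed because the travel explains it, but the result still carries the recommendation to move the account to `defaultAction=Deny` with explicit rules; against the locked account the same source IP is outside the allow list, so the alert is escalated rather than dismissed on travel alone.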