Sending SMS notification of Azure #Sentinel alerts, through #AzureMonitor

In Azure Sentinel, alert responses are driven by Playbooks. A Playbook is an Azure Logic App, which lets you automate anything from sending a simple e-mail to complex integration scenarios.

Last week Anders and I were working on a scenario where we needed to send alert notifications as text messages (SMS). There are several 3rd party connectors available in Logic Apps, but Azure Monitor provides this capability out of the box, without the need for additional agreements. Without any experience with them, we would guess that the 3rd party connectors have more features, for example the possibility for engineers on duty to acknowledge an alert notification by replying with a text message. But in this example we only need to send text messages.

All alerts raised within Azure Sentinel, as well as Azure Security Center, are written into the SecurityAlert table in the Azure Monitor Logs workspace. You can use the following query to view which products have raised alerts into this table in the last 60 days:

SecurityAlert
| where TimeGenerated between (ago(60d) .. ago(5m))
| summarize by ProductName

If you have connected products like Microsoft Cloud App Security or Microsoft Defender ATP, you will also see these listed as products.

Alerts raised by the analytics rules in Azure Sentinel have the ProductName property set to "Azure Sentinel". Because the alert data is stored in the SecurityAlert table in the Azure Monitor Logs workspace, we can leverage the built-in capabilities of Azure Monitor Alerts for the response.

In this example, we will use Azure Monitor to raise alerts from the Sentinel data for “Failed logon attempts within 10 mins”. This is a default rule in Azure Sentinel.


The following query shows the alerts we want to be notified about. It is executed in the workspace that Azure Sentinel is using. Once we have tested the query in Logs, we can use it to configure an alert rule in Azure Monitor.

SecurityAlert
| where ProductName == "Azure Sentinel"
| where ProviderName == "ASI Scheduled Alerts"
| where AlertName == "Failed logon attempts within 10 mins"


In this example we create a new action group that sends the notification as a text message.


Once the action group and the alert rule are configured, the phone number we included receives an SMS welcoming it to the action group. When a new alert is raised, a text message notification is sent out.
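As an added example, not part of the original post, here is the same setup done from PowerShell with the Az modules instead of clicking through the portal: test the query against the workspace, create the action group with an SMS receiver, and create the log alert rule that uses the query. It assumes the legacy scheduled-query cmdlets in Az.Monitor 1.x to 4.x (the cmdlet set was reworked in Az.Monitor 5), and the resource group, workspace and action group names, country code and phone number are placeholders you must replace.

```powershell
# Added example (not from the original post): Azure Monitor SMS alert on Sentinel
# alerts, built with PowerShell. Assumes Az.Accounts, Az.OperationalInsights and the
# legacy Az.Monitor (1.x-4.x) scheduled-query cmdlets. All names below are placeholders.
#Requires -Modules Az.Accounts, Az.OperationalInsights, Az.Monitor

param(
    [string]$ResourceGroup   = 'rg-sentinel',      # assumed name
    [string]$WorkspaceName   = 'law-sentinel',     # assumed name
    [string]$ActionGroupName = 'ag-soc-sms',       # assumed name
    [string]$CountryCode     = '47',               # assumed
    [string]$PhoneNumber     = '00000000'          # placeholder, not a real number
)

Connect-AzAccount | Out-Null

$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $WorkspaceName

# The same filter the post runs in Logs. No time filter here: the alert rule's
# own time window is applied when the rule is evaluated.
$query = @'
SecurityAlert
| where ProductName == "Azure Sentinel"
| where ProviderName == "ASI Scheduled Alerts"
| where AlertName == "Failed logon attempts within 10 mins"
'@

# 1. Dry run: confirm the query returns rows before wiring it to an alert rule.
$probe = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspace.CustomerId `
            -Query $query -Timespan (New-TimeSpan -Days 60)
Write-Host ("Query returned {0} matching Sentinel alert(s) in the last 60 days" -f @($probe.Results).Count)

# 2. Action group with one SMS receiver. Azure sends the 'welcome' SMS to the
#    number as soon as the group is created, as described in the post.
$sms = New-AzActionGroupReceiver -Name 'soc-oncall' -SmsReceiver `
           -CountryCode $CountryCode -PhoneNumber $PhoneNumber
$actionGroup = Set-AzActionGroup -ResourceGroupName $ResourceGroup -Name $ActionGroupName `
                   -ShortName 'socsms' -Receiver $sms

# 3. Log alert rule: evaluate the query every 5 minutes over the last 5 minutes and
#    fire when at least one row comes back (ResultCount > 0).
$source   = New-AzScheduledQueryRuleSource -Query $query -DataSourceId $workspace.ResourceId -QueryType 'ResultCount'
$schedule = New-AzScheduledQueryRuleSchedule -FrequencyInMinutes 5 -TimeWindowInMinutes 5
$trigger  = New-AzScheduledQueryRuleTriggerCondition -ThresholdOperator 'GreaterThan' -Threshold 0
$azns     = New-AzScheduledQueryRuleAznsActionGroup -ActionGroup $actionGroup.Id -EmailSubject 'Sentinel: failed logon attempts'
$action   = New-AzScheduledQueryRuleAlertingAction -AznsAction $azns -Severity '2' -Trigger $trigger

New-AzScheduledQueryRule -ResourceGroupName $ResourceGroup -Location $workspace.Location `
    -Name 'sentinel-failed-logons-sms' -Description 'SMS on Sentinel failed-logon alerts' `
    -Enabled $true -Source $source -Schedule $schedule -Action $action
```

Two things to keep in mind when putting this into production. Azure Monitor rate-limits SMS notifications to one message every 5 minutes per phone number, so a burst of Sentinel alerts collapses into a single text; if every alert must reach the on-call engineer, use a webhook or Logic App receiver alongside the SMS. And the 5-minute frequency and window above means an alert row written into SecurityAlert with more than 5 minutes of ingestion delay can be missed by the rule; widen TimeWindowInMinutes if you see gaps.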
