articles/security-center/security-center-alerts-service-layer.md
9 additions & 5 deletions
@@ -22,16 +22,20 @@ This topic presents the Azure Security Center alerts available when monitoring t
## Azure network layer<aname="network-layer"></a>
-
Security Center network-layer analytics are based on sample [IPFIX data](https://en.wikipedia.org/wiki/IP_Flow_Information_Export), which are packet headers collected by Azure core routers. Based on this data feed, Security Center machine learning models identify and flag malicious traffic activities. To enrich IP addresses, Security Center makes use of the Microsoft Threat Intelligence database.
+
Security Center network-layer analytics are based on sample [IPFIX data](https://en.wikipedia.org/wiki/IP_Flow_Information_Export), which are packet headers collected by Azure core routers. Based on this data feed, Security Center uses machine learning models to identify and flag malicious traffic activities. Security Center also uses the Microsoft Threat Intelligence database to enrich IP addresses.
-
You'll get alerts for suspicious network activity if your virtual machine has a public IP address, or is on a load balancer with a public IP address. If your VM or load balancer don't have a public IP address, Security Center will not generate network security alerts. Network layer threat detection alerts will be generated when an external IDS solutions are not blocking VMs network egress traffic.
+
Some network configurations may restrict Security Center from generating alerts on suspicious network activity. For Security Center to generate network alerts, ensure that:
+
+
✔ Your virtual machine has a public IP address (or is on a load balancer with a public IP address).
+
+
✔ Your virtual machine's network egress traffic isn't blocked by an external IDS solution.
+
+
✔ Your virtual machine has been assigned the same IP address for the entire hour during which the suspicious communication occurred. This also applies to VMs created as part of a managed service (e.g. AKS, Databricks).
For a list of the Azure network layer alerts, see the [Reference table of alerts](alerts-reference.md#alerts-azurenetlayer).
-
To understand how Security Center can use network-related signals to apply threat protection, see [Heuristic DNS detections in Azure Security Center](https://azure.microsoft.com/blog/heuristic-dns-detections-in-azure-security-center/).
+
For details of how Security Center can use network-related signals to apply threat protection, see [Heuristic DNS detections in Security Center](https://azure.microsoft.com/blog/heuristic-dns-detections-in-azure-security-center/).
-
>[!NOTE]
-
>Azure network layer threat detection alerts, in Azure Security Center, are only generated on virtual machines which have been assigned the same IP address for the entire hour during which a suspicious communication has taken place. This applies to virtual machines, as well as virtual machines that are created in the customer’s subscription as part of a managed service (e.g. AKS, Databricks).
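Review bot: the three added "✔ Your virtual machine ..." lines are plain paragraphs with a glyph prefix rather than a Markdown list, so they will not render (or be read by screen readers) as a list; use standard `- ` bullets for the three conditions instead of the ✔ character. Two smaller points on the same lines: the old paragraph stated the consequence outright ("If your VM or load balancer don't have a public IP address, Security Center will not generate network security alerts"), whereas the new lead-in only says some configurations "may restrict" alerting, so consider keeping the explicit "no public IP means no network alerts" statement; and the third condition carries over the removed NOTE's "(e.g. AKS, Databricks)" wording, which reads better as "for example, AKS or Databricks" in running text.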