In Azure Security Center, you have an option to configure Email Notification to receive alerts, as shown below:
In ASC, an email notification is sent on the first daily occurrence of an alert and only for high severity alerts, as fully documented in this article. In summary, ASC alert email notifications are sent under the following circumstances:
- Only for high severity alerts
- To a single email recipient per alert type per day
- No more than 3 email messages are sent to a single recipient in a single day
- Each email message contains a single alert, not an aggregation of alerts
When you enable SQL Servers and Storage accounts resources under the Pricing Tier in Security Center, the SQL ATP and ATP for Storage Account capabilities are enabled for this subscription.
At that point, when SQL ATP or ATP for Azure Storage detects malicious activity, it will trigger an alert, and that alert will appear in the Security Center security alerts dashboard. However, SQL ATP and ATP for Azure Storage have their own email notification flow, which is currently not integrated with Security Center. This means that you may receive email notifications for alerts triggered by SQL ATP or ATP for Azure Storage that are medium severity, like the one below:
The email address that ATP for Azure Storage uses to send those alerts is the email address configured in the Azure account profile. For more information about how to change this email address, read this article. The email address that SQL ATP uses is configured under the Database or Server setting, as shown below:
In summary, when you enable these two new resources in ASC, you will have three locations for email notifications:
- ASC dashboard: for alerts triggered by the ASC threat detection engine
- SQL Advanced Data Security blade: for alerts triggered by SQL ATP
- Azure account information: for alerts triggered by ATP for Azure Storage
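To see which alerts never reach a mailbox under the ASC rules listed above, and which of the three locations governs the rest, the following added example (not part of the original article or of any Azure API) models one day's alerts. The alert schema, the alert type names and the order in which the rules are checked are assumptions made for illustration.

```python
ASC_DAILY_CAP = 3  # article: no more than 3 emails per recipient per day

# Where the email setting lives for each alert source (article's summary list).
EMAIL_SETTING_LOCATION = {
    "ASC": "ASC dashboard",
    "SQL_ATP": "SQL Advanced Data Security blade",
    "STORAGE_ATP": "Azure account information",
}

def plan_notifications(alerts, asc_recipient):
    """Classify one day's alerts, in arrival order.

    Returns (asc_emails, asc_suppressed, separate_flow):
      asc_emails     - (recipient, alert type) pairs ASC would email
      asc_suppressed - (alert type, reason) shown in the dashboard only
      separate_flow  - (alert type, settings location) handled outside ASC
    """
    emailed_types = set()
    emails, suppressed, separate = [], [], []
    for alert in alerts:
        source, kind = alert["source"], alert["type"]
        if source != "ASC":
            # SQL ATP / ATP for Storage use their own flow; severity filter differs.
            separate.append((kind, EMAIL_SETTING_LOCATION[source]))
        elif alert["severity"] != "High":
            suppressed.append((kind, "not high severity"))
        elif kind in emailed_types:
            suppressed.append((kind, "alert type already emailed today"))
        elif len(emails) >= ASC_DAILY_CAP:
            suppressed.append((kind, "daily cap reached"))
        else:
            emailed_types.add(kind)
            emails.append((asc_recipient, kind))
    return emails, suppressed, separate

# Constructed sample data: type names and the recipient are placeholders.
SAMPLE_ALERTS = [
    {"source": "ASC", "type": "type-A", "severity": "High"},
    {"source": "ASC", "type": "type-A", "severity": "High"},
    {"source": "ASC", "type": "type-B", "severity": "Medium"},
    {"source": "ASC", "type": "type-C", "severity": "High"},
    {"source": "ASC", "type": "type-D", "severity": "High"},
    {"source": "ASC", "type": "type-E", "severity": "High"},
    {"source": "SQL_ATP", "type": "type-F", "severity": "Medium"},
    {"source": "STORAGE_ATP", "type": "type-G", "severity": "Medium"},
]

if __name__ == "__main__":
    for group in plan_notifications(SAMPLE_ALERTS, "secops@example.com"):
        print(group)
```

Every entry in the suppressed list still appears in the security alert dashboard; it only produces no email.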