Microsoft Defender for Cloud Blog

Email Notification for alerts triggered by ATP for Azure Storage, SQL ATP and Azure Security Center

YuriDiogenes
May 20, 2019

In Azure Security Center, you have an option to configure Email Notification to receive alerts, as shown below:

[Screenshot in the original post: Email notifications setting in Security Center]

In ASC, an email notification is sent on the first daily occurrence of an alert and only for high severity alerts, as fully documented in this article. In summary, ASC alert email notifications are sent under the following circumstances:

  • Only for high severity alerts
  • To a single email recipient per alert type per day
  • No more than 3 email messages are sent to a single recipient in a single day
  • Each email message contains a single alert, not an aggregation of alerts

When you enable the SQL Servers and Storage accounts resource types under the Pricing Tier in Security Center, the SQL ATP and ATP for Storage Account capabilities will be enabled for this subscription.

[Screenshot in the original post: Pricing Tier resource selection in Security Center]

At that point, when SQL ATP or ATP for Azure Storage detects malicious activity, it will trigger an alert, and that alert will appear in the Security Center security alerts dashboard. However, SQL ATP and ATP for Azure Storage have their own email notification flow, which is currently not integrated with Security Center. This means that you may receive an email notification for alerts triggered by SQL ATP or ATP for Azure Storage that are medium severity, like the one below:

[Screenshot in the original post: medium severity alert email sent by ATP]


The email address that ATP for Azure Storage uses to send those alerts is the email address configured in the Azure account profile. For more information about how to change this email address, read this article. The email address that SQL ATP uses is configured under the Database or Server setting (Advanced Data Security), as shown below:

[Screenshot in the original post: SQL Advanced Data Security email settings]


In summary, when you enable these two new resource types in ASC, you will have three locations for email notifications:

  • ASC dashboard: for alerts triggered by ASC threat detection engine
  • SQL Advanced Data Security blade: for alerts triggered by SQL ATP
  • Azure account information: for alerts triggered by ATP for Azure Storage
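As an added example that is not part of the original post, the following PowerShell reads back the recipients configured in the three locations listed above so you can confirm who will actually receive each kind of alert email. It assumes the Az.Security and Az.Sql modules are installed, that Connect-AzAccount has already been run, and the resource group and SQL server names are placeholders.

```powershell
# Added example (not from the original post): audit the email recipients behind the
# three notification flows described above (ASC contact, SQL ATP policy, account profile).
# Assumptions: Az.Security and Az.Sql are installed and you are signed in; names are placeholders.
param(
    [string]$ResourceGroupName = 'rg-placeholder',
    [string]$SqlServerName     = 'sqlserver-placeholder'
)

# 1. ASC dashboard: the security contact receives ASC's own (high severity) alert emails.
$contacts = Get-AzSecurityContact
if (-not $contacts) {
    Write-Warning 'No ASC security contact is configured; ASC alert emails will not be sent.'
}
foreach ($c in $contacts) {
    Write-Host ("ASC contact '{0}': email={1} notifyOnAlert={2} emailAdmins={3}" -f
        $c.Name, $c.Email, $c.AlertNotifications, $c.AlertsToAdmins)
}

# 2. SQL ATP: recipients live on the SQL server threat detection policy,
#    independent of the ASC contact above (a database-level policy can override it).
$policy = Get-AzSqlServerThreatDetectionPolicy -ResourceGroupName $ResourceGroupName `
                                               -ServerName $SqlServerName
Write-Host ("SQL ATP on '{0}': state={1} recipients='{2}' emailAdmins={3}" -f
    $SqlServerName, $policy.ThreatDetectionState,
    $policy.NotificationRecipientsEmails, $policy.EmailAdmins)
if ($policy.ThreatDetectionState -eq 'Enabled' -and
    [string]::IsNullOrWhiteSpace($policy.NotificationRecipientsEmails) -and
    -not $policy.EmailAdmins) {
    Write-Warning 'SQL ATP is enabled but no recipient or admin notification is configured.'
}

# 3. ATP for Azure Storage: alert emails go to the email address on the Azure account
#    profile. There is no cmdlet for that setting, so it has to be reviewed in the portal.
Write-Host 'Storage ATP: recipient is the Azure account profile email (review in the portal).'
```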
Updated May 20, 2019
Version 2.0
  • joenyiri
    Copper Contributor

    YuriDiogenes thank you very much for documenting this. I had a hard time determining how Azure was determining which e-mail address to send the Azure Storage ATP e-mails to. I just wish that the configurations across the three sources you describe were more consistent. For Azure Storage ATP especially, in order to change where these alerts are being sent, we'd need to change the e-mail address associated with the Azure account profile. This is extremely undesirable.

  • sn128
    Copper Contributor

    YuriDiogenes I've seen your other work on how to set up alerts and notifications via the ASC as well, especially the piece on how to validate if notifications are working (using the calc.exe app and a VM). Thanks for sharing your expertise with ASC.

    Regarding this setup, it's unfortunate that it isn't documented in the official documentation. We had a high severity alert on an SQL resource that we did not get notified of because of not knowing about this. Are you aware of when this will be integrated into a single workflow for all resources? Additionally, does this setup send out notifications for low severity alerts as well?

  • Hello sn128 - thanks for your feedback. We have in our roadmap the enhancement of this workflow, exactly to mitigate this scenario that you mentioned. I don't have a precise date to tell you, but it is targeted for next calendar year.