Detect and respond to security alerts

Appropriate roles: Admin agent

Applies to: Partner Center Direct Bill and Indirect Providers

Starting May 2023, you can subscribe to a new security alert for detections related to unauthorized party abuse and account takeovers. This security alert is one of the many ways Microsoft provides the data you need to secure your customers' tenants.

Important

As a partner in the Cloud Solution Provider (CSP) program, you're responsible for your customers' Azure consumption, so it's important that you're aware of any anomalous usage in your customer's Azure subscriptions. Use Microsoft Azure security alerts to detect patterns of fraudulent activities and misuse in Azure resources to help reduce your exposure to online transaction risks. Microsoft Azure security alerts don't detect all types of fraudulent activities or misuse, so it's critical that you use additional methods of monitoring to help detect anomalous usage in your customer's Azure subscriptions. To learn more, see Managing nonpayment, fraud, or misuse and Managing customer accounts.

Action required: With monitoring and signal awareness, you can take immediate action to determine whether the behavior is legitimate or fraudulent. If necessary, you can suspend affected Azure resources or Azure subscriptions to mitigate an issue.

Make sure that the preferred email address for your Partner Admin Agents is up to date, so they can be notified along with the security contacts.

Subscribe to security alert notifications

You can subscribe to various partner notifications based on your role.

Security alerts notify you when your customer's Azure subscription shows possible anomalous activities.

Get alerts by email

  1. Sign in to Partner Center and select Notifications (bell).
  2. Select My preferences.
  3. Set a preferred email address if you haven't already done so.
  4. Set the preferred language for the notification if you haven't already done so.
  5. Select Edit next to Email notification preferences.
  6. Check all boxes relating to Customers in the Workspace column. (To unsubscribe, unselect the transactional section under customer workspace.)
  7. Select Save.

We send security alerts when we detect possible fraudulent activities or misuse in some of your customers' Microsoft Azure subscriptions. There are three types of emails:

  • Daily summary of unresolved security alerts (count of partners, customers and subscriptions affected by various alert types)
  • Near real-time security alerts. To get a list of Azure subscriptions that have potential security concerns, see Get fraud events.
  • Near real-time security advisory notifications. These notifications provide visibility into the notifications sent to the customer when there's a security alert.

CSP direct bill partners can see more alerts for activities, for example: anomalous compute usage, crypto mining, Azure Machine Learning usage and service health advisory notifications.

Get alerts through a webhook

Starting from January 2023, partners can register for the webhook event azure-fraud-event-detected to receive alerts for resource change events. To learn more, see Partner Center webhook events.
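The following is an added example of how a receiving endpoint might validate an azure-fraud-event-detected delivery before acting on it; it is not Microsoft's code or part of this article. It assumes the payload fields (EventName, ResourceUri, ResourceName, AuditUri, ResourceChangeUtcDate) and the signature headers (Authorization: Signature, x-ms-certificate-url, x-ms-signature-algorithm) that Partner Center webhooks use, so confirm them against the webhook events reference. The allowed certificate host, the sample headers and the sample body are constructed placeholders. Beyond the page's text, it also flags alerts older than the 60-day window the daily summary uses, so stale alerts can be routed to the Ignore category rather than re-investigated.

```python
"""Validate a Partner Center webhook delivery for azure-fraud-event-detected.

Added example, not Microsoft's code. Assumptions: the payload fields
(EventName, ResourceUri, ResourceName, AuditUri, ResourceChangeUtcDate) and
the headers (Authorization: Signature ..., x-ms-certificate-url,
x-ms-signature-algorithm) follow the Partner Center webhook contract as this
example understands it; confirm them against the webhook events reference.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional
from urllib.parse import urlparse

EXPECTED_EVENT = "azure-fraud-event-detected"
# Microsoft keeps an alert in the daily summary while it is unresolved within
# the last 60 days; this example flags anything older as stale for triage.
STALE_AFTER = timedelta(days=60)
# Only fetch the signing certificate from hosts you have pinned. Placeholder:
# take the real host from a delivery you trust, not from this file.
ALLOWED_CERT_HOSTS = {"cert.placeholder.example"}


@dataclass
class Delivery:
    accepted: bool
    reason: str
    event_name: str = ""
    resource_uri: str = ""
    audit_uri: str = ""
    age_days: Optional[float] = None
    stale: bool = False


def signature_header_problem(headers: Dict[str, str]) -> Optional[str]:
    """Return None when the headers needed to verify the signature are sane,
    otherwise a rejection reason. Header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    scheme, _, value = h.get("authorization", "").partition(" ")
    if scheme != "Signature" or not value.strip():
        return "missing or malformed Authorization: Signature header"
    if h.get("x-ms-signature-algorithm", "").lower() != "rsa-sha256":
        return "unexpected x-ms-signature-algorithm"
    cert_url = urlparse(h.get("x-ms-certificate-url", ""))
    if cert_url.scheme != "https" or cert_url.hostname not in ALLOWED_CERT_HOSTS:
        # An attacker-controlled certificate URL would let them sign anything.
        return "x-ms-certificate-url is not on an allowed host"
    return None


def parse_delivery(headers: Dict[str, str], body: bytes, now: datetime) -> Delivery:
    problem = signature_header_problem(headers)
    if problem:
        return Delivery(False, problem)
    # In production, fetch the certificate from x-ms-certificate-url here and
    # verify the RSA-SHA256 signature over the raw body before parsing it.
    try:
        event = json.loads(body)
    except ValueError:
        return Delivery(False, "body is not valid JSON")
    if not isinstance(event, dict):
        return Delivery(False, "body is not a JSON object")
    name = event.get("EventName", "")
    if name != EXPECTED_EVENT:
        return Delivery(False, f"unexpected event {name!r}", event_name=name)
    try:
        changed = datetime.fromisoformat(event["ResourceChangeUtcDate"].replace("Z", "+00:00"))
    except (KeyError, ValueError, AttributeError):
        return Delivery(False, "missing or invalid ResourceChangeUtcDate", event_name=name)
    age = now - changed
    return Delivery(True, "ok", name, event.get("ResourceUri", ""), event.get("AuditUri", ""),
                    age.total_seconds() / 86400, age > STALE_AFTER)


# Constructed sample delivery; every value is a placeholder, not a real identifier.
SAMPLE_HEADERS = {
    "Authorization": "Signature c2FtcGxlLXNpZ25hdHVyZQ==",
    "x-ms-certificate-url": "https://cert.placeholder.example/webhook-signing.cer",
    "x-ms-signature-algorithm": "rsa-sha256",
}
FIXED_NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)


def sample_body(changed_utc: str, event_name: str = EXPECTED_EVENT) -> bytes:
    return json.dumps({
        "EventName": event_name,
        "ResourceUri": "https://resource.placeholder.example/fraudEvents/sub-placeholder",
        "ResourceName": "FraudEvent",
        "AuditUri": "https://audit.placeholder.example/record-placeholder",
        "ResourceChangeUtcDate": changed_utc,
    }).encode()


if __name__ == "__main__":
    print(parse_delivery(SAMPLE_HEADERS, sample_body("2024-05-30T08:00:00Z"), FIXED_NOW))
    print(parse_delivery(SAMPLE_HEADERS, sample_body("2024-02-01T08:00:00Z"), FIXED_NOW))
    print(parse_delivery({}, sample_body("2024-05-30T08:00:00Z"), FIXED_NOW))
```

The header checks run before the body is parsed so that an unsigned or mis-signed request never reaches the JSON parser or your triage queue; pinning the certificate host matters because a signature is only as trustworthy as the key it is checked against.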

See and respond to alerts through the Security Alerts dashboard

Starting May 2023, CSP partners can access the Partner Center Security Alerts dashboard to detect and respond to alerts. To learn more, see Respond to security events with Partner Center Security Alerts dashboard.

Get alert details through API

As of May 2023, CSP partners can use the FraudEvents API to get extra detection signals using X-NewEventsModel. With this model, you can get new types of alerts as they're added to the system, for example, anomalous compute usage, crypto mining, Azure Machine Learning usage and service health advisory notifications. New types of alerts can be added with limited notice, because threats are also evolving. If you use special handling through the API for different alert types, monitor these APIs for changes:
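Because alert types can be added with limited notice, code that branches on the alert type should fail closed on values it has never seen rather than silently dropping them. The block below is an added example of that pattern, not Partner Center or SDK code. The records are constructed; the field names (eventId, eventType, subscriptionId) are assumptions about the X-NewEventsModel response shape, and the four type labels stand in for the kinds the paragraph lists, not the API's actual enum values. It also deduplicates by event id, since the same alert can reach you by email, webhook and API.

```python
"""Triage a batch of FraudEvents API alerts without dropping alert types this
code has never seen.

Added example, not Partner Center or SDK code. The records are constructed and
the field names (eventId, eventType, subscriptionId) are assumptions about the
X-NewEventsModel response shape; the four type labels stand for the kinds the
page lists and are not the API's enum values.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Review deadline per alert type, chosen for this example.
REVIEW_SLA: Dict[str, timedelta] = {
    "CryptoMining": timedelta(hours=1),
    "AnomalousComputeUsage": timedelta(hours=4),
    "AzureMachineLearningUsage": timedelta(hours=4),
    "ServiceHealthAdvisory": timedelta(hours=24),
}
# Fail closed: a type added to the API after this table was written gets the
# tightest deadline and is counted, so the team notices and extends the table.
UNKNOWN_SLA = min(REVIEW_SLA.values())


def plan_reviews(events: List[dict], received_at: datetime) -> Tuple[List[dict], Counter]:
    """Return the review queue ordered by deadline and a count of unknown types."""
    seen = set()
    unknown: Counter = Counter()
    queue: List[dict] = []
    for ev in events:
        key = ev.get("eventId")
        if key is not None:
            if key in seen:  # same alert delivered more than once
                continue
            seen.add(key)
        etype = ev.get("eventType", "")
        sla = REVIEW_SLA.get(etype)
        if sla is None:
            unknown[etype] += 1
            sla = UNKNOWN_SLA
        queue.append({
            "eventId": key,
            "eventType": etype,
            "subscriptionId": ev.get("subscriptionId"),
            "knownType": etype in REVIEW_SLA,
            "reviewBy": received_at + sla,
        })
    queue.sort(key=lambda item: item["reviewBy"])  # stable: ties keep arrival order
    return queue, unknown


# Constructed sample batch: event evt-2 arrives twice and evt-3 has an unknown type.
SAMPLE_EVENTS = [
    {"eventId": "evt-1", "eventType": "ServiceHealthAdvisory", "subscriptionId": "sub-a"},
    {"eventId": "evt-2", "eventType": "CryptoMining", "subscriptionId": "sub-b"},
    {"eventId": "evt-3", "eventType": "BrandNewDetection", "subscriptionId": "sub-c"},
    {"eventId": "evt-2", "eventType": "CryptoMining", "subscriptionId": "sub-b"},
    {"eventId": "evt-4", "eventType": "AnomalousComputeUsage", "subscriptionId": "sub-a"},
]
RECEIVED_AT = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    queue, unknown = plan_reviews(SAMPLE_EVENTS, RECEIVED_AT)
    for item in queue:
        print(item["reviewBy"].isoformat(), item["eventType"], item["subscriptionId"])
    if unknown:
        print("unknown alert types, update REVIEW_SLA:", dict(unknown))
```

Surfacing the unknown-type counter in your monitoring turns "monitor these APIs for changes" into something that pages a human the first time a new alert type actually shows up in your tenant.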

What to do when you receive a security alert notification

The following checklist provides suggested next steps for what to do when you receive a security notification.

  • Check that the email notification is valid. Security alerts are sent from Microsoft Azure using the email address no-reply@microsoft.com; partners only receive these notifications from Microsoft.
  • When you're notified, you can also see the email alert in the Action Center portal. Select the bell icon to see the Action Center alerts.
  • Review the Azure subscriptions. Determine whether the activity in the subscription is legitimate and expected, or whether the activity might be due to unauthorized abuse or fraud.
  • Let us know what you found, either through the Security Alerts dashboard or from the API. To learn more about using the API, see Update fraud event status. Use the following categories to describe what you found:
    • Legitimate - The activity is expected or a false positive signal.
    • Fraud - The activity is due to unauthorized abuse or fraud.
    • Ignore - The activity is an older alert and should be ignored. To learn more, see Why are partners receiving older Security Alerts?
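The first step of the checklist, confirming that the notification really came from Microsoft, is where lookalike mails are caught. The block below is an added example of that check, not Partner Center code. The only value taken from the article is the expected sender, no-reply@microsoft.com; the sample messages and the gateway identifier OUR_AUTHSERV_ID are constructed, and the latter must be replaced with the authserv-id your own mail gateway writes into its Authentication-Results header (RFC 8601).

```python
"""Check that a security alert e-mail really came from Microsoft before acting on it.

Added example, not Partner Center code. The expected sender (no-reply@microsoft.com)
is the one the checklist gives; everything else is constructed: the sample
messages, and OUR_AUTHSERV_ID, which must be the authserv-id your own mail
gateway writes into Authentication-Results (RFC 8601).
"""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Dict, List, Tuple

EXPECTED_SENDER = "no-reply@microsoft.com"
OUR_AUTHSERV_ID = "mx.placeholder.example"  # placeholder for your gateway's id


def sender_address(msg: Message) -> str:
    """The actual address in From, ignoring the display name: a message with
    From: "no-reply@microsoft.com" <x@attacker.example> resolves to the latter."""
    return parseaddr(msg.get("From", ""))[1].lower()


def auth_results(msg: Message, authserv_id: str) -> Dict[str, str]:
    """Collect method=result pairs (spf, dkim, dmarc) from Authentication-Results
    headers written by our own gateway. Headers carrying any other authserv-id
    may have been supplied by the sender and are ignored."""
    results: Dict[str, str] = {}
    for header in msg.get_all("Authentication-Results", []):
        clauses = [c.strip() for c in str(header).replace("\n", " ").split(";")]
        if not clauses or not clauses[0] or clauses[0].split()[0] != authserv_id:
            continue
        for clause in clauses[1:]:
            if not clause:
                continue
            method, _, result = clause.split()[0].partition("=")
            results[method.lower()] = result.lower()
    return results


def validate_alert_mail(raw: str, authserv_id: str = OUR_AUTHSERV_ID) -> Tuple[bool, List[str]]:
    """Return (looks_genuine, findings). Any finding means: do not follow the
    mail's instructions; open Partner Center directly instead."""
    msg = message_from_string(raw)
    findings: List[str] = []
    addr = sender_address(msg)
    if addr != EXPECTED_SENDER:
        findings.append(f"From address {addr!r} is not {EXPECTED_SENDER}")
    results = auth_results(msg, authserv_id)
    if results.get("dmarc") != "pass":
        findings.append(f"DMARC result {results.get('dmarc', 'absent')!r}, expected 'pass'")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != EXPECTED_SENDER:
        findings.append(f"Reply-To {reply_to!r} redirects replies away from the sender")
    return (not findings, findings)


# Constructed sample messages; only the headers matter for this check.
GENUINE_SAMPLE = "\n".join([
    "Authentication-Results: mx.placeholder.example; spf=pass smtp.mailfrom=microsoft.com;",
    " dkim=pass header.d=microsoft.com; dmarc=pass header.from=microsoft.com",
    "From: Microsoft Azure <no-reply@microsoft.com>",
    "To: admin-agent@partner.placeholder.example",
    "Subject: Security alert: anomalous compute usage detected",
    "",
    "(body)",
])
SPOOFED_SAMPLE = "\n".join([
    "Authentication-Results: mx.placeholder.example; spf=fail smtp.mailfrom=attacker.example;",
    " dkim=none; dmarc=fail header.from=microsoft.com",
    'From: "no-reply@microsoft.com" <alerts@attacker.example>',
    "Reply-To: alerts@attacker.example",
    "To: admin-agent@partner.placeholder.example",
    "Subject: Urgent: your Azure subscription will be suspended",
    "",
    "(body)",
])

if __name__ == "__main__":
    for label, sample in (("genuine", GENUINE_SAMPLE), ("spoofed", SPOOFED_SAMPLE)):
        ok, findings = validate_alert_mail(sample)
        print(label, "OK" if ok else "REJECT", findings)
```

Comparing the parsed address rather than the raw From header is the important detail: a display name can say anything, including the expected address itself, while the authenticated result in Authentication-Results is the only part a sender cannot choose.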

What additional steps can you take to lower the risk of compromise?

What should you do if an Azure subscription has been compromised?

Take immediate action to protect your account and data. Here are a few suggestions and tips to quickly respond and contain a potential incident to reduce its impact and overall business risk.

Remediating compromised identities in a cloud environment is crucial for ensuring the overall security of cloud-based systems. Compromised identities can provide attackers with access to sensitive data and resources, making it essential to take immediate action to protect the account and data.

After malicious actors are evicted, clean the compromised resources. Keep a close eye on the affected subscription to make sure there's no further suspicious activity. It's also a good idea to regularly review your logs and audit trails to ensure that your account is secure.

Preventing account compromise is easier than recovering from it. Therefore, it's important to strengthen your security posture.

For more information, see the article support.

More tools for monitoring

How to prepare your end customers

Microsoft sends notifications to Azure subscriptions, which go to your end customers. Work with your end customer to ensure that they can act appropriately and are alerted of various security issues within their environment:

  • Set up usage alerts with Azure Monitor or Azure Cost Management.
  • Set up Service Health Alerts to be aware of other notifications from Microsoft about security and other related issues.
  • Work with your organization's Tenant Admin (if this isn't managed by the Partner) to enforce increased security measures on your tenant (see the following section).

Additional information for protecting your tenant

If you suspect unauthorized usage of your or your customer's Azure subscription, engage Microsoft Azure Support so that Microsoft can help with any other questions or concerns.

If you have specific questions regarding Partner Center, submit a support request in Partner Center. For more information, see Get support in Partner Center.

Check security notifications under Activity logs

  1. Sign in to Partner Center and select the settings (gear) icon in the top-right corner, then select the Account settings workspace.
  2. Navigate to Activity logs on the left panel.
  3. Set the From and To dates in the top filter.
  4. In Filter by Operation Type, select Azure Fraud Event Detected. You should see all security alert events detected for the selected period.

Why are partners receiving older Azure security alerts?

Microsoft has been sending Azure Fraud alerts since December 2021. However, in the past, alert notification was based on opt-in preference only, where partners had to opt in to receive notice. We've changed this behavior. Partners should now resolve all fraud alerts (including old alerts) that are open. Follow the Cloud Solution Provider security best practices to strengthen your and your customers' security posture.

Microsoft sends the daily fraud summary (the count of partners, customers, and subscriptions affected) whenever there's an active, unresolved fraud alert within the last 60 days.

Why am I not seeing all the alerts?

Security alert notifications are limited to detecting patterns of certain anomalous actions in Azure. Security alert notifications don't detect, and aren't guaranteed to detect, all anomalous behaviors. It's critical that you use other methods of monitoring to help detect anomalous usage in your customer's Azure subscriptions, such as monthly Azure spending budgets. If you find significant anomalous activity that no alert reported (a false negative), reach out to Partner Support and provide the following information:

  • Partner Tenant ID
  • Customer Tenant ID
  • Subscription ID
  • Resource ID
  • Impact start and impact end dates

Next steps