Azure Security Center Alerts

Alerts are another part of Azure Security Center; they help you detect possible issues. The security alerts section lets you track when unauthorized access to your resources was attempted. The alerts overview in Azure Security Center lists possible attacks on your resources and shows when they happened, as shown in the following screenshot:

Selecting an alert shows more information, such as the date, the credentials that were used, the number of login attempts, and other details. Under Geo and Threat Intelligence Information, we can see where the attack came from, with a geographical location for its origin. Combining the login information with the geo-location lets us judge whether this was a legitimate user or a brute-force attack on our resources. If a valid user attempted to log in three times from a known location, the most likely explanation is a user who has simply forgotten their password.

If we have 50 attempts from unknown user(s) from unknown location(s), we can assume it was a brute-force attack. Under Remediation steps, we have instructions on how to prevent similar attacks in the future. A sample suspicious authentication activity alert is shown here:

At the bottom, there are two additional actions: Investigate and View playbooks. Investigate opens the incident so we can review it in more detail. View playbooks lets us create (or reuse an existing) logic app that will take action automatically if similar events happen in the future. With a logic app, we can design the steps and actions that respond to an attack. For example, if a login with an invalid user is attempted more than three times, the playbook can add an NSG rule that blocks the source's access to the resource for the next 48 hours. Keep in mind that such a rule blocks only the source address it names, so a brute-force attack spread across many addresses needs a broader response. An example of the investigation details is shown in the following screenshot:
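The following is an added example (not code from the book or from Azure Security Center) that puts the two ideas above into working code: the triage rule that separates a forgotten password from a brute-force attempt, and the response the playbook would take, expressed as the NSG deny rule it would add with its 48-hour expiry. The log format, the sample sign-in records, the known-user and known-location sets, and the thresholds are all constructed assumptions for the example.

```python
"""Triage failed sign-ins and build the NSG deny rule a playbook would apply.

Added example, not Security Center output. The record format below is a
constructed one: "<UTC timestamp> <user> <source IP> <geo> <FAIL|SUCCESS>".
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Hypothetical allow-lists a tenant might maintain (assumption, not Azure data).
KNOWN_USERS = {"alice", "bob"}
KNOWN_LOCATIONS = {"Belgrade,RS"}

MAX_FORGOTTEN_PASSWORD_ATTEMPTS = 3  # a real user mistyping their password
MAX_INVALID_USER_ATTEMPTS = 3        # beyond this the playbook blocks the source
BLOCK_HOURS = 48

# Constructed sample records for the example.
SAMPLE_LOG = """\
2019-03-01T08:00:01Z alice 198.51.100.7 Belgrade,RS FAIL
2019-03-01T08:00:20Z alice 198.51.100.7 Belgrade,RS FAIL
2019-03-01T08:00:42Z alice 198.51.100.7 Belgrade,RS FAIL
2019-03-01T08:01:05Z alice 198.51.100.7 Belgrade,RS SUCCESS
2019-03-01T09:10:00Z admin 203.0.113.50 Unknown FAIL
2019-03-01T09:10:01Z root 203.0.113.50 Unknown FAIL
2019-03-01T09:10:02Z test 203.0.113.50 Unknown FAIL
2019-03-01T09:10:03Z guest 203.0.113.50 Unknown FAIL
2019-03-01T09:10:04Z oracle 203.0.113.50 Unknown FAIL
2019-03-01T10:00:00Z bob 192.0.2.9 Unknown FAIL
2019-03-01T10:00:30Z bob 192.0.2.9 Unknown FAIL
"""


def parse_events(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src_ip, geo, result = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "user": user,
            "src_ip": src_ip,
            "geo": geo,
            "failed": result == "FAIL",
        })
    return events


def classify_sources(events):
    """Return {src_ip: verdict}, verdict in {'forgotten-password', 'brute-force', 'review'}."""
    by_ip = defaultdict(list)
    for event in events:
        by_ip[event["src_ip"]].append(event)
    verdicts = {}
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["failed"]]
        if not failures:
            continue
        invalid_user_failures = sum(1 for e in failures if e["user"] not in KNOWN_USERS)
        known_geo = all(e["geo"] in KNOWN_LOCATIONS for e in failures)
        if invalid_user_failures > MAX_INVALID_USER_ATTEMPTS:
            verdicts[ip] = "brute-force"          # many invalid users: block the source
        elif (invalid_user_failures == 0 and known_geo
              and len(failures) <= MAX_FORGOTTEN_PASSWORD_ATTEMPTS):
            verdicts[ip] = "forgotten-password"   # valid user, known place, few tries
        else:
            verdicts[ip] = "review"               # e.g. a valid user from an unknown place
    return verdicts


def build_nsg_deny_rule(src_ip, detected_at, priority=100):
    """Build the deny rule the playbook would add for one source address.

    NSG rules have no built-in expiry, so the playbook must also schedule the
    removal; the removal time is returned next to the rule. Priority must be a
    lower number than any allow rule it has to override (NSG range 100-4096).
    """
    rule = {
        "name": f"deny-bruteforce-{src_ip.replace('.', '-')}",
        "priority": priority,
        "direction": "Inbound",
        "access": "Deny",
        "protocol": "*",
        "sourceAddressPrefix": f"{src_ip}/32",
        "sourcePortRange": "*",
        "destinationAddressPrefix": "*",
        "destinationPortRange": "*",
    }
    return rule, detected_at + timedelta(hours=BLOCK_HOURS)


def plan_response(events):
    """Run triage and return (rule, remove_at) pairs for every brute-force source."""
    last_failure = {}
    for event in events:
        if event["failed"]:
            ip = event["src_ip"]
            last_failure[ip] = max(event["time"], last_failure.get(ip, event["time"]))
    return [build_nsg_deny_rule(ip, last_failure[ip])
            for ip, verdict in classify_sources(events).items()
            if verdict == "brute-force"]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for ip, verdict in classify_sources(evs).items():
        print(f"{ip:15} {verdict}")
    for rule, remove_at in plan_response(evs):
        print(f"add {rule['name']} (priority {rule['priority']}), remove at {remove_at.isoformat()}")
```

The "review" verdict is deliberate: a valid user from an unknown location matches neither the forgotten-password pattern nor the brute-force one, and an analyst should look at it rather than have the playbook block a travelling colleague.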
