Real-Time Threat Configuration for Azure

❗️ Please note that this feature is currently not working due to some technical issues.

Overview

This user guide explains the configuration steps and pricing details for enabling real-time threat detection with Microsoft Defender for Cloud: setting up a Policy Assignment, configuring Defender plans, defining an Action Group, and configuring an Activity Log Alert Rule so that security alerts are delivered.

Users must perform the following steps in the Azure portal.

Step 1: Create Policy Assignment

Create a Policy Assignment using the sample JSON code shown below.

{
    "name": "SecurityCenterBuiltIn",
    "properties": {
        "displayName": "Enable Monitoring in Azure Security Center",
        "description": "Policy Assignment to enable security center",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8",
        "parameters": {},
        "metadata": {
            "assignedBy": "Security_Center",
            "corestack-system-manage": "true",
            "corestack-system-category": "enable_azure_security_center"
        }
    }
}

To enforce the use of Defender for Cloud, apply the built-in Azure policy initiative referenced by the policyDefinitionId above. Note that this Policy Assignment is used for audit purposes only.

Step 2: Enable Services and Select Pricing Tier 

In the Defender for Cloud application, enable all required services and select a pricing tier.

In Defender plans, the Foundational Cloud Security Posture Management (CSPM) tier is currently free. Other Defender plans (for example: Servers, Containers, SQL, etc.) incur usage-based charges. Please review cost breakdown details in the Defender for Cloud Pricing page.

Services to be enabled are:

  • Defender for Cloud
  • Log Analytics
  • Azure Monitor

Steps for pricing tier selection:

  1. Go to Defender for Cloud > Environment Settings > [Subscription] > Pricing & Settings.
  2. Select pricing tier for the required resource types (VMs, Containers, SQL, etc.).
  3. Click Save.

Step 3: Create Action Group with Webhook Receiver 

Create an Action Group with a Webhook Receiver using the following JSON code.

{  
  "location": "Global",  
  "tags": {  
    "corestack-system-manage": "true"  
  },  
  "properties": {  
    "groupShortName": "<first_8_chars_of_action_group_name>",  
    "enabled": true,  
    "webhookReceivers": [  
      {  
        "name": "security_webhook",  
        "serviceUri": "<webhook_url>"  
      }  
    ]  
  }  
}  

Steps to create an Action Group: 

  1. Navigate to Azure portal > Monitor > Alerts > Action groups.

  2. Click + Create.

  3. Select appropriate options in Subscription and Resource group fields.

  4. In the Action group name box, type the action group name and in the Display name box, type the short name.

  5. In the Action type list, select the Webhook option and fill in the webhook name and the webhook URL (the name and serviceUri values shown in the JSON above).

  6. Add any additional tags such as: corestack-system-manage=true 

  7. Click Review + create.

Step 4: Create Activity Log Alert Rule

Create Activity Log Alert Rules to monitor specific actions in your Azure environment and trigger notifications or automated responses. Refer to the following example.

{
    "location": "global",
    "tags": {
        "corestack-system-manage": "true"
    },
    "properties": {
        "scopes": [
            "/subscriptions/<subscription_id>"
        ],
        "enabled": true,
        "condition": {
            "allOf": [
                {
                    "field": "category",
                    "equals": "Security"
                },
                {
                    "field": "resourceType",
                    "equals": "Microsoft.Security/locations/alerts"
                }
            ]
        },
        "actions": {
            "actionGroups": [
                {
                    "actionGroupId": "<above_created_action_group_id>"
                }
            ]
        },
        "description": "This alert rule is created to trigger security threats in this subscription"
    }
}

Steps to Create Alert Rule: 

  1. Navigate to Azure portal > Monitor > Alerts > Alert rules.

  2. Click + Create and choose Activity Log Alert. 

  3. Select Subscription and Scope.

  4. In the Condition tab, define conditions (for example: in the Signal name field, type Security).

  5. In the Actions tab, in the Subscription drop-down list, select the previously created action group to attach it.

  6. In the Review + create tab, review the details and click Create.
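As an added example that is not part of this guide or of CoreStack's own code, the following Python builds the Step 3 and Step 4 request bodies and checks an alert-rule body for the mistakes that would keep it from ever delivering a Defender alert (invalid JSON such as an unquoted placeholder, a disabled rule, a missing Security condition, a missing action group ID). The subscription ID, resource group, action group name and webhook URL it uses are constructed placeholders; the HTTPS requirement is this helper's own rule, not an Azure one.

```python
import json
import re

# Added helper (not CoreStack's code): build and sanity-check the Step 3 / Step 4 bodies.
SECURITY_ALERT_TYPE = "Microsoft.Security/locations/alerts"
ACTION_GROUP_ID_RE = re.compile(  # /subscriptions/<guid>/resourceGroups/<rg>/providers/microsoft.insights/actionGroups/<name>
    r"^/subscriptions/[0-9a-f-]{36}/resourceGroups/[^/]+/providers/microsoft\.insights/actionGroups/[^/]+$",
    re.IGNORECASE)

def action_group_payload(name, webhook_url):
    """Step 3 body; groupShortName is the first 8 characters of the name, as the guide says."""
    if not webhook_url.lower().startswith("https://"):  # this helper's own rule: alert payloads carry security context
        raise ValueError("webhook receiver must use HTTPS")
    return {"location": "Global", "tags": {"corestack-system-manage": "true"},
            "properties": {"groupShortName": name[:8], "enabled": True,
                           "webhookReceivers": [{"name": "security_webhook", "serviceUri": webhook_url}]}}

def alert_rule_payload(subscription_id, action_group_id):
    """Step 4 body: fire on Defender for Cloud security alerts raised in one subscription."""
    return {"location": "global", "tags": {"corestack-system-manage": "true"},
            "properties": {
                "scopes": [f"/subscriptions/{subscription_id}"],
                "enabled": True,
                "condition": {"allOf": [{"field": "category", "equals": "Security"},
                                        {"field": "resourceType", "equals": SECURITY_ALERT_TYPE}]},
                "actions": {"actionGroups": [{"actionGroupId": action_group_id}]},
                "description": "Trigger on security threats in this subscription"}}

def check_alert_rule(body):
    """Return the problems that would stop the rule from ever delivering a Defender alert."""
    try:
        rule = json.loads(body) if isinstance(body, str) else body
    except json.JSONDecodeError as exc:  # e.g. an unquoted <placeholder> or a Python True in the body
        return [f"not valid JSON: {exc.msg}"]
    props, problems = rule.get("properties", {}), []
    if props.get("enabled") is not True:
        problems.append("rule is not enabled")
    conds = {c.get("field"): c.get("equals") for c in props.get("condition", {}).get("allOf", [])}
    if conds.get("category") != "Security":
        problems.append("condition does not filter category == Security")
    if conds.get("resourceType") != SECURITY_ALERT_TYPE:
        problems.append(f"condition does not filter resourceType == {SECURITY_ALERT_TYPE}")
    groups = props.get("actions", {}).get("actionGroups", [])
    if not groups or not all(ACTION_GROUP_ID_RE.match(str(g.get("actionGroupId", ""))) for g in groups):
        problems.append("actionGroupId missing or not an action group resource ID")
    return problems
```

Run check_alert_rule on the body before submitting it with az rest or an ARM deployment; an empty list means the rule is wired to the Security category, the Defender alert resource type and a real action group ID.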

Step 5: Perform Threat Configuration in the Platform

After completing all the steps in Azure portal, refer to the following link and perform threat configuration in the CoreStack platform.

https://docs.corestack.io/docs/onboarding-for-azure-subscriptions#threat-management

Summary Table

| Component | Free | Cost Notes |
|---|---|---|
| Policy Assignment | Yes | Free |
| Defender CSPM (Foundational) | Yes | Free |
| Defender Plans (Servers, SQL, etc.) | No | Usage-based |
| Action Group Creation | Yes | Free |
| Action Group Actions (SMS, Voice, etc.) | No | Usage-based |
| Activity Log Alert Rule | Yes | Free |
| Log Analytics (ingestion/storage) | No | ~$2.30/GB + retention |

Cost Breakdown Details 

Action Group Pricing 

| Action Type | Pricing Detail |
|---|---|
| SMS | ~$0.01–$0.02 per message (varies by region) |
| Voice Call | ~$0.02–$0.05 per call |
| Webhook | Free from Azure, but the external webhook platform may have its own cost. |
| Logic App | Based on number of executions (per Logic App pricing). |
| Azure Function | First 1M executions/month free; $0.20 per million after that. |
| Automation Runbook | First 500 mins/month free; then ~$0.002/min. |

Log Analytics Cost 

  • Typical event size: ~10–25 KB
  • Ingestion price: ~$2.30 per GB (varies by region) 
  • Data retention: First 31 days free, ~$0.10/GB/month after that 
