Merge pull request #189879 from dotanpatrich/patch-11

change AppServices_AnomalousPageAccess severity to Low

Author: PRMerger15

articles/defender-for-cloud/alerts-reference.md

@@ -258,7 +258,7 @@ At the bottom of this page, there's a table describing the Microsoft Defender fo
 | **An IP that connected to your Azure App Service FTP Interface was found in Threat Intelligence**<br>(AppServices_IncomingTiClientIpFtp) | Azure App Service FTP log indicates a connection from a source address that was found in the threat intelligence feed. During this connection, a user accessed the pages listed.<br>(Applies to: App Service on Windows and App Service on Linux)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | Initial Access                                                     | Medium   |
 | **Attempt to run high privilege command detected**<br>(AppServices_HighPrivilegeCommand)                                                 | Analysis of App Service processes detected an attempt to run a command that requires high privileges.<br>The command ran in the web application context. While this behavior can be legitimate, in web applications this behavior is also observed in malicious activities.<br>(Applies to: App Service on Windows)                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | -                                                                  | Medium   |
 | **Communication with suspicious domain identified by threat intelligence**<br>(AzureDNS_ThreatIntelSuspectDomain) | Communication with suspicious domain was detected by analyzing DNS transactions from your resource and comparing against known malicious domains identified by threat intelligence feeds. Communication to malicious domains is frequently performed by attackers and could imply that your resource is compromised.                                                                            | Initial Access, Persistence, Execution, Command And Control, Exploitation              | Medium   |
-| **Connection to web page from anomalous IP address detected**<br>(AppServices_AnomalousPageAccess)                                       | Azure App Service activity log indicates an anomalous connection to a sensitive web page from the listed source IP address. This might indicate that someone is attempting a brute force attack into your web app administration pages. It might also be the result of a new IP address being used by a legitimate user. If the source IP address is trusted, you can safely suppress this alert for this resource. To learn how to suppress security alerts, see [Suppress alerts from Microsoft Defender for Cloud](alerts-suppression-rules.md). <br>(Applies to: App Service on Windows and App Service on Linux)                                                                                                                                                                        | Initial Access                                                     | Medium   |
+| **Connection to web page from anomalous IP address detected**<br>(AppServices_AnomalousPageAccess)                                       | Azure App Service activity log indicates an anomalous connection to a sensitive web page from the listed source IP address. This might indicate that someone is attempting a brute force attack into your web app administration pages. It might also be the result of a new IP address being used by a legitimate user. If the source IP address is trusted, you can safely suppress this alert for this resource. To learn how to suppress security alerts, see [Suppress alerts from Microsoft Defender for Cloud](alerts-suppression-rules.md). <br>(Applies to: App Service on Windows and App Service on Linux)                                                                                                                                                                        | Initial Access                                                     | Low   |
 | **Dangling DNS record for an App Service resource detected**<br>(AppServices_DanglingDomain)                                             | A DNS record that points to a recently deleted App Service resource (also known as "dangling DNS" entry) has been detected. This leaves you susceptible to a subdomain takeover. Subdomain takeovers enable malicious actors to redirect traffic intended for an organization’s domain to a site performing malicious activity.<br>(Applies to: App Service on Windows and App Service on Linux)                                                                                                                                                                                                                                                                                                                                                                                             | -                                                                  | High     |
 | **Detected encoded executable in command line data**<br>(AppServices_Base64EncodedExecutableInCommandLineParams)                         | Analysis of host data on {Compromised host} detected a base-64 encoded executable. This has previously been associated with attackers attempting to construct executables on-the-fly through a sequence of commands, and attempting to evade intrusion detection systems by ensuring that no individual command would trigger an alert. This could be legitimate activity, or an indication of a compromised host.<br>(Applies to: App Service on Windows)                                                                                                                                                                                                                                                                                                                                   | Defense Evasion, Execution                                         | High     |
 | **Detected file download from a known malicious source**<br>(AppServices_SuspectDownload)                                                | Analysis of host data has detected the download of a file from a known malware source on your host.<br>(Applies to: App Service on Linux)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | Privilege Escalation, Execution, Exfiltration, Command and Control | Medium   |