Update alerts-reference.md

added alert: Preview Suspicious key vault recovery detected

Author: AlizaBernstein

articles/defender-for-cloud/alerts-reference.md

@@ -446,6 +446,7 @@ Microsoft Defender for Containers provides security alerts on the cluster level
 | **PREVIEW - Activity from infrequent country**<br>(ARM.MCAS_ActivityFromInfrequentCountry)                                                                        | Activity from a location that wasn't recently or ever visited by any user in the organization has occurred.<br>This detection considers past activity locations to determine new and infrequent locations. The anomaly detection engine stores information about previous locations used by users in the organization.<br>Requires an active Microsoft Defender for Cloud Apps license.                                                       | -                                       | Medium   |
 | **PREVIEW - Azurite toolkit run detected**<br>(ARM_Azurite)                                                                                                       | A known cloud-environment reconnaissance toolkit run has been detected in your environment. The tool [Azurite](https://github.com/mwrlabs/Azurite) can be used by an attacker (or penetration tester) to map your subscriptions' resources and identify insecure configurations.                                                                                                                                                         | Collection                                   | High     |
 | **PREVIEW - Impossible travel activity**<br>(ARM.MCAS_ImpossibleTravelActivity)                                                                                   | Two user activities (in a single or multiple sessions) have occurred, originating from geographically distant locations. This occurs within a time period shorter than the time it would have taken the user to travel from the first location to the second. This indicates that a different user is using the same credentials.<br>This detection uses a machine learning algorithm that ignores obvious false positives contributing to the impossible travel conditions, such as VPNs and locations regularly used by other users in the organization. The detection has an initial learning period of seven days, during which it learns a new user's activity pattern.<br>Requires an active Microsoft Defender for Cloud Apps license. | - | Medium   |
+| **PREVIEW - Suspicious key vault recovery detected**<br>(Arm_Suspicious_Vault_Recovering) | Microsoft Defender for Resource Manager detected a suspicious recovery operation for a soft-deleted key vault resource.<br> The user recovering the resource is different from the user that deleted it. This is highly suspicious because the user rarely invokes such an operation. In addition, the user logged on without multi-factor authentication (MFA).<br> This might indicate that the user is compromised and is attempting to discover secrets and keys to gain access to sensitive resources, or to perform lateral movement across your network. | Lateral movement | Medium/high    |
 | **PREVIEW - Suspicious management session using an inactive account detected**<br>(ARM_UnusedAccountPersistence)                                                  | Subscription activity logs analysis has detected suspicious behavior. A principal not in use for a long period of time is now performing actions that can secure persistence for an attacker.                                                                                                                                                                                                                                            | Persistence                                  | Medium   |
 | **PREVIEW - Suspicious management session using PowerShell detected**<br>(ARM_UnusedAppPowershellPersistence)                                                     | Subscription activity logs analysis has detected suspicious behavior. A principal that doesn't regularly use PowerShell to manage the subscription environment is now using PowerShell, and performing actions that can secure persistence for an attacker.                                                                                                                                                                              | Persistence                                  | Medium   |
 | **PREVIEW – Suspicious management session using Azure portal detected**<br>(ARM_UnusedAppIbizaPersistence)                                                        | Analysis of your subscription activity logs has detected a suspicious behavior. A principal that doesn't regularly use the Azure portal (Ibiza) to manage the subscription environment (hasn't used Azure portal to manage for the last 45 days, or a subscription that it is actively managing), is now using the Azure portal and performing actions that can secure persistence for an attacker.                                      | Persistence                                  | Medium   |