
Commit 3c724e9

Merge pull request #187354 from ElazarK/cosmos-alerts
added cosmos alerts
2 parents 5791af0 + 3b91742 commit 3c724e9

File tree

1 file changed: 11 additions, 6 deletions

articles/defender-for-cloud/alerts-reference.md

Lines changed: 11 additions & 6 deletions
@@ -2,7 +2,7 @@
22
title: Reference table for all security alerts in Microsoft Defender for Cloud
33
description: This article lists the security alerts visible in Microsoft Defender for Cloud
44
ms.topic: reference
5-
ms.date: 02/06/2022
5+
ms.date: 02/10/2022
66
---
77
# Security alerts - a reference guide
88

@@ -513,11 +513,16 @@ Microsoft Defender for Containers provides security alerts on the cluster level
513513

514514
[Further details and notes](other-threat-protections.md#cosmos-db)
515515

516-
| Alert | Description | MITRE tactics<br>([Learn more](#intentions)) | Severity |
517-
|-------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------------------------------------------:|----------|
518-
| **PREVIEW - Access from an unusual location to a Cosmos DB account** | Indicates that there was a change in the access pattern to an Azure Cosmos DB account. Someone has accessed this account from an unfamiliar IP address, compared to recent activity. Either an attacker has accessed the account, or a legitimate user has accessed it from a new and unusual geographical location. An example of the latter is remote maintenance from a new application or developer. | Exploitation | Medium |
519-
| **PREVIEW - Unusual amount of data extracted from a Cosmos DB account** | Indicates that there was a change in the data extraction pattern from an Azure Cosmos DB account. Someone has extracted an unusual amount of data compared to recent activity. An attacker might have extracted a large amount of data from an Azure Cosmos DB database (for example, data exfiltration or leakage, or an unauthorized transfer of data). Or, a legitimate user or application might have extracted an unusual amount of data from a container (for example, for maintenance backup activity). | Exfiltration | Medium |
520-
| | | | |
516+
| Alert | Description | MITRE tactics<br>([Learn more](#intentions)) | Severity |
517+
|--|--|:-:|--|
518+
| **PREVIEW - Access from a Tor exit node** | This Cosmos DB account was successfully accessed from an IP address known to be an active exit node of Tor, an anonymizing proxy. Authenticated access from a Tor exit node is a likely indication that a threat actor is trying to hide their identity. | Initial Access | High/Medium |
519+
| **PREVIEW - Access from a suspicious IP** | This Cosmos DB account was successfully accessed from an IP address that was identified as a threat by Microsoft Threat Intelligence. | Initial Access | Medium |
520+
| **PREVIEW - Access from an unusual location** | This Cosmos DB account was accessed from a location considered unfamiliar, based on the usual access pattern. <br><br> Either a threat actor has gained access to the account, or a legitimate user has connected from a new or unusual geographic location | Initial Access | Low |
521+
| **PREVIEW - Unusual volume of data extracted** | An unusually large volume of data has been extracted from this Cosmos DB account. This might indicate that a threat actor exfiltrated data. | Exfiltration | Medium |
522+
| **PREVIEW - Extraction of Cosmos DB accounts keys via a potentially malicious script** | A PowerShell script was run in your subscription and performed a suspicious pattern of key-listing operations to get the keys of Cosmos DB accounts in your subscription. Threat actors use automated scripts, like Microburst, to list keys and find Cosmos DB accounts they can access. <br><br> This operation might indicate that an identity in your organization was breached, and that the threat actor is trying to compromise Cosmos DB accounts in your environment for malicious intentions. <br><br> Alternatively, a malicious insider could be trying to access sensitive data and perform lateral movement. | Collection | High |
523+
| **PREVIEW - SQL injection: potential data exfiltration** | A suspicious SQL statement was used to query a container in this Cosmos DB account. <br><br> The injected statement might have succeeded in exfiltrating data that the threat actor isn’t authorized to access. <br><br> Due to the structure and capabilities of Cosmos DB queries, many known SQL injection attacks on Cosmos DB accounts cannot work. However, the variation used in this attack may work and threat actors can exfiltrate data. | Exfiltration | Medium |
524+
| **PREVIEW - SQL injection: fuzzing attempt** | A suspicious SQL statement was used to query a container in this Cosmos DB account. <br><br> Like other well-known SQL injection attacks, this attack won’t succeed in compromising the Cosmos DB account. <br><br> Nevertheless, it’s an indication that a threat actor is trying to attack the resources in this account, and your application may be compromised. <br><br> Some SQL injection attacks can succeed and be used to exfiltrate data. This means that if the attacker continues performing SQL injection attempts, they may be able to compromise your Cosmos DB account and exfiltrate data. <br><br> You can prevent this threat by using parameterized queries. | Pre-attack | Low |
525+
| | | | |
521526

522527

523528
## <a name="alerts-azurenetlayer"></a>Alerts for Azure network layer
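Review bot: In the new Cosmos DB table the row `**PREVIEW - Access from a Tor exit node**` carries the severity `High/Medium` while every other row in the hunk has a single value; either split it into the two conditions that produce each severity or say in the description when the alert fires as High and when as Medium. Two smaller fixes in the same rows: the title `**PREVIEW - Extraction of Cosmos DB accounts keys via a potentially malicious script**` should read `Cosmos DB account keys`, and the `Access from an unusual location` description is missing its closing period after `geographic location`. The `SQL injection: fuzzing attempt` description also contradicts itself: it first states `this attack won't succeed in compromising the Cosmos DB account` and then warns that continued attempts `may be able to compromise your Cosmos DB account and exfiltrate data`; scope the first sentence to this particular statement rather than to injection against the account in general. Finally, the removed rows named the resource in the alert title (`... to a Cosmos DB account`) while the new titles, apart from the key-extraction one, do not; since this reference page lists alerts for every resource type, either keep the resource in the title or confirm the surrounding heading makes the scope unambiguous.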
