File changed: articles/security-center/alerts-reference.md (6 additions & 6 deletions)
@@ -31,7 +31,7 @@ Below the alerts table is a table describing the Azure Security Center kill chai
31
31
|----|----|:----:|
32
32
||<aname="alerts-crashdump"></a><h3>Crash dump analysis (Windows)</h3> [Further details and notes](security-center-alerts-iaas.md#windows-)||
33
33
|**Code injection discovered**|Code injection is the insertion of executable modules into running processes or threads. This technique is used by malware to access data, while successfully hiding itself to prevent being found and removed.<br>This alert indicates that an injected module is present in the crash dump. To differentiate between malicious and non-malicious injected modules, Security Center checks whether the injected module conforms to a profile of suspicious behavior.|-|
34
-
|**Suspicious code segment discovered**|Indicates that a code segment has been allocated by using non-standard methods, such as reflective injection and process hollowing. The alert provides additional characteristics of the code segment that have been processed to provide context for the capabilities and behaviors of the reported code segment.|-|
34
+
|**Suspicious code segment detected**|Indicates that a code segment has been allocated by using non-standard methods, such as reflective injection and process hollowing. The alert provides additional characteristics of the code segment that have been processed to provide context for the capabilities and behaviors of the reported code segment.|-|
35
35
|**Shellcode discovered**|Shellcode is the payload that is run after malware exploits a software vulnerability.<br>This alert indicates that crash dump analysis has detected executable code that exhibits behavior commonly performed by malicious payloads. Although non-malicious software can also perform this behavior, it isn't typical of normal software development practices.|-|
36
36
||<aname="alerts-filelessattackdetect"></a><h3>Fileless attack detection (Windows)</h3> [Further details and notes](security-center-alerts-iaas.md#windows-)||
37
37
|**Fileless attack technique detected**|The memory of the process specified contains a fileless attack toolkit: Meterpreter. Fileless attack toolkits typically don't have a presence on the file system, making detection by traditional antivirus software difficult.|DefenseEvasion / Execution|
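Review bot: The rename on the changed row ("Suspicious code segment discovered" to "Suspicious code segment detected") leaves the two neighbouring rows in the same Crash dump analysis block, "Code injection discovered" and "Shellcode discovered", still using "discovered", so the section now mixes both verbs. Since this table is the reference readers match against the alert title they see in the portal, please confirm the new wording is the exact product display name and, if the other two alerts were renamed as well, update them in the same change rather than leaving the block half-migrated.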
@@ -108,14 +108,14 @@ Below the alerts table is a table describing the Azure Security Center kill chai
108
108
|**Suspicious incoming RDP network activity**|Sampled network traffic analysis detected anomalous incoming RDP communication to a resource in your deployment. A relatively high number of incoming connections to your resource is considered abnormal for this environment. This activity might indicate an attempt to brute force attack your SSH interface.|-|
109
109
|**Network communication with a malicious address has been detected**|Sampled network traffic analysis detected communication originating from a resource in your deployment with a possible command and control (C&C) server. This type of activity could possibly cause your IP to be flagged as malicious by external entities.|-|
110
110
||<aname="alerts-azureresourceman"></a><h3>Azure Resource Manager (Preview)</h3> [Further details and notes](security-center-alerts-service-layer.md#azure-management-layer-azure-resource-manager-preview)||
111
-
|**PREVIEW - MicroBurst toolkit run**|A known cloud-environment reconnaissance toolkit run has been detected in your environment. The tool [MicroBurst](https://github.com/NetSPI/MicroBurst) can be used by an attacker (or penetration tester) to map your subscriptions' resources, identify insecure configurations, and leak confidential information.|-|
112
-
|**PREVIEW - Azurite toolkit run**|A known cloud-environment reconnaissance toolkit run has been detected in your environment. The tool [Azurite](https://github.com/mwrlabs/Azurite) can be used by an attacker (or penetration tester) to map your subscriptions' resources and identify insecure configurations.|-|
113
-
|**Suspicious management session using an inactive account**|Subscription activity logs analysis has detected suspicious behavior. A principal not in use for a long period of time is now performing actions that can secure persistence for an attacker.|Persistence|
114
-
|**Suspicious management session using PowerShell**|Subscription activity logs analysis has detected suspicious behavior. A principal that doesn’t regularly use PowerShell to manage the subscription environment is now using PowerShell, and performing actions that can secure persistence for an attacker.|Persistence|
111
+
|**PREVIEW - MicroBurst toolkit function run detected**|A known cloud-environment reconnaissance toolkit run has been detected in your environment. The tool [MicroBurst](https://github.com/NetSPI/MicroBurst) can be used by an attacker (or penetration tester) to map your subscriptions' resources, identify insecure configurations, and leak confidential information.|-|
112
+
|**PREVIEW - Azurite toolkit run detected**|A known cloud-environment reconnaissance toolkit run has been detected in your environment. The tool [Azurite](https://github.com/mwrlabs/Azurite) can be used by an attacker (or penetration tester) to map your subscriptions' resources and identify insecure configurations.|-|
113
+
|**PREVIEW - Suspicious management session using an inactive account detected**|Subscription activity logs analysis has detected suspicious behavior. A principal not in use for a long period of time is now performing actions that can secure persistence for an attacker.|Persistence|
114
+
|**PREVIEW - Suspicious management session using PowerShell detected**|Subscription activity logs analysis has detected suspicious behavior. A principal that doesn’t regularly use PowerShell to manage the subscription environment is now using PowerShell, and performing actions that can secure persistence for an attacker.|Persistence|
115
115
|**Use of advanced Azure persistence techniques**|Subscription activity logs analysis has detected suspicious behavior. Customized roles have been given legitimized identity entities. This can lead the attacker to gain persistency in an Azure customer environment.|-|
116
116
|**Activity from infrequent country**|Activity from a location that wasn't recently or ever visited by any user in the organization has occurred.<br>This detection considers past activity locations to determine new and infrequent locations. The anomaly detection engine stores information about previous locations used by users in the organization.|-|
117
117
|**Activity from anonymous IP addresses**|Users activity from an IP address that has been identified as an anonymous proxy IP address has been detected.<br>These proxies are used by people who want to hide their device’s IP address, and can be used for malicious intent. This detection uses a machine learning algorithm that reduces false positives, such as mis-tagged IP addresses that are widely used by users in the organization.|-|
118
-
|**Impossible travel detected**|Two user activities (in a single or multiple sessions) have occurred, originating from geographically distant locations. This occurs within a time period shorter than the time it would have taken the user to travel from the first location to the second. This indicates that a different user is using the same credentials.<br>This detection uses a machine learning algorithm that ignores obvious false positives contributing to the impossible travel conditions, such as VPNs and locations regularly used by other users in the organization. The detection has an initial learning period of seven days, during which it learns a new user’s activity pattern. |-|
118
+
|**Impossible travel activity**|Two user activities (in a single or multiple sessions) have occurred, originating from geographically distant locations. This occurs within a time period shorter than the time it would have taken the user to travel from the first location to the second. This indicates that a different user is using the same credentials.<br>This detection uses a machine learning algorithm that ignores obvious false positives contributing to the impossible travel conditions, such as VPNs and locations regularly used by other users in the organization. The detection has an initial learning period of seven days, during which it learns a new user’s activity pattern. |-|
119
119
||<aname="alerts-azurekv"></a><h3>Azure Key Vault (Preview)</h3> [Further details and notes](security-center-alerts-service-layer.md#azure-keyvault)||
120
120
|**Access from a TOR exit node to a Key Vault**|The Key Vault has been accessed by someone using the TOR IP anonymization system to hide their location. Malicious actors often try to hide their location when attempting to gain unauthorized access to internet-connected resources.|-|
121
121
|**Suspicious policy change and secret query in a Key Vault**|A Key Vault policy change has been made and then operations to list and/or get secrets occurred. In addition, this operation pattern isn't normally performed by the user on this vault. This is highly indicative that the Key Vault is compromised and the secrets within have been stolen by a malicious actor.|-|
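Review bot: The four Azure Resource Manager rows gain a "PREVIEW - " prefix and a " detected" suffix, but the naming is not applied consistently within the hunk: "Use of advanced Azure persistence techniques" in the same Preview section keeps neither, the MicroBurst row becomes "toolkit function run detected" while the Azurite row becomes "toolkit run detected", and the "Impossible travel" row moves in the opposite direction, from "Impossible travel detected" to "Impossible travel activity". Please verify each new title against the actual alert display name and bring the untouched rows in line, otherwise readers searching the table for the title shown in their alert will miss the row. Drive-by on an unchanged context line: the "Suspicious incoming RDP network activity" description ends with "brute force attack your SSH interface", which should read "RDP interface".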