articles/defender-for-cloud/incidents-reference.md
2 additions & 6 deletions
@@ -1,8 +1,8 @@
1
1
---
2
2
title: Reference table for all incidents
3
-
description: This article lists the incidents visible in Microsoft Defender for Cloud
3
+
description: This article lists the incidents visible in Microsoft Defender for Cloud and provides information on managing security incidents.
4
4
ms.topic: reference
5
-
ms.date: 10/15/2023
5
+
ms.date: 06/26/2024
6
6
---
7
7
8
8
# Incidents - a reference guide
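Review bot: the new front-matter `description` claims the article "provides information on managing security incidents", but the only management content visible in this file is the pointer in the following hunk's context, `Learn how to [manage security incidents](incidents.md#managing-security-incident`, which sends the reader to incidents.md. Suggest wording it as "and links to guidance on managing security incidents" so the metadata matches what this page actually contains.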
@@ -27,9 +27,6 @@ Learn how to [manage security incidents](incidents.md#managing-security-incident
27
27
28
28
| Alert | Description | Severity |
29
29
|--|--|--|
30
-
|**Security incident detected suspicious virtual machines activity**| This incident indicates suspicious activity on your virtual machines. Multiple alerts from different Defender for Cloud plans have been triggered revealing a similar pattern on your virtual machines. This might indicate a threat actor has gained unauthorized access to your environment and is attempting to compromise it. | Medium/High |
31
-
|**Security incident detected suspicious source IP activity**| This incident indicates that suspicious activity has been detected on the same source IP. Multiple alerts from different Defender for Cloud plans have been triggered on the same IP address, which increases the fidelity of malicious activity in your environment. Suspicious activity on the same IP address might indicate that an attacker has gained unauthorized access to your environment and is attempting to compromise it. | Medium/High |
32
-
|**Security incident detected on multiple resources**| This incident indicates that suspicious activity had been detected on your cloud resources. Multiple alerts from different Defender for Cloud plan have been triggered, revealing similar attack methods were performed on your cloud resources. This might indicate a threat actor has gained unauthorized access to your environment and is attempting to compromise it. | Medium/High |
33
30
|**Security incident detected suspicious user activity (Preview)**| This incident indicates suspicious user operations in your environment. Multiple alerts from different Defender for Cloud plans have been triggered by this user, which increases the fidelity of malicious activity in your environment. While this activity may be legitimate, a threat actor might utilize such operations to compromise resources in your environment. This might indicate that the account is compromised and is being used with malicious intent. | High |
34
31
|**Security incident detected suspicious service principal activity (Preview)**| This incident indicates suspicious service principal operations in your environment. Multiple alerts from different Defender for Cloud plans have been triggered by this service principal, which increases the fidelity of malicious activity in your environment. While this activity may be legitimate, a threat actor might utilize such operations to compromise resources in your environment. This might indicate that the service principal is compromised and is being used with malicious intent. | High |
35
32
| **Security incident detected suspicious crypto mining activity (Preview)** | Scenario 1: This incident indicates that suspicious crypto mining activity has been detected following suspicious user or service principal activity. Multiple alerts from different Defender for Cloud plans have been triggered on the same resource, which increases the fidelity of malicious activity in your environment. Suspicious account activity might indicate a threat actor gained unauthorized access to your environment, and the succeeding crypto mining activity may suggest that they successfully compromised your resource and are using it for mining cryptocurrencies, which can lead to increased costs for your organization. <br><br> Scenario 2: This incident indicates that suspicious crypto mining activity has been detected following a brute force attack on the same virtual machine resource. Multiple alerts from different Defender for Cloud plans have been triggered on the same resource, which increases the fidelity of malicious activity in your environment. The brute force attack on the virtual machine might indicate that a threat actor is attempting to gain unauthorized access to your environment, and the succeeding crypto mining activity may suggest they successfully compromised your resource and using it for mining cryptocurrencies, which can lead to increased costs for your organization. | High |
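Review bot: the three rows deleted here (`suspicious virtual machines activity`, `suspicious source IP activity`, `on multiple resources`) vanish from the reference table without any trace, so an analyst who opens one of these incidents from retained alert history will no longer find its description or severity on this page. Suggest keeping a short deprecated-incidents note under the table, or at least one sentence with the deprecation date that links to the release-notes entry, rather than a silent deletion.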
@@ -47,7 +44,6 @@ Learn how to [manage security incidents](incidents.md#managing-security-incident
47
44
|**Security incident detected suspicious DNS activity (Preview)**| Scenario 1: This incident indicates that suspicious DNS activity has been detected. Multiple alerts from different Defender for Cloud plans have been triggered on the same resource, which increases the fidelity of malicious activity in your environment. Suspicious DNS activity might indicate that a threat actor gained unauthorized access to your environment and is attempting to compromise it. <br><br> Scenario 2: This incident indicates that suspicious DNS activity has been detected. Multiple alerts from different Defender for Cloud plans have been triggered from the same IP address, which increases the fidelity of malicious activity in your environment. Suspicious DNS activity might indicate that a threat actor gained unauthorized access to your environment and is attempting to compromise it. | Medium |
48
45
|**Security incident detected suspicious SQL activity (Preview)**| Scenario 1: This incident indicates that suspicious SQL activity has been detected. Multiple alerts from different Defender for Cloud plans have been triggered from the same IP address, which increases the fidelity of malicious activity in your environment. Suspicious SQL activity might indicate that a threat actor is targeting your SQL server and is attempting to compromise it. <br><br> Scenario 2: This incident indicates that suspicious SQL activity has been detected. Multiple alerts from different Defender for Cloud plans have been triggered on the same resource, which increases the fidelity of malicious activity in your environment. Suspicious SQL activity might indicate that a threat actor is targeting your SQL server and is attempting to compromise it. |High|
49
46
|**Security incident detected suspicious app service activity (Preview)**| Scenario 1: This incident indicates that suspicious activity has been detected in your app service environment. Multiple alerts from different Defender for Cloud plans have been triggered on the same resource, which increases the fidelity of malicious activity in your environment. Suspicious app service activity might indicate that a threat actor is targeting your application and may be attempting to compromise it. <br><br> Scenario 2: This incident indicates that suspicious activity has been detected in your app service environment. Multiple alerts from different Defender for Cloud plans have been triggered from the same IP address, which increases the fidelity of malicious activity in your environment. Suspicious app service activity might indicate that a threat actor is targeting your application and may be attempting to compromise it. | High |
50
-
|**Security incident detected compromised machine**| This incident indicates suspicious activity on one or more of your virtual machines. Multiple alerts from different Defender for Cloud plans have been triggered in chronological order on the same resource, following the MITRE ATT&CK framework. This might indicate a threat actor has gained unauthorized access to your environment and successfully compromised this machine.| Medium/High |
51
47
|**Security incident detected compromised machine with botnet communication**| This incident indicates suspicious botnet activity on your virtual machine. Multiple alerts from different Defender for Cloud plans have been triggered in chronological order on the same resource, following the MITRE ATT&CK framework. This might indicate a threat actor has gained unauthorized access to your environment and is attempting to compromise it. | Medium/High |
52
48
|**Security incident detected compromised machines with botnet communication**| This incident indicates suspicious botnet activity on your virtual machines. Multiple alerts from different Defender for Cloud plans have been triggered in chronological order on the same resource, following the MITRE ATT&CK framework. This might indicate a threat actor has gained unauthorized access to your environment and is attempting to compromise it. | Medium/High |
53
49
|**Security incident detected compromised machine with malicious outgoing activity**| This incident indicates suspicious outgoing activity on your virtual machine. Multiple alerts from different Defender for Cloud plans have been triggered in chronological order on the same resource, following the MITRE ATT&CK framework. This might indicate a threat actor has gained unauthorized access to your environment and is attempting to compromise it. | Medium/High |
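Review bot: removing only the generic `Security incident detected compromised machine` row while keeping the three `compromised machine with ...` variants, whose descriptions use the identical wording about alerts "triggered in chronological order on the same resource, following the MITRE ATT&CK framework", leaves readers unsure whether those variants are also being retired. A one-line note stating that the botnet-communication and malicious-outgoing-activity incidents remain active would remove the ambiguity. The hunk counts (`-47,7 +44,6`) are consistent with the single deleted line.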
articles/defender-for-cloud/release-notes.md
16 additions & 0 deletions
@@ -24,9 +24,25 @@ If you're looking for items older than six months, you can find them in the [Arc
24
24
25
25
|Date | Update |
26
26
|--|--|
27
+
| June 27 |[Four security incidents have been deprecated](#four-security-incidents-have-been-deprecated)|
27
28
| June 24 |[Change in pricing for Defender for Containers in multicloud](#change-in-pricing-for-defender-for-containers-in-multicloud)|
28
29
| June 10 |[Copilot for Security in Defender for Cloud (Preview)](#copilot-for-security-in-defender-for-cloud-preview)|
29
30
31
+
### Four security incidents have been deprecated
32
+
33
+
June 27, 2024
34
+
35
+
The following security incidents are deprecated from the Defender for Cloud portal:
36
+
37
+
| Alert | Description | Severity |
38
+
|--|--|--|
39
+
|**Security incident detected suspicious source IP activity**| This incident indicates that suspicious activity has been detected on the same source IP. Multiple alerts from different Defender for Cloud plans have been triggered on the same IP address, which increases the fidelity of malicious activity in your environment. Suspicious activity on the same IP address might indicate that an attacker has gained unauthorized access to your environment and is attempting to compromise it. | Medium/High |
40
+
|**Security incident detected on multiple resources**| This incident indicates that suspicious activity had been detected on your cloud resources. Multiple alerts from different Defender for Cloud plan have been triggered, revealing similar attack methods were performed on your cloud resources. This might indicate a threat actor has gained unauthorized access to your environment and is attempting to compromise it. | Medium/High |
41
+
|**Security incident detected compromised machine**| This incident indicates suspicious activity on one or more of your virtual machines. Multiple alerts from different Defender for Cloud plans have been triggered in chronological order on the same resource, following the MITRE ATT&CK framework. This might indicate a threat actor has gained unauthorized access to your environment and successfully compromised this machine.| Medium/High |
42
+
|**Security incident detected suspicious virtual machines activity**| This incident indicates suspicious activity on your virtual machines. Multiple alerts from different Defender for Cloud plans have been triggered revealing a similar pattern on your virtual machines. This might indicate a threat actor has gained unauthorized access to your environment and is attempting to compromise it. | Medium/High |
43
+
44
+
The security value of these incidents are now available through the Microsoft Defender XDR portal. Learn more about [alerts and incidents in Defender XDR](concept-integration-365.md).
45
+
30
46
### Change in pricing for Defender for Containers in multicloud
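Review bot: the date stamped on the new section, `June 27, 2024`, does not match the `ms.date: 06/26/2024` set on incidents-reference.md in the same commit; pick one so the reference page and the release note agree. The four table rows are copied verbatim from the reference table and carry its typos with them: `from different Defender for Cloud plan have been triggered` should read `plans`, and `suspicious activity had been detected` should be `has been detected`. The closing sentence `The security value of these incidents are now available` needs `is now available` (the subject is the singular `value`). The header `| Alert | Description | Severity |` also labels incidents as alerts; `Incident` would be the accurate column name in a section about deprecated incidents.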