
Commit 71170fc

Merge pull request #107458 from memildin/melvyn-asc-alerts_ref
Tweaks based on feedback
2 parents 8214c4d + 5161ea8 commit 71170fc

1 file changed

+10
-10
lines changed

articles/security-center/alerts-reference.md

Lines changed: 10 additions & 10 deletions
@@ -238,13 +238,13 @@ Below the alerts tables is a table describing the Azure Security Center kill cha
238238

239239
|Alert|Description|Intent ([Learn more](#intentions))|Severity|
240240
|----|----|:----:|--|
241-
|**PREVIEW - Container with a sensitive volume mount detected**|Kubernetes audit log analysis detected a new container with a sensitive volume mount. The volume that was detected is a hostPath type that mounts a sensitive file or folder from the node to the container. If the container gets compromised, the attacker can use this mount to gain access to the node.|PrivilegeEscalation|Medium|
242-
|**PREVIEW - Digital currency mining container detected**|Kubernetes audit log analysis detected a container that has an image associated with a digital currency mining tool.|Execution|High|
243-
|**PREVIEW - Exposed Kubernetes dashboard detected**|Kubernetes audit log analysis detected exposure of the Kubernetes Dashboard by a LoadBalancer service. Exposed dashboards allow unauthenticated access to the cluster management and pose a security threat.|Initial access|High|
244-
|**PREVIEW - New container in the kube-system namespace detected**|Kubernetes audit log analysis detected a new container in the kube-system namespace that isn't among the containers that normally run in this namespace. The kube-system namespaces shouldn't contain user resources. Attackers can use this namespace to hide malicious components.|Persistence|Low|
245-
|**PREVIEW - New high privileges role detected**|Kubernetes audit log analysis detected a new role with high privileges. A binding to a role with high privileges gives the user/group elevated privileges in the cluster. Unnecessarily providing elevated privileges might result in privilege escalation issues in the cluster.|Persistence|Low|
246-
|**PREVIEW - Privileged container detected**|Kubernetes audit log analysis detected a new privileged container. A privileged container has access to the node's resources and breaks the isolation between containers. If compromised, an attacker can use the privileged container to gain access to the node.|PrivilegeEscalation|Low|
247-
|**PREVIEW - Role binding to the cluster-admin role detected**|Kubernetes audit log analysis detected a new binding to the cluster-admin role resulting in administrator privileges. Unnecessarily providing administrator privileges might result in privilege escalation issues in the cluster.|Persistence|Low|
241+
|**Container with a sensitive volume mount detected**|Kubernetes audit log analysis detected a new container with a sensitive volume mount. The volume that was detected is a hostPath type that mounts a sensitive file or folder from the node to the container. If the container gets compromised, the attacker can use this mount to gain access to the node.|PrivilegeEscalation|Medium|
242+
|**Digital currency mining container detected**|Kubernetes audit log analysis detected a container that has an image associated with a digital currency mining tool.|Execution|High|
243+
|**Exposed Kubernetes dashboard detected**|Kubernetes audit log analysis detected exposure of the Kubernetes Dashboard by a LoadBalancer service. Exposed dashboards allow unauthenticated access to the cluster management and pose a security threat.|Initial access|High|
244+
|**New container in the kube-system namespace detected**|Kubernetes audit log analysis detected a new container in the kube-system namespace that isn't among the containers that normally run in this namespace. The kube-system namespaces shouldn't contain user resources. Attackers can use this namespace to hide malicious components.|Persistence|Low|
245+
|**New high privileges role detected**|Kubernetes audit log analysis detected a new role with high privileges. A binding to a role with high privileges gives the user/group elevated privileges in the cluster. Unnecessarily providing elevated privileges might result in privilege escalation issues in the cluster.|Persistence|Low|
246+
|**Privileged container detected**|Kubernetes audit log analysis detected a new privileged container. A privileged container has access to the node's resources and breaks the isolation between containers. If compromised, an attacker can use the privileged container to gain access to the node.|PrivilegeEscalation|Low|
247+
|**Role binding to the cluster-admin role detected**|Kubernetes audit log analysis detected a new binding to the cluster-admin role resulting in administrator privileges. Unnecessarily providing administrator privileges might result in privilege escalation issues in the cluster.|Persistence|Low|
248248
|||||
249249

250250
## <a name="alerts-containerhost"></a>Alerts for containers - host level
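Review bot: The Intent column in this table still mixes camel-case and spaced values on the rows this hunk rewrites ("PrivilegeEscalation" on rows 241 and 246 beside "Initial access" on row 243); since every row is already being touched to drop the "PREVIEW - " prefix, this is the place to normalise them to one form, for example "Privilege escalation". While editing row 244, "The kube-system namespaces shouldn't contain user resources" should read "namespace" (singular), since the sentence is about the one kube-system namespace.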
@@ -259,7 +259,7 @@ Below the alerts tables is a table describing the Azure Security Center kill cha
259259
|**SSH server is running inside a container**|Machine logs indicate that an SSH server is running inside a Docker container. While this behavior can be intentional, it frequently indicates that a container is misconfigured or breached.|Execution|Medium|
260260
|**Container with a miner image detected**|Machine logs indicate execution of a Docker container running an image associated with digital currency mining. This behavior can possibly indicate that your resources are being abused.|Execution|High|
261261
|**Suspicious request to Kubernetes API**|Machine logs indicate that a suspicious request was made to the Kubernetes API. The request was sent from a Kubernetes node, possibly from one of the containers running in the node. Although this behavior can be intentional, it might indicate that the node is running a compromised container.|Execution|Medium|
262-
|**Suspicious request to the Kubernetes Dashboard**|Machine logs indicate that a suspicious request was made to the Kubernetes Dashboard. The request was sent from a Kubernetes node, possibly from one of the containers running in the node. Although this behavior can be intentional, it might indicate that the node is running a compromised container.|Lateral movement|
262+
|**Suspicious request to the Kubernetes Dashboard**|Machine logs indicate that a suspicious request was made to the Kubernetes Dashboard. The request was sent from a Kubernetes node, possibly from one of the containers running in the node. Although this behavior can be intentional, it might indicate that the node is running a compromised container.|Lateral movement|Medium|
263263
|||||
264264

265265

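Review bot: Adding the missing Severity cell to the "Suspicious request to the Kubernetes Dashboard" row (line 262) fixes a malformed table row that previously had only four cells under a five-column header, so this is the right fix; please confirm in the PR description that "Medium" is the severity the product assigns, since the cell was empty before and nothing in the surrounding context establishes the value. Note also that this table writes the intent as "Lateral movement" while the storage table later in the same file uses "LateralMovement"; one spelling across the file would help readers scanning the Intent column.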
@@ -287,9 +287,9 @@ Below the alerts tables is a table describing the Azure Security Center kill cha
287287

288288
|Alert|Description|Intent ([Learn more](#intentions))|Severity|
289289
|----|----|:----:|--|
290+
|**Access from a Tor exit node to a storage account**|Indicates that this account has been accessed successfully from an IP address that is known as an active exit node of Tor (an anonymizing proxy). The severity of this alert considers the authentication type used (if any), and whether this is the first case of such access. Potential causes can be an attacker who has accessed your storage account by using Tor, or a legitimate user who has accessed your storage account by using Tor.|Probing / Exploitation|High|
291+
|**Access from an unusual location to a storage account**|Indicates that there was a change in the access pattern to an Azure Storage account. Someone has accessed this account from an IP address considered unfamiliar when compared with recent activity. Either an attacker has gained access to the account, or a legitimate user has connected from a new or unusual geographic location. An example of the latter is remote maintenance from a new application or developer.|Exploitation|Low|
290292
|**Anonymous access to a storage account**|Indicates that there's a change in the access pattern to a storage account. For instance, the account has been accessed anonymously (without any authentication), which is unexpected compared to the recent access pattern on this account. A potential cause is that an attacker has exploited public read access to a container that holds blob storage.|Exploitation|High|
291-
|**PREVIEW - Access from a Tor exit node to a storage account**|Indicates that this account has been accessed successfully from an IP address that is known as an active exit node of Tor (an anonymizing proxy). The severity of this alert considers the authentication type used (if any), and whether this is the first case of such access. Potential causes can be an attacker who has accessed your storage account by using Tor, or a legitimate user who has accessed your storage account by using Tor.|Probing / Exploitation|High|
292-
|**PREVIEW - Access from an unusual location to a storage account**|Indicates that there was a change in the access pattern to an Azure Storage account. Someone has accessed this account from an IP address considered unfamiliar when compared with recent activity. Either an attacker has gained access to the account, or a legitimate user has connected from a new or unusual geographic location. An example of the latter is remote maintenance from a new application or developer.|Exploitation|Low|
293293
|**PREVIEW - Potential malware uploaded to a storage account**|Indicates that a blob containing potential malware has been uploaded to a storage account. Potential causes may include an intentional malware upload by an attacker or an unintentional upload, of a potentially malicious blob, by a legitimate user.|LateralMovement|High|
294294
|**Unusual access inspection in a storage account**|Indicates that the access permissions of a storage account have been inspected in an unusual way, compared to recent activity on this account. A potential cause is that an attacker has performed reconnaissance for a future attack.|Collection|Medium|
295295
|**Unusual amount of data extracted from a storage account**|Indicates that an unusually large amount of data has been extracted compared to recent activity on this storage container. A potential cause is that an attacker has extracted a large amount of data from a container that holds blob storage.|Exfiltration|Medium|
