Merge pull request #269065 from ElazarK/wi229444-old-container-alerts

prmerger-automator[bot] · web-flow · commit 7a69c08ec573 · 2024-03-17T09:02:08.000Z
removed containers alerts
diff --git a/articles/defender-for-cloud/alerts-reference.md b/articles/defender-for-cloud/alerts-reference.md
@@ -2,7 +2,7 @@
 title: Reference table for all security alerts
 description: This article lists the security alerts visible in Microsoft Defender for Cloud.
 ms.topic: reference
-ms.date: 05/31/2023
+ms.date: 03/17/2024
 ai-usage: ai-assisted
 ---
 
@@ -2370,16 +2370,6 @@ Microsoft Defender for Containers provides security alerts on the cluster level
 
 **Severity**: Low
 
-### **Manipulation of host firewall detected**
-
-(K8S.NODE_FirewallDisabled) <sup>[1](#footnote1)</sup>
-
-**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected a possible manipulation of the on-host firewall. Attackers will often disable this to exfiltrate data.
-
-**[MITRE tactics](#mitre-attck-tactics)**: DefenseEvasion, Exfiltration
-
-**Severity**: Medium
-
 ### **Microsoft Defender for Cloud test alert (not a threat).**
 
 (K8S.NODE_EICAR) <sup>[1](#footnote1)</sup>
@@ -2610,26 +2600,6 @@ Microsoft Defender for Containers provides security alerts on the cluster level
 
 **Severity**: Informational
 
-### **Suspicious use of DNS over HTTPS**
-
-(K8S.NODE_SuspiciousDNSOverHttps) <sup>[1](#footnote1)</sup>
-
-**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected the use of a DNS call over HTTPS in an uncommon fashion. This technique is used by attackers to hide calls out to suspect or malicious sites.
-
-**[MITRE tactics](#mitre-attck-tactics)**: DefenseEvasion, Exfiltration
-
-**Severity**: Medium
-
-### **A possible connection to malicious location has been detected.**
-
-(K8S.NODE_ThreatIntelCommandLineSuspectDomain) <sup>[1](#footnote1)</sup>
-
-**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected a connection to a location that has been reported to be malicious or unusual. This is an indicator that a compromise might have occurred.
-
-**[MITRE tactics](#mitre-attck-tactics)**: InitialAccess
-
-**Severity**: Medium
-
 ### **Possible malicious web shell detected.**
 
 (K8S.NODE_Webshell) <sup>[1](#footnote1)</sup>
@@ -2660,16 +2630,6 @@ Microsoft Defender for Containers provides security alerts on the cluster level
 
 **Severity**: Medium
 
-### **Digital currency mining activity**
-
-(K8S.NODE_CurrencyMining) <sup>[1](#footnote1)</sup>
-
-**Description**: Analysis of DNS transactions detected digital currency mining activity. Such activity, while possibly legitimate user behavior, is frequently performed by attackers following compromise of resources. Typical related attacker activity is likely to include the download and execution of common mining tools.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Exfiltration
-
-**Severity**: Low
-
 ### **Access to kubelet kubeconfig file detected**
 
 (K8S.NODE_KubeConfigAccess) <sup>[1](#footnote1)</sup>
@@ -4406,11 +4366,51 @@ Applies to: Azure Blob (Standard general-purpose v2, Azure Data Lake Storage Gen
 
 **Severity**: Medium
 
-## Deprecated Defender for Servers alerts
+## Deprecated Defender for Containers alerts
 
-The following lists include the Defender for Servers security alerts [which were deprecated in April 2023 due to an improvement process](release-notes-archive.md#deprecation-and-improvement-of-selected-alerts-for-windows-and-linux-servers).
+The following lists include the Defender for Containers security alerts which were deprecated.
+
+### **Manipulation of host firewall detected**
+
+(K8S.NODE_FirewallDisabled)
+
+**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected a possible manipulation of the on-host firewall. Attackers will often disable this to exfiltrate data.
+
+**[MITRE tactics](#mitre-attck-tactics)**: DefenseEvasion, Exfiltration
+
+**Severity**: Medium
+
+### **Suspicious use of DNS over HTTPS**
+
+(K8S.NODE_SuspiciousDNSOverHttps)
+
+**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected the use of a DNS call over HTTPS in an uncommon fashion. This technique is used by attackers to hide calls out to suspect or malicious sites.
+
+**[MITRE tactics](#mitre-attck-tactics)**: DefenseEvasion, Exfiltration
+
+**Severity**: Medium
+
+### **A possible connection to malicious location has been detected.**
+
+(K8S.NODE_ThreatIntelCommandLineSuspectDomain)
+
+**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected a connection to a location that has been reported to be malicious or unusual. This is an indicator that a compromise might have occurred.
+
+**[MITRE tactics](#mitre-attck-tactics)**: InitialAccess
+
+**Severity**: Medium
+
+### **Digital currency mining activity**
+
+(K8S.NODE_CurrencyMining)
+
+**Description**: Analysis of DNS transactions detected digital currency mining activity. Such activity, while possibly legitimate user behavior, is frequently performed by attackers following compromise of resources. Typical related attacker activity is likely to include the download and execution of common mining tools.
+
+**[MITRE tactics](#mitre-attck-tactics)**: Exfiltration
+
+**Severity**: Low
 
-### Deprecated Linux alerts
+## Deprecated Defender for Servers Linux alerts
 
 ### VM_AbnormalDaemonTermination
 
@@ -4796,7 +4796,7 @@ The following lists include the Defender for Servers security alerts [which were
 
 **Severity**: Medium
 
-### Deprecated Windows alerts
+## Deprecated Defender for Servers Windows alerts
 
 ### SCUBA_MULTIPLEACCOUNTCREATE
 
diff --git a/articles/defender-for-cloud/release-notes-archive.md b/articles/defender-for-cloud/release-notes-archive.md
@@ -515,7 +515,7 @@ All Defender for Servers customers, have full access to the Defender for Endpoin
 
 You can learn more about [Microsoft Defender for Endpoint onboarding options](enable-defender-for-endpoint.md#enable-the-microsoft-defender-for-endpoint-integration).
 
-You can also view the [full list of alerts](alerts-reference.md#deprecated-defender-for-servers-alerts) that are set to be deprecated.
+You can also view the [full list of alerts](alerts-reference.md) that are set to be deprecated.
 
 Read the [Microsoft Defender for Cloud blog](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/defender-for-servers-security-alerts-improvements/ba-p/3714175).
 
