You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/defender-for-cloud/incidents-reference.md
+2-5Lines changed: 2 additions & 5 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,8 +1,8 @@
1
1
---
2
2
title: Reference table for all incidents
3
-
description: This article lists the incidents visible in Microsoft Defender for Cloud
3
+
description: This article lists the incidents visible in Microsoft Defender for Cloud and provides information on managing security incidents.
4
4
ms.topic: reference
5
-
ms.date: 10/15/2023
5
+
ms.date: 06/26/2024
6
6
---
7
7
8
8
# Incidents - a reference guide
@@ -27,9 +27,6 @@ Learn how to [manage security incidents](incidents.md#managing-security-incident
27
27
28
28
| Alert | Description | Severity |
29
29
|--|--|--|
30
-
|**Security incident detected suspicious virtual machines activity**| This incident indicates suspicious activity on your virtual machines. Multiple alerts from different Defender for Cloud plans have been triggered revealing a similar pattern on your virtual machines. This might indicate a threat actor has gained unauthorized access to your environment and is attempting to compromise it. | Medium/High |
31
-
|**Security incident detected suspicious source IP activity**| This incident indicates that suspicious activity has been detected on the same source IP. Multiple alerts from different Defender for Cloud plans have been triggered on the same IP address, which increases the fidelity of malicious activity in your environment. Suspicious activity on the same IP address might indicate that an attacker has gained unauthorized access to your environment and is attempting to compromise it. | Medium/High |
32
-
|**Security incident detected on multiple resources**| This incident indicates that suspicious activity had been detected on your cloud resources. Multiple alerts from different Defender for Cloud plan have been triggered, revealing similar attack methods were performed on your cloud resources. This might indicate a threat actor has gained unauthorized access to your environment and is attempting to compromise it. | Medium/High |
33
30
|**Security incident detected suspicious user activity (Preview)**| This incident indicates suspicious user operations in your environment. Multiple alerts from different Defender for Cloud plans have been triggered by this user, which increases the fidelity of malicious activity in your environment. While this activity may be legitimate, a threat actor might utilize such operations to compromise resources in your environment. This might indicate that the account is compromised and is being used with malicious intent. | High |
34
31
|**Security incident detected suspicious service principal activity (Preview)**| This incident indicates suspicious service principal operations in your environment. Multiple alerts from different Defender for Cloud plans have been triggered by this service principal, which increases the fidelity of malicious activity in your environment. While this activity may be legitimate, a threat actor might utilize such operations to compromise resources in your environment. This might indicate that the service principal is compromised and is being used with malicious intent. | High |
35
32
| **Security incident detected suspicious crypto mining activity (Preview)** | Scenario 1: This incident indicates that suspicious crypto mining activity has been detected following suspicious user or service principal activity. Multiple alerts from different Defender for Cloud plans have been triggered on the same resource, which increases the fidelity of malicious activity in your environment. Suspicious account activity might indicate a threat actor gained unauthorized access to your environment, and the succeeding crypto mining activity may suggest that they successfully compromised your resource and are using it for mining cryptocurrencies, which can lead to increased costs for your organization. <br><br> Scenario 2: This incident indicates that suspicious crypto mining activity has been detected following a brute force attack on the same virtual machine resource. Multiple alerts from different Defender for Cloud plans have been triggered on the same resource, which increases the fidelity of malicious activity in your environment. The brute force attack on the virtual machine might indicate that a threat actor is attempting to gain unauthorized access to your environment, and the succeeding crypto mining activity may suggest they successfully compromised your resource and using it for mining cryptocurrencies, which can lead to increased costs for your organization. | High |
Copy file name to clipboardExpand all lines: articles/defender-for-cloud/release-notes.md
+16Lines changed: 16 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -24,9 +24,25 @@ If you're looking for items older than six months, you can find them in the [Arc
24
24
25
25
|Date | Update |
26
26
|--|--|
27
+
| June 27 |[Four security incidents have been deprecated](#four-security-incidents-have-been-deprecated)|
27
28
| June 24 |[Change in pricing for Defender for Containers in multicloud](#change-in-pricing-for-defender-for-containers-in-multicloud)|
28
29
| June 10 |[Copilot for Security in Defender for Cloud (Preview)](#copilot-for-security-in-defender-for-cloud-preview)|
29
30
31
+
### Four security incidents have been deprecated
32
+
33
+
June 27, 2024
34
+
35
+
The following security incidents are deprecated from the Defender for Cloud portal:
36
+
37
+
| Alert | Description | Severity |
38
+
|--|--|--|
39
+
|**Security incident detected suspicious source IP activity**| This incident indicates that suspicious activity has been detected on the same source IP. Multiple alerts from different Defender for Cloud plans have been triggered on the same IP address, which increases the fidelity of malicious activity in your environment. Suspicious activity on the same IP address might indicate that an attacker has gained unauthorized access to your environment and is attempting to compromise it. | Medium/High |
40
+
|**Security incident detected on multiple resources**| This incident indicates that suspicious activity had been detected on your cloud resources. Multiple alerts from different Defender for Cloud plan have been triggered, revealing similar attack methods were performed on your cloud resources. This might indicate a threat actor has gained unauthorized access to your environment and is attempting to compromise it. | Medium/High |
41
+
| Security incident detected | - | - |
42
+
|**Security incident detected suspicious virtual machines activity**| This incident indicates suspicious activity on your virtual machines. Multiple alerts from different Defender for Cloud plans have been triggered revealing a similar pattern on your virtual machines. This might indicate a threat actor has gained unauthorized access to your environment and is attempting to compromise it. | Medium/High |
43
+
44
+
The security value of these incidents are now available through the Microsoft Defender XDR portal. Learn more about [alerts and incidents in Defender XDR](concept-integration-365.md).
45
+
30
46
### Change in pricing for Defender for Containers in multicloud
Copy file name to clipboardExpand all lines: articles/defender-for-cloud/upcoming-changes.md
-16Lines changed: 0 additions & 16 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -25,7 +25,6 @@ If you're looking for the latest release notes, you can find them in the [What's
25
25
26
26
| Planned change | Announcement date | Estimated date for change |
27
27
|--|--|--|
28
-
|[Deprecating four security incidents](#deprecating-four-security-incidents)| June 26, 2024 | July 2024 |
29
28
|[General Availability of Checkov IaC Scanning in Defender for Cloud](#general-availability-of-checkov-iac-scanning-in-defender-for-cloud)| June 24, 2024 | July 2024 |
30
29
|[Reminder of the deprecation scope of adaptive recommendations as of MMA deprecation](#reminder-of-the-deprecation-scope-of-adaptive-recommendations-as-of-mma-deprecation)| June 20, 2024 | August 2024 |
31
30
|[SQL vulnerability assessment automatic enablement using express configuration on unconfigured servers](#sql-vulnerability-assessment-automatic-enablement-using-express-configuration-on-unconfigured-servers)| June 10, 2024 | July 10, 2024 |
@@ -50,21 +49,6 @@ If you're looking for the latest release notes, you can find them in the [What's
50
49
|[Deprecating two security incidents](#deprecating-two-security-incidents)|| November 2023 |
51
50
|[Defender for Cloud plan and strategy for the Log Analytics agent deprecation](#defender-for-cloud-plan-and-strategy-for-the-log-analytics-agent-deprecation)|| August 2024 |
52
51
53
-
## Deprecating four security incidents
54
-
55
-
**Announcement date: June 26, 2024**
56
-
57
-
**Estimated date for change: July 2024**
58
-
59
-
The following security incidents are set to be deprecated in the Defender for Cloud portal:
60
-
61
-
- Security incident detected suspicious source IP activity
62
-
- Security incident detected on multiple resources
The security value of the incidents will be available through the Microsoft Defender XDR portal. Learn more about [alerts and incidents in Defender XDR](concept-integration-365.md).
67
-
68
52
## General Availability of Checkov IaC Scanning in Defender for Cloud
0 commit comments