articles/defender-for-cloud/alerts-reference.md
2 additions & 2 deletions
Original file line number
Diff line number
Diff line change
@@ -475,8 +475,8 @@ Microsoft Defender for Containers provides security alerts on the cluster level
475
475
| **Unusual data exploration in a storage account**<br>(Storage.Blob_DataExplorationAnomaly<br>Storage.Files_DataExplorationAnomaly) | Indicates that blobs or containers in a storage account have been enumerated in an abnormal way, compared to recent activity on this account. A potential cause is that an attacker has performed reconnaissance for a future attack.<br>Applies to: Azure Blob Storage, Azure Files | Execution | High/Medium |
476
476
| **Unusual deletion in a storage account**<br>(Storage.Blob_DeletionAnomaly<br>Storage.Files_DeletionAnomaly) | Indicates that one or more unexpected delete operations has occurred in a storage account, compared to recent activity on this account. A potential cause is that an attacker has deleted data from your storage account.<br>Applies to: Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2 | Exfiltration | High/Medium |
477
477
| **Unusual unauthenticated public access to a sensitive blob container (Preview)**<br>Storage.Blob_AnonymousAccessAnomaly.Sensitive | The alert indicates that someone accessed a blob container with sensitive data in the storage account without authentication, using an external (public) IP address. This access is suspicious since the blob container is open to public access and is typically only accessed with authentication from internal networks (private IP addresses). This access could indicate that the blob container's access level is misconfigured, and a malicious actor may have exploited the public access. The security alert includes the discovered sensitive information context (scanning time, classification label, information types, and file types). Learn more on sensitive data threat detection. <br> Applies to: Azure Blob (Standard general-purpose v2, Azure Data Lake Storage Gen2 or premium block blobs) storage accounts with the new Defender for Storage plan with the data sensitivity threat detection feature enabled. | Initial Access | High |
478
-
| **Unusual amount of data extracted from a sensitive blob container (Preview)**<br>Storage.Blob_DataExfiltration.AmountOfDataAnomaly.Sensitive | The alert indicates that someone has extracted an unusually large number of blobs from a blob container with sensitive data in the storage account.<br>Applies to: Azure Blob (Standard general-purpose v2, Azure Data Lake Storage Gen2 or premium block blobs) storage accounts with the new Defender for Storage plan with the data sensitivity threat detection feature enabled. | Exfiltration | Medium |
479
-
| **Unusual number of blobs extracted from a sensitive blob container (Preview)**<br>Storage.Blob_DataExfiltration.NumberOfBlobsAnomaly.Sensitive | The alert indicates that someone has extracted an unusually large amount of data from a blob container with sensitive data in the storage account. <br>Applies to: Azure Blob (Standard general-purpose v2, Azure Data Lake Storage Gen2 or premium block blobs) storage accounts with the new Defender for Storage plan with the data sensitivity threat detection feature enabled. | Exfiltration | |
478
+
| **Unusual amount of data extracted from a sensitive blob container (Preview)**<br>Storage.Blob_DataExfiltration.AmountOfDataAnomaly.Sensitive |The alert indicates that someone has extracted an unusually large amount of data from a blob container with sensitive data in the storage account. Applies to: Azure Blob (Standard general-purpose v2, Azure Data Lake Storage Gen2 or premium block blobs) storage accounts with the new Defender for Storage plan with the data sensitivity threat detection feature enabled. | Exfiltration | Medium |
479
+
| **Unusual number of blobs extracted from a sensitive blob container (Preview)**<br>Storage.Blob_DataExfiltration.NumberOfBlobsAnomaly.Sensitive |The alert indicates that someone has extracted an unusually large number of blobs from a blob container with sensitive data in the storage account. Applies to: Azure Blob (Standard general-purpose v2, Azure Data Lake Storage Gen2 or premium block blobs) storage accounts with the new Defender for Storage plan with the data sensitivity threat detection feature enabled. | Exfiltration | |
480
480
| **Access from a known suspicious application to a sensitive blob container (Preview)**<br>Storage.Blob_SuspiciousApp.Sensitive | The alert indicates that someone with a known suspicious application accessed a blob container with sensitive data in the storage account and performed authenticated operations. <br>The access may indicate that a threat actor obtained credentials to access the storage account by using a known suspicious application. However, the access could also indicate a penetration test carried out in the organization. <br>Applies to: Azure Blob (Standard general-purpose v2, Azure Data Lake Storage Gen2 or premium block blobs) storage accounts with the new Defender for Storage plan with the data sensitivity threat detection feature enabled. | Initial Access | High |
481
481
| **Access from a known suspicious IP address to a sensitive blob container (Preview)**<br>Storage.Blob_SuspiciousIp.Sensitive | The alert indicates that someone accessed a blob container with sensitive data in the storage account from a known suspicious IP address associated with threat intel by Microsoft Threat Intelligence. Since the access was authenticated, it's possible that the credentials allowing access to this storage account were compromised. <br>Learn more about [Microsoft's threat intelligence capabilities](https://go.microsoft.com/fwlink/?linkid=2128684). <br>Applies to: Azure Blob (Standard general-purpose v2, Azure Data Lake Storage Gen2 or premium block blobs) storage accounts with the new Defender for Storage plan with the data sensitivity threat detection feature enabled. | Pre-Attack | High |
482
482
| **Access from a Tor exit node to a sensitive blob container (Preview)**<br>Storage.Blob_TorAnomaly.Sensitive | The alert indicates that someone with an IP address known to be a Tor exit node accessed a blob container with sensitive data in the storage account with authenticated access. Authenticated access from a Tor exit node strongly indicates that the actor is attempting to remain anonymous for possible malicious intent. Since the access was authenticated, it's possible that the credentials allowing access to this storage account were compromised. <br>Applies to: Azure Blob (Standard general-purpose v2, Azure Data Lake Storage Gen2 or premium block blobs) storage accounts with the new Defender for Storage plan with the data sensitivity threat detection feature enabled. | Pre-Attack | High |
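Review bot: Both added rows (`Storage.Blob_DataExfiltration.AmountOfDataAnomaly.Sensitive` and `Storage.Blob_DataExfiltration.NumberOfBlobsAnomaly.Sensitive`) drop the `<br>` before "Applies to:" that the removed rows and every neighbouring row in this hunk carry, so the scope text will run straight on from the description; restore `<br>Applies to:` and put the space back after the cell's opening `|` to match the rest of the table. Separately, the severity cell of the NumberOfBlobsAnomaly.Sensitive row is still empty (`| Exfiltration | |`) while its sibling row says Medium; if the alert has a defined severity, fill it in while this line is being touched.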