Merge pull request #101059 from memildin/melvyn-asc-alerts_ref

PRMerger14 · web-flow · commit a88585250492 · 2020-01-13T23:34:49.000-08:00
Added an alert to the list of Storage alerts
diff --git a/articles/security-center/alerts-reference.md b/articles/security-center/alerts-reference.md
@@ -93,6 +93,7 @@ Below the alerts table is a table describing the Azure Security Center kill chai
 |**Unusual amount of data extracted from a storage account**|Indicates that an unusually large amount of data has been extracted compared to recent activity on this storage container. A potential cause is that an attacker has extracted a large amount of data from a container that holds blob storage.|Exfiltration|
 |**Unusual deletion in a storage account**|Indicates that one or more unexpected delete operations has occurred in a storage account, compared to recent activity on this account. A potential cause is that an attacker has deleted data from your storage account.|Exfiltration|
 |**Unusual upload of .cspkg to a storage account**|Indicates that an Azure Cloud Services package (.cspkg file) has been uploaded to a storage account in an unusual way, compared to recent activity on this account. A potential cause is that an attacker has been preparing to deploy malicious code from your storage account to an Azure cloud service.|LateralMovement / Execution|
+|**Unusual upload of .exe to a storage account**|Indicates that an .exe file has been uploaded to a storage account in an unusual way, compared to recent activity on this account. A potential cause is that an attacker has uploaded a malicious executable file to your storage account, or that a legitimate user has uploaded an executable file.|LateralMovement / Execution|
 |**Unusual change of access permissions in a storage account**|Indicates that the access permissions of this storage container have been changed in an unusual way. A potential cause is that an attacker has changed container permissions to weaken its security posture or to gain persistence.|Persistence|
 |**Unusual access inspection in a storage account**|Indicates that the access permissions of a storage account have been inspected in an unusual way, compared to recent activity on this account. A potential cause is that an attacker has performed reconnaissance for a future attack.|Collection|
 |**Unusual data exploration in a storage account**|Indicates that blobs or containers in a storage account have been enumerated in an abnormal way, compared to recent activity on this account. A potential cause is that an attacker has performed reconnaissance for a future attack.|Collection|
