You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/defender-for-cloud/review-security-recommendations.md
+19Lines changed: 19 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -43,6 +43,7 @@ It's important to review all of the details related to a recommendation before t
43
43
-**Scope** - The affected subscription or resource.
44
44
-**Freshness** - The freshness interval for the recommendation.
45
45
-**Last change date** - The date this recommendation last had a change
46
+
-**Severity** - The severity of the recommendation (High, Medium, or Low). More details below.
46
47
-**Owner** - The person assigned to this recommendation.
47
48
-**Due date** - The assigned date the recommendation must be resolved by.
48
49
-**Tactics & techniques** - The tactics and techniques mapped to MITRE ATT&CK.
@@ -176,6 +177,24 @@ You can use [Azure Resource Graph](../governance/resource-graph/index.yml) to wr
176
177
177
178
1. Review the results.
178
179
180
+
181
+
## How are recommendations classified?
182
+
183
+
Every security recommendation from Defender for Cloud is assigned one of three severity ratings:
184
+
185
+
-**High severity**: These recommendations should be addressed immediately, as they indicate a critical security vulnerability that could be exploited by an attacker to gain unauthorized access to your systems or data. Examples of high severity recommendations are when we’ve discovered unprotected secrets on a machine, overly-permissive inbound NSG rules, clusters allowing images to be deployed from untrusted registries, and unrestricted public access to storage accounts or databases.
186
+
187
+
-**Medium severity**: These recommendations indicate a potential security risk that should be addressed in a timely manner, but may not require immediate attention. Examples of medium severity recommendations might include containers sharing sensitive host namespaces, web apps not using managed identities, Linux machines not requiring SSH keys during authentication, and unused credentials being left in the system after 90 days of inactivity.
188
+
189
+
-**Low severity**: These recommendations indicate a relatively minor security issue that can be addressed at your convenience. Examples of low severity recommendations might include the need to disable local authentication in favor of Microsoft Entra ID, health issues with your endpoint protection solution, best practices not being followed with network security groups, or misconfigured logging settings that could make it harder to detect and respond to security incidents.
190
+
191
+
Of course, the internal views of an organization might differ with Microsoft’s classification of a specific recommendation. So, it's always a good idea to review each recommendation carefully and consider its potential impact on your security posture before deciding how to address it.
192
+
193
+
> [!NOTE]
194
+
> Defender CSPM customers have access to a richer classification system where recommendations are shown a more dynamic **Risk level** that utilizes the *context* of the resource and all related resources. Learn more about [risk prioritization](risk-prioritization.md).
195
+
196
+
197
+
179
198
### Example
180
199
181
200
In this example, this recommendation details page shows 15 affected resources:
0 commit comments