articles/security-center/alerts-reference.md
Lines changed: 12 additions & 4 deletions
@@ -44,13 +44,21 @@ Below the alerts table is a table describing the Azure Security Center kill chai
44
44
|**Potential port forwarding to external IP address**|Host data analysis detected the initiation of port forwarding to an external IP address.|Exfiltration / CommandAndControl|
45
45
||<aname="alerts-azureappserv"></a><h3>Azure App Service</h3> [Further details and notes](security-center-alerts-compute.md#azure-app-service-)||
46
46
|**Suspicious WordPress theme invocation detected**|The App Service activity log indicates a possible code injection activity on your App Service resource.<br>This suspicious activity resembles activity that manipulates a WordPress theme to support server-side execution of code, followed by a direct web request to invoke the manipulated theme file. This type of activity can be part of an attack campaign over WordPress.|-|
47
-
|**An IP that connected to your Azure App Service FTP Interface was found in Threat Intelligence**|App Service FTP logs analysis has detected a connection from a source address that was found in the threat intelligence feed. During this connection, a user accessed the pages listed.|-|
48
-
|**Web fingerprinting detected**|The App Service activity log indicates a possible web fingerprinting activity on your App Service resource.<br>This suspicious activity is associated with a tool called Blind Elephant. The tool fingerprints web servers and tries to detect the installed applications and their versions. Attackers often use this tool for probing the web applications to find vulnerabilities. |-|
47
+
|**Web fingerprinting detected**<br>(NMAP / Blind Elephant)|The App Service activity log indicates a possible web fingerprinting activity on your App Service resource.<br>This suspicious activity is associated with a tool called Blind Elephant. The tool fingerprints web servers and tries to detect the installed applications and their versions. Attackers often use this tool for probing the web applications to find vulnerabilities. |-|
49
48
|**Suspicious access to possibly vulnerable web page detected**|The App Service activity log indicates that a web page that seems to be sensitive was accessed.<br>This suspicious activity originated from a source address whose access pattern resembles that of a web scanner. This kind of activity is often associated with an attempt by an attacker to scan your network to try to gain access to sensitive or vulnerable web pages. |-|
49
+
|**An IP that connected to your Azure App Service FTP Interface was found in Threat Intelligence**|App Service FTP logs analysis has detected a connection from a source address that was found in the threat intelligence feed. During this connection, a user accessed the pages listed.|-|
50
50
|**An attempt to run Linux commands on a Windows App Service**|Analysis of App Service processes detected an attempt to run a Linux command on a Windows App Service. This action was running by the web application. This behavior is often seen during campaigns that exploit a vulnerability in a common web application.|-|
51
51
|**Suspicious PHP execution detected**|Machine logs indicate that a suspicious PHP process is running. The action included an attempt to run operating system commands or PHP code from the command line, by using the PHP process. While this behavior can be legitimate, in web applications this behavior might indicate malicious activities, such as attempts to infect websites with web shells.|Execution|
52
52
|**Process execution from temporary folder**|App Service processes analysis has detected an execution of a process from the app's temporary folder. While this behavior can be legitimate, in web applications this behavior might indicate malicious activities.|-|
53
53
|**Attempt to run high privilege command detected**|Analysis of App Service processes has detected an attempt to run a command that requires high privileges. The command ran in the web application context. While this behavior can be legitimate, in web applications this behavior might indicate malicious activities.|-|
54
+
|**Saving curl output to disk detected**|Analysis of App Service processes detected the running of a curl command in which the output was saved to the disk. While this behavior can be legitimate, in web applications this behavior is also observed in malicious activities such as attempts to infect websites with web shells.|-|
55
+
|**Raw data download detected**|Analysis of App Service processes detected an attempt to download code from raw-data websites such as Pastebin. This action was run by a PHP process. This behavior is associated with attempts to download web shells or other malicious components to the App Service.|-|
56
+
|**Vulnerability scanner detected**<br>(Joomla/WordPress/CMS)|The Azure App Service activity log indicates that a possible vulnerability scanner was used on your App Service resource. The suspicious activity detected resembles that of tools targeting Joomla applications / WordPress applications / a content management system (CMS).|-|
57
+
|**Spam folder referrer detected**|Azure App Service activity log indicates web activity that was identified as originating from a web site associated with SPAM activity. This could occur if your web site is compromised and used for spam activity.|-|
58
+
|**Connection to web page from anomalous IP address detected**|The Azure App Service activity log indicates a connection to a sensitive web page from a source IP address (%{Source IP Address}) that never connect to it before. This might indicate that someone is attempting a brute force attack into your web app administration pages. It might also be the result of a new IP address being used by a legitimate user.|-|
59
+
|**Suspicious User Agent detected**|Azure App Service activity log indicates requests with suspicious user agent. This behavior can indicate on attempts to exploit a vulnerability in your App Service application.|-|
60
+
|**PHP file in upload folder**|The Azure App Service activity log indicates an access to a suspicious PHP page located in the upload folder. This type of folder does not usually contain PHP files. The existence of this type of file might indicate an exploitation taking advantage of arbitrary file upload vulnerabilities.|-|
61
+
|**Anomalous requests pattern detected**|The Azure App Service activity log indicates an anomalous HTTP activity to the App Service from %{Source IP}. This activity resembles a pattern of Fuzzing \ Brute force activity.|-|
54
62
||<aname="alerts-akscluster"></a><h3>AKS cluster level</h3> [Further details and notes](security-center-alerts-compute.md#azure-containers-)||
55
63
|**PREVIEW - Role binding to the cluster-admin role detected**|Kubernetes audit log analysis detected a new binding to the cluster-admin role resulting in administrator privileges. Unnecessarily providing administrator privileges might result in privilege escalation issues in the cluster.|Persistence|
56
64
|**PREVIEW - Exposed Kubernetes dashboard detected**|Kubernetes audit log analysis detected exposure of the Kubernetes Dashboard by a LoadBalancer service. Exposed dashboards allow unauthenticated access to the cluster management and pose a security threat.|Persistence|
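Review bot: the renamed row **Web fingerprinting detected**<br>(NMAP / Blind Elephant) adds NMAP to the alert name, but its description is unchanged and still says only "This suspicious activity is associated with a tool called Blind Elephant", so the name now promises more than the text supports; either extend the description to cover both tools or keep the name to what the description says. Several of the new App Service rows also need copy fixes: in **Connection to web page from anomalous IP address detected**, "a source IP address (%{Source IP Address}) that never connect to it before" should read "never connected to it before", and the placeholder should use the same form as "%{Source IP}" in **Anomalous requests pattern detected** (or the other way round) so both rows render the same field; in **Suspicious User Agent detected**, "requests with suspicious user agent. This behavior can indicate on attempts" should be "requests with a suspicious user agent. This behavior can indicate attempts"; and "Fuzzing \ Brute force" uses a backslash where the rest of the table separates alternatives with "/" (Joomla/WordPress/CMS, NMAP / Blind Elephant). Finally, reconsider the "-" in the intent column for the added rows: the existing **Suspicious PHP execution detected** row in this same table is tagged Execution, while the new **Raw data download detected** and **Saving curl output to disk detected** rows describe the same web-shell infection scenario and carry no intent, so the column is now inconsistent within the table.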
@@ -123,8 +131,8 @@ Below the alerts table is a table describing the Azure Security Center kill chai
123
131
|**High volume of operations in a Key Vault**|A larger volume of Key Vault operations has been performed compared with historical data. Key Vault activity is typically the same over time. This may be a legitimate change in activity. Alternatively, your infrastructure might be compromised and further investigations are necessary.|-|
124
132
|**User accessed high volume of Key Vaults**|The number of vaults that a user or application accesses has changed compared with historical data. Key Vault activity is typically the same over time. This may be a legitimate change in activity. Alternatively, your infrastructure might be compromised and further investigations are necessary.|-|
125
133
||<aname="alerts-azureddos"></a><h3>Azure DDoS Protection</h3> [Further details and notes](security-center-alerts-integration.md#azure-ddos)||
126
-
|**DDoSAttackdetectedforPublicIP**|DDoSAttackdetectedforPublic IP (IP address)andbeingmitigated.|Probing|
127
-
|**DDoSAttackmitigatedforPublicIP**|DDoSAttackmitigatedforPublic IP (IP address).|Probing|
134
+
|**DDoSAttackdetectedforPublicIP**|DDoSAttackdetectedforPublic IP (IP address)andbeingmitigated.|Probing|
135
+
|**DDoSAttackmitigatedforPublicIP**|DDoSAttackmitigatedforPublic IP (IP address).|Probing|
128
136
|**Volumetric attack detected**|This attack's goal is to flood the network layer with a substantial amount of seemingly legitimate traffic. It includes UDP floods, amplification floods, and other spoofed-packet floods. DDoS Protection Standard mitigates these potential multi-gigabyte attacks by absorbing and scrubbing them, with global network scale, automatically.|-|
129
137
|**Protocol attack detected**|These attacks render a target inaccessible, by exploiting a weakness in the layer 3 and layer 4 protocol stacks. It includes SYN flood attacks, reflection attacks, and other protocol attacks. DDoS Protection Standard mitigates these attacks, differentiating between malicious and legitimate traffic, by interacting with the client, and blocking malicious traffic.|-|
130
138
|**Resource (application) layer attack detected**|These attacks target web application packets, to disrupt the transmission of data between hosts. The attacks include HTTP protocol violations, SQL injection, cross-site scripting, and other layer 7 attacks. Use the Azure Application Gateway WAF, with DDoS Protection Standard, to defend against these attacks. There are also third-party WAF offerings available in Azure Marketplace.|-|
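Review bot: the two Azure DDoS Protection rows removed and re-added in this hunk (**DDoSAttackdetectedforPublicIP** and **DDoSAttackmitigatedforPublicIP**) are byte-for-byte identical, so the hunk changes only their position in the file, presumably a whitespace or line-ending difference; since the rows are being touched anyway, fix the run-together text so the names and descriptions read "DDoS Attack detected for Public IP" / "DDoS Attack detected for Public IP (IP address) and being mitigated" and "DDoS Attack mitigated for Public IP" / "DDoS Attack mitigated for Public IP (IP address)", which also makes them searchable in the rendered table. If the names are deliberately reproduced exactly as the product emits them, add a short note saying so, because as written they read like an extraction error rather than alert names.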