A logon from a malicious IP has been detected. [seen multiple times],"A successful remote authentication for the account [account] and process [process] occurred, however the logon IP address (x.x.x.x) has previously been reported as malicious or highly unusual. A successful attack has probably occurred. Files with the .scr extensions are screen saver files and are normally reside and execute from the Windows system directory.",-,High,Windows,Azure Defender
A logon from a malicious IP has been detected(VM_ThreatIntelSuspectLogon),"A successful remote authentication for the account [account] and process [process] occurred, however the logon IP address (x.x.x.x) has previously been reported as malicious or highly unusual. A successful attack has probably occurred.",Initial access,High,Windows,Azure Defender
Addition of Guest account to Local Administrators group,"Analysis of host data has detected the addition of the built-in Guest account to the Local Administrators group on %{Compromised Host}, which is strongly associated with attacker activity.",-,Medium,Windows,Azure Defender
An event log was cleared,Machine logs indicate a suspicious event log clearing operation by user: '%{user name}' in Machine: '%{CompromisedEntity}'. The %{log channel} log was cleared.,-,Informational,Windows,Azure Defender
Antimalware Action Failed,Microsoft Antimalware has encountered an error when taking an action on malware or other potentially unwanted software.,-,Medium,Windows,Azure Defender
Antimalware Action Taken,Microsoft Antimalware for Azure has taken an action to protect this machine from malware or other potentially unwanted software.,-,Medium,Windows,Azure Defender
Antimalware broad files exclusion in your virtual machine(ARM_AmBroadFilesExclusion),Files exclusion from antimalware extension with broad exclusion rule was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Such exclusion practically disabling the Antimalware protection.Attackers might exclude files from the antimalware scan on your virtual machine to prevent detection while running arbitrary code or infecting the machine with malware.,-,Medium,Windows,Azure Defender
Antimalware disabled and code execution in your virtual machine(ARM_AmDisablementAndCodeExecution),Antimalware disabled at the same time as code execution on your virtual machine. This was detected by analyzing Azure Resource Manager operations in your subscription.Attackers disable antimalware scanners to prevent detection while running unauthorized tools or infecting the machine with malware.,-,High,Windows,Azure Defender
Antimalware disabled in your virtual machine(ARM_AmDisablement),Antimalware disabled in your virtual machine. This was detected by analyzing Azure Resource Manager operations in your subscription.Attackers might disable the antimalware on your virtual machine to prevent detection.,Defense Evasion,Medium,Windows,Azure Defender
Antimalware file exclusion and code execution in your virtual machine(ARM_AmFileExclusionAndCodeExecution),File excluded from your antimalware scanner at the same time as code was executed via a custom script extension on your virtual machine. This was detected by analyzing Azure Resource Manager operations in your subscription.Attackers might exclude files from the antimalware scan on your virtual machine to prevent detection while running unauthorized tools or infecting the machine with malware.,"Defense Evasion, Execution",High,Windows,Azure Defender
Antimalware file exclusion and code execution in your virtual machine(ARM_AmTempFileExclusionAndCodeExecution),Temporary file exclusion from antimalware extension in parallel to execution of code via custom script extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.Attackers might exclude files from the antimalware scan on your virtual machine to prevent detection while running arbitrary code or infecting the machine with malware.,"Defense Evasion, Execution",High,Windows,Azure Defender
Antimalware file exclusion in your virtual machine(ARM_AmTempFileExclusion),File excluded from your antimalware scanner on your virtual machine. This was detected by analyzing Azure Resource Manager operations in your subscription.Attackers might exclude files from the antimalware scan on your virtual machine to prevent detection while running unauthorized tools or infecting the machine with malware.,Defense Evasion,Medium,Windows,Azure Defender
Antimalware real-time protection was disabled in your virtual machine(ARM_AmRealtimeProtectionDisabled),Real-time protection disablement of the antimalware extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.Attackers might disable real-time protection from the antimalware scan on your virtual machine to avoid detection while running arbitrary code or infecting the machine with malware.,Defense Evasion,Medium,Windows,Azure Defender
Antimalware real-time protection was disabled temporarily in your virtual machine(ARM_AmTempRealtimeProtectionDisablement),Real-time protection temporary disablement of the antimalware extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.Attackers might disable real-time protection from the antimalware scan on your virtual machine to avoid detection while running arbitrary code or infecting the machine with malware.,Defense Evasion,Medium,Windows,Azure Defender
Antimalware real-time protection was disabled temporarily while code was executed in your virtual machine(ARM_AmRealtimeProtectionDisablementAndCodeExec),Real-time protection temporary disablement of the antimalware extension in parallel to code execution via custom script extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.Attackers might disable real-time protection from the antimalware scan on your virtual machine to avoid detection while running arbitrary code or infecting the machine with malware.,-,High,Windows,Azure Defender
Antimalware scans blocked for files potentially related to malware campaigns on your virtual machine (Preview)(ARM_AmMalwareCampaignRelatedExclusion),An exclusion rule was detected in your virtual machine to prevent your antimalware extension scanning certain files that are suspected of being related to a malware campaign. The rule was detected by analyzing the Azure Resource Manager operations in your subscription. Attackers might exclude files from antimalware scans to prevent detection while running arbitrary code or infecting the machine with malware.,Defense Evasion,Medium,Windows,Azure Defender
Antimalware temporarily disabled in your virtual machine(ARM_AmTemporarilyDisablement),Antimalware temporarily disabled in your virtual machine. This was detected by analyzing Azure Resource Manager operations in your subscription.Attackers might disable the antimalware on your virtual machine to prevent detection.,-,Medium,Windows,Azure Defender
Antimalware unusual file exclusion in your virtual machine(ARM_UnusualAmFileExclusion),Unusual file exclusion from antimalware extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.Attackers might exclude files from the antimalware scan on your virtual machine to prevent detection while running arbitrary code or infecting the machine with malware.,Defense Evasion,Medium,Windows,Azure Defender
Custom script extension with suspicious command in your virtual machine(ARM_CustomScriptExtensionSuspiciousCmd),Custom script extension with suspicious command was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.Attackers may use custom script extension to execute a malicious code on your virtual machine via the Azure Resource Manager.,Execution,Medium,Windows,Azure Defender
Custom script extension with suspicious entry-point in your virtual machine(ARM_CustomScriptExtensionSuspiciousEntryPoint),Custom script extension with a suspicious entry-point was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. The entry-point refers to a suspicious GitHub repository.Attackers may use custom script extensions to execute malicious code on your virtual machines via the Azure Resource Manager.,Execution,Medium,Windows,Azure Defender
Custom script extension with suspicious payload in your virtual machine(ARM_CustomScriptExtensionSuspiciousPayload),Custom script extension with a payload from a suspicious GitHub repository was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.Attackers may use custom script extensions to execute malicious code on your virtual machines via the Azure Resource Manager.,Execution,Medium,Windows,Azure Defender
Detected actions indicative of disabling and deleting IIS log files,Analysis of host data detected actions that show IIS log files being disabled and/or deleted.,-,Medium,Windows,Azure Defender
Detected anomalous mix of upper and lower case characters in command-line,"Analysis of host data on %{Compromised Host} detected a command line with anomalous mix of upper and lower case characters. This kind of pattern, while possibly benign, is also typical of attackers trying to hide from case-sensitive or hash-based rule matching when performing administrative tasks on a compromised host.",-,Medium,Windows,Azure Defender
Detected change to a registry key that can be abused to bypass UAC,"Analysis of host data on %{Compromised Host} detected that a registry key that can be abused to bypass UAC (User Account Control) was changed. This kind of configuration, while possibly benign, is also typical of attacker activity when trying to move from unprivileged (standard user) to privileged (for example administrator) access on a compromised host.",-,Medium,Windows,Azure Defender
Detected decoding of an executable using built-in certutil.exe tool,"Analysis of host data on %{Compromised Host} detected that certutil.exe, a built-in administrator utility, was being used to decode an executable instead of its mainstream purpose that relates to manipulating certificates and certificate data. Attackers are known to abuse functionality of legitimate administrator tools to perform malicious actions, for example using a tool such as certutil.exe to decode a malicious executable that will then be subsequently executed.",-,High,Windows,Azure Defender
Detected enabling of the WDigest UseLogonCredential registry key,"Analysis of host data detected a change in the registry key HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\ ""UseLogonCredential"". Specifically this key has been updated to allow logon credentials to be stored in clear text in LSA memory. Once enabled an attacker can dump clear text passwords from LSA memory with credential harvesting tools such as Mimikatz.",-,Medium,Windows,Azure Defender
Detected encoded executable in command line data,"Analysis of host data on %{Compromised Host} detected a base-64 encoded executable. This has previously been associated with attackers attempting to construct executables on-the-fly through a sequence of commands, and attempting to evade intrusion detection systems by ensuring that no individual command would trigger an alert. This could be legitimate activity, or an indication of a compromised host.",-,High,Windows,Azure Defender
Detected obfuscated command line,Attackers use increasingly complex obfuscation techniques to evade detections that run against the underlying data. Analysis of host data on %{Compromised Host} detected suspicious indicators of obfuscation on the commandline.,-,Informational,Windows,Azure Defender
Detected Petya ransomware indicators,Analysis of host data on %{Compromised Host} detected indicators associated with Petya ransomware. See https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/ for more information. Review the command line associated in this alert and escalate this alert to your security team.,-,High,Windows,Azure Defender
Detected possible execution of keygen executable,Analysis of host data on %{Compromised Host} detected execution of a process whose name is indicative of a keygen tool; such tools are typically used to defeat software licensing mechanisms but their download is often bundled with other malicious software. Activity group GOLD has been known to make use of such keygens to covertly gain back door access to hosts that they compromise.,-,Medium,Windows,Azure Defender
Detected possible execution of malware dropper,Analysis of host data on %{Compromised Host} detected a filename that has previously been associated with one of activity group GOLD's methods of installing malware on a victim host.,-,High,Windows,Azure Defender
Detected potentially suspicious use of Telegram tool,"Analysis of host data shows installation of Telegram, a free cloud-based instant messaging service that exists both for mobile and desktop system. Attackers are known to abuse this service to transfer malicious binaries to any other computer, phone, or tablet.",-,Medium,Windows,Azure Defender
Detected suppression of legal notice displayed to users at logon,Analysis of host data on %{Compromised Host} detected changes to the registry key that controls whether a legal notice is displayed to users when they log on. Microsoft security analysis has determined that this is a common activity undertaken by attackers after having compromised a host.,-,Low,Windows,Azure Defender
Detected suspicious combination of HTA and PowerShell,"mshta.exe (Microsoft HTML Application Host) which is a signed Microsoft binary is being used by the attackers to launch malicious PowerShell commands. Attackers often resort to having an HTA file with inline VBScript. When a victim browses to the HTA file and chooses to run it, the PowerShell commands and scripts that it contains are executed. Analysis of host data on %{Compromised Host} detected mshta.exe launching PowerShell commands.",-,Medium,Windows,Azure Defender
Detected suspicious commandline arguments,Analysis of host data on %{Compromised Host} detected suspicious commandline arguments that have been used in conjunction with a reverse shell used by activity group HYDROGEN.,-,High,Windows,Azure Defender
Detected suspicious commandline used to start all executables in a directory,Analysis of host data has detected a suspicious process running on %{Compromised Host}. The commandline indicates an attempt to start all executables (*.exe) that may reside in a directory. This could be an indication of a compromised host.,-,Medium,Windows,Azure Defender
Detected suspicious credentials in commandline,Analysis of host data on %{Compromised Host} detected a suspicious password being used to execute a file by activity group BORON. This activity group has been known to use this password to execute Pirpi malware on a victim host.,-,High,Windows,Azure Defender
Detected suspicious document credentials,"Analysis of host data on %{Compromised Host} detected a suspicious, common precomputed password hash used by malware being used to execute a file. Activity group HYDROGEN has been known to use this password to execute malware on a victim host.",-,High,Windows,Azure Defender
Detected suspicious execution of VBScript.Encode command,"Analysis of host data on %{Compromised Host} detected the execution of VBScript.Encode command. This encodes the scripts into unreadable text, making it more difficult for users to examine the code. Microsoft threat research shows that attackers often use encoded VBscript files as part of their attack to evade detection systems. This could be legitimate activity, or an indication of a compromised host.",-,Medium,Windows,Azure Defender
Detected suspicious execution via rundll32.exe,"Analysis of host data on %{Compromised Host} detected rundll32.exe being used to execute a process with an uncommon name, consistent with the process naming scheme previously seen used by activity group GOLD when installing their first stage implant on a compromised host.",-,High,Windows,Azure Defender
Detected suspicious file cleanup commands,"Analysis of host data on %{Compromised Host} detected a combination of systeminfo commands that has previously been associated with one of activity group GOLD's methods of performing post-compromise self-cleanup activity. While 'systeminfo.exe' is a legitimate Windows tool, executing it twice in succession, followed by a delete command in the way that has occurred here is rare.",-,High,Windows,Azure Defender
Detected suspicious file creation,Analysis of host data on %{Compromised Host} detected creation or execution of a process which has previously indicated post-compromise action taken on a victim host by activity group BARIUM. This activity group has been known to use this technique to download additional malware to a compromised host after an attachment in a phishing doc has been opened.,-,High,Windows,Azure Defender
Detected suspicious named pipe communications,"Analysis of host data on %{Compromised Host} detected data being written to a local named pipe from a Windows console command. Named pipes are known to be a channel used by attackers to task and communicate with a malicious implant. This could be legitimate activity, or an indication of a compromised host.",-,High,Windows,Azure Defender
Detected suspicious network activity,"Analysis of network traffic from %{Compromised Host} detected suspicious network activity. Such traffic, while possibly benign, is typically used by an attacker to communicate with malicious servers for downloading of tools, command-and-control and exfiltration of data. Typical related attacker activity includes copying remote administration tools to a compromised host and exfiltrating user data from it.",-,Low,Windows,Azure Defender
Detected suspicious new firewall rule,Analysis of host data detected a new firewall rule has been added via netsh.exe to allow traffic from an executable in a suspicious location.,-,Medium,Windows,Azure Defender
Detected suspicious use of Cacls to lower the security state of the system,"Attackers use myriad ways like brute force, spear phishing etc. to achieve initial compromise and get a foothold on the network. Once initial compromise is achieved they often take steps to lower the security settings of a system. Cacls—short for change access control list is Microsoft Windows native command-line utility often used for modifying the security permission on folders and files. A lot of time the binary is used by the attackers to lower the security settings of a system. This is done by giving Everyone full access to some of the system binaries like ftp.exe, net.exe, wscript.exe etc. Analysis of host data on %{Compromised Host} detected suspicious use of Cacls to lower the security of a system.",-,Medium,Windows,Azure Defender
Detected suspicious use of FTP -s Switch,"Analysis of process creation data from the %{Compromised Host} detected the use of the FTP ""-s:filename"" switch. This switch is used to specify an FTP script file for the client to run. Malware or malicious processes are known to use this FTP switch (-s:filename) to point to a script file which is configured to connect to a remote FTP server and download additional malicious binaries.",-,Medium,Windows,Azure Defender
Detected suspicious use of Pcalua.exe to launch executable code,"Analysis of host data on %{Compromised Host} detected the use of pcalua.exe to launch executable code. Pcalua.exe is component of the Microsoft Windows ""Program Compatibility Assistant"" which detects compatibility issues during the installation or execution of a program. Attackers are known to abuse functionality of legitimate Windows system tools to perform malicious actions, for example using pcalua.exe with the -a switch to launch malicious executables either locally or from remote shares.",-,Medium,Windows,Azure Defender
Detected the disabling of critical services,"The analysis of host data on %{Compromised Host} detected execution of ""net.exe stop"" command being used to stop critical services like SharedAccess or Windows Security Center. The stopping of either of these services can be indication of a malicious behavior.",-,Medium,Windows,Azure Defender
Digital currency mining related behavior detected,Analysis of host data on %{Compromised Host} detected the execution of a process or command normally associated with digital currency mining.,-,High,Windows,Azure Defender
Dynamic PS script construction,"Analysis of host data on %{Compromised Host} detected a PowerShell script being constructed dynamically. Attackers sometimes use this approach of progressively building up a script in order to evade IDS systems. This could be legitimate activity, or an indication that one of your machines has been compromised.",-,Medium,Windows,Azure Defender
Executable found running from a suspicious location,"Analysis of host data detected an executable file on %{Compromised Host} that is running from a location in common with known suspicious files. This executable could either be legitimate activity, or an indication of a compromised host.",-,High,Windows,Azure Defender
Fileless attack behavior detected(VM_FilelessAttackBehavior.Windows),"The memory of the process specified contains behaviors commonly used by fileless attacks. Specific behaviors include:1) Shellcode, which is a small piece of code typically used as the payload in the exploitation of a software vulnerability.2) Active network connections. See NetworkConnections below for details.3) Function calls to security sensitive operating system interfaces. See Capabilities below for referenced OS capabilities.4) Contains a thread that was started in a dynamically allocated code segment. This is a common pattern for process injection attacks.",Defense Evasion,Low,Windows,Azure Defender
Fileless attack technique detected(VM_FilelessAttackTechnique.Windows),"The memory of the process specified below contains evidence of a fileless attack technique. Fileless attacks are used by attackers to execute code while evading detection by security software. Specific behaviors include:1) Shellcode, which is a small piece of code typically used as the payload in the exploitation of a software vulnerability.2) Executable image injected into the process, such as in a code injection attack.3) Active network connections. See NetworkConnections below for details.4) Function calls to security sensitive operating system interfaces. See Capabilities below for referenced OS capabilities.5) Process hollowing, which is a technique used by malware in which a legitimate process is loaded on the system to act as a container for hostile code.6) Contains a thread that was started in a dynamically allocated code segment. This is a common pattern for process injection attacks.","Defense Evasion, Execution",High,Windows,Azure Defender
Fileless attack toolkit detected(VM_FilelessAttackToolkit.Windows),"The memory of the process specified contains a fileless attack toolkit: [toolkit name]. Fileless attack toolkits use techniques that minimize or eliminate traces of malware on disk, and greatly reduce the chances of detection by disk-based malware scanning solutions. Specific behaviors include:1) Well-known toolkits and crypto mining software.2) Shellcode, which is a small piece of code typically used as the payload in the exploitation of a software vulnerability.3) Injected malicious executable in process memory.","Defense Evasion, Execution",Medium,Windows,Azure Defender
High risk software detected,"Analysis of host data from %{Compromised Host} detected the usage of software that has been associated with the installation of malware in the past. A common technique utilized in the distribution of malicious software is to package it within otherwise benign tools such as the one seen in this alert. Upon using these tools, the malware can be silently installed in the background.",-,Medium,Windows,Azure Defender
Local Administrators group members were enumerated,"Machine logs indicate a successful enumeration on group %{Enumerated Group Domain Name}%{Enumerated Group Name}. Specifically, %{Enumerating User Domain Name}%{Enumerating User Name} remotely enumerated the members of the %{Enumerated Group Domain Name}%{Enumerated Group Name} group. This activity could either be legitimate activity, or an indication that a machine in your organization has been compromised and used to reconnaissance %{vmname}.",-,Informational,Windows,Azure Defender
Malicious firewall rule created by ZINC server implant [seen multiple times],"A firewall rule was created using techniques that match a known actor, ZINC. The rule was possibly used to open a port on %{Compromised Host} to allow for Command & Control communications. This behavior was seen [x] times today on the following machines: [Machine names]",-,High,Windows,Azure Defender
Malicious SQL activity,Machine logs indicate that '%{process name}' was executed by account: %{user name}. This activity is considered malicious.,-,High,Windows,Azure Defender
Multiple Domain Accounts Queried,"Analysis of host data has determined that an unusual number of distinct domain accounts are being queried within a short time period from %{Compromised Host}. This kind of activity could be legitimate, but can also be an indication of compromise.",-,Medium,Windows,Azure Defender
Possible credential dumping detected [seen multiple times],Analysis of host data has detected use of native windows tool (e.g. sqldumper.exe) being used in a way that allows to extract credentials from memory. Attackers often use these techniques to extract credentials that they then further use for lateral movement and privilege escalation. This behavior was seen [x] times today on the following machines: [Machine names],-,Medium,Windows,Azure Defender
Potential attempt to bypass AppLocker detected,"Analysis of host data on %{Compromised Host} detected a potential attempt to bypass AppLocker restrictions. AppLocker can be configured to implement a policy that limits what executables are allowed to run on a Windows system. The command-line pattern similar to that identified in this alert has been previously associated with attacker attempts to circumvent AppLocker policy by using trusted executables (allowed by AppLocker policy) to execute untrusted code. This could be legitimate activity, or an indication of a compromised host.",-,High,Windows,Azure Defender
PsExec execution detected(VM_RunByPsExec),Analysis of host data indicates that the process %{Process Name} was executed by PsExec utility. PsExec can be used for running processes remotely. This technique might be used for malicious purposes.,"Lateral Movement, Execution",Informational,Windows,Azure Defender
Ransomware indicators detected [seen multiple times],"Analysis of host data indicates suspicious activity traditionally associated with lock-screen and encryption ransomware. Lock screen ransomware displays a full-screen message preventing interactive use of the host and access to its files. Encryption ransomware prevents access by encrypting data files. In both cases a ransom message is typically displayed, requesting payment in order to restore file access. This behavior was seen [x] times today on the following machines: [Machine names]",-,High,Windows,Azure Defender
Ransomware indicators detected,"Analysis of host data indicates suspicious activity traditionally associated with lock-screen and encryption ransomware. Lock screen ransomware displays a full-screen message preventing interactive use of the host and access to its files. Encryption ransomware prevents access by encrypting data files. In both cases a ransom message is typically displayed, requesting payment in order to restore file access.",-,High,Windows,Azure Defender
Rare SVCHOST service group executed(VM_SvcHostRunInRareServiceGroup),The system process SVCHOST was observed running a rare service group. Malware often uses SVCHOST to masquerade its malicious activity.,"Defense Evasion, Execution",Informational,Windows,Azure Defender
Sticky keys attack detected,"Analysis of host data indicates that an attacker may be subverting an accessibility binary (for example sticky keys, onscreen keyboard, narrator) in order to provide backdoor access to the host %{Compromised Host}.",-,Medium,Windows,Azure Defender
Successful brute force attack(VM_LoginBruteForceSuccess),"Several sign in attempts were detected from the same source. Some successfully authenticated to the host.This resembles a burst attack, in which an attacker performs numerous authentication attempts to find valid account credentials.",Exploitation,Medium/High,Windows,Azure Defender
Suspect integrity level indicative of RDP hijacking,Analysis of host data has detected the tscon.exe running with SYSTEM privileges - this can be indicative of an attacker abusing this binary in order to switch context to any other logged on user on this host; it is a known attacker technique to compromise additional user accounts and move laterally across a network.,-,Medium,Windows,Azure Defender
Suspect service installation,Analysis of host data has detected the installation of tscon.exe as a service: this binary being started as a service potentially allows an attacker to trivially switch to any other logged on user on this host by hijacking RDP connections; it is a known attacker technique to compromise additional user accounts and move laterally across a network.,-,Medium,Windows,Azure Defender
Suspected Kerberos Golden Ticket attack parameters observed,Analysis of host data detected commandline parameters consistent with a Kerberos Golden Ticket attack.,-,Medium,Windows,Azure Defender
Suspicious Account Creation Detected,"Analysis of host data on %{Compromised Host} detected creation or use of a local account %{Suspicious account name} : this account name closely resembles a standard Windows account or group name '%{Similar To Account Name}'. This is potentially a rogue account created by an attacker, so named in order to avoid being noticed by a human administrator.",-,Medium,Windows,Azure Defender
Suspicious Activity Detected(VM_SuspiciousActivity),"Analysis of host data has detected a sequence of one or more processes running on %{machine name} that have historically been associated with malicious activity. While individual commands may appear benign the alert is scored based on an aggregation of these commands. This could either be legitimate activity, or an indication of a compromised host.",Execution,Medium,Windows,Azure Defender
Suspicious authentication activity(VM_LoginBruteForceValidUserFailed),"Although none of them succeeded, some of them used accounts were recognized by the host. This resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host. This indicates that some of your host account names might exist in a well-known account name dictionary.",Probing,Medium,Windows,Azure Defender
Suspicious code segment detected,"Indicates that a code segment has been allocated by using non-standard methods, such as reflective injection and process hollowing. The alert provides additional characteristics of the code segment that have been processed to provide context for the capabilities and behaviors of the reported code segment.",-,Medium,Windows,Azure Defender
Suspicious command execution(VM_SuspiciousCommandLineExecution),Machine logs indicate a suspicious command-line execution by user %{user name}.,Execution,High,Windows,Azure Defender
Suspicious double extension file executed,Analysis of host data indicates an execution of a process with a suspicious double extension. This extension may trick users into thinking files are safe to be opened and might indicate the presence of malware on the system.,-,High,Windows,Azure Defender
Suspicious download using Certutil detected [seen multiple times],"Analysis of host data on %{Compromised Host} detected the use of certutil.exe, a built-in administrator utility, for the download of a binary instead of its mainstream purpose that relates to manipulating certificates and certificate data. Attackers are known to abuse functionality of legitimate administrator tools to perform malicious actions, for example using certutil.exe to download and decode a malicious executable that will then be subsequently executed. This behavior was seen [x] times today on the following machines: [Machine names]",-,Medium,Windows,Azure Defender
Suspicious download using Certutil detected,"Analysis of host data on %{Compromised Host} detected the use of certutil.exe, a built-in administrator utility, for the download of a binary instead of its mainstream purpose that relates to manipulating certificates and certificate data. Attackers are known to abuse functionality of legitimate administrator tools to perform malicious actions, for example using certutil.exe to download and decode a malicious executable that will then be subsequently executed.",-,Medium,Windows,Azure Defender
Suspicious failed execution of custom script extension in your virtual machine(ARM_CustomScriptExtensionSuspiciousFailure),Suspicious failure of a custom script extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.Such failures may be associated with malicious scripts run by this extension.,Execution,Medium,Windows,Azure Defender
Suspicious PowerShell Activity Detected,"Analysis of host data detected a PowerShell script running on %{Compromised Host} that has features in common with known suspicious scripts. This script could either be legitimate activity, or an indication of a compromised host.",-,High,Windows,Azure Defender
Suspicious PowerShell cmdlets executed,Analysis of host data indicates execution of known malicious PowerShell PowerSploit cmdlets.,-,Medium,Windows,Azure Defender
Suspicious process executed [seen multiple times],"Machine logs indicate that the suspicious process: '%{Suspicious Process}' was running on the machine, often associated with attacker attempts to access credentials. This behavior was seen [x] times today on the following machines: [Machine names]",-,High,Windows,Azure Defender
Suspicious process executed,"Machine logs indicate that the suspicious process: '%{Suspicious Process}' was running on the machine, often associated with attacker attempts to access credentials.",-,High,Windows,Azure Defender
Suspicious process name detected [seen multiple times],"Analysis of host data on %{Compromised Host} detected a process whose name is suspicious, for example corresponding to a known attacker tool or named in a way that is suggestive of attacker tools that try to hide in plain sight. This process could be legitimate activity, or an indication that one of your machines has been compromised. This behavior was seen [x] times today on the following machines: [Machine names]",-,Medium,Windows,Azure Defender
Suspicious process name detected,"Analysis of host data on %{Compromised Host} detected a process whose name is suspicious, for example corresponding to a known attacker tool or named in a way that is suggestive of attacker tools that try to hide in plain sight. This process could be legitimate activity, or an indication that one of your machines has been compromised.",-,Medium,Windows,Azure Defender
Suspicious process termination burst(VM_TaskkillBurst),"Analysis of host data indicates a suspicious process termination burst in %{Machine Name}. Specifically, %{NumberOfCommands} processes were killed between %{Begin} and %{Ending}.",Defense Evasion,Low,Windows,Azure Defender
Suspicious Screensaver process executed(VM_SuspiciousScreenSaverExecution),The process '%{process name}' was observed executing from an uncommon location. Files with the .scr extensions are screen saver files and are normally reside and execute from the Windows system directory.,"Defense Evasion, Execution",Medium,Windows,Azure Defender
Suspicious SQL activity,Machine logs indicate that '%{process name}' was executed by account: %{user name}. This activity is uncommon with this account.,-,Medium,Windows,Azure Defender
Suspicious SVCHOST process executed,The system process SVCHOST was observed running in an abnormal context. Malware often uses SVCHOST to masquerade its malicious activity.,-,High,Windows,Azure Defender
Suspicious system process executed(VM_SystemProcessInAbnormalContext),The system process %{process name} was observed running in an abnormal context. Malware often uses this process name to masquerade its malicious activity.,"Defense Evasion, Execution",High,Windows,Azure Defender
Suspicious Volume Shadow Copy Activity,"Analysis of host data has detected a shadow copy deletion activity on the resource. Volume Shadow Copy (VSC) is an important artifact that stores data snapshots. Some malware and specifically Ransomware, targets VSC to sabotage backup strategies.",-,High,Windows,Azure Defender
Suspicious WindowPosition registry value detected,"Analysis of host data on %{Compromised Host} detected an attempted WindowPosition registry configuration change that could be indicative of hiding application windows in non-visible sections of the desktop. This could be legitimate activity, or an indication of a compromised machine: this type of activity has been previously associated with known adware (or unwanted software) such as Win32/OneSystemCare and Win32/SystemHealer and malware such as Win32/Creprote. When the WindowPosition value is set to 201329664, (Hex: 0x0c00 0c00, corresponding to X-axis=0c00 and the Y-axis=0c00) this places the console app's window in a non-visible section of the user's screen in an area that is hidden from view below the visible start menu/taskbar. Known suspect Hex value includes, but not limited to c000c000",-,Low,Windows,Azure Defender
Suspiciously named process detected,Analysis of host data on %{Compromised Host} detected a process whose name is very similar to but different from a very commonly run process (%{Similar To Process Name}). While this process could be benign attackers are known to sometimes hide in plain sight by naming their malicious tools to resemble legitimate process names.,-,Medium,Windows,Azure Defender
Unusual config reset in your virtual machine(ARM_VMAccessUnusualConfigReset),"An unusual config reset was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.While this action may be legitimate, attackers can try utilizing VM Access extension to reset the configuration in your virtual machine and compromise it.",Credential Access,Medium,Windows,Azure Defender
Unusual deletion of custom script extension in your virtual machine(ARM_CustomScriptExtensionUnusualDeletion),Unusual deletion of a custom script extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.Attackers may use custom script extensions to execute malicious code on your virtual machines via the Azure Resource Manager.,Execution,Medium,Windows,Azure Defender
Unusual execution of custom script extension in your virtual machine(ARM_CustomScriptExtensionUnusualExecution),Unusual execution of a custom script extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.Attackers may use custom script extensions to execute malicious code on your virtual machines via the Azure Resource Manager.,Execution,Medium,Windows,Azure Defender
Unusual process execution detected,"Analysis of host data on %{Compromised Host} detected the execution of a process by %{User Name} that was unusual. Accounts such as %{User Name} tend to perform a limited set of operations, this execution was determined to be out of character and may be suspicious.",-,High,Windows,Azure Defender
Unusual user password reset in your virtual machine(ARM_VMAccessUnusualPasswordReset),"An unusual user password reset was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.While this action may be legitimate, attackers can try utilizing the VM Access extension to reset the credentials of a local user in your virtual machine and compromise it.",Credential Access,Medium,Windows,Azure Defender
Unusual user SSH key reset in your virtual machine(ARM_VMAccessUnusualSSHReset),"An unusual user SSH key reset was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.While this action may be legitimate, attackers can try utilizing VM Access extension to reset SSH key of a user account in your virtual machine and compromise it.",Credential Access,Medium,Windows,Azure Defender
VBScript HTTP object allocation detected,Creation of a VBScript file using Command Prompt has been detected. The following script contains HTTP object allocation command. This action can be used to download malicious files.,-,High,Windows,Azure Defender
Windows registry persistence method detected(VM_RegistryPersistencyKey),Analysis of host data has detected an attempt to persist an executable in the Windows registry. Malware often uses such a technique to survive a boot.,Persistence,Low,Windows,Azure Defender
Access of htaccess file detected(VM_SuspectHtaccessFileAccess),"Analysis of host data on %{Compromised Host} detected possible manipulation of a htaccess file. Htaccess is a powerful configuration file that allows you to make multiple changes to a web server running the Apache Web software including basic redirect functionality, or for more advanced functions such as basic password protection. Attackers will often modify htaccess files on machines they have compromised to gain persistence.","Persistence, Defense Evasion, Execution",Medium,Linux,Azure Defender
An history file has been cleared,Analysis of host data indicates that the command history log file has been cleared. Attackers may do this to cover their traces. The operation was performed by user: '%{user name}'.,-,Medium,Linux,Azure Defender
Antimalware broad files exclusion in your virtual machine(ARM_AmBroadFilesExclusion),Files exclusion from antimalware extension with broad exclusion rule was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Such exclusion practically disabling the Antimalware protection.Attackers might exclude files from the antimalware scan on your virtual machine to prevent detection while running arbitrary code or infecting the machine with malware.,-,Medium,Linux,Azure Defender
Antimalware disabled and code execution in your virtual machine(ARM_AmDisablementAndCodeExecution),Antimalware disabled at the same time as code execution on your virtual machine. This was detected by analyzing Azure Resource Manager operations in your subscription.Attackers disable antimalware scanners to prevent detection while running unauthorized tools or infecting the machine with malware.,-,High,Linux,Azure Defender
Antimalware disabled in your virtual machine(ARM_AmDisablement),Antimalware disabled in your virtual machine. This was detected by analyzing Azure Resource Manager operations in your subscription.Attackers might disable the antimalware on your virtual machine to prevent detection.,Defense Evasion,Medium,Linux,Azure Defender
Antimalware file exclusion and code execution in your virtual machine(ARM_AmFileExclusionAndCodeExecution),File excluded from your antimalware scanner at the same time as code was executed via a custom script extension on your virtual machine. This was detected by analyzing Azure Resource Manager operations in your subscription.Attackers might exclude files from the antimalware scan on your virtual machine to prevent detection while running unauthorized tools or infecting the machine with malware.,"Defense Evasion, Execution",High,Linux,Azure Defender
Antimalware file exclusion and code execution in your virtual machine(ARM_AmTempFileExclusionAndCodeExecution),Temporary file exclusion from antimalware extension in parallel to execution of code via custom script extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.Attackers might exclude files from the antimalware scan on your virtual machine to prevent detection while running arbitrary code or infecting the machine with malware.,"Defense Evasion, Execution",High,Linux,Azure Defender
Antimalware file exclusion in your virtual machine(ARM_AmTempFileExclusion),File excluded from your antimalware scanner on your virtual machine. This was detected by analyzing Azure Resource Manager operations in your subscription.Attackers might exclude files from the antimalware scan on your virtual machine to prevent detection while running unauthorized tools or infecting the machine with malware.,Defense Evasion,Medium,Linux,Azure Defender
Antimalware real-time protection was disabled in your virtual machine(ARM_AmRealtimeProtectionDisabled),Real-time protection disablement of the antimalware extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.Attackers might disable real-time protection from the antimalware scan on your virtual machine to avoid detection while running arbitrary code or infecting the machine with malware.,Defense Evasion,Medium,Linux,Azure Defender
Antimalware real-time protection was disabled temporarily in your virtual machine(ARM_AmTempRealtimeProtectionDisablement),Real-time protection temporary disablement of the antimalware extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.Attackers might disable real-time protection from the antimalware scan on your virtual machine to avoid detection while running arbitrary code or infecting the machine with malware.,Defense Evasion,Medium,Linux,Azure Defender
Antimalware real-time protection was disabled temporarily while code was executed in your virtual machine(ARM_AmRealtimeProtectionDisablementAndCodeExec),Real-time protection temporary disablement of the antimalware extension in parallel to code execution via custom script extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.Attackers might disable real-time protection from the antimalware scan on your virtual machine to avoid detection while running arbitrary code or infecting the machine with malware.,-,High,Linux,Azure Defender
Antimalware scans blocked for files potentially related to malware campaigns on your virtual machine (Preview)(ARM_AmMalwareCampaignRelatedExclusion),An exclusion rule was detected in your virtual machine to prevent your antimalware extension scanning certain files that are suspected of being related to a malware campaign. The rule was detected by analyzing the Azure Resource Manager operations in your subscription. Attackers might exclude files from antimalware scans to prevent detection while running arbitrary code or infecting the machine with malware.,Defense Evasion,Medium,Linux,Azure Defender
Antimalware temporarily disabled in your virtual machine(ARM_AmTemporarilyDisablement),Antimalware temporarily disabled in your virtual machine. This was detected by analyzing Azure Resource Manager operations in your subscription.Attackers might disable the antimalware on your virtual machine to prevent detection.,-,Medium,Linux,Azure Defender
Antimalware unusual file exclusion in your virtual machine(ARM_UnusualAmFileExclusion),Unusual file exclusion from antimalware extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.Attackers might exclude files from the antimalware scan on your virtual machine to prevent detection while running arbitrary code or infecting the machine with malware.,Defense Evasion,Medium,Linux,Azure Defender
Attempt to stop apt-daily-upgrade.timer service detected [seen multiple times],"Analysis of host data on %{Compromised Host} detected an attempt to stop apt-daily-upgrade.timer service. In some recent attacks, attackers have been observed stopping this service, to download malicious files and granting execution privileges for their attack. This behavior was seen [x] times today on the following machines: [Machine names]",-,Low,Linux,Azure Defender
Attempt to stop apt-daily-upgrade.timer service detected(VM_TimerServiceDisabled),"Analysis of host data on %{Compromised Host} detected an attempt to stop apt-daily-upgrade.timer service. In some recent attacks, attackers have been observed stopping this service, to download malicious files and granting execution privileges for their attack.",Defense Evasion,Low,Linux,Azure Defender
Behavior similar to common Linux bots detected [seen multiple times],Analysis of host data on %{Compromised Host} detected the execution of a process normally associated with common Linux botnets. This behavior was seen [x] times today on the following machines: [Machine names],-,Medium,Linux,Azure Defender
Behavior similar to common Linux bots detected(VM_CommonBot),Analysis of host data on %{Compromised Host} detected the execution of a process normally associated with common Linux botnets.,"Execution, Collection, Command and Control",Medium,Linux,Azure Defender
Behavior similar to Fairware ransomware detected [seen multiple times],"Analysis of host data on %{Compromised Host} detected the execution of rm -rf commands applied to suspicious locations. As rm -rf will recursively delete files, it is normally used on discrete folders. In this case, it is being used in a location that could remove a lot of data. Fairware ransomware is known to execute rm -rf commands in this folder. This behavior was seen [x] times today on the following machines: [Machine names]",-,Medium,Linux,Azure Defender
Behavior similar to Fairware ransomware detected(VM_FairwareMalware),"Analysis of host data on %{Compromised Host} detected the execution of rm -rf commands applied to suspicious locations. As rm -rf will recursively delete files, it is normally used on discrete folders. In this case, it is being used in a location that could remove a lot of data. Fairware ransomware is known to execute rm -rf commands in this folder.",Execution,Medium,Linux,Azure Defender
Behavior similar to ransomware detected [seen multiple times],"Analysis of host data on %{Compromised Host} detected the execution of files that have resemblance of known ransomware that can prevent users from accessing their system or personal files, and demands ransom payment in order to regain access. This behavior was seen [x] times today on the following machines: [Machine names]",-,High,Linux,Azure Defender
Container with a miner image detected,Machine logs indicate execution of a Docker container that runs an image associated with a digital currency mining. This behavior can possibly indicate that your resources are abused by an attacker.,-,High,Linux,Azure Defender
Custom script extension with suspicious command in your virtual machine(ARM_CustomScriptExtensionSuspiciousCmd),Custom script extension with suspicious command was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.Attackers may use custom script extension to execute a malicious code on your virtual machine via the Azure Resource Manager.,Execution,Medium,Linux,Azure Defender
Custom script extension with suspicious entry-point in your virtual machine(ARM_CustomScriptExtensionSuspiciousEntryPoint),Custom script extension with a suspicious entry-point was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. The entry-point refers to a suspicious GitHub repository.Attackers may use custom script extensions to execute malicious code on your virtual machines via the Azure Resource Manager.,Execution,Medium,Linux,Azure Defender
Custom script extension with suspicious payload in your virtual machine(ARM_CustomScriptExtensionSuspiciousPayload),Custom script extension with a payload from a suspicious GitHub repository was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.Attackers may use custom script extensions to execute malicious code on your virtual machines via the Azure Resource Manager.,Execution,Medium,Linux,Azure Defender
Detected anomalous mix of upper and lower case characters in command line,"Analysis of host data on %{Compromised Host} detected a command line with anomalous mix of upper and lower case characters. This kind of pattern, while possibly benign, is also typical of attackers trying to hide from case-sensitive or hash-based rule matching when performing administrative tasks on a compromised host.",-,Medium,Linux,Azure Defender
Detected file download from a known malicious source [seen multiple times](VM_SuspectDownload),Analysis of host data has detected the download of a file from a known malware source on %{Compromised Host}. This behavior was seen over [x] times today on the following machines: [Machine names],"Privilege Escalation, Execution, Exfiltration, Command and Control",Medium,Linux,Azure Defender
Detected file download from a known malicious source,Analysis of host data has detected the download of a file from a known malware source on %{Compromised Host}.,-,Medium,Linux,Azure Defender
Detected persistence attempt [seen multiple times],"Analysis of host data on %{Compromised Host} has detected installation of a startup script for single-user mode. It is extremely rare that any legitimate process needs to execute in that mode, so this may indicate that an attacker has added a malicious process to every run-level to guarantee persistence. This behavior was seen [x] times today on the following machines: [Machine names]",-,Medium,Linux,Azure Defender
Detected persistence attempt(VM_NewSingleUserModeStartupScript),"Host data analysis has detected that a startup script for single-user mode has been installed.Because it's rare that any legitimate process would be required to run in that mode, this might indicate that an attacker has added a malicious process to every run-level to guarantee persistence.",Persistence,Medium,Linux,Azure Defender
Detected suspicious file download [seen multiple times],Analysis of host data has detected suspicious download of remote file on %{Compromised Host}. This behavior was seen 10 times today on the following machines: [Machine name],-,Low,Linux,Azure Defender
Detected suspicious file download(VM_SuspectDownloadArtifacts),Analysis of host data has detected suspicious download of remote file on %{Compromised Host}.,Persistence,Low,Linux,Azure Defender
Detected suspicious network activity,"Analysis of network traffic from %{Compromised Host} detected suspicious network activity. Such traffic, while possibly benign, is typically used by an attacker to communicate with malicious servers for downloading of tools, command-and-control and exfiltration of data. Typical related attacker activity includes copying remote administration tools to a compromised host and exfiltrating user data from it.",-,Low,Linux,Azure Defender
Detected suspicious use of the useradd command [seen multiple times],Analysis of host data has detected suspicious use of the useradd command on %{Compromised Host}. This behavior was seen [x] times today on the following machines: [Machine names],-,Medium,Linux,Azure Defender
Detected suspicious use of the useradd command(VM_SuspectUserAddition),Analysis of host data has detected suspicious use of the useradd command on %{Compromised Host}.,Persistence,Medium,Linux,Azure Defender
Digital currency mining related behavior detected,Analysis of host data on %{Compromised Host} detected the execution of a process or command normally associated with digital currency mining.,-,High,Linux,Azure Defender
Disabling of auditd logging [seen multiple times],The Linux Audit system provides a way to track security-relevant information on the system. It records as much information about the events that are happening on your system as possible. Disabling auditd logging could hamper discovering violations of security policies used on the system. This behavior was seen [x] times today on the following machines: [Machine names],-,Low,Linux,Azure Defender
Executable found running from a suspicious location(VM_SuspectExecutablePath),"Analysis of host data detected an executable file on %{Compromised Host} that is running from a location in common with known suspicious files. This executable could either be legitimate activity, or an indication of a compromised host.",Execution,High,Linux,Azure Defender
Exploitation of Xorg vulnerability [seen multiple times],Analysis of host data on %{Compromised Host} detected the user of Xorg with suspicious arguments. Attackers may use this technique in privilege escalation attempts. This behavior was seen [x] times today on the following machines: [Machine names],-,Medium,Linux,Azure Defender
Exposed Docker daemon on TCP socket(VM_ExposedDocker),"Machine logs indicate that your Docker daemon (dockerd) exposes a TCP socket. By default, Docker configuration, does not use encryption or authentication when a TCP socket is enabled. This enables full access to the Docker daemon, by anyone with access to the relevant port.","Execution, Exploitation",Medium,Linux,Azure Defender
Failed SSH brute force attack(VM_SshBruteForceFailed),Failed brute force attacks were detected from the following attackers: %{Attackers}. Attackers were trying to access the host with the following user names: %{Accounts used on failed sign in to host attempts}.,Probing,Medium,Linux,Azure Defender
Fileless Attack Behavior Detected(AppServices_FilelessAttackBehaviorDetection),The memory of the process specified below contains behaviors commonly used by fileless attacks.Specific behaviors include: {list of observed behaviors},Execution,Medium,Linux,Azure Defender
Fileless Attack Technique Detected(VM_FilelessAttackTechnique.Linux),The memory of the process specified below contains evidence of a fileless attack technique. Fileless attacks are used by attackers to execute code while evading detection by security software.Specific behaviors include: {list of observed behaviors},Execution,High,Linux,Azure Defender
Fileless Attack Toolkit Detected(VM_FilelessAttackToolkit.Linux),"The memory of the process specified below contains a fileless attack toolkit: {ToolKitName}. Fileless attack toolkits typically do not have a presence on the filesystem, making detection by traditional anti-virus software difficult.Specific behaviors include: {list of observed behaviors}","Defense Evasion, Execution",High,Linux,Azure Defender
Hidden file execution detected,"Analysis of host data indicates that a hidden file was executed by %{user name}. This activity could either be legitimate activity, or an indication of a compromised host.",-,Informational,Linux,Azure Defender
Indicators associated with DDOS toolkit detected [seen multiple times],"Analysis of host data on %{Compromised Host} detected file names that are part of a toolkit associated with malware capable of launching DDoS attacks, opening ports and services and taking full control over the infected system. This could also possibly be legitimate activity. This behavior was seen [x] times today on the following machines: [Machine names]",-,Medium,Linux,Azure Defender
Indicators associated with DDOS toolkit detected(VM_KnownLinuxDDoSToolkit),"Analysis of host data on %{Compromised Host} detected file names that are part of a toolkit associated with malware capable of launching DDoS attacks, opening ports and services and taking full control over the infected system. This could also possibly be legitimate activity.","Persistence, Lateral Movement, Execution, Exploitation",Medium,Linux,Azure Defender
Local host reconnaissance detected [seen multiple times],Analysis of host data on %{Compromised Host} detected the execution of a command normally associated with common Linux bot reconnaissance. This behavior was seen [x] times today on the following machines: [Machine names],-,Medium,Linux,Azure Defender
Local host reconnaissance detected(VM_LinuxReconnaissance),Analysis of host data on %{Compromised Host} detected the execution of a command normally associated with common Linux bot reconnaissance.,Discovery,Medium,Linux,Azure Defender
Manipulation of host firewall detected [seen multiple times](VM_FirewallDisabled),Analysis of host data on %{Compromised Host} detected possible manipulation of the on-host firewall. Attackers will often disable this to exfiltrate data. This behavior was seen [x] times today on the following machines: [Machine names],"Defense Evasion, Exfiltration",Medium,Linux,Azure Defender
Manipulation of host firewall detected,Analysis of host data on %{Compromised Host} detected possible manipulation of the on-host firewall. Attackers will often disable this to exfiltrate data.,-,Medium,Linux,Azure Defender
MITRE Caldera agent detected(VM_MitreCalderaTools),Machine logs indicate that the suspicious process: '%{Suspicious Process}' was running on %{Compromised Host}. This is often associated with the MITRE 54ndc47 agent which could be used maliciously to attack other machines in some way.,All,Medium,Linux,Azure Defender
New SSH key added [seen multiple times](VM_SshKeyAddition),A new SSH key was added to the authorized keys file. This behavior was seen [x] times today on the following machines: [Machine names],Persistence,Low,Linux,Azure Defender
New SSH key added,A new SSH key was added to the authorized keys file,-,Low,Linux,Azure Defender
Possible attack tool detected [seen multiple times],Machine logs indicate that the suspicious process: '%{Suspicious Process}' was running on %{Compromised Host}. This tool is often associated with malicious users attacking other machines in some way. This behavior was seen [x] times today on the following machines: [Machine names],-,Medium,Linux,Azure Defender
Possible attack tool detected(VM_KnownLinuxAttackTool),Machine logs indicate that the suspicious process: '%{Suspicious Process}' was running on %{Compromised Host}. This tool is often associated with malicious users attacking other machines in some way.,"Execution, Collection, Command and Control, Probing",Medium,Linux,Azure Defender
Possible backdoor detected [seen multiple times],Analysis of host data has detected a suspicious file being downloaded then run on %{Compromised Host} in your subscription. This activity has previously been associated with installation of a backdoor. This behavior was seen [x] times today on the following machines: [Machine names],-,Medium,Linux,Azure Defender
Possible credential access tool detected [seen multiple times],Machine logs indicate a possible known credential access tool was running on %{Compromised Host} launched by process: '%{Suspicious Process}'. This tool is often associated with attacker attempts to access credentials. This behavior was seen [x] times today on the following machines: [Machine names],-,Medium,Linux,Azure Defender
Possible credential access tool detected(VM_KnownLinuxCredentialAccessTool),Machine logs indicate a possible known credential access tool was running on %{Compromised Host} launched by process: '%{Suspicious Process}'. This tool is often associated with attacker attempts to access credentials.,Credential Access,Medium,Linux,Azure Defender
Possible exploitation of Hadoop Yarn(VM_HadoopYarnExploit),Analysis of host data on %{Compromised Host} detected the possible exploitation of the Hadoop Yarn service.,Exploitation,Medium,Linux,Azure Defender
Possible exploitation of the mailserver detected(VM_MailserverExploitation ),Analysis of host data on %{Compromised Host} detected an unusual execution under the mail server account,Exploitation,Medium,Linux,Azure Defender
Possible Log Tampering Activity Detected [seen multiple times],Analysis of host data on %{Compromised Host} detected possible removal of files that tracks user's activity during the course of its operation. Attackers often try to evade detection and leave no trace of malicious activities by deleting such log files. This behavior was seen [x] times today on the following machines: [Machine names],-,Medium,Linux,Azure Defender
Possible Log Tampering Activity Detected(VM_SystemLogRemoval),Analysis of host data on %{Compromised Host} detected possible removal of files that tracks user's activity during the course of its operation. Attackers often try to evade detection and leave no trace of malicious activities by deleting such log files.,Defense Evasion,Medium,Linux,Azure Defender
Possible loss of data detected [seen multiple times],Analysis of host data on %{Compromised Host} detected a possible data egress condition. Attackers will often egress data from machines they have compromised. This behavior was seen [x]] times today on the following machines: [Machine names],-,Medium,Linux,Azure Defender
Possible loss of data detected(VM_DataEgressArtifacts),Analysis of host data on %{Compromised Host} detected a possible data egress condition. Attackers will often egress data from machines they have compromised.,"Collection, Exfiltration",Medium,Linux,Azure Defender
Possible malicious web shell detected [seen multiple times](VM_Webshell),Analysis of host data on %{Compromised Host} detected a possible web shell. Attackers will often upload a web shell to a machine they have compromised to gain persistence or for further exploitation. This behavior was seen [x] times today on the following machines: [Machine names],"Persistence, Exploitation",Medium,Linux,Azure Defender
Possible malicious web shell detected,Analysis of host data on %{Compromised Host} detected a possible web shell. Attackers will often upload a web shell to a machine they have compromised to gain persistence or for further exploitation.,-,Medium,Linux,Azure Defender
Possible password change using crypt-method detected [seen multiple times],Analysis of host data on %{Compromised Host} detected password change using crypt method. Attackers can make this change to continue access and gaining persistence after compromise. This behavior was seen [x] times today on the following machines: [Machine names],-,Medium,Linux,Azure Defender
Potential overriding of common files [seen multiple times],Analysis of host data has detected common executables being overwritten on %{Compromised Host}. Attackers will overwrite common files as a way to obfuscate their actions or for persistence. This behavior was seen [x] times today on the following machines: [Machine names],-,Medium,Linux,Azure Defender
Potential overriding of common files(VM_OverridingCommonFiles),Analysis of host data has detected common executables being overwritten on %{Compromised Host}. Attackers will overwrite common files as a way to obfuscate their actions or for persistence.,Persistence,Medium,Linux,Azure Defender
Potential port forwarding to external IP address [seen multiple times],Analysis of host data on %{Compromised Host} detected the initiation of port forwarding to an external IP address. This behavior was seen [x] times today on the following machines: [Machine names],-,Medium,Linux,Azure Defender
Potential port forwarding to external IP address(VM_SuspectPortForwarding),Host data analysis detected the initiation of port forwarding to an external IP address.,"Exfiltration, Command and Control",Medium,Linux,Azure Defender
Potential reverse shell detected [seen multiple times],Analysis of host data on %{Compromised Host} detected a potential reverse shell. These are used to get a compromised machine to call back into a machine an attacker owns. This behavior was seen [x] times today on the following machines: [Machine names],-,Medium,Linux,Azure Defender
Potential reverse shell detected(VM_ReverseShell),Analysis of host data on %{Compromised Host} detected a potential reverse shell. These are used to get a compromised machine to call back into a machine an attacker owns.,"Exfiltration, Exploitation",Medium,Linux,Azure Defender
Privileged command run in container,Machine logs indicate that a privileged command was run in a Docker container. A privileged command has extended privileges on the host machine.,-,Low,Linux,Azure Defender
Privileged Container Detected,"Machine logs indicate that a privileged Docker container is running. A privileged container has a full access to the host's resources. If compromised, an attacker can use the privileged container to gain access to the host machine.",-,Low,Linux,Azure Defender
Process associated with digital currency mining detected [seen multiple times],Analysis of host data on %{Compromised Host} detected the execution of a process normally associated with digital currency mining. This behavior was seen over 100 times today on the following machines: [Machine name],-,Medium,Linux,Azure Defender
Process associated with digital currency mining detected,Host data analysis detected the execution of a process that is normally associated with digital currency mining.,"Exploitation, Execution",Medium,Linux,Azure Defender
Process seen accessing the SSH authorized keys file in an unusual way(VM_SshKeyAccess),An SSH authorized keys file has been accessed in a method similar to known malware campaigns. This access can indicate that an attacker is attempting to gain persistent access to a machine.,-,Low,Linux,Azure Defender
Python encoded downloader detected [seen multiple times],Analysis of host data on %{Compromised Host} detected the execution of encoded Python that downloads and runs code from a remote location. This may be an indication of malicious activity. This behavior was seen [x] times today on the following machines: [Machine names],-,Low,Linux,Azure Defender
Screenshot taken on host [seen multiple times],Analysis of host data on %{Compromised Host} detected the user of a screen capture tool. Attackers may use these tools to access private data. This behavior was seen [x] times today on the following machines: [Machine names],-,Low,Linux,Azure Defender
Script extension mismatch detected [seen multiple times],Analysis of host data on %{Compromised Host} detected a mismatch between the script interpreter and the extension of the script file provided as input. This has frequently been associated with attacker script executions. This behavior was seen [x] times today on the following machines: [Machine names],-,Medium,Linux,Azure Defender
Script extension mismatch detected(VM_MismatchedScriptFeatures),Analysis of host data on %{Compromised Host} detected a mismatch between the script interpreter and the extension of the script file provided as input. This has frequently been associated with attacker script executions.,Defense Evasion,Medium,Linux,Azure Defender
Shellcode detected [seen multiple times],"Analysis of host data on %{Compromised Host} detected shellcode being generated from the command line. This process could be legitimate activity, or an indication that one of your machines has been compromised. This behavior was seen [x] times today on the following machines: [Machine names]",-,Medium,Linux,Azure Defender
SSH server is running inside a container(VM_ContainerSSH),"Machine logs indicate that an SSH server is running inside a Docker container. While this behavior can be intentional, it frequently indicates that a container is misconfigured or breached.",Execution,Medium,Linux,Azure Defender
Successful SSH brute force attack(VM_SshBruteForceSuccess),Analysis of host data has detected a successful brute force attack. The IP %{Attacker source IP} was seen making multiple login attempts. Successful logins were made from that IP with the following user(s): %{Accounts used to successfully sign in to host}. This means that the host may be compromised and controlled by a malicious actor.,Exploitation,High,Linux,Azure Defender
Suspicious Account Creation Detected,"Analysis of host data on %{Compromised Host} detected creation or use of a local account %{Suspicious account name} : this account name closely resembles a standard Windows account or group name '%{Similar To Account Name}'. This is potentially a rogue account created by an attacker, so named in order to avoid being noticed by a human administrator.",-,Medium,Linux,Azure Defender
Suspicious compilation detected [seen multiple times],Analysis of host data on %{Compromised Host} detected suspicious compilation. Attackers will often compile exploits on a machine they have compromised to escalate privileges. This behavior was seen [x] times today on the following machines: [Machine names],-,Medium,Linux,Azure Defender
Suspicious compilation detected(VM_SuspectCompilation),Analysis of host data on %{Compromised Host} detected suspicious compilation. Attackers will often compile exploits on a machine they have compromised to escalate privileges.,"Privilege Escalation, Exploitation",Medium,Linux,Azure Defender
Suspicious failed execution of custom script extension in your virtual machine(ARM_CustomScriptExtensionSuspiciousFailure),Suspicious failure of a custom script extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.Such failures may be associated with malicious scripts run by this extension.,Execution,Medium,Linux,Azure Defender
Suspicious kernel module detected [seen multiple times],"Analysis of host data on %{Compromised Host} detected a shared object file being loaded as a kernel module. This could be legitimate activity, or an indication that one of your machines has been compromised. This behavior was seen [x] times today on the following machines: [Machine names]",-,Medium,Linux,Azure Defender
Suspicious password access [seen multiple times],Analysis of host data has detected suspicious access to encrypted user passwords on %{Compromised Host}. This behavior was seen [x] times today on the following machines: [Machine names],-,Informational,Linux,Azure Defender
Suspicious password access,Analysis of host data has detected suspicious access to encrypted user passwords on %{Compromised Host}.,-,Informational,Linux,Azure Defender
Suspicious PHP execution detected(VM_SuspectPhp),"Machine logs indicate that a suspicious PHP process is running. The action included an attempt to run OS commands or PHP code from the command line using the PHP process. While this behavior can be legitimate, in web applications this behavior is also observed in malicious activities such as attempts to infect websites with web shells.",Execution,Medium,Linux,Azure Defender
Suspicious request to Kubernetes API(VM_KubernetesAPI),"Machine logs indicate that a suspicious request was made to the Kubernetes API. The request was sent from a Kubernetes node, possibly from one of the containers running in the node. Although this behavior can be intentional, it might indicate that the node is running a compromised container.",Execution,Medium,Linux,Azure Defender
Unusual config reset in your virtual machine(ARM_VMAccessUnusualConfigReset),"An unusual config reset was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.While this action may be legitimate, attackers can try utilizing VM Access extension to reset the configuration in your virtual machine and compromise it.",Credential Access,Medium,Linux,Azure Defender
Unusual deletion of custom script extension in your virtual machine(ARM_CustomScriptExtensionUnusualDeletion),Unusual deletion of a custom script extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.Attackers may use custom script extensions to execute malicious code on your virtual machines via the Azure Resource Manager.,Execution,Medium,Linux,Azure Defender
Unusual execution of custom script extension in your virtual machine(ARM_CustomScriptExtensionUnusualExecution),Unusual execution of a custom script extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.Attackers may use custom script extensions to execute malicious code on your virtual machines via the Azure Resource Manager.,Execution,Medium,Linux,Azure Defender
Unusual user password reset in your virtual machine(ARM_VMAccessUnusualPasswordReset),"An unusual user password reset was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.While this action may be legitimate, attackers can try utilizing the VM Access extension to reset the credentials of a local user in your virtual machine and compromise it.",Credential Access,Medium,Linux,Azure Defender
Unusual user SSH key reset in your virtual machine(ARM_VMAccessUnusualSSHReset),"An unusual user SSH key reset was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.While this action may be legitimate, attackers can try utilizing VM Access extension to reset SSH key of a user account in your virtual machine and compromise it.",Credential Access,Medium,Linux,Azure Defender
An attempt to run Linux commands on a Windows App Service(AppServices_LinuxCommandOnWindows),Analysis of App Service processes detected an attempt to run a Linux command on a Windows App Service. This action was running by the web application. This behavior is often seen during campaigns that exploit a vulnerability in a common web application.(Applies to: App Service on Windows),-,Medium,Azure App Service,Azure Defender
An IP that connected to your Azure App Service FTP Interface was found in Threat Intelligence(AppServices_IncomingTiClientIpFtp),"Azure App Service FTP log indicates a connection from a source address that was found in the threat intelligence feed. During this connection, a user accessed the pages listed.(Applies to: App Service on Windows and App Service on Linux)",Initial Access,Medium,Azure App Service,Azure Defender
Attempt to run high privilege command detected(AppServices_HighPrivilegeCommand),"Analysis of App Service processes detected an attempt to run a command that requires high privileges.The command ran in the web application context. While this behavior can be legitimate, in web applications this behavior is also observed in malicious activities.(Applies to: App Service on Windows)",-,Medium,Azure App Service,Azure Defender
Azure Security Center test alert for App Service (not a threat)(AppServices_EICAR),This is a test alert generated by Azure Security Center. No further action is needed.(Applies to: App Service on Windows and App Service on Linux),-,High,Azure App Service,Azure Defender
Connection to web page from anomalous IP address detected(AppServices_AnomalousPageAccess),"Azure App Service activity log indicates an anomalous connection to a sensitive web page from the listed source IP address. This might indicate that someone is attempting a brute force attack into your web app administration pages. It might also be the result of a new IP address being used by a legitimate user. If the source IP address is trusted, you can safely suppress this alert for this resource. To learn how to suppress Azure Defender alerts, see Suppress alerts from Azure Defender. (Applies to: App Service on Windows and App Service on Linux)",Initial Access,Medium,Azure App Service,Azure Defender
Dangling DNS record for an App Service resource detected(AppServices_DanglingDomain),"A DNS record that points to a recently deleted App Service resource (also known as ""dangling DNS"" entry) has been detected. This leaves you susceptible to a subdomain takeover. Subdomain takeovers enable malicious actors to redirect traffic intended for an organization’s domain to a site performing malicious activity.(Applies to: App Service on Windows and App Service on Linux)",-,High,Azure App Service,Azure Defender
Detected encoded executable in command line data(AppServices_Base64EncodedExecutableInCommandLineParams),"Analysis of host data on {Compromised host} detected a base-64 encoded executable. This has previously been associated with attackers attempting to construct executables on-the-fly through a sequence of commands, and attempting to evade intrusion detection systems by ensuring that no individual command would trigger an alert. This could be legitimate activity, or an indication of a compromised host.(Applies to: App Service on Windows)","Defense Evasion, Execution",High,Azure App Service,Azure Defender
Detected file download from a known malicious source(AppServices_SuspectDownload),Analysis of host data has detected the download of a file from a known malware source on your host.(Applies to: App Service on Linux),"Privilege Escalation, Execution, Exfiltration, Command and Control",Medium,Azure App Service,Azure Defender
Digital currency mining related behavior detected(AppServices_DigitalCurrencyMining),Analysis of host data on Inn-Flow-WebJobs detected the execution of a process or command normally associated with digital currency mining.(Applies to: App Service on Windows and App Service on Linux),Execution,High,Azure App Service,Azure Defender
Executable decoded using certutil(AppServices_ExecutableDecodedUsingCertutil),"Analysis of host data on [Compromised entity] detected that certutil.exe, a built-in administrator utility, was being used to decode an executable instead of its mainstream purpose that relates to manipulating certificates and certificate data. Attackers are known to abuse functionality of legitimate administrator tools to perform malicious actions, for example using a tool such as certutil.exe to decode a malicious executable that will then be subsequently executed.(Applies to: App Service on Windows)","Defense Evasion, Execution",High,Azure App Service,Azure Defender
Fileless Attack Behavior Detected(AppServices_FilelessAttackBehaviorDetection),The memory of the process specified below contains behaviors commonly used by fileless attacks.Specific behaviors include: {list of observed behaviors}(Applies to: App Service on Windows and App Service on Linux),Execution,Medium,Azure App Service,Azure Defender
Fileless Attack Technique Detected(AppServices_FilelessAttackTechniqueDetection),The memory of the process specified below contains evidence of a fileless attack technique. Fileless attacks are used by attackers to execute code while evading detection by security software.Specific behaviors include: {list of observed behaviors}(Applies to: App Service on Windows and App Service on Linux),Execution,High,Azure App Service,Azure Defender
Fileless Attack Toolkit Detected(AppServices_FilelessAttackToolkitDetection),"The memory of the process specified below contains a fileless attack toolkit: {ToolKitName}. Fileless attack toolkits typically do not have a presence on the filesystem, making detection by traditional anti-virus software difficult.Specific behaviors include: {list of observed behaviors}(Applies to: App Service on Windows and App Service on Linux)","Defense Evasion, Execution",High,Azure App Service,Azure Defender
NMap scanning detected(AppServices_Nmap),Azure App Service activity log indicates a possible web fingerprinting activity on your App Service resource.The suspicious activity detected is associated with NMAP. Attackers often use this tool for probing the web application to find vulnerabilities.(Applies to: App Service on Windows and App Service on Linux),PreAttack,Medium,Azure App Service,Azure Defender
Phishing content hosted on Azure Webapps(AppServices_PhishingContent),URL used for phishing attack found on the Azure AppServices website. This URL was part of a phishing attack sent to Microsoft 365 customers. The content typically lures visitors into entering their corporate credentials or financial information into a legitimate looking website.(Applies to: App Service on Windows and App Service on Linux),Collection,High,Azure App Service,Azure Defender
PHP file in upload folder(AppServices_PhpInUploadFolder),Azure App Service activity log indicates an access to a suspicious PHP page located in the upload folder.This type of folder does not usually contain PHP files. The existence of this type of file might indicate an exploitation taking advantage of arbitrary file upload vulnerabilities.(Applies to: App Service on Windows and App Service on Linux),Execution,Medium,Azure App Service,Azure Defender
Possible Cryptocoinminer download detected(AppServices_CryptoCoinMinerDownload),Analysis of host data has detected the download of a file normally associated with digital currency mining.(Applies to: App Service on Linux),"Defense Evasion, Command and Control, Exploitation",Medium,Azure App Service,Azure Defender
Potential dangling DNS record for an App Service resource detected(AppServices_PotentialDanglingDomain),"A DNS record that points to a recently deleted App Service resource (also known as ""dangling DNS"" entry) has been detected. This might leave you susceptible to a subdomain takeover. Subdomain takeovers enable malicious actors to redirect traffic intended for an organization’s domain to a site performing malicious activity. In this case, a text record with the Domain Verification ID was found. Such text records prevent subdomain takeover but we still recommend removing the dangling domain. If you leave the DNS record pointing at the subdomain you’re at risk if anyone in your organization deletes the TXT file or record in the future.(Applies to: App Service on Windows and App Service on Linux)",-,Low,Azure App Service,Azure Defender
Potential reverse shell detected(AppServices_ReverseShell),Analysis of host data detected a potential reverse shell. These are used to get a compromised machine to call back into a machine an attacker owns.(Applies to: App Service on Linux),"Exfiltration, Exploitation",Medium,Azure App Service,Azure Defender
Raw data download detected(AppServices_DownloadCodeFromWebsite),Analysis of App Service processes detected an attempt to download code from raw-data websites such as Pastebin. This action was run by a PHP process. This behavior is associated with attempts to download web shells or other malicious components to the App Service.(Applies to: App Service on Windows),Execution,Medium,Azure App Service,Azure Defender
Saving curl output to disk detected(AppServices_CurlToDisk),"Analysis of App Service processes detected the running of a curl command in which the output was saved to the disk. While this behavior can be legitimate, in web applications this behavior is also observed in malicious activities such as attempts to infect websites with web shells.(Applies to: App Service on Windows)",-,Low,Azure App Service,Azure Defender
Spam folder referrer detected(AppServices_SpamReferrer),Azure App Service activity log indicates web activity that was identified as originating from a web site associated with spam activity. This can occur if your website is compromised and used for spam activity.(Applies to: App Service on Windows and App Service on Linux),-,Low,Azure App Service,Azure Defender
Suspicious access to possibly vulnerable web page detected(AppServices_ScanSensitivePage),Azure App Service activity log indicates a web page that seems to be sensitive was accessed. This suspicious activity originated from a source IP address whose access pattern resembles that of a web scanner.This activity is often associated with an attempt by an attacker to scan your network to try and gain access to sensitive or vulnerable web pages.(Applies to: App Service on Windows and App Service on Linux),-,Low,Azure App Service,Azure Defender
Suspicious domain name reference(AppServices_CommandlineSuspectDomain),"Analysis of host data detected reference to suspicious domain name. Such activity, while possibly legitimate user behavior, is frequently an indication of the download or execution of malicious software. Typical related attacker activity is likely to include the download and execution of further malicious software or remote administration tools.(Applies to: App Service on Linux)",Exfiltration,Low,Azure App Service,Azure Defender
Suspicious download using Certutil detected(AppServices_DownloadUsingCertutil),"Analysis of host data on {NAME} detected the use of certutil.exe, a built-in administrator utility, for the download of a binary instead of its mainstream purpose that relates to manipulating certificates and certificate data. Attackers are known to abuse functionality of legitimate administrator tools to perform malicious actions, for example using certutil.exe to download and decode a malicious executable that will then be subsequently executed.(Applies to: App Service on Windows)",Execution,Medium,Azure App Service,Azure Defender
Suspicious PHP execution detected(AppServices_SuspectPhp),"Machine logs indicate that a suspicious PHP process is running. The action included an attempt to run operating system commands or PHP code from the command line, by using the PHP process. While this behavior can be legitimate, in web applications this behavior might indicate malicious activities, such as attempts to infect websites with web shells.(Applies to: App Service on Windows and App Service on Linux)",Execution,Medium,Azure App Service,Azure Defender
Suspicious PowerShell cmdlets executed(AppServices_PowerShellPowerSploitScriptExecution),Analysis of host data indicates execution of known malicious PowerShell PowerSploit cmdlets.(Applies to: App Service on Windows),Execution,Medium,Azure App Service,Azure Defender
Suspicious process executed(AppServices_KnownCredential AccessTools),"Machine logs indicate that the suspicious process: '%{process path}' was running on the machine, often associated with attacker attempts to access credentials.(Applies to: App Service on Windows)",Credential Access,High,Azure App Service,Azure Defender
Suspicious process name detected(AppServices_ProcessWithKnownSuspiciousExtension),"Analysis of host data on {NAME} detected a process whose name is suspicious, for example corresponding to a known attacker tool or named in a way that is suggestive of attacker tools that try to hide in plain sight. This process could be legitimate activity, or an indication that one of your machines has been compromised.(Applies to: App Service on Windows)","Persistence, Defense Evasion",Medium,Azure App Service,Azure Defender
Suspicious SVCHOST process executed(AppServices_SVCHostFromInvalidPath),The system process SVCHOST was observed running in an abnormal context. Malware often use SVCHOST to mask its malicious activity.(Applies to: App Service on Windows),"Defense Evasion, Execution",High,Azure App Service,Azure Defender
Suspicious User Agent detected(AppServices_UserAgentInjection),Azure App Service activity log indicates requests with suspicious user agent. This behavior can indicate on attempts to exploit a vulnerability in your App Service application.(Applies to: App Service on Windows and App Service on Linux),Initial Access,Medium,Azure App Service,Azure Defender
Suspicious WordPress theme invocation detected(AppServices_WpThemeInjection),"Azure App Service activity log indicates a possible code injection activity on your App Service resource.The suspicious activity detected resembles that of a manipulation of WordPress theme to support server side execution of code, followed by a direct web request to invoke the manipulated theme file.This type of activity was seen in the past as part of an attack campaign over WordPress.If your App Service resource isn’t hosting a WordPress site, it isn’t vulnerable to this specific code injection exploit and you can safely suppress this alert for the resource. To learn how to suppress Azure Defender alerts, see Suppress alerts from Azure Defender.(Applies to: App Service on Windows and App Service on Linux)",Execution,High,Azure App Service,Azure Defender
Vulnerability scanner detected(AppServices_DrupalScanner),"Azure App Service activity log indicates that a possible vulnerability scanner was used on your App Service resource.The suspicious activity detected resembles that of tools targeting a content management system (CMS).If your App Service resource isn’t hosting a Drupal site, it isn’t vulnerable to this specific code injection exploit and you can safely suppress this alert for the resource. To learn how to suppress Azure Defender alerts, see Suppress alerts from Azure Defender.(Applies to: App Service on Windows)",PreAttack,Medium,Azure App Service,Azure Defender
Vulnerability scanner detected(AppServices_JoomlaScanner),"Azure App Service activity log indicates that a possible vulnerability scanner was used on your App Service resource.The suspicious activity detected resembles that of tools targeting Joomla applications.If your App Service resource isn’t hosting a Joomla site, it isn’t vulnerable to this specific code injection exploit and you can safely suppress this alert for the resource. To learn how to suppress Azure Defender alerts, see Suppress alerts from Azure Defender.(Applies to: App Service on Windows and App Service on Linux)",PreAttack,Medium,Azure App Service,Azure Defender
Vulnerability scanner detected(AppServices_WpScanner),"Azure App Service activity log indicates that a possible vulnerability scanner was used on your App Service resource.The suspicious activity detected resembles that of tools targeting WordPress applications.If your App Service resource isn’t hosting a WordPress site, it isn’t vulnerable to this specific code injection exploit and you can safely suppress this alert for the resource. To learn how to suppress Azure Defender alerts, see Suppress alerts from Azure Defender.(Applies to: App Service on Windows and App Service on Linux)",PreAttack,Medium,Azure App Service,Azure Defender
Web fingerprinting detected(AppServices_WebFingerprinting),Azure App Service activity log indicates a possible web fingerprinting activity on your App Service resource.The suspicious activity detected is associated with a tool called Blind Elephant. The tool fingerprint web servers and tries to detect the installed applications and version.Attackers often use this tool for probing the web application to find vulnerabilities.(Applies to: App Service on Windows and App Service on Linux),PreAttack,Medium,Azure App Service,Azure Defender
Website is tagged as malicious in threat intelligence feed(AppServices_SmartScreen),"Your website as described below is marked as a malicious site by Windows SmartScreen. If you think this is a false positive, contact Windows SmartScreen via report feedback link provided.(Applies to: App Service on Windows and App Service on Linux)",Collection,Medium,Azure App Service,Azure Defender
Possible loss of data detected(AppServices_DataEgressArtifacts),Analysis of host/device data detected a possible data egress condition. Attackers will often egress data from machines they have compromised.(Applies to: App Service on Linux),"Collection, Exfiltration",Medium,Azure App Service,Azure Defender
Detected suspicious file download(AppServices_SuspectDownloadArtifacts),Analysis of host data has detected suspicious download of remote file.(Applies to: App Service on Linux),Persistence,Medium,Azure App Service,Azure Defender
K8S API requests from proxy IP address detected(K8S_TI_Proxy),"Kubernetes audit log analysis detected API requests to your cluster from an IP address that is associated with proxy services, such as TOR. While this behavior can be legitimate, it's often seen in malicious activities, when attackers try to hide their source IP.",Execution,Low,Azure Kubernetes Service clusters,Azure Defender
Container with a sensitive volume mount detected(K8S_SensitiveMount),"Kubernetes audit log analysis detected a new container with a sensitive volume mount. The volume that was detected is a hostPath type which mounts a sensitive file or folder from the node to the container. If the container gets compromised, the attacker can use this mount for gaining access to the node.",Privilege Escalation,Medium,Azure Kubernetes Service clusters,Azure Defender
CoreDNS modification in Kubernetes detected(K8S_CoreDnsModification),"Kubernetes audit log analysis detected a modification of the CoreDNS configuration. The configuration of CoreDNS can be modified by overriding its configmap. While this activity can be legitimate, if attackers have permissions to modify the configmap, they can change the behavior of the cluster’s DNS server and poison it.",Lateral Movement,Low,Azure Kubernetes Service clusters,Azure Defender
Creation of admission webhook configuration detected(K8S_AdmissionController),"Kubernetes audit log analysis detected a new admission webhook configuration. Kubernetes has two built-in generic admission controllers: MutatingAdmissionWebhook and ValidatingAdmissionWebhook. The behavior of these admission controllers is determined by an admission webhook that the user deploys to the cluster. The usage of such admission controllers can be legitimate, however attackers can use such webhooks for modifying the requests (in case of MutatingAdmissionWebhook) or inspecting the requests and gain sensitive information (in case of ValidatingAdmissionWebhook).","Credential Access, Persistence",Low,Azure Kubernetes Service clusters,Azure Defender
Digital currency mining container detected(K8S_MaliciousContainerImage),Kubernetes audit log analysis detected a container that has an image associated with a digital currency mining tool.,Execution,High,Azure Kubernetes Service clusters,Azure Defender
Exposed Kubeflow dashboard detected(K8S_ExposedKubeflow),"The Kubernetes audit log analysis detected exposure of the Istio Ingress by a load balancer in a cluster that runs Kubeflow. This action might expose the Kubeflow dashboard to the internet. If the dashboard is exposed to the internet, attackers can access it and run malicious containers or code on the cluster. Find more details in the following article: https://www.microsoft.com/security/blog/2020/06/10/misconfigured-kubeflow-workloads-are-a-security-risk",Initial Access,Medium,Azure Kubernetes Service clusters,Azure Defender
Exposed Kubernetes dashboard detected(K8S_ExposedDashboard),Kubernetes audit log analysis detected exposure of the Kubernetes Dashboard by a LoadBalancer service. Exposed dashboard allows an unauthenticated access to the cluster management and poses a security threat.,Initial Access,High,Azure Kubernetes Service clusters,Azure Defender
Exposed Kubernetes service detected(K8S_ExposedService),"The Kubernetes audit log analysis detected exposure of a service by a load balancer. This service is related to a sensitive application that allows high impact operations in the cluster such as running processes on the node or creating new containers. In some cases, this service doesn't require authentication. If the service doesn't require authentication, exposing it to the internet poses a security risk.",Initial Access,Medium,Azure Kubernetes Service clusters,Azure Defender
Exposed Redis service in AKS detected(K8S_ExposedRedis),"The Kubernetes audit log analysis detected exposure of a Redis service by a load balancer. If the service doesn't require authentication, exposing it to the internet poses a security risk.",Initial Access,Low,Azure Kubernetes Service clusters,Azure Defender
Kubernetes events deleted(K8S_DeleteEvents),Security Center detected that some Kubernetes events have been deleted. Kubernetes events are objects in Kubernetes which contain information about changes in the cluster. Attackers might delete those events for hiding their operations in the cluster.,Defense Evasion,Medium,Azure Kubernetes Service clusters,Azure Defender
Kubernetes penetration testing tool detected(K8S_PenTestToolsKubeHunter),"Kubernetes audit log analysis detected usage of Kubernetes penetration testing tool in the AKS cluster. While this behavior can be legitimate, attackers might use such public tools for malicious purposes.",Execution,Low,Azure Kubernetes Service clusters,Azure Defender
New container in the kube-system namespace detected(K8S_KubeSystemContainer),Kubernetes audit log analysis detected a new container in the kube-system namespace that isn’t among the containers that normally run in this namespace. The kube-system namespaces should not contain user resources. Attackers can use this namespace for hiding malicious components.,Persistence,Low,Azure Kubernetes Service clusters,Azure Defender
New high privileges role detected(K8S_HighPrivilegesRole),Kubernetes audit log analysis detected a new role with high privileges. A binding to a role with high privileges gives the user\group high privileges in the cluster. Unnecessary privileges might cause privilege escalation in the cluster.,Persistence,Low,Azure Kubernetes Service clusters,Azure Defender
Privileged container detected(K8S_PrivilegedContainer),"Kubernetes audit log analysis detected a new privileged container. A privileged container has access to the node’s resources and breaks the isolation between containers. If compromised, an attacker can use the privileged container to gain access to the node.",Privilege Escalation,Low,Azure Kubernetes Service clusters,Azure Defender
Role binding to the cluster-admin role detected(K8S_ClusterAdminBinding),Kubernetes audit log analysis detected a new binding to the cluster-admin role which gives administrator privileges. Unnecessary administrator privileges might cause privilege escalation in the cluster.,Persistence,Low,Azure Kubernetes Service clusters,Azure Defender
Container with a miner image detected(VM_MinerInContainerImage),Machine logs indicate execution of a Docker container that run an image associated with a digital currency mining.,Execution,High,Containers- Host Level,Azure Defender
Docker build operation detected on a Kubernetes node(VM_ImageBuildOnNode),"Machine logs indicate a build operation of a container image on a Kubernetes node. While this behavior might be legitimate, attackers might build their malicious images locally to avoid detection.",Defense Evasion,Low,Containers- Host Level,Azure Defender
Exposed Docker daemon detected(VM_ExposedDocker),"Machine logs indicate that your Docker daemon (dockerd) exposes a TCP socket. By default, Docker configuration, does not use encryption or authentication when a TCP socket is enabled. This enables full access to the Docker daemon, by anyone with access to the relevant port.","Execution, Exploitation",Medium,Containers- Host Level,Azure Defender
Privileged command run in container(VM_PrivilegedExecutionInContainer),Machine logs indicate that a privileged command was run in a Docker container. A privileged command has extended privileges on the host machine.,Privilege Escalation,Low,Containers- Host Level,Azure Defender
Privileged Container Detected(VM_PrivilegedContainerArtifacts),"Machine logs indicate that a privileged Docker container is running. A privileged container has a full access to the host's resources. If compromised, an attacker can use the privileged container to gain access to the host machine.","Privilege Escalation, Execution",Low,Containers- Host Level,Azure Defender
SSH server is running inside a container(VM_ContainerSSH),"Machine logs indicate that an SSH server is running inside a Docker container. While this behavior can be intentional, it frequently indicates that a container is misconfigured or breached.",Execution,Medium,Containers- Host Level,Azure Defender
Suspicious request to Kubernetes API(VM_KubernetesAPI),"Machine logs indicate that a suspicious request was made to the Kubernetes API. The request was sent from a Kubernetes node, possibly from one of the containers running in the node. Although this behavior can be intentional, it might indicate that the node is running a compromised container.",Execution,Medium,Containers- Host Level,Azure Defender
Suspicious request to the Kubernetes Dashboard(VM_KubernetesDashboard),"Machine logs indicate that a suspicious request was made to the Kubernetes Dashboard. The request was sent from a Kubernetes node, possibly from one of the containers running in the node. Although this behavior can be intentional, it might indicate that the node is running a compromised container.",Lateral movement,Medium,Containers- Host Level,Azure Defender
A possible vulnerability to SQL Injection(SQL.VM_VulnerabilityToSqlInjectionSQL.DB_VulnerabilityToSqlInjectionSQL.MI_VulnerabilityToSqlInjectionSQL.DW_VulnerabilityToSqlInjection),"An application has generated a faulty SQL statement in the database. This can indicate a possible vulnerability to SQL injection attacks. There are two possible reasons for a faulty statement. A defect in application code might have constructed the faulty SQL statement. Or, application code or stored procedures didn't sanitize user input when constructing the faulty SQL statement, which can be exploited for SQL injection.",PreAttack,Medium,SQL Database and Synapse Analytics,Azure Defender
Attempted logon by a potentially harmful application(SQL.DB_HarmfulApplicationSQL.VM_HarmfulApplicationSQL.MI_HarmfulApplicationSQL.DW_HarmfulApplication),A potentially harmful application attempted to access SQL server '{name}'.,PreAttack,High,SQL Database and Synapse Analytics,Azure Defender
Log on from an unusual Azure Data Center(SQL.DB_DataCenterAnomalySQL.VM_DataCenterAnomalySQL.DW_DataCenterAnomalySQL.MI_DataCenterAnomaly),"There has been a change in the access pattern to an SQL Server, where someone has signed in to the server from an unusual Azure Data Center. In some cases, the alert detects a legitimate action (a new application or Azure service). In other cases, the alert detects a malicious action (attacker operating from breached resource in Azure).",Probing,Low,SQL Database and Synapse Analytics,Azure Defender
Log on from an unusual location(SQL.DB_GeoAnomalySQL.VM_GeoAnomalySQL.DW_GeoAnomalySQL.MI_GeoAnomaly),"There has been a change in the access pattern to SQL Server, where someone has signed in to the server from an unusual geographical location. In some cases, the alert detects a legitimate action (a new application or developer maintenance). In other cases, the alert detects a malicious action (a former employee or external attacker).",Exploitation,Medium,SQL Database and Synapse Analytics,Azure Defender
Login from a principal user not seen in 60 days(SQL.DB_PrincipalAnomalySQL.VM_PrincipalAnomalySQL.DW_PrincipalAnomalySQL.MI_PrincipalAnomaly),"A principal user not seen in the last 60 days has logged into your database. If this database is new or this is expected behavior caused by recent changes in the users accessing the database, Security Center will identify significant changes to the access patterns and attempt to prevent future false positives.",Exploitation,Medium,SQL Database and Synapse Analytics,Azure Defender
Login from a suspicious IP(SQL.VM_SuspiciousIpAnomaly),Your resource has been accessed successfully from an IP address that Microsoft Threat Intelligence has associated with suspicious activity.,PreAttack,Medium,SQL Database and Synapse Analytics,Azure Defender
Potential SQL Brute Force attempt,"An abnormally high number of failed sign in attempts with different credentials have occurred. In some cases, the alert detects penetration testing in action. In other cases, the alert detects a brute force attack.",Probing,High,SQL Database and Synapse Analytics,Azure Defender
Potential SQL injection(SQL.DB_PotentialSqlInjectionSQL.VM_PotentialSqlInjectionSQL.MI_PotentialSqlInjectionSQL.DW_PotentialSqlInjectionSynapse.SQLPool_PotentialSqlInjection),An active exploit has occurred against an identified application vulnerable to SQL injection. This means an attacker is trying to inject malicious SQL statements by using the vulnerable application code or stored procedures.,PreAttack,High,SQL Database and Synapse Analytics,Azure Defender
Potentially Unsafe Action(SQL.DB_UnsafeCommandsSQL.MI_UnsafeCommandsSQL.DW_UnsafeCommands),A potentially unsafe action was attempted on your database '{name}' on server '{name}'.,-,High,SQL Database and Synapse Analytics,Azure Defender
Suspected brute force attack using a valid user,"A potential brute force attack has been detected on your resource. The attacker is using the valid user sa, which has permissions to login.",PreAttack,High,SQL Database and Synapse Analytics,Azure Defender
Suspected brute force attack,A potential brute force attack has been detected on your SQL server '{name}'.,PreAttack,High,SQL Database and Synapse Analytics,Azure Defender
Suspected successful brute force attack(SQL.DB_BruteForceSQL.VM_BruteForceSQL.DW_BruteForceSQL.MI_BruteForce),A successful login occurred after an apparent brute force attack on your resource,PreAttack,High,SQL Database and Synapse Analytics,Azure Defender
Unusual export location,Someone has extracted a massive amount of data from your SQL Server '{name}' to an unusual location.,Exfiltration,High,SQL Database and Synapse Analytics,Azure Defender
Suspected brute force attack using a valid user(SQL.PostgreSQL_BruteForceSQL.MariaDB_BruteForceSQL.MySQL_BruteForce),"A potential brute force attack has been detected on your resource. The attacker is using the valid user (username), which has permissions to login.",PreAttack,High,Open source relational Databases,Azure Defender
Suspected successful brute force attack(SQL.PostgreSQL_BruteForceSQL.MySQL_BruteForceSQL.MariaDB_BruteForce),A successful login occurred after an apparent brute force attack on your resource.,PreAttack,High,Open source relational Databases,Azure Defender
"Suspected brute force attack(""SQL.MySQL_BruteForce"")",A potential brute force attack has been detected on your SQL server '{name}'.,PreAttack,High,Open source relational Databases,Azure Defender
Attempted logon by a potentially harmful application(SQL.PostgreSQL_HarmfulApplicationSQL.MariaDB_HarmfulApplicationSQL.MySQL_HarmfulApplication),A potentially harmful application attempted to access your resource.,PreAttack,High,Open source relational Databases,Azure Defender
Login from a principal user not seen in 60 days(SQL.PostgreSQL_PrincipalAnomalySQL.MariaDB_PrincipalAnomalySQL.MySQL_PrincipalAnomaly),"A principal user not seen in the last 60 days has logged into your database. If this database is new or this is expected behavior caused by recent changes in the users accessing the database, Security Center will identify significant changes to the access patterns and attempt to prevent future false positives.",Exploitation,Medium,Open source relational Databases,Azure Defender
Login from a domain not seen in 60 days(SQL.MariaDB_DomainAnomalySQL.PostgreSQL_DomainAnomalySQL.MySQL_DomainAnomaly),"A user has logged in to your resource from a domain no other users have connected from in the last 60 days. If this resource is new or this is expected behavior caused by recent changes in the users accessing the resource, Security Center will identify significant changes to the access patterns and attempt to prevent future false positives.",Exploitation,Medium,Open source relational Databases,Azure Defender
Log on from an unusual Azure Data Center(SQL.PostgreSQL_DataCenterAnomalySQL.MariaDB_DataCenterAnomalySQL.MySQL_DataCenterAnomaly),Someone logged on to your resource from an unusual Azure Data Center.,Probing,Low,Open source relational Databases,Azure Defender
Logon from an unusual cloud provider(SQL.PostgreSQL_CloudProviderAnomalySQL.MariaDB_CloudProviderAnomalySQL.MySQL_CloudProviderAnomaly),"Someone logged on to your resource from a cloud provider not seen in the last 60 days. It's quick and easy for threat actors to obtain disposable compute power for use in their campaigns. If this is expected behavior caused by the recent adoption of a new cloud provider, Security Center will learn over time and attempt to prevent future false positives.",Exploitation,Medium,Open source relational Databases,Azure Defender
Log on from an unusual location(SQL.MariaDB_GeoAnomalySQL.PostgreSQL_GeoAnomalySQL.MySQL_GeoAnomaly),Someone logged on to your resource from an unusual Azure Data Center.,Exploitation,Medium,Open source relational Databases,Azure Defender
Login from a suspicious IP(SQL.PostgreSQL_SuspiciousIpAnomalySQL.MariaDB_SuspiciousIpAnomalySQL.MySQL_SuspiciousIpAnomaly),Your resource has been accessed successfully from an IP address that Microsoft Threat Intelligence has associated with suspicious activity.,PreAttack,Medium,Open source relational Databases,Azure Defender
Azure Resource Manager operation from suspicious IP address (Preview)(ARM_OperationFromSuspiciousIP),Azure Defender for Resource Manager detected an operation from an IP address that has been marked as suspicious in threat intelligence feeds.,Execution,Medium,Azure Resource Manager,Azure Defender
Azure Resource Manager operation from suspicious proxy IP address (Preview)(ARM_OperationFromSuspiciousProxyIP),"Azure Defender for Resource Manager detected a resource management operation from an IP address that is associated with proxy services, such as TOR. While this behavior can be legitimate, it's often seen in malicious activities, when threat actors try to hide their source IP.",Defense Evasion,Medium,Azure Resource Manager,Azure Defender
MicroBurst exploitation toolkit used to enumerate resources in your subscriptions(ARM_MicroBurst.AzDomainInfo),"MicroBurst's Information Gathering module was run on your subscription. This tool can be used to discover resources, permissions and network structures. This was detected by analyzing the Azure Activity logs and resource management operations in your subscription",-,High,Azure Resource Manager,Azure Defender
MicroBurst exploitation toolkit used to enumerate resources in your subscriptions(ARM_MicroBurst.AzureDomainInfo),"MicroBurst's Information Gathering module was run on your subscription. This tool can be used to discover resources, permissions and network structures. This was detected by analyzing the Azure Activity logs and resource management operations in your subscription",-,High,Azure Resource Manager,Azure Defender
MicroBurst exploitation toolkit used to execute code on your virtual machine(ARM_MicroBurst.AzVMBulkCMD),MicroBurst's exploitation toolkit was used to execute code on your virtual machines. This was detected by analyzing Azure Resource Manager operations in your subscription.,Execution,High,Azure Resource Manager,Azure Defender
MicroBurst exploitation toolkit used to execute code on your virtual machine(RM_MicroBurst.AzureRmVMBulkCMD),MicroBurst's exploitation toolkit was used to execute code on your virtual machines. This was detected by analyzing Azure Resource Manager operations in your subscription.,-,High,Azure Resource Manager,Azure Defender
MicroBurst exploitation toolkit used to extract keys from your Azure key vaults(ARM_MicroBurst.AzKeyVaultKeysREST),MicroBurst's exploitation toolkit was used to extract keys from your Azure key vaults. This was detected by analyzing Azure Activity logs and resource management operations in your subscription.,-,High,Azure Resource Manager,Azure Defender
MicroBurst exploitation toolkit used to extract keys to your storage accounts(ARM_MicroBurst.AZStorageKeysREST),MicroBurst's exploitation toolkit was used to extract keys to your storage accounts. This was detected by analyzing Azure Activity logs and resource management operations in your subscription.,Collection,High,Azure Resource Manager,Azure Defender
MicroBurst exploitation toolkit used to extract secrets from your Azure key vaults(ARM_MicroBurst.AzKeyVaultSecretsREST),MicroBurst's exploitation toolkit was used to extract secrets from your Azure key vaults. This was detected by analyzing Azure Activity logs and resource management operations in your subscription.,-,High,Azure Resource Manager,Azure Defender
Permissions granted for an RBAC role in an unusual way for your Azure environment (Preview)(ARM_AnomalousRBACRoleAssignment),"Azure Defender for Resource Manager detected an RBAC role assignment that's unusual when compared with other assignments performed by the same assigner / performed for the same assignee / in your tenant due to the following anomalies: assignment time, assigner location, assigner, authentication method, assigned entities, client software used, assignment extent. This operation might have been performed by a legitimate user in your organization. Alternatively, it might indicate that an account in your organization was breached, and that the threat actor is trying to grant permissions to an additional user account they own.","Lateral Movement, Defense Evasion",Medium,Azure Resource Manager,Azure Defender
PowerZure exploitation toolkit used to elevate access from Azure AD to Azure(ARM_PowerZure.AzureElevatedPrivileges),PowerZure exploitation toolkit was used to elevate access from AzureAD to Azure. This was detected by analyzing Azure Resource Manager operations in your tenant.,-,High,Azure Resource Manager,Azure Defender
PowerZure exploitation toolkit used to enumerate resources(ARM_PowerZure.GetAzureTargets),PowerZure exploitation toolkit was used to enumerate resources on behalf of a legitimate user account in your organization. This was detected by analyzing Azure Resource Manager operations in your subscription.,Collection,High,Azure Resource Manager,Azure Defender
"PowerZure exploitation toolkit used to enumerate storage containers, shares, and tables(ARM_PowerZure.ShowStorageContent)","PowerZure exploitation toolkit was used to enumerate storage shares, tables, and containers. This was detected by analyzing Azure Resource Manager operations in your subscription.",-,High,Azure Resource Manager,Azure Defender
PowerZure exploitation toolkit used to execute a Runbook in your subscription(ARM_PowerZure.StartRunbook),PowerZure exploitation toolkit was used to execute a Runbook. This was detected by analyzing Azure Resource Manager operations in your subscription.,-,High,Azure Resource Manager,Azure Defender
PowerZure exploitation toolkit used to extract Runbooks content(ARM_PowerZure.AzureRunbookContent),PowerZure exploitation toolkit was used to extract Runbook content. This was detected by analyzing Azure Resource Manager operations in your subscription.,Collection,High,Azure Resource Manager,Azure Defender
PREVIEW - Activity from a risky IP address(ARM.MCAS_ActivityFromAnonymousIPAddresses),"Users activity from an IP address that has been identified as an anonymous proxy IP address has been detected.These proxies are used by people who want to hide their device's IP address, and can be used for malicious intent. This detection uses a machine learning algorithm that reduces false positives, such as mis-tagged IP addresses that are widely used by users in the organization.Requires an active Microsoft Cloud App Security license.",-,Medium,Azure Resource Manager,Azure Defender
PREVIEW - Activity from infrequent country(ARM.MCAS_ActivityFromInfrequentCountry),Activity from a location that wasn't recently or ever visited by any user in the organization has occurred.This detection considers past activity locations to determine new and infrequent locations. The anomaly detection engine stores information about previous locations used by users in the organization.Requires an active Microsoft Cloud App Security license.,-,Medium,Azure Resource Manager,Azure Defender
PREVIEW - Azurite toolkit run detected(ARM_Azurite),A known cloud-environment reconnaissance toolkit run has been detected in your environment. The tool Azurite can be used by an attacker (or penetration tester) to map your subscriptions' resources and identify insecure configurations.,Collection,High,Azure Resource Manager,Azure Defender
PREVIEW - Impossible travel activity(ARM.MCAS_ImpossibleTravelActivity),"Two user activities (in a single or multiple sessions) have occurred, originating from geographically distant locations. This occurs within a time period shorter than the time it would have taken the user to travel from the first location to the second. This indicates that a different user is using the same credentials.This detection uses a machine learning algorithm that ignores obvious false positives contributing to the impossible travel conditions, such as VPNs and locations regularly used by other users in the organization. The detection has an initial learning period of seven days, during which it learns a new user's activity pattern.Requires an active Microsoft Cloud App Security license.",-,Medium,Azure Resource Manager,Azure Defender
PREVIEW - Suspicious management session using an inactive account detected(ARM_UnusedAccountPersistence),Subscription activity logs analysis has detected suspicious behavior. A principal not in use for a long period of time is now performing actions that can secure persistence for an attacker.,Persistence,Medium,Azure Resource Manager,Azure Defender
PREVIEW - Suspicious management session using PowerShell detected(ARM_UnusedAppPowershellPersistence),"Subscription activity logs analysis has detected suspicious behavior. A principal that doesn't regularly use PowerShell to manage the subscription environment is now using PowerShell, and performing actions that can secure persistence for an attacker.",Persistence,Medium,Azure Resource Manager,Azure Defender
PREVIEW – Suspicious management session using Azure portal detected(ARM_UnusedAppIbizaPersistence),"Analysis of your subscription activity logs has detected a suspicious behavior. A principal that doesn't regularly use the Azure portal (Ibiza) to manage the subscription environment (hasn't used Azure portal to manage for the last 45 days, or a subscription that it is actively managing), is now using the Azure portal and performing actions that can secure persistence for an attacker.",Persistence,Medium,Azure Resource Manager,Azure Defender
Privileged custom role created for your subscription in a suspicious way (Preview)(ARM_PrivilegedRoleDefinitionCreation),"Azure Defender for Resource Manager detected a suspicious creation of privileged custom role definition in your subscription. This operation might have been performed by a legitimate user in your organization. Alternatively, it might indicate that an account in your organization was breached, and that the threat actor is trying to create a privileged role to use in the future to evade detection.","Privilege Escalation, Defense Evasion",Low,Azure Resource Manager,Azure Defender
Usage of MicroBurst exploitation toolkit to run an arbitrary code or exfiltrate Azure Automation account credentials(ARM_MicroBurst.RunCodeOnBehalf),Usage of MicroBurst exploitation toolkit to run an arbitrary code or exfiltrate Azure Automation account credentials. This was detected by analyzing Azure Resource Manager operations in your subscription.,"Persistence, Credential Access",High,Azure Resource Manager,Azure Defender
Usage of NetSPI techniques to maintain persistence in your Azure environment(ARM_NetSPI.MaintainPersistence),Usage of NetSPI persistence technique to create a webhook backdoor and maintain persistence in your Azure environment. This was detected by analyzing Azure Resource Manager operations in your subscription.,-,High,Azure Resource Manager,Azure Defender
Usage of PowerZure exploitation toolkit to run an arbitrary code or exfiltrate Azure Automation account credentials(ARM_PowerZure.RunCodeOnBehalf),PowerZure exploitation toolkit detected attempting to run code or exfiltrate Azure Automation account credentials. This was detected by analyzing Azure Resource Manager operations in your subscription.,-,High,Azure Resource Manager,Azure Defender
Usage of PowerZure function to maintain persistence in your Azure environment(ARM_PowerZure.MaintainPersistence),PowerZure exploitation toolkit detected creating a webhook backdoor to maintain persistence in your Azure environment. This was detected by analyzing Azure Resource Manager operations in your subscription.,-,High,Azure Resource Manager,Azure Defender
Anomalous network protocol usage(AzureDNS_ProtocolAnomaly),"Analysis of DNS transactions from %{CompromisedEntity} detected anomalous protocol usage. Such traffic, while possibly benign, may indicate abuse of this common protocol to bypass network traffic filtering. Typical related attacker activity includes copying remote administration tools to a compromised host and exfiltrating user data from it.",Exfiltration,-,Azure DNS,Azure Defender
Anonymity network activity(AzureDNS_DarkWeb),"Analysis of DNS transactions from %{CompromisedEntity} detected anonymity network activity. Such activity, while possibly legitimate user behavior, is frequently employed by attackers to evade tracking and fingerprinting of network communications. Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.",Exfiltration,-,Azure DNS,Azure Defender
Anonymity network activity using web proxy(AzureDNS_DarkWebProxy),"Analysis of DNS transactions from %{CompromisedEntity} detected anonymity network activity. Such activity, while possibly legitimate user behavior, is frequently employed by attackers to evade tracking and fingerprinting of network communications. Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.",Exfiltration,-,Azure DNS,Azure Defender
Attempted communication with suspicious sinkholed domain(AzureDNS_SinkholedDomain),"Analysis of DNS transactions from %{CompromisedEntity} detected request for sinkholed domain. Such activity, while possibly legitimate user behavior, is frequently an indication of the download or execution of malicious software. Typical related attacker activity is likely to include the download and execution of further malicious software or remote administration tools.",Exfiltration,-,Azure DNS,Azure Defender
Communication with possible phishing domain(AzureDNS_PhishingDomain),"Analysis of DNS transactions from %{CompromisedEntity} detected a request for a possible phishing domain. Such activity, while possibly benign, is frequently performed by attackers to harvest credentials to remote services. Typical related attacker activity is likely to include the exploitation of any credentials on the legitimate service.",Exfiltration,-,Azure DNS,Azure Defender
Communication with suspicious algorithmically generated domain(AzureDNS_DomainGenerationAlgorithm),"Analysis of DNS transactions from %{CompromisedEntity} detected possible usage of a domain generation algorithm. Such activity, while possibly benign, is frequently performed by attackers to evade network monitoring and filtering. Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.",Exfiltration,-,Azure DNS,Azure Defender
Communication with suspicious domain identified by threat intelligence(AzureDNS_ThreatIntelSuspectDomain),"Communication with suspicious domain was detected by analyzing DNS transactions from your resource and comparing against known malicious domains identified by threat intelligence feeds. Communication to malicious domains is frequently performed by attackers and could imply that your resource is compromised.""",Initial Access,Medium,Azure DNS,Azure Defender
Communication with suspicious random domain name(AzureDNS_RandomizedDomain),"Analysis of DNS transactions from %{CompromisedEntity} detected usage of a suspicious randomly generated domain name. Such activity, while possibly benign, is frequently performed by attackers to evade network monitoring and filtering. Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.",Exfiltration,-,Azure DNS,Azure Defender
Digital currency mining activity(AzureDNS_CurrencyMining),"Analysis of DNS transactions from %{CompromisedEntity} detected digital currency mining activity. Such activity, while possibly legitimate user behavior, is frequently performed by attackers following compromise of resources. Typical related attacker activity is likely to include the download and execution of common mining tools.",Exfiltration,-,Azure DNS,Azure Defender
Network intrusion detection signature activation(AzureDNS_SuspiciousDomain),"Analysis of DNS transactions from %{CompromisedEntity} detected a known malicious network signature. Such activity, while possibly legitimate user behavior, is frequently an indication of the download or execution of malicious software. Typical related attacker activity is likely to include the download and execution of further malicious software or remote administration tools.",Exfiltration,-,Azure DNS,Azure Defender
Possible data download via DNS tunnel(AzureDNS_DataInfiltration),"Analysis of DNS transactions from %{CompromisedEntity} detected a possible DNS tunnel. Such activity, while possibly legitimate user behavior, is frequently performed by attackers to evade network monitoring and filtering. Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.",Exfiltration,-,Azure DNS,Azure Defender
Possible data exfiltration via DNS tunnel(AzureDNS_DataExfiltration),"Analysis of DNS transactions from %{CompromisedEntity} detected a possible DNS tunnel. Such activity, while possibly legitimate user behavior, is frequently performed by attackers to evade network monitoring and filtering. Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.",Exfiltration,-,Azure DNS,Azure Defender
Possible data transfer via DNS tunnel(AzureDNS_DataObfuscation),"Analysis of DNS transactions from %{CompromisedEntity} detected a possible DNS tunnel. Such activity, while possibly legitimate user behavior, is frequently performed by attackers to evade network monitoring and filtering. Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.",Exfiltration,-,Azure DNS,Azure Defender
Access from a suspicious IP address(Storage.Blob_SuspiciousIpStorage.Files_SuspiciousIp),"Indicates that this storage account has been successfully accessed from an IP address that is considered suspicious. This alert is powered by Microsoft Threat Intelligence.Learn more about Microsoft's threat intelligence capabilities.Applies to: Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2",Initial Access,Medium,Azure Storage,Azure Defender
PREVIEW - Anonymous scan of public storage containers(Storage.Blob_ContainerAnonymousScan),"A series of attempts were made to anonymously identify public containers in your storage account. This might indicate a reconnaissance attack, where the attacker scans your storage account to identify publicly accessible containers and then tries to find sensitive data inside them. Applies to: Azure Blob Storage","PreAttack, Collection",Medium / High,Azure Storage,Azure Defender
PREVIEW – Phishing content hosted on a storage account(Storage.Blob_PhishingContentStorage.Files_PhishingContent),"A URL used in a phishing attack points to your Azure Storage account. This URL was part of a phishing attack affecting users of Microsoft 365.Typically, content hosted on such pages is designed to trick visitors into entering their corporate credentials or financial information into a web form that looks legitimate.This alert is powered by Microsoft Threat Intelligence.Learn more about Microsoft's threat intelligence capabilities.Applies to: Azure Blob Storage, Azure Files",Collection,High,Azure Storage,Azure Defender
PREVIEW - Storage account identified as source for distribution of malware(Storage.Files_WidespreadeAm),"Antimalware alerts indicate that an infected file(s) is stored in an Azure file share that is mounted to multiple VMs. If attackers gain access to a VM with a mounted Azure file share, they can use it to spread malware to other VMs that mount the same share.Applies to: Azure Files","Lateral Movement, Execution",High,Azure Storage,Azure Defender
PREVIEW - Storage account with potentially sensitive data has been detected with a publicly exposed container(Storage.Blob_OpenACL),"The access policy of a container in your storage account was modified to allow anonymous access. This might lead to a data breach if the container holds any sensitive data. This alert is based on analysis of Azure activity log.Applies to: Azure Blob Storage, Azure Data Lake Storage Gen2",Privilege Escalation,Medium,Azure Storage,Azure Defender
Access from a Tor exit node to a storage account(Storage.Blob_TorAnomalyStorage.Files_TorAnomaly),"Indicates that this account has been accessed successfully from an IP address that is known as an active exit node of Tor (an anonymizing proxy). The severity of this alert considers the authentication type used (if any), and whether this is the first case of such access. Potential causes can be an attacker who has accessed your storage account by using Tor, or a legitimate user who has accessed your storage account by using Tor.Applies to: Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2","Probing, Exploitation",High,Azure Storage,Azure Defender
Access from an unusual location to a storage account(Storage.Blob_GeoAnomalyStorage.Files_GeoAnomaly),"Indicates that there was a change in the access pattern to an Azure Storage account. Someone has accessed this account from an IP address considered unfamiliar when compared with recent activity. Either an attacker has gained access to the account, or a legitimate user has connected from a new or unusual geographic location. An example of the latter is remote maintenance from a new application or developer.Applies to: Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2",Exploitation,Low,Azure Storage,Azure Defender
Anonymous access to a storage account(Storage.Blob_AnonymousAccessAnomaly),"Indicates that there was a change in the access pattern to an Azure Storage account. Someone accessed a countainer in this storage account without authenticating. Access to this container is typically authenticated by SAS token, storage account key, or AAD. This might indicate that an attacker has exploited public read access to the storage account.Applies to: Azure Blob Storage",Exploitation,High,Azure Storage,Azure Defender
Potential malware uploaded to a storage account(Storage.Blob_MalwareHashReputationStorage.Files_MalwareHashReputation),"Indicates that a blob containing potential malware has been uploaded to a blob container or a file share in a storage account. This alert is based on hash reputation analysis leveraging the power of Microsoft threat intelligence, which includes hashes for viruses, trojans, spyware and ransomware. Potential causes may include an intentional malware upload by an attacker, or an unintentional upload of a potentially malicious blob by a legitimate user.Applies to: Azure Blob Storage, Azure Files (Only for transactions over REST API)Learn more about Azure's hash reputation analysis for malware.Learn more about Microsoft's threat intelligence capabilities.",Lateral Movement,High,Azure Storage,Azure Defender
Unusual access inspection in a storage account(Storage.Blob_AccessInspectionAnomalyStorage.Files_AccessInspectionAnomaly),"Indicates that the access permissions of a storage account have been inspected in an unusual way, compared to recent activity on this account. A potential cause is that an attacker has performed reconnaissance for a future attack.Applies to: Azure Blob Storage, Azure Files",Collection,Medium,Azure Storage,Azure Defender
Unusual amount of data extracted from a storage account(Storage.Blob_DataExfiltration.AmountOfDataAnomalyStorage.Blob_DataExfiltration.NumberOfBlobsAnomalyStorage.Files_DataExfiltration.AmountOfDataAnomalyStorage.Files_DataExfiltration.NumberOfFilesAnomaly),"Indicates that an unusually large amount of data has been extracted compared to recent activity on this storage container. A potential cause is that an attacker has extracted a large amount of data from a container that holds blob storage.Applies to: Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2",Exfiltration,Medium,Azure Storage,Azure Defender
Unusual application accessed a storage account(Storage.Blob_ApplicationAnomalyStorage.Files_ApplicationAnomaly),"Indicates that an unusual application has accessed this storage account. A potential cause is that an attacker has accessed your storage account by using a new application.Applies to: Azure Blob Storage, Azure Files",Exploitation,Medium,Azure Storage,Azure Defender
Unusual change of access permissions in a storage account(Storage.Blob_PermissionsChangeAnomalyStorage.Files_PermissionsChangeAnomaly),"Indicates that the access permissions of this storage container have been changed in an unusual way. A potential cause is that an attacker has changed container permissions to weaken its security posture or to gain persistence.Applies to: Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2",Persistence,Medium,Azure Storage,Azure Defender
Unusual data exploration in a storage account(Storage.Blob_DataExplorationAnomalyStorage.Files_DataExplorationAnomaly),"Indicates that blobs or containers in a storage account have been enumerated in an abnormal way, compared to recent activity on this account. A potential cause is that an attacker has performed reconnaissance for a future attack.Applies to: Azure Blob Storage, Azure Files",Collection,Medium,Azure Storage,Azure Defender
Unusual deletion in a storage account(Storage.Blob_DeletionAnomalyStorage.Files_DeletionAnomaly),"Indicates that one or more unexpected delete operations has occurred in a storage account, compared to recent activity on this account. A potential cause is that an attacker has deleted data from your storage account.Applies to: Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2",Exfiltration,Medium,Azure Storage,Azure Defender
Unusual upload of .cspkg to a storage account(Storage.Blob_CspkgUploadAnomaly),"Indicates that an Azure Cloud Services package (.cspkg file) has been uploaded to a storage account in an unusual way, compared to recent activity on this account. A potential cause is that an attacker has been preparing to deploy malicious code from your storage account to an Azure cloud service.Applies to: Azure Blob Storage, Azure Data Lake Storage Gen2","Lateral Movement, Execution",Medium,Azure Storage,Azure Defender
Unusual upload of .exe to a storage account(Storage.Blob_ExeUploadAnomalyStorage.Files_ExeUploadAnomaly),"Indicates that an .exe file has been uploaded to a storage account in an unusual way, compared to recent activity on this account. A potential cause is that an attacker has uploaded a malicious executable file to your storage account, or that a legitimate user has uploaded an executable file.Applies to: Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2","Lateral Movement, Execution",Medium,Azure Storage,Azure Defender
PREVIEW - Access from an unusual location to a Cosmos DB account,"Indicates that there was a change in the access pattern to an Azure Cosmos DB account. Someone has accessed this account from an unfamiliar IP address, compared to recent activity. Either an attacker has accessed the account, or a legitimate user has accessed it from a new and unusual geographical location. An example of the latter is remote maintenance from a new application or developer.",Exploitation,Medium,Azure Cosmos DB (Preview),Azure Defender
PREVIEW - Unusual amount of data extracted from a Cosmos DB account,"Indicates that there was a change in the data extraction pattern from an Azure Cosmos DB account. Someone has extracted an unusual amount of data compared to recent activity. An attacker might have extracted a large amount of data from an Azure Cosmos DB database (for example, data exfiltration or leakage, or an unauthorized transfer of data). Or, a legitimate user or application might have extracted an unusual amount of data from a container (for example, for maintenance backup activity).",Exfiltration,Medium,Azure Cosmos DB (Preview),Azure Defender
Network communication with a malicious machine detected(Network_CommunicationWithC2),"Network traffic analysis indicates that your machine (IP %{Victim IP}) has communicated with what is possibly a Command and Control center. When the compromised resource is a load balancer or an application gateway, the suspected activity might indicate that one or more of the resources in the backend pool (of the load balancer or application gateway) has communicated with what is possibly a Command and Control center.",Command and Control,Medium,Azure Network Layer,Azure Defender
Possible compromised machine detected(Network_ResourceIpIndicatedAsMalicious),"Threat intelligence indicates that your machine (at IP %{Machine IP}) may have been compromised by a malware of type Conficker. Conficker was a computer worm that targets the Microsoft Windows operating system and was first detected in November 2008. Conficker infected millions of computers including government, business and home computers in over 200 countries/regions, making it the largest known computer worm infection since the 2003 Welchia worm.",Command and Control,Medium,Azure Network Layer,Azure Defender
Possible incoming %{Service Name} brute force attempts detected(Generic_Incoming_BF_OneToOne),"Network traffic analysis detected incoming %{Service Name} communication to %{Victim IP}, associated with your resource %{Compromised Host} from %{Attacker IP}. When the compromised resource is a load balancer or an application gateway, the suspected incoming traffic has been forwarded to one or more of the resources in the backend pool (of the load balancer or application gateway). Specifically, sampled network data shows suspicious activity between %{Start Time} and %{End Time} on port %{Victim Port}. This activity is consistent with brute force attempts against %{Service Name} servers.",PreAttack,Medium,Azure Network Layer,Azure Defender
Possible incoming SQL brute force attempts detected(SQL_Incoming_BF_OneToOne),"Network traffic analysis detected incoming SQL communication to %{Victim IP}, associated with your resource %{Compromised Host}, from %{Attacker IP}. When the compromised resource is a load balancer or an application gateway, the suspected incoming traffic has been forwarded to one or more of the resources in the backend pool (of the load balancer or application gateway). Specifically, sampled network data shows suspicious activity between %{Start Time} and %{End Time} on port %{Port Number} (%{SQL Service Type}). This activity is consistent with brute force attempts against SQL servers.",PreAttack,Medium,Azure Network Layer,Azure Defender
Possible outgoing denial-of-service attack detected(DDOS),"Network traffic analysis detected anomalous outgoing activity originating from %{Compromised Host}, a resource in your deployment. This activity may indicate that your resource was compromised and is now engaged in denial-of-service attacks against external endpoints. When the compromised resource is a load balancer or an application gateway, the suspected activity might indicate that one or more of the resources in the backend pool (of the load balancer or application gateway) was compromised. Based on the volume of connections, we believe that the following IPs are possibly the targets of the DOS attack: %{Possible Victims}. Note that it is possible that the communication to some of these IPs is legitimate.",Impact,Medium,Azure Network Layer,Azure Defender
Possible outgoing port scanning activity detected(PortSweeping),"Network traffic analysis detected suspicious outgoing traffic from %{Compromised Host}. This traffic may be a result of a port scanning activity. When the compromised resource is a load balancer or an application gateway, the suspected outgoing traffic has been originated from to one or more of the resources in the backend pool (of the load balancer or application gateway). If this behavior is intentional, please note that performing port scanning is against Azure Terms of service. If this behavior is unintentional, it may mean your resource has been compromised.",Discovery,Medium,Azure Network Layer,Azure Defender
Suspicious incoming RDP network activity from multiple sources(RDP_Incoming_BF_ManyToOne),"Network traffic analysis detected anomalous incoming Remote Desktop Protocol (RDP) communication to %{Victim IP}, associated with your resource %{Compromised Host}, from multiple sources. When the compromised resource is a load balancer or an application gateway, the suspected incoming traffic has been forwarded to one or more of the resources in the backend pool (of the load balancer or application gateway). Specifically, sampled network data shows %{Number of Attacking IPs} unique IPs connecting to your resource, which is considered abnormal for this environment. This activity may indicate an attempt to brute force your RDP end point from multiple hosts (Botnet)",PreAttack,Medium,Azure Network Layer,Azure Defender
Suspicious incoming RDP network activity(RDP_Incoming_BF_OneToOne),"Network traffic analysis detected anomalous incoming Remote Desktop Protocol (RDP) communication to %{Victim IP}, associated with your resource %{Compromised Host}, from %{Attacker IP}. When the compromised resource is a load balancer or an application gateway, the suspected incoming traffic has been forwarded to one or more of the resources in the backend pool (of the load balancer or application gateway). Specifically, sampled network data shows %{Number of Connections} incoming connections to your resource, which is considered abnormal for this environment. This activity may indicate an attempt to brute force your RDP end point",PreAttack,Medium,Azure Network Layer,Azure Defender
Suspicious incoming SSH network activity from multiple sources(SSH_Incoming_BF_ManyToOne),"Network traffic analysis detected anomalous incoming SSH communication to %{Victim IP}, associated with your resource %{Compromised Host}, from multiple sources. When the compromised resource is a load balancer or an application gateway, the suspected incoming traffic has been forwarded to one or more of the resources in the backend pool (of the load balancer or application gateway). Specifically, sampled network data shows %{Number of Attacking IPs} unique IPs connecting to your resource, which is considered abnormal for this environment. This activity may indicate an attempt to brute force your SSH end point from multiple hosts (Botnet)",PreAttack,Medium,Azure Network Layer,Azure Defender
Suspicious incoming SSH network activity(SSH_Incoming_BF_OneToOne),"Network traffic analysis detected anomalous incoming SSH communication to %{Victim IP}, associated with your resource %{Compromised Host}, from %{Attacker IP}. When the compromised resource is a load balancer or an application gateway, the suspected incoming traffic has been forwarded to one or more of the resources in the backend pool (of the load balancer or application gateway). Specifically, sampled network data shows %{Number of Connections} incoming connections to your resource, which is considered abnormal for this environment. This activity may indicate an attempt to brute force your SSH end point",PreAttack,Medium,Azure Network Layer,Azure Defender
Suspicious outgoing %{Attacked Protocol} traffic detected(PortScanning),"Network traffic analysis detected suspicious outgoing traffic from %{Compromised Host} to destination port %{Most Common Port}. When the compromised resource is a load balancer or an application gateway, the suspected outgoing traffic has been originated from to one or more of the resources in the backend pool (of the load balancer or application gateway). This behavior may indicate that your resource is taking part in %{Attacked Protocol} brute force attempts or port sweeping attacks.",Discovery,Medium,Azure Network Layer,Azure Defender
Suspicious outgoing RDP network activity to multiple destinations(RDP_Outgoing_BF_OneToMany),"Network traffic analysis detected anomalous outgoing Remote Desktop Protocol (RDP) communication to multiple destinations originating from %{Compromised Host} (%{Attacker IP}), a resource in your deployment. When the compromised resource is a load balancer or an application gateway, the suspected outgoing traffic has been originated from to one or more of the resources in the backend pool (of the load balancer or application gateway). Specifically, sampled network data shows your machine connecting to %{Number of Attacked IPs} unique IPs, which is considered abnormal for this environment. This activity may indicate that your resource was compromised and is now used to brute force external RDP end points. Note that this type of activity could possibly cause your IP to be flagged as malicious by external entities.",Discovery,High,Azure Network Layer,Azure Defender
Suspicious outgoing RDP network activity(RDP_Outgoing_BF_OneToOne),"Network traffic analysis detected anomalous outgoing Remote Desktop Protocol (RDP) communication to %{Victim IP} originating from %{Compromised Host} (%{Attacker IP}), a resource in your deployment. When the compromised resource is a load balancer or an application gateway, the suspected outgoing traffic has been originated from to one or more of the resources in the backend pool (of the load balancer or application gateway). Specifically, sampled network data shows %{Number of Connections} outgoing connections from your resource, which is considered abnormal for this environment. This activity may indicate that your machine was compromised and is now used to brute force external RDP end points. Note that this type of activity could possibly cause your IP to be flagged as malicious by external entities.",Lateral Movement,High,Azure Network Layer,Azure Defender
Suspicious outgoing SSH network activity to multiple destinations(SSH_Outgoing_BF_OneToMany),"Network traffic analysis detected anomalous outgoing SSH communication to multiple destinations originating from %{Compromised Host} (%{Attacker IP}), a resource in your deployment. When the compromised resource is a load balancer or an application gateway, the suspected outgoing traffic has been originated from to one or more of the resources in the backend pool (of the load balancer or application gateway). Specifically, sampled network data shows your resource connecting to %{Number of Attacked IPs} unique IPs, which is considered abnormal for this environment. This activity may indicate that your resource was compromised and is now used to brute force external SSH end points. Note that this type of activity could possibly cause your IP to be flagged as malicious by external entities.",Discovery,Medium,Azure Network Layer,Azure Defender
Suspicious outgoing SSH network activity(SSH_Outgoing_BF_OneToOne),"Network traffic analysis detected anomalous outgoing SSH communication to %{Victim IP} originating from %{Compromised Host} (%{Attacker IP}), a resource in your deployment. When the compromised resource is a load balancer or an application gateway, the suspected outgoing traffic has been originated from to one or more of the resources in the backend pool (of the load balancer or application gateway). Specifically, sampled network data shows %{Number of Connections} outgoing connections from your resource, which is considered abnormal for this environment. This activity may indicate that your resource was compromised and is now used to brute force external SSH end points. Note that this type of activity could possibly cause your IP to be flagged as malicious by external entities.",Lateral Movement,Medium,Azure Network Layer,Azure Defender
Traffic detected from IP addresses recommended for blocking,"Azure Security Center detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource. Alternatively, the IP address has been flagged as malicious by Security Center's threat intelligence sources.",Probing,Low,Azure Network Layer,Azure Defender
Access from a suspicious IP address to a key vault(KV_SuspiciousIPAccess),A key vault has been successfully accessed by an IP that has been identified by Microsoft Threat Intelligence as a suspicious IP address. This may indicate that your infrastructure has been compromised. We recommend further investigation. Learn more about Microsoft's threat intelligence capabilities.,Credential Access,Medium,Azure Key Vault,Azure Defender
Access from a TOR exit node to a key vault(KV_TORAccess),A key vault has been accessed from a known TOR exit node. This could be an indication that a threat actor has accessed the key vault and is using the TOR network to hide their source location. We recommend further investigations.,Credential Access,Medium,Azure Key Vault,Azure Defender
High volume of operations in a key vault(KV_OperationVolumeAnomaly),"An anomalous number of key vault operations were performed by a user, service principal, and/or a specific key vault. This anomalous activity pattern may be legitimate, but it could be an indication that a threat actor has gained access to the key vault and the secrets contained within it. We recommend further investigations.",Credential Access,Medium,Azure Key Vault,Azure Defender
Suspicious policy change and secret query in a key vault(KV_PutGetAnomaly),"A user or service principal has performed an anomalous Vault Put policy change operation followed by one or more Secret Get operations. This pattern is not normally performed by the specified user or service principal. This may be legitimate activity, but it could be an indication that a threat actor has updated the key vault policy to access previously inaccessible secrets. We recommend further investigations.",Credential Access,Medium,Azure Key Vault,Azure Defender
Suspicious secret listing and query in a key vault(KV_ListGetAnomaly),"A user or service principal has performed an anomalous Secret List operation followed by one or more Secret Get operations. This pattern is not normally performed by the specified user or service principal and is typically associated with secret dumping. This may be legitimate activity, but it could be an indication that a threat actor has gained access to the key vault and is trying to discover secrets that can be used to move laterally through your network and/or gain access to sensitive resources. We recommend further investigations.",Credential Access,Medium,Azure Key Vault,Azure Defender
Unusual application accessed a key vault(KV_AppAnomaly),"A key vault has been accessed by a service principal that does not normally access it. This anomalous access pattern may be legitimate activity, but it could be an indication that a threat actor has gained access to the key vault in an attempt to access the secrets contained within it. We recommend further investigations.",Credential Access,Medium,Azure Key Vault,Azure Defender
Unusual operation pattern in a key vaultKV_OperationPatternAnomaly),"An anomalous pattern of key vault operations was performed by a user, service principal, and/or a specific key vault. This anomalous activity pattern may be legitimate, but it could be an indication that a threat actor has gained access to the key vault and the secrets contained within it. We recommend further investigations.",Credential Access,Medium,Azure Key Vault,Azure Defender
Unusual user accessed a key vault(KV_UserAnomaly),"A key vault has been accessed by a user that does not normally access it. This anomalous access pattern may be legitimate activity, but it could be an indication that a threat actor has gained access to the key vault in an attempt to access the secrets contained within it. We recommend further investigations.",Credential Access,Medium,Azure Key Vault,Azure Defender
Unusual user-application pair accessed a key vault(KV_UserAppAnomaly),"A key vault has been accessed by a user-service principal pair that does not normally access it. This anomalous access pattern may be legitimate activity, but it could be an indication that a threat actor has gained access to the key vault in an attempt to access the secrets contained within it. We recommend further investigations.",Credential Access,Medium,Azure Key Vault,Azure Defender
User accessed high volume of key vaults(KV_AccountVolumeAnomaly),"A user or service principal has accessed an anomalously high volume of key vaults. This anomalous access pattern may be legitimate activity, but it could be an indication that a threat actor has gained access to multiple key vaults in an attempt to access the secrets contained within them. We recommend further investigations.",Credential Access,Medium,Azure Key Vault,Azure Defender
DDoS Attack detected for Public IP,DDoS Attack detected for Public IP (IP address) and being mitigated.,Probing,High,Azure DDoS Protection,Azure Defender
DDoS Attack mitigated for Public IP,DDoS Attack mitigated for Public IP (IP address).,Probing,Low,Azure DDoS Protection,Azure Defender
Security incident with shared process detected,The incident which started on {Start Time (UTC)} and recently detected on {Detected Time (UTC)} indicates that an attacker has {Action taken} your resource {Host},-,High,Security Incident,Azure Defender
Security incident detected on multiple resources,The incident which started on {Start Time (UTC)} and recently detected on {Detected Time (UTC)} indicates that similar attack methods were performed on your cloud resources {Host},-,Medium,Security Incident,Azure Defender
Security incident detected from same source,The incident which started on {Start Time (UTC)} and recently detected on {Detected Time (UTC)} indicates that an attacker has {Action taken} your resource {Host},-,High,Security Incident,Azure Defender
Security incident detected on multiple machines,The incident which started on {Start Time (UTC)} and recently detected on {Detected Time (UTC)} indicates that an attacker has {Action taken} your resources {Host},-,Medium,Security Incident,Azure Defender
Anonymous IP address,"This risk detection type indicates sign-ins from an anonymous IP address (for example, Tor browser or anonymous VPN). These IP addresses are typically used by actors who want to hide their login telemetry (IP address, location, device, etc.) for potentially malicious intent.",N.A.,N.A.,N.A.,Azure Identity Protection Center (IPC)
Atypical travel,"This risk detection type identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior. Among several other factors, this machine learning algorithm takes into account the time between the two sign-ins and the time it would have taken for the user to travel from the first location to the second, indicating that a different user is using the same credentials. The algorithm ignores obvious ""false positives"" contributing to the impossible travel conditions, such as VPNs and locations regularly used by other users in the organization. The system has an initial learning period of the earliest of 14 days or 10 logins, during which it learns a new user's sign-in behavior.",N.A.,N.A.,N.A.,Azure Identity Protection Center (IPC)
Anomalous Token,This detection indicates that there are abnormal characteristics in the token such as an unusual token lifetime or a token played from an unfamiliar location. This detection covers Session Tokens and Refresh Tokens.,N.A.,N.A.,N.A.,Azure Identity Protection Center (IPC)
Token Issuer Anomaly,This risk detection indicates the SAML token issuer for the associated SAML token is potentially compromised. The claims included in the token are unusual or match known attacker patterns.,N.A.,N.A.,N.A.,Azure Identity Protection Center (IPC)
Malware linked IP address,This risk detection type indicates sign-ins from IP addresses infected with malware that is known to actively communicate with a bot server. This detection is determined by correlating IP addresses of the user's device against IP addresses that were in contact with a bot server while the bot server was active.,N.A.,N.A.,N.A.,Azure Identity Protection Center (IPC)
Suspicious browser,Suspicious browser detection indicates anomalous behavior based on suspicious sign-in activity across multiple tenants from different countries in the same browser.,N.A.,N.A.,N.A.,Azure Identity Protection Center (IPC)
Unfamiliar sign-in properties,"This risk detection type considers past sign-in history (IP, Latitude / Longitude and ASN) to look for anomalous sign-ins. The system stores information about previous locations used by a user, and considers these ""familiar"" locations. The risk detection is triggered when the sign-in occurs from a location that's not already in the list of familiar locations. Newly created users will be in ""learning mode"" for a period of time in which unfamiliar sign-in properties risk detections will be turned off while our algorithms learn the user's behavior. The learning mode duration is dynamic and depends on how much time it takes the algorithm to gather enough information about the user's sign-in patterns. The minimum duration is five days. A user can go back into learning mode after a long period of inactivity. The system also ignores sign-ins from familiar devices, and locations that are geographically close to a familiar location. We also run this detection for basic authentication (or legacy protocols). Because these protocols do not have modern properties such as client ID, there is limited telemetry to reduce false positives. We recommend our customers to move to modern authentication.",N.A.,N.A.,N.A.,Azure Identity Protection Center (IPC)
Admin confirmed user compromised,"This detection indicates an admin has selected 'Confirm user compromised' in the Risky users UI or using riskyUsers API. To see which admin has confirmed this user compromised, check the user's risk history (via UI or API).",N.A.,N.A.,N.A.,Azure Identity Protection Center (IPC)
Malicious IP address,This detection indicates sign-in from a malicious IP address. An IP address is considered malicious based on high failure rates because of invalid credentials received from the IP address or other IP reputation sources.,N.A.,N.A.,N.A.,Azure Identity Protection Center (IPC)
Suspicious inbox manipulation rules,"This detection is discovered by Microsoft Cloud App Security (MCAS). This detection profiles your environment and triggers alerts when suspicious rules that delete or move messages or folders are set on a user's inbox. This detection may indicate that the user's account is compromised, that messages are being intentionally hidden, and that the mailbox is being used to distribute spam or malware in your organization.",N.A.,N.A.,N.A.,Azure Identity Protection Center (IPC)
Password spray,A password spray attack is where multiple usernames are attacked using common passwords in a unified brute force manner to gain unauthorized access. This risk detection is triggered when a password spray attack has been performed.,N.A.,N.A.,N.A.,Azure Identity Protection Center (IPC)
Impossible travel,"This detection is discovered by Microsoft Cloud App Security (MCAS). This detection identifies two user activities (is a single or multiple sessions) originating from geographically distant locations within a time period shorter than the time it would have taken the user to travel from the first location to the second, indicating that a different user is using the same credentials.",N.A.,N.A.,N.A.,Azure Identity Protection Center (IPC)
New country,This detection is discovered by Microsoft Cloud App Security (MCAS). This detection considers past activity locations to determine new and infrequent locations. The anomaly detection engine stores information about previous locations used by users in the organization.,N.A.,N.A.,N.A.,Azure Identity Protection Center (IPC)
Activity from anonymous IP address,This detection is discovered by Microsoft Cloud App Security (MCAS). This detection identifies that users were active from an IP address that has been identified as an anonymous proxy IP address.,N.A.,N.A.,N.A.,Azure Identity Protection Center (IPC)
Suspicious inbox forwarding,"This detection is discovered by Microsoft Cloud App Security (MCAS). This detection looks for suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address.",N.A.,N.A.,N.A.,Azure Identity Protection Center (IPC)
Azure AD threat intelligence,This risk detection type indicates sign-in activity that is unusual for the given user or is consistent with known attack patterns based on Microsoft's internal and external threat intelligence sources.,N.A.,N.A.,N.A.,Azure Identity Protection Center (IPC)
Additional risk detected,"This detection indicates that one of the above premium detections was detected. Since the premium detections are visible only to Azure AD Premium P2 customers, they are titled ""additional risk detected"" for customers without Azure AD Premium P2 licenses.",N.A.,N.A.,N.A.,Azure Identity Protection Center (IPC)
Account enumeration reconnaissance,N.A.,Discovery,Medium,N.A.,Microsoft Defender for Identity
Active Directory attributes reconnaissance (LDAP),N.A.,Discovery,Medium,N.A.,Microsoft Defender for Identity
Data exfiltration over SMB,N.A.,"Exfiltration,Lateral movement,Command and control",High,N.A.,Microsoft Defender for Identity
Honeytoken activity,N.A.,"Credential access,Discovery",Medium,N.A.,Microsoft Defender for Identity
Malicious request of Data Protection API master key,N.A.,Credential access,High,N.A.,Microsoft Defender for Identity
Network mapping reconnaissance (DNS),N.A.,Discovery,Medium,N.A.,Microsoft Defender for Identity
Remote code execution attempt,N.A.,"Execution,Persistence,Privilege escalation,Defense evasion,Lateral movement",Medium,N.A.,Microsoft Defender for Identity
Remote code execution over DNS,N.A.,"Privilege escalation,Lateral movement",Medium,N.A.,Microsoft Defender for Identity
Security principal reconnaissance (LDAP),N.A.,Credential access,Medium,N.A.,Microsoft Defender for Identity
"Suspected Brute Force attack (Kerberos, NTLM)",N.A.,Credential access,Medium,N.A.,Microsoft Defender for Identity
Suspected Brute Force attack (LDAP),N.A.,Credential access,Medium,N.A.,Microsoft Defender for Identity
Suspected Brute Force attack (SMB),N.A.,Lateral movement,Medium,N.A.,Microsoft Defender for Identity
Suspected DCShadow attack (domain controller promotion),N.A.,Defense evasion,High,N.A.,Microsoft Defender for Identity
Suspected DCShadow attack (domain controller replication request),N.A.,Defense evasion,High,N.A.,Microsoft Defender for Identity
Suspected DCSync attack (replication of directory services),N.A.,"Persistence,Credential access",High,N.A.,Microsoft Defender for Identity
Suspected Golden Ticket usage (encryption downgrade),N.A.,"Privilege Escalation,Lateral movement,Persistence",Medium,N.A.,Microsoft Defender for Identity
Suspected Golden Ticket usage (forged authorization data),N.A.,"Privilege escalation,Lateral movement,Persistence",High,N.A.,Microsoft Defender for Identity
Suspected Golden Ticket usage (nonexistent account),N.A.,"Privilege Escalation,Lateral movement,Persistence",High,N.A.,Microsoft Defender for Identity
Suspected Golden Ticket usage (ticket anomaly),N.A.,"Privilege Escalation,Lateral movement,Persistence",High,N.A.,Microsoft Defender for Identity
Suspected Golden Ticket usage (ticket anomaly using RBCD),N.A.,Persistence,High,N.A.,Microsoft Defender for Identity
Suspected Golden Ticket usage (time anomaly),N.A.,"Privilege Escalation,Lateral movement,Persistence",High,N.A.,Microsoft Defender for Identity
Suspected identity theft (pass-the-hash),N.A.,Lateral movement,High,N.A.,Microsoft Defender for Identity
Suspected identity theft (pass-the-ticket),N.A.,Lateral movement,High or Medium,N.A.,Microsoft Defender for Identity
Suspected Kerberos SPN exposure (external ID 2410),N.A.,Credential access,High,N.A.,Microsoft Defender for Identity
Suspected Netlogon privilege elevation attempt (CVE-2020-1472 exploitation),N.A.,Privilege Escalation,High,N.A.,Microsoft Defender for Identity
Suspected NTLM authentication tampering,N.A.,"Privilege escalation, Lateral movement",Medium,N.A.,Microsoft Defender for Identity
Suspected NTLM relay attack,N.A.,"Privilege escalation, Lateral movement",Medium or Low if observed using signed NTLM v2 protocol,N.A.,Microsoft Defender for Identity
Suspected overpass-the-hash attack (Kerberos),N.A.,Lateral movement,Medium,N.A.,Microsoft Defender for Identity
Suspected rogue Kerberos certificate usage,N.A.,Lateral movement,High,N.A.,Microsoft Defender for Identity
Suspected Skeleton Key attack (encryption downgrade),N.A.,"Lateral movement,Persistence",Medium,N.A.,Microsoft Defender for Identity
Suspected SMB packet manipulation (CVE-2020-0796 exploitation) - (preview),N.A.,Lateral movement,High,N.A.,Microsoft Defender for Identity
Suspected use of Metasploit hacking framework,N.A.,Lateral movement,Medium,N.A.,Microsoft Defender for Identity
Suspected WannaCry ransomware attack,N.A.,Lateral movement,Medium,N.A.,Microsoft Defender for Identity
Suspicious additions to sensitive groups,N.A.,"Credential access,Persistence",Medium,N.A.,Microsoft Defender for Identity
Suspicious communication over DNS,N.A.,Exfiltration,Medium,N.A.,Microsoft Defender for Identity
Suspicious service creation,N.A.,"Execution,Persistence,Privilege Escalation,Defense evasion,Lateral movement",Medium,N.A.,Microsoft Defender for Identity
Suspicious VPN connection,N.A.,"Persistence,Defense evasion",Medium,N.A.,Microsoft Defender for Identity
User and Group membership reconnaissance (SAMR),N.A.,Discovery,Medium,N.A.,Microsoft Defender for Identity
User and IP address reconnaissance (SMB),N.A.,Discovery,Medium,N.A.,Microsoft Defender for Identity
Activity from anonymous IP address,N.A.,InitialAccess,N.A.,N.A.,Microsoft Cloud Application Security (MCAS)
Activity from infrequent country,N.A.,InitialAccess,N.A.,N.A.,Microsoft Cloud Application Security (MCAS)
Activity from suspicious IP addresses,N.A.,InitialAccess,N.A.,N.A.,Microsoft Cloud Application Security (MCAS)
Impossible Travel,N.A.,InitialAccess,N.A.,N.A.,Microsoft Cloud Application Security (MCAS)
Misleading OAuth app name,N.A.,InitialAccess,N.A.,N.A.,Microsoft Cloud Application Security (MCAS)
Misleading publisher name for an OAuth app,N.A.,InitialAccess,N.A.,N.A.,Microsoft Cloud Application Security (MCAS)
Multiple storage deletion activities,N.A.,Execution,N.A.,N.A.,Microsoft Cloud Application Security (MCAS)
Multiple VM creation activities,N.A.,Execution,N.A.,N.A.,Microsoft Cloud Application Security (MCAS)
Suspicious creation activity for cloud region (preview),N.A.,Execution,N.A.,N.A.,Microsoft Cloud Application Security (MCAS)
Activity performed by terminated user,N.A.,Persistence,N.A.,N.A.,Microsoft Cloud Application Security (MCAS)
Suspicious change of CloudTrail logging service,N.A.,Persistence,N.A.,N.A.,Microsoft Cloud Application Security (MCAS)
Suspicious email deletion activity (by user),N.A.,Persistence,N.A.,N.A.,Microsoft Cloud Application Security (MCAS)
Suspicious inbox manipulation rule,N.A.,Persistence,N.A.,N.A.,Microsoft Cloud Application Security (MCAS)
Unusual administrative activity (by user),N.A.,PrivilegeEscalation,N.A.,N.A.,Microsoft Cloud Application Security (MCAS)
Multiple failed login attempts,N.A.,CredentialAccess,N.A.,N.A.,Microsoft Cloud Application Security (MCAS)
Unusual addition of credentials to an OAuth app,N.A.,Collection,N.A.,N.A.,Microsoft Cloud Application Security (MCAS)
Multiple Power BI report sharing activities,N.A.,Collection,N.A.,N.A.,Microsoft Cloud Application Security (MCAS)
Suspicious Power BI report sharing,N.A.,Collection,N.A.,N.A.,Microsoft Cloud Application Security (MCAS)
Unusual impersonated activity (by user),N.A.,Exfiltration,N.A.,N.A.,Microsoft Cloud Application Security (MCAS)
Suspicious inbox forwarding,N.A.,Exfiltration,N.A.,N.A.,Microsoft Cloud Application Security (MCAS)
Unusual file download (by user),N.A.,Exfiltration,N.A.,N.A.,Microsoft Cloud Application Security (MCAS)
Unusual file access (by user),N.A.,Impact,N.A.,N.A.,Microsoft Cloud Application Security (MCAS)
Unusual file share activity (by user),N.A.,Impact,N.A.,N.A.,Microsoft Cloud Application Security (MCAS)
Multiple delete VM activities,N.A.,Impact,N.A.,N.A.,Microsoft Cloud Application Security (MCAS)
Ransomware activity,N.A.,N.A.,N.A.,N.A.,Microsoft Cloud Application Security (MCAS)
Unusual file deletion activity (by user),N.A.,N.A.,N.A.,N.A.,Microsoft Cloud Application Security (MCAS)
Investigation priority score increase (preview),N.A.,N.A.,N.A.,N.A.,Microsoft Cloud Application Security (MCAS)