What's new in Defender for Cloud recommendations, alerts, and incidents
This article summarizes what's new in security recommendations, alerts, and incidents in Microsoft Defender for Cloud. It includes information about new, modified, and deprecated recommendations and alerts.
This page is updated frequently with the latest recommendations and alerts in Defender for Cloud.
Find the latest information about new and updated Defender for Cloud features in What's new in Defender for Cloud features.
Find items older than six months in the What's new archive.
Tip
Get notified when this page is updated by copying and pasting the following URL into your feed reader:
https://aka.ms/mdc/rss-recommendations-alerts
- Review a complete list of multicloud security recommendations and alerts:
Recommendations, alerts, and incidents updates
New and updated recommendations, alerts, and incidents are added to the table in date order.
Date | Type | State | Name |
---|---|---|---|
December 16 | Alert | Preview | AI - Access from a Tor IP |
November 19 | Deprecation | GA | MFA recommendations are deprecated as Azure now requires it.. The following recommendations are deprecated: * Accounts with read permissions on Azure resources should be MFA enabled * Accounts with write permissions on Azure resources should be MFA enabled * Accounts with owner permissions on Azure resources should be MFA enabled |
November 19 | Alert | Preview | AI - suspicious user agent detected |
November 19 | Alert | Preview | ASCII Smuggling prompt injection detected |
October 30 | Alert | GA | Suspicious extraction of Azure Cosmos DB account keys |
October 30 | Alert | GA | The access level of a sensitive storage blob container was changed to allow unauthenticated public access |
October 30 | Recommendation | Upcoming Deprecation | MFA recommendations are deprecated as Azure now requires it.. The following recommendations will be deprecated: * Accounts with read permissions on Azure resources should be MFA enabled * Accounts with write permissions on Azure resources should be MFA enabled * Accounts with owner permissions on Azure resources should be MFA enabled |
October 12 | Recommendation | GA | Azure Database for PostgreSQL flexible server should have Microsoft Entra authentication only enabled |
October 6 | Recommendation | Update | [Preview] Containers running in GCP should have vulnerability findings resolved |
October 6 | Recommendation | Update | [Preview] Containers running in AWS should have vulnerability findings resolved |
October 6 | Recommendation | Update | [Preview] Containers running in Azure should have vulnerability findings resolved |
September 10 | Alert | Preview | Corrupted AI application\model\data directed a phishing attempt at a user |
September 10 | Alert | Preview | Phishing URL shared in an AI application |
September 10 | Alert | Preview | Phishing attempt detected in an AI application |
September 5 | Recommendation | GA | System updates should be installed on your machines (powered by Azure Update Manager) |
September 5 | Recommendation | GA | Machines should be configured to periodically check for missing system updates |
August 15 | Incident | Upcoming deprecation | Estimated date for change: September 15, 2024 Security incident detected anomalous geographical location activity (Preview) Security incident detected suspicious app service activity (Preview) Security incident detected suspicious Key Vault activity (Preview) Security incident detected suspicious Azure toolkits activity (Preview) Security incident detected on the same resource (Preview) Security incident detected suspicious IP activity (Preview) Security incident detected suspicious user activity (Preview) Security incident detected suspicious service principal activity (Preview) Security incident detected suspicious SAS activity (Preview) Security incident detected suspicious account activity (Preview) Security incident detected suspicious crypto mining activity (Preview) Security incident detected suspicious fileless attack activity (Preview) Security incident detected suspicious Kubernetes cluster activity (Preview) Security incident detected suspicious storage activity (Preview) Security incident detected suspicious crypto mining activity (Preview) Security incident detected suspicious data exfiltration activity (Preview) Security incident detected suspicious Kubernetes cluster activity (Preview) Security incident detected suspicious DNS activity (Preview) Security incident detected suspicious SQL activity (Preview) Security incident detected suspicious DDOS activity (Preview) |
August 12 | Recommendation | Upcoming deprecation | File integrity monitoring should be enabled on machines Estimated deprecation: August 2024 |
August 11 | Recommendation | Upcoming deprecation | Super identities in your Azure environment should be removed Super Identities in your GCP environment should be removed Estimated deprecation: September 2024 |
August 2 | Recommendation | Preview | Azure DevOps projects should have creation of classic pipelines disabled |
August 2 | Recommendation | Preview | GitHub organizations should block Copilot suggestions that match public code |
August 2 | Recommendation | Preview | GitHub organizations should enforce multifactor authentication for outside collaborators |
August 2 | Recommendation | Preview | GitHub repositories should require minimum two-reviewer approval for code pushes |
July 31 | Recommendation | Preview | Privileged roles should not have permanent access at the subscription and resource group level |
July 31 | Recommendation | Preview | Service Principals should not be assigned with administrative roles at the subscription and resource group level |
July 31 | Recommendation | Update | Azure AI Services resources should use Azure Private Link |
July 31 | Recommendation | GA | [EDR solution should be installed on Virtual Machines](recommendations-reference-compute.md#edr-solution-should-be-installed-on-virtual-machineshttpsportalazurecomblademicrosoft_azure_securityrecommendationsbladeassessmentkey06e3a6db-6c0c-4ad9-943f-31d9d73ecf6c) |
July 31 | Recommendation | GA | [EDR solution should be installed on EC2s](recommendations-reference-compute.md#edr-solution-should-be-installed-on-ec2shttpsportalazurecomblademicrosoft_azure_securityrecommendationsbladeassessmentkey77d09952-2bc2-4495-8795-cc8391452f85) |
July 31 | Recommendation | GA | [EDR solution should be installed on GCP Virtual Machines](recommendations-reference-compute.md#edr-solution-should-be-installed-on-gcp-virtual-machineshttpsportalazurecomblademicrosoft_azure_securityrecommendationsbladeassessmentkey68e595c1-a031-4354-b37c-4bdf679732f1) |
July 31 | Recommendation | GA | [EDR configuration issues should be resolved on virtual machines](recommendations-reference-compute.md#edr-configuration-issues-should-be-resolved-on-virtual-machineshttpsportalazurecomblademicrosoft_azure_securityrecommendationsbladeassessmentkeydc5357d0-3858-4d17-a1a3-072840bff5be) |
July 31 | Recommendation | GA | [EDR configuration issues should be resolved on EC2s](recommendations-reference-compute.md#edr-configuration-issues-should-be-resolved-on-ec2shttpsportalazurecomblademicrosoft_azure_securityrecommendationsbladeassessmentkey695abd03-82bd-4d7f-a94c-140e8a17666c) |
July 31 | Recommendation | GA | [EDR configuration issues should be resolved on GCP virtual machines](recommendations-reference-compute.md#edr-configuration-issues-should-be-resolved-on-gcp-virtual-machineshttpsportalazurecomblademicrosoft_azure_securityrecommendationsbladeassessmentkeyf36a15fb-61a6-428c-b719-6319538ecfbc) |
July 31 | Recommendation | Upcoming deprecation | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
July 31 | Alert | Upcoming deprecation | Traffic detected from IP addresses recommended for blocking |
July 30 | Recommendation | Preview | AWS Bedrock should use AWS PrivateLink |
July 22 | Recommendation | Update | (Enable if required) Azure AI Services resources should encrypt data at rest with a customer-managed key (CMK) |
June 28 | Recommendation | GA | Azure DevOps repositories should require minimum two-reviewer approval for code pushes |
June 28 | Recommendation | GA | Azure DevOps repositories should not allow requestors to approve their own Pull Requests |
June 28 | Recommendation | GA | GitHub organizations should not make action secrets accessible to all repositories |
June 27 | Alert | Deprecation | Security incident detected suspicious source IP activity Severity: Medium/High |
June 27 | Alert | Deprecation | Security incident detected on multiple resources Severity: Medium/High |
June 27 | Alert | Deprecation | Security incident detected compromised machine Severity: Medium/High |
June 27 | Alert | Deprecation | Security incident detected suspicious virtual machines activity Severity: Medium/High |
May 30 | Recommendation | GA | Linux virtual machines should enable Azure Disk Encryption (ADE) or EncryptionAtHost. Assessment key a40cc620-e72c-fdf4-c554-c6ca2cd705c0 |
May 30 | Recommendation | GA | Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost. Assessment key 0cb5f317-a94b-6b80-7212-13a9cc8826af |
May 28 | Recommendation | GA | Machine should be configured securely (powered by MDVM) |
May 1 | Recommendation | Upcoming deprecation | System updates should be installed on your machines. Estimated deprecation: July 2024. |
May 1 | Recommendation | Upcoming deprecation | System updates on virtual machine scale sets should be installed. Estimated deprecation: July 2024. |
May 1 | Recommendation | Upcoming deprecation | Log Analytics agent should be installed on Windows-based Azure Arc-enabled machines Estimated deprecation: July 2024 |
May 1 | Recommendation | Upcoming deprecation | Log Analytics agent should be installed on virtual machine scale sets Estimated deprecation: July 2024 |
May 1 | Recommendation | Upcoming deprecation | Auto provisioning of the Log Analytics agent should be enabled on subscriptions Estimated deprecation: July 2024 |
May 1 | Recommendation | Upcoming deprecation | Log Analytics agent should be installed on virtual machines Estimated deprecation: July 2024 |
May 1 | Recommendation | Upcoming deprecation | Adaptive application controls for defining safe applications should be enabled on your machines Estimated deprecation: July 2024 |
April 18 | Alert | Deprecation | Fileless attack toolkit detected (VM_FilelessAttackToolkit.Windows) Fileless attack technique detected (VM_FilelessAttackTechnique.Windows) Fileless attack behavior detected (VM_FilelessAttackBehavior.Windows) Fileless Attack Toolkit Detected (VM_FilelessAttackToolkit.Linux) Fileless Attack Technique Detected (VM_FilelessAttackTechnique.Linux) Fileless Attack Behavior Detected (VM_FilelessAttackBehavior.Linux) Fileless attack alerts for Windows and Linux VMs will be discontinued. Instead, alerts will be generated by Defender for Endpoint. If you already have the Defender for Endpoint integration enabled in Defender for Servers, there's no action required on your part. In May 2024 you might experience a decrease in your alerts volume, but still remain protected. If you don't currently have integration enabled, enable it to maintain and improve alert coverage. All Defender for Server customers can access the full value of Defender for Endpoint's integration at no additional cost. Learn more. |
April 3 | Recommendation | Upcoming deprecation | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
April 3 | Recommendation | Preview | Container images in Azure registry should have vulnerability findings resolved (Preview) |
April 3 | Recommendation | Preview | Containers running in Azure should have vulnerability findings resolved (Preview) |
April 3 | Recommendation | Preview | Container images in AWS registry should have vulnerability findings resolved (Preview) |
April 3 | Recommendation | Preview | Containers running in AWS should have vulnerability findings resolved (Preview) |
April 3 | Recommendation | Preview | Container images in GCP registry should have vulnerability findings resolved (Preview) |
April 3 | Recommendation | Preview | Containers running in GCP should have vulnerability findings resolved (Preview) |
April 2 | Recommendation | Upcoming deprecation | Virtual machines should be migrated to new Azure Resource Manager resources There's no effect since these resources no longer exist. Estimated date: July 30, 2024 |
April 2 | Recommendation | Update | Azure AI Services should restrict network access. |
April 2 | Recommendation | Update | Azure AI Services should have key access disabled (disable local authentication). |
April 2 | Recommendation | Update | Diagnostic logs in Azure AI services resources should be enabled. |
April 2 | Recommendation | Deprecation | Public network access should be disabled for Cognitive Services accounts. |
April 2 | Recommendation | GA | Azure registry container images should have vulnerabilities resolved |
April 2 | Recommendation | Deprecation | Public network access should be disabled for Cognitive Services accounts |
April 2 | Recommendation | GA | Azure running container images should have vulnerabilities resolved |
April 2 | Recommendation | GA | AWS registry container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management) |
April 2 | Recommendation | GA | AWS running container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management) |
April 2 | Recommendation | GA | GCP registry container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management) |
April 2 | Recommendation | GA | GCP running container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management) |
March 28 | Recommendation | Upcoming | Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost (assessment key a40cc620-e72c-fdf4-c554-c6ca2cd705c0) |
March 28 | Recommendation | Upcoming | Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost (assessment key 0cb5f317-a94b-6b80-7212-13a9cc8826af) Unified disk encryption recommendations will be available for GA in the Azure public cloud in April 2024, replacing the recommendation "Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources." |
March 18 | Recommendation | GA | EDR solution should be installed on virtual machines |
March 18 | Recommendation | GA | EDR configuration issues should be resolved on virtual machines |
March 18 | Recommendation | GA | EDR configuration issues should be resolved on EC2s |
March 18 | Recommendation | GA | EDR solution should be installed on EC2s |
March 18 | Recommendation | GA | EDR configuration issues should be resolved on GCP virtual machines |
March 18 | Recommendation | GA | EDR solution should be installed on GCP virtual machines |
End March | Recommendation | Deprecation | Endpoint protection should be installed on machines . |
End March | Recommendation | Deprecation | Endpoint protection health issues on machines should be resolved |
March 5 | Recommendation | Deprecation | Over-provisioned identities in accounts should be investigated to reduce the Permission Creep Index (PCI) |
March 5 | Recommendation | Deprecation | Over-provisioned identities in subscriptions should be investigated to reduce the Permission Creep Index (PCI) |
February 20 | Recommendation | Upcoming | Azure AI Services resources should restrict network access |
February 20 | Recommendation | Upcoming | Azure AI Services resources should have key access disabled (disable local authentication) |
February 12 | Recommendation | Deprecation | Public network access should be disabled for Cognitive Services accounts . Estimated deprecation: March 14 2024 |
February 8 | Recommendation | Preview | (Preview) Azure Local machine(s) should meet secured-core requirements |
February 8 | Recommendation | Preview | (Preview) Azure Local machine(s) should have consistently enforced application control policies |
February 8 | Recommendation | Preview | (Preview) Azure Local systems should have encrypted volumes |
February 8 | Recommendation | Preview | (Preview) Host and VM networking should be protected on Azure Local systems |
February 1 | Recommendation | Upcoming | EDR solution should be installed on virtual machines EDR configuration issues should be resolved on virtual machines EDR solution should be installed on EC2s EDR configuration issues should be resolved on EC2s EDR configuration issues should be resolved on GCP virtual machines EDR solution should be installed on GCP virtual machines. |
January 25 | Alert (Container) | Deprecation | Anomalous pod deployment (Preview) (K8S_AnomalousPodDeployment) |
January 25 | Alert (Container) | Deprecation | Excessive role permissions assigned in Kubernetes cluster (Preview) (K8S_ServiceAcountPermissionAnomaly) |
January 25 | Alert (Container) | Deprecation | Anomalous access to Kubernetes secret (Preview) (K8S_AnomalousSecretAccess) |
January 25 | Alert (Windows machines) | Update to informational | Adaptive application control policy violation was audited (VM_AdaptiveApplicationControlWindowsViolationAudited) |
January 25 | Alert (Windows machines) | Update to informational | Adaptive application control policy violation was audited (VM_AdaptiveApplicationControlLinuxViolationAudited) |
January 25 | Alert (Container) | Update to informational | Attempt to create a new Linux namespace from a container detected (K8S.NODE_NamespaceCreation) |
January 25 | Alert (Container) | Update to informational | Attempt to stop apt-daily-upgrade.timer service detected (K8S.NODE_TimerServiceDisabled) |
January 25 | Alert (Container) | Update to informational | Command within a container running with high privileges (K8S.NODE_PrivilegedExecutionInContainer) |
January 25 | Alert (Container) | Update to informational | Container running in privileged mode (K8S.NODE_PrivilegedContainerArtifacts) |
January 25 | Alert (Container) | Update to informational | Container with a sensitive volume mount detected (K8S_SensitiveMount) |
January 25 | Alert (Container) | Update to informational | Creation of admission webhook configuration detected (K8S_AdmissionController) |
January 25 | Alert (Container) | Update to informational | Detected suspicious file download (K8S.NODE_SuspectDownloadArtifacts) |
January 25 | Alert (Container) | Update to informational | Docker build operation detected on a Kubernetes node (K8S.NODE_ImageBuildOnNode) |
January 25 | Alert (Container) | Update to informational | New container in the kube-system namespace detected (K8S_KubeSystemContainer) |
January 25 | Alert (Container) | Update to informational | New high privileges role detected (K8S_HighPrivilegesRole) |
January 25 | Alert (Container) | Update to informational | Privileged container detected (K8S_PrivilegedContainer) |
January 25 | Alert (Container) | Update to informational | Process seen accessing the SSH authorized keys file in an unusual way (K8S.NODE_SshKeyAccess) |
January 25 | Alert (Container) | Update to informational | Role binding to the cluster-admin role detected (K8S_ClusterAdminBinding) |
January 25 | Alert (Container) | Update to informational | SSH server is running inside a container (K8S.NODE_ContainerSSH) |
January 25 | Alert (DNS) | Update to informational | Communication with suspicious algorithmically generated domain (AzureDNS_DomainGenerationAlgorithm) |
January 25 | Alert (DNS) | Update to informational | Communication with suspicious algorithmically generated domain (DNS_DomainGenerationAlgorithm) |
January 25 | Alert (DNS) | Update to informational | Communication with suspicious random domain name (Preview) (DNS_RandomizedDomain) |
January 25 | Alert (DNS) | Update to informational | Communication with suspicious random domain name (AzureDNS_RandomizedDomain) |
January 25 | Alert (DNS) | Update to informational | Communication with possible phishing domain (AzureDNS_PhishingDomain) |
January 25 | Alert (DNS) | Update to informational | Communication with possible phishing domain (Preview) (DNS_PhishingDomain) |
January 25 | Alert (Azure App Service) | Update to informational | NMap scanning detected (AppServices_Nmap) |
January 25 | Alert (Azure App Service) | Update to informational | Suspicious User Agent detected (AppServices_UserAgentInjection) |
January 25 | Alert (Azure network layer) | Update to informational | Possible incoming SMTP brute force attempts detected (Generic_Incoming_BF_OneToOne) |
January 25 | Alert (Azure network layer) | Update to informational | Traffic detected from IP addresses recommended for blocking (Network_TrafficFromUnrecommendedIP) |
January 25 | Alert (Azure Resource Manager) | Update to informational | Privileged custom role created for your subscription in a suspicious way (Preview)(ARM_PrivilegedRoleDefinitionCreation) |
January 4 | Recommendation | Preview | Cognitive Services accounts should have local authentication methods disabled Microsoft Cloud Security Benchmark |
January 4 | Recommendation preview | Cognitive Services should use private link Microsoft Cloud Security Benchmark |
|
January 4 | Recommendation | Preview | Virtual machines and virtual machine scale sets should have encryption at host enabled Microsoft Cloud Security Benchmark |
January 4 | Recommendation | Preview | Azure Cosmos DB should disable public network access Microsoft Cloud Security Benchmark |
January 4 | Recommendation | Preview | Cosmos DB accounts should use private link Microsoft Cloud Security Benchmark |
January 4 | Recommendation | Preview | VPN gateways should use only Azure Active Directory (Azure AD) authentication for point-to-site users Microsoft Cloud Security Benchmark |
January 4 | Recommendation | Preview | Azure SQL Database should be running TLS version 1.2 or newer Microsoft Cloud Security Benchmark |
January 4 | Recommendation | Preview | Azure SQL Managed Instances should disable public network access Microsoft Cloud Security Benchmark |
January 4 | Recommendation | Preview | Storage accounts should prevent shared key access Microsoft Cloud Security Benchmark |
December 14 | Recommendation | Preview | Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) Vulnerability assessment for Linux container images with Microsoft Defender Vulnerability Management. |
December 14 | Recommendation | GA | Azure running container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management) Vulnerability assessment for Linux container images with Microsoft Defender Vulnerability Management. |
December 14 | Recommendation | Rename | New: Azure registry container images should have vulnerabilities resolved (powered by Qualys). Vulnerability assessment for container images using Qualys. Old: Container registry images should have vulnerability findings resolved (powered by Qualys) |
December 14 | Recommendation | Rename | New: Azure running container images should have vulnerabilities resolved - (powered by Qualys) Vulnerability assessment for container images using Qualys. Old: Running container images should have vulnerability findings resolved (powered by Qualys) |
December 4 | Alert | Preview | Malicious blob was downloaded from a storage account (Preview) MITRE tactics: Lateral movement |
Related content
For information about new features, see What's new in Defender for Cloud features.