What's new in Defender for Cloud recommendations, alerts, and incidents

This article summarizes what's new in security recommendations, alerts, and incidents in Microsoft Defender for Cloud. It includes information about new, modified, and deprecated recommendations and alerts.

Tip

Get notified when this page is updated by copying and pasting the following URL into your feed reader:

https://aka.ms/mdc/rss-recommendations-alerts

Recommendations, alerts, and incidents updates

New and updated recommendations, alerts, and incidents are added to the table in date order.

Date Type State Name
December 16 Alert Preview AI - Access from a Tor IP
November 19 Deprecation GA MFA recommendations are deprecated as Azure now requires it.
The following recommendations are deprecated:
* Accounts with read permissions on Azure resources should be MFA enabled
* Accounts with write permissions on Azure resources should be MFA enabled
* Accounts with owner permissions on Azure resources should be MFA enabled
November 19 Alert Preview AI - suspicious user agent detected
November 19 Alert Preview ASCII Smuggling prompt injection detected
October 30 Alert GA Suspicious extraction of Azure Cosmos DB account keys
October 30 Alert GA The access level of a sensitive storage blob container was changed to allow unauthenticated public access
October 30 Recommendation Upcoming deprecation MFA recommendations are deprecated as Azure now requires it.
The following recommendations will be deprecated:
* Accounts with read permissions on Azure resources should be MFA enabled
* Accounts with write permissions on Azure resources should be MFA enabled
* Accounts with owner permissions on Azure resources should be MFA enabled
October 12 Recommendation GA Azure Database for PostgreSQL flexible server should have Microsoft Entra authentication only enabled
October 6 Recommendation Update [Preview] Containers running in GCP should have vulnerability findings resolved
October 6 Recommendation Update [Preview] Containers running in AWS should have vulnerability findings resolved
October 6 Recommendation Update [Preview] Containers running in Azure should have vulnerability findings resolved
September 10 Alert Preview Corrupted AI application\model\data directed a phishing attempt at a user
September 10 Alert Preview Phishing URL shared in an AI application
September 10 Alert Preview Phishing attempt detected in an AI application
September 5 Recommendation GA System updates should be installed on your machines (powered by Azure Update Manager)
September 5 Recommendation GA Machines should be configured to periodically check for missing system updates
August 15 Incident Upcoming deprecation Estimated date for change: September 15, 2024

Security incident detected anomalous geographical location activity (Preview)
Security incident detected suspicious app service activity (Preview)
Security incident detected suspicious Key Vault activity (Preview)
Security incident detected suspicious Azure toolkits activity (Preview)
Security incident detected on the same resource (Preview)
Security incident detected suspicious IP activity (Preview)
Security incident detected suspicious user activity (Preview)
Security incident detected suspicious service principal activity (Preview)
Security incident detected suspicious SAS activity (Preview)
Security incident detected suspicious account activity (Preview)
Security incident detected suspicious crypto mining activity (Preview)
Security incident detected suspicious fileless attack activity (Preview)
Security incident detected suspicious Kubernetes cluster activity (Preview)
Security incident detected suspicious storage activity (Preview)
Security incident detected suspicious crypto mining activity (Preview)
Security incident detected suspicious data exfiltration activity (Preview)
Security incident detected suspicious Kubernetes cluster activity (Preview)
Security incident detected suspicious DNS activity (Preview)
Security incident detected suspicious SQL activity (Preview)
Security incident detected suspicious DDOS activity (Preview)
August 12 Recommendation Upcoming deprecation File integrity monitoring should be enabled on machines

Estimated deprecation: August 2024
August 11 Recommendation Upcoming deprecation Super identities in your Azure environment should be removed
Super Identities in your GCP environment should be removed

Estimated deprecation: September 2024
August 2 Recommendation Preview Azure DevOps projects should have creation of classic pipelines disabled
August 2 Recommendation Preview GitHub organizations should block Copilot suggestions that match public code
August 2 Recommendation Preview GitHub organizations should enforce multifactor authentication for outside collaborators
August 2 Recommendation Preview GitHub repositories should require minimum two-reviewer approval for code pushes
July 31 Recommendation Preview Privileged roles should not have permanent access at the subscription and resource group level
July 31 Recommendation Preview Service Principals should not be assigned with administrative roles at the subscription and resource group level
July 31 Recommendation Update Azure AI Services resources should use Azure Private Link
July 31 Recommendation GA EDR solution should be installed on Virtual Machines
July 31 Recommendation GA EDR solution should be installed on EC2s
July 31 Recommendation GA EDR solution should be installed on GCP Virtual Machines
July 31 Recommendation GA EDR configuration issues should be resolved on virtual machines
July 31 Recommendation GA EDR configuration issues should be resolved on EC2s
July 31 Recommendation GA EDR configuration issues should be resolved on GCP virtual machines
July 31 Recommendation Upcoming deprecation Adaptive network hardening recommendations should be applied on internet facing virtual machines
July 31 Alert Upcoming deprecation Traffic detected from IP addresses recommended for blocking
July 30 Recommendation Preview AWS Bedrock should use AWS PrivateLink
July 22 Recommendation Update (Enable if required) Azure AI Services resources should encrypt data at rest with a customer-managed key (CMK)
June 28 Recommendation GA Azure DevOps repositories should require minimum two-reviewer approval for code pushes
June 28 Recommendation GA Azure DevOps repositories should not allow requestors to approve their own Pull Requests
June 28 Recommendation GA GitHub organizations should not make action secrets accessible to all repositories
June 27 Alert Deprecation Security incident detected suspicious source IP activity

Severity: Medium/High
June 27 Alert Deprecation Security incident detected on multiple resources

Severity: Medium/High
June 27 Alert Deprecation Security incident detected compromised machine

Severity: Medium/High
June 27 Alert Deprecation Security incident detected suspicious virtual machines activity

Severity: Medium/High
May 30 Recommendation GA Linux virtual machines should enable Azure Disk Encryption (ADE) or EncryptionAtHost. Assessment key a40cc620-e72c-fdf4-c554-c6ca2cd705c0
May 30 Recommendation GA Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost. Assessment key 0cb5f317-a94b-6b80-7212-13a9cc8826af
May 28 Recommendation GA Machine should be configured securely (powered by MDVM)
May 1 Recommendation Upcoming deprecation System updates should be installed on your machines.

Estimated deprecation: July 2024.
May 1 Recommendation Upcoming deprecation System updates on virtual machine scale sets should be installed.

Estimated deprecation: July 2024.
May 1 Recommendation Upcoming deprecation Log Analytics agent should be installed on Windows-based Azure Arc-enabled machines

Estimated deprecation: July 2024
May 1 Recommendation Upcoming deprecation Log Analytics agent should be installed on virtual machine scale sets

Estimated deprecation: July 2024
May 1 Recommendation Upcoming deprecation Auto provisioning of the Log Analytics agent should be enabled on subscriptions

Estimated deprecation: July 2024
May 1 Recommendation Upcoming deprecation Log Analytics agent should be installed on virtual machines

Estimated deprecation: July 2024
May 1 Recommendation Upcoming deprecation Adaptive application controls for defining safe applications should be enabled on your machines

Estimated deprecation: July 2024
April 18 Alert Deprecation Fileless attack toolkit detected (VM_FilelessAttackToolkit.Windows)
Fileless attack technique detected (VM_FilelessAttackTechnique.Windows)
Fileless attack behavior detected (VM_FilelessAttackBehavior.Windows)
Fileless Attack Toolkit Detected (VM_FilelessAttackToolkit.Linux)
Fileless Attack Technique Detected (VM_FilelessAttackTechnique.Linux)
Fileless Attack Behavior Detected (VM_FilelessAttackBehavior.Linux)

Fileless attack alerts for Windows and Linux VMs will be discontinued. Instead, alerts will be generated by Defender for Endpoint. If you already have the Defender for Endpoint integration enabled in Defender for Servers, there's no action required on your part. In May 2024 you might experience a decrease in your alerts volume, but still remain protected. If you don't currently have integration enabled, enable it to maintain and improve alert coverage. All Defender for Server customers can access the full value of Defender for Endpoint's integration at no additional cost.
April 3 Recommendation Upcoming deprecation Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
April 3 Recommendation Preview Container images in Azure registry should have vulnerability findings resolved (Preview)
April 3 Recommendation Preview Containers running in Azure should have vulnerability findings resolved (Preview)
April 3 Recommendation Preview Container images in AWS registry should have vulnerability findings resolved (Preview)
April 3 Recommendation Preview Containers running in AWS should have vulnerability findings resolved (Preview)
April 3 Recommendation Preview Container images in GCP registry should have vulnerability findings resolved (Preview)
April 3 Recommendation Preview Containers running in GCP should have vulnerability findings resolved (Preview)
April 2 Recommendation Upcoming deprecation Virtual machines should be migrated to new Azure Resource Manager resources

There's no effect since these resources no longer exist. Estimated date: July 30, 2024
April 2 Recommendation Update Azure AI Services should restrict network access.
April 2 Recommendation Update Azure AI Services should have key access disabled (disable local authentication).
April 2 Recommendation Update Diagnostic logs in Azure AI services resources should be enabled.
April 2 Recommendation Deprecation Public network access should be disabled for Cognitive Services accounts.
April 2 Recommendation GA Azure registry container images should have vulnerabilities resolved
April 2 Recommendation Deprecation Public network access should be disabled for Cognitive Services accounts
April 2 Recommendation GA Azure running container images should have vulnerabilities resolved
April 2 Recommendation GA AWS registry container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management)
April 2 Recommendation GA AWS running container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management)
April 2 Recommendation GA GCP registry container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management)
April 2 Recommendation GA GCP running container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management)
March 28 Recommendation Upcoming Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost (assessment key a40cc620-e72c-fdf4-c554-c6ca2cd705c0)
March 28 Recommendation Upcoming Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost (assessment key 0cb5f317-a94b-6b80-7212-13a9cc8826af)

Unified disk encryption recommendations will be available for GA in the Azure public cloud in April 2024, replacing the recommendation "Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources."
March 18 Recommendation GA EDR solution should be installed on virtual machines
March 18 Recommendation GA EDR configuration issues should be resolved on virtual machines
March 18 Recommendation GA EDR configuration issues should be resolved on EC2s
March 18 Recommendation GA EDR solution should be installed on EC2s
March 18 Recommendation GA EDR configuration issues should be resolved on GCP virtual machines
March 18 Recommendation GA EDR solution should be installed on GCP virtual machines
End March Recommendation Deprecation Endpoint protection should be installed on machines
End March Recommendation Deprecation Endpoint protection health issues on machines should be resolved
March 5 Recommendation Deprecation Over-provisioned identities in accounts should be investigated to reduce the Permission Creep Index (PCI)
March 5 Recommendation Deprecation Over-provisioned identities in subscriptions should be investigated to reduce the Permission Creep Index (PCI)
February 20 Recommendation Upcoming Azure AI Services resources should restrict network access
February 20 Recommendation Upcoming Azure AI Services resources should have key access disabled (disable local authentication)
February 12 Recommendation Deprecation Public network access should be disabled for Cognitive Services accounts. Estimated deprecation: March 14 2024
February 8 Recommendation Preview (Preview) Azure Local machine(s) should meet secured-core requirements
February 8 Recommendation Preview (Preview) Azure Local machine(s) should have consistently enforced application control policies
February 8 Recommendation Preview (Preview) Azure Local systems should have encrypted volumes
February 8 Recommendation Preview (Preview) Host and VM networking should be protected on Azure Local systems
February 1 Recommendation Upcoming EDR solution should be installed on virtual machines
EDR configuration issues should be resolved on virtual machines
EDR solution should be installed on EC2s
EDR configuration issues should be resolved on EC2s
EDR configuration issues should be resolved on GCP virtual machines
EDR solution should be installed on GCP virtual machines.
January 25 Alert (Container) Deprecation Anomalous pod deployment (Preview) (K8S_AnomalousPodDeployment)
January 25 Alert (Container) Deprecation Excessive role permissions assigned in Kubernetes cluster (Preview) (K8S_ServiceAcountPermissionAnomaly)
January 25 Alert (Container) Deprecation Anomalous access to Kubernetes secret (Preview) (K8S_AnomalousSecretAccess)
January 25 Alert (Windows machines) Update to informational Adaptive application control policy violation was audited (VM_AdaptiveApplicationControlWindowsViolationAudited)
January 25 Alert (Windows machines) Update to informational Adaptive application control policy violation was audited (VM_AdaptiveApplicationControlLinuxViolationAudited)
January 25 Alert (Container) Update to informational Attempt to create a new Linux namespace from a container detected (K8S.NODE_NamespaceCreation)
January 25 Alert (Container) Update to informational Attempt to stop apt-daily-upgrade.timer service detected (K8S.NODE_TimerServiceDisabled)
January 25 Alert (Container) Update to informational Command within a container running with high privileges (K8S.NODE_PrivilegedExecutionInContainer)
January 25 Alert (Container) Update to informational Container running in privileged mode (K8S.NODE_PrivilegedContainerArtifacts)
January 25 Alert (Container) Update to informational Container with a sensitive volume mount detected (K8S_SensitiveMount)
January 25 Alert (Container) Update to informational Creation of admission webhook configuration detected (K8S_AdmissionController)
January 25 Alert (Container) Update to informational Detected suspicious file download (K8S.NODE_SuspectDownloadArtifacts)
January 25 Alert (Container) Update to informational Docker build operation detected on a Kubernetes node (K8S.NODE_ImageBuildOnNode)
January 25 Alert (Container) Update to informational New container in the kube-system namespace detected (K8S_KubeSystemContainer)
January 25 Alert (Container) Update to informational New high privileges role detected (K8S_HighPrivilegesRole)
January 25 Alert (Container) Update to informational Privileged container detected (K8S_PrivilegedContainer)
January 25 Alert (Container) Update to informational Process seen accessing the SSH authorized keys file in an unusual way (K8S.NODE_SshKeyAccess)
January 25 Alert (Container) Update to informational Role binding to the cluster-admin role detected (K8S_ClusterAdminBinding)
January 25 Alert (Container) Update to informational SSH server is running inside a container (K8S.NODE_ContainerSSH)
January 25 Alert (DNS) Update to informational Communication with suspicious algorithmically generated domain (AzureDNS_DomainGenerationAlgorithm)
January 25 Alert (DNS) Update to informational Communication with suspicious algorithmically generated domain (DNS_DomainGenerationAlgorithm)
January 25 Alert (DNS) Update to informational Communication with suspicious random domain name (Preview) (DNS_RandomizedDomain)
January 25 Alert (DNS) Update to informational Communication with suspicious random domain name (AzureDNS_RandomizedDomain)
January 25 Alert (DNS) Update to informational Communication with possible phishing domain (AzureDNS_PhishingDomain)
January 25 Alert (DNS) Update to informational Communication with possible phishing domain (Preview) (DNS_PhishingDomain)
January 25 Alert (Azure App Service) Update to informational NMap scanning detected (AppServices_Nmap)
January 25 Alert (Azure App Service) Update to informational Suspicious User Agent detected (AppServices_UserAgentInjection)
January 25 Alert (Azure network layer) Update to informational Possible incoming SMTP brute force attempts detected (Generic_Incoming_BF_OneToOne)
January 25 Alert (Azure network layer) Update to informational Traffic detected from IP addresses recommended for blocking (Network_TrafficFromUnrecommendedIP)
January 25 Alert (Azure Resource Manager) Update to informational Privileged custom role created for your subscription in a suspicious way (Preview) (ARM_PrivilegedRoleDefinitionCreation)
January 4 Recommendation Preview Cognitive Services accounts should have local authentication methods disabled
Microsoft Cloud Security Benchmark
January 4 Recommendation Preview Cognitive Services should use private link
Microsoft Cloud Security Benchmark
January 4 Recommendation Preview Virtual machines and virtual machine scale sets should have encryption at host enabled
Microsoft Cloud Security Benchmark
January 4 Recommendation Preview Azure Cosmos DB should disable public network access
Microsoft Cloud Security Benchmark
January 4 Recommendation Preview Cosmos DB accounts should use private link
Microsoft Cloud Security Benchmark
January 4 Recommendation Preview VPN gateways should use only Azure Active Directory (Azure AD) authentication for point-to-site users
Microsoft Cloud Security Benchmark
January 4 Recommendation Preview Azure SQL Database should be running TLS version 1.2 or newer
Microsoft Cloud Security Benchmark
January 4 Recommendation Preview Azure SQL Managed Instances should disable public network access
Microsoft Cloud Security Benchmark
January 4 Recommendation Preview Storage accounts should prevent shared key access
Microsoft Cloud Security Benchmark
December 14 Recommendation Preview Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)

Vulnerability assessment for Linux container images with Microsoft Defender Vulnerability Management.
December 14 Recommendation GA Azure running container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management)

Vulnerability assessment for Linux container images with Microsoft Defender Vulnerability Management.
December 14 Recommendation Rename New: Azure registry container images should have vulnerabilities resolved (powered by Qualys). Vulnerability assessment for container images using Qualys.
Old: Container registry images should have vulnerability findings resolved (powered by Qualys)
December 14 Recommendation Rename New: Azure running container images should have vulnerabilities resolved - (powered by Qualys)

Vulnerability assessment for container images using Qualys.
Old: Running container images should have vulnerability findings resolved (powered by Qualys)
December 4 Alert Preview Malicious blob was downloaded from a storage account (Preview)

MITRE tactics: Lateral movement

For information about new features, see What's new in Defender for Cloud features.