This article summarizes what's new in security recommendations, alerts, and incidents in Microsoft Defender for Cloud. It includes information about new, modified, and deprecated recommendations and alerts.
This page is updated frequently with the latest recommendations and alerts in Defender for Cloud.
Recommendations older than six months are found in the relevant recommendations reference list.
Find the latest information about new and updated Defender for Cloud features in What's new in Defender for Cloud features.
Tip
Get notified when this page is updated by copying and pasting the following URL into your feed reader:
https://aka.ms/mdc/rss-recommendations-alerts
Review a complete list of multicloud security recommendations and alerts:
- AI recommendations
- Compute recommendations
- Container recommendations
- Data recommendations
- DevOps recommendations
- Identity and access recommendations
- IoT recommendations
- Keyvault recommendations
- Networking recommendations
- Deprecated recommendations
- Security alerts
- Security incidents
- Serverless containers recommendations
Recommendations, alerts, and incidents updates
New and updated recommendations, alerts, and incidents are added to the table in date order.
| Date announced | Type | State | Name |
|---|---|---|---|
| June 9, 2026 | Recommendation | Preview | New preview multicloud recommendations are now available for AWS MSK, AWS OpenSearch Service, GCP App Engine, and GCP Certificate Manager across networking, data, identity and access, and compute categories. |
| June 8, 2026 | Recommendation | Preview | Customer-managed KMS key should be configured for encryption on Amazon AppFlow Flows (Preview) |
| June 8, 2026 | Recommendation | Preview | Glue Data Catalog metadata registration should be configured on AppFlow flows (Preview) |
| June 8, 2026 | Recommendation | Preview | CloudWatch query metrics should be enabled on Athena workgroups (Preview) |
| June 8, 2026 | Recommendation | Preview | Workgroup configuration enforcement should be enabled on Athena workgroups (Preview) |
| June 8, 2026 | Recommendation | Preview | Expected S3 bucket owner should be configured for query results on Athena workgroups (Preview) |
| June 8, 2026 | Recommendation | Preview | Query results output location should be configured on Athena workgroups (Preview) |
| June 8, 2026 | Recommendation | Preview | KMS-based encryption should be enforced for query results on Athena workgroups (Preview) |
| June 8, 2026 | Recommendation | Preview | Encryption at rest should be enabled for EBS volumes in Auto Scaling Groups (Preview) |
| June 8, 2026 | Recommendation | Preview | Customer-managed encryption keys should be enabled on Comprehend EntityRecognizer Models (Preview) |
| June 8, 2026 | Recommendation | Preview | Customer-managed encryption keys should be enabled on Comprehend EntityRecognizer Volume (Preview) |
| June 8, 2026 | Recommendation | Preview | VPC configuration should be enabled on Amazon Comprehend EntityRecognizer (Preview) |
| June 8, 2026 | Recommendation | Preview | Customer-managed encryption keys should be used on DMS replication instances (Preview) |
| June 8, 2026 | Recommendation | Preview | Data integrity verification should be enabled on DataSync tasks (Preview) |
| June 8, 2026 | Recommendation | Preview | File-level audit visibility should be configured on DataSync tasks (Preview) |
| June 8, 2026 | Recommendation | Preview | Automatic backups should be enabled on FSx for Lustre (Preview) |
| June 8, 2026 | Recommendation | Preview | Automatic backups should be enabled on FSx for OpenZFS (Preview) |
| June 8, 2026 | Recommendation | Preview | File access auditing should be enabled on FSx for Windows File Server (Preview) |
| June 8, 2026 | Recommendation | Preview | Automatic backups should be enabled on FSx for Windows File Server (Preview) |
| June 8, 2026 | Recommendation | Preview | Customer-managed KMS encryption at rest should be configured on Amazon Kendra indexes (Preview) |
| June 8, 2026 | Recommendation | Preview | Customer-managed KMS keys should be used for encryption on Amazon Keyspaces tables without replica regions (Preview) |
| June 8, 2026 | Recommendation | Preview | Point-in-Time Recovery (PITR) should be enabled on Amazon Keyspaces tables (Preview) |
| June 8, 2026 | Recommendation | Preview | Server-side encryption should be enabled on Kinesis streams (Preview) |
| June 8, 2026 | Recommendation | Preview | Customer-managed KMS key for encryption at rest should be configured on Amazon MQ broker (Preview) |
| June 8, 2026 | Recommendation | Preview | Encryption at rest should be enabled on Neptune DB instances (Preview) |
| June 8, 2026 | Recommendation | Preview | Public sharing should be disabled on QuickSight accounts (Preview) |
| June 8, 2026 | Recommendation | Preview | Termination protection should be enabled on Amazon QuickSight accounts (Preview) |
| June 8, 2026 | Recommendation | Preview | Smart card sign-in should be configured for WorkSpaces Applications (AppStream) Stacks (Preview) |
| June 8, 2026 | Recommendation | Preview | Secure authorization modes should be configured on AppSync APIs (Preview) |
| June 8, 2026 | Recommendation | Preview | IMDSv2 should be configured on Auto Scaling Groups (Preview) |
| June 8, 2026 | Recommendation | Preview | Trust policy scoping conditions should be enforced on unauthenticated IAM roles for Amazon Cognito Identity Pool (Preview) |
| June 8, 2026 | Recommendation | Preview | Wildcard principals should be removed from Amazon Cognito Identity Pool IAM role trust policies (Preview) |
| June 8, 2026 | Recommendation | Preview | Multi-factor authentication should be enforced on Cognito User Pools (Preview) |
| June 8, 2026 | Recommendation | Preview | Strong password policy should be enforced on Cognito User Pools (Preview) |
| June 8, 2026 | Recommendation | Preview | Threat protection should be enabled on Cognito User Pools (Preview) |
| June 8, 2026 | Recommendation | Preview | Custom KMS key should be configured for encryption on Cognito User Pools (Preview) |
| June 8, 2026 | Recommendation | Preview | Object tags should be preserved during transfer on DataSync tasks (Preview) |
| June 8, 2026 | Recommendation | Preview | POSIX permissions should be preserved during transfer on DataSync tasks (Preview) |
| June 8, 2026 | Recommendation | Preview | POSIX user and group ownership should be preserved during transfer on DataSync tasks (Preview) |
| June 8, 2026 | Recommendation | Preview | SMB security descriptors should be preserved during Windows-to-Windows transfers on DataSync tasks (Preview) |
| June 8, 2026 | Recommendation | Preview | Per-user query access control should be configured on Amazon Kendra indexes (Preview) |
| June 8, 2026 | Recommendation | Preview | Secure authentication strategy should be configured on Amazon MQ brokers (Preview) |
| June 8, 2026 | Recommendation | Preview | VPC Access Endpoints should be configured on WorkSpaces Applications (AppStream) Stacks (Preview) |
| June 8, 2026 | Recommendation | Preview | AWS WAF web ACL should be associated with AppSync APIs (Preview) |
| June 8, 2026 | Recommendation | Preview | Public access should be disabled on DMS replication instances (Preview) |
| June 8, 2026 | Recommendation | Preview | Public access should be disabled on Amazon MQ brokers (Preview) |
| June 8, 2026 | Recommendation | Preview | CloudWatch group metrics collection should be enabled on Auto Scaling Groups (Preview) |
| June 8, 2026 | Recommendation | Preview | Deletion protection should be enabled on Auto Scaling Groups (Preview) |
| June 8, 2026 | Recommendation | Preview | Artifact encryption should be enabled on CodeBuild projects (Preview) |
| June 8, 2026 | Recommendation | Preview | Privileged mode should be disabled on CodeBuild projects (Preview) |
| June 8, 2026 | Recommendation | Preview | Source provider authentication should be enabled on CodeBuild projects (Preview) |
| June 8, 2026 | Recommendation | Preview | Secure SSL should be enabled on CodeBuild source connections (Preview) |
| June 8, 2026 | Recommendation | Preview | Data at rest encryption with customer-managed keys should be enabled on Kinesis streams (Preview) |
| June 8, 2026 | Recommendation | Preview | Audit logging should be enabled on Amazon MQ broker (Preview) |
| June 8, 2026 | Recommendation | Preview | General logging should be enabled on Amazon MQ broker (Preview) |
| June 3, 2026 | Recommendation | Preview | IAM task roles assigned to ECS Fargate tasks should follow least privilege |
| June 3, 2026 | Recommendation | Preview | ECS Fargate tasks shouldn't run containers with elevated privileges |
| June 3, 2026 | Recommendation | Preview | Read-only root filesystem should be enabled for ECS Containers |
| June 3, 2026 | Recommendation | Preview | ECS Fargate tasks shouldn't be publicly exposed |
| June 3, 2026 | Recommendation | Preview | Logging should be configured for ECS Exec on ECS clusters |
| June 3, 2026 | Recommendation | Preview | ECS Exec should be disabled on Fargate ECS services |
| June 3, 2026 | Recommendation | Preview | Authentication should be enabled on Azure Container Apps |
| June 3, 2026 | Recommendation | Preview | Azure Container Apps shouldn't be exposed to the public internet unless required |
| June 3, 2026 | Recommendation | Preview | Managed identities assigned to Azure Container Apps should follow least privilege |
| June 3, 2026 | Recommendation | Preview | Azure Container Instances shouldn't be publicly exposed |
| June 3, 2026 | Recommendation | Preview | Managed identities assigned to Azure Container Instances should follow least privilege |
| June 2, 2026 | Recommendation | Preview | The following recommendations are now available in preview for Kubernetes node vulnerability assessment on EKS and GKE: * EKS nodes should have vulnerability findings resolved * GKE nodes should have vulnerability findings resolved |
| June 1, 2026 | Recommendation | Preview | The following new container-level Kubernetes misconfiguration recommendations are now available in preview as part of Defender CSPM: * Containers shouldn't use excessive CPU or memory * Containers should only use images from trusted registries * Containers shouldn't allow privilege escalation * Containers shouldn't share sensitive host namespaces * Containers should use a read-only root filesystem * Kubernetes clusters should be accessible only over HTTPS * Containers shouldn't automount API credentials * Containers shouldn't run in the default namespace * Containers should drop all capabilities and add only those required * Privileged containers should be avoided * Containers shouldn't run as root These container-level recommendations replace existing cluster-level equivalents. Cluster-level recommendations will be deprecated at GA. |
| June 1, 2026 | Recommendation | Upcoming deprecation | The following cluster-level Kubernetes recommendations are set for deprecation at GA of the new container-level misconfiguration recommendations: * Containers should only use allowed AppArmor profiles * Kubernetes clusters shouldn't grant CAP_SYS_ADMIN security capabilities * Services should listen on allowed ports only * Usage of host networking and ports should be restricted * Usage of pod HostPath volume mounts should be restricted to a known list to restrict node access from compromised containers |
| June 1, 2026 | Recommendation | Preview | Upgrade Azure Kubernetes Service Version |
| June 1, 2026 | Recommendation | GA | Code Signing should be enabled on Lambda |
| June 1, 2026 | Recommendation | GA | Security mechanism should be used on lambda function API Gateway |
| June 1, 2026 | Recommendation | GA | Authentication should be enabled on Lambda Function URLs |
| June 1, 2026 | Recommendation | GA | Lambda function should implement Reserved Concurrency to prevent resource exhaustion |
| June 1, 2026 | Recommendation | GA | Lambda function should be configured with automatic runtime version updates |
| June 1, 2026 | Recommendation | GA | Authentication should be enabled on Azure Functions |
| June 1, 2026 | Recommendation | GA | Overly permissive permissions shouldn't be configured on Function App, Web App, or Logic App |
| June 1, 2026 | Recommendation | GA | Restricted network access should be configured on Internet exposed Function app |
| May 13, 2026 | Alert | Deprecated | The following alert is now deprecated: (Preview) Suspicious sensitive data mentioned by your Azure AI resource (AI.Azure_SensitiveDataAnomaly). |
| May 12, 2026 | Recommendation | Preview | The following recommendations are now available in preview for Azure Database for PostgreSQL Flexible Servers as part of Defender CSPM: * connection_throttle should be set to “on” for PostgreSQL Servers * logfiles.retention_days should be greater than 3 for PostgreSQL Servers * pgaudit.log_statement should be set to “on” for Azure Database for PostgreSQL Servers * pgaudit.log_statement_once should be set to “on” for Azure Database for PostgreSQL Servers * pgaudit.log should include role, ddl, and misc for Azure Database for PostgreSQL Servers * pgaudit.log_level should be set to “log” for Azure Database for PostgreSQL Servers * Public IP access should be disabled for Azure Database for PostgreSQL Servers |
| April 30, 2026 | Recommendation | Deprecation | Grouped recommendation types are deprecated from the Azure portal and will be removed on July 30, 2026. These recommendations are currently tagged as Set for deprecation. |
| April 14, 2026 | Recommendation | Preview | The following recommendations are now available in preview for Azure Database for PostgreSQL Flexible Servers as part of Defender CSPM: * Private endpoint should be configured for Azure Database for PostgreSQL Servers * 'Allow access to Azure services' should be disabled for PostgreSQL Servers |
| April 13, 2026 | Recommendation | Deprecation | Following the announcement from March 4, 2026, the following grouped container vulnerability recommendations are now deprecated: Container recommendations: * [Preview] Containers running in Azure should have vulnerability findings resolved * [Preview] Containers running in AWS should have vulnerability findings resolved * [Preview] Containers running in GCP should have vulnerability findings resolved Container image recommendations: * [Preview] Container images in Azure registry should have vulnerability findings resolved * [Preview] Container images in AWS registry should have vulnerability findings resolved * [Preview] Container images in GCP registry should have vulnerability findings resolved These grouped recommendations are being replaced by individual recommendations that provide more granular visibility, better prioritization, and improved governance. Learn more in Deprecation of preview of container and container images vulnerability recommendations. |
| March 30, 2026 | Alert | Preview | The following alert is now in Preview: * Malicious content detected in uploaded AI model |
| March 29, 2026 | Recommendation | Preview | The following recommendations are now available in preview for Azure Database for PostgreSQL Flexible Servers as part of Defender CSPM: * Geo-redundant backups should be enabled for PostgreSQL Servers * require_secure_transport should be set to "on" for Azure Database for PostgreSQL Servers |
| March 29, 2026 | Recommendation | Deprecation | Following the announcement from December 3, 2025, the recommendation Microsoft Defender for SQL status should be protected for Arc-enabled SQL Servers for Defender for SQL Servers on Machines plan is now deprecated. |
| March 04, 2026 | Recommendation | Upcoming deprecation | The following grouped container vulnerability recommendations are set for deprecation on April 13, 2026: Container recommendations: * [Preview] Containers running in Azure should have vulnerability findings resolved * [Preview] Containers running in AWS should have vulnerability findings resolved * [Preview] Containers running in GCP should have vulnerability findings resolved Container image recommendations: * [Preview] Container images in Azure registry should have vulnerability findings resolved * [Preview] Container images in AWS registry should have vulnerability findings resolved * [Preview] Container images in GCP registry should have vulnerability findings resolved These grouped recommendations are being replaced by individual recommendations that provide more granular visibility, better prioritization, and improved governance. Learn more in Deprecation of preview of container and container images vulnerability recommendations. |
| February 24, 2026 | Recommendation | GA | The following data recommendations are GA: - Storage accounts should restrict network access using virtual network rules. - Storage account should use a private link connection. - Storage accounts should prevent shared key access. |
| February 16, 2026 | Recommendation | Upcoming deprecation (March 19, 2026) | The preview recommendation Machines should be configured securely (powered by MDVM), which applied to Windows machines, is set for deprecation. The recommendation is set to be replaced by the following OS-specific recommendations, which include Linux support using Guest configuration: - Vulnerabilities in security configuration on your Linux machines should be remediated (powered by Guest Configuration) - Vulnerabilities in security configuration on your Windows machines should be remediated (powered by Guest Configuration). These replacement recommendations are already available in Defender for Cloud. If you have any governance rules, reports, or workflows that reference the deprecated recommendation, update them to use the replacement recommendations. To ensure the new recommendations can assess your machines, verify that the required prerequisites are in place: - Azure machines should have the Azure Machine Configuration extension installed. - Non-Azure machines should be onboarded via Azure Arc, which includes the Machine Configuration extension by default. |
| February 10, 2026 | Recommendation | Preview | The following recommendations are released in Preview: * Execute permissions on xp_cmdshell from all users (except dbo) should be revoked for SQL Servers * Latest updates should be installed for SQL Servers * Database user GUEST shouldn't be a member of any role in SQL databases * Ad hoc distributed queries should be disabled for SQL Servers * CLR should be disabled for SQL Servers * Untracked trusted assemblies should be removed for SQL Servers * Database ownership chaining should be disabled for all databases except for 'master', 'msdb' and 'tempdb' on SQL Servers * Principal GUEST shouldn't have access to any user SQL database * Remote Admin Connections should be disabled unless required for SQL databases * Default trace should be enabled for SQL Servers * CHECK_POLICY should be enabled for all SQL logins for SQL Servers * Password expiration check should be enabled for all SQL logins on SQL Servers * Database principals shouldn't be mapped to the sa account in SQL databases * AUTO_CLOSE should be disabled for SQL databases * BUILTIN\Administrators should be removed as a server login for SQL Servers * Account with default name 'sa' should be renamed and disabled on SQL Servers * Excessive permissions shouldn't be granted to PUBLIC role on objects or columns in SQL databases * 'sa' login should be disabled for SQL Servers * xp_cmdshell should be disabled for SQL Servers * Unused service broker endpoints should be removed for SQL Servers * Database Mail XPs should be disabled when it isn't in use on SQL Servers * Server permissions shouldn't be granted directly to principals for SQL Servers * Database users shouldn't share the same name as a server login for Model SQL database * 'Scan for startup stored procedures' option should be disabled for SQL Servers * Authentication mode should be Windows Authentication for SQL Servers * Auditing of both successful and failed login attempts (default trace) should be enabled when 'Login auditing' is set up to track logins for SQL Servers * SQL Server instance shouldn't be advertised by the SQL Server Browser service for SQL Servers * Maximum number of error logs should be 12 or more for SQL Servers * Database permissions shouldn't be granted directly to principals for SQL Servers * Excessive permissions shouldn't be granted to PUBLIC role in SQL databases * Principal GUEST shouldn't be granted permissions in SQL databases * Principal GUEST shouldn't be granted permissions on objects or columns in SQL databases * AES encryption should be required for any Existing Mirroring or SSB endpoint on SQL Databases * GUEST user shouldn't be granted permissions on SQL database securables * The Trustworthy bit should be disabled on all databases except MSDB for SQL Databases * 'dbo' user shouldn't be used for normal service operation in SQL databases * Only 'dbo' should have access to Model SQL database * Transparent data encryption should be enabled for SQL databases * Database communication using TDS should be protected through TLS for SQL Servers * Database Encryption Symmetric Keys should use AES algorithm in SQL databases * Cell-Level Encryption keys should use AES algorithm in SQL databases * Certificate keys should use at least 2,048 bits for SQL Databases * Asymmetric keys' length should be at least 2,048 bits in SQL databases * Filestream should be disabled for SQL Servers * Server configuration 'Replication XPs' should be disabled for SQL Servers * Orphaned users should be removed from SQL server databases * The database owner information in the database should match the respective database owner information in the master database for SQL databases * Application roles shouldn't be used in SQL databases * There should be no SPs marked as auto-start for SQL Servers * User-defined database roles shouldn't be members of fixed roles in SQL databases * User CLR assemblies shouldn't be defined in SQL databases * Database owners should be as expected for SQL databases * Auditing of both successful and failed login attempts should be enabled for SQL Servers * Auditing of both successful and failed login attempts for contained DB authentication should be enabled for SQL databases * Contained users should use Windows Authentication in SQL Server databases * Polybase network encryption should be enabled for SQL databases * Create a baseline of External Key Management Providers for SQL Servers * Force encryption should be enabled for TDS for SQL Servers * Server Permissions granted to public should be minimized for SQL Servers * All memberships for user-defined roles should be intended in SQL databases * Orphan database roles should be removed from SQL databases * There should be at least 1 active audit in the system for SQL Servers * Minimal set of principals should be granted ALTER or ALTER ANY USER database-scoped permissions in SQL databases * Minimal set of principals should be granted EXECUTE permission on objects or columns in SQL databases * SQL Threat Detection should be enabled at the SQL server level * Auditing should be enabled at the server level for SQL Servers * Database-level firewall rules shouldn't grant excessive access for SQL Servers * Server-level firewall rules shouldn't grant excessive access for SQL Servers * Database-level firewall rules should be tracked and maintained at a strict minimum for SQL Servers * Server-level firewall rules should be tracked and maintained at a strict minimum on SQL Servers * Unnecessary execute permissions on extended stored procedures should be revoked for SQL Servers * Minimal set of principals should be members of fixed Azure SQL Database master database roles * Minimal set of principals should be members of fixed high impact database roles in SQL databases * Minimal set of principals should be members of fixed low impact database roles in SQL databases * Execute permissions to access the registry should be restricted for SQL Servers * Sample databases should be removed for SQL Servers * Data Transformation Services (DTS) permissions should only be granted to SSIS roles in MSDB SQL database * Minimal set of principals should be members of fixed server roles for SQL Servers * Features that may affect security should be disabled for SQL Servers * 'OLE Automation Procedures' feature should be disabled for SQL Servers * 'User Options' feature should be disabled for SQL Servers * Extensibility-features that may affect security should be disabled if not needed for SQL Servers * Vulnerability Assessment should be configured on SQL Server 2012 and higher only * Changes to signed modules should be authorized for SQL databases * Track all users with access to the database for SQL Databases * SQL logins with commonly used names should be disabled for SQL Servers * See the full rules and recommendations mapping |
| December 11, 2025 | Alert | Deprecated | The following alerts are now deprecated. * AppServices_AnomalousPageAccess * AppServices_CurlToDisk * AppServices_WpThemeInjection * AppServices_SmartScreen * AppServices_ScanSensitivePage * AppServices_CommandlineSuspectDomain * AzureDNS_ThreatIntelSuspectDomain * AppServices_FilelessAttackBehaviorDetection * AppServices_FilelessAttackTechniqueDetection * AppServices_FilelessAttackToolkitDetection * AppServices_PhishingContent * AppServices_ProcessWithKnownSuspiciousExtension These alerts are being retired as part of a quality improvement process and replaced by newer, more advanced alerts that provide greater accuracy and improved threat detection capabilities. This update ensures enhanced security coverage and reduced noise. |
| December 3, 2025 | Recommendation | Upcoming deprecation (30 day notice) | The following recommendation is set for deprecation 30 days from now: Microsoft Defender for SQL status should be protected for Arc-enabled SQL Servers for Defender for SQL Servers on Machines plan. |
| December 1, 2025 | Recommendation | Preview | (Preview) Code Signing should be enabled on Lambda |
| December 1, 2025 | Recommendation | Preview | (Preview) Security mechanism should be used on lambda function API Gateway |
| December 1, 2025 | Recommendation | Preview | (Preview) Authentication should be enabled on Lambda Function URLs |
| December 1, 2025 | Recommendation | Preview | (Preview) Lambda function should implement Reserved Concurrency to prevent resource exhaustion |
| December 1, 2025 | Recommendation | Preview | (Preview) Lambda function should be configured with automatic runtime version updates |
| December 1, 2025 | Recommendation | Preview | (Preview) Authentication should be enabled on Azure Functions |
| December 1, 2025 | Recommendation | Preview | (Preview) Overly permissive permissions shouldn't be configured on Function App, Web App, or Logic App |
| December 1, 2025 | Recommendation | Preview | (Preview) Restricted network access should be configured on Internet exposed Function app |
| October 21, 2025 | Alert | Update | The following changes will apply to K8S.Node_* Alerts for EKS and GKE clusters. The resourceIdentifiers property will reference the MDC Connector Identifier: Microsoft.Security/securityConnectors/CONNECTOR_NAME/securityentitydata/EKS_CLUSTER_NAME instead of the Arc resource ID Microsoft.Kubernetes/connectedClusters/ARC_CLUSTER_NAME. The Entities property will reference the Cloud Native Identifier arn:aws:eks:AWS_REGION:AWS_ACCOUNT:cluster/CLUSTER_NAME or container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_NAME, rather than the Arc resource ID Microsoft.Kubernetes/connectedClusters/ARC_CLUSTER_NAME. The resourceType field under extendedProperties will change from "Kubernetes – Azure Arc" to the respective "AWS EKS Cluster" or "GCP GKE Cluster" resource type. |
| September 10, 2025 | Alert | Deprecation | The following alert is deprecated: Suspicious process name detected |
| June 1, 2025 | Alert | Upcoming Deprecation | The following alert will be deprecated since the method is no longer supported in PowerZure: * Usage of PowerZure function to maintain persistence in your Azure environment |
| May 15, 2025 | Alert | Upcoming Deprecation | The following alerts will be deprecated and won't be available through XDR Integration: * DDoS Attack detected for Public IP * DDoS Attack mitigated for Public IP Note: The alerts will be available on Defender for Cloud portal. |
| May 1, 2025 | Alert | GA | AI alerts have been released to GA with the plan's official GA release |
| April 20, 2025 | Alert | Preview | (Preview) AI - Suspicious sensitive data mentioned by your Azure AI resource; this replaces the previous sensitive data exposure alert |
| April 29, 2025 | Recommendation | GA | Role-Based Access Control should be used on Keyvault Services |
| April 20, 2025 | Alert | Preview | AI - Suspicious anomaly detected in sensitive data exposed by AI resource; this replaces the previous sensitive data exposure alert |
| February 5, 2025 | Recommendation | Upcoming Deprecation | The following recommendations will be deprecated: * Configure Microsoft Defender for Storage (Classic) to be enabled * Configure basic Microsoft Defender for Storage to be enabled (Activity Monitoring only) |
| January 29, 2025 | Recommendation | GA | We have further hardened the Running containers as root user should be avoided recommendation. What's Changing? We now require at least one range to be specified for the "Run as group rule". This change was needed to ensure containers won't get access to files owned by root, and groups with permissions to the root group. |
| January 13, 2025 | Alert | Preview | AI - Access from a suspicious IP |
| January 13, 2025 | Alert | Preview | AI - Suspected wallet attack |
| December 19, 2024 | Alert | GA | The following Azure Storage alerts are GA: * Malicious blob was downloaded from a storage account * Unusual SAS token was used to access an Azure storage account from a public IP address * Suspicious external operation to an Azure storage account with overly permissive SAS token * Suspicious external access to an Azure storage account with overly permissive SAS token * Unusual unauthenticated public access to a sensitive blob container * Unusual amount of data extracted from a sensitive blob container * Unusual number of blobs extracted from a sensitive blob container * Access from an unusual location to a sensitive blob container * Access from a known suspicious application to a sensitive blob container * Access from a known suspicious IP address to a sensitive blob container * Access from a Tor exit node to a sensitive blob container |
| December 16, 2024 | Alert | Preview | AI - Access from a Tor IP |
| November 19, 2024 | Deprecation | GA | MFA recommendations are deprecated as Azure now requires it. The following recommendations are deprecated: * Accounts with read permissions on Azure resources should be MFA enabled * Accounts with write permissions on Azure resources should be MFA enabled * Accounts with owner permissions on Azure resources should be MFA enabled |
| November 19, 2024 | Alert | Preview | AI - suspicious user agent detected |
| November 19, 2024 | Alert | Preview | ASCII Smuggling prompt injection detected |
| October 30, 2024 | Alert | GA | Suspicious extraction of Azure Cosmos DB account keys |
| October 30, 2024 | Alert | GA | The access level of a sensitive storage blob container was changed to allow unauthenticated public access |
| October 30, 2024 | Recommendation | Upcoming Deprecation | MFA recommendations are deprecated as Azure now requires it. The following recommendations will be deprecated: * Accounts with read permissions on Azure resources should be MFA enabled * Accounts with write permissions on Azure resources should be MFA enabled * Accounts with owner permissions on Azure resources should be MFA enabled |
| October 12, 2024 | Recommendation | GA | Azure Database for PostgreSQL flexible server should have Microsoft Entra authentication only enabled |
| October 6, 2024 | Recommendation | Update | [Preview] Containers running in GCP should have vulnerability findings resolved |
| October 6, 2024 | Recommendation | Update | [Preview] Containers running in AWS should have vulnerability findings resolved |
| October 6, 2024 | Recommendation | Update | [Preview] Containers running in Azure should have vulnerability findings resolved |
| September 10, 2024 | Alert | Preview | Corrupted AI application\model\data directed a phishing attempt at a user |
| September 10, 2024 | Alert | Preview | Phishing URL shared in an AI application |
| September 10, 2024 | Alert | Preview | Phishing attempt detected in an AI application |
| September 5, 2024 | Recommendation | GA | System updates should be installed on your machines (powered by Azure Update Manager) |
| September 5, 2024 | Recommendation | GA | Machines should be configured to periodically check for missing system updates |
Related content
For information about new features, see What's new in Defender for Cloud features.