What's new in Defender for Cloud recommendations, alerts, and incidents

This article summarizes what's new in security recommendations, alerts, and incidents in Microsoft Defender for Cloud. It includes information about new, modified, and deprecated recommendations and alerts.

• This page is updated frequently with the latest recommendations and alerts in Defender for Cloud.

• Recommendations older than six months are found in the relevant recommendations reference list.

• Find the latest information about new and updated Defender for Cloud features in What's new in Defender for Cloud features.

Tip

Get notified when this page is updated by copying and pasting the following URL into your feed reader: https://aka.ms/mdc/rss-recommendations-alerts

• Review a complete list of multicloud security recommendations and alerts:
  • AI recommendations
  • Compute recommendations
  • Container recommendations
  • Data recommendations
  • DevOps recommendations
  • Identity and access recommendations
  • IoT recommendations
  • Networking recommendations
  • Deprecated recommendations
  • Security alerts.
  • Security incidents

Recommendations, alerts, and incidents updates

New and updated recommendations, alerts, and incidents are added to the table in date order.

Date	Type	State	Name
February 5	Recommendation	Upcoming Deprecation	The following recommendations will be deprecated: * Configure Microsoft Defender for Storage (Classic) to be enabled * Configure basic Microsoft Defender for Storage to be enabled (Activity Monitoring only)
January 29	Recommendation	GA	We have further hardened the Running containers as root user should be avoided recommendation. What's Changing? We now require at least one range to be specified for the "Run as group rule". This change was needed to ensure containers will not get access to files owned by root, and groups with permissions to the root group.
January 13	Alert	Preview	AI - Access from a suspicious IP
January 13	Alert	Preview	AI - Suspected wallet attack
December 19	Alert	GA	The following Azure Storage alerts are GA: Malicious blob was downloaded from a storage account Unusual SAS token was used to access an Azure storage account from a public IP address Suspicious external operation to an Azure storage account with overly permissive SAS token Suspicious external access to an Azure storage account with overly permissive SAS token Unusual unauthenticated public access to a sensitive blob container Unusual amount of data extracted from a sensitive blob container Unusual number of blobs extracted from a sensitive blob container Access from an unusual location to a sensitive blob container Access from a known suspicious application to a sensitive blob container Access from a known suspicious IP address to a sensitive blob container Access from a Tor exit node to a sensitive blob container
December 16	Alert	Preview	AI - Access from a Tor IP
November 19	Deprecation	GA	MFA recommendations are deprecated as Azure now requires it.. The following recommendations are deprecated: * Accounts with read permissions on Azure resources should be MFA enabled * Accounts with write permissions on Azure resources should be MFA enabled * Accounts with owner permissions on Azure resources should be MFA enabled
November 19	Alert	Preview	AI - suspicious user agent detected
November 19	Alert	Preview	ASCII Smuggling prompt injection detected
October 30	Alert	GA	Suspicious extraction of Azure Cosmos DB account keys
October 30	Alert	GA	The access level of a sensitive storage blob container was changed to allow unauthenticated public access
October 30	Recommendation	Upcoming Deprecation	MFA recommendations are deprecated as Azure now requires it.. The following recommendations will be deprecated: * Accounts with read permissions on Azure resources should be MFA enabled * Accounts with write permissions on Azure resources should be MFA enabled * Accounts with owner permissions on Azure resources should be MFA enabled
October 12	Recommendation	GA	Azure Database for PostgreSQL flexible server should have Microsoft Entra authentication only enabled
October 6	Recommendation	Update	[Preview] Containers running in GCP should have vulnerability findings resolved
October 6	Recommendation	Update	[Preview] Containers running in AWS should have vulnerability findings resolved
October 6	Recommendation	Update	[Preview] Containers running in Azure should have vulnerability findings resolved
September 10	Alert	Preview	Corrupted AI application\model\data directed a phishing attempt at a user
September 10	Alert	Preview	Phishing URL shared in an AI application
September 10	Alert	Preview	Phishing attempt detected in an AI application
September 5	Recommendation	GA	System updates should be installed on your machines (powered by Azure Update Manager)
September 5	Recommendation	GA	Machines should be configured to periodically check for missing system updates

Related content

For information about new features, see What's new in Defender for Cloud features.