Incidents - a reference guide

Note

For incidents that are in preview: The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

This article lists the incidents you might get from Microsoft Defender for Cloud and any Microsoft Defender plans you've enabled. The incidents shown in your environment depend on the resources and services you're protecting, and your customized configuration.

A security incident is a correlation of alerts into an attack story. The correlated alerts either share an entity, such as a resource, an IP address or a user, or share a kill chain pattern.

You can select an incident to view all of the alerts that are related to the incident and get more information.

Learn how to manage security incidents.

Note

The same alert can be part of an incident and still be visible as a standalone alert.
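As an added illustration of that correlation model (example code written for this article, not Defender for Cloud's own engine), the following Python groups a handful of constructed alerts into incidents by shared entity. The alert records, plan names, entity values and the severity roll-up rule (highest member severity) are assumptions; the requirement that an incident's alerts come from more than one Defender plan follows the incident descriptions on this page, and kill chain correlation is not modelled.

```python
from collections import defaultdict
from dataclasses import dataclass

# Severity ordering used to roll member alert severities up to the incident.
# Assumption: the page does not document how Defender derives incident severity.
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}


@dataclass(frozen=True)
class Alert:
    """Minimal alert record: only the fields the correlation step needs."""
    alert_id: str
    name: str
    plan: str            # Defender plan that raised the alert (assumed names)
    severity: str        # Low / Medium / High
    entities: frozenset  # {(entity_type, entity_value), ...}


def _ent(*pairs):
    return frozenset(pairs)


# Constructed sample alerts, not real Defender output. IPs are documentation ranges.
SAMPLE_ALERTS = [
    Alert("A1", "Suspicious SSH authentication", "Servers", "Medium",
          _ent(("Resource", "vm-web-01"), ("IP", "203.0.113.5"))),
    Alert("A2", "Possible crypto-mining process", "Servers", "High",
          _ent(("Resource", "vm-web-01"))),
    Alert("A3", "Unusual blob download", "Storage", "Medium",
          _ent(("Resource", "stprod01"), ("IP", "203.0.113.5"))),
    Alert("A4", "Unusual secret list operation", "KeyVault", "Medium",
          _ent(("Resource", "kv-prod"), ("User", "alice@contoso.example"))),
    Alert("A5", "Suspicious role assignment", "ResourceManager", "High",
          _ent(("User", "alice@contoso.example"))),
    Alert("A6", "Inbound port scan", "Servers", "Low",
          _ent(("Resource", "vm-db-02"), ("IP", "198.51.100.7"))),
]


def correlate(alerts, min_alerts=2, require_distinct_plans=True):
    """Group alerts that share an entity into incidents.

    An entity is a (type, value) pair such as ("IP", "203.0.113.5"). An incident
    is emitted for an entity when at least `min_alerts` alerts reference it and,
    if `require_distinct_plans`, those alerts come from more than one plan
    (the "multiple alerts from different Defender for Cloud plans" pattern).
    """
    by_entity = defaultdict(list)
    for alert in alerts:
        for entity in alert.entities:
            by_entity[entity].append(alert)

    incidents = []
    for entity, group in by_entity.items():
        if len(group) < min_alerts:
            continue
        if require_distinct_plans and len({a.plan for a in group}) < 2:
            continue
        top = max(group, key=lambda a: SEVERITY_RANK[a.severity])
        incidents.append({
            "entity": entity,
            "alert_ids": sorted(a.alert_id for a in group),
            "plans": sorted({a.plan for a in group}),
            "severity": top.severity,
        })
    # Deterministic order: by entity type, then value.
    return sorted(incidents, key=lambda i: i["entity"])


def standalone_alert_ids(alerts):
    """Correlation does not consume alerts: every alert stays listed on its own."""
    return sorted(a.alert_id for a in alerts)


if __name__ == "__main__":
    for inc in correlate(SAMPLE_ALERTS):
        print(f"{inc['entity'][0]}={inc['entity'][1]}: {inc['alert_ids']} "
              f"plans={inc['plans']} severity={inc['severity']}")
    print("all alerts (standalone view):", standalone_alert_ids(SAMPLE_ALERTS))
```

With the sample data, the IP 203.0.113.5 and the user alice each produce an incident, while the two Servers-plan alerts on vm-web-01 do not, because they come from a single plan; passing `require_distinct_plans=False` turns that pair into a third incident. Alert A1 appears inside the IP incident and also in the standalone list, which is the point of the note above.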

Security incident

Each entry below gives the incident name, its description, and its severity.

Security incident detected suspicious virtual machines activity
This incident indicates suspicious activity on your virtual machines. Multiple alerts from different Defender for Cloud plans have been triggered revealing a similar pattern on your virtual machines. This might indicate a threat actor has gained unauthorized access to your environment and is attempting to compromise it.
Severity: Medium/High

Security incident detected suspicious source IP activity
This incident indicates that suspicious activity has been detected on the same source IP. Multiple alerts from different Defender for Cloud plans have been triggered on the same IP address, which increases the fidelity of malicious activity in your environment. Suspicious activity on the same IP address might indicate that an attacker has gained unauthorized access to your environment and is attempting to compromise it.
Severity: Medium/High

Security incident detected on multiple resources
This incident indicates that suspicious activity has been detected on your cloud resources. Multiple alerts from different Defender for Cloud plans have been triggered, revealing that similar attack methods were performed on your cloud resources. This might indicate a threat actor has gained unauthorized access to your environment and is attempting to compromise it.
Severity: Medium/High

Security incident detected suspicious user activity (Preview)
This incident indicates suspicious user operations in your environment. Multiple alerts from different Defender for Cloud plans have been triggered by this user, which increases the fidelity of malicious activity in your environment. While this activity may be legitimate, a threat actor might utilize such operations to compromise resources in your environment. This might indicate that the account is compromised and is being used with malicious intent.
Severity: High

Security incident detected suspicious service principal activity (Preview)
This incident indicates suspicious service principal operations in your environment. Multiple alerts from different Defender for Cloud plans have been triggered by this service principal, which increases the fidelity of malicious activity in your environment. While this activity may be legitimate, a threat actor might utilize such operations to compromise resources in your environment. This might indicate that the service principal is compromised and is being used with malicious intent.
Severity: High

Security incident detected suspicious crypto mining activity (Preview)
Scenario 1: This incident indicates that suspicious crypto mining activity has been detected following suspicious user or service principal activity. Multiple alerts from different Defender for Cloud plans have been triggered on the same resource, which increases the fidelity of malicious activity in your environment. Suspicious account activity might indicate a threat actor gained unauthorized access to your environment, and the succeeding crypto mining activity may suggest that they successfully compromised your resource and are using it for mining cryptocurrencies, which can lead to increased costs for your organization.
Scenario 2: This incident indicates that suspicious crypto mining activity has been detected following a brute force attack on the same virtual machine resource. Multiple alerts from different Defender for Cloud plans have been triggered on the same resource, which increases the fidelity of malicious activity in your environment. The brute force attack on the virtual machine might indicate that a threat actor is attempting to gain unauthorized access to your environment, and the succeeding crypto mining activity may suggest they successfully compromised your resource and are using it for mining cryptocurrencies, which can lead to increased costs for your organization.
Severity: High

Security incident detected suspicious Key Vault activity (Preview)
Scenario 1: This incident indicates that suspicious activity has been detected in your environment related to the usage of Key Vault. Multiple alerts from different Defender for Cloud plans have been triggered by this user or service principal, which increases the fidelity of malicious activity in your environment. Suspicious Key Vault activity might indicate that a threat actor is attempting to gain access to your sensitive data, such as keys, secrets, and certificates, and that the account is compromised and is being used with malicious intent.
Scenario 2: This incident indicates that suspicious activity has been detected in your environment related to the usage of Key Vault. Multiple alerts from different Defender for Cloud plans have been triggered from the same IP address, which increases the fidelity of malicious activity in your environment. Suspicious Key Vault activity might indicate that a threat actor is attempting to gain access to your sensitive data, such as keys, secrets, and certificates, and that the account is compromised and is being used with malicious intent.
Scenario 3: This incident indicates that suspicious activity has been detected in your environment related to the usage of Key Vault. Multiple alerts from different Defender for Cloud plans have been triggered on the same resource, which increases the fidelity of malicious activity in your environment. Suspicious Key Vault activity might indicate that a threat actor is attempting to gain access to your sensitive data, such as keys, secrets, and certificates, and that the account is compromised and is being used with malicious intent.
Severity: High

Security incident detected suspicious SAS activity (Preview)
This incident indicates that suspicious activity has been detected following the potential misuse of a SAS token. Multiple alerts from different Defender for Cloud plans have been triggered on the same resource, which increases the fidelity of malicious activity in your environment. The usage of a SAS token can indicate that a threat actor has gained unauthorized access to your storage account and is attempting to access or exfiltrate sensitive data.
Severity: High

Security incident detected anomalous geographical location activity (Preview)
Scenario 1: This incident indicates that anomalous geographical location activity has been detected in your environment. Multiple alerts from different Defender for Cloud plans have been triggered on the same resource, which increases the fidelity of malicious activity in your environment. Suspicious activity originating from anomalous locations might indicate that a threat actor gained unauthorized access to your environment and is attempting to compromise it.
Scenario 2: This incident indicates that anomalous geographical location activity has been detected in your environment. Multiple alerts from different Defender for Cloud plans have been triggered from the same IP address, which increases the fidelity of malicious activity in your environment. Suspicious activity originating from anomalous locations might indicate that a threat actor gained unauthorized access to your environment and is attempting to compromise it.
Severity: High

Security incident detected suspicious IP activity (Preview)
Scenario 1: This incident indicates that suspicious activity has been detected originating from a suspicious IP address. Multiple alerts from different Defender for Cloud plans have been triggered from the same IP address, which increases the fidelity of malicious activity in your environment. Suspicious activity originating from a suspicious IP address might indicate that an attacker has gained unauthorized access to your environment and is attempting to compromise it.
Scenario 2: This incident indicates that suspicious activity has been detected originating from a suspicious IP address. Multiple alerts from different Defender for Cloud plans have been triggered on the same user or service principal, which increases the fidelity of malicious activity in your environment. Suspicious activity originating from a suspicious IP address can indicate that an attacker has gained unauthorized access to your environment and is attempting to compromise it.
Severity: High

Security incident detected suspicious fileless attack activity (Preview)
This incident indicates that a fileless attack toolkit has been detected on a virtual machine following a potential exploit attempt on the same resource. Multiple alerts from different Defender for Cloud plans have been triggered on the same virtual machine, which increases the fidelity of malicious activity in your environment. The presence of a fileless attack toolkit on the virtual machine might indicate that a threat actor has gained unauthorized access to your environment and is attempting to evade detection while carrying out further malicious activities.
Severity: High

Security incident detected suspicious DDOS activity (Preview)
This incident indicates that suspicious Distributed Denial of Service (DDoS) activity has been detected in your environment. DDoS attacks are designed to overwhelm your network or application with a high volume of traffic, causing it to become unavailable to legitimate users. Multiple alerts from different Defender for Cloud plans have been triggered on the same IP address, which increases the fidelity of malicious activity in your environment.
Severity: High

Security incident detected suspicious data exfiltration activity (Preview)
Scenario 1: This incident indicates that suspicious data exfiltration activity has been detected following suspicious user or service principal activity. Multiple alerts from different Defender for Cloud plans have been triggered on the same resource, which increases the fidelity of malicious activity in your environment. Suspicious account activity might indicate that a threat actor gained unauthorized access to your environment, and the succeeding data exfiltration activity may suggest that they are attempting to steal sensitive information.
Scenario 2: This incident indicates that suspicious data exfiltration activity has been detected following suspicious user or service principal activity. Multiple alerts from different Defender for Cloud plans have been triggered from the same IP address, which increases the fidelity of malicious activity in your environment. Suspicious account activity might indicate that a threat actor gained unauthorized access to your environment, and the succeeding data exfiltration activity may suggest that they are attempting to steal sensitive information.
Scenario 3: This incident indicates that suspicious data exfiltration activity has been detected following an unusual password reset on a virtual machine. Multiple alerts from different Defender for Cloud plans have been triggered from the same IP address, which increases the fidelity of malicious activity in your environment. Suspicious account activity might indicate that a threat actor gained unauthorized access to your environment, and the succeeding data exfiltration activity may suggest that they are attempting to steal sensitive information.
Severity: High

Security incident detected suspicious API activity (Preview)
This incident indicates that suspicious API activity has been detected. Multiple alerts from Defender for Cloud have been triggered on the same resource, which increases the fidelity of malicious activity in your environment. Suspicious API usage might indicate that a threat actor is attempting to access sensitive information or execute unauthorized actions.
Severity: High

Security incident detected suspicious Kubernetes cluster activity (Preview)
This incident indicates that suspicious activity has been detected on your Kubernetes cluster following suspicious user activity. Multiple alerts from different Defender for Cloud plans have been triggered on the same cluster, which increases the fidelity of malicious activity in your environment. The suspicious activity on your Kubernetes cluster might indicate that a threat actor has gained unauthorized access to your environment and is attempting to compromise it.
Severity: High

Security incident detected suspicious storage activity (Preview)
Scenario 1: This incident indicates that suspicious storage activity has been detected following suspicious user or service principal activity. Multiple alerts from different Defender for Cloud plans have been triggered on the same resource, which increases the fidelity of malicious activity in your environment. Suspicious account activity might indicate that a threat actor gained unauthorized access to your environment, and the succeeding suspicious storage activity may suggest they are attempting to access potentially sensitive data.
Scenario 2: This incident indicates that suspicious storage activity has been detected following suspicious user or service principal activity. Multiple alerts from different Defender for Cloud plans have been triggered from the same IP address, which increases the fidelity of malicious activity in your environment. Suspicious account activity might indicate that a threat actor gained unauthorized access to your environment, and the succeeding suspicious storage activity may suggest they are attempting to access potentially sensitive data.
Severity: High

Security incident detected suspicious Azure toolkit activity (Preview)
This incident indicates that suspicious activity has been detected following the potential usage of an Azure toolkit. Multiple alerts from different Defender for Cloud plans have been triggered on the same user or service principal, which increases the fidelity of malicious activity in your environment. The usage of an Azure toolkit can indicate that an attacker has gained unauthorized access to your environment and is attempting to compromise it.
Severity: High

Security incident detected suspicious DNS activity (Preview)
Scenario 1: This incident indicates that suspicious DNS activity has been detected. Multiple alerts from different Defender for Cloud plans have been triggered on the same resource, which increases the fidelity of malicious activity in your environment. Suspicious DNS activity might indicate that a threat actor gained unauthorized access to your environment and is attempting to compromise it.
Scenario 2: This incident indicates that suspicious DNS activity has been detected. Multiple alerts from different Defender for Cloud plans have been triggered from the same IP address, which increases the fidelity of malicious activity in your environment. Suspicious DNS activity might indicate that a threat actor gained unauthorized access to your environment and is attempting to compromise it.
Severity: Medium

Security incident detected suspicious SQL activity (Preview)
Scenario 1: This incident indicates that suspicious SQL activity has been detected. Multiple alerts from different Defender for Cloud plans have been triggered from the same IP address, which increases the fidelity of malicious activity in your environment. Suspicious SQL activity might indicate that a threat actor is targeting your SQL server and is attempting to compromise it.
Scenario 2: This incident indicates that suspicious SQL activity has been detected. Multiple alerts from different Defender for Cloud plans have been triggered on the same resource, which increases the fidelity of malicious activity in your environment. Suspicious SQL activity might indicate that a threat actor is targeting your SQL server and is attempting to compromise it.
Severity: High

Security incident detected suspicious app service activity (Preview)
Scenario 1: This incident indicates that suspicious activity has been detected in your app service environment. Multiple alerts from different Defender for Cloud plans have been triggered on the same resource, which increases the fidelity of malicious activity in your environment. Suspicious app service activity might indicate that a threat actor is targeting your application and may be attempting to compromise it.
Scenario 2: This incident indicates that suspicious activity has been detected in your app service environment. Multiple alerts from different Defender for Cloud plans have been triggered from the same IP address, which increases the fidelity of malicious activity in your environment. Suspicious app service activity might indicate that a threat actor is targeting your application and may be attempting to compromise it.
Severity: High

Security incident detected compromised machine
This incident indicates suspicious activity on one or more of your virtual machines. Multiple alerts from different Defender for Cloud plans have been triggered in chronological order on the same resource, following the MITRE ATT&CK framework. This might indicate a threat actor has gained unauthorized access to your environment and successfully compromised this machine.
Severity: Medium/High

Security incident detected compromised machine with botnet communication
This incident indicates suspicious botnet activity on your virtual machine. Multiple alerts from different Defender for Cloud plans have been triggered in chronological order on the same resource, following the MITRE ATT&CK framework. This might indicate a threat actor has gained unauthorized access to your environment and is attempting to compromise it.
Severity: Medium/High

Security incident detected compromised machines with botnet communication
This incident indicates suspicious botnet activity on your virtual machines. Multiple alerts from different Defender for Cloud plans have been triggered in chronological order on the same resources, following the MITRE ATT&CK framework. This might indicate a threat actor has gained unauthorized access to your environment and is attempting to compromise it.
Severity: Medium/High

Security incident detected compromised machine with malicious outgoing activity
This incident indicates suspicious outgoing activity on your virtual machine. Multiple alerts from different Defender for Cloud plans have been triggered in chronological order on the same resource, following the MITRE ATT&CK framework. This might indicate a threat actor has gained unauthorized access to your environment and is attempting to compromise it.
Severity: Medium/High

Security incident detected compromised machines
This incident indicates suspicious activity on one or more of your virtual machines. Multiple alerts from different Defender for Cloud plans have been triggered in chronological order on the same resources, following the MITRE ATT&CK framework. This might indicate a threat actor has gained unauthorized access to your environment and successfully compromised these machines.
Severity: Medium/High

Security incident detected compromised machines with malicious outgoing activity
This incident indicates suspicious outgoing activity from your virtual machines. Multiple alerts from different Defender for Cloud plans have been triggered in chronological order on the same resources, following the MITRE ATT&CK framework. This might indicate a threat actor has gained unauthorized access to your environment and is attempting to compromise it.
Severity: Medium/High

Security incident detected on multiple machines
This incident indicates suspicious activity on one or more of your virtual machines. Multiple alerts from different Defender for Cloud plans have been triggered in chronological order on the same resource, following the MITRE ATT&CK framework. This might indicate a threat actor has gained unauthorized access to your environment and is attempting to compromise it.
Severity: Medium/High

Security incident with shared process detected
Scenario 1: This incident indicates suspicious activity on your virtual machine. Multiple alerts from different Defender for Cloud plans have been triggered sharing the same process. This might indicate a threat actor has gained unauthorized access to your environment and is attempting to compromise it.
Scenario 2: This incident indicates suspicious activity on your virtual machines. Multiple alerts from different Defender for Cloud plans have been triggered sharing the same process. This might indicate a threat actor has gained unauthorized access to your environment and is attempting to compromise it.
Severity: Medium/High

Next steps

Manage security incidents in Microsoft Defender for Cloud