Reference guide for security alerts
This article lists the security alert types that are crucial for maintaining the integrity and safety of operations within the Cloud Solution Provider (CSP) program. Each alert type notifies you about security-related conditions that might need prompt attention or intervention.
Important
This article serves as a comprehensive reference to help you accurately query both older (before May 15, 2024) and current security alert types. The alerts that this article describes reflect ongoing changes and improvements in the security domain. Use this article frequently to stay informed and proactive in managing security threats effectively.
To learn more about how to resolve alerts, review the Partner Center API or Partner Center dashboard documentation.
Current security alert types
To query or resolve current security alerts, use the following alert types.
Alert | Description | AlertType value |
---|---|---|
ARM Anomalous Resource Consumption | Indicates unusual Azure Resource Manager resource consumption detected on the subscription. | ARM_AnomalousResourceConsumption |
ARM Suspicious Operations | Indicates unusual Resource Manager operations detected on the subscription. | ARM_SuspiciousOperations |
VM Anomalous Deployment | Indicates unusual virtual machine (VM) deployment operations detected on the subscription. | VM_AnomalousDeployment |
Azure Batch Anomalous Deployment | Indicates unusual Azure Batch deployment operations detected on the subscription. | AzureBatch_AnomalousDeployment |
Azure Container Instances Anomalous Deployment | Indicates unusual Azure Container Instances deployment operations detected on the subscription. | AzureContainerInstances_AnomalousDeployment |
Azure Machine Learning Anomalous Deployment | Indicates unusual Azure Machine Learning deployment operations detected on the subscription. | AzureMachineLearning_AnomalousDeployment |
CryptoMining | Indicates cryptocurrency mining activity detected on an Azure subscription resource. | CryptoMining |
Quota Increase Anomaly | Indicates unusual quota-increase operations detected on the subscription. | QuotaIncrease_Anomaly |
User Suspicious Activities | Indicates unusual activity performed by subscription users. | User_SuspiciousUserActivities |
Service Health Security Advisory | Indicates a security advisory notification sent to your customer's tenant. For more information, see the description of the security alert from the dashboard. | ServiceHealthSecurityAdvisory |
Earlier security alert types
To resolve security alerts from before May 15, 2024, use the following alert types.
securityAlertType value | Description |
---|---|
ElevateAccess_VMCreation | Analysis of Azure resources detected an anomalous number of elevate-access requests and a high deployment count. |
UsageAnomalyDetection | Analysis of Azure resources detected: "Anomalous increase in Machine Learning General purpose CPU deployment regions compared to trend in the last 30 days." |
VirtualMachineDeploymentAnomaly | Analysis of Azure resources detected anomalies in virtual machine deployments across one or more regions. |
MultiRegionVirtualMachineScaleSetDeploymentAnomaly | Analysis of Azure resources detected anomalies in usage of Azure virtual machine scale sets across one or more regions. |
RiskyIdentityCryptoMining | This alert type identifies subscriptions that access at least one known crypto mining pool from a VM that a risky user deployed. |
ElevateAccess_RBACWrites | Analysis of Azure resources detected an anomalous number of elevate-access requests and a high deployment count. |
VmDeploymentVelocity | This alert type identifies suspicious virtual machine deployments. |
AzureSubscription_ConfirmedMSAPUID | Analysis of Azure subscriptions shows that a Partner Unique ID (PUID) used by an Unauthorized Party Abuse (UPA) actor was added to this subscription. |
RecentlyAddedCryptoMining | This alert type identifies subscriptions that mine cryptocurrency from resources deployed by recently added principal object identifiers (OIDs). |
ArmActionsAnomaly | Analysis of Azure resources detected anomalies in Azure Resource Manager write operations. |
MultiRegionMachineLearningUsageAnomaly | Analysis of Azure resources detected anomalies in Azure Machine Learning resource usage across one or more regions. |
AzureSubscription_SuspiciousMSAPuid | Analysis of Azure subscriptions shows that this subscription has operations performed by a suspicious Microsoft account PUID. |
AzureMachineLearning_MultiRegionCoreCreationAnomaly | Analysis of Azure resources detected rapid creation of multiple-region Azure Machine Learning cores. |
AzureMachineLearning_MultiRegionClusterCreationAnomaly | Analysis of Azure resources detected rapid creation of multiple-region Azure Machine Learning clusters across one or more regions. |
NetworkConnectionsToCryptoMiningPools | Analysis of Azure resource network activity detected that the resource was connecting to a cryptocurrency mining pool. This alert is often an indication that your Azure resource is compromised. |
ElevateAccess_ClassicAdminWrites | Analysis of Azure resources detected an anomalous number of elevate-access requests and a high deployment count. |