Security alerts reference guide

This page lists the security alert types that are crucial for maintaining the integrity and safety of operations within the Cloud Service Provider (CSP) program. Each alert type flags a security-related condition on a customer subscription that might need prompt attention or intervention.

Important

This article is the reference for both legacy and current Security Alert types. Use it to query alerts with the correct type: alerts detected after May 15, 2024 use the new Security Alert types, and alerts detected before that date use the legacy Security Alert types. The alert types listed here are updated as detection coverage changes, so consult this guide regularly to stay informed and manage security threats proactively. To learn how to resolve alerts, see the Partner Center API or Partner Center portal documentation.

Security alerts (new)

Use the following alert types to query or resolve alerts detected after May 15, 2024:

| Alert | Description | AlertType |
|---|---|---|
| ARM Anomalous Resource Consumption | Indicates unusual Azure Resource Manager (ARM) resource consumption detected on the subscription | ARM_AnomalousResourceConsumption |
| ARM Suspicious Operations | Indicates unusual ARM operations detected on the subscription | ARM_SuspiciousOperations |
| VM Anomalous Deployment | Indicates unusual virtual machine (VM) deployment operations detected on the subscription | VM_AnomalousDeployment |
| Azure Batch Anomalous Deployment | Indicates unusual Azure Batch deployment operations detected on the subscription | AzureBatch_AnomalousDeployment |
| Azure Container Instances Anomalous Deployment | Indicates unusual Azure Container Instances deployment operations detected on the subscription | AzureContainerInstances_AnomalousDeployment |
| Azure Machine Learning Anomalous Deployment | Indicates unusual Azure Machine Learning deployment operations detected on the subscription | AzureMachineLearning_AnomalousDeployment |
| CryptoMining | Indicates cryptomining activity detected on an Azure subscription resource | CryptoMining |
| Quota Increase Anomaly | Indicates unusual quota increase operations detected on the subscription | QuotaIncrease_Anomaly |
| User Suspicious Activities | Indicates unusual activity performed by subscription users | User_SuspiciousUserActivities |
| Service Health Security Advisory | Indicates a security advisory notification sent to your customer tenant. For more information, see the description of the security alert from the Dashboard. | ServiceHealthSecurityAdvisory |

Legacy security alert types

To query or resolve alerts detected before May 15, 2024, use the following legacy alert types:

| Legacy securityAlertType | Description |
|---|---|
| ElevateAccess_VMCreation | Analysis of an anomalous number of elevate access requests and a high deployment count. |
| UsageAnomalyDetection | Analysis of Azure resources detected anomalies in: "Anomalous increase in Machine Learning General purpose CPU deployment regions compared to trend in the last 30 days." |
| VirtualMachineDeploymentAnomaly | Analysis of Azure resources detected anomalies in Virtual Machine deployments across one or more regions. |
| MultiRegionVirtualMachineScaleSetDeploymentAnomaly | Analysis of Azure resources detected anomalies in Azure Virtual Machine Scale Set usage across one or more regions. |
| RiskyIdentityCryptoMining | Identifies subscriptions that access at least one known cryptomining pool from a VM deployed by a risky user. |
| ElevateAccess_RBACWrites | Analysis of an anomalous number of elevate access requests and a high deployment count. |
| VmDeploymentVelocity | Suspicious virtual machine deployments. |
| AzureSubscription_ConfirmedMSAPUID | Analysis of the Azure subscription shows that a Partner Unique ID (PUID) used by an Unauthorized Party Abuse (UPA) actor was added to this subscription. |
| RecentlyAddedCryptoMining | Identifies subscriptions that mine cryptocurrency from resources deployed by recently added principal object identifiers (OIDs). |
| ArmActionsAnomaly | Analysis of Azure resources detected anomalies in Azure Resource Manager (ARM) write operations. |
| MultiRegionMachineLearningUsageAnomaly | Analysis of Azure resources detected anomalies in Azure Machine Learning resource usage across one or more regions. |
| AzureSubscription_SuspiciousMSAPuid | Analysis of the Azure subscription shows that it has operations performed by a suspicious Microsoft account (MSA) PUID. |
| AzureMachineLearning_MultiRegionCoreCreationAnomaly | Analysis of Azure resources detected rapid multi-region Azure Machine Learning core creation. |
| AzureMachineLearning_MultiRegionClusterCreationAnomaly | Analysis of Azure resources detected rapid multi-region Azure Machine Learning cluster creation across one or more regions. |
| NetworkConnectionsToCryptoMiningPools | Analysis of Azure resource network activity detected that the resource was connecting to a cryptocurrency mining pool. This is often an indication that your Azure resource is compromised. |
| ElevateAccess_ClassicAdminWrites | Analysis of an anomalous number of elevate access requests and a high deployment count. |
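The split between the two tables above is keyed on the May 15, 2024 detection date. The following Python helper, an added example that is not part of the Partner Center documentation or API, shows how a partner's triage script can route each alert record to the right reference set and flag records whose alert type does not match the table their detection date implies. The record shape (`id`, `alertType`, `detectedAt`) and the sample records are assumptions constructed for the example, not the real API schema; the alert type names and the cutoff date come from this page.

```python
"""Route CSP security alerts to the new or legacy alert-type reference
by detection date, and flag type/date mismatches and unknown types.
Added example; record field names and sample data are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Cutoff from this page: alerts detected before May 15, 2024 use the legacy
# alert types, later alerts use the new ones. Detections stamped exactly at
# the cutoff instant are treated as "new" here (an assumption of this example).
CUTOFF = datetime(2024, 5, 15, tzinfo=timezone.utc)

NEW_ALERT_TYPES = {
    "ARM_AnomalousResourceConsumption", "ARM_SuspiciousOperations",
    "VM_AnomalousDeployment", "AzureBatch_AnomalousDeployment",
    "AzureContainerInstances_AnomalousDeployment",
    "AzureMachineLearning_AnomalousDeployment", "CryptoMining",
    "QuotaIncrease_Anomaly", "User_SuspiciousUserActivities",
    "ServiceHealthSecurityAdvisory",
}

LEGACY_ALERT_TYPES = {
    "ElevateAccess_VMCreation", "UsageAnomalyDetection",
    "VirtualMachineDeploymentAnomaly",
    "MultiRegionVirtualMachineScaleSetDeploymentAnomaly",
    "RiskyIdentityCryptoMining", "ElevateAccess_RBACWrites",
    "VmDeploymentVelocity", "AzureSubscription_ConfirmedMSAPUID",
    "RecentlyAddedCryptoMining", "ArmActionsAnomaly",
    "MultiRegionMachineLearningUsageAnomaly",
    "AzureSubscription_SuspiciousMSAPuid",
    "AzureMachineLearning_MultiRegionCoreCreationAnomaly",
    "AzureMachineLearning_MultiRegionClusterCreationAnomaly",
    "NetworkConnectionsToCryptoMiningPools",
    "ElevateAccess_ClassicAdminWrites",
}


@dataclass
class Alert:
    alert_id: str
    alert_type: str
    detected_at: datetime  # always timezone-aware UTC after parsing


def parse_alert(record: dict) -> Alert:
    """Build an Alert from an assumed record {id, alertType, detectedAt}.

    detectedAt is an ISO 8601 timestamp; a trailing 'Z' is accepted and a
    naive timestamp is assumed to be UTC so the cutoff comparison is safe.
    """
    raw = record["detectedAt"].replace("Z", "+00:00")
    ts = datetime.fromisoformat(raw)
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return Alert(record["id"], record["alertType"], ts.astimezone(timezone.utc))


def classify(alert: Alert) -> str:
    """Return 'new' or 'legacy' when the type matches the table implied by
    the detection date, 'mismatch:<expected>' when the type belongs to the
    other table, and 'unknown' when it is in neither."""
    expected = "legacy" if alert.detected_at < CUTOFF else "new"
    known = LEGACY_ALERT_TYPES if expected == "legacy" else NEW_ALERT_TYPES
    other = NEW_ALERT_TYPES if expected == "legacy" else LEGACY_ALERT_TYPES
    if alert.alert_type in known:
        return expected
    if alert.alert_type in other:
        return f"mismatch:{expected}"
    return "unknown"


def triage(records) -> dict:
    """Group alert ids by classification. 'new' and 'legacy' buckets can be
    queried/resolved with the matching type set; mismatches and unknowns
    need a human look before any automated resolution."""
    buckets = {"new": [], "legacy": [], "mismatch:new": [],
               "mismatch:legacy": [], "unknown": []}
    for rec in records:
        alert = parse_alert(rec)
        buckets[classify(alert)].append(alert.alert_id)
    return buckets


# Constructed sample records (not real alert data).
SAMPLE_RECORDS = [
    {"id": "a1", "alertType": "CryptoMining",
     "detectedAt": "2024-06-01T10:00:00Z"},
    {"id": "a2", "alertType": "NetworkConnectionsToCryptoMiningPools",
     "detectedAt": "2024-03-02T08:30:00Z"},
    {"id": "a3", "alertType": "VmDeploymentVelocity",
     "detectedAt": "2024-05-20T00:00:00Z"},
    {"id": "a4", "alertType": "NotARealAlertType",
     "detectedAt": "2024-05-15T00:00:00Z"},
    {"id": "a5", "alertType": "ServiceHealthSecurityAdvisory",
     "detectedAt": "2024-05-14T23:59:59+00:00"},
]

if __name__ == "__main__":
    for bucket, ids in triage(SAMPLE_RECORDS).items():
        print(f"{bucket:16s} {ids}")
```

The mismatch and unknown buckets are the useful part in practice: a legacy type stamped after the cutoff, or a type absent from both tables, usually means the querying code is using the wrong type set or the reference has changed since the script was written, so those records should be reviewed rather than auto-resolved.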