Editja

Ixxerja permezz ta’


Deprecated security alerts

This article lists deprecated security alerts in Microsoft Defender for Cloud.

Deprecated Defender for Containers alerts

The following lists include the Defender for Containers security alerts which were deprecated.

Manipulation of host firewall detected

(K8S.NODE_FirewallDisabled)

Description: Analysis of processes running within a container or directly on a Kubernetes node, has detected a possible manipulation of the on-host firewall. Attackers will often disable this to exfiltrate data.

MITRE tactics: DefenseEvasion, Exfiltration

Severity: Medium

Suspicious use of DNS over HTTPS

(K8S.NODE_SuspiciousDNSOverHttps)

Description: Analysis of processes running within a container or directly on a Kubernetes node, has detected the use of a DNS call over HTTPS in an uncommon fashion. This technique is used by attackers to hide calls out to suspect or malicious sites.

MITRE tactics: DefenseEvasion, Exfiltration

Severity: Medium

A possible connection to malicious location has been detected

(K8S.NODE_ThreatIntelCommandLineSuspectDomain)

Description: Analysis of processes running within a container or directly on a Kubernetes node, has detected a connection to a location that has been reported to be malicious or unusual. This is an indicator that a compromise might have occurred.

MITRE tactics: InitialAccess

Severity: Medium

Digital currency mining activity

(K8S.NODE_CurrencyMining)

Description: Analysis of DNS transactions detected digital currency mining activity. Such activity, while possibly legitimate user behavior, is frequently performed by attackers following compromise of resources. Typical related attacker activity is likely to include the download and execution of common mining tools.

MITRE tactics: Exfiltration

Severity: Low

Deprecated Defender for Servers Linux alerts

VM_AbnormalDaemonTermination

Alert Display Name: Abnormal Termination

Severity: Low

VM_BinaryGeneratedFromCommandLine

Alert Display Name: Suspicious binary detected

Severity: Medium

VM_CommandlineSuspectDomain Suspicious

Alert Display Name: domain name reference

Severity: Low

VM_CommonBot

Alert Display Name: Behavior similar to common Linux bots detected

Severity: Medium

VM_CompCommonBots

Alert Display Name: Commands similar to common Linux bots detected

Severity: Medium

VM_CompSuspiciousScript

Alert Display Name: Shell Script Detected

Severity: Medium

VM_CompTestRule

Alert Display Name: Composite Analytic Test Alert

Severity: Low

VM_CronJobAccess

Alert Display Name: Manipulation of scheduled tasks detected

Severity: Informational

VM_CryptoCoinMinerArtifacts

Alert Display Name: Process associated with digital currency mining detected

Severity: Medium

VM_CryptoCoinMinerDownload

Alert Display Name: Possible Cryptocoinminer download detected

Severity: Medium

VM_CryptoCoinMinerExecution

Alert Display Name: Potential crypto coin miner started

Severity: Medium

VM_DataEgressArtifacts

Alert Display Name: Possible data exfiltration detected

Severity: Medium

VM_DigitalCurrencyMining

Alert Display Name: Digital currency mining related behavior detected

Severity: High

VM_DownloadAndRunCombo

Alert Display Name: Suspicious Download Then Run Activity

Severity: Medium

VM_EICAR

Alert Display Name: Microsoft Defender for Cloud test alert (not a threat)

Severity: High

VM_ExecuteHiddenFile

Alert Display Name: Execution of hidden file

Severity: Informational

VM_ExploitAttempt

Alert Display Name: Possible command line exploitation attempt

Severity: Medium

VM_ExposedDocker

Alert Display Name: Exposed Docker daemon on TCP socket

Severity: Medium

VM_FairwareMalware

Alert Display Name: Behavior similar to Fairware ransomware detected

Severity: Medium

VM_FirewallDisabled

Alert Display Name: Manipulation of host firewall detected

Severity: Medium

VM_HadoopYarnExploit

Alert Display Name: Possible exploitation of Hadoop Yarn

Severity: Medium

VM_HistoryFileCleared

Alert Display Name: A history file has been cleared

Severity: Medium

VM_KnownLinuxAttackTool

Alert Display Name: Possible attack tool detected

Severity: Medium

VM_KnownLinuxCredentialAccessTool

Alert Display Name: Possible credential access tool detected

Severity: Medium

VM_KnownLinuxDDoSToolkit

Alert Display Name: Indicators associated with DDOS toolkit detected

Severity: Medium

VM_KnownLinuxScreenshotTool

Alert Display Name: Screenshot taken on host

Severity: Low

VM_LinuxBackdoorArtifact

Alert Display Name: Possible backdoor detected

Severity: Medium

VM_LinuxReconnaissance

Alert Display Name: Local host reconnaissance detected

Severity: Medium

VM_MismatchedScriptFeatures

Alert Display Name: Script extension mismatch detected

Severity: Medium

VM_MitreCalderaTools

Alert Display Name: MITRE Caldera agent detected

Severity: Medium

VM_NewSingleUserModeStartupScript

Alert Display Name: Detected Persistence Attempt

Severity: Medium

VM_NewSudoerAccount

Alert Display Name: Account added to sudo group

Severity: Low

VM_OverridingCommonFiles

Alert Display Name: Potential overriding of common files

Severity: Medium

VM_PrivilegedContainerArtifacts

Alert Display Name: Container running in privileged mode

Severity: Low

VM_PrivilegedExecutionInContainer

Alert Display Name: Command within a container running with high privileges

Severity: Low

VM_ReadingHistoryFile

Alert Display Name: Unusual access to bash history file

Severity: Informational

VM_ReverseShell

Alert Display Name: Potential reverse shell detected

Severity: Medium

VM_SshKeyAccess

Alert Display Name: Process seen accessing the SSH authorized keys file in an unusual way

Severity: Low

VM_SshKeyAddition

Alert Display Name: New SSH key added

Severity: Low

VM_SuspectCompilation

Alert Display Name: Suspicious compilation detected

Severity: Medium

VM_SuspectConnection

Alert Display Name: An uncommon connection attempt detected

Severity: Medium

VM_SuspectDownload

Alert Display Name: Detected file download from a known malicious source

Severity: Medium

VM_SuspectDownloadArtifacts

Alert Display Name: Detected suspicious file download

Severity: Low

VM_SuspectExecutablePath

Alert Display Name: Executable found running from a suspicious location

Severity: Medium

VM_SuspectHtaccessFileAccess

Alert Display Name: Access of htaccess file detected

Severity: Medium

VM_SuspectInitialShellCommand

Alert Display Name: Suspicious first command in shell

Severity: Low

VM_SuspectMixedCaseText

Alert Display Name: Detected anomalous mix of uppercase and lowercase characters in command line

Severity: Medium

VM_SuspectNetworkConnection

Alert Display Name: Suspicious network connection

Severity: Informational

VM_SuspectNohup

Alert Display Name: Detected suspicious use of the nohup command

Severity: Medium

VM_SuspectPasswordChange

Alert Display Name: Possible password change using crypt-method detected

Severity: Medium

VM_SuspectPasswordFileAccess

Alert Display Name: Suspicious password access

Severity: Informational

VM_SuspectPhp

Alert Display Name: Suspicious PHP execution detected

Severity: Medium

VM_SuspectPortForwarding

Alert Display Name: Potential port forwarding to external IP address

Severity: Medium

VM_SuspectProcessAccountPrivilegeCombo

Alert Display Name: Process running in a service account became root unexpectedly

Severity: Medium

VM_SuspectProcessTermination

Alert Display Name: Security-related process termination detected

Severity: Low

VM_SuspectUserAddition

Alert Display Name: Detected suspicious use of the useradd command

Severity: Medium

VM_SuspiciousCommandLineExecution

Alert Display Name: Suspicious command execution

Severity: High

VM_SuspiciousDNSOverHttps

Alert Display Name: Suspicious use of DNS over HTTPS

Severity: Medium

VM_SystemLogRemoval

Alert Display Name: Possible Log Tampering Activity Detected

Severity: Medium

VM_ThreatIntelCommandLineSuspectDomain

Alert Display Name: A possible connection to malicious location has been detected

Severity: Medium

VM_ThreatIntelSuspectLogon

Alert Display Name: A logon from a malicious IP has been detected

Severity: High

VM_TimerServiceDisabled

Alert Display Name: Attempt to stop apt-daily-upgrade.timer service detected

Severity: Informational

VM_TimestampTampering

Alert Display Name: Suspicious file timestamp modification

Severity: Low

VM_Webshell

Alert Display Name: Possible malicious web shell detected

Severity: Medium

Deprecated Defender for Servers Windows alerts

SCUBA_MULTIPLEACCOUNTCREATE

Alert Display Name: Suspicious creation of accounts on multiple hosts

Severity: Medium

SCUBA_PSINSIGHT_CONTEXT

Alert Display Name: Suspicious use of PowerShell detected

Severity: Informational

SCUBA_RULE_AddGuestToAdministrators

Alert Display Name: Addition of Guest account to Local Administrators group

Severity: Medium

SCUBA_RULE_Apache_Tomcat_executing_suspicious_commands

Alert Display Name: Apache_Tomcat_executing_suspicious_commands

Severity: Medium

SCUBA_RULE_KnownBruteForcingTools

Alert Display Name: Suspicious process executed

Severity: High

SCUBA_RULE_KnownCollectionTools

Alert Display Name: Suspicious process executed

Severity: High

SCUBA_RULE_KnownDefenseEvasionTools

Alert Display Name: Suspicious process executed

Severity: High

SCUBA_RULE_KnownExecutionTools

Alert Display Name: Suspicious process executed

Severity: High

SCUBA_RULE_KnownPassTheHashTools

Alert Display Name: Suspicious process executed

Severity: High

SCUBA_RULE_KnownSpammingTools

Alert Display Name: Suspicious process executed

Severity: Medium

SCUBA_RULE_Lowering_Security_Settings

Alert Display Name: Detected the disabling of critical services

Severity: Medium

SCUBA_RULE_OtherKnownHackerTools

Alert Display Name: Suspicious process executed

Severity: High

SCUBA_RULE_RDP_session_hijacking_via_tscon

Alert Display Name: Suspect integrity level indicative of RDP hijacking

Severity: Medium

SCUBA_RULE_RDP_session_hijacking_via_tscon_service

Alert Display Name: Suspect service installation

Severity: Medium

SCUBA_RULE_Suppress_pesky_unauthorized_use_prohibited_notices

Alert Display Name: Detected suppression of legal notice displayed to users at logon

Severity: Low

SCUBA_RULE_WDigest_Enabling

Alert Display Name: Detected enabling of the WDigest UseLogonCredential registry key

Severity: Medium

VM.Windows_ApplockerBypass

Alert Display Name: Potential attempt to bypass AppLocker detected

Severity: High

VM.Windows_BariumKnownSuspiciousProcessExecution

Alert Display Name: Detected suspicious file creation

Severity: High

VM.Windows_Base64EncodedExecutableInCommandLineParams

Alert Display Name: Detected encoded executable in command line data

Severity: High

VM.Windows_CalcsCommandLineUse

Alert Display Name: Detected suspicious use of Cacls to lower the security state of the system

Severity: Medium

VM.Windows_CommandLineStartingAllExe

Alert Display Name: Detected suspicious command line used to start all executables in a directory

Severity: Medium

VM.Windows_DisablingAndDeletingIISLogFiles

Alert Display Name: Detected actions indicative of disabling and deleting IIS log files

Severity: Medium

VM.Windows_DownloadUsingCertutil

Alert Display Name: Suspicious download using Certutil detected

Severity: Medium

VM.Windows_EchoOverPipeOnLocalhost

Alert Display Name: Detected suspicious named pipe communications

Severity: High

VM.Windows_EchoToConstructPowerShellScript

Alert Display Name: Dynamic PowerShell script construction

Severity: Medium

VM.Windows_ExecutableDecodedUsingCertutil

Alert Display Name: Detected decoding of an executable using built-in certutil.exe tool

Severity: Medium

VM.Windows_FileDeletionIsSospisiousLocation

Alert Display Name: Suspicious file deletion detected

Severity: Medium

VM.Windows_KerberosGoldenTicketAttack

Alert Display Name: Suspected Kerberos Golden Ticket attack parameters observed

Severity: Medium

VM.Windows_KeygenToolKnownProcessName

Alert Display Name: Detected possible execution of keygen executable Suspicious process executed

Severity: Medium

VM.Windows_KnownCredentialAccessTools

Alert Display Name: Suspicious process executed

Severity: High

VM.Windows_KnownSuspiciousPowerShellScript

Alert Display Name: Suspicious use of PowerShell detected

Severity: High

VM.Windows_KnownSuspiciousSoftwareInstallation

Alert Display Name: High risk software detected

Severity: Medium

VM.Windows_MsHtaAndPowerShellCombination

Alert Display Name: Detected suspicious combination of HTA and PowerShell

Severity: Medium

VM.Windows_MultipleAccountsQuery

Alert Display Name: Multiple Domain Accounts Queried

Severity: Medium

VM.Windows_NewAccountCreation

Alert Display Name: Account creation detected

Severity: Informational

VM.Windows_ObfuscatedCommandLine

Alert Display Name: Detected obfuscated command line.

Severity: High

VM.Windows_PcaluaUseToLaunchExecutable

Alert Display Name: Detected suspicious use of Pcalua.exe to launch executable code

Severity: Medium

VM.Windows_PetyaRansomware

Alert Display Name: Detected Petya ransomware indicators

Severity: High

VM.Windows_PowerShellPowerSploitScriptExecution

Alert Display Name: Suspicious PowerShell cmdlets executed

Severity: Medium

VM.Windows_RansomwareIndication

Alert Display Name: Ransomware indicators detected

Severity: High

VM.Windows_SqlDumperUsedSuspiciously

Alert Display Name: Possible credential dumping detected [seen multiple times]

Severity: Medium

VM.Windows_StopCriticalServices

Alert Display Name: Detected the disabling of critical services

Severity: Medium

VM.Windows_SubvertingAccessibilityBinary

Alert Display Name: Sticky keys attack detected Suspicious account creation detected Medium

VM.Windows_SuspiciousAccountCreation

Alert Display Name: Suspicious Account Creation Detected

Severity: Medium

VM.Windows_SuspiciousFirewallRuleAdded

Alert Display Name: Detected suspicious new firewall rule

Severity: Medium

VM.Windows_SuspiciousFTPSSwitchUsage

Alert Display Name: Detected suspicious use of FTP -s switch

Severity: Medium

VM.Windows_SuspiciousSQLActivity

Alert Display Name: Suspicious SQL activity

Severity: Medium

VM.Windows_SVCHostFromInvalidPath

Alert Display Name: Suspicious process executed

Severity: High

VM.Windows_SystemEventLogCleared

Alert Display Name: The Windows Security log was cleared

Severity: Informational

VM.Windows_TelegramInstallation

Alert Display Name: Detected potentially suspicious use of Telegram tool

Severity: Medium

VM.Windows_UndercoverProcess

Alert Display Name: Suspiciously named process detected

Severity: High

VM.Windows_UserAccountControlBypass

Alert Display Name: Detected change to a registry key that can be abused to bypass UAC

Severity: Medium

VM.Windows_VBScriptEncoding

Alert Display Name: Detected suspicious execution of VBScript.Encode command

Severity: Medium

VM.Windows_WindowPositionRegisteryChange

Alert Display Name: Suspicious WindowPosition registry value detected

Severity: Low

VM.Windows_ZincPortOpenningUsingFirewallRule

Alert Display Name: Malicious firewall rule created by ZINC server implant

Severity: High

VM_DigitalCurrencyMining

Alert Display Name: Digital currency mining related behavior detected

Severity: High

VM_MaliciousSQLActivity

Alert Display Name: Malicious SQL activity

Severity: High

VM_ProcessWithDoubleExtensionExecution

Alert Display Name: Suspicious double extension file executed

Severity: High

VM_RegistryPersistencyKey

Alert Display Name: Windows registry persistence method detected

Severity: Low

VM_ShadowCopyDeletion

Alert Display Name: Suspicious Volume Shadow Copy Activity Executable found running from a suspicious location

Severity: High

VM_SuspectExecutablePath

Alert Display Name: Executable found running from a suspicious location Detected anomalous mix of uppercase and lowercase characters in command line

Severity: Informational

Medium

VM_SuspectPhp

Alert Display Name: Suspicious PHP execution detected

Severity: Medium

VM_SuspiciousCommandLineExecution

Alert Display Name: Suspicious command execution

Severity: High

VM_SuspiciousScreenSaverExecution

Alert Display Name: Suspicious Screensaver process executed

Severity: Medium

VM_SvcHostRunInRareServiceGroup

Alert Display Name: Rare SVCHOST service group executed

Severity: Informational

VM_SystemProcessInAbnormalContext

Alert Display Name: Suspicious system process executed

Severity: Medium

VM_ThreatIntelCommandLineSuspectDomain

Alert Display Name: A possible connection to malicious location has been detected

Severity: Medium

VM_ThreatIntelSuspectLogon

Alert Display Name: A logon from a malicious IP has been detected

Severity: High

VM_VbScriptHttpObjectAllocation

Alert Display Name: VBScript HTTP object allocation detected

Severity: High

VM_TaskkillBurst

Alert Display Name: Suspicious process termination burst

Severity: Low

VM_RunByPsExec

Alert Display Name: PsExec execution detected

Severity: Informational

Note

For alerts that are in preview: The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Next steps