Deprecated security alerts
This article lists deprecated security alerts in Microsoft Defender for Cloud.
The following lists include the Defender for Containers security alerts that have been deprecated.
(K8S.NODE_FirewallDisabled)
Description: Analysis of processes running within a container or directly on a Kubernetes node has detected a possible manipulation of the on-host firewall. Attackers will often disable this to exfiltrate data.
MITRE tactics: DefenseEvasion, Exfiltration
Severity: Medium
(K8S.NODE_SuspiciousDNSOverHttps)
Description: Analysis of processes running within a container or directly on a Kubernetes node has detected the use of a DNS call over HTTPS in an uncommon fashion. This technique is used by attackers to hide calls out to suspect or malicious sites.
MITRE tactics: DefenseEvasion, Exfiltration
Severity: Medium
(K8S.NODE_ThreatIntelCommandLineSuspectDomain)
Description: Analysis of processes running within a container or directly on a Kubernetes node has detected a connection to a location that has been reported to be malicious or unusual. This is an indicator that a compromise might have occurred.
MITRE tactics: InitialAccess
Severity: Medium
(K8S.NODE_CurrencyMining)
Description: Analysis of DNS transactions detected digital currency mining activity. Such activity, while possibly legitimate user behavior, is frequently performed by attackers following compromise of resources. Typical related attacker activity is likely to include the download and execution of common mining tools.
MITRE tactics: Exfiltration
Severity: Low
Alert Display Name: Abnormal Termination
Severity: Low
Alert Display Name: Suspicious binary detected
Severity: Medium
Alert Display Name: domain name reference
Severity: Low
Alert Display Name: Behavior similar to common Linux bots detected
Severity: Medium
Alert Display Name: Commands similar to common Linux bots detected
Severity: Medium
Alert Display Name: Shell Script Detected
Severity: Medium
Alert Display Name: Composite Analytic Test Alert
Severity: Low
Alert Display Name: Manipulation of scheduled tasks detected
Severity: Informational
Alert Display Name: Process associated with digital currency mining detected
Severity: Medium
Alert Display Name: Possible Cryptocoinminer download detected
Severity: Medium
Alert Display Name: Potential crypto coin miner started
Severity: Medium
Alert Display Name: Possible data exfiltration detected
Severity: Medium
Alert Display Name: Digital currency mining related behavior detected
Severity: High
Alert Display Name: Suspicious Download Then Run Activity
Severity: Medium
Alert Display Name: Microsoft Defender for Cloud test alert (not a threat)
Severity: High
Alert Display Name: Execution of hidden file
Severity: Informational
Alert Display Name: Possible command line exploitation attempt
Severity: Medium
Alert Display Name: Exposed Docker daemon on TCP socket
Severity: Medium
Alert Display Name: Behavior similar to Fairware ransomware detected
Severity: Medium
Alert Display Name: Manipulation of host firewall detected
Severity: Medium
Alert Display Name: Possible exploitation of Hadoop Yarn
Severity: Medium
Alert Display Name: A history file has been cleared
Severity: Medium
Alert Display Name: Possible attack tool detected
Severity: Medium
Alert Display Name: Possible credential access tool detected
Severity: Medium
Alert Display Name: Indicators associated with DDOS toolkit detected
Severity: Medium
Alert Display Name: Screenshot taken on host
Severity: Low
Alert Display Name: Possible backdoor detected
Severity: Medium
Alert Display Name: Local host reconnaissance detected
Severity: Medium
Alert Display Name: Script extension mismatch detected
Severity: Medium
Alert Display Name: MITRE Caldera agent detected
Severity: Medium
Alert Display Name: Detected Persistence Attempt
Severity: Medium
Alert Display Name: Account added to sudo group
Severity: Low
Alert Display Name: Potential overriding of common files
Severity: Medium
Alert Display Name: Container running in privileged mode
Severity: Low
Alert Display Name: Command within a container running with high privileges
Severity: Low
Alert Display Name: Unusual access to bash history file
Severity: Informational
Alert Display Name: Potential reverse shell detected
Severity: Medium
Alert Display Name: Process seen accessing the SSH authorized keys file in an unusual way
Severity: Low
Alert Display Name: New SSH key added
Severity: Low
Alert Display Name: Suspicious compilation detected
Severity: Medium
Alert Display Name: An uncommon connection attempt detected
Severity: Medium
Alert Display Name: Detected file download from a known malicious source
Severity: Medium
Alert Display Name: Detected suspicious file download
Severity: Low
Alert Display Name: Executable found running from a suspicious location
Severity: Medium
Alert Display Name: Access of htaccess file detected
Severity: Medium
Alert Display Name: Suspicious first command in shell
Severity: Low
Alert Display Name: Detected anomalous mix of uppercase and lowercase characters in command line
Severity: Medium
Alert Display Name: Suspicious network connection
Severity: Informational
Alert Display Name: Detected suspicious use of the nohup command
Severity: Medium
Alert Display Name: Possible password change using crypt-method detected
Severity: Medium
Alert Display Name: Suspicious password access
Severity: Informational
Alert Display Name: Suspicious PHP execution detected
Severity: Medium
Alert Display Name: Potential port forwarding to external IP address
Severity: Medium
Alert Display Name: Process running in a service account became root unexpectedly
Severity: Medium
Alert Display Name: Security-related process termination detected
Severity: Low
Alert Display Name: Detected suspicious use of the useradd command
Severity: Medium
Alert Display Name: Suspicious command execution
Severity: High
Alert Display Name: Suspicious use of DNS over HTTPS
Severity: Medium
Alert Display Name: Possible Log Tampering Activity Detected
Severity: Medium
Alert Display Name: A possible connection to malicious location has been detected
Severity: Medium
Alert Display Name: A logon from a malicious IP has been detected
Severity: High
Alert Display Name: Attempt to stop apt-daily-upgrade.timer service detected
Severity: Informational
Alert Display Name: Suspicious file timestamp modification
Severity: Low
Alert Display Name: Possible malicious web shell detected
Severity: Medium
Alert Display Name: Suspicious creation of accounts on multiple hosts
Severity: Medium
Alert Display Name: Suspicious use of PowerShell detected
Severity: Informational
Alert Display Name: Addition of Guest account to Local Administrators group
Severity: Medium
Alert Display Name: Apache_Tomcat_executing_suspicious_commands
Severity: Medium
Alert Display Name: Suspicious process executed
Severity: High
Alert Display Name: Suspicious process executed
Severity: High
Alert Display Name: Suspicious process executed
Severity: High
Alert Display Name: Suspicious process executed
Severity: High
Alert Display Name: Suspicious process executed
Severity: High
Alert Display Name: Suspicious process executed
Severity: Medium
Alert Display Name: Detected the disabling of critical services
Severity: Medium
Alert Display Name: Suspicious process executed
Severity: High
Alert Display Name: Suspect integrity level indicative of RDP hijacking
Severity: Medium
Alert Display Name: Suspect service installation
Severity: Medium
Alert Display Name: Detected suppression of legal notice displayed to users at logon
Severity: Low
Alert Display Name: Detected enabling of the WDigest UseLogonCredential registry key
Severity: Medium
Alert Display Name: Potential attempt to bypass AppLocker detected
Severity: High
Alert Display Name: Detected suspicious file creation
Severity: High
Alert Display Name: Detected encoded executable in command line data
Severity: High
Alert Display Name: Detected suspicious use of Cacls to lower the security state of the system
Severity: Medium
Alert Display Name: Detected suspicious command line used to start all executables in a directory
Severity: Medium
Alert Display Name: Detected actions indicative of disabling and deleting IIS log files
Severity: Medium
Alert Display Name: Suspicious download using Certutil detected
Severity: Medium
Alert Display Name: Detected suspicious named pipe communications
Severity: High
Alert Display Name: Dynamic PowerShell script construction
Severity: Medium
Alert Display Name: Detected decoding of an executable using built-in certutil.exe tool
Severity: Medium
Alert Display Name: Suspicious file deletion detected
Severity: Medium
Alert Display Name: Suspected Kerberos Golden Ticket attack parameters observed
Severity: Medium
Alert Display Name: Detected possible execution of keygen executable
Alert Display Name: Suspicious process executed
Severity: Medium
Alert Display Name: Suspicious process executed
Severity: High
Alert Display Name: Suspicious use of PowerShell detected
Severity: High
Alert Display Name: High risk software detected
Severity: Medium
Alert Display Name: Detected suspicious combination of HTA and PowerShell
Severity: Medium
Alert Display Name: Multiple Domain Accounts Queried
Severity: Medium
Alert Display Name: Account creation detected
Severity: Informational
Alert Display Name: Detected obfuscated command line.
Severity: High
Alert Display Name: Detected suspicious use of Pcalua.exe to launch executable code
Severity: Medium
Alert Display Name: Detected Petya ransomware indicators
Severity: High
Alert Display Name: Suspicious PowerShell cmdlets executed
Severity: Medium
Alert Display Name: Ransomware indicators detected
Severity: High
Alert Display Name: Possible credential dumping detected [seen multiple times]
Severity: Medium
Alert Display Name: Detected the disabling of critical services
Severity: Medium
Alert Display Name: Sticky keys attack detected
Alert Display Name: Suspicious account creation detected
Severity: Medium
Alert Display Name: Suspicious Account Creation Detected
Severity: Medium
Alert Display Name: Detected suspicious new firewall rule
Severity: Medium
Alert Display Name: Detected suspicious use of FTP -s switch
Severity: Medium
Alert Display Name: Suspicious SQL activity
Severity: Medium
Alert Display Name: Suspicious process executed
Severity: High
Alert Display Name: The Windows Security log was cleared
Severity: Informational
Alert Display Name: Detected potentially suspicious use of Telegram tool
Severity: Medium
Alert Display Name: Suspiciously named process detected
Severity: High
Alert Display Name: Detected change to a registry key that can be abused to bypass UAC
Severity: Medium
Alert Display Name: Detected suspicious execution of VBScript.Encode command
Severity: Medium
Alert Display Name: Suspicious WindowPosition registry value detected
Severity: Low
Alert Display Name: Malicious firewall rule created by ZINC server implant
Severity: High
Alert Display Name: Digital currency mining related behavior detected
Severity: High
Alert Display Name: Malicious SQL activity
Severity: High
Alert Display Name: Suspicious double extension file executed
Severity: High
Alert Display Name: Windows registry persistence method detected
Severity: Low
Alert Display Name: Suspicious Volume Shadow Copy Activity
Severity: High
Alert Display Name: Executable found running from a suspicious location
Severity: Informational
Alert Display Name: Detected anomalous mix of uppercase and lowercase characters in command line
Severity: Medium
Alert Display Name: Suspicious PHP execution detected
Severity: Medium
Alert Display Name: Suspicious command execution
Severity: High
Alert Display Name: Suspicious Screensaver process executed
Severity: Medium
Alert Display Name: Rare SVCHOST service group executed
Severity: Informational
Alert Display Name: Suspicious system process executed
Severity: Medium
Alert Display Name: A possible connection to malicious location has been detected
Severity: Medium
Alert Display Name: A logon from a malicious IP has been detected
Severity: High
Alert Display Name: VBScript HTTP object allocation detected
Severity: High
Alert Display Name: Suspicious process termination burst
Severity: Low
Alert Display Name: PsExec execution detected
Severity: Informational
Note
For alerts that are in preview: The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.