What's new in Defender for Cloud recommendations, alerts, and incidents
This article summarizes what's new in security recommendations, alerts, and incidents in Microsoft Defender for Cloud. It includes information about new, modified, and deprecated recommendations and alerts.
This page is updated frequently with the latest recommendations and alerts in Defender for Cloud.
Find the latest information about new and updated Defender for Cloud features in What's new in Defender for Cloud features.
Tip
Get notified when this page is updated by copying and pasting the following URL into your feed reader:
https://aka.ms/mdc/rss-recommendations-alerts
- Review a complete list of security recommendations and alerts:
Recommendations, alerts, and incidents updates
New and updated recommendations, alerts, and incidents are added to the table in date order.
Date | Type | State | Name |
---|---|---|---|
November 19 | Deprecation | GA | MFA recommendations are deprecated as Azure now requires it. The following recommendations are deprecated:<br>- Accounts with read permissions on Azure resources should be MFA enabled<br>- Accounts with write permissions on Azure resources should be MFA enabled<br>- Accounts with owner permissions on Azure resources should be MFA enabled |
October 30 | Recommendation | Upcoming Deprecation | MFA recommendations are deprecated as Azure now requires it. The following recommendations will be deprecated:<br>- Accounts with read permissions on Azure resources should be MFA enabled<br>- Accounts with write permissions on Azure resources should be MFA enabled<br>- Accounts with owner permissions on Azure resources should be MFA enabled |
September 5 | Recommendation | GA | System updates should be installed on your machines (powered by Azure Update Manager) |
September 5 | Recommendation | GA | Machines should be configured to periodically check for missing system updates |
August 15 | Incident | Upcoming deprecation | Estimated date for change: September 15, 2024.<br>Security incident detected anomalous geographical location activity (Preview)<br>Security incident detected suspicious app service activity (Preview)<br>Security incident detected suspicious Key Vault activity (Preview)<br>Security incident detected suspicious Azure toolkits activity (Preview)<br>Security incident detected on the same resource (Preview)<br>Security incident detected suspicious IP activity (Preview)<br>Security incident detected suspicious user activity (Preview)<br>Security incident detected suspicious service principal activity (Preview)<br>Security incident detected suspicious SAS activity (Preview)<br>Security incident detected suspicious account activity (Preview)<br>Security incident detected suspicious crypto mining activity (Preview)<br>Security incident detected suspicious fileless attack activity (Preview)<br>Security incident detected suspicious Kubernetes cluster activity (Preview)<br>Security incident detected suspicious storage activity (Preview)<br>Security incident detected suspicious data exfiltration activity (Preview)<br>Security incident detected suspicious DNS activity (Preview)<br>Security incident detected suspicious SQL activity (Preview)<br>Security incident detected suspicious DDOS activity (Preview) |
August 12 | Recommendation | Upcoming deprecation | File integrity monitoring should be enabled on machines. Estimated deprecation: August 2024 |
August 11 | Recommendation | Upcoming deprecation | Super identities in your Azure environment should be removed. Estimated deprecation: September 2024 |
August 2 | Recommendation | Preview | Azure DevOps projects should have creation of classic pipelines disabled |
August 2 | Recommendation | Preview | GitHub organizations should block Copilot suggestions that match public code |
August 2 | Recommendation | Preview | GitHub organizations should enforce multifactor authentication for outside collaborators |
August 2 | Recommendation | Preview | GitHub repositories should require minimum two-reviewer approval for code pushes |
July 31 | Recommendation | Preview | Privileged roles should not have permanent access at the subscription and resource group level |
July 31 | Recommendation | Preview | Service Principals should not be assigned with administrative roles at the subscription and resource group level |
July 31 | Recommendation | Update | Azure AI Services resources should use Azure Private Link |
July 31 | Recommendation | GA | [EDR solution should be installed on Virtual Machines](recommendations-reference-compute.md#edr-solution-should-be-installed-on-virtual-machineshttpsportalazurecomblademicrosoft_azure_securityrecommendationsbladeassessmentkey06e3a6db-6c0c-4ad9-943f-31d9d73ecf6c) |
July 31 | Recommendation | GA | [EDR solution should be installed on EC2s](recommendations-reference-compute.md#edr-solution-should-be-installed-on-ec2shttpsportalazurecomblademicrosoft_azure_securityrecommendationsbladeassessmentkey77d09952-2bc2-4495-8795-cc8391452f85) |
July 31 | Recommendation | GA | [EDR configuration issues should be resolved on virtual machines](recommendations-reference-compute.md#edr-configuration-issues-should-be-resolved-on-virtual-machineshttpsportalazurecomblademicrosoft_azure_securityrecommendationsbladeassessmentkeydc5357d0-3858-4d17-a1a3-072840bff5be) |
July 31 | Recommendation | GA | [EDR configuration issues should be resolved on EC2s](recommendations-reference-compute.md#edr-configuration-issues-should-be-resolved-on-ec2shttpsportalazurecomblademicrosoft_azure_securityrecommendationsbladeassessmentkey695abd03-82bd-4d7f-a94c-140e8a17666c) |
July 31 | Alert | Upcoming deprecation | Traffic detected from IP addresses recommended for blocking |
June 27 | Alert | Deprecation | Security incident detected suspicious source IP activity. Severity: Medium/High |
June 27 | Alert | Deprecation | Security incident detected on multiple resources. Severity: Medium/High |
June 27 | Alert | Deprecation | Security incident detected compromised machine. Severity: Medium/High |
June 27 | Alert | Deprecation | Security incident detected suspicious virtual machines activity. Severity: Medium/High |
May 30 | Recommendation | GA | Linux virtual machines should enable Azure Disk Encryption (ADE) or EncryptionAtHost. Assessment key a40cc620-e72c-fdf4-c554-c6ca2cd705c0 |
May 30 | Recommendation | GA | Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost. Assessment key 0cb5f317-a94b-6b80-7212-13a9cc8826af |
May 28 | Recommendation | GA | Machine should be configured securely (powered by MDVM) |
May 1 | Recommendation | Upcoming deprecation | System updates should be installed on your machines. Estimated deprecation: July 2024. |
May 1 | Recommendation | Upcoming deprecation | System updates on virtual machine scale sets should be installed. Estimated deprecation: July 2024. |
May 1 | Recommendation | Upcoming deprecation | Log Analytics agent should be installed on Windows-based Azure Arc-enabled machines. Estimated deprecation: July 2024 |
May 1 | Recommendation | Upcoming deprecation | Log Analytics agent should be installed on virtual machine scale sets. Estimated deprecation: July 2024 |
May 1 | Recommendation | Upcoming deprecation | Auto provisioning of the Log Analytics agent should be enabled on subscriptions. Estimated deprecation: July 2024 |
May 1 | Recommendation | Upcoming deprecation | Log Analytics agent should be installed on virtual machines. Estimated deprecation: July 2024 |
May 1 | Recommendation | Upcoming deprecation | Adaptive application controls for defining safe applications should be enabled on your machines. Estimated deprecation: July 2024 |
April 3 | Recommendation | Upcoming deprecation | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
April 3 | Recommendation | Preview | Container images in Azure registry should have vulnerability findings resolved (Preview) |
April 3 | Recommendation | Preview | Containers running in Azure should have vulnerability findings resolved (Preview) |
April 2 | Recommendation | Upcoming deprecation | Virtual machines should be migrated to new Azure Resource Manager resources. There's no effect since these resources no longer exist. Estimated date: July 30, 2024 |
April 2 | Recommendation | Deprecation | Public network access should be disabled for Cognitive Services accounts. |
April 2 | Recommendation | GA | Azure registry container images should have vulnerabilities resolved |
April 2 | Recommendation | Deprecation | Public network access should be disabled for Cognitive Services accounts |
April 2 | Recommendation | GA | Azure running container images should have vulnerabilities resolved |
March 28 | Recommendation | Upcoming | Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost (assessment key a40cc620-e72c-fdf4-c554-c6ca2cd705c0) |
March 28 | Recommendation | Upcoming | Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost (assessment key 0cb5f317-a94b-6b80-7212-13a9cc8826af) |
March 18 | Recommendation | GA | EDR solution should be installed on virtual machines |
March 18 | Recommendation | GA | EDR configuration issues should be resolved on virtual machines |
March 18 | Recommendation | GA | EDR configuration issues should be resolved on EC2s |
March 18 | Recommendation | GA | EDR solution should be installed on EC2s |
End March | Recommendation | Deprecation | Endpoint protection should be installed on machines. |
End March | Recommendation | Deprecation | Endpoint protection health issues on machines should be resolved |
March 5 | Recommendation | Deprecation | Over-provisioned identities in accounts should be investigated to reduce the Permission Creep Index (PCI) |
March 5 | Recommendation | Deprecation | Over-provisioned identities in subscriptions should be investigated to reduce the Permission Creep Index (PCI) |
February 20 | Recommendation | Upcoming | Azure AI Services resources should restrict network access |
February 20 | Recommendation | Upcoming | Azure AI Services resources should have key access disabled (disable local authentication) |
February 12 | Recommendation | Deprecation | Public network access should be disabled for Cognitive Services accounts. Estimated deprecation: March 14, 2024 |
February 8 | Recommendation | Preview | (Preview) Azure Stack HCI servers should meet secured-core requirements |
February 8 | Recommendation | Preview | (Preview) Azure Stack HCI servers should have consistently enforced application control policies |
February 8 | Recommendation | Preview | (Preview) Azure Stack HCI systems should have encrypted volumes |
February 8 | Recommendation | Preview | (Preview) Host and VM networking should be protected on Azure Stack HCI systems |
January 25 | Alert (Container) | Deprecation | Anomalous pod deployment (Preview) (K8S_AnomalousPodDeployment) |
January 25 | Alert (Container) | Deprecation | Excessive role permissions assigned in Kubernetes cluster (Preview) (K8S_ServiceAcountPermissionAnomaly) |
January 25 | Alert (Container) | Deprecation | Anomalous access to Kubernetes secret (Preview) (K8S_AnomalousSecretAccess) |
January 25 | Alert (Windows machines) | Update to informational | Adaptive application control policy violation was audited (VM_AdaptiveApplicationControlWindowsViolationAudited) |
January 25 | Alert (Windows machines) | Update to informational | Adaptive application control policy violation was audited (VM_AdaptiveApplicationControlLinuxViolationAudited) |
January 25 | Alert (Container) | Update to informational | Attempt to create a new Linux namespace from a container detected (K8S.NODE_NamespaceCreation) |
January 25 | Alert (Container) | Update to informational | Attempt to stop apt-daily-upgrade.timer service detected (K8S.NODE_TimerServiceDisabled) |
January 25 | Alert (Container) | Update to informational | Command within a container running with high privileges (K8S.NODE_PrivilegedExecutionInContainer) |
January 25 | Alert (Container) | Update to informational | Container running in privileged mode (K8S.NODE_PrivilegedContainerArtifacts) |
January 25 | Alert (Container) | Update to informational | Container with a sensitive volume mount detected (K8S_SensitiveMount) |
January 25 | Alert (Container) | Update to informational | Creation of admission webhook configuration detected (K8S_AdmissionController) |
January 25 | Alert (Container) | Update to informational | Detected suspicious file download (K8S.NODE_SuspectDownloadArtifacts) |
January 25 | Alert (Container) | Update to informational | Docker build operation detected on a Kubernetes node (K8S.NODE_ImageBuildOnNode) |
January 25 | Alert (Container) | Update to informational | New container in the kube-system namespace detected (K8S_KubeSystemContainer) |
January 25 | Alert (Container) | Update to informational | New high privileges role detected (K8S_HighPrivilegesRole) |
January 25 | Alert (Container) | Update to informational | Privileged container detected (K8S_PrivilegedContainer) |
January 25 | Alert (Container) | Update to informational | Process seen accessing the SSH authorized keys file in an unusual way (K8S.NODE_SshKeyAccess) |
January 25 | Alert (Container) | Update to informational | Role binding to the cluster-admin role detected (K8S_ClusterAdminBinding) |
January 25 | Alert (Container) | Update to informational | SSH server is running inside a container (K8S.NODE_ContainerSSH) |
January 25 | Alert (DNS) | Update to informational | Communication with suspicious algorithmically generated domain (AzureDNS_DomainGenerationAlgorithm) |
January 25 | Alert (DNS) | Update to informational | Communication with suspicious algorithmically generated domain (DNS_DomainGenerationAlgorithm) |
January 25 | Alert (DNS) | Update to informational | Communication with suspicious random domain name (Preview) (DNS_RandomizedDomain) |
January 25 | Alert (DNS) | Update to informational | Communication with suspicious random domain name (AzureDNS_RandomizedDomain) |
January 25 | Alert (DNS) | Update to informational | Communication with possible phishing domain (AzureDNS_PhishingDomain) |
January 25 | Alert (DNS) | Update to informational | Communication with possible phishing domain (Preview) (DNS_PhishingDomain) |
January 25 | Alert (Azure App Service) | Update to informational | NMap scanning detected (AppServices_Nmap) |
January 25 | Alert (Azure App Service) | Update to informational | Suspicious User Agent detected (AppServices_UserAgentInjection) |
January 25 | Alert (Azure network layer) | Update to informational | Possible incoming SMTP brute force attempts detected (Generic_Incoming_BF_OneToOne) |
January 25 | Alert (Azure network layer) | Update to informational | Traffic detected from IP addresses recommended for blocking (Network_TrafficFromUnrecommendedIP) |
January 25 | Alert (Azure Resource Manager) | Update to informational | Privileged custom role created for your subscription in a suspicious way (Preview) (ARM_PrivilegedRoleDefinitionCreation) |
January 4 | Recommendation | Preview | Cognitive Services accounts should have local authentication methods disabled (Microsoft Cloud Security Benchmark) |
January 4 | Recommendation | Preview | Cognitive Services should use private link (Microsoft Cloud Security Benchmark) |
January 4 | Recommendation | Preview | Virtual machines and virtual machine scale sets should have encryption at host enabled (Microsoft Cloud Security Benchmark) |
January 4 | Recommendation | Preview | Azure Cosmos DB should disable public network access (Microsoft Cloud Security Benchmark) |
January 4 | Recommendation | Preview | Cosmos DB accounts should use private link (Microsoft Cloud Security Benchmark) |
January 4 | Recommendation | Preview | VPN gateways should use only Azure Active Directory (Azure AD) authentication for point-to-site users (Microsoft Cloud Security Benchmark) |
January 4 | Recommendation | Preview | Azure SQL Database should be running TLS version 1.2 or newer (Microsoft Cloud Security Benchmark) |
January 4 | Recommendation | Preview | Azure SQL Managed Instances should disable public network access (Microsoft Cloud Security Benchmark) |
January 4 | Recommendation | Preview | Storage accounts should prevent shared key access (Microsoft Cloud Security Benchmark) |
December 14 | Recommendation | Preview | Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management). Vulnerability assessment for Linux container images with Microsoft Defender Vulnerability Management. |
December 14 | Recommendation | GA | Azure running container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management). Vulnerability assessment for Linux container images with Microsoft Defender Vulnerability Management. |
December 14 | Recommendation | Rename | New: Azure registry container images should have vulnerabilities resolved (powered by Qualys). Vulnerability assessment for container images using Qualys. Old: Container registry images should have vulnerability findings resolved (powered by Qualys) |
December 14 | Recommendation | Rename | New: Azure running container images should have vulnerabilities resolved (powered by Qualys). Vulnerability assessment for container images using Qualys. Old: Running container images should have vulnerability findings resolved (powered by Qualys) |
December 4 | Alert | Preview | Malicious blob was downloaded from a storage account (Preview). MITRE tactics: Lateral movement |
Related content
For information about new features, see What's new in Defender for Cloud features.