What's new in Defender for Cloud recommendations, alerts, and incidents

This article summarizes what's new in security recommendations, alerts, and incidents in Microsoft Defender for Cloud. It includes information about new, modified, and deprecated recommendations and alerts.

  • This page is updated frequently with the latest recommendations and alerts in Defender for Cloud.

  • Find the latest information about new and updated Defender for Cloud features in What's new in Defender for Cloud features.

Tip

Get notified when this page is updated by copying and pasting the following URL into your feed reader:

https://aka.ms/mdc/rss-recommendations-alerts

Recommendations, alerts, and incidents updates

New and updated recommendations, alerts, and incidents are added to the table in date order.

Date Type State Name
October 30 Recommendation Upcoming Deprecation MFA recommendations are deprecated as Azure now requires it..
The following recommendations will be deprecated:
* Accounts with read permissions on Azure resources should be MFA enabled
* Accounts with write permissions on Azure resources should be MFA enabled
* Accounts with owner permissions on Azure resources should be MFA enabled
September 5 Recommendation GA System updates should be installed on your machines (powered by Azure Update Manager)
September 5 Recommendation GA Machines should be configured to periodically check for missing system updates
August 15 Incident Upcoming deprecation Estimated date for change: September 15, 2024

Security incident detected anomalous geographical location activity (Preview)
Security incident detected suspicious app service activity (Preview)
Security incident detected suspicious Key Vault activity (Preview)
Security incident detected suspicious Azure toolkits activity (Preview)
Security incident detected on the same resource (Preview)
Security incident detected suspicious IP activity (Preview)
Security incident detected suspicious user activity (Preview)
Security incident detected suspicious service principal activity (Preview)
Security incident detected suspicious SAS activity (Preview)
Security incident detected suspicious account activity (Preview)
Security incident detected suspicious crypto mining activity (Preview)
Security incident detected suspicious fileless attack activity (Preview)
Security incident detected suspicious Kubernetes cluster activity (Preview)
Security incident detected suspicious storage activity (Preview)
Security incident detected suspicious crypto mining activity (Preview)
Security incident detected suspicious data exfiltration activity (Preview)
Security incident detected suspicious Kubernetes cluster activity (Preview)
Security incident detected suspicious DNS activity (Preview)
Security incident detected suspicious SQL activity (Preview)
Security incident detected suspicious DDOS activity (Preview)
August 12 Recommendation Upcoming deprecation File integrity monitoring should be enabled on machines Estimated deprecation: August 2024
August 11 Recommendation Upcoming deprecation Super identities in your Azure environment should be removed Estimated deprecation: September 2024
August 2 Recommendation Preview Azure DevOps projects should have creation of classic pipelines disabled
August 2 Recommendation Preview GitHub organizations should block Copilot suggestions that match public code
August 2 Recommendation Preview GitHub organizations should enforce multifactor authentication for outside collaborators
August 2 Recommendation Preview GitHub repositories should require minimum two-reviewer approval for code pushes
July 31 Recommendation Preview Privileged roles should not have permanent access at the subscription and resource group level
July 31 Recommendation Preview Service Principals should not be assigned with administrative roles at the subscription and resource group level
July 31 Recommendation Update Azure AI Services resources should use Azure Private Link
July 31 Recommendation GA [EDR solution should be installed on Virtual Machines](recommendations-reference-compute.md#edr-solution-should-be-installed-on-virtual-machineshttpsportalazurecomblademicrosoft_azure_securityrecommendationsbladeassessmentkey06e3a6db-6c0c-4ad9-943f-31d9d73ecf6c)
July 31 Recommendation GA [EDR solution should be installed on EC2s](recommendations-reference-compute.md#edr-solution-should-be-installed-on-ec2shttpsportalazurecomblademicrosoft_azure_securityrecommendationsbladeassessmentkey77d09952-2bc2-4495-8795-cc8391452f85)
July 31 Recommendation GA [EDR configuration issues should be resolved on virtual machines](recommendations-reference-compute.md#edr-configuration-issues-should-be-resolved-on-virtual-machineshttpsportalazurecomblademicrosoft_azure_securityrecommendationsbladeassessmentkeydc5357d0-3858-4d17-a1a3-072840bff5be)
July 31 Recommendation GA [EDR configuration issues should be resolved on EC2s](recommendations-reference-compute.md#edr-configuration-issues-should-be-resolved-on-ec2shttpsportalazurecomblademicrosoft_azure_securityrecommendationsbladeassessmentkey695abd03-82bd-4d7f-a94c-140e8a17666c)
July 31 Alert Upcoming deprecation Traffic detected from IP addresses recommended for blocking
June 27 Alert Deprecation Security incident detected suspicious source IP activity

Severity: Medium/High
June 27 Alert Deprecation Security incident detected on multiple resources

Severity: Medium/High
June 27 Alert Deprecation Security incident detected compromised machine

Severity: Medium/High
June 27 Alert Deprecation Security incident detected suspicious virtual machines activity

Severity: Medium/High
May 30 Recommendation GA Linux virtual machines should enable Azure Disk Encryption (ADE) or EncryptionAtHost. Assessment key a40cc620-e72c-fdf4-c554-c6ca2cd705c0
May 30 Recommendation GA Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost. Assessment key 0cb5f317-a94b-6b80-7212-13a9cc8826af
May 28 Recommendation GA Machine should be configured securely (powered by MDVM)
May 1 Recommendation Upcoming deprecation System updates should be installed on your machines.

Estimated deprecation: July 2024.
May 1 Recommendation Upcoming deprecation System updates on virtual machine scale sets should be installed.

Estimated deprecation: July 2024.
May 1 Recommendation Upcoming deprecation Log Analytics agent should be installed on Windows-based Azure Arc-enabled machines

Estimated deprecation: July 2024
May 1 Recommendation Upcoming deprecation Log Analytics agent should be installed on virtual machine scale sets

Estimated deprecation: July 2024
May 1 Recommendation Upcoming deprecation Auto provisioning of the Log Analytics agent should be enabled on subscriptions

Estimated deprecation: July 2024
May 1 Recommendation Upcoming deprecation Log Analytics agent should be installed on virtual machines

Estimated deprecation: July 2024
May 1 Recommendation Upcoming deprecation Adaptive application controls for defining safe applications should be enabled on your machines

Estimated deprecation: July 2024
April 3 Recommendation Upcoming deprecation Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
April 3 Recommendation Preview Container images in Azure registry should have vulnerability findings resolved (Preview)
April 3 Recommendation Preview Containers running in Azure should have vulnerability findings resolved (Preview)
April 2 Recommendation Upcoming deprecation Virtual machines should be migrated to new Azure Resource Manager resourcesThe.

There's no effect since these resources no longer exist. Estimated date: July 30, 2024
April 2 Recommendation Deprecation Public network access should be disabled for Cognitive Services accounts.
April 2 Recommendation GA Azure registry container images should have vulnerabilities resolved
April 2 Recommendation Deprecation Public network access should be disabled for Cognitive Services accounts
April 2 Recommendation GA Azure running container images should have vulnerabilities resolved
March 28 Recommendation Upcoming Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost (assessment key a40cc620-e72c-fdf4-c554-c6ca2cd705c0)
March 28 Recommendation Upcoming Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost (assessment key 0cb5f317-a94b-6b80-7212-13a9cc8826af)
March 18 Recommendation GA EDR solution should be installed on virtual machines
March 18 Recommendation GA EDR configuration issues should be resolved on virtual machines
March 18 Recommendation GA EDR configuration issues should be resolved on EC2s
March 18 Recommendation GA EDR solution should be installed on EC2s
End March Recommendation Deprecation Endpoint protection should be installed on machines .
End March Recommendation Deprecation Endpoint protection health issues on machines should be resolved
March 5 Recommendation Deprecation Over-provisioned identities in accounts should be investigated to reduce the Permission Creep Index (PCI)
March 5 Recommendation Deprecation Over-provisioned identities in subscriptions should be investigated to reduce the Permission Creep Index (PCI)
February 20 Recommendation Upcoming Azure AI Services resources should restrict network access
February 20 Recommendation Upcoming Azure AI Services resources should have key access disabled (disable local authentication)
February 12 Recommendation Deprecation Public network access should be disabled for Cognitive Services accounts. Estimated deprecation: March 14 2024
February 8 Recommendation Preview (Preview) Azure Stack HCI servers should meet secured-core requirements
February 8 Recommendation Preview (Preview) Azure Stack HCI servers should have consistently enforced application control policies
February 8 Recommendation Preview (Preview) Azure Stack HCI systems should have encrypted volumes
February 8 Recommendation Preview (Preview) Host and VM networking should be protected on Azure Stack HCI systems
January 25 Alert (Container) Deprecation Anomalous pod deployment (Preview) (K8S_AnomalousPodDeployment)
January 25 Alert (Container) Deprecation Excessive role permissions assigned in Kubernetes cluster (Preview) (K8S_ServiceAcountPermissionAnomaly)
January 25 Alert (Container) Deprecation Anomalous access to Kubernetes secret (Preview) (K8S_AnomalousSecretAccess)
January 25 Alert (Windows machines) Update to informational Adaptive application control policy violation was audited (VM_AdaptiveApplicationControlWindowsViolationAudited)
January 25 Alert (Windows machines) Update to informational Adaptive application control policy violation was audited (VM_AdaptiveApplicationControlLinuxViolationAudited)
January 25 Alert (Container) Update to informational Attempt to create a new Linux namespace from a container detected (K8S.NODE_NamespaceCreation)
January 25 Alert (Container) Update to informational Attempt to stop apt-daily-upgrade.timer service detected (K8S.NODE_TimerServiceDisabled)
January 25 Alert (Container) Update to informational Command within a container running with high privileges (K8S.NODE_PrivilegedExecutionInContainer)
January 25 Alert (Container) Update to informational Container running in privileged mode (K8S.NODE_PrivilegedContainerArtifacts)
January 25 Alert (Container) Update to informational Container with a sensitive volume mount detected (K8S_SensitiveMount)
January 25 Alert (Container) Update to informational Creation of admission webhook configuration detected (K8S_AdmissionController)
January 25 Alert (Container) Update to informational Detected suspicious file download (K8S.NODE_SuspectDownloadArtifacts)
January 25 Alert (Container) Update to informational Docker build operation detected on a Kubernetes node (K8S.NODE_ImageBuildOnNode)
January 25 Alert (Container) Update to informational New container in the kube-system namespace detected (K8S_KubeSystemContainer)
January 25 Alert (Container) Update to informational New high privileges role detected (K8S_HighPrivilegesRole)
January 25 Alert (Container) Update to informational Privileged container detected (K8S_PrivilegedContainer)
January 25 Alert (Container) Update to informational Process seen accessing the SSH authorized keys file in an unusual way (K8S.NODE_SshKeyAccess)
January 25 Alert (Container) Update to informational Role binding to the cluster-admin role detected (K8S_ClusterAdminBinding)
January 25 Alert (Container) Update to informational SSH server is running inside a container (K8S.NODE_ContainerSSH)
January 25 Alert (DNS) Update to informational Communication with suspicious algorithmically generated domain (AzureDNS_DomainGenerationAlgorithm)
January 25 Alert (DNS) Update to informational Communication with suspicious algorithmically generated domain (DNS_DomainGenerationAlgorithm)
January 25 Alert (DNS) Update to informational Communication with suspicious random domain name (Preview) (DNS_RandomizedDomain)
January 25 Alert (DNS) Update to informational Communication with suspicious random domain name (AzureDNS_RandomizedDomain)
January 25 Alert (DNS) Update to informational Communication with possible phishing domain (AzureDNS_PhishingDomain)
January 25 Alert (DNS) Update to informational Communication with possible phishing domain (Preview) (DNS_PhishingDomain)
January 25 Alert (Azure App Service) Update to informational NMap scanning detected (AppServices_Nmap)
January 25 Alert (Azure App Service) Update to informational Suspicious User Agent detected (AppServices_UserAgentInjection)
January 25 Alert (Azure network layer) Update to informational Possible incoming SMTP brute force attempts detected (Generic_Incoming_BF_OneToOne)
January 25 Alert (Azure network layer) Update to informational Traffic detected from IP addresses recommended for blocking (Network_TrafficFromUnrecommendedIP)
January 25 Alert (Azure Resource Manager) Update to informational Privileged custom role created for your subscription in a suspicious way (Preview)(ARM_PrivilegedRoleDefinitionCreation)
January 4 Recommendation Preview Cognitive Services accounts should have local authentication methods disabled
Microsoft Cloud Security Benchmark
January 4 Recommendation preview Cognitive Services should use private link
Microsoft Cloud Security Benchmark
January 4 Recommendation Preview Virtual machines and virtual machine scale sets should have encryption at host enabled
Microsoft Cloud Security Benchmark
January 4 Recommendation Preview Azure Cosmos DB should disable public network access
Microsoft Cloud Security Benchmark
January 4 Recommendation Preview Cosmos DB accounts should use private link
Microsoft Cloud Security Benchmark
January 4 Recommendation Preview VPN gateways should use only Azure Active Directory (Azure AD) authentication for point-to-site users
Microsoft Cloud Security Benchmark
January 4 Recommendation Preview Azure SQL Database should be running TLS version 1.2 or newer
Microsoft Cloud Security Benchmark
January 4 Recommendation Preview Azure SQL Managed Instances should disable public network access
Microsoft Cloud Security Benchmark
January 4 Recommendation Preview Storage accounts should prevent shared key access
Microsoft Cloud Security Benchmark
December 14 Recommendation Preview Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)

Vulnerability assessment for Linux container images with Microsoft Defender Vulnerability Management.
December 14 Recommendation GA Azure running container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management)

Vulnerability assessment for Linux container images with Microsoft Defender Vulnerability Management.
December 14 Recommendation Rename New: Azure registry container images should have vulnerabilities resolved (powered by Qualys). Vulnerability assessment for container images using Qualys.
Old: Container registry images should have vulnerability findings resolved (powered by Qualys)
December 14 Recommendation Rename New: Azure running container images should have vulnerabilities resolved - (powered by Qualys)

Vulnerability assessment for container images using Qualys.
Old: Running container images should have vulnerability findings resolved (powered by Qualys)
December 4 Alert Preview Malicious blob was downloaded from a storage account (Preview)

MITRE tactics: Lateral movement

For information about new features, see What's new in Defender for Cloud features.