Security alerts - a reference guide
This article lists the security alerts you might get from Microsoft Defender for Cloud and any Microsoft Defender plans you've enabled. The alerts shown in your environment depend on the resources and services you're protecting, and your customized configuration. At the bottom of this page, there's a table describing the Microsoft Defender for Cloud kill chain aligned with version 9 of the MITRE ATT&CK matrix.

Learn how to respond to these alerts.

Learn how to export alerts.

Note: Alerts from different sources might take different amounts of time to appear. For example, alerts that require analysis of network traffic might take longer to appear than alerts related to suspicious processes running on virtual machines.

Alerts for Windows machines

Microsoft Defender for Servers Plan 2 provides unique detections and alerts, in addition to the ones provided by Microsoft Defender for Endpoint. The alerts provided for Windows machines are:
Alerts for Linux machines

Microsoft Defender for Servers Plan 2 provides unique detections and alerts, in addition to the ones provided by Microsoft Defender for Endpoint. The alerts provided for Linux machines are:
Alerts for Azure App Service
Alerts for containers - Kubernetes clusters

Microsoft Defender for Containers provides security alerts on the cluster level and on the underlying cluster nodes by monitoring both the control plane (API server) and the containerized workload itself. Control plane security alerts can be recognized by a prefix of

Further details and notes
1: Preview for non-AKS clusters: This alert is generally available for AKS clusters, but it is in preview for other environments, such as Azure Arc, EKS and GKE.

2: Limitations on GKE clusters: GKE uses a Kubernetes audit policy that doesn't support all alert types. As a result, this security alert, which is based on Kubernetes audit events, is not supported for GKE clusters.

3: This alert is supported on Windows nodes/containers.

Alerts for SQL Database and Azure Synapse Analytics
Alerts for open-source relational databases

Alerts for Resource Manager

Alerts for DNS

Alerts for Azure Storage

Alerts for Azure Cosmos DB

Alerts for Azure network layer

Alerts for Azure Key Vault

Alerts for Azure DDoS Protection

Security incident alerts
MITRE ATT&CK tactics

Understanding the intention of an attack can help you investigate and report the event more easily. To help with these efforts, Microsoft Defender for Cloud alerts include the MITRE tactics with many alerts. The series of steps that describe the progression of a cyberattack from reconnaissance to data exfiltration is often referred to as a "kill chain". Defender for Cloud's supported kill chain intents are based on version 9 of the MITRE ATT&CK matrix and are described in the table below.
Note: For alerts that are in preview: The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Next steps

To learn more about Microsoft Defender for Cloud security alerts, see the following: