Security alerts - a reference guide

This article lists the security alerts you might see in Azure Security Center's Threat Protection module. The alerts shown in your environment depend on the resources and services you're protecting, as well as your customized configuration.

To learn about how to respond to these alerts, see Manage and respond to security alerts in Azure Security Center.

To learn about how to export alerts (and recommendations) see Export security alerts and recommendations (Preview).

Below the alerts tables is a table describing the Azure Security Center kill chain that is used to categorize the intents of these alerts.

Alerts for Windows machines

Further details and notes

Alert Description Intent (Learn more)
A logon from a malicious IP has been detected A successful remote authentication for the account 'tristan.schleining' and process 'Advapi' occurred, however the logon IP address [IP address] has previously been reported as malicious or highly unusual. A successful attack has probably occurred. -
A logon from a malicious IP has been detected. [seen multiple times] A successful remote authentication for the account 'IUSR_10001' and process 'Advapi' occurred, however the logon IP address [IP address] has previously been reported as malicious or highly unusual. A successful attack has probably occurred. Files with the .scr extensions are screen saver files and are normally reside and execute from the Windows system directory. -
Addition of Guest account to Local Administrators group Analysis of host data has detected the addition of the built in Guest account to the Local Administrators group on %{Compromised Host}, which is strongly associated with attacker activity. -
An event log was cleared Machine logs indicate a suspicious event log clearing operation by user: '%{user name}' in Machine: '%{CompromisedEntity}'. The %{log channel} log was cleared. -
Detected actions indicative of disabling and deleting IIS log files Analysis of host data detected actions that show IIS log files being disabled and/or deleted. -
Detected anomalous mix of upper and lower case characters in command line Analysis of host data on %{Compromised Host} detected a command line with anomalous mix of upper and lower case characters. This kind of pattern, while possibly benign, is also typical of attackers trying to hide from case-sensitive or hash-based rule matching when performing administrative tasks on a compromised host. -
Detected change to a registry key that can be abused to bypass UAC Analysis of host data on %{Compromised Host} detected that a registry key that can be abused to bypass UAC (User Account Control) was changed. This kind of configuration, while possibly benign, is also typical of attacker activity when trying to move from unprivileged (standard user) to privileged (for example administrator) access on a compromised host. -
Detected decoding of an executable using built-in certutil.exe tool Analysis of host data on %{Compromised Host} detected that certutil.exe, a built-in administrator utility, was being used to decode an executable instead of its mainstream purpose that relates to manipulating certificates and certificate data. Attackers are known to abuse functionality of legitimate administrator tools to perform malicious actions, for example using a tool such as certutil.exe to decode a malicious executable that will then be subsequently executed. -
Detected enabling of the WDigest UseLogonCredential registry key Analysis of host data detected a change in the registry key HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\ "UseLogonCredential". Specifically this key has been updated to allow logon credentials to be stored in clear text in LSA memory. Once enabled an attacker can dump clear text passwords from LSA memory with credential harvesting tools such as Mimikatz. -
Detected encoded executable in command line data Analysis of host data on %{Compromised Host} detected a base-64 encoded executable. This has previously been associated with attackers attempting to construct executables on-the-fly through a sequence of commands, and attempting to evade intrusion detection systems by ensuring that no individual command would trigger an alert. This could be legitimate activity, or an indication of a compromised host. -
Detected obfuscated command line Attackers use increasingly complex obfuscation techniques to evade detections that run against the underlying data. Analysis of host data on %{Compromised Host} detected suspicious indicators of obfuscation on the commandline. -
Detected Petya ransomware indicators Analysis of host data on %{Compromised Host} detected indicators associated with Petya ransomware. See https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/ for more information. Review the commandline associated in this alert and escalate this alert to your security team. -
Detected possible execution of keygen executable Analysis of host data on %{Compromised Host} detected execution of a process whose name is indicative of a keygen tool; such tools are typically used to defeat software licensing mechanisms but their download is often bundled with other malicious software. Activity group GOLD has been known to make use of such keygens to covertly gain back door access to hosts that they compromise. -
Detected possible execution of malware dropper Analysis of host data on %{Compromised Host} detected a filename that has previously been associated with one of activity group GOLD's methods of installing malware on a victim host. -
Detected possible local reconnaissance activity Analysis of host data on %{Compromised Host} detected a combination of systeminfo commands that has previously been associated with one of activity group GOLD's methods of performing reconnaissance activity. While 'systeminfo.exe' is a legitimate Windows tool, executing it twice in succession in the way that has occurred here is rare. -
Detected potentially suspicious use of Telegram tool Analysis of host data shows installation of Telegram, a free cloud-based instant messaging service that exists both for mobile and desktop system. Attackers are known to abuse this service to transfer malicious binaries to any other computer, phone, or tablet. -
Detected suppression of legal notice displayed to users at logon Analysis of host data on %{Compromised Host} detected changes to the registry key that controls whether a legal notice is displayed to users when they log on. Microsoft security analysis has determined that this is a common activity undertaken by attackers after having compromised a host. -
Detected suspicious combination of HTA and PowerShell mshta.exe (Microsoft HTML Application Host) which is a signed Microsoft binary is being used by the attackers to launch malicious PowerShell commands. Attackers often resort to having a HTA file with inline VBScript. When a victim browses to the HTA file and chooses to run it, the PowerShell commands and scripts that it contains are executed. Analysis of host data on %{Compromised Host} detected mshta.exe launching PowerShell commands. -
Detected suspicious commandline arguments Analysis of host data on %{Compromised Host} detected suspicious commandline arguments that have been used in conjunction with a reverse shell used by activity group HYDROGEN. -
Detected suspicious commandline used to start all executables in a directory Analysis of host data has detected a suspicious process running on %{Compromised Host}. The commandline indicates an attempt to start all executables (*.exe) that may reside in a directory. This could be an indication of a compromised host. -
Detected suspicious credentials in commandline Analysis of host data on %{Compromised Host} detected a suspicious password being used to execute a file by activity group BORON. This activity group has been known to use this password to execute Pirpi malware on a victim host. -
Detected suspicious document credentials Analysis of host data on %{Compromised Host} detected a suspicious, common precomputed password hash used by malware being used to execute a file. Activity group HYDROGEN has been known to use this password to execute malware on a victim host. -
Detected suspicious execution of VBScript.Encode command Analysis of host data on %{Compromised Host} detected the execution of VBScript.Encode command. This encodes the scripts into unreadable text, making it more difficult for users to examine the code. Microsoft threat research shows that attackers often use encoded VBscript files as part of their attack to evade detection systems. This could be legitimate activity, or an indication of a compromised host. -
Detected suspicious execution via rundll32.exe Analysis of host data on %{Compromised Host} detected rundll32.exe being used to execute a process with an uncommon name, consistent with the process naming scheme previously seen used by activity group GOLD when installing their first stage implant on a compromised host. -
Detected suspicious file cleanup commands Analysis of host data on %{Compromised Host} detected a combination of systeminfo commands that has previously been associated with one of activity group GOLD's methods of performing post-compromise self-cleanup activity. While 'systeminfo.exe' is a legitimate Windows tool, executing it twice in succession, followed by a delete command in the way that has occurred here is rare. -
Detected suspicious file creation Analysis of host data on %{Compromised Host} detected creation or execution of a process which has previously indicated post-compromise action taken on a victim host by activity group BARIUM. This activity group has been known to use this technique to download additional malware to a compromised host after an attachment in a phishing doc has been opened. -
Detected suspicious named pipe communications Analysis of host data on %{Compromised Host} detected data being written to a local named pipe from a Windows console command. Named pipes are known to be a channel used by attackers to task and communicate with a malicious implant. This could be legitimate activity, or an indication of a compromised host. -
Detected suspicious network activity Analysis of network traffic from %{Compromised Host} detected suspicious network activity. Such traffic, while possibly benign, is typically used by an attacker to communicate with malicious servers for downloading of tools, command-and-control and exfiltration of data. Typical related attacker activity includes copying remote administration tools to a compromised host and exfiltrating user data from it. -
Detected suspicious new firewall rule Analysis of host data detected a new Firewall rule has been added via netsh.exe to allow traffic from an executable in a suspicious location. -
Detected suspicious use of Cacls to lower the security state of the system Attackers use myriad ways like brute force, spear phishing etc. to achieve initial compromise and get a foothold on the network . Once initial compromise is achieved they often take steps to lower the security settings of a system. Cacls—short for change access control list is Microsoft Windows native command line utility often used for modifying the security permission on folders and files. A lot of time the binary is used by the attackers to lower the security settings of a system. This is done by giving Everyone full access to some of the system binaries like ftp.exe, net.exe, wscript.exe etc. Analysis of host data on %{Compromised Host} detected suspicious use of Cacls to lower the security of a system. -
Detected suspicious use of FTP -s Switch Analysis of process creation data from the %{Compromised Host} detected the use of FTP's "-s:filename" switch. This switch is used to specify an FTP script file for the client to run. Malware or malicious processes are known to use this FTP switch (-s:filename) to point to a script file which is configured to connect to a remote FTP server and download additional malicious binaries. -
Detected suspicious use of Pcalua.exe to launch executable code Analysis of host data on %{Compromised Host} detected the use of pcalua.exe to launch executable code. Pcalua.exe is component of the Microsoft Windows "Program Compatibility Assistant" which detects compatibility issues during the installation or execution of a program. Attackers are known to abuse functionality of legitimate Windows system tools to perform malicious actions, for example using pcalua.exe with the -a switch to launch malicious executables either locally or from remote shares. -
Detected the disabling of critical services The analysis of host data on %{Compromised Host} detected execution of "net.exe stop" command being used to stop critical services like SharedAccess or Windows Security Center. The stopping of either of these service can be indication of a malicious behavior. -
Digital currency mining related behavior detected Analysis of host data on %{Compromised Host} detected the execution of a process or command normally associated with digital currency mining. -
Dynamic PS script construction Analysis of host data on %{Compromised Host} detected a PowerShell script being constructed dynamically. Attackers sometimes use this approach of progressively building up a script in order to evade IDS systems. This could be legitimate activity, or an indication that one of your machines has been compromised. -
Executable found running from a suspicious location Analysis of host data detected an executable file on %{Compromised Host} that is running from a location in common with known suspicious files. This executable could either be legitimate activity, or an indication of a compromised host. -
High risk software detected Analysis of host data from %{Compromised Host} detected the usage of software that has been associated with the installation of malware in the past. A common technique utilized in the distribution of malicious software is to package it within otherwise benign tools such as the one seen in this alert. Upon using these tools, the malware can be silently installed in the background. -
Local Administrators group members were enumerated Machine logs indicate a successful enumeration on group %{Enumerated Group Domain Name}%{Enumerated Group Name}. Specifically, %{Enumerating User Domain Name}%{Enumerating User Name} remotely enumerated the members of the %{Enumerated Group Domain Name}%{Enumerated Group Name} group. This activity could either be legitimate activity, or an indication that a machine in your organization has been compromised and used to reconnaissance %{vmname}. -
Malicious firewall rule created by ZINC server implant [seen multiple times] A firewall rule was created using techniques that match a known actor, ZINC. The rule was possibly used to open a port on %{Compromised Host} to allow for Command & Control communications. This behavior was seen [x] times today on the following machines: [Machine names] -
Malicious SQL activity Machine logs indicate that '%{process name}' was executed by account: %{user name}. This activity is considered malicious. -
Masquerading Windows Module Detected Crash dump analysis detected the presence of a 3rd party module impersonating a Windows module within a crash dump from the process identified in this alert. This occurrence may indicate a system compromise. -
Multiple Domain Accounts Queried Analysis of host data has determined that an unusual number of distinct domain accounts are being queried within a short time period from %{Compromised Host}. This kind of activity could be legitimate, but can also be an indication of compromise. -
Possible credential dumping detected [seen multiple times] Analysis of host data has detected use of native windows tool( e.g. sqldumper.exe) being used in a way that allows to extract credentials from memory. Often times attackers use these techniques to extract credentials that they then further use for lateral movement and privilege escalation. This behavior was seen [x] times today on the following machines: [Machine names] -
Potential attempt to bypass AppLocker detected Analysis of host data on %{Compromised Host} detected a potential attempt to bypass AppLocker restrictions. AppLocker can be configured to implement a policy that limits what executables are allowed to run on a Windows system. The command line pattern similar to that identified in this alert has been previously associated with attacker attempts to circumvent AppLocker policy by using trusted executables (allowed by AppLocker policy) to execute untrusted code. This could be legitimate activity, or an indication of a compromised host. -
PsExec execution detected Analysis of host data indicates that the process %{Process Name} was executed by PsExec utility. PsExec can be used for running processes remotely. This technique might be used for malicious purposes. -
Ransomware indicators detected Analysis of host data indicates suspicious activity traditionally associated with lock-screen and encryption ransomware. Lock screen ransomware displays a full-screen message preventing interactive use of the host and access to its files. Encryption ransomware prevents access by encrypting data files. In both cases a ransom message is typically displayed, requesting payment in order to restore file access. -
Ransomware indicators detected [seen multiple times] Analysis of host data indicates suspicious activity traditionally associated with lock-screen and encryption ransomware. Lock screen ransomware displays a full-screen message preventing interactive use of the host and access to its files. Encryption ransomware prevents access by encrypting data files. In both cases a ransom message is typically displayed, requesting payment in order to restore file access. This behavior was seen [x] times today on the following machines: [Machine names] -
Rare SVCHOST service group executed The system process SVCHOST was observed running a rare service group. Malware often use SVCHOST to masquerade its malicious activity. -
Sticky keys attack detected Analysis of host data indicates that an attacker may be subverting an accessibility binary (for example sticky keys, onscreen keyboard, narrator) in order to provide backdoor access to the host %{Compromised Host}. -
Successful brute force attack Multiple failed authentication attempts originating from the same source were detected across multiple hosts in Azure subscriptions . This resembles a password spray attack, in which an attacker performs numerous authentication attempts spread across multiple hosts. Some of the authentication attempts successfully signed in to a host in this subscription. -
Suspect integrity level indicative of RDP hijacking Analysis of host data has detected the tscon.exe running with SYSTEM privileges - this can be indicative of an attacker abusing this binary in order to switch context to any other logged on user on this host; it is a known attacker technique to compromise additional user accounts and move laterally across a network. -
Suspect service installation Analysis of host data has detected the installation of tscon.exe as a service: this binary being started as a service potentially allows an attacker to trivially switch to any other logged on user on this host by hijacking RDP connections; it is a known attacker technique to compromise additional user accounts and move laterally across a network. -
Suspected Kerberos Golden Ticket attack parameters observed Analysis of host data detected commandline parameters consistent with a Kerberos Golden Ticket attack. -
Suspicious Account Creation Detected Analysis of host data on %{Compromised Host} detected creation or use of a local account %{Suspicious account name} : this account name closely resembles a standard Windows account or group name '%{Similar To Account Name}'. This is potentially a rogue account created by an attacker, so named in order to avoid being noticed by a human administrator. -
Suspicious Activity Detected Analysis of host data has detected a sequence of one or more processes running on %{machine name} that have historically been associated with malicious activity. While individual commands may appear benign the alert is scored based on an aggregation of these commands. This could either be legitimate activity, or an indication of a compromised host. -
Suspicious authentication activity Although none of them succeeded, some of them used accounts were recognized by the host. This resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host. This indicates that some of your host account names might exist in a well-known account name dictionary. -
Suspicious command execution Machine logs indicate a suspicious command line execution by user %{user name}. -
Suspicious double extension file executed Analysis of host data indicates an execution of a process with a suspicious double extension. This extension may trick users into thinking files are safe to be opened and might indicate the presence of malware on the system. -
Suspicious download using Certutil detected Analysis of host data on %{Compromised Host} detected the use of certutil.exe, a built-in administrator utility, for the download of a binary instead of its mainstream purpose that relates to manipulating certificates and certificate data. Attackers are known to abuse functionality of legitimate administrator tools to perform malicious actions, for example using certutil.exe to download and decode a malicious executable that will then be subsequently executed. -
Suspicious download using Certutil detected [seen multiple times] Analysis of host data on %{Compromised Host} detected the use of certutil.exe, a built-in administrator utility, for the download of a binary instead of its mainstream purpose that relates to manipulating certificates and certificate data. Attackers are known to abuse functionality of legitimate administrator tools to perform malicious actions, for example using certutil.exe to download and decode a malicious executable that will then be subsequently executed. This behavior was seen [x] times today on the following machines: [Machine names] -
Suspicious PowerShell Activity Detected Analysis of host data detected a PowerShell script running on %{Compromised Host} that has features in common with known suspicious scripts. This script could either be legitimate activity, or an indication of a compromised host. -
Suspicious PowerShell cmdlets executed Analysis of host data indicates execution of known malicious PowerShell PowerSploit cmdlets. -
Suspicious process executed Machine logs indicate that the suspicious process: '%{Suspicious Process}' was running on the machine, often associated with attacker attempts to access credentials.' -
Suspicious process executed [seen multiple times] Machine logs indicate that the suspicious process: '%{Suspicious Process}' was running on the machine, often associated with attacker attempts to access credentials. This behavior was seen [x] times today on the following machines: [Machine names] -
Suspicious process name detected Analysis of host data on %{Compromised Host} detected a process whose name is suspicious, for example corresponding to a known attacker tool or named in a way that is suggestive of attacker tools that try to hide in plain sight. This process could be legitimate activity, or an indication that one of your machines has been compromised. -
Suspicious process name detected [seen multiple times] Analysis of host data on %{Compromised Host} detected a process whose name is suspicious, for example corresponding to a known attacker tool or named in a way that is suggestive of attacker tools that try to hide in plain sight. This process could be legitimate activity, or an indication that one of your machines has been compromised. This behavior was seen [x] times today on the following machines: [Machine names] -
Suspicious process termination burst Analysis of host data indicates a suspicious process termination burst in %{Machine Name}. Specifically, %{NumberOfCommands} processes were killed between %{Begin} and %{Ending}. -
Suspicious Screensaver process executed The process ‘%{process name}’ was observed executing from an uncommon location. Files with the .scr extensions are screen saver files and are normally reside and execute from the Windows system directory. -
Suspicious SQL activity Machine logs indicate that '%{process name}' was executed by account: %{user name}. This activity is uncommon with this account. -
Suspicious SVCHOST process executed The system process SVCHOST was observed running in an abnormal context. Malware often use SVCHOST to masquerade its malicious activity. -
Suspicious system file execution Analysis of host data detected an executable file on %{Compromised Host} that is running from an unusual location. This executable could either be legitimate activity, or an indication of a compromised host. -
Suspicious system process executed The system process %{process name} was observed running in an abnormal context. Malware often use this process name to masquerade its malicious activity. -
Suspicious Volume Shadow Copy Activity Analysis of host data has detected a shadow copy deletion activity on the resource. Volume Shadow Copy (VSC) is an important artifact that stores data snapshots. Some malware and specifically Ransomware, targets VSC to sabotage backup strategies. -
Suspicious WindowPosition registry value detected Analysis of host data on %{Compromised Host} detected an attempted WindowPosition registry configuration change that could be indicative of hiding application windows in non-visible sections of the desktop. This could be legitimate activity, or an indication of a compromised machine: this type of activity has been previously associated with known adware (or unwanted software) such as Win32/OneSystemCare and Win32/SystemHealer and malware such as Win32/Creprote. When the WindowPosition value is set to 201329664, (Hex: 0x0c00 0c00, corresponding to X-axis=0c00 and the Y-axis=0c00) this places the console app's window in a non-visible section of the user's screen in an area that is hidden from view below the visible start menu/taskbar. Known suspect Hex value includes, but not limited to c000c000 -
Suspiciously named process detected Analysis of host data on %{Compromised Host} detected a process whose name is very similar to but different from a very commonly run process (%{Similar To Process Name}). While this process could be benign attackers are known to sometimes hide in plain sight by naming their malicious tools to resemble legitimate process names. -
Unusual process execution detected Analysis of host data on %{Compromised Host} detected the execution of a process by %{User Name} that was unusual. Accounts such as %{User Name} tend to perform a limited set of operations, this execution was determined to be out of character and may be suspicious. -
VBScript HTTP object allocation detected Creation of a VBScript file using Command Prompt has been detected. The following script contains HTTP object allocation command. This action can be used to download malicious files. -
Windows registry persistence method detected Analysis of host data has detected an attempt to persist an executable in the Windows registry. Malware often uses such a technique to survive a boot. -
Code injection discovered Code injection is the insertion of executable modules into running processes or threads. This technique is used by malware to access data, while successfully hiding itself to prevent being found and removed.
This alert indicates that an injected module is present in the crash dump. To differentiate between malicious and non-malicious injected modules, Security Center checks whether the injected module conforms to a profile of suspicious behavior.
-
Suspicious code segment detected Indicates that a code segment has been allocated by using non-standard methods, such as reflective injection and process hollowing. The alert provides additional characteristics of the code segment that have been processed to provide context for the capabilities and behaviors of the reported code segment. -
Shellcode discovered Shellcode is the payload that is run after malware exploits a software vulnerability.
This alert indicates that crash dump analysis has detected executable code that exhibits behavior commonly performed by malicious payloads. Although non-malicious software can also perform this behavior, it isn't typical of normal software development practices.
-
Fileless attack technique detected The memory of the process specified contains a fileless attack toolkit: [toolkit name]. Fileless attack toolkits typically don't have a presence on the file system, making detection by traditional antivirus software difficult. DefenseEvasion / Execution

Alerts for Linux machines

Further details and notes

Alert Description Intent (Learn more)
Process seen accessing the SSH authorized keys file in an unusual way An SSH authorized keys file has been accessed in a method similar to known malware campaigns. This access can indicate that an attacker is attempting to gain persistent access to a machine. -
Detected Persistence Attempt Host data analysis has detected that a startup script for single-user mode has been installed.
Because it's rare that any legitimate process would be required to run in that mode, this might indicate that an attacker has added a malicious process to every run-level to guarantee persistence.
Persistence
Suspicious file timestamp modification Host data analysis detected a suspicious timestamp modification. Attackers often copy timestamps from existing, legitimate files to new tools to avoid detection of these newly dropped files. Persistence / DefenseEvasion
A new user was added to the sudoers group Host data analysis detected that a user was added to the sudoers group, which enables its members to run commands with high privileges. PrivilegeEscalation
Process associated with digital currency mining detected Host data analysis detected the execution of a process that is normally associated with digital currency mining. Exploitation / Execution
Potential port forwarding to external IP address Host data analysis detected the initiation of port forwarding to an external IP address. Exfiltration / CommandAndControl
A kernel module was loaded A kernel module was loaded in the host %{compromised host} using the command %{Command used} by the user %{user}. -
A kernel module was removed A kernel module was removed in the host %{compromised host} using the command %{Command used} by the user %{user}. -
Access of htaccess file detected Analysis of host data on %{Compromised Host} detected possible manipulation of a htaccess file. Htaccess is a powerful configuration file that allows you to make multiple changes to a web server running the Apache Web software including basic redirect functionality, or for more advanced functions such as basic password protection. Attackers will often modify htaccess files on machines they have compromised to gain persistence. -
An history file has been cleared Analysis of host data indicates that the command history log file has been cleared. Attackers may do this to cover their traces. The operation was performed by user: '%{user name}'. -
Attempt to stop apt-daily-upgrade.timer service detected Analysis of host data on %{Compromised Host} detected an attempt to stop apt-daily-upgrade.timer service.In some recent attacks ,its been observed attackers stopping this service ,to download malicious files and granting execution privileges for their attack -
Attempt to stop apt-daily-upgrade.timer service detected [seen multiple times] Analysis of host data on %{Compromised Host} detected an attempt to stop apt-daily-upgrade.timer service.In some recent attacks ,its been observed attackers stopping this service ,to download malicious files and granting execution privileges for their attack. This behavior was seen [x] times today on the following machines: [Machine names] -
Behavior similar to common Linux bots detected Analysis of host data on %{Compromised Host} detected the execution of a process normally associated with common Linux botnets. -
Behavior similar to common Linux bots detected [seen multiple times] Analysis of host data on %{Compromised Host} detected the execution of a process normally associated with common Linux botnets. This behavior was seen [x] times today on the following machines: [Machine names] -
Behavior similar to Fairware ransomware detected Analysis of host data on %{Compromised Host} detected the execution of rm -rf commands applied to suspicious locations. As rm -rf will recursively delete files, it is normally used on discrete folders. In this case, it is being used in a location that could remove a lot of data. Fairware ransomware is known to execute rm -rf commands in this folder. -
Behavior similar to Fairware ransomware detected [seen multiple times] Analysis of host data on %{Compromised Host} detected the execution of rm -rf commands applied to suspicious locations. As rm -rf will recursively delete files, it is normally used on discrete folders. In this case, it is being used in a location that could remove a lot of data. Fairware ransomware is known to execute rm -rf commands in this folder. This behavior was seen [x] times today on the following machines: [Machine names] -
Behavior similar to ransomware detected [seen multiple times] Analysis of host data on %{Compromised Host} detected the execution of files that have resemblance of known ransomware that can prevents users from accessing their system or personal files and demands ransom payment in order to regain access. This behavior was seen [x] times today on the following machines: [Machine names] -
Container with a miner image detected Machine logs indicate execution of a Docker container that run an image associated with a digital currency mining. This behavior can possibly indicate that your resources are abused by an attacker. -
Detected anomalous mix of upper and lower case characters in command line Analysis of host data on %{Compromised Host} detected a command line with anomalous mix of upper and lower case characters. This kind of pattern, while possibly benign, is also typical of attackers trying to hide from case-sensitive or hash-based rule matching when performing administrative tasks on a compromised host. -
Detected file download from a known malicious source Analysis of host data has detected the download of a file from a known malware source on %{Compromised Host}. -
Detected file download from a known malicious source [seen multiple times] Analysis of host data has detected the download of a file from a known malware source on %{Compromised Host}. This behavior was seen over [x] times today on the following machines: [Machine names] -
Detected Persistence Attempt [seen multiple times] Analysis of host data on %{Compromised Host} has detected installation of a startup script for single-user mode. It is extremely rare than any legitimate process has any requirement to execute in that mode so may indicate an attacker has added a malicious process to every run-level to guarantee persistence. This behavior was seen [x] times today on the following machines: [Machine names] -
Detected suspicious file download Analysis of host data has detected suspicious download of remote file on %{Compromised Host}. -
Detected suspicious file download [seen multiple times] Analysis of host data has detected suspicious download of remote file on %{Compromised Host}. This behavior was seen 10 times today on the following machines: [Machine name] -
Detected suspicious network activity Analysis of network traffic from %{Compromised Host} detected suspicious network activity. Such traffic, while possibly benign, is typically used by an attacker to communicate with malicious servers for downloading of tools, command-and-control and exfiltration of data. Typical related attacker activity includes copying remote administration tools to a compromised host and exfiltrating user data from it. -
Detected suspicious use of the nohup command Analysis of host data has detected suspicious use of the nohup command on %{Compromised Host}. Attackers have been seen running the command nohup from a temporary directory to allow their executables to run in the background. It is not normal to see this command run on files located in a temporary directory. -
Detected suspicious use of the nohup command [seen multiple times] Analysis of host data has detected suspicious use of the nohup command on %{Compromised Host}. Attackers have been seen running the command nohup from a temporary directory to allow their executables to run in the background. It is not normal to see this command run on files located in a temporary directory. This behavior was seen [x] times today on the following machines: [Machine names] -
Detected suspicious use of the useradd command Analysis of host data has detected suspicious use of the useradd command on %{Compromised Host}. -
Detected suspicious use of the useradd command [seen multiple times] Analysis of host data has detected suspicious use of the useradd command on %{Compromised Host}. This behavior was seen [x] times today on the following machines: [Machine names] -
Digital currency mining related behavior detected Analysis of host data on %{Compromised Host} detected the execution of a process or command normally associated with digital currency mining. -
Disabling of auditd logging [seen multiple times] The Linux Audit system provides a way to track security-relevant information on the system. It records as much information about the events that are happening on your system as possible. Disabling auditd logging could hamper discovering violations of security policies used on the system. This behavior was seen [x] times today on the following machines: [Machine names] -
Executable found running from a suspicious location Analysis of host data detected an executable file on %{Compromised Host} that is running from a location in common with known suspicious files. This executable could either be legitimate activity, or an indication of a compromised host. -
Exploitation of Xorg vulnerability [seen multiple times] Analysis of host data on %{Compromised Host} detected the user of Xorg with suspicious arguments. Attackers may use this technique in privilege escalation attempts. This behavior was seen [x] times today on the following machines: [Machine names] -
Exposed Docker daemon detected Machine logs indicate that your Docker daemon (dockerd) exposes a TCP socket. By default, Docker configuration, does not use encryption or authentication when a TCP socket is enabled. This enables full access to the Docker daemon, by anyone with access to the relevant port. -
Failed SSH brute force attack Failed brute force attacks were detected from the following attackers: %{Attackers}. Attackers were trying to access the host with the following user names: %{Accounts used on failed sign in to host attempts}. -
Hidden file execution detected Analysis of host data indicates that a hidden file was execute by %{user name}. This activity could either be legitimate activity, or an indication of a compromised host. -
Indicators associated with DDOS toolkit detected Analysis of host data on %{Compromised Host} detected file names that are part of a toolkit associated with malware capable of launching DDoS attacks, opening ports and services and taking full control over the infected system. This could also possibly be legitimate activity. -
Indicators associated with DDOS toolkit detected [seen multiple times] Analysis of host data on %{Compromised Host} detected file names that are part of a toolkit associated with malware capable of launching DDoS attacks, opening ports and services and taking full control over the infected system. This could also possibly be legitimate activity. This behavior was seen [x] times today on the following machines: [Machine names] -
Local host reconnaissance detected Analysis of host data on %{Compromised Host} detected the execution of a command normally associated with common Linux bot reconnaissance. -
Local host reconnaissance detected [seen multiple times] Analysis of host data on %{Compromised Host} detected the execution of a command normally associated with common Linux bot reconnaissance. This behavior was seen [x] times today on the following machines: [Machine names] -
Manipulation of host firewall detected Analysis of host data on %{Compromised Host} detected possible manipulation of the on-host firewall. Attackers will often disable this to exfiltrate data. -
Manipulation of host firewall detected [seen multiple times] Analysis of host data on %{Compromised Host} detected possible manipulation of the on-host firewall. Attackers will often disable this to exfiltrate data. This behavior was seen [x] times today on the following machines: [Machine names] -
New SSH key added A new SSH key was added to the authorized keys file -
New SSH key added [seen multiple times] A new SSH key was added to the authorized keys file. This behavior was seen [x] times today on the following machines: [Machine names] -
Possible attack tool detected Machine logs indicate that the suspicious process: '%{Suspicious Process}' was running on %{Compromised Host}. This tool is often associated with malicious users attacking other machines in some way. -
Possible attack tool detected [seen multiple times] Machine logs indicate that the suspicious process: '%{Suspicious Process}' was running on %{Compromised Host}. This tool is often associated with malicious users attacking other machines in some way. This behavior was seen [x] times today on the following machines: [Machine names] -
Possible backdoor detected [seen multiple times] Analysis of host data has detected a suspicious file being downloaded then run on %{Compromised Host} in your subscription. This activity has previously been associated with installation of a backdoor. This behavior was seen [x] times today on the following machines: [Machine names] -
Possible credential access tool detected Machine logs indicate a possible known credential access tool was running on %{Compromised Host} launched by process: '%{Suspicious Process}'. This tool is often associated with attacker attempts to access credentials. -
Possible credential access tool detected [seen multiple times] Machine logs indicate a possible known credential access tool was running on %{Compromised Host} launched by process: '%{Suspicious Process}'. This tool is often associated with attacker attempts to access credentials. This behavior was seen [x] times today on the following machines: [Machine names] -
Possible exploitation of Hadoop Yarn Analysis of host data on %{Compromised Host} detected the possible exploitation of the Hadoop Yarn service. -
Possible Log Tampering Activity Detected Analysis of host data on %{Compromised Host} detected possible removal of files that tracks user's activity during the course of its operation. Attackers often try to evade detection and leave no trace of malicious activities by deleting such log files. -
Possible Log Tampering Activity Detected [seen multiple times] Analysis of host data on %{Compromised Host} detected possible removal of files that tracks user's activity during the course of its operation. Attackers often try to evade detection and leave no trace of malicious activities by deleting such log files. This behavior was seen [x] times today on the following machines: [Machine names] -
Possible loss of data detected Analysis of host data on %{Compromised Host} detected a possible data egress condition. Attackers will often egress data from machines they have compromised. -
Possible loss of data detected [seen multiple times] Analysis of host data on %{Compromised Host} detected a possible data egress condition. Attackers will often egress data from machines they have compromised. This behavior was seen [x]] times today on the following machines: [Machine names] -
Possible malicious web shell detected Analysis of host data on %{Compromised Host} detected a possible web shell. Attackers will often upload a web shell to a machine they have compromised to gain persistence or for further exploitation. -
Possible malicious web shell detected [seen multiple times] Analysis of host data on %{Compromised Host} detected a possible web shell. Attackers will often upload a web shell to a machine they have compromised to gain persistence or for further exploitation. This behavior was seen [x] times today on the following machines: [Machine names] -
Possible password change using crypt-method detected [seen multiple times] Analysis of host data on %{Compromised Host} detected password change using crypt method. Attackers can make this change to continue access and gaining persistence after compromise. This behavior was seen [x] times today on the following machines: [Machine names] -
Potential overriding of common files Analysis of host data has detected common executables being overwritten on %{Compromised Host}. Attackers will overwrite common files as a way to obfuscate their actions or for persistence. -
Potential overriding of common files [seen multiple times] Analysis of host data has detected common executables being overwritten on %{Compromised Host}. Attackers will overwrite common files as a way to obfuscate their actions or for persistence. This behavior was seen [x] times today on the following machines: [Machine names] -
Potential port forwarding to external IP address [seen multiple times] Analysis of host data on %{Compromised Host} detected the initiation of port forwarding to an external IP address. This behavior was seen [x] times today on the following machines: [Machine names] -
Potential reverse shell detected Analysis of host data on %{Compromised Host} detected a potential reverse shell. These are used to get a compromised machine to call back into a machine an attacker owns. -
Potential reverse shell detected [seen multiple times] Analysis of host data on %{Compromised Host} detected a potential reverse shell. These are used to get a compromised machine to call back into a machine an attacker owns. This behavior was seen [x] times today on the following machines: [Machine names] -
Privileged command run in container Machine logs indicate that a privileged command was run in a Docker container. A privileged command has extended privileges on the host machine. -
Privileged Container Detected Machine logs indicate that a privileged Docker container is running. A privileged container has a full access to the host's resources. If compromised, an attacker can use the privileged container to gain access to the host machine. -
Process associated with digital currency mining detected [seen multiple times] Analysis of host data on %{Compromised Host} detected the execution of a process normally associated with digital currency mining. This behavior was seen over 100 times today on the following machines: [Machine name] -
Python encoded downloader detected [seen multiple times] Analysis of host data on %{Compromised Host} detected the execution of encoded Python that downloads and runs code from a remote location. This may be an indication of malicious activity. This behavior was seen [x] times today on the following machines: [Machine names] -
Screenshot taken on host [seen multiple times] Analysis of host data on %{Compromised Host} detected the user of a screen capture tool. Attackers may use these tools to access private data. This behavior was seen [x] times today on the following machines: [Machine names] -
Script extension mismatch detected Analysis of host data on %{Compromised Host} detected a mismatch between the script interpreter and the extension of the script file provided as input. This has frequently been associated with attacker script executions. -
Script extension mismatch detected [seen multiple times] Analysis of host data on %{Compromised Host} detected a mismatch between the script interpreter and the extension of the script file provided as input. This has frequently been associated with attacker script executions. This behavior was seen [x] times today on the following machines: [Machine names] -
Shellcode detected [seen multiple times] Analysis of host data on %{Compromised Host} detected shellcode being generated from the command line. This process could be legitimate activity, or an indication that one of your machines has been compromised. This behavior was seen [x] times today on the following machines: [Machine names] -
SSH server is running inside a container Machine logs indicate that an SSH server is running inside a Docker container. While this behavior can be intentional, it frequently indicates that a container is misconfigured or breached. -
Successful SSH brute force attack Analysis of host data has detected a successful brute force attack. The IP %{Attacker source IP} was seen making multiple login attempts. Successful logins were made from that IP with the following user(s): %{Accounts used to successfully sign in to host}. This means that the host may be compromised and controlled by a malicious actor. -
Suspicious Account Creation Detected Analysis of host data on %{Compromised Host} detected creation or use of a local account %{Suspicious account name} : this account name closely resembles a standard Windows account or group name '%{Similar To Account Name}'. This is potentially a rogue account created by an attacker, so named in order to avoid being noticed by a human administrator. -
Suspicious compilation detected Analysis of host data on %{Compromised Host} detected suspicious compilation. Attackers will often compile exploits on a machine they have compromised to escalate privileges. -
Suspicious compilation detected [seen multiple times] Analysis of host data on %{Compromised Host} detected suspicious compilation. Attackers will often compile exploits on a machine they have compromised to escalate privileges. This behavior was seen [x] times today on the following machines: [Machine names] -
Suspicious kernel module detected [seen multiple times] Analysis of host data on %{Compromised Host} detected a shared object file being loaded as a kernel module. This could be legitimate activity, or an indication that one of your machines has been compromised. This behavior was seen [x] times today on the following machines: [Machine names] -
Suspicious password access Analysis of host data has detected suspicious access to encrypted user passwords on %{Compromised Host}. -
Suspicious password access [seen multiple times] Analysis of host data has detected suspicious access to encrypted user passwords on %{Compromised Host}. This behavior was seen [x] times today on the following machines: [Machine names] -
Suspicious PHP execution detected Machine logs indicate a that a suspicious PHP process is running. The action included an attempt to run OS commands or PHP code from the command line using the PHP process. While this behavior can be legitimate, in web applications this behavior is also observed in malicious activities such as attempts to infect websites with web shells. -
Suspicious request to Kubernetes API Machine logs indicate that a suspicious request was made to the Kubernetes API. The request was sent from a Kubernetes node, possibly from one of the containers running in the node. Although this behavior can be intentional, it might indicate that the node is running a compromised container. -

Alerts for Azure App Service

Further details and notes

Alert Description Intent (Learn more)
An attempt to run Linux commands on a Windows App Service Analysis of App Service processes detected an attempt to run a Linux command on a Windows App Service. This action was running by the web application. This behavior is often seen during campaigns that exploit a vulnerability in a common web application. -
An IP that connected to your Azure App Service FTP Interface was found in Threat Intelligence App Service FTP logs analysis has detected a connection from a source address that was found in the threat intelligence feed. During this connection, a user accessed the pages listed. -
Anomalous requests pattern detected The Azure App Service activity log indicates an anomalous HTTP activity to the App Service from %{Source IP}. This activity resembles a pattern of Fuzzing \ Brute force activity. -
Attempt to run high privilege command detected Analysis of App Service processes has detected an attempt to run a command that requires high privileges. The command ran in the web application context. While this behavior can be legitimate, in web applications this behavior might indicate malicious activities. -
Connection to web page from anomalous IP address detected The Azure App Service activity log indicates a connection to a sensitive web page from a source IP address (%{Source IP Address}) that has never connected to it before. This might indicate that someone is attempting a brute force attack into your web app administration pages. It might also be the result of a new IP address being used by a legitimate user. -
Raw data download detected Analysis of App Service processes detected an attempt to download code from raw-data websites such as Pastebin. This action was run by a PHP process. This behavior is associated with attempts to download web shells or other malicious components to the App Service. -
Phishing content hosted on Azure Webapps URL used for phishing attack found on the Azure AppServices website. This URL was part of a phishing attack sent to O365 customers. The content typically lures visitors into entering their corporate credentials or financial information into a legitimate looking website. Collection
PHP file in upload folder The Azure App Service activity log indicates an access to a suspicious PHP page located in the upload folder. This type of folder does not usually contain PHP files. The existence of this type of file might indicate an exploitation taking advantage of arbitrary file upload vulnerabilities. -
Saving curl output to disk detected Analysis of App Service processes detected the running of a curl command in which the output was saved to the disk. While this behavior can be legitimate, in web applications this behavior is also observed in malicious activities such as attempts to infect websites with web shells. -
Spam folder referrer detected Azure App Service activity log indicates web activity that was identified as originating from a web site associated with SPAM activity. This could occur if your web site is compromised and used for spam activity. -
Suspicious access to possibly vulnerable web page detected The App Service activity log indicates that a web page that seems to be sensitive was accessed.
This suspicious activity originated from a source address whose access pattern resembles that of a web scanner. This kind of activity is often associated with an attempt by an attacker to scan your network to try to gain access to sensitive or vulnerable web pages.
-
Suspicious PHP execution detected Machine logs indicate that a suspicious PHP process is running. The action included an attempt to run operating system commands or PHP code from the command line, by using the PHP process. While this behavior can be legitimate, in web applications this behavior might indicate malicious activities, such as attempts to infect websites with web shells. Execution
Suspicious User Agent detected Azure App Service activity log indicates requests with suspicious user agent. This behavior can indicate on attempts to exploit a vulnerability in your App Service application. -
Suspicious WordPress theme invocation detected The App Service activity log indicates a possible code injection activity on your App Service resource.
This suspicious activity resembles activity that manipulates a WordPress theme to support server-side execution of code, followed by a direct web request to invoke the manipulated theme file. This type of activity can be part of an attack campaign over WordPress.
-
Vulnerability scanner detected
(Joomla/WordPress/CMS)
The Azure App Service activity log indicates that a possible vulnerability scanner was used on your App Service resource. The suspicious activity detected resembles that of tools targeting Joomla applications / WordPress applications / a content management system (CMS). -
Web fingerprinting detected
(NMAP / Blind Elephant)
The App Service activity log indicates a possible web fingerprinting activity on your App Service resource.
This suspicious activity is associated with a tool called Blind Elephant. The tool fingerprints web servers and tries to detect the installed applications and their versions. Attackers often use this tool for probing the web applications to find vulnerabilities.
-

Alerts for containers - Azure Kubernetes Service clusters

Further details and notes

Alert Description Intent (Learn more)
PREVIEW - Role binding to the cluster-admin role detected Kubernetes audit log analysis detected a new binding to the cluster-admin role resulting in administrator privileges. Unnecessarily providing administrator privileges might result in privilege escalation issues in the cluster. Persistence
PREVIEW - Exposed Kubernetes dashboard detected Kubernetes audit log analysis detected exposure of the Kubernetes Dashboard by a LoadBalancer service. Exposed dashboards allow unauthenticated access to the cluster management and pose a security threat. Persistence
PREVIEW - New high privileges role detected Kubernetes audit log analysis detected a new role with high privileges. A binding to a role with high privileges gives the user/group elevated privileges in the cluster. Unnecessarily providing elevated privileges might result in privilege escalation issues in the cluster. Persistence
PREVIEW - New container in the kube-system namespace detected Kubernetes audit log analysis detected a new container in the kube-system namespace that isn’t among the containers that normally run in this namespace. The kube-system namespaces shouldn't contain user resources. Attackers can use this namespace to hide malicious components. Persistence
PREVIEW - Digital currency mining container detected Kubernetes audit log analysis detected a container that has an image associated with a digital currency mining tool. Execution
PREVIEW - Privileged container detected Kubernetes audit log analysis detected a new privileged container. A privileged container has access to the node’s resources and breaks the isolation between containers. If compromised, an attacker can use the privileged container to gain access to the node. PrivilegeEscalation
PREVIEW - Container with a sensitive volume mount detected Kubernetes audit log analysis detected a new container with a sensitive volume mount. The volume that was detected is a hostPath type that mounts a sensitive file or folder from the node to the container. If the container gets compromised, the attacker can use this mount to gain access to the node. PrivilegeEscalation

Alerts for containers - host level

Further details and notes

Alert Description Intent (Learn more)
Privileged Container Detected Machine logs indicate that a privileged Docker container is running. A privileged container has full access to the host's resources. If compromised, an attacker can use the privileged container to gain access to the host machine. PrivilegeEscalation / Execution
Privileged command run in container Machine logs indicate that a privileged command was run in a Docker container. A privileged command has extended privileges on the host machine. PrivilegeEscalation
Exposed Docker daemon detected Machine logs indicate that your Docker daemon (dockerd) exposes a TCP socket. By default, Docker configuration doesn't use encryption or authentication when a TCP socket is enabled. Anyone with access to the relevant port can then get full access to the Docker daemon. Exploitation / Execution
SSH server is running inside a container Machine logs indicate that an SSH server is running inside a Docker container. While this behavior can be intentional, it frequently indicates that a container is misconfigured or breached. Execution
Container with a miner image detected Machine logs indicate execution of a Docker container running an image associated with digital currency mining. This behavior can possibly indicate that your resources are being abused. Execution
Suspicious request to Kubernetes API Machine logs indicate that a suspicious request was made to the Kubernetes API. The request was sent from a Kubernetes node, possibly from one of the containers running in the node. Although this behavior can be intentional, it might indicate that the node is running a compromised container. Execution
Suspicious request to the Kubernetes Dashboard Machine logs indicate that a suspicious request was made to the Kubernetes Dashboard. The request was sent from a Kubernetes node, possibly from one of the containers running in the node. Although this behavior can be intentional, it might indicate that the node is running a compromised container. -

Alerts for SQL Database and SQL Data Warehouse

Further details and notes

Alert Description Intent (Learn more)
A possible vulnerability to SQL Injection An application has generated a faulty SQL statement in the database. This can indicate a possible vulnerability to SQL injection attacks. There are two possible reasons for a faulty statement. A defect in application code might have constructed the faulty SQL statement. Or, application code or stored procedures didn't sanitize user input when constructing the faulty SQL statement, which can be exploited for SQL injection. -
Attempted logon by a potentially harmful application A potentially harmful application has been used to access the database. In some cases, the alert detects penetration testing in action. In other cases, the alert detects an attack that uses common tools. Probing
Logon from an unusual location There has been a change in the access pattern to SQL Server, where someone has signed in to the server from an unusual geographical location. In some cases, the alert detects a legitimate action (a new application or developer maintenance). In other cases, the alert detects a malicious action (a former employee or external attacker). Exploitation
Logon by an unfamiliar principal There has been a change in the access pattern to SQL Server. Someone has signed in to the server by using an unusual principal (user). In some cases, the alert detects a legitimate action (a new application or developer maintenance). In other cases, the alert detects a malicious action (a former employee or external attacker). Exploitation
Potential SQL Brute Force attempt An abnormally high number of failed sign-ins with different credentials have occurred. In some cases, the alert detects penetration testing in action. In other cases, the alert detects a brute force attack. Probing
Potential SQL injection An active exploit has occurred against an identified application vulnerable to SQL injection. This means an attacker is trying to inject malicious SQL statements by using the vulnerable application code or stored procedures. -
Logon from an unusual Azure Data Center There has been a change in the access pattern to an SQL Server, where someone has signed in to the server from an unusual Azure Data Center. In some cases, the alert detects a legitimate action (a new application or Azure service). In other cases, the alert detects a malicious action (attacker operating from breached resource in Azure). Probing
Potentially Unsafe Action High privileged SQL command which is commonly used in malicious sessions has been executed in an SQL Server. Those commands are recommended to be disabled by default. In some cases, the alert detects a legitimate action (admin script running). In other cases, the alert detects a malicious action (attacker using SQL trusts to breach Windows layer). Execution
Unusual export location There has been a change in the export storage destination for a SQL import and export operation. In some cases, the alert detects a legitimate change (new backup destination). In other cases, the alert detects a malicious action (attacker easily exfiltrated data to a file). Exfiltration

Alerts for Azure Storage

Further details and notes

Alert Description Intent (Learn more)
PREVIEW - Potential malware uploaded to a storage account Indicates that a blob containing potential malware has been uploaded to a storage account. Potential causes may include an intentional malware upload by an attacker or an unintentional upload, of a potentially malicious blob, by a legitimate user. LateralMovement
Access from a Tor exit node to a storage account Indicates that this account has been accessed successfully from an IP address that is known as an active exit node of Tor (an anonymizing proxy). The severity of this alert considers the authentication type used (if any), and whether this is the first case of such access. Potential causes can be an attacker who has accessed your storage account by using Tor, or a legitimate user who has accessed your storage account by using Tor. Probing / Exploitation
Access from an unusual location to a storage account Indicates that there was a change in the access pattern to an Azure Storage account. Someone has accessed this account from an IP address considered unfamiliar when compared with recent activity. Either an attacker has gained access to the account, or a legitimate user has connected from a new or unusual geographic location. An example of the latter is remote maintenance from a new application or developer. Exploitation
Anonymous access to a storage account Indicates that there's a change in the access pattern to a storage account. For instance, the account has been accessed anonymously (without any authentication), which is unexpected compared to the recent access pattern on this account. A potential cause is that an attacker has exploited public read access to a container that holds blob storage. Exploitation
Unusual access inspection in a storage account Indicates that the access permissions of a storage account have been inspected in an unusual way, compared to recent activity on this account. A potential cause is that an attacker has performed reconnaissance for a future attack. Collection
Unusual amount of data extracted from a storage account Indicates that an unusually large amount of data has been extracted compared to recent activity on this storage container. A potential cause is that an attacker has extracted a large amount of data from a container that holds blob storage. Exfiltration
Unusual application accessed a storage account Indicates that an unusual application has accessed this storage account. A potential cause is that an attacker has accessed your storage account by using a new application. Exploitation
Unusual change of access permissions in a storage account Indicates that the access permissions of this storage container have been changed in an unusual way. A potential cause is that an attacker has changed container permissions to weaken its security posture or to gain persistence. Persistence
Unusual data exploration in a storage account Indicates that blobs or containers in a storage account have been enumerated in an abnormal way, compared to recent activity on this account. A potential cause is that an attacker has performed reconnaissance for a future attack. Collection
Unusual deletion in a storage account Indicates that one or more unexpected delete operations has occurred in a storage account, compared to recent activity on this account. A potential cause is that an attacker has deleted data from your storage account. Exfiltration
Unusual upload of .cspkg to a storage account Indicates that an Azure Cloud Services package (.cspkg file) has been uploaded to a storage account in an unusual way, compared to recent activity on this account. A potential cause is that an attacker has been preparing to deploy malicious code from your storage account to an Azure cloud service. LateralMovement / Execution
Unusual upload of .exe to a storage account Indicates that an .exe file has been uploaded to a storage account in an unusual way, compared to recent activity on this account. A potential cause is that an attacker has uploaded a malicious executable file to your storage account, or that a legitimate user has uploaded an executable file. LateralMovement / Execution

Alerts for Azure Cosmos DB (Preview)

Further details and notes

Alert Description Intent (Learn more)
Access from an unusual location to a Cosmos DB account Indicates that there was a change in the access pattern to an Azure Cosmos DB account. Someone has accessed this account from an unfamiliar IP address, compared to recent activity. Either an attacker has accessed the account, or a legitimate user has accessed it from a new and unusual geographical location. An example of the latter is remote maintenance from a new application or developer. Exploitation
Unusual amount of data extracted from a Cosmos DB account Indicates that there was a change in the data extraction pattern from an Azure Cosmos DB account. Someone has extracted an unusual amount of data compared to recent activity. An attacker might have extracted a large amount of data from an Azure Cosmos DB database (for example, data exfiltration or leakage, or an unauthorized transfer of data). Or, a legitimate user or application might have extracted an unusual amount of data from a container (for example, for maintenance backup activity). Exfiltration

Alerts for Azure network layer

Further details and notes

Alert Description Intent (Learn more)
Network communication with a malicious machine detected Network traffic analysis indicates that your machine (IP %{Victim IP}) has communicated with what is possibly a Command and Control center. When the compromised resource is a load balancer or an application gateway, the suspected activity might indicate that one or more of the resources in the backend pool (of the load balancer or application gateway) has communicated with what is possibly a Command and Control center. -
Possible compromised machine detected Threat intelligence indicates that your machine (at IP %{Machine IP}) may have been compromised by a malware of type Conficker. Conficker was a computer worm that targets the Microsoft Windows operating system and was first detected in November 2008. Conficker infected millions of computers including government, business and home computers in over 200 countries, making it the largest known computer worm infection since the 2003 Welchia worm. -
Possible incoming %{Service Name} brute force attempts detected Network traffic analysis detected incoming %{Service Name} communication to %{Victim IP}, associated with your resource %{Compromised Host} from %{Attacker IP}. When the compromised resource is a load balancer or an application gateway, the suspected incoming traffic has been forwarded to one or more of the resources in the backend pool (of the load balancer or application gateway). Specifically, sampled network data shows suspicious activity between %{Start Time} and %{End Time} on port %{Victim Port}. This activity is consistent with brute force attempts against %{Service Name} servers. -
Possible incoming SQL brute force attempts detected Network traffic analysis detected incoming SQL communication to %{Victim IP}, associated with your resource %{Compromised Host}, from %{Attacker IP}. When the compromised resource is a load balancer or an application gateway, the suspected incoming traffic has been forwarded to one or more of the resources in the backend pool (of the load balancer or application gateway). Specifically, sampled network data shows suspicious activity between %{Start Time} and %{End Time} on port %{Port Number} (%{SQL Service Type}). This activity is consistent with brute force attempts against SQL servers. -
Possible outgoing denial-of-service attack detected Network traffic analysis detected anomalous outgoing activity originating from %{Compromised Host}, a resource in your deployment. This activity may indicate that your resource was compromised and is now engaged in denial-of-service attacks against external endpoints. When the compromised resource is a load balancer or an application gateway, the suspected activity might indicate that one or more of the resources in the backend pool (of the load balancer or application gateway) was compromised. Based on the volume of connections, we believe that the following IPs are possibly the targets of the DOS attack: %{Possible Victims}. Note that it is possible that the communication to some of these IPs is legitimate. -
Possible outgoing port scanning activity detected Network traffic analysis detected suspicious outgoing traffic from %{Compromised Host}. This traffic may be a result of a port scanning activity. When the compromised resource is a load balancer or an application gateway, the suspected outgoing traffic has been originated from to one or more of the resources in the backend pool (of the load balancer or application gateway). If this behavior is intentional, please note that performing port scanning is against Azure Terms of service. If this behavior is unintentional, it may mean your resource has been compromised. -
Suspicious incoming RDP network activity Network traffic analysis detected anomalous incoming Remote Desktop Protocol (RDP) communication to %{Victim IP}, associated with your resource %{Compromised Host}, from %{Attacker IP}. When the compromised resource is a load balancer or an application gateway, the suspected incoming traffic has been forwarded to one or more of the resources in the backend pool (of the load balancer or application gateway). Specifically, sampled network data shows %{Number of Connections} incoming connections to your resource, which is considered abnormal for this environment. This activity may indicate an attempt to brute force your RDP end point -
Suspicious incoming RDP network activity from multiple sources Network traffic analysis detected anomalous incoming Remote Desktop Protocol (RDP) communication to %{Victim IP}, associated with your resource %{Compromised Host}, from multiple sources. When the compromised resource is a load balancer or an application gateway, the suspected incoming traffic has been forwarded to one or more of the resources in the backend pool (of the load balancer or application gateway). Specifically, sampled network data shows %{Number of Attacking IPs} unique IPs connecting to your resource, which is considered abnormal for this environment. This activity may indicate an attempt to brute force your RDP end point from multiple hosts (Botnet) -
Suspicious incoming SSH network activity Network traffic analysis detected anomalous incoming SSH communication to %{Victim IP}, associated with your resource %{Compromised Host}, from %{Attacker IP}. When the compromised resource is a load balancer or an application gateway, the suspected incoming traffic has been forwarded to one or more of the resources in the backend pool (of the load balancer or application gateway). Specifically, sampled network data shows %{Number of Connections} incoming connections to your resource, which is considered abnormal for this environment. This activity may indicate an attempt to brute force your SSH end point -
Suspicious incoming SSH network activity from multiple sources Network traffic analysis detected anomalous incoming SSH communication to %{Victim IP}, associated with your resource %{Compromised Host}, from multiple sources. When the compromised resource is a load balancer or an application gateway, the suspected incoming traffic has been forwarded to one or more of the resources in the backend pool (of the load balancer or application gateway). Specifically, sampled network data shows %{Number of Attacking IPs} unique IPs connecting to your resource, which is considered abnormal for this environment. This activity may indicate an attempt to brute force your SSH end point from multiple hosts (Botnet) -
Suspicious outgoing %{Attacked Protocol} traffic detected Network traffic analysis detected suspicious outgoing traffic from %{Compromised Host} to destination port %{Most Common Port}. When the compromised resource is a load balancer or an application gateway, the suspected outgoing traffic has been originated from to one or more of the resources in the backend pool (of the load balancer or application gateway). This behavior may indicate that your resource is taking part in %{Attacked Protocol} brute force attempts or port sweeping attacks. -
Suspicious outgoing RDP network activity Network traffic analysis detected anomalous outgoing Remote Desktop Protocol (RDP) communication to %{Victim IP} originating from %{Compromised Host} (%{Attacker IP}), a resource in your deployment. When the compromised resource is a load balancer or an application gateway, the suspected outgoing traffic has been originated from to one or more of the resources in the backend pool (of the load balancer or application gateway). Specifically, sampled network data shows %{Number of Connections} outgoing connections from your resource, which is considered abnormal for this environment. This activity may indicate that your machine was compromised and is now used to brute force external RDP end points. Note that this type of activity could possibly cause your IP to be flagged as malicious by external entities. -
Suspicious outgoing RDP network activity to multiple destinations Network traffic analysis detected anomalous outgoing Remote Desktop Protocol (RDP) communication to multiple destinations originating from %{Compromised Host} (%{Attacker IP}), a resource in your deployment. When the compromised resource is a load balancer or an application gateway, the suspected outgoing traffic has been originated from to one or more of the resources in the backend pool (of the load balancer or application gateway). Specifically, sampled network data shows your machine connecting to %{Number of Attacked IPs} unique IPs, which is considered abnormal for this environment. This activity may indicate that your resource was compromised and is now used to brute force external RDP end points. Note that this type of activity could possibly cause your IP to be flagged as malicious by external entities. -
Suspicious outgoing SSH network activity Network traffic analysis detected anomalous outgoing SSH communication to %{Victim IP} originating from %{Compromised Host} (%{Attacker IP}), a resource in your deployment. When the compromised resource is a load balancer or an application gateway, the suspected outgoing traffic has been originated from to one or more of the resources in the backend pool (of the load balancer or application gateway). Specifically, sampled network data shows %{Number of Connections} outgoing connections from your resource, which is considered abnormal for this environment. This activity may indicate that your resource was compromised and is now used to brute force external SSH end points. Note that this type of activity could possibly cause your IP to be flagged as malicious by external entities. -
Suspicious outgoing SSH network activity to multiple destinations Network traffic analysis detected anomalous outgoing SSH communication to multiple destinations originating from %{Compromised Host} (%{Attacker IP}), a resource in your deployment. When the compromised resource is a load balancer or an application gateway, the suspected outgoing traffic has been originated from to one or more of the resources in the backend pool (of the load balancer or application gateway). Specifically, sampled network data shows your resource connecting to %{Number of Attacked IPs} unique IPs, which is considered abnormal for this environment. This activity may indicate that your resource was compromised and is now used to brute force external SSH end points. Note that this type of activity could possibly cause your IP to be flagged as malicious by external entities. -
Traffic detected from IP addresses recommended for blocking Azure Security Center detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource. Alternatively, the IP address has been flagged as malicious by Security Center's threat intelligence sources. Probing

Alerts for Azure Resource Manager (Preview)

Further details and notes

Alert Description Intent (Learn more)
PREVIEW - Azurite toolkit run detected A known cloud-environment reconnaissance toolkit run has been detected in your environment. The tool Azurite can be used by an attacker (or penetration tester) to map your subscriptions' resources and identify insecure configurations. -
PREVIEW – MicroBurst toolkit “Get-AzureDomainInfo” function run detected A known cloud-environment reconnaissance toolkit run has been detected in your environment. The tool “MicroBurst” (see https://github.com/NetSPI/MicroBurst) can be used by an attacker (or penetration tester) to map your subscription(s) resources, identify insecure configurations, and leak confidential information. -
PREVIEW - Suspicious management session using an inactive account detected Subscription activity logs analysis has detected suspicious behavior. A principal not in use for a long period of time is now performing actions that can secure persistence for an attacker. Persistence
PREVIEW – MicroBurst toolkit “Get-AzurePasswords” function run detected A known cloud-environment reconnaissance toolkit run has been detected in your environment. The tool “MicroBurst” (see https://github.com/NetSPI/MicroBurst) can be used by an attacker (or penetration tester) to map your subscription(s) resources, identify insecure configurations, and leak confidential information. -
PREVIEW – Suspicious management session using Azure portal detected Analysis of your subscription activity logs has detected a suspicious behavior. A principal that doesn’t regularly use the Azure portal (Ibiza) to manage the subscription environment (hasn’t used Azure portal to manage for the last 45 days, or a subscription that it is actively managing), is now using the Azure portal and performing actions that can secure persistence for an attacker. -
PREVIEW - Suspicious management session using PowerShell detected Subscription activity logs analysis has detected suspicious behavior. A principal that doesn’t regularly use PowerShell to manage the subscription environment is now using PowerShell, and performing actions that can secure persistence for an attacker. Persistence
Activity from anonymous IP addresses Users activity from an IP address that has been identified as an anonymous proxy IP address has been detected.
These proxies are used by people who want to hide their device’s IP address, and can be used for malicious intent. This detection uses a machine learning algorithm that reduces false positives, such as mis-tagged IP addresses that are widely used by users in the organization.
-
Activity from infrequent country Activity from a location that wasn't recently or ever visited by any user in the organization has occurred.
This detection considers past activity locations to determine new and infrequent locations. The anomaly detection engine stores information about previous locations used by users in the organization.
-
Impossible travel activity Two user activities (in a single or multiple sessions) have occurred, originating from geographically distant locations. This occurs within a time period shorter than the time it would have taken the user to travel from the first location to the second. This indicates that a different user is using the same credentials.
This detection uses a machine learning algorithm that ignores obvious false positives contributing to the impossible travel conditions, such as VPNs and locations regularly used by other users in the organization. The detection has an initial learning period of seven days, during which it learns a new user’s activity pattern.
-
Use of advanced Azure persistence techniques Subscription activity logs analysis has detected suspicious behavior. Customized roles have been given legitimized identity entities. This can lead the attacker to gain persistency in an Azure customer environment. -

Alerts for Azure Key Vault (Preview)

Further details and notes

Alert Description Intent (Learn more)
Access from a TOR exit node to a Key Vault The Key Vault has been accessed by someone using the TOR IP anonymization system to hide their location. Malicious actors often try to hide their location when attempting to gain unauthorized access to internet-connected resources. -
High volume of operations in a Key Vault A larger volume of Key Vault operations has been performed compared with historical data. Key Vault activity is typically the same over time. This may be a legitimate change in activity. Alternatively, your infrastructure might be compromised and further investigations are necessary. -
Suspicious policy change and secret query in a Key Vault A Key Vault policy change has been made and then operations to list and/or get secrets occurred. In addition, this operation pattern isn't normally performed by the user on this vault. This is highly indicative that the Key Vault is compromised and the secrets within have been stolen by a malicious actor. -
Suspicious secret listing and query in a Key Vault A Secret List operation was followed by many Secret Get operations. Also, this operation pattern isn't normally performed by the user on this vault. This indicates that someone could be dumping the secrets stored in the Key Vault for potentially malicious purposes. -
Unusual user-application pair accessed a Key Vault The Key Vault has been accessed by a User-Application pairing that doesn't normally access it. This may be a legitimate access attempt (for example, following an infrastructure or code update). This is also a possible indication that your infrastructure is compromised and a malicious actor is trying to access your Key Vault. -
Unusual application accessed a Key Vault The Key Vault has been accessed by an Application that doesn't normally access it. This may be a legitimate access attempt (for example, following an infrastructure or code update). This is also a possible indication that your infrastructure is compromised and a malicious actor is trying to access your Key Vault. -
Unusual user accessed a Key Vault The Key Vault has been accessed by a User that doesn't normally access it. This may be a legitimate access attempt (for example, a new user needing access has joined the organization). This is also a possible indication that your infrastructure is compromised and a malicious actor is trying to access your Key Vault. -
Unusual operation pattern in a Key Vault An unusual set of Key Vault operations has been performed compared with historical data. Key Vault activity is typically the same over time. This may be a legitimate change in activity. Alternatively, your infrastructure might be compromised and further investigations are necessary. -
User accessed high volume of Key Vaults The number of vaults that a user or application accesses has changed compared with historical data. Key Vault activity is typically the same over time. This may be a legitimate change in activity. Alternatively, your infrastructure might be compromised and further investigations are necessary. -

Alerts for Azure DDoS Protection

Further details and notes

Alert Description Intent (Learn more)
DDoS Attack detected for Public IP DDoS Attack detected for Public IP (IP address) and being mitigated. Probing
DDoS Attack mitigated for Public IP DDoS Attack mitigated for Public IP (IP address). Probing

Intentions

Understanding the intention of an attack can help you investigate and report the event more easily. Azure Security Center alerts include the 'intent' field to help with these efforts.

The series of steps that describe the progression of a cyberattack from reconnaissance to data exfiltration is often referred to as a "kill chain".

Security Center's supported kill chain intents are based on the MITRE ATT&CK™ framework and described in the table below.

Intent Description
Probing Probing could be either an attempt to access a certain resource regardless of a malicious intent, or a failed attempt to gain access to a target system to gather information prior to exploitation. This step is usually detected as an attempt, originating from outside the network, to scan the target system and identify an entry point.
Exploitation Exploitation is the stage where an attacker manages to get a foothold on the attacked resource. This stage is relevant for compute hosts and resources such as user accounts, certificates etc. Threat actors will often be able to control the resource after this stage.
Persistence Persistence is any access, action, or configuration change to a system that gives a threat actor a persistent presence on that system. Threat actors will often need to maintain access to systems through interruptions such as system restarts, loss of credentials, or other failures that would require a remote access tool to restart or provide an alternate backdoor for them to regain access.
PrivilegeEscalation Privilege escalation is the result of actions that allow an adversary to obtain a higher level of permissions on a system or network. Certain tools or actions require a higher level of privilege to work and are likely necessary at many points throughout an operation. User accounts with permissions to access specific systems or perform specific functions necessary for adversaries to achieve their objective may also be considered an escalation of privilege.
DefenseEvasion Defense evasion consists of techniques an adversary may use to evade detection or avoid other defenses. Sometimes these actions are the same as (or variations of) techniques in other categories that have the added benefit of subverting a particular defense or mitigation.
CredentialAccess Credential access represents techniques resulting in access to or control over system, domain, or service credentials that are used within an enterprise environment. Adversaries will likely attempt to obtain legitimate credentials from users or administrator accounts (local system administrator or domain users with administrator access) to use within the network. With sufficient access within a network, an adversary can create accounts for later use within the environment.
Discovery Discovery consists of techniques that allow the adversary to gain knowledge about the system and internal network. When adversaries gain access to a new system, they must orient themselves to what they now have control of and what benefits operating from that system give to their current objective or overall goals during the intrusion. The operating system provides many native tools that aid in this post-compromise information-gathering phase.
LateralMovement Lateral movement consists of techniques that enable an adversary to access and control remote systems on a network and could, but does not necessarily, include execution of tools on remote systems. The lateral movement techniques could allow an adversary to gather information from a system without needing additional tools, such as a remote access tool. An adversary can use lateral movement for many purposes, including remote Execution of tools, pivoting to additional systems, access to specific information or files, access to additional credentials, or to cause an effect.
Execution The execution tactic represents techniques that result in execution of adversary-controlled code on a local or remote system. This tactic is often used in conjunction with lateral movement to expand access to remote systems on a network.
Collection Collection consists of techniques used to identify and gather information, such as sensitive files, from a target network prior to exfiltration. This category also covers locations on a system or network where the adversary may look for information to exfiltrate.
Exfiltration Exfiltration refers to techniques and attributes that result or aid in the adversary removing files and information from a target network. This category also covers locations on a system or network where the adversary may look for information to exfiltrate.
CommandAndControl The command and control tactic represents how adversaries communicate with systems under their control within a target network.
Impact Impact events primarily try to directly reduce the availability or integrity of a system, service, or network; including manipulation of data to impact a business or operational process. This would often refer to techniques such as ransomware, defacement, data manipulation, and others.

Next steps

To learn more about alerts, see the following: