Respond to Azure Defender for DNS alerts

When you receive an alert from Azure Defender for DNS, we recommend that you investigate and respond to it as described below. Azure Defender for DNS protects all connected resources, so even if you're familiar with the application or user that triggered the alert, it's important to verify the circumstances surrounding every alert.

Step 1. Contact

  1. Contact the resource owner to determine whether the behavior was expected or intentional.
  2. If the activity is expected, dismiss the alert.
  3. If the activity is unexpected, treat the resource as potentially compromised and mitigate as described in the next step.

Step 2. Immediate mitigation

  1. Isolate the resource from the network to prevent lateral movement.
  2. Run a full antimalware scan on the resource, following any resulting remediation advice.
  3. Review installed and running software on the resource, removing any unknown or unwanted packages.
  4. Revert the machine to a known good state, reinstalling the operating system if required, and restore software from a verified malware-free source.
  5. Resolve any Azure Security Center recommendations for the machine, remediating highlighted security issues to prevent future breaches.

Next steps

This page explained the process of responding to an alert from Azure Defender for DNS. For related information, see the following pages: