
Commit e675fa8

Changes required following PR review
1 parent 87ecf06 commit e675fa8

5 files changed: +6 -13 lines

.openpublishing.redirection.defender-for-cloud.json

+1-1
@@ -141,7 +141,7 @@
141141
"redirect_document_id": false
142142
},
143143
{
144-
"source_path_from_root": "/articles/security-center/security-center-provide-security-contacts",
144+
"source_path_from_root": "/articles/security-center/security-center-provide-security-contacts.md",
145145
"redirect_url": "/azure/security-center/configure-email-notifications",
146146
"redirect_document_id": false
147147
},
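Review bot: adding `.md` to `source_path_from_root` on line 144+ is the right fix, since that field is a repository file path, while `redirect_url` on line 145 correctly stays an extension-less site URL. Because this file is hand-edited, it is worth a quick search for any other `source_path_from_root` entry that lacks the `.md` extension so they can be fixed in the same PR rather than one at a time.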

articles/security-center/adaptive-application-controls.md

+1-1
@@ -182,7 +182,7 @@ To remediate the issues:
182182

183183
The alerts page shows the more details of the alerts and provides a **Take action** link with recommendations of how to mitigate the threat.
184184

185-
:::image type="content" source="media/adaptive-application/adaptive-application-alerts-start-time.png" alt-text="The start time of adaptive application controls alerts is the .":::
185+
:::image type="content" source="media/adaptive-application/adaptive-application-alerts-start-time.png" alt-text="The start time of adaptive application controls alerts is the time that adaptive application controls created the alert.":::
186186

187187
> [!NOTE]
188188
> Adaptive application controls calculates events once every twelve hours. The "activity start time" shown in the alerts page is the time that adaptive application controls created the alert, **not** the time that the suspicious process was active.
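Review bot: the new alt text on line 185+ repeats the sentence from the note on line 188 almost verbatim instead of describing the image. Alt text should say what the screenshot shows, for example `alt-text="Screenshot of the adaptive application controls alerts page with the activity start time highlighted."`, and leave the explanation of what that timestamp means to the note, which already states it.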

articles/security-center/alerts-reference.md

+1-1
@@ -450,7 +450,7 @@ Azure Defender alerts for container hosts aren't limited to the alerts below. Ma
450450
| **PREVIEW - Storage account with potentially sensitive data has been detected with a publicly exposed container**<br>(Storage.Blob_OpenACL) | The access policy of a container in your storage account was modified to allow anonymous access. This might lead to a data breach if the container holds any sensitive data. This alert is based on analysis of Azure activity log.<br>Applies to: Azure Blob Storage, Azure Data Lake Storage Gen2 | Privilege Escalation | Medium |
451451
| **Access from a Tor exit node to a storage account**<br>(Storage.Blob_TorAnomaly<br>Storage.Files_TorAnomaly) | Indicates that this account has been accessed successfully from an IP address that is known as an active exit node of Tor (an anonymizing proxy). The severity of this alert considers the authentication type used (if any), and whether this is the first case of such access. Potential causes can be an attacker who has accessed your storage account by using Tor, or a legitimate user who has accessed your storage account by using Tor.<br>Applies to: Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2 | Probing, Exploitation | High |
452452
| **Access from an unusual location to a storage account**<br>(Storage.Blob_GeoAnomaly<br>Storage.Files_GeoAnomaly) | Indicates that there was a change in the access pattern to an Azure Storage account. Someone has accessed this account from an IP address considered unfamiliar when compared with recent activity. Either an attacker has gained access to the account, or a legitimate user has connected from a new or unusual geographic location. An example of the latter is remote maintenance from a new application or developer.<br>Applies to: Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2 | Exploitation | Low |
453-
| **Anonymous access to a storage account**<br>(Storage.Blob_AnonymousAccessAnomaly) | Indicates that there was a change in the access pattern to an Azure Storage account. Someone accessed a countainer in this storage account without authenticating. Access to this container is typically authenticated by SAS token, storage account key, or AAD. This might indicate that an attacker has exploited public read access to the storage account.<br>Applies to: Azure Blob Storage | Exploitation | High |
453+
| **Anonymous access to a storage account**<br>(Storage.Blob_AnonymousAccessAnomaly) | Indicates that there was a change in the access pattern to an Azure Storage account. Someone accessed a container in this storage account without authenticating. Access to this container is typically authenticated by SAS token, storage account key, or AAD. This might indicate that an attacker has exploited public read access to the storage account.<br>Applies to: Azure Blob Storage | Exploitation | High |
454454
| **Potential malware uploaded to a storage account**<br>(Storage.Blob_MalwareHashReputation<br>Storage.Files_MalwareHashReputation) | Indicates that a blob containing potential malware has been uploaded to a blob container or a file share in a storage account. This alert is based on hash reputation analysis leveraging the power of Microsoft threat intelligence, which includes hashes for viruses, trojans, spyware and ransomware. Potential causes may include an intentional malware upload by an attacker, or an unintentional upload of a potentially malicious blob by a legitimate user.<br>Applies to: Azure Blob Storage, Azure Files (Only for transactions over REST API)<br>Learn more about [Azure's hash reputation analysis for malware](defender-for-storage-introduction.md#what-is-hash-reputation-analysis-for-malware).<br>Learn more about [Microsoft's threat intelligence capabilities](https://go.microsoft.com/fwlink/?linkid=2128684). | Lateral Movement | High |
455455
| **Unusual access inspection in a storage account**<br>(Storage.Blob_AccessInspectionAnomaly<br>Storage.Files_AccessInspectionAnomaly) | Indicates that the access permissions of a storage account have been inspected in an unusual way, compared to recent activity on this account. A potential cause is that an attacker has performed reconnaissance for a future attack.<br>Applies to: Azure Blob Storage, Azure Files | Collection | Medium |
456456
| **Unusual amount of data extracted from a storage account**<br>(Storage.Blob_DataExfiltration.AmountOfDataAnomaly<br>Storage.Blob_DataExfiltration.NumberOfBlobsAnomaly<br>Storage.Files_DataExfiltration.AmountOfDataAnomaly<br>Storage.Files_DataExfiltration.NumberOfFilesAnomaly) | Indicates that an unusually large amount of data has been extracted compared to recent activity on this storage container. A potential cause is that an attacker has extracted a large amount of data from a container that holds blob storage.<br>Applies to: Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2 | Exfiltration | Medium |
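Review bot: only the spelling of "container" changes in the row on line 453+, which is correct. While this row is being touched, `AAD` is the only abbreviation in it that is not spelled out; the same sentence writes "SAS token" and "storage account key" in full, so "Azure AD" would read consistently and match the rest of the table.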

articles/security-center/alerts-suppression-rules.md

+1-2
@@ -1,5 +1,5 @@
11
---
2-
title: Using alerts suppression rules to suppress false positives or other unwanted security alerts in Microsoft Defender for Cloud.
2+
title: Using alerts suppression rules to suppress false positives or other unwanted security alerts in Microsoft Defender for Cloud
33
description: This article explains how to use Microsoft Defender for Cloud's suppression rules to hide unwanted security alerts
44
author: memildin
55
manager: rkarlin
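Review bot: dropping the trailing period from `title` on line 2+ is consistent with `description` on line 3, which also ends without punctuation. The title itself still says "suppression rules to suppress", which is redundant next to the H1 "Suppress alerts from Microsoft Defender for Cloud" on line 13; a tighter form such as `title: Suppress false positives and other unwanted security alerts with suppression rules in Microsoft Defender for Cloud` would avoid the repetition.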
@@ -9,7 +9,6 @@ ms.date: 10/18/2021
99
ms.service: security-center
1010
ms.topic: how-to
1111
---
12-
1312
# Suppress alerts from Microsoft Defender for Cloud
1413

1514
This page explains how you can use alerts suppression rules to suppress false positives or other unwanted security alerts from Defender for Cloud.

articles/security-center/threat-intelligence-reports.md

+2-8
@@ -5,15 +5,13 @@ author: memildin
55
manager: rkarlin
66
ms.service: security-center
77
ms.topic: how-to
8-
ms.date: 06/15/2020
8+
ms.date: 06/15/2021
99
ms.author: memildin
10-
1110
---
1211
# Microsoft Defender for Cloud threat intelligence report
1312

1413
This page explains how Microsoft Defender for Cloud's threat intelligence reports can help you learn more about a threat that triggered a security alert.
1514

16-
1715
## What is a threat intelligence report?
1816

1917
Defender for Cloud's threat protection works by monitoring security information from your Azure resources, the network, and connected partner solutions. It analyzes this information, often correlating information from multiple sources, to identify threats. For more information, see [How Microsoft Defender for Cloud detects and responds to threats](alerts-overview.md#detect-threats).
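Review bot: the `ms.date` bump on line 8+ goes from 06/15/2020 to 06/15/2021, but `ms.date` records when the article was last reviewed, and the other article in this same commit (alerts-suppression-rules.md) carries 10/18/2021. A June 2021 value on a file being revised now looks like a typo for the current review date; suggest setting it to the date of this review instead.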
@@ -39,8 +37,6 @@ Defender for Cloud has three types of threat reports, which can vary according t
3937

4038
This type of information is useful during the incident response process, where there's an ongoing investigation to understand the source of the attack, the attacker’s motivations, and what to do to mitigate this issue in the future.
4139

42-
43-
4440
## How to access the threat intelligence report?
4541

4642
1. From Defender for Cloud's menu, open the **Security alerts** page.
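Review bot: the blank-line cleanup before `## How to access the threat intelligence report?` on line 40 is fine, but that heading mixes a "How to" phrase with a question mark. The sibling heading on line 17 uses the question form ("What is a threat intelligence report?"), so either `## How do I access the threat intelligence report?` or the plain task form `## Access the threat intelligence report` would be consistent; the current wording is neither.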
@@ -59,11 +55,9 @@ This type of information is useful during the incident response process, where t
5955
>[!TIP]
6056
> The amount of information available for each security alert will vary according to the type of alert.
6157
62-
63-
6458
## Next steps
6559

6660
This page explained how to open threat intelligence reports when investigating security alerts. For related information, see the following pages:
6761

6862
* [Managing and responding to security alerts in Microsoft Defender for Cloud](managing-and-responding-alerts.md). Learn how to manage and respond to security alerts.
69-
* [Handling security incidents in Microsoft Defender for Cloud](incidents.md)
63+
* [Handling security incidents in Microsoft Defender for Cloud](incidents.md)
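Review bot: the two bullets under `## Next steps` are not parallel: the first (line 62) ends with a one-sentence description ("Learn how to manage and respond to security alerts.") while the second (line 63+) is a bare link. Suggest giving the second bullet a matching description, for example `* [Handling security incidents in Microsoft Defender for Cloud](incidents.md). Learn how security alerts are grouped into incidents.` Lines `69-` and `63+` are otherwise identical text, so the only change there is the newline at end of file, which is worth keeping.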
