Category: Microsoft Defender for Cloud

New alert in Azure Defender for Key Vault

Hi!

Azure Defender for Key Vault has the following new alert:

Alert (alert type): Denied access from a suspicious IP to a key vault (KV_SuspiciousIPAccessDenied)
Description: An unsuccessful key vault access has been attempted by an IP that has been identified by Microsoft Threat Intelligence as a suspicious IP address. Though this attempt was unsuccessful, it indicates that your infrastructure might have been compromised. We recommend further investigation.
MITRE tactics: Credential Access
Severity: Low

You can see a list of all of the alerts available for Key Vault in the Defender for Cloud alerts reference.

Maxime.
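To make the logic behind this alert concrete, here is an added Python example (not Microsoft's detection code, and not part of the original post) that runs the same check over constructed Key Vault access log records: a request that was denied (401 or 403) from a caller IP that appears on a threat-intelligence list is raised as a KV_SuspiciousIPAccessDenied-style finding with the tactic and severity listed above. The record field names, the CIDR list standing in for Microsoft Threat Intelligence, and the "later success from the same IP" triage flag are all assumptions made for the example.

```python
import ipaddress

# Constructed sample records, shaped loosely like Key Vault AuditEvent
# diagnostic entries. Field names are assumptions, not the real schema.
SAMPLE_LOGS = [
    {"time": "2022-06-01T10:00:01Z", "vault": "kv-prod-01", "operation": "SecretGet",
     "callerIp": "203.0.113.7", "httpStatus": 403},
    {"time": "2022-06-01T10:00:05Z", "vault": "kv-prod-01", "operation": "SecretGet",
     "callerIp": "10.1.2.3", "httpStatus": 200},
    {"time": "2022-06-01T10:01:10Z", "vault": "kv-prod-01", "operation": "KeyList",
     "callerIp": "198.51.100.42", "httpStatus": 401},
    {"time": "2022-06-01T10:02:00Z", "vault": "kv-prod-01", "operation": "SecretGet",
     "callerIp": "203.0.113.7", "httpStatus": 200},
]

# Constructed stand-in for a threat-intelligence feed. The real alert relies on
# Microsoft Threat Intelligence, which is not something you can query offline.
SUSPICIOUS_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# HTTP statuses Key Vault returns for an access attempt that was denied.
DENIED_STATUSES = {401, 403}


def is_suspicious_ip(ip, ranges):
    """True if the caller IP falls inside any range of the (constructed) feed."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed caller IP: skip rather than crash the pipeline
    return any(addr in net for net in ranges)


def is_denied(record):
    """True if the record describes an unsuccessful (denied) access attempt."""
    return record.get("httpStatus") in DENIED_STATUSES


def later_success(records, denied_rec):
    """True if the same caller IP received a 2xx response after the denied call.
    Timestamps are ISO-8601 UTC strings of equal length, so string comparison
    is chronological."""
    return any(
        r["callerIp"] == denied_rec["callerIp"]
        and r["time"] > denied_rec["time"]
        and 200 <= r.get("httpStatus", 0) < 300
        for r in records
    )


def find_denied_from_suspicious_ips(records, ranges):
    """Emit one finding per denied request whose caller IP is on the feed.

    Each finding carries the alert type, MITRE tactic and severity the post
    lists for this alert, plus enough context to start an investigation."""
    findings = []
    for rec in records:
        if not is_denied(rec) or not is_suspicious_ip(rec["callerIp"], ranges):
            continue
        findings.append({
            "alertType": "KV_SuspiciousIPAccessDenied",
            "tactic": "Credential Access",
            "severity": "Low",
            "vault": rec["vault"],
            "callerIp": rec["callerIp"],
            "operation": rec["operation"],
            "time": rec["time"],
            # Triage helper (an assumption of this example, not part of the
            # Defender alert): a later successful call from the same IP means
            # the denial was not the end of the story and deserves priority.
            "laterSuccessFromSameIp": later_success(records, rec),
        })
    return findings


if __name__ == "__main__":
    for finding in find_denied_from_suspicious_ips(SAMPLE_LOGS, SUSPICIOUS_RANGES):
        print(finding)
```

With the constructed data, only the 403 from 203.0.113.7 is raised; the 401 from 198.51.100.42 is denied but not on the feed, and the 200 from 10.1.2.3 is neither. The finding's laterSuccessFromSameIp flag is set because the same IP obtains a secret two minutes later, which is exactly the situation the alert text warns about when it says the infrastructure might already be compromised.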

Generate Alerts Samples for Containers plan

Hi!

You can now create sample alerts also for Defender for Containers plan. The new sample alerts are presented as being from AKS, Arc-connected clusters, EKS, and GKE resources with different severities and MITRE tactics. You can use the sample alerts to validate security alert configurations, such as SIEM integrations, workflow automation, and email notifications.

Maxime.

Deprecated VM alerts regarding suspicious activity related to a Kubernetes cluster

Hi!

The following table lists the alerts that were deprecated:

Alert name: Docker build operation detected on a Kubernetes node (VM_ImageBuildOnNode)
Description: Machine logs indicate a build operation of a container image on a Kubernetes node. While this behavior might be legitimate, attackers might build their malicious images locally to avoid detection.
Tactics: Defense Evasion
Severity: Low

Alert name: Suspicious request to Kubernetes API (VM_KubernetesAPI)
Description: Machine logs indicate that a suspicious request was made to the Kubernetes API. The request was sent from a Kubernetes node, possibly from one of the containers running in the node. Although this behavior can be intentional, it might indicate that the node is running a compromised container.
Tactics: Lateral Movement
Severity: Medium

Alert name: SSH server is running inside a container (VM_ContainerSSH)
Description: Machine logs indicate that an SSH server is running inside a Docker container. While this behavior can be intentional, it frequently indicates that a container is misconfigured or breached.
Tactics: Execution
Severity: Medium

These alerts notify a user about suspicious activity connected to a Kubernetes cluster. They are being replaced with matching alerts that are part of the Microsoft Defender for Cloud container alerts (K8S.NODE_ImageBuildOnNode, K8S.NODE_KubernetesAPI and K8S.NODE_ContainerSSH), which provide improved fidelity and more comprehensive context to investigate and act on the alerts.

Source: https://learn.microsoft.com/en-us/azure/defender-for-cloud/release-notes

Maxime.