Catégorie : Microsoft Defender for Cloud

Generate Alerts Samples for Containers plan

Hi!

You can now create sample alerts also for Defender for Containers plan. The new sample alerts are presented as being from AKS, Arc-connected clusters, EKS, and GKE resources with different severities and MITRE tactics. You can use the sample alerts to validate security alert configurations, such as SIEM integrations, workflow automation, and email notifications.

Maxime.

Deprecated VM alerts regarding suspicious activity related to a Kubernetes cluster

Hi!

The following table lists the alerts that were deprecated:

Alert nameDescriptionTacticsSeverity
Docker build operation detected on a Kubernetes node
(VM_ImageBuildOnNode)
Machine logs indicate a build operation of a container image on a Kubernetes node. While this behavior might be legitimate, attackers might build their malicious images locally to avoid detection.Defense EvasionLow
Suspicious request to Kubernetes API
(VM_KubernetesAPI)
Machine logs indicate that a suspicious request was made to the Kubernetes API. The request was sent from a Kubernetes node, possibly from one of the containers running in the node. Although this behavior can be intentional, it might indicate that the node is running a compromised container.LateralMovementMedium
SSH server is running inside a container
(VM_ContainerSSH)
Machine logs indicate that an SSH server is running inside a Docker container. While this behavior can be intentional, it frequently indicates that a container is misconfigured or breached.ExecutionMedium

These alerts are used to notify a user about suspicious activity connected to a Kubernetes cluster. The alerts will be replaced with matching alerts that are part of the Microsoft Defender for Cloud Container alerts (K8S.NODE_ImageBuildOnNodeK8S.NODE_ KubernetesAPI and K8S.NODE_ ContainerSSH) which will provide improved fidelity and comprehensive context to investigate and act on the alerts.

Source: https://learn.microsoft.com/en-us/azure/defender-for-cloud/release-notes

Maxime.

Two news alerts for Microsoft Defender for KeyVault (AKV)

Hi!

In this article, I will share with you two news alerts released in June 2022 for Microsoft Defender for KeyVault.

Alert (alert type)DescriptionMITRE tacticsSeverity
Unusual access denied – User accessing high volume of key vaults denied
(KV_DeniedAccountVolumeAnomaly)
A user or service principal has attempted access to anomalously high volume of key vaults in the last 24 hours. This anomalous access pattern may be legitimate activity. Though this attempt was unsuccessful, it could be an indication of a possible attempt to gain access of key vault and the secrets contained within it. We recommend further investigations.DiscoveryLow
Unusual access denied – Unusual user accessing key vault denied
(KV_UserAccessDeniedAnomaly)
A key vault access was attempted by a user that doesn’t normally access it, this anomalous access pattern may be legitimate activity. Though this attempt was unsuccessful, it could be an indication of a possible attempt to gain access of key vault and the secrets contained within it.Initial Access, DiscoveryLow

Maxime.