Microsoft Detection and Response Team (DART) AMA
Event Ended
Tuesday, Mar 15, 2022, 09:00 AM PDT
Event details
We are very excited to announce our Microsoft Detection and Response Team (DART) AMA!
About DART: Our job is to respond to compromises and help our customers become cyber-resilient. This is al...
Trevor_Rusher
Updated Feb 16, 2022
Jerad_Rodgers
Mar 15, 2022
Copper Contributor
We recently discovered that a compromised account created an Azure Virtual Machine. We were not able to see the subscription in our tenant. How would you handle the incident response for this? How often has something like this been seen in the wild?
aymansiraj
Mar 15, 2022
Copper Contributor
For Azure Virtual Machines, review alerts in Microsoft Defender for Cloud: https://docs.microsoft.com/en-us/azure/defender-for-cloud/tutorial-security-incident.
The reason you might not be seeing the subscription is that your account might not have the rights to see the subscription. A Global Admin may have access to the subscription, so I would recommend you ask a Global Admin in your org to see if they are able to see the subscription: https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin