Microsoft Tech Community

Security alerts in Microsoft Defender for Cloud


Hello All,

We have received the below security alerts in Microsoft Defender for Cloud for our App Service.

1) NMap scanning detected (for this we got the carrier and organization as Microsoft)

2) Vulnerability scanner detected

3) Suspicious User Agent detected

Our website is Internet-facing (public-facing), so we cannot put many restrictions on our App Service (e.g. IP restriction, SSL certificate).

We are unable to investigate the below alerts. We checked the Log Analytics workspace logs and extracted the logs for the caller IP, but could not find much information from them.

We also checked, and there was no impact found on our web app.

1) NMap scanning detected (for this we got the carrier and organization as Microsoft)

2) Vulnerability scanner detected

3) Suspicious User Agent detected

Is there any way by which we can investigate why these alerts got generated, and what next action can be taken on this?

It sounds like it could have been scanned by a VM running VA tools. Hence, the IP address would have been from an MS data center.
For the "Suspicious User Agent detected" alert, you may check the entities and try to find out which user agent was the one used. Likewise, for the "Vulnerability scanner detected" alert, check whether the entities have any details as to which scanner was the one used.
Is the web app hosted in a VM? If so, Microsoft holds scanning tools like Qualys and MDVM that may have performed a scan as per configuration.
Given the IP address was Microsoft's, you could try to trace it back to a specific datacenter to gain more insight into whether this was malicious or not.
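An added example (not from this thread) of the entity check suggested above, written as a KQL query for the Log Analytics workspace: it pulls the source IP entities out of the three alert types the question quotes and pivots into the App Service HTTP logs to see what those IPs actually requested. It assumes App Service diagnostic settings send AppServiceHTTPLogs to the same workspace that receives the SecurityAlert table, and the alert-name filter strings are assumptions based on the names quoted above.

```kusto
// Added example, not from the thread. Assumes App Service diagnostic settings
// forward AppServiceHTTPLogs into the workspace that also stores SecurityAlert.
let lookback = 7d;
// 1. Pull the source IP entities out of the three alert types quoted above.
//    Alert entities are a JSON array; IP entities have Type == "ip" and the
//    address in the Address field.
let alertSources = SecurityAlert
    | where TimeGenerated > ago(lookback)
    | where AlertName has_any ("NMap scanning", "Vulnerability scanner", "Suspicious User Agent")
    | mv-expand Ent = parse_json(Entities)
    | where tostring(Ent.Type) == "ip"
    | project AlertName, AlertSeverity, SourceIP = tostring(Ent.Address)
    | distinct AlertName, AlertSeverity, SourceIP;
// 2. Summarise what each of those IPs did against the app: request volume,
//    status-code mix, paths probed and user agents used. A scanner typically
//    shows many distinct paths, mostly 4xx responses and one tool-like user
//    agent; 2xx responses to paths you did not expect to exist are what need
//    follow-up.
AppServiceHTTPLogs
    | where TimeGenerated > ago(lookback)
    | join kind=inner alertSources on $left.CIp == $right.SourceIP
    | summarize
        Requests      = count(),
        Succeeded2xx  = countif(ScStatus between (200 .. 299)),
        ClientErr4xx  = countif(ScStatus between (400 .. 499)),
        ServerErr5xx  = countif(ScStatus >= 500),
        DistinctPaths = dcount(CsUriStem),
        SamplePaths   = make_set(CsUriStem, 20),
        UserAgents    = make_set(UserAgent, 10),
        FirstSeen     = min(TimeGenerated),
        LastSeen      = max(TimeGenerated)
      by AlertName, AlertSeverity, CIp
    | extend ClientErrRatio = round(todouble(ClientErr4xx) / Requests, 2)
    | order by Succeeded2xx desc, Requests desc
```

To confirm the reply's point about the source being Microsoft's own infrastructure, the resulting CIp values can be compared against the published "Azure IP Ranges and Service Tags" download rather than relying on the carrier field in the alert alone.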