alerts
Alert FineTuning (Sev:Low): Vulnerability Scanner Detection
Hi, we are seeing a high number of "Vulnerability Scanner Detection" alerts and facing challenges during analysis: the alerts often show Microsoft IP addresses, and some of them appear malicious. Can we fine-tune this to capture the actual IP scanning the environment? How can we determine whether the scan was successful or failed, for example by using status codes like 200 or 404? Is there a way to identify if the app service is using platforms like Joomla, Drupal, WordPress, or others? Looking forward to your support on this.

"Duplicate" alerts in Defender for Cloud from MDE
Hello, I discovered that security alerts generated from Defender for Endpoint are causing "duplicate" security alerts in Defender for Cloud. We have several Azure Arc-enabled servers active with Defender for Servers P1, which includes Defender for Endpoint integration. Hence Arc servers are automatically onboarded to Defender for Endpoint. We had a false positive caused by the addition of AV exclusions, which generated an alert / incident in Defender XDR that was then synced to Sentinel. Closing the alerts in Defender XDR or Sentinel resulted in synced status between the two. However, it seems the same alerts were also created in Defender for Cloud, and their status remained "open" even after being resolved in Defender XDR. The link in the open Defender for Cloud alert effectively opens the resolved alert in Defender XDR. So it seems to be the same alert, but its status is not being synced. Is this a known issue?

Azure Cloud Defender false positive
Cloud Defender threw up an alert on Trojan:Script/Phonzy.B!ml for a PaloAlto virtual firewall. There are no Defender agents (detection was agentless). I cannot find any other incidents or similar issues. The affected file is pps_parport.ko, which is a library file. Currently unable to get the file off the Palo to upload to VirusTotal or a similar website. No other security issues with Azure servers. Is there a way to find out if this is a false positive, or is this system a canary in a coal mine?

New Blog | Microsoft Defender for Cloud latest protection against abuse of Azure VM Extensions
Throughout recent years, the IT world has shifted its workloads, management layers, and machines to the cloud, thus introducing a new attack surface, accompanied by new attack vectors. The following introduced a tactic for threat actors to deploy their cyber-attacks against organizations' cloud environments, gaining strong permissions, operating for financial gain, and more. Upon succeeding in compromising an identity with sufficient permissions in Azure, threat actors often try to abuse existing features within the environment that allow them to deploy their malicious activity stealthily, efficiently, and easily, and one special feature is: Azure VM extensions. Read the full blog here: Microsoft Defender for Cloud latest protection against sophisticated abuse of Azure VM Extensions - Microsoft Community Hub

Security alerts in Microsoft Defender for Cloud
Hello All, we have received the below security alerts in Microsoft Defender for Cloud for our App Service:

1) NMap scanning detected (for this we got the carrier and organization as Microsoft)
2) Vulnerability scanner detected
3) Suspicious User Agent detected

Our website is Internet facing (public facing), so we cannot put much restriction on our app service (e.g. IP restriction, SSL certificate). We are unable to investigate the below alerts. We checked the Log Analytics workspace logs and extracted the logs for the caller IP, but could not find much information from them. We also checked and found no impact on our web app.

1) NMap scanning detected (for this we got the carrier and organization as Microsoft)
2) Vulnerability scanner detected
3) Suspicious User Agent detected

Is there any way by which we can investigate why these alerts got generated, and what next action can be taken on this?

Did I just stumble on a hidden gem?
Hi all, a while back I asked a question on antimalware monitoring, and Noa Kuperberg pointed me to the Antimalware assessment. However, last week I noticed Azure Security Center has the same features as the Antimalware assessment, and it even shows that in the pricing and settings. I see that even the free ASC tier has the ProtectionStatus table in the Log Analytics workspace, so I am indeed able to see the status of the antimalware. Now here comes my confusion: I know that the Azure Security Center "Azure Defender On" paid tier has alerting capabilities on things like brute force attacks, but it seems the free tier has alerting on antimalware (from the IaaSAntimalware extension at least) baked in. I tested this with an EICAR test file, and sure enough I am getting alerts. I tested this on several Azure subscriptions that have no Azure Defender subscription, nor trial enabled. I see alerts not only in ASC, but they come to the Activity Log as well, so I can alert from there, even showing me the file path and threat status, whether it was quarantined. My question: is this a happy accident, or is even the free tier supposed to have antimalware alerting from Azure Security Center? Or is that ability going away after a while, like secret trialware? P.S. I am well aware that ASC's capabilities extend beyond just antimalware, but this feature alone would be a serious bonus.