threat protection
19 Topics

Azure Cloud Defender false positive

Cloud Defender threw up an alert on Trojan:Script/Phonzy.B!ml for a Palo Alto virtual firewall. There are no Defender agents (detection was agentless). I cannot find any other incidents or similar issues. The affected file is pps_parport.ko, which is a library file. Currently unable to get the file off the Palo to upload to VirusTotal or a similar website. No other security issues with Azure servers. Is there a way to find out if this is a false positive, or is this system a canary in a coal mine?

New Blog | Effective novelty detection in cloud security domain

In the cloud security domain, we often need to monitor entities – such as users, IP addresses, applications, or access tokens – and their patterns of behavior. We might want to detect ‘novelties’ – unexpected and previously unseen values of these entities – which can indicate security issues. Some examples of such scenarios are:
An IP address belonging to a previously unseen ASN range accesses cloud storage.
A previously unseen application logs in to a SQL database.
A new user logs in to an administration portal.
Read the full blog post: Effective novelty detection in cloud security domain - Microsoft Community Hub

New Blog | Announcing new CNAPP capabilities in Defender for Cloud

In the fast-paced world of cloud computing, security teams are facing unprecedented challenges. As organizations increasingly adopt multicloud environments and prioritize the development of cloud-native applications, the complexity of ensuring robust security has grown exponentially. To tackle these evolving cloud security needs, a powerful solution has emerged – Cloud-Native Application Protection Platforms (CNAPP).
Read the full blog here: Announcing new CNAPP capabilities in Defender for Cloud - Microsoft Community Hub

New Blog | Microsoft Defender for Cloud latest protection against abuse of Azure VM Extensions

Throughout recent years, the IT world has shifted its workloads, management layers, and machines to the cloud, thus introducing a new attack surface, accompanied by new attack vectors. This introduced a tactic for threat actors to deploy their cyber-attacks against organizations’ cloud environments, gaining strong permissions, operating for financial gain, and more. Upon succeeding in compromising an identity with sufficient permissions in Azure, threat actors often try to abuse existing features within the environment that allow them to deploy their malicious activity stealthily, efficiently, and easily, and one special feature is Azure VM extensions.
Read the full blog here: Microsoft Defender for Cloud latest protection against sophisticated abuse of Azure VM Extensions - Microsoft Community Hub

SQL Advanced Threat Protection - Requirements Unclear (Solved)

When configuring Defender for SQL, nothing suggests auditing is required for ATP to work. However, when looking at the audit section remarks, one of the points says "After you've configured your auditing settings, you can turn on the new threat detection feature..." This seems to be a requirement for SQL on Machines; however, is it for Azure SQL workloads (MI & DB)?

Security alerts in Microsoft Defender for Cloud

Hello All, we have received the below security alerts in Microsoft Defender for Cloud for our App Service.
1) NMap scanning detected (for this we got the carrier and organization as Microsoft)
2) Vulnerability scanner detected
3) Suspicious User Agent detected
Our website is Internet facing (public facing), so we cannot put much restriction on our App Service (e.g. IP restriction, SSL certificate). We are unable to investigate the below alerts. We checked the Log Analytics workspace logs and extracted the logs from the caller IP, but could not find much information from them. We also checked and found no impact on our web app.
1) NMap scanning detected (for this we got the carrier and organization as Microsoft)
2) Vulnerability scanner detected
3) Suspicious User Agent detected
Is there any way by which we can investigate why these alerts got generated, and what next action can be taken on this?

New Blog | Incident Triage: Microsoft Defender for Cloud Attack Path Analysis and Microsoft Sentinel

Introduction. If you are actively involved in the process of responding to cybersecurity incidents or work in a capacity that deals with incident response, you understand the criticality of promptly identifying and mitigating security breaches in cloud environments. Timely and accurate incident triaging is crucial to minimize the impact of potential breaches and ensure a proactive security posture. However, in many cases, security analysts are overwhelmed by the sheer volume of incidents and the manual effort required to investigate and prioritize them. To address this challenge, we have developed a solution leveraging Microsoft Defender for Cloud Attack Path Analysis in Microsoft Sentinel to streamline cybersecurity incident triaging and improve response times.
Read the blog: Incident Triage: Microsoft Defender for Cloud Attack Path Analysis and Microsoft Sentinel - Microsoft Community Hub

Deploying and Onboarding 2008 R2 (Solved)

Hi all, we purchased Defender for Business Servers, and I need to install it on some 2008 R2 servers. There is no Defender for Endpoint software, so following the guides, I only have to install the MMA, but then how do I know my server is protected? Do I need to enroll it in Azure? Our servers are on-premise, and I don't know if I need to use Azure Arc (do I need to pay?). Is anyone using Defender for Windows Servers (On-Premise) with the 2008 R2 version? Thanks in advance.

Log Analytics workspace

Hello, can anyone help me understand the workspace used for Defender for Cloud? How do I identify which workspace Defender for Cloud is connected to? The older version of Defender for Cloud clearly mentioned the name of the workspace to which it is connected; the latest version just displays it as "Default Workspace", not the actual name of the workspace, and there are multiple "Default workspaces" in a subscription/tenant. Thanks in Adv.