Become a Microsoft Defender for Cloud Ninja
[Last update: 01/28/2026] This blog post has a curation of many Microsoft Defender for Cloud (formerly known as Azure Security Center and Azure Defender) resources, organized in a format that can help you to go from absolutely no knowledge in Microsoft Defender for Cloud, to design and implement different scenarios. You can use this blog post as a training roadmap to learn more about Microsoft Defender for Cloud. On November 2nd, at Microsoft Ignite 2021, Microsoft announced the rebrand of Azure Security Center and Azure Defender for Microsoft Defender for Cloud. To learn more about this change, read this article. Every month we are adding new updates to this article, and you can track it by checking the red date besides the topic. If you already study all the modules and you are ready for the knowledge check, follow the procedures below: To obtain the Defender for Cloud Ninja Certificate 1. Take this knowledge check here, where you will find questions about different areas and plans available in Defender for Cloud. 2. If you score 80% or more in the knowledge check, request your participation certificate here. If you achieved less than 80%, please review the questions that you got it wrong, study more and take the assessment again. Note: it can take up to 24 hours for you to receive your certificate via email. To obtain the Defender for Servers Ninja Certificate (Introduced in 08/2023) 1. Take this knowledge check here, where you will find only questions related to Defender for Servers. 2. If you score 80% or more in the knowledge check, request your participation certificate here. If you achieved less than 80%, please review the questions that you got it wrong, study more and take the assessment again. Note: it can take up to 24 hours for you to receive your certificate via email. Modules To become an Microsoft Defender for Cloud Ninja, you will need to complete each module. The content of each module will vary, refer to the legend to understand the type of content before clicking in the topic’s hyperlink. The table below summarizes the content of each module: Module Description 0 - CNAPP In this module you will familiarize yourself with the concepts of CNAPP and how to plan Defender for Cloud deployment as a CNAPP solution. 1 – Introducing Microsoft Defender for Cloud and Microsoft Defender Cloud plans In this module you will familiarize yourself with Microsoft Defender for Cloud and understand the use case scenarios. You will also learn about Microsoft Defender for Cloud and Microsoft Defender Cloud plans pricing and overall architecture data flow. 2 – Planning Microsoft Defender for Cloud In this module you will learn the main considerations to correctly plan Microsoft Defender for Cloud deployment. From supported platforms to best practices implementation. 3 – Enhance your Cloud Security Posture In this module you will learn how to leverage Cloud Security Posture management capabilities, such as Secure Score and Attack Path to continuous improvement of your cloud security posture. This module includes automation samples that can be used to facilitate secure score adoption and operations. 4 – Cloud Security Posture Management Capabilities in Microsoft Defender for Cloud In this module you will learn how to use the cloud security posture management capabilities available in Microsoft Defender for Cloud, which includes vulnerability assessment, inventory, workflow automation and custom dashboards with workbooks. 5 – Regulatory Compliance Capabilities in Microsoft Defender for Cloud In this module you will learn about the regulatory compliance dashboard in Microsoft Defender for Cloud and give you insights on how to include additional standards. In this module you will also familiarize yourself with Azure Blueprints for regulatory standards. 6 – Cloud Workload Protection Platform Capabilities in Azure Defender In this module you will learn how the advanced cloud capabilities in Microsoft Defender for Cloud work, which includes JIT, File Integrity Monitoring and Adaptive Application Control. This module also covers how threat protection works in Microsoft Defender for Cloud, the different categories of detections, and how to simulate alerts. 7 – Streaming Alerts and Recommendations to a SIEM Solution In this module you will learn how to use native Microsoft Defender for Cloud capabilities to stream recommendations and alerts to different platforms. You will also learn more about Azure Sentinel native connectivity with Microsoft Defender for Cloud. Lastly, you will learn how to leverage Graph Security API to stream alerts from Microsoft Defender for Cloud to Splunk. 8 – Integrations and APIs In this module you will learn about the different integration capabilities in Microsoft Defender for Cloud, how to connect Tenable to Microsoft Defender for Cloud, and how other supported solutions can be integrated with Microsoft Defender for Cloud. 9 - DevOps Security In this module you will learn more about DevOps Security capabilities in Defender for Cloud. You will be able to follow the interactive guide to understand the core capabilities and how to navigate through the product. 10 - Defender for APIs In this module you will learn more about the new plan announced at RSA 2023. You will be able to follow the steps to onboard the plan and validate the threat detection capability. 11 - AI Posture Management and Workload Protection In this module you will learn more about the risks of Gen AI and how Defender for Cloud can help improve your AI posture management and detect threats against your Gen AI apps. Module 0 - Cloud Native Application Protection Platform (CNAPP) Improving Your Multi-Cloud Security with a CNAPP - a vendor agnostic approach Microsoft CNAPP Solution Planning and Operationalizing Microsoft CNAPP Understanding Cloud Native Application Protection Platforms (CNAPP) Cloud Native Applications Protection Platform (CNAPP) Microsoft CNAPP eBook Understanding CNAPP Why Microsoft Leads the IDC CNAPP MarketScape: Key Insights for Security Decision-Makers Module 1 - Introducing Microsoft Defender for Cloud What is Microsoft Defender for Cloud? A New Approach to Get Your Cloud Risks Under Control Getting Started with Microsoft Defender for Cloud Implementing a CNAPP Strategy to Embed Security From Code to Cloud Boost multicloud security with a comprehensive code to cloud strategy A new name for multi-cloud security: Microsoft Defender for Cloud Common questions about Defender for Cloud MDC Cost Calculator Breaking down security silos: Microsoft Defender for Cloud Expands into the Defender Portal Microsoft Defender for Cloud Customer Newsletter (01/2026) Module 2 – Planning Microsoft Defender for Cloud Features for IaaS workloads Features for PaaS workloads Built-in RBAC Roles in Microsoft Defender for Cloud Enterprise Onboarding Guide Design Considerations for Log Analytics Workspace Onboarding on-premises machines using Windows Admin Center Understanding Security Policies in Microsoft Defender for Cloud Creating Custom Policies Centralized Policy Management in Microsoft Defender for Cloud using Management Groups Planning Data Collection for IaaS VMs Microsoft Defender for Cloud PoC Series – Microsoft Defender for Storage How to Effectively Perform an Microsoft Defender for Cloud PoC Microsoft Defender for Cloud PoC Series – Microsoft Defender CSPM Microsoft Defender for DevOps GitHub Connector - Microsoft Defender for Cloud PoC Series Grant tenant-wide permissions to yourself Simplifying Onboarding to Microsoft Defender for Cloud with Terraform Module 3 – Enhance your Cloud Security Posture How Secure Score affects your governance Cloud secure score in Microsoft Defender for Cloud - Microsoft Defender for Cloud Enhance your Secure Score in Microsoft Defender for Cloud Security recommendations Active User (Public Preview) Resource exemption Create custom security standards and recommendations - Microsoft Defender for Cloud Deliver a Security Score weekly briefing Send Microsoft Defender for Cloud Recommendations to Azure Resource Stakeholders User roles and permissions - Microsoft Defender for Cloud Secure Score Reduction Alert Improved experience for managing the default Azure security policies Security Policy Enhancements in Defender for Cloud Create custom recommendations and security standards Secure Score Overtime Workbook Automation Artifacts for Secure Score Recommendations Connecting Defender for Cloud with Jira Remediation Scripts Module 4 – Cloud Security Posture Management Capabilities in Microsoft Defender for Cloud CSPM in Defender for Cloud Take a Proactive Risk-Based Approach to Securing your Cloud Native Applications Predict future security incidents! Cloud Security Posture Management with Microsoft Defender Software inventory filters added to asset inventory Drive your organization to security actions using Governance experience Managing Asset Inventory in Microsoft Defender for Cloud Vulnerability Assessment Workbook Template Vulnerability Assessment for Containers Implementing Workflow Automation Workflow Automation Artifacts Using Microsoft Defender for Cloud API for Workflow Automation What you need to know when deleting and re-creating the security connector(s) in Defender for Cloud Connect AWS Account with Microsoft Defender for Cloud Video Demo - Connecting AWS accounts Microsoft Defender for Cloud PoC Series - Multi-cloud with AWS Onboarding your AWS/GCP environment to Microsoft Defender for Cloud with Terraform How to better manage cost of API calls that Defender for Cloud makes to AWS Cloud posture management adds serverless protection for Azure and AWS Integrate AWS CloudTrail logs with Microsoft Defender for Cloud Connect GCP Account with Microsoft Defender for Cloud Protecting Containers in GCP with Defender for Containers Video Demo - Connecting GCP Accounts Microsoft Defender for Cloud PoC Series - Multicloud with GCP All You Need to Know About Microsoft Defender for Cloud Multicloud Protection Custom recommendations for AWS and GCP 31 new and enhanced multicloud regulatory standards coverage Azure Monitor Workbooks integrated into Microsoft Defender for Cloud and three templates provided How to Generate a Microsoft Defender for Cloud exemption and disable policy report Exempt resources at scale - Microsoft Defender for Cloud Cloud security posture and contextualization across cloud boundaries from a single dashboard Best Practices to Manage and Mitigate Security Recommendations Defender CSPM Defender CSPM Plan Options Go Beyond Checkboxes: Proactive Cloud Security with Microsoft Defender CSPM What’s New in Microsoft Defender CSPM (01/2026) Cloud Security Explorer Identify and remediate attack paths Agentless scanning for machines Cloud security explorer and Attack path analysis Governance Rules at Scale Governance Improvements Data Security Aware Posture Management Fast-Start Checklist for Microsoft Defender CSPM: From Enablement to Best Practices Unlocking API visibility: Defender for Cloud Expands API security to Function Apps and Logic Apps A Proactive Approach to Cloud Security Posture Management with Microsoft Defender for Cloud Prioritize Risk remediation with Microsoft Defender for Cloud Attack Path Analysis Understanding data aware security posture capability Agentless Container Posture Agentless Container Posture Management Microsoft Defender for Cloud - Automate Notifications when new Attack Paths are created Proactively secure your Google Cloud Resources with Microsoft Defender for Cloud Demystifying Defender CSPM Discover and Protect Sensitive Data with Defender for Cloud Defender for cloud's Agentless secret scanning for virtual machines is now generally available! Defender CSPM Support for GCP Data Security Dashboard Agentless Container Posture Management in Multicloud Agentless malware scanning for servers Recommendation Prioritization Unified insights from Microsoft Entra Permissions Management Defender CSPM Internet Exposure Analysis Future-Proofing Cloud Security with Defender CSPM ServiceNow's integration now includes Configuration Compliance module Agentless code scanning for GitHub and Azure DevOps (preview) 🚀 Suggested Labs: Improving your Secure Posture Connecting a GCP project Connecting an AWS project Defender CSPM Agentless container posture through Defender CSPM Contextual Security capabilities for AWS using Defender CSPM Module 5 – Regulatory Compliance Capabilities in Microsoft Defender for Cloud Understanding Regulatory Compliance Capabilities in Microsoft Defender for Cloud Adding new regulatory compliance standards Regulatory Compliance workbook Regulatory compliance dashboard now includes Azure Audit reports Microsoft cloud security benchmark: Azure compute benchmark is now aligned with CIS! Updated naming format of Center for Internet Security (CIS) standards in regulatory compliance CIS Azure Foundations Benchmark v2.0.0 in regulatory compliance dashboard Spanish National Security Framework (Esquema Nacional de Seguridad (ENS)) added to regulatory compliance dashboard for Azure Microsoft Defender for Cloud Adds Four New Regulatory Frameworks | Microsoft Community Hub 🚀 Suggested Lab: Regulatory Compliance Module 6 – Cloud Workload Protection Platform Capabilities in Microsoft Defender for Clouds Understanding Just-in-Time VM Access Implementing JIT VM Access File Integrity Monitoring in Microsoft Defender Understanding Threat Protection in Microsoft Defender Performing Advanced Risk Hunting in Defender for Cloud Microsoft Defender for Servers Demystifying Defender for Servers Onboarding directly (without Azure Arc) to Defender for Servers Agentless secret scanning for virtual machines in Defender for servers P2 & DCSPM Vulnerability Management in Defender for Cloud File Integrity Monitoring using Microsoft Defender for Endpoint Microsoft Defender for Containers Basics of Defender for Containers Secure your Containers from Build to Runtime Guarding Kubernetes Deployments: Runtime Gating for Vulnerable Images Now Generally Available (01/2026) AWS ECR Coverage in Defender for Containers Upgrade to Microsoft Defender Vulnerability Management End to end container security with unified SOC experience Binary drift detection episode Binary drift detection Cloud Detection Response experience Exploring the Latest Container Security Updates from Microsoft Ignite 2024 Unveiling Kubernetes lateral movement and attack paths with Microsoft Defender for Cloud Onboarding Docker Hub and JFrog Artifactory Improvements in Container’s Posture Management New AKS Security Dashboard in Defender for Cloud The Risk of Default Configuration: How Out-of-the-Box Helm Charts Can Breach Your Cluster Your cluster, your rules: Helm support for container security with Microsoft Defender for Cloud Microsoft Defender for Storage Protect your storage resources against blob-hunting Malware Scanning in Defender for Storage What's New in Defender for Storage Defender for Storage: Malware Scan Error Message Update Protecting Cloud Storage in the Age of AI Key findings from product telemetry: top storage security alerts across industries Microsoft Defender for SQL New Defender for SQL VA Defender for SQL on Machines Enhanced Agent Update Microsoft Defender for SQL Anywhere New autoprovisioning process for SQL Server on machines plan Enhancements for protecting hosted SQL servers across clouds and hybrid environments Defender for Open-Source Relational Databases Multicloud Microsoft Defender for KeyVault Microsoft Defender for AppService Microsoft Defender for Resource Manager Understanding Security Incident Security Alert Correlation Alert Reference Guide 'Copy alert JSON' button added to security alert details pane Alert Suppression Simulating Alerts in Microsoft Defender for Cloud Alert validation Simulating alerts for Windows Simulating alerts for Containers Simulating alerts for Storage Simulating alerts for Microsoft Key Vault Simulating alerts for Microsoft Defender for Resource Manager Integration with Microsoft Defender for Endpoint Auto-provisioning of Microsoft Defender for Endpoint unified solution Resolve security threats with Microsoft Defender for Cloud Protect your servers and VMs from brute-force and malware attacks with Microsoft Defender for Cloud Filter security alerts by IP address Alerts by resource group Defender for Servers Security Alerts Improvements From visibility to action: The power of cloud detection and response 🚀 Suggested Labs: Workload Protections Agentless container vulnerability assessment scanning Microsoft Defender for Cloud database protection Protecting On-Prem Servers in Defender for Cloud Defender for Storage Module 7 – Streaming Alerts and Recommendations to a SIEM Solution Continuous Export capability in Microsoft Defender for Cloud Deploying Continuous Export using Azure Policy Connecting Microsoft Sentinel with Microsoft Defender for Cloud Stream alerts to monitoring solutions - Microsoft Defender for Cloud | Microsoft Learn Microsoft Sentinel bi-directional alert synchronization 🚀 Suggested Lab: Exporting Microsoft Defender for Cloud information to a SIEM Module 8 – Integrations and APIs Integration with Tenable Integrate security solutions in Microsoft Defender for Cloud Defender for Cloud integration with Defender EASM Defender for Cloud integration with Defender TI REST APIs for Microsoft Defender for Cloud Using Graph Security API to Query Alerts in Microsoft Defender for Cloud Automate(d) Security with Microsoft Defender for Cloud and Logic Apps Automating Cloud Security Posture and Cloud Workload Protection Responses Module 9 – DevOps Security Overview of Microsoft Defender for Cloud DevOps Security DevOps Security Interactive Guide Configure the Microsoft Security DevOps Azure DevOps extension Configure the Microsoft Security DevOps GitHub action Automate SecOps to Developer Communication with Defender for DevOps Compliance for Exposed Secrets Discovered by DevOps Security Automate DevOps Security Recommendation Remediation DevOps Security Workbook Remediating Security Issues in Code with Pull Request Annotations Code to Cloud Security using Microsoft Defender for DevOps GitHub Advanced Security for Azure DevOps alerts in Defender for Cloud Securing your GitLab Environment with Microsoft Defender for Cloud Bridging the Gap Between Code and Cloud with Defender for Cloud Integrate Defender for Cloud CLI with CI/CD pipelines Code Reachability Analysis 🚀 Suggested Labs: Onboarding Azure DevOps to Defender for Cloud Onboarding GitHub to Defender for Cloud Module 10 – Defender for APIs What is Microsoft Defender for APIs? Onboard Defender for APIs Validating Microsoft Defender for APIs Alerts API Security with Defender for APIs Microsoft Defender for API Security Dashboard Exempt functionality now available for Defender for APIs recommendations Create sample alerts for Defender for APIs detections Defender for APIs reach GA Increasing API Security Testing Visibility Boost Security with API Security Posture Management 🚀 Suggested Lab: Defender for APIs Module 11 – AI Posture Management and Threat Protection Secure your AI applications from code to runtime with Microsoft Defender for Cloud AI security posture management AI threat protection Secure your AI applications from code to runtime Data and AI security dashboard Protecting Azure AI Workloads using Threat Protection for AI in Defender for Cloud Plug, Play, and Prey: The security risks of the Model Context Protocol Learn Live: Enable advanced threat protection for AI workloads with Microsoft Defender for Cloud Microsoft AI Security Story: Protection Across the Platform Microsoft Defender for AI Alerts Demystifying AI Security Posture Management Part 3: Unified Security Intelligence - Orchestrating GenAI Threat Detection with Microsoft Sentinel A new era of agents, a new era of posture | Microsoft Security Blog (01/2026) 🚀 Suggested Lab: Security for AI workloads Are you ready to take your knowledge check? If so, click here. If you score 80% or more in the knowledge check, request your participation certificate here. If you achieved less than 80%, please review the questions that you got it wrong, study more and take the assessment again. Note: it can take up to 24 hours for you to receive your certificate via email. Other Resources Microsoft Defender for Cloud Labs Become an Microsoft Sentinel Ninja Become an MDE Ninja Cross-product lab (Defend the Flag) Release notes (updated every month) Important upcoming changes Have a great time ramping up in Microsoft Defender for Cloud and becoming a Microsoft Defender for Cloud Ninja!! Reviewer: Tom Janetscheck, Senior PMExtending Defender’s AI Threat Protection to Microsoft Foundry Agents
Today’s blog post introduces new capabilities to strengthen the security and governance of AI agents using Microsoft Foundry Agent Service and explores how Microsoft Defender helps organizations secure Foundry agents as they move from experimentation to production.Microsoft Defender for Cloud Customer Newsletter
What's new in Defender for Cloud? Now in public preview, Microsoft Security Private Link allows for private connectivity between Defender for Cloud and your workloads. For more information, see our public documentation. Blogs of the month In January, our team published the following blog posts we would like to share: Guarding Kubernetes Deployments: Runtime gating for vulnerable images now GA Architecting Trust: A NIST-Based Security Governance Framework for AI Agents Defender for Cloud in the field Revisit the announcement on the CloudStorageAggregatedEvents table in XDR’s Advanced Hunting experience. Storage aggregated logs in XDR’s advanced hunting Visit our YouTube page GitHub Community Update your Defender for SQL on machines extension at scale Update Defender for SQL extension at scale Visit our GitHub page Customer journey Discover how other organizations successfully use Microsoft Defender for Cloud to protect their cloud workloads. This month we are featuring Toyota Leasing Thailand. Toyota Leasing Thailand, a financial services subsidiary of Toyota, provides financing, insurance and mobility services and is entrusted with sensitive personal data. Integrating with Defender, Entra and Purview, Security Copilot provided the SOC and the IT team a unified view, streamlined operations and reporting to reduce response times on phishing attacks from hours to minutes. Join our community! We offer several customer connection programs within our private communities. By signing up, you can help us shape our products through activities such as reviewing product roadmaps, participating in co-design, previewing features, and staying up-to-date with announcements. Sign up at aka.ms/JoinCCP. We greatly value your input on the types of content that enhance your understanding of our security products. Your insights are crucial in guiding the development of our future public content. We aim to deliver material that not only educates but also resonates with your daily security challenges. Whether it’s through in-depth live webinars, real-world case studies, comprehensive best practice guides through blogs, or the latest product updates, we want to ensure our content meets your needs. Please submit your feedback on which of these formats do you find most beneficial and are there any specific topics you’re interested in https://aka.ms/PublicContentFeedback. Note: If you want to stay current with Defender for Cloud and receive updates in your inbox, please consider subscribing to our monthly newsletter: https://aka.ms/MDCNewsSubscribe
Part 3: Unified Security Intelligence - Orchestrating GenAI Threat Detection with Microsoft Sentinel
Why Sentinel for GenAI Security Observability? Before diving into detection rules, let's address why Microsoft Sentinel is uniquely positioned for GenAI security operations—especially compared to traditional or non-native SIEMs. Native Azure Integration: Zero ETL Overhead The problem with external SIEMs: To monitor your GenAI workloads with a third-party SIEM, you need to: Configure log forwarding from Log Analytics to external systems Set up data connectors or agents for Azure OpenAI audit logs Create custom parsers for Azure-specific log schemas Maintain authentication and network connectivity between Azure and your SIEM Pay data egress costs for logs leaving Azure The Sentinel advantage: Your logs are already in Azure. Sentinel connects directly to: Log Analytics workspace - Where your Container Insights logs already flow Azure OpenAI audit logs - Native access without configuration Azure AD sign-in logs - Instant correlation with identity events Defender for Cloud alerts - Platform-level AI threat detection included Threat intelligence feeds - Microsoft's global threat data built-in Microsoft Defender XDR - AI-driven cybersecurity that unifies threat detection and response across endpoints, email, identities, cloud apps and Sentinel There's no data movement, no ETL pipelines, and no latency from log shipping. Your GenAI security data is queryable in real-time. KQL: Built for Complex Correlation at Scale Why this matters for GenAI: Detecting sophisticated AI attacks requires correlating: Application logs (your code from Part 2) Azure OpenAI service logs (API calls, token usage, throttling) Identity signals (who authenticated, from where) Threat intelligence (known malicious IPs) Defender for Cloud alerts (platform-level anomalies) KQL's advantage: Kusto Query Language is designed for this. You can: Join across multiple data sources in a single query Parse nested JSON (like your structured logs) natively Use time-series analysis functions for anomaly detection and behavior patterns Aggregate millions of events in seconds Extract entities (users, IPs, sessions) automatically for investigation graphs Example: Correlating your app logs with Azure AD sign-ins and Defender alerts takes 10 lines of KQL. In a traditional SIEM, this might require custom scripts, data normalization, and significantly slower performance. User Security Context Flows Natively Remember the user_security_context you pass in extra_body from Part 2? That context: Automatically appears in Azure OpenAI's audit logs Flows into Defender for Cloud AI alerts Is queryable in Sentinel without custom parsing Maps to the same identity schema as Azure AD logs With external SIEMs: You'd need to: Extract user context from your application logs Separately ingest Azure OpenAI logs Write correlation logic to match them Maintain entity resolution across different data sources With Sentinel: It just works. The end_user_id, source_ip, and application_name are already normalized across Azure services. Built-In AI Threat Detection Sentinel includes pre-built detections for cloud and AI workloads: Azure OpenAI anomalous access patterns (out of the box) Unusual token consumption (built-in analytics templates) Geographic anomalies (using Azure's global IP intelligence) Impossible travel detection (cross-referencing sign-ins with AI API calls) Microsoft Defender XDR (correlation with endpoint, email, cloud app signals) These aren't generic "high volume" alerts—they're tuned for Azure AI services by Microsoft's security research team. You can use them as-is or customize them with your application-specific context. Entity Behavior Analytics (UEBA) Sentinel's UEBA automatically builds baselines for: Normal request volumes per user Typical request patterns per application Expected geographic access locations Standard model usage patterns Then it surfaces anomalies: "User_12345 normally makes 10 requests/day, suddenly made 500 in an hour" "Application_A typically uses GPT-3.5, suddenly switched to GPT-4 exclusively" "User authenticated from Seattle, made AI requests from Moscow 10 minutes later" This behavior modeling happens automatically—no custom ML model training required. Traditional SIEMs would require you to build this logic yourself. The Bottom Line For GenAI security on Azure: Sentinel reduces time-to-detection because data is already there Correlation is simpler because everything speaks the same language Investigation is faster because entities are automatically linked Cost is lower because you're not paying data egress fees Maintenance is minimal because connectors are native If your GenAI workloads are on Azure, using anything other than Sentinel means fighting against the platform instead of leveraging it. From Logs to Intelligence: The Complete Picture Your structured logs from Part 2 are flowing into Log Analytics. Here's what they look like: { "timestamp": "2025-10-21T14:32:17.234Z", "level": "INFO", "message": "LLM Request Received", "request_id": "a7c3e9f1-4b2d-4a8e-9c1f-3e5d7a9b2c4f", "session_id": "550e8400-e29b-41d4-a716-446655440000", "prompt_hash": "d3b07384d113edec49eaa6238ad5ff00", "security_check_passed": "PASS", "source_ip": "203.0.113.42", "end_user_id": "user_550e8400", "application_name": "AOAI-Customer-Support-Bot", "model_deployment": "gpt-4-turbo" } These logs are in the ContainerLogv2 table since our application “AOAI-Customer-Support-Bot” is running on Azure Kubernetes Services (AKS). Steps to Setup AKS to stream logs to Sentinel/Log Analytics From Azure portal, navigate to your AKS, then to Monitoring -> Insights Select Monitor Settings Under Container Logs Select the Sentinel-enabled Log Analytics workspace Select Logs and events Check the ‘Enable ContainerLogV2’ and ‘Enable Syslog collection’ options More details can be found at this link Kubernetes monitoring in Azure Monitor - Azure Monitor | Microsoft Learn Critical Analytics Rules: What to Detect and Why Rule 1: Prompt Injection Attack Detection Why it matters: Prompt injection is the GenAI equivalent of SQL injection. Attackers try to manipulate the model by overriding system instructions. Multiple attempts indicate intentional malicious behavior. What to detect: 3+ prompt injection attempts within 10 minutes from similar IP let timeframe = 1d; let threshold = 3; AlertEvidence | where TimeGenerated >= ago(timeframe) and EntityType == "Ip" | where DetectionSource == "Microsoft Defender for AI Services" | where Title contains "jailbreak" or Title contains "prompt injection" | summarize count() by bin (TimeGenerated, 1d), RemoteIP | where count_ >= threshold What the SOC sees: User identity attempting injection Source IP and geographic location Sample prompts for investigation Frequency indicating automation vs. manual attempts Severity: High (these are actual attempts to bypass security) Rule 2: Content Safety Filter Violations Why it matters: When Azure AI Content Safety blocks a request, it means harmful content (violence, hate speech, etc.) was detected. Multiple violations indicate intentional abuse or a compromised account. What to detect: Users with 3+ content safety violations in a 1 hour block during a 24 hour time period. let timeframe = 1d; let threshold = 3; ContainerLogV2 | where TimeGenerated >= ago(timeframe) | where isnotempty(LogMessage.end_user_id) | where LogMessage.security_check_passed == "FAIL" | extend source_ip=tostring(LogMessage.source_ip) | extend end_user_id=tostring(LogMessage.end_user_id) | extend session_id=tostring(LogMessage.session_id) | extend application_name = tostring(LogMessage.application_name) | extend security_check_passed = tostring (LogMessage.security_check_passed) | summarize count() by bin(TimeGenerated, 1h),source_ip,end_user_id,session_id,Computer,application_name,security_check_passed | where count_ >= threshold What the SOC sees: Severity based on violation count Time span showing if it's persistent vs. isolated Prompt samples (first 80 chars) for context Session ID for conversation history review Severity: High (these are actual harmful content attempts) Rule 3: Rate Limit Abuse Why it matters: Persistent rate limit violations indicate automated attacks, credential stuffing, or attempts to overwhelm the system. Legitimate users who hit rate limits don't retry 10+ times in minutes. What to detect: Users blocked by rate limiter 5+ times in 10 minutes let timeframe = 1h; let threshold = 5; AzureDiagnostics | where ResourceProvider == "MICROSOFT.COGNITIVESERVICES" | where OperationName == "Completions" or OperationName contains "ChatCompletions" | extend tokensUsed = todouble(parse_json(properties_s).usage.total_tokens) | summarize totalTokens = sum(tokensUsed), requests = count(), rateLimitErrors = countif(httpstatuscode_s == "429") by bin(TimeGenerated, 1h) | where count_ >= threshold What the SOC sees: Whether it's a bot (immediate retries) or human (gradual retries) Duration of attack Which application is targeted Correlation with other security events from same user/IP Severity: Medium (nuisance attack, possible reconnaissance) Rule 4: Anomalous Source IP for User Why it matters: A user suddenly accessing from a new country or VPN could indicate account compromise. This is especially critical for privileged accounts or after-hours access. What to detect: User accessing from an IP never seen in the last 7 days let lookback = 7d; let recent = 1h; let baseline = IdentityLogonEvents | where Timestamp between (ago(lookback + recent) .. ago(recent)) | where isnotempty(IPAddress) | summarize knownIPs = make_set(IPAddress) by AccountUpn; ContainerLogV2 | where TimeGenerated >= ago(recent) | where isnotempty(LogMessage.source_ip) | extend source_ip=tostring(LogMessage.source_ip) | extend end_user_id=tostring(LogMessage.end_user_id) | extend session_id=tostring(LogMessage.session_id) | extend application_name = tostring(LogMessage.application_name) | extend security_check_passed = tostring (LogMessage.security_check_passed) | extend full_prompt_sample = tostring (LogMessage.full_prompt_sample) | lookup baseline on $left.AccountUpn == $right.end_user_id | where isnull(knownIPs) or IPAddress !in (knownIPs) | project TimeGenerated, source_ip, end_user_id, session_id, Computer, application_name, security_check_passed, full_prompt_sample What the SOC sees: User identity and new IP address Geographic location change Whether suspicious prompts accompanied the new IP Timing (after-hours access is higher risk) Severity: Medium (environment compromise, reconnaissance) Rule 5: Coordinated Attack - Same Prompt from Multiple Users Why it matters: When 5+ users send identical prompts, it indicates a bot network, credential stuffing, or organized attack campaign. This is not normal user behavior. What to detect: Same prompt hash from 5+ different users within 1 hour let timeframe = 1h; let threshold = 5; ContainerLogV2 | where TimeGenerated >= ago(timeframe) | where isnotempty(LogMessage.prompt_hash) | where isnotempty(LogMessage.end_user_id) | extend source_ip=tostring(LogMessage.source_ip) | extend end_user_id=tostring(LogMessage.end_user_id) | extend prompt_hash=tostring(LogMessage.prompt_hash) | extend application_name = tostring(LogMessage.application_name) | extend security_check_passed = tostring (LogMessage.security_check_passed) | project TimeGenerated, prompt_hash, source_ip, end_user_id, application_name, security_check_passed | summarize DistinctUsers = dcount(end_user_id), Attempts = count(), Users = make_set(end_user_id, 100), IpAddress = make_set(source_ip, 100) by prompt_hash, bin(TimeGenerated, 1h) | where DistinctUsers >= threshold What the SOC sees: Attack pattern (single attacker with stolen accounts vs. botnet) List of compromised user accounts Source IPs for blocking Prompt sample to understand attack goal Severity: High (indicates organized attack) Rule 6: Malicious model detected Why it matters: Model serialization attacks can lead to serious compromise. When Defender for Cloud Model Scanning identifies issues with a custom or opensource model that is part of Azure ML Workspace, Registry, or hosted in Foundry, that may be or may not be a user oversight. What to detect: Model scan results from Defender for Cloud and if it is being actively used. What the SOC sees: Malicious model Applications leveraging the model Source IPs and users accessed the model Severity: Medium (can be user oversight) Advanced Correlation: Connecting the Dots The power of Sentinel is correlating your application logs with other security signals. Here are the most valuable correlations: Correlation 1: Failed GenAI Requests + Failed Sign-Ins = Compromised Account Why: Account showing both authentication failures and malicious AI prompts is likely compromised within a 1 hour timeframe l let timeframe = 1h; ContainerLogV2 | where TimeGenerated >= ago(timeframe) | where isnotempty(LogMessage.source_ip) | extend source_ip=tostring(LogMessage.source_ip) | extend end_user_id=tostring(LogMessage.end_user_id) | extend session_id=tostring(LogMessage.session_id) | extend application_name = tostring(LogMessage.application_name) | extend security_check_passed = tostring (LogMessage.security_check_passed) | extend full_prompt_sample = tostring (LogMessage.full_prompt_sample) | extend message = tostring (LogMessage.message) | where security_check_passed == "FAIL" or message contains "WARNING" | join kind=inner ( SigninLogs | where ResultType != 0 // 0 means success, non-zero indicates failure | project TimeGenerated, UserPrincipalName, ResultType, ResultDescription, IPAddress, Location, AppDisplayName ) on $left.end_user_id == $right.UserPrincipalName | project TimeGenerated, source_ip, end_user_id, application_name, full_prompt_sample, prompt_hash, message, security_check_passed Severity: High (High probability of compromise) Correlation 2: Application Logs + Defender for Cloud AI Alerts Why: Defender for Cloud AI Threat Protection detects platform-level threats (unusual API patterns, data exfiltration attempts). When both your code and the platform flag the same user, confidence is very high. let timeframe = 1h; ContainerLogV2 | where TimeGenerated >= ago(timeframe) | where isnotempty(LogMessage.source_ip) | extend source_ip=tostring(LogMessage.source_ip) | extend end_user_id=tostring(LogMessage.end_user_id) | extend session_id=tostring(LogMessage.session_id) | extend application_name = tostring(LogMessage.application_name) | extend security_check_passed = tostring (LogMessage.security_check_passed) | extend full_prompt_sample = tostring (LogMessage.full_prompt_sample) | extend message = tostring (LogMessage.message) | where security_check_passed == "FAIL" or message contains "WARNING" | join kind=inner ( AlertEvidence | where TimeGenerated >= ago(timeframe) and AdditionalFields.Asset == "true" | where DetectionSource == "Microsoft Defender for AI Services" | project TimeGenerated, Title, CloudResource ) on $left.application_name == $right.CloudResource | project TimeGenerated, application_name, end_user_id, source_ip, Title Severity: Critical (Multi-layer detection) Correlation 3: Source IP + Threat Intelligence Feeds Why: If requests come from known malicious IPs (C2 servers, VPN exit nodes used in attacks), treat them as high priority even if behavior seems normal. //This rule correlates GenAI app activity with Microsoft Threat Intelligence feed available in Sentinel and Microsoft XDR for malicious IP IOCs let timeframe = 10m; ContainerLogV2 | where TimeGenerated >= ago(timeframe) | where isnotempty(LogMessage.source_ip) | extend source_ip=tostring(LogMessage.source_ip) | extend end_user_id=tostring(LogMessage.end_user_id) | extend session_id=tostring(LogMessage.session_id) | extend application_name = tostring(LogMessage.application_name) | extend security_check_passed = tostring (LogMessage.security_check_passed) | extend full_prompt_sample = tostring (LogMessage.full_prompt_sample) | join kind=inner ( ThreatIntelIndicators | where IsActive == "true" | where ObservableKey startswith "ipv4-addr" or ObservableKey startswith "network-traffic" | project IndicatorIP = ObservableValue ) on $left.source_ip == $right.IndicatorIP | project TimeGenerated, source_ip, end_user_id, application_name, full_prompt_sample, security_check_passed Severity: High (Known bad actor) Workbooks: What Your SOC Needs to See Executive Dashboard: GenAI Security Health Purpose: Leadership wants to know: "Are we secure?" Answer with metrics. Key visualizations: Security Status Tiles (24 hours) Total Requests Success Rate Blocked Threats (Self detected + Content Safety + Threat Protection for AI) Rate Limit Violations Model Security Score (Red Team evaluation status of currently deployed model) ContainerLogV2 | where TimeGenerated > ago (1d) | extend security_check_passed = tostring (LogMessage.security_check_passed) | summarize SuccessCount=countif(security_check_passed == "PASS"), FailedCount=countif(security_check_passed == "FAIL") by bin(TimeGenerated, 1h) | extend TotalRequests = SuccessCount + FailedCount | extend SuccessRate = todouble(SuccessCount)/todouble(TotalRequests) * 100 | order by SuccessRate 1. Trend Chart: Pass vs. Fail Over Time Shows if attack volume is increasing Identifies attack time windows Validates that defenses are working ContainerLogV2 | where TimeGenerated > ago (14d) | extend security_check_passed = tostring (LogMessage.security_check_passed) | summarize SuccessCount=countif(security_check_passed == "PASS"), FailedCount=countif(security_check_passed == "FAIL") by bin(TimeGenerated, 1d) | render timechart 2. Top 10 Users by Security Events Bar chart of users with most failures ContainerLogV2 | where TimeGenerated > ago (1d) | where isnotempty(LogMessage.end_user_id) | extend end_user_id=tostring(LogMessage.end_user_id) | extend security_check_passed = tostring (LogMessage.security_check_passed) | where security_check_passed == "FAIL" | summarize FailureCount = count() by end_user_id | top 20 by FailureCount | render barchart Applications with most failures ContainerLogV2 | where TimeGenerated > ago (1d) | where isnotempty(LogMessage.application_name) | extend application_name=tostring(LogMessage.application_name) | extend security_check_passed = tostring (LogMessage.security_check_passed) | where security_check_passed == "FAIL" | summarize FailureCount = count() by application_name | top 20 by FailureCount | render barchart 3. Geographic Threat Map Where are attacks originating? Useful for geo-blocking decisions ContainerLogV2 | where TimeGenerated > ago (1d) | where isnotempty(LogMessage.application_name) | extend application_name=tostring(LogMessage.application_name) | extend source_ip=tostring(LogMessage.source_ip) | extend security_check_passed = tostring (LogMessage.security_check_passed) | where security_check_passed == "FAIL" | extend GeoInfo = geo_info_from_ip_address(source_ip) | project sourceip, GeoInfo.counrty, GeoInfo.city Analyst Deep-Dive: User Behavior Analysis Purpose: SOC analyst investigating a specific user or session Key components: 1. User Activity Timeline Every request from the user in time order ContainerLogV2 | where isnotempty(LogMessage.end_user_id) | project TimeGenerated, LogMessage.source_ip, LogMessage.end_user_id, LogMessage. session_id, Computer, LogMessage.application_name, LogMessage.request_id, LogMessage.message, LogMessage.full_prompt_sample | order by tostring(LogMessage_end_user_id), TimeGenerated Color-coded by security status AlertInfo | where DetectionSource == "Microsoft Defender for AI Services" | project TimeGenerated, AlertId, Title, Category, Severity, SeverityColor = case( Severity == "High", "🔴 High", Severity == "Medium", "🟠 Medium", Severity == "Low", "🟢 Low", "⚪ Unknown" ) 2. Session Analysis Table All sessions for the user ContainerLogV2 | where TimeGenerated > ago (1d) | where isnotempty(LogMessage.end_user_id) | extend end_user_id=tostring(LogMessage.end_user_id) | where end_user_id == "<username>" // Replace with actual username | extend application_name=tostring(LogMessage.application_name) | extend source_ip=tostring(LogMessage.source_ip) | extend session_id=tostri1ng(LogMessage.session_id) | extend security_check_passed = tostring (LogMessage.security_check_passed) | project TimeGenerated, session_id, end_user_id, application_name, security_check_passed Failed requests per session ContainerLogV2 | where TimeGenerated > ago (1d) | extend security_check_passed = tostring (LogMessage.security_check_passed) | where security_check_passed == "FAIL" | extend end_user_id=tostring(LogMessage.end_user_id) | extend session_id=tostring(LogMessage.session_id) | extend security_check_passed = tostring (LogMessage.security_check_passed) | summarize Failed_Sessions = count() by end_user_id, session_id | order by Failed_Sessions Session duration ContainerLogV2 | where TimeGenerated > ago (1d) | where isnotempty(LogMessage.session_id) | extend security_check_passed = tostring (LogMessage.security_check_passed) | where security_check_passed == "PASS" | extend end_user_id=tostring(LogMessage.end_user_id) | extend session_id=tostring(LogMessage.session_id) | extend application_name=tostring(LogMessage.application_name) | extend source_ip=tostring(LogMessage.source_ip) | summarize Start=min(TimeGenerated), End=max(TimeGenerated), count() by end_user_id, session_id, source_ip, application_name | extend DurationSeconds = datetime_diff("second", End, Start) 3. Prompt Pattern Detection Unique prompts by hash Frequency of each pattern Detect if user is fuzzing/testing boundaries Sample query for user investigation: ContainerLogV2 | where TimeGenerated > ago (14d) | where isnotempty(LogMessage.prompt_hash) | where isnotempty(LogMessage.full_prompt_sample) | extend prompt_hash=tostring(LogMessage.prompt_hash) | extend full_prompt_sample=tostring(LogMessage.full_prompt_sample) | extend application_name=tostring(LogMessage.application_name) | summarize count() by prompt_hash, full_prompt_sample | order by count_ Threat Hunting Dashboard: Proactive Detection Purpose: Find threats before they trigger alerts Key queries: 1. Suspicious Keywords in Prompts (e.g. Ignore, Disregard, system prompt, instructions, DAN, jailbreak, pretend, roleplay) let suspicious_prompts = externaldata (content_policy:int, content_policy_name:string, q_id:int, question:string) [ @"https://raw.githubusercontent.com/verazuo/jailbreak_llms/refs/heads/main/data/forbidden_question/forbidden_question_set.csv"] with (format="csv", has_header_row=true, ignoreFirstRecord=true); ContainerLogV2 | where TimeGenerated > ago (14d) | where isnotempty(LogMessage.full_prompt_sample) | extend full_prompt_sample=tostring(LogMessage.full_prompt_sample) | where full_prompt_sample in (suspicious_prompts) | extend end_user_id=tostring(LogMessage.end_user_id) | extend session_id=tostring(LogMessage.session_id) | extend application_name=tostring(LogMessage.application_name) | extend source_ip=tostring(LogMessage.source_ip) | project TimeGenerated, session_id, end_user_id, source_ip, application_name, full_prompt_sample 2. High-Volume Anomalies User sending too many requests by a IP or User. Assuming that Foundry Projects are configured to use Azure AD and not API Keys. //50+ requests in 1 hour let timeframe = 1h; let threshold = 50; AzureDiagnostics | where ResourceProvider == "MICROSOFT.COGNITIVESERVICES" | where OperationName == "Completions" or OperationName contains "ChatCompletions" | extend tokensUsed = todouble(parse_json(properties_s).usage.total_tokens) | summarize totalTokens = sum(tokensUsed), requests = count() by bin(TimeGenerated, 1h),CallerIPAddress | where count_ >= threshold 3. Rare Failures (Novel Attack Detection) Rare failures might indicate zero-day prompts or new attack techniques //10 or more failures in 24 hours ContainerLogV2 | where TimeGenerated >= ago (24h) | where isnotempty(LogMessage.security_check_passed) | extend security_check_passed=tostring(LogMessage.security_check_passed) | where security_check_passed == "FAIL" | extend application_name=tostring(LogMessage.application_name) | extend end_user_id=tostring(LogMessage.end_user_id) | extend source_ip=tostring(LogMessage.source_ip) | summarize FailedAttempts = count(), FirstAttempt=min(TimeGenerated), LastAttempt=max(TimeGenerated) by application_name | extend DurationHours = datetime_diff('hour', LastAttempt, FirstAttempt) | where DurationHours >= 24 and FailedAttempts >=10 | project application_name, FirstAttempt, LastAttempt, DurationHours, FailedAttempts Measuring Success: Security Operations Metrics Key Performance Indicators Mean Time to Detect (MTTD): let AppLog = ContainerLogV2 | extend application_name=tostring(LogMessage.application_name) | extend security_check_passed=tostring (LogMessage.security_check_passed) | extend session_id=tostring(LogMessage.session_id) | extend end_user_id=tostring(LogMessage.end_user_id) | extend source_ip=tostring(LogMessage.source_ip) | where security_check_passed=="FAIL" | summarize FirstLogTime=min(TimeGenerated) by application_name, session_id, end_user_id, source_ip; let Alert = AlertEvidence | where DetectionSource == "Microsoft Defender for AI Services" | extend end_user_id = tostring(AdditionalFields.AadUserId) | extend source_ip=RemoteIP | extend application_name=CloudResource | summarize FirstAlertTime=min(TimeGenerated) by AlertId, Title, application_name, end_user_id, source_ip; AppLog | join kind=inner (Alert) on application_name, end_user_id, source_ip | extend DetectionDelayMinutes=datetime_diff('minute', FirstAlertTime, FirstLogTime) | summarize MTTD_Minutes=round(avg (DetectionDelayMinutes),2) by AlertId, Title Target: <= 15 minutes from first malicious activity to alert Mean Time to Respond (MTTR): SecurityIncident | where Status in ("New", "Active") | where CreatedTime >= ago(14d) | extend ResponseDelay = datetime_diff('minute', LastActivityTime, FirstActivityTime) | summarize MTTR_Minutes = round (avg (ResponseDelay),2) by CreatedTime, IncidentNumber | order by CreatedTime, IncidentNumber asc Target: < 4 hours from alert to remediation Threat Detection Rate: ContainerLogV2 | where TimeGenerated > ago (1d) | extend security_check_passed = tostring (LogMessage.security_check_passed) | summarize SuccessCount=countif(security_check_passed == "PASS"), FailedCount=countif(security_check_passed == "FAIL") by bin(TimeGenerated, 1h) | extend TotalRequests = SuccessCount + FailedCount | extend SuccessRate = todouble(SuccessCount)/todouble(TotalRequests) * 100 | order by SuccessRate Context: 1-3% is typical for production systems (most traffic is legitimate) What You've Built By implementing the logging from Part 2 and the analytics rules in this post, your SOC now has: ✅ Real-time threat detection - Alerts fire within minutes of malicious activity ✅ User attribution - Every incident has identity, IP, and application context ✅ Pattern recognition - Detect both volume-based and behavior-based attacks ✅ Correlation across layers - Application logs + platform alerts + identity signals ✅ Proactive hunting - Dashboards for finding threats before they trigger rules ✅ Executive visibility - Metrics showing program effectiveness Key Takeaways GenAI threats need GenAI-specific analytics - Generic rules miss context like prompt injection, content safety violations, and session-based attacks Correlation is critical - The most sophisticated attacks span multiple signals. Correlating app logs with identity and platform alerts catches what individual rules miss. User context from Part 2 pays off - end_user_id, source_ip, and session_id enable investigation and response at scale Prompt hashing enables pattern detection - Detect repeated attacks without storing sensitive prompt content Workbooks serve different audiences - Executives want metrics; analysts want investigation tools; hunters want anomaly detection Start with high-fidelity rules - Content Safety violations and rate limit abuse have very low false positive rates. Add behavioral rules after establishing baselines. What's Next: Closing the Loop You've now built detection and visibility. In Part 4, we'll close the security operations loop with: Part 4: Platform Integration and Automated Response Building SOAR playbooks for automated incident response Implementing automated key rotation with Azure Key Vault Blocking identities in Entra Creating feedback loops from incidents to code improvements The journey from blind spot to full security operations capability is almost complete. Previous: Part 1: Securing GenAI Workloads in Azure: A Complete Guide to Monitoring and Threat Protection - AIO11Y | Microsoft Community Hub Part 2: Part 2: Building Security Observability Into Your Code - Defensive Programming for Azure OpenAI | Microsoft Community Hub Next: Part 4: Platform Integration and Automated Response (Coming soon)Demystifying AI Security Posture Management
Introduction In the ever-evolving paradigm shift that is Generative AI, adoption is accelerating at an unprecedented level. Organizations find it increasingly challenging to keep up with the multiple security branches of defence and attack that are complementing the adoption. With agentic and autonomous agents being the new security frontier we will be concentrating on for the next 10 years, the need to understand, secure and govern what Generative AI applications are running within an organisation becomes critical. Organizations that have a strong “security first” principle have been able to integrate AI by following appropriate methodologies such as Microsoft’s Prepare, Discover, Protect and Govern approach, and are now accelerating the adoption with strong posture management. Link: Build a strong security posture for AI | Microsoft Learn However, due to the nature of this rapid adoption, many organizations have found themselves in a “chicken and egg” situation whereby they are racing to allow employees and developers to adopt and embrace both Low Code and Pro Code solutions such as Microsoft Copilot Studio and Microsoft Foundry, but due to governance and control policies not being implemented in time, now find themselves in a Shadow AI situation, and require the ability to retroactively assess already deployed solutions. Why AI Security Posture Management? Generative AI Workloads, like any other, can only be secured and governed if the organization is aware of their existence and usage. With the advent of Generative AI we now not only have Shadow IT but also Shadow AI, so the need to be able to discover, assess, understand, and govern the Generative AI tooling that is being used in an organisation is now more important than ever. Consider the risks mentioned in the recent Microsoft Digital Defence Report and how they align to AI Usage, AI Applications and AI Platform Security. As Generative AI becomes more ingrained in the day-to-day operations of organizations, so does the potential for increased attack vectors, misuse and the need for appropriate security oversight and mitigation. Link: Microsoft Digital Defense Report 2025 – Safeguarding Trust in the AI Era A recent study by KMPG discussing Shadow AI listed the following statistics: 44% of employees have used AI in ways that contravene policies and guidelines, indicating a significant prevalence of shadow AI in organizations. 57% of employees have made mistakes due to AI, and 58 percent have relied on AI output without evaluating its accuracy. 41% of employees report that their organization has a policy guiding the use of GenAI, highlighting a huge gap in guardrails. A very informed comment by Sawmi Chandrasekaran, Principal, US and Global AI and Data Labs leader at KPMG states: “Shadow AI isn’t a fringe issue—it’s a signal that employees are moving faster than the systems designed to support them. Without trusted oversight and a coordinated architectural strategy, even a single shortcut can expose the organization to serious risk. But with the right guardrails in place, shadow AI can become a powerful force for innovation, agility, and long-term competitive advantage. The time to act is now—with clarity, trust, and bold forward-looking leadership.” Link: Shadow AI is already here: Take control, reduce risk, and unleash innovation It’s abundantly clear that organizations require integrated solutions to deal with the escalating risks and potential flashpoints. The “Best of Breed” approach is no longer sustainable considering the integration challenges both in cross-platform support and data ingestion charges that can arise, this is where the requirements for a modern CNAPP start to come to the forefront. The Next Era of Cloud Security report created by the IDC highlights Cloud Native Application Protection Platforms (CNAPPs) as a key investment area for organizations: “The IDC CNAPP Survey affirmed that 71% of respondents believe that over the next two years, it would be beneficial for their organization to invest in an integrated SecOps platform that includes technologies such as XDR/EDR, SIEM, CNAPP/cloud security, GenAI, and threat intelligence.” Link: The Next Era of Cloud Security: Cloud-Native Application Protection Platform and Beyond AI Security Posture Management vs Data Security Posture Management Data Security Posture Management (DSPM) is often discussed, having evolved prior to the conceptualization of Generative AI. However, DSPM is its own solution that is covered in the Blog Post Data Security Posture Management for AI. AI Security Posture Management (AI-SPM) focuses solely on the ability to monitor, assess and improve the security of AI systems, models, data and infrastructure in the environment. Microsoft’s Approach – Defender for Cloud Defender for Cloud is Microsoft’s modern Cloud Native Application Protection Platform (CNAPP), encompassing multiple cloud security solution services across both Proactive Security and Runtime Protection. However, for the purposes of this article, we will just be delving into AI Security Posture Management (AI-SPM) which is a sub feature of Cloud Security Posture Management (CSPM), both of which sit under Proactive Security solutions. Link: Microsoft Defender for Cloud Overview - Microsoft Defender for Cloud | Microsoft Learn Understanding AI Security Posture Management The following is going to attempt to “cut to the chase” on each of the four areas and cover an overview of the solution and the requirements. For detailed information on feature enablement and usage, each section includes a link to the full documentation on Microsoft Learn for further reading AI Security Posture Management AI Security Posture Management is a key component of the all-up Cloud Security Posture Management (CSPM) solution, and focuses on 4 key areas: o Generative AI Workload Discover o Vulnerability Assessment o Attack Path Analysis o Security Recommendations Generative AI Workload Discovery Overview Arguably, the principal role of AI Security Posture Management is to discover and identify Generative AI Workloads in the organization. Understanding what AI resources exist in the environment being the key to understanding their defence. Microsoft refers to this as the AI Bill-Of-Materials or AI-BOM. Bill-Of-Materials is a manufacturing term used to describe the components that go together to create a product (think door, handle, latch, hinges and screws). In the AI World this becomes application components such as data and artifacts. AI-SPM can discover Generative AI Applications across multiple supported services including: Azure OpenAI Service Microsoft foundry Azure Machine Learning Amazon Bedrock Google Vertex AI (Preview) Why no Microsoft Copilot Studio Integration? Microsoft Copilot Studio is not an external or custom AI agent service and is deeply integrated into Microsoft 365. Security posture for Microsoft Copilot Studio is handed over to Microsoft Defender for Cloud Apps and Microsoft Purview, with applications being marked as Sanctioned or Unsanctioned via the Defender for Cloud portal. For more information on Microsoft Defender for Cloud Apps see the link below. Link: App governance in Microsoft Defender for Cloud Apps and Microsoft Defender XDR - Microsoft Defender for Cloud Apps | Microsoft Learn Requirements An active Azure Subscription with Microsoft Defender for Cloud. Cloud Security Posture Management (CSPM) Enabled Have at least one environment with an AI supported workload. Link: Discover generative AI workloads - Microsoft Defender for Cloud | Microsoft Learn Vulnerability Assessment Once you have a clear overview of which AI resources exist in your environment, Vulnerability Assessment in AI-SPM allows you to cover two main areas of consideration. The first allows for the organization to discover vulnerabilities within containers that are running generative AI images with known vulnerabilities. The second allows vulnerability discovery within Generative AI Library Dependences such as TensorFlow, PyTorch, and LangChain. Both options will align any vulnerabilities detected to known Common Vulnerabilities and Exposures (CVE) IDs via Microsoft Threat Detection. Requirements An active Azure Subscription with Microsoft Defender for Cloud. Cloud Security Posture Management (CSPM) Enabled Have at least one Azure OpenAI resource, with at least one model deployment connected to it via Azure AI Foundry portal. Link: Explore risks to pre-deployment generative AI artifacts - Microsoft Defender for Cloud | Microsoft Learn Attack Path Analysis AI-SPM hunts for potential attack paths in a multi-cloud environment, by concentrating on real, externally driven and exploitable threats rather than generic scenarios. Using a proprietary algorithm, the attack path is mapped from outside the organization, through to critical assets. The attack path analysis is used to highlight immediately, exploitable threats to the business, which attackers would be able to exploit and breach the environment. Recommendations are given to be able to resolve the detected security issues. Discovered Attack Paths are organized by risk levels, which are determined using a context-aware risk-prioritization engine that considers the risk factors of each resource. Requirements An active Azure Subscription with Microsoft Defender for Cloud. Cloud Security Posture Management (CSPM) with Agentless Scanning Enabled. Required roles and permissions: Security Reader, Security Admin, Reader, Contributor, or Owner. To view attack paths that are related to containers: You must enable agentless container posture extension in Defender CSPM or You can enable Defender for Containers, and install the relevant agents in order to view attack paths that are related to containers. This also gives you the ability to query containers data plane workloads in security explorer. Required roles and permissions: Security Reader, Security Admin, Reader, Contributor, or Owner. Link: Identify and remediate attack paths - Microsoft Defender for Cloud | Microsoft Learn Security Recommendations Microsoft Defender for Cloud evaluates all resources discovered, including AI resources, and all workloads based on both built-in and custom security standards, which are implemented across Azure subscriptions, Amazon Web Services (AWS) accounts, and Google Cloud Platform (GCP) projects. Following these assessments, security recommendations offer actionable guidance to address issues and enhance the overall security posture. Defender for Cloud utilizes an advanced dynamic engine to systematically assess risks within your environment by considering exploitation potential and possible business impacts. This engine prioritizes security recommendations according to the risk factors associated with each resource, determined by the context of the environment, including resource configuration, network connections, and existing security measures. Requirements No specific requirements are required for Security Recommendations if you have Defender for Cloud enabled in the tenant as the feature is included by default. However, you will not be able to see Risk Prioritization unless you have the Defender for CSPM plan enabled. Link: Review Security Recommendations - Microsoft Defender for Cloud | Microsoft Learn CSPM Pricing CSPM has two billing models, Foundational CSPM (Free) Defender CSPM, which has its own additional billing model. AI-SPM is only included as part of the Defender CSPM plan. Foundational CSPM Defender CSPM Cloud Availability AI Security Posture Management - Azure, AWS, GCP (Preview) Price Free $5.11/Billable resource/month Information regarding licensing in this article is provided for guidance purposes only and doesn’t provide any contractual commitment. This list and license requirements are subject to change without any prior notice. Full details can be found on the official Microsoft documentation found here, Link: Pricing - Microsoft Defender for Cloud | Microsoft Azure. Final Thoughts AI Security Posture Management can no longer be considered an optional component to security, but rather a cornerstone to any organization’s operations. The integration of Microsoft Defender for Cloud across all areas of an organization shows the true potential of a modern a CNAPP, where AI is no longer a business objective, but rather a functional business component.Defender for AI services: Threat Protection and AI red team workshop
Authors: Thor Draper & Nathan Swift Generative AI is reshaping how enterprises operate, introducing new efficiencies—and new risks. Imagine launching a helpful chatbot, only to learn a cleverly crafted prompt can bypass safety controls and exfiltrate sensitive data. This is today’s reality: every system prompt, plugin/tool, dataset, fine‑tune, or orchestration step can change the attack surface. This is due to the non deterministic nature in how LLM models craft responses in output. The slightest change in the input of a prompt in verbiage or tone can change the outcome of a output in subtle but non predictable ways especially when your data is involved. This post shows how to operationalize AI red teaming with Microsoft Defender for AI services so security teams gain evidence‑backed visibility into adversarial behavior and turn that visibility into daily defense. By aligning with Microsoft’s Responsible AI principles of transparency, accountability, and continuous improvement, we demonstrate a pragmatic, repeatable loop that makes AI safer week after week. Crucially, security needs to have a seat at the table across the AI app lifecycle from model selection and pilot to production and ongoing updates. Who Should Read This (and What You’ll See) SOC analysts & incident responders - See how AI signals materialize as high‑fidelity alerts (prompt evidence, URL intel, identity context) in Defender for Cloud and Defender XDR for fast triage and correlation. AI/ML engineers - Validate model safety with controlled simulations (PyRIT‑informed strategies) and understand which filters/guardrails move the needle. Security architects - Integrate Microsoft Defender for AI services into your cloud security program; codify improvements as policy, IaC, and identity hygiene. Red teamers/researchers - Run structured, repeatable adversarial tests that produce measurable outcomes the org can act on. Why now? Data leakage, prompt injection, jailbreaks, and endpoint abuse are among the fastest‑growing threats to AI systems. With AI red teaming and Microsoft Defender for AI services, you catch intent before impact and translate insight into durable controls. What’s Different About the AI Attack Surface New risks sit alongside the traditional ones: Prompts & responses — Susceptible to prompt injection and jailbreak attempts (rule change, role‑play, encoding/obfuscation). User & application context — Missing context slows investigations and blurs accountability. Model endpoints & identities — Static keys and weak identity practices increase credential theft and scripted probing risk. Attached data (RAG/fine‑tuning) — Indirect prompt injection via documents or data sources. Orchestration layers/agents — Tool invocation abuse, unintended actions, or “over‑permissive” chains. Content & safety filters — Configuration drift or silent loosening erodes protection. A key theme across these risks is context propagation. The way user identity, application parameters, and environmental signals travel with each prompt and response. When context is preserved and surfaced in security alerts, SOC teams can quickly correlate incidents, trace attack paths, and remediate threats with precision. Effective context propagation transforms raw signals into actionable intelligence, making investigations faster and more accurate. Microsoft Defender for AI services adds a real‑time protection layer across this surface by combining Prompt Shields, activity monitoring, and Microsoft threat intelligence to produce high‑fidelity alerts you can operationalize. The Improvement Loop (Responsible AI in Practice) Responsible AI comes to life when teams Observe → Correlate → Remediate → Retest → Codify: Observe controlled jailbreak/phishing/automation patterns and collect prompt evidence. Correlate with identity, network, and prior incidents in Defender XDR. Remediate with the smallest effective control (filters, identities, rate limits, data scoping). Retest the same scenario to verify risk reduction. Codify as baseline (policy, IaC template, guardrail profile, rotation notes). Repeat this rhythm on a schedule and you’ll build durable posture faster than a one‑time “big‑bang” control set. Prerequisites: To take advantage of this workshop you’ll need: Sandbox subscription (ideally inside a Sandbox Mgmt Group with lighter policies), you may also leverage a Free trial of Azure Subscription as well. Microsoft Defender for AI services plan enabled (see Participant Guide ) Contributor access (you can deploy + view alerts) Region capacity confirmed (Azure AI Foundry in East US 2) Workshop flow and testing: Prep: Enable the Microsoft Defender for AI services plan with prompt evidence, deploy the Azure Template (one hub + single endpoint), and open the AIRT-Eval.ipynb notebook; you now have a controlled space to generate signals(see Participant Guide). Controlled Signals: Trigger against a jailbreak attempt, a phishing URL simulation, and a suspicious user agent simulation to produce three distinct alert types. Triage & Correlate: For each alert, review anatomy (evidence, severity, IDs) and capture prompt/URL evidence. Harden & Retest: Apply improvements or security controls, then validate fixes. After you harden controls and retest, the next step is validating that your defenses trigger the right alerts on demand. There is a list of Microsoft Defender for AI services alerts here. To evaluate alerts, open DfAI‑Eval.ipynb - a streamlined notebook that safely simulates adversarial activity (current alerts: jailbreak, phishing URL, suspicious user agent) to exercise Microsoft Defender for AI services detections. Think of it as the EICAR test for AI workloads: consistent, repeatable, and safe. Next, we will review and break down each of the alerts you’ll generate in the workshop and how to read them effectively. Anatomy of Jailbreak from AI Red team Agent: A jailbreak is a user prompt designed to sidestep system or safety instructions—rule‑change (“ignore previous rules”), fake embedded conversation, role‑play as an unrestricted persona, or encoding tricks. Microsoft Defender for AI services (via Prompt Shields + threat intelligence) flags it before unsafe output (“left‑of‑boom”) and publishes a correlated high‑fidelity alert into Defender XDR for cross‑signal investigation. Anatomy of a Phishing involved in an attack: Phishing prompt URL alerts fire when a prompt or draft response embeds domains linked to impersonation, homoglyph tricks, newly registered infrastructure, encoded redirects, or reputation‑flagged hosting. Microsoft Defender for AI services enriches the URL (normalization, age, reputation, brand similarity) and—if prompt evidence is enabled—includes the exact snippet, then streams the alert into Defender XDR where end‑user/application context fields (e.g. `EndUserId`, `SourceIP`) let analysts correlate repeated lure attempts and pivot to related credential or jailbreak activity. Anatomy of a User Agent involved in an attack: Suspicious user agent alerts highlight enumeration or automation patterns (generic library signatures, headless runners, scanner strings, cadence anomalies) tied to AI endpoint usage and identity context. Microsoft Defender for AI services scores the anomaly and forwards it to Defender XDR enriched with optional `UserSecurityContext` (IP, user ID, application name) so analysts can correlate rapid probing with concurrent jailbreak or phishing alerts and enforce mitigations like managed identity, rate limits, or user agent filtering. Conclusion The goal of this Red teaming and AI Threat workshop amongst the different attendees is to catch intent before impact, prompt manipulation before unsafe output, phishing infrastructure before credential loss, and scripted probing before exfiltration. Microsoft Defender for AI services feeding Defender XDR enables a compact improvement loop that converts red team findings into operational guardrails. Within weeks, this cadence transforms AI from experimental liability into a governed, monitored asset aligned with your cloud security program. Incrementally closing gaps within context propagation, identity hygiene, Prompt Shields & filter tuning—builds durable posture. Small, focused cycles win ship one improvement, measure its impact, promote to baseline, and repeat.The Microsoft Defender for AI Alerts
I will start this blog post by thanking my Secure AI GBB Colleague Hiten Sharma for his contributions to this Tech Blog as a peer-reviewer. Microsoft Defender for AI (part of Microsoft Defender) helps organizations threats to generative AI applications in real time and helps respond to security issues. Microsoft Defender for AI is in General Availability state and covers Azure OpenAI supported models and Azure AI Model Inference service supported models deployed on Azure Commercial Cloud and provides Activity monitoring and prompt evidence for security teams. This blog aims to help the Microsoft Defender for AI (the service) users understand the different alerts generated by the service, what they mean, how they align to the Mitre Att&ck Framework, and how to reduce the potential alert re-occurrences. The 5 Generative AI Security Threats You Need to Know About This section aims to give the reader an overview of the 5 Generative AI Security Threats every security professional needs to know about. For more details, please refer to “The 5 generative AI security threats you need to know about e-book”. Poisoning Attacks Poisoning attacks are adversarial attacks which target the training or fine-tuning data of generative AI models. In a Poisoning Attack, the adversary injects biased or malicious data during the learning process with the intention of affecting the model’s behavior, accuracy, reliability, and ethical boundaries. Evasion Attacks Evasion Attacks are adversarial attacks where the adversary crafts inputs designed to bypass the security controls and model restrictions. This kind of attacks [Evasion Attacks] exploit the generative AI system in the model’s inference stage (In the context of generative AI, this is the stage where the model generates text, images, or other outputs in response to user inputs.). In an Evasion Attack, the adversary does not modify the Generative AI model itself but rather adapts and manipulates prompts to avoid the model safety mechanisms. Functional Extraction Functional Extraction attacks are model extraction attacks where the adversary repeatedly interacts with the Generative AI system and observes the responses. In a Functional Extraction attack, the adversary attempts to reverse-engineer or recreate the generative AI system without direct access to its infrastructure or training data. Inversion Attack Inversion Attacks are adversarial attacks where the adversary repeatedly interacts with the Generative AI system to reconstruct or infer sensitive information about the model and its infrastructure. In an Inversion Attack, the adversary attempts to exploit what the Generative AI model have memorized from its training data. Prompt Injection Attacks Prompt Injection Attacks are evasion attacks where the adversary uses malicious prompts to override or bypass the AI system’s safety rules, policies, and intended behavior. In a Prompt Injection Attack, the adversary embeds malicious instructions in a prompt (or a sequence of prompts) to trick the AI system into ignoring safety filters, generate harmful or restricted contents, or reveal confidential information (i.e. the Do Anything Now (DAN) exploit, which prompts LLMs to “do anything now.” More details about AI Jail Brake attempts, including DAN exploit can be found in this Microsoft Tech Blog Article). The Microsoft Defender for AI Alerts Microsoft Defender for AI works with Azure AI Prompt Shields (more details at Microsoft Foundry Prompt Shields documentation) and utilizes Microsoft’s Threat Intelligence to identify (in real-time) the threats impacting the monitored AI Services. Below is a list of the different alerts Defender for AI generates, what they mean, how they align with the Mitre Att&ck Framework, and suggestion on how to reduce the potential of their re-occurrence. More details about these alerts can be found at Microsoft Defender for AI documentation. Detected credential theft attempts on an Azure AI model deployment Severity: Medium Mitre Tactics: Credential Access, Lateral Movement, Exfiltration Attack Type: Inversion Attack Description: As per Microsoft Documentation “The credential theft alert is designed to notify the SOC when credentials are detected within GenAI model responses to a user prompt, indicating a potential breach. This alert is crucial for detecting cases of credential leak or theft, which are unique to generative AI and can have severe consequences if successful.” How it happens: Credential Leakage in a Generative AI response typically occur because of training the model with data that contains credentials (i.e. Hardcoded secrets, API Keys, passwords, or configuration files that contain such information), this can also occur if the prompt triggers the AI System to retrieve the information from host system tools or memory. How to avoid: The re-occurrence of this alert can be reduced by adapting the following: Training Data Hygiene: Ensure that no credentials exist in the training data, this can be done by scanning for credentials and using secret-detection tools before training or fine-tuning the model(s) in use. Guardrails and Filtering: Implementing output scanning (i.e. credential detectors, filters, etc…) to block responses that contain credentials. This can be addressed using various methods including custom content filters in Azure AI Foundry. Adapt Zero Trust, including least privilege access to the run-time environment for the AI system, ensure that the AI System and its plugins has no access to secrets (more details at Microsoft’s Zero Trust site.) Prompt Injection Defense: In addition to adapting the earlier recommendations, also use Azure AI Prompt Shields to identify and potentially block prompt injection attempts. A Jailbreak attempt on an Azure AI model deployment was blocked by Azure AI Content Safety Prompt Shields Severity: Medium Mitre Tactics: Privilege Escalation, Defense Evasion Attack Type: Prompt Injection Attack Description: As per Microsoft Documentation “The Jailbreak alert, carried out using a direct prompt injection technique, is designed to notify the SOC there was an attempt to manipulate the system prompt to bypass the generative AI’s safeguards, potentially accessing sensitive data or privileged functions. It indicated that such attempts were blocked by Azure Responsible AI Content Safety (also known as Prompt Shields), ensuring the integrity of the AI resources and the data security.” How it happens: This alert indicates that Prompt Shields (more details about prompt shields at Microsoft Foundry Prompt Shields documentation) have identified an attempt by an adversary to use a specially engineered input to trick the AI System into by passing its safety rules, guardrails, or content filters. In the case of this alert, Prompt Shields have detected and blocked the attempt, preventing the AI system from acting differently than its guardrails. How to avoid: While this alert indicates that Prompt Shield has successfully blocked the Jailbreak attempt, additional measures can be taken to reduce the potential impact and re-occurrence of Jailbreak attempts: Use Azure AI Prompt Shields: Real-Time detection is not a single use but rather a continuous use security measure. Continue using it and monitor alerts, (more details at Microsoft Foundry Prompt Shields documentation). Use Retrieval Isolation: Retrieval Isolation separates user prompts from knowledge/retrieval sources (i.e. Knowledge Bases, Databases, Web search Agents, APIs, Documents), this isolation ensures that the model is not directly influencing what contents is retrieved, insures that malicious prompts cannot poison the knowledge/retrieval sources, and reduces the impact of malicious prompts that intend to coerce the system to retrieve sensitive or unsafe data. Continuous testing: Using Red Teaming tools (i.e. Microsoft AI Read Team tools) and exercises, continuously test the AI system against Jail Break patterns and models and adjust security measures according to findings. Adapt Zero Trust, including enforcing strong authentication and authorization measures where you verify explicitly, use least privilege access, and always assume breach to ensure the AI system cannot directly trigger actions, API calls, or sensitive operations without proper validation (more details at Microsoft’s Zero Trust site. A Jailbreak attempt on an Azure AI model deployment was detected by Azure AI Content Safety Prompt Shields Severity: Medium Mitre Tactics: Privilege Escalation, Defense Evasion Attack Type: Prompt Injection Attack Description: As per Microsoft Documentation “The Jailbreak alert, carried out using a direct prompt injection technique, is designed to notify the SOC there was an attempt to manipulate the system prompt to bypass the generative AI’s safeguards, potentially accessing sensitive data or privileged functions. It indicated that such attempts were detected by Azure Responsible AI Content Safety (also known as Prompt Shields), but weren't blocked due to content filtering settings or due to low confidence.” How it happens: This alert indicates that Prompt Shields have identified an attempt by an adversary to use a specially engineered input to trick the AI System into by passing its safety rules, guardrails, or content filters. In the case of this alert, Prompt Shields have detected the attempt but did not block it, the event is not blocked due to either the content filter settings configuration or low confidence. How to avoid: While this alert indicates that Prompt Shield is enabled to protect the AI system and has successfully detected the Jailbreak attempt, additional measures can be taken to reduce the potential impact and re-occurrence of Jailbreak attempts: Use Azure AI Prompt Shields: Real-Time detection is not a single use but rather a continuous use security measure. Continue using it and monitor alerts, (more details at Microsoft Foundry Prompt Shields documentation). Use Retrieval Isolation: Retrieval Isolation separates user prompts from knowledge/retrieval sources (i.e. Knowledge Bases, Databases, Web search Agents, APIs, Documents), this isolation ensures that the model is not directly influencing what contents is retrieved, insures that malicious prompts cannot poison the knowledge/retrieval sources, and reduces the impact of malicious prompts that intend to coerce the system to retrieve sensitive or unsafe data. Continuous testing: Using Red Teaming tools (i.e. Microsoft AI Read Team tools) and exercises, continuously test the AI system against Jail Break patterns and models and adjust security measures according to findings. Adapt Zero Trust, including enforcing strong authentication and authorization measures where you verify explicitly, use least privilege access, and always assume breach to ensure the AI system cannot directly trigger actions, API calls, or sensitive operations without proper validation (more details at Microsoft’s Zero Trust site. Corrupted AI application\model\data directed a phishing attempt at a user Severity: High Mitre Tactics: Impact (Defacement) Attack Type: Poisoning Attack Description: As per Microsoft Documentation “This alert indicates a corruption of an AI application developed by the organization, as it has actively shared a known malicious URL used for phishing with a user. The URL originated within the application itself, the AI model, or the data the application can access.” How it happens: This alert indicates the AI system, its underlying model, or its knowledge sources were corrupted with malicious data and started returning the corrupted data in the form of phishing-style responses to the users. This can occur because of training data poisoning, an earlier successful attack that modified the system knowledge sources, tampered system instructions, or unauthorized access to the AI system itself. How to avoid: This alert needs to be taken seriously and investigated accordingly, the re-occurrence of this alert can be reduced by adapting the following: Strengthen model and data integrity controls, this includes hashing model artifacts (i.e. Model Weights, Tokenizers), signing model packages, and enforcing integrity checks during runtime. Adapt Zero Trust, including enforcing strong authentication and authorization measures where you verify explicitly, across developer environments, CI/CD pipelines, knowledge sources, and deployment endpoints, (more details at Microsoft’s Zero Trust site.) Implement data validation and data poisoning detection strategies on all incoming training and fine-tuning data. Use Retrieval Isolation: Retrieval Isolation separates user prompts from knowledge/retrieval sources (i.e. Knowledge Bases, Databases, Web search Agents, APIs, Documents), this isolation ensures that the model is not directly influencing what contents is retrieved, insures that malicious prompts cannot poison the knowledge/retrieval sources, and reduces the impact of malicious prompts that intend to coerce the system to retrieve sensitive or unsafe data. Continuous testing: Using Red Teaming tools (i.e. Microsoft AI Read Team tools) and exercises, continuously test the AI system against poisoning attempts, prompt injection attacks, and malicious tools invocation scenarios. Phishing URL shared in an AI application Severity: High Mitre Tactics: Impact (Defacement), Collection Attack Type: Prompt Injection Description: As per Microsoft Documentation “This alert indicates a potential corruption of an AI application, or a phishing attempt by one of the end users. The alert determines that a malicious URL used for phishing was passed during a conversation through the AI application, however the origin of the URL (user or application) is unclear.” How it happens: This alert indicates that a phishing URL was present in the interaction between the user and the AI System, this phishing URL might originate from a user prompt, as a result of malicious input in a prompt, generated by them model as a result of an earlier attack, or due to a poisoned knowledge source. How to avoid: This alert needs to be taken seriously and investigated accordingly, the re-occurrence of this alert can be reduced by adapting the following: Adapt URL scanning mechanism prior to returning any URL to users (i.e. check against Threat Intelligence, URL reputation sources) and content scanning mechanisms (This can be done using Azure Prompt Flows, or using Azure Functions). Use Retrieval Isolation: Retrieval Isolation separates user prompts from knowledge/retrieval sources (i.e. Knowledge Bases, Databases, Web search Agents, APIs, Documents), this isolation ensures that the model is not directly influencing what contents is retrieved, insures that malicious prompts cannot poison the knowledge/retrieval sources, and reduces the impact of malicious prompts that intend to coerce the system to retrieve sensitive or unsafe data. Filter and sanitize user prompts to prevent harmful or malicious URLs from being used or amplified by the AI system (This can be done using Azure Prompt Flows, or using Azure Functions). Phishing attempt detected in an AI application Severity: High Mitre Tactics: Collection Attack Type: Prompt Injection, Poisoning Attack Description: As per Microsoft Documentation “This alert indicates a URL used for phishing attack was sent by a user to an AI application. The content typically lures visitors into entering their corporate credentials or financial information into a legitimate looking website. Sending this to an AI application might be for the purpose of corrupting it, poisoning the data sources it has access to, or gaining access to employees or other customers via the application's tools.” How it happens: This alert indicates that a phishing URL was present in a prompt sent from the user to the AI System. When a user uses a phishing URL in a prompt, this can be an indicator of a user who is attempting to corrupt the AI system, corrupt its knowledge sources to compromise other users of the AI system, or a user who is trying to manipulate the AI system to use stored data, stored credentials or system tools in the phishing URL. How to avoid: This alert needs to be taken seriously and investigated accordingly, the re-occurrence of this alert can be reduced by adapting the following: Filter and sanitize user prompts to prevent harmful or malicious URLs from being used or amplified by the AI system (This can be done using Azure Prompt Flows, or using Azure Functions). Use Retrieval Isolation: Retrieval Isolation separates user prompts from knowledge/retrieval sources (i.e. Knowledge Bases, Databases, Web search Agents, APIs, Documents), this isolation ensures that the model is not directly influencing what contents is retrieved, insures that malicious prompts cannot poison the knowledge/retrieval sources, and reduces the impact of malicious prompts that intend to coerce the system to retrieve sensitive or unsafe data. Monitor anomalous behavior originating from the sources that have common connection characteristics. Suspicious user agent detected Severity: Medium Mitre Tactics: Execution, Reconnaissance, Initial access Attack Type: Multiple Description: As per Microsoft Documentation “The user agent of a request accessing one of your Azure AI resources contained anomalous values indicative of an attempt to abuse or manipulate the resource. The suspicious user agent in question has been mapped by Microsoft threat intelligence as suspected of malicious intent and hence your resources were likely compromised.” How it happens: This alert indicates that a user agent of a request that is accessing one of your Azure AI resources contains values that were mapped by Microsoft Threat Intelligence as suspected of Malicious intent. When this alert is present, it is indicative of an abuse or manipulation attempt. This does not necessarily mean that your AI System has been breached, however its an indication that an attack is being attempted and underway, or the AI system was already compromised. How to avoid: Indicators from this alert need to reviewed, including other alerts that might help formulate a full understanding of the sequence of events taking place. Impact and re-occurrence of this alert can be reduced by adapting the following: Review impacted AI systems to assess impact of the event on these systems. Adapt Zero Trust, including enforcing strong authentication and authorization measures where you verify explicitly, use least privilege access, and always assume breach (more details at Microsoft’s Zero Trust site.) Applying rate limiting and bot detection measures using services like Azure Management Gateway. Apply comprehensive user agent filtering and restriction measures to protect your AI System from suspicious or malicious clients by enforcing user-agent filtering at the edge (i.e. using Azure Front door), the gateway (i.e. using Azure API Management), and identity layers to ensure only trusted, verified applications and devices can access your GenAI endpoints. Enable Network Protection Measures (i.e. WAF, Reputation Filters, Geo Restrictions) to filter out traffic from IP addresses associated with Malicious actors and their infrastructure, to avoid traffic from geographies and locations known to be associated with malicious actors, and to eliminate traffic with other highly suspicious characteristics. This can be done using services like Azure Front Door, or Azure Web Application Firewall. ASCII Smuggling prompt injection detected Severity: Medium Mitre Tactics: Execution, Reconnaissance, Initial access Attack Type: Evasion Attack, Prompt Injection Description: As per Microsoft Documentation “ASCII smuggling technique allows an attacker to send invisible instructions to an AI model. These attacks are commonly attributed to indirect prompt injections, where the malicious threat actor is passing hidden instructions to bypass the application and model guardrails. These attacks are usually applied without the user's knowledge given their lack of visibility in the text and can compromise the application tools or connected data sets.” How it happens: This alert indicates an AI system has received a request that a attempted to circumvent system guardrails by embedding harmful instructions by using ASCII characters commonly used for prompt injection attacks. This alert can be caused by multiple reasons including: a malicious user who is attempting prompt manipulation, by an innocent user who is pasting a prompt that contains malicious hidden ASCII characters or instructions, or a knowledge source connected to the AI System that is adding the malicious ASCII characters to the user prompt. How to avoid: Indicators from this alert should be reviewed, including other alerts that might help formulate a full understanding of the sequence of events taking place. Impact and re-occurrence of this alert can be reduced by adapting the following: If the user involved in the incident is known, review their access grant (in Microsoft Entra), and ensure their device and accounts are not compromised starting with reviewing incidents and evidences in Microsoft Defender. Normalize user input before sending it to the models of the AI system, this can be performed using a pre-processing ( i.e. using Azure Prompt Flows, or using Azure Functions, or using Azure API Management). Strip (or block) suspicious ASCII patterns and hidden characters using a pre-processing layer (i.e. using Azure Prompt Flows, or using Azure Functions). Use retrieval isolation to prevent smuggled ASCII from propagating to knowledge sources and tools, multiple retrieval isolation strategies can be adapted including separating user’s raw-input from system-safe input and utilizing the system-safe inputs as bases to build queries and populate fields (i.e. arguments) to invoke tools the AI System interacts with. Using Red Teaming tools (i.e. Microsoft AI Read Team tools) and exercises, continuously test the AI system against ASCII smuggling attempts. Access from a Tor IP Severity: High Mitre Tactics: Execution Attack Type: Multiple Description: As per Microsoft Documentation “An IP address from the Tor network accessed one of the AI resources. Tor is a network that allows people to access the Internet while keeping their real IP hidden. Though there are legitimate uses, it is frequently used by attackers to hide their identity when they target people's systems online.” How it happens: This alert indicates that a user attempted to access the AI System using a TOR exit node. This can be an indicator of a malicious user attempting to hide the true origin of there connection source, whether to avoid geo fencing, or to conceal their identity while carrying on an attack against the AI system. How to avoid: Impact and re-occurrence of this alert can be reduced by adapting the following: Adapt Zero Trust, including enforcing strong authentication and authorization measures where you verify explicitly, use least privilege access, and always assume breach (more details at Microsoft’s Zero Trust site.) Enable Network Protection Measures (i.e. WAF, Reputation Filters, Geo Restrictions) to prevent traffic from TOR exit nodes from reaching the AI System. This can be done using services like Azure Front Door, or Azure Web Application Firewall. Access from a suspicious IP Severity: High Mitre Tactics: Execution Attack Type: Multiple Description: As per Microsoft Documentation “An IP address accessing one of your AI services was identified by Microsoft Threat Intelligence as having a high probability of being a threat. While observing malicious Internet traffic, this IP came up as involved in attacking other online targets.” How it happens: This alert indicates that a user attempted to access the AI System from an IP address that was identified by Microsoft Threat Intelligence as suspicious. This can be an indicator of a malicious user or a malicious tool carrying on an attack against the AI system. How to avoid: Impact and re-occurrence of this alert can be reduced by adapting the following: Adapt Zero Trust, including enforcing strong authentication and authorization measures where you verify explicitly, use least privilege access, and always assume breach (more details at Microsoft’s Zero Trust site.) Enable Network Protection Measures (i.e. WAF, Reputation Filters, Geo Restrictions) to prevent traffic from suspicious IP addresses from reaching the AI System. This can be done using services like Azure Front Door, or Azure Web Application Firewall. Suspected wallet attack - recurring requests Severity: Medium Mitre Tactics: Impact Attack Type: Wallet Attack Description: As per Microsoft Documentation “Wallet attacks are a family of attacks common for AI resources that consist of threat actors excessively engage with an AI resource directly or through an application in hopes of causing the organization large financial damages. This detection tracks high volumes of identical requests targeting the same AI resource which may be caused due to an ongoing attack.” How it happens: Wallet attacks are a category of attacks that attempt to exploit the usage-based billing, quota limits, or token-consumption of the AI System to inflect financial or operational harm on the AI system. This alert is an indicator of the AI System receiving repeated, or high-frequency, or patterned requests that are consistent with wallet attack attempts. How to avoid: Impact and re-occurrence of this alert can be reduced by adapting the following: Adapt Zero Trust, including enforcing strong authentication and authorization measures where you verify explicitly, use least privilege access, and always assume breach (more details at Microsoft’s Zero Trust site.) Enable Network Protection Measures (i.e. WAF, Reputation Filters, Geo Restrictions) to prevent traffic from known malicious actors known IP addresses and infrastructure from reaching the AI System. This can be done using services like Azure Front Door, or Azure Web Application Firewall. Apply rate-limiting and throttling to connection attempts to the AI System using Azure API Management. Enable Quotas, strict usage caps, and cost guardrails using Azure API Management, using Azure Foundry Limits and Quotas, and Azure cost management. Implement client-side security measures (i.e. tokens, signed requests) to prevent bots from imitating legitimate users. There are multiple approaches to adapt (collectively) to achieve this, for example by using Entra ID Tokens for authentication instead of using a simple API key from the front end. Suspected wallet attack - volume anomaly Severity: Medium Mitre Tactics: Impact Attack Type: Wallet Attack Description: As per Microsoft Documentation “Wallet attacks are a family of attacks common for AI resources that consist of threat actors excessively engage with an AI resource directly or through an application in hopes of causing the organization large financial damages. This detection tracks high volumes of requests and responses by the resource that are inconsistent with its historical usage patterns.” How it happens: Wallet attacks are a category of attacks that attempt to exploit the usage-based billing, quota limits, or token-consumption of the AI System to inflect financial or operational harm on the AI system. This alert is an indicator of the AI system experiencing an abnormal volume of interactions exceeding normal usage patterns, which can be caused by automated scripts, bots, or coordinated efforts that are attempting to impose financial and / or operational harm on the AI System. How to avoid: Impact and re-occurrence of this alert can be reduced by adapting the following: Adapt Zero Trust, including enforcing strong authentication and authorization measures where you verify explicitly, use least privilege access, and always assume breach (more details at Microsoft’s Zero Trust site.) Enable Network Protection Measures (i.e. WAF, Reputation Filters, Geo Restrictions) to prevent traffic from known malicious actors known IP addresses and infrastructure from reaching the AI System. This can be done using services like Azure Front Door, or Azure Web Application Firewall. Apply rate-limiting and throttling to connection attempts to the AI System using Azure API Management. Enable Quotas, strict usage caps, and cost guardrails using Azure API Management, using Azure Foundry Limits and Quotas and Azure cost management. Implement client-side security measures (i.e. tokens, signed requests) to prevent bots from imitating legitimate users. There are multiple approaches to adapt (collectively) to achieve this, for example by using Entra ID Tokens for authentication instead of using a simple API key from the front end. Access anomaly in AI resource Severity: Medium Mitre Tactics: Execution, Reconnaissance, Initial access Attack Type: Multiple Description: As per Microsoft Documentation “This alert track anomalies in access patterns to an AI resource. Changes in request parameters by users or applications such as user agents, IP ranges, authentication methods. can indicate a compromised resource that is now being accessed by malicious actors. This alert may trigger when requests are valid if they represent significant changes in the pattern of previous access to a certain resource.” How it happens: This alert indicates that a shift in connection and interaction patterns was detected compared to the established baseline of connections and interactions with the AI Systems. This alert can be an indicator of probing events or can be an indicator of a compromised AI System that is now being abused by the malicious actor. How to avoid: Impact and re-occurrence of this alert can be reduced by adapting the following: Adapt Zero Trust, including enforcing strong authentication and authorization measures where you verify explicitly, use least privilege access, and always assume breach (more details at Microsoft’s Zero Trust site.) If exposure is suspected, rotate API Keys and Secrets (more details on how to rotate API Keys in Azure Foundry Documentation). Enable Network Protection Measures (i.e. WAF, Reputation Filters, Geo Restrictions, Conditional Access Controls) to prevent similar traffic from reaching the AI System. Restrictions can be implemented using services like Azure Front Door, or Azure Web Application Firewall. Apply rate-limiting and anomaly detection measures to block unusual request bursts or abnormal access patterns. Rate limiting can be implemented using Azure API Management, Anomaly detection can be performed using AI Real-Time monitoring tools like Microsoft Defender for AI and Security Operations platforms like Microsoft Sentinel where rules can later be created to trigger automations and playbooks that can update the Azure WAF and APIM to block or rate limit traffic from a certain origin. Suspicious invocation of a high-risk 'Initial Access' operation by a service principal detected (AI resources) Severity: Medium Mitre Tactics: Initial access Attack Type: Identity-based Initial Access Attack Description: As per Microsoft Documentation “This alert detects a suspicious invocation of a high-risk operation in your subscription, which might indicate an attempt to access restricted resources. The identified AI-resource related operations are designed to allow administrators to efficiently access their environments. While this activity might be legitimate, a threat actor might utilize such operations to gain initial access to restricted AI resources in your environment. This can indicate that the service principal is compromised and is being used with malicious intent.” How it happens: This alert indicates that an AI System was involved in a highly privileged operation against the run-time environment of the AI System using legitimate credentials. While this might be an intended behavior (regardless of the validity of this design from a security standpoint), this can also be an indicator of an attack against the AI system where the malicious actor has successfully circumvented the AI System guardrails and influenced the AI System to operate beyond its intended behavior. When performed by a malicious actor, this event is expected to be a part of a multi-stage attack against the AI System. How to avoid: Impact and re-occurrence of this alert can be reduced by adapting the following: Upon detection, immediately rotate impacted accounts secrets and certificates. To ensure the AI system cannot directly trigger actions, API calls, or sensitive operations without proper validation, Adapt Zero Trust, including enforcing strong authentication and authorization measures where you verify explicitly, use least privilege access, and always assume breach (more details at Microsoft’s Zero Trust site.). As a part of adapting Zero Trust strategy, enforce managed identities usage instead of relying on long-lived credentials, such as Entra managed IDs for Azure. Use conditional access measures (i.e. Entra conditional access) to limit where and how service principals can authenticate into the system. Enforce a training data hygiene practice to ensure that no credentials exist in the training data, this can be done by scanning for credentials and using secret-detection tools before training or fine-tuning the model(s) in use. Use retrieval isolation to prevent similar events from propagating to knowledge sources and tools, multiple retrieval isolation strategies can be adapted including separating user’s raw-input from system-safe input and utilizing the system-safe inputs as bases to build queries and populate fields (i.e. arguments) to invoke tools the AI System interacts with. Anomalous tool invocation Severity: Low Mitre Tactics: Execution Attack Type: Prompt Injection, Evasion Attack Description: As per Microsoft Documentation “This alert analyzes anomalous activity from an AI application connected to an Azure OpenAI model deployment. The application attempted to invoke a tool in a manner that deviates from expected behavior. This behavior may indicate potential misuse or an attempted attack through one of the tools available to the application.” How it happens: This alert indicates that the AI System has invoked a tool or a downstream capability in behavior pattern that deviates from its expected behavior. This event can be an indicator that a malicious user have managed to provide a prompt (or series of prompts) that have circumvented the AI System defenses and guardrails and as a result caused the AI System to call tools it should not call or caused it to use tools it has access to in an abnormal way. How to avoid: Impact and re-occurrence of this alert can be reduced by adapting the following: Adapt Zero Trust, including enforcing strong authentication and authorization measures where you verify explicitly, use least privilege access, and always assume breach (more details at Microsoft’s Zero Trust site.) In addition to Prompt Shields, use input sanitization in the AI System to block malicious prompts and sanitize ASCII smuggling attempts using a pre-processing layer (i.e. using Azure Prompt Flows, or using Azure Functions). Use retrieval isolation to prevent similar events from propagating to knowledge sources and tools, multiple retrieval isolation strategies can be adapted including separating user’s raw-input from system-safe input and utilizing the system-safe inputs as bases to build queries and populate fields (i.e. arguments) to invoke tools the AI System interacts with. Implement functional guardrails to separate model reasoning from tool-execution, multiple strategies can be adapted to implement function guardrails including retrieval isolation (discussed earlier) and separating the decision making layer to call a tool from the LLM itself. In this case, the LLM will receive the user prompt (request and context) and will then reason that it need to invoke a specific tool, then the request is sent to an orchestration layer that will validate the request and run policy and safety checks, and then initiates the tool execution. Suggested Additional Reading: Microsoft Azure Functions Documentation https://aka.ms/azureFunctionsDocs Microsoft Azure AI Content Safety https://aka.ms/aiContentSafety Microsoft Azure AI Content Safety Prompt Shields https://aka.ms/aiPromptShields Microsoft AI Red Team https://aka.ms/aiRedTeam Microsoft Azure API Management Documentation https://aka.ms/azureAPIMDocs Microsoft Azure Front Door https://aka.ms/azureFrontDoorDocs Microsoft Azure Machine Learning Prompt Flow https://aka.ms/azurePromptFlowDocs Microsoft Azure Web Application Firewall https://aka.ms/azureWAF Microsoft Defender for AI Alerts https://aka.ms/d4aiAlerts Microsoft Defender for AI Documentation Homepage https://aka.ms/d4aiDocs Microsoft Entra Conditional Access Documentation https://aka.ms/EntraConditionalAccess Microsoft Foundry Models quotas and limits https://aka.ms/FoundryQuotas Microsoft Sentinel Documentation Home page: https://aka.ms/SentinelDocs Protect and modernize your organization with a Zero Trust strategy: https://aka.ms/ZeroTrust. The 5 generative AI security threats you need to know about e-book https://aka.ms/genAItop5Threats Microsoft’s open automation framework to red team generative AI Systems https://aka.ms/PyRITMicrosoft Defender for Cloud Customer Newsletter
What's new in Defender for Cloud? Defender for Cloud integrates into the Defender portal as part of the broader Microsoft Security ecosystem, now in public preview. This integration, while adding posture management insight, eliminates silos natively to allow security teams to see and act on threats across all cloud, hybrid, and code environments from one place. For more information, see our public documentation. Discover Azure AI Foundry agents in your environment The Defender Cloud Security Posture Management (CSPM) plan secures generative AI applications and now, in public preview, AI agents throughout its entire lifecycle. Discover AI agent workloads and identify details of your organization’s AI Bill of Materials (BOM). Details like vulnerabilities, misconfigurations and potential attack paths help protect your environment. Plus, Defender for Cloud monitors for any suspicious or harmful actions initiated by the agent. Blogs of the month Unlocking Business Value: Microsoft’s Dual Approach to AI for Security and Security for AI Fast-Start Checklist for Microsoft Defender CSPM: From Enablement to Best Practices Announcing Microsoft cloud security benchmark v2 (public preview) Microsoft Defender for Cloud Innovations at Ignite 2025 Defender for AI services: Threat protection and AI red team workshop Defender for Cloud in the field Revisit the Cloud Detection Response experience here.. Visit our YouTube page: here GitHub Community Check out the Microsoft Defender for Cloud Enterprise Onboarding Guide. It has been updated to include the latest network requirements. This guide describes the actions an organization must take to successfully onboard to MDC at scale. Customer journeys Discover how other organizations successfully use Microsoft Defender for Cloud to protect their cloud workloads. This month we are featuring Icertis. Icertis, a global leader in contract intelligence, launched AI applications using Azure OpenAI in Foundry Models that help customers extract clauses, assess risk, and automate contract workflows. Because contracts contain highly sensitive business rules and arrangements, their deployment of Vera, their own generative AI technology that includes Copilot agents and analytics for tailored contract intelligence, introduced challenges like enforcing and maintaining compliance and security challenges like prompt injections, jailbreak attacks and hallucinations. Microsoft Defender for Cloud’s comprehensive AI posture visibility with risk reduction recommendations and threat protection for AI applications with contextual evidence helped preserve their generative AI applications. Icertis can monitor OpenAI deployments, detect malicious prompts and enforce security policies as their first line of defense against AI-related threats. Join our community! Join our experts in the upcoming webinars to learn what we are doing to secure your workloads running in Azure and other clouds. Check out our upcoming webinars this month! DECEMBER 4 (8:00 AM- 9:00 AM PT) Microsoft Defender for Cloud | Unlocking New Capabilities in Defender for Storage DECEMBER 10 (9:00 AM - 10:00 AM PT) Microsoft Defender for Cloud | Expose Less, Protect More with Microsoft Security Exposure Management DECEMBER 11 (8:00 AM - 9:00 AM PT) Microsoft Defender for Cloud | Modernizing Cloud Security with Next‑Generation Microsoft Defender for Cloud We offer several customer connection programs within our private communities. By signing up, you can help us shape our products through activities such as reviewing product roadmaps, participating in co-design, previewing features, and staying up-to-date with announcements. Sign up at aka.ms/JoinCCP. We greatly value your input on the types of content that enhance your understanding of our security products. Your insights are crucial in guiding the development of our future public content. We aim to deliver material that not only educates but also resonates with your daily security challenges. Whether it’s through in-depth live webinars, real-world case studies, comprehensive best practice guides through blogs, or the latest product updates, we want to ensure our content meets your needs. Please submit your feedback on which of these formats do you find most beneficial and are there any specific topics you’re interested in https://aka.ms/PublicContentFeedback. Note: If you want to stay current with Defender for Cloud and receive updates in your inbox, please consider subscribing to our monthly newsletter: https://aka.ms/MDCNewsSubscribe
Key findings from product telemetry: top storage security alerts across industries
1.0 Introduction Cloud storage stands at the core of AI-driven applications, making its security more vital than ever. As generative AI continues to drive innovation, protecting the storage infrastructure becomes central to ensuring both the reliability and safety of AI solutions. Every industry encounters its own set of storage security challenges. For example, financial services must navigate complex compliance requirements and guard against insider risks. Healthcare organizations deal with the protection of confidential patient information (e.g. electronic medical records), while manufacturing and retail face the complexities of distributed environments and vulnerable supply chains. At Microsoft, we leverage product telemetry to gain insight into the most frequent storage security alerts and understand how risks manifest differently across various customer sectors. This article delves into how storage threats are shaped by industry dynamics, drawn on data collected from our customer base to illustrate emerging patterns and risks. Acknowledgement: This blog represents the collaborative work of the following Stroage security in MDC v-team members: Fernanda Vela and Alex Steele, for initiating the project and preparing the initial draft and directing the way we tell the story Eitan Bremler and Lior Tsalovich, for product and customer insights, synthesizing product telemetry and providing review Yuri Diogenes, for his supervision, review and cheerleading We extend our sincere appreciation to each contributor for their dedication and expertise. 1.1 Key findings from product telemetry: Top storage security alerts across industries Based on telemetry gathered from Microsoft Defender for Cloud, certain alerts consistently emerge as the most prevalent across different sectors. These patterns highlight the types of threats and suspicious activities organizations encounter most frequently, reflecting both industry-specific risks and broader attack trends. In the section that follows, this information is presented in detail, offering a breakdown of the most common alerts observed within each industry and providing valuable insight into how storage environments are being targeted and defended. 1.1.1 How does storage security alert in Defender for Cloud work To protect storage accounts from threats, Microsoft Defender for Cloud storage security provides a wide range of security alerts designed to detect suspicious, risky, or anomalous activity across Azure Storage services such as Blob Storage, Data Lake Gen2, and Azure Files. These alerts cover scenarios like unauthorized access attempts, abnormal usage patterns, potential data exfiltration, malware uploads or downloads, sensitive data exposure and changes that may expose storage containers to the public. They leverage threat intelligence and behavioral analytics to identify activity from malicious IPs, unusual geographies, or suspicious applications, ensuring organizations are alerted when their storage environment is potentially at risk. Each alert is categorized by severity, helping organizations prioritize responses to the most critical threats, such as confirmed malware or credential compromise, while also surfacing medium and low-risk anomalies that may indicate early stages of an attack. Overall, Defender for Storage enables proactive monitoring and rapid detection of threats to cloud storage, reducing the risk of exposure, misuse, or compromise of valuable data assets. 1.1.2 Top alert types for major industries Financial, healthcare, technology, energy and manufacturing are often cited as the most targeted industries because of the value of their data, regulatory exposure and their role in critical infrastructure. Our telemetry from Microsoft Defender for Cloud (MDC) shows the top security alerts in storage resources across these five industries: Finance industry Health care industry Manufacturing industry Software industry Energy industry 1.1.3 Top 9 alerts across industries Across industries, the most common alert—averaging 1,300 occurrences per month—is “Unusual application accessed a storage account,” indicating unexpected access to a storage account. Below are the top cross-industry alerts based on this analysis. 1.2 Analysis Application Anomaly Alerts Ranking: #1 across all industries (Finance, Manufacturing, Software, Energy, Healthcare) Alert: Access from a suspicious application (Storage.Blob_ApplicationAnomaly) Why it happens: Organizations increasingly use automation, third-party integrations, and custom scripts to interact with cloud storage. Shadow IT and lack of centralized app governance lead to unexpected access patterns. In sectors like healthcare and finance, sensitive data attracts attackers who may use compromised or malicious apps to probe for weaknesses. Interpretation: High prevalence indicates a need for stricter application registration, monitoring, and access controls. Industries should prioritize visibility into which apps are accessing storage and enforce policies to block unapproved applications. Geo-Anomaly Alerts Ranking: #2 or #3 in most industries Alert: Access from an unusual location (Storage.Blob_GeoAnomaly, Storage.Files_GeoAnomaly) Why it happens: Global operations, remote work, and distributed teams are common in energy, manufacturing, and healthcare. Attackers may use VPNs or compromised credentials to access storage from unusual regions. Interpretation: Frequent geo-anomalies suggest gaps in geo-fencing and conditional access policies. Organizations should review access logs, enforce region-based restrictions, and monitor cross-border data flows. Malware-Related Alerts Ranking: Prominent in healthcare, finance, and software sectors Alert: Malware found in blob (Storage.Blob_AM.MalwareFound) Malware download detected (Storage.Blob_MalwareDownload) Access from IP with suspicious file hash reputation (Storage.Blob_MalwareHashReputation) Why it happens: High-value data and frequent file exchanges make these industries attractive targets for ransomware and malware campaigns. Insufficient scanning capacity or delayed remediation can allow malware to persist. Interpretation: Rising malware alerts point to active threat campaigns and the need for real-time scanning and automated remediation. Industries should scale up Defender capacity, integrate threat intelligence, and enable automatic malware removal. Open Container Scanning Alerts Ranking: More frequent in energy and manufacturing Alerts: Successful discovery of open storage containers (Storage.Blob_OpenContainersScanning.SuccessfulDiscovery) Failed attempt to scan open containers (Storage.Blob_OpenContainersScanning.FailedAttempt) Why it happens: Rapid cloud adoption and operational urgency can lead to misconfigured storage containers. Legacy systems and lack of automated policy enforcement increase exposure risk. Interpretation: High rates of open container alerts signal the need for regular configuration audits and automated security policies. Organizations should prioritize closing public access and monitoring for changes in container exposure. Anonymous Access & Data Exfiltration Alerts Ranking: Present across industries, especially where sensitive data is stored Alerts: Anonymous access anomaly detected (Storage.Blob_AnonymousAccessAnomaly) Data exfiltration detected: unusual amount/number of blobs (Storage.Blob_DataExfiltration.AmountOfDataAnomaly, Storage.Blob_DataExfiltration.NumberOfBlobsAnomaly) Why it happens: Attackers may attempt to access data anonymously or exfiltrate large volumes of data. Weak access controls or lack of monitoring can enable these behaviors. Interpretation: These alerts should trigger immediate investigation and remediation. Organizations must enforce strict access controls and monitor for abnormal data movement. Key Takeaways Across Industries Application anomaly and geo-anomaly alerts are universal, reflecting the challenges of managing automation and global access in modern cloud environments. Malware-related alerts are especially critical in sectors handling sensitive or regulated data, indicating active targeting by threat actors. Open container and capacity alerts reveal operational and configuration risks, often tied to rapid scaling and cloud adoption. Interpreting these trends: High alert shares for specific patterns should drive targeted investments in security controls, monitoring, and automation. Industries must adapt their security strategies to their unique risk profiles, balancing innovation with robust protection. 1.3 Protect storage accounts from threats To address these challenges, Microsoft Defender for Cloud Storage Security offers: Real-time monitoring of storage-related threats: Identifies unusual access patterns with direct integration with Azure. Detect and mitigate with threat intelligence: understand threat context and reduce false positives. Integration with Defender XDR: Provides unified threat correlation, investigation and triaging with industry leading SIEM integration. 2.0 Malware in Storage: A Growing Threat Based on the findings from section 1, let’s analyze which industry receives the most amount of malware related threats: 2.1 Top Findings Healthcare: Malware found in blob (8.6%) Malware download detected (5.5%) Malware hash reputation (4.6%) Total malware-related share: ~18.7% Finance: Malware found in blob (4.5%) Malware download detected (3.9%) Malware hash reputation (4.6%) Total malware-related share: ~13% Manufacturing: Malware found in blob (8.5%) Malware download detected (2.7%) Malware hash reputation (3.3%) Total malware-related share: ~14.5% Software: Malware found in blob (7.8%) Malware download detected (5.9%) Malware hash reputation (15.6%) Total malware-related share: ~29.3% (notably high due to hash reputation alert) Energy: Malware hash reputation (4.2%) Malware found in blob (not top 7) Malware download detected (not top 7) Total malware-related share: ~4.2% (lower than other sectors) 2.2 Analysis Software industry has the highest ranked malware alerts, especially due to a very high share for “Malware hash reputation” (15.6%) and significant shares for “Malware found in blob” and “Malware download detected.” Healthcare also has a high combined share of malware alerts, but not as high as software. Finance, Manufacturing, and Energy have lower shares for malware alerts compared to software and healthcare. How to Read This Trend Software companies are likely targeted more for malware due to their high volume of code, frequent file exchanges, and integration with many external sources. Healthcare is also a prime target because of sensitive patient data (e.g. electronic medical records) and regulatory requirements. If your organization is in software or healthcare, pay extra attention to malware scanning, automated remediation, and threat intelligence integration. Regularly review and update malware protection policies. 2.3 How Microsoft Helps Prevent Malware Spread Defender for Cloud mitigates these risks by: Scanning for malicious content on upload or on demand, in storage accounts Automatic remediation after suspicious uploads Integrating with threat intelligence for threat context correlation, advance investigation and threat response. To learn more about Malware Scanning in Defender for Cloud, visit: Introduction to Defender for Storage malware scanning - Microsoft Defender for Cloud | Microsoft Learn 3.0 Conclusion As cloud and AI adoption accelerate, storage security is now essential for every industry. Microsoft Defender for Cloud storage security telemetry shows that the most frequent alerts—like suspicious application access, geo-anomalies, and malware detection—reflect both evolving threats and the realities of modern operations. These trends highlight the need for proactive monitoring, and strong threat detection and mitigation. Defender for Cloud helps organizations stay ahead of risks, protect critical data, and enable safe innovation in the cloud. Learn more about Defender for Cloud storage security: Microsoft Defender for Cloud | Microsoft Security Start a free Azure trial. Read more about Microsoft Defender for Cloud Storage Security here. 4.0 Appendix: Detailed Data for Top Industry-Specific Alerts 4.1 Finance Industry Alert Type Tag Description Share (%) Access from a suspicious application Storage.Blob_ApplicationAnomaly Blob accessed using a suspicious/uncommon application 34.40 Access from an unusual location Storage.Blob_GeoAnomaly Blob accessed from a geographic location that deviates from typical patterns 23.10 Access from an unusual location (Azure Files) Storage.Files_GeoAnomaly Azure Files share accessed from an unexpected geographic region 7.90 Access from a suspicious application (Files) Storage.Files_ApplicationAnomaly Azure Files share accessed using a suspicious application 7.80 Failed attempt to scan open containers Storage.Blob_OpenContainersScanning.FailedAttempt Failed attempt to scan publicly accessible containers for security risks 6.40 Access from IP with suspicious file hash Storage.Blob_MalwareHashReputation Blob accessed from an IP with known malicious file hashes 4.60 Malware found in blob Storage.Blob_AM.MalwareFound Malware detected within a blob during scanning 4.50 Malware download detected Storage.Blob_MalwareDownload Blob download activity suggests malware distribution 3.90 Anonymous access anomaly detected Storage.Blob_AnonymousAccessAnomaly Blob accessed anonymously in an abnormal way 3.30 Data exfiltration: unusual amount of data Storage.Blob_DataExfiltration.AmountOfDataAnomaly Large volume of data accessed/downloaded, possible exfiltration 2.20 4.2 Healthcare Industry Alert Type Tag Description Share (%) Access from a suspicious application Storage.Blob_ApplicationAnomaly Blob accessed using a suspicious/uncommon application 42.40 Access from an unusual location Storage.Blob_GeoAnomaly Blob accessed from a geographic location that deviates from typical patterns 17.10 Access from a suspicious application (Files) Storage.Files_ApplicationAnomaly Azure Files share accessed using a suspicious application 9.70 Malware found in blob Storage.Blob_AM.MalwareFound Malware detected within a blob during scanning 8.60 Access from an unusual location (Files) Storage.Files_GeoAnomaly Azure Files share accessed from an unexpected geographic region 8.20 Malware download detected Storage.Blob_MalwareDownload Blob download activity suggests malware distribution 5.50 Access from IP with suspicious file hash Storage.Blob_MalwareHashReputation Blob accessed from an IP with known malicious file hashes 4.60 Failed attempt to scan open containers Storage.Blob_OpenContainersScanning.FailedAttempt Failed attempt to scan publicly accessible containers for security risks 4.10 4.3 Manufacturing Industry Alert Type Tag Description Share (%) Access from a suspicious application Storage.Blob_ApplicationAnomaly Blob accessed using a suspicious/uncommon application 28.70 Access from an unusual location Storage.Blob_GeoAnomaly Blob accessed from a geographic location that deviates from typical patterns 24.10 Access from a suspicious application (Files) Storage.Files_ApplicationAnomaly Azure Files share accessed using a suspicious application 9.40 Failed attempt to scan open containers Storage.Blob_OpenContainersScanning.FailedAttempt Failed attempt to scan publicly accessible containers for security risks 8.90 Malware found in blob Storage.Blob_AM.MalwareFound Malware detected within a blob during scanning 8.50 Access from an unusual location (Files) Storage.Files_GeoAnomaly Azure Files share accessed from an unexpected geographic region 7.00 Anonymous access anomaly detected Storage.Blob_AnonymousAccessAnomaly Blob accessed anonymously in an abnormal way 5.20 Access from IP with suspicious file hash Storage.Blob_MalwareHashReputation Blob accessed from an IP with known malicious file hashes 3.30 Malware download detected Storage.Blob_MalwareDownload Blob download activity suggests malware distribution 2.70 Data exfiltration: unusual number of blobs Storage.Blob_DataExfiltration.NumberOfBlobsAnomaly Unusual number of blobs accessed, possible exfiltration 2.30 4.4 Software Industry Alert Type Tag Description Share (%) Access from a suspicious application Storage.Blob_ApplicationAnomaly Blob accessed using a suspicious/uncommon application 22.20 Access from an unusual location Storage.Blob_GeoAnomaly Blob accessed from a geographic location that deviates from typical patterns 16.40 Access from IP with suspicious file hash Storage.Blob_MalwareHashReputation Blob accessed from an IP with known malicious file hashes 15.60 Access from a suspicious application (Files) Storage.Files_ApplicationAnomaly Azure Files share accessed using a suspicious application 8.10 Malware found in blob Storage.Blob_AM.MalwareFound Malware detected within a blob during scanning 7.80 Failed attempt to scan open containers Storage.Blob_OpenContainersScanning.FailedAttempt Failed attempt to scan publicly accessible containers for security risks 7.10 Malware download detected Storage.Blob_MalwareDownload Blob download activity suggests malware distribution 5.90 Anonymous access anomaly detected Storage.Blob_AnonymousAccessAnomaly Blob accessed anonymously in an abnormal way 5.50 Access from an unusual location (Files) Storage.Files_GeoAnomaly Azure Files share accessed from an unexpected geographic region 5.50 Data exfiltration: unusual amount of data Storage.Blob_DataExfiltration.AmountOfDataAnomaly Large volume of data accessed/downloaded, possible exfiltration 3.30 Data exfiltration: unusual number of blobs Storage.Blob_DataExfiltration.NumberOfBlobsAnomaly Unusual number of blobs accessed, possible exfiltration 2.50 4.5 Energy Industry Alert Type Tag Description Share (%) Access from a suspicious application Storage.Blob_ApplicationAnomaly Blob accessed using a suspicious/uncommon application 38.60 Access from an unusual location Storage.Blob_GeoAnomaly Blob accessed from a geographic location that deviates from typical patterns 22.60 Successful discovery of open containers Storage.Blob_OpenContainersScanning.SuccessfulDiscovery Publicly accessible containers discovered during scanning, exposure risk 13.50 Access from a suspicious application (Files) Storage.Files_ApplicationAnomaly Azure Files share accessed using a suspicious application 10.20 Access from an unusual location (Files) Storage.Files_GeoAnomaly Azure Files share accessed from an unexpected geographic region 5.90 Failed attempt to scan open containers Storage.Blob_OpenContainersScanning.FailedAttempt Failed attempt to scan publicly accessible containers for security risks 3.0Microsoft Defender for Cloud Innovations at Ignite 2025
In today’s AI-powered world, the boundaries of security are shifting fast. From code to runtime, organizations are moving faster than ever – building with AI across clouds, accelerating innovation, and expanding the landscape defenders must protect. Security teams are balancing fragmented tools, growing complexity and a new generation of intelligent, agentic systems that learn, adapt and act across the digital estate. The challenge isn’t understanding the change – it’s staying ahead of it. At Ignite 2025, we’re unveiling four major advancements in Microsoft Defender for Cloud that redefine how security keeps pace with cloud-scale innovation and AI autonomy. Together, they advance a simple idea – that security should move as fast as the systems it protects, adapting in real time to new patterns of risk. Defender for Cloud + GitHub Advanced Security integration delivers AI-driven, automated remediation We start where every application does: in the code – and with a major step forward in how security and development teams work together. The pace of development has scaled dramatically. Organizations now build more than 500 new apps 1 on average each year – and as code volume grows, the gap between development and security widens. Working in separate tools with no shared context, developers can’t see which threats security teams prioritize, and security teams can’t easily trace issues back to their source in code. To help organizations address this challenge, Microsoft Defender for Cloud now natively integrates with GitHub Advanced Security (in public preview) – the first native link between runtime intelligence and developer workflows, delivering continuous protection from code to runtime. This bidirectional integration brings Defender for Cloud’s runtime insights directly into GitHub, so vulnerabilities can be surfaced, prioritized, and remediated with AI assistance – all within the developer environment. When Defender for Cloud detects a critical vulnerability in a running workload, developers see exactly where the issue originated in code, how it manifests in production, and the suggestion of how to fix the vulnerability. With Copilot Autofix and GitHub Copilot coding agent capabilities, AI-generated and validated fixes are suggested in real time – shortening remediation cycles from days to hours. For organizations, this integration delivers three tangible benefits: Collaborate without friction. Security teams can open and track GitHub issues directly from Defender for Cloud with context and vulnerability details, ensuring shared visibility between security and development. Accelerate remediation with AI. Copilot-assisted fixes make it faster and safer to resolve vulnerabilities without breaking developer flow. Prioritize what matters most. By mapping runtime threats directly to their source in code, teams can focus on vulnerabilities that are truly exploitable – not just theoretical. Together, security, development, and AI now move as one, finding and fixing issues faster and creating a continuous feedback loop that learns from runtime, feeds insights back into development, and redefines how secure apps and agents get built in the age of AI. Unified posture management and threat protection extends to secure AI Agents The next frontier is securing the AI agents teams create – ensuring protection evolves as fast as the intelligence driving them. IDC projects that organizations will deploy 1.3 billion AI agents by 2028 2 , each capable of reasoning, acting, and accessing sensitive data across multiple environments. As these systems scale, visibility becomes the first challenge: knowing what agents exist, what data they touch, and where risks connect. And with 66% of organizations 3 planning to establish a formal AI risk management function within the next four years, it’s clear that security leaders are racing to catch up with this next evolution. To help organizations stay ahead, Microsoft Defender now provides unified posture management and threat protection for AI agents as a part of Microsoft Agent 365 (in preview). These first-of-its-kind capabilities that secure agentic AI applications across their entire lifecycle. With this innovation, Defender helps organizations secure AI agents in three critical ways: Comprehensive visibility for AI Agents. Gain unified visibility and management of AI agents through Defender, spanning both pro-code and low-code environments from Microsoft Foundry to Copilot Studio. With a single agent inventory, teams can see where agents run and what they connect to – reducing shadow AI and agent sprawl. Risk reduction through posture management. Proactively strengthen AI agents’ security posture with Defender’s posture recommendations and attack path analysis for AI agents. These insights reveal how weak links across agents and cloud resources can form broader risks, helping teams detect and address vulnerabilities before they lead to incidents. Threat protection for AI Agents. Detect, investigate, and respond to threats targeting agentic AI services across models, agents from Microsoft Copilot Studio and Microsoft Foundry, and cloud applications using Defender’s AI-specific detection analytics. These include scenarios like prompt injection, sensitive data exposure, or malicious tool misuse, all enriched with Microsoft’s unmatched threat intelligence for deeper context and faster response. By embedding security into every layer of the agentic AI lifecycle, Defender helps organizations start secure and stay secure. This unified approach ensures that as AI agents evolve and scale, protection scales with them, anchoring the same continuous security foundation that extends across code, cloud, and beyond. Cloud posture management extends to secure serverless resources Defender for Cloud’s unified foundation extends beyond agents – to the cloud infrastructure and platforms that power them – rounding out the protection that scales with innovation itself. That innovation is increasingly running on serverless computing, now a core layer of cloud-native and AI-powered application development. It gives teams the speed and simplicity to deliver faster, but also expands the attack surface across multicloud environments with new exposure points, from unsecured functions to lateral movement risks. To help organizations secure this expanding layer, Microsoft Defender for Cloud is extending its Cloud Security Posture Management (CSPM) to serverless compute and application platforms (available in preview by end of November). With this new coverage, security teams gain greater visibility into serverless compute environments and application platforms, including Azure Functions, Azure Web Apps, and AWS Lambda. Defender for Cloud integrates serverless posture insights into attack path analysis, helping security teams identify and visualize risk, continuously monitor and detect misconfigurations, and find vulnerable serverless resources – further strengthening security posture across the modern application lifecycle. This extension brings serverless computing into the same unified protection model that already secures code, containers, and workloads in Defender for Cloud. As customers modernize with event-driven architectures, Defender for Cloud evolves with them, delivering consistent visibility, control, and protection across every layer of the cloud. Deeper expansion into the Defender Portal turns fragmentation into focus Finally, bringing all the signals security teams depend on into one place requires a single operational hub – a unified security experience that delivers clarity at scale. Yet with 89% of organizations operating across multiple clouds 4 and using an average of 10 security tools to protect them 5 , teams struggle to manage risk across fragmented dashboards and disjointed data – slowing detection and response and leaving blind spots that attackers can exploit. To help security teams move faster and act with clarity, we’re announcing the public preview of unified cloud security posture management into the Microsoft Defender security portal. With Microsoft Defender for Cloud’s deep integration into the unified portal, we eliminate security silos and bring a modern, streamlined experience that is more intuitive and purpose-built for today’s security teams. With this deep integration, Microsoft delivers three key advancements: A new Cloud Security dashboard that unifies posture management and threat protection, giving security teams a complete view of their multicloud environment in one place. Integrated posture capabilities within Exposure Management. Security teams can now see assets, vulnerabilities, attack paths, secure scores, and prioritized recommendations in a single pane of glass, focusing on the issues that matter most. A centralized asset inventory that consolidates resources across Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP), enabling posture validation, logical segmentation, and simplified visibility aligned to operational needs. To complement these capabilities, granular role-based access control (RBAC) helps reduce operational risk and simplify compliance across multicloud environments. The Microsoft Defender portal is now the center of gravity for security teams – bringing together cloud, endpoint and identity protection into one connected experience. Looking ahead, customers will soon be able to onboard and secure new resources directly within the Defender portal, streamlining setup and accelerating time to value. Large organizations will also gain the ability to manage multiple tenants from this unified experience as the rollout expands. The Azure portal remains essential for Defender for Cloud personas beyond security teams, such as DevOps. Adding new resource coverage will continue in the Azure portal as part of this transition. We’ll also keep enhancing experiences for IT and operations personas as part of our broader vision, read more on that in the latest news here. Ready to explore more? To learn more about Defender for Cloud and our latest innovations, you can: Join us at Ignite breakout sessions: Secure what matters with a unified cloud security strategy Secure code to cloud with AI infused DevSecOps Secure your applications: Unified Visibility and Posture Management AI-powered defense for cloud workloads Check out our cloud security solution page and Defender for Cloud product page. New IDC research reveals a major cloud security shift – read the full blog to understand what it means for your organization. Start a 30-day free trial. 1: Source: State of the Developer Nation Report 2: Source: IDC Info Snapshot, Sponsored by Microsoft, 1.3 Billion AI Agents by 2028, Doc. #US53361825, May 2025 3: Source: According to KPMG, 66% of firms who don’t have a formalized AI risk management function are aiming to do so in the next 1-4 years. 4: Source: Flexera 2024 State of the Cloud Report 5: Source: IDC White Paper, Sponsored by Microsoft, "THE NEXT ERA OF CLOUD SECURITY: Cloud-Native Application Protection Platform and Beyond", Doc. #US53297125, April 2025
