Updates from: 07/12/2021 03:02:44
Service Microsoft Docs article Related commit history on GitHub Change details
active-directory View Applications Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/view-applications-portal.md
To view the applications registered in your tenant:
The applications that are registered with your Azure AD tenant are viewable in the **Enterprise apps** section of the Azure portal. 1. Sign in to your [Azure portal](https://portal.azure.com).
-2. On the left navigation panel, select **Azure Active Directory**.
-3. In the **Azure Active Directory** pane, select **Enterprise applications**.
-4. From the **Application Type** drop-down menu, select **All Applications**, and choose **Apply**. A random sample of your tenant applications appears.
-5. To view more applications, select **Load more** at the bottom of the list. If there are numerous applications in your tenant, it might be easier to search for a particular application instead of scrolling through the list. Searching for a particular application is covered later in this quickstart.
+2. In the **Azure services** pane, select **Enterprise applications**.
+3. From the **Application Type** drop-down menu, select **All Applications**, and choose **Apply**. A random sample of your tenant applications appears.
+4. To view more applications, select **Load more** at the bottom of the list. If there are numerous applications in your tenant, it might be easier to search for a particular application instead of scrolling through the list. Searching for a particular application is covered later in this quickstart.
# [Azure CLI](#tab/azure-cli)
To search for a particular application:
1. In the **Application Type** menu, select **All applications**, and choose **Apply**. 2. Enter the name of the application you want to find. If the application has been added to your Azure AD tenant, it appears in the search results. This example shows that GitHub hasn't been added to the tenant applications. ![Example shows an app hasn't been added to the tenant](media/view-applications-portal/search-for-tenant-application.png)
-3. Try entering the first few letters of an application name. This example shows all the applications that start with **Sales**.
+3. Try entering the first few letters of an application name. This example shows all the applications that start with **Office**.
![Example shows all apps that start with Sales](media/view-applications-portal/search-by-prefix.png) # [Azure CLI](#tab/azure-cli)
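Review bot: The image alt text on the context line after step 3 still reads "Example shows all apps that start with Sales", but the changed step now says the example shows applications that start with **Office**. Update the alt text to match, and confirm that search-by-prefix.png was replaced with a screenshot of the Office results.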
azure-monitor App Insights Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/app-insights-overview.md
There are several ways to get started. Begin with whichever works best for you.
* **At run time: instrument your web app on the server.** Ideal for applications already deployed. Avoids any update to the code. * [**ASP.NET or ASP.NET Core applications hosted on Azure Web Apps**](./azure-web-apps.md) * [**ASP.NET applications hosted in IIS on Azure VM or Azure virtual machine scale set**](./azure-vm-vmss-apps.md)
- * [**ASP.NET applications hosted in IIS on-premises VM**](./monitor-performance-live-website-now.md)
+ * [**ASP.NET applications hosted in IIS on-premises server**](./status-monitor-v2-overview.md)
* **At development time: add Application Insights to your code.** Allows you to customize telemetry collection and send additional telemetry. * [ASP.NET Applications](./asp-net.md) * [ASP.NET Core Applications](./asp-net-core.md)
There are several ways to get started. Begin with whichever works best for you.
Get started at runtime with: * [Azure VM and Azure virtual machine scale set IIS-hosted apps](./azure-vm-vmss-apps.md)
-* [IIS server](./monitor-performance-live-website-now.md)
+* [IIS server](./status-monitor-v2-overview.md)
* [Azure Web Apps](./azure-web-apps.md) Get started at development time with:
Get started at development time with:
[platforms]: ./platforms.md [portal]: https://portal.azure.com/ [qna]: ../faq.yml
-[redfield]: ./monitor-performance-live-website-now.md
+[redfield]: ./status-monitor-v2-overview.md
azure-monitor Asp Net Core https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/asp-net-core.md
If the SDK is installed at build time as shown in this article, you don't need t
* You can track additional custom telemetry by using the `TrackXXX()` API. * You have full control over the configuration.
-### Can I enable Application Insights monitoring by using tools like Status Monitor?
+### Can I enable Application Insights monitoring by using tools like Azure Monitor Application Insights Agent (formally Status Monitor v2)?
-No. [Status Monitor](./monitor-performance-live-website-now.md) and [Status Monitor v2](./status-monitor-v2-overview.md) currently support only ASP.NET 4.x.
+No, [Azure Monitor Application Insights Agent](./status-monitor-v2-overview.md) currently supports only ASP.NET 4.x.
### If I run my application in Linux, are all features supported?
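Review bot: In the new heading, "(formally Status Monitor v2)" should read "(formerly Status Monitor v2)", since the parenthesis gives the previous name. Renaming the heading also changes its generated anchor, so check for inbound links to the old heading.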
azure-monitor Asp Net Exceptions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/asp-net-exceptions.md
To have exceptions reported from your server side application, consider the foll
* **Azure web apps**: Add the [Application Insights Extension](./azure-web-apps.md) * **Azure VM and Azure virtual machine scale set IIS-hosted apps**: Add the [Application Monitoring Extension](./azure-vm-vmss-apps.md) * Install [Application Insights SDK](./asp-net.md) in your app code, or
- * **IIS web servers**: Run [Application Insights Agent](./monitor-performance-live-website-now.md), or
+ * **IIS web servers**: Run [Application Insights Agent](./status-monitor-v2-overview.md), or
* **Java web apps**: Enable the [Java agent](./java-in-process-agent.md) ### Client side
namespace WcfService4
## Exception performance counters
-If you have [installed the Application Insights Agent](./monitor-performance-live-website-now.md) on your server, you can get a chart of the exceptions rate, measured by .NET. This includes both handled and unhandled .NET exceptions.
+If you have [installed the Azure Monitor Application Insights Agent](./status-monitor-v2-overview.md) on your server, you can get a chart of the exceptions rate, measured by .NET. This includes both handled and unhandled .NET exceptions.
Open a Metric Explorer tab, add a new chart, and select **Exception rate**, listed under Performance Counters.
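Review bot: The link text here becomes "installed the Azure Monitor Application Insights Agent", while the **IIS web servers** bullet changed earlier in this same file keeps "Run [Application Insights Agent]" and only swaps the target. Use one product name for both links so readers do not take them for two different tools.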
azure-monitor Asp Net Troubleshoot No Data https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/asp-net-troubleshoot-no-data.md
Internet Information Services (IIS) logs counts of all request reaching IIS and
* This is probably a firewall issue. [Set firewall exceptions for Application Insights to send data](../../azure-monitor/app/ip-addresses.md). * IIS Server might be missing some prerequisites, like .NET Extensibility 4.5 or ASP.NET 4.5.
-*I [installed Status Monitor](./monitor-performance-live-website-now.md) on my web server to monitor existing apps. I don't see any results.*
+*I [installed Azure Monitor Application Insights Agent](./status-monitor-v2-overview.md) on my web server to monitor existing apps. I don't see any results.*
-* See [Troubleshooting Status Monitor](./monitor-performance-live-website-now.md#troubleshoot).
+* See [Troubleshooting Status Monitor](./status-monitor-v2-troubleshoot.md).
> [!IMPORTANT] > [Connection Strings](./sdk-connection-string.md?tabs=net) are recommended over instrumentation keys. New Azure regions **require** the use of connection strings instead of instrumentation keys. Connection string identifies the resource that you want to associate your telemetry data with. It also allows you to modify the endpoints your resource will use as a destination for your telemetry. You will need to copy the connection string and add it to your application's code or to an environment variable.
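Review bot: The added bullet keeps the link text "Troubleshooting Status Monitor" while now pointing at status-monitor-v2-troubleshoot.md, and the question line above it was renamed to Azure Monitor Application Insights Agent. Rename the link text to match the agent so the question and its answer refer to the same tool.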
The data comes from scripts in the web pages.
See [dependency telemetry](./asp-net-dependencies.md) and [exception telemetry](asp-net-exceptions.md). ## No performance data
-Performance data (CPU, IO rate, and so on) is available for [Java web services](java-2x-collectd.md), [Windows desktop apps](./windows-desktop.md), [IIS web apps and services if you install status monitor](./monitor-performance-live-website-now.md), and [Azure Cloud Services](./app-insights-overview.md). you'll find it under Settings, Servers.
+Performance data (CPU, IO rate, and so on) is available for [Java web services](java-2x-collectd.md), [Windows desktop apps](./windows-desktop.md), [IIS web apps and services if you install Application Insights Agent](./status-monitor-v2-overview.md), and [Azure Cloud Services](./app-insights-overview.md). you'll find it under Settings, Servers.
## No (server) data since I published the app to my server * Check that you actually copied all the Microsoft. ApplicationInsights DLLs to the server, together with Microsoft.Diagnostics.Instrumentation.Extensions.Intercept.dll
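Review bot: The rewritten paragraph still ends with "you'll find it under Settings, Servers." starting in lowercase. Since the line is being touched anyway, capitalize the sentence.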
azure-monitor Availability Multistep https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/availability-multistep.md
For guidance on creating Visual Studio web tests consult the [official Visual St
## Upload the web test
-1. In the Application Insights portal on the Availability pane select **Create Test** > **Test type** > **Multi-step web test**.
-
-2. Set the test locations, frequency, and alert parameters.
+1. In the Application Insights portal on the Availability pane select **Add Classic test**, then select **Multi-step** as the *SKU*.
+2. Upload your multi-step web test.
+3. Set the test locations, frequency, and alert parameters.
+4. Select **Create**.
### Frequency & location
azure-monitor Availability Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/availability-overview.md
Title: Application Insights availability overview description: Set up recurring web tests to monitor availability and responsiveness of your app or website. Previously updated : 07/08/2021 Last updated : 07/10/2021
You can set up availability tests for any HTTP or HTTPS endpoint that is accessi
## Types of availability tests
-There are four types of availability tests:
+There are three types of availability tests:
-* [URL ping test](monitor-web-app-availability.md): A simple tests you can create through the portal. Standard ping test includes features like using any HTTP request methods (for example `GET`,`HEAD`,`POST`, etc.) or adding custom headers.
+* [URL ping test](monitor-web-app-availability.md): A simple tests you can create through the portal to validate whether an endpoint is responding and measure performance associated with that response. You may also set custom success criteria coupled with more advanced features like parsing dependent requests, and allowing for retries.
* [Multi-step web test](availability-multistep.md): A recording of a sequence of web requests, which can be played back to test more complex scenarios. Multi-step web tests are created in Visual Studio Enterprise and uploaded to the portal for execution.
-* [Custom Track Availability Tests](/dotnet/api/microsoft.applicationinsights.telemetryclient.trackavailability): If you decide to create a custom application to run availability tests, the `TrackAvailability()` method can be used to send the results to Application Insights.
+* [Custom Track Availability Tests](availability-azure-functions.md): If you decide to create a custom application to run availability tests, the [TrackAvailability()](/dotnet/api/microsoft.applicationinsights.telemetryclient.trackavailability) method can be used to send the results to Application Insights.
> [!IMPORTANT] > Both, [URL ping test](monitor-web-app-availability.md) and [multi-step web test](availability-multistep.md) rely on the public internet DNS infrastructure to resolve the domain names of the tested endpoints. This means that if you are using Private DNS, you must either ensure that every domain name of your test is also resolvable by the public domain name servers or, when it is not possible, you can use [custom track availability tests](/dotnet/api/microsoft.applicationinsights.telemetryclient.trackavailability) instead.
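Review bot: The new URL ping test bullet carries over the grammar slip "A simple tests you can create"; change it to "A simple test". The Custom Track Availability Tests bullet now links to availability-azure-functions.md, but the [!IMPORTANT] note directly below still links "custom track availability tests" to the TrackAvailability() API reference, so align the two targets.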
Dedicated [troubleshooting article](troubleshoot-availability.md).
* [Multi-step web tests](availability-multistep.md) * [URL tests](monitor-web-app-availability.md) * [Create and run custom availability tests using Azure Functions.](availability-azure-functions.md)
-* [Web Tests Azure Resource Manager template](/azure/templates/microsoft.insights/webtests?tabs=json)
+* [Web Tests Azure Resource Manager template](/azure/templates/microsoft.insights/webtests?tabs=json)
azure-monitor Data Retention Privacy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/data-retention-privacy.md
Application Insights SDKs are available for a range of application types: web se
## What data does it collect? There are three sources of data:
-* The SDK, which you integrate with your app either [in development](./asp-net.md) or [at run time](./monitor-performance-live-website-now.md). There are different SDKs for different application types. There's also an [SDK for web pages](./javascript.md), which loads into the end user's browser along with the page.
+* The SDK, which you integrate with your app either [in development](./asp-net.md) or [at run time](./status-monitor-v2-overview.md). There are different SDKs for different application types. There's also an [SDK for web pages](./javascript.md), which loads into the end user's browser along with the page.
* Each SDK has a number of [modules](./configuration-with-applicationinsights-config.md), which use different techniques to collect different types of telemetry. * If you install the SDK in development, you can use its API to send your own telemetry, in addition to the standard modules. This custom telemetry can include any data you want to send.
This product includes GeoLite2 data created by MaxMind, available from [https://
[java]: ./java-in-process-agent.md [platforms]: ./platforms.md [pricing]: https://azure.microsoft.com/pricing/details/application-insights/
-[redfield]: ./monitor-performance-live-website-now.md
+[redfield]: ./status-monitor-v2-overview.md
[start]: ./app-insights-overview.md
azure-monitor Devops https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/devops.md
Title: Web app performance monitoring - Azure Application Insights
-description: How Application Insights fits into the devOps cycle
+description: How Application Insights fits into the DevOps cycle
Last updated 12/21/2018
When an alert is raised, Application Insights can automatically create a work it
## Next steps Getting started with Application Insights is easy. The main options are:
-* [IIS servers](./monitor-performance-live-website-now.md), and also for [Azure App Service](./app-insights-overview.md).
-* Instrument your project during development. You can do this for [ASP.NET](./asp-net.md) or [Java](./java-in-process-agent.md) apps, as well as [Node.js](./nodejs.md) and a host of [other types](./platforms.md).
+* [IIS servers](./status-monitor-v2-overview.md)
+* Instrument your project during development. You can do this for [ASP.NET](./asp-net.md) or [Java](./java-in-process-agent.md) apps, and [Node.js](./nodejs.md) and a host of [other types](./platforms.md).
* Instrument [any web page](./javascript.md) by adding a short code snippet.
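Review bot: Replacing "as well as" with "and" in the second bullet leaves "apps, and [Node.js] and a host of [other types]", which reads as a run-on; restructure it as a plain comma-separated list. The first bullet also drops the Azure App Service link without a replacement, so the Next steps list no longer offers an App Service starting point; add one if the removal was not intended.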
azure-monitor How Do I https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/how-do-i.md
Among the metrics you can show in metrics explorer are a set of system performan
![Open your Application Insights resource and click Servers](./media/how-do-i/121-servers.png) ### If you see no performance counter data
-* **IIS server** on your own machine or on a VM. [Install Status Monitor](./monitor-performance-live-website-now.md).
+* **IIS server** on your own machine or on a VM. [Install Azure Monitor Application Insights Agent](./status-monitor-v2-overview.md).
* **Azure web site** - we don't support performance counters yet. There are several metrics you can get as a standard part of the Azure web site control panel. * **Unix server** - [Install collectd](java-2x-collectd.md)
azure-monitor Monitor Performance Live Website Now https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/monitor-performance-live-website-now.md
- Title: Monitor a live ASP.NET web app with Azure Application Insights | Microsoft Docs
-description: Monitor a website's performance without re-deploying it. Works with ASP.NET web apps hosted on-premises or in VMs.
- Previously updated : 08/26/2019----
-# Instrument web apps at runtime with Application Insights Codeless Attach
-
-> [!IMPORTANT]
-> Status Monitor is no longer recommended for use, and **starting June 1st 2021** this version of Status monitor will not be supported. It has been replaced by the Azure Monitor Application Insights Agent (formerly named Status Monitor v2). See our documentation for [on-premises server deployments](./status-monitor-v2-overview.md) or [Azure virtual machine and virtual machine scale set deployments](./azure-vm-vmss-apps.md).
-
-You can instrument a live web app with Azure Application Insights, without having to modify or redeploy your code. You need a [Microsoft Azure](https://azure.com) subscription.
-
-Status Monitor is used to instrument a .NET application hosted in IIS either on-premises or in a VM.
--- If your app is deployed into Azure VM or Azure virtual machine scale set, follow [these instructions](azure-vm-vmss-apps.md).-- If your app is deployed into Azure app services, follow [these instructions](azure-web-apps.md).-- If your app is deployed in an Azure VM, you can switch on Application Insights monitoring from the Azure control panel.-- (There are also separate articles about instrumenting [Azure Cloud Services](./cloudservices.md).)--
-![Screenshot of App Insights overview graphs containing information on failed requests, server response time, and server requests](./media/monitor-performance-live-website-now/overview-graphs.png)
-
-You have a choice of two routes to apply Application Insights to your .NET web applications:
-
-* **Build time:** [Add the Application Insights SDK][greenbrown] to your web app code.
-* **Run time:** Instrument your web app on the server, as described below, without rebuilding and redeploying the code.
-
-> [!NOTE]
-> If you use build time instrumentation, run time instrumentation will not work even if it is turned on.
-
-Here's a summary of what you get by each route:
-
-| | Build time | Run time |
-| | | |
-| **Requests & exceptions** |Yes |Yes |
-| **[More detailed exceptions](./asp-net-exceptions.md)** | |Yes |
-| **[Dependency diagnostics](./asp-net-dependencies.md)** |On .NET 4.6+, but less detail |Yes, full detail: result codes, SQL command text, HTTP verb|
-| **[System performance counters](./performance-counters.md)** |Yes |Yes |
-| **[API for custom telemetry][api]** |Yes |No |
-| **[Trace log integration](./asp-net-trace-logs.md)** |Yes |No |
-| **[Page view & user data](./javascript.md)** |Yes |No |
-| **Need to rebuild code** |Yes | No |
---
-## Monitor a live IIS web app
-
-If your app is hosted on an IIS server, enable Application Insights by using Status Monitor.
-
-1. On your IIS web server, sign in with administrator credentials.
-2. If Application Insights Status Monitor is not already installed, [download and run the installer](#download)
-3. In Status Monitor, select the installed web application or website that you want to monitor. Sign in with your Azure credentials.
-
- Configure the resource where you want to see the results in the Application Insights portal. (Normally, it's best to create a new resource. Select an existing resource if you already have [web tests][availability] or [client monitoring][client] for this app.)
-
- ![Choose an app and a resource.](./media/monitor-performance-live-website-now/appinsights-036-configAIC.png)
-
-4. Restart IIS.
-
- ![Choose Restart at the top of the dialog.](./media/monitor-performance-live-website-now/appinsights-036-restart.png)
-
- Your web service is interrupted for a short while.
-
-## Customize monitoring options
-
-Enabling Application Insights adds DLLs and ApplicationInsights.config to your web app. You can [edit the .config file](./configuration-with-applicationinsights-config.md) to change some of the options.
-
-## When you re-publish your app, re-enable Application Insights
-
-Before you re-publish your app, consider [adding Application Insights to the code in Visual Studio][greenbrown]. You'll get more detailed telemetry and the ability to write custom telemetry.
-
-If you want to re-publish without adding Application Insights to the code, be aware that the deployment process may delete the DLLs and ApplicationInsights.config from the published web site. Therefore:
-
-1. If you edited ApplicationInsights.config, take a copy of it before you re-publish your app.
-2. Republish your app.
-3. Re-enable Application Insights monitoring. (Use the appropriate method: either the Azure web app control panel, or the Status Monitor on an IIS host.)
-4. Reinstate any edits you performed on the .config file.
--
-## <a name="troubleshoot"></a>Troubleshooting
-
-### Confirm a valid installation
-
-These are some steps that you can perform to confirm that your installation was successful.
--- Confirm that the applicationInsights.config file is present in the target app directory and contains your ikey.--- If you suspect that data is missing, you can run a query in [Analytics](../logs/log-analytics-tutorial.md) to list all the cloud roles currently sending telemetry.
- ```Kusto
- union * | summarize count() by cloud_RoleName, cloud_RoleInstance
- ```
--- If you need to confirm that Application Insights is successfully attached, you can run [Sysinternals Handle](/sysinternals/downloads/handle) in a command window to confirm that applicationinsights.dll has been loaded by IIS.-
- ```console
- handle.exe /p w3wp.exe
- ```
--
-### Can't connect? No telemetry?
-
-* Open [the necessary outgoing ports](./ip-addresses.md#outgoing-ports) in your server's firewall to allow Status Monitor to work.
-
-### Unable to login
-
-If Status Monitor cannot login, do a command line install instead. Status Monitor attempts to login to collect your ikey, but you can provide this manually using the command:
-
-```powershell
-Import-Module 'C:\Program Files\Microsoft Application Insights\Status Monitor\PowerShell\Microsoft.Diagnostics.Agent.StatusMonitor.PowerShell.dll'
-Start-ApplicationInsightsMonitoring -Name appName -InstrumentationKey 00000000-000-000-000-0000000
-```
-
-### Could not load file or assembly 'System.Diagnostics.DiagnosticSource'
-
-You may get this error after enabling Application Insights. This is because the installer replaces this dll in your bin directory.
-To fix update your web.config:
-
-```xml
-<dependentAssembly>
- <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51"/>
- <bindingRedirect oldVersion="0.0.0.0-4.*.*.*" newVersion="4.0.2.1"/>
-</dependentAssembly>
-```
-
-We are tracking this issue [here](https://github.com/MohanGsk/ApplicationInsights-Home).
--
-### Application diagnostic messages
-
-* Open Status Monitor and select your application on left pane. Check if there are any diagnostics messages for this application in the "Configuration notifications" section:
-
- ![Open the Performance blade to see request, response time, dependency and other data](./media/monitor-performance-live-website-now/appinsights-status-monitor-diagnostics-message.png)
-
-### Detailed logs
-
-* By default Status Monitor will output diagnostic logs at: `C:\Program Files\Microsoft Application Insights\Status Monitor\diagnostics.log`
-
-* To output verbose logs, modify the config file: `C:\Program Files\Microsoft Application Insights\Status Monitor\Microsoft.Diagnostics.Agent.StatusMonitor.exe.config` and add `<add key="TraceLevel" value="All" />` to the `appsettings`.
-Then restart status monitor.
-
-* As Status Monitor is a .NET application you can also enable [.net tracing by adding the appropriate diagnostics to the config file](/dotnet/framework/configure-apps/file-schema/trace-debug/system-diagnostics-element). For example, in some scenarios it can be useful to see what's happening at the network level by [configuring network tracing](/dotnet/framework/network-programming/how-to-configure-network-tracing)
-
-### Insufficient permissions
-
-* On the server, if you see a message about "insufficient permissions", try the following:
- * In IIS Manager, select your application pool, open **Advanced Settings**, and under **Process Model** note the identity.
- * In Computer management control panel, add this identity to the Performance Monitor Users group.
-
-### Conflict with Systems Center Operations Manager
-
-* If you have MMA/SCOM (Systems Center Operations Manager) installed on your server, some versions can conflict. Uninstall both SCOM and Status Monitor, and re-install the latest versions.
-
-### Failed or incomplete installation
-
-If Status Monitor fails during an installation, you could be left with an incomplete install that Status Monitor is unable to recover from. This will require a manual reset.
-
-Delete any of these files found in your application directory:
-- Any DLLs in your bin directory starting with either "Microsoft.AI." or "Microsoft.ApplicationInsights.".-- This DLL in your bin directory "Microsoft.Web.Infrastructure.dll"-- This DLL in your bin directory "System.Diagnostics.DiagnosticSource.dll"-- In your application directory remove "App_Data\packages"-- In your application directory remove "applicationinsights.config"--
-### Additional Troubleshooting
-
-* See Additional [Troubleshooting][qna].
-
-## System Requirements
-OS support for Application Insights Status Monitor on Server:
-
-* Windows Server 2008
-* Windows Server 2008 R2
-* Windows Server 2012
-* Windows server 2012 R2
-* Windows Server 2016
-
-with latest SP and .NET Framework 4.5 (Status Monitor is built on this version of the framework)
-
-On the client side: Windows 7, 8, 8.1 and 10, again with .NET Framework 4.5
-
-IIS support is: IIS 7, 7.5, 8, 8.5
-(IIS is required)
-
-## Automation with PowerShell
-You can start and stop monitoring by using PowerShell on your IIS server.
-
-First import the Application Insights module:
-
-```powershell
-Import-Module 'C:\Program Files\Microsoft Application Insights\Status Monitor\PowerShell\Microsoft.Diagnostics.Agent.StatusMonitor.PowerShell.dll'
-```
-
-Find out which apps are being monitored:
-
-`Get-ApplicationInsightsMonitoringStatus [-Name appName]`
-
-* `-Name` (Optional) The name of a web app.
-* Displays the Application Insights monitoring status for each web app (or the named app) in this IIS server.
-* Returns `ApplicationInsightsApplication` for each app:
-
- * `SdkState==EnabledAfterDeployment`: App is being monitored, and was instrumented at run time, either by the Status Monitor tool, or by `Start-ApplicationInsightsMonitoring`.
- * `SdkState==Disabled`: The app is not instrumented for Application Insights. Either it was never instrumented, or run-time monitoring was disabled with the Status Monitor tool or with `Stop-ApplicationInsightsMonitoring`.
- * `SdkState==EnabledByCodeInstrumentation`: The app was instrumented by adding the SDK to the source code. Its SDK cannot be updated or stopped.
- * `SdkVersion` shows the version in use for monitoring this app.
- * `LatestAvailableSdkVersion`shows the version currently available on the NuGet gallery. To upgrade the app to this version, use `Update-ApplicationInsightsMonitoring`.
-
-`Start-ApplicationInsightsMonitoring -Name appName -InstrumentationKey 00000000-000-000-000-0000000`
-
-* `-Name` The name of the app in IIS
-* `-InstrumentationKey` The ikey of the Application Insights resource where you want the results to be displayed.
-* This cmdlet only affects apps that are not already instrumented - that is, SdkState==NotInstrumented.
-
- The cmdlet does not affect an app that is already instrumented. It does not matter whether the app was instrumented at build time by adding the SDK to the code, or at run time by a previous use of this cmdlet.
-
- The SDK version used to instrument the app is the version that was most recently downloaded to this server.
-
- To download the latest version, use Update-ApplicationInsightsVersion.
-* Returns `ApplicationInsightsApplication` on success. If it fails, it logs a trace to stderr.
-
- ```output
- Name : Default Web Site/WebApp1
- InstrumentationKey : 00000000-0000-0000-0000-000000000000
- ProfilerState : ApplicationInsights
- SdkState : EnabledAfterDeployment
- SdkVersion : 1.2.1
- LatestAvailableSdkVersion : 1.2.3
- ```
-
-`Stop-ApplicationInsightsMonitoring [-Name appName | -All]`
-
-* `-Name` The name of an app in IIS
-* `-All` Stops monitoring all apps in this IIS server for which `SdkState==EnabledAfterDeployment`
-* Stops monitoring the specified apps and removes instrumentation. It only works for apps that have been instrumented at run-time using the Status Monitoring tool or Start-ApplicationInsightsApplication. (`SdkState==EnabledAfterDeployment`)
-* Returns ApplicationInsightsApplication.
-
-`Update-ApplicationInsightsMonitoring -Name appName [-InstrumentationKey "0000000-0000-000-000-0000"`]
-
-* `-Name`: The name of a web app in IIS.
-* `-InstrumentationKey` (Optional.) Use this to change the resource to which the app's telemetry is sent.
-* This cmdlet:
- * Upgrades the named app to the version of the SDK most recently downloaded to this machine. (Only works if `SdkState==EnabledAfterDeployment`)
- * If you provide an instrumentation key, the named app is reconfigured to send telemetry to the resource with that key. (Works if `SdkState != Disabled`)
-
-`Update-ApplicationInsightsVersion`
-
-* Downloads the latest Application Insights SDK to the server.
-
-## <a name="questions"></a>Questions about Status Monitor
-
-### What is Status Monitor?
-
-A desktop application that you install in your IIS web server. It helps you instrument and configure web apps.
-
-### When do I use Status Monitor?
-
-* To instrument any web app that is running on your IIS server - even if it is already running.
-* To enable additional telemetry for web apps that have been [built with the Application Insights SDK](./asp-net.md) at compile time.
-
-### Can I close it after it runs?
-
-Yes. After it has instrumented the websites you select, you can close it.
-
-It doesn't collect telemetry by itself. It just configures the web apps and sets some permissions.
-
-### What does Status Monitor do?
-
-When you select a web app for Status Monitor to instrument:
-
-* Downloads and places the Application Insights assemblies and ApplicationInsights.config file in the web app's binaries folder.
-* Enables CLR profiling to collect dependency calls.
-
-### What version of Application Insights SDK does Status Monitor install?
-
-As of now, Status Monitor can only install Application Insights SDK versions 2.3 or 2.4.
-
-The Application Insights SDK Version 2.4 is the [last version to support .NET 4.0](https://github.com/microsoft/ApplicationInsights-dotnet/releases/tag/v2.5.0-beta1) which was [EOL January 2016](https://devblogs.microsoft.com/dotnet/support-ending-for-the-net-framework-4-4-5-and-4-5-1/). Therefore, as of now Status Monitor can be used to instrument a .NET 4.0 application.
-
-### Do I need to run Status Monitor whenever I update the app?
-
-Not if you redeploy incrementally.
-
-If you select the 'delete existing files' option in the publish process, you would need to re-run Status Monitor to configure Application Insights.
-
-### What telemetry is collected?
-
-For applications that you instrument only at run-time by using Status Monitor:
-
-* HTTP requests
-* Calls to dependencies
-* Exceptions
-* Performance counters
-
-For applications already instrumented at compile time:
-
- * Process counters.
- * Dependency calls (.NET 4.5); return values in dependency calls (.NET 4.6).
- * Exception stack trace values.
-
-[Learn more](https://apmtips.com/posts/2016-11-18-how-application-insights-status-monitor-not-monitors-dependencies/)
-
-## Video
-
-> [!VIDEO https://channel9.msdn.com/events/Connect/2016/100/player]
-
-## <a name="download"></a>Download Status Monitor
--- Use the new [PowerShell Module](./status-monitor-v2-overview.md)-- Download and run the [Status Monitor installer](https://go.microsoft.com/fwlink/?LinkId=506648)-- Or run [Web Platform Installer](https://www.microsoft.com/web/downloads/platform.aspx) and search in it for Application Insights Status Monitor.-
-## <a name="next"></a>Next steps
-
-View your telemetry:
-
-* [Explore metrics](../essentials/metrics-charts.md) to monitor performance and usage
-* [Search events and logs][diagnostic] to diagnose problems
-* [Analytics](../logs/log-query-overview.md) for more advanced queries
-
-Add more telemetry:
-
-* [Create web tests][availability] to make sure your site stays live.
-* [Add web client telemetry][usage] to see exceptions from web page code and to let you insert trace calls.
-* [Add Application Insights SDK to your code][greenbrown] so that you can insert trace and log calls
-
-<!--Link references-->
-
-[api]: ./api-custom-events-metrics.md
-[availability]: monitor-web-app-availability.md
-[client]: ./javascript.md
-[diagnostic]: ./diagnostic-search.md
-[greenbrown]: ./asp-net.md
-[qna]: ../faq.yml
-[roles]: ./resources-roles-access-control.md
-[usage]: ./javascript.md
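Review bot: The removed content defines the named anchors `questions`, `download` and `next` on its headings, so any inbound link that targets them breaks once these lines are gone. The removed download section already names `./status-monitor-v2-overview.md` as the replacement PowerShell module; add a redirect to that page, or confirm one exists, before merging.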
azure-monitor Monitor Web App Availability https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/monitor-web-app-availability.md
Title: Monitor availability with URL ping tests- Azure Monitor description: Set up ping tests in Application Insights. Get alerts if a website becomes unavailable or responds slowly. Previously updated : 07/08/2021 Last updated : 07/10/2021 # Monitor availability with URL ping tests
-The name "URL ping test" is a bit of a misnomer. To be clear, these tests aren't making any use of ICMP (Internet Control Message Protocol) to check your site's availability. Instead they use more advanced HTTP request functionality to validate whether an endpoint is responding. They also measure the performance associated with that response, and adds the ability to set custom success criteria coupled with more advanced features like parsing dependent requests, and allowing for retries.
+The name "URL ping test" is a bit of a misnomer. To be clear, these tests are not making any use of ICMP (Internet Control Message Protocol) to check your site's availability. Instead they use more advanced HTTP request functionality to validate whether an endpoint is responding. They also measure the performance associated with that response, and adds the ability to set custom success criteria coupled with more advanced features like parsing dependent requests, and allowing for retries.
-> [!NOTE]
-> Standard ping tests are currently in public preview. These preview versions are provided without a service level agreement. Certain features might not be supported or might have constrained capabilities.
-
-> [!NOTE]
-> There are currently no additional charges for the preview feature Standard Ping tests. Pricing for features that are in preview will be announced in the future and a notice provided prior to start of billing. Should you choose to continue using Standard Ping tests after the notice period, you will be billed at the applicable rate.
+In order to create an availability test, you need use an existing Application Insights resource or [create an Application Insights resource](create-new-resource.md).
-## Create a Standard URL ping test
+## Create a test
-To create an availability test, you need use an existing Application Insight resource or [create an Application Insights resource](create-new-resource.md).
+To create your first availability request:
+1. In your Application Insights resource open the Availability pane and selectΓÇ» **Add Classic Test**.
+ :::image type="content" source="./media/monitor-web-app-availability/create-test.png" alt-text="Screenshot of create of create a test." lightbox ="./media/monitor-web-app-availability/create-test.png":::
+1. Name your test and select "URL ping " as the *SKU*.
+1. Enter the URL you wish to test.
+1. Adjust the settings to your needs ( explanation below) and select **Create**.
-|Setting | Explanation |
-|--|-|
+|Setting| Explanation |
+|-|-|
|**URL** | The URL can be any web page you want to test, but it must be visible from the public internet. The URL can include a query string. So, for example, you can exercise your database a little. If the URL resolves to a redirect, we follow it up to 10 redirects.|
-|**Parse dependent requests**| Test requests images, scripts, style files, and other files that are part of the web page under test. The recorded response time includes the time taken to get these files. The test fails if any of these resources cannot be successfully downloaded within the timeout for the whole test. If the option isn't checked, the test only requests the file at the URL you specified. Enabling this option results in a stricter check. The test could fail for cases, which may not be noticeable when manually browsing the site. |
-|**Enable retries**| When the test fails, it's retried after a short interval. A failure is reported only if three successive attempts fail. Subsequent tests are then performed at the usual test frequency. Retry is temporarily suspended until the next success. This rule is applied independently at each test location. **We recommend this option**. On average, about 80% of failures disappear on retry.|
-| **SSL certificate validation test** | You can verify the SSL certificate on your website to make sure it's correctly installed, valid, trusted, and doesn't give any errors to any of your users. |
-| **Proactive lifetime check** | This enables you to define a set time period before your SSL certificate expires. Once it expires, your test will fail. |
+|**Parse dependent requests**| Test requests images, scripts, style files, and other files that are part of the web page under test. The recorded response time includes the time taken to get these files. The test fails if any of these resources cannot be successfully downloaded within the timeout for the whole test. If the option is not checked, the test only requests the file at the URL you specified. Enabling this option results in a stricter check. The test could fail for cases, which may not be noticeable when manually browsing the site.
+|**Enable retries**|when the test fails, it is retried after a short interval. A failure is reported only if three successive attempts fail. Subsequent tests are then performed at the usual test frequency. Retry is temporarily suspended until the next success. This rule is applied independently at each test location. **We recommend this option**. On average, about 80% of failures disappear on retry.|
|**Test frequency**| Sets how often the test is run from each test location. With a default frequency of five minutes and five test locations, your site is tested on average every minute.|
-|**Test locations**| Are the places from where our servers send web requests to your URL. **Our minimum number of recommended test locations is five** to ensure that you can distinguish problems in your website from network issues. You can select up to 16 locations.|
-| **Custom headers** | Key value pairs that define the operating parameters. |
-| **HTTP request verb** | Indicate what action you would like to take with your request. IF your chosen verb is not available in the UI you can deploy a standard test using Azure Resource Monitor with the desired choice. |
-| **Request body** | Custom data associated with your HTTP request. You can upload your own files, type in your content, or disable this feature. For raw body content, we support TEXT, JSON, HTML, XML, and JavaScript. |
-
+|**Test locations**| Are the places from where our servers send web requests to your URL. **Our minimum number of recommended test locations is five** in order to insure that you can distinguish problems in your website from network issues. You can select up to 16 locations.
**If your URL is not visible from the public internet, you can choose to selectively open up your firewall to allow only the test transactions through**. To learn more about the firewall exceptions for our availability test agents, consult the [IP address guide](./ip-addresses.md#availability-tests).
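Review bot: The added **Parse dependent requests** and **Test locations** rows no longer end with a closing `|`, unlike the rows they replace, which can break rendering of the settings table; restore the trailing pipe on both. In the same hunk, "in order to insure" should be "ensure", "you need use" is missing "to", the **Enable retries** cell now starts with a lowercase "when", the alt text reads "Screenshot of create of create a test.", and `selectΓÇ»` in step 1 looks like a mis-encoded non-breaking space. The rows for **SSL certificate validation test** and **Proactive lifetime check** are dropped with no pointer to where certificate checks are documented now; if they are still supported, keep the rows or link to their new location.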
To create an availability test, you need use an existing Application Insight res
## Success criteria
-|Setting| Explanation|
-|-||
+|Setting| Explanation |
+|-|-|
| **Test timeout** |Decrease this value to be alerted about slow responses. The test is counted as a failure if the responses from your site have not been received within this period. If you selected **Parse dependent requests**, then all the images, style files, scripts, and other dependent resources must have been received within this period.| | **HTTP response** | The returned status code that is counted as a success. 200 is the code that indicates that a normal web page has been returned.| | **Content match** | A string, like "Welcome!" We test that an exact case-sensitive match occurs in every response. It must be a plain string, without wildcards. Don't forget that if your page content changes you might have to update it. **Only English characters are supported with content match** | ## Alerts
-|Setting| Explanation|
-|-||
+|Setting| Explanation |
+|-|-|
|**Near-realtime (Preview)** | We recommend using Near-realtime alerts. Configuring this type of alert is done after your availability test is created. | |**Alert location threshold**|We recommend a minimum of 3/5 locations. The optimal relationship between alert location threshold and the number of test locations is **alert location threshold** = **number of test locations - 2, with a minimum of five test locations.**|
Availability test results can be visualized with both line and scatter plot view
After a few minutes, select **Refresh** to see your test results. The scatterplot view shows samples of the test results that have diagnostic test-step detail in them. The test engine stores diagnostic detail for tests that have failures. For successful tests, diagnostic details are stored for a subset of the executions. Hover over any of the green/red dots to see the test, test name, and location.
Select a particular test, location, or reduce the time period to see more result
## Inspect and edit tests
-To edit, temporarily disable, or delete a test, select the ellipses next to a test name. It may take up to 20 minutes for configuration changes to propagate to all test agents after a change is made.
+To edit, temporarily disable, or delete a test select the ellipses next to a test name. It may take up to 20 minutes for configuration changes to propagate to all test agents after a change is made.
:::image type="content" source="./media/monitor-web-app-availability/edit.png" alt-text="View test details. Edit and Disable a web test." border="false":::
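Review bot: The replacement sentence drops the comma after "delete a test" that the removed line had, so the introductory clause now runs into "select the ellipses"; keep the comma.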
azure-monitor Platforms https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/platforms.md
### Instrumentation for already-deployed applications (codeless, agent-based) * [Azure VM and Azure virtual machine scale sets](./azure-vm-vmss-apps.md) * [Azure App Service](./azure-web-apps.md)
-* [ASP.NET - for apps that are already live](./monitor-performance-live-website-now.md)
+* [ASP.NET - for web apps hosted with IIS](./status-monitor-v2-overview.md)
* [Azure Cloud Services](./cloudservices.md), including both web and worker roles * [Azure Functions](../../azure-functions/functions-monitoring.md) ### Instrumentation through code (SDKs)
azure-monitor Sdk Connection String https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/sdk-connection-string.md
tracer = Tracer(exporter=AzureExporter(connection_string='InstrumentationKey=000
Get started at runtime with: * [Azure VM and Azure virtual machine scale set IIS-hosted apps](./azure-vm-vmss-apps.md)
-* [IIS server](./monitor-performance-live-website-now.md)
+* [IIS server](./status-monitor-v2-overview.md)
* [Azure Web Apps](./azure-web-apps.md) Get started at development time with:
azure-monitor Status Monitor V2 Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/status-monitor-v2-overview.md
Last updated 09/16/2019
> This guidance is recommended for On-Premises and non-Azure cloud deployments of Application Insights Agent. Here's the recommended approach for [Azure virtual machine and virtual machine scale set deployments](./azure-vm-vmss-apps.md). Application Insights Agent (formerly named Status Monitor V2) is a PowerShell module published to the [PowerShell Gallery](https://www.powershellgallery.com/packages/Az.ApplicationMonitor).
-It replaces [Status Monitor](./monitor-performance-live-website-now.md).
+It replaces Status Monitor.
Telemetry is sent to the Azure portal, where you can [monitor](./app-insights-overview.md) your app. > [!NOTE]
azure-monitor Worker Service https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/worker-service.md
The new SDK does not do any telemetry collection by itself. Instead, it brings i
## Supported scenarios
-The [Application Insights SDK for Worker Service](https://www.nuget.org/packages/Microsoft.ApplicationInsights.WorkerService) is best suited for non-HTTP applications no matter where or how they run. If your application is running and has network connectivity to Azure, telemetry can be collected. Application Insights monitoring is supported everywhere .NET Core is supported. This package can be used in the newly introduced [.NET Core 3.0 Worker Service](https://devblogs.microsoft.com/aspnet/dotnet-core-workers-in-azure-container-instances), [background tasks in Asp.Net Core 2.1/2.2](/aspnet/core/fundamentals/host/hosted-services), Console apps (.NET Core/ .NET Framework), etc.
+The [Application Insights SDK for Worker Service](https://www.nuget.org/packages/Microsoft.ApplicationInsights.WorkerService) is best suited for non-HTTP applications no matter where or how they run. If your application is running and has network connectivity to Azure, telemetry can be collected. Application Insights monitoring is supported everywhere .NET Core is supported. This package can be used in the newly introduced [.NET Core 3.0 Worker Service](https://devblogs.microsoft.com/aspnet/dotnet-core-workers-in-azure-container-instances), [background tasks in ASP.NET Core 2.1/2.2](/aspnet/core/fundamentals/host/hosted-services), Console apps (.NET Core/ .NET Framework), etc.
## Prerequisites
Get an instance of `TelemetryClient` by using constructor injection, and call th
Visual Studio IDE onboarding is currently supported only for ASP.NET/ASP.NET Core Applications. This document will be updated when Visual Studio ships support for onboarding Worker service applications.
-### Can I enable Application Insights monitoring by using tools like Status Monitor?
+### Can I enable Application Insights monitoring by using tools like Azure Monitor Application Insights Agent (formerly Status Monitor v2)?
-No. [Status Monitor](./monitor-performance-live-website-now.md) and [Status Monitor v2](./status-monitor-v2-overview.md) currently support ASP.NET 4.x only.
+No, [Azure Monitor Application Insights Agent](./status-monitor-v2-overview.md) currently supports ASP.NET 4.x only.
### If I run my application in Linux, are all features supported? Yes. Feature support for this SDK is the same in all platforms, with the following exceptions: * Performance counters are supported only in Windows with the exception of Process CPU/Memory shown in Live Metrics.
-* Even though `ServerTelemetryChannel` is enabled by default, if the application is running in Linux or MacOS, the channel doesn't automatically create a local storage folder to keep telemetry temporarily if there are network issues. Because of this limitation, telemetry is lost when there are temporary network or server issues. To work around this issue, configure a local folder for the channel:
+* Even though `ServerTelemetryChannel` is enabled by default, if the application is running in Linux or macOS, the channel doesn't automatically create a local storage folder to keep telemetry temporarily if there are network issues. Because of this limitation, telemetry is lost when there are temporary network or server issues. To work around this issue, configure a local folder for the channel:
```csharp using Microsoft.ApplicationInsights.Channel;
using Microsoft.ApplicationInsights.WindowsServer.TelemetryChannel;
[.NET Core Console Application](https://github.com/microsoft/ApplicationInsights-dotnet/tree/develop/examples/WorkerServiceSDK/ConsoleAppWithApplicationInsights) Use this sample if you are using a Console Application written in either .NET Core (2.0 or higher) or .NET Framework (4.7.2 or higher)
-[ASP .NET Core background tasks with HostedServices](https://github.com/microsoft/ApplicationInsights-dotnet/tree/develop/examples/WorkerServiceSDK/BackgroundTasksWithHostedService)
-Use this sample if you are in Asp.Net Core 2.1/2.2, and creating background tasks as per official guidance [here](/aspnet/core/fundamentals/host/hosted-services)
+[ASP.NET Core background tasks with HostedServices](https://github.com/microsoft/ApplicationInsights-dotnet/tree/develop/examples/WorkerServiceSDK/BackgroundTasksWithHostedService)
+Use this sample if you are in ASP.NET Core 2.1/2.2, and creating background tasks as per official guidance [here](/aspnet/core/fundamentals/host/hosted-services)
[.NET Core 3.0 Worker Service](https://github.com/microsoft/ApplicationInsights-dotnet/tree/develop/examples/WorkerServiceSDK/WorkerServiceSampleWithApplicationInsights) Use this sample if you have a .NET Core 3.0 Worker Service application as per official guidance [here](/aspnet/core/fundamentals/host/hosted-services?tabs=visual-studio#worker-service-template)
Use this sample if you have a .NET Core 3.0 Worker Service application as per of
* [Read and contribute to the code](https://github.com/microsoft/ApplicationInsights-dotnet).
-For the latest updates and bug fixes [consult the release notes](./release-notes.md).
+For the latest updates and bug fixes, [consult the release notes](./release-notes.md).
## Next steps
azure-monitor Deploy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/deploy.md
To enable monitoring for an application, you must decide whether you will use co
- [Applications hosted on Azure Web Apps](app/azure-web-apps.md) - [Java applications](app/java-in-process-agent.md) - [ASP.NET applications hosted in IIS on Azure VM or Azure virtual machine scale set](app/azure-vm-vmss-apps.md)-- [ASP.NET applications hosted in IIS on-premises VM](app/monitor-performance-live-website-now.md)
+- [ASP.NET applications hosted in IIS on-premises](app/status-monitor-v2-overview.md)
**Code-based monitoring** is more customizable and collects additional telemetry, but it requires adding a dependency to your code on the Application Insights SDK NuGet packages. See the following resources for details on enabling monitoring depending on your application.
azure-resource-manager Azure Subscription Service Limits https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/management/azure-subscription-service-limits.md
The following table details the features and limits of the Basic, Standard, and
[!INCLUDE [database-migration-service-limits](../../../includes/database-migration-service-limits.md)]
+## Device Update for IoT Hub limits
++ ## Digital Twins limits > [!NOTE]
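Review bot: The added `## Device Update for IoT Hub limits` heading is followed directly by `## Digital Twins limits` with no body in the lines shown. The section just above uses an `[!INCLUDE ...]` for its limits, so the equivalent include for Device Update appears to be missing or empty; add it so the heading is not left without content.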
cognitive-services Cognitive Services Data Loss Prevention https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/cognitive-services-data-loss-prevention.md
There are two parts to enable data loss prevention. First the property restrictO
>[!NOTE] > > * The `allowedFqdnList` property value supports a maximum of 1000 URLs.
-> * The property supports both IP addresses and fully qualified domain names i.e., www.microsoft.com, values.
+> * The property supports both IP addresses and fully qualified domain names i.e., `www.microsoft.com`, values.
> * It can take up to 15 minutes for the updated list to take effect. # [Azure CLI](#tab/azure-cli)
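Review bot: In the changed `allowedFqdnList` bullet, "i.e." introduces an example rather than a restatement, and the trailing ", values" dangles. Since the line is being touched anyway, something like "supports both IP addresses and fully qualified domain names (for example, `www.microsoft.com`)" reads cleanly and keeps the new code formatting.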
expressroute Designing For High Availability With Expressroute https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/expressroute/designing-for-high-availability-with-expressroute.md
Running the primary and secondary connections of an ExpressRoute circuit in acti
Alternatively, running the primary and secondary connections of an ExpressRoute circuit in active-active mode, results in only about half the flows failing and getting rerouted, following an ExpressRoute connection failure. Thus, active-active mode will significantly help improve the Mean Time To Recover (MTTR).
+> [!NOTE]
+> During a maintenance activity or in case of unplanned events impacting one of the connection, Microsoft will prefer to use AS path prepending to drain traffic over to the healthy connection. You will need to ensure the traffic is able to route over the healthy path when path prepend is configured from Microsoft and required route advertisements are configured appropriately to avoid any service disruption.
+>
+ ### NAT for Microsoft peering Microsoft peering is designed for communication between public end-points. So commonly, on-premises private endpoints are Network Address Translated (NATed) with public IP on the customer or partner network before they communicate over Microsoft peering. Assuming you use both the primary and secondary connections in active-active mode, where and how you NAT has an impact on how quickly you recover following a failure in one of the ExpressRoute connections. Two different NAT options are illustrated in the following figure:
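Review bot: The second sentence of the added note packs two separate customer requirements into one clause ("traffic is able to route over the healthy path when path prepend is configured from Microsoft and required route advertisements are configured appropriately"), and it is hard to tell what the reader has to configure. Split it into two sentences, one per requirement. Also "one of the connection" should be "one of the connections", and the trailing empty `>` line inside the note can go.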
For design considerations to build geo-redundant network connectivity to Microso
[conf zone redundant vgw]: ../vpn-gateway/create-zone-redundant-vnet-gateway.md [Configure Global Reach]: ./expressroute-howto-set-global-reach.md [BFD]: ./expressroute-bfd.md
-[DR]: ./designing-for-disaster-recovery-with-expressroute-privatepeering.md
+[DR]: ./designing-for-disaster-recovery-with-expressroute-privatepeering.md
hdinsight Hdinsight Custom Ambari Db https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/hdinsight/hdinsight-custom-ambari-db.md
az deployment group create --name HDInsightAmbariDBDeployment \
--parameters azuredeploy.parameters.json ```
-## Database sizing
+
+> [!WARNING]
+> Please use the following recommended SQL DB and Headnode VM for your HDInsight cluster. Please don't use default Ambari DB (S0) for any production environment.
+>
++
+## Database and Headnode sizing
The following table provides guidelines on which Azure SQL DB tier to select based on the size of your HDInsight cluster.
-| Number of worker nodes | Required DB tier |
-|||
-| <=4 | S0 |
-| >4 && <=8 | S1 |
-| >8 && <=16 | S2 |
-| >16 && <=32 | S3 |
-| >32 && <=64 | S4 |
-| >64 && <=128 | P2 |
-| >128 | Contact Support |
+| Number of worker nodes | Required DB tier | Required Headnode VM |
+||||
+| <=4 | S0 | 4 core/28 GB RAM or higher |
+| >4 && <=8 | S1 | 4 core/28 GB RAM or higher |
+| >8 && <=16 | S2 | 4 core/28 GB RAM or higher |
+| >16 && <=32 | S3 | 8 core/56 GB RAM or higher |
+| >32 && <=64 | S4 | 8 core/56 GB RAM or higher |
+| >64 && <=128 | P2 | 16 core/112 GB RAM or higher |
+| >128 | Contact Support | Contact Support |
## Next steps
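Review bot: The added warning says not to use "default Ambari DB (S0)" in any production environment, but the first row of the updated table still lists S0 as the required DB tier for clusters with four or fewer worker nodes. Clarify whether the warning is about the built-in default database or about the S0 tier in general, and make the table row agree with it (for example, by marking the S0 row as non-production only). The heading was also renamed to "Database and Headnode sizing" while the intro sentence under it still mentions only the Azure SQL DB tier.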
iot-hub-device-update Device Update Limits https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-hub-device-update/device-update-limits.md
+
+ Title: Understand Device Update for IoT Hub limits | Microsoft Docs
+description: Key limits for Device Update for IoT Hub.
++ Last updated : 7/8/2021++++
+# Device Update for IoT Hub limits
+
+This document provides an overview of the various limits that are imposed on the Device Update for IoT Hub resource and its associated operations. It also indicates whether the limits are adjustable by contacting Microsoft Support or not.
+
+## Preview limits
+
+During preview, the Device Update for IoT Hub service is provided at no cost to customers. More restrictive limits are imposed during the service's preview offering. These limits
+are expected to change once the service is Generally Available.
++
+## Next steps
+
+- [Create a Device Update for IoT Hub account](create-device-update-account.md)
+- [Troubleshoot common Device Update for IoT Hub issues](troubleshoot-device-update.md)
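Review bot: The `## Preview limits` section states that more restrictive limits apply during preview but lists none in the lines shown, and the introduction promises to say which limits are adjustable through Microsoft Support. Add the limits table or include before `## Next steps`, otherwise the new page has no actual limits on it.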
machine-learning Concept Automated Ml https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/machine-learning/concept-automated-ml.md
Consider these pros and cons when choosing to use local vs. remote.
| Register and visualize experiment's info and metrics in UI | Γ£ô | Γ£ô | | Data guardrails | Γ£ô | Γ£ô |
-## Many Models Solution Accelerator
-
-The [Many Models Solution Accelerator](https://aka.ms/many-models) (preview) builds on Azure Machine Learning and enables you to use automated ML to train, operate, and manage hundreds or even thousands of machine learning models.
-
-For example, building a model __for each instance or individual__ in the following scenarios can lead to improved results:
-
-* Predicting sales for each individual store
-* Predictive maintenance for hundreds of oil wells
-* Tailoring an experience for individual users.
<a name="use-with-onnx"></a>
machine-learning Concept Designer https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/machine-learning/concept-designer.md
# What is Azure Machine Learning designer?
-Azure Machine Learning designer is a drag-and-drop interface used to train and deploy models in Azure Machine Learning.
+Azure Machine Learning designer is a drag-and-drop interface used to train and deploy models in Azure Machine Learning. This article describes the tasks you can do in the designer.
To get started with the designer, see [Tutorial: Train a no-code regression model](tutorial-designer-automobile-price-train-score.md)
The designer creates the same [PublishedPipeline](/python/api/azureml-pipeline-c
## Next steps * Learn the fundamentals of predictive analytics and machine learning with [Tutorial: Predict automobile price with the designer](tutorial-designer-automobile-price-train-score.md)
-* Learn how to modify existing [designer samples](samples-designer.md) to adapt them to your needs.
+* Learn how to modify existing [designer samples](samples-designer.md) to adapt them to your needs.
machine-learning Concept Manage Ml Pitfalls https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/machine-learning/concept-manage-ml-pitfalls.md
Last updated 04/09/2020
# Prevent overfitting and imbalanced data with automated machine learning
-Over-fitting and imbalanced data are common pitfalls when you build machine learning models. By default, Azure Machine Learning's automated machine learning provides charts and metrics to help you identify these risks, and implements best practices to help mitigate them.
+Overfitting and imbalanced data are common pitfalls when you build machine learning models. By default, Azure Machine Learning's automated machine learning provides charts and metrics to help you identify these risks, and implements best practices to help mitigate them.
-## Identify over-fitting
+## Identify overfitting
-Over-fitting in machine learning occurs when a model fits the training data too well, and as a result can't accurately predict on unseen test data. In other words, the model has simply memorized specific patterns and noise in the training data, but is not flexible enough to make predictions on real data.
+Overfitting in machine learning occurs when a model fits the training data too well, and as a result can't accurately predict on unseen test data. In other words, the model has simply memorized specific patterns and noise in the training data, but is not flexible enough to make predictions on real data.
Consider the following trained models and their corresponding train and test accuracies.
Consider the following trained models and their corresponding train and test acc
| B | 87% | 87% | | C | 99.9% | 45% |
-Considering model **A**, there is a common misconception that if test accuracy on unseen data is lower than training accuracy, the model is over-fitted. However, test accuracy should always be less than training accuracy, and the distinction for over-fit vs. appropriately fit comes down to *how much* less accurate.
+Considering model **A**, there is a common misconception that if test accuracy on unseen data is lower than training accuracy, the model is overfitted. However, test accuracy should always be less than training accuracy, and the distinction for overfit vs. appropriately fit comes down to *how much* less accurate.
-When comparing models **A** and **B**, model **A** is a better model because it has higher test accuracy, and although the test accuracy is slightly lower at 95%, it is not a significant difference that suggests over-fitting is present. You wouldn't choose model **B** simply because the train and test accuracies are closer together.
+When comparing models **A** and **B**, model **A** is a better model because it has higher test accuracy, and although the test accuracy is slightly lower at 95%, it is not a significant difference that suggests overfitting is present. You wouldn't choose model **B** simply because the train and test accuracies are closer together.
-Model **C** represents a clear case of over-fitting; the training accuracy is very high but the test accuracy isn't anywhere near as high. This distinction is subjective, but comes from knowledge of your problem and data, and what magnitudes of error are acceptable.
+Model **C** represents a clear case of overfitting; the training accuracy is very high but the test accuracy isn't anywhere near as high. This distinction is subjective, but comes from knowledge of your problem and data, and what magnitudes of error are acceptable.
-## Prevent over-fitting
+## Prevent overfitting
-In the most egregious cases, an over-fitted model will assume that the feature value combinations seen during training will always result in the exact same output for the target.
+In the most egregious cases, an overfitted model assumes that the feature value combinations seen during training will always result in the exact same output for the target.
-The best way to prevent over-fitting is to follow ML best-practices including:
+The best way to prevent overfitting is to follow ML best-practices including:
* Using more training data, and eliminating statistical bias * Preventing target leakage
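Review bot: In the rewritten model A paragraph, "test accuracy should always be less than training accuracy" conflicts with the table row just above it, where model B shows 87% for both; since the sentence is being edited anyway, "is usually lower than" would match the data. The noun in "follow ML best-practices" should also lose its hyphen so it agrees with the "Best practices you implement" heading.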
The best way to prevent over-fitting is to follow ML best-practices including:
* **Model complexity limitations** * **Cross-validation**
-In the context of automated ML, the first three items above are **best-practices you implement**. The last three bolded items are **best-practices automated ML implements** by default to protect against over-fitting. In settings other than automated ML, all six best-practices are worth following to avoid over-fitting models.
+In the context of automated ML, the first three items above are **best-practices you implement**. The last three bolded items are **best-practices automated ML implements** by default to protect against overfitting. In settings other than automated ML, all six best-practices are worth following to avoid overfitting models.
-### Best practices you implement
+## Best practices you implement
-Using **more data** is the simplest and best possible way to prevent over-fitting, and as an added bonus typically increases accuracy. When you use more data, it becomes harder for the model to memorize exact patterns, and it is forced to reach solutions that are more flexible to accommodate more conditions. It's also important to recognize **statistical bias**, to ensure your training data doesn't include isolated patterns that won't exist in live-prediction data. This scenario can be difficult to solve, because there may not be over-fitting between your train and test sets, but there may be over-fitting present when compared to live test data.
+### Use more data
-**Target leakage** is a similar issue, where you may not see over-fitting between train/test sets, but rather it appears at prediction-time. Target leakage occurs when your model "cheats" during training by having access to data that it shouldn't normally have at prediction-time. For example, if your problem is to predict on Monday what a commodity price will be on Friday, but one of your features accidentally included data from Thursdays, that would be data the model won't have at prediction-time since it cannot see into the future. Target leakage is an easy mistake to miss, but is often characterized by abnormally high accuracy for your problem. If you are attempting to predict stock price and trained a model at 95% accuracy, there is likely target leakage somewhere in your features.
+Using **more data** is the simplest and best possible way to prevent overfitting, and as an added bonus typically increases accuracy. When you use more data, it becomes harder for the model to memorize exact patterns, and it is forced to reach solutions that are more flexible to accommodate more conditions. It's also important to recognize **statistical bias**, to ensure your training data doesn't include isolated patterns that won't exist in live-prediction data. This scenario can be difficult to solve, because there may not be overfitting between your train and test sets, but there may be overfitting present when compared to live test data.
-**Removing features** can also help with over-fitting by preventing the model from having too many fields to use to memorize specific patterns, thus causing it to be more flexible. It can be difficult to measure quantitatively, but if you can remove features and retain the same accuracy, you have likely made the model more flexible and have reduced the risk of over-fitting.
+### Prevent target leakage
-### Best practices automated ML implements
+**Target leakage** is a similar issue, where you may not see overfitting between train/test sets, but rather it appears at prediction-time. Target leakage occurs when your model "cheats" during training by having access to data that it shouldn't normally have at prediction-time. For example, if your problem is to predict on Monday what a commodity price will be on Friday, but one of your features accidentally included data from Thursdays, that would be data the model won't have at prediction-time since it cannot see into the future. Target leakage is an easy mistake to miss, but is often characterized by abnormally high accuracy for your problem. If you are attempting to predict stock price and trained a model at 95% accuracy, there is likely target leakage somewhere in your features.
-**Regularization** is the process of minimizing a cost function to penalize complex and over-fitted models. There are different types of regularization functions, but in general they all penalize model coefficient size, variance, and complexity. Automated ML uses L1 (Lasso), L2 (Ridge), and ElasticNet (L1 and L2 simultaneously) in different combinations with different model hyperparameter settings that control over-fitting. In simple terms, automated ML will vary how much a model is regulated and choose the best result.
+### Use fewer features
-Automated ML also implements explicit **model complexity limitations** to prevent over-fitting. In most cases this implementation is specifically for decision tree or forest algorithms, where individual tree max-depth is limited, and the total number of trees used in forest or ensemble techniques are limited.
+**Removing features** can also help with overfitting by preventing the model from having too many fields to use to memorize specific patterns, thus causing it to be more flexible. It can be difficult to measure quantitatively, but if you can remove features and retain the same accuracy, you have likely made the model more flexible and have reduced the risk of overfitting.
-**Cross-validation (CV)** is the process of taking many subsets of your full training data and training a model on each subset. The idea is that a model could get "lucky" and have great accuracy with one subset, but by using many subsets the model won't achieve this high accuracy every time. When doing CV, you provide a validation holdout dataset, specify your CV folds (number of subsets) and automated ML will train your model and tune hyperparameters to minimize error on your validation set. One CV fold could be over-fit, but by using many of them it reduces the probability that your final model is over-fit. The tradeoff is that CV does result in longer training times and thus greater cost, because instead of training a model once, you train it once for each *n* CV subsets.
+## Best practices automated ML implements
+
+### Regularization and hyperparameter tuning
+
+**Regularization** is the process of minimizing a cost function to penalize complex and overfitted models. There are different types of regularization functions, but in general they all penalize model coefficient size, variance, and complexity. Automated ML uses L1 (Lasso), L2 (Ridge), and ElasticNet (L1 and L2 simultaneously) in different combinations with different model hyperparameter settings that control overfitting. In simple terms, automated ML will vary how much a model is regulated and choose the best result.
+
+### Model complexity limitations
+
+Automated ML also implements explicit **model complexity limitations** to prevent overfitting. In most cases this implementation is specifically for decision tree or forest algorithms, where individual tree max-depth is limited, and the total number of trees used in forest or ensemble techniques are limited.
+
+### Cross-validation
+
+**Cross-validation (CV)** is the process of taking many subsets of your full training data and training a model on each subset. The idea is that a model could get "lucky" and have great accuracy with one subset, but by using many subsets the model won't achieve this high accuracy every time. When doing CV, you provide a validation holdout dataset, specify your CV folds (number of subsets) and automated ML will train your model and tune hyperparameters to minimize error on your validation set. One CV fold could be overfitted, but by using many of them it reduces the probability that your final model is overfitted. The tradeoff is that CV does result in longer training times and thus greater cost, because instead of training a model once, you train it once for each *n* CV subsets.
> [!NOTE] > Cross-validation is not enabled by default; it must be configured in automated ML settings. However, after cross-validation is configured and a validation data set has been provided, the process is automated for you. Learn more about [cross validation configuration in Auto ML](how-to-configure-cross-validation-data-splits.md)
See examples and learn how to build models using automated machine learning:
+ Configure the settings for automatic training experiment: + In Azure Machine Learning studio, [use these steps](how-to-use-automated-ml-for-ml-models.md). + With the Python SDK, [use these steps](how-to-configure-auto-train.md).--
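Review bot: the Regularization paragraph is rewritten here but still ends with "vary how much a model is regulated", which should be "regularized" to match the term the paragraph defines. While these lines are being touched, "the total number of trees used in forest or ensemble techniques are limited" needs "is limited", and "once for each *n* CV subsets" would read better as "once for each of the *n* CV subsets". Also check the promotion of "Best practices you implement" and "Best practices automated ML implements" from `###` to `##`: the lead-in paragraph still refers to "the first three items above" in a list that sits under "Prevent overfitting", so the two sections are no longer nested under the heading that introduces them.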
machine-learning How To Auto Train Forecast https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/machine-learning/how-to-auto-train-forecast.md
automl_config = AutoMLConfig(task='forecasting',
**time_series_settings) ```
-Learn more about how AutoML applies cross validation to [prevent over-fitting models](concept-manage-ml-pitfalls.md#prevent-over-fitting).
+Learn more about how AutoML applies cross validation to [prevent over-fitting models](concept-manage-ml-pitfalls.md#prevent-overfitting).
## Configure experiment
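Review bot: the anchor is updated to `#prevent-overfitting` but the link text on the same line still reads "prevent over-fitting models", which is the spelling this change set removes everywhere in concept-manage-ml-pitfalls.md. Change the link text to "prevent overfitting models" so the label matches the renamed heading.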
machine-learning How To Troubleshoot Managed Online Endpoints https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/machine-learning/how-to-troubleshoot-managed-online-endpoints.md
Before deploying a model, you need to have enough compute quota. This quota defi
A possible mitigation is to check if there are unused deployments that can be deleted. Or you can submit a [request for a quota increase](./how-to-manage-quotas.md).
+### ERR_1101: Out of capacity
+
+The specified VM Size failed to provision due to a lack of Azure Machine Learning capacity. Retry later or try deploying to a different region.
+ ### ERR_1200: Unable to download user container image During deployment creation after the compute provisioning, Azure tries to pull the user container image from the workspace private Azure Container Registry (ACR). There could be two possible issues.
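Review bot: the new ERR_1101 entry attributes the failure to "The specified VM Size" but the mitigation offers only retrying later or changing region. If selecting a different VM size is also a valid workaround, list it, since that is the parameter the message names. Lowercase "size", and consider aligning the wording with the ERR_1350 entry, which calls the same setting an "SKU".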
az ml endpoint get-logs -n <endpoint-name> --deployment <deployment-name> --line
### ERR_1350: Unable to download user model, not enough space on the disk
-This issue happens when the size of the model is bigger than the available disk space. Please try an SKU with more disk space.
+This issue happens when the size of the model is bigger than the available disk space. Try an SKU with more disk space.
### ERR_2100: Unable to start user container
marketplace Analytics Faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/marketplace/analytics-faq.md
- Title: Commercial marketplace analytics common questions | Azure Marketplace
-description: Get answers to commonly asked questions about commercial marketplace analytics in Partner Center for offers published to Azure Marketplace.
--- Previously updated : 11/10/2020----
-# Commercial marketplace analytics common questions
-
-This article addresses commonly asked questions about analytics messages in Partner Center.
-
-## Common questions
-
-### Why am I unable to view my analytics data in Partner Center?
-
-When I access the analytics pages, I see the following message.
-
-[![No data for your offers yet.](./media/analytics-faq-no-data.png)](./media/analytics-faq-no-data.png#lightbox)
-
-Why you may be seeing this message:
--- No acquisitions currently exist for your published offers in the commercial marketplace. This can mean that your offers are live in the commercial marketplace and customers are viewing your product listing pages, but customers haven't yet taken action to purchase and deploy them.-- Your offer might be in the process of being published but isn't live yet. Only live offers can be acquired by customers. To check the status of your offers, see the **Summary** page in the [Analyze dashboard](https://go.microsoft.com/fwlink/?linkid=2165765). For more information, see [Summary dashboard in commercial marketplace analytics](summary-dashboard.md).-- Your offers may be listed as **Contact Me**, which are list-only offers and cannot be purchased by customers in the commercial marketplace. Although these offers generate leads and are shared with you, orders aren't created for these offers as they cannot be purchased. To check your offer listing type, go to the setup page for your offer.-
-### I know I have analytics data, so why does the No Analytics Available message appear?
-
-[![No data for your offers yet.](./media/analytics-faq-no-data.png)](./media/analytics-faq-no-data.png#lightbox)
-
-Why you might be seeing this message:
--- If you're receiving this message, it means you have analytics data but there isn't data for the computation period that you have selected. Select a different computation period or month range to view any data since 2010.-- If you have selected one or more categories from the various dimensions in the filter selection, you may not have analytics data for the selection. Try resetting the filter or make different selections from the filter.-
-## Next steps
--- For an overview of analytics reports available in Partner Center, see [Access analytics reports for the commercial marketplace in Partner Center](analytics.md).-- For information about your orders in a graphical and downloadable format, see [Orders dashboard in commercial marketplace analytics](orders-dashboard.md).-- For Virtual Machine (VM) offers usage and metered billing metrics, see [Usage dashboard in commercial marketplace analytics](usage-dashboard.md).-- For detailed information about your customers, including growth trends, see [Customers dashboard in commercial marketplace analytics](customer-dashboard.md).-- For a list of your download requests over the last 30 days, see [Downloads dashboard in commercial marketplace analytics](downloads-dashboard.md).-- To see a consolidated view of customer feedback for offers on Azure Marketplace and Microsoft AppSource, see [Ratings & reviews analytics dashboard in Partner Center](ratings-reviews.md).
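Review bot: analytics-faq.md is removed whole, and the pages that link to its replacement describe the target as holding "detailed definitions of analytics terminology" and "a comprehensive dictionary of data terms", but the removed text contains only two questions about the no-data message plus Next steps. Confirm that analytics-faq.yml carries the terminology content those links promise, or reword the link text. The removed title, "Commercial marketplace analytics common questions", also does not match either of the titles used in the inbound links.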
marketplace Analytics https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/marketplace/analytics.md
Learn how to access analytic reports in Microsoft Partner Center to monitor sale
To access the Partner Center analytics tools, go to the **[Summary](https://go.microsoft.com/fwlink/?linkid=2165765)** dashboard. >[!NOTE]
-> For detailed definitions of analytics terminology, see [Frequently asked questions and terminology for commercial marketplace analytics](analytics-faq.md).
+> For detailed definitions of analytics terminology, see [Frequently asked questions and terminology for commercial marketplace analytics](analytics-faq.yml).
## Next steps
To access the Partner Center analytics tools, go to the **[Summary](https://go.m
- For information about your licenses, see [License dashboard in commercial marketplace analytics](license-dashboard.md) - For a list of your download requests over the last 30 days, see [Downloads dashboard in commercial marketplace analytics](downloads-dashboard.md). - To see a consolidated view of customer feedback for offers on Azure Marketplace and AppSource, see [Ratings and reviews dashboard in commercial marketplace analytics](ratings-reviews.md).-- For frequently asked questions about commercial marketplace analytics and for a comprehensive dictionary of data terms, see [Frequently asked questions and terminology for commercial marketplace analytics](analytics-faq.md).
+- For frequently asked questions about commercial marketplace analytics and for a comprehensive dictionary of data terms, see [Frequently asked questions and terminology for commercial marketplace analytics](analytics-faq.yml).
marketplace Customer Dashboard https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/marketplace/customer-dashboard.md
This article provides information on the Customers dashboard in Partner Center. This dashboard displays information about your customers, including growth trends, presented in a graphical and downloadable format. >[!NOTE]
-> For detailed definitions of analytics terminology, see [Commercial marketplace analytics terminology and common questions](./analytics-faq.md).
+> For detailed definitions of analytics terminology, see [Commercial marketplace analytics terminology and common questions](./analytics-faq.yml).
## Customers dashboard
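Review bot: the link text on the changed line is "Commercial marketplace analytics terminology and common questions", while analytics.md, downloads-dashboard.md and ratings-reviews.md use "Frequently asked questions and terminology for commercial marketplace analytics" for the same analytics-faq.yml target. Every one of these lines is being edited for the extension change anyway, so settle on one title and use it in all of them.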
The Customers page filters are applied at the Customers page level. You can sele
- For virtual machine (VM) offers usage and metered billing metrics, see [Usage Dashboard in commercial marketplace analytics](./usage-dashboard.md). - For a list of your download requests over the last 30 days, see [Downloads dashboard in commercial marketplace analytics](downloads-dashboard.md). - To see a consolidated view of customer feedback for offers on Azure Marketplace and Microsoft AppSource, see [Ratings & Reviews analytics dashboard in Partner Center](ratings-reviews.md).-- For frequently asked questions about commercial marketplace analytics and for a comprehensive dictionary of data terms, see [Commercial marketplace analytics terminology and common questions](./analytics-faq.md).
+- For frequently asked questions about commercial marketplace analytics and for a comprehensive dictionary of data terms, see [Commercial marketplace analytics terminology and common questions](./analytics-faq.yml).
marketplace Downloads Dashboard https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/marketplace/downloads-dashboard.md
This article provides information on the Downloads dashboard in Partner Center. This dashboard displays a list of your download requests over the last 30 days. >[!NOTE]
-> For detailed definitions of analytics terminology, see [Frequently asked questions and terminology for commercial marketplace analytics](analytics-faq.md).
+> For detailed definitions of analytics terminology, see [Frequently asked questions and terminology for commercial marketplace analytics](analytics-faq.yml).
## Downloads dashboard
A user can schedule asynchronous downloads of reports from the Downloads section
- For Virtual Machine (VM) offers usage and metered billing metrics, see [Usage Dashboard in commercial marketplace analytics](usage-dashboard.md). - For detailed information about your customers, including growth trends, see [Customer Dashboard in commercial marketplace analytics](customer-dashboard.md). - To see a consolidated view of customer feedback for offers on Azure Marketplace and AppSource, see [Ratings and reviews dashboard in commercial marketplace analytics](ratings-reviews.md).-- For frequently asked questions about commercial marketplace analytics and for a comprehensive dictionary of data terms, see [Frequently asked questions and terminology for commercial marketplace analytics](analytics-faq.md).
+- For frequently asked questions about commercial marketplace analytics and for a comprehensive dictionary of data terms, see [Frequently asked questions and terminology for commercial marketplace analytics](analytics-faq.yml).
marketplace Insights Dashboard https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/marketplace/insights-dashboard.md
This article provides information on the Marketplace Insights dashboard in Partner Center. This dashboard displays a summary of commercial marketplace web analytics that enables publishers to measure customer engagement for their respective product detail pages listed in the commercial marketplace online stores: Microsoft AppSource and Azure Marketplace.
-For detailed definitions of analytics terminology, see [Commercial marketplace analytics terminology and common questions](./analytics-faq.md).
+For detailed definitions of analytics terminology, see [Commercial marketplace analytics terminology and common questions](./analytics-faq.yml).
## Marketplace Insights dashboard
This table provides a list view of the page visits and the calls to action of yo
- For detailed information about your customers, including growth trends, see [Customer dashboard in commercial marketplace analytics](customer-dashboard.md). - For a list of your download requests over the last 30 days, see [Downloads dashboard in commercial marketplace analytics](downloads-dashboard.md). - To see a consolidated view of customer feedback for offers on Azure Marketplace and AppSource, see [Ratings & Reviews analytics dashboard in Partner Center](ratings-reviews.md).-- For frequently asked questions about commercial marketplace analytics and for a comprehensive dictionary of data terms, see [Commercial marketplace analytics terminology and common questions](analytics-faq.md).
+- For frequently asked questions about commercial marketplace analytics and for a comprehensive dictionary of data terms, see [Commercial marketplace analytics terminology and common questions](analytics-faq.yml).
marketplace Lead Management Faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/marketplace/lead-management-faq.md
- Title: Lead management questions and troubleshooting - Microsoft Partner Center
-description: Read about common errors and questions when configuring commercial marketplace leads in Partner Center
----- Previously updated : 10/01/2020--
-# Common questions and troubleshooting for lead configuration
-
-This article answers some common questions about lead management for your commercial marketplace offers. It also addresses errors you might encounter when configuring leads to your customer relationship management (CRM) system in Partner Center.
-
-## Common questions about lead management
-
-#### Where can I get help in setting up my lead destination?
-
-See [Customer leads from your commercial marketplace offer](partner-center-portal/commercial-marketplace-get-customer-leads.md) for an overview of how to connect your CRM system to your commercial marketplace offers. If you have an error, review the troubleshooting guidance below. For more support, submit a support ticket through [Partner Center Help and support](https://go.microsoft.com/fwlink/?linkid=2165533). Then select **Offer creation** > **Your type of offer** > **Lead management configuration**.
-
-#### Am I required to configure a lead destination in order to publish an offer in the commercial marketplace?
-
-The answer depends on the type of offer you're publishing. Software as a service (SaaS) and Dynamics 365 Customer Engagement use **Contact Me** to list all Dynamics 365 for Finance and Operations offers, all Dynamics 365 Business Central offers, and all Consulting Service offers. As a result, they require a connection to a lead destination. If your offer type wasn't listed, a connection to a lead destination isn't required. We recommend that you configure a lead destination so you don't miss business opportunities.
-
-#### How can I find the test lead?
-
-Search for `"MSFT_TEST"` in your lead destination. Below is a sample test lead from Microsoft. Note that the format of the test lead varies depending on the lead destination.
-
-```
-{
- "userDetails": {
- "FirstName": "MSFT_TEST_636573304831318844",
- "LastName": "MSFT_TEST_636573304831318844",
- "Email": "MSFT_TEST_636573304831318844@test.com",
- "Phone": "1234567890",
- "Country": "US",
- "Company": "MSFT_TEST_636573304831318844",
- "Title": "MSFT_TEST_636573304831318844"
- },
- "LeadSource": "AzureMarketplace",
- "ActionCode": "INS",
- "OfferTitle": "Contoso Test"
- "Description": "MSFT_TEST_636573304831318844"
-}
-```
-
-#### I have a live offer, but why am I not seeing any leads?
-
-Make sure your connection to the lead destination is valid. We'll send you a test lead after you select **Publish** on your offer in Partner Center. If you see the test lead, the connection is valid. You can also test your lead connection by trying to acquire the offer preview during the preview step. Select **Get It Now**, **Contact Me**, or **Free Trial** on the listing in the commercial marketplace.
-
-Also, make sure you're looking for the right data. See [Understand lead data](partner-center-portal/commercial-marketplace-get-customer-leads.md) for an explanation of the lead data we send to your lead destination.
-
-#### I configured Azure Blob storage as my lead destination, but why don't I see the lead?
-
-Azure Blob storage is no longer supported as a lead destination, so you're missing any customer leads generated by your offer. Switch to any of the other [lead destination options](partner-center-portal/commercial-marketplace-get-customer-leads.md).
-
-#### I received an email from the commercial marketplace, but why can't I find the lead in my CRM?
-
-It's possible that the end user's email domain is from .edu. For privacy reasons, we don't pass personal information from the .edu domain. Submit a support ticket through [Partner Center Help and support](https://go.microsoft.com/fwlink/?linkid=2165533).
-
-#### I configured an Azure table as my lead destination. How can I view the leads?
-
-You can access the lead data stored in the Azure table from the Azure portal. You can also download and install [Azure Storage Explorer](https://azure.microsoft.com/features/storage-explorer/) for free to view your Azure storage account's table data.
-
-#### I configured an Azure table as my lead destination. Can I get notified whenever a new commercial marketplace lead is sent?
-
-Yes. Follow the instructions in [Configure lead management by using an Azure table](partner-center-portal/commercial-marketplace-lead-management-instructions-azure-table.md) to set up a Microsoft flow that sends an email if a lead is added to the Azure table.
-
-#### I configured Salesforce as my lead destination, but why can't I find the leads?
-
-Check if the web-to-lead form is a mandatory field based on a pick list. If it is, switch the field to a nonmandatory text field.
-
-#### There was an issue with my lead destination, and I missed some leads. Can I have them sent to me in an email?
-
-Due to personal information policies, we can't share lead information through unsecured email.
-
-#### I configured an Azure table as my lead destination. How much will it cost?
-
-Lead generation data is low. It's less than 1 GB for almost all publishers. The cost depends on the number of leads received. For example, if 1,000 leads are received in a month, the cost is around 50 cents. For more information about storage pricing, see [Azure Storage overview pricing](https://azure.microsoft.com/pricing/details/storage/).
-
-If your question isn't answered, contact Microsoft Support through [Partner Center Help and support](https://aka.ms/marketplacepublishersupport). Then select **Offer creation** > **Your type of offer** > **Lead management configuration**.
-
-#### I'm receiving email notifications when new customer leads are received. How can I configure someone else to receive these emails?
-
-Access your offer in Partner Center, and go to the **Offer setup** page > **Lead Management** > **Edit**. Update the email addresses under the **Contact email** field.
-
-## <a id="publishing-config-errors"></a> Troubleshooting lead configuration errors
-
-**Could not save the lead to Dynamics CRM. Check the Dynamics CRM account settings. LastCRMError: Unable to sign in to Dynamics CRM, LastCRMException:**
-
-> If Microsoft 365 authentication was selected, check if the user account and password is valid. If Azure Active Directory was selected, check if the tenant ID, application ID and application secret key matches what was set up on Azure Active Directory. Follow instructions [here](./partner-center-portal/commercial-marketplace-lead-management-instructions-dynamics.md). If the account username/password is valid, please make sure it has access to Dynamics 365 and has a license assigned (Steps 11-15 if using Azure Active Directory or Security Settings if using an Office user).
-
-**Could not save the lead to Dynamics CRM. User does not have create permissions for the leadsourcecode attribute in the lead entity**
-
-> The application/user is missing security role(s) to Microsoft Marketplace lead writer. Follow steps 11-15 if using Azure Active Directory, or Security Settings if using an Office user [here](./partner-center-portal/commercial-marketplace-lead-management-instructions-dynamics.md).
-
-**Could not save the lead to Dynamics CRM using AAD. Exception:: Tenant not found. This instance may happen if there are no active subscriptions for the tenant.**
-
-> The Directory Id provided in the lead management section is not a valid directory. Please get the Directory Id based on the instructions at Step 2 (under Azure Active Directory) [here](./partner-center-portal/commercial-marketplace-lead-management-instructions-dynamics.md).
-
-**Could not save the lead to Dynamics CRM. LastCRMError: SecLib::RetrievePrivilegeForUser failed - no roles are assigned to user.**
-
-> Resolution: Assign Security role to Microsoft Marketplace lead writer. Follow instructions [here](./partner-center-portal/commercial-marketplace-lead-management-instructions-dynamics.md) under Security settings.
-
-**Could not save the lead to Dynamics CRM using AAD. Exception:: Application with identifier was not found in the directory**
-
-> The Application Id provided in the lead management section is not a valid directory. Please get the Directory Id based on the instructions at Step 8 (under Azure Active Directory, from [here](./partner-center-portal/commercial-marketplace-lead-management-instructions-dynamics.md)).
-
-**Could not save the lead to Dynamics CRM using AAD. Exception:: Requested tenant identifier is not valid and not valid external domain format**
-
-> The Directory Id provided in the lead management section is not a valid directory. Please get the Directory Id based on the instructions at Step 2 (under Azure Active Directory, from [here](./partner-center-portal/commercial-marketplace-lead-management-instructions-dynamics.md)).
-
-**Could not save the lead to Dynamics CRM using AAD. Exception:: Error validating credentials.: Invalid client secret is provided.**
-
-> Resolution: Sign in to the Azure portal, check if the application key matches what's in the Partner Center. Please generate password based on the instruction at Step 10 (under Azure Active Directory), from [here](./partner-center-portal/commercial-marketplace-lead-management-instructions-dynamics.md)).
-
-**Could not save the lead to Dynamics CRM. LastCRMError: The request channel timed out while waiting for a reply after 00:02:00. Increase the timeout value passed to the call to Request or increase the SendTimeout value on the Binding. The time allotted to this operation may have been a portion of a longer timeout.**
-
-> Resolution: Sign in to Partner Center, check Offer setup >> Customer leads >> URL, check if it's a valid Dynamic CRM instance.
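Review bot: several defects in the removed lead-management-faq.md should be fixed in lead-management-faq.yml rather than carried over verbatim. The sample test lead is not valid JSON because the comma is missing after `"OfferTitle": "Contoso Test"`. The resolution for "Application with identifier was not found in the directory" says the Application Id "is not a valid directory" and tells the reader to get the Directory Id, which looks like a copy of the tenant error text. The "Invalid client secret" resolution ends with an unbalanced closing parenthesis. Also confirm that the explicit `publishing-config-errors` anchor on the troubleshooting heading still resolves in the YAML version, since nothing in this change shows whether inbound links to that fragment were updated.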
marketplace Orders Dashboard https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/marketplace/orders-dashboard.md
This article provides information on the Orders dashboard in Partner Center. This dashboard displays information about your orders, including growth trends, presented in a graphical and downloadable format. >[!NOTE]
-> For detailed definitions of analytics terminology, see [Commercial marketplace analytics terminology and common questions](./analytics-faq.md).
+> For detailed definitions of analytics terminology, see [Commercial marketplace analytics terminology and common questions](./analytics-faq.yml).
## Orders dashboard
The **Orders** page filters are applied at the Orders page level. You can select
- For Virtual Machine (VM) offers usage and metered billing metrics, see [Usage dashboard in commercial marketplace analytics](./usage-dashboard.md). - For a list of your download requests over the last 30 days, see [Downloads dashboard in commercial marketplace analytics](downloads-dashboard.md). - To see a consolidated view of customer feedback for offers on Azure Marketplace and AppSource, see [Ratings & Reviews analytics dashboard in Partner Center](ratings-reviews.md).-- For frequently asked questions about commercial marketplace analytics and for a comprehensive dictionary of data terms, see [Commercial marketplace analytics terminology and common questions](./analytics-faq.md).
+- For frequently asked questions about commercial marketplace analytics and for a comprehensive dictionary of data terms, see [Commercial marketplace analytics terminology and common questions](./analytics-faq.yml).
marketplace Commercial Marketplace Get Customer Leads https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/marketplace/partner-center-portal/commercial-marketplace-get-customer-leads.md
feedback](mailto:AzureMarketOnboard@microsoft.com) and suggestions to enable you
## Next steps -- [Lead management FAQ and troubleshooting](../lead-management-faq.md)
+- [Lead management FAQ and troubleshooting](../lead-management-faq.yml)
marketplace Commercial Marketplace Lead Management Instructions Azure Table https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/marketplace/partner-center-portal/commercial-marketplace-lead-management-instructions-azure-table.md
When leads are generated, Microsoft sends leads to the Azure table. If you confi
## Next steps -- [Lead management FAQ and troubleshooting](../lead-management-faq.md)
+- [Lead management FAQ and troubleshooting](../lead-management-faq.yml)
marketplace Ratings Reviews https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/marketplace/ratings-reviews.md
This article provides information on the Ratings & Reviews dashboard in Partner
- Reviews are posted on the Reviews tab on the product display page of the offer in Azure Marketplace or AppSource. Customers can include their name or post anonymously. >[!NOTE]
-> For detailed definitions of analytics terminology, see [Frequently asked questions and terminology for commercial marketplace analytics](analytics-faq.md).
+> For detailed definitions of analytics terminology, see [Frequently asked questions and terminology for commercial marketplace analytics](analytics-faq.yml).
## Access the dashboard
marketplace Summary Dashboard https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/marketplace/summary-dashboard.md
This article provides information on the Summary dashboard in Partner Center. This dashboard displays graphs, trends, and values of aggregate data that summarize marketplace activity for your offers. >[!NOTE]
-> For detailed definitions of analytics terminology, see [Commercial marketplace analytics terminology and common questions](./analytics-faq.md).
+> For detailed definitions of analytics terminology, see [Commercial marketplace analytics terminology and common questions](./analytics-faq.yml).
## Summary dashboard
Note the following:
- For detailed information about your customers, including growth trends, see [Customer Dashboard in commercial marketplace analytics](customer-dashboard.md). - For a list of your download requests over the last 30 days, see [Downloads Dashboard in commercial marketplace analytics](downloads-dashboard.md). - To see a consolidated view of customer feedback for offers on Azure Marketplace and AppSource, see [Ratings & Reviews analytics dashboard in Partner Center](ratings-reviews.md).-- For frequently asked questions about commercial marketplace analytics and for a comprehensive dictionary of data terms, see [Commercial marketplace analytics terminology and common questions](./analytics-faq.md).
+- For frequently asked questions about commercial marketplace analytics and for a comprehensive dictionary of data terms, see [Commercial marketplace analytics terminology and common questions](./analytics-faq.yml).
marketplace Usage Dashboard https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/marketplace/usage-dashboard.md
This article provides information on the Usage dashboard in Partner Center. This dashboard displays all virtual machine (VM) offers normalized usage, raw usage, and metered billing metrics in three separate tabs: VM Normalized usage, VM Raw usage, and metered billing usage. >[!NOTE]
-> For detailed definitions of analytics terminology, see [Commercial marketplace analytics terminology and common questions](./analytics-faq.md).
+> For detailed definitions of analytics terminology, see [Commercial marketplace analytics terminology and common questions](./analytics-faq.yml).
## Usage dashboard
If you have multiple offers that use custom meters, the metered billing usage re
- For virtual machine (VM) offers usage and metered billing metrics, see [Usage Dashboard in commercial marketplace analytics](usage-dashboard.md). - For a list of your download requests over the last 30 days, see [Downloads dashboard in commercial marketplace analytics](downloads-dashboard.md). - To see a consolidated view of customer feedback for offers on Azure Marketplace and Microsoft AppSource, see [Ratings & Reviews analytics dashboard in Partner Center](ratings-reviews.md).-- For frequently asked questions about commercial marketplace analytics and for a comprehensive dictionary of data terms, see [Commercial marketplace analytics terminology and common questions](./analytics-faq.md).
+- For frequently asked questions about commercial marketplace analytics and for a comprehensive dictionary of data terms, see [Commercial marketplace analytics terminology and common questions](./analytics-faq.yml).
media-services Media Services Event Schemas https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/media-services/latest/monitoring/media-services-event-schemas.md
editor: ''
Previously updated : 03/17/2021 Last updated : 07/08/2021
The following example shows the schema of the **LiveEventIncomingDataChunkDroppe
"trackType": "Video", "trackName": "Video", "bitrate": 300000,
- "timestamp": 36656620000,
- "timescale": 10000000,
+ "timestamp": "36656620000",
+ "timescale": "10000000",
"resultCode": "FragmentDrop_OverlapTimestamp" }, "dataVersion": "1.0",
The following example shows the schema of the **LiveEventIngestHeartbeat** event
"topic": "/subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.Media/mediaservices/<account-name>", "subject": "liveEvent/mle1", "eventType": "Microsoft.Media.LiveEventIngestHeartbeat",
- "eventTime": "2018-08-07T23:17:57.4610506",
+ "eventTime": "2021-05-14T23:50:00.324",
"id": "7f450938-491f-41e1-b06f-c6cd3965d786", "data": {
- "trackType": "audio",
- "trackName": "audio",
- "bitrate": 160000,
- "incomingBitrate": 155903,
- "lastTimestamp": "15336837535253637",
- "timescale": "10000000",
- "overlapCount": 0,
- "discontinuityCount": 0,
- "nonincreasingCount": 0,
- "unexpectedBitrate": false,
- "state": "Running",
- "healthy": true
+ "trackType":"video",
+ "trackName":"video",
+ "bitrate":2500000,
+ "incomingBitrate":2462597,
+ "lastTimestamp":"106999",
+ "timescale":"1000",
+ "overlapCount":0,
+ "discontinuityCount":0,
+ "nonincreasingCount":0,
+ "unexpectedBitrate":false,
+ "state":"Running",
+ "healthy":true,
+ "lastFragmentArrivalTime":"2021-05-14T23:50:00.324",
+ "ingestDriftValue":"0",
+ "transcriptionState":"",
+ "transcriptionLanguage":""
}, "dataVersion": "1.0", "metadataVersion": "1"
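Review bot: the replacement LiveEventIngestHeartbeat sample is a video track, so both new transcription fields appear only as empty strings ("transcriptionState":"" and "transcriptionLanguage":""). The property table says they are populated only for audio track heartbeats, so keeping an audio sample with transcription turned on would show readers the non-empty form. The added lines also drop the space after each colon, unlike the surrounding "dataVersion": "1.0" lines.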
The data object has the following properties:
| unexpectedBitrate | bool | If expected and actual bitrates differ by more than allowed limit in last 20 seconds. It's true if and only if, incomingBitrate >= 2* bitrate OR incomingBitrate <= bitrate/2 OR IncomingBitrate = 0. | | state | string | State of the live event. | | healthy | bool | Indicates whether ingest is healthy based on the counts and flags. Healthy is true if overlapCount = 0 && discontinuityCount = 0 && nonIncreasingCount = 0 && unexpectedBitrate = false. |
+| lastFragmentArrivalTime | string |The last time stamp in UTC that a fragment arrived at the ingest endpoint. Example date format is "2020-11-11 12:12:12:888999" |
+| ingestDriftValue | string | Measures the drift between the timestamp of the ingested content and the system clock of the ingest endpoint, measured in seconds (unit is an int64 string value). A non zero value indicates that the ingested content is arriving slower than system clock time. In other cases you will see the value 0 when there is no measured drift, or "n/a" when there are no incoming fragments. |
+| transcriptionState | string | This value is "On" for audio track heartbeats if live transcription is turned on, otherwise you will see an empty string. This state is only applicable to tracktype of "audio" for Live transcription. All other tracks will have an empty value.|
+| transcriptionLanguage | string | The language code (in BCP-47 format) of the transcription language. For example ΓÇ£de-deΓÇ¥ indicates German (Germany). The value is empty for the video track heartbeats, or when live transcription is turned off. |
+ ### LiveEventTrackDiscontinuityDetected
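Review bot: in the lastFragmentArrivalTime row, the example format "2020-11-11 12:12:12:888999" does not match the value the updated sample event carries for the same field, "2021-05-14T23:50:00.324"; pick the format the service emits and use it in both places. The ingestDriftValue row lists "n/a" as a possible value, so it should say outright that the string is not always numeric and that consumers must not parse it as int64 unconditionally. The quotes around de-de in the transcriptionLanguage row are typographic rather than the straight quotes used in the other rows, and the lastFragmentArrivalTime description is missing the space after the cell separator.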
media-services Reacting To Media Services Events https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/media-services/latest/monitoring/reacting-to-media-services-events.md
editor: ''
Previously updated : 03/17/2021 Last updated : 07/08/2021
media-services Release Notes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/media-services/latest/release-notes.md
To stay up-to-date with the most recent developments, this article provides you
## June 2021
+### Additional Live Event ingest heartbeat properties for improved diagnostics
+
+Additional live event ingest heartbeat properties have been added to the Event Grid message. This includes the following new fields to assist with diagnosing issues during live ingest. The **ingestDriftValue** is helpful in scenarios where you need to monitor network latency from the source ingest encoder pushing into the live event. If this value drifts out too far, it can be an indication that the network latency is too high for a successful live streaming event.
+
+See the [LiveEventIngestHeartbeat schema](./monitoring/media-services-event-schemas.md) for more details.
+
+| New LiveEventIngestHeartbeat property | Description |
+| -- | - |
+| lastFragmentArrivalTime | The last time stamp in UTC that a fragment arrived at the ingest endpoint. Example date format is "2020-11-11 12:12:12:888999" |
+| ingestDriftValue | Measures the drift between the timestamp of the ingested content and the system clock in the ingest endpoint, measured in integer seconds per minute. A non zero value indicates that the ingested content is arriving slower than system clock time In other cases you will see 0, or "n/a" when there are no incoming fragments.|
+| transcriptionState | The state of the live transcription feature. This state is only applicable to tracktype of "audio" for Live transcription. All other tracks will have an empty value, or empty when disabled.|
+| transcriptionLanguage | The BCP-47 language code used for this track if the tracktype is "audio". When transcriptionState is empty (off) this will have an empty value. All other non-audio tracks will also contain an empty value. |
+ ### Private links support is now GA Support for using Media Services with [private links](/azure/private-link/) is now GA and available in all Azure regions including Azure Government clouds.
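Review bot: the ingestDriftValue description here says "measured in integer seconds per minute", while the schema article's row for the same property says "measured in seconds"; the two need to agree on the unit. The same cell is missing a period between "system clock time" and "In other cases", and in the transcriptionState cell the trailing "or empty when disabled" is attached to the sentence about other tracks, so it reads as if it applied to non-audio tracks only.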
media-services Media Services Sspk https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/media-services/previous/media-services-sspk.md
Interim and Final SSPK licensees can submit technical questions to [smoothpk@mic
* SKARDIN INDUSTRIAL CORP * Sky CP Ltd * SMARDTV GLOBAL SAS
+* Sony Corporation
* SoftAtHome * Technicolor Delivery Technologies, SAS * Top Victory Investments, Ltd.
network-watcher Traffic Analytics https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/network-watcher/traffic-analytics.md
Do you have malicious traffic in your environment? Where is it originating from?
![Malicious traffic flows detail in log search](./media/traffic-analytics/malicious-traffic-flows-detail-in-log-search.png)
+### View information about public IPs interacting with your deployment
+
+**Look for**
+
+- Which public IPs are conversing with my network? What is the WHOIS data and geographic location of all public IPs?
+- Which malicious IPs are sending traffic to my deployments? What is the threat type and threat description for malicious IPs?
+ - The Public IP Information section, gives a summary of all types of public IPs present in your network traffic.
+ Select the public IP type of interest to view details. This [schema document](https://docs.microsoft.com/azure/network-watcher/traffic-analytics-schema#public-ip-details-schema) defines the data fields presented.
+
+ :::image type="content" source="./media/traffic-analytics/public-ip-information.png" alt-text="Public IP information" lightbox="./media/traffic-analytics/public-ip-information.png":::
+
+ - On the traffic analytics dashboard, click on any IP to view its information
+
+ :::image type="content" source="./media/traffic-analytics/external-public-ip-details.png" alt-text="external IP information in tool tip" lightbox="./media/traffic-analytics/external-public-ip-details.png":::
+
+ :::image type="content" source="./media/traffic-analytics/malicious-ip-details.png" alt-text="malicious IP information in tool tip" lightbox="./media/traffic-analytics/malicious-ip-details.png":::
### Visualize the trends in NSG/NSG rules hits
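Review bot: under "Look for", the two answer bullets ("The Public IP Information section..." and "On the traffic analytics dashboard...") are indented beneath the second question, so they render as children of the malicious-IP question although they answer both; move them out to their own level. The first bullet has a stray comma after "section", the second lacks a closing period, the two tool tip alt texts start in lower case, and the schema link is an absolute docs.microsoft.com URL where a site-relative link would match the relative media paths used in the same hunk.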
security-center Alerts Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/security-center/alerts-reference.md
Previously updated : 07/04/2021 Last updated : 07/11/2021
At the bottom of this page, there's a table describing the Azure Security Center
[Further details and notes](defender-for-servers-introduction.md)
-|Alert|Description|MITRE tactics<br>([Learn more](#intentions))|Severity|
+|Alert (alert type)|Description|MITRE tactics<br>([Learn more](#intentions))|Severity|
|-|-|:-:|--|
-|**A logon from a malicious IP has been detected**|A successful remote authentication for the account [account] and process [process] occurred, however the logon IP address (x.x.x.x) has previously been reported as malicious or highly unusual. A successful attack has probably occurred.|-|High|
+|**A logon from a malicious IP has been detected**<br>(VM_ThreatIntelSuspectLogon)|A successful remote authentication for the account [account] and process [process] occurred, however the logon IP address (x.x.x.x) has previously been reported as malicious or highly unusual. A successful attack has probably occurred.|Initial access|High|
|**A logon from a malicious IP has been detected. [seen multiple times]**|A successful remote authentication for the account [account] and process [process] occurred, however the logon IP address (x.x.x.x) has previously been reported as malicious or highly unusual. A successful attack has probably occurred. Files with the .scr extensions are screen saver files and are normally reside and execute from the Windows system directory.|-|High| |**Addition of Guest account to Local Administrators group**|Analysis of host data has detected the addition of the built-in Guest account to the Local Administrators group on %{Compromised Host}, which is strongly associated with attacker activity.|-|Medium| |**An event log was cleared**|Machine logs indicate a suspicious event log clearing operation by user: '%{user name}' in Machine: '%{CompromisedEntity}'. The %{log channel} log was cleared.|-|Informational|
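Review bot: the alert type (VM_ThreatIntelSuspectLogon) and the "Initial access" tactic are added only to the base "A logon from a malicious IP has been detected" row; the "[seen multiple times]" variant directly below still shows no alert type and "-" for the tactic. Either fill in the variant too or state that it shares the base alert's values, because anyone keying suppression rules or workflow automation on the alert type will otherwise not know what the aggregated alert emits. That variant's description also ends with a sentence about .scr screen saver files that belongs to a different alert.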
At the bottom of this page, there's a table describing the Azure Security Center
|**Multiple Domain Accounts Queried**|Analysis of host data has determined that an unusual number of distinct domain accounts are being queried within a short time period from %{Compromised Host}. This kind of activity could be legitimate, but can also be an indication of compromise.|-|Medium| |**Possible credential dumping detected [seen multiple times]**|Analysis of host data has detected use of native windows tool (e.g. sqldumper.exe) being used in a way that allows to extract credentials from memory. Attackers often use these techniques to extract credentials that they then further use for lateral movement and privilege escalation. This behavior was seen [x] times today on the following machines: [Machine names]|-|Medium| |**Potential attempt to bypass AppLocker detected**|Analysis of host data on %{Compromised Host} detected a potential attempt to bypass AppLocker restrictions. AppLocker can be configured to implement a policy that limits what executables are allowed to run on a Windows system. The command-line pattern similar to that identified in this alert has been previously associated with attacker attempts to circumvent AppLocker policy by using trusted executables (allowed by AppLocker policy) to execute untrusted code. This could be legitimate activity, or an indication of a compromised host.|-|High|
-|**PsExec execution detected**|Analysis of host data indicates that the process %{Process Name} was executed by PsExec utility. PsExec can be used for running processes remotely. This technique might be used for malicious purposes.|-|Informational|
+|**PsExec execution detected**<br>(VM_RunByPsExec)|Analysis of host data indicates that the process %{Process Name} was executed by PsExec utility. PsExec can be used for running processes remotely. This technique might be used for malicious purposes.| Lateral Movement, Execution |Informational|
|**Ransomware indicators detected [seen multiple times]**|Analysis of host data indicates suspicious activity traditionally associated with lock-screen and encryption ransomware. Lock screen ransomware displays a full-screen message preventing interactive use of the host and access to its files. Encryption ransomware prevents access by encrypting data files. In both cases a ransom message is typically displayed, requesting payment in order to restore file access. This behavior was seen [x] times today on the following machines: [Machine names]|-|High| |**Ransomware indicators detected**|Analysis of host data indicates suspicious activity traditionally associated with lock-screen and encryption ransomware. Lock screen ransomware displays a full-screen message preventing interactive use of the host and access to its files. Encryption ransomware prevents access by encrypting data files. In both cases a ransom message is typically displayed, requesting payment in order to restore file access.|-|High|
-|**Rare SVCHOST service group executed**|The system process SVCHOST was observed running a rare service group. Malware often uses SVCHOST to masquerade its malicious activity.|-|Informational|
+|**Rare SVCHOST service group executed**<br>(VM_SvcHostRunInRareServiceGroup)|The system process SVCHOST was observed running a rare service group. Malware often uses SVCHOST to masquerade its malicious activity.| Defense Evasion, Execution |Informational|
|**Sticky keys attack detected**|Analysis of host data indicates that an attacker may be subverting an accessibility binary (for example sticky keys, onscreen keyboard, narrator) in order to provide backdoor access to the host %{Compromised Host}.|-|Medium|
-|**Successful brute force attack**|Several sign in attempts were detected from the same source. Some successfully authenticated to the host.<br>This resembles a burst attack, in which an attacker performs numerous authentication attempts to find valid account credentials.|-|Medium/High|
+|**Successful brute force attack**<br>(VM_LoginBruteForceSuccess)|Several sign in attempts were detected from the same source. Some successfully authenticated to the host.<br>This resembles a burst attack, in which an attacker performs numerous authentication attempts to find valid account credentials.|Exploitation|Medium/High|
|**Suspect integrity level indicative of RDP hijacking**|Analysis of host data has detected the tscon.exe running with SYSTEM privileges - this can be indicative of an attacker abusing this binary in order to switch context to any other logged on user on this host; it is a known attacker technique to compromise additional user accounts and move laterally across a network.|-|Medium| |**Suspect service installation**|Analysis of host data has detected the installation of tscon.exe as a service: this binary being started as a service potentially allows an attacker to trivially switch to any other logged on user on this host by hijacking RDP connections; it is a known attacker technique to compromise additional user accounts and move laterally across a network.|-|Medium| |**Suspected Kerberos Golden Ticket attack parameters observed**|Analysis of host data detected commandline parameters consistent with a Kerberos Golden Ticket attack.|-|Medium|
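Review bot: "Exploitation" on the "Successful brute force attack" row is not a MITRE ATT&CK tactic name, although the column is headed "MITRE tactics"; use the ATT&CK tactic or make sure the linked #intentions table defines the value. In the same hunk the tactic cells for the PsExec and SVCHOST rows are padded with spaces and use title case ("Lateral Movement, Execution"), while the earlier logon row uses "Initial access"; settle on one casing.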
At the bottom of this page, there's a table describing the Azure Security Center
|**Suspicious Screensaver process executed**|The process '%{process name}' was observed executing from an uncommon location. Files with the .scr extensions are screen saver files and are normally reside and execute from the Windows system directory.|-|Medium| |**Suspicious Volume Shadow Copy Activity**|Analysis of host data has detected a shadow copy deletion activity on the resource. Volume Shadow Copy (VSC) is an important artifact that stores data snapshots. Some malware and specifically Ransomware, targets VSC to sabotage backup strategies.|-|High| |**Suspicious WindowPosition registry value detected**|Analysis of host data on %{Compromised Host} detected an attempted WindowPosition registry configuration change that could be indicative of hiding application windows in non-visible sections of the desktop. This could be legitimate activity, or an indication of a compromised machine: this type of activity has been previously associated with known adware (or unwanted software) such as Win32/OneSystemCare and Win32/SystemHealer and malware such as Win32/Creprote. When the WindowPosition value is set to 201329664, (Hex: 0x0c00 0c00, corresponding to X-axis=0c00 and the Y-axis=0c00) this places the console app's window in a non-visible section of the user's screen in an area that is hidden from view below the visible start menu/taskbar. Known suspect Hex value includes, but not limited to c000c000|-|Low|
-|**Suspicious authentication activity**|Although none of them succeeded, some of them used accounts were recognized by the host. This resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host. This indicates that some of your host account names might exist in a well-known account name dictionary.|-|Medium|
+|**Suspicious authentication activity**<br>(VM_LoginBruteForceValidUserFailed)|Although none of them succeeded, some of them used accounts were recognized by the host. This resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host. This indicates that some of your host account names might exist in a well-known account name dictionary.|Probing|Medium|
|**Suspicious code segment detected**|Indicates that a code segment has been allocated by using non-standard methods, such as reflective injection and process hollowing. The alert provides additional characteristics of the code segment that have been processed to provide context for the capabilities and behaviors of the reported code segment.|-|Medium| |**Suspicious command execution**|Machine logs indicate a suspicious command-line execution by user %{user name}.|-|| |**Suspicious double extension file executed**|Analysis of host data indicates an execution of a process with a suspicious double extension. This extension may trick users into thinking files are safe to be opened and might indicate the presence of malware on the system.|-|High|
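Review bot: the description on the "Suspicious authentication activity" row is carried over unchanged and opens with "Although none of them succeeded", with nothing for "them" to refer to, and "some of them used accounts were recognized by the host" is ungrammatical; since the row is being edited anyway, restate it along the lines of the brute force row (sign-in attempts from the same source, none successful, some against valid accounts). "Probing" is also not an ATT&CK tactic name under the "MITRE tactics" heading.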
At the bottom of this page, there's a table describing the Azure Security Center
|**Suspicious process executed**|Machine logs indicate that the suspicious process: '%{Suspicious Process}' was running on the machine, often associated with attacker attempts to access credentials.|-|High| |**Suspicious process name detected [seen multiple times]**|Analysis of host data on %{Compromised Host} detected a process whose name is suspicious, for example corresponding to a known attacker tool or named in a way that is suggestive of attacker tools that try to hide in plain sight. This process could be legitimate activity, or an indication that one of your machines has been compromised. This behavior was seen [x] times today on the following machines: [Machine names]|-|Medium| |**Suspicious process name detected**|Analysis of host data on %{Compromised Host} detected a process whose name is suspicious, for example corresponding to a known attacker tool or named in a way that is suggestive of attacker tools that try to hide in plain sight. This process could be legitimate activity, or an indication that one of your machines has been compromised.|-|Medium|
-|**Suspicious process termination burst**|Analysis of host data indicates a suspicious process termination burst in %{Machine Name}. Specifically, %{NumberOfCommands} processes were killed between %{Begin} and %{Ending}.|-|Low|
+|**Suspicious process termination burst**<br>(VM_TaskkillBurst)|Analysis of host data indicates a suspicious process termination burst in %{Machine Name}. Specifically, %{NumberOfCommands} processes were killed between %{Begin} and %{Ending}.|Defense Evasion|Low|
|**Suspicious system process executed**|The system process %{process name} was observed running in an abnormal context. Malware often uses this process name to masquerade its malicious activity.|-|High| |**Suspiciously named process detected**|Analysis of host data on %{Compromised Host} detected a process whose name is very similar to but different from a very commonly run process (%{Similar To Process Name}). While this process could be benign attackers are known to sometimes hide in plain sight by naming their malicious tools to resemble legitimate process names.|-|Medium| |**Unusual process execution detected**|Analysis of host data on %{Compromised Host} detected the execution of a process by %{User Name} that was unusual. Accounts such as %{User Name} tend to perform a limited set of operations, this execution was determined to be out of character and may be suspicious.|-|High| |**VBScript HTTP object allocation detected**|Creation of a VBScript file using Command Prompt has been detected. The following script contains HTTP object allocation command. This action can be used to download malicious files.|-|High|
-|**Windows registry persistence method detected**|Analysis of host data has detected an attempt to persist an executable in the Windows registry. Malware often uses such a technique to survive a boot.|-|Low|
+|**Windows registry persistence method detected**<br>(VM_RegistryPersistencyKey)|Analysis of host data has detected an attempt to persist an executable in the Windows registry. Malware often uses such a technique to survive a boot.|Persistence|Low|
|||||
At the bottom of this page, there's a table describing the Azure Security Center
|**Access of htaccess file detected**|Analysis of host data on %{Compromised Host} detected possible manipulation of a htaccess file. Htaccess is a powerful configuration file that allows you to make multiple changes to a web server running the Apache Web software including basic redirect functionality, or for more advanced functions such as basic password protection. Attackers will often modify htaccess files on machines they have compromised to gain persistence.|-|Medium| |**An history file has been cleared**|Analysis of host data indicates that the command history log file has been cleared. Attackers may do this to cover their traces. The operation was performed by user: '%{user name}'.|-|Medium| |**Attempt to stop apt-daily-upgrade.timer service detected [seen multiple times]**|Analysis of host data on %{Compromised Host} detected an attempt to stop apt-daily-upgrade.timer service. In some recent attacks, attackers have been observed stopping this service, to download malicious files and granting execution privileges for their attack. This behavior was seen [x] times today on the following machines: [Machine names]|-|Low|
-|**Attempt to stop apt-daily-upgrade.timer service detected**|Analysis of host data on %{Compromised Host} detected an attempt to stop apt-daily-upgrade.timer service. In some recent attacks, attackers have been observed stopping this service, to download malicious files and granting execution privileges for their attack.|-|Low|
+|**Attempt to stop apt-daily-upgrade.timer service detected**<br>(VM_TimerServiceDisabled)|Analysis of host data on %{Compromised Host} detected an attempt to stop apt-daily-upgrade.timer service. In some recent attacks, attackers have been observed stopping this service, to download malicious files and granting execution privileges for their attack.|Defense Evasion|Low|
|**Behavior similar to common Linux bots detected [seen multiple times]**|Analysis of host data on %{Compromised Host} detected the execution of a process normally associated with common Linux botnets. This behavior was seen [x] times today on the following machines: [Machine names]|-|Medium|
-|**Behavior similar to common Linux bots detected**|Analysis of host data on %{Compromised Host} detected the execution of a process normally associated with common Linux botnets.|-|Medium|
+|**Behavior similar to common Linux bots detected**<br>(VM_CommonBot)|Analysis of host data on %{Compromised Host} detected the execution of a process normally associated with common Linux botnets.|Execution, Collection, Command and Control|Medium|
|**Behavior similar to Fairware ransomware detected [seen multiple times]**|Analysis of host data on %{Compromised Host} detected the execution of rm -rf commands applied to suspicious locations. As rm -rf will recursively delete files, it is normally used on discrete folders. In this case, it is being used in a location that could remove a lot of data. Fairware ransomware is known to execute rm -rf commands in this folder. This behavior was seen [x] times today on the following machines: [Machine names]|-|Medium| |**Behavior similar to Fairware ransomware detected**|Analysis of host data on %{Compromised Host} detected the execution of rm -rf commands applied to suspicious locations. As rm -rf will recursively delete files, it is normally used on discrete folders. In this case, it is being used in a location that could remove a lot of data. Fairware ransomware is known to execute rm -rf commands in this folder.|-|Medium| |**Behavior similar to ransomware detected [seen multiple times]**|Analysis of host data on %{Compromised Host} detected the execution of files that have resemblance of known ransomware that can prevent users from accessing their system or personal files, and demands ransom payment in order to regain access. This behavior was seen [x] times today on the following machines: [Machine names]|-|High|
At the bottom of this page, there's a table describing the Azure Security Center
|**Detected file download from a known malicious source [seen multiple times]**|Analysis of host data has detected the download of a file from a known malware source on %{Compromised Host}. This behavior was seen over [x] times today on the following machines: [Machine names]|-|Medium| |**Detected file download from a known malicious source**|Analysis of host data has detected the download of a file from a known malware source on %{Compromised Host}.|-|Medium| |**Detected persistence attempt [seen multiple times]**|Analysis of host data on %{Compromised Host} has detected installation of a startup script for single-user mode. It is extremely rare that any legitimate process needs to execute in that mode, so this may indicate that an attacker has added a malicious process to every run-level to guarantee persistence. This behavior was seen [x] times today on the following machines: [Machine names]|-|Medium|
-|**Detected persistence attempt**|Host data analysis has detected that a startup script for single-user mode has been installed.<br>Because it's rare that any legitimate process would be required to run in that mode, this might indicate that an attacker has added a malicious process to every run-level to guarantee persistence. |Persistence|Medium|
+|**Detected persistence attempt**<br>(VM_NewSingleUserModeStartupScript)|Host data analysis has detected that a startup script for single-user mode has been installed.<br>Because it's rare that any legitimate process would be required to run in that mode, this might indicate that an attacker has added a malicious process to every run-level to guarantee persistence. |Persistence|Medium|
|**Detected suspicious file download [seen multiple times]**|Analysis of host data has detected suspicious download of remote file on %{Compromised Host}. This behavior was seen 10 times today on the following machines: [Machine name]|-|Low|
-|**Detected suspicious file download**|Analysis of host data has detected suspicious download of remote file on %{Compromised Host}.|-|Low|
+|**Detected suspicious file download**<br>(VM_SuspectDownloadArtifacts)|Analysis of host data has detected suspicious download of remote file on %{Compromised Host}.|Persistence|Low|
|**Detected suspicious network activity**|Analysis of network traffic from %{Compromised Host} detected suspicious network activity. Such traffic, while possibly benign, is typically used by an attacker to communicate with malicious servers for downloading of tools, command-and-control and exfiltration of data. Typical related attacker activity includes copying remote administration tools to a compromised host and exfiltrating user data from it.|-|Low| |**Detected suspicious use of the useradd command [seen multiple times]**|Analysis of host data has detected suspicious use of the useradd command on %{Compromised Host}. This behavior was seen [x] times today on the following machines: [Machine names]|-|Medium| |**Detected suspicious use of the useradd command**|Analysis of host data has detected suspicious use of the useradd command on %{Compromised Host}.|-|Medium| |**Digital currency mining related behavior detected**|Analysis of host data on %{Compromised Host} detected the execution of a process or command normally associated with digital currency mining.|-|High| |**Disabling of auditd logging [seen multiple times]**|The Linux Audit system provides a way to track security-relevant information on the system. It records as much information about the events that are happening on your system as possible. Disabling auditd logging could hamper discovering violations of security policies used on the system. This behavior was seen [x] times today on the following machines: [Machine names]|-|Low|
-|**Executable found running from a suspicious location**|Analysis of host data detected an executable file on %{Compromised Host} that is running from a location in common with known suspicious files. This executable could either be legitimate activity, or an indication of a compromised host.|-|High|
+|**Executable found running from a suspicious location**<br>(VM_SuspectExecutablePath)|Analysis of host data detected an executable file on %{Compromised Host} that is running from a location in common with known suspicious files. This executable could either be legitimate activity, or an indication of a compromised host.| Execution |High|
|**Exploitation of Xorg vulnerability [seen multiple times]**|Analysis of host data on %{Compromised Host} detected the user of Xorg with suspicious arguments. Attackers may use this technique in privilege escalation attempts. This behavior was seen [x] times today on the following machines: [Machine names]|-|Medium| |**Exposed Docker daemon detected**|Machine logs indicate that your Docker daemon (dockerd) exposes a TCP socket. By default, Docker configuration, does not use encryption or authentication when a TCP socket is enabled. This enables full access to the Docker daemon, by anyone with access to the relevant port.|-|Medium|
-|**Failed SSH brute force attack**|Failed brute force attacks were detected from the following attackers: %{Attackers}. Attackers were trying to access the host with the following user names: %{Accounts used on failed sign in to host attempts}.|-|Medium|
+|**Failed SSH brute force attack**<br>(VM_SshBruteForceFailed)|Failed brute force attacks were detected from the following attackers: %{Attackers}. Attackers were trying to access the host with the following user names: %{Accounts used on failed sign in to host attempts}.|Probing|Medium|
|**Fileless Attack Behavior Detected**<br>(AppServices_FilelessAttackBehaviorDetection)| The memory of the process specified below contains behaviors commonly used by fileless attacks.<br>Specific behaviors include: {list of observed behaviors} | Execution | Medium | |**Fileless Attack Technique Detected**<br>(VM_FilelessAttackTechnique.Linux)| The memory of the process specified below contains evidence of a fileless attack technique. Fileless attacks are used by attackers to execute code while evading detection by security software.<br>Specific behaviors include: {list of observed behaviors} | Execution | High | |**Fileless Attack Toolkit Detected**<br>(VM_FilelessAttackToolkit.Linux)| The memory of the process specified below contains a fileless attack toolkit: {ToolKitName}. Fileless attack toolkits typically do not have a presence on the filesystem, making detection by traditional anti-virus software difficult.<br>Specific behaviors include: {list of observed behaviors} | Defense Evasion, Execution | High |
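Review bot: the new alert IDs and tactics land only on the single-occurrence rows in this hunk, so each "[seen multiple times]" twin now disagrees with its sibling. "Detected persistence attempt [seen multiple times]" and "Detected suspicious file download [seen multiple times]" still show `-` in the tactic column and carry no ID, while their counterparts gain (VM_NewSingleUserModeStartupScript) with Persistence and (VM_SuspectDownloadArtifacts) with Persistence. Update both variants of each pair, or state that the ID covers both, since readers look alerts up by these values. Please also confirm Persistence for VM_SuspectDownloadArtifacts, whose description covers only the download of a remote file, and drop the padding in `| Execution |` on the VM_SuspectExecutablePath row so it matches the unpadded cells around it.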
At the bottom of this page, there's a table describing the Azure Security Center
|**Indicators associated with DDOS toolkit detected**|Analysis of host data on %{Compromised Host} detected file names that are part of a toolkit associated with malware capable of launching DDoS attacks, opening ports and services and taking full control over the infected system. This could also possibly be legitimate activity.|-|Medium| |**Local host reconnaissance detected [seen multiple times]**|Analysis of host data on %{Compromised Host} detected the execution of a command normally associated with common Linux bot reconnaissance. This behavior was seen [x] times today on the following machines: [Machine names]|-|Medium| |**Local host reconnaissance detected**|Analysis of host data on %{Compromised Host} detected the execution of a command normally associated with common Linux bot reconnaissance.|-|Medium|
-|**Manipulation of host firewall detected [seen multiple times]**|Analysis of host data on %{Compromised Host} detected possible manipulation of the on-host firewall. Attackers will often disable this to exfiltrate data. This behavior was seen [x] times today on the following machines: [Machine names]|-|Medium|
+|**Manipulation of host firewall detected [seen multiple times]**<br>(VM_FirewallDisabled)|Analysis of host data on %{Compromised Host} detected possible manipulation of the on-host firewall. Attackers will often disable this to exfiltrate data. This behavior was seen [x] times today on the following machines: [Machine names]|Defense Evasion, Exfiltration|Medium|
|**Manipulation of host firewall detected**|Analysis of host data on %{Compromised Host} detected possible manipulation of the on-host firewall. Attackers will often disable this to exfiltrate data.|-|Medium| |**MITRE Caldera agent detected**<br>(VM_MitreCalderaTools)|Machine logs indicate that the suspicious process: '%{Suspicious Process}' was running on %{Compromised Host}. This is often associated with the MITRE 54ndc47 agent which could be used maliciously to attack other machines in some way.|All |Medium|
-|**New SSH key added [seen multiple times]**|A new SSH key was added to the authorized keys file. This behavior was seen [x] times today on the following machines: [Machine names]|-|Low|
+|**New SSH key added [seen multiple times]**<br>(VM_SshKeyAddition)|A new SSH key was added to the authorized keys file. This behavior was seen [x] times today on the following machines: [Machine names]|Persistence|Low|
|**New SSH key added**|A new SSH key was added to the authorized keys file|-|Low| |**Possible attack tool detected [seen multiple times]**|Machine logs indicate that the suspicious process: '%{Suspicious Process}' was running on %{Compromised Host}. This tool is often associated with malicious users attacking other machines in some way. This behavior was seen [x] times today on the following machines: [Machine names]|-|Medium| |**Possible attack tool detected**|Machine logs indicate that the suspicious process: '%{Suspicious Process}' was running on %{Compromised Host}. This tool is often associated with malicious users attacking other machines in some way.|-|Medium| |**Possible backdoor detected [seen multiple times]**|Analysis of host data has detected a suspicious file being downloaded then run on %{Compromised Host} in your subscription. This activity has previously been associated with installation of a backdoor. This behavior was seen [x] times today on the following machines: [Machine names]|-|Medium| |**Possible credential access tool detected [seen multiple times]**|Machine logs indicate a possible known credential access tool was running on %{Compromised Host} launched by process: '%{Suspicious Process}'. This tool is often associated with attacker attempts to access credentials. This behavior was seen [x] times today on the following machines: [Machine names]|-|Medium| |**Possible credential access tool detected**|Machine logs indicate a possible known credential access tool was running on %{Compromised Host} launched by process: '%{Suspicious Process}'. This tool is often associated with attacker attempts to access credentials.|-|Medium|
-|**Possible exploitation of Hadoop Yarn**|Analysis of host data on %{Compromised Host} detected the possible exploitation of the Hadoop Yarn service.|-|Medium|
+|**Possible exploitation of Hadoop Yarn**<br>(VM_HadoopYarnExploit)|Analysis of host data on %{Compromised Host} detected the possible exploitation of the Hadoop Yarn service.|Exploitation|Medium|
|**Possible exploitation of the mailserver detected**<br>(VM_MailserverExploitation )|Analysis of host data on %{Compromised Host} detected an unusual execution under the mail server account|Exploitation|Medium| |**Possible Log Tampering Activity Detected [seen multiple times]**|Analysis of host data on %{Compromised Host} detected possible removal of files that tracks user's activity during the course of its operation. Attackers often try to evade detection and leave no trace of malicious activities by deleting such log files. This behavior was seen [x] times today on the following machines: [Machine names]|-|Medium| |**Possible Log Tampering Activity Detected**|Analysis of host data on %{Compromised Host} detected possible removal of files that tracks user's activity during the course of its operation. Attackers often try to evade detection and leave no trace of malicious activities by deleting such log files.|-|Medium| |**Possible loss of data detected [seen multiple times]**|Analysis of host data on %{Compromised Host} detected a possible data egress condition. Attackers will often egress data from machines they have compromised. This behavior was seen [x]] times today on the following machines: [Machine names]|-|Medium|
-|**Possible loss of data detected**|Analysis of host data on %{Compromised Host} detected a possible data egress condition. Attackers will often egress data from machines they have compromised.|-|Medium|
+|**Possible loss of data detected**<br>(VM_DataEgressArtifacts)|Analysis of host data on %{Compromised Host} detected a possible data egress condition. Attackers will often egress data from machines they have compromised.|Collection, Exfiltration|Medium|
|**Possible malicious web shell detected [seen multiple times]**|Analysis of host data on %{Compromised Host} detected a possible web shell. Attackers will often upload a web shell to a machine they have compromised to gain persistence or for further exploitation. This behavior was seen [x] times today on the following machines: [Machine names]|-|Medium| |**Possible malicious web shell detected**|Analysis of host data on %{Compromised Host} detected a possible web shell. Attackers will often upload a web shell to a machine they have compromised to gain persistence or for further exploitation.|-|Medium| |**Possible password change using crypt-method detected [seen multiple times]**|Analysis of host data on %{Compromised Host} detected password change using crypt method. Attackers can make this change to continue access and gaining persistence after compromise. This behavior was seen [x] times today on the following machines: [Machine names]|-|Medium| |**Potential overriding of common files [seen multiple times]**|Analysis of host data has detected common executables being overwritten on %{Compromised Host}. Attackers will overwrite common files as a way to obfuscate their actions or for persistence. This behavior was seen [x] times today on the following machines: [Machine names]|-|Medium| |**Potential overriding of common files**|Analysis of host data has detected common executables being overwritten on %{Compromised Host}. Attackers will overwrite common files as a way to obfuscate their actions or for persistence.|-|Medium| |**Potential port forwarding to external IP address [seen multiple times]**|Analysis of host data on %{Compromised Host} detected the initiation of port forwarding to an external IP address. This behavior was seen [x] times today on the following machines: [Machine names]|-|Medium|
-|**Potential port forwarding to external IP address**|Host data analysis detected the initiation of port forwarding to an external IP address.|Exfiltration / Command And Control|Medium|
+|**Potential port forwarding to external IP address**<br>(VM_SuspectPortForwarding)|Host data analysis detected the initiation of port forwarding to an external IP address.|Exfiltration, Command And Control|Medium|
|**Potential reverse shell detected [seen multiple times]**|Analysis of host data on %{Compromised Host} detected a potential reverse shell. These are used to get a compromised machine to call back into a machine an attacker owns. This behavior was seen [x] times today on the following machines: [Machine names]|-|Medium| |**Potential reverse shell detected**|Analysis of host data on %{Compromised Host} detected a potential reverse shell. These are used to get a compromised machine to call back into a machine an attacker owns.|-|Medium| |**Privileged command run in container**|Machine logs indicate that a privileged command was run in a Docker container. A privileged command has extended privileges on the host machine.|-|Low| |**Privileged Container Detected**|Machine logs indicate that a privileged Docker container is running. A privileged container has a full access to the host's resources. If compromised, an attacker can use the privileged container to gain access to the host machine.|-|Low| |**Process associated with digital currency mining detected [seen multiple times]**|Analysis of host data on %{Compromised Host} detected the execution of a process normally associated with digital currency mining. This behavior was seen over 100 times today on the following machines: [Machine name]|-|Medium|
-|**Process associated with digital currency mining detected**|Host data analysis detected the execution of a process that is normally associated with digital currency mining.|Exploitation / Execution|Medium|
+|**Process associated with digital currency mining detected**|Host data analysis detected the execution of a process that is normally associated with digital currency mining.|Exploitation, Execution|Medium|
|**Process seen accessing the SSH authorized keys file in an unusual way**|An SSH authorized keys file has been accessed in a method similar to known malware campaigns. This access can indicate that an attacker is attempting to gain persistent access to a machine.|-|| |**Python encoded downloader detected [seen multiple times]**|Analysis of host data on %{Compromised Host} detected the execution of encoded Python that downloads and runs code from a remote location. This may be an indication of malicious activity. This behavior was seen [x] times today on the following machines: [Machine names]|-|Low| |**Screenshot taken on host [seen multiple times]**|Analysis of host data on %{Compromised Host} detected the user of a screen capture tool. Attackers may use these tools to access private data. This behavior was seen [x] times today on the following machines: [Machine names]|-|Low| |**Script extension mismatch detected [seen multiple times]**|Analysis of host data on %{Compromised Host} detected a mismatch between the script interpreter and the extension of the script file provided as input. This has frequently been associated with attacker script executions. This behavior was seen [x] times today on the following machines: [Machine names]|-|Medium|
-|**Script extension mismatch detected**|Analysis of host data on %{Compromised Host} detected a mismatch between the script interpreter and the extension of the script file provided as input. This has frequently been associated with attacker script executions.|-|Medium|
+|**Script extension mismatch detected**<br>(VM_MismatchedScriptFeatures)|Analysis of host data on %{Compromised Host} detected a mismatch between the script interpreter and the extension of the script file provided as input. This has frequently been associated with attacker script executions.|Defense Evasion|Medium|
|**Shellcode detected [seen multiple times]**|Analysis of host data on %{Compromised Host} detected shellcode being generated from the command line. This process could be legitimate activity, or an indication that one of your machines has been compromised. This behavior was seen [x] times today on the following machines: [Machine names]|-|Medium| |**SSH server is running inside a container** | Machine logs indicate that an SSH server is running inside a Docker container. While this behavior can be intentional, it frequently indicates that a container is misconfigured or breached.|-|Medium|
-|**Successful SSH brute force attack**|Analysis of host data has detected a successful brute force attack. The IP %{Attacker source IP} was seen making multiple login attempts. Successful logins were made from that IP with the following user(s): %{Accounts used to successfully sign in to host}. This means that the host may be compromised and controlled by a malicious actor.|-|High|
+|**Successful SSH brute force attack**<br>(VM_SshBruteForceSuccess)|Analysis of host data has detected a successful brute force attack. The IP %{Attacker source IP} was seen making multiple login attempts. Successful logins were made from that IP with the following user(s): %{Accounts used to successfully sign in to host}. This means that the host may be compromised and controlled by a malicious actor.|Exploitation|High|
|**Suspicious Account Creation Detected**|Analysis of host data on %{Compromised Host} detected creation or use of a local account %{Suspicious account name} : this account name closely resembles a standard Windows account or group name '%{Similar To Account Name}'. This is potentially a rogue account created by an attacker, so named in order to avoid being noticed by a human administrator.|-|Medium| |**Suspicious compilation detected [seen multiple times]**|Analysis of host data on %{Compromised Host} detected suspicious compilation. Attackers will often compile exploits on a machine they have compromised to escalate privileges. This behavior was seen [x] times today on the following machines: [Machine names]|-|Medium| |**Suspicious compilation detected**|Analysis of host data on %{Compromised Host} detected suspicious compilation. Attackers will often compile exploits on a machine they have compromised to escalate privileges.|-|Medium|
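Review bot: ID and tactic placement is inconsistent between alert variants in this hunk. (VM_FirewallDisabled) and (VM_SshKeyAddition) are added to the "[seen multiple times]" rows while the plain "Manipulation of host firewall detected" and "New SSH key added" rows keep `-` and no ID, whereas (VM_DataEgressArtifacts), (VM_SuspectPortForwarding) and (VM_MismatchedScriptFeatures) go on the plain rows and leave their "[seen multiple times]" twins untouched. Pick one convention, or annotate both rows of each pair. The "Process associated with digital currency mining detected" row only has its tactic separator changed from " / " to ", " and still lacks an alert ID, and the neighbouring "Process seen accessing the SSH authorized keys file in an unusual way" row ends in `|-||` with an empty severity cell; both are worth fixing in the same pass.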
Azure Defender alerts for container hosts aren't limited to the alerts below. Ma
|-||:-:|-| | **Antimalware broad files exclusion in your virtual machine**<br>(ARM_AmBroadFilesExclusion) | Files exclusion from antimalware extension with broad exclusion rule was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Such exclusion practically disabling the Antimalware protection.<br>Attackers might exclude files from the antimalware scan on your virtual machine to prevent detection while running arbitrary code or infecting the machine with malware. | | Medium | | **Antimalware disabled and code execution in your virtual machine**<br>(ARM_AmDisablementAndCodeExecution) | Antimalware disabled at the same time as code execution on your virtual machine. This was detected by analyzing Azure Resource Manager operations in your subscription.<br>Attackers disable antimalware scanners to prevent detection while running unauthorized tools or infecting the machine with malware. | | High |
-| **Antimalware disabled in your virtual machine**<br>(ARM_AmDisablement) | Antimalware disabled in your virtual machine. This was detected by analyzing Azure Resource Manager operations in your subscription.<br>Attackers might disable the antimalware on your virtual machine to prevent detection. | | Medium |
-| **Antimalware file exclusion and code execution in your virtual machine**<br>(ARM_AmFileExclusionAndCodeExecution) | File excluded from your antimalware scanner at the same time as code was executed via a custom script extension on your virtual machine. This was detected by analyzing Azure Resource Manager operations in your subscription.<br>Attackers might exclude files from the antimalware scan on your virtual machine to prevent detection while running unauthorized tools or infecting the machine with malware. | | High |
-| **Antimalware file exclusion and code execution in your virtual machine**<br>(ARM_AmTempFileExclusionAndCodeExecution) | Temporary file exclusion from antimalware extension in parallel to execution of code via custom script extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.<br>Attackers might exclude files from the antimalware scan on your virtual machine to prevent detection while running arbitrary code or infecting the machine with malware. | | High |
-| **Antimalware file exclusion in your virtual machine**<br>(ARM_AmTempFileExclusion) | File excluded from your antimalware scanner on your virtual machine. This was detected by analyzing Azure Resource Manager operations in your subscription.<br>Attackers might exclude files from the antimalware scan on your virtual machine to prevent detection while running unauthorized tools or infecting the machine with malware. | | Medium |
-| **Antimalware real-time protection was disabled in your virtual machine**<br>(ARM_AmRealtimeProtectionDisabled) | Real-time protection disablement of the antimalware extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.<br>Attackers might disable real-time protection from the antimalware scan on your virtual machine to avoid detection while running arbitrary code or infecting the machine with malware. | | Medium |
-| **Antimalware real-time protection was disabled temporarily in your virtual machine**<br>(ARM_AmTempRealtimeProtectionDisablement) | Real-time protection temporary disablement of the antimalware extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.<br>Attackers might disable real-time protection from the antimalware scan on your virtual machine to avoid detection while running arbitrary code or infecting the machine with malware. | | Medium |
+| **Antimalware disabled in your virtual machine**<br>(ARM_AmDisablement) | Antimalware disabled in your virtual machine. This was detected by analyzing Azure Resource Manager operations in your subscription.<br>Attackers might disable the antimalware on your virtual machine to prevent detection. | Defense Evasion | Medium |
+| **Antimalware file exclusion and code execution in your virtual machine**<br>(ARM_AmFileExclusionAndCodeExecution) | File excluded from your antimalware scanner at the same time as code was executed via a custom script extension on your virtual machine. This was detected by analyzing Azure Resource Manager operations in your subscription.<br>Attackers might exclude files from the antimalware scan on your virtual machine to prevent detection while running unauthorized tools or infecting the machine with malware. | Defense Evasion, Execution | High |
+| **Antimalware file exclusion and code execution in your virtual machine**<br>(ARM_AmTempFileExclusionAndCodeExecution) | Temporary file exclusion from antimalware extension in parallel to execution of code via custom script extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.<br>Attackers might exclude files from the antimalware scan on your virtual machine to prevent detection while running arbitrary code or infecting the machine with malware. | Defense Evasion, Execution | High |
+| **Antimalware file exclusion in your virtual machine**<br>(ARM_AmTempFileExclusion) | File excluded from your antimalware scanner on your virtual machine. This was detected by analyzing Azure Resource Manager operations in your subscription.<br>Attackers might exclude files from the antimalware scan on your virtual machine to prevent detection while running unauthorized tools or infecting the machine with malware. | Defense Evasion | Medium |
+| **Antimalware real-time protection was disabled in your virtual machine**<br>(ARM_AmRealtimeProtectionDisabled) | Real-time protection disablement of the antimalware extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.<br>Attackers might disable real-time protection from the antimalware scan on your virtual machine to avoid detection while running arbitrary code or infecting the machine with malware. | Defense Evasion | Medium |
+| **Antimalware real-time protection was disabled temporarily in your virtual machine**<br>(ARM_AmTempRealtimeProtectionDisablement) | Real-time protection temporary disablement of the antimalware extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.<br>Attackers might disable real-time protection from the antimalware scan on your virtual machine to avoid detection while running arbitrary code or infecting the machine with malware. | Defense Evasion | Medium |
| **Antimalware real-time protection was disabled temporarily while code was executed in your virtual machine**<br>(ARM_AmRealtimeProtectionDisablementAndCodeExec) | Real-time protection temporary disablement of the antimalware extension in parallel to code execution via custom script extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.<br>Attackers might disable real-time protection from the antimalware scan on your virtual machine to avoid detection while running arbitrary code or infecting the machine with malware. | | High | | **Antimalware scans blocked for files potentially related to malware campaigns on your virtual machine (Preview)**<br>(ARM_AmMalwareCampaignRelatedExclusion) | An exclusion rule was detected in your virtual machine to prevent your antimalware extension scanning certain files that are suspected of being related to a malware campaign. The rule was detected by analyzing the Azure Resource Manager operations in your subscription. Attackers might exclude files from antimalware scans to prevent detection while running arbitrary code or infecting the machine with malware. | Defense Evasion | Medium | | **Antimalware temporarily disabled in your virtual machine**<br>(ARM_AmTemporarilyDisablement) | Antimalware temporarily disabled in your virtual machine. This was detected by analyzing Azure Resource Manager operations in your subscription.<br>Attackers might disable the antimalware on your virtual machine to prevent detection. | | Medium |
-| **Antimalware unusual file exclusion in your virtual machine**<br>(ARM_UnusualAmFileExclusion) | Unusual file exclusion from antimalware extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.<br>Attackers might exclude files from the antimalware scan on your virtual machine to prevent detection while running arbitrary code or infecting the machine with malware. | | Medium |
-| **Azure Resource Manager operation from suspicious IP address (Preview)**<br>(ARM_OperationFromSuspiciousIP) | Azure Defender for Resource Manager detected an operation from an IP address that has been marked as suspicious in threat intelligence feeds.|Execution|Medium|
-| **Azure Resource Manager operation from suspicious proxy IP address (Preview)**<br>(ARM_OperationFromSuspiciousProxyIP) | Azure Defender for Resource Manager detected a resource management operation from an IP address that is associated with proxy services, such as TOR. While this behavior can be legitimate, it's often seen in malicious activities, when threat actors try to hide their source IP.|Defense Evasion|Medium|
+| **Antimalware unusual file exclusion in your virtual machine**<br>(ARM_UnusualAmFileExclusion) | Unusual file exclusion from antimalware extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.<br>Attackers might exclude files from the antimalware scan on your virtual machine to prevent detection while running arbitrary code or infecting the machine with malware. | Defense Evasion | Medium |
+| **Azure Resource Manager operation from suspicious IP address (Preview)**<br>(ARM_OperationFromSuspiciousIP) | Azure Defender for Resource Manager detected an operation from an IP address that has been marked as suspicious in threat intelligence feeds. | Execution | Medium |
+| **Azure Resource Manager operation from suspicious proxy IP address (Preview)**<br>(ARM_OperationFromSuspiciousProxyIP) | Azure Defender for Resource Manager detected a resource management operation from an IP address that is associated with proxy services, such as TOR. While this behavior can be legitimate, it's often seen in malicious activities, when threat actors try to hide their source IP. | Defense Evasion | Medium |
| **Custom script extension with suspicious command in your virtual machine**<br>(ARM_CustomScriptExtensionSuspiciousCmd) | Custom script extension with suspicious command was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.<br>Attackers may use custom script extension to execute a malicious code on your virtual machine via the Azure Resource Manager. | Execution | Medium | | **Custom script extension with suspicious entry-point in your virtual machine**<br>(ARM_CustomScriptExtensionSuspiciousEntryPoint) | Custom script extension with a suspicious entry-point was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. The entry-point refers to a suspicious GitHub repository.<br>Attackers may use custom script extensions to execute malicious code on your virtual machines via the Azure Resource Manager. | Execution | Medium | | **Custom script extension with suspicious payload in your virtual machine**<br>(ARM_CustomScriptExtensionSuspiciousPayload) | Custom script extension with a payload from a suspicious GitHub repository was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.<br>Attackers may use custom script extensions to execute malicious code on your virtual machines via the Azure Resource Manager. | Execution | Medium | | **MicroBurst exploitation toolkit used to enumerate resources in your subscriptions**<br>(ARM_MicroBurst.AzDomainInfo) | MicroBurst's Information Gathering module was run on your subscription. This tool can be used to discover resources, permissions and network structures. 
This was detected by analyzing the Azure Activity logs and resource management operations in your subscription | | High | | **MicroBurst exploitation toolkit used to enumerate resources in your subscriptions**<br>(ARM_MicroBurst.AzureDomainInfo) | MicroBurst's Information Gathering module was run on your subscription. This tool can be used to discover resources, permissions and network structures. This was detected by analyzing the Azure Activity logs and resource management operations in your subscription | | High |
-| **MicroBurst exploitation toolkit used to execute code on your virtual machine**<br>(ARM_MicroBurst.AzVMBulkCMD) | MicroBurst's exploitation toolkit was used to execute code on your virtual machines. This was detected by analyzing Azure Resource Manager operations in your subscription. | | High |
+| **MicroBurst exploitation toolkit used to execute code on your virtual machine**<br>(ARM_MicroBurst.AzVMBulkCMD) | MicroBurst's exploitation toolkit was used to execute code on your virtual machines. This was detected by analyzing Azure Resource Manager operations in your subscription. | Execution | High |
| **MicroBurst exploitation toolkit used to execute code on your virtual machine**<br>(RM_MicroBurst.AzureRmVMBulkCMD) | MicroBurst's exploitation toolkit was used to execute code on your virtual machines. This was detected by analyzing Azure Resource Manager operations in your subscription. | | High | | **MicroBurst exploitation toolkit used to extract keys from your Azure key vaults**<br>(ARM_MicroBurst.AzKeyVaultKeysREST) | MicroBurst's exploitation toolkit was used to extract keys from your Azure key vaults. This was detected by analyzing Azure Activity logs and resource management operations in your subscription. | | High |
-| **MicroBurst exploitation toolkit used to extract keys to your storage accounts**<br>(ARM_MicroBurst.AZStorageKeysREST) | MicroBurst's exploitation toolkit was used to extract keys to your storage accounts. This was detected by analyzing Azure Activity logs and resource management operations in your subscription. | | High |
+| **MicroBurst exploitation toolkit used to extract keys to your storage accounts**<br>(ARM_MicroBurst.AZStorageKeysREST) | MicroBurst's exploitation toolkit was used to extract keys to your storage accounts. This was detected by analyzing Azure Activity logs and resource management operations in your subscription. | Collection | High |
| **MicroBurst exploitation toolkit used to extract secrets from your Azure key vaults**<br>(ARM_MicroBurst.AzKeyVaultSecretsREST) | MicroBurst's exploitation toolkit was used to extract secrets from your Azure key vaults. This was detected by analyzing Azure Activity logs and resource management operations in your subscription. | | High | | **Permissions granted for an RBAC role in an unusual way for your Azure environment (Preview)**<br>(ARM_AnomalousRBACRoleAssignment) | Azure Defender for Resource Manager detected an RBAC role assignment that's unusual when compared with other assignments performed by the same assigner / performed for the same assignee / in your tenant due to the following anomalies: assignment time, assigner location, assigner, authentication method, assigned entities, client software used, assignment extent. This operation might have been performed by a legitimate user in your organization. Alternatively, it might indicate that an account in your organization was breached, and that the threat actor is trying to grant permissions to an additional user account they own.|Lateral Movement, Defense Evasion|Medium| | **PowerZure exploitation toolkit used to elevate access from Azure AD to Azure**<br>(ARM_PowerZure.AzureElevatedPrivileges) | PowerZure exploitation toolkit was used to elevate access from AzureAD to Azure. This was detected by analyzing Azure Resource Manager operations in your tenant. | | High |
-| **PowerZure exploitation toolkit used to enumerate resources**<br>(ARM_PowerZure.GetAzureTargets) | PowerZure exploitation toolkit was used to enumerate resources on behalf of a legitimate user account in your organization. This was detected by analyzing Azure Resource Manager operations in your subscription. | | High |
+| **PowerZure exploitation toolkit used to enumerate resources**<br>(ARM_PowerZure.GetAzureTargets) | PowerZure exploitation toolkit was used to enumerate resources on behalf of a legitimate user account in your organization. This was detected by analyzing Azure Resource Manager operations in your subscription. | Collection | High |
| **PowerZure exploitation toolkit used to enumerate storage containers, shares, and tables**<br>(ARM_PowerZure.ShowStorageContent) | PowerZure exploitation toolkit was used to enumerate storage shares, tables, and containers. This was detected by analyzing Azure Resource Manager operations in your subscription. | | High | | **PowerZure exploitation toolkit used to execute a Runbook in your subscription**<br>(ARM_PowerZure.StartRunbook) | PowerZure exploitation toolkit was used to execute a Runbook. This was detected by analyzing Azure Resource Manager operations in your subscription. | | High |
-| **PowerZure exploitation toolkit used to extract Runbooks content**<br>(ARM_PowerZure.AzureRunbookContent) | PowerZure exploitation toolkit was used to extract Runbook content. This was detected by analyzing Azure Resource Manager operations in your subscription. | | High |
-| **PREVIEW - Activity from a risky IP address**<br>(ARM.MCAS_ActivityFromAnonymousIPAddresses) | Users activity from an IP address that has been identified as an anonymous proxy IP address has been detected.<br>These proxies are used by people who want to hide their device's IP address, and can be used for malicious intent. This detection uses a machine learning algorithm that reduces false positives, such as mis-tagged IP addresses that are widely used by users in the organization.<br>Requires an active Microsoft Cloud App Security license. | - | Medium |
-| **PREVIEW - Activity from infrequent country**<br>(ARM.MCAS_ActivityFromInfrequentCountry) | Activity from a location that wasn't recently or ever visited by any user in the organization has occurred.<br>This detection considers past activity locations to determine new and infrequent locations. The anomaly detection engine stores information about previous locations used by users in the organization.<br>Requires an active Microsoft Cloud App Security license. | - | Medium |
-| **PREVIEW - Azurite toolkit run detected**<br>(ARM_Azurite) | A known cloud-environment reconnaissance toolkit run has been detected in your environment. The tool [Azurite](https://github.com/mwrlabs/Azurite) can be used by an attacker (or penetration tester) to map your subscriptions' resources and identify insecure configurations. | - | High |
-| **PREVIEW - Impossible travel activity**<br>(ARM.MCAS_ImpossibleTravelActivity) | Two user activities (in a single or multiple sessions) have occurred, originating from geographically distant locations. This occurs within a time period shorter than the time it would have taken the user to travel from the first location to the second. This indicates that a different user is using the same credentials.<br>This detection uses a machine learning algorithm that ignores obvious false positives contributing to the impossible travel conditions, such as VPNs and locations regularly used by other users in the organization. The detection has an initial learning period of seven days, during which it learns a new user's activity pattern.<br>Requires an active Microsoft Cloud App Security license. | - | Medium |
-| **PREVIEW - Suspicious management session using an inactive account detected**<br>(ARM_UnusedAccountPersistence) | Subscription activity logs analysis has detected suspicious behavior. A principal not in use for a long period of time is now performing actions that can secure persistence for an attacker. | Persistence | Medium |
-| **PREVIEW - Suspicious management session using PowerShell detected**<br>(ARM_UnusedAppPowershellPersistence) | Subscription activity logs analysis has detected suspicious behavior. A principal that doesn't regularly use PowerShell to manage the subscription environment is now using PowerShell, and performing actions that can secure persistence for an attacker. | Persistence | Medium |
-| **PREVIEW ΓÇô Suspicious management session using Azure portal detected**<br>(ARM_UnusedAppIbizaPersistence) | Analysis of your subscription activity logs has detected a suspicious behavior. A principal that doesn't regularly use the Azure portal (Ibiza) to manage the subscription environment (hasn't used Azure portal to manage for the last 45 days, or a subscription that it is actively managing), is now using the Azure portal and performing actions that can secure persistence for an attacker. | - | Medium |
-| **Privileged custom role created for your subscription in a suspicious way (Preview)**<br>(ARM_PrivilegedRoleDefinitionCreation) | Azure Defender for Resource Manager detected a suspicious creation of privileged custom role definition in your subscription. This operation might have been performed by a legitimate user in your organization. Alternatively, it might indicate that an account in your organization was breached, and that the threat actor is trying to create a privileged role to use in the future to evade detection.|Lateral Movement, Defense Evasion|Low|
+| **PowerZure exploitation toolkit used to extract Runbooks content**<br>(ARM_PowerZure.AzureRunbookContent) | PowerZure exploitation toolkit was used to extract Runbook content. This was detected by analyzing Azure Resource Manager operations in your subscription. | Collection | High |
+| **PREVIEW - Activity from a risky IP address**<br>(ARM.MCAS_ActivityFromAnonymousIPAddresses) | Users activity from an IP address that has been identified as an anonymous proxy IP address has been detected.<br>These proxies are used by people who want to hide their device's IP address, and can be used for malicious intent. This detection uses a machine learning algorithm that reduces false positives, such as mis-tagged IP addresses that are widely used by users in the organization.<br>Requires an active Microsoft Cloud App Security license. | - | Medium |
+| **PREVIEW - Activity from infrequent country**<br>(ARM.MCAS_ActivityFromInfrequentCountry) | Activity from a location that wasn't recently or ever visited by any user in the organization has occurred.<br>This detection considers past activity locations to determine new and infrequent locations. The anomaly detection engine stores information about previous locations used by users in the organization.<br>Requires an active Microsoft Cloud App Security license. | - | Medium |
+| **PREVIEW - Azurite toolkit run detected**<br>(ARM_Azurite) | A known cloud-environment reconnaissance toolkit run has been detected in your environment. The tool [Azurite](https://github.com/mwrlabs/Azurite) can be used by an attacker (or penetration tester) to map your subscriptions' resources and identify insecure configurations. | Collection | High |
+| **PREVIEW - Impossible travel activity**<br>(ARM.MCAS_ImpossibleTravelActivity) | Two user activities (in a single or multiple sessions) have occurred, originating from geographically distant locations. This occurs within a time period shorter than the time it would have taken the user to travel from the first location to the second. This indicates that a different user is using the same credentials.<br>This detection uses a machine learning algorithm that ignores obvious false positives contributing to the impossible travel conditions, such as VPNs and locations regularly used by other users in the organization. The detection has an initial learning period of seven days, during which it learns a new user's activity pattern.<br>Requires an active Microsoft Cloud App Security license. | - | Medium |
+| **PREVIEW - Suspicious management session using an inactive account detected**<br>(ARM_UnusedAccountPersistence) | Subscription activity logs analysis has detected suspicious behavior. A principal not in use for a long period of time is now performing actions that can secure persistence for an attacker. | Persistence | Medium |
+| **PREVIEW - Suspicious management session using PowerShell detected**<br>(ARM_UnusedAppPowershellPersistence) | Subscription activity logs analysis has detected suspicious behavior. A principal that doesn't regularly use PowerShell to manage the subscription environment is now using PowerShell, and performing actions that can secure persistence for an attacker. | Persistence | Medium |
+| **PREVIEW ΓÇô Suspicious management session using Azure portal detected**<br>(ARM_UnusedAppIbizaPersistence) | Analysis of your subscription activity logs has detected a suspicious behavior. A principal that doesn't regularly use the Azure portal (Ibiza) to manage the subscription environment (hasn't used Azure portal to manage for the last 45 days, or a subscription that it is actively managing), is now using the Azure portal and performing actions that can secure persistence for an attacker. | Persistence | Medium |
+| **Privileged custom role created for your subscription in a suspicious way (Preview)**<br>(ARM_PrivilegedRoleDefinitionCreation) | Azure Defender for Resource Manager detected a suspicious creation of privileged custom role definition in your subscription. This operation might have been performed by a legitimate user in your organization. Alternatively, it might indicate that an account in your organization was breached, and that the threat actor is trying to create a privileged role to use in the future to evade detection. | Privilege Escalation, Defense Evasion | Low|
| **Suspicious failed execution of custom script extension in your virtual machine**<br>(ARM_CustomScriptExtensionSuspiciousFailure) | Suspicious failure of a custom script extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.<br>Such failures may be associated with malicious scripts run by this extension. | Execution | Medium | | **Unusual config reset in your virtual machine**<br>(ARM_VMAccessUnusualConfigReset) | An unusual config reset was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.<br>While this action may be legitimate, attackers can try utilizing VM Access extension to reset the configuration in your virtual machine and compromise it. | Credential Access | Medium | | **Unusual deletion of custom script extension in your virtual machine**<br>(ARM_CustomScriptExtensionUnusualDeletion) | Unusual deletion of a custom script extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.<br>Attackers may use custom script extensions to execute malicious code on your virtual machines via the Azure Resource Manager. | Execution | Medium | | **Unusual execution of custom script extension in your virtual machine**<br>(ARM_CustomScriptExtensionUnusualExecution) | Unusual execution of a custom script extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.<br>Attackers may use custom script extensions to execute malicious code on your virtual machines via the Azure Resource Manager. 
| Execution | Medium | | **Unusual user password reset in your virtual machine**<br>(ARM_VMAccessUnusualPasswordReset) | An unusual user password reset was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.<br>While this action may be legitimate, attackers can try utilizing the VM Access extension to reset the credentials of a local user in your virtual machine and compromise it. | Credential Access | Medium | | **Unusual user SSH key reset in your virtual machine**<br>(ARM_VMAccessUnusualSSHReset) | An unusual user SSH key reset was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.<br>While this action may be legitimate, attackers can try utilizing VM Access extension to reset SSH key of a user account in your virtual machine and compromise it. | Credential Access | Medium |
-| **Usage of MicroBurst exploitation toolkit to run an arbitrary code or exfiltrate Azure Automation account credentials**<br>(ARM_MicroBurst.RunCodeOnBehalf) | Usage of MicroBurst exploitation toolkit to run an arbitrary code or exfiltrate Azure Automation account credentials. This was detected by analyzing Azure Resource Manager operations in your subscription. | | High |
+| **Usage of MicroBurst exploitation toolkit to run an arbitrary code or exfiltrate Azure Automation account credentials**<br>(ARM_MicroBurst.RunCodeOnBehalf) | Usage of MicroBurst exploitation toolkit to run an arbitrary code or exfiltrate Azure Automation account credentials. This was detected by analyzing Azure Resource Manager operations in your subscription. | Persistence, Credential Access | High |
| **Usage of NetSPI techniques to maintain persistence in your Azure environment**<br>(ARM_NetSPI.MaintainPersistence) | Usage of NetSPI persistence technique to create a webhook backdoor and maintain persistence in your Azure environment. This was detected by analyzing Azure Resource Manager operations in your subscription. | | High | | **Usage of PowerZure exploitation toolkit to run an arbitrary code or exfiltrate Azure Automation account credentials**<br>(ARM_PowerZure.RunCodeOnBehalf) | PowerZure exploitation toolkit detected attempting to run code or exfiltrate Azure Automation account credentials. This was detected by analyzing Azure Resource Manager operations in your subscription. | | High | | **Usage of PowerZure function to maintain persistence in your Azure environment**<br>(ARM_PowerZure.MaintainPersistence) | PowerZure exploitation toolkit detected creating a webhook backdoor to maintain persistence in your Azure environment. This was detected by analyzing Azure Resource Manager operations in your subscription. | | High |
-| | | | |
+| | | | |
## <a name="alerts-dns"></a>Alerts for DNS
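Review bot: The MITRE tactics column is filled in for only some of the toolkit rows, so alerts that describe the same behaviour now disagree. `ARM_MicroBurst.AzVMBulkCMD` gets Execution while `RM_MicroBurst.AzureRmVMBulkCMD`, with an identical description, stays blank, and `ARM_MicroBurst.RunCodeOnBehalf` gets Persistence, Credential Access while `ARM_PowerZure.RunCodeOnBehalf` stays blank. Anyone filtering or routing alerts by tactic will miss the untagged rows, so tag the remaining MicroBurst, PowerZure and NetSPI rows in this change or say why they are left empty. Two mappings are also worth a second look: `ARM_PrivilegedRoleDefinitionCreation` moves to Privilege Escalation, Defense Evasion while the neighbouring `ARM_AnomalousRBACRoleAssignment` row keeps Lateral Movement, Defense Evasion, and the enumeration and reconnaissance rows (`ARM_PowerZure.GetAzureTargets`, `ARM_Azurite`) are tagged Collection where Discovery may be what is meant.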
Azure Defender alerts for container hosts aren't limited to the alerts below. Ma
[Further details and notes](security-center-alerts-overview.md#cloud-smart-alert-correlation-in-azure-security-center-incidents)
-| Alert | Description | MITRE tactics<br>([Learn more](#intentions)) | Severity |
-|--|-|:-:|-|
-|**Security incident with shared process detected**|The incident which started on {Start Time (UTC)} and recently detected on {Detected Time (UTC)} indicates that an attacker has {Action taken} your resource {Host}|-|High|
-|**Security incident detected on multiple resources**|The incident which started on {Start Time (UTC)} and recently detected on {Detected Time (UTC)} indicates that similar attack methods were performed on your cloud resources {Host}|-|Medium|
-|**Security incident detected from same source**|The incident which started on {Start Time (UTC)} and recently detected on {Detected Time (UTC)} indicates that an attacker has {Action taken} your resource {Host}|-|High|
-|**Security incident detected on multiple machines**|The incident which started on {Start Time (UTC)} and recently detected on {Detected Time (UTC)} indicates that an attacker has {Action taken} your resources {Host}|-|Medium|
-| | | | |
+| Alert | Description | MITRE tactics<br>([Learn more](#intentions)) | Severity |
+||-|:--:|-|
+| **Security incident with shared process detected** | The incident which started on {Start Time (UTC)} and recently detected on {Detected Time (UTC)} indicates that an attacker has {Action taken} your resource {Host} | - | High |
+| **Security incident detected on multiple resources** | The incident which started on {Start Time (UTC)} and recently detected on {Detected Time (UTC)} indicates that similar attack methods were performed on your cloud resources {Host} | - | Medium |
+| **Security incident detected from same source** | The incident which started on {Start Time (UTC)} and recently detected on {Detected Time (UTC)} indicates that an attacker has {Action taken} your resource {Host} | - | High |
+| **Security incident detected on multiple machines** | The incident which started on {Start Time (UTC)} and recently detected on {Detected Time (UTC)} indicates that an attacker has {Action taken} your resources {Host} | - | Medium |
+| | | | |
## MITRE ATT&CK tactics <a name="intentions"></a>
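Review bot: The new delimiter row `+||-|:--:|-|` has no dashes in its first cell as shown here, where the removed row had `|--|`. A delimiter cell without a dash stops the block from rendering as a table in most Markdown renderers, so confirm the source file still has them. The rest of the hunk is cell padding only and changes no content.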
sentinel Whats New https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/sentinel/whats-new.md
Previously updated : 06/30/2021 Last updated : 07/11/2021 # What's new in Azure Sentinel
If you're looking for items older than six months, you'll find them in the [Arch
> You can also contribute! Join us in the [Azure Sentinel Threat Hunters GitHub community](https://github.com/Azure/Azure-Sentinel/wiki). >
+## July 2021
+
+- [Support for data residency in more geos](#support-for-data-residency-in-more-geos)
+- [Bidirectional sync in Azure Defender connector](#bidirectional-sync-in-azure-defender-connector)
+
+### Support for data residency in more geos
+
+Azure Sentinel now supports full data residency in the following additional geos:
+
+Brazil, Norway, South Africa, Korea, Germany, United Arab Emirates (UAE), and Switzerland.
+
+See the [complete list of supported geos](quickstart-onboard.md#geographical-availability-and-data-residency) for data residency.
+
+### Bidirectional sync in Azure Defender connector
+
+The Azure Defender connector now supports bi-directional syncing of alerts' status between Defender and Azure Sentinel. When you close a Sentinel incident containing a Defender alert, the alert will automatically be closed in the Defender portal as well.
+
+See this [complete description of the updated Azure Defender connector](connect-azure-security-center.md).
+ ## June 2021 - [Upgrades for normalization and the Azure Sentinel Information Model](#upgrades-for-normalization-and-the-azure-sentinel-information-model) - [Updated service-to-service connectors](#updated-service-to-service-connectors) - [Export and import analytics rules (Public preview)](#export-and-import-analytics-rules-public-preview) - [Alert enrichment: alert details (Public preview)](#alert-enrichment-alert-details-public-preview)- - [More help for playbooks!](#more-help-for-playbooks) - [New documentation reorganization](#new-documentation-reorganization)
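Review bot: The "Bidirectional sync in Azure Defender connector" entry describes only one direction: closing a Sentinel incident closes the Defender alert. State what happens the other way (whether closing or reopening an alert in Defender updates the Sentinel incident) and whether the sync is enabled by default, because an analyst closing an incident in Sentinel will otherwise close alerts that another team tracks in Defender without expecting it. The heading spells the term "Bidirectional" and the body "bi-directional"; pick one.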
Playbook documentation also explicitly addresses the multi-tenant MSSP scenario.
### New documentation reorganization
-This month we've reorganization our [Azure Sentinel documentation](index.yml), restructuring into intuitive categories that follow common customer journeys. Use the filtered docs search and updated landing page to navigate through Azure Sentinel docs.
+This month we've reorganized our [Azure Sentinel documentation](index.yml), restructuring into intuitive categories that follow common customer journeys. Use the filtered docs search and updated landing page to navigate through Azure Sentinel docs.
:::image type="content" source="media/whats-new/new-docs.png" alt-text="New Azure Sentinel documentation reorganization." lightbox="media/whats-new/new-docs.png":::
storage Nfs Comparison https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/storage/common/nfs-comparison.md
For more general comparisons, see the [this article](storage-introduction.md) to
||||| |Use cases |Blob Storage is best suited for large scale read-heavy sequential access workloads where data is ingested once and minimally modified further.<br></br>Blob Storage offers the lowest total cost of ownership, if there is little or no maintenance.<br></br>Some example scenarios are: Large scale analytical data, throughput sensitive high-performance computing, backup and archive, autonomous driving, media rendering, or genomic sequencing. |Azure Files is a highly available service best suited for random access workloads.<br></br>For NFS shares, Azure Files provides full POSIX file system support and can easily be used from container platforms like Azure Container Instance (ACI) and Azure Kubernetes Service (AKS) with the built-in CSI driver, in addition to VM-based platforms.<br></br>Some example scenarios are: Shared files, databases, home directories, traditional applications, ERP, CMS, NAS migrations that don't require advanced management, and custom applications requiring scale-out file storage. |Fully managed file service in the cloud, powered by NetApp, with advanced management capabilities.<br></br>NetApp Files is suited for workloads that require random access and provides broad protocol support and data protection capabilities.<br></br>Some example scenarios are: On-premises enterprise NAS migration that requires rich management capabilities, latency sensitive workloads like SAP HANA, latency-sensitive or IOPS intensive high performance compute, or workloads that require simultaneous multi-protocol access. | |Available protocols |NFS 3.0<br></br>REST<br></br>Data Lake Storage Gen2 |SMB<br><br>NFS 4.1 (preview)<br></br> (No interoperability between either protocol) |NFS 3.0 and 4.1<br></br>SMB |
-|Key features | Integrated with HPC cache for low latency workloads. <br> </br> Integrated management, including lifecycle, immutable blobs, data failover, and metadata index. | Zonally redundant for high availability. <br></br> Consistent single-digit millisecond latency. <br></br>Predictable performance and cost that scales with capacity. |Extremely low latency (as low as sub-ms).<br></br>Rich NetApp ONTAP management capability (FlexClones*, SnapMirror*) in cloud.<br></br>Consistent hybrid cloud experience. |
+|Key features | Integrated with HPC cache for low latency workloads. <br> </br> Integrated management, including lifecycle, immutable blobs, data failover, and metadata index. | Zonally redundant for high availability. <br></br> Consistent single-digit millisecond latency. <br></br>Predictable performance and cost that scales with capacity. |Extremely low latency (as low as sub-ms).<br></br>Rich NetApp ONTAP management capability such as SnapMirror in cloud.<br></br>Consistent hybrid cloud experience. |
|Performance (Per volume) |Up to 20,000 IOPS, up to 100 GiB/s throughput. |Up to 100,000 IOPS, up to 80 Gib/s throughput. |Up to 460,000 IOPS, up to 36 Gib/s throughput. | |Scale | Up to 2 PiB for a single volume. <br></br> Up to ~4.75 TiB max for a single file.<br></br>No minimum capacity requirements. |Up to 100 TiB for a single file share.<br></br>Up to 4 TiB for a single file.<br></br>100 GiB min capacity. |Up to 100 TiB for a single volume.<br></br>Up to 16 TiB for a single file.<br></br>Consistent hybrid cloud experience. | |Pricing |[Azure Blob Storage pricing](https://azure.microsoft.com/pricing/details/storage/blobs/) |[Azure Files pricing](https://azure.microsoft.com/pricing/details/storage/files/) |[Azure NetApp Files pricing](https://azure.microsoft.com/pricing/details/netapp/) |
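Review bot: In the added Key features row, "Rich NetApp ONTAP management capability such as SnapMirror in cloud" reads awkwardly now that FlexClones is gone; "capabilities, such as SnapMirror, in the cloud" would match the plural used in the Use cases row. While here, the unchanged Scale row ends the NetApp column with "Consistent hybrid cloud experience.", which repeats the Key features cell and is not a scale figure, and the Performance row mixes "GiB/s" and "Gib/s".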
For more general comparisons, see the [this article](storage-introduction.md) to
- To access Blob storage with NFS, see [Network File System (NFS) 3.0 protocol support in Azure Blob Storage (preview)](../blobs/network-file-system-protocol-support.md). - To access Azure Files with NFS, see [NFS file shares in Azure Files](../files/files-nfs-protocol.md).-- To access Azure NetApp Files with NFS, see [Quickstart: Set up Azure NetApp Files and create an NFS volume](../../azure-netapp-files/azure-netapp-files-quickstart-set-up-account-create-volumes.md).
+- To access Azure NetApp Files with NFS, see [Quickstart: Set up Azure NetApp Files and create an NFS volume](../../azure-netapp-files/azure-netapp-files-quickstart-set-up-account-create-volumes.md).
virtual-machines Expand Os Disk https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/virtual-machines/windows/expand-os-disk.md
When you create a new virtual machine (VM) in a resource group by deploying an i
5. In **Size + performance**, select the disk size you want. > [!WARNING]
- > The new size should be greater than the existing disk size. The maximum allowed is 2,048 GB for OS disks. (It's possible to expand the VHD blob beyond that size, but the OS works only with the first 2,048 GB of space.)
+ > The new size should be greater than the existing disk size. The maximum allowed is 4,095 GB for OS disks. (It's possible to expand the VHD blob beyond that size, but the OS works only with the first 4,095 GB of space.)
> :::image type="content" source="./media/expand-os-disk/size.png" alt-text="Screenshot that shows the Size and performance pane with the disk size selected.":::
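Review bot: The parenthetical in the updated warning was changed by swapping the number only, so it now says the OS works with just the first 4,095 GB. The old 2,048 GB figure matches the 2 TiB ceiling of an MBR partition table, so confirm the sentence still holds for MBR-partitioned OS disks, or add that space beyond 2 TiB needs a GPT disk.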
Open your PowerShell ISE or PowerShell window in administrative mode and follow
Update-AzDisk -ResourceGroupName $rgName -Disk $disk -DiskName $disk.Name ``` > [!WARNING]
- > The new size should be greater than the existing disk size. The maximum allowed is 2,048 GB for OS disks. (It is possible to expand the VHD blob beyond that size, but the OS works only with the first 2,048 GB of space.)
+ > The new size should be greater than the existing disk size. The maximum allowed is 4,095 GB for OS disks. (It is possible to expand the VHD blob beyond that size, but the OS works only with the first 4,095 GB of space.)
> 6. Updating the VM might take a few seconds. When the command finishes executing, restart the VM:
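Review bot: This PowerShell copy of the warning says "It is possible" where the portal copy says "It's possible"; the two are otherwise identical and have to be edited in lockstep, as this change shows. Align the wording, or move the warning into a shared include so the size limit lives in one place.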
virtual-machines Cal S4h https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/virtual-machines/workloads/sap/cal-s4h.md
You will need to authenticate with your S-User or P-User. You can create a P-Use
| -- | : | | **SAP S/4HANA 2020 FPS01, Fully-Activated Appliance** Apr 21, 2021 | [Create Instance](https://cal.sap.com/registration?sguid=a0b63a18-0fd3-4d88-bbb9-4f02c13dc343&provider=208b780d-282b-40ca-9590-5dd5ad1e52e8) | |This appliance contains SAP S/4HANA 2020 (FPS01) with pre-activated SAP Best Practices for SAP S/4HANA core functions, and further scenarios for Service, Master Data Governance (MDG), Transportation Mgmt. (TM), Portfolio Mgmt. (PPM), Human Capital Management (HCM), Analytics, Migration Cockpit, and more. User access happens via SAP Fiori, SAP GUI, SAP HANA Studio, Windows remote desktop, or the backend operating system for full administrative access. | [Details](https://cal.sap.com/catalog?provider=208b780d-282b-40ca-9590-5dd5ad1e52e8#/solutions/a0b63a18-0fd3-4d88-bbb9-4f02c13dc343) |
-| **SAP S/4HANA 2020, Fully-Activated Appliance** Dec 14, 2020 | [Create Instance](https://cal.sap.com/registration?sguid=7a3ebd3e-d005-4c70-ae35-40a167aed981&provider=208b780d-282b-40ca-9590-5dd5ad1e52e8) |
-| This appliance contains SAP S/4HANA 2020 (SP00) with pre-activated SAP Best Practices for SAP S/4HANA core functions, and further scenarios for Service Management, Master Data Governance (MDG), Transportation Mgmt. (TM), Portfolio Mgmt. (PPM), Human Capital Management (HCM), Analytics, and more. User access happens via SAP Fiori, SAP GUI, SAP HANA Studio, Windows Remote desktop, or the backend operating system for full administrative access. | [Details](https://cal.sap.com/catalog?provider=208b780d-282b-40ca-9590-5dd5ad1e52e8#/solutions/7a3ebd3e-d005-4c70-ae35-40a167aed981) |
+| **SAP S/4HANA 2020 FPS02** Jun 10, 2021 | [Create Instance](https://cal.sap.com/registration?sguid=c7cff775-cbf7-4cd1-a907-6eeca95a0946&provider=208b780d-282b-40ca-9590-5dd5ad1e52e8) |
+| This solution comes as a standard S/4HANA system installation including a remote desktop for easy frontend access. It contains a pre-configured and activated SAP S/4HANA Fiori UI in client 100, with prerequisite components activated as per SAP note 3045635 Rapid Activation for SAP Fiori in SAP S/4HANA 2020 FPS02. See More Information Link. | [Details](https://cal.sap.com/catalog?provider=208b780d-282b-40ca-9590-5dd5ad1e52e8#/solutions/c7cff775-cbf7-4cd1-a907-6eeca95a0946) |
| **SAP Business One 10.0 PL02, version for SAP HANA** Aug 4, 2020 | [Create Instance](https://cal.sap.com/registration?sguid=371edc8c-56c6-4d21-acb4-2d734722c712&provider=208b780d-282b-40ca-9590-5dd5ad1e52e8) | |Trusted by over 70,000 small and midsize businesses in 170+ countries, SAP Business One is a flexible, affordable, and scalable ERP solution with the power of SAP HANA. The solution is pre-configured using a 31-day trial license and has a demo database of your choice pre-installed. See the getting started guide to learn about the scope of the solution and how to easily add new demo databases.| [Details](https://cal.sap.com/catalog?provider=208b780d-282b-40ca-9590-5dd5ad1e52e8#/solutions/371edc8c-56c6-4d21-acb4-2d734722c712) | | **SAP Financial Services Data Platform 1.13** Jun 6, 2021 | [Create Instance](https://cal.sap.com/registration?sguid=5e351903-8fbe-40ce-b7ae-8ec53cb1ddb8&provider=208b780d-282b-40ca-9590-5dd5ad1e52e8) |
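Review bot: The new FPS02 description ends with "See More Information Link.", which points at nothing in this row and reads as text copied from the catalogue entry. Drop the sentence, or link SAP note 3045635 directly so the reference resolves from this page.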
You will need to authenticate with your S-User or P-User. You can create a P-Use
## Setup and get started with SAP Cloud Appliance Library > [!NOTE]
-For more information about the SAP CAL, go to the [SAP Cloud Appliance Library](https://cal.sap.com/catalog?provider=208b780d-282b-40ca-9590-5dd5ad1e52e8) website. SAP also has a blog about the [SAP Cloud Appliance Library 3.0](http://scn.sap.com/community/cloud-appliance-library/blog/2016/05/27/sap-cloud-appliance-library-30-came-with-a-new-user-experience).
+> For more information about the SAP CAL, go to the [SAP Cloud Appliance Library](https://cal.sap.com/catalog?provider=208b780d-282b-40ca-9590-5dd5ad1e52e8) website. SAP also has a blog about the [SAP Cloud Appliance Library 3.0](http://scn.sap.com/community/cloud-appliance-library/blog/2016/05/27/sap-cloud-appliance-library-30-came-with-a-new-user-experience).
> [!NOTE]
-As of May 29, 2017, you can use the Azure Resource Manager deployment model in addition to the less-preferred classic deployment model to deploy the SAP CAL. We recommend that you use the new Resource Manager deployment model and disregard the classic deployment model.
+> As of May 29, 2017, you can use the Azure Resource Manager deployment model in addition to the less-preferred classic deployment model to deploy the SAP CAL. We recommend that you use the new Resource Manager deployment model and disregard the classic deployment model.
## Create an account in the SAP CAL 1. To sign in to the SAP CAL for the first time, use your SAP S-User or other user registered with SAP. Then define an SAP CAL account that is used by the SAP CAL to deploy appliances on Azure. In the account definition, you need to:
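Review bot: The re-quoted first note still links the SAP Cloud Appliance Library 3.0 blog over plain http (http://scn.sap.com/...), while the catalog link on the same line uses https. Since this line is being touched anyway, switch the blog link to https if the host serves it. The second note's "As of May 29, 2017" framing is carried over unchanged and could be shortened to the recommendation to use the Resource Manager deployment model.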
As of May 29, 2017, you can use the Azure Resource Manager deployment model in a
c. Give the SAP CAL permission to deploy into your Azure subscription. > [!NOTE]
- The next steps show how to create an SAP CAL account for Resource Manager deployments. If you already have an SAP CAL account that is linked to the classic deployment model, you *need* to follow these steps to create a new SAP CAL account. The new SAP CAL account needs to deploy in the Resource Manager model.
+ > The next steps show how to create an SAP CAL account for Resource Manager deployments. If you already have an SAP CAL account that is linked to the classic deployment model, you *need* to follow these steps to create a new SAP CAL account. The new SAP CAL account needs to deploy in the Resource Manager model.
2. Create a new SAP CAL account. The **Accounts** page shows three choices for Azure:
You successfully created an SAP CAL account that is able to:
Now you can start to deploy S/4HANA into your user subscription in Azure. > [!NOTE]
-Before you continue, determine whether you have required Azure core quotas. Some solutions in SAP CAL uses M-Series VMs of Azure to deploy some of the SAP HANA-based solutions. Your Azure subscription might not have any M-Series core quotas. If so, you might need to contact Azure support to get a required quota.
+> Before you continue, determine whether you have required Azure core quotas. Some solutions in SAP CAL uses M-Series VMs of Azure to deploy some of the SAP HANA-based solutions. Your Azure subscription might not have any M-Series core quotas. If so, you might need to contact Azure support to get a required quota.
> [!NOTE]
-When you deploy a solution on Azure in the SAP CAL, you might find that you can choose only one Azure region. To deploy into Azure regions other than the one suggested by the SAP CAL, you need to purchase a CAL subscription from SAP. You also might need to open a message with SAP to have your CAL account enabled to deliver into Azure regions other than the ones initially suggested.
+> When you deploy a solution on Azure in the SAP CAL, you might find that you can choose only one Azure region. To deploy into Azure regions other than the one suggested by the SAP CAL, you need to purchase a CAL subscription from SAP. You also might need to open a message with SAP to have your CAL account enabled to deliver into Azure regions other than the ones initially suggested.
## Deploy a solution
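Review bot: The first re-quoted note in this hunk keeps the agreement error "Some solutions in SAP CAL uses M-Series VMs of Azure to deploy some of the SAP HANA-based solutions". Since the line is rewritten anyway, fix it, for example "Some SAP CAL solutions use Azure M-Series VMs to deploy SAP HANA-based solutions". In the same note, "have required Azure core quotas" and "get a required quota" read better as "have the required Azure core quotas" and "get the required quota".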