Updates from: 07/19/2024 01:12:12
Service Microsoft Docs article Related commit history on GitHub Change details
ai-services Quickstart Custom Categories https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/content-safety/quickstart-custom-categories.md
curl -X PUT "<your_endpoint>/contentsafety/text/categories/survival-advice?api-v
-H "Ocp-Apim-Subscription-Key: <your_api_key>" \ -H "Content-Type: application/json" \ -d "{
- \"categoryName\": \"survival-advice\",
- \"definition\": \"text prompts about survival advice in camping/wilderness situations\",
- \"sampleBlobUrl\": \"https://<your-azure-storage-url>/example-container/survival-advice.jsonl\"
+ \"categoryName\": \"survival-advice\",
+ \"definition\": \"text prompts about survival advice in camping/wilderness situations\",
+ \"sampleBlobUrl\": \"https://<your-azure-storage-url>/example-container/survival-advice.jsonl\"
}" ```
curl -X POST "<your_endpoint>/contentsafety/text:analyzeCustomCategory?api-versi
-H "Ocp-Apim-Subscription-Key: <your_api_key>" \ -H "Content-Type: application/json" \ -d "{
- \"text\": \"<Example text to analyze>\",
- \"categoryName\": \"survival-advice\",
- \"version\": 1
+ \"text\": \"<Example text to analyze>\",
+ \"categoryName\": \"survival-advice\",
+ \"version\": 1
}" ```
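Review bot: the `-`/`+` pairs in both request bodies differ only in leading whitespace, so this is an indentation-only change with no semantic effect. Two things to check while here: the command lines are cut off at `?api-v` and `?api-versi` in this view, so confirm the source file carries the complete `api-version` query parameter that the request requires; and the `\"version\": 1` value in the analyze call refers to the category version created by the preceding PUT, which is worth saying in the surrounding text if it is not already.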
ai-services Quickstart Groundedness https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/content-safety/quickstart-groundedness.md
This section walks through a sample request with cURL. Paste the command below i
"domain": "Generic", "task": "QnA", "qna": {
- "query": "How much does she currently get paid per hour at the bank?"
+ "query": "How much does she currently get paid per hour at the bank?"
}, "text": "12/hour", "groundingSources": [
To test a summarization task instead of a question answering (QnA) task, use the
```json {
- "domain": "Medical",
- "task": "Summarization",
- "text": "Ms Johnson has been in the hospital after experiencing a stroke.",
- "groundingSources": ["Our patient, Ms. Johnson, presented with persistent fatigue, unexplained weight loss, and frequent night sweats. After a series of tests, she was diagnosed with HodgkinΓÇÖs lymphoma, a type of cancer that affects the lymphatic system. The diagnosis was confirmed through a lymph node biopsy revealing the presence of Reed-Sternberg cells, a characteristic of this disease. She was further staged using PET-CT scans. Her treatment plan includes chemotherapy and possibly radiation therapy, depending on her response to treatment. The medical team remains optimistic about her prognosis given the high cure rate of HodgkinΓÇÖs lymphoma."],
- "reasoning": false
+ "domain": "Medical",
+ "task": "Summarization",
+ "text": "Ms Johnson has been in the hospital after experiencing a stroke.",
+ "groundingSources": [
+ "Our patient, Ms. Johnson, presented with persistent fatigue, unexplained weight loss, and frequent night sweats. After a series of tests, she was diagnosed with HodgkinΓÇÖs lymphoma, a type of cancer that affects the lymphatic system. The diagnosis was confirmed through a lymph node biopsy revealing the presence of Reed-Sternberg cells, a characteristic of this disease. She was further staged using PET-CT scans. Her treatment plan includes chemotherapy and possibly radiation therapy, depending on her response to treatment. The medical team remains optimistic about her prognosis given the high cure rate of HodgkinΓÇÖs lymphoma."
+ ],
+ "reasoning": false
} ```
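Review bot: splitting `groundingSources` onto its own lines is fine, but the apostrophe in "Hodgkin's lymphoma" appears as `ΓÇÖ` in both the old and the new line, i.e. a curly quote that has been mis-encoded somewhere in the pipeline; use a plain ASCII apostrophe in sample JSON so the payload copies and pastes cleanly regardless of editor encoding. The `"text"` (a stroke) is clearly unsupported by the source (a lymphoma diagnosis), which appears to be the point of the example; one sentence saying so would help readers interpret the response.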
After you submit your request, you'll receive a JSON response reflecting the Gro
```json {
- "ungroundedDetected": true,
- "ungroundedPercentage": 1,
- "ungroundedDetails": [
- {
- "text": "12/hour."
- }
- ]
+ "ungroundedDetected": true,
+ "ungroundedPercentage": 1,
+ "ungroundedDetails": [
+ {
+ "text": "12/hour."
+ }
+ ]
} ```
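Review bot: the `ungroundedDetails.text` value `"12/hour."` carries a trailing period while the request `"text"` above is `"12/hour"` with none; since the detail text is meant to be a span of the submitted input, the two should match exactly, otherwise readers cannot reconcile the detected span with what they sent. The hunk itself is whitespace-only.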
In order to use your Azure OpenAI GPT4-Turbo (1106-preview) resource to enable t
In your request to the Groundedness detection API, set the `"reasoning"` body parameter to `true`, and provide the other needed parameters: ```json
- {
+{
"reasoning": true, "llmResource": { "resourceType": "AzureOpenAI",
This section walks through a sample request with cURL. Paste the command below i
"domain": "Generic", "task": "QnA", "qna": {
- "query": "How much does she currently get paid per hour at the bank?"
+ "query": "How much does she currently get paid per hour at the bank?"
}, "text": "12/hour", "groundingSources": [
After you submit your request, you'll receive a JSON response reflecting the Gro
```json {
- "ungroundedDetected": true,
- "ungroundedPercentage": 1,
- "ungroundedDetails": [
- {
- "text": "12/hour.",
- "offset": {
- "utf8": 0,
- "utf16": 0,
- "codePoint": 0
- },
- "length": {
- "utf8": 8,
- "utf16": 8,
- "codePoint": 8
- },
- "reason": "None. The premise mentions a pay of \"10/hour\" but does not mention \"12/hour.\" It's neutral. "
- }
- ]
+ "ungroundedDetected": true,
+ "ungroundedPercentage": 1,
+ "ungroundedDetails": [
+ {
+ "text": "12/hour.",
+ "offset": {
+ "utf8": 0,
+ "utf16": 0,
+ "codePoint": 0
+ },
+ "length": {
+ "utf8": 8,
+ "utf16": 8,
+ "codePoint": 8
+ },
+ "reason": "None. The premise mentions a pay of \"10/hour\" but does not mention \"12/hour.\" It's neutral. "
+ }
+ ]
} ```
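Review bot: the `length` block reports 8 for `"12/hour."`, which only holds if the trailing period is part of the matched span, so the sample input and the sample detail text must agree on that period (the request above shows `"12/hour"` without it). The `reason` string ends in a trailing space; trim it. The reason also refers to a premise paying `"10/hour"`, which must come from the `groundingSources` array that is cut off in this view, so confirm that source text is present in the file.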
ai-services Quickstart Protected Material https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/content-safety/quickstart-protected-material.md
curl --location --request POST '<endpoint>/contentsafety/text:detectProtectedMat
--header 'Ocp-Apim-Subscription-Key: <your_subscription_key>' \ --header 'Content-Type: application/json' \ --data-raw '{
- "text": "to everyone, the best things in life are free. the stars belong to everyone, they gleam there for you and me. the flowers in spring, the robins that sing, the sunbeams that shine, they\'re yours, they\'re mine. and love can come to everyone, the best things in life are"
+ "text": "to everyone, the best things in life are free. the stars belong to everyone, they gleam there for you and me. the flowers in spring, the robins that sing, the sunbeams that shine"
}' ``` The below fields must be included in the url:
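Review bot: the removed line contained `they\'re` inside a single-quoted `--data-raw '...'` argument, and a backslash does not escape a quote inside POSIX single quotes, so the old command would have terminated the string early and sent a malformed body; the shortened text in the `+` line avoids apostrophes entirely and so fixes that. If the commit message does not say so, record it, and consider showing how to pass a body that does contain apostrophes safely (for example by reading it from a file with `--data-binary @body.json`), since real lyrics will contain them.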
ai-services Studio Quickstart https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/content-safety/studio-quickstart.md
In this quickstart, get started with the Azure AI Content Safety service using C
* An active Azure account. If you don't have one, you can [create one for free](https://azure.microsoft.com/free/cognitive-services/). * A [Content Safety](https://aka.ms/acs-create) Azure resource.
-* The `Cognitive Services User` role assigned to the Content Safety resource in the desired Azure subscription.
+* Assign `Cognitive Services User` role to your account to ensure the studio experience. Go to [Azure Portal](https://portal.azure.com/), navigate to your Content Safety resource or Azure AI Services resource, and select **Access Control** in the left navigation bar, then click **+ Add role assignment**, choose the `Cognitive Services User` role and select the memeber of your account that you need to assign this role to, then review and assign. It might take few minutes for the assignment to take effect.
* Sign in to [Content Safety Studio](https://contentsafety.cognitive.azure.com) with your Azure subscription and Content Safety resource.
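Review bot: typos in the new bullet: "memeber" should be "member" and "take few minutes" should be "take a few minutes"; "to ensure the studio experience" is vague, "so that you can use the studio" reads better. The replaced line was a one-line requirement and the new one folds a full portal procedure into a bullet, so consider keeping the requirement short and moving the portal steps into a numbered sub-list. Assigning `Cognitive Services User` rather than a broader role is the right least-privilege choice and is worth stating explicitly.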
ai-services Best Practices https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/conversational-language-understanding/concepts/best-practices.md
If you require the learned component, make sure that *ticket quantity* is only r
## Addressing model inconsistencies
-If your model is overly sensitive to small grammatical changes, like casing or diacritics, you can systematically manipulate your dataset directly in the Language Studio. To use these features, click on the Settings tab on the left toolbar and locate the **Advanced project settings** section. First, you can ***Enable data transformation for casing***, which normalizes the casing of utterances when training, testing, and implementing your model. If you've migrated from LUIS, you might recognize that LUIS did this normalization by default. To access this feature via the API, set the `"normalizeCasing"` parameter to `true`. See an example below:
+If your model is overly sensitive to small grammatical changes, like casing or diacritics, you can systematically manipulate your dataset directly in the Language Studio. To use these features, click on the Settings tab on the left toolbar and locate the **Advanced project settings** section.
++
+First, you can ***Enable data transformation for casing***, which normalizes the casing of utterances when training, testing, and implementing your model. If you've migrated from LUIS, you might recognize that LUIS did this normalization by default. To access this feature via the API, set the `"normalizeCasing"` parameter to `true`. See an example below:
++ ```json {
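Review bot: the paragraph split does not change content, but the inserted blank line shows as `++` and the fence line as `++ ```json {`, so verify that the source has a plain blank line and a plain ```` ```json ```` fence there rather than a literal leading `+`.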
ai-services Prompt Flow https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/tutorials/prompt-flow.md
+
+ Title: Use Language in Azure prompt flow
+description: Learn how to use Azure AI Language in prompt flow.
++++ Last updated : 07/09/2024++
+# Use Language in Azure prompt flow
+
+> [!IMPORTANT]
+> Some of the features described in this article might only be available in preview. This preview is provided without a service-level agreement, and we don't recommend it for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
+
+[Prompt flow in Azure AI Studio](../../../ai-studio/how-to/prompt-flow.md) is a development tool designed to streamline the entire development cycle of AI applications powered by Large Language Models (LLMs). You can explore and quickly start to use and fine-tune various natural language processing capabilities from Azure AI Language, reducing your time to value and deploying solutions with reliable evaluation.
+
+This tutorial teaches you how to use Language in prompt flow utilizing [Azure AI Studio](https://ai.azure.com).
+
+## Prerequisites
+
+- An Azure subscription - <a href="https://azure.microsoft.com/free/cognitive-services" target="_blank">Create one for free</a>.
+
+- Access granted to Azure OpenAI in the desired Azure subscription.
+
+ Currently, access to this service is granted only by application. You can apply for access to Azure OpenAI by completing the form at <a href="https://aka.ms/oai/access" target="_blank">https://aka.ms/oai/access</a>. Open an issue on this repo to contact us if you have an issue.
+
+- You need an Azure AI Studio hub or permissions to create one. Your user role must be **Azure AI Developer**, **Contributor**, or **Owner** on the hub. For more information, see [hubs](../../../ai-studio/concepts/ai-resources.md) and [Azure AI roles](../../../ai-studio/concepts/rbac-ai-studio.md).
+ - If your role is **Contributor** or **Owner**, you can [create a hub in this tutorial](#create-a-project-in-azure-ai-studio).
+ - If your role is **Azure AI Developer**, the hub must already be created.
+
+- Your subscription needs to be below your [quota limit](../../../ai-studio/how-to/quota.md) to deploy a new flow in this tutorial.
+
+## Create a project in Azure AI Studio
+
+Your project is used to organize your work and save state.
++
+## Using Azure AI Language via the prompt flow gallery
+
+You can create an Azure AI Language flow by either cloning the samples available in the gallery or creating a flow from scratch. If you already have flow files in local or file share, you can also import the files to create a flow. For the purposes of this tutorial we'll be using the prebuilt **Analyze Conversations** flow.
+
+To create a prompt flow from the gallery in Azure AI Studio:
+
+1. Sign in to Azure AI Studio and select your project.
+
+1. From the collapsible left menu, select Prompt flow.
+
+1. Select + Create.
+
+1. Find the **Analyze Conversations** tile in the gallery and select *Clone*.
+
+1. In the right sidebar, name the folder and click the **Clone** button.
+
+1. After the process is complete, you'll be taken to the prompt flow wizard. Click **Start Compute Session** in the upper right hand corner to begin. The various parts of the wizard are out lined below:
+
+ :::image type="content" source="../media/prompt-flow/prompt-flow-wizard.png" alt-text="Screenshot of the prompt flow wizard page with each part of the tool numbered." lightbox="../media/prompt-flow/prompt-flow-wizard.png":::
+
+ 1. A graph view of your flow.
+ 1. Files in your flow. Click the arrow to expand this section.
+ 1. Azure AI Language tools in the "More tools" dropdown menu, which you can add capabilities that you need for your flow. There are more tools that you can add from LLM, Prompt, and Python menu. This menu is only accessible after the compute session has started.
+ 1. Configure your output.
+ 1. Configure steps (or tools) in the flow.
+ 1. Run, evaluate, and deploy your flow.
+
+1. Once you've configured everything to your liking, press the run button in the upper right hand corner.
+
+## Related content
+
+* [Azure AI Language homepage](https://aka.ms/azure-language)
+* [Azure AI Language product demo videos](https://aka.ms/language-videos)
+* [Explore Azure AI Language in Azure AI Studio](https://aka.ms/AzureAiLanguage)
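Review bot: the Prerequisites sentence "Open an issue on this repo to contact us if you have an issue" is an instruction for the docs repository, not for the reader of the published page; drop it. The "Create a project in Azure AI Studio" section has a single sentence and no steps, yet the Prerequisites link to it as the place to create a hub, so either add the steps or link to the hub and project how-to instead. Wording: "out lined" should be "outlined", and "Azure AI Language tools in the 'More tools' dropdown menu, which you can add capabilities that you need" should read "from which you can add the capabilities that you need". The `:::image:::` reference points at `../media/prompt-flow/prompt-flow-wizard.png`; confirm the file is part of the commit.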
ai-services Model Retirements https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/concepts/model-retirements.md
description: Learn about the model deprecations and retirements in Azure OpenAI. Previously updated : 07/10/2024 Last updated : 07/18/2024
These models are currently available for use in Azure OpenAI Service.
| `gpt-35-turbo` | 1106 | No earlier than Nov 17, 2024 | | `gpt-35-turbo` | 0125 | No earlier than Feb 22, 2025 | | `gpt-4`<br>`gpt-4-32k` | 0314 | **Deprecation:** October 1, 2024 <br> **Retirement:** June 6, 2025 |
-| `gpt-4`<br>`gpt-4-32k` | 0613 | No earlier than Sep 30, 2024 |
+| `gpt-4`<br>`gpt-4-32k` | 0613 | **Deprecation:** October 1, 2024 <br> **Retirement:** June 6, 2025 |
| `gpt-4` | 1106-preview | To be upgraded to `gpt-4` Version: `turbo-2024-04-09`, starting on August 15, 2024, or later **<sup>1</sup>** | | `gpt-4` | 0125-preview |To be upgraded to `gpt-4` Version: `turbo-2024-04-09`, starting on August 15, 2024, or later **<sup>1</sup>** | | `gpt-4` | vision-preview | To be upgraded to `gpt-4` Version: `turbo-2024-04-09`, starting on August 15, 2024, or later **<sup>1</sup>** |
If you're an existing customer looking for information about these models, see [
## Retirement and deprecation history
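Review bot: the 0613 row now mirrors the 0314 row with both a Deprecation and a Retirement date, which is clearer than the previous "No earlier than" wording; since both rows now end on June 6, 2025, a footnote saying whether 0314 and 0613 share one retirement event would remove any doubt.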
+## July 18, 2024
+
+* Updated `gpt-4` 0613 deprecation date to October 1, 2024 and the retirement date to June 6, 2025.
+ ## June 19, 2024 * Updated `gpt-35-turbo` 0301 retirement date to no earlier than October 1, 2024.
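Review bot: the table row above covers both `gpt-4` and `gpt-4-32k` for version 0613, but the new history entry only names `gpt-4` 0613; mention `gpt-4-32k` too so the changelog matches the table.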
ai-services Models https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/concepts/models.md
description: Learn about the different model capabilities that are available with Azure OpenAI. Previously updated : 07/08/2024 Last updated : 07/18/2024
Azure OpenAI Service is powered by a diverse set of models with different capabi
| Models | Description | |--|--|
-| [GPT-4o & GPT-4 Turbo **NEW**](#gpt-4o-and-gpt-4-turbo) | The latest most capable Azure OpenAI models with multimodal versions, which can accept both text and images as input. |
+| [GPT-4o & GPT-4 Turbo](#gpt-4o-and-gpt-4-turbo) | The latest most capable Azure OpenAI models with multimodal versions, which can accept both text and images as input. |
| [GPT-4](#gpt-4) | A set of models that improve on GPT-3.5 and can understand and generate natural language and code. | | [GPT-3.5](#gpt-35) | A set of models that improve on GPT-3 and can understand and generate natural language and code. | | [Embeddings](#embeddings-models) | A set of models that can convert text into numerical vector form to facilitate text similarity. |
Azure OpenAI Service is powered by a diverse set of models with different capabi
## GPT-4o and GPT-4 Turbo
-GPT-4o is the latest model from OpenAI. GPT-4o integrates text and images in a single model, enabling it to handle multiple data types simultaneously. This multimodal approach enhances accuracy and responsiveness in human-computer interactions. GPT-4o matches GPT-4 Turbo in English text and coding tasks while offering superior performance in non-English languages and vision tasks, setting new benchmarks for AI capabilities.
+GPT-4o integrates text and images in a single model, enabling it to handle multiple data types simultaneously. This multimodal approach enhances accuracy and responsiveness in human-computer interactions. GPT-4o matches GPT-4 Turbo in English text and coding tasks while offering superior performance in non-English languages and vision tasks, setting new benchmarks for AI capabilities.
+
+### Early access playground
+
+Existing Azure OpenAI customers can test out the **NEW GPT-4o mini** model in the **Azure OpenAI Studio Early Access Playground (Preview)**.
+
+To test the latest model:
+
+> [!NOTE]
+> The GPT-4o mini early access playground is currently only available for resources in **West US3** and **East US**, and is limited to 10 requests every five minutes per subscription. Azure OpenAI content filters are enabled at the default configuration and cannot be modified. GPT-4o mini is a preview model and is currently not available for deployment/direct API access.
+
+1. Navigate to Azure OpenAI Studio at https://oai.azure.com/ and sign-in with credentials that have access to your OpenAI resources.
+2. Select an Azure OpenAI resource in the **West US3** or **East US** regions. If you don't have a resource in one of these regions you will need to [create a resource](../how-to/create-resource.md).
+3. From the main [Azure OpenAI Studio](https://oai.azure.com/) page select the **Early Access Playground (Preview)** button from under the **Get started** section. (This button will only be visible when a resource in **West US3** or **East US** is selected.)
+4. Now you can start asking the model questions just as you would before in the existing [chat playground](../chatgpt-quickstart.md).
### How do I access the GPT-4o model?
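Review bot: "sign-in" in step 1 is the noun form; the verb is "sign in". The `[!NOTE]` block sits between the lead-in "To test the latest model:" and the numbered steps, which breaks the list introduction; move it above the lead-in. The note's constraints (two regions, 10 requests every five minutes per subscription, content filters fixed at the default configuration and not modifiable, no deployment or direct API access) are the operationally important part of this section and are right to call out up front; repeating the region restriction in step 2's link text would keep it visible even if the note is skimmed past. Removing "GPT-4o is the latest model from OpenAI" is consistent with GPT-4o mini now being the newer model.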
ai-services Monitoring https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/how-to/monitoring.md
The following table summarizes the current subset of metrics available in Azure
|Metric|Category|Aggregation|Description|Dimensions| |||||| |`Azure OpenAI Requests`|HTTP|Count|Total number of calls made to the Azure OpenAI API over a period of time. Applies to PayGo, PTU, and PTU-managed SKUs.| `ApiName`, `ModelDeploymentName`,`ModelName`,`ModelVersion`, `OperationName`, `Region`, `StatusCode`, `StreamType`|
-| `Active Tokens` | Usage | Total tokens minus cached tokens over a period of time. Applies to PTU and PTU-managed deployments. Use this metric to understand your TPS or TPM based utilization for PTUs and compare to your benchmarks for target TPS or TPM for your scenarios. | `ModelDeploymentName`,`ModelName`,`ModelVersion` |
+| `Active Tokens` | Usage |Sum | Total tokens minus cached tokens over a period of time. Applies to PTU and PTU-managed deployments. Use this metric to understand your TPS or TPM based utilization for PTUs and compare to your benchmarks for target TPS or TPM for your scenarios. | `ModelDeploymentName`,`ModelName`,`ModelVersion` |
| `Generated Completion Tokens` | Usage | Sum | Number of generated tokens (output) from an Azure OpenAI model. Applies to PayGo, PTU, and PTU-manged SKUs | `ApiName`, `ModelDeploymentName`,`ModelName`, `Region`| | `Processed FineTuned Training Hours` | Usage |Sum| Number of training hours processed on an Azure OpenAI fine-tuned model. | `ApiName`, `ModelDeploymentName`,`ModelName`, `Region`| | `Processed Inference Tokens` | Usage | Sum| Number of inference tokens processed by an Azure OpenAI model. Calculated as prompt tokens (input) + generated tokens. Applies to PayGo, PTU, and PTU-manged SKUs.|`ApiName`, `ModelDeploymentName`,`ModelName`, `Region`|
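Review bot: adding the missing `Sum` cell is the right fix; the old row had four cells in a five-column table, which would have shifted the Description into the Aggregation column when rendered. While in this table, the neighbouring rows spell "PTU-manged" twice; correct to "PTU-managed" to match the row being changed.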
ai-services Whats New https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/whats-new.md
- ignite-2023 - references_regions Previously updated : 07/09/2024 Last updated : 07/18/2024 recommendations: false
This article provides a summary of the latest releases and major documentation u
## July 2024
+### GPT-4o mini preview model available for early access
+
+GPT-4o mini is the latest model from OpenAI [launched on July 18, 2024](https://openai.com/index/gpt-4o-mini-advancing-cost-efficient-intelligence/).
+
+From OpenAI:
+
+*"GPT-4o mini surpasses GPT-3.5 Turbo and other small models on academic benchmarks across both textual intelligence and multimodal reasoning, and supports the same range of languages as GPT-4o. It also demonstrates strong performance in function calling, which can enable developers to build applications that fetch data or take actions with external systems, and improved long-context performance compared to GPT-3.5 Turbo."*
+
+To start testing out the model today in Azure OpenAI, see the [**Azure OpenAI Studio early access playground**](./concepts/models.md#early-access-playground).
+ ### New Responsible AI default content filtering policy The new default content filtering policy `DefaultV2` delivers the latest safety and security mitigations for the GPT model series (text), including:
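Review bot: "the latest model from OpenAI" is the same phrase that the models.md change in this batch removes from the GPT-4o paragraph because it dates quickly; prefer "announced on July 18, 2024" without "latest". The link to `./concepts/models.md#early-access-playground` depends on the "### Early access playground" heading added in models.md, so the two files must ship together.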
ai-studio Flow Deploy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-studio/how-to/flow-deploy.md
To deploy a prompt flow as an online endpoint, you need:
* An Azure subscription. If you don't have one, create a free account before you begin. * An Azure AI Studio project. -
-> [!NOTE]
-> Managed online endpoint only supports managed virtual network. If your hub is in custom vnet, you need to try other deployment options, such as [deploy to other platforms such as Docker](https://microsoft.github.io/promptflow/how-to-guides/deploy-a-flow/https://docsupdatetracker.net/index.html).
- ## Create an online deployment Now that you have built a flow and tested it properly, it's time to create your online endpoint for real-time inference.
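Review bot: deleting the note removes the only statement of the managed-virtual-network constraint for managed online endpoints without saying whether the limitation was lifted; if custom virtual networks are now supported, state that in the prerequisites, and if not, keep the note. The removed note's link (`.../deploy-a-flow/https://docsupdatetracker.net/index.html`) is malformed in any case, which may be why it was dropped; a corrected link to the prompt flow deployment guide would serve readers better than deletion.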
ai-studio Copilot Sdk Build Rag https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-studio/tutorials/copilot-sdk-build-rag.md
+
+ Title: "Part 1: Build a RAG-based copilot with the prompt flow SDK"
+
+description: Learn how to build a RAG-based copilot using the prompt flow SDK. This tutorial is part 1 of a 2-part tutorial.
+++ Last updated : 7/18/2024+++
+#customer intent: As a developer, I want to learn how to use the prompt flow SDK so that I can build a RAG-based copilot.
++
+# Tutorial: Part 1 - Build a RAG-based copilot with the prompt flow SDK
+
+In this [Azure AI Studio](https://ai.azure.com) tutorial, you use the prompt flow SDK (and other libraries) to build, configure, evaluate, and deploy a copilot for your retail company called Contoso Trek. Your retail company specializes in outdoor camping gear and clothing. The copilot should answer questions about your products and services. For example, the copilot can answer questions such as "which tent is the most waterproof?" or "what is the best sleeping bag for cold weather?".
+
+This tutorial is part one of a two-part tutorial.
+
+> [!TIP]
+> This tutorial is based on code in the sample repo for a [copilot application that implements RAG](https://github.com/Azure-Samples/rag-data-openai-python-promptflow).
+
+This part one shows you how to enhance a basic chat application by adding retrieval augmented generation (RAG) to ground the responses in your custom data.
+
+In this part one, you learn how to:
+
+> [!div class="checklist"]
+> - [Deploy an embedding model](#deploy-an-embedding-model)
+> - [Create an Azure AI Search index](#create-an-azure-ai-search-index)
+> - [Develop custom RAG code](#develop-custom-rag-code)
+> - [Use prompt flow to test your copilot](#use-prompt-flow-to-test-your-copilot)
++
+## Prerequisites
+
+- You need to complete the [Build a custom chat app in Python using the prompt flow SDK quickstart](../quickstarts/get-started-code.md) to set up your environment.
+
+ > [!IMPORTANT]
+ > This tutorial builds on the code and environment you set up in the quickstart.
+
+- You need a local copy of product data. The [Azure-Samples/rag-data-openai-python-promptflow repository on GitHub](https://github.com/Azure-Samples/rag-data-openai-python-promptflow/) contains sample retail product information that's relevant for this tutorial scenario. Clone the repository or [download the example Contoso Trek retail product data in a ZIP file](https://github.com/Azure-Samples/rag-data-openai-python-promptflow/raw/main/tutorial/data.zip) to your local machine.
+
+- You must have the necessary permissions to add role assignments in your Azure subscription. Granting permissions by role assignment is only allowed by the **Owner** of the specific Azure resources. You might need to ask your IT admin for help with completing the [assign access](#configure-access-for-the-azure-ai-search-service) section.
+
+## Application code structure
+
+Create a folder called **rag-tutorial** on your local machine. This tutorial series walks through creation of the contents of each file. If you complete the tutorial series, your folder structure looks like this:
+
+```text
+rag-tutorial/
+Γöé .env
+Γöé build_index.py
+Γöé deploy.py
+Γöé evaluate.py
+Γöé eval_dataset.jsonl
+| invoke-local.py
+Γöé
+Γö£ΓöÇΓöÇΓöÇcopilot_flow
+Γöé ΓööΓöÇΓöÇΓöÇ chat.prompty
+| ΓööΓöÇΓöÇΓöÇ copilot.py
+| ΓööΓöÇΓöÇΓöÇ Dockerfile
+Γöé ΓööΓöÇΓöÇΓöÇ flow.flex.yaml
+Γöé ΓööΓöÇΓöÇΓöÇ input_with_chat_history.json
+Γöé ΓööΓöÇΓöÇΓöÇ queryIntent.prompty
+Γöé ΓööΓöÇΓöÇΓöÇ requirements.txt
+Γöé
+Γö£ΓöÇΓöÇΓöÇdata
+| ΓööΓöÇΓöÇΓöÇ product-info/
+| ΓööΓöÇΓöÇΓöÇ [Your own data or sample data as described in the prerequisites.]
+```
+
+The implementation in this tutorial uses prompt flow's flex flow, which is the code-first approach to implementing flows. You specify an entry function (which will be defined in **copilot.py**), and then use prompt flow's testing, evaluation, and tracing capabilities for your flow. This flow is in code and doesn't have a DAG (Directed Acyclic Graph) or other visual component. Learn more about how to develop a flex flow in the [prompt flow documentation on GitHub](https://microsoft.github.io/promptflow/how-to-guides/develop-a-flex-flow/https://docsupdatetracker.net/index.html).
+
+## Set initial environment variables
+
+There's a collection of environment variables used across the different code snippets. Let's set them now.
+
+1. You created an **.env** file with the following environment variables via the [Build a custom chat app in Python using the prompt flow SDK quickstart](../quickstarts/get-started-code.md). If you haven't already, create an **.env** file in your **rag-tutorial** folder with the following environment variables:
+
+ ```
+ AZURE_OPENAI_ENDPOINT=endpoint_value
+ AZURE_OPENAI_DEPLOYMENT_NAME=chat_model_deployment_name
+ AZURE_OPENAI_API_VERSION=api_version
+ ```
+
+1. Copy the **.env** file into your **rag-tutorial** folder.
+1. In the **.env** file enter more environment variables for the copilot application:
+ - **AZURE_SUBSCRIPTION_ID**: Your Azure subscription ID
+ - **AZURE_RESOURCE_GROUP**: Your Azure resource group
+ - **AZUREAI_PROJECT_NAME**: Your Azure AI Studio project name
+ - **AZURE_OPENAI_CONNECTION_NAME**: Use the same **AIServices** or **Azure OpenAI** connection that you used [to deploy the chat model](../quickstarts/get-started-playground.md#deploy-a-chat-model).
+
+You can find the subscription ID, resource group name, and project name from your project view in AI Studio.
+1. In [AI Studio](https://ai.azure.com), go to your project and select **Settings** from the left pane.
+1. In the **Project details** section, you can find the **Subscription ID** and **Resource group**.
+1. In the **Project settings** section, you can find the **Project name**.
+
+By now, you should have the following environment variables in your *.env* file:
+
+```env
+AZURE_OPENAI_ENDPOINT=endpoint_value
+AZURE_OPENAI_DEPLOYMENT_NAME=chat_model_deployment_name
+AZURE_OPENAI_API_VERSION=api_version
+AZURE_SUBSCRIPTION_ID=<your subscription id>
+AZURE_RESOURCE_GROUP=<your resource group>
+AZUREAI_PROJECT_NAME=<your project name>
+AZURE_OPENAI_CONNECTION_NAME=<your AIServices or Azure OpenAI connection name>
+```
+
+## Deploy an embedding model
+
+For the RAG capability, we need to be able to embed the search query to search the Azure AI Search index we create.
+
+1. Deploy an Azure OpenAI embedding model. Follow the [deploy Azure OpenAI models guide](../how-to/deploy-models-openai.md) and deploy the **text-embedding-ada-002** model. Use the same **AIServices** or **Azure OpenAI** connection that you used [to deploy the chat model](../quickstarts/get-started-playground.md#deploy-a-chat-model).
+2. Add embedding model environment variables in your *.env* file. For the *AZURE_OPENAI_EMBEDDING_DEPLOYMENT* value, enter the name of the embedding model that you deployed.
+
+ ```env
+ AZURE_OPENAI_EMBEDDING_DEPLOYMENT=embedding_model_deployment_name
+ ```
+
+## Create an Azure AI Search index
+
+The goal with this RAG-based application is to ground the model responses in your custom data. You use an Azure AI Search index that stores vectorized data from the embeddings model. The search index is used to retrieve relevant documents based on the user's question.
+
+You need an Azure AI Search service and connection in order to create a search index.
+
+> [!NOTE]
+> Creating an Azure AI Search service and subsequent search indexes has associated costs. You can see details about pricing and pricing tiers for the Azure AI Search service on the creation page, to confirm cost before creating the resource.
+
+### Create an Azure AI Search service
+
+If you already have an Azure AI Search service in the same location as your project, you can skip to the [next section](#create-an-azure-ai-search-connection).
+
+Otherwise, you can create an Azure AI Search service using the [Azure portal](https://portal.azure.com) or the Azure CLI (which you installed previously for the [quickstart](../quickstarts/get-started-code.md)).
+
+> [!IMPORTANT]
+> Use the same location as your project for the Azure AI Search service. Find your project's location in the top-right project picker of the Azure AI Studio in the project view.
+
+## [Portal](#tab/azure-portal)
+
+1. Go to the [Azure portal](https://portal.azure.com).
+1. [Create an Azure AI Search service](https://portal.azure.com/#create/Microsoft.Search) in the Azure portal.
+1. Select your resource group and instance details. You can see details about pricing and pricing tiers on this page.
+1. Continue through the wizard and select **Review + assign** to create the resource.
+1. Confirm the details of your Azure AI Search service, including estimated cost.
+
+## [Azure CLI](#tab/cli)
+
+1. Open a terminal on your local machine.
+1. Type `az` and then enter to verify that the Azure CLI tool is installed. If it's installed, a help menu with `az` commands appears. If you get an error, make sure you followed the [steps for installing the Azure CLI in the quickstart](../quickstarts/get-started-code.md#install-the-azure-cli-and-login).
+1. Follow the steps to create an Azure AI Search service using the [`az search service create`](../../search/search-manage-azure-cli.md#create-or-delete-a-service) command.
+++
+### Create an Azure AI Search connection
+
+If you already have an Azure AI Search connection in your project, you can skip to [configure access for the Azure AI Search service](#configure-access-for-the-azure-ai-search-service). Only use an existing connection if it's in the same location as your project.
+
+In the Azure AI Studio, check for an Azure AI Search connected resource.
+
+1. In [AI Studio](https://ai.azure.com), go to your project and select **Settings** from the left pane.
+1. In the **Connected resources** section, look to see if you have a connection of type Azure AI Search.
+1. If you have an Azure AI Search connection, verify that it is in the same location as your project. If so, you can skip ahead to [configure access for the Azure AI Search service](#configure-access-for-the-azure-ai-search-service).
+1. Otherwise, select **New connection** and then **Azure AI Search**.
+1. Find your Azure AI Search service in the options and select **Add connection**.
+1. Continue through the wizard to create the connection. For more information about adding connections, see [this how-to guide](../how-to/connections-add.md#create-a-new-connection).
+
+### Configure access for the Azure AI Search service
+
+We recommend using [Microsoft Entra ID](/entra/fundamentals/whatis) instead of using API keys. In order to use this authentication, you need to set the right access controls and assign the right roles for your Azure AI Search service.
+
+> [!WARNING]
+> You can use role-based access control locally because you run `az login` later in this tutorial. But when you deploy your app in [part 2 of the tutorial](./copilot-sdk-evaluate-deploy.md), the deployment is authenticated using API keys from your Azure AI Search service. Support for Microsoft Entra ID authentication of the deployment is coming soon.
+
+To enable role-based access control for your Azure AI Search service, follow these steps:
+
+1. On your Azure AI Search service in the [Azure portal](https://portal.azure.com), select **Settings > Keys** from the left pane.
+1. Select **Both** to ensure that API keys and role-based access control are both enabled for your Azure AI Search service.
+
+ :::image type="content" source="../media/tutorials/develop-rag-copilot-sdk/search-access-control.png" alt-text="Screenshot shows API Access control setting.":::
+
+You or your administrator needs to grant your user identity the **Search Index Data Contributor** and **Search Service Contributor** roles on your Azure AI Search service. These roles enable you to call the Azure AI Search service using your user identity.
+
+> [!NOTE]
+> These steps are similar to how you assigned a role for your user identity to use the Azure OpenAI Service in the [quickstart](../quickstarts/get-started-code.md).
+
+In the Azure portal, follow these steps to assign the **Search Index Data Contributor** role to your Azure AI Search service:
+
+1. Select your Azure AI Search service in the [Azure portal](https://portal.azure.com).
+1. From the left page in the Azure portal, select **Access control (IAM)** > **+ Add** > **Add role assignment**.
+1. Search for the **Search Index Data Contributor** role and then select it. Then select **Next**.
+1. Select **User, group, or service principal**. Then select **Select members**.
+1. In the **Select members** pane that opens, search for the name of the user that you want to add the role assignment for. Select the user and then select **Select**.
+1. Continue through the wizard and select **Review + assign** to add the role assignment.
+
+Repeat the previous steps to add the **Search Service Contributor** role.
+
+> [!IMPORTANT]
+> After you assign these roles, run `az login` in your console to ensure the changes propagate in your development environment. This also ensures that you can use your user identity locally to authenticate with the Azure AI Search service.
+
+### Set search environment variables
+
+You need to set environment variables for the Azure AI Search service and connection in your **.env** file.
+
+1. In [AI Studio](https://ai.azure.com), go to your project and select **Settings** from the left pane.
+1. In the **Connected resources** section, select the link for the Azure AI Search service that you created previously.
+1. Copy the **Target** URL for `<your Azure Search endpoint>`.
+1. Copy the name at the top for `<your Azure Search connection name>`.
+
+ :::image type="content" source="../media/tutorials/develop-rag-copilot-sdk/search-settings.png" alt-text="Screenshot shows endpoint and connection names.":::
+
+1. Add these environment variables to your **.env** file:
+
+ ```env
+ AZURE_SEARCH_ENDPOINT=<your Azure Search endpoint>
+ AZURE_SEARCH_CONNECTION_NAME=<your Azure Search connection name>
+ ```
+
+### Create the search index
+
+If you don't have an Azure AI Search index already created, we walk through how to create one. If you already have an index to use, you can skip to the [set the search environment variables](#set-search-environment-variables) section. The search index is created on the Azure AI Search service that was either created or referenced in the previous step.
+
+1. Use your own data or [download the example Contoso Trek retail product data in a ZIP file](https://github.com/Azure-Samples/rag-data-openai-python-promptflow/raw/main/tutorial/data.zip) to your local machine. Unzip the file into your **rag-tutorial** folder. This data is a collection of markdown files that represent product information. The data is structured in a way that is easy to ingest into a search index. You build a search index from this data.
+
+1. The prompt flow RAG package allows you to ingest the markdown files, locally create a search index, and register it in the cloud project. Install the prompt flow RAG package:
+
+ ```bash
+ pip install promptflow-rag
+ ```
+
+1. Upgrade the *azure-ai-ml* package to the latest version. Run the following command in your terminal:
+
+ ```bash
+ pip install azure-ai-ml -U
+ ```
+
+1. Create the **build_index.py** file in your **rag-tutorial** folder.
+1. Copy and paste the following code into your **build_index.py** file.
+
+ :::code language="python" source="~/rag-data-openai-python-promptflow-main/tutorial/build_index.py":::
+
+ - Set the `index_name` variable to the name of the index you want.
+ - As needed, you can update the `path_to_data` variable to the path where your data files are stored.
+
+ > [!IMPORTANT]
+ > By default the code sample expects the application code structure as described [previously in this tutorial](#application-code-structure). The `data` folder should be at the same level as your **build_index.py** and the downloaded `product-info` folder with md files within it.
+
+1. From your console, run the code to build your index locally and register it to the cloud project:
+
+ ```bash
+ python build_index.py
+ ```
+
+1. Once the script is run, you can view your newly created index in the **Indexes** page of your Azure AI Studio project. For more information, see [How to build and consume vector indexes in Azure AI Studio](../how-to/index-add.md).
+
+1. If you run the script again with the same index name, it creates a new version of the same index.
+
+### Set the search index environment variable
+
+Once you have the index name you want to use (either by creating a new one, or referencing an existing one), add it to your **.env** file, like this:
+
+```env
+AZUREAI_SEARCH_INDEX_NAME=<index-name>
+```
+
+## Develop custom RAG code
+
+Next you create custom code to add retrieval augmented generation (RAG) capabilities to a basic chat application. In the quickstart, you created **chat.py** and **chat.prompty** files. Here you expand on that code to include RAG capabilities.
+
+The copilot with RAG implements the following general logic:
+
+1. Generate a search query based on user query intent and any chat history
+1. Use an embedding model to embed the query
+1. Retrieve relevant documents from the search index, given the query
+1. Pass the relevant context to the Azure OpenAI chat completion model
+1. Return the response from the Azure OpenAI model
+
+### The copilot implementation logic
+
+The copilot implementation logic is in the **copilot.py** file. This file contains the core logic for the RAG-based copilot.
+
+1. Create a folder named **copilot_flow** in the **rag-tutorial** folder.
+1. Then create a file called **copilot.py** in the **copilot_flow** folder.
+1. Add the following code to the **copilot.py** file:
+
+ :::code language="python" source="~/rag-data-openai-python-promptflow-main/tutorial/copilot_flow/copilot.py":::
+
+The **copilot.py** file contains two key functions: `get_documents()` and `get_chat_response()`.
+
+Notice these two functions have the `@trace` decorator, which allows you to see the prompt flow tracing logs of each function call inputs and outputs. `@trace` is an alternative and extended approach to the way the [quickstart](../quickstarts/get-started-code.md) showed tracing capabilities.
+
+The `get_documents()` function is the core of the RAG logic.
+1. Takes in the search query and number of documents to retrieve.
+1. Embeds the search query using an embedding model.
+1. Queries the Azure Search index to retrieve the documents relevant to the query.
+1. Returns the context of the documents.
+
+The `get_chat_response()` function builds from the previous logic in your **chat.py** file:
+1. Takes in the `chat_input` and any `chat_history`.
+1. Constructs the search query based on `chat_input` intent and `chat_history`.
+1. Calls `get_documents()` to retrieve the relevant docs.
+1. Calls the chat completion model with context to get a grounded response to the query.
+1. Returns the reply and context. We set a typed dictionary as the return object for our `get_chat_response()` function. You can choose how your code returns the response to best fit your use case.
+
+The `get_chat_response()` function uses two `Prompty` files to make the necessary Large Language Model (LLM) calls, which we cover next.
+
+### Prompt template for chat
+
+The **chat.prompty** file is simple, and similar to the **chat.prompty** in the [quickstart](../quickstarts/get-started-code.md). The system prompt is updated to reflect our product and the prompt templates includes document context.
+
+1. Add the file **chat.prompty** in the **copilot_flow** directory. The file represents the call to the chat completion model, with the system prompt, chat history, and document context provided.
+1. Add this code to the **chat.prompty** file:
+
+ :::code language="yaml" source="~/rag-data-openai-python-promptflow-main/tutorial/copilot_flow/chat.prompty":::
+
+### Prompt template for chat history
+
+Because we're implementing a RAG-based application, there's some extra logic required for retrieving relevant documents not only for the current user query, but also taking into account chat history. Without this extra logic, your LLM call would account for chat history. But you wouldn't retrieve the right documents for that context, so you wouldn't get the expected response.
+
+For instance, if the user asks the question "is it waterproof?", we need the system to look at the chat history to determine what the word "it" refers to, and include that context into the search query to embed. This way, we retrieve the right documents for "it" (perhaps the Alpine Explorer Tent) and its "cost."
+
+Instead of passing only the user's query to be embedded, we need to generate a new search query that takes into account any chat history. We use another `Prompty` (which is another LLM call) with specific prompting to interpret the user query **intent** given chat history, and construct a search query that has the necessary context.
+
+1. Create the file **queryIntent.prompty** in the **copilot_flow** folder.
+1. Enter this code for specific details about the prompt format and few-shot examples.
+
+ :::code language="yaml" source="~/rag-data-openai-python-promptflow-main/tutorial/copilot_flow/queryIntent.prompty":::
+
+The simple system message in our **queryIntent.prompty** file achieves the minimum required for the RAG solution to work with chat history.
+
+### Configure required packages
+
+Create the file **requirements.txt** in the **copilot_flow** folder. Add this content:
++
+These are the packages required for the flow to run locally and in a deployed environment.
+
+### Use flex flow
+
+As previously mentioned, this implementation uses prompt flow's flex flow, which is the code-first approach to implementing flows. You specify an entry function (which is defined in **copilot.py**). Learn more at [Develop a flex flow](https://microsoft.github.io/promptflow/how-to-guides/develop-a-flex-flow/https://docsupdatetracker.net/index.html).
+
+This yaml specifies the entry function, which is the `get_chat_response` function defined in `copilot.py`. It also specifies the requirements the flow needs to run.
+
+Create the file **flow.flex.yaml** in the **copilot_flow** folder. Add this content:
++
+## Use prompt flow to test your copilot
+
+Use prompt flow's testing capability to see how your copilot performs as expected on sample inputs. By using your **flow.flex.yaml** file, you can use prompt flow to test with your specified inputs.
+
+Run the flow using this prompt flow command:
+
+```bash
+pf flow test --flow ./copilot_flow --inputs chat_input="how much do the Trailwalker shoes cost?"
+```
+
+Alternatively, you can run the flow interactively with the `--ui` flag.
+
+```bash
+pf flow test --flow ./copilot_flow --ui
+```
+
+When you use `--ui`, the interactive sample chat experience opens a window in your local browser.
+- The first time you run with the `--ui` flag, you need to manually select your chat inputs and outputs from the options. The first time you create this session, select the **Chat input/output field config** settings, then start chatting.
+- The next time you run with the `--ui` flag, the session will remember your settings.
++
+When you're finished with your interactive session, enter **Ctrl + C** in the terminal window to stop the server.
+
+### Test with chat history
+
+In general, prompt flow and `Prompty` support chat history. If you test with the `--ui` flag in the locally served front end, prompt flow manages your chat history. If you test without the `--ui`, you can specify an inputs file that includes chat history.
+
+Because our application implements RAG, we had to add [extra logic to handle chat history](#prompt-template-for-chat-history) in the **queryIntent.prompty** file.
+
+To test with chat history, create a file called **input_with_chat_history.json** in the **copilot_flow** folder, and paste in this content:
++
+To test with this file, run:
+
+```bash
+pf flow test --flow ./copilot_flow --inputs ./copilot_flow/input_with_chat_history.json
+```
+
+The expected output is something like: "The Alpine Explorer Tent is priced at $350."
+
+This system is able to interpret the intent of the query "how much does it cost?" to know that "it" refers to the Alpine Explorer Tent, which was the latest context in the chat history. Then the system constructs a search query for the price of the Alpine Explorer Tent to retrieve the relevant documents for the Alpine Explorer Tent's cost, and we get the response.
+
+If you navigate to the trace from this flow run, you see this in action. The local traces link shows in the console output before the result of the flow test run.
++
+## Clean up resources
+
+To avoid incurring unnecessary Azure costs, you should delete the resources you created in this tutorial if they're no longer needed. To manage resources, you can use the [Azure portal](https://portal.azure.com?azure-portal=true).
+
+But don't delete them yet, if you want to deploy your copilot to Azure in [the next part of this tutorial series](copilot-sdk-evaluate-deploy.md).
+
+## Next step
+
+> [!div class="nextstepaction"]
+> [Evaluate and deploy your copilot to Azure](copilot-sdk-evaluate-deploy.md)
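Review bot: The WARNING under "Configure access for the Azure AI Search service" says the deployed app "is authenticated using API keys from your Azure AI Search service", but the "Assign access for the endpoint" section of part 2 on this same page says the endpoint's role assignment lets the application "run without keys in the deployed environment, just like it did locally"; reconcile the two, and if keys are still read at deploy time, say which key the deployment needs so readers who must leave **Both** enabled can scope it to the minimum. Two smaller fixes in the same hunk: in "Create the search index", the skip link `[set the search environment variables](#set-search-environment-variables)` sends readers back to the earlier endpoint/connection section instead of forward to "Set the search index environment variable", and the "Use flex flow" link `https://microsoft.github.io/promptflow/how-to-guides/develop-a-flex-flow/https://docsupdatetracker.net/index.html` has two URLs run together and will not resolve.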
ai-studio Copilot Sdk Evaluate Deploy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-studio/tutorials/copilot-sdk-evaluate-deploy.md
+
+ Title: "Part 2: Evaluate and deploy copilot with the prompt flow SDK"
+
+description: Evaluate and deploy a RAG-based copilot with the prompt flow SDK. This tutorial is part 2 of a two-part tutorial.
+++ Last updated : 7/18/2024+++
+#customer intent: As a developer, I want to learn how to use the prompt flow SDK so that I can evaluate and deploy a copilot.
++
+# Tutorial: Part 2 - Evaluate and deploy a RAG-based copilot with the prompt flow SDK
+
+In this [Azure AI Studio](https://ai.azure.com) tutorial, you use the prompt flow SDK (and other libraries) to evaluate and deploy the copilot you built in [Part 1 of the tutorial series](copilot-sdk-build-rag.md).
+
+This tutorial is part two of a two-part tutorial.
+
+> [!TIP]
+> This tutorial is based on code in the sample repo for a [copilot application that implements RAG](https://github.com/Azure-Samples/rag-data-openai-python-promptflow).
+
+In this part two, you learn how to:
+
+> [!div class="checklist"]
+> - [Evaluate the quality of copilot responses](#evaluate-the-quality-of-copilot-responses)
+> - [Deploy the copilot to Azure](#deploy-the-copilot-to-azure)
+> - [Verify the deployment](#verify-the-deployment)
+
+## Prerequisites
+
+- You must complete [part 1 of the tutorial series](copilot-sdk-build-rag.md) to build the copilot application.
+
+- You must have the necessary permissions to add role assignments in your Azure subscription. Granting permissions by role assignment is only allowed by the **Owner** of the specific Azure resources. You might need to ask your IT admin for help with completing the [assign access](#assign-access-for-the-endpoint) section.
+
+## Evaluate the quality of copilot responses
+
+Now that you know your copilot responds well to your queries, including with chat history, it's time to evaluate how it does across a few different metrics and more data.
+
+You use the prompt flow evaluator with an evaluation dataset and the `get_chat_response()` target function, then assess the evaluation results.
+
+Once you run an evaluation, you can then make improvements to your logic, like improving your system prompt, and observing how the copilot responses change and improve.
+
+### Set your evaluation model
+
+Choose the evaluation model you want to use. It can be the same as the chat model you deployed before. If you want a different model for evaluation, you need to deploy it, or specify it if it already exists. For example, you might be using gpt-35-turbo for your chat completions, but want to use gpt-4 for evaluation since it might perform better.
+
+Add your evaluation model name in your **.env** file:
+
+```env
+AZURE_OPENAI_EVALUATION_DEPLOYMENT=<your evaluation model deployment name>
+```
+
+### Create evaluation dataset
+
+Use the following evaluation dataset, which contains example questions and expected answers (truth).
+
+1. Create a file called **eval_dataset.jsonl** in your **rag-tutorial** folder. See the [application code structure](copilot-sdk-build-rag.md#application-code-structure) for reference.
+1. Paste this dataset into the file:
+
+ :::code language="jsonl" source="~/rag-data-openai-python-promptflow-main/tutorial/eval_dataset.jsonl":::
+
+### Evaluate with prompt flow evaluators
+
+Now define an evaluation script that will:
+
+- Import the `evaluate` function and evaluators from the Prompt flow `evals` package.
+- Load the sample `.jsonl` dataset.
+- Generate a target function wrapper around our copilot logic.
+- Run the evaluation, which takes the target function, and merges the evaluation dataset with the responses from the copilot.
+- Generate a set of GPT-assisted metrics (Relevance, Groundedness, and Coherence) to evaluate the quality of the copilot responses.
+- Output the results locally, and logs the results to the cloud project.
+
+The script allows you to review the results locally, by outputting the results in the command line, and to a json file.
+
+The script also logs the evaluation results to the cloud project so that you can compare evaluation runs in the UI.
+
+1. Create a file called **evaluate.py** in your **rag-tutorial** folder.
+1. Add the following code. Update the `dataset_path` and `evaluation_name` to fit your use case.
+
+ :::code language="python" source="~/rag-data-openai-python-promptflow-main/tutorial/evaluate.py":::
+
+The main function at the end allows you to view the evaluation result locally, and gives you a link to the evaluation results in AI Studio.
+
+### Run the evaluation script
+
+1. From your console, sign in to your Azure account with the Azure CLI:
+
+ ```bash
+ az login
+ ```
+
+1. Install the required package:
+
+ ```bash
+ pip install promptflow-evals
+ ```
+
+1. Now run the evaluation script:
+
+ ```bash
+ python evaluate.py
+ ```
+
+For more information about using the prompt flow SDK for evaluation, see [Evaluate with the prompt flow SDK](../how-to/develop/flow-evaluate-sdk.md).
+
+### Interpret the evaluation output
+
+In the console output, you see for each question an answer and the summarized metrics in this nice table format. (You might see different columns in your output.)
+
+```txt
+'--Summarized Metrics--'
+{'coherence.gpt_coherence': 4.3076923076923075,
+ 'groundedness.gpt_groundedness': 4.384615384615385,
+ 'relevance.gpt_relevance': 4.384615384615385}
+
+'--Tabular Result--'
+ question ... gpt_coherence
+0 Which tent is the most waterproof? ... 5
+1 Which camping table holds the most weight? ... 5
+2 How much does TrailWalker Hiking Shoes cost? ... 5
+3 What is the proper care for trailwalker hiking... ... 5
+4 What brand is the TrailMaster tent? ... 1
+5 How do I carry the TrailMaster tent around? ... 5
+6 What is the floor area for Floor Area? ... 3
+7 What is the material for TrailBlaze Hiking Pants ... 5
+8 What color do the TrailBlaze Hiking Pants come ... 5
+9 Can the warranty for TrailBlaze pants be trans... ... 3
+10 How long are the TrailBlaze pants under warren... ... 5
+11 What is the material for PowerBurner Camping S... ... 5
+12 Is France in Europe? ... 1
+```
+
+The script writes the full evaluation results to `./eval_results.jsonl`.
+And there's a link in the console to view evaluation results in your Azure AI Studio project.
+
+> [!NOTE]
+> You may see an `ERROR:asyncio:Unclosed client session` - this can be safely ignored and does not affect the evaluation results.
+
+### View evaluation results in AI Studio
+
+Once the evaluation run completes, follow the link to view the evaluation results on the **Evaluation** page in the Azure AI Studio.
++
+You can also look at the individual rows and see metric scores per row, and view the full context/documents that were retrieved. These metrics can be helpful in interpreting and debugging evaluation results.
++
+For more information about evaluation results in AI Studio, see [How to view evaluation results in AI Studio](../how-to/evaluate-flow-results.md).
+
+Now that you verified your copilot behaves as expected, you're ready to deploy your application.
+
+## Deploy the copilot to Azure
+
+Now let's go ahead and deploy this copilot to a managed endpoint so that it can be consumed by an external application or website.
+
+The deploy script will:
+
+- Create a managed online endpoint
+- Define our flow as a model
+- Deploy our flow to a managed environment on that endpoint that has our environment variables
+- Route all traffic to that deployment
+- Output the link to view and test the deployment in the Azure AI Studio
+
+The deployment defines a build context (Dockerfile) that relies on the `requirement.txt` specified in our flow folder, and also sets our environment variables to the deployed environment, so we can be confident that our copilot application runs the same in a production environment as it did locally.
+
+### Build context for the deployment (Dockerfile)
+
+The deployed environment needs a build context, so let's define a Dockerfile for the deployed environment.
+The deploy script creates an environment based on this Dockerfile. Create this **Dockerfile** in the **copilot_flow** folder:
+
+```docker
+FROM mcr.microsoft.com/azureml/promptflow/promptflow-runtime:latest
+COPY ./requirements.txt .
+RUN pip install -r requirements.txt
+```
+
+### Deploy copilot to a managed endpoint
+
+To deploy your application to a managed endpoint in Azure, create an online endpoint, then create a deployment in that endpoint, and then route all traffic to that deployment.
+
+As part of creating the deployment, your copilot_flow folder is packaged as a model and a cloud environment is built. The endpoint is set up with Microsoft Entra ID authentication. You can update the auth mode you want in the code, or in the Azure AI Studio on the endpoint details page.
+
+> [!IMPORTANT]
+> Deploying your application to a managed endpoint in Azure has associated compute cost based on the instance type you choose. Make sure you are aware of the associated cost and have quota for the instance type you specify. Learn more about [online endpoints](../../machine-learning/reference-managed-online-endpoints-vm-sku-list.md).
+
+Create the file **deploy.py** in the **rag-tutorial** folder. Add the following code:
++
+> [!IMPORTANT]
+> The endpoint and deployment name must be unique within an Azure region. If you get an error that the endpoint or deployment name already exists, try different names.
+
+### Output deployment details
+
+Add the following lines to the end your deploy script to view the evaluation result locally, and get a link to the studio:
++
+Now, run the script with:
+
+```bash
+python deploy.py
+```
+
+> [!NOTE]
+> Deployment may take over 10 minutes to complete. We suggest you follow the next step to assign access to the endpoint while you wait.
+
+Once the deployment is completed, you get a link to the Azure AI Studio deployment page, where you can test your deployment.
+
+## Verify the deployment
+
+We recommend you test your application in the Azure AI Studio. If you prefer to test your deployed endpoint locally, you can invoke it with some custom code.
+
+Note your endpoint name, which you need for the next steps.
+
+### Assign access for the endpoint
+
+While you wait for your application to deploy, you or your administrator can assign role-based access to the endpoint. These roles allow the application to run without keys in the deployed environment, just like it did locally.
+
+Previously, you provided your account with a specific role to be able to access the resource using Microsoft Entra ID authentication. Now, assign the endpoint that same role.
+
+### Endpoint access for Azure OpenAI resource
+
+You or your administrator needs to grant your endpoint the **Cognitive Services OpenAI User** role on the Azure AI Services resource that you're using. This role lets your endpoint call the Azure OpenAI service.
+
+> [!NOTE]
+> These steps are similar to how you assigned a role for your user identity to use the Azure OpenAI Service in the [quickstart](../quickstarts/get-started-code.md).
+
+To grant yourself access to the Azure AI Services resource that you're using:
+
+1. In [AI Studio](https://ai.azure.com), go to your project and select **Settings** from the left pane.
+1. In the **Connected resources** section, select the connection name with type **AIServices**.
+
+ :::image type="content" source="../media/quickstarts/promptflow-sdk/project-settings-pick-resource.png" alt-text="Screenshot of the project settings page, highlighting how to select the connected AI services resource to open it." lightbox="../media/quickstarts/promptflow-sdk/project-settings-pick-resource.png":::
+
+ > [!NOTE]
+ > If you don't see the **AIServices** connection, use the **Azure OpenAI** connection instead.
+
+1. On the resource details page, select the link under the **Resource** heading to open the AI services resource in the Azure portal.
+
+ :::image type="content" source="../media/quickstarts/promptflow-sdk/project-ai-services-open-in-portal.png" alt-text="Screenshot of the AI Services connection details showing how to open the resource in the Azure portal." lightbox="../media/quickstarts/promptflow-sdk/project-ai-services-open-in-portal.png":::
+
+1. From the left page in the Azure portal, select **Access control (IAM)** > **+ Add** > **Add role assignment**.
+
+1. Search for the **Cognitive Services OpenAI User** role and then select it. Then select **Next**.
+
+ :::image type="content" source="../media/quickstarts/promptflow-sdk/ai-services-add-role-assignment.png" alt-text="Screenshot of the page to select the Cognitive Services OpenAI User role." lightbox="../media/quickstarts/promptflow-sdk/ai-services-add-role-assignment.png":::
+
+1. Select **Managed identity**. Then select **Select members**.
+
+1. In the **Select members** pane that opens, select _Machine learning online endpoint_ for the Managed identity, and then search for your endpoint name. Select the endpoint and then select **Select**.
+
+ :::image type="content" source="../media/tutorials/develop-rag-copilot-sdk/managed-identity-role-aoai.png" alt-text="Screenshot shows Selection of members for the online endpoint.":::
+
+1. Continue through the wizard and select **Review + assign** to add the role assignment.
+
+> [!NOTE]
+> It may take a few minutes for the access to propagate. If you get an unauthorized error when testing in the next step, try again after a few minutes.
+
+### Endpoint access for Azure AI Search resource
+
+Similar to how you assigned the **Search Index Data Contributor** [role to your Azure AI Search service](./copilot-sdk-build-rag.md#configure-access-for-the-azure-ai-search-service), you need to assign the same role for your endpoint.
+
+1. In Azure AI Studio, select **Settings** and navigate to the connected **Azure AI Search** service.
+1. Select the link to open a summary of the resource. Select the link on the summary page to open the resource in the Azure portal.
+
+1. From the left page in the Azure portal, select **Access control (IAM)** > **+ Add** > **Add role assignment**.
+
+ :::image type="content" source="../media/tutorials/develop-rag-copilot-sdk/add-role-search.png" alt-text="Screenshot shows Access control for search resource.":::
+
+1. Search for the **Search Index Data Contributor** role and then select it. Then select **Next**.
+
+1. Select **Managed identity**. Then select **Select members**.
+
+1. In the **Select members** pane that opens, select _Machine learning online endpoint_ for the Managed identity, and then search for your endpoint name. Select the endpoint and then select **Select**.
+
+ :::image type="content" source="../media/tutorials/develop-rag-copilot-sdk/managed-identity-role-search.png" alt-text="Screenshot shows selecting the endpoint.":::
+
+1. Continue through the wizard and select **Review + assign** to add the role assignment.
+
+> [!NOTE]
+> It may take a few minutes for the access to propagate. If you get an unauthorized error when testing in the next step, try again after a few minutes.
+
+### Test your deployment in AI Studio
+
+Once the deployment is completed, you get a handy link to your deployment. If you don't use the link, navigate to the **Deployments** tab in your project and select your new deployment.
++
+Select the **Test** tab, and try asking a question in the chat interface.
+
+For example, type "Are the Trailwalker hiking shoes waterproof?" and enter.
++
+Seeing the response come back verifies your deployment.
+
+If you get an error, select the **Logs** tab to get more details.
+
+> [!NOTE]
+> If you get an unauthorized error, your endpoint access may not have been applied yet. Try again in a few minutes.
+
+### Invoke the deployed copilot locally
+
+If you prefer to verify your deployment locally, you can invoke it via a Python script.
+
+Define a script that will:
+
+- Construct a well-formed request to our scoring URL.
+- Post the request and handle the response.
+
+Create an **invoke-local.py** file in your **rag-tutorial** folder, with the following code. Modify the `query` and `endpoint_name` (and other parameters as needed) to fit your use case.
++
+You should see the copilot reply to your query in the console.
+
+> [!NOTE]
+> If you get an unauthorized error, your endpoint access may not have been applied yet. Try again in a few minutes.
+
+## Clean up resources
+
+To avoid incurring unnecessary Azure costs, you should delete the resources you created in this tutorial if they're no longer needed. To manage resources, you can use the [Azure portal](https://portal.azure.com?azure-portal=true).
+
+## Related content
+
+> [!div class="nextstepaction"]
+> [Learn more about prompt flow](../how-to/prompt-flow.md)
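Review bot: the code that "Create an **invoke-local.py** file in your **rag-tutorial** folder, with the following code" promises is missing; the line that follows it contains only a stray `+`, so the reader has nothing to paste before "You should see the copilot reply to your query in the console." The same stray `+` appears after "navigate to the **Deployments** tab" and after the sample question, where a screenshot or code include was probably dropped; restore the snippet or the include at each of those points. On the role-assignment steps: the endpoint's managed identity is given **Search Index Data Contributor**, but the deployed copilot only queries the index at request time, so confirm whether write access is needed and, if not, assign a read-only search data role instead so the grant matches the principle of least privilege. Smaller wording points: "type ... and enter" should be "and press Enter", and "Construct a well-formed request to our scoring URL" should say "the scoring URL" to match the second-person voice used elsewhere. The NOTE about unauthorized errors is repeated three times in a few paragraphs; one instance after the role assignment, referenced from the test steps, would read more cleanly.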
aks Azure Linux Aks Partner Solutions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-linux-aks-partner-solutions.md
description: Discover partner-tested solutions that enable you to build, test, deploy, manage, and monitor your AKS environment using Azure Linux Container Host. -++ Last updated 06/13/2024
aks Certificate Rotation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/certificate-rotation.md
Title: Certificate Rotation in Azure Kubernetes Service (AKS)
-description: Learn certificate rotation in an Azure Kubernetes Service (AKS) cluster.
+description: Learn about certificate rotation in an Azure Kubernetes Service (AKS) cluster.
+++ Previously updated : 01/19/2023 Last updated : 06/05/2024 # Certificate rotation in Azure Kubernetes Service (AKS)
-Azure Kubernetes Service (AKS) uses certificates for authentication with many of its components. RBAC-enabled clusters created after March 2022 are enabled with certificate auto-rotation. You may need to periodically rotate those certificates for security or policy reasons. For example, you may have a policy to rotate all your certificates every 90 days.
+Azure Kubernetes Service (AKS) uses certificates for authentication with many of its components. Clusters with Azure role-based access control (Azure RBAC) that were created after March 2022 are enabled with certificate auto-rotation. You may need to periodically rotate those certificates for security or policy reasons. For example, you may have a policy to rotate all your certificates every 90 days.
> [!NOTE]
-> Certificate auto-rotation is *only* enabled by default for RBAC enabled AKS clusters.
+> Certificate auto-rotation is enabled by default only for RBAC-enabled AKS clusters.
This article shows you how certificate rotation works in your AKS cluster.
Microsoft maintains all certificates mentioned in this section, except for the c
az vm run-command invoke --resource-group MC_rg_myAKSCluster_region --name vm-name --command-id RunShellScript --query 'value[0].message' -otsv --scripts "openssl x509 -in /etc/kubernetes/certs/apiserver.crt -noout -enddate" ```
-### Check Virtual Machine Scale Set agent node certificate expiration date
+### Check certificate expiration for the virtual machine scale set agent node
-* Check the expiration date of the Virtual Machine Scale Set agent node certificate using the `az vm run-command invoke` command.
+* Check the expiration date of the virtual machine scale set agent node certificate using the `az vm run-command invoke` command.
```azurecli-interactive az vmss run-command invoke --resource-group "MC_rg_myAKSCluster_region" --name "vmss-name" --command-id RunShellScript --instance-id 1 --scripts "openssl x509 -in /etc/kubernetes/certs/apiserver.crt -noout -enddate" --query "value[0].message" ```
-## Certificate Auto Rotation
+## Certificate auto-rotation
For AKS to automatically rotate non-CA certificates, the cluster must have [TLS Bootstrapping](https://kubernetes.io/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/), which is enabled by default in all Azure regions.
For any AKS clusters created or upgraded after March 2022, Azure Kubernetes Serv
## Manually rotate your cluster certificates > [!WARNING]
-> Rotating your certificates using `az aks rotate-certs` recreates all of your nodes, Virtual Machine Scale Sets and Disks and can cause up to *30 minutes of downtime* for your AKS cluster.
+> Rotating your certificates using `az aks rotate-certs` recreates all of your nodes, virtual machine scale sets, and disks and can cause up to *30 minutes of downtime* for your AKS cluster.
1. Connect to your cluster using the [`az aks get-credentials`][az-aks-get-credentials] command.
For any AKS clusters created or upgraded after March 2022, Azure Kubernetes Serv
## Next steps
-This article showed you how to automatically rotate your cluster certificates, CAs, and SAs. For more information, see [Best practices for cluster security and upgrades in Azure Kubernetes Service (AKS)][aks-best-practices-security-upgrades].
+This article showed you how to manually and automatically rotate your cluster certificates, CAs, and SAs. For more information, see [Best practices for cluster security and upgrades in Azure Kubernetes Service (AKS)][aks-best-practices-security-upgrades].
<!-- LINKS - internal --> [azure-cli-install]: /cli/azure/install-azure-cli
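Review bot: the rewritten opening sentence changes what the auto-rotation condition refers to. "RBAC-enabled clusters created after March 2022" became "Clusters with Azure role-based access control (Azure RBAC) that were created after March 2022", while the NOTE two lines later still says auto-rotation is enabled by default "only for RBAC-enabled AKS clusters". AKS distinguishes Kubernetes RBAC from Azure RBAC for Kubernetes authorization, so the two sentences now name different features; confirm which one the auto-rotation requirement is tied to and use the same term in both places. Also, under "Check certificate expiration for the virtual machine scale set agent node", the command reads `/etc/kubernetes/certs/apiserver.crt` on the node; if the intent is the node's own certificate, point at that file, otherwise say that the command reads the API server certificate held on the node so the heading and the command agree.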
aks Dapr Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/dapr-overview.md
The Dapr extension supports stable versions of Dapr APIs (building blocks).
| [**Secrets**][dapr-secrets] | Stable | Access secrets from your application code or reference secure values in your Dapr components. | | [**Configuration**][dapr-config] | Stable | Retrieve and subscribe to application configuration items for supported configuration. stores. | ### Clouds/regions
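Review bot: the Configuration row has a stray period in "for supported configuration. stores."; it should read "for supported configuration stores." The table rows and the "### Clouds/regions" heading also run together on one line here, so check that each row and the heading sit on their own line in the source.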
aks Ha Dr Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/ha-dr-overview.md
For more information, see the [**Recommended passive-cold failover solution over
AKS sets default limits and quotas for resources and features, including usage restrictions for certain VM SKUs. For more information, see [AKS service quotas and limits](./quotas-skus-regions.md#service-quotas-and-limits).
aks Kubernetes Service Principal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/kubernetes-service-principal.md
The default expiration time for the service principal credentials is one year. I
**General Azure CLI troubleshooting** ### [Azure PowerShell](#tab/azure-powershell)
aks Quotas Skus Regions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/quotas-skus-regions.md
This article details the default resource limits for Azure Kubernetes Service (A
## Service quotas and limits ## Provisioned infrastructure
api-center Check Minimal Api Permissions Dev Proxy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-center/check-minimal-api-permissions-dev-proxy.md
+
+ Title: Check app's API calls for minimal permissions with Dev Proxy
+description: Learn how to use Dev Proxy to check if your app is calling APIs using minimal permissions defined in Azure API Center.
+++ Last updated : 07/17/2024+++
+# Check if your app is calling APIs using minimal permissions with Dev Proxy
+
+When building your app, you likely integrate with several APIs and operations. To ensure that your app is secure and follows the principle of least privilege, you should check if your app is calling APIs with minimal permissions. By using minimal permissions, you reduce the risk of unauthorized access to your data and resources.
+
+What's hard about checking if your app is calling APIs with minimal permissions is that each time you integrate a new operation, you need to evaluate the set of permissions you use in your app. Manually tracking all operations and permissions is time-consuming and error-prone. Using Dev Proxy and Azure API Center you can automate checking if your app is calling APIs with minimal permissions.
+
+To check if your app is calling APIs using minimal permissions, you can use Dev Proxy. Dev Proxy is an API simulator that intercepts and analyzes API requests from applications. One feature of Dev Proxy is comparing the permissions that your app uses with the permissions defined in Azure API Center and reporting on any excessive permissions. Dev Proxy also recommends the minimal set of permissions that you should use.
++
+> [!VIDEO https://www.youtube.com/embed/fFr3tFBp1Z8]
+
+## Before you start
+
+To check if your app is calling APIs using minimal permissions, you need to have an Azure API Center instance with information about the APIs that you use in your organization. If you haven't created one already, see [Quickstart: Create your API center](set-up-api-center.md). Additionally, you need to install [Dev Proxy](https://aka.ms/devproxy).
+
+> [!TIP]
+> Download the preset for this how to article by running in the command prompt `devproxy preset get demo-apicenter-minimalpermissions`.
+
+### Register APIs in your Azure API Center instance
+
+Register APIs that you use in your organization. For each API, upload the OpenAPI specification file that describes the API operations and permissions.
++
+The Dev Proxy `ApiCenterMinimalPermissionsPlugin` uses this information to check if your app is calling APIs using minimal permissions.
+
+### Copy API Center information
+
+From the Azure API Center instance Overview page, copy the **name** of the API Center instance, the name of the **resource group** and the **subscription ID**. You need this information to configure the `ApiCenterMinimalPermissionsPlugin` so that it can connect to your Azure API Center instance.
++
+## Configure Dev Proxy
+
+To check if your app is calling APIs using minimal permissions, you need to enable the `ApiCenterMinimalPermissionsPlugin` in the Dev Proxy configuration file. To create a report of permissions that your app uses, add a reporter.
+
+### Enable the `ApiCenterMinimalPermissionsPlugin`
+
+In the `devproxyrc.json` file, add the following configuration:
+
+```json
+{
+ "$schema": "https://raw.githubusercontent.com/microsoft/dev-proxy/main/schemas/v0.19.0/rc.schema.json",
+ "plugins": [
+ {
+ "name": "ApiCenterMinimalPermissionsPlugin",
+ "enabled": true,
+ "pluginPath": "~appFolder/plugins/dev-proxy-plugins.dll",
+ "configSection": "apiCenterMinimalPermissionsPlugin"
+ }
+ ],
+ "urlsToWatch": [
+ "https://api.northwind.com/*"
+ ],
+ "apiCenterMinimalPermissionsPlugin": {
+ "subscriptionId": "00000000-0000-0000-0000-000000000000",
+ "resourceGroupName": "demo",
+ "serviceName": "contoso-api-center",
+ "workspaceName": "default"
+ }
+}
+```
+
+In the `subscriptionId`, `resourceGroupName`, and `serviceName` properties, provide the information about your Azure API Center instance.
+
+In the `urlsToWatch` property, specify the URLs that your app uses.
+
+> [!TIP]
+> Use the [Dev Proxy Toolkit](https://aka.ms/devproxy/toolkit) Visual Studio Code extension to easily manage Dev Proxy configuration.
+
+### Add a reporter
+
+The `ApiCenterMinimalPermissionsPlugin` produces a report of APIs that your app is using, and the minimal permissions required to call them. To view this report, add a reporter to your Dev Proxy configuration file. Dev Proxy offers several [reporters](/microsoft-cloud/dev/dev-proxy/technical-reference/overview#reporters). In this example, you use the [plain-text reporter](/microsoft-cloud/dev/dev-proxy/technical-reference/plaintextreporter).
+
+Update your `devproxyrc.json` file with a reference to the plain-text reporter:
+
+```json
+{
+ "$schema": "https://raw.githubusercontent.com/microsoft/dev-proxy/main/schemas/v0.19.0/rc.schema.json",
+ "plugins": [
+ {
+ "name": "ApiCenterMinimalPermissionsPlugin",
+ "enabled": true,
+ "pluginPath": "~appFolder/plugins/dev-proxy-plugins.dll",
+ "configSection": "apiCenterMinimalPermissionsPlugin"
+ },
+ {
+ "name": "PlainTextReporter",
+ "enabled": true,
+ "pluginPath": "~appFolder/plugins/dev-proxy-plugins.dll"
+ }
+ ],
+ "urlsToWatch": [
+ "https://api.northwind.com/*"
+ ],
+ "apiCenterMinimalPermissionsPlugin": {
+ "subscriptionId": "00000000-0000-0000-0000-000000000000",
+ "resourceGroupName": "demo",
+ "serviceName": "contoso-api-center",
+ "workspaceName": "default"
+ }
+}
+```
+
+## Check if your app is calling APIs using minimal permissions
+
+To check if your app is calling APIs using minimal permissions, you need to connect to your Azure subscription, run Dev Proxy, and let it intercept API requests from your app. Dev Proxy then compares the information about the API requests with the information from Azure API Center and reports on the minimal permissions.
+
+### Connect to your Azure subscription
+
+Dev Proxy uses information from Azure API Center to determine if your app is calling APIs using minimal permissions. To get this information, it needs a connection to your Azure subscription. You can connect to your Azure subscription in [several ways](/microsoft-cloud/dev/dev-proxy/technical-reference/apicenterproductionversionplugin#remarks).
+
+### Run Dev Proxy
+
+After connecting to your Azure subscription, start Dev Proxy. If you start Dev Proxy from the same folder where your `devproxyrc.json` file is located, it automatically loads the configuration. Otherwise, specify the path to the configuration file using the `--config-file` option.
+
+When Dev Proxy starts, it checks that it can connect to your Azure subscription. When the connection is successful, you see a message similar to:
+
+```text
+ info Plugin ApiCenterMinimalPermissionsPlugin connecting to Azure...
+ info Listening on 127.0.0.1:8000...
+
+Hotkeys: issue (w)eb request, (r)ecord, (s)top recording, (c)lear screen
+Press CTRL+C to stop Dev Proxy
+```
+
+Press <kbd>r</kbd> to start recording API requests from your app.
+
+### Use your app
+
+Use your app as you would normally do. In this tutorial, you can use the following request with a simulated access token with `customer.readwrite` permission:
+
+```http
+@readwriteToken=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyLCJzY3AiOlsiY3VzdG9tZXIucmVhZHdyaXRlIl19.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
+
+GET https://api.northwind.com/customers/ALFKI
+Authorization: Bearer {{readwriteToken}}
+```
+
+Dev Proxy intercepts the API requests and stores information about them in memory. In the command line where Dev Proxy runs, you should see information about API requests that your app makes.
+
+```text
+ info Plugin ApiCenterMinimalPermissionsPlugin connecting to Azure...
+ info Listening on 127.0.0.1:8000...
+
+Hotkeys: issue (w)eb request, (r)ecord, (s)top recording, (c)lear screen
+Press CTRL+C to stop Dev Proxy
+
+Γùë Recording...
+
+ req Γò¡ GET https://api.northwind.com/customers/ALFKI
+ mock Γò░ 200 /{customer-id}
+```
+
+### Check permissions
+
+Stop the recording by pressing <kbd>s</kbd>. Dev Proxy connects to the API Center instance and compares the information about requests with the information from API Center.
+
+```text
+ info Plugin ApiCenterMinimalPermissionsPlugin connecting to Azure...
+ info Listening on 127.0.0.1:8000...
+
+Hotkeys: issue (w)eb request, (r)ecord, (s)top recording, (c)lear screen
+Press CTRL+C to stop Dev Proxy
+
+Γùë Recording...
+
+ req Γò¡ GET https://api.northwind.com/customers/ALFKI
+ mock Γò░ 200 /{customer-id}
+Γùï Stopped recording
+ info Checking if recorded API requests use minimal permissions as defined in API Center...
+ info Loading APIs from API Center...
+ info Loading API definitions from API Center...
+ info Checking minimal permissions for API https://api.northwind.com...
+ info Analyzing recorded requests...
+ warn Calling API Northwind with excessive permissions: customer.readwrite. Minimal permissions are: customer.read
+ info DONE
+```
+
+When Dev Proxy finishes its analysis, it creates a report in a file named `ApiCenterMinimalPermissionsPlugin_PlainTextReporter.txt` with the following contents:
+
+```text
+Azure API Center minimal permissions report
+
+APIS
+
+Northwind
+
+x Called using excessive permissions
+
+Permissions
+
+- Minimal permissions: customer.read
+- Permissions on the token: customer.readwrite
+- Excessive permissions: customer.readwrite
+
+Requests
+
+- GET https://api.northwind.com/customers/ALFKI
+
+UNMATCHED REQUESTS
+
+No unmatched requests found.
+
+ERRORS
+
+No errors occurred.
+```
+
+## Summary
+
+Using the `ApiCenterMinimalPermissionsPlugin`, you can check if your app is calling APIs using minimal permissions. The plugin compares the information about API requests from your app with information from Azure API Center and reports on excessive permissions. It also recommends the minimal permissions needed to call the APIs that you're using in your app. Verifying that your app is calling APIs using minimal permissions, helps you make your app more secure. You can run this check manually or integrate with your CI/CD pipeline to ensure that your app is calling APIs using minimal permissions before releasing it to production.
+
+## Related content
+
+- [Learn more about Dev Proxy](/microsoft-cloud/dev/dev-proxy/overview)
+- [Learn more about Azure API Center](./key-concepts.md)
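Review bot: the recorded output shows a mocked response (`mock ╰ 200 /{customer-id}`, rendered here as `mock Γò░ 200 /{customer-id}`) for `GET https://api.northwind.com/customers/ALFKI`, but neither `devproxyrc.json` snippet enables a mock-response plugin, so a reader who copies the configuration as shown will not get that result. Either add the mock plugin to both configuration snippets or say that the mock comes from the `demo-apicenter-minimalpermissions` preset mentioned in the TIP. Related: the "several ways" link under "Connect to your Azure subscription" points at `apicenterproductionversionplugin#remarks`, while this article is about `ApiCenterMinimalPermissionsPlugin`; verify the target. The token in the `http` block is labelled simulated, and it is worth stating explicitly that the plugin only decodes the token's claims to read the permissions on it and does not validate the token, so readers do not take this check for token verification. Stray `+` lines after the intro paragraph, after "upload the OpenAPI specification file", and after "copy the **name** of the API Center instance" look like dropped screenshot includes. The box-drawing characters in the three terminal blocks render as `Γùë`, `Γò¡` and `Γò░`, which suggests a UTF-8 file read with a legacy code page; confirm the source is saved as UTF-8. Minor wording: "this how to article" should be "this how-to article", and the comma in "Verifying that your app is calling APIs using minimal permissions, helps you" should go.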
api-center Find Nonproduction Api Requests Dev Proxy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-center/find-nonproduction-api-requests-dev-proxy.md
+
+ Title: Find nonproduction API requests with Dev Proxy
+description: Learn how to check if your app is using production-level APIs defined in Azure API Center using Dev Proxy.
+++ Last updated : 07/17/2024+++
+# Find nonproduction API requests with Dev Proxy
+
+When building your app, you might be using APIs that are still in preview. You often use preview APIs, when you're integrating with new features that are being built along with your app. Before you release your app to production, you should ensure that you're using production-level APIs. When you use stable APIs, which are supported and covered by Service Level Agreements (SLAs), your app is more robust.
+
+One way to check if your app is using production-level APIs, is by using [Dev Proxy](https://aka.ms/devproxy). Dev Proxy is an API simulator that intercepts and analyzes API requests from applications. One feature of Dev Proxy is checking if the intercepted API requests belong to a nonproduction API. Dev Proxy also recommends the production version of the API you're using.
++
+## Before you start
+
+To detect nonproduction API requests, you need to have an Azure API Center instance with information about the APIs that you use in your organization. If you haven't created one already, see [Quickstart: Create your API center](set-up-api-center.md). Additionally, you need to install [Dev Proxy](https://aka.ms/devproxy).
+
+### Register APIs in your API Center instance
+
+Register APIs that you use in your organization. For each API, define the versions you use and specify their lifecycle stage.
++
+The Dev Proxy's `ApiCenterProductionVersionPlugin` uses this information to check if the APIs, that your app is using, belong to production or nonproduction APIs.
+
+### Copy API Center information
+
+From the Azure API Center instance Overview page, copy the **name** of the API Center instance, the name of the **resource group** and the **subscription ID**. You need this information to configure the `ApiCenterProductionVersionPlugin` so that it can connect to your Azure API Center instance.
++
+## Configure Dev Proxy
+
+To check if your app is using production-level APIs, you need to enable the `ApiCenterProductionVersionPlugin` in the Dev Proxy configuration file. To create a report of APIs that your app uses, add a reporter.
+
+### Enable the `ApiCenterProductionVersionPlugin`
+
+In the `devproxyrc.json` file, add the following configuration:
+
+```json
+{
+ "$schema": "https://raw.githubusercontent.com/microsoft/dev-proxy/main/schemas/v0.19.0/rc.schema.json",
+ "plugins": [
+ {
+ "name": "ApiCenterProductionVersionPlugin",
+ "enabled": true,
+ "pluginPath": "~appFolder/plugins/dev-proxy-plugins.dll",
+ "configSection": "apiCenterProductionVersionPlugin"
+ }
+ ],
+ "urlsToWatch": [
+ "https://jsonplaceholder.typicode.com/*"
+ ],
+ "apiCenterProductionVersionPlugin": {
+ "subscriptionId": "00000000-0000-0000-0000-000000000000",
+ "resourceGroupName": "demo",
+ "serviceName": "contoso-api-center",
+ "workspaceName": "default"
+ }
+}
+```
+
+In the `subscriptionId`, `resourceGroupName`, and `serviceName` properties, provide the information about your Azure API Center instance.
+
+In the `urlsToWatch` property, specify the URLs that your app uses.
+
+> [!TIP]
+> Use the [Dev Proxy Toolkit](https://aka.ms/devproxy/toolkit) Visual Studio Code extension to easily manage Dev Proxy configuration.
+
+### Add a reporter
+
+The `ApiCenterProductionVersionPlugin` produces a report of APIs that your app is using. To view this report, add a reporter to your Dev Proxy configuration file. Dev Proxy offers several [reporters](/microsoft-cloud/dev/dev-proxy/technical-reference/overview#reporters). In this example, you use the [plain-text reporter](/microsoft-cloud/dev/dev-proxy/technical-reference/plaintextreporter).
+
+Update your `devproxyrc.json` file with a reference to the plain-text reporter:
+
+```json
+{
+ "$schema": "https://raw.githubusercontent.com/microsoft/dev-proxy/main/schemas/v0.19.0/rc.schema.json",
+ "plugins": [
+ {
+ "name": "ApiCenterProductionVersionPlugin",
+ "enabled": true,
+ "pluginPath": "~appFolder/plugins/dev-proxy-plugins.dll",
+ "configSection": "apiCenterProductionVersionPlugin"
+ },
+ {
+ "name": "PlainTextReporter",
+ "enabled": true,
+ "pluginPath": "~appFolder/plugins/dev-proxy-plugins.dll"
+ }
+ ],
+ "urlsToWatch": [
+ "https://jsonplaceholder.typicode.com/*"
+ ],
+ "apiCenterProductionVersionPlugin": {
+ "subscriptionId": "00000000-0000-0000-0000-000000000000",
+ "resourceGroupName": "demo",
+ "serviceName": "contoso-api-center",
+ "workspaceName": "default"
+ }
+}
+```
+
+## Check if your app is using production-level APIs
+
+To check if your app is using production-level APIs, you need to connect to your Azure subscription, run Dev Proxy, and let it intercept API requests from your app. Dev Proxy then compares the information about the API requests with the information from Azure API Center and reports on any nonproduction APIs.
+
+### Connect to your Azure subscription
+
+Dev Proxy uses information from Azure API Center to determine if the APIs your app is using are production-level. To get this information, it needs a connection to your Azure subscription. You can connect to your Azure subscription in [several ways](/microsoft-cloud/dev/dev-proxy/technical-reference/apicenterproductionversionplugin#remarks).
+
+### Run Dev Proxy
+
+After connecting to your Azure subscription, start Dev Proxy. If you start Dev Proxy from the same folder where your `devproxyrc.json` file is located, it automatically loads the configuration. Otherwise, specify the path to the configuration file using the `--config-file` option.
+
+When Dev Proxy starts, it checks that it can connect to your Azure subscription. When the connection is successful, you see a message similar to:
+
+```text
+ info Plugin ApiCenterProductionVersionPlugin connecting to Azure...
+ info Listening on 127.0.0.1:8000...
+
+Hotkeys: issue (w)eb request, (r)ecord, (s)top recording, (c)lear screen
+Press CTRL+C to stop Dev Proxy
+```
+
+Press <kbd>r</kbd> to start recording API requests from your app.
+
+### Use your app
+
+Use your app as you would normally do. Dev Proxy intercepts the API requests and stores information about them in memory. In the command line where Dev Proxy runs, you should see information about API requests that your app makes.
+
+```text
+ info Plugin ApiCenterProductionVersionPlugin connecting to Azure...
+ info Listening on 127.0.0.1:8000...
+
+Hotkeys: issue (w)eb request, (r)ecord, (s)top recording, (c)lear screen
+Press CTRL+C to stop Dev Proxy
+
+Γùë Recording...
+
+ req Γò¡ GET https://jsonplaceholder.typicode.com/posts?api-version=v1.0
+ api Γò░ Passed through
+
+ req Γò¡ GET https://jsonplaceholder.typicode.com/users?api-version=beta
+ api Γò░ Passed through
+```
+
+### Check API versions
+
+Stop the recording by pressing <kbd>s</kbd>. Dev Proxy connects to the API Center instance and compares the information about requests with the information from API Center.
+
+```text
+ info Plugin ApiCenterProductionVersionPlugin connecting to Azure...
+ info Listening on 127.0.0.1:8000...
+
+Hotkeys: issue (w)eb request, (r)ecord, (s)top recording, (c)lear screen
+Press CTRL+C to stop Dev Proxy
+
+Γùë Recording...
+
+ req Γò¡ GET https://jsonplaceholder.typicode.com/posts?api-version=v1.0
+ api Γò░ Passed through
+
+ req Γò¡ GET https://jsonplaceholder.typicode.com/users?api-version=beta
+ api Γò░ Passed through
+Γùï Stopped recording
+ info Checking if recorded API requests use production APIs as defined in API Center...
+ info Loading APIs from API Center...
+ info Analyzing recorded requests...
+ warn Request GET https://jsonplaceholder.typicode.com/users?api-version=beta uses API version beta which is defined as Preview. Upgrade to a production version of the API. Recommended versions: v1.0
+ info DONE
+```
+
+When Dev Proxy finishes its analysis, it creates a report in a file named `ApiCenterProductionVersionPlugin_PlainTextReporter.txt` with the following contents:
+
+```text
+Non-production APIs:
+
+ GET https://jsonplaceholder.typicode.com/users?api-version=beta
+
+Production APIs:
+
+ GET https://jsonplaceholder.typicode.com/posts?api-version=v1.0
+```
+
+## Summary
+
+Using Dev Proxy and its `ApiCenterProductionVersionPlugin`, you can check if your app is using production-level APIs. The plugin compares the information about API requests from your app with information from Azure API Center and reports on any nonproduction API requests. It also recommends the production version of the APIs you're using. Verifying what APIs your app is using, helps you ensure that your app is using stable APIs, which are supported and covered by SLAs, making your app more robust. You can run this check manually or integrate with your CI/CD pipeline to ensure that your app is using production-level APIs before releasing it to production.
+
+## Related content
+
+- [Learn more about Dev Proxy](/microsoft-cloud/dev/dev-proxy/overview)
+- [Learn more about Azure API Center](./key-concepts.md)
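Review bot: in this article the recorded requests are "Passed through" to `https://jsonplaceholder.typicode.com`, so recording forwards live traffic to that third-party service, unlike the companion minimal-permissions article, where the response is mocked; say so in "Use your app" so readers know the proxy sends real requests while recording. Stray `+` lines after "Dev Proxy also recommends the production version of the API you're using.", after "specify their lifecycle stage.", and after "copy the **name** of the API Center instance" look like dropped screenshot includes. The same `Γùë`/`Γò¡`/`Γò░` rendering of the box-drawing characters appears in the terminal blocks here; check the file encoding. Wording: "The Dev Proxy's `ApiCenterProductionVersionPlugin`" should match the other article ("The Dev Proxy `ApiCenterProductionVersionPlugin`"), and the commas in "You often use preview APIs, when you're integrating", "production-level APIs, is by using", "the APIs, that your app is using, belong" and "Verifying what APIs your app is using, helps you" should be removed.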
api-center Import Api Management Apis https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-center/import-api-management-apis.md
This article shows two options for using the Azure CLI to add APIs to your API c
* Run [az apic api register](/cli/azure/apic/api#az-apic-api-register) to register a new API in your API center. * Run [az apic api definition import-specification](/cli/azure/apic/api/definition#az-apic-api-definition-import-specification) to import the API definition to an existing API.
-* **Option 2** - Import APIs directly from API Management to your API center using the [az apic import-from-apim](/cli/azure/apic/az-apic-import-from-apim) command.
+* **Option 2** - Import APIs directly from API Management to your API center using the [az apic import-from-apim](/cli/azure/apic#az-apic-import-from-apim) command.
After importing API definitions or APIs from API Management, you can add metadata and documentation in your API center to help stakeholders discover, understand, and consume the API.
api-center Manage Apis Azure Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-center/manage-apis-azure-cli.md
To delete individual API versions and definitions, use [az apic api version dele
## Related content
-* See the [Azure CLI reference for Azure API Center](/cli/azure/apic) for a complete command list, including commands to manage [environments](/cli/azure/apic/environment), [deployments](/cli/azure/apic/api/deployment), [metadata schemas](/cli/azure/apic/metadata), and [services](/cli/azure/apic/service).
+* See the [Azure CLI reference for Azure API Center](/cli/azure/apic) for a complete command list, including commands to manage [environments](/cli/azure/apic/environment), [deployments](/cli/azure/apic/api/deployment), [metadata schemas](/cli/azure/apic/metadata), and [services](/cli/azure/apic).
* [Import APIs to your API center from API Management](import-api-management-apis.md) * [Use the Visual Studio extension for API Center](use-vscode-extension.md) to build and register APIs from Visual Studio Code.
api-center Use Vscode Extension https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-center/use-vscode-extension.md
Visual Studio Code will open a diff view between the two API specifications. Any
Use the power of GitHub Copilot with the Azure API Center extension for Visual Studio Code to create an OpenAPI specification file from your API code. Right click on the API code, select **Copilot** from the options, and select **Generate API documentation**. This will create an OpenAPI specification file. + After generating the OpenAPI specification file and checking for accuracy, you can register the API with your API center using the **Azure API Center: Register API** command. ## Discover APIs
api-management Api Management Kubernetes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-kubernetes.md
Cons:
Although Option 1 might be easier, it has notable drawbacks as mentioned above. If an API Management instance doesn't reside in the cluster VNet, Mutual TLS authentication (mTLS) is a robust way of ensuring the traffic is secure and trusted in both directions between an API Management instance and an AKS cluster.
-Mutual TLS authentication is [natively supported](./api-management-howto-mutual-certificates.md) by API Management and can be enabled in Kubernetes by [installing an Ingress Controller](../aks/ingress-own-tls.md) (Fig. 3). As a result, authentication will be performed in the Ingress Controller, which simplifies the microservices. Additionally, you can add the IP addresses of API Management to the allowed list by Ingress to make sure only API Management has access to the cluster.
+Mutual TLS authentication is [natively supported](./api-management-howto-mutual-certificates.md) by API Management and can be enabled in Kubernetes by [installing an Ingress Controller](../aks/ingress-own-tls.md) (Fig. 3). As a result, authentication will be performed in the Ingress Controller, which simplifies the microservices. Additionally, you can add the IP addresses of API Management to the allowed list by Ingress to make sure only API Management has access to the cluster. If API Management [Premium Tier](./api-management-using-with-internal-vnet.md) or [Standard V2](./integrate-vnet-outbound.md) tier is used, network level isolation can be achieved.
![Publish via an ingress controller](./media/api-management-aks/ingress-controller.png)
Pros:
Cons: * Increases complexity of cluster configuration due to extra work to install, configure and maintain the Ingress Controller and manage certificates used for mTLS
-* Security risk due to public visibility of Ingress Controller endpoint(s)
+* Security risk due to public visibility of Ingress Controller endpoint(s) unless API Management Standard v2 or Premium tier is being used.
When you publish APIs through API Management, it's easy and common to secure access to those APIs by using subscription keys. Developers who need to consume the published APIs must include a valid subscription key in HTTP requests when they make calls to those APIs. Otherwise, the calls are rejected immediately by the API Management gateway. They aren't forwarded to the back-end services.
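Review bot: the new clause in the Cons bullet, "unless API Management Standard v2 or Premium tier is being used", overstates what the tier gives you. The sentence added to the paragraph above only says that network-level isolation "can be achieved" with those tiers, and the two links point to different integration modes (internal VNet for Premium, outbound VNet integration for Standard v2); the Ingress Controller endpoint stays publicly visible until the API Management instance is actually integrated with the cluster network and the ingress is restricted to that path. Suggest "unless the API Management instance is VNet-integrated (Premium or Standard v2 tier) and the ingress accepts traffic only from that network." Also make the tier names consistent: "Premium Tier"/"Premium tier" and "Standard V2"/"Standard v2" appear within a few lines of each other.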
app-service Creation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/environment/creation.md
Title: Create an App Service Environment
description: Learn how to create an App Service Environment. Previously updated : 03/09/2023 Last updated : 07/18/2024
For the deployment type, you can choose *single zone*, *zone redundant*, or *hos
In a zone redundant App Service Environment, your apps spread across three zones in the same region. Zone redundant is available in regions that support availability zones. With this deployment type, the smallest size for your App Service plan is three instances. That ensures that there's an instance in each availability zone. App Service plans can be scaled up one or more instances at a time. Scaling doesn't need to be in units of three, but the app is only balanced across all availability zones when the total instances are multiples of three.
-A zone redundant deployment has triple the infrastructure, and ensures that even if two of the three zones go down, your workloads remain available. Due to the increased system need, the minimum charge for a zone redundant App Service Environment is nine instances. If you've fewer than this number of instances, the difference is charged as Windows I1v2. If you've nine or more instances, there's no added charge to have a zone redundant App Service Environment. To learn more about zone redundancy, see [Regions and availability zones](./overview-zone-redundancy.md).
+A zone redundant deployment has triple the infrastructure, and ensures that even if two of the three zones go down, your workloads remain available. Due to the increased system need, the minimum charge for a zone redundant App Service Environment is 18 cores. If you've fewer than this number of cores across all App Service plans in your App Service Environment, the difference is charged as Windows I1v2. If you've 18 or more cores, there's no added charge to have a zone redundant App Service Environment. To learn more about zone redundancy, see [Regions and availability zones](./overview-zone-redundancy.md). For sample calculations for zone redundant App Service Environment, see [App Service Environment pricing](overview.md#pricing).
In a host group deployment, your apps are deployed onto a dedicated host group. The dedicated host group isn't zone redundant. With this type of deployment, you can install and use your App Service Environment on dedicated hardware. There's no minimum instance charge for using App Service Environment on a dedicated host group, but you do have to pay for the host group when you're provisioning the App Service Environment. You also pay a discounted App Service plan rate as you create your plans and scale out.
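Review bot: the rewritten minimum-charge sentence changes the unit from nine instances to 18 cores but still says the shortfall "is charged as Windows I1v2" without stating how cores map to I1v2 instances, so a reader cannot reconcile the new figure with the three-instance-per-plan minimum given two paragraphs earlier; add the per-instance core count or an explicit instance equivalent next to "18 cores". Minor: "If you've fewer" and "If you've 18 or more" read awkwardly; use "If you have".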
app-service Migrate https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/environment/migrate.md
description: Learn how to migrate your App Service Environment to App Service En
Previously updated : 7/3/2024 Last updated : 7/18/2024 zone_pivot_groups: app-service-cli-portal
app-service Networking https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/environment/networking.md
Title: App Service Environment networking
description: App Service Environment networking details Previously updated : 04/23/2024 Last updated : 07/18/2024
You can bring your own inbound address to your App Service Environment. If you c
For your app to receive traffic, ensure that inbound network security group (NSG) rules allow the App Service Environment subnet to receive traffic from the required ports. In addition to any ports, you'd like to receive traffic on, you should ensure that Azure Load Balancer is able to connect to the subnet on port 80. This port is used for health checks of the internal virtual machine. You can still control port 80 traffic from the virtual network to your subnet.
+> [!NOTE]
+> Changes to NSG rules can take up to 14 days to take effect due to HTTP connection persistence. If you make a change that blocks platform/management traffic, it could take up to 14 days for the impact to be seen.
+>
+ It's a good idea to configure the following inbound NSG rule: |Source / Destination Port(s)|Direction|Source|Destination|Purpose|
The minimal requirement for App Service Environment to be operational is:
|* / 80|Inbound|AzureLoadBalancer|App Service Environment subnet range|Allow internal health ping traffic| If you use the minimum required rule, you might need one or more rules for your application traffic. If you're using any of the deployment or debugging options, you must also allow this traffic to the App Service Environment subnet. The source of these rules can be the virtual network, or one or more specific client IPs or IP ranges. The destination is always the App Service Environment subnet range.+ The internal health ping traffic on port 80 is isolated between the Load balancer and the internal servers. No outside traffic can reach the health ping endpoint. The normal app access ports inbound are as follows:
The normal app access ports inbound are as follows:
> [!NOTE] > For FTP access, even if you want to disallow standard FTP on port 21, you still need to allow traffic from the LoadBalancer to the App Service Environment subnet range on port 21, as this is used for internal health ping traffic for the ftp service specifically.
+>
## Network routing
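Review bot: the new note "+> Changes to NSG rules can take up to 14 days to take effect due to HTTP connection persistence" can be read as a 14-day delay for every rule change, which matters to anyone adding a deny rule to contain unwanted traffic; say whether new connections are evaluated against the updated rules immediately and only already-established persistent connections keep flowing for up to 14 days, if that is the intended meaning. The empty "+>" quote lines after this note and after the FTP note should be dropped, and in "+ It's a good idea to configure the following inbound NSG rule: |Source / Destination Port(s)|Direction|Source|Destination|Purpose|" the table header has been joined onto the sentence, so the table will not render until it starts on its own line.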
app-service Quickstart Python https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/quickstart-python.md
Title: 'Quickstart: Deploy a Python (Django or Flask) web app to Azure'
+ Title: 'Quickstart: Deploy a Python (Django, Flask, or FastAPI) web app to Azure'
description: Get started with Azure App Service by deploying your first Python app to Azure App Service. Previously updated : 07/26/2023 Last updated : 06/28/2024 ms.devlang: python
[!INCLUDE [regionalization-note](./includes/regionalization-note.md)]
-In this quickstart, you'll deploy a Python web app (Django or Flask) to [Azure App Service](./overview.md#app-service-on-linux). Azure App Service is a fully managed web hosting service that supports Python apps hosted in a Linux server environment.
+In this quickstart, you deploy a Python web app (Django, Flask, or FastAPI) to [Azure App Service](./overview.md#app-service-on-linux). Azure App Service is a fully managed web hosting service that supports Python apps hosted in a Linux server environment.
To complete this quickstart, you need:
To complete this quickstart, you need:
## 1 - Sample application
-This quickstart can be completed using either Flask or Django. A sample application in each framework is provided to help you follow along with this quickstart. Download or clone the sample application to your local workstation.
+This quickstart can be completed using either Flask, Django, or FastAPI. A sample application in each framework is provided to help you follow along with this quickstart. Download or clone the sample application to your local workstation.
### [Flask](#tab/flask)
git clone https://github.com/Azure-Samples/msdocs-python-flask-webapp-quickstart
git clone https://github.com/Azure-Samples/msdocs-python-django-webapp-quickstart ```
+### [FastAPI](#tab/fastapi)
+
+```Console
+git clone https://github.com/Azure-Samples/msdocs-python-fastapi-webapp-quickstart.git
+```
+ To run the application locally:
Having issues? [Let us know](https://aka.ms/PythonAppServiceQuickstartFeedback).
Having issues? [Let us know](https://aka.ms/PythonAppServiceQuickstartFeedback).
+### [FastAPI](#tab/fastapi)
+
+1. Go to the application folder:
+
+ ```Console
+ cd msdocs-python-fastapi-webapp-quickstart
+ ```
+
+1. Create a virtual environment for the app:
+
+ [!INCLUDE [Virtual environment setup](./includes/quickstart-python/virtual-environment-setup.md)]
+
+1. Install the dependencies:
+
+ ```Console
+ pip install -r requirements.txt
+ ```
+
+1. Run the app:
+
+ ```Console
+ uvicorn main:app --reload
+ ```
+
+1. Browse to the sample application at `http://localhost:8000` in a web browser.
+
+ :::image type="content" source="./media/quickstart-python/run-django-app-localhost.png" alt-text="Screenshot of the FastAPI app running locally in a browser.":::
+
+Having issues? [Let us know](https://aka.ms/PythonAppServiceQuickstartFeedback).
+ ## 2 - Create a web app in Azure
To create Azure resources in VS Code, you must have the [Azure Tools extension p
> [Download Azure Tools extension pack](https://marketplace.visualstudio.com/items?itemName=ms-vscode.vscode-node-azure-pack) In the application folder, open VS Code:+ ```Console code . ```
Azure App service supports multiple methods to deploy your application code to A
Having issues? Refer first to the [Troubleshooting guide](./configure-language-python.md#troubleshooting), otherwise, [let us know](https://aka.ms/PythonAppServiceQuickstartFeedback).
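Review bot: in the FastAPI local-run steps, the screenshot step references source="./media/quickstart-python/run-django-app-localhost.png" while its alt-text describes "the FastAPI app running locally"; the file name indicates the Django screenshot, so either capture a FastAPI image or correct the alt-text. Also mark the `--reload` flag in "uvicorn main:app --reload" as development-only (it restarts the server on file changes) so readers do not carry it into the startup command configured later in the quickstart.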
-## 4 - Browse to the app
+## 4 - Configure startup script
+
+Based on the presence of certain files in a deployment, App Service automatically detects whether an app is a Django or Flask app and performs default steps to run your app. For apps based on other web frameworks like FastAPI, you need to configure a startup script for App Service to run your app; otherwise, App Service runs a default read-only app located in the *opt/defaultsite* folder.
+
+To learn more about how App Service runs Python apps and how you can configure and customize its behavior with your app, see [Configure a Linux Python app for Azure App Service](configure-language-python.md).
+
+### [Azure CLI](#tab/azure-cli/flask)
+
+App Service automatically detects the presence of a Flask app. No additional configuration is needed for this quickstart.
+
+### [Azure CLI](#tab/azure-cli/django)
+
+App Service automatically detects the presence of a Django app. No additional configuration is needed for this quickstart.
+
+### [Azure CLI](#tab/azure-cli/fastapi)
+
+For FastAPI, you must configure a custom startup command for App Service to run your app. The following command starts Gunicorn with 2 Uvicorn worker processes: `gunicorn -w 2 -k uvicorn.workers.UvicornWorker -b 0.0.0.0:8000 main:app`.
+
+First, configure the startup command using the [az webapp config set](/cli/azure/webapp/config#az-webapp-config-set) command.
+
+```azurecli
+az webapp config set \
+ --startup-file "gunicorn -w 2 -k uvicorn.workers.UvicornWorker -b 0.0.0.0:8000 main:app" \
+ --name $APP_SERVICE_NAME \
+ --resource-group $RESOURCE_GROUP_NAME
+```
+
+Next, restart the web app using the [az webapp restart](/cli/azure/webapp#az-webapp-restart) command.
+
+```azurecli
+az webapp restart \
+ --name $APP_SERVICE_NAME \
+ --resource-group $RESOURCE_GROUP_NAME
+```
+
+### [VS Code](#tab/vscode-aztools/flask)
+
+App Service automatically detects the presence of a Flask app. No additional configuration is needed for this quickstart.
+
+### [VS Code](#tab/vscode-aztools/django)
+
+App Service automatically detects the presence of a Django app. No additional configuration is needed for this quickstart.
+
+### [VS Code](#tab/vscode-aztools/fastapi)
+
+Use Azure CLI or the Azure portal to configure the startup command.
+
+### [Azure portal](#tab/azure-portal/flask)
+
+App Service automatically detects the presence of a Flask app. No additional configuration is needed for this quickstart.
+
+### [Azure portal](#tab/azure-portal/django)
+
+App Service automatically detects the presence of a Django app. No additional configuration is needed for this quickstart.
+
+### [Azure portal](#tab/azure-portal/fastapi)
+
+For FastAPI, you must configure a custom startup command for App Service to run your app. The following command starts Gunicorn with 2 Uvicorn worker processes: `gunicorn -w 2 -k uvicorn.workers.UvicornWorker -b 0.0.0.0:8000 main:app`.
+
+| Instructions | Screenshot |
+|:-|--:|
+| [!INCLUDE [Configure startup command from Azure portal 1](./includes/quickstart-python/configure-startup-azure-portal-1.md)] | :::image type="content" source="./media/quickstart-python/configure-startup-azure-portal-1-240px.png" alt-text="A screenshot of the location in the Azure portal where to configure the startup command." lightbox="./media/quickstart-python/configure-startup-azure-portal-1.png"::: |
+| [!INCLUDE [Configure startup command from Azure portal 2](./includes/quickstart-python/configure-startup-azure-portal-2.md)] | :::image type="content" source="./media/quickstart-python/configure-startup-azure-portal-2-240px.png" alt-text="A screenshot of how to reset the web app in the Azure portal." lightbox="./media/quickstart-python/configure-startup-azure-portal-2.png"::: |
+++
+## 5 - Browse to the app
Browse to the deployed application in your web browser at the URL `http://<app-name>.azurewebsites.net`. If you see a default app page, wait a minute and refresh the browser.
The Python sample code is running a Linux container in App Service using a built
Having issues? Refer first to the [Troubleshooting guide](./configure-language-python.md#troubleshooting), otherwise, [let us know](https://aka.ms/PythonAppServiceQuickstartFeedback).
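Review bot: "+...App Service runs a default read-only app located in the *opt/defaultsite* folder" gives a relative path; confirm whether this should be the absolute container path /opt/defaultsite. For the FastAPI startup command `gunicorn -w 2 -k uvicorn.workers.UvicornWorker -b 0.0.0.0:8000 main:app`, add one sentence saying why it binds to all interfaces on port 8000 (the platform, not the public Internet, connects to that port inside the container) so readers do not reuse the same bind address when running on their own machines. The VS Code tab for FastAPI only says "Use Azure CLI or the Azure portal to configure the startup command"; linking the two tabs that carry the steps would make it usable. Minor: "App Service automatically detects the presence of a ... app. No additional configuration is needed for this quickstart." is repeated six times across the tabs; an include would keep the copies in sync.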
-## 5 - Stream logs
+## 6 - Stream logs
Azure App Service captures all messages output to the console to assist you in diagnosing issues with your application. The sample apps include `print()` statements to demonstrate this capability. ### [Flask](#tab/flask) ### [Django](#tab/django) :::code language="python" source="~/msdocs-python-django-webapp-quickstart/hello_azure/views.py" range="5-21" highlight="2,11,14":::
+### [FastAPI](#tab/fastapi)
++ The contents of the App Service diagnostic logs can be reviewed using the Azure CLI, VS Code, or Azure portal.
Having issues? [Let us know](https://aka.ms/PythonAppServiceQuickstartFeedback).
## Next steps > [!div class="nextstepaction"]
-> [Tutorial: Python (Django) web app with PostgreSQL](./tutorial-python-postgresql-app.md)
+> [Tutorial: Python (Django or Flask) web app with PostgreSQL](./tutorial-python-postgresql-app.md)
> [!div class="nextstepaction"] > [Configure Python app](./configure-language-python.md)
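Review bot: the new "+### [FastAPI](#tab/fastapi)" tab under "## 6 - Stream logs" has no content between the tab heading and "The contents of the App Service diagnostic logs can be reviewed using the Azure CLI, VS Code, or Azure portal.", whereas the Django tab carries a `:::code ... source="~/msdocs-python-django-webapp-quickstart/hello_azure/views.py"` snippet showing the `print()` statements the paragraph promises; add the equivalent snippet from the FastAPI sample so the tab is not empty. The line following the tab heading also starts with a stray "++".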
application-gateway Application Gateway Private Deployment https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/application-gateway-private-deployment.md
Previously updated : 05/22/2023 Last updated : 07/18/2024 #Customer intent: As an administrator, I want to evaluate Azure Private Application Gateway
Historically, Application Gateway v2 SKUs, and to a certain extent v1, have required public IP addressing to enable management of the service. This requirement has imposed several limitations in using fine-grain controls in Network Security Groups and Route Tables. Specifically, the following challenges have been observed:
-1. All Application Gateways v2 deployments must contain public facing frontend IP configuration to enable communication to the **Gateway Manager** service tag.
-2. Network Security Group associations require rules to allow inbound access from GatewayManager and Outbound access to Internet.
-3. When introducing a default route (0.0.0.0/0) to forward traffic anywhere other than the Internet, metrics, monitoring, and updates of the gateway result in a failed status.
+* All Application Gateways v2 deployments must contain public facing frontend IP configuration to enable communication to the **Gateway Manager** service tag.
+* Network Security Group associations require rules to allow inbound access from GatewayManager and Outbound access to Internet.
+* When introducing a default route (0.0.0.0/0) to forward traffic anywhere other than the Internet, metrics, monitoring, and updates of the gateway result in a failed status.
Application Gateway v2 can now address each of these items to further eliminate risk of data exfiltration and control privacy of communication from within the virtual network. These changes include the following capabilities:
-1. Private IP address only frontend IP configuration
+* Private IP address only frontend IP configuration
- No public IP address resource required
-2. Elimination of inbound traffic from GatewayManager service tag via Network Security Group
-3. Ability to define a **Deny All** outbound Network Security Group (NSG) rule to restrict egress traffic to the Internet
-4. Ability to override the default route to the Internet (0.0.0.0/0)
-5. DNS resolution via defined resolvers on the virtual network [Learn more](../virtual-network/manage-virtual-network.yml#change-dns-servers), including private link private DNS zones.
+* Elimination of inbound traffic from GatewayManager service tag via Network Security Group
+* Ability to define a **Deny All** outbound Network Security Group (NSG) rule to restrict egress traffic to the Internet
+* Ability to override the default route to the Internet (0.0.0.0/0)
+* DNS resolution via defined resolvers on the virtual network [Learn more](../virtual-network/manage-virtual-network.yml#change-dns-servers), including private link private DNS zones.
Each of these features can be configured independently. For example, a public IP address can be used to allow traffic inbound from the Internet and you can define a **_Deny All_** outbound rule in the network security group configuration to prevent data exfiltration.
For more information about preview features, see [Set up preview features in Azu
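Review bot: in the converted bullet "+* DNS resolution via defined resolvers on the virtual network [Learn more](...), including private link private DNS zones." the link interrupts the sentence; move "Learn more" after "private DNS zones". Also "Outbound access to Internet" in the second challenge bullet should read "outbound access to the Internet" to match the other bullets, and "public facing frontend IP configuration" should be "public-facing".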
## Register to the preview
-# [Azure Portal](#tab/portal)
+# [Azure portal](#tab/portal)
Use the following steps to enroll into the public preview for the enhanced Application Gateway network controls via the Azure portal:
For more information about preview features, see [Set up preview features in Azu
## Unregister from the preview
-# [Azure Portal](#tab/portal)
+# [Azure portal](#tab/portal)
To opt out of the public preview for the enhanced Application Gateway network controls via Portal, use the following steps:
To create a route table and associate it to the Application Gateway subnet:
While in public preview, the following limitations are known.
-### Private link configuration (preview)
+### Private link configuration
[Private link configuration](private-link.md) support for tunneling traffic through private endpoints to Application Gateway is unsupported with private only gateway.
application-gateway Diagnostics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/for-containers/diagnostics.md
Previously updated : 02/27/2024 Last updated : 07/17/2024
Each access log entry in Application Gateway for Containers contains the followi
| trackingId | Generated guid by Application Gateway for Containers to help with tracking and debugging. This value correlates to the x-request-id header returned to the client from Application Gateway for Containers. | | userAgent | User-Agent header of the request received from the client by Application Gateway for Containers |
+>[!Note]
+>Query string parameter values such as "secret", "password", "pwd", "passwd", "key", "token", "pat", "accesskey", "accesstoken", "credential", "sas", "personalAccessToken", and "personal.access.token" logged in the requestUri field will be replaced with a value of _**<redacted\>**_ to prevent sensitive information from being logged. This is non-configurable.
+ Here an example of the access log emitted in JSON format to a storage account. ```JSON
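Review bot: the new redaction note lists parameter names "such as" secret, password, pwd, passwd, key, token, pat, accesskey, accesstoken, credential, sas, personalAccessToken and personal.access.token, but does not say whether that list is exhaustive, whether matching is case-insensitive, or whether partial names count (for example "api_key" or "Token"); because the requestUri field is written to the storage account, any parameter name that does not match is logged in full, and readers deciding what may travel in a query string need that precision. Say explicitly that the redaction applies only to the query string of requestUri and not to path segments or other logged fields, if that is the case, and write the placeholder as `<redacted>` in backticks rather than `_**<redacted\>**_`, which renders oddly. "Here an example of the access log" is also missing "is".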
automanage Repair Automanage Account https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automanage/repair-automanage-account.md
If you're using an ARM template or the Azure CLI, you'll need the Principal ID (
| Assign access to | User, group, or service principal | | Members | \<Name of your Automanage account> |
- ![Screenshot showing Add role assignment page in Azure portal.](../../includes/role-based-access-control/media/add-role-assignment-page.png)
+ ![Screenshot showing Add role assignment page in Azure portal.](~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-page.png)
1. Repeat steps 2 through 4, selecting the **Resource Policy Contributor** role.
automation Automation Update Azure Modules https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/automation-update-azure-modules.md
Title: Update Azure PowerShell modules in Azure Automation
description: This article tells how to update common Azure PowerShell modules provided by default in Azure Automation. Previously updated : 07/03/2023 Last updated : 07/17/2024
The most common PowerShell modules are provided by default in each Automation ac
> [!NOTE] > You can't delete global modules, which are modules that Automation provides out of the box.
+> [!IMPORTANT]
+> New Runtime environment experience allows you to manage modules and packages by allowing you to configure the job execution environment. In the new experience, Modules and Packages blades are not available. To manage modules and packages, see [Manage Runtime environment and associated runbooks](manage-runtime-environment.md).
## Set up an Automation account
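Review bot: "+> New Runtime environment experience allows you to manage modules and packages by allowing you to configure the job execution environment." stacks "allows ... by allowing"; suggest "The new Runtime environment experience lets you manage modules and packages by configuring the job execution environment." The same sentence is added verbatim in the shared-resources/modules.md hunk further down, so change both together or move the note into a shared include.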
automation Manage Runtime Environment https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/manage-runtime-environment.md
An Azure Automation account in supported public region (except Central India, Ge
> [!NOTE] > - When you import a package, it might take several minutes. 100MB is the maximum total size of the files that you can import.
- > - Use *.zip* files for PowerShell runbook types as mentioned [here](https://learn.microsoft.com/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.4)
+ > - Use *.zip* files for PowerShell runbook types as mentioned [here](/powershell/scripting/developer/module/understanding-a-windows-powershell-module)
> - For Python 3.8 packages, use .tar.gz or .whl files targeting cp38-amd64. > - For Python 3.10 (preview) packages, use .whl files targeting cp310 Linux OS.
automation Runtime Environment Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/runtime-environment-overview.md
Title: Runtime environment (preview) in Azure Automation
description: This article provides an overview on Runtime environment in Azure Automation. Previously updated : 04/01/2024 Last updated : 07/17/2024
You can't edit these Runtime environments. However, any changes that are made in
- Runtime environment can't be configured through Azure Automation extension for Visual Studio Code. - Deleted Runtime environments cannot be recovered. - The feature is only supported through Azure portal and [REST API](/rest/api/automation/runtime-environments?view=rest-automation-2023-05-15-preview&preserve-view=true).
+- Management of modules for Azure Automation State Configuration is not supported through Runtime environment experience. You can continue using the old experience for managing modules and packages for Azure Automation State Configuration.
## Switch between new and old experience
automation Modules https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/shared-resources/modules.md
Title: Manage modules in Azure Automation
description: This article tells how to use PowerShell modules to enable cmdlets in runbooks and DSC resources in DSC configurations. Previously updated : 11/01/2021 Last updated : 07/17/2024
Azure Automation uses a number of PowerShell modules to enable cmdlets in runboo
When you create an Automation account, Azure Automation imports some modules by default. See [Default modules](#default-modules).
+> [!IMPORTANT]
+> New Runtime environment experience allows you to manage modules and packages by allowing you to configure the job execution environment. In the new experience, Modules and Packages blades are not available. To manage modules and packages, see [Manage Runtime environment and associated runbooks](../manage-runtime-environment.md).
+ ## Sandboxes When Automation executes runbook and DSC compilation jobs, it loads the modules into sandboxes where the runbooks can run and the DSC configurations can compile. Automation also automatically places any DSC resources in modules on the DSC pull server. Machines can pull the resources when they apply the DSC configurations.
azure-arc Release Notes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/data/release-notes.md
Previously updated : 04/09/2024 Last updated : 07/17/2024 #Customer intent: As a data professional, I want to understand why my solutions would benefit from running with Azure Arc-enabled data services so that I can leverage the capability of the feature.
This article highlights capabilities, features, and enhancements recently released or improved for Azure Arc-enabled data services.
+## July 9, 2024
+
+**Image tag**: `v1.31.0_2024-07-09`
+
+For complete release version information, review [Version log](version-log.md#july-9-2024).
+ ## June 11, 2024 **Image tag**: `v1.30.0_2024-06-11`
azure-arc Custom Locations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/kubernetes/custom-locations.md
In this article, you learn how to enable custom locations on an Arc-enabled Kube
## Enable custom locations on your cluster > [!TIP]
-> The custom locations feature is dependent on the [cluster connect](cluster-connect.md) feature. Both features have to be enabled in the cluster for custom locations to work.
+> The custom locations feature is dependent on the [cluster connect](cluster-connect.md) feature. Both features must be enabled in the cluster for custom locations to function. To enable the custom locations feature, follow the steps below:
If you are signed in to Azure CLI as a Microsoft Entra user, use the following command:
If you run the above command while signed in to Azure CLI using a service princi
Unable to fetch oid of 'custom-locations' app. Proceeding without enabling the feature. Insufficient privileges to complete the operation. ```
-This is because a service principal doesn't have permissions to get information about the application used by the Azure Arc service (custom location). To avoid this error, complete the following steps:
+This warning occurs because the service principal lacks the necessary permissions to retrieve the `oid` (object ID) of the custom location used by the Azure Arc service. To avoid this error, follow these steps:
-1. Sign in to Azure CLI using your user account. Fetch the `objectId` or `id` of the custom location application used by the Azure Arc service by using the following command:
+1. Sign in to Azure CLI with your user account.
- ```azurecli
+1. Run the following command to fetch the `oid` (object ID) of the custom location, where `--id` is predefined and set to `bc313c14-388c-4e7d-a58e-70017303ee3b`:
+
+ **Important!** Copy and run the command exactly as it is shown below. Do not replace the value passed to the `--id` parameter with a different value.
+
+ ```azurecli
az ad sp show --id bc313c14-388c-4e7d-a58e-70017303ee3b --query id -o tsv ```
-1. Sign in to Azure CLI using the service principal. Use the `<objectId>` or `id` value from the previous step to enable custom locations on the cluster:
+1. Sign in to Azure CLI using the service principal. Run the following command to enable the custom locations feature on the cluster, using the `oid` (object ID) value from the previous step for the `--custom-locations-oid` parameter:
```azurecli
- az connectedk8s enable-features -n <cluster-name> -g <resource-group-name> --custom-locations-oid <objectId/id> --features cluster-connect custom-locations
+ az connectedk8s enable-features -n <cluster-name> -g <resource-group-name> --custom-locations-oid <cl-oid> --features cluster-connect custom-locations
``` ## Create custom location
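Review bot: "+This warning occurs because the service principal lacks the necessary permissions to retrieve the `oid` (object ID) of the custom location used by the Azure Arc service" misdescribes what `az ad sp show --id bc313c14-388c-4e7d-a58e-70017303ee3b --query id -o tsv` returns: the `--id` value is the fixed application ID of the custom-locations application (which is why the "Important!" step tells readers not to change it), and the returned `id` is the object ID of that application's service principal in the reader's tenant, which differs from tenant to tenant. Say so; the removed wording "custom location application used by the Azure Arc service" was closer than "of the custom location". The hunk also calls the same message a "warning" and then "this error" in consecutive sentences, and since the CLI output reads "Proceeding without enabling the feature", it should stress that custom locations is silently left disabled in that case and that `az connectedk8s enable-features ... --features cluster-connect custom-locations` has to be rerun with the `--custom-locations-oid` value.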
azure-arc Troubleshoot Resource Bridge https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/resource-bridge/troubleshoot-resource-bridge.md
When deploying Arc resource bridge, you may receive the error: `{ _errorCode_: _
This error occurs in the deployment process when images need to be downloaded from Microsoft registries to the deployment machine and the download is being blocked by a proxy or firewall. Review the [network requirements](network-requirements.md#general-network-requirements) and verify that all required URLs are reachable. You may need to update your no proxy settings to ensure that traffic from your deployment machine to Microsoft required URLs are not going through a proxy.
+### SSH folder access denied
+
+The CLI requires permission to access the SSH folder during deployment or operations that involve accessing files within the folder. This folder contains essential files such as the kubeconfig and logs key for the appliance VM. For instance, the CLI needs to access the logs key stored in the SSH folder to collect logs from the appliance VM.
+
+If you encounter an error stating: `Access to the file in the SSH folder was denied. This may occur if the CLI doesn't have permission to the SSH folder or if another CLI instance is using the file`, there are two common causes for this issue:
+
+1. Insufficient permissions: The CLI lacks the necessary permissions to access the SSH folder. Ensure that the user account running the CLI has appropriate permissions to access the SSH folder.
+
+1. Concurrent file access: Another instance of the CLI might be using the file in the SSH folder. This often happens on workstations with shared profiles. Ensure that any other CLI instance completes or terminates its operation before you proceed.
+ ### Arc resource bridge is offline If the resource bridge is offline, this is typically due to a networking change in the infrastructure, environment or cluster that stops the appliance VM from being able to communicate with its counterpart Azure resource. If you're unable to determine what changed, you can reboot the appliance VM, collect logs and submit a support ticket for further investigation.
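Review bot: the new "SSH folder access denied" section says the folder contains "the kubeconfig and logs key for the appliance VM" but never names the folder's location or what the "logs key" is (from the sentence about collecting logs, it appears to be an SSH private key for the appliance VM); name both. Under "Insufficient permissions", "Ensure that the user account running the CLI has appropriate permissions" should be tightened to granting access to that user account only, since a reader who fixes the error by widening permissions on a folder holding a kubeconfig and a private key exposes cluster credentials to every other account on the workstation, and the "shared profiles" cause in the next item says such accounts are present. Minor: both list items are numbered "1."; keep it only if the repo relies on auto-numbering.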
azure-arc Enable Guest Management At Scale https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/vmware-vsphere/enable-guest-management-at-scale.md
Title: Install Arc agent at scale for your VMware VMs description: Learn how to enable guest management at scale for Arc enabled VMware vSphere VMs. Previously updated : 07/08/2024 Last updated : 07/18/2024
Arc agents can be installed directly on machines without relying on VMware tools
- The following command scans all the Arc for Server machines that belong to the vCenter in the specified subscription and links the machines with that vCenter.
- ```azurecli-interactive
- az connectedvmware vm create-from-machines --subscription contoso-sub --vcenter-id /subscriptions/999998ee-cd13-9999-b9d4-55ca5c25496d/resourceGroups/allhands-demo/providers/microsoft.connectedvmwarevsphere/VCenters/ContosovCentervcenters/contoso-vcenter
- ```
+ [!INCLUDE [azure-cli-subscription](./includes/azure-cli-subscription.md)]
- The following command scans all the Arc for Server machines that belong to the vCenter in the specified Resource Group and links the machines with that vCenter.
- ```azurecli-interactive
- az connectedvmware vm create-from-machines --resource-group contoso-rg --vcenter-id /subscriptions/999998ee-cd13-9999-b9d4-55ca5c25496d/resourceGroups/allhands-demo/providers/microsoft.connectedvmwarevsphere/VCenters/ContosovCentervcenters/contoso-vcenter
- ```
+ [!INCLUDE [azure-cli-all](./includes/azure-cli-all.md)]
- The following command can be used to link an individual Arc for Server resource to vCenter.
- ```azurecli-interactive
- az connectedvmware vm create-from-machines --subscription contoso-sub --vcenter-id /subscriptions/999998ee-cd13-9999-b9d4-55ca5c25496d/resourceGroups/allhands-demo/providers/microsoft.connectedvmwarevsphere/VCenters/ContosovCentervcenters/contoso-vcenter
- ```
+ [!INCLUDE [azure-cli-specified-arc](./includes/azure-cli-specified-arc.md)]
## Next steps
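Review bot: the third removed command, described as "link an individual Arc for Server resource to vCenter", was identical to the subscription-wide command above it (`--subscription contoso-sub --vcenter-id ...`, with no parameter selecting a machine), so it would have linked every machine in the subscription; make sure the replacement include `azure-cli-specified-arc` carries a machine selector such as the `--name contoso-vm` form that appears in the enable-virtual-hardware hunk below. Also check that the include names line up with the three descriptions: the second description says "specified Resource Group" but its include is named `azure-cli-all`, while the first ("specified subscription") gets `azure-cli-subscription`.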
azure-arc Enable Virtual Hardware https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/vmware-vsphere/enable-virtual-hardware.md
Title: Enable additional capabilities on Arc-enabled Server machines by linking to vCenter description: Enable additional capabilities on Arc-enabled Server machines by linking to vCenter. Previously updated : 07/04/2024 Last updated : 07/18/2024
Use the following az commands to link Arc-enabled Server machines to vCenter at
**Create VMware resource from the specified Arc for Server machine in the vCenter**
-```azurecli-interactive
-az connectedvmware vm create-from-machines --resource-group contoso-rg --name contoso-vm --vcenter-id /subscriptions/999998ee-cd13-9999-b9d4-55ca5c25496d/resourceGroups/allhands-demo/providers/microsoft.connectedvmwarevsphere/VCenters/ContosovCentervcenters/contoso-vcenter
-```
**Create VMware resources from all Arc for Server machines in the specified resource group belonging to that vCenter**
-```azurecli-interactive
-az connectedvmware vm create-from-machines --resource-group contoso-rg --vcenter-id /subscriptions/999998ee-cd13-9999-b9d4-55ca5c25496d/resourceGroups/allhands-demo/providers/microsoft.connectedvmwarevsphere/VCenters/ContosovCentervcenters/contoso-vcenter
-```
**Create VMware resources from all Arc for Server machines in the specified subscription belonging to that vCenter**
-```azurecli-interactive
-az connectedvmware vm create-from-machines --subscription contoso-sub --vcenter-id /subscriptions/999998ee-cd13-9999-b9d4-55ca5c25496d/resourceGroups/allhands-demo/providers/microsoft.connectedvmwarevsphere/VCenters/ContosovCentervcenters/contoso-vcenter
-```
### Required Parameters
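Review bot: The three removed `azurecli-interactive` blocks (create-from-machines with `--name`, with `--resource-group` only, and with `--subscription`) leave each bold heading above them with no command beneath it, and nothing in this hunk replaces them; the preceding hunk for the same topic swaps the removed blocks for `[!INCLUDE [azure-cli-all](./includes/azure-cli-all.md)]` and `[!INCLUDE [azure-cli-specified-arc](./includes/azure-cli-specified-arc.md)]`, so confirm the matching include lines are added under each of these three headings too. The intro sentence "Use the following az commands to link Arc-enabled Server machines to vCenter" only stays accurate if the includes render the commands in place. While rewriting these into includes, also check the sample `--vcenter-id`: the removed value ends in `VCenters/ContosovCentervcenters/contoso-vcenter`, which looks like a copy-paste duplication of the `vcenters` segment, so make sure the shared include carries a clean sample resource ID.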
azure-cache-for-redis Cache How To Manage Redis Cache Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-cache-for-redis/cache-how-to-manage-redis-cache-powershell.md
This article shows you how to create, update, and scale your Azure Cache for Redis instances. The article also shows how to regenerate access keys, and how to view information about your caches. For a complete list of Azure Cache for Redis PowerShell cmdlets, see [Azure Cache for Redis cmdlets](/powershell/module/az.rediscache). For more information about the classic deployment model, see [Azure Resource Manager vs. classic deployment: Understand deployment models and the state of your resources](../azure-resource-manager/management/deployment-models.md).
azure-functions Create First Function Vs Code Csharp https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/create-first-function-vs-code-csharp.md
In this section, you use Visual Studio Code to create a local Azure Functions pr
|**Select a template for your project's first function**|Choose `HTTP trigger`.<sup>1</sup>| |**Provide a function name**|Type `HttpExample`.| |**Provide a namespace** | Type `My.Functions`. |
- |**Authorization level**|Choose `Anonymous`, which enables anyone to call your function endpoint. To learn about authorization level, see [Authorization keys](functions-bindings-http-webhook-trigger.md#authorization-keys).|
+ |**Authorization level**|Choose `Anonymous`, which enables anyone to call your function endpoint. For more information, see [Authorization level](functions-bindings-http-webhook-trigger.md#http-auth).|
|**Select how you would like to open your project**|Select `Open in current window`.| <sup>1</sup> Depending on your VS Code settings, you may need to use the `Change template filter` option to see the full list of templates.
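Review bot: The new link target `functions-bindings-http-webhook-trigger.md#http-auth` replaces `#authorization-keys` in this quickstart and in the six sibling quickstarts changed in the same commit (Java, Node, custom handler, PowerShell, Python, TypeScript), and the new function-keys-how-to.md links the same anchor, so the `http-auth` heading must exist in the trigger reference or all seven links silently land at the top of the page. Because `Anonymous` leaves the endpoint callable by anyone, a single added clause saying this setting is appropriate for the local quickstart, with a pointer to the hardening options the new keys article lists (App Service authentication/authorization, API Management, virtual network deployment) before the function is published, would help readers who copy the quickstart into production.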
azure-functions Create First Function Vs Code Java https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/create-first-function-vs-code-java.md
In this section, you use Visual Studio Code to create a local Azure Functions pr
|**Select a template for your project's first function**| Choose `HTTP trigger`.| | **Select the build tool for Java project** | Choose `Maven`. | |**Provide a function name**| Enter `HttpExample`.|
- |**Authorization level**| Choose `Anonymous`, which lets anyone call your function endpoint. For more information about the authorization level, see [Authorization keys](functions-bindings-http-webhook-trigger.md#authorization-keys).|
+ |**Authorization level**| Choose `Anonymous`, which lets anyone call your function endpoint. For more information, see [Authorization level](functions-bindings-http-webhook-trigger.md#http-auth).|
|**Select how you would like to open your project**| Choose `Open in current window`.| 1. Visual Studio Code uses the provided information and generates an Azure Functions project with an HTTP trigger. You can view the local project files in the Explorer. For more information about the files that are created, see [Generated project files](functions-develop-vs-code.md?tabs=java#generated-project-files).
azure-functions Create First Function Vs Code Node https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/create-first-function-vs-code-node.md
In this section, you use Visual Studio Code to create a local Azure Functions pr
|**Select a JavaScript programming model**|Choose `Model V3`| |**Select a template for your project's first function**|Choose `HTTP trigger`.| |**Provide a function name**|Type `HttpExample`.|
- |**Authorization level**|Choose `Anonymous`, which enables anyone to call your function endpoint. To learn about authorization level, see [Authorization keys](functions-bindings-http-webhook-trigger.md#authorization-keys).|
+ |**Authorization level**|Choose `Anonymous`, which enables anyone to call your function endpoint. For more information, see [Authorization level](functions-bindings-http-webhook-trigger.md#http-auth).|
|**Select how you would like to open your project**|Choose `Open in current window`.| Using this information, Visual Studio Code generates an Azure Functions project with an HTTP trigger. You can view the local project files in the Explorer. To learn more about files that are created, see [Generated project files](functions-develop-vs-code.md?tabs=javascript#generated-project-files).
azure-functions Create First Function Vs Code Other https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/create-first-function-vs-code-other.md
In this section, you use Visual Studio Code to create a local Azure Functions cu
|**Select a language for your function project**|Choose `Custom Handler`.| |**Select a template for your project's first function**|Choose `HTTP trigger`.| |**Provide a function name**|Type `HttpExample`.|
- |**Authorization level**|Choose `Anonymous`, which enables anyone to call your function endpoint. To learn about authorization level, see [Authorization keys](functions-bindings-http-webhook-trigger.md#authorization-keys).|
+ |**Authorization level**|Choose `Anonymous`, which enables anyone to call your function endpoint. For more information, see [Authorization level](functions-bindings-http-webhook-trigger.md#http-auth).|
|**Select how you would like to open your project**|Choose `Open in current window`.| Using this information, Visual Studio Code generates an Azure Functions project with an HTTP trigger. You can view the local project files in the Explorer.
azure-functions Create First Function Vs Code Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/create-first-function-vs-code-powershell.md
In this section, you use Visual Studio Code to create a local Azure Functions pr
|**Select a language for your function project**|Choose `PowerShell`.| |**Select a template for your project's first function**|Choose `HTTP trigger`.| |**Provide a function name**|Type `HttpExample`.|
- |**Authorization level**|Choose `Anonymous`, which enables anyone to call your function endpoint. To learn about authorization level, see [Authorization keys](functions-bindings-http-webhook-trigger.md#authorization-keys).|
+ |**Authorization level**|Choose `Anonymous`, which enables anyone to call your function endpoint. For more information, see [Authorization level](functions-bindings-http-webhook-trigger.md#http-auth).|
|**Select how you would like to open your project**|Choose `Open in current window`.| Using this information, Visual Studio Code generates an Azure Functions project with an HTTP trigger. You can view the local project files in the Explorer. To learn more about files that are created, see [Generated project files](functions-develop-vs-code.md?tabs=powershell#generated-project-files).
azure-functions Create First Function Vs Code Python https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/create-first-function-vs-code-python.md
In this section, you use Visual Studio Code to create a local Azure Functions pr
|**Select a Python interpreter to create a virtual environment**| Choose your preferred Python interpreter. If an option isn't shown, type in the full path to your Python binary.| |**Select a template for your project's first function** | Choose `HTTP trigger`. | |**Name of the function you want to create**| Enter `HttpExample`.|
- |**Authorization level**| Choose `ANONYMOUS`, which lets anyone call your function endpoint. For more information about the authorization level, see [Authorization keys](functions-bindings-http-webhook-trigger.md#authorization-keys).|
+ |**Authorization level**| Choose `ANONYMOUS`, which lets anyone call your function endpoint. For more information, see [Authorization level](functions-bindings-http-webhook-trigger.md#http-auth).|
|**Select how you would like to open your project** | Choose `Open in current window`.| 4. Visual Studio Code uses the provided information and generates an Azure Functions project with an HTTP trigger. You can view the local project files in the Explorer. The generated `function_app.py` project file contains your functions.
azure-functions Create First Function Vs Code Typescript https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/create-first-function-vs-code-typescript.md
In this section, you use Visual Studio Code to create a local Azure Functions pr
|**Select a TypeScript programming model**|Choose `Model V3`| |**Select a template for your project's first function**|Choose `HTTP trigger`.| |**Provide a function name**|Type `HttpExample`.|
- |**Authorization level**|Choose `Anonymous`, which enables anyone to call your function endpoint. To learn about authorization level, see [Authorization keys](functions-bindings-http-webhook-trigger.md#authorization-keys).|
+ |**Authorization level**|Choose `Anonymous`, which enables anyone to call your function endpoint. For more information, see [Authorization level](functions-bindings-http-webhook-trigger.md#http-auth).|
|**Select how you would like to open your project**|Choose `Open in current window`.| Using this information, Visual Studio Code generates an Azure Functions project with an HTTP trigger. You can view the local project files in the Explorer. To learn more about files that are created, see [Generated project files](functions-develop-vs-code.md?tabs=typescript#generated-project-files).
azure-functions Disable Function https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/disable-function.md
To learn more, see [Azure Functions Deployment slots](functions-deployment-slots
## Run a disabled function
-You can still cause a disabled function to run by supplying the [master key](functions-bindings-http-webhook-trigger.md#master-key-admin-level) in a REST request to the endpoint URL of the disabled function. In this way, you can develop and validate functions in Azure in a disabled state while preventing them from being accessed by others. Using any other type of key in the request returns an HTTP 404 response.
+You can still cause a disabled function to run by supplying the master access key (`_master`) in a REST request to the endpoint URL of the disabled function. In this way, you can develop and validate functions in Azure in a disabled state while preventing them from being accessed by others. Using any other type of key in the request returns an HTTP 404 response.
[!INCLUDE [functions-master-key-caution](../../includes/functions-master-key-caution.md)]
-To learn more about the master key, see [Obtaining keys](functions-bindings-http-webhook-trigger.md#obtaining-keys). To learn more about calling non-HTTP triggered functions, see [Manually run a non HTTP-triggered function](functions-manually-run-non-http.md).
+To learn more about the master key, see [Understand keys](function-keys-how-to.md#understand-keys). To learn more about calling non-HTTP triggered functions, see [Manually run a non HTTP-triggered function](functions-manually-run-non-http.md).
## Disable functions locally
azure-functions Azfd0007 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/errors-diagnostics/diagnostic-events/azfd0007.md
This error occurs when you reach the maximum number of backups of the secrets re
## Event description
-Azure Functions uses an encrypted repository file (host.json) to securely store [access keys](../../functions-bindings-http-webhook-trigger.md#authorization-keys) used by your function app. Whenever the Functions host is unable to decrypt this repository file, it and regenerates the repository file and creates a backup of the unreadable file with a name like `host.snapshot.<DATE>.json`.
+Azure Functions uses an encrypted repository file (host.json) to securely store [access keys](../../function-keys-how-to.md) used by your function app. Whenever the Functions host is unable to decrypt this repository file, it and regenerates the repository file and creates a backup of the unreadable file with a name like `host.snapshot.<DATE>.json`.
Some reasons for the repository to be regenerated can include:
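Review bot: The `+` line carries over the broken sentence "Whenever the Functions host is unable to decrypt this repository file, it and regenerates the repository file"; since the line is being edited anyway, make it "it regenerates the repository file and creates a backup of the unreadable file". The retarget to `../../function-keys-how-to.md` works, but the new article's "Manage key storage" section is what explains where this encrypted repository lives (the `AzureWebJobsStorage` blob container by default, or Key Vault, files, or Kubernetes secrets via `AzureWebJobsSecretStorageType`), so `../../function-keys-how-to.md#manage-key-storage` would be the more useful anchor for someone diagnosing this event.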
azure-functions Azfd0008 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/errors-diagnostics/diagnostic-events/azfd0008.md
This error happens when you set the Azure Blob Storage access tier to `archive`
By default, the access tier for blobs in Azure Storage is set to an online value (`hot` or `cool`). For more information, see [Set a blob's access tier](../../../storage/blobs/access-tiers-online-manage.md).
-Azure Functions uses an encrypted repository file (host.json) to securely store [access keys](../../functions-bindings-http-webhook-trigger.md#authorization-keys) (function or host) used by your function app. When the access tier of this secrets repository file is set to `archive`, functions that require access keys return an error. These functions can include HTTP triggers, Event Grid calls, and durable orchestrations.
+Azure Functions uses an encrypted repository file (host.json) to securely store [access keys](../../function-keys-how-to.md) (function or host) used by your function app. When the access tier of this secrets repository file is set to `archive`, functions that require access keys return an error. These functions can include HTTP triggers, Event Grid calls, and durable orchestrations.
When access keys aren't accessible because the secrets repository is in an archived state, you see a 409 warning in the logs like:
azure-functions Azfd0012 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/errors-diagnostics/diagnostic-events/azfd0012.md
Title: "AZFD0012: A non highly-identifiable secret has been loaded by the applic
description: "Learn how to troubleshoot the event 'AZFD0012: A non highly identifiable secret has been loaded by the application' in Azure Functions." Previously updated : 02/29/2024 Last updated : 07/06/2024
By default, the secret key values generated by Azure Functions are highly identi
## How to resolve the event
-This event indicates the name and type of the key that is in violation. You should regenerate the key to obtain a new value that is highly identifiable.
+This event indicates the name and type of the key that is in violation. You should regenerate the key to obtain a new value that is highly identifiable. To learn how to regenerate keys, see [Renew access keys](../../function-keys-how-to.md#renew-or-create-access-keys).
## When to suppress the event
azure-functions Event Grid How Tos https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/event-grid-how-tos.md
http://{functionappname}.azurewebsites.net/admin/host/systemkeys/eventgridextens
-This REST API is an administrator API, so it requires your function app [master key](functions-bindings-http-webhook-trigger.md#authorization-keys). Don't confuse the system key (for invoking an Event Grid trigger function) with the master key (for performing administrative tasks on the function app). When you subscribe to an Event Grid topic, be sure to use the system key.
+This REST API is an administrator API, so it requires your function app [master key](function-keys-how-to.md). Don't confuse the system key (for invoking an Event Grid trigger function) with the master key (for performing administrative tasks on the function app). When you subscribe to an Event Grid topic, be sure to use the system key.
Here's an example of the response that provides the system key:
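Review bot: The `master key` link now points at the top of `function-keys-how-to.md` rather than at a section; the disable-function.md change in this same commit uses `function-keys-how-to.md#understand-keys`, whose table is where `_master` and its `admin` auth level are defined, so use that anchor here for consistency. The unchanged surrounding sentence, warning not to confuse the system key (for invoking the Event Grid trigger) with the master key (for administrative calls such as this `/admin/host/systemkeys/...` request), matches the new article's table, where system keys are extension-scoped and only the master key reaches the runtime REST APIs; keep that warning adjacent to the link.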
azure-functions Flex Consumption Plan https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/flex-consumption-plan.md
Title: Azure Functions Flex Consumption plan hosting
description: Running your function code in the Azure Functions Flex Consumption plan provides virtual network integration, dynamic scale (to zero), and reduced cold starts. Previously updated : 05/24/2024 Last updated : 06/15/2024 # Customer intent: As a developer, I want to understand the benefits of using the Flex Consumption plan so I can get the scalability benefits of Azure Functions without having to pay for resources I don't need.
The Flex Consumption plan builds on the strengths of the Consumption plan, which
+ [Always-ready instances](#always-ready-instances) + [Virtual network integration](#virtual-network-integration) + Fast scaling based on concurrency for both HTTP and non-HTTP apps
-+ Multiple choices, for instance, memory size
++ Multiple choices for instance memory sizes This table helps you directly compare the features of Flex Consumption with the Consumption hosting plan:
Concurrency has a direct effect on how your app scales because at lower concurre
## Deployment
-Deployments in the Flex Consumption plan follow a single path. After your project code is built and zipped into an application package, it is deployed to a blob storage container. Upon startup, your app will retrieve the package and run from it. By default, the same storage account used to store internal host metadata (AzureWebJobsStorage) is also used as the deployment container. However, you can use an alternative storage account or choose your preferred authentication method by [configuring your app's deployment settings](flex-consumption-how-to.md#configure-deployment-settings). In streamlining the deployment path, there is no longer the need for app settings to influence deployment behavior.
+Deployments in the Flex Consumption plan follow a single path. After your project code is built and zipped into an application package, it is deployed to a blob storage container. On startup, your app gets the package and runs your function code from this package. By default, the same storage account used to store internal host metadata (AzureWebJobsStorage) is also used as the deployment container. However, you can use an alternative storage account or choose your preferred authentication method by [configuring your app's deployment settings](flex-consumption-how-to.md#configure-deployment-settings). In streamlining the deployment path, there's no longer the need for app settings to influence deployment behavior.
## Billing
This table shows the language stack versions that are currently supported for Fl
Currently in preview each region in a given subscription has a memory limit of `512,000 MB` for all instances of apps running on Flex Consumption plans. This means that, in a given subscription and region, you could have any combination of instance memory sizes and counts, as long as they stay under the quota limit. For example, each the following examples would mean the quota has been reached and the apps would stop scaling:
-+ You have one 2048GB app scaled to 100 and a second 2048GB app scaled to 150 instances
-+ You have one 2048GB app that scaled out to 250 instances
-+ You have one 4096GB app that scaled out to 125 instances
-+ You have one 4096GB app scaled to 100 and one 2048GB app scaled to 50 instances
++ You have one 2,048 MB app scaled to 100 and a second 2,048 MB app scaled to 150 instances++ You have one 2,048 MB app that scaled out to 250 instances++ You have one 4,096 MB app that scaled out to 125 instances++ You have one 4,096 MB app scaled to 100 and one 2,048 MB app scaled to 50 instances This quota can be increased to allow your Flex Consumption apps to scale further, depending on your requirements. If your apps require a larger quota please create a support ticket.
Keep these other considerations in mind when using Flex Consumption plan during
+ Continuous deployment using Azure DevOps Tasks (`AzureFunctionApp@2`) + Continuous deployment using GitHub Actions (`functions-action@v1`) + **Scale**: The lowest maximum scale in preview is `40`. The highest currently supported value is `1000`.
-+ **Authorization**: EasyAuth is currently not supported. Unauthenticated callers currently aren't blocked when EasyAuth is enabled in a Flex Consumption plan app.
-+ **CORS**: CORS settings are currently not supported. Exceptions might occur if CORS is configured for Flex Consumption apps.
++ **Authorization**: EasyAuth isn't currently supported. Unauthenticated callers currently aren't blocked when EasyAuth is enabled in a Flex Consumption plan app.++ **CORS**: [Cross-origin resource sharing (CORS) settings](functions-how-to-use-azure-function-app-settings.md#cors) are currently ignored for Flex Consumption apps. + **Managed dependencies**: [Managed dependencies in PowerShell](functions-reference-powershell.md#dependency-management) aren't supported by Flex Consumption. You must instead [define your own custom modules](functions-reference-powershell.md#custom-modules). ## Related articles
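Review bot: The EasyAuth limitation ("Unauthenticated callers currently aren't blocked when EasyAuth is enabled in a Flex Consumption plan app") is a security-relevant failure mode buried in a bullet list; consider lifting it into an `[!IMPORTANT]` callout, because a reader who enables App Service authentication expecting it to gate the endpoint gets no protection on this plan and needs to rely on access keys, API Management, or network restrictions instead. The unit change from GB to MB in the quota examples checks out against the `512,000 MB` regional limit stated just above: 2,048 × 100 + 2,048 × 150, 2,048 × 250, 4,096 × 125, and 4,096 × 100 + 2,048 × 50 all equal 512,000. While in this paragraph, the unchanged context sentence "each the following examples would mean the quota has been reached" should read "each of the following examples", and "If your apps require a larger quota please create a support ticket" needs a comma after "quota".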
azure-functions Function Keys How To https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/function-keys-how-to.md
+
+ Title: Work with access keys in Azure Functions
+description: Learn about access keys in Azure Functions, including how to get and renew keys and how to use access keys when calling function endpoints.
++ Last updated : 07/18/2024+
+#CustomerIntent: As an Azure Functions developer, I want learn how to work with access keys so that I can properly harden both my function endpoints and my overall function app running in Azure.
++
+# Work with access keys in Azure Functions
+
+Azure Functions lets you use secret keys to make it more difficult to access your function endpoints. This article describes the various kinds of access keys supported by Functions, and how to work with access keys.
+
+While access keys provide some mitigation against unwanted access, you should consider other options to secure HTTP endpoints in production. For example, it's not a good practice to distribute shared secrets in a public app. If your function is being called from a public client, you should consider implementing these or other security mechanisms:
+++ [Enable App Service Authentication/Authorization](security-concepts.md#enable-app-service-authenticationauthorization)++ [Use Azure API Management (APIM) to authenticate requests](security-concepts.md#use-azure-api-management-apim-to-authenticate-requests)++ [Deploy your function app to a virtual network](security-concepts.md#deploy-your-function-app-to-a-virtual-network)++ [Deploy your function app in isolation](security-concepts.md#deploy-your-function-app-in-isolation)
+
+Access keys provide the basis for HTTP authorization in HTTP triggered functions. For more information, see [Authorization level](./functions-bindings-http-webhook-trigger.md#http-auth).
+
+## Understand keys
+
+The scope of an access key and the actions it supports depend on the type of access key.
+
+| Key type | Key name | HTTP auth level | Description |
+| -- | -- | - | - |
+| **Function** | `default` or user defined | `function` | Allows access only to a specific function endpoint. |
+| **Host** | `default` or user defined | `function` | Allows access to all function endpoints in a function app. |
+| **Master** | `_master` | `admin` | Special host key that also provides administrative access to the runtime REST APIs in a function app. This key can't be revoked. Because the master key grants elevated permissions in your function app, you shouldn't share this key with third parties or distribute it in native client applications. |
+| **System** | Depends on the extension | n/a | Specific extensions might require a system-managed key to access webhook endpoints. System keys are designed for extension-specific function endpoints that get called by internal components. For example, the [Event Grid trigger](functions-bindings-event-grid-trigger.md) requires that the subscription use a system key when calling the trigger endpoint. Durable Functions also uses system keys to call [Durable Task extension APIs](durable/durable-functions-http-api.md). <br/>System keys can only be created by specific extensions, and you can't explicitly set their values. Like other keys, you can generate a new value for the key from the portal or by using the key APIs. |
+
+Each key is named for reference, and there's a default key (named `default`) at the function and host level. Function keys take precedence over host keys. When two keys are defined with the same name, the function key is always used.
+
+The following table compares the uses for various kinds of access keys:
+
+| Action | Scope | Key type |
+|--|--|--|
+| Execute a function | Specific function | Function |
+| Execute a function | Any function | Function or host |
+| Call an `admin` endpoint | Function app | Master-only |
+| Call Durable Task extension APIs | Function app<sup>*</sup> | System |
+| Call an extension-specific Webhook (internal) | Function app<sup>*</sup> | system |
+
+<sup>*</sup>Scope determined by the extension.
+
+## Key requirements
+
+In Functions, access keys are randomly generated 32-byte arrays that are encoded as URL-safe base-64 strings. While you can generate your own access keys and use them with Functions, we strongly recommend that you instead allow Functions to generate all of your access keys for you.
+
+Functions-generated access keys include special signature and checksum values that indicate the type of access key and that it was generated by Azure Functions. Having these extra components in the key itself makes it much easier to determine the source of these kinds of secrets located during security scanning and other automated processes.
+
+To allow Functions to generate your keys for you, don't supply the key `value` to any of the APIs that you can use to generate keys.
+
+## Manage key storage
+
+Keys are stored as part of your function app in Azure and are encrypted at rest. By default, keys are stored in a Blob storage container in the account provided by the `AzureWebJobsStorage` setting. You can use the [`AzureWebJobsSecretStorageType`](functions-app-settings.md#azurewebjobssecretstoragetype) setting to override this default behavior and instead store keys in one of these alternate locations:
+
+|Location | Value | Description |
+||||
+| A second storage account | `blob` | Stores keys in Blob storage in a storage account that's different that the one used by the Functions runtime. The specific account and container used is defined by a shared access signature (SAS) URL set in the [`AzureWebJobsSecretStorageSas`](functions-app-settings.md#azurewebjobssecretstoragesas) setting. You must maintain the `AzureWebJobsSecretStorageSas` setting when the SAS URL changes. |
+| [Azure Key Vault](../key-vault/general/overview.md) | `keyvault` | The key vault set in [`AzureWebJobsSecretStorageKeyVaultUri`](functions-app-settings.md#azurewebjobssecretstoragekeyvaulturi) is used to store keys. |
+| File system | `files` | Keys are persisted on the local file system, which is the default in Functions v1.x. File system storage isn't recommended. |
+| Kubernetes Secrets |`kubernetes` | The resource set in [AzureWebJobsKubernetesSecretName](functions-app-settings.md#azurewebjobskubernetessecretname) is used to store keys. Supported only when your function app is deployed to Kubernetes. The [Azure Functions Core Tools](functions-run-local.md) generates the values automatically when you use it to deploy your app to a Kubernetes cluster.|
+
+When using Key Vault for key storage, the app settings you need depend on the managed identity type, either system-assigned or user-assigned.
+
+| Setting name | System-assigned | User-assigned | App registration |
+| | | | |
+| [AzureWebJobsSecretStorageKeyVaultUri](functions-app-settings.md#azurewebjobssecretstoragekeyvaulturi) | Γ£ô | Γ£ô | Γ£ô |
+| [AzureWebJobsSecretStorageKeyVaultClientId](functions-app-settings.md#azurewebjobssecretstoragekeyvaultclientid) | X | Γ£ô |Γ£ô |
+| [AzureWebJobsSecretStorageKeyVaultClientSecret](functions-app-settings.md#azurewebjobssecretstoragekeyvaultclientsecret) | X | X | Γ£ô |
+| [AzureWebJobsSecretStorageKeyVaultTenantId](functions-app-settings.md#azurewebjobssecretstoragekeyvaulttenantid) | X | X | Γ£ô |
+
+## Use access keys
+
+HTTP triggered functions can generally be called by using a URL in the format: `https://<APP_NAME>.azurewebsites.net/api/<FUNCTION_NAME>`. When the authorization level of a given function is set a value other than `anonymous`, you must also provide an access key in your request. The access key can either be provided in the URL using the `?code=` query string or in the request header (`x-functions-key`). For more information, see [Access key authorization](functions-bindings-http-webhook-trigger.md#api-key-authorization).
+
+To access the runtime REST APIs (under `/admin/`), you must provide the master key (`_master`) in the `x-functions-key` request header.
+
+## Get your function access keys
+
+You can get function and host keys programmatically by using these Azure Resource Manager APIs:
+++ [List Function Keys](/rest/api/appservice/webapps/listfunctionkeys)++ [List Host Keys](/rest/api/appservice/webapps/listhostkeys)++ [List Function Keys Slot](/rest/api/appservice/webapps/listfunctionkeysslot)++ [List Host Keys Slot](/rest/api/appservice/webapps/listhostkeysslot).+
+To learn how to call Azure Resource Manager APIs, see the [Azure REST API reference](/rest/api/azure/).
+
+You can use these methods to get access keys without having to use the REST APIs.
+
+### [Azure portal](#tab/azure-portal)
+
+1. Sign in to the Azure portal, then search for and select **Function App**.
+
+1. Select the function app you want to work with.
+
+1. In the left pane, expand **Functions**, and then select **App keys**.
+
+ The **App keys** page appears. On this page the host keys are displayed, which can be used to access any function in the app. The system key is also displayed, which gives anyone administrator-level access to all function app APIs.
+
+You can also practice least privilege by using the key for a specific function. You can get function-specific keys from the **Function keys** tab of a specific HTTP-triggered function.
+
+### [Azure CLI](#tab/azure-cli)
+
+Run the following script in Azure Cloud Shell, the output of which is the `default` host key, which can be used to access any HTTP triggered function in the function app.
+
+```azurecli-interactive
+az functionapp keys list --resource-group <RESOURCE_GROUP> --name <APP_NAME> --query functionKeys.default --output tsv
+```
+
+In this script, replace `<RESOURCE_GROUP>` and `<APP_NAME>` with the resource group and your function app name, respective.
+
+Because the output contains sensitive information, either don't persist the output or secure any persisted file outputs.
+
+### [Azure PowerShell](#tab/azure-powershell)
+
+Run the following script, the output of which is the `default` host key, which can be used to access any HTTP triggered function in the function app.
+
+```powershell-interactive
+$subName = '<SUBSCRIPTION_ID>'
+$rGroup = '<RESOURCE_GROUP>'
+$appName = '<APP_NAME>'
+$path = "/subscriptions/$((Get-AzContext).Subscription.Id)/resourceGroups/$rGroup/providers/Microsoft.Web/sites/$appName/host/default/listKeys?api-version=2018-11-01"
+((Invoke-AzRestMethod -Path $path -Method POST).Content | ConvertFrom-JSON).functionKeys.default
+```
+
+In this script, replace `<RESOURCE_GROUP>` and `<APP_NAME>` with the resource group and your function app name, respective.
+++
+## Renew or create access keys
+
+When you renew or create your access key values, you must manually redistribute the updated key values to all clients that call your function.
+
+You can renew function and host keys programmatically or create new ones by using these Azure Resource Manager APIs:
+++ [Create Or Update Function Secret](/rest/api/appservice/webapps/createorupdatefunctionsecret) ++ [Create Or Update Function Secret Slot](/rest/api/appservice/webapps/createorupdatefunctionsecretslot)++ [Create Or Update Host Secret](/rest/api/appservice/webapps/createorupdatehostsecret) ++ [Create Or Update Host Secret Slot](/rest/api/appservice/webapps/createorupdatehostsecretslot)+
+To learn how to call Azure Resource Manager APIs, see the [Azure REST API reference](/rest/api/azure/).
+
+You can use these methods to get access keys without having to manually create calls to the REST APIs.
+
+### [Azure portal](#tab/azure-portal)
+
+1. Sign in to the Azure portal, then search for and select **Function App**.
+
+1. Select the function app you want to work with.
+
+1. In the left pane, expand **Functions**, and then select **App keys**.
+
+ The **App keys** page appears. On this page the host keys are displayed, which can be used to access any function in the app. The system key is also displayed, which gives anyone administrator-level access to all function app APIs.
+
+1. Select **Renew key value** next to the key you want to renew, then select **Renew and save**.
+
+You can also renew a function key in the **Function keys** tab of a specific HTTP-triggered function.
+
+### [Azure CLI](#tab/azure-cli)
+
+Run the following script in Azure Cloud Shell, which renews the `default` host key with a new key value generated by Functions.
+
+```azurecli-interactive
+az functionapp keys set --resource-group <RESOURCE_GROUP> --name <APP_NAME> --key-type functionKeys --key-name default
+```
+
+In this script, replace `<RESOURCE_GROUP>` and `<APP_NAME>` with the resource group and your function app name, respective. This script has been created to run in Azure Cloud Shell (Bash). You must modify it to run in a Windows terminal.
+
+The new key value generated by Functions is displayed for your reference. This new key value must be securely distributed to any apps that rely on the host key. Because the output contains sensitive information, either don't persist the output or secure any persisted file outputs.
+
+### [Azure PowerShell](#tab/azure-powershell)
+
+Run the following script, which uses the REST APIs to renew the `default` host key with a new key value generated by Functions.
+
+```powershell-interactive
+# Variables - replace these with your actual values
+$resourceGroupName = "<RESOURCE_GROUP>"
+$functionAppName = "<APP_NAME>"
+
+# Construct the URI for the REST API call
+$uri = "https://management.azure.com/subscriptions/$((Get-AzContext).Subscription.Id)/resourceGroups/$resourceGroupName/providers/Microsoft.Web/sites/$functionAppName/host/default/listkeys?api-version=2021-02-01"
+
+# Construct the body of the request
+$body = @{
+ properties = @{
+ name = "default"
+ }
+} | ConvertTo-Json
+
+# Invoke the REST API to create or update the host-level secret
+$response = Invoke-AzRestMethod -Method Post -Uri $uri -Payload $body
+
+# Output the updated key for reference
+($response.Content | ConvertFrom-Json).functionKeys.default
+```
+
+In this script, replace `<RESOURCE_GROUP>` and `<APP_NAME>` with the resource group and your function app name, respective.
+
+The new key value generated by Functions is returned for your reference. It must be securely distributed to any apps that rely on the host key. Because the output contains sensitive information, either don't persist the output or secure any persisted file outputs.
+++
+## Delete access keys
+
+You can delete function and host keys programmatically by using these Azure Resource Manager APIs:
+++ [Delete Function Secret](/rest/api/appservice/webapps/deletefunctionsecret)++ [Delete Function Secret Slot](/rest/api/appservice/webapps/deletefunctionsecretslot)++ [Delete Host Secret](/rest/api/appservice/webapps/deletehostsecret)++ [Delete Host Secret Slot](/rest/api/appservice/webapps/deletehostsecretslot)+
+To learn how to call Azure Resource Manager APIs, see the [Azure REST API reference](/rest/api/azure/).
+
+## Related content
+++ [Securing Azure Functions](security-concepts.md)++ [Azure Functions HTTP trigger](functions-bindings-http-webhook-trigger.md)++ [Manage your function app](functions-how-to-use-azure-function-app-settings.md)+
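Review bot: The Azure PowerShell script in the "Renew or create access keys" tab does not renew anything: its `$uri` ends in `host/default/listkeys?api-version=2021-02-01` and `Invoke-AzRestMethod -Method Post -Uri $uri -Payload $body` posts to the List Host Keys operation, which returns the current `default` key, so the lead-in ("renews the `default` host key") and the comment "Invoke the REST API to create or update the host-level secret" promise a rotation that never happens. Point the script at the Create Or Update Host Secret API linked a few lines above (a PUT to `.../host/default/functionKeys/default` with the key name in `properties`) or replace the tab with the same `az functionapp keys set` approach the CLI tab uses; as written, a reader will believe a key is rotated while the old value is still valid. Two smaller points in the same file: `$subName = '<SUBSCRIPTION_ID>'` in the Get-keys PowerShell script is assigned but never used (the path takes the subscription from `Get-AzContext`) and the placeholder is not mentioned in the "replace" instructions, and "respective" should be "respectively" in all four "In this script, replace ..." sentences.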
azure-functions Functions App Settings https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-app-settings.md
Indicates the Kubernetes Secrets resource used for storing keys. Supported only
||| |AzureWebJobsKubernetesSecretName|`<SECRETS_RESOURCE>`|
-To learn more, see [Secret repositories](security-concepts.md#secret-repositories).
+To learn more, see [Manage key storage](function-keys-how-to.md#manage-key-storage).
## AzureWebJobsSecretStorageKeyVaultClientId
The client ID of the user-assigned managed identity or the app registration used
||| |AzureWebJobsSecretStorageKeyVaultClientId|`<CLIENT_ID>`|
-To learn more, see [Secret repositories](security-concepts.md#secret-repositories).
+To learn more, see [Manage key storage](function-keys-how-to.md#manage-key-storage).
## AzureWebJobsSecretStorageKeyVaultClientSecret
The secret for client ID of the user-assigned managed identity or the app regist
||| |AzureWebJobsSecretStorageKeyVaultClientSecret|`<CLIENT_SECRET>`|
-To learn more, see [Secret repositories](security-concepts.md#secret-repositories).
+To learn more, see [Manage key storage](function-keys-how-to.md#manage-key-storage).
## AzureWebJobsSecretStorageKeyVaultName
-The name of a key vault instance used to store keys. This setting is only supported for version 3.x of the Functions runtime. For version 4.x, instead use `AzureWebJobsSecretStorageKeyVaultUri`. This setting requires you to set `AzureWebJobsSecretStorageType` to `keyvault`.
+_This setting is deprecated and was only used when running on version 3.x of the Azure Functions runtime._
+
+The name of a key vault instance used to store keys. This setting was only used in version 3.x of the Functions runtime, which is no longer supported. For version 4.x, instead use `AzureWebJobsSecretStorageKeyVaultUri`. This setting requires you to set `AzureWebJobsSecretStorageType` to `keyvault`.
The vault must have an access policy corresponding to the system-assigned managed identity of the hosting resource. The access policy should grant the identity the following secret permissions: `Get`,`Set`, `List`, and `Delete`. <br/>When your functions run locally, the developer identity is used, and settings must be in the [local.settings.json file](functions-develop-local.md#local-settings-file).
The vault must have an access policy corresponding to the system-assigned manage
||| |AzureWebJobsSecretStorageKeyVaultName|`<VAULT_NAME>`|
-To learn more, see [Secret repositories](security-concepts.md#secret-repositories).
+To learn more, see [Manage key storage](function-keys-how-to.md#manage-key-storage).
## AzureWebJobsSecretStorageKeyVaultTenantId
-The tenant ID of the app registration used to access the vault where keys are stored. This setting requires you to set `AzureWebJobsSecretStorageType` to `keyvault`. Supported in version 4.x and later versions of the Functions runtime. To learn more, see [Secret repositories](security-concepts.md#secret-repositories).
+The tenant ID of the app registration used to access the vault where keys are stored. This setting requires you to set `AzureWebJobsSecretStorageType` to `keyvault`. Supported in version 4.x and later versions of the Functions runtime. To learn more, see [Manage key storage](function-keys-how-to.md#manage-key-storage).
|Key|Sample value| |||
To learn more, see [Use Key Vault references for Azure Functions](../app-service
## AzureWebJobsSecretStorageSas
-A Blob Storage SAS URL for a second storage account used for key storage. By default, Functions uses the account set in `AzureWebJobsStorage`. When using this secret storage option, make sure that `AzureWebJobsSecretStorageType` isn't explicitly set or is set to `blob`. To learn more, see [Secret repositories](security-concepts.md#secret-repositories).
+A Blob Storage SAS URL for a second storage account used for key storage. By default, Functions uses the account set in `AzureWebJobsStorage`. When using this secret storage option, make sure that `AzureWebJobsSecretStorageType` isn't explicitly set or is set to `blob`. To learn more, see [Manage key storage](function-keys-how-to.md#manage-key-storage).
|Key|Sample value| |--|--|
Specifies the repository or provider to use for key storage. Keys are always enc
|AzureWebJobsSecretStorageType |`keyvault` | Keys are stored in a key vault instance set by `AzureWebJobsSecretStorageKeyVaultName`. | |AzureWebJobsSecretStorageType | `kubernetes` | Supported only when running the Functions runtime in Kubernetes. When `AzureWebJobsKubernetesSecretName` isn't set, the repository is considered read only. In this case, the values must be generated before deployment. The [Azure Functions Core Tools](functions-run-local.md) generates the values automatically when deploying to Kubernetes.|
-To learn more, see [Secret repositories](security-concepts.md#secret-repositories).
+To learn more, see [Manage key storage](function-keys-how-to.md#manage-key-storage).
## AzureWebJobsStorage
This app setting is a temporary way for Node.js apps to enable a breaking change
Starting with Node.js v20, the app setting has no effect and the breaking change behavior is always enabled.
-For Node.js v18 or lower, the app setting can be used and the default behavior depends on if the error happens before or after a model v4 function has been registered:
+For Node.js v18 or lower, the app setting is used, and the default behavior depends on if the error happens before or after a model v4 function has been registered:
+ - If the error is thrown before (for example if you're using model v3 or your entry point file doesn't exist), the default behavior matches `false`. - If the error is thrown after (for example if you try to register duplicate model v4 functions), the default behavior matches `true`.
Some configurations must be maintained at the App Service level as site settings
### alwaysOn
-On a function app running in a [Dedicated (App Service) plan](./dedicated-plan.md), the Functions runtime goes idle after a few minutes of inactivity, a which point only requests to an HTTP trigger _wakes-up_ your function app. To make sure that your non-HTTP triggered functions run correctly, including Timer trigger functions, enable Always On for the function app by setting the `alwaysOn` site setting to a value of `true`.
+On a function app running in a [Dedicated (App Service) plan](./dedicated-plan.md), the Functions runtime goes idle after a few minutes of inactivity, a which point only requests to an HTTP trigger _wakes up_ your function app. To make sure that your non-HTTP triggered functions run correctly, including Timer trigger functions, enable Always On for the function app by setting the `alwaysOn` site setting to a value of `true`.
### linuxFxVersion
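Review bot: The `alwaysOn` sentence still has two grammar errors the rewrite left in place: "a which point" should be "at which point", and because the subject is "requests", "_wakes up_ your function app" should be "_wake up_ your function app" (the change only dropped the hyphen). In the Node.js hunk, "the app setting is used, and the default behavior depends on" now reads as if the setting is always present; the original "can be used" was accurate because the setting is optional, so prefer "the app setting is honored" or "the app setting applies". In the `AzureWebJobsSecretStorageKeyVaultName` hunk the new deprecation line is welcome, but the sentence that follows still documents the setting in the present tense ("This setting requires you to set `AzureWebJobsSecretStorageType` to `keyvault`") for a runtime version that is no longer supported; consider reducing the paragraph to the pointer at `AzureWebJobsSecretStorageKeyVaultUri`.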
azure-functions Functions Bindings Http Webhook Trigger https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-bindings-http-webhook-trigger.md
Title: Azure Functions HTTP trigger description: Learn how to call an Azure Function via HTTP. Previously updated : 05/16/2024 Last updated : 07/16/2024 ms.devlang: csharp # ms.devlang: csharp, java, javascript, powershell, python
public HttpResponseMessage run(
#### Read POJO body from a POST request
-Here is the code for the `ToDoItem` class, referenced in this example:
+Here's the code for the `ToDoItem` class, referenced in this example:
```java
The following example shows an HTTP trigger [TypeScript function](functions-refe
# [Model v3](#tab/nodejs-v3)
-TypeScript samples are not documented for model v3.
+TypeScript samples aren't documented for model v3.
For Python v2 functions defined using a decorator, the following properties for
| Property | Description | |-|--|
-| `route` | Route for the http endpoint. If None, it will be set to function name if present or user defined python function name. |
+| `route` | Route for the http endpoint. If None, it will be set to function name if present or user-defined python function name. |
| `trigger_arg_name` | Argument name for HttpRequest. The default value is 'req'. | | `binding_arg_name` | Argument name for HttpResponse. The default value is '$return'. | | `methods` | A tuple of the HTTP methods to which the function responds. |
The [HttpTrigger](/java/api/com.microsoft.azure.functions.annotation.httptrigger
### Payload
-# [Isolated worker model](#tab/isolated-process)
+#### [Isolated worker model](#tab/isolated-process)
The trigger input type is declared as one of the following types:
The trigger input type is declared as one of the following types:
|-|-| | [HttpRequest] | _Use of this type requires that the app is configured with [ASP.NET Core integration in .NET Isolated]._<br/>This gives you full access to the request object and overall HttpContext. | | [HttpRequestData] | A projection of the request object. |
-| A custom type | When the body of the request is JSON, the runtime will try to parse it to set the object properties. |
+| A custom type | When the body of the request is JSON, the runtime tries to parse it to set the object properties. |
-When the trigger parameter is an `HttpRequestData` an `HttpRequest`, custom types can also be bound to additional parameters using `Microsoft.Azure.Functions.Worker.Http.FromBodyAttribute`. Use of this attribute requires [`Microsoft.Azure.Functions.Worker.Extensions.Http` version 3.1.0 or later](https://www.nuget.org/packages/Microsoft.Azure.Functions.Worker.Extensions.Http). Note that this is a different type than the similar attribute in `Microsoft.AspNetCore.Mvc`, and when using ASP.NET Core integration, you will need a fully qualified reference or `using` statement. The following example shows how to use the attribute to get just the body contents while still having access to the full `HttpRequest`, using the ASP.NET Core integration:
+When the trigger parameter is of type `HttpRequestData` or `HttpRequest`, custom types can also be bound to other parameters using `Microsoft.Azure.Functions.Worker.Http.FromBodyAttribute`. Use of this attribute requires [`Microsoft.Azure.Functions.Worker.Extensions.Http` version 3.1.0 or later](https://www.nuget.org/packages/Microsoft.Azure.Functions.Worker.Extensions.Http). This is a different type than the similar attribute in `Microsoft.AspNetCore.Mvc`. When using ASP.NET Core integration, you need a fully qualified reference or `using` statement. This example shows how to use the attribute to get just the body contents while still having access to the full `HttpRequest`, using ASP.NET Core integration:
```csharp using Microsoft.AspNetCore.Http;
namespace AspNetIntegration
} ```
-# [In-process model](#tab/in-process)
+#### [In-process model](#tab/in-process)
The trigger input type is declared as either `HttpRequest` or a custom type. If you choose `HttpRequest`, you get full access to the request object. For a custom type, the runtime tries to parse the JSON request body to set the object properties.
-### HTTP streams
-
-HTTP streams support in Python lets you accept and return data from your HTTP endpoints using FastAPI request and response APIs enabled in your functions. These APIs enable the host to process data in HTTP messages as chunks instead of having to read an entire message into memory. For more information, see [HTTP streams in Python](./functions-reference-python.md#http-streams-preview)
-
->[!IMPORTANT]
-> HTTP streams support for Python is currently in preview and is only supported for the Python v2 programming model.
::: zone-end ### Customize the HTTP endpoint
You can customize this route using the optional `route` property on the HTTP tri
::: zone pivot="programming-language-csharp"
-# [Isolated worker model](#tab/isolated-process)
+#### [Isolated worker model](#tab/isolated-process)
The following function code accepts two parameters `category` and `id` in the route and writes a response using both parameters.
FunctionContext executionContext)
} ```
-# [In-process model](#tab/in-process)
+#### [In-process model](#tab/in-process)
The following C# function code accepts two parameters `category` and `id` in the route and writes a response using both parameters.
public class HttpTriggerJava {
::: zone-end ::: zone pivot="programming-language-typescript"
-# [Model v4](#tab/nodejs-v4)
+#### [Model v4](#tab/nodejs-v4)
As an example, the following TypeScript code defines a `route` property for an HTTP trigger with two parameters, `category` and `id`. The example reads the parameters from the request and returns their values in the response. :::code language="typescript" source="~/azure-functions-nodejs-v4/ts/src/functions/httpTrigger2.ts" :::
-# [Model v3](#tab/nodejs-v3)
+#### [Model v3](#tab/nodejs-v3)
-TypeScript samples are not documented for model v3.
+TypeScript samples aren't documented for model v3.
::: zone-end ::: zone pivot="programming-language-javascript"
-# [Model v4](#tab/nodejs-v4)
+#### [Model v4](#tab/nodejs-v4)
As an example, the following JavaScript code defines a `route` property for an HTTP trigger with two parameters, `category` and `id`. The example reads the parameters from the request and returns their values in the response. :::code language="javascript" source="~/azure-functions-nodejs-v4/js/src/functions/httpTrigger2.js" :::
-# [Model v3](#tab/nodejs-v3)
+#### [Model v3](#tab/nodejs-v3)
As an example, the following *function.json* file defines a `route` property for an HTTP trigger with two parameters, `category` and `id`:
module.exports = async function (context, req) {
As an example, the following code defines a `route` property for an HTTP trigger with two parameters, `category` and `id`:
-# [v2](#tab/python-v2)
+#### [v2](#tab/python-v2)
```python @app.function_name(name="httpTrigger") @app.route(route="products/{category:alpha}/{id:int?}") ```
-# [v1](#tab/python-v1)
+#### [v1](#tab/python-v1)
In the *function.json* file:
https://<APP_NAME>.azurewebsites.net/api/products/electronics/357
This configuration allows the function code to support two parameters in the address, _category_ and _ID_. For more information on how route parameters are tokenized in a URL, see [Routing in ASP.NET Core](/aspnet/core/fundamentals/routing#route-constraint-reference).
-By default, all function routes are prefixed with *api*. You can also customize or remove the prefix using the `extensions.http.routePrefix` property in your [host.json](functions-host-json.md) file. The following example removes the *api* route prefix by using an empty string for the prefix in the *host.json* file.
+By default, all function routes are prefixed with `api`. You can also customize or remove the prefix using the `extensions.http.routePrefix` property in your [host.json](functions-host-json.md) file. The following example removes the `api` route prefix by using an empty string for the prefix in the *host.json* file.
```json {
Route parameters that defined a function's `route` pattern are available to each
The following configuration shows how the `{id}` parameter is passed to the binding's `rowKey`. ::: zone-end ::: zone pivot="programming-language-python"
-# [v2](#tab/python-v2)
+#### [v2](#tab/python-v2)
```python @app.table_input(arg_name="product", table_name="products",
The following configuration shows how the `{id}` parameter is passed to the bind
connection="AzureWebJobsStorage") ```
-# [v1](#tab/python-v1)
+#### [v1](#tab/python-v1)
```json {
The following configuration shows how the `{id}` parameter is passed to the bind
::: zone-end ::: zone pivot="programming-language-typescript"
-# [Model v4](#tab/nodejs-v4)
+#### [Model v4](#tab/nodejs-v4)
:::code language="typescript" source="~/azure-functions-nodejs-v4/ts/src/functions/httpTrigger3.ts" :::
-# [Model v3](#tab/nodejs-v3)
+#### [Model v3](#tab/nodejs-v3)
-TypeScript samples are not documented for model v3.
+TypeScript samples aren't documented for model v3.
::: zone-end ::: zone pivot="programming-language-javascript"
-# [Model v4](#tab/nodejs-v4)
+#### [Model v4](#tab/nodejs-v4)
:::code language="javascript" source="~/azure-functions-nodejs-v4/js/src/functions/httpTrigger3.js" :::
-# [Model v3](#tab/nodejs-v3)
+#### [Model v3](#tab/nodejs-v3)
```json {
You can programmatically access the `invoke_URL_template` by using the Azure Res
You can now stream requests to and responses from your HTTP endpoint in Node.js v4 function apps. For more information, see [HTTP streams](functions-reference-node.md?pivots=nodejs-model-v4#http-streams). ::: zone-end
+### HTTP streams
+
+HTTP streams support in Python lets you accept and return data from your HTTP endpoints using FastAPI request and response APIs enabled in your functions. These APIs enable the host to process data in HTTP messages as chunks instead of having to read an entire message into memory. For more information, see [HTTP streams in Python](./functions-reference-python.md#http-streams-preview)
+>[!IMPORTANT]
+> HTTP streams support for Python is currently in preview and is only supported for the Python v2 programming model.
### Working with client identities If your function app is using [App Service Authentication / Authorization](../app-service/overview-authentication-authorization.md), you can view information about authenticated clients from your code. This information is available as [request headers injected by the platform](../app-service/configure-authentication-user-identities.md#access-user-claims-in-app-code).
-You can also read this information from binding data. This capability is only available to the Functions runtime in 2.x and higher. It is also currently only available for .NET languages.
+You can also read this information from binding data.
+
+> [!NOTE]
+> Access to authenticated client information is currently only available for .NET languages. It also isn't supported in version 1.x of the Functions runtime.
::: zone pivot="programming-language-csharp" Information regarding authenticated clients is available as a [ClaimsPrincipal], which is available as part of the request context as shown in the following example:
-# [Isolated worker model](#tab/isolated-process)
+#### [Isolated worker model](#tab/isolated-process)
The authenticated user is available via [HTTP Headers](../app-service/configure-authentication-user-identities.md#access-user-claims-in-app-code).
-# [In-process model](#tab/in-process)
+#### [In-process model](#tab/in-process)
```csharp using System.Net;
public static IActionResult Run(HttpRequest req, ILogger log)
} ```
-Alternatively, the ClaimsPrincipal can simply be included as an additional parameter in the function signature:
+Alternatively, the ClaimsPrincipal can simply be included as an extra parameter in the function signature:
```csharp using System.Net;
The authenticated user is available via [HTTP Headers](../app-service/configure-
The authorization level is a string value that indicates the kind of [authorization key](#authorization-keys) that's required to access the function endpoint. For an HTTP triggered function, the authorization level can be one of the following values: -
-# [Model v4](#tab/nodejs-v4)
-
-| Level value | Description |
-| | |
-|**anonymous**| No API key is required. This is the default value when a level isn't specifically set.|
-|**function**| A function-specific API key is required.|
-|**admin**| The master key is required.|
-
-# [Model v3](#tab/nodejs-v3)
- | Level value | Description | | | |
-|**anonymous**| No API key is required.|
-|**function**| A function-specific API key is required. This is the default value when a level isn't specifically set.|
-|**admin**| The master key is required.|
--
+|**anonymous**| No access key is required.|
+|**function**| A function-specific key is required to access the endpoint. |
+|**admin**| The master key is required to access the endpoint.|
::: zone pivot="programming-language-csharp,programming-language-java,programming-language-powershell,programming-language-python"-
-| Level value | Description |
-| | |
-|**anonymous**| No API key is required.|
-|**function**| A function-specific API key is required. This is the default value when a level isn't specifically set.|
-|**admin**| The master key is required.|
-
+When a level isn't explicitly set, authorization defaults to the `function` level.
::: zone-end
+When a level isn't explicitly set, the default authorization depends on the version of the Node.js model:
-### <a name="authorization-keys"></a>Function access keys
--
-#### Obtaining keys
-
-Keys are stored as part of your function app in Azure and are encrypted at rest. To view your keys, create new ones, or roll keys to new values, navigate to one of your HTTP-triggered functions in the [Azure portal](https://portal.azure.com) and select **Function Keys**.
+#### [Model v4](#tab/nodejs-v4)
-You can also manage host keys. Navigate to the function app in the [Azure portal](https://portal.azure.com) and select **App keys**.
+Authorization defaults to the `anonymous` level.
-You can obtain function and host keys programmatically by using the Azure Resource Manager APIs. There are APIs to [List Function Keys](/rest/api/appservice/webapps/listfunctionkeys) and [List Host Keys](/rest/api/appservice/webapps/listhostkeys), and when using deployment slots the equivalent APIs are [List Function Keys Slot](/rest/api/appservice/webapps/listfunctionkeysslot) and [List Host Keys Slot](/rest/api/appservice/webapps/listhostkeysslot).
+#### [Model v3](#tab/nodejs-v3)
-You can also create new function and host keys programmatically by using the [Create Or Update Function Secret](/rest/api/appservice/webapps/createorupdatefunctionsecret), [Create Or Update Function Secret Slot](/rest/api/appservice/webapps/createorupdatefunctionsecretslot), [Create Or Update Host Secret](/rest/api/appservice/webapps/createorupdatehostsecret) and [Create Or Update Host Secret Slot](/rest/api/appservice/webapps/createorupdatehostsecretslot) APIs.
+Authorization defaults to the `function` level.
-Function and host keys can be deleted programmatically by using the [Delete Function Secret](/rest/api/appservice/webapps/deletefunctionsecret), [Delete Function Secret Slot](/rest/api/appservice/webapps/deletefunctionsecretslot), [Delete Host Secret](/rest/api/appservice/webapps/deletehostsecret), and [Delete Host Secret Slot](/rest/api/appservice/webapps/deletehostsecretslot) APIs.
+
+### <a name="authorization-keys"></a>Function access keys
-You can also use the [legacy key management APIs to obtain function keys](https://github.com/Azure/azure-functions-host/wiki/Key-management-API), but using the Azure Resource Manager APIs is recommended instead.
+Functions lets you use access keys to make it harder to access your function endpoints. Unless the authorization level on an HTTP triggered function is set to `anonymous`, requests must include an access key in the request. For more information, see [Work with access keys in Azure Functions](function-keys-how-to.md).
-#### API key authorization
+### <a name="api-key-authorization"></a>Access key authorization
-Most HTTP trigger templates require an API key in the request. So your HTTP request normally looks like the following URL:
+Most HTTP trigger templates require an access key in the request. So your HTTP request normally looks like the following URL:
```http https://<APP_NAME>.azurewebsites.net/api/<FUNCTION_NAME>?code=<API_KEY> ```
-The key can be included in a query string variable named `code`, as above. It can also be included in an `x-functions-key` HTTP header. The value of the key can be any function key defined for the function, or any host key.
+The key can be included in a query string variable named `code`, as mentioned earlier. It can also be included in an `x-functions-key` HTTP header. The value of the key can be any function key defined for the function, or any host key.
-You can allow anonymous requests, which do not require keys. You can also require that the master key is used. You change the default authorization level by using the `authLevel` property in the binding JSON. For more information, see [Trigger - configuration](#configuration).
+You can allow anonymous requests, which don't require keys. You can also require that the master key is used. You change the default authorization level by using the `authLevel` property in the binding JSON.
> [!NOTE] > When running functions locally, authorization is disabled regardless of the specified authorization level setting. After publishing to Azure, the `authLevel` setting in your trigger is enforced. Keys are still required when running [locally in a container](functions-create-container-registry.md#build-the-container-image-and-verify-locally). -
-#### Secure an HTTP endpoint in production
-
-To fully secure your function endpoints in production, you should consider implementing one of the following function app-level security options. When using one of these function app-level security methods, you should set the HTTP-triggered function authorization level to `anonymous`.
--
-##### Deploy your function app in isolation
-- ### Webhooks > [!NOTE] > Webhook mode is only available for version 1.x of the Functions runtime. This change was made to improve the performance of HTTP triggers in version 2.x and higher.
-In version 1.x, webhook templates provide additional validation for webhook payloads. In version 2.x and higher, the base HTTP trigger still works and is the recommended approach for webhooks.
+In version 1.x, webhook templates provide another validation for webhook payloads. In version 2.x and higher, the base HTTP trigger still works and is the recommended approach for webhooks.
#### WebHook type
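Review bot: The new Node.js tab group under the authorization-level text (`#### [Model v4](#tab/nodejs-v4)` through "Authorization defaults to the `function` level.") has no closing `---` before the `### <a name="authorization-keys"></a>Function access keys` heading, unlike the other tab groups in this change, so the tab block will swallow the heading that follows; add the closer, and confirm that "When a level isn't explicitly set, the default authorization depends on the version of the Node.js model:" sits inside a JavaScript/TypeScript `::: zone pivot`, because it now directly follows a `::: zone-end`. The relocated "### HTTP streams" section has the same zoning problem: it is Python-only text inserted straight after the Node.js `::: zone-end` and before "### Working with client identities", so it will render for every language unless wrapped in `::: zone pivot="programming-language-python"`; it also lost the blank line between the paragraph and `>[!IMPORTANT]` that the old location had. Wording: "webhook templates provide another validation for webhook payloads" should be "extra validation" ("another" changes the meaning), and "access keys to make it harder to access your function endpoints" would be clearer as "to restrict access to your function endpoints". Finally, the removed "Secure an HTTP endpoint in production" and "Deploy your function app in isolation" subsections need a home in function-keys-how-to.md or security-concepts.md, and any inbound links to those anchors need updating.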
azure-functions Functions Core Tools Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-core-tools-reference.md
The `func new` action supports the following options:
| Option | Description | | | -- |
-| **`--authlevel`** | Lets you set the authorization level for an HTTP trigger. Supported values are: `function`, `anonymous`, `admin`. Authorization isn't enforced when running locally. For more information, see the [HTTP binding article](functions-bindings-http-webhook-trigger.md#authorization-keys). |
+| **`--authlevel`** | Lets you set the authorization level for an HTTP trigger. Supported values are: `function`, `anonymous`, `admin`. Authorization isn't enforced when running locally. For more information, see [Authorization level](functions-bindings-http-webhook-trigger.md#http-auth). |
| **`--csx`** | (Version 2.x and later versions.) Generates the same C# script (.csx) templates used in version 1.x and in the portal. | | **`--language`**, **`-l`**| The template programming language, such as C#, F#, or JavaScript. This option is required in version 1.x. In version 2.x and later versions, you don't use this option because the language is defined by the worker runtime. | | **`--name`**, **`-n`** | The function name. |
The following publish options apply, based on version:
| Option | Description | | | -- |
-| **`--access-token`** | Lets you use a specific access token when performing authenticated azure actions. |
+| **`--access-token`** | Lets you use a specific access token when performing authenticated `azure` actions. |
| **`--access-token-stdin `** | Reads a specific access token from a standard input. Use this when reading the token directly from a previous command such as [`az account get-access-token`](/cli/azure/account#az-account-get-access-token). | | **`--additional-packages`** | List of packages to install when building native dependencies. For example: `python3-dev libevent-dev`. | | **`--build`**, **`-b`** | Performs build action when deploying to a Linux function app. Accepts: `remote` and `local`. |
The following deployment options apply:
| Option | Description | | | -- |
-| **`--access-token`** | Lets you use a specific access token when performing authenticated azure actions. |
+| **`--access-token`** | Lets you use a specific access token when performing authenticated `azure` actions. |
| **`--access-token-stdin `** | Reads a specific access token from a standard input. Use this when reading the token directly from a previous command such as [`az account get-access-token`](/cli/azure/account#az-account-get-access-token). | | **`--environment`** | The name of an existing Container Apps environment.| | **`--image-build`** | When set to `true`, skips the local Docker build. |
The following Kubernetes deployment options are available:
| **`--ignore-errors`** | Continues the deployment after a resource returns an error. The default behavior is to stop on error. | | **`--image-name`** | The name of the image to use for the pod deployment and from which to read functions. | | **`--keda-version`** | Sets the version of KEDA to install. Valid options are: `v1` and `v2` (default). |
-| **`--keys-secret-name`** | The name of a Kubernetes Secrets collection to use for storing [function access keys](functions-bindings-http-webhook-trigger.md#authorization-keys). |
+| **`--keys-secret-name`** | The name of a Kubernetes Secrets collection to use for storing [access keys](function-keys-how-to.md). |
| **`--max-replicas`** | Sets the maximum replica count for to which the Horizontal Pod Autoscaler (HPA) scales. | | **`--min-replicas`** | Sets the minimum replica count below which HPA won't scale. |
-| **`--mount-funckeys-as-containervolume`** | Mounts the [function access keys](functions-bindings-http-webhook-trigger.md#authorization-keys) as a container volume. |
+| **`--mount-funckeys-as-containervolume`** | Mounts the [access keys](function-keys-how-to.md) as a container volume. |
| **`--name`** | The name used for the deployment and other artifacts in Kubernetes. | | **`--namespace`** | Sets the Kubernetes namespace to which to deploy, which defaults to the default namespace. | | **`--no-docker`** | Functions are read from the current directory instead of from an image. Requires mounting the image filesystem. |
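Review bot: the `--keys-secret-name` and `--mount-funckeys-as-containervolume` rows now point at the generic access-keys page, but neither says how the two options relate or what the default is when no Secret name is given. Because these two options decide where the function access keys live in the cluster, the rows should state whether the mounted volume is populated from the Secret named by `--keys-secret-name` and what the default Secret name is, so that readers know which Secret to lock down with Kubernetes RBAC. A wording along the lines of "The name of the Kubernetes Secret in which the [access keys](function-keys-how-to.md) are stored" for the first row would also avoid the phrase "Secrets collection", which is not a Kubernetes term.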
azure-functions Functions Create First Java Gradle https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-create-first-java-gradle.md
Hello, AzureFunctions
</pre> > [!NOTE]
-> If you set authLevel to `FUNCTION` or `ADMIN`, the [function key](functions-bindings-http-webhook-trigger.md#authorization-keys) isn't required when running locally.
+> If you set authLevel to `FUNCTION` or `ADMIN`, the [access key](function-keys-how-to.md) isn't required when running locally.
Use `Ctrl+C` in the terminal to stop the function code.
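Review bot: in the rewritten note, `authLevel` is plain text while its values `FUNCTION` and `ADMIN` are in code font; format the property name as `authLevel` as well so the sentence reads consistently.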
azure-functions Functions Create Function App Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-create-function-app-portal.md
Next, create a function in the new function app.
1. Under **Select a template**, scroll down and choose the **HTTP trigger** template.
-1. In **Template details**, use `HttpExample` for **New Function**, select **Anonymous** from the **[Authorization level](functions-bindings-http-webhook-trigger.md#authorization-keys)** drop-down list, and then select **Create**.
+1. In **Template details**, use `HttpExample` for **New Function**, select **Anonymous** from the **[Authorization level](functions-bindings-http-webhook-trigger.md#http-auth)** drop-down list, and then select **Create**.
Azure creates the HTTP trigger function. Now, you can run the new function by sending an HTTP request. ::: zone-end
azure-functions Functions Create Your First Function Visual Studio https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-create-your-first-function-visual-studio.md
The Azure Functions project template in Visual Studio creates a C# class library
| **Functions worker** | **.NET 8.0 Isolated (Long Term Support)** | Your functions run on .NET 8 in an isolated worker process. | | **Function** | **HTTP trigger** | This value creates a function triggered by an HTTP request. | | **Use Azurite for runtime storage account (AzureWebJobsStorage)** | Enable | Because a function app in Azure requires a storage account, one is assigned or created when you publish your project to Azure. An HTTP trigger doesn't use an Azure Storage account connection string; all other trigger types require a valid Azure Storage account connection string. When you select this option, the [Azurite emulator](../storage/common/storage-use-azurite.md?tabs=visual-studio) is used. |
- | **Authorization level** | **Anonymous** | The created function can be triggered by any client without providing a key. This authorization setting makes it easy to test your new function. For more information about keys and authorization, see [Authorization keys](./functions-bindings-http-webhook-trigger.md#authorization-keys) and [HTTP and webhook bindings](./functions-bindings-http-webhook.md). |
+ | **Authorization level** | **Anonymous** | The created function can be triggered by any client without providing a key. This authorization setting makes it easy to test your new function. For more information, see [Authorization level](functions-bindings-http-webhook-trigger.md#http-auth). |
:::image type="content" source="../../includes/media/functions-vs-tools-create/functions-project-settings-v4-isolated.png" alt-text="Screenshot of Azure Functions project settings.":::
- Make sure you set the **Authorization level** to **Anonymous**. If you choose the default level of **Function**, you're required to present the [function key](./functions-bindings-http-webhook-trigger.md#authorization-keys) in requests to access your function endpoint in Azure.
+ Make sure you set the **Authorization level** to **Anonymous**. If you choose the default level of **Function**, you're required to present the [function key](function-keys-how-to.md) in requests to access your function endpoint in Azure.
2. Select **Create** to create the function project and HTTP trigger function.
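Review bot: the rewritten **Authorization level** row drops the link to the HTTP and webhook bindings article and keeps only the Authorization level link, which is fine for the table, but the step that follows ("Make sure you set the **Authorization level** to **Anonymous**") now leaves readers with no guidance beyond the function key link. The row itself says an anonymous function "can be triggered by any client without providing a key"; consider adding one sentence after the step saying that the level should be raised to **Function** before the app is used for anything other than testing, since the endpoint is reachable by anyone once published.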
azure-functions Functions Deployment Technologies https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-deployment-technologies.md
Some key concepts are critical to understanding how deployments work in Azure Fu
When you change any of your triggers, the Functions infrastructure must be aware of the changes. Synchronization happens automatically for many deployment technologies. However, in some cases, you must manually sync your triggers.
-You must manually sync triggers when using these deploymention options:
+You must manually sync triggers when using these deployment options:
+ [External package URL](#external-package-url) + [Local Git](#local-git)
You must manually sync triggers when using these deploymention options:
You can sync triggers in one of three ways: + Restart your function app in the Azure portal.
-+ Send an HTTP POST request to `https://{functionappname}.azurewebsites.net/admin/host/synctriggers?code=<API_KEY>` using the [master key](functions-bindings-http-webhook-trigger.md#authorization-keys).
++ Send an HTTP POST request to `https://{functionappname}.azurewebsites.net/admin/host/synctriggers?code=<API_KEY>` using the [master key](function-keys-how-to.md). + Send an HTTP POST request to `https://management.azure.com/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP_NAME>/providers/Microsoft.Web/sites/<FUNCTION_APP_NAME>/syncfunctiontriggers?api-version=2016-08-01`. Replace the placeholders with your subscription ID, resource group name, and the name of your function app. This request requires an [access token](/rest/api/azure/#acquire-an-access-token) in the [`Authorization` request header](/rest/api/azure/#request-header).
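Review bot: the typo fix in "You must manually sync triggers when using these deployment options:" covers only the first occurrence; the unchanged line after the list still reads "deploymention options" and duplicates the sentence, so fix or drop it in the same change. On the synctriggers bullet, the example passes the master key in the `?code=` query string; query strings routinely end up in proxy and access logs, so mention that the key can also be sent in a request header (the access-keys section that this same change removes from functions-how-to-use-azure-function-app-settings.md states that keys can be supplied either in the `?code=` query string or in the request header) and prefer the header form in the example.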
azure-functions Functions Develop Vs Code https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-develop-vs-code.md
The Functions extension lets you create the required function app project at the
1. For the function name, enter **HttpExample**, select Enter, and then select **Function** authorization.
- This authorization level requires that you provide a [function key](functions-bindings-http-webhook-trigger.md#authorization-keys) when you call the function endpoint.
+ This authorization level requires that you provide a [function key](function-keys-how-to.md) when you call the function endpoint.
:::image type="content" source="./media/functions-develop-vs-code/create-function-auth.png" alt-text="Screenshot for creating function authorization.":::
azure-functions Functions Develop Vs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-develop-vs.md
The Azure Functions project template in Visual Studio creates a C# class library
| **.NET version** | **.NET 6 Isolated** | This value creates a function project that runs in an [isolated worker process](dotnet-isolated-process-guide.md). Isolated worker process supports other non-LTS version of .NET and also .NET Framework. For more information, see [Azure Functions runtime versions overview](functions-versions.md). | | **Function template** | **HTTP trigger** | This value creates a function triggered by an HTTP request. | | **Storage account (AzureWebJobsStorage)** | **Storage emulator** | Because a function app in Azure requires a storage account, one is assigned or created when you publish your project to Azure. An HTTP trigger doesn't use an Azure Storage account connection string; all other trigger types require a valid Azure Storage account connection string. |
- | **Authorization level** | **Anonymous** | The created function can be triggered by any client without providing a key. This authorization setting makes it easy to test your new function. For more information about keys and authorization, see [Authorization keys](functions-bindings-http-webhook-trigger.md#authorization-keys) and [HTTP and webhook bindings](functions-bindings-http-webhook.md). |
+ | **Authorization level** | **Anonymous** | The created function can be triggered by any client without providing a key. This authorization setting makes it easy to test your new function. For more information, see [Authorization level](functions-bindings-http-webhook-trigger.md#http-auth).|
![Screenshot of Azure Functions project settings](./media/functions-develop-vs/functions-project-settings-v4-isolated.png) ::: zone-end
The Azure Functions project template in Visual Studio creates a C# class library
| **.NET version** | **.NET 6** | This value creates a function project that runs in-process with version 4.x of the Azure Functions runtime. For more information, see [Azure Functions runtime versions overview](functions-versions.md). | | **Function template** | **HTTP trigger** | This value creates a function triggered by an HTTP request. | | **Storage account (AzureWebJobsStorage)** | **Storage emulator** | Because a function app in Azure requires a storage account, one is assigned or created when you publish your project to Azure. An HTTP trigger doesn't use an Azure Storage account connection string; all other trigger types require a valid Azure Storage account connection string. |
- | **Authorization level** | **Anonymous** | The created function can be triggered by any client without providing a key. This authorization setting makes it easy to test your new function. For more information about keys and authorization, see [Authorization keys](functions-bindings-http-webhook-trigger.md#authorization-keys) and [HTTP and webhook bindings](functions-bindings-http-webhook.md). |
+ | **Authorization level** | **Anonymous** | The created function can be triggered by any client without providing a key. This authorization setting makes it easy to test your new function. For more information, see [Authorization level](functions-bindings-http-webhook-trigger.md#http-auth). |
![Screenshot of Azure Functions project settings](./media/functions-develop-vs/functions-project-settings.png) ::: zone-end
- Make sure you set the **Authorization level** to **Anonymous**. If you choose the default level of **Function**, you're required to present the [function key](functions-bindings-http-webhook-trigger.md#authorization-keys) in requests to access your function endpoint.
+ Make sure you set the **Authorization level** to **Anonymous**. If you choose the default level of **Function**, you're required to present the [function key](function-keys-how-to.md) in requests to access your function endpoint.
1. Select **Create** to create the function project and HTTP trigger function. ::: zone pivot="isolated"
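Review bot: in the first rewritten **Authorization level** row (the .NET 6 Isolated table), the row ends with `#http-auth).|` with no space before the closing pipe, while the second table's row ends with `). |`; add the space so both tables are formatted the same way.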
azure-functions Functions How To Use Azure Function App Settings https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-how-to-use-azure-function-app-settings.md
Use the following procedure to migrate from a Premium plan to a Consumption plan
-## Get your function access keys
-
-HTTP triggered functions can generally be called by using a URL in the format: `https://<APP_NAME>.azurewebsites.net/api/<FUNCTION_NAME>`. When the authorization to your function is set a value other than `anonymous`, you must also provide an access key in your request. The access key can either be provided in the URL using the `?code=` query string or in the request header. For more information, see [Function access keys](functions-bindings-http-webhook-trigger.md#authorization-keys). There are several ways to get your access keys.
-
-### [Azure portal](#tab/azure-portal)
-
-1. Sign in to the Azure portal, then search for and select **Function App**.
-
-1. Select the function you want to verify.
-
-1. In the left pane, expand **Functions**, and then select **App keys**.
-
- The **App keys** page appears. On this page the host keys are displayed, which can be used to access any function in the app. The system key is also displayed, which gives anyone administrator-level access to all function app APIs.
-
-You can also practice least privilege by using the key for a specific function. To do so, select **Function keys** under **Developer** in your HTTP-triggered function.
-
-### [Azure CLI](#tab/azure-cli)
-
-Run the following script in Azure Cloud Shell, the output of which is the [default (host) key](functions-bindings-http-webhook-trigger.md#authorization-scopes-function-level) that can be used to access any HTTP triggered function in the function app.
-
-```azurecli-interactive
-subName='<SUBSCRIPTION_ID>'
-resGroup=AzureFunctionsContainers-rg
-appName=glengagtestdocker
-path=/subscriptions/$subName/resourceGroups/$resGroup/providers/Microsoft.Web/sites/$appName/host/default/listKeys?api-version=2018-11-01
-az rest --method POST --uri $path --query functionKeys.default --output tsv
-```
-
-In this script, replace `<SUBSCRIPTION_ID>` and `<APP_NAME>` with the ID of your subscription and your function app name, respective. This script runs on Bash in Cloud Shell. It must be modified to run in a Windows command prompt.
-
-### [Azure PowerShell](#tab/azure-powershell)
-
-Run the following script, the output of which is the [default (host) key](functions-bindings-http-webhook-trigger.md#authorization-scopes-function-level) that can be used to access any HTTP triggered function in the function app.
-
-```powershell-interactive
-$subName = '<SUBSCRIPTION_ID>'
-$rGroup = 'AzureFunctionsContainers-rg'
-$appName = '<APP_NAME>'
-$path = "/subscriptions/$subName/resourceGroups/$rGroup/providers/Microsoft.Web/sites/$appName/host/default/listKeys?api-version=2018-11-01"
-((Invoke-AzRestMethod -Path $path -Method POST).Content | ConvertFrom-JSON).functionKeys.default
-```
-
-In this script, replace `<SUBSCRIPTION_ID>` and `<APP_NAME>` with the ID of your subscription and your function app name, respectively.
--- ## Development limitations in the Azure portal Consider these limitations when you develop your functions in the [Azure portal](https://portal.azure.com):
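Review bot: this deletes the only place in the article that explained key scope, including the statement that the system key gives administrator-level access to all function app APIs and the least-privilege advice to prefer a function-specific key over a host key; the other hunks in this change redirect readers to function-keys-how-to.md, so confirm that page covers both points before the section is removed. If the section is being moved rather than dropped, also carry over two fixes: the Azure CLI script hard-coded `appName=glengagtestdocker` while the text told readers to replace `<APP_NAME>` (the PowerShell variant correctly uses `$appName = '<APP_NAME>'`), and "respective" should read "respectively".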
Function apps run in the Azure App Service platform, which maintains them. As su
The following matrix indicates Azure portal feature support by hosting plan and operating system:
-| Feature | Consumption plan | Premium plan | Dedicated plan |
+| Feature | Consumption plan | Flex Consumption plan | Premium plan | Dedicated plan |
| | | | |
-| [Advanced tools (Kudu)](#kudu) | Windows: Γ£ö <br/>Linux: **X** | Γ£ö | Γ£ö|
-| [App Service editor](#editor) | Windows: Γ£ö <br/>Linux: **X** | Windows: Γ£ö <br/>Linux: **X** | Windows: Γ£ö <br/>Linux: **X**|
-| [Backups](../app-service/manage-backup.md) |**X** |**X** | Γ£ö|
-| [Console](#console) | Windows: command-line <br/>Linux: **X** | Windows: command-line <br/>Linux: SSH | Windows: command-line <br/>Linux: SSH |
+| [Advanced tools (Kudu)](#kudu) | Windows: Γ£ö <br/>Linux: **X** | **X** | Γ£ö | Γ£ö|
+| [App Service editor](#editor) | Windows: Γ£ö <br/>Linux: **X** | **X** | Windows: Γ£ö <br/>Linux: **X** | Windows: Γ£ö <br/>Linux: **X**|
+| [Backups](../app-service/manage-backup.md) |**X** |**X** | **X** | Γ£ö|
+| [Console](#console) | Windows: command-line <br/>Linux: **X** | **X** | Windows: command-line <br/>Linux: SSH | Windows: command-line <br/>Linux: SSH |
The rest of this article focuses on the following features in the portal that are useful for your function apps:
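Review bot: the header row gains a **Flex Consumption plan** column, but the unchanged separator row `| | | | |` still has four cells, so five header cells sit over a four-cell separator and the table will not render; add a fifth cell to the separator. The check marks in the added rows also appear here as `Γ£ö`, which is the byte sequence of the UTF-8 ✔ glyph read as code page 437; confirm the source file stores them as ✔ and is saved as UTF-8.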
azure-functions Functions Infrastructure As Code https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-infrastructure-as-code.md
Title: Automate function app resource deployment to Azure
description: Learn how to build, validate, and use a Bicep file or an Azure Resource Manager template to deploy your function app and related Azure resources. ms.assetid: d20743e3-aab6-442c-a836-9bcea09bfd32 Previously updated : 04/01/2024 Last updated : 07/16/2024 zone_pivot_groups: functions-hosting-plan # Automate resource deployment for your function app in Azure Functions
-You can use a Bicep file or an Azure Resource Manager template to automate the process of deploying a function app to new or existing Azure resources. Such automation provides a great way to be able to integrate your resource deployments with your source code in DevOps, restore a function app and related resources from a backup, or deploy an app topology multiple times.
+You can use a Bicep file or an Azure Resource Manager (ARM) template to automate the process of deploying your function app. During the deployment, you can use existing Azure resources or create new ones. Automation help's you with these scenarios:
+++ Integrating your resource deployments with your source code in Azure Pipelines and GitHub Actions-based deployments.++ Restoring a function app and related resources from a backup.++ Deploying an app topology multiple times. This article shows you how to automate the creation of resources and deployment for Azure Functions. Depending on the [triggers and bindings](functions-triggers-bindings.md) used by your functions, you might need to deploy other resources, which is outside of the scope of this article.
-The specific template code depends on how your function app is hosted, whether you're deploying code or a containerized function app, and the operating system used by your app. This article supports the following hosting options:
+The template code required depends on the desired hosting options for your function app. This article supports the following hosting options:
| Hosting option | Deployment type | To learn more, see... | | -- | -- | -- | | [Azure Functions Consumption plan](functions-infrastructure-as-code.md?pivots=consumption-plan) | Code-only | [Consumption plan](./consumption-plan.md) |
+| [Azure Functions Flex Consumption plan](functions-infrastructure-as-code.md?pivots=consumption-plan) | Code-only | [Flex Consumption plan](./flex-consumption-plan.md) |
| [Azure Functions Elastic Premium plan](functions-infrastructure-as-code.md?pivots=premium-plan) | Code \| Container | [Premium plan](./functions-premium-plan.md)| | [Azure Functions Dedicated (App Service) plan](functions-infrastructure-as-code.md?pivots=dedicated-plan) | Code \| Container | [Dedicated plan](./dedicated-plan.md)| | [Azure Container Apps](functions-infrastructure-as-code.md?pivots=premium-plan) | Container-only | [Container Apps hosting of Azure Functions](functions-container-apps-hosting.md)| | [Azure Arc](functions-infrastructure-as-code.md?pivots=premium-plan) | Code \| Container | [App Service, Functions, and Logic Apps on Azure Arc (Preview)](../app-service/overview-arc-integration.md)| +
+When using this article, keep these considerations in mind:
+++ There's no canonical way to structure an ARM template.
+
++ A Bicep deployment can be modularized into multiple Bicep files. +++ This article assumes that you have a basic understanding of [creating Bicep files](../azure-resource-manager/bicep/file.md) or [authoring Azure Resource Manager templates](../azure-resource-manager/templates/syntax.md). ++ Examples are shown as individual sections for specific resources. For a broad set of complete Bicep file and ARM template examples, see [these function app deployment examples](/samples/browse/?expanded=azure&terms=%22azure%20functions%22&products=azure-resource-manager). ++ Examples are shown as individual sections for specific resources. For a broad set of complete Bicep file and ARM template examples, see [these Flex Consumption app deployment examples](/samples/browse/?expanded=azure&terms=%22azure%20functions%20flex%22&products=azure-resource-manager). ++ Examples are shown as individual sections for specific resources. ## Required resources
-An Azure Functions-hosted deployment typically consists of these resources:
+You must create or configure these resources for an Azure Functions-hosted deployment:
| Resource | Requirement | Syntax and properties reference | ||-|-| | A [storage account](#create-storage-account) | Required | [Microsoft.Storage/storageAccounts](/azure/templates/microsoft.storage/storageaccounts) |
-| An [Application Insights](#create-application-insights) component | Recommended | [Microsoft.Insights/components](/azure/templates/microsoft.insights/components)|
-| A [hosting plan](#create-the-hosting-plan)| Required<sup>1</sup> | [Microsoft.Web/serverfarms](/azure/templates/microsoft.web/serverfarms) |
+| An [Application Insights](#create-application-insights) component | Recommended | [Microsoft.Insights/components](/azure/templates/microsoft.insights/components)<sup>*</sup>|
+| A [hosting plan](#create-the-hosting-plan)| Required | [Microsoft.Web/serverfarms](/azure/templates/microsoft.web/serverfarms) |
| A [function app](#create-the-function-app) | Required | [Microsoft.Web/sites](/azure/templates/microsoft.web/sites) | :::zone-end :::zone pivot="consumption-plan"
-An Azure Functions deployment for a Consumption plan typically consists of these resources:
+You must create or configure these resources for an Azure Functions-hosted deployment:
| Resource | Requirement | Syntax and properties reference | ||-|-| | A [storage account](#create-storage-account) | Required | [Microsoft.Storage/storageAccounts](/azure/templates/microsoft.storage/storageaccounts) |
-| An [Application Insights](#create-application-insights) component | Recommended | [Microsoft.Insights/components](/azure/templates/microsoft.insights/components)|
+| An [Application Insights](#create-application-insights) component | Recommended | [Microsoft.Insights/components](/azure/templates/microsoft.insights/components)<sup>*</sup>|
| A [function app](#create-the-function-app) | Required | [Microsoft.Web/sites](/azure/templates/microsoft.web/sites) | :::zone-end :::zone pivot="container-apps"
An Azure Container Apps-hosted deployment typically consists of these resources:
| Resource | Requirement | Syntax and properties reference | ||-|-| | A [storage account](#create-storage-account) | Required | [Microsoft.Storage/storageAccounts](/azure/templates/microsoft.storage/storageaccounts) |
-| An [Application Insights](#create-application-insights) component | Recommended | [Microsoft.Insights/components](/azure/templates/microsoft.insights/components)|
+| An [Application Insights](#create-application-insights) component | Recommended | [Microsoft.Insights/components](/azure/templates/microsoft.insights/components)<sup>*</sup>|
| A [managed environment](./functions-container-apps-hosting.md#) | Required | [Microsoft.App/managedEnvironments](/azure/templates/microsoft.app/managedenvironments) | | A [function app](#create-the-function-app) | Required | [Microsoft.Web/sites](/azure/templates/microsoft.web/sites) | :::zone-end
An Azure Arc-hosted deployment typically consists of these resources:
| Resource | Requirement | Syntax and properties reference | ||-|-| | A [storage account](#create-storage-account) | Required | [Microsoft.Storage/storageAccounts](/azure/templates/microsoft.storage/storageaccounts) |
-| An [Application Insights](#create-application-insights) component | Recommended | [Microsoft.Insights/components](/azure/templates/microsoft.insights/components)|
+| An [Application Insights](#create-application-insights) component | Recommended | [Microsoft.Insights/components](/azure/templates/microsoft.insights/components)<sup>1</sup>|
| An [App Service Kubernetes environment](../app-service/overview-arc-integration.md#app-service-kubernetes-environment) | Required | [Microsoft.ExtendedLocation/customLocations](/azure/templates/microsoft.extendedlocation/customlocations) | | A [function app](#create-the-function-app) | Required | [Microsoft.Web/sites](/azure/templates/microsoft.web/sites) | :::zone-end
-<sup>1</sup>An explicit hosting plan isn't required when you choose to host your function app in a [Consumption plan](./consumption-plan.md).
+<sup>*</sup>If you don't already have a Log Analytics Workspace that can be used by your Application Insights instance, you also need to create this resource.
When you deploy multiple resources in a single Bicep file or ARM template, the order in which resources are created is important. This requirement is a result of dependencies between resources. For such dependencies, make sure to use the `dependsOn` element to define the dependency in the dependent resource. For more information, see either [Define the order for deploying resources in ARM templates](../azure-resource-manager/templates/resource-dependency.md) or [Resource dependencies in Bicep](../azure-resource-manager/bicep/resource-dependencies.md).
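Review bot: the Azure Arc resources table marks Application Insights with `<sup>1</sup>` while the other three tables use `<sup>*</sup>` and the new footnote is `<sup>*</sup>If you don't already have a Log Analytics Workspace…`, so the Arc table now refers to a footnote that no longer exists; change it to `<sup>*</sup>`. Two smaller points in the same hunk: "Automation help's you with these scenarios" should read "Automation helps you", and the new **Azure Functions Flex Consumption plan** row links to `?pivots=consumption-plan`, the same pivot as the Consumption plan row, which looks like a copy-and-paste slip. The considerations list also repeats "Examples are shown as individual sections for specific resources" three times with different sample links; if these are pivot-specific variants, check that the zone markers are present, and if not, collapse them into one bullet.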
-This article assumes that you have a basic understanding about [creating Bicep files](../azure-resource-manager/bicep/file.md) or [authoring Azure Resource Manager templates](../azure-resource-manager/templates/syntax.md), and examples are shown as individual sections for specific resources. For a broad set of complete Bicep file and ARM template examples, see [these function app deployment examples](/samples/browse/?expanded=azure&terms=%22azure%20functions%22&products=azure-resource-manager).
## Prerequisites +++ The examples are designed to execute in the context of an existing resource group.++ Both Application Insights and storage logs require you to have an existing [Azure Log Analytics workspace](../azure-monitor/logs/log-analytics-overview.md). Workspaces can be shared between services, and as a rule of thumb you should create a workspace in each geographic region to improve performance. For an example of how to create a Log Analytics workspace, see [Create a Log Analytics workspace](../azure-monitor/logs/quick-create-workspace.md?tabs=azure-resource-manager#create-a-workspace). You can find the fully qualified workspace resource ID in a workspace page in the [Azure portal](https://portal.azure.com) under **Settings** > **Properties** > **Resource ID**. :::zone pivot="container-apps"
-This article assumes that you have already created a [managed environment](../container-apps/environment.md) in Azure Container Apps. You need both the name and the ID of the managed environment to create a function app hosted on Container Apps.
++ This article assumes that you have already created a [managed environment](../container-apps/environment.md) in Azure Container Apps. You need both the name and the ID of the managed environment to create a function app hosted on Container Apps. :::zone-end :::zone pivot="azure-arc"
-This article assumes that you have already created an [App Service-enabled custom location](../app-service/overview-arc-integration.md) on an [Azure Arc-enabled Kubernetes cluster](../azure-arc/kubernetes/overview.md). You need both the custom location ID and the Kubernetes environment ID to create a function app hosted in an Azure Arc custom location.
++ This article assumes that you have already created an [App Service-enabled custom location](../app-service/overview-arc-integration.md) on an [Azure Arc-enabled Kubernetes cluster](../azure-arc/kubernetes/overview.md). You need both the custom location ID and the Kubernetes environment ID to create a function app hosted in an Azure Arc custom location. :::zone-end <a name="storage"></a> ## Create storage account
All function apps require an Azure storage account. You need a general purpose a
[!INCLUDE [functions-storage-access-note](../../includes/functions-storage-access-note.md)]
-This example section creates a Standard general-purpose v2 storage account:
+This example section creates a Standard general purpose v2 storage account:
+
+### [Bicep](#tab/bicep)
+
+```bicep
+resource storageAccountName 'Microsoft.Storage/storageAccounts@2023-05-01' = {
+ name: storageAccountName
+ location: location
+ kind: 'StorageV2'
+ sku: {
+ name: 'Standard_LRS'
+ }
+ properties: {
+ supportsHttpsTrafficOnly: true
+ defaultToOAuthAuthentication: true
+ allowBlobPublicAccess: false
+ }
+}
+```
+For more context, see the complete [main.bicep](https://github.com/Azure-Samples/function-app-arm-templates/blob/main/function-app-linux-consumption/main.bicep#L37) file in the templates repository.
+For more context, see the complete [storage-account.bicep](https://github.com/Azure-Samples/azure-functions-flex-consumption-samples/blob/main/starters/http/dotnet/infra/core/storage/storage-account.bicep#L11) file in the sample repository.
### [ARM template](#tab/json)
This example section creates a Standard general-purpose v2 storage account:
"resources": [ { "type": "Microsoft.Storage/storageAccounts",
- "apiVersion": "2022-05-01",
+ "apiVersion": "2023-05-01",
"name": "[parameters('storageAccountName')]", "location": "[parameters('location')]", "kind": "StorageV2", "sku": {
- "name": "[parameters('storageAccountType')]"
+ "name": "Standard_LRS"
}, "properties": { "supportsHttpsTrafficOnly": true,
- "defaultToOAuthAuthentication": true
+ "defaultToOAuthAuthentication": true,
+ "allowBlobPublicAccess": false
} } ]
This example section creates a Standard general-purpose v2 storage account:
For more context, see the complete [azuredeploy.json](https://github.com/Azure-Samples/function-app-arm-templates/blob/main/function-app-linux-consumption/azuredeploy.json#L77) file in the templates repository. ++
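Review bot: in the Bicep tab, the resource's symbolic name and the value passed to `name:` are the same identifier (`resource storageAccountName 'Microsoft.Storage/storageAccounts@2023-05-01' = {` followed by `name: storageAccountName`), so the declaration either collides with a `storageAccountName` parameter or references its own declaration, and Bicep rejects both; the removed block had the same defect. Rename the symbolic name, for example `resource storageAccount 'Microsoft.Storage/storageAccounts@2023-05-01' = {` with `name: storageAccountName` inside. The hardening added in both tabs (`supportsHttpsTrafficOnly: true`, `defaultToOAuthAuthentication: true`, `allowBlobPublicAccess: false`) is welcome; `minimumTlsVersion: 'TLS1_2'` belongs in the same property block. In the ARM tab, `"name": "Standard_LRS"` replaces the `[parameters('storageAccountType')]` reference, so remove the now-unused `storageAccountType` parameter from the template's `parameters` section in the linked azuredeploy.json, and the duplicated "This example section creates a Standard general-purpose v2 storage account:" sentence above and below the snippet should appear once. The Bicep tab also ends with two "For more context" lines pointing at different repositories; if those are pivot variants, check the zone markers.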
+You need to set the connection string of this storage account as the `AzureWebJobsStorage` app setting, which Functions requires. The templates in this article construct this connection string value based on the created storage account, which is a best practice. For more information, see [Application configuration](#application-configuration).
+
+<!{{todo: MI/KeyVault info/links here}} -->
+
+### Deployment container
+
+Deployments to an app running in the Flex Consumption plan require a container in Azure Blob Storage as the deployment source. You can use either the default storage account or you can specify a separate storage account. For more information, see [Configure deployment settings](flex-consumption-how-to.md#configure-deployment-settings).
+
+This deployment account must already be configured when you create your app, including the specific container used for deployments. To learn more about configuring deployments, see [Deployment sources](#deployment-sources-2).
+
+This example shows how to create a container in the storage account:
+ ### [Bicep](#tab/bicep)
-```bicep
-resource storageAccountName 'Microsoft.Storage/storageAccounts@2022-05-01' = {
- name: storageAccountName
- location: location
- kind: 'StorageV2'
- sku: {
- name: storageAccountType
- }
- properties: {
- supportsHttpsTrafficOnly: true
- defaultToOAuthAuthentication: true
- }
-}
-```
-For more context, see the complete [main.bicep](https://github.com/Azure-Samples/function-app-arm-templates/blob/main/function-app-linux-consumption/main.bicep#L37) file in the templates repository.
+For the snippet in context, see [this deployment example](https://github.com/Azure-Samples/azure-functions-flex-consumption-samples/blob/main/IaC/bicep/core/storage/storage-account.bicep#L46).
+
+### [ARM template](#tab/json)
++
+For the snippet in context, see [this deployment example](https://github.com/Azure-Samples/azure-functions-flex-consumption-samples/blob/main/IaC/armtemplate/azuredeploy.json#L117).
-You need to set the connection string of this storage account as the `AzureWebJobsStorage` app setting, which Functions requires. The templates in this article construct this connection string value based on the created storage account, which is a best practice. For more information, see [Application configuration](#application-configuration).
+Other deployment settings are [configured with the app itself](#deployment-sources-2).
### Enable storage logs Because the storage account is used for important function app data, you should monitor the account for modification of that content. To monitor your storage account, you need to configure Azure Monitor resource logs for Azure Storage. In this example section, a Log Analytics workspace named `myLogAnalytics` is used as the destination for these logs.
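Review bot: in the Deployment container region above, the added line `<!{{todo: MI/KeyVault info/links here}} -->` is a malformed HTML comment (the `--` after `<!` is missing), so it renders as visible text rather than being hidden; finish the TODO or drop the line before merging. The same paragraph tells readers to set `AzureWebJobsStorage` to the account's connection string and calls that a best practice, which places the storage account key in app settings; since the Application configuration section later documents the identity-based `AzureWebJobsStorage__accountName` alternative, point to it here instead of endorsing the key-based string. Also, "This example shows how to create a container in the storage account:" is followed by the Bicep and ARM tab headers with only the "For the snippet in context" links between them, so verify the snippet include was not dropped.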
+#### [Bicep](#tab/bicep)
+
+```bicep
+resource blobService 'Microsoft.Storage/storageAccounts/blobServices@2021-09-01' existing = {
+ name:'default'
+ parent:storageAccountName
+}
+
+resource storageDataPlaneLogs 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
+ name: '${storageAccountName}-logs'
+ scope: blobService
+ properties: {
+ workspaceId: myLogAnalytics.id
+ logs: [
+ {
+ category: 'StorageWrite'
+ enabled: true
+ }
+ ]
+ metrics: [
+ {
+ category: 'Transaction'
+ enabled: true
+ }
+ ]
+ }
+}
+```
+ #### [ARM template](#tab/json) ```json
Because the storage account is used for important function app data, you should
] ```
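Review bot: in the Bicep storage-logs snippet `storageAccountName` is used both as `parent` of the `blobService` resource, which needs a resource symbol, and inside `'${storageAccountName}-logs'`, which needs a string; one of the two cannot be right, so use the storage account's resource symbol for `parent` and its `name` (or the string parameter) in the interpolation. The paragraph says the goal is to monitor modification of function app content, but the diagnostic setting only enables the `StorageWrite` category; deletes are modifications too, so add a `StorageDelete` entry to `logs` (and `StorageRead` if access auditing is wanted). The ARM tab body for this section is not visible in the hunk after the `#### [ARM template](#tab/json)` line; confirm it survived the move.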
-#### [Bicep](#tab/bicep)
++
+This same workspace can be used for the Application Insights resource defined later. For more information, including how to work with these logs, see [Monitoring Azure Storage](../storage/blobs/monitor-blob-storage.md).
+
+## Create Application Insights
+
+You should be using Application Insights for monitoring your function app executions. Application Insights now requires an Azure Log Analytics workspace, which can be shared. These examples assume you're using an existing workspace and have the fully qualified resource ID for the workspace. For more information, see [Azure Log Analytics workspace](../azure-monitor/logs/log-analytics-overview.md).
+
+In this example section, the Application Insights resource is defined with the type `Microsoft.Insights/components` and the kind `web`:
+
+### [Bicep](#tab/bicep)
```bicep
-resource blobService 'Microsoft.Storage/storageAccounts/blobServices@2021-09-01' existing = {
- name:'default'
- parent:storageAccountName
+resource applicationInsight 'Microsoft.Insights/components@2020-02-02' = {
+ name: applicationInsightsName
+ location: appInsightsLocation
+ tags: tags
+ kind: 'web'
+ properties: {
+ Application_Type: 'web'
+ WorkspaceResourceId: '<FULLY_QUALIFIED_RESOURCE_ID>'
+ }
}
+```
-resource storageDataPlaneLogs 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
- name: '${storageAccountName}-logs'
- scope: blobService
- properties: {
- workspaceId: myLogAnalytics.id
- logs: [
- {
- category: 'StorageWrite'
- enabled: true
- }
- ]
- metrics: [
- {
- category: 'Transaction'
- enabled: true
- }
- ]
+For more context, see the complete [main.bicep](https://github.com/Azure-Samples/function-app-arm-templates/blob/main/function-app-linux-consumption/main.bicep#L60) file in the templates repository.
++
+### [ARM template](#tab/json)
+
+```json
+{
+ "type": "Microsoft.Insights/components",
+ "apiVersion": "2020-02-02",
+ "name": "[parameters('applicationInsightsName')]",
+ "location": "[parameters('location')]",
+ "kind": "web",
+ "properties": {
+ "Application_Type": "web",
+ "WorkspaceResourceId": "<FULLY_QUALIFIED_RESOURCE_ID>"
} } ``` +
+For more context, see the complete [azuredeploy.json](https://github.com/Azure-Samples/function-app-arm-templates/blob/main/function-app-linux-consumption/azuredeploy.json#L102) file in the templates repository.
+
-This same workspace can be used for the Application Insights resource defined later. For more information, including how to work with these logs, see [Monitoring Azure Storage](../storage/blobs/monitor-blob-storage.md).
+The connection must be provided to the function app using the [`APPLICATIONINSIGHTS_CONNECTION_STRING`](functions-app-settings.md#applicationinsights_connection_string) application setting. For more information, see [Application configuration](#application-configuration).
-## Create Application Insights
+The examples in this article obtain the connection string value for the created instance. Older versions might instead use [`APPINSIGHTS_INSTRUMENTATIONKEY`](functions-app-settings.md#appinsights_instrumentationkey) to set the instrumentation key, which is no longer recommended.
-Application Insights is recommended for monitoring your function app executions. In this example section, the Application Insights resource is defined with the type `Microsoft.Insights/components` and the kind `web`:
+## Create the hosting plan
-### [ARM template](#tab/json)
+Apps hosted in an Azure Functions [Flex Consumption plan](./flex-consumption-plan.md), [Premium plan](./functions-premium-plan.md), or [Dedicated (App Service) plan](./dedicated-plan.md) must have the hosting plan explicitly defined.
+Flex Consumption is a Linux-based hosting plan that builds on the Consumption _pay for what you use_ serverless billing model. The plan features support for private networking, instance memory size selection, and improved managed identity support.
+A Flex Consumption plan is a special type of `serverfarm` resource. You can specify it by using `FC1` for the `Name` property value in the `sku` property with a `tier` value of `FlexConsumption`.
-For more context, see the complete [azuredeploy.json](https://github.com/Azure-Samples/function-app-arm-templates/blob/main/function-app-linux-consumption/azuredeploy.json#L102) file in the templates repository.
+This example section creates Flex Consumption plan:
### [Bicep](#tab/bicep)
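Review bot: the Application Insights snippets in the region above hardcode `'<FULLY_QUALIFIED_RESOURCE_ID>'` for `WorkspaceResourceId`, while the storage-logs section already references a `myLogAnalytics` workspace and the text says that workspace can be reused; using `myLogAnalytics.id` (or a workspace ID parameter) would make the sample deployable as written. The Bicep snippet also references `appInsightsLocation` and `tags`, which the ARM tab does not (it uses `parameters('location')` and no tags); align the two tabs or declare those values in the snippet.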
-For more context, see the complete [main.bicep](https://github.com/Azure-Samples/function-app-arm-templates/blob/main/function-app-linux-consumption/main.bicep#L60) file in the templates repository.
+For more context, see the complete [function.bicep](https://github.com/Azure-Samples/azure-functions-flex-consumption-samples/blob/main/IaC/bicep/core/host/function.bicep#L21) file in the Flex Consumption plan sample repository.
-
+### [ARM template](#tab/json)
-The connection must be provided to the function app using the [`APPLICATIONINSIGHTS_CONNECTION_STRING`](functions-app-settings.md#applicationinsights_connection_string) application setting. For more information, see [Application settings](#application-configuration).
-The examples in this article obtain the connection string value for the created instance. Older versions might instead use [`APPINSIGHTS_INSTRUMENTATIONKEY`](functions-app-settings.md#appinsights_instrumentationkey) to set the instrumentation key, which is no longer recommended.
+For more context, see the complete [azuredeploy.json](https://github.com/Azure-Samples/azure-functions-flex-consumption-samples/blob/main/IaC/armtemplate/azuredeploy.json#L136) file in the templates repository.
-## Create the hosting plan
+
-Apps hosted in an Azure Functions [Premium plan](./functions-premium-plan.md) or [Dedicated (App Service) plan](./dedicated-plan.md) must have the hosting plan explicitly defined.
+Because the Flex Consumption plan currently only supports Linux, you must also set the `reserved` property to `true`.
:::zone pivot="premium-plan" The Premium plan offers the same scaling as the Consumption plan but includes dedicated resources and extra capabilities. To learn more, see [Azure Functions Premium Plan](functions-premium-plan.md).
For a list of application settings required when running on Windows, see [Applic
[!INCLUDE [functions-arm-linux-intro](../../includes/functions-arm-linux-intro.md)] +
+Flex Consumption replaces many of the standard application settings and site configuration properties used in Bicep and ARM template deployments. For more information, see [Application configuration](#application-configuration).
+
+### [Bicep](#tab/bicep)
++
+For more context, see the complete [function.bicep](https://github.com/Azure-Samples/azure-functions-flex-consumption-samples/blob/main/IaC/bicep/core/host/function.bicep#L35) file in the Flex Consumption plan sample repository.
+
+### [ARM template](#tab/json)
++
+For more context, see the complete [azuredeploy.json](https://github.com/Azure-Samples/azure-functions-flex-consumption-samples/blob/main/IaC/armtemplate/azuredeploy.json#L144) file in the templates repository.
+ ::: zone-end :::zone pivot="consumption-plan"
Your Bicep file or ARM template can optionally also define a deployment for your
+ [Zip deployment package](./deployment-zip-push.md) + [Linux container](./functions-how-to-custom-container.md) :::zone-end
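Review bot: in the hosting plan region, "This example section creates Flex Consumption plan:" is missing its article ("creates a Flex Consumption plan"), and "using `FC1` for the `Name` property value in the `sku` property" should use lowercase `name`, which is the actual property key. Both tabs under that sentence, and again under the Flex Consumption app paragraph, contain only the "For more context" link with no snippet between the tab header and the link, so verify the snippet includes were not dropped. The statement that `reserved` must be `true` because the plan is Linux-only sits after the ARM tab; move it before the tabs so readers see it before copying a snippet.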
+## Deployment sources
+
+In the Flex Consumption plan, your project code is deployed from a zip-compressed package published to a Blob storage container. For more information, see [Deployment](flex-consumption-plan.md#deployment). The specific storage account and container used for deployments, the authentication method, and credentials are set in the `functionAppConfig.deployment.storage` element of the `properties` for the site. The container and any application settings must exist when the app is created. For an example of how to create the storage container, see [Deployment container](#deployment-container).
+
+This example uses a system assigned managed identity to access the specified blob storage container, which is created elsewhere in the deployment:
+
+### [Bicep](#tab/bicep)
++
+### [ARM template](#tab/json)
++++
+When using managed identities, you must also enable the function app to access the storage account using the identity, as shown in this example:
+
+ ### [Bicep](#tab/bicep)
++
+For a complete reference example, see [this Bicep file](https://github.com/Azure-Samples/azure-functions-flex-consumption-samples/blob/main/IaC/bicep/core/host/function.bicep).
+
+### [ARM template](#tab/json)
++
+For a complete reference example, see [this ARM template](https://github.com/Azure-Samples/azure-functions-flex-consumption-samples/blob/main/IaC/armtemplate/azuredeploy.json).
+++
+When using a connection string instead of managed identities, you need to instead set the `authentication.type` to `StorageAccountConnectionString` and set `authentication.storageAccountConnectionStringName` to the name of the application setting that contains the deployment storage account connection string.
:::zone pivot="consumption-plan" ## Deployment sources Your Bicep file or ARM template can optionally also define a deployment for your function code using a [zip deployment package](./deployment-zip-push.md). :::zone-end :::zone pivot="dedicated-plan,premium-plan,consumption-plan"
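Review bot: in the Deployment sources region, "you must also enable the function app to access the storage account using the identity, as shown in this example" is followed by empty Bicep and ARM tabs, so the role assignment it refers to is not in the hunk; when the snippet is restored, name the RBAC role the identity needs and scope the assignment to the deployment container (or at least the account) rather than the resource group. The closing paragraph on `StorageAccountConnectionString` should say that the named app setting must hold a full connection string, that is, the account key, which is why the managed identity path above it is preferred; the text currently presents the two as equivalent choices.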
-To successfully deploy your application by using Azure Resource Manager, it's important to understand how resources are deployed in Azure. In most examples, top-level configurations are applied by using `siteConfig`. It's important to set these configurations at a top level, because they convey information to the Functions runtime and deployment engine. Top-level information is required before the child `sourcecontrols/web` resource is applied. Although it's possible to configure these settings in the child-level `config/appSettings` resource, in some cases your function app must be deployed *before* `config/appSettings` is applied.
+To successfully deploy your application by using Azure Resource Manager, it's important to understand how resources are deployed in Azure. In most examples, top-level configurations are applied by using `siteConfig`. It's important to set these configurations at a top level, because they convey information to the Functions runtime and deployment engine. Top-level information is required before the child `sourcecontrols/web` resource is applied. Although it's possible to configure these settings in the child-level `config/appSettings` resource, in some cases your function app must be deployed _before_ `config/appSettings` is applied.
## Zip deployment package
Keep the following things in mind when including zip deployment resources in you
The deployment process assumes that the .zip file that you use or a zip deployment contains a ready-to-run app. This means that by default no customizations are run.
-However, there are scenarios that require you to rebuild your app remotely, such as when you need to pull Linux-specific packages in Python or Node.js apps that you developed on a Windows computer. In this case, you can configure Functions to perform a remote build on your code after the zip deployment.
+There are scenarios that require you to rebuild your app remotely. One such example is when you need to include Linux-specific packages in Python or Node.js apps that you developed on a Windows computer. In this case, you can configure Functions to perform a remote build on your code after the zip deployment.
-The way that you request a remote build depends on the operating system to which you are deploying:
+The way that you request a remote build depends on the operating system to which you're deploying:
### [Windows](#tab/windows)
If you're deploying a [containerized function app](./functions-how-to-custom-con
For more information, see [Application configuration](#application-configuration).
+### [Bicep](#tab/bicep)
+
+```bicep
+resource functionApp 'Microsoft.Web/sites@2022-03-01' = {
+ name: functionAppName
+ location: location
+ kind: 'functionapp'
+ properties: {
+ serverFarmId: hostingPlan.id
+ siteConfig: {
+ appSettings: [
+ {
+ name: 'AzureWebJobsStorage'
+ value: 'DefaultEndpointsProtocol=https;AccountName=${storageAccountName};AccountKey=${storageAccount.listKeys().keys[0].value}'
+ }
+ {
+ name: 'FUNCTIONS_WORKER_RUNTIME'
+ value: 'node'
+ }
+ {
+ name: 'WEBSITE_NODE_DEFAULT_VERSION'
+ value: '~14'
+ }
+ {
+ name: 'FUNCTIONS_EXTENSION_VERSION'
+ value: '~4'
+ }
+ {
+ name: 'DOCKER_REGISTRY_SERVER_URL'
+ value: dockerRegistryUrl
+ }
+ {
+ name: 'DOCKER_REGISTRY_SERVER_USERNAME'
+ value: dockerRegistryUsername
+ }
+ {
+ name: 'DOCKER_REGISTRY_SERVER_PASSWORD'
+ value: dockerRegistryPassword
+ }
+ {
+ name: 'WEBSITES_ENABLE_APP_SERVICE_STORAGE'
+ value: 'false'
+ }
+ ]
+ linuxFxVersion: 'DOCKER|myacr.azurecr.io/myimage:mytag'
+ }
+ }
+ dependsOn: [
+ storageAccount
+ ]
+}
+```
+ ### [ARM template](#tab/json) ```json
For more information, see [Application configuration](#application-configuration
] ``` ++
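Review bot: the container Bicep snippet passes `dockerRegistryPassword` straight into the `DOCKER_REGISTRY_SERVER_PASSWORD` app setting; the parameter declaration is not shown, so make sure it carries `@secure()` so the value is not recorded in deployment history. `AzureWebJobsStorage` is built from `storageAccount.listKeys().keys[0].value`, which also lands in app settings; that is the documented connection-string path, but a cross-reference to the identity-based `AzureWebJobsStorage__accountName` setting from the Application configuration section belongs here. `WEBSITE_NODE_DEFAULT_VERSION: '~14'` has no effect for a custom container, where the runtime comes from the image, and Node 14 is out of support, so drop it from this example.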
+When deploying [containerized functions to Azure Container Apps](./functions-container-apps-hosting.md), your template must:
+++ Set the `kind` field to a value of `functionapp,linux,container,azurecontainerapps`. ++ Set the `managedEnvironmentId` site property to the fully qualified URI of the Container Apps environment. ++ Add a resource link in the site's `dependsOn` collection when creating a `Microsoft.App/managedEnvironments` resource at the same time as the site. +
+The definition of a containerized function app deployed from a private container registry to an existing Container Apps environment might look like this example:
+ ### [Bicep](#tab/bicep) ```bicep resource functionApp 'Microsoft.Web/sites@2022-03-01' = { name: functionAppName
+ kind: 'functionapp,linux,container,azurecontainerapps'
location: location
- kind: 'functionapp'
properties: {
- serverFarmId: hostingPlan.id
+ serverFarmId: hostingPlanName
siteConfig: {
+ linuxFxVersion: 'DOCKER|myacr.azurecr.io/myimage:mytag'
appSettings: [
- {
- name: 'AzureWebJobsStorage'
- value: 'DefaultEndpointsProtocol=https;AccountName=${storageAccountName};AccountKey=${storageAccount.listKeys().keys[0].value}'
- }
- {
- name: 'FUNCTIONS_WORKER_RUNTIME'
- value: 'node'
- }
- {
- name: 'WEBSITE_NODE_DEFAULT_VERSION'
- value: '~14'
- }
{ name: 'FUNCTIONS_EXTENSION_VERSION' value: '~4' } {
- name: 'DOCKER_REGISTRY_SERVER_URL'
- value: dockerRegistryUrl
- }
- {
- name: 'DOCKER_REGISTRY_SERVER_USERNAME'
- value: dockerRegistryUsername
- }
- {
- name: 'DOCKER_REGISTRY_SERVER_PASSWORD'
- value: dockerRegistryPassword
+ name: 'AzureWebJobsStorage'
+ value: 'DefaultEndpointsProtocol=https;AccountName=${storageAccountName};AccountKey=${storageAccount.listKeys().keys[0].value}'
} {
- name: 'WEBSITES_ENABLE_APP_SERVICE_STORAGE'
- value: 'false'
+ name: 'APPLICATIONINSIGHTS_CONNECTION_STRING'
+ value: applicationInsightsName.properties.ConnectionString
} ]
- linuxFxVersion: 'DOCKER|myacr.azurecr.io/myimage:mytag'
}
+ managedEnvironmentId: managedEnvironmentId
} dependsOn: [ storageAccount
+ hostingPlan
] } ``` --
-When deploying [containerized functions to Azure Container Apps](./functions-container-apps-hosting.md), your template must:
-
-+ Set the `kind` field to a value of `functionapp,linux,container,azurecontainerapps`.
-+ Set the `managedEnvironmentId` site property to the fully qualified URI of the Container Apps environment.
-+ Add a resource link in the site's `dependsOn` collection when creating a `Microsoft.App/managedEnvironments` resource at the same time as the site.
-
-The definition of a containerized function app deployed from a private container registry to an existing Container Apps environment might look like this example:
- ### [ARM template](#tab/json) ```json
The definition of a containerized function app deployed from a private container
] ``` ++
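Review bot: in the Container Apps snippet `serverFarmId: hostingPlanName` assigns a plain name string where the property expects a resource ID; the earlier container example used `hostingPlan.id`, and the `dependsOn` list in this same snippet references the `hostingPlan` symbol, so use `hostingPlan.id` (which also makes the explicit `dependsOn` entry redundant). Likewise `applicationInsightsName.properties.ConnectionString` treats `applicationInsightsName` as a resource symbol, but the Application Insights resource earlier in this article is declared as `applicationInsight` with `applicationInsightsName` as its name string; reference the resource symbol.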
+When deploying functions to Azure Arc, the value you set for the `kind` field of the function app resource depends on the type of deployment:
+
+| Deployment type | `kind` field value |
+|-|-|
+| Code-only deployment | `functionapp,linux,kubernetes` |
+| Container deployment | `functionapp,linux,kubernetes,container` |
+
+You must also set the `customLocationId` as you did for the [hosting plan resource](#create-the-hosting-plan).
+
+The definition of a containerized function app, using a .NET 6 quickstart image, might look like this example:
+ ### [Bicep](#tab/bicep) ```bicep resource functionApp 'Microsoft.Web/sites@2022-03-01' = { name: functionAppName
- kind: 'functionapp,linux,container,azurecontainerapps'
+ kind: 'kubernetes,functionapp,linux,container'
location: location
+ extendedLocation: {
+ name: customLocationId
+ }
properties: { serverFarmId: hostingPlanName siteConfig: {
- linuxFxVersion: 'DOCKER|myacr.azurecr.io/myimage:mytag'
+ linuxFxVersion: 'DOCKER|mcr.microsoft.com/azure-functions/4-dotnet-isolated6.0-appservice-quickstart'
appSettings: [ { name: 'FUNCTIONS_EXTENSION_VERSION'
resource functionApp 'Microsoft.Web/sites@2022-03-01' = {
value: applicationInsightsName.properties.ConnectionString } ]
+ alwaysOn: true
}
- managedEnvironmentId: managedEnvironmentId
} dependsOn: [ storageAccount
resource functionApp 'Microsoft.Web/sites@2022-03-01' = {
} ``` --
-When deploying functions to Azure Arc, the value you set for the `kind` field of the function app resource depends on the type of deployment:
-
-| Deployment type | `kind` field value |
-|-|-|
-| Code-only deployment | `functionapp,linux,kubernetes` |
-| Container deployment | `functionapp,linux,kubernetes,container` |
-
-You must also set the `customLocationId` as you did for the [hosting plan resource](#create-the-hosting-plan).
-
-The definition of a containerized function app, using a .NET 6 quickstart image, might look like this example:
- ### [ARM template](#tab/json) ```json
The definition of a containerized function app, using a .NET 6 quickstart image,
] ```
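Review bot: the Azure Arc table says a container deployment uses the `kind` value `functionapp,linux,kubernetes,container`, but the Bicep snippet beneath it sets `kind: 'kubernetes,functionapp,linux,container'`; pick one ordering so readers do not have to guess whether it matters. The snippet also repeats the `serverFarmId: hostingPlanName` and `applicationInsightsName.properties.ConnectionString` problems from the Container Apps example, and fixing both examples together keeps them consistent.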
-### [Bicep](#tab/bicep)
+
-```bicep
-resource functionApp 'Microsoft.Web/sites@2022-03-01' = {
- name: functionAppName
- kind: 'kubernetes,functionapp,linux,container'
- location: location
- extendedLocation: {
- name: customLocationId
- }
- properties: {
- serverFarmId: hostingPlanName
- siteConfig: {
- linuxFxVersion: 'DOCKER|mcr.microsoft.com/azure-functions/4-dotnet-isolated6.0-appservice-quickstart'
- appSettings: [
- {
- name: 'FUNCTIONS_EXTENSION_VERSION'
- value: '~4'
- }
- {
- name: 'AzureWebJobsStorage'
- value: 'DefaultEndpointsProtocol=https;AccountName=${storageAccountName};AccountKey=${storageAccount.listKeys().keys[0].value}'
- }
- {
- name: 'APPLICATIONINSIGHTS_CONNECTION_STRING'
- value: applicationInsightsName.properties.ConnectionString
- }
- ]
- alwaysOn: true
- }
- }
- dependsOn: [
- storageAccount
- hostingPlan
- ]
-}
-```
+## Application configuration
-
+In a Flex Consumption plan, you configure your function app in Azure with two types of properties:
+
+| Configuration | `Microsoft.Web/sites` property |
+| - | - |
+| Application configuration | `functionAppConfig` |
+| Application settings | `siteConfig.appSettings` collection |
+
+These configurations are maintained in `functionAppConfig`:
+
+| Behavior | Setting in `functionAppConfig`|
+| | |
+| [Language runtime](functions-app-settings.md#functions_worker_runtime) | `runtime.name` |
+| [Language version](supported-languages.md) | `runtime.version` |
+| [Maximum instance count](event-driven-scaling.md#flex-consumption-plan) | `scaleAndConcurrency.maximumInstanceCount` |
+| [Instance memory size](flex-consumption-plan.md#instance-memory) | `scaleAndConcurrency.instanceMemoryMB` |
+| [Deployment source](#deployment-sources) | `deployment` |
+
+The Flex Consumption plan also supports these application settings:
+++ Connection string-based settings:
+ + [`APPLICATIONINSIGHTS_CONNECTION_STRING`](functions-app-settings.md#applicationinsights_connection_string)
+ + [`AzureWebJobsStorage`](functions-app-settings.md#azurewebjobsstorage)
++ Managed identity-based settings:
+ + [`APPLICATIONINSIGHTS_AUTHENTICATION_STRING`](functions-app-settings.md#applicationinsights_authentication_string)
+ + [`AzureWebJobsStorage__accountName`](functions-app-settings.md#azurewebjobsstorage__accountname)
::: zone-end ## Application configuration Functions provides the following options for configuring your function app in Azure:
Functions provides the following options for configuring your function app in Az
| Site settings | `siteConfig` | | Application settings | `siteConfig.appSettings` collection |
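Review bot: the `functionAppConfig` table's separator row is `| | |`, which is not a valid Markdown table delimiter (it needs dashes, for example `| - | - |` as the other tables in this section use), so that table will not render. In the list of supported application settings, "Connection string-based settings" and "Managed identity-based settings" are presented as peers; since the plan is introduced as having improved managed identity support, state which of the two is recommended.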
-The following site settings are required on the `siteConfig` property:
+These site settings are required on the `siteConfig` property:
:::zone pivot="dedicated-plan" ### [Windows](#tab/windows)
Keep these considerations in mind when working with site and application setting
:::zone pivot="container-apps,azure-arc,premium-plan,dedicated-plan" + For container deployments, also set [`WEBSITES_ENABLE_APP_SERVICE_STORAGE`](../app-service/reference-app-settings.md#custom-containers) to `false`, since your app content is provided in the container itself. ::: zone-end
-+ You should always define your application settings as a `siteConfig/appSettings` collection of the `Microsoft.Web/sites` resource being created, as is done in the examples in this article. This makes sure that the settings that your function app needs to run are available on initial startup.
++ You should always define your application settings as a `siteConfig/appSettings` collection of the `Microsoft.Web/sites` resource being created, as is done in the examples in this article. This definition guarantees the settings your function app needs to run are available on initial startup. + When adding or updating application settings using templates, make sure that you include all existing settings with the update. You must do this because the underlying update REST API calls replace the entire `/config/appsettings` resource. If you remove the existing settings, your function app won't run. To programmatically update individual application settings, you can instead use the Azure CLI, Azure PowerShell, or the Azure portal to make these changes. For more information, see [Work with application settings](functions-how-to-use-azure-function-app-settings.md#settings). :::zone pivot="consumption-plan,premium-plan,dedicated-plan" ## Slot deployments
-Functions lets you deploy different versions of your code to unique endpoints in your function app. This makes it easier to develop, validate, and deploy functions updates without impacting functions running in production. Deployment slots is a feature of Azure App Service. The number of slots available [depends on your hosting plan](./functions-scale.md#service-limits). For more information, see [Azure Functions deployment slots](functions-deployment-slots.md) functions.
+Functions lets you deploy different versions of your code to unique endpoints in your function app. This option makes it easier to develop, validate, and deploy functions updates without impacting functions running in production. Deployment slots is a feature of Azure App Service. The number of slots available [depends on your hosting plan](./functions-scale.md#service-limits). For more information, see [Azure Functions deployment slots](functions-deployment-slots.md) functions.
A slot resource is defined in the same way as a function app resource (`Microsoft.Web/sites`), but instead you use the `Microsoft.Web/sites/slots` resource identifier. For an example deployment (in both Bicep and ARM templates) that creates both a production and a staging slot in a Premium plan, see [Azure Function App with a Deployment Slot](https://github.com/Azure-Samples/function-app-arm-templates/blob/main/function-app-deployment-slot).
-To learn about how to perform the swap by using templates, see [Automate with Resource Manager templates](../app-service/deploy-staging-slots.md#automate-with-resource-manager-templates).
+To learn about how to swap slots by using templates, see [Automate with Resource Manager templates](../app-service/deploy-staging-slots.md#automate-with-resource-manager-templates).
Keep the following considerations in mind when working with slot deployments:
Keep the following considerations in mind when working with slot deployments:
+ When you swap slots, some application settings are considered "sticky," in that they stay with the slot and not with the code being swapped. You can define such a _slot setting_ by including `"slotSetting":true` in the specific application setting definition in your template. For more information, see [Manage settings](functions-deployment-slots.md#manage-settings). ::: zone-end ## Secured deployments You can create your function app in a deployment where one or more of the resources have been secured by integrating with virtual networks. Virtual network integration for your function app is defined by a `Microsoft.Web/sites/networkConfig` resource. This integration depends on both the referenced function app and virtual network resources. Your function app might also depend on other private networking resources, such as private endpoints and routes. For more information, see [Azure Functions networking options](functions-networking-options.md).
+These projects provide Bicep-based examples of how to deploy your function apps in a virtual network, including with network access restrictions:
++ [High-scale HTTP triggered function connects to an event hub secured by a virtual network](https://github.com/Azure-Samples/azure-functions-flex-consumption-samples/blob/main/E2E/HTTP-VNET-EH/README.md): An HTTP triggered function (.NET isolated worker mode) accepts calls from any source and then sends the body of those HTTP calls to a secure event hub running in a virtual network by using virtual network integration.++ [Function is triggered by a Service Bus queue secured in a virtual network](https://github.com/Azure-Samples/azure-functions-flex-consumption-samples/blob/main/E2E/SB-VNET/README.md): A Python function is triggered by a Service Bus queue secured in a virtual network. The queue is accessed in the virtual network using private endpoint. A virtual machine in the virtual network is used to send messages. When creating a deployment that uses a secured storage account, you must both explicitly set the `WEBSITE_CONTENTSHARE` setting and create the file share resource named in this setting. Make sure you create a `Microsoft.Storage/storageAccounts/fileServices/shares` resource using the value of `WEBSITE_CONTENTSHARE`, as shown in this example ([ARM template](https://github.com/Azure-Samples/function-app-arm-templates/blob/main/function-app-private-endpoints-storage-private-endpoints/azuredeploy.json#L467)|[Bicep file](https://github.com/Azure-Samples/function-app-arm-templates/blob/main/function-app-private-endpoints-storage-private-endpoints/main.bicep#L351)). You'll also need to set the site property `vnetContentShareEnabled` to true. > [!NOTE]
These projects provide both Bicep and ARM template examples of how to deploy you
| [Create a function app that accesses a secured storage account](https://github.com/Azure-Samples/function-app-arm-templates/blob/main/function-app-storage-private-endpoints) | Your created function app uses a secured storage account, which Functions accesses by using private endpoints. For more information, see [Restrict your storage account to a virtual network](configure-networking-how-to.md#restrict-your-storage-account-to-a-virtual-network). | | [Create a function app and storage account that both use private endpoints](https://github.com/Azure-Samples/function-app-arm-templates/tree/main/function-app-private-endpoints-storage-private-endpoints) | Your created function app can only be accessed by using private endpoints, and it uses private endpoints to access storage resources. For more information, see [Private endpoints](functions-networking-options.md#private-endpoints). | ### Restricted network settings You might also need to use these settings when your function app has network restrictions:
You might also need to use these settings when your function app has network res
| - | - | - | | [`WEBSITE_CONTENTOVERVNET`](functions-app-settings.md#website_contentovervnet) | `1` | Application setting that enables your function app to scale when the storage account is restricted to a virtual network. For more information, see [Restrict your storage account to a virtual network](functions-networking-options.md#restrict-your-storage-account-to-a-virtual-network).| | [`vnetrouteallenabled`](functions-app-settings.md#vnetrouteallenabled) | `1` | Site setting that forces all traffic from the function app to use the virtual network. For more information, see [Regional virtual network integration](functions-networking-options.md#regional-virtual-network-integration). This site setting supersedes the application setting [`WEBSITE_VNET_ROUTE_ALL`](./functions-app-settings.md#website_vnet_route_all). |
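Review bot: in the Secured deployments paragraph the two Bicep sample bullets are run together on one line (`...virtual network integration.++ [Function is triggered...`) and need a line break between them, and the `> [!NOTE]` at the end of that paragraph has no note body following it. The requirement to explicitly set `WEBSITE_CONTENTSHARE`, create the matching `Microsoft.Storage/storageAccounts/fileServices/shares` resource and set `vnetContentShareEnabled` to true is a prerequisite, so state it before the sample links rather than after them.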
-
+ ### Considerations for network restrictions When you're restricting access to the storage account through the private endpoints, you aren't able to access the storage account through the portal or any device outside the virtual network. You can give access to your secured IP address or virtual network in the storage account by [Managing the default network access rule](../storage/common/storage-network-security.md#change-the-default-network-access-rule). ::: zone-end
+## Function access keys
+
+Host-level [function access keys](function-keys-how-to.md) are defined as Azure resources. This means that you can create and manage host keys in your ARM templates and Bicep files. A host key is defined as a resource of type `Microsoft.Web/sites/host/functionKeys`. This example creates a host-level access key named `my_custom_key` when the function app is created:
+
+### [Bicep](#tab/bicep)
+
+```bicep
+resource functionKey 'Microsoft.Web/sites/host/functionKeys@2022-09-01' = {
+ name: '${parameters('name')}/default/my_custom_key'
+ properties: {
+ name: 'my_custom_key'
+ }
+ dependsOn: [
+ resourceId('Microsoft.Web/Sites', parameters('name'))
+ ]
+}
+```
+
+### [ARM template](#tab/json)
+
+```json
+{
+ "type": "Microsoft.Web/sites/host/functionKeys",
+ "apiVersion": "2022-09-01",
+ "name": "[concat(parameters('name'), '/default/my_custom_key')]",
+ "properties": {
+ "name": "my_custom_key"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Web/Sites', parameters('name'))]"
+ ]
+}
+```
+++
+In this example, the `name` parameter is the name of the new function app. You must include a `dependsOn` setting to guarantee that the key is created with the new function app. Finally, the `properties` object of the host key can also include a `value` property that can be used to set a specific key.
+
+When you don't set the `value` property, Functions automatically generates a new key for you when the resource is created, which is recommended. To learn more about access keys, including security best practices for working with access keys, see [Work with access keys in Azure Functions](function-keys-how-to.md).
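Review bot: the snippet under `### [Bicep]` uses ARM template expression syntax that Bicep does not accept: `parameters('name')` is not a Bicep function (a parameter is referenced by its name, so `name: '${name}/default/my_custom_key'`), and `dependsOn` in Bicep takes resource symbolic references rather than a `resourceId(...)` string, so it should be `dependsOn: [ functionApp ]` where `functionApp` is the site resource declared in the same file. The JSON version is correct as written. Separately, the sentence introducing the `value` property should add that a supplied value must come from a secure parameter (`@secure()` in Bicep, `securestring` in ARM) rather than a literal in the template, since a literal ends up in source control and in the deployment history; the existing recommendation to leave `value` unset already sets the right default, so one clause is enough.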
+ ## Create your template Experts with Bicep or ARM templates can manually code their deployments using a simple text editor. For the rest of us, there are several ways to make the development process easier:
Experts with Bicep or ARM templates can manually code their deployments using a
:::image type="content" source="media/functions-infrastructure-as-code/portal-download-template.png" alt-text="Download template link from the Azure Functions creation process in the Azure portal.":::
- This link shows you the ARM template generated based on the options you chose in portal. While this template can be a bit complex when you're creating a function app with many new resources, it can provide a good reference for how your ARM template might look.
+ This link shows you the ARM template generated based on the options you chose in portal. This template can seem a bit complex when you're creating a function app with many new resources. However, it can provide a good reference for how your ARM template might look.
## Validate your template
You can also create a test resource group to find [preflight](../azure-resource-
You can use any of the following ways to deploy your Bicep file and template:
+### [Bicep](#tab/bicep)
+
+- [Azure CLI](../azure-resource-manager/bicep/deploy-cli.md)
+- [PowerShell](../azure-resource-manager/bicep/deploy-powershell.md)
+ ### [ARM template](#tab/json) - [Azure portal](../azure-resource-manager/templates/deploy-portal.md) - [Azure CLI](../azure-resource-manager/templates/deploy-cli.md) - [PowerShell](../azure-resource-manager/templates/deploy-powershell.md)
-### [Bicep](#tab/bicep)
--- [Azure CLI](../azure-resource-manager/bicep/deploy-cli.md)-- [PowerShell](../azure-resource-manager/bicep/deploy-powershell.md)- ### Deploy to Azure button
Here's an example that uses HTML:
### Deploy using PowerShell
-The following PowerShell commands create a resource group and deploy a Bicep file/ARM template that creates a function app with its required resources. To run locally, you must have [Azure PowerShell](/powershell/azure/install-azure-powershell) installed. Run [`Connect-AzAccount`](/powershell/module/az.accounts/connect-azaccount) to sign in.
+The following PowerShell commands create a resource group and deploy a Bicep file or ARM template that creates a function app with its required resources. To run locally, you must have [Azure PowerShell](/powershell/azure/install-azure-powershell) installed. Run [`Connect-AzAccount`](/powershell/module/az.accounts/connect-azaccount) to sign in.
-#### [ARM template](#tab/json)
+#### [Bicep](#tab/bicep)
```powershell # Register Resource Providers if they're not already registered
Register-AzResourceProvider -ProviderNamespace "microsoft.storage"
New-AzResourceGroup -Name "MyResourceGroup" -Location 'West Europe' # Deploy the template
-New-AzResourceGroupDeployment -ResourceGroupName "MyResourceGroup" -TemplateFile azuredeploy.json -Verbose
+New-AzResourceGroupDeployment -ResourceGroupName "MyResourceGroup" -TemplateFile main.bicep -Verbose
```
-#### [Bicep](#tab/bicep)
+#### [ARM template](#tab/json)
```powershell # Register Resource Providers if they're not already registered
Register-AzResourceProvider -ProviderNamespace "microsoft.storage"
New-AzResourceGroup -Name "MyResourceGroup" -Location 'West Europe' # Deploy the template
-New-AzResourceGroupDeployment -ResourceGroupName "MyResourceGroup" -TemplateFile main.bicep -Verbose
+New-AzResourceGroupDeployment -ResourceGroupName "MyResourceGroup" -TemplateFile azuredeploy.json -Verbose
```
Learn more about how to develop and configure Azure Functions.
<!-- LINKS -->
-[Function app on Consumption plan]: https://azure.microsoft.com/resources/templates/function-app-create-dynamic/
[Function app on Azure App Service plan]: https://azure.microsoft.com/resources/templates/function-app-create-dedicated/
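Review bot: the `[Function app on Consumption plan]` link definition is deleted from the LINKS block while the sibling `[Function app on Azure App Service plan]` definition stays; confirm no reference-style link in the article body still uses the Consumption-plan label, otherwise it will render as literal bracketed text.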
azure-functions Functions Run Local https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-run-local.md
Http Function MyHttpTrigger: http://localhost:7071/api/MyHttpTrigger
Keep in mind the following considerations when running your functions locally:
-+ By default, authorization isn't enforced locally for HTTP endpoints. This means that all local HTTP requests are handled as `authLevel = "anonymous"`. For more information, see the [HTTP binding article](functions-bindings-http-webhook-trigger.md#authorization-keys). You can use the `--enableAuth` option to require authorization when running locally. For more information, see [`func start`](./functions-core-tools-reference.md?tabs=v2#func-start)
++ By default, authorization isn't enforced locally for HTTP endpoints. This means that all local HTTP requests are handled as `authLevel = "anonymous"`. For more information, see [Authorization level](functions-bindings-http-webhook-trigger.md#http-auth). You can use the `--enableAuth` option to require authorization when running locally. For more information, see [`func start`](./functions-core-tools-reference.md?tabs=v2#func-start) + You can use the local Azurite emulator when locally running functions that require access to Azure Storage services (Queue Storage, Blob Storage, and Table Storage) without having to connect to these services in Azure. When using local emulation, make sure to start Azurite before starting the local host (func.exe). For more information, see [Local storage emulation](functions-develop-local.md#local-storage-emulator). ::: zone pivot="programming-language-python"
The following considerations apply when using the administrator endpoint for loc
+ You can call the `functions` administrator endpoint (`http://localhost:{port}/admin/functions/`) to return a list of administrator URLs for all available functions, both HTTP triggered and non-HTTP triggered.
-+ Authentication and authorization are bypassed when running locally. The same APIs exist in Azure, but when you try to call the same administrator endpoints in Azure, you must provide an access key. To learn more, see [Function access keys](functions-bindings-http-webhook-trigger.md#authorization-keys).
++ Authentication and authorization are bypassed when running locally. The same APIs exist in Azure, but when you try to call the same administrator endpoints in Azure, you must provide an access key. To learn more, see [Work with access keys](function-keys-how-to.md). + Access keys are valuable shared secrets. When used locally, they must be securely stored outside of source control. Because authentication and authorization aren't required by Functions when running locally, you should avoid using and storing access keys unless your scenarios require it.
When the settings file is encrypted and decrypted, the file's `IsEncrypted` sett
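Review bot: the new bullet stating that access keys are shared secrets tells readers to store them "securely ... outside of source control" but names no mechanism, while the paragraph that follows describes the encrypted settings file and its `IsEncrypted` setting; link the bullet to that paragraph so the guidance is actionable. The `--enableAuth` bullet above it could also say that enabling it is how to verify `authLevel` behaviour locally before deployment, because the default of handling every request as `anonymous` hides a misconfigured authorization level until the app is running in Azure.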
[Functions triggers and bindings](functions-triggers-bindings.md) are implemented as .NET extension (NuGet) packages. To be able to use a specific binding extension, that extension must be installed in the project. ::: zone pivot="programming-language-javascript,programming-language-csharp"
-This section doesn't apply to version 1.x of the Functions runtime. In version 1.x, supported binding were included in the core product extension.
+This section doesn't apply to version 1.x of the Functions runtime. In version 1.x, supported bindings were included in the core product extension.
::: zone-end ::: zone pivot="programming-language-csharp"
azure-functions Migrate Version 3 Version 4 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/migrate-version-3-version-4.md
If you don't see your programming language, go select it from the [top of the pa
- Default and maximum timeouts are now enforced in 4.x for function apps running on Linux in a Consumption plan. ([#1915](https://github.com/Azure/Azure-Functions/issues/1915)) -- Azure Functions 4.x uses `Azure.Identity` and `Azure.Security.KeyVault.Secrets` for the Key Vault provider and has deprecated the use of Microsoft.Azure.KeyVault. For more information about how to configure function app settings, see the Key Vault option in [Secret Repositories](security-concepts.md#secret-repositories). ([#2048](https://github.com/Azure/Azure-Functions/issues/2048))
+- Azure Functions 4.x uses `Azure.Identity` and `Azure.Security.KeyVault.Secrets` for the Key Vault provider and has deprecated the use of Microsoft.Azure.KeyVault. For more information about how to configure function app settings, see the Key Vault option in [Manage key storage](function-keys-how-to.md#manage-key-storage). ([#2048](https://github.com/Azure/Azure-Functions/issues/2048))
- Function apps that share storage accounts now fail to start when their host IDs are the same. For more information, see [Host ID considerations](storage-considerations.md#host-id-considerations). ([#2049](https://github.com/Azure/Azure-Functions/issues/2049))
azure-functions Monitor Functions Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/monitor-functions-reference.md
The following table lists operations related to Azure Functions that might be cr
| Operation | Description | |:|:|
-|Microsoft.web/sites/functions/listkeys/action | Return the [keys for the function](functions-bindings-http-webhook-trigger.md#authorization-keys).|
-|Microsoft.Web/sites/host/listkeys/action | Return the [host keys for the function app](functions-bindings-http-webhook-trigger.md#authorization-keys).|
+|Microsoft.web/sites/functions/listkeys/action | Return the [keys for the function](function-keys-how-to.md).|
+|Microsoft.Web/sites/host/listkeys/action | Return the [host keys for the function app](function-keys-how-to.md).|
|Microsoft.Web/sites/host/sync/action | [Sync triggers](functions-deployment-technologies.md#trigger-syncing) operation.| |Microsoft.Web/sites/start/action| Function app started. | |Microsoft.Web/sites/stop/action| Function app stopped.|
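Review bot: the two `listkeys` rows use inconsistent provider casing (`Microsoft.web/sites/functions/listkeys/action` vs `Microsoft.Web/sites/host/listkeys/action`); normalize to `Microsoft.Web` so readers matching activity-log entries are not misled. Since both descriptions say the operations return function and host keys, the table could also mark these two rows as the operations worth alerting on from the activity log, which is the reason a reader comes to this table.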
azure-functions Openapi Apim Integrate Visual Studio https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/openapi-apim-integrate-visual-studio.md
The Azure Functions project template in Visual Studio creates a project that you
| **Functions worker** | **.NET 6** | This value creates a function project that runs in-process on version 4.x of the Azure Functions runtime, which is required for OpenAPI file generation. | | **Function template** | **HTTP trigger with OpenAPI** | This value creates a function triggered by an HTTP request, with the ability to generate an OpenAPI definition file. | | **Use Azurite for runtime storage account (AzureWebJobsStorage)** | **Selected** | You can use the emulator for local development of HTTP trigger functions. Because a function app in Azure requires a storage account, one is assigned or created when you publish your project to Azure. |
- | **Authorization level** | **Function** | When running in Azure, clients must provide a key when accessing the endpoint. For more information about keys and authorization, see [function access keys](functions-bindings-http-webhook-trigger.md#authorization-keys). |
+ | **Authorization level** | **Function** | When running in Azure, clients must provide a key when accessing the endpoint. For more information, see [Authorization level](functions-bindings-http-webhook-trigger.md#http-auth). |
![Azure Functions project settings](./media/openapi-apim-integrate-vs/functions-project-settings.png)
azure-functions Security Concepts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/security-concepts.md
# Securing Azure Functions
-In many ways, planning for secure development, deployment, and operation of serverless functions is much the same as for any web-based or cloud hosted application. [Azure App Service](../app-service/index.yml) provides the hosting infrastructure for your function apps. This article provides security strategies for running your function code, and how App Service can help you secure your functions.
+In many ways, planning for secure development, deployment, and operation of serverless functions is much the same as for any web-based or cloud-hosted application. [Azure App Service](../app-service/index.yml) provides the hosting infrastructure for your function apps. This article provides security strategies for running your function code, and how App Service can help you secure your functions.
[!INCLUDE [app-service-security-intro](../../includes/app-service-security-intro.md)]
This section guides you on configuring and running your function app as securely
### Defender for Cloud
-Defender for Cloud integrates with your function app in the portal. It provides, for free, a quick assessment of potential configuration-related security vulnerabilities. Function apps running in a dedicated plan can also use Defender for Cloud's enhanced security features for an additional cost. To learn more, see [Protect your Azure App Service web apps and APIs](../defender-for-cloud/defender-for-app-service-introduction.md).
+Defender for Cloud integrates with your function app in the portal. It provides, for free, a quick assessment of potential configuration-related security vulnerabilities. Function apps running in a dedicated plan can also use Defender for Cloud's enhanced security features for an extra cost. To learn more, see [Protect your Azure App Service web apps and APIs](../defender-for-cloud/defender-for-app-service-introduction.md).
### Log and monitor
For enterprise-level threat detection and response automation, stream your logs
For more security recommendations for observability, see the [Azure security baseline for Azure Functions](security-baseline.md#logging-and-monitoring).
+### Secure HTTP endpoints
+
+HTTP endpoints that are exposed publicly provide a vector of attack for malicious actors. When securing your HTTP endpoints, you should use a layered security approach. These techniques can be used to reduce the vulnerability of publicly exposed HTTP endpoints, ordered from most basic to most secure and restrictive:
+++ [Require HTTPS](#require-https)++ [Require access keys](#function-access-keys)++ [Enable App Service Authentication/Authorization](#enable-app-service-authenticationauthorization)++ [Use Azure API Management (APIM) to authenticate requests](#use-azure-api-management-apim-to-authenticate-requests)++ [Deploy your function app to a virtual network](#deploy-your-function-app-to-a-virtual-network)++ [Deploy your function app in isolation](#deploy-your-function-app-in-isolation)+ ### Require HTTPS By default, clients can connect to function endpoints by using both HTTP or HTTPS. You should redirect HTTP to HTTPs because HTTPS uses the SSL/TLS protocol to provide a secure connection, which is both encrypted and authenticated. To learn how, see [Enforce HTTPS](../app-service/configure-ssl-bindings.md#enforce-https).
-When you require HTTPS, you should also Require the latest TLS version. To learn how, see [Enforce TLS versions](../app-service/configure-ssl-bindings.md#enforce-tls-versions).
+When you require HTTPS, you should also require the latest TLS version. To learn how, see [Enforce TLS versions](../app-service/configure-ssl-bindings.md#enforce-tls-versions).
For more information, see [Secure connections (TLS)](../app-service/overview-security.md#https-and-certificates). ### Function access keys -
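Review bot: in the new `### Require HTTPS` paragraph, "HTTPs" should be "HTTPS", "both HTTP or HTTPS" should read "either HTTP or HTTPS", and "the SSL/TLS protocol" should be just "TLS", since the very next sentence tells readers to enforce the latest TLS version and SSL is not something the article should present as an option.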
-#### System key
-
-Specific extensions may require a system-managed key to access webhook endpoints. System keys are designed for extension-specific function endpoints that get called by internal components. For example, the [Event Grid trigger](functions-bindings-event-grid-trigger.md) requires that the subscription use a system key when calling the trigger endpoint. Durable Functions also uses system keys to call [Durable Task extension APIs](durable/durable-functions-http-api.md).
-
-The scope of system keys is determined by the extension, but it generally applies to the entire function app. System keys can only be created by specific extensions, and you can't explicitly set their values. Like other keys, you can generate a new value for the key from the portal or by using the key APIs.
-
-#### Keys comparison
-
-The following table compares the uses for various kinds of access keys:
-
-| Action | Scope | Valid keys |
-|--|--|--|
-| Execute a function | Specific function | Function |
-| Execute a function | Any function | Function or host |
-| Call an admin endpoint | Function app | Host (master only) |
-| Call Durable Task extension APIs | Function app<sup>1</sup> | System<sup>2</sup> |
-| Call an extension-specific Webhook (internal) | Function app<sup>1</sup> | system<sup>2</sup> |
-
-<sup>1</sup>Scope determined by the extension.
-<sup>2</sup>Specific names set by extension.
+Functions lets you use keys to make it harder to access your function endpoints. Unless the HTTP access level on an HTTP triggered function is set to `anonymous`, requests must include an access key in the request. For more information, see [Work with access keys in Azure Functions](function-keys-how-to.md).
-To learn more about access keys, see the [HTTP trigger binding article](functions-bindings-http-webhook-trigger.md#obtaining-keys).
+While access keys can provide some mitigation for unwanted access, the only way to truly secure your function endpoints is by implementing positive authentication of clients accessing your functions. You can then make authorization decisions based on identity.
+For the highest level of security, you can also secure the entire application architecture inside a virtual network [using private endpoints](#deploy-your-function-app-to-a-virtual-network) or by [running in isolation.](#deploy-your-function-app-in-isolation).
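Review bot: "HTTP access level" in the new access-keys paragraph should be "authorization level" (the setting is `authLevel`, and the other files in this commit use "Authorization level" as the link text), and the closing sentence has the period both inside the link text ("[running in isolation.](...)") and after it; move it outside the link. Otherwise the rewrite is consistent with the intro list's "most basic to most secure" ordering: keys are described as a mitigation and identity-based authentication as the control, which is the right framing.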
-#### Secret repositories
-
-By default, keys are stored in a Blob storage container in the account provided by the `AzureWebJobsStorage` setting. You can use the [AzureWebJobsSecretStorageType](functions-app-settings.md#azurewebjobssecretstoragetype) setting to override this behavior and store keys in a different location.
-
-|Location | Value | Description |
-||||
-|Second storage account | `blob` | Stores keys in Blob storage of a different storage account, based on the SAS URL in [AzureWebJobsSecretStorageSas](functions-app-settings.md#azurewebjobssecretstoragesas). |
-|File system | `files` | Keys are persisted on the file system, which is the default in Functions v1.x. |
-|Azure Key Vault | `keyvault` | The key vault set in [AzureWebJobsSecretStorageKeyVaultUri](functions-app-settings.md#azurewebjobssecretstoragekeyvaulturi) is used to store keys. |
-|Kubernetes Secrets |`kubernetes` | The resource set in [AzureWebJobsKubernetesSecretName](functions-app-settings.md#azurewebjobskubernetessecretname) is used to store keys. Supported only when running the Functions runtime in Kubernetes. The [Azure Functions Core Tools](functions-run-local.md) generates the values automatically when deploying to Kubernetes.|
-
-When using Key Vault for key storage, the app settings you need depend on the managed identity type. Functions runtime version 3.x only supports system-assigned managed identities.
-
-# [Version 4.x](#tab/v4)
-
-| Setting name | System-assigned | User-assigned | App registration |
-| | | | |
-| [AzureWebJobsSecretStorageKeyVaultUri](functions-app-settings.md#azurewebjobssecretstoragekeyvaulturi) | Γ£ô | Γ£ô | Γ£ô |
-| [AzureWebJobsSecretStorageKeyVaultClientId](functions-app-settings.md#azurewebjobssecretstoragekeyvaultclientid) | X | Γ£ô |Γ£ô |
-| [AzureWebJobsSecretStorageKeyVaultClientSecret](functions-app-settings.md#azurewebjobssecretstoragekeyvaultclientsecret) | X | X | Γ£ô |
-| [AzureWebJobsSecretStorageKeyVaultTenantId](functions-app-settings.md#azurewebjobssecretstoragekeyvaulttenantid) | X | X | Γ£ô |
-
-# [Version 3.x](#tab/v3)
-
-| Setting name | System-assigned | User-assigned | App registration |
-| | | | |
-| [AzureWebJobsSecretStorageKeyVaultName](functions-app-settings.md#azurewebjobssecretstoragekeyvaultname) | Γ£ô | X | X |
--
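Review bot: this removal drops the system-key explanation, the keys-comparison table and the `AzureWebJobsSecretStorageType` / Key Vault settings tables without a replacement on this page, and other files in this commit now link to anchors in `function-keys-how-to.md` (`#manage-key-storage` from the migration guide and storage considerations, `#renew-or-create-access-keys` from the Azure Maps article); confirm that file is part of this commit and that those anchors carry the removed content, in particular the v3.x/v4.x Key Vault setting matrix (`AzureWebJobsSecretStorageKeyVaultUri`, `...ClientId`, `...ClientSecret`, `...TenantId`), since the migration guide's Key Vault note depends on it.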
+### Enable App Service Authentication/Authorization
-### Authentication/authorization
+The App Service platform lets you use Microsoft Entra ID and several third-party identity providers to authenticate clients. You can use this strategy to implement custom authorization rules for your functions, and you can work with user information from your function code. To learn more, see [Authentication and authorization in Azure App Service](../app-service/overview-authentication-authorization.md) and [Working with client identities](functions-bindings-http-webhook-trigger.md#working-with-client-identities).
-While function keys can provide some mitigation for unwanted access, the only way to truly secure your function endpoints is by implementing positive authentication of clients accessing your functions. You can then make authorization decisions based on identity.
+### Use Azure API Management (APIM) to authenticate requests
+APIM provides various API security options for incoming requests. To learn more, see [API Management authentication policies](../api-management/api-management-policies.md#authentication-and-authorization). With APIM in place, you can configure your function app to accept requests only from the IP address of your APIM instance. To learn more, see [IP address restrictions](ip-addresses.md#ip-address-restrictions).
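Review bot: the APIM paragraph presents restricting the function app to the APIM instance's IP address as the way to accept requests only from APIM; given the "layered" framing in the section intro, it should say this is in addition to requiring an access key or App Service authentication on the function, not a substitute, because an IP allow-list identifies a network path rather than the caller. Suggested wording: "With APIM in place, you can also restrict your function app to accept requests only from the IP address of your APIM instance, in addition to the key or identity checks described above."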
### Permissions
While application settings are sufficient for most many functions, you may want
Identities may be used in place of secrets for connecting to some resources. This has the advantage of not requiring the management of a secret, and it provides more fine-grained access control and auditing.
-When you are writing code that creates the connection to [Azure services that support Microsoft Entra authentication](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-services-that-support-azure-ad-authentication), you can choose to use an identity instead of a secret or connection string. Details for both connection methods are covered in the documentation for each service.
+When you're writing code that creates the connection to [Azure services that support Microsoft Entra authentication](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-services-that-support-azure-ad-authentication), you can choose to use an identity instead of a secret or connection string. Details for both connection methods are covered in the documentation for each service.
-Some Azure Functions trigger and binding extensions may be configured using an identity-based connection. Today, this includes the [Azure Blob](./functions-bindings-storage-blob.md) and [Azure Queue](./functions-bindings-storage-queue.md) extensions. For information about how to configure these extensions to use an identity, see [How to use identity-based connections in Azure Functions](./functions-reference.md#configure-an-identity-based-connection).
+Some Azure Functions binding extensions can be configured to access services using identity-based connections. For more information, see [Configure an identity-based connection](./functions-reference.md#configure-an-identity-based-connection).
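Review bot: the untouched context line at the top of this section reads "sufficient for most many functions"; drop one of the two words while the section is being edited.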
### Set usage quotas
Access restrictions allow you to define lists of allow/deny rules to control tra
### Secure the storage account
-When you create a function app, you must create or link to a general-purpose Azure Storage account that supports Blob, Queue, and Table storage. You can replace this storage account with one that is secured with service endpoints or private endpoints. For more information, see [Restrict your storage account to a virtual network](./functions-networking-options.md#restrict-your-storage-account-to-a-virtual-network).
+When you create a function app, you must create or link to a general-purpose Azure Storage account that supports Blob, Queue, and Table storage. You can replace this storage account with one that is secured by a virtual network with access enabled by service endpoints or private endpoints. For more information, see [Restrict your storage account to a virtual network](./functions-networking-options.md#restrict-your-storage-account-to-a-virtual-network).
-### Private site access
+### Deploy your function app to a virtual network
[!INCLUDE [functions-private-site-access](../../includes/functions-private-site-access.md)] ### Deploy your function app in isolation
+Azure App Service Environment provides a dedicated hosting environment in which to run your functions. These environments let you configure a single front-end gateway that you can use to authenticate all incoming requests. For more information, see [Configuring a Web Application Firewall (WAF) for App Service Environment](../app-service/environment/integrate-with-application-gateway.md).
### Use a gateway service
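Review bot: the new isolation paragraph says the front-end gateway can be used to "authenticate all incoming requests", but the linked page is about configuring a Web Application Firewall, which inspects and filters traffic rather than authenticating callers; either reword to "inspect and filter all incoming requests" or point to the App Service authentication section above for the authentication part, so the section does not overstate what a WAF provides.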
azure-functions Deploy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/start-stop-vms/deploy.md
After the Start/Stop deployment completes, perform the following steps to enable
| Assign access to | User, group, or service principal | | Members | \<Your Azure Function App name> |
- ![Screenshot showing Add role assignment page in Azure portal.](../../../includes/role-based-access-control/media/add-role-assignment-page.png)
+ ![Screenshot showing Add role assignment page in Azure portal.](~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-page.png)
## Configure schedules overview
azure-functions Storage Considerations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/storage-considerations.md
Azure Functions requires an Azure Storage account when you create a function app
| [Azure Queue storage](../storage/queues/storage-queues-introduction.md) | Used by default for [task hubs in Durable Functions](durable/durable-functions-task-hubs.md). Used for failure and retry handling in [specific Azure Functions triggers](./functions-bindings-storage-blob-trigger.md). Used for object tracking by the [Blob storage trigger](functions-bindings-storage-blob-trigger.md). | | [Azure Table storage](../storage/tables/table-storage-overview.md) | Used by default for [task hubs in Durable Functions](durable/durable-functions-task-hubs.md). |
-<sup>1</sup> Blob storage is the default store for function keys, but you can [configure an alternate store](./security-concepts.md#secret-repositories).
-
-<sup>2</sup> Azure Files is set up by default, but you can [create an app without Azure Files](#create-an-app-without-azure-files) under certain conditions.
+1. Blob storage is the default store for function keys, but you can [configure an alternate store](function-keys-how-to.md#manage-key-storage).
+2. Azure Files is set up by default, but you can [create an app without Azure Files](#create-an-app-without-azure-files) under certain conditions.
## Important considerations
You must strongly consider the following facts regarding the storage accounts us
+ When your function app is hosted on the Consumption plan or Premium plan, your function code and configuration files are stored in Azure Files in the linked storage account. When you delete this storage account, the content is deleted and can't be recovered. For more information, see [Storage account was deleted](functions-recover-storage-account.md#storage-account-was-deleted)
-+ Important data, such as function code, [access keys](functions-bindings-http-webhook-trigger.md#authorization-keys), and other important service-related data, can be persisted in the storage account. You must carefully manage access to the storage accounts used by function apps in the following ways:
++ Important data, such as function code, [access keys](function-keys-how-to.md), and other important service-related data, can be persisted in the storage account. You must carefully manage access to the storage accounts used by function apps in the following ways: + Audit and limit the access of apps and users to the storage account based on a least-privilege model. Permissions to the storage account can come from [data actions in the assigned role](../role-based-access-control/role-definitions.md#control-and-data-actions) or through permission to perform the [listKeys operation].
You might need to use separate storage accounts to [avoid host ID collisions](#a
### Lifecycle management policy considerations
-You shouldn't apply [lifecycle management policies](../storage/blobs/lifecycle-management-overview.md) to your Blob Storage account used by your function app. Functions uses Blob storage to persist important information, such as [function access keys](functions-bindings-http-webhook-trigger.md#authorization-keys), and policies could remove blobs (such as keys) needed by the Functions host. If you must use policies, exclude containers used by Functions, which are prefixed with `azure-webjobs` or `scm`.
+You shouldn't apply [lifecycle management policies](../storage/blobs/lifecycle-management-overview.md) to your Blob Storage account used by your function app. Functions uses Blob storage to persist important information, such as [function access keys](function-keys-how-to.md), and policies could remove blobs (such as keys) needed by the Functions host. If you must use policies, exclude containers used by Functions, which are prefixed with `azure-webjobs` or `scm`.
### Storage logs
azure-maps How To Secure Spa App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/how-to-secure-spa-app.md
To create a secured web service application that's responsible for authenticatio
6. Configure security for the Azure function HttpTrigger: 1. [Create a function access key]
- 1. [Secure HTTP endpoint](../azure-functions/functions-bindings-http-webhook-trigger.md?tabs=csharp#secure-an-http-endpoint-in-production) for the Azure function in production.
+ 1. [Secure HTTP endpoint](../azure-functions/security-concepts.md#secure-http-endpoints) for the Azure function in production.
7. Configure a web application Azure Maps Web SDK.
Explore other samples that show how to integrate Microsoft Entra ID with Azure M
[Add a system-assigned identity]: ../app-service/overview-managed-identity.md?tabs=dotnet#add-a-system-assigned-identity [Grant role-based access]: #grant-role-based-access-for-users-to-azure-maps [Obtain tokens for Azure resources]: ../app-service/overview-managed-identity.md?tabs=dotnet#add-a-system-assigned-identity
-[Create a function access key]: ../azure-functions/functions-bindings-http-webhook-trigger.md?tabs=csharp#authorization-keys
+[Create a function access key]: ../azure-functions/function-keys-how-to.md#renew-or-create-access-keys
azure-monitor Agent Linux Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/agents/agent-linux-troubleshoot.md
This is a known issue that occurs on the first upload of Linux data into a Log A
### Probable causes
-A regression in nss-pem package [v1.0.3-5.el7](https://centos.pkgs.org/7/centos-x86_64/nss-pem-1.0.3-7.el7.x86_64.rpm.html) caused a severe performance issue. We've been seeing this issue come up a lot in Redhat/CentOS 7.x distributions. To learn more about this issue, see [1667121 Performance regression in libcurl](https://bugzilla.redhat.com/show_bug.cgi?id=1667121).
+A regression in nss-pem package [v1.0.3-5.el7](https://pkgs.org/download/nss-pem) caused a severe performance issue. We've been seeing this issue come up a lot in Redhat/CentOS 7.x distributions. To learn more about this issue, see [1667121 Performance regression in libcurl](https://bugzilla.redhat.com/show_bug.cgi?id=1667121).
Performance-related bugs don't happen all the time, and they're difficult to reproduce. If you experience such an issue with omiagent, use the script `omiHighCPUDiagnostics.sh`, which will collect the stack trace of the omiagent when it exceeds a certain threshold.
Performance-related bugs don't happen all the time, and they're difficult to rep
### Resolution
-1. Upgrade the nss-pem package to [v1.0.3-5.el7_6.1](https://centos.pkgs.org/7/centos-x86_64/nss-pem-1.0.3-7.el7.x86_64.rpm.html): <br/>
+1. Upgrade the nss-pem package to [v1.0.3-5.el7_6.1](https://pkgs.org/download/nss-pem): <br/>
`sudo yum upgrade nss-pem` 1. If nss-pem isn't available for upgrade, which mostly happens on CentOS, downgrade curl to 7.29.0-46. If you run "yum update" by mistake, curl will be upgraded to 7.29.0-51 and the issue will happen again: <br/>
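Review bot: The link text still names specific package versions (v1.0.3-5.el7 in the probable-causes paragraph and v1.0.3-5.el7_6.1 in step 1 of the resolution), but the new destination https://pkgs.org/download/nss-pem is an unversioned package index, so a reader can no longer confirm which build carries the fix; either cite the errata that ships the fixed nss-pem or drop the version from the link text. The downgrade step also only warns that a stray `yum update` brings back curl 7.29.0-51; suggest adding how to hold curl at 7.29.0-46 (for example `exclude=curl` in /etc/yum.conf, or the yum versionlock plugin) so the workaround does not become a blanket freeze on updates, and a reminder to remove the pin once nss-pem can be upgraded, since pinning curl also defers its own fixes.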
azure-monitor Azure Monitor Agent Data Field Differences https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/agents/azure-monitor-agent-data-field-differences.md
+
+ Title: Data field differences between MMA and AMA
+
+description: Documents that field lever data changes made in the migration.
++++ Last updated : 06/21/2024+
+Customer intent: As an azure administrator, I want to understand which Log Analytics Workspace queries I may need to update after AMA migration.
+++
+# AMA agent data field differences from MMA
+[Azure Monitor Agent (AMA)](./agents-overview.md) replaces the Log Analytics agent, also known as Microsoft Monitor Agent (MMA) and OMS, for Windows and Linux machines, in Azure and non-Azure environments, on-premises and other clouds. The agent introduces a simplified, flexible method of configuring data collection using [Data Collection Rules (DCRs)](../essentials/data-collection-rule-overview.md). The article provides information on the data fields that change when collected by AMA, which is critical information for you to migrate your LAW queries.
+
+Each of the data changes was carefully considered and the rational for each change is provided in the table. If you encounter a data field that isn't in the tables file a support request. Your help keeping the tables current and complete is appreciated.
+
+## Log analytics workspace tables
+### W3CIISLog Table for Internet Information Services (IIS)
+This table collects log data from the Internet Information Service on Window systems.
+
+|LAW Field | Difference | Reason| Additional Information |
+|||||
+| sSiteName | Not be populated | depends on customer data collection configuration | The MMA agent could turn on collection by default, but by principle is restricted from making configuration changes in other services.<p>Enable the `Service Name (s-sitename)` field in W3C logging of IIS. See [Select W3C Fields to Log](/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis#select-w3c-fields-to-log).|
+| Fileuri | No longer populated | not required for MMA parity | MMA doesn't collect this field. This field was only populated for IIS logs collected from Azure Cloud Services through the Azure Diagnostics Extension.|
++
+## Next steps
+- [Azure Monitor Agent migration helper workbook](./azure-monitor-agent-migration-helper-workbook.md)
+- [DCR Config Generator](./azure-monitor-agent-migration-data-collection-rule-generator.md)
+
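Review bot: The new article has text and table defects that should be fixed before merge: "field lever data changes" in the description should be "field-level data changes"; "rational" should be "rationale"; "Window systems" should be "Windows systems"; "Not be populated" in the sSiteName row should be "Not populated"; and "If you encounter a data field that isn't in the tables file a support request" needs a comma after "tables". The separator row `|||||` is not a valid Markdown header separator (it needs `|---|---|---|---|`), so the table will not render as a table; and confirm the `++` line after the table is only a blank line and not a stray character. Finally, the Reason cell for Fileuri ("not required for MMA parity") and its Additional Information cell say the same thing two ways; keep the fuller explanation in one column.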
azure-monitor Opentelemetry Add Modify https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/opentelemetry-add-modify.md
It's not possible to filter telemetry in Java native.
## Get the trace ID or span ID
-You might want to get the trace ID or span ID. If you have logs sent to a destination other than Application Insights, consider adding the trace ID or span ID. Doing so enables better correlation when debugging and diagnosing issues.
+You can obtain the `Trace ID` and `Span ID` of the currently active Span using following steps.
### [ASP.NET Core](#tab/aspnetcore)
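Review bot: The replacement sentence drops the reason a reader would want these IDs and has a grammar slip ("using following steps" should be "using the following steps"). Suggest keeping one sentence of the removed motivation, for example "If you send logs to a destination other than Application Insights, include the trace ID and span ID so you can correlate them when diagnosing issues", followed by the lead-in to the per-language steps.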
azure-monitor Opentelemetry Configuration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/opentelemetry-configuration.md
var builder = WebApplication.CreateBuilder(args);
// Add the OpenTelemetry telemetry service to the application. // This service will collect and send telemetry data to Azure Monitor.
-builder.Services.AddOpenTelemetry().UseAzureMonitor();
-
-// Configure the OpenTelemetry tracer provider to add the resource attributes to all traces.
-builder.Services.ConfigureOpenTelemetryTracerProvider((sp, builder) =>
- builder.ConfigureResource(resourceBuilder =>
- resourceBuilder.AddAttributes(resourceAttributes)));
+builder.Services.AddOpenTelemetry()
+ .UseAzureMonitor()
+ // Configure the ResourceBuilder to add the custom resource attributes to all signals.
+ // Custom resource attributes should be added AFTER AzureMonitor to override the default ResourceDetectors.
+ .ConfigureResource(resourceBuilder => resourceBuilder.AddAttributes(_testResourceAttributes));
// Build the ASP.NET Core web application. var app = builder.Build();
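Review bot: `_testResourceAttributes` in the new `.ConfigureResource(...)` call looks like an identifier copied from a test project; the removed code used `resourceAttributes`, which is the name the surrounding snippet declares, and the leading-underscore private-field convention will not match what readers have. Rename it back to `resourceAttributes` or show its declaration. The code comment that custom attributes must be added after `UseAzureMonitor()` to override the default resource detectors is the substance of this change; state it in the prose as well, because someone who calls `ConfigureResource` before `UseAzureMonitor()` will have their attributes overridden by the defaults, as the comment implies.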
azure-monitor Cost Usage https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/cost-usage.md
See [Azure Monitor billing meter names](cost-meters.md) for a list of all Azure
Other services such as Microsoft Defender for Cloud and Microsoft Sentinel also bill their usage against Log Analytics workspace resources. See [Common cost analysis uses](../cost-management-billing/costs/cost-analysis-common-uses.md) for details on using this view.
->[!NOTE]
->Alternatively, you can go to the **Overview** page of a Log Analytics workspace or Application Insights resource and click **View Cost** in the upper right corner of the **Essentials** section. This will launch the **Cost Analysis** from Azure Cost Management + Billing already scoped to the workspace or application.
+> [!NOTE]
+> Alternatively, you can go to the **Overview** page of a Log Analytics workspace or Application Insights resource and click **View Cost** in the upper right corner of the **Essentials** section. This will launch the **Cost Analysis** from Azure Cost Management + Billing already scoped to the workspace or application. (You might need to use the [preview version](https://preview.portal.azure.com/) of the Azure portal to see this option.)
> :::image type="content" source="logs/media/view-bill/view-cost-option.png" lightbox="logs/media/view-bill/view-cost-option.png" alt-text="Screenshot of option to view cost for Log Analytics workspace.":::- ### Automated mails and alerts Rather than manually analyzing your costs in the Azure portal, you can automate delivery of information using the following methods.
azure-monitor Metrics Aggregation Explained https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/essentials/metrics-aggregation-explained.md
Previously updated : 07/13/2023 Last updated : 07/13/2024 # Azure Monitor Metrics aggregation and display explained
-This article explains the aggregation of metrics in the Azure Monitor time-series database that back Azure Monitor [platform metrics](../data-platform.md) and [custom metrics](../essentials/metrics-custom-overview.md). This article also applies to standard [Application Insights metrics](../app/app-insights-overview.md).
+This article explains the aggregation of metrics in the time-series database that backs Azure Monitor [platform metrics](../data-platform.md) and [custom metrics](../essentials/metrics-custom-overview.md). The article also applies to standard [Application Insights metrics](../app/app-insights-overview.md).
-The contents of this article are complex in nature and not necessary to understand to use Azure Monitor metrics effectively.
+This information in this article is complex and is provided for those who want to dig deeper into the metrics system. You do not need to understand it to use Azure Monitor metrics effectively.
## Overview and terms
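Review bot: "This information in this article is complex" should read "The information in this article is complex". The first paragraph's change to "the time-series database that backs" correctly fixes the subject-verb mismatch in the old text.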
azure-monitor Monitor Off Azure Vm With Scom Managed Instance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/scom-manage-instance/monitor-off-azure-vm-with-scom-managed-instance.md
The following are the supported monitoring scenarios:
SCOM Managed Instance users will be able to: -- Set up and manage Gateways seamlessly from SCOM Managed Instance portal on Arc-enabled servers.
+- Set up and manage Gateways on Arc-enabled servers from SCOM Managed Instance portal.
- Set high availability at Gateway plane for agent failover as described in [Designing for High Availability and Disaster Recovery](/system-center/scom/plan-hadr-design). + ## Supported scenarios The following are the supported monitoring scenarios:
azure-netapp-files Azure Netapp Files Cost Model https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-cost-model.md
For cost model specific to cross-region replication, see [Cost model for cross-r
Azure NetApp Files is billed on provisioned storage capacity, which is allocated by creating capacity pools. Capacity pools are billed monthly based on a set cost per allocated GiB per hour. Capacity pool allocation is measured hourly.
-Capacity pools must be at least 1 TiB and can be increased or decreased in 1-TiB intervals. Capacity pools contain volumes that range in size from a minimum of 100 GiB to a maximum of 100 TiB for regular volumes and up to 500 TiB for [large volumes](azure-netapp-files-understand-storage-hierarchy.md#large-volumes). Volumes are assigned quotas that are subtracted from the capacity poolΓÇÖs provisioned size. For an active volume, capacity consumption against the quota is based on logical (effective) capacity, being active filesystem data or snapshot data. See [How Azure NetApp Files snapshots work](snapshots-introduction.md) for details.
+Capacity pools must be at least 1 TiB and can be increased or decreased in 1-TiB intervals. Capacity pools contain volumes that range in size from a minimum of 100 GiB to a maximum of 100 TiB for regular volumes and up to 1 PiB for [large volumes](azure-netapp-files-understand-storage-hierarchy.md#large-volumes). Volumes are assigned quotas that are subtracted from the capacity poolΓÇÖs provisioned size. For an active volume, capacity consumption against the quota is based on logical (effective) capacity, being active filesystem data or snapshot data. See [How Azure NetApp Files snapshots work](snapshots-introduction.md) for details.
### Pricing examples
azure-netapp-files Azure Netapp Files Introduction https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-introduction.md
Azure NetApp Files is designed to provide high-performance file storage for ente
| Small-to-large volumes | Easily resize file volumes from 100 GiB up to 100 TiB without downtime. | Scale storage as business needs grow without over-provisioning, avoiding upfront cost. | 1-TiB minimum capacity pool size | 1-TiB capacity pool is a reduced-size storage pool compared to the initial 4-TiB minimum. | Save money by starting with a smaller storage footprint and lower entry point, without sacrificing performance or availability. Scale storage based on growth without high upfront costs. | 2,048-TiB maximum capacity pool | 2048-TiB capacity pool is an increased storage pool compared to the initial 500-TiB maximum. | Reduce waste by creating larger, pooled capacity and performance budget, and share and distribute across volumes.
-| 50-500 TiB large volumes | Store large volumes of data up to 500 TiB in a single volume. | Manage large datasets and high-performance workloads with ease.
+| 50-1,024 TiB large volumes | Store large volumes of data up to 1,024 TiB in a single volume. | Manage large datasets and high-performance workloads with ease.
| User and group quotas | Set quotas on storage usage for individual users and groups. | Control storage usage and optimize resource allocation. | Virtual machine (VM) networked storage performance | Higher VM network throughput compared to disk IO limits enable more demanding workloads on smaller Azure VMs. | Improve application performance at a smaller VM footprint, improving overall efficiency and lowering application license cost. | Deep workload readiness | Seamless deployment and migration of any-size workload with well-documented deployment guides. | Easily migrate any workload of any size to the platform. Enjoy a seamless, cost-effective deployment and migration experience.
azure-netapp-files Azure Netapp Files Resource Limits https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-resource-limits.md
The following table describes resource limits for Azure NetApp Files:
| Maximum size of a single regular volume | 100 TiB | No | | Minimum size of a single [large volume](large-volumes-requirements-considerations.md) | 50 TiB | No | | Large volume size increase | 30% of lowest provisioned size | Yes |
-| Maximum size of a single [large volume](large-volumes-requirements-considerations.md) | 500 TiB | No |
+| Maximum size of a single [large volume](large-volumes-requirements-considerations.md) | 1,024 TiB | No |
+| Maximum size of a single large volume on dedicated capacity (preview) | 2,048 TiB | No |
| Maximum size of a single file | 16 TiB | No | | Maximum size of directory metadata in a single directory | 320 MB | No | | Maximum number of files in a single directory | *Approximately* 4 million. <br> See [Determine if a directory is approaching the limit size](#directory-limit). | No |
azure-netapp-files Azure Netapp Files Understand Storage Hierarchy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-understand-storage-hierarchy.md
When you use a manual QoS capacity pool with, for example, an SAP HANA system, a
- A volume's capacity consumption counts against its pool's provisioned capacity. - A volumeΓÇÖs throughput consumption counts against its poolΓÇÖs available throughput. See [Manual QoS type](#manual-qos-type). - Each volume belongs to only one pool, but a pool can contain multiple volumes. -- Volumes contain a capacity of between 100 GiB and 100 TiB. You can create a [large volume](#large-volumes) with a size of between 50 TiB and 500 TiB.
+- Volumes contain a capacity of between 100 GiB and 100 TiB. You can create a [large volume](#large-volumes) with a size of between 50 and 1 PiB.
## Large volumes
-Azure NetApp Files allows you to create volumes up to 500 TiB in size. Large volumes begin at a capacity of 50 TiB and scale up to 500 TiB. Regular Azure NetApp Files volumes are offered between 100 GiB and 102,400 GiB.
+Azure NetApp Files allows you to create large volumes up to 1 PiB in size. Large volumes begin at a capacity of 50 TiB and scale up to 1 PiB. Regular Azure NetApp Files volumes are offered between 100 GiB and 102,400 GiB.
For more information, see [Requirements and considerations for large volumes](large-volumes-requirements-considerations.md).
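Review bot: The rewritten bullet says "a size of between 50 and 1 PiB", which drops the unit from the lower bound; write "between 50 TiB and 1 PiB" to match the Large volumes paragraph in the same change.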
azure-netapp-files Large Volumes Requirements Considerations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/large-volumes-requirements-considerations.md
This article describes the requirements and considerations you need to be aware
The following requirements and considerations apply to large volumes. For performance considerations of *regular volumes*, see [Performance considerations for Azure NetApp Files](azure-netapp-files-performance-considerations.md). * A regular volume canΓÇÖt be converted to a large volume.
-* You must create a large volume at a size of 50 TiB or larger. A single volume can't exceed 500 TiB.
+* You must create a large volume at a size of 50 TiB or larger. A single volume can't exceed 1 PiB.
* You can't resize a large volume to less than 50 TiB. A large volume cannot be resized to less than 30% of its lowest provisioned size. This limit is adjustable via [a support request](azure-netapp-files-resource-limits.md#resource-limits). * Large volumes are currently not supported with Azure NetApp Files backup. * You can't create a large volume with application volume groups. * Currently, large volumes aren't suited for database (HANA, Oracle, SQL Server, etc.) data and log volumes. For database workloads requiring more than a single volumeΓÇÖs throughput limit, consider deploying multiple regular volumes. To optimize multiple volume deployments for databases, use [application volume groups](application-volume-group-concept.md).
-* Throughput ceilings for the three performance tiers (Standard, Premium, and Ultra) of large volumes are based on the existing 100-TiB maximum capacity targets. You're able to grow to 500 TiB with the throughput ceiling per the following table:
+* Throughput ceilings for the three performance tiers (Standard, Premium, and Ultra) of large volumes are based on the existing 100-TiB maximum capacity targets. You're able to grow to 1 PiB with the throughput ceiling per the following table:
- | Capacity tier | Volume size (TiB) | Throughput (MiB/s) |
- | | | |
- | Standard | 50 to 500 | 1,600 |
- | Premium | 50 to 500 | 6,400 |
- | Ultra | 50 to 500 | 10,240 |
+ <table><thead>
+ <tr>
+ <th></th>
+ <th colspan="2">Capacity</th>
+ <th colspan="2">Linear performance scaling per TiB up to maximum throughput </th>
+ </tr></thead>
+ <tbody>
+ <tr>
+ <td>Capacity tier</td>
+ <td>Minimum volume size<br>(TiB)</td>
+ <td>Maximum volume size (TiB)</td>
+ <td>Minimum throughput (MiB/s)</td>
+ <td>Maximum throughput (MiB/s)</td>
+ </tr>
+ <tr>
+ <td>Standard (16 MiB/s per TiB)</td>
+ <td>50</td>
+ <td>1,024</td>
+ <td>800</td>
+ <td>12,800</td>
+ </tr>
+ <tr>
+ <td>Premium (64 MiB/s per TiB)</td>
+ <td>50</td>
+ <td>1,024</td>
+ <td>3,200</td>
+ <td>12</td>
+ </tr>
+ </tbody>
+ </table>
+
+ \* 2-PiB large volumes are available on request depending on regional dedicated capacity availability. To request 2-PiB large volumes, contact your account team.
* Large volumes aren't currently supported with standard storage with cool access.
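Review bot: The Premium row of the new HTML table has a truncated maximum throughput of "12", which cannot be right next to a minimum of 3,200 MiB/s at 50 TiB and a Standard maximum of 12,800; fill in the intended figure. The bullet above still says ceilings are given for "the three performance tiers (Standard, Premium, and Ultra)", but the Ultra row of the removed table (50 to 500 TiB, 10,240 MiB/s) has no replacement row, so either add it or change the sentence. The `\*` footnote about 2-PiB volumes has no matching asterisk anywhere in the table, and the second header-like row (Capacity tier, Minimum volume size, ...) uses `<td>` rather than `<th>`, so it renders as a data row. Also, the per-TiB rates in the tier labels (16 and 64 MiB/s per TiB) multiplied by 1,024 TiB exceed the stated maximums, so say in the bullet that linear scaling is capped at the maximum-throughput column rather than leaving the reader to reconcile the arithmetic from the column header.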
Support for Azure NetApp Files large volumes is available in the following regio
>[!IMPORTANT] >Before you can use large volumes, you must first request [an increase in regional capacity quota](azure-netapp-files-resource-limits.md#request-limit-increase).
-Once your [regional capacity quota](regional-capacity-quota.md) has increased, you can create volumes that are up to 500 TiB in size. When creating a volume, after you designate the volume quota, you must select **Yes** for the **Large volume** field. Once created, you can manage your large volumes in the same manner as regular volumes.
+Once your [regional capacity quota](regional-capacity-quota.md) has increased, you can create volumes that are up to 1 PiB in size. When creating a volume, after you designate the volume quota, you must select **Yes** for the **Large volume** field. Once created, you can manage your large volumes in the same manner as regular volumes.
### Register the feature
azure-netapp-files Volume Hard Quota Guidelines https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/volume-hard-quota-guidelines.md
Many customers have requested direct control over provisioned capacity. They wan
## What is the volume hard quota change
-With the volume hard quota change, Azure NetApp Files volumes will no longer be thin provisioned at (the maximum) 100 TiB. The volumes will be provisioned at the actual configured size (quota). Also, the underlaying capacity pools will no longer automatically grow upon reaching full-capacity consumption. This change will reflect the behavior like Azure managed disks, which are also provisioned as-is, without automatic capacity increase.
+With the volume hard quota change, Azure NetApp Files volumes are no longer thinly provisioned at (the maximum) 100 TiB. The volumes will be provisioned at the actual configured size (quota). Also, the underlying capacity pools will no longer automatically grow upon reaching full-capacity consumption. This change will reflect the behavior like Azure managed disks, which are also provisioned as-is, without automatic capacity increase.
For example, consider an Azure NetApp Files volume configured at 1-TiB size (quota) on a 4-TiB Ultra service level capacity pool. An application is continuously writing data to the volume. The *initial* behavior: * Expected bandwidth: 128 MiB/s * Total usable (and client visible) capacity: 100 TiB
- You will not be able to write more data on the volume beyond this size.
+ You aren't able to write more data on the volume beyond this size.
* Capacity pool: Automatically grows with 1 TiB increments when it is full.
-* Volume quota change: Only changes performance (bandwidth) of the volume. It does not change client visible or usable capacity.
+* Volume quota change: Only changes performance (bandwidth) of the volume. It doesn't change client visible or usable capacity.
The *changed* behavior: * Expected bandwidth: 128 MiB/s * Total usable (and client visible) capacity: 1 TiB You will not be able to write more data on the volume beyond this size.
-* Capacity pool: Remains 4 TiB in size and does not automatically grow.
+* Capacity pool: Remains 4 TiB in size and doesn't automatically grow.
* Volume quota change: Changes performance (bandwidth) and client visible or usable capacity of the volume. You need to proactively monitor the utilization of Azure NetApp Files volumes and capacity pools. You need to purposely change the volume and pool utilization for close-to-full consumption. Azure NetApp Files will continue to allow for [on-the-fly volume and capacity pool resize operations](azure-netapp-files-resize-capacity-pools-or-volumes.md). ## How to operationalize the volume hard quota change
-This section provides guidance on how to operationalize the change to volume hard quota for a smooth transition. It also provides insights for handling currently provisioned volumes and capacity pools, on-going monitoring, and alerting and capacity management options.
+This section provides guidance on how to operationalize the change to volume hard quota for a smooth transition. It also provides insights for handling currently provisioned volumes and capacity pools, ongoing monitoring, and alerting and capacity management options.
### Currently provisioned volumes and capacity pools
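Review bot: The rewritten opening paragraph mixes tenses ("are no longer thinly provisioned" followed by "will be provisioned" and "will no longer automatically grow"); since it describes current behavior, use the present tense throughout. "This change will reflect the behavior like Azure managed disks" is awkward; suggest "This matches the behavior of Azure managed disks, which are also provisioned as-is, without automatic capacity increase."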
The volume hard quota change will result in changes in provisioned and available
Resize every provisioned volume to have appropriate buffer based on change rate and alerting or resize turnaround time (for example, 20% based on typical workload considerations), with a maximum of 100 TiB (which is the regular [volume size limit](azure-netapp-files-resource-limits.md#resource-limits). This new volume size, including buffer capacity, should be based on the following factors: * **Provisioned** volume capacity, in case the used capacity is less than the provisioned volume quota. * **Used** volume capacity, in case the used capacity is more than the provisioned volume quota.
- There is no additional charge for volume-level capacity increase if the underlaying capacity pool does not need to be grown. As an effect of this change, you might observe a bandwidth limit *increase* for the volume (in case the [auto QoS capacity pool type](azure-netapp-files-understand-storage-hierarchy.md#qos_types) is used).
+ There's no additional charge for volume-level capacity increase if the underlaying capacity pool doesn't need to be grown. As an effect of this change, you might observe a bandwidth limit *increase* for the volume (in case the [auto QoS capacity pool type](azure-netapp-files-understand-storage-hierarchy.md#qos_types) is used).
* **Provisioned capacity pool sizes**:
- After the volume sizes adjustments, if the sum of volumes sizes becomes larger than the size of the hosting capacity pool, the capacity pool will have to be increased to a size equal to or larger than the sum of the volumes, with a maximum of 500 TiB (which is the [capacity pool size limit](azure-netapp-files-resource-limits.md#resource-limits)). Additional capacity pool capacity will be subject to ACR charge as normal.
+ After the volume sizes adjustments, if the sum of volumes sizes becomes larger than the size of the hosting capacity pool, the capacity pool has to be increased to a size equal to or larger than the sum of the volumes, with a maximum of 500 TiB. For information about limits, see [Azure NetApp Files resource limits](azure-netapp-files-resource-limits.md#resource-limits)). Additional capacity pool capacity is subject to ACR charge as normal.
You should work with your Azure NetApp Files specialists to validate your environment, if you need help with setting up monitoring or alerting as described in the sections below.
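Review bot: The capacity pool maximum in the rewritten sentence ("with a maximum of 500 TiB") contradicts the Azure NetApp Files introduction article in this same update, which now lists a 2,048-TiB maximum capacity pool; since the sentence already defers to the resource limits page, drop the hard-coded number rather than restate a stale one. Also fix the doubled closing parenthesis after the link ("#resource-limits))." ) and "underlaying", which should be "underlying" as the earlier hunk in this file already corrected it.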
You can use the community-supported Logic Apps ANFCapacityManager tool to monito
ANFCapacityManager is an Azure Logic App that manages capacity-based alert rules. It automatically increases volume sizes to prevent your Azure NetApp Files volumes from running out of space. It is easy to deploy and provides the following Alert Management capabilities: * When an Azure NetApp Files capacity pool or volume is created, ANFCapacityManager creates a metric alert rule based on the specified percent consumed threshold.
-* When an Azure NetApp Files capacity pool or volume is resized, ANFCapacityManager modifies the metric alert rule based on the specified percent capacity consumed threshold. If the alert rule does not exist, it will be created.
-* When an Azure NetApp Files capacity pool or volume is deleted, the corresponding metric alert rule will be deleted.
+* When an Azure NetApp Files capacity pool or volume is resized, ANFCapacityManager modifies the metric alert rule based on the specified percent capacity consumed threshold. If the alert rule doesn't exist, it's created.
+* When an Azure NetApp Files capacity pool or volume is deleted, the corresponding metric alert rule it's deleted.
You can configure the following key alerting settings:
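Review bot: "the corresponding metric alert rule it's deleted" in the last bullet is a contraction slip introduced by the rewrite; it should read "the corresponding metric alert rule is deleted".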
You can use the portal or the CLI to manually increase the volume or capacity po
You can [change the size of a volume](azure-netapp-files-resize-capacity-pools-or-volumes.md#resize-a-volume-using-the-azure-portal) as necessary. A volume's capacity consumption counts against its pool's provisioned capacity.
-1. From the Manage NetApp Account blade, select **Volumes**.
+1. From your NetApp Account, select **Volumes**.
2. Right-click the name of the volume that you want to resize or select the `…` icon at the end of the volume's row to display the context menu. 3. Use the context menu options to resize or delete the volume.
You can [change the size of a volume](azure-netapp-files-resize-capacity-pools-o
![Screenshot that shows the Update Volume Quota window.](./media/volume-hard-quota-guidelines/hard-quota-update-volume-quota.png)
-In some cases, the hosting capacity pool does not have sufficient capacity to resize the volumes. However, you can [change the capacity pool size](azure-netapp-files-resize-capacity-pools-or-volumes.md#resizing-the-capacity-pool-or-a-volume-using-azure-cli) in 1-TiB increments or decrements. The capacity pool size cannot be smaller than 4 TiB. *Resizing the capacity pool changes the purchased Azure NetApp Files capacity.*
+In some cases, the hosting capacity pool doesn't have sufficient capacity to resize the volumes. However, you can [change the capacity pool size](azure-netapp-files-resize-capacity-pools-or-volumes.md#resizing-the-capacity-pool-or-a-volume-using-azure-cli) in 1-TiB increments or decrements. The capacity pool size can't be smaller than 4 TiB. *Resizing the capacity pool changes the purchased Azure NetApp Files capacity.*
1. From the Manage NetApp Account blade, select the capacity pool that you want to resize. 2. Right-click the capacity pool name or select the `…` icon at the end of the capacity pool’s row to display the context menu.
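Review bot: The volume procedure's first step was changed to "From your NetApp Account, select **Volumes**", but the capacity pool procedure at the end of this hunk still begins "From the Manage NetApp Account blade"; update it to the same wording so the two procedures match.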
A common misconception is that Azure NetApp Files *volumes* would automatically
### Does this change have any effect on volumes replicated with cross-region-replication (preview)?
-The hard volume quota is not enforced on replication destination volumes.
+The hard volume quota isn't enforced on replication destination volumes.
### Does this change have any effect on metrics currently available in Azure Monitor?
Yes. See the [Volume AutoGrow Workflow Example GitHub page](https://github.com/A
### Is ANFCapacityManager Microsoft supported?
-[The ANFCapacityManager logic app is provided as-is and is not supported by NetApp or Microsoft](https://github.com/ANFTechTeam/ANFCapacityManager#disclaimer). You're encouraged to modify to fit your specific environment or requirements. You should test the functionality before deploying it to any business critical or production environments.
+[The ANFCapacityManager logic app is provided as-is and isn't supported by NetApp or Microsoft](https://github.com/ANFTechTeam/ANFCapacityManager#disclaimer). You're encouraged to modify to fit your specific environment or requirements. You should test the functionality before deploying it to any business critical or production environments.
### How can I report a bug or submit a feature request for ANFCapacityManger? You can submit bugs and feature requests by selecting **New Issue** on the [ANFCapacityManager GitHub page](https://github.com/ANFTechTeam/ANFCapacityManager/issues).
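Review bot: The unchanged heading on the last line still misspells the tool name ("ANFCapacityManger"); since this change already touches the answer just above it, fix the heading to "ANFCapacityManager" in the same change.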
azure-netapp-files Whats New https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/whats-new.md
Azure NetApp Files is updated regularly. This article provides a summary about t
## July 2024
+* [Azure NetApp Files large volume enhancement:](large-volumes-requirements-considerations.md) increased throughput and maximum size limit of 2-PiB volume (preview)
+
+ Azure NetApp Files large volumes now support increased maximum throughput and size limits. This update brings an increased size limit to **one PiB,** available via Azure Feature Exposure Control (AFEC), allowing for more extensive and robust data management solutions for various workloads, including HPC, EDA, VDI, and more.
+
+ This update also introduces a preview of a large volume type, starting from **one PiB** up to **two PiB**, available upon request. This **2-PiB** enhancement is subject to regional availability and capacity, ensuring that Azure NetApp Files can meet your specific needs and requirements. This feature is currently in preview. To take advantage of the 2-PiB large volume feature, contact your account team.
+
* [Azure NetApp Files backup](backup-introduction.md) is now available in Azure [US Gov regions](backup-introduction.md#supported-regions).
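Review bot: The new entry says "preview" three times for the 2-PiB option (in the bullet title, in "introduces a preview of", and in "This feature is currently in preview"); one mention is enough. The bullet title "increased throughput and maximum size limit of 2-PiB volume (preview)" also reads as if the 1-PiB increase (available via AFEC) were preview too; suggest "increased throughput, 1-PiB maximum size, and 2-PiB volumes (preview)". Move the comma outside the bold in "**one PiB,**".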
Azure NetApp Files is updated regularly. This article provides a summary about t
* [Large volumes](large-volumes-requirements-considerations.md) (Preview)
- Regular Azure NetApp Files volumes are limited to 100 TiB in size. Azure NetApp Files [large volumes](azure-netapp-files-understand-storage-hierarchy.md#large-volumes) break this barrier by enabling volumes of 100 TiB to 500 TiB in size. The large volumes capability enables various use cases and workloads that require large volumes with a single directory namespace.
+ Regular Azure NetApp Files volumes are limited to 100 TiB in size. Azure NetApp Files [large volumes](azure-netapp-files-understand-storage-hierarchy.md#large-volumes) break this barrier by enabling volumes of 100 TiB to 1 PiB in size. The large volumes capability enables various use cases and workloads that require large volumes with a single directory namespace.
* [Customer-managed keys](configure-customer-managed-keys.md) (Preview)
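Review bot: the new 1 PiB ceiling on the changed line is stated without the gating that the July 2024 entry attaches to it, where the 1 PiB limit is described as "available via Azure Feature Exposure Control (AFEC)". Add the same qualifier here, or link to that entry, so a reader of this paragraph does not assume every large volume can be created at 1 PiB; also reconcile the bullet's "(Preview)" label with the July 2024 text, which presents only the 2 PiB type as preview.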
azure-portal Azure Portal Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-portal/azure-portal-overview.md
Title: What is the Azure portal? description: The Azure portal is a graphical user interface that you can use to manage your Azure services. Learn how to navigate and find resources in the Azure portal. Previously updated : 07/02/2024 Last updated : 07/18/2024
When you save a command as a favorite, it appears in a **Favorites** folder near
Your menu group selections are preserved by resource type and throughout sessions. For example, if you add a favorite command while working with a VM, that command will appear in your **Favorites** if you later work with a different VM. Specific menu groups will also appear collapsed or expanded based on your previous selections.
-> [!NOTE]
-> We're in the process of rolling out the new service menu experience to all customers. If you don't see these options in the service menu, check back soon. We'll remove this note once all customers are seeing the new experience.
- ## Dashboard Dashboards provide a focused view of the resources in your subscription that matter most to you. We give you a default dashboard to get you started. You can customize this dashboard to bring resources you use frequently into a single view, or to display other information.
azure-portal Set Preferences https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-portal/set-preferences.md
Title: Manage Azure portal settings and preferences description: Change Azure portal settings such as default subscription/directory, timeouts, menu mode, contrast, theme, notifications, language/region and more. Previously updated : 07/02/2024 Last updated : 07/18/2024
The **Startup views** section lets you set options for what you see when you fir
### Portal menu behavior
-The **Menu behavior** section lets you choose how the [Azure portal menu](azure-portal-overview.md#service-menu) appears.
+The **Menu behavior** section lets you choose how the [Azure portal menu](azure-portal-overview.md#portal-menu) appears.
- **Flyout**: The menu is hidden until you need it. You can select the menu icon in the upper left hand corner to open or close the menu. - **Docked**: The menu is always visible. You can collapse the menu to provide more working space.
The **Service menu behavior** section lets you choose how items in [service menu
- **Collapsed**: Groups of commands in service menus will appear collapsed. You can still manually select any top-level item to display the commands within that menu group. - **Expanded**: Groups of commands in service menus will appear expanded. You can still manually select any top-level item to collapse that menu group.
-> [!NOTE]
-> We're in the process of rolling out the **Service menu behavior** settings option to all customers. If you don't see this section, check back soon. We'll remove this note after all customers have this option in their portal settings.
- ### Choose a theme or enable high contrast The theme that you choose affects the background and font colors that appear in the Azure portal. In the **Theme** section, you can select from one of four preset color themes. Select each thumbnail to find the theme that best suits you.
azure-resource-manager Visual Studio Code https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/bicep/visual-studio-code.md
Title: Create Bicep files by using Visual Studio Code
description: Describes how to create Bicep files by using Visual Studio Code Previously updated : 05/10/2024 Last updated : 07/18/2024 # Create Bicep files by using Visual Studio Code
From Visual Studio Code, you can open the template reference for the resource ty
## Go to definition
-When defining a [module](./modules.md), regardless of the types of the referenced file - whether it is a local file, module registry file, template spec, you can open the referenced file by selecting or highlighting the module path and then press **[F12]**. If the referenced file is an [Azure Verified Modules(AVM)](https://aka.ms/avm), you can toggle between compiled JSON or Bicep file. To be able to open the Bicep file of a private registry module, ensure that the module is published to the registry with the `WithSource` switch enabled. For more information, see [Publish files to registry](./private-module-registry.md#publish-files-to-registry). The Visual Studio Code Bicep extension version 0.27.1 or newer is required for opening Bicep file from private module registry.
+When defining a [module](./modules.md), regardless of the types of the referenced file - whether it's a local file, module registry file, template spec, you can open the referenced file by selecting or highlighting the module path and then press **[F12]**. If the referenced file is an [Azure Verified Modules(AVM)](https://aka.ms/avm), you can toggle between compiled JSON or Bicep file. To be able to open the Bicep file of a private registry module, ensure that the module is published to the registry with the `WithSource` switch enabled. For more information, see [Publish files to registry](./private-module-registry.md#publish-files-to-registry). The Visual Studio Code Bicep extension version 0.27.1 or newer is required for opening Bicep file from private module registry.
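Review bot: the list of referenced-file kinds is missing its conjunction: "whether it's a local file, module registry file, template spec, you can open" should read "whether it's a local file, a module registry file, or a template spec, you can open". Two smaller fixes in the same paragraph: "Azure Verified Modules(AVM)" needs a space before the parenthesis, and the last sentence wants articles ("opening a Bicep file from a private module registry").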
## Paste as Bicep
Visual Studio Code automatically converts the JSON to Bicep. Notice that you als
You can undo the decompilation by using <kbd>Ctrl+Z</kbd>. The original JSON appears in the file.
+## Troubleshoot
+
+The `Problems` pane summarizes the errors and warning in your Bicep file.
++
+For the list of error/warning codes, see [Bicep error/warning codes](./bicep-error-codes.md).
+
## Next steps To walk through a quickstart, see [Quickstart: Create Bicep files with Visual Studio Code](./quickstart-create-bicep-use-visual-studio-code.md).
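Review bot: "errors and warning" in the sentence introducing the `Problems` pane should be "errors and warnings". The bare "++" line after it looks like an image or include reference whose content did not survive; if it is a screenshot of the Problems pane, restore it as an `:::image:::` block with alt text, as the other articles in this digest do, otherwise delete the empty line so the section does not render with a stray blank.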
azure-resource-manager Azure Subscription Service Limits https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/management/azure-subscription-service-limits.md
The following limits apply to [management groups](../../governance/management-gr
The following limits apply when you use Azure Resource Manager and Azure resource groups. ### Resource group limits
For more information, see [Functions Hosting plans comparison](../../azure-funct
## Azure Kubernetes Service limits ## Azure Lab Services
The maximum number of private endpoints per Azure SQL Database logical server is
<!-- conceptual info about disk limits -- applies to unmanaged and managed --> ### Virtual machine disk limits For more information, see [Virtual machine sizes](../../virtual-machines/sizes.md?toc=%2fazure%2fvirtual-machines%2flinux%2ftoc.json).
need to increase the quota, contact Azure support.
### Managed virtual machine disks ### Unmanaged virtual machine disks ## StorSimple System limits
azure-signalr Signalr Howto Authorize Application https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-signalr/signalr-howto-authorize-application.md
The following steps describe how to assign a SignalR App Server role to a servic
1. Select **Add** > **Add role assignment**.
- :::image type="content" source="../../includes/role-based-access-control/media/add-role-assignment-menu-generic.png" alt-text="Screenshot that shows the page for access control and selections for adding a role assignment.":::
+ :::image type="content" source="~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-menu-generic.png" alt-text="Screenshot that shows the page for access control and selections for adding a role assignment.":::
1. On the **Role** tab, select **SignalR App Server**.
azure-signalr Signalr Howto Authorize Managed Identity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-signalr/signalr-howto-authorize-managed-identity.md
The following steps describe how to assign a SignalR App Server role to a system
1. Select **Add** > **Add role assignment**.
- :::image type="content" source="../../includes/role-based-access-control/media/add-role-assignment-menu-generic.png" alt-text="Screenshot that shows the page for access control and selections for adding a role assignment.":::
+ :::image type="content" source="~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-menu-generic.png" alt-text="Screenshot that shows the page for access control and selections for adding a role assignment.":::
1. On the **Role** tab, select **SignalR App Server**.
azure-web-pubsub Reference Functions Bindings https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-web-pubsub/reference-functions-bindings.md
Working with the trigger and bindings requires you reference the appropriate pac
Use the function trigger to handle requests from Azure Web PubSub service.
-`WebPubSubTrigger` is used when you need to handle requests from service side. The trigger endpoint pattern would be like below which should be set in Web PubSub service side (Portal: settings -> event handler -> URL Template). In the endpoint pattern, the query part `code=<API_KEY>` is **REQUIRED** when you're using Azure Function App for [security](../azure-functions/security-concepts.md#system-key) reasons. The key can be found in **Azure portal**. Find your function app resource and navigate to **Functions** -> **App keys** -> **System keys** -> **webpubsub_extension** after you deploy the function app to Azure. Though, this key isn't needed when you're working with local functions.
+`WebPubSubTrigger` is used when you need to handle requests from service side. The trigger endpoint pattern would be like below which should be set in Web PubSub service side (Portal: settings -> event handler -> URL Template). In the endpoint pattern, the query part `code=<API_KEY>` is **REQUIRED** when you're using Azure Function App for [security](../azure-functions/function-keys-how-to.md#understand-keys) reasons. The key can be found in **Azure portal**. Find your function app resource and navigate to **Functions** -> **App keys** -> **System keys** -> **webpubsub_extension** after you deploy the function app to Azure. Though, this key isn't needed when you're working with local functions.
``` <Function_App_Url>/runtime/webhooks/webpubsub?code=<API_KEY>
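Review bot: "for security reasons" undersells what the `code` query parameter does. Say plainly that it is the `webpubsub_extension` system key and the only credential the Functions host checks before accepting an event-handler call at `/runtime/webhooks/webpubsub`, so anyone who can reach that URL without it can invoke the trigger. The closing sentence ("Though, this key isn't needed when you're working with local functions.") should be reworded so it is not read as licence to omit the key in deployed apps, for example: "When you run the function locally, the Functions host does not enforce keys, so the `code` parameter can be left out of the local URL." Since the key is stored in the Web PubSub event handler URL template, a short note on rotating it from **App keys** > **System keys** also belongs here.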
backup Azure Policy Configure Diagnostics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/azure-policy-configure-diagnostics.md
Title: Configure Vault Diagnostics settings at scale description: Configure Log Analytics Diagnostics settings for all vaults in a given scope using Azure Policy- Previously updated : 02/14/2020+ Last updated : 07/18/2024
backup Backup Architecture https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-architecture.md
Title: Architecture Overview description: Provides an overview of the architecture, components, and processes used by the Azure Backup service.- Previously updated : 03/20/2024+ Last updated : 07/18/2024
backup Backup Azure Afs Automation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-azure-afs-automation.md
Title: Back up an Azure file share by using PowerShell description: In this article, learn how to back up an Azure Files file share by using the Azure Backup service and PowerShell. - Previously updated : 02/11/2022+ Last updated : 07/18/2024
backup Backup Azure Arm Userestapi Restoreazurevms https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-azure-arm-userestapi-restoreazurevms.md
The response is returned in the following format:
#### Step 2:
-Use the [Get Access Token API](/rest/api/backup/recovery-points-get-access-token-for-crr/get-access-token) to authorize your request to access replicated restore points in the secondary region:
+Use the Get Access Token API to authorize your request to access replicated restore points in the secondary region:
```http POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.RecoveryServices/vaults/{vaultName}/backupFabrics/{fabricName}/protectionContainers/{containerName}/protectedItems/{protectedItemName}/recoveryPoints/{recoveryPointId}/accessToken?api-version=2018-12-20
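Review bot: dropping the link leaves "Get Access Token API" with no reference, so the only contract a reader has for the operation is the single POST shown below. If the `recovery-points-get-access-token-for-crr` reference page was retired, link its replacement, or at least state that the request shape and `api-version=2018-12-20` on the next line are the authoritative form; plain text is otherwise a regression from the previous revision.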
backup Backup Azure Data Protection Use Rest Api Backup Postgresql https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-azure-data-protection-use-rest-api-backup-postgresql.md
Title: Back up Azure PostgreSQL databases using Azure data protection REST API description: In this article, learn how to configure, initiate, and manage backup operations of Azure PostgreSQL databases using REST API.- Previously updated : 01/24/2022+ Last updated : 07/18/2024 ms.assetid: 55fa0a81-018f-4843-bef8-609a44c97dcd
backup Backup Azure Data Protection Use Rest Api Create Update Postgresql Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-azure-data-protection-use-rest-api-create-update-postgresql-policy.md
Title: Create backup policies for Azure PostgreSQL databases using data protection REST API description: In this article, you'll learn how to create and manage backup policies for Azure PostgreSQL databases using REST API.- Previously updated : 01/24/2022+ Last updated : 07/18/2024 ms.assetid: 759ee63f-148b-464c-bfc4-c9e640b7da6b
backup Backup Azure Dataprotection Use Rest Api Create Update Backup Vault https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-azure-dataprotection-use-rest-api-create-update-backup-vault.md
Title: Create Azure Backup policy for blobs using REST API. description: In this article, learn how to create a policy to back up blobs in a storage account using REST API.- Previously updated : 07/09/2021+ Last updated : 07/18/2024 ms.assetid: 93861379-5bec-4ed5-95d2-46f534a115fd
backup Backup Azure Enhanced Soft Delete About https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-azure-enhanced-soft-delete-about.md
Title: Overview of enhanced soft delete for Azure Backup description: This article gives an overview of enhanced soft delete for Azure Backup.-+ Previously updated : 03/02/2024 Last updated : 07/18/2024
backup Backup Azure Manage Windows Server https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-azure-manage-windows-server.md
This article explains how to use the Recovery Services vault **Overview** dashbo
The prerequisites for this article are: an Azure subscription, a Recovery Services vault, and that there's at least one backup item configured for the vault. ## Open a Recovery Services vault
backup Backup Azure Mars Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-azure-mars-troubleshoot.md
This section explains the process to troubleshoot errors that you might encounte
| Causes | Recommended actions | | | | | **Vault credentials aren't valid** <br/> <br/> Vault credential files might be corrupt, might have expired, or they might have a different file extension than `.vaultCredentials`. (For example, they might have been downloaded more than 10 days before the time of registration.) | [Download new credentials](backup-azure-file-folder-backup-faq.yml#where-can-i-download-the-vault-credentials-file-) from the Recovery Services vault on the Azure portal. Then take these steps, as appropriate: <br><br>- If you've already installed and registered MARS, open the Microsoft Azure Backup Agent MMC console. Then select **Register Server** in the **Actions** pane to complete the registration with the new credentials. <br> - If the new installation fails, try reinstalling with the new credentials. <br><br> **Note**: If multiple vault credential files have been downloaded, only the latest file is valid for the next 10 days. We recommend that you download a new vault credential file. <br><br> - To prevent errors during vault registration, ensure that the MARS agent version 2.0.9249.0 or above is installed. If not, we recommend you to install it [from here](https://aka.ms/azurebackup_agent).|
-| **Proxy server/firewall is blocking registration** <br/>Or <br/>**No internet connectivity** <br/><br/> If your machine has limited internet access, and you don't ensure the firewall, proxy, and network settings allow access to the FQDNS and public IP addresses, the registration will fail.| Follow these steps:<br/> <br><br>- Work with your IT team to ensure the system has internet connectivity.<br>- If you don't have a proxy server, ensure the proxy option isn't selected when you register the agent. [Check your proxy settings](#verifying-proxy-settings-for-windows).<br>- If you do have a firewall/proxy server, work with your networking team to allow access to the following FQDNs and public IP addresses. Access to all of the URLs and IP addresses listed below uses the HTTPS protocol on port 443.<br/> <br> **URLs**<br> `*.microsoft.com` <br> `*.windowsazure.com` <br> `*.microsoftonline.com` <br> `*.windows.net` <br> `*blob.core.windows.net` <br> `*queue.core.windows.net` <br> `*blob.storage.azure.net`<br><br><br>- If you're a US Government customer, ensure that you have access to the following URLs:<br><br> `www.msftncsi.com` <br> `*.microsoft.com` <br> `*.windowsazure.us` <br> `*.microsoftonline.us` <br> `*.windows.net` <br> `*.usgovcloudapi.net` <br> `*blob.core.windows.net` <br> `*queue.core.windows.net` <br> `*blob.storage.azure.net` <br><br> Try registering again after you complete the preceding troubleshooting steps.<br></br> If your connection is via Azure ExpressRoute, make sure the settings are configured as described in Azure [ExpressRoute support](../backup/backup-support-matrix-mars-agent.md#azure-expressroute-support). |
+| **Proxy server/firewall is blocking registration** <br/>Or <br/>**No internet connectivity** <br/><br/> If your machine has limited internet access, and you don't ensure the firewall, proxy, and network settings allow access to the FQDNS and public IP addresses, the registration will fail.| Follow these steps:<br/> <br><br>- Work with your IT team to ensure the system has internet connectivity.<br>- If you don't have a proxy server, ensure the proxy option isn't selected when you register the agent. [Check your proxy settings](#verifying-proxy-settings-for-windows).<br>- If you do have a firewall/proxy server, work with your networking team to allow access to the following FQDNs and public IP addresses. Access to all of the URLs and IP addresses listed below uses the HTTPS protocol on port 443.<br/> <br> **URLs**<br> `*.microsoft.com` <br> `*.windowsazure.com` <br> `*.microsoftonline.com` <br> `*.windows.net` <br> `*blob.core.windows.net` <br> `*queue.core.windows.net` <br> `*blob.storage.azure.net`<br><br><br>- If you're a US Government customer, ensure that you have access to the following URLs:<br><br> `www.msftncsi.com` <br> `*.microsoft.com` <br> `*.windowsazure.us` <br> `*.microsoftonline.us` <br> `*.windows.net` <br> `*.usgovcloudapi.net` <br> `*blob.core.windows.net` <br> `*queue.core.windows.net` <br> `*blob.storage.azure.net` <br><br> Try registering again after you complete the preceding troubleshooting steps.<br></br> If your connection is via Azure ExpressRoute, make sure the settings are configured as described in Azure [ExpressRoute support](../backup/backup-support-matrix-mars-agent.md#azure-expressroute-support). <br/> <br/> If you are using the [Entra Tenant Restrictions](https://learn.microsoft.com/entra/identity/enterprise-apps/tenant-restrictions) feature with your proxy, ensure that the tenant id of Recovery Services Vault used to register the MARS agent is added to the list of allowed tenants in the `Restrict-Access-To-Tenants` header. 
This tenant id is unique per Azure region. You can find the tenant id by opening the vault credential file and locating the `<AadTenantId>` element.|
| **Antivirus software is blocking registration** | If you have antivirus software installed on the server, add the exclusion rules to the antivirus scan for: <br><br> - Every file and folder under the *scratch* and *bin* folder locations - `<InstallPath>\Scratch\*` and `<InstallPath>\Bin\*`. <br> - cbengine.exe | #### Additional recommendations
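Review bot: the new Tenant Restrictions text breaks the table. The cell ends after "`Restrict-Access-To-Tenants` header." and the sentence "This tenant id is unique per Azure region..." continues on a new line without the `|` row delimiters, so Markdown will render it outside the table; join it into the same row with `<br>` like the rest of the cell. Also clarify whose tenant this is: "the tenant id of Recovery Services Vault" reads as if the reader should allow their own tenant, whereas the second sentence says the value comes from the `<AadTenantId>` element of the vault credential file and differs per region, so say that the ID to allow is the one in the credential file. Style points in the same cell: "If you are using" should be "If you're using" to match the contractions used elsewhere on this page, "tenant id" should be "tenant ID", and the absolute `https://learn.microsoft.com/entra/...` link should be site-relative (`/entra/identity/enterprise-apps/tenant-restrictions`) like the other links in this row.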
backup Backup Azure Restore Windows Server https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-azure-restore-windows-server.md
Use the Instant Restore feature to mount a writeable recovery point snapshot as
Use Instant Restore with Recovery Services vaults in the Azure portal. If you stored data in Backup vaults, they've been converted to Recovery Services vaults. If you want to use Instant Restore, download the MARS update, and follow the procedures that mention Instant Restore. ## Use Instant Restore to recover data to the same machine
backup Backup Azure Vms Enhanced Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-azure-vms-enhanced-policy.md
Trusted Launch VMs can only be backed up using Enhanced policies.
>- The support for Enhanced policy is available in all Azure Public and US Government regions. >- For hourly backups, the last backup of the day is transferred to vault. If backup fails, the first backup of the next day is transferred to vault. >- Migration to enhanced policy for Azure VMs protected with standard policy is now supported and available in preview.
->- Backup an Azure VM with disks that have public network access disabled is now supported and available in preview.
+>- Backup an Azure VM with disks that have public network access disabled is now supported and generally available.
## Enable selective disk backup and restore
backup Backup Azure Vms Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-azure-vms-troubleshoot.md
If after restore, you notice the disks are offline then:
* Verify if the machine where the script is executed meets the OS requirements. [Learn more](./backup-azure-restore-files-from-vm.md#step-3-os-requirements-to-successfully-run-the-script). * Ensure you are not restoring to the same source, [Learn more](./backup-azure-restore-files-from-vm.md#step-2-ensure-the-machine-meets-the-requirements-before-executing-the-script).
+### Folder is missing when a Linux VM is recovered as a new VM
+This issue can occur if disks are mounted to a directory using the device name (e.g., /dev/sdc1) instead of UUID. When the VM reboots or when it is recovered as a new VM, the device names are assigned in a random order. To ensure that the right drive is mounted to your directory, always mount drives using UUID obtained from the `blkid` utility. [Learn more](../virtual-machines/linux/attach-disk-portal.yml).
+ ### UserErrorInstantRpNotFound - Restore failed because the Snapshot of the VM was not found Error code: UserErrorInstantRpNotFound <br>
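Review bot: the mitigation is right but the detail a reader needs is where the device-name mount lives: a mount such as `/dev/sdc1` only survives a reboot or a restore if it is written in `/etc/fstab` (or a systemd mount unit), which is what runs on the recovered VM, so say "in `/etc/fstab`" and put the device path and `blkid` in code font. Also insert a blank line before the `### UserErrorInstantRpNotFound` heading that follows, which currently runs straight on from the paragraph.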
DHCP must be enabled inside the guest for IaaS VM backup to work. If you need a
Get more information on how to set up a static IP through PowerShell: * [How to add a static internal IP to an existing VM](/powershell/module/az.network/set-aznetworkinterfaceipconfig#description)
-* [Change the allocation method for a private IP address assigned to a network interface](../virtual-network/ip-services/virtual-networks-static-private-ip-arm-ps.md)
+* [Change the allocation method for a private IP address assigned to a network interface](../virtual-network/ip-services/virtual-networks-static-private-ip-arm-ps.md)
backup Restore Azure Sql Vm Rest Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/restore-azure-sql-vm-rest-api.md
To perform Cross-region restore, you will require an access token to enable prop
} ```
-1. Use the [Get Access Token API](/rest/api/backup/recovery-points-get-access-token-for-crr/get-access-token) to get an access token to enable communication between the Azure Backup services.
+1. Use the Get Access Token API to get an access token to enable communication between the Azure Backup services.
```http POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.RecoveryServices/vaults/{vaultName}/backupFabrics/{fabricName}/protectionContainers/{containerName}/protectedItems/{protectedItemName}/recoveryPoints/{recoveryPointId}/accessToken?api-version=2018-12-20
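Review bot: removing the link leaves "Get Access Token API" unreferenced, so a reader of this step has nothing beyond the POST below to go on. If the `recovery-points-get-access-token-for-crr` reference page is gone, link its replacement or state that the request on the next line, including `api-version=2018-12-20`, is the authoritative form.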
backup Restore Managed Disks https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/restore-managed-disks.md
Title: Restore Azure Managed Disks description: Learn how to restore Azure Managed Disks from the Azure portal.- Previously updated : 01/07/2021+ Last updated : 07/18/2024
backup Save Backup Passphrase Securely In Azure Key Vault https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/save-backup-passphrase-securely-in-azure-key-vault.md
Title: Save and manage MARS agent passphrase securely in Azure Key Vault description: Learn how to save MARS agent passphrase securely in Azure Key Vault and retrieve them during restore. Previously updated : 11/07/2023 Last updated : 07/18/2024
backup Troubleshoot Azure Files https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/troubleshoot-azure-files.md
Title: Troubleshoot Azure file share backup description: This article is troubleshooting information about issues occurring when protecting your Azure file shares. Previously updated : 06/25/2024 Last updated : 07/18/2024
In the Azure portal, open your **Vault** > **Backup Infrastructure** > **Storage
Error Code: FileShareNotFound
-Error Message: Operation failed as the file share is not found
+Error Message: Operation failed as the file share isn't found
Ensure that the file share you're trying to protect hasn't been deleted.
Error Message: Storage account not found or not supported
- Ensure that the Storage account is a supported Storage account for file share backup.
-### AFSMaxSnapshotReached- You have reached the max limit of snapshots for this file share; you will be able to take more once the older ones expire
+### AFSMaxSnapshotReached- You have reached the max limit of snapshots for this file share; you'll be able to take more once the older ones expire
Error Code: AFSMaxSnapshotReached
-Error Message: You have reached the max limit of snapshots for this file share; you will be able to take more once the older ones expire.
+Error Message: You have reached the max limit of snapshots for this file share; you'll be able to take more once the older ones expire.
- This error can occur when you create multiple on-demand backups for a file share. - There's a limit of 200 snapshots per file share including the ones taken by Azure Backup. Older scheduled backups (or snapshots) are cleaned up automatically. On-demand backups (or snapshots) must be deleted if the maximum limit is reached.
baremetal-infrastructure Nc2 On Azure Responsibility Matrix https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/baremetal-infrastructure/workloads/nc2-on-azure/nc2-on-azure-responsibility-matrix.md
description: Defines who's responsible for what for NC2 on Azure.
Previously updated : 06/07/2024 Last updated : 7/18/2024 # NC2 on Azure responsibility matrix
-On-premises Nutanix environments require the Nutanix customer to support all the hardware and software for running the platform. For NC2 on Azure, Microsoft maintains the hardware for the customer.
-The following table color-codes areas of management, where:
+NC2 on Azure implements a shared responsibility model that defines distinct roles and responsibilities of the three parties involved in the offering: the Customer, Microsoft and Nutanix.
-* Microsoft NC2 team = blue
-* Nutanix = purple
-* Customer = gray
+On-premises Nutanix environments require the Nutanix customer to support all the hardware and software for running the platform. For NC2 on Azure, Microsoft maintains the hardware for the customer.
Microsoft manages the Azure BareMetal specialized compute hardware and its data and control plane platform for underlay network. Microsoft supports if the customers plan to bring their existing Azure Subscription, VNet, vWAN, etc.
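Review bot: the removed legend ("Microsoft NC2 team = blue", "Nutanix = purple", "Customer = gray") is the only explanation of the color coding, so if the responsibility table still marks ownership by color it now renders with no key and is unreadable for screen-reader users; either keep a legend or replace the colors with an explicit owner column. The new opening sentence also needs a serial comma for consistency with the rest of the docs: "the Customer, Microsoft, and Nutanix".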
Nutanix covers the life-cycle management of Nutanix software (MCM, Prism Central
**Monitoring and remediation**
-Microsoft NC2 team continuously monitors the health of the underlay and BareMetal infrastructure. If MS NC2 detects a failure, it takes action to repair the failed services.
+Microsoft continuously monitors the health of the underlay and BareMetal infrastructure. If Microsoft detects a failure, it takes action to repair the failed services.
batch Batch Cli Get Started https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/batch/batch-cli-get-started.md
To view the command output in JSON format, add `--json` to the end of your comma
**General Azure CLI troubleshooting** ## Next steps
business-continuity-center Business Continuity Center Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/business-continuity-center/business-continuity-center-overview.md
Title: What is Azure Business Continuity center?
description: Azure Business Continuity center is a cloud-native unified business continuity and disaster recovery (BCDR) management platform in Azure that enables you to manage your protection estate across solutions and environments. Previously updated : 11/15/2023 Last updated : 07/18/2024 - mvc - ignite-2023
chaos-studio Chaos Studio Tutorial Aks Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/chaos-studio/chaos-studio-tutorial-aks-portal.md
Chaos Studio uses [Chaos Mesh](https://chaos-mesh.org/), a free, open-source cha
Before you can run Chaos Mesh faults in Chaos Studio, you must install Chaos Mesh on your AKS cluster.
-1. Run the following commands in an [Azure Cloud Shell](../cloud-shell/overview.md) window where you have the active subscription set to be the subscription where your AKS cluster is deployed. Replace `$RESOURCE_GROUP` and `$CLUSTER_NAME` with the resource group and name of your cluster resource.
+1. Run the following commands in an [Azure Cloud Shell](../cloud-shell/overview.md) window where you have the active subscription set to be the subscription where your AKS cluster is deployed. Replace `MyManagedCluster` and `MyResourceGroup` with the name of your cluster and resource group.
```azurecli
- az aks get-credentials -g $RESOURCE_GROUP -n $CLUSTER_NAME
+ az aks get-credentials --admin --name MyManagedCluster --resource-group MyResourceGroup
``` ```bash
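Review bot: the change from `az aks get-credentials -g $RESOURCE_GROUP -n $CLUSTER_NAME` to `az aks get-credentials --admin --name MyManagedCluster --resource-group MyResourceGroup` is a security change, not just a renaming of placeholders, and should be explained or reverted. `--admin` retrieves the cluster's local admin credentials, which bypass Microsoft Entra ID authentication and Kubernetes RBAC entirely, and the command fails on clusters that have local accounts disabled, which is the recommended hardening. Installing Chaos Mesh needs cluster-scope permissions, but a user or identity granted those rights through Azure RBAC for Kubernetes achieves the same result with an auditable identity. If `--admin` stays, add a sentence saying why it is required here and that it does not work when local accounts are disabled.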
cloud-services Cloud Services Guestos Msrc Releases https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cloud-services/cloud-services-guestos-msrc-releases.md
The following tables show the Microsoft Security Response Center (MSRC) updates
[5004335]: https://support.microsoft.com/kb/5004335 [5008244]: https://support.microsoft.com/kb/5008244 [5008277]: https://support.microsoft.com/kb/5008277
-[5008263]: https://support.microsoft.com/kb/5008263
+[5008263]: https://support.microsoft.com/topic/december-14-2021-kb5008263-monthly-rollup-513a39f5-b624-4214-b2be-b93f5a775e12
[5001401]: https://support.microsoft.com/kb/5001401 [5001403]: https://support.microsoft.com/kb/5001403 [4578013]: https://support.microsoft.com/kb/4578013
cloud-services Mitigate Se https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cloud-services/mitigate-se.md
# Guidance to mitigate speculative execution side-channel vulnerabilities in Azure
communication-services Download Media https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/quickstarts/advanced-messaging/whatsapp/download-media.md
+
+ Title: Download WhatsApp message media
+
+description: In this quickstart, you learn how to download the media received in a WhatsApp message with Azure Communication Services Messages.
++++ Last updated : 07/15/2024++++
+# Quickstart: Download WhatsApp message media
+
+Azure Communication Services enables you to send and receive WhatsApp messages. In this quickstart, you learn how to download the media payload received in a WhatsApp message.
+
+Use case: A business receives a WhatsApp message from their customer that contains an image. The business needs to download the image from WhatsApp in order to view the image.
++
+## Next steps
+
+In this quickstart, you tried out the Advanced Messaging for WhatsApp SDK. Next you might also want to see the following articles:
+
+- [Send WhatsApp Messages using Advanced Messages](../../../quickstarts/advanced-messaging/whatsapp/get-started.md)
+- [Handle Advanced Messaging Events](./handle-advanced-messaging-events.md)
+- [Send WhatsApp Template Messages](../../../concepts/advanced-messaging/whatsapp/template-messages.md)
communication-services Get Started https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/quickstarts/advanced-messaging/whatsapp/get-started.md
Previously updated : 02/29/2024 Last updated : 07/15/2024 zone_pivot_groups: acs-js-csharp-java-python
-# Quickstart: Send WhatsApp Messages using Advanced Messages
+# Quickstart: Send WhatsApp messages using Advanced Messages
Azure Communication Services enables you to send and receive WhatsApp messages. In this quickstart, get started integrating your app with Azure Communication Advanced Messages SDK and start sending/receiving WhatsApp messages. Completing this quickstart incurs a small cost of a few USD cents or less in your Azure account.
Azure Communication Services enables you to send and receive WhatsApp messages.
In this quickstart, you tried out the Advanced Messaging for WhatsApp SDK. Next you might also want to see the following articles: -- [Handle Advanced Messaging Events](./handle-advanced-messaging-events.md)-- [Send WhatsApp Template Messages](../../../concepts/advanced-messaging/whatsapp/template-messages.md)
+- [Handle Advanced Messaging events](./handle-advanced-messaging-events.md)
+- [Send WhatsApp template messages](../../../concepts/advanced-messaging/whatsapp/template-messages.md)
container-apps Dapr Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-apps/dapr-overview.md
To learn more about using _alpha_ Dapr APIs and features, [see the Dapr FAQ][dap
| [**Secrets**][dapr-secrets] | GA | Access secrets from your application code or reference secure values in your Dapr components. | | [**Configuration**][dapr-config] | GA | Retrieve and subscribe to application configuration items for supported configuration stores. | ### Tooling
container-registry Container Registry Content Trust https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-registry/container-registry-content-trust.md
Details for granting the `AcrImageSigner` role in the Azure portal and the Azure
| Assign access to | User | | Members | Alain |
- ![Add role assignment page in Azure portal.](../../includes/role-based-access-control/media/add-role-assignment-page.png)
+ ![Add role assignment page in Azure portal.](~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-page.png)
### Azure CLI
cosmos-db Continuous Backup Restore Permissions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/continuous-backup-restore-permissions.md
To perform a restore, a user or a principal need the permission to restore (that
| Assign access to | User, group, or service principal | | Members | &lt;User of your choice&gt; |
- :::image type="content" source="../../includes/role-based-access-control/media/add-role-assignment-page.png" alt-text="Screenshot that shows Add role assignment page in Azure portal.":::
+ :::image type="content" source="~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-page.png" alt-text="Screenshot that shows Add role assignment page in Azure portal.":::
1. Repeat step 4 with the **Cosmos DB Operator** role to grant the write permission. When assigning this role from the Azure portal, it grants the restore permission to the whole subscription.
cosmos-db Monitor Metrics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/mongodb/vcore/monitor-metrics.md
+
+ Title: Monitor metrics in Azure Cosmos DB for MongoDB (vCore)
+description: Discover how to monitor memory or CPU usage for operations in Azure Cosmos DB. Account owners can identify resource-intensive operations.
++++ Last updated : 07/02/2024++
+# Explore Azure Monitor in vCore-based Azure Cosmos DB for MongoDB (vCore)
+
+Azure Monitor for vCore-based Azure Cosmos DB for MongoDB provides a metrics view to monitor your account and create dashboards. The Azure Cosmos DB metrics are collected by default, however this feature is only accessible to M40 and above cluster tiers. The **CPU percent** metric is used to get the consumption for different types of operations. Later you can analyze which operations used most of the committed memory. By default, the consumption data is aggregated at five-minute interval. However, you can change the aggregation unit by changing the time granularity option.
+
+## Introduction
+
+Before you begin, you should understand how information is presented and visualized.
+
+It delivers:
+
+* **At-scale perspective** of your Azure Cosmos DB for MongoDB (vCore) resources across all your subscriptions in a single location. You can selectively scope to only the subscriptions and resources that you're interested in evaluating.
+* **Drill-down analysis** of a particular Azure Cosmos DB for MongoDB (vCore) resource. You can diagnose issues or perform detailed analysis by using the categories of utilization, failures, capacity, and operations. Selecting any one of the options provides an in-depth view of the relevant Azure Cosmos DB for MongoDB (vCore) metrics.
+* **Customizable** experience built on top of Azure Monitor workbook templates. You can change what metrics are displayed, modify or set thresholds that align with your limits, and then save into a custom workbook. Charts in the workbooks can then be pinned to Azure dashboards.
+
+## Metrics available today
+### System Metrics (available on all cluster tiers)
+- **Committed memory percent**: Shows the percentage of the committed memory limit that is allocated by applications on a shard. This metric helps in monitoring the memory usage against the allocated limit.
+- **CPU percent**: Indicates the CPU utilization on a shard.
+ - **High CPU Utilization**: If you notice a spike in CPU utilization on average, the best option to maximize performance is to increase the cluster tier. After increasing the tier, monitor the usage to see if it stabilizes.
+ - **Low CPU Utilization**: Conversely, if the CPU utilization is consistently low, it is recommended to scale down to a lower cluster tier to save on cost.
+- **Memory percent**: Shows the memory utilization on a shard. For read-heavy workloads, consider using cluster tiers with more RAM to optimize performance and ensure smoother operations.
+- **Storage percent:** Displays the available storage percentage on a shard.
+- **Storage used**: Represents the actual amount of storage used on a shard. This metric is crucial for understanding the storage consumption trends and managing storage resources.
+ - **Monitoring and Management**: If storage utilization increases above 80%, users should monitor this more closely. It is recommended to increase the SKU size of the disk to manage storage more effectively.
+ - **Performance Optimization**: If write performance is not at the desired level, particularly when running at scale, increasing the disk size can enhance write performance.
+- **IOPS:** Measures the disk IO operations per second on a shard. It provides insights into the read and write performance of the storage system, helping to optimize disk usage.
+ - **Write Heavy Workloads**: IOPS is particularly important for write-heavy workloads, especially when operating at scale. If write performance needs to be improved, it is recommended to upgrade the storage disk SKU size rather than increasing the cluster tier.
+
+### Database metrics
+- **Mongo request duration**: Captures the end-to-end duration in milliseconds of client MongoDB requests handled by the Mongo cluster, updated every 60 seconds. This metric is vital for assessing the responsiveness and latency of the database operations.
+
+>[!NOTE]
+>There's no charge to access Database metrics. However, you'll have to be on the M40 cluster tier or higher to access the metrics. For more information on upgrading, please refer to [this guide](./how-to-scale-cluster.md).
++
+## View metrics
+
+1. Sign in to the [Azure portal](https://portal.azure.com).
+
+2. Navigate to the existing Azure Cosmos DB for MongoDB vCore cluster page.
+
+3. From the Azure Cosmos DB for MongoDB vCore cluster page, select the **Metrics** navigation menu option.
+
+ :::image type="content" source="./media/monitor/monitor-metrics-blade.png" alt-text="Screenshot of metrics blade in Azure Cosmos DB.":::
+
+1. Next select the **Monogo request duration** metric from the list of available metrics. In this example, let's select **Mongo request duration** and **Avg** as the aggregation value. In addition to these details, you can also select the **Time range** and **Time granularity** of the metrics. At max, you can view metrics for the past 30 days. After you apply the filter, a chart is displayed based on your filter. You can see the average number of request units consumed per minute for the selected period.
+
+ :::image type="content" source="./media/monitor/monitor-metric-mongo-request-duration.png" alt-text="Screenshot of choosing a metric from the Azure portal." border="true":::
+
+## Filters for database metrics
+
+- You can also filter metrics and get the charts displayed by a specific **CollectionName**, **DatabaseName**, **Operation**, and **StatusCode**. The **Add filter** and **Apply splitting** options allows you to filter the usage and group the metrics.
+
+- If you want to see the usage by collection, select **Apply splitting** and choose the collection name as a filter. You will see a chart like the following with a choice of collections within the dashboard. You can then select a specific collection name to view more details:
+
+ :::image type="content" source="./media/monitor/monitor-metrics-filtering.png" alt-text="Azure Cosmos DB memory request duration for all operations by the collection in Azure monitor" border="true":::
+
+## Next steps
+
+* Configure [metric alerts](../../../azure-monitor/alerts/alerts-metric.md) to set up automated alerting to aid in detecting issues.
+* [Migrate your data](./migration-options.md) to vCore-based Azure Cosmos DB for MongoDB
+++
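Review bot: step 4 of View metrics tells the reader to select **Monogo request duration** and then says the chart shows "the average number of request units consumed per minute"; the metric name is misspelled, and Mongo request duration is defined in Database metrics as an end-to-end duration in milliseconds, so the sentence should describe average request latency, not request units. The tier statements also conflict: the intro says the metrics are "only accessible to M40 and above cluster tiers", the System Metrics heading says "available on all cluster tiers", and the note says M40 or higher is needed "to access the metrics"; scope the M40 requirement to the Database metrics section if that is what is intended. Minor: the numbered list in View metrics runs 1, 2, 3, 1.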
cosmos-db Rag https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/mongodb/vcore/rag.md
+
+ Title: Optimize Retrieval-Augmented Generation (RAG) with Azure Cosmos DB for MongoDB (vCore), LangChain, and OpenAI
+
+description: Learn how to enhance AI-based applications using Retrieval-Augmented Generation (RAG) with Azure Cosmos DB for MongoDB (vCore), LangChain, and OpenAI. Discover key concepts, architecture, and real-world applications.
++++++ Last updated : 07/08/2024++
+# RAG with vCore-based Azure Cosmos DB for MongoDB
+In the fast-evolving realm of generative AI, Large Language Models (LLMs) like GPT-3.5 have transformed natural language processing. However, an emerging trend in AI is the use of vector stores, which play a pivotal role in enhancing AI applications.
+
+This tutorial explores how to use Azure Cosmos DB for MongoDB (vCore), LangChain, and OpenAI to implement Retrieval-Augmented Generation (RAG) for superior AI performance alongside discussing LLMs and their limitations. We explore the rapidly adopted paradigm of "retrieval-augmented generation" (RAG), and briefly discuss the LangChain framework, Azure OpenAI models. Finally, we integrate these concepts into a real-world application. By the end, readers will have a solid understanding of these concepts.
+
+## Understand Large Language Models (LLMs) and their limitations
+
+Large Language Models (LLMs) are advanced deep neural network models trained on extensive text datasets, enabling them to understand and generate human-like text. While revolutionary in natural language processing, LLMs have inherent limitations:
+
+- **Hallucinations**: LLMs sometimes generate factually incorrect or ungrounded information, known as "hallucinations."
+- **Stale Data**: LLMs are trained on static datasets that might not include the most recent information, limiting their current relevance.
+- **No Access to UserΓÇÖs Local Data**: LLMs don't have direct access to personal or localized data, restricting their ability to provide personalized responses.
+- **Token Limits**: LLMs have a maximum token limit per interaction, constraining the amount of text they can process at once. For example, OpenAIΓÇÖs gpt-3.5-turbo has a token limit of 4096.
+
+## Leverage Retrieval-Augmented Generation (RAG)
+
+Retrieval-augmented generation (RAG) is an architecture designed to overcome LLM limitations. RAG uses vector search to retrieve relevant documents based on an input query, providing these documents as context to the LLM for generating more accurate responses. Instead of relying solely on pretrained patterns, RAG enhances responses by incorporating up-to-date, relevant information. This approach helps to:
+
+- **Minimize Hallucinations**: Grounding responses in factual information.
+- **Ensure Current Information**: Retrieving the most recent data to ensure up-to-date responses.
+- **Utilize External Databases**: Though it doesn't grant direct access to personal data, RAG allows integration with external, user-specific knowledge bases.
+- **Optimize Token Usage**: By focusing on the most relevant documents, RAG makes token usage more efficient.
+
+This tutorial demonstrates how RAG can be implemented using Azure Cosmos DB for MongoDB (vCore) to build a question-answering application tailored to your data.
+
+## Application architecture overview
+
+The architecture diagram below illustrates the key components of our RAG implementation:
+
+![Architecture Diagram](./media/vector/architecture-diagram.png)
+
+## Key components and frameworks
+
+We'll now discuss the various frameworks, models, and components used in this tutorial, emphasizing their roles and nuances.
+
+### Azure Cosmos DB for MongoDB (vCore)
+
+Azure Cosmos DB for MongoDB (vCore) supports semantic similarity searches, essential for AI-powered applications. It allows data in various formats to be represented as vector embeddings, which can be stored alongside source data and metadata. Using an approximate nearest neighbors algorithm, like Hierarchical navigable small world (HNSW), these embeddings can be queried for fast semantic similarity searches.
+
+### LangChain framework
+
+LangChain simplifies the creation of LLM applications by providing a standard interface for chains, multiple tool integrations, and end-to-end chains for common tasks. It enables AI developers to build LLM applications that leverage external data sources.
+
+Key aspects of LangChain:
+
+- **Chains**: Sequences of components solving specific tasks.
+- **Components**: Modules like LLM wrappers, vector store wrappers, prompt templates, data loaders, text splitters, and retrievers.
+- **Modularity**: Simplifies development, debugging, and maintenance.
+- **Popularity**: An open-source project rapidly gaining adoption and evolving to meet user needs.
+
+### Azure App Services interface
+
+App services provide a robust platform for building user-friendly web interfaces for Gen-AI applications. This tutorial uses Azure App services to create an interactive web interface for the application.
+
+### OpenAI models
+
+OpenAI is a leader in AI research, providing various models for language generation, text vectorization, image creation, and audio-to-text conversion. For this tutorial, we'll use OpenAIΓÇÖs embedding and language models, crucial for understanding and generating language-based applications.
+
+### Embedding models vs. Language generation models
+
+| | **Text Embedding Model** | **Language Model** |
+||-||
+| **Purpose** | Converting text into vector embeddings. | Understanding and generating natural language. |
+| **Function** | Transforms textual data into high-dimensional arrays of numbers, capturing the semantic meaning of the text. | Comprehends and produces human-like text based on given input. |
+| **Output** | Array of numbers (vector embeddings). | Text, answers, translations, code, etc. |
+| **Example Output** | Each embedding represents the semantic meaning of the text in numerical form, with a dimensionality determined by the model. For example, `text-embedding-ada-002` generates vectors with 1536 dimensions. | Contextually relevant and coherent text generated based on the input provided. For example, `gpt-3.5-turbo` can generate responses to questions, translate text, write code, and more. |
+| **Typical Use Cases** | - Semantic search | - Chatbots |
+| | - Recommendation systems | - Automated content creation |
+| | - Clustering and classification of text data | - Language translation |
+| | - Information retrieval | - Summarization |
+| **Data Representation** | Numerical representation (embeddings) | Natural language text |
+| **Dimensionality** | The length of the array corresponds to the number of dimensions in the embedding space, for example, 1536 dimensions. | Typically represented as a sequence of tokens, with the context determining the length. |
++
+### Main components of the application
+
+- **Azure Cosmos DB for MongoDB vCore**: Storing and querying vector embeddings.
+- **LangChain**: Constructing the applicationΓÇÖs LLM workflow. Utilizes tools such as:
+ - **Document Loader**: For loading and processing documents from a directory.
+ - **Vector Store Integration**: For storing and querying vector embeddings in Azure Cosmos DB.
+ - **AzureCosmosDBVectorSearch**: Wrapper around Cosmos DB Vector search
+- **Azure App Services**: Building the user interface for Cosmic Food app.
+- **Azure OpenAI**: For providing LLM and embedding models, including:
+ - **text-embedding-ada-002**: A text embedding model that converts text into vector embeddings with 1536 dimensions.
+ - **gpt-3.5-turbo**: A language model for understanding and generating natural language.
+
+### Set up the environment
+
+To get started with optimizing retrieval-augmented generation (RAG) using Azure Cosmos DB for MongoDB (vCore), follow these steps:
+
+- **Create the following resources on Microsoft Azure:**
+ - **Azure Cosmos DB for MongoDB vCore cluster**: See the [Quick Start guide here](https://aka.ms/tryvcore).
+ - **Azure OpenAI resource with:**
+ - **Embedding model deployment** (for example, `text-embedding-ada-002`).
+ - **Chat model deployment** (for example, `gpt-35-turbo`).
+
+### Sample documents
+In this tutorial, we will be loading a single text file using [Document](https://python.langchain.com/v0.1/docs/modules/data_connection/document_loaders/). These files should be saved in a directory named **data** in the **src** folder. The contents of the are as follows:
+```food_items.json
+ {
+ "category": "Cold Dishes",
+ "name": "Hamachi Fig",
+ "description": "Hamachi sashimi lightly tossed in a fig sauce with rum raisins, and serrano peppers then topped with fried lotus root.",
+ "price": "16.0 USD"
+ },
+```
+
+### Load documents
+1. Set the Cosmos DB for MongoDB (vCore) connection string, Database Name, Collection Name, and Index:
+```python
+mongo_client = MongoClient(mongo_connection_string)
+database_name = "Contoso"
+db = mongo_client[database_name]
+collection_name = "ContosoCollection"
+index_name = "ContosoIndex"
+collection = db[collection_name]
+```
+
+2. Initialize the Embedding Client.
+```python
+from langchain_openai import AzureOpenAIEmbeddings
+
+openai_embeddings_model = os.getenv("AZURE_OPENAI_EMBEDDINGS_MODEL_NAME", "text-embedding-ada-002")
+openai_embeddings_deployment = os.getenv("AZURE_OPENAI_EMBEDDINGS_DEPLOYMENT_NAME", "text-embedding")
+
+azure_openai_embeddings: AzureOpenAIEmbeddings = AzureOpenAIEmbeddings(
+ model=openai_embeddings_model,
+ azure_deployment=openai_embeddings_deployment,
+)
+```
+
+3. Create embeddings from the data, save to the database and return a connection to your vector store, Cosmos DB for MongoDB (vCore).
+```python
+vector_store: AzureCosmosDBVectorSearch = AzureCosmosDBVectorSearch.from_documents(
+ json_data,
+ azure_openai_embeddings,
+ collection=collection,
+ index_name=index_name,
+)
+```
+
+4. Create the following [HNSW vector Index](./vector-search.md) on the collection (Note the name of the index is same as above).
+```python
+num_lists = 100
+dimensions = 1536
+similarity_algorithm = CosmosDBSimilarityType.COS
+kind = CosmosDBVectorSearchType.VECTOR_HNSW
+m = 16
+ef_construction = 64
+
+vector_store.create_index(
+ num_lists, dimensions, similarity_algorithm, kind, m, ef_construction
+)
+```
+
+### Perform Vector search using Cosmos DB for MongoDB (vCore)
+
+1. Connect to your vector store.
+```python
+vector_store: AzureCosmosDBVectorSearch = AzureCosmosDBVectorSearch.from_connection_string(
+ connection_string=mongo_connection_string,
+ namespace=f"{database_name}.{collection_name}",
+ embedding=azure_openai_embeddings,
+)
+```
+
+2. Define a function that performs semantic similarity search using Cosmos DB Vector Search on a query (note this code snippet is just a test function).
+```python
+query = "beef dishes"
+docs = vector_store.similarity_search(query)
+print(docs[0].page_content)
+```
+
+3. Initialize the Chat Client to implement a RAG function.
+```python
+azure_openai_chat: AzureChatOpenAI = AzureChatOpenAI(
+ model=openai_chat_model,
+ azure_deployment=openai_chat_deployment,
+)
+```
+
+4. Create a RAG function.
+```python
+history_prompt = ChatPromptTemplate.from_messages(
+ [
+ MessagesPlaceholder(variable_name="chat_history"),
+ ("user", "{input}"),
+ (
+ "user",
+ """Given the above conversation,
+ generate a search query to look up to get information relevant to the conversation""",
+ ),
+ ]
+)
+
+context_prompt = ChatPromptTemplate.from_messages(
+ [
+ ("system", "Answer the user's questions based on the below context:\n\n{context}"),
+ MessagesPlaceholder(variable_name="chat_history"),
+ ("user", "{input}"),
+ ]
+)
+```
+
+5. Converts the vector store into a retriever, which can search for relevant documents based on specified parameters.
+```python
+vector_store_retriever = vector_store.as_retriever(
+ search_type=search_type, search_kwargs={"k": limit, "score_threshold": score_threshold}
+)
+```
+
+6. Create a retriever chain that is aware of the conversation history, ensuring contextually relevant document retrieval using the **azure_openai_chat** model and **vector_store_retriever**.
+```python
+retriever_chain = create_history_aware_retriever(azure_openai_chat, vector_store_retriever, history_prompt)
+```
+
+7. Create a chain that combines retrieved documents into a coherent response using the language model (**azure_openai_chat**) and a specified prompt (**context_prompt**).
+```python
+context_chain = create_stuff_documents_chain(llm=azure_openai_chat, prompt=context_prompt)
+```
+
+8. Create a chain that handles the entire retrieval process, integrating the history-aware retriever chain and the document combination chain. This RAG chain can be executed to retrieve and generate contextually accurate responses.
+```python
+rag_chain: Runnable = create_retrieval_chain(
+ retriever=retriever_chain,
+ combine_docs_chain=context_chain,
+)
+```
+
+### Sample outputs
+The screenshot below illustrates the outputs for various questions. A purely semantic-similarity search returns the raw text from the source documents, while the question-answering app using the RAG architecture generates precise and personalized answers by combining retrieved document contents with the language model.
+
+![Rag Comic App](./media/vector/rag-cosmic-screenshot.png)
+
+### Conclusion
+In this tutorial, we explored how to build a question-answering app that interacts with your private data using Cosmos DB as a vector store. By leveraging the retrieval-augmented generation (RAG) architecture with LangChain and Azure OpenAI, we demonstrated how vector stores are essential for LLM applications.
+
+RAG is a significant advancement in AI, particularly in natural language processing, and combining these technologies allows for the creation of powerful AI-driven applications for various use cases.
+
+## Next steps
+
+For a detailed, hands-on experience and to see how RAG can be implemented using Azure Cosmos DB for MongoDB (vCore), LangChain, and OpenAI models, visit our GitHub repository.
+
+> [!div class="nextstepaction"]
+> [Check out RAG sample on GitHub](https://github.com/Azure-Samples/Cosmic-Food-RAG-app)
+
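Review bot: the snippets under Load documents and Perform Vector search use names that are never imported or defined in the article: `os`, `MongoClient`, `AzureCosmosDBVectorSearch`, `CosmosDBSimilarityType`, `CosmosDBVectorSearchType`, `AzureChatOpenAI`, `ChatPromptTemplate`, `MessagesPlaceholder`, `Runnable`, `create_history_aware_retriever`, `create_stuff_documents_chain` and `create_retrieval_chain`, plus the variables `mongo_connection_string`, `json_data`, `openai_chat_model`, `openai_chat_deployment`, `search_type`, `limit` and `score_threshold`; only `AzureOpenAIEmbeddings` gets an import. Add the imports to the first snippet and show where `mongo_connection_string` comes from, reading it from an environment variable like the `AZURE_OPENAI_*` values rather than inline, since it carries the database credential. In step 4 of Load documents, `num_lists` is an IVF parameter that does not apply to `VECTOR_HNSW`; a short remark that only `m` and `ef_construction` matter for the HNSW index would avoid confusion. Finally, `context_prompt` places the retrieved document text inside the system message; a sentence noting that retrieved content is data, not instructions, and should not be trusted to override the system prompt belongs in a tutorial aimed at private data.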
cosmos-db Migrate Hbase To Cosmos Db https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/migrate-hbase-to-cosmos-db.md
HBase offers several server-side programming features. If you're using these fea
**HBase**
-* [Custom filters](https://hbase.apache.org/apidocs/org/apache/hadoop/hbase/filter/Filter.html)
+* [Custom filters](https://hbase.apache.org/apidocs/org/apache/hadoop/hbase/filter/package-summary.html)
Various filters are available as default in HBase, but you can also implement your own custom filters. Custom filters may be implemented if the filters available as default on HBase do not meet your requirements.
cosmos-db Migrate Passwordless https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/migrate-passwordless.md
The following tutorial explains how to migrate an existing application to connec
### Sign-in to Azure locally ### Migrate the app code to use passwordless connections
Once your application is configured to use passwordless connections and runs loc
### Create the managed identity #### Associate the managed identity with your web app
Complete the following steps in the Azure portal to associate an identity with y
# [Azure CLI](#tab/azure-cli-associate)
az cosmosdb sql role assignment create \
--role-definition-id <your-custom-role-id> ``` ### Test the app
cosmos-db Secure Access To Data https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/secure-access-to-data.md
To add Azure Cosmos DB account reader access to your user account, have a subscr
| Assign access to | User, group, or service principal. | | Members | The user, group, or application in your directory to which you want to grant access. |
- ![Screenshot that shows the Add role assignment page in the Azure portal.](../../includes/role-based-access-control/media/add-role-assignment-page.png)
+ ![Screenshot that shows the Add role assignment page in the Azure portal.](~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-page.png)
The entity can now read Azure Cosmos DB resources.
cost-management-billing Ea Transfers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/manage/ea-transfers.md
Previously updated : 03/05/2024 Last updated : 07/15/2024
This section is for informational purposes only. An enterprise administrator doe
Keep the following points in mind when you transfer an enterprise account to a new enrollment: -- Only the accounts specified in the request are transferred. If all accounts are chosen, then they're all transferred.
+- Only the accounts specified in the request are transferred. If all accounts are chosen, then they all get transferred.
- The source enrollment keeps its status as active or extended. You can continue using the enrollment until it expires. - You can't change account ownership during a transfer. After the account transfer is complete, the current account owner can change account ownership in the Azure portal. Keep in mind that an EA administrator can't change account ownership.
Other points to keep in mind before an account transfer:
An enrollment transfer is considered when: -- A current enrollment's Prepayment term ends.
+- A current enrollment's prepayment term ends.
- An enrollment is in expired/extended status and a new agreement is negotiated. - You have multiple enrollments and want to combine all the accounts and billing under a single enrollment.
This section is for informational purposes only. An enterprise administrator doe
When you request to transfer an old enterprise enrollment to a new enrollment, the following actions occur: -- Usage transferred might take up to 72 hours to be reflected in the new enrollment. --- Prices for the new enrolment might take at least 72 hours to be reflected in the Price sheet download and the Azure Pricing calculator. -
+- Usage transferred might take up to 72 hours to be reflected in the new enrollment.
+- Prices for the new enrollment might take at least 72 hours to be reflected in the Price sheet download and the Azure Pricing calculator.
- If department administrator (DA) or account owner (AO) view charges were enabled on the previously transferred enrollment, they must be enabled on the new enrollment. - If you're using API reports or Power BI, see [Migrate from Azure Enterprise Reporting to Microsoft Cost Management APIs overview](../automate/migrate-ea-reporting-arm-apis-overview.md). - All APIs use either the old enrollment or the new one, not both, for reporting purposes. If you need reports from APIs for the old and new enrollments, you must create your own reports.
When you request to transfer an old enterprise enrollment to a new enrollment, t
- The enrollment status is set to `Transferred` for the old enrollment. The old enrollment that was transferred is available for historic usage reporting purposes only. - You can't add roles or subscriptions to the old enrollment that was transferred. `Transferred` status prevents any new usage against the old enrollment. - Any remaining Azure Prepayment balance in the agreement is lost, including future terms.-- If the old enrollment that you're transferring from has any reservation purchases, the historic (past) reservation purchasing fee remains in the old source enrollment. All future purchasing fees transfer to the new enrollment. Additionally, all reservation benefits are transferred across for use in the new enrollment.-- The historic marketplace one-time purchase fee and any monthly fixed fees already incurred on the old enrollment aren't transferred to the new enrollment. Consumption-based marketplace charges are transferred.
+- If the old enrollment that you're transferring from has any reservation purchases, the historic (past) reservation purchasing fee remains in the old source enrollment. All future purchasing fees transfer to the new enrollment. Additionally, all reservation benefits are transferred across for use in the new enrollment.
+- The historic marketplace one-time purchase fee and any monthly fixed fees already incurred on the old enrollment aren't transferred to the new enrollment. Consumption-based marketplace charges are transferred.
### Effective transfer date
Other points to keep in mind before an enrollment transfer:
- If an enrollment transfer doesn't meet your requirements, consider an account transfer. - The source enrollment status is updated to `Transferred` and is available for historic usage reporting purposes only. - There's no downtime during an enrollment transfer.-- Usage might take up to 24 - 48 hours to be reflected in the target enrollment.
+- Usage might take up to 24 - 48 hours to be reflected in the target enrollment.
- Cost view settings for department administrators or account owners don't carry over. - If previously enabled, settings must be enabled for the target enrollment.-- Exports, Views, Budget alert, Scheduled actions - The existing rules at billing scopes (billing account, enrollment account and department scopes) need to be recreated after the enrolment transfer. All rules at management group, subscription and resource group scopes will be transferred to the new enrolment and no further action will be required.
+- Exports, views, budget alerts, and scheduled actions - The existing rules at billing scopes (billing account, enrollment account, and department scopes) need to be recreated after the enrollment transfer. All rules at management group, subscription, and resource group scopes get transferred to the new enrollment and no further action is required.
-- Reservation utilization alert, Cost allocation rules - These features are supported only at billing account scope and hence they need to be recreated after the enrolment transfer. --- Anomaly alerts - This feature is supported at subscription scope and hence will be transferred to the new enrolment requiring no further action.
+- Reservation utilization alert and cost allocation rules - These features are supported only at billing account scope. They need to get recreated after the enrollment transfer.
+- Anomaly alerts - This feature is supported at the subscription scope. They get transferred to the new enrollment requiring no further action.
- If the source and destination enrollments are on different cloud instances, the transfer fails. Support personnel can transfer only within the same cloud instance. Cloud instances are the global Azure cloud and individual national clouds. For more information about national clouds, see [National clouds](../../active-directory/develop/authentication-national-cloud.md). - For reservations (reserved instances):
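Review bot: the rewritten anomaly-alerts bullet (`+- Anomaly alerts - This feature is supported at the subscription scope. They get transferred to the new enrollment requiring no further action.`) pairs a singular subject with a plural pronoun; `It is transferred to the new enrollment and needs no further action.` keeps the meaning and reads correctly. The reservation-utilization bullet just above it has the same register slip in `They need to get recreated after the enrollment transfer.`; `They must be recreated after the enrollment transfer.` matches the wording the export/view bullet already uses (`need to be recreated`).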
Other points to keep in mind before an enrollment transfer:
- When there's is a currency change during or after an enrollment transfer, reservations paid for monthly are canceled for the source enrollment. Cancellation happens at the time of next monthly payment for an individual reservation. This cancellation is intentional and affects only the monthly reservation purchases. - You might have to repurchase the canceled monthly reservations from the source enrollment using the new enrollment in the local or new currency. If you repurchase a reservation, the purchase term (one or three years) is reset. The repurchase doesn't continue under the previous term.-- If there's a backdated enrollment transfer, any savings plan benefit is applicable from the transfer request submission date - not from the effective transfer date.-
+- If there's a backdated enrollment transfer, any reservation or savings plan benefit is applicable from the transfer request submission date - not from the effective transfer date.
### Auto enrollment transfer
data-factory Compute Linked Services https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/compute-linked-services.md
[!INCLUDE[appliesto-adf-asa-md](includes/appliesto-adf-asa-md.md)] This article explains different compute environments that you can use to process or transform data. It also provides details about different configurations (on-demand vs. bring your own) supported when configuring linked services linking these compute environments.
See following articles if you are new to Azure Batch service:
## Machine Learning Studio (classic) linked service You create a Machine Learning Studio (classic) linked service to register a Machine Learning Studio (classic) batch scoring endpoint to a data factory or Synapse workspace.
You create an Azure Function linked service and use it with the [Azure Function
| | | | | type | The type property must be set to: **AzureFunction** | yes | | function app url | URL for the Azure Function App. Format is `https://<accountname>.azurewebsites.net`. This URL is the value under **URL** section when viewing your Function App in the Azure portal | yes |
-| function key | Access key for the Azure Function. Click on the **Manage** section for the respective function, and copy either the **Function Key** or the **Host key**. Find out more here: [Azure Functions HTTP triggers and bindings](../azure-functions/functions-bindings-http-webhook-trigger.md#authorization-keys) | yes |
+| function key | Access key for the Azure Function. Click on the **Manage** section for the respective function, and copy either the **Function Key** or the **Host key**. Find out more here: [Work with access keys](../azure-functions/function-keys-how-to.md) | yes |
| | | | ## Related content
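Review bot: the updated `function key` row still tells the reader to copy `either the **Function Key** or the **Host key**` without saying how the two differ or which one to prefer, so the only thing this change fixes is the link target. Since the row now points at the access-keys article, add a short clause here stating which of the two keys is the narrower, recommended choice for a linked service and that the value is a secret to be stored accordingly; otherwise readers will take whichever key the portal shows first.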
data-factory Concepts Pipelines Activities https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/concepts-pipelines-activities.md
Last updated 03/11/2024
[!INCLUDE[appliesto-adf-asa-md](includes/appliesto-adf-asa-md.md)] This article helps you understand pipelines and activities in Azure Data Factory and Azure Synapse Analytics and use them to construct end-to-end data-driven workflows for your data movement and data processing scenarios.
data-factory Control Flow Azure Function Activity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/control-flow-azure-function-activity.md
Function Key provides secure access to function name with each one having separa
| - | | | | Type | The type property must be set to: **AzureFunction** | Yes | | Function app url | URL for the Azure Function App. Format is `https://<accountname>.azurewebsites.net`. This URL is the value under **URL** section when viewing your Function App in the Azure portal | Yes |
-| Function key | Access key for the Azure Function. Click on the **Manage** section for the respective function, and copy either the **Function Key** or the **Host key**. Find out more here: [Azure Functions HTTP triggers and bindings](../azure-functions/functions-bindings-http-webhook-trigger.md#authorization-keys) | Yes |
+| Function key | Access key for the Azure Function. Click on the **Manage** section for the respective function, and copy either the **Function Key** or the **Host key**. Find out more here: [Work with access keys](../azure-functions/function-keys-how-to.md) | Yes |
| Authentication | The authentication method used for calling the Azure Function. The supported values are 'System-assigned managed identity' or 'anonymous'.| Yes | | Resource ID | The App (client) ID of the Azure Function. Switch to **Authentication** section for the respective function, and get the App (client) ID under **Identity provider**. This property will be displayed when you use system-assigned managed identity. For more information, see [Configure your App Service or Azure Functions app to use Microsoft Entra login](../app-service/configure-authentication-provider-aad.md).| No |
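Review bot: the `Function key` row is marked required (`Yes`) while the `Authentication` row two lines later offers `'System-assigned managed identity'` as a supported value; the table never says whether a key is still needed when managed identity is the chosen method, so clarify the Required column (or the row text) for that case. The `Resource ID` row also describes an `App (client) ID`, which is not an Azure resource ID; rename the row or explain why the client ID is what goes there.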
data-factory Data Factory Service Identity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/data-factory-service-identity.md
To grant permissions, follow these steps. For detailed steps, see [Assign Azure
1. Select **Add** > **Add role assignment**.
- :::image type="content" source="../../includes/role-based-access-control/media/add-role-assignment-menu-generic.png" alt-text="Screenshot that shows Access control (IAM) page with Add role assignment menu open.":::
+ :::image type="content" source="~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-menu-generic.png" alt-text="Screenshot that shows Access control (IAM) page with Add role assignment menu open.":::
1. On the **Members** tab, select **Managed identity**, and then select **Select members**.
data-factory How To Schedule Azure Ssis Integration Runtime https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/how-to-schedule-azure-ssis-integration-runtime.md
If you create a third trigger that's scheduled to run daily at midnight and is a
| Assign access to | User, group, or service principal | | Members | Your Data Factory username |
- :::image type="content" source="../../includes/role-based-access-control/media/add-role-assignment-page.png" alt-text="Screenshot that shows the page for adding a role assignment in the Azure portal.":::
+ :::image type="content" source="~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-page.png" alt-text="Screenshot that shows the page for adding a role assignment in the Azure portal.":::
7. Validate your data factory and all pipeline settings by selecting **Validate all** or **Validate** on the factory or pipeline toolbar. Close **Factory Validation Output** or **Pipeline Validation Output** by selecting the double arrow (**>>**) button.
data-factory Transform Data Using Machine Learning https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/transform-data-using-machine-learning.md
Last updated 05/15/2024
[!INCLUDE[appliesto-adf-asa-md](includes/appliesto-adf-asa-md.md)] > [!NOTE] > Since Machine Learning Studio (classic) resources can no longer be created after 1 Dec, 2021, users are encouraged to use [Azure Machine Learning](https://azure.microsoft.com/services/machine-learning/) with the [Machine Learning Execute Pipeline activity](transform-data-machine-learning-service.md) rather than using the Batch Execution activity to execute Machine Learning Studio (classic) batches.
data-factory Transform Data https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/transform-data.md
Last updated 05/15/2024
[!INCLUDE[appliesto-adf-asa-md](includes/appliesto-adf-asa-md.md)] ## Overview This article explains data transformation activities in Azure Data Factory and Synapse pipelines that you can use to transform and process your raw data into predictions and insights at scale. A transformation activity executes in a computing environment such as Azure Databricks or Azure HDInsight. It provides links to articles with detailed information on each transformation activity.
The HDInsight Spark activity in a pipeline executes Spark programs on your own H
### ML Studio (classic) activities The service enables you to easily create pipelines that use a published ML Studio (classic) web service for predictive analytics. Using the [Batch Execution activity](transform-data-using-machine-learning.md) in a pipeline, you can invoke a Studio (classic) web service to make predictions on the data in batch.
data-factory Update Machine Learning Models https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/update-machine-learning-models.md
Last updated 05/15/2024
[!INCLUDE[appliesto-adf-asa-md](includes/appliesto-adf-asa-md.md)] > [!NOTE] > Since Machine Learning Studio (classic) resources can no longer be created after 1 Dec, 2021, users are encouraged to use [Azure Machine Learning](https://azure.microsoft.com/services/machine-learning/) with the [Machine Learning Execute Pipeline activity](transform-data-machine-learning-service.md) rather than using the Update Resource activity to update Machine Learning Studio (classic) models.
data-share Concepts Roles Permissions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-share/concepts-roles-permissions.md
To create a role assignment for the data share resource's managed identity manua
1. Select **Add > Add role assignment**.
- :::image type="content" source="../../includes/role-based-access-control/media/add-role-assignment-menu-generic.png" alt-text="Screenshot that shows Access control (IAM) page with Add role assignment menu open.":::
+ :::image type="content" source="~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-menu-generic.png" alt-text="Screenshot that shows Access control (IAM) page with Add role assignment menu open.":::
1. On the **Role** tab, select one of the roles listed in the role assignment table in the previous section.
Alternatively, user can have owner of the storage account add the data share res
1. Select **Add > Add role assignment**.
- :::image type="content" source="../../includes/role-based-access-control/media/add-role-assignment-menu-generic.png" alt-text="Screenshot that shows Access control (IAM) page with Add role assignment menu open.":::
+ :::image type="content" source="~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-menu-generic.png" alt-text="Screenshot that shows Access control (IAM) page with Add role assignment menu open.":::
1. On the **Role** tab, select one of the roles listed in the role assignment table in the previous section. For example, for a storage account, select Storage Blob Data Reader.
databox Data Box Deploy Picked Up https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/databox/data-box-deploy-picked-up.md
Previously updated : 01/23/2023 Last updated : 07/16/2024 zone_pivot_groups: data-box-shipping
databox Data Box Disk Deploy Picked Up https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/databox/data-box-disk-deploy-picked-up.md
Previously updated : 01/23/2023 Last updated : 07/17/2024 zone_pivot_groups: data-box-shipping
If using Microsoft managed shipping, follow these steps.
### US & Canada
+Microsoft uses two shipping partners to return Data Box Disk devices to Azure Data Centers. Canada and US Government orders are returned by UPS; United States public cloud orders are serviced by FedEx.
+
+#### [United States - FedEx](#tab/fedex)
+
+Take the following steps if you are a US Public Cloud customer returning a Data Box Disk device in the US or Canada.
+
+1. Use the return shipping label that has the clear plastic sleeve affixed to the box. If the label is damaged or lost:
+ - Go to **Overview > Download shipping label** and download a return ship label.
+ - Affix the label on the device.
+1. Seal the shipping box and ensure that the return shipping label is visible.
+1. Schedule a pickup with FedEx. To schedule a pickup:
+ - Call the local FedEx number: 800-Go-FedEx.
+ - Provide the reverse shipment tracking number as shown on your printed label.
+ - Contact [Azure Data Box Operations](mailto:adbops@microsoft.com) if you encounter any issues while scheduling a pickup.
+
+You can also drop your Data Box Disk at your nearest FedEx drop-off location.
+
+#### [US Government and Canada - UPS](#tab/ups)
+ Take the following steps if returning the device in US or Canada. 1. Use the return shipping label that has the clear plastic sleeve affixed to the box. If the label is damaged or lost:
Take the following steps if returning the device in US or Canada.
- If the tracking number isn't quoted, UPS will require you to pay an additional charge during pickup. - Instead of scheduling the pickup, you can also drop off the Data Box Disk at the nearest drop-off location.
+
+ ::: zone-end ::: zone pivot="europe"
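Review bot: the FedEx tab intro at `+Take the following steps if you are a US Public Cloud customer returning a Data Box Disk device in the US or Canada.` contradicts the new paragraph above it, which states that Canada and US Government orders return via UPS and only United States public cloud orders use FedEx; drop `or Canada` from the FedEx tab. The UPS tab body (`Take the following steps if returning the device in US or Canada.`) likewise never mentions US Government, so the two tabs are distinguished only by their headings; mirror the heading wording in the first sentence of each tab so a reader who lands on the wrong one notices.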
ddos-protection Alerts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/alerts.md
Title: 'Configure Azure DDoS Protection metric alerts through portal'
+ Title: 'Tutorial: Configure Azure DDoS Protection metric alerts through portal'
description: Learn how to configure DDoS protection metric alerts for Azure DDoS Protection. Previously updated : 08/07/2023 Last updated : 07/17/2024
-# Configure Azure DDoS Protection metric alerts through portal
-DDoS Protection metrics alerts are an important step in alerting your team through Azure portal, email, SMS message, push, or voice notification when an attack is detected.
+# Tutorial: Configure Azure DDoS Protection metric alerts through portal
In this tutorial, you learn how to: > [!div class="checklist"] > * Configure metrics alerts through Azure Monitor.
+DDoS Protection metrics alerts are an important step in alerting your team through Azure portal, email, SMS message, push, or voice notification when an attack is detected.
## Prerequisites - An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). - [DDoS Network Protection](manage-ddos-protection.md) must be enabled on a virtual network or [DDoS IP Protection](manage-ddos-protection-powershell-ip.md) must be enabled on a public IP address. -- DDoS Protection monitors public IP addresses assigned to resources within a virtual network. If you don't have any resources with public IP addresses in the virtual network, you must first create a resource with a public IP address. You can monitor the public IP address of all resources deployed through Resource Manager (not classic) listed in [Virtual network for Azure services](../virtual-network/virtual-network-for-azure-services.md#services-that-can-be-deployed-into-a-virtual-network) (including Azure Load Balancers where the backend virtual machines are in the virtual network), except for Azure App Service Environments. To continue with this How-To guide, you can quickly create a [Windows](../virtual-machines/windows/quick-create-portal.md?toc=%2fazure%2fvirtual-network%2ftoc.json) or [Linux](../virtual-machines/linux/quick-create-portal.md?toc=%2fazure%2fvirtual-network%2ftoc.json) virtual machine.  
+- DDoS Protection monitors public IP addresses assigned to resources within a virtual network. If you don't have any resources with public IP addresses in the virtual network, you must first create a resource with a public IP address.  
## Configure metric alerts through portal
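Review bot: the shortened prerequisite at `+- DDoS Protection monitors public IP addresses assigned to resources within a virtual network. ...` drops the removed sentence's statement of which resources can be monitored (Resource Manager deployments listed in the virtual-network-for-Azure-services article, Azure App Service Environments excluded) along with the VM quick-create links. If that scope limitation still applies, keep at least the pointer to the supported-services list; without it a reader with only a classic deployment or an App Service Environment will not learn why no metrics appear.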
You can select any of the available Azure DDoS Protection metrics to alert you w
1. Select **+ Create** on the navigation bar, then select **Alert rule**.
- :::image type="content" source="./media/ddos-alerts/ddos-protection-alert-page.png" alt-text="Screenshot of creating Alerts." lightbox="./media/ddos-alerts/ddos-protection-alert-page.png":::
+ :::image type="content" source="./media/ddos-alerts/ddos-protection-alert-page.png" alt-text="Screenshot of DDoS Protection creating Alerts." lightbox="./media/ddos-alerts/ddos-protection-alert-page.png":::
1. On the **Create an alert rule** page, select **+ Select scope**, then select the following information in the **Select a resource** page.
You can select any of the available Azure DDoS Protection metrics to alert you w
|Resource | Select the specific **Public IP address** you want to log metrics for. | 1. Select **Done**, then select **Next: Condition**.
-1. On the **Condition** page, select **+ Add Condition**, then in the *Search by signal name* search box, search and select **Under DDoS attack or not**.
+1. On the **Condition** page, select **+ Add Condition**, then in the *Search by signal name* search box, search, and select **Under DDoS attack or not**.
:::image type="content" source="./media/ddos-alerts/ddos-protection-alert-add-condition.png" alt-text="Screenshot of adding DDoS Protection attack alert condition." lightbox="./media/ddos-alerts/ddos-protection-alert-add-condition.png":::
-1. In the **Create an alert rule** page, enter or select the following information.
- :::image type="content" source="./media/ddos-alerts/ddos-protection-alert-signal.png" alt-text="Screenshot of adding DDoS Protection attack alert signal." lightbox="./media/ddos-alerts/ddos-protection-alert-signal.png":::
+1. In the **Create an alert rule** page, select the following information.
+
+ :::image type="content" source="./media/ddos-alerts/ddos-protection-alert-signal.png" alt-text="Screenshot of adding DDoS Protection attack alert signal." lightbox="./media/ddos-alerts/ddos-protection-alert-signal.png":::
| Setting | Value | |--|--|
- | Threshold | Leave as default. |
- | Aggregation type | Leave as default. |
+ | Threshold | Leave as the default *Static*. |
+ | Aggregation type | Leave as default *Maximum*. |
| Operator | Select **Greater than or equal to**. |
- | Unit | Leave as default. |
+ | Unit | Leave as default *Count*. |
| Threshold value | Enter **1**. For the *Under DDoS attack or not metric*, **0** means you're not under attack while **1** means you are under attack. |-
+ | Check every | Choose how often the alert rule will check if the condition is met. Leave as default *1 minute*. |
+ | Lookback period | This is the lookback period, or the time period to look back at each time the data is checked. For example, every 1 minute youΓÇÖll be looking at the past 5 minutes. Leave as default *5 minutes*. |
1. Select **Next: Actions** then select **+ Create action group**.
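Review bot: the new `Lookback period` row carries a mis-encoded apostrophe (`youΓÇÖll`); replace it with a plain `you'll` before merge so it does not render as garbage in the table. The default-value rows also disagree on wording (`Leave as the default *Static*` versus `Leave as default *Maximum*` and `Leave as default *Count*`); pick one form for all three.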
You can select any of the available Azure DDoS Protection metrics to alert you w
### Create action group 1. In the **Create action group** page, enter the following information, then select **Next: Notifications**.+
+ :::image type="content" source="./media/ddos-alerts/ddos-protection-alert-action-group-basics.png" alt-text="Screenshot of adding DDoS Protection attack alert action group basics." lightbox="./media/ddos-alerts/ddos-protection-alert-action-group-basics.png":::
| Setting | Value | |--|--| | Subscription | Select your Azure subscription that contains the public IP address you want to log. | | Resource Group | Select your Resource group. |
- | Region | Leave as default. |
- | Action Group | Enter **myDDoSAlertsActionGroup**. |
- | Display name | Enter **myDDoSAlerts**. |
+ | Region | Choose these locations for the broadest set of Azure products and long-term capacity growth. |
+ | Action Group | Provide an action group name that is unique within the resource group. For this example, enter **myDDoSAlertsActionGroup**. |
+ | Display name | This display name will be shown as the action group name in email and SMS notifications. For this example, enter **myDDoSAlerts**. |
-1. On the *Notifications* tab, under *Notification type*, select **Email/SMS message/Push/Voice**. Under *Name*, enter **myUnderAttackEmailAlert**.
+1. On the *Notifications* tab, under *Notification type*, select the notification type you wish to use. For this example, we select **Email/SMS message/Push/Voice**. In the *Name* tab, enter **myUnderAttackEmailAlert**.
:::image type="content" source="./media/ddos-alerts/ddos-protection-alert-action-group-notification.png" alt-text="Screenshot of adding DDoS Protection attack alert notification type." lightbox="./media/ddos-alerts/ddos-protection-alert-action-group-notification.png"::: - 1. On the *Email/SMS message/Push/Voice* page, select the **Email** check box, then enter the required email. Select **OK**. :::image type="content" source="./media/ddos-alerts/ddos-protection-alert-notification.png" alt-text="Screenshot of adding DDoS Protection attack alert notification page." lightbox="./media/ddos-alerts/ddos-protection-alert-notification.png"::: 1. Select **Review + create** and then select **Create**.+
+> [!NOTE]
+> Review the [Action groups](../azure-monitor/alerts/action-groups.md) documentation for more information on creating action groups.
+ ### Continue configuring alerts through portal 1. Select **Next: Details**.
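Review bot: the replaced `Region` row (`Choose these locations for the broadest set of Azure products and long-term capacity growth.`) is portal tooltip text and no longer tells the reader what to select; the removed `Leave as default.` was actionable, so keep a concrete instruction for the tutorial path. In the notifications step, `In the *Name* tab, enter **myUnderAttackEmailAlert**` refers to a field as a tab; the removed line's `Under *Name*, enter ...` was the correct description.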
You can select any of the available Azure DDoS Protection metrics to alert you w
Within a few minutes of attack detection, you should receive an email from Azure Monitor metrics that looks similar to the following picture: You can also learn more about [configuring webhooks](../azure-monitor/alerts/alerts-webhooks.md?toc=%2fazure%2fvirtual-network%2ftoc.json) and [logic apps](../logic-apps/logic-apps-overview.md?toc=%2fazure%2fvirtual-network%2ftoc.json) for creating alerts.
You can keep your resources for the next tutorial. If no longer needed, delete t
1. In the search box at the top of the portal, enter **Alerts**. Select **Alerts** in the search results.
- :::image type="content" source="./media/ddos-alerts/ddos-protection-alert-rule.png" alt-text="Screenshot of Alerts page." lightbox="./media/ddos-alerts/ddos-protection-alert-rule.png":::
+ :::image type="content" source="./media/ddos-alerts/ddos-protection-alert-rule.png" alt-text="Screenshot of Alerts page within Azure for DDoS Protection." lightbox="./media/ddos-alerts/ddos-protection-alert-rule.png":::
1. Select **Alert rules**.
- :::image type="content" source="./media/ddos-alerts/ddos-protection-delete-alert-rules.png" alt-text="Screenshot of Alert rules page." lightbox="./media/ddos-alerts/ddos-protection-delete-alert-rules.png":::
+ :::image type="content" source="./media/ddos-alerts/ddos-protection-delete-alert-rules.png" alt-text="Screenshot of Alert rules page within Azure for DDoS Protection." lightbox="./media/ddos-alerts/ddos-protection-delete-alert-rules.png":::
1. In the Alert rules page, select your subscription.+ 1. Select the alerts created in this tutorial, then select **Delete**. + ## Next steps In this tutorial you learned how to configure metric alerts through Azure portal.
ddos-protection Ddos Configure Log Analytics Workspace https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/ddos-configure-log-analytics-workspace.md
Title: 'Configure Azure DDoS Protection Log Analytics workspace'
+ Title: 'Tutorial: Configure Azure DDoS Protection Log Analytics workspace'
description: Learn how to configure Log Analytics workspace for Azure DDoS Protection. Previously updated : 08/07/2023 Last updated : 07/17/2024
-# Configure Azure DDoS Protection Log Analytics workspace
-
-In order to use diagnostic logging, you'll first need a Log Analytics workspace with diagnostic settings enabled.
+# Tutorial: Configure Azure DDoS Protection Log Analytics workspace
In this tutorial, you learn how to: > [!div class="checklist"] > * Configure a Log Analytics workspace for DDoS Protection.
+In order to use diagnostic logging, you'll first need a Log Analytics workspace with diagnostic settings enabled.
+ ## Prerequisites - If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.
In this tutorial, you learn how to:
:::image type="content" source="./media/ddos-log-analytics-workspace/ddos-protection-log-analytics-workspace-settings.png" alt-text="Screenshot of locating log analytics workspace diagnostic setting."::: 1. On the *Diagnostic setting* page, under *Destination details*, select **Send to Log Analytics workspace**, then enter the following information.+
+ :::image type="content" source="./media/ddos-log-analytics-workspace/ddos-protection-diagnostic-settings.png" alt-text="Screenshot of log analytics workspace diagnostic setting.":::
| Setting | Value | |--|--|
ddos-protection Ddos Diagnostic Alert Templates https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/ddos-diagnostic-alert-templates.md
Title: 'Configure Azure DDoS Protection diagnostic logging alerts'
+ Title: 'Tutorial: Configure Azure DDoS Protection diagnostic logging alerts'
description: Learn how to configure DDoS protection diagnostic alerts for Azure DDoS Protection. Previously updated : 08/07/2023 Last updated : 07/17/2024
-# Configure Azure DDoS Protection diagnostic logging alerts
-
-DDoS Protection diagnostic logging alerts provide visibility into DDoS attacks and mitigation actions. You can configure alerts for all DDoS protected public IP addresses that you have enabled diagnostic logging on.
+# Tutorial: Configure Azure DDoS Protection diagnostic logging alerts
In this tutorial, you learn how to: > [!div class="checklist"] > * Configure diagnostic logging alerts through Azure Monitor and Logic App.+
+DDoS Protection diagnostic logging alerts provide visibility into DDoS attacks and mitigation actions. You can configure alerts for all DDoS protected public IP addresses that you have enabled diagnostic logging on.
+ ## Prerequisites - If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin. - [DDoS Network Protection](manage-ddos-protection.md) must be enabled on a virtual network or [DDoS IP Protection](manage-ddos-protection-powershell-ip.md) must be enabled on a public IP address. - In order to use diagnostic logging, you must first create a [Log Analytics workspace with diagnostic settings enabled](ddos-configure-log-analytics-workspace.md). -- DDoS Protection monitors public IP addresses assigned to resources within a virtual network. If you don't have any resources with public IP addresses in the virtual network, you must first create a resource with a public IP address. You can monitor the public IP address of all resources deployed through Resource Manager (not classic) listed in [Virtual network for Azure services](../virtual-network/virtual-network-for-azure-services.md#services-that-can-be-deployed-into-a-virtual-network) (including Azure Load Balancers where the backend virtual machines are in the virtual network), except for Azure App Service Environments. To continue with this guide, you can quickly create a [Windows](../virtual-machines/windows/quick-create-portal.md?toc=%2fazure%2fvirtual-network%2ftoc.json) or [Linux](../virtual-machines/linux/quick-create-portal.md?toc=%2fazure%2fvirtual-network%2ftoc.json) virtual machine.
+- DDoS Protection monitors public IP addresses assigned to resources within a virtual network. If you don't have any resources with public IP addresses in the virtual network, you must first create a resource with a public IP address.
## Configure diagnostic logging alerts through Azure Monitor
-With these templates, you'll be able to configure alerts for all public IP addresses that you have enabled diagnostic logging on.
+With these templates, you are able to configure alerts for all public IP addresses that you have enabled diagnostic logging on.
### Create Azure Monitor alert rule
-The Azure Monitor alert rule template will run a query against the diagnostic logs to detect when an active DDoS mitigation is occurring. The alert indicates a potential attack. Action groups can be used to invoke actions as a result of the alert.
+The Azure Monitor alert rule template runs a query against the diagnostic logs to detect when an active DDoS mitigation is occurring. The alert indicates a potential attack. Action groups can be used to invoke actions as a result of the alert.
#### Deploy the template
The Azure Monitor alert rule template will run a query against the diagnostic lo
| Subscription | Select your Azure subscription. | | Resource Group | Select your Resource group. | | Region | Select your Region. |
- | Workspace Name | Enter your workspace name. In this example the *Workspace name* is **myLogAnalyticsWorkspace**. |
+ | Workspace Name | Enter your workspace name. In this example, the *Workspace name* is **myLogAnalyticsWorkspace**. |
| Location | Enter **East US**. | > [!NOTE]
This DDoS Mitigation Alert Enrichment template deploys the necessary components
| Alert Name | Leave as default. | | Security Team Email | Enter the required email address. | | Company Domain | Enter the required domain. |
- | Workspace Name | Enter your workspace name. In this example the *Workspace name* is **myLogAnalyticsWorkspace**. |
+ | Workspace Name | Enter your workspace name. In this example, the *Workspace name* is **myLogAnalyticsWorkspace**. |
1. Select **Review + create** and then select **Create** after validation passes.
ddos-protection Ddos Pricing Guide https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/ddos-pricing-guide.md
Previously updated : 07/19/2023 Last updated : 07/17/2024
Azure DDoS Protection has two tiers: Network Protection and IP Protection. The Network Protection tier is available for resources deployed in virtual networks that are enabled for DDoS Protection. The IP Protection tier is available for public IP addresses that are enabled for DDoS Protection. We recommend a cost analysis to understand the pricing differences between the tiers. In this article, we show you how to evaluate cost for your environment. -- ## Cost assessment Network Protection cost begins once the DDoS protection plan is created. IP Protection cost begins once the Public IP address is configured with IP Protection, and its associated virtual network isn't protected by a DDoS protection plan. For more information, see [Azure DDoS Protection Pricing](https://azure.microsoft.com/pricing/details/ddos-protection/). When IP Protection is enabled for a public IP resource and a DDoS protection plan is created and enabled on its virtual network, customers are billed for the lower *per Public IP resource* rate. In this case, we'll automatically start billing for Network Protection. + ## Example scenarios For this section we use the following pricing information:
In this example, we compare the cost of Network Protection and IP Protection for
#### Network Protection
-Let's assume you have only one subscription in your tenant. If you create a Network Protection plan, the plan includes protection for 100 IP address. That subscription is billed for $2944 USD per month (29.5 USD x 100 resources). To learn more about different scenarios within DDoS Network Protection, see [Pricing examples](https://azure.microsoft.com/pricing/details/ddos-protection/#pricing).
+Let's assume you have only one subscription in your tenant. If you create a Network Protection plan, the plan includes protection for 100 IP address. That subscription is billed for $2,944 USD per month (29.5 USD x 100 resources). To learn more about different scenarios within DDoS Network Protection, see [Pricing examples](https://azure.microsoft.com/pricing/details/ddos-protection/#pricing).
#### IP Protection
-Let's take this same scenario and assume you have 10 Public IP addresses. If you enable IP Protection for each Public IP address, you're billed for $1990 USD per month (199 USD x 10 resources).
+Let's take this same scenario and assume you have 10 Public IP addresses. If you enable IP Protection for each Public IP address, you're billed for $1,990 USD per month (199 USD x 10 resources).
Under this scenario, it's more cost effective to enable IP Protection for each Public IP address. For environments with more than 15 Public IP addresses, it's more cost effective to create a Network Protection plan. To calculate your unique pricing scenarios, see the [pricing calculator](https://azure.microsoft.com/pricing/calculator/?service=ddos-protection).
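Review bot: the arithmetic in the Network Protection example does not produce the stated figure: 29.5 USD x 100 resources is 2,950 USD, not 2,944 USD. The plan is priced as a fixed monthly amount that covers 100 resources, with a separate per-resource overage rate, so drop the multiplication and describe it that way. The break-even sentence is also off by one: at 199 USD per IP, 15 IPs cost 2,985 USD, which already exceeds the 2,944 USD plan, so Network Protection is cheaper at 15 or more public IPs, not "more than 15". Minor: "protection for 100 IP address" should be "IP addresses".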
ddos-protection Ddos Protection Features https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/ddos-protection-features.md
Previously updated : 11/06/2023 Last updated : 07/17/2024 # Azure DDoS Protection features
Azure DDoS Protection monitors actual traffic utilization and constantly compare
During mitigation, traffic sent to the protected resource is redirected by the DDoS protection service and several checks are performed, such as: -- Ensure packets conform to internet specifications and are not malformed.
+- Ensure packets conform to internet specifications and aren't malformed.
- Interact with the client to determine if the traffic is potentially a spoofed packet (e.g: SYN Auth or SYN Cookie or by dropping a packet for the source to retransmit it). - Rate-limit packets, if no other enforcement method can be performed.
-Azure DDoS Protection drops attack traffic and forwards the remaining traffic to its intended destination. Within a few minutes of attack detection, you are notified using Azure Monitor metrics. By configuring logging on DDoS Protection telemetry, you can write the logs to available options for future analysis. Metric data in Azure Monitor for DDoS Protection is retained for 30 days.
+Azure DDoS Protection drops attack traffic and forwards the remaining traffic to its intended destination. Within a few minutes of attack detection, you're notified using Azure Monitor metrics. By configuring logging on DDoS Protection telemetry, you can write the logs to available options for future analysis. Metric data in Azure Monitor for DDoS Protection is retained for 30 days.
## Adaptive real time tuning
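Review bot: the retention sentence at the end of the hunk leaves the operational consequence implicit. Azure Monitor metrics for DDoS Protection are kept for 30 days, so a diagnostic setting that forwards the DDoSProtectionNotifications, DDoSMitigationFlowLogs and DDoSMitigationReports categories to a Log Analytics workspace, storage account or event hub has to exist before an attack if post-incident analysis is expected; say so here and link the diagnostic logging tutorial. Also, "e.g:" in the spoofing bullet should be "for example," to match the style used elsewhere in the article.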
ddos-protection Ddos Protection Reference Architectures https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/ddos-protection-reference-architectures.md
Previously updated : 03/27/2024 Last updated : 07/17/2024
ddos-protection Ddos Protection Sku Comparison https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/ddos-protection-sku-comparison.md
Previously updated : 03/27/2024 Last updated : 07/17/2024
The following table shows features and corresponding tiers.
| WAF discount | Not available | Yes | | Price | Per protected IP | Per 100 protected IP addresses |
->[!Note]
->At no additional cost, Azure DDoS infrastructure protection protects every Azure service that uses public IPv4 and IPv6 addresses. This DDoS protection service helps to protect all Azure services, including platform as a service (PaaS) services such as Azure DNS. For more information on supported PaaS services, see [DDoS Protection reference architectures](ddos-protection-reference-architectures.md). Azure DDoS infrastructure protection requires no user configuration or application changes. Azure provides continuous protection against DDoS attacks. DDoS protection does not store customer data.
+> [!NOTE]
+> At no additional cost, Azure DDoS infrastructure protection protects every Azure service that uses public IPv4 and IPv6 addresses. This DDoS protection service helps to protect all Azure services, including platform as a service (PaaS) services such as Azure DNS. For more information on supported PaaS services, see [DDoS Protection reference architectures](ddos-protection-reference-architectures.md). Azure DDoS infrastructure protection requires no user configuration or application changes. Azure provides continuous protection against DDoS attacks. DDoS protection does not store customer data.
## Limitations DDoS Network Protection and DDoS IP Protection have the following limitations: -- PaaS services (multi-tenant), which includes Azure App Service Environment for Power Apps, Azure API Management in deployment modes other than APIM with virtual network integration (For more information see https://techcommunity.microsoft.com/t5/azure-network-security-blog/azure-ddos-standard-protection-now-supports-apim-in-vnet/ba-p/3641671), and Azure Virtual WAN aren't currently supported.
+- PaaS services (multi-tenant), which includes Azure App Service Environment for Power Apps, Azure API Management in deployment modes other than APIM with virtual network integration (For more information, see https://techcommunity.microsoft.com/t5/azure-network-security-blog/azure-ddos-standard-protection-now-supports-apim-in-vnet/ba-p/3641671), and Azure Virtual WAN aren't currently supported.
- Protecting a public IP resource attached to a NAT Gateway isn't supported. - Virtual machines in Classic/RDFE deployments aren't supported. - VPN gateway or Virtual network gateway is protected by a DDoS policy. Adaptive tuning isn't supported at this stage.
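Review bot: the first limitation bullet is hard to parse because three unrelated exclusions (multi-tenant PaaS, API Management without virtual network integration, Virtual WAN) are packed into one sentence with a bare techcommunity URL in the middle. Split it into one bullet per exclusion and turn the URL into a link with descriptive text. The gateway bullet that ends the hunk reads like a limitation but states the opposite ("is protected by a DDoS policy"); rephrase so the actual limitation is explicit, that VPN and virtual network gateways receive a fixed mitigation policy but adaptive tuning is not applied to them.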
DDoS IP Protection is similar to Network Protection, but has the following addit
- Public IP Basic tier protection isn't supported.
->[!Note]
->Scenarios in which a single VM is running behind a public IP is supported, but not recommended. For more information, see [Fundamental best practices](./fundamental-best-practices.md#design-for-scalability).
+> [!NOTE]
+> Scenarios in which a single VM is running behind a public IP is supported, but not recommended. For more information, see [Fundamental best practices](./fundamental-best-practices.md#design-for-scalability).
For more information, see [Azure DDoS Protection reference architectures](./ddos-protection-reference-architectures.md).
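Review bot: grammar in the moved note: "Scenarios in which a single VM is running behind a public IP is supported" should be "are supported". It would also help to give the reason in one clause (a single instance has no headroom to absorb traffic that still reaches it during mitigation, which is why the scalability guidance is linked) rather than only linking out.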
ddos-protection Ddos Rapid Response https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/ddos-rapid-response.md
Previously updated : 11/06/2023 Last updated : 07/17/2024 # Azure DDoS Rapid Response
ddos-protection Ddos Response Strategy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/ddos-response-strategy.md
Previously updated : 06/01/2023 Last updated : 07/17/2024
Azure DDoS Protection identifies and mitigates DDoS attacks without any user int
### When to contact Microsoft support
-Azure DDoS Network Protection customers have access to the DDoS Rapid Response (DRR) team, who can help with attack investigation during an attack as well as post-attack analysis. For more details, including when you should engage the DRR team, see [DDoS Rapid Response](ddos-rapid-response.md). Azure DDoS IP Protection customers should create a request to connect with Microsoft support. To learn more, see [Create a support request](../azure-portal/supportability/how-to-create-azure-support-request.md).
+Azure DDoS Network Protection customers have access to the DDoS Rapid Response (DRR) team, who can help with attack investigation during an attack and post-attack analysis. For more information, including when you should engage the DRR team, see [DDoS Rapid Response](ddos-rapid-response.md). Azure DDoS IP Protection customers should create a request to connect with Microsoft support. To learn more, see [Create a support request](../azure-portal/supportability/how-to-create-azure-support-request.md).
## Post-attack steps
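Review bot: the IP Protection branch of this paragraph tells the reader to open a support request but not what to put in it. Since the section is about attack investigation, list the minimum: the public IP resource ID, the MitigationStarted time from the DDoSProtectionNotifications log and, if diagnostic logging is enabled, that mitigation reports and flow logs are available in the workspace. That saves a round trip with support during an active attack.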
ddos-protection Ddos Switch Ddos Protection Tier https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/ddos-switch-ddos-protection-tier.md
Previously updated : 06/21/2023 Last updated : 07/17/2024
In this guide, we walk through the steps to switch between Network Protection and IP Protection tiers using Azure portal. This guide follows the *Application running on load-balanced virtual machines* architecture. To learn more about the different architectures, see [Azure DDoS Protection reference architectures](./ddos-protection-reference-architectures.md#application-running-on-load-balanced-virtual-machines). - ## Prerequisites - An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
The DDoS protection plan must be disassociated from the protected resources befo
>To maintain DDoS Protection during migration, ensure IP protection is enabled on all public IPs protected by Network Protection. 1. In the search box at the top of the portal, enter **DDoS protection plans**. Select your DDoS protection plan.
-1. In the **Settings** page, select the **Protected Resources** tab, then select the **Dissociate** icon next to the virtual network that contains the resources you are protecting. When prompted, select **Yes** to confirm.
+1. In the **Settings** page, select the **Protected Resources** tab, then select the **Dissociate** icon next to the virtual network that contains the resources you're protecting. When prompted, select **Yes** to confirm.
:::image type="content" source="./media/ddos-switch-ddos-protection/ddos-remove-protected-resources.png" alt-text="Screenshot of removing protected resources to DDoS protection plan.":::
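Review bot: the step order in this hunk creates a protection gap. The note at the top says to enable IP Protection on every public IP before migrating, but the only numbered steps shown are "select your DDoS protection plan" and "Dissociate", so a reader following the numbers removes Network Protection first. Make enabling IP Protection on each public IP an explicit numbered step before the Dissociate step, and mention that having both enabled temporarily does not double-bill, since the pricing guide states the IP is charged at the Network Protection per-resource rate while both apply.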
ddos-protection Ddos View Alerts Defender For Cloud https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/ddos-view-alerts-defender-for-cloud.md
Title: 'View Azure DDoS Protection alerts in Microsoft Defender for Cloud'
+ Title: 'Tutorial: View Azure DDoS Protection alerts in Microsoft Defender for Cloud'
description: Learn how to view DDoS protection alerts in Microsoft Defender for Cloud. Previously updated : 08/08/2023 Last updated : 07/17/2024
-# View Azure DDoS Protection alerts in Microsoft Defender for Cloud
-
-Microsoft Defender for Cloud provides a list of [security alerts](../security-center/security-center-managing-and-responding-alerts.md), with information to help investigate and remediate problems. With this feature, you get a unified view of alerts - including DDoS attack-related alerts - and the actions to take to mitigate the attack.
+# Tutorial: View Azure DDoS Protection alerts in Microsoft Defender for Cloud
In this tutorial, you learn how to: > [!div class="checklist"] > * View Azure DDoS Protection alerts in Microsoft Defender for Cloud.
+Microsoft Defender for Cloud provides a list of [security alerts](../security-center/security-center-managing-and-responding-alerts.md), with information to help investigate and remediate problems. With this feature, you get a unified view of alerts - including DDoS attack-related alerts - and the actions to take to mitigate the attack.
+ There are two specific alerts that you'll see for any DDoS attack detection and mitigation: - **DDoS Attack detected for Public IP**: This alert is generated when the DDoS protection service detects that one of your public IP addresses is the target of a DDoS attack.
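Review bot: the alerts link at the start of the moved paragraph points into `../security-center/`, the pre-rename folder, while the article is now titled for Microsoft Defender for Cloud; check that the target still resolves and point it at the Defender for Cloud alerts article so the rename does not leave a redirect inside a tutorial. Since the title changed to "Tutorial:", the intro paragraph moved below the checklist should also state the prerequisite that the public IP is covered by Network Protection or IP Protection, otherwise no DDoS alert will appear in Defender for Cloud.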
To view the alerts, open **Defender for Cloud** in the Azure portal and select *
:::image type="content" source="./media/ddos-view-alerts-defender-for-cloud/ddos-alert-asc.png" alt-text="Screenshot of DDoS Alert in Microsoft Defender for Cloud." lightbox="./media/ddos-view-alerts-defender-for-cloud/ddos-alert-asc.png"::: -- ## Prerequisites - An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
ddos-protection Ddos View Diagnostic Logs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/ddos-view-diagnostic-logs.md
Title: 'View Azure DDoS Protection logs in Log Analytics workspace'
+ Title: 'Tutorial: View Azure DDoS Protection logs in Log Analytics workspace'
description: Learn how to view DDoS protection diagnostic logs in Log Analytics workspace. Previously updated : 08/08/2023 Last updated : 07/17/2024
-# View Azure DDoS Protection logs in Log Analytics workspace
-
-DDoS Protection diagnostic logs provide you with the ability to view DDoS Protection notifications, mitigation reports and mitigation flow logs after a DDoS attack. You can view these logs in your Log Analytics workspace.
-
+# Tutorial: View Azure DDoS Protection logs in Log Analytics workspace
In this tutorial, you learn how to: > [!div class="checklist"] > * view Azure DDoS Protection diagnostic logs including notifications, mitigation reports and mitigation flow logs.
+DDoS Protection diagnostic logs provide you with the ability to view DDoS Protection notifications, mitigation reports and mitigation flow logs after a DDoS attack. You can view these logs in your Log Analytics workspace.
+
+Attack mitigation reports use the Netflow protocol data, which is aggregated to provide detailed information about the attack on your resource. Anytime a public IP resource is under attack, the report generation starts as soon as the mitigation starts. There will be an incremental report generated every 5 mins and a post-mitigation report for the whole mitigation period. This is to ensure that in an event the DDoS attack continues for a longer duration of time, you'll be able to view the most current snapshot of mitigation report every 5 minutes and a complete summary once the attack mitigation is over.
+ ## Prerequisites - An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
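Review bot: the mitigation-report paragraph moved into the intro mixes "5 mins" and "5 minutes" in adjacent sentences; use "5 minutes" in both. "In an event the DDoS attack continues for a longer duration of time" can be shortened to "if an attack lasts a long time". Also, the checklist bullet above starts lowercase ("view Azure DDoS Protection diagnostic logs"); capitalize it to match the other tutorials.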
In this tutorial, you learn how to:
1. Sign in to the [Azure portal](https://portal.azure.com/). 1. In the search box at the top of the portal, enter **Log Analytics workspace**. Select **Log Analytics workspace** in the search results. 1. Under the **Log Analytics workspaces** blade, select your workspace.
-1. On the left-side tab, select **Logs**. Here you'll see the query explorer. Exit out the *Queries* pane to utilize the *Logs* page.
+1. On the left-side tab, select **Logs**. Here you see the query explorer. Exit out the *Queries* pane to utilize the *Logs* page.
:::image type="content" source="./media/ddos-view-diagnostic-logs/ddos-select-logs-in-workspace.png" alt-text="Screenshot of viewing a log analytics workspace.":::
In this tutorial, you learn how to:
:::image type="content" source="./media/ddos-view-diagnostic-logs/ddos-notification-logs.png" alt-text="Screenshot of viewing DDoS Protection notification logs in log analytics workspace.":::
+### Query Azure DDoS Protection logs in log analytics workspace
+
+For more information on log schemas, see [View diagnostic logs](ddos-view-diagnostic-logs.md#example-log-queries).
+
+#### DDoSProtectionNotifications logs
+
+1. Under the **Log analytics workspaces** blade, select your log analytics workspace.
++
+1. On the left side pane, select **Logs**.
+
+ :::image type="content" source="./media/ddos-attack-telemetry/ddos-workspace-diagnostic-logs.png" alt-text="Screenshot of log query in Log analytics workspaces.":::
+
+1. In Query explorer, type in the following Kusto Query and change the time range to Custom and change the time range to last three months. Then hit Run.
+
+ ```kusto
+ AzureDiagnostics
+ | where Category == "DDoSProtectionNotifications"
+ ```
+
+1. To view **DDoSMitigationFlowLogs** change the query to the following and keep the same time range and hit Run.
+
+ ```kusto
+ AzureDiagnostics
+ | where Category == "DDoSMitigationFlowLogs"
+ ```
+
+1. To view **DDoSMitigationReports** change the query to the following and keep the same time range and hit Run.
+
+ ```kusto
+ AzureDiagnostics
+ | where Category == "DDoSMitigationReports"
+ ```
+ ## Example log queries ### DDoS Protection Notifications
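Review bot: the "For more information on log schemas" link added at the top of the moved query section now points at the article it lives in (ddos-view-diagnostic-logs.md#example-log-queries); make it an in-page anchor, `[Example log queries](#example-log-queries)`. In the first step, "change the time range to Custom and change the time range to last three months" repeats itself. The three queries would be more useful if they narrowed on the resource type the schema tables document and projected a few columns, for example `AzureDiagnostics | where Category == "DDoSProtectionNotifications" and ResourceType == "PUBLICIPADDRESS" | project TimeGenerated, Resource, Message`, and if the step said that the portal time picker only bounds the query, so a `where TimeGenerated > ago(90d)` clause is needed to get the same bound in saved queries or Sentinel analytics rules.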
The following table lists the field names and descriptions:
| **SubscriptionId** | Your DDoS protection plan subscription ID. | | **Resource** | The name of your public IP address. | | **ResourceType** | This will always be `PUBLICIPADDRESS`. |
-| **OperationName** | For notifications, this will be `DDoSProtectionNotifications`. |
+| **OperationName** | For notifications, this is `DDoSProtectionNotifications`. |
| **Message** | Details of the attack. | | **Type** | Type of notification. Possible values include `MitigationStarted`. `MitigationStopped`. | | **PublicIpAddress** | Your public IP address. | ### DDoS Mitigation FlowLogs
-Attack mitigation flow logs allow you to review the dropped traffic, forwarded traffic and other interesting data-points during an active DDoS attack in near-real time. You can ingest the constant stream of this data into Microsoft Sentinel or to your third-party SIEM systems via event hub for near-real time monitoring, take potential actions and address the need of your defense operations.
+Attack mitigation flow logs allow you to review the dropped traffic, forwarded traffic, and other interesting data-points during an active DDoS attack in near-real time. You can ingest the constant stream of this data into Microsoft Sentinel or to your third-party SIEM systems via event hub for near-real time monitoring, take potential actions and address the need of your defense operations.
```kusto AzureDiagnostics
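Review bot: in the notifications schema table, the Type row uses a period where it needs a separator: "Possible values include `MitigationStarted`. `MitigationStopped`." should read "`MitigationStarted` and `MitigationStopped`". The ResourceType row was left as "This will always be" while the neighbouring OperationName row was changed to "this is"; apply the same edit for consistency (the same pattern appears in the flow-log and report tables).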
The following table lists the field names and descriptions:
| | | | **TimeGenerated** | The date and time in UTC when the flow log was created. | | **ResourceId** | The resource ID of your public IP address. |
-| **Category** | For flow logs, this will be `DDoSMitigationFlowLogs`.|
+| **Category** | For flow logs, this is `DDoSMitigationFlowLogs`.|
| **ResourceGroup** | The resource group that contains your public IP address and virtual network. | | **SubscriptionId** | Your DDoS protection plan subscription ID. | | **Resource** | The name of your public IP address. | | **ResourceType** | This will always be `PUBLICIPADDRESS`. |
-| **OperationName** | For flow logs, this will be `DDoSMitigationFlowLogs`. |
+| **OperationName** | For flow logs, this is `DDoSMitigationFlowLogs`. |
| **Message** | Details of the attack. | | **SourcePublicIpAddress** | The public IP address of the client generating traffic to your public IP address. | | **SourcePort** | Port number ranging from 0 to 65535. |
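Review bot: the flow-log table describes SourcePublicIpAddress as "the public IP address of the client generating traffic", and the paragraph above invites feeding the stream into a SIEM to "take potential actions". Add the caveat that during a volumetric attack the source addresses can be spoofed, which is exactly what the SYN authentication checks in the features article exist to detect, so flow-log sources should not be turned into firewall or NSG deny rules automatically; use them for correlation and let the mitigation drop the traffic.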
The following table lists the field names and descriptions:
### DDoS Mitigation Reports
-Attack mitigation reports use the Netflow protocol data, which is aggregated to provide detailed information about the attack on your resource. Anytime a public IP resource is under attack, the report generation will start as soon as the mitigation starts. There will be an incremental report generated every 5 mins and a post-mitigation report for the whole mitigation period. This is to ensure that in an event the DDoS attack continues for a longer duration of time, you'll be able to view the most current snapshot of mitigation report every 5 minutes and a complete summary once the attack mitigation is over.
- ```kusto AzureDiagnostics | where Category == "DDoSMitigationReports"
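Review bot: removing the mitigation-report paragraph here leaves the "DDoS Mitigation Reports" subsection with only a query and no explanation of the two report types that the ReportType row below relies on. Keep a one-sentence pointer (incremental reports every 5 minutes and a post-mitigation summary, described in the introduction) so the subsection still reads on its own.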
The following table lists the field names and descriptions:
| | | | **TimeGenerated** | The date and time in UTC when the notification was created. | | **ResourceId** | The resource ID of your public IP address. |
-| **Category** | For mitigation reports, this will be `DDoSMitigationReports`. |
+| **Category** | For mitigation reports, this is `DDoSMitigationReports`. |
| **ResourceGroup** | The resource group that contains your public IP address and virtual network. | | **SubscriptionId** | Your DDoS protection plan subscription ID. | | **Resource** | The name of your public IP address. | | **ResourceType** | This will always be `PUBLICIPADDRESS`. |
-| **OperationName** | For mitigation reports, this will be `DDoSMitigationReports`.  |
+| **OperationName** | For mitigation reports, this is `DDoSMitigationReports`.  |
| **ReportType** | Possible values are `Incremental` and `PostMitigation`. | | **MitigationPeriodStart** | The date and time in UTC when the mitigation started. | | **MitigationPeriodEnd** | The date and time in UTC when the mitigation ended. |
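Review bot: the TimeGenerated row of the mitigation-report table still says "when the notification was created", a copy of the notifications table; it should say when the report was created. The report table also keeps "This will always be" in its ResourceType row while OperationName was changed to "this is".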
ddos-protection Diagnostic Logging https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/diagnostic-logging.md
Title: 'Configure Azure DDoS Protection diagnostic logging through portal'
+ Title: 'Tutorial: Configure Azure DDoS Protection diagnostic logging through portal'
description: Learn how to configure Azure DDoS Protection diagnostic logs. Previously updated : 08/07/2023 Last updated : 07/17/2024
-# Configure Azure DDoS Protection diagnostic logging through portal
-
-Configure diagnostic logging for Azure DDoS Protection to gain visibility into DDoS attacks.
+# Tutorial: Configure Azure DDoS Protection diagnostic logging through portal
In this tutorial, you learn how to: > [!div class="checklist"] > * Configure diagnostic logs. > * Query logs in log analytics workspace.+
+Configure diagnostic logging for Azure DDoS Protection to gain visibility into DDoS attacks.
+ ## Prerequisites - If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin. - Before you can complete the steps in this guide, you must first create a [Azure DDoS protection plan](manage-ddos-protection.md). DDoS Network Protection must be enabled on a virtual network or DDoS IP Protection must be enabled on a public IP address. - In order to use diagnostic logging, you must first create a [Log Analytics workspace with diagnostic settings enabled](ddos-configure-log-analytics-workspace.md). -- DDoS monitors public IP addresses assigned to resources within a virtual network. If you don't have any resources with public IP addresses in the virtual network, you must first create a resource with a public IP address. You can monitor the public IP address of all resources deployed through Resource Manager (not classic) listed in [Virtual network for Azure services](../virtual-network/virtual-network-for-azure-services.md#services-that-can-be-deployed-into-a-virtual-network) (including Azure Load Balancers where the backend virtual machines are in the virtual network), except for Azure App Service Environments. To continue with this guide, you can quickly create a [Windows](../virtual-machines/windows/quick-create-portal.md?toc=%2fazure%2fvirtual-network%2ftoc.json) or [Linux](../virtual-machines/linux/quick-create-portal.md?toc=%2fazure%2fvirtual-network%2ftoc.json) virtual machine.
+- DDoS monitors public IP addresses assigned to resources within a virtual network. If you don't have any resources with public IP addresses in the virtual network, you must first create a resource with a public IP address.
## Configure diagnostic logs
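Review bot: the shortened prerequisite bullet at the end of the hunk drops two facts the removed version carried: which resource types' public IPs can be monitored (the Resource Manager services that deploy into a virtual network, including load balancers whose backend VMs are in the network) and the App Service Environment exclusion. Keep at least a link to the supported-resources list or to the limitations in the SKU comparison, otherwise readers will configure diagnostics on an unsupported resource and see no logs.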
In this tutorial, you learn how to:
1. On the *Diagnostic setting* page, under *Destination details*, select **Send to Log Analytics workspace**, then enter the following information, then select **Save**.
- :::image type="content" source="./media/ddos-attack-telemetry/ddos-public-ip-diagnostic-setting.png" alt-text="Screenshot of DDoS diagnostic settings.":::
+ :::image type="content" source="./media/ddos-attack-telemetry/ddos-public-ip-diagnostic-setting.png" alt-text="Screenshot of DDoS Protection diagnostic settings.":::
| Setting | Value | |--|--|
In this tutorial, you learn how to:
| Subscription | Select your Azure subscription. | | Log Analytics Workspace | Select **myLogAnalyticsWorkspace**. | -
-### Query Azure DDOS Protection logs in log analytics workspace
-
-For more information on log schemas, see [View diagnostic logs](ddos-view-diagnostic-logs.md#example-log-queries).
-#### DDoSProtectionNotifications logs
-
-1. Under the **Log analytics workspaces** blade, select your log analytics workspace.
-
-1. Under **General**, select on **Logs**
-
-1. In Query explorer, type in the following Kusto Query and change the time range to Custom and change the time range to last three months. Then hit Run.
-
- ```kusto
- AzureDiagnostics
- | where Category == "DDoSProtectionNotifications"
- ```
-
-1. To view **DDoSMitigationFlowLogs** change the query to the following and keep the same time range and hit Run.
-
- ```kusto
- AzureDiagnostics
- | where Category == "DDoSMitigationFlowLogs"
- ```
-
-1. To view **DDoSMitigationReports** change the query to the following and keep the same time range and hit Run.
-
- ```kusto
- AzureDiagnostics
- | where Category == "DDoSMitigationReports"
- ```
- ## Validate 1. In the search box at the top of the portal, enter **Monitor**. Select **Monitor** in the search results.
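Review bot: the whole "Query Azure DDOS Protection logs" section is removed from this tutorial, but the checklist near the top of the file still promises "Query logs in log analytics workspace". Either drop that checklist item or replace the removed section with a short pointer to the view-diagnostic-logs tutorial where the three Kusto queries now live.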
ddos-protection Fundamental Best Practices https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/fundamental-best-practices.md
Previously updated : 10/06/2023 Last updated : 07/17/2024 # Azure DDoS Protection fundamental best practices
For [Azure Virtual Machines](../virtual-machines/index.yml), ensure that your vi
The idea behind defense in depth is to manage risk by using diverse defensive strategies. Layering security defenses in an application reduces the chance of a successful attack. We recommend that you implement secure designs for your applications by using the built-in capabilities of the Azure platform.
-For example, the risk of attack increases with the size (*surface area*) of the application. You can reduce the surface area by using an approval list to close down the exposed IP address space and listening ports that are not needed on the load balancers ([Azure Load Balancer](../load-balancer/quickstart-load-balancer-standard-public-portal.md) and [Azure Application Gateway](../application-gateway/application-gateway-create-probe-portal.md)). [Network security groups (NSGs)](../virtual-network/network-security-groups-overview.md) are another way to reduce the attack surface.
+For example, the risk of attack increases with the size (*surface area*) of the application. You can reduce the surface area by using an approval list to close down the exposed IP address space and listening ports that aren't needed on the load balancers ([Azure Load Balancer](../load-balancer/quickstart-load-balancer-standard-public-portal.md) and [Azure Application Gateway](../application-gateway/application-gateway-create-probe-portal.md)). [Network security groups (NSGs)](../virtual-network/network-security-groups-overview.md) are another way to reduce the attack surface.
You can use [service tags](../virtual-network/network-security-groups-overview.md#service-tags) and [application security groups](../virtual-network/network-security-groups-overview.md#application-security-groups) to minimize complexity for creating security rules and configuring network security, as a natural extension of an applicationΓÇÖs structure. Additionally, you can use [Azure DDoS Solution for Microsoft Sentinel](https://techcommunity.microsoft.com/t5/azure-network-security-blog/new-azure-ddos-solution-for-microsoft-sentinel/ba-p/3732013) to pinpoint offending DDoS sources and to block them from launching other, sophisticated attacks, such as data theft. You should deploy Azure services in a [virtual network](../virtual-network/virtual-networks-overview.md) whenever possible. This practice allows service resources to communicate through private IP addresses. Azure service traffic from a virtual network uses public IP addresses as source IP addresses by default. Using [service endpoints](../virtual-network/virtual-network-service-endpoints-overview.md) will switch service traffic to use virtual network private addresses as the source IP addresses when they're accessing the Azure service from a virtual network.
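Review bot: two wording issues in the attack-surface paragraph. "Approval list" is the allowlist on the load balancer or gateway listener; name it as such so the reader knows it is an NSG or listener rule and not a separate feature. The Application Gateway link goes to the health-probe article (application-gateway-create-probe-portal.md), which does not cover listeners or exposed ports; link the listener or frontend configuration page instead. The service-endpoint sentence is accurate but should note its scope: endpoints change the source address for traffic from the virtual network to the Azure service only; they do not remove a resource's own public IP from the attack surface.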
ddos-protection Manage Ddos Ip Protection Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/manage-ddos-ip-protection-cli.md
Previously updated : 03/18/2024 Last updated : 07/17/2024
ddos-protection Manage Ddos Ip Protection Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/manage-ddos-ip-protection-portal.md
Previously updated : 03/01/2024 Last updated : 07/17/2024
ddos-protection Manage Ddos Ip Protection Template https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/manage-ddos-ip-protection-template.md
Previously updated : 03/18/2024 Last updated : 07/17/2024 # QuickStart: Create and configure Azure DDoS IP Protection using ARM template
ddos-protection Manage Ddos Protection Bicep https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/manage-ddos-protection-bicep.md
Previously updated : 02/14/2024 Last updated : 07/17/2024 # QuickStart: Create and configure Azure DDoS Network Protection using Bicep
ddos-protection Manage Ddos Protection Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/manage-ddos-protection-cli.md
Previously updated : 05/29/2024 Last updated : 07/17/2024 # QuickStart: Create and configure Azure DDoS Network Protection using Azure CLI
ddos-protection Manage Ddos Protection Powershell Ip https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/manage-ddos-protection-powershell-ip.md
Previously updated : 03/18/2024 Last updated : 07/17/2024
ddos-protection Manage Ddos Protection Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/manage-ddos-protection-powershell.md
Previously updated : 05/29/2024 Last updated : 07/17/2024
ddos-protection Manage Ddos Protection Template https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/manage-ddos-protection-template.md
Previously updated : 05/29/2024 Last updated : 07/17/2024 # QuickStart: Create and configure Azure DDoS Network Protection using ARM template
ddos-protection Manage Ddos Protection Terraform https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/manage-ddos-protection-terraform.md
Previously updated : 3/18/2024 Last updated : 07/17/2024 content_well_notification: - AI-contribution ai-usage: ai-assisted
ddos-protection Manage Ddos Protection https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/manage-ddos-protection.md
Previously updated : 11/28/2023 Last updated : 07/17/2024
ddos-protection Manage Permissions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/manage-permissions.md
Previously updated : 11/06/2023 Last updated : 07/17/2024
ddos-protection Monitor Ddos Protection Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/monitor-ddos-protection-reference.md
Previously updated : 05/22/2024 Last updated : 07/17/2024
ddos-protection Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/policy-reference.md
description: Lists Azure Policy built-in policy definitions for Azure DDoS Prote
Previously updated : 02/06/2024 Last updated : 07/17/2024
ddos-protection Telemetry https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/telemetry.md
Previously updated : 05/09/2024 Last updated : 07/17/2024 # Tutorial: View and configure Azure DDoS protection telemetry
-Azure DDoS Protection offers in-depth insights and visualizations of attack patterns through DDoS Attack Analytics. It provides customers with comprehensive visibility into attack traffic and mitigation actions via reports and flow logs. During a DDoS attack, detailed metrics are available through Azure Monitor, which also allows alert configurations based on these metrics.
- In this tutorial, you'll learn how to: > [!div class="checklist"]
In this tutorial, you'll learn how to:
> * View Azure DDoS Protection mitigation policies > * Validate and test Azure DDoS Protection telemetry
-If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.
--
+Azure DDoS Protection offers in-depth insights and visualizations of attack patterns through DDoS Attack Analytics. It provides customers with comprehensive visibility into attack traffic and mitigation actions via reports and flow logs. During a DDoS attack, detailed metrics are available through Azure Monitor, which also allows alert configurations based on these metrics.
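Review bot: the removed line `- In this tutorial, you'll learn how to: > [!div class="checklist"]` also drops the `[!div class="checklist"]` directive, while the `> * View Azure DDoS Protection mitigation policies > * Validate and test Azure DDoS Protection telemetry` items that follow still use the blockquote form that directive requires; as shown here they would render as a plain blockquote, so keep the directive on the line before the items unless it survives on a line not included in this excerpt. Moving the intro paragraph (`+Azure DDoS Protection offers in-depth insights...`) below the learning objectives is otherwise fine.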
## Prerequisites
For more information on metrics, see [Monitoring Azure DDoS Protection](monitor-
1. For **Metric** select **Under DDoS attack or not**. 1. Select the **Aggregation** type as **Max**.
+ :::image type="content" source="./media/ddos-attack-telemetry/ddos-metrics-menu.png" alt-text="Screenshot of creating DDoS protection metrics menu." lightbox="./media/ddos-attack-telemetry/ddos-metrics-menu.png":::
### View metrics from virtual network
For more information on metrics, see [Monitoring Azure DDoS Protection](monitor-
1. Select **Public IP Address** for **Resource type** then select the specific public IP address you want to log metrics for, and then select **Apply**. 1. Under **Metric** select your chosen metric then under **Aggregation** select type as **Max**.
->[!NOTE]
->To filter IP Addresses select **Add filter**. Under **Property**, select **Protected IP Address**, and the operator should be set to **=**. Under **Values**, you will see a dropdown of public IP addresses, associated with the virtual network, that are protected by Azure DDoS Protection.
+ :::image type="content" source="./media/ddos-attack-telemetry/vnet-ddos-metrics.png" alt-text="Screenshot of DDoS diagnostic settings within Azure." lightbox="./media/ddos-attack-telemetry/vnet-ddos-metrics.png":::
+> [!NOTE]
+> To filter IP Addresses select **Add filter**. Under **Property**, select **Protected IP Address**, and the operator should be set to **=**. Under **Values**, you will see a dropdown of public IP addresses, associated with the virtual network, that are protected by Azure DDoS Protection.
### View metrics from Public IP address
For more information on metrics, see [Monitoring Azure DDoS Protection](monitor-
1. Select **Public IP Address** for **Resource type** then select the specific public IP address you want to log metrics for, and then select **Apply**. 1. Under **Metric** select your chosen metric then under **Aggregation** select type as **Max**.
->[!NOTE]
->When changing DDoS IP protection from **enabled** to **disabled**, telemetry for the public IP resource will not be available.
+> [!NOTE]
+> When changing DDoS IP protection from **enabled** to **disabled**, telemetry for the public IP resource will not be available.
### View DDoS mitigation policies
You can make a chart for the public IP address resource. In this chart, include
:::image type="content" source="./media/manage-ddos-protection/ddos-baseline-metrics.png" alt-text="Screenshot of viewing peace time telemetry." lightbox="./media/manage-ddos-protection/ddos-baseline-metrics.png":::
->[!NOTE]
+> [!NOTE]
> To make a fair comparison, you need to convert the data to packets-per-second. You can do this by dividing the number you see by 60, as the data represents the number of packets, bytes, or SYN packets collected over 60 seconds. For example, if you have 91,000 packets collected over 60 seconds, divide 91,000 by 60 to get approximately 1,500 packets-per-second (pps). ## Validate and test
ddos-protection Test Through Simulations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/test-through-simulations.md
Previously updated : 04/11/2024 Last updated : 07/17/2024
ItΓÇÖs a good practice to test your assumptions about how your services respond to an attack by conducting periodic simulations. During testing, validate that your services or applications continue to function as expected and thereΓÇÖs no disruption to the user experience. Identify gaps from both a technology and process standpoint and incorporate them in the DDoS response strategy. We recommend that you perform such tests in staging environments or during non-peak hours to minimize the impact to the production environment.
+For this tutorial, you'll create a test environment that includes:
+
+- A DDoS protection plan
+- A virtual network
+- An Azure Bastion host
+- A load balancer
+- Two virtual machines
+
+You'll then configure diagnostic logs and alerts to monitor for attacks and traffic patterns. Finally, you'll configure a DDoS attack simulation using one of our approved testing partners.
++ Simulations help you:+ - Validate how Azure DDoS Protection helps protect your Azure resources from DDoS attacks. - Optimize your incident response process while under DDoS attack. - Document DDoS compliance.
Our testing partners' simulation environments are built within Azure. You can on
> [!NOTE] > BreakingPoint Cloud and Red Button are only available for the Public cloud.
-For this tutorial, you'll create a test environment that includes:
-- A DDoS protection plan-- A virtual network-- An Azure Bastion host -- A load balancer -- Two virtual machines-
-You'll then configure diagnostic logs and alerts to monitor for attacks and traffic patterns. Finally, you'll configure a DDoS attack simulation using one of our approved testing partners.
-- ## Prerequisites - An Azure account with an active subscription.
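Review bot: in the added line `++ Simulations help you:+ - Validate how Azure DDoS Protection helps protect your Azure resources from DDoS attacks. - Optimize your incident response process...` the lead-in and its three bullets sit on one line, just as the removed `-- A DDoS protection plan-- A virtual network-- An Azure Bastion host -- A load balancer -- Two virtual machines-` list did; confirm that each bullet is on its own line in the committed file, otherwise the list renders as a single run-on sentence. Relocating the "For this tutorial, you'll create a test environment that includes:" block ahead of the testing-partner note reads well.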
In this tutorial, we'll configure DDoS Protection metrics and alerts to monitor
1. On the *Diagnostic setting* page, under *Destination details*, select **Send to Log Analytics workspace**, then enter the following information, then select **Save**.
- :::image type="content" source="./media/ddos-attack-simulation/ddos-public-ip-diagnostic-setting.png" alt-text="Screenshot of DDoS diagnostic settings.":::
+ :::image type="content" source="./media/ddos-attack-simulation/ddos-public-ip-diagnostic-setting.png" alt-text="Screenshot of DDoS diagnostic settings in Azure.":::
| Setting | Value | |--|--|
In this tutorial, we'll configure DDoS Protection metrics and alerts to monitor
1. Select **+ Create** on the navigation bar, then select **Alert rule**.
- :::image type="content" source="./media/ddos-attack-simulation/ddos-protection-alert-page.png" alt-text="Screenshot of creating Alerts." lightbox="./media/ddos-attack-simulation/ddos-protection-alert-page.png":::
+ :::image type="content" source="./media/ddos-attack-simulation/ddos-protection-alert-page.png" alt-text="Screenshot of creating Alerts in Azure." lightbox="./media/ddos-attack-simulation/ddos-protection-alert-page.png":::
1. On the **Create an alert rule** page, select **+ Select scope**, then select the following information in the **Select a resource** page.
ddos-protection Types Of Attacks https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/types-of-attacks.md
Previously updated : 12/07/2023 Last updated : 07/17/2024 # Types of attacks Azure DDoS Protection mitigates
Azure DDoS Protection can mitigate the following types of attacks:
- **Volumetric attacks**: These attacks flood the network layer with a substantial amount of seemingly legitimate traffic. They include UDP floods, amplification floods, and other spoofed-packet floods. DDoS Protection mitigates these potential multi-gigabyte attacks by absorbing and scrubbing them, with Azure's global network scale, automatically. - **Protocol attacks**: These attacks render a target inaccessible, by exploiting a weakness in the layer 3 and layer 4 protocol stack. They include SYN flood attacks, reflection attacks, and other protocol attacks. DDoS Protection mitigates these attacks, differentiating between malicious and legitimate traffic, by interacting with the client, and blocking malicious traffic. - **Resource (application) layer attacks**: These attacks target web application packets, to disrupt the transmission of data between hosts. They include HTTP protocol violations, SQL injection, cross-site scripting, and other layer 7 attacks. Use a Web Application Firewall, such as the Azure [Application Gateway web application firewall](../web-application-firewall/ag/ag-overview.md?toc=%2fazure%2fvirtual-network%2ftoc.json), as well as DDoS Protection to provide defense against these attacks. There are also third-party web application firewall offerings available in the [Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps?page=1&search=web%20application%20firewall).-
+- **
## Azure DDoS Protection Azure DDoS Protection protects resources in a virtual network including public IP addresses associated with virtual machines, load balancers, and application gateways. When coupled with the Application Gateway web application firewall, or a third-party web application firewall deployed in a virtual network with a public IP, Azure DDoS Protection can provide full layer 3 to layer 7 mitigation capability.
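Review bot: the added line `+- **` is an empty, unterminated bold bullet appended to the attack-type list; either complete the entry (a name and description matching the three bullets above it) or drop the line, since as committed it renders as a stray `- **` between the list and the "Azure DDoS Protection" heading.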
defender-for-cloud Ai Threat Protection https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/ai-threat-protection.md
To use threat protection for AI workloads, you must enroll in the limited public
## Related content - [Enable threat protection for AI workloads (preview) (Preview)](ai-onboarding.md).-- [Alerts for AI workloads](alerts-reference.md#alerts-for-ai-workloads)
+- [Alerts for AI workloads](alerts-ai-workloads.md)
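Review bot: the retargeted link `+- [Alerts for AI workloads](alerts-ai-workloads.md)` matches the new per-workload alerts page added in this batch, so the change is correct; while editing this list, the preceding item `[Enable threat protection for AI workloads (preview) (Preview)](ai-onboarding.md)` repeats the preview marker twice and should keep only one.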
defender-for-cloud Alerts Ai Workloads https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/alerts-ai-workloads.md
+
+ Title: Alerts for AI workloads
+description: This article lists the security alerts for AI workloads visible in Microsoft Defender for Cloud.
++ Last updated : 06/03/2024
+ai-usage: ai-assisted
++
+# Alerts for AI workloads
+
+This article lists the security alerts you might get for AI workloads from Microsoft Defender for Cloud and any Microsoft Defender plans you enabled. The alerts shown in your environment depend on the resources and services you're protecting, and your customized configuration.
+
+> [!NOTE]
+> Some of the recently added alerts powered by Microsoft Defender Threat Intelligence and Microsoft Defender for Endpoint might be undocumented.
+
+[Learn how to respond to these alerts](managing-and-responding-alerts.yml).
+
+[Learn how to export alerts](continuous-export.md).
+
+> [!NOTE]
+> Alerts from different sources might take different amounts of time to appear. For example, alerts that require analysis of network traffic might take longer to appear than alerts related to suspicious processes running on virtual machines.
+
+## AI workload alerts
+
+### Detected credential theft attempts on an Azure OpenAI model deployment
+
+(AI.Azure_CredentialTheftAttempt)
+
+**Description**: The credential theft alert is designed to notify the SOC when credentials are detected within GenAI model responses to a user prompt, indicating a potential breach. This alert is crucial for detecting cases of credential leak or theft, which are unique to generative AI and can have severe consequences if successful.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Credential Access, Lateral Movement, Exfiltration
+
+**Severity**: Medium
+
+### A Jailbreak attempt on an Azure OpenAI model deployment was blocked by Azure AI Content Safety Prompt Shields
+
+(AI.Azure_Jailbreak.ContentFiltering.BlockedAttempt)
+
+**Description**: The Jailbreak alert, carried out using a direct prompt injection technique, is designed to notify the SOC there was an attempt to manipulate the system prompt to bypass the generative AIΓÇÖs safeguards, potentially accessing sensitive data or privileged functions. It indicated that such attempts were blocked by Azure Responsible AI Content Safety (AKA Prompt Shields), ensuring the integrity of the AI resources and the data security.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Privilege Escalation, Defense Evasion
+
+**Severity**: Medium
+
+### A Jailbreak attempt on an Azure OpenAI model deployment was detected by Azure AI Content Safety Prompt Shields
+
+(AI.Azure_Jailbreak.ContentFiltering.DetectedAttempt)
+
+**Description**: The Jailbreak alert, carried out using a direct prompt injection technique, is designed to notify the SOC there was an attempt to manipulate the system prompt to bypass the generative AIΓÇÖs safeguards, potentially accessing sensitive data or privileged functions. It indicated that such attempts were detected by Azure Responsible AI Content Safety (AKA Prompt Shields), but were not blocked due to content filtering settings or due to low confidence.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Privilege Escalation, Defense Evasion
+
+**Severity**: Medium
+
+### Sensitive Data Exposure Detected in Azure OpenAI Model Deployment
+
+(AI.Azure_DataLeakInModelResponse.Sensitive)
+
+**Description**: The sensitive data leakage alert is designed to notify the SOC that a GenAI model responded to a user prompt with sensitive information, potentially due to a malicious user attempting to bypass the generative AIΓÇÖs safeguards to access unauthorized sensitive data.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Collection
+
+**Severity**: Medium
+
+> [!NOTE]
+> For alerts that are in preview: [!INCLUDE [Legalese](../../includes/defender-for-cloud-preview-legal-text.md)]
+
+## Next steps
+
+- [Security alerts in Microsoft Defender for Cloud](alerts-overview.md)
+- [Manage and respond to security alerts in Microsoft Defender for Cloud](managing-and-responding-alerts.yml)
+- [Continuously export Defender for Cloud data](continuous-export.md)
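Review bot: the two Jailbreak descriptions misattribute the action and slip tense. In `The Jailbreak alert, carried out using a direct prompt injection technique, is designed to notify the SOC...` it is the attempt, not the alert, that is carried out through prompt injection, and `It indicated that such attempts were blocked by Azure Responsible AI Content Safety (AKA Prompt Shields)` should be present tense ("It indicates that the attempt was blocked..."; likewise "was detected but not blocked" in the second entry). Suggested wording: "This alert notifies the SOC of an attempt, made through direct prompt injection, to manipulate the system prompt and bypass the generative AI's safeguards, potentially exposing sensitive data or privileged functions." Also, the front matter as rendered here (` Title: Alerts for AI workloads`, `++ Last updated : 06/03/2024`) shows no `---` delimiters and a capitalized `Title` key; confirm the YAML block in the committed file is intact. The four alert IDs, MITRE tactic lines and severities follow the layout of the other per-service alert pages.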
defender-for-cloud Alerts Azure App Service https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/alerts-azure-app-service.md
+
+ Title: Alerts for Azure App Service
+description: This article lists the security alerts for Azure App Service visible in Microsoft Defender for Cloud.
++ Last updated : 06/03/2024
+ai-usage: ai-assisted
++
+# Alerts for Azure App Service
+
+This article lists the security alerts you might get for Azure App Service from Microsoft Defender for Cloud and any Microsoft Defender plans you enabled. The alerts shown in your environment depend on the resources and services you're protecting, and your customized configuration.
+
+> [!NOTE]
+> Some of the recently added alerts powered by Microsoft Defender Threat Intelligence and Microsoft Defender for Endpoint might be undocumented.
+
+[Learn how to respond to these alerts](managing-and-responding-alerts.yml).
+
+[Learn how to export alerts](continuous-export.md).
+
+> [!NOTE]
+> Alerts from different sources might take different amounts of time to appear. For example, alerts that require analysis of network traffic might take longer to appear than alerts related to suspicious processes running on virtual machines.
+
+## Azure App Service alerts
+
+[Further details and notes](defender-for-app-service-introduction.md)
+
+### **An attempt to run Linux commands on a Windows App Service**
+
+(AppServices_LinuxCommandOnWindows)
+
+**Description**: Analysis of App Service processes detected an attempt to run a Linux command on a Windows App Service. This action was running by the web application. This behavior is often seen during campaigns that exploit a vulnerability in a common web application.
+(Applies to: App Service on Windows)
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Medium
+
+### **An IP that connected to your Azure App Service FTP Interface was found in Threat Intelligence**
+
+(AppServices_IncomingTiClientIpFtp)
+
+**Description**: Azure App Service FTP log indicates a connection from a source address that was found in the threat intelligence feed. During this connection, a user accessed the pages listed.
+(Applies to: App Service on Windows and App Service on Linux)
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Initial Access
+
+**Severity**: Medium
+
+### **Attempt to run high privilege command detected**
+
+(AppServices_HighPrivilegeCommand)
+
+**Description**: Analysis of App Service processes detected an attempt to run a command that requires high privileges.
+The command ran in the web application context. While this behavior can be legitimate, in web applications this behavior is also observed in malicious activities.
+(Applies to: App Service on Windows)
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Medium
+
+### **Communication with suspicious domain identified by threat intelligence**
+
+(AzureDNS_ThreatIntelSuspectDomain)
+
+**Description**: Communication with suspicious domain was detected by analyzing DNS transactions from your resource and comparing against known malicious domains identified by threat intelligence feeds. Communication to malicious domains is frequently performed by attackers and could imply that your resource is compromised.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Initial Access, Persistence, Execution, Command And Control, Exploitation
+
+**Severity**: Medium
+
+### **Connection to web page from anomalous IP address detected**
+
+(AppServices_AnomalousPageAccess)
+
+**Description**: Azure App Service activity log indicates an anomalous connection to a sensitive web page from the listed source IP address. This might indicate that someone is attempting a brute force attack into your web app administration pages. It might also be the result of a new IP address being used by a legitimate user. If the source IP address is trusted, you can safely suppress this alert for this resource. To learn how to suppress security alerts, see [Suppress alerts from Microsoft Defender for Cloud](alerts-suppression-rules.md).
+(Applies to: App Service on Windows and App Service on Linux)
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Initial Access
+
+**Severity**: Low
+
+### **Dangling DNS record for an App Service resource detected**
+
+(AppServices_DanglingDomain)
+
+**Description**: A DNS record that points to a recently deleted App Service resource (also known as "dangling DNS" entry) has been detected. This leaves you susceptible to a subdomain takeover. Subdomain takeovers enable malicious actors to redirect traffic intended for an organization's domain to a site performing malicious activity.
+(Applies to: App Service on Windows and App Service on Linux)
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: High
+
+### **Detected encoded executable in command line data**
+
+(AppServices_Base64EncodedExecutableInCommandLineParams)
+
+**Description**: Analysis of host data on {Compromised host} detected a base-64 encoded executable. This has previously been associated with attackers attempting to construct executables on-the-fly through a sequence of commands, and attempting to evade intrusion detection systems by ensuring that no individual command would trigger an alert. This could be legitimate activity, or an indication of a compromised host.
+(Applies to: App Service on Windows)
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Defense Evasion, Execution
+
+**Severity**: High
+
+### **Detected file download from a known malicious source**
+
+(AppServices_SuspectDownload)
+
+**Description**: Analysis of host data has detected the download of a file from a known malware source on your host.
+(Applies to: App Service on Linux)
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Privilege Escalation, Execution, Exfiltration, Command and Control
+
+**Severity**: Medium
+
+### **Detected suspicious file download**
+
+(AppServices_SuspectDownloadArtifacts)
+
+**Description**: Analysis of host data has detected suspicious download of remote file.
+(Applies to: App Service on Linux)
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Persistence
+
+**Severity**: Medium
+
+### **Digital currency mining related behavior detected**
+
+(AppServices_DigitalCurrencyMining)
+
+**Description**: Analysis of host data on Inn-Flow-WebJobs detected the execution of a process or command normally associated with digital currency mining.
+(Applies to: App Service on Windows and App Service on Linux)
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Execution
+
+**Severity**: High
+
+### **Executable decoded using certutil**
+
+(AppServices_ExecutableDecodedUsingCertutil)
+
+**Description**: Analysis of host data on [Compromised entity] detected that certutil.exe, a built-in administrator utility, was being used to decode an executable instead of its mainstream purpose that relates to manipulating certificates and certificate data. Attackers are known to abuse functionality of legitimate administrator tools to perform malicious actions, for example using a tool such as certutil.exe to decode a malicious executable that will then be subsequently executed.
+(Applies to: App Service on Windows)
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Defense Evasion, Execution
+
+**Severity**: High
+
+### **Fileless attack behavior detected**
+
+(AppServices_FilelessAttackBehaviorDetection)
+
+**Description**: The memory of the process specified below contains behaviors commonly used by fileless attacks.
+Specific behaviors include: {list of observed behaviors}
+(Applies to: App Service on Windows and App Service on Linux)
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Execution
+
+**Severity**: Medium
+
+### **Fileless attack technique detected**
+
+(AppServices_FilelessAttackTechniqueDetection)
+
+**Description**: The memory of the process specified below contains evidence of a fileless attack technique. Fileless attacks are used by attackers to execute code while evading detection by security software.
+Specific behaviors include: {list of observed behaviors}
+(Applies to: App Service on Windows and App Service on Linux)
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Execution
+
+**Severity**: High
+
+### **Fileless attack toolkit detected**
+
+(AppServices_FilelessAttackToolkitDetection)
+
+**Description**: The memory of the process specified below contains a fileless attack toolkit: {ToolKitName}. Fileless attack toolkits typically do not have a presence on the filesystem, making detection by traditional anti-virus software difficult.
+Specific behaviors include: {list of observed behaviors}
+(Applies to: App Service on Windows and App Service on Linux)
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Defense Evasion, Execution
+
+**Severity**: High
+
+### **Microsoft Defender for Cloud test alert for App Service (not a threat)**
+
+(AppServices_EICAR)
+
+**Description**: This is a test alert generated by Microsoft Defender for Cloud. No further action is needed.
+(Applies to: App Service on Windows and App Service on Linux)
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: High
+
+### **NMap scanning detected**
+
+(AppServices_Nmap)
+
+**Description**: Azure App Service activity log indicates a possible web fingerprinting activity on your App Service resource.
+The suspicious activity detected is associated with NMAP. Attackers often use this tool for probing the web application to find vulnerabilities.
+(Applies to: App Service on Windows and App Service on Linux)
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: PreAttack
+
+**Severity**: Informational
+
+### **Phishing content hosted on Azure Webapps**
+
+(AppServices_PhishingContent)
+
+**Description**: URL used for phishing attack found on the Azure AppServices website. This URL was part of a phishing attack sent to Microsoft 365 customers. The content typically lures visitors into entering their corporate credentials or financial information into a legitimate looking website.
+(Applies to: App Service on Windows and App Service on Linux)
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Collection
+
+**Severity**: High
+
+### **PHP file in upload folder**
+
+(AppServices_PhpInUploadFolder)
+
+**Description**: Azure App Service activity log indicates an access to a suspicious PHP page located in the upload folder.
+This type of folder doesn't usually contain PHP files. The existence of this type of file might indicate an exploitation taking advantage of arbitrary file upload vulnerabilities.
+(Applies to: App Service on Windows and App Service on Linux)
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Execution
+
+**Severity**: Medium
+
+### **Possible Cryptocoinminer download detected**
+
+(AppServices_CryptoCoinMinerDownload)
+
+**Description**: Analysis of host data has detected the download of a file normally associated with digital currency mining.
+(Applies to: App Service on Linux)
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Defense Evasion, Command and Control, Exploitation
+
+**Severity**: Medium
+
+### **Possible data exfiltration detected**
+
+(AppServices_DataEgressArtifacts)
+
+**Description**: Analysis of host/device data detected a possible data egress condition. Attackers will often egress data from machines they have compromised.
+(Applies to: App Service on Linux)
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Collection, Exfiltration
+
+**Severity**: Medium
+
+### **Potential dangling DNS record for an App Service resource detected**
+
+(AppServices_PotentialDanglingDomain)
+
+**Description**: A DNS record that points to a recently deleted App Service resource (also known as "dangling DNS" entry) has been detected. This might leave you susceptible to a subdomain takeover. Subdomain takeovers enable malicious actors to redirect traffic intended for an organization's domain to a site performing malicious activity. In this case, a text record with the Domain Verification ID was found. Such text records prevent subdomain takeover but we still recommend removing the dangling domain. If you leave the DNS record pointing at the subdomain you're at risk if anyone in your organization deletes the TXT file or record in the future.
+(Applies to: App Service on Windows and App Service on Linux)
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Low
+
+### **Potential reverse shell detected**
+
+(AppServices_ReverseShell)
+
+**Description**: Analysis of host data detected a potential reverse shell. These are used to get a compromised machine to call back into a machine an attacker owns.
+(Applies to: App Service on Linux)
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Exfiltration, Exploitation
+
+**Severity**: Medium
+
+### **Raw data download detected**
+
+(AppServices_DownloadCodeFromWebsite)
+
+**Description**: Analysis of App Service processes detected an attempt to download code from raw-data websites such as Pastebin. This action was run by a PHP process. This behavior is associated with attempts to download web shells or other malicious components to the App Service.
+(Applies to: App Service on Windows)
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Execution
+
+**Severity**: Medium
+
+### **Saving curl output to disk detected**
+
+(AppServices_CurlToDisk)
+
+**Description**: Analysis of App Service processes detected the running of a curl command in which the output was saved to the disk. While this behavior can be legitimate, in web applications this behavior is also observed in malicious activities such as attempts to infect websites with web shells.
+(Applies to: App Service on Windows)
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Low
+
+### **Spam folder referrer detected**
+
+(AppServices_SpamReferrer)
+
+**Description**: Azure App Service activity log indicates web activity that was identified as originating from a web site associated with spam activity. This can occur if your website is compromised and used for spam activity.
+(Applies to: App Service on Windows and App Service on Linux)
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Low
+
+### **Suspicious access to possibly vulnerable web page detected**
+
+(AppServices_ScanSensitivePage)
+
+**Description**: Azure App Service activity log indicates a web page that seems to be sensitive was accessed. This suspicious activity originated from a source IP address whose access pattern resembles that of a web scanner.
+This activity is often associated with an attempt by an attacker to scan your network to try to gain access to sensitive or vulnerable web pages.
+(Applies to: App Service on Windows and App Service on Linux)
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Low
+
+### **Suspicious domain name reference**
+
+(AppServices_CommandlineSuspectDomain)
+
+**Description**: Analysis of host data detected reference to suspicious domain name. Such activity, while possibly legitimate user behavior, is frequently an indication of the download or execution of malicious software. Typical related attacker activity is likely to include the download and execution of further malicious software or remote administration tools.
+(Applies to: App Service on Linux)
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Exfiltration
+
+**Severity**: Low
+
+### **Suspicious download using Certutil detected**
+
+(AppServices_DownloadUsingCertutil)
+
+**Description**: Analysis of host data on {NAME} detected the use of certutil.exe, a built-in administrator utility, for the download of a binary instead of its mainstream purpose that relates to manipulating certificates and certificate data. Attackers are known to abuse functionality of legitimate administrator tools to perform malicious actions, for example using certutil.exe to download and decode a malicious executable that will then be subsequently executed.
+(Applies to: App Service on Windows)
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Execution
+
+**Severity**: Medium
+
+### **Suspicious PHP execution detected**
+
+(AppServices_SuspectPhp)
+
+**Description**: Machine logs indicate that a suspicious PHP process is running. The action included an attempt to run operating system commands or PHP code from the command line, by using the PHP process. While this behavior can be legitimate, in web applications this behavior might indicate malicious activities, such as attempts to infect websites with web shells.
+(Applies to: App Service on Windows and App Service on Linux)
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Execution
+
+**Severity**: Medium
+
+### **Suspicious PowerShell cmdlets executed**
+
+(AppServices_PowerShellPowerSploitScriptExecution)
+
+**Description**: Analysis of host data indicates execution of known malicious PowerShell PowerSploit cmdlets.
+(Applies to: App Service on Windows)
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Execution
+
+**Severity**: Medium
+
+### **Suspicious process executed**
+
+(AppServices_KnownCredential AccessTools)
+
+**Description**: Machine logs indicate that the suspicious process: '%{process path}' was running on the machine, often associated with attacker attempts to access credentials.
+(Applies to: App Service on Windows)
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Credential Access
+
+**Severity**: High
+
+### **Suspicious process name detected**
+
+(AppServices_ProcessWithKnownSuspiciousExtension)
+
+**Description**: Analysis of host data on {NAME} detected a process whose name is suspicious, for example corresponding to a known attacker tool or named in a way that is suggestive of attacker tools that try to hide in plain sight. This process could be legitimate activity, or an indication that one of your machines has been compromised.
+(Applies to: App Service on Windows)
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Persistence, Defense Evasion
+
+**Severity**: Medium
+
+### **Suspicious SVCHOST process executed**
+
+(AppServices_SVCHostFromInvalidPath)
+
+**Description**: The system process SVCHOST was observed running in an abnormal context. Malware often uses SVCHOST to mask its malicious activity.
+(Applies to: App Service on Windows)
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Defense Evasion, Execution
+
+**Severity**: High
+
+### **Suspicious User Agent detected**
+
+(AppServices_UserAgentInjection)
+
+**Description**: Azure App Service activity log indicates requests with suspicious user agent. This behavior can indicate on attempts to exploit a vulnerability in your App Service application.
+(Applies to: App Service on Windows and App Service on Linux)
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Initial Access
+
+**Severity**: Informational
+
+### **Suspicious WordPress theme invocation detected**
+
+(AppServices_WpThemeInjection)
+
+**Description**: Azure App Service activity log indicates a possible code injection activity on your App Service resource.
+The suspicious activity detected resembles that of a manipulation of WordPress theme to support server side execution of code, followed by a direct web request to invoke the manipulated theme file.
+This type of activity was seen in the past as part of an attack campaign over WordPress.
+If your App Service resource isn't hosting a WordPress site, it isn't vulnerable to this specific code injection exploit and you can safely suppress this alert for the resource. To learn how to suppress security alerts, see [Suppress alerts from Microsoft Defender for Cloud](alerts-suppression-rules.md).
+(Applies to: App Service on Windows and App Service on Linux)
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Execution
+
+**Severity**: High
+
+### **Vulnerability scanner detected**
+
+(AppServices_DrupalScanner)
+
+**Description**: Azure App Service activity log indicates that a possible vulnerability scanner was used on your App Service resource.
+The suspicious activity detected resembles that of tools targeting a content management system (CMS).
+If your App Service resource isn't hosting a Drupal site, it isn't vulnerable to this specific code injection exploit and you can safely suppress this alert for the resource. To learn how to suppress security alerts, see [Suppress alerts from Microsoft Defender for Cloud](alerts-suppression-rules.md).
+(Applies to: App Service on Windows)
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: PreAttack
+
+**Severity**: Low
+
+### **Vulnerability scanner detected (Joomla)**
+
+(AppServices_JoomlaScanner)
+
+**Description**: Azure App Service activity log indicates that a possible vulnerability scanner was used on your App Service resource.
+The suspicious activity detected resembles that of tools targeting Joomla applications.
+If your App Service resource isn't hosting a Joomla site, it isn't vulnerable to this specific code injection exploit and you can safely suppress this alert for the resource. To learn how to suppress security alerts, see [Suppress alerts from Microsoft Defender for Cloud](alerts-suppression-rules.md).
+(Applies to: App Service on Windows and App Service on Linux)
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: PreAttack
+
+**Severity**: Low
+
+### **Vulnerability scanner detected (WordPress)**
+
+(AppServices_WpScanner)
+
+**Description**: Azure App Service activity log indicates that a possible vulnerability scanner was used on your App Service resource.
+The suspicious activity detected resembles that of tools targeting WordPress applications.
+If your App Service resource isn't hosting a WordPress site, it isn't vulnerable to this specific code injection exploit and you can safely suppress this alert for the resource. To learn how to suppress security alerts, see [Suppress alerts from Microsoft Defender for Cloud](alerts-suppression-rules.md).
+(Applies to: App Service on Windows and App Service on Linux)
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: PreAttack
+
+**Severity**: Low
+
+### **Web fingerprinting detected**
+
+(AppServices_WebFingerprinting)
+
+**Description**: Azure App Service activity log indicates a possible web fingerprinting activity on your App Service resource.
+The suspicious activity detected is associated with a tool called Blind Elephant. The tool fingerprint web servers and tries to detect the installed applications and version.
+Attackers often use this tool for probing the web application to find vulnerabilities.
+(Applies to: App Service on Windows and App Service on Linux)
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: PreAttack
+
+**Severity**: Medium
+
+### **Website is tagged as malicious in threat intelligence feed**
+
+(AppServices_SmartScreen)
+
+**Description**: Your website as described below is marked as a malicious site by Windows SmartScreen. If you think this is a false positive, contact Windows SmartScreen via report feedback link provided.
+(Applies to: App Service on Windows and App Service on Linux)
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Collection
+
+**Severity**: Medium
+
+> [!NOTE]
+> For alerts that are in preview: [!INCLUDE [Legalese](../../includes/defender-for-cloud-preview-legal-text.md)]
+
+## Next steps
+
+- [Security alerts in Microsoft Defender for Cloud](alerts-overview.md)
+- [Manage and respond to security alerts in Microsoft Defender for Cloud](managing-and-responding-alerts.yml)
+- [Continuously export Defender for Cloud data](continuous-export.md)
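Review bot: The alert identifier under "Suspicious process executed" contains a stray space, `(AppServices_KnownCredential AccessTools)`; every other identifier in this file is a single token (for example `AppServices_ProcessWithKnownSuspiciousExtension`), so the space should be removed unless the product really emits it. Two smaller fixes in the same region: the three scanner entries (`AppServices_DrupalScanner`, `AppServices_JoomlaScanner`, `AppServices_WpScanner`) describe a vulnerability scanner but then say the resource "isn't vulnerable to this specific code injection exploit", which reads as copied from the WordPress theme injection entry and should instead say that the scanner's findings don't apply to a resource not hosting that CMS; and the grammar in "This behavior can indicate on attempts to exploit" (`AppServices_UserAgentInjection`) and "The tool fingerprint web servers" (`AppServices_WebFingerprinting`) should be "can indicate attempts to exploit" and "The tool fingerprints web servers".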
defender-for-cloud Alerts Azure Cosmos Db https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/alerts-azure-cosmos-db.md
+
+ Title: Alerts for Azure Cosmos DB
+description: This article lists the security alerts for Azure Cosmos DB visible in Microsoft Defender for Cloud.
++ Last updated : 06/03/2024
+ai-usage: ai-assisted
++
+# Alerts for Azure Cosmos DB
+
+This article lists the security alerts you might get for Azure Cosmos DB from Microsoft Defender for Cloud and any Microsoft Defender plans you enabled. The alerts shown in your environment depend on the resources and services you're protecting, and your customized configuration.
+
+> [!NOTE]
+> Some of the recently added alerts powered by Microsoft Defender Threat Intelligence and Microsoft Defender for Endpoint might be undocumented.
+
+[Learn how to respond to these alerts](managing-and-responding-alerts.yml).
+
+[Learn how to export alerts](continuous-export.md).
+
+> [!NOTE]
+> Alerts from different sources might take different amounts of time to appear. For example, alerts that require analysis of network traffic might take longer to appear than alerts related to suspicious processes running on virtual machines.
+
+## Azure Cosmos DB alerts
+
+[Further details and notes](concept-defender-for-cosmos.md)
+
+### **Access from a Tor exit node**
+
+ (CosmosDB_TorAnomaly)
+
+**Description**: This Azure Cosmos DB account was successfully accessed from an IP address known to be an active exit node of Tor, an anonymizing proxy. Authenticated access from a Tor exit node is a likely indication that a threat actor is trying to hide their identity.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Initial Access
+
+**Severity**: High/Medium
+
+### **Access from a suspicious IP**
+
+(CosmosDB_SuspiciousIp)
+
+**Description**: This Azure Cosmos DB account was successfully accessed from an IP address that was identified as a threat by Microsoft Threat Intelligence.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Initial Access
+
+**Severity**: Medium
+
+### **Access from an unusual location**
+
+(CosmosDB_GeoAnomaly)
+
+**Description**: This Azure Cosmos DB account was accessed from a location considered unfamiliar, based on the usual access pattern.
+
+ Either a threat actor has gained access to the account, or a legitimate user has connected from a new or unusual geographic location
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Initial Access
+
+**Severity**: Low
+
+### **Unusual volume of data extracted**
+
+(CosmosDB_DataExfiltrationAnomaly)
+
+**Description**: An unusually large volume of data has been extracted from this Azure Cosmos DB account. This might indicate that a threat actor exfiltrated data.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Exfiltration
+
+**Severity**: Medium
+
+### **Extraction of Azure Cosmos DB accounts keys via a potentially malicious script**
+
+(CosmosDB_SuspiciousListKeys.MaliciousScript)
+
+**Description**: A PowerShell script was run in your subscription and performed a suspicious pattern of key-listing operations to get the keys of Azure Cosmos DB accounts in your subscription. Threat actors use automated scripts, like Microburst, to list keys and find Azure Cosmos DB accounts they can access.
+
+ This operation might indicate that an identity in your organization was breached, and that the threat actor is trying to compromise Azure Cosmos DB accounts in your environment for malicious intentions.
+
+ Alternatively, a malicious insider could be trying to access sensitive data and perform lateral movement.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Collection
+
+**Severity**: Medium
+
+### **Suspicious extraction of Azure Cosmos DB account keys** (AzureCosmosDB_SuspiciousListKeys.SuspiciousPrincipal)
+
+**Description**: A suspicious source extracted Azure Cosmos DB account access keys from your subscription. If this source is not a legitimate source, this might be a high impact issue. The access key that was extracted provides full control over the associated databases and the data stored within. See the details of each specific alert to understand why the source was flagged as suspicious.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Credential Access
+
+**Severity**: high
+
+### **SQL injection: potential data exfiltration**
+
+(CosmosDB_SqlInjection.DataExfiltration)
+
+**Description**: A suspicious SQL statement was used to query a container in this Azure Cosmos DB account.
+
+ The injected statement might have succeeded in exfiltrating data that the threat actor isn't authorized to access.
+
+ Due to the structure and capabilities of Azure Cosmos DB queries, many known SQL injection attacks on Azure Cosmos DB accounts can't work. However, the variation used in this attack might work and threat actors can exfiltrate data.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Exfiltration
+
+**Severity**: Medium
+
+### **SQL injection: fuzzing attempt**
+
+(CosmosDB_SqlInjection.FailedFuzzingAttempt)
+
+**Description**: A suspicious SQL statement was used to query a container in this Azure Cosmos DB account.
+
+ Like other well-known SQL injection attacks, this attack won't succeed in compromising the Azure Cosmos DB account.
+
+ Nevertheless, it's an indication that a threat actor is trying to attack the resources in this account, and your application might be compromised.
+
+ Some SQL injection attacks can succeed and be used to exfiltrate data. This means that if the attacker continues performing SQL injection attempts, they might be able to compromise your Azure Cosmos DB account and exfiltrate data.
+
+ You can prevent this threat by using parameterized queries.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Pre-attack
+
+**Severity**: Low
+
+> [!NOTE]
+> For alerts that are in preview: [!INCLUDE [Legalese](../../includes/defender-for-cloud-preview-legal-text.md)]
+
+## Next steps
+
+- [Security alerts in Microsoft Defender for Cloud](alerts-overview.md)
+- [Manage and respond to security alerts in Microsoft Defender for Cloud](managing-and-responding-alerts.yml)
+- [Continuously export Defender for Cloud data](continuous-export.md)
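Review bot: The entry "Suspicious extraction of Azure Cosmos DB account keys" breaks the file's layout by putting the identifier on the heading line, `### **Suspicious extraction of Azure Cosmos DB account keys** (AzureCosmosDB_SuspiciousListKeys.SuspiciousPrincipal)`, whereas every other alert places it on its own line below the heading; it also uses the `AzureCosmosDB_` prefix while the rest of the file uses `CosmosDB_`, and its severity is written "high" in lowercase where the others are capitalized. Also in this file: ` (CosmosDB_TorAnomaly)` has a leading space unlike its siblings, the "Access from an unusual location" description ends without a period, and the fuzzing-attempt entry uses the tactic name "Pre-attack" while the App Service alerts in this same change use "PreAttack"; both link to the same anchor, so one spelling should be chosen.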
defender-for-cloud Alerts Azure Ddos Protection https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/alerts-azure-ddos-protection.md
+
+ Title: Alerts for Azure DDoS Protection
+description: This article lists the security alerts for Azure DDoS Protection visible in Microsoft Defender for Cloud.
++ Last updated : 06/03/2024
+ai-usage: ai-assisted
++
+# Alerts for Azure DDoS Protection
+
+This article lists the security alerts you might get for Azure DDoS Protection from Microsoft Defender for Cloud and any Microsoft Defender plans you enabled. The alerts shown in your environment depend on the resources and services you're protecting, and your customized configuration.
+
+> [!NOTE]
+> Some of the recently added alerts powered by Microsoft Defender Threat Intelligence and Microsoft Defender for Endpoint might be undocumented.
+
+[Learn how to respond to these alerts](managing-and-responding-alerts.yml).
+
+[Learn how to export alerts](continuous-export.md).
+
+> [!NOTE]
+> Alerts from different sources might take different amounts of time to appear. For example, alerts that require analysis of network traffic might take longer to appear than alerts related to suspicious processes running on virtual machines.
+
+## Azure DDoS Protection alerts
+
+[Further details and notes](other-threat-protections.md#azure-ddos)
+
+### **DDoS Attack detected for Public IP**
+
+(NETWORK_DDOS_DETECTED)
+
+**Description**: DDoS Attack detected for Public IP (IP address) and being mitigated.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Probing
+
+**Severity**: High
+
+### **DDoS Attack mitigated for Public IP**
+
+(NETWORK_DDOS_MITIGATED)
+
+**Description**: DDoS Attack mitigated for Public IP (IP address).
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Probing
+
+**Severity**: Low
+
+> [!NOTE]
+> For alerts that are in preview: [!INCLUDE [Legalese](../../includes/defender-for-cloud-preview-legal-text.md)]
+
+## Next steps
+
+- [Security alerts in Microsoft Defender for Cloud](alerts-overview.md)
+- [Manage and respond to security alerts in Microsoft Defender for Cloud](managing-and-responding-alerts.yml)
+- [Continuously export Defender for Cloud data](continuous-export.md)
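Review bot: Both DDoS entries list "Probing" as the MITRE tactic while linking to `alerts-reference.md#mitre-attck-tactics`; "Probing" does not appear as a tactic value anywhere else in this change (the sibling files use "PreAttack" for reconnaissance-stage alerts), so either map these to a tactic name from that reference or confirm the anchor actually lists it. Minor: "DDoS Attack detected for Public IP (IP address) and being mitigated." uses a bare "(IP address)" placeholder while the other alert articles use the `%{...}` token form (for example `%{Victim IP}`), so consider the same token style here.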
defender-for-cloud Alerts Azure Key Vault https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/alerts-azure-key-vault.md
+
+ Title: Alerts for Azure Key Vault
+description: This article lists the security alerts for Azure Key Vault visible in Microsoft Defender for Cloud.
++ Last updated : 06/03/2024
+ai-usage: ai-assisted
++
+# Alerts for Azure Key Vault
+
+This article lists the security alerts you might get for Azure Key Vault from Microsoft Defender for Cloud and any Microsoft Defender plans you enabled. The alerts shown in your environment depend on the resources and services you're protecting, and your customized configuration.
+
+> [!NOTE]
+> Some of the recently added alerts powered by Microsoft Defender Threat Intelligence and Microsoft Defender for Endpoint might be undocumented.
+
+[Learn how to respond to these alerts](managing-and-responding-alerts.yml).
+
+[Learn how to export alerts](continuous-export.md).
+
+> [!NOTE]
+> Alerts from different sources might take different amounts of time to appear. For example, alerts that require analysis of network traffic might take longer to appear than alerts related to suspicious processes running on virtual machines.
+
+## Azure Key Vault alerts
+
+[Further details and notes](defender-for-key-vault-introduction.md)
+
+### **Access from a suspicious IP address to a key vault**
+
+(KV_SuspiciousIPAccess)
+
+**Description**: A key vault has been successfully accessed by an IP that has been identified by Microsoft Threat Intelligence as a suspicious IP address. This might indicate that your infrastructure has been compromised. We recommend further investigation. Learn more about [Microsoft's threat intelligence capabilities](https://go.microsoft.com/fwlink/?linkid=2128684).
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Credential Access
+
+**Severity**: Medium
+
+### **Access from a TOR exit node to a key vault**
+
+(KV_TORAccess)
+
+**Description**: A key vault has been accessed from a known TOR exit node. This could be an indication that a threat actor has accessed the key vault and is using the TOR network to hide their source location. We recommend further investigations.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Credential Access
+
+**Severity**: Medium
+
+### **High volume of operations in a key vault**
+
+(KV_OperationVolumeAnomaly)
+
+**Description**: An anomalous number of key vault operations were performed by a user, service principal, and/or a specific key vault. This anomalous activity pattern might be legitimate, but it could be an indication that a threat actor has gained access to the key vault and the secrets contained within it. We recommend further investigations.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Credential Access
+
+**Severity**: Medium
+
+### **Suspicious policy change and secret query in a key vault**
+
+(KV_PutGetAnomaly)
+
+**Description**: A user or service principal has performed an anomalous Vault Put policy change operation followed by one or more Secret Get operations. This pattern is not normally performed by the specified user or service principal. This might be legitimate activity, but it could be an indication that a threat actor has updated the key vault policy to access previously inaccessible secrets. We recommend further investigations.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Credential Access
+
+**Severity**: Medium
+
+### **Suspicious secret listing and query in a key vault**
+
+(KV_ListGetAnomaly)
+
+**Description**: A user or service principal has performed an anomalous Secret List operation followed by one or more Secret Get operations. This pattern is not normally performed by the specified user or service principal and is typically associated with secret dumping. This might be legitimate activity, but it could be an indication that a threat actor has gained access to the key vault and is trying to discover secrets that can be used to move laterally through your network and/or gain access to sensitive resources. We recommend further investigations.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Credential Access
+
+**Severity**: Medium
+
+### **Unusual access denied - User accessing high volume of key vaults denied**
+
+(KV_AccountVolumeAccessDeniedAnomaly)
+
+**Description**: A user or service principal has attempted access to anomalously high volume of key vaults in the last 24 hours. This anomalous access pattern might be legitimate activity. Though this attempt was unsuccessful, it could be an indication of a possible attempt to gain access of key vault and the secrets contained within it. We recommend further investigations.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Discovery
+
+**Severity**: Low
+
+### **Unusual access denied - Unusual user accessing key vault denied**
+
+(KV_UserAccessDeniedAnomaly)
+
+**Description**: A key vault access was attempted by a user that does not normally access it, this anomalous access pattern might be legitimate activity. Though this attempt was unsuccessful, it could be an indication of a possible attempt to gain access of key vault and the secrets contained within it.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Initial Access, Discovery
+
+**Severity**: Low
+
+### **Unusual application accessed a key vault**
+
+(KV_AppAnomaly)
+
+**Description**: A key vault has been accessed by a service principal that doesn't normally access it. This anomalous access pattern might be legitimate activity, but it could be an indication that a threat actor has gained access to the key vault in an attempt to access the secrets contained within it. We recommend further investigations.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Credential Access
+
+**Severity**: Medium
+
+### **Unusual operation pattern in a key vault**
+
+(KV_OperationPatternAnomaly)
+
+**Description**: An anomalous pattern of key vault operations was performed by a user, service principal, and/or a specific key vault. This anomalous activity pattern might be legitimate, but it could be an indication that a threat actor has gained access to the key vault and the secrets contained within it. We recommend further investigations.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Credential Access
+
+**Severity**: Medium
+
+### **Unusual user accessed a key vault**
+
+(KV_UserAnomaly)
+
+**Description**: A key vault has been accessed by a user that does not normally access it. This anomalous access pattern might be legitimate activity, but it could be an indication that a threat actor has gained access to the key vault in an attempt to access the secrets contained within it. We recommend further investigations.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Credential Access
+
+**Severity**: Medium
+
+### **Unusual user-application pair accessed a key vault**
+
+(KV_UserAppAnomaly)
+
+**Description**: A key vault has been accessed by a user-service principal pair that doesn't normally access it. This anomalous access pattern might be legitimate activity, but it could be an indication that a threat actor has gained access to the key vault in an attempt to access the secrets contained within it. We recommend further investigations.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Credential Access
+
+**Severity**: Medium
+
+### **User accessed high volume of key vaults**
+
+(KV_AccountVolumeAnomaly)
+
+**Description**: A user or service principal has accessed an anomalously high volume of key vaults. This anomalous access pattern might be legitimate activity, but it could be an indication that a threat actor has gained access to multiple key vaults in an attempt to access the secrets contained within them. We recommend further investigations.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Credential Access
+
+**Severity**: Medium
+
+### **Denied access from a suspicious IP to a key vault**
+
+(KV_SuspiciousIPAccessDenied)
+
+**Description**: An unsuccessful key vault access has been attempted by an IP that has been identified by Microsoft Threat Intelligence as a suspicious IP address. Though this attempt was unsuccessful, it indicates that your infrastructure might have been compromised. We recommend further investigations.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Credential Access
+
+**Severity**: Low
+
+### **Unusual access to the key vault from a suspicious IP (Non-Microsoft or external)**
+
+(KV_UnusualAccessSuspiciousIP)
+
+**Description**: A user or service principal has attempted anomalous access to key vaults from a non-Microsoft IP in the last 24 hours. This anomalous access pattern might be legitimate activity. It could be an indication of a possible attempt to gain access of the key vault and the secrets contained within it. We recommend further investigations.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Credential Access
+
+**Severity**: Medium
+
+> [!NOTE]
+> For alerts that are in preview: [!INCLUDE [Legalese](../../includes/defender-for-cloud-preview-legal-text.md)]
+
+## Next steps
+
+- [Security alerts in Microsoft Defender for Cloud](alerts-overview.md)
+- [Manage and respond to security alerts in Microsoft Defender for Cloud](managing-and-responding-alerts.yml)
+- [Continuously export Defender for Cloud data](continuous-export.md)
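Review bot: The "Unusual access denied - Unusual user accessing key vault denied" description has a comma splice: "A key vault access was attempted by a user that does not normally access it, this anomalous access pattern might be legitimate activity." should be split into two sentences, and it is the only anomaly entry in this file that omits the closing "We recommend further investigations." The phrase "gain access of key vault" (in `KV_AccountVolumeAccessDeniedAnomaly`, `KV_UserAccessDeniedAnomaly` and `KV_UnusualAccessSuspiciousIP`) should read "gain access to the key vault". Also, this file writes "TOR" in the heading and prose of `KV_TORAccess` while the Cosmos DB file in this same change writes "Tor"; keep the identifier as-is but align the prose on "Tor".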
defender-for-cloud Alerts Azure Network Layer https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/alerts-azure-network-layer.md
+
+ Title: Alerts for Azure network layer
+description: This article lists the security alerts for Azure network layer visible in Microsoft Defender for Cloud.
++ Last updated : 06/03/2024
+ai-usage: ai-assisted
++
+# Alerts for Azure network layer
+
+This article lists the security alerts you might get for Azure network layer from Microsoft Defender for Cloud and any Microsoft Defender plans you enabled. The alerts shown in your environment depend on the resources and services you're protecting, and your customized configuration.
+
+> [!NOTE]
+> Some of the recently added alerts powered by Microsoft Defender Threat Intelligence and Microsoft Defender for Endpoint might be undocumented.
+
+[Learn how to respond to these alerts](managing-and-responding-alerts.yml).
+
+[Learn how to export alerts](continuous-export.md).
+
+> [!NOTE]
+> Alerts from different sources might take different amounts of time to appear. For example, alerts that require analysis of network traffic might take longer to appear than alerts related to suspicious processes running on virtual machines.
+
+## Azure network layer alerts
+
+[Further details and notes](other-threat-protections.md#network-layer)
+
+### **Network communication with a malicious machine detected**
+
+(Network_CommunicationWithC2)
+
+**Description**: Network traffic analysis indicates that your machine (IP %{Victim IP}) has communicated with what is possibly a Command and Control center. When the compromised resource is a load balancer or an application gateway, the suspected activity might indicate that one or more of the resources in the backend pool (of the load balancer or application gateway) has communicated with what is possibly a Command and Control center.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Command and Control
+
+**Severity**: Medium
+
+### **Possible compromised machine detected**
+
+(Network_ResourceIpIndicatedAsMalicious)
+
+**Description**: Threat intelligence indicates that your machine (at IP %{Machine IP}) might have been compromised by a malware of type Conficker. Conficker was a computer worm that targets the Microsoft Windows operating system and was first detected in November 2008. Conficker infected millions of computers including government, business and home computers in over 200 countries/regions, making it the largest known computer worm infection since the 2003 Welchia worm.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Command and Control
+
+**Severity**: Medium
+
+### **Possible incoming %{Service Name} brute force attempts detected**
+
+(Generic_Incoming_BF_OneToOne)
+
+**Description**: Network traffic analysis detected incoming %{Service Name} communication to %{Victim IP}, associated with your resource %{Compromised Host} from %{Attacker IP}. When the compromised resource is a load balancer or an application gateway, the suspected incoming traffic has been forwarded to one or more of the resources in the backend pool (of the load balancer or application gateway). Specifically, sampled network data shows suspicious activity between %{Start Time} and %{End Time} on port %{Victim Port}. This activity is consistent with brute force attempts against %{Service Name} servers.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: PreAttack
+
+**Severity**: Informational
+
+### **Possible incoming SQL brute force attempts detected**
+
+(SQL_Incoming_BF_OneToOne)
+
+**Description**: Network traffic analysis detected incoming SQL communication to %{Victim IP}, associated with your resource %{Compromised Host}, from %{Attacker IP}. When the compromised resource is a load balancer or an application gateway, the suspected incoming traffic has been forwarded to one or more of the resources in the backend pool (of the load balancer or application gateway). Specifically, sampled network data shows suspicious activity between %{Start Time} and %{End Time} on port %{Port Number} (%{SQL Service Type}). This activity is consistent with brute force attempts against SQL servers.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: PreAttack
+
+**Severity**: Medium
+
+### **Possible outgoing denial-of-service attack detected**
+
+(DDOS)
+
+**Description**: Network traffic analysis detected anomalous outgoing activity originating from %{Compromised Host}, a resource in your deployment. This activity might indicate that your resource was compromised and is now engaged in denial-of-service attacks against external endpoints. When the compromised resource is a load balancer or an application gateway, the suspected activity might indicate that one or more of the resources in the backend pool (of the load balancer or application gateway) was compromised. Based on the volume of connections, we believe that the following IPs are possibly the targets of the DOS attack: %{Possible Victims}. Note that it is possible that the communication to some of these IPs is legitimate.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Impact
+
+**Severity**: Medium
+
+### **Suspicious incoming RDP network activity from multiple sources**
+
+(RDP_Incoming_BF_ManyToOne)
+
+**Description**: Network traffic analysis detected anomalous incoming Remote Desktop Protocol (RDP) communication to %{Victim IP}, associated with your resource %{Compromised Host}, from multiple sources. When the compromised resource is a load balancer or an application gateway, the suspected incoming traffic has been forwarded to one or more of the resources in the backend pool (of the load balancer or application gateway). Specifically, sampled network data shows %{Number of Attacking IPs} unique IPs connecting to your resource, which is considered abnormal for this environment. This activity might indicate an attempt to brute force your RDP end point from multiple hosts (Botnet).
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: PreAttack
+
+**Severity**: Medium
+
+### **Suspicious incoming RDP network activity**
+
+(RDP_Incoming_BF_OneToOne)
+
+**Description**: Network traffic analysis detected anomalous incoming Remote Desktop Protocol (RDP) communication to %{Victim IP}, associated with your resource %{Compromised Host}, from %{Attacker IP}. When the compromised resource is a load balancer or an application gateway, the suspected incoming traffic has been forwarded to one or more of the resources in the backend pool (of the load balancer or application gateway). Specifically, sampled network data shows %{Number of Connections} incoming connections to your resource, which is considered abnormal for this environment. This activity might indicate an attempt to brute force your RDP end point
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: PreAttack
+
+**Severity**: Medium
+
+### **Suspicious incoming SSH network activity from multiple sources**
+
+(SSH_Incoming_BF_ManyToOne)
+
+**Description**: Network traffic analysis detected anomalous incoming SSH communication to %{Victim IP}, associated with your resource %{Compromised Host}, from multiple sources. When the compromised resource is a load balancer or an application gateway, the suspected incoming traffic has been forwarded to one or more of the resources in the backend pool (of the load balancer or application gateway). Specifically, sampled network data shows %{Number of Attacking IPs} unique IPs connecting to your resource, which is considered abnormal for this environment. This activity might indicate an attempt to brute force your SSH end point from multiple hosts (Botnet)
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: PreAttack
+
+**Severity**: Medium
+
+### **Suspicious incoming SSH network activity**
+
+(SSH_Incoming_BF_OneToOne)
+
+**Description**: Network traffic analysis detected anomalous incoming SSH communication to %{Victim IP}, associated with your resource %{Compromised Host}, from %{Attacker IP}. When the compromised resource is a load balancer or an application gateway, the suspected incoming traffic has been forwarded to one or more of the resources in the backend pool (of the load balancer or application gateway). Specifically, sampled network data shows %{Number of Connections} incoming connections to your resource, which is considered abnormal for this environment. This activity might indicate an attempt to brute force your SSH end point
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: PreAttack
+
+**Severity**: Medium
+
+### **Suspicious outgoing %{Attacked Protocol} traffic detected**
+
+(PortScanning)
+
+**Description**: Network traffic analysis detected suspicious outgoing traffic from %{Compromised Host} to destination port %{Most Common Port}. When the compromised resource is a load balancer or an application gateway, the suspected outgoing traffic has been originated from to one or more of the resources in the backend pool (of the load balancer or application gateway). This behavior might indicate that your resource is taking part in %{Attacked Protocol} brute force attempts or port sweeping attacks.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Discovery
+
+**Severity**: Medium
+
+### **Suspicious outgoing RDP network activity to multiple destinations**
+
+(RDP_Outgoing_BF_OneToMany)
+
+**Description**: Network traffic analysis detected anomalous outgoing Remote Desktop Protocol (RDP) communication to multiple destinations originating from %{Compromised Host} (%{Attacker IP}), a resource in your deployment. When the compromised resource is a load balancer or an application gateway, the suspected outgoing traffic has been originated from to one or more of the resources in the backend pool (of the load balancer or application gateway). Specifically, sampled network data shows your machine connecting to %{Number of Attacked IPs} unique IPs, which is considered abnormal for this environment. This activity might indicate that your resource was compromised and is now used to brute force external RDP end points. Note that this type of activity could possibly cause your IP to be flagged as malicious by external entities.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Discovery
+
+**Severity**: High
+
+### **Suspicious outgoing RDP network activity**
+
+(RDP_Outgoing_BF_OneToOne)
+
+**Description**: Network traffic analysis detected anomalous outgoing Remote Desktop Protocol (RDP) communication to %{Victim IP} originating from %{Compromised Host} (%{Attacker IP}), a resource in your deployment. When the compromised resource is a load balancer or an application gateway, the suspected outgoing traffic has been originated from to one or more of the resources in the backend pool (of the load balancer or application gateway). Specifically, sampled network data shows %{Number of Connections} outgoing connections from your resource, which is considered abnormal for this environment. This activity might indicate that your machine was compromised and is now used to brute force external RDP end points. Note that this type of activity could possibly cause your IP to be flagged as malicious by external entities.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Lateral Movement
+
+**Severity**: High
+
+### **Suspicious outgoing SSH network activity to multiple destinations**
+
+(SSH_Outgoing_BF_OneToMany)
+
+**Description**: Network traffic analysis detected anomalous outgoing SSH communication to multiple destinations originating from %{Compromised Host} (%{Attacker IP}), a resource in your deployment. When the compromised resource is a load balancer or an application gateway, the suspected outgoing traffic has been originated from to one or more of the resources in the backend pool (of the load balancer or application gateway). Specifically, sampled network data shows your resource connecting to %{Number of Attacked IPs} unique IPs, which is considered abnormal for this environment. This activity might indicate that your resource was compromised and is now used to brute force external SSH end points. Note that this type of activity could possibly cause your IP to be flagged as malicious by external entities.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Discovery
+
+**Severity**: Medium
+
+### **Suspicious outgoing SSH network activity**
+
+(SSH_Outgoing_BF_OneToOne)
+
+**Description**: Network traffic analysis detected anomalous outgoing SSH communication to %{Victim IP} originating from %{Compromised Host} (%{Attacker IP}), a resource in your deployment. When the compromised resource is a load balancer or an application gateway, the suspected outgoing traffic has been originated from to one or more of the resources in the backend pool (of the load balancer or application gateway). Specifically, sampled network data shows %{Number of Connections} outgoing connections from your resource, which is considered abnormal for this environment. This activity might indicate that your resource was compromised and is now used to brute force external SSH end points. Note that this type of activity could possibly cause your IP to be flagged as malicious by external entities.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Lateral Movement
+
+**Severity**: Medium
+
+### **Traffic detected from IP addresses recommended for blocking**
+
+(Network_TrafficFromUnrecommendedIP)
+
+**Description**: Microsoft Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource. Alternatively, the IP address has been flagged as malicious by Defender for Cloud's threat intelligence sources.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Probing
+
+**Severity**: Informational
+
+> [!NOTE]
+> For alerts that are in preview: [!INCLUDE [Legalese](../../includes/defender-for-cloud-preview-legal-text.md)]
+
+## Next steps
+
+- [Security alerts in Microsoft Defender for Cloud](alerts-overview.md)
+- [Manage and respond to security alerts in Microsoft Defender for Cloud](managing-and-responding-alerts.yml)
+- [Continuously export Defender for Cloud data](continuous-export.md)
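Review bot: the five outgoing-traffic descriptions in this hunk (PortScanning, RDP_Outgoing_BF_OneToMany, RDP_Outgoing_BF_OneToOne, SSH_Outgoing_BF_OneToMany, SSH_Outgoing_BF_OneToOne) all carry the same copy-pasted grammatical slip, "the suspected outgoing traffic has been originated from to one or more of the resources in the backend pool"; fix it once as "the suspected outgoing traffic originated from one or more of the resources in the backend pool" and apply it to all five. Smaller points in the same hunk: the RDP_Incoming_BF_OneToOne, SSH_Incoming_BF_ManyToOne and SSH_Incoming_BF_OneToOne descriptions end without a period ("... brute force your SSH end point"), unlike the other entries; "end point" should be "endpoint" throughout; and the tactic value "Probing" on Network_TrafficFromUnrecommendedIP is not a MITRE ATT&CK tactic name, so it either needs an entry in the linked tactics section or should be replaced with the tactic this alert actually maps to (the four brute-force alerts above it use "PreAttack").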
defender-for-cloud Alerts Azure Storage https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/alerts-azure-storage.md
+
+ Title: Alerts for Azure Storage
+description: This article lists the security alerts for Azure Storage visible in Microsoft Defender for Cloud.
++ Last updated : 06/03/2024
+ai-usage: ai-assisted
++
+# Alerts for Azure Storage
+
+This article lists the security alerts you might get for Azure Storage from Microsoft Defender for Cloud and any Microsoft Defender plans you enabled. The alerts shown in your environment depend on the resources and services you're protecting, and your customized configuration.
+
+> [!NOTE]
+> Some of the recently added alerts powered by Microsoft Defender Threat Intelligence and Microsoft Defender for Endpoint might be undocumented.
+
+[Learn how to respond to these alerts](managing-and-responding-alerts.yml).
+
+[Learn how to export alerts](continuous-export.md).
+
+> [!NOTE]
+> Alerts from different sources might take different amounts of time to appear. For example, alerts that require analysis of network traffic might take longer to appear than alerts related to suspicious processes running on virtual machines.
+
+## Azure Storage alerts
+
+[Further details and notes](defender-for-storage-introduction.md)
+
+### **Access from a suspicious application**
+
+(Storage.Blob_SuspiciousApp)
+
+**Description**: Indicates that a suspicious application has successfully accessed a container of a storage account with authentication.
+This might indicate that an attacker has obtained the credentials necessary to access the account, and is exploiting it. This could also be an indication of a penetration test carried out in your organization.
+Applies to: Azure Blob Storage, Azure Data Lake Storage Gen2
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Initial Access
+
+**Severity**: High/Medium
+
+### **Access from a suspicious IP address**
+
+(Storage.Blob_SuspiciousIp
+Storage.Files_SuspiciousIp)
+
+**Description**: Indicates that this storage account has been successfully accessed from an IP address that is considered suspicious. This alert is powered by Microsoft Threat Intelligence.
+Learn more about [Microsoft's threat intelligence capabilities](https://go.microsoft.com/fwlink/?linkid=2128684).
+Applies to: Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Pre Attack
+
+**Severity**: High/Medium/Low
+
+### **Phishing content hosted on a storage account**
+
+(Storage.Blob_PhishingContent
+Storage.Files_PhishingContent)
+
+**Description**: A URL used in a phishing attack points to your Azure Storage account. This URL was part of a phishing attack affecting users of Microsoft 365.
+Typically, content hosted on such pages is designed to trick visitors into entering their corporate credentials or financial information into a web form that looks legitimate.
+This alert is powered by Microsoft Threat Intelligence.
+Learn more about [Microsoft's threat intelligence capabilities](https://go.microsoft.com/fwlink/?linkid=2128684).
+Applies to: Azure Blob Storage, Azure Files
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Collection
+
+**Severity**: High
+
+### **Storage account identified as source for distribution of malware**
+
+(Storage.Files_WidespreadeAm)
+
+**Description**: Antimalware alerts indicate that an infected file(s) is stored in an Azure file share that is mounted to multiple VMs. If attackers gain access to a VM with a mounted Azure file share, they can use it to spread malware to other VMs that mount the same share.
+Applies to: Azure Files
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Execution
+
+**Severity**: Medium
+
+### **The access level of a potentially sensitive storage blob container was changed to allow unauthenticated public access**
+
+(Storage.Blob_OpenACL)
+
+**Description**: The alert indicates that someone has changed the access level of a blob container in the storage account, which might contain sensitive data, to the 'Container' level, to allow unauthenticated (anonymous) public access. The change was made through the Azure portal.
+Based on statistical analysis, the blob container is flagged as possibly containing sensitive data. This analysis suggests that blob containers or storage accounts with similar names are typically not exposed to public access.
+Applies to: Azure Blob (Standard general-purpose v2, Azure Data Lake Storage Gen2, or premium block blobs) storage accounts.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Collection
+
+**Severity**: Medium
+
+### **Authenticated access from a Tor exit node**
+
+(Storage.Blob_TorAnomaly
+Storage.Files_TorAnomaly)
+
+**Description**: One or more storage container(s) / file share(s) in your storage account were successfully accessed from an IP address known to be an active exit node of Tor (an anonymizing proxy). Threat actors use Tor to make it difficult to trace the activity back to them. Authenticated access from a Tor exit node is a likely indication that a threat actor is trying to hide their identity.
+Applies to: Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Initial Access / Pre Attack
+
+**Severity**: High/Medium
+
+### **Access from an unusual location to a storage account**
+
+(Storage.Blob_GeoAnomaly
+Storage.Files_GeoAnomaly)
+
+**Description**: Indicates that there was a change in the access pattern to an Azure Storage account. Someone has accessed this account from an IP address considered unfamiliar when compared with recent activity. Either an attacker has gained access to the account, or a legitimate user has connected from a new or unusual geographic location. An example of the latter is remote maintenance from a new application or developer.
+Applies to: Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Initial Access
+
+**Severity**: High/Medium/Low
+
+### **Unusual unauthenticated access to a storage container**
+
+(Storage.Blob_AnonymousAccessAnomaly)
+
+**Description**: This storage account was accessed without authentication, which is a change in the common access pattern. Read access to this container is usually authenticated. This might indicate that a threat actor was able to exploit public read access to storage container(s) in this storage account(s).
+Applies to: Azure Blob Storage
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Initial Access
+
+**Severity**: High/Low
+
+### **Potential malware uploaded to a storage account**
+
+(Storage.Blob_MalwareHashReputation
+Storage.Files_MalwareHashReputation)
+
+**Description**: Indicates that a blob containing potential malware has been uploaded to a blob container or a file share in a storage account. This alert is based on hash reputation analysis leveraging the power of Microsoft threat intelligence, which includes hashes for viruses, trojans, spyware and ransomware. Potential causes might include an intentional malware upload by an attacker, or an unintentional upload of a potentially malicious blob by a legitimate user.
+Applies to: Azure Blob Storage, Azure Files (Only for transactions over REST API)
+Learn more about [Microsoft's threat intelligence capabilities](https://go.microsoft.com/fwlink/?linkid=2128684).
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Lateral Movement
+
+**Severity**: High
+
+### **Publicly accessible storage containers successfully discovered**
+
+(Storage.Blob_OpenContainersScanning.SuccessfulDiscovery)
+
+**Description**: A successful discovery of publicly open storage container(s) in your storage account was performed in the last hour by a scanning script or tool.
+
+This usually indicates a reconnaissance attack, where the threat actor tries to list blobs by guessing container names, in the hope of finding misconfigured open storage containers with sensitive data in them.
+
+The threat actor might use their own script or use known scanning tools like Microburst to scan for publicly open containers.
+
+Γ£ö Azure Blob Storage
+Γ£û Azure Files
+Γ£û Azure Data Lake Storage Gen2
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Collection
+
+**Severity**: High/Medium
+
+### **Publicly accessible storage containers unsuccessfully scanned**
+
+(Storage.Blob_OpenContainersScanning.FailedAttempt)
+
+**Description**: A series of failed attempts to scan for publicly open storage containers were performed in the last hour.
+
+This usually indicates a reconnaissance attack, where the threat actor tries to list blobs by guessing container names, in the hope of finding misconfigured open storage containers with sensitive data in them.
+
+The threat actor might use their own script or use known scanning tools like Microburst to scan for publicly open containers.
+
+Γ£ö Azure Blob Storage
+Γ£û Azure Files
+Γ£û Azure Data Lake Storage Gen2
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Collection
+
+**Severity**: High/Low
+
+### **Unusual access inspection in a storage account**
+
+(Storage.Blob_AccessInspectionAnomaly
+Storage.Files_AccessInspectionAnomaly)
+
+**Description**: Indicates that the access permissions of a storage account have been inspected in an unusual way, compared to recent activity on this account. A potential cause is that an attacker has performed reconnaissance for a future attack.
+Applies to: Azure Blob Storage, Azure Files
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Discovery
+
+**Severity**: High/Medium
+
+### **Unusual amount of data extracted from a storage account**
+
+(Storage.Blob_DataExfiltration.AmountOfDataAnomaly
+Storage.Blob_DataExfiltration.NumberOfBlobsAnomaly
+Storage.Files_DataExfiltration.AmountOfDataAnomaly
+Storage.Files_DataExfiltration.NumberOfFilesAnomaly)
+
+**Description**: Indicates that an unusually large amount of data has been extracted compared to recent activity on this storage container. A potential cause is that an attacker has extracted a large amount of data from a container that holds blob storage.
+Applies to: Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Exfiltration
+
+**Severity**: High/Low
+
+### **Unusual application accessed a storage account**
+
+(Storage.Blob_ApplicationAnomaly
+Storage.Files_ApplicationAnomaly)
+
+**Description**: Indicates that an unusual application has accessed this storage account. A potential cause is that an attacker has accessed your storage account by using a new application.
+Applies to: Azure Blob Storage, Azure Files
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Execution
+
+**Severity**: High/Medium
+
+### **Unusual data exploration in a storage account**
+
+(Storage.Blob_DataExplorationAnomaly
+Storage.Files_DataExplorationAnomaly)
+
+**Description**: Indicates that blobs or containers in a storage account have been enumerated in an abnormal way, compared to recent activity on this account. A potential cause is that an attacker has performed reconnaissance for a future attack.
+Applies to: Azure Blob Storage, Azure Files
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Execution
+
+**Severity**: High/Medium
+
+### **Unusual deletion in a storage account**
+
+(Storage.Blob_DeletionAnomaly
+Storage.Files_DeletionAnomaly)
+
+**Description**: Indicates that one or more unexpected delete operations has occurred in a storage account, compared to recent activity on this account. A potential cause is that an attacker has deleted data from your storage account.
+Applies to: Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Exfiltration
+
+**Severity**: High/Medium
+
+### **Unusual unauthenticated public access to a sensitive blob container (Preview)**
+
+Storage.Blob_AnonymousAccessAnomaly.Sensitive
+
+**Description**: The alert indicates that someone accessed a blob container with sensitive data in the storage account without authentication, using an external (public) IP address. This access is suspicious since the blob container is open to public access and is typically only accessed with authentication from internal networks (private IP addresses). This access could indicate that the blob container's access level is misconfigured, and a malicious actor might have exploited the public access. The security alert includes the discovered sensitive information context (scanning time, classification label, information types, and file types). Learn more on sensitive data threat detection.
+ Applies to: Azure Blob (Standard general-purpose v2, Azure Data Lake Storage Gen2, or premium block blobs) storage accounts with the new Defender for Storage plan with the data sensitivity threat detection feature enabled.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Initial Access
+
+**Severity**: High
+
+### **Unusual amount of data extracted from a sensitive blob container (Preview)**
+
+Storage.Blob_DataExfiltration.AmountOfDataAnomaly.Sensitive
+
+**Description**: The alert indicates that someone has extracted an unusually large amount of data from a blob container with sensitive data in the storage account. Applies to: Azure Blob (Standard general-purpose v2, Azure Data Lake Storage Gen2, or premium block blobs) storage accounts with the new Defender for Storage plan with the data sensitivity threat detection feature enabled.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Exfiltration
+
+**Severity**: Medium
+
+### **Unusual number of blobs extracted from a sensitive blob container (Preview)**
+
+Storage.Blob_DataExfiltration.NumberOfBlobsAnomaly.Sensitive
+
+**Description**: The alert indicates that someone has extracted an unusually large number of blobs from a blob container with sensitive data in the storage account. Applies to: Azure Blob (Standard general-purpose v2, Azure Data Lake Storage Gen2 or premium block blobs) storage accounts with the new Defender for Storage plan with the data sensitivity threat detection feature enabled.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Exfiltration
+
+### **Access from a known suspicious application to a sensitive blob container (Preview)**
+
+Storage.Blob_SuspiciousApp.Sensitive
+
+**Description**: The alert indicates that someone with a known suspicious application accessed a blob container with sensitive data in the storage account and performed authenticated operations.
+The access might indicate that a threat actor obtained credentials to access the storage account by using a known suspicious application. However, the access could also indicate a penetration test carried out in the organization.
+Applies to: Azure Blob (Standard general-purpose v2, Azure Data Lake Storage Gen2 or premium block blobs) storage accounts with the new Defender for Storage plan with the data sensitivity threat detection feature enabled.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Initial Access
+
+**Severity**: High
+
+### **Access from a known suspicious IP address to a sensitive blob container (Preview)**
+
+Storage.Blob_SuspiciousIp.Sensitive
+
+**Description**: The alert indicates that someone accessed a blob container with sensitive data in the storage account from a known suspicious IP address associated with threat intel by Microsoft Threat Intelligence. Since the access was authenticated, it's possible that the credentials allowing access to this storage account were compromised.
+Learn more about [Microsoft's threat intelligence capabilities](https://go.microsoft.com/fwlink/?linkid=2128684).
+Applies to: Azure Blob (Standard general-purpose v2, Azure Data Lake Storage Gen2, or premium block blobs) storage accounts with the new Defender for Storage plan with the data sensitivity threat detection feature enabled.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Pre-Attack
+
+**Severity**: High
+
+### **Access from a Tor exit node to a sensitive blob container (Preview)**
+
+Storage.Blob_TorAnomaly.Sensitive
+
+**Description**: The alert indicates that someone with an IP address known to be a Tor exit node accessed a blob container with sensitive data in the storage account with authenticated access. Authenticated access from a Tor exit node strongly indicates that the actor is attempting to remain anonymous for possible malicious intent. Since the access was authenticated, it's possible that the credentials allowing access to this storage account were compromised.
+Applies to: Azure Blob (Standard general-purpose v2, Azure Data Lake Storage Gen2, or premium block blobs) storage accounts with the new Defender for Storage plan with the data sensitivity threat detection feature enabled.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Pre-Attack
+
+**Severity**: High
+
+### **Access from an unusual location to a sensitive blob container (Preview)**
+
+Storage.Blob_GeoAnomaly.Sensitive
+
+**Description**: The alert indicates that someone has accessed blob container with sensitive data in the storage account with authentication from an unusual location. Since the access was authenticated, it's possible that the credentials allowing access to this storage account were compromised.
+Applies to: Azure Blob (Standard general-purpose v2, Azure Data Lake Storage Gen2, or premium block blobs) storage accounts with the new Defender for Storage plan with the data sensitivity threat detection feature enabled.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Initial Access
+
+**Severity**: Medium
+
+### **The access level of a sensitive storage blob container was changed to allow unauthenticated public access (Preview)**
+
+Storage.Blob_OpenACL.Sensitive
+
+**Description**: The alert indicates that someone has changed the access level of a blob container in the storage account, which contains sensitive data, to the 'Container' level, which allows unauthenticated (anonymous) public access. The change was made through the Azure portal.
+The access level change might compromise the security of the data. We recommend taking immediate action to secure the data and prevent unauthorized access in case this alert is triggered.
+Applies to: Azure Blob (Standard general-purpose v2, Azure Data Lake Storage Gen2, or premium block blobs) storage accounts with the new Defender for Storage plan with the data sensitivity threat detection feature enabled.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Collection
+
+**Severity**: High
+
+### **Suspicious external access to an Azure storage account with overly permissive SAS token (Preview)**
+
+Storage.Blob_AccountSas.InternalSasUsedExternally
+
+**Description**: The alert indicates that someone with an external (public) IP address accessed the storage account using an overly permissive SAS token with a long expiration date. This type of access is considered suspicious because the SAS token is typically only used in internal networks (from private IP addresses).
+The activity might indicate that a SAS token has been leaked by a malicious actor or leaked unintentionally from a legitimate source.
+Even if the access is legitimate, using a high-permission SAS token with a long expiration date goes against security best practices and poses a potential security risk.
+Applies to: Azure Blob (Standard general-purpose v2, Azure Data Lake Storage Gen2, or premium block blobs) storage accounts with the new Defender for Storage plan.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Exfiltration / Resource Development / Impact
+
+**Severity**: Medium
+
+### **Suspicious external operation to an Azure storage account with overly permissive SAS token (Preview)**
+
+Storage.Blob_AccountSas.UnusualOperationFromExternalIp
+
+**Description**: The alert indicates that someone with an external (public) IP address accessed the storage account using an overly permissive SAS token with a long expiration date. The access is considered suspicious because operations invoked outside your network (not from private IP addresses) with this SAS token are typically used for a specific set of Read/Write/Delete operations, but other operations occurred, which makes this access suspicious.
+This activity might indicate that a SAS token has been leaked by a malicious actor or leaked unintentionally from a legitimate source.
+Even if the access is legitimate, using a high-permission SAS token with a long expiration date goes against security best practices and poses a potential security risk.
+Applies to: Azure Blob (Standard general-purpose v2, Azure Data Lake Storage Gen2, or premium block blobs) storage accounts with the new Defender for Storage plan.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Exfiltration / Resource Development / Impact
+
+**Severity**: Medium
+
+### **Unusual SAS token was used to access an Azure storage account from a public IP address (Preview)**
+
+Storage.Blob_AccountSas.UnusualExternalAccess
+
+**Description**: The alert indicates that someone with an external (public) IP address has accessed the storage account using an account SAS token. The access is highly unusual and considered suspicious, as access to the storage account using SAS tokens typically comes only from internal (private) IP addresses.
+It's possible that a SAS token was leaked or generated by a malicious actor either from within your organization or externally to gain access to this storage account.
+Applies to: Azure Blob (Standard general-purpose v2, Azure Data Lake Storage Gen2, or premium block blobs) storage accounts with the new Defender for Storage plan.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Exfiltration / Resource Development / Impact
+
+**Severity**: Low
+
+### **Malicious file uploaded to storage account**
+
+Storage.Blob_AM.MalwareFound
+
+**Description**: The alert indicates that a malicious blob was uploaded to a storage account. This security alert is generated by the Malware Scanning feature in Defender for Storage.
+Potential causes might include an intentional upload of malware by a threat actor or an unintentional upload of a malicious file by a legitimate user.
+Applies to: Azure Blob (Standard general-purpose v2, Azure Data Lake Storage Gen2, or premium block blobs) storage accounts with the new Defender for Storage plan with the Malware Scanning feature enabled.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Lateral Movement
+
+**Severity**: High
+
+### **Malicious blob was downloaded from a storage account (Preview)**
+
+Storage.Blob_MalwareDownload
+
+**Description**: The alert indicates that a malicious blob was downloaded from a storage account. Potential causes might include malware that was uploaded to the storage account and not removed or quarantined, thereby enabling a threat actor to download it, or an unintentional download of the malware by legitimate users or applications.
+Applies to: Azure Blob (Standard general-purpose v2, Azure Data Lake Storage Gen2 or premium block blobs) storage accounts with the new Defender for Storage plan with the Malware Scanning feature enabled.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Lateral Movement
+
+**Severity**: High, if Eicar - low
+
+> [!NOTE]
+> For alerts that are in preview: [!INCLUDE [Legalese](../../includes/defender-for-cloud-preview-legal-text.md)]
+
+## Next steps
+
+- [Security alerts in Microsoft Defender for Cloud](alerts-overview.md)
+- [Manage and respond to security alerts in Microsoft Defender for Cloud](managing-and-responding-alerts.yml)
+- [Continuously export Defender for Cloud data](continuous-export.md)
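Review bot: the two container-scanning entries (Storage.Blob_OpenContainersScanning.SuccessfulDiscovery and Storage.Blob_OpenContainersScanning.FailedAttempt) have mojibake in their applicability lines, "Γ£ö Azure Blob Storage" / "Γ£û Azure Files", where check and cross marks were saved in the wrong encoding; replace them with the "Applies to: Azure Blob Storage" line format that every other alert in this file uses. Other inconsistencies in the same hunk worth fixing before merge: from Storage.Blob_AnonymousAccessAnomaly.Sensitive onward the alert IDs are listed without the surrounding parentheses used earlier in the file; "Unusual number of blobs extracted from a sensitive blob container (Preview)" has no **Severity** line at all; in the two "Unusual amount/number ... (Preview)" entries the "Applies to:" sentence is run onto the end of the description instead of its own line, and the Storage.Blob_AnonymousAccessAnomaly.Sensitive entry has a stray leading space before "Applies to:"; the MITRE tactic is spelled "Pre Attack" for Storage.Blob_SuspiciousIp but "Pre-Attack" for the .Sensitive variants; the severity "High, if Eicar - low" for Storage.Blob_MalwareDownload should follow the "High/Low" pattern used elsewhere, for example "High (Low for EICAR test files)"; and "Learn more on sensitive data threat detection." in the AnonymousAccessAnomaly.Sensitive description has no link, unlike the other "Learn more" references. Finally, "Unusual deletion in a storage account" is mapped to the Exfiltration tactic, while data destruction is an Impact technique in ATT&CK; please confirm that mapping is intended.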
defender-for-cloud Alerts Azure Vm Extensions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/alerts-azure-vm-extensions.md
+
+ Title: Alerts for Azure VM extensions
+description: This article lists the security alerts for Azure VM extensions visible in Microsoft Defender for Cloud.
++ Last updated : 06/03/2024
+ai-usage: ai-assisted
++
+# Alerts for Azure VM extensions
+
+This article lists the security alerts you might get for Azure VM extensions from Microsoft Defender for Cloud and any Microsoft Defender plans you enabled. The alerts shown in your environment depend on the resources and services you're protecting, and your customized configuration.
+
+> [!NOTE]
+> Some of the recently added alerts powered by Microsoft Defender Threat Intelligence and Microsoft Defender for Endpoint might be undocumented.
+
+[Learn how to respond to these alerts](managing-and-responding-alerts.yml).
+
+[Learn how to export alerts](continuous-export.md).
+
+> [!NOTE]
+> Alerts from different sources might take different amounts of time to appear. For example, alerts that require analysis of network traffic might take longer to appear than alerts related to suspicious processes running on virtual machines.
+
+## Azure VM extensions alerts
+
+These alerts focus on detecting suspicious activities of Azure virtual machine extensions and provides insights into attackers' attempts to compromise and perform malicious activities on your virtual machines.
+
+Azure virtual machine extensions are small applications that run post-deployment on virtual machines and provide capabilities such as configuration, automation, monitoring, security, and more. While extensions are a powerful tool, they can be used by threat actors for various malicious intents, for example:
+
+- Data collection and monitoring
+
+- Code execution and configuration deployment with high privileges
+
+- Resetting credentials and creating administrative users
+
+- Encrypting disks
+
+Learn more about [Defender for Cloud latest protections against the abuse of Azure VM extensions](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/microsoft-defender-for-cloud-latest-protection-against/ba-p/3970121).
+
+### **Suspicious failure installing GPU extension in your subscription (Preview)**
+
+(VM_GPUExtensionSuspiciousFailure)
+
+**Description**: Suspicious intent of installing a GPU extension on unsupported VMs. This extension should be installed on virtual machines equipped with a graphic processor, and in this case the virtual machines are not equipped with such. These failures can be seen when malicious adversaries execute multiple installations of such extension for crypto-mining purposes.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Impact
+
+**Severity**: Medium
+
+### **Suspicious installation of a GPU extension was detected on your virtual machine (Preview)**
+
+(VM_GPUDriverExtensionUnusualExecution)
+
+**Description**: Suspicious installation of a GPU extension was detected on your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Attackers might use the GPU driver extension to install GPU drivers on your virtual machine via the Azure Resource Manager to perform cryptojacking. This activity is deemed suspicious as the principal's behavior departs from its usual patterns.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Impact
+
+**Severity**: Low
+
+### **Run Command with a suspicious script was detected on your virtual machine (Preview)**
+
+(VM_RunCommandSuspiciousScript)
+
+**Description**: A Run Command with a suspicious script was detected on your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Attackers might use Run Command to execute malicious code with high privileges on your virtual machine via the Azure Resource Manager. The script is deemed suspicious as certain parts were identified as being potentially malicious.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Execution
+
+**Severity**: High
+
+### **Suspicious unauthorized Run Command usage was detected on your virtual machine (Preview)**
+
+(VM_RunCommandSuspiciousFailure)
+
+**Description**: Suspicious unauthorized usage of Run Command has failed and was detected on your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Attackers might attempt to use Run Command to execute malicious code with high privileges on your virtual machines via the Azure Resource Manager. This activity is deemed suspicious as it hasn't been commonly seen before.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Execution
+
+**Severity**: Medium
+
+### **Suspicious Run Command usage was detected on your virtual machine (Preview)**
+
+(VM_RunCommandSuspiciousUsage)
+
+**Description**: Suspicious usage of Run Command was detected on your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Attackers might use Run Command to execute malicious code with high privileges on your virtual machines via the Azure Resource Manager. This activity is deemed suspicious as it hasn't been commonly seen before.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Execution
+
+**Severity**: Low
+
+### **Suspicious usage of multiple monitoring or data collection extensions was detected on your virtual machines (Preview)**
+
+(VM_SuspiciousMultiExtensionUsage)
+
+**Description**: Suspicious usage of multiple monitoring or data collection extensions was detected on your virtual machines by analyzing the Azure Resource Manager operations in your subscription. Attackers might abuse such extensions for data collection, network traffic monitoring, and more, in your subscription. This usage is deemed suspicious as it hasn't been commonly seen before.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Reconnaissance
+
+**Severity**: Medium
+
+### **Suspicious installation of disk encryption extensions was detected on your virtual machines (Preview)**
+
+(VM_DiskEncryptionSuspiciousUsage)
+
+**Description**: Suspicious installation of disk encryption extensions was detected on your virtual machines by analyzing the Azure Resource Manager operations in your subscription. Attackers might abuse the disk encryption extension to deploy full disk encryptions on your virtual machines via the Azure Resource Manager in an attempt to perform ransomware activity. This activity is deemed suspicious as it hasn't been commonly seen before and due to the high number of extension installations.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Impact
+
+**Severity**: Medium
+
+### **Suspicious usage of VMAccess extension was detected on your virtual machines (Preview)**
+
+(VM_VMAccessSuspiciousUsage)
+
+**Description**: Suspicious usage of VMAccess extension was detected on your virtual machines. Attackers might abuse the VMAccess extension to gain access and compromise your virtual machines with high privileges by resetting access or managing administrative users. This activity is deemed suspicious as the principal's behavior departs from its usual patterns, and due to the high number of the extension installations.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Persistence
+
+**Severity**: Medium
+
+### **Desired State Configuration (DSC) extension with a suspicious script was detected on your virtual machine (Preview)**
+
+(VM_DSCExtensionSuspiciousScript)
+
+**Description**: Desired State Configuration (DSC) extension with a suspicious script was detected on your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Attackers might use the Desired State Configuration (DSC) extension to deploy malicious configurations, such as persistence mechanisms, malicious scripts, and more, with high privileges, on your virtual machines. The script is deemed suspicious as certain parts were identified as being potentially malicious.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Execution
+
+**Severity**: High
+
+### **Suspicious usage of a Desired State Configuration (DSC) extension was detected on your virtual machines (Preview)**
+
+(VM_DSCExtensionSuspiciousUsage)
+
+**Description**: Suspicious usage of a Desired State Configuration (DSC) extension was detected on your virtual machines by analyzing the Azure Resource Manager operations in your subscription. Attackers might use the Desired State Configuration (DSC) extension to deploy malicious configurations, such as persistence mechanisms, malicious scripts, and more, with high privileges, on your virtual machines. This activity is deemed suspicious as the principal's behavior departs from its usual patterns, and due to the high number of the extension installations.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Execution
+
+**Severity**: Low
+
+### **Custom script extension with a suspicious script was detected on your virtual machine (Preview)**
+
+(VM_CustomScriptExtensionSuspiciousCmd)
+
+**Description**: Custom script extension with a suspicious script was detected on your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Attackers might use Custom script extension to execute malicious code with high privileges on your virtual machine via the Azure Resource Manager. The script is deemed suspicious as certain parts were identified as being potentially malicious.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Execution
+
+**Severity**: High
+
+### **Suspicious failed execution of custom script extension in your virtual machine**
+
+(VM_CustomScriptExtensionSuspiciousFailure)
+
+**Description**: Suspicious failure of a custom script extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Such failures might be associated with malicious scripts run by this extension.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Execution
+
+**Severity**: Medium
+
+### **Unusual deletion of custom script extension in your virtual machine**
+
+(VM_CustomScriptExtensionUnusualDeletion)
+
+**Description**: Unusual deletion of a custom script extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Attackers might use custom script extensions to execute malicious code on your virtual machines via the Azure Resource Manager.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Execution
+
+**Severity**: Medium
+
+### **Unusual execution of custom script extension in your virtual machine**
+
+(VM_CustomScriptExtensionUnusualExecution)
+
+**Description**: Unusual execution of a custom script extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Attackers might use custom script extensions to execute malicious code on your virtual machines via the Azure Resource Manager.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Execution
+
+**Severity**: Medium
+
+### **Custom script extension with suspicious entry-point in your virtual machine**
+
+(VM_CustomScriptExtensionSuspiciousEntryPoint)
+
+**Description**: Custom script extension with a suspicious entry-point was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. The entry-point refers to a suspicious GitHub repository. Attackers might use custom script extensions to execute malicious code on your virtual machines via the Azure Resource Manager.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Execution
+
+**Severity**: Medium
+
+### **Custom script extension with suspicious payload in your virtual machine**
+
+(VM_CustomScriptExtensionSuspiciousPayload)
+
+**Description**: Custom script extension with a payload from a suspicious GitHub repository was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Attackers might use custom script extensions to execute malicious code on your virtual machines via the Azure Resource Manager.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Execution
+
+**Severity**: Medium
+
+> [!NOTE]
+> For alerts that are in preview: [!INCLUDE [Legalese](../../includes/defender-for-cloud-preview-legal-text.md)]
+
+## Next steps
+
+- [Security alerts in Microsoft Defender for Cloud](alerts-overview.md)
+- [Manage and respond to security alerts in Microsoft Defender for Cloud](managing-and-responding-alerts.yml)
+- [Continuously export Defender for Cloud data](continuous-export.md)
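Review bot: subject-verb agreement is off in the "Azure VM extensions alerts" intro: "These alerts focus on ... and provides insights" should read "and provide insights". Two descriptions also read awkwardly: VM_GPUExtensionSuspiciousFailure ends "the virtual machines are not equipped with such" (suggest "are not equipped with one"), and VM_RunCommandSuspiciousFailure opens "Suspicious unauthorized usage of Run Command has failed and was detected" (suggest "A failed, unauthorized attempt to use Run Command was detected"). A documentation point: VM_RunCommandSuspiciousFailure and VM_RunCommandSuspiciousUsage share the same rationale sentence ("hasn't been commonly seen before"); saying plainly that the first fires on failed operations and the second on successful ones would help responders make sense of the Medium versus Low severities.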
defender-for-cloud Alerts Containers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/alerts-containers.md
+
+ Title: Alerts for containers - Kubernetes clusters
+description: This article lists the security alerts for containers and Kubernetes clusters visible in Microsoft Defender for Cloud.
++ Last updated : 06/03/2024
+ai-usage: ai-assisted
++
+# Alerts for containers - Kubernetes clusters
+
+This article lists the security alerts you might get for containers and Kubernetes clusters from Microsoft Defender for Cloud and any Microsoft Defender plans you enabled. The alerts shown in your environment depend on the resources and services you're protecting, and your customized configuration.
+
+> [!NOTE]
+> Some of the recently added alerts powered by Microsoft Defender Threat Intelligence and Microsoft Defender for Endpoint might be undocumented.
+
+[Learn how to respond to these alerts](managing-and-responding-alerts.yml).
+
+[Learn how to export alerts](continuous-export.md).
+
+> [!NOTE]
+> Alerts from different sources might take different amounts of time to appear. For example, alerts that require analysis of network traffic might take longer to appear than alerts related to suspicious processes running on virtual machines.
+
+## Alerts for containers and Kubernetes clusters
+
+Microsoft Defender for Containers provides security alerts on the cluster level and on the underlying cluster nodes by monitoring both control plane (API server) and the containerized workload itself. Control plane security alerts can be recognized by a prefix of `K8S_` of the alert type. Security alerts for runtime workload in the clusters can be recognized by the `K8S.NODE_` prefix of the alert type. All alerts are supported on Linux only, unless otherwise indicated.
+
+[Further details and notes](defender-for-containers-introduction.md#run-time-protection-for-kubernetes-nodes-and-clusters)
+
+### **Exposed Postgres service with trust authentication configuration in Kubernetes detected (Preview)**
+
+(K8S_ExposedPostgresTrustAuth)
+
+**Description**: Kubernetes cluster configuration analysis detected exposure of a Postgres service by a load balancer. The service is configured with trust authentication method, which doesn't require credentials.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: InitialAccess
+
+**Severity**: Medium
+
+### **Exposed Postgres service with risky configuration in Kubernetes detected (Preview)**
+
+(K8S_ExposedPostgresBroadIPRange)
+
+**Description**: Kubernetes cluster configuration analysis detected exposure of a Postgres service by a load balancer with a risky configuration. Exposing the service to a wide range of IP addresses poses a security risk.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: InitialAccess
+
+**Severity**: Medium
+
+### **Attempt to create a new Linux namespace from a container detected**
+
+(K8S.NODE_NamespaceCreation) <sup>[1](#footnote1)</sup>
+
+**Description**: Analysis of processes running within a container in Kubernetes cluster detected an attempt to create a new Linux namespace. While this behavior might be legitimate, it might indicate that an attacker tries to escape from the container to the node. Some CVE-2022-0185 exploitations use this technique.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: PrivilegeEscalation
+
+**Severity**: Informational
+
+### **A history file has been cleared**
+
+(K8S.NODE_HistoryFileCleared) <sup>[1](#footnote1)</sup>
+
+**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected that the command history log file has been cleared. Attackers might do this to cover their tracks. The operation was performed by the specified user account.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: DefenseEvasion
+
+**Severity**: Medium
+
+### **Abnormal activity of managed identity associated with Kubernetes (Preview)**
+
+(K8S_AbnormalMiActivity)
+
+**Description**: Analysis of Azure Resource Manager operations detected an abnormal behavior of a managed identity used by an AKS addon. The detected activity isn\'t consistent with the behavior of the associated addon. While this activity can be legitimate, such behavior might indicate that the identity was gained by an attacker, possibly from a compromised container in the Kubernetes cluster.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Lateral Movement
+
+**Severity**: Medium
+
+### **Abnormal Kubernetes service account operation detected**
+
+(K8S_ServiceAccountRareOperation)
+
+**Description**: Kubernetes audit log analysis detected abnormal behavior by a service account in your Kubernetes cluster. The service account was used for an operation, which isn't common for this service account. While this activity can be legitimate, such behavior might indicate that the service account is being used for malicious purposes.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Lateral Movement, Credential Access
+
+**Severity**: Medium
+
+### **An uncommon connection attempt detected**
+
+(K8S.NODE_SuspectConnection) <sup>[1](#footnote1)</sup>
+
+**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected an uncommon connection attempt utilizing a socks protocol. This is very rare in normal operations, but a known technique for attackers attempting to bypass network-layer detections.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Execution, Exfiltration, Exploitation
+
+**Severity**: Medium
+
+### **Attempt to stop apt-daily-upgrade.timer service detected**
+
+(K8S.NODE_TimerServiceDisabled) <sup>[1](#footnote1)</sup>
+
+**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected an attempt to stop apt-daily-upgrade.timer service. Attackers have been observed stopping this service to download malicious files and grant execution privileges for their attacks. This activity can also happen if the service is updated through normal administrative actions.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: DefenseEvasion
+
+**Severity**: Informational
+
+### **Behavior similar to common Linux bots detected (Preview)**
+
+(K8S.NODE_CommonBot)
+
+**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected the execution of a process normally associated with common Linux botnets.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Execution, Collection, Command And Control
+
+**Severity**: Medium
+
+### **Command within a container running with high privileges**
+
+(K8S.NODE_PrivilegedExecutionInContainer) <sup>[1](#footnote1)</sup>
+
+**Description**: Machine logs indicate that a privileged command was run in a Docker container. A privileged command has extended privileges on the host machine.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: PrivilegeEscalation
+
+**Severity**: Informational
+
+### **Container running in privileged mode**
+
+(K8S.NODE_PrivilegedContainerArtifacts) <sup>[1](#footnote1)</sup>
+
+**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected the execution of a Docker command that is running a privileged container. The privileged container has full access to the hosting pod or host resource. If compromised, an attacker might use the privileged container to gain access to the hosting pod or host.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: PrivilegeEscalation, Execution
+
+**Severity**: Informational
+
+### **Container with a sensitive volume mount detected**
+
+(K8S_SensitiveMount)
+
+**Description**: Kubernetes audit log analysis detected a new container with a sensitive volume mount. The volume that was detected is a hostPath type which mounts a sensitive file or folder from the node to the container. If the container gets compromised, the attacker can use this mount for gaining access to the node.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Privilege Escalation
+
+**Severity**: Informational
+
+### **CoreDNS modification in Kubernetes detected**
+
+(K8S_CoreDnsModification) <sup>[2](#footnote2)</sup> <sup>[3](#footnote3)</sup>
+
+**Description**: Kubernetes audit log analysis detected a modification of the CoreDNS configuration. The configuration of CoreDNS can be modified by overriding its configmap. While this activity can be legitimate, if attackers have permissions to modify the configmap, they can change the behavior of the cluster's DNS server and poison it.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Lateral Movement
+
+**Severity**: Low
+
+### **Creation of admission webhook configuration detected**
+
+(K8S_AdmissionController) <sup>[3](#footnote3)</sup>
+
+**Description**: Kubernetes audit log analysis detected a new admission webhook configuration. Kubernetes has two built-in generic admission controllers: MutatingAdmissionWebhook and ValidatingAdmissionWebhook. The behavior of these admission controllers is determined by an admission webhook that the user deploys to the cluster. The usage of such admission controllers can be legitimate, however attackers can use such webhooks for modifying the requests (in case of MutatingAdmissionWebhook) or inspecting the requests and gain sensitive information (in case of ValidatingAdmissionWebhook).
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Credential Access, Persistence
+
+**Severity**: Informational
+
+### **Detected file download from a known malicious source**
+
+(K8S.NODE_SuspectDownload) <sup>[1](#footnote1)</sup>
+
+**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected a download of a file from a source frequently used to distribute malware.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: PrivilegeEscalation, Execution, Exfiltration, Command And Control
+
+**Severity**: Medium
+
+### **Detected suspicious file download**
+
+(K8S.NODE_SuspectDownloadArtifacts) <sup>[1](#footnote1)</sup>
+
+**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected a suspicious download of a remote file.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Persistence
+
+**Severity**: Informational
+
+### **Detected suspicious use of the nohup command**
+
+(K8S.NODE_SuspectNohup) <sup>[1](#footnote1)</sup>
+
+**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected a suspicious use of the nohup command. Attackers have been seen using the command nohup to run hidden files from a temporary directory to allow their executables to run in the background. It's rare to see this command run on hidden files located in a temporary directory.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Persistence, DefenseEvasion
+
+**Severity**: Medium
+
+### **Detected suspicious use of the useradd command**
+
+(K8S.NODE_SuspectUserAddition) <sup>[1](#footnote1)</sup>
+
+**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected a suspicious use of the useradd command.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Persistence
+
+**Severity**: Medium
+
+### **Digital currency mining container detected**
+
+(K8S_MaliciousContainerImage) <sup>[3](#footnote3)</sup>
+
+**Description**: Kubernetes audit log analysis detected a container that has an image associated with a digital currency mining tool.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Execution
+
+**Severity**: High
+
+### **Digital currency mining related behavior detected**
+
+(K8S.NODE_DigitalCurrencyMining) <sup>[1](#footnote1)</sup>
+
+**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected an execution of a process or command normally associated with digital currency mining.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Execution
+
+**Severity**: High
+
+### **Docker build operation detected on a Kubernetes node**
+
+(K8S.NODE_ImageBuildOnNode) <sup>[1](#footnote1)</sup>
+
+**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected a build operation of a container image on a Kubernetes node. While this behavior might be legitimate, attackers might build their malicious images locally to avoid detection.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: DefenseEvasion
+
+**Severity**: Informational
+
+### **Exposed Kubeflow dashboard detected**
+
+(K8S_ExposedKubeflow)
+
+**Description**: The Kubernetes audit log analysis detected exposure of the Istio Ingress by a load balancer in a cluster that runs Kubeflow. This action might expose the Kubeflow dashboard to the internet. If the dashboard is exposed to the internet, attackers can access it and run malicious containers or code on the cluster. Find more details in the following article: <https://aka.ms/exposedkubeflow-blog>
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Initial Access
+
+**Severity**: Medium
+
+### **Exposed Kubernetes dashboard detected**
+
+(K8S_ExposedDashboard)
+
+**Description**: Kubernetes audit log analysis detected exposure of the Kubernetes Dashboard by a LoadBalancer service. Exposed dashboard allows an unauthenticated access to the cluster management and poses a security threat.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Initial Access
+
+**Severity**: High
+
+### **Exposed Kubernetes service detected**
+
+(K8S_ExposedService)
+
+**Description**: The Kubernetes audit log analysis detected exposure of a service by a load balancer. This service is related to a sensitive application that allows high impact operations in the cluster such as running processes on the node or creating new containers. In some cases, this service doesn't require authentication. If the service doesn't require authentication, exposing it to the internet poses a security risk.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Initial Access
+
+**Severity**: Medium
+
+### **Exposed Redis service in AKS detected**
+
+(K8S_ExposedRedis)
+
+**Description**: The Kubernetes audit log analysis detected exposure of a Redis service by a load balancer. If the service doesn't require authentication, exposing it to the internet poses a security risk.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Initial Access
+
+**Severity**: Low
+
+### **Indicators associated with DDOS toolkit detected**
+
+(K8S.NODE_KnownLinuxDDoSToolkit) <sup>[1](#footnote1)</sup>
+
+**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected file names that are part of a toolkit associated with malware capable of launching DDoS attacks, opening ports and services, and taking full control over the infected system. This could also possibly be legitimate activity.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Persistence, LateralMovement, Execution, Exploitation
+
+**Severity**: Medium
+
+### **K8S API requests from proxy IP address detected**
+
+(K8S_TI_Proxy) <sup>[3](#footnote3)</sup>
+
+**Description**: Kubernetes audit log analysis detected API requests to your cluster from an IP address that is associated with proxy services, such as TOR. While this behavior can be legitimate, it's often seen in malicious activities, when attackers try to hide their source IP.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Execution
+
+**Severity**: Low
+
+### **Kubernetes events deleted**
+
+(K8S_DeleteEvents) <sup>[2](#footnote2)</sup> <sup>[3](#footnote3)</sup>
+
+**Description**: Defender for Cloud detected that some Kubernetes events have been deleted. Kubernetes events are objects in Kubernetes that contain information about changes in the cluster. Attackers might delete those events for hiding their operations in the cluster.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Defense Evasion
+
+**Severity**: Low
+
+### **Kubernetes penetration testing tool detected**
+
+(K8S_PenTestToolsKubeHunter)
+
+**Description**: Kubernetes audit log analysis detected usage of Kubernetes penetration testing tool in the AKS cluster. While this behavior can be legitimate, attackers might use such public tools for malicious purposes.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Execution
+
+**Severity**: Low
+
+### **Microsoft Defender for Cloud test alert (not a threat)**
+
+(K8S.NODE_EICAR) <sup>[1](#footnote1)</sup>
+
+**Description**: This is a test alert generated by Microsoft Defender for Cloud. No further action is needed.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Execution
+
+**Severity**: High
+
+### **New container in the kube-system namespace detected**
+
+(K8S_KubeSystemContainer) <sup>[3](#footnote3)</sup>
+
+**Description**: Kubernetes audit log analysis detected a new container in the kube-system namespace that isn't among the containers that normally run in this namespace. The kube-system namespaces shouldn't contain user resources. Attackers can use this namespace for hiding malicious components.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Persistence
+
+**Severity**: Informational
+
+### **New high privileges role detected**
+
+(K8S_HighPrivilegesRole) <sup>[3](#footnote3)</sup>
+
+**Description**: Kubernetes audit log analysis detected a new role with high privileges. A binding to a role with high privileges gives the user\group high privileges in the cluster. Unnecessary privileges might cause privilege escalation in the cluster.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Persistence
+
+**Severity**: Informational
+
+### **Possible attack tool detected**
+
+(K8S.NODE_KnownLinuxAttackTool) <sup>[1](#footnote1)</sup>
+
+**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected a suspicious tool invocation. This tool is often associated with malicious users attacking others.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Execution, Collection, Command And Control, Probing
+
+**Severity**: Medium
+
+### **Possible backdoor detected**
+
+(K8S.NODE_LinuxBackdoorArtifact) <sup>[1](#footnote1)</sup>
+
+**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected a suspicious file being downloaded and run. This activity has previously been associated with installation of a backdoor.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Persistence, DefenseEvasion, Execution, Exploitation
+
+**Severity**: Medium
+
+### **Possible command line exploitation attempt**
+
+(K8S.NODE_ExploitAttempt) <sup>[1](#footnote1)</sup>
+
+**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected a possible exploitation attempt against a known vulnerability.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Exploitation
+
+**Severity**: Medium
+
+### **Possible credential access tool detected**
+
+(K8S.NODE_KnownLinuxCredentialAccessTool) <sup>[1](#footnote1)</sup>
+
+**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected a possible known credential access tool was running on the container, as identified by the specified process and commandline history item. This tool is often associated with attacker attempts to access credentials.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: CredentialAccess
+
+**Severity**: Medium
+
+### **Possible Cryptocoinminer download detected**
+
+(K8S.NODE_CryptoCoinMinerDownload) <sup>[1](#footnote1)</sup>
+
+**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected download of a file normally associated with digital currency mining.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: DefenseEvasion, Command And Control, Exploitation
+
+**Severity**: Medium
+
+### **Possible Log Tampering Activity Detected**
+
+(K8S.NODE_SystemLogRemoval) <sup>[1](#footnote1)</sup>
+
+**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected a possible removal of files that tracks user's activity during the course of its operation. Attackers often try to evade detection and leave no trace of malicious activities by deleting such log files.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: DefenseEvasion
+
+**Severity**: Medium
+
+### **Possible password change using crypt-method detected**
+
+(K8S.NODE_SuspectPasswordChange) <sup>[1](#footnote1)</sup>
+
+**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected a password change using the crypt method. Attackers can make this change to continue access and gain persistence after compromise.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: CredentialAccess
+
+**Severity**: Medium
+
+### **Potential port forwarding to external IP address**
+
+(K8S.NODE_SuspectPortForwarding) <sup>[1](#footnote1)</sup>
+
+**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected an initiation of port forwarding to an external IP address.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Exfiltration, Command And Control
+
+**Severity**: Medium
+
+### **Potential reverse shell detected**
+
+(K8S.NODE_ReverseShell) <sup>[1](#footnote1)</sup>
+
+**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected a potential reverse shell. These are used to get a compromised machine to call back into a machine an attacker owns.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Exfiltration, Exploitation
+
+**Severity**: Medium
+
+### **Privileged container detected**
+
+(K8S_PrivilegedContainer)
+
+**Description**: Kubernetes audit log analysis detected a new privileged container. A privileged container has access to the node's resources and breaks the isolation between containers. If compromised, an attacker can use the privileged container to gain access to the node.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Privilege Escalation
+
+**Severity**: Informational
+
+### **Process associated with digital currency mining detected**
+
+(K8S.NODE_CryptoCoinMinerArtifacts) <sup>[1](#footnote1)</sup>
+
+**Description**: Analysis of processes running within a container detected the execution of a process normally associated with digital currency mining.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Execution, Exploitation
+
+**Severity**: Medium
+
+### **Process seen accessing the SSH authorized keys file in an unusual way**
+
+(K8S.NODE_SshKeyAccess) <sup>[1](#footnote1)</sup>
+
+**Description**: An SSH authorized_keys file was accessed in a method similar to known malware campaigns. This access could signify that an actor is attempting to gain persistent access to a machine.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Unknown
+
+**Severity**: Informational
+
+### **Role binding to the cluster-admin role detected**
+
+(K8S_ClusterAdminBinding)
+
+**Description**: Kubernetes audit log analysis detected a new binding to the cluster-admin role which gives administrator privileges. Unnecessary administrator privileges might cause privilege escalation in the cluster.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Persistence
+
+**Severity**: Informational
+
+### **Security-related process termination detected**
+
+(K8S.NODE_SuspectProcessTermination) <sup>[1](#footnote1)</sup>
+
+**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected an attempt to terminate processes related to security monitoring on the container. Attackers will often try to terminate such processes using predefined scripts post-compromise.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Persistence
+
+**Severity**: Low
+
+### **SSH server is running inside a container**
+
+(K8S.NODE_ContainerSSH) <sup>[1](#footnote1)</sup>
+
+**Description**: Analysis of processes running within a container detected an SSH server running inside the container.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Execution
+
+**Severity**: Informational
+
+### **Suspicious file timestamp modification**
+
+(K8S.NODE_TimestampTampering) <sup>[1](#footnote1)</sup>
+
+**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected a suspicious timestamp modification. Attackers will often copy timestamps from existing legitimate files to new tools to avoid detection of these newly dropped files.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Persistence, DefenseEvasion
+
+**Severity**: Low
+
+### **Suspicious request to Kubernetes API**
+
+(K8S.NODE_KubernetesAPI) <sup>[1](#footnote1)</sup>
+
+**Description**: Analysis of processes running within a container indicates that a suspicious request was made to the Kubernetes API. The request was sent from a container in the cluster. Although this behavior can be intentional, it might indicate that a compromised container is running in the cluster.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: LateralMovement
+
+**Severity**: Medium
+
+### **Suspicious request to the Kubernetes Dashboard**
+
+(K8S.NODE_KubernetesDashboard) <sup>[1](#footnote1)</sup>
+
+**Description**: Analysis of processes running within a container indicates that a suspicious request was made to the Kubernetes Dashboard. The request was sent from a container in the cluster. Although this behavior can be intentional, it might indicate that a compromised container is running in the cluster.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: LateralMovement
+
+**Severity**: Medium
+
+### **Potential crypto coin miner started**
+
+(K8S.NODE_CryptoCoinMinerExecution) <sup>[1](#footnote1)</sup>
+
+**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected a process being started in a way normally associated with digital currency mining.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Execution
+
+**Severity**: Medium
+
+### **Suspicious password access**
+
+(K8S.NODE_SuspectPasswordFileAccess) <sup>[1](#footnote1)</sup>
+
+**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected suspicious attempt to access encrypted user passwords.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Persistence
+
+**Severity**: Informational
+
+### **Possible malicious web shell detected**
+
+(K8S.NODE_Webshell) <sup>[1](#footnote1)</sup>
+
+**Description**: Analysis of processes running within a container detected a possible web shell. Attackers will often upload a web shell to a compute resource they have compromised to gain persistence or for further exploitation.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Persistence, Exploitation
+
+**Severity**: Medium
+
+### **Burst of multiple reconnaissance commands could indicate initial activity after compromise**
+
+(K8S.NODE_ReconnaissanceArtifactsBurst) <sup>[1](#footnote1)</sup>
+
+**Description**: Analysis of host/device data detected execution of multiple reconnaissance commands related to gathering system or host details performed by attackers after initial compromise.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Discovery, Collection
+
+**Severity**: Low
+
+### **Suspicious Download Then Run Activity**
+
+(K8S.NODE_DownloadAndRunCombo) <sup>[1](#footnote1)</sup>
+
+**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected a file being downloaded then run in the same command. While this isn't always malicious, this is a very common technique attackers use to get malicious files onto victim machines.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Execution, CommandAndControl, Exploitation
+
+**Severity**: Medium
+
+### **Access to kubelet kubeconfig file detected**
+
+(K8S.NODE_KubeConfigAccess) <sup>[1](#footnote1)</sup>
+
+**Description**: Analysis of processes running on a Kubernetes cluster node detected access to kubeconfig file on the host. The kubeconfig file, normally used by the Kubelet process, contains credentials to the Kubernetes cluster API server. Access to this file is often associated with attackers attempting to access those credentials, or with security scanning tools which check if the file is accessible.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: CredentialAccess
+
+**Severity**: Medium
+
+### **Access to cloud metadata service detected**
+
+(K8S.NODE_ImdsCall) <sup>[1](#footnote1)</sup>
+
+**Description**: Analysis of processes running within a container detected access to the cloud metadata service for acquiring identity token. The container doesn't normally perform such operation. While this behavior might be legitimate, attackers might use this technique to access cloud resources after gaining initial access to a running container.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: CredentialAccess
+
+**Severity**: Medium
+
+### **MITRE Caldera agent detected**
+
+(K8S.NODE_MitreCalderaTools) <sup>[1](#footnote1)</sup>
+
+**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected a suspicious process. This is often associated with the MITRE 54ndc47 agent, which could be used maliciously to attack other machines.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Persistence, PrivilegeEscalation, DefenseEvasion, CredentialAccess, Discovery, LateralMovement, Execution, Collection, Exfiltration, Command And Control, Probing, Exploitation
+
+**Severity**: Medium
+
+<sup><a name="footnote1"></a>1</sup>: **Preview for non-AKS clusters**: This alert is generally available for AKS clusters, but it is in preview for other environments, such as Azure Arc, EKS, and GKE.
+
+<sup><a name="footnote2"></a>2</sup>: **Limitations on GKE clusters**: GKE uses a Kubernetes audit policy that doesn't support all alert types. As a result, this security alert, which is based on Kubernetes audit events, is not supported for GKE clusters.
+
+<sup><a name="footnote3"></a>3</sup>: This alert is supported on Windows nodes/containers.
+
+> [!NOTE]
+> For alerts that are in preview: [!INCLUDE [Legalese](../../includes/defender-for-cloud-preview-legal-text.md)]
+
+## Next steps
+
+- [Security alerts in Microsoft Defender for Cloud](alerts-overview.md)
+- [Manage and respond to security alerts in Microsoft Defender for Cloud](managing-and-responding-alerts.yml)
+- [Continuously export Defender for Cloud data](continuous-export.md)
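Review bot: The MITRE tactic values in this hunk are spelled inconsistently, which matters because every one of them links to the tactic table at alerts-reference.md#mitre-attck-tactics: `DefenseEvasion` (K8S.NODE_SystemLogRemoval and others) versus `Defense Evasion` in the Linux page of this same change, `Command And Control` (K8S.NODE_CryptoCoinMinerDownload, K8S.NODE_SuspectPortForwarding, K8S.NODE_MitreCalderaTools) versus `CommandAndControl` (K8S.NODE_DownloadAndRunCombo), and `Privilege Escalation` (K8S_PrivilegedContainer) versus `PrivilegeEscalation` (K8S.NODE_MitreCalderaTools). Pick one form per tactic, ideally the one used in the linked table. The "Process seen accessing the SSH authorized keys file in an unusual way" entry lists `Unknown` as its tactic, which is not a MITRE tactic at all; its own description talks about gaining persistent access, so `Persistence` would be consistent with the rest of the file. Several descriptions have grammar slips worth fixing in the same pass: the recurring "Analysis of processes running within a container or directly on a Kubernetes node, has detected" puts a comma between subject and verb; "removal of files that tracks user's activity" should read "files that track users' activity"; "detected suspicious attempt to access encrypted user passwords" and "detected access to kubeconfig file" are missing articles; and "for acquiring identity token. The container doesn't normally perform such operation" should be "an identity token" and "such an operation". Finally, footnotes 2 and 3 are defined at the bottom but only footnote 1 is referenced by any alert shown in this hunk; confirm that the GKE and Windows footnote superscripts are still attached to the alerts they apply to, otherwise they were lost in the migration.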
defender-for-cloud Alerts Defender For Apis https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/alerts-defender-for-apis.md
+
+ Title: Alerts for Defender for APIs
+description: This article lists the security alerts for Defender for APIs visible in Microsoft Defender for Cloud.
++ Last updated : 06/03/2024
+ai-usage: ai-assisted
++
+# Alerts for Defender for APIs
+
+This article lists the security alerts you might get for Defender for APIs from Microsoft Defender for Cloud and any Microsoft Defender plans you enabled. The alerts shown in your environment depend on the resources and services you're protecting, and your customized configuration.
+
+> [!NOTE]
+> Some of the recently added alerts powered by Microsoft Defender Threat Intelligence and Microsoft Defender for Endpoint might be undocumented.
+
+[Learn how to respond to these alerts](managing-and-responding-alerts.yml).
+
+[Learn how to export alerts](continuous-export.md).
+
+> [!NOTE]
+> Alerts from different sources might take different amounts of time to appear. For example, alerts that require analysis of network traffic might take longer to appear than alerts related to suspicious processes running on virtual machines.
+
+## Defender for APIs alerts
+
+### **Suspicious population-level spike in API traffic to an API endpoint**
+
+ (API_PopulationSpikeInAPITraffic)
+
+**Description**: A suspicious spike in API traffic was detected at one of the API endpoints. The detection system used historical traffic patterns to establish a baseline for routine API traffic volume between all IPs and the endpoint, with the baseline being specific to API traffic for each status code (such as 200 Success). The detection system flagged an unusual deviation from this baseline leading to the detection of suspicious activity.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Impact
+
+**Severity**: Medium
+
+### **Suspicious spike in API traffic from a single IP address to an API endpoint**
+
+ (API_SpikeInAPITraffic)
+
+**Description**: A suspicious spike in API traffic was detected from a client IP to the API endpoint. The detection system used historical traffic patterns to establish a baseline for routine API traffic volume to the endpoint coming from a specific IP to the endpoint. The detection system flagged an unusual deviation from this baseline leading to the detection of suspicious activity.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Impact
+
+**Severity**: Medium
+
+### **Unusually large response payload transmitted between a single IP address and an API endpoint**
+
+ (API_SpikeInPayload)
+
+**Description**: A suspicious spike in API response payload size was observed for traffic between a single IP and one of the API endpoints. Based on historical traffic patterns from the last 30 days, Defender for APIs learns a baseline that represents the typical API response payload size between a specific IP and API endpoint. The learned baseline is specific to API traffic for each status code (for example, 200 Success). The alert was triggered because an API response payload size deviated significantly from the historical baseline.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Initial access
+
+**Severity**: Medium
+
+### **Unusually large request body transmitted between a single IP address and an API endpoint**
+
+ (API_SpikeInPayload)
+
+**Description**: A suspicious spike in API request body size was observed for traffic between a single IP and one of the API endpoints. Based on historical traffic patterns from the last 30 days, Defender for APIs learns a baseline that represents the typical API request body size between a specific IP and API endpoint. The learned baseline is specific to API traffic for each status code (for example, 200 Success). The alert was triggered because an API request size deviated significantly from the historical baseline.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Initial access
+
+**Severity**: Medium
+
+### **(Preview) Suspicious spike in latency for traffic between a single IP address and an API endpoint**
+
+ (API_SpikeInLatency)
+
+**Description**: A suspicious spike in latency was observed for traffic between a single IP and one of the API endpoints. Based on historical traffic patterns from the last 30 days, Defender for APIs learns a baseline that represents the routine API traffic latency between a specific IP and API endpoint. The learned baseline is specific to API traffic for each status code (for example, 200 Success). The alert was triggered because an API call latency deviated significantly from the historical baseline.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Initial access
+
+**Severity**: Medium
+
+### **API requests spray from a single IP address to an unusually large number of distinct API endpoints**
+
+(API_SprayInRequests)
+
+**Description**: A single IP was observed making API calls to an unusually large number of distinct endpoints. Based on historical traffic patterns from the last 30 days, Defenders for APIs learns a baseline that represents the typical number of distinct endpoints called by a single IP across 20-minute windows. The alert was triggered because a single IP's behavior deviated significantly from the historical baseline.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Discovery
+
+**Severity**: Medium
+
+### **Parameter enumeration on an API endpoint**
+
+ (API_ParameterEnumeration)
+
+**Description**: A single IP was observed enumerating parameters when accessing one of the API endpoints. Based on historical traffic patterns from the last 30 days, Defender for APIs learns a baseline that represents the typical number of distinct parameter values used by a single IP when accessing this endpoint across 20-minute windows. The alert was triggered because a single client IP recently accessed an endpoint using an unusually large number of distinct parameter values.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Initial access
+
+**Severity**: Medium
+
+### **Distributed parameter enumeration on an API endpoint**
+
+ (API_DistributedParameterEnumeration)
+
+**Description**: The aggregate user population (all IPs) was observed enumerating parameters when accessing one of the API endpoints. Based on historical traffic patterns from the last 30 days, Defender for APIs learns a baseline that represents the typical number of distinct parameter values used by the user population (all IPs) when accessing an endpoint across 20-minute windows. The alert was triggered because the user population recently accessed an endpoint using an unusually large number of distinct parameter values.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Initial access
+
+**Severity**: Medium
+
+### **Parameter value(s) with anomalous data types in an API call**
+
+ (API_UnseenParamType)
+
+**Description**: A single IP was observed accessing one of your API endpoints and using parameter values of a low probability data type (for example, string, integer, etc.). Based on historical traffic patterns from the last 30 days, Defender for APIs learns the expected data types for each API parameter. The alert was triggered because an IP recently accessed an endpoint using a previously low probability data type as a parameter input.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Impact
+
+**Severity**: Medium
+
+### **Previously unseen parameter used in an API call**
+
+ (API_UnseenParam)
+
+**Description**: A single IP was observed accessing one of the API endpoints using a previously unseen or out-of-bounds parameter in the request. Based on historical traffic patterns from the last 30 days, Defender for APIs learns a set of expected parameters associated with calls to an endpoint. The alert was triggered because an IP recently accessed an endpoint using a previously unseen parameter.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Impact
+
+**Severity**: Medium
+
+### **Access from a Tor exit node to an API endpoint**
+
+ (API_AccessFromTorExitNode)
+
+**Description**: An IP address from the Tor network accessed one of your API endpoints. Tor is a network that allows people to access the Internet while keeping their real IP hidden. Though there are legitimate uses, it is frequently used by attackers to hide their identity when they target people's systems online.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Pre-attack
+
+**Severity**: Medium
+
+### **API Endpoint access from suspicious IP**
+
+ (API_AccessFromSuspiciousIP)
+
+**Description**: An IP address accessing one of your API endpoints was identified by Microsoft Threat Intelligence as having a high probability of being a threat. While observing malicious Internet traffic, this IP came up as involved in attacking other online targets.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Pre-attack
+
+**Severity**: High
+
+### **Suspicious User Agent detected**
+
+ (API_AccessFromSuspiciousUserAgent)
+
+**Description**: The user agent of a request accessing one of your API endpoints contained anomalous values indicative of an attempt at remote code execution. This does not mean that any of your API endpoints have been breached, but it does suggest that an attempted attack is underway.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Execution
+
+**Severity**: Medium
+
+> [!NOTE]
+> For alerts that are in preview: [!INCLUDE [Legalese](../../includes/defender-for-cloud-preview-legal-text.md)]
+
+## Next steps
+
+- [Security alerts in Microsoft Defender for Cloud](alerts-overview.md)
+- [Manage and respond to security alerts in Microsoft Defender for Cloud](managing-and-responding-alerts.yml)
+- [Continuously export Defender for Cloud data](continuous-export.md)
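Review bot: Two different alerts share the alert ID `(API_SpikeInPayload)`: "Unusually large response payload transmitted between a single IP address and an API endpoint" and "Unusually large request body transmitted between a single IP address and an API endpoint". If both really are emitted under one ID, say so in the text, because a reader filtering exported alerts by alert type will otherwise expect two distinct values; if not, the second entry needs its own ID. Smaller points in the same hunk: "Defenders for APIs learns a baseline" under API_SprayInRequests should be "Defender for APIs"; most alert IDs are written with a leading space (" (API_PopulationSpikeInAPITraffic)") while `(API_SprayInRequests)` is not, so the indentation should be made uniform; and the tactic values `Initial access` and `Pre-attack` differ from the `Initial Access` form used in the DNS page of this same change and from the names in the linked tactic table, so they should be aligned with it.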
defender-for-cloud Alerts Dns https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/alerts-dns.md
+
+ Title: Alerts for DNS
+description: This article lists the security alerts for DNS visible in Microsoft Defender for Cloud.
++ Last updated : 06/03/2024
+ai-usage: ai-assisted
++
+# Alerts for DNS
+
+This article lists the security alerts you might get for DNS from Microsoft Defender for Cloud and any Microsoft Defender plans you enabled. The alerts shown in your environment depend on the resources and services you're protecting, and your customized configuration.
+
+> [!NOTE]
+> Some of the recently added alerts powered by Microsoft Defender Threat Intelligence and Microsoft Defender for Endpoint might be undocumented.
+
+[Learn how to respond to these alerts](managing-and-responding-alerts.yml).
+
+[Learn how to export alerts](continuous-export.md).
+
+> [!NOTE]
+> Alerts from different sources might take different amounts of time to appear. For example, alerts that require analysis of network traffic might take longer to appear than alerts related to suspicious processes running on virtual machines.
+
+## Alerts for DNS
++
+[Further details and notes](plan-defender-for-servers-select-plan.md)
+
+### **Anomalous network protocol usage**
+
+(AzureDNS_ProtocolAnomaly)
+
+**Description**: Analysis of DNS transactions from %{CompromisedEntity} detected anomalous protocol usage. Such traffic, while possibly benign, might indicate abuse of this common protocol to bypass network traffic filtering. Typical related attacker activity includes copying remote administration tools to a compromised host and exfiltrating user data from it.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Exfiltration
+
+**Severity**: -
+
+### **Anonymity network activity**
+
+(AzureDNS_DarkWeb)
+
+**Description**: Analysis of DNS transactions from %{CompromisedEntity} detected anonymity network activity. Such activity, while possibly legitimate user behavior, is frequently employed by attackers to evade tracking and fingerprinting of network communications. Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Exfiltration
+
+**Severity**: Low
+
+### **Anonymity network activity using web proxy**
+
+(AzureDNS_DarkWebProxy)
+
+**Description**: Analysis of DNS transactions from %{CompromisedEntity} detected anonymity network activity. Such activity, while possibly legitimate user behavior, is frequently employed by attackers to evade tracking and fingerprinting of network communications. Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Exfiltration
+
+**Severity**: Low
+
+### **Attempted communication with suspicious sinkholed domain**
+
+(AzureDNS_SinkholedDomain)
+
+**Description**: Analysis of DNS transactions from %{CompromisedEntity} detected request for sinkholed domain. Such activity, while possibly legitimate user behavior, is frequently an indication of the download or execution of malicious software. Typical related attacker activity is likely to include the download and execution of further malicious software or remote administration tools.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Exfiltration
+
+**Severity**: Medium
+
+### **Communication with possible phishing domain**
+
+(AzureDNS_PhishingDomain)
+
+**Description**: Analysis of DNS transactions from %{CompromisedEntity} detected a request for a possible phishing domain. Such activity, while possibly benign, is frequently performed by attackers to harvest credentials to remote services. Typical related attacker activity is likely to include the exploitation of any credentials on the legitimate service.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Exfiltration
+
+**Severity**: Informational
+
+### **Communication with suspicious algorithmically generated domain**
+
+(AzureDNS_DomainGenerationAlgorithm)
+
+**Description**: Analysis of DNS transactions from %{CompromisedEntity} detected possible usage of a domain generation algorithm. Such activity, while possibly benign, is frequently performed by attackers to evade network monitoring and filtering. Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Exfiltration
+
+**Severity**: Informational
+
+### **Communication with suspicious domain identified by threat intelligence**
+
+(AzureDNS_ThreatIntelSuspectDomain)
+
+**Description**: Communication with suspicious domain was detected by analyzing DNS transactions from your resource and comparing against known malicious domains identified by threat intelligence feeds. Communication to malicious domains is frequently performed by attackers and could imply that your resource is compromised.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Initial Access
+
+**Severity**: Medium
+
+### **Communication with suspicious random domain name**
+
+(AzureDNS_RandomizedDomain)
+
+**Description**: Analysis of DNS transactions from %{CompromisedEntity} detected usage of a suspicious randomly generated domain name. Such activity, while possibly benign, is frequently performed by attackers to evade network monitoring and filtering. Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Exfiltration
+
+**Severity**: Informational
+
+### **Digital currency mining activity**
+
+(AzureDNS_CurrencyMining)
+
+**Description**: Analysis of DNS transactions from %{CompromisedEntity} detected digital currency mining activity. Such activity, while possibly legitimate user behavior, is frequently performed by attackers following compromise of resources. Typical related attacker activity is likely to include the download and execution of common mining tools.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Exfiltration
+
+**Severity**: Low
+
+### **Network intrusion detection signature activation**
+
+(AzureDNS_SuspiciousDomain)
+
+**Description**: Analysis of DNS transactions from %{CompromisedEntity} detected a known malicious network signature. Such activity, while possibly legitimate user behavior, is frequently an indication of the download or execution of malicious software. Typical related attacker activity is likely to include the download and execution of further malicious software or remote administration tools.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Exfiltration
+
+**Severity**: Medium
+
+### **Possible data download via DNS tunnel**
+
+(AzureDNS_DataInfiltration)
+
+**Description**: Analysis of DNS transactions from %{CompromisedEntity} detected a possible DNS tunnel. Such activity, while possibly legitimate user behavior, is frequently performed by attackers to evade network monitoring and filtering. Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Exfiltration
+
+**Severity**: Low
+
+### **Possible data exfiltration via DNS tunnel**
+
+(AzureDNS_DataExfiltration)
+
+**Description**: Analysis of DNS transactions from %{CompromisedEntity} detected a possible DNS tunnel. Such activity, while possibly legitimate user behavior, is frequently performed by attackers to evade network monitoring and filtering. Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Exfiltration
+
+**Severity**: Low
+
+### **Possible data transfer via DNS tunnel**
+
+(AzureDNS_DataObfuscation)
+
+**Description**: Analysis of DNS transactions from %{CompromisedEntity} detected a possible DNS tunnel. Such activity, while possibly legitimate user behavior, is frequently performed by attackers to evade network monitoring and filtering. Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Exfiltration
+
+**Severity**: Low
+
+> [!NOTE]
+> For alerts that are in preview: [!INCLUDE [Legalese](../../includes/defender-for-cloud-preview-legal-text.md)]
+
+## Next steps
+
+- [Security alerts in Microsoft Defender for Cloud](alerts-overview.md)
+- [Manage and respond to security alerts in Microsoft Defender for Cloud](managing-and-responding-alerts.yml)
+- [Continuously export Defender for Cloud data](continuous-export.md)
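Review bot: The "Anomalous network protocol usage" entry (AzureDNS_ProtocolAnomaly) has `**Severity**: -`, the only DNS alert in this hunk without a severity; fill it in or, if the alert genuinely has no fixed severity, state that explicitly instead of leaving a dash. The three DNS tunnel alerts (AzureDNS_DataInfiltration, AzureDNS_DataExfiltration, AzureDNS_DataObfuscation) carry word-for-word identical descriptions, so the text never tells the reader what distinguishes a "download", an "exfiltration" and a "transfer" detection; the same applies to the two anonymity network entries (AzureDNS_DarkWeb and AzureDNS_DarkWebProxy), where the "using web proxy" variant should at least mention the proxy. One description is missing articles: "detected request for sinkholed domain" should read "detected a request for a sinkholed domain". There is also a line containing only `+` immediately after the "## Alerts for DNS" heading that looks like a leftover delimiter and should be checked in the source. Lastly, nearly every DNS alert here is mapped to the Exfiltration tactic, including the digital currency mining and possible phishing domain alerts whose descriptions talk about mining tools and credential harvesting rather than data exfiltration; worth confirming those mappings against the tactic table before this ships.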
defender-for-cloud Alerts Linux Machines https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/alerts-linux-machines.md
+
+ Title: Alerts for Linux machines
+description: This article lists the security alerts for Linux machines visible in Microsoft Defender for Cloud.
++ Last updated : 06/03/2024
+ai-usage: ai-assisted
++
+# Alerts for Linux machines
+
+This article lists the security alerts you might get for Linux machines from Microsoft Defender for Cloud and any Microsoft Defender plans you enabled. The alerts shown in your environment depend on the resources and services you're protecting, and your customized configuration.
+
+> [!NOTE]
+> Some of the recently added alerts powered by Microsoft Defender Threat Intelligence and Microsoft Defender for Endpoint might be undocumented.
+
+[Learn how to respond to these alerts](managing-and-responding-alerts.yml).
+
+[Learn how to export alerts](continuous-export.md).
+
+> [!NOTE]
+> Alerts from different sources might take different amounts of time to appear. For example, alerts that require analysis of network traffic might take longer to appear than alerts related to suspicious processes running on virtual machines.
+
+## Linux machines alerts
+
+Microsoft Defender for Servers Plan 2 provides unique detections and alerts, in addition to the ones provided by Microsoft Defender for Endpoint. The alerts provided for Linux machines are:
+
+[Further details and notes](defender-for-servers-introduction.md)
+
+### **A history file has been cleared**
+
+**Description**: Analysis of host data indicates that the command history log file has been cleared. Attackers might do this to cover their traces. The operation was performed by user: '%{user name}'.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Medium
+
+### **Adaptive application control policy violation was audited**
+
+(VM_AdaptiveApplicationControlLinuxViolationAudited)
+
+**Description**: The below users ran applications that are violating the application control policy of your organization on this machine. It can possibly expose the machine to malware or application vulnerabilities.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Execution
+
+**Severity**: Informational
+
+### **Antimalware broad files exclusion in your virtual machine**
+
+(VM_AmBroadFilesExclusion)
+
+**Description**: Files exclusion from antimalware extension with broad exclusion rule was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Such exclusion practically disabling the Antimalware protection.
+Attackers might exclude files from the antimalware scan on your virtual machine to prevent detection while running arbitrary code or infecting the machine with malware.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Medium
+
+### **Antimalware disabled and code execution in your virtual machine**
+
+(VM_AmDisablementAndCodeExecution)
+
+**Description**: Antimalware disabled at the same time as code execution on your virtual machine. This was detected by analyzing Azure Resource Manager operations in your subscription.
+Attackers disable antimalware scanners to prevent detection while running unauthorized tools or infecting the machine with malware.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: High
+
+### **Antimalware disabled in your virtual machine**
+
+(VM_AmDisablement)
+
+**Description**: Antimalware disabled in your virtual machine. This was detected by analyzing Azure Resource Manager operations in your subscription.
+Attackers might disable the antimalware on your virtual machine to prevent detection.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Defense Evasion
+
+**Severity**: Medium
+
+### **Antimalware file exclusion and code execution in your virtual machine**
+
+(VM_AmFileExclusionAndCodeExecution)
+
+**Description**: File excluded from your antimalware scanner at the same time as code was executed via a custom script extension on your virtual machine. This was detected by analyzing Azure Resource Manager operations in your subscription.
+Attackers might exclude files from the antimalware scan on your virtual machine to prevent detection while running unauthorized tools or infecting the machine with malware.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Defense Evasion, Execution
+
+**Severity**: High
+
+### **Antimalware file exclusion and code execution in your virtual machine (temporary)**
+
+(VM_AmTempFileExclusionAndCodeExecution)
+
+**Description**: Temporary file exclusion from antimalware extension in parallel to execution of code via custom script extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.
+Attackers might exclude files from the antimalware scan on your virtual machine to prevent detection while running arbitrary code or infecting the machine with malware.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Defense Evasion, Execution
+
+**Severity**: High
+
+### **Antimalware file exclusion in your virtual machine**
+
+(VM_AmTempFileExclusion)
+
+**Description**: File excluded from your antimalware scanner on your virtual machine. This was detected by analyzing Azure Resource Manager operations in your subscription.
+Attackers might exclude files from the antimalware scan on your virtual machine to prevent detection while running unauthorized tools or infecting the machine with malware.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Defense Evasion
+
+**Severity**: Medium
+
+### **Antimalware real-time protection was disabled in your virtual machine**
+
+(VM_AmRealtimeProtectionDisabled)
+
+**Description**: Real-time protection disablement of the antimalware extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.
+Attackers might disable real-time protection from the antimalware scan on your virtual machine to avoid detection while running arbitrary code or infecting the machine with malware.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Defense Evasion
+
+**Severity**: Medium
+
+### **Antimalware real-time protection was disabled temporarily in your virtual machine**
+
+(VM_AmTempRealtimeProtectionDisablement)
+
+**Description**: Real-time protection temporary disablement of the antimalware extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.
+Attackers might disable real-time protection from the antimalware scan on your virtual machine to avoid detection while running arbitrary code or infecting the machine with malware.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Defense Evasion
+
+**Severity**: Medium
+
+### **Antimalware real-time protection was disabled temporarily while code was executed in your virtual machine**
+
+(VM_AmRealtimeProtectionDisablementAndCodeExec)
+
+**Description**: Real-time protection temporary disablement of the antimalware extension in parallel to code execution via custom script extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.
+Attackers might disable real-time protection from the antimalware scan on your virtual machine to avoid detection while running arbitrary code or infecting the machine with malware.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: High
+
+### **Antimalware scans blocked for files potentially related to malware campaigns on your virtual machine (Preview)**
+
+(VM_AmMalwareCampaignRelatedExclusion)
+
+**Description**: An exclusion rule was detected in your virtual machine to prevent your antimalware extension scanning certain files that are suspected of being related to a malware campaign. The rule was detected by analyzing the Azure Resource Manager operations in your subscription. Attackers might exclude files from antimalware scans to prevent detection while running arbitrary code or infecting the machine with malware.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Defense Evasion
+
+**Severity**: Medium
+
+### **Antimalware temporarily disabled in your virtual machine**
+
+(VM_AmTemporarilyDisablement)
+
+**Description**: Antimalware temporarily disabled in your virtual machine. This was detected by analyzing Azure Resource Manager operations in your subscription.
+Attackers might disable the antimalware on your virtual machine to prevent detection.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Medium
+
+### **Antimalware unusual file exclusion in your virtual machine**
+
+(VM_UnusualAmFileExclusion)
+
+**Description**: Unusual file exclusion from antimalware extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.
+Attackers might exclude files from the antimalware scan on your virtual machine to prevent detection while running arbitrary code or infecting the machine with malware.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Defense Evasion
+
+**Severity**: Medium
+
+### **Behavior similar to ransomware detected [seen multiple times]**
+
+**Description**: Analysis of host data on %{Compromised Host} detected the execution of files that have resemblance of known ransomware that can prevent users from accessing their system or personal files, and demands ransom payment in order to regain access. This behavior was seen [x] times today on the following machines: [Machine names]
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: High
+
+### **Communication with suspicious domain identified by threat intelligence**
+
+(AzureDNS_ThreatIntelSuspectDomain)
+
+**Description**: Communication with suspicious domain was detected by analyzing DNS transactions from your resource and comparing against known malicious domains identified by threat intelligence feeds. Communication to malicious domains is frequently performed by attackers and could imply that your resource is compromised.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Initial Access, Persistence, Execution, Command And Control, Exploitation
+
+**Severity**: Medium
+
+### **Container with a miner image detected**
+
+(VM_MinerInContainerImage)
+
+**Description**: Machine logs indicate execution of a Docker container that runs an image associated with a digital currency mining.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Execution
+
+**Severity**: High
+
+### **Detected anomalous mix of upper and lower case characters in command line**
+
+**Description**: Analysis of host data on %{Compromised Host} detected a command line with anomalous mix of upper and lower case characters. This kind of pattern, while possibly benign, is also typical of attackers trying to hide from case-sensitive or hash-based rule matching when performing administrative tasks on a compromised host.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Medium
+
+### **Detected file download from a known malicious source**
+
+**Description**: Analysis of host data has detected the download of a file from a known malware source on %{Compromised Host}.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Medium
+
+### **Detected suspicious network activity**
+
+**Description**: Analysis of network traffic from %{Compromised Host} detected suspicious network activity. Such traffic, while possibly benign, is typically used by an attacker to communicate with malicious servers for downloading of tools, command-and-control and exfiltration of data. Typical related attacker activity includes copying remote administration tools to a compromised host and exfiltrating user data from it.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Low
+
+### **Digital currency mining related behavior detected**
+
+**Description**: Analysis of host data on %{Compromised Host} detected the execution of a process or command normally associated with digital currency mining.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: High
+
+### **Disabling of auditd logging [seen multiple times]**
+
+**Description**: The Linux Audit system provides a way to track security-relevant information on the system. It records as much information about the events that are happening on your system as possible. Disabling auditd logging could hamper discovering violations of security policies used on the system. This behavior was seen [x] times today on the following machines: [Machine names]
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Low
+
+### **Exploitation of Xorg vulnerability [seen multiple times]**
+
+**Description**: Analysis of host data on %{Compromised Host} detected the user of Xorg with suspicious arguments. Attackers might use this technique in privilege escalation attempts. This behavior was seen [x] times today on the following machines: [Machine names]
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Medium
+
+### **Failed SSH brute force attack**
+
+(VM_SshBruteForceFailed)
+
+**Description**: Failed brute force attacks were detected from the following attackers: %{Attackers}. Attackers were trying to access the host with the following user names: %{Accounts used on failed sign in to host attempts}.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Probing
+
+**Severity**: Medium
+
+### **Fileless attack behavior detected**
+
+(VM_FilelessAttackBehavior.Linux)
+
+**Description**: The memory of the process specified below contains behaviors commonly used by fileless attacks.
+Specific behaviors include: {list of observed behaviors}
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Execution
+
+**Severity**: Low
+
+### **Fileless attack technique detected**
+
+(VM_FilelessAttackTechnique.Linux)
+
+**Description**: The memory of the process specified below contains evidence of a fileless attack technique. Fileless attacks are used by attackers to execute code while evading detection by security software.
+Specific behaviors include: {list of observed behaviors}
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Execution
+
+**Severity**: High
+
+### **Fileless attack toolkit detected**
+
+(VM_FilelessAttackToolkit.Linux)
+
+**Description**: The memory of the process specified below contains a fileless attack toolkit: {ToolKitName}. Fileless attack toolkits typically don't have a presence on the filesystem, making detection by traditional anti-virus software difficult.
+Specific behaviors include: {list of observed behaviors}
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Defense Evasion, Execution
+
+**Severity**: High
+
+### **Hidden file execution detected**
+
+**Description**: Analysis of host data indicates that a hidden file was executed by %{user name}. This activity could either be legitimate activity, or an indication of a compromised host.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Informational
+
+### **New SSH key added [seen multiple times]**
+
+(VM_SshKeyAddition)
+
+**Description**: A new SSH key was added to the authorized keys file. This behavior was seen [x] times today on the following machines: [Machine names]
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Persistence
+
+**Severity**: Low
+
+### **New SSH key added**
+
+**Description**: A new SSH key was added to the authorized keys file.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Low
+
+### **Possible backdoor detected [seen multiple times]**
+
+**Description**: Analysis of host data has detected a suspicious file being downloaded then run on %{Compromised Host} in your subscription. This activity has previously been associated with installation of a backdoor. This behavior was seen [x] times today on the following machines: [Machine names]
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Medium
+
+### **Possible exploitation of the mailserver detected**
+
+(VM_MailserverExploitation )
+
+**Description**: Analysis of host data on %{Compromised Host} detected an unusual execution under the mail server account
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Exploitation
+
+**Severity**: Medium
+
+### **Possible malicious web shell detected**
+
+**Description**: Analysis of host data on %{Compromised Host} detected a possible web shell. Attackers will often upload a web shell to a machine they've compromised to gain persistence or for further exploitation.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Medium
+
+### **Possible password change using crypt-method detected [seen multiple times]**
+
+**Description**: Analysis of host data on %{Compromised Host} detected password change using crypt method. Attackers can make this change to continue access and gaining persistence after compromise. This behavior was seen [x] times today on the following machines: [Machine names]
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Medium
+
+### **Process associated with digital currency mining detected [seen multiple times]**
+
+**Description**: Analysis of host data on %{Compromised Host} detected the execution of a process normally associated with digital currency mining. This behavior was seen over 100 times today on the following machines: [Machine name]
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Medium
+
+### **Process associated with digital currency mining detected**
+
+**Description**: Host data analysis detected the execution of a process that is normally associated with digital currency mining.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Exploitation, Execution
+
+**Severity**: Medium
+
+### **Python encoded downloader detected [seen multiple times]**
+
+**Description**: Analysis of host data on %{Compromised Host} detected the execution of encoded Python that downloads and runs code from a remote location. This might be an indication of malicious activity. This behavior was seen [x] times today on the following machines: [Machine names]
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Low
+
+### **Screenshot taken on host [seen multiple times]**
+
+**Description**: Analysis of host data on %{Compromised Host} detected the user of a screen capture tool. Attackers might use these tools to access private data. This behavior was seen [x] times today on the following machines: [Machine names]
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Low
+
+### **Shellcode detected [seen multiple times]**
+
+**Description**: Analysis of host data on %{Compromised Host} detected shellcode being generated from the command line. This process could be legitimate activity, or an indication that one of your machines has been compromised. This behavior was seen [x] times today on the following machines: [Machine names]
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Medium
+
+### **Successful SSH brute force attack**
+
+(VM_SshBruteForceSuccess)
+
+**Description**: Analysis of host data has detected a successful brute force attack. The IP %{Attacker source IP} was seen making multiple login attempts. Successful logins were made from that IP with the following user(s): %{Accounts used to successfully sign in to host}. This means that the host might be compromised and controlled by a malicious actor.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Exploitation
+
+**Severity**: High
+
+### **Suspicious Account Creation Detected**
+
+**Description**: Analysis of host data on %{Compromised Host} detected creation or use of a local account %{Suspicious account name} : this account name closely resembles a standard Windows account or group name '%{Similar To Account Name}'. This is potentially a rogue account created by an attacker, so named in order to avoid being noticed by a human administrator.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Medium
+
+### **Suspicious kernel module detected [seen multiple times]**
+
+**Description**: Analysis of host data on %{Compromised Host} detected a shared object file being loaded as a kernel module. This could be legitimate activity, or an indication that one of your machines has been compromised. This behavior was seen [x] times today on the following machines: [Machine names]
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Medium
+
+### **Suspicious password access [seen multiple times]**
+
+**Description**: Analysis of host data has detected suspicious access to encrypted user passwords on %{Compromised Host}. This behavior was seen [x] times today on the following machines: [Machine names]
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Informational
+
+### **Suspicious password access**
+
+**Description**: Analysis of host data has detected suspicious access to encrypted user passwords on %{Compromised Host}.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Informational
+
+### **Suspicious request to the Kubernetes Dashboard**
+
+(VM_KubernetesDashboard)
+
+**Description**: Machine logs indicate that a suspicious request was made to the Kubernetes Dashboard. The request was sent from a Kubernetes node, possibly from one of the containers running in the node. Although this behavior can be intentional, it might indicate that the node is running a compromised container.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: LateralMovement
+
+**Severity**: Medium
+
+### **Unusual config reset in your virtual machine**
+
+(VM_VMAccessUnusualConfigReset)
+
+**Description**: An unusual config reset was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.
+While this action might be legitimate, attackers can try utilizing VM Access extension to reset the configuration in your virtual machine and compromise it.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Credential Access
+
+**Severity**: Medium
+
+### **Unusual user password reset in your virtual machine**
+
+(VM_VMAccessUnusualPasswordReset)
+
+**Description**: An unusual user password reset was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.
+While this action might be legitimate, attackers can try utilizing the VM Access extension to reset the credentials of a local user in your virtual machine and compromise it.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Credential Access
+
+**Severity**: Medium
+
+### **Unusual user SSH key reset in your virtual machine**
+
+(VM_VMAccessUnusualSSHReset)
+
+**Description**: An unusual user SSH key reset was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.
+While this action might be legitimate, attackers can try utilizing VM Access extension to reset SSH key of a user account in your virtual machine and compromise it.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Credential Access
+
+**Severity**: Medium
+
+### **Suspicious installation of GPU extension in your virtual machine (Preview)**
+
+ (VM_GPUDriverExtensionUnusualExecution)
+
+**Description**: Suspicious installation of a GPU extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Attackers might use the GPU driver extension to install GPU drivers on your virtual machine via the Azure Resource Manager to perform cryptojacking.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Impact
+
+**Severity**: Low
+
+> [!NOTE]
+> For alerts that are in preview: [!INCLUDE [Legalese](../../includes/defender-for-cloud-preview-legal-text.md)]
+
+## Next steps
+
+- [Security alerts in Microsoft Defender for Cloud](alerts-overview.md)
+- [Manage and respond to security alerts in Microsoft Defender for Cloud](managing-and-responding-alerts.yml)
+- [Continuously export Defender for Cloud data](continuous-export.md)
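Review bot: The alert "Antimalware file exclusion in your virtual machine" carries the identifier (VM_AmTempFileExclusion), which reads as the identifier of a temporary-exclusion variant; the neighbouring "(temporary)" alert uses VM_AmTempFileExclusionAndCodeExecution, so either this alert's title should say "(temporary)" or the identifier should be the non-temporary one. Other items in this section to fix before merge: "Exploitation of Xorg vulnerability" and "Screenshot taken on host" both read "detected the user of", which should be "detected the use of"; "(VM_MailserverExploitation )" has a stray space before the closing parenthesis and its description has no terminal period; "Antimalware broad files exclusion" reads "Such exclusion practically disabling the Antimalware protection", which needs a finite verb ("practically disables"); "Suspicious Account Creation Detected" refers to "a standard Windows account or group name" although this is the Linux alerts page; "Process associated with digital currency mining detected [seen multiple times]" hard-codes "over 100 times today" where every other [seen multiple times] alert uses the "[x] times" placeholder; and the final entry "Suspicious installation of GPU extension" breaks the alphabetical ordering of the list and has a leading space before its identifier line. Several alerts also list the MITRE tactic as "-" even where a closely related alert names one (VM_AmDisablementAndCodeExecution and VM_AmRealtimeProtectionDisablementAndCodeExec show "-" while VM_AmDisablement and VM_AmRealtimeProtectionDisabled show Defense Evasion), which makes filtering or triaging by tactic unreliable for readers of this page.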
defender-for-cloud Alerts Open Source Relational Databases https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/alerts-open-source-relational-databases.md
+
+ Title: Alerts for open-source relational databases
+description: This article lists the security alerts for open-source relational databases visible in Microsoft Defender for Cloud.
++ Last updated : 06/03/2024
+ai-usage: ai-assisted
++
+# Alerts for open-source relational databases
+
+This article lists the security alerts you might get for open-source relational databases from Microsoft Defender for Cloud and any Microsoft Defender plans you enabled. The alerts shown in your environment depend on the resources and services you're protecting, and your customized configuration.
+
+> [!NOTE]
+> Some of the recently added alerts powered by Microsoft Defender Threat Intelligence and Microsoft Defender for Endpoint might be undocumented.
+
+[Learn how to respond to these alerts](managing-and-responding-alerts.yml).
+
+[Learn how to export alerts](continuous-export.md).
+
+> [!NOTE]
+> Alerts from different sources might take different amounts of time to appear. For example, alerts that require analysis of network traffic might take longer to appear than alerts related to suspicious processes running on virtual machines.
+
+## Open-source relational databases alerts
+
+[Further details and notes](defender-for-databases-introduction.md)
+
+### **Suspected brute force attack using a valid user**
+
+(SQL.PostgreSQL_BruteForce
+SQL.MariaDB_BruteForce
+SQL.MySQL_BruteForce)
+
+**Description**: A potential brute force attack has been detected on your resource. The attacker is using the valid user (username), which has permissions to log in.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: PreAttack
+
+**Severity**: Medium
+
+### **Suspected successful brute force attack**
+
+(SQL.PostgreSQL_BruteForce
+SQL.MySQL_BruteForce
+SQL.MariaDB_BruteForce)
+
+**Description**: A successful login occurred after an apparent brute force attack on your resource.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: PreAttack
+
+**Severity**: High
+
+### **Suspected brute force attack**
+
+(SQL.PostgreSQL_BruteForce
+SQL.MySQL_BruteForce
+SQL.MariaDB_BruteForce)
+
+**Description**: A potential brute force attack has been detected on your resource.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: PreAttack
+
+**Severity**: Medium
+
+### **Attempted logon by a potentially harmful application**
+
+(SQL.PostgreSQL_HarmfulApplication
+SQL.MariaDB_HarmfulApplication
+SQL.MySQL_HarmfulApplication)
+
+**Description**: A potentially harmful application attempted to access your resource.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: PreAttack
+
+**Severity**: High/Medium
+
+### **Login from a principal user not seen in 60 days**
+
+(SQL.PostgreSQL_PrincipalAnomaly
+SQL.MariaDB_PrincipalAnomaly
+SQL.MySQL_PrincipalAnomaly)
+
+**Description**: A principal user not seen in the last 60 days has logged into your database. If this database is new or this is expected behavior caused by recent changes in the users accessing the database, Defender for Cloud will identify significant changes to the access patterns and attempt to prevent future false positives.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Exploitation
+
+**Severity**: Low
+
+### **Login from a domain not seen in 60 days**
+
+(SQL.MariaDB_DomainAnomaly
+SQL.PostgreSQL_DomainAnomaly
+SQL.MySQL_DomainAnomaly)
+
+**Description**: A user has logged in to your resource from a domain no other users have connected from in the last 60 days. If this resource is new or this is expected behavior caused by recent changes in the users accessing the resource, Defender for Cloud will identify significant changes to the access patterns and attempt to prevent future false positives.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Exploitation
+
+**Severity**: Medium
+
+### **Log on from an unusual Azure Data Center**
+
+(SQL.PostgreSQL_DataCenterAnomaly
+SQL.MariaDB_DataCenterAnomaly
+SQL.MySQL_DataCenterAnomaly)
+
+**Description**: Someone logged on to your resource from an unusual Azure Data Center.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Probing
+
+**Severity**: Low
+
+### **Logon from an unusual cloud provider**
+
+(SQL.PostgreSQL_CloudProviderAnomaly
+SQL.MariaDB_CloudProviderAnomaly
+SQL.MySQL_CloudProviderAnomaly)
+
+**Description**: Someone logged on to your resource from a cloud provider not seen in the last 60 days. It's quick and easy for threat actors to obtain disposable compute power for use in their campaigns. If this is expected behavior caused by the recent adoption of a new cloud provider, Defender for Cloud will learn over time and attempt to prevent future false positives.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Exploitation
+
+**Severity**: Medium
+
+### **Log on from an unusual location**
+
+(SQL.MariaDB_GeoAnomaly
+SQL.PostgreSQL_GeoAnomaly
+SQL.MySQL_GeoAnomaly)
+
+**Description**: Someone logged on to your resource from an unusual Azure Data Center.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Exploitation
+
+**Severity**: Medium
+
+### **Login from a suspicious IP**
+
+(SQL.PostgreSQL_SuspiciousIpAnomaly
+SQL.MariaDB_SuspiciousIpAnomaly
+SQL.MySQL_SuspiciousIpAnomaly)
+
+**Description**: Your resource has been accessed successfully from an IP address that Microsoft Threat Intelligence has associated with suspicious activity.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: PreAttack
+
+**Severity**: Medium
+
+> [!NOTE]
+> For alerts that are in preview: [!INCLUDE [Legalese](../../includes/defender-for-cloud-preview-legal-text.md)]
+
+## Next steps
+
+- [Security alerts in Microsoft Defender for Cloud](alerts-overview.md)
+- [Manage and respond to security alerts in Microsoft Defender for Cloud](managing-and-responding-alerts.yml)
+- [Continuously export Defender for Cloud data](continuous-export.md)
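Review bot: The description of "Log on from an unusual location" (SQL.MariaDB_GeoAnomaly and siblings) is a copy of the "Log on from an unusual Azure Data Center" text ("Someone logged on to your resource from an unusual Azure Data Center."), so the geo-anomaly alert never tells the reader what was unusual; it should describe a logon from an unusual geographic location. Also in this section: the three brute-force alerts ("using a valid user", "successful", and the plain "Suspected brute force attack") all carry the same identifiers SQL.PostgreSQL_BruteForce / SQL.MySQL_BruteForce / SQL.MariaDB_BruteForce, so a reader cannot map an identifier from an exported alert back to one entry; "Attempted logon by a potentially harmful application" gives "High/Medium" as the severity without saying which condition yields which; and the front matter at the top of the file (" Title:", "++ Last updated : 06/03/2024", a bare "++" line) looks garbled compared with the other articles in this change and should be checked for valid YAML before publishing.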
defender-for-cloud Alerts Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/alerts-reference.md
Title: Reference table for all security alerts
-description: This article lists the security alerts visible in Microsoft Defender for Cloud.
+ Title: Reference guide for security alerts
+description: This article links to the various security alerts visible in Microsoft Defender for Cloud.
Last updated 06/03/2024
ai-usage: ai-assisted
# Security alerts - a reference guide
-This article lists the security alerts you might get from Microsoft Defender for Cloud and any Microsoft Defender plans you enabled. The alerts shown in your environment depend on the resources and services you're protecting, and your customized configuration.
+This article provides links to pages listing the security alerts you may receive from Microsoft Defender for Cloud and any enabled Microsoft Defender plans. The alerts displayed in your environment depend on the resources and services you are protecting and your customized configuration.
> [!NOTE] > Some of the recently added alerts powered by Microsoft Defender Threat Intelligence and Microsoft Defender for Endpoint might be undocumented.
-At the bottom of this page, there's a table describing the Microsoft Defender for Cloud kill chain aligned with version 9 of the [MITRE ATT&CK matrix](https://attack.mitre.org/versions/v9/).
+This page also includes a table describing the Microsoft Defender for Cloud kill chain aligned with version 9 of the [MITRE ATT&CK matrix](https://attack.mitre.org/versions/v9/).
[Learn how to respond to these alerts](managing-and-responding-alerts.yml).
At the bottom of this page, there's a table describing the Microsoft Defender fo
> [!NOTE] > Alerts from different sources might take different amounts of time to appear. For example, alerts that require analysis of network traffic might take longer to appear than alerts related to suspicious processes running on virtual machines.
-## Alerts for Windows machines
-
-Microsoft Defender for Servers Plan 2 provides unique detections and alerts, in addition to the ones provided by Microsoft Defender for Endpoint. The alerts provided for Windows machines are:
-
-[Further details and notes](defender-for-servers-introduction.md)
-
-### **A logon from a malicious IP has been detected. [seen multiple times]**
-
-**Description**: A successful remote authentication for the account [account] and process [process] occurred, however the logon IP address (x.x.x.x) has previously been reported as malicious or highly unusual. A successful attack has probably occurred. Files with the .scr extensions are screen saver files and are normally reside and execute from the Windows system directory.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: High
-
-### **Adaptive application control policy violation was audited**
-
-VM_AdaptiveApplicationControlWindowsViolationAudited
-
-**Description**: The below users ran applications that are violating the application control policy of your organization on this machine. It can possibly expose the machine to malware or application vulnerabilities.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Execution
-
-**Severity**: Informational
-
-### **Addition of Guest account to Local Administrators group**
-
-**Description**: Analysis of host data has detected the addition of the built-in Guest account to the Local Administrators group on %{Compromised Host}, which is strongly associated with attacker activity.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Medium
-
-### **An event log was cleared**
-
-**Description**: Machine logs indicate a suspicious event log clearing operation by user: '%{user name}' in Machine: '%{CompromisedEntity}'. The %{log channel} log was cleared.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Informational
-
-### **Antimalware Action Failed**
-
-**Description**: Microsoft Antimalware has encountered an error when taking an action on malware or other potentially unwanted software.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Medium
-
-### **Antimalware Action Taken**
-
-**Description**: Microsoft Antimalware for Azure has taken an action to protect this machine from malware or other potentially unwanted software.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Medium
-
-### **Antimalware broad files exclusion in your virtual machine**
-
-(VM_AmBroadFilesExclusion)
-
-**Description**: Files exclusion from antimalware extension with broad exclusion rule was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Such exclusion practically disabling the Antimalware protection.
-Attackers might exclude files from the antimalware scan on your virtual machine to prevent detection while running arbitrary code or infecting the machine with malware.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Medium
-
-### **Antimalware disabled and code execution in your virtual machine**
-
-(VM_AmDisablementAndCodeExecution)
-
-**Description**: Antimalware disabled at the same time as code execution on your virtual machine. This was detected by analyzing Azure Resource Manager operations in your subscription.
-Attackers disable antimalware scanners to prevent detection while running unauthorized tools or infecting the machine with malware.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: High
-
-### **Antimalware disabled in your virtual machine**
-
-(VM_AmDisablement)
-
-**Description**: Antimalware disabled in your virtual machine. This was detected by analyzing Azure Resource Manager operations in your subscription.
-Attackers might disable the antimalware on your virtual machine to prevent detection.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Defense Evasion
-
-**Severity**: Medium
-
-### **Antimalware file exclusion and code execution in your virtual machine**
-
-(VM_AmFileExclusionAndCodeExecution)
-
-**Description**: File excluded from your antimalware scanner at the same time as code was executed via a custom script extension on your virtual machine. This was detected by analyzing Azure Resource Manager operations in your subscription.
-Attackers might exclude files from the antimalware scan on your virtual machine to prevent detection while running unauthorized tools or infecting the machine with malware.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Defense Evasion, Execution
-
-**Severity**: High
-
-### **Antimalware file exclusion and code execution in your virtual machine**
-
-(VM_AmTempFileExclusionAndCodeExecution)
-
-**Description**: Temporary file exclusion from antimalware extension in parallel to execution of code via custom script extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.
-Attackers might exclude files from the antimalware scan on your virtual machine to prevent detection while running arbitrary code or infecting the machine with malware.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Defense Evasion, Execution
-
-**Severity**: High
-
-### **Antimalware file exclusion in your virtual machine**
-
-(VM_AmTempFileExclusion)
-
-**Description**: File excluded from your antimalware scanner on your virtual machine. This was detected by analyzing Azure Resource Manager operations in your subscription.
-Attackers might exclude files from the antimalware scan on your virtual machine to prevent detection while running unauthorized tools or infecting the machine with malware.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Defense Evasion
-
-**Severity**: Medium
-
-### **Antimalware real-time protection was disabled in your virtual machine**
-
-(VM_AmRealtimeProtectionDisabled)
-
-**Description**: Real-time protection disablement of the antimalware extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.
-Attackers might disable real-time protection from the antimalware scan on your virtual machine to avoid detection while running arbitrary code or infecting the machine with malware.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Defense Evasion
-
-**Severity**: Medium
-
-### **Antimalware real-time protection was disabled temporarily in your virtual machine**
-
-(VM_AmTempRealtimeProtectionDisablement)
-
-**Description**: Real-time protection temporary disablement of the antimalware extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.
-Attackers might disable real-time protection from the antimalware scan on your virtual machine to avoid detection while running arbitrary code or infecting the machine with malware.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Defense Evasion
-
-**Severity**: Medium
-
-### **Antimalware real-time protection was disabled temporarily while code was executed in your virtual machine**
-
-(VM_AmRealtimeProtectionDisablementAndCodeExec)
-
-**Description**: Real-time protection temporary disablement of the antimalware extension in parallel to code execution via custom script extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.
-Attackers might disable real-time protection from the antimalware scan on your virtual machine to avoid detection while running arbitrary code or infecting the machine with malware.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: High
-
-### **Antimalware scans blocked for files potentially related to malware campaigns on your virtual machine (Preview)**
-
-(VM_AmMalwareCampaignRelatedExclusion)
-
-**Description**: An exclusion rule was detected in your virtual machine to prevent your antimalware extension scanning certain files that are suspected of being related to a malware campaign. The rule was detected by analyzing the Azure Resource Manager operations in your subscription. Attackers might exclude files from antimalware scans to prevent detection while running arbitrary code or infecting the machine with malware.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Defense Evasion
-
-**Severity**: Medium
-
-### **Antimalware temporarily disabled in your virtual machine**
-
-(VM_AmTemporarilyDisablement)
-
-**Description**: Antimalware temporarily disabled in your virtual machine. This was detected by analyzing Azure Resource Manager operations in your subscription.
-Attackers might disable the antimalware on your virtual machine to prevent detection.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Medium
-
-### **Antimalware unusual file exclusion in your virtual machine**
-
-(VM_UnusualAmFileExclusion)
-
-**Description**: Unusual file exclusion from antimalware extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.
-Attackers might exclude files from the antimalware scan on your virtual machine to prevent detection while running arbitrary code or infecting the machine with malware.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Defense Evasion
-
-**Severity**: Medium
-
-### **Communication with suspicious domain identified by threat intelligence**
-
-(AzureDNS_ThreatIntelSuspectDomain)
-
-**Description**: Communication with suspicious domain was detected by analyzing DNS transactions from your resource and comparing against known malicious domains identified by threat intelligence feeds. Communication to malicious domains is frequently performed by attackers and could imply that your resource is compromised.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Initial Access, Persistence, Execution, Command And Control, Exploitation
-
-**Severity**: Medium
-
-### **Detected actions indicative of disabling and deleting IIS log files**
-
-**Description**: Analysis of host data detected actions that show IIS log files being disabled and/or deleted.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Medium
-
-### **Detected anomalous mix of upper and lower case characters in command-line**
-
-**Description**: Analysis of host data on %{Compromised Host} detected a command line with anomalous mix of upper and lower case characters. This kind of pattern, while possibly benign, is also typical of attackers trying to hide from case-sensitive or hash-based rule matching when performing administrative tasks on a compromised host.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Medium
-
-### **Detected change to a registry key that can be abused to bypass UAC**
-
-**Description**: Analysis of host data on %{Compromised Host} detected that a registry key that can be abused to bypass UAC (User Account Control) was changed. This kind of configuration, while possibly benign, is also typical of attacker activity when trying to move from unprivileged (standard user) to privileged (for example administrator) access on a compromised host.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Medium
-
-### **Detected decoding of an executable using built-in certutil.exe tool**
-
-**Description**: Analysis of host data on %{Compromised Host} detected that certutil.exe, a built-in administrator utility, was being used to decode an executable instead of its mainstream purpose that relates to manipulating certificates and certificate data. Attackers are known to abuse functionality of legitimate administrator tools to perform malicious actions, for example using a tool such as certutil.exe to decode a malicious executable that will then be subsequently executed.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: High
-
-### **Detected enabling of the WDigest UseLogonCredential registry key**
-
-**Description**: Analysis of host data detected a change in the registry key HKLM\SYSTEM\ CurrentControlSet\Control\SecurityProviders\WDigest\ "UseLogonCredential". Specifically this key has been updated to allow logon credentials to be stored in clear text in LSA memory. Once enabled, an attacker can dump clear text passwords from LSA memory with credential harvesting tools such as Mimikatz.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Medium
-
-### **Detected encoded executable in command line data**
-
-**Description**: Analysis of host data on %{Compromised Host} detected a base-64 encoded executable. This has previously been associated with attackers attempting to construct executables on-the-fly through a sequence of commands, and attempting to evade intrusion detection systems by ensuring that no individual command would trigger an alert. This could be legitimate activity, or an indication of a compromised host.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: High
-
-### **Detected obfuscated command line**
-
-**Description**: Attackers use increasingly complex obfuscation techniques to evade detections that run against the underlying data. Analysis of host data on %{Compromised Host} detected suspicious indicators of obfuscation on the commandline.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Informational
-
-### **Detected possible execution of keygen executable**
-
-**Description**: Analysis of host data on %{Compromised Host} detected execution of a process whose name is indicative of a keygen tool; such tools are typically used to defeat software licensing mechanisms but their download is often bundled with other malicious software. Activity group GOLD has been known to make use of such keygens to covertly gain back door access to hosts that they compromise.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Medium
-
-### **Detected possible execution of malware dropper**
-
-**Description**: Analysis of host data on %{Compromised Host} detected a filename that has previously been associated with one of activity group GOLD's methods of installing malware on a victim host.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: High
-
-### **Detected possible local reconnaissance activity**
-
-**Description**: Analysis of host data on %{Compromised Host} detected a combination of systeminfo commands that has previously been associated with one of activity group GOLD's methods of performing reconnaissance activity. While 'systeminfo.exe' is a legitimate Windows tool, executing it twice in succession in the way that has occurred here is rare.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Low
-
-### **Detected potentially suspicious use of Telegram tool**
-
-**Description**: Analysis of host data shows installation of Telegram, a free cloud-based instant messaging service that exists both for mobile and desktop system. Attackers are known to abuse this service to transfer malicious binaries to any other computer, phone, or tablet.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Medium
-
-### **Detected suppression of legal notice displayed to users at logon**
-
-**Description**: Analysis of host data on %{Compromised Host} detected changes to the registry key that controls whether a legal notice is displayed to users when they log on. Microsoft security analysis has determined that this is a common activity undertaken by attackers after having compromised a host.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Low
-
-### **Detected suspicious combination of HTA and PowerShell**
-
-**Description**: mshta.exe (Microsoft HTML Application Host) which is a signed Microsoft binary is being used by the attackers to launch malicious PowerShell commands. Attackers often resort to having an HTA file with inline VBScript. When a victim browses to the HTA file and chooses to run it, the PowerShell commands and scripts that it contains are executed. Analysis of host data on %{Compromised Host} detected mshta.exe launching PowerShell commands.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Medium
-
-### **Detected suspicious commandline arguments**
-
-**Description**: Analysis of host data on %{Compromised Host} detected suspicious commandline arguments that have been used in conjunction with a reverse shell used by activity group HYDROGEN.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: High
-
-### **Detected suspicious commandline used to start all executables in a directory**
-
-**Description**: Analysis of host data has detected a suspicious process running on %{Compromised Host}. The commandline indicates an attempt to start all executables (*.exe) that might reside in a directory. This could be an indication of a compromised host.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Medium
-
-### **Detected suspicious credentials in commandline**
-
-**Description**: Analysis of host data on %{Compromised Host} detected a suspicious password being used to execute a file by activity group BORON. This activity group has been known to use this password to execute Pirpi malware on a victim host.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: High
-
-### **Detected suspicious document credentials**
-
-**Description**: Analysis of host data on %{Compromised Host} detected a suspicious, common precomputed password hash used by malware being used to execute a file. Activity group HYDROGEN has been known to use this password to execute malware on a victim host.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: High
-
-### **Detected suspicious execution of VBScript.Encode command**
-
-**Description**: Analysis of host data on %{Compromised Host} detected the execution of VBScript.Encode command. This encodes the scripts into unreadable text, making it more difficult for users to examine the code. Microsoft threat research shows that attackers often use encoded VBscript files as part of their attack to evade detection systems. This could be legitimate activity, or an indication of a compromised host.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Medium
-
-### **Detected suspicious execution via rundll32.exe**
-
-**Description**: Analysis of host data on %{Compromised Host} detected rundll32.exe being used to execute a process with an uncommon name, consistent with the process naming scheme previously seen used by activity group GOLD when installing their first stage implant on a compromised host.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: High
-
-### **Detected suspicious file cleanup commands**
-
-**Description**: Analysis of host data on %{Compromised Host} detected a combination of systeminfo commands that has previously been associated with one of activity group GOLD's methods of performing post-compromise self-cleanup activity. While 'systeminfo.exe' is a legitimate Windows tool, executing it twice in succession, followed by a delete command in the way that has occurred here is rare.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: High
-
-### **Detected suspicious file creation**
-
-**Description**: Analysis of host data on %{Compromised Host} detected creation or execution of a process that has previously indicated post-compromise action taken on a victim host by activity group BARIUM. This activity group has been known to use this technique to download more malware to a compromised host after an attachment in a phishing doc has been opened.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: High
-
-### **Detected suspicious named pipe communications**
-
-**Description**: Analysis of host data on %{Compromised Host} detected data being written to a local named pipe from a Windows console command. Named pipes are known to be a channel used by attackers to task and communicate with a malicious implant. This could be legitimate activity, or an indication of a compromised host.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: High
-
-### **Detected suspicious network activity**
-
-**Description**: Analysis of network traffic from %{Compromised Host} detected suspicious network activity. Such traffic, while possibly benign, is typically used by an attacker to communicate with malicious servers for downloading of tools, command-and-control and exfiltration of data. Typical related attacker activity includes copying remote administration tools to a compromised host and exfiltrating user data from it.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Low
-
-### **Detected suspicious new firewall rule**
-
-**Description**: Analysis of host data detected a new firewall rule has been added via netsh.exe to allow traffic from an executable in a suspicious location.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Medium
-
-### **Detected suspicious use of Cacls to lower the security state of the system**
-
-**Description**: Attackers use myriad ways like brute force, spear phishing etc. to achieve initial compromise and get a foothold on the network. Once initial compromise is achieved they often take steps to lower the security settings of a system. Cacls—short for change access control list is Microsoft Windows native command-line utility often used for modifying the security permission on folders and files. A lot of time the binary is used by the attackers to lower the security settings of a system. This is done by giving Everyone full access to some of the system binaries like ftp.exe, net.exe, wscript.exe etc. Analysis of host data on %{Compromised Host} detected suspicious use of Cacls to lower the security of a system.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Medium
-
-### **Detected suspicious use of FTP -s Switch**
-
-**Description**: Analysis of process creation data from the %{Compromised Host} detected the use of the FTP "-s:filename" switch. This switch is used to specify an FTP script file for the client to run. Malware or malicious processes are known to use this FTP switch (-s:filename) to point to a script file, which is configured to connect to a remote FTP server and download more malicious binaries.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Medium
-
-### **Detected suspicious use of Pcalua.exe to launch executable code**
-
-**Description**: Analysis of host data on %{Compromised Host} detected the use of pcalua.exe to launch executable code. Pcalua.exe is component of the Microsoft Windows "Program Compatibility Assistant", which detects compatibility issues during the installation or execution of a program. Attackers are known to abuse functionality of legitimate Windows system tools to perform malicious actions, for example using pcalua.exe with the -a switch to launch malicious executables either locally or from remote shares.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Medium
-
-### **Detected the disabling of critical services**
-
-**Description**: The analysis of host data on %{Compromised Host} detected execution of "net.exe stop" command being used to stop critical services like SharedAccess or the Windows Security app. The stopping of either of these services can be indication of a malicious behavior.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Medium
-
-### **Digital currency mining related behavior detected**
-
-**Description**: Analysis of host data on %{Compromised Host} detected the execution of a process or command normally associated with digital currency mining.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: High
-
-### **Dynamic PS script construction**
-
-**Description**: Analysis of host data on %{Compromised Host} detected a PowerShell script being constructed dynamically. Attackers sometimes use this approach of progressively building up a script in order to evade IDS systems. This could be legitimate activity, or an indication that one of your machines has been compromised.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Medium
-
-### **Executable found running from a suspicious location**
-
-**Description**: Analysis of host data detected an executable file on %{Compromised Host} that is running from a location in common with known suspicious files. This executable could either be legitimate activity, or an indication of a compromised host.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: High
-
-### **Fileless attack behavior detected**
-
-(VM_FilelessAttackBehavior.Windows)
-
-**Description**: The memory of the process specified contains behaviors commonly used by fileless attacks. Specific behaviors include:
-
-1) Shellcode, which is a small piece of code typically used as the payload in the exploitation of a software vulnerability.
-2) Active network connections. See NetworkConnections below for details.
-3) Function calls to security sensitive operating system interfaces. See Capabilities below for referenced OS capabilities.
-4) Contains a thread that was started in a dynamically allocated code segment. This is a common pattern for process injection attacks.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Defense Evasion
-
-**Severity**: Low
-
-### **Fileless attack technique detected**
-
-(VM_FilelessAttackTechnique.Windows)
-
-**Description**: The memory of the process specified below contains evidence of a fileless attack technique. Fileless attacks are used by attackers to execute code while evading detection by security software. Specific behaviors include:
-
-1) Shellcode, which is a small piece of code typically used as the payload in the exploitation of a software vulnerability.
-2) Executable image injected into the process, such as in a code injection attack.
-3) Active network connections. See NetworkConnections below for details.
-4) Function calls to security sensitive operating system interfaces. See Capabilities below for referenced OS capabilities.
-5) Process hollowing, which is a technique used by malware in which a legitimate process is loaded on the system to act as a container for hostile code.
-6) Contains a thread that was started in a dynamically allocated code segment. This is a common pattern for process injection attacks.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Defense Evasion, Execution
-
-**Severity**: High
-
-### **Fileless attack toolkit detected**
-
-(VM_FilelessAttackToolkit.Windows)
-
-**Description**: The memory of the process specified contains a fileless attack toolkit: [toolkit name]. Fileless attack toolkits use techniques that minimize or eliminate traces of malware on disk, and greatly reduce the chances of detection by disk-based malware scanning solutions. Specific behaviors include:
-
-1) Well-known toolkits and crypto mining software.
-2) Shellcode, which is a small piece of code typically used as the payload in the exploitation of a software vulnerability.
-3) Injected malicious executable in process memory.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Defense Evasion, Execution
-
-**Severity**: Medium
-
-### **High risk software detected**
-
-**Description**: Analysis of host data from %{Compromised Host} detected the usage of software that has been associated with the installation of malware in the past. A common technique utilized in the distribution of malicious software is to package it within otherwise benign tools such as the one seen in this alert. When you use these tools, the malware can be silently installed in the background.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Medium
-
-### **Local Administrators group members were enumerated**
-
-**Description**: Machine logs indicate a successful enumeration on group %{Enumerated Group Domain Name}\%{Enumerated Group Name}. Specifically, %{Enumerating User Domain Name}\%{Enumerating User Name} remotely enumerated the members of the %{Enumerated Group Domain Name}\%{Enumerated Group Name} group. This activity could either be legitimate activity, or an indication that a machine in your organization has been compromised and used to reconnaissance %{vmname}.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Informational
-
-### **Malicious firewall rule created by ZINC server implant [seen multiple times]**
-
-**Description**: A firewall rule was created using techniques that match a known actor, ZINC. The rule was possibly used to open a port on %{Compromised Host} to allow for Command & Control communications. This behavior was seen [x] times today on the following machines: [Machine names]
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: High
-
-### **Malicious SQL activity**
-
-**Description**: Machine logs indicate that '%{process name}' was executed by account: %{user name}. This activity is considered malicious.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: High
-
-### **Multiple Domain Accounts Queried**
-
-**Description**: Analysis of host data has determined that an unusual number of distinct domain accounts are being queried within a short time period from %{Compromised Host}. This kind of activity could be legitimate, but can also be an indication of compromise.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Medium
-
-### **Possible credential dumping detected [seen multiple times]**
-
-**Description**: Analysis of host data has detected use of native windows tool (for example, sqldumper.exe) being used in a way that allows to extract credentials from memory. Attackers often use these techniques to extract credentials that they then further use for lateral movement and privilege escalation. This behavior was seen [x] times today on the following machines: [Machine names]
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Medium
-
-### **Potential attempt to bypass AppLocker detected**
-
-**Description**: Analysis of host data on %{Compromised Host} detected a potential attempt to bypass AppLocker restrictions. AppLocker can be configured to implement a policy that limits what executables are allowed to run on a Windows system. The command-line pattern similar to that identified in this alert has been previously associated with attacker attempts to circumvent AppLocker policy by using trusted executables (allowed by AppLocker policy) to execute untrusted code. This could be legitimate activity, or an indication of a compromised host.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: High
-
-### **Rare SVCHOST service group executed**
-
-(VM_SvcHostRunInRareServiceGroup)
-
-**Description**: The system process SVCHOST was observed running a rare service group. Malware often uses SVCHOST to masquerade its malicious activity.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Defense Evasion, Execution
-
-**Severity**: Informational
-
-### **Sticky keys attack detected**
-
-**Description**: Analysis of host data indicates that an attacker might be subverting an accessibility binary (for example sticky keys, onscreen keyboard, narrator) in order to provide backdoor access to the host %{Compromised Host}.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Medium
-
-### **Successful brute force attack**
-
-(VM_LoginBruteForceSuccess)
-
-**Description**: Several sign in attempts were detected from the same source. Some successfully authenticated to the host.
-This resembles a burst attack, in which an attacker performs numerous authentication attempts to find valid account credentials.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Exploitation
-
-**Severity**: Medium/High
-
-### **Suspect integrity level indicative of RDP hijacking**
-
-**Description**: Analysis of host data has detected the tscon.exe running with SYSTEM privileges - this can be indicative of an attacker abusing this binary in order to switch context to any other logged on user on this host; it's a known attacker technique to compromise more user accounts and move laterally across a network.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Medium
-
-### **Suspect service installation**
-
-**Description**: Analysis of host data has detected the installation of tscon.exe as a service: this binary being started as a service potentially allows an attacker to trivially switch to any other logged on user on this host by hijacking RDP connections; it's a known attacker technique to compromise more user accounts and move laterally across a network.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Medium
-
-### **Suspected Kerberos Golden Ticket attack parameters observed**
-
-**Description**: Analysis of host data detected commandline parameters consistent with a Kerberos Golden Ticket attack.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Medium
-
-### **Suspicious Account Creation Detected**
-
-**Description**: Analysis of host data on %{Compromised Host} detected creation or use of a local account %{Suspicious account name} : this account name closely resembles a standard Windows account or group name '%{Similar To Account Name}'. This is potentially a rogue account created by an attacker, so named in order to avoid being noticed by a human administrator.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Medium
-
-### **Suspicious Activity Detected**
-
-(VM_SuspiciousActivity)
-
-**Description**: Analysis of host data has detected a sequence of one or more processes running on %{machine name} that have historically been associated with malicious activity. While individual commands might appear benign the alert is scored based on an aggregation of these commands. This could either be legitimate activity, or an indication of a compromised host.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Execution
-
-**Severity**: Medium
-
-### **Suspicious authentication activity**
-
-(VM_LoginBruteForceValidUserFailed)
-
-**Description**: Although none of them succeeded, some of them used accounts were recognized by the host. This resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host. This indicates that some of your host account names might exist in a well-known account name dictionary.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Probing
-
-**Severity**: Medium
-
-### **Suspicious code segment detected**
-
-**Description**: Indicates that a code segment has been allocated by using non-standard methods, such as reflective injection and process hollowing. The alert provides more characteristics of the code segment that have been processed to provide context for the capabilities and behaviors of the reported code segment.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Medium
-
-### **Suspicious double extension file executed**
-
-**Description**: Analysis of host data indicates an execution of a process with a suspicious double extension. This extension might trick users into thinking files are safe to be opened and might indicate the presence of malware on the system.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: High
-
-### **Suspicious download using Certutil detected [seen multiple times]**
-
-**Description**: Analysis of host data on %{Compromised Host} detected the use of certutil.exe, a built-in administrator utility, for the download of a binary instead of its mainstream purpose that relates to manipulating certificates and certificate data. Attackers are known to abuse functionality of legitimate administrator tools to perform malicious actions, for example using certutil.exe to download and decode a malicious executable that will then be subsequently executed. This behavior was seen [x] times today on the following machines: [Machine names]
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Medium
-
-### **Suspicious download using Certutil detected**
-
-**Description**: Analysis of host data on %{Compromised Host} detected the use of certutil.exe, a built-in administrator utility, for the download of a binary instead of its mainstream purpose that relates to manipulating certificates and certificate data. Attackers are known to abuse functionality of legitimate administrator tools to perform malicious actions, for example using certutil.exe to download and decode a malicious executable that will then be subsequently executed.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Medium
-
-### **Suspicious PowerShell Activity Detected**
-
-**Description**: Analysis of host data detected a PowerShell script running on %{Compromised Host} that has features in common with known suspicious scripts. This script could either be legitimate activity, or an indication of a compromised host.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: High
-
-### **Suspicious PowerShell cmdlets executed**
-
-**Description**: Analysis of host data indicates execution of known malicious PowerShell PowerSploit cmdlets.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Medium
-
-### **Suspicious process executed [seen multiple times]**
-
-**Description**: Machine logs indicate that the suspicious process: '%{Suspicious Process}' was running on the machine, often associated with attacker attempts to access credentials. This behavior was seen [x] times today on the following machines: [Machine names]
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: High
-
-### **Suspicious process executed**
-
-**Description**: Machine logs indicate that the suspicious process: '%{Suspicious Process}' was running on the machine, often associated with attacker attempts to access credentials.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: High
-
-### **Suspicious process name detected [seen multiple times]**
-
-**Description**: Analysis of host data on %{Compromised Host} detected a process whose name is suspicious, for example corresponding to a known attacker tool or named in a way that is suggestive of attacker tools that try to hide in plain sight. This process could be legitimate activity, or an indication that one of your machines has been compromised. This behavior was seen [x] times today on the following machines: [Machine names]
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Medium
-
-### **Suspicious process name detected**
-
-**Description**: Analysis of host data on %{Compromised Host} detected a process whose name is suspicious, for example corresponding to a known attacker tool or named in a way that is suggestive of attacker tools that try to hide in plain sight. This process could be legitimate activity, or an indication that one of your machines has been compromised.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Medium
-
-### **Suspicious SQL activity**
-
-**Description**: Machine logs indicate that '%{process name}' was executed by account: %{user name}. This activity is uncommon with this account.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Medium
-
-### **Suspicious SVCHOST process executed**
-
-**Description**: The system process SVCHOST was observed running in an abnormal context. Malware often uses SVCHOST to masquerade its malicious activity.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: High
-
-### **Suspicious system process executed**
-
-(VM_SystemProcessInAbnormalContext)
-
-**Description**: The system process %{process name} was observed running in an abnormal context. Malware often uses this process name to masquerade its malicious activity.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Defense Evasion, Execution
-
-**Severity**: High
-
-### **Suspicious Volume Shadow Copy Activity**
-
-**Description**: Analysis of host data has detected a shadow copy deletion activity on the resource. Volume Shadow Copy (VSC) is an important artifact that stores data snapshots. Some malware and specifically Ransomware, targets VSC to sabotage backup strategies.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: High
-
-### **Suspicious WindowPosition registry value detected**
-
-**Description**: Analysis of host data on %{Compromised Host} detected an attempted WindowPosition registry configuration change that could be indicative of hiding application windows in nonvisible sections of the desktop. This could be legitimate activity, or an indication of a compromised machine: this type of activity has been previously associated with known adware (or unwanted software) such as Win32/OneSystemCare and Win32/SystemHealer and malware such as Win32/Creprote. When the WindowPosition value is set to 201329664, (Hex: 0x0c00 0c00, corresponding to X-axis=0c00 and the Y-axis=0c00) this places the console app's window in a non-visible section of the user's screen in an area that is hidden from view below the visible start menu/taskbar. Known suspect Hex value includes, but not limited to c000c000.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Low
-
-### **Suspiciously named process detected**
-
-**Description**: Analysis of host data on %{Compromised Host} detected a process whose name is very similar to but different from a very commonly run process (%{Similar To Process Name}). While this process could be benign attackers are known to sometimes hide in plain sight by naming their malicious tools to resemble legitimate process names.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Medium
-
-### **Unusual config reset in your virtual machine**
-
-(VM_VMAccessUnusualConfigReset)
-
-**Description**: An unusual config reset was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.
-While this action might be legitimate, attackers can try utilizing VM Access extension to reset the configuration in your virtual machine and compromise it.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Credential Access
-
-**Severity**: Medium
-
-### **Unusual process execution detected**
-
-**Description**: Analysis of host data on %{Compromised Host} detected the execution of a process by %{User Name} that was unusual. Accounts such as %{User Name} tend to perform a limited set of operations, this execution was determined to be out of character and might be suspicious.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: High
-
-### **Unusual user password reset in your virtual machine**
-
-(VM_VMAccessUnusualPasswordReset)
-
-**Description**: An unusual user password reset was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.
-While this action might be legitimate, attackers can try utilizing the VM Access extension to reset the credentials of a local user in your virtual machine and compromise it.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Credential Access
-
-**Severity**: Medium
-
-### **Unusual user SSH key reset in your virtual machine**
-
-(VM_VMAccessUnusualSSHReset)
-
-**Description**: An unusual user SSH key reset was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.
-While this action might be legitimate, attackers can try utilizing VM Access extension to reset SSH key of a user account in your virtual machine and compromise it.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Credential Access
-
-**Severity**: Medium
-
-### **VBScript HTTP object allocation detected**
-
-**Description**: Creation of a VBScript file using Command Prompt has been detected. The following script contains HTTP object allocation command. This action can be used to download malicious files.
-
-### **Suspicious installation of GPU extension in your virtual machine (Preview)**
-
- (VM_GPUDriverExtensionUnusualExecution)
-
-**Description**: Suspicious installation of a GPU extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Attackers might use the GPU driver extension to install GPU drivers on your virtual machine via the Azure Resource Manager to perform cryptojacking.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Impact
-
-**Severity**: Low
-
-### **AzureHound tool invocation detected**
-
-(ARM_AzureHound)
-
-**Description**: AzureHound was run in your subscription and performed information gathering operations to enumerate resources. Threat actors use automated tools, like AzureHound, to enumerate resources and use them to access sensitive data or perform lateral movement. This was detected by analyzing Azure Resource Manager operations in your subscription. This operation might indicate that an identity in your organization was breached, and that the threat actor is trying to compromise your environment.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Discovery
-
-**Severity**: Medium
-
-## Alerts for Linux machines
-
-Microsoft Defender for Servers Plan 2 provides unique detections and alerts, in addition to the ones provided by Microsoft Defender for Endpoint. The alerts provided for Linux machines are:
-
-[Further details and notes](defender-for-servers-introduction.md)
-
-### **a history file has been cleared**
-
-**Description**: Analysis of host data indicates that the command history log file has been cleared. Attackers might do this to cover their traces. The operation was performed by user: '%{user name}'.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Medium
-
-### **Adaptive application control policy violation was audited**
-
-(VM_AdaptiveApplicationControlLinuxViolationAudited)
-
-**Description**: The below users ran applications that are violating the application control policy of your organization on this machine. It can possibly expose the machine to malware or application vulnerabilities.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Execution
-
-**Severity**: Informational
-
-### **Antimalware broad files exclusion in your virtual machine**
-
-(VM_AmBroadFilesExclusion)
-
-**Description**: Files exclusion from antimalware extension with broad exclusion rule was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Such exclusion practically disabling the Antimalware protection.
-Attackers might exclude files from the antimalware scan on your virtual machine to prevent detection while running arbitrary code or infecting the machine with malware.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Medium
-
-### **Antimalware disabled and code execution in your virtual machine**
-
-(VM_AmDisablementAndCodeExecution)
-
-**Description**: Antimalware disabled at the same time as code execution on your virtual machine. This was detected by analyzing Azure Resource Manager operations in your subscription.
-Attackers disable antimalware scanners to prevent detection while running unauthorized tools or infecting the machine with malware.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: High
-
-### **Antimalware disabled in your virtual machine**
-
-(VM_AmDisablement)
-
-**Description**: Antimalware disabled in your virtual machine. This was detected by analyzing Azure Resource Manager operations in your subscription.
-Attackers might disable the antimalware on your virtual machine to prevent detection.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Defense Evasion
-
-**Severity**: Medium
-
-### **Antimalware file exclusion and code execution in your virtual machine**
-
-(VM_AmFileExclusionAndCodeExecution)
-
-**Description**: File excluded from your antimalware scanner at the same time as code was executed via a custom script extension on your virtual machine. This was detected by analyzing Azure Resource Manager operations in your subscription.
-Attackers might exclude files from the antimalware scan on your virtual machine to prevent detection while running unauthorized tools or infecting the machine with malware.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Defense Evasion, Execution
-
-**Severity**: High
-
-### **Antimalware file exclusion and code execution in your virtual machine**
-
-(VM_AmTempFileExclusionAndCodeExecution)
-
-**Description**: Temporary file exclusion from antimalware extension in parallel to execution of code via custom script extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.
-Attackers might exclude files from the antimalware scan on your virtual machine to prevent detection while running arbitrary code or infecting the machine with malware.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Defense Evasion, Execution
-
-**Severity**: High
-
-### **Antimalware file exclusion in your virtual machine**
-
-(VM_AmTempFileExclusion)
-
-**Description**: File excluded from your antimalware scanner on your virtual machine. This was detected by analyzing Azure Resource Manager operations in your subscription.
-Attackers might exclude files from the antimalware scan on your virtual machine to prevent detection while running unauthorized tools or infecting the machine with malware.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Defense Evasion
-
-**Severity**: Medium
-
-### **Antimalware real-time protection was disabled in your virtual machine**
-
-(VM_AmRealtimeProtectionDisabled)
-
-**Description**: Real-time protection disablement of the antimalware extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.
-Attackers might disable real-time protection from the antimalware scan on your virtual machine to avoid detection while running arbitrary code or infecting the machine with malware.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Defense Evasion
-
-**Severity**: Medium
-
-### **Antimalware real-time protection was disabled temporarily in your virtual machine**
-
-(VM_AmTempRealtimeProtectionDisablement)
-
-**Description**: Real-time protection temporary disablement of the antimalware extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.
-Attackers might disable real-time protection from the antimalware scan on your virtual machine to avoid detection while running arbitrary code or infecting the machine with malware.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Defense Evasion
-
-**Severity**: Medium
-
-### **Antimalware real-time protection was disabled temporarily while code was executed in your virtual machine**
-
-(VM_AmRealtimeProtectionDisablementAndCodeExec)
-
-**Description**: Real-time protection temporary disablement of the antimalware extension in parallel to code execution via custom script extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.
-Attackers might disable real-time protection from the antimalware scan on your virtual machine to avoid detection while running arbitrary code or infecting the machine with malware.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: High
-
-### **Antimalware scans blocked for files potentially related to malware campaigns on your virtual machine (Preview)**
-
-(VM_AmMalwareCampaignRelatedExclusion)
-
-**Description**: An exclusion rule was detected in your virtual machine to prevent your antimalware extension scanning certain files that are suspected of being related to a malware campaign. The rule was detected by analyzing the Azure Resource Manager operations in your subscription. Attackers might exclude files from antimalware scans to prevent detection while running arbitrary code or infecting the machine with malware.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Defense Evasion
-
-**Severity**: Medium
-
-### **Antimalware temporarily disabled in your virtual machine**
-
-(VM_AmTemporarilyDisablement)
-
-**Description**: Antimalware temporarily disabled in your virtual machine. This was detected by analyzing Azure Resource Manager operations in your subscription.
-Attackers might disable the antimalware on your virtual machine to prevent detection.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Medium
-
-### **Antimalware unusual file exclusion in your virtual machine**
-
-(VM_UnusualAmFileExclusion)
-
-**Description**: Unusual file exclusion from antimalware extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.
-Attackers might exclude files from the antimalware scan on your virtual machine to prevent detection while running arbitrary code or infecting the machine with malware.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Defense Evasion
-
-**Severity**: Medium
-
-### **Behavior similar to ransomware detected [seen multiple times]**
-
-**Description**: Analysis of host data on %{Compromised Host} detected the execution of files that have resemblance of known ransomware that can prevent users from accessing their system or personal files, and demands ransom payment in order to regain access. This behavior was seen [x] times today on the following machines: [Machine names]
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: High
-
-### **Communication with suspicious domain identified by threat intelligence**
-
-(AzureDNS_ThreatIntelSuspectDomain)
-
-**Description**: Communication with suspicious domain was detected by analyzing DNS transactions from your resource and comparing against known malicious domains identified by threat intelligence feeds. Communication to malicious domains is frequently performed by attackers and could imply that your resource is compromised.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Initial Access, Persistence, Execution, Command And Control, Exploitation
-
-**Severity**: Medium
-
-### **Container with a miner image detected**
-
-(VM_MinerInContainerImage)
-
-**Description**: Machine logs indicate execution of a Docker container that runs an image associated with a digital currency mining.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Execution
-
-**Severity**: High
-
-### **Detected anomalous mix of upper and lower case characters in command line**
-
-**Description**: Analysis of host data on %{Compromised Host} detected a command line with anomalous mix of upper and lower case characters. This kind of pattern, while possibly benign, is also typical of attackers trying to hide from case-sensitive or hash-based rule matching when performing administrative tasks on a compromised host.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Medium
-
-### **Detected file download from a known malicious source**
-
-**Description**: Analysis of host data has detected the download of a file from a known malware source on %{Compromised Host}.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Medium
-
-### **Detected suspicious network activity**
-
-**Description**: Analysis of network traffic from %{Compromised Host} detected suspicious network activity. Such traffic, while possibly benign, is typically used by an attacker to communicate with malicious servers for downloading of tools, command-and-control and exfiltration of data. Typical related attacker activity includes copying remote administration tools to a compromised host and exfiltrating user data from it.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Low
-
-### **Digital currency mining related behavior detected**
-
-**Description**: Analysis of host data on %{Compromised Host} detected the execution of a process or command normally associated with digital currency mining.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: High
-
-### **Disabling of auditd logging [seen multiple times]**
-
-**Description**: The Linux Audit system provides a way to track security-relevant information on the system. It records as much information about the events that are happening on your system as possible. Disabling auditd logging could hamper discovering violations of security policies used on the system. This behavior was seen [x] times today on the following machines: [Machine names]
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Low
-
-### **Exploitation of Xorg vulnerability [seen multiple times]**
-
-**Description**: Analysis of host data on %{Compromised Host} detected the user of Xorg with suspicious arguments. Attackers might use this technique in privilege escalation attempts. This behavior was seen [x] times today on the following machines: [Machine names]
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Medium
-
-### **Failed SSH brute force attack**
-
-(VM_SshBruteForceFailed)
-
-**Description**: Failed brute force attacks were detected from the following attackers: %{Attackers}. Attackers were trying to access the host with the following user names: %{Accounts used on failed sign in to host attempts}.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Probing
-
-**Severity**: Medium
-
-### **Fileless Attack Behavior Detected**
-
-(VM_FilelessAttackBehavior.Linux)
-
-**Description**: The memory of the process specified below contains behaviors commonly used by fileless attacks.
-Specific behaviors include: {list of observed behaviors}
-
-**[MITRE tactics](#mitre-attck-tactics)**: Execution
-
-**Severity**: Low
-
-### **Fileless Attack Technique Detected**
-
-(VM_FilelessAttackTechnique.Linux)
-
-**Description**: The memory of the process specified below contains evidence of a fileless attack technique. Fileless attacks are used by attackers to execute code while evading detection by security software.
-Specific behaviors include: {list of observed behaviors}
-
-**[MITRE tactics](#mitre-attck-tactics)**: Execution
-
-**Severity**: High
-
-### **Fileless Attack Toolkit Detected**
-
-(VM_FilelessAttackToolkit.Linux)
-
-**Description**: The memory of the process specified below contains a fileless attack toolkit: {ToolKitName}. Fileless attack toolkits typically don't have a presence on the filesystem, making detection by traditional anti-virus software difficult.
-Specific behaviors include: {list of observed behaviors}
-
-**[MITRE tactics](#mitre-attck-tactics)**: Defense Evasion, Execution
-
-**Severity**: High
-
-### **Hidden file execution detected**
-
-**Description**: Analysis of host data indicates that a hidden file was executed by %{user name}. This activity could either be legitimate activity, or an indication of a compromised host.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Informational
-
-### **New SSH key added [seen multiple times]**
-
-(VM_SshKeyAddition)
-
-**Description**: A new SSH key was added to the authorized keys file. This behavior was seen [x] times today on the following machines: [Machine names]
-
-**[MITRE tactics](#mitre-attck-tactics)**: Persistence
-
-**Severity**: Low
-
-### **New SSH key added**
-
-**Description**: A new SSH key was added to the authorized keys file.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Low
-
-### **Possible backdoor detected [seen multiple times]**
-
-**Description**: Analysis of host data has detected a suspicious file being downloaded then run on %{Compromised Host} in your subscription. This activity has previously been associated with installation of a backdoor. This behavior was seen [x] times today on the following machines: [Machine names]
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Medium
-
-### **Possible exploitation of the mailserver detected**
-
-(VM_MailserverExploitation )
-
-**Description**: Analysis of host data on %{Compromised Host} detected an unusual execution under the mail server account
-
-**[MITRE tactics](#mitre-attck-tactics)**: Exploitation
-
-**Severity**: Medium
-
-### **Possible malicious web shell detected**
-
-**Description**: Analysis of host data on %{Compromised Host} detected a possible web shell. Attackers will often upload a web shell to a machine they've compromised to gain persistence or for further exploitation.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Medium
-
-### **Possible password change using crypt-method detected [seen multiple times]**
-
-**Description**: Analysis of host data on %{Compromised Host} detected password change using crypt method. Attackers can make this change to continue access and gaining persistence after compromise. This behavior was seen [x] times today on the following machines: [Machine names]
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Medium
-
-### **Process associated with digital currency mining detected [seen multiple times]**
-
-**Description**: Analysis of host data on %{Compromised Host} detected the execution of a process normally associated with digital currency mining. This behavior was seen over 100 times today on the following machines: [Machine name]
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Medium
-
-### **Process associated with digital currency mining detected**
-
-**Description**: Host data analysis detected the execution of a process that is normally associated with digital currency mining.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Exploitation, Execution
-
-**Severity**: Medium
-
-### **Python encoded downloader detected [seen multiple times]**
-
-**Description**: Analysis of host data on %{Compromised Host} detected the execution of encoded Python that downloads and runs code from a remote location. This might be an indication of malicious activity. This behavior was seen [x] times today on the following machines: [Machine names]
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Low
-
-### **Screenshot taken on host [seen multiple times]**
-
-**Description**: Analysis of host data on %{Compromised Host} detected the user of a screen capture tool. Attackers might use these tools to access private data. This behavior was seen [x] times today on the following machines: [Machine names]
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Low
-
-### **Shellcode detected [seen multiple times]**
-
-**Description**: Analysis of host data on %{Compromised Host} detected shellcode being generated from the command line. This process could be legitimate activity, or an indication that one of your machines has been compromised. This behavior was seen [x] times today on the following machines: [Machine names]
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Medium
-
-### **Successful SSH brute force attack**
-
-(VM_SshBruteForceSuccess)
-
-**Description**: Analysis of host data has detected a successful brute force attack. The IP %{Attacker source IP} was seen making multiple login attempts. Successful logins were made from that IP with the following user(s): %{Accounts used to successfully sign in to host}. This means that the host might be compromised and controlled by a malicious actor.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Exploitation
-
-**Severity**: High
-
-### **Suspicious Account Creation Detected**
-
-**Description**: Analysis of host data on %{Compromised Host} detected creation or use of a local account %{Suspicious account name} : this account name closely resembles a standard Windows account or group name '%{Similar To Account Name}'. This is potentially a rogue account created by an attacker, so named in order to avoid being noticed by a human administrator.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Medium
-
-### **Suspicious kernel module detected [seen multiple times]**
-
-**Description**: Analysis of host data on %{Compromised Host} detected a shared object file being loaded as a kernel module. This could be legitimate activity, or an indication that one of your machines has been compromised. This behavior was seen [x] times today on the following machines: [Machine names]
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Medium
-
-### **Suspicious password access [seen multiple times]**
-
-**Description**: Analysis of host data has detected suspicious access to encrypted user passwords on %{Compromised Host}. This behavior was seen [x] times today on the following machines: [Machine names]
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Informational
-
-### **Suspicious password access**
-
-**Description**: Analysis of host data has detected suspicious access to encrypted user passwords on %{Compromised Host}.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Informational
-
-### **Suspicious request to the Kubernetes Dashboard**
-
-(VM_KubernetesDashboard)
-
-**Description**: Machine logs indicate that a suspicious request was made to the Kubernetes Dashboard. The request was sent from a Kubernetes node, possibly from one of the containers running in the node. Although this behavior can be intentional, it might indicate that the node is running a compromised container.
-
-**[MITRE tactics](#mitre-attck-tactics)**: LateralMovement
-
-**Severity**: Medium
-
-### **Unusual config reset in your virtual machine**
-
-(VM_VMAccessUnusualConfigReset)
-
-**Description**: An unusual config reset was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.
-While this action might be legitimate, attackers can try utilizing VM Access extension to reset the configuration in your virtual machine and compromise it.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Credential Access
-
-**Severity**: Medium
-
-### **Unusual user password reset in your virtual machine**
-
-(VM_VMAccessUnusualPasswordReset)
-
-**Description**: An unusual user password reset was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.
-While this action might be legitimate, attackers can try utilizing the VM Access extension to reset the credentials of a local user in your virtual machine and compromise it.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Credential Access
-
-**Severity**: Medium
-
-### **Unusual user SSH key reset in your virtual machine**
-
-(VM_VMAccessUnusualSSHReset)
-
-**Description**: An unusual user SSH key reset was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.
-While this action might be legitimate, attackers can try utilizing VM Access extension to reset SSH key of a user account in your virtual machine and compromise it.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Credential Access
-
-**Severity**: Medium
-
-### **Suspicious installation of GPU extension in your virtual machine (Preview)**
-
- (VM_GPUDriverExtensionUnusualExecution)
-
-**Description**: Suspicious installation of a GPU extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Attackers might use the GPU driver extension to install GPU drivers on your virtual machine via the Azure Resource Manager to perform cryptojacking.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Impact
-
-**Severity**: Low
-
-## Alerts for DNS
--
-[Further details and notes](plan-defender-for-servers-select-plan.md)
-
-### **Anomalous network protocol usage**
-
-(AzureDNS_ProtocolAnomaly)
-
-**Description**: Analysis of DNS transactions from %{CompromisedEntity} detected anomalous protocol usage. Such traffic, while possibly benign, might indicate abuse of this common protocol to bypass network traffic filtering. Typical related attacker activity includes copying remote administration tools to a compromised host and exfiltrating user data from it.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Exfiltration
-
-**Severity**: -
-
-### **Anonymity network activity**
-
-(AzureDNS_DarkWeb)
-
-**Description**: Analysis of DNS transactions from %{CompromisedEntity} detected anonymity network activity. Such activity, while possibly legitimate user behavior, is frequently employed by attackers to evade tracking and fingerprinting of network communications. Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Exfiltration
-
-**Severity**: Low
-
-### **Anonymity network activity using web proxy**
-
-(AzureDNS_DarkWebProxy)
-
-**Description**: Analysis of DNS transactions from %{CompromisedEntity} detected anonymity network activity. Such activity, while possibly legitimate user behavior, is frequently employed by attackers to evade tracking and fingerprinting of network communications. Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Exfiltration
-
-**Severity**: Low
-
-### **Attempted communication with suspicious sinkholed domain**
-
-(AzureDNS_SinkholedDomain)
-
-**Description**: Analysis of DNS transactions from %{CompromisedEntity} detected request for sinkholed domain. Such activity, while possibly legitimate user behavior, is frequently an indication of the download or execution of malicious software. Typical related attacker activity is likely to include the download and execution of further malicious software or remote administration tools.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Exfiltration
-
-**Severity**: Medium
-
-### **Communication with possible phishing domain**
-
-(AzureDNS_PhishingDomain)
-
-**Description**: Analysis of DNS transactions from %{CompromisedEntity} detected a request for a possible phishing domain. Such activity, while possibly benign, is frequently performed by attackers to harvest credentials to remote services. Typical related attacker activity is likely to include the exploitation of any credentials on the legitimate service.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Exfiltration
-
-**Severity**: Informational
-
-### **Communication with suspicious algorithmically generated domain**
-
-(AzureDNS_DomainGenerationAlgorithm)
-
-**Description**: Analysis of DNS transactions from %{CompromisedEntity} detected possible usage of a domain generation algorithm. Such activity, while possibly benign, is frequently performed by attackers to evade network monitoring and filtering. Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Exfiltration
-
-**Severity**: Informational
-
-### **Communication with suspicious domain identified by threat intelligence**
-
-(AzureDNS_ThreatIntelSuspectDomain)
-
-**Description**: Communication with suspicious domain was detected by analyzing DNS transactions from your resource and comparing against known malicious domains identified by threat intelligence feeds. Communication to malicious domains is frequently performed by attackers and could imply that your resource is compromised.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Initial Access
-
-**Severity**: Medium
-
-### **Communication with suspicious random domain name**
-
-(AzureDNS_RandomizedDomain)
-
-**Description**: Analysis of DNS transactions from %{CompromisedEntity} detected usage of a suspicious randomly generated domain name. Such activity, while possibly benign, is frequently performed by attackers to evade network monitoring and filtering. Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Exfiltration
-
-**Severity**: Informational
-
-### **Digital currency mining activity**
-
-(AzureDNS_CurrencyMining)
-
-**Description**: Analysis of DNS transactions from %{CompromisedEntity} detected digital currency mining activity. Such activity, while possibly legitimate user behavior, is frequently performed by attackers following compromise of resources. Typical related attacker activity is likely to include the download and execution of common mining tools.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Exfiltration
-
-**Severity**: Low
-
-### **Network intrusion detection signature activation**
-
-(AzureDNS_SuspiciousDomain)
-
-**Description**: Analysis of DNS transactions from %{CompromisedEntity} detected a known malicious network signature. Such activity, while possibly legitimate user behavior, is frequently an indication of the download or execution of malicious software. Typical related attacker activity is likely to include the download and execution of further malicious software or remote administration tools.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Exfiltration
-
-**Severity**: Medium
-
-### **Possible data download via DNS tunnel**
-
-(AzureDNS_DataInfiltration)
-
-**Description**: Analysis of DNS transactions from %{CompromisedEntity} detected a possible DNS tunnel. Such activity, while possibly legitimate user behavior, is frequently performed by attackers to evade network monitoring and filtering. Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Exfiltration
-
-**Severity**: Low
-
-### **Possible data exfiltration via DNS tunnel**
-
-(AzureDNS_DataExfiltration)
-
-**Description**: Analysis of DNS transactions from %{CompromisedEntity} detected a possible DNS tunnel. Such activity, while possibly legitimate user behavior, is frequently performed by attackers to evade network monitoring and filtering. Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Exfiltration
-
-**Severity**: Low
-
-### **Possible data transfer via DNS tunnel**
-
-(AzureDNS_DataObfuscation)
-
-**Description**: Analysis of DNS transactions from %{CompromisedEntity} detected a possible DNS tunnel. Such activity, while possibly legitimate user behavior, is frequently performed by attackers to evade network monitoring and filtering. Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Exfiltration
-
-**Severity**: Low
-
-## Alerts for Azure VM extensions
-
-These alerts focus on detecting suspicious activities of Azure virtual machine extensions and provides insights into attackers' attempts to compromise and perform malicious activities on your virtual machines.
-
-Azure virtual machine extensions are small applications that run post-deployment on virtual machines and provide capabilities such as configuration, automation, monitoring, security, and more. While extensions are a powerful tool, they can be used by threat actors for various malicious intents, for example:
--- Data collection and monitoring--- Code execution and configuration deployment with high privileges--- Resetting credentials and creating administrative users--- Encrypting disks-
-Learn more about [Defender for Cloud latest protections against the abuse of Azure VM extensions](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/microsoft-defender-for-cloud-latest-protection-against/ba-p/3970121).
-
-### **Suspicious failure installing GPU extension in your subscription (Preview)**
-
-(VM_GPUExtensionSuspiciousFailure)
-
-**Description**: Suspicious intent of installing a GPU extension on unsupported VMs. This extension should be installed on virtual machines equipped with a graphic processor, and in this case the virtual machines are not equipped with such. These failures can be seen when malicious adversaries execute multiple installations of such extension for crypto-mining purposes.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Impact
-
-**Severity**: Medium
-
-### **Suspicious installation of a GPU extension was detected on your virtual machine (Preview)**
-
-(VM_GPUDriverExtensionUnusualExecution)
-
-**Description**: Suspicious installation of a GPU extension was detected on your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Attackers might use the GPU driver extension to install GPU drivers on your virtual machine via the Azure Resource Manager to perform cryptojacking. This activity is deemed suspicious as the principal's behavior departs from its usual patterns.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Impact
-
-**Severity**: Low
-
-### **Run Command with a suspicious script was detected on your virtual machine (Preview)**
-
-(VM_RunCommandSuspiciousScript)
-
-**Description**: A Run Command with a suspicious script was detected on your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Attackers might use Run Command to execute malicious code with high privileges on your virtual machine via the Azure Resource Manager. The script is deemed suspicious as certain parts were identified as being potentially malicious.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Execution
-
-**Severity**: High
-
-### **Suspicious unauthorized Run Command usage was detected on your virtual machine (Preview)**
-
-(VM_RunCommandSuspiciousFailure)
-
-**Description**: Suspicious unauthorized usage of Run Command has failed and was detected on your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Attackers might attempt to use Run Command to execute malicious code with high privileges on your virtual machines via the Azure Resource Manager. This activity is deemed suspicious as it hasn't been commonly seen before.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Execution
-
-**Severity**: Medium
-
-### **Suspicious Run Command usage was detected on your virtual machine (Preview)**
-
-(VM_RunCommandSuspiciousUsage)
-
-**Description**: Suspicious usage of Run Command was detected on your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Attackers might use Run Command to execute malicious code with high privileges on your virtual machines via the Azure Resource Manager. This activity is deemed suspicious as it hasn't been commonly seen before.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Execution
-
-**Severity**: Low
-
-### **Suspicious usage of multiple monitoring or data collection extensions was detected on your virtual machines (Preview)**
-
-(VM_SuspiciousMultiExtensionUsage)
-
-**Description**: Suspicious usage of multiple monitoring or data collection extensions was detected on your virtual machines by analyzing the Azure Resource Manager operations in your subscription. Attackers might abuse such extensions for data collection, network traffic monitoring, and more, in your subscription. This usage is deemed suspicious as it hasn't been commonly seen before.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Reconnaissance
-
-**Severity**: Medium
-
-### **Suspicious installation of disk encryption extensions was detected on your virtual machines (Preview)**
-
-(VM_DiskEncryptionSuspiciousUsage)
-
-**Description**: Suspicious installation of disk encryption extensions was detected on your virtual machines by analyzing the Azure Resource Manager operations in your subscription. Attackers might abuse the disk encryption extension to deploy full disk encryptions on your virtual machines via the Azure Resource Manager in an attempt to perform ransomware activity. This activity is deemed suspicious as it hasn't been commonly seen before and due to the high number of extension installations.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Impact
-
-**Severity**: Medium
-
-### **Suspicious usage of VMAccess extension was detected on your virtual machines (Preview)**
-
-(VM_VMAccessSuspiciousUsage)
-
-**Description**: Suspicious usage of VMAccess extension was detected on your virtual machines. Attackers might abuse the VMAccess extension to gain access and compromise your virtual machines with high privileges by resetting access or managing administrative users. This activity is deemed suspicious as the principal's behavior departs from its usual patterns, and due to the high number of the extension installations.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Persistence
-
-**Severity**: Medium
-
-### **Desired State Configuration (DSC) extension with a suspicious script was detected on your virtual machine (Preview)**
-
-(VM_DSCExtensionSuspiciousScript)
-
-**Description**: Desired State Configuration (DSC) extension with a suspicious script was detected on your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Attackers might use the Desired State Configuration (DSC) extension to deploy malicious configurations, such as persistence mechanisms, malicious scripts, and more, with high privileges, on your virtual machines. The script is deemed suspicious as certain parts were identified as being potentially malicious.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Execution
-
-**Severity**: High
-
-### **Suspicious usage of a Desired State Configuration (DSC) extension was detected on your virtual machines (Preview)**
-
-(VM_DSCExtensionSuspiciousUsage)
-
-**Description**: Suspicious usage of a Desired State Configuration (DSC) extension was detected on your virtual machines by analyzing the Azure Resource Manager operations in your subscription. Attackers might use the Desired State Configuration (DSC) extension to deploy malicious configurations, such as persistence mechanisms, malicious scripts, and more, with high privileges, on your virtual machines. This activity is deemed suspicious as the principal's behavior departs from its usual patterns, and due to the high number of the extension installations.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Execution
-
-**Severity**: Low
-
-### **Custom script extension with a suspicious script was detected on your virtual machine (Preview)**
-
-(VM_CustomScriptExtensionSuspiciousCmd)
-
-**Description**: Custom script extension with a suspicious script was detected on your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Attackers might use Custom script extension to execute malicious code with high privileges on your virtual machine via the Azure Resource Manager. The script is deemed suspicious as certain parts were identified as being potentially malicious.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Execution
-
-**Severity**: High
-
-### **Suspicious failed execution of custom script extension in your virtual machine**
-
-(VM_CustomScriptExtensionSuspiciousFailure)
-
-**Description**: Suspicious failure of a custom script extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Such failures might be associated with malicious scripts run by this extension.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Execution
-
-**Severity**: Medium
-
-### **Unusual deletion of custom script extension in your virtual machine**
-
-(VM_CustomScriptExtensionUnusualDeletion)
-
-**Description**: Unusual deletion of a custom script extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Attackers might use custom script extensions to execute malicious code on your virtual machines via the Azure Resource Manager.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Execution
-
-**Severity**: Medium
-
-### **Unusual execution of custom script extension in your virtual machine**
-
-(VM_CustomScriptExtensionUnusualExecution)
-
-**Description**: Unusual execution of a custom script extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Attackers might use custom script extensions to execute malicious code on your virtual machines via the Azure Resource Manager.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Execution
-
-**Severity**: Medium
-
-### **Custom script extension with suspicious entry-point in your virtual machine**
-
-(VM_CustomScriptExtensionSuspiciousEntryPoint)
-
-**Description**: Custom script extension with a suspicious entry-point was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. The entry-point refers to a suspicious GitHub repository. Attackers might use custom script extensions to execute malicious code on your virtual machines via the Azure Resource Manager.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Execution
-
-**Severity**: Medium
-
-### **Custom script extension with suspicious payload in your virtual machine**
-
-(VM_CustomScriptExtensionSuspiciousPayload)
-
-**Description**: Custom script extension with a payload from a suspicious GitHub repository was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Attackers might use custom script extensions to execute malicious code on your virtual machines via the Azure Resource Manager.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Execution
-
-**Severity**: Medium
-
-## Alerts for Azure App Service
-
-[Further details and notes](defender-for-app-service-introduction.md)
-
-### **An attempt to run Linux commands on a Windows App Service**
-
-(AppServices_LinuxCommandOnWindows)
-
-**Description**: Analysis of App Service processes detected an attempt to run a Linux command on a Windows App Service. This action was running by the web application. This behavior is often seen during campaigns that exploit a vulnerability in a common web application.
-(Applies to: App Service on Windows)
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Medium
-
-### **An IP that connected to your Azure App Service FTP Interface was found in Threat Intelligence**
-
-(AppServices_IncomingTiClientIpFtp)
-
-**Description**: Azure App Service FTP log indicates a connection from a source address that was found in the threat intelligence feed. During this connection, a user accessed the pages listed.
-(Applies to: App Service on Windows and App Service on Linux)
-
-**[MITRE tactics](#mitre-attck-tactics)**: Initial Access
-
-**Severity**: Medium
-
-### **Attempt to run high privilege command detected**
-
-(AppServices_HighPrivilegeCommand)
-
-**Description**: Analysis of App Service processes detected an attempt to run a command that requires high privileges.
-The command ran in the web application context. While this behavior can be legitimate, in web applications this behavior is also observed in malicious activities.
-(Applies to: App Service on Windows)
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Medium
-
-### **Communication with suspicious domain identified by threat intelligence**
-
-(AzureDNS_ThreatIntelSuspectDomain)
-
-**Description**: Communication with suspicious domain was detected by analyzing DNS transactions from your resource and comparing against known malicious domains identified by threat intelligence feeds. Communication to malicious domains is frequently performed by attackers and could imply that your resource is compromised.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Initial Access, Persistence, Execution, Command And Control, Exploitation
-
-**Severity**: Medium
-
-### **Connection to web page from anomalous IP address detected**
-
-(AppServices_AnomalousPageAccess)
-
-**Description**: Azure App Service activity log indicates an anomalous connection to a sensitive web page from the listed source IP address. This might indicate that someone is attempting a brute force attack into your web app administration pages. It might also be the result of a new IP address being used by a legitimate user. If the source IP address is trusted, you can safely suppress this alert for this resource. To learn how to suppress security alerts, see [Suppress alerts from Microsoft Defender for Cloud](alerts-suppression-rules.md).
-(Applies to: App Service on Windows and App Service on Linux)
-
-**[MITRE tactics](#mitre-attck-tactics)**: Initial Access
-
-**Severity**: Low
-
-### **Dangling DNS record for an App Service resource detected**
-
-(AppServices_DanglingDomain)
-
-**Description**: A DNS record that points to a recently deleted App Service resource (also known as "dangling DNS" entry) has been detected. This leaves you susceptible to a subdomain takeover. Subdomain takeovers enable malicious actors to redirect traffic intended for an organization's domain to a site performing malicious activity.
-(Applies to: App Service on Windows and App Service on Linux)
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: High
-
-### **Detected encoded executable in command line data**
-
-(AppServices_Base64EncodedExecutableInCommandLineParams)
-
-**Description**: Analysis of host data on {Compromised host} detected a base-64 encoded executable. This has previously been associated with attackers attempting to construct executables on-the-fly through a sequence of commands, and attempting to evade intrusion detection systems by ensuring that no individual command would trigger an alert. This could be legitimate activity, or an indication of a compromised host.
-(Applies to: App Service on Windows)
-
-**[MITRE tactics](#mitre-attck-tactics)**: Defense Evasion, Execution
-
-**Severity**: High
-
-### **Detected file download from a known malicious source**
-
-(AppServices_SuspectDownload)
-
-**Description**: Analysis of host data has detected the download of a file from a known malware source on your host.
-(Applies to: App Service on Linux)
-
-**[MITRE tactics](#mitre-attck-tactics)**: Privilege Escalation, Execution, Exfiltration, Command and Control
-
-**Severity**: Medium
-
-### **Detected suspicious file download**
-
-(AppServices_SuspectDownloadArtifacts)
-
-**Description**: Analysis of host data has detected suspicious download of remote file.
-(Applies to: App Service on Linux)
-
-**[MITRE tactics](#mitre-attck-tactics)**: Persistence
-
-**Severity**: Medium
-
-### **Digital currency mining related behavior detected**
-
-(AppServices_DigitalCurrencyMining)
-
-**Description**: Analysis of host data on Inn-Flow-WebJobs detected the execution of a process or command normally associated with digital currency mining.
-(Applies to: App Service on Windows and App Service on Linux)
-
-**[MITRE tactics](#mitre-attck-tactics)**: Execution
-
-**Severity**: High
-
-### **Executable decoded using certutil**
-
-(AppServices_ExecutableDecodedUsingCertutil)
-
-**Description**: Analysis of host data on [Compromised entity] detected that certutil.exe, a built-in administrator utility, was being used to decode an executable instead of its mainstream purpose that relates to manipulating certificates and certificate data. Attackers are known to abuse functionality of legitimate administrator tools to perform malicious actions, for example using a tool such as certutil.exe to decode a malicious executable that will then be subsequently executed.
-(Applies to: App Service on Windows)
-
-**[MITRE tactics](#mitre-attck-tactics)**: Defense Evasion, Execution
-
-**Severity**: High
-
-### **Fileless Attack Behavior Detected**
-
-(AppServices_FilelessAttackBehaviorDetection)
-
-**Description**: The memory of the process specified below contains behaviors commonly used by fileless attacks.
-Specific behaviors include: {list of observed behaviors}
-(Applies to: App Service on Windows and App Service on Linux)
-
-**[MITRE tactics](#mitre-attck-tactics)**: Execution
-
-**Severity**: Medium
-
-### **Fileless Attack Technique Detected**
-
-(AppServices_FilelessAttackTechniqueDetection)
-
-**Description**: The memory of the process specified below contains evidence of a fileless attack technique. Fileless attacks are used by attackers to execute code while evading detection by security software.
-Specific behaviors include: {list of observed behaviors}
-(Applies to: App Service on Windows and App Service on Linux)
-
-**[MITRE tactics](#mitre-attck-tactics)**: Execution
-
-**Severity**: High
-
-### **Fileless Attack Toolkit Detected**
-
-(AppServices_FilelessAttackToolkitDetection)
-
-**Description**: The memory of the process specified below contains a fileless attack toolkit: {ToolKitName}. Fileless attack toolkits typically do not have a presence on the filesystem, making detection by traditional anti-virus software difficult.
-Specific behaviors include: {list of observed behaviors}
-(Applies to: App Service on Windows and App Service on Linux)
-
-**[MITRE tactics](#mitre-attck-tactics)**: Defense Evasion, Execution
-
-**Severity**: High
-
-### **Microsoft Defender for Cloud test alert for App Service (not a threat)**
-
-(AppServices_EICAR)
-
-**Description**: This is a test alert generated by Microsoft Defender for Cloud. No further action is needed.
-(Applies to: App Service on Windows and App Service on Linux)
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: High
-
-### **NMap scanning detected**
-
-(AppServices_Nmap)
-
-**Description**: Azure App Service activity log indicates a possible web fingerprinting activity on your App Service resource.
-The suspicious activity detected is associated with NMAP. Attackers often use this tool for probing the web application to find vulnerabilities.
-(Applies to: App Service on Windows and App Service on Linux)
-
-**[MITRE tactics](#mitre-attck-tactics)**: PreAttack
-
-**Severity**: Informational
-
-### **Phishing content hosted on Azure Webapps**
-
-(AppServices_PhishingContent)
-
-**Description**: URL used for phishing attack found on the Azure AppServices website. This URL was part of a phishing attack sent to Microsoft 365 customers. The content typically lures visitors into entering their corporate credentials or financial information into a legitimate looking website.
-(Applies to: App Service on Windows and App Service on Linux)
-
-**[MITRE tactics](#mitre-attck-tactics)**: Collection
-
-**Severity**: High
-
-### **PHP file in upload folder**
-
-(AppServices_PhpInUploadFolder)
-
-**Description**: Azure App Service activity log indicates an access to a suspicious PHP page located in the upload folder.
-This type of folder doesn't usually contain PHP files. The existence of this type of file might indicate an exploitation taking advantage of arbitrary file upload vulnerabilities.
-(Applies to: App Service on Windows and App Service on Linux)
-
-**[MITRE tactics](#mitre-attck-tactics)**: Execution
-
-**Severity**: Medium
-
-### **Possible Cryptocoinminer download detected**
-
-(AppServices_CryptoCoinMinerDownload)
-
-**Description**: Analysis of host data has detected the download of a file normally associated with digital currency mining.
-(Applies to: App Service on Linux)
-
-**[MITRE tactics](#mitre-attck-tactics)**: Defense Evasion, Command and Control, Exploitation
-
-**Severity**: Medium
-
-### **Possible data exfiltration detected**
-
-(AppServices_DataEgressArtifacts)
-
-**Description**: Analysis of host/device data detected a possible data egress condition. Attackers will often egress data from machines they have compromised.
-(Applies to: App Service on Linux)
-
-**[MITRE tactics](#mitre-attck-tactics)**: Collection, Exfiltration
-
-**Severity**: Medium
-
-### **Potential dangling DNS record for an App Service resource detected**
-
-(AppServices_PotentialDanglingDomain)
-
-**Description**: A DNS record that points to a recently deleted App Service resource (also known as "dangling DNS" entry) has been detected. This might leave you susceptible to a subdomain takeover. Subdomain takeovers enable malicious actors to redirect traffic intended for an organization's domain to a site performing malicious activity. In this case, a text record with the Domain Verification ID was found. Such text records prevent subdomain takeover but we still recommend removing the dangling domain. If you leave the DNS record pointing at the subdomain you're at risk if anyone in your organization deletes the TXT file or record in the future.
-(Applies to: App Service on Windows and App Service on Linux)
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Low
-
-### **Potential reverse shell detected**
-
-(AppServices_ReverseShell)
-
-**Description**: Analysis of host data detected a potential reverse shell. These are used to get a compromised machine to call back into a machine an attacker owns.
-(Applies to: App Service on Linux)
-
-**[MITRE tactics](#mitre-attck-tactics)**: Exfiltration, Exploitation
-
-**Severity**: Medium
-
-### **Raw data download detected**
-
-(AppServices_DownloadCodeFromWebsite)
-
-**Description**: Analysis of App Service processes detected an attempt to download code from raw-data websites such as Pastebin. This action was run by a PHP process. This behavior is associated with attempts to download web shells or other malicious components to the App Service.
-(Applies to: App Service on Windows)
-
-**[MITRE tactics](#mitre-attck-tactics)**: Execution
-
-**Severity**: Medium
-
-### **Saving curl output to disk detected**
-
-(AppServices_CurlToDisk)
-
-**Description**: Analysis of App Service processes detected the running of a curl command in which the output was saved to the disk. While this behavior can be legitimate, in web applications this behavior is also observed in malicious activities such as attempts to infect websites with web shells.
-(Applies to: App Service on Windows)
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Low
-
-### **Spam folder referrer detected**
-
-(AppServices_SpamReferrer)
-
-**Description**: Azure App Service activity log indicates web activity that was identified as originating from a web site associated with spam activity. This can occur if your website is compromised and used for spam activity.
-(Applies to: App Service on Windows and App Service on Linux)
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Low
-
-### **Suspicious access to possibly vulnerable web page detected**
-
-(AppServices_ScanSensitivePage)
-
-**Description**: Azure App Service activity log indicates a web page that seems to be sensitive was accessed. This suspicious activity originated from a source IP address whose access pattern resembles that of a web scanner.
-This activity is often associated with an attempt by an attacker to scan your network to try to gain access to sensitive or vulnerable web pages.
-(Applies to: App Service on Windows and App Service on Linux)
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Low
-
-### **Suspicious domain name reference**
-
-(AppServices_CommandlineSuspectDomain)
-
-**Description**: Analysis of host data detected reference to suspicious domain name. Such activity, while possibly legitimate user behavior, is frequently an indication of the download or execution of malicious software. Typical related attacker activity is likely to include the download and execution of further malicious software or remote administration tools.
-(Applies to: App Service on Linux)
-
-**[MITRE tactics](#mitre-attck-tactics)**: Exfiltration
-
-**Severity**: Low
-
-### **Suspicious download using Certutil detected**
-
-(AppServices_DownloadUsingCertutil)
-
-**Description**: Analysis of host data on {NAME} detected the use of certutil.exe, a built-in administrator utility, for the download of a binary instead of its mainstream purpose that relates to manipulating certificates and certificate data. Attackers are known to abuse functionality of legitimate administrator tools to perform malicious actions, for example using certutil.exe to download and decode a malicious executable that will then be subsequently executed.
-(Applies to: App Service on Windows)
-
-**[MITRE tactics](#mitre-attck-tactics)**: Execution
-
-**Severity**: Medium
-
-### **Suspicious PHP execution detected**
-
-(AppServices_SuspectPhp)
-
-**Description**: Machine logs indicate that a suspicious PHP process is running. The action included an attempt to run operating system commands or PHP code from the command line, by using the PHP process. While this behavior can be legitimate, in web applications this behavior might indicate malicious activities, such as attempts to infect websites with web shells.
-(Applies to: App Service on Windows and App Service on Linux)
-
-**[MITRE tactics](#mitre-attck-tactics)**: Execution
-
-**Severity**: Medium
-
-### **Suspicious PowerShell cmdlets executed**
-
-(AppServices_PowerShellPowerSploitScriptExecution)
-
-**Description**: Analysis of host data indicates execution of known malicious PowerShell PowerSploit cmdlets.
-(Applies to: App Service on Windows)
-
-**[MITRE tactics](#mitre-attck-tactics)**: Execution
-
-**Severity**: Medium
-
-### **Suspicious process executed**
-
-(AppServices_KnownCredential AccessTools)
-
-**Description**: Machine logs indicate that the suspicious process: '%{process path}' was running on the machine, often associated with attacker attempts to access credentials.
-(Applies to: App Service on Windows)
-
-**[MITRE tactics](#mitre-attck-tactics)**: Credential Access
-
-**Severity**: High
-
-### **Suspicious process name detected**
-
-(AppServices_ProcessWithKnownSuspiciousExtension)
-
-**Description**: Analysis of host data on {NAME} detected a process whose name is suspicious, for example corresponding to a known attacker tool or named in a way that is suggestive of attacker tools that try to hide in plain sight. This process could be legitimate activity, or an indication that one of your machines has been compromised.
-(Applies to: App Service on Windows)
-
-**[MITRE tactics](#mitre-attck-tactics)**: Persistence, Defense Evasion
-
-**Severity**: Medium
-
-### **Suspicious SVCHOST process executed**
-
-(AppServices_SVCHostFromInvalidPath)
-
-**Description**: The system process SVCHOST was observed running in an abnormal context. Malware often uses SVCHOST to mask its malicious activity.
-(Applies to: App Service on Windows)
-
-**[MITRE tactics](#mitre-attck-tactics)**: Defense Evasion, Execution
-
-**Severity**: High
-
-### **Suspicious User Agent detected**
-
-(AppServices_UserAgentInjection)
-
-**Description**: Azure App Service activity log indicates requests with suspicious user agent. This behavior can indicate on attempts to exploit a vulnerability in your App Service application.
-(Applies to: App Service on Windows and App Service on Linux)
-
-**[MITRE tactics](#mitre-attck-tactics)**: Initial Access
-
-**Severity**: Informational
-
-### **Suspicious WordPress theme invocation detected**
-
-(AppServices_WpThemeInjection)
-
-**Description**: Azure App Service activity log indicates a possible code injection activity on your App Service resource.
-The suspicious activity detected resembles that of a manipulation of WordPress theme to support server side execution of code, followed by a direct web request to invoke the manipulated theme file.
-This type of activity was seen in the past as part of an attack campaign over WordPress.
-If your App Service resource isn't hosting a WordPress site, it isn't vulnerable to this specific code injection exploit and you can safely suppress this alert for the resource. To learn how to suppress security alerts, see [Suppress alerts from Microsoft Defender for Cloud](alerts-suppression-rules.md).
-(Applies to: App Service on Windows and App Service on Linux)
-
-**[MITRE tactics](#mitre-attck-tactics)**: Execution
-
-**Severity**: High
-
-### **Vulnerability scanner detected**
-
-(AppServices_DrupalScanner)
-
-**Description**: Azure App Service activity log indicates that a possible vulnerability scanner was used on your App Service resource.
-The suspicious activity detected resembles that of tools targeting a content management system (CMS).
-If your App Service resource isn't hosting a Drupal site, it isn't vulnerable to this specific code injection exploit and you can safely suppress this alert for the resource. To learn how to suppress security alerts, see [Suppress alerts from Microsoft Defender for Cloud](alerts-suppression-rules.md).
-(Applies to: App Service on Windows)
-
-**[MITRE tactics](#mitre-attck-tactics)**: PreAttack
-
-**Severity**: Low
-
-### **Vulnerability scanner detected**
-
-(AppServices_JoomlaScanner)
-
-**Description**: Azure App Service activity log indicates that a possible vulnerability scanner was used on your App Service resource.
-The suspicious activity detected resembles that of tools targeting Joomla applications.
-If your App Service resource isn't hosting a Joomla site, it isn't vulnerable to this specific code injection exploit and you can safely suppress this alert for the resource. To learn how to suppress security alerts, see [Suppress alerts from Microsoft Defender for Cloud](alerts-suppression-rules.md).
-(Applies to: App Service on Windows and App Service on Linux)
-
-**[MITRE tactics](#mitre-attck-tactics)**: PreAttack
-
-**Severity**: Low
-
-### **Vulnerability scanner detected**
-
-(AppServices_WpScanner)
-
-**Description**: Azure App Service activity log indicates that a possible vulnerability scanner was used on your App Service resource.
-The suspicious activity detected resembles that of tools targeting WordPress applications.
-If your App Service resource isn't hosting a WordPress site, it isn't vulnerable to this specific code injection exploit and you can safely suppress this alert for the resource. To learn how to suppress security alerts, see [Suppress alerts from Microsoft Defender for Cloud](alerts-suppression-rules.md).
-(Applies to: App Service on Windows and App Service on Linux)
-
-**[MITRE tactics](#mitre-attck-tactics)**: PreAttack
-
-**Severity**: Low
-
-### **Web fingerprinting detected**
-
-(AppServices_WebFingerprinting)
-
-**Description**: Azure App Service activity log indicates a possible web fingerprinting activity on your App Service resource.
-The suspicious activity detected is associated with a tool called Blind Elephant. The tool fingerprint web servers and tries to detect the installed applications and version.
-Attackers often use this tool for probing the web application to find vulnerabilities.
-(Applies to: App Service on Windows and App Service on Linux)
-
-**[MITRE tactics](#mitre-attck-tactics)**: PreAttack
-
-**Severity**: Medium
-
-### **Website is tagged as malicious in threat intelligence feed**
-
-(AppServices_SmartScreen)
-
-**Description**: Your website as described below is marked as a malicious site by Windows SmartScreen. If you think this is a false positive, contact Windows SmartScreen via report feedback link provided.
-(Applies to: App Service on Windows and App Service on Linux)
-
-**[MITRE tactics](#mitre-attck-tactics)**: Collection
-
-**Severity**: Medium
-
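Review bot: the removed App Service alert entries carry defects that should not be reproduced if this content is being relocated rather than retired. The alert type under **Suspicious process executed** reads `(AppServices_KnownCredential AccessTools)` with a stray space inside the identifier; **Suspicious User Agent detected** says "can indicate on attempts" where "can indicate attempts" is meant; and **Web fingerprinting detected** says "The tool fingerprint web servers" where "fingerprints" is meant. Three consecutive entries also share the identical heading **Vulnerability scanner detected** (the Drupal, Joomla and WordPress scanner alerts), which produces duplicate anchors in rendered Markdown; distinguishing them in the heading text wherever they land would make the `### ` entries linkable individually.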
-## Alerts for containers - Kubernetes clusters
-
-Microsoft Defender for Containers provides security alerts on the cluster level and on the underlying cluster nodes by monitoring both control plane (API server) and the containerized workload itself. Control plane security alerts can be recognized by a prefix of `K8S_` of the alert type. Security alerts for runtime workload in the clusters can be recognized by the `K8S.NODE_` prefix of the alert type. All alerts are supported on Linux only, unless otherwise indicated.
-
-[Further details and notes](defender-for-containers-introduction.md#run-time-protection-for-kubernetes-nodes-and-clusters)
-
-### **Exposed Postgres service with trust authentication configuration in Kubernetes detected (Preview)**
-
-(K8S_ExposedPostgresTrustAuth)
-
-**Description**: Kubernetes cluster configuration analysis detected exposure of a Postgres service by a load balancer. The service is configured with trust authentication method, which doesn't require credentials.
-
-**[MITRE tactics](#mitre-attck-tactics)**: InitialAccess
-
-**Severity**: Medium
-
-### **Exposed Postgres service with risky configuration in Kubernetes detected (Preview)**
-
-(K8S_ExposedPostgresBroadIPRange)
-
-**Description**: Kubernetes cluster configuration analysis detected exposure of a Postgres service by a load balancer with a risky configuration. Exposing the service to a wide range of IP addresses poses a security risk.
-
-**[MITRE tactics](#mitre-attck-tactics)**: InitialAccess
-
-**Severity**: Medium
-
-### **Attempt to create a new Linux namespace from a container detected**
-
-(K8S.NODE_NamespaceCreation) <sup>[1](#footnote1)</sup>
-
-**Description**: Analysis of processes running within a container in Kubernetes cluster detected an attempt to create a new Linux namespace. While this behavior might be legitimate, it might indicate that an attacker tries to escape from the container to the node. Some CVE-2022-0185 exploitations use this technique.
-
-**[MITRE tactics](#mitre-attck-tactics)**: PrivilegeEscalation
-
-**Severity**: Informational
-
-### **A history file has been cleared**
-
-(K8S.NODE_HistoryFileCleared) <sup>[1](#footnote1)</sup>
-
-**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected that the command history log file has been cleared. Attackers might do this to cover their tracks. The operation was performed by the specified user account.
-
-**[MITRE tactics](#mitre-attck-tactics)**: DefenseEvasion
-
-**Severity**: Medium
-
-### **Abnormal activity of managed identity associated with Kubernetes (Preview)**
-
-(K8S_AbnormalMiActivity)
-
-**Description**: Analysis of Azure Resource Manager operations detected an abnormal behavior of a managed identity used by an AKS addon. The detected activity isn\'t consistent with the behavior of the associated addon. While this activity can be legitimate, such behavior might indicate that the identity was gained by an attacker, possibly from a compromised container in the Kubernetes cluster.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Lateral Movement
-
-**Severity**: Medium
-
-### **Abnormal Kubernetes service account operation detected**
-
-(K8S_ServiceAccountRareOperation)
-
-**Description**: Kubernetes audit log analysis detected abnormal behavior by a service account in your Kubernetes cluster. The service account was used for an operation, which isn't common for this service account. While this activity can be legitimate, such behavior might indicate that the service account is being used for malicious purposes.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Lateral Movement, Credential Access
-
-**Severity**: Medium
-
-### **An uncommon connection attempt detected**
-
-(K8S.NODE_SuspectConnection) <sup>[1](#footnote1)</sup>
-
-**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected an uncommon connection attempt utilizing a socks protocol. This is very rare in normal operations, but a known technique for attackers attempting to bypass network-layer detections.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Execution, Exfiltration, Exploitation
-
-**Severity**: Medium
-
-### **Attempt to stop apt-daily-upgrade.timer service detected**
-
-(K8S.NODE_TimerServiceDisabled) <sup>[1](#footnote1)</sup>
-
-**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected an attempt to stop apt-daily-upgrade.timer service. Attackers have been observed stopping this service to download malicious files and grant execution privileges for their attacks. This activity can also happen if the service is updated through normal administrative actions.
-
-**[MITRE tactics](#mitre-attck-tactics)**: DefenseEvasion
-
-**Severity**: Informational
-
-### **Behavior similar to common Linux bots detected (Preview)**
-
-(K8S.NODE_CommonBot)
-
-**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected the execution of a process normally associated with common Linux botnets.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Execution, Collection, Command And Control
-
-**Severity**: Medium
-
-### **Command within a container running with high privileges**
-
-(K8S.NODE_PrivilegedExecutionInContainer) <sup>[1](#footnote1)</sup>
-
-**Description**: Machine logs indicate that a privileged command was run in a Docker container. A privileged command has extended privileges on the host machine.
-
-**[MITRE tactics](#mitre-attck-tactics)**: PrivilegeEscalation
-
-**Severity**: Informational
-
-### **Container running in privileged mode**
-
-(K8S.NODE_PrivilegedContainerArtifacts) <sup>[1](#footnote1)</sup>
-
-**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected the execution of a Docker command that is running a privileged container. The privileged container has full access to the hosting pod or host resource. If compromised, an attacker might use the privileged container to gain access to the hosting pod or host.
-
-**[MITRE tactics](#mitre-attck-tactics)**: PrivilegeEscalation, Execution
-
-**Severity**: Informational
-
-### **Container with a sensitive volume mount detected**
-
-(K8S_SensitiveMount)
-
-**Description**: Kubernetes audit log analysis detected a new container with a sensitive volume mount. The volume that was detected is a hostPath type which mounts a sensitive file or folder from the node to the container. If the container gets compromised, the attacker can use this mount for gaining access to the node.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Privilege Escalation
-
-**Severity**: Informational
-
-### **CoreDNS modification in Kubernetes detected**
-
-(K8S_CoreDnsModification) <sup>[2](#footnote2)</sup> <sup>[3](#footnote3)</sup>
-
-**Description**: Kubernetes audit log analysis detected a modification of the CoreDNS configuration. The configuration of CoreDNS can be modified by overriding its configmap. While this activity can be legitimate, if attackers have permissions to modify the configmap, they can change the behavior of the cluster's DNS server and poison it.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Lateral Movement
-
-**Severity**: Low
-
-### **Creation of admission webhook configuration detected**
-
-(K8S_AdmissionController) <sup>[3](#footnote3)</sup>
-
-**Description**: Kubernetes audit log analysis detected a new admission webhook configuration. Kubernetes has two built-in generic admission controllers: MutatingAdmissionWebhook and ValidatingAdmissionWebhook. The behavior of these admission controllers is determined by an admission webhook that the user deploys to the cluster. The usage of such admission controllers can be legitimate, however attackers can use such webhooks for modifying the requests (in case of MutatingAdmissionWebhook) or inspecting the requests and gain sensitive information (in case of ValidatingAdmissionWebhook).
-
-**[MITRE tactics](#mitre-attck-tactics)**: Credential Access, Persistence
-
-**Severity**: Informational
-
-### **Detected file download from a known malicious source**
-
-(K8S.NODE_SuspectDownload) <sup>[1](#footnote1)</sup>
-
-**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected a download of a file from a source frequently used to distribute malware.
-
-**[MITRE tactics](#mitre-attck-tactics)**: PrivilegeEscalation, Execution, Exfiltration, Command And Control
-
-**Severity**: Medium
-
-### **Detected suspicious file download**
-
-(K8S.NODE_SuspectDownloadArtifacts) <sup>[1](#footnote1)</sup>
-
-**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected a suspicious download of a remote file.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Persistence
-
-**Severity**: Informational
-
-### **Detected suspicious use of the nohup command**
-
-(K8S.NODE_SuspectNohup) <sup>[1](#footnote1)</sup>
-
-**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected a suspicious use of the nohup command. Attackers have been seen using the command nohup to run hidden files from a temporary directory to allow their executables to run in the background. It's rare to see this command run on hidden files located in a temporary directory.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Persistence, DefenseEvasion
-
-**Severity**: Medium
-
-### **Detected suspicious use of the useradd command**
-
-(K8S.NODE_SuspectUserAddition) <sup>[1](#footnote1)</sup>
-
-**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected a suspicious use of the useradd command.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Persistence
-
-**Severity**: Medium
-
-### **Digital currency mining container detected**
-
-(K8S_MaliciousContainerImage) <sup>[3](#footnote3)</sup>
-
-**Description**: Kubernetes audit log analysis detected a container that has an image associated with a digital currency mining tool.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Execution
-
-**Severity**: High
-
-### **Digital currency mining related behavior detected**
-
-(K8S.NODE_DigitalCurrencyMining) <sup>[1](#footnote1)</sup>
-
-**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected an execution of a process or command normally associated with digital currency mining.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Execution
-
-**Severity**: High
-
-### **Docker build operation detected on a Kubernetes node**
-
-(K8S.NODE_ImageBuildOnNode) <sup>[1](#footnote1)</sup>
-
-**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected a build operation of a container image on a Kubernetes node. While this behavior might be legitimate, attackers might build their malicious images locally to avoid detection.
-
-**[MITRE tactics](#mitre-attck-tactics)**: DefenseEvasion
-
-**Severity**: Informational
-
-### **Exposed Kubeflow dashboard detected**
-
-(K8S_ExposedKubeflow)
-
-**Description**: The Kubernetes audit log analysis detected exposure of the Istio Ingress by a load balancer in a cluster that runs Kubeflow. This action might expose the Kubeflow dashboard to the internet. If the dashboard is exposed to the internet, attackers can access it and run malicious containers or code on the cluster. Find more details in the following article: <https://aka.ms/exposedkubeflow-blog>
-
-**[MITRE tactics](#mitre-attck-tactics)**: Initial Access
-
-**Severity**: Medium
-
-### **Exposed Kubernetes dashboard detected**
-
-(K8S_ExposedDashboard)
-
-**Description**: Kubernetes audit log analysis detected exposure of the Kubernetes Dashboard by a LoadBalancer service. Exposed dashboard allows an unauthenticated access to the cluster management and poses a security threat.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Initial Access
-
-**Severity**: High
-
-### **Exposed Kubernetes service detected**
-
-(K8S_ExposedService)
-
-**Description**: The Kubernetes audit log analysis detected exposure of a service by a load balancer. This service is related to a sensitive application that allows high impact operations in the cluster such as running processes on the node or creating new containers. In some cases, this service doesn't require authentication. If the service doesn't require authentication, exposing it to the internet poses a security risk.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Initial Access
-
-**Severity**: Medium
-
-### **Exposed Redis service in AKS detected**
-
-(K8S_ExposedRedis)
-
-**Description**: The Kubernetes audit log analysis detected exposure of a Redis service by a load balancer. If the service doesn't require authentication, exposing it to the internet poses a security risk.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Initial Access
-
-**Severity**: Low
-
-### **Indicators associated with DDOS toolkit detected**
-
-(K8S.NODE_KnownLinuxDDoSToolkit) <sup>[1](#footnote1)</sup>
-
-**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected file names that are part of a toolkit associated with malware capable of launching DDoS attacks, opening ports and services, and taking full control over the infected system. This could also possibly be legitimate activity.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Persistence, LateralMovement, Execution, Exploitation
-
-**Severity**: Medium
-
-### **K8S API requests from proxy IP address detected**
-
-(K8S_TI_Proxy) <sup>[3](#footnote3)</sup>
-
-**Description**: Kubernetes audit log analysis detected API requests to your cluster from an IP address that is associated with proxy services, such as TOR. While this behavior can be legitimate, it's often seen in malicious activities, when attackers try to hide their source IP.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Execution
-
-**Severity**: Low
-
-### **Kubernetes events deleted**
-
-(K8S_DeleteEvents) <sup>[2](#footnote2)</sup> <sup>[3](#footnote3)</sup>
-
-**Description**: Defender for Cloud detected that some Kubernetes events have been deleted. Kubernetes events are objects in Kubernetes that contain information about changes in the cluster. Attackers might delete those events for hiding their operations in the cluster.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Defense Evasion
-
-**Severity**: Low
-
-### **Kubernetes penetration testing tool detected**
-
-(K8S_PenTestToolsKubeHunter)
-
-**Description**: Kubernetes audit log analysis detected usage of Kubernetes penetration testing tool in the AKS cluster. While this behavior can be legitimate, attackers might use such public tools for malicious purposes.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Execution
-
-**Severity**: Low
-
-### **Microsoft Defender for Cloud test alert (not a threat).**
-
-(K8S.NODE_EICAR) <sup>[1](#footnote1)</sup>
-
-**Description**: This is a test alert generated by Microsoft Defender for Cloud. No further action is needed.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Execution
-
-**Severity**: High
-
-### **New container in the kube-system namespace detected**
-
-(K8S_KubeSystemContainer) <sup>[3](#footnote3)</sup>
-
-**Description**: Kubernetes audit log analysis detected a new container in the kube-system namespace that isn't among the containers that normally run in this namespace. The kube-system namespaces shouldn't contain user resources. Attackers can use this namespace for hiding malicious components.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Persistence
-
-**Severity**: Informational
-
-### **New high privileges role detected**
-
-(K8S_HighPrivilegesRole) <sup>[3](#footnote3)</sup>
-
-**Description**: Kubernetes audit log analysis detected a new role with high privileges. A binding to a role with high privileges gives the user\group high privileges in the cluster. Unnecessary privileges might cause privilege escalation in the cluster.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Persistence
-
-**Severity**: Informational
-
-### **Possible attack tool detected**
-
-(K8S.NODE_KnownLinuxAttackTool) <sup>[1](#footnote1)</sup>
-
-**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected a suspicious tool invocation. This tool is often associated with malicious users attacking others.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Execution, Collection, Command And Control, Probing
-
-**Severity**: Medium
-
-### **Possible backdoor detected**
-
-(K8S.NODE_LinuxBackdoorArtifact) <sup>[1](#footnote1)</sup>
-
-**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected a suspicious file being downloaded and run. This activity has previously been associated with installation of a backdoor.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Persistence, DefenseEvasion, Execution, Exploitation
-
-**Severity**: Medium
-
-### **Possible command line exploitation attempt**
-
-(K8S.NODE_ExploitAttempt) <sup>[1](#footnote1)</sup>
-
-**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected a possible exploitation attempt against a known vulnerability.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Exploitation
-
-**Severity**: Medium
-
-### **Possible credential access tool detected**
-
-(K8S.NODE_KnownLinuxCredentialAccessTool) <sup>[1](#footnote1)</sup>
-
-**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected a possible known credential access tool was running on the container, as identified by the specified process and commandline history item. This tool is often associated with attacker attempts to access credentials.
-
-**[MITRE tactics](#mitre-attck-tactics)**: CredentialAccess
-
-**Severity**: Medium
-
-### **Possible Cryptocoinminer download detected**
-
-(K8S.NODE_CryptoCoinMinerDownload) <sup>[1](#footnote1)</sup>
-
-**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected download of a file normally associated with digital currency mining.
-
-**[MITRE tactics](#mitre-attck-tactics)**: DefenseEvasion, Command And Control, Exploitation
-
-**Severity**: Medium
-
-### **Possible Log Tampering Activity Detected**
-
-(K8S.NODE_SystemLogRemoval) <sup>[1](#footnote1)</sup>
-
-**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected a possible removal of files that tracks user's activity during the course of its operation. Attackers often try to evade detection and leave no trace of malicious activities by deleting such log files.
-
-**[MITRE tactics](#mitre-attck-tactics)**: DefenseEvasion
-
-**Severity**: Medium
-
-### **Possible password change using crypt-method detected**
-
-(K8S.NODE_SuspectPasswordChange) <sup>[1](#footnote1)</sup>
-
-**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected a password change using the crypt method. Attackers can make this change to continue access and gain persistence after compromise.
-
-**[MITRE tactics](#mitre-attck-tactics)**: CredentialAccess
-
-**Severity**: Medium
-
-### **Potential port forwarding to external IP address**
-
-(K8S.NODE_SuspectPortForwarding) <sup>[1](#footnote1)</sup>
-
-**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected an initiation of port forwarding to an external IP address.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Exfiltration, Command And Control
-
-**Severity**: Medium
-
-### **Potential reverse shell detected**
-
-(K8S.NODE_ReverseShell) <sup>[1](#footnote1)</sup>
-
-**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected a potential reverse shell. These are used to get a compromised machine to call back into a machine an attacker owns.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Exfiltration, Exploitation
-
-**Severity**: Medium
-
-### **Privileged container detected**
-
-(K8S_PrivilegedContainer)
-
-**Description**: Kubernetes audit log analysis detected a new privileged container. A privileged container has access to the node's resources and breaks the isolation between containers. If compromised, an attacker can use the privileged container to gain access to the node.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Privilege Escalation
-
-**Severity**: Informational
-
-### **Process associated with digital currency mining detected**
-
-(K8S.NODE_CryptoCoinMinerArtifacts) <sup>[1](#footnote1)</sup>
-
-**Description**: Analysis of processes running within a container detected the execution of a process normally associated with digital currency mining.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Execution, Exploitation
-
-**Severity**: Medium
-
-### **Process seen accessing the SSH authorized keys file in an unusual way**
-
-(K8S.NODE_SshKeyAccess) <sup>[1](#footnote1)</sup>
-
-**Description**: An SSH authorized_keys file was accessed in a method similar to known malware campaigns. This access could signify that an actor is attempting to gain persistent access to a machine.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Unknown
-
-**Severity**: Informational
-
-### **Role binding to the cluster-admin role detected**
-
-(K8S_ClusterAdminBinding)
-
-**Description**: Kubernetes audit log analysis detected a new binding to the cluster-admin role which gives administrator privileges. Unnecessary administrator privileges might cause privilege escalation in the cluster.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Persistence
-
-**Severity**: Informational
-
-### **Security-related process termination detected**
-
-(K8S.NODE_SuspectProcessTermination) <sup>[1](#footnote1)</sup>
-
-**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected an attempt to terminate processes related to security monitoring on the container. Attackers will often try to terminate such processes using predefined scripts post-compromise.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Persistence
-
-**Severity**: Low
-
-### **SSH server is running inside a container**
-
-(K8S.NODE_ContainerSSH) <sup>[1](#footnote1)</sup>
-
-**Description**: Analysis of processes running within a container detected an SSH server running inside the container.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Execution
-
-**Severity**: Informational
-
-### **Suspicious file timestamp modification**
-
-(K8S.NODE_TimestampTampering) <sup>[1](#footnote1)</sup>
-
-**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected a suspicious timestamp modification. Attackers will often copy timestamps from existing legitimate files to new tools to avoid detection of these newly dropped files.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Persistence, DefenseEvasion
-
-**Severity**: Low
-
-### **Suspicious request to Kubernetes API**
-
-(K8S.NODE_KubernetesAPI) <sup>[1](#footnote1)</sup>
-
-**Description**: Analysis of processes running within a container indicates that a suspicious request was made to the Kubernetes API. The request was sent from a container in the cluster. Although this behavior can be intentional, it might indicate that a compromised container is running in the cluster.
-
-**[MITRE tactics](#mitre-attck-tactics)**: LateralMovement
-
-**Severity**: Medium
-
-### **Suspicious request to the Kubernetes Dashboard**
-
-(K8S.NODE_KubernetesDashboard) <sup>[1](#footnote1)</sup>
-
-**Description**: Analysis of processes running within a container indicates that a suspicious request was made to the Kubernetes Dashboard. The request was sent from a container in the cluster. Although this behavior can be intentional, it might indicate that a compromised container is running in the cluster.
-
-**[MITRE tactics](#mitre-attck-tactics)**: LateralMovement
-
-**Severity**: Medium
-
-### **Potential crypto coin miner started**
-
-(K8S.NODE_CryptoCoinMinerExecution) <sup>[1](#footnote1)</sup>
-
-**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected a process being started in a way normally associated with digital currency mining.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Execution
-
-**Severity**: Medium
-
-### **Suspicious password access**
-
-(K8S.NODE_SuspectPasswordFileAccess) <sup>[1](#footnote1)</sup>
-
-**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected suspicious attempt to access encrypted user passwords.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Persistence
-
-**Severity**: Informational
-
-### **Possible malicious web shell detected.**
-
-(K8S.NODE_Webshell) <sup>[1](#footnote1)</sup>
-
-**Description**: Analysis of processes running within a container detected a possible web shell. Attackers will often upload a web shell to a compute resource they have compromised to gain persistence or for further exploitation.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Persistence, Exploitation
-
-**Severity**: Medium
-
-### **Burst of multiple reconnaissance commands could indicate initial activity after compromise**
-
-(K8S.NODE_ReconnaissanceArtifactsBurst) <sup>[1](#footnote1)</sup>
-
-**Description**: Analysis of host/device data detected execution of multiple reconnaissance commands related to gathering system or host details performed by attackers after initial compromise.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Discovery, Collection
-
-**Severity**: Low
-
-### **Suspicious Download Then Run Activity**
-
-(K8S.NODE_DownloadAndRunCombo) <sup>[1](#footnote1)</sup>
-
-**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected a file being downloaded then run in the same command. While this isn't always malicious, this is a very common technique attackers use to get malicious files onto victim machines.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Execution, CommandAndControl, Exploitation
-
-**Severity**: Medium
-
-### **Access to kubelet kubeconfig file detected**
-
-(K8S.NODE_KubeConfigAccess) <sup>[1](#footnote1)</sup>
-
-**Description**: Analysis of processes running on a Kubernetes cluster node detected access to kubeconfig file on the host. The kubeconfig file, normally used by the Kubelet process, contains credentials to the Kubernetes cluster API server. Access to this file is often associated with attackers attempting to access those credentials, or with security scanning tools which check if the file is accessible.
-
-**[MITRE tactics](#mitre-attck-tactics)**: CredentialAccess
-
-**Severity**: Medium
-
-### **Access to cloud metadata service detected**
-
-(K8S.NODE_ImdsCall) <sup>[1](#footnote1)</sup>
-
-**Description**: Analysis of processes running within a container detected access to the cloud metadata service for acquiring identity token. The container doesn't normally perform such operation. While this behavior might be legitimate, attackers might use this technique to access cloud resources after gaining initial access to a running container.
-
-**[MITRE tactics](#mitre-attck-tactics)**: CredentialAccess
-
-**Severity**: Medium
-
-### **MITRE Caldera agent detected**
-
-(K8S.NODE_MitreCalderaTools) <sup>[1](#footnote1)</sup>
-
-**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected a suspicious process. This is often associated with the MITRE 54ndc47 agent, which could be used maliciously to attack other machines.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Persistence, PrivilegeEscalation, DefenseEvasion, CredentialAccess, Discovery, LateralMovement, Execution, Collection, Exfiltration, Command And Control, Probing, Exploitation
-
-**Severity**: Medium
-
-<sup><a name="footnote1"></a>1</sup>: **Preview for non-AKS clusters**: This alert is generally available for AKS clusters, but it is in preview for other environments, such as Azure Arc, EKS, and GKE.
-
-<sup><a name="footnote2"></a>2</sup>: **Limitations on GKE clusters**: GKE uses a Kubernetes audit policy that doesn't support all alert types. As a result, this security alert, which is based on Kubernetes audit events, is not supported for GKE clusters.
-
-<sup><a name="footnote3"></a>3</sup>: This alert is supported on Windows nodes/containers.
-
-## Alerts for SQL Database and Azure Synapse Analytics
-
-[Further details and notes](defender-for-sql-introduction.md)
-
-### **A possible vulnerability to SQL Injection**
-
-(SQL.DB_VulnerabilityToSqlInjection
-SQL.VM_VulnerabilityToSqlInjection
-SQL.MI_VulnerabilityToSqlInjection
-SQL.DW_VulnerabilityToSqlInjection
-Synapse.SQLPool_VulnerabilityToSqlInjection)
-
-**Description**: An application has generated a faulty SQL statement in the database. This can indicate a possible vulnerability to SQL injection attacks. There are two possible reasons for a faulty statement. A defect in application code might have constructed the faulty SQL statement. Or, application code or stored procedures didn't sanitize user input when constructing the faulty SQL statement, which can be exploited for SQL injection.
-
-**[MITRE tactics](#mitre-attck-tactics)**: PreAttack
-
-**Severity**: Medium
-
-### **Logon activity from a potentially harmful application**
-
-(SQL.DB_HarmfulApplication
-SQL.VM_HarmfulApplication
-SQL.MI_HarmfulApplication
-SQL.DW_HarmfulApplication
-Synapse.SQLPool_HarmfulApplication)
-
-**Description**: A potentially harmful application attempted to access your resource.
-
-**[MITRE tactics](#mitre-attck-tactics)**: PreAttack
-
-**Severity**: High
-
-### **Log on from an unusual Azure Data Center**
-
-(SQL.DB_DataCenterAnomaly
-SQL.VM_DataCenterAnomaly
-SQL.DW_DataCenterAnomaly
-SQL.MI_DataCenterAnomaly
-Synapse.SQLPool_DataCenterAnomaly)
-
-**Description**: There has been a change in the access pattern to an SQL Server, where someone has signed in to the server from an unusual Azure Data Center. In some cases, the alert detects a legitimate action (a new application or Azure service). In other cases, the alert detects a malicious action (attacker operating from breached resource in Azure).
-
-**[MITRE tactics](#mitre-attck-tactics)**: Probing
-
-**Severity**: Low
-
-### **Log on from an unusual location**
-
-(SQL.DB_GeoAnomaly
-SQL.VM_GeoAnomaly
-SQL.DW_GeoAnomaly
-SQL.MI_GeoAnomaly
-Synapse.SQLPool_GeoAnomaly)
-
-**Description**: There has been a change in the access pattern to SQL Server, where someone has signed in to the server from an unusual geographical location. In some cases, the alert detects a legitimate action (a new application or developer maintenance). In other cases, the alert detects a malicious action (a former employee or external attacker).
-
-**[MITRE tactics](#mitre-attck-tactics)**: Exploitation
-
-**Severity**: Medium
-
-### **Login from a principal user not seen in 60 days**
-
-(SQL.DB_PrincipalAnomaly
-SQL.VM_PrincipalAnomaly
-SQL.DW_PrincipalAnomaly
-SQL.MI_PrincipalAnomaly
-Synapse.SQLPool_PrincipalAnomaly)
-
-**Description**: A principal user not seen in the last 60 days has logged into your database. If this database is new or this is expected behavior caused by recent changes in the users accessing the database, Defender for Cloud will identify significant changes to the access patterns and attempt to prevent future false positives.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Exploitation
-
-**Severity**: Medium
-
-### **Login from a domain not seen in 60 days**
-
-(SQL.DB_DomainAnomaly
-SQL.VM_DomainAnomaly
-SQL.DW_DomainAnomaly
-SQL.MI_DomainAnomaly
-Synapse.SQLPool_DomainAnomaly)
-
-**Description**: A user has logged in to your resource from a domain no other users have connected from in the last 60 days. If this resource is new or this is expected behavior caused by recent changes in the users accessing the resource, Defender for Cloud will identify significant changes to the access patterns and attempt to prevent future false positives.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Exploitation
-
-**Severity**: Medium
-
-### **Login from a suspicious IP**
-
-(SQL.DB_SuspiciousIpAnomaly
-SQL.VM_SuspiciousIpAnomaly
-SQL.DW_SuspiciousIpAnomaly
-SQL.MI_SuspiciousIpAnomaly
-Synapse.SQLPool_SuspiciousIpAnomaly)
-
-**Description**: Your resource has been accessed successfully from an IP address that Microsoft Threat Intelligence has associated with suspicious activity.
-
-**[MITRE tactics](#mitre-attck-tactics)**: PreAttack
-
-**Severity**: Medium
-
-### **Potential SQL injection**
-
-(SQL.DB_PotentialSqlInjection
-SQL.VM_PotentialSqlInjection
-SQL.MI_PotentialSqlInjection
-SQL.DW_PotentialSqlInjection
-Synapse.SQLPool_PotentialSqlInjection)
-
-**Description**: An active exploit has occurred against an identified application vulnerable to SQL injection. This means an attacker is trying to inject malicious SQL statements by using the vulnerable application code or stored procedures.
-
-**[MITRE tactics](#mitre-attck-tactics)**: PreAttack
-
-**Severity**: High
-
-### **Suspected brute force attack using a valid user**
-
-(SQL.DB_BruteForce
-SQL.VM_BruteForce
-SQL.DW_BruteForce
-SQL.MI_BruteForce
-Synapse.SQLPool_BruteForce)
-
-**Description**: A potential brute force attack has been detected on your resource. The attacker is using the valid user (username), which has permissions to log in.
-
-**[MITRE tactics](#mitre-attck-tactics)**: PreAttack
-
-**Severity**: High
-
-### **Suspected brute force attack**
-
-(SQL.DB_BruteForce
-SQL.VM_BruteForce
-SQL.DW_BruteForce
-SQL.MI_BruteForce
-Synapse.SQLPool_BruteForce)
-
-**Description**: A potential brute force attack has been detected on your resource.
-
-**[MITRE tactics](#mitre-attck-tactics)**: PreAttack
-
-**Severity**: High
-
-### **Suspected successful brute force attack**
-
-(SQL.DB_BruteForce
-SQL.VM_BruteForce
-SQL.DW_BruteForce
-SQL.MI_BruteForce
-Synapse.SQLPool_BruteForce)
-
-**Description**: A successful login occurred after an apparent brute force attack on your resource.
-
-**[MITRE tactics](#mitre-attck-tactics)**: PreAttack
-
-**Severity**: High
-
-### **SQL Server potentially spawned a Windows command shell and accessed an abnormal external source**
-
-(SQL.DB_ShellExternalSourceAnomaly
-SQL.VM_ShellExternalSourceAnomaly
-SQL.DW_ShellExternalSourceAnomaly
-SQL.MI_ShellExternalSourceAnomaly
-Synapse.SQLPool_ShellExternalSourceAnomaly)
-
-**Description**: A suspicious SQL statement potentially spawned a Windows command shell with an external source that hasn't been seen before. Executing a shell that accesses an external source is a method used by attackers to download malicious payload and then execute it on the machine and compromise it. This enables an attacker to perform malicious tasks under remote direction. Alternatively, accessing an external source can be used to exfiltrate data to an external destination.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Execution
-
-**Severity**: High/Medium
-
-### **Unusual payload with obfuscated parts has been initiated by SQL Server**
-
-(SQL.VM_PotentialSqlInjection)
-
-**Description**: Someone has initiated a new payload utilizing the layer in SQL Server that communicates with the operating system while concealing the command in the SQL query. Attackers commonly hide impactful commands which are popularly monitored like xp_cmdshell, sp_add_job and others. Obfuscation techniques abuse legitimate commands like string concatenation, casting, base changing, and others, to avoid regex detection and hurt the readability of the logs.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Execution
-
-**Severity**: High/Medium
-
-## Alerts for open-source relational databases
-
-[Further details and notes](defender-for-databases-introduction.md)
-
-### **Suspected brute force attack using a valid user**
-
-(SQL.PostgreSQL_BruteForce
-SQL.MariaDB_BruteForce
-SQL.MySQL_BruteForce)
-
-**Description**: A potential brute force attack has been detected on your resource. The attacker is using the valid user (username), which has permissions to log in.
-
-**[MITRE tactics](#mitre-attck-tactics)**: PreAttack
-
-**Severity**: Medium
-
-### **Suspected successful brute force attack**
-
-(SQL.PostgreSQL_BruteForce
-SQL.MySQL_BruteForce
-SQL.MariaDB_BruteForce)
-
-**Description**: A successful login occurred after an apparent brute force attack on your resource.
-
-**[MITRE tactics](#mitre-attck-tactics)**: PreAttack
-
-**Severity**: High
-
-### **Suspected brute force attack**
-
-(SQL.PostgreSQL_BruteForce
-SQL.MySQL_BruteForce
-SQL.MariaDB_BruteForce)
-
-**Description**: A potential brute force attack has been detected on your resource.
-
-**[MITRE tactics](#mitre-attck-tactics)**: PreAttack
-
-**Severity**: Medium
-
-### **Attempted logon by a potentially harmful application**
-
-(SQL.PostgreSQL_HarmfulApplication
-SQL.MariaDB_HarmfulApplication
-SQL.MySQL_HarmfulApplication)
-
-**Description**: A potentially harmful application attempted to access your resource.
-
-**[MITRE tactics](#mitre-attck-tactics)**: PreAttack
-
-**Severity**: High/Medium
-
-### **Login from a principal user not seen in 60 days**
-
-(SQL.PostgreSQL_PrincipalAnomaly
-SQL.MariaDB_PrincipalAnomaly
-SQL.MySQL_PrincipalAnomaly)
-
-**Description**: A principal user not seen in the last 60 days has logged into your database. If this database is new or this is expected behavior caused by recent changes in the users accessing the database, Defender for Cloud will identify significant changes to the access patterns and attempt to prevent future false positives.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Exploitation
-
-**Severity**: Low
-
-### **Login from a domain not seen in 60 days**
-
-(SQL.MariaDB_DomainAnomaly
-SQL.PostgreSQL_DomainAnomaly
-SQL.MySQL_DomainAnomaly)
-
-**Description**: A user has logged in to your resource from a domain no other users have connected from in the last 60 days. If this resource is new or this is expected behavior caused by recent changes in the users accessing the resource, Defender for Cloud will identify significant changes to the access patterns and attempt to prevent future false positives.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Exploitation
-
-**Severity**: Medium
-
-### **Log on from an unusual Azure Data Center**
-
-(SQL.PostgreSQL_DataCenterAnomaly
-SQL.MariaDB_DataCenterAnomaly
-SQL.MySQL_DataCenterAnomaly)
-
-**Description**: Someone logged on to your resource from an unusual Azure Data Center.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Probing
-
-**Severity**: Low
-
-### **Logon from an unusual cloud provider**
-
-(SQL.PostgreSQL_CloudProviderAnomaly
-SQL.MariaDB_CloudProviderAnomaly
-SQL.MySQL_CloudProviderAnomaly)
-
-**Description**: Someone logged on to your resource from a cloud provider not seen in the last 60 days. It's quick and easy for threat actors to obtain disposable compute power for use in their campaigns. If this is expected behavior caused by the recent adoption of a new cloud provider, Defender for Cloud will learn over time and attempt to prevent future false positives.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Exploitation
-
-**Severity**: Medium
-
-### **Log on from an unusual location**
-
-(SQL.MariaDB_GeoAnomaly
-SQL.PostgreSQL_GeoAnomaly
-SQL.MySQL_GeoAnomaly)
-
-**Description**: Someone logged on to your resource from an unusual Azure Data Center.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Exploitation
-
-**Severity**: Medium
-
-### **Login from a suspicious IP**
-
-(SQL.PostgreSQL_SuspiciousIpAnomaly
-SQL.MariaDB_SuspiciousIpAnomaly
-SQL.MySQL_SuspiciousIpAnomaly)
-
-**Description**: Your resource has been accessed successfully from an IP address that Microsoft Threat Intelligence has associated with suspicious activity.
-
-**[MITRE tactics](#mitre-attck-tactics)**: PreAttack
-
-**Severity**: Medium
-
-## Alerts for Resource Manager
-
-> [!NOTE]
-> Alerts with a **delegated access** indication are triggered due to activity of third-party service providers. learn more about [service providers activity indications](defender-for-resource-manager-usage.md).
-
-[Further details and notes](defender-for-resource-manager-introduction.md)
-
-### **Azure Resource Manager operation from suspicious IP address**
-
-(ARM_OperationFromSuspiciousIP)
-
-**Description**: Microsoft Defender for Resource Manager detected an operation from an IP address that has been marked as suspicious in threat intelligence feeds.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Execution
-
-**Severity**: Medium
-
-### **Azure Resource Manager operation from suspicious proxy IP address**
-
-(ARM_OperationFromSuspiciousProxyIP)
-
-**Description**: Microsoft Defender for Resource Manager detected a resource management operation from an IP address that is associated with proxy services, such as TOR. While this behavior can be legitimate, it's often seen in malicious activities, when threat actors try to hide their source IP.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Defense Evasion
-
-**Severity**: Medium
-
-### **MicroBurst exploitation toolkit used to enumerate resources in your subscriptions**
-
-(ARM_MicroBurst.AzDomainInfo)
-
-**Description**: A PowerShell script was run in your subscription and performed suspicious pattern of executing an information gathering operations to discover resources, permissions, and network structures. Threat actors use automated scripts, like MicroBurst, to gather information for malicious activities. This was detected by analyzing Azure Resource Manager operations in your subscription. This operation might indicate that an identity in your organization was breached, and that the threat actor is trying to compromise your environment for malicious intentions.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Low
-
-### **MicroBurst exploitation toolkit used to enumerate resources in your subscriptions**
-
-(ARM_MicroBurst.AzureDomainInfo)
-
-**Description**: A PowerShell script was run in your subscription and performed suspicious pattern of executing an information gathering operations to discover resources, permissions, and network structures. Threat actors use automated scripts, like MicroBurst, to gather information for malicious activities. This was detected by analyzing Azure Resource Manager operations in your subscription. This operation might indicate that an identity in your organization was breached, and that the threat actor is trying to compromise your environment for malicious intentions.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: Low
-
-### **MicroBurst exploitation toolkit used to execute code on your virtual machine**
-
-(ARM_MicroBurst.AzVMBulkCMD)
-
-**Description**: A PowerShell script was run in your subscription and performed a suspicious pattern of executing code on a VM or a list of VMs. Threat actors use automated scripts, like MicroBurst, to run a script on a VM for malicious activities. This was detected by analyzing Azure Resource Manager operations in your subscription. This operation might indicate that an identity in your organization was breached, and that the threat actor is trying to compromise your environment for malicious intentions.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Execution
-
-**Severity**: High
-
-### **MicroBurst exploitation toolkit used to execute code on your virtual machine**
-
-(RM_MicroBurst.AzureRmVMBulkCMD)
-
-**Description**: MicroBurst's exploitation toolkit was used to execute code on your virtual machines. This was detected by analyzing Azure Resource Manager operations in your subscription.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: High
-
-### **MicroBurst exploitation toolkit used to extract keys from your Azure key vaults**
-
-(ARM_MicroBurst.AzKeyVaultKeysREST)
-
-**Description**: A PowerShell script was run in your subscription and performed a suspicious pattern of extracting keys from an Azure Key Vault(s). Threat actors use automated scripts, like MicroBurst, to list keys and use them to access sensitive data or perform lateral movement. This was detected by analyzing Azure Resource Manager operations in your subscription. This operation might indicate that an identity in your organization was breached, and that the threat actor is trying to compromise your environment for malicious intentions.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: High
-
-### **MicroBurst exploitation toolkit used to extract keys to your storage accounts**
-
-(ARM_MicroBurst.AZStorageKeysREST)
-
-**Description**: A PowerShell script was run in your subscription and performed a suspicious pattern of extracting keys to Storage Account(s). Threat actors use automated scripts, like MicroBurst, to list keys and use them to access sensitive data in your Storage Account(s). This was detected by analyzing Azure Resource Manager operations in your subscription. This operation might indicate that an identity in your organization was breached, and that the threat actor is trying to compromise your environment for malicious intentions.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Collection
-
-**Severity**: High
-
-### **MicroBurst exploitation toolkit used to extract secrets from your Azure key vaults**
-
-(ARM_MicroBurst.AzKeyVaultSecretsREST)
-
-**Description**: A PowerShell script was run in your subscription and performed a suspicious pattern of extracting secrets from an Azure Key Vault(s). Threat actors use automated scripts, like MicroBurst, to list secrets and use them to access sensitive data or perform lateral movement. This was detected by analyzing Azure Resource Manager operations in your subscription. This operation might indicate that an identity in your organization was breached, and that the threat actor is trying to compromise your environment for malicious intentions.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: High
-
-### **PowerZure exploitation toolkit used to elevate access from Azure AD to Azure**
-
-(ARM_PowerZure.AzureElevatedPrivileges)
-
-**Description**: PowerZure exploitation toolkit was used to elevate access from AzureAD to Azure. This was detected by analyzing Azure Resource Manager operations in your tenant.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: High
-
-### **PowerZure exploitation toolkit used to enumerate resources**
-
-(ARM_PowerZure.GetAzureTargets)
-
-**Description**: PowerZure exploitation toolkit was used to enumerate resources on behalf of a legitimate user account in your organization. This was detected by analyzing Azure Resource Manager operations in your subscription.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Collection
-
-**Severity**: High
-
-### **PowerZure exploitation toolkit used to enumerate storage containers, shares, and tables**
-
-(ARM_PowerZure.ShowStorageContent)
-
-**Description**: PowerZure exploitation toolkit was used to enumerate storage shares, tables, and containers. This was detected by analyzing Azure Resource Manager operations in your subscription.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: High
-
-### **PowerZure exploitation toolkit used to execute a Runbook in your subscription**
-
-(ARM_PowerZure.StartRunbook)
-
-**Description**: PowerZure exploitation toolkit was used to execute a Runbook. This was detected by analyzing Azure Resource Manager operations in your subscription.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: High
-
-### **PowerZure exploitation toolkit used to extract Runbooks content**
-
-(ARM_PowerZure.AzureRunbookContent)
-
-**Description**: PowerZure exploitation toolkit was used to extract Runbook content. This was detected by analyzing Azure Resource Manager operations in your subscription.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Collection
-
-**Severity**: High
-
-### **PREVIEW - Azurite toolkit run detected**
-
-(ARM_Azurite)
-
-**Description**: A known cloud-environment reconnaissance toolkit run has been detected in your environment. The tool [Azurite](https://github.com/mwrlabs/Azurite) can be used by an attacker (or penetration tester) to map your subscriptions' resources and identify insecure configurations.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Collection
-
-**Severity**: High
-
-### **PREVIEW - Suspicious creation of compute resources detected**
-
-(ARM_SuspiciousComputeCreation)
-
-**Description**: Microsoft Defender for Resource Manager identified a suspicious creation of compute resources in your subscription utilizing Virtual Machines/Azure Scale Set. The identified operations are designed to allow administrators to efficiently manage their environments by deploying new resources when needed. While this activity might be legitimate, a threat actor might utilize such operations to conduct crypto mining.
- The activity is deemed suspicious as the compute resources scale is higher than previously observed in the subscription.
- This can indicate that the principal is compromised and is being used with malicious intent.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Impact
-
-**Severity**: Medium
-
-### **PREVIEW - Suspicious key vault recovery detected**
-
-(Arm_Suspicious_Vault_Recovering)
-
-**Description**: Microsoft Defender for Resource Manager detected a suspicious recovery operation for a soft-deleted key vault resource.
- The user recovering the resource is different from the user that deleted it. This is highly suspicious because the user rarely invokes such an operation. In addition, the user logged on without multifactor authentication (MFA).
- This might indicate that the user is compromised and is attempting to discover secrets and keys to gain access to sensitive resources, or to perform lateral movement across your network.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Lateral movement
-
-**Severity**: Medium/high
-
-### **PREVIEW - Suspicious management session using an inactive account detected**
-
-(ARM_UnusedAccountPersistence)
-
-**Description**: Subscription activity logs analysis has detected suspicious behavior. A principal not in use for a long period of time is now performing actions that can secure persistence for an attacker.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Persistence
-
-**Severity**: Medium
-
-### **PREVIEW - Suspicious invocation of a high-risk 'Credential Access' operation by a service principal detected**
-
-(ARM_AnomalousServiceOperation.CredentialAccess)
-
-**Description**: Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription, which might indicate an attempt to access credentials. The identified operations are designed to allow administrators to efficiently manage their environments. While this activity might be legitimate, a threat actor might utilize such operations to access restricted credentials and compromise resources in your environment. This can indicate that the service principal is compromised and is being used with malicious intent.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Credential access
-
-**Severity**: Medium
-
-### **PREVIEW - Suspicious invocation of a high-risk 'Data Collection' operation by a service principal detected**
-
-(ARM_AnomalousServiceOperation.Collection)
-
-**Description**: Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription, which might indicate an attempt to collect data. The identified operations are designed to allow administrators to efficiently manage their environments. While this activity might be legitimate, a threat actor might utilize such operations to collect sensitive data on resources in your environment. This can indicate that the service principal is compromised and is being used with malicious intent.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Collection
-
-**Severity**: Medium
-
-### **PREVIEW - Suspicious invocation of a high-risk 'Defense Evasion' operation by a service principal detected**
-
-(ARM_AnomalousServiceOperation.DefenseEvasion)
-
-**Description**: Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription, which might indicate an attempt to evade defenses. The identified operations are designed to allow administrators to efficiently manage the security posture of their environments. While this activity might be legitimate, a threat actor might utilize such operations to avoid being detected while compromising resources in your environment. This can indicate that the service principal is compromised and is being used with malicious intent.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Defense Evasion
-
-**Severity**: Medium
-
-### **PREVIEW - Suspicious invocation of a high-risk 'Execution' operation by a service principal detected**
-
-(ARM_AnomalousServiceOperation.Execution)
-
-**Description**: Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation on a machine in your subscription, which might indicate an attempt to execute code. The identified operations are designed to allow administrators to efficiently manage their environments. While this activity might be legitimate, a threat actor might utilize such operations to access restricted credentials and compromise resources in your environment. This can indicate that the service principal is compromised and is being used with malicious intent.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Defense Execution
-
-**Severity**: Medium
-
-### **PREVIEW - Suspicious invocation of a high-risk 'Impact' operation by a service principal detected**
-
-(ARM_AnomalousServiceOperation.Impact)
-
-**Description**: Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription, which might indicate an attempted configuration change. The identified operations are designed to allow administrators to efficiently manage their environments. While this activity might be legitimate, a threat actor might utilize such operations to access restricted credentials and compromise resources in your environment. This can indicate that the service principal is compromised and is being used with malicious intent.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Impact
-
-**Severity**: Medium
-
-### **PREVIEW - Suspicious invocation of a high-risk 'Initial Access' operation by a service principal detected**
-
-(ARM_AnomalousServiceOperation.InitialAccess)
-
-**Description**: Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription, which might indicate an attempt to access restricted resources. The identified operations are designed to allow administrators to efficiently access their environments. While this activity might be legitimate, a threat actor might utilize such operations to gain initial access to restricted resources in your environment. This can indicate that the service principal is compromised and is being used with malicious intent.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Initial access
-
-**Severity**: Medium
-
-### **PREVIEW - Suspicious invocation of a high-risk 'Lateral Movement Access' operation by a service principal detected**
-
-(ARM_AnomalousServiceOperation.LateralMovement)
-
-**Description**: Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription, which might indicate an attempt to perform lateral movement. The identified operations are designed to allow administrators to efficiently manage their environments. While this activity might be legitimate, a threat actor might utilize such operations to compromise more resources in your environment. This can indicate that the service principal is compromised and is being used with malicious intent.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Lateral movement
-
-**Severity**: Medium
-
-### **PREVIEW - Suspicious invocation of a high-risk 'persistence' operation by a service principal detected**
-
-(ARM_AnomalousServiceOperation.Persistence)
-
-**Description**: Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription, which might indicate an attempt to establish persistence. The identified operations are designed to allow administrators to efficiently manage their environments. While this activity might be legitimate, a threat actor might utilize such operations to establish persistence in your environment. This can indicate that the service principal is compromised and is being used with malicious intent.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Persistence
-
-**Severity**: Medium
-
-### **PREVIEW - Suspicious invocation of a high-risk 'Privilege Escalation' operation by a service principal detected**
-
-(ARM_AnomalousServiceOperation.PrivilegeEscalation)
-
-**Description**: Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription, which might indicate an attempt to escalate privileges. The identified operations are designed to allow administrators to efficiently manage their environments. While this activity might be legitimate, a threat actor might utilize such operations to escalate privileges while compromising resources in your environment. This can indicate that the service principal is compromised and is being used with malicious intent.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Privilege escalation
-
-**Severity**: Medium
-
-### **PREVIEW - Suspicious management session using an inactive account detected**
-
-(ARM_UnusedAccountPersistence)
-
-**Description**: Subscription activity logs analysis has detected suspicious behavior. A principal not in use for a long period of time is now performing actions that can secure persistence for an attacker.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Persistence
-
-**Severity**: Medium
-
-### **PREVIEW - Suspicious management session using PowerShell detected**
-
-(ARM_UnusedAppPowershellPersistence)
-
-**Description**: Subscription activity logs analysis has detected suspicious behavior. A principal that doesn't regularly use PowerShell to manage the subscription environment is now using PowerShell, and performing actions that can secure persistence for an attacker.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Persistence
-
-**Severity**: Medium
-
-### **PREVIEW – Suspicious management session using Azure portal detected**
-
-(ARM_UnusedAppIbizaPersistence)
-
-**Description**: Analysis of your subscription activity logs has detected a suspicious behavior. A principal that doesn't regularly use the Azure portal (Ibiza) to manage the subscription environment (hasn't used Azure portal to manage for the last 45 days, or a subscription that it is actively managing), is now using the Azure portal and performing actions that can secure persistence for an attacker.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Persistence
-
-**Severity**: Medium
-
-### **Privileged custom role created for your subscription in a suspicious way (Preview)**
-
-(ARM_PrivilegedRoleDefinitionCreation)
-
-**Description**: Microsoft Defender for Resource Manager detected a suspicious creation of privileged custom role definition in your subscription. This operation might have been performed by a legitimate user in your organization. Alternatively, it might indicate that an account in your organization was breached, and that the threat actor is trying to create a privileged role to use in the future to evade detection.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Privilege Escalation, Defense Evasion
-
-**Severity**: Informational
-
-### **Suspicious Azure role assignment detected (Preview)**
-
-(ARM_AnomalousRBACRoleAssignment)
-
-**Description**: Microsoft Defender for Resource Manager identified a suspicious Azure role assignment / performed using PIM (Privileged Identity Management) in your tenant, which might indicate that an account in your organization was compromised. The identified operations are designed to allow administrators to grant principals access to Azure resources. While this activity might be legitimate, a threat actor might utilize role assignment to escalate their permissions allowing them to advance their attack.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Lateral Movement, Defense Evasion
-
-**Severity**: Low (PIM) / High
-
-### **Suspicious invocation of a high-risk 'Credential Access' operation detected (Preview)**
-
-(ARM_AnomalousOperation.CredentialAccess)
-
-**Description**: Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription, which might indicate an attempt to access credentials. The identified operations are designed to allow administrators to efficiently access their environments. While this activity might be legitimate, a threat actor might utilize such operations to access restricted credentials and compromise resources in your environment. This can indicate that the account is compromised and is being used with malicious intent.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Credential Access
-
-**Severity**: Medium
-
-### **Suspicious invocation of a high-risk 'Data Collection' operation detected (Preview)**
-
-(ARM_AnomalousOperation.Collection)
-
-**Description**: Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription, which might indicate an attempt to collect data. The identified operations are designed to allow administrators to efficiently manage their environments. While this activity might be legitimate, a threat actor might utilize such operations to collect sensitive data on resources in your environment. This can indicate that the account is compromised and is being used with malicious intent.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Collection
-
-**Severity**: Medium
-
-### **Suspicious invocation of a high-risk 'Defense Evasion' operation detected (Preview)**
-
-(ARM_AnomalousOperation.DefenseEvasion)
-
-**Description**: Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription, which might indicate an attempt to evade defenses. The identified operations are designed to allow administrators to efficiently manage the security posture of their environments. While this activity might be legitimate, a threat actor might utilize such operations to avoid being detected while compromising resources in your environment. This can indicate that the account is compromised and is being used with malicious intent.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Defense Evasion
-
-**Severity**: Medium
-
-### **Suspicious invocation of a high-risk 'Execution' operation detected (Preview)**
-
-(ARM_AnomalousOperation.Execution)
-
-**Description**: Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation on a machine in your subscription, which might indicate an attempt to execute code. The identified operations are designed to allow administrators to efficiently manage their environments. While this activity might be legitimate, a threat actor might utilize such operations to access restricted credentials and compromise resources in your environment. This can indicate that the account is compromised and is being used with malicious intent.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Execution
-
-**Severity**: Medium
-
-### **Suspicious invocation of a high-risk 'Impact' operation detected (Preview)**
-
-(ARM_AnomalousOperation.Impact)
-
-**Description**: Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription, which might indicate an attempted configuration change. The identified operations are designed to allow administrators to efficiently manage their environments. While this activity might be legitimate, a threat actor might utilize such operations to access restricted credentials and compromise resources in your environment. This can indicate that the account is compromised and is being used with malicious intent.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Impact
-
-**Severity**: Medium
-
-### **Suspicious invocation of a high-risk 'Initial Access' operation detected (Preview)**
-
-(ARM_AnomalousOperation.InitialAccess)
-
-**Description**: Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription, which might indicate an attempt to access restricted resources. The identified operations are designed to allow administrators to efficiently access their environments. While this activity might be legitimate, a threat actor might utilize such operations to gain initial access to restricted resources in your environment. This can indicate that the account is compromised and is being used with malicious intent.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Initial Access
-
-**Severity**: Medium
-
-### **Suspicious invocation of a high-risk 'Lateral Movement' operation detected (Preview)**
-
-(ARM_AnomalousOperation.LateralMovement)
-
-**Description**: Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription, which might indicate an attempt to perform lateral movement. The identified operations are designed to allow administrators to efficiently manage their environments. While this activity might be legitimate, a threat actor might utilize such operations to compromise more resources in your environment. This can indicate that the account is compromised and is being used with malicious intent.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Lateral Movement
-
-**Severity**: Medium
-
-### **Suspicious elevate access operation (Preview)**(ARM_AnomalousElevateAccess)
-
-**Description**: Microsoft Defender for Resource Manager identified a suspicious "Elevate Access" operation. The activity is deemed suspicious, as this principal rarely invokes such operations. While this activity might be legitimate, a threat actor might utilize an "Elevate Access" operation to perform privilege escalation for a compromised user.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Privilege Escalation
-
-**Severity**: Medium
-
-### **Suspicious invocation of a high-risk 'Persistence' operation detected (Preview)**
-
-(ARM_AnomalousOperation.Persistence)
-
-**Description**: Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription, which might indicate an attempt to establish persistence. The identified operations are designed to allow administrators to efficiently manage their environments. While this activity might be legitimate, a threat actor might utilize such operations to establish persistence in your environment. This can indicate that the account is compromised and is being used with malicious intent.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Persistence
-
-**Severity**: Medium
-
-### **Suspicious invocation of a high-risk 'Privilege Escalation' operation detected (Preview)**
-
-(ARM_AnomalousOperation.PrivilegeEscalation)
-
-**Description**: Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription, which might indicate an attempt to escalate privileges. The identified operations are designed to allow administrators to efficiently manage their environments. While this activity might be legitimate, a threat actor might utilize such operations to escalate privileges while compromising resources in your environment. This can indicate that the account is compromised and is being used with malicious intent.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Privilege Escalation
-
-**Severity**: Medium
-
-### **Usage of MicroBurst exploitation toolkit to run an arbitrary code or exfiltrate Azure Automation account credentials**
-
-(ARM_MicroBurst.RunCodeOnBehalf)
-
-**Description**: A PowerShell script was run in your subscription and performed a suspicious pattern of executing an arbitrary code or exfiltrate Azure Automation account credentials. Threat actors use automated scripts, like MicroBurst, to run arbitrary code for malicious activities. This was detected by analyzing Azure Resource Manager operations in your subscription. This operation might indicate that an identity in your organization was breached, and that the threat actor is trying to compromise your environment for malicious intentions.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Persistence, Credential Access
-
-**Severity**: High
-
-### **Usage of NetSPI techniques to maintain persistence in your Azure environment**
-
-(ARM_NetSPI.MaintainPersistence)
-
-**Description**: Usage of NetSPI persistence technique to create a webhook backdoor and maintain persistence in your Azure environment. This was detected by analyzing Azure Resource Manager operations in your subscription.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: High
-
-### **Usage of PowerZure exploitation toolkit to run an arbitrary code or exfiltrate Azure Automation account credentials**
-
-(ARM_PowerZure.RunCodeOnBehalf)
-
-**Description**: PowerZure exploitation toolkit detected attempting to run code or exfiltrate Azure Automation account credentials. This was detected by analyzing Azure Resource Manager operations in your subscription.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: High
-
-### **Usage of PowerZure function to maintain persistence in your Azure environment**
-
-(ARM_PowerZure.MaintainPersistence)
-
-**Description**: PowerZure exploitation toolkit detected creating a webhook backdoor to maintain persistence in your Azure environment. This was detected by analyzing Azure Resource Manager operations in your subscription.
-
-**[MITRE tactics](#mitre-attck-tactics)**: -
-
-**Severity**: High
-
-### **Suspicious classic role assignment detected (Preview)**
-
-(ARM_AnomalousClassicRoleAssignment)
-
-**Description**: Microsoft Defender for Resource Manager identified a suspicious classic role assignment in your tenant, which might indicate that an account in your organization was compromised. The identified operations are designed to provide backward compatibility with classic roles that are no longer commonly used. While this activity might be legitimate, a threat actor might utilize such assignment to grant permissions to another user account under their control.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Lateral Movement, Defense Evasion
-
-**Severity**: High
-
-## Alerts for Azure Storage
-
-[Further details and notes](defender-for-storage-introduction.md)
-
-### **Access from a suspicious application**
-
-(Storage.Blob_SuspiciousApp)
-
-**Description**: Indicates that a suspicious application has successfully accessed a container of a storage account with authentication.
-This might indicate that an attacker has obtained the credentials necessary to access the account, and is exploiting it. This could also be an indication of a penetration test carried out in your organization.
-Applies to: Azure Blob Storage, Azure Data Lake Storage Gen2
-
-**[MITRE tactics](#mitre-attck-tactics)**: Initial Access
-
-**Severity**: High/Medium
-
-### **Access from a suspicious IP address**
-
-(Storage.Blob_SuspiciousIp
-Storage.Files_SuspiciousIp)
-
-**Description**: Indicates that this storage account has been successfully accessed from an IP address that is considered suspicious. This alert is powered by Microsoft Threat Intelligence.
-Learn more about [Microsoft's threat intelligence capabilities](https://go.microsoft.com/fwlink/?linkid=2128684).
-Applies to: Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2
-
-**[MITRE tactics](#mitre-attck-tactics)**: Pre Attack
-
-**Severity**: High/Medium/Low
-
-### **Phishing content hosted on a storage account**
-
-(Storage.Blob_PhishingContent
-Storage.Files_PhishingContent)
-
-**Description**: A URL used in a phishing attack points to your Azure Storage account. This URL was part of a phishing attack affecting users of Microsoft 365.
-Typically, content hosted on such pages is designed to trick visitors into entering their corporate credentials or financial information into a web form that looks legitimate.
-This alert is powered by Microsoft Threat Intelligence.
-Learn more about [Microsoft's threat intelligence capabilities](https://go.microsoft.com/fwlink/?linkid=2128684).
-Applies to: Azure Blob Storage, Azure Files
-
-**[MITRE tactics](#mitre-attck-tactics)**: Collection
-
-**Severity**: High
-
-### **Storage account identified as source for distribution of malware**
-
-(Storage.Files_WidespreadeAm)
-
-**Description**: Antimalware alerts indicate that an infected file(s) is stored in an Azure file share that is mounted to multiple VMs. If attackers gain access to a VM with a mounted Azure file share, they can use it to spread malware to other VMs that mount the same share.
-Applies to: Azure Files
-
-**[MITRE tactics](#mitre-attck-tactics)**: Execution
-
-**Severity**: Medium
-
-### **The access level of a potentially sensitive storage blob container was changed to allow unauthenticated public access**
-
-(Storage.Blob_OpenACL)
-
-**Description**: The alert indicates that someone has changed the access level of a blob container in the storage account, which might contain sensitive data, to the 'Container' level, to allow unauthenticated (anonymous) public access. The change was made through the Azure portal.
-Based on statistical analysis, the blob container is flagged as possibly containing sensitive data. This analysis suggests that blob containers or storage accounts with similar names are typically not exposed to public access.
-Applies to: Azure Blob (Standard general-purpose v2, Azure Data Lake Storage Gen2, or premium block blobs) storage accounts.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Collection
-
-**Severity**: Medium
-
-### **Authenticated access from a Tor exit node**
-
-(Storage.Blob_TorAnomaly
-Storage.Files_TorAnomaly)
-
-**Description**: One or more storage container(s) / file share(s) in your storage account were successfully accessed from an IP address known to be an active exit node of Tor (an anonymizing proxy). Threat actors use Tor to make it difficult to trace the activity back to them. Authenticated access from a Tor exit node is a likely indication that a threat actor is trying to hide their identity.
-Applies to: Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2
-
-**[MITRE tactics](#mitre-attck-tactics)**: Initial Access / Pre Attack
-
-**Severity**: High/Medium
-
-### **Access from an unusual location to a storage account**
-
-(Storage.Blob_GeoAnomaly
-Storage.Files_GeoAnomaly)
-
-**Description**: Indicates that there was a change in the access pattern to an Azure Storage account. Someone has accessed this account from an IP address considered unfamiliar when compared with recent activity. Either an attacker has gained access to the account, or a legitimate user has connected from a new or unusual geographic location. An example of the latter is remote maintenance from a new application or developer.
-Applies to: Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2
-
-**[MITRE tactics](#mitre-attck-tactics)**: Initial Access
-
-**Severity**: High/Medium/Low
-
-### **Unusual unauthenticated access to a storage container**
-
-(Storage.Blob_AnonymousAccessAnomaly)
-
-**Description**: This storage account was accessed without authentication, which is a change in the common access pattern. Read access to this container is usually authenticated. This might indicate that a threat actor was able to exploit public read access to storage container(s) in this storage account(s).
-Applies to: Azure Blob Storage
-
-**[MITRE tactics](#mitre-attck-tactics)**: Initial Access
-
-**Severity**: High/Low
-
-### **Potential malware uploaded to a storage account**
-
-(Storage.Blob_MalwareHashReputation
-Storage.Files_MalwareHashReputation)
-
-**Description**: Indicates that a blob containing potential malware has been uploaded to a blob container or a file share in a storage account. This alert is based on hash reputation analysis leveraging the power of Microsoft threat intelligence, which includes hashes for viruses, trojans, spyware and ransomware. Potential causes might include an intentional malware upload by an attacker, or an unintentional upload of a potentially malicious blob by a legitimate user.
-Applies to: Azure Blob Storage, Azure Files (Only for transactions over REST API)
-Learn more about [Microsoft's threat intelligence capabilities](https://go.microsoft.com/fwlink/?linkid=2128684).
-
-**[MITRE tactics](#mitre-attck-tactics)**: Lateral Movement
-
-**Severity**: High
-
-### **Publicly accessible storage containers successfully discovered**
-
-(Storage.Blob_OpenContainersScanning.SuccessfulDiscovery)
-
-**Description**: A successful discovery of publicly open storage container(s) in your storage account was performed in the last hour by a scanning script or tool.
-
-This usually indicates a reconnaissance attack, where the threat actor tries to list blobs by guessing container names, in the hope of finding misconfigured open storage containers with sensitive data in them.
-
-The threat actor might use their own script or use known scanning tools like Microburst to scan for publicly open containers.
-
-Γ£ö Azure Blob Storage
-Γ£û Azure Files
-Γ£û Azure Data Lake Storage Gen2
-
-**[MITRE tactics](#mitre-attck-tactics)**: Collection
-
-**Severity**: High/Medium
-
-### **Publicly accessible storage containers unsuccessfully scanned**
-
-(Storage.Blob_OpenContainersScanning.FailedAttempt)
-
-**Description**: A series of failed attempts to scan for publicly open storage containers were performed in the last hour.
-
-This usually indicates a reconnaissance attack, where the threat actor tries to list blobs by guessing container names, in the hope of finding misconfigured open storage containers with sensitive data in them.
-
-The threat actor might use their own script or use known scanning tools like Microburst to scan for publicly open containers.
-
-Γ£ö Azure Blob Storage
-Γ£û Azure Files
-Γ£û Azure Data Lake Storage Gen2
-
-**[MITRE tactics](#mitre-attck-tactics)**: Collection
-
-**Severity**: High/Low
-
-### **Unusual access inspection in a storage account**
-
-(Storage.Blob_AccessInspectionAnomaly
-Storage.Files_AccessInspectionAnomaly)
-
-**Description**: Indicates that the access permissions of a storage account have been inspected in an unusual way, compared to recent activity on this account. A potential cause is that an attacker has performed reconnaissance for a future attack.
-Applies to: Azure Blob Storage, Azure Files
-
-**[MITRE tactics](#mitre-attck-tactics)**: Discovery
-
-**Severity**: High/Medium
-
-### **Unusual amount of data extracted from a storage account**
-
-(Storage.Blob_DataExfiltration.AmountOfDataAnomaly
-Storage.Blob_DataExfiltration.NumberOfBlobsAnomaly
-Storage.Files_DataExfiltration.AmountOfDataAnomaly
-Storage.Files_DataExfiltration.NumberOfFilesAnomaly)
-
-**Description**: Indicates that an unusually large amount of data has been extracted compared to recent activity on this storage container. A potential cause is that an attacker has extracted a large amount of data from a container that holds blob storage.
-Applies to: Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2
-
-**[MITRE tactics](#mitre-attck-tactics)**: Exfiltration
-
-**Severity**: High/Low
-
-### **Unusual application accessed a storage account**
-
-(Storage.Blob_ApplicationAnomaly
-Storage.Files_ApplicationAnomaly)
-
-**Description**: Indicates that an unusual application has accessed this storage account. A potential cause is that an attacker has accessed your storage account by using a new application.
-Applies to: Azure Blob Storage, Azure Files
-
-**[MITRE tactics](#mitre-attck-tactics)**: Execution
-
-**Severity**: High/Medium
-
-### **Unusual data exploration in a storage account**
-
-(Storage.Blob_DataExplorationAnomaly
-Storage.Files_DataExplorationAnomaly)
-
-**Description**: Indicates that blobs or containers in a storage account have been enumerated in an abnormal way, compared to recent activity on this account. A potential cause is that an attacker has performed reconnaissance for a future attack.
-Applies to: Azure Blob Storage, Azure Files
-
-**[MITRE tactics](#mitre-attck-tactics)**: Execution
-
-**Severity**: High/Medium
-
-### **Unusual deletion in a storage account**
-
-(Storage.Blob_DeletionAnomaly
-Storage.Files_DeletionAnomaly)
-
-**Description**: Indicates that one or more unexpected delete operations has occurred in a storage account, compared to recent activity on this account. A potential cause is that an attacker has deleted data from your storage account.
-Applies to: Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2
-
-**[MITRE tactics](#mitre-attck-tactics)**: Exfiltration
-
-**Severity**: High/Medium
-
-### **Unusual unauthenticated public access to a sensitive blob container (Preview)**
-
-Storage.Blob_AnonymousAccessAnomaly.Sensitive
-
-**Description**: The alert indicates that someone accessed a blob container with sensitive data in the storage account without authentication, using an external (public) IP address. This access is suspicious since the blob container is open to public access and is typically only accessed with authentication from internal networks (private IP addresses). This access could indicate that the blob container's access level is misconfigured, and a malicious actor might have exploited the public access. The security alert includes the discovered sensitive information context (scanning time, classification label, information types, and file types). Learn more on sensitive data threat detection.
- Applies to: Azure Blob (Standard general-purpose v2, Azure Data Lake Storage Gen2, or premium block blobs) storage accounts with the new Defender for Storage plan with the data sensitivity threat detection feature enabled.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Initial Access
-
-**Severity**: High
-
-### **Unusual amount of data extracted from a sensitive blob container (Preview)**
-
-Storage.Blob_DataExfiltration.AmountOfDataAnomaly.Sensitive
-
-**Description**: The alert indicates that someone has extracted an unusually large amount of data from a blob container with sensitive data in the storage account. Applies to: Azure Blob (Standard general-purpose v2, Azure Data Lake Storage Gen2, or premium block blobs) storage accounts with the new Defender for Storage plan with the data sensitivity threat detection feature enabled.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Exfiltration
-
-**Severity**: Medium
-
-### **Unusual number of blobs extracted from a sensitive blob container (Preview)**
-
-Storage.Blob_DataExfiltration.NumberOfBlobsAnomaly.Sensitive
-
-**Description**: The alert indicates that someone has extracted an unusually large number of blobs from a blob container with sensitive data in the storage account. Applies to: Azure Blob (Standard general-purpose v2, Azure Data Lake Storage Gen2 or premium block blobs) storage accounts with the new Defender for Storage plan with the data sensitivity threat detection feature enabled.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Exfiltration
-
-### **Access from a known suspicious application to a sensitive blob container (Preview)**
-
-Storage.Blob_SuspiciousApp.Sensitive
-
-**Description**: The alert indicates that someone with a known suspicious application accessed a blob container with sensitive data in the storage account and performed authenticated operations.
-The access might indicate that a threat actor obtained credentials to access the storage account by using a known suspicious application. However, the access could also indicate a penetration test carried out in the organization.
-Applies to: Azure Blob (Standard general-purpose v2, Azure Data Lake Storage Gen2 or premium block blobs) storage accounts with the new Defender for Storage plan with the data sensitivity threat detection feature enabled.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Initial Access
-
-**Severity**: High
-
-### **Access from a known suspicious IP address to a sensitive blob container (Preview)**
-
-Storage.Blob_SuspiciousIp.Sensitive
-
-**Description**: The alert indicates that someone accessed a blob container with sensitive data in the storage account from a known suspicious IP address associated with threat intel by Microsoft Threat Intelligence. Since the access was authenticated, it's possible that the credentials allowing access to this storage account were compromised.
-Learn more about [Microsoft's threat intelligence capabilities](https://go.microsoft.com/fwlink/?linkid=2128684).
-Applies to: Azure Blob (Standard general-purpose v2, Azure Data Lake Storage Gen2, or premium block blobs) storage accounts with the new Defender for Storage plan with the data sensitivity threat detection feature enabled.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Pre-Attack
-
-**Severity**: High
-
-### **Access from a Tor exit node to a sensitive blob container (Preview)**
-
-Storage.Blob_TorAnomaly.Sensitive
-
-**Description**: The alert indicates that someone with an IP address known to be a Tor exit node accessed a blob container with sensitive data in the storage account with authenticated access. Authenticated access from a Tor exit node strongly indicates that the actor is attempting to remain anonymous for possible malicious intent. Since the access was authenticated, it's possible that the credentials allowing access to this storage account were compromised.
-Applies to: Azure Blob (Standard general-purpose v2, Azure Data Lake Storage Gen2, or premium block blobs) storage accounts with the new Defender for Storage plan with the data sensitivity threat detection feature enabled.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Pre-Attack
-
-**Severity**: High
-
-### **Access from an unusual location to a sensitive blob container (Preview)**
-
-Storage.Blob_GeoAnomaly.Sensitive
-
-**Description**: The alert indicates that someone has accessed blob container with sensitive data in the storage account with authentication from an unusual location. Since the access was authenticated, it's possible that the credentials allowing access to this storage account were compromised.
-Applies to: Azure Blob (Standard general-purpose v2, Azure Data Lake Storage Gen2, or premium block blobs) storage accounts with the new Defender for Storage plan with the data sensitivity threat detection feature enabled.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Initial Access
-
-**Severity**: Medium
-
-### **The access level of a sensitive storage blob container was changed to allow unauthenticated public access (Preview)**
-
-Storage.Blob_OpenACL.Sensitive
-
-**Description**: The alert indicates that someone has changed the access level of a blob container in the storage account, which contains sensitive data, to the 'Container' level, which allows unauthenticated (anonymous) public access. The change was made through the Azure portal.
-The access level change might compromise the security of the data. We recommend taking immediate action to secure the data and prevent unauthorized access in case this alert is triggered.
-Applies to: Azure Blob (Standard general-purpose v2, Azure Data Lake Storage Gen2, or premium block blobs) storage accounts with the new Defender for Storage plan with the data sensitivity threat detection feature enabled.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Collection
-
-**Severity**: High
-
-### **Suspicious external access to an Azure storage account with overly permissive SAS token (Preview)**
-
-Storage.Blob_AccountSas.InternalSasUsedExternally
-
-**Description**: The alert indicates that someone with an external (public) IP address accessed the storage account using an overly permissive SAS token with a long expiration date. This type of access is considered suspicious because the SAS token is typically only used in internal networks (from private IP addresses).
-The activity might indicate that a SAS token has been leaked by a malicious actor or leaked unintentionally from a legitimate source.
-Even if the access is legitimate, using a high-permission SAS token with a long expiration date goes against security best practices and poses a potential security risk.
-Applies to: Azure Blob (Standard general-purpose v2, Azure Data Lake Storage Gen2, or premium block blobs) storage accounts with the new Defender for Storage plan.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Exfiltration / Resource Development / Impact
-
-**Severity**: Medium
-
-### **Suspicious external operation to an Azure storage account with overly permissive SAS token (Preview)**
-
-Storage.Blob_AccountSas.UnusualOperationFromExternalIp
-
-**Description**: The alert indicates that someone with an external (public) IP address accessed the storage account using an overly permissive SAS token with a long expiration date. The access is considered suspicious because operations invoked outside your network (not from private IP addresses) with this SAS token are typically used for a specific set of Read/Write/Delete operations, but other operations occurred, which makes this access suspicious.
-This activity might indicate that a SAS token has been leaked by a malicious actor or leaked unintentionally from a legitimate source.
-Even if the access is legitimate, using a high-permission SAS token with a long expiration date goes against security best practices and poses a potential security risk.
-Applies to: Azure Blob (Standard general-purpose v2, Azure Data Lake Storage Gen2, or premium block blobs) storage accounts with the new Defender for Storage plan.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Exfiltration / Resource Development / Impact
-
-**Severity**: Medium
-
-### **Unusual SAS token was used to access an Azure storage account from a public IP address (Preview)**
-
-Storage.Blob_AccountSas.UnusualExternalAccess
-
-**Description**: The alert indicates that someone with an external (public) IP address has accessed the storage account using an account SAS token. The access is highly unusual and considered suspicious, as access to the storage account using SAS tokens typically comes only from internal (private) IP addresses.
-It's possible that a SAS token was leaked or generated by a malicious actor either from within your organization or externally to gain access to this storage account.
-Applies to: Azure Blob (Standard general-purpose v2, Azure Data Lake Storage Gen2, or premium block blobs) storage accounts with the new Defender for Storage plan.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Exfiltration / Resource Development / Impact
-
-**Severity**: Low
-
-### **Malicious file uploaded to storage account**
-
-Storage.Blob_AM.MalwareFound
-
-**Description**: The alert indicates that a malicious blob was uploaded to a storage account. This security alert is generated by the Malware Scanning feature in Defender for Storage.
-Potential causes might include an intentional upload of malware by a threat actor or an unintentional upload of a malicious file by a legitimate user.
-Applies to: Azure Blob (Standard general-purpose v2, Azure Data Lake Storage Gen2, or premium block blobs) storage accounts with the new Defender for Storage plan with the Malware Scanning feature enabled.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Lateral Movement
-
-**Severity**: High
-
-### **Malicious blob was downloaded from a storage account (Preview)**
-
-Storage.Blob_MalwareDownload
-
-**Description**: The alert indicates that a malicious blob was downloaded from a storage account. Potential causes might include malware that was uploaded to the storage account and not removed or quarantined, thereby enabling a threat actor to download it, or an unintentional download of the malware by legitimate users or applications.
-Applies to: Azure Blob (Standard general-purpose v2, Azure Data Lake Storage Gen2 or premium block blobs) storage accounts with the new Defender for Storage plan with the Malware Scanning feature enabled.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Lateral Movement
-
-**Severity**: High, if Eicar - low
-
-## Alerts for Azure Cosmos DB
-
-[Further details and notes](concept-defender-for-cosmos.md)
-
-### **Access from a Tor exit node**
-
- (CosmosDB_TorAnomaly)
-
-**Description**: This Azure Cosmos DB account was successfully accessed from an IP address known to be an active exit node of Tor, an anonymizing proxy. Authenticated access from a Tor exit node is a likely indication that a threat actor is trying to hide their identity.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Initial Access
-
-**Severity**: High/Medium
-
-### **Access from a suspicious IP**
-
-(CosmosDB_SuspiciousIp)
-
-**Description**: This Azure Cosmos DB account was successfully accessed from an IP address that was identified as a threat by Microsoft Threat Intelligence.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Initial Access
-
-**Severity**: Medium
-
-### **Access from an unusual location**
-
-(CosmosDB_GeoAnomaly)
-
-**Description**: This Azure Cosmos DB account was accessed from a location considered unfamiliar, based on the usual access pattern.
-
- Either a threat actor has gained access to the account, or a legitimate user has connected from a new or unusual geographic location
-
-**[MITRE tactics](#mitre-attck-tactics)**: Initial Access
-
-**Severity**: Low
-
-### **Unusual volume of data extracted**
-
-(CosmosDB_DataExfiltrationAnomaly)
-
-**Description**: An unusually large volume of data has been extracted from this Azure Cosmos DB account. This might indicate that a threat actor exfiltrated data.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Exfiltration
-
-**Severity**: Medium
-
-### **Extraction of Azure Cosmos DB accounts keys via a potentially malicious script**
-
-(CosmosDB_SuspiciousListKeys.MaliciousScript)
-
-**Description**: A PowerShell script was run in your subscription and performed a suspicious pattern of key-listing operations to get the keys of Azure Cosmos DB accounts in your subscription. Threat actors use automated scripts, like Microburst, to list keys and find Azure Cosmos DB accounts they can access.
-
- This operation might indicate that an identity in your organization was breached, and that the threat actor is trying to compromise Azure Cosmos DB accounts in your environment for malicious intentions.
-
- Alternatively, a malicious insider could be trying to access sensitive data and perform lateral movement.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Collection
-
-**Severity**: Medium
-
-### **Suspicious extraction of Azure Cosmos DB account keys** (AzureCosmosDB_SuspiciousListKeys.SuspiciousPrincipal)
-
-**Description**: A suspicious source extracted Azure Cosmos DB account access keys from your subscription. If this source is not a legitimate source, this might be a high impact issue. The access key that was extracted provides full control over the associated databases and the data stored within. See the details of each specific alert to understand why the source was flagged as suspicious.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Credential Access
-
-**Severity**: high
-
-### **SQL injection: potential data exfiltration**
-
-(CosmosDB_SqlInjection.DataExfiltration)
-
-**Description**: A suspicious SQL statement was used to query a container in this Azure Cosmos DB account.
-
- The injected statement might have succeeded in exfiltrating data that the threat actor isn't authorized to access.
-
- Due to the structure and capabilities of Azure Cosmos DB queries, many known SQL injection attacks on Azure Cosmos DB accounts can't work. However, the variation used in this attack might work and threat actors can exfiltrate data.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Exfiltration
-
-**Severity**: Medium
-
-### **SQL injection: fuzzing attempt**
-
-(CosmosDB_SqlInjection.FailedFuzzingAttempt)
-
-**Description**: A suspicious SQL statement was used to query a container in this Azure Cosmos DB account.
-
- Like other well-known SQL injection attacks, this attack won't succeed in compromising the Azure Cosmos DB account.
-
- Nevertheless, it's an indication that a threat actor is trying to attack the resources in this account, and your application might be compromised.
-
- Some SQL injection attacks can succeed and be used to exfiltrate data. This means that if the attacker continues performing SQL injection attempts, they might be able to compromise your Azure Cosmos DB account and exfiltrate data.
-
- You can prevent this threat by using parameterized queries.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Pre-attack
-
-**Severity**: Low
-
-## Alerts for Azure network layer
-
-[Further details and notes](other-threat-protections.md#network-layer)
-
-### **Network communication with a malicious machine detected**
-
-(Network_CommunicationWithC2)
-
-**Description**: Network traffic analysis indicates that your machine (IP %{Victim IP}) has communicated with what is possibly a Command and Control center. When the compromised resource is a load balancer or an application gateway, the suspected activity might indicate that one or more of the resources in the backend pool (of the load balancer or application gateway) has communicated with what is possibly a Command and Control center.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Command and Control
-
-**Severity**: Medium
-
-### **Possible compromised machine detected**
-
-(Network_ResourceIpIndicatedAsMalicious)
-
-**Description**: Threat intelligence indicates that your machine (at IP %{Machine IP}) might have been compromised by a malware of type Conficker. Conficker was a computer worm that targets the Microsoft Windows operating system and was first detected in November 2008. Conficker infected millions of computers including government, business and home computers in over 200 countries/regions, making it the largest known computer worm infection since the 2003 Welchia worm.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Command and Control
-
-**Severity**: Medium
-
-### **Possible incoming %{Service Name} brute force attempts detected**
-
-(Generic_Incoming_BF_OneToOne)
-
-**Description**: Network traffic analysis detected incoming %{Service Name} communication to %{Victim IP}, associated with your resource %{Compromised Host} from %{Attacker IP}. When the compromised resource is a load balancer or an application gateway, the suspected incoming traffic has been forwarded to one or more of the resources in the backend pool (of the load balancer or application gateway). Specifically, sampled network data shows suspicious activity between %{Start Time} and %{End Time} on port %{Victim Port}. This activity is consistent with brute force attempts against %{Service Name} servers.
-
-**[MITRE tactics](#mitre-attck-tactics)**: PreAttack
-
-**Severity**: Informational
-
-### **Possible incoming SQL brute force attempts detected**
-
-(SQL_Incoming_BF_OneToOne)
-
-**Description**: Network traffic analysis detected incoming SQL communication to %{Victim IP}, associated with your resource %{Compromised Host}, from %{Attacker IP}. When the compromised resource is a load balancer or an application gateway, the suspected incoming traffic has been forwarded to one or more of the resources in the backend pool (of the load balancer or application gateway). Specifically, sampled network data shows suspicious activity between %{Start Time} and %{End Time} on port %{Port Number} (%{SQL Service Type}). This activity is consistent with brute force attempts against SQL servers.
-
-**[MITRE tactics](#mitre-attck-tactics)**: PreAttack
-
-**Severity**: Medium
-
-### **Possible outgoing denial-of-service attack detected**
-
-(DDOS)
-
-**Description**: Network traffic analysis detected anomalous outgoing activity originating from %{Compromised Host}, a resource in your deployment. This activity might indicate that your resource was compromised and is now engaged in denial-of-service attacks against external endpoints. When the compromised resource is a load balancer or an application gateway, the suspected activity might indicate that one or more of the resources in the backend pool (of the load balancer or application gateway) was compromised. Based on the volume of connections, we believe that the following IPs are possibly the targets of the DOS attack: %{Possible Victims}. Note that it is possible that the communication to some of these IPs is legitimate.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Impact
-
-**Severity**: Medium
-
-### **Suspicious incoming RDP network activity from multiple sources**
-
-(RDP_Incoming_BF_ManyToOne)
-
-**Description**: Network traffic analysis detected anomalous incoming Remote Desktop Protocol (RDP) communication to %{Victim IP}, associated with your resource %{Compromised Host}, from multiple sources. When the compromised resource is a load balancer or an application gateway, the suspected incoming traffic has been forwarded to one or more of the resources in the backend pool (of the load balancer or application gateway). Specifically, sampled network data shows %{Number of Attacking IPs} unique IPs connecting to your resource, which is considered abnormal for this environment. This activity might indicate an attempt to brute force your RDP end point from multiple hosts (Botnet).
-
-**[MITRE tactics](#mitre-attck-tactics)**: PreAttack
-
-**Severity**: Medium
-
-### **Suspicious incoming RDP network activity**
-
-(RDP_Incoming_BF_OneToOne)
-
-**Description**: Network traffic analysis detected anomalous incoming Remote Desktop Protocol (RDP) communication to %{Victim IP}, associated with your resource %{Compromised Host}, from %{Attacker IP}. When the compromised resource is a load balancer or an application gateway, the suspected incoming traffic has been forwarded to one or more of the resources in the backend pool (of the load balancer or application gateway). Specifically, sampled network data shows %{Number of Connections} incoming connections to your resource, which is considered abnormal for this environment. This activity might indicate an attempt to brute force your RDP end point
-
-**[MITRE tactics](#mitre-attck-tactics)**: PreAttack
-
-**Severity**: Medium
-
-### **Suspicious incoming SSH network activity from multiple sources**
-
-(SSH_Incoming_BF_ManyToOne)
-
-**Description**: Network traffic analysis detected anomalous incoming SSH communication to %{Victim IP}, associated with your resource %{Compromised Host}, from multiple sources. When the compromised resource is a load balancer or an application gateway, the suspected incoming traffic has been forwarded to one or more of the resources in the backend pool (of the load balancer or application gateway). Specifically, sampled network data shows %{Number of Attacking IPs} unique IPs connecting to your resource, which is considered abnormal for this environment. This activity might indicate an attempt to brute force your SSH end point from multiple hosts (Botnet)
-
-**[MITRE tactics](#mitre-attck-tactics)**: PreAttack
-
-**Severity**: Medium
-
-### **Suspicious incoming SSH network activity**
-
-(SSH_Incoming_BF_OneToOne)
-
-**Description**: Network traffic analysis detected anomalous incoming SSH communication to %{Victim IP}, associated with your resource %{Compromised Host}, from %{Attacker IP}. When the compromised resource is a load balancer or an application gateway, the suspected incoming traffic has been forwarded to one or more of the resources in the backend pool (of the load balancer or application gateway). Specifically, sampled network data shows %{Number of Connections} incoming connections to your resource, which is considered abnormal for this environment. This activity might indicate an attempt to brute force your SSH end point
-
-**[MITRE tactics](#mitre-attck-tactics)**: PreAttack
-
-**Severity**: Medium
-
-### **Suspicious outgoing %{Attacked Protocol} traffic detected**
-
-(PortScanning)
-
-**Description**: Network traffic analysis detected suspicious outgoing traffic from %{Compromised Host} to destination port %{Most Common Port}. When the compromised resource is a load balancer or an application gateway, the suspected outgoing traffic has been originated from to one or more of the resources in the backend pool (of the load balancer or application gateway). This behavior might indicate that your resource is taking part in %{Attacked Protocol} brute force attempts or port sweeping attacks.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Discovery
-
-**Severity**: Medium
-
-### **Suspicious outgoing RDP network activity to multiple destinations**
-
-(RDP_Outgoing_BF_OneToMany)
-
-**Description**: Network traffic analysis detected anomalous outgoing Remote Desktop Protocol (RDP) communication to multiple destinations originating from %{Compromised Host} (%{Attacker IP}), a resource in your deployment. When the compromised resource is a load balancer or an application gateway, the suspected outgoing traffic has been originated from to one or more of the resources in the backend pool (of the load balancer or application gateway). Specifically, sampled network data shows your machine connecting to %{Number of Attacked IPs} unique IPs, which is considered abnormal for this environment. This activity might indicate that your resource was compromised and is now used to brute force external RDP end points. Note that this type of activity could possibly cause your IP to be flagged as malicious by external entities.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Discovery
-
-**Severity**: High
-
-### **Suspicious outgoing RDP network activity**
-
-(RDP_Outgoing_BF_OneToOne)
-
-**Description**: Network traffic analysis detected anomalous outgoing Remote Desktop Protocol (RDP) communication to %{Victim IP} originating from %{Compromised Host} (%{Attacker IP}), a resource in your deployment. When the compromised resource is a load balancer or an application gateway, the suspected outgoing traffic has been originated from to one or more of the resources in the backend pool (of the load balancer or application gateway). Specifically, sampled network data shows %{Number of Connections} outgoing connections from your resource, which is considered abnormal for this environment. This activity might indicate that your machine was compromised and is now used to brute force external RDP end points. Note that this type of activity could possibly cause your IP to be flagged as malicious by external entities.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Lateral Movement
-
-**Severity**: High
-
-### **Suspicious outgoing SSH network activity to multiple destinations**
-
-(SSH_Outgoing_BF_OneToMany)
-
-**Description**: Network traffic analysis detected anomalous outgoing SSH communication to multiple destinations originating from %{Compromised Host} (%{Attacker IP}), a resource in your deployment. When the compromised resource is a load balancer or an application gateway, the suspected outgoing traffic has been originated from to one or more of the resources in the backend pool (of the load balancer or application gateway). Specifically, sampled network data shows your resource connecting to %{Number of Attacked IPs} unique IPs, which is considered abnormal for this environment. This activity might indicate that your resource was compromised and is now used to brute force external SSH end points. Note that this type of activity could possibly cause your IP to be flagged as malicious by external entities.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Discovery
-
-**Severity**: Medium
-
-### **Suspicious outgoing SSH network activity**
-
-(SSH_Outgoing_BF_OneToOne)
-
-**Description**: Network traffic analysis detected anomalous outgoing SSH communication to %{Victim IP} originating from %{Compromised Host} (%{Attacker IP}), a resource in your deployment. When the compromised resource is a load balancer or an application gateway, the suspected outgoing traffic has been originated from to one or more of the resources in the backend pool (of the load balancer or application gateway). Specifically, sampled network data shows %{Number of Connections} outgoing connections from your resource, which is considered abnormal for this environment. This activity might indicate that your resource was compromised and is now used to brute force external SSH end points. Note that this type of activity could possibly cause your IP to be flagged as malicious by external entities.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Lateral Movement
-
-**Severity**: Medium
-
-### **Traffic detected from IP addresses recommended for blocking**
-
-(Network_TrafficFromUnrecommendedIP)
-
-**Description**: Microsoft Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource. Alternatively, the IP address has been flagged as malicious by Defender for Cloud's threat intelligence sources.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Probing
-
-**Severity**: Informational
-
-## Alerts for Azure Key Vault
-
-[Further details and notes](defender-for-key-vault-introduction.md)
-
-### **Access from a suspicious IP address to a key vault**
-
-(KV_SuspiciousIPAccess)
-
-**Description**: A key vault has been successfully accessed by an IP that has been identified by Microsoft Threat Intelligence as a suspicious IP address. This might indicate that your infrastructure has been compromised. We recommend further investigation. Learn more about [Microsoft's threat intelligence capabilities](https://go.microsoft.com/fwlink/?linkid=2128684).
-
-**[MITRE tactics](#mitre-attck-tactics)**: Credential Access
-
-**Severity**: Medium
-
-### **Access from a TOR exit node to a key vault**
-
-(KV_TORAccess)
-
-**Description**: A key vault has been accessed from a known TOR exit node. This could be an indication that a threat actor has accessed the key vault and is using the TOR network to hide their source location. We recommend further investigations.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Credential Access
-
-**Severity**: Medium
-
-### **High volume of operations in a key vault**
-
-(KV_OperationVolumeAnomaly)
-
-**Description**: An anomalous number of key vault operations were performed by a user, service principal, and/or a specific key vault. This anomalous activity pattern might be legitimate, but it could be an indication that a threat actor has gained access to the key vault and the secrets contained within it. We recommend further investigations.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Credential Access
-
-**Severity**: Medium
-
-### **Suspicious policy change and secret query in a key vault**
-
-(KV_PutGetAnomaly)
-
-**Description**: A user or service principal has performed an anomalous Vault Put policy change operation followed by one or more Secret Get operations. This pattern is not normally performed by the specified user or service principal. This might be legitimate activity, but it could be an indication that a threat actor has updated the key vault policy to access previously inaccessible secrets. We recommend further investigations.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Credential Access
-
-**Severity**: Medium
-
-### **Suspicious secret listing and query in a key vault**
-
-(KV_ListGetAnomaly)
-
-**Description**: A user or service principal has performed an anomalous Secret List operation followed by one or more Secret Get operations. This pattern is not normally performed by the specified user or service principal and is typically associated with secret dumping. This might be legitimate activity, but it could be an indication that a threat actor has gained access to the key vault and is trying to discover secrets that can be used to move laterally through your network and/or gain access to sensitive resources. We recommend further investigations.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Credential Access
-
-**Severity**: Medium
-
-### **Unusual access denied - User accessing high volume of key vaults denied**
-
-(KV_AccountVolumeAccessDeniedAnomaly)
-
-**Description**: A user or service principal has attempted access to anomalously high volume of key vaults in the last 24 hours. This anomalous access pattern might be legitimate activity. Though this attempt was unsuccessful, it could be an indication of a possible attempt to gain access of key vault and the secrets contained within it. We recommend further investigations.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Discovery
-
-**Severity**: Low
-
-### **Unusual access denied - Unusual user accessing key vault denied**
-
-(KV_UserAccessDeniedAnomaly)
-
-**Description**: A key vault access was attempted by a user that does not normally access it, this anomalous access pattern might be legitimate activity. Though this attempt was unsuccessful, it could be an indication of a possible attempt to gain access of key vault and the secrets contained within it.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Initial Access, Discovery
-
-**Severity**: Low
-
-### **Unusual application accessed a key vault**
-
-(KV_AppAnomaly)
-
-**Description**: A key vault has been accessed by a service principal that doesn't normally access it. This anomalous access pattern might be legitimate activity, but it could be an indication that a threat actor has gained access to the key vault in an attempt to access the secrets contained within it. We recommend further investigations.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Credential Access
-
-**Severity**: Medium
-
-### **Unusual operation pattern in a key vault**
-
-(KV_OperationPatternAnomaly)
-
-**Description**: An anomalous pattern of key vault operations was performed by a user, service principal, and/or a specific key vault. This anomalous activity pattern might be legitimate, but it could be an indication that a threat actor has gained access to the key vault and the secrets contained within it. We recommend further investigations.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Credential Access
-
-**Severity**: Medium
-
-### **Unusual user accessed a key vault**
-
-(KV_UserAnomaly)
-
-**Description**: A key vault has been accessed by a user that does not normally access it. This anomalous access pattern might be legitimate activity, but it could be an indication that a threat actor has gained access to the key vault in an attempt to access the secrets contained within it. We recommend further investigations.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Credential Access
-
-**Severity**: Medium
-
-### **Unusual user-application pair accessed a key vault**
-
-(KV_UserAppAnomaly)
-
-**Description**: A key vault has been accessed by a user-service principal pair that doesn't normally access it. This anomalous access pattern might be legitimate activity, but it could be an indication that a threat actor has gained access to the key vault in an attempt to access the secrets contained within it. We recommend further investigations.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Credential Access
-
-**Severity**: Medium
-
-### **User accessed high volume of key vaults**
-
-(KV_AccountVolumeAnomaly)
-
-**Description**: A user or service principal has accessed an anomalously high volume of key vaults. This anomalous access pattern might be legitimate activity, but it could be an indication that a threat actor has gained access to multiple key vaults in an attempt to access the secrets contained within them. We recommend further investigations.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Credential Access
-
-**Severity**: Medium
-
-### **Denied access from a suspicious IP to a key vault**
-
-(KV_SuspiciousIPAccessDenied)
-
-**Description**: An unsuccessful key vault access has been attempted by an IP that has been identified by Microsoft Threat Intelligence as a suspicious IP address. Though this attempt was unsuccessful, it indicates that your infrastructure might have been compromised. We recommend further investigations.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Credential Access
-
-**Severity**: Low
-
-### **Unusual access to the key vault from a suspicious IP (Non-Microsoft or External)**
-
-(KV_UnusualAccessSuspiciousIP)
-
-**Description**: A user or service principal has attempted anomalous access to key vaults from a non-Microsoft IP in the last 24 hours. This anomalous access pattern might be legitimate activity. It could be an indication of a possible attempt to gain access of the key vault and the secrets contained within it. We recommend further investigations.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Credential Access
-
-**Severity**: Medium
-
-## Alerts for Azure DDoS Protection
-
-[Further details and notes](other-threat-protections.md#azure-ddos)
-
-### **DDoS Attack detected for Public IP**
-
-(NETWORK_DDOS_DETECTED)
-
-**Description**: DDoS Attack detected for Public IP (IP address) and being mitigated.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Probing
-
-**Severity**: High
-
-### **DDoS Attack mitigated for Public IP**
-
-(NETWORK_DDOS_MITIGATED)
-
-**Description**: DDoS Attack mitigated for Public IP (IP address).
-
-**[MITRE tactics](#mitre-attck-tactics)**: Probing
-
-**Severity**: Low
-
-## Alerts for Defender for APIs
-
-### **Suspicious population-level spike in API traffic to an API endpoint**
-
- (API_PopulationSpikeInAPITraffic)
-
-**Description**: A suspicious spike in API traffic was detected at one of the API endpoints. The detection system used historical traffic patterns to establish a baseline for routine API traffic volume between all IPs and the endpoint, with the baseline being specific to API traffic for each status code (such as 200 Success). The detection system flagged an unusual deviation from this baseline leading to the detection of suspicious activity.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Impact
-
-**Severity**: Medium
-
-### **Suspicious spike in API traffic from a single IP address to an API endpoint**
-
- (API_SpikeInAPITraffic)
-
-**Description**: A suspicious spike in API traffic was detected from a client IP to the API endpoint. The detection system used historical traffic patterns to establish a baseline for routine API traffic volume to the endpoint coming from a specific IP to the endpoint. The detection system flagged an unusual deviation from this baseline leading to the detection of suspicious activity.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Impact
-
-**Severity**: Medium
-
-### **Unusually large response payload transmitted between a single IP address and an API endpoint**
-
- (API_SpikeInPayload)
-
-**Description**: A suspicious spike in API response payload size was observed for traffic between a single IP and one of the API endpoints. Based on historical traffic patterns from the last 30 days, Defender for APIs learns a baseline that represents the typical API response payload size between a specific IP and API endpoint. The learned baseline is specific to API traffic for each status code (for example, 200 Success). The alert was triggered because an API response payload size deviated significantly from the historical baseline.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Initial access
-
-**Severity**: Medium
-
-### **Unusually large request body transmitted between a single IP address and an API endpoint**
-
- (API_SpikeInPayload)
-
-**Description**: A suspicious spike in API request body size was observed for traffic between a single IP and one of the API endpoints. Based on historical traffic patterns from the last 30 days, Defender for APIs learns a baseline that represents the typical API request body size between a specific IP and API endpoint. The learned baseline is specific to API traffic for each status code (for example, 200 Success). The alert was triggered because an API request size deviated significantly from the historical baseline.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Initial access
-
-**Severity**: Medium
-
-### **(Preview) Suspicious spike in latency for traffic between a single IP address and an API endpoint**
-
- (API_SpikeInLatency)
-
-**Description**: A suspicious spike in latency was observed for traffic between a single IP and one of the API endpoints. Based on historical traffic patterns from the last 30 days, Defender for APIs learns a baseline that represents the routine API traffic latency between a specific IP and API endpoint. The learned baseline is specific to API traffic for each status code (for example, 200 Success). The alert was triggered because an API call latency deviated significantly from the historical baseline.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Initial access
-
-**Severity**: Medium
-
-### **API requests spray from a single IP address to an unusually large number of distinct API endpoints**
-
-(API_SprayInRequests)
-
-**Description**: A single IP was observed making API calls to an unusually large number of distinct endpoints. Based on historical traffic patterns from the last 30 days, Defenders for APIs learns a baseline that represents the typical number of distinct endpoints called by a single IP across 20-minute windows. The alert was triggered because a single IP's behavior deviated significantly from the historical baseline.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Discovery
-
-**Severity**: Medium
-
-### **Parameter enumeration on an API endpoint**
-
- (API_ParameterEnumeration)
-
-**Description**: A single IP was observed enumerating parameters when accessing one of the API endpoints. Based on historical traffic patterns from the last 30 days, Defender for APIs learns a baseline that represents the typical number of distinct parameter values used by a single IP when accessing this endpoint across 20-minute windows. The alert was triggered because a single client IP recently accessed an endpoint using an unusually large number of distinct parameter values.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Initial access
-
-**Severity**: Medium
-
-### **Distributed parameter enumeration on an API endpoint**
-
- (API_DistributedParameterEnumeration)
-
-**Description**: The aggregate user population (all IPs) was observed enumerating parameters when accessing one of the API endpoints. Based on historical traffic patterns from the last 30 days, Defender for APIs learns a baseline that represents the typical number of distinct parameter values used by the user population (all IPs) when accessing an endpoint across 20-minute windows. The alert was triggered because the user population recently accessed an endpoint using an unusually large number of distinct parameter values.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Initial access
-
-**Severity**: Medium
-
-### **Parameter value(s) with anomalous data types in an API call**
-
- (API_UnseenParamType)
-
-**Description**: A single IP was observed accessing one of your API endpoints and using parameter values of a low probability data type (for example, string, integer, etc.). Based on historical traffic patterns from the last 30 days, Defender for APIs learns the expected data types for each API parameter. The alert was triggered because an IP recently accessed an endpoint using a previously low probability data type as a parameter input.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Impact
-
-**Severity**: Medium
-
-### **Previously unseen parameter used in an API call**
-
- (API_UnseenParam)
-
-**Description**: A single IP was observed accessing one of the API endpoints using a previously unseen or out-of-bounds parameter in the request. Based on historical traffic patterns from the last 30 days, Defender for APIs learns a set of expected parameters associated with calls to an endpoint. The alert was triggered because an IP recently accessed an endpoint using a previously unseen parameter.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Impact
-
-**Severity**: Medium
-
-### **Access from a Tor exit node to an API endpoint**
-
- (API_AccessFromTorExitNode)
-
-**Description**: An IP address from the Tor network accessed one of your API endpoints. Tor is a network that allows people to access the Internet while keeping their real IP hidden. Though there are legitimate uses, it is frequently used by attackers to hide their identity when they target people's systems online.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Pre-attack
-
-**Severity**: Medium
-
-### **API Endpoint access from suspicious IP**
-
- (API_AccessFromSuspiciousIP)
-
-**Description**: An IP address accessing one of your API endpoints was identified by Microsoft Threat Intelligence as having a high probability of being a threat. While observing malicious Internet traffic, this IP came up as involved in attacking other online targets.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Pre-attack
-
-**Severity**: High
-
-### **Suspicious User Agent detected**
-
- (API_AccessFromSuspiciousUserAgent)
-
-**Description**: The user agent of a request accessing one of your API endpoints contained anomalous values indicative of an attempt at remote code execution. This does not mean that any of your API endpoints have been breached, but it does suggest that an attempted attack is underway.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Execution
-
-**Severity**: Medium
-
-## Alerts for AI workloads
-
-### Detected credential theft attempts on an Azure OpenAI model deployment
-
-(AI.Azure_CredentialTheftAttempt)
-
-**Description**: The credential theft alert is designed to notify the SOC when credentials are detected within GenAI model responses to a user prompt, indicating a potential breach. This alert is crucial for detecting cases of credential leak or theft, which are unique to generative AI and can have severe consequences if successful.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Credential Access, Lateral Movement, Exfiltration
-
-**Severity**: Medium
-
-### A Jailbreak attempt on an Azure OpenAI model deployment was blocked by Azure AI Content Safety Prompt Shields
-
-(AI.Azure_Jailbreak.ContentFiltering.BlockedAttempt)
-
-**Description**: The Jailbreak alert, carried out using a direct prompt injection technique, is designed to notify the SOC there was an attempt to manipulate the system prompt to bypass the generative AIΓÇÖs safeguards, potentially accessing sensitive data or privileged functions. It indicated that such attempts were blocked by Azure Responsible AI Content Safety (AKA Prompt Shields), ensuring the integrity of the AI resources and the data security.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Privilege Escalation, Defense Evasion
-
-**Severity**: Medium
-
-### A Jailbreak attempt on an Azure OpenAI model deployment was detected by Azure AI Content Safety Prompt Shields
-
-(AI.Azure_Jailbreak.ContentFiltering.DetectedAttempt)
-
-**Description**: The Jailbreak alert, carried out using a direct prompt injection technique, is designed to notify the SOC there was an attempt to manipulate the system prompt to bypass the generative AIΓÇÖs safeguards, potentially accessing sensitive data or privileged functions. It indicated that such attempts were detected by Azure Responsible AI Content Safety (AKA Prompt Shields), but were not blocked due to content filtering settings or due to low confidence.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Privilege Escalation, Defense Evasion
-
-**Severity**: Medium
-
-### Sensitive Data Exposure Detected in Azure OpenAI Model Deployment
-
-(AI.Azure_DataLeakInModelResponse.Sensitive)
-
-**Description**: The sensitive data leakage alert is designed to notify the SOC that a GenAI model responded to a user prompt with sensitive information, potentially due to a malicious user attempting to bypass the generative AIΓÇÖs safeguards to access unauthorized sensitive data.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Collection
-
-**Severity**: Medium
-
-## Deprecated Defender for Containers alerts
-
-The following lists include the Defender for Containers security alerts which were deprecated.
-
-### **Manipulation of host firewall detected**
-
-(K8S.NODE_FirewallDisabled)
-
-**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected a possible manipulation of the on-host firewall. Attackers will often disable this to exfiltrate data.
-
-**[MITRE tactics](#mitre-attck-tactics)**: DefenseEvasion, Exfiltration
-
-**Severity**: Medium
-
-### **Suspicious use of DNS over HTTPS**
-
-(K8S.NODE_SuspiciousDNSOverHttps)
-
-**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected the use of a DNS call over HTTPS in an uncommon fashion. This technique is used by attackers to hide calls out to suspect or malicious sites.
-
-**[MITRE tactics](#mitre-attck-tactics)**: DefenseEvasion, Exfiltration
-
-**Severity**: Medium
-
-### **A possible connection to malicious location has been detected.**
-
-(K8S.NODE_ThreatIntelCommandLineSuspectDomain)
-
-**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected a connection to a location that has been reported to be malicious or unusual. This is an indicator that a compromise might have occurred.
-
-**[MITRE tactics](#mitre-attck-tactics)**: InitialAccess
-
-**Severity**: Medium
-
-### **Digital currency mining activity**
-
-(K8S.NODE_CurrencyMining)
-
-**Description**: Analysis of DNS transactions detected digital currency mining activity. Such activity, while possibly legitimate user behavior, is frequently performed by attackers following compromise of resources. Typical related attacker activity is likely to include the download and execution of common mining tools.
-
-**[MITRE tactics](#mitre-attck-tactics)**: Exfiltration
-
-**Severity**: Low
-
-## Deprecated Defender for Servers Linux alerts
-
-### VM_AbnormalDaemonTermination
-
-**Alert Display Name**: Abnormal Termination
-
-**Severity**: Low
-
-### VM_BinaryGeneratedFromCommandLine
-
-**Alert Display Name**: Suspicious binary detected
-
-**Severity**: Medium
-
-### VM_CommandlineSuspectDomain Suspicious
-
-**Alert Display Name**: domain name reference
-
-**Severity**: Low
-
-### VM_CommonBot
-
-**Alert Display Name**: Behavior similar to common Linux bots detected
-
-**Severity**: Medium
-
-### VM_CompCommonBots
-
-**Alert Display Name**: Commands similar to common Linux bots detected
-
-**Severity**: Medium
-
-### VM_CompSuspiciousScript
-
-**Alert Display Name**: Shell Script Detected
-
-**Severity**: Medium
-
-### VM_CompTestRule
-
-**Alert Display Name**: Composite Analytic Test Alert
-
-**Severity**: Low
-
-### VM_CronJobAccess
-
-**Alert Display Name**: Manipulation of scheduled tasks detected
-
-**Severity**: Informational
-
-### VM_CryptoCoinMinerArtifacts
-
-**Alert Display Name**: Process associated with digital currency mining detected
-
-**Severity**: Medium
-
-### VM_CryptoCoinMinerDownload
-
-**Alert Display Name**: Possible Cryptocoinminer download detected
-
-**Severity**: Medium
-
-### VM_CryptoCoinMinerExecution
-
-**Alert Display Name**: Potential crypto coin miner started
-
-**Severity**: Medium
-
-### VM_DataEgressArtifacts
-
-**Alert Display Name**: Possible data exfiltration detected
-
-**Severity**: Medium
-
-### VM_DigitalCurrencyMining
-
-**Alert Display Name**: Digital currency mining related behavior detected
-
-**Severity**: High
-
-### VM_DownloadAndRunCombo
-
-**Alert Display Name**: Suspicious Download Then Run Activity
-
-**Severity**: Medium
-
-### VM_EICAR
-
-**Alert Display Name**: Microsoft Defender for Cloud test alert (not a threat)
-
-**Severity**: High
-
-### VM_ExecuteHiddenFile
-
-**Alert Display Name**: Execution of hidden file
-
-**Severity**: Informational
-
-### VM_ExploitAttempt
-
-**Alert Display Name**: Possible command line exploitation attempt
-
-**Severity**: Medium
-
-### VM_ExposedDocker
-
-**Alert Display Name**: Exposed Docker daemon on TCP socket
-
-**Severity**: Medium
-
-### VM_FairwareMalware
-
-**Alert Display Name**: Behavior similar to Fairware ransomware detected
-
-**Severity**: Medium
-
-### VM_FirewallDisabled
-
-**Alert Display Name**: Manipulation of host firewall detected
-
-**Severity**: Medium
-
-### VM_HadoopYarnExploit
-
-**Alert Display Name**: Possible exploitation of Hadoop Yarn
-
-**Severity**: Medium
-
-### VM_HistoryFileCleared
-
-**Alert Display Name**: A history file has been cleared
-
-**Severity**: Medium
-
-### VM_KnownLinuxAttackTool
-
-**Alert Display Name**: Possible attack tool detected
-
-**Severity**: Medium
-
-### VM_KnownLinuxCredentialAccessTool
-
-**Alert Display Name**: Possible credential access tool detected
-
-**Severity**: Medium
-
-### VM_KnownLinuxDDoSToolkit
-
-**Alert Display Name**: Indicators associated with DDOS toolkit detected
-
-**Severity**: Medium
-
-### VM_KnownLinuxScreenshotTool
-
-**Alert Display Name**: Screenshot taken on host
-
-**Severity**: Low
-
-### VM_LinuxBackdoorArtifact
-
-**Alert Display Name**: Possible backdoor detected
-
-**Severity**: Medium
-
-### VM_LinuxReconnaissance
-
-**Alert Display Name**: Local host reconnaissance detected
-
-**Severity**: Medium
-
-### VM_MismatchedScriptFeatures
-
-**Alert Display Name**: Script extension mismatch detected
-
-**Severity**: Medium
-
-### VM_MitreCalderaTools
-
-**Alert Display Name**: MITRE Caldera agent detected
-
-**Severity**: Medium
-
-### VM_NewSingleUserModeStartupScript
-
-**Alert Display Name**: Detected Persistence Attempt
-
-**Severity**: Medium
-
-### VM_NewSudoerAccount
-
-**Alert Display Name**: Account added to sudo group
-
-**Severity**: Low
-
-### VM_OverridingCommonFiles
-
-**Alert Display Name**: Potential overriding of common files
-
-**Severity**: Medium
-
-### VM_PrivilegedContainerArtifacts
-
-**Alert Display Name**: Container running in privileged mode
-
-**Severity**: Low
-
-### VM_PrivilegedExecutionInContainer
-
-**Alert Display Name**: Command within a container running with high privileges
-
-**Severity**: Low
-
-### VM_ReadingHistoryFile
-
-**Alert Display Name**: Unusual access to bash history file
-
-**Severity**: Informational
-
-### VM_ReverseShell
-
-**Alert Display Name**: Potential reverse shell detected
-
-**Severity**: Medium
-
-### VM_SshKeyAccess
-
-**Alert Display Name**: Process seen accessing the SSH authorized keys file in an unusual way
-
-**Severity**: Low
-
-### VM_SshKeyAddition
-
-**Alert Display Name**: New SSH key added
-
-**Severity**: Low
-
-### VM_SuspectCompilation
-
-**Alert Display Name**: Suspicious compilation detected
-
-**Severity**: Medium
-
-### VM_SuspectConnection
-
-**Alert Display Name**: An uncommon connection attempt detected
-
-**Severity**: Medium
-
-### VM_SuspectDownload
-
-**Alert Display Name**: Detected file download from a known malicious source
-
-**Severity**: Medium
-
-### VM_SuspectDownloadArtifacts
-
-**Alert Display Name**: Detected suspicious file download
-
-**Severity**: Low
-
-### VM_SuspectExecutablePath
-
-**Alert Display Name**: Executable found running from a suspicious location
-
-**Severity**: Medium
-
-### VM_SuspectHtaccessFileAccess
-
-**Alert Display Name**: Access of htaccess file detected
-
-**Severity**: Medium
-
-### VM_SuspectInitialShellCommand
-
-**Alert Display Name**: Suspicious first command in shell
-
-**Severity**: Low
-
-### VM_SuspectMixedCaseText
-
-**Alert Display Name**: Detected anomalous mix of uppercase and lowercase characters in command line
-
-**Severity**: Medium
-
-### VM_SuspectNetworkConnection
-
-**Alert Display Name**: Suspicious network connection
-
-**Severity**: Informational
-
-### VM_SuspectNohup
-
-**Alert Display Name**: Detected suspicious use of the nohup command
-
-**Severity**: Medium
-
-### VM_SuspectPasswordChange
-
-**Alert Display Name**: Possible password change using crypt-method detected
-
-**Severity**: Medium
-
-### VM_SuspectPasswordFileAccess
-
-**Alert Display Name**: Suspicious password access
-
-**Severity**: Informational
-
-### VM_SuspectPhp
-
-**Alert Display Name**: Suspicious PHP execution detected
-
-**Severity**: Medium
-
-### VM_SuspectPortForwarding
-
-**Alert Display Name**: Potential port forwarding to external IP address
-
-**Severity**: Medium
-
-### VM_SuspectProcessAccountPrivilegeCombo
-
-**Alert Display Name**: Process running in a service account became root unexpectedly
-
-**Severity**: Medium
-
-### VM_SuspectProcessTermination
-
-**Alert Display Name**: Security-related process termination detected
-
-**Severity**: Low
-
-### VM_SuspectUserAddition
-
-**Alert Display Name**: Detected suspicious use of the useradd command
-
-**Severity**: Medium
-
-### VM_SuspiciousCommandLineExecution
-
-**Alert Display Name**: Suspicious command execution
-
-**Severity**: High
-
-### VM_SuspiciousDNSOverHttps
-
-**Alert Display Name**: Suspicious use of DNS over HTTPS
-
-**Severity**: Medium
-
-### VM_SystemLogRemoval
-
-**Alert Display Name**: Possible Log Tampering Activity Detected
-
-**Severity**: Medium
-
-### VM_ThreatIntelCommandLineSuspectDomain
-
-**Alert Display Name**: A possible connection to malicious location has been detected
-
-**Severity**: Medium
-
-### VM_ThreatIntelSuspectLogon
-
-**Alert Display Name**: A logon from a malicious IP has been detected
-
-**Severity**: High
-
-### VM_TimerServiceDisabled
-
-**Alert Display Name**: Attempt to stop apt-daily-upgrade.timer service detected
-
-**Severity**: Informational
-
-### VM_TimestampTampering
-
-**Alert Display Name**: Suspicious file timestamp modification
-
-**Severity**: Low
-
-### VM_Webshell
-
-**Alert Display Name**: Possible malicious web shell detected
-
-**Severity**: Medium
-
-## Deprecated Defender for Servers Windows alerts
-
-### SCUBA_MULTIPLEACCOUNTCREATE
-
-**Alert Display Name**: Suspicious creation of accounts on multiple hosts
-
-**Severity**: Medium
-
-### SCUBA_PSINSIGHT_CONTEXT
-
-**Alert Display Name**: Suspicious use of PowerShell detected
-
-**Severity**: Informational
-
-### SCUBA_RULE_AddGuestToAdministrators
-
-**Alert Display Name**: Addition of Guest account to Local Administrators group
-
-**Severity**: Medium
-
-### SCUBA_RULE_Apache_Tomcat_executing_suspicious_commands
-
-**Alert Display Name**: Apache_Tomcat_executing_suspicious_commands
-
-**Severity**: Medium
-
-### SCUBA_RULE_KnownBruteForcingTools
-
-**Alert Display Name**: Suspicious process executed
-
-**Severity**: High
-
-### SCUBA_RULE_KnownCollectionTools
-
-**Alert Display Name**: Suspicious process executed
-
-**Severity**: High
-
-### SCUBA_RULE_KnownDefenseEvasionTools
-
-**Alert Display Name**: Suspicious process executed
-
-**Severity**: High
-
-### SCUBA_RULE_KnownExecutionTools
-
-**Alert Display Name**: Suspicious process executed
-
-**Severity**: High
-
-### SCUBA_RULE_KnownPassTheHashTools
-
-**Alert Display Name**: Suspicious process executed
-
-**Severity**: High
-
-### SCUBA_RULE_KnownSpammingTools
-
-**Alert Display Name**: Suspicious process executed
-
-**Severity**: Medium
-
-### SCUBA_RULE_Lowering_Security_Settings
-
-**Alert Display Name**: Detected the disabling of critical services
-
-**Severity**: Medium
-
-### SCUBA_RULE_OtherKnownHackerTools
-
-**Alert Display Name**: Suspicious process executed
-
-**Severity**: High
-
-### SCUBA_RULE_RDP_session_hijacking_via_tscon
-
-**Alert Display Name**: Suspect integrity level indicative of RDP hijacking
-
-**Severity**: Medium
-
-### SCUBA_RULE_RDP_session_hijacking_via_tscon_service
-
-**Alert Display Name**: Suspect service installation
-
-**Severity**: Medium
-
-### SCUBA_RULE_Suppress_pesky_unauthorized_use_prohibited_notices
-
-**Alert Display Name**: Detected suppression of legal notice displayed to users at logon
-
-**Severity**: Low
-
-### SCUBA_RULE_WDigest_Enabling
-
-**Alert Display Name**: Detected enabling of the WDigest UseLogonCredential registry key
-
-**Severity**: Medium
-
-### VM.Windows_ApplockerBypass
-
-**Alert Display Name**: Potential attempt to bypass AppLocker detected
-
-**Severity**: High
-
-### VM.Windows_BariumKnownSuspiciousProcessExecution
-
-**Alert Display Name**: Detected suspicious file creation
-
-**Severity**: High
-
-### VM.Windows_Base64EncodedExecutableInCommandLineParams
-
-**Alert Display Name**: Detected encoded executable in command line data
-
-**Severity**: High
-
-### VM.Windows_CalcsCommandLineUse
-
-**Alert Display Name**: Detected suspicious use of Cacls to lower the security state of the system
-
-**Severity**: Medium
-
-### VM.Windows_CommandLineStartingAllExe
-
-**Alert Display Name**: Detected suspicious command line used to start all executables in a directory
-
-**Severity**: Medium
-
-### VM.Windows_DisablingAndDeletingIISLogFiles
-
-**Alert Display Name**: Detected actions indicative of disabling and deleting IIS log files
-
-**Severity**: Medium
-
-### VM.Windows_DownloadUsingCertutil
-
-**Alert Display Name**: Suspicious download using Certutil detected
-
-**Severity**: Medium
-
-### VM.Windows_EchoOverPipeOnLocalhost
-
-**Alert Display Name**: Detected suspicious named pipe communications
-
-**Severity**: High
-
-### VM.Windows_EchoToConstructPowerShellScript
-
-**Alert Display Name**: Dynamic PowerShell script construction
-
-**Severity**: Medium
-
-### VM.Windows_ExecutableDecodedUsingCertutil
-
-**Alert Display Name**: Detected decoding of an executable using built-in certutil.exe tool
-
-**Severity**: Medium
-
-### VM.Windows_FileDeletionIsSospisiousLocation
-
-**Alert Display Name**: Suspicious file deletion detected
-
-**Severity**: Medium
-
-### VM.Windows_KerberosGoldenTicketAttack
-
-**Alert Display Name**: Suspected Kerberos Golden Ticket attack parameters observed
-
-**Severity**: Medium
-
-### VM.Windows_KeygenToolKnownProcessName
-
-**Alert Display Name**: Detected possible execution of keygen executable Suspicious process executed
-
-**Severity**: Medium
-
-### VM.Windows_KnownCredentialAccessTools
-
-**Alert Display Name**: Suspicious process executed
-
-**Severity**: High
-
-### VM.Windows_KnownSuspiciousPowerShellScript
-
-**Alert Display Name**: Suspicious use of PowerShell detected
-
-**Severity**: High
-
-### VM.Windows_KnownSuspiciousSoftwareInstallation
-
-**Alert Display Name**: High risk software detected
-
-**Severity**: Medium
-
-### VM.Windows_MsHtaAndPowerShellCombination
-
-**Alert Display Name**: Detected suspicious combination of HTA and PowerShell
-
-**Severity**: Medium
-
-### VM.Windows_MultipleAccountsQuery
-
-**Alert Display Name**: Multiple Domain Accounts Queried
-
-**Severity**: Medium
-
-### VM.Windows_NewAccountCreation
-
-**Alert Display Name**: Account creation detected
-
-**Severity**: Informational
-
-### VM.Windows_ObfuscatedCommandLine
-
-**Alert Display Name**: Detected obfuscated command line.
-
-**Severity**: High
-
-### VM.Windows_PcaluaUseToLaunchExecutable
-
-**Alert Display Name**: Detected suspicious use of Pcalua.exe to launch executable code
-
-**Severity**: Medium
-
-### VM.Windows_PetyaRansomware
-
-**Alert Display Name**: Detected Petya ransomware indicators
-
-**Severity**: High
-
-### VM.Windows_PowerShellPowerSploitScriptExecution
-
-**Alert Display Name**: Suspicious PowerShell cmdlets executed
-
-**Severity**: Medium
-
-### VM.Windows_RansomwareIndication
-
-**Alert Display Name**: Ransomware indicators detected
-
-**Severity**: High
-
-### VM.Windows_SqlDumperUsedSuspiciously
-
-**Alert Display Name**: Possible credential dumping detected [seen multiple times]
-
-**Severity**: Medium
-
-### VM.Windows_StopCriticalServices
-
-**Alert Display Name**: Detected the disabling of critical services
-
-**Severity**: Medium
-
-### VM.Windows_SubvertingAccessibilityBinary
-
-**Alert Display Name**: Sticky keys attack detected
- Suspicious account creation detected Medium
-
-### VM.Windows_SuspiciousAccountCreation
-
-**Alert Display Name**: Suspicious Account Creation Detected
-
-**Severity**: Medium
-
-### VM.Windows_SuspiciousFirewallRuleAdded
-
-**Alert Display Name**: Detected suspicious new firewall rule
-
-**Severity**: Medium
-
-### VM.Windows_SuspiciousFTPSSwitchUsage
-
-**Alert Display Name**: Detected suspicious use of FTP -s switch
-
-**Severity**: Medium
-
-### VM.Windows_SuspiciousSQLActivity
-
-**Alert Display Name**: Suspicious SQL activity
-
-**Severity**: Medium
-
-### VM.Windows_SVCHostFromInvalidPath
-
-**Alert Display Name**: Suspicious process executed
-
-**Severity**: High
-
-### VM.Windows_SystemEventLogCleared
-
-**Alert Display Name**: The Windows Security log was cleared
-
-**Severity**: Informational
-
-### VM.Windows_TelegramInstallation
-
-**Alert Display Name**: Detected potentially suspicious use of Telegram tool
-
-**Severity**: Medium
-
-### VM.Windows_UndercoverProcess
-
-**Alert Display Name**: Suspiciously named process detected
-
-**Severity**: High
-
-### VM.Windows_UserAccountControlBypass
-
-**Alert Display Name**: Detected change to a registry key that can be abused to bypass UAC
-
-**Severity**: Medium
-
-### VM.Windows_VBScriptEncoding
-
-**Alert Display Name**: Detected suspicious execution of VBScript.Encode command
-
-**Severity**: Medium
-
-### VM.Windows_WindowPositionRegisteryChange
-
-**Alert Display Name**: Suspicious WindowPosition registry value detected
-
-**Severity**: Low
-
-### VM.Windows_ZincPortOpenningUsingFirewallRule
-
-**Alert Display Name**: Malicious firewall rule created by ZINC server implant
-
-**Severity**: High
-
-### VM_DigitalCurrencyMining
-
-**Alert Display Name**: Digital currency mining related behavior detected
-
-**Severity**: High
-
-### VM_MaliciousSQLActivity
-
-**Alert Display Name**: Malicious SQL activity
-
-**Severity**: High
-
-### VM_ProcessWithDoubleExtensionExecution
-
-**Alert Display Name**: Suspicious double extension file executed
-
-**Severity**: High
-
-### VM_RegistryPersistencyKey
-
-**Alert Display Name**: Windows registry persistence method detected
-
-**Severity**: Low
-
-### VM_ShadowCopyDeletion
-
-**Alert Display Name**: Suspicious Volume Shadow Copy Activity
- Executable found running from a suspicious location
-
-**Severity**: High
-
-### VM_SuspectExecutablePath
-
-**Alert Display Name**: Executable found running from a suspicious location
- Detected anomalous mix of uppercase and lowercase characters in command line
-
-**Severity**: Informational
-
- Medium
-
-### VM_SuspectPhp
-
-**Alert Display Name**: Suspicious PHP execution detected
-
-**Severity**: Medium
-
-### VM_SuspiciousCommandLineExecution
-
-**Alert Display Name**: Suspicious command execution
-
-**Severity**: High
-
-### VM_SuspiciousScreenSaverExecution
-
-**Alert Display Name**: Suspicious Screensaver process executed
-
-**Severity**: Medium
-
-### VM_SvcHostRunInRareServiceGroup
-
-**Alert Display Name**: Rare SVCHOST service group executed
-
-**Severity**: Informational
-
-### VM_SystemProcessInAbnormalContext
-
-**Alert Display Name**: Suspicious system process executed
-
-**Severity**: Medium
-
-### VM_ThreatIntelCommandLineSuspectDomain
-
-**Alert Display Name**: A possible connection to malicious location has been detected
-
-**Severity**: Medium
-
-### VM_ThreatIntelSuspectLogon
-
-**Alert Display Name**: A logon from a malicious IP has been detected
-
-**Severity**: High
-
-### VM_VbScriptHttpObjectAllocation
-
-**Alert Display Name**: VBScript HTTP object allocation detected
-
-**Severity**: High
-
-### VM_TaskkillBurst
-
-**Alert Display Name**: Suspicious process termination burst
-
-**Severity**: Low
-
-### VM_RunByPsExec
-
-**Alert Display Name**: PsExec execution detected
-
-**Severity**: Informational
+## Security alert pages by category
+
+- [Alerts for Windows machines](alerts-windows-machines.md)
+- [Alerts for Linux machines](alerts-linux-machines.md)
+- [Alerts for DNS](alerts-dns.md)
+- [Alerts for Azure VM extensions](alerts-azure-vm-extensions.md)
+- [Alerts for Azure App Service](alerts-azure-app-service.md)
+- [Alerts for containers - Kubernetes clusters](alerts-containers.md)
+- [Alerts for SQL Database and Azure Synapse Analytics](alerts-sql-database-and-azure-synapse-analytics.md)
+- [Alerts for open-source relational databases](alerts-open-source-relational-databases.md)
+- [Alerts for Resource Manager](alerts-resource-manager.md)
+- [Alerts for Azure Storage](alerts-azure-storage.md)
+- [Alerts for Azure Cosmos DB](alerts-azure-cosmos-db.md)
+- [Alerts for Azure network layer](alerts-azure-network-layer.md)
+- [Alerts for Azure Key Vault](alerts-azure-key-vault.md)
+- [Alerts for Azure DDoS Protection](alerts-azure-ddos-protection.md)
+- [Alerts for Defender for APIs](alerts-defender-for-apis.md)
+- [Alerts for AI workloads](alerts-ai-workloads.md)
+- [Deprecated security alerts](deprecated-alerts.md)
## MITRE ATT&CK tactics
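Review bot: the inline alert entries removed here carried several markup defects that should not travel into the per-category pages the new list links to (deprecated-alerts.md, alerts-defender-for-apis.md, alerts-ai-workloads.md), so the moved copies need checking before merge. In the deprecated Linux list the heading `### VM_CommandlineSuspectDomain Suspicious` has absorbed the first word of its display name (`**Alert Display Name**: domain name reference`); in the deprecated Windows list stray lines from neighbouring entries sit under `VM.Windows_SubvertingAccessibilityBinary` (`Suspicious account creation detected Medium`), `VM_ShadowCopyDeletion` and `VM_SuspectExecutablePath` (an orphan `Medium` after `**Severity**: Informational`), and `VM.Windows_KeygenToolKnownProcessName` runs two display names together; the Defender for APIs spray alert reads `Defenders for APIs`; and the three AI-workload descriptions contain the mojibake `ΓÇÖ` where an apostrophe belongs. Since this page no longer defines the deprecated alert IDs (`K8S.NODE_*`, `VM_*`, `SCUBA_*`, `VM.Windows_*`), confirm that deprecated-alerts.md keeps every ID together with its display name and severity, and that the relocated entries point their MITRE links back to this page (`alerts-reference.md#mitre-attck-tactics`) rather than the same-page `#mitre-attck-tactics` anchor used in the removed text.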
defender-for-cloud Alerts Resource Manager https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/alerts-resource-manager.md
+
+ Title: Alerts for Resource Manager
+description: This article lists the security alerts for Resource Manager visible in Microsoft Defender for Cloud.
++ Last updated : 06/03/2024
+ai-usage: ai-assisted
++
+# Alerts for Resource Manager
+
+This article lists the security alerts you might get for Resource Manager from Microsoft Defender for Cloud and any Microsoft Defender plans you enabled. The alerts shown in your environment depend on the resources and services you're protecting, and your customized configuration.
+
+> [!NOTE]
+> Some of the recently added alerts powered by Microsoft Defender Threat Intelligence and Microsoft Defender for Endpoint might be undocumented.
+
+[Learn how to respond to these alerts](managing-and-responding-alerts.yml).
+
+[Learn how to export alerts](continuous-export.md).
+
+> [!NOTE]
+> Alerts from different sources might take different amounts of time to appear. For example, alerts that require analysis of network traffic might take longer to appear than alerts related to suspicious processes running on virtual machines.
+
+## Resource Manager alerts
+
+> [!NOTE]
+> Alerts with a **delegated access** indication are triggered due to activity of third-party service providers. learn more about [service providers activity indications](defender-for-resource-manager-usage.md).
+
+[Further details and notes](defender-for-resource-manager-introduction.md)
+
+### **Azure Resource Manager operation from suspicious IP address**
+
+(ARM_OperationFromSuspiciousIP)
+
+**Description**: Microsoft Defender for Resource Manager detected an operation from an IP address that has been marked as suspicious in threat intelligence feeds.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Execution
+
+**Severity**: Medium
+
+### **Azure Resource Manager operation from suspicious proxy IP address**
+
+(ARM_OperationFromSuspiciousProxyIP)
+
+**Description**: Microsoft Defender for Resource Manager detected a resource management operation from an IP address that is associated with proxy services, such as TOR. While this behavior can be legitimate, it's often seen in malicious activities, when threat actors try to hide their source IP.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Defense Evasion
+
+**Severity**: Medium
+
+### **MicroBurst exploitation toolkit used to enumerate resources in your subscriptions**
+
+(ARM_MicroBurst.AzDomainInfo)
+
+**Description**: A PowerShell script was run in your subscription and performed suspicious pattern of executing an information gathering operations to discover resources, permissions, and network structures. Threat actors use automated scripts, like MicroBurst, to gather information for malicious activities. This was detected by analyzing Azure Resource Manager operations in your subscription. This operation might indicate that an identity in your organization was breached, and that the threat actor is trying to compromise your environment for malicious intentions.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Low
+
+### **MicroBurst exploitation toolkit used to enumerate resources in your subscriptions**
+
+(ARM_MicroBurst.AzureDomainInfo)
+
+**Description**: A PowerShell script was run in your subscription and performed suspicious pattern of executing an information gathering operations to discover resources, permissions, and network structures. Threat actors use automated scripts, like MicroBurst, to gather information for malicious activities. This was detected by analyzing Azure Resource Manager operations in your subscription. This operation might indicate that an identity in your organization was breached, and that the threat actor is trying to compromise your environment for malicious intentions.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Low
+
+### **MicroBurst exploitation toolkit used to execute code on your virtual machine**
+
+(ARM_MicroBurst.AzVMBulkCMD)
+
+**Description**: A PowerShell script was run in your subscription and performed a suspicious pattern of executing code on a VM or a list of VMs. Threat actors use automated scripts, like MicroBurst, to run a script on a VM for malicious activities. This was detected by analyzing Azure Resource Manager operations in your subscription. This operation might indicate that an identity in your organization was breached, and that the threat actor is trying to compromise your environment for malicious intentions.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Execution
+
+**Severity**: High
+
+### **MicroBurst exploitation toolkit used to execute code on your virtual machine**
+
+(RM_MicroBurst.AzureRmVMBulkCMD)
+
+**Description**: MicroBurst's exploitation toolkit was used to execute code on your virtual machines. This was detected by analyzing Azure Resource Manager operations in your subscription.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: High
+
+### **MicroBurst exploitation toolkit used to extract keys from your Azure key vaults**
+
+(ARM_MicroBurst.AzKeyVaultKeysREST)
+
+**Description**: A PowerShell script was run in your subscription and performed a suspicious pattern of extracting keys from an Azure Key Vault(s). Threat actors use automated scripts, like MicroBurst, to list keys and use them to access sensitive data or perform lateral movement. This was detected by analyzing Azure Resource Manager operations in your subscription. This operation might indicate that an identity in your organization was breached, and that the threat actor is trying to compromise your environment for malicious intentions.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: High
+
+### **MicroBurst exploitation toolkit used to extract keys to your storage accounts**
+
+(ARM_MicroBurst.AZStorageKeysREST)
+
+**Description**: A PowerShell script was run in your subscription and performed a suspicious pattern of extracting keys to Storage Account(s). Threat actors use automated scripts, like MicroBurst, to list keys and use them to access sensitive data in your Storage Account(s). This was detected by analyzing Azure Resource Manager operations in your subscription. This operation might indicate that an identity in your organization was breached, and that the threat actor is trying to compromise your environment for malicious intentions.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Collection
+
+**Severity**: High
+
+### **MicroBurst exploitation toolkit used to extract secrets from your Azure key vaults**
+
+(ARM_MicroBurst.AzKeyVaultSecretsREST)
+
+**Description**: A PowerShell script was run in your subscription and performed a suspicious pattern of extracting secrets from an Azure Key Vault(s). Threat actors use automated scripts, like MicroBurst, to list secrets and use them to access sensitive data or perform lateral movement. This was detected by analyzing Azure Resource Manager operations in your subscription. This operation might indicate that an identity in your organization was breached, and that the threat actor is trying to compromise your environment for malicious intentions.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: High
+
+### **PowerZure exploitation toolkit used to elevate access from Azure AD to Azure**
+
+(ARM_PowerZure.AzureElevatedPrivileges)
+
+**Description**: PowerZure exploitation toolkit was used to elevate access from AzureAD to Azure. This was detected by analyzing Azure Resource Manager operations in your tenant.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: High
+
+### **PowerZure exploitation toolkit used to enumerate resources**
+
+(ARM_PowerZure.GetAzureTargets)
+
+**Description**: PowerZure exploitation toolkit was used to enumerate resources on behalf of a legitimate user account in your organization. This was detected by analyzing Azure Resource Manager operations in your subscription.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Collection
+
+**Severity**: High
+
+### **PowerZure exploitation toolkit used to enumerate storage containers, shares, and tables**
+
+(ARM_PowerZure.ShowStorageContent)
+
+**Description**: PowerZure exploitation toolkit was used to enumerate storage shares, tables, and containers. This was detected by analyzing Azure Resource Manager operations in your subscription.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: High
+
+### **PowerZure exploitation toolkit used to execute a Runbook in your subscription**
+
+(ARM_PowerZure.StartRunbook)
+
+**Description**: PowerZure exploitation toolkit was used to execute a Runbook. This was detected by analyzing Azure Resource Manager operations in your subscription.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: High
+
+### **PowerZure exploitation toolkit used to extract Runbooks content**
+
+(ARM_PowerZure.AzureRunbookContent)
+
+**Description**: PowerZure exploitation toolkit was used to extract Runbook content. This was detected by analyzing Azure Resource Manager operations in your subscription.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Collection
+
+**Severity**: High
+
+### **PREVIEW - Azurite toolkit run detected**
+
+(ARM_Azurite)
+
+**Description**: A known cloud-environment reconnaissance toolkit run has been detected in your environment. The tool [Azurite](https://github.com/mwrlabs/Azurite) can be used by an attacker (or penetration tester) to map your subscriptions' resources and identify insecure configurations.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Collection
+
+**Severity**: High
+
+### **PREVIEW - Suspicious creation of compute resources detected**
+
+(ARM_SuspiciousComputeCreation)
+
+**Description**: Microsoft Defender for Resource Manager identified a suspicious creation of compute resources in your subscription utilizing Virtual Machines/Azure Scale Set. The identified operations are designed to allow administrators to efficiently manage their environments by deploying new resources when needed. While this activity might be legitimate, a threat actor might utilize such operations to conduct crypto mining.
+ The activity is deemed suspicious as the compute resources scale is higher than previously observed in the subscription.
+ This can indicate that the principal is compromised and is being used with malicious intent.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Impact
+
+**Severity**: Medium
+
+### **PREVIEW - Suspicious key vault recovery detected**
+
+(Arm_Suspicious_Vault_Recovering)
+
+**Description**: Microsoft Defender for Resource Manager detected a suspicious recovery operation for a soft-deleted key vault resource.
+ The user recovering the resource is different from the user that deleted it. This is highly suspicious because the user rarely invokes such an operation. In addition, the user logged on without multifactor authentication (MFA).
+ This might indicate that the user is compromised and is attempting to discover secrets and keys to gain access to sensitive resources, or to perform lateral movement across your network.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Lateral movement
+
+**Severity**: Medium/high
+
+### **PREVIEW - Suspicious management session using an inactive account detected**
+
+(ARM_UnusedAccountPersistence)
+
+**Description**: Subscription activity logs analysis has detected suspicious behavior. A principal not in use for a long period of time is now performing actions that can secure persistence for an attacker.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Persistence
+
+**Severity**: Medium
+
+### **PREVIEW - Suspicious invocation of a high-risk 'Credential Access' operation by a service principal detected**
+
+(ARM_AnomalousServiceOperation.CredentialAccess)
+
+**Description**: Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription, which might indicate an attempt to access credentials. The identified operations are designed to allow administrators to efficiently manage their environments. While this activity might be legitimate, a threat actor might utilize such operations to access restricted credentials and compromise resources in your environment. This can indicate that the service principal is compromised and is being used with malicious intent.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Credential access
+
+**Severity**: Medium
+
+### **PREVIEW - Suspicious invocation of a high-risk 'Data Collection' operation by a service principal detected**
+
+(ARM_AnomalousServiceOperation.Collection)
+
+**Description**: Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription, which might indicate an attempt to collect data. The identified operations are designed to allow administrators to efficiently manage their environments. While this activity might be legitimate, a threat actor might utilize such operations to collect sensitive data on resources in your environment. This can indicate that the service principal is compromised and is being used with malicious intent.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Collection
+
+**Severity**: Medium
+
+### **PREVIEW - Suspicious invocation of a high-risk 'Defense Evasion' operation by a service principal detected**
+
+(ARM_AnomalousServiceOperation.DefenseEvasion)
+
+**Description**: Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription, which might indicate an attempt to evade defenses. The identified operations are designed to allow administrators to efficiently manage the security posture of their environments. While this activity might be legitimate, a threat actor might utilize such operations to avoid being detected while compromising resources in your environment. This can indicate that the service principal is compromised and is being used with malicious intent.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Defense Evasion
+
+**Severity**: Medium
+
+### **PREVIEW - Suspicious invocation of a high-risk 'Execution' operation by a service principal detected**
+
+(ARM_AnomalousServiceOperation.Execution)
+
+**Description**: Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation on a machine in your subscription, which might indicate an attempt to execute code. The identified operations are designed to allow administrators to efficiently manage their environments. While this activity might be legitimate, a threat actor might utilize such operations to access restricted credentials and compromise resources in your environment. This can indicate that the service principal is compromised and is being used with malicious intent.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Defense Execution
+
+**Severity**: Medium
+
+### **PREVIEW - Suspicious invocation of a high-risk 'Impact' operation by a service principal detected**
+
+(ARM_AnomalousServiceOperation.Impact)
+
+**Description**: Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription, which might indicate an attempted configuration change. The identified operations are designed to allow administrators to efficiently manage their environments. While this activity might be legitimate, a threat actor might utilize such operations to access restricted credentials and compromise resources in your environment. This can indicate that the service principal is compromised and is being used with malicious intent.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Impact
+
+**Severity**: Medium
+
+### **PREVIEW - Suspicious invocation of a high-risk 'Initial Access' operation by a service principal detected**
+
+(ARM_AnomalousServiceOperation.InitialAccess)
+
+**Description**: Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription, which might indicate an attempt to access restricted resources. The identified operations are designed to allow administrators to efficiently access their environments. While this activity might be legitimate, a threat actor might utilize such operations to gain initial access to restricted resources in your environment. This can indicate that the service principal is compromised and is being used with malicious intent.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Initial access
+
+**Severity**: Medium
+
+### **PREVIEW - Suspicious invocation of a high-risk 'Lateral Movement Access' operation by a service principal detected**
+
+(ARM_AnomalousServiceOperation.LateralMovement)
+
+**Description**: Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription, which might indicate an attempt to perform lateral movement. The identified operations are designed to allow administrators to efficiently manage their environments. While this activity might be legitimate, a threat actor might utilize such operations to compromise more resources in your environment. This can indicate that the service principal is compromised and is being used with malicious intent.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Lateral movement
+
+**Severity**: Medium
+
+### **PREVIEW - Suspicious invocation of a high-risk 'persistence' operation by a service principal detected**
+
+(ARM_AnomalousServiceOperation.Persistence)
+
+**Description**: Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription, which might indicate an attempt to establish persistence. The identified operations are designed to allow administrators to efficiently manage their environments. While this activity might be legitimate, a threat actor might utilize such operations to establish persistence in your environment. This can indicate that the service principal is compromised and is being used with malicious intent.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Persistence
+
+**Severity**: Medium
+
+### **PREVIEW - Suspicious invocation of a high-risk 'Privilege Escalation' operation by a service principal detected**
+
+(ARM_AnomalousServiceOperation.PrivilegeEscalation)
+
+**Description**: Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription, which might indicate an attempt to escalate privileges. The identified operations are designed to allow administrators to efficiently manage their environments. While this activity might be legitimate, a threat actor might utilize such operations to escalate privileges while compromising resources in your environment. This can indicate that the service principal is compromised and is being used with malicious intent.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Privilege escalation
+
+**Severity**: Medium
+
+### **PREVIEW - Suspicious management session using an inactive account detected**
+
+(ARM_UnusedAccountPersistence)
+
+**Description**: Subscription activity logs analysis has detected suspicious behavior. A principal not in use for a long period of time is now performing actions that can secure persistence for an attacker.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Persistence
+
+**Severity**: Medium
+
+### **PREVIEW - Suspicious management session using PowerShell detected**
+
+(ARM_UnusedAppPowershellPersistence)
+
+**Description**: Subscription activity logs analysis has detected suspicious behavior. A principal that doesn't regularly use PowerShell to manage the subscription environment is now using PowerShell, and performing actions that can secure persistence for an attacker.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Persistence
+
+**Severity**: Medium
+
+### **PREVIEW – Suspicious management session using Azure portal detected**
+
+(ARM_UnusedAppIbizaPersistence)
+
+**Description**: Analysis of your subscription activity logs has detected a suspicious behavior. A principal that doesn't regularly use the Azure portal (Ibiza) to manage the subscription environment (hasn't used Azure portal to manage for the last 45 days, or a subscription that it is actively managing), is now using the Azure portal and performing actions that can secure persistence for an attacker.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Persistence
+
+**Severity**: Medium
+
+### **Privileged custom role created for your subscription in a suspicious way (Preview)**
+
+(ARM_PrivilegedRoleDefinitionCreation)
+
+**Description**: Microsoft Defender for Resource Manager detected a suspicious creation of privileged custom role definition in your subscription. This operation might have been performed by a legitimate user in your organization. Alternatively, it might indicate that an account in your organization was breached, and that the threat actor is trying to create a privileged role to use in the future to evade detection.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Privilege Escalation, Defense Evasion
+
+**Severity**: Informational
+
+### **Suspicious Azure role assignment detected (Preview)**
+
+(ARM_AnomalousRBACRoleAssignment)
+
+**Description**: Microsoft Defender for Resource Manager identified a suspicious Azure role assignment / performed using PIM (Privileged Identity Management) in your tenant, which might indicate that an account in your organization was compromised. The identified operations are designed to allow administrators to grant principals access to Azure resources. While this activity might be legitimate, a threat actor might utilize role assignment to escalate their permissions allowing them to advance their attack.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Lateral Movement, Defense Evasion
+
+**Severity**: Low (PIM) / High
+
+### **Suspicious invocation of a high-risk 'Credential Access' operation detected (Preview)**
+
+(ARM_AnomalousOperation.CredentialAccess)
+
+**Description**: Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription, which might indicate an attempt to access credentials. The identified operations are designed to allow administrators to efficiently access their environments. While this activity might be legitimate, a threat actor might utilize such operations to access restricted credentials and compromise resources in your environment. This can indicate that the account is compromised and is being used with malicious intent.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Credential Access
+
+**Severity**: Medium
+
+### **Suspicious invocation of a high-risk 'Data Collection' operation detected (Preview)**
+
+(ARM_AnomalousOperation.Collection)
+
+**Description**: Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription, which might indicate an attempt to collect data. The identified operations are designed to allow administrators to efficiently manage their environments. While this activity might be legitimate, a threat actor might utilize such operations to collect sensitive data on resources in your environment. This can indicate that the account is compromised and is being used with malicious intent.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Collection
+
+**Severity**: Medium
+
+### **Suspicious invocation of a high-risk 'Defense Evasion' operation detected (Preview)**
+
+(ARM_AnomalousOperation.DefenseEvasion)
+
+**Description**: Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription, which might indicate an attempt to evade defenses. The identified operations are designed to allow administrators to efficiently manage the security posture of their environments. While this activity might be legitimate, a threat actor might utilize such operations to avoid being detected while compromising resources in your environment. This can indicate that the account is compromised and is being used with malicious intent.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Defense Evasion
+
+**Severity**: Medium
+
+### **Suspicious invocation of a high-risk 'Execution' operation detected (Preview)**
+
+(ARM_AnomalousOperation.Execution)
+
+**Description**: Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation on a machine in your subscription, which might indicate an attempt to execute code. The identified operations are designed to allow administrators to efficiently manage their environments. While this activity might be legitimate, a threat actor might utilize such operations to access restricted credentials and compromise resources in your environment. This can indicate that the account is compromised and is being used with malicious intent.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Execution
+
+**Severity**: Medium
+
+### **Suspicious invocation of a high-risk 'Impact' operation detected (Preview)**
+
+(ARM_AnomalousOperation.Impact)
+
+**Description**: Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription, which might indicate an attempted configuration change. The identified operations are designed to allow administrators to efficiently manage their environments. While this activity might be legitimate, a threat actor might utilize such operations to access restricted credentials and compromise resources in your environment. This can indicate that the account is compromised and is being used with malicious intent.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Impact
+
+**Severity**: Medium
+
+### **Suspicious invocation of a high-risk 'Initial Access' operation detected (Preview)**
+
+(ARM_AnomalousOperation.InitialAccess)
+
+**Description**: Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription, which might indicate an attempt to access restricted resources. The identified operations are designed to allow administrators to efficiently access their environments. While this activity might be legitimate, a threat actor might utilize such operations to gain initial access to restricted resources in your environment. This can indicate that the account is compromised and is being used with malicious intent.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Initial Access
+
+**Severity**: Medium
+
+### **Suspicious invocation of a high-risk 'Lateral Movement' operation detected (Preview)**
+
+(ARM_AnomalousOperation.LateralMovement)
+
+**Description**: Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription, which might indicate an attempt to perform lateral movement. The identified operations are designed to allow administrators to efficiently manage their environments. While this activity might be legitimate, a threat actor might utilize such operations to compromise more resources in your environment. This can indicate that the account is compromised and is being used with malicious intent.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Lateral Movement
+
+**Severity**: Medium
+
+### **Suspicious elevate access operation (Preview)**(ARM_AnomalousElevateAccess)
+
+**Description**: Microsoft Defender for Resource Manager identified a suspicious "Elevate Access" operation. The activity is deemed suspicious, as this principal rarely invokes such operations. While this activity might be legitimate, a threat actor might utilize an "Elevate Access" operation to perform privilege escalation for a compromised user.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Privilege Escalation
+
+**Severity**: Medium
+
+### **Suspicious invocation of a high-risk 'Persistence' operation detected (Preview)**
+
+(ARM_AnomalousOperation.Persistence)
+
+**Description**: Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription, which might indicate an attempt to establish persistence. The identified operations are designed to allow administrators to efficiently manage their environments. While this activity might be legitimate, a threat actor might utilize such operations to establish persistence in your environment. This can indicate that the account is compromised and is being used with malicious intent.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Persistence
+
+**Severity**: Medium
+
+### **Suspicious invocation of a high-risk 'Privilege Escalation' operation detected (Preview)**
+
+(ARM_AnomalousOperation.PrivilegeEscalation)
+
+**Description**: Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription, which might indicate an attempt to escalate privileges. The identified operations are designed to allow administrators to efficiently manage their environments. While this activity might be legitimate, a threat actor might utilize such operations to escalate privileges while compromising resources in your environment. This can indicate that the account is compromised and is being used with malicious intent.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Privilege Escalation
+
+**Severity**: Medium
+
+### **Usage of MicroBurst exploitation toolkit to run an arbitrary code or exfiltrate Azure Automation account credentials**
+
+(ARM_MicroBurst.RunCodeOnBehalf)
+
+**Description**: A PowerShell script was run in your subscription and performed a suspicious pattern of executing an arbitrary code or exfiltrate Azure Automation account credentials. Threat actors use automated scripts, like MicroBurst, to run arbitrary code for malicious activities. This was detected by analyzing Azure Resource Manager operations in your subscription. This operation might indicate that an identity in your organization was breached, and that the threat actor is trying to compromise your environment for malicious intentions.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Persistence, Credential Access
+
+**Severity**: High
+
+### **Usage of NetSPI techniques to maintain persistence in your Azure environment**
+
+(ARM_NetSPI.MaintainPersistence)
+
+**Description**: Usage of NetSPI persistence technique to create a webhook backdoor and maintain persistence in your Azure environment. This was detected by analyzing Azure Resource Manager operations in your subscription.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: High
+
+### **Usage of PowerZure exploitation toolkit to run an arbitrary code or exfiltrate Azure Automation account credentials**
+
+(ARM_PowerZure.RunCodeOnBehalf)
+
+**Description**: PowerZure exploitation toolkit detected attempting to run code or exfiltrate Azure Automation account credentials. This was detected by analyzing Azure Resource Manager operations in your subscription.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: High
+
+### **Usage of PowerZure function to maintain persistence in your Azure environment**
+
+(ARM_PowerZure.MaintainPersistence)
+
+**Description**: PowerZure exploitation toolkit detected creating a webhook backdoor to maintain persistence in your Azure environment. This was detected by analyzing Azure Resource Manager operations in your subscription.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: High
+
+### **Suspicious classic role assignment detected (Preview)**
+
+(ARM_AnomalousClassicRoleAssignment)
+
+**Description**: Microsoft Defender for Resource Manager identified a suspicious classic role assignment in your tenant, which might indicate that an account in your organization was compromised. The identified operations are designed to provide backward compatibility with classic roles that are no longer commonly used. While this activity might be legitimate, a threat actor might utilize such assignment to grant permissions to another user account under their control.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Lateral Movement, Defense Evasion
+
+**Severity**: High
+
+> [!NOTE]
+> For alerts that are in preview: [!INCLUDE [Legalese](../../includes/defender-for-cloud-preview-legal-text.md)]
+
+## Next steps
+
+- [Security alerts in Microsoft Defender for Cloud](alerts-overview.md)
+- [Manage and respond to security alerts in Microsoft Defender for Cloud](managing-and-responding-alerts.yml)
+- [Continuously export Defender for Cloud data](continuous-export.md)
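Review bot: the tactic line under ARM_AnomalousServiceOperation.Execution reads `**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Defense Execution`, which is not an ATT&CK tactic; the non-service-principal twin ARM_AnomalousOperation.Execution uses `Execution`, so this entry should match it. Both Execution entries and both Impact entries also keep the Credential Access sentence "a threat actor might utilize such operations to access restricted credentials", which reads as copied from the Credential Access alert; each should describe the behaviour named in its own heading (code execution, configuration change). Two entries are duplicated: the ARM_UnusedAccountPersistence block ("PREVIEW - Suspicious management session using an inactive account detected") appears twice verbatim, and ARM_MicroBurst.AzDomainInfo and ARM_MicroBurst.AzureDomainInfo share one heading and one description, so a reader cannot tell which ID to expect; drop the duplicate block and either merge or distinguish the two MicroBurst IDs. Minor points: `(RM_MicroBurst.AzureRmVMBulkCMD)` lacks the `ARM_` prefix that every other ID in the file carries and is worth checking against the alert source; the ARM_AnomalousElevateAccess ID sits on the heading line rather than on its own line like the rest; "learn more about" in the delegated-access note starts lowercase after a period; "performed suspicious pattern of executing an information gathering operations" in the MicroBurst enumeration entries needs an article and a singular noun; several entries still carry `-` for MITRE tactics and the two "Suspicious ... role assignment" entries are placed out of the file's alphabetical order.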
defender-for-cloud Alerts Sql Database And Azure Synapse Analytics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/alerts-sql-database-and-azure-synapse-analytics.md
+
+ Title: Alerts for SQL Database and Azure Synapse Analytics
+description: This article lists the security alerts for SQL Database and Azure Synapse Analytics visible in Microsoft Defender for Cloud.
++ Last updated : 06/03/2024
+ai-usage: ai-assisted
++
+# Alerts for SQL Database and Azure Synapse Analytics
+
+This article lists the security alerts you might get for SQL Database and Azure Synapse Analytics from Microsoft Defender for Cloud and any Microsoft Defender plans you enabled. The alerts shown in your environment depend on the resources and services you're protecting, and your customized configuration.
+
+> [!NOTE]
+> Some of the recently added alerts powered by Microsoft Defender Threat Intelligence and Microsoft Defender for Endpoint might be undocumented.
+
+[Learn how to respond to these alerts](managing-and-responding-alerts.yml).
+
+[Learn how to export alerts](continuous-export.md).
+
+> [!NOTE]
+> Alerts from different sources might take different amounts of time to appear. For example, alerts that require analysis of network traffic might take longer to appear than alerts related to suspicious processes running on virtual machines.
+
+## SQL Database and Azure Synapse Analytics alerts
+
+[Further details and notes](defender-for-sql-introduction.md)
+
+### **A possible vulnerability to SQL Injection**
+
+(SQL.DB_VulnerabilityToSqlInjection
+SQL.VM_VulnerabilityToSqlInjection
+SQL.MI_VulnerabilityToSqlInjection
+SQL.DW_VulnerabilityToSqlInjection
+Synapse.SQLPool_VulnerabilityToSqlInjection)
+
+**Description**: An application has generated a faulty SQL statement in the database. This can indicate a possible vulnerability to SQL injection attacks. There are two possible reasons for a faulty statement. A defect in application code might have constructed the faulty SQL statement. Or, application code or stored procedures didn't sanitize user input when constructing the faulty SQL statement, which can be exploited for SQL injection.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: PreAttack
+
+**Severity**: Medium
+
+### **Logon activity from a potentially harmful application**
+
+(SQL.DB_HarmfulApplication
+SQL.VM_HarmfulApplication
+SQL.MI_HarmfulApplication
+SQL.DW_HarmfulApplication
+Synapse.SQLPool_HarmfulApplication)
+
+**Description**: A potentially harmful application attempted to access your resource.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: PreAttack
+
+**Severity**: High
+
+### **Log on from an unusual Azure Data Center**
+
+(SQL.DB_DataCenterAnomaly
+SQL.VM_DataCenterAnomaly
+SQL.DW_DataCenterAnomaly
+SQL.MI_DataCenterAnomaly
+Synapse.SQLPool_DataCenterAnomaly)
+
+**Description**: There has been a change in the access pattern to an SQL Server, where someone has signed in to the server from an unusual Azure Data Center. In some cases, the alert detects a legitimate action (a new application or Azure service). In other cases, the alert detects a malicious action (attacker operating from breached resource in Azure).
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Probing
+
+**Severity**: Low
+
+### **Log on from an unusual location**
+
+(SQL.DB_GeoAnomaly
+SQL.VM_GeoAnomaly
+SQL.DW_GeoAnomaly
+SQL.MI_GeoAnomaly
+Synapse.SQLPool_GeoAnomaly)
+
+**Description**: There has been a change in the access pattern to SQL Server, where someone has signed in to the server from an unusual geographical location. In some cases, the alert detects a legitimate action (a new application or developer maintenance). In other cases, the alert detects a malicious action (a former employee or external attacker).
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Exploitation
+
+**Severity**: Medium
+
+### **Login from a principal user not seen in 60 days**
+
+(SQL.DB_PrincipalAnomaly
+SQL.VM_PrincipalAnomaly
+SQL.DW_PrincipalAnomaly
+SQL.MI_PrincipalAnomaly
+Synapse.SQLPool_PrincipalAnomaly)
+
+**Description**: A principal user not seen in the last 60 days has logged into your database. If this database is new or this is expected behavior caused by recent changes in the users accessing the database, Defender for Cloud will identify significant changes to the access patterns and attempt to prevent future false positives.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Exploitation
+
+**Severity**: Medium
+
+### **Login from a domain not seen in 60 days**
+
+(SQL.DB_DomainAnomaly
+SQL.VM_DomainAnomaly
+SQL.DW_DomainAnomaly
+SQL.MI_DomainAnomaly
+Synapse.SQLPool_DomainAnomaly)
+
+**Description**: A user has logged in to your resource from a domain no other users have connected from in the last 60 days. If this resource is new or this is expected behavior caused by recent changes in the users accessing the resource, Defender for Cloud will identify significant changes to the access patterns and attempt to prevent future false positives.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Exploitation
+
+**Severity**: Medium
+
+### **Login from a suspicious IP**
+
+(SQL.DB_SuspiciousIpAnomaly
+SQL.VM_SuspiciousIpAnomaly
+SQL.DW_SuspiciousIpAnomaly
+SQL.MI_SuspiciousIpAnomaly
+Synapse.SQLPool_SuspiciousIpAnomaly)
+
+**Description**: Your resource has been accessed successfully from an IP address that Microsoft Threat Intelligence has associated with suspicious activity.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: PreAttack
+
+**Severity**: Medium
+
+### **Potential SQL injection**
+
+(SQL.DB_PotentialSqlInjection
+SQL.VM_PotentialSqlInjection
+SQL.MI_PotentialSqlInjection
+SQL.DW_PotentialSqlInjection
+Synapse.SQLPool_PotentialSqlInjection)
+
+**Description**: An active exploit has occurred against an identified application vulnerable to SQL injection. This means an attacker is trying to inject malicious SQL statements by using the vulnerable application code or stored procedures.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: PreAttack
+
+**Severity**: High
+
+### **Suspected brute force attack using a valid user**
+
+(SQL.DB_BruteForce
+SQL.VM_BruteForce
+SQL.DW_BruteForce
+SQL.MI_BruteForce
+Synapse.SQLPool_BruteForce)
+
+**Description**: A potential brute force attack has been detected on your resource. The attacker is using the valid user (username), which has permissions to log in.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: PreAttack
+
+**Severity**: High
+
+### **Suspected brute force attack**
+
+(SQL.DB_BruteForce
+SQL.VM_BruteForce
+SQL.DW_BruteForce
+SQL.MI_BruteForce
+Synapse.SQLPool_BruteForce)
+
+**Description**: A potential brute force attack has been detected on your resource.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: PreAttack
+
+**Severity**: High
+
+### **Suspected successful brute force attack**
+
+(SQL.DB_BruteForce
+SQL.VM_BruteForce
+SQL.DW_BruteForce
+SQL.MI_BruteForce
+Synapse.SQLPool_BruteForce)
+
+**Description**: A successful login occurred after an apparent brute force attack on your resource.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: PreAttack
+
+**Severity**: High
+
+### **SQL Server potentially spawned a Windows command shell and accessed an abnormal external source**
+
+(SQL.DB_ShellExternalSourceAnomaly
+SQL.VM_ShellExternalSourceAnomaly
+SQL.DW_ShellExternalSourceAnomaly
+SQL.MI_ShellExternalSourceAnomaly
+Synapse.SQLPool_ShellExternalSourceAnomaly)
+
+**Description**: A suspicious SQL statement potentially spawned a Windows command shell with an external source that hasn't been seen before. Executing a shell that accesses an external source is a method used by attackers to download malicious payload and then execute it on the machine and compromise it. This enables an attacker to perform malicious tasks under remote direction. Alternatively, accessing an external source can be used to exfiltrate data to an external destination.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Execution
+
+**Severity**: High/Medium
+
+### **Unusual payload with obfuscated parts has been initiated by SQL Server**
+
+(SQL.VM_PotentialSqlInjection)
+
+**Description**: Someone has initiated a new payload utilizing the layer in SQL Server that communicates with the operating system while concealing the command in the SQL query. Attackers commonly hide impactful commands which are popularly monitored like xp_cmdshell, sp_add_job and others. Obfuscation techniques abuse legitimate commands like string concatenation, casting, base changing, and others, to avoid regex detection and hurt the readability of the logs.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Execution
+
+**Severity**: High/Medium
+
+> [!NOTE]
+> For alerts that are in preview: [!INCLUDE [Legalese](../../includes/defender-for-cloud-preview-legal-text.md)]
+
+## Next steps
+
+- [Security alerts in Microsoft Defender for Cloud](alerts-overview.md)
+- [Manage and respond to security alerts in Microsoft Defender for Cloud](managing-and-responding-alerts.yml)
+- [Continuously export Defender for Cloud data](continuous-export.md)
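Review bot: Three separately titled alerts ("Suspected brute force attack using a valid user", "Suspected brute force attack", "Suspected successful brute force attack") all carry the identical identifier block `SQL.DB_BruteForce ... Synapse.SQLPool_BruteForce`, and "Unusual payload with obfuscated parts has been initiated by SQL Server" reuses `(SQL.VM_PotentialSqlInjection)`, the same identifier already given for "Potential SQL injection". Readers use these identifiers to build export filters and suppression rules, so either confirm that the alert types really are shared (and say so in the text) or correct the copied identifiers. Separately, the two alerts with `**Severity**: High/Medium` should state what decides the level, since a single alert entry cannot be filtered on an either/or severity.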
defender-for-cloud Alerts Windows Machines https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/alerts-windows-machines.md
+
+ Title: Alerts for Windows machines
+description: This article lists the security alerts visible for Windows machines in Microsoft Defender for Cloud.
++ Last updated : 06/03/2024
+ai-usage: ai-assisted
++
+# Alerts for Windows machines
+
+This article lists the security alerts you might get for Windows machines in Microsoft Defender for Cloud and any Microsoft Defender plans you enabled. The alerts shown in your environment depend on the resources and services you're protecting, and your customized configuration.
+
+[Learn how to respond to these alerts](managing-and-responding-alerts.yml).
+
+[Learn how to export alerts](continuous-export.md).
+
+## Windows machines alerts
+
+Microsoft Defender for Servers Plan 2 provides unique detections and alerts, in addition to the ones provided by Microsoft Defender for Endpoint. The alerts provided for Windows machines are:
+
+[Further details and notes](defender-for-servers-introduction.md)
+
+### **A logon from a malicious IP has been detected. [seen multiple times]**
+
+**Description**: A successful remote authentication for the account [account] and process [process] occurred, however the logon IP address (x.x.x.x) has previously been reported as malicious or highly unusual. A successful attack has probably occurred. Files with the .scr extensions are screen saver files and are normally reside and execute from the Windows system directory.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: High
+
+### **Adaptive application control policy violation was audited**
+
+VM_AdaptiveApplicationControlWindowsViolationAudited
+
+**Description**: The below users ran applications that are violating the application control policy of your organization on this machine. It can possibly expose the machine to malware or application vulnerabilities.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Execution
+
+**Severity**: Informational
+
+### **Addition of Guest account to Local Administrators group**
+
+**Description**: Analysis of host data has detected the addition of the built-in Guest account to the Local Administrators group on %{Compromised Host}, which is strongly associated with attacker activity.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Medium
+
+### **An event log was cleared**
+
+**Description**: Machine logs indicate a suspicious event log clearing operation by user: '%{user name}' in Machine: '%{CompromisedEntity}'. The %{log channel} log was cleared.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Informational
+
+### **Antimalware Action Failed**
+
+**Description**: Microsoft Antimalware has encountered an error when taking an action on malware or other potentially unwanted software.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Medium
+
+### **Antimalware Action Taken**
+
+**Description**: Microsoft Antimalware for Azure has taken an action to protect this machine from malware or other potentially unwanted software.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Medium
+
+### **Antimalware broad files exclusion in your virtual machine**
+
+(VM_AmBroadFilesExclusion)
+
+**Description**: Files exclusion from antimalware extension with broad exclusion rule was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Such exclusion practically disabling the Antimalware protection.
+Attackers might exclude files from the antimalware scan on your virtual machine to prevent detection while running arbitrary code or infecting the machine with malware.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Medium
+
+### **Antimalware disabled and code execution in your virtual machine**
+
+(VM_AmDisablementAndCodeExecution)
+
+**Description**: Antimalware disabled at the same time as code execution on your virtual machine. This was detected by analyzing Azure Resource Manager operations in your subscription.
+Attackers disable antimalware scanners to prevent detection while running unauthorized tools or infecting the machine with malware.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: High
+
+### **Antimalware disabled in your virtual machine**
+
+(VM_AmDisablement)
+
+**Description**: Antimalware disabled in your virtual machine. This was detected by analyzing Azure Resource Manager operations in your subscription.
+Attackers might disable the antimalware on your virtual machine to prevent detection.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Defense Evasion
+
+**Severity**: Medium
+
+### **Antimalware file exclusion and code execution in your virtual machine**
+
+(VM_AmFileExclusionAndCodeExecution)
+
+**Description**: File excluded from your antimalware scanner at the same time as code was executed via a custom script extension on your virtual machine. This was detected by analyzing Azure Resource Manager operations in your subscription.
+Attackers might exclude files from the antimalware scan on your virtual machine to prevent detection while running unauthorized tools or infecting the machine with malware.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Defense Evasion, Execution
+
+**Severity**: High
+
+### **Antimalware file exclusion and code execution in your virtual machine (temporary)**
+
+(VM_AmTempFileExclusionAndCodeExecution)
+
+**Description**: Temporary file exclusion from antimalware extension in parallel to execution of code via custom script extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.
+Attackers might exclude files from the antimalware scan on your virtual machine to prevent detection while running arbitrary code or infecting the machine with malware.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Defense Evasion, Execution
+
+**Severity**: High
+
+### **Antimalware file exclusion in your virtual machine**
+
+(VM_AmTempFileExclusion)
+
+**Description**: File excluded from your antimalware scanner on your virtual machine. This was detected by analyzing Azure Resource Manager operations in your subscription.
+Attackers might exclude files from the antimalware scan on your virtual machine to prevent detection while running unauthorized tools or infecting the machine with malware.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Defense Evasion
+
+**Severity**: Medium
+
+### **Antimalware real-time protection was disabled in your virtual machine**
+
+(VM_AmRealtimeProtectionDisabled)
+
+**Description**: Real-time protection disablement of the antimalware extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.
+Attackers might disable real-time protection from the antimalware scan on your virtual machine to avoid detection while running arbitrary code or infecting the machine with malware.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Defense Evasion
+
+**Severity**: Medium
+
+### **Antimalware real-time protection was disabled temporarily in your virtual machine**
+
+(VM_AmTempRealtimeProtectionDisablement)
+
+**Description**: Real-time protection temporary disablement of the antimalware extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.
+Attackers might disable real-time protection from the antimalware scan on your virtual machine to avoid detection while running arbitrary code or infecting the machine with malware.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Defense Evasion
+
+**Severity**: Medium
+
+### **Antimalware real-time protection was disabled temporarily while code was executed in your virtual machine**
+
+(VM_AmRealtimeProtectionDisablementAndCodeExec)
+
+**Description**: Real-time protection temporary disablement of the antimalware extension in parallel to code execution via custom script extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.
+Attackers might disable real-time protection from the antimalware scan on your virtual machine to avoid detection while running arbitrary code or infecting the machine with malware.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: High
+
+### **Antimalware scans blocked for files potentially related to malware campaigns on your virtual machine (Preview)**
+
+(VM_AmMalwareCampaignRelatedExclusion)
+
+**Description**: An exclusion rule was detected in your virtual machine to prevent your antimalware extension scanning certain files that are suspected of being related to a malware campaign. The rule was detected by analyzing the Azure Resource Manager operations in your subscription. Attackers might exclude files from antimalware scans to prevent detection while running arbitrary code or infecting the machine with malware.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Defense Evasion
+
+**Severity**: Medium
+
+### **Antimalware temporarily disabled in your virtual machine**
+
+(VM_AmTemporarilyDisablement)
+
+**Description**: Antimalware temporarily disabled in your virtual machine. This was detected by analyzing Azure Resource Manager operations in your subscription.
+Attackers might disable the antimalware on your virtual machine to prevent detection.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Medium
+
+### **Antimalware unusual file exclusion in your virtual machine**
+
+(VM_UnusualAmFileExclusion)
+
+**Description**: Unusual file exclusion from antimalware extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.
+Attackers might exclude files from the antimalware scan on your virtual machine to prevent detection while running arbitrary code or infecting the machine with malware.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Defense Evasion
+
+**Severity**: Medium
+
+### **Communication with suspicious domain identified by threat intelligence**
+
+(AzureDNS_ThreatIntelSuspectDomain)
+
+**Description**: Communication with suspicious domain was detected by analyzing DNS transactions from your resource and comparing against known malicious domains identified by threat intelligence feeds. Communication to malicious domains is frequently performed by attackers and could imply that your resource is compromised.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Initial Access, Persistence, Execution, Command And Control, Exploitation
+
+**Severity**: Medium
+
+### **Detected actions indicative of disabling and deleting IIS log files**
+
+**Description**: Analysis of host data detected actions that show IIS log files being disabled and/or deleted.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Medium
+
+### **Detected anomalous mix of upper and lower case characters in command-line**
+
+**Description**: Analysis of host data on %{Compromised Host} detected a command line with anomalous mix of upper and lower case characters. This kind of pattern, while possibly benign, is also typical of attackers trying to hide from case-sensitive or hash-based rule matching when performing administrative tasks on a compromised host.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Medium
+
+### **Detected change to a registry key that can be abused to bypass UAC**
+
+**Description**: Analysis of host data on %{Compromised Host} detected that a registry key that can be abused to bypass UAC (User Account Control) was changed. This kind of configuration, while possibly benign, is also typical of attacker activity when trying to move from unprivileged (standard user) to privileged (for example administrator) access on a compromised host.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Medium
+
+### **Detected decoding of an executable using built-in certutil.exe tool**
+
+**Description**: Analysis of host data on %{Compromised Host} detected that certutil.exe, a built-in administrator utility, was being used to decode an executable instead of its mainstream purpose that relates to manipulating certificates and certificate data. Attackers are known to abuse functionality of legitimate administrator tools to perform malicious actions, for example using a tool such as certutil.exe to decode a malicious executable that will then be subsequently executed.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: High
+
+### **Detected enabling of the WDigest UseLogonCredential registry key**
+
+**Description**: Analysis of host data detected a change in the registry key HKLM\SYSTEM\ CurrentControlSet\Control\SecurityProviders\WDigest\ "UseLogonCredential". Specifically this key has been updated to allow logon credentials to be stored in clear text in LSA memory. Once enabled, an attacker can dump clear text passwords from LSA memory with credential harvesting tools such as Mimikatz.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Medium
+
+### **Detected encoded executable in command line data**
+
+**Description**: Analysis of host data on %{Compromised Host} detected a base-64 encoded executable. This has previously been associated with attackers attempting to construct executables on-the-fly through a sequence of commands, and attempting to evade intrusion detection systems by ensuring that no individual command would trigger an alert. This could be legitimate activity, or an indication of a compromised host.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: High
+
+### **Detected obfuscated command line**
+
+**Description**: Attackers use increasingly complex obfuscation techniques to evade detections that run against the underlying data. Analysis of host data on %{Compromised Host} detected suspicious indicators of obfuscation on the commandline.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Informational
+
+### **Detected possible execution of keygen executable**
+
+**Description**: Analysis of host data on %{Compromised Host} detected execution of a process whose name is indicative of a keygen tool; such tools are typically used to defeat software licensing mechanisms but their download is often bundled with other malicious software. Activity group GOLD has been known to make use of such keygens to covertly gain back door access to hosts that they compromise.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Medium
+
+### **Detected possible execution of malware dropper**
+
+**Description**: Analysis of host data on %{Compromised Host} detected a filename that has previously been associated with one of activity group GOLD's methods of installing malware on a victim host.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: High
+
+### **Detected possible local reconnaissance activity**
+
+**Description**: Analysis of host data on %{Compromised Host} detected a combination of systeminfo commands that has previously been associated with one of activity group GOLD's methods of performing reconnaissance activity. While 'systeminfo.exe' is a legitimate Windows tool, executing it twice in succession in the way that has occurred here is rare.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Low
+
+### **Detected potentially suspicious use of Telegram tool**
+
+**Description**: Analysis of host data shows installation of Telegram, a free cloud-based instant messaging service that exists both for mobile and desktop system. Attackers are known to abuse this service to transfer malicious binaries to any other computer, phone, or tablet.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Medium
+
+### **Detected suppression of legal notice displayed to users at logon**
+
+**Description**: Analysis of host data on %{Compromised Host} detected changes to the registry key that controls whether a legal notice is displayed to users when they log on. Microsoft security analysis has determined that this is a common activity undertaken by attackers after having compromised a host.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Low
+
+### **Detected suspicious combination of HTA and PowerShell**
+
+**Description**: mshta.exe (Microsoft HTML Application Host) which is a signed Microsoft binary is being used by the attackers to launch malicious PowerShell commands. Attackers often resort to having an HTA file with inline VBScript. When a victim browses to the HTA file and chooses to run it, the PowerShell commands and scripts that it contains are executed. Analysis of host data on %{Compromised Host} detected mshta.exe launching PowerShell commands.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Medium
+
+### **Detected suspicious commandline arguments**
+
+**Description**: Analysis of host data on %{Compromised Host} detected suspicious commandline arguments that have been used in conjunction with a reverse shell used by activity group HYDROGEN.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: High
+
+### **Detected suspicious commandline used to start all executables in a directory**
+
+**Description**: Analysis of host data has detected a suspicious process running on %{Compromised Host}. The commandline indicates an attempt to start all executables (*.exe) that might reside in a directory. This could be an indication of a compromised host.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Medium
+
+### **Detected suspicious credentials in commandline**
+
+**Description**: Analysis of host data on %{Compromised Host} detected a suspicious password being used to execute a file by activity group BORON. This activity group has been known to use this password to execute Pirpi malware on a victim host.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: High
+
+### **Detected suspicious document credentials**
+
+**Description**: Analysis of host data on %{Compromised Host} detected a suspicious, common precomputed password hash used by malware being used to execute a file. Activity group HYDROGEN has been known to use this password to execute malware on a victim host.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: High
+
+### **Detected suspicious execution of VBScript.Encode command**
+
+**Description**: Analysis of host data on %{Compromised Host} detected the execution of VBScript.Encode command. This encodes the scripts into unreadable text, making it more difficult for users to examine the code. Microsoft threat research shows that attackers often use encoded VBscript files as part of their attack to evade detection systems. This could be legitimate activity, or an indication of a compromised host.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Medium
+
+### **Detected suspicious execution via rundll32.exe**
+
+**Description**: Analysis of host data on %{Compromised Host} detected rundll32.exe being used to execute a process with an uncommon name, consistent with the process naming scheme previously seen used by activity group GOLD when installing their first stage implant on a compromised host.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: High
+
+### **Detected suspicious file cleanup commands**
+
+**Description**: Analysis of host data on %{Compromised Host} detected a combination of systeminfo commands that has previously been associated with one of activity group GOLD's methods of performing post-compromise self-cleanup activity. While 'systeminfo.exe' is a legitimate Windows tool, executing it twice in succession, followed by a delete command in the way that has occurred here is rare.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: High
+
+### **Detected suspicious file creation**
+
+**Description**: Analysis of host data on %{Compromised Host} detected creation or execution of a process that has previously indicated post-compromise action taken on a victim host by activity group BARIUM. This activity group has been known to use this technique to download more malware to a compromised host after an attachment in a phishing doc has been opened.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: High
+
+### **Detected suspicious named pipe communications**
+
+**Description**: Analysis of host data on %{Compromised Host} detected data being written to a local named pipe from a Windows console command. Named pipes are known to be a channel used by attackers to task and communicate with a malicious implant. This could be legitimate activity, or an indication of a compromised host.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: High
+
+### **Detected suspicious network activity**
+
+**Description**: Analysis of network traffic from %{Compromised Host} detected suspicious network activity. Such traffic, while possibly benign, is typically used by an attacker to communicate with malicious servers for downloading of tools, command-and-control and exfiltration of data. Typical related attacker activity includes copying remote administration tools to a compromised host and exfiltrating user data from it.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Low
+
+### **Detected suspicious new firewall rule**
+
+**Description**: Analysis of host data detected a new firewall rule has been added via netsh.exe to allow traffic from an executable in a suspicious location.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Medium
+
+### **Detected suspicious use of Cacls to lower the security state of the system**
+
+**Description**: Attackers use myriad ways like brute force, spear phishing etc. to achieve initial compromise and get a foothold on the network. Once initial compromise is achieved they often take steps to lower the security settings of a system. Cacls—short for change access control list is Microsoft Windows native command-line utility often used for modifying the security permission on folders and files. A lot of time the binary is used by the attackers to lower the security settings of a system. This is done by giving Everyone full access to some of the system binaries like ftp.exe, net.exe, wscript.exe etc. Analysis of host data on %{Compromised Host} detected suspicious use of Cacls to lower the security of a system.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Medium
+
+### **Detected suspicious use of FTP -s Switch**
+
+**Description**: Analysis of process creation data from the %{Compromised Host} detected the use of the FTP "-s:filename" switch. This switch is used to specify an FTP script file for the client to run. Malware or malicious processes are known to use this FTP switch (-s:filename) to point to a script file, which is configured to connect to a remote FTP server and download more malicious binaries.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Medium
+
+### **Detected suspicious use of Pcalua.exe to launch executable code**
+
+**Description**: Analysis of host data on %{Compromised Host} detected the use of pcalua.exe to launch executable code. Pcalua.exe is component of the Microsoft Windows "Program Compatibility Assistant", which detects compatibility issues during the installation or execution of a program. Attackers are known to abuse functionality of legitimate Windows system tools to perform malicious actions, for example using pcalua.exe with the -a switch to launch malicious executables either locally or from remote shares.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Medium
+
+### **Detected the disabling of critical services**
+
+**Description**: The analysis of host data on %{Compromised Host} detected execution of "net.exe stop" command being used to stop critical services like SharedAccess or the Windows Security app. The stopping of either of these services can be indication of a malicious behavior.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Medium
+
+### **Digital currency mining related behavior detected**
+
+**Description**: Analysis of host data on %{Compromised Host} detected the execution of a process or command normally associated with digital currency mining.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: High
+
+### **Dynamic PS script construction**
+
+**Description**: Analysis of host data on %{Compromised Host} detected a PowerShell script being constructed dynamically. Attackers sometimes use this approach of progressively building up a script in order to evade IDS systems. This could be legitimate activity, or an indication that one of your machines has been compromised.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Medium
+
+### **Executable found running from a suspicious location**
+
+**Description**: Analysis of host data detected an executable file on %{Compromised Host} that is running from a location in common with known suspicious files. This executable could either be legitimate activity, or an indication of a compromised host.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: High
+
+### **Fileless attack behavior detected**
+
+(VM_FilelessAttackBehavior.Windows)
+
+**Description**: The memory of the process specified contains behaviors commonly used by fileless attacks. Specific behaviors include:
+
+1) Shellcode, which is a small piece of code typically used as the payload in the exploitation of a software vulnerability.
+2) Active network connections. See NetworkConnections below for details.
+3) Function calls to security sensitive operating system interfaces. See Capabilities below for referenced OS capabilities.
+4) Contains a thread that was started in a dynamically allocated code segment. This is a common pattern for process injection attacks.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Defense Evasion
+
+**Severity**: Low
+
+### **Fileless attack technique detected**
+
+(VM_FilelessAttackTechnique.Windows)
+
+**Description**: The memory of the process specified below contains evidence of a fileless attack technique. Fileless attacks are used by attackers to execute code while evading detection by security software. Specific behaviors include:
+
+1) Shellcode, which is a small piece of code typically used as the payload in the exploitation of a software vulnerability.
+2) Executable image injected into the process, such as in a code injection attack.
+3) Active network connections. See NetworkConnections below for details.
+4) Function calls to security sensitive operating system interfaces. See Capabilities below for referenced OS capabilities.
+5) Process hollowing, which is a technique used by malware in which a legitimate process is loaded on the system to act as a container for hostile code.
+6) Contains a thread that was started in a dynamically allocated code segment. This is a common pattern for process injection attacks.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Defense Evasion, Execution
+
+**Severity**: High
+
+### **Fileless attack toolkit detected**
+
+(VM_FilelessAttackToolkit.Windows)
+
+**Description**: The memory of the process specified contains a fileless attack toolkit: [toolkit name]. Fileless attack toolkits use techniques that minimize or eliminate traces of malware on disk, and greatly reduce the chances of detection by disk-based malware scanning solutions. Specific behaviors include:
+
+1) Well-known toolkits and crypto mining software.
+2) Shellcode, which is a small piece of code typically used as the payload in the exploitation of a software vulnerability.
+3) Injected malicious executable in process memory.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Defense Evasion, Execution
+
+**Severity**: Medium
+
+### **High risk software detected**
+
+**Description**: Analysis of host data from %{Compromised Host} detected the usage of software that has been associated with the installation of malware in the past. A common technique utilized in the distribution of malicious software is to package it within otherwise benign tools such as the one seen in this alert. When you use these tools, the malware can be silently installed in the background.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Medium
+
+### **Local Administrators group members were enumerated**
+
+**Description**: Machine logs indicate a successful enumeration on group %{Enumerated Group Domain Name}\%{Enumerated Group Name}. Specifically, %{Enumerating User Domain Name}\%{Enumerating User Name} remotely enumerated the members of the %{Enumerated Group Domain Name}\%{Enumerated Group Name} group. This activity could either be legitimate activity, or an indication that a machine in your organization has been compromised and used to reconnaissance %{vmname}.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Informational
+
+### **Malicious firewall rule created by ZINC server implant [seen multiple times]**
+
+**Description**: A firewall rule was created using techniques that match a known actor, ZINC. The rule was possibly used to open a port on %{Compromised Host} to allow for Command & Control communications. This behavior was seen [x] times today on the following machines: [Machine names]
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: High
+
+### **Malicious SQL activity**
+
+**Description**: Machine logs indicate that '%{process name}' was executed by account: %{user name}. This activity is considered malicious.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: High
+
+### **Multiple Domain Accounts Queried**
+
+**Description**: Analysis of host data has determined that an unusual number of distinct domain accounts are being queried within a short time period from %{Compromised Host}. This kind of activity could be legitimate, but can also be an indication of compromise.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Medium
+
+### **Possible credential dumping detected [seen multiple times]**
+
+**Description**: Analysis of host data has detected use of native windows tool (for example, sqldumper.exe) being used in a way that allows to extract credentials from memory. Attackers often use these techniques to extract credentials that they then further use for lateral movement and privilege escalation. This behavior was seen [x] times today on the following machines: [Machine names]
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Medium
+
+### **Potential attempt to bypass AppLocker detected**
+
+**Description**: Analysis of host data on %{Compromised Host} detected a potential attempt to bypass AppLocker restrictions. AppLocker can be configured to implement a policy that limits what executables are allowed to run on a Windows system. The command-line pattern similar to that identified in this alert has been previously associated with attacker attempts to circumvent AppLocker policy by using trusted executables (allowed by AppLocker policy) to execute untrusted code. This could be legitimate activity, or an indication of a compromised host.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: High
+
+### **Rare SVCHOST service group executed**
+
+(VM_SvcHostRunInRareServiceGroup)
+
+**Description**: The system process SVCHOST was observed running a rare service group. Malware often uses SVCHOST to masquerade its malicious activity.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Defense Evasion, Execution
+
+**Severity**: Informational
+
+### **Sticky keys attack detected**
+
+**Description**: Analysis of host data indicates that an attacker might be subverting an accessibility binary (for example sticky keys, onscreen keyboard, narrator) in order to provide backdoor access to the host %{Compromised Host}.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Medium
+
+### **Successful brute force attack**
+
+(VM_LoginBruteForceSuccess)
+
+**Description**: Several sign in attempts were detected from the same source. Some successfully authenticated to the host.
+This resembles a burst attack, in which an attacker performs numerous authentication attempts to find valid account credentials.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Exploitation
+
+**Severity**: Medium/High
+
+### **Suspect integrity level indicative of RDP hijacking**
+
+**Description**: Analysis of host data has detected the tscon.exe running with SYSTEM privileges - this can be indicative of an attacker abusing this binary in order to switch context to any other logged on user on this host; it's a known attacker technique to compromise more user accounts and move laterally across a network.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Medium
+
+### **Suspect service installation**
+
+**Description**: Analysis of host data has detected the installation of tscon.exe as a service: this binary being started as a service potentially allows an attacker to trivially switch to any other logged on user on this host by hijacking RDP connections; it's a known attacker technique to compromise more user accounts and move laterally across a network.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Medium
+
+### **Suspected Kerberos Golden Ticket attack parameters observed**
+
+**Description**: Analysis of host data detected commandline parameters consistent with a Kerberos Golden Ticket attack.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Medium
+
+### **Suspicious Account Creation Detected**
+
+**Description**: Analysis of host data on %{Compromised Host} detected creation or use of a local account %{Suspicious account name} : this account name closely resembles a standard Windows account or group name '%{Similar To Account Name}'. This is potentially a rogue account created by an attacker, so named in order to avoid being noticed by a human administrator.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Medium
+
+### **Suspicious Activity Detected**
+
+(VM_SuspiciousActivity)
+
+**Description**: Analysis of host data has detected a sequence of one or more processes running on %{machine name} that have historically been associated with malicious activity. While individual commands might appear benign the alert is scored based on an aggregation of these commands. This could either be legitimate activity, or an indication of a compromised host.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Execution
+
+**Severity**: Medium
+
+### **Suspicious authentication activity**
+
+(VM_LoginBruteForceValidUserFailed)
+
+**Description**: Although none of them succeeded, some of them used accounts were recognized by the host. This resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host. This indicates that some of your host account names might exist in a well-known account name dictionary.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Probing
+
+**Severity**: Medium
+
+### **Suspicious code segment detected**
+
+**Description**: Indicates that a code segment has been allocated by using non-standard methods, such as reflective injection and process hollowing. The alert provides more characteristics of the code segment that have been processed to provide context for the capabilities and behaviors of the reported code segment.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Medium
+
+### **Suspicious double extension file executed**
+
+**Description**: Analysis of host data indicates an execution of a process with a suspicious double extension. This extension might trick users into thinking files are safe to be opened and might indicate the presence of malware on the system.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: High
+
+### **Suspicious download using Certutil detected [seen multiple times]**
+
+**Description**: Analysis of host data on %{Compromised Host} detected the use of certutil.exe, a built-in administrator utility, for the download of a binary instead of its mainstream purpose that relates to manipulating certificates and certificate data. Attackers are known to abuse functionality of legitimate administrator tools to perform malicious actions, for example using certutil.exe to download and decode a malicious executable that will then be subsequently executed. This behavior was seen [x] times today on the following machines: [Machine names]
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Medium
+
+### **Suspicious download using Certutil detected**
+
+**Description**: Analysis of host data on %{Compromised Host} detected the use of certutil.exe, a built-in administrator utility, for the download of a binary instead of its mainstream purpose that relates to manipulating certificates and certificate data. Attackers are known to abuse functionality of legitimate administrator tools to perform malicious actions, for example using certutil.exe to download and decode a malicious executable that will then be subsequently executed.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Medium
+
+### **Suspicious PowerShell Activity Detected**
+
+**Description**: Analysis of host data detected a PowerShell script running on %{Compromised Host} that has features in common with known suspicious scripts. This script could either be legitimate activity, or an indication of a compromised host.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: High
+
+### **Suspicious PowerShell cmdlets executed**
+
+**Description**: Analysis of host data indicates execution of known malicious PowerShell PowerSploit cmdlets.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Medium
+
+### **Suspicious process executed [seen multiple times]**
+
+**Description**: Machine logs indicate that the suspicious process: '%{Suspicious Process}' was running on the machine, often associated with attacker attempts to access credentials. This behavior was seen [x] times today on the following machines: [Machine names]
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: High
+
+### **Suspicious process executed**
+
+**Description**: Machine logs indicate that the suspicious process: '%{Suspicious Process}' was running on the machine, often associated with attacker attempts to access credentials.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: High
+
+### **Suspicious process name detected [seen multiple times]**
+
+**Description**: Analysis of host data on %{Compromised Host} detected a process whose name is suspicious, for example corresponding to a known attacker tool or named in a way that is suggestive of attacker tools that try to hide in plain sight. This process could be legitimate activity, or an indication that one of your machines has been compromised. This behavior was seen [x] times today on the following machines: [Machine names]
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Medium
+
+### **Suspicious process name detected**
+
+**Description**: Analysis of host data on %{Compromised Host} detected a process whose name is suspicious, for example corresponding to a known attacker tool or named in a way that is suggestive of attacker tools that try to hide in plain sight. This process could be legitimate activity, or an indication that one of your machines has been compromised.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Medium
+
+### **Suspicious SQL activity**
+
+**Description**: Machine logs indicate that '%{process name}' was executed by account: %{user name}. This activity is uncommon with this account.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Medium
+
+### **Suspicious SVCHOST process executed**
+
+**Description**: The system process SVCHOST was observed running in an abnormal context. Malware often uses SVCHOST to masquerade its malicious activity.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: High
+
+### **Suspicious system process executed**
+
+(VM_SystemProcessInAbnormalContext)
+
+**Description**: The system process %{process name} was observed running in an abnormal context. Malware often uses this process name to masquerade its malicious activity.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Defense Evasion, Execution
+
+**Severity**: High
+
+### **Suspicious Volume Shadow Copy Activity**
+
+**Description**: Analysis of host data has detected a shadow copy deletion activity on the resource. Volume Shadow Copy (VSC) is an important artifact that stores data snapshots. Some malware and specifically Ransomware, targets VSC to sabotage backup strategies.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: High
+
+### **Suspicious WindowPosition registry value detected**
+
+**Description**: Analysis of host data on %{Compromised Host} detected an attempted WindowPosition registry configuration change that could be indicative of hiding application windows in nonvisible sections of the desktop. This could be legitimate activity, or an indication of a compromised machine: this type of activity has been previously associated with known adware (or unwanted software) such as Win32/OneSystemCare and Win32/SystemHealer and malware such as Win32/Creprote. When the WindowPosition value is set to 201329664, (Hex: 0x0c00 0c00, corresponding to X-axis=0c00 and the Y-axis=0c00) this places the console app's window in a non-visible section of the user's screen in an area that is hidden from view below the visible start menu/taskbar. Known suspect Hex value includes, but not limited to c000c000.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Low
+
+### **Suspiciously named process detected**
+
+**Description**: Analysis of host data on %{Compromised Host} detected a process whose name is very similar to but different from a very commonly run process (%{Similar To Process Name}). While this process could be benign attackers are known to sometimes hide in plain sight by naming their malicious tools to resemble legitimate process names.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: Medium
+
+### **Unusual config reset in your virtual machine**
+
+(VM_VMAccessUnusualConfigReset)
+
+**Description**: An unusual config reset was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.
+While this action might be legitimate, attackers can try utilizing VM Access extension to reset the configuration in your virtual machine and compromise it.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Credential Access
+
+**Severity**: Medium
+
+### **Unusual process execution detected**
+
+**Description**: Analysis of host data on %{Compromised Host} detected the execution of a process by %{User Name} that was unusual. Accounts such as %{User Name} tend to perform a limited set of operations, this execution was determined to be out of character and might be suspicious.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: -
+
+**Severity**: High
+
+### **Unusual user password reset in your virtual machine**
+
+(VM_VMAccessUnusualPasswordReset)
+
+**Description**: An unusual user password reset was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.
+While this action might be legitimate, attackers can try utilizing the VM Access extension to reset the credentials of a local user in your virtual machine and compromise it.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Credential Access
+
+**Severity**: Medium
+
+### **Unusual user SSH key reset in your virtual machine**
+
+(VM_VMAccessUnusualSSHReset)
+
+**Description**: An unusual user SSH key reset was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.
+While this action might be legitimate, attackers can try utilizing VM Access extension to reset SSH key of a user account in your virtual machine and compromise it.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Credential Access
+
+**Severity**: Medium
+
+### **VBScript HTTP object allocation detected**
+
+**Description**: Creation of a VBScript file using Command Prompt has been detected. The following script contains HTTP object allocation command. This action can be used to download malicious files.
+
+### **Suspicious installation of GPU extension in your virtual machine (Preview)**
+
+ (VM_GPUDriverExtensionUnusualExecution)
+
+**Description**: Suspicious installation of a GPU extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Attackers might use the GPU driver extension to install GPU drivers on your virtual machine via the Azure Resource Manager to perform cryptojacking.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Impact
+
+**Severity**: Low
+
+### **AzureHound tool invocation detected**
+
+(ARM_AzureHound)
+
+**Description**: AzureHound was run in your subscription and performed information gathering operations to enumerate resources. Threat actors use automated tools, like AzureHound, to enumerate resources and use them to access sensitive data or perform lateral movement. This was detected by analyzing Azure Resource Manager operations in your subscription. This operation might indicate that an identity in your organization was breached, and that the threat actor is trying to compromise your environment.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Discovery
+
+**Severity**: Medium
+
+> [!NOTE]
+> For alerts that are in preview: [!INCLUDE [Legalese](../../includes/defender-for-cloud-preview-legal-text.md)]
+
+## Next steps
+
+- [Security alerts in Microsoft Defender for Cloud](alerts-overview.md)
+- [Manage and respond to security alerts in Microsoft Defender for Cloud](managing-and-responding-alerts.yml)
+- [Continuously export Defender for Cloud data](continuous-export.md)
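Review bot: the description under "Suspicious authentication activity" (VM_LoginBruteForceValidUserFailed) opens with "Although none of them succeeded, some of them used accounts were recognized by the host", which has no antecedent for "them" and does not parse; the sibling "Successful brute force attack" entry shows the intended opening, e.g. "Several sign in attempts were detected from the same source. Although none of them succeeded, some of the accounts they used were recognized by the host." Two smaller consistency points in the same file: "VBScript HTTP object allocation detected" is the only entry with no **MITRE tactics** and **Severity** lines, and the two entries after it ("Suspicious installation of GPU extension in your virtual machine (Preview)" and "AzureHound tool invocation detected") break the alphabetical order the rest of the table follows, with a stray leading space before "(VM_GPUDriverExtensionUnusualExecution)".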
defender-for-cloud Concept Defender For Cosmos https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/concept-defender-for-cosmos.md
You can use this information to quickly remediate security issues and improve th
Alerts include details of the incident that triggered them, and recommendations on how to investigate and remediate threats. Alerts can be exported to Microsoft Sentinel or any other third-party SIEM or any other external tool. To learn how to stream alerts, see [Stream alerts to a SIEM, SOAR, or IT classic deployment model solution](export-to-siem.md). > [!TIP]
-> For a comprehensive list of all Defender for Azure Cosmos DB alerts, see the [alerts reference page](alerts-reference.md#alerts-for-azure-cosmos-db). This is useful for workload owners who want to know what threats can be detected and help SOC teams gain familiarity with detections before investigating them. Learn more about what's in a Defender for Cloud security alert, and how to manage your alerts in [Manage and respond to security alerts in Microsoft Defender for Cloud](managing-and-responding-alerts.yml).
+> For a comprehensive list of all Defender for Azure Cosmos DB alerts, see the [alerts reference page](alerts-azure-cosmos-db.md). This is useful for workload owners who want to know what threats can be detected and help SOC teams gain familiarity with detections before investigating them. Learn more about what's in a Defender for Cloud security alert, and how to manage your alerts in [Manage and respond to security alerts in Microsoft Defender for Cloud](managing-and-responding-alerts.yml).
## Alert types
defender-for-cloud Defender For App Service Introduction https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-app-service-introduction.md
Dangling DNS protection is available whether your domains are managed with Azure
Learn more about dangling DNS and the threat of subdomain takeover, in [Prevent dangling DNS entries and avoid subdomain takeover](../security/fundamentals/subdomain-takeover.md).
-For a full list of the App Service alerts, see the [Reference table of alerts](alerts-reference.md#alerts-for-azure-app-service).
+For a full list of the App Service alerts, see the [Reference table of alerts](alerts-azure-app-service.md).
> [!NOTE] > Defender for Cloud might not trigger dangling DNS alerts if your custom domain doesn't point directly to an App Service resource, or if Defender for Cloud hasn't monitored traffic to your website since the dangling DNS protection was enabled (because there won't be logs to help identify the custom domain).
In this article, you learned about Microsoft Defender for App Service.
For related material, see the following articles: - To export your alerts to Microsoft Sentinel, any third-party SIEM, or any other external tool, follow the instructions in [Stream alerts to monitoring solutions](export-to-siem.md).-- For a list of the Microsoft Defender for App Service alerts, see the [Reference table of alerts](alerts-reference.md#alerts-for-azure-app-service).
+- For a list of the Microsoft Defender for App Service alerts, see the [Reference table of alerts](alerts-azure-app-service.md).
- For more information on App Service plans, see [App Service plans](https://azure.microsoft.com/pricing/details/app-service/plans/).
defender-for-cloud Defender For Containers Enable https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-containers-enable.md
You can also learn more by watching these videos from the Defender for Cloud in
## Simulate security alerts from Microsoft Defender for Containers
-A full list of supported alerts is available in the [reference table of all Defender for Cloud security alerts](alerts-reference.md#alerts-for-containerskubernetes-clusters).
+A full list of supported alerts is available in the [reference table of all Defender for Cloud security alerts](alerts-containers.md).
1. To simulate a security alert, run the following command from the cluster:
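Review bot: the sentence still says the list "is available in the reference table of all Defender for Cloud security alerts" while the link now targets alerts-containers.md rather than a section of alerts-reference.md, so the wording no longer matches the destination; consider "A full list of supported alerts is available in the [Defender for Containers alerts reference](alerts-containers.md)."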
defender-for-cloud Defender For Containers Introduction https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-containers-introduction.md
The security alerts page opens:
:::image type="content" source="media/defender-for-containers/view-containers-alerts.png" alt-text="Screenshot showing you where to view the list of alerts." lightbox="media/defender-for-containers/view-containers-alerts.png":::
-Security alerts for runtime workload in the clusters can be recognized by the `K8S.NODE_` prefix of the alert type. For a full list of the cluster level alerts, see the [reference table of alerts](alerts-reference.md#alerts-for-containerskubernetes-clusters).
+Security alerts for runtime workload in the clusters can be recognized by the `K8S.NODE_` prefix of the alert type. For a full list of the cluster level alerts, see the [reference table of alerts](alerts-containers.md).
Defender for Containers also includes host-level threat detection with over 60 Kubernetes-aware analytics, AI, and anomaly detections based on your runtime workload.
defender-for-cloud Defender For Databases Enable Cosmos Protections https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-databases-enable-cosmos-protections.md
Use an Azure Policy to enable Microsoft Defender for Cloud across storage accoun
## Simulate security alerts from Microsoft Defender for Azure Cosmos DB
-A full list of [supported alerts](alerts-reference.md#alerts-for-azure-cosmos-db) is available in the reference table of all Defender for Cloud security alerts.
+A full list of [supported alerts](alerts-azure-cosmos-db.md) is available in the reference table of all Defender for Cloud security alerts.
You can use sample Microsoft Defender for Azure Cosmos DB alerts to evaluate their value, and capabilities. Sample alerts will also validate any configurations you've made for your security alerts (such as SIEM integrations, workflow automation, and email notifications).
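Review bot: same mismatch as in the other retargeted links: "A full list of [supported alerts](alerts-azure-cosmos-db.md) is available in the reference table of all Defender for Cloud security alerts" now points at a standalone Azure Cosmos DB page, not the all-alerts reference table, so the trailing clause is stale; suggest "A full list of supported alerts is available in the [Defender for Azure Cosmos DB alerts reference](alerts-azure-cosmos-db.md)."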
defender-for-cloud Defender For Databases Introduction https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-databases-introduction.md
Threat intelligence enriched multicloud alerts are triggered when there are:
- **Brute-force attacks** ΓÇô With the ability to separate simple brute force or a successful brute force. > [!TIP]
-> View the full list of multicloud alerts for database servers [in the alerts reference page](alerts-reference.md#alerts-for-open-source-relational-databases).
+> View the full list of multicloud alerts for database servers [in the alerts reference page](alerts-open-source-relational-databases.md).
## Related articles
defender-for-cloud Defender For Dns Introduction https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-dns-introduction.md
Microsoft Defender for DNS detects suspicious and anomalous activities such as:
- **DNS attacks** - communication with malicious DNS resolvers - **Communication with domains used for malicious activities** such as phishing and crypto mining
-A full list of the alerts provided by Microsoft Defender for DNS is on the [alerts reference page](alerts-reference.md#alerts-for-dns).
+A full list of the alerts provided by Microsoft Defender for DNS is on the [alerts reference page](alerts-dns.md).
## Dependencies
defender-for-cloud Defender For Key Vault Introduction https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-key-vault-introduction.md
In this article, you learned about Microsoft Defender for Key Vault.
For related material, see the following articles: -- [Key Vault security alerts](alerts-reference.md#alerts-for-azure-key-vault)--The Key Vault section of the reference table for all Microsoft Defender for Cloud alerts
+- [Key Vault security alerts](alerts-azure-key-vault.md)--The Key Vault section of the reference table for all Microsoft Defender for Cloud alerts
- [Continuously export Defender for Cloud data](continuous-export.md) - [Suppress security alerts](alerts-suppression-rules.md)
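Review bot: the bullet's trailing description, "The Key Vault section of the reference table for all Microsoft Defender for Cloud alerts", no longer describes the link target, which is now the standalone page alerts-azure-key-vault.md rather than a section of the all-alerts table; shorten it to something like "Reference page for Defender for Key Vault alerts".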
defender-for-cloud Defender For Kubernetes Introduction https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-kubernetes-introduction.md
Examples of security events that Microsoft Defenders for Kubernetes monitors inc
- Creation of high privileged roles - Creation of sensitive mounts.
-For a full list of the cluster level alerts, see alerts with "K8S_" prefix in the alert type in the [reference table of alerts](alerts-reference.md#alerts-for-containerskubernetes-clusters).
+For a full list of the cluster level alerts, see alerts with "K8S_" prefix in the alert type in the [reference table of alerts](alerts-containers.md).
## FAQ - Microsoft Defender for Kubernetes
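Review bot: the changed line keeps the instruction "see alerts with "K8S_" prefix in the alert type in the [reference table of alerts]" while the target is now the container-specific page alerts-containers.md, so the "reference table" wording reads as if the reader still lands on the all-alerts table. Consider "see the cluster-level alerts (alert types prefixed K8S_) in the [containers alerts reference](alerts-containers.md)". The context line above also spells the product as "Microsoft Defenders for Kubernetes"; fix it to "Defender" while this file is being touched.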
defender-for-cloud Defender For Resource Manager Introduction https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-resource-manager-introduction.md
Microsoft Defender for Resource Manager protects against issues including:
:::image type="content" source="media/defender-for-resource-manager-introduction/consistent-management-layer-with-defender.png" alt-text="Azure Resource Manager overview diagram.":::
-A full list of the alerts provided by Microsoft Defender for Resource Manager is on the [alerts reference page](alerts-reference.md#alerts-for-resource-manager).
+A full list of the alerts provided by Microsoft Defender for Resource Manager is on the [alerts reference page](alerts-resource-manager.md).
## Next steps
defender-for-cloud Defender For Sql Autoprovisioning https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-sql-autoprovisioning.md
Once the SQL server-targeted AMA autoprovisioning process has been enabled, you
For related information, see these resources: - [How Microsoft Defender for Azure SQL can protect SQL servers anywhere](https://www.youtube.com/watch?v=V7RdB6RSVpc).-- [Security alerts for SQL Database and Azure Synapse Analytics](alerts-reference.md#alerts-for-sql-database-and-azure-synapse-analytics)
+- [Security alerts for SQL Database and Azure Synapse Analytics](alerts-sql-database-and-azure-synapse-analytics.md)
- [Set up email notifications for security alerts](configure-email-notifications.md) - [Learn more about Microsoft Sentinel](../sentinel/index.yml) - Check out [common questions](faq-defender-for-databases.yml) about Defender for Databases.
defender-for-cloud Defender For Sql Introduction https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-sql-introduction.md
Threat intelligence enriched security alerts are triggered when there's:
- **Anomalous database access and query patterns** - for example, an abnormally high number of failed sign-in attempts with different credentials (a brute force attempt) - **Suspicious database activity** - for example, a legitimate user accessing an SQL Server from a breached computer that communicated with a crypto-mining C&C server
-Alerts include details of the incident that triggered them, and recommendations on how to investigate and remediate threats. Learn more about the [security alerts for SQL servers](alerts-reference.md#alerts-for-sql-database-and-azure-synapse-analytics).
+Alerts include details of the incident that triggered them, and recommendations on how to investigate and remediate threats. Learn more about the [security alerts for SQL servers](alerts-sql-database-and-azure-synapse-analytics.md).
## Next steps
defender-for-cloud Defender For Sql Usage https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-sql-usage.md
Last updated 09/21/2023
Defender for SQL protects your IaaS SQL Servers by identifying and mitigating potential database vulnerabilities and detecting anomalous activities that could indicate threats to your databases.
-Defender for Cloud populates with alerts when it detects suspicious database activities, potentially harmful attempts to access or exploit SQL machines, SQL injection attacks, anomalous database access, and query patterns. The alerts created by these types of events appear on the [alerts reference page](alerts-reference.md#alerts-for-sql-database-and-azure-synapse-analytics).
+Defender for Cloud populates with alerts when it detects suspicious database activities, potentially harmful attempts to access or exploit SQL machines, SQL injection attacks, anomalous database access, and query patterns. The alerts created by these types of events appear on the [alerts reference page](alerts-sql-database-and-azure-synapse-analytics.md).
Defender for Cloud uses vulnerability assessment to discover, track, and assist you in the remediation of potential database vulnerabilities. Assessment scans provide an overview of your SQL machines' security state and provide details of any security findings.
Alerts are designed to be self-contained, with detailed remediation steps and in
For related information, see these resources: - [How Microsoft Defender for Azure SQL can protect SQL servers anywhere](https://www.youtube.com/watch?v=V7RdB6RSVpc).-- [Security alerts for SQL Database and Azure Synapse Analytics](alerts-reference.md#alerts-for-sql-database-and-azure-synapse-analytics)
+- [Security alerts for SQL Database and Azure Synapse Analytics](alerts-sql-database-and-azure-synapse-analytics.md)
- [Set up email notifications for security alerts](configure-email-notifications.md) - [Learn more about Microsoft Sentinel](../sentinel/index.yml) - Check out [common questions](faq-defender-for-databases.yml) about Defender for Databases.
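Review bot: the changed line in the first hunk lists "SQL injection attacks, anomalous database access, and query patterns", which splits one detection category into two; defender-for-sql-introduction.md in this same change set calls it "Anomalous database access and query patterns", so drop the comma: "anomalous database access and query patterns". While the line is being edited, "Defender for Cloud populates with alerts" would read more clearly as "Defender for Cloud generates alerts". The second hunk's link text is fine as-is, since it names the SQL Database page it now points to.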
defender-for-cloud Defender For Storage Classic Enable https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-storage-classic-enable.md
The Microsoft Defender for Storage account inherits the tag of the Databricks wo
## Next steps -- Check out the [alerts for Azure Storage](alerts-reference.md#alerts-for-azure-storage)
+- Check out the [alerts for Azure Storage](alerts-azure-storage.md)
- Learn about the [features and benefits of Defender for Storage](defender-for-storage-introduction.md) - Check out [common questions](faq-defender-for-storage-classic.yml) about Defender for Storage classic.
defender-for-cloud Defender For Storage Classic https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-storage-classic.md
Security alerts are triggered for the following scenarios (typically from 1-2 ho
| **Phishing campaigns** | When content that's hosted on Azure Storage is identified as part of a phishing attack that's impacting Microsoft 365 users. | > [!TIP]
-> For a comprehensive list of all Defender for Storage (classic) alerts, see the [alerts reference page](alerts-reference.md#alerts-for-azure-storage). It is essential to review the prerequisites, as certain security alerts are only accessible under the new Defender for Storage plan. The information in the reference page is beneficial for workload owners seeking to understand detectable threats and enables Security Operations Center (SOC) teams to familiarize themselves with detections prior to conducting investigations. Learn more about what's in a Defender for Cloud security alert, and how to manage your alerts in [Manage and respond to security alerts in Microsoft Defender for Cloud](managing-and-responding-alerts.yml).
+> For a comprehensive list of all Defender for Storage (classic) alerts, see the [alerts reference page](alerts-azure-storage.md). It is essential to review the prerequisites, as certain security alerts are only accessible under the new Defender for Storage plan. The information in the reference page is beneficial for workload owners seeking to understand detectable threats and enables Security Operations Center (SOC) teams to familiarize themselves with detections prior to conducting investigations. Learn more about what's in a Defender for Cloud security alert, and how to manage your alerts in [Manage and respond to security alerts in Microsoft Defender for Cloud](managing-and-responding-alerts.yml).
Alerts include details of the incident that triggered them, and recommendations on how to investigate and remediate threats. Alerts can be exported to Microsoft Sentinel or any other third-party SIEM or any other external tool. Learn more in [Stream alerts to a SIEM, SOAR, or IT classic deployment model solution](export-to-siem.md).
defender-for-cloud Defender For Storage Test https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-storage-test.md
To simulate a malware upload using an EICAR test file, follow these steps:
1. b. Select on the alertΓÇÖs **View full details** button to see all the related details.
-1. Learn more about Defender for Storage security alerts in the [reference table for all security alerts in Microsoft Defender for Cloud](alerts-reference.md#alerts-for-azure-storage).
+1. Learn more about Defender for Storage security alerts in the [reference table for all security alerts in Microsoft Defender for Cloud](alerts-azure-storage.md).
## Testing sensitive data threat detection
To test the sensitive data threat detection feature by uploading test data that
:::image type="content" source="media/defender-for-storage-test/sensitive-data-alert.png" alt-text="Screenshot showing how to see an alert for a test file in Malware Scanning.":::
-Learn more about Defender for Storage security alerts in the [reference table for all security alerts in Microsoft Defender for Cloud](alerts-reference.md#alerts-for-azure-storage).
+Learn more about Defender for Storage security alerts in the [reference table for all security alerts in Microsoft Defender for Cloud](alerts-azure-storage.md).
## Testing activity monitoring
To test the activity monitoring feature by simulating access from a Tor exit nod
1. Select on the alertΓÇÖs **View full details** button to see all the related details.
-Learn more about Defender for Storage security alerts in the [reference table for all security alerts in Microsoft Defender for Cloud](alerts-reference.md#alerts-for-azure-storage).
+Learn more about Defender for Storage security alerts in the [reference table for all security alerts in Microsoft Defender for Cloud](alerts-azure-storage.md).
## Next steps
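Review bot: all three changed lines in this file keep the link text "reference table for all security alerts in Microsoft Defender for Cloud" while pointing to the storage-only page alerts-azure-storage.md, so the text now overstates what the target contains; change each to "Defender for Storage alerts reference" or similar. The same "Learn more about Defender for Storage security alerts ..." sentence is also repeated once per test section (malware, sensitive data, activity monitoring); one occurrence under Next steps would do. The context lines "Select on the alert's **View full details** button" should read "Select the alert's ...".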
defender-for-cloud Defender For Storage Threats Alerts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-storage-threats-alerts.md
Microsoft security researchers have analyzed the attack surface of storage servi
## What kind of security alerts does Microsoft Defender for Storage provide? > [!TIP]
-> For a comprehensive list of all Defender for Storage alerts, see the [alerts reference guide](alerts-reference.md#alerts-for-azure-storage) page. This is useful for workload owners who want to know what threats can be detected and help SOC teams gain familiarity with detections before investigating them. Learn more about [Defender for Cloud security alerts and how to respond to them](managing-and-responding-alerts.yml).
+> For a comprehensive list of all Defender for Storage alerts, see the [alerts reference guide](alerts-azure-storage.md) page. This is useful for workload owners who want to know what threats can be detected and help SOC teams gain familiarity with detections before investigating them. Learn more about [Defender for Cloud security alerts and how to respond to them](managing-and-responding-alerts.yml).
Security alerts are triggered in the following scenarios:
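Review bot: in the changed tip line, "see the [alerts reference guide](alerts-azure-storage.md) page" stacks "guide" and "page"; since the target is now the storage-specific page, "see the [Defender for Storage alerts reference](alerts-azure-storage.md)" says the same thing without the redundancy and matches the link wording used in the other storage articles in this change set.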
defender-for-cloud Deprecated Alerts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/deprecated-alerts.md
+
+ Title: Reference table for deprecated security alerts
+description: This article lists deprecated security alerts in Microsoft Defender for Cloud.
++ Last updated : 06/03/2024
+ai-usage: ai-assisted
++
+# Deprecated security alerts
+
+This article lists deprecated security alerts in Microsoft Defender for Cloud.
+
+## Deprecated Defender for Containers alerts
+
+The following lists include the Defender for Containers security alerts which were deprecated.
+
+### **Manipulation of host firewall detected**
+
+(K8S.NODE_FirewallDisabled)
+
+**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected a possible manipulation of the on-host firewall. Attackers will often disable this to exfiltrate data.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: DefenseEvasion, Exfiltration
+
+**Severity**: Medium
+
+### **Suspicious use of DNS over HTTPS**
+
+(K8S.NODE_SuspiciousDNSOverHttps)
+
+**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected the use of a DNS call over HTTPS in an uncommon fashion. This technique is used by attackers to hide calls out to suspect or malicious sites.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: DefenseEvasion, Exfiltration
+
+**Severity**: Medium
+
+### **A possible connection to malicious location has been detected**
+
+(K8S.NODE_ThreatIntelCommandLineSuspectDomain)
+
+**Description**: Analysis of processes running within a container or directly on a Kubernetes node, has detected a connection to a location that has been reported to be malicious or unusual. This is an indicator that a compromise might have occurred.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: InitialAccess
+
+**Severity**: Medium
+
+### **Digital currency mining activity**
+
+(K8S.NODE_CurrencyMining)
+
+**Description**: Analysis of DNS transactions detected digital currency mining activity. Such activity, while possibly legitimate user behavior, is frequently performed by attackers following compromise of resources. Typical related attacker activity is likely to include the download and execution of common mining tools.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Exfiltration
+
+**Severity**: Low
+
+## Deprecated Defender for Servers Linux alerts
+
+### VM_AbnormalDaemonTermination
+
+**Alert Display Name**: Abnormal Termination
+
+**Severity**: Low
+
+### VM_BinaryGeneratedFromCommandLine
+
+**Alert Display Name**: Suspicious binary detected
+
+**Severity**: Medium
+
+### VM_CommandlineSuspectDomain Suspicious
+
+**Alert Display Name**: domain name reference
+
+**Severity**: Low
+
+### VM_CommonBot
+
+**Alert Display Name**: Behavior similar to common Linux bots detected
+
+**Severity**: Medium
+
+### VM_CompCommonBots
+
+**Alert Display Name**: Commands similar to common Linux bots detected
+
+**Severity**: Medium
+
+### VM_CompSuspiciousScript
+
+**Alert Display Name**: Shell Script Detected
+
+**Severity**: Medium
+
+### VM_CompTestRule
+
+**Alert Display Name**: Composite Analytic Test Alert
+
+**Severity**: Low
+
+### VM_CronJobAccess
+
+**Alert Display Name**: Manipulation of scheduled tasks detected
+
+**Severity**: Informational
+
+### VM_CryptoCoinMinerArtifacts
+
+**Alert Display Name**: Process associated with digital currency mining detected
+
+**Severity**: Medium
+
+### VM_CryptoCoinMinerDownload
+
+**Alert Display Name**: Possible Cryptocoinminer download detected
+
+**Severity**: Medium
+
+### VM_CryptoCoinMinerExecution
+
+**Alert Display Name**: Potential crypto coin miner started
+
+**Severity**: Medium
+
+### VM_DataEgressArtifacts
+
+**Alert Display Name**: Possible data exfiltration detected
+
+**Severity**: Medium
+
+### VM_DigitalCurrencyMining
+
+**Alert Display Name**: Digital currency mining related behavior detected
+
+**Severity**: High
+
+### VM_DownloadAndRunCombo
+
+**Alert Display Name**: Suspicious Download Then Run Activity
+
+**Severity**: Medium
+
+### VM_EICAR
+
+**Alert Display Name**: Microsoft Defender for Cloud test alert (not a threat)
+
+**Severity**: High
+
+### VM_ExecuteHiddenFile
+
+**Alert Display Name**: Execution of hidden file
+
+**Severity**: Informational
+
+### VM_ExploitAttempt
+
+**Alert Display Name**: Possible command line exploitation attempt
+
+**Severity**: Medium
+
+### VM_ExposedDocker
+
+**Alert Display Name**: Exposed Docker daemon on TCP socket
+
+**Severity**: Medium
+
+### VM_FairwareMalware
+
+**Alert Display Name**: Behavior similar to Fairware ransomware detected
+
+**Severity**: Medium
+
+### VM_FirewallDisabled
+
+**Alert Display Name**: Manipulation of host firewall detected
+
+**Severity**: Medium
+
+### VM_HadoopYarnExploit
+
+**Alert Display Name**: Possible exploitation of Hadoop Yarn
+
+**Severity**: Medium
+
+### VM_HistoryFileCleared
+
+**Alert Display Name**: A history file has been cleared
+
+**Severity**: Medium
+
+### VM_KnownLinuxAttackTool
+
+**Alert Display Name**: Possible attack tool detected
+
+**Severity**: Medium
+
+### VM_KnownLinuxCredentialAccessTool
+
+**Alert Display Name**: Possible credential access tool detected
+
+**Severity**: Medium
+
+### VM_KnownLinuxDDoSToolkit
+
+**Alert Display Name**: Indicators associated with DDOS toolkit detected
+
+**Severity**: Medium
+
+### VM_KnownLinuxScreenshotTool
+
+**Alert Display Name**: Screenshot taken on host
+
+**Severity**: Low
+
+### VM_LinuxBackdoorArtifact
+
+**Alert Display Name**: Possible backdoor detected
+
+**Severity**: Medium
+
+### VM_LinuxReconnaissance
+
+**Alert Display Name**: Local host reconnaissance detected
+
+**Severity**: Medium
+
+### VM_MismatchedScriptFeatures
+
+**Alert Display Name**: Script extension mismatch detected
+
+**Severity**: Medium
+
+### VM_MitreCalderaTools
+
+**Alert Display Name**: MITRE Caldera agent detected
+
+**Severity**: Medium
+
+### VM_NewSingleUserModeStartupScript
+
+**Alert Display Name**: Detected Persistence Attempt
+
+**Severity**: Medium
+
+### VM_NewSudoerAccount
+
+**Alert Display Name**: Account added to sudo group
+
+**Severity**: Low
+
+### VM_OverridingCommonFiles
+
+**Alert Display Name**: Potential overriding of common files
+
+**Severity**: Medium
+
+### VM_PrivilegedContainerArtifacts
+
+**Alert Display Name**: Container running in privileged mode
+
+**Severity**: Low
+
+### VM_PrivilegedExecutionInContainer
+
+**Alert Display Name**: Command within a container running with high privileges
+
+**Severity**: Low
+
+### VM_ReadingHistoryFile
+
+**Alert Display Name**: Unusual access to bash history file
+
+**Severity**: Informational
+
+### VM_ReverseShell
+
+**Alert Display Name**: Potential reverse shell detected
+
+**Severity**: Medium
+
+### VM_SshKeyAccess
+
+**Alert Display Name**: Process seen accessing the SSH authorized keys file in an unusual way
+
+**Severity**: Low
+
+### VM_SshKeyAddition
+
+**Alert Display Name**: New SSH key added
+
+**Severity**: Low
+
+### VM_SuspectCompilation
+
+**Alert Display Name**: Suspicious compilation detected
+
+**Severity**: Medium
+
+### VM_SuspectConnection
+
+**Alert Display Name**: An uncommon connection attempt detected
+
+**Severity**: Medium
+
+### VM_SuspectDownload
+
+**Alert Display Name**: Detected file download from a known malicious source
+
+**Severity**: Medium
+
+### VM_SuspectDownloadArtifacts
+
+**Alert Display Name**: Detected suspicious file download
+
+**Severity**: Low
+
+### VM_SuspectExecutablePath
+
+**Alert Display Name**: Executable found running from a suspicious location
+
+**Severity**: Medium
+
+### VM_SuspectHtaccessFileAccess
+
+**Alert Display Name**: Access of htaccess file detected
+
+**Severity**: Medium
+
+### VM_SuspectInitialShellCommand
+
+**Alert Display Name**: Suspicious first command in shell
+
+**Severity**: Low
+
+### VM_SuspectMixedCaseText
+
+**Alert Display Name**: Detected anomalous mix of uppercase and lowercase characters in command line
+
+**Severity**: Medium
+
+### VM_SuspectNetworkConnection
+
+**Alert Display Name**: Suspicious network connection
+
+**Severity**: Informational
+
+### VM_SuspectNohup
+
+**Alert Display Name**: Detected suspicious use of the nohup command
+
+**Severity**: Medium
+
+### VM_SuspectPasswordChange
+
+**Alert Display Name**: Possible password change using crypt-method detected
+
+**Severity**: Medium
+
+### VM_SuspectPasswordFileAccess
+
+**Alert Display Name**: Suspicious password access
+
+**Severity**: Informational
+
+### VM_SuspectPhp
+
+**Alert Display Name**: Suspicious PHP execution detected
+
+**Severity**: Medium
+
+### VM_SuspectPortForwarding
+
+**Alert Display Name**: Potential port forwarding to external IP address
+
+**Severity**: Medium
+
+### VM_SuspectProcessAccountPrivilegeCombo
+
+**Alert Display Name**: Process running in a service account became root unexpectedly
+
+**Severity**: Medium
+
+### VM_SuspectProcessTermination
+
+**Alert Display Name**: Security-related process termination detected
+
+**Severity**: Low
+
+### VM_SuspectUserAddition
+
+**Alert Display Name**: Detected suspicious use of the useradd command
+
+**Severity**: Medium
+
+### VM_SuspiciousCommandLineExecution
+
+**Alert Display Name**: Suspicious command execution
+
+**Severity**: High
+
+### VM_SuspiciousDNSOverHttps
+
+**Alert Display Name**: Suspicious use of DNS over HTTPS
+
+**Severity**: Medium
+
+### VM_SystemLogRemoval
+
+**Alert Display Name**: Possible Log Tampering Activity Detected
+
+**Severity**: Medium
+
+### VM_ThreatIntelCommandLineSuspectDomain
+
+**Alert Display Name**: A possible connection to malicious location has been detected
+
+**Severity**: Medium
+
+### VM_ThreatIntelSuspectLogon
+
+**Alert Display Name**: A logon from a malicious IP has been detected
+
+**Severity**: High
+
+### VM_TimerServiceDisabled
+
+**Alert Display Name**: Attempt to stop apt-daily-upgrade.timer service detected
+
+**Severity**: Informational
+
+### VM_TimestampTampering
+
+**Alert Display Name**: Suspicious file timestamp modification
+
+**Severity**: Low
+
+### VM_Webshell
+
+**Alert Display Name**: Possible malicious web shell detected
+
+**Severity**: Medium
+
+## Deprecated Defender for Servers Windows alerts
+
+### SCUBA_MULTIPLEACCOUNTCREATE
+
+**Alert Display Name**: Suspicious creation of accounts on multiple hosts
+
+**Severity**: Medium
+
+### SCUBA_PSINSIGHT_CONTEXT
+
+**Alert Display Name**: Suspicious use of PowerShell detected
+
+**Severity**: Informational
+
+### SCUBA_RULE_AddGuestToAdministrators
+
+**Alert Display Name**: Addition of Guest account to Local Administrators group
+
+**Severity**: Medium
+
+### SCUBA_RULE_Apache_Tomcat_executing_suspicious_commands
+
+**Alert Display Name**: Apache_Tomcat_executing_suspicious_commands
+
+**Severity**: Medium
+
+### SCUBA_RULE_KnownBruteForcingTools
+
+**Alert Display Name**: Suspicious process executed
+
+**Severity**: High
+
+### SCUBA_RULE_KnownCollectionTools
+
+**Alert Display Name**: Suspicious process executed
+
+**Severity**: High
+
+### SCUBA_RULE_KnownDefenseEvasionTools
+
+**Alert Display Name**: Suspicious process executed
+
+**Severity**: High
+
+### SCUBA_RULE_KnownExecutionTools
+
+**Alert Display Name**: Suspicious process executed
+
+**Severity**: High
+
+### SCUBA_RULE_KnownPassTheHashTools
+
+**Alert Display Name**: Suspicious process executed
+
+**Severity**: High
+
+### SCUBA_RULE_KnownSpammingTools
+
+**Alert Display Name**: Suspicious process executed
+
+**Severity**: Medium
+
+### SCUBA_RULE_Lowering_Security_Settings
+
+**Alert Display Name**: Detected the disabling of critical services
+
+**Severity**: Medium
+
+### SCUBA_RULE_OtherKnownHackerTools
+
+**Alert Display Name**: Suspicious process executed
+
+**Severity**: High
+
+### SCUBA_RULE_RDP_session_hijacking_via_tscon
+
+**Alert Display Name**: Suspect integrity level indicative of RDP hijacking
+
+**Severity**: Medium
+
+### SCUBA_RULE_RDP_session_hijacking_via_tscon_service
+
+**Alert Display Name**: Suspect service installation
+
+**Severity**: Medium
+
+### SCUBA_RULE_Suppress_pesky_unauthorized_use_prohibited_notices
+
+**Alert Display Name**: Detected suppression of legal notice displayed to users at logon
+
+**Severity**: Low
+
+### SCUBA_RULE_WDigest_Enabling
+
+**Alert Display Name**: Detected enabling of the WDigest UseLogonCredential registry key
+
+**Severity**: Medium
+
+### VM.Windows_ApplockerBypass
+
+**Alert Display Name**: Potential attempt to bypass AppLocker detected
+
+**Severity**: High
+
+### VM.Windows_BariumKnownSuspiciousProcessExecution
+
+**Alert Display Name**: Detected suspicious file creation
+
+**Severity**: High
+
+### VM.Windows_Base64EncodedExecutableInCommandLineParams
+
+**Alert Display Name**: Detected encoded executable in command line data
+
+**Severity**: High
+
+### VM.Windows_CalcsCommandLineUse
+
+**Alert Display Name**: Detected suspicious use of Cacls to lower the security state of the system
+
+**Severity**: Medium
+
+### VM.Windows_CommandLineStartingAllExe
+
+**Alert Display Name**: Detected suspicious command line used to start all executables in a directory
+
+**Severity**: Medium
+
+### VM.Windows_DisablingAndDeletingIISLogFiles
+
+**Alert Display Name**: Detected actions indicative of disabling and deleting IIS log files
+
+**Severity**: Medium
+
+### VM.Windows_DownloadUsingCertutil
+
+**Alert Display Name**: Suspicious download using Certutil detected
+
+**Severity**: Medium
+
+### VM.Windows_EchoOverPipeOnLocalhost
+
+**Alert Display Name**: Detected suspicious named pipe communications
+
+**Severity**: High
+
+### VM.Windows_EchoToConstructPowerShellScript
+
+**Alert Display Name**: Dynamic PowerShell script construction
+
+**Severity**: Medium
+
+### VM.Windows_ExecutableDecodedUsingCertutil
+
+**Alert Display Name**: Detected decoding of an executable using built-in certutil.exe tool
+
+**Severity**: Medium
+
+### VM.Windows_FileDeletionIsSospisiousLocation
+
+**Alert Display Name**: Suspicious file deletion detected
+
+**Severity**: Medium
+
+### VM.Windows_KerberosGoldenTicketAttack
+
+**Alert Display Name**: Suspected Kerberos Golden Ticket attack parameters observed
+
+**Severity**: Medium
+
+### VM.Windows_KeygenToolKnownProcessName
+
+**Alert Display Name**: Detected possible execution of keygen executable Suspicious process executed
+
+**Severity**: Medium
+
+### VM.Windows_KnownCredentialAccessTools
+
+**Alert Display Name**: Suspicious process executed
+
+**Severity**: High
+
+### VM.Windows_KnownSuspiciousPowerShellScript
+
+**Alert Display Name**: Suspicious use of PowerShell detected
+
+**Severity**: High
+
+### VM.Windows_KnownSuspiciousSoftwareInstallation
+
+**Alert Display Name**: High risk software detected
+
+**Severity**: Medium
+
+### VM.Windows_MsHtaAndPowerShellCombination
+
+**Alert Display Name**: Detected suspicious combination of HTA and PowerShell
+
+**Severity**: Medium
+
+### VM.Windows_MultipleAccountsQuery
+
+**Alert Display Name**: Multiple Domain Accounts Queried
+
+**Severity**: Medium
+
+### VM.Windows_NewAccountCreation
+
+**Alert Display Name**: Account creation detected
+
+**Severity**: Informational
+
+### VM.Windows_ObfuscatedCommandLine
+
+**Alert Display Name**: Detected obfuscated command line.
+
+**Severity**: High
+
+### VM.Windows_PcaluaUseToLaunchExecutable
+
+**Alert Display Name**: Detected suspicious use of Pcalua.exe to launch executable code
+
+**Severity**: Medium
+
+### VM.Windows_PetyaRansomware
+
+**Alert Display Name**: Detected Petya ransomware indicators
+
+**Severity**: High
+
+### VM.Windows_PowerShellPowerSploitScriptExecution
+
+**Alert Display Name**: Suspicious PowerShell cmdlets executed
+
+**Severity**: Medium
+
+### VM.Windows_RansomwareIndication
+
+**Alert Display Name**: Ransomware indicators detected
+
+**Severity**: High
+
+### VM.Windows_SqlDumperUsedSuspiciously
+
+**Alert Display Name**: Possible credential dumping detected [seen multiple times]
+
+**Severity**: Medium
+
+### VM.Windows_StopCriticalServices
+
+**Alert Display Name**: Detected the disabling of critical services
+
+**Severity**: Medium
+
+### VM.Windows_SubvertingAccessibilityBinary
+
+**Alert Display Name**: Sticky keys attack detected
+ Suspicious account creation detected Medium
+
+### VM.Windows_SuspiciousAccountCreation
+
+**Alert Display Name**: Suspicious Account Creation Detected
+
+**Severity**: Medium
+
+### VM.Windows_SuspiciousFirewallRuleAdded
+
+**Alert Display Name**: Detected suspicious new firewall rule
+
+**Severity**: Medium
+
+### VM.Windows_SuspiciousFTPSSwitchUsage
+
+**Alert Display Name**: Detected suspicious use of FTP -s switch
+
+**Severity**: Medium
+
+### VM.Windows_SuspiciousSQLActivity
+
+**Alert Display Name**: Suspicious SQL activity
+
+**Severity**: Medium
+
+### VM.Windows_SVCHostFromInvalidPath
+
+**Alert Display Name**: Suspicious process executed
+
+**Severity**: High
+
+### VM.Windows_SystemEventLogCleared
+
+**Alert Display Name**: The Windows Security log was cleared
+
+**Severity**: Informational
+
+### VM.Windows_TelegramInstallation
+
+**Alert Display Name**: Detected potentially suspicious use of Telegram tool
+
+**Severity**: Medium
+
+### VM.Windows_UndercoverProcess
+
+**Alert Display Name**: Suspiciously named process detected
+
+**Severity**: High
+
+### VM.Windows_UserAccountControlBypass
+
+**Alert Display Name**: Detected change to a registry key that can be abused to bypass UAC
+
+**Severity**: Medium
+
+### VM.Windows_VBScriptEncoding
+
+**Alert Display Name**: Detected suspicious execution of VBScript.Encode command
+
+**Severity**: Medium
+
+### VM.Windows_WindowPositionRegisteryChange
+
+**Alert Display Name**: Suspicious WindowPosition registry value detected
+
+**Severity**: Low
+
+### VM.Windows_ZincPortOpenningUsingFirewallRule
+
+**Alert Display Name**: Malicious firewall rule created by ZINC server implant
+
+**Severity**: High
+
+### VM_DigitalCurrencyMining
+
+**Alert Display Name**: Digital currency mining related behavior detected
+
+**Severity**: High
+
+### VM_MaliciousSQLActivity
+
+**Alert Display Name**: Malicious SQL activity
+
+**Severity**: High
+
+### VM_ProcessWithDoubleExtensionExecution
+
+**Alert Display Name**: Suspicious double extension file executed
+
+**Severity**: High
+
+### VM_RegistryPersistencyKey
+
+**Alert Display Name**: Windows registry persistence method detected
+
+**Severity**: Low
+
+### VM_ShadowCopyDeletion
+
+**Alert Display Name**: Suspicious Volume Shadow Copy Activity
+ Executable found running from a suspicious location
+
+**Severity**: High
+
+### VM_SuspectExecutablePath
+
+**Alert Display Name**: Executable found running from a suspicious location
+ Detected anomalous mix of uppercase and lowercase characters in command line
+
+**Severity**: Informational
+
+ Medium
+
+### VM_SuspectPhp
+
+**Alert Display Name**: Suspicious PHP execution detected
+
+**Severity**: Medium
+
+### VM_SuspiciousCommandLineExecution
+
+**Alert Display Name**: Suspicious command execution
+
+**Severity**: High
+
+### VM_SuspiciousScreenSaverExecution
+
+**Alert Display Name**: Suspicious Screensaver process executed
+
+**Severity**: Medium
+
+### VM_SvcHostRunInRareServiceGroup
+
+**Alert Display Name**: Rare SVCHOST service group executed
+
+**Severity**: Informational
+
+### VM_SystemProcessInAbnormalContext
+
+**Alert Display Name**: Suspicious system process executed
+
+**Severity**: Medium
+
+### VM_ThreatIntelCommandLineSuspectDomain
+
+**Alert Display Name**: A possible connection to malicious location has been detected
+
+**Severity**: Medium
+
+### VM_ThreatIntelSuspectLogon
+
+**Alert Display Name**: A logon from a malicious IP has been detected
+
+**Severity**: High
+
+### VM_VbScriptHttpObjectAllocation
+
+**Alert Display Name**: VBScript HTTP object allocation detected
+
+**Severity**: High
+
+### VM_TaskkillBurst
+
+**Alert Display Name**: Suspicious process termination burst
+
+**Severity**: Low
+
+### VM_RunByPsExec
+
+**Alert Display Name**: PsExec execution detected
+
+**Severity**: Informational
+
+> [!NOTE]
+> For alerts that are in preview: [!INCLUDE [Legalese](../../includes/defender-for-cloud-preview-legal-text.md)]
+
+## Next steps
+
+- [Security alerts in Microsoft Defender for Cloud](alerts-overview.md)
+- [Manage and respond to security alerts in Microsoft Defender for Cloud](managing-and-responding-alerts.yml)
+- [Continuously export Defender for Cloud data](continuous-export.md)
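Review bot: the VM_ShadowCopyDeletion and VM_SuspectExecutablePath entries each carry a second, unrelated display name, and VM_SuspectExecutablePath lists two severities ("Informational" followed by a bare "Medium"). Under VM_ShadowCopyDeletion the line "Executable found running from a suspicious location" belongs to VM_SuspectExecutablePath, and under VM_SuspectExecutablePath the line "Detected anomalous mix of uppercase and lowercase characters in command line" describes a separate alert that has no heading or alert type here. Give that alert its own "### VM_..." heading with one of the two severities, and keep a single **Severity** per entry so the page stays unambiguous for anyone mapping alert types to severities in a SIEM or export pipeline.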
defender-for-cloud Gain End User Context Ai https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/gain-end-user-context-ai.md
+
+ Title: Gain end-user context for AI alerts
+description: Learn how to enhance AI security by adding user context for alerts with Microsoft Defender for Cloud threat protection.
+ Last updated : 07/18/2024
+#Customer intent: I want to learn how to enhance the security of my AI workloads by adding end-user context for AI alerts with Microsoft Defender for Cloud threat protection for AI workloads.
++
+# Gain end-user context for AI alerts
+
+Microsoft Defender for Cloud's threat protection for AI workloads allows you to enhance the actionability and security value of the generated AI alerts by providing end-user context.
+
+By adding parameters to your Azure OpenAI API calls, you enable your Azure AI to pass critical end-user context to Defender for Cloud's AI alerts. This addition of end-user context provides greater visibility on end-users and leads to better investigations and results. For example, you can block a specific user or correlate incidents and alerts by end-user.
++
+## Prerequisites
+
+- Read up on [Overview - AI threat protection](ai-threat-protection.md).
+
+- [Enable threat protection for AI workloads (preview)](ai-onboarding.md) on an AI application, with Azure OpenAI as its underlying model.
+
+## Add security parameters to your Azure OpenAI call
+
+To receive AI security alerts with more context, you can add any or all of the following sample `SecurityContext` parameters to your [Azure OpenAI API](../ai-services/openai/reference.md) calls.
+
+All of the fields in the `SecurityContext` are optional. We recommend passing the `EndUserId` and `SourceIP` fields at a minimum. The `EndUserId` and `SourceIP` fields provide Security Operations Center (SOC) analysts the ability to investigate security incidents that involve AI resources and generative AI applications. For examples, see the [SecurityContext schema](#securitycontext-schema).
+
+If a fieldΓÇÖs name is misspelled, the Azure OpenAI API call will still succeed. The `SecurityContext` schema doesn't require validation to pass through the Azure OpenAI user field. Application developers should ensure that a valid JSON is passed to the `user` field in every request made by the application to Azure OpenAI.
+
+## SecurityContext schema
+
+The provided schema consists of the `SecurityContext` objects that contains several parameters that describe the application itself, and the end user that interacts with the application. These fields assist your security operations teams to investigate and mitigate security incidents by providing a comprehensive approach to protecting your AI applications.
+
+- End used ID
+- End user type
+- End user tenant's ID
+- Source IP address.
+- Source request headers
+- Application name
+
+| Field name | Type | Description | Optional | Example |
+|||-|-||
+| EndUserId | string | Acts as a unique identifier for the end user within the generative AI application. If Microsoft Entra ID authorization is used to authenticate end-users in the generative AI application, this should be a Microsoft Entra ID (previously known as Microsoft Entra ID) user object ID, otherwise this can be a GUID or some other identifier that uniquely identify the user. | Yes | 1234a123-12a3-1234-1ab2-a1b2c34d56e |
+| EndUserIdType | string | Specifies the type of end user identifier. It should be set to Microsoft Entra ID when using Microsoft Entra (previously known as Microsoft Entra ID) user object ID. | Yes, unless EndUserId is passed, in that case this must be set to proper value. | Microsoft Entra ID, Google, Other |
+| EndUserTenantId | string | This property specifies the Microsoft 365 tenant ID the end user belongs to. It's required when the generative AI application is multitenant and end users from different tenants can sign-in. | Yes | 1234a123-12a3-1234-1ab2-a1b2c34d56e |
+| SourceIP | string | Captures the IP address of the client as seen directly by the server. It represents the most immediate client IP address that made the connection to the server. If the client connects through a proxy or load balancer, SourceIP is the IP address of that proxy or load balancer, not the original client's IP address: <br> - ASP.NET: HttpContext.Connection.RemoteIpAddress <br> - Python: request.remote_addr | Yes | 12.34.567.891, 1234:1:123a:123:1a2b:ab1:ab1c:ab12 |
+| SourceRequestHeaders | Dictionary<string, string> | Captures a subset of end user's request headers that proxies or load balancers add. Headers like X-Forwarded-For, X-Real-IP, or Forwarded are used by Microsoft Defender for Cloud to get the original client's IP address. User-Agent headers provide context about the client software initiating the API request. <br><br> Recommended header names include: User-Agent, X-Forwarded-For, X-Real-IP, Forwarded, CF-Connecting-IP, True-Client-IP, X-Client-IP, X-Forwarded, Forwarded-For | Yes | - |
+| ApplicationName | string | The name of the application, used for identification and UI purposes. | Yes | Contoso HR Copilot, Customer sales chat bot. |
+
+## Add the SecurityContext to your application
+
+We recommend adding all of the parameters provided in this document to your generative AI application's API calls to Azure OpenAI.
+
+1. Select one of these examples:
+
+ - [sample-app-aoai-chatGPT](https://github.com/microsoft/sample-app-aoai-chatGPT)
+ - [ms_defender_utils.py](https://github.com/microsoft/sample-app-aoai-chatGPT/blob/f3f19bf5f4cd9754ff0f759ade72057ca1e01fbc/backend/security/ms_defender_utils.py#L3)
+ - [app.py](https://github.com/microsoft/sample-app-aoai-chatGPT/blob/f3f19bf5f4cd9754ff0f759ade72057ca1e01fbc/app.py#L741C1-L742C1).
+
+1. Locate and copy the sample code.
+
+ :::image type="content" source="media/gain-end-user-context-ai/sample-code-security-context.png" alt-text="Screenshot of the sample code provided from GitHub." lightbox="media/gain-end-user-context-ai/sample-code-security-context.png":::
+
+1. Add the code to your generative AI application's code where Azure OpenAI API is called.
+
+1. Alter the code parameters to match your requirements.
+
+1. Save the changes.
+
+After following the procedure, you should ensure that a valid JSON is passed to the `user` field in every request made by the application to Azure OpenAI.
+
+## Next step
+
+> [!div class="nextstepaction"]
+> [Overview - AI threat protection](ai-threat-protection.md)
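Review bot: the SourceRequestHeaders row ("Captures a subset of end user's request headers that proxies or load balancers add") should state that X-Forwarded-For, X-Real-IP, Forwarded and the other listed headers are only trustworthy when your own proxy or load balancer sets or overwrites them; a client can send these headers itself, so an application that forwards whatever arrives lets the caller choose the "original client IP" that Defender for Cloud derives and correlates on. Recommend forwarding only the headers your edge is known to set and stripping them from direct connections. Related, "If a field's name is misspelled, the Azure OpenAI API call will still succeed" describes a silent failure: suggest advising developers to build the `user` JSON from a fixed, typed SecurityContext object (or validate it against the schema) rather than hand-written keys, and to verify in a test alert that the context actually arrives. Smaller points: "End used ID" should read "End user ID"; "Microsoft Entra ID (previously known as Microsoft Entra ID)" in the EndUserId and EndUserIdType rows is self-referential and presumably meant "previously known as Azure Active Directory"; the SourceIP example "12.34.567.891" is not a valid IPv4 address (octets above 255), so use a documentation range such as 203.0.113.5; and the example GUID "1234a123-12a3-1234-1ab2-a1b2c34d56e" is one hex digit short in its last group.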
defender-for-cloud Kubernetes Workload Protections https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/kubernetes-workload-protections.md
In this article, you learned how to configure Kubernetes data plane hardening.
For related material, see the following pages: - [Defender for Cloud recommendations for compute](recommendations-reference-compute.md)-- [Alerts for AKS cluster level](alerts-reference.md#alerts-for-containerskubernetes-clusters)
+- [Alerts for AKS cluster level](alerts-containers.md)
defender-for-cloud Other Threat Protections https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/other-threat-protections.md
Some network configurations restrict Defender for Cloud from generating alerts o
- Your virtual machine has a public IP address (or is on a load balancer with a public IP address). - Your virtual machine's network egress traffic isn't blocked by an external IDS solution.
-For a list of the Azure network layer alerts, see the [Reference table of alerts](alerts-reference.md#alerts-for-azure-network-layer).
+For a list of the Azure network layer alerts, see the [Reference table of alerts](alerts-azure-network-layer.md).
<a name="alerts-other"></a>
Distributed denial of service (DDoS) attacks are known to be easy to execute. Th
To defend against DDoS attacks, purchase a license for Azure DDoS Protection and ensure you're following application design best practices. DDoS Protection provides different service tiers. For more information, see [Azure DDoS Protection overview](../ddos-protection/ddos-protection-overview.md).
-If you have Azure DDoS Protection enabled, your DDoS alerts are streamed to Defender for Cloud with no other configuration needed. For more information on the alerts generated by DDoS Protection, see [Reference table of alerts](alerts-reference.md#alerts-for-azure-ddos-protection).
+If you have Azure DDoS Protection enabled, your DDoS alerts are streamed to Defender for Cloud with no other configuration needed. For more information on the alerts generated by DDoS Protection, see [Reference table of alerts](alerts-azure-ddos-protection.md).
<a name='entra-permission-management-formerly-cloudknox'></a>
defender-for-cloud Plan Defender For Servers Select Plan https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/plan-defender-for-servers-select-plan.md
You can choose from two paid plans:
| **Licensing** | Defender for Servers covers licensing for Defender for Endpoint. Licensing is charged per hour instead of per seat, lowering costs by protecting virtual machines only when they're in use.| :::image type="icon" source="./media/icons/yes-icon.png"::: | :::image type="icon" source="./media/icons/yes-icon.png"::: | | **Defender for Endpoint provisioning** | Defender for Servers automatically provisions the Defender for Endpoint sensor on every supported machine that's connected to Defender for Cloud.| :::image type="icon" source="./media/icons/yes-icon.png"::: | :::image type="icon" source="./media/icons/yes-icon.png"::: | | **Unified view** | Alerts from Defender for Endpoint appear in the Defender for Cloud portal. You can get detailed information in the Defender for Endpoint portal.| :::image type="icon" source="./media/icons/yes-icon.png"::: | :::image type="icon" source="./media/icons/yes-icon.png"::: |
-| **Threat detection for OS-level (agent-based)** | Defender for Servers and Defender for Endpoint detect threats at the OS level, including virtual machine behavioral detections and *fileless attack detection*, which generates detailed security alerts that accelerate alert triage, correlation, and downstream response time.<br><br />[Learn more about alerts for Windows machines](alerts-reference.md#alerts-for-windows-machines)<br /><br />[Learn more about alerts for Linux machines](alerts-reference.md#alerts-for-linux-machines)<br /><br /><br />[Learn more about alerts for DNS](alerts-reference.md#alerts-for-dns) | :::image type="icon" source="./mediE](/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response) | :::image type="icon" source="./media/icons/yes-icon.png"::: |
+| **Threat detection for OS-level (agent-based)** | Defender for Servers and Defender for Endpoint detect threats at the OS level, including virtual machine behavioral detections and *fileless attack detection*, which generates detailed security alerts that accelerate alert triage, correlation, and downstream response time.<br><br />[Learn more about alerts for Windows machines](alerts-windows-machines.md)<br /><br />[Learn more about alerts for Linux machines](alerts-linux-machines.md)<br /><br /><br />[Learn more about alerts for DNS](alerts-dns.md) | :::image type="icon" source="./mediE](/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response) | :::image type="icon" source="./media/icons/yes-icon.png"::: |
| **Threat detection for network-level (agentless security alerts)** | Defender for Servers detects threats that are directed at the control plane on the network, including network-based security alerts for Azure virtual machines. [Learn more](alerts-reference.md) | Not supported in Plan 1 | :::image type="icon" source="./media/icons/yes-icon.png"::: | | **Microsoft Defender Vulnerability Management (MDVM) Add-on** | Enhance your vulnerability management program consolidated asset inventories, security baselines assessments, application block feature, and more. [Learn more](deploy-vulnerability-assessment-defender-vulnerability-management.md). | Not supported in Plan 1 | :::image type="icon" source="./media/icons/yes-icon.png"::: | | **Security Policy and Regulatory Compliance** | Customize a security policy for your subscription and also compare the configuration of your resources with requirements in industry standards, regulations, and benchmarks. Learn more about [regulatory compliance](regulatory-compliance-dashboard.md) and [security policies](security-policy-concept.md) | Not supported in Plan 1 | :::image type="icon" source="./media/icons/yes-icon.png":::|
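Review bot: the network-level row still links to alerts-reference.md ("[Learn more](alerts-reference.md)") while the OS-level row in this hunk moves its three links to the split pages (alerts-windows-machines.md, alerts-linux-machines.md, alerts-dns.md); the other-threat-protections.md hunk above introduces alerts-azure-network-layer.md for exactly these alerts, so update this link in the same change to avoid a stale anchor once the reference page is split.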
defender-for-cloud Prepare Deprecation Log Analytics Mma Agent https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent.md
The following table summarizes how Defender for Servers features will be provide
| Feature | Current support | New support | New experience status | |-|-|-|-|
-| Defender for Endpoint integration for down-level Windows machines (Windows Server 2016/2012 R2) | Legacy Defender for Endpoint sensor, based on the Log Analytics agent | [Unified agent integration](/microsoft-365/security/defender-endpoint/configure-server-endpoints) | - Functionality with the unified agent is GA.<br/>- Functionality with the legacy Defender for Endpoint sensor using the Log Analytics agent will be deprecated in August 2024. |
+| Defender for Endpoint integration for down-level Windows machines (Windows Server 2016/2012 R2) | Legacy Defender for Endpoint sensor, based on the Log Analytics agent | [Unified agent integration](/microsoft-365/security/defender-endpoint/configure-server-endpoints) | - Functionality with the MDE unified agent is GA.<br/>- Functionality with the legacy Defender for Endpoint sensor using the Log Analytics agent will be deprecated in August 2024.|
| OS-level threat detection | Log Analytics agent | Defender for Endpoint agent integration | Functionality with the Defender for Endpoint agent is GA. | | Adaptive application controls | Log Analytics agent (GA), AMA (Preview) | | The adaptive application control feature is set to be deprecated in August 2024. |
-| Endpoint protection discovery recommendations | Recommendations that are available through the Foundational Cloud Security Posture Management (CSPM) plan and Defender for Servers, using the Log Analytics agent (GA), AMA (Preview)ΓÇ»| Agentless machine scanning | - Functionality with agentless machine scanning will be released to preview in February 2024 as part of Defender for Servers Plan 2 and the Defender CSPM plan.<br/>- Azure VMs, Google Cloud Platform (GCP) instances, and Amazon Web Services (AWS) instances will be supported. On-premises machines wonΓÇÖt be supported. |
+| Endpoint protection discovery recommendations | Recommendations that are available through the Foundational Cloud Security Posture Management (CSPM) plan and Defender for Servers, using the Log Analytics agent (GA), AMA (Preview)ΓÇ»| Agentless machine scanning | - Functionality with agentless machine scanning has been released to preview in early 2024 as part of Defender for Servers Plan 2 and the Defender CSPM plan.<br/>- Azure VMs, Google Cloud Platform (GCP) instances, and Amazon Web Services (AWS) instances are supported. On-premises machines are not supported.|
| Missing OS update recommendation | Recommendations available in the Foundational CSPM and Defender for Servers plans using the Log Analytics agent. | Integration with Update Manager, Microsoft | New recommendations based on Azure Update Manager integration [are GA](release-notes-archive.md#two-recommendations-related-to-missing-operating-system-os-updates-were-released-to-ga), with no agent dependencies. |
-| OS misconfigurations (Microsoft Cloud Security Benchmark) | Recommendations that are available through the Foundational CSPM and Defender for Servers plans using the Log Analytics agent, Guest Configuration agent (Preview). | Microsoft Defender Vulnerability Management premium, as part of Defender for Servers Plan 2. | - Functionality based on integration with Microsoft Defender Vulnerability Management premium will be available in preview around April 2024.<br/>- Functionality with the Log Analytics agent will be deprecated in August 2024<br/>- Functionality with Guest Configuration agent (Preview) will deprecate when the Microsoft Defender Vulnerability Management is available.<br/>- Support of this feature for Docker-hub and Azure Virtual Machine Scale Sets will be deprecated in Aug 2024. |
-| File integrity monitoring | Log Analytics agent, AMA (Preview) | Defender for Endpoint agent integration | Functionality with the Defender for Endpoint agent will be available around April 2024.<br/>- Functionality with the Log Analytics agent will be deprecated in August 2024.<br/>- Functionality with AMA will deprecate when the Defender for Endpoint integration is released. |
+| OS misconfigurations (Microsoft Cloud Security Benchmark) | Recommendations that are available through the Foundational CSPM and Defender for Servers plans using the Log Analytics agent, Guest Configuration extension (Preview). | Guest Configuration extension, as part of Defender for Servers Plan 2.| - Functionality based on Guest Configuration extension will be released to GA in September 2024<br/>- Functionality with the Log Analytics agent will be deprecated in November 2024.<br/>- Support of this feature for Docker-hub and Azure Virtual Machine Scale Sets will be deprecated in Aug 2024.|
+| File integrity monitoring | Log Analytics agent, AMA (Preview) | Defender for Endpoint agent integration | Functionality with the Defender for Endpoint agent will be available in August 2024.<br/>- Functionality with the Log Analytics agent will be deprecated in November 2024.<br/>- Functionality with AMA will deprecate when the Defender for Endpoint integration is released.|
-The [500-MB benefit](faq-defender-for-servers.yml#is-the-500-mb-of-free-data-ingestion-allowance-applied-per-workspace-or-per-machine-) for data ingestion over the defined tables remains supported via the AMA agent for the machines under subscriptions covered by Defender for Servers Plan 2. Every machine is eligible for the benefit only once, even if both Log Analytics agent and Azure Monitor agent are installed on it.
+The [500-MB benefit](faq-defender-for-servers.yml#is-the-500-mb-of-free-data-ingestion-allowance-applied-per-workspace-or-per-machine-) for data ingestion over the defined tables remains supported via the AMA agent for machines under subscriptions covered by Defender for Servers Plan 2. Every machine is eligible for the benefit only once, even if both Log Analytics agent and Azure Monitor agent are installed on it. For the data allowance to be granted, Defender for Servers Plan 2 needs to be enabled on the Log Analytics workspace AMA is connected to and on the machine's subscription.
Learn more about how to [deploy AMA](../azure-monitor/vm/monitor-virtual-machine-agent.md#agent-deployment-options). For SQL servers on machines, we recommend to [migrate to SQL server-targeted Azure Monitoring Agent's (AMA) autoprovisioning process](defender-for-sql-autoprovisioning.md). ### Endpoint protection recommendations experience - changes and migration guidance
-Endpoint discovery and recommendations are currently provided by the Defender for Cloud Foundational CSPM and the Defender for Servers plans using the Log Analytics agent in GA, or in preview via the AMA. This experience will be replaced by security recommendations that are gathered using agentless machine scanning.ΓÇ»
+Endpoint discovery and recommendations are currently provided by the Defender for Cloud Foundational CSPM and the Defender for Servers plans using the Log Analytics agent in GA, or in preview via the AMA. This experience will be replaced by security recommendations that are gathered using agentless machine scanning.ΓÇ»
Endpoint protection recommendations are constructed in two stages. The first stage is [discovery](#endpoint-detection-and-response-solutiondiscovery) of an endpoint detection and response solution. The second isΓÇ»[assessment](#endpoint-detection-and-response-solutionconfiguration-assessment) of the solutionΓÇÖs configuration. The following tables provide details of the current and new experiences for each stage.
The following table summarizes the timetable for recommendations being deprecate
| Recommendation | Agent | Supported resources | Deprecation date | Replacement recommendation | |-|-|-|-|-|
-| [Endpoint protection should be installed on your machines](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/4fb67663-9ab9-475d-b026-8c544cced439) (public) | MM#changes-in-endpoint-protection-recommendations) |
-| [Endpoint protection health issues should be resolved on your machines](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/37a3689a-818e-4a0e-82ac-b1392b9bb000) (public)| MM#changes-in-endpoint-protection-recommendations) |
+| [Endpoint protection should be installed on your machines](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/4fb67663-9ab9-475d-b026-8c544cced439) (public) | MM#changes-in-endpoint-protection-recommendations) |
+| [Endpoint protection health issues should be resolved on your machines](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/37a3689a-818e-4a0e-82ac-b1392b9bb000) (public)| MM#changes-in-endpoint-protection-recommendations) |
| [Endpoint protection health failures on virtual machine scale sets should be resolved](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/e71020c2-860c-3235-cd39-04f3f8c936d2) | MMA | Azure Virtual Machine Scale Sets | August 2024 | No replacement | | [Endpoint protection solution should be installed on virtual machine scale sets](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/21300918-b2e3-0346-785f-c77ff57d243b) | MMA | Azure Virtual Machine Scale Sets | August 2024 | No replacement | | [Endpoint protection solution should be on machines](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/383cf3bc-fdf9-4a02-120a-3e7e36c6bfee) | MMA | Non-Azure resources (Windows)| August 2024 | No replacement |
The [new recommendations](upcoming-changes.md#changes-in-endpoint-protection-rec
### File Integrity Monitoring experience - changes and migration guidance
-Microsoft Defender for Servers Plan 2 now offers a new File Integrity Monitoring (FIM) solution powered by Microsoft Defender for Endpoint (MDE) integration. Once FIM powered by MDE is public, the FIM powered by AMA experience in the Defender for Cloud portal will be removed. In October, FIM powered by MMA will be deprecated.
+Microsoft Defender for Servers Plan 2 now offers a new File Integrity Monitoring (FIM) solution powered by Microsoft Defender for Endpoint (MDE) integration. Once FIM powered by MDE is public, the FIM powered by AMA experience in the Defender for Cloud portal will be removed. In November, FIM powered by MMA will be deprecated.
#### Migration from FIM over AMA
After you disable the file events collection using one of the methods above:
If you currently use FIM over the Log Analytics Agent (MMA): -- File Integrity Monitoring based on Log Analytics Agent (MMA) will be deprecated in October 2024.
+- File Integrity Monitoring based on Log Analytics Agent (MMA) will be deprecated at he end of November 2024.
+ - Microsoft Defender for Cloud recommends disabling FIM over MMA, and onboarding your environment to the new FIM version based on Defender for Endpoint upon release. #### Disabling FIM over MMA
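Review bot: typo in the new FIM bullet: "deprecated at he end of November 2024" should read "at the end of November 2024". In the summary table row "Functionality with the MDE unified agent is GA", the MDE abbreviation is used before it is defined (Microsoft Defender for Endpoint (MDE) is first spelled out in the FIM section below); either spell it out here or define it on first use. Also check that the following bullet ("- Microsoft Defender for Cloud recommends disabling FIM over MMA...") is indented at the same level as the deprecation bullet so it does not render as a nested item.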
defender-for-cloud Recommendations Reference Ai https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/recommendations-reference-ai.md
This recommendation replaces the old recommendation *Cognitive Services accounts
**Description**: By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service resource. -- This recommendation is covered by another networking recommendation for Azure AI services - [Cognitive Services accounts should restrict network access](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/f738efb8-005f-680d-3d43-b3db762d6243/showSecurityCenterCommandBar%7E/false).-- The Cognitive Services accounts should restrict network access recommendation is now in turn replaced by a new one (Azure AI Services should restrict network access).-- This recommendation replaces the old recommendation *Cognitive Services accounts should restrict network access*. It was formerly in category Cognitive Services and Cognitive Search, and was updated to comply with the Azure AI Services naming format and align with the relevant resources. -- The related policy definition [Cognitive Services accounts should disable public network access](https://ms.portal.azure.com/?feature.msaljs=true#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) has been removed from the regulatory compliance dashboard.--
+This recommendation replaces the old recommendation *Cognitive Services accounts should restrict network access*. It was formerly in category Cognitive Services and Cognitive Search, and was updated to comply with the Azure AI Services naming format and align with the relevant resources.
**Severity**: Medium
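Review bot: the replacement paragraph drops the statement that the related policy definition "Cognitive Services accounts should disable public network access" has been removed from the regulatory compliance dashboard, as well as the note that the recommendation is covered by another networking recommendation. If the removal is intentional because those facts now live elsewhere, fine; otherwise readers tracking compliance-dashboard changes lose the only notice of that removal, so consider keeping a one-line pointer to where it is documented.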
defender-for-cloud Recommendations Reference Data https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/recommendations-reference-data.md
Secure your storage account with greater flexibility using customer-managed keys
**Severity**: Low
-### [Cognitive Services accounts should have local authentication methods disabled](recommendations-reference-data.md)
--
-**Description**: Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/cs/auth. (Related policy: Cognitive Services accounts should have local authentication methods disabled).
-
-**Severity**: Low
--
-### [Cognitive Services accounts should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/f738efb8-005f-680d-3d43-b3db762d6243)
-
-**Description**: Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.
-(Related policy: [Cognitive Services accounts should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2f037eea7a-bd0a-46c5-9a66-03aea78705d3)).
-
-**Severity**: Medium
- ### [Cognitive Services accounts should use customer owned storage or enable data encryption](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/aa395469-1687-78a7-bf76-f4614ef72977) **Description**: This policy audits any Cognitive Services account not using customer owned storage nor data encryption. For each Cognitive Services account with storage, use either customer owned storage or enable data encryption. Aligns with Microsoft Cloud Security Benchmark.
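Review bot: three Cognitive Services recommendations are removed from this data reference, but only "Cognitive Services accounts should restrict network access" has a visible successor in the recommendations-reference-ai.md hunk above ("This recommendation replaces the old recommendation *Cognitive Services accounts should restrict network access*"). Confirm that "Cognitive Services accounts should have local authentication methods disabled" was relocated to the AI reference rather than dropped, since it is the only item here covering authentication (requiring Entra identities instead of local keys) and its loss would silently remove an identity-hardening check from the reference.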
defender-for-cloud Release Notes Archive https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/release-notes-archive.md
This page provides you with information about features, fixes, and deprecations
| January 24 | Preview | [Agentless container posture for GCP in Defender for Containers and Defender CSPM](#preview-agentless-container-posture-for-gcp-in-defender-for-containers-and-defender-cspm). | | January 16 | Preview | [Agentless malware scanning for servers](#preview-agentless-malware-scanning-for-servers).| | January 15 | GA | [Defender for Cloud's integration with Microsoft Defender XDR](#general-availability-of-defender-for-clouds-integration-with-microsoft-defender-xdr). |
-| January 14 | Update |[Update to agentless VM scanning built-in Azure role](#update-agentless-vm-scanning-built-in-azure-role)<br/><br/> Expected: March 2024 |
+| January 14 | Update |[Update to agentless VM scanning built-in Azure role](#update-agentless-vm-scanning-built-in-azure-role)<br/><br/> Expected: March 2024 |
| January 12 | Update |[DevOps security Pull Request annotations are now enabled by default for Azure DevOps connectors](#update-devops-security-pull-request-annotations-enabled-by-default-for-azure-devops-connectors). |
-| January 9 | Deprecation |[Defender for Servers built-in vulnerability assessment (Qualys) retirement path](#deprecation-defender-for-servers-built-in-vulnerability-assessment-qualys-retirement-path).<br/><br/> Expected: May 2024 |
-| January 3 | Upcoming update |[Upcoming change for the Defender for CloudΓÇÖs multicloud network requirements](#update-defender-for-clouds-multicloud-network-requirements).<br/><br/> Expected: May 2024. |
+| January 9 | Deprecation |[Defender for Servers built-in vulnerability assessment (Qualys) retirement path](#deprecation-defender-for-servers-built-in-vulnerability-assessment-qualys-retirement-path).<br/><br/> Expected: May 2024 |
+| January 3 | Upcoming update |[Upcoming change for the Defender for CloudΓÇÖs multicloud network requirements](#update-defender-for-clouds-multicloud-network-requirements).<br/><br/> Expected: May 2024. |
### Update: New insight for active repositories in Cloud Security Explorer
The list is applicable to all plans and sufficient for full capability of the CS
| December 13 | [General availability (GA) support for PostgreSQL Flexible Server in Defender for open-source relational databases plan](#general-availability-support-for-postgresql-flexible-server-in-defender-for-open-source-relational-databases-plan) | | December 12 | [Container vulnerability assessment powered by Microsoft Defender Vulnerability Management now supports Google Distroless](#container-vulnerability-assessment-powered-by-microsoft-defender-vulnerability-management-now-supports-google-distroless) | --- ### Consolidation of Defender for Cloud's Service Level 2 names December 30, 2023
Vulnerability assessment (VA) for Linux container images in Azure container regi
Qualys recommendations for Containers Vulnerability Assessment have been renamed and continue to be available for customers who enabled Defender for Containers on any of their subscriptions prior to this release. New customers onboarding Defender for Containers after this release will only see the new Container vulnerability assessment recommendations powered by Microsoft Defender Vulnerability Management. - ### Public preview of Windows support for Containers Vulnerability Assessment powered by Microsoft Defender Vulnerability Management December 14, 2023
Container vulnerability assessments powered by Microsoft Defender Vulnerability
For a list of all supported operating systems, see [Registries and images support for Azure - Vulnerability assessment powered by Microsoft Defender Vulnerability Management](support-matrix-defender-for-containers.md#registries-and-images-support-for-azurevulnerability-assessment-powered-by-microsoft-defender-vulnerability-management). -- ## November 2023 | Date | Update |
Here's a table of the new alerts.
| **Suspicious usage of a Desired State Configuration (DSC) extension was detected on your virtual machines (Preview)**<br>(VM_DSCExtensionSuspiciousUsage) | Suspicious usage of a Desired State Configuration (DSC) extension was detected on your virtual machines by analyzing the Azure Resource Manager operations in your subscription. Attackers might use the Desired State Configuration (DSC) extension to deploy malicious configurations, such as persistence mechanisms, malicious scripts, and more, with high privileges, on your virtual machines. This activity is deemed suspicious as the principal's behavior departs from its usual patterns, and due to the high number of the extension installations. | Impact | Low | | **Custom script extension with a suspicious script was detected on your virtual machine (Preview)**<br>(VM_CustomScriptExtensionSuspiciousCmd)<br>*(This alert already exists and has been improved with more enhanced logic and detection methods.)* | Custom script extension with a suspicious script was detected on your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Attackers might use Custom script extension to execute malicious code with high privileges on your virtual machine via the Azure Resource Manager. The script is deemed suspicious as certain parts were identified as being potentially malicious. | Execution | High |
- See the [extension-based alerts in Defender for Servers](alerts-reference.md#alerts-for-azure-vm-extensions).
+ See the [extension-based alerts in Defender for Servers](alerts-azure-vm-extensions.md).
For a complete list of alerts, see the [reference table for all security alerts in Microsoft Defender for Cloud](alerts-reference.md).
Updates in July include:
| July 9 | [Support for disabling specific vulnerability findings](#support-for-disabling-specific-vulnerability-findings) | | July 1 | [Data Aware Security Posture is now Generally Available](#data-aware-security-posture-is-now-generally-available) |
-### Preview release of containers vulnerability assessment with Microsoft Defender Vulnerability Management
+### Preview release of containers vulnerability assessment with Microsoft Defender Vulnerability Management
July 31, 2023
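Review bot: the removed and added `### Preview release of containers vulnerability assessment with Microsoft Defender Vulnerability Management` lines are identical as rendered here, so this hunk is either a trailing-whitespace or invisible-character fix or plain churn; if it is the former, say so in the commit message, otherwise drop the hunk so the blame history for the heading stays clean.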
Updates in May include:
|||:-:|| | **Unusual access to the key vault from a suspicious IP (Non-Microsoft or External)**<br>(KV_UnusualAccessSuspiciousIP) | A user or service principal has attempted anomalous access to key vaults from a non-Microsoft IP in the last 24 hours. This anomalous access pattern might be legitimate activity. It could be an indication of a possible attempt to gain access of the key vault and the secrets contained within it. We recommend further investigations. | Credential Access | Medium |
-For all of the available alerts, see [Alerts for Azure Key Vault](alerts-reference.md#alerts-for-azure-key-vault).
+For all of the available alerts, see [Alerts for Azure Key Vault](alerts-azure-key-vault.md).
### Agentless scanning now supports encrypted disks in AWS
Defender for Resource Manager has the following new alert:
|||:-:|| | **PREVIEW - Suspicious creation of compute resources detected**<br>(ARM_SuspiciousComputeCreation) | Microsoft Defender for Resource Manager identified a suspicious creation of compute resources in your subscription utilizing Virtual Machines/Azure Scale Set. The identified operations are designed to allow administrators to efficiently manage their environments by deploying new resources when needed. While this activity might be legitimate, a threat actor might utilize such operations to conduct crypto mining.<br> The activity is deemed suspicious as the compute resources scale is higher than previously observed in the subscription. <br> This can indicate that the principal is compromised and is being used with malicious intent. | Impact | Medium |
-You can see a list of all of the [alerts available for Resource Manager](alerts-reference.md#alerts-for-resource-manager).
+You can see a list of all of the [alerts available for Resource Manager](alerts-resource-manager.md).
### Three alerts in the Defender for Resource Manager plan have been deprecated
With this announcement, the runtime protection - threat detection (workload) is
Learn more about the Defender for Container's [feature availability](supported-machines-endpoint-solutions-clouds-containers.md).
-You can also review [all available alerts](alerts-reference.md#alerts-for-containerskubernetes-clusters).
+You can also review [all available alerts](alerts-containers.md).
Note, if you're using the preview version, the `AKS-AzureDefender` feature flag is no longer required.
The following preview alert is deprecated:
A new alert was created that provides this information and adds to it. In addition, the newer alerts (ARM_OperationFromSuspiciousIP, ARM_OperationFromSuspiciousProxyIP) don't require a license for Microsoft Defender for Cloud Apps (formerly known as Microsoft Cloud App Security).
-See more alerts for [Resource Manager](alerts-reference.md#alerts-for-resource-manager).
+See more alerts for [Resource Manager](alerts-resource-manager.md).
### Moved the recommendation Vulnerabilities in container security configurations should be remediated from the secure score to best practices
For more information, see:
- [Threat matrix for storage services](https://www.microsoft.com/security/blog/2021/04/08/threat-matrix-for-storage/) - [Overview of Microsoft Defender for Storage](defender-for-storage-introduction.md)-- [List of alerts provided by Microsoft Defender for Storage](alerts-reference.md#alerts-for-azure-storage)
+- [List of alerts provided by Microsoft Defender for Storage](alerts-azure-storage.md)
### Improvements to alerts for Microsoft Defender for Storage
For more information, see:
- [Threat matrix for storage services](https://www.microsoft.com/security/blog/2021/04/08/threat-matrix-for-storage/) - [Introduction to Microsoft Defender for Storage](defender-for-storage-introduction.md)-- [List of alerts provided by Microsoft Defender for Storage](alerts-reference.md#alerts-for-azure-storage)
+- [List of alerts provided by Microsoft Defender for Storage](alerts-azure-storage.md)
### 'PortSweeping' alert removed from network layer alerts
These alerts are generated based on a new machine learning model and Kubernetes
| **Anomalous pod deployment (Preview)**<br>(K8S_AnomalousPodDeployment) | Kubernetes audit log analysis detected pod deployment that is anomalous, based on previous pod deployment activity. This activity is considered an anomaly when taking into account how the different features seen in the deployment operation are in relations to one another. The features monitored by this analytics include the container image registry used, the account performing the deployment, day of the week, how often does this account performs pod deployments, user agent used in the operation, is this a namespace which is pod deployment occur to often, or other feature. Top contributing reasons for raising this alert as anomalous activity are detailed under the alert extended properties. | Execution | Medium | | **Excessive role permissions assigned in Kubernetes cluster (Preview)**<br>(K8S_ServiceAcountPermissionAnomaly) | Analysis of the Kubernetes audit logs detected an excessive permissions role assignment to your cluster. From examining role assignments, the listed permissions are uncommon to the specific service account. This detection considers previous role assignments to the same service account across clusters monitored by Azure, volume per permission, and the impact of the specific permission. The anomaly detection model used for this alert takes into account how this permission is used across all clusters monitored by Azure Defender. | Privilege Escalation | Low |
-For a full list of the Kubernetes alerts, see [Alerts for Kubernetes clusters](alerts-reference.md#alerts-for-containerskubernetes-clusters).
+For a full list of the Kubernetes alerts, see [Alerts for Kubernetes clusters](alerts-containers.md).
## September 2021
For more information, see:
- [Introduction to Azure Defender for Key Vault](defender-for-resource-manager-introduction.md) - [Respond to Azure Defender for Key Vault alerts](defender-for-key-vault-usage.md)-- [List of alerts provided by Azure Defender for Key Vault](alerts-reference.md#alerts-for-azure-key-vault)
+- [List of alerts provided by Azure Defender for Key Vault](alerts-azure-key-vault.md)
### Recommendations to encrypt with customer-managed keys (CMKs) disabled by default
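Review bot: the context line just above the changed link, `[Introduction to Azure Defender for Key Vault](defender-for-resource-manager-introduction.md)`, sends the Key Vault introduction to the Resource Manager page. The sibling link on the same line uses `defender-for-key-vault-usage.md`, so the intended target is presumably `defender-for-key-vault-introduction.md` (my inference from the naming pattern, not something this diff shows); since the hunk already touches this list, fix the wrong cross-reference here rather than leaving it in the archive.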
Changed to this alert:
Any suppression rules that refer to alerts beginning "AKS_" were automatically converted. If you've setup SIEM exports, or custom automation scripts that refer to Kubernetes alerts by alert type, you'll need to update them with the new alert types.
-For a full list of the Kubernetes alerts, see [Alerts for Kubernetes clusters](alerts-reference.md#alerts-for-containerskubernetes-clusters).
+For a full list of the Kubernetes alerts, see [Alerts for Kubernetes clusters](alerts-containers.md).
### Deprecated two recommendations from "Apply system updates" security control
These new protections greatly enhance your resiliency against attacks from threa
- **Azure Defender for Resource Manager** - automatically monitors all resource management operations performed in your organization. For more information, see: - [Introduction to Azure Defender for Resource Manager](defender-for-resource-manager-introduction.md) - [Respond to Azure Defender for Resource Manager alerts](defender-for-resource-manager-usage.md)
- - [List of alerts provided by Azure Defender for Resource Manager](alerts-reference.md#alerts-for-resource-manager)
+ - [List of alerts provided by Azure Defender for Resource Manager](alerts-resource-manager.md)
- **Azure Defender for DNS** - continuously monitors all DNS queries from your Azure resources. For more information, see: - [Introduction to Azure Defender for DNS](defender-for-dns-introduction.md) - [Respond to Azure Defender for DNS alerts](defender-for-dns-usage.md)
- - [List of alerts provided by Azure Defender for DNS](alerts-reference.md#alerts-for-dns)
+ - [List of alerts provided by Azure Defender for DNS](alerts-dns.md)
To simplify the process of enabling these plans, use the recommendations:
For more information, see:
- [Introduction to Azure Defender for Resource Manager](defender-for-resource-manager-introduction.md) - [Respond to Azure Defender for Resource Manager alerts](defender-for-resource-manager-usage.md)-- [List of alerts provided by Azure Defender for Resource Manager](alerts-reference.md#alerts-for-resource-manager)
+- [List of alerts provided by Azure Defender for Resource Manager](alerts-resource-manager.md)
### CI/CD vulnerability scanning of container images with GitHub workflows and Azure Defender (preview)
The following two recommendations were deprecated and the changes might result i
We recommend checking your continuous export and workflow automation configurations to see whether these recommendations are included in them. Also, any dashboards or other monitoring tools that might be using them should be updated accordingly. - ### Azure Defender for SQL on machine tile removed from Azure Defender dashboard The Azure Defender dashboard's coverage area includes tiles for the relevant Azure Defender plans for your environment. Due to an issue with the reporting of the numbers of protected and unprotected resources, we've decided to temporarily remove the resource coverage status for **Azure Defender for SQL on machines** until the issue is resolved.
When you're reviewing the details of a recommendation, it's often helpful to be
Use this link to view the policy definition and review the evaluation logic. -- ### SQL data classification recommendation no longer affects your secure score The recommendation **Sensitive data in your SQL databases should be classified** no longer affects your secure score. The security control **Apply data classification** that contains it now has a secure score value of 0.
Azure Defender for App Service now detects dangling DNS entries when an App Serv
Learn more: -- [App Service alert reference table](alerts-reference.md#alerts-for-azure-app-service) - Includes two new Azure Defender alerts that trigger when a dangling DNS entry is detected
+- [App Service alert reference table](alerts-azure-app-service.md) - Includes two new Azure Defender alerts that trigger when a dangling DNS entry is detected
- [Prevent dangling DNS entries and avoid subdomain takeover](../security/fundamentals/subdomain-takeover.md) - Learn about the threat of subdomain takeover and the dangling DNS aspect - [Introduction to Azure Defender for App Service](defender-for-app-service-introduction.md)
These new protections greatly enhance your resiliency against attacks from threa
- **Azure Defender for Resource Manager** - automatically monitors all resource management operations performed in your organization. For more information, see: - [Introduction to Azure Defender for Resource Manager](defender-for-resource-manager-introduction.md) - [Respond to Azure Defender for Resource Manager alerts](defender-for-resource-manager-usage.md)
- - [List of alerts provided by Azure Defender for Resource Manager](alerts-reference.md#alerts-for-resource-manager)
+ - [List of alerts provided by Azure Defender for Resource Manager](alerts-resource-manager.md)
- **Azure Defender for DNS** - continuously monitors all DNS queries from your Azure resources. For more information, see: - [Introduction to Azure Defender for DNS](defender-for-dns-introduction.md) - [Respond to Azure Defender for DNS alerts](defender-for-dns-usage.md)
- - [List of alerts provided by Azure Defender for DNS](alerts-reference.md#alerts-for-dns)
+ - [List of alerts provided by Azure Defender for DNS](alerts-dns.md)
### New security alerts page in the Azure portal (preview)
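Review bot: this Resource Manager / DNS link block is a verbatim copy of the one earlier in this diff, and both copies are rewritten identically here, which is correct; but two hand-maintained copies of the same four links is exactly how the stale `alerts-reference.md#...` anchors accumulated, so if the archive keeps both sections, consider moving the shared list into an include so the next rename touches one place.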
Learn more about [Azure Firewall](https://azure.microsoft.com/services/azure-fir
The recommendation **Authorized IP ranges should be defined on Kubernetes Services** now has a quick fix option. -- :::image type="content" source="./media/release-notes/authorized-ip-ranges-recommendation.png" alt-text="The authorized IP ranges should be defined on Kubernetes Services recommendation with the quick fix option."::: ### Regulatory compliance dashboard now includes option to remove standards
The recommendations also include the quick fix capability.
> > For example, if you don't have any Azure Kubernetes Service clusters in your subscription and you enable the threat protection, no charges will be incurred. If, in the future, you add a cluster on the same subscription, it will automatically be protected and charges will begin at that time. -- Learn more about [threat protection in Azure Security Center](azure-defender.md). ### Container security improvements - faster registry scanning and refreshed documentation
As part of the continuous investments in the container security domain, we are h
To improve the clarity and guidance regarding Azure Security Center's container security capabilities, we've also refreshed the container security documentation pages. - ### Adaptive application controls updated with a new recommendation and support for wildcards in path rules The adaptive application controls feature has received two significant updates:
The adaptive application controls feature has received two significant updates:
- Using a wildcard in the middle of a path to enable a known executable name with a changing folder name (e.g. personal user folders with a known executable, automatically generated folder names, etc.). - ### Six policies for SQL advanced data security deprecated Six policies related to advanced data security for SQL machines are being deprecated:
These new recommendations will appear in the same four security controls as the
The recommendations also include the Quick fix capability to accelerate the deployment process. -- Learn more about how Azure Security Center uses the agent in [What is the Log Analytics agent?](./faq-data-collection-agents.yml#what-is-the-log-analytics-agent-). Learn more about [extensions for Azure Arc machines](../azure-arc/servers/manage-vm-extensions.md).
The "implement security best practices" security control now includes the follow
An existing recommendation, **Internet-facing virtual machines should be protected with network security groups**, didn't distinguish between internet-facing and non-internet facing VMs. For both, a high-severity recommendation was generated if a VM wasn't assigned to a network security group. This new recommendation separates the non-internet-facing machines to reduce the false positives and avoid unnecessary high-severity alerts. - ### New policies for enabling threat protection and advanced data security The new policy definitions below were added to the ASC Default initiative and are designed to assist with enabling threat protection or advanced data security for the relevant resource types.
Examples of identity and access recommendations include:
If you have subscriptions on the free pricing tier, their secure scores will be impacted by this change because they were never assessed for their identity and access security. -- ## March 2020 Updates in March include:
Two security recommendations related to web applications are being deprecated:
These recommendations will no longer appear in the Security Center list of recommendations. The related policies will no longer be included in the initiative named "Security Center Default". -- ## February 2020 ### Fileless attack detection for Linux (preview)
This operation will allow you to select the resources you want to apply the reme
Quick fix is generally available today customers as part of the Security Center recommendations page. - ### Scan container images for vulnerabilities (preview) Azure Security Center can now scan container images in Azure Container Registry for vulnerabilities.
In order to simplify remediation of security misconfigurations and help you to q
This operation will allow you to select the resources you want to apply the remediation to and launch a remediation action that will configure the setting on your behalf. -- ### Cross-tenant management Security Center now supports cross-tenant management scenarios as part of Azure Lighthouse. This enables you to gain visibility and manage the security posture of multiple tenants in Security Center.
Security Center now supports cross-tenant management scenarios as part of Azure
Azure Security Center (ASC) has launched new networking recommendations and improved some existing ones. Now, using Security Center ensures even greater networking protection for your resources. - ## June 2019 ### Adaptive network hardening - generally available One of the biggest attack surfaces for workloads running in the public cloud are connections to and from the public Internet. Our customers find it hard to know which Network Security Group (NSG) rules should be in place to make sure that Azure workloads are only available to required source ranges. With this feature, Security Center learns the network traffic and connectivity patterns of Azure workloads and provides NSG rule recommendations, for Internet facing virtual machines. This helps our customer better configure their network access policies and limit their exposure to attacks.--
defender-for-cloud Release Notes Recommendations Alerts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/release-notes-recommendations-alerts.md
New and updated recommendations and alerts are added to the table in date order.
| January 25 | Alert (Azure network layer) | Update to informational | `Possible incoming SMTP brute force attempts detected (Generic_Incoming_BF_OneToOne)` | | January 25 | Alert (Azure network layer) | Update to informational | `Traffic detected from IP addresses recommended for blocking (Network_TrafficFromUnrecommendedIP)` | | January 25 | Alert (Azure Resource Manager) | Update to informational | `Privileged custom role created for your subscription in a suspicious way (Preview)(ARM_PrivilegedRoleDefinitionCreation)` |
-| January 4 | Recommendation | Preview | [Cognitive Services accounts should have local authentication methods disabled](recommendations-reference-data.md#cognitive-services-accounts-should-have-local-authentication-methods-disabled)<br/> Microsoft Cloud Security Benchmark |
-| January 4 | Recommendation preview | [Cognitive Services should use private link](recommendations-reference-data.md#cognitive-services-should-use-private-link)<br/> Microsoft Cloud Security Benchmark | |
+| January 4 | Recommendation | Preview | Cognitive Services accounts should have local authentication methods disabled<br/> Microsoft Cloud Security Benchmark |
+| January 4 | Recommendation preview | Cognitive Services should use private link<br/> Microsoft Cloud Security Benchmark | |
| January 4 | Recommendation | Preview | [Virtual machines and virtual machine scale sets should have encryption at host enabled](recommendations-reference-compute.md#virtual-machines-and-virtual-machine-scale-sets-should-have-encryption-at-host-enabled)<br/> Microsoft Cloud Security Benchmark | | January 4 | Recommendation | Preview | [Azure Cosmos DB should disable public network access](recommendations-reference-data.md#azure-cosmos-db-should-disable-public-network-access)<br/> Microsoft Cloud Security Benchmark | | January 4 | Recommendation | Preview | [Cosmos DB accounts should use private link](recommendations-reference-data.md#cosmos-db-accounts-should-use-private-link)<br/> Microsoft Cloud Security Benchmark |
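Review bot: the second changed row still reads `| January 4 | Recommendation preview | Cognitive Services should use private link<br/> Microsoft Cloud Security Benchmark | |`, missing the separator between `Recommendation` and `Preview` and carrying an empty trailing cell, so it renders out of alignment with every other row in the table; while de-linking it, correct it to `| January 4 | Recommendation | Preview | Cognitive Services should use private link<br/> Microsoft Cloud Security Benchmark |`. The commit should also say why the two Cognitive Services rows lose their links into `recommendations-reference-data.md` while the Cosmos DB and encryption-at-host rows on the same date keep theirs; if the anchors went away because the recommendations were renamed, the table should carry the new name rather than an unlinked old one.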
defender-for-cloud Support Matrix Defender For Servers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/support-matrix-defender-for-servers.md
This table summarizes Azure cloud support for Defender for Servers features.
| [Adaptive network hardening](./adaptive-network-hardening.md) | GA | NA | NA | | [Docker host hardening](./harden-docker-hosts.md) | GA | GA | GA | | [Agentless secret scanning](secrets-scanning.md) | GA | NA | NA |
-| [Agentless malware scanning](agentless-malware-scanning.md) | Preview | NA | NA |
+| [Agentless malware scanning](agentless-malware-scanning.md) | Preview | NA | NA |
| [Endpoint detection and response](endpoint-detection-response.md) | Preview | NA | NA | ## Windows machine support
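Review bot: the removed and added `| [Agentless malware scanning](agentless-malware-scanning.md) | Preview | NA | NA |` rows are identical as shown; if this is a trailing-whitespace or non-breaking-space fix, note it in the commit, otherwise the hunk is churn and should be dropped. If the intent was to change the status column of a support matrix row, the value was not actually changed.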
The following table shows feature support for Windows machines in Azure, Azure A
|--|:-:|:-:|:-:| | [Microsoft Defender for Endpoint integration](integration-defender-for-endpoint.md) | Γ£ö</br> Available on: Windows Server 2022, 2019, 2016, 2012 R2, 2008 R2 SP1, [Windows 10/11 Enterprise multi-session](../virtual-desktop/windows-10-multisession-faq.yml) (formerly Enterprise for Virtual Desktops)<br>Not available on: Azure VMs running Windows 10 or Windows 11 (except if running Windows 10/11 Enterprise multi-session) | Γ£ö | Yes | | [Virtual machine behavioral analytics (and security alerts)](alerts-reference.md) | Γ£ö | Γ£ö | Yes |
-| [Fileless security alerts](alerts-reference.md#alerts-for-windows-machines) | Γ£ö | Γ£ö | Yes |
+| [Fileless security alerts](alerts-windows-machines.md) | Γ£ö | Γ£ö | Yes |
| [Network-based security alerts](other-threat-protections.md#network-layer) | Γ£ö | - | Yes | | [Just-in-time VM access](just-in-time-access-usage.yml) | Γ£ö | - | Yes | | [Integrated Qualys vulnerability scanner](deploy-vulnerability-assessment-vm.md#overview-of-the-integrated-vulnerability-scanner) | Γ£ö | Γ£ö | Yes |
The following table shows feature support for Linux machines in Azure, Azure Arc
|--|:-:|:-:|:-:| | [Microsoft Defender for Endpoint integration](integration-defender-for-endpoint.md) | Γ£ö <br> ([supported versions](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-linux)) | Γ£ö | Yes | | [Virtual machine behavioral analytics (and security alerts)](./azure-defender.md) | Γ£ö</br> Supported versions | Γ£ö | Yes |
-| [Fileless security alerts](alerts-reference.md#alerts-for-windows-machines) | - | - | Yes |
+| [Fileless security alerts](alerts-windows-machines.md) | - | - | Yes |
| [Network-based security alerts](other-threat-protections.md#network-layer) | Γ£ö | - | Yes | | [Just-in-time VM access](just-in-time-access-usage.yml) | Γ£ö | - | Yes | | [Integrated Qualys vulnerability scanner](deploy-vulnerability-assessment-vm.md#overview-of-the-integrated-vulnerability-scanner) | Γ£ö | Γ£ö | Yes |
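Review bot: this is the Linux machine table, yet the fileless row now links `alerts-windows-machines.md`; with `alerts-reference.md` split into per-platform pages, the Linux row should point at the Linux alerts page (presumably `alerts-linux-machines.md`, following the naming of the Windows page; not shown in this diff), or, since the row shows `-` for both Azure and Azure Arc machines, drop the link rather than send Linux readers to Windows alert descriptions. Smaller point: the `Virtual machine behavioral analytics` row just above links `./azure-defender.md` while the Windows table links `alerts-reference.md` for the same feature; align the two.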
The following table shows feature support for AWS and GCP machines.
|--|:-:| | [Microsoft Defender for Endpoint integration](integration-defender-for-endpoint.md) | Γ£ö | Γ£ö | | [Virtual machine behavioral analytics (and security alerts)](alerts-reference.md) | Γ£ö | Γ£ö |
-| [Fileless security alerts](alerts-reference.md#alerts-for-windows-machines) | Γ£ö | Γ£ö |
+| [Fileless security alerts](alerts-windows-machines.md) | Γ£ö | Γ£ö |
| [Network-based security alerts](other-threat-protections.md#network-layer) | - | - | | [Just-in-time VM access](just-in-time-access-usage.yml) | Γ£ö | - | | [Integrated Qualys vulnerability scanner](deploy-vulnerability-assessment-vm.md#overview-of-the-integrated-vulnerability-scanner) | Γ£ö | Γ£ö |
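Review bot: the AWS and GCP table covers both Windows and Linux machines, but the fileless row links only `alerts-windows-machines.md`; either link both per-platform alert pages or keep the index page `alerts-reference.md` that the `Virtual machine behavioral analytics` row two lines up already uses.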
defender-for-cloud Tenant Wide Permissions Management https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/tenant-wide-permissions-management.md
To request elevated permissions from your global administrator:
After the global administrator selects **Review the request** and completes the process, the decision is emailed to the requesting user.
+## Removing permissions
+
+To remove permissions from the root tenant group, follow these steps:
+
+1. Go to the Azure portal.
+1. In the Azure portal, search for **Management Groups** in the search bar at the top.
+1. In the **Management Groups** pane, find and select the **Tenant Root Group** from the list of management groups.
+1. Once inside the **Tenant Root Group**, select **Access Control (IAM)** in the left-hand menu.
+1. In the **Access Control (IAM)** pane, select the **Role assignments** tab. This shows a list of all role assignments for the **Tenant Root Group**.
+1. Review the list of role assignments to identify which one you need to remove.
+1. Select the role assignment you want to remove (**Security admin** or **Security reader**) and select **Remove**. Ensure you have the necessary permissions to make changes to role assignments in the **Tenant Root Group**.
+ ## Next steps Learn more about Defender for Cloud permissions in the following related page:
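Review bot: step 7's "Ensure you have the necessary permissions" should name them: deleting a role assignment requires `Microsoft.Authorization/roleAssignments/delete` at the Tenant Root Group scope, which the Owner and User Access Administrator roles carry, and which a Global Administrator only obtains by first elevating access to User Access Administrator at the root scope. Two smaller points: the built-in roles are displayed as **Security Admin** and **Security Reader**, matching the casing the portal shows in the Role assignments tab; and a CLI equivalent would help anyone scripting the cleanup, for example `az role assignment delete --assignee <object-id> --role "Security Admin" --scope /providers/Microsoft.Management/managementGroups/<tenant-id>` (the Tenant Root Group's management group name is the tenant ID). Removing the assignment at the root does not touch assignments made directly on individual subscriptions or management groups, which is worth one sentence so readers do not assume a single removal revokes everything.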
defender-for-cloud Troubleshooting Guide https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/troubleshooting-guide.md
Defender for Cloud uses connectors to collect monitoring data from Amazon Web Se
- Make sure that the subscription associated with the connector is selected in the subscription filter located in the **Directories + subscriptions** section of the Azure portal. - Standards should be assigned on the security connector. To check, go to **Environment settings** on the Defender for Cloud left menu, select the connector, and then select **Settings**. If no standards are assigned, select the three dots to check if you have permissions to assign standards. - A connector resource should be present in Azure Resource Graph. Use the following Resource Graph query to check: `resources | where ['type'] =~ "microsoft.security/securityconnectors"`.-- Make sure that sending Kubernetes audit logs is enabled on the AWS or GCP connector so that you can get [threat detection alerts for the control plane](alerts-reference.md#alerts-for-containerskubernetes-clusters).
+- Make sure that sending Kubernetes audit logs is enabled on the AWS or GCP connector so that you can get [threat detection alerts for the control plane](alerts-containers.md).
- Make sure that the Microsoft Defender sensor and the Azure Policy for Azure Arc-enabled Kubernetes extensions were installed successfully to your Amazon Elastic Kubernetes Service (EKS) and Google Kubernetes Engine (GKE) clusters. You can verify and install the agent with the following Defender for Cloud recommendations: - **EKS clusters should have Microsoft Defender's extension for Azure Arc installed** - **GKE clusters should have Microsoft Defender's extension for Azure Arc installed**
defender-for-cloud Zero Trust https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/zero-trust.md
# Zero Trust infrastructure and integrations Infrastructure comprises the hardware, software, micro-services, networking infrastructure, and facilities required to support IT services for an organization. Zero Trust infrastructure solutions assess, monitor, and prevent security threats to these services.
defender-for-iot Concept Zero Trust https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/concept-zero-trust.md
# Zero Trust and your OT networks Implement Zero Trust principles across your operational technology (OT) networks to help you with challenges, such as:
defender-for-iot Monitor Zero Trust https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/monitor-zero-trust.md
# Tutorial: Monitor your OT networks with Zero Trust principles Defender for IoT uses site and zone definitions across your OT network to ensure that you're maintaining network hygiene and keeping each subsystem separate and secure.
defender-for-iot Ot Appliance Sizing https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/ot-appliance-sizing.md
Use the following hardware profiles for production line monitoring, typically in
|Hardware profile |SPAN/TAP throughput |Max monitored assets |Deployment | ||||| |L500 | Up to 200 Mbps | 1,000 |Physical / Virtual |
-|L100 | Up to 60 Mbps | 800 | Physical / Virtual |
+|L100 | Up to 10 Mbps | 800 | Physical / Virtual |
> [!IMPORTANT] > Defender for IoT software versions require a minimum disk size of 100 GB. The L60 hardware profile, which only supports 60 GB of hard disk, has been deprecated.
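Review bot: changing the L100 profile's SPAN/TAP throughput from `Up to 60 Mbps` to `Up to 10 Mbps` is a six-fold reduction in a sizing figure customers use to select appliances, not a wording fix; the commit should state whether the old value was a documentation error or the profile's specification changed, and if existing deployments were sized against 60 Mbps, the IMPORTANT block that follows is the natural place for a sentence telling them what that means. Check also that every other page listing the L100 profile quotes the same 10 Mbps so the tables do not disagree.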
defender-for-iot Ot Pre Configured Appliances https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/ot-pre-configured-appliances.md
Last updated 04/08/2024
-# Pre-configured physical appliances for OT monitoring
+# Preconfigured physical appliances for OT monitoring
-This article is one in a series of articles describing the [deployment path](ot-deploy/ot-deploy-path.md) for OT monitoring with Microsoft Defender for IoT, and lists the catalog of the pre-configured appliances available for Microsoft Defender for IoT OT appliances. Use the links in the tables below to jump to articles with more details about each appliance.
+This article is one in a series of articles describing the [deployment path](ot-deploy/ot-deploy-path.md) for OT monitoring with Microsoft Defender for IoT, and lists the catalog of the preconfigured appliances available for Microsoft Defender for IoT OT appliances. Use the links in the tables below to jump to articles with more details about each appliance.
:::image type="content" source="media/deployment-paths/progress-plan-and-prepare.png" alt-text="Diagram of a progress bar with Plan and prepare highlighted." border="false" lightbox="media/deployment-paths/progress-plan-and-prepare.png":::
-Microsoft has partnered with [Arrow Electronics](https://www.arrow.com/) to provide pre-configured appliances. To purchase a pre-configured appliance, contact Arrow at: [hardware.sales@arrow.com](mailto:hardware.sales@arrow.com?cc=DIoTHardwarePurchase@microsoft.com&subject=Information%20about%20Microsoft%20Defender%20for%20IoT%20pre-configured%20appliances&body=Dear%20Arrow%20Representative,%0D%0DOur%20organization%20is%20interested%20in%20receiving%20quotes%20for%20Microsoft%20Defender%20for%20IoT%20appliances%20as%20well%20as%20fulfillment%20options.%0D%0DThe%20purpose%20of%20this%20communication%20is%20to%20inform%20you%20of%20a%20project%20which%20involves%20[NUMBER]%20sites%20and%20[NUMBER]%20sensors%20for%20[ORGANIZATION%20NAME].%20Having%20reviewed%20potential%20appliances%20suitable%20for%20our%20project,%20we%20would%20like%20to%20obtain%20more%20information%20about:%20___________%0D%0D%0DI%20would%20appreciate%20being%20contacted%20by%20an%20Arrow%20representative%20to%20receive%20a%20quote%20for%20the%20items%20mentioned%20above.%0DI%20understand%20the%20quote%20and%20appliance%20delivery%20shall%20be%20in%20accordance%20with%20the%20relevant%20Arrow%20terms%20and%20conditions%20for%20Microsoft%20Defender%20for%20IoT%20pre-configured%20appliances.%0D%0D%0DBest%20Regards,%0D%0D%0D%0D%0D%0D//////////////////////////////%20%0D/////////%20Replace%20[NUMBER]%20with%20appropriate%20values%20related%20to%20your%20request.%0D/////////%20Replace%20[ORGANIZATION%20NAME]%20with%20the%20name%20of%20the%20organization%20you%20represent.%0D//////////////////////////////%0D%0D).
+Microsoft has partnered with [Arrow Electronics](https://www.arrow.com/) to provide preconfigured appliances. To purchase a preconfigured appliance, contact Arrow at: [hardware.sales@arrow.com](mailto:hardware.sales@arrow.com?cc=DIoTHardwarePurchase@microsoft.com&subject=Information%20about%20Microsoft%20Defender%20for%20IoT%20pre-configured%20appliances&body=Dear%20Arrow%20Representative,%0D%0DOur%20organization%20is%20interested%20in%20receiving%20quotes%20for%20Microsoft%20Defender%20for%20IoT%20appliances%20as%20well%20as%20fulfillment%20options.%0D%0DThe%20purpose%20of%20this%20communication%20is%20to%20inform%20you%20of%20a%20project%20which%20involves%20[NUMBER]%20sites%20and%20[NUMBER]%20sensors%20for%20[ORGANIZATION%20NAME].%20Having%20reviewed%20potential%20appliances%20suitable%20for%20our%20project,%20we%20would%20like%20to%20obtain%20more%20information%20about:%20___________%0D%0D%0DI%20would%20appreciate%20being%20contacted%20by%20an%20Arrow%20representative%20to%20receive%20a%20quote%20for%20the%20items%20mentioned%20above.%0DI%20understand%20the%20quote%20and%20appliance%20delivery%20shall%20be%20in%20accordance%20with%20the%20relevant%20Arrow%20terms%20and%20conditions%20for%20Microsoft%20Defender%20for%20IoT%20pre-configured%20appliances.%0D%0D%0DBest%20Regards,%0D%0D%0D%0D%0D%0D//////////////////////////////%20%0D/////////%20Replace%20[NUMBER]%20with%20appropriate%20values%20related%20to%20your%20request.%0D/////////%20Replace%20[ORGANIZATION%20NAME]%20with%20the%20name%20of%20the%20organization%20you%20represent.%0D//////////////////////////////%0D%0D).
> [!NOTE] > This article also includes information relevant for on-premises management consoles. For more information, see the [Air-gapped OT sensor management deployment path](ot-deploy/air-gapped-deploy.md).
-## Advantages of pre-configured appliances
+## Advantages of preconfigured appliances
-Pre-configured physical appliances have been validated for Defender for IoT OT system monitoring, and have the following advantages over installing your own software:
+Preconfigured physical appliances have been validated for Defender for IoT OT system monitoring, and have the following advantages over installing your own software:
- **Performance** over the total assets monitored - **Compatibility** with new Defender for IoT releases, with validations for upgrades and driver support
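Review bot: the rename to "preconfigured" stops at the visible prose; the mailto subject and body on the changed line still carry "pre-configured" twice in the URL-encoded text, so the email a customer sends to Arrow keeps the old spelling. Either update the encoded text as well or leave a comment that it is intentional. Also, "Last updated 04/08/2024" is an unchanged context line in this hunk while the governance articles in this batch bump their dates, so the metadata won't reflect the edit.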
Pre-configured physical appliances have been validated for Defender for IoT OT s
## Appliances for OT network sensors
-You can [order](mailto:hardware.sales@arrow.com?cc=DIoTHardwarePurchase@microsoft.com&subject=Information%20about%20Microsoft%20Defender%20for%20IoT%20pre-configured%20appliances&body=Dear%20Arrow%20Representative,%0D%0DOur%20organization%20is%20interested%20in%20receiving%20quotes%20for%20Microsoft%20Defender%20for%20IoT%20appliances%20as%20well%20as%20fulfillment%20options.%0D%0DThe%20purpose%20of%20this%20communication%20is%20to%20inform%20you%20of%20a%20project%20which%20involves%20[NUMBER]%20sites%20and%20[NUMBER]%20sensors%20for%20[ORGANIZATION%20NAME].%20Having%20reviewed%20potential%20appliances%20suitable%20for%20our%20project,%20we%20would%20like%20to%20obtain%20more%20information%20about:%20___________%0D%0D%0DI%20would%20appreciate%20being%20contacted%20by%20an%20Arrow%20representative%20to%20receive%20a%20quote%20for%20the%20items%20mentioned%20above.%0DI%20understand%20the%20quote%20and%20appliance%20delivery%20shall%20be%20in%20accordance%20with%20the%20relevant%20Arrow%20terms%20and%20conditions%20for%20Microsoft%20Defender%20for%20IoT%20pre-configured%20appliances.%0D%0D%0DBest%20Regards,%0D%0D%0D%0D%0D%0D//////////////////////////////%20%0D/////////%20Replace%20[NUMBER]%20with%20appropriate%20values%20related%20to%20your%20request.%0D/////////%20Replace%20[ORGANIZATION%20NAME]%20with%20the%20name%20of%20the%20organization%20you%20represent.%0D//////////////////////////////%0D%0D) any of the following pre-configured appliances for monitoring your OT networks:
+You can [order](mailto:hardware.sales@arrow.com?cc=DIoTHardwarePurchase@microsoft.com&subject=Information%20about%20Microsoft%20Defender%20for%20IoT%20pre-configured%20appliances&body=Dear%20Arrow%20Representative,%0D%0DOur%20organization%20is%20interested%20in%20receiving%20quotes%20for%20Microsoft%20Defender%20for%20IoT%20appliances%20as%20well%20as%20fulfillment%20options.%0D%0DThe%20purpose%20of%20this%20communication%20is%20to%20inform%20you%20of%20a%20project%20which%20involves%20[NUMBER]%20sites%20and%20[NUMBER]%20sensors%20for%20[ORGANIZATION%20NAME].%20Having%20reviewed%20potential%20appliances%20suitable%20for%20our%20project,%20we%20would%20like%20to%20obtain%20more%20information%20about:%20___________%0D%0D%0DI%20would%20appreciate%20being%20contacted%20by%20an%20Arrow%20representative%20to%20receive%20a%20quote%20for%20the%20items%20mentioned%20above.%0DI%20understand%20the%20quote%20and%20appliance%20delivery%20shall%20be%20in%20accordance%20with%20the%20relevant%20Arrow%20terms%20and%20conditions%20for%20Microsoft%20Defender%20for%20IoT%20pre-configured%20appliances.%0D%0D%0DBest%20Regards,%0D%0D%0D%0D%0D%0D//////////////////////////////%20%0D/////////%20Replace%20[NUMBER]%20with%20appropriate%20values%20related%20to%20your%20request.%0D/////////%20Replace%20[ORGANIZATION%20NAME]%20with%20the%20name%20of%20the%20organization%20you%20represent.%0D//////////////////////////////%0D%0D) any of the following preconfigured appliances for monitoring your OT networks:
|Hardware profile |Appliance |SPAN/TAP throughput |Physical specifications | ||||| |**C5600** | [HPE ProLiant DL360](appliance-catalog/hpe-proliant-dl360.md) | **Max bandwidth**: Up to 3 Gbps <br>**Max devices**: 12K <br> 16C[32T] CPU/32G RAM/5.6TB | **Mounting**: 1U <br>**Ports**: 15x RJ45 or 8x SFP (OPT) |
-|**E1800** | [HPE ProLiant DL20 Gen10 Plus](appliance-catalog/hpe-proliant-dl20-plus-enterprise.md) (4SFF) <br><br> [Dell PowerEdge R350](appliance-catalog/dell-poweredge-r350-e1800.md) | **Max bandwidth**: Up to 1 Gbps<br>**Max devices**: 10K <br> 4C[8T] CPU/32G RAM/1.8TB | **Mounting**: 1U <br>**Ports**: 8x RJ45 or 6x SFP (OPT) |
+|**E1800** | [HPE ProLiant DL20 Gen10 Plus](appliance-catalog/hpe-proliant-dl20-plus-enterprise.md) (4SFF) | **Max bandwidth**: Up to 1 Gbps<br>**Max devices**: 10K <br> 4C[8T] CPU/32G RAM/1.8TB | **Mounting**: 1U <br>**Ports**: 8x RJ45 or 6x SFP (OPT) |
|**E500** | [Dell Edge 5200](appliance-catalog/dell-edge-5200.md) <br> (Rugged MIL-STD-810G) | **Max bandwidth**: Up to 1 Gbps<br>**Max devices**: 10K <br> 8C[8T] CPU/32G RAM/512GB | **Mounting**: Wall Mount<br>**Ports**: 3x RJ45 | |**L500** | [HPE ProLiant DL20 Gen10 Plus](appliance-catalog/hpe-proliant-dl20-plus-smb.md) <br> (NHP 2LFF) | **Max bandwidth**: Up to 200 Mbps<br>**Max devices**: 1,000 <br> 4C[8T] CPU/8G RAM/500GB | **Mounting**: 1U<br>**Ports**: 4x RJ45 | |**L100** | [YS-Techsystems YS-FIT2](appliance-catalog/ys-techsystems-ys-fit2.md) <br>(Rugged MIL-STD-810G) | **Max bandwidth**: Up to 10 Mbps <br>**Max devices**: 100 <br> 4C[4T] CPU/8G RAM/128GB | **Mounting**: DIN/VESA<br>**Ports**: 2x RJ45 |
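Review bot: the E1800 row silently drops the Dell PowerEdge R350, and the removed line was the only visible link to appliance-catalog/dell-poweredge-r350-e1800.md; check that the catalog article is redirected or marked as discontinued rather than left orphaned, and say in the row or in a note whether the appliance is withdrawn or merely no longer sold through Arrow, since customers who already run it will look for it here.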
digital-twins Concepts Ontologies Adopt https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/digital-twins/concepts-ontologies-adopt.md
Microsoft has partnered with domain experts to create DTDL model sets based on i
| Industry | Ontology repository | Description | Learn more | | | | | |
-| Smart buildings | [Digital Twins Definition Language-based RealEstateCore ontology for smart buildings](https://github.com/Azure/opendigitaltwins-building) | Microsoft has partnered with [RealEstateCore](https://www.realestatecore.io/) to deliver this open-source DTDL ontology for the real estate industry. [RealEstateCore](https://www.realestatecore.io/) is a consortium of real estate owners, software vendors, and research institutions.<br><br>This smart buildings ontology provides common ground for modeling smart buildings, using industry standards (like [BRICK Schema](https://brickschema.org/ontology/) or [W3C Building Topology Ontology](https://w3c-lbd-cg.github.io/bot/https://docsupdatetracker.net/index.html)) to avoid reinvention. The ontology also comes with best practices for how to consume and properly extend it. | You can read more about the partnership with RealEstateCore and goals for this initiative in the following blog post and embedded video: [RealEstateCore, a smart building ontology for digital twins, is now available](https://techcommunity.microsoft.com/t5/internet-of-things/realestatecore-a-smart-building-ontology-for-digital-twins-is/ba-p/1914794). |
+| Smart buildings | [Digital Twins Definition Language-based RealEstateCore ontology for smart buildings](https://github.com/Azure/opendigitaltwins-building) | Microsoft has partnered with [RealEstateCore](https://www.realestatecore.io/) to deliver this open-source DTDL ontology for the real estate industry. [RealEstateCore](https://www.realestatecore.io/) is a consortium of real estate owners, software vendors, and research institutions.<br><br>This smart buildings ontology provides common ground for modeling smart buildings, using industry standards (like [BRICK Schema](https://ontology.brickschema.org/) or [W3C Building Topology Ontology](https://w3c-lbd-cg.github.io/bot/https://docsupdatetracker.net/index.html)) to avoid reinvention. The ontology also comes with best practices for how to consume and properly extend it. | You can read more about the partnership with RealEstateCore and goals for this initiative in the following blog post and embedded video: [RealEstateCore, a smart building ontology for digital twins, is now available](https://techcommunity.microsoft.com/t5/internet-of-things/realestatecore-a-smart-building-ontology-for-digital-twins-is/ba-p/1914794). |
| Smart cities | [Digital Twins Definition Language (DTDL) ontology for Smart Cities](https://github.com/Azure/opendigitaltwins-smartcities) | Microsoft has collaborated with [Open Agile Smart Cities (OASC)](https://oascities.org/) and [Sirus](https://sirus.be/) to provide a DTDL-based ontology for smart cities, starting with [ETSI CIM NGSI-LD](https://www.etsi.org/committee/cim). | You can also read more about the partnerships and approach for smart cities in the following blog post and embedded video: [Smart Cities Ontology for Digital Twins](https://techcommunity.microsoft.com/t5/internet-of-things/smart-cities-ontology-for-digital-twins/ba-p/2166585). | | Energy grids | [Digital Twins Definition Language (DTDL) ontology for Energy Grid](https://github.com/Azure/opendigitaltwins-energygrid/) | This ontology was created to help solution providers accelerate development of digital twin solutions for energy use cases like monitoring grid assets, outage and impact analysis, simulation, and predictive maintenance. Additionally, the ontology can be used to enable the digital transformation and modernization of the energy grid. It's adapted from the [Common Information Model (CIM)](https://cimug.ucaiug.org/), a global standard for energy grid assets management, power system operations modeling, and physical energy commodity market. | You can also read more about the partnerships and approach for energy grids in the following blog post: [Energy Grid Ontology for Digital Twins](https://techcommunity.microsoft.com/t5/internet-of-things/energy-grid-ontology-for-digital-twins-is-now-available/ba-p/2325134). | | Manufacturing | [Manufacturing Ontologies](https://github.com/digitaltwinconsortium/ManufacturingOntologies) | These ontologies were created to help solution providers accelerate development of digital twin solutions for manufacturing use cases like asset condition monitoring, simulation, OEE calculation, and predictive maintenance. 
Additionally, the ontologies can be used to enable the digital transformation and modernization of factories and plants. They are adapted from [OPC UA](https://opcfoundation.org), [ISA95](https://www.isa.org/standards-and-publications/isa-standards/isa-standards-committees/isa95) and the [Asset Administration Shell](https://reference.opcfoundation.org/I4AAS/v100/docs/4.1), three global standards widely used in the manufacturing space. | Visit the repository to read more about this ontology and explore a sample solution for ingesting OPC UA data into Azure Digital Twins. |
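Review bot: the Brick link is fixed, but the W3C Building Topology Ontology link on the same changed line is malformed in both the old and new versions (`https://w3c-lbd-cg.github.io/bot/https://docsupdatetracker.net/index.html`, a second origin appended to the path), so a reader following it will not reach the BOT specification; it should be corrected in the same pass.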
digital-twins Concepts Ontologies Convert https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/digital-twins/concepts-ontologies-convert.md
This section contains sample converter code for RDF and OWL converters, which ca
There's a sample application available that converts an RDF-based model file to [DTDL Version 2 (v2)](https://github.com/Azure/opendigitaltwins-dtdl/blob/master/DTDL/v2/DTDL.v2.md). DTDL v2 is supported by Azure Digital Twins, but you can also follow [these instructions](how-to-manage-model.md#convert-v2-models-to-v3) to convert DTDL v2 models to the newer DTDL v3.
-The sample application has been validated for the [Brick](https://brickschema.org/ontology/) schema, and can be extended for other schemas in the building industry (such as [Building Topology Ontology (BOT)](https://w3c-lbd-cg.github.io/bot/), [Semantic Sensor Network](https://www.w3.org/TR/vocab-ssn/), or [buildingSmart Industry Foundation Classes (IFC)](https://technical.buildingsmart.org/standards/ifc/ifc-schema-specifications/)).
+The sample application has been validated for the [Brick](https://ontology.brickschema.org/) schema, and can be extended for other schemas in the building industry (such as [Building Topology Ontology (BOT)](https://w3c-lbd-cg.github.io/bot/), [Semantic Sensor Network](https://www.w3.org/TR/vocab-ssn/), or [buildingSmart Industry Foundation Classes (IFC)](https://technical.buildingsmart.org/standards/ifc/ifc-schema-specifications/)).
The sample is a [.NET Core command-line application called RdfToDtdlConverter](/samples/azure-samples/rdftodtdlconverter/digital-twins-model-conversion-samples/).
digital-twins How To Create App Registration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/digital-twins/how-to-create-app-registration.md
Use these steps to create the role assignment for your registration.
| Members > Assign access to | User, group, or service principal | | Members > Members | **+ Select members**, then search for the name of the app registration |
- :::image type="content" source="../../includes/role-based-access-control/media/add-role-assignment-page.png" alt-text="Screenshot of the Roles tab in the Add role assignment page." lightbox="../../includes/role-based-access-control/media/add-role-assignment-page.png":::
+ :::image type="content" source="~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-page.png" alt-text="Screenshot of the Roles tab in the Add role assignment page." lightbox="~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-page.png":::
:::image type="content" source="media/how-to-create-app-registration/add-role.png" alt-text="Screenshot of the Members tab in the Add role assignment page." lightbox="media/how-to-create-app-registration/add-role.png":::
digital-twins How To Create Endpoints https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/digital-twins/how-to-create-endpoints.md
To assign a role to the identity, start by opening the [Azure portal](https://po
| Assign access to | **Managed identity** | | Members | Select the user-assigned or system-assigned managed identity of your Azure Digital Twins instance that's being assigned the role. A user-assigned identity will have the name you chose when you created the identity, and a system-assigned identity will have a name that matches the name of your Azure Digital Twins instance. |
- :::image type="content" source="../../includes/role-based-access-control/media/add-role-assignment-page.png" alt-text="Screenshot of the 'Add role assignment' page for an Azure Digital Twins instance." lightbox="../../includes/role-based-access-control/media/add-role-assignment-page.png":::
+ :::image type="content" source="~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-page.png" alt-text="Screenshot of the 'Add role assignment' page for an Azure Digital Twins instance." lightbox="~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-page.png":::
# [CLI](#tab/cli)
digital-twins How To Set Up Instance Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/digital-twins/how-to-set-up-instance-portal.md
You can also assign the **Azure Digital Twins Data Owner** role using the access
| Assign access to | User, group, or service principal | | Members | Search for the name or email address of the user to assign |
- ![Add role assignment page](../../includes/role-based-access-control/media/add-role-assignment-page.png)
+ ![Add role assignment page](~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-page.png)
### Verify success
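Review bot: this file keeps the `![Add role assignment page](...)` image syntax while the sibling files in this change use `:::image type="content" ... lightbox="...":::` for the same screenshot; converting it to the same form gives the image an explicit alt text and a zoomable lightbox and keeps the reusable-content path in one consistent shape across the set.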
dms Quickstart Create Data Migration Service Hybrid Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dms/quickstart-create-data-migration-service-hybrid-portal.md
You need to create an Azure App registration ID that the on-premises hybrid work
7. Select **Add** > **Add role assignment**.
- :::image type="content" source="../../includes/role-based-access-control/media/add-role-assignment-menu-generic.png" alt-text="Screenshot showing Access control (IAM) page with Add role assignment menu open.":::
+ :::image type="content" source="~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-menu-generic.png" alt-text="Screenshot showing Access control (IAM) page with Add role assignment menu open.":::
8. On the **Role** tab, select the **Contributor** role.
- :::image type="content" source="../../includes/role-based-access-control/media/add-role-assignment-role-generic.png" alt-text="Screenshot showing Add role assignment page with Role tab selected.":::
+ :::image type="content" source="~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-role-generic.png" alt-text="Screenshot showing Add role assignment page with Role tab selected.":::
9. On the **Members** tab, select **User, group, or service principal**, and then select the App ID name.
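Review bot: step 8 assigns the Contributor role to the app registration, but the visible steps never state the scope at which the assignment is created (subscription, resource group, or the migration service resource); Contributor at subscription scope is far broader than a hybrid worker needs to reach one Database Migration Service instance, so the step should name the narrowest scope that works and, if Contributor itself is a hard requirement of the service, say so explicitly.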
energy-data-services Concepts Ddms https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/energy-data-services/concepts-ddms.md
OSDU&reg; R3 M8 is the base for the scope of the Azure Data Manager for Energy F
## Learn more: OSDU&reg; DDMS community principles
-[OSDU&reg; community DDMS Overview](https://community.opengroup.org/osdu/documentation/-/wikis/OSDU&reg;-(C)/Design-and-Implementation/Domain-&-Data-Management-Services#ddms-requirements) provides an extensive overview of DDMS motivation and community requirements from a user, technical, and business perspective. These principles are extended to Azure Data Manager for Energy.
+[OSDU&reg; community DDMS Overview](https://community.opengroup.org/groups/osdu/platform/-/wikis/home) provides an extensive overview of DDMS motivation and community requirements from a user, technical, and business perspective. These principles are extended to Azure Data Manager for Energy.
## DDMS requirements
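Review bot: the replacement link points at the OSDU platform wiki home page, and the `#ddms-requirements` anchor from the removed link is gone, so the surrounding sentence ("provides an extensive overview of DDMS motivation and community requirements") no longer describes where the reader lands. If the old page was removed, link the specific page that replaced it; otherwise reword the sentence to match a generic wiki entry point.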
energy-data-services Release Notes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/energy-data-services/release-notes.md
Now you can configure diagnostic settings of your Azure Data Manager for Energy
### Monitoring and investigating actions with Audit logs
-Knowing who is taking what action on which item is critical in helping organizations meet regulatory compliance and record management requirements. Azure Data Manager for Energy captures audit logs for data plane APIs of OSDU services and audit events listed [here](https://community.opengroup.org/osdu/documentation/-/wikis/Releases/R3.0/GCP/GCP-Operation/Logging/Audit-Logging-Status). Learn more about [audit logging in Azure Data Manager for Energy](how-to-manage-audit-logs.md).
+Knowing who is taking what action on which item is critical in helping organizations meet regulatory compliance and record management requirements. Azure Data Manager for Energy captures audit logs for data plane APIs of OSDU services and audit events listed [here](https://community.opengroup.org/osdu/platform/deployment-and-operations/audit-and-metrics). Learn more about [audit logging in Azure Data Manager for Energy](how-to-manage-audit-logs.md).
<hr width = 100%>
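Review bot: the link target changes from a page named "Audit-Logging-Status" under the R3.0 release notes to the project path "deployment-and-operations/audit-and-metrics"; confirm the new target actually lists the audit events the sentence promises, and replace the link text "here" with the page name so the link is meaningful out of context (it is the only pointer to the OSDU-side audit event catalog on this page).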
event-hubs Passwordless Migration Event Hubs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-hubs/passwordless-migration-event-hubs.md
Passwordless connections can be configured to work for both local and Azure-host
### Sign-in to Azure locally ### Update the application code to use passwordless connections
Once your application is configured to use passwordless connections and runs loc
### Create the managed identity #### Associate the managed identity with your web app
Complete the following steps in the Azure portal to associate an identity with y
# [Azure CLI](#tab/azure-cli-associate) # [Service Connector](#tab/service-connector-associate)
If you connected your services using Service Connector you don't need to complet
### Test the app
governance Manage https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/management-groups/manage.md
Title: Manage your Azure subscriptions at scale with management groups - Azure Governance description: Learn how to view, maintain, update, and delete your management group hierarchy. Previously updated : 12/01/2022 Last updated : 07/18/2024 --++ # Manage your Azure subscriptions at scale with management groups
governance Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/management-groups/overview.md
Title: Organize your resources with management groups - Azure Governance description: Learn about the management groups, how their permissions work, and how to use them. Previously updated : 04/20/2023 Last updated : 07/18/2024 --++ # What are Azure management groups?
above subscriptions. You organize subscriptions into management groups; the gove
cascade by inheritance to all associated subscriptions. Management groups give you enterprise-grade management at scale, no matter what type of subscriptions you might have.
-However, all subscriptions within a single management group must trust the same Entra ID tenant.
+However, all subscriptions within a single management group must trust the same Microsoft Entra ID tenant.
For example, you can apply policies to a management group that limits the regions available for virtual machine (VM) creation. This policy would be applied to all nested management groups, subscriptions, and resources and allow VM creation only in authorized regions.
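Review bot: "Microsoft Entra ID tenant" reads oddly; the product is Microsoft Entra ID and the directory itself is a Microsoft Entra tenant, which is the form the Microsoft Entra documentation uses. The same applies to the other replacements in this file ("Microsoft Entra ID Global Administrator" would be "Microsoft Entra Global Administrator" or simply the Global Administrator role, and "Microsoft Entra ID tenant ID" would be "Microsoft Entra tenant ID").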
subscriptions.
Each directory is given a single top-level management group called the **root** management group. The root management group is built into the hierarchy to have all management groups and subscriptions fold up to it. This root management group allows for global policies and Azure role assignments to
-be applied at the directory level. The [Entra ID Global Administrator needs to elevate
+be applied at the directory level. The [Microsoft Entra ID Global Administrator needs to elevate
themselves](../../role-based-access-control/elevate-access-global-admin.md) to the User Access Administrator role of this root group initially. After elevating access, the administrator can assign any Azure role to other directory users or groups to manage the hierarchy. As an administrator,
you can assign your account as the owner of the root management group.
### Important facts about the root management group -- By default, the root management group's display name is **Tenant root group** and operates itself as a management group. The ID is the same value as the Entra ID tenant ID.
+- By default, the root management group's display name is **Tenant root group** and operates itself as a management group. The ID is the same value as the Microsoft Entra ID tenant ID.
- To change the display name, your account must be assigned the **Owner** or **Contributor** role on the root management group. See [Change the name of a management group](manage.md#change-the-name-of-a-management-group) to update
you can assign your account as the owner of the root management group.
that root management group. - Everyone who has access to a subscription can see the context of where that subscription is in the hierarchy.
- - No one is given default access to the root management group. Entra ID Global Administrators are
+ - No one is given default access to the root management group. Microsoft Entra ID Global Administrators are
the only users that can elevate themselves to gain access. Once they have access to the root management group, the global administrators can assign any Azure role to other users to manage it.
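Review bot: the hunk explains that Global Administrators can elevate themselves to User Access Administrator on the root management group, but nothing in the visible text says that the elevation should be removed once the root-level role assignments are in place. Because that role grants authority over every subscription in the tenant, add a sentence telling readers to remove the elevated access afterward (and to treat the elevation as an audited, break-glass action) rather than leaving a standing tenant-wide privilege on the administrator's account.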
The reason for this process is to make sure there's only one management group hi
directory. The single hierarchy within the directory allows administrative customers to apply global access and policies that other customers within the directory can't bypass. Anything assigned on the root will apply to the entire hierarchy, which includes all management groups, subscriptions,
-resource groups, and resources within that Entra ID tenant.
+resource groups, and resources within that Microsoft Entra ID tenant.
## Management group access
governance First Query Rest Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/resource-graph/first-query-rest-api.md
Title: "Quickstart: Your first REST API query"
-description: In this quickstart, you follow the steps to call the Resource Graph endpoint for REST API and run your first query.
Previously updated : 07/09/2021
+ Title: Run Azure Resource Graph query using REST API
+description: In this quickstart, you run an Azure Resource Graph query using REST API and Azure CLI.
Last updated : 07/18/2024
-# Quickstart: Run your first Resource Graph query using REST API
-The first step to using Azure Resource Graph with REST API is to check that you have a tool for
-calling REST APIs available. This quickstart then walks you through the process of running a query
-and retrieving the results by calling the Azure Resource Graph REST API endpoint.
+# Quickstart: Run Resource Graph query using REST API
-At the end of this process, you'll have the tools for calling REST API endpoints and run your first
-Resource Graph query.
+This quickstart describes how to run an Azure Resource Graph query with REST API and view the results. The REST API elements are a URI that includes the API version and request body that contains the query. The examples use Azure CLI to sign into Azure and that authenticates your account to run `az rest` commands.
+
+If you're unfamiliar with REST API, start by reviewing [Azure REST API Reference](/rest/api/azure/)
+to get a general understanding of REST API, specifically request URI and request body. For the Azure Resource Graph specifications, see [Azure Resource Graph REST API](/rest/api/azureresourcegraph/resourcegraph/operation-groups).
## Prerequisites
-If you don't have an Azure subscription, create a [free](https://azure.microsoft.com/free/) account
-before you begin.
+- If you don't have an Azure account, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.
+- Latest version of [PowerShell](/powershell/scripting/install/installing-powershell) or Bash shell like Git Bash.
+- Latest version of [Azure CLI](/cli/azure/install-azure-cli).
+- [Visual Studio Code](https://code.visualstudio.com/).
+## Connect to Azure
-## Getting started with REST API
+From a Visual Studio Code terminal session, connect to Azure. If you have more than one subscription, run the commands to set context to your subscription. Replace `{subscriptionID}` with your Azure subscription ID.
-If you're unfamiliar with REST API, start by reviewing [Azure REST API Reference](/rest/api/azure/)
-to get a general understanding of REST API, specifically request URI and request body. This article
-uses these concepts to provide directions for working with Azure Resource Graph and assumes a
-working knowledge of them. Tools such as [ARMClient](https://github.com/projectkudu/ARMClient) and
-others may handle authorization automatically and are recommended for beginners.
-
-For the Azure Resource Graph specs, see
-[Azure Resource Graph REST API](/rest/api/azure-resourcegraph/).
-
-### REST API and PowerShell
-
-If you don't already have a tool for making REST API calls, consider using PowerShell for these
-instructions. The following code sample gets a header for authenticating with Azure. Generate an
-authentication header, sometimes called a **Bearer token**, and provide the REST API URI to connect
-to with any parameters or a **Request Body**:
-
-```azurepowershell-interactive
-# Log in first with Connect-AzAccount if not using Cloud Shell
-
-$azContext = Get-AzContext
-$azProfile = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile
-$profileClient = New-Object -TypeName Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient -ArgumentList ($azProfile)
-$token = $profileClient.AcquireAccessToken($azContext.Subscription.TenantId)
-$authHeader = @{
- 'Content-Type'='application/json'
- 'Authorization'='Bearer ' + $token.AccessToken
-}
+```azurecli
+az login
-# Invoke the REST API
-$restUri = "https://management.azure.com/subscriptions/$($azContext.Subscription.Id)?api-version=2020-01-01"
-$response = Invoke-RestMethod -Uri $restUri -Method Get -Headers $authHeader
+# Run these commands if you have multiple subscriptions
+az account list --output table
+az account set --subscription {subscriptionID}
```
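Review bot: the removed PowerShell sample built a raw bearer token into `$authHeader` via `AcquireAccessToken` and shipped it with every `Invoke-RestMethod` call; replacing it with `az rest`, which attaches the Authorization header itself for Azure management endpoints, is the right move because no token ends up in a shell variable, transcript, or copied-around script, and that should be stated as the reason rather than just "because the examples use az rest". Two nits in the same region: the front-matter line `+ Title:` carries a stray leading space, and the new title ("Run Azure Resource Graph query using REST API") no longer matches the H1 ("Quickstart: Run Resource Graph query using REST API"). Visual Studio Code is also listed as a prerequisite although the steps only need a terminal with Azure CLI.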
-The `$response` variable holds the result of the `Invoke-RestMethod` cmdlet, which can be parsed
-with cmdlets such as
-[ConvertFrom-Json](/powershell/module/microsoft.powershell.utility/convertfrom-json). If the REST
-API service endpoint expects a **Request Body**, provide a JSON formatted variable to the `-Body`
-parameter of `Invoke-RestMethod`.
+Use `az login` even if you're using PowerShell because the examples use Azure CLI [az rest](/cli/azure/reference-index#az-rest) commands.
-## Run your first Resource Graph query
+## Review the REST API syntax
-With the REST API tools added to your environment of choice, it's time to try out a simple
-subscription-based Resource Graph query. The query returns the first five Azure resources with the
-**Name** and **Resource Type** of each resource. To query by
-[management group](../management-groups/overview.md), use `managementgroups` instead of
-`subscriptions`. To query the entire tenant, omit both the `managementgroups` and `subscriptions`
-properties from the request body.
+There are two elements to run REST API commands: the REST API URI and the request body. For information, go to [Resources](/rest/api/azureresourcegraph/resourcegraph/resources/resources). To query by [management group](../management-groups/overview.md), use `managementGroups` instead of `subscriptions`. To query the entire tenant, omit both the `managementGroups` and `subscriptions` properties from the request body.
-In the request body of each REST API call, there's a variable that is used that you need to replace
-with your own value:
+The following example shows the REST API URI syntax to run a query for an Azure subscription.
-- `{subscriptionID}` - Replace with your subscription ID
+```http
+POST https://management.azure.com/providers/Microsoft.ResourceGraph/resources?api-version=2022-10-01
+```
-1. Run your first Azure Resource Graph query using the REST API and the `resources` endpoint:
+A request body is needed to run a query with REST API. The following example is the JSON to create a request body file.
- - REST API URI
+```json
+{
+ "subscriptions": [
+ "{subscriptionID}"
+ ],
+ "query": "Resources | project name, type | limit 5"
+}
+```
- ```http
- POST https://management.azure.com/providers/Microsoft.ResourceGraph/resources?api-version=2021-03-01
- ```
+## Run Resource Graph query
- - Request Body
+The examples use the same `az rest` command but you change the request body to get different results. The examples list resources, order resources by the `name` property, and order resources by the `name` property and limit the number of results.
- ```json
- {
- "subscriptions": [
- "{subscriptionID}"
- ],
- "query": "Resources | project name, type | limit 5"
- }
- ```
+To run all the query examples, use the following `az rest` command for your shell environment:
- > [!NOTE]
- > As this query example doesn't provide a sort modifier such as `order by`, running this query
- > multiple times is likely to yield a different set of resources per request.
+# [PowerShell](#tab/powershell)
-1. Update the call to the `resouces` endpoint and change the **query** to `order by` the **Name**
- property:
+```powershell
+az rest --method post --uri https://management.azure.com/providers/Microsoft.ResourceGraph/resources?api-version=2022-10-01 --body `@request-body.json
+```
- - REST API URI
+In PowerShell, the backtick (``` ` ```) is needed to escape the `at sign` (`@`) to specify a filename for the request body.
- ```http
- POST https://management.azure.com/providers/Microsoft.ResourceGraph/resources?api-version=2021-03-01
- ```
+# [Bash](#tab/bash)
- - Request Body
+```bash
+az rest --method post --uri https://management.azure.com/providers/Microsoft.ResourceGraph/resources?api-version=2022-10-01 --body @request-body.json
+```
+
+In a Bash shell like Git Bash, the backtick isn't needed to escape the `at sign` (`@`) to specify a filename for the request body.
- ```json
- {
- "subscriptions": [
- "{subscriptionID}"
- ],
- "query": "Resources | project name, type | limit 5 | order by name asc"
- }
- ```
+
- > [!NOTE]
- > Just as with the first query, running this query multiple times is likely to yield a different
- > set of resources per request. The order of the query commands is important. In this example,
- > the `order by` comes after the `limit`. This command order first limits the query results and
- > then orders them.
+In each request body example, replace `{subscriptionID}` with your Azure subscription ID. Run the following command to get your Azure subscription ID for the request body:
-1. Update the call to the `resources` endpoint and change the **query** to first `order by` the
- **Name** property and then `limit` to the top five results:
+```azurecli
+az account show --query id --output tsv
+```
- - REST API URI
+### List resources
- ```http
- POST https://management.azure.com/providers/Microsoft.ResourceGraph/resources?api-version=2021-03-01
- ```
+In Visual Studio Code, create a new file named _request-body.json_. Copy and paste the following JSON into the file and save the file.
- - Request Body
+The query returns five Azure resources with the `name` and `resource type` of each resource.
+
+```json
+{
+ "subscriptions": [
+ "{subscriptionID}"
+ ],
+ "query": "Resources | project name, type | limit 5"
+}
+```
- ```json
- {
- "subscriptions": [
- "{subscriptionID}"
- ],
- "query": "Resources | project name, type | order by name asc | limit 5"
- }
- ```
+Because this query example doesn't provide a sort modifier like `order by`, running this query multiple times yields a different set of resources per request.
-When the final query is run several times, assuming that nothing in your environment is changing,
-the results returned are consistent and ordered by the **Name** property, but still limited to the
-top five results.
+### Order by name property
-For more examples of REST API calls for Azure Resource Graph, see the
-[Azure Resource Graph REST Examples](/rest/api/azureresourcegraph/resourcegraph(2021-03-01)/resources/resources#examples).
+Update _request-body.json_ with the following code that changes the query to `order by` the `name` property. Save the file and use the `az rest` command to run the query.
+
+```json
+{
+ "subscriptions": [
+ "{subscriptionID}"
+ ],
+ "query": "Resources | project name, type | limit 5 | order by name asc"
+}
+```
+
+If you run this query multiple times, it yields a different set of resources per request.
+
+The order of the query commands is important. In this example, the `order by` comes after the `limit`. This command order limits the query results to five resources and then orders them.
+
+### Order by name property and limit results
+
+Update _request-body.json_ with the following code to `order by` the `name` property and then `limit` to the top five results. Save the file and use the same `az rest` command to run the query.
++
+```json
+{
+ "subscriptions": [
+ "{subscriptionID}"
+ ],
+ "query": "Resources | project name, type | order by name asc | limit 5"
+}
+```
+
+If the query is run several times, assuming that nothing in your environment changed, the results returned are consistent and ordered by the `name` property, but limited to the top five results.
## Clean up resources
-REST API has no libraries or modules to uninstall. If you installed a tool like _ARMClient_ to make the calls and no longer need it, you may uninstall the tool now.
+Sign out of your Azure CLI session.
+
+```azurecli
+az logout
+```
## Next steps
-In this quickstart, you've called the Resource Graph REST API endpoint and run your first query. To
-learn more about the Resource Graph language, continue to the query language details page.
+In this quickstart, you used the Azure Resource Graph REST API endpoint to run a query. To learn more about the Resource Graph language, continue to the query language details page.
> [!div class="nextstepaction"]
-> [Get more information about the query language](./concepts/query-language.md)
+> [Understanding the Azure Resource Graph query language](./concepts/query-language.md)
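Review bot: the `++` line in the "Order by name property and limit results" section (between the "Update _request-body.json_ ..." paragraph and its ```json fence) adds a literal `+` paragraph to the article; it should be an empty added line, like the blank lines that surround the other fences. Two smaller points in the same region: "The query returns five Azure resources with the `name` and `resource type` of each resource" puts `resource type` in code font although the projected property is `type`, so write "the `name` and `type` of each resource"; and the sentence "Use `az login` even if you're using PowerShell because the examples use Azure CLI az rest commands" would be clearer if it said why, namely that `az rest` attaches the bearer token for `management.azure.com` itself, which is what makes the removed `AcquireAccessToken`/`$authHeader` code unnecessary and keeps the access token out of script variables.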
hdinsight Hdinsight Hadoop Use Data Lake Storage Gen2 Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/hdinsight-hadoop-use-data-lake-storage-gen2-portal.md
Assign the managed identity to the **Storage Blob Data Owner** role on the stora
1. Select **Add > Add role assignment**.
- :::image type="content" source="../../includes/role-based-access-control/media/add-role-assignment-menu-generic.png" alt-text="Screenshot showing Access control (IAM) page with Add role assignment menu open.":::
+ :::image type="content" source="~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-menu-generic.png" alt-text="Screenshot showing Access control (IAM) page with Add role assignment menu open.":::
1. On the **Role** tab, select **Storage Blob Data Owner**.
- :::image type="content" source="../../includes/role-based-access-control/media/add-role-assignment-role-generic.png" alt-text="Screenshot showing Add role assignment page with Role tab selected.":::
+ :::image type="content" source="~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-role-generic.png" alt-text="Screenshot showing Add role assignment page with Role tab selected.":::
1. On the **Members** tab, select **Managed identity**, and then select **Select members**.
hdinsight Hdinsight Retired Versions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/hdinsight-retired-versions.md
The following table lists the retired versions of HDInsight.
## Call to action
-To maintain the security posture,ΓÇ» migrate to [HDInsight 5.1](./hdinsight-5x-component-versioning.md#open-source-components-available-with-hdinsight-5x), which is Generally Available since November 1, 2023. This release contains all theΓÇ»[latest versions of supported software](./hdinsight-5x-component-versioning.md) along with significant improvements on the security patches on open-source components.ΓÇ» ΓÇï
+To maintain the security posture,ΓÇ» migrate to the latest image of [HDInsight 5.1](./hdinsight-5x-component-versioning.md#open-source-components-available-with-hdinsight-5x), which is Generally Available since November 1, 2023. This release contains all theΓÇ»[latest versions of supported software](./hdinsight-5x-component-versioning.md) along with significant improvements on the security patches on open-source components.ΓÇ» ΓÇï
## Next steps
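Review bot: the rewritten call-to-action line still carries the mis-encoded characters from the old line (shown here as `ΓÇ»` after "posture," and before "[latest versions", and `ΓÇ» ΓÇï` at the end of the line: a non-breaking space and a zero-width space); since the line is being edited anyway, replace them with plain spaces and drop the trailing ones so they do not survive into the rendered page. Minor: "which is Generally Available since November 1, 2023" reads better as "which has been generally available since November 1, 2023".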
healthcare-apis Configure Export Data https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/azure-api-for-fhir/configure-export-data.md
For more information, see [Azure built-in roles](../../role-based-access-control
It's here that you add the role [Storage Blob Data Contributor](../../role-based-access-control/built-in-roles.md#storage-blob-data-contributor) to the service name, and then select **Save**. Next, select the storage account in Azure API for FHIR as a default storage account for $export.
healthcare-apis Convert Data https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/azure-api-for-fhir/convert-data.md
Change the status to **On** to enable managed identity in Azure API for FHIR.
1. Assign the [AcrPull](../../role-based-access-control/built-in-roles.md#acrpull) role.
- [ ![Screen image of Add role assignment page.](../../../includes/role-based-access-control/media/add-role-assignment-page.png) ](../../../includes/role-based-access-control/media/add-role-assignment-page.png#lightbox)
+ [ ![Screen image of Add role assignment page.](~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-page.png) ](~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-page.png#lightbox)
For more information about assigning roles in the Azure portal, see [Azure built-in roles](../../role-based-access-control/role-assignments-portal.yml).
healthcare-apis Configure Export Data https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/fhir/configure-export-data.md
In this step, browse to your FHIR service in the Azure portal and select the **I
3. Select **Add > Add role assignment**. If the **Add role assignment** option is grayed out, ask your Azure administrator for help with this step.
- :::image type="content" source="../../../includes/role-based-access-control/media/add-role-assignment-menu-generic.png" alt-text="Screenshot that shows Access control (IAM) page with Add role assignment menu open.":::
+ :::image type="content" source="~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-menu-generic.png" alt-text="Screenshot that shows Access control (IAM) page with Add role assignment menu open.":::
4. On the **Role** tab, select the [Storage Blob Data Contributor](../../role-based-access-control/built-in-roles.md#storage-blob-data-contributor) role.
- [![Screen shot showing user interface of Add role assignment page.](../../../includes/role-based-access-control/media/add-role-assignment-page.png)](../../../includes/role-based-access-control/media/add-role-assignment-page.png#lightbox)
+ [![Screen shot showing user interface of Add role assignment page.](~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-page.png)](~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-page.png#lightbox)
5. On the **Members** tab, select **Managed identity**, and then click **Select members**.
healthcare-apis Convert Data Configuration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/fhir/convert-data-configuration.md
To reference specific template versions in the API, be sure to use the exact ima
2. Select **Add** > **Add role assignment**. If the **Add role assignment** option is unavailable, ask your Azure administrator to grant you the permissions for performing this task.
- :::image type="content" source="../../../includes/role-based-access-control/media/add-role-assignment-menu-generic.png" alt-text="Screenshot of the Access control pane and the 'Add role assignment' menu.":::
+ :::image type="content" source="~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-menu-generic.png" alt-text="Screenshot of the Access control pane and the 'Add role assignment' menu.":::
3. On the **Role** pane, select the [AcrPull](../../role-based-access-control/built-in-roles.md#acrpull) role.
- :::image type="content" source="../../../includes/role-based-access-control/media/add-role-assignment-page.png" alt-text="Screenshot showing the add role assignment pane." lightbox="../../../includes/role-based-access-control/media/add-role-assignment-page.png":::
+ :::image type="content" source="~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-page.png" alt-text="Screenshot showing the add role assignment pane." lightbox="~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-page.png":::
4. On the **Members** tab, select **Managed identity**, and then select **Select members**.
hpc-cache Hpc Cache Add Storage https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hpc-cache/hpc-cache-add-storage.md
You can do this ahead of time, or by clicking a link on the portal page where yo
| Roles | [Storage Account Contributor](../role-based-access-control/built-in-roles.md#storage-account-contributor) <br/> [Storage Blob Data Contributor](../role-based-access-control/built-in-roles.md#storage-blob-data-contributor) | | Assign access to | "HPC Cache Resource Provider" or "StorageCache Resource Provider" |
- ![Add role assignment page](../../includes/role-based-access-control/media/add-role-assignment-page.png)
+ ![Add role assignment page](~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-page.png)
<!-- > [!NOTE] > If you can't find the HPC Cache Resource Provider, try a search for the string "storagecache" instead. This was a pre-GA name for the service principal. -->
iot-hub Iot Hub Managed Identity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-hub/iot-hub-managed-identity.md
In this section, we use the [message routing](iot-hub-devguide-messages-d2c.md)
1. Select **Add > Add role assignment**.
- :::image type="content" source="../../includes/role-based-access-control/media/add-role-assignment-menu-generic.png" alt-text="Screenshot showing Access control (IAM) page with Add role assignment menu open.":::
+ :::image type="content" source="~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-menu-generic.png" alt-text="Screenshot showing Access control (IAM) page with Add role assignment menu open.":::
1. On the **Role** tab, select **Azure Event Hubs Data Sender**. > [!NOTE] > For a storage account, select **Storage Blob Data Contributor** ([*not* Contributor or Storage Account Contributor](../storage/blobs/assign-azure-role-data-access.md)) as the role. For a service bus, select **Azure Service Bus Data Sender**.
- :::image type="content" source="../../includes/role-based-access-control/media/add-role-assignment-role-generic.png" alt-text="Screenshot showing Add role assignment page with Role tab selected.":::
+ :::image type="content" source="~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-role-generic.png" alt-text="Screenshot showing Add role assignment page with Role tab selected.":::
1. On the **Members** tab, select **Managed identity**, and then select **Select members**.
IoT Hub's [file upload](iot-hub-devguide-file-upload.md) feature allows devices
1. Select **Add > Add role assignment**.
- :::image type="content" source="../../includes/role-based-access-control/media/add-role-assignment-menu-generic.png" alt-text="Screenshot showing Access control (IAM) page with Add role assignment menu open.":::
+ :::image type="content" source="~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-menu-generic.png" alt-text="Screenshot showing Access control (IAM) page with Add role assignment menu open.":::
1. On the **Role** tab, select **Storage Blob Data Contributor**. (Don't select **Contributor** or **Storage Account Contributor**.)
IoT Hub supports the functionality to [import/export devices](iot-hub-bulk-ident
1. Select **Add > Add role assignment**.
- :::image type="content" source="../../includes/role-based-access-control/media/add-role-assignment-menu-generic.png" alt-text="Screenshot showing Access control (IAM) page with Add role assignment menu open.":::
+ :::image type="content" source="~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-menu-generic.png" alt-text="Screenshot showing Access control (IAM) page with Add role assignment menu open.":::
1. On the **Role** tab, select **Storage Blob Data Contributor**. (Don't select **Contributor** or **Storage Account Contributor**.)
key-vault Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/general/overview.md
Azure Key Vault is one of several [key management solutions in Azure](../../secu
Azure Key Vault has two service tiers: Standard, which encrypts with a software key, and a Premium tier, which includes hardware security module(HSM)-protected keys. To see a comparison between the Standard and Premium tiers, see the [Azure Key Vault pricing page](https://azure.microsoft.com/pricing/details/key-vault/). ## Why use Azure Key Vault?
key-vault Rbac Guide https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/general/rbac-guide.md
To assign roles using the Azure portal, see [Assign Azure roles using the Azure
| Assign access to | Current user | | Members | Search by email address |
- ![Add role assignment page in Azure portal.](../../../includes/role-based-access-control/media/add-role-assignment-page.png)
+ ![Add role assignment page in Azure portal.](~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-page.png)
# [Azure CLI](#tab/azure-cli) ```azurecli
Above role assignment provides ability to list key vault objects in key vault.
| Assign access to | Current user | | Members | Search by email address |
- ![Add role assignment page in Azure portal.](../../../includes/role-based-access-control/media/add-role-assignment-page.png)
+ ![Add role assignment page in Azure portal.](~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-page.png)
# [Azure CLI](#tab/azure-cli) ```azurecli
For full details, see [Assign Azure roles using Azure PowerShell](../../role-bas
| Assign access to | Current user | | Members | Search by email address |
- ![Add role assignment page in Azure portal.](../../../includes/role-based-access-control/media/add-role-assignment-page.png)
+ ![Add role assignment page in Azure portal.](~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-page.png)
# [Azure CLI](#tab/azure-cli)
key-vault Rest Error Codes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/general/rest-error-codes.md
After logging is turned on, you can determine if the 403 is due to access policy
"Client address (00.00.00.00) is not authorized and caller is not a trusted service"
-There is a limited list of "Azure Trusted Services". Azure Web Sites are **not** a Trusted Azure Service. For more information, see the blog post [Key Vault Firewall access by Azure App Services](https://azidentity.azurewebsites.net/post/2019/01/03/key-vault-firewall-access-by-azure-app-services).
+There is a limited list of "Azure Trusted Services". Azure Web Sites are **not** a Trusted Azure Service. For more information, see the blog post [Trusted services](/azure/key-vault/general/overview-vnet-service-endpoints#trusted-services).
You must add the IP address of the Azure Web Site to the Key Vault in order for it to work.
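Review bot: the added line still introduces the link with "see the blog post", but the new target is the Key Vault documentation page on virtual network service endpoints (`overview-vnet-service-endpoints#trusted-services`), not a blog; change the lead-in to something like "For the current list, see [Trusted services](...)". The unchanged sentence that follows, "You must add the IP address of the Azure Web Site to the Key Vault in order for it to work", would also read more precisely as adding the site's IP address to the key vault firewall allow list, which is what the "Client address (...) is not authorized" message in the context above refers to.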
key-vault Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/managed-hsm/overview.md
For pricing information, please see Managed HSM Pools section on [Azure Key Vaul
The term "Managed HSM instance" is synonymous with "Managed HSM pool". To avoid confusion, we use "Managed HSM instance" throughout these articles. ## Why use Managed HSM?
lab-services How To Add Lab Creator https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/lab-services/how-to-add-lab-creator.md
Follow these steps to [assign Azure roles using the Azure portal](../role-based-
1. From the **Access control (IAM)** page, select **Add** > **Add role assignment**.
- :::image type="content" source="../../includes/role-based-access-control/media/add-role-assignment-menu-generic.png" alt-text="Screenshot that shows the Access control (I A M) page with Add role assignment menu option highlighted.":::
+ :::image type="content" source="~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-menu-generic.png" alt-text="Screenshot that shows the Access control (I A M) page with Add role assignment menu option highlighted.":::
1. On the **Role** tab, select the **Lab Creator** role.
- :::image type="content" source="../../includes/role-based-access-control/media/add-role-assignment-role-generic.png" alt-text="Screenshot that shows the Add role assignment page with Role tab selected.":::
+ :::image type="content" source="~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-role-generic.png" alt-text="Screenshot that shows the Add role assignment page with Role tab selected.":::
1. On the **Members** tab, select the user you want to add to the Lab Creators role.
lab-services How To Add User Lab Owner https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/lab-services/how-to-add-user-lab-owner.md
This article shows you how you, as an administrator, can add additional owners t
1. Select **Add** > **Add role assignment**.
- ![Access control (IAM) page with Add role assignment menu open.](../../includes/role-based-access-control/media/add-role-assignment-menu-generic.png)
+ ![Access control (IAM) page with Add role assignment menu open.](~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-menu-generic.png)
1. On the **Role** tab, select the **Reader** role.
- ![Add role assignment page with Role tab selected.](../../includes/role-based-access-control/media/add-role-assignment-role-generic.png)
+ ![Add role assignment page with Role tab selected.](~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-role-generic.png)
1. On the **Members** tab, select the user you want to add to the Reader role.
This article shows you how you, as an administrator, can add additional owners t
1. Select **Add** > **Add role assignment**.
- ![Access control (IAM) page with Add role assignment menu open.](../../includes/role-based-access-control/media/add-role-assignment-menu-generic.png)
+ ![Access control (IAM) page with Add role assignment menu open.](~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-menu-generic.png)
1. On the **Role** tab, select the **Owner** role.
- ![Add role assignment page with Role tab selected.](../../includes/role-based-access-control/media/add-role-assignment-role-generic.png)
+ ![Add role assignment page with Role tab selected.](~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-role-generic.png)
1. On the **Members** tab, select the user you want to add to the Owner's role
machine-learning Concept Vector Stores https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/concept-vector-stores.md
Title: Concept Vector Stores in Azure Machine Learning (preview)
+ Title: Concept vector stores in Azure Machine Learning (preview)
-description: This concept article helps you use a vector index in Azure Machine Learning for performing Retrieval Augmented Generation.
+description: Explore concepts about vector indexes in Azure Machine Learning and how you can use them for retrieval-augmented generation.
- ignite-2023 Previously updated : 07/27/2023- Last updated : 07/17/2024++
+#customer intent: As a developer, I want to use vector indexes in Azure Machine Learning so that I can perform retrieval-augmented generation.
# Vector stores in Azure Machine Learning (preview) [!INCLUDE [machine-learning-preview-generic-disclaimer](includes/machine-learning-preview-generic-disclaimer.md)]
-This concept article helps you use a vector index in Azure Machine Learning for performing Retrieval Augmented Generation (RAG). A vector index stores embeddings, which are numerical representations of concepts (data) converted to number sequences, which enable LLMs to understand the relationships between those concepts. Creating vector stores helps you to hook up your data with a large language model (LLM) like GPT-4 and retrieve the data efficiently.
+This article describes vector indexes in Azure Machine Learning that you can use to perform retrieval-augmented generation (RAG). A vector index stores embeddings that are numerical representations of _concepts_ (data) converted to number sequences. Embeddings enable large language models (LLMs) to understand the relationships between the concepts. You can create vector stores to connect your data with LLMs like GPT-4, and retrieve the data efficiently.
+
+Azure Machine Learning supports two vector stores that contain your supplemental data used in a RAG workflow:
+
+| Vector store | Description | Features and usage |
+| | | |
+| **Faiss** | Open source library | - Use local file-based store <br> - Incur minimal costs <br> - Support vector-only data <br> - Support development and testing |
+| **Azure AI Search** | Azure PaaS resource | - Store text data in search index <br> - Host large number of indexes with single service <br> - Support enterprise-level business requirements <br> - Access hybrid information retrieval |
-Azure Machine Learning supports two types of vector stores that contain your supplemental data used in a RAG workflow:
+The following sections explore considerations for working with these vector stores.
-+ [Faiss](https://github.com/facebookresearch/faiss) is an open source library that provides a local file-based store. The vector index is stored in the storage account of your Azure Machine Learning workspace. Since it's stored locally, the costs are minimal making it ideal for development and testing.
+## Faiss library
-+ [Azure AI Search](/azure/search/search-what-is-azure-search) (formerly Cognitive Search) is an Azure resource that supports information retrieval over your vector and textual data stored in search indexes. A prompt flow can create, populate, and query your vector data stored in Azure AI Search.
+[Faiss](https://github.com/facebookresearch/faiss) is an open source library that provides a local file-based store. The vector index is stored in the Azure storage account of your Azure Machine Learning workspace. To work with Faiss, you download the library and use it as a component of your solution. Because the index is stored locally, the costs are minimal.
-## Choose a vector store
+You can use the Faiss library as your vector store and perform the following actions:
-You can use either store in prompt flow, so which one should you use?
+- Store vector data locally, with no costs for creating an index (only storage cost)
-**Faiss** is an open source library that you download and use a component of your solution. This library might be the best place to start if you have vector-only data. Some key points about working with Faiss:
+- Build and query an index in memory
-+ Local storage, with no costs for creating an index (only storage cost).
+- Share copies for individual use, and configure hosting of the index for an application
-+ You can build and query an index in memory.
+- Scale with underlying compute loading index
-+ You can share copies for individual use. If you want to host the index for an application, you need to set that up.
+## Azure AI Search
-+ Faiss scales with underlying compute loading index.
+[Azure AI Search](/azure/search/search-what-is-azure-search) (formerly Cognitive Search) is a dedicated Azure PaaS resource that you create in an Azure subscription. The resource supports information retrieval over your vector and textual data stored in search indexes. A prompt flow can create, populate, and query your vector data stored in Azure AI Search. A single search service can host a large number of indexes, which can be queried and used in a RAG pattern.
-**Azure AI Search** is a dedicated PaaS resource that you create in an Azure subscription. A single search service can host a large number of indexes, which can be queried and used in a RAG pattern. Some key points about using Azure AI Search for your vector store:
+Here are some key points about using Azure AI Search for your vector store:
-+ Supports enterprise level business requirements for scale, security, and availability.
+- Support enterprise level business requirements for scale, security, and availability.
-+ Supports hybrid information retrieval. Vector data can coexist with non-vector data, which means you can use any of the [features of Azure AI Search](/azure/search/search-features-list) for indexing and queries, including [hybrid search](/azure/search/vector-search-how-to-query) and [semantic reranking](/azure/search/semantic-ranking).
+- Access hybrid information retrieval. Vector data can coexist with nonvector data, which means you can use any of the [features of Azure AI Search](/azure/search/search-features-list) for indexing and queries, including [hybrid search](/azure/search/vector-search-how-to-query) and [semantic reranking](/azure/search/semantic-search-overview).
-+ [Vector support is in public preview](/azure/search/vector-search-overview). Currently, vectors must be generated externally and then passed to Azure AI Search for indexing and query encoding. The prompt flow handles these transitions for you.
+- Keep in mind that [vector support is in preview](/azure/search/vector-search-overview). Currently, vectors must be generated externally and then passed to Azure AI Search for indexing and query encoding. The prompt flow handles these transitions for you.
-To use AI Search as a vector store for Azure Machine Learning, [you must have a search service](/azure/search/search-create-service-portal). Once the service exists and you've granted access to developers, you can choose **Azure AI Search** as a vector index in a prompt flow. The prompt flow creates the index on Azure AI Search, generates vectors from your source data, sends the vectors to the index, invokes similarity search on AI Search, and returns the response.
+To use AI Search as a vector store for Azure Machine Learning, [you must have a search service](/azure/search/search-create-service-portal). After the service exists, and you grant access to developers, you can choose **Azure AI Search** as a vector index in a prompt flow. The prompt flow creates the index on Azure AI Search, generates vectors from your source data, sends the vectors to the index, invokes similarity search on AI Search, and returns the response.
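Review bot: the comma in "After the service exists, and you grant access to developers, you can choose" splits a single conditional clause; write "After the service exists and you've granted developers access to it, you can choose **Azure AI Search** as a vector index". The sentence should also say at what scope that access is granted (the search service that holds the indexes), so readers do not assign broader rights than the prompt flow needs.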
-## Next steps
+## Related content
-[How to create vector index in Azure Machine Learning prompt flow (preview)](how-to-create-vector-index.md)
+- [Create vector index in Azure Machine Learning prompt flow (preview)](how-to-create-vector-index.md)
+- [Vectors in Azure AI Search](/azure/search/vector-search-overview)
machine-learning How To Manage Quotas https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-manage-quotas.md
For example, consider a subscription with a US East total VM core limit of 30, a
You can't raise limits for virtual machines above the values shown in the following table. ### Container Instances
machine-learning How To Network Isolation Model Catalog https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-network-isolation-model-catalog.md
Last updated 12/15/2023
In this article, you learn how to use the various collections in the Model Catalog within an isolated network.
-Workspace [managed virtual network](./how-to-network-isolation-planning.md) is the recommended way to support network isolation with the Model Catalog. It provides easily configuration to secure your workspace. After you enable managed virtual network in the workspace level, resources related to workspace in the same virtual network, will use the same network setting in the workspace level. You can also configure the workspace to use private endpoint to access other Azure resources such as Azure OpenAI. Furthermore, you can configure FQDN rule to approve outbound to non-Azure resources, which is required to use some of the collections in the Model Catalog. See [how to Workspace managed network isolation](./how-to-managed-network.md) to enable workspace managed virtual network.
+Workspace [managed virtual network](./how-to-network-isolation-planning.md) is the only way to support network isolation with the Model Catalog. It provides easily configuration to secure your workspace. After you enable managed virtual network in the workspace level, resources related to workspace in the same virtual network, will use the same network setting in the workspace level. You can also configure the workspace to use private endpoint to access other Azure resources such as Azure OpenAI. Furthermore, you can configure FQDN rule to approve outbound to non-Azure resources, which is required to use some of the collections in the Model Catalog. See [how to Workspace managed network isolation](./how-to-managed-network.md) to enable workspace managed virtual network.
The creation of the managed virtual network is deferred until a compute resource is created or provisioning is manually started. You can use following command to manually trigger network provisioning. ```bash
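Review bot: changing "the recommended way" to "the only way" turns a recommendation into a hard product constraint, and the hunk gives no source for it; either cite the statement in the linked managed-network article or keep "recommended". While touching the paragraph, fix the grammar that survived the edit: "It provides easily configuration" should be "It provides easy configuration", "in the workspace level" should be "at the workspace level" (twice), the comma in "resources related to workspace in the same virtual network, will use" should go, and "configure FQDN rule to approve outbound to non-Azure resources" should read "configure FQDN outbound rules to allow traffic to non-Azure resources". The last sentence matters to readers locking the workspace down, so it should also say that such a rule is needed only for collections that reach non-Azure endpoints, which is what "required to use some of the collections" currently implies without stating.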
machine-learning Tutorial Create Secure Workspace Vnet https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/tutorial-create-secure-workspace-vnet.md
Azure Machine Learning studio is a web-based application that lets you easily ma
1. Select __Access control (IAM)__ from the left side. 1. Select __+ Add__, and then __Add role assignment (Preview)__.
- ![Access control (IAM) page with Add role assignment menu open.](../../includes/role-based-access-control/media/add-role-assignment-menu-generic.png)
+ ![Access control (IAM) page with Add role assignment menu open.](~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-menu-generic.png)
1. On the __Role__ tab, select the __Reader__.
- ![Add role assignment page with Role tab selected.](../../includes/role-based-access-control/media/add-role-assignment-role-generic.png)
+ ![Add role assignment page with Role tab selected.](~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-role-generic.png)
1. On the __Members__ tab, select __User, group, or service principal__ in the __Assign access to__ area and then select __+ Select members__. In the __Select members__ dialog, enter the name as your Azure Machine Learning workspace. Select the service principal for the workspace, and then use the __Select__ button.
machine-learning How To Setup Authentication https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/v1/how-to-setup-authentication.md
The easiest way to create an SP and grant access to your workspace is by using t
| Assign access to | Managed Identity | | Members | The managed identity you created earlier |
- ![Add role assignment page in Azure portal.](../../../includes/role-based-access-control/media/add-role-assignment-page.png)
+ ![Add role assignment page in Azure portal.](~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-page.png)
### Managed identity with compute cluster
machine-learning Migrate Execute R Script https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/v1/migrate-execute-r-script.md
Last updated 03/08/2021
# Migrate Execute R Script modules in Studio (classic) In this article, you learn how to rebuild a Studio (classic) **Execute R Script** module in Azure Machine Learning.
machine-learning Migrate Rebuild Experiment https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/v1/migrate-rebuild-experiment.md
Last updated 10/21/2021
# Rebuild a Studio (classic) experiment in Azure Machine Learning In this article, you learn how to rebuild an ML Studio (classic) experiment in Azure Machine Learning. For more information on migrating from Studio (classic), see [the migration overview article](migrate-overview.md).
machine-learning Migrate Rebuild Integrate With Client App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/v1/migrate-rebuild-integrate-with-client-app.md
Last updated 05/31/2022
# Consume pipeline endpoints from client applications In this article, you learn how to integrate client applications with Azure Machine Learning endpoints.
machine-learning Migrate Rebuild Web Service https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/v1/migrate-rebuild-web-service.md
Last updated 03/08/2021
# Rebuild a Studio (classic) web service in Azure Machine Learning In this article, you learn how to rebuild an ML Studio (classic) web service as an **endpoint** in Azure Machine Learning.
machine-learning Migrate Register Dataset https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/v1/migrate-register-dataset.md
Last updated 09/28/2022
# Migrate a Studio (classic) dataset to Azure Machine Learning In this article, you learn how to migrate a Studio (classic) dataset to Azure Machine Learning. For more information on migrating from Studio (classic), see [the migration overview article](migrate-overview.md).
migrate Tutorial App Containerization Aspnet Kubernetes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/tutorial-app-containerization-aspnet-kubernetes.md
If you just created a free Azure account, you're the owner of your subscription.
| Assign access to | User | | Members | azmigrateuser (in this example) |
- ![Screenshot of add role assignment page in Azure portal.](../../includes/role-based-access-control/media/add-role-assignment-page.png)
+ ![Screenshot of add role assignment page in Azure portal.](~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-page.png)
1. Your Azure account also needs **permissions to register Microsoft Entra apps.**
migrate Tutorial App Containerization Java Kubernetes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/tutorial-app-containerization-java-kubernetes.md
If you just created a free Azure account, you're the owner of your subscription.
| Assign access to | User | | Members | azmigrateuser (in this example) |
- ![Add role assignment page in Azure portal.](../../includes/role-based-access-control/media/add-role-assignment-page.png)
+ ![Add role assignment page in Azure portal.](~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-page.png)
1. Your Azure account also needs **permissions to register Microsoft Entra apps.**
migrate Tutorial Discover Aws https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/tutorial-discover-aws.md
If you just created a free Azure account, you're the owner of your subscription.
| Assign access to | User | | Members | azmigrateuser |
- :::image type="content" source="../../includes/role-based-access-control/media/add-role-assignment-page.png" alt-text="Screenshot of Add role assignment page in Azure portal.":::
+ :::image type="content" source="~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-page.png" alt-text="Screenshot of Add role assignment page in Azure portal.":::
1. To register the appliance, your Azure account needs **permissions to register Microsoft Entra apps.**
migrate Tutorial Discover Gcp https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/tutorial-discover-gcp.md
If you just created a free Azure account, you're the owner of your subscription.
| Assign access to | User | | Members | azmigrateuser |
- :::image type="content" source="../../includes/role-based-access-control/media/add-role-assignment-page.png" alt-text="Screenshot of role assignment page in Azure portal.":::
+ :::image type="content" source="~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-page.png" alt-text="Screenshot of role assignment page in Azure portal.":::
1. To register the appliance, your Azure account needs **permissions to register Microsoft Entra apps**.
migrate Tutorial Discover Hyper V https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/tutorial-discover-hyper-v.md
If you just created a free Azure account, you're the owner of your subscription.
| Assign access to | User | | Members | azmigrateuser |
- :::image type="content" source="../../includes/role-based-access-control/media/add-role-assignment-page.png" alt-text="Screenshot of add role assignment page in Azure portal.":::
+ :::image type="content" source="~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-page.png" alt-text="Screenshot of add role assignment page in Azure portal.":::
1. To register the appliance, your Azure account needs **permissions to register Microsoft Entra apps.**
migrate Tutorial Discover Import https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/tutorial-discover-import.md
If you just created a free Azure account, you're the owner of your subscription.
| Assign access to | User | | Members | azmigrateuser |
- ![Add role assignment page in Azure portal.](../../includes/role-based-access-control/media/add-role-assignment-page.png)
+ ![Add role assignment page in Azure portal.](~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-page.png)
1. In the portal, search for users, and under **Services**, select **Users**.
migrate Tutorial Discover Physical https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/tutorial-discover-physical.md
If you just created a free Azure account, you're the owner of your subscription.
| Assign access to | User | | Members | azmigrateuser |
- :::image type="content" source="../../includes/role-based-access-control/media/add-role-assignment-page.png" alt-text="Screenshot of Add role assignment page in Azure portal.":::
+ :::image type="content" source="~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-page.png" alt-text="Screenshot of Add role assignment page in Azure portal.":::
1. To register the appliance, your Azure account needs **permissions to register Microsoft Entra apps.**
migrate Tutorial Discover Vmware https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/vmware/tutorial-discover-vmware.md
To set Contributor or Owner permissions in the Azure subscription:
| Assign access to | User | | Members | azmigrateuser |
- :::image type="content" source="../../../includes/role-based-access-control/media/add-role-assignment-page.png" alt-text="Add role assignment page in Azure portal.":::
+ :::image type="content" source="~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-page.png" alt-text="Add role assignment page in Azure portal.":::
To give the account the required permissions to register Microsoft Entra apps:
mysql Migrate Single Flexible In Place Auto Migration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/mysql/migrate/migrate-single-flexible-in-place-auto-migration.md
**In-place automigration** from Azure Database for MySQL – Single Server to Flexible Server is a service-initiated in-place migration during planned maintenance window for Single Server database workloads with **Basic, General Purpose or Memory Optimized SKU**, data storage used **<= 100 GiB** and **no complex features (CMK, Microsoft Entra ID, Read Replica, Virtual Network, Double Infra encryption, Service endpoint/VNet Rules) enabled**. The eligible servers are identified by the service and are sent an advance notification detailing steps to review migration details.
+> [!IMPORTANT]
+> Some Single Server instances may require mandatory inputs to perform a successful in-place automigration. Review the migration details in the Migration blade on Azure portal to provide those inputs. Failure to provide mandatory inputs 7 days before the scheduled migration will lead to re-scheduling of the migration to a later date.
+ The in-place migration provides a highly resilient and self-healing offline migration experience during a planned maintenance window, with less than **5 mins** of downtime. It uses backup and restore technology for faster migration time. This migration removes the overhead to manually migrate your server and ensure you can take advantage of the benefits of Flexible Server, including better price & performance, granular control over database configuration, and custom maintenance windows. Following described are the key phases of the migration: - **Target Flexible Server is deployed**, inheriting all feature set and properties (including server parameters and firewall rules) from source Single Server. Source Single Server is set to read-only and backup from source Single Server is copied to the target Flexible Server.
Following described are the ways to review your migration schedule once you rece
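Review bot: the new IMPORTANT callout and the existing NOTE further down state the same 7-day rule in different words ("re-scheduling of the migration to a later date" versus "rescheduled to a later date"); keep one authoritative statement, or have the NOTE point back to the callout, and use "rescheduled" in both. "Failure to provide mandatory inputs 7 days before the scheduled migration" is ambiguous about the cutoff; say "at least 7 days before". In the paragraph that follows, "This migration removes the overhead to manually migrate your server and ensure you can take advantage" needs "ensures" to agree with "removes", and "Following described are the key phases" reads better as "The key phases of the migration are:".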
- **Review** the private endpoints listed to be migrated. Ensure they are marked as **Ready to Migrate**. If they are marked as ineligible, select the appropriate subscription and private DNS Zone. - Select the **confirmation checkbox** after performing the listed pre-requisite checks for migrating private endpoints. - Click on the **Authenticate** button to authenticate ARM connection required to migrate the private endpoints from source to target server.
+ - Click on **Save** to save all the above steps.
> [!NOTE] > If the mandatory inputs for migration are not provided atleast 7 days before the scheduled migration, the migration will be rescheduled to a later date.
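Review bot: the added step "Click on **Save** to save all the above steps" carries a leading space, so it appears one level deeper than the sibling steps it follows ("Review", "Select", "Click on Authenticate") and would render as a sub-item of the Authenticate step rather than as the final step; align it with the others. The wording "save all the above steps" is also off, since what is saved is the selections made in those steps; "Click on **Save** to save your selections" is more accurate. In the NOTE that follows, "atleast" should be "at least".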
mysql Whats Happening To Mysql Single Server https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/mysql/migrate/whats-happening-to-mysql-single-server.md
For more information on migrating from Single Server to Flexible Server using ot
- If your source Azure Database for MySQL Single Server has engine version v8.x, ensure to upgrade your source server's .NET client driver version to 8.0.32 to avoid any encoding incompatibilities post migration to Flexible Server. - If your source Azure Database for MySQL Single Server has engine version v8.x, ensure to upgrade your source server's TLS version from v1.0 or v1.1 to TLS v1.2 before the migration as the older TLS versions have been deprecated for Flexible Server. - If your source Azure Database for MySQL Single Server utilizes nondefault ports such as 3308,3309 and 3310, change your connectivity port to 3306 as the above mentioned nondefault ports aren't supported on Flexible Server.
+- Service tags (SQL) in Outbound Rules are not supported on Azure Database for MySQL Flexible Server. Please use Fully Qualified Domain name(FQDN) in Outbound Rules when configuring teh firewall settings for the Flexible Server.
## What happens post sunset date (September 16, 2024)?
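Review bot: the new bullet on service tags has "teh firewall settings" (should be "the"), "Fully Qualified Domain name(FQDN)" (should be "fully qualified domain name (FQDN)", with a space before the parenthesis), and "Please use", which the rest of the list avoids. It should also say which FQDN to put in the outbound rule, namely the Flexible Server's own host name, and make explicit that the (SQL) service tag entry is what the FQDN rule replaces, so readers do not leave a non-functional tag rule in place next to the new one.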
openshift Support Lifecycle https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/openshift/support-lifecycle.md
Previously updated : 12/18/2023 Last updated : 07/17/2024 # Support lifecycle for Azure Red Hat OpenShift 4
Red Hat OpenShift Container Platform uses semantic versioning. Semantic versioni
* **Minor version**: Released approximately every four months. Minor version updates can include feature additions, enhancements, deprecations, removals, bug fixes, security enhancements, and other improvements. * **Patch version**: Typically released each week, or as needed. Patch version updates can include bug fixes, security enhancements, and other improvements.
-You should aim to run the latest minor release of the major version you are running. For example, if your production cluster is on 4.14, and 4.15 is the latest generally available minor version for the 4 series, you should update to 4.15 as soon as you can.
+You should aim to run the latest minor release of the major version you're running. For example, if your production cluster is on 4.14, and 4.15 is the latest generally available minor version for the 4 series, you should update to 4.15 as soon as you can.
### Update channels
-Update channels are the mechanism by which users state the OpenShift Container Platform minor version they intend to update their clusters to. Update channels are tied to a minor version of Red Hat OpenShift Container Platform. The version number in the channel represents the target minor version that the cluster will eventually be updated to. An update channel does not recommend updates to a version above the selected channel's version. For instance, the OCP `stable-4.14` update channel does not include an update to a 4.15 release. Update channels only control release selection and do not modify the current version of the cluster. See [Understanding update channels and releases](https://docs.openshift.com/container-platform/latest/updating/understanding_updates/understanding-update-channels-release.html) for more information.
+Update channels are the mechanism by which users state the OpenShift Container Platform minor version they intend to update their clusters to. Update channels are tied to a minor version of Red Hat OpenShift Container Platform. The version number in the channel represents the target minor version that the cluster will eventually be updated to. An update channel doesn't recommend updates to a version above the selected channel's version. For instance, the OCP `stable-4.14` update channel doesn't include an update to a 4.15 release. Update channels only control release selection and don't modify the current version of the cluster. See [Understanding update channels and releases](https://docs.openshift.com/container-platform/latest/updating/understanding_updates/understanding-update-channels-release.html) for more information.
> [!IMPORTANT] > Azure Red Hat OpenShift provides support for stable channels only. For example: `stable-4.15`.
An Azure Red Hat OpenShift release is available through one of two mechanisms:
Azure Red Hat OpenShift supports generally available (GA) minor versions of Red Hat OpenShift Container Platform from when an update is available in the OpenShift `stable` channel. Update availability can be checked at the following page, [Red Hat OpenShift Container Platform Update Graph](https://access.redhat.com/labs/ocpupgradegraph/update_path). #### Install availability
-Installable versions can be validated by using the [Azure Red Hat OpenShift release calendar](#azure-red-hat-openshift-release-calendar) below or by running the following Azure CLI command:
+Installable versions can be validated by using the [Azure Red Hat OpenShift release calendar](#azure-red-hat-openshift-release-calendar) or by running the following Azure CLI command:
``` az aro get-versions --location [region] ``` ### Version end-of-life
-The end-of-life date for a version of Azure Red Hat OpenShift can be found in the [Azure Red Hat OpenShift release calendar](#azure-red-hat-openshift-release-calendar) below.
+The end-of-life date for a version of Azure Red Hat OpenShift can be found in the [Azure Red Hat OpenShift release calendar](#azure-red-hat-openshift-release-calendar).
> [!NOTE] > If you are running an unsupported Red Hat OpenShift version, you may be asked to update when requesting support for the cluster. Clusters running unsupported Red Hat OpenShift releases are not covered by the Azure Red Hat OpenShift SLA. ### Mandatory updates
-In extreme circumstances and based on the assessment of the CVE criticality to the environment, a critical patch update may be applied to clusters automatically by Azure Red Hat OpenShift Site Reliability Engineers (SRE) which will then be followed with a notification informing you of the change. It is a best practice to install patch (z-stream) updates as soon as they are available.
+In extreme circumstances and based on the assessment of the CVE criticality to the environment, a critical patch update may be applied to clusters automatically by Azure Red Hat OpenShift Site Reliability Engineers (SRE) which will then be followed with a notification informing you of the change. It's best practice to install patch (z-stream) updates as soon as they're available.
## Limited support status
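Review bot: the contraction pass in the mandatory-updates paragraph leaves the original run-on in place: "applied to clusters automatically by Azure Red Hat OpenShift Site Reliability Engineers (SRE) which will then be followed with a notification" needs a comma before "which" (or a split into two sentences), and the abbreviation should be "(SREs)" to match "SREs" in the section that follows. "Based on the assessment of the CVE criticality" should also say who makes that assessment; presumably the SRE team, since they apply the patch.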
-When a cluster transitions to a limited support status (or also called outside of support) Azure Red Hat OpenShift SREs no longer proactively monitor the cluster. Furthermore the SLA is no longer applicable and credits requested against the SLA are denied. Though it does not mean that you no longer have product support.
+When a cluster transitions to a limited support status (or also called outside of support) Azure Red Hat OpenShift SREs no longer proactively monitor the cluster. Furthermore, the SLA is no longer applicable and credits requested against the SLA are denied, though it doesn't mean that you no longer have product support.
A cluster might transition to a Limited Support status for many reasons, including the following scenarios:-- If you do not update a cluster to a supported version before the end-of-life date.
- - There are no runtime or SLA guarantees for versions after their end-of-life date. To avoid this and continue receiving full support, update the cluster to a supported version prior to the end-of-life date. If you do not update the cluster prior to the end-of-life date, the cluster transitions to a Limited Support status until it is updated to a supported version.
+- If you don't update a cluster to a supported version before the end-of-life date.
+ - There are no runtime or SLA guarantees for versions after their end-of-life date. To avoid this and continue receiving full support, update the cluster to a supported version before the end-of-life date. If you don't update the cluster before the end-of-life date, the cluster transitions to a Limited Support status until it's updated to a supported version.
- Azure Red Hat OpenShift SREs provide commercially reasonable support to update from an unsupported version to a supported version. However, if a supported update path is no longer available, you might have to create a new cluster and migrate your workloads. - If you remove or replace any native Azure Red Hat OpenShift components or any other component that is installed and managed by the service.
- - If admin permissions were used, Azure Red Hat OpenShift is not responsible for any of your or your authorized usersΓÇÖ actions, including those that affect infrastructure services, service availability, or data loss. If any such actions are detected, the cluster might transition to a Limited Support status. You should then either revert the action or create a support case to explore remediation steps.
- - In some cases, the cluster can return to a fully-supported status if you remediate the violating factors. However, in other cases, you might have to delete and recreate the cluster.
- - Please see the Azure Red Hat OpenShift support policy for more information about [cluster configuration requirements](./support-policies-v4.md#cluster-configuration-requirements).
+ - If admin permissions were used, Azure Red Hat OpenShift isn't responsible for any of your or your authorized usersΓÇÖ actions, including those that affect infrastructure services, service availability, or data loss. If any such actions are detected, the cluster might transition to a Limited Support status. You should then either revert the action or create a support case to explore remediation steps.
+ - In some cases, the cluster can return to a fully supported status if you remediate the violating factors. However, in other cases, you might have to delete and recreate the cluster.
+ - See the Azure Red Hat OpenShift support policy for more information about [cluster configuration requirements](./support-policies-v4.md#cluster-configuration-requirements).
## Supported versions policy exceptions
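Review bot: "(or also called outside of support)" should be "(also called outside of support)", and joining the two sentences with ", though it doesn't mean that you no longer have product support" attaches the qualifier to the credits clause alone; keep it as its own sentence: "This doesn't mean that you no longer have product support." In the admin-permissions bullet, "any of your or your authorized users' actions" is hard to parse; "actions taken by you or your authorized users" reads more clearly. That bullet also describes the consequence (a Limited Support status) without saying how the status is surfaced to the customer; if it is visible in the portal or CLI, link to where.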
See the following guide for the [past Red Hat OpenShift Container Platform (upst
|4.9|November 2021| February 1 2022|March 2 2023| |4.10|March 2022| June 21 2022|August 19 2023| |4.11|August 2022| March 2 2023|February 10 2024|
-|4.12|January 2023| August 19 2023|July 17 2024|
+|4.12|January 2023| August 19 2023|October 17 2024|
|4.13|May 2023| December 15 2023|November 17 2024| |4.14|October 2023| April 25 2024|May 1 2025| |4.15|February 2024| Coming soon|June 27 2025|
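Review bot: this row moves the 4.12 end-of-life date from July 17 2024 to October 17 2024, past a date that had already arrived when the change landed (the page header shows "Last updated : 07/17/2024"). The commit should say why the date was extended and cite the source. The FAQ example further down ("if the oldest supported Azure Red Hat OpenShift version is 4.13 and you are on 4.12 or older, you're outside of support") should be re-read against this row; it is framed as hypothetical, but it now sits next to a table in which 4.12 is still supported for three more months and reads as stale.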
See the following guide for the [past Red Hat OpenShift Container Platform (upst
**What happens when a user updates an OpenShift cluster with a minor version that is not supported?**
-Azure Red Hat OpenShift supports installing minor versions consistent with the dates in the table above. A version is supported as soon as an update path to that version is available in the stable channel. If you are running a version past the EOL date above, you are outside of support and may be asked to update to continue receiving support. Updating from an older version to a supported version can be challenging, and in some cases not possible. We recommend you keep your cluster on the latest OpenShift version to avoid potential update issues.
+Azure Red Hat OpenShift supports installing minor versions consistent with the dates in the previous table. A version is supported as soon as an update path to that version is available in the stable channel. If you're running a version past the End of Life date, you're outside of support and may be asked to update to continue receiving support. Updating from an older version to a supported version can be challenging, and in some cases not possible. We recommend you keep your cluster on the latest OpenShift version to avoid potential update issues.
-For example, if the oldest supported Azure Red Hat OpenShift version is 4.13 and you are on 4.12 or older, you are outside of support. When the update from 4.12 to 4.13 or higher succeeds, you will be back within our support policies.
+For example, if the oldest supported Azure Red Hat OpenShift version is 4.13 and you are on 4.12 or older, you're outside of support. When the update from 4.12 to 4.13 or higher succeeds, you'll be back within our support policies.
-Reverting your cluster to a previous version, or a rollback, is not supported. Only updating to a newer version is supported.
+Reverting your cluster to a previous version, or a rollback, isn't supported. Only updating to a newer version is supported.
**What does "Outside of Support" or "Limited Support" mean?**
-If your ARO cluster is running an OpenShift version that is not on the supported versions list, or is using an [unsupported cluster configuration](./support-policies-v4.md#cluster-configuration-requirements), your cluster is "outside of support". As a result:
+If your ARO cluster is running an OpenShift version that isn't on the supported versions list, or is using an [unsupported cluster configuration](./support-policies-v4.md#cluster-configuration-requirements), your cluster is "outside of support". As a result:
- When opening a support ticket for your cluster, you may be asked to update the cluster to a supported version before receiving support. - Any runtime or SLA guarantees for clusters outside of support are voided. - Clusters outside of support will be patched only on a best effort basis.-- Clusters outside of support will not be monitored.
+- Clusters outside of support won't be monitored.
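Review bot: the contraction pass is incomplete and the terminology now varies within one answer: "you are on 4.12 or older" sits next to "you're outside of support"; "the End of Life date" is capitalised here while the rest of the page uses "end-of-life"; and "will be patched only on a best effort basis" was left as is while the next bullet became "won't be monitored" (and "best-effort" should be hyphenated when used attributively). Pick one form for each and apply it across the answer.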
postgresql Concepts Scaling Resources https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/postgresql/flexible-server/concepts-scaling-resources.md
description: This article describes the resource scaling in Azure Database for P
Previously updated : 04/27/2024 Last updated : 07/18/2024
For read replica configured servers, scaling operations must follow a specific s
- Near-zero downtime scaling doesn't work if a [virtual network-injected server with a delegated subnet](../flexible-server/concepts-networking-private.md#virtual-network-concepts) doesn't have sufficient usable IP addresses. If you have a standalone server, one extra IP address is necessary. For an HA-enabled server, two extra IP addresses are required. - Logical replication slots aren't preserved during a near-zero downtime failover event. To maintain logical replication slots and ensure data consistency after a scale operation, use the [pg_failover_slot](https://github.com/EnterpriseDB/pg_failover_slots) extension. For more information, see [Enabling extension in a flexible server](../flexible-server/concepts-extensions.md#pg_failover_slots-preview). - For HA-enabled servers, near-zero downtime scaling is currently enabled for a limited set of regions. More regions will be enabled in a phased manner based on regional capacity.
+- Near-zero downtime scaling doesn't work with [unlogged tables](https://www.postgresql.org/docs/current/sql-createtable.html#SQL-CREATETABLE-UNLOGGED). Customers using unlogged tables for any of their data will lose all the data in those tables after the near-zero downtime scaling.
## Related content
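Review bot: the new bullet says data in unlogged tables is lost after near-zero downtime scaling but not why, nor what to do about it. The cause is the property the linked CREATE TABLE page describes: unlogged tables are not written to the write-ahead log, so they are neither replicated to a standby nor preserved across an unclean restart, and the scale operation is a failover (the preceding bullet calls it "a near-zero downtime failover event"). State that, and give the reader the options: convert such tables with ALTER TABLE ... SET LOGGED before scaling, or export their contents first and accept that they come back empty. "Customers using unlogged tables for any of their data will lose all the data in those tables" also reads better as "All data in unlogged tables is lost after the operation", which matches the voice of the surrounding bullets.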
postgresql Concepts Security https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/postgresql/flexible-server/concepts-security.md
When you're running Azure Database for PostgreSQL - Flexible Server, you have tw
## Microsoft Defender for Cloud support
-**[Microsoft Defender for open-source relational databases](../../defender-for-cloud/defender-for-databases-introduction.md)** detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Defender for Cloud provides [security alerts](../../defender-for-cloud/alerts-reference.md#alerts-for-open-source-relational-databases) on anomalous activities so that you can detect potential threats and respond to them as they occur.
+**[Microsoft Defender for open-source relational databases](../../defender-for-cloud/defender-for-databases-introduction.md)** detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Defender for Cloud provides [security alerts](../../defender-for-cloud/alerts-open-source-relational-databases.md) on anomalous activities so that you can detect potential threats and respond to them as they occur.
When you enable this plan, Defender for Cloud provides alerts when it detects anomalous database access and query patterns and suspicious database activities. These alerts appear in Defender for Cloud's security alerts page and include:
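Review bot: the only change is the alert link target, from the anchor `alerts-reference.md#alerts-for-open-source-relational-databases` to the standalone page `alerts-open-source-relational-databases.md`; confirm the new page exists under `defender-for-cloud/` and that the other articles still pointing at the old anchor are updated in the same change (or the old section redirects), otherwise this fixes one link and leaves its siblings broken.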
postgresql Best Practices Migration Service Postgresql https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/postgresql/migrate/migration-service/best-practices-migration-service-postgresql.md
The following phases are considered for calculating the total downtime to perfor
- Comparing maximum or minimum IDs of key application-related columns. > [!NOTE]
- > The size of databases needs to be the right metric for validation. The source instance might have bloats or dead tuples, which can bump up the size of the source instance. It's normal to have size differences between source instances and target servers. An issue in the first three steps of validation indicates a problem with the migration.
+ > The comparative size of databases is not the right metric for validation. The source instance might have bloats or dead tuples, which can bump up the size of the source instance. It's normal to have size differences between source instances and target servers. An issue in the preceding three steps of validation indicates a problem with the migration.
- **Migration of server settings**: Any custom server parameters, firewall rules (if applicable), tags, and alerts must be manually copied from the source instance to the target. - **Changing connection strings**: The application should change its connection strings to a flexible server after successful validation. This activity is coordinated with the application team to change all the references of connection strings pointing to the source instance. In the flexible server, the user parameter can be used in the **user=username** format in the connection string.
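Review bot: the rewritten note now says the opposite of the old one (comparative database size is not the right validation metric), which is the reading the bloat/dead-tuple explanation supports, but it only says what not to use; name the metrics the bullets above already rely on (row counts and the min/max IDs of key columns) so the note stands on its own. `preceding three steps` also hard-codes the number of validation bullets above; keep that count in sync if the list changes.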
The preceding numbers give you an approximation of the time taken to complete th
We recommend a powerful SKU for the target because the PostgreSQL migration service runs out of a container on the flexible server. A powerful SKU enables more tables to be migrated in parallel. You can scale the SKU back to your preferred configuration after the migration. This section contains steps to improve the migration speed if the data distribution among the tables needs to be more balanced or a more powerful SKU doesn't significantly affect the migration speed.
-If the data distribution on the source is highly skewed, with most of the data present in one table, the allocated compute for migration needs to be fully utilized, which creates a bottleneck. So, split large tables into smaller chunks, which are then migrated in parallel. This feature applies to tables with more than 10,000,000 (10 m) tuples. Splitting the table into smaller chunks is possible if one of the following conditions is satisfied:
+If the data distribution on the source is highly skewed, with most of the data present in one table, the allocated compute for migration needs to be fully utilized, which creates a bottleneck. So, split large tables into smaller chunks, which are then migrated in parallel. This feature applies to tables with more than 1,000,000 (1 m) tuples. Splitting the table into smaller chunks is possible if one of the following conditions is satisfied:
- The table must have a column with a simple (not composite) primary key or unique index of type `int` or `significant int`.
If any of the preceding conditions are satisfied, the table is migrated in multi
#### How it works - The migration service looks up the maximum and minimum integer value of the table's primary key/unique index that must be split up and migrated in parallel.-- If the difference between the minimum and maximum value is more than 10,000,000 (10 m), the table is split into multiple parts and each part is migrated in parallel.
+- If the difference between the minimum and maximum value is more than 1,000,000 (1 m), the table is split into multiple parts and each part is migrated in parallel.
In summary, the PostgreSQL migration service migrates a table in parallel threads and reduces the migration time if: - The table has a column with a simple primary key or unique index of type int or significant int.-- The table has at least 10,000,000 (10 m) rows so that the difference between the minimum and maximum value of the primary key is more than 10,000,000 (10 m).
+- The table has at least 1,000,000 (1 m) rows so that the difference between the minimum and maximum value of the primary key is more than 1,000,000 (1 m).
- The SKU used has idle cores, which can be used for migrating the table in parallel. ## Vacuum bloat in the PostgreSQL database
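Review bot: the threshold is lowered from 10,000,000 to 1,000,000 consistently in all three places, but the summary bullet's logic doesn't quite hold: a table with `at least 1,000,000 (1 m) rows` and a dense sequential key has a max-min difference of 999,999, which is not `more than 1,000,000`, so either say `more than 1,000,000 rows` or state the condition in terms of the key range only. The unchanged text `of type int or significant int` (twice in this region) is not a PostgreSQL type name; if `bigint` is meant, fix it in the same PR.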
remote-rendering Create An Account https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/remote-rendering/how-tos/create-an-account.md
The steps in this paragraph have to be performed for each storage account that s
1. Select **Select members**, select your subscription, select **Remote Rendering Account**, select your remote rendering account, and then click **Select**. 1. Select **Review + assign** and select **Review + assign** again.
- ![Screenshot showing Add role assignment page in Azure portal.](../../../includes/role-based-access-control/media/add-role-assignment-page.png)
+ ![Screenshot showing Add role assignment page in Azure portal.](~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-page.png)
> [!WARNING] > If your Remote Rendering account is not listed, refer to this [troubleshoot section](../resources/troubleshoot.md#cant-link-storage-account-to-arr-account).
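Review bot: the screenshot moves from the repo-relative `../../../includes/role-based-access-control/media/` path to the `~/reusable-content/ce-skilling/azure/media/role-based-access-control/` root; confirm the build resolves the `~/` root and that the file was actually relocated, because a missing image fails silently in the rendered page. The same relocation appears in the role-based-access-control, search-howto-managed-identities-sql and search-security-rbac hunks below, so one check covers all of them.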
role-based-access-control Ai Machine Learning https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/permissions/ai-machine-learning.md
Access and manage the predictive models that you created and deployed as web ser
Azure service: [Machine Learning Studio (classic)](/azure/machine-learning/classic/) > [!div class="mx-tableFixed"] > | Action | Description |
role-based-access-control Quickstart Assign Role User Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/quickstart-assign-role-user-portal.md
In Azure RBAC, to grant access, you assign an Azure role.
If you don't have permissions to assign roles, the Add role assignment option will be disabled.
- ![Access control (IAM) page with Add role assignment menu open.](../../includes/role-based-access-control/media/add-role-assignment-menu-generic.png)
+ ![Access control (IAM) page with Add role assignment menu open.](~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-menu-generic.png)
1. On the **Role** tab, select the **Virtual Machine Contributor** role.
- ![Add role assignment page with Role tab selected.](../../includes/role-based-access-control/media/add-role-assignment-role-generic.png)
+ ![Add role assignment page with Role tab selected.](~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-role-generic.png)
1. On the **Members** tab, select yourself or another user.
route-server Quickstart Configure Route Server Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/route-server/quickstart-configure-route-server-cli.md
az network routeserver peering list-learned-routes \
--resource-group myRouteServerRG \ ``` ## Clean up resources
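Review bot: the visible tail of the `az network routeserver peering list-learned-routes` command ends with `--resource-group myRouteServerRG \` immediately before the closing fence, that is, a dangling line-continuation backslash; if a parameter line was removed after it in this change, drop the trailing backslash as well, otherwise a pasted copy of the block waits for more input instead of running.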
sap Get Started https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/get-started.md
Previously updated : 06/28/2024 Last updated : 07/18/2024
In the SAP workload documentation space, you can find the following areas:
## Change Log
+- July 18, 2024: Add note about metadata heavy workload to Azure Premium Files in [Azure Storage types for SAP workload](./planning-guide-storage.md)
- June 26, 2024: Adapt [Azure Storage types for SAP workload](./planning-guide-storage.md) to latest features, like snapshot capabilities for Premium SSD v2 and Ultra disk. Adapt ANF to support of mix of NFS and block storage between /hana/data and /hana/log - June 26, 2024: Fix wrong memory stated for some VMs in [SAP HANA Azure virtual machine Premium SSD storage configurations](./hana-vm-premium-ssd-v1.md) and [SAP HANA Azure virtual machine Premium SSD v2 storage configurations](./hana-vm-premium-ssd-v2.md) - June 19, 2024: Update the SAP high availability guides to lift the restriction of using floating IP on the NIC secondary IP address in load-balancing scenarios
sap Planning Guide Storage https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/planning-guide-storage.md
ms.assetid: d7c59cc1-b2d0-4d90-9126-628f9c7a5538
Previously updated : 06/26/2024 Last updated : 07/17/2024
Remark about the units used throughout this article. The public cloud vendors mo
## Microsoft Azure Storage resiliency
-Microsoft Azure storage of Standard HDD, Standard SSD, Azure premium storage, Premium SSD v2, and Ultra disk keeps the base VHD (with OS) and VM attached data disks or VHDs in three copies on three different storage nodes. Failing over to another replica and seeding of a new replica if there's a storage node failure, is transparent. As a result of this redundancy, it's **NOT** required to use any kind of storage redundancy layer across multiple Azure disks. This fact is called Local Redundant Storage (LRS). LRS is default for these types of storage in Azure. [Azure NetApp Files](https://azure.microsoft.com/services/netapp/) provides sufficient redundancy to achieve the same SLAs as other native Azure storage.
+Microsoft Azure storage of Standard HDD, Standard SSD, Azure premium storage, Premium SSD v2, and Ultra disk keeps the base VHD (with OS) and VM attached data disks or VHDs (Virtual Hard Disk) in three copies on three different storage nodes. Failing over to another replica and seeding of a new replica if there's a storage node failure, is transparent. As a result of this redundancy, it's **NOT** required to use any kind of storage redundancy layer across multiple Azure disks. This fact is called Local Redundant Storage (LRS). LRS is default for these types of storage in Azure. [Azure NetApp Files](https://azure.microsoft.com/services/netapp/) provides sufficient redundancy to achieve the same SLAs (Serive Level Agreements) as other native Azure storage.
There are several more redundancy methods, which are all described in the article [Azure Storage replication](../../storage/common/storage-redundancy.md?toc=%2fazure%2fstorage%2fqueues%2ftoc.json) that applies to some of the different storage types Azure has to offer.
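Review bot: the added expansion `SLAs (Serive Level Agreements)` in the `+` line has a typo, `Service`. While touching this sentence, `Local Redundant Storage (LRS)` should match the Azure term `locally redundant storage`, which is also how the Azure Storage replication article linked in the next paragraph names it.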
Persisted storage is needed in SAP workload in various components of the stack t
- Persistent the base VHD of your VM that holds the operating system and other software you install in that disk. This disk/VHD is the root of your VM. Any changes made to it, need to be persisted. So, that the next time, you stop and restart the VM, all the changes made before still exist. Especially in cases where the VM is getting deployed by Azure onto another host than it was running originally - Persisted data disks. These disks are VHDs you attach to store application data in. This application data could be data and log/redo files of a database, backup files, or software installations. Means any disk beyond your base VHD that holds the operating system - File shares or shared disks that contain your global transport directory for NetWeaver or S/4HANA. Content of those shares is either consumed by software running in multiple VMs or is used to build high-availability failover cluster scenarios-- The /sapmnt directory or common file shares for EDI processes or similar. Content of those shares is either consumed by software running in multiple VMs or is used to build high-availability failover cluster scenarios
+- The /sapmnt directory or common file shares for EDI (Electronic Data Interchange) processes or similar. Content of those shares is either consumed by software running in multiple VMs or is used to build high-availability failover cluster scenarios
In the next few sections, the different Azure storage types and their usability for the four SAP workload scenarios gets discussed. A general categorization of how the different Azure storage types should be used is documented in the article [What disk types are available in Azure?](../../virtual-machines/disks-types.md). The recommendations for using the different Azure storage types for SAP workload aren't going to be majorly different.
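Review bot: the `+` line only expands EDI, but the first bullet of the same list still opens with `Persistent the base VHD of your VM`, which should be `Persist`, and the `-` line shows two bullets fused as `scenarios-- The /sapmnt`, so check that the new line is emitted as its own list item rather than appended to the previous one.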
For support restrictions on Azure storage types for SAP NetWeaver/application la
The sections describing the different Azure storage types will give you more background about the restrictions and possibilities using the SAP supported storage. ### Storage choices when using DBMS replication
-Our reference architectures foresee the usage of DBMS functionality like SQL Server Always On, HANA System Replication, Db2 HADR, or Oracle Data Guard. In case, you're using these technologies between two or multiple Azure virtual machines, the storage types chosen for each of the VMs is required to be the same. Means the storage configuration between active node and replica node in DBMS HA configuration needs to be the same.
+Our reference architectures foresee the usage of DBMS (Database Management System) functionality like SQL Server Always On, HANA System Replication, Db2 HADR, or Oracle Data Guard. In case, you're using these technologies between two or multiple Azure virtual machines, the storage types chosen for each of the VMs is required to be the same. Means the storage configuration between active node and replica node in DBMS HA configuration needs to be the same.
## Storage recommendations for SAP storage scenarios
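Review bot: the DBMS expansion is fine, but the rest of the `+` sentence keeps two pre-existing issues worth fixing in the same edit: the stray comma in `In case, you're using these technologies`, and `Means the storage configuration ...`, which is a fragment (`This means the storage configuration ...`).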
Azure premium SSD storage got introduced with the goal to provide:
This type of storage is targeting DBMS workloads, storage traffic that requires low single digit millisecond latency, and SLAs on IOPS and throughput. Cost basis for Azure premium storage isn't the actual data volume stored in such disks, but the size category of such a disk, independent of the amount of the data that is stored within the disk. You also can create disks on premium storage that aren't directly mapping into the size categories shown in the article [Premium SSD](../../virtual-machines/disks-types.md#premium-ssds). Conclusions out of this article are: -- The storage is organized in ranges. For example, a disk in the range 513 GiB to 1024 GiB capacity share the same capabilities and the same monthly costs-- The IOPS per GiB aren't tracking linear across the size categories. Smaller disks below 32 GiB have higher IOPS rates per GiB. For disks beyond 32 GiB to 1024 GiB, the IOPS rate per GiB is between 4-5 IOPS per GiB. For larger disks up to 32,767 GiB, the IOPS rate per GiB is going below 1
+- The storage is organized in ranges. For example, a disk in the range 513 GiB to 1,024 GiB capacity share the same capabilities and the same monthly costs
+- The IOPS per GiB aren't tracking linear across the size categories. Smaller disks below 32 GiB have higher IOPS rates per GiB. For disks beyond 32 GiB to 1,024 GiB, the IOPS rate per GiB is between 4-5 IOPS per GiB. For larger disks up to 32,767 GiB, the IOPS rate per GiB is going below 1
- The I/O throughput for this storage isn't linear with the size of the disk category. For smaller disks, like the category between 65 GiB and 128 GiB capacity, the throughput is around 780 KB per GiB. Whereas for the extreme large disks like a 32,767 GiB disk, the throughput is around 28 KB per GiB - The IOPS and throughput SLAs can't be changed without changing the capacity of the disk
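Review bot: the `-` line shows the two bullets were joined (`costs-- The IOPS`), so confirm the two `+` lines land as separate list items; the unchanged line that follows still fuses `28 KB per GiB - The IOPS and throughput SLAs` the same way, which suggests the whole list needs the line-break fix, not only the two items that received thousands separators.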
Azure premium storage doesn't fulfill SAP HANA storage latency KPIs with the com
-**Summary:** Azure premium storage is one of the Azure storage types recommended for SAP workload. This recommendation applies for non-production and production systems. Azure premium storage is suited to handle database workloads. The usage of Azure Write Accelerator is going to improve write latency against Azure premium disks substantially. However, for DBMS systems with high IOPS and throughput rates, you need to either overprovision storage capacity. Or you need to use functionality like Windows Storage Spaces or logical volume managers in Linux to build stripe sets that give you the desired capacity on the one side. But also the necessary IOPS or throughput at best cost efficiency.
+**Summary:** Azure premium storage is one of the Azure storage types recommended for SAP workload. This recommendation applies for nonproduction and production systems. Azure premium storage is suited to handle database workloads. The usage of Azure Write Accelerator is going to improve write latency against Azure premium disks substantially. However, for DBMS systems with high IOPS and throughput rates, you need to either overprovision storage capacity. Or you need to use functionality like Windows Storage Spaces or logical volume managers in Linux to build stripe sets that give you the desired capacity on the one side. But also the necessary IOPS or throughput at best cost efficiency.
### Azure burst functionality for premium storage
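Review bot: `non-production` to `nonproduction` is a style-guide change only; the sentences that follow in the same `+` line still read as fragments (`... either overprovision storage capacity. Or you need to use ... on the one side. But also the necessary IOPS ...`) and would be clearer as one sentence: either overprovision capacity, or build stripe sets with Storage Spaces or LVM that deliver the required capacity and the required IOPS and throughput at the best cost.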
Azure Premium SSD v2 storage is a new version of premium storage that got introd
* Give the possibility to add more IOPS and throughput to each disk and pay separately for these extra provisioned resources * Pass SAP HANA certification without the help of other functionality like Azure Write Accelerator or other caches
-This type of storage is targeting DBMS workloads, storage traffic that requires submillisecond latency, and SLAs on IOPS and throughput. The Premium SSD v2 disks are delivered with a default set of 3,000 IOPS and 125 MBps throughput. And the possibility to add more IOPS and throughput to individual disks. The pricing of the storage is structured in a way that adding more throughput or IOPS isn't influencing the price majorly. Nevertheless, we leave it up to you to decide how the storage configuration for Premium SSD v2 will look like. For a base start, read [SAP HANA Azure virtual machine Premium SSD v2 storage configurations](./hana-vm-premium-ssd-v2.md).
+This type of storage is targeting DBMS workloads, storage traffic that requires submillisecond latency, and SLAs on IOPS and throughput. The Premium SSD v2 disks are delivered with a default set of 3,000 IOPS and 125 MBps throughput. And the possibility to add more IOPS and throughput to individual disks. The pricing of the storage is structured in a way that adding more throughput or IOPS isn't influencing the price majorly. Nevertheless, we leave it up to you to decide how your storage configuration for Premium SSD v2 is going to look like. For a base start, read [SAP HANA Azure virtual machine Premium SSD v2 storage configurations](./hana-vm-premium-ssd-v2.md).
For the actual regions, this new block storage type is available and the actual restrictions read the document [Premium SSD v2](../../virtual-machines/disks-types.md#premium-ssd-v2).
The capability matrix for SAP workload looks like:
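Review bot: `how your storage configuration for Premium SSD v2 is going to look like` keeps the `look like` construction the edit set out to remove; use `how ... will look` or `what ... looks like`.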
| Latency | Very low | Typically less than 1 ms | | IOPS SLA | Yes | - | | IOPS linear to capacity | Linear with auto QoS; independent with Manual QoS | Three [service levels](../../azure-netapp-files/azure-netapp-files-service-levels.md) available |
-| Throughput SLA | Yes | Sizing recommendations are available in the SAP on Azure NetApp FIles TCO Esti |
+| Throughput SLA | Yes | Sizing recommendations are available in the SAP on Azure NetApp FIles TCO Estimator |
| Throughput linear to capacity | Linear with auto QoS; independent with Manual QoS | Three [service levels](../../azure-netapp-files/azure-netapp-files-service-levels.md) available | | HANA certified | Yes | - | | Disk snapshots possible | Yes | - |
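Review bot: the `+` line completes the truncated cell (`TCO Estimator`) but carries over the capitalization typo `Azure NetApp FIles`; the estimator is also named without a link while the neighbouring cells link their sources, so add one if the estimator has a public page.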
Other built-in functionality of Azure NetApp Files storage:
> Even for non-DBMS usage, you should use the functionality that allows you to create the NFS share in the same Azure Availability Zones as you placed your VM(s) that should mount the NFS shares into. This functionality is documented in the article [Manage availability zone volume placement for Azure NetApp Files](../../azure-netapp-files/manage-availability-zone-volume-placement.md). The motivation to have this type of Availability Zone alignment is the reduction of risk surface by having the NFS shares yet in another AvZone where you don't run VMs in. -- You go for the closest proximity between VM and NFS share that can be arranged by using [Application Volume Groups](../../azure-netapp-files/application-volume-group-introduction.md). The advantage of Application Volume Groups, besides allocating best proximity and with that creating lowest latency, is that your different NFS shares for SAP HANA deployments are distributed across different controllers in the Azure NetApp Files backend clusters. Disadvantage of this method is that you need to go through a pinning process again. A process that will end restricting your VM deployment to a single datacenter. Instead of an Availability Zones as the first method introduced. This means less flexibility in changing VM sizes and VM families of the VMs that have the NFS volumes mounted.
+- You go for the closest proximity between VM and NFS share that can be arranged by using [Application Volume Groups](../../azure-netapp-files/application-volume-group-introduction.md). The advantage of Application Volume Groups, besides allocating best proximity and with that creating lowest latency, is that your different NFS shares for SAP HANA deployments are distributed across different controllers in the Azure NetApp Files backend clusters. Disadvantage of this method is that you need to go through a pinning process again. A process that ends restricting your VM deployment to a single datacenter. Instead of an Availability Zones as the first method introduced. This means less flexibility in changing VM sizes and VM families of the VMs that have the NFS volumes mounted.
- Current process of not using Availability Placement Groups. Which so far are available for SAP HANA only. This process also uses the same manual pinning process as this is the case with Availability Volume groups. This method is the method used for the last three years. It has the same flexibility restrictions as the process has with Availability Volume Groups.
-As preferences for allocating NFS volumes based on Azure NetApp Files for database specific usage, you should attempt to allocate the NFS volume in the same zone as your VM first. Especially for non-HANA databases. Only if latency proves to be insufficient you should go through a manual pinning process. For smaller HANA workload or non-production HANA workload, you should follow a zonal allocation method as well. Only in cases where performance and latency aren't sufficient you should use Application Volume Groups.
+As preferences for allocating NFS volumes based on Azure NetApp Files for database specific usage, you should attempt to allocate the NFS volume in the same zone as your VM first. Especially for non-HANA databases. Only if latency proves to be insufficient you should go through a manual pinning process. For smaller HANA workload or nonproduction HANA workload, you should follow a zonal allocation method as well. Only in cases where performance and latency aren't sufficient you should use Application Volume Groups.
**Summary**: Azure NetApp Files is a HANA certified low latency storage that allows to deploy NFS and SMB volumes or shares. The storage comes with three different service levels that provide different throughput and IOPS in a linear manner per GiB capacity of the volume. The Azure NetApp Files storage is enabling to deploy SAP HANA scale-out scenarios with a standby node. The storage is suitable for providing file shares as needed for /sapmnt or SAP global transport directory. Azure NetApp Files storage come with functionality availability that is available as native NetApp functionality.
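Review bot: `A process that ends restricting your VM deployment to a single datacenter.` in the `+` line is a fragment; fold it into the previous sentence (`... a pinning process again, which ends up restricting your VM deployment to a single datacenter instead of an Availability Zone, as in the first method`). That also fixes `an Availability Zones` in the unchanged text.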
As preferences for allocating NFS volumes based on Azure NetApp Files for databa
SAP scenarios supported on Azure Premium Files list like: - Providing SMB or NFS shares for SAP's global transport directory
+- Usage as share for interfaces to SAP systems and EDI processes
- The share sapmnt in high availability scenarios as documented in: - [High availability for SAP NetWeaver on Azure VMs on SUSE Linux Enterprise Server with NFS on Azure Files](./high-availability-guide-suse-nfs-azure-files.md) - [High availability for SAP NetWeaver on Azure VMs on Red Hat Enterprise Linux with NFS on Azure Files](./high-availability-guide-rhel-nfs-azure-files.md)
SAP scenarios supported on Azure Premium Files list like:
Azure Premium Files is starting with larger amount of IOPS at the minimum share size of 100 GB compared to Azure NetApp Files. This higher bar of IOPS can avoid capacity overprovisioning to achieve certain IOPS and throughput values. For IOPS and storage throughput, read the section [Azure file share scale targets in Azure Files scalability and performance targets](../../storage/files/storage-files-scale-targets.md).
+> [!NOTE]
+> Due to the tiered architecture of Azure Premium Files, the latency accessing metadata of the files stored in shares is significantly higher than with Azure NetApp Files. This higher latency can impact for instance mass creation and deletion of files. But it can also have noticeable impact on the time it takes to list the content of large directories, containing hundreds of thousands of files. The main use case we see this higher metadata latency affecting is the usage as interface share where customers can encounter hundreds of thousands or even millions of file creations and mass deletions every day. Therefore, you should test the interface share scenarios diligently. To determine if your workload is metadata heavy, check [Metadata or namespace heavy workload](/troubleshoot/azure/azure-storage/files-troubleshoot-performance?toc=/azure/storage/files/toc.json#cause-2-metadata-or-namespace-heavy-workload)
+ The capability matrix for SAP workload looks like: | Capability| Comment| Notes/Links |
The capability matrix for SAP workload looks like:
| Costs | low | - |
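Review bot: the last `+` line, ` The capability matrix for SAP workload looks like: | Capability| Comment| Notes/Links |`, duplicates the unchanged `The capability matrix for SAP workload looks like:` right after it and starts with a leading space with the table header on the same line, so it looks like an editing leftover that will render as a stray paragraph; remove it. In the note itself the final sentence has no closing period, and `can impact for instance mass creation and deletion of files` reads better as `can affect, for instance, the mass creation and deletion of files`.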
-**Summary**: Azure Premium Files is a low latency storage that allows to deploy NFS and SMB volumes or shares. Azure Premium Files provides excellent price/performance ratio for SAP application layer shares. It also provides synchronous zonal replication for these shares. So far, we don't support this storage type for SAP DBMS workload. Though it can be used for **/hana/shared** volumes.
+**Summary**: Azure Premium Files is a low latency storage that allows to deploy NFS and SMB volumes or shares. Azure Premium Files provides excellent price/performance ratio for SAP application layer shares. It also provides synchronous zonal replication for these shares. So far, we don't support this storage type for SAP DBMS workload. Though it can be used for **/hana/shared** volumes.
## Azure standard SSD storage
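Review bot: the `-` and `+` lines of this summary are textually identical, so the change is whitespace only; drop it unless it is deliberate (for example trailing-space cleanup), to keep the diff focused. `Though it can be used for **/hana/shared** volumes.` is a fragment and could join the previous sentence.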
-Compared to Azure standard HDD storage, Azure standard SSD storage delivers better availability, consistency, reliability, and latency. It's optimized for workloads that need consistent performance at lower IOPS levels. This storage is the minimum storage used for non-production SAP systems that have low IOPS and throughput demands. The capability matrix for SAP workload looks like:
+Compared to Azure standard HDD storage, Azure standard SSD storage delivers better availability, consistency, reliability, and latency. It's optimized for workloads that need consistent performance at lower IOPS levels. This storage is the minimum storage used for nonproduction SAP systems that have low IOPS and throughput demands. The capability matrix for SAP workload looks like:
| Capability| Comment| Notes/Links | | | | |
-| OS base VHD | Restricted suitable | Non-production systems |
-| Data disk | Restricted suitable | Some non-production systems with low IOPS and latency demands |
+| OS base VHD | Restricted suitable | Nonproduction systems |
+| Data disk | Restricted suitable | Some nonproduction systems with low IOPS and latency demands |
| SAP global transport directory | No | [Not supported](https://launchpad.support.sap.com/#/notes/2015553) |
-| SAP sapmnt | Restricted suitable | Non-production systems |
+| SAP sapmnt | Restricted suitable | Nonproduction systems |
| Backup storage | Suitable | - | | Shares/shared disk | Not available | Needs third party | | Resiliency | LRS, GRS | No ZRS available for disks |
Compared to Azure standard HDD storage, Azure standard SSD storage delivers bett
-**Summary:** Azure standard SSD storage is the minimum recommendation for non-production VMs for base VHD, eventual DBMS deployments with relative latency insensitivity and/or low IOPS and throughput rates. This Azure storage type isn't supported anymore for hosting the SAP Global Transport Directory.
+**Summary:** Azure standard SSD storage is the minimum recommendation for nonproduction VMs for base VHD, eventual DBMS deployments with relative latency insensitivity and/or low IOPS and throughput rates. This Azure storage type isn't supported anymore for hosting the SAP Global Transport Directory.
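Review bot: the nonproduction change is applied consistently across the paragraph, the three table rows and the summary. In the summary, `eventual DBMS deployments` reads as a false friend for `possible` or `occasional`, and `and/or` is a construction the style guide discourages; `for base VHDs and for DBMS deployments that are latency-insensitive or have low IOPS and throughput rates` says the same thing plainly.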
search Search Howto Managed Identities Sql https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/search-howto-managed-identities-sql.md
In this section you'll, give your Azure AI Search service permission to read dat
1. Select **Add > Add role assignment**.
- :::image type="content" source="../../includes/role-based-access-control/media/add-role-assignment-menu-generic.png" alt-text="Screenshot that shows Access control (IAM) page with Add role assignment menu open.":::
+ :::image type="content" source="~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-menu-generic.png" alt-text="Screenshot that shows Access control (IAM) page with Add role assignment menu open.":::
1. On the **Role** tab, select the appropriate **Reader** role.
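Review bot: the unchanged lead-in line `In this section you'll, give your Azure AI Search service permission` has a misplaced comma (`In this section, you'll give ...`); since the hunk already touches this step list, fix it here.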
search Search Indexer Howto Access Private https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/search-indexer-howto-access-private.md
You can create a shared private link for the following resources.
<sup>3</sup> The `Microsoft.Sql/servers` resource type is used for connections to Azure SQL database. There's currently no support for a shared private link to Azure Synapse SQL.
-<sup>4</sup> The `Microsoft.Web/sites` resource type is used for App service and Azure functions. In the context of Azure AI Search, an Azure function is the more likely scenario. An Azure function is commonly used for hosting the logic of a custom skill. Azure Function has Consumption, Premium, and Dedicated [App Service hosting plans](../app-service/overview-hosting-plans.md). The [App Service Environment (ASE)](../app-service/environment/overview.md) and [Azure Kubernetes Service (AKS)](../aks/intro-kubernetes.md) aren't supported at this time.
+<sup>4</sup> The `Microsoft.Web/sites` resource type is used for App service and Azure functions. In the context of Azure AI Search, an Azure function is the more likely scenario. An Azure function is commonly used for hosting the logic of a custom skill. Azure Function has Consumption, Premium, and Dedicated [App Service hosting plans](../app-service/overview-hosting-plans.md). The [App Service Environment (ASE)](../app-service/environment/overview.md), [Azure Kubernetes Service (AKS)](../aks/intro-kubernetes.md) and [Azure API Management](../api-management/api-management-key-concepts.md) aren't supported at this time.
<sup>5</sup> See [Create a shared private link for a SQL Managed Instance](search-indexer-how-to-access-private-sql.md) for instructions.
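Review bot: the amended footnote 4 lists three unsupported hosts without a serial comma ("(ASE), [Azure Kubernetes Service (AKS)] and [Azure API Management]"); Microsoft style uses one, so add the comma before "and". While touching the line, the footnote also mixes "App service", "Azure functions" and "Azure Function" where the product names are "App Service" and "Azure Functions"; make the capitalization consistent in the same edit.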
search Search Security Rbac https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/search-security-rbac.md
Another combination of roles that provides full access is Contributor or Owner,
1. Select **+ Add** > **Add role assignment**.
- ![Access control (IAM) page with Add role assignment menu open.](../../includes/role-based-access-control/media/add-role-assignment-menu-generic.png)
+ ![Access control (IAM) page with Add role assignment menu open.](~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-menu-generic.png)
1. Select a role:
security Isolation Choices https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/security/fundamentals/isolation-choices.md
Microsoft Azure provides various cloud-based computing services that include a w
### Isolated Virtual Machine Sizes ### Dedicated hosts
security Key Management https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/security/fundamentals/key-management.md
# Key management in Azure In Azure, encryption keys can be either platform managed or customer managed.
sentinel Forescout https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/data-connectors/forescout.md
ForescoutEvent
> [!NOTE]
- > This data connector depends on a parser based on a Kusto Function to work as expected [**ForescoutEvent**](https://aka.ms/sentinel-forescout-parser) which is deployed with the Microsoft Sentinel Solution.
+ > This data connector depends on a parser based on a Kusto Function to work as expected [**ForescoutEvent**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Forescout%20(Legacy)/Parsers/ForescoutEvent.yaml) which is deployed with the Microsoft Sentinel Solution.
> [!NOTE]
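Review bot: the replacement link points at the raw file on the master branch of the Azure-Sentinel repository, so what a reader downloads is whatever is on master at that moment rather than the parser version that ships with the solution the note refers to; consider linking the solution's release or stating the parser version alongside the link. The path also identifies the "Forescout (Legacy)" solution while the note says only "the Microsoft Sentinel Solution", so name the Legacy solution explicitly. The sentence itself reads better with the parser named up front: "This data connector depends on the **ForescoutEvent** parser, a Kusto function that is deployed with the Microsoft Sentinel solution."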
sentinel Sentinel Solution https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/sentinel-solution.md
# Monitor Zero Trust (TIC 3.0) security architectures with Microsoft Sentinel This article describes how to use the Microsoft Sentinel **Zero Trust (TIC 3.0)** solution, which helps governance and compliance teams monitor and respond to Zero Trust requirements according to the [TRUSTED INTERNET CONNECTIONS (TIC) 3.0](https://www.cisa.gov/resources-tools/programs/trusted-internet-connections-tic) initiative.
service-bus-messaging Service Bus Filter Examples https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-bus-messaging/service-bus-filter-examples.md
Title: Set subscriptions filters in Azure Service Bus | Microsoft Docs description: This article provides examples for defining filters and actions on Azure Service Bus topic subscriptions. Previously updated : 02/23/2024 Last updated : 07/18/2024 ms.devlang: csharp
# Set subscription filters (Azure Service Bus) This article provides a few examples on setting filters on subscriptions for Service Bus topics. For conceptual information about filters, see [Filters](topic-filters.md).
+## Use Azure portal
+
+To set subscription filters in the Azure portal, use the **Filters** section of the **Service Bus Subscription** page.
++
+## Use Azure CLI
+
+Use the [`az servicebus topic subscription rule create`](/cli/azure/servicebus/topic/subscription/rule) to create a rule or filter on a subscription.
+
+## Use Azure PowerShell
+
+Use the [`Set-AzServiceBusRule`](/powershell/module/az.servicebus/set-azservicebusrule) to create a rule or filter on a subscription.
+
+> [!NOTE]
+> A subscription rule consists of filters and actions. You can specify actions using CLI and PowerShell, but not using the Azure portal.
++ ## Filter on system properties To refer to a system property in a filter, use the following format: `sys.<system-property-name>`.
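Review bot: the new Azure CLI and Azure PowerShell sections name the commands but give no invocation, so a reader still doesn't know which parameters carry the filter type, the SQL expression or the action; add one minimal call per section (a rule with a SQL filter and one with a correlation filter, mirroring the C# sample further down the page). The Azure portal section likewise says to use the **Filters** section without a navigation path to the **Service Bus Subscription** page, and the note that actions can't be set in the portal would be more useful placed inside that section rather than after the PowerShell one.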
Here's a .NET C# example that creates the following Service Bus entities:
- Subscription named `ColorRed` with a SQL filter expression `color='red'` and an action - Subscription named `HighPriorityRedOrders` with a correlation filter expression `Subject = "red", CorrelationId = "high"`
-See the inline code comments for more details.
+For more information, see the inline code comments.
```csharp namespace CreateTopicsAndSubscriptionsWithFilters
See the following samples:
- [Azure Resource Manager template](/azure/templates/microsoft.servicebus/2017-04-01/namespaces/topics/subscriptions/rules)
-Try the samples in the language of your choice to explore Azure Service Bus features.
+To explore Azure Service Bus features, try the samples in the language of your choice.
- [Azure Service Bus client library samples for .NET (latest)](/samples/azure/azure-sdk-for-net/azuremessagingservicebus-samples/) - [Azure Service Bus client library samples for Java (latest)](/samples/azure/azure-sdk-for-java/servicebus-samples/)
service-bus-messaging Service Bus Migrate Azure Credentials https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-bus-messaging/service-bus-migrate-azure-credentials.md
The following steps explain how to migrate an existing application to use passwo
For local development, make sure you're authenticated with the same Microsoft Entra account you assigned the role to for the Service Bus namespace. You can authenticate via the Azure CLI, Visual Studio, Azure PowerShell, or other tools such as IntelliJ. Next, update your code to use passwordless connections.
service-fabric How To Managed Cluster Modify Node Type https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-fabric/how-to-managed-cluster-modify-node-type.md
The cluster begins upgrading automatically. You see the additional nodes when co
You can choose to enable automatic OS image upgrades to the virtual machines running your managed cluster nodes. Although the virtual machine scale set resources are managed on your behalf with Service Fabric managed clusters, it's your choice to enable automatic OS image upgrades for your cluster nodes. As with [classic Service Fabric](service-fabric-best-practices-infrastructure-as-code.md#virtual-machine-os-automatic-upgrade-configuration) clusters, managed cluster nodes aren't upgraded by default, in order to prevent unintended disruptions to your cluster. > [!NOTE]
-> Automatic OS image upgrade is supported for both platform and gallery based OS images.
+> Automatic OS image upgrade is supported for both marketplace and custom images.
To enable automatic OS upgrades:
service-fabric Managed Cluster Deny Assignment https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-fabric/managed-cluster-deny-assignment.md
Previously updated : 08/18/2023 Last updated : 07/17/2024 # Deny assignment policy for Service Fabric managed clusters
-Deny assignment policies for Service Fabric managed clusters enable customers to protect the resources of their clusters. Deny assignments attach a set of deny actions to a user, group, or service principal at a particular scope to deny access. Limiting access to certain actions can help users from inadvertently damaging their clusters when they delete, deallocate restart, or reimage their clusters' scale set directly in the infrastructure resource group, which can cause the resources of the cluster to be unsynchronized with the data in the managed cluster.
+Deny assignment policies for Service Fabric managed clusters enable customers to protect their clusters' resources. Limiting access to certain actions can help users prevent inadvertent damage to their clusters when they delete, deallocate, restart, or reimage their clusters' scale sets. These actions, when done directly in the infrastructure resource group, can cause the resources of the cluster to desynchronize with the data in the cluster.
-All actions that are related to managed clusters should be done through the managed cluster resource APIs instead of directly against the infrastructure resource group. Using the resource APIs ensures the resources of the cluster are synchronized with the data in the managed cluster.
+Deny assignments deny access by attaching a set of deny actions to a user, group, or service principal at a particular scope. You can learn more about deny assignments in the [Azure role-based access control (RBAC) documentation](../role-based-access-control/deny-assignments.md).
-This feature ensures that the correct, supported APIs are used when performing delete operations to avoid any errors.
+This article pertains to Service Fabric managed clusters, but we make callouts when the information pertains to classic clusters as well.
-You can learn more about deny assignments in the [Azure role-based access control (RBAC) documentation](../role-based-access-control/deny-assignments.md).
+## Proper actions
+
+All actions related to managed clusters should be done through the managed cluster resource APIs instead of directly against the infrastructure resource group. Using the resource APIs ensures the resources of the cluster are synchronized with the data in the managed cluster.
+
+See the [Best practices section](#best-practices) for guidance on what tools to use to go through the proper resource APIs.
+
+## Blocked actions
+
+The following actions are blocked when using managed clusters and don't apply to classic clusters.
+
+* **VMSS deletes**
+ * "Microsoft.Compute/virtualMachineScaleSets/delete"
+* **VMSS reimages, restarts, deallocates**
+ * "Microsoft.Compute/virtualMachineScaleSets/reimage/action"
+ * "Microsoft.Compute/virtualMachineScaleSets/restart/action"
+ * "Microsoft.Compute/virtualMachineScaleSets/deallocate/action"
+* **VM deletes**
+ * "Microsoft.Compute/virtualMachineScaleSets/delete/action"
+* **Storage account writes and deletes**
+ * "Microsoft.Storage/storageAccounts/delete"
+ * "Microsoft.Storage/storageAccounts/write"
+* **Resource group delete**
+ * "Microsoft.Resources/subscriptions/resourceGroups/delete"
+* **Load balancer writes**
+ * "Microsoft.Network/loadBalancers/write"
## Best practices The following are some best practices to minimize the threat of desyncing your cluster's resources:+ * Instead of deleting virtual machine scale sets directly from the managed resource group, use NodeType level APIs to delete the NodeType or virtual machine scale set. Options include the Node blade on the Azure portal and [Azure PowerShell](/powershell/module/az.servicefabric/remove-azservicefabricmanagednodetype). * Use the correct APIs to restart or reimage your scale sets: * [Virtual machine scale set restarts](/powershell/module/az.servicefabric/restart-azservicefabricmanagednodetype) * [Virtual machine scale set reimage](/powershell/module/az.servicefabric/set-azservicefabricmanagednodetype)
+When managing resources in managed clusters, use ARM or ARM-backed tools to ensure the use of the proper resource APIs.
+
+| Utility | ARM or ARM-backed |
+| - | - |
+| [ARM and ARM templates](/azure/templates/microsoft.servicefabric/clusters?pivots=deployment-language-arm-template) | Yes |
+| [Bicep](/azure/templates/microsoft.servicefabric/clusters?pivots=deployment-language-bicep) | Yes |
+| [Azure portal](https://portal.azure.com) | Yes |
+| [Azure CLI](/cli/azure/sf?view=azure-cli-latest&preserve-view=true) | Yes |
+| [Azure PowerShell](/powershell/module/az.servicefabric/?view=azps-12.1.0&preserve-view=true) | Yes |
+| [Service Fabric PowerShell](/powershell/module/servicefabric/?view=azureservicefabricps&preserve-view=true) | **No** |
+| [sfctl](service-fabric-sfctl.md) | **No** |
+
+> [!IMPORTANT]
+> When managing resources in a **classic cluster** that were *created* by ARM or ARM-backed tools, continue to use those tools. There's risk of error when modifying the configuration of resources created in ARM with a non-ARM tool (for example, using Service Fabric PowerShell to update or delete a resource created in ARM).
+ ## Next steps * Learn more about [granting permission to access resources on managed clusters](how-to-managed-cluster-grant-access-other-resources.md)
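Review bot: under **VM deletes** the listed operation is `Microsoft.Compute/virtualMachineScaleSets/delete/action`, a scale set level operation that doesn't match the heading and largely duplicates `Microsoft.Compute/virtualMachineScaleSets/delete` under **VMSS deletes**; check the actual deny assignment and list the VM-level delete operation, or fold the bullet into the scale set one. In the utility table, the Azure PowerShell link pins `view=azps-12.1.0` with `preserve-view=true`, so it will point at a stale module version; use an unversioned link as the Azure CLI row does with `azure-cli-latest`. "ARM" is also used throughout the new text and the IMPORTANT box without being expanded; spell out Azure Resource Manager (ARM) on first use.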
site-recovery Azure To Azure How To Enable Replication Private Endpoints https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/azure-to-azure-how-to-enable-replication-private-endpoints.md
The following steps describe how to add a role assignment to your storage accoun
1. Select **Add > Add role assignment**.
- :::image type="content" source="../../includes/role-based-access-control/media/add-role-assignment-menu-generic.png" alt-text="Screenshot that shows Access control (IAM) page with Add role assignment menu open.":::
+ :::image type="content" source="~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-menu-generic.png" alt-text="Screenshot that shows Access control (IAM) page with Add role assignment menu open.":::
1. On the **Role** tab, select one of the roles listed in the beginning of this section.
site-recovery Hybrid How To Enable Replication Private Endpoints https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/hybrid-how-to-enable-replication-private-endpoints.md
The following steps describe how to add a role assignment to your storage accoun
1. Select **Access control (IAM)**. 1. Select **Add > Add role assignment**.
- :::image type="content" source="../../includes/role-based-access-control/media/add-role-assignment-menu-generic.png" alt-text="Screenshot that shows Access control (IAM) page with Add role assignment menu open.":::
+ :::image type="content" source="~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-menu-generic.png" alt-text="Screenshot that shows Access control (IAM) page with Add role assignment menu open.":::
1. On the **Role** tab, select one of the roles listed in the beginning of this section. 1. On the **Members** tab, select **Managed identity**, and then select **Select members**.
site-recovery Vmware Azure Multi Tenant Csp Disaster Recovery https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/vmware-azure-multi-tenant-csp-disaster-recovery.md
The following steps describe how to assign a role to a user. For detailed steps,
1. Select **Add** > **Add role assignment**.
- :::image type="content" source="../../includes/role-based-access-control/media/add-role-assignment-menu-generic.png" alt-text="Screenshot that shows Access control (IAM) page with Add role assignment menu open.":::
+ :::image type="content" source="~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-menu-generic.png" alt-text="Screenshot that shows Access control (IAM) page with Add role assignment menu open.":::
1. On the **Role** tab, select a role.
The following steps describe how to assign a role to a user. For detailed steps,
Site Recovery also has three [predefined user roles](site-recovery-role-based-linked-access-control.md), that can be used to further restrict access levels as required.
- :::image type="content" source="../../includes/role-based-access-control/media/add-role-assignment-role-generic.png" alt-text="Screenshot that shows Add role assignment page with the Role tab selected.":::
+ :::image type="content" source="~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-role-generic.png" alt-text="Screenshot that shows Add role assignment page with the Role tab selected.":::
1. On the **Members** tab, select **User, group, or service principal**, and then select a user with the relevant access level. The users that were created through the CSP portal are displayed here.
spring-apps Tutorial Managed Identities Functions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/tutorial-managed-identities-functions.md
By default, functions use key-based authentication to secure HTTP endpoints. To
} ```
-For more information, see the [Secure an HTTP endpoint in production](../../azure-functions/functions-bindings-http-webhook-trigger.md#secure-an-http-endpoint-in-production) section of [Azure Functions HTTP trigger](../../azure-functions/functions-bindings-http-webhook-trigger.md).
+For more information, see the [Secure HTTP endpoints](../../azure-functions/security-concepts.md#secure-http-endpoints) section of [Securing Azure Functions](../../azure-functions/security-concepts.md).
Use the following command to publish the app to the instance created in the previous step:
storage Migrate Gen2 Wandisco Live Data Platform https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/migrate-gen2-wandisco-live-data-platform.md
LiveData Plane for Azure consistently replicates data changes across all environ
## Test drive or Trial
-From [LiveData Platform for Azure's Marketplace page](https://azuremarketplace.microsoft.com/marketplace/apps/wandisco.ldma?tab=Overview), you have two options:
+From [LiveData Platform for Azure's Marketplace page](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/wandisco.livedata-pipeline-azure-mp?tab=Overview), you have two options:
- The **Get It Now** button launches the service in your subscription. From there, you may use your own Hadoop cluster or WANdisco's Trial cluster.
From [LiveData Platform for Azure's Marketplace page](https://azuremarketplace.m
## Next Steps -- [Plan and create a migration in LiveData Migrator for Azure](https://azuremarketplace.microsoft.com/marketplace/apps/wandisco.ldma).
+- [Plan and create a migration in LiveData Migrator for Azure](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/wandisco.livedata-pipeline-azure-mp?tab=Overview).
## See also -- [LiveData Migrator for Azure on Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/wandisco.ldma?tab=Overview)
+- [LiveData Migrator for Azure on Azure Marketplace](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/wandisco.livedata-pipeline-azure-mp?tab=Overview)
-- [LiveData Migrator for Azure plans and pricing](https://azuremarketplace.microsoft.com/marketplace/apps/wandisco.ldma?tab=PlansAndPricee)
+- [LiveData Migrator for Azure plans and pricing](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/wandisco.livedata-pipeline-azure-mp?tab=Overview)
- [LiveData Platform for Azure Frequently Asked Questions](https://docs.wandisco.com/live-data-platform/docs/faq/)
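Review bot: the "plans and pricing" link in the See also list now carries `?tab=Overview`, so the link text no longer matches its destination (the removed URL targeted a plans tab, albeit misspelled as `PlansAndPricee`); point it at the plans tab or retitle the link. All of the new Marketplace URLs also hard-code the `en-us` locale segment that the previous URLs omitted; locale-neutral links let Marketplace serve the reader's language. With the Next Steps and See also entries now resolving to the same page, one of them is redundant.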
storage Migrate Azure Credentials https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/common/migrate-azure-credentials.md
## Sign-in and migrate the app code to use passwordless connections Next, update your code to use passwordless connections.
Once your application is configured to use passwordless connections and runs loc
### Create the managed identity #### Associate the managed identity with your web app
Complete the following steps in the Azure portal to associate an identity with y
# [Azure CLI](#tab/azure-cli-associate) # [Service Connector](#tab/service-connector-associate)
If you connected your services using Service Connector you don't need to complet
### Test the app
storage Files Nfs Protocol https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/files/files-nfs-protocol.md
The status of items that appear in this table might change over time as support
## Regional availability ## Performance
storage Storage Files How To Mount Nfs Shares https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/files/storage-files-how-to-mount-nfs-shares.md
Azure file shares can be mounted in Linux distributions using either the Server
### Regional availability ## Prerequisites
storage Passwordless Migrate Queues https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/queues/passwordless-migrate-queues.md
Passwordless connections can be configured to work for both local and Azure-host
### Sign-in to Azure locally ### Update the application code to use passwordless connections
Once your application is configured to use passwordless connections and runs loc
### Create the managed identity #### Associate the managed identity with your web app
Complete the following steps in the Azure portal to associate an identity with y
# [Azure CLI](#tab/azure-cli-associate) # [Service Connector](#tab/service-connector-associate)
If you connected your services using Service Connector you don't need to complet
### Test the app
storage Storage Quickstart Queues Dotnet https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/queues/storage-quickstart-queues-dotnet.md
These example code snippets show you how to perform the following actions with t
### Authorize access and create a client object Once authenticated, you can create and authorize a `QueueClient` object using `DefaultAzureCredential` to access queue data in the storage account. `DefaultAzureCredential` automatically discovers and uses the account you signed in with in the previous step.
storage Partner Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/solution-integration/validated-partners/analytics/partner-overview.md
This article highlights Microsoft partner companies that are integrated with Azu
![Striim company logo](./media/striim-logo.png) |**Striim**<br>Striim enables continuous data movement and in-stream transformations from a wide variety of sources into multiple Azure solutions including Azure Synapse Analytics, Azure Cosmos DB, and Azure cloud databases. The Striim solution enables Azure Data Lake Storage customers to quickly build streaming data pipelines. Customers can choose their desired data latency (real-time, micro-batch, or batch) and enrich the data with more context. These pipelines can then support any application or big data analytics solution, including Azure SQL Data Warehouse and Azure Databricks. |[Partner ](https://www.striim.com/partners/striim-and-microsoft-azure/)<br>[Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/striim.azurestorageintegration?tab=overview)| ![Talend company logo](./media/talend-logo.png) |**Talend**<br>Talend Data Fabric is a platform that brings together multiple integration and governance capabilities. Using a single unified platform, Talend delivers complete, clean, and uncompromised data in real time. The Talend Trust Score helps assess the reliability of any data set. |[Partner page](https://www.talend.com/partners/microsoft-azure/)<br>[Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/talend.talendclouddi)| ![Unravel](./media/unravel-logo.png) |**Unravel Data**<br>Unravel Data provides observability and automatic management through a single pane of glass. AI-powered recommendations proactively improve reliability, speed, and resource allocations of your data pipelines and jobs. Unravel connects easily with Azure Databricks, HDInsight, Azure Data Lake Storage, and more through the Azure Marketplace or Unravel SaaS service. Unravel Data also helps migrate to Azure by providing an assessment of your environment. 
This assessment uncovers usage details, dependency maps, cost, and effort needed for a fast move with less risk.|[Partner page](https://www.unraveldata.com/azure-databricks/)<br>[Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/unravel-data.unravel4databrickssubscriptionasaservice?tab=Overview)
-|![Wandisco company logo](./medi) is tightly integrated with Azure. Besides having an Azure portal deployment experience, it also uses role-based access control, Microsoft Entra ID, Azure Policy enforcement, and Activity log integration. With Azure Billing integration, you don't need to add a vendor contract or get more vendor approvals.<br><br>Accelerate the replication of Hadoop data between multiple sources and targets for any data architecture. With LiveData Cloud Services, your data will be available for Azure Databricks, Synapse Analytics, and HDInsight as soon as it lands, with guaranteed 100% data consistency. |[Partner page](https://www.wandisco.com/microsoft/)<br>[Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/wandisco.ldma?tab=Overview)|
+|![Wandisco company logo](./media/wandisco-logo.jpg) |**WANdisco**<br>WANdiscoΓÇÖs migration engine lets you migrate Hadoop data to Data Lake Storage while it remains in active use at any scale, with zero downtime and zero data loss.<br><br>Developed in partnership with Microsoft, [WANdisco LiveData Platform for Azure](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/wandisco.livedata-pipeline-azure-mp?tab=Overview) is tightly integrated with Azure. Besides having an Azure portal deployment experience, it also uses role-based access control, Microsoft Entra ID, Azure Policy enforcement, and Activity log integration. With Azure Billing integration, you don't need to add a vendor contract or get more vendor approvals.<br><br>Accelerate the replication of Hadoop data between multiple sources and targets for any data architecture. With LiveData Cloud Services, your data will be available for Azure Databricks, Synapse Analytics, and HDInsight as soon as it lands, with guaranteed 100% data consistency. |[Partner page](https://www.wandisco.com/microsoft/)<br>[Azure Marketplace](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/wandisco.livedata-pipeline-azure-mp?tab=Overview)|
Are you a storage partner but your solution is not listed yet? Send us your info [here](https://forms.office.com/pages/responsepage.aspx?id=v4j5cvGGr0GRqy180BHbR3i8TQB_XnRAsV3-7XmQFpFUQjY4QlJYUzFHQ0ZBVDNYWERaUlNRVU5IMyQlQCN0PWcu). ## Next steps
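Review bot: the added WANdisco row contains a mis-encoded apostrophe in "WANdiscoΓÇÖs"; replace it with a plain ASCII apostrophe so the table cell renders correctly. The row's two Marketplace links hard-code the `en-us` locale segment, unlike the other partner links in the same table, which are locale-neutral. The removed line is truncated in this view ("./medi) is tightly ..."), so the logo path change itself can't be confirmed from the diff as shown.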
stream-analytics Azure Data Explorer Managed Identity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/stream-analytics/azure-data-explorer-managed-identity.md
For the Stream Analytics job to access your Azure Data Explorer cluster using ma
| Assign access to | User, group, or service principal | | Members | \<Name of your Stream Analytics job> |
- ![Screenshot that shows Add role assignment page in Azure portal.](../../includes/role-based-access-control/media/add-role-assignment-page.png)
+ ![Screenshot that shows Add role assignment page in Azure portal.](~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-page.png)
> [!NOTE] > Due to global replication or caching latency, there may be a delay when permissions are revoked or granted. Changes should be reflected within 8 minutes.
stream-analytics Blob Output Managed Identity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/stream-analytics/blob-output-managed-identity.md
Unless you need the job to create containers on your behalf, you should choose *
| Assign access to | User, group, or service principal | | Members | \<Name of your Stream Analytics job> |
- ![Screenshot that shows Add role assignment page in Azure portal.](../../includes/role-based-access-control/media/add-role-assignment-page.png)
+ ![Screenshot that shows Add role assignment page in Azure portal.](~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-page.png)
#### Account level access
Unless you need the job to create containers on your behalf, you should choose *
| Assign access to | User, group, or service principal | | Members | \<Name of your Stream Analytics job> |
- ![Screenshot that shows Add role assignment page in Azure portal.](../../includes/role-based-access-control/media/add-role-assignment-page.png)
+ ![Screenshot that shows Add role assignment page in Azure portal.](~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-page.png)
### Grant access via the command line
stream-analytics Event Hubs Managed Identity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/stream-analytics/event-hubs-managed-identity.md
For the Stream Analytics job to access your event hub using managed identity, th
| Assign access to | User, group, or service principal | | Members | \<Name of your Stream Analytics job> |
- ![Screenshot that shows Add role assignment page in Azure portal.](../../includes/role-based-access-control/media/add-role-assignment-page.png)
+ ![Screenshot that shows Add role assignment page in Azure portal.](~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-page.png)
You can also grant this role at the Event Hubs Namespace level, which will naturally propagate the permissions to all event hubs created under it. That is, all event hubs under a Namespace can be used as a managed-identity-authenticating resource in your Stream Analytics job.
stream-analytics Service Bus Managed Identity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/stream-analytics/service-bus-managed-identity.md
For the Stream Analytics job to access your Service Bus using managed identity,
| Assign access to | User, group, or service principal | | Members | \<Name of your Stream Analytics job> |
- ![Screenshot that shows Add role assignment page in Azure portal.](../../includes/role-based-access-control/media/add-role-assignment-page.png)
+ ![Screenshot that shows Add role assignment page in Azure portal.](~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-page.png)
> [!NOTE] > Due to global replication or caching latency, there may be a delay when permissions are revoked or granted. Changes should be reflected within 8 minutes.
stream-analytics Stream Analytics How To Configure Azure Machine Learning Endpoints In Stream Analytics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/stream-analytics/stream-analytics-how-to-configure-azure-machine-learning-endpoints-in-stream-analytics.md
Last updated 06/11/2019
# Machine Learning Studio (classic) integration in Stream Analytics Azure Stream Analytics supports user-defined functions (UDFs) that call out to Azure Machine Learning Studio (classic) endpoints. The [Stream Analytics REST API library](/rest/api/streamanalytics/) describes REST API support for this feature.
stream-analytics Stream Analytics Machine Learning Integration Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/stream-analytics/stream-analytics-machine-learning-integration-tutorial.md
Last updated 08/12/2020
# Do sentiment analysis with Azure Stream Analytics and Machine Learning Studio (classic) This article shows you how to set up a simple Azure Stream Analytics job that uses Machine Learning Studio (classic) for sentiment analysis. You use a Studio (classic) sentiment analytics model from the Cortana Intelligence Gallery to analyze streaming text data and determine the sentiment score.
stream-analytics Stream Analytics Scale With Machine Learning Functions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/stream-analytics/stream-analytics-scale-with-machine-learning-functions.md
Last updated 01/15/2021
> [!TIP] > It is highly recommended to use [Azure Machine Learning UDFs](machine-learning-udf.md) instead of Machine Learning Studio (classic) UDF for improved performance and reliability. This article discusses how to efficiently scale Azure Stream Analytics jobs that use Machine Learning Studio (classic) functions. For information on how to scale Stream Analytics jobs in general see the article [Scaling jobs](stream-analytics-scale-jobs.md).
synapse-analytics Get Started Add Admin https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/get-started-add-admin.md
So far in the get started guide, we've focused on activities *you* do in the wor
| Assign access to | USER | | Member | ryan@contoso.com |
- ![Add role assignment page in Azure portal.](../../includes/role-based-access-control/media/add-role-assignment-page.png)
+ ![Add role assignment page in Azure portal.](~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-page.png)
1. Select **Save**.
Assign to `ryan@contoso.com` to the **Synapse Administrator** role on the worksp
| Assign access to | USER | | Member | ryan@contoso.com |
- ![Add role assignment page in Azure portal.](../../includes/role-based-access-control/media/add-role-assignment-page.png)
+ ![Add role assignment page in Azure portal.](~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-page.png)
## Dedicated SQL pools: db_owner role
synapse-analytics Quickstart Create Workspace https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/quickstart-create-workspace.md
After your Azure Synapse workspace is created, you have two ways to open Synapse
| Assign access to | USER | | Members | your user name |
- ![Add role assignment page in Azure portal.](../../includes/role-based-access-control/media/add-role-assignment-page.png)
+ ![Add role assignment page in Azure portal.](~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-page.png)
1. On the left pane, select **Containers** and create a container. 1. You can give the container any name. In this document, we'll name the container **users**. 1. Accept the default setting **Public access level**, and then select **Create**.
Managed identities for your Azure Synapse workspace might already have access to
> [!NOTE] > The managed identity name is also the workspace name.
- ![Add role assignment page in Azure portal.](../../includes/role-based-access-control/media/add-role-assignment-page.png)
+ ![Add role assignment page in Azure portal.](~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-page.png)
1. Select **Save**. ## Next steps
synapse-analytics How To Grant Workspace Managed Identity Permissions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/security/how-to-grant-workspace-managed-identity-permissions.md
Select that same container or file system to grant the *Storage Blob Data Contri
> [!NOTE] > The managed identity name is also the workspace name.
- :::image type="content" source="../../../includes/role-based-access-control/media/add-role-assignment-page.png" alt-text="Screenshot of the add role assignment page in the Azure portal.":::
+ :::image type="content" source="~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-page.png" alt-text="Screenshot of the add role assignment page in the Azure portal.":::
1. Select **Save** to add the role assignment.
synapse-analytics How To Set Up Access Control https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/security/how-to-set-up-access-control.md
Identify the following information about your storage:
| Assign access to |SERVICEPRINCIPAL | | Members |workspace1_SynapseAdministrators, workspace1_SynapseContributors, and workspace1_SynapseComputeOperators|
- ![Add role assignment page in Azure portal.](../../../includes/role-based-access-control/media/add-role-assignment-page.png)
+ ![Add role assignment page in Azure portal.](~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-page.png)
## Step 3: Create and configure your Synapse workspace
To run pipelines and perform system tasks, Azure Synapse requires managed servic
> [!NOTE] > The managed identity name is also the workspace name.
- ![Add role assignment page in Azure portal.](../../../includes/role-based-access-control/media/add-role-assignment-page.png)
+ ![Add role assignment page in Azure portal.](~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-page.png)
## Step 5: Grant Synapse administrators an Azure Contributor role for the workspace
To create SQL pools, Apache Spark pools and Integration runtimes, users need an
| Assign access to | SERVICEPRINCIPAL | | Members | workspace1_SynapseAdministrators |
- ![Add role assignment page in Azure portal.](../../../includes/role-based-access-control/media/add-role-assignment-page.png)
+ ![Add role assignment page in Azure portal.](~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-page.png)
## Step 6: Assign an SQL Active Directory Admin role
synapse-analytics Apache Spark 24 Runtime https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/spark/apache-spark-24-runtime.md
Azure Synapse Analytics supports multiple runtimes for Apache Spark. This docume
> [!CAUTION] > Deprecation and disablement notification for Azure Synapse Runtime for Apache Spark 2.4
-> * Effective July 23, 2024, **disablement** of jobs running on Azure Synapse Runtime for Apache Spark 2.4 will be executed. **Immediately** migrate to higher runtime versions otherwise your jobs will stop executing.
-> * **All Spark jobs running on Azure Synapse Runtime for Apache Spark 2.4 will be disabled as of July 23, 2024.**
-> * Effective September 29, 2023, Azure Synapse will discontinue official support for Spark 2.4 Runtimes.
-> * Post September 29, we will not be addressing any support tickets related to Spark 2.4. There will be no release pipeline in place for bug or security fixes for Spark 2.4. Utilizing Spark 2.4 post the support cutoff date is undertaken at one's own risk. We strongly discourage its continued use due to potential security and functionality concerns.
-> * Recognizing that certain customers may need additional time to transition to a higher runtime version, we are temporarily extending the usage option for Spark 2.4, but we will not provide any official support for it.
-> * **We strongly advise proactively upgrading workloads to a more recent version of the runtime (e.g., [Azure Synapse Runtime for Apache Spark 3.4 (GA)](./apache-spark-34-runtime.md)).**
+> * Effective August 15, 2024, **disablement** of jobs running on Azure Synapse Runtime for Apache Spark 2.4 will be executed. **Immediately** migrate to higher runtime versions otherwise your jobs will stop executing.
+> * **All Spark jobs running on Azure Synapse Runtime for Apache Spark 2.4 will be disabled as of August 15, 2024.**
+* Effective September 29, 2023, Azure Synapse will discontinue official support for Spark 2.4 Runtimes.
+* Post September 29, we will not be addressing any support tickets related to Spark 2.4. There will be no release pipeline in place for bug or security fixes for Spark 2.4. Utilizing Spark 2.4 post the support cutoff date is undertaken at one's own risk. We strongly discourage its continued use due to potential security and functionality concerns.
+* Recognizing that certain customers may need additional time to transition to a higher runtime version, we are temporarily extending the usage option for Spark 2.4, but we will not provide any official support for it.
+* **We strongly advise proactively upgrading workloads to a more recent version of the runtime (e.g., [Azure Synapse Runtime for Apache Spark 3.4 (GA)](./apache-spark-34-runtime.md)).**
## Component versions
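Review bot: the last four replacement bullets (`+* Effective September 29, 2023 ...` through `+* **We strongly advise ...**`) drop the `>` prefix that the two bullets above them keep, so they fall out of the `[!CAUTION]` block and render as a plain list after the callout; prefix them with `> ` so the whole notice stays inside it. The date change from July 23 to August 15, 2024 is applied consistently in both disablement bullets.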
synapse-analytics Microsoft Spark Utilities https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/spark/microsoft-spark-utilities.md
Follow these steps to make sure your Microsoft Entra ID and workspace MSI have a
> [!NOTE] > The managed identity name is also the workspace name.
- ![Add role assignment page in Azure portal.](../../../includes/role-based-access-control/media/add-role-assignment-page.png)
+ ![Add role assignment page in Azure portal.](~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-page.png)
1. Select **Save**.
synapse-analytics Quickstart Bulk Load Copy Tsql Examples https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/sql-data-warehouse/quickstart-bulk-load-copy-tsql-examples.md
Managed Identity authentication is required when your storage account is attache
| Assign access to | SERVICEPRINCIPAL | | Members | server or workspace hosting your dedicated SQL pool that you've registered with Microsoft Entra ID |
- ![Add role assignment page in Azure portal.](../../../includes/role-based-access-control/media/add-role-assignment-page.png)
+ ![Add role assignment page in Azure portal.](~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-page.png)
> [!NOTE]
Managed Identity authentication is required when your storage account is attache
| Assign access to | USER | | Members | Microsoft Entra user |
- ![Add role assignment page in Azure portal.](../../../includes/role-based-access-control/media/add-role-assignment-page.png)
+ ![Add role assignment page in Azure portal.](~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-page.png)
> [!IMPORTANT] > Specify the **Storage** **Blob Data** Owner, Contributor, or Reader Azure role. These roles are different than the Azure built-in roles of Owner, Contributor, and Reader.
synapse-analytics Synapse Service Identity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/synapse-service-identity.md
To grant permissions, follow these steps. For detailed steps, see [Assign Azure
1. Select **Add** > **Add role assignment**.
- :::image type="content" source="../../includes/role-based-access-control/media/add-role-assignment-menu-generic.png" alt-text="Screenshot that shows Access control (IAM) page with Add role assignment menu open.":::
+ :::image type="content" source="~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-menu-generic.png" alt-text="Screenshot that shows Access control (IAM) page with Add role assignment menu open.":::
1. On the **Members** tab, select **Managed identity**, and then select **Select members**.
traffic-manager Traffic Manager Use Azure App Service https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/traffic-manager/traffic-manager-use-azure-app-service.md
+
+ Title: Use Azure App Service with Azure Traffic Manager
+description: Learn how to use Azure App Service with Azure Traffic Manager.
++++ Last updated : 07/17/2024++++
+# Use Azure App Service with Azure Traffic Manager
+
+Azure App Service is a fully managed platform as a service (PaaS) offering that allows developers to quickly build, deploy, and scale web, mobile, and API applications without worrying about the underlying infrastructure. Azure Traffic Manager can be used with Azure App Service to control how requests from web clients are distributed to apps in Azure App Service.
+
+## Scenarios for using Azure Traffic Manager with Azure App Service
+
+* **High availability**: Azure Traffic Manager can help ensure that your app is always available by directing traffic to a healthy instance of your app in the event of an outage or other issue.
+* **Geographic distribution**: If you have apps in different geographic locations, you can use Azure Traffic Manager to direct users to the closest app in terms of the lowest network latency.
+* **Load balancing**: Azure Traffic Manager can distribute traffic across a set of apps, either evenly or according to weights, which you define.
+
+By using Azure Traffic Manager with Azure App Service, you can ensure that your app is always available, provide better user experience by directing users to the closest app, and distribute traffic across a set of apps.
+
+## Considerations when using Azure Traffic Manager with Azure App Service
+
+* For app-only deployments within the same region, App Service already provides failover and round-robin functionality without regard to app mode.
+* For deployments in the same region that use App Service in conjunction with another Azure cloud service, you can combine both types of endpoints to enable hybrid scenarios.
+* You can only specify one App Service endpoint per region in a profile.
+* When you select an app as an endpoint for one region, the remaining apps in that region become unavailable for selection for that profile.
+
+## Process overview: Steps to use Azure Traffic Manager with Azure App Service
+
+1. [Create an Azure App Service](../app-service/getting-started.md): Start by creating an Azure App Service. This will host your web, mobile, or API application. The following example is a Dotnet 8.0 web app.
+
+ ![A screenshot of the app service.](media/traffic-manager-use-azure-app-service/create-app-service.png)
+2. Create an Azure Traffic Manager Profile: In the Azure portal, create a new Traffic Manager profile. Choose the routing method that best suits your needs (Priority, Weighted, Performance, Geographic).
+
+ <br><img src="./media/traffic-manager-use-with-app-gateway/create-profile.png" alt="A screenshot of creating a traffic manager profile." width="60%">
+3. [Add an endpoint](quickstart-create-traffic-manager-profile.md#add-traffic-manager-endpoints) to your Traffic Manager profile: Add your Azure App Service as an endpoint in your Traffic Manager profile. Remember, you can only specify one App Service endpoint per region in a profile.
+
+ ![A screenshot of the adding a traffic manager endpoint.](media/traffic-manager-use-azure-app-service/add-endpoint.png)
+4. [Configure Endpoint Weights or Priorities](traffic-manager-routing-methods.md): If youΓÇÖre using the [weighted](traffic-manager-configure-weighted-routing-method.md) or [priority](traffic-manager-configure-priority-routing-method.md) routing methods, configure the weights or priorities of your endpoints.
+5. Test Your Setup: Use different devices or services to send requests to your Traffic Manager profileΓÇÖs DNS name. Verify that the requests are routed to the expected endpoint. The following example displays a web app request.
+
+ ![A screenshot of testing the web app.](media/traffic-manager-use-azure-app-service/test-web-app.png)
+
+Remember to monitor the health of your endpoints and adjust your Traffic Manager configuration as needed to ensure high availability, optimal geographic distribution, and effective load balancing.
+
+> [!NOTE]
+> If your web app uses SSL (settings > certificates), you can enable SSL on the **trafficmanager.net** domain by adding a binding for **trafficmanager.net** under **settings > custom domains** for the web app.
+
+## Next steps
+
+- Learn about [weighted traffic routing method](traffic-manager-configure-weighted-routing-method.md).
+- Learn about [priority routing method](traffic-manager-configure-priority-routing-method.md).
+- Learn about [geographic routing method](traffic-manager-configure-geographic-routing-method.md).
+- Learn how to [test Traffic Manager settings](traffic-manager-testing-settings.md).
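Review bot: the step 2 screenshot in the process list points at `./media/traffic-manager-use-with-app-gateway/create-profile.png`, the Application Gateway article's media folder, while every other image in this article lives under `media/traffic-manager-use-azure-app-service/`; either copy the image into this article's folder or confirm the cross-article path is intended. That line is also the only raw `<br><img ... width="60%">` in the list; a markdown image like the other steps would be consistent and avoids relying on inline HTML. Minor: "Dotnet 8.0" in step 1 should read ".NET 8.0".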
traffic-manager Traffic Manager Use With Application Gateway https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/traffic-manager/traffic-manager-use-with-application-gateway.md
+
+ Title: Use Azure App Gateway with Azure Traffic Manager
+description: This article explains how to use Azure App Gateway with Azure Traffic Manager.
++++ Last updated : 07/17/2024++++
+# Use Azure App Gateway with Azure Traffic Manager
+
+Azure Traffic Manager and [Azure Application Gateway](../application-gateway/overview.md) can be used together to provide global load balancing and failover capabilities for your web applications. Azure Traffic Manager uses DNS-based routing to distribute incoming traffic across multiple regions, while Azure Application Gateway provides application-level routing and load balancing within a region.
+
+## Scenarios for using Azure App Gateway with Azure Traffic Manager
+
+* **Improve application performance**: By using Azure Traffic Manager to route traffic to the closest Azure Application Gateway, you can reduce latency and improve application performance for your users.
+* **Increase application availability**: By using Azure Traffic Manager to distribute traffic across multiple Azure Application Gateways, you can ensure that your application remains available even if one or more gateways become unavailable.
+* **Scale your application**: By using Azure Application Gateway to load balance traffic within a region, you can scale your application horizontally to handle increased traffic.
+* **Secure your application**: By using Azure Application Gateway to terminate SSL/TLS connections and protect against web attacks, you can secure your application from external threats.
+
+## Process overview: How to use Azure App Gateway with Azure Traffic Manager
+
+1. [Create an Azure Traffic Manager profile](quickstart-create-traffic-manager-profile.md): Start by creating an Azure Traffic Manager profile. Configure it to use the desired traffic routing method (priority, weighted, performance, or geographic).
+
+ <br><img src="./media/traffic-manager-use-with-app-gateway/create-profile.png" alt="A screenshot of creating a traffic manager profile." width="60%">
+2. [Create an Azure Application Gateway](../application-gateway/quick-create-portal.md): Next, create an Azure Application Gateway. Configure it to use the desired backend pool and routing rules.
+
+ ![A screenshot of creating an application gateway.](media/traffic-manager-use-with-app-gateway/create-app-gateway.png)
+3. Copy the Azure Application Gateway [frontend public IP address](../application-gateway/application-gateway-components.md#frontend-ip-addresses) and then use this IP address to [add an endpoint](quickstart-create-traffic-manager-profile.md#add-traffic-manager-endpoints) to your Azure Traffic Manager profile.
+
+ ![A screenshot of the application gateway frontend configuration.](media/traffic-manager-use-with-app-gateway/app-gateway-frontend.png)
+
+ ![A screenshot of adding an endpoint to the traffic manager profile.](media/traffic-manager-use-with-app-gateway/add-endpoint.png)
+4. Test Your Setup: Finally, test the configuration by accessing the Azure Traffic Manager DNS name from a web browser. This will help ensure that traffic is being correctly routed and is load balanced. In the following example, the application gateway backend target is a web server.
+
+ ![A screenshot of the DNS name for the traffic manager profile.](media/traffic-manager-use-with-app-gateway/dns-name.png)
+
+ ![A screenshot of testing the traffic manager connection.](media/traffic-manager-use-with-app-gateway/test-connection.png)
+
+By using Azure Traffic Manager with Azure Application Gateway, you can achieve high availability and scalability for your web applications across multiple regions. This combination of services can help you to improve application performance, increase application availability, scale your application, and secure your application.
+
+Remember to monitor the health of your endpoints and adjust your Traffic Manager and Application Gateway configurations as needed to ensure high availability, optimal geographic distribution, and effective load balancing.
+
+## Next steps
+
+- Learn about [weighted traffic routing method](traffic-manager-configure-weighted-routing-method.md).
+- Learn about [priority routing method](traffic-manager-configure-priority-routing-method.md).
+- Learn about [geographic routing method](traffic-manager-configure-geographic-routing-method.md).
+- Learn how to [test Traffic Manager settings](traffic-manager-testing-settings.md).
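Review bot: step 3 says to copy the Application Gateway frontend public IP address and "use this IP address" to add the endpoint, but does not say which endpoint type to pick; a Traffic Manager Azure endpoint targets the public IP address resource, and that resource must have a DNS name label before Traffic Manager will accept it, so the step should state that prerequisite. In the "Secure your application" bullet, "protect against web attacks" describes the Web Application Firewall, which is only part of the WAF SKU, so say that rather than implying every Application Gateway provides it. Step 1 uses the same raw `<br><img ... width="60%">` tag as the sibling App Service article; a markdown image would match the other screenshots.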
update-manager Guidance Migration Azure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/update-manager/guidance-migration-azure.md
As a first step in MCM user's journey towards Azure Update Manager, you need to
### Prerequisites for Azure Update Manager and MCM co-existence -- Ensure that the Auto updates are disabled on the machine. For more information, see [Manage additional Windows Update- Windows Deployment](https://learn.microsoft.com/windows/deployment/update/waas-wu-settings#configuring-automatic-updates-by-editing-the-registry).
+- Ensure that the Auto updates are disabled on the machine. For more information, see [Manage additional Windows Update- Windows Deployment](/windows/deployment/update/waas-wu-settings#configuring-automatic-updates-by-editing-the-registry).
Ensure that the registry path *HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU, NoAutoUpdate* is set to 1. - Azure Update Manager can get updates from WSUS server and for this, ensure to configure WSUS server as part of SCCM. - Ensure that the WSUS server has enough space.
- - Ensure to update language option to download the packages in WSUS config. We recommend that you select the languages that are required. For more information, see [Step 2 - Configure WSUS](https://learn.microsoft.com/windows-server/administration/windows-server-update-services/deploy/2-configure-wsus#to-configure-wsus).
+ - Ensure to update language option to download the packages in WSUS config. We recommend that you select the languages that are required. For more information, see [Step 2 - Configure WSUS](/windows-server/administration/windows-server-update-services/deploy/2-configure-wsus#to-configure-wsus).
- Ensure to create a rule for auto approving updates in WSUS to download the applicable packages on the WSUS server so that Azure Update Manager can get the updates from this WSUS server. - Select classifications you want as per your requirements or keep them same as selected in SCCM. - Select products as per requirements or keep them same as selected in SCCM.
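Review bot: the link-target change to site-relative `/windows/deployment/...` and `/windows-server/...` paths is correct, but since both lines are being rewritten anyway, fix the wording in the same pass: "Ensure that the Auto updates are disabled" reads better as "Ensure that automatic updates are disabled", and "Ensure to update language option to download the packages in WSUS config" as "In the WSUS configuration, update the language option so that the required packages are downloaded". The link text "Manage additional Windows Update- Windows Deployment" also has a stray space before the hyphen.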
update-manager Support Matrix https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/update-manager/support-matrix.md
The following table lists the operating systems supported on [Azure Arc-enabled
| Debian 10 and 11| | Rocky Linux 8|
+# [Windows IoT on Arc enabled IaaS VMs](#tab/winio-arc)
+
+ - Windows 10 IoT Enterprise LTSC 2021
+ - Windows 10 IoT Enterprise LTSC 2019
+ - Windows 11 IoT Enterprise, version 23H2
+ - Windows 11 IoT Enterprise LTSC 2024
+ ## Unsupported workloads
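Review bot: in the new `Windows IoT on Arc enabled IaaS VMs` tab the bullet list runs straight into `## Unsupported workloads` with no blank line, and no tab-group terminator appears between them in this hunk; add a blank line after the last bullet and confirm the tab group is closed before the heading so that "Unsupported workloads" is not rendered inside the tab. The heading line also carries a leading space that the other heading lines do not.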
virtual-machine-scale-sets Disk Encryption Key Vault https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machine-scale-sets/disk-encryption-key-vault.md
You may also, if you wish, generate or import a key encryption key (KEK).
The steps in this article can be completed with the [Azure CLI](/cli/azure/), the [Azure PowerShell Az module](/powershell/azure/), or the [Azure portal](https://portal.azure.com). ## Next steps
virtual-machine-scale-sets Virtual Machine Scale Sets Set Upgrade Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machine-scale-sets/virtual-machine-scale-sets-set-upgrade-policy.md
If using a rolling upgrade policy, see [configure rolling upgrade policy](virtua
### [CLI](#tab/cli)
-> [!NOTE]
-> Setting the upgrade policy to automatic during scale set creation using CLI or PowerShell on Virtual Machine Scale Sets with Flexible Orchestration is not yet available. To set the upgrade policy to automatic, update the upgrade policy after scale set deployment. See [changing the upgrade policy on a Virtual Machine Scale Set](virtual-machine-scale-sets-change-upgrade-policy.md).
- When creating a new scale set using Azure CLI, use [az vmss create](/cli/azure/vmss#az-vmss-create) and the `-upgrade-policy-mode` to set the upgrade policy mode. If using a rolling upgrade policy, see [configure rolling upgrade policy](virtual-machine-scale-sets-configure-rolling-upgrades.md) for configuration settings and suggestions.
az vmss create \
### [PowerShell](#tab/powershell) > [!NOTE]
-> Setting the upgrade policy to automatic during scale set creation using CLI or PowerShell on Virtual Machine Scale Sets with Flexible Orchestration is not yet available. To set the upgrade policy to automatic, update the upgrade policy after scale set deployment. See [changing the upgrade policy on a Virtual Machine Scale Set](virtual-machine-scale-sets-change-upgrade-policy.md).
+> Setting the upgrade policy to automatic during scale set creation using PowerShell on Virtual Machine Scale Sets with Flexible Orchestration is not yet available. To set the upgrade policy to automatic, update the upgrade policy after scale set deployment. See [changing the upgrade policy on a Virtual Machine Scale Set](virtual-machine-scale-sets-change-upgrade-policy.md).
When creating a new scale set using Azure PowerShell, use [New-AzVmss](/powershell/module/az.compute/new-azvmss) and the `-UpgradePolicyMode` parameter to set the upgrade policy mode.
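Review bot: the CLI tab loses its note entirely while the PowerShell note is narrowed to "using PowerShell", which implies that setting the upgrade policy to automatic at creation time now works through the CLI on Flexible orchestration; if that is the intent, the CLI sentence should say so explicitly. That sentence also references `-upgrade-policy-mode` with a single leading dash; the `az vmss create` long-form parameter is `--upgrade-policy-mode`.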
virtual-machines Automatic Vm Guest Patching https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/automatic-vm-guest-patching.md
Automatic VM guest patching has the following characteristics:
## How does automatic VM guest patching work?
-If automatic VM guest patching is enabled on a VM, then the available *Critical* and *Security* patches are downloaded and applied automatically on the VM. This process kicks off automatically every month when new patches are released. Patch assessment and installation are automatic, and the process includes rebooting the VM as configured. The rebootSetting parameter on the VM Model takes precedence over settings in another system, such as [Maintenance Configuration](https://learn.microsoft.com/azure/virtual-machines/maintenance-configurations#guest).
+If automatic VM guest patching is enabled on a VM, then the available *Critical* and *Security* patches are downloaded and applied automatically on the VM. This process kicks off automatically every month when new patches are released. Patch assessment and installation are automatic, and the process includes rebooting the VM as configured. The rebootSetting parameter on the VM Model takes precedence over settings in another system, such as [Maintenance Configuration](/azure/virtual-machines/maintenance-configurations#guest).
The VM is assessed periodically every few days and multiple times within any 30-day period to determine the applicable patches for that VM. The patches can be installed any day on the VM during off-peak hours for the VM. This automatic assessment ensures that any missing patches are discovered at the earliest possible opportunity.
virtual-machines Disks Reserved Capacity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/disks-reserved-capacity.md
A disk reservation is made per disk SKU. As a result, the reservation consumptio
For example, assume you reserve one P40 disk that has 2 TiB of provisioned storage capacity. Also assume you allocate only two P30 disks. The P40 reservation in that case doesn't account for P30 consumption, and you pay the pay-as-you-go rate on the P30 disks. <br/> <br/> ## Purchase considerations
virtual-machines Disks Scalability Targets https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/disks-scalability-targets.md
**Applies to:** :heavy_check_mark: Linux VMs :heavy_check_mark: Windows VMs :heavy_check_mark: Flexible scale sets :heavy_check_mark: Uniform scale sets See [VM sizes](sizes.md) for more details. ## Managed virtual machine disks ## Unmanaged virtual machine disks ## See also
virtual-machines Disks Types https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/disks-types.md
Azure Premium SSDs deliver high-performance and low-latency disk support for vir
To learn more about individual Azure VM types and sizes for Windows or Linux, including size compatibility for premium storage, see [Sizes for virtual machines in Azure](sizes.md). You'll need to check each individual VM size article to determine if it's premium storage-compatible. ### Premium SSD size Capacity, IOPS, and throughput are guaranteed when a premium storage disk is provisioned. For example, if you create a P50 disk, Azure provisions 4,095-GB storage capacity, 7,500 IOPS, and 250-MB/s throughput for that disk. Your application can use all or part of the capacity and performance. Premium SSDs are designed to provide the single-digit millisecond latencies, target IOPS, and throughput described in the preceding table 99.9% of the time.
Azure standard SSDs are optimized for workloads that need consistent performance
### Standard SSD size Standard SSDs are designed to provide single-digit millisecond latencies and the IOPS and throughput up to the limits described in the preceding table 99% of the time. Actual IOPS and throughput may vary sometimes depending on the traffic patterns. Standard SSDs provide more consistent performance than the HDD disks with the lower latency.
Standard SSDs offer disk bursting, which provides better tolerance for the unpre
Azure standard HDDs deliver reliable, low-cost disk support for VMs running latency-tolerant workloads. With standard storage, your data is stored on HDDs, and performance may vary more widely than that of SSD-based disks. Standard HDDs are designed to deliver write latencies of less than 10 ms and read latencies of less than 20 ms for most IO operations. Actual performance may vary depending on IO size and workload pattern, however. When working with VMs, you can use standard HDD disks for dev/test scenarios and less critical workloads. Standard HDDs are available in all Azure regions and can be used with all Azure VMs. Standard HDDs support the [512E sector size](https://en.wikipedia.org/wiki/Advanced_Format#512_emulation_(512e)). ### Standard HDD size ### Standard HDD Transactions
virtual-machines Dsv6 Ddsv6 Series https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/dsv6-ddsv6-series.md
+
+ Title: Dsv6 and Ddsv6-series
+description: Specifications for Dsv6 and Ddsv6-series
++++ Last updated : 07/17/2024+++
+# Dsv6 and Ddsv6-series (Preview)
+
+Applies to ✔️ Linux VMs ✔️ Windows VMs ✔️ Flexible scale sets ✔️ Uniform scale sets
++
+>[!NOTE]
+>Azure Virtual Machine Series Dsv6 and Ddsv6 are currently in **Preview**. See the [Preview Terms Of Use | Microsoft Azure](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
+
+The new Dsv6 and Ddsv6 Virtual Machine (VM) series only works on OS images that are tagged with NVMe support. If your current OS image is not supported for NVMe, an error message is shown. NVMe support is available in 50+ of the most popular OS images, and we continuously improve the OS image coverage. Refer to our up-to-date [**lists**](https://learn.microsoft.com/azure/virtual-machines/enable-nvme-interface) for information on which OS images are tagged as NVMe supported. For more information on NVMe enablement, see our [**FAQ**](https://learn.microsoft.com/azure/virtual-machines/enable-nvme-faqs).
+
+The new Dsv6 and Ddsv6 VM series virtual machines public preview is now available. To get more information or sign up for the preview, visit our announcement and follow the link to the sign-up form. This is an opportunity to experience our latest innovation.
+
+The Dsv6-series and Ddsv6-series Virtual Machines run on the 5<sup>th</sup> Generation Intel® Xeon® Platinum 8473C (Emerald Rapids) CPU processor in a multi-threaded configuration and the latest DDR5 memory technology, providing a better value proposition for most general-purpose workloads. This new processor features [Intel® Turbo Boost Technology](https://www.intel.com/content/www/us/en/architecture-and-technology/turbo-boost/turbo-boost-technology.html), [Intel® Advanced-Vector Extensions 512 (Intel® AVX-512)](https://www.intel.com/content/www/us/en/architecture-and-technology/avx-512-overview.html) and [Intel](https://software.intel.com/content/www/us/en/develop/topics/ai/deep-learning-boost.html) Advanced Matrix Extensions (AMX). The Dsv6 and Ddsv6 VM series offer 4 GiBs of RAM per vCPU to meet the requirements associated with most enterprise workloads including e-commerce systems, web front ends, desktop virtualization solutions, customer relationship management applications, entry-level and mid-range databases, application servers, and more.
+
+These new Intel based VMs have two variants: Dsv6 without local SSD and Ddsv6 with local SSD.
+
+## Dsv6-series
+
+Dsv6-series virtual machines run on the 5<sup>th</sup> Generation Intel® Xeon® Platinum 8473C (Emerald Rapids) processor reaching an all-core turbo clock speed of 3.0 GHz . These virtual machines offer up to 128 vCPU and 512 GiB of RAM. Dsv6-series virtual machines provide a better performance for most general-purpose workloads compared to the prior generation (for example, increased scalability, upgraded CPU, elevated memory bandwidth, faster remote storage access)
+
+Dsv6-series virtual machines do not have any temporary storage thus lowering the price of entry. You can attach Standard SSDs, Standard HDDs, Premium SSDs, and Premium SSD V2 disk storage to these virtual machines. You can also attach Ultra Disk storage based on its regional availability. Disk storage is billed separately from virtual machines.
+
+[Premium Storage](https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance): Supported <br>[Premium Storage caching](https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance): Supported <br>Live Migration: Not Supported for Preview <br>Memory Preserving Updates: Supported <br>[VM Generation Support](https://learn.microsoft.com/azure/virtual-machines/generation-2): Generation 2 <br>[Accelerated Networking](https://learn.microsoft.com/azure/virtual-network/create-vm-accelerated-networking-cli): Supported <br>[Ephemeral OS Disks](https://learn.microsoft.com/azure/virtual-machines/ephemeral-os-disks): Not Supported for Preview<br>[Nested Virtualization](https://learn.microsoft.com/virtualization/hyper-v-on-windows/user-guide/nested-virtualization): Supported
+
+| **Size** | **vCPU** | **Memory: GiB** | **Temp storage (SSD) GiB** | **Max data disks** | **Max temp storage throughput: IOPS/MBPS (RR)** | **Max temp storage throughput: IOPS/MBPS (RW)** | **Max** **uncached Premium SSD and Standard SSD/HDD disk throughput: IOPS/MBps** | **Max burst** **uncached Premium SSD and Standard SSD/HDD disk throughput: IOPS/MBps** | **Max** **uncached Ultra Disk and Premium SSD V2 disk throughput: IOPS/MBps** | **Max burst** **uncached Ultra Disk and Premium SSD V2 disk throughput: IOPS/MBps** | **Max NICs** | **Network bandwidth** |
+||||||||||||||
+| **Standard_D2s_v6** | 2 | 8 | 0 | 8 | NA | NA | 3750/106 | 40000/1250 | 4167/124 | 44444/1463 | 2 | 12500 |
+| **Standard_D4s_v6** | 4 | 16 | 0 | 12 | NA | NA | 6400/212 | 40000/1250 | 8333/248 | 52083/1463 | 2 | 12500 |
+| **Standard_D8s_v6** | 8 | 32 | 0 | 24 | NA | NA | 12800/424 | 40000/1250 | 16667/496 | 52083/1463 | 4 | 12500 |
+| **Standard_D16s_v6** | 16 | 64 | 0 | 48 | NA | NA | 25600/848 | 40000/1250 | 33333/992 | 52083/1463 | 8 | 12500 |
+| **Standard_D32s_v6** | 32 | 128 | 0 | 64 | NA | NA | 51200/1696 | 80000/1696 | 66667/1984 | 104167/1984 | 8 | 16000 |
+| **Standard_D48s_v6** | 48 | 192 | 0 | 64 | NA | NA | 76800/2544 | 80000/2544 | 100000/2976 | 104167/2976 | 8 | 24000 |
+| **Standard_D64s_v6** | 64 | 256 | 0 | 64 | NA | NA | 102400/3392 | 102400/3392 | 133333/3969 | 133333/3969 | 8 | 30000 |
+| **Standard_D96s_v6** | 96 | 384 | 0 | 64 | NA | NA | 153600/5088 | 153600/5088 | 200000/5953 | 200000/5953 | 8 | 41000 |
+| **Standard_D128s_v6** | 128 | 512 | 0 | 64 | NA | NA | 204800/6782 | 204800/6782 | 266667/7935 | 266667/7935 | 8 | 54000 |
+
+## Ddsv6-series
+
+Ddsv6-series virtual machines run on the 5<sup>th</sup> Generation Intel® Xeon® Platinum 8473C (Emerald Rapids) processor reaching an all- core turbo clock speed of 3.0 GHz. These virtual machines offer up to 128 vCPU and 512 GiB of RAM. Ddsv6-series virtual machines provide a better performance for most general-purpose workloads compared to the prior generation (for example, increased scalability, upgraded CPU, elevated memory bandwidth, faster NVMe local and remote storage access, larger local storage capacity)
+
+Ddsv6-series virtual machines offer local storage disks. You can attach Standard SSDs, Standard HDDs, Premium SSDs, and Premium SSD V2 disk storage to these virtual machines. You can also attach Ultra Disk storage based on its regional availability. Disk storage is billed separately from virtual machines.
+
+[Premium Storage](https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance): Supported <br>[Premium Storage caching](https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance): Supported <br>[Live Migration](https://learn.microsoft.com/azure/virtual-machines/maintenance-and-updates): Not Supported for Preview <br>[Memory Preserving Updates](https://learn.microsoft.com/azure/virtual-machines/maintenance-and-updates): Supported <br>[VM Generation Support](https://learn.microsoft.com/azure/virtual-machines/generation-2): Generation 2<br>[Accelerated Networking](https://learn.microsoft.com/azure/virtual-network/create-vm-accelerated-networking-cli): Supported <br>[Ephemeral OS Disks](https://learn.microsoft.com/azure/virtual-machines/ephemeral-os-disks): Not Supported for Preview <br>[Nested Virtualization](https://learn.microsoft.com/virtualization/hyper-v-on-windows/user-guide/nested-virtualization): Supported
+
+| **Size** | **vCPU** | **Memory: GiB** | **Temp storage (SSD) GiB** | **Max data disks** | **Max temp storage throughput: IOPS/MBPS (RR)** | **Max temp storage throughput: IOPS/MBPS (RW)** | **Max** **uncached Premium SSD and Standard SSD/HDD disk throughput: IOPS/MBps** | **Max burst** **uncached Premium SSD and Standard SSD/HDD disk throughput: IOPS/MBps** | **Max** **uncached Ultra Disk and Premium SSD V2 disk throughput: IOPS/MBps** | **Max burst** **uncached Ultra Disk and Premium SSD V2 disk throughput: IOPS/MBps** | **Max NICs** | **Network bandwidth** |
+||||||||||||||
+| **Standard_D2ds_v6** | 2 | 8 | 1x110 | 8 | 37500/180 | 15000/90 | 3750/106 | 40000/1250 | 4167/124 | 44444/1463 | 2 | 12500 |
+| **Standard_D4ds_v6** | 4 | 16 | 1x220 | 12 | 75000/360 | 30000/180 | 6400/212 | 40000/1250 | 8333/248 | 52083/1463 | 2 | 12500 |
+| **Standard_D8ds_v6** | 8 | 32 | 1x440 | 24 | 150000/720 | 60000/360 | 12800/424 | 40000/1250 | 16667/496 | 52083/1463 | 4 | 12500 |
+| **Standard_D16ds_v6** | 16 | 64 | 2x440 | 48 | 300000/1440 | 120000/720 | 25600/848 | 40000/1250 | 33333/992 | 52083/1463 | 8 | 12500 |
+| **Standard_D32ds_v6** | 32 | 128 | 4x440 | 64 | 600000/2880 | 240000/1440 | 51200/1696 | 80000/1696 | 66667/1984 | 104167/1984 | 8 | 16000 |
+| **Standard_D48ds_v6** | 48 | 192 | 6x440 | 64 | 900000/4320 | 360000/2160 | 76800/2544 | 80000/2544 | 100000/2976 | 104167/2976 | 8 | 24000 |
+| **Standard_D64ds_v6** | 64 | 256 | 4x880 | 64 | 1200000/5760 | 480000/2880 | 102400/3392 | 102400/3392 | 133333/3969 | 133333/3969 | 8 | 30000 |
+| **Standard_D96ds_v6** | 96 | 384 | 6x880 | 64 | 1800000/8640 | 720000/4320 | 153600/5088 | 153600/5088 | 200000/5953 | 200000/5953 | 8 | 41000 |
+| **Standard_D128ds_v6** | 128 | 512 | 4x1760 | 64 | 2400000/11520 | 960000/5760 | 204800/6782 | 204800/6782 | 266667/7935 | 266667/7935 | 8 | 54000 |
+
+## Size table definitions
+
+Storage capacity is shown in units of GiB or 1024^3 bytes. When you compare disks measured in GB (1000^3 bytes) to disks measured in GiB (1024^3) remember that capacity numbers given in GiB may appear smaller. For example, 1023 GiB = 1098.4 GB.
+
+Disk throughput is measured in input/output operations per second (IOPS) and MBps where MBps = 10^6 bytes/sec.
+
+Data disks can operate in cached or uncached modes. For cached data disk operation, the host cache mode is set to **ReadOnly** or **ReadWrite**. For uncached data disk operation, the host cache mode is set to **None**.
+
+To learn how to get the best storage performance for your VMs, see [Virtual machine and disk performance](https://learn.microsoft.com/azure/virtual-machines/disks-performance).
+
+**Expected network bandwidth** is the maximum aggregated bandwidth allocated per VM type across all NICs, for all destinations. For more information, see [Virtual machine network bandwidth](https://learn.microsoft.com/azure/virtual-network/virtual-machine-network-throughput).
+
+Upper limits aren't guaranteed. Limits offer guidance for selecting the right VM type for the intended application. Actual network performance depends on several factors including network congestion, application loads, and network settings. For information on optimizing network throughput, see [Optimize network throughput for Azure virtual machines](https://learn.microsoft.com/azure/virtual-network/virtual-network-optimize-network-bandwidth). To achieve the expected network performance on Linux or Windows, you may need to select a specific version or optimize your VM. For more information, see [Bandwidth/Throughput testing (NTTTCP)](https://learn.microsoft.com/azure/virtual-network/virtual-network-bandwidth-testing).
+
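Review bot: the feature lists for the two series are inconsistent: Dsv6 (the line beginning "[Premium Storage]... Live Migration: Not Supported for Preview") leaves Live Migration and Memory Preserving Updates unlinked, while the Ddsv6 list links both to the maintenance-and-updates article; mirror the links in the Dsv6 list. The same lines, and the one starting "The new Dsv6 and Ddsv6 Virtual Machine (VM) series only works on OS images", use absolute learn.microsoft.com URLs, whereas the rest of this repo cross-links with relative paths (for example `../image-builder-triggers-how-to.md` further down this page); relative links keep the pages working in review builds. Minor typos in the series intros: "3.0 GHz ." has a stray space before the period, "all- core" should be "all-core", and both sentences ending in "faster remote storage access)" and "larger local storage capacity)" are missing their terminal period.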
virtual-machines Custom Script Linux https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/extensions/custom-script-linux.md
The output looks like the following text:
### Azure CLI syntax issues ## Next steps
virtual-machines Key Vault Linux https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/extensions/key-vault-linux.md
Get-AzVMExtension -VMName <vmName> -ResourceGroupname <resource group name>
az vm get-instance-view --resource-group <resource group name> --name <vmName> --query "instanceView.extensions" ``` ### Logs and configuration
virtual-machines Network Watcher Update https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/extensions/network-watcher-update.md
## Latest version ### Identify latest version
virtual-machines Isolation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/isolation.md
**Applies to:** :heavy_check_mark: Linux VMs :heavy_check_mark: Windows VMs :heavy_check_mark: Flexible scale sets :heavy_check_mark: Uniform scale sets
virtual-machines Disk Encryption Key Vault https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/disk-encryption-key-vault.md
az login
Connect-AzAccount ``` ## Next steps
virtual-machines Disks Upload Vhd To Managed Disk Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/disks-upload-vhd-to-managed-disk-cli.md
If you're using [Microsoft Entra ID](../../active-directory/fundamentals/active-
- [Install the Azure CLI](/cli/azure/install-azure-cli). ### Restrictions ### Assign RBAC role
virtual-machines Image Builder Json https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/image-builder-json.md
Size of the proxy virtual machine used to pass traffic to the build VM and valid
## Properties: autoRun
-You can use the `autoRun` property to control whether the image template build process should automatically start when the template is created or updated. It's an enum with two possible values:
-- **Enabled** - Auto run is enabled, so your image template build process will automatically start when the template is created or updated. -- **Disabled** - Auto run is disabled, so you will have to manually start the image build process after the template is created or updated.
+You can use the `autoRun` property to control whether the image template build process should automatically start when the template is created. It's an enum with two possible values:
+- **Enabled** - Auto run is enabled, so your image template build process will automatically start when the template is created.
+- **Disabled** - Auto run is disabled, so you will have to manually start the image build process after the template is created.
```json "properties": {
- "autoRun": "Enabled"
-}
+ "autoRun": {
+ "state": "Enabled"
+ }
``` > [!NOTE]
-> When you set `autoRun` to "Enabled," the image build process runs **once** upon template creation or update. It ensures that the initial image build occurs seamlessly. However, it does not provide consistent and ongoing image builds. For consistent and ongoing image builds that run once an image template is updated, see [How to use Azure Image Builder triggers to set up an automatic image build](../image-builder-triggers-how-to.md).
+> When you set `autoRun` to "Enabled," the image build process runs **once** upon template creation. It ensures that the initial image build occurs seamlessly. However, it does not provide consistent and ongoing image builds. For consistent and ongoing image builds that run once an image template is updated, see [How to use Azure Image Builder triggers to set up an automatic image build](../image-builder-triggers-how-to.md).
> > Unlike `autoRun`, automatic image creation via the Azure Image Builder trigger resource ensures that image builds occur consistently. Whenever there are changes to the template, the Azure Image Builder service will automatically trigger the image build process. >
-> Choose `autoRun` for immediate image builds upon template creation or update. Opt for automatic image creation when you need ongoing consistency in image builds. Consider your specific requirements and use the appropriate option based on your workflow.
+> Choose `autoRun` for immediate image builds upon template creation. Opt for automatic image creation when you need ongoing consistency in image builds. Consider your specific requirements and use the appropriate option based on your workflow.
## Properties: managedResourceTags
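Review bot: the JSON fragment is no longer balanced after this change. The removed line `-}` closed the `"properties": {` object, but the replacement only adds `"autoRun": {` / `"state": "Enabled"` / `}`, so the `properties` object is never closed before the code fence. Add a final `}` line so the sample reads:
`"properties": {` / `"autoRun": { "state": "Enabled" }` / `}`.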
virtual-machines Redhat Create Upload Vhd https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/redhat-create-upload-vhd.md
This section assumes that you've already obtained an ISO file from the Red Hat w
# Accelerated Networking on Azure exposes a new SRIOV interface to the VM. # This interface is transparentlybonded to the synthetic interface, # so NetworkManager should just ignore any SRIOV interfaces.
- SUBSYSTEM=="net", DRIVERS=="hv_pci", ACTION=="add", ENV{NM_UNMANAGED}="1"
+ SUBSYSTEM=="net", DRIVERS=="hv_pci", ACTION!="remove", ENV{NM_UNMANAGED}="1"
EOF ```
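Review bot: the change from `ACTION=="add"` to `ACTION!="remove"` widens the rule to fire on `change` and `move` events as well as `add`, which is presumably the point (the VF interface can be renamed or re-probed after the initial add, and `NM_UNMANAGED` must be reasserted each time), but neither the hunk nor the surrounding comment says so. Add one comment line above the rule explaining why every event other than `remove` is matched, so the next person doesn't narrow it back to `add`.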
This section assumes that you've already obtained an ISO file from the Red Hat w
NM_CONTROLLED=yes ```
+ > [!NOTE]
+ > When you use Accelerated Networking, the synthetic interface that's created must be configured to be unmanaged by using a udev rule. This action prevents `NetworkManager` from assigning the same IP to it as the primary interface. <br>
+
+ To apply it:<br>
+
+ ```
+ sudo cat <<EOF>> /etc/udev/rules.d/68-azure-sriov-nm-unmanaged.rules
+ # Accelerated Networking on Azure exposes a new SRIOV interface to the VM.
+ # This interface is transparentlybonded to the synthetic interface,
+ # so NetworkManager should just ignore any SRIOV interfaces.
+ SUBSYSTEM=="net", DRIVERS=="hv_pci", ACTION!="remove", ENV{NM_UNMANAGED}="1"
+ EOF
+ ```
1. Ensure that the network service starts at boot time: ```bash
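Review bot: the note text contradicts the rule it introduces. The note says "the synthetic interface that's created must be configured to be unmanaged", but the udev rule (and its own comments, "so NetworkManager should just ignore any SRIOV interfaces") marks the SR-IOV virtual function exposed via `hv_pci` as unmanaged; the synthetic interface is the one NetworkManager must keep managing. Reword the note to "the SR-IOV (virtual function) interface that Accelerated Networking exposes must be marked unmanaged so that NetworkManager does not also configure it with the primary interface's IP". Separately, `sudo cat <<EOF>> /etc/udev/rules.d/68-azure-sriov-nm-unmanaged.rules` does not do what the reader expects: the `>>` redirection is opened by the caller's unprivileged shell before `sudo` runs, so only `cat` is elevated and the write to `/etc/udev/rules.d/` fails with permission denied for a non-root user. Use `sudo tee -a /etc/udev/rules.d/68-azure-sriov-nm-unmanaged.rules <<EOF` (or run the block from a root shell). Also fix the comment typo "transparentlybonded" (the existing rule text in the KVM and VMware sections has "transparently bonded") and tag the fence as ```bash like the adjacent blocks. The identical note and heredoc are repeated in the KVM, VMware and kickstart hunks below, so apply the same fixes there.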
This section assumes that you've already obtained an ISO file from the Red Hat w
```bash sudo nmcli con mod eth0 connection.autoconnect yes ipv4.method auto ```-
+
+ > [!NOTE]
+ > When you use Accelerated Networking, the synthetic interface that's created must be configured to be unmanaged by using a udev rule. This action prevents `NetworkManager` from assigning the same IP to it as the primary interface. <br>
+
+ To apply it:<br>
+
+ ```
+ sudo cat <<EOF>> /etc/udev/rules.d/68-azure-sriov-nm-unmanaged.rules
+ # Accelerated Networking on Azure exposes a new SRIOV interface to the VM.
+ # This interface is transparentlybonded to the synthetic interface,
+ # so NetworkManager should just ignore any SRIOV interfaces.
+ SUBSYSTEM=="net", DRIVERS=="hv_pci", ACTION!="remove", ENV{NM_UNMANAGED}="1"
+ EOF
+ ```
1. Register your Red Hat subscription to enable the installation of packages from the RHEL repository: ```bash
This section shows you how to use KVM to prepare a [RHEL 6](#rhel-6-using-kvm) o
# Accelerated Networking on Azure exposes a new SRIOV interface to the VM. # This interface is transparently bonded to the synthetic interface, # so NetworkManager should just ignore any SRIOV interfaces.
- SUBSYSTEM=="net", DRIVERS=="hv_pci", ACTION=="add", ENV{NM_UNMANAGED}="1"
+ SUBSYSTEM=="net", DRIVERS=="hv_pci", ACTION!="remove", ENV{NM_UNMANAGED}="1"
EOF ```
This section shows you how to use KVM to prepare a [RHEL 6](#rhel-6-using-kvm) o
PERSISTENT_DHCLIENT=yes NM_CONTROLLED=yes ```-
+ > [!NOTE]
+ > When you use Accelerated Networking, the synthetic interface that's created must be configured to be unmanaged by using a udev rule. This action prevents `NetworkManager` from assigning the same IP to it as the primary interface. <br>
+
+ To apply it:<br>
+
+ ```
+ sudo cat <<EOF>> /etc/udev/rules.d/68-azure-sriov-nm-unmanaged.rules
+ # Accelerated Networking on Azure exposes a new SRIOV interface to the VM.
+ # This interface is transparentlybonded to the synthetic interface,
+ # so NetworkManager should just ignore any SRIOV interfaces.
+ SUBSYSTEM=="net", DRIVERS=="hv_pci", ACTION!="remove", ENV{NM_UNMANAGED}="1"
+ EOF
+ ```
1. Ensure that the network service starts at boot time: ```bash
This section assumes that you've already installed a RHEL VM in VMware. For info
# Accelerated Networking on Azure exposes a new SRIOV interface to the VM. # This interface is transparently bonded to the synthetic interface, # so NetworkManager should just ignore any SRIOV interfaces.
- SUBSYSTEM=="net", DRIVERS=="hv_pci", ACTION=="add", ENV{NM_UNMANAGED}="1"
+ SUBSYSTEM=="net", DRIVERS=="hv_pci", ACTION!="remove", ENV{NM_UNMANAGED}="1"
EOF ```
This section assumes that you've already installed a RHEL VM in VMware. For info
PERSISTENT_DHCLIENT=yes NM_CONTROLLED=yes ```-
+ > [!NOTE]
+ > When you use Accelerated Networking, the synthetic interface that's created must be configured to be unmanaged by using a udev rule. This action prevents `NetworkManager` from assigning the same IP to it as the primary interface. <br>
+
+ To apply it:<br>
+
+ ```
+ sudo cat <<EOF>> /etc/udev/rules.d/68-azure-sriov-nm-unmanaged.rules
+ # Accelerated Networking on Azure exposes a new SRIOV interface to the VM.
+ # This interface is transparentlybonded to the synthetic interface,
+ # so NetworkManager should just ignore any SRIOV interfaces.
+ SUBSYSTEM=="net", DRIVERS=="hv_pci", ACTION!="remove", ENV{NM_UNMANAGED}="1"
+ EOF
+ ```
1. Ensure that the network service starts at boot time: ```bash
This section shows you how to prepare a RHEL 7 distro from an ISO by using a kic
PERSISTENT_DHCLIENT=yes NM_CONTROLLED=yes EOF
+
+ sudo cat <<EOF>> /etc/udev/rules.d/68-azure-sriov-nm-unmanaged.rules
+ # Accelerated Networking on Azure exposes a new SRIOV interface to the VM.
+ # This interface is transparentlybonded to the synthetic interface,
+ # so NetworkManager should just ignore any SRIOV interfaces.
+ SUBSYSTEM=="net", DRIVERS=="hv_pci", ACTION!="remove", ENV{NM_UNMANAGED}="1"
+ EOF
# Deprovision and prepare for Azure if you are creating a generalized image sudo cloud-init clean --logs --seed
virtual-machines Tutorial Manage Disks https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/tutorial-manage-disks.md
Azure provides two types of disks.
<br> When you provision a premium storage disk, unlike standard storage, you are guaranteed the capacity, IOPS, and throughput of that disk. For example, if you create a P50 disk, Azure provisions 4,095-GB storage capacity, 7,500 IOPS, and 250-MB/s throughput for that disk. Your application can use all or part of the capacity and performance. Premium SSD disks are designed to provide low single-digit millisecond latencies and target IOPS and throughput described in the preceding table 99.9% of the time.
virtual-machines Mitigate Se https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/mitigate-se.md
**Applies to:** :heavy_check_mark: Linux VMs :heavy_check_mark: Windows VMs :heavy_check_mark: Flexible scale sets :heavy_check_mark: Uniform scale sets
virtual-machines Premium Storage Performance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/premium-storage-performance.md
When you run Linux with premium storage, check the latest updates about required
Premium storage offers various sizes so you can choose one that best suits your needs. Each disk size has a different scale limit for IOPS, bandwidth, and storage. Choose the right premium storage disk size depending on the application requirements and the high-scale VM size. The following table shows the disks sizes and their capabilities. P4, P6, P15, P60, P70, and P80 sizes are currently only supported for managed disks. How many disks you choose depends on the disk size chosen. You could use a single P50 disk or multiple P10 disks to meet your application requirement. Take into account considerations listed here when you're making the choice.
virtual-machines Trusted Launch Existing Vmss https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/trusted-launch-existing-vmss.md
Azure Virtual machine Scale sets supports enabling Trusted launch on existing [U
## Limitations - Enabling Trusted launch on existing [virtual machine Scale sets with data disks attached](../virtual-machine-scale-sets/virtual-machine-scale-sets-attached-disks.md) is currently not supported.
- - To validate if scale set is configured with data disk, navigate to scale set -> **Disks** under **Settings** menu -> check under heading **Data disks**
+ - To validate if scale set is configured with data disk, navigate to scale set -> **Disks** under **Settings** menu -> check under heading **Data disks**
:::image type="content" source="./media/trusted-launch/00-vmss-with-data-disks.png" alt-text="Screenshot of the scale set with data disks."::: - Enabling Trusted launch on existing [virtual machine Scale sets Flex](../virtual-machine-scale-sets/virtual-machine-scale-sets-orchestration-modes.md) is currently not supported.
To roll-back changes from Trusted launch to previous known good configuration, s
> [!NOTE] >
-> - Azure CLI currently does not supports roll-back of Scale set Uniform from Trusted launch to Standard. As workaround, use Azure PowerShell or ARM template to execute roll-back.
+> Required Azure CLI version **2.62.0** or above for roll-back of VMSS uniform from Trusted launch to Non-Trusted launch configuration.
+
+To roll-back changes from Trusted launch to previous known good configuration, set `--security-type` to `Standard` as shown. Optionally, you can also revert other parameter changes - OS image, virtual machine size, and repeat steps 2-5 described with [Enable Trusted launch on existing scale set](#enable-trusted-launch-on-existing-scale-set-uniform)
+
+```azurecli-interactive
+az vmss update --name MyScaleSet `
+ --resource-group MyResourceGroup `
+ --security-type Standard
+```
### [PowerShell](#tab/powershell)
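Review bot: the `azurecli-interactive` block uses backticks as line-continuation characters, which is PowerShell syntax; in the bash Cloud Shell that `azurecli-interactive` opens, a trailing backtick starts a command substitution and the command will not parse. Use `\` continuations (`az vmss update --name MyScaleSet \` ...), as the other azurecli blocks in this repo do. The new note also reads awkwardly: "Required Azure CLI version **2.62.0** or above for roll-back..." should be "Azure CLI version **2.62.0** or later is required to roll back a Uniform scale set from Trusted launch to the Standard security type" (the command sets `--security-type Standard`, so name that rather than "Non-Trusted launch configuration").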
virtual-machines Trusted Launch https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/trusted-launch.md
Trusted Launch doesn't increase existing VM pricing costs.
Currently, the following VM features aren't supported with Trusted Launch: -- [Azure Site Recovery](../site-recovery/concepts-trusted-vm.md) (currently in preview).
+- [Azure Site Recovery](../site-recovery/concepts-trusted-vm.md) (*Generally available for Windows*).
- [Managed Image](capture-image-resource.yml) (customers are encouraged to use [Azure Compute Gallery](trusted-launch-portal.md#trusted-launch-vm-supported-images)). - Nested virtualization (v5 VM size families supported).
+- [Linux VM Hibernation](./linux/hibernate-resume-linux.md)
## Secure Boot
Trusted Launch is integrated with Defender for Cloud to ensure that your VMs are
- **Alert for VM attestation failure**: Defender for Cloud periodically performs attestation on your VMs. The attestation also happens after your VM boots. If the attestation fails, it triggers a medium-severity alert. VM attestation can fail for the following reasons:
- - The attested information, which includes a boot log, deviates from a trusted baseline. Any deviation can indicate that untrusted modules have been loaded, and the OS could be compromised.
- - The attestation quote couldn't be verified to originate from the vTPM of the attested VM. An unverified origin can indicate that malware is present and could be intercepting traffic to the vTPM.
+ - The attested information, which includes a boot log, deviates from a trusted baseline. Any deviation can indicate that untrusted modules have been loaded, and the OS could be compromised.
+ - The attestation quote couldn't be verified to originate from the vTPM of the attested VM. An unverified origin can indicate that malware is present and could be intercepting traffic to the vTPM.
> [!NOTE] > Alerts are available for VMs with vTPM enabled and the Attestation extension installed. Secure Boot must be enabled for attestation to pass. Attestation fails if Secure Boot is disabled. If you must disable Secure Boot, you can suppress this alert to avoid false positives. - **Alert for untrusted Linux kernel module**: For Trusted Launch with Secure Boot enabled, it's possible for a VM to boot even if a kernel driver fails validation and is prohibited from loading. If this scenario happens, Defender for Cloud issues low-severity alerts. While there's no immediate threat, because the untrusted driver hasn't been loaded, these events should be investigated. Ask yourself:
- - Which kernel driver failed? Am I familiar with this driver and do I expect it to load?
- - Is this the exact version of the driver I'm expecting? Are the driver binaries intact? If this is a third-party driver, did the vendor pass the OS compliance tests to get it signed?
+ - Which kernel driver failed? Am I familiar with this driver and do I expect it to load?
+ - Is this the exact version of the driver I'm expecting? Are the driver binaries intact? If this is a third-party driver, did the vendor pass the OS compliance tests to get it signed?
## Related content
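Review bot: the Azure Site Recovery line is now self-contradictory. It sits under "the following VM features aren't supported with Trusted Launch", yet the replacement text says "(*Generally available for Windows*)". Either remove it from the unsupported list, or state the remaining limitation explicitly, for example "Azure Site Recovery for Linux VMs (generally available for Windows VMs)", so a reader can tell which platform is unsupported. The new "[Linux VM Hibernation]" bullet is also missing the terminal period the sibling bullets use.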
virtual-machines Disks Upload Vhd To Managed Disk Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/windows/disks-upload-vhd-to-managed-disk-powershell.md
If you're using [Microsoft Entra ID](../../active-directory/fundamentals/active-
[!INCLUDE [disks-azure-ad-upload-download-prereqs](../../../includes/disks-azure-ad-upload-download-prereqs.md)] ### Restrictions ### Assign RBAC role
virtual-machines Key Vault Setup https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/windows/key-vault-setup.md
ms.devlang: azurecli
**Applies to:** :heavy_check_mark: Linux VMs :heavy_check_mark: Windows VMs :heavy_check_mark: Flexible scale sets In Azure Resource Manager stack, secrets/certificates are modeled as resources that are provided by the resource provider of Key Vault. To learn more about Key Vault, see [What is Azure Key Vault?](../../key-vault/general/overview.md)
virtual-machines Oracle Database Backup Strategies https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/workloads/oracle/oracle-database-backup-strategies.md
You can also help protect Azure file shares by using Azure Backup for a Recovery
You can mount Azure file shares in Linux distributions by using the NFS v4.1 protocol. There are limitations to supported features. For more information, see [Support for Azure Storage features](../../../storage/files/files-nfs-protocol.md#support-for-azure-storage-features). #### Azure Files with SMB 3.0
vpn-gateway Create Gateway Basic Sku Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/vpn-gateway/create-gateway-basic-sku-powershell.md
+
+ Title: 'Create a Basic SKU virtual network gateway: PowerShell'
+
+description: Learn how to create a Basic SKU virtual network gateway for a VPN connection to your on-premises network, or to connect virtual networks. Use these instructions to create either a policy-based, or route-based VPN gateway.
+++ Last updated : 07/17/2024++++
+# Create a Basic SKU VPN gateway using PowerShell
+
+This article helps you create a Basic SKU Azure VPN gateway using PowerShell. The VPN gateway you create can be either RouteBased, or PolicyBased, depending on your connection requirements. A VPN gateway is used when creating a VPN connection to your on-premises network. You can also use a VPN gateway to connect VNets.
++
+* The left side of the diagram shows the virtual network and the VPN gateway that you create by using the steps in this article.
+* You can later add different types of connections, as shown on the right side of the diagram. For example, you can create [site-to-site](tutorial-site-to-site-portal.md) and [point-to-site](point-to-site-about.md) connections. To view different design architectures that you can build, see [VPN gateway design](design.md).
+
+The steps in this article create a virtual network, a subnet, a gateway subnet, and a VPN gateway (virtual network gateway) using the Basic SKU. The article steps specify a **RouteBased** VPN type. You can also specify a **PolicyBased** VPN type using the steps in this article. Once the gateway creation completes, you can then create connections. If you want to create a gateway using a SKU other than the Basic SKU, see the [Portal article](tutorial-create-gateway-portal.md).
+
+Basic SKU VPN gateways have limitations. For more information about SKUs and Basic SKU limitations, see [About gateway SKUs](about-gateway-skus.md). A few of the limitations that affect the settings used in this article are:
+
+* A Basic SKU VPN gateway must use the Dynamic allocation method for public IP address, not Static.
+* A Basic SKU VPN gateway uses a Basic SKU public IP address, not Standard.
+* You can't create a Basic SKU VPN gateway using the Azure portal.
+
+## Before you begin
+
+These steps require an Azure subscription. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.
+
+### Working with Azure PowerShell
++
+## Create a resource group
+
+Create an Azure resource group with [New-AzResourceGroup](/powershell/module/az.resources/new-azresourcegroup). A resource group is a logical container into which Azure resources are deployed and managed. If you're running PowerShell locally, open your PowerShell console with elevated privileges and connect to Azure using the `Connect-AzAccount` command.
+
+```azurepowershell-interactive
+New-AzResourceGroup -Name TestRG1 -Location EastUS
+```
+
+## <a name="vnet"></a>Create a virtual network
+
+Create a virtual network with [New-AzVirtualNetwork](/powershell/module/az.network/new-azvirtualnetwork). The following example creates a virtual network named **VNet1** in the **EastUS** location:
+
+```azurepowershell-interactive
+$virtualnetwork = New-AzVirtualNetwork `
+ -ResourceGroupName TestRG1 `
+ -Location EastUS `
+ -Name VNet1 `
+ -AddressPrefix 10.1.0.0/16
+```
+
+Create a subnet configuration using the [New-AzVirtualNetworkSubnetConfig](/powershell/module/az.network/new-azvirtualnetworksubnetconfig) cmdlet.
+
+```azurepowershell-interactive
+$subnetConfig = Add-AzVirtualNetworkSubnetConfig `
+ -Name Frontend `
+ -AddressPrefix 10.1.0.0/24 `
+ -VirtualNetwork $virtualnetwork
+```
+
+Set the subnet configuration for the virtual network using the [Set-AzVirtualNetwork](/powershell/module/az.network/Set-azVirtualNetwork) cmdlet.
+
+```azurepowershell-interactive
+$virtualnetwork | Set-AzVirtualNetwork
+```
+
+## <a name="gwsubnet"></a>Add a gateway subnet
+
+The gateway subnet contains the reserved IP addresses that the virtual network gateway services use. Use the following examples to add a gateway subnet:
+
+Set a variable for your virtual network.
+
+```azurepowershell-interactive
+$vnet = Get-AzVirtualNetwork -ResourceGroupName TestRG1 -Name VNet1
+```
+
+Create the gateway subnet using the [Add-AzVirtualNetworkSubnetConfig](/powershell/module/az.network/Add-azVirtualNetworkSubnetConfig) cmdlet.
+
+```azurepowershell-interactive
+Add-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix 10.1.255.0/27 -VirtualNetwork $vnet
+```
+
+Set the subnet configuration for the virtual network using the [Set-AzVirtualNetwork](/powershell/module/az.network/Set-azVirtualNetwork) cmdlet.
+
+```azurepowershell-interactive
+$vnet | Set-AzVirtualNetwork
+```
+
+## <a name="PublicIP"></a>Request a public IP address
+
+Each VPN gateway must have an allocated public IP address. At this time, Basic SKU VPN gateways still use **Dynamic** allocation method public IP address and the **Basic** public IP address SKU. These requirements are different from other VPN Gateway SKUs.
+
+```azurepowershell-interactive
+$gwpip = New-AzPublicIpAddress -Name "VNet1GWIP" -ResourceGroupName "TestRG1" -Location "EastUS" -AllocationMethod Dynamic -Sku Basic
+```
+
+## <a name="GatewayIPConfig"></a>Create the gateway IP address configuration
+
+The gateway configuration defines the subnet and the public IP address to use. Use the following example to create your gateway configuration.
+
+```azurepowershell-interactive
+$vnet = Get-AzVirtualNetwork -Name VNet1 -ResourceGroupName TestRG1
+$subnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
+$gwipconfig = New-AzVirtualNetworkGatewayIpConfig -Name gwipconfig -SubnetId $subnet.Id -PublicIpAddressId $gwpip.Id
+```
+
+## <a name="CreateGateway"></a>Create the VPN gateway
+
+Creating a gateway can often take 45 minutes or more, depending on the selected gateway SKU. Once the gateway is created, you can create a connection between your virtual network and another virtual network. Or, create a connection between your virtual network and an on-premises location.
+
+Create a VPN gateway using the [New-AzVirtualNetworkGateway](/powershell/module/az.network/New-azVirtualNetworkGateway) cmdlet. In this example, we create a route-based Basic SKU VPN gateway. You can create a policy-based gateway instead by specifying `-VpnType "PolicyBased"`.
+
+```azurepowershell-interactive
+New-AzVirtualNetworkGateway -Name VNet1GW -ResourceGroupName TestRG1 `
+-Location "East US" -IpConfigurations $gwipconfig -GatewayType "Vpn" `
+-VpnType "RouteBased" -GatewaySku Basic
+```
+
+## <a name="viewgw"></a>View the VPN gateway
+
+You can view the VPN gateway using the [Get-AzVirtualNetworkGateway](/powershell/module/az.network/Get-azVirtualNetworkGateway) cmdlet.
+
+```azurepowershell-interactive
+Get-AzVirtualNetworkGateway -Name Vnet1GW -ResourceGroup TestRG1
+```
+
+## <a name="viewgwpip"></a>View the public IP addresses
+
+To view the public IP address for your VPN gateway, use the [Get-AzPublicIpAddress](/powershell/module/az.network/Get-azPublicIpAddress) cmdlet. Example:
+
+```azurepowershell-interactive
+Get-AzPublicIpAddress -Name VNet1GWpip1 -ResourceGroupName TestRG1
+```
+
+## Clean up resources
+
+When you no longer need the resources you created, use the [Remove-AzResourceGroup](/powershell/module/az.resources/remove-azresourcegroup) command to delete the resource group. This deletes the resource group and all of the resources it contains.
+
+```azurepowershell-interactive
+Remove-AzResourceGroup -Name TestRG1
+```
+
+## Next steps
+
+Once the gateway finishes creating, you can create a connection between your virtual network and another virtual network. Or, create a connection between your virtual network and an on-premises location. See the following articles:
+
+* [Create a site-to-site connection](vpn-gateway-create-site-to-site-rm-powershell.md)
+* [Create a point-to-site connection](vpn-gateway-howto-point-to-site-rm-ps.md)
+* [Create a connection to another virtual network](vpn-gateway-vnet-vnet-rm-ps.md)
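Review bot: the subnet step's prose and code disagree. The sentence after the first VNet block says to create the subnet configuration with New-AzVirtualNetworkSubnetConfig, but the code that follows runs `$subnetConfig = Add-AzVirtualNetworkSubnetConfig ... -VirtualNetwork $virtualnetwork`, and `$subnetConfig` is never referenced again (the following `$virtualnetwork | Set-AzVirtualNetwork` is what commits the in-place change). Either link Add-AzVirtualNetworkSubnetConfig in that sentence and drop the unused assignment, or keep New-AzVirtualNetworkSubnetConfig and pass its result to New-AzVirtualNetwork via `-Subnet`. Two further consistency problems will trip a reader following the steps literally: the public IP is created as `-Name "VNet1GWIP"` but the view section queries `Get-AzPublicIpAddress -Name VNet1GWpip1`, which returns nothing for that resource group; and `Get-AzVirtualNetworkGateway -Name Vnet1GW -ResourceGroup TestRG1` relies on PowerShell parameter-prefix matching, so spell out `-ResourceGroupName` as every other example on the page does. As a style point, "still use **Dynamic** allocation method public IP address" reads awkwardly; "still require a public IP address with the **Dynamic** allocation method" says the same thing more clearly.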
vpn-gateway Openvpn Azure Ad Tenant https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/vpn-gateway/openvpn-azure-ad-tenant.md
# Configure P2S VPN Gateway for Microsoft Entra ID authentication ΓÇô manually registered app
-This article helps you configure your Microsoft Entra tenant and point-to-site (P2S) VPN Gateway settings for Microsoft Entra ID authentication. For more information about point-to-site protocols and authentication, see [About VPN Gateway point-to-site VPN](point-to-site-about.md). To authenticate using Microsoft Entra ID authentication, you must include the OpenVPN tunnel type in your point-to-site configuration.
+This article helps you configure a point-to-site (P2S) VPN gateway for Microsoft Entra ID authentication and manually register the Azure VPN client. This type of configuration is supported only for OpenVPN protocol connections.
+You can also create this type of P2S VPN Gateway configuration using the steps for the new [Microsoft-registered VPN Client app](point-to-site-entra-gateway.md). Using the newer version bypasses the steps to register the Azure VPN Client with your Microsoft Entra tenant. It also supports more client operating systems. However, it might not yet support certain audience values. For more information about point-to-site protocols and authentication, see [About VPN Gateway point-to-site VPN](point-to-site-about.md).
## Prerequisites
If you already have an existing P2S gateway, the steps in this article help you
* Global administrator account * User account
- The global administrator account will be used to grant consent to the Azure VPN app registration. The user account can be used to test OpenVPN authentication.
+ The global administrator account is used to grant consent to the Azure VPN app registration. The user account can be used to test OpenVPN authentication.
1. Assign one of the accounts the **Global administrator** role. For steps, see [Assign administrator and non-administrator roles to users with Microsoft Entra ID](/azure/active-directory-b2c/tenant-management-read-tenant-name). ## Authorize the Azure VPN application
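Review bot: the link in the "Assign one of the accounts the **Global administrator** role" step points at `/azure/active-directory-b2c/tenant-management-read-tenant-name`, an Azure AD B2C tenant-management path, while the link text and the surrounding steps concern Microsoft Entra ID role assignment; confirm it targets the intended role-assignment article. The tense change in the edited line (`will be used` to `is used`) is fine; separately, the two prerequisite bullets `Global administrator account` and `User account` appear here on a single line, so check that the source keeps them on separate lines so they render as a list.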
web-application-firewall Waf Front Door Tuning https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/web-application-firewall/afds/waf-front-door-tuning.md
With this information, and the knowledge that rule 942110 is the one that matche
### Use exclusion lists
-One benefit of using an exclusion list is that only the match variable you select to exclude will be no longer inspected for that given request. That is, you can choose between specific request headers, request cookies, query string arguments, or request body post arguments to be excluded if a certain condition is met, as opposed to excluding the whole request from being inspected. The other nonspecified variables of the request are inspected normally.
+One benefit of using an exclusion list is that only the match variable you select to exclude will no longer be inspected for that given request. That is, you can choose between specific request headers, request cookies, query string arguments, or request body post arguments to be excluded if a certain condition is met, as opposed to excluding the whole request from being inspected. The other nonspecified variables of the request are inspected normally.
Exclusions are a global setting. The configured exclusion applies to all traffic that passes through your WAF, not just a specific web app or URI. For example, this could be a concern if `1=1` is a valid request in the body for a certain web app, but not for others under the same WAF policy.