What's new in Defender for Cloud recommendations, alerts, and incidents

This article summarizes what's new in security recommendations, alerts, and incidents in Microsoft Defender for Cloud. It includes information about new, modified, and deprecated recommendations and alerts.

  • This page is updated frequently with the latest recommendations and alerts in Defender for Cloud.

  • Recommendations older than six months are found in the relevant recommendations reference list.

  • Find the latest information about new and updated Defender for Cloud features in What's new in Defender for Cloud features.

Tip

Get notified when this page is updated by copying and pasting the following URL into your feed reader: https://aka.ms/mdc/rss-recommendations-alerts

Recommendations, alerts, and incidents updates

New and updated recommendations, alerts, and incidents are added to the table in date order.

| Date announced | Type | State | Name |
|---|---|---|---|
| December 3, 2025 | Recommendation | Upcoming deprecation (30 day notice) | The following recommendation is set for deprecation 30 days from now: Microsoft Defender for SQL status should be protected for Arc-enabled SQL Servers for Defender for SQL Servers on Machines plan. |
| December 1, 2025 | Recommendation | Preview | (Preview) Code Signing should be enabled on Lambda |
| December 1, 2025 | Recommendation | Preview | (Preview) Security mechanism should be used on lambda function API Gateway |
| December 1, 2025 | Recommendation | Preview | (Preview) Authentication should be enabled on Lambda Function URLs |
| December 1, 2025 | Recommendation | Preview | (Preview) Lambda function should implement Reserved Concurrency to prevent resource exhaustion |
| December 1, 2025 | Recommendation | Preview | (Preview) Lambda function should be configured with automatic runtime version updates |
| December 1, 2025 | Recommendation | Preview | (Preview) Authentication should be enabled on Azure Functions |
| December 1, 2025 | Recommendation | Preview | (Preview) Overly permissive permissions should not be configured on Function App, Web App or Logic App |
| December 1, 2025 | Recommendation | Preview | (Preview) Restricted network access should be configured on Internet exposed Function app |
| October 21, 2025 | Alert | Update | The following changes will apply to K8S.Node_* Alerts for EKS and GKE clusters. The resourceIdentifiers property will reference the MDC Connector Identifier: Microsoft.Security/securityConnectors/CONNECTOR_NAME/securityentitydata/EKS_CLUSTER_NAME instead of the Arc resource ID Microsoft.Kubernetes/connectedClusters/ARC_CLUSTER_NAME. The Entities property will reference the Cloud Native Identifier arn:aws:eks:AWS_REGION:AWS_ACCOUNT:cluster/CLUSTER_NAME or container.googleapis.com/projects/PROJECT_ID/zones/ZONE/clusters/CLUSTER_NAME, rather than the Arc resource ID Microsoft.Kubernetes/connectedClusters/ARC_CLUSTER_NAME. The resourceType field under extendedProperties will change from "Kubernetes – Azure Arc" to the respective "AWS EKS Cluster" or "GCP GKE Cluster" resource type. |
| June 1, 2025 | Alert | Upcoming deprecation | The following alert will be deprecated since the method is no longer supported in PowerZure:<br>* Usage of PowerZure function to maintain persistence in your Azure environment |
| May 15, 2025 | Alert | Upcoming Deprecation | The following alerts will be deprecated and will not be available through XDR Integration:<br>* DDoS Attack detected for Public IP<br>* DDoS Attack mitigated for Public IP<br>Note: The alerts will be available on Defender for Cloud portal. |
| May 1, 2025 | Alert | GA | AI alerts have been released to GA with the plan's official GA release |
| April 20, 2025 | Alert | Preview | (Preview) AI - Suspicious anomaly detected in sensitive data exposed by AI resource, this replaces the previous sensitive data exposure alert |
| April 29, 2025 | Recommendation | GA | Role-Based Access Control should be used on Keyvault Services |
| April 20, 2025 | Alert | Preview | AI - Suspicious anomaly detected in sensitive data exposed by AI resource, this replaces the previous sensitive data exposure alert |
| February 5, 2025 | Recommendation | Upcoming Deprecation | The following recommendations will be deprecated:<br>* Configure Microsoft Defender for Storage (Classic) to be enabled<br>* Configure basic Microsoft Defender for Storage to be enabled (Activity Monitoring only) |
| January 29, 2025 | Recommendation | GA | We have further hardened the Running containers as root user should be avoided recommendation.<br><br>What's Changing?<br><br>We now require at least one range to be specified for the "Run as group rule". This change was needed to ensure containers will not get access to files owned by root, and groups with permissions to the root group. |
| January 13, 2025 | Alert | Preview | AI - Access from a suspicious IP |
| January 13, 2025 | Alert | Preview | AI - Suspected wallet attack |
| December 19, 2024 | Alert | GA | The following Azure Storage alerts are GA:<br>* Malicious blob was downloaded from a storage account<br>* Unusual SAS token was used to access an Azure storage account from a public IP address<br>* Suspicious external operation to an Azure storage account with overly permissive SAS token<br>* Suspicious external access to an Azure storage account with overly permissive SAS token<br>* Unusual unauthenticated public access to a sensitive blob container<br>* Unusual amount of data extracted from a sensitive blob container<br>* Unusual number of blobs extracted from a sensitive blob container<br>* Access from an unusual location to a sensitive blob container<br>* Access from a known suspicious application to a sensitive blob container<br>* Access from a known suspicious IP address to a sensitive blob container<br>* Access from a Tor exit node to a sensitive blob container |
| December 16, 2024 | Alert | Preview | AI - Access from a Tor IP |
| November 19, 2024 | Deprecation | GA | MFA recommendations are deprecated as Azure now requires it.<br>The following recommendations are deprecated:<br>* Accounts with read permissions on Azure resources should be MFA enabled<br>* Accounts with write permissions on Azure resources should be MFA enabled<br>* Accounts with owner permissions on Azure resources should be MFA enabled |
| November 19, 2024 | Alert | Preview | AI - suspicious user agent detected |
| November 19, 2024 | Alert | Preview | ASCII Smuggling prompt injection detected |
| October 30, 2024 | Alert | GA | Suspicious extraction of Azure Cosmos DB account keys |
| October 30, 2024 | Alert | GA | The access level of a sensitive storage blob container was changed to allow unauthenticated public access |
| October 30, 2024 | Recommendation | Upcoming Deprecation | MFA recommendations are deprecated as Azure now requires it.<br>The following recommendations will be deprecated:<br>* Accounts with read permissions on Azure resources should be MFA enabled<br>* Accounts with write permissions on Azure resources should be MFA enabled<br>* Accounts with owner permissions on Azure resources should be MFA enabled |
| October 12, 2024 | Recommendation | GA | Azure Database for PostgreSQL flexible server should have Microsoft Entra authentication only enabled |
| October 6, 2024 | Recommendation | Update | [Preview] Containers running in GCP should have vulnerability findings resolved |
| October 6, 2024 | Recommendation | Update | [Preview] Containers running in AWS should have vulnerability findings resolved |
| October 6, 2024 | Recommendation | Update | [Preview] Containers running in Azure should have vulnerability findings resolved |
| September 10, 2024 | Alert | Preview | Corrupted AI application\model\data directed a phishing attempt at a user |
| September 10, 2024 | Alert | Preview | Phishing URL shared in an AI application |
| September 10, 2024 | Alert | Preview | Phishing attempt detected in an AI application |
| September 5, 2024 | Recommendation | GA | System updates should be installed on your machines (powered by Azure Update Manager) |
| September 5, 2024 | Recommendation | GA | Machines should be configured to periodically check for missing system updates |

For information about new features, see What's new in Defender for Cloud features.