Merge pull request #175219 from MicrosoftDocs/master

Merge master to live, Sunday 4 PM

Author: jborsecnik

articles/security-center/release-notes.md

@@ -42,6 +42,7 @@ Use the security recommendation "[A vulnerability assessment solution should be
 
 To automatically surface the vulnerabilities, on existing and new machines, without the need to manually remediate the recommendation, see [Vulnerability assessment solutions can now be auto enabled (in preview)](#vulnerability-assessment-solutions-can-now-be-auto-enabled-in-preview).
 
+Learn more in [Investigate weaknesses with Microsoft Defender for Endpoint's threat and vulnerability management](deploy-vulnerability-assessment-tvm.md).
 
 ### Vulnerability assessment solutions can now be auto enabled (in preview)
 
@@ -64,6 +65,8 @@ The [asset inventory](asset-inventory.md) page now includes a filter to select m
 
 Additionally, you can query the software inventory data in **Azure Resource Graph Explorer**.
 
+To use these new features, you'll need to enable the [integration with Microsoft Defender for Endpoint](security-center-wdatp.md). 
+
 For full details, including sample Kusto queries for Azure Resource Graph, see [Access a software inventory](asset-inventory.md#access-a-software-inventory).
 
 :::image type="content" source="media/deploy-vulnerability-assessment-tvm/software-inventory.png" alt-text="If you've enabled the threat and vulnerability solution, Security Center's asset inventory offers a filter to select resources by their installed software.":::

articles/security-center/upcoming-changes.md

@@ -5,7 +5,7 @@ author: memildin
 manager: rkarlin
 ms.service: security-center
 ms.topic: overview
-ms.date: 10/08/2021
+ms.date: 10/10/2021
 ms.author: memildin
 
 ---
@@ -27,6 +27,7 @@ If you're looking for the latest release notes, you'll find them in the [What's
 | [Deprecating a preview alert: ARM.MCAS_ActivityFromAnonymousIPAddresses](#deprecating-a-preview-alert-armmcas_activityfromanonymousipaddresses)             | October 2021|
 | [Legacy implementation of ISO 27001 is being replaced with new ISO 27001:2013](#legacy-implementation-of-iso-27001-is-being-replaced-with-new-iso-270012013)| October 2021|
 | [Changes to recommendations for managing endpoint protection solutions](#changes-to-recommendations-for-managing-endpoint-protection-solutions)             | November 2021    |
+| [Multiple changes to identity recommendations](#multiple-changes-to-identity-recommendations)             | November 2021    |
 | [Enhancements to recommendation to classify sensitive data in SQL databases](#enhancements-to-recommendation-to-classify-sensitive-data-in-sql-databases)   | Q1 2022    |
 |||
 
@@ -71,6 +72,56 @@ Learn more:
 - [Security Center's supported endpoint protection solutions](security-center-services.md#endpoint-supported)
 - [How these recommendations assess the status of your deployed solutions](security-center-endpoint-protection.md)
 
+### Multiple changes to identity recommendations
+
+**Estimated date for change:** November 2021
+
+Security Center includes multiple recommendations for improving the management of users and accounts. In November, we'll be making the changes outlined below.
+
+- **Improved freshness interval** - Currently, the identity recommendations have a freshness interval of 24 hours. This update will reduce that interval to 12 hours.
+
+- **Account exemption capability** - Security Center has many features for customizing the experience and making sure your secure score reflects your organization's security priorities. The exempt option on security recommendations is one such feature. For a full overview and instructions, see [Exempting resources and recommendations from your secure score](exempt-resource.md). With this update, you'll be able to exempt specific accounts from evaluation by the eight recommendations listed in the following table.
+
+    Typically, you'd exempt emergency “break glass” accounts from MFA recommendations, because such accounts are often deliberately excluded from an organization's MFA requirements. Alternatively, you might have external accounts that you'd like to permit access to but which don't have MFA enabled.
+
+    > [!TIP]
+    > When you exempt an account, it won't be shown as unhealthy and also won't cause a subscription to appear  unhealthy.
+
+    |Recommendation| Assessment key|
+    |-|-|
+    |[MFA should be enabled on accounts with owner permissions on your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/94290b00-4d0c-d7b4-7cea-064a9554e681)|94290b00-4d0c-d7b4-7cea-064a9554e681|
+    |[MFA should be enabled on accounts with read permissions on your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/151e82c5-5341-a74b-1eb0-bc38d2c84bb5)|151e82c5-5341-a74b-1eb0-bc38d2c84bb5|
+    |[MFA should be enabled on accounts with write permissions on your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/57e98606-6b1e-6193-0e3d-fe621387c16b)|57e98606-6b1e-6193-0e3d-fe621387c16b|
+    |[External accounts with owner permissions should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/c3b6ae71-f1f0-31b4-e6c1-d5951285d03d)|c3b6ae71-f1f0-31b4-e6c1-d5951285d03d|
+    |[External accounts with read permissions should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b)|a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b|
+    |[External accounts with write permissions should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/04e7147b-0deb-9796-2e5c-0336343ceb3d)|04e7147b-0deb-9796-2e5c-0336343ceb3d|
+    |[Deprecated accounts with owner permissions should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/e52064aa-6853-e252-a11e-dffc675689c2)|e52064aa-6853-e252-a11e-dffc675689c2|
+    |[Deprecated accounts should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/00c6d40b-e990-6acf-d4f3-471e747a27c4)|00c6d40b-e990-6acf-d4f3-471e747a27c4|
+    |||
+ 
+- **Recommendations rename** - From this update, we're renaming two recommendations. We're also revising their descriptions. The assessment keys will remain unchanged. 
+
+
+    |Property  |Current value  | From the update|
+    |---------|---------|---------|
+    |Assessment key     | e52064aa-6853-e252-a11e-dffc675689c2        | Unchanged|
+    |Name     |[Deprecated accounts with owner permissions should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/e52064aa-6853-e252-a11e-dffc675689c2)         |Subscriptions should be purged of accounts that are blocked in Active Directory and have owner permissions        |
+    |Description     |User accounts that have been blocked from signing in, should be removed from your subscriptions.<br>These accounts can be targets for attackers looking to find ways to access your data without being noticed.|User accounts that have been blocked from signing into Active Directory, should be removed from your subscriptions. These accounts can be targets for attackers looking to find ways to access your data without being noticed.<br>Learn more about securing the identity perimeter in [Azure Identity Management and access control security best practices](/azure/security/fundamentals/identity-management-best-practices.md).|
+    |Related policy     |[Deprecated accounts with owner permissions should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2febb62a0c-3560-49e1-89ed-27e074e9f8ad)         |Subscriptions should be purged of accounts that are blocked in Active Directory and have owner permissions |
+    |||
+
+    |Property  |Current value  | From the update|
+    |---------|---------|---------|
+    |Assessment key     | 00c6d40b-e990-6acf-d4f3-471e747a27c4        | Unchanged|
+    |Name     |[Deprecated accounts should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/00c6d40b-e990-6acf-d4f3-471e747a27c4)|Subscriptions should be purged of accounts that are blocked in Active Directory and have read and write permissions|
+    |Description     |User accounts that have been blocked from signing in, should be removed from your subscriptions.<br>These accounts can be targets for attackers looking to find ways to access your data without being noticed.|User accounts that have been blocked from signing into Active Directory, should be removed from your subscriptions. These accounts can be targets for attackers looking to find ways to access your data without being noticed.<br>Learn more about securing the identity perimeter in [Azure Identity Management and access control security best practices](/azure/security/fundamentals/identity-management-best-practices.md).|
+    |Related policy     |[Deprecated accounts should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2f6b1cbf55-e8b6-442f-ba4c-7246b6381474)|Subscriptions should be purged of accounts that are blocked in Active Directory and have read and write permissions|
+    |||
+ 
+
+
+
+
 ### Enhancements to recommendation to classify sensitive data in SQL databases
 
 **Estimated date for change:** Q1 2022

articles/sentinel/TOC.yml

@@ -188,6 +188,8 @@
         href: import-export-analytics-rules.md
       - name: Work with SOC-ML anomaly rules
         href: work-with-anomaly-rules.md
+      - name: Manage template versions for analytics rules
+        href: manage-analytics-rule-templates.md
     - name: Enable User and Entity Behavior Analytics (UEBA)
       href: enable-entity-behavior-analytics.md
     - name: Work with SOC-ML anomaly rules

articles/sentinel/manage-analytics-rule-templates.md

@@ -0,0 +1,120 @@
+---
+title: Manage template versions for your scheduled analytics rules in Azure Sentinel
+description: Learn how to manage the relationship between your scheduled analytics rule templates and the rules created from those templates. Merge updates to the templates into your rules, and revert changes in your rules back to the original template.
+services: sentinel
+documentationcenter: na
+author: yelevin
+manager: rkarlin
+editor: ''
+
+ms.service: azure-sentinel
+ms.subservice: azure-sentinel
+ms.devlang: na
+ms.topic: how-to
+ms.tgt_pltfrm: na
+ms.workload: na
+ms.date: 10/03/2021
+ms.author: yelevin
+
+---
+# Manage template versions for your scheduled analytics rules in Azure Sentinel
+
+> [!IMPORTANT]
+>
+> This feature is in **PREVIEW**. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
+
+## Introduction
+
+Azure Sentinel comes with [analytics rule templates](detect-threats-built-in.md) that you turn into active rules by effectively creating a copy of them – that’s what happens when you create a rule from a template. At that point, however, the active rule is no longer connected to the template. If changes are made to a rule template, by Microsoft engineers or anyone else, any rules created from that template beforehand are ***not*** dynamically updated to match the new template.
+
+However, rules created from templates ***do*** remember which templates they came from, which allows you two advantages:
+
+- If you made changes to a rule when creating it from a template (or at any time after that), you can always revert the rule back to its original version (as a copy of the template).
+
+- You can get notified when a template is updated, and you'll have the choice to update your rules to the new version of their templates or leave them as they are.
+
+This article will show you how to manage these tasks, and what to keep in mind. The procedures discussed below apply to any **[Scheduled](detect-threats-built-in.md#scheduled)** analytics rules created from templates.
+
+## Discover your rule's template version number
+
+With the implementation of template version control, you can see and track the versions of your rule templates and the rules created from them. Rules whose templates have been updated display an "*Update available*" badge next to the rule name.
+
+1. On the **Analytics** blade, select the **Active rules** tab.
+
+1. Select any rule of type **Scheduled**.  
+
+    - If the rule displays the "*Update available*" badge, its details pane will have a **Review and update** button next to the **Edit** button (see image 1 in the next step below).
+
+    - If the rule was created from a template but does not have the "*Update available*" badge, its details pane will have a **Compare with template** button next to the **Edit** button (see images 2 and 3 in the next step below).
+
+    - If there is only an **Edit** button, the rule was created from scratch, not from a template.
+
+        :::image type="content" source="media/manage-analytics-rule-templates/see-rules-with-updated-template.png" alt-text="Screenshot of active rules list, with badge indicating a template update is available." lightbox="media/manage-analytics-rule-templates/see-rules-with-updated-template.png":::
+
+1. Scroll down to the bottom of the details pane, where you'll see two version numbers: the version of the template from which the rule was created, and the latest available version of the template. 
+
+    :::image type="content" source="media/manage-analytics-rule-templates/see-template-versions.png" alt-text="Screenshot of details pane. Scroll down to see template version numbers." border="false":::
+
+    The number is in a “1.0.0” format – major version, minor version, and build.  
+    (For the time being, the build number is not in use and will always be 0.)
+
+    - A difference in the *major version* number indicates that something essential in the template was changed, that could affect how the rule detects threats or even its ability to function altogether. This is a change you will want to include in your rules.
+
+    - A difference in the *minor version* number indicates a minor improvement in the template – a cosmetic change or something similar – that would be “nice to have” but is not critical to maintaining the rule’s functionality, efficacy, or performance. This is a change that you could just as easily take or leave.
+
+    > [!NOTE]
+    > Images 2 and 3 above show two examples of rules created from templates, where the template has not been updated.
+    > - Image 2 shows a rule that has a version number for its current template. This signals that the rule was created after Azure Sentinel's initial implementation of template version control in October 2021.
+    > - Image 3 shows a rule that doesn't have a current template version. This shows that the rule had been created before October 2021. If there is a latest template version available, it's likely a newer version of the template than the one used to create the rule.
+
+## Compare your active rule with its template
+
+Choose one of the following tabs according to the action you wish to take, to see the instructions for that action:
+
+# [Update template](#tab/update)
+
+Having selected a rule and determined that you want to consider updating it, select **Review and update** on the details pane (see above). You'll see that the **Analytics rule wizard** now has a **Compare to latest version** tab.
+
+On this tab you'll see a side-by-side comparison between the YAML representations of the existing rule and the latest version of the template. 
+
+:::image type="content" source="media/manage-analytics-rule-templates/compare-template-versions.png" alt-text="Screenshot of 'Compare to latest version' tab in Analytics rule wizard.":::
+
+> [!NOTE]
+> Updating this rule will overwrite your existing rule with the latest version of the template.
+Any automation step or logic that makes reference to the existing rule should be verified, in case the referenced names have changed. Also, any customizations you made in creating the original rule - changes to the query, scheduling, grouping, or other settings - may be overwritten.
+
+### Update your rule with the new template version
+
+- If the changes made to the new version of the template are acceptable to you, and nothing else in your original rule has been affected, select **Review and update** to validate and apply the changes. 
+
+- If you want to further customize the rule or re-apply any changes that might otherwise be overwritten, select **Next : Custom changes**. If you choose this, you will cycle through the remaining tabs of the [Analytics rule wizard](detect-threats-custom.md) to make those changes, after which you will validate and apply the changes on the **Review and update** tab.
+
+- If you don't want to make any changes to your existing rule, but rather to keep the existing template version, simply exit the wizard by selecting the X in the upper right corner.
+
+# [Revert to template](#tab/revert)
+
+Having selected a rule and determined that you want to revert to its original version, select **Compare with template** on the details pane (see above). You'll see that the **Analytics rule wizard** now has a **Compare to latest version** tab.
+
+On this tab you'll see a side-by-side comparison between the YAML representations of the existing rule and the latest version of the template. These two version numbers may be the same, but the left side shows the active rule including any changes that have been made to it during or after its creation from the template, while the right side shows the unchanged template.
+
+:::image type="content" source="media/manage-analytics-rule-templates/compare-template-versions-2.png" alt-text="Screenshot of 'Compare to latest version' tab in Analytics rule wizard.":::
+
+> [!NOTE]
+> Updating this rule will overwrite your existing rule with the latest version of the template.
+Any automation step or logic that makes reference to the existing rule should be verified, in case the referenced names have changed. Also, any customizations you made in creating the original rule - changes to the query, scheduling, grouping, or other settings - may be overwritten.
+
+### Revert your rule to its original template version
+
+- If you want to revert completely to the original version of this rule - a clean copy of the template - select **Review and update** to validate and apply the changes. 
+
+- If you want to customize the rule differently or re-apply any changes that might otherwise be overwritten, select **Next : Custom changes**. If you choose this, you will cycle through the remaining tabs of the [Analytics rule wizard](detect-threats-custom.md) to make those changes, after which you will validate and apply the changes on the **Review and update** tab.
+
+- If you don't want to make any changes to your existing rule, simply exit the wizard by selecting the X in the upper right corner.
+
+---
+
+## Next steps
+In this document, you learned how to track the versions of your Azure Sentinel analytics rule templates, and either to revert active rules to existing template versions, or update them to new ones. To learn more about Azure Sentinel, see the following articles:
+
+- Learn more about [analytics rules](detect-threats-built-in.md).
+- See more details about the [analytics rule wizard](detect-threats-custom.md).