
Commit 3aad939

Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into mdfc-melvyn-recsupdateaws
2 parents f686ae4 + 72f568c commit 3aad939

11 files changed, +22 -19 lines changed

articles/defender-for-cloud/recommendations-reference.md

Lines changed: 1 addition & 1 deletion
@@ -4,7 +4,7 @@ description: This article lists Microsoft Defender for Cloud's security recommen
44
author: memildin
55
ms.service: defender-for-cloud
66
ms.topic: reference
7-
ms.date: 01/08/2022
7+
ms.date: 01/12/2022
88
ms.author: memildin
99
ms.custom: generated
1010
---
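Review bot: this hunk only moves ms.date from 01/08/2022 to 01/12/2022; no content line in recommendations-reference.md changes. Since the front matter carries ms.custom: generated, confirm the date bump came from the same generator run that updated the include files below rather than a hand edit, so the reference page's metadata stays in step with the includes it is built from.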

articles/sentinel/work-with-threat-indicators.md

Lines changed: 2 additions & 0 deletions
@@ -94,6 +94,8 @@ Tagging threat indicators is an easy way to group them together to make them eas
9494

9595
:::image type="content" source="media/work-with-threat-indicators/threat-intel-tagging-indicators.png" alt-text="Apply tags to threat indicators" lightbox="media/work-with-threat-indicators/threat-intel-tagging-indicators.png":::
9696

97+
Microsoft Sentinel also allows you to edit indicators, whether they've been created directly in Microsoft Sentinel, or come from partner sources, like TIP and TAXII servers. For indicators created in Microsoft Sentinel, all fields are editable. For indicators coming from partner sources, only specific fields are editable, including tags, *Expiration date*, *Confidence*, and *Revoked*.
98+
9799
## Detect threats with threat indicator-based analytics
98100

99101
The most important use case for threat indicators in SIEM solutions like Microsoft Sentinel is to power threat detection analytics rules. These indicator-based rules compare raw events from your data sources against your threat indicators to determine the presence of security threats in your organization. In Microsoft Sentinel **Analytics**, you create analytics rules that run on a scheduled basis and generate security alerts. The rules are driven by queries, along with configurations that determine how often the rule should run, what kind of query results should generate security alerts and incidents, and which automations to trigger in response.
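Review bot: the added paragraph lists the editable fields for partner-sourced indicators as "including tags, *Expiration date*, *Confidence*, and *Revoked*", which leaves the reader unsure whether those four are the complete set or only examples; if they are the full list, drop "including" and state it exhaustively, and format *Tags* in italics like the other field names in the same sentence. "TIP" is also used in this hunk without expansion; spell out "threat intelligence platform (TIP)" on first use unless the article introduces the acronym earlier.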

includes/asc-recs-appservices.md

Lines changed: 2 additions & 2 deletions
@@ -2,7 +2,7 @@
22
author: memildin
33
ms.service: defender-for-cloud
44
ms.topic: include
5-
ms.date: 01/08/2022
5+
ms.date: 01/12/2022
66
ms.author: memildin
77
ms.custom: generated
88
---
@@ -15,7 +15,7 @@ There are **31** recommendations in this category.
1515
|[CORS should not allow every resource to access API Apps](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/e40df93c-7a7c-1b0a-c787-9987ceb98e54) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app.<br />(Related policy: [CORS should not allow every resource to access your API App](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fmicrosoft.authorization%2fpolicydefinitions%2f358c20a6-3f9e-4f0e-97ff-c6ce485e2aac)) |Low |
1616
|[CORS should not allow every resource to access Function Apps](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/7b3d4796-9400-2904-692b-4a5ede7f0a1e) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app.<br />(Related policy: [CORS should not allow every resource to access your Function Apps](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fmicrosoft.authorization%2fpolicydefinitions%2f0820b7b9-23aa-4725-a1ce-ae4558f718e5)) |Low |
1717
|[CORS should not allow every resource to access Web Applications](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/df4d1739-47f0-60c7-1706-3731fea6ab03) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app.<br />(Related policy: [CORS should not allow every resource to access your Web Applications](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fmicrosoft.authorization%2fpolicydefinitions%2f5744710e-cc2f-4ee8-8809-3b11e89f4bc9)) |Low |
18-
|[Diagnostic logs should be enabled in App Service](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/40394a2c-60fb-7cc5-1944-065772e94f05) |Audit enabling of diagnostic logs on the app.<br>This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised<br />(No related policy) |Medium |
18+
|[Diagnostic logs in App Service should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/40394a2c-60fb-7cc5-1944-065772e94f05) |Audit enabling of diagnostic logs on the app.<br>This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised<br />(No related policy) |Medium |
1919
|[Ensure API app has Client Certificates Incoming client certificates set to On](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/ce2768c3-a7c7-1bbf-22cd-f9db675a9807) |Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app.<br />(Related policy: [Ensure API app has 'Client Certificates (Incoming client certificates)' set to 'On'](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2f0c192fe8-9cbb-4516-85b3-0ade8bd03886)) |Medium |
2020
|[FTPS should be required in API apps](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/67fc622b-4ce6-8c52-08ae-9f830036b757) |Enable FTPS enforcement for enhanced security<br />(Related policy: [FTPS only should be required in your API App](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2f9a1b8c48-453a-4044-86c3-d8bfd823e4f5)) |High |
2121
|[FTPS should be required in function apps](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/972a6579-f38f-c0b9-1b4b-a5bbeba3ab5b) |Enable FTPS enforcement for enhanced security<br />(Related policy: [FTPS only should be required in your Function App](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2f399b2637-a50f-4f95-96f8-3a145476eb15)) |High |
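Review bot: the renamed row keeps the same assessmentKey (40394a2c-60fb-7cc5-1944-065772e94f05), so this is a display-name change only, but the description carried over still lacks terminal punctuation ("...or your network is compromised<br />") and mixes `<br>` with `<br />` inside one cell; since the row is being touched anyway, add the period and use the `<br />` form the rest of the table uses.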

includes/asc-recs-compute.md

Lines changed: 1 addition & 1 deletion
@@ -2,7 +2,7 @@
22
author: memildin
33
ms.service: defender-for-cloud
44
ms.topic: include
5-
ms.date: 01/08/2022
5+
ms.date: 01/12/2022
66
ms.author: memildin
77
ms.custom: generated
88
---

includes/asc-recs-container.md

Lines changed: 4 additions & 3 deletions
@@ -2,18 +2,19 @@
22
author: memildin
33
ms.service: defender-for-cloud
44
ms.topic: include
5-
ms.date: 01/08/2022
5+
ms.date: 01/12/2022
66
ms.author: memildin
77
ms.custom: generated
88
---
99

10-
There are **23** recommendations in this category.
10+
There are **24** recommendations in this category.
1111

1212
|Recommendation |Description |Severity |
1313
|---|---|---|
1414
|[\[Enable if required\] Container registries should be encrypted with a customer-managed key (CMK)](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/af560c4d-9c05-e073-b9f1-f7a94958ff25) |Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements. <br> To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in <a target="_blank" href="/azure/defender-for-cloud/tutorial-security-policy?wt.mc_id=defenderforcloud_inproduct_portal_recoremediation">Manage security policies</a>.<br>Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.<br />(Related policy: [Container registries should be encrypted with a customer-managed key (CMK)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2f5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580)) |Low |
1515
|[\[Preview\] Kubernetes clusters should gate deployment of vulnerable images](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/111cb068-89df-48bd-9493-2e6773444af8) |Protect your Kubernetes clusters and container workloads from potential threats by restricting deployment of container images with vulnerable software components. <a href='https://aka.ms/AzureDefenderCICDscanning'>Use Defender for Cloud's CI/CD scanning</a> and <a href='https://aka.ms/AzureDefenderForContainerRegistries'>Microsoft Defender for container registries</a> to identify and patch vulnerabilities prior to deployment.<br>Evaluation prerequisite: Azure policy add-on/extension and the Defender profile/extension.<br>Applicable only for private preview customers.<br />(No related policy) |High |
16-
|[Azure Kubernetes Service clusters should have the Azure Policy Add-on for Kubernetes installed](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/08e628db-e2ed-4793-bc91-d13e684401c3) |Azure Policy Add-on for Kubernetes extends <a target="_blank" href="https://github.com/open-policy-agent/gatekeeper">Gatekeeper</a> v3, an admission controller webhook for <a target="_blank" href="https://www.openpolicyagent.org/">Open Policy Agent</a> (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.<p>Defender for Cloud requires the Add-on to audit and enforce security capabilities and compliance inside your clusters. <a target="_blank" href="/azure/governance/policy/concepts/policy-for-kubernetes"> Learn more</a>.</p><p>Requires Kubernetes v1.14.0 or later.</p><br />(Related policy: [Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2f0a15ec92-a229-4763-bb14-0ea34a568f8d)) |High |
16+
|[Azure Arc-enabled Kubernetes clusters should have the Azure Policy extension installed](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/0642d770-b189-42ef-a2ce-9dcc3ec6c169) |Azure Policy extension for Kubernetes extends <a target="_blank" href="https://github.com/open-policy-agent/gatekeeper">Gatekeeper</a> v3, an admission controller webhook for <a target="_blank" href="https://www.openpolicyagent.org/">Open Policy Agent</a> (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.<br />(No related policy) |High |
17+
|[Azure Kubernetes Service clusters should have the Azure Policy add-on for Kubernetes installed](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/08e628db-e2ed-4793-bc91-d13e684401c3) |Azure Policy add-on for Kubernetes extends <a target="_blank" href="https://github.com/open-policy-agent/gatekeeper">Gatekeeper</a> v3, an admission controller webhook for <a target="_blank" href="https://www.openpolicyagent.org/">Open Policy Agent</a> (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.<p>Defender for Cloud requires the Add-on to audit and enforce security capabilities and compliance inside your clusters. <a target="_blank" href="/azure/governance/policy/concepts/policy-for-kubernetes"> Learn more</a>.</p><p>Requires Kubernetes v1.14.0 or later.</p><br />(Related policy: [Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2f0a15ec92-a229-4763-bb14-0ea34a568f8d)) |High |
1718
|[Container CPU and memory limits should be enforced](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/405c9ae6-49f9-46c4-8873-a86690f27818) |Enforcing CPU and memory limits prevents resource exhaustion attacks (a form of denial of service attack).<p>We recommend setting limits for containers to ensure the runtime prevents the container from using more than the configured resource limit.</p><br />(Related policy: [Ensure container CPU and memory resource limits do not exceed the specified limits in Kubernetes cluster](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2fe345eecc-fa47-480f-9e88-67dcc122b164)) |Medium |
1819
|[Container images should be deployed from trusted registries only](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/8d244d29-fa00-4332-b935-c3a51d525417) |Images running on your Kubernetes cluster should come from known and monitored container image registries. Trusted registries reduce your cluster's exposure risk by limiting the potential for the introduction of unknown vulnerabilities, security issues and malicious images.<br />(Related policy: [Ensure only allowed container images in Kubernetes cluster](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2ffebd0533-8e55-448f-b837-bd0e06f16469)) |High |
1920
|[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/9b828565-a0ed-61c2-6bf3-1afc99a9b2ca) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific public IP addresses or address ranges. If your registry doesn't have an IP/firewall rule or a configured virtual network, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/portal/public-network and here https://aka.ms/acr/vnet.<br />(Related policy: [Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2fd0793b48-0edc-4296-a390-4c75d1bdfd71)) |Medium |
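Review bot: the renamed AKS row is internally inconsistent after this change: its title and first sentence now say "Azure Policy add-on", while the same cell still says "Defender for Cloud requires the Add-on" and the related-policy link text still reads "Azure Policy Add-on for Kubernetes service (AKS)"; pick one casing for the whole row. The new Azure Arc-enabled Kubernetes row also omits the "Learn more" link and the Kubernetes version prerequisite that the neighbouring AKS row carries, and is marked "(No related policy)"; if an equivalent policy definition exists for the Arc extension it should be linked like the other rows, otherwise confirm the omission is intended. The count change from **23** to **24** matches the net +1 row (one row replaced by two) in this hunk.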

includes/asc-recs-data.md

Lines changed: 1 addition & 1 deletion
@@ -2,7 +2,7 @@
22
author: memildin
33
ms.service: defender-for-cloud
44
ms.topic: include
5-
ms.date: 01/08/2022
5+
ms.date: 01/12/2022
66
ms.author: memildin
77
ms.custom: generated
88
---

includes/asc-recs-identityandaccess.md

Lines changed: 1 addition & 1 deletion
@@ -2,7 +2,7 @@
22
author: memildin
33
ms.service: defender-for-cloud
44
ms.topic: include
5-
ms.date: 01/08/2022
5+
ms.date: 01/12/2022
66
ms.author: memildin
77
ms.custom: generated
88
---

includes/asc-recs-iot.md

Lines changed: 1 addition & 1 deletion
@@ -2,7 +2,7 @@
22
author: memildin
33
ms.service: defender-for-cloud
44
ms.topic: include
5-
ms.date: 01/08/2022
5+
ms.date: 01/12/2022
66
ms.author: memildin
77
ms.custom: generated
88
---

includes/asc-recs-networking.md

Lines changed: 1 addition & 1 deletion
@@ -2,7 +2,7 @@
22
author: memildin
33
ms.service: defender-for-cloud
44
ms.topic: include
5-
ms.date: 01/08/2022
5+
ms.date: 01/12/2022
66
ms.author: memildin
77
ms.custom: generated
88
---

includes/asc/recommendations-with-deny.md

Lines changed: 1 addition & 1 deletion
@@ -2,7 +2,7 @@
22
author: memildin
33
ms.service: defender-for-cloud
44
ms.topic: include
5-
ms.date: 01/08/2022
5+
ms.date: 01/12/2022
66
ms.author: memildin
77
ms.custom: generated
88
---
