
Commit 3b28603

Merge pull request #223278 from MicrosoftDocs/main
publish main to live, Sunday 1/8 4 PM
2 parents e9b6668 + c20d714 commit 3b28603

28 files changed, +380 / -258 lines changed

articles/active-directory-b2c/azure-ad-b2c-global-identity-funnel-based-design.md

Lines changed: 1 addition & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -1,5 +1,5 @@
11
---
2-
title: Azure Active Directory B2C global identity framework funnel-based design considerations
2+
title: Build a global identity solution with funnel-based approach
33
titleSuffix: Azure AD B2C
44
description: Learn the funnel-based design consideration for Azure AD B2C to provide customer identity management for global customers.
55
services: active-directory-b2c
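Review bot: the new title on the `2+` line reads "with funnel-based approach" and is missing an article; suggest "Build a global identity solution with a funnel-based approach". The unchanged description still says "the funnel-based design consideration" (singular), which could become "design considerations" to read naturally alongside the new title.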

articles/active-directory-b2c/azure-ad-b2c-global-identity-region-based-design.md

Lines changed: 1 addition & 1 deletion
@@ -1,5 +1,5 @@
11
---
2-
title: Azure Active Directory B2C global identity framework region-based design considerations
2+
title: Build a global identity solution with region-based approach
33
titleSuffix: Azure AD B2C
44
description: Learn the region-based design consideration for Azure AD B2C to provide customer identity management for global customers.
55
services: active-directory-b2c
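Review bot: same article issue as the funnel-based title: the `2+` line should read "with a region-based approach", and the description's "region-based design consideration" would read better as "design considerations".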

articles/azure-functions/functions-event-grid-blob-trigger.md

Lines changed: 149 additions & 145 deletions

articles/defender-for-cloud/TOC.yml

Lines changed: 3 additions & 1 deletion
@@ -652,7 +652,9 @@
652652
- name: Defender EASM
653653
href: episode-twenty-two.md
654654
- name: Defender Threat Intelligence (Defender TI)
655-
href: episode-twenty-three.md
655+
href: episode-twenty-three.md
656+
- name: Enhancements in Defender for SQL Vulnerability Assessment
657+
href: episode-twenty-four.md
656658
- name: Manage user data
657659
href: privacy.md
658660
- name: Microsoft Defender for IoT documentation
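Review bot: the new `656+` entry "Enhancements in Defender for SQL Vulnerability Assessment" does not match the casing of the page it links to, whose title and H1 use "Enhancements in Defender for SQL vulnerability assessment"; pick one form and use it in the TOC, the page, and the episode-twenty-three next-step link.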

articles/defender-for-cloud/defender-for-cloud-planning-and-operations-guide.md

Lines changed: 31 additions & 17 deletions
@@ -3,14 +3,15 @@ title: Defender for Cloud Planning and Operations Guide
33
description: This document helps you to plan before adopting Defender for Cloud and considerations regarding daily operations.
44
ms.topic: conceptual
55
ms.custom: ignite-2022
6-
ms.date: 12/12/2022
6+
ms.date: 01/08/2023
77
---
8+
89
# Planning and operations guide
910

1011
This guide is for information technology (IT) professionals, IT architects, information security analysts, and cloud administrators planning to use Defender for Cloud.
1112

12-
1313
## Planning guide
14+
1415
This guide provides the background for how Defender for Cloud fits into your organization's security requirements and cloud management model. It's important to understand how different individuals or teams in your organization use the service to meet secure development and operations, monitoring, governance, and incident response needs. The key areas to consider when planning to use Defender for Cloud are:
1516

1617
- Security Roles and Access Controls
@@ -22,11 +23,11 @@ This guide provides the background for how Defender for Cloud fits into your org
2223

2324
In the next section, you'll learn how to plan for each one of those areas and apply those recommendations based on your requirements.
2425

25-
2626
> [!NOTE]
2727
> Read [Defender for Cloud frequently asked questions (FAQ)](faq-general.yml) for a list of common questions that can also be useful during the designing and planning phase.
2828
2929
## Security roles and access controls
30+
3031
Depending on the size and structure of your organization, multiple individuals and teams may use Defender for Cloud to perform different security-related tasks. In the following diagram, you have an example of fictitious personas and their respective roles and security responsibilities:
3132

3233
:::image type="content" source="./media/defender-for-cloud-planning-and-operations-guide/defender-for-cloud-planning-and-operations-guide-fig01-new.png" alt-text="Roles.":::
@@ -63,67 +64,78 @@ Defender for Cloud enables these individuals to meet these various responsibilit
6364
Defender for Cloud uses [Azure role-based access control (Azure RBAC)](../role-based-access-control/role-assignments-portal.md), which provides [built-in roles](../role-based-access-control/built-in-roles.md) that can be assigned to users, groups, and services in Azure. When a user opens Defender for Cloud, they only see information related to resources they have access to. Which means the user is assigned the role of Owner, Contributor, or Reader to the subscription or resource group that a resource belongs to. In addition to these roles, there are two roles specific to Defender for Cloud:
6465

6566
- **Security reader**: a user that belongs to this role is able to view only Defender for Cloud configurations, which include recommendations, alerts, policy, and health, but it won't be able to make changes.
67+
6668
- **Security admin**: same as security reader but it can also update the security policy, dismiss recommendations and alerts.
6769

6870
The personas explained in the previous diagram need these Azure RBAC roles:
6971

7072
**Jeff (Workload Owner)**
7173

72-
- Resource Group Owner/Contributor
74+
- Resource Group Owner/Contributor.
7375

7476
**Ellen (CISO/CIO)**
7577

76-
- Subscription Owner/Contributor or Security Admin
78+
- Subscription Owner/Contributor or Security Admin.
7779

7880
**David (IT Security)**
7981

80-
- Subscription Owner/Contributor or Security Admin
82+
- Subscription Owner/Contributor or Security Admin.
8183

8284
**Judy (Security Operations)**
8385

84-
- Subscription Reader or Security Reader to view Alerts
85-
- Subscription Owner/Contributor or Security Admin required to dismiss Alerts
86+
- Subscription Reader or Security Reader to view alerts.
87+
88+
- Subscription Owner/Contributor or Security Admin required to dismiss alerts.
8689

8790
**Sam (Security Analyst)**
8891

89-
- Subscription Reader to view Alerts
90-
- Subscription Owner/Contributor required to dismiss Alerts
92+
- Subscription Reader to view alerts.
93+
94+
- Subscription Owner/Contributor required to dismiss alerts.
95+
9196
- Access to the workspace may be required
9297

9398
Some other important information to consider:
9499

95100
- Only subscription Owners/Contributors and Security Admins can edit a security policy.
101+
96102
- Only subscription and resource group Owners and Contributors can apply security recommendations for a resource.
97103

98104
When planning access control using Azure RBAC for Defender for Cloud, make sure you understand who in your organization needs access to Defender for Cloud the tasks they'll perform. Then you can configure Azure RBAC properly.
99105

100106
> [!NOTE]
101107
> We recommend that you assign the least permissive role needed for users to complete their tasks. For example, users who only need to view information about the security state of resources but not take action, such as applying recommendations or editing policies, should be assigned the Reader role.
102-
>
103-
>
104108
105109
## Security policies and recommendations
106110
A security policy defines the desired configuration of your workloads and helps ensure compliance with company or regulatory security requirements. In Defender for Cloud, you can define policies for your Azure subscriptions, which can be tailored to the type of workload or the sensitivity of data.
107111

108-
Defender for Cloud policies contain the following components:
112+
Defenders for Cloud policies contain the following components:
113+
109114
- [Data collection](monitoring-components.md): agent provisioning and data collection settings.
115+
110116
- [Security policy](tutorial-security-policy.md): an [Azure Policy](../governance/policy/overview.md) that determines which controls are monitored and recommended by Defender for Cloud. You can also use Azure Policy to create new definitions, define more policies, and assign policies across management groups.
117+
111118
- [Email notifications](configure-email-notifications.md): security contacts and notification settings.
119+
112120
- [Pricing tier](enhanced-security-features-overview.md): with or without Microsoft Defender for Cloud's enhanced security features, which determine which Defender for Cloud features are available for resources in scope (can be specified for subscriptions and workspaces using the API).
113121

114122
> [!NOTE]
115123
> Specifying a security contact ensures that Azure can reach the right person in your organization if a security incident occurs. Read [Provide security contact details in Defender for Cloud](configure-email-notifications.md) for more information on how to enable this recommendation.
116124
117125
### Security policies definitions and recommendations
126+
118127
Defender for Cloud automatically creates a default security policy for each of your Azure subscriptions. You can edit the policy in Defender for Cloud or use Azure Policy to create new definitions, define more policies, and assign policies across management groups. Management groups can represent the entire organization or a business unit within the organization. You can monitor policy compliance across these management groups.
119128

120129
Before configuring security policies, review each of the [security recommendations](review-security-recommendations.md):
121130

122131
- See if these policies are appropriate for your various subscriptions and resource groups.
132+
123133
- Understand what actions address the security recommendations.
134+
124135
- Determine who in your organization is responsible for monitoring and remediating new recommendations.
125136

126137
## Data collection and storage
138+
127139
Defender for Cloud uses the Log Analytics agent and the Azure Monitor Agent to collect security data from your virtual machines. [Data collected](monitoring-components.md) from this agent is stored in your Log Analytics workspaces.
128140

129141
### Agent
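Review bot: the `112+` line introduces a typo: "Defenders for Cloud policies" should stay "Defender for Cloud policies" as on the `108-` line it replaces. While the persona role bullets are being normalized with trailing periods, the `9196` context line "- Access to the workspace may be required" is left without one. Drive-by in the same hunk: the `98104` context sentence "who in your organization needs access to Defender for Cloud the tasks they'll perform" is missing "and" before "the tasks".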
@@ -144,6 +156,7 @@ Data collected from the Log Analytics agent can be stored in an existing Log Ana
144156
In the Azure portal, you can browse to see a list of your Log Analytics workspaces, including any created by Defender for Cloud. A related resource group is created for new workspaces. Resources are created according to this naming convention:
145157

146158
- Workspace: *DefaultWorkspace-[subscription-ID]-[geo]*
159+
147160
- Resource Group: *DefaultResourceGroup-[geo]*
148161

149162
For workspaces created by Defender for Cloud, data is retained for 30 days. For existing workspaces, retention is based on the workspace pricing tier. If you want, you can also use an existing workspace.
@@ -152,7 +165,6 @@ If your agent reports to a workspace other than the **default** workspace, any M
152165

153166
> [!NOTE]
154167
> Microsoft makes strong commitments to protect the privacy and security of this data. Microsoft adheres to strict compliance and security guidelines—from coding to operating a service. For more information about data handling and privacy, read [Defender for Cloud Data Security](data-security.md).
155-
>
156168
157169
## Onboard non-Azure resources
158170

@@ -188,6 +200,7 @@ You can use [adaptive application controls](adaptive-application-controls.md) to
188200

189201

190202
## Incident response
203+
191204
Defender for Cloud detects and alerts you to threats as they occur. Organizations should monitor for new security alerts and take action as needed to investigate further or remediate the attack. For more information on how Defender for Cloud threat protection works, read [How Defender for Cloud detects and responds to threats](alerts-overview.md#detect-threats).
192205

193206
Although we can't create your Incident Response plan, we'll use Microsoft Azure Security Response in the Cloud lifecycle as the foundation for incident response stages. The stages of incident response in the cloud lifecycle are:
@@ -196,12 +209,13 @@ Although we can't create your Incident Response plan, we'll use Microsoft Azure
196209

197210
> [!NOTE]
198211
> You can use the National Institute of Standards and Technology (NIST) [Computer Security Incident Handling Guide](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf) as a reference to assist you building your own.
199-
>
200212
201-
You can use Defender for Cloud Alerts during the following stages:
213+
You can use Defender for Cloud alerts during the following stages:
202214

203215
- **Detect**: identify a suspicious activity in one or more resources.
216+
204217
- **Assess**: perform the initial assessment to obtain more information about the suspicious activity.
218+
205219
- **Diagnose**: use the remediation steps to conduct the technical procedure to address the issue.
206220

207221
Each Security Alert provides information that can be used to better understand the nature of the attack and suggest possible mitigations. Some alerts also provide links to either more information or to other sources of information within Azure. You can use the information provided for further research and to begin mitigation, and you can also search security-related data that is stored in your workspace.
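Review bot: the `213+` line lowercases "alerts", but the `207221` context line in the same hunk still reads "Each Security Alert"; lowercase that too ("Each security alert") so the terminology is consistent within the section.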
@@ -210,7 +224,7 @@ The following example shows a suspicious RDP activity taking place:
210224

211225
:::image type="content" source="./media/defender-for-cloud-planning-and-operations-guide/defender-for-cloud-planning-and-operations-guide-fig5-ga.png" alt-text="Suspicious activity.":::
212226

213-
This page shows the details regarding the time that the attack took place, the source hostname, the target VM and also gives recommendation steps. In some circumstances, the source information of the attack may be empty. Read [Missing Source Information in Defender for Cloud Alerts](/archive/blogs/azuresecurity/missing-source-information-in-azure-security-center-alerts) for more information about this type of behavior.
227+
This page shows the details regarding the time that the attack took place, the source hostname, the target VM and also gives recommendation steps. In some circumstances, the source information of the attack may be empty. Read [Missing Source Information in Defender for Cloud alerts](/archive/blogs/azuresecurity/missing-source-information-in-azure-security-center-alerts) for more information about this type of behavior.
214228

215229
Once you identify the compromised system, you can run a [workflow automation](workflow-automation.md) that was previously created. Workflow automations are a collection of procedures that can be executed from Defender for Cloud once triggered by an alert.
216230

Lines changed: 41 additions & 0 deletions
@@ -0,0 +1,41 @@
1+
---
2+
title: Enhancements in Defender for SQL vulnerability assessment | Defender for Cloud in the field
3+
titleSuffix: Microsoft Defender for Cloud
4+
description: Learn about Enhancements in Defender for SQL Vulnerability Assessment
5+
ms.topic: reference
6+
ms.date: 01/05/2023
7+
---
8+
9+
# Enhancements in Defender for SQL vulnerability assessment | Defender for Cloud in the field
10+
11+
**Episode description**: In this episode of Defender for Cloud in the Field, Catalin Esanu joins Yuri Diogenes to talk about the enhancements in Defender for SQL Vulnerability Assessment (VA) capability that were announced. Catalin explains how the new SQL VA Express changed to allow a frictionless onboarding experience and how it became easier to manage VA baselines. Catalin demonstrates how to enable this experience and how to customize the baseline with companion scripts.
12+
<br>
13+
<br>
14+
<iframe src="https://aka.ms/docs/player?id=cbd8ace6-4602-4900-bb73-cf8986605639" width="1080" height="530" allowFullScreen="true" frameBorder="0"></iframe>
15+
16+
- [01:23](/shows/mdc-in-the-field/defender-sql-enhancements#time=01m23s) - Architecture change in SQL VA
17+
- [05:30](/shows/mdc-in-the-field/defender-sql-enhancements#time=05m30s) - Enabling SQL VA Express
18+
- [06:25](/shows/mdc-in-the-field/defender-sql-enhancements#time=06m25s) - Performance considerations
19+
- [08:49](/shows/mdc-in-the-field/defender-sql-enhancements#time=08m49s) - Other additions to SQL VA Express
20+
- [12:56](/shows/mdc-in-the-field/defender-sql-enhancements#time=12m56s) - Demonstration
21+
22+
23+
## Recommended resources
24+
- [Learn more](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/new-express-configuration-for-vulnerability-assessment-in/ba-p/3695390) about Defender for SQL Vulnerability Assessment (VA).
25+
- Subscribe to [Microsoft Security on YouTube](https://www.youtube.com/playlist?list=PL3ZTgFEc7LysiX4PfHhdJPR7S8mGO14YS)
26+
- Join our [Tech Community](https://aka.ms/SecurityTechCommunity)
27+
- For more about [Microsoft Security](https://msft.it/6002T9HQY)
28+
29+
- Follow us on social media:
30+
31+
- [LinkedIn](https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbFk5TXZuQld2NlpBRV9BQlJqMktYSm95WWhCZ3xBQ3Jtc0tsQU13MkNPWGNFZzVuem5zc05wcnp0VGxybHprVTkwS2todWw0b0VCWUl4a2ZKYVktNGM1TVFHTXpmajVLcjRKX0cwVFNJaDlzTld4MnhyenBuUGRCVmdoYzRZTjFmYXRTVlhpZGc4MHhoa3N6ZDhFMA&q=https%3A%2F%2Fwww.linkedin.com%2Fshowcase%2Fmicrosoft-security%2F)
32+
- [Twitter](https://twitter.com/msftsecurity)
33+
34+
- Join our [Tech Community](https://aka.ms/SecurityTechCommunity)
35+
36+
- Learn more about [Microsoft Security](https://msft.it/6002T9HQY)
37+
38+
## Next steps
39+
40+
> [!div class="nextstepaction"]
41+
> [New AWS Connector in Microsoft Defender for Cloud](episode-one.md)
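Review bot: the Recommended resources list has duplicate entries: "Join our [Tech Community](https://aka.ms/SecurityTechCommunity)" appears twice, and the https://msft.it/6002T9HQY link appears twice ("For more about [Microsoft Security]" and "Learn more about [Microsoft Security]"); keep one of each. The LinkedIn item links through a www.youtube.com/redirect URL that carries a redir_token rather than the LinkedIn page itself; link directly to https://www.linkedin.com/showcase/microsoft-security/ (the destination in its q= parameter). Minor: the description "Learn about Enhancements in Defender for SQL Vulnerability Assessment" capitalizes the phrase while the title and H1 use "vulnerability assessment".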

articles/defender-for-cloud/episode-twenty-three.md

Lines changed: 1 addition & 1 deletion
@@ -40,4 +40,4 @@ ms.date: 12/21/2022
4040
## Next steps
4141

4242
> [!div class="nextstepaction"]
43-
> [New AWS Connector in Microsoft Defender for Cloud](episode-one.md)
43+
> [Enhancements in Defender for SQL Vulnerability Assessment](episode-twenty-four.md)

articles/defender-for-cloud/faq-azure-monitor-logs.yml

Lines changed: 1 addition & 1 deletion
@@ -7,7 +7,7 @@ metadata:
77
ms.author: elkrieger
88
manager: raynew
99
ms.topic: faq
10-
ms.date: 11/14/2021
10+
ms.date: 01/08/2023
1111
title: 'FAQ for customers already using Azure Monitor logs'
1212
summary: |
1313

articles/defender-for-cloud/faq-general.yml

Lines changed: 1 addition & 1 deletion
@@ -8,7 +8,7 @@ metadata:
88
manager: raynew
99
ms.topic: faq
1010
ms.custom: ignite-2022
11-
ms.date: 11/09/2021
11+
ms.date: 01/08/2023
1212
title: FAQ - General questions about Microsoft Defender for Cloud
1313
summary: |
1414

articles/defender-for-cloud/faq-permissions.yml

Lines changed: 1 addition & 1 deletion
@@ -7,7 +7,7 @@ metadata:
77
ms.author: elkrieger
88
manager: raynew
99
ms.topic: faq
10-
ms.date: 11/09/2021
10+
ms.date: 01/08/2023
1111
title: Permissions
1212
summary: |
1313
