Merge pull request #210186 from MicrosoftDocs/main

9/5/2022 PM Publish

Author: Taojunshen

articles/active-directory/develop/apple-sso-plugin.md

@@ -18,7 +18,7 @@ ms.custom: aaddev
 # Microsoft Enterprise SSO plug-in for Apple devices (preview)
 
 > [!IMPORTANT]
-> This feature [!INCLUDE [PREVIEW BOILERPLATE](../../../includes/active-directory-develop-preview.md)]
+> This feature is in public preview. This preview is provided without a service-level agreement. For more information, see [Supplemental terms of use for Microsoft Azure public previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
 
 The *Microsoft Enterprise SSO plug-in for Apple devices* provides single sign-on (SSO) for Azure Active Directory (Azure AD) accounts on macOS, iOS, and iPadOS across all applications that support Apple's [enterprise single sign-on](https://developer.apple.com/documentation/authenticationservices) feature. The plug-in provides SSO for even old applications that your business might depend on but that don't yet support the latest identity libraries or protocols. Microsoft worked closely with Apple to develop this plug-in to increase your application's usability while providing the best protection available.
 

articles/active-directory/standards/memo-22-09-meet-identity-requirements.md

@@ -17,11 +17,11 @@ ms.collection: M365-identity-device-management
 
 # Meet identity requirements of memorandum 22-09 with Azure Active Directory
 
-US executive order [14028, Improving the Nation's Cyber Security](https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity), directs federal agencies on advancing security measures that dramatically reduce the risk of successful cyberattacks against the federal government's digital infrastructure. On January 26, 2022, the [Office of Management and Budget (OMB)](https://www.whitehouse.gov/omb/) released the federal Zero Trust strategy in [memorandum 22-09](https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf), in support of EO 14028. 
+US executive order [14028, Improving the Nation's Cyber Security](https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity), directs federal agencies on advancing security measures that drastically reduce the risk of successful cyberattacks against the federal government's digital infrastructure. On January 26, 2022, the [Office of Management and Budget (OMB)](https://www.whitehouse.gov/omb/) released the federal Zero Trust strategy in [memorandum 22-09](https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf), in support of EO 14028. 
 
 This series of articles offers guidance for employing Azure Active Directory (Azure AD) as a centralized identity management system for implementing Zero Trust principles, as described in memorandum 22-09. 
 
-The release of memorandum 22-09 is designed to support Zero Trust initiatives within federal agencies. It also provides regulatory guidance in supporting federal cybersecurity and data privacy paws. The memo cites the [Department of Defense (DoD) Zero Trust Reference Architecture](https://dodcio.defense.gov/Portals/0/Documents/Library/(U)ZT_RA_v1.1(U)_Mar21.pdf): 
+The release of memorandum 22-09 is designed to support Zero Trust initiatives within federal agencies. It also provides regulatory guidance in supporting federal cybersecurity and data privacy laws. The memo cites the [Department of Defense (DoD) Zero Trust Reference Architecture](https://dodcio.defense.gov/Portals/0/Documents/Library/(U)ZT_RA_v1.1(U)_Mar21.pdf): 
 
 >"The foundational tenet of the Zero Trust Model is that no actor, system, network, or service operating outside or within the security perimeter is trusted. Instead, we must verify anything and everything attempting to establish access. It is a dramatic paradigm shift in philosophy of how we secure our infrastructure, networks, and data, from verify once at the perimeter to continual verification of each user, device, application, and transaction."
 

articles/expressroute/expressroute-howto-routing-portal-resource-manager.md

@@ -171,7 +171,7 @@ You can remove your Microsoft peering configuration by right-clicking the peerin
 You can remove your private peering configuration by right-clicking the peering and selecting **Delete** as shown in the following image:
 
 > [!WARNING]
-> You must ensure that all virtual networks and ExpressRoute Global Reach connections are removed before running this operation. 
+> You must ensure that all virtual network connections and ExpressRoute Global Reach connections are removed before running this operation. 
 > 
 
 :::image type="content" source="./media/expressroute-howto-routing-portal-resource-manager/delete-private-peering.png" alt-text="Screenshot showing how to delete private peering.":::

articles/key-vault/certificates/faq.yml

@@ -40,6 +40,10 @@ sections:
           When I import a certificate via the Azure portal, I get a "Something went wrong" error. How can I investigate further?
         answer: |
           To view a more descriptive error, import the certificate file by using [the Azure CLI](/cli/azure/keyvault/certificate#az_keyvault_certificate_import) or [PowerShell](/powershell/module/azurerm.keyvault/import-azurekeyvaultcertificate).          
+      - question: |
+          When I import a certificate via the Azure portal, I get a "The size of the X.509 certificate is too long" error. What should I do?
+        answer: |
+          The error indicates that your certificate might be too long, it might be including many certificates in a single file. This is a hard-limit that can't be increased. The solution is to shorten your certificate file's content so that it aligns to our size's limit.
       - question: |
           How can I resolve this error? "Error type: Access denied or user is unauthorized to import certificate"
         answer: |

articles/lab-services/reliability-in-azure-lab-services.md

@@ -8,11 +8,11 @@ ms.date: 08/18/2022
 
 # What is reliability in Azure Lab Services?
 
-This article describes reliability support in Azure Lab Services, and covers regional resiliency with availability zones. For a more detailed overview of reliability in Azure, see [Azure resiliency](/azure/availability-zones/overview.md).
+This article describes reliability support in Azure Lab Services, and covers regional resiliency with availability zones. For a more detailed overview of reliability in Azure, see [Azure resiliency](/azure/availability-zones/overview).
 
 ## Availability zone support
 
-Azure availability zones are at least three physically separate groups of datacenters within each Azure region. Datacenters within each zone are equipped with independent power, cooling, and networking infrastructure. In the case of a local zone failure, availability zones allow the services to fail over to the other availability zones to provide continuity in service with minimal interruption. Failures can range from software and hardware failures to events such as earthquakes, floods, and fires. Tolerance to failures is achieved with redundancy and logical isolation of Azure services. For more detailed information on availability zones in Azure, see [Regions and availability zones](/azure/availability-zones/az-overview.md).
+Azure availability zones are at least three physically separate groups of datacenters within each Azure region. Datacenters within each zone are equipped with independent power, cooling, and networking infrastructure. In the case of a local zone failure, availability zones allow the services to fail over to the other availability zones to provide continuity in service with minimal interruption. Failures can range from software and hardware failures to events such as earthquakes, floods, and fires. Tolerance to failures is achieved with redundancy and logical isolation of Azure services. For more detailed information on availability zones in Azure, see [Regions and availability zones](/azure/availability-zones/az-overview).
 
 Azure availability zones-enabled services are designed to provide the right level of resiliency and flexibility. They can be configured in two ways. They can be either zone redundant, with automatic replication across zones, or zonal, with instances pinned to a specific zone. You can also combine these approaches. For more information on zonal vs. zone-redundant architecture, see [Build solutions with availability zones](/azure/architecture/high-availability/building-solutions-for-high-availability).
 
@@ -126,4 +126,4 @@ Azure Lab Services does not provide any service-specific signals about an outage
 ## Next steps
 
 > [!div class="nextstepaction"]
-> [Resiliency in Azure](/azure/availability-zones/overview.md)
+> [Resiliency in Azure](/azure/availability-zones/overview)

articles/sentinel/TOC.yml

@@ -286,6 +286,8 @@
       href: indicators-bulk-file-import.md
     - name: Work with threat indicators
       href: work-with-threat-indicators.md
+    - name: Add entity to threat indicators
+      href: add-entity-to-threat-intelligence.md
   - name: Monitor and visualize data
     items:
     - name: Visualize collected data

articles/sentinel/add-entity-to-threat-intelligence.md

@@ -0,0 +1,107 @@
+---
+title: Add entities to threat intelligence in Microsoft Sentinel
+description: This article shows you, if you discover a malicious entity in an incident investigation, how to add the entity to your threat intelligence indicator lists in Microsoft Sentinel.
+author: yelevin
+ms.topic: how-to
+ms.date: 08/25/2022
+ms.author: yelevin
+---
+
+# Add entities to threat intelligence in Microsoft Sentinel
+
+When investigating an incident, you examine entities and their context as an important part of understanding the scope and nature of the incident. In the course of the investigation, you may discover a domain name, URL, file, or IP address in the incident that should be labeled and tracked as an indicator of compromise (IOC), a threat indicator.
+
+For example, you may discover an IP address performing port scans across your network, or functioning as a command and control node, sending and/or receiving transmissions from large numbers of nodes in your network.
+
+Microsoft Sentinel allows you to flag these types of entities as malicious, right from within the investigation graph, and add it to your threat indicator lists. You'll then be able to view the added indicators both in Logs and in the Threat Intelligence blade, and use them across your Microsoft Sentinel workspace.
+
+> [!IMPORTANT]
+> Adding entities as TI indicators is currently in PREVIEW. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
+
+## Add an entity to your indicators list
+
+The [investigation graph](investigate-cases.md) is a visual, intuitive tool that presents connections and patterns and enables your analysts to ask the right questions and follow leads. You can use it to add entities to your threat intelligence indicator lists, making them available across your workspace.
+
+1. From the Microsoft Sentinel navigation menu, select **Incidents**.
+
+1. Select an incident to investigate. In the incident details panel, select the **Actions** button and choose **Investigate** from the pop-up menu. This will open the investigation graph.
+
+    :::image type="content" source="media/add-entity-to-threat-intelligence/select-incident-to-investigate.png" alt-text="Screenshot of selecting incident from queue to investigate.":::
+
+1. Select the entity from the graph that you want to add as a threat indicator. A side panel will open on the right. Select **Add to TI**.
+
+    Only the following types of entities can be added as threat indicators:
+    - Domain name
+    - IP address (IPv4 and IPv6)
+    - URL
+    - File (hash)
+
+    :::image type="content" source="media/add-entity-to-threat-intelligence/add-entity-to-ti.png" alt-text="Screenshot of adding entity to threat intelligence.":::
+
+1. The **New indicator** side panel will open. The following fields will be populated automatically:
+
+    - **Type**
+        - The type of indicator represented by the entity you're adding.  
+            Drop-down with possible values: *ipv4-addr*, *ipv6-addr*, *URL*, *file*, *domain-name*
+        - Required; automatically populated based on the **entity type**.
+
+    - **Value**
+        - The name of this field changes dynamically to the selected indicator type.
+        - The value of the indicator itself.
+        - Required; automatically populated by the **entity value**.
+
+    - **Tags** 
+        - Free-text tags you can add to the indicator.
+        - Optional; automatically populated by the **incident ID**. You can add others.
+    
+    - **Name**
+        - Name of the indicator - this is what will be displayed in your list of indicators.
+        - Optional; automatically populated by the **incident name.**
+    
+    - **Created by**
+        - Creator of the indicator.
+        - Optional; automatically-populated by the user logged into Microsoft Sentinel.
+
+    Fill in the remaining fields accordingly.
+
+    - **Threat type**
+        - The threat type represented by the indicator.
+        - Optional; free text.
+
+    - **Description**
+        - Description of the indicator.
+        - Optional; free text.
+
+    - **Revoked**
+        - Revoked status of the indicator. Mark checkbox to revoke the indicator, clear checkbox to make it active.
+        - Optional; boolean.
+
+    - **Confidence**
+        - Score reflecting confidence in the correctness of the data, by percent.
+        - Optional; integer, 1-100
+
+    - **Kill chain**
+        - Phases in the [*Lockheed Martin Cyber Kill Chain*](https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html#OVERVIEW) to which the indicator corresponds.
+        - Optional; free text 
+
+    - **Valid from**
+        - The time from which this indicator is considered valid.
+        - Required; date/time 
+
+    - **Valid until**
+        - The time at which this indicator should no longer be considered valid.
+        - Optional; date/time 
+
+    :::image type="content" source="media/add-entity-to-threat-intelligence/new-indicator-panel.png" alt-text="Screenshot of entering information in new threat indicator panel.":::
+
+1. When all the fields are filled in to your satisfaction, select **Apply**. You'll see a confirmation message in the upper-right-hand corner that your indicator was created.
+
+1. The entity will be added as a threat indicator in your workspace. You can find it [in the list of indicators in the **Threat intelligence** page](work-with-threat-indicators.md#find-and-view-your-indicators-in-the-threat-intelligence-page), and also [in the *ThreatIntelligenceIndicators* table in **Logs**](work-with-threat-indicators.md#find-and-view-your-indicators-in-logs). 
+
+## Next steps
+
+In this article, you learned how to add entities to your threat indicator lists. For more information, see:
+
+- [Investigate incidents with Microsoft Sentinel](investigate-cases.md)
+- [Understand threat intelligence in Microsoft Sentinel](understand-threat-intelligence.md)
+- [Work with threat indicators in Microsoft Sentinel](work-with-threat-indicators.md)