
Commit 472f3c8

Merge pull request #216494 from rayne-wiselman/rayne-october31
adding plan defender for servers article
2 parents e85e822 + ec4cc39 commit 472f3c8

11 files changed: +602 -26 lines changed

articles/defender-for-cloud/TOC.yml

Lines changed: 18 additions & 0 deletions
@@ -166,6 +166,24 @@
166166
- name: Reference list of attack paths and cloud security graph components
167167
displayName: attack, paths, security, graph, components
168168
href: attack-path-reference.md
169+
- name: Protect servers
170+
items:
171+
- name: Plan Defender for Servers deployment
172+
items:
173+
- name: Get started
174+
href: plan-defender-for-servers.md
175+
- name: Review data residency, workspace design
176+
href: plan-defender-for-servers-data-workspace.md
177+
- name: Determine roles and access
178+
href: plan-defender-for-servers-roles.md
179+
- name: Select a plan
180+
href: plan-defender-for-servers-select-plan.md
181+
- name: Review agents and extensions
182+
href: plan-defender-for-servers-agents.md
183+
- name: Scale Defender for Servers deployment
184+
href: plan-defender-for-servers-scale.md
185+
- name: Common questions
186+
href: faq-defender-for-servers.yml
169187
- name: Protect cloud workloads
170188
items:
171189
- name: Agentless scanning
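Review bot: the nav title on line 176, `- name: Review data residency, workspace design`, reads as a comma splice; the sibling entries in this block are verb phrases with a single object, so "Review data residency and workspace design" fits both the pattern and the article's scope. Also worth a check: the new "Protect servers" node is inserted immediately after the "Reference list of attack paths and cloud security graph components" entry, and the rendered diff does not show leading whitespace, so confirm its indentation makes it a sibling of "Protect cloud workloads" rather than a child of that reference item.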

articles/defender-for-cloud/enhanced-security-features-overview.md

Lines changed: 32 additions & 26 deletions
@@ -6,32 +6,38 @@ ms.date: 07/21/2022
66
ms.custom: references_regions, ignite-2022
77
---
88

9-
# Microsoft Defender for Cloud's basic and enhanced security features
10-
11-
Defender for Cloud offers many enhanced security features that can help protect your organization against threats and attacks.
12-
13-
- **Basic security features** (Free) - When you open Defender for Cloud in the Azure portal for the first time or if you enable it through the API, Defender for Cloud is enabled for free on all your Azure subscriptions. By default, Defender for Cloud provides the [secure score](secure-score-security-controls.md), [security policy and basic recommendations](security-policy-concept.md), and [network security assessment](protect-network-resources.md) to help you protect your Azure resources.
14-
15-
If you want to try out the enhanced security features, [enable enhanced security features](enable-enhanced-security.md) for free for the first 30 days. At the end of 30 days, if you decide to continue using the service, we'll automatically start charging for usage. For pricing details in your local currency or region, see the [pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/).
16-
17-
- **Enhanced security features** (Paid) - When you enable the enhanced security features, Defender for Cloud can provide unified security management and threat protection across your hybrid cloud workloads, including:
18-
19-
- **Microsoft Defender for Endpoint** - Microsoft Defender for Servers includes [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/security/endpoint-defender) for comprehensive endpoint detection and response (EDR). Learn more about the benefits of using Microsoft Defender for Endpoint together with Defender for Cloud in [Use Defender for Cloud's integrated EDR solution](integration-defender-for-endpoint.md).
20-
- **Vulnerability assessment for virtual machines, container registries, and SQL resources** - Easily enable vulnerability assessment solutions to discover, manage, and resolve vulnerabilities. View, investigate, and remediate the findings directly from within Defender for Cloud.
21-
- **Multicloud security** - Connect your accounts from Amazon Web Services (AWS) and Google Cloud Platform (GCP) to protect resources and workloads on those platforms with a range of Microsoft Defender for Cloud security features.
22-
- **Hybrid security** – Get a unified view of security across all of your on-premises and cloud workloads. Apply security policies and continuously assess the security of your hybrid cloud workloads to ensure compliance with security standards. Collect, search, and analyze security data from multiple sources, including firewalls and other partner solutions.
23-
- **Threat protection alerts** - Advanced behavioral analytics and the Microsoft Intelligent Security Graph provide an edge over evolving cyber-attacks. Built-in behavioral analytics and machine learning can identify attacks and zero-day exploits. Monitor networks, machines, data stores (SQL servers hosted inside and outside Azure, Azure SQL databases, Azure SQL Managed Instance, and Azure Storage) and cloud services for incoming attacks and post-breach activity. Streamline investigation with interactive tools and contextual threat intelligence.
24-
- **Track compliance with a range of standards** - Defender for Cloud continuously assesses your hybrid cloud environment to analyze the risk factors according to the controls and best practices in [Microsoft cloud security benchmark](/security/benchmark/azure/introduction). When you enable the enhanced security features, you can apply a range of other industry standards, regulatory standards, and benchmarks according to your organization's needs. Add standards and track your compliance with them from the [regulatory compliance dashboard](update-regulatory-compliance-packages.md).
25-
- **Access and application controls** - Block malware and other unwanted applications by applying machine learning powered recommendations adapted to your specific workloads to create allowlists and blocklists. Reduce the network attack surface with just-in-time, controlled access to management ports on Azure VMs. Access and application control drastically reduce exposure to brute force and other network attacks.
26-
- **Container security features** - Benefit from vulnerability management and real-time threat protection on your containerized environments. Charges are based on the number of unique container images pushed to your connected registry. After an image has been scanned once, you won't be charged for it again unless it's modified and pushed once more.
27-
- **Breadth threat protection for resources connected to Azure** - Cloud-native threat protection for the Azure services common to all of your resources: Azure Resource Manager, Azure DNS, Azure network layer, and Azure Key Vault. Defender for Cloud has unique visibility into the Azure management layer and the Azure DNS layer, and can therefore protect cloud resources that are connected to those layers.
28-
- **Manage your Cloud Security Posture Management (CSPM)** - CSPM offers you the ability to remediate security issues and review your security posture through the tools provided. These tools include:
29-
- Security governance and regulatory compliance
30-
- Cloud security graph
31-
- Attack path analysis
32-
- Agentless scanning for machines
9+
# Basic and enhanced security features
10+
11+
Defender for Cloud offers basic, and many enhanced security features that can help protect your organization against threats and attacks.
12+
13+
## Basic features
14+
15+
When you open Defender for Cloud in the Azure portal for the first time or if you enable it through the API, Defender for Cloud is enabled for free on all your Azure subscriptions. By default, Defender for Cloud provides foundational cloud security and posture management (CSPM) features, including [secure score](secure-score-security-controls.md), [security policy and basic recommendations](security-policy-concept.md), and [network security assessment](protect-network-resources.md) to help you protect your Azure resources.
16+
17+
## Try out enhanced features
18+
19+
If you want to try out the enhanced security features, [enable enhanced security features](enable-enhanced-security.md) for free for the first 30 days. At the end of 30 days, if you decide to continue using the service, we'll automatically start charging for usage. For pricing details in your local currency or region, see the [pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/).
20+
21+
## Enhanced features
22+
23+
When you enable the enhanced security features (paid), Defender for Cloud can provide unified security management and threat protection across your hybrid cloud workloads, including:
24+
25+
- **Microsoft Defender for Endpoint** - Microsoft Defender for Servers includes [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/security/endpoint-defender) for comprehensive endpoint detection and response (EDR). Learn more about the benefits of using Microsoft Defender for Endpoint together with Defender for Cloud in [Use Defender for Cloud's integrated EDR solution](integration-defender-for-endpoint.md).
26+
- **Vulnerability assessment for virtual machines, container registries, and SQL resources** - Easily enable vulnerability assessment solutions to discover, manage, and resolve vulnerabilities. View, investigate, and remediate the findings directly from within Defender for Cloud.
27+
- **Multicloud security** - Connect your accounts from Amazon Web Services (AWS) and Google Cloud Platform (GCP) to protect resources and workloads on those platforms with a range of Microsoft Defender for Cloud security features.
28+
- **Hybrid security** – Get a unified view of security across all of your on-premises and cloud workloads. Apply security policies and continuously assess the security of your hybrid cloud workloads to ensure compliance with security standards. Collect, search, and analyze security data from multiple sources, including firewalls and other partner solutions.
29+
- **Threat protection alerts** - Advanced behavioral analytics and the Microsoft Intelligent Security Graph provide an edge over evolving cyber-attacks. Built-in behavioral analytics and machine learning can identify attacks and zero-day exploits. Monitor networks, machines, data stores (SQL servers hosted inside and outside Azure, Azure SQL databases, Azure SQL Managed Instance, and Azure Storage) and cloud services for incoming attacks and post-breach activity. Streamline investigation with interactive tools and contextual threat intelligence.
30+
- **Track compliance with a range of standards** - Defender for Cloud continuously assesses your hybrid cloud environment to analyze the risk factors according to the controls and best practices in [Microsoft cloud security benchmark](/security/benchmark/azure/introduction). When you enable the enhanced security features, you can apply a range of other industry standards, regulatory standards, and benchmarks according to your organization's needs. Add standards and track your compliance with them from the [regulatory compliance dashboard](update-regulatory-compliance-packages.md).
31+
- **Access and application controls** - Block malware and other unwanted applications by applying machine learning powered recommendations adapted to your specific workloads to create allowlists and blocklists. Reduce the network attack surface with just-in-time, controlled access to management ports on Azure VMs. Access and application control drastically reduce exposure to brute force and other network attacks.
32+
- **Container security features** - Benefit from vulnerability management and real-time threat protection on your containerized environments. Charges are based on the number of unique container images pushed to your connected registry. After an image has been scanned once, you won't be charged for it again unless it's modified and pushed once more.
33+
- **Breadth threat protection for resources connected to Azure** - Cloud-native threat protection for the Azure services common to all of your resources: Azure Resource Manager, Azure DNS, Azure network layer, and Azure Key Vault. Defender for Cloud has unique visibility into the Azure management layer and the Azure DNS layer, and can therefore protect cloud resources that are connected to those layers.
34+
- **Manage your Cloud Security Posture Management (CSPM)** - CSPM offers you the ability to remediate security issues and review your security posture through the tools provided. These tools include:
35+
- Security governance and regulatory compliance
36+
- Cloud security graph
37+
- Attack path analysis
38+
- Agentless scanning for machines
39+
3340

34-
Learn more about [CSPM](concept-cloud-security-posture-management.md).
3541

3642
## FAQ - Pricing and billing
3743
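Review bot: deleted line 34, `Learn more about [CSPM](concept-cloud-security-posture-management.md).`, is not re-added anywhere in the hunk, so the restructured page loses its only link to the CSPM concept article even though the new "Basic features" paragraph now introduces CSPM by name; restore the link under the "Manage your Cloud Security Posture Management (CSPM)" bullet or after the list. Two wording slips in the same hunk: line 11 `Defender for Cloud offers basic, and many enhanced security features` has a stray comma (`offers basic and enhanced security features`), and line 15 expands the acronym as `cloud security and posture management (CSPM)` while the bullet on line 34 spells it `Cloud Security Posture Management`; drop the `and`. The context line at the top still shows `ms.date: 07/21/2022` although the body is being restructured, so the date should be bumped with this change.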

@@ -149,7 +155,7 @@ Defender for Cloud's billing is closely tied to the billing for Log Analytics. [
149155

150156
If the workspace is in the legacy Per Node pricing tier, the Defender for Cloud and Log Analytics allocations are combined and applied jointly to all billable ingested data.
151157

152-
### How can I monitor my daily usage
158+
## How can I monitor my daily usage?
153159

154160
You can view your data usage in two different ways, the Azure portal, or by running a script.
155161
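Review bot: promoting `### How can I monitor my daily usage` to `## How can I monitor my daily usage?` lifts it out from under `## FAQ - Pricing and billing` (visible in the previous hunk's context) and turns it into a top-level sibling of the FAQ rather than one of its questions. If that is intended, the neighbouring questions should move to the same level for consistency; otherwise keep `###` and just add the question mark.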

Lines changed: 109 additions & 0 deletions
@@ -0,0 +1,109 @@
1+
### YamlMime:FAQ
2+
metadata:
3+
title: FAQ — Microsoft Defender for Servers
4+
description: This article provides answers to common questions about Microsoft Defender for Servers.
5+
ms.topic: faq
6+
ms.service: defender-for-cloud
7+
author: bmansheim
8+
ms.author: benmansheim
9+
ms.date: 11/29/2022
10+
title: Frequently asked questions – Defender for Servers
11+
summary: This article answers common questions about Microsoft Defender for Servers.
12+
13+
14+
sections:
15+
- name: Ignored
16+
questions:
17+
- question: |
18+
Can I enable on a subset of machines in a subscription?
19+
answer: |
20+
No. When you enable Microsoft Defender for Servers on an Azure subscription or a connected AWS account/GCP project, all of the connected machines are protected by Defender for Servers. This includes servers that don't have the Log Analytics/Azure Monitor agent installed.
21+
22+
- question: |
23+
Can I get a discount if I already have Microsoft Defender for Endpoint license?
24+
answer: |
25+
If you already have a license for Microsoft Defender for Endpoint for Servers, you won't have to pay for that part of your Microsoft Defender for Servers Plan 2 license.
26+
27+
To request your discount, contact Defender for Cloud's support team via the portal.
28+
29+
- You'll need to provide the relevant workspace ID, region, and number of Defender for Endpoint for servers licenses applied for machines in the given workspace.
30+
- The discount will be effective starting from the approval date, and won't take place retroactively.
31+
32+
- question: |
33+
What servers do I pay for in a subscription?
34+
answer: |
35+
When you enable Defender for Servers on a subscription, you're charged for all machines, in accordance with their power state.
36+
37+
**Azure VMs:**
38+
39+
State | Details | Billing
40+
--- | --- | ---
41+
Starting | VM starting up | Not billed
42+
Running | Normal working state | Billed
43+
Stopping | Transitional, will move to Stopped state when complete. | Billed
44+
Stopped | VM shut down from within guest OS or using PowerOff APIs. Hardware is still allocated and the machine remains on the host. | Billed
45+
Deallocating | Transitional, will move to Deallocated state when complete. | Not billed
46+
Deallocated | VM stopped and removed from the host. | Not billed
47+
48+
**Azure Arc machines:**
49+
50+
**State** | **Details* | **Billing**
51+
--- | --- | ---
52+
Connecting | Servers connected but heartbeat not yet received | Not billed
53+
Connected | Receiving regular heartbeat from Connected Machine agent | Billed
54+
Offline/Disconnected | No heartbeat received with 15-30 minutes | Not billed
55+
Expired | If disconnected for 45 days status can change to Expired. | Not billed
56+
57+
58+
- question: |
59+
Do I need to enable on the subscription and workspace?
60+
answer: |
61+
When you enable the Servers plan on the subscription level, Defender for Cloud automatically enables the plan on your default workspaces automatically. If you're using a custom workspace, you need to select it to enable the plan. Note that:
62+
63+
- If you turn on Defender for Servers for a subscription and for a connected custom workspace, you aren't charged for both. The system identifies unique VMs.
64+
- If you enable Defender for Servers on cross-subscription workspaces:
65+
- For the Log Analytics agent, connected machines from all subscriptions are billed, including subscriptions that don't have the servers plan enabled.
66+
- For the Azure Monitor agent, billing and feature coverage for Defender for Servers depends only on the plan being enabled in the subscription.
67+
68+
69+
- question: |
70+
Is the free allowance per workspace or per machine?
71+
answer: |
72+
You get 500-MB free data ingestion per day, for every VM connected to the workspace. This is specifically for the security data types that are directly collected by Defender for Cloud.
73+
74+
This data is a daily rate averaged across all nodes. Your total daily free limit is equal to [number of machines] x 500 MB. So even if some machines send 100 MB and others send 800 MB, if the total doesn't exceed your total daily free limit, you won't be charged extra.
75+
76+
- question: |
77+
What data types are included in the daily allowance?
78+
answer: |
79+
Defender for Cloud's billing is closely tied to the billing for Log Analytics. [Microsoft Defender for Servers](defender-for-servers-introduction.md) provides a 500 MB/node/day allocation for machines against the following subset of [security data types](/azure/azure-monitor/reference/tables/tables-category#security):
80+
81+
- [SecurityAlert](/azure/azure-monitor/reference/tables/securityalert)
82+
- [SecurityBaseline](/azure/azure-monitor/reference/tables/securitybaseline)
83+
- [SecurityBaselineSummary](/azure/azure-monitor/reference/tables/securitybaselinesummary)
84+
- [SecurityDetection](/azure/azure-monitor/reference/tables/securitydetection)
85+
- [SecurityEvent](/azure/azure-monitor/reference/tables/securityevent)
86+
- [WindowsFirewall](/azure/azure-monitor/reference/tables/windowsfirewall)
87+
- [SysmonEvent](/azure/azure-monitor/reference/tables/sysmonevent)
88+
- [ProtectionStatus](/azure/azure-monitor/reference/tables/protectionstatus)
89+
- [Update](/azure/azure-monitor/reference/tables/update) and [UpdateSummary](/azure/azure-monitor/reference/tables/updatesummary) when the Update Management solution isn't running in the workspace or solution targeting is enabled.
90+
91+
If the workspace is in the legacy Per Node pricing tier, the Defender for Cloud and Log Analytics allocations are combined and applied jointly to all billable ingested data.
92+
93+
- question: |
94+
Am I charged for machines without Log Analytics installed?
95+
answer: |
96+
Yes. When you enable Microsoft Defender for Servers on an Azure subscription or a connected AWS/GCP account/project, you'll be charged for all machines that are connected to your Azure subscription or AWS account. The term machines include Azure virtual machines, Azure Virtual Machine Scale Sets instances, and Azure Arc-enabled servers. Machines that don't have Log Analytics installed are covered by protections that don't depend on the Log Analytics agent.
97+
98+
- question: |
99+
If an agent reports to multiple workspaces, am I charged twice?
100+
answer: |
101+
If a machine, reports to multiple workspaces, and all of them have Defender for Servers enabled, the machines will be billed for each attached workspace.
102+
103+
104+
105+
additionalContent: |
106+
107+
## Next steps
108+
109+
[Plan your Defender for Servers deployment](./plan-defender-for-servers.md)
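Review bot: the Azure Arc table header on line 50, `**State** | **Details* | **Billing**`, has an unbalanced asterisk on `Details*`, which will render literally and can break the bold across the row; use `**Details**`, or drop the bold to match the Azure VMs table on line 39, which uses plain `State | Details | Billing`. Several answers carry wording slips worth fixing in the same file: line 18 `Can I enable on a subset of machines in a subscription?` and line 59 `Do I need to enable on the subscription and workspace?` are missing the object (`enable Defender for Servers on ...`); line 54 `No heartbeat received with 15-30 minutes` should read `within`; line 61 says `automatically enables the plan on your default workspaces automatically`; line 101 has a stray comma in `If a machine, reports to multiple workspaces`. On substance, line 96 opens with `an Azure subscription or a connected AWS/GCP account/project` but then says you are charged for machines connected to `your Azure subscription or AWS account`, dropping GCP; align the two sentences so the billing scope is stated once and consistently.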
