Merge pull request #100589 from memildin/asc-melvyn-containerwork

Updated screenshots and details of how to use the container security …

Author: PMEds28

articles/security-center/TOC.yml

@@ -91,6 +91,8 @@
       href: built-in-vulnerability-assessment.md
     - name: Using external scanners
       href: partner-vulnerability-assessment.md
+  - name: Monitor your containers
+    href: monitor-container-security.md
   - name: Protect your servers with Microsoft Defender ATP
     href: security-center-wdatp.md
   - name: Use advanced data security for SQL on Azure VMs

articles/security-center/advanced-threat-protection-key-vault.md

@@ -1,5 +1,5 @@
 ---
-title: Set up advanced threat protection for Azure Key Vault | Microsoft Docs
+title: Set up advanced threat protection for Azure Key Vault
 description: This article explains how to set up advanced threat protection for Azure Key Vault in Azure Security Center
 services: security-center
 author: memildin

articles/security-center/azure-container-registry-integration.md

@@ -19,13 +19,11 @@ ms.author: memildin
 
 Azure Container Registry (ACR) is a managed, private Docker registry service that stores and manages your container images for Azure deployments in a central registry. It's based on the open-source Docker Registry 2.0.
 
-If you're on Azure Security Center's standard tier, you can add the Container Registries bundle. This optional feature brings deeper visibility into the vulnerabilities of the images in your ARM-based registries. Enable or disable the bundle at the subscription level to cover all registries in a subscription. This feature is charged per image, not per scan as shown on the [pricing page](security-center-pricing.md). 
-
-Enabling the Container Registries bundle, ensures that Security Center is ready to scan images that get pushed to the registry. The scans are at the image level: Security Center isn't scanning your registry, it's scanning the images stored in the registry. 
+If you're on Azure Security Center's standard tier, you can add the Container Registries bundle. This optional feature brings deeper visibility into the vulnerabilities of the images in your ARM-based registries. Enable or disable the bundle at the subscription level to cover all registries in a subscription. This feature is charged per image, as shown on the [pricing page](security-center-pricing.md). Enabling the Container Registries bundle, ensures that Security Center is ready to scan images that get pushed to the registry. 
 
 Whenever an image is pushed to your registry, Security Center automatically scans that image. To trigger the scan of an image, push it to your repository.
 
-When the scan completes (typically after approximately 10 minutes), findings are available in Security Center recommendations such as this one:
+When the scan completes (typically after approximately 10 minutes), findings are available in Security Center recommendations like this:
 
 [![Sample Azure Security Center recommendation about vulnerabilities discovered in an Azure Container Registry (ACR) hosted image](media/azure-container-registry-integration/container-security-acr-page.png)](media/azure-container-registry-integration/container-security-acr-page.png#lightbox)
 

articles/security-center/azure-kubernetes-service-integration.md

@@ -1,5 +1,5 @@
 ---
-title: Azure Security Center and Azure Kubernetes Service | Microsoft Docs
+title: Azure Security Center and Azure Kubernetes Service
 description: "Learn about Azure Security Center's integration with Azure Kubernetes Services"
 services: security-center
 documentationcenter: na
@@ -30,22 +30,25 @@ Together, these two tools form the best cloud-native Kubernetes security offerin
 
 Using the two services together provides:
 
-* **Security recommendations** - Security Center identifies your AKS resources and categorizes them: from clusters to individual virtual machines. You can then view security recommendations per resource. For more information, see [How to implement security recommendations](security-center-recommendations.md). 
+* **Security recommendations** - Security Center identifies your AKS resources and categorizes them: from clusters to individual virtual machines. You can then view security recommendations per resource. For more information, see the containers recommendations in the [reference list of recommendations](recommendations-reference.md#recs-computeapp). 
 
     > [!NOTE]
-    > If the name of a Security Center recommendation ends with a "(Preview)" tag, it's referring to the preview nature of the recommendation; not the feature.
+    > If the name of a Security Center recommendation ends with a "(Preview)" tag, it's referring to the preview nature of the recommendation, not the feature.
 
-* **Environment hardening** - Security Center constantly monitors the configuration of your Kubernetes clusters, and generates security recommendations that reflect industry standards.
+* **Environment hardening** - Security Center constantly monitors the configuration of your Kubernetes clusters and Docker configurations, and generates security recommendations that reflect industry standards.
 
-* **Run-time protection** - Through continuous analysis of the following AKS sources, Security Center alerts you to threats and malicious activity detected at the host *and* AKS cluster level (for more information, see [threat detection for Azure containers](https://docs.microsoft.com/azure/security-center/security-center-alerts-compute#azure-containers-)):
+* **Run-time protection** - Through continuous analysis of the following AKS sources, Security Center alerts you to threats and malicious activity detected at the host *and* AKS cluster level (for more information, see [threat detection for Azure containers](security-center-alerts-compute.md#azure-containers-)):
     * Raw security events, such as network data and process creation
     * The Kubernetes audit log
 
+    For the list of possible alerts, see the following sections in the reference table of alerts: [AKS cluster level alerts](alerts-reference.md#alerts-akscluster) and [Container host level alerts](alerts-reference.md#alerts-containerhost).  
+
 ![Azure Security Center and Azure Kubernetes Service (AKS) in more detail](./media/azure-kubernetes-service-integration/aks-asc-integration-detailed.png)
 
 > [!NOTE]
 > Some of the data scanned by Azure Security Center from your Kubernetes environment may contain sensitive information.
 
+
 ## Next steps
 
 To learn more about Security Center's container security features, see:
@@ -54,6 +57,4 @@ To learn more about Security Center's container security features, see:
 
 * [Integration with Azure Container Registry](azure-container-registry-integration.md)
 
-* [Virtual Machine protection](security-center-virtual-machine-protection.md) - Describes Security Center's recommendations
-
 * [Data management at Microsoft](https://www.microsoft.com/trust-center/privacy/data-management) - Describes the data policies of Microsoft services (including Azure, Intune, and Office 365), details of Microsoft’s data management, and the retention policies that affect your data

articles/security-center/configure-security-policy-azure-policy.md

@@ -1,5 +1,5 @@
 ---
-title: Create and edit Azure Policy security policies using the REST API | Microsoft Docs
+title: Create and edit Azure Policy security policies using the REST API
 description: Learn about Azure Policy policy management via a REST API.
 services: security-center
 author: memildin

articles/security-center/container-security.md

@@ -10,7 +10,7 @@ ms.devlang: na
 ms.topic: conceptual
 ms.tgt_pltfrm: na
 ms.workload: na
-ms.date: 11/04/2019
+ms.date: 02/11/2020
 ms.author: memildin
 
 ---
@@ -19,25 +19,31 @@ ms.author: memildin
 
 Azure Security Center is the Azure-native solution for container security. Security Center is also the optimal single pane of glass experience for the security of your cloud workloads, VMs, servers, and containers.
 
-This article describes how you can improve, monitor, and maintain the security of your containers and their apps. You'll learn how Security Center helps with these core aspects of container security:
+This article describes how Security Center helps you improve, monitor, and maintain the security of your containers and their apps. You'll learn how Security Center helps with these core aspects of container security:
 
 * Vulnerability management
 * Hardening of the container's environment
 * Runtime protection
 
 [![Azure Security Center's container security tab](media/container-security/container-security-tab.png)](media/container-security/container-security-tab.png#lightbox)
 
+For instructions on how to use these features, see [Monitoring the security of your containers](monitor-container-security.md).
+
 ## Vulnerability management - scanning container images (Preview)
 To monitor your ARM-based Azure Container Registry, ensure you're on Security Center's standard tier (see [pricing](/azure/security-center/security-center-pricing)). Then enable the optional Container Registries bundle. When a new image is pushed, Security Center scans the image using a scanner from the industry-leading vulnerability scanning vendor, Qualys.
 
-When issues are found – by Qualys or Security Center – you’ll get notified in the Security Center dashboard. For every vulnerability, Security Center provides actionable recommendations, along with a severity classification, and guidance for how to remediate the issue. For details of Security Center's recommendations, see the [reference list of recommendations](recommendations-reference.md).
+When issues are found – by Qualys or Security Center – you’ll get notified in the Security Center dashboard. For every vulnerability, Security Center provides actionable recommendations, along with a severity classification, and guidance for how to remediate the issue. For details of Security Center's recommendations for containers, see the [reference list of recommendations](recommendations-reference.md#recs-containers).
 
 ## Environment hardening
 
 ### Continuous monitoring of your Docker configuration
-Azure Security Center identifies unmanaged containers hosted on IaaS Linux VMs, or other Linux machines running Docker containers. Security Center continuously assesses the configurations of these containers. It then compares them with the [Center for Internet Security (CIS) Docker Benchmark](https://www.cisecurity.org/benchmark/docker/)). 
+Azure Security Center identifies unmanaged containers hosted on IaaS Linux VMs, or other Linux machines running Docker containers. Security Center continuously assesses the configurations of these containers. It then compares them with the [Center for Internet Security (CIS) Docker Benchmark](https://www.cisecurity.org/benchmark/docker/)).
+
+Security Center includes the entire ruleset of the CIS Docker Benchmark and alerts you if your containers don't satisfy any of the controls. When it finds misconfigurations, Security Center generates security recommendations. Use the **recommendations page** to view recommendations and remediate issues. You'll also see the recommendations on the **Containers** tab that displays all virtual machines deployed with Docker. 
+
+For details of the relevant Security Center recommendations that might appear for this feature, see the [container section](recommendations-reference.md#recs-containers) of the recommendations reference table.
 
-Security Center includes the entire ruleset of the CIS Docker Benchmark and alerts you if your containers don't satisfy any of the controls. When it finds misconfigurations, Security Center generates security recommendations. Use the **recommendations page** to view recommendations and remediate issues. You'll also see the recommendations on the **Containers** tab that displays all virtual machines deployed with Docker. When you're exploring the security issues on a virtual machine, Security Center provides additional information about the containers on the machine. Such information includes the Docker version and the number of images running on the host. For details of the recommendations, see [here](https://docs.microsoft.com/azure/security-center/security-center-virtual-machine-protection). 
+When you're exploring the security issues of a VM, Security Center provides additional information about the containers on the machine. Such information includes the Docker version and the number of images running on the host. 
 
 >[!NOTE]
 > These CIS benchmark checks will not run on AKS-managed instances or Databricks-managed VMs.
@@ -49,22 +55,38 @@ AKS provides security controls and visibility into the security posture of your
 * Constantly monitor the configuration of your AKS clusters
 * Generate security recommendations aligned with industry standards
 
-For details of Security Center's recommendations, see [Virtual Machine protection](security-center-virtual-machine-protection.md).
+For details of the relevant Security Center recommendations that might appear for this feature, see the [container section](recommendations-reference.md#recs-containers) of the recommendations reference table.
 
 ## Run-time protection - Real-time threat detection
 
 Security Center provides real-time threat detection for your containerized environments and generates alerts for suspicious activities. You can use this information to quickly remediate security issues and improve the security of your containers.
 
 We detect threats at the host and AKS cluster level. For full details, see [threat detection for Azure containers](https://docs.microsoft.com/azure/security-center/security-center-alerts-compute#azure-containers-).
 
-## To view the security posture of your container-related resources
-1.	Open Security Center’s **Compute & apps** page.
-2.	Click the **Containers** tab.
-    The posture of your AKS clusters, ACR registries, and VMs running Docker appears.
+
+## Container security FAQ
+
+### What types of images can Azure Security Center scan?
+Security Center scans Linux OS based images. 
+
+The Qualys scanner doesn't support "distroless" images which only contain your application and its runtime dependencies.
+
+### How does we scan Azure Security Center scan an image?
+The image is extracted from the registry. It's then run in an isolated sandbox with the Qualys scanner which extracts a list of known vulnerabilities.
+
+### How often does Azure Security Center scan my images?
+Image scans are triggered on every push.
+
+### Can I get the scan results via REST API?
+Yes. The results are under [Sub-Assessments Rest API](/rest/api/securitycenter/subassessments/list/). In addition, you can use Azure Resource Graph (ARG), the Kusto-like API for all of your resources: a query can fetch a specific scan.
+ 
 
 ## Next steps
 
-To learn more about container security in Azure Security Center, see:
+To learn more about container security in Azure Security Center, see these related articles:
+
+* To view the security posture of your container-related resources, see the containers section of [Protect your machines and applications](security-center-virtual-machine-protection.md#containers).
+
 * Details of the [integration with Azure Kubernetes Service](azure-kubernetes-service-integration.md)
 
 * Details of the [integration with Azure Container Registry](azure-container-registry-integration.md)