Merge pull request #171233 from memildin/asc-melvyn-mde-linux

v-andreaco · web-flow · commit 486652da24f3 · 2021-10-06T10:15:38.000-06:00
TVM public preview
diff --git a/articles/security-center/TOC.yml b/articles/security-center/TOC.yml
@@ -137,7 +137,7 @@
       href: apply-security-baseline.md
     - name: Vulnerability scanning
       items:
-      - name: Scan your machines with the integrated VA scanner
+      - name: Scan your machines with the integrated Qualys scanner
         displayName: qualys, vulnerability, arc, hybrid
         href: deploy-vulnerability-assessment-vm.md
       - name: Scan your VMs with a BYOL VA solution
@@ -163,6 +163,9 @@
     - name: Define lists of safe applications for machines
       displayName: aac, whitelist, allowlist, reviewgroup, adaptive application controls
       href: security-center-adaptive-application.md
+    - name: Review applications and software installed on your machines
+      displayName: inventory, apps, software inventory, mde, tvm
+      href: asset-inventory.md#access-a-software-inventory
     - name: Track changes to files and registries
       items:
       - name: Overview of file integrity monitoring
diff --git a/articles/security-center/asset-inventory.md b/articles/security-center/asset-inventory.md
@@ -126,6 +126,73 @@ Using the [Kusto Query Language (KQL)](/azure/data-explorer/kusto/query/), asset
 
 1. If you've defined some filters and left the page open, Security Center won't update the results automatically. Any changes to resources won't impact the displayed results unless you manually reload the page or select **Refresh**.
 
+## Access a software inventory
+
+If you've enabled the integration with Microsoft Defender for Endpoint and enabled Azure Defender for servers, you'll have access to the software inventory.
+
+:::image type="content" source="media/deploy-vulnerability-assessment-tvm/software-inventory.png" alt-text="If you've enabled the threat and vulnerability solution, Security Center's asset inventory offers a filter to select resources by their installed software.":::
+
+> [!NOTE]
+> The "Blank" option shows machines without Microsoft Defender for Endpoint (or without Azure Defender for servers).
+
+As well as the filters in the asset inventory page, you can explore the software inventory data from Azure Resource Graph Explorer.
+
+Examples of using Azure Resource Graph Explorer to access and explore software inventory data:
+
+1. Open **Azure Resource Graph Explorer**.
+
+    :::image type="content" source="./media/security-center-identity-access/opening-resource-graph-explorer.png" alt-text="Launching Azure Resource Graph Explorer** recommendation page" :::
+
+1. Select the following subscription scope: securityresources/softwareinventories
+
+1. Enter any of the following queries (or customize them or write your own!) and select **Run query**.
+
+    - To generate a basic list of installed software:
+
+        ```kusto
+        securityresources
+        | where type == "microsoft.security/softwareinventories"
+        | project id, Vendor=properties.vendor, Software=properties.softwareName, Version=properties.version
+        ```
+
+    - To filter by version numbers:
+
+        ```kusto
+        securityresources
+        | where type == "microsoft.security/softwareinventories"
+        | project id, Vendor=properties.vendor, Software=properties.softwareName, Version=tostring(properties.    version)
+        | where Software=="windows_server_2019" and parse_version(Version)<=parse_version("10.0.17763.1999")
+        ```
+
+    - To find machines with a combination of software products:
+
+        ```kusto
+        securityresources
+        | where type == "microsoft.security/softwareinventories"
+        | extend vmId = properties.azureVmId
+        | where properties.softwareName == "apache_http_server" or properties.softwareName == "mysql"
+        | summarize count() by tostring(vmId)
+        | where count_ > 1
+        ```
+
+    - Combination of a software product with another ASC recommendation:
+
+        (In this example – machines having MySQL installed and exposed management ports)
+
+        ```kusto
+        securityresources
+        | where type == "microsoft.security/softwareinventories"
+        | extend vmId = tolower(properties.azureVmId)
+        | where properties.softwareName == "mysql"
+        | join (
+        securityresources
+        | where type == "microsoft.security/assessments"
+        | where properties.displayName == "Management ports should be closed on your virtual machines" and properties.status.code == "Unhealthy"
+        | extend vmId = tolower(properties.resourceDetails.Id)
+        ) on vmId
+        ```
+
+
 
 ## FAQ - Inventory
 
diff --git a/articles/security-center/defender-for-servers-introduction.md b/articles/security-center/defender-for-servers-introduction.md
@@ -3,7 +3,7 @@ title: Azure Defender for servers - the benefits and features
 description: Learn about the benefits and features of Azure Defender for servers.
 author: memildin
 ms.author: memildin
-ms.date: 08/09/2021
+ms.date: 09/05/2021
 ms.topic: overview
 ms.service: security-center
 manager: rkarlin
@@ -28,13 +28,15 @@ The threat detection and protection capabilities provided with Azure Defender fo
     When Defender for Endpoint detects a threat, it triggers an alert. The alert is shown in Security Center. From Security Center, you can also pivot to the Defender for Endpoint console, and perform a detailed investigation to uncover the scope of the attack. Learn more about Microsoft Defender for Endpoint.
 
     > [!IMPORTANT]
-    > The **Microsoft Defender for Endpoint** sensor is automatically enabled on Windows machines that use Security Center.
+    > Security Center’s integration with Microsoft Defender for Endpoint (MDE) is enabled by default. So when you enable Azure Defender, you give consent for MDE and Azure Defender for servers to share the necessary data to provide security alerts for your endpoints.
     >
-    > We're currently offering the sensor for Linux machines in preview. Learn more in [Protect your endpoints with Security Center's integrated EDR solution: Microsoft Defender for Endpoint](security-center-wdatp.md). 
+    > We're currently offering the sensor for Linux machines in preview. Learn more in [Protect your endpoints with Security Center's integrated EDR solution: Microsoft Defender for Endpoint](security-center-wdatp.md).
 
-- **Vulnerability assessment scanning for VMs** - Azure Defender for servers includes a vulnerability scanner powered by Qualys.
+- **Vulnerability assessment tools for machines** - Azure Defender for servers includes a choice of  vulnerability discovery and management tools for your machines. From Security Center's settings pages, you can select which of these tools to deploy to your machines and the discovered vulnerabilities will be shown in a security recommendation.
 
-    Qualys' scanner is one of the leading tools for real-time identification of vulnerabilities in your Azure and hybrid virtual machines. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Security Center. For more information, see [Azure Defender's integrated vulnerability assessment solution for Azure and hybrid machines](deploy-vulnerability-assessment-vm.md).
+    - **Microsoft threat and vulnerability management** - Discover vulnerabilities and misconfigurations in real time with Microsoft Defender for Endpoint, and without the need of additional agents or periodic scans. [Threat and vulnerability management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt) prioritizes vulnerabilities based on the threat landscape, detections in your organization, sensitive information on vulnerable devices, and business context. 
+
+    - **Vulnerability scanner powered by Qualys** - Qualys' scanner is one of the leading tools for real-time identification of vulnerabilities in your Azure and hybrid virtual machines. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Security Center. Learn more in [Azure Defender's integrated Qualys scanner for Azure and hybrid machines](deploy-vulnerability-assessment-vm.md).
 
 - **Just-in-time (JIT) virtual machine (VM) access** - Threat actors actively hunt accessible machines with open management ports, like RDP or SSH. All of your virtual machines are potential targets for an attack. When a VM is successfully compromised, it's used as the entry point to attack further resources within your environment.
 
@@ -52,6 +54,7 @@ The threat detection and protection capabilities provided with Azure Defender fo
 
     Adaptive Network Hardening provides recommendations to further harden the NSG rules. It uses a machine learning algorithm that factors in actual traffic, known trusted configuration, threat intelligence, and other indicators of compromise, and then provides recommendations to allow traffic only from specific IP/port tuples. For more information, see [Improve your network security posture with adaptive network hardening](security-center-adaptive-network-hardening.md).
 
+
 - **Docker host hardening** -  Azure Security Center identifies unmanaged containers hosted on IaaS Linux VMs, or other Linux machines running Docker containers. Security Center continuously assesses the configurations of these containers. It then compares them with the Center for Internet Security (CIS) Docker Benchmark. Security Center includes the entire ruleset of the CIS Docker Benchmark and alerts you if your containers don't satisfy any of the controls. For more information, see [Harden your Docker hosts](harden-docker-hosts.md).
 
 - **Fileless attack detection** - Fileless attacks inject malicious payloads into memory to avoid detection by disk-based scanning techniques. The attacker’s payload then persists within the memory of compromised processes and performs a wide range of malicious activities.
diff --git a/articles/security-center/deploy-vulnerability-assessment-vm.md b/articles/security-center/deploy-vulnerability-assessment-vm.md
@@ -1,6 +1,6 @@
 ---
 title: Security Center's integrated vulnerability assessment solution for Azure and hybrid machines
-description: Install a vulnerability assessment solution on your Azure machines to get recommendations in Azure Security Center that can help you protect your Azure and virtual machines
+description: Install a vulnerability assessment solution on your Azure machines to get recommendations in Azure Security Center that can help you protect your Azure and hybrid machines
 services: security-center
 author: memildin
 manager: rkarlin
@@ -24,6 +24,8 @@ Use this recommendation to deploy the vulnerability assessment solution to your
 
 Deploy the vulnerability assessment solution  that best meets your needs and budget:
 
+- **Microsoft Defender for Endpoint's threat and vulnerability management tools** - Discover vulnerabilities and misconfigurations in real time with sensors, and without the need of agents or periodic scans. It prioritizes vulnerabilities based on the threat landscape, detections in your organization, sensitive information on vulnerable devices, and business context. 
+
 - **Integrated vulnerability assessment solution (powered by Qualys)** - Azure Defender includes vulnerability scanning for your machines at no extra cost. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Security Center. This page provides details of this scanner and instructions for how to deploy it.
 
     > [!TIP]
diff --git a/articles/security-center/media/deploy-vulnerability-assessment-tvm/auto-provision-vulnerability-assessment-agent.png b/articles/security-center/media/deploy-vulnerability-assessment-tvm/auto-provision-vulnerability-assessment-agent.png
diff --git a/articles/security-center/media/deploy-vulnerability-assessment-tvm/software-inventory.png b/articles/security-center/media/deploy-vulnerability-assessment-tvm/software-inventory.png
diff --git a/articles/security-center/release-notes.md b/articles/security-center/release-notes.md
@@ -5,7 +5,7 @@ author: memildin
 manager: rkarlin
 ms.service: security-center
 ms.topic: reference
-ms.date: 10/03/2021
+ms.date: 10/06/2021
 ms.author: memildin
 
 ---
@@ -26,8 +26,46 @@ To learn about *planned* changes that are coming soon to Security Center, see [I
 
 Updates in October include:
 
+- [Microsoft Threat and Vulnerability Management added as vulnerability assessment solution (in preview)](#microsoft-threat-and-vulnerability-management-added-as-vulnerability-assessment-solution-in-preview)
+- [Vulnerability assessment solutions can now be auto enabled (in preview)](#vulnerability-assessment-solutions-can-now-be-auto-enabled-in-preview)
+- [Software inventory filters added to asset inventory (in preview)](#software-inventory-filters-added-to-asset-inventory-in-preview)
 - [Changed prefix of some alert types from "ARM_" to "VM_"](#changed-prefix-of-some-alert-types-from-arm_-to-vm_)
 
+
+### Microsoft Threat and Vulnerability Management added as vulnerability assessment solution (in preview)
+
+We've extended the integration between [Azure Defender for servers](defender-for-servers-introduction.md) and Microsoft Defender for Endpoint, to support a new vulnerability assessment provide for your machines: [Microsoft threat and vulnerability management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt). 
+
+Use **threat and vulnerability management** to discover vulnerabilities and misconfigurations in near real time with the [integration with Microsoft Defender for Endpoint](security-center-wdatp.md) enabled, and without the need of additional agents or periodic scans. Threat and vulnerability management prioritizes vulnerabilities based on the threat landscape and detections in your organization.
+
+Use the security recommendation "[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/ffff0522-1e88-47fc-8382-2a80ba848f5d)" to surface the vulnerabilities detected by threat and vulnerability management for your [supported machines](/microsoft-365/security/defender-endpoint/tvm-supported-os?view=o365-worldwide). 
+
+To automatically surface the vulnerabilities, without the need to manually remediate the recommendation, see [Vulnerability assessment solutions can now be auto enabled (in preview)](#vulnerability-assessment-solutions-can-now-be-auto-enabled-in-preview).
+
+
+### Vulnerability assessment solutions can now be auto enabled (in preview)
+
+Security Center's auto provisioning page now includes the option to automatically enabled a vulnerability assessment solution to Azure virtual machines and Azure Arc machines on subscriptions protected by [Azure Defender for servers](defender-for-servers-introduction.md).
+
+Also, if the [integration with Microsoft Defender for Endpoint](security-center-wdatp.md) is enabled, you'll have a choice of vulnerability assessment solutions:
+
+- (**NEW**) The Microsoft threat and vulnerability management module of Microsoft Defender for Endpoint (see [the release note](#microsoft-threat-and-vulnerability-management-added-as-vulnerability-assessment-solution-in-preview))
+- The integrated Qualys agent
+
+:::image type="content" source="media/deploy-vulnerability-assessment-tvm/auto-provision-vulnerability-assessment-agent.png" alt-text="Configure auto provisioning of Microsoft's threat and vulnerability management from Azure Security Center.":::
+
+Your chosen solution will be automatically enabled on supported machines.
+
+### Software inventory filters added to asset inventory (in preview)
+
+The [asset inventory](asset-inventory.md) page now includes a filter to select machines running specific software - and even specify the versions of interest. 
+
+Additionally, you can query the software inventory data in **Azure Resource Graph Explorer**.
+
+For full details, including sample Kusto queries for Azure Resource Graph, see [Access a software inventory](asset-inventory.md#access-a-software-inventory).
+
+:::image type="content" source="media/deploy-vulnerability-assessment-tvm/software-inventory.png" alt-text="If you've enabled the threat and vulnerability solution, Security Center's asset inventory offers a filter to select resources by their installed software.":::
+
 ### Changed prefix of some alert types from "ARM_" to "VM_" 
 
 In July 2021, we announced a [logical reorganization of Azure Defender for Resource Manager alerts](release-notes.md#logical-reorganization-of-azure-defender-for-resource-manager-alerts) 
@@ -67,7 +105,7 @@ Learn more about the [Azure Defender for Resource Manager](defender-for-resource
 
 In September, the following update was released:
 
-### Two new recommendations to audit OS configurations for Azure security baseline compliance
+### Two new recommendations to audit OS configurations for Azure security baseline compliance (in preview)
 
 The following two recommendations have been released to assess your machines' compliance with the [Windows security baseline](../governance/policy/samples/guest-configuration-baseline-windows.md) and the [Linux security baseline](../governance/policy/samples/guest-configuration-baseline-linux.md):
 
