Merge pull request #270137 from dcurwin/wi-213240-risk-prioritization-containers-march25-2024

Wi 213240 risk prioritization containers

Author: JamesJBarnett

.openpublishing.redirection.defender-for-cloud.json

@@ -945,6 +945,16 @@
             "redirect_url": "/azure/defender-for-cloud/create-custom-recommendations",
             "redirect_document_id": false
         },
+        {
+            "source_path_from_root": "/articles/defender-for-cloud/view-and-remediate-vulnerabilities-for-images.md",
+            "redirect_url": "/azure/defender-for-cloud/view-and-remediate-vulnerabilities-containers",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/defender-for-cloud/view-and-remediate-vulnerability-assessment-findings.md",
+            "redirect_url": "/azure/defender-for-cloud/view-and-remediate-vulnerability-registry-images",
+            "redirect_document_id": false
+        },
         {
             "source_path_from_root": "/articles/defender-for-cloud/how-to-migrate-to-built-in.md",
             "redirect_url": "/azure/defender-for-cloud/how-to-transition-to-built-in",

articles/defender-for-cloud/TOC.yml

@@ -305,8 +305,6 @@
         - name: Integrate security solutions
           displayName: security, solutions, integrate, integrated, data sources
           href: partner-integration.md
-        - name: Enable Permissions Management
-          href: enable-permissions-management.md
     - name: Data-aware security posture
       items:
         - name: Enable data-aware security posture
@@ -341,7 +339,7 @@
           displayName: security, recommendations, owner, azure, resource, graph, azure
             resource graph, csv report
           href: review-security-recommendations.md
-        - name: Review exempted resources
+        - name: Review resources exempted from recommendations
           href: review-exemptions.md
         - name: Remediate recommendations
           displayName: remediation, steps, recommendations, fix, actions, activity log
@@ -363,6 +361,9 @@
         - name: Identify and remediate attack paths
           displayName: attack paths, paths, investigate, easm,
           href: how-to-manage-attack-path.md
+        - name: Retrieve attack path data with API
+          displayName: attack paths, paths, investigate, easm, rest api
+          href: attack-path-api.md
         - name: Build queries with cloud security explorer
           displayName: queries, security explorer, explorer, templates, query
           href: how-to-manage-cloud-security-explorer.md
@@ -650,13 +651,19 @@
             href: agentless-vulnerability-assessment-gcp.md
           - name: Enable vulnerability assessments
             href: enable-vulnerability-assessment.md
-          - name: View and remediate vulnerabilities for registry images
-            href: view-and-remediate-vulnerability-assessment-findings.md
-          - name: View and remediate vulnerabilities for running images
-            href: view-and-remediate-vulnerabilities-for-images.md
-          - name: Disable vulnerabilities on images
+          - name: View and remediate vulnerabilities for registry images (Risk based)
+            href: view-and-remediate-vulnerability-registry-images.md
+          - name: View and remediate vulnerabilities for running containers (Risk based)
+            href: view-and-remediate-vulnerabilities-containers.md
+          - name: Disable vulnerabilities on images (Risk based)
             href: disable-vulnerability-findings-containers.md
-          - name: REST API
+          - name: View and remediate vulnerabilities for registry images (Secure score)
+            href: view-and-remediate-vulnerability-assessment-findings-secure-score.md
+          - name: View and remediate vulnerabilities for running images (Secure score)
+            href: view-and-remediate-vulnerabilities-for-images-secure-score.md
+          - name: Disable vulnerabilities on images (Secure score)
+            href: disable-vulnerability-findings-containers-secure-score.md
+          - name: REST API (Secure score)
             href: subassessment-rest-api.md
           - name: Transition to Defender Vulnerability Management
             href: transition-to-defender-vulnerability-management.md

articles/defender-for-cloud/agentless-vulnerability-assessment-aws.md

@@ -26,10 +26,19 @@ Container vulnerability assessment powered by Microsoft Defender Vulnerability M
 
 - **Reporting** - Container Vulnerability Assessment for AWS powered by Microsoft Defender Vulnerability Management provides vulnerability reports using following recommendations:
 
-    | Recommendation | Description | Assessment Key|
-    |--|--|--|
-    | [AWS registry container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management)](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/AwsContainerRegistryRecommendationDetailsBlade/assessmentKey/c27441ae-775c-45be-8ffa-655de37362ce) | Scans your AWS registries container images for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. | c27441ae-775c-45be-8ffa-655de37362ce |
-    | [AWS running container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management)](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/AwsContainersRuntimeRecommendationDetailsBlade/assessmentKey/682b2595-d045-4cff-b5aa-46624eb2dd8f) | Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Elastic Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. | 682b2595-d045-4cff-b5aa-46624eb2dd8f |
+These are the new recommendations that report on runtime container vulnerabilities and registry image vulnerabilities. They are currently in preview, but are intended to replace the old recommendations. These new recommendations do not count toward secure score while in preview.  The scan engine for both sets of recommendations is the same.
+
+| Recommendation | Description | Assessment Key|
+|--|--|--|
+| [[Preview] Container images in AWS registry should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/2a139383-ec7e-462a-90ac-b1b60e87d576) | Defender for Cloud scans your registry images for known vulnerabilities (CVEs) and provides detailed findings for each scanned image. Scanning and remediating vulnerabilities for container images in the registry helps maintain a secure and reliable software supply chain, reduces the risk of security incidents, and ensures compliance with industry standards. | 2a139383-ec7e-462a-90ac-b1b60e87d576 |
+| [[Preview] Containers running in AWS should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/d5d1e526-363a-4223-b860-f4b6e710859f) | Defender for Cloud creates an inventory of all container workloads currently running in your Kubernetes clusters and provides vulnerability reports for those workloads by matching the images being used and the vulnerability reports created for the registry images. Scanning and remediating vulnerabilities of container workloads is critical to ensure a robust and secure software supply chain, reduce the risk of security incidents, and ensures compliance with industry standards. | d5d1e526-363a-4223-b860-f4b6e710859f |
+
+These are the older recommendations that are currently on a retirement path:
+
+| Recommendation | Description | Assessment Key|
+|--|--|--|
+| [AWS registry container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management)](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/AwsContainerRegistryRecommendationDetailsBlade/assessmentKey/c27441ae-775c-45be-8ffa-655de37362ce) | Scans your AWS registries container images for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. | c27441ae-775c-45be-8ffa-655de37362ce |
+| [AWS running container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management)](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/AwsContainersRuntimeRecommendationDetailsBlade/assessmentKey/682b2595-d045-4cff-b5aa-46624eb2dd8f) | Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Elastic Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. | 682b2595-d045-4cff-b5aa-46624eb2dd8f |
 
 - **Query vulnerability information via the Azure Resource Graph** - Ability to query vulnerability information via the [Azure Resource Graph](../governance/resource-graph/overview.md#how-resource-graph-complements-azure-resource-manager). Learn how to [query recommendations via ARG](review-security-recommendations.md).
 
@@ -59,8 +68,8 @@ A detailed description of the scan process is described as follows:
 
   - All newly discovered images are pulled, and an inventory is created for each image. Image inventory is kept to avoid further image pulls, unless required by new scanner capabilities.​
   - Using the inventory, vulnerability reports are generated for new images, and updated for images previously scanned which were either pushed in the last 90 days to a registry, or are currently running. To determine if an image is currently running, Defender for Cloud uses both  [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability) and [inventory collected via the Defender sensor running on EKS nodes](defender-for-containers-enable.md#enablement-method-per-capability)
-  - Vulnerability reports for registry container images are provided as a [recommendation](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/AwsContainerRegistryRecommendationDetailsBlade/assessmentKey/c27441ae-775c-45be-8ffa-655de37362ce).
-- For customers using either [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability) or [inventory collected via the Defender sensor running on EKS nodes](defender-for-containers-enable.md#enablement-method-per-capability), Defender for Cloud also creates a [recommendation](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/ContainersRuntimeRecommendationDetailsBlade/assessmentKey/c609cf0f-71ab-41e9-a3c6-9a1f7fe1b8d5) for remediating vulnerabilities for vulnerable images running on an EKS cluster. For customers using only [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability), the refresh time for inventory in this recommendation is once every seven hours. Clusters that are also running the [Defender sensor](defender-for-containers-enable.md#enablement-method-per-capability) benefit from a two hour inventory refresh rate. Image scan results are updated based on registry scan in both cases, and are therefore only refreshed every 24 hours.
+  - Vulnerability reports for registry container images are provided as a [recommendation](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/2a139383-ec7e-462a-90ac-b1b60e87d576).
+- For customers using either [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability) or [inventory collected via the Defender sensor running on EKS nodes](defender-for-containers-enable.md#enablement-method-per-capability), Defender for Cloud also creates a [recommendation](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/d5d1e526-363a-4223-b860-f4b6e710859f) for remediating vulnerabilities for vulnerable images running on an EKS cluster. For customers using only [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability), the refresh time for inventory in this recommendation is once every seven hours. Clusters that are also running the [Defender sensor](defender-for-containers-enable.md#enablement-method-per-capability) benefit from a two hour inventory refresh rate. Image scan results are updated based on registry scan in both cases, and are therefore only refreshed every 24 hours.
 
 > [!NOTE]
 > For [Defender for Container Registries (deprecated)](defender-for-container-registries-introduction.md), images are scanned once on push, on pull, and rescanned only once a week.