Merge pull request #259173 from ElazarK/WI181508-agentless-secret-scanning

agentless secret scanning

Author: ttorble

articles/defender-for-cloud/concept-agentless-data-collection.md

@@ -21,7 +21,7 @@ Agentless scanning for VMs provides vulnerability assessment and software invent
 |---------|---------|
 |Release state:| GA |
 |Pricing:|Requires either [Defender Cloud Security Posture Management (CSPM)](concept-cloud-security-posture-management.md) or [Microsoft Defender for Servers Plan 2](plan-defender-for-servers-select-plan.md#plan-features)|
-| Supported use cases:| :::image type="icon" source="./media/icons/yes-icon.png"::: Vulnerability assessment (powered by Defender Vulnerability Management)<br>:::image type="icon" source="./media/icons/yes-icon.png"::: Software inventory (powered by Defender Vulnerability Management)<br />:::image type="icon" source="./media/icons/yes-icon.png":::Secret scanning (Preview) |
+| Supported use cases:| :::image type="icon" source="./media/icons/yes-icon.png"::: Vulnerability assessment (powered by Defender Vulnerability Management)<br>:::image type="icon" source="./media/icons/yes-icon.png"::: Software inventory (powered by Defender Vulnerability Management)<br />:::image type="icon" source="./media/icons/yes-icon.png":::Secret scanning |
 | Clouds:    | :::image type="icon" source="./media/icons/yes-icon.png"::: Azure Commercial clouds<br> :::image type="icon" source="./media/icons/no-icon.png"::: Azure Government<br>:::image type="icon" source="./media/icons/no-icon.png"::: Microsoft Azure operated by 21Vianet<br>:::image type="icon" source="./media/icons/yes-icon.png"::: Connected AWS accounts<br>:::image type="icon" source="./media/icons/yes-icon.png"::: Connected GCP projects        |
 | Operating systems:    | :::image type="icon" source="./media/icons/yes-icon.png"::: Windows<br>:::image type="icon" source="./media/icons/yes-icon.png"::: Linux        |
 | Instance and disk types:    | **Azure**<br>:::image type="icon" source="./media/icons/yes-icon.png"::: Standard VMs<br>:::image type="icon" source="./media/icons/no-icon.png"::: Unmanaged disks<br>:::image type="icon" source="./media/icons/yes-icon.png"::: Virtual machine scale set - Flex<br>:::image type="icon" source="./media/icons/no-icon.png"::: Virtual machine scale set - Uniform<br><br>**AWS**<br>:::image type="icon" source="./media/icons/yes-icon.png"::: EC2<br>:::image type="icon" source="./media/icons/yes-icon.png"::: Auto Scale instances<br>:::image type="icon" source="./media/icons/no-icon.png"::: Instances with a ProductCode (Paid AMIs)<br><br>**GCP**<br>:::image type="icon" source="./media/icons/yes-icon.png"::: Compute instances<br>:::image type="icon" source="./media/icons/yes-icon.png"::: Instance groups (managed and unmanaged)       |

articles/defender-for-cloud/release-notes.md

@@ -2,7 +2,7 @@
 title: Release notes
 description: This page is updated frequently with the latest updates in Defender for Cloud.
 ms.topic: overview
-ms.date: 11/23/2023
+ms.date: 11/27/2023
 ---
 
 # What's new in Microsoft Defender for Cloud?
@@ -24,6 +24,7 @@ If you're looking for items older than six months, you can find them in the [Arc
 
 | Date | Update |
 |--|--|
+| November 27 | [General availability of agentless secret scanning in Defender for Servers and Defender CSPM](#general-availability-of-agentless-secret-scanning-in-defender-for-servers-and-defender-cspm) |
 | November 22 | [Enable permissions management with Defender for Cloud (Preview)](#enable-permissions-management-with-defender-for-cloud-preview) |
 | November 22 | [Defender for Cloud integration with ServiceNow](#defender-for-cloud-integration-with-servicenow) |
 | November 20| [General Availability of the autoprovisioning process for SQL Servers on machines plan](#general-availability-of-the-autoprovisioning-process-for-sql-servers-on-machines-plan)|
@@ -38,6 +39,20 @@ If you're looking for items older than six months, you can find them in the [Arc
 | November 15 | [General Availability release of sensitive data discovery for databases](#general-availability-release-of-sensitive-data-discovery-for-databases) |
 | November 6 | [New version of the recommendation to find missing system updates is now GA](#new-version-of-the-recommendation-to-find-missing-system-updates-is-now-ga) |
 
+### General availability of agentless secret scanning in Defender for Servers and Defender CSPM
+
+November 27, 2023
+
+Agentless secret scanning enhances the security cloud based Virtual Machines (VM) by identifying plaintext secrets on VM disks. Agentless secret scanning provides comprehensive information to help prioritize detected findings and mitigate lateral movement risks before they occur. This proactive approach prevents unauthorized access, ensuring your cloud environment remains secure.
+
+We're announcing the General Availability (GA) of agentless secret scanning, which is included in both the [Defender for Servers P2](tutorial-enable-servers-plan.md) and the [Defender CSPM](tutorial-enable-cspm-plan.md) plans. 
+
+Agentless secret scanning utilizes cloud APIs to capture snapshots of your disks, conducting out-of-band analysis that ensures that there is no effect on your VM's performance. Agentless secret scanning broadens the coverage offered by Defender for Cloud over cloud assets across Azure, AWS, and GCP environments to enhance your cloud security.
+
+With this release, Defender for Cloud's detection capabilities now support additional database types, data store signed URLs, access tokens, and more.
+
+Learn how to [manage secrets with agentless secret scanning](secret-scanning.md).
+
 ### Enable permissions management with Defender for Cloud (Preview)
 
 November 22, 2023

articles/defender-for-cloud/secret-scanning.md

@@ -1,26 +1,82 @@
 ---
-title: Manage secrets with agentless secret scanning (preview)
+title: Manage secrets with agentless secret scanning
 description: Learn how to scan your servers for secrets with Defender for Server's agentless secret scanning.
 ms.topic: overview
-ms.date: 08/15/2023
+ms.date: 11/27/2023
 ---
 
-# Manage secrets with agentless secret scanning (preview)
+# Manage secrets with agentless secret scanning
 
 Attackers can move laterally across networks, find sensitive data, and exploit vulnerabilities to damage critical information systems by accessing internet-facing workloads and exploiting exposed credentials and secrets.
 
 Defender for Cloud's agentless secret scanning for Virtual Machines (VM) locates plaintext secrets that exist in your environment. If secrets are detected, Defender for Cloud can assist your security team to prioritize and take actionable remediation steps to minimize the risk of lateral movement, all without affecting your machine's performance.
 
-By using agentless secret scanning, you can proactively discover the following types of secrets across your environments:
-
-- **Insecure SSH private keys (Azure, AWS, GCP)** - supports RSA algorithm for PuTTy files, PKCS#8 and PKCS#1 standards
-- **Plaintext Azure SQL connection strings (Azure, AWS)** - supports SQL PAAS
-- **Plaintext Azure storage account connection strings (Azure, AWS)**
-- **Plaintext Azure storage account SAS tokens (Azure, AWS)**
-- **Plaintext AWS access keys (Azure, AWS)**
-- **Plaintext AWS RDS SQL connection string (Azure, AWS)** -supports SQL PAAS
-
-In addition to detecting SSH private keys, the agentless scanner verifies whether they can be used to move laterally in the network. Keys that we didn't successfully verify are categorized as **unverified** in the **Recommendation** pane.
+By using agentless secret scanning, you can proactively discover the following types of secrets across your environments (in Azure, AWS and GCP cloud providers): 
+
+- Insecure SSH private keys:
+    - Supports RSA algorithm for PuTTy files.
+    - PKCS#8 and PKCS#1 standards.
+    - OpenSSH standard.
+- Plaintext Azure SQL connection strings, supports SQL PAAS.
+- Plaintext Azure database for PostgreSQL.
+- Plaintext Azure database for MySQL.
+- Plaintext Azure database for MariaDB.
+- Plaintext Azure Cosmos DB, including PostgreSQL, MySQL and MariaDB.
+- Plaintext AWS RDS connection string, supports SQL PAAS:
+    - Plaintext Amazon Aurora with Postgres and MySQL flavors.
+    - Plaintext Amazon custom RDS with Oracle and SQL Server flavors.
+- Plaintext Azure storage account connection strings.
+- Plaintext Azure storage account SAS tokens.
+- Plaintext AWS access keys.
+- Plaintext AWS S3 pre-signed URL.
+- Plaintext Google storage signed URL.
+- Plaintext Azure AD Client Secret.
+- Plaintext Azure DevOps Personal Access Token.
+- Plaintext GitHub Personal Access Token.
+- Plaintext Azure App Configuration Access Key.
+- Plaintext Azure Cognitive Service Key.
+- Plaintext Azure AD User Credentials.
+- Plaintext Azure Container Registry Access Key.
+- Plaintext Azure App Service Deployment Password.
+- Plaintext Azure Databricks Personal Access Token.
+- Plaintext Azure SignalR Access Key.
+- Plaintext Azure API Management Subscription Key.
+- Plaintext Azure Bot Framework Secret Key.
+- Plaintext Azure Machine Learning Web Service API Key.
+- Plaintext Azure Communication Services Access Key.
+- Plaintext Azure EventGrid Access Key.
+- Plaintext Amazon Marketplace Web Service (MWS) Access Key.
+- Plaintext Azure Maps Subscription Key.
+- Plaintext Azure Web PubSub Access Key.
+- Plaintext OpenAI API Key.
+- Plaintext Azure Batch Shared Access Key.
+- Plaintext NPM Author Token.
+- Plaintext Azure Subscription Management Certificate. 
+
+Secret findings can be found using the [Cloud Security Explorer](#remediate-secrets-with-cloud-security-explorer) and the [Secrets tab](#remediate-secrets-from-your-asset-inventory) with their metadata like secret type, file name, file path, last access time, and more.
+
+The following secrets can also be accessed from the `Security Recommendations` and `Attack Path`, across Azure, AWS and GCP cloud providers: 
+
+- Insecure SSH private keys: 
+    - Supporting RSA algorithm for PuTTy files.
+    - PKCS#8 and PKCS#1 standards.
+    - OpenSSH standard.
+- Plaintext Azure database connection string: 
+    - Plaintext Azure SQL connection strings, supports SQL PAAS.
+    - Plaintext Azure database for PostgreSQL.
+    - Plaintext Azure database for MySQL.
+    - Plaintext Azure database for MariaDB.
+    - Plaintext Azure Cosmos DB, including PostgreSQL, MySQL and MariaDB.
+- Plaintext AWS RDS connection string, supports SQL PAAS:
+    - Plaintext Amazon Aurora with Postgres and MySQL flavors.
+    - Plaintext Amazon custom RDS with Oracle and SQL Server flavors.
+- Plaintext Azure storage account connection strings.
+- Plaintext Azure storage account SAS tokens.
+- Plaintext AWS access keys.
+- Plaintext AWS S3 pre-signed URL.
+- Plaintext Google storage signed URL. 
+
+The agentless scanner verifies whether SSH private keys can be used to move laterally in your network. Keys that aren't successfully verified are categorized as `unverified` on the Recommendation page. 
 
 ## Prerequisites
 

articles/defender-for-cloud/support-matrix-defender-for-servers.md

@@ -49,7 +49,7 @@ This table summarizes Azure cloud support for Defender for Servers features.
 [Adaptive application controls](./adaptive-application-controls.md)  | GA | GA | GA
 [Adaptive network hardening](./adaptive-network-hardening.md) | GA | NA | NA
 [Docker host hardening](./harden-docker-hosts.md)  | GA | GA | GA 
-[Agentless secret scanning](secret-scanning.md) | Preview | NA | NA
+[Agentless secret scanning](secret-scanning.md) | GA | NA | NA
 
 ## Windows machine support
 
@@ -126,7 +126,7 @@ The following table shows feature support for AWS and GCP machines.
 | Third-party vulnerability assessment | - | - |
 | [Network security assessment](protect-network-resources.md) | - | - |
 | [Cloud security explorer](how-to-manage-cloud-security-explorer.md) | ✔ | - |
-| [Agentless secret scanning](secret-scanning.md) | ✔ | - |
+| [Agentless secret scanning](secret-scanning.md) | ✔ | ✔ |
 
 ## Endpoint protection support