Merge pull request #223291 from AlizaBernstein/WI-58153-mdc-freshness-review

WI-58153 mdc freshness review

Author: ttorble

articles/defender-for-cloud/adaptive-application-controls.md

@@ -4,20 +4,19 @@ description: This document helps you use adaptive application control in Microso
 author: bmansheim
 ms.author: benmansheim
 ms.topic: how-to
-ms.date: 11/09/2021
+ms.date: 01/08/2023
 
 ---
 # Use adaptive application controls to reduce your machines' attack surfaces
 
 
-
 Learn about the benefits of Microsoft Defender for Cloud's adaptive application controls and how you can enhance your security with this data-driven, intelligent feature.
 
 ## What are adaptive application controls?
 
 Adaptive application controls are an intelligent and automated solution for defining allowlists of known-safe applications for your machines. 
 
-Often, organizations have collections of machines that routinely run the same processes. Microsoft Defender for Cloud uses machine learning to analyze the applications running on your machines and create a list of the known-safe software. Allowlists are based on your specific Azure workloads, and you can further customize the recommendations using the instructions below.
+Often, organizations have collections of machines that routinely run the same processes. Microsoft Defender for Cloud uses machine learning to analyze the applications running on your machines and create a list of the known-safe software. Allowlists are based on your specific Azure workloads, and you can further customize the recommendations using the following instructions.
 
 When you've enabled and configured adaptive application controls, you'll get security alerts if any application runs other than the ones you've defined as safe.
 
@@ -55,7 +54,7 @@ Select the recommendation, or open the adaptive application controls page to vie
 
 1. Open the Workload protections dashboard and from the advanced protection area, select **Adaptive application controls**.
 
-    :::image type="content" source="./media/adaptive-application/opening-adaptive-application-control.png" alt-text="Opening adaptive application controls from the Azure Dashboard." lightbox="./media/adaptive-application/opening-adaptive-application-control.png":::
+    :::image type="content" source="./media/adaptive-application/opening-adaptive-application-control-new.png" alt-text="Screenshot showing opening adaptive application controls from the Azure Dashboard." lightbox="./media/adaptive-application/opening-adaptive-application-control.png":::
 
     The **Adaptive application controls** page opens with your VMs grouped into the following tabs:
 
@@ -66,20 +65,20 @@ Select the recommendation, or open the adaptive application controls page to vie
     - **Recommended** - Groups of machines that consistently run the same applications, and don't have an allowlist configured. We recommend that you enable adaptive application controls for these groups.
 
       > [!TIP]
-      > If you see a group name with the prefix "REVIEWGROUP", it contains machines with a partially consistent list of applications. Microsoft Defender for Cloud can't see a pattern but recommends reviewing this group to see whether _you_ can manually define some adaptive application controls rules as described in [Editing a group's adaptive application controls rule](#edit-a-groups-adaptive-application-controls-rule).
+      > If you see a group name with the prefix "REVIEWGROUP", it contains machines with a partially consistent list of applications. Microsoft Defender for Cloud can't see a pattern but recommends reviewing this group to see whether _you_ can manually define some adaptive application controls rules as described in [Edit a group's adaptive application controls rule](#edit-a-groups-adaptive-application-controls-rule).
       >
       > You can also move machines from this group to other groups as described in [Move a machine from one group to another](#move-a-machine-from-one-group-to-another).
 
     - **No recommendation** - Machines without a defined allowlist of applications, and which don't support the feature. Your machine might be in this tab for the following reasons:
       - It's missing a Log Analytics agent
       - The Log Analytics agent isn't sending events
       - It's a Windows machine with a pre-existing [AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview) policy enabled by either a GPO or a local security policy
-      - AppLocker is not available (Windows Server Core installations)
+      - AppLocker isn't available (Windows Server Core installations)
 
       > [!TIP]
       > Defender for Cloud needs at least two weeks of data to define the unique recommendations per group of machines. Machines that have recently been created, or which belong to subscriptions that were only recently protected by Microsoft Defender for Servers, will appear under the **No recommendation** tab.
 
-1. Open the **Recommended** tab. The groups of machines with recommended allowlists appears.
+1. Open the **Recommended** tab. The groups of machines with recommended allowlists appear.
 
    ![Recommended tab.](./media/adaptive-application/adaptive-application-recommended-tab.png)
 
@@ -89,7 +88,7 @@ Select the recommendation, or open the adaptive application controls page to vie
 
    ![Configure a new rule.](./media/adaptive-application/adaptive-application-create-rule.png)
 
-   1. **Select machines** - By default, all machines in the identified group are selected. Unselect any to removed them from this rule.
+   1. **Select machines** - By default, all machines in the identified group are selected. Unselect any to remove them from this rule.
 
    1. **Recommended applications** - Review this list of applications that are common to the machines within this group, and recommended to be allowed to run.
 
@@ -98,7 +97,7 @@ Select the recommendation, or open the adaptive application controls page to vie
       > [!TIP]
       > Both application lists include the option to restrict a specific application to certain users. Adopt the principle of least privilege whenever possible.
       > 
-      > Applications are defined by their publishers, if an application doesn't have publisher information (it's unsigned), a path rule is created for the full path of the specific application.
+      > Applications are defined by their publishers; if an application doesn't have publisher information (it's unsigned), a path rule is created for the full path of the specific application.
 
    1. To apply the rule, select **Audit**. 
 
@@ -140,11 +139,11 @@ To edit the rules for a group of machines:
 
 ## Review and edit a group's settings
 
-1. To view the details and settings of your group, select **Group settings**
+1. To view the details and settings of your group, select **Group settings**.
 
     This pane shows the name of the group (which can be modified), the OS type, the location, and other relevant details.
 
-    :::image type="content" source="./media/adaptive-application/adaptive-application-group-settings.png" alt-text="The group settings page for adaptive application controls." lightbox="./media/adaptive-application/adaptive-application-group-settings.png":::
+    :::image type="content" source="./media/adaptive-application/adaptive-application-group-settings.png" alt-text="Screenshot showing the group settings page for adaptive application controls." lightbox="./media/adaptive-application/adaptive-application-group-settings.png":::
 
 1. Optionally, modify the group's name or file type protection modes.
 
@@ -177,25 +176,25 @@ To remediate the issues:
 
 1. To investigate further, select a group.
 
-   ![Recent alerts.](./media/adaptive-application/recent-alerts.png)
+    :::image type="content" source="./media/adaptive-application/recent-alerts.png" alt-text="Screenshot showing selecting a group the group settings page for adaptive application controls." lightbox="./media/adaptive-application/recent-alerts.png"::: 
 
 1. For further details, and the list of affected machines, select an alert.
 
     The security alerts page shows more details of the alerts and provides a **Take action** link with recommendations of how to mitigate the threat.
 
-    :::image type="content" source="media/adaptive-application/adaptive-application-alerts-start-time.png" alt-text="The start time of adaptive application controls alerts is the time that adaptive application controls created the alert.":::
+    :::image type="content" source="media/adaptive-application/adaptive-application-alerts-start-time.png" alt-text="Screenshot showing the start time of adaptive application controls alerts is the time that adaptive application controls created the alert.":::
 
     > [!NOTE]
     > Adaptive application controls calculates events once every twelve hours. The "activity start time" shown in the security alerts page is the time that adaptive application controls created the alert, **not** the time that the suspicious process was active.
 
 
 ## Move a machine from one group to another
 
-When you move a machine from one group to another, the application control policy applied to it changes to the settings of the group that you moved it to. You can also move a machine from a configured group to a non-configured group, doing so removes any application control rules that were applied to the machine.
+When you move a machine from one group to another, the application control policy applied to it changes to the settings of the group that you moved it to. You can also move a machine from a configured group to a non-configured group; doing so removes any application control rules that were applied to the machine.
 
 1. Open the **Workload protections dashboard** and from the advanced protection area, select **Adaptive application controls**.
 
-1. From the **Adaptive application controls** page, from the **Configured** tab, select the group containing the  machine to be moved.
+1. From the **Adaptive application controls** page, from the **Configured** tab, select the group containing the machine to be moved.
 
 1. Open the list of  **Configured machines**.
 
@@ -213,20 +212,20 @@ When you move a machine from one group to another, the application control polic
 
 To manage your adaptive application controls programmatically, use our REST API. 
 
-The relevant API documentation is available in [the Adaptive application Controls section of Defender for Cloud's API docs](/rest/api/defenderforcloud/adaptive-application-controls).
+The relevant API documentation is available in [the Adaptive application Controls section of Defender for Cloud's API docs](https://learn.microsoft.com/rest/api/defenderforcloud/adaptive-application-controls).
 
-Some of the functions that are available from the REST API:
+Some of the functions available from the REST API include:
 
 * **List** retrieves all your group recommendations and provides a JSON with an object for each group.
 
-* **Get** retrieves the JSON with the full recommendation data (that is, list of machines, publisher/path rules, and so on).
+* **Get** retrieves the JSON with the full recommendation data (list of machines, publisher/path rules, etc.).
 
 * **Put** configures your rule (use the JSON you retrieved with **Get** as the body for this request).
 
    > [!IMPORTANT]
-   > The **Put** function expects fewer parameters than the JSON returned by the Get command contains.
+   > The **Put** function expects fewer parameters than the JSON returned by the **Get** command contains.
    >
-   > Remove the following properties before using the JSON in the Put request: recommendationStatus, configurationStatus, issues, location, and sourceSystem.
+   > Remove the following properties before using the JSON in the **Put** request: recommendationStatus, configurationStatus, issues, location, and sourceSystem.
 
 
 ## FAQ - Adaptive application controls
@@ -235,7 +234,7 @@ Some of the functions that are available from the REST API:
 - [Why do I see a Qualys app in my recommended applications?](#why-do-i-see-a-qualys-app-in-my-recommended-applications)
 
 ### Are there any options to enforce the application controls?
-No enforcement options are currently available. Adaptive application controls are intended to provide **security alerts** if any application runs other than the ones you've defined as safe. They have a range of benefits ([What are the benefits of adaptive application controls?](#what-are-the-benefits-of-adaptive-application-controls)) and are extremely customizable as shown on this page.
+No enforcement options are currently available. Adaptive application controls are intended to provide **security alerts** if any application runs other than the ones you've defined as safe. They have a range of benefits ([What are the benefits of adaptive application controls?](#what-are-the-benefits-of-adaptive-application-controls)) and are customizable as shown on this page.
 
 ### Why do I see a Qualys app in my recommended applications?
 [Microsoft Defender for Servers](defender-for-servers-introduction.md) includes vulnerability scanning for your machines at no extra cost. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Defender for Cloud. For details of this scanner and instructions for how to deploy it, see [Defender for Cloud's integrated Qualys vulnerability assessment solution](deploy-vulnerability-assessment-vm.md).

articles/defender-for-cloud/defender-for-app-service-introduction.md

@@ -1,7 +1,7 @@
 ---
 title: Microsoft Defender for App Service - the benefits and features
 description: Learn about the capabilities of Microsoft Defender for App Service and how to enable it on your subscription
-ms.date: 11/09/2021
+ms.date: 01/10/2023
 ms.topic: overview
 ms.author: benmansheim
 author: bmansheim
@@ -66,7 +66,7 @@ Defender for Cloud monitors for many threats to your App Service resources. The
 
 ### Dangling DNS detection
 
-Defender for App Service also identifies any DNS entries remaining in your DNS registrar when an App Service website is decommissioned - these are known as dangling DNS entries. When you remove a website and don't remove its custom domain from your DNS registrar, the DNS entry is pointing at a non-existent resource and your subdomain is vulnerable to a takeover. Defender for Cloud doesn't scan your DNS registrar for *existing* dangling DNS entries; it alerts you when an App Service website is decommissioned and its custom domain (DNS entry) isn't deleted.
+Defender for App Service also identifies any DNS entries remaining in your DNS registrar when an App Service website is decommissioned - these are known as dangling DNS entries. When you remove a website and don't remove its custom domain from your DNS registrar, the DNS entry is pointing to a non-existent resource, and your subdomain is vulnerable to a takeover. Defender for Cloud doesn't scan your DNS registrar for *existing* dangling DNS entries; it alerts you when an App Service website is decommissioned and its custom domain (DNS entry) isn't deleted.
 
 Subdomain takeovers are a common, high-severity threat for organizations. When a threat actor detects a dangling DNS entry, they create their own site at the destination address. The traffic intended for the organization’s domain is then directed to the threat actor's site, and they can use that traffic for a wide range of malicious activity.
 
@@ -83,7 +83,7 @@ For a full list of the App Service alerts, see the [Reference table of alerts](a
 
 ## Next steps
 
-In this article, you learned about Microsoft Defender for App Service. 
+In this article, you learned about Microsoft Defender for App Service.
 
 > [!div class="nextstepaction"]
 > [Enable enhanced protections](enable-enhanced-security.md)

articles/defender-for-cloud/defender-for-dns-introduction.md

@@ -1,7 +1,7 @@
 ---
 title: Microsoft Defender for DNS - the benefits and features
 description: Learn about the benefits and features of Microsoft Defender for DNS
-ms.date: 11/09/2021
+ms.date: 01/10/2023
 ms.topic: overview
 ms.author: benmansheim
 author: bmansheim
@@ -37,12 +37,13 @@ A full list of the alerts provided by Microsoft Defender for DNS is on the [aler
 
 Microsoft Defender for DNS doesn't use any agents. 
 
-To protect your DNS layer, enable Microsoft Defender for DNS for each of your subscriptions as described in [Enable enhanced protections](enable-enhanced-security.md).
 
 ## Next steps
 
 In this article, you learned about Microsoft Defender for DNS. 
 
+To protect your DNS layer, enable Microsoft Defender for DNS for each of your subscriptions as described in [Enable enhanced protections](enable-enhanced-security.md).
+
 > [!div class="nextstepaction"]
 > [Enable enhanced protections](enable-enhanced-security.md)