Merge branch 'MicrosoftDocs:main' into lakshmisha-new-residency-update2

Author: Lakshmisha-KS

articles/backup/azure-kubernetes-service-backup-troubleshoot.md

@@ -2,7 +2,7 @@
 title: Troubleshoot Azure Kubernetes Service backup
 description: Symptoms, causes, and resolutions of the Azure Kubernetes Service backup and restore operations.
 ms.topic: troubleshooting
-ms.date: 02/28/2024
+ms.date: 02/29/2024
 ms.service: backup
 ms.custom:
   - ignite-2023
@@ -63,10 +63,10 @@ The extension pods aren't exempt, and require the Microsoft Entra pod identity t
    kubectl get Azurepodidentityexceptions --all-namespaces
    ```
 
-3. To assign the *Storage Account Contributor* role to the extension identity, run the following command:
+3. To assign the *Storage Blob Data Contributor* role to the extension identity, run the following command:
 
    ```azurecli-interactive
-   az role assignment create --assignee-object-id $(az k8s-extension show --name azure-aks-backup --cluster-name aksclustername --resource-group aksclusterresourcegroup --cluster-type managedClusters --query aksAssignedIdentity.principalId --output tsv) --role 'Storage Account Contributor' --scope /subscriptions/subscriptionid/resourceGroups/storageaccountresourcegroup/providers/Microsoft.Storage/storageAccounts/storageaccountname
+   az role assignment create --assignee-object-id $(az k8s-extension show --name azure-aks-backup --cluster-name aksclustername --resource-group aksclusterresourcegroup --cluster-type managedClusters --query aksAssignedIdentity.principalId --output tsv) --role 'Storage Blob Data Contributor' --scope /subscriptions/subscriptionid/resourceGroups/storageaccountresourcegroup/providers/Microsoft.Storage/storageAccounts/storageaccountname
    ```
 
 ### Scenario 3
@@ -192,13 +192,13 @@ These error codes appear due to issues based on the Backup extension installed i
 
 ### UserErrorExtensionMSIMissingPermissionsOnBackupStorageLocation
 
-**Cause**: The Backup extension should have the *Storage Account Contributor* role on the Backup Storage Location (storage account). The Extension Identity gets this role assigned. 
+**Cause**: The Backup extension should have the *Storage Blob Data Contributor* role on the Backup Storage Location (storage account). The Extension Identity gets this role assigned. 
 
 **Recommended action**: If this role is missing, then use Azure portal or CLI to reassign this missing permission on the storage account.
 
 ### UserErrorBackupStorageLocationNotReady
 
-**Cause**: During extension installation, a Backup Storage Location is to be provided as input that includes a storage account and blob container. The Backup extension should have *Storage Account Contributor* role on the Backup Storage Location (storage account). The Extension Identity gets this role assigned.
+**Cause**: During extension installation, a Backup Storage Location is to be provided as input that includes a storage account and blob container. The Backup extension should have *Storage Blob Data Contributor* role on the Backup Storage Location (storage account). The Extension Identity gets this role assigned.
 
 **Recommended action**: The error appears if the Extension Identity doesn't have right permissions to access the storage account. This  error appears if AKS backup extension is installed the first time when configuring protection operation. This happens for the time taken for the granted permissions to propagate to the AKS backup extension. As a workaround, wait an hour and retry the protection configuration. Otherwise, use Azure portal or CLI to reassign this missing permission on the storage account.
 

articles/defender-for-cloud/file-integrity-monitoring-enable-log-analytics.md

@@ -174,7 +174,7 @@ The **Changes** tab (shown below) lists all changes for the workspace during the
 Use wildcards to simplify tracking across directories. The following rules apply when you configure folder monitoring using wildcards:
 
 - Wildcards are required for tracking multiple files.
-- Wildcards can only be used in the last segment of a path, such as `C:\folder\file` or` /etc/*.conf`
+- Wildcards can only be used in the last segment of a path, such as `C:\folder\file` or `/etc/*.conf`
 - If an environment variable includes a path that isn't valid, validation succeeds but the path fails when inventory runs.
 - When setting the path, avoid general paths such as `c:\*.*`, which results in too many folders being traversed.
 
@@ -239,7 +239,7 @@ File Integrity Monitoring data resides within the Azure Log Analytics/Configurat
 
     In the following example, we're retrieving all changes in the last 14 days in the categories of registry and files:
 
-    ```
+    ```kusto
     ConfigurationChange
     | where TimeGenerated > ago(14d)
     | where ConfigChangeType in ('Registry', 'Files')
@@ -251,7 +251,7 @@ File Integrity Monitoring data resides within the Azure Log Analytics/Configurat
     1. Remove **Files** from the **where** clause.
     1. Remove the summarization line and replace it with an ordering clause:
 
-    ```
+    ```kusto
     ConfigurationChange
     | where TimeGenerated > ago(14d)
     | where ConfigChangeType in ('Registry')

articles/defender-for-cloud/file-integrity-monitoring-overview.md

@@ -60,9 +60,9 @@ Defender for Cloud provides the following list of recommended items to monitor b
 
 ## Next steps
 
-In this article, you learned about File Integrity Monitoring (FIM) in Defender for Cloud. 
+In this article, you learned about File Integrity Monitoring (FIM) in Defender for Cloud.
 
 Next, you can:
 
 - [Enable File Integrity Monitoring when using the Azure Monitor Agent](file-integrity-monitoring-enable-ama.md)
-- [Enable File Integrity Monitoring when using the Log Analytics agent](file-integrity-monitoring-enable-log-analytics.md)
+- [Enable File Integrity Monitoring when using the Log Analytics agent](file-integrity-monitoring-enable-log-analytics.md)

articles/defender-for-cloud/github-action.md

@@ -1,6 +1,6 @@
 ---
 title: Configure the Microsoft Security DevOps GitHub action
-description: Learn how to configure the Microsoft Security DevOps GitHub action.
+description: Learn how to configure the Microsoft Security DevOps GitHub action to enhance your project's security and DevOps processes.
 ms.date: 06/18/2023
 ms.topic: how-to
 ---
@@ -105,10 +105,10 @@ Microsoft Security DevOps uses the following Open Source tools:
             name: alerts
             path: ${{ steps.msdo.outputs.sarifFile }}
     ```
+
     > [!NOTE]
     >  For additional tool configuration options, see [the Microsoft Security DevOps wiki](https://github.com/microsoft/security-devops-action/wiki)
 
-
 1. Select **Start commit**
 
     :::image type="content" source="media/msdo-github-action/start-commit.png" alt-text="Screenshot showing you where to select start commit.":::
@@ -141,7 +141,7 @@ Code scanning findings will be filtered by specific MSDO tools in GitHub. These
 
 - Learn how to [deploy apps from GitHub to Azure](/azure/developer/github/deploy-to-azure).
 
-## Next steps
+## Related content
 
 Learn more about [DevOps security in Defender for Cloud](defender-for-devops-introduction.md).
 

articles/defender-for-cloud/governance-rules.md

@@ -1,5 +1,5 @@
 ---
-title: Drive remediation of security recommendations with governance rules in Microsoft Defender for Cloud
+title: Drive remediation of recommendations with governance rules
 description: Learn how to drive remediation of security recommendations with governance rules in Microsoft Defender for Cloud
 services: defender-for-cloud
 ms.service: defender-for-cloud
@@ -37,8 +37,7 @@ For tracking, you can review the progress of the remediation tasks by subscripti
 
 - The [Defender Cloud Security Posture Management (CSPM) plan](concept-cloud-security-posture-management.md) must be enabled.
 - You need **Contributor**, **Security Admin**, or **Owner** permissions on the Azure subscriptions.
-- For AWS accounts and GCP projects,  you need **Contributor**, **Security Admin**, or **Owner** permissions on the Defender for Cloud AWS or GCP connectors. 
-
+- For AWS accounts and GCP projects,  you need **Contributor**, **Security Admin**, or **Owner** permissions on the Defender for Cloud AWS or GCP connectors.
 
 ## Define a governance rule
 
@@ -68,7 +67,7 @@ For tracking, you can review the progress of the remediation tasks by subscripti
 1. Specify how recommendations are impacted by the rule.
 
     - **By severity** - The rule assigns the owner and due date to any recommendation in the subscription that doesn't already have them assigned.
-    - **By specific recommendations** - Select the specific built-in or custom recommendations that the rule applies to. 
+    - **By specific recommendations** - Select the specific built-in or custom recommendations that the rule applies to.
 
     :::image type="content" source="./media/governance-rules/create-rule-conditions.png" alt-text="Screenshot of page for adding conditions for a governance rule." lightbox="media/governance-rules/create-rule-conditions.png":::
 
@@ -106,11 +105,11 @@ You can view the effect of government rules in your environment.
 1. You can search for rules, or filter rules.
 
      - Filter on **Environment** to identify rules for Azure, AWS, and GCP.
-     
+
      - Filter on rule name, owner, or time between the recommendation being issued and due date.
-     
+
      - Filter on **Grace period** to find MCSB recommendations that won't affect your secure score.
-     
+
      - Identify by status.
 
         :::image type="content" source="./media/governance-rules/view-filter-rules.png" alt-text="Screenshot of page for viewing and filtering rules." lightbox="media/governance-rules/view-filter-rules.png":::
@@ -131,6 +130,6 @@ The governance report lets you select subscriptions that have governance rules a
 
 From the governance report, you can drill down into recommendations by scope, display name, priority, remediation timeframe, owner type, owner details, grace period and cloud.
 
-## Next steps
+## Next step
 
 Learn how to [Implement security recommendations](implement-security-recommendations.md).

articles/defender-for-cloud/harden-docker-hosts.md

@@ -1,6 +1,6 @@
 ---
 title: Review Docker host hardening recommendations
-description: How-to protect your Docker hosts and verify they're compliant with the CIS Docker benchmark
+description: How to protect your Docker hosts and verify they're compliant with the CIS Docker benchmark with Microsoft Defender for Cloud.
 author: dcurwin
 ms.author: dacurwin
 ms.topic: how-to
@@ -26,21 +26,20 @@ When vulnerabilities are found, they're grouped inside a single recommendation.
 |Required roles and permissions:|**Reader** on the workspace to which the host connects|
 |Clouds:|:::image type="icon" source="./media/icons/yes-icon.png"::: Commercial clouds<br>:::image type="icon" source="./media/icons/yes-icon.png"::: National (Azure Government, Microsoft Azure operated by 21Vianet)<br>:::image type="icon" source="./media/icons/yes-icon.png"::: Connected AWS accounts|
 
-
 ## Identify and remediate security vulnerabilities in your Docker configuration
 
 1. From Defender for Cloud's menu, open the **Recommendations** page.
 
 1. Filter to the recommendation **Vulnerabilities in container security configurations should be remediated** and select the recommendation.
 
-    The recommendation page shows the affected resources (Docker hosts). 
+    The recommendation page shows the affected resources (Docker hosts).
 
     :::image type="content" source="./media/monitor-container-security/docker-host-vulnerabilities-found.png" alt-text="Recommendation to remediate vulnerabilities in container security configurations.":::
 
     > [!NOTE]
-    > Machines that aren't running Docker will be shown in the **Not applicable resources** tab. They'll appear in Azure Policy as Compliant. 
+    > Machines that aren't running Docker will be shown in the **Not applicable resources** tab. They'll appear in Azure Policy as Compliant.
 
-1. To view and remediate the CIS controls that a specific host failed, select the host you want to investigate. 
+1. To view and remediate the CIS controls that a specific host failed, select the host you want to investigate.
 
     > [!TIP]
     > If you started at the asset inventory page and reached this recommendation from there, select the **Take action** button on the recommendation page.
@@ -55,9 +54,8 @@ When vulnerabilities are found, they're grouped inside a single recommendation.
 
 1. When you're sure the command is appropriate and ready for your host, select **Run**.
 
+## Next step
 
-## Next steps
-
-Docker hardening is just one aspect of Defender for Cloud's container security features. 
+Docker hardening is just one aspect of Defender for Cloud's container security features.
 
 Learn more [Container security in Defender for Cloud](defender-for-containers-introduction.md).