Merge pull request #229902 from ElazarK/WI69169-deprecate-assessments

removed custom and kql from AWS

Author: ttorble

articles/defender-for-cloud/how-to-manage-aws-assessments-standards.md

@@ -3,217 +3,57 @@ title: Manage AWS assessments and standards
 titleSuffix: Defender for Cloud
 description: Learn how to create custom security assessments and standards for your AWS environment.
 ms.topic: how-to
-ms.date: 02/07/2023
+ms.date: 03/09/2023
 ---
 
 # Manage AWS assessments and standards
 
-Security standards contain comprehensive sets of security recommendations to help secure your cloud environments. Security teams can use the readily available standards such as AWS CIS 1.2.0, AWS CIS 1.5.0, AWS Foundational Security Best Practices, and AWS PCI DSS 3.2.1, or create custom standards to meet specific internal requirements.
+Security standards contain comprehensive sets of security recommendations to help secure your cloud environments. Security teams can use the readily available standards such as AWS CIS 1.2.0, AWS CIS 1.5.0, AWS Foundational Security Best Practices, and AWS PCI DSS 3.2.1.
 
-There are three types of resources that are needed to create and manage assessments:
+There are two types of resources that are needed to create and manage assessments:
 
-- Assessment:
-    - assessment details such as name, description, severity, remediation logic, etc.
-    - assessment logic in KQL
-    - the standard it belongs to
 - Standard: defines a set of assessments
-- Standard assignment: defines the scope, which the standard will evaluate. For example, specific AWS account(s).
+- Standard assignment: defines the scope, which the standard evaluates. For example, specific AWS account(s).
 
-You can either use the built-in regulatory compliance standards or create your own custom standards.
+## Create a custom compliance standard to your AWS account
 
-## Assign a built-in compliance standard to your AWS account
-
-**To assign a built-in compliance standard to your AWS account**:
+**To create a custom compliance standard to your AWS account**:
 
 1. Sign in to the [Azure portal](https://portal.azure.com/).
 
 1. Navigate to **Microsoft Defender for Cloud** > **Environment settings**.
 
 1. Select the relevant AWS account.
 
-1. Select **Standards** > **Add** > **Standard**.
+1. Select **Standards** > **+ Create** > **Standard**.
 
     :::image type="content" source="media/how-to-manage-assessments-standards/aws-add-standard.png" alt-text="Screenshot that shows you where to navigate to in order to add an AWS standard." lightbox="media/how-to-manage-assessments-standards/aws-add-standard-zoom.png":::
 
-1. Select a built-in standard from the drop-down menu.
+1. Enter a name, description and select built-in recommendations from the drop-down menu.
+
+    :::image type="content" source="media/how-to-manage-assessments-standards/create-standard-aws.png" alt-text="Screenshot of the Create new standard window.":::
 
-1. Select **Save**.
+1. Select **Create**.
 
-## Create a new custom standard for your AWS account
+## Assign a built-in compliance standard to your AWS account
 
-**To create a new custom standard for your AWS account**:
+**To assign a built-in compliance standard to your AWS account**:
 
 1. Sign in to the [Azure portal](https://portal.azure.com/).
 
 1. Navigate to **Microsoft Defender for Cloud** > **Environment settings**.
 
 1. Select the relevant AWS account.
 
-1. Select **Standards** > **Create** > **Standard**.
-
-1. Select **New standard**.
-
-    :::image type="content" source="media/how-to-manage-assessments-standards/new-aws-standard.png" alt-text="Screenshot that shows you where to select a new AWS standard." lightbox="media/how-to-manage-assessments-standards/new-aws-standard.png":::
+1. Select **Standards**.
 
-1. Enter a name, description and select which assessments you want to add.
+1. Select the **three dot button** for the built-in standard you want to assign.
 
-1. Select **Save**.
+    :::image type="content" source="media/how-to-manage-assessments-standards/aws-built-in.png" alt-text="Screenshot that shows where the three dot button is located on the screen." lightbox="media/how-to-manage-assessments-standards/aws-built-in.png":::
 
-## Assign a built-in assessment to your AWS account
-
-**To assign a built-in assessment to your AWS account**:
-
-1. Sign in to the [Azure portal](https://portal.azure.com/).
-
-1. Navigate to **Microsoft Defender for Cloud** > **Environment settings**.
-
-1. Select the relevant AWS account.
+1. Select **Assign standard**.
 
-1. Select **Standards** > **Add** > **Assessment**.
-
-    :::image type="content" source="media/how-to-manage-assessments-standards/aws-assessment.png" alt-text="Screenshot that shows where to navigate to, to select an AWS assessment." lightbox="media/how-to-manage-assessments-standards/aws-assessment.png":::
-
-1. Select **Existing assessment**.
-
-1. Select all relevant assessments from the drop-down menu.
-
-1. Select the standards from the drop-down menu.
-
-1. Select **Save**.
-
-## How to build a query
-
-The last row of the query should return all the original columns (don’t use ‘project’, ‘project-away'). End the query with an iff statement that defines the healthy or unhealthy conditions: `| extend HealthStatus = iff([boolean-logic-here], 'UNHEALTHY','HEALTHY')`.
-
-### Sample KQL queries
-
-When building a KQL query, you should use the following table structure:
-
-```kusto
-- TimeStamp
-                 2021-10-07T10:30:21.403732Z
-        - SdksInfo
-          {
-                 "AWSSDK.EC2": "3.7.5.2"
-          }
-
-      - RecordProviderInfo
-         {
-                "CloudName": "AWS",
-                 "CspmDiscoveryCloudRoleArn": "arn:aws:iam::123456789123:role/CSPMMonitoring",
-                 "Type": "MultiCloudDiscoveryServiceDataCollector",
-                 "HierarchyIdentifier": "123456789123",
-                 "ConnectorId": "b3113210-63f9-43c5-a6a7-f14a2a5b3cd0"
-           }
-      - RecordOrganizationInfo
-          {
-                 "Type": "MyOrganization",
-                 "TenantId": "bda8bc53-d9f8-4248-b9a9-3a6c7fe0b92f",
-                 "SubscriptionId": "69444886-de6b-40c5-8b43-065f739fffb9",
-                 "ResourceGroupName": "MyResourceGroupName"
-           }
-
-     - CorrelationId
-        4f5e50e1d92c400caf507036a1237c72
-    - RecordRegionalInfo
-        {
-                "Type": "MultiCloudRegion",
-                "RegionUniqueName": "eu-west-2",
-                "RegionDisplayName": "EU West (London)",
-                "IsGlobalForRecord": false
-        }
-
-     - RecordIdentifierInfo
-        {
-               "Type": "MultiCloudDiscoveryServiceDataCollector",
-                "RecordNativeCloudUniqueIdentifier": "arn:aws:ec2:eu-west-2:123456789123:elastic-ip/eipalloc-1234abcd5678efef9",
-                "RecordAzureUniqueIdentifier": "/subscriptions/69444886-de6b-40c5-8b43-065f739fffb9/resourcegroups/MyResourceGroupName/providers/Microsoft.Security/securityconnectors/b3113210-63f9-43c5-a6a7-f14a2a5b3cd0/securityentitydata/aws-ec2-elastic-ip-eipalloc-1234abcd5678efef9-eu-west-2",
-                "RecordIdentifier": "eipalloc-1234abcd5678efef9-eu-west-2",
-                "ResourceProvider": "EC2",
-                "ResourceType": "elastic-ip"
-         }
-      - Record
-         {
-               "AllocationId": "eipalloc-1234abcd5678efef9",
-              "AssociationId": "eipassoc-234abcd5678efef90",
-              "CarrierIp": null,
-              "CustomerOwnedIp": null,
-              "CustomerOwnedIpv4Pool": null,
-              "Domain": {
-                             "Value": "vpc"
-               },
-               "InstanceId": "i-0a8fcc00493c4625d",
-               "NetworkBorderGroup": "eu-west-2",
-               "NetworkInterfaceId": "eni-34abcd5678efef901",
-               "NetworkInterfaceOwnerId": "123456789123",
-               "PrivateIpAddress": "172.31.21.88",
-               "PublicIp": "19.218.211.431",
-               "PublicIpv4Pool": "amazon",
-                "Tags": [
-                            {
-                                           "Value": "arn:aws:cloudformation:eu-west-2:123456789123:stack/awseb-e-sjuh4tkr7a-stack/4ff15da0-2512-11ec-ab59-023b28e97f64",
-                                            "Key": "aws:cloudformation:stack-id"
-                            },
-                            {
-                                           "Value": "e-sjuh4tkr7a",
-                                            "Key": "elasticbeanstalk:environment-id"
-                            },
-                            {
-                                           "Value": "AWSEBEIP",
-                                           "Key": "aws:cloudformation:logical-id"
-                            },
-                            {
-                                           "Value": "awseb-e-sjuh4tkr7a-stack",
-                                            "Key": "aws:cloudformation:stack-name"
-                            },
-                            {
-                                           "Value": "Mebrennetest3-env",
-                                            "Key": "elasticbeanstalk:environment-name"
-                             },
-                             {
-                                            "Value": "Mebrennetest3-env",
-                                             "Key": "Name"
-                             }
-                        ]
-                 }
-```
-
-> [!NOTE]
-> The `Record` field contains the data structure as it is returned from the AWS API. Use this field to define conditions which will determine if the resource is healthy or unhealthy.
->
-> You can access internal properties of `Record` filed using a dot notation. For example: `| extend EncryptionType = Record.Encryption.Type`.
-
-**Stopped EC2 instances should be removed after a specified time period**
-         
-```kusto
-EC2_Instance
-| extend State = tolower(tostring(Record.State.Name.Value))
-| extend StoppedTime = todatetime(tostring(Record.StateTransitionReason))
-| extend HealthStatus = iff(not(State == 'stopped' and StoppedTime < ago(30d)), 'HEALTHY', 'UNHEALTHY')
-```
-
-**EC2 subnets should not automatically assign public IP addresses**
-         
-
-```kusto
-EC2_Subnet
-| extend MapPublicIpOnLaunch = tolower(tostring(Record.MapPublicIpOnLaunch))
-| extend HealthStatus = iff(MapPublicIpOnLaunch == 'false' ,'HEALTHY', 'UNHEALTHY')
-```
-
-**EC2 instances should not use multiple ENIs**
-         
-```kusto
-EC2_Instance
-| extend NetworkInterfaces = parse_json(Record)['NetworkInterfaces']
-| extend NetworkInterfaceCount = array_length(parse_json(NetworkInterfaces))
-| extend HealthStatus = iff(NetworkInterfaceCount == 1 ,'HEALTHY', 'UNHEALTHY')
-```
-
-You can use the following links to learn more about Kusto queries:
-- [KQL quick reference](/azure/data-explorer/kql-quick-reference)
-- [Kusto Query Language (KQL) overview](/azure/data-explorer/kusto/query/)
-- [Must Learn KQL](https://azurecloudai.blog/2021/11/17/must-learn-kql-part-1-tools-and-resources/)
+1. Select **Yes**.
 
 ## Next steps
 

articles/defender-for-cloud/how-to-manage-gcp-assessments-standards.md

@@ -1,128 +1,60 @@
 ---
 title: Manage GCP assessments and standards
 titleSuffix: Defender for Cloud
-description: Learn how to create custom security assessments and standards for your GCP environment.
+description: Learn how to create standards for your GCP environment.
 ms.topic: how-to
-ms.date: 01/24/2023
+ms.date: 03/08/2023
 ---
 
 # Manage GCP assessments and standards
 
 Security standards contain comprehensive sets of security recommendations to help secure your cloud environments. Security teams can use the readily available regulatory standards such as GCP CIS 1.1.0, GCP CIS and 1.2.0, or create custom standards to meet specific internal requirements.
 
-There are three types of resources that are needed to create and manage assessments:
+There are two types of resources that are needed to create and manage standards:
 
-- Assessment:
-    - assessment details such as name, description, severity, remediation logic, etc.
-    - assessment logic in KQL
-    - the standard it belongs to
 - Standard: defines a set of assessments
-- Standard assignment: defines the scope, which the standard will evaluate. For example, specific GCP projects.
+- Standard assignment: defines the scope, which the standard evaluates. For example, specific GCP projects.
 
-You can either use the built-in compliance standards or create your own custom standards or built-in assessments.
+## Create a custom compliance standard to your GCP project
 
-## Assign a built-in compliance standard to your GCP project
-
-**To assign a built-in compliance standard to your GCP project**:
+**To create a custom compliance standard to your GCP project**:
 
 1. Sign in to the [Azure portal](https://portal.azure.com/).
 
 1. Navigate to **Microsoft Defender for Cloud** > **Environment settings**.
 
 1. Select the relevant GCP project.
 
-1. Select **Standards** > **Add** > **Standard**.
+1. Select **Standards** > **+ Create** > **Standard**.
 
     :::image type="content" source="media/how-to-manage-assessments-standards/gcp-standard.png" alt-text="Screenshot that shows you where to navigate to, to add a GCP standard." lightbox="media/how-to-manage-assessments-standards/gcp-standard-zoom.png":::
 
-1. Select a built-in standard from the drop-down menu.
+1. Enter a name, description and select built-in recommendations from the drop-down menu.
 
     :::image type="content" source="media/how-to-manage-assessments-standards/drop-down-menu.png" alt-text="Screenshot that shows you the standard options you can choose from the drop-down menu." lightbox="media/how-to-manage-assessments-standards/drop-down-menu.png":::
 
-1. Select **Save**.
-
-## Create a new custom standard for your GCP project
-
-**To create a new custom standard for your GCP project**:
-
-1. Sign in to the [Azure portal](https://portal.azure.com/).
-
-1. Navigate to **Microsoft Defender for Cloud** > **Environment settings**.
-
-1. Select the relevant GCP project.
-
-1. Select **Standards** > **Add** > **Standard**.
-
-1. Select **New standard**.
-
-1. Enter a name, description and select which assessments you want to add.
-
-1. Select **Save**.
+1. Select **Create**.
 
-## Assign a built-in assessment to your GCP project
+## Assign a built-in compliance standard to your GCP project
 
-**To assign a built-in assessment to your GCP project**:
+**To assign a built-in compliance standard to your GCP project**:
 
 1. Sign in to the [Azure portal](https://portal.azure.com/).
 
 1. Navigate to **Microsoft Defender for Cloud** > **Environment settings**.
 
 1. Select the relevant GCP project.
 
-1. Select **Standards** > **Add** > **Assessment**.
-
-    :::image type="content" source="media/how-to-manage-assessments-standards/gcp-assessment.png" alt-text="Screenshot that shows where to navigate to, to select GCP assessment." lightbox="media/how-to-manage-assessments-standards/gcp-assessment.png":::
-
-1. Select **Existing assessment**.
-
-1. Select all relevant assessments from the drop-down menu.
-
-1. Select the standards from the drop-down menu.
-
-1. Select **Save**.
-
-## How to build a query
-
-The last row of the query should return all the original columns (don’t use ‘project’, ‘project-away). End the query with an iff statement that defines the healthy or unhealthy conditions: `| extend HealthStatus = iff([boolean-logic-here], 'UNHEALTHY','HEALTHY')`.
-
-### Sample KQL queries
-
-**Ensure that Cloud Storage buckets have uniform bucket-level access enabled**
-
-```kusto
-let UnhealthyBuckets = Storage_Bucket 
-| extend RetentionPolicy = Record.retentionPolicy 
-| where isnull(RetentionPolicy) or isnull(RetentionPolicy.isLocked) or tobool(RetentionPolicy.isLocked)==false 
-| project BucketName = RecordIdentifierInfo.CloudNativeResourceName; Logging_LogSink 
-| extend Destination = split(Record.destination,'/')[0] 
-| where Destination == 'storage.googleapis.com' 
-| extend LogBucketName = split(Record.destination,'/')[1] 
-| extend HealthStatus = iff(LogBucketName in(UnhealthyBuckets), 'UNHEALTHY', 'HEALTHY')"
-```
-
-**Ensure VM disks for critical VMs are encrypted**
-
-```kusto
-Compute_Disk 
-| extend DiskEncryptionKey = Record.diskEncryptionKey 
-| extend IsVmNotEncrypted = isempty(tostring(DiskEncryptionKey.sha256)) 
-| extend HealthStatus = iff(IsVmNotEncrypted ,'UNHEALTHY' ,'HEALTHY')"
-```
+1. Select **Standards**.
 
-**Ensure Compute instances are launched with Shielded VM enabled**
+1. Select the **three dot button** for the built-in standard you want to assign.
 
-```kusto
-Compute_Instance 
-| extend InstanceName = tostring(Record.id)  
-| extend ShieldedVmExist = tostring(Record.shieldedInstanceConfig.enableIntegrityMonitoring) =~ 'true' and tostring(Record.shieldedInstanceConfig.enableVtpm) =~ 'true' 
-| extend HealthStatus = iff(ShieldedVmExist, 'HEALTHY', 'UNHEALTHY')"
-```
+    :::image type="content" source="media/how-to-manage-assessments-standards/gcp-built-in.png" alt-text="Screenshot that shows where the three dot button is located on the screen." lightbox="media/how-to-manage-assessments-standards/gcp-built-in.png":::
 
-You can use the following links to learn more about Kusto queries:
-- [KQL quick reference](/azure/data-explorer/kql-quick-reference)
-- [Kusto Query Language (KQL) overview](/azure/data-explorer/kusto/query/)
-- [Must Learn KQL](https://azurecloudai.blog/2021/11/17/must-learn-kql-part-1-tools-and-resources/)
+1. Select **Assign standard**.
 
+1. Select **Yes**.
+ 
 ## Next steps
 
 In this article, you learned how to manage your assessments and standards in Defender for Cloud.