Merge pull request #276385 from ElazarK/WI245622-CIS-baseline

MDVM baseline

Author: denrea

articles/defender-for-cloud/TOC.yml

@@ -641,6 +641,9 @@
         href: enable-adaptive-application-controls.md
     - name: Review server protection
       items:
+        - name: Remediate security baselines recommendation powered by MDVM
+          displayName: security, baseline, remediate, mdvm, vulnerability, assessment, va
+          href: remediate-security-baseline.md
         - name: Review hardening recommendations
           displayName: VM, guest configuration, vulnerabilities, ASB, benchmark
           href: apply-security-baseline.md

articles/defender-for-cloud/media/remediate-security-baseline/recommendation-findings.png

@@ -2,7 +2,7 @@
 title: Release notes
 description: This page is updated frequently with the latest updates in Defender for Cloud.
 ms.topic: overview
-ms.date: 05/22/2024
+ms.date: 05/28/2024
 ---
 
 # What's new in Microsoft Defender for Cloud?
@@ -24,13 +24,22 @@ If you're looking for items older than six months, you can find them in the [Arc
 
 |Date | Update |
 |--|--|
+| May 28 | [Remediate security baseline recommendation](#remediate-security-baseline-recommendation) |
 | May 22 | [Configure email notifications for attack paths](#configure-email-notifications-for-attack-paths) |
 | May 21 | [Advanced hunting in Microsoft Defender XDR now includes Defender for Cloud alerts and incidents](#advanced-hunting-in-microsoft-defender-xdr-now-includes-defender-for-cloud-alerts-and-incidents) |
 | May 9 | [Checkov integration for IaC scanning in Defender for Cloud (Preview)](#checkov-integration-for-iac-scanning-in-defender-for-cloud-preview) |
 | May 6 | [AI multicloud security posture management is publicly available for Azure and AWS](#ai-multicloud-security-posture-management-is-publicly-available-for-azure-and-aws) |
 | May 2 | [Updated security policy management is now generally available](#updated-security-policy-management-is-now-generally-available) |
 | May 1 | [Defender for open-source databases is now available on AWS for Amazon instances (Preview)](#defender-for-open-source-databases-is-now-available-on-aws-for-amazon-instances-preview) |
 
+### Remediate security baseline recommendation
+
+May 28, 2024
+
+Microsoft Defender for Cloud enhances the Center for Internet Security (CIS) benchmarks by providing security baselines that are powered by Microsoft Defender Vulnerability Management (MDVM). The new recommendation **Machine should be configured securely (powered by MDVM)** helps you secure your servers by providing recommendations that improve your security posture.
+
+Learn how to [remediate security baseline recommendations powered by MDVM](remediate-security-baseline.md).
+
 ### Configure email notifications for attack paths
 
 May 22, 2024
@@ -67,16 +76,16 @@ We're announcing the general availability (GA) of [permissions management](permi
 
 May 6, 2024
 
-We are announcing the inclusion of AI security posture management in Defender for Cloud. This feature provides AI security posture management capabilities for Azure and AWS that enhance the security of your AI pipelines and services.
+We're announcing the inclusion of AI security posture management in Defender for Cloud. This feature provides AI security posture management capabilities for Azure and AWS that enhance the security of your AI pipelines and services.
 
 Learn more about [AI security posture management](ai-security-posture.md).
 
 ### Limited public preview of threat protection for AI workloads in Azure
 
 May 6, 2024
 
-Threat protection for AI workloads in Defender for Cloud provides contextual insights into AI workload threat protection, integrating with [Responsible AI](../ai-services/responsible-use-of-ai-overview.md) and Microsoft Threat Intelligence. Threat protection for AI workloads security alerts are integrated into Defender XDR in the Defender portal.
-This plan helps you monitor your Azure OpenAI powered applications in runtime for malicious activity, identify and remediate security risks.
+Threat protection for AI workloads in Defender for Cloud provides contextual insights into AI workload threat protection, integrating with [Responsible AI](../ai-services/responsible-use-of-ai-overview.md) and Microsoft Threat Intelligence. Threat protections for AI workloads security alerts are integrated into Defender XDR in the Defender portal.
+This plan helps you monitor your Azure OpenAI powered applications in runtime for malicious activity, identify, and remediate security risks.
 
 Learn more about [threat protection for AI workloads](ai-threat-protection.md).
 
@@ -96,7 +105,7 @@ For more information, see [Security policies in Microsoft Defender for Cloud](se
 
 May 1, 2024
 
-We are announcing the public preview of Defender for open-source databases on AWS that adds support for various types of Amazon Relational Database Service (RDS) instance types.
+We're announcing the public preview of Defender for open-source databases on AWS that adds support for various types of Amazon Relational Database Service (RDS) instance types.
 
 Learn more about [Defender for open-source databases](defender-for-databases-introduction.md) and how to [enable Defender for open-source databases on AWS](enable-defender-for-databases-aws.md).
 
@@ -118,7 +127,7 @@ April 15, 2024
 
 Runtime threat detection and agentless discovery for AWS and GCP in Defender for Containers are now Generally Available (GA). For more information, see [Containers support matrix in Defender for Cloud](support-matrix-defender-for-containers.md).
 
-In addition, there is a new authentication capability in AWS which simplifies provisioning. For more information, see [Configure Microsoft Defender for Containers components](/azure/defender-for-cloud/defender-for-containers-enable?branch=pr-en-us-269845&tabs=aks-deploy-portal%2Ck8s-deploy-asc%2Ck8s-verify-asc%2Ck8s-remove-arc%2Caks-removeprofile-api&pivots=defender-for-container-eks#deploying-the-defender-sensor).
+In addition, there's a new authentication capability in AWS which simplifies provisioning. For more information, see [Configure Microsoft Defender for Containers components](/azure/defender-for-cloud/defender-for-containers-enable?branch=pr-en-us-269845&tabs=aks-deploy-portal%2Ck8s-deploy-asc%2Ck8s-verify-asc%2Ck8s-remove-arc%2Caks-removeprofile-api&pivots=defender-for-container-eks#deploying-the-defender-sensor).
 
 ### Risk prioritization is now the default experience in Defender for Cloud
 
@@ -264,13 +273,13 @@ Learn more about [continuous export](benefits-of-continuous-export.md).
 
 March 21, 2024
 
-Until now agentless scanning covered CMK encrypted VMs in AWS and GCP. With this release we're completing support for Azure as well. The capability employs a unique scanning approach for CMK in Azure:
+Until now agentless scanning covered CMK encrypted VMs in AWS and GCP. With this release, we're completing support for Azure as well. The capability employs a unique scanning approach for CMK in Azure:
 
 - Defender for Cloud doesn't handle the key or decryption process. Key handling and decryption are seamlessly handled by Azure Compute and is transparent to Defender for Cloud's agentless scanning service.
 - The unencrypted VM disk data is never copied or re-encrypted with another key.
 - The original key isn't replicated during the process. Purging it eradicates the data on both your production VM and Defender for Cloud’s temporary snapshot.
 
-During public preview this capability isn't automatically enabled. If you're using Defender for Servers P2 or Defender CSPM and your environment has VMs with CMK encrypted disks, you can now have them scanned for vulnerabilities, secrets and malware following these [enablement steps](enable-agentless-scanning-vms.md#agentless-vulnerability-assessment-on-azure).
+During public preview this capability isn't automatically enabled. If you're using Defender for Servers P2 or Defender CSPM and your environment has VMs with CMK encrypted disks, you can now have them scanned for vulnerabilities, secrets, and malware following these [enablement steps](enable-agentless-scanning-vms.md#agentless-vulnerability-assessment-on-azure).
 
 - [Learn more on agentless scanning for VMs](concept-agentless-data-collection.md)
 - [Learn more on agentless scanning permissions](faq-permissions.yml#which-permissions-are-used-by-agentless-scanning-)

articles/defender-for-cloud/media/remediate-security-baseline/remediation-steps.png

@@ -0,0 +1,56 @@
+---
+title: Remediate security baseline recommendations powered by MDVM
+description: Learn how to secure your servers with security baselines in Microsoft Defender for Cloud powered by Microsoft Defender Vulnerability Management.
+ms.topic: how-to
+ms.author: dacurwin
+author: dcurwin
+ms.date: 05/26/2024
+# customer intent: As a user, I want to learn how to secure my servers with security baselines in Microsoft Defender for Cloud powered by Microsoft Defender Vulnerability Management.
+---
+
+# Remediate security baseline recommendations powered by MDVM
+
+Microsoft Defender for Cloud enhances the Center for Internet Security (CIS) benchmarks by providing security baselines that are powered by Microsoft Defender Vulnerability Management (MDVM). These security baselines help you secure your servers by providing recommendations that improve your security posture.
+
+MDVM's security baselines features extensive coverage of benchmarks, which are continuously updated, along with comprehensive rule coverage. Each rule is accompanied with information that details the effect of the issue, a description of the problem, and detailed recommendation steps. These checks are integrated into the Microsoft Defender for Endpoint (MDE) agent, which allows Defender for Cloud to provide extra security checks within the same agent.
+
+## Prerequisites
+
+- [Enable Defender for Servers Plan 2](tutorial-enable-servers-plan.md).
+
+- [Enable the Microsoft Defender for Endpoint agent on your servers](enable-defender-for-endpoint.md).
+
+**Supported benchmark operating systems**: 
+- windows_server_2008_r2
+- windows_server_2016
+- windows_server_2019
+- windows_server_2022
+
+## Remediate security baseline recommendation
+
+To ensure your servers are protected and secure, you should remediate all security baselines recommendation in Defender for Cloud.
+
+1. Sign in to the [Azure portal](https://portal.azure.com/).
+
+1. Navigate to **Microsoft Defender for Cloud** > **Recommendations**.
+
+1. Search for and select **Machine should be configured securely (powered by MDVM)**.
+
+1. Select **View recommendation for all resources**.
+
+    :::image type="content" source="media/remediate-security-baseline/view-all-resources.png" alt-text="Screenshot that shows where the view recommendation for all resources is located in the recommendation." lightbox="media/remediate-security-baseline/view-all-resources.png":::
+
+1. Select one of the affected unhealthy resources.
+
+1. Select a security check.
+
+1. Follow the remediation step.
+
+    :::image type="content" source="media/remediate-security-baseline/remediation-steps.png" alt-text="Screenshot that shows where the remediation steps are located." lightbox="media/remediate-security-baseline/remediation-steps.png"::: 
+
+1. Repeat the process for all affected resources.
+
+## Next step
+
+> [!div class="nextstepaction"]
+> [View and remediate findings from vulnerability assessment solutions on your VMs](remediate-vulnerability-findings-vm.md)