Merge pull request #256251 from ElazarK/WI158655-&-WI158654

attack path and risk

Author: v-ccolin

.openpublishing.redirection.defender-for-cloud.json

@@ -884,6 +884,11 @@
             "source_path_from_root": "/articles/defender-for-cloud/defender-for-storage-exclude.md",
             "redirect_url": "/azure/defender-for-cloud/defender-for-storage-classic-enable#exclude-a-storage-account-from-a-protected-subscription-in-the-per-transaction-plan",
             "redirect_document_id": true
+        },
+        {
+            "source_path_from_root": "/articles/defender-for-cloud/attack-path-reference.md",
+            "redirect_url": "/azure/defender-for-cloud/how-to-manage-attack-path",
+            "redirect_document_id": true
         }
     ]
 }

articles/defender-for-cloud/TOC.yml

@@ -250,9 +250,6 @@
         - name: Reference list of DevOps recommendations
           displayName: devops, recommendations
           href: recommendations-reference-devops.md
-        - name: Reference list of attack paths and cloud security graph components
-          displayName: attack, paths, security, graph, components
-          href: attack-path-reference.md
     - name: Security alerts and incidents
       items:
         - name: About security alerts and incidents

articles/defender-for-cloud/attack-path-reference.md

@@ -5,7 +5,7 @@ author: dcurwin
 ms.author: dacurwin
 ms.service: defender-for-cloud
 ms.topic: conceptual
-ms.date: 09/05/2023
+ms.date: 10/26/2023
 ---
 # About data-aware security posture
 
@@ -37,7 +37,7 @@ Defender CSPM provides visibility and contextual insights into your organization
 
 Attack path analysis helps you to address security issues that pose immediate threats, and have the greatest potential for exploit in your environment. Defender for Cloud analyzes which security issues are part of potential attack paths that attackers could use to breach your environment. It also highlights the security recommendations that need to be resolved in order to mitigate the risks.
 
-You can discover risk of data breaches by attack paths of internet-exposed VMs that have access to sensitive data stores. Hackers can exploit exposed VMs to move laterally across the enterprise to access these stores. Review [attack paths](attack-path-reference.md#attack-paths).
+You can discover risk of data breaches by attack paths of internet-exposed VMs that have access to sensitive data stores. Hackers can exploit exposed VMs to move laterally across the enterprise to access these stores.
 
 ### Cloud Security Explorer
 

articles/defender-for-cloud/concept-data-security-posture.md

@@ -1,7 +1,7 @@
 ---
 title: Defender for Cloud glossary
 description: The glossary provides a brief description of important Defender for Cloud platform terms and concepts.
-ms.date: 07/18/2023
+ms.date: 11/08/2023
 ms.topic: article
 ---
 
@@ -67,7 +67,7 @@ Azure Security Benchmark provides recommendations on how you can secure your clo
 
 ### **Attack Path Analysis**
 
-A graph-based algorithm that scans the cloud security graph, exposes attack paths and suggests recommendations as to how best remediate issues that will break the attack path and prevent successful breach. See [What is attack path analysis?](concept-attack-path.md#what-is-attack-path-analysis).
+A graph-based algorithm that scans the cloud security graph, exposes attack paths and suggests recommendations as to how best remediate issues that break the attack path and prevent successful breach. See [What is attack path analysis?](concept-attack-path.md#what-is-attack-path-analysis).
 
 ### **Auto-provisioning**
 
@@ -129,7 +129,7 @@ Data-aware security posture automatically discovers datastores containing sensit
 
 ### Defender agent
 
-The DaemonSet that is deployed on each node, collects signals from hosts using eBPF technology, and provides runtime protection. The agent is registered with a Log Analytics workspace, and used as a data pipeline. However, the audit log data isn't stored in the Log Analytics workspace. It is deployed under AKS Security profile in AKS clusters and as an Arc extension in Arc enabled Kubernetes clusters. For more information, see [Architecture for each Kubernetes environment](defender-for-containers-architecture.md#architecture-for-each-kubernetes-environment).
+The DaemonSet that is deployed on each node, collects signals from hosts using eBPF technology, and provides runtime protection. The agent is registered with a Log Analytics workspace, and used as a data pipeline. However, the audit log data isn't stored in the Log Analytics workspace. It's deployed under AKS Security profile in AKS clusters and as an Arc extension in Arc enabled Kubernetes clusters. For more information, see [Architecture for each Kubernetes environment](defender-for-containers-architecture.md#architecture-for-each-kubernetes-environment).
 
 ### **DDOS Attack**
 
@@ -139,7 +139,7 @@ Distributed denial-of-service, a type of attack where an attacker sends more req
 
 ### **EASM**
 
-External Attack Surface Management. See [EASM Overview](how-to-manage-attack-path.md#external-attack-surface-management-easm).
+External Attack Surface Management. See [EASM Overview](concept-easm.md).
 
 ### **EDR**
 
@@ -229,7 +229,7 @@ Microsoft Defender Vulnerability Management. Learn how to [enable vulnerability
 
 ### **MFA**
 
-Multi-factor authentication, a process in which users are prompted during the sign-in process for an extra form of identification, such as a code on their cellphone or a fingerprint scan.[How it works: Azure Multi Factor Authentication](../active-directory/authentication/concept-mfa-howitworks.md).
+Multifactor authentication, a process in which users are prompted during the sign-in process for an extra form of identification, such as a code on their cellphone or a fingerprint scan.[How it works: Azure multifactor authentication](../active-directory/authentication/concept-mfa-howitworks.md).
 
 ### **MITRE ATT&CK**
 
@@ -301,7 +301,7 @@ Security alerts are the notifications generated by Defender for Cloud and Defend
 
 ### **Security Initiative**
 
-A collection of Azure Policy Definitions, or rules, that are grouped together towards a specific goal or purpose. [What are security policies, initiatives, and recommendations?](security-policy-concept.md)
+A collection of Azure Policy Definitions, or rules that are grouped together towards a specific goal or purpose. [What are security policies, initiatives, and recommendations?](security-policy-concept.md)
 
 ### **Security Policy**
 

articles/defender-for-cloud/defender-for-cloud-glossary.md

@@ -2,7 +2,7 @@
 title: Identify and remediate attack paths in Microsoft Defender for Cloud
 description: Learn how to identify and remediate attack paths in Microsoft Defender for Cloud
 ms.topic: how-to
-ms.custom: ignite-2022
+ms.custom: ignite-2023
 ms.date: 11/01/2023
 ---
 
@@ -30,11 +30,11 @@ The attack path page shows you an overview of all of your attack paths. You can
 
 :::image type="content" source="media/concept-cloud-map/attack-path-homepage.png" alt-text="Screenshot of a sample attack path homepage." lightbox="media/concept-cloud-map/attack-path-homepage.png":::
 
-On this page you can organize your attack paths based on name, environment, paths count, risk categories.
+On this page you can organize your attack paths based on risk level, name, environment, paths count, risk factors, entry point, target, the number of affected resources, or the number of active recommendations. 
 
-For each attack path, you can see all of risk categories and any affected resources.
+For each attack path, you can see all of risk factors and any affected resources.
 
-The potential risk categories include credentials exposure, compute abuse, data exposure, subscription and account takeover.
+The potential risk factors include credentials exposure, compute abuse, data exposure, subscription and account takeover.
 
 Learn more about [the cloud security graph, attack path analysis, and the cloud security explorer?](concept-attack-path.md).
 
@@ -48,15 +48,10 @@ You can use Attack path analysis  to locate the biggest risks to your environmen
 
 1. Navigate to **Microsoft Defender for Cloud** > **Attack path analysis**.
 
-    :::image type="content" source="media/how-to-manage-attack-path/attack-path-blade.png" alt-text="Screenshot that shows the attack path analysis blade on the main screen." lightbox="media/how-to-manage-attack-path/attack-path-blade.png":::
+    :::image type="content" source="media/how-to-manage-attack-path/attack-path-blade.png" alt-text="Screenshot that shows the attack path analysis page on the main screen." lightbox="media/how-to-manage-attack-path/attack-path-blade.png":::
 
 1. Select an attack path.
 
-    :::image type="content" source="media/how-to-manage-cloud-map/attack-path.png" alt-text="Screenshot that shows a sample of attack paths." lightbox="media/how-to-manage-cloud-map/attack-path.png" :::
-
-    > [!NOTE]
-    > An attack path might have more than one path that is at risk. The path count will tell you how many paths need to be remediated. If the attack path has more than one path, you will need to select each path within that attack path to remediate all risks.
-
 1. Select a node.
 
     :::image type="content" source="media/how-to-manage-cloud-map/node-select.png" alt-text="Screenshot of the attack path screen that shows you where the nodes are located for selection." lightbox="media/how-to-manage-cloud-map/node-select.png":::
@@ -81,6 +76,11 @@ Once an attack path is resolved, it can take up to 24 hours for an attack path t
 
 Attack path analysis also gives you the ability to see all recommendations by attack path without having to check each node individually. You can resolve all recommendations without having to view each node individually.
 
+The remediation path contains two types of recommendation:
+
+- **Recommendations** - Recommendations that mitigate the attack path.
+- **Additional recommendations** - Recommendations that reduce the exploitation risks, but don’t mitigate the attack path.
+
 **To resolve all recommendations**:
 
 1. Sign in to the [Azure portal](https://portal.azure.com).
@@ -89,7 +89,7 @@ Attack path analysis also gives you the ability to see all recommendations by at
 
 1. Select an attack path.
 
-1. Select **Recommendations**.
+1. Select **Remediation**.
 
     :::image type="content" source="media/how-to-manage-cloud-map/bulk-recommendations.png" alt-text="Screenshot that shows where to select on the screen to see the attack paths full list of recommendations." lightbox="media/how-to-manage-cloud-map/bulk-recommendations.png":::
 
@@ -115,7 +115,7 @@ securityresources
 ```
 
 **Get all instances for a specific attack path**:
-For example, ‘Internet exposed VM with high severity vulnerabilities and read permission to a Key Vault’.
+For example, `Internet exposed VM with high severity vulnerabilities and read permission to a Key Vault`.
 
 ```kusto
 securityresources
@@ -133,7 +133,7 @@ The following table lists the data fields returned from the API response:
 |--|--|
 | ID | The Azure resource ID of the attack path instance|
 | Name | The Unique identifier of the attack path instance|
-| Type | The Azure resource type, always equals “microsoft.security/attackpaths”|
+| Type | The Azure resource type, always equals `microsoft.security/attackpaths`|
 | Tenant ID | The tenant ID of the attack path instance |
 | Location | The location of the attack path |
 | Subscription ID | The subscription of the attack path |
@@ -153,33 +153,6 @@ The following table lists the data fields returned from the API response:
 | Properties.graphComponent.connections | List of connections graph components related to the attack path |
 | Properties.AttackPathID | The unique identifier of the attack path instance |
 
-## External attack surface management (EASM)
-
-An external attack surface is the entire area of an organization or system that is susceptible to an attack from an external source. An organization's attack surface is made up of all the points of access that an unauthorized person could use to enter their system. The larger your attack surface is, the harder it's to protect.
-
-While you're [investigating and remediating an attack path](#investigate-and-remediate-attack-paths), you can also view your EASM if it's available, and if you've enabled Defender EASM to your subscription.
-
-> [!NOTE]
-> To manage your EASM, you must [deploy the Defender EASM Azure resource](../external-attack-surface-management/deploying-the-defender-easm-azure-resource.md) to your subscription. Defender EASM has its own cost and is separate from Defender for Cloud. To learn more about Defender for EASM pricing options, you can check out the [pricing page](https://azure.microsoft.com/pricing/details/defender-external-attack-surface-management/).
-
-**To manage your EASM**:
-
-1. Sign in to the [Azure portal](https://portal.azure.com).
-
-1. Navigate to **Microsoft Defender for Cloud** > **Attack path analysis**.
-
-1. Select an attack path.
-
-1. Select a resource.
-
-1. Select **Insights**.
-
-1. Select **Open EASM**.
-
-    :::image type="content" source="media/how-to-manage-attack-path/open-easm.png" alt-text="Screenshot that shows you where on the screen you need to select open Defender EASM from." lightbox="media/how-to-manage-attack-path/easm-zoom.png":::
-
-1. Follow the [Using and managing discovery](../external-attack-surface-management/using-and-managing-discovery.md) instructions.
-
 ## Next Steps
 
 Learn how to [build queries with cloud security explorer](how-to-manage-cloud-security-explorer.md).

articles/defender-for-cloud/how-to-manage-attack-path.md

@@ -3,15 +3,15 @@ title: Test attack paths and cloud security explorer in Microsoft Defender for C
 description: Learn how to test attack paths and cloud security explorer in Microsoft Defender for Cloud
 ms.service: defender-for-cloud
 ms.topic: how-to
-ms.date: 07/17/2023
+ms.date: 11/08/2023
 ---
 
 # Test attack paths and cloud security explorer
 
 
-Attack path analysis is a graph-based algorithm that scans the cloud security graph. The scans expose exploitable paths that attackers might use to breach your environment to reach your high-impact assets. Attack path analysis exposes attack paths and suggests recommendations as to how best remediate issues that will break the attack path and prevent successful breach.
+Attack path analysis is a graph-based algorithm that scans the cloud security graph. The scans expose exploitable paths that attackers might use to breach your environment to reach your high-impact assets. Attack path analysis exposes attack paths and suggests recommendations as to how best remediate issues that break the attack path and prevent successful breach.
 
-Explore and investigate [attack paths](how-to-manage-attack-path.md) by sorting them based on name, environment, path count, and risk categories. Explore cloud security graph Insights on the resource. Examples of Insight types are:
+Explore and investigate [attack paths](how-to-manage-attack-path.md) by sorting them based on risk level, name, environment, and risk factors, entry point, target, affected resources and active recommendations. Explore cloud security graph Insights on the resource. Examples of Insight types are:
 
 -	Pod exposed to the internet 
 -	Privileged container 
@@ -73,14 +73,13 @@ You can build queries in one of the following ways:
 
 ### Find the security issue under attack paths
 
-1.Go to **Recommendations** in the Defender for Cloud menu.
-1. Select the **Attack Path** link to open the attack paths view.
+1. Sign in to the [Azure portal](https://portal.azure.com).
 
-    :::image type="content" source="media/how-to-test-attack-path/attack-path.png" alt-text="Screenshot of showing where to select Attack Path." lightbox="media/how-to-test-attack-path/attack-path.png":::
+1. Navigate to **Attack path analysis**.
 
-1.	Locate the entry that details this security issue under “Internet exposed Kubernetes pod is running a container with high severity vulnerabilities.”
+1. Select an attack path.
 
-       :::image type="content" source="media/how-to-test-attack-path/attack-path-kubernetes-pods-vulnerabilities.png" alt-text="Screenshot showing the security issue details." lightbox="media/how-to-test-attack-path/attack-path-kubernetes-pods-vulnerabilities.png"::: 
+1.	Locate the entry that details this security issue under `Internet exposed Kubernetes pod is running a container with high severity vulnerabilities`.
 
 ###  Explore risks with cloud security explorer templates
 

articles/defender-for-cloud/how-to-test-attack-path-and-security-explorer-with-vulnerable-container-image.md

@@ -4,7 +4,7 @@ description: Learn how to remediate security recommendations in Microsoft Defend
 ms.topic: how-to
 ms.author: dacurwin
 author: dcurwin
-ms.date: 10/20/2022
+ms.date: 11/08/2023
 ---
 # Remediate security recommendations