Fixes to non-blocking issues and two blocking ones

Author: memildin

articles/security-center/azure-container-registry-integration.md

@@ -19,7 +19,7 @@ ms.author: memildin
 
 Azure Container Registry (ACR) is a managed, private Docker registry service that stores and manages your container images for Azure deployments in a central registry. It's based on the open-source Docker Registry 2.0.
 
-For deeper visibility into your registry and images' vulnerabilities, users of Azure Security Center's standard tier can enable the optional Container Registries bundle. For more information, see [pricing](security-center-pricing.md). With the bundle enabled, Security Center automatically scans images in your registry whenever an image is pushed to the registry.
+For deeper visibility into your registry and images' vulnerabilities, users of Azure Security Center's standard tier can enable the optional Container Registries bundle. The cost for using this feature is charged per image, not per scan.For more information, see [pricing](security-center-pricing.md). With the bundle enabled, Security Center automatically scans images in your registry whenever an image is pushed to the registry.
 
 > [!NOTE]
 > Security Center's first scan of a registry will only occur after the Container Registries bundle is enabled and an image is pushed to the registry.

articles/security-center/recommendations-reference.md

@@ -61,13 +61,13 @@ Your secure score is based on how many Security Center recommendations you have
 |**Role-Based Access Control should be used to restrict access to a Kubernetes Service Cluster (Preview)**|To provide granular filtering of the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. For more information see [Azure role-based access control](https://docs.microsoft.com/azure/aks/concepts-identity#role-based-access-controls-rbac).<br>(Related policy: [Preview]: Role-Based Access Control (RBAC) should be used on Kubernetes Services)|Medium|N|Compute resources (Containers)|
 |**The Kubernetes Service should be upgraded to the latest Kubernetes version (Preview)**|Upgrade Azure Kubernetes Service clusters to the latest Kubernetes version in order to benefit from up-to-date vulnerability patches. For details regarding specific Kubernetes vulnerabilities see [Kubernetes CVEs](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=kubernetes).<br>(Related policy: [Preview]: Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version)|High|N|Compute resources (Containers)|
 |**Pod Security Policies should be defined to reduce the attack vector by removing unnecessary application privileges (Preview)**|Define Pod Security Policies to reduce the attack vector by removing unnecessary application privileges. It is recommended to configure pod security policies so pods can only access resources which they are allowed to access.<br>(Related policy: [Preview]: Pod Security Policies should be defined on Kubernetes Services)|Medium|N|Compute resources (Containers)|
-|**Access to a Kubernetes Service Management API should be limited by authorizing specific IP ranges only (Preview)**|Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to configure authorized IP ranges so only applications from allowed networks can access the cluster.<br>(Related policy: [Preview]: Authorized IP ranges should be defined on Kubernetes Services)|High|N|Compute resources (Containers)|
+|**Access to a Kubernetes service management API should be limited by authorizing specific IP ranges only (Preview)**|Restrict access to the Kubernetes service management API by granting API access only to IP addresses in specific ranges. It is recommended to configure authorized IP ranges so only applications from allowed networks can access the cluster.<br>(Related policy: [Preview]: Authorized IP ranges should be defined on Kubernetes Services)|High|N|Compute resources (Containers)|
 |**Vulnerabilities in Azure Container Registry images should be remediated (powered by Qualys) (Preview)**|Container image vulnerability assessment scans your registry for security vulnerabilities on each pushed container image and exposes detailed findings per image. Resolving the vulnerabilities can greatly improve your containers’ security posture and protect them from attacks.<br>(No related policy)|High|N|Compute resources (Containers)|
 |**Service Fabric clusters should only use Azure Active Directory for client authentication**|Perform Client authentication only via Azure Active Directory in Service Fabric.<br>(Related policy: Service Fabric clusters should only use Azure Active Directory for client authentication)|High|N|Compute resources (service fabric)|
 |**Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign**|Service Fabric provides three levels of protection (None, Sign, and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed.<br>(Related policy: The ClusterProtectionLevel property to EncryptAndSign in Service Fabric should be set)|High|N|Compute resources (service fabric)|
 |**All authorization rules except RootManageSharedAccessKey should be removed from Service Bus namespace**|Service Bus clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. To align with the least privilege security model, you should create access policies at the entity level for queues and topics to provide access to only the specific entity.<br>(Related policy: All authorization rules except RootManageSharedAccessKey should be removed from Service Bus namespace)|Low|N|Compute resources (service bus)|
 |**All authorization rules except RootManageSharedAccessKey should be removed from Event Hub namespace**|Event Hub clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. To align with the least privilege security model, you should create access policies at the entity level for queues and topics to provide access to only the specific entity.<br>(Related policy: All authorization rules except RootManageSharedAccessKey should be removed from Event Hub namespace)|Low|N|Compute resources (event hub)|
-|**Authorization rules on the Event Hub entity should be defined**|Audit authorization rules on the Event Hub entity to grant least-privileged access.<br>(No related policy)|N|Compute resources (event hub)|
+|**Authorization rules on the Event Hub entity should be defined**|Audit authorization rules on the Event Hub entity to grant least-privileged access.<br>(No related policy)|Low|N|Compute resources (event hub)|
 |**Install monitoring agent on your virtual machines**|Install the Monitoring agent to enable data collection, updates scanning, baseline scanning, and endpoint protection on each machine.<br>(Related policy: Monitoring agent should be enabled on your virtual machines)|High|**Y**|Machine|
 |**Monitoring agent health issues should be resolved on your machines**|For full Security Center protection, resolve monitoring agent issues on your machines by following the instructions in the Troubleshooting guide<br>(No related policy)|Medium|N|Machine|
 |**Adaptive Application Controls should be enabled on virtual machines**|Enable application control to control which applications can run on your VMs located in Azure. This will help harden your VMs against malware. Security Center uses machine learning to analyze the applications running on each VM and helps you apply allow rules using this intelligence. This capability simplifies the process of configuring and maintaining application allow rules.<br>(Related policy: Adaptive Application Controls should be enabled on virtual machines)|High|N|Machine|
@@ -119,9 +119,4 @@ To learn more about recommendations, see the following:
 
 * [Security recommendations in Azure Security Center](security-center-recommendations.md)
 * [Protecting your machines and applications](security-center-virtual-machine-protection.md)
-* [Protecting your network in Azure Security Center](security-center-network-recommendations.md)
-
-
-
-
-. 
+* [Protecting your network in Azure Security Center](security-center-network-recommendations.md)

articles/security-center/security-center-identity-access.md

@@ -14,7 +14,7 @@ ms.workload: na
 ms.date: 12/19/2019
 ms.author: memildin
 ---
-# Monitor identity and access (Preview)
+# Monitor identity and access (preview)
 When Security Center identifies potential security vulnerabilities, it creates recommendations that guide you through the process of configuring the needed controls to harden and protect your resources.
 
 This article explains the **Identity and Access** page of the resource security section of Azure Security Center.

articles/security-center/security-center-sql-service-recommendations.md

@@ -31,7 +31,7 @@ For a full list of the recommendations you might see on this page, see [Data and
 
     The **Data security** page opens with recommendations for data resources.
 
-    [![Data Resources](./media/security-center-monitoring/sql-overview.png)](./media/security-center-monitoring/sql-overview.png)#lightbox)
+    [![Data Resources](./media/security-center-monitoring/sql-overview.png)](./media/security-center-monitoring/sql-overview.png#lightbox)
 
     From this page, you can: