Merge pull request #270759 from MicrosoftDocs/main

Publish to live, Sunday 4:00PM PDT, 03/31

Author: Stacyrch140

articles/defender-for-cloud/alerts-schemas.md

@@ -1,26 +1,30 @@
 ---
-title: Schemas for the Microsoft Defender for Cloud alerts
+title: Alerts schema
 description: This article describes the different schemas used by Microsoft Defender for Cloud for security alerts.
-ms.topic: conceptual
+ms.topic: concept-article
 ms.author: dacurwin
 author: dcurwin
-ms.date: 11/09/2021
+ms.date: 03/25/2024
+#customer intent: As a reader, I want to understand the different schemas used by Microsoft Defender for Cloud for security alerts so that I can effectively work with the alerts.
 ---
 
-# Security alerts schemas
+# Alerts schemas
 
-If your subscription has Defender for Cloud [Defender plans](defender-for-cloud-introduction.md#protect-cloud-workloads) enabled, you receive security alerts when Defender for Cloud detects threats to their resources.
 
-You can view these security alerts in Microsoft Defender for Cloud's pages - [overview dashboard](overview-page.md), [alerts](managing-and-responding-alerts.md), [resource health pages](investigate-resource-health.md), or [workload protections dashboard](workload-protections-dashboard.md) - and through external tools such as:
+Defender for Cloud provides alerts that help you identify, understand, and respond to security threats. Alerts are generated when Defender for Cloud detects suspicious activity or a security-related issue in your environment. You can view these alerts in the Defender for Cloud portal, or you can export them to external tools for further analysis and response.
+
+You can review security alerts from the [overview dashboard](overview-page.md), [alerts](managing-and-responding-alerts.md) page, [resource health pages](investigate-resource-health.md), or [workload protections dashboard](workload-protections-dashboard.md).
+
+The following external tools can be used to consume alerts from Defender for Cloud:
 
 - [Microsoft Sentinel](../sentinel/index.yml) - Microsoft's cloud-native SIEM. The Sentinel Connector gets alerts from Microsoft Defender for Cloud and sends them to the [Log Analytics workspace](../azure-monitor/logs/quick-create-workspace.md) for Microsoft Sentinel.
 - Third-party SIEMs - Send data to [Azure Event Hubs](../event-hubs/index.yml). Then integrate your Event Hubs data with a third-party SIEM. Learn more in [Stream alerts to a SIEM, SOAR, or IT Service Management solution](export-to-siem.md).
 - [The REST API](/rest/api/defenderforcloud/operation-groups?view=rest-defenderforcloud-2020-01-01&preserve-view=true) - If you're using the REST API to access alerts, see the [online Alerts API documentation](/rest/api/defenderforcloud/alerts).
 
-If you're using any programmatic methods to consume the alerts, you need the correct schema to find the fields that are relevant to you. Also, if you're exporting to an Event Hubs or trying to trigger Workflow Automation with generic HTTP connectors, use the schemas to properly parse the JSON objects.
+If you're using any programmatic methods to consume the alerts, you need the correct schema to find the fields that are relevant to you. Also, if you're exporting to an Event Hubs or trying to trigger Workflow Automation with generic HTTP connectors, schemas should be utilized to properly parse the JSON objects.
 
 >[!IMPORTANT]
-> The schema is slightly different for each of these scenarios, so make sure you select the relevant tab.
+> Since the schema is different for each of these scenarios, ensure you select the relevant tab.
 
 ## The schemas
 
@@ -148,13 +152,13 @@ The schema and a JSON representation for security alerts sent to MS Graph, are a
 
 ---
 
-## Next steps
-
-This article described the schemas that Microsoft Defenders for Cloud's threat protection tools use when sending security alert information.
-
-For more information on the ways to access security alerts from outside Defender for Cloud, see:
+## Related articles
 
+- [Log Analytics workspaces](../azure-monitor/logs/quick-create-workspace.md) - Azure Monitor stores log data in a Log Analytics workspace, a container that includes data and configuration information
 - [Microsoft Sentinel](../sentinel/index.yml) - Microsoft's cloud-native SIEM
 - [Azure Event Hubs](../event-hubs/index.yml) - Microsoft's fully managed, real-time data ingestion service
-- [Continuously export Defender for Cloud data](continuous-export.md)
-- [Log Analytics workspaces](../azure-monitor/logs/quick-create-workspace.md) - Azure Monitor stores log data in a Log Analytics workspace, a container that includes data and configuration information
+
+## Next step
+
+> [!div class="nextstepaction"]
+> [Continuously export Defender for Cloud data](continuous-export.md)

articles/defender-for-cloud/investigate-resource-health.md

@@ -2,14 +2,14 @@
 title: Tutorial - Investigate the health of your resources
 description: 'Tutorial: Learn how to investigate the health of your resources using Microsoft Defender for Cloud.'
 ms.topic: tutorial
-ms.date: 01/24/2023
+ms.date: 02/21/2024
 ---
 
 # Tutorial: Investigate the health of your resources
 
 The resource health page provides a snapshot view of the overall health of a single resource. You can review detailed information about the resource and all recommendations that apply to that resource. Also, if you're using any of the [advanced protection plans of Microsoft Defender for Cloud](defender-for-cloud-introduction.md), you can see outstanding security alerts for that specific resource too.
 
-This single page, currently in preview, in Defender for Cloud's portal pages shows:
+This single page, in Defender for Cloud's portal pages shows:
 
 1. **Resource information** - The resource group and subscription it's attached to, the geographic location, and more.
 1. **Applied security feature** - Whether a Microsoft Defender plan is enabled for the resource.
@@ -31,21 +31,31 @@ In this tutorial you'll learn how to:
 To step through the features covered in this tutorial:
 
 - You need an Azure subscription. If you don’t have an Azure subscription, create a [free account](https://azure.microsoft.com/free/) before you begin.
-- To apply security recommendations, you must be signed in with an account that has the relevant permissions (Resource Group Contributor, Resource Group Owner, Subscription Contributor, or Subscription Owner)
-- To dismiss alerts, you must be signed in with an account that has the relevant permissions (Security Admin, Subscription Contributor, or Subscription Owner)
+
+- [Microsoft Defender for Cloud enabled on your subscription](connect-azure-subscription.md).
+
+- **To apply security recommendations**: you must be signed in with an account that has the relevant permissions (Resource Group Contributor, Resource Group Owner, Subscription Contributor, or Subscription Owner)
+
+- **To dismiss alerts**: you must be signed in with an account that has the relevant permissions (Security Admin, Subscription Contributor, or Subscription Owner)
 
 ## Access the health information for a resource
 
 > [!TIP]
 > In the following screenshots, we're opening a virtual machine, but the resource health page can show you the details for all resource types.
 
-To open the resource health page for a resource:
+**To open the resource health page for a resource**:
+
+1. Sign in to the [Azure portal](https://portal.azure.com).
+
+1. Search for and select **Microsoft Defender for Cloud**.
+
+1. Select **Inventory**.
 
-1. Select any resource from the [asset inventory page](asset-inventory.md).
+1. Select any resource.
 
     :::image type="content" source="media/investigate-resource-health/inventory-select-resource.png" alt-text="Select a resource from the asset inventory to view the resource health page." lightbox="./media/investigate-resource-health/inventory-select-resource.png":::
 
-1. Use the left pane of the resource health page for an overview of the subscription, status, and monitoring information about the resource. You can also see whether enhanced security features are enabled for the resource:
+1. Review the left pane of the resource health page for an overview of the subscription, status, and monitoring information about the resource. You can also see whether enhanced security features are enabled for the resource:
 
     :::image type="content" source="media/investigate-resource-health/resource-health-left-pane.png" alt-text="The left pane of Microsoft Defender for Cloud's resource health page shows the subscription, status, and monitoring information about the resource. It also includes the total number of outstanding security recommendations and security alerts.":::
 
@@ -62,18 +72,24 @@ To open the resource health page for a resource:
 
 The resource health page lists the recommendations for which your resource is "unhealthy" and the alerts that are active.
 
-- To ensure your resource is hardened according to the policies applied to your subscriptions, fix the issues described in the recommendations:
-    1. From the right pane, select a recommendation.
-    1. Continue as instructed on screen.
+### Harden a resource
+
+To ensure your resource is hardened according to the policies applied to your subscriptions, fix the issues described in the recommendations:
+
+1. From the right pane, select a recommendation.
+
+1. Continue as instructed on screen.
+
+    > [!TIP]
+    > The instructions for fixing issues raised by security recommendations differ for each of Defender for Cloud's recommendations.
+    >
+    > To decide which recommendations to resolve first, look at the severity of each one and its [potential impact on your secure score](secure-score-security-controls.md).
+
+### Investigate a security alert
 
-        > [!TIP]
-        > The instructions for fixing issues raised by security recommendations differ for each of Defender for Cloud's recommendations.
-        >
-        > To decide which recommendations to resolve first, look at the severity of each one and its [potential impact on your secure score](secure-score-security-controls.md).
+1. From the right pane, select an alert.
 
-- To investigate a security alert:
-    1. From the right pane, select an alert.
-    1. Follow the instructions in [Respond to security alerts](managing-and-responding-alerts.md#respond-to-a-security-alert).
+1. Follow the instructions in [Respond to security alerts](managing-and-responding-alerts.md#respond-to-a-security-alert).
 
 ## Next steps
 

articles/defender-for-cloud/sql-azure-vulnerability-assessment-find.md

@@ -3,7 +3,7 @@ title: Find vulnerabilities in your Azure SQL databases
 description: Learn how to find software vulnerabilities with the express configuration on Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics.
 author: dcurwin
 ms.author: dacurwin
-ms.date: 11/29/2022
+ms.date: 03/25/2024
 ms.service: defender-for-cloud
 ms.topic: how-to
 ---

articles/defender-for-cloud/sql-information-protection-policy.md

@@ -1,12 +1,14 @@
 ---
 title: SQL information protection policy
-description: Learn how to customize information protection policies in Microsoft Defender for Cloud.
+description: Learn how to customize information protection policies in Microsoft Defender for Cloud to secure your data effectively and meet compliance requirements.
 ms.topic: how-to
 ms.custom: devx-track-azurepowershell
 author: dcurwin
 ms.author: dacurwin
-ms.date: 11/09/2021
+ms.date: 03/25/2024
+#customer intent: As a user, I want to learn how to customize information protection policies in Microsoft Defender for Cloud so that I can secure my data effectively.
 ---
+
 # SQL information protection policy in Microsoft Defender for Cloud
 
 SQL information protection's [data discovery and classification mechanism](/azure/azure-sql/database/data-discovery-and-classification-overview) provides advanced capabilities for discovering, classifying, labeling, and reporting the sensitive data in your databases. It's built into [Azure SQL Database](/azure/azure-sql/database/sql-database-paas-overview), [Azure SQL Managed Instance](/azure/azure-sql/managed-instance/sql-managed-instance-paas-overview), and [Azure Synapse Analytics](../synapse-analytics/sql-data-warehouse/sql-data-warehouse-overview-what-is.md).
@@ -127,11 +129,13 @@ Learn more in [Grant and request tenant-wide visibility](tenant-wide-permissions
 - [Get-AzSqlInformationProtectionPolicy](/powershell/module/az.security/get-azsqlinformationprotectionpolicy): Retrieves the effective tenant SQL information protection policy.
 - [Set-AzSqlInformationProtectionPolicy](/powershell/module/az.security/set-azsqlinformationprotectionpolicy): Sets the effective tenant SQL information protection policy.
 
-## Next steps
+## Related articles
+
+- [Azure SQL Database Data Discovery and Classification](/azure/azure-sql/database/data-discovery-and-classification-overview)
 
-In this article, you learned about defining an information protection policy in Microsoft Defender for Cloud. To learn more about using SQL Information Protection to classify and protect sensitive data in your SQL databases, see [Azure SQL Database Data Discovery and Classification](/azure/azure-sql/database/data-discovery-and-classification-overview).
+- [Microsoft Defender for Cloud data security](data-security.md)
 
-For more information on security policies and data security in Defender for Cloud, see the following articles:
+## Next step
 
-- [Setting security policies in Microsoft Defender for Cloud](tutorial-security-policy.md): Learn how to configure security policies for your Azure subscriptions and resource groups
-- [Microsoft Defender for Cloud data security](data-security.md): Learn how Defender for Cloud manages and safeguards data
+> [!div class="nextstepaction"]
+> [Setting security policies in Microsoft Defender for Cloud](tutorial-security-policy.md)

articles/defender-for-iot/device-builders/concept-recommendations.md

@@ -12,9 +12,6 @@ Security recommendations are actionable and aim to aid customers in complying wi
 
 In this article, you will find a list of recommendations, which can be triggered on your IoT Hub.
 
-> [!NOTE]
-> The Microsoft Defender for IoT legacy experience under IoT Hub has been replaced by our new Defender for IoT standalone experience, in the Defender for IoT area of the Azure portal. The legacy experience under IoT Hub will not be supported after **March 31, 2023**.
-
 ## Built in recommendations in IoT Hub
 
 Recommendation alerts provide insight and suggestions for actions to improve the security posture of your environment.

articles/defender-for-iot/device-builders/how-to-investigate-cis-benchmark.md

@@ -9,9 +9,6 @@ ms.topic: how-to
 
 Perform basic and advanced investigations based on OS baseline recommendations.
 
-> [!NOTE]
-> The Microsoft Defender for IoT legacy experience under IoT Hub has been replaced by our new Defender for IoT standalone experience, in the Defender for IoT area of the Azure portal. The legacy experience under IoT Hub will not be supported after **March 31, 2023**.
-
 ## Basic OS baseline security recommendation investigation
 
 You can investigate OS baseline recommendations by navigating to [Defender for IoT in the Azure portal](https://portal.azure.com/#blade/Microsoft_Azure_IoT_Defender/IoTDefenderDashboard/Getting_Started). For more information, see how to [Investigate security recommendations](quickstart-investigate-security-recommendations.md).

articles/defender-for-iot/device-builders/how-to-investigate-device.md

@@ -15,11 +15,6 @@ In this guide, use the investigation suggestions provided to help determine the
 > * Find your device data
 > * Investigate using KQL queries
 
-> [!NOTE]
-> The Microsoft Defender for IoT legacy experience under IoT Hub has been replaced by our new Defender for IoT standalone experience, in the Defender for IoT area of the Azure portal. The legacy experience under IoT Hub will not be supported after **March 31, 2023**.
->
-> For more information, see [Tutorial: Investigate security recommendations](tutorial-investigate-security-recommendations.md) and [Tutorial: Investigate security alerts](tutorial-investigate-security-alerts.md).
-
 ## How can I access my data?
 
 By default, Defender for IoT stores your security alerts and recommendations in your Log Analytics workspace. You can also choose to store your raw security data.

articles/defender-for-iot/device-builders/how-to-security-data-access.md

@@ -9,10 +9,6 @@ ms.date: 03/28/2022
 
 Defender for IoT stores security alerts, recommendations, and raw security data (if you choose to save it) in your Log Analytics workspace.
 
-> [!NOTE]
-> The Microsoft Defender for IoT legacy experience under IoT Hub has been replaced by our new Defender for IoT standalone experience, in the Defender for IoT area of the Azure portal. The legacy experience under IoT Hub will not be supported after **March 31, 2023**.
->
-> For more information, see [Tutorial: Configure Microsoft Defender for IoT agent-based solution](tutorial-configure-agent-based-solution.md).
 ## Log Analytics
 
 To configure which Log Analytics workspace is used:
@@ -32,7 +28,7 @@ For details on querying data from Log Analytics, see [Get started with log queri
 
 Security alerts are stored in _AzureSecurityOfThings.SecurityAlert_ table in the Log Analytics workspace configured for the Defender for IoT solution.
 
-We've provided a number of useful queries to help you get started exploring security alerts.
+We provide many useful queries to help you get started exploring security alerts.
 
 ### Sample records
 
@@ -111,7 +107,7 @@ SecurityAlert
 
 Security recommendations are stored in _AzureSecurityOfThings.SecurityRecommendation_ table in the Log Analytics workspace configured for the Defender for IoT solution.
 
-We've provided a number of useful queries to help you get start exploring security recommendations.
+We provide many useful queries to help you get start exploring security recommendations.
 
 ### Sample records
 
@@ -135,8 +131,8 @@ SecurityRecommendation
 
 | TimeGenerated | IoTHubId | DeviceId | RecommendationSeverity | RecommendationState | RecommendationDisplayName | Description | RecommendationAdditionalData |
 |---------------|----------|----------|------------------------|---------------------|---------------------------|-------------|------------------------------|
-| 2019-03-22T10:21:06.060 |    /subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub> | <device_name> | Medium | Active | Permissive firewall rule in the input chain was found | A rule in the firewall has been found that contains a permissive pattern for a wide range of IP addresses or Ports | {"Rules":"[{\"SourceAddress\":\"\",\"SourcePort\":\"\",\"DestinationAddress\":\"\",\"DestinationPort\":\"1337\"}]"} |
-| 2019-03-22T10:50:27.237 | /subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub> | <device_name> | Medium | Active | Permissive firewall rule in the input chain was found | A rule in the firewall has been found that contains a permissive pattern for a wide range of IP addresses or Ports | {"Rules":"[{\"SourceAddress\":\"\",\"SourcePort\":\"\",\"DestinationAddress\":\"\",\"DestinationPort\":\"1337\"}]"} |
+| 2019-03-22T10:21:06.060 |    /subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub> | <device_name> | Medium | Active | Permissive firewall rule in the input chain was found | A rule in the firewall was found that contains a permissive pattern for a wide range of IP addresses or Ports | {"Rules":"[{\"SourceAddress\":\"\",\"SourcePort\":\"\",\"DestinationAddress\":\"\",\"DestinationPort\":\"1337\"}]"} |
+| 2019-03-22T10:50:27.237 | /subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub> | <device_name> | Medium | Active | Permissive firewall rule in the input chain was found | A rule in the firewall was found that contains a permissive pattern for a wide range of IP addresses or Ports | {"Rules":"[{\"SourceAddress\":\"\",\"SourcePort\":\"\",\"DestinationAddress\":\"\",\"DestinationPort\":\"1337\"}]"} |
 
 ### Device summary
 

articles/defender-for-iot/device-builders/quickstart-create-custom-alerts.md

@@ -9,8 +9,6 @@ ms.date: 01/01/2023
 
 Using custom security groups and alerts, takes full advantage of the end-to-end security information and categorical device knowledge to ensure better security across your IoT solution.
 
-> [!NOTE]
-> The Microsoft Defender for IoT legacy experience under IoT Hub has been replaced by our new Defender for IoT standalone experience, in the Defender for IoT area of the Azure portal. The legacy experience under IoT Hub will not be supported after **March 31, 2023**.
 ## Why use custom alerts?
 
 You know your IoT devices best.