Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into asc-melvyn-anh

memildin · memildin · commit 88306b161b6a · 2020-03-11T12:40:45.000+02:00
diff --git a/articles/azure-government/documentation-government-services-monitoringandmanagement.md b/articles/azure-government/documentation-government-services-monitoringandmanagement.md
@@ -174,6 +174,9 @@ The resources currently supported in the second generation alerts experience are
 - Microsoft.Web/sites
 - Microsoft.Web/sites/slots
 
+> [!NOTE]
+> Creating multi-resource metric alert rules on Virtual Machines is **currently not supported**. This article will be updated as soon as this functionality becomes available.
+
 You can still use [classic alerts](../azure-monitor/platform/alerts-classic.overview.md) for resources not yet available in the second generation of alerts. 
 
 When using PowerShell/ARM/Rest calls to create metric alerts, you will need to set the "Location" of the metric alert to "USGov Virginia" or "USGov Iowa". An example of the setting is below:
@@ -186,6 +189,7 @@ Add-AzMetricAlertRule -Name vmcpu_gt_1 -Location "USGov Virginia" -ResourceGroup
 
 For more information on using PowerShell, see [public documentation](../azure-monitor/platform/powershell-quickstart-samples.md).
 
+
 ## Application Insights
 
 > [!NOTE]
diff --git a/articles/industry/agriculture/query-telemetry-data-from-azure-farmbeats.md b/articles/industry/agriculture/query-telemetry-data-from-azure-farmbeats.md
@@ -0,0 +1,96 @@
+---
+title: Query ingested telemetry data
+description: This article describes how to query ingested telemetry data.
+author: sunasing
+ms.topic: article
+ms.date: 03/11/2020
+ms.author: sunasing
+---
+
+# Query ingested telemetry data
+
+This article describes how to query ingested sensor data from Azure FarmBeats.
+
+Ingesting data from Internet of Things (IoT) resources such as devices and sensors is a common scenario in FarmBeats. You create metadata for devices and sensors and then ingest the historical data to FarmBeats in a canonical format. Once the sensor data is available on FarmBeats Datahub, we can query the same to generate actionable insights or build models.
+
+## Before you begin
+
+Before you proceed with this article, make sure that you've installed FarmBeats and ingested sensor telemetry data from your IoT devices to FarmBeats
+To ingest sensor telemetry data, visit [ingest historical telemetry data](ingest-historical-telemetry-data-in-azure-farmbeats.md)
+
+Before you proceed, also make sure you are familiar with FarmBeats REST APIs as you will query ingested telemetry using APIs. For more details on FarmBeats APIs, please see [FarmBeats REST APIs](rest-api-in-azure-farmbeats.md). **Ensure that you are able to make API requests to your FarmBeats Datahub endpoint**
+
+## Query ingested sensor telemetry data
+
+Follow the below steps to query the ingested sensor telemetry data:
+
+1. Identify the sensor you are interested in. You can do this by making a GET request on /Sensor API. Note the **id** and the **sensorModelId** of the interested sensor object.
+
+2. Make a GET/{id} on /SensorModel API for the **sensorModelId** as noted in step 1. The SensorModel has all the metadata and details about the ingested telemetry from the sensor. For example, SensorMeasure within the SensorModel object has details about what measures is the sensor sending and in what types and units. For example,
+
+```json
+{
+    "name": "moist_soil_last <name of the sensor measure - this is what we will receive as part of the queried telemetry data>",
+    "dataType": "Double <Data Type - eg. Double>",
+    "type": "SoilMoisture <Type of measure eg. temperature, soil moisture etc.>",
+    "unit": "Percentage <Unit of measure eg. Celsius, Percentage etc.>",
+    "aggregationType": "None <either of None, Average, Maximum, Minimum, StandardDeviation>",
+    "description": "<Description of the measure>"
+}
+```
+Make a note of the response from the GET/{id} call for the SensorModel.
+
+3. Do a POST call on /Telemetry API with the following input payload
+
+```json
+{
+  "sensorId": "<id of the sensor as noted in step 1>",
+  "searchSpan": {
+    "from": "<desired start timestamp in ISO 8601 format; default is UTC>",
+    "to": "<desired end timestamp in ISO 8601 format; default is UTC>"
+  },
+  "filter": {
+    "tsx": "string"
+  },
+  "projectedProperties": [
+    {
+      "additionalProp1": "string",
+      "additionalProp2": "string",
+      "additionalProp3": "string"
+    }
+  ]
+}
+```
+4. The response from the /Telemetry API will look something like this:
+
+```json
+{
+  "timestamps": [
+    "2020-XX-XXT07:30:00Z",
+    "2020-XX-XXT07:45:00Z"
+  ],
+  "properties": [
+    {
+      "values": [
+        "<id of the sensor>",
+        "<id of the sensor>"
+      ],
+      "name": "Id",
+      "type": "String"
+    },
+    {
+      "values": [
+        2.1,
+        2.2
+      ],
+      "name": "moist_soil_last <name of the SensorMeasure as defined in the SensorModel object>",
+      "type": "Double <Data Type of the value - eg. Double>"
+    }
+  ]
+}
+```
+In the above example response, the queried sensor telemetry gives data for two timestamps along with the measure name ("moist_soil_last") and values of the reported telemetry in the two timestamps. You will need to refer to the associated /SensorModel (as described in step 2) to interpret the type and unit of the reported values.
+
+## Next steps
+
+You now have queried sensor data from your Azure FarmBeats instance. Now, learn how to [generate maps](generate-maps-in-azure-farmbeats.md#generate-maps) for your farms.
diff --git a/articles/industry/agriculture/toc.yml b/articles/industry/agriculture/toc.yml
@@ -9,6 +9,8 @@
      href: generate-soil-moisture-map-in-azure-farmbeats.md
    - name: Ingest historical telemetry data
      href: ingest-historical-telemetry-data-in-azure-farmbeats.md
+   - name: Query ingested telemetry data
+     href: query-telemetry-data-from-azure-farmbeats.md
 - name: Concepts
   items:
    - name: Integration patterns
diff --git a/articles/security-center/media/security-center-identity-access/two-security-controls-for-identity-and-access.png b/articles/security-center/media/security-center-identity-access/two-security-controls-for-identity-and-access.png
diff --git a/articles/security-center/recommendations-reference.md b/articles/security-center/recommendations-reference.md
@@ -10,7 +10,7 @@ ms.devlang: na
 ms.topic: conceptual
 ms.tgt_pltfrm: na
 ms.workload: na
-ms.date: 12/18/2019
+ms.date: 03/11/2020
 ms.author: memildin
 
 ---
@@ -21,7 +21,10 @@ This article lists the recommendations you might see in Azure Security Center. T
 
 To learn about how to respond to these recommendations, see [Remediate recommendations in Azure Security Center](security-center-remediate-recommendations.md).
 
-Your Secure Score is based on how many Security Center recommendations you have mitigated. To prioritize the recommendations to resolve first, consider the severity of each.
+Your Secure Score is based on the number of Security Center recommendations you've completed. To decide which  recommendations to resolve first, look at the severity of each one and its potential impact on your Secure Score.
+
+>[!TIP]
+> If a recommendation's description says "No related policy", it's usually because that recommendation is dependent on a different recommendation and *its* policy. For example, the recommendation "Endpoint protection health failures should be remediated...", relies on the recommendation that checks whether an endpoint protection solution is even *installed* ("Endpoint protection solution should be installed..."). The underlying recommendation *does* have a policy. Limiting the policies to only the foundational recommendation simplifies policy management.
 
 ## <a name="recs-network"></a>Network recommendations
 
@@ -51,7 +54,7 @@ Your Secure Score is based on how many Security Center recommendations you have
 |**The Kubernetes Service should be upgraded to the latest Kubernetes version**|Upgrade Azure Kubernetes Service clusters to the latest Kubernetes version in order to benefit from up-to-date vulnerability patches. For details regarding specific Kubernetes vulnerabilities see [Kubernetes CVEs](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=kubernetes).<br>(Related policy: [Preview]: Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version)|High|N|Compute resources (Containers)|
 |**Pod Security Policies should be defined to reduce the attack vector by removing unnecessary application privileges (Preview)**|Define Pod Security Policies to reduce the attack vector by removing unnecessary application privileges. It is recommended to configure pod security policies so pods can only access resources which they are allowed to access.<br>(Related policy: [Preview]: Pod Security Policies should be defined on Kubernetes Services)|Medium|N|Compute resources (Containers)|
 |**Access to a Kubernetes service management API should be limited by authorizing specific IP ranges only**|Restrict access to the Kubernetes service management API by granting API access only to IP addresses in specific ranges. It is recommended to configure authorized IP ranges so only applications from allowed networks can access the cluster.<br>(Related policy: [Preview]: Authorized IP ranges should be defined on Kubernetes Services)|High|N|Compute resources (Containers)|
-|**Vulnerabilities in Azure Container Registry images should be remediated (powered by Qualys)**|Container image vulnerability assessment scans your registry for security vulnerabilities on each pushed container image and exposes detailed findings per image. Resolving the vulnerabilities can greatly improve your containers’ security posture and protect them from attacks.<br>(No related policy)|High|N|Compute resources (Containers)|
+|**Vulnerabilities in Azure Container Registry images should be remediated (powered by Qualys)**|Container image vulnerability assessment scans your registry for security vulnerabilities on each pushed container image and exposes detailed findings per image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.<br>(No related policy)|High|N|Compute resources (Containers)|
 ||||||
 
 
@@ -102,7 +105,7 @@ Your Secure Score is based on how many Security Center recommendations you have
 |**Vulnerabilities should be remediated by a Vulnerability Assessment solution**|Virtual machines for which a vulnerability assessment 3rd party solution is deployed are being continuously assessed against application and OS vulnerabilities. Whenever such vulnerabilities are found, these are available for more information as part of the recommendation.<br>(Related policy: Vulnerabilities should be remediated by a Vulnerability Assessment solution)|High|N|Machine|
 |**Vulnerabilities in security configuration on your machines should be remediated**|Remediate vulnerabilities in security configuration on your machines to protect them from attacks.<br>(Related policy: Vulnerabilities in security configuration on your machines should be remediated)|Low|N|Machine|
 |**Vulnerabilities in container security configurations should be remediated**|Remediate vulnerabilities in security configuration on machines with Docker installed to protect them from attacks.<br>(Related policy: Vulnerabilities in container security configurations should be remediated)|High|N|Machine|
-|**Endpoint protection health issues should be resolved on your machines**|For full Security Center protection, resolve monitoring agent issues on your machines by following the instructions in the Troubleshooting guide.<br>(No related policy - dependent upon "Install endpoint protection solution on your machines")|Medium|N|Machine|
+|**Endpoint protection health issues should be resolved on your machines**|For full Security Center protection, resolve monitoring agent issues on your machines by following the instructions in the Troubleshooting guide.<br>(This recommendation is dependent upon the recommendation "Install endpoint protection solution on your machines" and its policy)|Medium|N|Machine|
 ||||||
 
 
diff --git a/articles/security-center/secure-score-security-controls.md b/articles/security-center/secure-score-security-controls.md
@@ -41,7 +41,7 @@ The enhanced Secure Score is shown as a percentage, as shown in the following sc
 
 ## Locating your Secure Score
 
-Security Center displays your score prominently: it's the first thing shown in the Overview page. If you click through to the dedicated Secure Score page, you'll see the score broken down by subscription. Click a single subscription to see the detailed list of prioritized recommendations and the potential impact that remediating them will have on the subscription’s score.
+Security Center displays your score prominently: it's the first thing shown in the Overview page. If you click through to the dedicated Secure Score page, you'll see the score broken down by subscription. Click a single subscription to see the detailed list of prioritized recommendations and the potential impact that remediating them will have on the subscription's score.
 
 ## How the Secure Score is calculated 
 
@@ -95,7 +95,7 @@ The table below lists the Security Controls in Azure Security Center. For each c
 |**Remediate vulnerabilities**|6|- Advanced data security should be enabled on your SQL servers<br>- Vulnerabilities in Azure Container Registry images should be remediated (Preview)<br>- Vulnerabilities on your SQL databases should be remediated<br>- Vulnerabilities should be remediated by a Vulnerability Assessment solution<br>- Vulnerability assessment should be enabled on your SQL managed instances<br>- Vulnerability assessment should be enabled on your SQL servers<br>- Vulnerability assessment solution should be installed on your virtual machines|
 |**Enable encryption at rest**|4|- Disk encryption should be applied on virtual machines<br>- Transparent Data Encryption on SQL databases should be enabled<br>- Automation account variables should be encrypted<br>- Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign<br>- SQL server TDE protector should be encrypted with your own key|
 |**Encrypt data in transit**|4|- API App should only be accessible over HTTPS<br>- Function App should only be accessible over HTTPS<br>- Only secure connections to your Redis Cache should be enabled<br>- Secure transfer to storage accounts should be enabled<br>- Web Application should only be accessible over HTTPS|
-|**Manage access and permissions**|4|- A maximum of 3 owners should be designated for your subscription<br>- Deprecated accounts should be removed from your subscription (Preview)<br>- Deprecated accounts with owner permissions should be removed from your subscription (Preview)<br>- External accounts with owner permissions should be removed from your subscription (Preview)<br>- External accounts with read permissions should be removed from your subscription<br>- External accounts with write permissions should be removed from your subscription (Preview)<br>- There should be more than one owner assigned to your subscription<br>- Role-Based Access Control (RBAC) should be used on Kubernetes Services (Preview)<br>- Service Fabric clusters should only use Azure Active Directory for client authentication|
+|**Manage access and permissions**|4|- A maximum of 3 owners should be designated for your subscription<br>- Deprecated accounts should be removed from your subscription<br>- Deprecated accounts with owner permissions should be removed from your subscription<br>- External accounts with owner permissions should be removed from your subscription<br>- External accounts with read permissions should be removed from your subscription<br>- External accounts with write permissions should be removed from your subscription<br>- There should be more than one owner assigned to your subscription<br>- Role-Based Access Control (RBAC) should be used on Kubernetes Services (Preview)<br>- Service Fabric clusters should only use Azure Active Directory for client authentication|
 |**Remediate security configurations**|4|- Pod Security Policies should be defined on Kubernetes Services (Preview)<br>- Vulnerabilities in container security configurations should be remediated<br>- Vulnerabilities in security configuration on your machines should be remediated<br>- Vulnerabilities in security configuration on your virtual machine scale sets should be remediated<br>- Monitoring agent should be installed on your virtual machines<br>- Monitoring agent should be installed on your machines<br>- Monitoring agent should be installed on virtual machine scale sets<br>- Monitoring agent health issues should be resolved on your machines|
 |**Restrict unauthorized network access**|4|- IP forwarding on your virtual machine should be disabled<br>- Authorized IP ranges should be defined on Kubernetes Services (Preview)<br>- (DEPRECATED) Access to App Services should be restricted (Preview)<br>- (DEPRECATED) The rules for web applications on IaaS NSGs should be hardened<br>- Virtual machines should be associated with a Network Security Group<br>- CORS should not allow every resource to access your API App<br>- CORS should not allow every resource to access your Function App<br>- CORS should not allow every resource to access your Web Application<br>- Remote debugging should be turned off for API App<br>- Remote debugging should be turned off for Function App<br>- Remote debugging should be turned off for Web Application<br>- Access should be restricted for permissive Network Security Groups with Internet-facing VMs<br>- Network Security Group Rules for Internet facing virtual machines should be hardened|
 |**Apply adaptive application control**|3|- Adaptive Application Controls should be enabled on virtual machines<br>- Monitoring agent should be installed on your virtual machines<br>- Monitoring agent should be installed on your machines<br>- Monitoring agent health issues should be resolved on your machines|
@@ -121,7 +121,7 @@ Yes, but for a while they'll be running side by side to ease the transition.
 Yes. We recommend disabling recommendations when they're inapplicable in your environment. For instructions on how to disable a specific recommendation, see [Disable security policies](https://docs.microsoft.com/azure/security-center/tutorial-security-policy#disable-security-policies).
 
 ### If a Security Control offers me zero points towards my Secure Score, should I ignore it?
-In some cases you'll see a control max score greater than zero, but the impact is zero. When the incremental score for fixing resources is negligible, it's rounded to zero. Don't ignore these recommendations as they still bring security improvements. The only exception is the “Additional Best Practice” control. Remediating these recommendations won't increase your score, but it will enhance your overall security.
+In some cases you'll see a control max score greater than zero, but the impact is zero. When the incremental score for fixing resources is negligible, it's rounded to zero. Don't ignore these recommendations as they still bring security improvements. The only exception is the "Additional Best Practice" control. Remediating these recommendations won't increase your score, but it will enhance your overall security.
 
 ## Next steps
 
diff --git a/articles/security-center/security-center-identity-access.md b/articles/security-center/security-center-identity-access.md
