Merge pull request #196263 from ElazarK/dine-policy

instructions to install defender profile

Author: v-regandowner

articles/defender-for-cloud/defender-for-containers-enable.md

@@ -2,11 +2,10 @@
 title: How to enable Microsoft Defender for Containers in Microsoft Defender for Cloud
 description: Enable the container protections of Microsoft Defender for Containers
 ms.topic: overview
-ms.author: elkrieger
-author: Elazark
 zone_pivot_groups: k8s-host
-ms.date: 03/27/2022
+ms.date: 05/10/2022
 ---
+
 # Enable Microsoft Defender for Containers
 
 Microsoft Defender for Containers is the cloud-native solution for securing your containers.
@@ -76,6 +75,18 @@ A full list of supported alerts is available in the [reference table of all Defe
 [!INCLUDE [Remove the extension](./includes/defender-for-containers-remove-extension.md)]
 ::: zone-end
 
+::: zone pivot="defender-for-container-aks,defender-for-container-arc"
+[!INCLUDE [Assign a custom workspace](./includes/defender-for-containers-assign-workspace.md)]
+::: zone-end
+
 ::: zone pivot="defender-for-container-aks"
 [!INCLUDE [Remove the profile](./includes/defender-for-containers-remove-profile.md)]
 ::: zone-end
+
+::: zone pivot="defender-for-container-aks,defender-for-container-arc"
+[!INCLUDE [FAQ](./includes/defender-for-containers-override-faq.md)]
+::: zone-end
+
+## Next steps
+
+[Use Defender for Containers to scan your ACR images for vulnerabilities](defender-for-container-registries-usage.md).

articles/defender-for-cloud/includes/defender-for-containers-assign-workspace.md

@@ -0,0 +1,47 @@
+---
+author: ElazarK
+ms.service: defender-for-cloud
+ms.topic: include
+ms.date: 05/10/2022
+ms.author: elkrieger
+---
+
+## Default Log Analytics workspace
+
+The Log Analytics workspace is used by the Defender profile/extension as a data pipeline to send data from the cluster to Defender for Cloud without retaining any data in the Log Analytics workspace itself. As a result, users will not be billed in this use case.
+
+The Defender profile/extension uses a default Log Analytics workspace. If you do not already have a default Log Analytics workspace, Defender for Cloud will create a new resource group and default workspace when the Defender profile/extension is installed. The default workspace is created based on your [region](../faq-data-collection-agents.yml).
+
+The naming convention for the default Log Analytics workspace and resource group is:
+- **Workspace**: DefaultWorkspace-\[subscription-ID]-\[geo]
+- **Resource Group**: DefaultResourceGroup-\[geo]
+
+### Assign a custom workspace
+
+Once the Defender profile/extension has been deployed, a default workspace will be automatically assigned. You can assign a custom workspace through Azure Policy.
+
+**To assign custom workspace**:
+
+1. Sign in to the [Azure portal](https://portal.azure.com). 
+
+1. Search for, and select **Policy**.
+
+    :::image type="content" source="../media/defender-for-containers/find-policy.png" alt-text="Screenshot that shows how to locate the policy page." lightbox="../media/defender-for-containers/find-policy.png":::
+
+1. Select **Definitions**.
+
+1. Search for policy ID `64def556-fbad-4622-930e-72d1d5589bf5`.
+
+    :::image type="content" source="../media/defender-for-containers/policy-search.png" alt-text="Screenshot that shows where to search for the policy by I D number." lightbox="../media/defender-for-containers/policy-search.png":::
+
+1. Select **\[Preview]: Configure Azure Kubernetes Service clusters to enable Defender profile**.
+
+1. Select **Assign**.
+
+1. In the **Parameters** tab, deselect the **Only show parameters that need input or review** option.
+
+1. Enter `LogAnalyticsWorkspaceResource`.
+
+1. Select **Review + create**.
+
+1. Select **Create**.

articles/defender-for-cloud/includes/defender-for-containers-enable-plan-aks.md

@@ -1,12 +1,15 @@
 ---
-author: bmansheim
-ms.author: benmansheim
+author: ElazarK
+ms.author: elkrieger
 ms.service: defender-for-cloud
 ms.topic: include
-ms.date: 04/28/2022
+ms.date: 05/10/2022
 ---
+
 ## Enable the plan
 
+**To enable the plan**:
+
 1. From Defender for Cloud's menu, open the [Environment settings page](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/EnvironmentSettings) and select the relevant subscription.
 
 1. In the [Defender plans page](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/pricingTier), enable **Defender for Containers**
@@ -16,7 +19,7 @@ ms.date: 04/28/2022
     >
     > :::image type="content" source="../media/release-notes/defender-plans-deprecated-indicator.png" alt-text="Defender for container registries and Defender for Kubernetes plans showing 'Deprecated' and upgrade information.":::
 
-1. By default, when enabling the plan through the Azure Portal, [Microsoft Defender for Containers](../defender-for-containers-introduction.md) is configured to auto provision (automatically install) required components to provide the protections offered by plan.
+1. By default, when enabling the plan through the Azure portal, [Microsoft Defender for Containers](../defender-for-containers-introduction.md) is configured to auto provision (automatically install) required components to provide the protections offered by plan, including the assignment of a default workspace. 
 
     Optionally, you can modify this configuration from the [Defender plans page](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/pricingTier) or from the [Auto provisioning page](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/dataCollection) on the **Microsoft Defender for Containers components (preview)** row:
 
@@ -25,6 +28,8 @@ ms.date: 04/28/2022
     > [!NOTE]
     > If you choose to **disable the plan** at any time after enabling it through the portal as shown above, you'll need to manually remove Defender for Containers components deployed on your clusters.
 
+    You can assign a custom workspace through Azure Policy.
+
 1. If you disable the auto provisioning of any component, you can easily deploy the component to one or more clusters using the appropriate recommendation:
 
     - Policy Add-on for Kubernetes - [Azure Kubernetes Service clusters should have the Azure Policy Add-on for Kubernetes installed](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/08e628db-e2ed-4793-bc91-d13e684401c3)
@@ -40,6 +45,8 @@ ms.date: 04/28/2022
 
 You can enable the Defender for Containers plan and deploy all of the relevant components from the Azure portal, the REST API, or with a Resource Manager template. For detailed steps, select the relevant tab.
 
+Once the Defender profile has been deployed, a default workspace will be automatically assigned. You can override the default workspace and make a change through Azure Policy by assigning a custom workspace
+
 The Defender security profile is a preview feature. [!INCLUDE [Legalese](../../../includes/defender-for-cloud-preview-legal-text.md)]
 
 ### [**Azure portal**](#tab/aks-deploy-portal)
@@ -142,4 +149,4 @@ To install the 'SecurityProfile' on an existing cluster with Resource Manager:
         },
     }
 }
-```
+```

articles/defender-for-cloud/includes/defender-for-containers-enable-plan-arc.md

@@ -1,13 +1,15 @@
 ---
-author: bmansheim
-ms.author: benmansheim
+author: ElazarK
+ms.author: elkrieger
 ms.service: defender-for-cloud
 ms.topic: include
-ms.date: 04/28/2022
+ms.date: 05/10/2022
 
 ---
 ## Enable the plan
 
+**To enable the plan**:
+
 1. From Defender for Cloud's menu, open the [Environment settings page](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/EnvironmentSettings) and select the relevant subscription.
 
 1. In the [Defender plans page](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/pricingTier), enable **Defender for Containers**
@@ -17,7 +19,7 @@ ms.date: 04/28/2022
     >
     > :::image type="content" source="../media/release-notes/defender-plans-deprecated-indicator.png" alt-text="Defender for container registries and Defender for Kubernetes plans showing 'Deprecated' and upgrade information.":::
 
-1. By default, when enabling the plan through the Azure Portal, [Microsoft Defender for Containers](../defender-for-containers-introduction.md) is configured to auto provision (automatically install) required components to provide the protections offered by plan.
+1. By default, when enabling the plan through the Azure portal, [Microsoft Defender for Containers](../defender-for-containers-introduction.md) is configured to auto provision (automatically install) required components to provide the protections offered by plan, including the assignment of a default workspace.
 
     Optionally, you can modify this configuration from the [Defender plans page](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/pricingTier) or from the [Auto provisioning page](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/dataCollection) on the **Microsoft Defender for Containers components (preview)** row:
 
@@ -26,6 +28,8 @@ ms.date: 04/28/2022
     > [!NOTE]
     > If you choose to **disable the plan** at any time after enabling it through the portal as shown above, you'll need to manually remove Defender for Containers components deployed on your clusters.
 
+    You can assign a custom workspace through Azure Policy.
+
 1. If you disable the auto provisioning of any component, you can easily deploy the component to one or more clusters using the appropriate recommendation:
 
     - Policy Add-on for Kubernetes - [Azure Kubernetes Service clusters should have the Azure Policy Add-on for Kubernetes installed](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/08e628db-e2ed-4793-bc91-d13e684401c3)

articles/defender-for-cloud/includes/defender-for-containers-override-faq.md

@@ -0,0 +1,30 @@
+---
+author: ElazarK
+ms.author: elkrieger
+ms.service: defender-for-cloud
+ms.topic: include
+ms.date: 05/10/2022
+---
+
+## FAQ
+
+- [How can I use my existing Log Analytics workspace?](#how-can-i-use-my-existing-log-analytics-workspace)
+- [Can I delete the default workspaces created by Defender for Cloud?](#can-i-delete-the-default-workspaces-created-by-defender-for-cloud)
+- [I deleted my default workspace, how can I get it back?](#i-deleted-my-default-workspace-how-can-i-get-it-back)
+- [Where is the default Log Analytics workspace located?](#where-is-the-default-log-analytics-workspace-located)
+
+### How can I use my existing Log Analytics workspace?
+
+You can use your existing Log Analytics workspace by following the steps in the Assign a custom workspace section of this article.
+
+### Can I delete the default workspaces created by Defender for Cloud? 
+
+We do not recommend deleting the default workspace. Defender for Containers uses the default workspaces to collect security data from your clusters. Defender for Containers will be unable to collect data, and some security recommendations and alerts, will become unavailable if you delete the default workspace. 
+
+### I deleted my default workspace, how can I get it back?
+
+To recover your default workspace, you need to remove the Defender profile/extension, and reinstall the agent. Reinstalling the Defender profile/extension creates a new default workspace.
+
+### Where is the default Log Analytics workspace located?
+
+Depending on your region the default Log Analytics workspace located will be located in various locations. To check your region see [Where is the default Log Analytics workspace created?](../faq-data-collection-agents.yml)