Merge pull request #280837 from MicrosoftDocs/main

7/15/2024 OOB Live Publishing

Author: Taojunshen

articles/azure-web-pubsub/overview.md

@@ -5,20 +5,20 @@ author: yjin81
 ms.author: yajin1
 ms.service: azure-web-pubsub
 ms.topic: overview 
-ms.date: 11/08/2021
+ms.date: 07/12/2024
 ---
 
 # What is Azure Web PubSub service?
 
-The Azure Web PubSub Service helps you build real-time messaging web applications using WebSockets and the publish-subscribe pattern easily. This real-time functionality allows publishing content updates between server and connected clients (for example a single page web application or mobile application). The clients do not need to poll the latest updates, or submit new HTTP requests for updates.
+The Azure Web PubSub Service makes it easy to build real-time messaging web applications using WebSockets and the publish-subscribe pattern. This real-time functionality allows publishing content updates between server and connected clients (for example, a single page web application or mobile application). The clients don't need to poll for the latest updates, or submit new HTTP requests for updates.
 
-This article provides an overview of Azure Web PubSub service.
+This article provides an overview of the Azure Web PubSub service.
 
 ## What is Azure Web PubSub service used for?
 
-Any scenario that requires real-time publish-subscribe messaging between server and clients or among clients, can use Azure Web PubSub service. Traditional real-time features that often require polling from server or submitting HTTP requests, can also use Azure Web PubSub service.
+Any scenario that requires real-time publish-subscribe messaging between the server and clients or among clients, can use the Azure Web PubSub service. Traditional real-time features that often require polling from the server or submitting HTTP requests, can also use the Azure Web PubSub service.
 
-Azure Web PubSub service can be used in any application type that requires real-time content updates. We list some examples that are good to use Azure Web PubSub service:
+The Azure Web PubSub service can be used in any application type that requires real-time content updates. We list some examples that are good to use the Azure Web PubSub service:
 
 * **High frequency data updates:** gaming, voting, polling, auction.
 * **Live dashboards and monitoring:** company dashboard, financial market data, instant sales update, multi-player game leader board, and IoT monitoring.
@@ -35,17 +35,17 @@ Azure Web PubSub service can be used in any application type that requires real-
 
 **Built-in support for large-scale client connections and highly available architectures:**
 
-Azure Web PubSub service is designed for large-scale real-time applications. The service allows multiple instances to work together and scale to millions of client connections. Meanwhile, it also supports multiple global regions for sharding, high availability, or disaster recovery purposes.
+The Azure Web PubSub service is designed for large-scale real-time applications. The service allows multiple instances to work together and scale to millions of client connections. Meanwhile, it also supports multiple global regions for sharding, high availability, or disaster recovery purposes.
 
 **Support for a wide variety of client SDKs and programming languages:**
 
-Azure Web PubSub service works with a broad range of clients, such as web and mobile browsers, desktop apps, mobile apps, server process, IoT devices, and game consoles. Since this service supports the standard WebSocket connection with publish-subscribe pattern, it is easily to use any standard WebSocket client SDK in different languages with this service. 
+The Azure Web PubSub service works with a broad range of clients. These clients include web and mobile browsers, desktop apps, mobile apps, server processes, IoT devices, and game consoles. Since this service supports the standard WebSocket connection with publish-subscribe pattern, it's easy to use any standard WebSocket client SDK in different languages with this service. 
 
 **Offer rich APIs for different messaging patterns:**
 
 Azure Web PubSub service is a bi-directional messaging service that allows different messaging patterns among server and clients, for example:
 
-* The server sends messages to a particular client, all clients, or a subset of clients that belong to a specific user, or have been placed in an arbitrary group. 
+* The server sends messages to individual clients, all clients, or groups of clients that are associated with a specific user or categorized into arbitrary groups.
 * The client sends messages to clients that belong to an arbitrary group.
 * The clients send messages to server.
 

articles/defender-for-cloud/TOC.yml

@@ -756,6 +756,9 @@
             href: transition-to-defender-vulnerability-management.md
           - name: Common questions 
             href: common-questions-microsoft-defender-vulnerability-management.md
+      - name: Binary drift detection (preview)
+        displayName: k8s, containers, aks
+        href: binary-drift-detection.md
       - name: Kubernetes data plane hardening
         displayName: k8s, containers, aks
         href: kubernetes-workload-protections.md

articles/defender-for-cloud/alerts-reference.md

@@ -2850,7 +2850,7 @@ Synapse.SQLPool_ShellExternalSourceAnomaly)
 
 **[MITRE tactics](#mitre-attck-tactics)**: Execution
 
-**Severity**: High
+**Severity**: High/Medium
 
 ### **Unusual payload with obfuscated parts has been initiated by SQL Server**
 
@@ -2860,7 +2860,7 @@ Synapse.SQLPool_ShellExternalSourceAnomaly)
 
 **[MITRE tactics](#mitre-attck-tactics)**: Execution
 
-**Severity**: High
+**Severity**: High/Medium
 
 ## Alerts for open-source relational databases
 
@@ -2876,7 +2876,7 @@ SQL.MySQL_BruteForce)
 
 **[MITRE tactics](#mitre-attck-tactics)**: PreAttack
 
-**Severity**: High
+**Severity**: Medium
 
 ### **Suspected successful brute force attack**
 
@@ -2900,7 +2900,7 @@ SQL.MariaDB_BruteForce)
 
 **[MITRE tactics](#mitre-attck-tactics)**: PreAttack
 
-**Severity**: High
+**Severity**: Medium
 
 ### **Attempted logon by a potentially harmful application**
 
@@ -2912,7 +2912,7 @@ SQL.MySQL_HarmfulApplication)
 
 **[MITRE tactics](#mitre-attck-tactics)**: PreAttack
 
-**Severity**: High
+**Severity**: High/Medium
 
 ### **Login from a principal user not seen in 60 days**
 
@@ -2924,7 +2924,7 @@ SQL.MySQL_PrincipalAnomaly)
 
 **[MITRE tactics](#mitre-attck-tactics)**: Exploitation
 
-**Severity**: Medium
+**Severity**: Low
 
 ### **Login from a domain not seen in 60 days**
 

articles/defender-for-cloud/binary-drift-detection.md

@@ -0,0 +1,89 @@
+---
+title: Binary drift detection (preview)
+description: Learn how binary drift detection can help you detect unauthorized external processes within containers.
+ms.topic: how-to
+author: dcurwin
+ms.author: dacurwin
+ms.date: 06/17/2024
+#customer intent: As a user, I want to understand how binary drift detection can help me detect unauthorized external processes within containers.
+---
+
+# Binary drift detection (preview)
+
+A binary drift happens when a container is running an executable that didn’t come from the original image. This can either be intentional and legitimate, or it can indicate an attack. Since container images should be immutable, any processes launched from binaries not included in the original image should be evaluated as suspicious activity.
+
+The binary drift detection feature alerts you when there's a difference between the workload that came from the image, and the workload running in the container. It alerts you about potential security threats by detecting unauthorized external processes within containers. You can define drift policies to specify conditions under which alerts should be generated, helping you distinguish between legitimate activities and potential threats.
+
+Binary drift detection is integrated into the Defender for Containers plan and is available in public preview. It's available for the Azure (AKS), Amazon (EKS), and Google (GKE) clouds.
+
+## Prerequisites
+
+- To use binary drift detection, you need to run the Defender for Container sensor, which is available in AWS, GCP, and AKS in [versions](/azure/aks/supported-kubernetes-versions) 1.29 or higher.
+- The Defender for Container sensor must be enabled on the subscriptions and connectors.
+- To create and modify drift policies, you need global admin permissions on the tenant.
+
+## Components
+
+The following components are part of binary drift detection:
+
+- an enhanced sensor capable of detecting binary drift
+- policy configuration options
+- a new binary drift alert
+
+## Configure drift policies
+
+Create drift policies to define when alerts should be generated. Each policy is made up of rules that define the conditions under which alerts should be generated. This allows you to tailor the feature to your specific needs, reducing false positives. You can create exclusions by setting higher priority rules for specific scopes or clusters, images, pods, Kubernetes labels, or namespaces.
+
+To create and configure policies, follow these steps:
+
+1. In Microsoft Defender for Cloud, go to **Environment settings**. Select **Containers drift policy**.
+
+    :::image type="content" source="media/binary-drift-detection/select-containers-drift-policy.png" alt-text="Screenshot of Select Containers drift policy in Environment settings." lightbox="media/binary-drift-detection/select-containers-drift-policy.png":::
+
+1. You receive two rules out of the box: the **Alert on Kube-System namespace** rule and the **Default binary drift** rule. The default rule is a special rule that applies to everything if no other rule before it is matched. You can only modify its action, either to **Drift detection alert** or return it to the default **Ignore drift detection**. The **Alert on Kube-System namespace** rule is an out-of-the-box suggestion and can be modified like any other rule.
+
+    :::image type="content" source="media/binary-drift-detection/default-rule.png" alt-text="Screenshot of Default rule appears at the bottom of the list of rules." lightbox="media/binary-drift-detection/default-rule.png":::
+
+1. To add a new rule, select **Add rule**. A side panel appears where you can configure the rule.
+
+    :::image type="content" source="media/binary-drift-detection/add-rule.png" alt-text="Screenshot of Select Add rule to create and configure a new rule." lightbox="media/binary-drift-detection/add-rule.png":::
+
+1. To configure the rule, define the following fields:
+
+    - **Rule name**: A descriptive name for the rule.
+    - **Action**: Select **Drift detection alert** if the rule should generate an alert or **Ignore drift detection** to exclude it from alert generation.
+    - **Scope description**: A description of the scope to which the rule applies.
+    - **Cloud scope**: The cloud provider to which the rule applies. You can choose any combination of Azure, AWS, or GCP. If you expand a cloud provider, you can select specific subscription. If you don't select the entire cloud provider, new subscriptions added to the cloud provider won't be included in the rule.
+    - **Resource scope**: Here you can add conditions based on the following categories: **Container name**, **Image name**, **Namespace**, **Pod labels**, **Pod name**, or **Cluster name**. Then choose an operator: **Starts with**, **Ends with**, **Equals**, or **Contains**. Finally, enter the value to match. You can add as many conditions as needed by selecting **+Add condition**.
+    - **Allow list for processes**: A list of processes that are allowed to run in the container. If a process not on this list is detected, an alert is generated.
+
+    Here's an example of a rule that allows the `dev1.exe` process to run in containers in the Azure cloud scope, whose image names start with either *Test123* or *env123*:
+
+    :::image type="content" source="media/binary-drift-detection/rule-configuration.png" alt-text="Example of a rule configuration with all the fields defined." lightbox="media/binary-drift-detection/rule-configuration.png":::
+
+1. Select **Apply** to save the rule.
+
+1. Once you configure your rule, select and drag the rule up or down on the list to change its priority. The rule with the highest priority is evaluated first. If there's a match, it either generates an alert or ignores it (based on what was chosen for that rule) and the evaluation stops. If no match is found, the next rule is evaluated. If there's no match for any rule, the default rule is applied.
+
+1. To edit an existing rule, choose the rule and select **Edit**. This opens the side panel where you can make changes to the rule.
+
+1. You can select **Duplicate rule** to create a copy of a rule. This can be useful if you want to create a similar rule with only minor changes.
+
+1. To delete a rule, select **Delete rule**.
+
+1. After you configured your rules, select **Save** to apply the changes and create the policy.
+1. Within 30 minutes, the sensors on the protected clusters are updated with the new policy.
+
+## Monitor and manage alerts
+
+The alert system is designed to notify you of any binary drifts, helping you maintain the integrity of your container images. If an unauthorized external process is detected that matches your defined policy conditions, an alert with high severity is generated for you to review.
+
+## Adjust policies as needed
+
+Based on the alerts you receive and your review of them, you might find it necessary to adjust your rules in the binary drift policy. This could involve refining conditions, adding new rules, or removing ones that generate too many false positives. The goal is to ensure that the defined binary drift policies with their rules effectively balance security needs with operational efficiency.
+
+The effectiveness of binary drift detection relies on your active engagement in configuring, monitoring, and adjusting policies to suit your environment's unique requirements.
+
+## Related content
+
+- [Overview of Container security in Microsoft Defender for Containers](defender-for-containers-introduction.md)

articles/defender-for-cloud/defender-for-containers-introduction.md

@@ -54,6 +54,8 @@ You can learn more by watching this video from the Defender for Cloud in the Fie
 
 ### Sensor-based capabilities
 
+**Binary drift detection** - Defender for Containers provides a sensor-based capability that alerts you about potential security threats by detecting unauthorized external processes within containers. You can define drift policies to specify conditions under which alerts should be generated, helping you distinguish between legitimate activities and potential threats. For more information, see [Binary drift protection (preview)](binary-drift-detection.md).
+
 **Kubernetes data plane hardening** - To protect the workloads of your Kubernetes containers with best practice recommendations, you can install the [Azure Policy for Kubernetes](../governance/policy/concepts/policy-for-kubernetes.md). Learn more about [monitoring components](monitoring-components.md) for Defender for Cloud.
 
 With the add-on on your Kubernetes cluster, every request to the Kubernetes API server is monitored against the predefined set of best practices before being persisted to the cluster. You can then configure it to enforce the best practices and mandate them for future workloads.

articles/defender-for-cloud/enable-defender-for-databases-azure.md

@@ -49,6 +49,10 @@ Learn more about this Microsoft Defender plan in [Overview of Microsoft Defender
 
 1. Select **Save**
 
+## Related content
+
+- [Optional configurations after in-place migration from Azure Database for MySQL Single Server to Flexible Server](/azure/mysql/migrate/whats-happening-to-mysql-single-server#configure-microsoft-defender-for-cloud-properties-in-flexible-server).
+
 ## Next step
 
 > [!div class="nextstepaction"]