Merge pull request #267920 from MicrosoftDocs/main

Publish to live, Sunday 4:00 PM PST, 03/03

Author: Stacyrch140

articles/azure-monitor/includes/vm-insights-dependency-agent-linux-versions.md

@@ -0,0 +1,55 @@
+---
+author: KennedyDenMSFT
+ms.author: guywild
+ms.service: azure-monitor
+ms.topic: include
+ms.date: 02/27/2024
+---
+
+>[!NOTE]
+> With Dependency agent 9.10.15 and above, installation is not blocked for unsupported kernel versions, but the agent will run in degraded mode. In this mode, connection and port data stored in VMConnection and VMBoundport tables is not collected. The VMProcess table may have some data, but it will be minimal.
+
+| Distribution | OS version | Kernel version |
+|:---|:---|:---|
+| Red Hat Linux 8    | 8.6     | 4.18.0-372.\*el8.x86_64, 4.18.0-372.*el8_6.x86_64 |
+|                    | 8.5     | 4.18.0-348.\*el8_5.x86_644.18.0-348.\*el8.x86_64 |
+|                    | 8.4     | 4.18.0-305.\*el8.x86_64, 4.18.0-305.\*el8_4.x86_64 |
+|                    | 8.3     | 4.18.0-240.\*el8_3.x86_64 |
+|                    | 8.2     | 4.18.0-193.\*el8_2.x86_64 |
+|                    | 8.1     | 4.18.0-147.\*el8_1.x86_64 |
+|                    | 8.0     | 4.18.0-80.\*el8.x86_64<br>4.18.0-80.\*el8_0.x86_64 |
+| Red Hat Linux 7    | 7.9     | 3.10.0-1160 |
+|                    | 7.8     | 3.10.0-1136 |
+|                    | 7.7     | 3.10.0-1062 |
+|                    | 7.6     | 3.10.0-957  |
+|                    | 7.5     | 3.10.0-862  |
+|                    | 7.4     | 3.10.0-693  |
+| Red Hat Linux 6    | 6.10    | 2.6.32-754 |
+|                    | 6.9     | 2.6.32-696  |
+| CentOS Linux 8     | 8.6     | 4.18.0-372.\*el8.x86_64, 4.18.0-372.*el8_6.x86_64 |
+|                    | 8.5     | 4.18.0-348.\*el8_5.x86_644.18.0-348.\*el8.x86_64  |
+|                    | 8.4     | 4.18.0-305.\*el8.x86_64, 4.18.0-305.\*el8_4.x86_64 |
+|                    | 8.3     | 4.18.0-240.\*el8_3.x86_64 |
+|                    | 8.2     | 4.18.0-193.\*el8_2.x86_64 |
+|                    | 8.1     | 4.18.0-147.\*el8_1.x86_64 |
+|                    | 8.0     | 4.18.0-80.\*el8.x86_64<br>4.18.0-80.\*el8_0.x86_64 |
+| CentOS Linux 7     | 7.9     | 3.10.0-1160 |
+|                    | 7.8     | 3.10.0-1136 |
+|                    | 7.7     | 3.10.0-1062 |
+| CentOS Linux 6     | 6.10    | 2.6.32-754.3.5<br>2.6.32-696.30.1 |
+|                    | 6.9     | 2.6.32-696.30.1<br>2.6.32-696.18.7 |
+| Ubuntu Server      | 20.04   | 5.8<br>5.4\* |
+|                    | 18.04   | 5.3.0-1020<br>5.0 (includes Azure-tuned kernel)<br>4.18*<br>4.15* |
+|                    | 16.04.3 | 4.15.\* |
+|                    | 16.04   | 4.13.\*<br>4.11.\*<br>4.10.\*<br>4.8.\*<br>4.4.\* |
+|                    | 14.04   | 3.13.\*-generic<br>4.4.\*-generic|
+| SUSE Linux 12 Enterprise Server | 12 SP5     | 4.12.14-122.\*-default, 4.12.14-16.\*-azure|
+|                                 | 12 SP4 | 4.12.\* (includes Azure-tuned kernel) |
+|                                 | 12 SP3 | 4.4.\* |
+|                                 | 12 SP2 | 4.4.\* |
+| SUSE Linux 15 Enterprise Server | 15 SP1 | 4.12.14-197.\*-default, 4.12.14-8.\*-azure |
+|                                 | 15     | 4.12.14-150.\*-default |
+| Debian                          | 9      | 4.9  | 
+
+>[!NOTE]
+> Dependency agent is not supported for Azure Virtual Machines with Ampere Altra ARM–based processors.

articles/azure-monitor/includes/vm-insights-dependency-agent-windows-versions.md

@@ -0,0 +1,29 @@
+---
+author: KennedyDenMSFT
+ms.author: guywild
+ms.service: azure-monitor
+ms.topic: include
+ms.date: 02/27/2024
+---
+
+| Operating system | Azure VM Dependency agent |
+|:---|:---:|
+| Windows Server 2022                                      | ✓ |
+| Windows Server 2022 Core                                 | ✓ |
+| Windows Server 2019                                      | ✓ | 
+| Windows Server 2019 Core                                 | ✓ |
+| Windows Server 2016                                      | ✓ | 
+| Windows Server 2016 Core                                 | ✓ |
+| Windows Server 2012 R2                                   | ✓ |
+| Windows Server 2012                                      | ✓ |
+| Windows 11 Client and Pro                                | ✓<sup>1</sup>, <sup>2</sup> |
+| Windows 11 Enterprise<br>(including multi-session)       | ✓ |
+| Windows 10 1803 (RS4) and higher                         | ✓<sup>1</sup> |
+| Windows 10 Enterprise<br>(including multi-session) and Pro<br>(Server scenarios only)  | ✓ |
+| Windows 8 Enterprise and Pro<br>(Server scenarios only)  |   |
+| Windows 7 SP1<br>(Server scenarios only)                 |   | 
+| Azure Stack HCI                                          |   |
+| Windows IoT Enterprise                                   | ✓ |
+
+<sup>1</sup> Using the Azure Monitor agent [client installer](../agents/azure-monitor-agent-windows-client.md).<br>
+<sup>2</sup> Also supported on Arm64-based machines.

articles/azure-monitor/includes/waf-alerts-security.md

@@ -3,7 +3,7 @@ author: AbbyMSFT
 ms.author: abbyweisberg
 ms.service: azure-monitor
 ms.topic: include
-ms.date: 09/04/2023
+ms.date: 03/03/2024
 ---
 
 ### Design checklist
@@ -25,4 +25,3 @@ ms.date: 09/04/2023
 |To control permissions for log search alert rules, use [managed identities](../../active-directory/managed-identities-azure-resources/overview.md) for your log search alert rules.|A common challenge for developers is the management of secrets, credentials, certificates, and keys used to secure communication between services. Managed identities eliminate the need for developers to manage these credentials. Setting a managed identity for your log search alert rules gives you control and visibility into the exact permissions of your alert rule. At any time, you can view your rule’s query permissions and add or remove permissions directly from its managed identity. In addition, using a managed identity is required if your rule’s query is accessing Azure Data Explorer (ADX) or Azure Resource Graph (ARG). See [Managed identities](../alerts/alerts-create-new-alert-rule.md#managed-id).|
 |Assign the monitoring reader role for all users who don’t need configuration privileges.|Enhance security by giving users the least amount of privileges required for their role. See [Roles, permissions, and security in Azure Monitor](../roles-permissions-security.md).|
 |Where possible, use secure webhook actions.| If your alert rule contains an action group that uses webhook actions, prefer using secure webhook actions for additional authentication. See [Configure authentication for Secure webhook](../alerts/action-groups.md#configure-authentication-for-secure-webhook) |
-|When using action groups that use private links, use Event hub actions    |When using private links in Azure, use Event hub actions for alerts. Due to the increased security for private links, event hub actions are the only actions supported by private links. |

articles/azure-monitor/vm/vminsights-dependency-agent-maintenance.md

@@ -93,53 +93,7 @@ To uninstall Dependency Agent:
 
 Since the Dependency agent works at the kernel level, support is also dependent on the kernel version. As of Dependency agent version 9.10.* the agent supports * kernels.  The following table lists the major and minor Linux OS release and supported kernel versions for the Dependency agent.
 
->[!NOTE]
-> With Dependency agent 9.10.15 and above, installation is not blocked for unsupported kernel versions, but the agent will run in degraded mode. In this mode, connection and port data stored in VMConnection and VMBoundport tables is not collected. The VMProcess table may have some data, but it will be minimal.
-
-| Distribution | OS version | Kernel version |
-|:---|:---|:---|
-|  Red Hat Linux 8   | 8.6     | 4.18.0-372.\*el8.x86_64, 4.18.0-372.*el8_6.x86_64 |
-|                    | 8.5     | 4.18.0-348.\*el8_5.x86_644.18.0-348.\*el8.x86_64 |
-|                    | 8.4     | 4.18.0-305.\*el8.x86_64, 4.18.0-305.\*el8_4.x86_64 |
-|                    | 8.3     | 4.18.0-240.\*el8_3.x86_64 |
-|                    | 8.2     | 4.18.0-193.\*el8_2.x86_64 |
-|                    | 8.1     | 4.18.0-147.\*el8_1.x86_64 |
-|                    | 8.0     | 4.18.0-80.\*el8.x86_64<br>4.18.0-80.\*el8_0.x86_64 |
-|  Red Hat Linux 7   | 7.9     | 3.10.0-1160 |
-|                    | 7.8     | 3.10.0-1136 |
-|                    | 7.7     | 3.10.0-1062 |
-|                    | 7.6     | 3.10.0-957  |
-|                    | 7.5     | 3.10.0-862  |
-|                    | 7.4     | 3.10.0-693  |
-| Red Hat Linux 6    | 6.10    | 2.6.32-754 |
-|                    | 6.9     | 2.6.32-696  |
-| CentOS Linux 8     | 8.6     | 4.18.0-372.\*el8.x86_64, 4.18.0-372.*el8_6.x86_64 |
-|                    | 8.5     | 4.18.0-348.\*el8_5.x86_644.18.0-348.\*el8.x86_64  |
-|                    | 8.4     | 4.18.0-305.\*el8.x86_64, 4.18.0-305.\*el8_4.x86_64 |
-|                    | 8.3     | 4.18.0-240.\*el8_3.x86_64 |
-|                    | 8.2     | 4.18.0-193.\*el8_2.x86_64 |
-|                    | 8.1     | 4.18.0-147.\*el8_1.x86_64 |
-|                    | 8.0     | 4.18.0-80.\*el8.x86_64<br>4.18.0-80.\*el8_0.x86_64 |
-| CentOS Linux 7     | 7.9     | 3.10.0-1160 |
-|                    | 7.8     | 3.10.0-1136 |
-|                    | 7.7     | 3.10.0-1062 |
-| CentOS Linux 6     | 6.10    | 2.6.32-754.3.5<br>2.6.32-696.30.1 |
-|                    | 6.9     | 2.6.32-696.30.1<br>2.6.32-696.18.7 |
-| Ubuntu Server      | 20.04   | 5.8<br>5.4\* |
-|                    | 18.04   | 5.3.0-1020<br>5.0 (includes Azure-tuned kernel)<br>4.18*<br>4.15* |
-|                    | 16.04.3 | 4.15.\* |
-|                    | 16.04   | 4.13.\*<br>4.11.\*<br>4.10.\*<br>4.8.\*<br>4.4.\* |
-|                    | 14.04   | 3.13.\*-generic<br>4.4.\*-generic|
-| SUSE Linux 12 Enterprise Server | 12 SP5     | 4.12.14-122.\*-default, 4.12.14-16.\*-azure|
-|                                 | 12 SP4 | 4.12.\* (includes Azure-tuned kernel) |
-|                                 | 12 SP3 | 4.4.\* |
-|                                 | 12 SP2 | 4.4.\* |
-| SUSE Linux 15 Enterprise Server | 15 SP1 | 4.12.14-197.\*-default, 4.12.14-8.\*-azure |
-|                                 | 15     | 4.12.14-150.\*-default |
-| Debian                          | 9      | 4.9  | 
-
->[!NOTE]
-> Dependency agent is not supported for Azure Virtual Machines with Ampere Altra ARM–based processors.
+[!INCLUDE [dependency-agent-linux-versions](../includes/vm-insights-dependency-agent-linux-versions.md)]
 
 ## Next steps
 

articles/defender-for-cloud/defender-for-storage-malware-scan.md

@@ -153,9 +153,9 @@ Learn more about [setting up logging for malware scanning](advanced-configuratio
 Malware scanning is billed per GB scanned. To provide cost predictability, Malware Scanning supports setting a cap on the amount of GB scanned in a single month per storage account.
 
 > [!IMPORTANT]
-> Malware scanning in Defender for Storage is not included for free in the first 30 day trial and will be charged from the first day in accordance with the pricing scheme available on the Defender for Cloud [pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/).
+> Malware scanning in Defender for Storage is not included for free in the first 30-day trial and will be charged from the first day in accordance with the pricing scheme available on the Defender for Cloud [pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/).
 
-The "capping" mechanism is designed to set a monthly scanning limit, measured in gigabytes (GB), for each storage account, serving as an effective cost control. If a predefined scanning limit is established for a storage account in a single calendar month, the scanning operation would automatically halt once this threshold is reached (with up to a 20-GB deviation), and files wouldn't be scanned for malware. Updating the cap typically takes up to an hour to take effect.
+The "capping" mechanism is designed to set a monthly scanning limit, measured in gigabytes (GB), for each storage account, serving as an effective cost control. If a predefined scanning limit is established for a storage account in a single calendar month, the scanning operation would automatically halt once this threshold is reached (with up to a 20-GB deviation), and files wouldn't be scanned for malware. The cap is reset at the end of every month at midnight UTC. Updating the cap typically takes up to an hour to take effect.
 
 By default, a limit of 5 TB (5,000 GB) is established if no specific capping mechanism is defined.
 

articles/sentinel/connect-aws.md

@@ -215,6 +215,9 @@ The following instructions apply for public **Azure Commercial clouds** only. Fo
 
 1. Edit the new role's trust policy and add another condition:<br>`"sts:RoleSessionName": "MicrosoftSentinel_{WORKSPACE_ID)"`
 
+   > [!IMPORTANT]
+   > The value of the `sts:RoleSessionName` parameter must have the exact prefix `MicrosoftSentinel_`, otherwise the connector will not function properly.
+
    The finished trust policy should look like this:
 
    ```json

articles/sentinel/enable-entity-behavior-analytics.md

@@ -2,9 +2,9 @@
 title: Enable entity behavior analytics to detect advanced threats
 description: Enable User and Entity Behavior Analytics in Microsoft Sentinel, and configure data sources
 author: yelevin
+ms.author: yelevin
 ms.topic: how-to
 ms.date: 07/05/2023
-ms.author: yelevin
 ---
 
 # Enable User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel 
@@ -67,4 +67,4 @@ To enable or disable this feature (these prerequisites are not required to use t
 In this article, you learned how to enable and configure User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel. For more information about UEBA:
 
 > [!div class="nextstepaction"]
->>[Configure data retention and archive](configure-data-retention-archive.md)
+>>[Investigate entities with entity pages](entity-pages.md)

articles/sentinel/identify-threats-with-entity-behavior-analytics.md

@@ -2,9 +2,9 @@
 title: Identify advanced threats with User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel | Microsoft Docs
 description: Create behavioral baselines for entities (users, hostnames, IP addresses) and use them to detect anomalous behavior and identify zero-day advanced persistent threats (APT).
 author: yelevin
+ms.author: yelevin
 ms.topic: conceptual
 ms.date: 08/08/2022
-ms.author: yelevin
 ---
 
 # Identify advanced threats with User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel
@@ -63,7 +63,7 @@ Information about **entity pages** can now be found at [Investigate entities wit
 
 ## Querying behavior analytics data
 
-Using [KQL](/azure/data-explorer/kusto/query/), we can query the Behavioral Analytics Table.
+Using [KQL](/azure/data-explorer/kusto/query/), we can query the **BehaviorAnalytics** table.
 
 For example – if we want to find all the cases of a user that failed to sign in to an Azure resource, where it was the user's first attempt to connect from a given country/region, and connections from that country/region are uncommon even for the user's peers, we can use the following query:
 
@@ -84,15 +84,8 @@ Microsoft Sentinel calculates and ranks a user's peers, based on the user’s Mi
 
 You can use the [Jupyter notebook](https://github.com/Azure/Azure-Sentinel-Notebooks/tree/master/scenario-notebooks/UserSecurityMetadata) provided in the Microsoft Sentinel GitHub repository to visualize the user peers metadata. For detailed instructions on how to use the notebook, see the [Guided Analysis - User Security Metadata](https://github.com/Azure/Azure-Sentinel-Notebooks/blob/master/scenario-notebooks/UserSecurityMetadata/Guided%20Analysis%20-%20User%20Security%20Metadata.ipynb) notebook.
 
-### Permission analytics - table and notebook
-
-Permission analytics helps determine the potential impact of the compromising of an organizational asset by an attacker. This impact is also known as the asset's "blast radius." Security analysts can use this information to prioritize investigations and incident handling.
-
-Microsoft Sentinel determines the direct and transitive access rights held by a given user to Azure resources, by evaluating the Azure subscriptions the user can access directly or via groups or service principals. This information, as well as the full list of the user's Microsoft Entra security group membership, is then stored in the **UserAccessAnalytics** table. The screenshot below shows a sample row in the UserAccessAnalytics table, for the user Alex Johnson. **Source entity** is the user or service principal account, and **target entity** is the resource that the source entity has access to. The values of **access level** and **access type** depend on the access-control model of the target entity. You can see that Alex has Contributor access to the Azure subscription *Contoso Hotels Tenant*. The access control model of the subscription is Azure RBAC.
-
-:::image type="content" source="./media/identify-threats-with-entity-behavior-analytics/user-access-analytics.png" alt-text="Screen shot of user access analytics table":::
-
-You can use the [Jupyter notebook](https://github.com/Azure/Azure-Sentinel-Notebooks/tree/master/scenario-notebooks/UserSecurityMetadata) (the same notebook mentioned above) from the Microsoft Sentinel GitHub repository to visualize the permission analytics data. For detailed instructions on how to use the notebook, see the [Guided Analysis - User Security Metadata](https://github.com/Azure/Azure-Sentinel-Notebooks/blob/master/scenario-notebooks/UserSecurityMetadata/Guided%20Analysis%20-%20User%20Security%20Metadata.ipynb) notebook.
+> [!NOTE]
+> The *UserAccessAnalytics* table has been deprecated.
 
 ### Hunting queries and exploration queries
 

articles/sentinel/investigate-with-ueba.md

@@ -112,7 +112,7 @@ The **IdentityInfo** table synchronizes with your Microsoft Entra workspace to c
 
 ## Identify password spray and spear phishing attempts
 
-Without multi-factor authentication (MFA) enabled, user credentials are vulnerable to attackers looking to compromise attacks with [password spraying](https://www.microsoft.com/security/blog/2020/04/23/protecting-organization-password-spray-attacks/) or [spear phishing](https://www.microsoft.com/security/blog/2019/12/02/spear-phishing-campaigns-sharper-than-you-think/) attempts.
+Without multifactor authentication (MFA) enabled, user credentials are vulnerable to attackers looking to compromise attacks with [password spraying](https://www.microsoft.com/security/blog/2020/04/23/protecting-organization-password-spray-attacks/) or [spear phishing](https://www.microsoft.com/security/blog/2019/12/02/spear-phishing-campaigns-sharper-than-you-think/) attempts.
 
 ### Investigate a password spray incident with UEBA insights
 
@@ -140,7 +140,6 @@ The Investigation graph includes a node for the detonated URL, as well as the fo
 
 - **DetonationVerdict**. The high-level, Boolean determination from detonation. For example, **Bad** means that the side was classified as hosting malware or phishing content.
 - **DetonationFinalURL**. The final, observed landing page URL, after all redirects from the original URL.
-- **DetonationScreenshot**. A screenshot of what the page looked like at the time that the alert was triggered. Select the screenshot to enlarge.
 
 For example: