Update attack-path-reference.md

update tables

Author: AlizaBernstein

articles/defender-for-cloud/attack-path-reference.md

@@ -4,7 +4,7 @@ titleSuffix: Defender for Cloud
 description: This article lists Microsoft Defender for Cloud's list of attack paths based on resource.
 ms.topic: reference
 ms.custom: ignite-2022
-ms.date: 01/17/2023
+ms.date: 01/18/2023
 ---
 
 
@@ -22,43 +22,43 @@ Prerequisite: For a list of prerequisites, see the [Availability table](how-to-m
 
 | Attack Path Display Name | Attack Path Description |
 |--|--|
-| Internet exposed VM has high severity vulnerabilities | Virtual machine '\[MachineName]' is reachable from the internet and has high severity vulnerabilities \[RCE] |
-| Internet exposed VM has high severity vulnerabilities and high permission to a subscription | Virtual machine '\[MachineName]' is reachable from the internet, has high severity vulnerabilities \[RCE] and \[IdentityDescription] with \[PermissionType] permission to subscription '\[SubscriptionName]' |
-| Internet exposed VM has high severity vulnerabilities and read permission to a data store with sensitive data | Virtual machine '\[MachineName]' is reachable from the internet, has high severity vulnerabilities \[RCE] and \[IdentityDescription] with read permission to \[DatabaseType] '\[DatabaseName]' containing sensitive data. For more details, you can learn how to [prioritize security actions by data sensitivity](./information-protection.md). |
-| Internet exposed VM has high severity vulnerabilities and read permission to a data store | Virtual machine '\[MachineName]' is reachable from the internet, has high severity vulnerabilities \[RCE] and \[IdentityDescription] with read permission to \[DatabaseType] '\[DatabaseName]'. |
-| Internet exposed VM has high severity vulnerabilities and read permission to a Key Vault | Virtual machine '\[MachineName]' is reachable from the internet, has high severity vulnerabilities \[RCE] and \[IdentityDescription] with read permission to Key Vault '\[KVName]' |
-| VM has high severity vulnerabilities and high permission to a subscription | Virtual machine '\[MachineName]' has high severity vulnerabilities \[RCE] and has high permission to subscription '\[SubscriptionName]' |
-| VM has high severity vulnerabilities and read permission to a data store with sensitive data | Virtual machine '\[MachineName]' has high severity vulnerabilities \[RCE] and \[IdentityDescription] with read permission to \[DatabaseType] '\[DatabaseName]' containing sensitive data. For more details, you can learn how to [prioritize security actions by data sensitivity](./information-protection.md). |
-| VM has high severity vulnerabilities and read permission to a Key Vault | Virtual machine '\[MachineName]' has high severity vulnerabilities \[RCE] and \[IdentityDescription] with read permission to Key Vault '\[KVName]' |
-| VM has high severity vulnerabilities and read permission to a data store | Virtual machine '\[MachineName]' has high severity vulnerabilities \[RCE] and \[IdentityDescription] with read permission to \[DatabaseType] '\[DatabaseName]' |
+| Internet exposed VM has high severity vulnerabilities | A virtual machine is reachable from the internet and has high severity vulnerabilities |
+| Internet exposed VM has high severity vulnerabilities and high permission to a subscription | A virtual machine is reachable from the internet, has high severity vulnerabilities an identity with permission to a subscription |
+| Internet exposed VM has high severity vulnerabilities and read permission to a data store with sensitive data | A virtual machine is reachable from the internet, has high severity vulnerabilities with read permission to a data store containing sensitive data. For more details, you can learn how to [prioritize security actions by data sensitivity](./information-protection.md). |
+| Internet exposed VM has high severity vulnerabilities and read permission to a data store | A virtual machine is reachable from the internet, has high severity vulnerabilities with read permission to a data store. |
+| Internet exposed VM has high severity vulnerabilities and read permission to a Key Vault | A virtual machine is reachable from the internet, has high severity vulnerabilities with read permission to a key vault |
+| VM has high severity vulnerabilities and high permission to a subscription | A virtual machine has high severity vulnerabilities and has high permission to a subscription |
+| VM has high severity vulnerabilities and read permission to a data store with sensitive data | A virtual machine has high severity vulnerabilities with read permission to a data store containing sensitive data. For more details, you can learn how to [prioritize security actions by data sensitivity](./information-protection.md). |
+| VM has high severity vulnerabilities and read permission to a key vault | A virtual machine has high severity vulnerabilities with read permission to a key vault |
+| VM has high severity vulnerabilities and read permission to a data store | A virtual machine has high severity vulnerabilities with read permission to a data store |
 
 ### AWS Instances
 
 Prerequisite: [Enable agentless scanning](enable-vulnerability-assessment-agentless.md).
 
 | Attack Path Display Name	| Attack Path Description |
 |--|--|
-| Internet exposed EC2 instance has high severity vulnerabilities and high permission to an account | AWS EC2 instance '\[EC2Name]' is reachable from the internet, has high severity vulnerabilities\[RCE] and has '\[permission]' permission to account '\[AccountName]' |
-| Internet exposed EC2 instance has high severity vulnerabilities and read permission to a DB | AWS EC2 instance '\[MachineName]' is reachable from the internet, has high severity vulnerabilities\[RCE] and has '\[permission]' permission to DB '\[DatabaseName]'|
-| Internet exposed EC2 instance has high severity vulnerabilities and read permission to S3 bucket | Option 1 <br> AWS EC2 instance '\[MachineName]' is reachable from the internet, has high severity vulnerabilities\[RCE] and has IAM role attached with '\[Rolepermission]' permission via IAM policy to S3 bucket '\[BucketName]' <br> <br> Option 2 <br> AWS EC2 instance '\[MachineName]' is reachable from the internet, has high severity vulnerabilities\[RCE] and has IAM role attached with '\[S3permission]' permission via bucket policy to S3 bucket '\[BucketName]' <br> <br> Option 3 <br> AWS EC2 instance '\[MachineName]' is reachable from the internet, has high severity vulnerabilities\[RCE] and has IAM role attached with '\[Rolepermission]' permission via IAM policy and '\[S3permission]' permission via bucket policy to S3 bucket '\[BucketName]'|
-| Internet exposed EC2 instance has high severity vulnerabilities and read permission to a S3 bucket with sensitive data | Option 1 <br> AWS EC2 instance '\[MachineName]' is reachable from the internet, has high severity vulnerabilities\[RCE] and has IAM role attached with '\[Rolepermission]' permission via IAM policy to S3 bucket '\[BucketName]' containing sensitive data <br> <br> Option 2 <br> AWS EC2 instance '\[MachineName]' is reachable from the internet, has high severity vulnerabilities\[RCE] and has IAM role attached with '\[S3permission]' permission via bucket policy to S3 bucket '\[BucketName]' containing sensitive data <br> <br> Option 3 <br> AWS EC2 instance '\[MachineName]' is reachable from the internet, has high severity vulnerabilities\[RCE] and has IAM role attached with '\[Rolepermission]' permission via IAM policy and '\[S3permission] permission via bucket policy to S3 bucket '\[BucketName]' containing sensitive data <br><br> . For more details, you can learn how to [prioritize security actions by data sensitivity](./information-protection.md).  |
-| Internet exposed EC2 instance has high severity vulnerabilities and read permission to a KMS | Option 1 <br> AWS EC2 instance '\[MachineName]' is reachable from the internet, has high severity vulnerabilities\[RCE] and has IAM role attached with '\[Rolepermission]' permission via IAM policy to AWS Key Management Service (KMS) '\[KeyName]' <br> <br> Option 2 <br> AWS EC2 instance '\[MachineName]' is reachable from the internet, has vulnerabilities allowing remote code execution and has IAM role attached with '\[Keypermission]' permission via AWS Key Management Service (KMS) policy to key '\[KeyName]' <br> <br> Option 3 <br> AWS EC2 instance '\[MachineName]' is reachable from the internet, has vulnerabilities allowing remote code execution and has IAM role attached with '\[Rolepermission]' permission via IAM policy and '\[Keypermission] permission via AWS Key Management Service (KMS) policy to key '\[KeyName]' |
-| Internet exposed EC2 instance has high severity vulnerabilities | AWS EC2 instance '\[EC2Name]' is reachable from the internet and has high severity vulnerabilities\[RCE] | 
-| EC2 instance with high severity vulnerabilities has high privileged permissions to an account | EC2 instance '\[EC2Name]' has high severity vulnerabilities\[RCE] and has '\[Permissions]' permissions to account '\[AccountName]' | 
-| EC2 instance with high severity vulnerabilities has read permissions to a data store | Option 1 <br> EC2 instance '\[MachineName]' has high severity vulnerabilities\[RCE] and has '\[Permissions]' permissions to database '\[DatabaseName]' <br> <br> Option 2 <br> EC2 instance '\[MachineName]' has high severity vulnerabilities\[RCE] and has IAM role attached which is granted with '\[RolePermissions]' permissions through IAM policy to S3 bucket '\[BucketName]' <br><br> Option 3 <br> EC2 instance '\[MachineName]' has high severity vulnerabilities\[RCE] and has IAM role attached which is granted with '\[Permissions]' permissions through bucket policy to S3 bucket '\[BucketName]' <br><br> Option 4 <br> EC2 instance '\[MachineName]' has high severity vulnerabilities\[RCE] and has IAM role attached which is granted with '\[RolePermissions]' permissions through IAM policy and '\[Permissions]' permissions through bucket policy to S3 bucket '\[BucketName]' | 
-| EC2 instance with high severity vulnerabilities has read permissions to a data store with sensitive data | Option 1 <br> EC2 instance '\[MachineName]' has high severity vulnerabilities\[RCE] and has IAM role attached which is granted with '\[RolePermissions]' permissions through IAM policy to S3 bucket '\[BucketName]' containing sensitive data <br><br> Option 2 <br> EC2 instance '\[MachineName]' has high severity vulnerabilities\[RCE] and has IAM role attached which is granted with '\[Permissions]' permissions through bucket policy to S3 bucket '\[BucketName]' containing sensitive data <br><br> Option 3 <br> EC2 instance '\[MachineName]' has high severity vulnerabilities\[RCE] and has IAM role attached which is granted with '\[RolePermissions]' permissions through IAM policy and '\[Permissions]' permissions through bucket policy to S3 bucket '\[BucketName]' containing sensitive data | 
-| EC2 instance with high severity vulnerabilities has read permissions to a KMS key | Option 1 <br> EC2 instance '\[MachineName]' has high severity vulnerabilities\[RCE] and has IAM role attached which is granted with '\[RolePermissions]' permissions through IAM policy to AWS Key Management Service (KMS) key '\[KeyName]' <br><br> option 2 <br> EC2 instance '\[MachineName]' has vulnerabilities allowing remote code execution and has IAM role attached which is granted with '\[KeyPermissions]' permissions through AWS Key Management Service (KMS) policy to key '\[KeyName]' <br><br> Option 3 <br> EC2 instance '\[MachineName]' has vulnerabilities allowing remote code execution and has IAM role attached which is granted with '\[RolePermissions]' permissions through IAM policy and '\[KeyPermissions]' permissions through AWS Key Management Service (KMS) policy to key '\[KeyName]' |
+| Internet exposed EC2 instance has high severity vulnerabilities and high permission to an account | An AWS EC2 instance is reachable from the internet, has high severity vulnerabilities and has permission to an account |
+| Internet exposed EC2 instance has high severity vulnerabilities and read permission to a DB | AN AWS EC2 instance is reachable from the internet, has high severity vulnerabilities and has permission to a database |
+| Internet exposed EC2 instance has high severity vulnerabilities and read permission to S3 bucket | An AWS EC2 instance is reachable from the internet, has high severity vulnerabilities and has an IAM role attached with permission via an IAM policy, and/or via a bucket policy to an S3 bucket 
+| Internet exposed EC2 instance has high severity vulnerabilities and read permission to a S3 bucket with sensitive data | An AWS EC2 instance is reachable from the internet has high severity vulnerabilities and has an IAM role attached with permission via an IAM policy and/or via a bucket policy to an S3 bucket containing sensitive data. For more details, you can learn how to [prioritize security actions by data sensitivity](./information-protection.md).  |
+| Internet exposed EC2 instance has high severity vulnerabilities and read permission to a KMS | An AWS EC2 instance is reachable from the internet, has high severity vulnerabilities and has an IAM role attached with permission via IAM policy and/or via AWS Key Management Service (KMS) policy to an AWS Key Management Service (KMS)|
+| Internet exposed EC2 instance has high severity vulnerabilities | An AWS EC2 instance is reachable from the internet and has high severity vulnerabilities | 
+| EC2 instance with high severity vulnerabilities has high privileged permissions to an account | An AWS EC2 instance  has high severity vulnerabilities and has permissions to an account | 
+| EC2 instance with high severity vulnerabilities has read permissions to a data store |An AWS EC2 instance has high severity vulnerabilities and has an IAM role attached which is granted with permissions via an IAM policy and/or via a bucket policy to an S3 bucket | 
+| EC2 instance with high severity vulnerabilities has read permissions to a data store with sensitive data | An AWS EC2 instance has high severity vulnerabilities and has an IAM role attached which is granted with permissions via an IAM policy and/or via a bucket policy to an S3 bucket containing sensitive data | 
+| EC2 instance with high severity vulnerabilities has read permissions to a KMS key | An AWS EC2 instance has high severity vulnerabilities and has an IAM role attached which is granted with permissions via an IAM policy and/or via an AWS Key Management Service (KMS) policy to an AWS Key Management Service (KMS) key |
 
 ### Azure data
 
 Prerequisite: [Enable Microsoft Defender for SQL servers on machines](defender-for-sql-usage.md).
 
 | Attack Path Display Name	| Attack Path Description |
 |--|--|
-| Internet exposed SQL on VM has a user account with commonly used username and allows code execution on the VM | SQL on VM '\[SqlVirtualMachineName]' is reachable from the internet, has a local user account with commonly used username (which is prone to brute force attacks), and has vulnerabilities allowing code execution and lateral movement to the underlying VM |
-| Internet exposed SQL on VM has a user account with commonly used username and known vulnerabilities | SQL on VM '\[SqlVirtualMachineName]' is reachable from the internet, has a local user account with commonly used username (which is prone to brute force attacks), and has known vulnerabilities (CVEs) |
-| SQL on VM has a user account with commonly used username and allows code execution on the VM | SQL on VM '\[SqlVirtualMachineName]' has a local user account with commonly used username (which is prone to brute force attacks), and has vulnerabilities allowing code execution and lateral movement to the underlying VM |
-| SQL on VM has a user account with commonly used username and known vulnerabilities | SQL on VM '\[SqlVirtualMachineName]' has a local user account with commonly used username (which is prone to brute force attacks), and has known vulnerabilities (CVEs) |
+| Internet exposed SQL on VM has a user account with commonly used username and allows code execution on the VM | SQL on VM is reachable from the internet, has a local user account with a commonly used username (which is prone to brute force attacks), and has vulnerabilities allowing code execution and lateral movement to the underlying VM |
+| Internet exposed SQL on VM has a user account with commonly used username and known vulnerabilities | SQL on VM is reachable from the internet, has a local user account with a commonly used username (which is prone to brute force attacks), and has known vulnerabilities (CVEs) |
+| SQL on VM has a user account with commonly used username and allows code execution on the VM | SQL on VM has a local user account with a commonly used username (which is prone to brute force attacks), and has vulnerabilities allowing code execution and lateral movement to the underlying VM |
+| SQL on VM has a user account with commonly used username and known vulnerabilities | SQL on VM has a local user account with a commonly used username (which is prone to brute force attacks), and has known vulnerabilities (CVEs) |
 
 ### AWS Data