Merge pull request #262765 from MicrosoftDocs/main

Publish to live, Tuesday 4 AM PST, 1/9

Author: ttorble

.openpublishing.redirection.active-directory.json

@@ -914,6 +914,11 @@
             "source_path_from_root": "/articles/defender-for-cloud/tutorial-security-incident.md",
             "redirect_url": "/azure/defender-for-cloud/managing-and-responding-alerts",
             "redirect_document_id": true
+        },
+        {
+            "source_path_from_root": "/articles/defender-for-cloud/how-to-migrate-to-built-in.md",
+            "redirect_url": "/azure/defender-for-cloud/how-to-transition-to-built-in",
+            "redirect_document_id": true
         }
     ]
 }

.openpublishing.redirection.defender-for-cloud.json

@@ -5,13 +5,13 @@ author: maud-lv
 ms.author: malev
 ms.service: azure-app-configuration
 ms.topic: sample
-ms.date: 08/09/2022 
+ms.date: 1/9/2024
 ms.custom: devx-track-azurecli, devdivchpfy22
 ---
 
 # Azure CLI samples
 
-The following table includes links to bash scripts for Azure App Configuration by using the [az appconfig](/cli/azure/appconfig) commands in the Azure CLI:
+The following table includes links to Azure CLI scripts for Azure App Configuration using the [az appconfig](/cli/azure/appconfig) commands in the Azure CLI:
 
 | Script | Description |
 |-|-|

.openpublishing.redirection.json

@@ -87,7 +87,7 @@ The following parameters are used by the Azure App Configuration task:
 - **Selection Mode**: Specifies how the key-values read from a configuration store are selected. The 'Default' selection mode allows the use of key and label filters. The 'Snapshot' selection mode allows key-values to be selected from a snapshot. Default value is **Default**.
 - **Key Filter**: The filter can be used to select what key-values are requested from Azure App Configuration. A value of * will select all key-values. For more information on, see [Query key values](concept-key-value.md#query-key-values).
 - **Label**: Specifies which label should be used when selecting key-values from the App Configuration store. If no label is provided, then key-values with the no label will be retrieved. The following characters are not allowed: , *.
--**Snapshot Name**: Specifies snapshot from which key-values should be retrieved in Azure App Configuration.
+- **Snapshot Name**: Specifies snapshot from which key-values should be retrieved in Azure App Configuration.
 - **Trim Key Prefix**: Specifies one or more prefixes that should be trimmed from App Configuration keys before setting them as variables. Multiple prefixes can be separated by a new-line character.
 - **Suppress Warning For Overridden Keys**: Default value is unchecked. Specifies whether to show warnings when existing keys are overridden. Enable this option when it is expected that the key-values downloaded from App Configuration have overlapping keys with what exists in pipeline variables.
 

articles/azure-app-configuration/cli-samples.md

@@ -10,13 +10,24 @@ ms.reviewer: nolavime
 
 # Sample log alert queries that include ADX and ARG
 
-A log alert rule monitors a resource by using a Log Analytics query to evaluate resource logs at a set frequency. You can include data from Azure Data Explorer and Azure Resource Graph in your log alert rule queries.
+A log alert rule monitors a resource by using a Log Analytics query to evaluate logs at a set frequency. You can include data from Azure Data Explorer and Azure Resource Graph in your log alert rule queries.
 
 This article provides examples of log alert rule queries that use Azure Data Explorer and Azure Resource Graph. For more information about creating a log alert rule, see [Create a log alert rule](./alerts-create-log-alert-rule.md).
 
-## Query that checks virtual machine health
+## Queries that check virtual machine health
 
-This query finds virtual machines that are marked as critical and that had a heartbeat more than 24 hours ago, but that haven't had a heartbeat in the last 2 minutes.
+This query finds virtual machines marked as critical that haven't had a heartbeat in the last 2 minutes.
+
+```kusto
+    arg("").Resources
+    | where type == "microsoft.compute/virtualmachines"
+    | summarize LastCall = max(case(isnull(TimeGenerated), make_datetime(1970, 1, 1), TimeGenerated)) by name, id
+    | extend SystemDown = case(LastCall < ago(2m), 1, 0)
+    | where SystemDown == 1
+```
+
+
+This query finds virtual machines marked as critical that had a heartbeat more than 24 hours ago, but that haven't had a heartbeat in the last 2 minutes.
 
 ```kusto
 {
@@ -38,15 +49,15 @@ This query finds virtual machines that are marked as critical and that had a hea
 ## Query that filters virtual machines that need to be monitored
 
 ```kusto
-{
+   {
     let RuleGroupTags = dynamic(['Linux']);
-    Perf | where ObjectName == 'Processor' and CounterName == '% Idle Time' and (InstanceName == '_Total' or InstanceName == 'total')
+    Perf | where ObjectName == 'Processor' and CounterName == '% Idle Time' and (InstanceName in ('_Total,'total'))
     | extend CpuUtilisation = (100 - CounterValue)   
     | join kind=inner hint.remote=left (arg("").Resources
-    | where type =~ 'Microsoft.Compute/virtualMachines'
+        | where type =~ 'Microsoft.Compute/virtualMachines'
     | project _ResourceId=tolower(id), tags) on _ResourceId
     | project-away _ResourceId1
-    | where (isnull(tags.monitored) or tolower(tostring(tags.monitored)) != 'false') and (tostring(tags.monitorRuleGroup) in (RuleGroupTags) or isnull(tags.monitorRuleGroup) or tostring(tags.monitorRuleGroup) == '')
+    | where  (tostring(tags.monitorRuleGroup) in (RuleGroupTags)) 
 }
 ```
 
@@ -68,10 +79,10 @@ This query finds virtual machines that are marked as critical and that had a hea
 ```kusto
 {
     arg("").resourcechanges
-    | extend changeTime = todatetime(properties.changeAttributes.timestamp), targetResourceId = tostring(properties.targetResourceId),
+    | extend changeTime = todatetime(properties.changeAttributes.timestamp), 
     changeType = tostring(properties.changeType),targetResourceType = tostring(properties.targetResourceType),
     changedBy = tostring(properties.changeAttributes.changedBy)
-    | where changeType == "Create"
+    | where changeType == "Create" and changeTime <ago(1h)
     | project changeTime,targetResourceId,changedBy
 }
 ```

articles/azure-app-configuration/pull-key-value-devops-pipeline.md

@@ -517,22 +517,22 @@
               displayName: mde, tvm, vulnerability, va, arc, hybrid, defender vulnerability
                 management
               href: deploy-vulnerability-assessment-defender-vulnerability-management.md
-            - name: Enable vulnerability scanning with the integrated Qualys scanner
-              displayName: qualys, va, vulnerability, arc, hybrid
-              href: deploy-vulnerability-assessment-vm.md
             - name: Enable vulnerability scanning with a Bring Your Own License (BYOL)
                 solution
               displayName: qualys, rapid7, vulnerability
               href: deploy-vulnerability-assessment-byol-vm.md
             - name: Automatically enable a vulnerability assessment solution
               displayName: qualys, rapid7, vulnerability, auto provision
               href: auto-deploy-vulnerability-assessment.md
-            - name: Transition to the integrated Microsoft Defender Vulnerability Management vulnerability assessment solution
+            - name: Transition to Microsoft Defender Vulnerability Management for servers
               displayName: qualys, rapid7, vulnerability, migrate, transition, Microsoft Defender Vulnerability Management, mdvm
               href: how-to-transition-to-built-in.md
             - name: Common questions 
               displayName: questions, common, MDVM, Qualys, BYOL, bring your own license, agent, consolidated, vulnerability, management, faq, frequently asked questions
               href: faq-scanner-detection.yml
+            - name: Enable vulnerability scanning with the integrated Qualys scanner (deprecated)
+              displayName: qualys, va, vulnerability, arc, hybrid
+              href: deploy-vulnerability-assessment-vm.md
         - name: Enable just-in-time access on VMs
           displayName: jit, management, ports
           href: just-in-time-access-usage.md
@@ -599,9 +599,6 @@
       - name: How does Defender for Containers work?
         displayName: containers
         href: defender-for-containers-architecture.md
-      - name: Vulnerability assessment for Azure powered by Qualys
-        displayName: ACR, registry, images, qualys
-        href: defender-for-containers-vulnerability-assessment-azure.md
       - name: Vulnerability assessments powered by Microsoft Defender Vulnerability Management
         items:
           - name: Vulnerability assessments for Azure
@@ -622,12 +619,15 @@
             href: transition-to-defender-vulnerability-management.md
           - name: Common questions 
             href: common-questions-microsoft-defender-vulnerability-management.md
-      - name: Vulnerability assessment for AWS powered by Trivy (deprecated)
-        displayName: AWS, ECR, registry, images, qualys
-        href: defender-for-containers-vulnerability-assessment-elastic.md
       - name: Kubernetes data plane hardening
         displayName: k8s, containers, aks
         href: kubernetes-workload-protections.md
+      - name: Vulnerability assessment for Azure powered by Qualys (Deprecated)
+        displayName: ACR, registry, images, qualys
+        href: defender-for-containers-vulnerability-assessment-azure.md
+      - name: Vulnerability assessment for AWS powered by Trivy (deprecated)
+        displayName: AWS, ECR, registry, images, qualys
+        href: defender-for-containers-vulnerability-assessment-elastic.md
       - name: Defender for Kubernetes (deprecated)
         displayName: clusters, k8s, aks
         href: defender-for-kubernetes-introduction.md

articles/azure-monitor/alerts/alerts-log-alert-query-samples.md

@@ -1,14 +1,24 @@
 ---
-title: Vulnerability assessment for Azure powered by Qualys 
+title: Vulnerability assessment for Azure powered by Qualys (Deprecated)
 description: Learn how to use Defender for Containers to scan images in your Azure Container Registry to find vulnerabilities.
 author: dcurwin
 ms.author: dacurwin
-ms.date: 12/19/2023
+ms.date: 12/25/2023
 ms.topic: how-to
 ms.custom: ignite-2022, build-2023
 ---
 
-# Vulnerability assessment for Azure powered by Qualys 
+# Vulnerability assessment for Azure powered by Qualys (Deprecated)
+
+> [!IMPORTANT]
+>
+> The Defender for Cloud Containers Vulnerability Assessment powered by Qualys is now on a retirement path completing on **March 1st, 2024**. If you are currently using container vulnerability assessment powered by Qualys, start planning your transition to [Vulnerability assessments for Azure with Microsoft Defender Vulnerability Management](agentless-vulnerability-assessment-azure.md).
+>
+> - For more information about our decision to unify our vulnerability assessment offering with Microsoft Defender Vulnerability Management, see [this blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/defender-for-cloud-unified-vulnerability-assessment-powered-by/ba-p/3990112).
+>
+> - For more information about migrating to our new container vulnerability assessment offering powered by Microsoft Defender Vulnerability Management, see [Transition from Qualys to Microsoft Defender Vulnerability Management](transition-to-defender-vulnerability-management.md).
+>
+> - For common questions about the transition to Microsoft Defender Vulnerability Management, see [Common questions about the Microsoft Defender Vulnerability Management solution](common-questions-microsoft-defender-vulnerability-management.md).
 
 Vulnerability assessment for Azure, powered by Qualys, is an out-of-box solution that empowers security teams to easily discover and remediate vulnerabilities in Linux container images, with zero configuration for onboarding, and without deployment of any agents.
 

articles/defender-for-cloud/TOC.yml

@@ -3,13 +3,22 @@ title: Enable vulnerability scanning with Microsoft Defender Vulnerability Manag
 description: Enable, deploy, and use Microsoft Defender Vulnerability Management with Microsoft Defender for Cloud to discover weaknesses in your Azure and hybrid machines
 ms.topic: how-to
 ms.custom: ignite-2022
-ms.date: 06/29/2023
+ms.date: 01/08/2024
 ms.author: dacurwin
 author: dcurwin
 ---
 
 # Enable vulnerability scanning with Microsoft Defender Vulnerability Management
 
+> [!IMPORTANT]
+> Defender for Server's vulnerability assessment solution powered by Qualys, is on a retirement path that set to complete on **May 1st, 2024**. If you are a currently using the built-in vulnerability assessment powered by Qualys, you should plan to [transition to the Microsoft Defender Vulnerability Management vulnerability scanning solution](how-to-transition-to-built-in.md). 
+>
+> For more information about our decision to unify our vulnerability assessment offering with Microsoft Defender Vulnerability Management, see [this blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/defender-for-cloud-unified-vulnerability-assessment-powered-by/ba-p/3990112).
+>
+> Check out the [common questions](faq-scanner-detection.yml) regarding the transition to Microsoft Defender Vulnerability Management.
+>
+> Customers who want to continue using Qualys, can do so with the [Bring Your Own License (BYOL) method](deploy-vulnerability-assessment-byol-vm.md).
+
 [Microsoft Defender Vulnerability Management](/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management) is included with Microsoft Defender for Servers and uses built-in and agentless scanners to:
 
 - Discover vulnerabilities and misconfigurations in near real time

articles/defender-for-cloud/defender-for-containers-vulnerability-assessment-azure.md

@@ -1,14 +1,23 @@
 ---
-title: Enable vulnerability scanning with the integrated Qualys scanner
+title: Enable vulnerability scanning with the integrated Qualys scanner (deprecated)
 description: Install a vulnerability assessment solution on your Azure machines to get recommendations in Microsoft Defender for Cloud that can help you protect your Azure and hybrid machines
 author: dcurwin
 ms.author: dacurwin
 ms.topic: how-to
 ms.custom: ignite-2022
-ms.date: 12/18/2023
+ms.date: 01/08/2024
 ---
 
-# Enable vulnerability scanning with the integrated Qualys scanner
+# Enable vulnerability scanning with the integrated Qualys scanner (deprecated)
+
+> [!IMPORTANT]
+> Defender for Server's vulnerability assessment solution powered by Qualys, is on a retirement path that set to complete on **May 1st, 2024**. If you are a currently using the built-in vulnerability assessment powered by Qualys, you should plan to [transition to the Microsoft Defender Vulnerability Management vulnerability scanning solution](how-to-transition-to-built-in.md). 
+>
+> For more information about our decision to unify our vulnerability assessment offering with Microsoft Defender Vulnerability Management, see [this blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/defender-for-cloud-unified-vulnerability-assessment-powered-by/ba-p/3990112).
+>
+> Check out the [common questions](faq-scanner-detection.yml) regarding the transition to Microsoft Defender Vulnerability Management.
+>
+> Customers who want to continue using Qualys, can do so with the [Bring Your Own License (BYOL) method](deploy-vulnerability-assessment-byol-vm.md).
 
 A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Defender for Cloud regularly checks your connected machines to ensure they're running vulnerability assessment tools.