Merge pull request #280921 from dcurwin/fix-formatting-july16-2024

Fix formatting

Author: v-ccolin

articles/defender-for-cloud/adaptive-network-hardening.md

@@ -57,9 +57,9 @@ For example, let's say the existing NSG rule is to allow traffic from 140.20.30.
 
 1. Optionally, edit the rules:
 
-    - [Modify a rule](#modify-rule)
-    - [Delete a rule](#delete-rule)
-    - [Add a rule](#add-rule)
+    - [Modify a rule](#modify-a-rule)
+    - [Delete a rule](#delete-a-rule)
+    - [Add a rule](#add-a-new-rule)
 
 1. Select the rules that you want to apply on the NSG, and select **Enforce**.
 
@@ -71,7 +71,7 @@ For example, let's say the existing NSG rule is to allow traffic from 140.20.30.
       > [!NOTE]
       > The enforced rules are added to the NSG(s) protecting the VM. (A VM could be protected by an NSG that is associated to its NIC, or the subnet in which the VM resides, or both)
 
-## Modify a rule  <a name ="modify-rule"> </a>
+## Modify a rule
 
 You might want to modify the parameters of a rule that has been recommended. For example, you might want to change the recommended IP ranges.
 
@@ -83,7 +83,7 @@ Some important guidelines for modifying an adaptive network hardening rule:
 
     Creating and modifying "deny" rules is done directly on the NSG. For more information, see [Create, change, or delete a network security group](../virtual-network/manage-network-security-group.md).
 
-- A **Deny all traffic** rule is the only type of "deny" rule that would be listed here, and it cannot be modified. You can, however, delete it (see [Delete a rule](#delete-rule)). To learn about this type of rule, see the common questions entry [When should I use a "Deny all traffic" rule?](faq-defender-for-servers.yml).
+- A **Deny all traffic** rule is the only type of "deny" rule that would be listed here, and it cannot be modified. You can, however, delete it (see [Delete a rule](#delete-a-rule)). To learn about this type of rule, see the common questions entry [When should I use a "Deny all traffic" rule?](faq-defender-for-servers.yml).
 
 To modify an adaptive network hardening rule:
 
@@ -102,7 +102,7 @@ To modify an adaptive network hardening rule:
 
     ![enforce rule.](./media/adaptive-network-hardening/enforce-hard-rule.png)
 
-## Add a new rule <a name ="add-rule"> </a>
+## Add a new rule
 
 You can add an "allow" rule that was not recommended by Defender for Cloud.
 
@@ -124,7 +124,7 @@ To add an adaptive network hardening rule:
 
     ![enforce rule.](./media/adaptive-network-hardening/enforce-hard-rule.png)
 
-## Delete a rule <a name ="delete-rule"> </a>
+## Delete a rule
 
 When necessary, you can delete a recommended rule for the current session. For example, you might determine that applying a suggested rule could block legitimate traffic.
 

articles/defender-for-cloud/ai-security-posture.md

@@ -20,11 +20,13 @@ The Defender Cloud Security Posture Management (CSPM) plan in Microsoft Defender
 
 > [!IMPORTANT]
 > To enable AI security posture management's capabilities on an AWS account that already:
+>
 > - Is connected to your Azure account.
-> - Has Defender CSPM enabled. 
+> - Has Defender CSPM enabled.
 > - Has permissions type set as **Least privilege access**.
 >
 > You must reconfigure the permissions on that connector to enable the relevant permissions using these steps:
+>
 > 1. In the Azure Portal navigate to Environment Settings page and select the appropriate AWS connector.
 > 1. Select **Configure access**.
 > 1. Ensure the permissions type is set to **Least privilege access**.
@@ -34,7 +36,7 @@ The Defender Cloud Security Posture Management (CSPM) plan in Microsoft Defender
 
 Defender for Cloud discovers AI workloads and identifies details of your organization's AI BOM. This visibility allows you to identify and address vulnerabilities and protect generative AI applications from potential threats.
 
-Defenders for Cloud automatically and continuously discover deployed AI workloads across the following services: 
+Defenders for Cloud automatically and continuously discover deployed AI workloads across the following services:
 
 - Azure OpenAI Service
 - Azure Machine Learning
@@ -56,9 +58,9 @@ Defender for Cloud assesses AI workloads and issues recommendations around ident
 
 DevOps security detects IaC misconfigurations, which can expose generative AI applications to security vulnerabilities, such as over-exposed access controls or inadvertent publicly exposed services. These misconfigurations could lead to data breaches, unauthorized access, and compliance issues, especially when handling strict data privacy regulations.
 
-Defender for Cloud assesses your generative AI apps configuration and provides security recommendations to improve AI security posture. 
+Defender for Cloud assesses your generative AI apps configuration and provides security recommendations to improve AI security posture.
 
-Detected misconfigurations should be remediated early in the development cycle to prevent more complex problems later on. 
+Detected misconfigurations should be remediated early in the development cycle to prevent more complex problems later on.
 
 Current IaC AI security checks include:
 
@@ -69,7 +71,7 @@ Current IaC AI security checks include:
 
 ### Exploring risks with attack path analysis
 
-Attack paths analysis detects and mitigates risks to AI workloads, particularly during grounding (linking AI models to specific data) and fine-tuning (adjusting a pretrained model on a specific dataset to improve its performance on a related task) stages, where data might be exposed. 
+Attack paths analysis detects and mitigates risks to AI workloads, particularly during grounding (linking AI models to specific data) and fine-tuning (adjusting a pretrained model on a specific dataset to improve its performance on a related task) stages, where data might be exposed.
 
 By monitoring AI workloads continuously, attack path analysis can identify weaknesses and potential vulnerabilities and follow up with recommendations. Additionally, it extends to cases where the data and compute resources are distributed across Azure, AWS, and GCP.
 

articles/defender-for-cloud/assign-access-to-workload.md

@@ -12,7 +12,6 @@ ms.date: 07/01/2024
 
 When you onboard your AWS or GCP environments, Defender for Cloud automatically creates a security connector as an Azure resource inside the connected subscription and resource group. Defender for cloud also creates the identity provider as an IAM role it requires during the onboarding process.
 
-
 Assign permission to users, on specific security connectors, below the parent connector? Yes, you can. You need to determine to which AWS accounts or GCP projects you want users to have access to. Meaning, you need to identify the security connectors that correspond to the AWS account or GCP project to which you want to assign users access.
 
 ## Prerequisites
@@ -23,7 +22,7 @@ Assign permission to users, on specific security connectors, below the parent co
 
 ## Configure permissions on the security connector
 
-Permissions for security connectors are managed through Azure role-based access control (RBAC). You can assign roles to users, groups, and applications at a subscription, resource group, or resource level. 
+Permissions for security connectors are managed through Azure role-based access control (RBAC). You can assign roles to users, groups, and applications at a subscription, resource group, or resource level.
 
 1. Sign in to the [Azure portal](https://portal.azure.com/).
 
@@ -34,86 +33,85 @@ Permissions for security connectors are managed through Azure role-based access
 1. Assign permissions to the workload owners with All resources or the Azure Resource Graph option in the Azure portal.
 
     ### [All resources](#tab/all-resources)
-    
+
     1. Search for and select **All resources**.
-    
+
         :::image type="content" source="media/assign-access-to-workload/all-resources.png" alt-text="Screenshot that shows you how to search for and select all resources." lightbox="media/assign-access-to-workload/all-resources.png":::
-    
+
     1. Select **Manage view** > **Show hidden types**.
-    
+
         :::image type="content" source="media/assign-access-to-workload/show-hidden-types.png" alt-text="Screenshot that shows you where on the screen to find the show hidden types option." lightbox="media/assign-access-to-workload/show-hidden-types.png":::
-    
+
     1. Select the **Types equals all** filter.
-    
+
     1. Enter `securityconnector` in the value field and add a check to the `microsoft.security/securityconnectors`.
-    
+
         :::image type="content" source="media/assign-access-to-workload/security-connector.png" alt-text="Screenshot that shows where the field is located and where to enter the value on the screen." lightbox="media/assign-access-to-workload/security-connector.png":::
-    
+
     1. Select **Apply**.
-    
-    1. Select the relevant resource connector.
 
+    1. Select the relevant resource connector.
 
     ### [Azure Resource Graph](#tab/azure-resource-graph)
 
     1. Search for and select **Resource Graph Explorer**.
-    
+
         :::image type="content" source="media/assign-access-to-workload/resource-graph-explorer.png" alt-text="Screenshot that shows you how to search for and select resource graph explorer." lightbox="media/assign-access-to-workload/resource-graph-explorer.png":::
-    
+
     1. Copy and paste the following query to locate the security connector:
-    
+
         ### [AWS](#tab/aws)
-        
+
         ```bash
         resources 
         | where type == "microsoft.security/securityconnectors" 
         | extend source = tostring(properties.environmentName)  
         | where source == "AWS" 
         | project name, subscriptionId, resourceGroup, accountId = properties.hierarchyIdentifier, cloud = properties.environmentName  
         ```
-        
+
         ### [GCP](#tab/gcp)
-        
+
         ```bash
         resources 
         | where type == "microsoft.security/securityconnectors" 
         | extend source = tostring(properties.environmentName)  
         | where source == "GCP" 
         | project name, subscriptionId, resourceGroup, projectId = properties.hierarchyIdentifier, cloud = properties.environmentName  
         ```
-        
+
         ---
-    
+
     1. Select **Run query**.
-    
+
     1. Toggle formatted results to **On**.
-    
+
         :::image type="content" source="media/assign-access-to-workload/formatted-results.png" alt-text="Screenshot that shows where the formatted results toggle is located on the screen." lightbox="media/assign-access-to-workload/formatted-results.png":::
-    
+
     1. Select the relevant subscription and resource group to locate the relevant security connector.
-    
+
     ---
-    
+
 1. Select **Access control (IAM)**.
-    
+
     :::image type="content" source="media/assign-access-to-workload/control-i-am.png" alt-text="Screenshot that shows where to select Access control IAM in the resource you selected." lightbox="media/assign-access-to-workload/control-i-am.png":::
-    
+
 1. Select **+Add** > **Add role assignment**.
-    
+
 1. Select the desired role.
-    
+
 1. Select **Next**.
-    
+
 1. Select **+ Select members**.
-    
+
     :::image type="content" source="media/assign-access-to-workload/select-members.png" alt-text="Screenshot that shows where the button is on the screen to select the + select members button.":::
-    
+
 1. Search for and select the relevant user or group.
-    
+
 1. Select the **Select** button.
-    
+
 1. Select **Next**.
-    
+
 1. Select **Review + assign**.
 
 1. Review the information.

articles/defender-for-cloud/benefits-of-continuous-export.md

@@ -24,10 +24,10 @@ When you set up continuous export, you can fully customize what information to e
 You can use continuous export to export the following data types whenever they change:
 
 - Security recommendations.
-    - Recommendation severity.
-    - Security findings.
+  - Recommendation severity.
+  - Security findings.
 - Secure score.
-    - Controls.
+  - Controls.
 - Security alerts.
 - Regulatory compliance.
 - Attack paths