updates from Tomer

Author: David Curwin

articles/defender-for-cloud/TOC.yml

@@ -145,6 +145,8 @@
     - name: Defender for Containers support matrices
       displayName: Containers, features availability, environment information
       href: support-matrix-defender-for-containers.md
+    - name: Defender for Containers CSPM support matrices
+      href: support-agentless-containers-posture.md
   - name: Protect multicloud resources
     items:
     - name: The Defender for Cloud multicloud solution
@@ -223,8 +225,6 @@
     items:
     - name: Agentless Container Posture (Preview)
       href: concept-agentless-containers.md
-    - name: Support and prerequisites
-      href: support-agentless-containers-posture.md
   - name: Security recommendations
     items:
     - name: Reference list of Azure recommendations
@@ -300,12 +300,6 @@
     items:
     - name: Onboard agentless containers for CSPM
       href: how-to-enable-agentless-containers.md
-    - name: View and remediate vulnerability assessment findings for registry images 
-      href: view-and-remediate-vulnerability-assessment-findings.md
-    - name: View and remediate vulnerabilities for images running on your AKS clusters 
-      href: view-and-remediate-vulnerabilities-for-images-running-on-aks.md
-    - name: Disable vulnerability assessment findings on Container registry images
-      href: disable-vulnerability-findings-containers.md  
   - name: Security recommendations
     items:
     - name: Create custom Azure security initiatives and policies
@@ -559,8 +553,18 @@
     - name: Vulnerability assessment for Azure Container Registry
       displayName: ACR, registry, images, qualys
       href: defender-for-containers-vulnerability-assessment-azure.md
-    - name: Vulnerability assessment for Agentless Container registry
-      href: agentless-container-registry-vulnerability-assessment.md
+    - name: Vulnerability assessments for Azure with Microsoft Defender Vulnerability Management
+      items:
+      - name: Overview
+        href: agentless-container-registry-vulnerability-assessment.md
+      - name: Enable vulnerability assessment
+        href: enable-vulnerability-assessment.md
+      - name: View and remediate vulnerabilities for registry images 
+        href: view-and-remediate-vulnerability-assessment-findings.md
+      - name: View and remediate vulnerabilities for running images
+        href: view-and-remediate-vulnerabilities-for-images-running-on-aks.md
+      - name: Disable vulnerabilities on images
+        href: disable-vulnerability-findings-containers.md  
     - name: Vulnerability assessment for Amazon Elastic Container Registry
       displayName: AWS, ECR, registry, images, qualys
       href: defender-for-containers-vulnerability-assessment-elastic.md

articles/defender-for-cloud/agentless-container-registry-vulnerability-assessment.md

@@ -1,13 +1,13 @@
 ---
-title: Agentless Container registry vulnerability assessment
-description: Learn about Agentless Container registry vulnerability assessment.
+title: Vulnerability assessments for Azure with Microsoft Defender Vulnerability Management
+description: Learn about vulnerability assessments for Azure with Microsoft Defender Vulnerability Management.
 author: dcurwin
 ms.author: dacurwin
 ms.date: 07/11/2023
 ms.topic: how-to
 ---
 
-# Agentless Container registry vulnerability assessment
+# Vulnerability assessments for Azure with Microsoft Defender Vulnerability Management
 
 > [!NOTE]
 > This feature supports scanning of images in the Azure Container Registry (ACR) only. If you want to find vulnerabilities stored in other container registries, you can import the images into ACR, after which the imported images are scanned by the built-in vulnerability assessment solution. Learn how to [import container images to a container registry](/azure/container-registry/container-registry-import-images).
@@ -22,8 +22,8 @@ Azure Container Vulnerability Assessment provides automatic coverage for all reg
 
 Container vulnerability assessment powered by MDVM (Microsoft Defender Vulnerability Management) has the following capabilities:  
 
-- **Scanning OS packages** - container vulnerability assessment has the ability to scan vulnerabilities in packages installed by the OS package manager in Linux. See the [full list of the supported OS and their versions](support-agentless-containers-posture.md#registries-and-images).
-- **Language specific packages** – support for language specific packages and files, and their dependencies installed or copied without the OS package manager. See the [complete list of supported languages](support-agentless-containers-posture.md#registries-and-images).  
+- **Scanning OS packages** - container vulnerability assessment has the ability to scan vulnerabilities in packages installed by the OS package manager in Linux. See the [full list of the supported OS and their versions](support-agentless-containers-posture.md#registries-and-images---powered-by-mdvm).
+- **Language specific packages** – support for language specific packages and files, and their dependencies installed or copied without the OS package manager. See the [complete list of supported languages](support-agentless-containers-posture.md#registries-and-images---powered-by-mdvm).  
 - **Image scanning in Azure Private Link** - Azure container vulnerability assessment provides the ability to scan images in container registries that are accessible via Azure Private Links. This capability requires access to trusted services and authentication with the registry. Learn how to [connect privately to an Azure container registry using Azure Private Link](/azure/container-registry/container-registry-private-link#set-up-private-endpoint---portal-recommended).
 - **Exploitability information** - Each vulnerability report is searched through exploitability databases to assist our customers with determining actual risk associated with each reported vulnerability.  
 - **Reporting** - Defender for Containers powered by Microsoft Defender Vulnerability Management (MDVM)  reports the vulnerabilities as the following recommendations:

articles/defender-for-cloud/defender-for-containers-introduction.md

@@ -56,11 +56,14 @@ You can learn more about [Kubernetes data plane hardening](kubernetes-workload-p
 
 ## Vulnerability assessment
 
-Defender for Containers scans the container images in Azure Container Registry (ACR) and Amazon AWS Elastic Container Registry (ECR) to notify you if there are known vulnerabilities in your images. When the scan completes, Defender for Containers provides details for each vulnerability detected, a security classification for each vulnerability detected, and guidance on how to remediate issues and protect vulnerable attack surfaces.
+Defender for Containers scans the container images in Azure Container Registry (ACR) and Amazon AWS Elastic Container Registry (ECR) to notify you if there are known vulnerabilities in your images. When the scan completes, Defender for Containers provides details for each vulnerability detected, a security classification for each vulnerability detected, and guidance on how to remediate issues and protect vulnerable attack surfaces. 
+
+There are two solutions for vulnerability assessment in Azure, one powered by Microsoft Defender Vulnerability Management and one powered by Qualys.
 
 Learn more about:
 
-- [Vulnerability assessment for Azure Container Registry (ACR)](defender-for-containers-vulnerability-assessment-azure.md)
+- [Vulnerability assessments for Azure with Microsoft Defender Vulnerability Management](agentless-container-registry-vulnerability-assessment.md)
+- [Vulnerability assessment for Azure powered by Qualys](defender-for-containers-vulnerability-assessment-azure.md)
 - [Vulnerability assessment for Amazon AWS Elastic Container Registry (ECR)](defender-for-containers-vulnerability-assessment-elastic.md)
 
 ## Run-time protection for Kubernetes nodes and clusters

articles/defender-for-cloud/defender-for-containers-vulnerability-assessment-azure.md

@@ -1,14 +1,14 @@
 ---
-title: Identify vulnerabilities in Azure Container Registry 
+title: Vulnerability assessment for Azure powered by Qualys
 description: Learn how to use Defender for Containers to scan images in your Azure Container Registry to find vulnerabilities.
 author: dcurwin
 ms.author: dacurwin
-ms.date: 06/21/2023
+ms.date: 07/20/2023
 ms.topic: how-to
 ms.custom: ignite-2022, build-2023
 ---
 
-# Scan your Azure Container Registry images for vulnerabilities
+# Vulnerability assessment for Azure powered by Qualys
 
 As part of the protections provided within Microsoft Defender for Cloud, you can scan the container images that are stored in your Azure Resource Manager-based Azure Container Registry.
 

articles/defender-for-cloud/enable-vulnerability-assessment.md

@@ -0,0 +1,53 @@
+---
+title: Enable vulnerability assessment in Microsoft Defender CSPM
+description: Learn how to enable vulnerability assessment in Microsoft Defender CSPM
+ms.service: defender-for-cloud
+ms.topic: how-to
+ms.date: 07/20/2023
+---
+
+# Enable vulnerability assessment in Microsoft Defender CSPM
+
+Onboarding Agentless Container posture in Defender CSPM will allow you to gain all its [capabilities](concept-agentless-containers.md#capabilities).
+
+Defender CSPM includes [two extensions](#what-are-the-extensions-for-agentless-container-posture-management) that allow for agentless visibility into Kubernetes and containers registries across your organization's SDLC and runtime.
+
+**To onboard Agentless Container posture in Defender CSPM:**
+
+1. Before starting, verify that the subscription is [onboarded to Defender CSPM](enable-enhanced-security.md).
+
+1. In the Azure portal, navigate to the Defender for Cloud's **Environment Settings** page.
+
+1. Select the subscription that's onboarded to the Defender CSPM plan, then select **Settings**.
+
+1. Ensure the **Agentless discovery for Kubernetes** and **Container registries vulnerability assessments** extensions are toggled to **On**.
+
+1. Select **Continue**.
+
+    :::image type="content" source="media/concept-agentless-containers/settings-continue.png" alt-text="Screenshot of selecting agentless discovery for Kubernetes and Container registries vulnerability assessments." lightbox="media/concept-agentless-containers/settings-continue.png":::
+
+1. Select **Save**.
+
+A notification message pops up in the top right corner that will verify that the settings were saved successfully.
+
+## What are the extensions for Agentless Container Posture management?
+
+There are two extensions that provide agentless CSPM functionality:
+
+- **Container registries vulnerability assessments**: Provides agentless containers registries vulnerability assessments. Recommendations are available based on the vulnerability assessment timeline. Learn more about [image scanning](agentless-container-registry-vulnerability-assessment.md).
+- **Agentless discovery for Kubernetes**: Provides API-based discovery of information about Kubernetes cluster architecture, workload objects, and setup.
+
+## How can I onboard multiple subscriptions at once?
+
+To onboard multiple subscriptions at once, you can use this [script](https://github.com/Azure/Microsoft-Defender-for-Cloud/tree/main/Powershell%20scripts/Agentless%20Container%20Posture).
+
+## Support for exemptions
+
+You can customize your vulnerability assessment experience by exempting management groups, subscriptions, or specific resources from your secure score. Learn how to [create an exemption](exempt-resource.md) for a resource or subscription.
+
+## Next Steps
+
+- Learn more about [Trusted Access](/azure/aks/trusted-access-feature).
+- Learn how to [view and remediate vulnerability assessment findings for registry images and running images](view-and-remediate-vulnerability-assessment-findings.md).
+- Learn how to [create an exemption](exempt-resource.md) for a resource or subscription.
+- Learn more about [Cloud Security Posture Management](concept-cloud-security-posture-management.md).

articles/defender-for-cloud/support-agentless-containers-posture.md

@@ -13,7 +13,7 @@ All of the agentless container capabilities are available as part of the [Defend
 Review the requirements on this page before setting up [agentless containers posture](concept-agentless-containers.md) in Microsoft Defender for Cloud.
 
 > [!IMPORTANT]
->  Agentless Posture is currently in Preview. Previews are provided "as is" and "as available" and are excluded from the service-level agreements and limited warranty.
+> Agentless Posture is currently in Preview. Previews are provided "as is" and "as available" and are excluded from the service-level agreements and limited warranty.
 
 ## Availability
 
@@ -24,7 +24,7 @@ Review the requirements on this page before setting up [agentless containers pos
 | Clouds:    | :::image type="icon" source="./media/icons/yes-icon.png"::: Azure Commercial clouds<br> :::image type="icon" source="./media/icons/no-icon.png"::: Azure Government<br>:::image type="icon" source="./media/icons/no-icon.png"::: Azure China 21Vianet<br>:::image type="icon" source="./media/icons/no-icon.png"::: Connected AWS accounts<br>:::image type="icon" source="./media/icons/no-icon.png"::: Connected GCP accounts         |
 | Permissions | You need to have access as a:<br><br> - Subscription Owner, **or** <br> - User Access Admin and Security Admin permissions for the Azure subscription used for onboarding |
 
-## Registries and images
+## Registries and images - powered by MDVM
 
 | Aspect | Details |
 |--|--|
@@ -44,9 +44,8 @@ Learn more about [supported Kubernetes versions in Azure Kubernetes Service (AKS
 
 ### Are attack paths triggered on workloads that are running on Azure Container Instances?
 
-Attack paths are currently not triggered for workloads running on[ Azure Container Instances](/azure/container-instances/).
+Attack paths are currently not triggered for workloads running on [Azure Container Instances](/azure/container-instances/).
 
 ## Next steps
 
 Learn how to [enable agentless containers](how-to-enable-agentless-containers.md).
-

articles/defender-for-cloud/support-matrix-defender-for-containers.md

@@ -20,9 +20,11 @@ This article summarizes support information for the [Defender for Containers pla
 | Feature | Supported Resources | Linux release state | Windows release state   | Agentless/Agent-based | Pricing Tier | Azure clouds availability |
 |--|--|--|--|--|--|--|
 | Compliance-Docker CIS | VM, Virtual Machine Scale Set | GA | - | Log Analytics agent | Defender for Servers Plan 2 | Commercial clouds<br><br> National clouds: Azure Government, Azure China 21Vianet |
-| [Vulnerability assessment](defender-for-containers-vulnerability-assessment-azure.md)-registry scan [OS packages](#registries-and-images-support-aks)| ACR, Private ACR | GA | Preview | Agentless | Defender for Containers  | Commercial clouds<br><br> National clouds: Azure Government, Azure China 21Vianet |
-| [Vulnerability assessment](defender-for-containers-vulnerability-assessment-azure.md)-registry scan [language packages](#registries-and-images-support-aks) | ACR, Private ACR | Preview | - | Agentless | Defender for Containers  | Commercial clouds<br><br> National clouds: Azure Government, Azure China 21Vianet |
-| [Vulnerability assessment-running images](defender-for-containers-vulnerability-assessment-azure.md#view-vulnerabilities-for-images-running-on-your-aks-clusters) | AKS | GA | Preview | Defender profile | Defender for Containers | Commercial clouds |
+| [Vulnerability assessment](defender-for-containers-vulnerability-assessment-azure.md) (powered by Qualys) -registry scan [OS packages](#registries-and-images-support-for-aks---powered-by-qualys) | ACR, Private ACR | GA | Preview | Agentless | Defender for Containers  | Commercial clouds<br><br> National clouds: Azure Government, Azure China 21Vianet |
+| [Vulnerability assessment](defender-for-containers-vulnerability-assessment-azure.md) (powered by Qualys) -registry scan [language packages](#registries-and-images-support-for-aks---powered-by-qualys) | ACR, Private ACR | Preview | - | Agentless | Defender for Containers  | Commercial clouds<br><br> National clouds: Azure Government, Azure China 21Vianet |
+| [Vulnerability assessment (powered by Qualys) -running images](defender-for-containers-vulnerability-assessment-azure.md#view-vulnerabilities-for-images-running-on-your-aks-clusters) | AKS | GA | Preview | Defender profile | Defender for Containers | Commercial clouds |
+| [Vulnerability assessment](agentless-container-registry-vulnerability-assessment.md) powered by MDVM -registry scan | ACR, Private ACR | Preview |  | Agentless | Defender for Containers | Commercial clouds |
+| [Vulnerability assessment](agentless-container-registry-vulnerability-assessment.md) powered by MDVM - running image | AKS | Preview |  | Defender profile | Defender for Containers | Commercial clouds |
 | [Hardening  (control plane)](defender-for-containers-architecture.md) | ACR, AKS | GA | Preview | Agentless | Free | Commercial clouds<br><br> National clouds: Azure Government, Azure China 21Vianet |
 | [Hardening (Kubernetes data plane)](kubernetes-workload-protections.md) | AKS | GA | - | Azure Policy | Free | Commercial clouds<br><br> National clouds: Azure Government, Azure China 21Vianet |
 | [Runtime threat detection](defender-for-containers-introduction.md#run-time-protection-for-kubernetes-nodes-and-clusters) (control plane)| AKS | GA | GA | Agentless | Defender for Containers | Commercial clouds<br><br> National clouds: Azure Government, Azure China 21Vianet |
@@ -32,7 +34,7 @@ This article summarizes support information for the [Defender for Containers pla
 | Discovery/provisioning-Defender profile auto provisioning | AKS | GA | - | Agentless | Defender for Containers | Commercial clouds<br><br> National clouds: Azure Government, Azure China 21Vianet |
 | Discovery/provisioning-Azure policy add-on auto provisioning | AKS | GA | - | Agentless | Free | Commercial clouds<br><br> National clouds: Azure Government, Azure China 21Vianet |
 
-### Registries and images support-AKS
+### Registries and images support for AKS - powered by Qualys
 
 | Aspect | Details |
 |--|--|