Merge pull request #1520 from DebLanger/US319372_attack

new attack path content

Author: DebLanger

exposure-management/exposure-insights-overview.md

@@ -49,17 +49,15 @@ Security Exposure Management provides initiatives that currently include:
 > [!IMPORTANT]
 > Initiatives that are in preview are marked accordingly. Preview initiatives are still in development, and are subject to change.
 
-
 ### Initiative elements
 
 **Element** | **Goal** | **Details**
 --- | --- | ---
-**Initiative** | Initiatives help you to gather security projects that have similar resources and workloads, and to assess and remediate the security posture of each project.| Each security initiative provides an all-up score that provides a fast measure of how strong security posture is for the initiative at the current point in time.<br/><br/>	The all-up score also provides a target score indicator, the number of critical assets affected, and shows how the score has moved over the last 24 hours.
+**Initiative** | Initiatives help you to gather security projects that have similar resources and workloads, and to assess and remediate the security posture of each project.| Each security initiative provides an all-up score that provides a fast measure of how strong security posture is for the initiative at the current point in time.<br/><br/> The all-up score also provides a target score indicator, the number of critical assets affected, and shows how the score has moved over the last 24 hours.
 **Metric** | Metrics in security initiatives help you to measure exposure risk for different areas within the initiative.| Each metric gathers together one or more recommendations for similar assets.<br/><br/>Metrics can be associated with one or more initiatives.<br/><br/>**Important**: Threat analytics initiatives don't have metrics. They have recommendations only.
 **Recommendations** |Security recommendations help you to understand the compliance state for a specific security initiative.  | All security initiatives have recommendations associated with them.<br/><br/>Recommendations can be associated with one or more initiatives.<br/><br/> Within initiatives, recommendations are assigned a compliance state.
 **Events** | Events help you to  monitor initiative changes.  | Events notify you when there's a drop in an all-up initiative score or metric score, indicating that exposure risk grew.
 
-
 ## Working with initiatives
 
 You can prioritize which initiatives you want to see on the **Overview** dashboard. Review the initiative score, and drill down into initiatives to see associated metrics and understand where gaps or risks reside.
@@ -69,15 +67,15 @@ You can prioritize which initiatives you want to see on the **Overview** dashboa
 On the **Metrics** tab of an initiative, or in the **Metrics** section of **Exposure Insights**, you can see the metric state, its effect and relative importance in an initiative, and recommendations to improve the metric. For each metric you can:
 
 - Review metrics properties, including:
-    - **14-day trend**: Shows the metric value changes over the last 14 days.
-    - **Affected items**: The number of items within the metric. In most cases, these items would be assets that are exposed or that create a risk factor. In other cases, affected items would be the number of missing Microsoft secure score points to effectively implement recommended controls.
-    - **Total**:  Total number of assets under the metric scope.
-    - **Weight**: The relative weight (importance) of the metric within the initiative, and its effect on the initiative score. From one (lowest) to ten (highest). 
-    - **Score impact**: The impact that completing the metric (getting it to 0%) has on the security initiative. Meaning if a given metric is completed, the score impact is the addition seen to the initiative score.
-    - **State**: Shows whether the metric needs attention, the risk was mitigated outside Security Exposure Management and shouldn't affect the initiative score, or was mitigated and the initiative score should be adjusted accordingly.
-    - **Current value**: Current percentage of exposed assets within the total assets covered by the metric, with the state for each metric. Zero percent is best since there's no exposure, while 100% is worst.
-    - **Recommendations**: Security recommendations associated with the metric.
-    - **Last Updated** shows the last date the metric was updated.
+  - **14-day trend**: Shows the metric value changes over the last 14 days.
+  - **Affected items**: The number of items within the metric. In most cases, these items would be assets that are exposed or that create a risk factor. In other cases, affected items would be the number of missing Microsoft secure score points to effectively implement recommended controls.
+  - **Total**:  Total number of assets under the metric scope.
+  - **Weight**: The relative weight (importance) of the metric within the initiative, and its effect on the initiative score. From one (lowest) to ten (highest).
+  - **Score impact**: The impact that completing the metric (getting it to 0%) has on the security initiative. Meaning if a given metric is completed, the score impact is the addition seen to the initiative score.
+  - **State**: Shows whether the metric needs attention, the risk was mitigated outside Security Exposure Management and shouldn't affect the initiative score, or was mitigated and the initiative score should be adjusted accordingly.
+  - **Current value**: Current percentage of exposed assets within the total assets covered by the metric, with the state for each metric. Zero percent is best since there's no exposure, while 100% is worst.
+  - **Recommendations**: Security recommendations associated with the metric.
+  - **Last Updated** shows the last date the metric was updated.
 
 - Filter metrics for specific findings.
 - Drill down into metrics to review and fix associated issues.
@@ -90,7 +88,6 @@ In some cases, metrics display grayed out because the underlying data for the me
 
 Grayed out metrics aren't considered for score calculation.
 
-
 ## Working with recommendations
 
 Security Exposure Management ingests security recommendations from multiple sources, including Microsoft Defender for Cloud running the  [Defender for Cloud Security Posture Management (CSPM) plan](/azure/defender-for-cloud/concept-cloud-security-posture-management), [Microsoft Secure Score](/defender-xdr/microsoft-secure-score), Microsoft threat analytics, and other Microsoft workloads. Security Exposure Management integrates all of these recommendations into a single security catalog.
@@ -122,7 +119,7 @@ Security Exposure Management uses secure score as one of its sources for initiat
 
 The exposure state for a security initiative is reflected in the initiative score.
 
-- **Initiatives with metrics**: For initiatives with metrics, the score is calculated based on the value and weight of metrics within the initiative. 
+- **Initiatives with metrics**: For initiatives with metrics, the score is calculated based on the value and weight of metrics within the initiative.
 - **Initiatives without metrics**: For threat initiatives that don't have metrics, the initiative score is calculated in the same way that [Secure Score is calculated](/defender-xdr/microsoft-secure-score#how-recommended-actions-are-scored).
 
 For initiatives with metrics:
@@ -139,7 +136,6 @@ On the **History** tab of an initiative, you can:
 - Filter for specific time points.
 - Drill down to specific changes.
 
-
 :::image type="content" source="media/exposure-insights-overview/initiatives-history.png" alt-text="Screenshot of the Initiative history tab showing the graph and dates of changes." lightbox="media/exposure-insights-overview/initiatives-history.png":::
 
 When you drill down into a specific change, you can see the percentage effects of metrics in the initiative score, along with the change reason. Reasons include:
@@ -149,22 +145,19 @@ When you drill down into a specific change, you can see the percentage effects o
 - **Metric removed** - The metric is no longer relevant for that specific initiative. For instance, if a better suggestion is introduced or it becomes irrelevant.
 - **Metric depreciated** - The metric is removed globally.
 
-
 Selecting the metric that changed provides more details about the change. For instance, it might display the new weight of a property change, or the number of affected assets before or after the change.
 
 :::image type="content" source="media/exposure-insights-overview/initiatives-history-details.png" alt-text="Screenshot of the metric change side panel in the Initiatives history tab." lightbox="media/exposure-insights-overview/initiatives-history-details.png":::
 
 You can't control the metric or score changes in advance.
 
-
 ## Reviewing events
 
-
 Events measure the score drop or worsening in the metric status. Events include:
 
 - **Metric score drop events**: These events are issued with there's a decrease of at least 2% in metric score (exposure grew by 2%) since yesterday.
 - **Initiative score drop events**: These events are issued when there's a decrease of at least 2% in initiative score since yesterday.
-- **New Initiave event**: These events are issued when a new inititave is available in MSEM.
+- **New Initiative event**: These events are issued when a new initiative is available in MSEM.
 
 ## Next steps
 

exposure-management/media/review-attack-paths/attack-path-list.png

@@ -25,23 +25,42 @@ Security Exposure Management is currently in public preview.
   - If you don't have licenses defined for workloads integrated and represented in the attack path.
   - If you don't fully define critical assets.
 
-## View attack paths
+### Attack path dashboard
 
-1. To access [attack paths](https://security.microsoft.com/attack-paths), select  **Attack surface -> Attack path**.
+The dashboard provides a high-level overview of all identified attack paths within the environment. It enables security teams to gain valuable insights into the types of paths identified, top entry points, target assets, and more, helping to prioritize risk mitigation efforts effectively. The overview includes:
 
-    :::image type="content" source="./media/review-attack-paths/attack-paths.png" alt-text="Screenshot of the Security Exposure Management attack path window" lightbox="media/review-attack-paths/attack-paths.png":::
+- Graph of attack paths over time
+- Top choke points
+- Top attack path scenarios
+- Top targets
+- Top entry points
+
+:::image type="content" source="media/work-attack-paths-overview/attack-paths-dashboard.png" alt-text="Screenshot of attack path dashboard" lightbox="media/work-attack-paths-overview/attack-paths-dashboard.png":::
+
+### View attack paths
+
+1. You can access [attack paths](https://security.microsoft.com/attack-paths) from the attack path dashboard, or by selecting  **Attack surface -> Attack path**.
+
+   :::image type="content" source="media/review-attack-paths/attack-path-list.png" alt-text="Screenshot of attack path list" lightbox="media/review-attack-paths/attack-path-list.png":::
 
 1. To change how attack paths are displayed, you can select a heading name to sort by a specific column heading.
 
-## Group by choke points
+### Group attack paths
+
+To group attack paths by specific criteria:
+
+Select **Group** to group by **Attack path name**, **Entry point**,**Entry point type**, **Target type**, **Risk level**, **Status**, **Target criticality**, **Target**.
 
-To group by choke point:
+### View choke points and blast radius
 
-1. Select **Attack surface -> Attack path**.
+1. Go the choke points tab to view a list of choke points on the attack path dashboard. By focusing on these choke points, you can reduce risk by addressing high-impact assets, thus preventing attackers from progressing through various paths.
+1. Select a choke point to open the side panel, select **View blast radius** and explore the attack paths from a choke point. The blast radius provides a detailed visualization showing how the compromise of one asset could affect others. This enables security teams to assess the broader implications of an attack and prioritize mitigation strategies more effectively.
+ 
+:::image type="content" source="media/review-attack-paths/choke points and blast radius.png" alt-text="Screenshot of choke point and blast radius " lightbox="media/review-attack-paths/choke points and blast radius.png":::
 
-1. Select **Group** to group by **Name**, **Entry point type**, **Target type**, **Target criticality**, **Status**, or **choke point**.
+:::image type="content" source="media/review-attack-paths/choke-points on map.png" alt-text="Screenshot of choke point on attack map" lightbox="media/review-attack-paths/choke-points on map.png":::
 
-## Examine an attack path
+### Examine an attack path
 
 1. Select a specific attack path to examine it further for potential exploitable vulnerabilities.
 

exposure-management/media/review-attack-paths/choke points and blast radius.png

@@ -25,6 +25,21 @@ Security Exposure Management is currently in public preview.
 >
 > `https://aka.ms/msem/rss`
 
+## October 2024
+
+### New in attack paths
+
+We have introduced four new features designed to enhance your security management and risk mitigation efforts. These features provide valuable insights into the attack paths identified within your environment, enabling you to prioritize risk mitigation strategies effectively and reduce the impact of potential threats. 
+
+The new features include:
+
+- **Attack path widget on exposure management overview page**: Provides users with an at-a-glance, high-level view of discovered attack paths. It displays a timeline of newly identified paths, key entry points, target types, and more, ensuring security teams stay informed about emerging threats and can respond quickly.
+- **Attack path dashboard**: Provides a high-level overview of all identified attack paths within the environment. This feature enables security teams to gain valuable insights into the types of paths identified, top entry points, target assets, and more, helping to prioritize risk mitigation efforts effectively.
+- **Choke points**: Highlights critical assets that multiple attack paths intersect, identifying them as key vulnerabilities within the environment. By focusing on these choke points, security teams can efficiently reduce risk by addressing high-impact assets, thus preventing attackers from progressing through various paths.
+- **Blast radius**: Allows users to visually explore the paths from a choke point. It provides a detailed visualization showing how the compromise of one asset could affect others, enabling security teams to assess the broader implications of an attack and prioritize mitigation strategies more effectively.
+ 
+For more information, see [Overview of attack paths](work-attack-paths-overview.md).
+
 ## September 2024
 
 ### New Enterprise IoT Security Initiative

exposure-management/media/review-attack-paths/choke-points on map.png

@@ -20,9 +20,15 @@ Security Exposure Management is currently in public preview.
 
 [!INCLUDE [prerelease](../includes/prerelease.md)]
 
+## Attack path dashboard
+
+The attack path dashboard provides a high-level view of the attack paths in your organization. It shows the number of attack paths, the number of choke points, and the number of critical assets. You can use this information to understand the security posture of your organization and to prioritize your security efforts. From the dashboard, you can drill down into the details of the attack paths, choke points, and critical assets.
+
+:::image type="content" source="media/work-attack-paths-overview/attack-paths-dashboard.png" alt-text="Screenshot of attack path dashboard" lightbox="media/work-attack-paths-overview/attack-paths-dashboard.png":::
+
 ## Identifying and resolving attack paths
 
-Here's how Security Exposure Management helps you to identify and resolve attack paths.
+Here's how Exposure Management helps you to identify and resolve attack paths.
 
 - **Attack path generation**: Security Exposure Management automatically generates attack paths based on the data collected across assets and workloads. It simulates attack scenarios, and identifies vulnerabilities and weaknesses that an attacker could exploit.
   - The number of attack paths visible in the portal can fluctuate due to the dynamic nature of  IT environments. Our system dynamically generates attack paths based on the real-time conditions of each customer's environment. Changes such as the addition or removal of assets, updates to configurations, a user logging on or off from a machine, a user added or removed to a group, and the implementation of new network segmentation or security policies can all influence the number and types of attack paths identified. 
@@ -31,11 +37,14 @@ Here's how Security Exposure Management helps you to identify and resolve attack
   - Hovering over each node and connector icon provides you with additional information about how the attack path is build. For instance, from an initial virtual machine containing TLS/SSL keys all the way to permissions to storage accounts.
   - The [enterprise exposure map](enterprise-exposure-map.md) extends how you can visualize attack paths. Along with other data, it shows you multiple attack paths and choke points, nodes that create bottlenecks in the graph or map where attack paths converge. It visualizes exposure data, allowing you to see what assets are at risk, and where to prioritize your focus.
 - **Security recommendations**: Get actionable recommendations to mitigate potential attack paths.
-- **Choke point identification**: To manage choke points:
-  - Security Exposure Management provides a way to group choke point nodes through which multiple attack paths flow, or where multiple attack paths intersect on the way to a critical asset.
-  - Choke point visibility enables you to focus mitigation efforts strategically, addressing multiple attack paths by securing these critical points in the network.
-  - Ensuring that choke points are secure protects your assets from threats.
-:::image type="content" source="./media/review-attack-paths/attack-paths-graph.png" alt-text="Screenshot of the graph visualization of attack path"  lightbox="media/review-attack-paths/attack-paths-graph.png":::
+- **Choke points**: The attack path dashboard highlights critical assets where multiple attack paths intersect, identifying them as key vulnerabilities. By focusing on these choke points, security teams can efficiently reduce risk by addressing high-impact assets.
+
+  - **Identification**: View a list of choke points on the attack path dashboard.
+  - **Grouping**: Security Exposure Management groups choke point nodes where multiple attack paths flow or intersect on the way to a critical asset.
+  - **Strategic Mitigation**: Choke point visibility enables you to focus mitigation efforts strategically, addressing multiple attack paths by securing these critical points.
+  - **Protection**: Ensuring that choke points are secure protects your assets from threats.
+- **Blast radius**: Allows users to visually explore the paths from a choke point. It provides a detailed visualization showing how the compromise of one asset could affect others, enabling security teams to assess the broader implications of an attack and prioritize mitigation strategies more effectively.
+
 
 ## Next steps