Commit 30728ee

Merge pull request #1921 from MicrosoftDocs/main
publishing Ignite updates and items
2 parents bb00008 + edb9458 commit 30728ee

59 files changed: +883 −53 lines changed


defender-endpoint/machines-view-overview.md

Lines changed: 6 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -136,6 +136,7 @@ The available device properties to use as filters vary based on the device inven
136136
|**Device subtype**|<ul><li>**All devices**</li><li>**IoT/OT**</li></ul>|The subtype value assigned to the device. Enter a value or select an available value (for example, **Video conference**).|
137137
|**Device type**|<ul><li>**All devices**</li><li>**IoT/OT**</li></ul>|The type value assigned to the device. Enter a value or select an available value (for example, **Audio and Video**).|
138138
|**Device value**|All|The assigned value of the device. The available values are **High** and **Low**.|
139+
|**Discovery sources**|All|The source reporting on the device.|
139140
|**Exclusion state**|All|The available values are **Not excluded** and **Excluded**. For more information, see [Exclude devices](exclude-devices.md).|
140141
|**Exposure level**|All|The exposure level of the device based on pending security recommendations. The available values are: <ul><li>**High**</li><li>**Medium**</li><li>**Low**: Devices are less vulnerable to exploitation.</li><li>**No data available**: Possible causes for this value include: <ul><li>The device is inactive (stopped reporting for more than 30 days).</li><li>The OS on the device isn't supported. For more information, see [minimum requirements for Microsoft Defender for Endpoint](minimum-requirements.md).</li><li>The agent software on the device is stale (unlikely).</li></ul></li></ul>|
141142
|**First seen**|All tabs except **Network devices**|How long ago the device was first seen on the network or when it was first reported by the Microsoft Defender for Endpoint sensor. The available values are **Last 7 days** or **Over 7 days ago**.|
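Review bot: the new **Discovery sources** row (line 139) only says "The source reporting on the device" and, unlike the neighbouring **Device value** and **Exclusion state** rows, does not list the values the filter can take or say whether one device can be reported by more than one source. Since this filter is what lets an analyst separate devices seen by the Defender for Endpoint sensor from devices found only by discovery, consider following the pattern of the other rows, for example "The available values are ...", so readers know what the filter actually distinguishes.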
@@ -178,6 +179,7 @@ You can sort the entries by clicking on an available column header. Select :::im
178179
- **OS version**<sup\*</sup>
179180
- **Sensor health state**<sup\*</sup>
180181
- **Onboarding status**<sup\*</sup>
182+
- **Discovery sources**
181183
- **First seen**
182184
- **Last device update**<sup\*</sup>
183185
- **Tags**<sup\*</sup>
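Review bot: the unchanged lines around the new entry (**OS version**, **Sensor health state**, **Onboarding status**, **Last device update**, **Tags**) use `<sup\*</sup>`, which is missing the `>` of the opening tag and will render literally instead of as the superscript asterisk that marks a default column; the same lists later in this file use the correct `<sup>\*</sup>`. Since this hunk already touches the list, fixing those five lines here (and in the next hunk, which has the same defect) would make the marker consistent across all tabs.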
@@ -204,6 +206,7 @@ You can sort the entries by clicking on an available column header. Select :::im
204206
- **Criticality level**<sup\*</sup>
205207
- **Sensor health state**<sup\*</sup>
206208
- **Onboarding status**<sup\*</sup>
209+
- **Discovery sources**
207210
- **Last device update**<sup\*</sup>
208211
- **First seen**
209212
- **Tags**<sup\*</sup>
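Review bot: same malformed `<sup\*</sup>` tag on the surrounding **Criticality level**, **Sensor health state**, **Onboarding status**, **Last device update** and **Tags** lines as in the previous hunk; change them to `<sup>\*</sup>` here as well.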
@@ -219,6 +222,7 @@ You can sort the entries by clicking on an available column header. Select :::im
219222
- **Vendor**<sup>\*</sup>
220223
- **Model**<sup>\*</sup>
221224
- **Name**<sup>\*</sup>
225+
- **Discovery sources**
222226
- **Domain**
223227
- **Device type**
224228
- **Device subtype**
@@ -241,6 +245,7 @@ You can sort the entries by clicking on an available column header. Select :::im
241245
- **Model**<sup>\*</sup>
242246
- **Risk level**<sup>\*</sup>
243247
- **Exposure level**<sup>\*</sup>
248+
- **Discovery sources**
244249
- **OS distribution**<sup>\*</sup>
245250
- **OS version**<sup>\*</sup>
246251
- **First seen**
@@ -253,6 +258,7 @@ You can sort the entries by clicking on an available column header. Select :::im
253258
- **Name**<sup>\*</sup>
254259
- **Vendor**<sup>\*</sup>
255260
- **IP**<sup>\*</sup>
261+
- **Discovery sources**
256262
- **MAC address**
257263
- **Risk level**
258264
- **Exposure level**
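Review bot: **Discovery sources** is inserted at a different point in each tab's column list across this file (after **Onboarding status** in the first two lists, after **Name**, after **Exposure level**, and here after **IP**). If these lists mirror the column order the portal shows for each tab, that is fine, but if they are simply the set of available columns the new one would be easier to find in the same relative position everywhere; a short sentence above the lists saying which it is would settle the question for future edits.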

defender-xdr/TOC.yml

Lines changed: 2 additions & 0 deletions
@@ -154,6 +154,8 @@
154154
href: dlp-investigate-alerts-defender.md
155155
- name: Investigate data loss prevention alerts with Microsoft Sentinel
156156
href: dlp-investigate-alerts-sentinel.md
157+
- name: Investigate and respond to container threats
158+
href: investigate-respond-container-threats.md
157159
- name: Alerts
158160
href: investigate-alerts.md
159161
- name: Alert classification playbooks
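Review bot: the new entry (lines 157-158) lands between the two DLP alert-investigation pages and the generic **Alerts** entry; confirm this is the intended position in the Investigate section rather than an append to the end of the DLP group, and that the `href` `investigate-respond-container-threats.md` matches the filename of the new article in this commit, whose file header is not visible in this view.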

defender-xdr/activate-defender-rbac.md

Lines changed: 8 additions & 8 deletions
@@ -12,7 +12,7 @@ ms.collection:
1212
- tier3
1313
ms.custom:
1414
ms.topic: how-to
15-
ms.date: 09/30/2024
15+
ms.date: 11/17/2024
1616
ms.reviewer:
1717
search.appverid: met150
1818
---
@@ -29,6 +29,7 @@ search.appverid: met150
2929
- [Microsoft Defender for Office 365 P2](https://go.microsoft.com/fwlink/?LinkID=2158212)
3030
- [Microsoft Defender Vulnerability Management](/defender-vulnerability-management/defender-vulnerability-management)
3131
- [Microsoft Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction)
32+
- [Microsoft Security Exposure Management](/security-exposure-management/)
3233

3334
For the Microsoft Defender XDR security portal to start enforcing the permissions and assignments configured in your new [custom roles](create-custom-rbac-roles.md) or [imported roles](import-rbac-roles.md), you must activate the Microsoft Defender XDR Unified RBAC model for some or all of your workloads.
3435

@@ -54,20 +55,19 @@ You can activate your workloads in two ways from the Permissions and roles page:
5455
:::image type="content" source="/defender/media/defender/m365-defender-rbac-activate-workloads1.png" alt-text="Screenshot of the activate workloads page" lightbox="/defender/media/defender/m365-defender-rbac-activate-workloads1.png":::
5556

5657
1. **Activate workloads**
57-
- Select **Activate workloads** on the banner above the list of roles to go directly to the **Activate workloads** screen.
58-
- You must activate each workload one by one. Once you select the individual toggle, you activate (or deactivate) that workload.
5958

60-
:::image type="content" source="/defender/media/defender/defender-rbac-select-workload.png" alt-text="Screenshot of the choose workloads to activate screen":::
59+
- Select **Activate workloads** on the banner above the list of roles to go directly to the **Activate workloads** screen.
60+
- You must activate each workload one by one. Once you select the individual toggle, you activate (or deactivate) that workload.
61+
62+
:::image type="content" source="/defender/media/defender/urbac-activate-workloads.png" alt-text="Screenshot of the choose workloads to activate screen":::
6163

6264
> [!NOTE]
6365
> The **Activate workloads** button is only available when there is it at least one workload that's not active for Microsoft Defender XDR Unified RBAC.
64-
>
6566
> Microsoft Defender for Cloud is active by default with Microsoft Defender XDR Unified RBAC.
66-
>
67-
> Defender XDR Unified RBAC is automatically active for Secure Score access. Once a custom role with one of the permissions is created, it has an immediate impact on assigned users. There is no need to activate it.
67+
> Defender XDR Unified RBAC is automatically active for Exposure Management access. Once a custom role with one of the Exposure Management permissions is created, it has an immediate impact on assigned users. There is no need to activate it.
6868
>
6969
> To activate Exchange Online permissions in Microsoft Defender XDR Unified RBAC, Defender for Office 365 permissions must be active.
70-
70+
7171
2. **Workload settings**
7272
- Select **Workload settings**.
7373
- This brings you to the Microsoft Defender XDR **Permission and roles** page.
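Review bot: removing the two blank `>` spacer lines (64- and 66-) merges the first three sentences of the note into a single Markdown paragraph, so "The **Activate workloads** button is only available ...", "Microsoft Defender for Cloud is active by default ..." and the new "Defender XDR Unified RBAC is automatically active for Exposure Management access ..." will run together; keep a `>` line between them as is still done before the Exchange Online sentence. While editing this note, also fix the typo in the unchanged line 63/65, "when there is it at least one workload" should read "when there is at least one workload". The new sentence makes a security-relevant point (Exposure Management permissions take effect on assigned users as soon as the custom role exists, with no activation step), which is a good reason to keep it as its own paragraph rather than buried mid-note.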

defender-xdr/create-custom-rbac-roles.md

Lines changed: 1 addition & 0 deletions
@@ -29,6 +29,7 @@ search.appverid: met150
2929
- [Microsoft Defender for Office 365 P2](https://go.microsoft.com/fwlink/?LinkID=2158212)
3030
- [Microsoft Defender Vulnerability Management](/defender-vulnerability-management/defender-vulnerability-management)
3131
- [Microsoft Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction)
32+
- [Microsoft Security Exposure Management](/security-exposure-management/)
3233

3334
## Create a custom role
3435

defender-xdr/custom-permissions-details.md

Lines changed: 2 additions & 1 deletion
@@ -31,6 +31,7 @@ In Microsoft Defender XDR Unified role-based access control (RBAC) you can selec
3131
- [Microsoft Defender for Office 365 P2](https://go.microsoft.com/fwlink/?LinkID=2158212)
3232
- [Microsoft Defender Vulnerability Management](/defender-vulnerability-management/defender-vulnerability-management)
3333
- [Microsoft Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction)
34+
- [Microsoft Security Exposure Management](/security-exposure-management/)
3435

3536
<a name='microsoft-365-defender-unified-rbac-permission-details'></a>
3637

@@ -74,7 +75,7 @@ Permissions for managing the organization's security posture and performing vuln
7475
|Remediation handling|Manage|Create remediation tickets, submit new requests, and manage remediation activities in Defender Vulnerability Management.|
7576
|Application handling|Manage|Manage vulnerable applications and software, including blocking and unblocking them in Defender Vulnerability Management.|
7677
|Security baseline assessment|Manage|Create and manage profiles so you can assess if your devices comply to security industry baselines.|
77-
|Exposure Management|Read / Manage|View or manage Secure Score recommendations from all products included in Secure Score.|
78+
|Exposure Management|Read / Manage|View or manage Exposure Management insights, including Microsoft Secure Score recommendations from all products that are covered by Secure Score.|
7879

7980
### Authorization and settings
8081

defender-xdr/edit-delete-rbac-roles.md

Lines changed: 1 addition & 0 deletions
@@ -29,6 +29,7 @@ search.appverid: met150
2929
- [Microsoft Defender for Office 365 P2](https://go.microsoft.com/fwlink/?LinkID=2158212)
3030
- [Microsoft Defender Vulnerability Management](/defender-vulnerability-management/defender-vulnerability-management)
3131
- [Microsoft Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction)
32+
- [Microsoft Security Exposure Management](/security-exposure-management/)
3233

3334
In Microsoft Defender XDR Unified role-based access control (RBAC), you can edit and delete custom roles or roles that were imported from Defender for Endpoint, Defender for Identity, or Defender for Office 365.
3435

Lines changed: 111 additions & 0 deletions
@@ -0,0 +1,111 @@
1+
---
2+
title: Investigate and respond to container threats in the Microsoft Defender portal
3+
description: Investigate and respond to container attacks and threats with cloud investigation and response actions in the Microsoft Defender portal.
4+
ms.service: defender-xdr
5+
f1.keywords:
6+
- NOCSH
7+
ms.author: diannegali
8+
author: diannegali
9+
ms.localizationpriority: medium
10+
manager: deniseb
11+
audience: ITPro
12+
ms.collection:
13+
- m365-security
14+
- tier1
15+
ms.topic: conceptual
16+
search.appverid:
17+
- MOE150
18+
- MET150
19+
ms.date: 11/18/2024
20+
appliesto:
21+
- Microsoft Defender XDR
22+
---
23+
# Investigate and respond to container threats in the Microsoft Defender portal
24+
25+
[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
26+
27+
> [!IMPORTANT]
28+
> Some information in this article relates to a prereleased product, which may be substantially modified before it’s commercially released. Microsoft makes no warranties expressed or implied, with respect to the information provided here
29+
30+
Security operations can now investigate and respond to container-related alerts in near real-time in the Microsoft Defender portal with the integration of cloud-native response actions and investigation logs to hunt for related activities. The availability of attack paths can also help analysts immediately investigate and address critical security issues to prevent a potential breach.
31+
32+
As organizations use containers and Kubernetes on platforms like Azure Kubernetes Service (AKS), Google Kubernetes Engine (GKE), ad Amazon Elastic Kubernetes Service (EKS), the attack surface expands, increasing security challenges. Containers can also be targeted by threat actors and used for malicious purposes.
33+
34+
Security operations center (SOC) analysts can now easily track container threats with near real-time alerts and immediately respond to these threats by isolating or terminating container pods. This integration allows analysts to instantly mitigate a container attack from their environment in a click.
35+
36+
Analysts can then investigate the full scope of the attack with the ability to hunt for related activities within the incident graph. They can also further apply preventive actions with the availability of potential attack paths in the incident graph. Using the information from the attack paths allows security teams to inspect the paths and prevent possible breaches. In addition, Threat analytics reports specific to container threats and attacks are available for analysts to gain more information and apply recommendations for container attack response and prevention.
37+
38+
## Prerequisites
39+
40+
The following licenses are required to view and resolve container-related alerts in the Microsoft Defender portal:
41+
42+
- [Microsoft Defender for Containers](/azure/defender-for-cloud/defender-for-containers-introduction)
43+
- [Microsoft Defender XDR](prerequisites.md#licensing-requirements)
44+
45+
> [!NOTE]
46+
> The **isolate pod** response action requires a network policy enforcer. Check whether your Kubernetes cluster has a network policy installed.
47+
48+
Users on the [Microsoft Defender for Cloud Security Posture Management](/azure/defender-for-cloud/concept-cloud-security-posture-management) plan can view attack paths in the incident graph.
49+
50+
Users with provisioned access to [Microsoft Security Copilot](/copilot/security/microsoft-security-copilot) can also take advantage of the [guided responses](security-copilot-m365d-guided-response.md) to investigate and remediate container threats.
51+
52+
## Permissions
53+
54+
To perform any of the response actions, users must have the following permissions for Microsoft Defender for Cloud in the Microsoft Defender XDR unified role-based access control:
55+
56+
|Permission name|Level|
57+
|:---|:---|
58+
|Alerts|Manage|
59+
|Response|Manage|
60+
61+
For more information on these permissions, see [Permissions in Microsoft Defender XDR Unified role-based access control (RBAC)](custom-permissions-details.md).
62+
63+
## Investigate container threats
64+
65+
To investigate container threats in the Microsoft Defender portal:
66+
67+
1. Select **Investigation & response > Incidents and alerts** in the left-hand navigation menu to open the incident or alert queues.
68+
2. In the queue, select **Filter** and choose **Microsoft Defender for Cloud > Microsoft Defender for Containers** under Service source.
69+
:::image type="content" source="/defender/media/defender-containers/incident-queue-small.png" alt-text="Incident queue filtered to show container-related incidents." lightbox="/defender/media/defender-containers/incident-queue.png":::
70+
3. In the incident graph, select the pod/service/cluster entity you need to investigate. Select **Kubernetes service details**, **Kubernetes pod details**, **Kubernetes cluster details**, or **Container registry details** to view relevant information about the service, pod, or registry.
71+
72+
Using [Threat analytics](threat-analytics.md) reports, analysts can utilize threat intelligence from expert Microsoft security researchers to learn about active threat actors and campaigns exploiting containers, new attack techniques that might affect containers, and prevalent threats that affect containers.
73+
74+
Access threat analytics reports from **Threat intelligence > Threat analytics**. You can also open a specific report from the incident page by selecting **View threat analytics report** under **Related threats** on the incident side pane.
75+
76+
:::image type="content" source="/defender/media/defender-containers/view-threat-analytics-small.png" alt-text="Highlighting how to view threat analytics reports from the incident page." lightbox="/defender/media/defender-containers/view-threat-analytics.png":::
77+
78+
Threat analytics reports also contain relevant mitigation, recovery, and prevention methods that analysts can assess and apply to their environment. Using the information in threat analytics reports helps SOC teams defend and protect their environment from container attacks. Here’s an example of an analyst report about a container attack.
79+
80+
:::image type="content" source="/defender/media/defender-containers/threat-analytics-sample-small.png" alt-text="Sample page of a container attack threat analytics report." lightbox="/defender/media/defender-containers/threat-analytics-sample.png":::
81+
82+
## Respond to container threats
83+
84+
You can **isolate** or **terminate** a pod once you determine that a pod is compromised or malicious. In the incident graph, select the pod then go to **Actions** to view the available response actions. You can also find these response actions on the entity side pane.
85+
86+
:::image type="content" source="/defender/media/defender-containers/container-actions-small.png" alt-text="Highlighting the cloud response actions in an incident." lightbox="/defender/media/defender-containers/container-actions.png":::
87+
88+
You can release a pod from isolation with the **release from isolation** action once your investigation is complete. This option appears on the side pane for isolated pods.
89+
90+
Details of all response actions can be viewed in the [Action center](m365d-action-center.md). In the Action center page, select the response action you want to inspect to view more information about the action like which entity was acted on, when the action was done, and view the comments on the action. For isolated pods, the **release from isolation** action is also available in the Action center details pane.
91+
92+
:::image type="content" source="/defender/media/defender-containers/action-center-sample-small.png" alt-text="Sample of cloud response actions listed in the Action center." lightbox="/defender/media/defender-containers/action-center-sample.png":::
93+
94+
## Hunt for container-related activities
95+
96+
To determine the full scope of a container attack, you can deepen your investigation with the **Go hunt** action available in the incident graph. You can immediately view all process events and activities related to container-related incidents from the incident graph.
97+
98+
:::image type="content" source="/defender/media/defender-containers/azure-go-hunt-small.png" alt-text="Highlighting the go hunt action in the incident graph." lightbox="/defender/media/defender-containers/azure-go-hunt.png":::
99+
100+
In the [Advanced hunting](advanced-hunting-overview.md) page, you can extend your search for container-related activities using the **CloudProcessEvents** and **CloudAuditEvents** tables.
101+
102+
:::image type="content" source="/defender/media/defender-containers/adv-hunting-cloud-small.png" alt-text="Highlighting the advanced hunting tables related to cloud events." lightbox="/defender/media/defender-containers/adv-hunting-cloud.png":::
103+
104+
The **CloudProcessEvents** table contains information about process events in multi-cloud hosted environments such as Azure Kubernetes Service, Amazon Elastic Kubernetes Service, and Google Kubernetes Engine.
105+
106+
The **CloudAuditEvents table** contains cloud audit events from cloud platforms protected by Microsoft Defender for Cloud. It also contains Kubeaudit logs, which holds information about Kubernetes-related events.
107+
108+
## See also
109+
110+
- [Microsoft Defender for Containers architecture](/azure/defender-for-cloud/defender-for-containers-architecture?tabs=defender-for-container-arch-aks)
111+
- [Kubeaudit events in advanced hunting](/azure/defender-for-cloud/kubeaudit-events-advanced-hunting)
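Review bot: the prerequisite note on line 46 says the **isolate pod** action "requires a network policy enforcer" but does not say what happens when the cluster has none, that is whether the action fails visibly or completes without anything being enforced; this matters because an analyst who sees the action succeed in the Action center may assume the pod is contained, so the note should state the observable outcome and, if the action does not fail, tell readers to verify enforcement on the cluster before relying on it. Smaller points in the same file: line 32 has "ad Amazon Elastic Kubernetes Service" for "and"; the IMPORTANT block on line 28 is missing its final period after "provided here"; step 3 on line 70 lists four detail panes (service, pod, cluster, container registry) but the closing sentence says only "the service, pod, or registry", dropping the cluster; line 106 bolds "**CloudAuditEvents table**" where line 104 bolds only the table name, and "Kubeaudit logs, which holds" should be "which hold".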
