exposure-management/predefined-classification-rules-and-levels.md
Lines changed: 5 additions & 5 deletions
@@ -59,8 +59,8 @@ Current asset types are:
| Helpdesk Administrator | Identity | High | Users in this role can reset passwords for nonadministrators and Helpdesk Administrators. | A compromised user in this role poses a severe risk, potentially allowing unauthorized access to other nonadmin users by resetting passwords and assuming these users’ identities and permissions, and more. |
| Hybrid Identity Administrator | Identity | High | Users in this role can manage Active Directory to Microsoft Entra cloud provisioning, Microsoft Entra Connect, Pass-through Authentication (PTA), Password hash synchronization (PHS), seamless single sign-on (Seamless SSO), and federation settings. | A compromised user in this role poses a severe risk, potentially allowing unauthorized access, defense evasion, manipulation of hybrid authentication policy settings, and more. |
| Intune Administrator | Identity | Very High | Users in this role can manage all aspects of the Intune product. | A compromised user in this role poses a severe risk, potentially allowing unauthorized access, execution, management of users, devices, groups, and more. |
-
| Partner Tier 1 Support | Identity | High | Users in this role can reset passwords for nonadmin users, update credentials for applications, create and delete users, and create OAuth2 permission grants. This role has been deprecated and will be removed from Microsoft Entra ID in the future. Don't use - not intended for general use. | A compromised user in this role poses a severe risk, potentially allowing unauthorized access to other nonadmin users, applications, data destruction, privilege escalation, and more. |
-
| Partner Tier 2 Support | Identity | Very High | Users in this role can reset passwords for all users (including Global Administrators), update credentials for applications, create and delete users, and create OAuth2 permission grants. This role has been deprecated and will be removed from Microsoft Entra ID in the future. Don't use - not intended for general use. | A compromised user in this role poses a severe risk, potentially allowing unauthorized access to users, applications, secrets, and the takeover of the highest privileged role in the directory by resetting the Global Administrator’s password and assuming their identity and permissions, which can lead to accessing all administrative settings in the directory. |
+
| Partner Tier1 Support | Identity | High | Users in this role can reset passwords for nonadmin users, update credentials for applications, create and delete users, and create OAuth2 permission grants. This role has been deprecated and will be removed from Microsoft Entra ID in the future. Don't use - not intended for general use. | A compromised user in this role poses a severe risk, potentially allowing unauthorized access to other nonadmin users, applications, data destruction, privilege escalation, and more. |
+
| Partner Tier2 Support | Identity | Very High | Users in this role can reset passwords for all users (including Global Administrators), update credentials for applications, create and delete users, and create OAuth2 permission grants. This role has been deprecated and will be removed from Microsoft Entra ID in the future. Don't use - not intended for general use. | A compromised user in this role poses a severe risk, potentially allowing unauthorized access to users, applications, secrets, and the takeover of the highest privileged role in the directory by resetting the Global Administrator’s password and assuming their identity and permissions, which can lead to accessing all administrative settings in the directory. |
| Password Administrator | Identity | High | Users in this role can reset passwords for nonadministrators and Password Administrators. | A compromised user in this role poses a severe risk, potentially allowing unauthorized access to other nonadmin users by resetting passwords and assuming these users’ identities and permissions, and more. |
| Privileged Authentication Administrator | Identity | Very High | Users in this role can view, set, and reset authentication method information for any user (admin or nonadmin). | A compromised user in this role poses a severe risk, potentially allowing unauthorized access to users, and the takeover of the highest privileged role in the directory by resetting the Global Administrator’s password and assuming their identity and permissions, which can lead to accessing all administrative settings in the directory. |
| Privileged Role Administrator | Identity | High | Users in this role can manage role assignments in Microsoft Entra ID, and all aspects of Privileged Identity Management. | A compromised user in this role poses a severe risk, potentially allowing privilege escalation, and the assignment of the highest privileged role in the directory by assigning themselves to the Global Administrator role. |
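Review bot: the rename of the two Partner Tier rows to 'Partner Tier1 Support' and 'Partner Tier2 Support' (no space before the digit) matches the display names Microsoft Entra ID uses for these built-in roles, so the change itself is right; since only the Classification cell changes in each row, the one thing to verify is that other pages in the doc set that mention these roles use the same spelling, otherwise a reader searching for the name as shown in the portal will match some pages and not others. The carried-over 'Don't use - not intended for general use.' in both rows reads as two fragments; 'Don't use: not intended for general use.' would be cleaner, but that text is unchanged by this commit and can be handled separately.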
@@ -77,10 +77,10 @@ Current asset types are:
| Classification | Asset type | Default criticality level | Description | Why is this critical? |
| Databases with sensitive data | Cloud resource | High | This is a data store that contains sensitive data. Sensitivity of data can range from secrets, confidential documents, personally identifiable information, and more. | A data store that contains sensitive data is deemed critical as it might contain, sensitive business data, confidential documents, and more. Unauthorized access to this data could lead to identity theft, financial loss, data leaks, and more. |
-
| Confidential Azure VM| Cloud resource | High | This rule applies to Azure confidential virtual machines. Confidential VMs provide increased isolation, privacy, and encryption, and are used for critical or highly sensitive data and workloads. | An Azure confidential VM provides increased isolation, privacy, and encryption, and is used for critical or highly sensitive data and workloads. A compromised or disrupted confidential machine might pose a severe risk, potentially allowing unauthorized access to sensitive data, disruption of business-critical workloads and services, and more. |
-
| Locked VM| Cloud resource | Medium | This is a virtual machine that is safeguarded by a lock. Locks are used to protect assets from deletion and modifications. Usually, administrators use locks to safeguard critical cloud assets in their environment, and to protect them from accidental deletion and unauthorized modifications. | Usually, administrators use resource locks to safeguard critical cloud assets in their environment. A compromised or disrupted Azure VM that is safeguarded by a lock might pose a severe risk, potentially, with the allowed permissions, allowing the modification or deletion of business-critical workloads, that are supposed to be protected. |
+
| Confidential Azure Virtual Machine| Cloud resource | High | This rule applies to Azure confidential virtual machines. Confidential VMs provide increased isolation, privacy, and encryption, and are used for critical or highly sensitive data and workloads. | An Azure confidential VM provides increased isolation, privacy, and encryption, and is used for critical or highly sensitive data and workloads. A compromised or disrupted confidential machine might pose a severe risk, potentially allowing unauthorized access to sensitive data, disruption of business-critical workloads and services, and more. |
+
| Locked Azure Virtual Machine| Cloud resource | Medium | This is a virtual machine that is safeguarded by a lock. Locks are used to protect assets from deletion and modifications. Usually, administrators use locks to safeguard critical cloud assets in their environment, and to protect them from accidental deletion and unauthorized modifications. | Usually, administrators use resource locks to safeguard critical cloud assets in their environment. A compromised or disrupted Azure VM that is safeguarded by a lock might pose a severe risk, potentially, with the allowed permissions, allowing the modification or deletion of business-critical workloads, that are supposed to be protected. |
| Azure Virtual Machine with High Availability and Performance | Cloud resource | Medium | This rule applies to Azure virtual machines that use premium Azure storage and are configured with an availability set. Premium storage is used for machines with high performance requirements, such as production workloads. Availability sets improve resilience and are often indicated for business critical VMs that need high availability. | An Azure VM that uses premium Azure storage for high performance and is configured with an availability set for high availability is often used for business-critical high-demanding workloads. A compromised or disrupted Azure VM of such might pose a severe risk, potentially allowing unauthorized access to sensitive production services, sensitive data, and more. |
| Immutable Azure Storage | Cloud resource | Medium | This rule applies to Azure storage accounts that have immutability support enabled. Immutability stores business data in a write once read many (WORM) state, and usually indicates that the storage account holds critical or sensitive data that must be protected from modification. | An Azure storage account that has immutability support enabled is often used for storing critical or sensitive data, that must be protected from modification. A compromised or disrupted Azure storage account of such might pose a severe risk, potentially allowing unauthorized access to highly sensitive data, business-critical workloads in use by production services, and more. |
| Immutable and Locked Azure Storage | Cloud resource | High | This rule applies to Azure storage accounts that have immutability support enabled with a locked policy. Immutability stores business data in a write once read many (WORM). Data protection is increased with a locked policy to ensure that data can’t be deleted or its retention time shortened. These settings usually indicate that the storage account holds critical or sensitive data that must be protected from modification or deletion. Data might also need to align with compliance policies for data protection. | An Azure storage account that has immutability support enabled with a locked policy in place is often used for storing critical or sensitive data, that must be protected from modification. A compromised or disrupted Azure storage account of such might pose a severe risk, potentially allowing unauthorized access to a currently locked and in use highly sensitive data, business-critical workloads, and more. |
-
| Virtual Machine has a critical signed-in user| Cloud resource | High | This rule applies to virtual machines protected by Defender for Endpoint, where a user with a high or very high criticality level is signed in. The signed-in user can be through a joined or registered device, an active browser session, or other means. | A compromised or disrupted Azure VM where a user with high or very high criticality level is signed in poses a severe risk, potentially allowing unauthorized access to the identity by taking over the active session, privilege escalation, access to sensitive data, and more. |
+
|Azure Virtual Machine with a Critical User Signed-in | Cloud resource | High | This rule applies to virtual machines protected by Defender for Endpoint, where a user with a high or very high criticality level is signed in. The signed-in user can be through a joined or registered device, an active browser session, or other means. | A compromised or disrupted Azure VM where a user with high or very high criticality level is signed in poses a severe risk, potentially allowing unauthorized access to the identity by taking over the active session, privilege escalation, access to sensitive data, and more. |
| Azure Key Vaults with Many Connected Identities | Cloud resource | High | This rule identifies Key Vaults that can be accessed by a large number of identities, compared to other Key Vaults. This often indicates that the Key Vault is used by critical workloads, such as production services. | A compromised or disrupted Azure Key Vault that can be accessed by a large number of identities compared to other Key Vaults might pose a severe risk, potentially allowing unauthorized access to sensitive data and secrets, disruption of production services dependent on the Key Vault, and more. |
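Review bot: the added row '|Azure Virtual Machine with a Critical User Signed-in | Cloud resource |' is the only row in the table without a space after the leading pipe, and 'Signed-in' is hyphenated where the Description cell says 'signed in'; suggest '| Azure Virtual Machine with a Critical User Signed In | Cloud resource | ...' so the cell follows the casing of 'Azure Virtual Machine with High Availability and Performance' used elsewhere in the table. The renamed 'Confidential Azure Virtual Machine|' and 'Locked Azure Virtual Machine|' cells keep the missing space before the closing pipe from the removed lines; since those cells are being rewritten anyway, adding it costs nothing. For 'Locked Azure Virtual Machine' the Description cell still opens with 'This is a virtual machine that is safeguarded by a lock' although the new name is Azure-specific; 'This is an Azure virtual machine that is safeguarded by a lock' keeps the name and description aligned, as the 'Why is this critical?' cell already says 'Azure VM'.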