learn-pr/wwl-sci/understand-azure-defender-cloud-workload-protection/2-understand-azure-defender-for-servers.yml
Lines changed: 1 addition & 1 deletion
@@ -4,7 +4,7 @@ title: Understand Microsoft Defender for servers
4
4
metadata:
5
5
title: Understand Microsoft Defender for servers
6
6
description: "Understand Microsoft Defender for servers"
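Review bot: the change to this file cannot be reviewed from what is shown: the header `@@ -4,7 +4,7 @@` covers lines 4 to 10, but only the unchanged context `metadata:`, `title: Understand Microsoft Defender for servers` and `description: "Understand Microsoft Defender for servers"` (lines 4 to 6) is visible, while the file summary reports 1 addition and 1 deletion. Expand the collapsed lines so the edited line appears in the diff before this is approved.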
learn-pr/wwl-sci/understand-azure-defender-cloud-workload-protection/includes/2-understand-azure-defender-for-servers.md
Lines changed: 35 additions & 87 deletions
@@ -5,11 +5,11 @@ Microsoft Defender for Servers is available in two plans:
5
5
6
6
-**Microsoft Defender for Servers Plan 1** - deploys Microsoft Defender for Endpoint to your servers and provides these capabilities:
7
7
8
-
- Microsoft Defender for Endpoint licenses are charged per hour instead of per seat, lowering costs for protecting virtual machines only when they are in use.
9
-
- Microsoft Defender for Endpoint deploys automatically to all cloud workloads so that you know they're protected when they spin up.
10
-
- Alerts and vulnerability data from Microsoft Defender for Endpoint is shown in Microsoft Defender for Cloud
8
+
- Microsoft Defender for Endpoint licenses are charged per hour instead of per device, lowering costs for protecting virtual machines only when they are in use.
9
+
- Microsoft Defender for Endpoint deploys automatically to all cloud workloads so that you know they're protected when they spin up.
10
+
- Alerts and vulnerability data from Microsoft Defender for Endpoint is shown in Microsoft Defender for Cloud
11
11
12
-
-**Microsoft Defender for Servers Plan 2**(formerly Defender for Servers) - includes the benefits of Plan 1 and support for all of the other Microsoft Defender for Servers features.
12
+
-**Microsoft Defender for Servers Plan 2** - includes the benefits of Plan 1 and support for all of the other Microsoft Defender for Servers features.
13
13
14
14
To enable the Microsoft Defender for Servers plans:
15
15
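Review bot: line 10 (`- Alerts and vulnerability data from Microsoft Defender for Endpoint is shown in Microsoft Defender for Cloud`) is removed and re-added with no visible difference, yet it still carries a subject-verb mismatch and lacks a full stop; since the line is being touched anyway, change `is shown` to `are shown` and end the sentence. Lines 9 and 10 show identical text on both sides of the hunk, so the churn is presumably whitespace only; confirm that is intended rather than an editor artifact. The `per seat` to `per device` correction on line 8 and the removal of the stale `(formerly Defender for Servers)` parenthetical on line 12 (which also fixes the missing space after `**Plan 2**`) both look right.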
@@ -22,99 +22,47 @@ If you want to change the Defender for Servers plan:
22
22
In the Plan/Pricing column, select Change plan.
23
23
Select the plan that you want and select Confirm.
24
24
25
-
26
25
## Plan features
27
-
The following table describes what's included in each plan at a high level.
28
-
29
-
| Feature | Defender for Servers Plan 1| Defender for Servers Plan 2|
30
-
| :--- | :--- | :--- |
31
-
|Automatic onboarding for resources in Azure, AWS, GCP| Yes| Yes|
32
-
|Microsoft threat and vulnerability management| Yes| Yes|
33
-
|Flexibility to use Microsoft Defender for Cloud or Microsoft Defender portal| Yes| Yes|
34
-
|Integration of Microsoft Defender for Cloud and Microsoft Defender for Endpoint (alerts, software inventory, Vulnerability Assessment)| Yes| Yes|
35
-
|Log-analytics (500 MB free)|| Yes|
36
-
|Vulnerability Assessment using Qualys|| Yes|
37
-
|Threat detections: OS level, network layer, control plane|| Yes|
38
-
|Adaptive application controls|| Yes|
39
-
|File integrity monitoring|| Yes|
40
-
|Just-in time VM access|| Yes|
41
-
|Adaptive network hardening|| Yes|
42
26
27
+
Plan features are summarized in the table.
28
+
29
+
**Feature** | **Plan support** | **Details**
30
+
--- | --- | ---
31
+
**Multicloud and hybrid support** | Supported in Plan 1 and 2 | Defender for Servers can protect Azure VMs, AWS/GCP VMs, and on-premises machines connected to Microsoft Defender for Cloud.
32
+
**Defender for Endpoint automatic onboarding** | Supported in Plan 1 and 2 | Microsoft Defender for Cloud automatically onboards machines to Defender for Endpoint by installing the Defender for Endpoint extension on connected machines.
33
+
**Defender for Endpoint EDR** | Supported in Plan 1 and 2 | Supported endpoints receive near real-time threat detection using Defender for Endpoint's EDR capabilities.
34
+
**Threat detection (OS-level)** | Supported in Plan 1 and 2 | Defender for Endpoint integration provides OS-level threat detection.
35
+
**Integrated alerts and incidents** | Supported in Plan 1 and 2 | Defender for Endpoint alerts and incidents for connected machines are displayed in Microsoft Defender for Cloud, with drill-down in the Defender portal.
36
+
**Threat detection (Azure network layer)** | Supported in Plan 2 only | Agentless detection identifies threats directed at the control plane on the network, including network-based security alerts for Azure VMs.
37
+
**Software inventory discovery** | Supported in Plan 1 and 2 | Software inventory discovery (provided by Defender Vulnerability Management) is integrated into Defender for Cloud.
38
+
**Vulnerability scanning (agent-based)** | Supported in Plan 1 and 2 | The Defender for Endpoint agent allows Defender for Servers to assess machines for vulnerabilities with Defender Vulnerability Management.
39
+
**Vulnerability scanning (agentless)** | Supported in Plan 2 only | As part of its agentless scanning capabilities, Defender for Cloud provides agentless vulnerability assessment, using Defender Vulnerability Management. Agentless assessment is in addition to agent-based vulnerability scanning.
40
+
**OS baseline misconfigurations** | OS recommendations based on Linux and Windows compute security baselines are supported in Plan 2 only. Other MCSB recommendations in Defender for Cloud continue to be included in free foundational posture management. | Defender for Cloud assesses and enforces security configurations using built-in Azure policy initiatives, including its default Microsoft Cloud Security Benchmark (MCSB) initiative. Defender for Servers collects machine information using the Azure machine configuration extension.
41
+
**Regulatory compliance assessment** | Supported in Plan 1 and 2 | As part of its free foundational posture management, Defender for Cloud provides a couple of default compliance standards. If you have a Defender for Servers plan enabled (or any other paid plan), you can enable other compliance standards.
42
+
**OS system updates** | Supported in Plan 2 only | Defender for Servers assesses machine to check that updates and patches are installed. It uses Azure Update Manager to gather update information. To take advantage of Azure Update integration in Defender for Servers Plan 2, on-premises, AWS, and GCP machines should be onboarded with Azure Arc.
43
+
**Defender for Vulnerability Management premium features** | Supported in Plan 2 only | Defender for Servers Plan 2 includes premium features in Defender Vulnerability Management. Premium features include certificate assessments, OS security baseline assessments, and more, and are available in the Defender portal only.
44
+
**Malware scanning (agentless)** | Supported in Plan 2 only | In addition to the next-generation anti-malware protection provided by the Defender for Endpoint integration, Defender for Servers Plan 2 provides malware scanning as part of its agentless scanning capabilities.
45
+
**Machine secrets scanning (agentless)** | Supported in Plan 2 only | As part of its agentless secrets scanning capabilities, Defender for Cloud provides machine secrets scanning to locate plain text secrets on machines. Secrets scanning is also available with the Defender Cloud Security Posture Management (CSPM) plan.
46
+
**File integrity monitoring** | Supported in Plan 2 only | File integrity monitoring examines files and registries for changes that might indicate an attack. You configure file integrity monitoring after enabling Defender for Servers Plan 2. File integrity monitoring uses the Defender for Endpoint extension to collect information. The previous collection method that used the MMA is now deprecated.
47
+
**Just-in-time virtual machine access** | Supported in Plan 2 only | Just-in-time virtual machine access locks down machine ports to reduce the attack surface.
48
+
**Network map** | Supported in Plan 2 only | The network map provides a geographical view of recommendations for hardening your network resources.
49
+
**Free data ingestion (500 MB)** | Supported in Plan 2 only | Free data ingestion is available for specific data types in Log Analytics workspaces.
43
50
44
51
## What are the benefits of Defender for Servers?
45
-
The threat detection and protection capabilities provided with Microsoft Defender for Servers include:
46
-
47
-
-**Integrated license for Microsoft Defender for Endpoint** - Microsoft Defender for Servers includes Microsoft Defender for Endpoint. Together, they provide comprehensive endpoint detection and response (EDR) capabilities. When you enable Microsoft Defender for Servers, Defender for Cloud gets access to the Microsoft Defender for Endpoint data that is related to vulnerabilities, installed software, and alerts for your endpoints.
48
-
49
-
When Defender for Endpoint detects a threat, it triggers an alert. The alert is shown in Defender for Cloud. From Defender for Cloud, you can also pivot to the Defender for Endpoint console, and perform a detailed investigation to uncover the scope of the attack.
50
-
51
-
-**Vulnerability assessment tools for machines** - Microsoft Defender for Servers includes a choice of vulnerability discovery and management tools for your machines. From Defender for Cloud's settings pages, you can select the tools to deploy to your machines. The discovered vulnerabilities are shown in a security recommendation.
52
-
53
-
-**Microsoft threat and vulnerability management** - Discover vulnerabilities and misconfigurations in real time with Microsoft Defender for Endpoint, and without the need of other agents or periodic scans. Threat and vulnerability management prioritizes vulnerabilities according to the threat landscape, detections in your organization, sensitive information on vulnerable devices, and the business context.
54
-
55
-
-**Vulnerability scanner powered by Qualys** - The Qualys scanner is one of the leading tools for real-time identification of vulnerabilities in your Azure and hybrid virtual machines. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Defender for Cloud.
56
-
57
-
-**Just-in-time (JIT) virtual machine (VM) access** - Threat actors actively hunt accessible machines with open management ports, like RDP or SSH. All of your virtual machines are potential targets for an attack. When a VM is successfully compromised, it's used as the entry point to attack further resources within your environment.
58
-
59
-
When you enable Microsoft Defender for Servers, you can use just-in-time VM access to lock down the inbound traffic to your VMs. Keeping remote access ports closed until needed reduces exposure to attacks and provides easy access to connect to VMs when needed.
60
-
61
-
-**File integrity monitoring (FIM)** - File integrity monitoring (FIM), also known as change monitoring, examines files and registries of operating system, application software, and others for changes that might indicate an attack. A comparison method is used to determine if the current state of the file is different from the last scan of the file. You can use this comparison to determine if valid or suspicious modifications have been made to your files.
62
-
63
-
When you enable Microsoft Defender for Servers, you can use FIM to validate the integrity of Windows files, your Windows registries, and Linux files.
64
-
65
-
-**Adaptive application controls (AAC)** - Adaptive application controls are an intelligent and automated solution for defining allowlists of known-safe applications for your machines.
66
-
67
-
After you enable and configure adaptive application controls, you get security alerts if any application runs other than the ones you defined as safe.
68
52
69
-
-**Adaptive network hardening (ANH)** - Applying network security groups (NSG) to filter traffic to and from resources, improves your network security posture. However, there can still be some cases in which the actual traffic flowing through the NSG is a subset of the NSG rules defined. In these cases, further improving the security posture can be achieved by hardening the NSG rules, based on the actual traffic patterns.
70
-
71
-
Adaptive network hardening provides recommendations to further harden the NSG rules. It uses a machine learning algorithm that factors in actual traffic, known trusted configuration, threat intelligence, and other indicators of compromise. ANH then provides recommendations to allow traffic only from specific IP and port tuples.
72
-
73
-
-**Docker host hardening** - Microsoft Defender for Cloud identifies unmanaged containers hosted on IaaS Linux VMs, or other Linux machines running Docker containers. Defender for Cloud continuously assesses the configurations of these containers. It then compares them with the Center for Internet Security (CIS) Docker Benchmark. Defender for Cloud includes the entire ruleset of the CIS Docker Benchmark and alerts you if your containers don't satisfy any of the controls.
74
-
75
-
-**Fileless attack detection** - Fileless attacks inject malicious payloads into memory to avoid detection by disk-based scanning techniques. The attacker’s payload then persists within the memory of compromised processes and performs a wide range of malicious activities.
76
-
77
-
With fileless attack detection, automated memory forensic techniques identify fileless attack toolkits, techniques, and behaviors. This solution periodically scans your machine at runtime, and extracts insights directly from the memory of processes. Specific insights include the identification of:
78
-
- Well-known toolkits and crypto mining software
79
-
- Shellcode - a small piece of code typically used as the payload in the exploitation of a software vulnerability.
80
-
- Injected malicious executable in process memory
81
-
82
-
Fileless attack detection generates detailed security alerts that include descriptions with process metadata such as network activity. These details accelerate alert triage, correlation, and downstream response time. This approach complements event-based EDR solutions, and provides increased detection coverage.
83
-
84
-
85
-
86
-
-**Linux auditd alerts and Log Analytics agent integration (Linux only)** - The auditd system consists of a kernel-level subsystem, which is responsible for monitoring system calls. It filters them by a specified rule set, and writes messages for them to a socket. Defender for Cloud integrates functionalities from the auditd package within the Log Analytics agent. This integration enables collection of auditd events in all supported Linux distributions, without any prerequisites.
87
-
88
-
Log Analytics agent for Linux collects auditd records and enriches and aggregates them into events. Defender for Cloud continuously adds new analytics that use Linux signals to detect malicious behaviors on cloud and on-premises Linux machines. Similar to Windows capabilities, these analytics include tests that check for suspicious processes, dubious sign-in attempts, kernel module loading, and other activities. These activities can indicate a machine is either under attack or has been breached.
53
+
-**Protect multicloud and on-premises machines**: Defender for Servers protects Windows and Linux machines in multicloud environments (Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP)) and on-premises.
54
+
-**Centralize management and reporting**: Defender for Cloud offers a single view of monitored resources, including machines protected by Defender for Servers. Filter, sort, and cross-reference data to understand, investigate, and analyze machine security.
55
+
-**Integrate with Defender services**: Defender for Servers integrates with security capabilities provided by Defender for Endpoint and Microsoft Defender Vulnerability Management.
56
+
-**Improve posture and reduce risk**: Defender for Servers assesses the security posture of machines against compliance standards and provides security recommendations to remediate and improve security posture.
57
+
-**Benefit from agentless scanning**: Defender for Servers Plan 2 provides agentless machine scanning. Without an agent on endpoints, scan software inventory, assess machines for vulnerabilities, scan for machine secrets, and detect malware threats.
58
+
-**Protect against threats in near real-time**: Defender for Servers identifies and analyzes real-time threats and issues security alerts as needed.
59
+
-**Get intelligent threat detection**: Defender for Cloud evaluates events and detects threats using advanced security analytics and machine-learning technologies with multiple threat intelligence sources, including the Microsoft Security Response Center (MSRC).
89
60
90
61
## How does Defender for Servers collect data?
62
+
91
63
For Windows, Microsoft Defender for Cloud integrates with Azure services to monitor and protect your Windows-based machines. Defender for Cloud presents the alerts and remediation suggestions from all of these services in an easy-to-use format.
92
64
93
65
For Linux, Defender for Cloud collects audit records from Linux machines by using auditd, one of the most common Linux auditing frameworks.
94
66
95
67
For hybrid and multicloud scenarios, Defender for Cloud integrates with Azure Arc to ensure these non-Azure machines are seen as Azure resources.
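Review bot: the unchanged context at the end of the hunk (`For Linux, Defender for Cloud collects audit records from Linux machines by using auditd, ...`) is now at odds with the hunk's own changes: the `Linux auditd alerts and Log Analytics agent integration (Linux only)` paragraph is deleted, and the new `File integrity monitoring` row states that the collection method using the MMA is deprecated, so the `How does Defender for Servers collect data?` section should be revised in the same change instead of being left describing the agent-based path. Two smaller points in the added lines: the `OS system updates` row reads `assesses machine to check` (should be `machines`), and the `OS baseline misconfigurations` row places a two-sentence explanation in the `Plan support` column while every other row keeps a short `Supported in ...` phrase there; move the MCSB sentence into `Details` so the column stays scannable. The replacement table also drops the leading and trailing pipes the old table used; it renders either way, but keep one table style across the module.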