Merge pull request #50389 from v-thpra/azure-triage-fix-1044281

denrea · web-flow · commit 9d95436d1f6a · 2025-05-19T12:40:25.000-07:00
Technical Review 1044281: Use a framework to identify threats and find ways to reduce or eliminate risk
diff --git a/learn-pr/azure/tm-use-a-framework-to-identify-threats-and-find-ways-to-reduce-or-eliminate-risk/1-introduction.yml b/learn-pr/azure/tm-use-a-framework-to-identify-threats-and-find-ways-to-reduce-or-eliminate-risk/1-introduction.yml
@@ -4,7 +4,7 @@ title: Introduction
 metadata:
   title: Introduction
   description: Learn how to secure your system with a threat modeling framework
-  ms.date: 07/17/2023
+  ms.date: 05/12/2025
   author: rodsan
   ms.author: rodsan
   ms.topic: unit
diff --git a/learn-pr/azure/tm-use-a-framework-to-identify-threats-and-find-ways-to-reduce-or-eliminate-risk/1b-threat-modeling-framework.yml b/learn-pr/azure/tm-use-a-framework-to-identify-threats-and-find-ways-to-reduce-or-eliminate-risk/1b-threat-modeling-framework.yml
@@ -4,7 +4,7 @@ title: Threat modeling framework
 metadata:
   title: Threat modeling framework
   description: Learn about each threat category with their corresponding security controls
-  ms.date: 07/17/2023
+  ms.date: 05/12/2025
   author: rodsan
   ms.author: rodsan
   ms.topic: unit
diff --git a/learn-pr/azure/tm-use-a-framework-to-identify-threats-and-find-ways-to-reduce-or-eliminate-risk/2-spoofing-pretending-to-be-someone-or-something-else.yml b/learn-pr/azure/tm-use-a-framework-to-identify-threats-and-find-ways-to-reduce-or-eliminate-risk/2-spoofing-pretending-to-be-someone-or-something-else.yml
@@ -4,7 +4,7 @@ title: Spoofing - pretending to be someone or something else
 metadata:
   title: Spoofing - pretending to be someone or something else
   description: Learn about Spoofing and its corresponding security control
-  ms.date: 07/17/2023
+  ms.date: 05/12/2025
   author: rodsan
   ms.author: rodsan
   ms.topic: unit
@@ -16,12 +16,12 @@ quiz:
   questions:
   - content: "Which statement describes a potential security control against spoofing?"
     choices:
-    - content: "Sender digitally signs a message so the receiver knows who the message came from"
+    - content: "Sender digitally signs a message so the receiver knows who the message came from."
       isCorrect: true
-      explanation: "This message applies to spoofing"
-    - content: "System logs all actions and users to keep everyone accountable"
+      explanation: "This message applies to spoofing."
+    - content: "System logs all actions and users to keep everyone accountable."
       isCorrect: false
-      explanation: "This statement applies to repudiation"
-    - content: "System grants administrative access to users listed on the access control list"
+      explanation: "This statement applies to repudiation."
+    - content: "System grants administrative access to users listed on the access control list."
       isCorrect: false
-      explanation: "This statement applies to tampering, information disclosure, denial of service and elevation of privilege "
+      explanation: "This statement applies to tampering, information disclosure, denial of service and elevation of privilege."
diff --git a/learn-pr/azure/tm-use-a-framework-to-identify-threats-and-find-ways-to-reduce-or-eliminate-risk/3-tampering-changing-data-without-authorization.yml b/learn-pr/azure/tm-use-a-framework-to-identify-threats-and-find-ways-to-reduce-or-eliminate-risk/3-tampering-changing-data-without-authorization.yml
@@ -4,7 +4,7 @@ title: Tampering - changing data without authorization
 metadata:
   title: Tampering - changing data without authorization
   description: Learn about Tampering and its corresponding security control
-  ms.date: 07/17/2023
+  ms.date: 05/12/2025
   author: rodsan
   ms.author: rodsan
   ms.topic: unit
@@ -16,12 +16,12 @@ quiz:
   questions:
   - content: "Which statement describes a potential security control against tampering?"
     choices:
-    - content: "Sender encrypts the attachment of an email so the receiver knows it came from them"
+    - content: "Sender encrypts the attachment of an email so the receiver knows it came from them."
       isCorrect: false
-      explanation: "Encrypting the attachment isn't enough. Digitally sign a message to ensure tampering doesn't happen"
-    - content: "System logs all actions and users to keep everyone accountable"
+      explanation: "Encrypting the attachment isn't enough. Digitally sign a message to ensure tampering doesn't happen."
+    - content: "System logs all actions and users to keep everyone accountable."
       isCorrect: false
-      explanation: "This statement applies to repudiation"
-    - content: "System grants administrative access to users listed on the access control list"
+      explanation: "This statement applies to repudiation."
+    - content: "System grants administrative access to users listed on the access control list."
       isCorrect: true
-      explanation: "This statement applies to tampering, information disclosure, denial of service and elevation of privilege "
+      explanation: "This statement applies to tampering, information disclosure, denial of service and elevation of privilege."
diff --git a/learn-pr/azure/tm-use-a-framework-to-identify-threats-and-find-ways-to-reduce-or-eliminate-risk/4-repudiation-not-claiming-responsibility-for-an-action-taken.yml b/learn-pr/azure/tm-use-a-framework-to-identify-threats-and-find-ways-to-reduce-or-eliminate-risk/4-repudiation-not-claiming-responsibility-for-an-action-taken.yml
@@ -4,7 +4,7 @@ title: Repudiation - not claiming responsibility for an action taken
 metadata:
   title: Repudiation - not claiming responsibility for an action taken
   description: Learn about Repudiation and its corresponding security control
-  ms.date: 07/17/2023
+  ms.date: 05/12/2025
   author: rodsan
   ms.author: rodsan
   ms.topic: unit
@@ -16,12 +16,12 @@ quiz:
   questions:
   - content: "Which statement describes a potential security control against repudiation?"
     choices:
-    - content: "Sender digitally signs a message so the receiver knows who the message came from"
+    - content: "Sender digitally signs a message so the receiver knows who the message came from."
       isCorrect: false
-      explanation: "This message applies to spoofing"
-    - content: "System logs all actions and users to keep everyone accountable"
+      explanation: "This message applies to spoofing."
+    - content: "System logs all actions and users to keep everyone accountable."
       isCorrect: true
-      explanation: "This statement applies to repudiation"
-    - content: "System grants administrative access to users listed on the access control list"
+      explanation: "This statement applies to repudiation."
+    - content: "System grants administrative access to users listed on the access control list."
       isCorrect: false
-      explanation: "This statement applies to tampering, information disclosure, denial of service and elevation of privilege "
+      explanation: "This statement applies to tampering, information disclosure, denial of service and elevation of privilege."
diff --git a/learn-pr/azure/tm-use-a-framework-to-identify-threats-and-find-ways-to-reduce-or-eliminate-risk/5-information-disclosure-seeing-data-i-am-not-supposed-to-see.yml b/learn-pr/azure/tm-use-a-framework-to-identify-threats-and-find-ways-to-reduce-or-eliminate-risk/5-information-disclosure-seeing-data-i-am-not-supposed-to-see.yml
@@ -4,7 +4,7 @@ title: Information disclosure - seeing data I'm not supposed to see
 metadata:
   title: Information disclosure - seeing data I'm not supposed to see
   description: Learn about Information Disclosure and its corresponding security control
-  ms.date: 07/17/2023
+  ms.date: 05/12/2025
   author: rodsan
   ms.author: rodsan
   ms.topic: unit
@@ -18,10 +18,10 @@ quiz:
     choices:
     - content: "Sender digitally signs a message so the receiver knows who the message came from."
       isCorrect: false
-      explanation: "This message applies to spoofing"
+      explanation: "This message applies to spoofing."
     - content: "System grants administrative access to users listed on the access control list."
       isCorrect: true
-      explanation: "This statement applies to tampering, information disclosure, denial of service and elevation of privilege"
+      explanation: "This statement applies to tampering, information disclosure, denial of service and elevation of privilege."
     - content: "System logs all actions and users to keep everyone accountable."
       isCorrect: false
-      explanation: "This statement applies to repudiation"
+      explanation: "This statement applies to repudiation."
diff --git a/learn-pr/azure/tm-use-a-framework-to-identify-threats-and-find-ways-to-reduce-or-eliminate-risk/6-denial-of-service-overwhelming-the-system.yml b/learn-pr/azure/tm-use-a-framework-to-identify-threats-and-find-ways-to-reduce-or-eliminate-risk/6-denial-of-service-overwhelming-the-system.yml
@@ -4,7 +4,7 @@ title: Denial of Service - overwhelming the system
 metadata:
   title: Denial of Service - Overwhelming the System
   description: Learn about Denial of Service and its corresponding security control
-  ms.date: 07/17/2023
+  ms.date: 05/12/2025
   author: rodsan
   ms.author: rodsan
   ms.topic: unit
@@ -16,12 +16,12 @@ quiz:
   questions:
   - content: "Which statement describes a potential security control against denial of service?"
     choices:
-    - content: "Sender digitally signs a message so the receiver knows who the message came from"
+    - content: "Sender digitally signs a message so the receiver knows who the message came from."
       isCorrect: false
-      explanation: "This message applies to spoofing"
-    - content: "System logs all actions and users to keep everyone accountable"
+      explanation: "This message applies to spoofing."
+    - content: "System logs all actions and users to keep everyone accountable."
       isCorrect: false
-      explanation: "This statement applies to repudiation"
-    - content: "System relies on elastic resources to handle more requests as they arrive"
+      explanation: "This statement applies to repudiation."
+    - content: "System relies on elastic resources to handle more requests as they arrive."
       isCorrect: true
-      explanation: "This statement applies to denial of service"
+      explanation: "This statement applies to denial of service."
diff --git a/learn-pr/azure/tm-use-a-framework-to-identify-threats-and-find-ways-to-reduce-or-eliminate-risk/7-elevation-of-privilege-having-permissions-i-should-not-have.yml b/learn-pr/azure/tm-use-a-framework-to-identify-threats-and-find-ways-to-reduce-or-eliminate-risk/7-elevation-of-privilege-having-permissions-i-should-not-have.yml
@@ -4,7 +4,7 @@ title: Elevation of privilege - having permissions I should not have
 metadata:
   title: Elevation of Privilege - Having Permissions I Should Not Have
   description: Learn about Elevation of Privilege and its corresponding security control
-  ms.date: 07/17/2023
+  ms.date: 05/12/2025
   author: rodsan
   ms.author: rodsan
   ms.topic: unit
@@ -16,12 +16,12 @@ quiz:
   questions:
   - content: "Which statement describes a potential security control against elevation of privilege?"
     choices:
-    - content: "System runs a process with the least possible amount of privilege"
+    - content: "System runs a process with the least possible amount of privilege."
       isCorrect: true
-      explanation: "This statement applies to elevation of privilege"
-    - content: "Sender digitally signs a message so the receiver knows who the message came from"
+      explanation: "This statement applies to elevation of privilege."
+    - content: "Sender digitally signs a message so the receiver knows who the message came from."
       isCorrect: false
-      explanation: "This message applies to spoofing"
-    - content: "System logs all actions and users to keep everyone accountable"
+      explanation: "This message applies to spoofing."
+    - content: "System logs all actions and users to keep everyone accountable."
       isCorrect: false
-      explanation: "This statement applies to repudiation"
+      explanation: "This statement applies to repudiation."
diff --git a/learn-pr/azure/tm-use-a-framework-to-identify-threats-and-find-ways-to-reduce-or-eliminate-risk/8-summary.yml b/learn-pr/azure/tm-use-a-framework-to-identify-threats-and-find-ways-to-reduce-or-eliminate-risk/8-summary.yml
@@ -3,8 +3,8 @@ uid: learn.tm-use-a-framework-to-identify-threats-and-find-ways-to-reduce-or-eli
 title: Summary
 metadata:
   title: Summary
-  description: Review what you've learned about each threat category with their corresponding security controls
-  ms.date: 07/17/2023
+  description: Review what you learned about each threat category with their corresponding security controls.
+  ms.date: 05/12/2025
   author: rodsan
   ms.author: rodsan
   ms.topic: unit
diff --git a/learn-pr/azure/tm-use-a-framework-to-identify-threats-and-find-ways-to-reduce-or-eliminate-risk/includes/1-introduction.md b/learn-pr/azure/tm-use-a-framework-to-identify-threats-and-find-ways-to-reduce-or-eliminate-risk/includes/1-introduction.md
@@ -19,7 +19,7 @@ Using the framework, you're able to answer questions like:
 - How do I know someone can't change data in transit, in use, or at rest?
 - Can every action be tied to an identity?
 - How do I know someone can't see data in transit, in use, or at rest?
-- Are there areas in the system where resource is limited?
+- Are there areas in the system where resources are limited?
 - How do I know someone is allowed to take this action?
 
 In this module, you learn about each threat category and its corresponding security controls.
diff --git a/learn-pr/azure/tm-use-a-framework-to-identify-threats-and-find-ways-to-reduce-or-eliminate-risk/includes/2-spoofing-pretending-to-be-someone-or-something-else.md b/learn-pr/azure/tm-use-a-framework-to-identify-threats-and-find-ways-to-reduce-or-eliminate-risk/includes/2-spoofing-pretending-to-be-someone-or-something-else.md
@@ -3,7 +3,7 @@
 Examples include:
 
 - An attacker sends an email to users from an account that seems legitimate with malicious links and attachments to capture their credentials, data, and device access.
-- An attacker spoofs SSIDs and IP addresses while using open and inherently insecure TCP/IP protocols to send malicious payloads to victims.
+- An attacker spoofs Service Set Identifiers (SSIDs) and IP addresses while using open and inherently insecure TCP/IP protocols to send malicious payloads to victims.
 
 ## Elements and interactions at risk from spoofing attacks
 
@@ -29,8 +29,8 @@ Examples include:
 Examples include:
 
 - Sending and receiving messages signed with digital signatures to authenticate origin and ensure message integrity.
-- Securing data transmissions with SSL/TLS to encrypt traffic between source and target.
-- The use of unique credentials with expiring tokens, passwords, or multi-factor authentication to help secure user, admin, and service accounts.
+- Securing data transmissions with TLS/SSL to encrypt traffic between source and target.
+- The use of unique credentials with expiring tokens, passwords, or multifactor authentication to help secure user, admin, and service accounts.
 
 ### Common security controls to reduce or eliminate risk
 
@@ -45,7 +45,7 @@ For your system:
 - User Authentication
 - Cookie Authentication
 - Kerberos
-- SSL/TLS
+- TLS/SSL
 - Certificates
 - IPSec
 - Digitally Signed Packets
diff --git a/learn-pr/azure/tm-use-a-framework-to-identify-threats-and-find-ways-to-reduce-or-eliminate-risk/includes/3-tampering-changing-data-without-authorization.md b/learn-pr/azure/tm-use-a-framework-to-identify-threats-and-find-ways-to-reduce-or-eliminate-risk/includes/3-tampering-changing-data-without-authorization.md
@@ -14,26 +14,26 @@ Examples include:
 
 |Name|Shape|Definition|
 |----|-----|----------|
-|Process|![Process.](../media/process50.png)|Activity that modifies or redirects input to an output|
-|Data store|![Data store.](../media/data-store50.png)|Permanent or temporary data storage|
-|Data-flow|![Data-flow.](../media/data-flow50.png)|Data movement between elements|
+|Process|![Process.](../media/process50.png)|Activity that modifies or redirects input to an output.|
+|Data store|![Data store.](../media/data-store50.png)|Permanent or temporary data storage.|
+|Data-flow|![Data-flow.](../media/data-flow50.png)|Data movement between elements.|
 
 ### Interaction
 
 |Name|Interaction|Definition|
 |----|-----------|----------|
-|Process <-> Data store|![Process to Data Store Interaction.](../media/process-datastore.png)|A task sends or receives data to or from a data store|
-|Data-flow <-> Trust boundary|![Data-Flow to Trust Boundary Interaction.](../media/flow-trustboundary.png)|Data is transmitted from a trusted environment to someone over the internet (and vice-versa)|
+|Process <-> Data store|![Process to Data Store Interaction.](../media/process-datastore.png)|A task sends or receives data to or from a data store.|
+|Data-flow <-> Trust boundary|![Data-Flow to Trust Boundary Interaction.](../media/flow-trustboundary.png)|Data is transmitted from a trusted environment to someone over the internet (and vice-versa).|
 
 ## How to prevent tampering
 
 **Integrity** prevents data from being maliciously modified. Examples include:
 
-- Validating input to prevent the processing of malicious payloads and mishandling of unexpected behavior
-- Signing messages with digital signatures to ensure messages aren't tampered with
-- Using access-control lists to apply permissions
-- Using SSL/TLS to secure transmission
-- Creating an IPSec tunnel to secure communication between endpoints
+- Validating input to prevent the processing of malicious payloads and mishandling of unexpected behavior.
+- Signing messages with digital signatures to ensure messages aren't tampered with.
+- Using access-control lists to apply permissions.
+- Using TLS/SSL to secure transmission.
+- Creating an IPSec tunnel to secure communication between endpoints.
 
 ### Common security controls to reduce or eliminate risk
 
diff --git a/learn-pr/azure/tm-use-a-framework-to-identify-threats-and-find-ways-to-reduce-or-eliminate-risk/includes/4-repudiation-not-claiming-responsibility-for-an-action-taken.md b/learn-pr/azure/tm-use-a-framework-to-identify-threats-and-find-ways-to-reduce-or-eliminate-risk/includes/4-repudiation-not-claiming-responsibility-for-an-action-taken.md
@@ -23,9 +23,9 @@ Examples include:
 
 |Name|Interaction|Definition|
 |----|-----------|----------|
-|Process <-> Process|![Process to Process Interaction.](../media/process-process.png)|A task sends or receives data to or from another task|
-|Process <-> External Entity|![Process to External Entity Interaction.](../media/process-externalentity.png)|A task sends or receives data to or from a user|
-|Process <-> Data Store|![Process to Data Store Interaction.](../media/process-datastore.png)|A task sends or receives data to or from a data store|
+|Process <-> Process|![Process to Process Interaction.](../media/process-process.png)|A task sends or receives data to or from another task.|
+|Process <-> External Entity|![Process to External Entity Interaction.](../media/process-externalentity.png)|A task sends or receives data to or from a user.|
+|Process <-> Data Store|![Process to Data Store Interaction.](../media/process-datastore.png)|A task sends or receives data to or from a data store.|
 
 ## How to prevent repudiation
 
diff --git a/learn-pr/azure/tm-use-a-framework-to-identify-threats-and-find-ways-to-reduce-or-eliminate-risk/includes/5-information-disclosure-seeing-data-i-am-not-supposed-to-see.md b/learn-pr/azure/tm-use-a-framework-to-identify-threats-and-find-ways-to-reduce-or-eliminate-risk/includes/5-information-disclosure-seeing-data-i-am-not-supposed-to-see.md
@@ -1,4 +1,4 @@
-**Information disclosure** occurs when sensitive data is exposed to unauthorized individuals. It can happen with or without intention. 
+**Information disclosure** occurs when sensitive data is exposed to unauthorized individuals. It can happen with or without intention.
 
 Examples include:
 
@@ -12,18 +12,18 @@ Examples include:
 
 |Name|Shape|Definition|
 |----|-----|----------|
-|Process|![Process.](../media/process50.png)|Activity that modifies or redirects input to an output|
-|Data store|![Data Store.](../media/data-store50.png)|Permanent or temporary data storage|
-|Data-flow|![Data-Flow.](../media/data-flow50.png)|Data movement between elements|
+|Process|![Process.](../media/process50.png)|Activity that modifies or redirects input to an output.|
+|Data store|![Data Store.](../media/data-store50.png)|Permanent or temporary data storage.|
+|Data-flow|![Data-Flow.](../media/data-flow50.png)|Data movement between elements.|
 
 ### Interaction
 
 |Name|Interaction|Definition|
 |----|-----------|----------|
-|Process -> Process|![Process to Process Unilateral Interaction.](../media/process-process-unilateral.png)|A task sends data to another task|
-|Process <-> External entity|![Process to External Entity Interaction.](../media/process-externalentity.png)|A task sends or receives data to or from a user|
-|Process <-> Data store|![Process to Data Store Interaction.](../media/process-datastore.png)|A task sends or receives data to or from a data store|
-|Data Flow <-> Trust boundary|![Data-Flow to Trust Boundary Interaction.](../media/flow-trustboundary.png)|Data is transmitted from a trusted environment to someone over the internet (and vice-versa)|
+|Process -> Process|![Process to Process Unilateral Interaction.](../media/process-process-unilateral.png)|A task sends data to another task.|
+|Process <-> External entity|![Process to External Entity Interaction.](../media/process-externalentity.png)|A task sends or receives data to or from a user.|
+|Process <-> Data store|![Process to Data Store Interaction.](../media/process-datastore.png)|A task sends or receives data to or from a data store.|
+|Data Flow <-> Trust boundary|![Data-Flow to Trust Boundary Interaction.](../media/flow-trustboundary.png)|Data is transmitted from a trusted environment to someone over the internet (and vice-versa).|
 
 ## How to prevent information disclosure
 
@@ -33,7 +33,7 @@ Examples include:
 
 - Applying access-control lists to ensure the right users can access the right data.
 - Encrypting data at rest, in transit, and in use.
-- Enforcing SSL/TLS to secure transmission.
+- Enforcing TLS/SSL to secure transmission.
 - Using IPSec tunnels to secure communication across endpoints.
 
 ### Common security controls to reduce or eliminate risk
diff --git a/learn-pr/azure/tm-use-a-framework-to-identify-threats-and-find-ways-to-reduce-or-eliminate-risk/includes/6-denial-of-service-overwhelming-the-system.md b/learn-pr/azure/tm-use-a-framework-to-identify-threats-and-find-ways-to-reduce-or-eliminate-risk/includes/6-denial-of-service-overwhelming-the-system.md
diff --git a/learn-pr/azure/tm-use-a-framework-to-identify-threats-and-find-ways-to-reduce-or-eliminate-risk/includes/7-elevation-of-privilege-having-permissions-i-should-not-have.md b/learn-pr/azure/tm-use-a-framework-to-identify-threats-and-find-ways-to-reduce-or-eliminate-risk/includes/7-elevation-of-privilege-having-permissions-i-should-not-have.md
diff --git a/learn-pr/azure/tm-use-a-framework-to-identify-threats-and-find-ways-to-reduce-or-eliminate-risk/index.yml b/learn-pr/azure/tm-use-a-framework-to-identify-threats-and-find-ways-to-reduce-or-eliminate-risk/index.yml
