Merge pull request #50592 from lootle1/MR107

Technical Review 1055039: Use recommended tools to create a data-flow…

Author: AnnaMHuff

learn-pr/azure/tm-use-recommended-tools-to-create-a-data-flow-diagram/1-introduction.yml

@@ -4,7 +4,7 @@ title: Introduction
 metadata:
   title: Introduction
   description: Learn about the different tools you can use to create your data-flow diagrams
-  ms.date: 05/31/2023
+  ms.date: 05/22/2025
   author: rodsan
   ms.author: rodsan
   ms.topic: unit

learn-pr/azure/tm-use-recommended-tools-to-create-a-data-flow-diagram/1b-recommended-tools.yml

@@ -4,7 +4,7 @@ title: Recommended tools
 metadata:
   title: Recommended Tools
   description: Learn about the three recommended tools you can use to create your data-flow diagrams
-  ms.date: 05/31/2023
+  ms.date: 05/22/2025
   author: rodsan
   ms.author: rodsan
   ms.topic: unit

learn-pr/azure/tm-use-recommended-tools-to-create-a-data-flow-diagram/2-threat-modeling-tool.yml

@@ -4,7 +4,7 @@ title: Threat modeling tool
 metadata:
   title: Threat Modeling Tool
   description: Learn about the Threat Modeling Tool
-  ms.date: 05/31/2023
+  ms.date: 05/22/2025
   author: rodsan
   ms.author: rodsan
   ms.topic: unit
@@ -19,7 +19,7 @@ quiz:
     - content: "Generated threats are based on the entire diagram, not just each element or each individual interaction."
       isCorrect: true
       explanation: "The tool only looks at individual elements and single interactions"
-    - content: "Threats, stencils and stencil properties can be changed."
+    - content: "Threats, stencils, and stencil properties can be changed."
       isCorrect: false
       explanation: "The fields can be changed"
     - content: "Ways to reduce or eliminate risk are included with each generated threat."

learn-pr/azure/tm-use-recommended-tools-to-create-a-data-flow-diagram/3-visio.yml

@@ -4,7 +4,7 @@ title: Visio
 metadata:
   title: Visio
   description: Learn about Visio
-  ms.date: 05/31/2023
+  ms.date: 05/22/2025
   author: rodsan
   ms.author: rodsan
   ms.topic: unit

learn-pr/azure/tm-use-recommended-tools-to-create-a-data-flow-diagram/5-summary.yml

@@ -4,7 +4,7 @@ title: Summary
 metadata:
   title: Summary
   description: Review what you've learned about the recommended tools to help you create data-flow diagrams
-  ms.date: 05/31/2023
+  ms.date: 05/22/2025
   author: rodsan
   ms.author: rodsan
   ms.topic: unit

learn-pr/azure/tm-use-recommended-tools-to-create-a-data-flow-diagram/includes/1-introduction.md

@@ -1,16 +1,12 @@
-A data-flow diagram is a graphical representation of how your system works. It includes all data stores, processes, external entities, trust boundaries, and data-flows.
+A data-flow diagram is a graphical representation of how your system works. It includes all data stores, processes, external entities, trust boundaries, and data-flows. Using these diagrams helps all users in your organization collaborate to enhance your threat modeling work.
 
-## How to create a data-flow diagram
+## Creating a data-flow diagram
 
 You can use any canvas, physical or virtual, to create a data-flow diagram. However, you do need a working knowledge of threat modeling to analyze it properly.
 
-Some applications provide you with the tools create a data-flow diagram with a threat-generation engine and risk-reduction strategies. Other tools only provide you with the ability to create a data-flow diagram.
+Some applications provide you with the tools to create a data-flow diagram alongside a threat-generation engine and risk-reduction strategies. Other tools only provide you with the ability to create a data-flow diagram.
 
-## Goals
-
-The goal of this learning path is to teach you the fundamentals of threat modeling for you to threat model anywhere, on any canvas.
-
-To help you get there, we recommend a few tools along the way.
+The goal of this learning path is to teach you the fundamentals of threat modeling allowing you to threat model on any canvas. We also recommend a couple tools along the way to assist.
 
 ## Learning objectives
 

learn-pr/azure/tm-use-recommended-tools-to-create-a-data-flow-diagram/includes/1b-recommended-tools.md

@@ -1,10 +1,15 @@
-Threat modeling takes your data-flow diagram and applies a framework to help find threats and ways to reduce or eliminate risk.
+Threat modeling takes your data-flow diagram and applies a framework to help find threats and ways to reduce or eliminate risk. It helps meet security goals early in the development lifecycle and secures your systems, applications, networks, and services.
 
-Some tools help you create a data-flow diagram, while others also help with the threat-generation exercise. Depending on your level of expertise with threat modeling, some of these tools can be helpful.
+Some tools help you create a data-flow diagram, while others also help with the threat-generation exercise. Your level of expertise with threat modeling may dictate which tool fits best. We'll look at two tools in the next couple units.
 
-## Learn more about threat modeling tools
+## Microsoft Threat Modeling Tool
 
-Over the next few units, we take a look at how:
+The Microsoft Threat Modeling Tool enables you to create data-flow diagrams. It allows anyone to communicate about the security design of their systems, analyze those designs for potential security issues, and suggest and manage mitigations for security issues.
 
-- The Microsoft Threat Modeling Tool enables you to create data-flow diagrams and analyze them for potential threats and risk-reduction strategies.
-- Visio gives you a clean canvas to help you create data-flow diagrams.
+We look at the different sections, stencils, and elements to see how the different properties work together. Then we analyze risk-reduction strategies to specify how threat generation works.
+
+## Visio
+
+Our other recommended tool is Visio. It gives you a clean canvas to create data-flow diagrams. With the Visio desktop and web applications, you can view, edit, and share Visio diagrams as well. You can also save them in Sharepoint or OneDrive to share with others.
+
+We talk about some of the basic functionality of Visio as well as pros and cons associated with the tool.

learn-pr/azure/tm-use-recommended-tools-to-create-a-data-flow-diagram/includes/2-threat-modeling-tool.md

@@ -1,54 +1,39 @@
-## Quick overview
+The Microsoft Threat Modeling Tool, recognized by the threat-modeling community, helps engineers create data-flow diagrams. It offers customizable templates and a threat-generation engine with threats and risk-reduction strategies.
 
-The Microsoft Threat Modeling Tool, recognized by the threat-modeling community, helps engineers create data-flow diagrams and apply STRIDE for their threat-modeling work.
+The default template is called *SDL TM Knowledge Base* and gives you a basic set of elements and threat-generation capabilities. All you need is a basic understanding of data-flow diagrams and STRIDE.
 
-The Threat Modeling Tool offers:
+### STRIDE
 
-- Customizable templates
-- Threat-generation engine with threats and risk-reduction strategies
+STRIDE is a model that categorizes security threats to help identify them. The Microsoft Threat Modeling Tool helps apply STRIDE for threat-modeling work. STRIDE is the acronym for the six major threat categories:
 
-The default template is called "SDL TM Knowledge Base" and gives you a basic set of elements and threat-generation capabilities. All you need is a basic understanding of data-flow diagrams and STRIDE.
+- **Spoofing**: Pretending to be someone or something else.
+- **Tampering**: Changing data without authorization.
+- **Repudiation**: Not claiming responsibility for an action taken.
+- **Information disclosure**: Seeing data without permission.
+- **Denial of service**: Overwhelming the system.
+- **Elevation of privilege**: Having permissions I shouldn't have.
 
-### STRIDE recap
-
-STRIDE is the acronym for the six major threat categories:
-
-- **Spoofing**: pretending to be someone or something else
-- **Tampering**: changing data without authorization
-- **Repudiation**: not claiming responsibility for an action taken
-- **Information disclosure**: seeing data without permission
-- **Denial of service**: overwhelming the system
-- **Elevation of privilege**: having permissions I shouldn't have
-
-## Advanced user section
-
-For more advanced users, you can customize the template across three main sections.
+With this in mind, you can customize your template across the areas we'll discuss next in stencils, threat properties, and risk reduction strategies.
 
 ### Stencils
 
-Process, external interactor, data store, data-flow, and trust boundaries make up the parent elements.
+Stencils are made up of parent stencils that include process, external interactor, data store, data-flow, and trust boundaries. They can be drag-and-dropped onto your canvas to build your data-flow diagram.
 
 :::image type="content" source="../media/parentstencils.jpg" alt-text="Screenshot of Parent Stencils." loc-scope="other":::
 
-You can also create child elements to help provide granularity for more context, actionable threat generation, and risk-reduction strategies.
+You can also create child stencils to help provide granularity for more context, actionable threat generation, and risk-reduction strategies.
 
 :::image type="content" source="../media/expandedflowstencils.jpg" alt-text="Screenshot of Expanded Flow Stencils." loc-scope="other":::
 
 #### Example of how child elements work
 
-The **data-flow** parent element gives you the option to choose between the **HTTP** and **HTTPS** child elements.
-
-HTTP should generate more threats because tampering, information disclosure, and spoofing threats are common with unencrypted channels.
-
-##### Using HTTP
+The **data-flow** parent element gives you the option to choose between the **HTTP** and **HTTPS** child elements. HTTP should generate more threats because tampering, information disclosure, and spoofing threats are common with unencrypted channels. Following are images of using HTTP vs. HTTPS.
 
 :::image type="content" source="../media/HTTP.JPG" alt-text="Screenshot illustrating the HTTP child element." loc-scope="other":::
 
-##### Using HTTPS
-
 :::image type="content" source="../media/HTTPS.JPG" alt-text="Screenshot illustrating the HTTPS child element." loc-scope="other":::
 
-#### How to add element properties
+#### Add element properties
 
 If you have other properties that must be included in the default template, you can add them to each element in the administrator view.
 
@@ -60,69 +45,47 @@ You can see the changes whenever you drag and drop that element onto the canvas.
 
 ### Threat properties
 
-Properties allow you to create fields that are filled out for each generated threat, just like stencil properties allow you to create fields for each element.
-
-Remember: the goal is to have as much context as possible in the simplest manner.
-
-#### Example of threat properties
+These properties allow you to create fields that are filled out for each generated threat, just like stencil properties allow you to create fields for each element. Remember, the goal is to have as much context as possible in the simplest manner.
 
-##### Administrator view
+### Administrator and User Views
 
-Add fields that give you more context and actionable steps. Examples include:
+Administrators can add fields that give you more context and actionable steps. Examples include:
 
-- **Issue priority**: understand which issues need to be worked on first.
-- **Hyperlinks**: link issues to online documentation.
-- **External risk mapping**: speak the same risk language of other organizations by using reliable third-party sources, such as OWASP Top 10 and CWE Details.
+- **Issue priority**: Understand which issues need to be worked on first.
+- **Hyperlinks**: Link issues to online documentation.
+- **External risk mapping**: Speak the same risk language of other organizations by using reliable third-party sources, such as OWASP (Open Worldwide Application Security Project) Top 10 and CWE (Common Weakness Enumeration) Details.
 
 :::image type="content" source="../media/ThreatAdminView.JPG" alt-text="Screenshot of the Threat Properties Admin View." loc-scope="other":::
 
-##### User view
-
-Threat Modeling Tool users see these changes whenever they analyze their data-flow diagrams.
+Then in the User view, the Threat Modeling Tool users see changes whenever they analyze their data-flow diagrams.
 
 :::image type="content" source="../media/ThreatUserView.JPG" alt-text="Screenshot of the Threat Properties User View." loc-scope="other":::
 
 ### Threats and risk reduction strategies
 
 This section is the heart of the threat modeling tool. The threat-generation engine looks at individual and connected elements to decide which threats to generate.
 
-#### How threat generation works
-
-##### Step 1 - Specify sources and targets
-
-The threat-generation engine uses simple sentences to generate a threat. Examples include:
-
-- target is [element name]
-- source is [element name]
+**Step 1 specifies sources and targets**. The threat-generation engine uses simple sentences to generate a threat. Examples include *target is [element name]* and *source is [element name]*. You can also use the element name on titles and descriptions. The format is *{target.Name}* or *{source.Name}*.
 
-You can also use the element name on titles and descriptions. The format is: '{target.Name}' or '{source.Name}'.
-
-##### Step 2 - Combine sources and targets
-
-You can be precise with the way a threat is generated. Combine targets, sources, and their individual properties with AND OR operators. Examples include:
+**Step 2 combines sources and targets**. You can be precise with the way a threat is generated. Combine targets, sources, and their individual properties with AND/OR operators. Examples include:
 
 - target.[property name] is 'Yes' **AND** source.[property name] is 'No'
 - flow crosses [trust boundary name]
 
-##### Step 3 - Generate or ignore threats
-
-The threat-generation engine uses two fields to generate or ignore a threat:
+**Step 3 generates or ignores threats**. The threat-generation engine uses two fields to generate or ignore a threat:
 
 - **Include**: A threat is generated if sentences added in this field are true.
 - **Exclude**: A threat isn't generated if sentences added in this field are true.
 
 Here's an actual example from the default template to bring these steps together:
 
-- **Threat:** Cross Site Scripting
-- **Include:** (target is [Web Server]) **OR** (target is [Web Application])
-- **Exclude:** (target.[Sanitizes Output] is 'Yes') **AND** (target.[Sanitizes Input] is 'Yes')
-
-The Cross Site Scripting threat in this example is **only** generated when:
+- **Threat**: Cross Site Scripting
+- **Include**: (target is [Web Server]) **OR** (target is [Web Application])
+- **Exclude**: (target.[Sanitizes Output] is 'Yes') **AND** (target.[Sanitizes Input] is 'Yes')
 
-- The process is either a Web Server or a Web Application
-- Input and output aren't sanitized
+The Cross Site Scripting threat in this example is only generated when the process is either a Web Server or a Web Application and Input and output aren't sanitized.
 
 :::image type="content" source="../media/IncludeExclude.JPG" alt-text="Screenshot of Include/Exclude view." loc-scope="other":::
 
 > [!NOTE]
-> Microsoft Threat Modeling Tool template creation is a complex topic and will not be fully discussed in this learning path.
+> Microsoft Threat Modeling Tool template creation is a complex topic and won't be fully discussed in this learning path.

learn-pr/azure/tm-use-recommended-tools-to-create-a-data-flow-diagram/includes/3-visio.md

@@ -1,12 +1,17 @@
-Microsoft Visio is recognized for its robust set of features to help anyone create quality flowcharts and data-flow diagrams.
+Microsoft Visio is recognized for its robust set of features to help anyone create quality flowcharts and data-flow diagrams. Visio tools help you visualize how an application or systems is organized towards threat modeling.
+
+You can use Visio to create flowcharts, basic network diagrams, Venn diagrams, block diagrams, and business matrices. All while being able to start quickly and in a collaborative manner. Let's look at some other pros to using Visio and review any cons.
 
 ## Pros
 
 Visio provides drag-and-drop functionality and the ability to annotate diagrams. Both are helpful when creating a diagram for your system.
 
+In addition, the tool is accessible for a wide variety of users. The intuitive interface and ease of use takes minimal time to learn and set up. It shares a familiar experience to other Microsoft 365 apps.
+
+It also includes templates for diagrams and flowcharts to help you start quickly. This alongside real-time collaboration, commenting, and sharing with the Visio web app or Visio app in Microsoft Teams makes it a valuable tool across your organization towards your threat modeling goals.
+
 ## Cons
 
 The application doesn't offer automated threat-modeling capabilities. As a result, there's no threat-generation engine to help engineers brainstorm threats and risk-reduction strategies.
 
-> [!NOTE]
-> If you use Visio, you'll be responsible for threat modeling each element and interaction manually.
+Also, when you use Visio you'll be responsible for threat modeling each element and interaction manually.

learn-pr/azure/tm-use-recommended-tools-to-create-a-data-flow-diagram/index.yml

@@ -1,18 +1,19 @@
 ### YamlMime:Module
 uid: learn.tm-use-recommended-tools-to-create-a-data-flow-diagram
 metadata:
-  title: Use recommended tools to create a data-flow diagram
+  title: Use Recommended Tools to Create a Data-Flow Diagram
   description: You can use any canvas, physical or virtual, to create a data-flow diagram. Engineers at Microsoft recommend three tools to help you in your threat modeling journey.
-  ms.date: 05/31/2023
+  ms.date: 05/22/2025
   author: rodsan
   ms.author: rodsan
   ms.topic: module
+  ms.service: azure-data-factory
 title: Use recommended tools to create a data-flow diagram
 summary: You can use any canvas, physical or virtual, to create a data-flow diagram. Engineers at Microsoft recommend a few tools to help you in your threat modeling journey.
 abstract: |
   In this module, you'll:
-  - Learn about the Threat Modeling Tool
-  - Learn more about Visio
+  - Learn about the Threat Modeling Tool.
+  - Learn more about Visio.
 prerequisites: None
 iconUrl: /training/achievements/use-recommended-tools-to-create-a-data-flow-diagram.svg
 levels: