Added Onboarding folder

Onboarding/Misc/Inventory.md

@@ -0,0 +1,17 @@
+# Inventory (for reporting purposes)
+
+Most enterprise customers today have deployed Azure Security Center at least to some extent in their organizations. In this case, they can use [Azure Resource Graph](https://docs.microsoft.com/en-us/azure/governance/resource-graph/) queries to get an overview of their current security state and answer the following questions:
+1.	How many subscriptions do I have?
+2.	How many of these subscriptions have been onboarded to ASC?
+3.	How many of these subscriptions have not yet been onboarded to ASC?
+4.	Which subscriptions have not yet been onboarded to ASC?
+5.	Which subscriptions are using ASC with Azure Defender fully enabled?
+6.	Which subscriptions are using ASC without Azure Defender fully enabled?
+7.	What is the coverage (On | On (partial) | Off) for Azure Defender across all of my subscriptions?
+8.	Which Azure Defender plans (Azure Defender for VMs, Azure Defender for KeyVaults, etc.) are enabled across all of my subscriptions?  
+
+The matching Azure Resource Graph queries can be found [here](https://github.com/Azure/Azure-Security-Center/tree/master/Kusto/Azure%20Resource%20Graph/Starter%20Kit%20-%20ASC%20Pricing).
+
+In order to run these Azure Resource Graph queries, we recommend that customers have at least *Security Admin* and *Reader* permissions on the appropriate management group level. For further details, refer to [Step #2 in Module 2 - Roles and permissions](./Modules/2-Roles-and-Permissions.md#step-2---assign-the-necessary-rbac-permissions-to-the-central-security-team).
+
+Running these queries is an optional step, but it helps to compare the customers current security state to the security state after rolling out and governing ASC centrally, and it may be useful for reporting progress to management.

Onboarding/Misc/Next-Steps.md

@@ -0,0 +1,17 @@
+# Next steps
+
+After successfully onboarding all enterprise subscriptions and customizing ASC to their needs, the customer’s central security team should regularly monitor the ASC Secure Score and see it as a key performance indicator for their security posture.
+
+The following articles can help customers to establish a routine in regularly checking ASC recommendations and alerts:
+*	[Monitor the security health of your Azure resources](https://docs.microsoft.com/en-us/azure/security-center/security-center-monitoring)
+*	[Manage security recommendations in Security Center](https://docs.microsoft.com/en-us/azure/security-center/security-center-recommendations)
+*	[Learn how to remediate recommendations](https://docs.microsoft.com/en-us/azure/security-center/security-center-remediate-recommendations)
+*	[Manage and respond to security alerts in Azure Security Center](https://docs.microsoft.com/en-us/azure/security-center/security-center-managing-and-responding-alerts)
+*	[Prevent misconfigurations with Enforce/Deny](https://docs.microsoft.com/en-us/azure/security-center/prevent-misconfigurations)
+*	[Deliver a Secure Score weekly briefing](https://techcommunity.microsoft.com/t5/azure-security-center/deliver-a-security-score-weekly-briefing/ba-p/1411515)
+
+
+<br />
+
+### &#8680; For some hands-on experience, we recommend to take one of our ASC Labs: [Azure Security Center Labs](https://github.com/Azure/Azure-Security-Center/tree/master/Labs)
+

Onboarding/Misc/Scheduled-Automation.md

@@ -0,0 +1,10 @@
+# Scheduled automation
+
+When using automation tools other than Azure Policy, customers need to ensure that commands and scripts run on a regular basis to keep their resources secure and their configurations up to date.
+
+The following table lists different options on how to run an automation regularly:
+Automation	| Options
+--- | ---
+Azure PowerShell	| 1)	Use Azure Functions <br /> 2)	Use Azure Automation <br /> 3) Use Azure DevOps and a scheduled pipeline with an Azure PowerShell task
+Azure CLI	| Use Azure DevOps and a scheduled pipeline with an Azure CLI task.
+Azure REST API	| 1)	Use a scheduled Logic App <li>Trigger: Recurrence (e.g., once per day)</li><li> Action: HTTP Request</li> 2)	Use Azure DevOps and a scheduled pipeline

Onboarding/Modules/1-Prerequisites.md

@@ -0,0 +1,47 @@
+# Module 1 - Prerequisites
+
+## Step #0 – Ensure the basic environment setup and knowledge are in place
+
+To follow the implementation steps in this document, it is necessary that customers have a solid understanding of Azure Security Center (ASC) and its basic functionality and features. They should also be familiar with the governance and automation options in Azure to successfully deploy ASC in their organization. We therefore assume that customers are familiar with the following concepts:
+
+* The customer understands the shared responsibility model and the threat landscape in the cloud.
+    * [Shared responsibility in the cloud](https://docs.microsoft.com/en-us/azure/security/fundamentals/shared-responsibility)
+    *	[Respond to today’s threats](https://docs.microsoft.com/en-us/azure/security-center/security-center-alerts-overview#respond-to-todays-threats--)
+    *	[The threat landscape](https://www.microsoftpressstore.com/articles/article.aspx?p=2992603&seqNum=4)
+*	The customer has defined and implemented a Management Group (MG) hierarchy in their Azure environment according to the organization’s needs.
+    *	[What are Azure management groups?](https://docs.microsoft.com/en-us/azure/governance/management-groups/overview)
+    *	[Subscription decision guide](https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/decision-guides/subscriptions/)
+    *	[Management group and subscription organization](https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/management-group-and-subscription-organization)
+    *	[Governance guide for complex enterprises](https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/govern/guides/complex/)
+    *	[Organize and manage multiple Azure subscriptions](https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/organize-subscriptions)
+*	The customer has a basic understanding of Azure Security Center and its functionalities.
+    *	[What is Azure Security Center?](https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction)
+    *	[Azure Security Center’s overview page](https://docs.microsoft.com/en-us/azure/security-center/overview-page)
+    *	[Security recommendations](https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference)
+    *	[Introduction to Azure Defender](https://docs.microsoft.com/en-us/azure/security-center/azure-defender)
+    *	[Working with security policies](https://docs.microsoft.com/en-us/azure/security-center/tutorial-security-policy)
+*	The organization understands the different roles that are available within Azure Security Center and RBAC (Role-based access control) in general.
+    *	[Permissions in Azure Security Center](https://docs.microsoft.com/en-us/azure/security-center/security-center-permissions)
+    *	[What is Azure RBAC?](https://docs.microsoft.com/en-us/azure/role-based-access-control/overview)
+    *	[Azure built-in roles](https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles)
+*	The customer knows how to use a Log Analytics workspace and has decided on a Log Analytics workspace design (centralized or distributed).
+    *	[Best practices for designing an Azure Sentinel or Azure Security Center Log Analytics workspace](https://techcommunity.microsoft.com/t5/azure-sentinel/best-practices-for-designing-an-azure-sentinel-or-azure-security/ba-p/832574)
+    *	[Design a workspace deployment](https://docs.microsoft.com/en-us/azure/azure-monitor/platform/design-logs-deployment#important-considerations-for-an-access-control-strategy)
+*	The customer understands ASC pricing, Azure Monitor pricing, and Azure bandwidth costs.
+    *	[ASC Pricing](https://azure.microsoft.com/en-us/pricing/details/security-center/)
+    *	[Azure Monitor Pricing](https://azure.microsoft.com/en-us/pricing/details/monitor/)
+    *	[Azure Bandwidth Pricing](https://azure.microsoft.com/en-us/pricing/details/bandwidth/)
+*	The customer has a solid understanding of Azure Policy and other Azure Governance constructs like Azure Blueprints and Azure Resource Graph.
+    *	[What is Azure Policy?](https://docs.microsoft.com/en-us/azure/governance/policy/overview)
+    *	[Understand Azure Policy effects](https://docs.microsoft.com/en-us/azure/governance/policy/concepts/effects)
+    *	[What is Azure Blueprints?](https://docs.microsoft.com/en-us/azure/governance/blueprints/overview)
+    *	[What is Azure Resource Graph?](https://docs.microsoft.com/en-us/azure/governance/resource-graph/overview)
+*	The customer is familiar with one or more of the following Azure Resource Manager automation options:
+    *	[Azure REST API](https://docs.microsoft.com/en-us/rest/api/azure/)
+    *	[ARM templates](https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/overview)
+    *	[Azure PowerShell](https://docs.microsoft.com/en-us/powershell/azure/?view=azps-5.0.0)
+    *	[Azure CLI](https://docs.microsoft.com/en-us/cli/azure/what-is-azure-cli)
+
+<br />
+
+### &#8680; Continue with the next steps: [Module 2 - Roles & Permissions](./2-Roles-and-Permissions.md)

Onboarding/Modules/2-Roles-and-Permissions.md

@@ -0,0 +1,73 @@
+# Module 2 - Roles & Permissions
+
+## Step #1 - Create a central team that will be responsible for tracking and/or enforcing security on your Azure environment
+To manage Azure Security Center organization-wide, it is necessary that customers have named a team who is responsible for monitoring and governing their Azure environment from a security perspective.  
+Depending on the responsibility model in the organization, we most commonly see one of the following two options how a central security team operates within an organization.
+
+### Option A - Security controls are deployed  by a central team
+Deploying security controls is done by a central team. The central security team decides which security policies will be implemented in the organization and who has permissions to control the policy set. They may also have the power to remediate non-compliant resources, and enforce resource isolation in case of a security threat or configuration issue. Workload owners on the other hand are mainly responsible for managing their cloud workloads, but need to follow the security  policies that the central team has deployed.
+
+| Action |	Workload owners	| Central IT Security team
+| --- | :---: | :---:
+Manage a cloud workload and its related resources |	✓ |	✕
+Define, monitor and enforce the company’s security policies to ensure the appropriate protections are in place |&#10003; <br /> (Only in addition to what the central team defines)|	&#10003;
+Need to understand the company’s security posture across workloads |	&#10005; |	&#10003;
+Need to be informed of major attacks and risks |	&#10005;|	&#10003;
+Auto-remediate non-compliant resources |	&#10005; |	&#10003;
+
+Option A is most suitable for companies with a high level of automation, to ensure automated response processes to vulnerabilities and threats and maintain a high level of service availability.
+
+### Option B – Security controls are deployed by workload owners
+Deploying security controls is done by the workload owners, they own the policy set and can therefore decide which security policies are applicable to their resources. They need be aware of, understand and act upon security alerts and recommendations for their own resources. The central security team on the other hand only acts as a controlling entity, without write access to any of the workload subscriptions or resources. However, they have insights into the overall security posture of the organization and they may hold the workload owners accountable for improving their security posture.
+
+| Action |	Workload owners	| Central IT Security team
+| --- | :---: | :---:
+Manage a cloud workload and its related resources |	&#10003; |	&#10005;
+Define, monitor and enforce the company’s security policies to ensure the appropriate protections are in place |&#10003;|	&#10005;
+Need to understand the company’s security posture across workloads |	&#10005; |	&#10003;
+Need to be informed of major attacks and risks |	&#10003;|	&#10003;
+Depending on the criticality of the workload, they may be responsible for 24/7 operations |	&#10003; |	&#10005;
+
+Option B is most suitable for organizations that need visibility into their overall security posture, but at the same time want to keep responsibility for security with the workload owners.
+
+
+> &#x26A0;  
+> This section is intended to give customers an idea of the responsibility models we see at both ends of the spectrum. These are by no means the only options; various combinations of these two options are possible and may even be more appropriate in a specific organization setup. Often customers will choose
+<br />
+
+## Step #2 - Assign the necessary RBAC permissions to the central security team
+Customers need to make sure that the central security team has been assigned the necessary RBAC rights on the appropriate scope to follow the deployment steps in this document. We recommend to follow the principle of least privilege when assigning permissions and suggest to assign the following built-in roles:
+
+| Action |	RBAC Role	| Option A) | Option B)
+| --- | :---: | :---: | :---:
+Need to view configurations, update the security policy, and dismiss recommendations and alerts in Security Center.	| **Security Admin** on Root MG*	|	&#10003; |	&#10003;
+Need to have read and write access to Azure resources for remediation (this includes assigning the appropriate permission to the managed identity used by a deployIfNotExists or modify policy)	| **Contributor**
+on Root MG*	|	&#10003; |	&#10005;
+Need to have read only access to Azure resources for investigation. (This does not include read access to secrets or data plane details)	| **Reader** on Root MG*	|	&#10005; |	&#10003;
+> *Depending on the customer’s management group structure, an assignment lower in the management group hierarchy may be more appropriate.*
+
+In addition to the roles that need to be assigned to the central security team, other personas in the customer’s organization like security auditors or a central SOC team may also need to have read access to the company’s security state. In this case, we recommend to grant them **Security Reader** permissions on the appropriate MG scope.
+
+### Automation options
+* **[ARM Template]()**
+    * For Option A
+    * For Option B
+* **[Azure CLI]()**
+    * For Option A
+      * `az role assignment create --role 'Security Admin' --assignee-object-id '{AD-Group-ObjectID}' --scope '/providers/Microsoft.Management/managementGroups/{MG-ID}'`
+      * `az role assignment create --role 'Contributor' --assignee-object-id '{AD-Group-ObjectID}' --scope '/providers/Microsoft.Management/managementGroups/{MG-ID}'`
+    * For Option B
+      * `az role assignment create --role 'Security Admin' --assignee-object-id '{ AD-Group-ObjectID}' --scope '/providers/Microsoft.Management/managementGroups/{MG-ID}'`
+      * `az role assignment create --role 'Reader' --assignee-object-id '{AD-Group-ObjectID}' --scope '/providers/Microsoft.Management/managementGroups/{MG-ID}'` 
+* **[Azure PowerShell]()**
+    * For Option A
+      * `New-AzRoleAssignment - ObjectId '{AD-Group-ObjectID}' -RoleDefinitionName ' Security Admin'  -Scope '/providers/Microsoft.Management/managementGroups/{MG-ID}'` 
+      * `New-AzRoleAssignment - ObjectId '{AD-Group-ObjectID}' -RoleDefinitionName 'Contributor'  -Scope '/providers/Microsoft.Management/managementGroups/{MG-ID}'`
+    * For Option B
+      * `New-AzRoleAssignment - ObjectId '{AD-Group-ObjectID}' -RoleDefinitionName ' Security Admin'  -Scope '/providers/Microsoft.Management/managementGroups/{MG-ID}'`
+      * `New-AzRoleAssignment - ObjectId '{AD-Group-ObjectID}' -RoleDefinitionName 'Reader'  -Scope '/providers/Microsoft.Management/managementGroups/{MG-ID}'`
+* **[REST API]()**
+
+<br />
+
+### &#8680; Continue with the next steps: [Module 3 - Policy Management](./3-Policy-Management.md)