Merge pull request #84 from MicrosoftDocs/main
8/22/2024 AM Publish
Taojunshen authored Aug 22, 2024
2 parents 719b03f + 4a5481d commit 8601c43
Showing 53 changed files with 169 additions and 48 deletions.
2 changes: 1 addition & 1 deletion articles/defender-for-cloud/binary-drift-detection.md
@@ -20,7 +20,7 @@ Binary drift detection is integrated into the Defender for Containers plan and i

- To use binary drift detection, you need to run the Defender for Container sensor, which is available in AWS, GCP, and AKS in [versions](/azure/aks/supported-kubernetes-versions) 1.29 or higher.
- The Defender for Container sensor must be enabled on the subscriptions and connectors.
- To create and modify drift policies, you need global admin permissions on the tenant.
- To create and modify drift policies, you need Security Admin or higher permissions on the tenant. To view drift policies, you need Security Reader or higher permissions on the tenant.

## Components

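Review bot: The replacement prerequisite line names the role "Security Admin", while the data-sensitivity table changed in this same commit uses the Microsoft Entra role name "Security Administrator"; tenant-level roles are Entra roles, so use the canonical names ("Security Administrator", "Security Reader") and link them, because "Security Admin" is also the name of the Azure RBAC role and readers will confuse the two. "Or higher" also leaves undefined which roles count as higher; listing them, or linking the role reference, removes the guesswork.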
@@ -40,7 +40,7 @@ The table summarizes availability and supported scenarios for sensitive data dis
|What GCP regions are supported? | europe-west1, us-east1, us-west1, us-central1, us-east4, asia-south1, northamerica-northeast1|
|Do I need to install an agent? | No, discovery requires no agent installation. |
|What's the cost? | The feature is included with the Defender CSPM and Defender for Storage plans, and doesn’t incur extra costs except for the respective plan costs. |
|What permissions do I need to view/edit data sensitivity settings? | You need one of these Microsoft Entra roles: Global Administrator, Compliance Administrator, Compliance Data Administrator, Security Administrator, Security Operator.|
|What permissions do I need to view/edit data sensitivity settings? | You need one of these Microsoft Entra roles:<br> <li>Compliance Data Administrator, Compliance Administrator, or higher <br> <li>Security Operator, Security Administrator, or higher|
| What permissions do I need to perform onboarding? | You need one of these [Azure role-based access control (Azure RBAC) roles](/azure/role-based-access-control/role-assignments-portal): Security Admin, Contributor, Owner on the subscription level (where the GCP project/s reside). For consuming the security findings: Security Reader, Security Admin, Reader, Contributor, Owner on the subscription level (where the GCP project/s reside). |

## Configuring data sensitivity settings
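Review bot: The rewritten permissions cell mixes `<br>` with bare `<li>` elements that have no enclosing `<ul>` and are never closed, so how the cell renders depends on how the table renderer recovers from the malformed list; use either a plain `<br>`-separated list or a complete `<ul><li>…</li><li>…</li></ul>`. Separately, dropping Global Administrator and adding "or higher" correctly presents the listed roles as the minimum, but "or higher" should name the roles it covers so the reader does not have to guess the hierarchy.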
@@ -29,7 +29,7 @@ To protect your Azure App Service plan with Microsoft Defender for App Service,
| Release state: | General availability (GA) |
| Pricing: | Microsoft Defender for App Service is billed as shown on the [pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/)<br>Billing is according to total compute instances in all plans |
| Supported App Service plans: | [The supported App Service plans](https://azure.microsoft.com/pricing/details/app-service/plans/) are:<br>• Free plan<br>• Basic Service plan<br>• Standard Service plan<br>• Premium v2 Service Plan<br>• Premium v3 Service Plan<br>• App Service Environment v1<br>• App Service Environment v2<br>• App Service Environment v3|
| Clouds: | :::image type="icon" source="./media/icons/yes-icon.png"::: Commercial clouds<br>:::image type="icon" source="./media/icons/no-icon.png"::: National (Azure Government, Microsoft Azure operated by 21Vianet) |
| Clouds: | :::image type="icon" source="./media/icons/yes-icon.png"::: Commercial clouds<br>:::image type="icon" source="./media/icons/yes-icon.png"::: National (Azure Government, Microsoft Azure operated by 21Vianet) |

## What are the benefits of Microsoft Defender for App Service?

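Review bot: The Clouds row flips national clouds (Azure Government, Microsoft Azure operated by 21Vianet) from the no icon to the yes icon, but nothing else in the hunk changes, so a reader cannot tell whether the full list of supported App Service plans and the billing statement above apply unchanged in those clouds; add a footnote stating any differences, or confirm there are none. Also, both icons are `:::image type="icon":::` entries with no alt text, so the yes/no meaning is lost to screen readers; prefixing each line with "Supported" or "Not supported" fixes that.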
3 changes: 3 additions & 0 deletions articles/defender-for-cloud/other-threat-protections.md
@@ -33,6 +33,9 @@ For a list of the Azure network layer alerts, see the [Reference table of alerts

### Display Azure WAF alerts in Defender for Cloud

> [!IMPORTANT]
> This feature will be retired on September 25, 2024. For Sentinel customers, you can configure the Azure Web Application Firewall [connector](/azure/web-application-firewall/waf-sentinel).
Azure Application Gateway offers a web application firewall (WAF) that provides centralized protection of your web applications from common exploits and vulnerabilities.

Web applications are increasingly targeted by malicious attacks that exploit commonly known vulnerabilities. The Application Gateway WAF is based on Core Rule Set 3.2 or higher from the Open Web Application Security Project. The WAF is updated automatically to protect against new vulnerabilities.
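Review bot: The new `> [!IMPORTANT]` callout is not followed by a blank line before "Azure Application Gateway offers…", so under Markdown lazy continuation that paragraph is pulled into the blockquote and renders as part of the alert; insert an empty line after the last `>` line. It would also help to link to the matching release-notes entry and to repeat here that no customer action is needed, which the release note states but this section does not.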
@@ -2,7 +2,7 @@
title: Prepare for retirement of the Log Analytics agent
description: Learn how to prepare for the deprecation of the Log Analytics (MMA) agent in Microsoft Defender for Cloud.
ms.topic: how-to
ms.date: 03/13/2024
ms.date: 08/22/2024
# customer intent: As a user, I want to understand how to prepare for the retirement of the Log Analytics agent in Microsoft Defender for Cloud.
---

@@ -58,7 +58,7 @@ For SQL servers on machines, we recommend to [migrate to SQL server-targeted Azu
The legacy approach to onboard servers to Defender for Servers Plan 2 based on the Log Analytics agent and using Log analytics workspaces is set for retirement as well:
- The onboarding experience for [onboarding new non-Azure machines](quickstart-onboard-machines.md) to Defender for Servers using Log Analytics agents and workspaces is removed from the **Inventory** and **Getting started** blades in the Defender for Cloud portal.
- To avoid losing security coverage on the affected machines connected to a Log Analytics Workspace, with the Agent retirement:
- If you onboarded non-Azure servers (both on-premises and multi-cloud) using the [legacy approach](quickstart-onboard-machines.md), you should now connect these machines via Azure Arc-enabled servers to Defender for Servers Plan 2 Azure subscriptions and connectors. [Learn more](/azure/azure-arc/servers/deployment-options) about deploying Arc machines at scale.
- If you onboarded non-Azure servers (both on-premises and multicloud) using the [legacy approach](quickstart-onboard-machines.md), you should now connect these machines via Azure Arc-enabled servers to Defender for Servers Plan 2 Azure subscriptions and connectors. [Learn more](/azure/azure-arc/servers/deployment-options) about deploying Arc machines at scale.

- If you used the legacy approach to enable Defender for Servers Plan 2 on selected Azure VMs, we recommend enabling Defender for Servers Plan 2 on the Azure subscriptions for these machines. You can then exclude individual machines from the Defender for Servers coverage using the Defender for Servers [per-resource configuration](tutorial-enable-servers-plan.md).

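Review bot: The hyphenation fix to "multicloud" matches the table in the next hunk, but the parent bullet still reads "To avoid losing security coverage on the affected machines connected to a Log Analytics Workspace, with the Agent retirement:", which is a dangling clause; rephrase as "With the agent retirement, to avoid losing security coverage on machines connected to a Log Analytics workspace:" and lowercase "Agent" and "Workspace" to match the rest of the article.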
@@ -70,7 +70,7 @@ This is a summary of the required action for each of the servers onboarded to De
| -------- | -------- |
|On premise servers| [Onboarded to Arc ](/azure/azure-arc/servers/deployment-options) and connected to a subscription with Defender for Servers Plan 2 |
|Azure Virtual machines|Connect to subscription with Defender for Servers Plan 2|
|Multi Cloud Servers |Connect to [multicloud connector](/azure/defender-for-cloud/quickstart-onboard-aws) with Azure Arc provisioning and Defender for Servers plan 2|
|Multicloud Servers |Connect to [multicloud connector](/azure/defender-for-cloud/quickstart-onboard-aws) with Azure Arc provisioning and Defender for Servers plan 2|


### Endpoint protection recommendations experience - changes and migration guidance
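Review bot: Renaming the row to "Multicloud Servers" leaves the neighbouring rows inconsistent: "On premise servers" should be "On-premises servers", the "[Onboarded to Arc ]" link text has a trailing space inside the brackets, and the changed row says "Defender for Servers plan 2" where the other rows use "Plan 2"; fix these in the same edit.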
@@ -182,6 +182,115 @@ After you disable the file events collection:
- New events will stop being collected on the selected scope.
- The historical events that already were collected remain stored in the relevant workspace under the *ConfigurationChange* table in the **Change Tracking** section. These events will remain available in the relevant workspace according to the retention period defined in this workspace. For more information, see [How retention and archiving work](/azure/azure-monitor/logs/data-retention-archive#how-retention-and-archiving-work).

## Baseline experience

The baselines misconfiguration feature on VMs is designed to ensure that your VMs adhere to security best practices and organizational policies. Baselines misconfiguration evaluates the configuration of your VMs against the predefined security baselines, and identifies any deviations, or misconfigurations that could pose a risk to your environment.

Machine information is collected for assessment using the Log Analytics agent (also known as the Microsoft Monitoring agent (MMA)). The MMA is set to be deprecated in November 2024, and the following changes will occur:

- Machine information will be collected using the [Azure Policy guest configuration](/azure/virtual-machines/extensions/guest-configuration).

- The following Azure policies are enabled with Azure Policy guest configuration:
- "Windows machines should meet requirements of the Azure compute security baseline"
- "Linux machines should meet requirements for the Azure compute security baseline"

> [!NOTE]
> If you remove these policies you won't be able to access the benefits of the Azure Policy guest configuration extension.
- OS recommendations based on compute security baselines will no longer be included in Defender for Cloud foundational CSPM. These recommendations will be available when you [enable the Defender for Servers Plan 2](tutorial-enable-servers-plan.md).

Review the [Defender for Cloud pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/) to learn about Defender Servers Plan 2 pricing information.

Recommendations that are provided by the MCSB that aren't part of Windows and Linux compute security baselines, will continue to be part of free foundational CSPM.

### Install Azure Policy guest configuration

In order to continue receiving the baseline experience, you need to enable the Defender for Servers Plan 2 and install the Azure Policy guest configuration. This will ensure that you continue to receive the same recommendations and hardening guidance that you have been receiving through the baseline experience.

Depending on your environment, you may need to take the following steps:

1. Review the [support matrix for the Azure Policy guest configuration](/azure/governance/machine-configuration/overview).

1. Install the Azure Policy guest configuration on your machines.
- **Azure machines**: In the Defender for Cloud portal, on the recommendations page, search for and select [Guest Configuration extension should be installed on machines](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/6c99f570-2ce7-46bc-8175-cde013df43bc), and [remediate the recommendation](implement-security-recommendations.md).

- (**Azure VMs only**) You must Assign managed Identity.
- In the Defender for Cloud portal, on the recommendations page, search for and select [Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/69133b6b-695a-43eb-a763-221e19556755), and [remediate the recommendation](implement-security-recommendations.md).

- (**Azure VMs only**) Optional: To autoprovision the Azure Policy guest configuration across your entire subscription, you can enable the Guest Configuration agent (preview).
- To enable the Guest Configuration agent:
1. Sign in to the [Azure portal](https://portal.azure.com/).
1. Navigate to **Environment settings** > **Your subscription** > **Settings & Monitoring**.
1. Under **Settings**, select **Guest Configuration**.
:::image type="content" source="media/prepare-deprecation-log-analytics-mma-agent/setting-and-monitoring.png" alt-text="Screenshot that shows the location of the settings and monitoring button." lightbox="media/prepare-deprecation-log-analytics-mma-agent/setting-and-monitoring.png":::
1. Toggle the Guest Configuration agent (preview) to **On**.
:::image type="content" source="media/prepare-deprecation-log-analytics-mma-agent/toggle-guest.png" alt-text="Screenshot that shows the location of the toggle button to enable the Guest Configuration agent." lightbox="media/prepare-deprecation-log-analytics-mma-agent/toggle-guest.png":::
1. Select **Continue**.

- **GCP and AWS**: Azure Policy guest configuration is automatically installed when you [connect your GCP project](quickstart-onboard-gcp.md), or you [connect your AWS accounts](quickstart-onboard-aws.md) with Azure Arc autoprovisioning enabled, to Defender for Cloud.

- **On-premises machines**: The Azure Policy guest configuration is enabled by default when you [onboard on-premises machines as Azure Arc enabled machine or VMs](/azure/azure-arc/servers/learn/quick-enable-hybrid-vm?branch=main).

Once you have completed the necessary steps to install the Azure Policy guest configuration, you will automatically gain access to the baseline features based on the Azure Policy guest configuration. This will ensure that you continue to receive the same recommendations and hardening guidance that you have been receiving through the baseline experience.

### Changes to recommendations

With the deprecation of the MMA, the following MMA based recommendations are set to be deprecated:

- [Machines should be configured securely](recommendations-reference-compute.md)
- [Auto provisioning of the Log Analytics agent should be enabled on subscriptions](recommendations-reference-data.md)

The deprecated recommendations will be replaced by the following Azure Policy guest configuration base recommendations:
- [Vulnerabilities in security configuration on your Windows machines should be remediated (powered by Guest Configuration)](recommendations-reference-compute.md)
- [Vulnerabilities in security configuration on your Linux machines should be remediated (powered by Guest Configuration)](recommendations-reference-compute.md)
- [Guest Configuration extension should be installed on machines](recommendations-reference-compute.md)

### Duplicate recommendations

When you enable Defender for Cloud on an Azure subscription, the [Microsoft cloud security benchmark (MCSB)](/security/benchmark/azure/introduction), including compute security baselines that assess machine OS compliance, is enabled as a default compliance standard. Free foundational cloud security posture management (CSPM) in Defender for Cloud makes security recommendations based on the MCSB.

If a machine is running both the MMA and the Azure Policy guest configuration, you will see duplicate recommendations. The duplication of recommendations occurs because both methods are running at the same time and producing the same recommendations. These duplicates will affect your Compliance and Secure Score.

As a work around, you can disable the MMA recommendations, "Machines should be configured securely", and "Auto provisioning of the Log Analytics agent should be enabled on subscriptions", by navigating to the Regulatory compliance page in Defender for Cloud.

:::image type="content" source="media/prepare-deprecation-log-analytics-mma-agent/exempt-recommendation.png" alt-text="Screenshot of the regulatory compliance dashboard that shows where one of the MMA recommendations exist." lightbox="media/prepare-deprecation-log-analytics-mma-agent/exempt-recommendation.png":::

Once you have located the recommendation, you should select the relevant machines and exempt them.

:::image type="content" source="media/prepare-deprecation-log-analytics-mma-agent/exempt-regulatory.png" alt-text="Screenshot that shows you how to select machines and exempt them." lightbox="media/prepare-deprecation-log-analytics-mma-agent/exempt-regulatory.png":::

Some of the baseline configuration rules powered by the Azure Policy guest configuration tool are more current and offer broader coverage. As a result, transition to Baselines feature power by Azure Policy guest configuration can affect your compliance status since they include checks that might not have been performed previously.

### Query recommendations

With the retirement of the MMA, Defender for Cloud no longer queries recommendations through the Log Analytic workspace information. Instead, Defender for Cloud now uses Azure Resource Graph for API, and portal queries, to query recommendation information.

Here are 2 sample queries you can use:

- **Query all unhealthy rules for a specific resource**

```rest
Securityresources
| where type == "microsoft.security/assessments/subassessments"
| extend assessmentKey=extract(@"(?i)providers/Microsoft.Security/assessments/([^/]*)", 1, id)
| where assessmentKey == '1f655fb7-63ca-4980-91a3-56dbc2b715c6' or assessmentKey == '8c3d9ad0-3639-4686-9cd2-2b2ab2609bda'
| parse-where id with machineId:string '/providers/Microsoft.Security/' *
| where machineId == '{machineId}'
```

- **All Unhealthy Rules and the amount if Unhealthy machines for each**

```rest
securityresources
| where type == "microsoft.security/assessments/subassessments"
| extend assessmentKey=extract(@"(?i)providers/Microsoft.Security/assessments/([^/]*)", 1, id)
| where assessmentKey == '1f655fb7-63ca-4980-91a3-56dbc2b715c6' or assessmentKey == '8c3d9ad0-3639-4686-9cd2-2b2ab2609bda'
| parse-where id with * '/subassessments/' subAssessmentId:string
| parse-where id with machineId:string '/providers/Microsoft.Security/' *
| extend status = tostring(properties.status.code)
| summarize count() by subAssessmentId, status
```

## Preparing Defender for SQL on Machines

You can learn more about the [Defender for SQL Server on machines Log Analytics agent's deprecation plan](upcoming-changes.md#defender-for-sql-server-on-machines).
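Review bot: The query headed "Query all unhealthy rules for a specific resource" never filters on status, so it returns healthy and unhealthy sub-assessments alike for the machine; add a line such as `| where properties.status.code == "Unhealthy"` (the second query already reads that property via `tostring(properties.status.code)`), and note that `{machineId}` must be the machine's full ARM resource ID since it is matched against a prefix of `id`. The second query summarizes by `status` as well, so it also counts healthy machines despite its heading; either filter there too or retitle it. Both code fences are tagged `rest` but contain Kusto, so tag them `kusto`, and the table name is written `Securityresources` in one and `securityresources` in the other; pick one. Wording in the same hunk: "amount if Unhealthy machines" should be "number of unhealthy machines", "2 sample queries" should be "two", "work around" should be "workaround", "Baselines feature power by" should be "powered by", "Log Analytic workspace" should be "Log Analytics workspace", "guest configuration base recommendations" should be "based", and "You must Assign managed Identity" should be "You must assign a managed identity". Finally, the `> [!NOTE]` under the policy list is immediately followed by the "- OS recommendations" bullet with no blank line, so that bullet is absorbed into the note block; add an empty line after the note.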
9 changes: 9 additions & 0 deletions articles/defender-for-cloud/release-notes.md
@@ -31,8 +31,17 @@ This article summarizes what's new in Microsoft Defender for Cloud. It includes

|Date | Category | Update|
|--|--|--|
| August 22 | Upcoming deprecation | [Retirement of Defender for Cloud alert integration with Azure WAF alerts](#retirement-of-defender-for-cloud-alert-integration-with-azure-waf-alerts) |
| August 1 | GA | [Enable Microsoft Defender for SQL servers on machines at scale](#enable-microsoft-defender-for-sql-servers-on-machines-at-scale) |

## Retirement of Defender for Cloud alert integration with Azure WAF alerts

August 22, 2024

**Estimated date for change**: September 25, 2024

Defender for Cloud alert [integration](other-threat-protections.md#display-azure-waf-alerts-in-defender-for-cloud) with Azure WAF alerts will be retired on September 25, 2024. No action is needed on your end. For Sentinel customers, you can configure the Azure Web Application Firewall [connector](/azure/web-application-firewall/waf-sentinel).

### Enable Microsoft Defender for SQL servers on machines at scale

August 1, 2024
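Review bot: The new "Retirement of Defender for Cloud alert integration with Azure WAF alerts" section is a level-2 heading (`##`) while the sibling entry right after it, "Enable Microsoft Defender for SQL servers on machines at scale", is level 3 (`###`); the table rows link to these sections by anchor and the page TOC is built from the heading levels, so make the new heading `###` to keep the release-note structure consistent.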
@@ -3,7 +3,7 @@ title: Access Azure Blob Storage using Azure Databricks and Azure Key Vault
description: In this tutorial, you'll learn how to access Azure Blob Storage from Azure Databricks using a secret stored in Azure Key Vault
author: msmbaldwin
ms.author: mbaldwin
ms.service: key-vault
ms.service: azure-key-vault
subservice: general
ms.custom: devx-track-azurecli
ms.topic: tutorial
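Review bot: While `ms.service` is being updated here, the `subservice: general` line directly below it looks like it should be `ms.subservice: general`; every other metadata key in this block carries the `ms.` prefix, so verify the key name and fix it in the same change.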
2 changes: 1 addition & 1 deletion articles/key-vault/general/monitor-key-vault-reference.md
@@ -6,7 +6,7 @@ ms.custom: horz-monitor, subject-monitoring
ms.topic: reference
author: msmbaldwin
ms.author: mbaldwin
ms.service: key-vault
ms.service: azure-key-vault
---
# Azure Key Vault monitoring data reference

2 changes: 1 addition & 1 deletion articles/key-vault/general/versions.md
@@ -3,7 +3,7 @@ title: Azure Key Vault versions
description: The various versions of Azure Key Vault
services: key-vault
author: msmbaldwin
ms.service: key-vault
ms.service: azure-key-vault
ms.topic: conceptual
ms.date: 02/20/2024
ms.author: mbaldwin
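Review bot: `ms.service` becomes `azure-key-vault`, but the `services: key-vault` line two rows above keeps the old value; if `services` is still consumed by the build, update it to match, and if it is deprecated, remove it, so the two keys do not disagree.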
2 changes: 1 addition & 1 deletion articles/key-vault/includes/azure-key-vault.md
@@ -1,5 +1,5 @@
---
ms.service: key-vault
ms.service: azure-key-vault
ms.topic: include
ms.date: 07/07/2022
author: msmbaldwin
@@ -1,6 +1,6 @@
---
author: msmbaldwin
ms.service: key-vault
ms.service: azure-key-vault
ms.topic: include
ms.date: 07/20/2023
ms.author: mbaldwin