articles/defender-for-cloud/agentless-container-registry-vulnerability-assessment.md
14 additions & 20 deletions
@@ -18,16 +18,16 @@ In every subscription where this capability is enabled, all images stored in ACR
18
18
19
19
Container vulnerability assessment powered by MDVM (Microsoft Defender Vulnerability Management) has the following capabilities:
20
20
21
-
-**Scanning OS packages** - container vulnerability assessment has the ability to scan vulnerabilities in packages installed by the OS package manager in Linux. See the [full list of the supported OS and their versions](support-matrix-defender-for-containers.md#registries-and-images-for-azure---powered-by-mdvm).
22
-
-**Language specific packages** – support for language specific packages and files, and their dependencies installed or copied without the OS package manager. See the [complete list of supported languages](support-matrix-defender-for-containers.md#registries-and-images-for-azure---powered-by-mdvm).
21
+
-**Scanning OS packages** - container vulnerability assessment has the ability to scan vulnerabilities in packages installed by the OS package manager in Linux. See the [full list of the supported OS and their versions](support-matrix-defender-for-containers.md#registries-and-images-support-for-azure---vulnerability-assessment-powered-by-mdvm).
22
+
-**Language specific packages** – support for language specific packages and files, and their dependencies installed or copied without the OS package manager. See the [complete list of supported languages](support-matrix-defender-for-containers.md#registries-and-images-support-for-azure---vulnerability-assessment-powered-by-mdvm).
23
23
-**Image scanning in Azure Private Link** - Azure container vulnerability assessment provides the ability to scan images in container registries that are accessible via Azure Private Links. This capability requires access to trusted services and authentication with the registry. Learn how to [allow access by trusted services](/azure/container-registry/allow-access-trusted-services).
24
24
-**Exploitability information** - Each vulnerability report is searched through exploitability databases to assist our customers with determining actual risk associated with each reported vulnerability.
25
25
-**Reporting** - Container Vulnerability Assessment for Azure powered by Microsoft Defender Vulnerability Management (MDVM) provides vulnerability reports using following recommendations:
26
26
27
27
| Recommendation | Description | Assessment Key
28
28
|--|--|--|
29
-
|[Container registry images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management)-Preview](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/PhoenixContainerRegistryRecommendationDetailsBlade/assessmentKey/c0b7cfc6-3172-465a-b378-53c7ff2cc0d5)| Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. | c0b7cfc6-3172-465a-b378-53c7ff2cc0d5 |
30
-
|[Running container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management)](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/ContainersRuntimeRecommendationDetailsBlade/assessmentKey/c609cf0f-71ab-41e9-a3c6-9a1f7fe1b8d5)| Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. | c609cf0f-71ab-41e9-a3c6-9a1f7fe1b8d5 |
29
+
|[Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/PhoenixContainerRegistryRecommendationDetailsBlade/assessmentKey/c0b7cfc6-3172-465a-b378-53c7ff2cc0d5)| Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. | c0b7cfc6-3172-465a-b378-53c7ff2cc0d5 |
30
+
|[Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/ContainersRuntimeRecommendationDetailsBlade/assessmentKey/c609cf0f-71ab-41e9-a3c6-9a1f7fe1b8d5)| Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. | c609cf0f-71ab-41e9-a3c6-9a1f7fe1b8d5 |
31
31
32
32
-**Query vulnerability information via the Azure Resource Graph** - Ability to query vulnerability information via the [Azure Resource Graph](/azure/governance/resource-graph/overview#how-resource-graph-complements-azure-resource-manager). Learn how to [query recommendations via ARG](review-security-recommendations.md#review-recommendation-data-in-azure-resource-graph-arg).
33
33
-**Query scan results via REST API** - Learn how to query scan results via [REST API](subassessment-rest-api.md).
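Review bot: the two renamed recommendation rows (new lines 29 and 30) keep portal links on the `ms.portal.azure.com` host; since the rows are being rewritten anyway, point them at `portal.azure.com` with the same blade path and `assessmentKey`, which is the host customers actually use. In the same table, the header row `| Recommendation | Description | Assessment Key` has no closing `|` while the separator row `|--|--|--|` does; add it for consistency. The running-images row also opens with the registry row's first sentence ("Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image."), which reads as if the running-workload recommendation were a second registry scan; rephrase it to say the findings come from the registry scan of the image that is running. Finally, the two updated support-matrix anchors (`#registries-and-images-support-for-azure---vulnerability-assessment-powered-by-mdvm`) both target a renamed heading; confirm that heading exists in `support-matrix-defender-for-containers.md` in this same PR, because a stale fragment silently lands the reader at the top of the page rather than failing.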
-each image pushed or imported to a container registry is scanned after being pushed or imported to a registry. In most cases, the scan is completed within a few minutes, but sometimes it might take up to an hour.
43
-
-[Preview] each image pulled from a registry is triggered to be scanned within 24 hours.
42
+
-Each image pushed or imported to a container registry is scanned after being pushed or imported to a registry. In most cases, the scan is completed within a few minutes, but sometimes it might take up to an hour.
43
+
-Each image pulled from a registry is triggered to be scanned within 24 hours.
44
44
45
-
> [!NOTE]
46
-
> While Container vulnerability assessment powered by MDVM is generally available for Defender CSPM, scan-on-push and scan-on-pull is currently in public preview.
47
-
48
-
-**Continuous rescan triggering** – Continuous rescan is required to ensure images that have been previously scanned for vulnerabilities are rescanned to update their vulnerability reports in case a new vulnerability is published.
45
+
-**Continuous rescan triggering** – continuous rescan is required to ensure images that have been previously scanned for vulnerabilities are rescanned to update their vulnerability reports in case a new vulnerability is published.
49
46
-**Re-scan** is performed once a day for:
50
-
-images pushed in the last 90 days.
51
-
-[Preview] images pulled in the last 30 days.
52
-
-images currently running on the Kubernetes clusters monitored by Defender for Cloud (either via [agentless discovery and visibility for Kubernetes](how-to-enable-agentless-containers.md) or the [Defender agent](tutorial-enable-containers-azure.md#deploy-the-defender-agent-in-azure)).
47
+
-Images pushed in the last 90 days.
48
+
-Images pulled in the last 30 days.
49
+
-Images currently running on the Kubernetes clusters monitored by Defender for Cloud (either via [Agentless discovery for Kubernetes](/azure/defender-for-cloud/defender-for-containers-enable#enablement-method-per-capability) or the [Defender agent](/azure/defender-for-cloud/defender-for-containers-enable#enablement-method-per-capability)).
53
50
54
-
> [!NOTE]
55
-
> While Container vulnerability assessment powered by MDVM is generally available for Defender CSPM, scanning images pulled in the last 30 days is currently in public preview
56
-
57
51
## How does image scanning work?
58
52
59
53
A detailed description of the scan process is described as follows:
60
54
61
55
- When you enable the [container vulnerability assessment for Azure powered by MDVM](enable-vulnerability-assessment.md), you authorize Defender for Cloud to scan container images in your Azure Container registries.
62
56
- Defender for Cloud automatically discovers all containers registries, repositories and images (created before or after enabling this capability).
63
57
- Defender for Cloud receives notifications whenever a new image is pushed to an Azure Container Registry. The new image is then immediately added to the catalog of images Defender for Cloud maintains, and queues an action to scan the image immediately.
64
-
- Once a day, or when an image is pushed to a registry:
58
+
- Once a day, and for new images pushed to a registry:
65
59
66
60
- All newly discovered images are pulled, and an inventory is created for each image. Image inventory is kept to avoid further image pulls, unless required by new scanner capabilities.
67
-
- Using the inventory, vulnerability reports are generated for new images, and updated for images previously scanned which were either pushed in the last 90 days to a registry, or are currently running. To determine if an image is currently running, Defender for Cloud uses both [agentless discovery and visibility within Kubernetes components](/azure/defender-for-cloud/concept-agentless-containers) and [inventory collected via the Defender agent running on AKS nodes](defender-for-containers-enable.md#deploy-the-defender-agent)
68
-
- Vulnerability reports for container images are provided as a [recommendation](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/PhoenixContainerRegistryRecommendationDetailsBlade/assessmentKey/c0b7cfc6-3172-465a-b378-53c7ff2cc0d5).
69
-
- For customers using either [agentless discovery and visibility within Kubernetes components](concept-agentless-containers.md) or [inventory collected via the Defender agent running on AKS nodes](defender-for-containers-enable.md#deploy-the-defender-agent), Defender for Cloud also creates a [recommendation](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/ContainersRuntimeRecommendationDetailsBlade/assessmentKey/c609cf0f-71ab-41e9-a3c6-9a1f7fe1b8d5) for remediating vulnerabilities for vulnerable images running on an AKS cluster.
61
+
- Using the inventory, vulnerability reports are generated for new images, and updated for images previously scanned which were either pushed in the last 90 days to a registry, or are currently running. To determine if an image is currently running, Defender for Cloud uses both [Agentless discovery for Kubernetes](/azure/defender-for-cloud/defender-for-containers-enable#enablement-method-per-capability) and [inventory collected via the Defender agent running on AKS nodes](/azure/defender-for-cloud/defender-for-containers-enable#enablement-method-per-capability)
62
+
- Vulnerability reports for registry container images are provided as a [recommendation](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/PhoenixContainerRegistryRecommendationDetailsBlade/assessmentKey/c0b7cfc6-3172-465a-b378-53c7ff2cc0d5).
63
+
- For customers using either [Agentless discovery for Kubernetes](/azure/defender-for-cloud/defender-for-containers-enable#enablement-method-per-capability) or [inventory collected via the Defender agent running on AKS nodes](/azure/defender-for-cloud/defender-for-containers-enable#enablement-method-per-capability), Defender for Cloud also creates a [recommendation](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/ContainersRuntimeRecommendationDetailsBlade/assessmentKey/c609cf0f-71ab-41e9-a3c6-9a1f7fe1b8d5) for remediating vulnerabilities for vulnerable images running on an AKS cluster. For customers using only [Agentless discovery for Kubernetes](/azure/defender-for-cloud/defender-for-containers-enable#enablement-method-per-capability), the refresh time for inventory in this recommendation is once every seven hours. Clusters that are also running the [Defender agent](/azure/defender-for-cloud/defender-for-containers-enable#enablement-method-per-capability) benefit from a two hour inventory refresh rate. Image scan results are updated based on registry scan in both cases, and are therefore only refreshed every 24 hours.
70
64
71
65
> [!NOTE]
72
66
> For [Defender for Container Registries (deprecated)](defender-for-container-registries-introduction.md), images are scanned once on push, on pull, and rescanned only once a week.
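Review bot: this hunk removes every preview marker for scan-on-pull and pull-based rescan (the `[Preview]` prefixes on old lines 43 and 51, and both `> [!NOTE]` blocks at old lines 45-48 and 54-56 that said these triggers are in public preview while the capability is GA for Defender CSPM), so the final page makes no statement about their status at all. If scan-on-pull is now GA, say so in the PR description and pair this with the release-notes update; if it is not, keep one consolidated note, since the table rename above also drops "-Preview" and a reader cannot tell either way. Second, the sentence added at the end of new line 63, "Image scan results are updated based on registry scan in both cases, and are therefore only refreshed every 24 hours", reads as contradicting new line 42, which says a pushed image is scanned within minutes (up to an hour); state that the 24-hour cadence is the continuous rescan of already-scanned images described at new line 45, and that a newly pushed image still gets its initial scan on push. Minor, in the same lines: "based on registry scan" should be "based on the registry scan", "two hour inventory refresh rate" should be "two-hour", and new line 61 ends at the closing `)` with no period (carried over from old line 67). Link style: the new links all use the absolute form `/azure/defender-for-cloud/defender-for-containers-enable#enablement-method-per-capability`, with "Agentless discovery for Kubernetes" and "Defender agent" landing on the same anchor, while the rest of this file links in-repo topics relatively (`enable-vulnerability-assessment.md`, `subassessment-rest-api.md`, `review-security-recommendations.md`); use `defender-for-containers-enable.md#enablement-method-per-capability` for consistency, and if the `#deploy-the-defender-agent` section the old text pointed at still exists, it is the more specific target for the "Defender agent" link text.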