Merge branch 'main' of https://github.com/MicrosoftDocs/azure-security-docs-pr into wi540394-Devops-security-SBOM

Author: ElazarK

articles/defender-for-cloud/TOC.yml

@@ -52,7 +52,6 @@
           displayName: enable, defender for cloud, activate, turn on, Microsoft Defender XDR, alerts, integration, m365, m365d, m365 defender, free, trial, free trial
           href: connect-azure-subscription.md
         - name: Connect AWS accounts
-          displayName: hybrid, multicloud, multicloud, amazon, arc, AWS, accounts, Microsoft Defender XDR, alerts, integration, m365, m365d, m365 defender
           items:
             - name: Connect your AWS account
               href: quickstart-onboard-aws.md
@@ -61,8 +60,16 @@
             - name: Integrate AWS CloudTrail logs (Preview)
               href: integrate-cloud-trail.md
         - name: Connect GCP projects
-          displayName: hybrid, multicloud, multicloud, google, gcp, Microsoft Defender XDR, alerts, integration, m365, m365d, m365 defender
-          href: quickstart-onboard-gcp.md
+          items:
+            - name: Connect your GCP project
+              displayName: gcp, connect, onboard
+              href: quickstart-onboard-gcp.md
+            - name: Configure GCP plans
+              displayName: GCP, plans, configure
+              href: configure-google-plans.md
+            - name: Ingest GCP logging
+              displayName: GCP, logging, ingest
+              href: logging-ingestion.md
         - name: Connect individual non-Azure machines
           items:
             - name: Connect machines with Defender for Endpoint
@@ -1500,6 +1507,15 @@
         - name: Integrate CLI with CI/CD pipelines
           DisplayName: Defender for Cloud CLI, CI/CD pipelines
           href: episode-fifty-nine.md
+        - name: Code reachability analysis
+          DisplayName: Code reachability analysis, reachable vulnerabilities
+          href: episode-sixty.md
+        - name: Kubernetes lateral movement
+          DisplayName: Kubernetes lateral movement, Kubernetes RBAC, attack paths
+          href: episode-sixty-one.md
+        - name: Kubernetes gated deployment
+          DisplayName: Kubernetes gated deployment, gated rules
+          href: episode-sixty-two.md
         - name: Agentless code scanning
           DisplayName: Agentless code scanning
           href: episode-sixty-three.md

articles/defender-for-cloud/ai-threat-protection.md

@@ -10,17 +10,11 @@ author: Elazark
 
 # Overview - AI threat protection
 
-Microsoft Defender for Cloud's threat protection for AI services identifies threats to generative AI applications in real time and helps respond to security issues.
-
-Defender for Cloud's AI threat protection works with [Azure AI Content Safety Prompt Shields](/azure/ai-services/content-safety/concepts/jailbreak-detection) and Microsoft's threat intelligence to provide security alerts for threats like data leakage, data poisoning, jailbreak, and credential theft.
-
-:::image type="content" source="media/ai-threat-protection/threat-protection-ai.png" alt-text="Diagram that shows how enabling, detection, and response works for threat protection." lightbox="media/ai-threat-protection/threat-protection-ai.png":::
+Microsoft Defender for Cloud's threat protection for AI services identifies threats to generative AI applications in real time and helps respond to security issues. Defender for Cloud's AI threat protection works with [Azure AI Content Safety Prompt Shields](/azure/ai-services/content-safety/concepts/jailbreak-detection) and Microsoft's threat intelligence to provide security alerts for threats like data leakage, data poisoning, jailbreak, and credential theft.
 
 ## Defender XDR integration
 
-Threat protection for AI services integrates with the [Defender XDR](concept-integration-365.md), allowing security teams to centralize AI workload alerts in the Defender XDR portal.
-
-Security teams can correlate AI workload alerts and incidents in the Defender XDR portal to understand the full scope of an attack, including malicious activities related to their generative AI applications.
+Threat protection for AI services integrates with the [Defender XDR](concept-integration-365.md), allowing security teams to centralize AI workload alerts in the Defender XDR portal. Security teams can correlate AI workload alerts and incidents in the Defender XDR portal to understand the full scope of an attack, including malicious activities related to their generative AI applications.
 
 ## Availability
 

articles/defender-for-cloud/alerts-ai-workloads.md

@@ -19,6 +19,9 @@ This article lists the security alerts you might get for AI services from Micros
 
 > [!NOTE]
 > Alerts from different sources might take different amounts of time to appear. For example, alerts that require analysis of network traffic might take longer to appear than alerts related to suspicious processes running on virtual machines.
+> 
+> [!NOTE]
+> For alerts that are in preview: [!INCLUDE [Legalese](./includes/defender-for-cloud-preview-legal-text.md)]
 
 ## AI services alerts
 
@@ -192,9 +195,6 @@ This article lists the security alerts you might get for AI services from Micros
 
 **Severity**: Low
 
-> [!NOTE]
-> For alerts that are in preview: [!INCLUDE [Legalese](./includes/defender-for-cloud-preview-legal-text.md)]
-
 ## Next steps
 
 - [Security alerts in Microsoft Defender for Cloud](alerts-overview.md)

articles/defender-for-cloud/concept-cloud-security-posture-management.md

@@ -47,7 +47,7 @@ For specific regional availability and government cloud support details, see the
 | [Agentless discovery for Kubernetes](concept-agentless-containers.md) | - | :::image type="icon" source="./media/icons/yes-icon.png"::: | Azure, AWS, GCP |
 | [Agentless VM secrets scanning](secrets-scanning-servers.md) | - | :::image type="icon" source="./media/icons/yes-icon.png"::: | Azure, AWS, GCP |
 | [Agentless VM vulnerability scanning](enable-agentless-scanning-vms.md) | - | :::image type="icon" source="./media/icons/yes-icon.png"::: | Azure, AWS, GCP |
-| [AI security posture management](ai-security-posture.md) | - | :::image type="icon" source="./media/icons/yes-icon.png"::: | Azure, AWS |
+| [AI security posture management](ai-security-posture.md) | - | :::image type="icon" source="./media/icons/yes-icon.png"::: | Azure, AWS, GCP |
 | [API security posture management](api-security-posture-overview.md)| - | :::image type="icon" source="./media/icons/yes-icon.png"::: | Azure |
 | [Attack path analysis](how-to-manage-attack-path.md) | - | :::image type="icon" source="./media/icons/yes-icon.png"::: | Azure, AWS, GCP, Docker Hub, JFrog Artifactory |
 | [Azure Kubernetes Service security dashboard (Preview)](cluster-security-dashboard.md) | - | :::image type="icon" source="./media/icons/yes-icon.png"::: | Azure |

articles/defender-for-cloud/concept-private-links.md

@@ -14,7 +14,7 @@ Microsoft Security Private Link allows workloads in your virtual network to conn
 With private endpoints, all security-related traffic from your workloads traverses the Microsoft backbone network without exposure to the public internet. This includes telemetry from Defender agents, sensors, add-ons, and extensions.
 
 > [!NOTE]
-> Microsoft Security Private Link isn't supported in sovereign cloud regions, such as Azure Government and Azure operated by 21Vianet (21Vianet).
+> Microsoft Security Private Link isn't supported in sovereign cloud regions, such as Azure Government and Azure operated by 21Vianet.
 
 ## Supported scenarios
 

articles/defender-for-cloud/configure-google-plans.md

@@ -0,0 +1,178 @@
+---
+title: Configure GCP plans
+description: Learn how to configure Microsoft Defender for Cloud plans for your Google Cloud Platform (GCP) projects.
+ms.topic: install-set-up-deploy
+ms.author: Elkrieger
+author: Elazark
+ms.date: 01/14/2026
+ms.custom: sfi-image-nochange
+---
+
+# Configure GCP plans
+
+When you onboard your Google Cloud Platform (GCP) projects to Microsoft Defender for Cloud, select the plans to enable for your projects. Each plan provides different security features and capabilities. By default, all plans are **On**, but turn off unnecessary plans.
+
+### [Defender CSPM](#tab/defender-cspm)
+
+Foundational CSPM is included for free with Defender for Cloud. It provides security posture management and threat protection for your GCP resources. However, to get the full value of Defender CSPM, you need to enable the Defender CSPM plan, which comes with additional costs. For more information about costs, see the [Defender for Cloud pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/?msockid=37d5586afa3461fd27164e8bfbe16006).
+
+Learn more about [CSPM and the differences between the plans](concept-cloud-security-posture-management.md).
+
+#### Prerequisites
+
+- The **Subscription Owner** must enable the plan.
+- To enable Cloud Infrastructure Entitlement Management (CIEM) capabilities, the Entra ID account used for the onboarding process must have either the **Application Administrator** or **Cloud Application Administrator** directory role for your tenant (or equivalent administrator rights to create app registrations). This requirement is only necessary during the onboarding process.
+
+#### Configuration
+
+To configure the Defender CSPM plan:
+
+1. Sign in to the [Azure portal](https://portal.azure.com).
+ 
+1. Search for and select **Microsoft Defender for Cloud**.
+ 
+1. Go to **Environment settings**.
+
+1. Select the relevant GCP connector. 
+
+1. Locate the Defender CSPM row and select **Settings**.
+
+    :::image type="content" source="media/quickstart-onboard-gcp/view-configuration.png" alt-text="Screenshot that shows the link for configuring the Defender CSPM plan." lightbox="media/quickstart-onboard-gcp/view-configuration.png":::
+
+1. Toggle the switches to **On** or **Off**, depending on your need. To get the full value of Defender CSPM, turn all toggles to **On**.
+
+    :::image type="content" source="media/quickstart-onboard-gcp/cspm-configuration.png" alt-text="Screenshot that shows toggles for Defender CSPM." lightbox="media/quickstart-onboard-gcp/cspm-configuration.png":::
+
+1. Select **Save**.
+
+1. Continue from step 8 of the [Connect your GCP project](quickstart-onboard-gcp.md#connect-your-gcp-project) instructions.
+
+### [Defender for Servers](#tab/defender-for-servers)
+
+[Defender for Servers](defender-for-servers-overview.md) brings threat detection and advanced defenses to your GCP virtual machine (VM) instances. To have full visibility into Defender for Servers security content, connect your GCP VM instances to Azure Arc.
+
+#### Prerequisites
+
+- Azure Arc for servers installed on your VM instances.
+
+Use the autoprovisioning process to install Azure Arc on your VM instances. Autoprovisioning is enabled by default in the onboarding process and requires **Owner** permissions on the subscription. The Azure Arc autoprovisioning process uses the [OS Config agent on the GCP machines](https://cloud.google.com/compute/docs/images/os-details#vm-manager).
+
+The Azure Arc autoprovisioning process uses the VM manager on GCP to enforce policies on your VMs through the OS Config agent. A VM that has an [active OS Config agent](https://cloud.google.com/compute/docs/manage-os#agent-state) incurs a cost according to GCP. To see how this cost might affect your account, refer to the [GCP technical documentation](https://cloud.google.com/compute/docs/vm-manager#pricing).
+
+Defender for Servers doesn't install the OS Config agent to a VM that doesn't have it installed. However, Defender for Servers enables communication between the OS Config agent and the OS Config service if the agent is already installed but not communicating with the service. This communication can change the OS Config agent from `inactive` to `active` and lead to more costs.
+
+Alternatively, you can manually connect your VM instances to Azure Arc for servers. Instances in projects with the Defender for Servers plan enabled that aren't connected to Azure Arc are surfaced by the recommendation **GCP VM instances should be connected to Azure Arc**. Select the **Fix** option in the recommendation to install Azure Arc on the selected machines.
+
+The respective Azure Arc servers for GCP virtual machines that no longer exist (and the respective Azure Arc servers with a status of [Disconnected or Expired](/azure/azure-arc/servers/overview)) are removed after seven days. This process removes irrelevant Azure Arc entities to ensure that only Azure Arc servers related to existing instances are displayed.
+
+Ensure that you fulfill the [network requirements for Azure Arc](/azure/azure-arc/servers/network-requirements?tabs=azure-cloud).
+
+Enable these other extensions on the Azure Arc-connected machines:
+
+- Defender for Endpoint
+- A vulnerability assessment solution (Microsoft Defender Vulnerability Management or Qualys)
+
+Defender for Servers assigns tags to your Azure Arc GCP resources to manage the autoprovisioning process. You must have these tags properly assigned to your resources so that Defender for Servers can manage your resources: `Cloud`, `InstanceName`, `MDFCSecurityConnector`, `MachineId`, `ProjectId`, and `ProjectNumber`.
+
+#### Configuration
+
+1. Sign in to the [Azure portal](https://portal.azure.com).
+ 
+1. Search for and select **Microsoft Defender for Cloud**.
+ 
+1. Go to **Environment settings**.
+
+1. Select the relevant GCP connector. 
+
+1. Locate the Defender for Servers row and select **Settings**.
+
+    :::image type="content" source="media/quickstart-onboard-gcp/view-configuration.png" alt-text="Screenshot that shows the link for the settings are located." lightbox="media/quickstart-onboard-gcp/view-configuration.png":::
+
+1. Toggle the switches to **On** or **Off**, depending on your need.
+
+    :::image type="content" source="media/quickstart-onboard-gcp/auto-provision-screen.png" alt-text="Screenshot that shows the toggles for the Defender for Servers plan." lightbox="media/quickstart-onboard-gcp/auto-provision-screen.png":::
+
+    If **Azure Arc agent** is **Off**, you need to follow the manual installation process mentioned earlier.
+
+1. Select **Save**.
+
+1. Continue from step 8 of the [Connect your GCP project](quickstart-onboard-gcp.md#connect-your-gcp-project) instructions.
+
+### [Defender for Databases](#tab/defender-for-databases)
+
+[Defender for Databases](defender-for-databases-overview.md) brings advanced threat protection to your GCP Cloud SQL instances. Defender for Databases provides vulnerability assessments and advanced threat detection capabilities for your GCP VM instances that are connected to Azure Arc.
+
+#### Configuration
+
+1. Sign in to the [Azure portal](https://portal.azure.com).
+ 
+1. Search for and select **Microsoft Defender for Cloud**.
+ 
+1. Go to **Environment settings**.
+
+1. Select the relevant GCP connector. 
+
+1. Locate the Defender for Databases row and select **Settings**.
+
+    :::image type="content" source="media/quickstart-onboard-gcp/view-configuration.png" alt-text="Screenshot that shows the link for the settings are located." lightbox="media/quickstart-onboard-gcp/view-configuration.png":::
+
+1. Toggle the switches to **On** or **Off**, depending on your need.
+
+    :::image type="content" source="media/quickstart-onboard-gcp/auto-provision-databases-screen.png" alt-text="Screenshot that shows the toggles for the Defender for Databases plan." lightbox="media/quickstart-onboard-gcp/auto-provision-databases-screen-big.png":::
+
+    If the toggle for Azure Arc is **Off**, you need to follow the manual installation process mentioned earlier.
+   
+1. Select **Save**.
+
+1. Continue from step 8 of the [Connect your GCP project](quickstart-onboard-gcp.md#connect-your-gcp-project) instructions.
+
+### [Defender for Containers](#tab/defender-for-containers)
+
+[Defender for Containers](defender-for-containers-introduction.md) brings threat detection and advanced defenses to your GCP Google Kubernetes Engine (GKE) Standard clusters. To get the full security value out of Defender for Containers and to fully protect GCP clusters, ensure that you meet the following requirements.
+
+> [!NOTE]
+>
+> - If you choose to disable the available configuration options, the deployment process doesn't deploy any agents or components to your clusters. [Learn more about feature availability](support-matrix-defender-for-containers.md).
+> - When you deploy Defender for Containers on GCP, it might incur external costs such as [logging costs](https://cloud.google.com/stackdriver/pricing), [pub/sub costs](https://cloud.google.com/pubsub/pricing), and [egress costs](https://cloud.google.com/vpc/network-pricing#:~:text=Platform%20SKUs%20apply.-%2cInternet%20egress%20rates%2c-Premium%20Tier%20pricing).
+
+- **Kubernetes audit logs to Defender for Cloud**: Enabled by default. This configuration is available at the GCP project level only. It provides agentless collection of the audit log data through [GCP Cloud Logging](https://cloud.google.com/logging/) to the Defender for Cloud back end for further analysis. Defender for Containers requires control plane audit logs to provide [runtime threat protection](defender-for-containers-introduction.md#run-time-protection-for-kubernetes-nodes-and-clusters). To send Kubernetes audit logs to Defender, toggle the setting to **On**.
+
+    > [!NOTE]
+    > If you disable this configuration, the `Threat detection (control plane)` feature is disabled. Learn more about [features availability](support-matrix-defender-for-containers.md).
+
+- **Auto provision Defender's sensor for Azure Arc** and **Auto provision Azure Policy extension for Azure Arc**: Enabled by default. You can install Azure Arc-enabled Kubernetes and its extensions on your GKE clusters in three ways:
+  - Enable Defender for Containers autoprovisioning at the project level, as explained in the instructions in this section. Use this method.
+  - Use Defender for Cloud recommendations for per-cluster installation. They appear on the Defender for Cloud recommendations page. [Learn how to deploy the solution to specific clusters](defender-for-containers-enable.md?tabs=defender-for-container-gke#deploy-the-solution-to-specific-clusters).
+  - Manually install [Arc-enabled Kubernetes](/azure/azure-arc/kubernetes/quickstart-connect-cluster) and [extensions](/azure/azure-arc/kubernetes/extensions).
+
+- The [K8S API access](defender-for-containers-architecture.md#how-does-agentless-discovery-for-kubernetes-in-gcp-work) feature provides API-based discovery of your Kubernetes clusters. To enable, set the **K8S API access** toggle to **On**.
+- The [Registry access](agentless-vulnerability-assessment-gcp.md) feature provides vulnerability management for images stored in Google Container Registry (GCR) and Google Artifact Registry (GAR) and running images on your GKE clusters. To enable, set the **Registry access** toggle to **On**.
+
+#### Configuration
+
+1. Sign in to the [Azure portal](https://portal.azure.com).
+ 
+1. Search for and select **Microsoft Defender for Cloud**.
+ 
+1. Go to **Environment settings**.
+
+1. Select the relevant GCP connector. 
+
+1. Locate the Defender for Containers row and select **Settings**.
+
+    :::image type="content" source="media/quickstart-onboard-gcp/view-configuration.png" alt-text="Screenshot that shows the link for the settings are located." lightbox="media/quickstart-onboard-gcp/view-configuration.png":::
+
+1. Toggle the switches to **On** or **Off**, depending on your need.
+
+    :::image type="content" source="media/tutorial-enable-containers-gcp/containers-settings-gcp.png" alt-text="Screenshot of Defender for Cloud's environment settings page showing the settings for the Containers plan." lightbox="media/tutorial-enable-containers-gcp/containers-settings-gcp.png":::
+
+1. Select **Save**.
+
+1. Continue from step 8 of the [Connect your GCP project](quickstart-onboard-gcp.md#connect-your-gcp-project) instructions.
+
+---
+
+## Next step
+
+> [!div class="nextstep"]
+> [Ingest GCP cloud logging with Pub/Sub (Preview)](logging-ingestion.md)