
Commit 0300317

Merge pull request #2551 from MicrosoftDocs/main
Auto Publish – main to live - 2026-02-24 18:10 UTC
2 parents 21aebd8 + d6d5945 commit 0300317

4 files changed

Lines changed: 11 additions & 8 deletions

File tree

articles/defender-for-cloud/anti-malware.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -22,7 +22,7 @@ Container runtime anti-malware detection and blocking is part of the Defender fo
2222

2323
- To use container runtime anti-malware detection and blocking, you need to run the Defender for Container sensor, which is available for the AWS, GCP, and AKS clouds. Currently, this feature is in preview and is only supported for:
2424
- **AKS**: Helm provisioning with sensor version **0.10.2**.
25-
- **Multicloud**: Helm provisioning with sensor version **0.10.2** or the ARC extension using `release-train=preview`, with the command `--configuration-settings collectors.antimalwareCollector.enable='true`.
25+
- **Multicloud**: Helm provisioning with sensor version **0.10.2** or the ARC extension using `release-train=preview`, with the command `--configuration-settings collectors.antimalwareCollector.enable='true'`.
2626

2727
For example:
2828
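Review bot: the added closing quote in `collectors.antimalwareCollector.enable='true'` fixes a fragment that would not have pasted cleanly, but the sentence still calls `--configuration-settings ...` "the command" when it is only an argument to the extension command the reader is expected to run; consider "with the setting `--configuration-settings collectors.antimalwareCollector.enable='true'`" or point at the full command introduced by "For example:" below.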

articles/defender-for-cloud/cloud-infrastructure-dashboard.md

Lines changed: 7 additions & 5 deletions
@@ -37,9 +37,10 @@ The Cloud Overview dashboard is the landing page for Microsoft Defender for Clou
3737

3838
## Access the dashboard
3939

40-
You can access the Cloud Overview dashboard from the left navigation bar in the Microsoft Defender portal:
40+
You can access the Cloud Overview dashboard from the navigation bar in the Microsoft Defender portal:
4141

42-
1. Navigate to **Cloud security** > **Overview**
42+
1. Sign in to the [Defender portal](https://security.microsoft.com).
43+
1. Go to **Cloud security** > **Overview**
4344

4445
## Top controls
4546
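Review bot: the new step 1 ends with a period ("Sign in to the [Defender portal](https://security.microsoft.com).") while step 2 "Go to **Cloud security** > **Overview**" does not; terminate both steps the same way. Otherwise the change reads well: dropping "left" from "left navigation bar" avoids tying the text to one portal layout.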

@@ -86,7 +87,7 @@ Track how your security posture and threat detection evolve.
8687

8788
:::image type="content" source="media/defender-portal-dashboard/security-posture.png" alt-text="Screenshot of cloud overview dashboard security posture trends.":::
8889

89-
**Threat Detection**: View alert trends by severity.
90+
**Threat Detection**: View security alert trends by severity.
9091

9192
:::image type="content" source="media/defender-portal-dashboard/threat-detection.png" alt-text="Screenshot of cloud overview dashboard threat detection trends.":::
9293

@@ -98,10 +99,11 @@ Each tile in this section surfaces insights from Microsoft’s CNAPP (Cloud-Nati
9899

99100
Workloads include:
100101

101-
- Virtual Machines (VMs)
102+
- Compute (including virtual machines)
103+
- Data
102104
- Containers
105+
- AI
103106
- APIs
104-
- Data
105107
- DevOps
106108
- CIEM
107109
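Review bot: with "Virtual Machines (VMs)" replaced by "Compute (including virtual machines)", the list expands one item but leaves "CIEM" as a bare acronym beside plain words like "Data" and "AI"; spell it out on first use (Cloud Infrastructure Entitlement Management) so the workload list is self-explanatory. Also confirm the new order (Data before Containers, AI before APIs) is deliberate, for example matching the dashboard's tile order, rather than an artifact of the move.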

articles/defender-for-cloud/concept-integration-365.md

Lines changed: 1 addition & 1 deletion
@@ -31,7 +31,7 @@ Incidents and alerts are now part of [Microsoft Defender XDR's public API](/micr
3131
> [!NOTE]
3232
> Permissions to view Defender for Cloud alerts and correlations are automatic for the entire tenant. Viewing specific subscriptions isn't supported. Use the **alert subscription ID** filter to view Defender for Cloud alerts associated with a specific Defender for Cloud subscription in the alert and incident queues. Learn more about [filters](/defender-xdr/incident-queue#filters).
3333
34-
The integration is available only by applying the appropriate [Microsoft Defender XDR Unified role-based access control (RBAC)](/defender-xdr/manage-rbac) role for Defender for Cloud. To view Defender for Cloud alerts and correlations without Defender XDR Unified RBAC, you must be a Global Administrator or Security Administrator in Azure Active Directory.
34+
The integration is available only by applying the appropriate [Microsoft Defender XDR Unified role-based access control (RBAC)](/defender-xdr/manage-rbac) role for Defender for Cloud. To view Defender for Cloud alerts and correlations without Defender XDR Unified RBAC, you must be a Global Administrator or Security Administrator in Microsoft Entra ID.
3535

3636
## Investigation experience in Microsoft Defender XDR
3737
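Review bot: the Azure Active Directory to Microsoft Entra ID rename is correct, but the two sentences at line 34 still read as contradictory: the first says the integration is available only by applying a Defender XDR Unified RBAC role, the second describes viewing alerts without Unified RBAC. Suggest making the relationship explicit, e.g. "Access is granted through the ... role. If Defender XDR Unified RBAC isn't enabled for Defender for Cloud, you must be a Global Administrator or Security Administrator in Microsoft Entra ID." Since Global Administrator is a tenant-wide privileged role, the paragraph could also point readers to the Unified RBAC role as the least-privilege option.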

articles/defender-for-cloud/release-notes-recommendations-alerts.md

Lines changed: 2 additions & 1 deletion
@@ -2,7 +2,7 @@
22
title: New and upcoming changes in recommendations, alerts, and incidents
33
description: Get release notes for new and upcoming changes in recommendations, alerts, and incidents in Microsoft Defender for Cloud.
44
ms.topic: overview
5-
ms.date: 02/17/2026
5+
ms.date: 02/24/2026
66
#customer intent: As a Defender for Cloud admin, I want to stay up to date on the latest new and changed security recommendations and alerts.
77
---
88

@@ -48,6 +48,7 @@ New and updated recommendations, alerts, and incidents are added to the table in
4848

4949
| **Date announced** | **Type** | **State** | **Name** |
5050
| ------------ | -------------- | -------------------- | ------------------------------------------------------------ |
51+
| February 24, 2026 | Recommendation | GA | The following data recommendations are GA: <br><br> - [Storage accounts should restrict network access using virtual network rules](recommendations-reference-data.md#storage-accounts-should-restrict-network-access-using-virtual-network-rules). <br><br> - [Storage account should use a private link connection](recommendations-reference-data.md#storage-account-should-use-a-private-link-connection). <br><br> - [Storage accounts should prevent shared key access](recommendations-reference-data.md#storage-accounts-should-prevent-shared-key-access). |
5152
| February 16 2026 | Recommendation | Upcoming deprecation <br> (March 19, 2026) | The preview recommendation `Machines should be configured securely (powered by MDVM)`, which applied to Window machines, is set for deprecation. The recommendation is set to be replaced by the following OS-specific recommendations, which include Linux support using Guest configuration: <br><br> - **Vulnerabilities in security configuration on your Linux machines should be remediated (powered by Guest Configuration)** <br><br> - **Vulnerabilities in security configuration on your Windows machines should be remediated (powered by Guest Configuration)**.<br><br> These replacement recommendations are already available in Defender for Cloud. <br><br> If you have any governance rules, reports, or workflows that reference the deprecated recommendation, update them to use the replacement recommendations. To ensure the new recommendations can assess your machines, verify that the required prerequisites are in place: <br><br> - **Azure machines** should have the [Azure Machine Configuration extension](/azure/virtual-machines/extensions/guest-configuration) installed. <br> - **Non-Azure machines** should be onboarded via [Azure Arc](/azure/azure-arc/servers/overview), which includes the Machine Configuration extension by default. |
5253
| February 10, 2026 | Recommendation | Preview | The following recommendations are released in Preview:<br>\* Execute permissions on xp_cmdshell from all users (except dbo) should be revoked for SQL Servers<br>\* Latest updates should be installed for SQL Servers<br>\* Database user GUEST should not be a member of any role in SQL databases<br>\* Ad hoc distributed queries should be disabled for SQL Servers<br>\* CLR should be disabled for SQL Servers<br>\* Untracked trusted assemblies should be removed for SQL Servers<br>\* Database ownership chaining should be disabled for all databases except for 'master', 'msdb' and 'tempdb' on SQL Servers<br>\* Principal GUEST should not have access to any user SQL database<br>\* Remote Admin Connections should be disabled unless specifically required for SQL databases<br>\* Default trace should be enabled for SQL Servers<br>\* CHECK_POLICY should be enabled for all SQL logins for SQL Servers<br>\* Password expiration check should be enabled for all SQL logins on SQL Servers<br>\* Database principals should not be mapped to the sa account in SQL databases<br>\* AUTO_CLOSE should be disabled for SQL databases<br>\* BUILTIN\Administrators should be removed as a server login for SQL Servers<br>\* Account with default name 'sa' should be renamed and disabled on SQL Servers<br>\* Excessive permissions should not be granted to PUBLIC role on objects or columns in SQL databases<br>\* 'sa' login should be disabled for SQL Servers<br>\* xp_cmdshell should be disabled for SQL Servers<br>\* Unused service broker endpoints should be removed for SQL Servers<br>\* Database Mail XPs should be disabled when it is not in use on SQL Servers<br>\* Server permissions shouldn't be granted directly to principals for SQL Servers<br>\* Database users shouldn't share the same name as a server login for Model SQL database<br>\* 'Scan for startup stored procedures' option should be disabled for SQL Servers<br>\* Authentication mode should be Windows 
Authentication for SQL Servers<br>\* Auditing of both successful and failed login attempts (default trace) should be enabled when 'Login auditing' is set up to track logins for SQL Servers<br>\* SQL Server instance shouldn't be advertised by the SQL Server Browser service for SQL Servers<br>\* Maximum number of error logs should be 12 or more for SQL Servers<br>\* Database permissions shouldn't be granted directly to principals for SQL Servers<br>\* Excessive permissions should not be granted to PUBLIC role in SQL databases<br>\* Principal GUEST should not be granted permissions in SQL databases<br>\* Principal GUEST should not be granted permissions on objects or columns in SQL databases<br>\* AES encryption should be required for any Existing Mirroring or SSB endpoint on SQL Databases<br>\* GUEST user should not be granted permissions on SQL database securables<br>\* The Trustworthy bit should be disabled on all databases except MSDB for SQL Databases<br>\* 'dbo' user should not be used for normal service operation in SQL databases<br>\* Only 'dbo' should have access to Model SQL database<br>\* Transparent data encryption should be enabled for SQL databases<br>\* Database communication using TDS should be protected through TLS for SQL Servers<br>\* Database Encryption Symmetric Keys should use AES algorithm in SQL databases<br>\* Cell-Level Encryption keys should use AES algorithm in SQL databases<br>\* Certificate keys should use at least 2048 bits for SQL Databases<br>\* Asymmetric keys' length should be at least 2048 bits in SQL databases<br>\* Filestream should be disabled for SQL Servers<br>\* Server configuration 'Replication XPs' should be disabled for SQL Servers<br>\* Orphaned users should be removed from SQL server databases<br>\* The database owner information in the database should match the respective database owner information in the master database for SQL databases<br>\* Application roles should not be used in SQL databases<br>* There should be no 
SPs marked as auto-start for SQL Servers<br>\* User-defined database roles should not be members of fixed roles in SQL databases<br>\* User CLR assemblies should not be defined in SQL databases<br>\* Database owners should be as expected for SQL databases<br>\* Auditing of both successful and failed login attempts should be enabled for SQL Servers<br>\* Auditing of both successful and failed login attempts for contained DB authentication should be enabled for SQL databases<br>\* Contained users should use Windows Authentication in SQL Server databases<br>\* Polybase network encryption should be enabled for SQL databases<br>\* Create a baseline of External Key Management Providers for SQL Servers<br>\* Force encryption should be enabled for TDS for SQL Servers<br>* Server Permissions granted to public should be minimized for SQL Servers<br>\* All memberships for user-defined roles should be intended in SQL databases<br>\* Orphan database roles should be removed from SQL databases<br>\* There should be at least 1 active audit in the system for SQL Servers<br>\* Minimal set of principals should be granted ALTER or ALTER ANY USER database-scoped permissions in SQL databases<br>\* Minimal set of principals should be granted EXECUTE permission on objects or columns in SQL databases<br>\* SQL Threat Detection should be enabled at the SQL server level<br>\* Auditing should be enabled at the server level for SQL Servers<br>\* Database-level firewall rules should not grant excessive access for SQL Servers<br>\* Server-level firewall rules shouldn't grant excessive access for SQL Servers<br>\* Database-level firewall rules should be tracked and maintained at a strict minimum for SQL Servers<br>\* Server-level firewall rules should be tracked and maintained at a strict minimum on SQL Servers<br>\* Unnecessary execute permissions on extended stored procedures should be revoked for SQL Servers<br>\* Minimal set of principals should be members of fixed Azure SQL Database master 
database roles<br>\* Minimal set of principals should be members of fixed high impact database roles in SQL databases<br>\* Minimal set of principals should be members of fixed low impact database roles in SQL databases<br>\* Execute permissions to access the registry should be restricted for SQL Servers<br>\* Sample databases should be removed for SQL Servers<br>\* Data Transformation Services (DTS) permissions should only be granted to SSIS roles in MSDB SQL database<br>\* Minimal set of principals should be members of fixed server roles for SQL Servers<br>\* Features that may affect security should be disabled for SQL Servers<br>\* 'OLE Automation Procedures' feature should be disabled for SQL Servers<br>\* 'User Options' feature should be disabled for SQL Servers<br>\* Extensibility-features that may affect security should be disabled if not needed for SQL Servers<br>\* Vulnerability Assessment should be configured on SQL Server 2012 and higher only<br>\* Changes to signed modules should be authorized for SQL databases<br>\* Track all users with access to the database for SQL Databases<br>\* SQL logins with commonly used names should be disabled for SQL Servers<br>\* See the full [rules and recommendations mapping](sql-azure-vulnerability-assessment-rules.md) |
5354
| December 11, 2025 | Alert | Deprecated | The following alerts are now deprecated. <br>\* AppServices_AnomalousPageAccess<br>\* AppServices_CurlToDisk<br>\* AppServices_WpThemeInjection<br>\* AppServices_SmartScreen<br>\* AppServices_ScanSensitivePage<br>\* AppServices_CommandlineSuspectDomain<br>\* AzureDNS_ThreatIntelSuspectDomain<br>\* AppServices_FilelessAttackBehaviorDetection<br>\* AppServices_FilelessAttackTechniqueDetection<br>\* AppServices_FilelessAttackToolkitDetection<br>\* AppServices_PhishingContent<br>\* AppServices_ProcessWithKnownSuspiciousExtension<br><br>These alerts are being retired as part of a quality improvement process and replaced by newer, more advanced alerts that provide greater accuracy and improved threat detection capabilities. This update ensures enhanced security coverage and reduced noise. |
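Review bot: the new February 24, 2026 row formats its list as `<br><br> - [link].` with trailing periods, while the neighboring rows use `<br>\* item` with no periods; pick one style within the table. Two pre-existing issues in the visible context are worth fixing in the same pass: "February 16 2026" is missing the comma every other date uses, and "Window machines" should read "Windows machines".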
