Merge branch 'main' into wi-540425-mdc-ep-63

Author: sbreingold-ms

.openpublishing.redirection.defender-for-cloud.json

@@ -569,6 +569,11 @@
       "source_path_from_root": "/articles/defender-for-cloud/extract-resource-identifiers-support.md",
       "redirect_url": "/azure/defender-for-cloud/defender-portal/integration-faq#extracting-identifiers-for-support-cases",
       "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/defender-for-cloud/monitor-connected-aws-resources.md",
+      "redirect_url": "/azure/defender-for-cloud/quickstart-onboard-aws#validate-connector-health",
+      "redirect_document_id": false
     }
   ]
 }

articles/defender-for-cloud/TOC.yml

@@ -58,8 +58,6 @@
               href: quickstart-onboard-aws.md
             - name: Authentication architecture for AWS connectors
               href: concept-authentication-architecture-aws.md
-            - name: Monitor connected AWS resources
-              href: monitor-connected-aws-resources.md
             - name: Integrate AWS CloudTrail logs (Preview)
               href: integrate-cloud-trail.md
         - name: Connect GCP projects
@@ -509,6 +507,9 @@
               href: detect-exposed-ip-addresses.md
         - name: Review security recommendations
           items:
+            - name: Security recommendations
+              displayName: security, recommendations, overview, posture, management
+              href: security-recommendations.md
             - name: Review security recommendations
               displayName: security, recommendations, owner, azure, resource, graph, azure resource graph, csv report
               href: review-security-recommendations.md
@@ -866,20 +867,13 @@
           href: defender-for-sql-scan-results.md
       - name: Investigate and remediate
         items:
-        - name: Investigate Defender for SQL security Alerts, reporting, and queries
+        - name: Investigate Defender for SQL security alerts
           displayName: SQL, SQL servers, defender, machines
           href: defender-for-sql-alerts.md
         - name: Find and remediate vulnerabilities
           href: sql-azure-vulnerability-assessment-find.md
-        - name: Vulnerability assessment rules
-          href: sql-azure-vulnerability-assessment-rules.md
-        - name: SQL vulnerability assessment rules changelog
-          href: sql-azure-vulnerability-assessment-rules-changelog.md
         - name: Consume and export scan results
           href: defender-for-sql-scan-results.md
-        - name: Investigate Defender for SQL security alerts
-          href: defender-for-sql-alerts.md
-
   - name: Defender for App Service
     items:
       - name: Overview
@@ -1499,6 +1493,9 @@
         - name: Agentless code scanning
           DisplayName: Agentless code scanning
           href: episode-sixty-three.md
+        - name: Storage aggregated logs
+          DisplayName: Storage aggregated logs, Advanced Hunting, CloudStorageAggregatedEvents
+          href: episode-sixty-four.md
     - name: Microsoft Defender for IoT documentation
       href: /azure/defender-for-iot/
     - name: Azure security documentation

articles/defender-for-cloud/alerts-azure-storage.md

@@ -381,7 +381,7 @@ It's possible that a SAS token was leaked or generated by a malicious actor eith
 
 **Severity**: Low
 
-### **Malicious file uploaded to storage account**
+### **Malicious blob uploaded to storage account**
 
 Storage.Blob_AM.MalwareFound
 

articles/defender-for-cloud/api-security-posture-overview.md

@@ -5,7 +5,7 @@ ms.author: elkrieger
 author: Elazark
 ms.service: defender-for-cloud
 ms.topic: concept-article
-ms.date: 06/18/2025
+ms.date: 01/04/2026
 #customer intent: As a security professional, I want to understand how to manage and improve the security posture of my APIs using Microsoft Defender for Cloud, so that I can protect my cloud-native applications effectively.
 ---
 
@@ -14,7 +14,7 @@ ms.date: 06/18/2025
 APIs are entry points into cloud-native apps. They connect services, apps, and data, making them targets for attackers. API security posture management helps protect APIs by assessing risks from misconfigurations and vulnerabilities. The Defender Cloud Security Posture Management (CSPM) plan in Microsoft Defender for Cloud offers API discovery and posture across your Azure Function Apps and Logic Apps and your managed APIs across your Azure API Management Platform.
 
 > [!NOTE]
-> **API discovery and security posture for APIs hosted in Function Apps and Logic Apps is now available in Public Preview.** This includes visibility into APIs, posture insights including internet facing APIs, inactive or dormant APIs, APIs missing authentication and APIs that permit unencrypted traffic which may pose security risk.
+> **API discovery and security posture for APIs hosted in Function Apps and Logic Apps is now available in Public Preview.** This feature provides visibility into APIs and posture insights, including internet-facing APIs, inactive or dormant APIs, APIs missing authentication, and APIs that permit unencrypted traffic, which might pose a security risk.
 
 ## Capabilities
 
@@ -30,25 +30,25 @@ API security posture management in Defender for Cloud offers the following capab
 - **Identify inactive or dormant APIs**:  
   Surface APIs that are no longer in use across Azure API Management, Function Apps, and Logic Apps.
 - **Identify APIs allowing unencrypted traffic**:  
-  Surface APIs that permit unencrypted communication, which may introduce risk.
+  Surface APIs that permit unencrypted communication, which might introduce risk.
 - **Understand cloud application exposure risks** by linking APIs to backend environments like virtual machines, containers, storage, and databases.
 - **Address API-driven attack paths** and prioritize mitigation with cloud [security explorer and API-led attack path analysis](concept-attack-path.md).
 
 ## Unified inventory
 
-Defender for Cloud continuously discovers APIs across Azure API Management, Function Apps, and Logic Apps. You can view all APIs with posture insights in the Defender for Cloud [asset inventory](asset-inventory.md) and [API Security dashboard](defender-for-apis-introduction.md#review-api-security-findings). This helps you address API risks efficiently.
+Defender for Cloud continuously discovers APIs across Azure API Management, Function Apps, and Logic Apps. You can view all APIs with posture insights in the Defender for Cloud [asset inventory](asset-inventory.md) and [API Security dashboard](defender-for-apis-introduction.md#review-api-security-findings). This insight helps you address API risks efficiently.
 
 ## Prioritize and implement API security best practices
 
-Assess and secure your APIs against high-risk issues such as lack of encryption and anonymous access with broken or weak authentication. Gain insights into inactive APIs and those exposed directly to the internet. Defender for Cloud scans for API risks, considering potential exploitability and business impact. [Security recommendations](review-security-recommendations.md#understanding-risk-prioritization) are prioritized based on these factors, allowing you to fix critical vulnerabilities first.
+Assess and secure your APIs against high-risk issues such as lack of encryption and anonymous access with broken or weak authentication. Gain insights into inactive APIs and those exposed directly to the internet. Defender for Cloud scans for API risks, considering potential exploitability and business impact. [Security recommendations](security-recommendations.md#understanding-risk-prioritization) are prioritized based on these factors, so you can fix critical vulnerabilities first.
 
 ## Classify APIs exposing sensitive data
 
-Improve data security by assessing sensitive data exposed in API URL path parameters, query parameters, and request and response bodies, including the source of the data exposure. With [Microsoft Purview](/purview/sit-sensitive-information-type-learn-about), you can use custom sensitive information types and sensitivity labels to create a common taxonomy, covering data-in-transit risks.
+Improve data security by assessing sensitive data exposed in API URL path parameters, query parameters, and request and response bodies, including the source of the data exposure. By using [Microsoft Purview](/purview/sit-sensitive-information-type-learn-about), you can use custom sensitive information types and sensitivity labels to create a common taxonomy, covering data-in-transit risks.
 
 ### Sampling
 
-Sensitive data exposure in your APIs is assessed using sampling methods within the Defender CSPM plan. This approach saves both cost and time.
+Defender CSPM plan assesses sensitive data exposure in your APIs by using sampling methods. This approach saves both cost and time.
 
 ## Explore API risks and prioritize remediation
 
@@ -59,12 +59,12 @@ Attack path analysis identifies risks to your API endpoints, especially with mul
 To use API security posture capabilities in Microsoft Defender for Cloud, you must:
 
 1. **Enable the Defender Cloud Security Posture Management (CSPM) plan** in your subscription.  
-2. **Enable the [API Security Posture Management extension](enable-api-security-posture.md)** to allow Defender for Cloud to discover APIs and assess their posture.
+1. **Enable the [API Security Posture Management extension](enable-api-security-posture.md)** to allow Defender for Cloud to discover APIs and assess their posture.
 
-Once enabled, Defender for Cloud will automatically begin onboarding supported APIs and providing visibility and security insights.
+After you enable these features, Defender for Cloud automatically starts onboarding supported APIs and providing visibility and security insights.
 
 ## Related content  
 - [Enable API security posture with Defender CSPM](enable-api-security-posture.md).  
 - Review of [security recommendations](review-security-recommendations.md).  
 - [Identify and remediate attack paths](how-to-manage-attack-path.md).  
-- Monitor API threats using [Defender for APIs Workload Protection](defender-for-apis-deploy.md).
+- Monitor API threats by using [Defender for APIs Workload Protection](defender-for-apis-deploy.md).

articles/defender-for-cloud/assign-regulatory-compliance-standards.md

@@ -1,22 +1,19 @@
 ---
 title: Assign regulatory compliance standards in Microsoft Defender for Cloud
 description: Learn how to assign regulatory compliance standards in Microsoft Defender for Cloud.
-ms.date: 10/19/2025
+ms.date: 12/25/2025
 ms.author: elkrieger
 author: Elazark
 ms.topic: how-to
-ms.custom:
 ---
 
-# Assign security standards
+# Assign regulatory compliance standards in Defender for Cloud
 
-Defender for Cloud's regulatory standards and benchmarks are represented as [security standards](security-policy-concept.md). Each standard is defined as an initiative in Azure Policy.
+In Defender for Cloud, regulatory compliance standards are implemented using Azure Policy initiatives and evaluated through the Regulatory compliance dashboard.
 
-In Defender for Cloud, assign security standards to specific scopes such as Azure subscriptions, Amazon Web Services (AWS) accounts, and Google Cloud Platform (GCP) projects with Defender for Cloud enabled.
+You can assign regulatory compliance standards to specific scopes such as Azure subscriptions, Amazon Web Services (AWS) accounts, and Google Cloud Platform (GCP) projects.
 
-Defender for Cloud continually assesses the scoped environment against the standards. Based on assessments, it shows whether in-scope resources are compliant or noncompliant with the standard and provides remediation recommendations.
-
-This article explains how to add regulatory compliance standards as security standards in an Azure subscription, AWS account, or GCP project.
+Defender for Cloud continually assesses the scoped environment against the standards. Based on these assessments, it shows whether in-scope resources are compliant or noncompliant with the standard and provides remediation recommendations.
 
 ## Prerequisites
 
@@ -33,7 +30,7 @@ If you assign a regulatory standard but don't have any relevant assessed resourc
 
     :::image type="content" source="media/update-regulatory-compliance-packages/manage-compliance.png" alt-text="Screenshot of the regulatory compliance page that shows you where to select the manage compliance policy button." lightbox="media/update-regulatory-compliance-packages/manage-compliance.png":::
 
-1.  Select an account or management account (Azure subscription or management group, AWS account or management account, GCP project or organization) to assign the security standard.
+1.  Select an account or management account (Azure subscription or management group, AWS account or management account, GCP project or organization) to assign the regulatory compliance standard.
 
     > [!NOTE]
     > We recommend selecting the highest scope applicable to the standard so that compliance data is aggregated and tracked for all nested resources.
@@ -51,4 +48,5 @@ If you assign a regulatory standard but don't have any relevant assessed resourc
 
 -   [Create custom standards for Azure.](custom-security-policies.md)
 -   [Create custom standards for Amazon Web Services (AWS) accounts, and Google Cloud Platform (GCP) projects.](create-custom-recommendations.md)
--   [Improve regulatory compliance.](regulatory-compliance-dashboard.md)
+-   [Improve regulatory compliance.](regulatory-compliance-dashboard.md)
+-   [Regulatory compliance in Defender for Cloud.](concept-regulatory-compliance.md)

articles/defender-for-cloud/ci-cd-pipeline-scanning-with-defender-cli.md

@@ -15,36 +15,26 @@ Microsoft Defender for Cloud Command‑Line Interface (Defender for Cloud CLI) l
 ## Key capabilities
 
 * Container‑image vulnerability assessment and automatic ingestion into Cloud Security Explorer.
-* Unified, cross‑platform CLI that works with any CI runner (Azure Pipelines, GitHub Actions, Jenkins, Bitbucket, GitLab, CircleCI, Travis CI, AWS CodeBuild, and more).
+* Unified, cross‑platform CLI that works with any CI/CD tools.
 * Standards‑based SARIF output that integrates with pull‑request annotations and quality gates.
 * Token‑based authentication scoped to a single Azure subscription for granular control or Azure DevOps Connector authentication.
 
 ## Prerequisites
 
 * An Azure Subscription with Defender for Cloud onboarded. If you don't already have an Azure account, [create one for free](https://azure.microsoft.com/pricing/purchase-options/azure-account).
 * Defender CSPM enabled.
-* One of the following CI/CD pipeline tools: Jenkins, BitBucket Pipelines, Google Cloud Build, Bamboo, CircleCI, Travis CI, TeamCity, Oracle DevOps services, or AWS CodeBuild.
+* One of the following CI/CD pipeline tools: Azure Pipelines, GitHub Actions, Jenkins, BitBucket Pipelines, GitLab, Google Cloud Build, Bamboo, CircleCI, Travis CI, TeamCity, Oracle DevOps services, or AWS CodeBuild.
 * Windows or Linux/WSL terminal for local desktop scans.
 
 * Security Admin permission to create the client ID and secret tokens if using token‑based authentication, or an Azure DevOps or GitHub connector established if using connector‑based authentication.
 
 ## Authentication setup
 
-Defender for Cloud CLI supports two authentication methods to align with enterprise security practices.
-
-### Token‑based authentication
-
-Security admins create tokens in the Microsoft Defender for Cloud (MDC) portal and configure them as environment variables in CI/CD pipelines or local terminals. This approach offers flexibility across build systems and enables targeted scoping by subscription.
-
-### Connector-based authentication
-
-Connector-based authentication is currently available for Azure DevOps or GitHub. When you establish a connector between Azure DevOps and Defender for Cloud, the authentication process happens automatically. You don't need to add tokens to your pipelines.
-
-For detailed steps and examples, see:
-
-* [Defender for Cloud CLI Authentication token-based instructions](defender-cli-authentication.md)
-* [Connect your Azure DevOps organizations](quickstart-onboard-devops.md)
+Defender for Cloud CLI supports two authentication methods to align with enterprise security practices. Connector-based authentication is currently available and the preferred method of authentication for Azure DevOps and GitHub. 
 
+1. [Connector-based authentication](defender-cli-authentication.md#connector-based-ado-and-github)
+2. [Token‑based authentication](defender-cli-authentication.md#token-based)
+ 
 ## Configure your CI/CD pipeline
 
 Choose the configuration example that matches your CI/CD platform and authentication method.