Merge branch 'main' of https://github.com/MicrosoftDocs/azure-security-docs-pr

Author: DebLanger

.openpublishing.redirection.defender-for-cloud.json

@@ -564,6 +564,16 @@
       "source_path_from_root": "/articles/defender-for-cloud/tutorial-enable-containers-arc.md",
       "redirect_url": "/azure/defender-for-cloud/defender-for-containers-arc-enable-portal",
       "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/defender-for-cloud/extract-resource-identifiers-support.md",
+      "redirect_url": "/azure/defender-for-cloud/defender-portal/integration-faq#extracting-identifiers-for-support-cases",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/defender-for-cloud/monitor-connected-aws-resources.md",
+      "redirect_url": "/azure/defender-for-cloud/quickstart-onboard-aws#validate-connector-health",
+      "redirect_document_id": false
     }
   ]
 }

.openpublishing.redirection.key-vault.json

@@ -549,6 +549,16 @@
     "source_path_from_root": "/articles/key-vault/secrets/secrets-best-practices.md",
     "redirect_url": "/azure/key-vault/secrets/secure-secrets",
     "redirect_document_id": false
+  },
+  {
+    "source_path_from_root": "/articles/key-vault/general/dotnet2api-release-notes.md",
+    "redirect_url": "/azure/key-vault/general/client-libraries",
+    "redirect_document_id": false
+  },
+  {
+    "source_path_from_root": "/articles/key-vault/general/customer-data.md",
+    "redirect_url": "/azure/key-vault/general/monitor-key-vault",
+    "redirect_document_id": false
   }
 ]
 }

articles/cloud-hsm/authentication.md

@@ -15,7 +15,7 @@ Authentication is a crucial aspect of securely accessing and operating within Az
 
 ## Cloud HSM CLI authentication
 
-You can authenticate by using CLI tools like `azcloudhsm_util` in either interactive mode or single-command mode. In interactive mode, use the `login` command. For single-command mode, include `singlecmd` and parameters for `loginHSM`. We advise you to securely store your HSM credentials when your application isn't using them.
+You can authenticate by using CLI tools like `azcloudhsm_util` in either interactive mode or single-command mode. In interactive mode, use the `loginHSM` command. For single-command mode, include `singlecmd` and parameters for `loginHSM`. We advise you to securely store your HSM credentials when your application isn't using them.
 
 ### Interactive mode
 

articles/defender-for-cloud/TOC.yml

@@ -52,11 +52,24 @@
           displayName: enable, defender for cloud, activate, turn on, Microsoft Defender XDR, alerts, integration, m365, m365d, m365 defender, free, trial, free trial
           href: connect-azure-subscription.md
         - name: Connect AWS accounts
-          displayName: hybrid, multicloud, multicloud, amazon, arc, AWS, accounts, Microsoft Defender XDR, alerts, integration, m365, m365d, m365 defender
-          href: quickstart-onboard-aws.md
+          items:
+            - name: Connect your AWS account
+              href: quickstart-onboard-aws.md
+            - name: Authentication architecture for AWS connectors
+              href: concept-authentication-architecture-aws.md
+            - name: Integrate AWS CloudTrail logs (Preview)
+              href: integrate-cloud-trail.md
         - name: Connect GCP projects
-          displayName: hybrid, multicloud, multicloud, google, gcp, Microsoft Defender XDR, alerts, integration, m365, m365d, m365 defender
-          href: quickstart-onboard-gcp.md
+          items:
+            - name: Connect your GCP project
+              displayName: gcp, connect, onboard
+              href: quickstart-onboard-gcp.md
+            - name: Configure GCP plans
+              displayName: GCP, plans, configure
+              href: configure-google-plans.md
+            - name: Ingest GCP logging
+              displayName: GCP, logging, ingest
+              href: logging-ingestion.md
         - name: Connect individual non-Azure machines
           items:
             - name: Connect machines with Defender for Endpoint
@@ -65,6 +78,13 @@
             - name: Connect machines with Azure Arc
               displayName: azure stack, ash, windows, linux, hybrid, arc, on-premises, Microsoft Defender XDR, alerts, integration, m365, m365d, m365 defender
               href: quickstart-onboard-machines.md
+    - name: Networking and connectivity
+      items:
+      - name: Microsoft Security Private Link for Microsoft Defender for Cloud (Preview)
+        displayName: private endpoints, private link, security private link, networking, connectivity, VPN, ExpressRoute
+        href: concept-private-links.md
+      - name: Configure private endpoints with Microsoft Security Private Link (Preview)
+        href: configure-private-endpoints.md
     - name: Enable specific plans
       expanded: false
       items:
@@ -501,6 +521,9 @@
               href: detect-exposed-ip-addresses.md
         - name: Review security recommendations
           items:
+            - name: Security recommendations
+              displayName: security, recommendations, overview, posture, management
+              href: security-recommendations.md
             - name: Review security recommendations
               displayName: security, recommendations, owner, azure, resource, graph, azure resource graph, csv report
               href: review-security-recommendations.md
@@ -683,7 +706,6 @@
             href: deploy-vulnerability-assessment-byol-vm.md
           - name: Move to scanning with Defender Vulnerability Management
             displayName: qualys, rapid7, vulnerability, migrate, transition, Microsoft Defender Vulnerability Management, mdvm
-            href: transition-to-built-in.md
       - name: Machine secrets scanning
         items:
           - name: Overview
@@ -859,20 +881,13 @@
           href: defender-for-sql-scan-results.md
       - name: Investigate and remediate
         items:
-        - name: Investigate Defender for SQL security Alerts, reporting, and queries
+        - name: Investigate Defender for SQL security alerts
           displayName: SQL, SQL servers, defender, machines
           href: defender-for-sql-alerts.md
         - name: Find and remediate vulnerabilities
           href: sql-azure-vulnerability-assessment-find.md
-        - name: Vulnerability assessment rules
-          href: sql-azure-vulnerability-assessment-rules.md
-        - name: SQL vulnerability assessment rules changelog
-          href: sql-azure-vulnerability-assessment-rules-changelog.md
         - name: Consume and export scan results
           href: defender-for-sql-scan-results.md
-        - name: Investigate Defender for SQL security alerts
-          href: defender-for-sql-alerts.md
-
   - name: Defender for App Service
     items:
       - name: Overview
@@ -1489,6 +1504,21 @@
         - name: Integrate CLI with CI/CD pipelines
           DisplayName: Defender for Cloud CLI, CI/CD pipelines
           href: episode-fifty-nine.md
+        - name: Code reachability analysis
+          DisplayName: Code reachability analysis, reachable vulnerabilities
+          href: episode-sixty.md
+        - name: Kubernetes lateral movement
+          DisplayName: Kubernetes lateral movement, Kubernetes RBAC, attack paths
+          href: episode-sixty-one.md
+        - name: Kubernetes gated deployment
+          DisplayName: Kubernetes gated deployment, gated rules
+          href: episode-sixty-two.md
+        - name: Agentless code scanning
+          DisplayName: Agentless code scanning
+          href: episode-sixty-three.md
+        - name: Storage aggregated logs
+          DisplayName: Storage aggregated logs, Advanced Hunting, CloudStorageAggregatedEvents
+          href: episode-sixty-four.md
     - name: Microsoft Defender for IoT documentation
       href: /azure/defender-for-iot/
     - name: Azure security documentation

articles/defender-for-cloud/agentless-code-scanning.md

@@ -21,7 +21,9 @@ You can customize which scanners to run and define exactly which organizations,
 - **Supported use cases**:
   - [Security recommendations to prioritize and fix code vulnerabilities](defender-for-devops-introduction.md#manage-your-devops-environments-in-defender-for-cloud)
   - [Security recommendations to prioritize and fix Infrastructure-as-Code (IaC) misconfigurations](iac-vulnerabilities.md)
-
+    
+  - Cloud Security Explorer queries to locate repositories including dependencies resulting from an SBOM.
+    
 - [Supported cloud availability](support-matrix-defender-for-cloud.md).
 
 - **Supported regions**: Australia East, Canada Central, Central US, East Asia, East US, North Europe, Sweden Central, UK South, West Europe.
@@ -47,15 +49,16 @@ Some of the key benefits of agentless code scanning in Microsoft Defender for Cl
 - **Rapid insights for quick remediation**: Receive actionable vulnerability insights right after onboarding. This allows quick fixes and reduces exposure time.  
 - **Developer-friendly and seamless**: Operate independently of continuous integration and continuous deployment (CI/CD) pipelines, without changes or direct developer involvement needed. This allows for continuous security monitoring without disrupting developer productivity or workflows.
 - **Flexible coverage and control:** Choose which scanners run and what gets scanned. You can cover everything by default or customize settings to include or exclude specific organizations, projects, or repositories. This allows you to match security coverage to your risk profile and operational needs, without extra complexity.
+- **Software Bill of Materials (SBOM) creation**: Automatically generating an SBOM on every scan gives teams a precise, queryable inventory of dependencies and versions across their repositories, without additional workflow changes. This enables rapid impact analysis, faster response to newly disclosed vulnerabilities, and confident decision-making when assessing exposure to specific packages or versions.
 
 ## Risks detection capabilities
 
-Agentless code scanning improves security by offering targeted security recommendations for both code and infrastructure-as-code (IaC) templates. This is in addition to the foundational cloud security posture management security recommendations provided through the connector. Key detection capabilities include:
+Agentless code scanning improves security by delivering targeted, actionable recommendations across application code, infrastructure-as-code (IaC) templates, and third-party dependencies. This is in addition to the cloud security posture management security recommendations provided through the connector. Key detection capabilities include:
 
 - **Code vulnerabilities**: Find common coding errors, unsafe coding practices, and known vulnerabilities in multiple programming languages.
 - **Infrastructure-as-Code misconfigurations**: Detect security misconfigurations in IaC templates that could lead to insecure deployments. 
-
 - **Dependency vulnerabilities**: Identify known vulnerabilities in open-source packages and OS packages discovered in repositories. 
+- **Software Bill of Materials (SBOM)**: Automatically generate a comprehensive, queryable inventory of dependencies and their versions for each repository,
 
 Creating the connector enhances security by providing foundational cloud security posture management recommendations for repositories, pipelines, and service connections.
 
@@ -70,6 +73,7 @@ Agentless code scanning uses various open-source tools to find vulnerabilities a
 | **[Bandit](https://github.com/PyCQA/bandit)**            |Python                                                       | [Apache 2.0](https://github.com/PyCQA/bandit/blob/master/LICENSE)  |
 | **[ESLint](https://github.com/eslint/eslint)**            |JavaScript, TypeScript, JSX, TSX                             | [MIT](https://github.com/eslint/eslint/blob/main/LICENSE)         |
 | **[Trivy](https://www.github.com/aquasecurity/trivy/)**|Dependency and OS package vulnerability scanning from repository manifests and lockfiles (filesystem mode) |[Apache 2.0](https://github.com/aquasecurity/trivy/blob/main/LICENSE)|
+| **[Syft](https://github.com/anchore/syft/)**|Alpine (apk), Bitnami packages, C (conan), C++ (conan), Dart (pubs), Debian (dpkg), Dotnet (deps.json), Objective-C (cocoapods), Elixir (mix), Erlang (rebar3), Go (go.mod, Go binaries), GitHub (workflows, actions), Haskell (cabel, stack), Java (jar, ear, war, par, sar, nar, rar, native-image), JavaScript (npm, yarn), Jenkins Plugins (jpi, hpi), Linux kernel archives (vmlinz), Linux kernel modules (ko), Nix (outputs in /nix/store), PHP (composer, PECL, Pear), Python (wheel, egg, poetry, requirements.txt, uv), Red Hat (rpm), Ruby (gem), Rust (cargo.lock, auditable binary), Swift (cocoapods, swift-package-manager), Wordpress plugins, Terraform providers (.terraform.lock.hcl) | [Apache 2.0](https://github.com/anchore/syft/blob/main/LICENSE)|
 
 
 These tools support a wide range of languages and infrastructure-as-code (IaC) frameworks, ensuring thorough security analysis across your codebase.
@@ -147,7 +151,7 @@ Once you enable the agentless code scanning feature within a connector, the scan
 
 1. **Code retrieval**: It securely retrieves the latest code from the default (main) branch of each repository for analysis, initially after connector setup and then daily.
 
-1. **Analysis**: The system uses a set of built-in scanning tools managed and updated within Microsoft Defender for Cloud to find vulnerabilities and misconfigurations in code and infrastructure-as-code (IaC) templates.
+1. **Analysis**: The system uses a set of built-in scanning tools managed and updated within Microsoft Defender for Cloud to find vulnerabilities and misconfigurations in code and infrastructure-as-code (IaC) templates. It also creates an SBOM to allow for queryable package management.
 
 1. **Findings processing**: It processes scan findings through Defender for Cloud’s backend to create actionable security recommendations.
 
@@ -219,12 +223,17 @@ During the **public preview** phase, the following limitations apply:
 
 - **No binary scanning**: Only code (SAST) and IaC scanning tools are executed.  
 - **Scan frequency**: It scans repositories upon enablement, and then daily.  
-
 - **Repository size**: It limits scanning to repositories under 1 GB.
-
 - **Branch coverage**: Scans cover only the default branch (usually `main`).  
 - **Tool customization**: You can't customize scanning tools.
 
+SBOM currently has the following limitations:
+- Repository needs a lock file otherwise only direct dependencies will be found
+- The SBOM size limitation is restricted to 1MB. If there are a lot of packages identified, our ingestion into the Cloud Map will fail.
+- SBOM enablement is not configurable. An SBOM will be generated on every Agentless scan.
+- Timeout is set to 15 minutes for the SBOM tool to run.
+- Disabling Agentless doesn't delete the SBOM recommendations.
+
 ## Related content
 
 - [Overview of Microsoft Defender for Cloud DevOps security](defender-for-devops-introduction.md)

articles/defender-for-cloud/ai-security-posture.md

@@ -32,7 +32,7 @@ Defender for Cloud reduces risks to cross-cloud AI workloads by:
 > 1. In the Azure portal, go to the Environment Settings page and select the appropriate AWS connector.
 > 1. Select **Configure access**.
 > 1. Ensure the permissions type is set to **Least privilege access**.
-> 1. [Follow steps 5 - 8](quickstart-onboard-aws.md#select-defender-plans) to finish the configuration.
+> 1. [Follow steps 7 - 11](quickstart-onboard-aws.md#connect-your-aws-account) to finish the configuration.
 
 ## Discover generative AI apps
 

articles/defender-for-cloud/ai-threat-protection.md

@@ -10,17 +10,11 @@ author: Elazark
 
 # Overview - AI threat protection
 
-Microsoft Defender for Cloud's threat protection for AI services identifies threats to generative AI applications in real time and helps respond to security issues.
-
-Defender for Cloud's AI threat protection works with [Azure AI Content Safety Prompt Shields](/azure/ai-services/content-safety/concepts/jailbreak-detection) and Microsoft's threat intelligence to provide security alerts for threats like data leakage, data poisoning, jailbreak, and credential theft.
-
-:::image type="content" source="media/ai-threat-protection/threat-protection-ai.png" alt-text="Diagram that shows how enabling, detection, and response works for threat protection." lightbox="media/ai-threat-protection/threat-protection-ai.png":::
+Microsoft Defender for Cloud's threat protection for AI services identifies threats to generative AI applications in real time and helps respond to security issues. Defender for Cloud's AI threat protection works with [Azure AI Content Safety Prompt Shields](/azure/ai-services/content-safety/concepts/jailbreak-detection) and Microsoft's threat intelligence to provide security alerts for threats like data leakage, data poisoning, jailbreak, and credential theft.
 
 ## Defender XDR integration
 
-Threat protection for AI services integrates with the [Defender XDR](concept-integration-365.md), allowing security teams to centralize AI workload alerts in the Defender XDR portal.
-
-Security teams can correlate AI workload alerts and incidents in the Defender XDR portal to understand the full scope of an attack, including malicious activities related to their generative AI applications.
+Threat protection for AI services integrates with the [Defender XDR](concept-integration-365.md), allowing security teams to centralize AI workload alerts in the Defender XDR portal. Security teams can correlate AI workload alerts and incidents in the Defender XDR portal to understand the full scope of an attack, including malicious activities related to their generative AI applications.
 
 ## Availability
 

articles/defender-for-cloud/alerts-ai-workloads.md

@@ -19,6 +19,9 @@ This article lists the security alerts you might get for AI services from Micros
 
 > [!NOTE]
 > Alerts from different sources might take different amounts of time to appear. For example, alerts that require analysis of network traffic might take longer to appear than alerts related to suspicious processes running on virtual machines.
+> 
+> [!NOTE]
+> For alerts that are in preview: [!INCLUDE [Legalese](./includes/defender-for-cloud-preview-legal-text.md)]
 
 ## AI services alerts
 
@@ -162,6 +165,16 @@ This article lists the security alerts you might get for AI services from Micros
 
 **Severity**: Medium
 
+### **Anomalous tool invocation**
+
+(AI.Azure_AnomalousToolInvocation)
+
+**Description:** This alert analyzes anomalous activity from an AI application connected to an Azure OpenAI model deployment. The application attempted to invoke a tool in a manner that deviates from expected behavior. This behavior may indicate potential misuse or an attempted attack through one of the tools available to the application.
+
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Execution
+
+**Severity**: Low
+
 ### (Preview) Suspicious anomaly detected in sensitive data exposed by an AI resource
 
 (AI.Azure_SensitiveDataAnomaly)
@@ -172,19 +185,16 @@ This article lists the security alerts you might get for AI services from Micros
 
 **Severity**: Medium
 
-### **Anomalous tool invocation**
+### (Preview) LLM Reconnaissance Attempt Detected
 
-(AI.Azure_AnomalousToolInvocation)
+(AI.Azure_LLMReconnaissance)
 
-**Description:** This alert analyzes anomalous activity from an AI application connected to an Azure OpenAI model deployment. The application attempted to invoke a tool in a manner that deviates from expected behavior. This behavior may indicate potential misuse or an attempted attack through one of the tools available to the application.
+**Description:** A threat actor is interacting with your AI application in a way that resembles reconnaissance behavior, including attempts to extract system instructions, model capabilities, or bypass safety guardrails. These prompts may precede attempted prompt injection or jailbreak attacks. 
 
-**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Execution
+**[MITRE tactics](alerts-reference.md#mitre-attck-tactics)**: Reconnaissance
 
 **Severity**: Low
 
-> [!NOTE]
-> For alerts that are in preview: [!INCLUDE [Legalese](./includes/defender-for-cloud-preview-legal-text.md)]
-
 ## Next steps
 
 - [Security alerts in Microsoft Defender for Cloud](alerts-overview.md)