
Commit 4097f13

committed
fix table and lists
1 parent f2f01ce commit 4097f13

4 files changed

Lines changed: 27 additions & 30 deletions

File tree

learn-pr/wwl-sci/design-solutions-security-posture-management-hybrid-multicloud-environments/includes/2-evaluate-security-posture-microsoft-cloud-security-benchmark.md

Lines changed: 5 additions & 6 deletions
@@ -2,7 +2,7 @@ Microsoft Defender for Cloud serves as the primary tool for evaluating security
22

33
## Understanding the Microsoft Cloud Security Benchmark
44

5-
MCSB is a comprehensive set of security best practices organized into security domains. Each domain groups related security recommendations that address a specific area of concern:
5+
MCSB is a comprehensive set of security best practices organized into security domains. Each domain groups related security recommendations that address a specific area of concern. The following table shows the 12 security domains defined in MCSB v2:
66

77
| Security domain | Focus area |
88
|---|---|
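Review bot: the new intro sentence hard-codes the domain count ("The following table shows the 12 security domains defined in MCSB v2"), and the next hunk in this same file removes a row from that table, so the literal has to be re-counted every time the table changes. Rows 9 to 16 of the table are outside this hunk, so the count can't be checked from the diff. Either verify it against the rows that remain after the Governance and strategy row is dropped, or write "the security domains defined in MCSB v2" without the number so the sentence can't drift out of sync with the table.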
@@ -17,7 +17,6 @@ MCSB is a comprehensive set of security best practices organized into security d
1717
| Endpoint security (ES) | Endpoint detection and response, anti-malware |
1818
| Backup and recovery (BR) | Backup configuration, protection, validation |
1919
| DevOps security (DS) | Code security, pipeline integrity, supply chain security |
20-
| Governance and strategy (GS) | Security roles, strategy, architecture, policies |
2120
| Artificial intelligence security (AI) | AI platform security, AI application security, AI security monitoring |
2221

2322
Each security domain contains security controls and security subcontrols that provide granular, actionable implementation guidance. Controls include a control ID, description, and platform-specific guidance for Azure, AWS, and GCP. MCSB also maps each control to industry frameworks including NIST SP 800-53, CIS Controls, and PCI-DSS, making it suitable as a unified standard for organizations operating across multiple cloud providers.
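Review bot: dropping the `| Governance and strategy (GS) | Security roles, strategy, architecture, policies |` row is a content change, not the rendering fix that the commit message "fix table and lists" describes, and nothing in the hunk explains it. If MCSB v2 no longer lists GS as a domain, say so in the commit message and search the rest of the module for references to that domain; if the row was removed only so that the "12" in the intro sentence comes out right, the intro count is what should change, not the table.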
@@ -57,13 +56,13 @@ When designing your posture management solution, use security baselines to defin
5756

5857
Use the following approach to evaluate your security posture against MCSB:
5958

60-
**Assess control coverage**: Review each MCSB control domain and determine which controls apply to your environment. Not every control applies to every organization—document which controls are applicable based on your workload types and cloud platforms.
59+
- **Assess control coverage**: Review each MCSB control domain and determine which controls apply to your environment. Not every control applies to every organization—document which controls are applicable based on your workload types and cloud platforms.
6160

62-
**Review recommendations by domain**: In Defender for Cloud, filter security recommendations by MCSB control domain to identify where your resources meet the benchmark and where gaps exist. Focus attention on controls in domains most relevant to your risk profile, such as data protection for environments handling sensitive information, or network security for internet-facing workloads.
61+
- **Review recommendations by domain**: In Defender for Cloud, filter security recommendations by MCSB control domain to identify where your resources meet the benchmark and where gaps exist. Focus attention on controls in domains most relevant to your risk profile, such as data protection for environments handling sensitive information, or network security for internet-facing workloads.
6362

64-
**Map regulatory requirements**: If your organization must comply with standards like NIST SP 800-53, PCI-DSS, or ISO 27001, use MCSB's framework mapping to identify which controls satisfy your regulatory requirements and where extra controls are needed.
63+
- **Map regulatory requirements**: If your organization must comply with standards like NIST SP 800-53, PCI-DSS, or ISO 27001, use MCSB's framework mapping to identify which controls satisfy your regulatory requirements and where extra controls are needed.
6564

66-
**Design an exception process**: For controls that don't apply to specific workloads, create documented exceptions that include the specific control and reasoning, any compensating controls in place, a review cadence for reevaluation, and approval from the appropriate stakeholder.
65+
- **Design an exception process**: For controls that don't apply to specific workloads, create documented exceptions that include the specific control and reasoning, any compensating controls in place, a review cadence for reevaluation, and approval from the appropriate stakeholder.
6766

6867
## Extending beyond MCSB
6968
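Review bot: the four items are now a proper bulleted list, which fixes the rendering, but the last item packs the four required elements of an exception record (control and reasoning, compensating controls, review cadence, approval) into one sentence. The `- **Remediation workflows**: Design processes for:` item in 9-posture-management-using-exposure-management-attack-paths.md in this same commit uses a nested sublist for exactly this pattern; doing the same here, for example
- **Design an exception process**: For controls that don't apply to specific workloads, create documented exceptions that include:
  - the specific control and the reasoning
  - any compensating controls in place
would keep the two includes consistent and make the exception template scannable.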

learn-pr/wwl-sci/design-solutions-security-posture-management-hybrid-multicloud-environments/includes/4-evaluate-security-posture-microsoft-defender-cloud.md

Lines changed: 3 additions & 3 deletions
@@ -48,11 +48,11 @@ Key security controls include:
4848

4949
Secure score appears in multiple locations, each serving a different evaluation purpose:
5050

51-
**Overview dashboard**: The Defender for Cloud overview shows your current score alongside other key security metrics including active recommendations, security alerts, and resource health.
51+
- **Overview dashboard**: The Defender for Cloud overview shows your current score alongside other key security metrics including active recommendations, security alerts, and resource health.
5252

53-
**Secure score dedicated page**: Breaks down the score by subscription. Use this view to compare posture across subscriptions and identify which environments need the most attention.
53+
- **Secure score dedicated page**: Breaks down the score by subscription. Use this view to compare posture across subscriptions and identify which environments need the most attention.
5454

55-
**Management group view**: Toggle the management group view on the secure score page to see scores organized by your Azure management group hierarchy. This helps evaluate posture across organizational units and identify management groups with the weakest security posture.
55+
- **Management group view**: Toggle the management group view on the secure score page to see scores organized by your Azure management group hierarchy. This helps evaluate posture across organizational units and identify management groups with the weakest security posture.
5656

5757
# [Overview dashboard](#tab/overview)
5858
:::image type="content" source="../media/score-on-main-dashboard.png" alt-text="Screenshot of the Defender for Cloud overview page highlighting the secure score section." lightbox="../media/score-on-main-dashboard.png":::
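Review bot: these three bullets introduce the tab group that begins at `# [Overview dashboard](#tab/overview)`, so each bullet label should match its tab title exactly. The first does, but only the first tab header is in the hunk, so confirm the remaining two tabs are titled "Secure score dedicated page" and "Management group view" (or rename the bullets to match the tabs). Learn's tabbed-content syntax also requires the tab group to be closed with a line containing only `---`; that closing line is outside the hunk and is worth checking now that a list directly precedes the tab block.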

learn-pr/wwl-sci/design-solutions-security-posture-management-hybrid-multicloud-environments/includes/6-design-cloud-workload-protection-microsoft-defender-cloud.md

Lines changed: 3 additions & 5 deletions
@@ -20,7 +20,7 @@ The key design principle: enable protection plans based on workloads present in
2020
| APIs | Defender for APIs | APIs published in Azure API Management |
2121
| Key Vault | Defender for Key Vault | Azure Key Vault secrets, keys, and certificates |
2222
| Resource Manager | Defender for Resource Manager | Azure Resource Manager control plane activity |
23-
| AI workloads | Defender for AI Services | Azure OpenAI and other Azure AI services |
23+
| AI workloads | Defender for AI Services | AI workloads, including Azure OpenAI Service and Microsoft Foundry |
2424

2525
## Designing server protection
2626
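Review bot: in the updated row, the third column (`AI workloads, including Azure OpenAI Service and Microsoft Foundry`) restates the first column, whereas every other visible row uses that column to name the concrete resources the plan protects (APIs published in Azure API Management; Azure Key Vault secrets, keys, and certificates; Azure Resource Manager control plane activity). Suggest `Azure OpenAI Service and Microsoft Foundry deployments` so the row follows the same pattern as its neighbours.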

@@ -41,9 +41,7 @@ Server protection requires the most architectural decisions. Defender for Server
4141

4242
**Plan selection**: Choose Plan 1 for EDR integration and agent-based vulnerability scanning. Choose Plan 2 for agentless scanning, just-in-time access, file integrity monitoring, or premium vulnerability management features. Consider Plan 2 for production servers and Plan 1 for development environments.
4343

44-
:::image type="content" source="../media/agentless-scanning-process.png" alt-text="Diagram showing the agentless scanning process where a disk snapshot is taken from a virtual machine, analyzed in an isolated scanning environment, and results sent to Defender for Cloud." lightbox="../media/agentless-scanning-process.png":::
45-
46-
**Coverage scope**: Enable at the subscription level for simplest management. Plan 1 can enable at the resource level; Plan 2 requires subscription-level enablement. For multicloud and on-premises servers, deploy Azure Arc for full functionality.
44+
**Coverage scope**: Enable at the subscription level to automatically protect all servers in that subscription. This is the simplest approach. Plan 1 allows you to selectively enable protection on individual VMs/servers rather than the whole subscription—useful when you only want to protect specific machines. Plan 2 can only be enabled at the subscription level—you can't pick and choose individual resources. For servers outside Azure (on-premises, AWS, GCP), you need to onboard them via Azure Arc first so Defender for Cloud can manage and protect them.
4745

4846
## Designing container protection
4947
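Review bot: this hunk deletes the agentless scanning diagram (`:::image type="content" source="../media/agentless-scanning-process.png" ...`), which is neither a list nor a table fix and is the section's only explanation of how agentless scanning works, even though the unchanged "Plan selection" paragraph just above tells readers to choose Plan 2 for it. If the removal is deliberate, say why in the commit message and delete the now-orphaned `../media/agentless-scanning-process.png` (or confirm another include still references it); otherwise keep the image, ideally under the "Plan selection" paragraph it supports. Separately, the rewritten "Coverage scope" paragraph is roughly three times the length of the original and adds editorialising ("This is the simplest approach", "you can't pick and choose individual resources") without adding facts; the original's "Plan 1 can enable at the resource level; Plan 2 requires subscription-level enablement" covered the same ground more tightly.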

@@ -77,7 +75,7 @@ Defender for Storage provides activity monitoring (detecting unusual access patt
7775

7876
**Defender for Resource Manager** monitors control plane operations for suspicious activity like persistence techniques or lateral movement. Both Key Vault and Resource Manager protection operate at subscription level with no additional configuration.
7977

80-
**Defender for AI Services** protects Azure OpenAI and other AI resources, detecting prompt injection attacks and unusual usage patterns. Enable for subscriptions with AI deployments processing sensitive data.
78+
**Defender for AI Services** protects AI workloads, including Azure OpenAI Service and Microsoft Foundry, detecting prompt injection attacks and unusual usage patterns. Enable for subscriptions with AI deployments processing sensitive data.
8179

8280
**Design consideration**: Key Vault and Resource Manager protection are foundational controls with minimal overhead - consider enabling these broadly across all production subscriptions. App Service, APIs, and AI Services protection should align with where those workloads exist.
8381
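Review bot: the enablement guidance in the rewritten `**Defender for AI Services**` paragraph ("Enable for subscriptions with AI deployments processing sensitive data") now disagrees with the unchanged "Design consideration" line two lines below, which says AI Services protection "should align with where those workloads exist". Prompt injection and anomalous-usage detection matter wherever an AI endpoint is exposed, not only where it touches sensitive data, so the second criterion is the right one; suggest "Enable for any subscription that hosts Azure OpenAI Service or Microsoft Foundry deployments" so the two statements agree.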

learn-pr/wwl-sci/design-solutions-security-posture-management-hybrid-multicloud-environments/includes/9-posture-management-using-exposure-management-attack-paths.md

Lines changed: 16 additions & 16 deletions
@@ -92,40 +92,40 @@ Initiatives provide structure for managing exposure across specific security are
9292

9393
Design your posture management process with these requirements:
9494

95-
**Critical asset identification**: Before Exposure Management provides maximum value, identify and classify critical assets. Without proper classification, attack paths may not reflect your true business risk.
95+
- **Critical asset identification**: Before Exposure Management provides maximum value, identify and classify critical assets. Without proper classification, attack paths may not reflect your true business risk.
9696

97-
**Licensing and integration**: Ensure all relevant Defender workloads are licensed and contributing data. Attack paths are only as complete as the data sources feeding them.
97+
- **Licensing and integration**: Ensure all relevant Defender workloads are licensed and contributing data. Attack paths are only as complete as the data sources feeding them.
9898

99-
**Scope management**: For large organizations, use device group scoping to filter data by business unit, geography, or environment. Initiative scores calculate based on the selected scope.
99+
- **Scope management**: For large organizations, use device group scoping to filter data by business unit, geography, or environment. Initiative scores calculate based on the selected scope.
100100

101-
**Remediation workflows**: Design processes for:
102-
- Reviewing new attack paths (especially high-risk paths to critical assets)
103-
- Addressing choke points for maximum impact
104-
- Responding to security events when scores drop
105-
- Tracking initiative progress toward target scores
101+
- **Remediation workflows**: Design processes for:
102+
- Reviewing new attack paths (especially high-risk paths to critical assets)
103+
- Addressing choke points for maximum impact
104+
- Responding to security events when scores drop
105+
- Tracking initiative progress toward target scores
106106

107107
## Setting priorities for remediation
108108

109109
Structure your remediation priorities using Exposure Management data:
110110

111-
**Priority 1 - Choke points on paths to critical assets**: These represent the highest-impact remediation opportunities. Fixing one choke point can eliminate multiple attack paths.
111+
- **Priority 1 - Choke points on paths to critical assets**: These represent the highest-impact remediation opportunities. Fixing one choke point can eliminate multiple attack paths.
112112

113-
**Priority 2 - High-risk attack paths**: Paths exploiting known vulnerabilities with available exploits, especially those with external entry points.
113+
- **Priority 2 - High-risk attack paths**: Paths exploiting known vulnerabilities with available exploits, especially those with external entry points.
114114

115-
**Priority 3 - Initiative score improvements**: Focus on initiatives with the largest gap between current and target scores, particularly those aligned with compliance requirements or business objectives.
115+
- **Priority 3 - Initiative score improvements**: Focus on initiatives with the largest gap between current and target scores, particularly those aligned with compliance requirements or business objectives.
116116

117-
**Priority 4 - Metric-specific remediation**: Address metrics showing significant exposure (low progress scores) within your priority initiatives.
117+
- **Priority 4 - Metric-specific remediation**: Address metrics showing significant exposure (low progress scores) within your priority initiatives.
118118

119119
## Integrating with security operations
120120

121121
Design how Exposure Management integrates with your broader security operations:
122122

123-
**Incident context**: During incident investigation, use blast radius analysis to understand potential impact and prioritize containment.
123+
- **Incident context**: During incident investigation, use blast radius analysis to understand potential impact and prioritize containment.
124124

125-
**Proactive hunting**: Use the enterprise exposure graph to query for specific risk conditions before they become incidents.
125+
- **Proactive hunting**: Use the enterprise exposure graph to query for specific risk conditions before they become incidents.
126126

127-
**Continuous improvement**: Track initiative scores over time to demonstrate security posture improvements. Use the 14-day trend graphs to identify positive or negative trajectories.
127+
- **Continuous improvement**: Track initiative scores over time to demonstrate security posture improvements. Use the 14-day trend graphs to identify positive or negative trajectories.
128128

129-
**Collaboration**: Share initiative progress with stakeholders to demonstrate security investments' effectiveness and justify additional resources for remaining gaps.
129+
- **Collaboration**: Share initiative progress with stakeholders to demonstrate security investments' effectiveness and justify additional resources for remaining gaps.
130130

131131
Your posture management design should create a continuous cycle: discover assets and attack paths, prioritize based on critical asset risk, remediate through initiative-aligned actions, and validate improvements through score tracking.
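Review bot: the list conversion is correct and the sublist under `- **Remediation workflows**: Design processes for:` is indented so it nests, but two of the newly listed items read poorly now that each stands alone as a bullet: "Before Exposure Management provides maximum value, identify and classify critical assets" inverts the dependency ("Exposure Management only delivers full value once critical assets are identified and classified" is clearer), and "Initiative scores calculate based on the selected scope" should be "Initiative scores are calculated for the selected scope". Also, "Use the 14-day trend graphs" hard-codes a portal detail that will go stale if the window changes; "the trend graphs" is safer.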
