Merge pull request #25242 from AlizaBernstein/WI-45775-Update-ASC-branding-to-MDC

WI-45775-Updating screens for MDC SQL

Author: PMEds28

azure-sql/database/azure-defender-for-sql.md

@@ -3,7 +3,7 @@ title: Microsoft Defender for SQL
 description: Learn about functionality for managing your database vulnerabilities and detecting anomalous activities that could indicate a threat to your database in Azure SQL Database, Azure SQL Managed Instance, or Azure Synapse.
 author: bmansheim
 ms.author: benmansheim
-ms.date: 06/15/2022
+ms.date: 01/16/2023
 ms.service: sql-db-mi
 ms.subservice: security
 ms.topic: conceptual
@@ -19,10 +19,11 @@ Microsoft Defender for SQL is a Defender plan in Microsoft Defender for Cloud. M
 ## What are the benefits of Microsoft Defender for SQL?
 
 Microsoft Defender for SQL provides a set of advanced SQL security capabilities, including SQL Vulnerability Assessment and Advanced Threat Protection.
+
 - [Vulnerability Assessment](/azure/defender-for-cloud/sql-azure-vulnerability-assessment-overview) is an easy-to-configure service that can discover, track, and help you remediate potential database vulnerabilities. It provides visibility into your security state, and it includes actionable steps to resolve security issues and enhance your database fortifications.
 - [Advanced Threat Protection](threat-detection-overview.md) detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit your database. It continuously monitors your database for suspicious activities, and it provides immediate security alerts on potential vulnerabilities, Azure SQL injection attacks, and anomalous database access patterns. Advanced Threat Protection alerts provide details of the suspicious activity and recommend action on how to investigate and mitigate the threat.
 
-Enable Microsoft Defender for SQL once to enable all these included features. With one click, you can enable Microsoft Defender for all databases on your [server](logical-servers.md) in Azure or in your SQL Managed Instance. Enabling or managing Microsoft Defender for SQL settings requires belonging to the [SQL security manager](/azure/role-based-access-control/built-in-roles#sql-security-manager) role, or one of the database or server admin roles.
+Enable Microsoft Defender for SQL once to enable all these included features. With one select, you can enable Microsoft Defender for all databases on your [server](logical-servers.md) in Azure or in your SQL Managed Instance. Enabling or managing Microsoft Defender for SQL settings requires belonging to the [SQL security manager](/azure/role-based-access-control/built-in-roles#sql-security-manager) role, or one of the database or server admin roles.
 
 For more information about Microsoft Defender for SQL pricing, see the [Microsoft Defender for Cloud pricing page](https://azure.microsoft.com/pricing/details/security-center/).
 
@@ -46,15 +47,15 @@ To enable Microsoft Defender for Azure SQL Database at the subscription level fr
 1. Select the relevant subscription.
 1. Change the plan setting to **On**.
 
-    :::image type="content" source="media/azure-defender-for-sql/enable-azure-defender-sql-subscription-level.png" alt-text="Enabling Microsoft Defender for Azure SQL Database at the subscription level.":::
+    :::image type="content" source="media/azure-defender-for-sql/defender-sql-subscription-level.png" alt-text="Screenshot showing enabling Microsoft Defender for Azure SQL Database at the subscription level." lightbox="media/azure-defender-for-sql/defender-sql-subscription-level.png":::
 
 1. Select **Save**.
 
-### Enable Microsoft Defender plans programatically 
+### Enable Microsoft Defender plans programatically
 
-The flexibility of Azure allows for a number of programmatic methods for enabling Microsoft Defender plans. 
+The flexibility of Azure allows for several programmatic methods for enabling Microsoft Defender plans.
 
-Use any of the following tools to enable Microsoft Defender for your subscription: 
+Use any of the following tools to enable Microsoft Defender for your subscription:
 
 | Method       | Instructions      |
 |--------------|----------------------|
@@ -63,7 +64,6 @@ Use any of the following tools to enable Microsoft Defender for your subscriptio
 | PowerShell   | [Set-AzSecurityPricing](/powershell/module/az.security/set-azsecuritypricing)  |
 | Azure Policy | [Bundle Pricings](https://github.com/Azure/Azure-Security-Center/blob/master/Pricing%20%26%20Settings/ARM%20Templates/Set-ASC-Bundle-Pricing.json) |
 
-
 ### Enable Microsoft Defender for Azure SQL Database at the resource level
 
 We recommend enabling Microsoft Defender plans at the subscription level so that new resources are automatically protected. However, if you have an organizational reason to enable Microsoft Defender for Cloud at the server level, use the following steps:
@@ -72,7 +72,7 @@ We recommend enabling Microsoft Defender plans at the subscription level so that
 1. Under the **Security** heading, select **Defender for Cloud**.
 1. Select **Enable Microsoft Defender for SQL**.
 
-    :::image type="content" source="media/azure-defender-for-sql/enable-azure-defender.png" alt-text="Enable Microsoft Defender for SQL from within Azure SQL databases.":::
+    :::image type="content" source="media/azure-defender-for-sql/enable-defender-sql.png" alt-text="Screenshot showing Enable Microsoft Defender for SQL from within Azure SQL databases." lightbox="media/azure-defender-for-sql/enable-defender-sql.png":::
 
 > [!NOTE]
 > A storage account is automatically created and configured to store your **Vulnerability Assessment** scan results. If you've already enabled Microsoft Defender for another server in the same resource group and region, then the existing storage account is used.
@@ -85,19 +85,18 @@ To view and manage Microsoft Defender for SQL settings:
 
 1. From the **Security** area of your server or managed instance, select **Defender for Cloud**.
 
-    On this page, you'll see the status of Microsoft Defender for SQL:
+    On this page, you'll see the status of Microsoft Defender for SQL(disabled or enabled):
 
-    :::image type="content" source="media/azure-defender-for-sql/status-of-defender-for-sql.png" alt-text="Checking the status of Microsoft Defender for SQL inside Azure SQL databases.":::
+    :::image type="content" source="media/azure-defender-for-sql/enable-defender-sql-enabled-disabled.png" alt-text="Screenshot showing status as enabled or disabled." lightbox="media/azure-defender-for-sql/enable-defender-sql-enabled-disabled.png":::
 
 1. If Microsoft Defender for SQL is enabled, you'll see a **Configure** link as shown in the previous graphic. To edit the settings for Microsoft Defender for SQL, select **Configure**.
 
-    :::image type="content" source="media/azure-defender-for-sql/security-server-settings.png" alt-text="Settings for Microsoft Defender for SQL.":::
+    :::image type="content" source="media/azure-defender-for-sql/defender-sql-configure.png" alt-text="Screenshot showing Configure screen for Microsoft Defender for SQL." lightbox="media/azure-defender-for-sql/defender-sql-configure.png":::
 
 1. Make the necessary changes and select **Save**.
 
-
 ## Next steps
 
 - Learn more about [Vulnerability Assessment](/azure/defender-for-cloud/sql-azure-vulnerability-assessment-overview)
 - Learn more about [Advanced Threat Protection](threat-detection-configure.md)
-- Learn more about [Microsoft Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction)
+- Learn more about [Microsoft Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction)

azure-sql/database/media/azure-defender-for-sql/defender-sql-configure.png

@@ -4,33 +4,34 @@ description: Provides instructions on how to store Vulnerability Assessment (VA)
 ms.author: cesanu
 author: CESANU
 ms.reviewer: wiassaf, vanto, mathoma
-ms.date: 11/10/2021
+ms.date: 01/16/2023
 ms.service: sql-db-mi
 ms.subservice: security
 ms.topic: how-to
 monikerRange: "= azuresql || = azuresql-db || = azuresql-mi"
 ---
 
 # Store Vulnerability Assessment scan results in a storage account accessible behind firewalls and VNets
+
 [!INCLUDE[appliesto-sqldb-sqlmi-asa](../includes/appliesto-sqldb-sqlmi-asa.md)]
 
-If you are limiting access to your storage account in Azure for certain VNets or services, you'll need to enable the appropriate configuration so that Vulnerability Assessment (VA) scanning for SQL Databases or Managed Instances have access to that storage account.
+If you're limiting access to your storage account in Azure for certain VNets or services, you'll need to enable the appropriate configuration so that Vulnerability Assessment (VA) scanning for SQL Databases or Azure SQL Managed Instances have access to that storage account.
 
 ## Prerequisites
 
-1. The SQL Vulnerability Assessment service needs permission to the storage account to save baseline and scan results.  There are three methods: 
+1. The SQL Vulnerability Assessment service needs permission to the storage account to save baseline and scan results.  There are three methods:
+
 - **Use Storage Account key**: Azure creates the SAS key and saves it (though we don't save the account key)
 - **Use Storage SAS key**: The SAS key must have: Write | List | Read | Delete permissions
 - **Use SQL Server managed identity**: The SQL Server must have a managed identity. The storage account must have a role assignment for the SQL Managed Identity as [Storage Blob Data Contributor](/azure/role-based-access-control/built-in-roles#storage-blob-data-contributor). When you apply the settings, the VA fields storageContainerSasKey and storageAccountAccessKey must be empty. When storage is behind a firewall or  virtual network, then the SQL managed identity is required.
 
+    When you use the Azure portal to save SQL VA settings, Azure checks if you have permission to assign a new role assignment for the managed identity as [Storage Blob Data Contributor](/azure/role-based-access-control/built-in-roles#storage-blob-data-contributor) on the storage. If permissions are assigned, Azure uses SQL Server managed identity, otherwise Azure uses the key method.
 
-    When you use the Azure portal to save SQL VA settings, Azure checks if you have permission to assign a new role assignment for the managed identity as [Storage Blob Data Contributor](/azure/role-based-access-control/built-in-roles#storage-blob-data-contributor) on the storage. If permissions are assigned, Azure uses SQL Server managed identity, otherwise Azure uses the key method. 
-
-2. If using Azure Storage lifecycle management policies, avoid moving files on the container used by VA to the archive access tier. Reading scan results or baseline configurations stored in archive access tier is not supported.
+If using Azure Storage lifecycle management policies, avoid moving files on the container used by VA to the archive access tier. Reading scan results or baseline configurations stored in archive access tier isn't supported.
 
 ## Enable Azure SQL Database VA scanning access to the storage account
 
-If you have configured your VA storage account to only be accessible by certain networks or services, you'll need to ensure that VA scans for your Azure SQL Database are able to store the scans on the storage account. You can use the existing storage account, or create a new storage account to store VA scan results for all databases on your [logical SQL server](logical-servers.md).
+If you've configured your VA storage account to only be accessible by certain networks or services, you'll need to ensure that VA scans for your Azure SQL Database are able to store the scans on the storage account. You can use the existing storage account, or create a new storage account to store VA scan results for all databases on your [logical SQL server](logical-servers.md).
 
 > [!NOTE]
 > The vulnerability assessment service can't access storage accounts protected with firewalls or VNets if they require storage access keys.
@@ -39,40 +40,44 @@ Go to your **Resource group** that contains the storage account and access the *
 
 Ensure that **Allow trusted Microsoft services access to this storage account** is checked.
 
-:::image type="content" source="media/sql-database-vulnerability-assessment-storage/storage-allow-microsoft-services.png" alt-text="Screenshot shows Firewall and virtual networks dialog box, with Allow trusted Microsoft services to access this storage account selected.":::
+:::image type="content" source="media/sql-database-vulnerability-assessment-storage/storage-allow-microsoft-services.png" alt-text="Screenshot showing Firewall and virtual networks dialog box, with Allow trusted Microsoft services to access this storage account selected.":::
 
-To find out which storage account is being used, go to your **SQL server** pane in the [Azure portal](https://portal.azure.com), under **Security**, and then select **Defender for Cloud**.
+To find out which storage account is being used, do the following steps:
 
-:::image type="content" source="../database/media/azure-defender-for-sql/va-storage.png" alt-text="set up vulnerability assessment":::
+1. Go to your **SQL server** pane in the [Azure portal](https://portal.azure.com).
+1. Under **Security**, select **Defender for Cloud**.
+1. Select **Configure**.
+
+:::image type="content" source="../database/media/azure-defender-for-sql/storage-account.png" alt-text="Screenshot showing setup vulnerability assessment.":::
 
 > [!NOTE]
 > You can set up email alerts to notify users in your organization to view or access the scan reports. To do this, ensure that you have SQL Security Manager and Storage Blob Data Reader permissions.
 
 ## Store VA scan results for Azure SQL Managed Instance in a storage account that can be accessed behind a firewall or VNet
 
-Since Managed Instance is not a trusted Microsoft Service and has a different VNet from the storage account, executing a VA scan will result in an error.
+Since Azure SQL Managed Instance isn't a trusted Microsoft Service and has a different VNet from the storage account, executing a VA scan will result in an error.
 
-To support VA scans on Managed Instances, follow the below steps:
+To support VA scans on Azure SQL Managed Instances, follow the below steps:
 
-1. In the **SQL managed instance** pane, under the **Overview** heading, click the **Virtual network/subnet** link. This takes you to the **Virtual network** pane.
+1. In the **SQL managed instance** pane, under the **Overview** heading, select the **Virtual network/subnet** link. This link takes you to the **Virtual network** pane.
 
-   :::image type="content" source="../managed-instance/media/public-endpoint-configure/mi-overview.png" alt-text="mi-overview2":::
+   :::image type="content" source="../managed-instance/media/public-endpoint-configure/mi-overview.png" alt-text="Screenshot showing mi-overview2.":::
 
-1. Under **Settings**, select **Subnets**. Click **Subnet** in the new pane to add a subnet, and delegate it to *Microsoft.Sql\managedInstance*. For more information, see [Manage subnets](/azure/virtual-network/virtual-network-manage-subnet).
+1. Under **Settings**, select **Subnets**. Select **Subnet** in the new pane to add a subnet, and delegate it to *Microsoft.Sql\managedInstance*. For more information, see [Manage subnets](/azure/virtual-network/virtual-network-manage-subnet).
 
    :::image type="content" source="media/sql-database-vulnerability-assessment-storage/mi-subnets.png" alt-text="Screenshot shows a subnet that has been delegated Microsoft.sql\managedInstance.":::
 
-1. In your **Virtual network** pane, under **Settings**, select **Service endpoints**. Click **Add** in the new pane, and add the *Microsoft.Storage* Service as a new service endpoint. Make sure the *ManagedInstance* Subnet is selected. Click **Add**.
+1. In your **Virtual network** pane, under **Settings**, select **Service endpoints**. Select **Add** in the new pane, and add the *Microsoft.Storage* Service as a new service endpoint. Make sure the *ManagedInstance* Subnet is selected. Select **Add**.
 
    :::image type="content" source="media/sql-database-vulnerability-assessment-storage/mi-service-endpoint.png" alt-text="Screenshot shows Add service endpoints, where you add the Microsoft.Storage Service as an endpoint.":::
 
-1. Go to your **Storage account** that you've selected to store your VA scans. Under **Settings**, select **Firewall and virtual networks**. Click on **Add existing virtual network**. Select your managed instance virtual network and subnet, and click **Add**.
+1. Go to your **Storage account** that you've selected to store your VA scans. Under **Settings**, select **Firewall and virtual networks**. Select **Add existing virtual network**. Select your managed instance virtual network and subnet, and then select **Add**.
 
    :::image type="content" source="media/sql-database-vulnerability-assessment-storage/storage-firewall.png" alt-text="Screenshot shows the Firewalls and virtual networks pane, which contains the Add existing virtual network link.":::
 
-You should now be able to store your VA scans for Managed Instances in your storage account.
+You should now be able to store your VA scans for Azure SQL Managed Instances in your storage account.
 
-## Troubleshoot vulnerability assessment scan-related issues 
+## Troubleshoot vulnerability assessment scan-related issues
 
 Troubleshoot common issues related to vulnerability assessment scans.
 
@@ -90,7 +95,7 @@ The storage account in which vulnerability assessment scan results are saved mus
 
 If any of these requirements aren't met, saving changes to vulnerability assessment settings fails.
 
-#### Permissions 
+#### Permissions
 
 The following permissions are required to save changes to vulnerability assessment settings:
 
@@ -112,9 +117,9 @@ The storage account might not appear in the storage account picker for several r
 
 ### Failure to open an email link for scan results or can't view scan results
 
-You might not be able to open a link in a notification email about scan results or to view scan results if you don't have the required permissions or if you use a browser that doesn't support opening or displaying scan results.
+You might not be able to open a link in a notification email about scan results, or to view scan results if you don't have the required permissions, or if you use a browser that doesn't support opening or displaying scan results.
 
-#### Permissions
+#### Required permissions
 
 The following permissions are required to open links in email notifications about scan results or to view scan results:
 
@@ -129,4 +134,4 @@ The Firefox browser doesn't support opening or displaying scan results view. We
 
 - [Vulnerability Assessment](/azure/defender-for-cloud/sql-azure-vulnerability-assessment-overview)
 - [Create an Azure Storage account](/azure/storage/common/storage-account-create)
-- [Microsoft Defender for SQL](azure-defender-for-sql.md)
+- [Microsoft Defender for SQL](azure-defender-for-sql.md)