Merge branch 'SSWConsulting:main' into main
JimmyChenSSW authored Jun 20, 2024
2 parents 9ce92c3 + f07c4ca commit 9ab90db
Showing 3 changed files with 47 additions and 41 deletions.
50 changes: 24 additions & 26 deletions rules/microsoft-defender-365/rule.md
@@ -1,20 +1,25 @@
---
seoDescription: Microsoft Defender 365 helps enterprises prevent, detect, and respond to advanced threats with its robust endpoint security platform.
type: rule
title: Do you use Microsoft Defender 365?
title: Do you use Microsoft Defender for Endpoint?
seoDescription: Microsoft Defender for Endpoint helps enterprises prevent,
detect, and respond to advanced threats with its robust endpoint security
platform.
uri: microsoft-defender-365
authors:
- title: Ash Anil
url: https://www.ssw.com.au/people/ash-anil
- title: Chris Schultz
url: https://www.ssw.com.au/people/chris-schultz
related:
- implementing-intune
created: 2022-08-11T00:59:55.755Z
guid: f5ae8a73-d3f7-451f-b695-a03ef47844ad
---

Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. It is managed at <https://security.microsoft.com/>
Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. As part of Microsoft Defender XDR, it is managed at <https://security.microsoft.com/>

<!--endintro-->

![Figure: Microsoft Defender 365 – Dashboard ](defender365_2022-08-10.jpg " ")
![Figure: Microsoft Defender XDR – Dashboard ](defender365_2022-08-10.jpg " ")

There are a number of licensing options - check out [Microsoft's documentation](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide) for information.
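Review bot: the rename in the front matter to "Do you use Microsoft Defender for Endpoint?" leaves `uri: microsoft-defender-365` as it was, so the slug no longer matches the title; keeping it preserves existing inbound links, but if the site supports redirects, consider a new slug with the old one kept as an alias, and say which of the two was intended. Two smaller points in the same hunk: the seoDescription is now wrapped over three lines ("seoDescription: Microsoft Defender for Endpoint helps enterprises prevent," / "detect, and respond to advanced threats with its robust endpoint security" / "platform."), which only parses as a single YAML string if the continuation lines are indented under the key, and the rendered diff does not show leading whitespace, so confirm the indentation or quote the value; and the dashboard figure is now captioned "Microsoft Defender XDR – Dashboard" while still pointing at the 2022 screenshot `defender365_2022-08-10.jpg`, so the caption and the image will disagree until the screenshot is refreshed.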

@@ -24,54 +29,47 @@ To onboard devices with a GPO, [follow the instructions here.](https://learn.mic

To onboard devices through Intune, [follow the instructions here.](https://learn.microsoft.com/en-us/mem/intune/protect/advanced-threat-protection-configure#enable-microsoft-defender-for-endpoint-in-intune)

### Secure Score:
### Secure Score

Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more improvement actions taken. It can be found at <https://security.microsoft.com/securescore>
Microsoft Secure Score is a measurement of an organization's security posture, based on data from Defender for Endpoint and other Microsoft security products. It can be found at <https://security.microsoft.com/securescore>

Points are given as per the following actions:

- Configuring recommended security features
- Remediating vulnerabilities
- Addressing the improvement action with a third-party application or software, or an alternate mitigation
* Configuring recommended security features
* Remediating vulnerabilities
* Addressing the improvement action with a third-party application or software, or an alternate mitigation

![Figure: Microsoft Secure score ](secure_score-2022-08-10.jpg)
![Figure: Microsoft Secure Score ](secure_score-2022-08-10.jpg)

### How to increase Secure Score:

Each improvement activity is worth no more than ten points, and most of them are assessed in a binary manner. Points are received if we carry out the improvement activity, such as setting up a new policy or turning on a certain setting, or updating recommended software. Points are awarded as a proportion of the overall configuration for additional enhancement actions.
Each improvement activity is worth up to 10 points, based on their importance. Points are obtained by implementing security recommendations, such as updating software or configuring Intune policies (or GPOs) to secure user accounts and devices.

There are many Recommendation actions suggested by Microsoft with Ranks. Score impact, Points achieved, and status
Security admins should check this score regularly and improve the score where possible.

## Device Inventory

The Device inventory shows a list of the devices in your network where alerts were generated. Devices are gradually added to the device inventory throughout the Microsoft Defender for the Endpoint onboarding process. Briefly, you'll see information such as device name, domain, risk level, exposure level, OS platform, onboarding status, sensor health state, and other details for easy identification of devices most at risk.
Device inventory shows a list of the devices in your network. Devices are added to the device inventory through the Microsoft Defender for the Endpoint onboarding process. You’ll see information such as device name, domain, risk level, exposure level, OS platform, onboarding status, sensor health state, and other details for easy identification of devices most at risk.

The exposure score is continuously calculated on each device in the organization and influenced by the following factors:
Risk level reflects the overall risk assessment of the device based on combination of factors, including the types and severity of active alerts on the device. Resolving active alerts, approving remediation activities, and suppressing subsequent alerts can lower the risk level.

- Weaknesses, such as vulnerabilities discovered on the device
- External and internal threats such as public exploit code and security alerts
- Likelihood of the device getting breached given its current security posture
- Value of the device to the organization given its role and content
Exposure level reflects the current exposure of this device based on the cumulative impact of its pending security recommendations.

![Figure:❌Bad Example - High exposure level ](badexample_exposure-2022-08-10.jpg)

![Figure: ✅ Good Example – No High exposure level](goodexample_exposure-2022-08-10.jpg)

For all the high exposure level devices, address the discovered vulnerabilities starting with Critical severity recommendations. Once remediated, we can get those devices or servers from High exposure to Low exposure.
Security admins should check this page regularly and reduce the risk/exposure/criticality levels where possible.

![Figure: Severity level – High Exposure ](discoveredvulner-2022-08-10.jpg)

### Security Recommendations

The Microsoft Defender portal has security recommendations for exposed devices which can be remediated manually after doing the needful (maybe a simple update).

![Figure: Security Recommendation - Request remediation ](security_recommendation-2022-08-10.jpg)

When you request remediation, you will need to add notes, which should show the remediation activity details.
The Microsoft Defender portal has security recommendations for exposed devices which can be remediated manually after doing the needful (maybe a simple update): https://security.microsoft.com/security-recommendations/

### Incidents & Alerts

An incident in Microsoft Defender is a collection of correlated alerts and associated data that define the complete story of an attack. Defender for Office 365 alerts, automated investigation and response (AIR), and the outcome of the investigations are natively integrated and correlated on the Incidents page in Microsoft Defender.
In Microsoft Defender XDR, an incident is a collection of correlated alerts and associated data that define the complete story of an attack. Defender for Office 365 alerts, automated investigation and response (AIR), and the outcome of the investigations are natively integrated and correlated on the Incidents page.

When critical incidents occur, you should receive an email notification so that you can act on the alert immediately.
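Review bot: the rewritten exposure guidance ("Security admins should check this page regularly and reduce the risk/exposure/criticality levels where possible.") drops the one actionable instruction in the old text, namely to work through high-exposure devices starting with Critical severity recommendations, and it refers to a "criticality" level that the preceding paragraphs never define (only risk level and exposure level are explained); either keep the "starting with Critical severity recommendations" sentence or define device criticality before using it, and note that the figure "Severity level – High Exposure" now illustrates a sentence that no longer mentions severity. Smaller items in the same hunk: "Microsoft Defender for the Endpoint onboarding process" carries over the stray "the" from the old line and should read "Microsoft Defender for Endpoint"; "based on combination of factors" needs "a combination"; "worth up to 10 points, based on their importance" should be "its importance"; the new Security Recommendations link is a bare URL ending in a slash while every other link on the page uses the `<https://...>` form; and removing "When you request remediation, you will need to add notes, which should show the remediation activity details." loses the reminder that a remediation request must document what was actually done, which is worth keeping next to the new link.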

@@ -23,32 +23,37 @@ guid: 368379e7-2a52-439c-973f-e58de293d65b

<!--endintro-->

Managing additional work requests can reduce the adverse impact on estimates and deadlines.
Managing additional work requests can reduce the adverse impact on estimates and deadlines. These work requests can include new feature requests, non-critical bug fixes, modifications and undiscovered work (i.e. work you didn't initially anticipate).

![Figure: Only if it's life and death does it get added "in this Sprint"](SuccessfulProjects\_Triage.jpg)

The first step is to analyse the priority of the additional item. Let's look at the rules to how to prioritize:
## Prioritization

### By default, move new work into the next Sprint
The first step is to prioritize the new work item.

Priority is dependent upon the severity of the request. Only if it is a 'critical bug', then it will be done "in this Sprint", most tasks however go "into the Backlog". They can include new feature requests, non-critical bug fixes, modifications and undiscovered work (i.e. work you didn't initially anticipate).
1. If it is a critical bug, call your Product Owner and add it to the current Sprint
2. Otherwise, it should be added to the backlog:

::: info
1. If the item is assessed as important, it should be placed immediately after the current Sprint items

2. Otherwise, you should attempt to prioritize the item based on the existing items in the backlog

::: info
**Note:** On a fixed price contract, the rules change. Bugs should be fixed in the current Sprint if time allows, otherwise first thing in the next Sprint as they are stopping you from being paid.
:::

### Exception #1 - Critical Bugs go into the current Sprint
### Exception #1 - Critical Bugs go into the current Sprint

If you have a crash-to-code bug, most of the time it will go into the current Sprint. If it prevents one or more users accessing the system, it will also go into the current Sprint. High-priority bugs are fixed "in this Sprint".

Bugs are usually prioritised, so even non-critical bugs will likely end up in the next Sprint (via the Backlog).

### Exception #2 - A client can override

A request for a new screen with a new look-up table that doesn't prevent users from operating the system, should be allocated to "a later Sprint".
If the client really *needs* it done now, they must specify "must be in this Sprint". This will become an 'additional item' in the current Sprint.
A request for a new screen with a new look-up table that doesn't prevent users from operating the system, should be allocated to "a later Sprint".
If the client really *needs* it done now, they must specify "must be in this Sprint". This will become an 'additional item' in the current Sprint.

If this request from the client will have a material impact on inflexible time and budget restraints, you need to speak and inform the client.
If this request from the client will have a material impact on inflexible time and budget restraints, you need to speak and inform the client.

For example: *"Hi Bill, this task you specified 'must be in this Sprint' will take an extra 4 days. Our critical deadline will be missed. Is that OK?"*
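Review bot: the new sub-steps under "2. Otherwise, it should be added to the backlog:" restart at "1. If the item is assessed as important, it should be placed immediately after the current Sprint items" and will render as a second top-level list unless they are indented under item 2; the rendered diff hides leading whitespace, so check the source. With that list in place, the unchanged section "Exception #1 - Critical Bugs go into the current Sprint" now repeats step 1 ("If it is a critical bug, call your Product Owner and add it to the current Sprint"); consider moving the crash-to-code and locked-out-users criteria from Exception #1 into step 1 so that "critical bug" is defined once, in the place the reader meets it first. The paired identical lines under Exception #2 ("A request for a new screen...", "If the client really *needs* it done now...", "If this request from the client...") and the duplicated "### Exception #1" heading look like whitespace-only changes; if they are trailing-space or line-ending fixes that is fine, but splitting them into a separate commit would make the substantive edits easier to review.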

@@ -65,13 +70,12 @@ If the work is over budget, then you need to obtain approval for any 'additional
| Subject: | Northwind - Client List for Administrators |
::: email-content

### Hi Dave,
### Hi Dave

1. Please add a sort function (like the one in Office) next to the fields: Last Name, First Name, Advisers and Organization.
2. Apply to other relevant pages which have these fields in a list i.e. adviser list for administrators, client list for advisers etc.
1. Please add a sort function (like the one in Office) next to the fields: Last Name, First Name, Advisers and Organization.
2. Apply to other relevant pages which have these fields in a list i.e. adviser list for administrators, client list for advisers etc.
3. Please use the text Ascending instead of "smallest to Largest" and Descending for "Largest to Smallest".

:::
:::
**Figure: The above email sample from a customer will, by default, go into a future Sprint, not the current**
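Review bot: this hunk appears to be whitespace-only apart from "### Hi Dave," losing its comma: items 1 and 2 of the email list are re-emitted and so is the closing `:::`, but item 3 ("Please use the text Ascending instead of...") is untouched, so confirm that all three items now share the same indentation inside the `::: email-content` block, otherwise the list renders as two lists with the figure caption attached to the second.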

8 changes: 6 additions & 2 deletions rules/turn-emails-into-pbis/rule.md
@@ -70,9 +70,13 @@ It's important that you follow the right steps so that the PBI contains all the

4. Fill out the Description

5. Add an Acceptance Criteria: *"Reply 'Done' to all emails mentioned in this PBI and @mention the sender with 'Done'"*
5. Ensure that the Product Owner is @mentioned in the PBI

6. Reply back to the original email saying: *"That's awesome feedback, we have a PBI for prioritization: {{ URL }}\
6. Add an Acceptance Criteria: *"Reply 'Done' to all emails mentioned in this PBI and @mention the sender with 'Done'"*

7. Prioritize the PBI. If it is important, then it should be added at the top of the Product Backlog after the current Sprint items. Otherwise, you should make your best guess as to its priority.

8. Reply back to the original email saying: *"That's awesome feedback, we have a PBI for prioritization: {{ URL }}\
For future issues, if you have access, please add your comments to items in that backlog 🙂"*

::: greybox
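Review bot: new step 7 ("Prioritize the PBI. If it is important, then it should be added at the top of the Product Backlog after the current Sprint items. Otherwise, you should make your best guess as to its priority.") restates the prioritization rule that this same commit writes into the rule on managing additional work requests ("placed immediately after the current Sprint items" / "prioritize the item based on the existing items in the backlog") with different wording ("make your best guess"); link to that rule from step 7 rather than restating it, so the two do not drift apart. Also, inserting step 5 ("Ensure that the Product Owner is @mentioned in the PBI") ahead of the acceptance-criteria step renumbers every step after it, so check that nothing elsewhere on the page or in linked rules refers to "step 6" or "step 7" by number.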

0 comments on commit 9ab90db
