
Commit 288c86d

Merge pull request #221348 from v-edmckillop/patch-43
Update plan-monitoring-and-reporting.md
2 parents 0d5e13d + cf08a6e commit 288c86d

1 file changed

+34
-34
lines changed


articles/active-directory/reports-monitoring/plan-monitoring-and-reporting.md

Lines changed: 34 additions & 34 deletions
@@ -3,29 +3,28 @@
33
title: Plan reports & monitoring deployment - Azure AD
44
description: Describes how to plan and execute implementation of reporting and monitoring.
55
services: active-directory
6-
author: shlipsey3
7-
manager: amycolannino
6+
author: gargi-sinha
7+
manager: martinco
88
ms.service: active-directory
99
ms.topic: conceptual
1010
ms.workload: identity
1111
ms.subservice: report-monitor
1212
ms.date: 12/19/2022
1313
ms.author: sarahlipsey
1414
ms.reviewer: plenzke
15-
16-
# Customer intent: As an Azure AD administrator, I want to monitor logs and report on access to increase security
15+
# Customer intent: For an Azure AD administrator to monitor logs and report on access
1716
ms.collection: M365-identity-device-management
1817
---
1918

20-
# Plan an Azure Active Directory reporting and monitoring deployment
19+
# Azure Active Directory reporting and monitoring deployment dependencies
2120

22-
Your Azure Active Directory (Azure AD) reporting and monitoring solution depends on your legal, security, and operational requirements and your existing environment and processes. This article presents the various design options and guides you to the right deployment strategy.
21+
Your Azure Active Directory (Azure AD) reporting and monitoring solution depends on legal, security, operational requirements, and your environment's processes. Use the following sections to learn about design options and deployment strategy.
2322

24-
### Benefits of Azure AD reporting and monitoring
23+
## Benefits of Azure AD reporting and monitoring
2524

26-
Azure AD reporting provides a comprehensive view and logs of Azure AD activity in your environment, including sign-in events, audit events, and changes to your directory.
25+
Azure AD reporting has a view, and logs, of Azure AD activity in your environment: sign-in and audit events, also changes to your directory.
2726

28-
The provided data enables you to:
27+
Use data output to:
2928

3029
* determine how your apps and services are used.
3130
* detect potential risks affecting the health of your environment.
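Review bot: the new H1 "Azure Active Directory reporting and monitoring deployment dependencies" (19+) no longer matches the front matter `title: Plan reports & monitoring deployment - Azure AD` or the article's scope, which still covers stakeholders, communications and choosing an architecture rather than only dependencies; keep a title that says "plan ... deployment" or change both together. The rewritten benefits sentence at 25+ ("Azure AD reporting has a view, and logs, of Azure AD activity in your environment: sign-in and audit events, also changes to your directory.") is grammatically broken; suggest "Azure AD reporting provides a view of, and logs for, Azure AD activity in your environment: sign-in events, audit events, and changes to your directory." Also, `author:` and `manager:` change (6+/7+) while `ms.author: sarahlipsey` at 13 is left as is; confirm whether `ms.author` should be updated in the same change.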
@@ -48,8 +47,9 @@ For detailed feature and licensing information, see the [Azure Active Directory
4847

4948
To deploy Azure AD monitoring and reporting you'll need a user who is a Global Administrator or Security Administrator for the Azure AD tenant.
5049

51-
Depending on the final destination of your log data, you'll need one of the following:
52-
50+
* [Azure Monitor data platform](../../azure-monitor/data-platform.md)
51+
* [Azure Monitor naming and terminology changes](../../azure-monitor/terminology.md)
52+
* [How long does Azure AD store reporting data?](./reference-reports-data-retention.md)
5353
* An Azure storage account that you have `ListKeys` permissions for. We recommend that you use a general storage account and not a Blob storage account. For storage pricing information, see the [Azure Storage pricing calculator](https://azure.microsoft.com/pricing/calculator/?service=storage).
5454
* An Azure Event Hubs namespace to integrate with third-party SIEM solutions.
5555
* An Azure Log Analytics workspace to send logs to Azure Monitor logs.
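Review bot: deleting the lead-in "Depending on the final destination of your log data, you'll need one of the following:" (51-) and placing three reference links (50+ to 52+) at the head of the same bullet list leaves the storage account, Event Hubs and Log Analytics bullets (53-55) without the sentence that presented them as alternatives, and mixes prerequisites with reading links in one list. Restore the lead-in directly above those three resource bullets and move the links into their own "Learn more" list, or into the Next steps section, where `./reference-reports-data-retention.md` is already linked.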
@@ -58,7 +58,7 @@ Depending on the final destination of your log data, you'll need one of the foll
5858

5959
Reporting and monitoring are used to meet your business requirements, gain insights into usage patterns, and increase your organization's security posture. In this project, you'll define the audiences that will consume and monitor reports, and define your Azure AD monitoring architecture.
6060

61-
### Engage the right stakeholders
61+
## Stakeholders, communications, and documentation
6262

6363
When technology projects fail, they typically do so due to mismatched expectations on effect, outcomes, and responsibilities. To avoid these pitfalls, [ensure that you're engaging the right stakeholders](../fundamentals/active-directory-deployment-plans.md). Also ensure that stakeholder roles in the project are well understood by documenting the stakeholders and their project input and responsibilities.
6464

@@ -75,13 +75,13 @@ The following roles can read Azure AD reports:
7575

7676
Learn More About [Azure AD Administrative Roles](../roles/permissions-reference.md). Always apply the concept of least privileges to reduce the risk of an account compromise. Consider implementing [Privileged Identity Management](../privileged-identity-management/pim-configure.md) to further secure your organization.
7777

78-
### Plan communications
78+
### Engage stakeholders
7979

80-
Communication is critical to the success of any new service. Proactively communicate with your users how their experience will change, when it will change, and how to gain support if they experience issues.
80+
Successful projects align expectations, outcomes, and responsibilities. See, [Azure Active Directory deployment plans](../fundamentals/active-directory-deployment-plans.md). Document and communicate stakeholder roles that require input and accountability.
8181

82-
### Document your current infrastructure and policies
82+
### Communications plan
8383

84-
Your current infrastructure and policies will drive your reporting and monitoring design. Ensure that you know
84+
Tell your users when, and how, their experience will change. Provide contact information for support.
8585

8686
* What, if any, SIEM tools you're using.
8787
* Your Azure infrastructure, including existing storage accounts and monitoring being used.
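Review bot: replacing "### Document your current infrastructure and policies" and its lead-in "Your current infrastructure and policies will drive your reporting and monitoring design. Ensure that you know" (82-/84-) with "### Communications plan" and "Tell your users when, and how, their experience will change. Provide contact information for support." (82+/84+) orphans the unchanged bullets at 86-87 ("What, if any, SIEM tools you're using.", "Your Azure infrastructure, including existing storage accounts and monitoring being used."), which now read as items of the communications plan. Keep a "Document your current infrastructure and policies" subsection with an "Ensure that you know:" lead-in above those bullets, and place "### Communications plan" before it. Minor: "See, [Azure Active Directory deployment plans]" at 80+ has a stray comma after "See".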
@@ -91,36 +91,35 @@ Your current infrastructure and policies will drive your reporting and monitorin
9191

9292
To better prioritize the use cases and solutions, organize the options by "required for solution to meet business needs," "nice to have to meet business needs," and "not applicable."
9393

94-
|Area |Description |
95-
|-|-|
96-
|Retention| **Log retention of more than 30 days**. ‎Due to legal or business requirements it's required to store audit logs and sign in logs of Azure AD longer than 30 days. |
97-
|Analytics| **The logs need to be searchable**. ‎The stored logs need to be searchable with analytic tools. |
98-
| Operational Insights| **Insights for various teams**. The need to give access for different users to gain operational insights such as application usage, sign in errors, self-service usage, trends, etc. |
99-
| Security Insights| **Insights for various teams**. The need to give access for different users to gain operational insights such as application usage, sign in errors, self service usage, trends, etc. |
100-
| Integration in SIEM systems | **SIEM integration**. ‎The need to integrate and stream Azure AD sign-in logs and audit logs to existing SIEM systems. |
94+
### Considerations
10195

102-
### Choose a monitoring solution architecture
96+
* **Retention** - Log retention: store audit logs and sign in logs of Azure AD longer than 30 days
97+
* **Analytics** - Logs are searchable with analytic tools
98+
* **Operational and security insights** - Provide access to application usage, sign-in errors, self-service usage, trends, etc.
99+
* **SIEM integration** - Integrate and stream Azure AD sign-in logs and audit logs to SIEM systems
103100

104-
With Azure AD monitoring, you can route your Azure AD activity logs to a system that best meets your business needs. You can then retain them for long-term reporting and analysis to gain insights into your environment, and integrate it with SIEM tools.
101+
### Monitoring solution architecture
105102

106-
#### Decision flow chart![An image showing what is described in subsequent sections](media/reporting-deployment-plan/deploy-reporting-flow-diagram.png)
103+
With Azure AD monitoring, you can route Azure AD activity logs and retain them for long-term reporting and analysis to gain environment insights, and integrate it with SIEM tools. Use the following decision flow chart to help select an architecture.
107104

108-
#### Archive logs in a storage account
105+
![Decision matrix for business-need architecture.](media/reporting-deployment-plan/deploy-reporting-flow-diagram.png)
109106

110-
By routing logs to an Azure storage account, you can keep them for longer than the default retention period outlined in our [retention policies](./reference-reports-data-retention.md). Use this method if you need to archive your logs, but don't need to integrate them with an SIEM system, and don't need ongoing queries and analysis. You can still do on-demand searches.
107+
#### Archive logs in a storage account
111108

112-
Learn how to [route data to your storage account](./quickstart-azure-monitor-route-logs-to-storage-account.md).
109+
You can keep logs longer than the default retention period by routing them to an Azure storage account.
113110

114-
#### Send logs to Azure Monitor logs
111+
> [!IMPORTANT]
112+
> Use this archival method if there is no need to integrate logs with a SIEM system, or no need for ongoing queries and analysis. You can use on-demand searches.
115113
116-
[Azure Monitor logs](../../azure-monitor/logs/log-query-overview.md) consolidate monitoring data from different sources. It also provides a query language and analytics engine that gives you insights into the operation of your applications and use of resources. By sending Azure AD activity logs to Azure Monitor logs, you can quickly retrieve, monitor, and alert on collected data. Use this method when you don't have an existing SIEM solution that you want to send your data to directly but do want queries and analysis. Once your data is in Azure Monitor logs, you can then send it to event hub, and from there to a SIEM if you want to.
114+
Learn more:
117115

118-
Learn how to [send data to Azure Monitor logs](./howto-integrate-activity-logs-with-log-analytics.md).
116+
* [How long does Azure AD store reporting data?](./reference-reports-data-retention.md)
117+
* [Tutorial: Archive Azure AD logs to an Azure storage account](./quickstart-azure-monitor-route-logs-to-storage-account.md)
119118

120119
#### Stream logs to storage and SIEM tools
121120

122-
Routing logs to an Azure event hub enables integration with third-party SIEM tools. This integration allows you to combine Azure AD activity log data with other data managed by your SIEM, to provide richer insights into your environment.
123-
121+
* [Integrate Azure AD logs with Azure Monitor logs](./howto-integrate-activity-logs-with-log-analytics.md).
122+
* [Analyze Azure AD activity logs with Azure Monitor logs](/MicrosoftDocs/azure-docs/blob/main/articles/active-directory/reports-monitoring/howto-analyze-activity-logs-log-analytics.md).
124123
* Learn how to [stream logs to an event hub](./tutorial-azure-monitor-stream-logs-to-event-hub.md).
125124
* Learn how to [Archive Azure AD logs to an Azure Storage account](./quickstart-azure-monitor-route-logs-to-storage-account.md).
126125
* [Integrate Azure AD logs with Splunk by using Azure Monitor](./howto-integrate-activity-logs-with-splunk.md)
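Review bot: the "#### Send logs to Azure Monitor logs" heading and its explanation (114-/116-: Azure Monitor logs consolidates data from different sources, provides a query language and analytics engine, is the choice when there is no SIEM but queries and analysis are wanted, and can forward to an event hub later) are deleted without replacement, and the two Log Analytics links (121+/122+) are moved under "#### Stream logs to storage and SIEM tools", whose own explanatory paragraph about event hubs (122-) is also deleted; the architecture section now presents the Azure Monitor logs option only as two unexplained links under the wrong heading. Keep at least a one-sentence description of when to choose each route under its own heading. The link at 122+ uses a repository path (`/MicrosoftDocs/azure-docs/blob/main/articles/active-directory/reports-monitoring/howto-analyze-activity-logs-log-analytics.md`) where every other link in the file is relative (`./howto-analyze-activity-logs-log-analytics.md`, as in the unchanged Next steps item); it will not resolve in the docs build. The [!IMPORTANT] note at 112+ turns the original "don't need to integrate them with an SIEM system, and don't need ongoing queries and analysis" into "no need to integrate logs with a SIEM system, or no need for ongoing queries and analysis", which recommends plain archival when only one of the two conditions holds; keep "and". The table-to-list conversion (94- to 100- versus 96+ to 99+) is an improvement, since it also drops the Security Insights row that duplicated the Operational Insights row.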
@@ -132,3 +131,4 @@ Routing logs to an Azure event hub enables integration with third-party SIEM too
132131
- Consider implementing [Azure role-based access control](../../role-based-access-control/overview.md)
133132
- [Learn more about report retention policies](./reference-reports-data-retention.md).
134133
- [Analyze Azure AD activity logs with Azure Monitor logs](./howto-analyze-activity-logs-log-analytics.md)
134+

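Review bot: the only change in this hunk is a blank line added at end of file (134+); drop the whitespace-only change. If the Next steps list is revisited, note that the unchanged item at 134 ("Analyze Azure AD activity logs with Azure Monitor logs") now duplicates the link added under "Stream logs to storage and SIEM tools" in this same PR, so one of the two can go.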