adding defender tabs and screenshots

Author: batamig

articles/sentinel/media/quickstart-onboard/azure-activity-logs-query-defender.png

@@ -1,10 +1,10 @@
 ---
 title: 'Quickstart: Onboard to Microsoft Sentinel'
 description: In this quickstart, you enable Microsoft Sentinel, and set up data connectors to monitor and protect your environment.
-author: yelevin
-ms.author: yelevin
+author: batamig
+ms.author: bagol
 ms.topic: quickstart
-ms.date: 06/18/2024
+ms.date: 04/03/2025
 ms.custom: references_regions, mode-other
 #Customer intent: As a security operator, set up data connectors in one place so I can monitor and protect my environment.
 
@@ -76,79 +76,95 @@ The content hub in Microsoft Sentinel is the centralized location to discover an
 
 1. Find and select the **Azure Activity** solution.
 
-   :::image type="content" source="media/quickstart-onboard/content-hub-azure-activity.png" alt-text="Screenshot of the content hub with the solution for Azure Activity selected.":::
+   #### [Azure portal](#tab/azure-portal)
 
-1. On the toolbar at the top of the page, select :::image type="icon" source="media/quickstart-onboard/install-update-button.png"::: **Install/Update**.
+   :::image type="content" source="media/quickstart-onboard/content-hub-azure-activity.png" alt-text="Screenshot of the content hub in the Azure portal with the solution for Azure Activity selected.":::
 
-## Set up the data connector
+   #### [Defender portal](#tab/defender-portal)
 
-Microsoft Sentinel ingests data from services and apps by connecting to the service and forwarding the events and logs to Microsoft Sentinel. For this quickstart, install the data connector to forward data for Azure Activity to Microsoft Sentinel.
- 
-1. In Microsoft Sentinel, select **Data connectors**.
+   :::image type="content" source="media/quickstart-onboar/content-hub-azure-activity-defender.png" alt-text="Screenshot of the content hub in the Defender portal with the solution for Azure Activity selected.":::
 
-1. Search for and select the **Azure Activity** data connector.
+   ---
 
-1. In the details pane for the connector, select **Open connector page**.
+1. On the solution details pane on the side, select **Install**. 
 
-1. Review the instructions to configure the connector.
+## Set up the data connector
 
-1. Select **Launch Azure Policy Assignment Wizard**.
+Microsoft Sentinel ingests data from services and apps by connecting to the service and forwarding the events and logs to Microsoft Sentinel. For this quickstart, install the data connector to forward data for Azure Activity to Microsoft Sentinel.
 
-1. On the **Basics** tab, set the **Scope** to the subscription and resource group that has activity to send to Microsoft Sentinel. For example, select the subscription that contains your Microsoft Sentinel instance.
+1. In Microsoft Sentinel, select **Configuration** > **Data connectors** and search for and select the **Azure Activity** data connector.
 
-1. Select the **Parameters** tab.
+1. In the connector details pane, select **Open connector page**. Use the instructions on the **Azure Activity** connector page to set up the data connector.
 
-1. Set the **Primary Log Analytics workspace**. This should be the workspace where Microsoft Sentinel is installed.
+    1. Select **Launch Azure Policy Assignment Wizard**.
 
-1. Select **Review + create** and **Create**.
+    1. On the **Basics** tab, set the **Scope** to the subscription and resource group that has activity to send to Microsoft Sentinel. For example, select the subscription that contains your Microsoft Sentinel instance.
 
-## Generate activity data
+    1. Select the **Parameters** tab, and set the **Primary Log Analytics workspace**. This should be the workspace where Microsoft Sentinel is installed.
 
-Let's generate some activity data by enabling a rule that was included in the Azure Activity solution for Microsoft Sentinel. This step also shows you how to manage content in the content hub.
+    1. Select **Review + create** and **Create**.
 
-1. In Microsoft Sentinel, select **Content hub**.
-
-1. Find and select the **Azure Activity** solution.
-
-1. From the right-hand side pane, select **Manage**.
+## Generate activity data
 
-1. Find and select the rule template **Suspicious Resource deployment**.
+Let's generate some activity data by enabling a rule that was included in the Azure Activity solution for Microsoft Sentinel. This step also shows you how to manage content in the content hub.
 
-1. Select **Configuration**.
+1. In Microsoft Sentinel, select **Content hub** and search for and select **Suspicious Resource deployment** rule template in the **Azure Activity** solution.
 
-1. Select the rule and **Create rule**.
+1. In the details pane, select **Create rule** to create a new rule using the **Analytics rule wizard**.
 
-1. On the **General** tab, change the **Status** to enabled. Leave the rest of the default values.
+1. In the **Analytics rule wizard - Create a new Scheduled rule** page, change the **Status** to **Enabled**. 
 
-1. Accept the defaults on the other tabs.
+    On this tab and all other tabs in the wizard, leave the default values as they are.
 
 1. On the **Review and create** tab, select **Create**.
 
 ## View data ingested into Microsoft Sentinel
 
 Now that you've enabled the Azure Activity data connector and generated some activity data let's view the activity data added to the workspace.
 
-1. In Microsoft Sentinel, select **Data connectors**.
+1. In Microsoft Sentinel, select **Configuration** > **Data connectors** and search for and select the **Azure Activity** data connector.
 
-1. Search for and select the **Azure Activity** data connector.
-
-1. In the details pane for the connector, select **Open connector page**.
+1. In the connector details pane, select **Open connector page**. 
 
 1. Review the **Status** of the data connector. It should be **Connected**.
 
    :::image type="content" source="media/quickstart-onboard/azure-activity-connected-status.png" alt-text="Screenshot of data connector for Azure Activity with the status showing as connected.":::
 
-1. In the left-hand side pane above the chart, select **Go to log analytics**.
+1. Select a tab to continue, depending on which portal you're using:
+
+   #### [Azure portal](#tab/azure-portal)
+
+    1. Select **Go to query** to open the **Logs** page in the Azure portal.
+
+    1. On the top of the pane, next to the **New query 1** tab, select the **+** to add a new query tab.
+
+    1. On the side, switch from **Simple mode** to **KQL mode**, and run the following query to view the activity date ingested into the workspace:
+
+        ```kusto
+        AzureActivity
+       ```
+
+    For example:
+
+   :::image type="content" source="media/quickstart-onboard/azure-activity-logs-query.png" alt-text="Screenshot of the AzureActivity query in the Logs page of the Azure portal.":::
+
+   #### [Defender portal](#tab/defender-portal)
+
+   1. Select **Go to log analytics** to open the **Advanced hunting** page.
+
+    1. On the top of the pane, next to the **New query** tab, select the **+** to add a new query tab.
+
+    1. Run the following query to view the activity date ingested into the workspace:
 
-1. On the top of the pane, next to the **New query 1** tab, select the **+** to add a new query tab.
+        ```kusto
+        AzureActivity
+       ```
 
-1. In the query pane, run the following query to view the activity date ingested into the workspace.
+    For example:
 
-   ```kusto
-    AzureActivity
-   ```
+   :::image type="content" source="media/quickstart-onboard/content-hub-azure-activity-defender.png" alt-text="Screenshot of the content hub in the Defender portal with the solution for Azure Activity selected.":::
 
-   :::image type="content" source="media/quickstart-onboard/azure-activity-logs-query.png" alt-text="Screenshot of the log query window with results returned for the Azure Activity query.":::
+   ---
 
 ## Next steps