
Commit 2d2f18d

Merge pull request #103281 from rkarlin/sentinel-rsa-updates
update for fusion and O365
2 parents 57af893 + e1a7173 commit 2d2f18d

File tree

3 files changed

+20
-18
lines changed


articles/sentinel/connect-office-365.md

Lines changed: 6 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -13,23 +13,22 @@ ms.devlang: na
1313
ms.topic: conceptual
1414
ms.tgt_pltfrm: na
1515
ms.workload: na
16-
ms.date: 09/23/2019
16+
ms.date: 02/12/2020
1717
ms.author: rkarlin
1818

1919
---
2020
# Connect data from Office 365 Logs
2121

2222

2323

24-
You can stream audit logs from [Office 365](https://docs.microsoft.com/office365/admin/admin-home?view=o365-worldwide) into Azure Sentinel with a single click. You can stream audit logs from multiple tenants to a single workspace in Azure Sentinel. The Office 365 activity log connector provides insight into ongoing user activities. You will get information about various user, admin, system, and policy actions and events from Office 365. By connecting Office 365 logs into Azure Sentinel you can use this data to view dashboards, create custom alerts, and improve your investigation process.
24+
You can stream audit logs from [Office 365](https://docs.microsoft.com/office365/admin/admin-home?view=o365-worldwide) into Azure Sentinel with a single click. You can stream audit logs from your Office 365 into your Azure Sentinel workspace on the same tenant. The Office 365 activity log connector provides insight into ongoing user activities. You will get information about various user, admin, system, and policy actions and events from Office 365. By connecting Office 365 logs into Azure Sentinel you can use this data to view dashboards, create custom alerts, and improve your investigation process.
2525

2626
> [!IMPORTANT]
2727
> If you have an E3 license, before you can access data through the Office 365 Management Activity API, you must enable unified audit logging for your Office 365 organization. You do this by turning on the Office 365 audit log. For instructions, see [Turn Office 365 audit log search on or off](https://docs.microsoft.com/office365/securitycompliance/turn-audit-log-search-on-or-off). See [Office 365 management Activity API reference](https://docs.microsoft.com/office/office-365-management-api/office-365-management-activity-api-reference), for more information.
2828
2929
## Prerequisites
3030

31-
- You must be a global administrator or security administrator on your tenant
32-
- On your computer, from which you logged into Azure Sentinel to create the connection, make sure that port 4433 is open to web traffic. This port can be closed again after the connection is successfully made.
31+
- You must be a global administrator or security administrator on your tenant.
3332
- If your tenant does not have an Office 365 E3 or Office 365 E5 license, you must enable unified auditing on your tenant using one of these processes:
3433
- [Using the Set-AdminAuditLogConfig cmdlet](https://docs.microsoft.com/powershell/module/exchange/policy-and-compliance-audit/set-adminauditlogconfig?view=exchange-ps) and enable the parameter “UnifiedAuditLogIngestionEnabled”).
3534
- [Or using the Security & Compliance Center UI](https://docs.microsoft.com/office365/securitycompliance/search-the-audit-log-in-security-and-compliance#before-you-begin).
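Review bot: the [!IMPORTANT] block (new line 27) and the prerequisites bullet (new line 32) contradict each other on who has to enable unified audit logging: the note says tenants with an E3 license must enable it, while the bullet says tenants that do not have an E3 or E5 license must. This hunk edits the lines around both and leaves the conflict in place; settle on one condition and state it the same way in both places. Minor: the bullet at new line 33 has an unbalanced closing parenthesis after “UnifiedAuditLogIngestionEnabled”, and the rewritten intro at new line 24 now opens two consecutive sentences with "You can stream audit logs from"; they read better merged into one sentence about same-tenant streaming.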
@@ -38,13 +37,9 @@ You can stream audit logs from [Office 365](https://docs.microsoft.com/office365
3837

3938
1. In Azure Sentinel, select **Data connectors** and then click the **Office 365** tile.
4039

41-
2. If you have not already enabled it, you can do so by going to **Data Connectors** blade and selecting **Office 365** connector. Here you can click the **Open Connector Page** and under configuration section labelled **Enable the Office 365 solution on your workspace** use the **Install solution** button to enable it. If it was already enabled, it will be identified in the connection screen as already enabled.
42-
1. Office 365 enables you to stream data from multiple tenants to Azure Sentinel. For each tenant you want to connect to, add the tenant under **Connect tenants to Azure Sentinel**.
43-
1. An Active Directory screen opens. You are prompted to authenticate with a global admin user on each tenant you want to connect to Azure Sentinel, and provide permissions to Azure Sentinel to read its logs.
44-
5. Under the tenant list you would see the Azure AD directory ID (tenant ID) and two checkboxes for Exchange and Sharepoint logs . You can select any or all the listed services which you would like to ingest in Sentinel. Currently, Azure Sentinel supports Exchange and SharePoint logs within existing Office365 services.
45-
46-
4. Once you have selected the services (Exchange, sharepoint etc. ) you can click save on the tenant addition frame on the page.
47-
40+
2. If you have not already enabled it, you can do so by going to **Data Connectors** blade and selecting **Office 365** connector. Here you can click the **Open Connector Page** and under configuration section labeled **Configuration** select all the Office 365 activity logs you want to connect to Azure Sentinel.
41+
> [!NOTE]
42+
> If you already connected multiple tenants in a previously supported version of the Office 365 connector in Azure Sentinel, you will be able to view and modify which logs you collect from each tenant. You will not be able to add additional tenants, but you can remove previously added tenants.
4843
3. To use the relevant schema in Log Analytics for the Office 365 logs, search for **OfficeActivity**.
4944

5045
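Review bot: step 2 (new line 40) says "If you have not already enabled it" with no referent for "it", and then sends the reader back to the Data connectors blade and the Office 365 connector that step 1 already opened. Name what is being enabled and drop the repeated navigation, for example "2. On the connector page, under **Configuration**, select the Office 365 activity logs you want to connect to Azure Sentinel." The deleted step at old line 44 was also the only place that listed the supported log types (Exchange and SharePoint); the new wording "select all the Office 365 activity logs you want" names none, so either keep that list or confirm it is dropped on purpose.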

articles/sentinel/fusion.md

Lines changed: 14 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -3,17 +3,16 @@ title: Advanced multistage attack detection in Azure Sentinel
33
description: Use Fusion technology in Azure Sentinel to reduce alert fatigue and create actionable incidents that are based on advanced multistage attack detection.
44
services: sentinel
55
documentationcenter: na
6-
author: cabailey
7-
manager: rkarlin
6+
author: rkarlin
87

98
ms.service: azure-sentinel
109
ms.subservice: azure-sentinel
1110
ms.devlang: na
1211
ms.topic: conceptual
1312
ms.tgt_pltfrm: na
1413
ms.workload: na
15-
ms.date: 9/24/2019
16-
ms.author: cabailey
14+
ms.date: 02/12/2020
15+
ms.author: rkarlin
1716

1817
---
1918
# Advanced multistage attack detection in Azure Sentinel
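Review bot: the `manager:` metadata field (old line 7) is deleted rather than reassigned, while `author:` and `ms.author:` are both updated to rkarlin. If the change is only an ownership transfer, `manager:` should be set to the new value instead of removed; if the field is being dropped deliberately, check that the other article in this PR gets the same treatment, since its metadata block above line 13 is not part of the diff.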
@@ -22,8 +21,6 @@ By using Fusion technology that’s based on machine learning, Azure Sentinel ca
2221

2322
Customized for your environment, this detection not only reduces false positive rates but can also detect attacks with limited or missing information.
2423

25-
For details about the alerts for the scenarios supported, see the [Scenarios supported for multistage attack detection](#scenarios-supported-for-advanced-multistage-attack-detection) section on this page.
26-
2724
## Configuration for advanced multistage attack detection
2825

2926
This detection is enabled by default in Azure Sentinel. To check the status, or to disable it perhaps because you are using an alternative solution to create incidents based on multiple alerts, use the following instructions:
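Review bot: removing the cross-reference at old line 25 is necessary, because the anchor it points to (#scenarios-supported-for-advanced-multistage-attack-detection) no longer exists once the heading is renamed in the last hunk of this file, but the introduction is now left with no pointer to the scenario lists at all. Replace the sentence with one that links the two remaining scenario sections rather than deleting it outright.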
@@ -40,7 +37,17 @@ This detection is enabled by default in Azure Sentinel. To check the status, or
4037

4138
Rule templates are not applicable for the advanced multistage attack detection.
4239

43-
## Scenarios supported for advanced multistage attack detection
40+
## Fusion using Palo Alto Networks and Microsoft Defender ATP
41+
42+
- Network request to TOR anonymization service followed by anomalous traffic flagged by Palo Alto Networks firewall​
43+
44+
- PowerShell made a suspicious network connection followed by anomalous traffic flagged by Palo Alto Networks firewall​
45+
46+
- Outbound connection to IP with a history of unauthorized access attempts followed by anomalous traffic flagged by Palo Alto Networks firewall​
47+
48+
49+
50+
## Fusion using Identity Protection and Microsoft Cloud App Security
4451

4552
Using advanced multistage attack detection, Azure Sentinel supports the following scenarios that combine anomaly events from Azure Active Directory Identity Protection and Microsoft Cloud App Security:
4653
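Review bot: the three new bullets (new lines 42, 44, 46) end in a trailing zero-width character after "firewall", typical of a paste from a rich-text editor; strip it, since it survives into the rendered page. The new "Fusion using Palo Alto Networks and Microsoft Defender ATP" section also lacks the introductory sentence that the following "Fusion using Identity Protection and Microsoft Cloud App Security" section has, and none of the bullets says which product raises the first alert of each pair (the TOR request, the suspicious PowerShell connection, the outbound connection to a flagged IP); add a lead sentence naming the source of those alerts so the heading's mention of Microsoft Defender ATP is backed by the text. New lines 47 to 49 also leave three consecutive blank lines between the sections, and renaming the old heading drops the #scenarios-supported-for-advanced-multistage-attack-detection anchor, so any inbound links to it elsewhere in the docs need updating.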
