
Commit 3300c59

Update faq-data-collection-agents.yml
Acrolinx check, fixed contractions, grammar and spelling
1 parent 9be40ac commit 3300c59

File tree

1 file changed

+23
-23
lines changed


articles/defender-for-cloud/faq-data-collection-agents.yml

Lines changed: 23 additions & 23 deletions
Original file line number | Diff line number | Diff line change
@@ -11,7 +11,7 @@ metadata:
1111
ms.date: 01/24/2023
1212
title: 'FAQ - Questions about data collection, agents, and workspaces'
1313
summary: |
14-
Defender for Cloud collects data from your Azure virtual machines (VMs), Virtual Machine Scale Sets, IaaS containers, and non-Azure computers (including on-premises machines) to monitor for security vulnerabilities and threats. Data is collected using the Log Analytics agent, which reads various security-related configurations and event logs from the machine and copies the data to your workspace for analysis.
14+
Defender for Cloud collects data from your Azure virtual machines (VMs), Virtual Machine Scale Sets, IaaS containers, and non-Azure computers (including on-premises machines) to monitor for security vulnerabilities and threats. The Log Analytics agent collects data, which reads various security-related configurations and event logs from the machine and copies the data to your workspace for analysis.
1515
1616
1717
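Review bot: the rewritten summary on line 14 misattaches the relative clause. In "The Log Analytics agent collects data, which reads various security-related configurations and event logs", "which" now modifies "data", so the sentence says the data reads the logs. Suggest "The Log Analytics agent collects the data: it reads various security-related configurations and event logs from the machine and copies them to your workspace for analysis." so the agent stays the subject of the verb the clause describes.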
@@ -21,7 +21,7 @@ sections:
2121
- question: |
2222
Am I billed for Azure Monitor logs on the workspaces created by Defender for Cloud?
2323
answer: |
24-
As explained in the [pricing and billing FAQ](enhanced-security-features-overview.md#faq---pricing-and-billing), there is a 500-MB free data ingestion for each workspace. It's calculated per node, per reported workspace, per day, and available for every workspace that has a 'Security' or 'AntiMalware' solution installed. You'll be charged for any data ingested over the 500-MB limit.
24+
As explained in the [pricing and billing FAQ](enhanced-security-features-overview.md#faq---pricing-and-billing), there's a 500-MB free data ingestion for each workspace. It's calculated per node, per reported workspace, per day, and available for every workspace that has a 'Security' or 'AntiMalware' solution installed. You'll be charged for any data ingested over the 500-MB limit.
2525
2626
Workspaces created by Defender for Cloud, while configured for Azure Monitor logs per node billing, don't incur Azure Monitor logs charges. Defender for Cloud billing is always based on your Defender for Cloud security policy and the solutions installed on a workspace:
2727
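Review bot: the contraction fix on line 24 is fine, but "there's a 500-MB free data ingestion for each workspace" is still awkward because "ingestion" is not countable. Suggest "each workspace gets 500 MB of free data ingestion" and keep the rest of the sentence ("It's calculated per node, per reported workspace, per day ...") as it is.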
@@ -32,14 +32,14 @@ sections:
3232
For pricing details in your local currency or region, see the [pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/).
3333
3434
> [!NOTE]
35-
> The log analytics pricing tier of workspaces created by Defender for Cloud does not affect Defender for Cloud billing.
35+
> The log analytics pricing tier of workspaces created by Defender for Cloud doesn't affect Defender for Cloud billing.
3636
3737
[!INCLUDE [azure-monitor-log-analytics-rebrand](../../includes/azure-monitor-log-analytics-rebrand.md)]
3838
3939
- question: |
4040
What is the Log Analytics agent?
4141
answer: |
42-
To monitor for security vulnerabilities and threats, Microsoft Defender for Cloud depends on the [Log Analytics Agent](../azure-monitor/agents/log-analytics-agent.md) - this is the same agent used by the Azure Monitor service.
42+
To monitor for security vulnerabilities and threats, Microsoft Defender for Cloud depends on the [Log Analytics Agent](../azure-monitor/agents/log-analytics-agent.md) - this agent is the same used by the Azure Monitor service.
4343
4444
The agent is sometimes referred to as the Azure Monitor Agent (or "AMA").
4545
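Review bot: the new wording on line 42, "this agent is the same used by the Azure Monitor service", drops the noun after "same" and reads as a fragment; suggest "it's the same agent the Azure Monitor service uses". Also, unchanged line 44 ("The agent is sometimes referred to as the Azure Monitor Agent (or "AMA")") looks wrong: this file elsewhere calls this agent the Microsoft Monitoring Extension and the OMS extension (lines 175 and 234), and Azure Monitor Agent (AMA) is the name of a separate, newer agent. It should probably read "Microsoft Monitoring Agent (or "MMA")"; worth fixing while this answer is being touched.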
@@ -61,10 +61,10 @@ sections:
6161
answer: |
6262
Windows or Linux IaaS VMs qualify if:
6363
64-
- The Log Analytics agent extension is not currently installed on the VM.
64+
- The Log Analytics agent extension isn't currently installed on the VM.
6565
- The VM is in running state.
6666
- The Windows or Linux [Azure Virtual Machine Agent](../virtual-machines/extensions/agent-windows.md) is installed.
67-
- The VM is not used as an appliance such as web application firewall or next generation firewall.
67+
- The VM isn't used as an appliance such as web application firewall or next generation firewall.
6868
6969
7070
- question: |
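Review bot: the contraction fixes on lines 64 and 67 are fine; while here, line 67 should read "a web application firewall or next-generation firewall" (hyphenate the compound adjective, add the article), and context line 65, "The VM is in running state", needs an article: "in a running state".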
@@ -74,9 +74,9 @@ sections:
7474
7575
- For VMs in the United States and Brazil the workspace location is the United States
7676
- For VMs in Canada, the workspace location is Canada
77-
- For VMs in Europe the workspace location is Europe
78-
- For VMs in the UK the workspace location is the UK
79-
- For VMs in East Asia and Southeast Asia the workspace location is Asia
77+
- For VMs in Europe, the workspace location is Europe
78+
- For VMs in the UK, the workspace location is the UK
79+
- For VMs in East Asia and Southeast Asia, the workspace location is Asia
8080
- For VMs in Korea, the workspace location is Korea
8181
- For VMs in India, the workspace location is India
8282
- For VMs in Japan, the workspace location is Japan
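Review bot: the commas added on lines 77-79 make the list inconsistent with the unchanged first item on line 75, "For VMs in the United States and Brazil the workspace location is the United States", which still has no comma after the region. Add the comma there too so every item has the same shape.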
@@ -85,7 +85,7 @@ sections:
8585
8686
8787
- question: |
88-
What security events are collected by the Log Analytics agent?
88+
What security events does Log Analytics agent collect?
8989
answer: |
9090
For a full list of the security events collected by the agent, see [What event types are stored for the "Common" and "Minimal" security events settings?](working-with-log-analytics-agent.md#what-event-types-are-stored-for-common-and-minimal).
9191
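Review bot: the reworded question on line 88 drops the article. "What security events does Log Analytics agent collect?" should be "What security events does the Log Analytics agent collect?", matching how the agent is named everywhere else in the file.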
@@ -96,7 +96,7 @@ sections:
9696
- question: |
9797
Can I delete the default workspaces created by Defender for Cloud?
9898
answer: |
99-
**Deleting the default workspace is not recommended.** Defender for Cloud uses the default workspaces to store security data from your VMs. If you delete a workspace, Defender for Cloud is unable to collect this data and some security recommendations and alerts are unavailable.
99+
**Deleting the default workspace isn't recommended.** Defender for Cloud uses the default workspaces to store security data from your VMs. If you delete a workspace, Defender for Cloud is unable to collect this data and some security recommendations and alerts are unavailable.
100100
101101
To recover, remove the Log Analytics agent on the VMs connected to the deleted workspace. Defender for Cloud reinstalls the agent and creates new default workspaces.
102102
@@ -127,12 +127,12 @@ sections:
127127
> [!TIP]
128128
> The list only includes workspaces to which you have access and which are in your Azure subscription.
129129
130-
1. Select **Save**. You will be asked if you would like to reconfigure monitored VMs.
130+
1. Select **Save**. You'll be asked if you'd like to reconfigure monitored VMs.
131131
132132
> [!IMPORTANT]
133133
> This choice is only relevant if you're changing the configuration from the default workspace to a custom workspace. If you're changing the setting from one custom workspace to another, or from a custom workspace to the default workspace, the change won't be applied to existing machines.
134134
135-
- Select **No** if you want the new workspace settings to **apply on new VMs only**. The new workspace settings only apply to new agent installations; newly discovered VMs that do not have the Log Analytics agent installed.
135+
- Select **No** if you want the new workspace settings to **apply on new VMs only**. The new workspace settings only apply to new agent installations; newly discovered VMs that don't have the Log Analytics agent installed.
136136
- Select **Yes** if you want the new workspace settings to **apply on all VMs**. In addition, every VM connected to a Defender for Cloud created workspace is reconnected to the new target workspace.
137137
138138
> [!NOTE]
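Review bot: the contractions on lines 130 and 135 are fine, but line 135 still has a misused semicolon: "only apply to new agent installations; newly discovered VMs that don't have the Log Analytics agent installed" joins an independent clause to a noun phrase. Use "that is" instead: "only apply to new agent installations, that is, newly discovered VMs that don't have the Log Analytics agent installed."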
@@ -142,7 +142,7 @@ sections:
142142
- question: |
143143
What if the Log Analytics agent was already installed as an extension on the VM?
144144
answer: |
145-
When the Monitoring Agent is installed as an extension, the extension configuration allows reporting to only a single workspace. Defender for Cloud does not override existing connections to user workspaces. Defender for Cloud will store security data from a VM in a workspace that is already connected, provided that the "Security" or "SecurityCenterFree" solution has been installed on it. Defender for Cloud may upgrade the extension version to the latest version in this process.
145+
When the Monitoring Agent is installed as an extension, the extension configuration allows reporting to only a single workspace. Defender for Cloud doesn't override existing connections to user workspaces. Defender for Cloud stores security data from a VM in a workspace that is already connected, provided that the "Security" or "SecurityCenterFree" solution has been installed on it. Defender for Cloud may upgrade the extension version to the latest version in this process.
146146
147147
For more information, see [Automatic provisioning in cases of a pre-existing agent installation](monitoring-components.md#preexisting).
148148
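Review bot: line 145 opens with "When the Monitoring Agent is installed as an extension" while the question on line 143 and the rest of the file say "Log Analytics agent"; rename it here for consistency so readers don't take it for a different agent. The tense change ("will store" to "stores") matches the rest of the answer.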
@@ -155,24 +155,24 @@ sections:
155155
156156
The agent installed will continue to report to its already configured workspace(s), and in addition will report to the workspace configured in Defender for Cloud (Multi-homing is supported on Windows machines).
157157
158-
If the configured workspace is a user workspace (not Defender for Cloud's default workspace), you will need to install the "Security" or "SecurityCenterFree" solution on it for Defender for Cloud to start processing events from VMs and computers reporting to that workspace.
158+
If the configured workspace is a user workspace (not Defender for Cloud's default workspace), you'll need to install the "Security" or "SecurityCenterFree" solution on it for Defender for Cloud to start processing events from VMs and computers reporting to that workspace.
159159
160-
For Linux machines, Agent multi-homing is not yet supported - hence, if an existing agent installation is detected, automatic provisioning will not occur and the machine's configuration will not be altered.
160+
For Linux machines, Agent multi-homing isn't yet supported - hence, if an existing agent installation is detected, automatic provisioning won't occur and the machine's configuration won't be altered.
161161
162-
For existing machines on subscriptions onboarded to Defender for Cloud before March 17 2019, when an existing agent will be detected, the Log Analytics agent extension will not be installed and the machine will not be affected. For these machines, see the "Resolve monitoring agent health issues on your machines" recommendation to resolve the agent installation issues on these machines
162+
For existing machines on subscriptions onboarded to Defender for Cloud before March 17 2019, when an existing agent will be detected, the Log Analytics agent extension won't be installed and the machine won't be affected. For these machines, see the "Resolve monitoring agent health issues on your machines" recommendation to resolve the agent installation issues on these machines
163163
164164
For more information, see the next section [What happens if a System Center Operations Manager or OMS direct agent is already installed on my VM?](#what-if-a-system-center-operations-manager-agent-is-already-installed-on-my-vm-)
165165
166166
- question: |
167167
What if a System Center Operations Manager agent is already installed on my VM?
168168
answer: |
169-
Defender for Cloud will install the Log Analytics agent extension side by side to the existing System Center Operations Manager agent. The existing agent will continue to report to the System Center Operations Manager server normally. Note that the Operations Manager agent and Log Analytics agent share common run-time libraries, which will be updated to the latest version during this process. Note - If version 2012 of the Operations Manager agent is installed, do not turn on automatic provisioning (manageability capabilities can be lost when the Operations Manager server is also version 2012).
169+
Defender for Cloud will install the Log Analytics agent extension side by side to the existing System Center Operations Manager agent. The existing agent will continue to report to the System Center Operations Manager server normally. The Operations Manager agent and Log Analytics agent share common run-time libraries, which will be updated to the latest version during this process. Note - If version 2012 of the Operations Manager agent is installed, don't turn on automatic provisioning (manageability capabilities can be lost when the Operations Manager server is also version 2012).
170170
171171
172172
- question: |
173173
What is the impact of removing these extensions?
174174
answer: |
175-
If you remove the Microsoft Monitoring Extension, Defender for Cloud is not able to collect security data from the VM and some security recommendations and alerts are unavailable. Within 24 hours, Defender for Cloud determines that the VM is missing the extension and reinstalls the extension.
175+
If you remove the Microsoft Monitoring Extension, Defender for Cloud isn't able to collect security data from the VM and some security recommendations and alerts are unavailable. Within 24 hours, Defender for Cloud determines that the VM is missing the extension and reinstalls the extension.
176176
177177
178178
- question: |
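Review bot: line 162 still has a tense error the contraction fix didn't reach: "when an existing agent will be detected" should be "when an existing agent is detected"; the date should be "March 17, 2019"; and the sentence ends without a period after "these machines". On line 169, removing "Note that" from the third sentence leaves a second "Note - If version 2012 ..." lead-in in the same paragraph; drop "Note - " and start at "If version 2012 ...", and change "side by side to" to "side by side with".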
@@ -205,7 +205,7 @@ sections:
205205
206206
You may want to opt out of automatic provisioning if the following applies to you:
207207
208-
- Automatic agent installation by Defender for Cloud applies to the entire subscription. You cannot apply automatic installation to a subset of VMs. If there are critical VMs that cannot be installed with the Log Analytics agent, then you should opt out of automatic provisioning.
208+
- Automatic agent installation by Defender for Cloud applies to the entire subscription. You can't apply automatic installation to a subset of VMs. If there are critical VMs that can't be installed with the Log Analytics agent, then you should opt out of automatic provisioning.
209209
- Installation of the Log Analytics agent extension updates the agent's version. This applies to a direct agent and a System Center Operations Manager agent (in the latter, the Operations Manager and Log Analytics agent share common runtime libraries - which will be updated in the process). If the installed Operations Manager agent is version 2012 and is upgraded, manageability capabilities can be lost when the Operations Manager server is also version 2012. Consider opting out of automatic provisioning if the installed Operations Manager agent is version 2012.
210210
- If you want to avoid creation of multiple workspaces per subscription and you have your own custom workspace within the subscription, then you have two options:
211211
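Review bot: the contraction fix on line 208 keeps an awkward construction, "critical VMs that can't be installed with the Log Analytics agent": the agent is installed on the VM, not the other way round. Suggest "critical VMs on which the Log Analytics agent can't be installed".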
@@ -225,15 +225,15 @@ sections:
225225
answer: |
226226
Manually install the Log Analytics agent extension so Defender for Cloud can collect security data from your VMs and provide recommendations and alerts. See [agent installation for Windows VM](../virtual-machines/extensions/oms-windows.md) or [agent installation for Linux VM](../virtual-machines/extensions/oms-linux.md) for guidance on installation.
227227
228-
You can connect the agent to any existing custom workspace or Defender for Cloud created workspace. If a custom workspace does not have the "Security" or "SecurityCenterFree" solutions enabled, then you will need to apply a solution. To apply, select the custom workspace and apply a pricing tier via the **Environment settings** > **Defender plans** page.
228+
You can connect the agent to any existing custom workspace or Defender for Cloud created workspace. If a custom workspace doesn't have the "Security" or "SecurityCenterFree" solutions enabled, then you'll need to apply a solution. To apply, select the custom workspace and apply a pricing tier via the **Environment settings** > **Defender plans** page.
229229
230230
Defender for Cloud will enable the correct solution on the workspace based on the selected options.
231231
232232
233233
- question: |
234234
How do I remove OMS extensions installed by Defender for Cloud?
235235
answer: |
236-
You can manually remove the Log Analytics agent. This is not recommended as it limits Defender for Cloud's recommendations and alerts.
236+
You can manually remove the Log Analytics agent. This isn't recommended as it limits Defender for Cloud's recommendations and alerts.
237237
238238
> [!NOTE]
239239
> If data collection is enabled, Defender for Cloud will reinstall the agent after you remove it. You must disable data collection before manually removing the agent. See How do I stop the automatic agent installation and workspace creation? for instructions on disabling data collection.
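Review bot: the contractions on lines 228 and 236 are fine; the unchanged note on line 239 cites another question by title without a link or quotes ("See How do I stop the automatic agent installation and workspace creation? for instructions ..."), so the question mark reads as ending the sentence. Link it with the in-file anchor style used on line 164, or at least put the title in quotes.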
@@ -265,7 +265,7 @@ sections:
265265
266266
The agent enables the process creation event 4688 and the *CommandLine* field inside event 4688. New processes created on the VM are recorded by EventLog and monitored by Defender for Cloud's detection services. For more information on the details recorded for each new process, see [description fields in 4688](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4688#fields). The agent also collects the 4688 events created on the VM and stores them in search.
267267
268-
The agent also enables data collection for [Adaptive application controls](adaptive-application-controls.md), Defender for Cloud configures a local AppLocker policy in Audit mode to allow all applications. This policy will cause AppLocker to generate events, which are then collected and leveraged by Defender for Cloud. It is important to note that this policy will not be configured on any machines on which there is already a configured AppLocker policy.
268+
The agent also enables data collection for [Adaptive application controls](adaptive-application-controls.md), Defender for Cloud configures a local AppLocker policy in Audit mode to allow all applications. This policy causes AppLocker to generate events, which are then collected and leveraged by Defender for Cloud. It's important to note that this policy won't be configured on any machines on which there's already a configured AppLocker policy.
269269
270270
When Defender for Cloud detects suspicious activity on the VM, the customer is notified by email if [security contact information](configure-email-notifications.md) has been provided. An alert is also visible in Defender for Cloud's security alerts dashboard.
271271
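Review bot: line 268 still contains a comma splice that the rewrite left in place: "The agent also enables data collection for [Adaptive application controls](adaptive-application-controls.md), Defender for Cloud configures a local AppLocker policy in Audit mode" joins two independent clauses with a comma. Split it: "... for [Adaptive application controls](adaptive-application-controls.md). Defender for Cloud configures a local AppLocker policy in Audit mode that allows all applications." Also "leveraged" can simply be "used", in keeping with the Acrolinx-style cleanup this commit is doing.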
