
Commit 3a49e61

trying to get incidents from alerts article to update
1 parent f6d0cd7 commit 3a49e61

5 files changed (+63 / -16 lines)

articles/sentinel/create-incidents-from-alerts.md

Lines changed: 46 additions & 6 deletions
@@ -18,16 +18,56 @@ ms.date: 09/10/2019
1818
ms.author: rkarlin
1919

2020
---
21-
# Connect incidents from alerts
21+
# Automatically create incidents from Microsoft security alerts
2222

23+
Alerts triggered in Microsoft security solutions that are connected to Azure Sentinel, such as Microsoft Cloud App Security and Azure Advanced Threat Protection, do not
24+
automatically create incidents in Azure Sentinel. By default, when you connect a Microsoft solution to Azure Sentinel, any alert generated in that service will
25+
be stored as raw data in Azure Sentinel, in the Security Alert table in your Azure Sentinel workspace. You can then use that data like any other raw data you
26+
connect into Sentinel.
2327

24-
Alerts triggered in Azure Sentinel that stem from Microsoft solutions, such as Microsoft Cloud App Security and Azure Advanced Threat Protection, are handled differently from other alerts in Azure Sentinel. This article explains the differences.
25-
## Connection to Microsoft security services
26-
During connection to these data sources, you can select whether you want the alerts from these security solutions to automatically stream as raw data into Azure Sentinel and generate alerts.
27-
To work with Microsoft Security solution alerts, under **Analytic rules** select **Microsoft security** rules and choose the alert provider, give a name or description - for example you can call one Cloud App Security alerts. This creates incidents from the raw data that is streamed into Sentinel.
28+
You can easily configure Azure Sentinel to automatically create incidents every time an alert is triggered in a connected Microsoft security solution, by following the
29+
instructions in this article.
2830

29-
When you connect the connector for one of these services, you will be asked in the connection phase if you want to create incidents from alerts and there's a checkbox and you say yes it'll generate this rule automatically and take all the alerts and create incidents from them. Because you can set an alert severity filter, you can create multiple **Microsoft Security** analytic rules. For example, you could create a rule to be considered high severity and set a specific playbook to run for the high severity alerts, while other alerts could trigger merely an informational alert.
31+
## Prerequisites
32+
You must [connect Microsoft security solutions](connect-data-sources.md#data-connection-methods) to enable incident creation from security service alerts.
3033

34+
## Using Microsoft Security incident creation analytic rules
35+
36+
Use the built-in rules available in Azure Sentinel to choose which connected Microsoft security solutions should create Azure Sentinel incidents automatically in real time. You can also edit the rules to define more specific options for filtering which of the alerts generated by the Microsoft security solution should create incidents in Azure Sentinel. For example, you can choose to create Azure Sentinel incidents automatically only from high-severity Azure Security Center alerts.
37+
38+
1. In the Azure portal under Azure Sentinel, select **Analytics**.
39+
40+
1. Select the **Rule templates** tab to see all of the built-in analytic rules.
41+
42+
![Rule templates](media/incidents-from-alerts/rule-templates.png)
43+
44+
1. Choose the **Microsoft security** analytics rule template that you want to use, and click on **Create rule**.
45+
46+
![Security analytics rule](media/incidents-from-alerts/security-analytics-rule.png)
47+
48+
1. You can modify the rule details, and choose to filter the alerts that will create incidents by alert severity or by text contained in the alert’s name.
49+
50+
For example, if you choose **Azure Security Center** in the **Microsoft security service** field and choose **High** in the **Filter by severity** field,
51+
only high severity Azure Security Center alerts will automatically create incidents in Azure Sentinel.
52+
53+
![Create rule wizard](media/incidents-from-alerts/create-rule-wizard.png)
54+
55+
1. You can also create a new **Microsoft security** rule that filters alerts from different Microsoft security services by clicking on **+Create** and
56+
selecting **Microsoft incident creation rule**.
57+
58+
![Incident creation rule](media/incidents-from-alerts/incident-creation-rule.png)
59+
60+
You can create more than one **Microsoft Security** analytic rule per **Microsoft security service** type. This does not create duplicate incidents, since each rule
61+
is used as a filter. Even if an alert matches more than one **Microsoft Security** analytic rule, it creates just one Azure Sentinel incident.
62+
63+
## Enable incident generation automatically during connection
64+
When you connect a Microsoft security solution, you can select whether you want the alerts from the security solution to automatically generate incidents in Azure Sentinel automatically.
65+
66+
1. Connect a Microsoft security solution data source.
67+
68+
![Generate security incidents](media/incidents-from-alerts/generate-security-incidents.png)
69+
70+
1. Under **Create incidents** select **Enable** to enable the default analytic rule that creates incidents automatically from alerts generated in the connected security service. You can then edit this rule under **Analytics** and then **Active rules**.
3171

3272
## Next steps
3373
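Review bot: "stored as raw data in Azure Sentinel, in the Security Alert table" should give the table name as it appears in the workspace schema, `SecurityAlert`, so a reader can actually query it; as written it reads like a display name rather than the table. Also in this hunk: "automatically generate incidents in Azure Sentinel automatically" repeats "automatically"; "create Azure Sentinel incidents automatically in real time" asserts a latency the article never substantiates, so drop "in real time" or say what it means; "You can easily configure" is filler. The dedup statement ("Even if an alert matches more than one **Microsoft Security** analytic rule, it creates just one Azure Sentinel incident") is the one claim a practitioner will rely on when stacking a High-severity rule with its own playbook on top of a catch-all rule, so it deserves a short worked case saying which rule's settings apply to an alert matched by both.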

articles/sentinel/overview.md

Lines changed: 3 additions & 3 deletions
@@ -57,7 +57,7 @@ After you [connected your data sources](quickstart-onboard.md) to Azure Sentin
5757

5858
To help you reduce noise and minimize the number of alerts you have to review and investigate, Azure Sentinel uses [analytics to correlate alerts into incidents](tutorial-detect-threats-built-in.md). **Incidents** are groups of related alerts that together create an actionable possible-threat that you can investigate and resolve. Use the built-in correlation rules as-is, or use them as a starting point to build your own. Azure Sentinel also provides machine learning rules to map your network behavior and then look for anomalies across your resources. These analytics connect the dots, by combining low fidelity alerts about different entities into potential high-fidelity security incidents.
5959

60-
![Incidents](./media/overview/cases.png)
60+
![Incidents](./media/tutorial-investigate-cases/incident-severity.png)
6161

6262

6363
## Security automation & orchestration
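Review bot: the new image path ./media/tutorial-investigate-cases/incident-severity.png points the overview at another article's media folder, and the old file ./media/overview/cases.png is not removed in this commit (all five changed files are .md), so it becomes an orphaned asset. Either delete the unused image in the same change or keep an overview-specific copy under media/overview/ so the two articles can evolve their screenshots independently.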
@@ -70,11 +70,11 @@ For example, if you use the ServiceNow ticketing system, you can use the tools p
7070

7171

7272

73-
## Investigation
73+
## Investigation (preview)
7474

7575
Azure Sentinel [deep investigation](tutorial-investigate-cases.md) tools help you to understand the scope and find the root cause, of a potential security threat. You can choose an entity on the interactive graph to ask interesting questions for a specific entity, and drill down into that entity and its connections to get to the root cause of the threat.
7676

77-
![Investigation](./media/overview/investigation.png)
77+
![Investigation](./media/tutorial-investigate-cases/map-timeline.png)
7878

7979

8080
## Hunting
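Review bot: "## Investigation (preview)" is the only place the overview signals preview status; unlike tutorial-investigate-cases.md in this same commit, there is no [!IMPORTANT] note or link to the preview supplemental terms here, so an overview reader learns nothing about the no-SLA, not-for-production caveat. Add a one-line note under the heading or link to the tutorial's note. The replaced image ./media/overview/investigation.png is also left in place rather than deleted.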

articles/sentinel/quickstart-onboard.md

Lines changed: 3 additions & 2 deletions
@@ -36,8 +36,9 @@ After you connect your data sources, choose from a gallery of expertly created d
3636
- Log Analytics workspace. Learn how to [create a Log Analytics workspace](../log-analytics/log-analytics-quick-create-workspace.md)
3737

3838
- To enable Azure Sentinel, you need contributor permissions to the subscription in which the Azure Sentinel workspace resides.
39-
- To use Azure Sentinel, you need either contributor or reader permissions on the resource group that the workspace belongs to
40-
- Additional permissions may be needed to connect specific data sources
39+
- To use Azure Sentinel, you need either contributor or reader permissions on the resource group that the workspace belongs to.
40+
- Additional permissions may be needed to connect specific data sources.
41+
- Azure Sentinel is a paid service. For pricing information see
4142

4243
## Enable Azure Sentinel <a name="enable"></a>
4344
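Review bot: the added bullet "- Azure Sentinel is a paid service. For pricing information see" stops mid-sentence with no link or page name and will publish that way; either finish it with the pricing link or leave the bullet out until it is ready. The other two changes in this hunk only add trailing periods, which is fine.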

articles/sentinel/tutorial-detect-threats-custom.md

Lines changed: 4 additions & 4 deletions
@@ -44,12 +44,12 @@ You can create custom analytic rules to help you search for the types of threats
4444

4545
![Create query in Azure Sentinel](media/tutorial-detect-threats-custom/settings-tab.png)
4646

47-
Here's a sample query that would alert you when an anomalous number of resources is created in Azure Activity.
47+
Here's a sample query that would alert you when an anomalous number of resources is created in Azure Activity.
4848

49-
AzureActivity
49+
`AzureActivity
5050
\| where OperationName == "Create or Update Virtual Machine" or OperationName =="Create Deployment"
5151
\| where ActivityStatus == "Succeeded"
52-
\| make-series dcount(ResourceId)  default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
52+
\| make-series dcount(ResourceId)  default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller`
5353

5454
> [!NOTE]
5555
> The query length should be between 1 and 1,0000 characters and cannot contain “search \*” or “union \*”.
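Review bot: wrapping the four-line KQL sample in a single pair of backticks (`AzureActivity ... by Caller`) is not reliable: an inline code span is meant for one run of text, and across line breaks most renderers either join the lines or leave the backticks visible, so the query is neither readable nor copy-pasteable. Use a fenced block (```kusto ... ```) instead; inside a fence the pipes need no `\|` escaping. Drive-by in the unchanged context: the note below says "1,0000 characters", which reads as a typo for 10,000, and the "Here's a sample query" line is changed with no visible difference, presumably trailing whitespace.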
@@ -64,7 +64,7 @@ You can create custom analytic rules to help you search for the types of threats
6464

6565
1. Define alert trigger conditions under **Alert trigger**. Under **Entity mapping**, you can map the columns in your query to entity fields recognized by Azure Sentinel. For each field, map the relevant column in the query you created in Log Analytics to the appropriate entity field. Each entity includes multiple fields, for example SID and GUID. You can map the entity according to any fields, not just the upper level entity.
6666

67-
1. In the **Response automation** tab, select any playbooks you want to run automatically when an alert is generated by the custom rule. For more information on creating and automating playbooks, see [Respond to threats](tutorial-respond-threats-playbook.md).
67+
1. In the **Automate responses** tab, select any playbooks you want to run automatically when an alert is generated by the custom rule. For more information on creating and automating playbooks, see [Respond to threats](tutorial-respond-threats-playbook.md).
6868

6969
![Automate response to threats in Azure Sentinel](media/tutorial-detect-threats-custom/response-automation-custom.png)
7070

articles/sentinel/tutorial-investigate-cases.md

Lines changed: 7 additions & 1 deletion
@@ -19,6 +19,12 @@ ms.author: rkarlin
1919
---
2020
# Tutorial: Investigate incidents with Azure Sentinel
2121

22+
> [!IMPORTANT]
23+
> The investigation graph is currently in public preview.
24+
> This feature is provided without a service level agreement, and it's not recommended for production workloads.
25+
> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
26+
27+
2228
This tutorial helps you investigate incidents with Azure Sentinel. After you connected your data sources to Azure Sentinel, you want to be notified when something suspicious happens. To enable you to do this, Azure Sentinel lets you create advanced alert rules, that generate incidents that you can assign and investigate.
2329

2430
This article covers:
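Review bot: the new [!IMPORTANT] note has the right content (no SLA, not recommended for production, link to the preview terms), but it sits directly under the tutorial title, which makes the whole tutorial read as preview, while only the investigation graph is; either name the graph explicitly in the first line of the note ("The investigation graph section of this tutorial ...") or move the note to the graph section. Drive-by in the unchanged context: "After you connected your data sources" should be "After you connect" or "After you have connected".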
@@ -54,7 +60,7 @@ You'll only be able to investigate the incident if you used the entity mapping f
5460

5561
1. Select **Investigate** to view the investigation map.
5662

57-
## Use the investigation graph to deep dive
63+
## Use the investigation graph to deep dive (preview)
5864

5965
The investigation graph enables analysts to ask the right questions for each investigation. The investigation graph helps you understand the scope, and identify the root cause, of a potential security threat by correlating relevant data with any involved entity. You can dive deeper and investigate any entity presented in the graph by selecting it and choosing between different expansion options.
6066
