Merge pull request #202094 from MicrosoftDocs/main

4 P.M. Sunday Publish, 6/19/22

Author: hmacgregor1

articles/azure-monitor/alerts/alerts-common-schema-definitions.md

@@ -276,18 +276,18 @@ Any alert instance describes the resource that was affected and the cause of the
             ]
           ]
         }
+      ],
+      "dataSources": [
+        {
+          "resourceId": "/subscriptions/a5ea55e2-7482-49ba-90b3-60e7496dd873/resourcegroups/test/providers/microsoft.operationalinsights/workspaces/test",
+          "tables": [
+            "Heartbeat"
+          ]
+        }
       ]
     },
-    "dataSources": [
-      {
-        "resourceId": "/subscriptions/a5ea55e2-7482-49ba-90b3-60e7496dd873/resourcegroups/test/providers/microsoft.operationalinsights/workspaces/test",
-        "tables": [
-          "Heartbeat"
-        ]
-      }
-    ],
-  "IncludedSearchResults": "True",
-  "AlertType": "Metric measurement"
+    "IncludedSearchResults": "True",
+    "AlertType": "Metric measurement"
   }
 }
 ```

articles/defender-for-cloud/includes/defender-for-containers-enable-plan-aks.md

@@ -1,9 +1,9 @@
 ---
-author: bmansheim
-ms.author: benmansheim
+author: ElazarK
+ms.author: elkrieger
 ms.service: defender-for-cloud
 ms.topic: include
-ms.date: 05/26/2022
+ms.date: 06/19/2022
 ---
 
 ## Enable the plan
@@ -171,10 +171,10 @@ Request body parameters:
 1. To verify that the profile was successfully added, run the following command on your machine with the `kubeconfig` file pointed to your cluster:
 
     ```console
-    kubectl get pods -n azuredefender
+    kubectl get pods -n kube-system
     ```
 
-    When the profile is added, you should see a pod called `azuredefender-XXXXX` in `Running` state. It might take a few minutes for pods to be added.
+    When the profile is added, you should see a pods called `azuredefender-XXXXX` in `Running` state. It might take a few minutes for pods to be added.
 
 ### [**Resource Manager**](#tab/aks-deploy-arm)
 

articles/defender-for-cloud/permissions.md

@@ -30,7 +30,7 @@ The following table displays roles and allowed actions in Defender for Cloud.
 | Edit security policy | - | ✔ | - | ✔ | ✔ |
 | Enable / disable Microsoft Defender plans | - | ✔ | - | ✔ | ✔ |
 | Dismiss alerts | - | ✔ | - | ✔ | ✔ |
-| Apply security recommendations for a resource</br> (and use [Fix](implement-security-recommendations.md#fix-button)) | - | ✔ | ✔ | ✔ | ✔ |
+| Apply security recommendations for a resource</br> (and use [Fix](implement-security-recommendations.md#fix-button)) | - | - | ✔ | ✔ | ✔ |
 | View alerts and recommendations | ✔ | ✔ | ✔ | ✔ | ✔ |
 
 

articles/defender-for-iot/organizations/appliance-catalog/hpe-edgeline-el300.md

@@ -34,7 +34,7 @@ The following image shows a view of the back panel of the HPE Edgeline EL300.
 |CPU|Intel Core i7-8650U (1.9GHz/4-core/15W)|
 |Chipset|Intel® Q170 Platform Controller Hub|
 |Memory|8 GB DDR4 2133 MHz Wide Temperature SODIMM|
-|Storage|128 GB 3ME3 Wide Temperature mSATA SSD|
+|Storage|256-GB SATA 6G Read Intensive M.2 2242 3 year warranty wide temperature SSD|
 |Network controller|6x Gigabit Ethernet ports by Intel® I219|
 |Device access|4 USBs: Two fronts; two rears; 1 internal|
 |Power Adapter|250V/10A|

articles/defender-for-iot/organizations/appliance-catalog/hpe-proliant-dl20-plus-enterprise.md

@@ -144,6 +144,10 @@ This procedure describes how to update the HPE BIOS configuration for your OT de
 
 1. In the **Create Array** form, select all the options. Three options are available for the **Enterprise** appliance.
 
+> [!NOTE]
+> For **Data-at-Rest** encryption, see the HPE guidance for activating RAID Secure Encryption or using Self-Encrypting-Drives (SED).
+>
+
 ### Install Defender for IoT software on the HPE ProLiant DL20 or HPE ProLiant DL20 Plus
 
 This procedure describes how to install Defender for IoT software on the HPE ProLiant DL20 or HPE ProLiant DL20 Plus.

articles/defender-for-iot/organizations/appliance-catalog/hpe-proliant-dl360.md

@@ -47,6 +47,7 @@ The following image shows a view of the HPE ProLiant Dl360 back panel:
 |**Power**            |Two HPE 500-W flex slot platinum hot plug low halogen power supply kit
 |**Rack support**     | HPE 1U Gen10 SFF easy install rail kit        |
 
+
 ## HPE DL360 BOM
 
 |PN	|Description	|Quantity|
@@ -136,6 +137,9 @@ This procedure describes how to update the HPE BIOS configuration for your OT se
 
 1. In the **Create Array** form, select all the options.
 
+> [!NOTE]
+> For **Data-at-Rest** encryption, see the HPE guidance for activating RAID Secure Encryption or using Self-Encrypting-Drives (SED).
+>
 
 ### Install iLO remotely from a virtual drive
 

articles/defender-for-iot/organizations/how-to-create-and-manage-users.md

@@ -134,18 +134,54 @@ To update sign-out counting periods, adjust the `= <number>` value to the requir
 
 ## Track user activity
 
-You can track user activity in the event timeline on each sensor. The timeline displays the event or affected device, and the time and date that the user carried out the activity.
+Track user activity on a sensor's event timeline, or by viewing audit logs generated on an on-premises management console.
 
-**To view user activity**:
+- **The timeline** displays the event or affected device, and the time and date that the user carried out the activity.
 
-1. Select **Event Timeline** from the sensor side menu.
+- **Audit logs** record key activity data at the time of occurrence. Use audit logs generated on the on-premises management console to understand which changes were made, when, and by whom.
 
-1. Verify that  **User Operations** filter is set to **Show**.  
+### View user activity on the sensor's Event Timeline
 
-   :::image type="content" source="media/how-to-create-and-manage-users/track-user-activity.png" alt-text="Screenshot of the Event timeline showing a user that signed in to Defender for IoT.":::
+Select **Event Timeline** from the sensor side menu. If needed, verify that  **User Operations** filter is set to **Show**.
 
-1. Use the filters or Ctrl F option to find the information of interest to you.
+For example:
 
+:::image type="content" source="media/how-to-create-and-manage-users/track-user-activity.png" alt-text="Screenshot of the Event timeline showing a user that signed in to Defender for IoT.":::
+
+Use the filters or search using CTRL+F to find the information of interest to you.
+
+### View audit log data on the on-premises management console
+
+In the on-premises management console, select **System Settings > System Statistics**, and then select **Audit log**.
+
+The dialog displays data from the currently active audit log. For example:
+
+For example:
+
+:::image type="content" source="media/how-to-create-and-manage-users/view-audit-logs.png" alt-text="Screenshot of the on-premises management console showing audit logs." lightbox="media/how-to-create-and-manage-users/view-audit-logs.png":::
+
+New audit logs are generated at every 10 MB. One previous log is stored in addition to the current active log file.
+
+Audit logs include the following data:
+
+| Action | Information logged |
+|--|--|
+| **Learn, and remediation of alerts** | Alert ID |
+| **Password changes** | User, User ID |
+| **Login** | User |
+| **User creation** | User, User role |
+| **Password reset** | User name |
+| **Exclusion rules-Creation**| Rule summary |
+| **Exclusion rules-Editing**| Rule ID, Rule Summary |
+| **Exclusion rules-Deletion** | Rule ID |
+| **Management Console Upgrade** | The upgrade file used |
+| **Sensor upgrade retry** | Sensor ID |
+| **Uploaded TI package** | No additional information recorded. |
+
+
+> [!TIP]
+> You may also want to export your audit logs to send them to the support team for extra troubleshooting. For more information, see [Export audit logs for troubleshooting](how-to-troubleshoot-the-sensor-and-on-premises-management-console.md#export-audit-logs-for-troubleshooting)
+>
 
 ## Change a user's password
 
@@ -232,6 +268,7 @@ You can recover the password for the on-premises management console or the senso
 
 1. Select **Next**, and your user, and a system-generated password for your management console will then appear.
 
+
 ## Next steps
 
 - [Activate and set up your sensor](how-to-activate-and-set-up-your-sensor.md)

articles/defender-for-iot/organizations/how-to-troubleshoot-the-sensor-and-on-premises-management-console.md

@@ -1,7 +1,7 @@
 ---
 title: Troubleshoot the sensor and on-premises management console
 description: Troubleshoot your sensor and on-premises management console to eliminate any problems you might be having.
-ms.date: 05/22/2022
+ms.date: 06/15/2022
 ms.topic: article
 ---
 # Troubleshoot the sensor and on-premises management console
@@ -262,13 +262,14 @@ All allowlists, policies, and configuration settings are cleared, and the sensor
 
 
 ## Troubleshoot an on-premises management console
-### Investigate a lack of expected alerts on the management console
 
-If an expected alert is not shown in the **Alerts** window, verify the following:
+### Investigate a lack of expected alerts
+
+If you don't see an expected alert on the on-premises **Alerts** page, do the following to troubleshoot:
 
-- Check if the same alert already appears in the **Alerts** window as a reaction to a different security instance. If yes, and this alert has not been handled yet, a new alert is not shown.
+- Verify whether the alert is already listed as a reaction to a different security instance. If it has, and that alert hasn't yet been handled, a new alert isn't shown elsewhere.
 
-- Verify that you did not exclude this alert by using the **Alert Exclusion** rules in the on-premises management console.
+- Verify that the alert isn't being excluded by **Alert Exclusion** rules. For more information, see [Create alert exclusion rules](how-to-work-with-alerts-on-premises-management-console.md#create-alert-exclusion-rules).
 
 ### Tweak the Quality of Service (QoS)
 
@@ -310,39 +311,33 @@ To limit the number of alerts, use the `notifications.max_number_to_report` prop
 
 1. Save the changes. No restart is required.
 
+### Export audit logs for troubleshooting
 
+Audit logs record key activity data at the time of occurrence. Use audit logs generated on the on-premises management console to understand which changes were made, when, and by whom.
 
-### Export audit logs from the management console
+You may also want to export your audit logs to send them to the support team for extra troubleshooting.
+
+> [!NOTE]
+> New audit logs are generated at every 10 MB. One previous log is stored in addition to the current active log file.
+>
 
-Audit logs record key information at the time of occurrence. Audit logs are useful when you are trying to figure out what changes were made, and by who. Audit logs can be exported in the management console, and contain the following information:
+**To export audit log data**:
 
-| Action | Information logged |
-|--|--|
-| **Learn, and remediation of alerts** | Alert ID |
-| **Password changes** | User, User ID |
-| **Login** | User |
-| **User creation** | User, User role |
-| **Password reset** | User name |
-| **Exclusion rules-Creation**| Rule summary |
-| **Exclusion rules-Editing**| Rule ID, Rule Summary |
-| **Exclusion rules-Deletion** | Rule ID |
-| **Management Console Upgrade** | The upgrade file used |
-| **Sensor upgrade retry** | Sensor ID |
-| **Uploaded TI package** | No additional information recorded. |
+1. In the on-premises management console, select **System Settings > Export**.
 
-**To export the audit log**:
+1. In the **Export Troubleshooting Information** dialog:
 
-1. In the management console, in the left pane, select **System Settings**.
+    1. In the **File Name** field, enter a meaningful name for the exported log. The default filename uses the current date, such as **13:10-June-14-2022.tar.gz**.
 
-1. Select **Export**.
+    1. Select **Audit Logs**.
 
-1. In the File Name field, enter the file name that you want to use for the exported log. If no name is entered, the default file name will be the current date.
+    1. Select **Export**.
 
-1. Select **Audit Logs**.
+    The file is exported and is linked from the **Archived Files** list at the bottom of the **Export Troubleshooting Information** dialog. Select the link to download the file.
 
-1. Select **Export**.
+1. Exported audit logs are encrypted for your security, and require a password to open. In the **Archived Files** list, select the :::image type="icon" source="media/how-to-troubleshoot-the-sensor-and-on-premises-management-console/eye-icon.png" border="false"::: button for your exported logs to view its password. If you're forwarding the audit logs to the support team, make sure to send the password to support separately from the exported logs.
 
-The exported log is added to the **Archived Logs** list. Select the :::image type="icon" source="media/how-to-troubleshoot-the-sensor-and-on-premises-management-console/eye-icon.png" border="false"::: button to view the OTP. Send the OTP string to the support team in a separate message from the exported logs. The support team will be able to extract exported logs only by using the unique OTP that's used to encrypt the logs.
+For more information, see [View audit log data on the on-premises management console](how-to-create-and-manage-users.md#view-audit-log-data-on-the-on-premises-management-console).
 
 ## Next steps
 

articles/defender-for-iot/organizations/media/how-to-create-and-manage-users/view-audit-logs.png

@@ -169,15 +169,15 @@ Flexible servers that are configured with high availability, log data is replica
   2. If you just want to restore an object, you can then export the object from the restored database server and import it to your production database server.
   3. If you want to clone your database server for testing and development purposes, or you want to restore for any other purposes, you can perform point-in-time restore.
 
-## Zone redundant high availability - features
+## High availability - features
 
 * Standby replica will be deployed in an exact VM configuration same as the primary server, including vCores, storage, network settings (VNET, Firewall), etc.
 
 * You can add high availability for an existing database server.
 
 * You can remove standby replica by disabling high availability.
 
-* You can only choose your availability zone for your primary database server. Standby zone is auto-selected.
+* For zone-redundant HA, you can choose your availability zones for your primary and standby database servers.
 
 * Operations such as stop, start, and restart are performed on both primary and standby database servers at the same time.
 
@@ -191,11 +191,11 @@ Flexible servers that are configured with high availability, log data is replica
 
 * Periodic maintenance activities such as minor version upgrades happen at the standby first and the service is failed over to reduce downtime.  
 
-## Zone redundant high availability - limitations
+## High availability - limitations
 
 * High availability is not supported with burstable compute tier.
 * High availability is supported only in regions where multiple zones are available.
-* Due to synchronous replication to another availability zone, applications can experience elevated write and commit latency.
+* Due to synchronous replication to the standby server, especially with zone-redundant HA, applications can experience elevated write and commit latency.
 
 * Standby replica cannot be used for read queries.
 
@@ -212,7 +212,7 @@ Flexible servers that are configured with high availability, log data is replica
 
 * If logical decoding or logical replication is configured with a HA configured flexible server, in the event of a failover to the standby server, the logical replication slots are not copied over to the standby server.  
 
-## Availability without high availability
+## Availability for non-HA servers
 
 For Flexible servers configured **without** high availability, the service still provides built-in availability, storage redundancy and resiliency to help to recover from any planned or unplanned downtime events.
 
@@ -257,7 +257,7 @@ Here are some failure scenarios that require user action to recover:
 
 * **Can I choose the availability zones for my primary and standby servers?** <br>
     If you choose same zone HA, then you can only choose the primary server. If you choose zone redundant HA, then you can choose both primary and standby AZs.
-    
+
 * **Is zone redundant HA available in all regions?** <br>
     Zone-redundant HA is available in regions that support multiple AZs in the region. For the latest region support, please see [this documentation](overview.md#azure-regions). We are continuously adding more regions and enabling multiple AZs. Note that same-zone HA is available in all regions.