raz updates

Author: rkarlin

articles/sentinel/connect-azure-active-directory.md

@@ -37,9 +37,11 @@ Azure Sentinel enables you to collect data from [Azure Active Directory](../acti
 
 1. In Azure Sentinel, select **Data connectors** and then click the **Azure Active Directory** tile.
 
-2. Next to the logs you want to stream into Azure Sentinel, click **Connect**.
+1. Next to the logs you want to stream into Azure Sentinel, click **Connect**.
 
-6. To use the relevant schema in Log Analytics for the Azure AD alerts, search for **SigninLogs** and **AuditLogs**.
+1. You can select whether you want the alerts from Azure AD to automatically generate incidents in Azure Sentinel automatically. Under **Create incidents** select **Enable** to enable the default analytic rule that creates incidents automatically from alerts generated in the connected security service. You can then edit this rule under **Analytics** and then **Active rules**.
+
+1. To use the relevant schema in Log Analytics for the Azure AD alerts, search for **SigninLogs** and **AuditLogs**.
 
 
 

articles/sentinel/connect-azure-atp.md

@@ -39,9 +39,11 @@ If Azure ATP is deployed and ingesting your data, the suspicious alerts can easi
 
 1. In Azure Sentinel, select **Data connectors** and then click the **Azure ATP** tile.
 
-2. Click **Connect**.
+1. You can select whether you want the alerts from Azure ATP to automatically generate incidents in Azure Sentinel automatically. Under **Create incidents** select **Enable** to enable the default analytic rule that creates incidents automatically from alerts generated in the connected security service. You can then edit this rule under **Analytics** and then **Active rules**.
 
-6. To use the relevant schema in Log Analytics for the Azure ATP alerts, search for **SecurityAlert**.
+1. Click **Connect**.
+
+1. To use the relevant schema in Log Analytics for the Azure ATP alerts, search for **SecurityAlert**.
 
 > [!NOTE]
 > If the alerts are larger than 30 KB, Azure Sentinel stops displaying the Entities field in the alerts.

articles/sentinel/connect-azure-security-center.md

@@ -38,8 +38,11 @@ Azure Sentinel enables you to connect alerts from [Azure Security Center](../sec
 ## Connect to Azure Security Center
 
 1. In Azure Sentinel, select **Data connectors** and then click the **Azure Security Center** tile.
+
 1. In the right, click **Connect** next to each subscription whose alerts you want to stream into Azure Sentinel. Make sure to upgrade each subscription to Azure Security Center Standard tier to stream alerts to Azure Sentinel.
 
+1. You can select whether you want the alerts from Azure Security Center to automatically generate incidents in Azure Sentinel automatically. Under **Create incidents** select **Enable** to enable the default analytic rule that creates incidents automatically from alerts generated in the connected security service. You can then edit this rule under **Analytics** and then **Active rules**.
+
 3. Click **Connect**.
 
 4. To use the relevant schema in Log Analytics for the Azure Security Center alerts, search for **SecurityAlert**.

articles/sentinel/connect-cloud-app-security.md

@@ -37,6 +37,8 @@ If Cloud App Security is deployed and ingesting your data, the alert data can ea
 
 1. Select which logs you want to stream into Azure Sentinel, you can choose **Alerts**. 
 
+1. You can select whether you want the alerts from Microsoft Cloud App Security to automatically generate incidents in Azure Sentinel automatically. Under **Create incidents** select **Enable** to enable the default analytic rule that creates incidents automatically from alerts generated in the connected security service. You can then edit this rule under **Analytics** and then **Active rules**.
+
 1. Click **Connect**.
 
 1. To use the relevant schema in Log Analytics for the Cloud App Security alerts, search for **SecurityAlert**.