Update plan-monitoring-and-reporting.md

v-edmckillop · web-flow · commit 59f498712d84 · 2022-12-13T11:59:50.000-08:00
diff --git a/articles/active-directory/reports-monitoring/plan-monitoring-and-reporting.md b/articles/active-directory/reports-monitoring/plan-monitoring-and-reporting.md
@@ -3,113 +3,106 @@
 title: Plan reports & monitoring deployment - Azure AD
 description: Describes how to plan and execute implementation of reporting and monitoring.
 services: active-directory
-author: shlipsey3
-manager: amycolannino
+author: gargi-sinha
+manager: martinco
 ms.service: active-directory
 ms.topic: conceptual
 ms.workload: identity
 ms.subservice: report-monitor
-ms.date: 11/01/2022
-ms.author: sarahlipsey
+ms.date: 12/13/2022
+ms.author: gasinh
 ms.reviewer: plenzke 
 
-# Customer intent: As an Azure AD administrator, I want to monitor logs and report on access to increase security 
+# Customer intent: For an Azure AD administrator to monitor logs and report on access 
 ms.collection: M365-identity-device-management
 ---
 
-# Plan an Azure Active Directory reporting and monitoring deployment
+# Azure Active Directory reporting and monitoring deployment dependencies
 
-Your Azure Active Directory (Azure AD) reporting and monitoring solution depends on your legal, security, and operational requirements and your existing environment and processes. This article presents the various design options and guides you to the right deployment strategy.
+Your Azure Active Directory (Azure AD) reporting and monitoring solution depends on legal, security, operational requirements, and your environment's processes. Use the following sections to learn about design options and deployment strategy.
 
-### Benefits of Azure AD reporting and monitoring
+## Benefits of Azure AD reporting and monitoring
 
-Azure AD reporting provides a comprehensive view and logs of Azure AD activity in your environment, including sign-in events, audit events, and changes to your directory.
+Azure AD reporting has a view, and logs, of Azure AD activity in your environment: sign-in and audit events, also changes to your directory.
 
-The provided data enables you to:
+Use data output to:
 
-* determine how your apps and services are used.
-
-* detect potential risks affecting the health of your environment.
-
-* troubleshoot issues preventing your users from getting their work done.
-
-* gain insights by seeing audit events of changes to your Azure AD directory.
+* determine how apps and services are used
+* detect potential risks affecting environment health
+* troubleshoot user issues
+* obtain insights from audits of changes to your directory
 
 > [!IMPORTANT]
-> Azure AD monitoring enables you to route your logs generated by Azure AD reporting to different target systems. You can then either retain it for long-term use or integrate it with third-party Security Information and Event Management (SIEM) tools to gain insights into your environment.
+> Use Azure AD monitoring to route Azure AD reporting logs to target systems. Retain the data, or integrate it with third-party security information and event-management (SIEM) tools for more insights.
 
 With Azure AD monitoring, you can route logs to:
 
-* an Azure storage account for archival purposes.
-* Azure Monitor logs, formerly known as Azure Log Analytics workspace, where you can analyze the data, create dashboards, and alert on specific events.
-* an Azure event hub where you can integrate with your existing SIEM tools such as Splunk, Sumologic, or QRadar.
+* an Azure storage account for archival
+* Azure Monitor logs, where you can analyze data, create dashboards, and build event alerts
+* an Azure event hub to integrate with SIEM tools, such as Splunk, Sumologic, or QRadar
 
 > [!NOTE]
-> We recently started using the term Azure Monitor logs instead of Log Analytics. Log data is still stored in a Log Analytics workspace and is still collected and analyzed by the same Log Analytics service. We are updating the terminology to better reflect the role of [logs in Azure Monitor](../../azure-monitor/data-platform.md). See [Azure Monitor terminology changes](../../azure-monitor/terminology.md) for details.
-
-[Learn more about report retention policies](./reference-reports-data-retention.md).
-
-### Licensing and prerequisites for Azure AD reporting and monitoring
-
-You'll need an Azure AD premium license to access the Azure AD sign-in logs.
+> The term Azure Monitor logs has replaced Log Analytics. Log data is stored in a Log Analytics workspace and collected and analyzed by the Log Analytics service. 
 
-For detailed feature and licensing information in the [Azure Active Directory pricing guide](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing).
+Learn more about: 
 
-To deploy Azure AD monitoring and reporting you'll need a user who is a global administrator or security administrator for the Azure AD tenant.
+* [Azure Monitor data platform](../../azure-monitor/data-platform.md)
+* [Azure Monitor naming and terminology changes](../../azure-monitor/terminology.md)
+* [How long does Azure AD store reporting data?](./reference-reports-data-retention.md)
 
-Depending on the final destination of your log data, you'll need one of the following:
-
-* An Azure storage account that you have ListKeys permissions for. We recommend that you use a general storage account and not a Blob storage account. For storage pricing information, see the [Azure Storage pricing calculator](https://azure.microsoft.com/pricing/calculator/?service=storage).
-
-* An Azure Event Hubs namespace to integrate with third-party SIEM solutions.
-
-* An Azure Log Analytics workspace to send logs to Azure Monitor logs.
-
-## Plan an Azure reporting and monitoring deployment project
+### Licensing and prerequisites for Azure AD reporting and monitoring
 
-In this project, you'll define the audiences that will consume and monitor reports, and define your Azure AD monitoring architecture.
+* To access the Azure AD sign-in logs, you'll need an Azure AD premium license
+  * [Azure Active Directory plans and pricing](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing)
+* Global Administrator or Security Administrator permissions for the Azure AD tenant
+* One of the following items:
+  * An Azure storage account with ListKeys permissions. We recommend general storage, not Blob. See the [pricing calculator](https://azure.microsoft.com/pricing/calculator/?service=storage).
+  * An Azure Event Hubs namespace to integrate with SIEM solutions
+  * An Azure Log Analytics workspace to send logs to Azure Monitor logs
 
-### Engage the right stakeholders
+## Azure reporting and monitoring deployment project
 
-When technology projects fail, they typically do so due to mismatched expectations on effect, outcomes, and responsibilities. To avoid these pitfalls, [ensure that you're engaging the right stakeholders](../fundamentals/active-directory-deployment-plans.md). Also ensure that stakeholder roles in the project are well understood by documenting the stakeholders and their project input and accountabilities.
+Use the following sections to define the users who consume and monitor reports, and your Azure AD monitoring architecture.
 
-### Plan communications
+### Engage stakeholders
 
-Communication is critical to the success of any new service. Proactively communicate with your users how their experience will change, when it will change, and how to gain support if they experience issues.
+Successful projects align expectations, outcomes, and responsibilities. See, [Azure Active Directory deployment plans](../fundamentals/active-directory-deployment-plans.md). Document and communicate stakeholder roles that require input and accountability.
 
-### Document your current infrastructure and policies
+### Communications plan
 
-Your current infrastructure and policies will drive your reporting and monitoring design. Ensure that you know
+Tell your users how and when the experience will change. Provide contact information for support.
 
-* What, if any, SIEM tools you're using.
+### Document current infrastructure and policies
 
-* Your Azure infrastructure, including existing storage accounts and monitoring being used.
+Your current infrastructure and policies affect reporting and monitoring design. Gather and document the following information:
 
-* Your organizational retention policies for logs, including any applicable compliance frameworks required. 
+* SIEM tools in use
+* Azure infrastructure: storage accounts and monitoring in use
+* Organizational log retention policies
+  * Include required compliance frameworks
 
-## Plan an Azure AD reporting and monitoring deployment
+## Retention, analytics, insights, and SIEM integration considerations
 
-Reporting and monitoring are used to meet your business requirements, gain insights into usage patterns, and increase your organization's security posture.
+Reporting and monitoring help meet business requirements, gain insights into usage patterns, and increases security posture.
 
-### Business use cases
+Business use cases:
 
-* Required for solution to meet business needs
+* Required to meet business needs
 * Nice to have to meet business needs
 * Not applicable
 
-|Area |Description |
-|-|-|
-|Retention| **Log retention of more than 30 days**. ‎Due to legal or business requirements it's required to store audit logs and sign in logs of Azure AD longer than 30 days. |
-|Analytics| **The logs need to be searchable**. ‎The stored logs need to be searchable with analytic tools. |
-| Operational Insights| **Insights for various teams**. The need to give access for different users to gain operational insights such as application usage, sign in errors, self-service usage, trends, etc. |
-| Security Insights| **Insights for various teams**. The need to give access for different users to gain operational insights such as application usage, sign in errors, self service usage, trends, etc. |
-| Integration in SIEM systems      | **SIEM integration**. ‎The need to integrate and stream Azure AD sign-in logs and audit logs to existing SIEM systems. |
+### Considerations
+
+* **Retention** - Log retention: store audit logs and sign in logs of Azure AD longer than 30 days
+* **Analytics** - Logs are searchable with analytic tools
+* **Operational and security insights** - Provide access to application usage, sign-in errors, self-service usage, trends, etc.
+* **SIEM integration** - Integrate and stream Azure AD sign-in logs and audit logs to SIEM systems
 
-### Choose a monitoring solution architecture
+### Monitoring solution architecture
 
-With Azure AD monitoring, you can route your Azure AD activity logs to a system that best meets your business needs. You can then retain them for long-term reporting and analysis to gain insights into your environment, and integrate it with SIEM tools.
+With Azure AD monitoring, you can route Azure AD activity logs and retain them for long-term reporting and analysis to gain insights into your environment, and integrate it with SIEM tools.
 
-#### Decision flow chart![An image showing what is described in subsequent sections](media/reporting-deployment-plan/deploy-reporting-flow-diagram.png)
+Decision flow chart![An image showing what is described in subsequent sections](media/reporting-deployment-plan/deploy-reporting-flow-diagram.png)
 
 #### Archive logs in a storage account
 
