
Commit 68f2036

final edits
1 parent 82dd3a1 commit 68f2036

6 files changed, +64 -54 lines changed

articles/defender-for-cloud/plan-defender-for-servers-agents.md

Lines changed: 31 additions & 29 deletions
@@ -14,24 +14,20 @@ This article helps you plan your agents, extensions, and Azure Arc resources for
1414

1515
## Before you begin
1616

17-
This article is the *fifth* article in the Defender for Servers planning guide series. Before you begin, review the earlier articles:
17+
This article is the *fifth* article in the Defender for Servers planning guide. Before you begin, review the earlier articles:
1818

1919
1. [Start planning your deployment](plan-defender-for-servers.md)
2020
1. [Understand where your data is stored and Log Analytics workspace requirements](plan-defender-for-servers-data-workspace.md)
2121
1. [Review Defender for Servers access roles](plan-defender-for-servers-roles.md)
2222
1. [Select a Defender for Servers plan](plan-defender-for-servers-select-plan.md)
2323

24-
## Review agents and extensions
25-
26-
Defender for Servers plans use agents and extensions.
27-
2824
## Review Azure Arc requirements
2925

3026
Azure Arc helps you onboard Amazon Web Services (AWS), Google Cloud Platform (GCP), and on-premises machines to Azure. Defender for Cloud uses Azure Arc to protect non-Azure machines.
3127

3228
### Foundational cloud security posture management
3329

34-
For free foundational cloud security posture management (CSPM) features, Azure Arc running on AWS or GCP machines isn't required. But for full functionality, we recommend that you do have Azure Arc running on AWS or GCP machines.
30+
For free foundational cloud security posture management (CSPM) features, Azure Arc running on AWS or GCP machines isn't required. For full functionality, we recommend that you *do* have Azure Arc running on AWS or GCP machines.
3531

3632
Azure Arc onboarding is required for on-premises machines.
3733

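Review bot: the heading `## Review agents and extensions` is deleted together with its one-line body, which also removes the `#review-agents-and-extensions` anchor; grep the other articles in the series (and their Next steps sections) for links to that anchor before merging, or keep the heading and fold the sentence into the Azure Arc section. Separately, this hunk changes "planning guide series" to "planning guide" while the data-workspace article in the same commit still says "planning guide series"; pick one wording for the whole series.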
@@ -52,31 +48,35 @@ To plan for Azure Arc deployment:
5248
- [Network and internet access ](../azure-arc/servers/network-requirements.md) for the agent.
5349
- [Connection options](../azure-arc/servers/deployment-options.md) for the agent.
5450

55-
## The Log Analytics agent and the Azure Monitor agent
51+
## Log Analytics agent and Azure Monitor agent
5652

57-
Defender for Cloud uses the Log Analytics agent and Azure Monitor agent to collect information from compute resources. Then, it sends the data to a Log Analytics workspace for more analysis. Review the [differences and recommendations for both agents](../azure-monitor/agents/agents-overview.md).
53+
Defender for Cloud uses the Log Analytics agent and the Azure Monitor agent to collect information from compute resources. Then, it sends the data to a Log Analytics workspace for more analysis. Review the [differences and recommendations for both agents](../azure-monitor/agents/agents-overview.md).
5854

5955
The following table describes the agents that are used in Defender for Servers:
6056

6157
Feature | Log Analytics agent | Azure Monitor agent
62-
--- | --- | ---
58+
--- | --- | ---
6359
Foundational CSPM recommendations (free) that depend on the agent: [OS baseline recommendation](apply-security-baseline.md) (Azure VMs) | :::image type="icon" source="./media/icons/yes-icon.png" alt-text="Icon that shows it's supported by the Log Analytics agent.":::| :::image type="icon" source="./media/icons/yes-icon.png" alt-text="Icon that shows it's supported by the Azure Monitor agent.":::<br/><br/> With the Azure Monitor agent, the Azure Policy [guest configuration extension](../virtual-machines/extensions/guest-configuration.md) is used.
6460
Foundational CSPM: [System updates recommendations](recommendations-reference.md#compute-recommendations) (Azure VMs) | :::image type="icon" source="./media/icons/yes-icon.png" alt-text="Icon that shows it's supported by the Log Analytics agent"::: | Not yet available.
65-
Foundational CSPM: [Antimalware/Endpoint protection recommendations](endpoint-protection-recommendations-technical.md) (Azure VMs) | :::image type="icon" source="./media/icons/yes-icon.png" alt-text="Icon that shows it's supported by the Log Analytics agent."::: | :::image type="icon" source="./media/icons/yes-icon.png" alt-text="Icon that shows it's supported by the Azure Monitor agent.":::
66-
Attack detection at the OS level and network layer, including fileless attack detection).<br/><br/> Plan 1 relies on Defender for Endpoint capabilities for attack detection. | :::image type="icon" source="./media/icons/yes-icon.png" alt-text="Icon that shows it's supported by the Log Analytics agent. Plan 1 relies on Defender for Endpoint.":::<br/><br/> Plan 2| :::image type="icon" source="./media/icons/yes-icon.png" alt-text="Icon that shows it's supported by the Azure Monitor agent. Plan 1 relies on Defender for Endpoint.":::<br/><br/> Plan 2
61+
Foundational CSPM: [Antimalware/endpoint protection recommendations](endpoint-protection-recommendations-technical.md) (Azure VMs) | :::image type="icon" source="./media/icons/yes-icon.png" alt-text="Icon that shows it's supported by the Log Analytics agent."::: | :::image type="icon" source="./media/icons/yes-icon.png" alt-text="Icon that shows it's supported by the Azure Monitor agent.":::
62+
Attack detection at the OS level and network layer, including fileless attack detection<br/><br/> Plan 1 relies on Defender for Endpoint capabilities for attack detection. | :::image type="icon" source="./media/icons/yes-icon.png" alt-text="Icon that shows it's supported by the Log Analytics agent. Plan 1 relies on Defender for Endpoint.":::<br/><br/> Plan 2| :::image type="icon" source="./media/icons/yes-icon.png" alt-text="Icon that shows it's supported by the Azure Monitor agent. Plan 1 relies on Defender for Endpoint.":::<br/><br/> Plan 2
6763
File integrity monitoring (Plan 2 only) | :::image type="icon" source="./media/icons/yes-icon.png" alt-text="Icon that shows it's supported by the Log Analytics agent."::: | :::image type="icon" source="./media/icons/yes-icon.png" alt-text="Icon that shows it's supported by the Azure Monitor agent.":::
6864
[Adaptive application controls](adaptive-application-controls.md) (Plan 2 only) | :::image type="icon" source="./media/icons/yes-icon.png" alt-text="Icon that shows it's supported by the Log Analytics agent."::: | :::image type="icon" source="./media/icons/yes-icon.png" alt-text="Icon that shows it's supported by the Azure Monitor agent.":::
6965

7066
## Qualys extension
7167

7268
The Qualys extension is available in Defender for Servers Plan 2. The extension is deployed if you want to use Qualys for vulnerability assessment.
7369

70+
Here's more information:
71+
7472
- The Qualys extension sends metadata for analysis to one of two Qualys datacenter regions, depending on your Azure region.
75-
- If you're in a European Azure geography, data is processed in the Qualys European datacenter.
76-
- For other regions, data is processed in the US datacenter.
73+
74+
- If you're in a European Azure geography, data is processed in the Qualys European datacenter.
75+
- For other regions, data is processed in the US datacenter.
76+
7777
- To use Qualys on a machine, the extension must be installed and the machine must be able to communicate with the relevant network endpoint:
78-
- Europe datacenter: `https://qagpublic.qg2.apps.qualys.eu`
79-
- US datacenter: `https://qagpublic.qg3.apps.qualys.com`
78+
- Europe datacenter: `https://qagpublic.qg2.apps.qualys.eu`
79+
- US datacenter: `https://qagpublic.qg3.apps.qualys.com`
8080

8181
## Guest configuration extension
8282

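Review bot: renaming the heading from `## The Log Analytics agent and the Azure Monitor agent` to `## Log Analytics agent and Azure Monitor agent` changes the generated anchor, so any cross-reference to the old slug will break; check for in-repo links before merging. The stray `)` after "fileless attack detection" is correctly dropped, but the "System updates" row's Log Analytics alt-text still lacks the trailing period that every other alt-text in the table has, and the `--- | --- | ---` separator line is touched without a visible change (likely trailing whitespace), which is harmless but worth confirming was intended.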
@@ -91,18 +91,18 @@ Learn more about the Azure Policy [guest configuration extension](../virtual-mac
9191

9292
When you enable Defender for Servers, Defender for Cloud automatically deploys a Defender for Endpoint extension. The extension is a management interface that runs a script inside the operating system to deploy and integrate the Defender for Endpoint sensor on the machine.
9393

94-
- Windows machines extension: MDE.Windows
95-
- Linux machines extension: MDE.Linux
94+
- Windows machines extension: `MDE.Windows`
95+
- Linux machines extension: `MDE.Linux`
9696
- Machines must meet [minimum requirements](/microsoft-365/security/defender-endpoint/minimum-requirements).
97-
- There are some [specific requirements](/microsoft-365/security/defender-endpoint/configure-server-endpoints) for some Windows Server versions.
97+
- Some Windows Server versions have [specific requirements](/microsoft-365/security/defender-endpoint/configure-server-endpoints).
9898

9999
## Verify operating system support
100100

101-
Before deployment, verify operating system support for agents and extensions.
101+
Before you deploy Defender for Servers, verify operating system support for agents and extensions:
102102

103103
- Verify that your [operating systems are supported](/microsoft-365/security/defender-endpoint/minimum-requirements) by Defender for Endpoint.
104-
- [Check requirements](../azure-arc/servers/prerequisites.md) for Azure Arc Connect Machine agent.
105-
- Check operating system support for the [Log Analytics agent](../azure-monitor/agents/log-analytics-agent.md#supported-operating-systems) and [Azure Monitor agent](../azure-monitor/agents/agents-overview.md)
104+
- [Check requirements](../azure-arc/servers/prerequisites.md) for the Azure Arc Connect Machine agent.
105+
- Check operating system support for the [Log Analytics agent](../azure-monitor/agents/log-analytics-agent.md#supported-operating-systems) and [Azure Monitor agent](../azure-monitor/agents/agents-overview.md).
106106

107107
## Review agent provisioning
108108

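Review bot: the bullet "[Check requirements](../azure-arc/servers/prerequisites.md) for the Azure Arc Connect Machine agent" gains an article but keeps the agent name; the Azure Arc agent is documented as the Connected Machine agent, so this reads as a typo that should be fixed in the same pass. Wrapping `MDE.Windows` and `MDE.Linux` in code formatting is a good change, since these are the literal extension names readers will look for in the VM extension list.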
@@ -113,28 +113,30 @@ When you enable Defender for Cloud plans, including Defender for Servers, you ca
113113
- Qualys agent
114114
- Guest configuration agent
115115

116-
Also, when you enable Defender for Servers Plan 1 or Plan 2, the Defender for Endpoint extension is automatically provisioned on all supported machines in the subscription.
116+
When you enable Defender for Servers Plan 1 or Plan 2, the Defender for Endpoint extension is automatically provisioned on all supported machines in the subscription.
117117

118118
## Provisioning considerations
119119

120+
The following table describes provisioning considerations to be aware of:
121+
120122
Provisioning | Details
121123
--- | ---
122-
Defender for Endpoint sensor | If machines are running Microsoft Antimalware, also known as System Center Endpoint Protection (SCEP), the Windows extension automatically removes it from the machine.<br/><br/> If you deploy on a machine that already has the legacy Microsoft Monitoring agent (MMA) Defender for Endpoint sensor running, after the Defender for Cloud and Defender for Endpoint unified solution are successfully installed, the extension stops and it disables the legacy sensor. The change is transparent. The machine’s protection history is preserved.
124+
Defender for Endpoint sensor | If machines are running Microsoft Antimalware, also known as System Center Endpoint Protection (SCEP), the Windows extension automatically removes it from the machine.<br/><br/> If you deploy on a machine that already has the legacy Microsoft Monitoring agent (MMA) Defender for Endpoint sensor running, after the Defender for Cloud and Defender for Endpoint unified solution is successfully installed, the extension stops and it disables the legacy sensor. The change is transparent and the machine’s protection history is preserved.
123125
AWS and GCP machines | Configure automatic provisioning when you set up the AWS or GCP connector.
124126
Manual installation | If you don't want Defender for Cloud to provision the Log Analytics agent and Azure Monitor agent, you can install agents manually.<br/><br/> You can connect the agent to the default Defender for Cloud workspace or to a custom workspace.<br/><br/> The workspace must have the *SecurityCenterFree* (for free foundational CSPM) or *Security* solution enabled (Defender for Servers Plan 2).
125-
[Log Analytics agent running directly](faq-data-collection-agents.yml#what-if-a-log-analytics-agent-is-directly-installed-on-the-machine-but-not-as-an-extension--direct-agent--) | If a Windows VM has the Log Analytics agent running but not as a VM extension, Defender for Cloud installs the extension. The agent reports to the Defender for Cloud workspace and to the existing agent workspace. <br/><br/> On Linux VMs, multi-homing isn't supported. If an existing agent is, the agent isn't automatically provisioned.
127+
[Log Analytics agent running directly](faq-data-collection-agents.yml#what-if-a-log-analytics-agent-is-directly-installed-on-the-machine-but-not-as-an-extension--direct-agent--) | If a Windows VM has the Log Analytics agent running but not as a VM extension, Defender for Cloud installs the extension. The agent reports to the Defender for Cloud workspace and to the existing agent workspace. <br/><br/> On Linux VMs, multi-homing isn't supported. If an existing agent exists, the Log Analytics agent isn't automatically provisioned.
126128
[Operations Manager agent](faq-data-collection-agents.yml#what-if-a-system-center-operations-manager-agent-is-already-installed-on-my-vm-) | The Log Analytics agent can work side by side with the Operations Manager agent. The agents share common runtime libraries that are updated when the Log Analytics agent is deployed.
127129
Removing the Log Analytics extension | If you remove the Log Analytics extension, Defender for Cloud can't collect security data and recommendations, and alerts will be missing. Within 24 hours, Defender for Cloud determines that the extension is missing and reinstalls it.
128130

129-
## When shouldn't I use auto provisioning?
131+
## When to opt out of auto provisioning
130132

131-
You might want to opt out of automatic provisioning in the circumstances described in the following table:
133+
You might want to opt out of automatic provisioning in the circumstances that are described in the following table:
132134

133135
Situation | Relevant agent | Details
134136
--- | --- | ---
135-
You have critical VMs that shouldn't have agents installed. | Log Analytics agent, Azure Monitor agent | Automatic provisioning is for an entire subscription. You can't opt out for specific machines.
136-
You're running the System Center Operations Manager agent version 2012 with Operations Manager 2012. | Log Analytics agent | With this configuration, don't turn on automatic provisioning because management capabilities might be lost.
137-
You want to configure a custom workspace. | Log Analytics agent, Azure Monitor agent | You have two options with a custom workspace:<br/><br/> - Opt out of automatic provisioning when you first set up Defender for Cloud. Then, configure provisioning on your custom workspace.<br/><br/>- Let automatic provisioning run to install the Log Analytics agents on machines. Set a custom workspace, and then reconfigure existing VMs with the new workspace setting.
137+
You have critical VMs that shouldn't have agents installed | Log Analytics agent, Azure Monitor agent | Automatic provisioning is for an entire subscription. You can't opt out for specific machines.
138+
You're running the System Center Operations Manager agent version 2012 with Operations Manager 2012 | Log Analytics agent | With this configuration, don't turn on automatic provisioning. Management capabilities might be lost.
139+
You want to configure a custom workspace | Log Analytics agent, Azure Monitor agent | You have two options with a custom workspace:<br/><br/> - Opt out of automatic provisioning when you first set up Defender for Cloud. Then, configure provisioning on your custom workspace.<br/><br/>- Let automatic provisioning run to install the Log Analytics agents on machines. Set a custom workspace, and then reconfigure existing VMs with the new workspace setting.
138140

139141
## Next steps
140142

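Review bot: in the "Log Analytics agent running directly" row, "If an existing agent exists, the Log Analytics agent isn't automatically provisioned" is redundant; suggest "If an agent is already installed, the Log Analytics agent isn't automatically provisioned." Two smaller points: "in the circumstances that are described in the following table" is wordier than the original "circumstances described in the following table", and renaming `## When shouldn't I use auto provisioning?` to `## When to opt out of auto provisioning` changes the anchor, so check for links to the old heading.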
articles/defender-for-cloud/plan-defender-for-servers-data-workspace.md

Lines changed: 9 additions & 5 deletions
@@ -1,21 +1,21 @@
11
---
2-
title: Review data residency and workspace design for Defender for Servers
3-
description: Plan data residency and review workspace design for Microsoft Defender for Servers.
2+
title: Plan Defender for Servers data residency and workspaces
3+
description: Review data residency and workspace design for Microsoft Defender for Servers.
44
ms.topic: conceptual
55
ms.author: benmansheim
66
author: bmansheim
77
ms.date: 11/06/2022
88
ms.custom: references_regions
99
---
10-
# Review data residency and workspace design
10+
# Plan data residency and workspaces for Defender for Servers
1111

1212
This article helps you understand how your data is stored in Microsoft Defender for Servers and how Log Analytics workspaces are used in Defender for Servers.
1313

1414
[Microsoft Defender for Cloud](defender-for-cloud-introduction.md) offers two paid plans for Defender for Servers.
1515

1616
## Before you begin
1717

18-
This article is the *second* article in the Defender for Servers planning guide series. Before you begin, review [Start planning your deployment](plan-defender-for-servers.md).
18+
This article is the *second* article in the Defender for Servers planning guide series. Begin by [planning your deployment](plan-defender-for-servers.md).
1919

2020
## Understand data residency
2121

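Review bot: replacing "Before you begin, review [Start planning your deployment](plan-defender-for-servers.md)" with "Begin by [planning your deployment](plan-defender-for-servers.md)" changes the link text so it no longer matches the target article's title, and it reads as an instruction to start a deployment rather than to read the first article; suggest keeping the original wording. This file also still says "planning guide series" while the agents article in this same commit drops "series"; align the two.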
@@ -28,6 +28,8 @@ Before you deploy Defender for Servers, it's important for you to understand dat
2828

2929
### Storage locations
3030

31+
Understand where Defender for Cloud stores data and how you can work with your data:
32+
3133
**Data** | **Location**
3234
--- | ---
3335
**Security alerts and recommendations** | - Stored in the Defender for Cloud back end and accessible via the Azure portal, Azure Resource Graph, and REST APIs.<br/><br/> - You can export the data to a Log Analytics workspace by using [continuous export](continuous-export.md).
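Review bot: the new lead-in sentence is fine, but the table header cells `**Data** | **Location**` are bold-wrapped even though markdown table headers already render bold; dropping the asterisks keeps this header consistent with the other tables in this commit, which use plain header cells.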
@@ -37,6 +39,8 @@ Before you deploy Defender for Servers, it's important for you to understand dat
3739

3840
In Defender for Cloud, you can store server data in the default Log Analytics workspace for your Defender for Cloud deployment or in a custom workspace.
3941

42+
Here's more information:
43+
4044
- By default, when you first create your Defender for Cloud deployment, a new resource group and a default workspace are created in the subscription region for each subscription that has Defender for Cloud enabled.
4145
- When you use only free foundational cloud security posture management (CSPM), Defender for Cloud sets up the default workspace with the *SecurityCenterFree* solution enabled.
4246
- When you turn on a Defender for Cloud plan (including Defender for Servers), the plan is enabled for the default workspace, and the *Security* solution is enabled.
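Review bot: "Here's more information:" is used here and again in the Qualys section of the agents article as a list lead-in, but it tells the reader nothing about what follows; a lead-in that names the list's subject, for example "Default workspace behavior:", reads better and is easier to scan.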
@@ -59,7 +63,7 @@ You can store your server information in the default workspace or you can use a
5963

6064
- You must enable the Defender for Servers plan in the custom workspace.
6165
- The custom workspace must be associated with the Azure subscription in which Defender for Cloud is enabled.
62-
- You must have read permissions for the workspace at a minimum.
66+
- You must have at least read permissions for the workspace.
6367
- If the *Security & Audit* solution is installed in a workspace, Defender for Cloud uses the existing solution.
6468

6569
Learn more about [Log Analytics workspace design strategy and criteria](../azure-monitor/logs/workspace-design.md).
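Review bot: "You must have at least read permissions for the workspace" sits two bullets below "You must enable the Defender for Servers plan in the custom workspace", and enabling a plan on a workspace is a write operation, so read permission alone cannot satisfy both bullets; clarify which step needs only read access and which needs write, since readers use this list to scope least-privilege roles. Also, this list names the *Security & Audit* solution while the rest of the file refers to the *SecurityCenterFree* and *Security* solutions; confirm the name is intentional.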
