Commit 6c6d0ec

Fixing feedback to remove marketing material and converting to sentence case
1 parent aef799b commit 6c6d0ec

1 file changed (+1, -11 lines)

articles/sentinel/sentinel-summary-rules-creation.md

Lines changed: 1 addition & 11 deletions
@@ -16,17 +16,7 @@ Summary rules in Microsoft Sentinel are scheduled queries that aggregate and tra
1616

1717
This article walks you through the process of creating and publishing summary rules to Microsoft Sentinel solutions.
1818

19-
## Importance of summary rules in Microsoft Sentinel solutions
20-
21-
Including summary rules in Microsoft Sentinel solutions is important to ensure that the solution offerings are cost-conscious, powerful, and user-friendly. It reflects a commitment to maximizing security value while minimizing overhead. For example, an ISV providing a cloud application firewall solution might include a summary rule that aggregates all blocked requests by IP and reason, and an analytic rule to alert on IPs with unusually high blocks. This gives clients immediate insight into potential attacks filtered by the firewall, without forcing them to ingest every single request log. The overall result is a win-win: customers get comprehensive protection and insights at lower cost, and ISVs can differentiate their solutions by delivering efficient analytics rather than raw data. Listed next are some of the most important benefits of including summary rules in your Microsoft Sentinel solutions -
22-
23-
- **Cost-Efficiency for Customers:** One of the strongest motivators is that summary rules help your solution’s users (the customers) manage costs. If your product generates a lot of log data (for example, a security appliance that logs every network flow or an application that audits user actions), a Microsoft Sentinel solution that naively ingests all that data into the Analytics tier could become expensive for the customer. By providing summary rules as part of the solution, you offer a method to ingest the product’s logs in a cost-efficient tier and only promote the useful insights. This shows that as an ISV, you're mindful of cloud costs and are delivering a solution that is optimized for the Microsoft Sentinel data tiering model. In competitive terms, a cost-effective solution is more attractive for clients. Microsoft’s guidance indicates analytics costs can be dramatically reduced (often by orders of magnitude) using a strategy of Basic/Auxiliary logs + summary rules. By baking this strategy into your offering, you help clients "do more with less" – they get security value from your product’s data without an exorbitant SIEM bill. This not only benefits customers directly but can also remove barriers in product adoption (since cost concerns are mitigated).
24-
- **Improved Data Management and Retention:** Solutions that incorporate summary rules encourage a best-practice data management approach. Rather than dumping all data blindly, they enable a tiered logging strategy: less critical data to cheaper storage, critical insights to Analytics. For example, an ISV building a Microsoft Sentinel solution for an IoT security system might guide the user to ingest verbose sensor logs into Auxiliary and use a summary rule to pull anomaly counts daily into an Analytics table. This structured approach ensures the customer’s Microsoft Sentinel workspace stays organized and lean. It also inherently provides a long-term record of key information – your solution can advertise that it keeps important security metrics for extended periods (beyond standard retention), because the summaries are small and cheap to retain. This is a value-add for users who care about compliance or historical analysis, and it reflects well on the ISV as providing a comprehensive solution lifecycle (immediate detection plus historical insight). Essentially, summary rules in your solution help manage the firehose of data, taming it into something actionable and keeping the data around in a usable form for as long as needed.
25-
- **Enhanced Analytics & Detection Capabilities:** By using summary rules, ISVs can deliver more advanced detection logic out-of-the-box. Many modern threats require analyzing patterns over time or correlating across large datasets – exactly what summary rules excel at. If you include summary rules in the solution, you can implement detections that would be otherwise impractical. For instance, instead of simple threshold alerts, your solution could detect trends like "a 200% increase in data exports by an account compared to its 30-day baseline" or "a sudden appearance of 10 new administrative roles in one day" by using summary data. This provides richer security analytics that differentiate your solution. It helps the customer find subtle issues (for example, low-and-slow attacks, creeping changes) that single-event rules might miss. Including ready-made summary rules for such scenarios demonstrates that your content isn’t just doing the bare minimum, but is using Microsoft Sentinel’s full power for depth of detection. Additionally, summary rules can facilitate multi-step detection workflows: For example, one summary rule aggregates unusual events and a second analytic rule triggers on that summary. As an ISV, showing these layered analytical approaches in your solution can highlight your expertise and the thoroughness of your security logic.
26-
- **Better Performance and User Experience:** Solutions that utilize summary rules will often yield faster performance when the customer is querying data or investigating incidents. If a customer installs your solution and it includes some custom tables populated by summary rules (instead of forcing them to run heavy queries on raw data), they notice that the provided workbooks and queries in the solution run quicker and feel more responsive. For example, a workbook that shows a 6-month trend of events can pull from a summary table of daily counts, returning the visualization in a second, whereas a workbook trying to count raw events over six months might time out or take minutes. By designing solution content that uses preaggregated data, you create a smoother user experience and prove the solution’s scalability. Moreover, this approach reduces the load on the customer’s Microsoft Sentinel workspace – fewer gigantic queries means lower risk of hitting query limits or impacting other operations. In summary, summary rules help your solution to scale well for the user, maintaining performance even as their data grows.
27-
- **Holistic Security Coverage (“No Data Left Behind”):** Including summary rules helps ensure that your solution can derive value from all of the data generated by your product, not just the obvious parts. Often an ISV’s product might produce logs that aren't purely security events but can still contain useful signals (think of application logs, or debug logs). A summary rule allows you to incorporate those into the security monitoring story by extracting relevant info. This means when a customer deploys your solution, they benefit from a more complete security visibility regarding your product. They won’t have to decide between ingesting tons of data for minimal gain or ignoring that data completely – your solution will handle it smartly. Microsoft’s ethos with Microsoft Sentinel + Summary Rules is indeed to not have to throw away any data permanently, but to store it appropriately and examine it intelligently. Your solution, by following this principle, ensures the customer isn’t blind to certain activity just because of volume or cost. This can improve security outcomes and also customer satisfaction with your product’s integration.
28-
29-
## Best Practices for Using Summary Rules in Solutions
19+
## Best practices for using summary rules in solutions
3020

3121
To ensure both the ISV and the end-user get the most out of summary rules, here are a few best practices (largely derived from Microsoft’s guidance and early user experiences):
3222
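Review bot: Dropping the whole "Importance of summary rules" section (old lines 19-28) leaves the article jumping from the one-sentence intro at line 17 straight into "Best practices" without ever stating the data-tiering pattern those best practices assume: raw product logs are ingested into a cheaper Basic/Auxiliary-tier table, a scheduled summary rule promotes only the aggregates (the deleted text's example was blocked requests counted by IP and reason) into an Analytics-tier table, and a separate analytic rule then alerts on that summary table. That two-step rule chain was the only concrete technical illustration in the removed text, so the deletion takes out the explanation along with the marketing. Consider keeping one or two sentences of that mechanism, without the "win-win" and "do more with less" wording, either in the intro or as the first sentence under the new "Best practices for using summary rules in solutions" heading, so readers know what the best practices are optimizing for. The heading change to sentence case itself looks right and matches the surrounding headings.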
