Commit 7542fe3

Added expectations regarding deployment time
To answer customer query here: https://github.com/MicrosoftDocs/azure-docs/issues/52775
1 parent 26c32e1 commit 7542fe3

1 file changed

+28
-31
lines changed

articles/security-center/security-center-enable-data-collection.md

@@ -1,61 +1,59 @@
11
---
22
title: Data Collection in Azure Security Center | Microsoft Docs
3-
description: This article describes how to install a Log Analytics Agent and set a Log Analytics workspace in which to store the collected data.
3+
description: This article describes how to install a Log Analytics agent and set a Log Analytics workspace in which to store the collected data.
44
services: security-center
55
author: memildin
66
manager: rkarlin
77

88
ms.service: security-center
99
ms.topic: conceptual
10-
ms.date: 09/10/2019
10+
ms.date: 04/27/2020
1111
ms.author: memildin
1212

1313
---
1414
# Data collection in Azure Security Center
15-
Security Center collects data from your Azure virtual machines (VMs), virtual machine scale sets, IaaS containers, and non-Azure (including on-premises) computers to monitor for security vulnerabilities and threats. Data is collected using the Log Analytics Agent, which reads various security-related configurations and event logs from the machine and copies the data to your workspace for analysis. Examples of such data are: operating system type and version, operating system logs (Windows event logs), running processes, machine name, IP addresses, and logged in user. The Log Analytics Agent also copies crash dump files to your workspace.
15+
Security Center collects data from your Azure virtual machines (VMs), virtual machine scale sets, IaaS containers, and non-Azure (including on-premises) computers to monitor for security vulnerabilities and threats. Data is collected using the Log Analytics agent, which reads various security-related configurations and event logs from the machine and copies the data to your workspace for analysis. Examples of such data are: operating system type and version, operating system logs (Windows event logs), running processes, machine name, IP addresses, and logged in user. The Log Analytics agent also copies crash dump files to your workspace.
1616

1717
Data collection is required to provide visibility into missing updates, misconfigured OS security settings, endpoint protection status, and health and threat protection.
1818

19-
This article describes how to install a Log Analytics Agent and set a Log Analytics workspace in which to store the collected data. Both operations are required to enable data collection.
19+
This article describes how to install a Log Analytics agent and set a Log Analytics workspace in which to store the collected data. Both operations are required to enable data collection.
2020

2121
> [!NOTE]
2222
> - Data collection is only needed for Compute resources (VMs, virtual machine scale sets, IaaS containers, and non-Azure computers). You can benefit from Azure Security Center even if you don’t provision agents; however, you will have limited security and the capabilities listed above are not supported.
2323
> - For the list of supported platforms, see [Supported platforms in Azure Security Center](security-center-os-coverage.md).
2424
> - Storing data in Log Analytics, whether you use a new or existing workspace, might incur additional charges for data storage. For more information, see the [pricing page](https://azure.microsoft.com/pricing/details/security-center/).
2525
26-
## Enable automatic provisioning of the Log Analytics Agent <a name="auto-provision-mma"></a>
26+
## Enable automatic provisioning of the Log Analytics agent <a name="auto-provision-mma"></a>
2727

28-
To collect the data from the machines, you should have the Log Analytics Agent installed. Installation of the agent can be done automatically (recommended) or you can install the agent manually.
28+
To collect the data from the machines, you should have the Log Analytics agent installed. Installation of the agent can be done automatically (recommended) or you can install the agent manually. By default, automatic provisioning is off.
2929

30-
>[!NOTE]
31-
> Automatic provisioning is off by default. To set Security Center to install automatic provisioning by default, set it to **On**.
32-
>
33-
34-
When automatic provisioning is On, Security Center provisions the Log Analytics Agent on all supported Azure VMs and any new ones that are created. Automatic provisioning is strongly recommended but manual agent installation is also available. [Learn how to install the Log Analytics Agent extension](#manual-agent).
30+
When automatic provisioning is on, Security Center deploys the Log Analytics agent on all supported Azure VMs and any new ones that are created. Automatic provisioning is recommended but you can install the agent manually if necessary (see [Manual installation of the Log Analytics agent](#manual-agent)).
3531

3632

37-
38-
To enable automatic provisioning of the Log Analytics Agent:
39-
1. Under the Security Center main menu, select **Pricing & settings**.
40-
2. Click on the applicable subscription
33+
To enable automatic provisioning of the Log Analytics agent:
34+
1. From Security Center's menu in the portal, select **Pricing & settings**.
35+
2. Select the relevant subscription.
4136

4237
![Select subscription][7]
4338

4439
3. Select **Data Collection**.
4540
4. Under **Auto Provisioning**, select **On** to enable automatic provisioning.
46-
5. Select **Save**.
41+
5. Select **Save**. The agent will be deployed on all VMs within 15 minutes.
42+
43+
>[!TIP]
44+
> If a workspace needs to be provisioned, agent installation might take up to 25 minutes.
4745
4846
![Enable automatic provisioning][1]
4947

5048
>[!NOTE]
5149
> - For instructions on how to provision a pre-existing installation, see [Automatic provisioning in cases of a preexisting agent installation](#preexisting).
52-
> - For instructions on manual provisioning, see [Install the Log Analytics Agent extension manually](#manual-agent).
50+
> - For instructions on manual provisioning, see [Install the Log Analytics agent extension manually](#manual-agent).
5351
> - For instructions on turning off automatic provisioning, see [Turn off automatic provisioning](#offprovisioning).
5452
> - For instructions on how to onboard Security Center using PowerShell, see [Automate onboarding of Azure Security Center using PowerShell](security-center-powershell-onboarding.md).
5553
>
5654
5755
## Workspace configuration
58-
Data collected by Security Center is stored in Log Analytics workspace(s). You can select to have data collected from Azure VMs stored in workspaces created by Security Center or in an existing workspace you created.
56+
Data collected by Security Center is stored in Log Analytics workspace(s). Your data can be collected from Azure VMs stored in workspaces created by Security Center or in an existing workspace you created.
5957

6058
Workspace configuration is set per subscription, and many subscriptions may use the same workspace.
6159

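Review bot: New step 5 (line 41) promises the agent "on all VMs within 15 minutes", but line 30 of the same file scopes automatic provisioning to "all supported Azure VMs and any new ones that are created". Suggest "all supported VMs" in step 5, and state whether the 15-minute figure also applies to VMs created later, since readers will treat it as the window in which a machine is not yet monitored. Separately, the reworded line 56 ("Your data can be collected from Azure VMs stored in workspaces ...") now reads as if the VMs are stored in the workspace; the removed wording, where the data is what gets stored, was clearer.
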
@@ -108,7 +106,7 @@ To select an existing Log Analytics workspace:
108106
3. Select **Save**.
109107
4. After selecting **Save**, you will be asked if you would like to reconfigure monitored VMs that were previously connected to a default workspace.
110108

111-
- Select **No** if you want the new workspace settings to apply on new VMs only. The new workspace settings only apply to new agent installations; newly discovered VMs that do not have the Log Analytics Agent installed.
109+
- Select **No** if you want the new workspace settings to apply on new VMs only. The new workspace settings only apply to new agent installations; newly discovered VMs that do not have the Log Analytics agent installed.
112110
- Select **Yes** if you want the new workspace settings to apply on all VMs. In addition, every VM connected to a Security Center created workspace is reconnected to the new target workspace.
113111

114112
> [!NOTE]
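
Review bot: Line 109 is touched only for the casing change, but its second sentence still joins "new agent installations" and "newly discovered VMs that do not have the Log Analytics agent installed" with a semicolon, leaving the second phrase as a fragment. While editing the line, consider a colon or "that is," so it is clear the second phrase defines what a new installation means here.
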
@@ -120,7 +118,7 @@ To select an existing Log Analytics workspace:
120118

121119
![Select existing workspace][3]
122120

123-
5. Select the pricing tier for the desired workspace you intend to set the Log Analytics Agent. <br>To use an existing workspace, set the pricing tier for the workspace. This will install a security Center solution on the workspace if one is not already present.
121+
5. Select the pricing tier for the desired workspace you intend to set the Log Analytics agent. <br>To use an existing workspace, set the pricing tier for the workspace. This will install a security Center solution on the workspace if one is not already present.
124122

125123
a. In the Security Center main menu, select **Pricing & settings**.
126124

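Review bot: Line 121 lowercases "agent" but leaves "security Center solution" in the same step, which conflicts with the casing cleanup this commit is making. Suggest "Security Center solution", and rewording "the desired workspace you intend to set the Log Analytics agent" (for example "the workspace the Log Analytics agent will report to"), since the phrase is missing its preposition.
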
@@ -192,19 +190,18 @@ To choose your filtering policy:
192190

193191
The following use cases specify how automatic provision works in cases when there is already an agent or extension installed.
194192

195-
- Log Analytics Agent is installed on the machine, but not as an extension (Direct agent)<br>
196-
If the Log Analytics Agent is installed directly on the VM (not as an Azure extension), Security Center will install the Log Analytics Agent extension, and may upgrade the Log Analytics Agent to the latest version.
193+
- Log Analytics agent is installed on the machine, but not as an extension (Direct agent)<br>
194+
If the Log Analytics agent is installed directly on the VM (not as an Azure extension), Security Center will install the Log Analytics agent extension, and may upgrade the Log Analytics agent to the latest version.
197195
The agent installed will continue to report to its already configured workspace(s), and additionally will report to the workspace configured in Security Center (Multi-homing is supported on Windows machines).
198196
If the configured workspace is a user workspace (not Security Center's default workspace), then you will need to install the "security/"securityFree" solution on it for Security Center to start processing events from VMs and computers reporting to that workspace.<br>
199197
<br>
200198
For Linux machines, Agent multi-homing is not yet supported - hence, if an existing agent installation is detected, automatic provisioning will not occur and the machine's configuration will not be altered.
201199
<br>
202-
For existing machines on subscriptions onboarded to Security Center before 2019-03-17, when an existing agent will be detected, the Log Analytics Agent extension will not be installed and the machine will not be affected. For these machines, see to the "Resolve monitoring agent health issues on your machines" recommendation to resolve the agent installation issues on these machines.
200+
For existing machines on subscriptions onboarded to Security Center before 2019-03-17, when an existing agent will be detected, the Log Analytics agent extension will not be installed and the machine will not be affected. For these machines, see to the "Resolve monitoring agent health issues on your machines" recommendation to resolve the agent installation issues on these machines.
203201

204202

205203
- System Center Operations Manager agent is installed on the machine<br>
206-
Security center will install the Log Analytics Agent extension side-by-side to the existing Operations Manager. The existing Operations Manager agent will continue to report to the Operations Manager server normally. Note that the Operations Manager agent and Log Analytics Agent share common run-time libraries, which will be updated to the latest version during this process.
207-
Note - If Operations Manager agent version 2012 is installed, **do not** turn automatic provisioning On.<br>
204+
Security center will install the Log Analytics agent extension side by side to the existing Operations Manager. The existing Operations Manager agent will continue to report to the Operations Manager server normally. The Operations Manager agent and Log Analytics agent share common run-time libraries, which will be updated to the latest version during this process. If Operations Manager agent version 2012 is installed, **do not** enable automatic provisioning.<br>
208205

209206
- A pre-existing VM extension is present<br>
210207
- When the Monitoring Agent is installed as an extension, the extension configuration allows reporting to only a single workspace. Security Center does not override existing connections to user workspaces. Security Center will store security data from the VM in the workspace already connected, provided that the "security" or "securityFree" solution has been installed on it. Security Center may upgrade the extension version to the latest version in this process.
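
Review bot: Folding the old "Note - If Operations Manager agent version 2012 is installed, **do not** turn automatic provisioning On" line into the end of the paragraph on line 204 makes the one hard prohibition in this list easy to miss. Suggest keeping it on its own line or in a [!NOTE] callout like the ones used elsewhere in the file. Also on touched lines: line 204 still begins "Security center" with a lowercase c, and line 200 keeps "see to the" and "when an existing agent will be detected".
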
@@ -217,7 +214,7 @@ You can turn off automatic provisioning from resources at any time by turning of
217214

218215
1. Return to the Security Center main menu and select the Security policy.
219216
2. Click **Edit settings** in the row of the subscription for which you want to disable automatic provisioning.
220-
3. On the **Security policy – Data Collection** blade, under **Auto provisioning** select **Off**.
217+
3. On the **Security policy – Data Collection** page, under **Auto provisioning** select **Off**.
221218
4. Select **Save**.
222219

223220
![Disable auto provisioning][6]
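
Review bot: Step 3 on line 217 changes "blade" to "page" but keeps the name "Security policy – Data Collection", and the unchanged steps above it still reach it through "the Security policy" and "Click **Edit settings**", while the enable procedure rewritten in this commit goes through **Pricing & settings** and uses "Select". Please confirm that the disable path and page name still match the portal, and align the verbs across both procedures.
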
@@ -229,18 +226,18 @@ If you switch off auto provision after it was previously on:
229226
- Security Center stops collecting data from the default workspace.
230227

231228
> [!NOTE]
232-
> Disabling automatic provisioning does not remove the Log Analytics Agent from Azure VMs where the agent was provisioned. For information on removing the OMS extension, see [How do I remove OMS extensions installed by Security Center](faq-data-collection-agents.md#remove-oms).
229+
> Disabling automatic provisioning does not remove the Log Analytics agent from Azure VMs where the agent was provisioned. For information on removing the OMS extension, see [How do I remove OMS extensions installed by Security Center](faq-data-collection-agents.md#remove-oms).
233230
>
234231
235232
## Manual agent provisioning <a name="manual-agent"></a>
236233

237-
There are several ways to install the Log Analytics Agent manually. When installing manually, make sure you disable auto provisioning.
234+
There are several ways to install the Log Analytics agent manually. When installing manually, make sure you disable auto provisioning.
238235

239236
### Operations Management Suite VM extension deployment
240237

241-
You can manually install the Log Analytics Agent, so Security Center can collect security data from your VMs and provide recommendations and alerts.
238+
You can manually install the Log Analytics agent, so Security Center can collect security data from your VMs and provide recommendations and alerts.
242239
1. Select Auto provision – OFF.
243-
2. Create a workspace and set the pricing tier for the workspace you intend to set the Log Analytics Agent:
240+
2. Create a workspace and set the pricing tier for the workspace you intend to set the Log Analytics agent:
244241

245242
a. In the Security Center main menu, select **Security policy**.
246243

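Review bot: Lines 229 to 240 now use "Log Analytics agent" throughout, but the same passage still refers to the "OMS extension", keeps an "Operations Management Suite VM extension deployment" heading, and spells the setting three ways ("automatic provisioning", "auto provisioning", "Auto provision – OFF"). Suggest one name for the setting, and either one name for the extension or a short parenthetical stating how the OMS extension relates to the Log Analytics agent extension, so a reader who disables provisioning and then goes to remove the agent can tell which component the note means. Line 240 also repeats the "workspace you intend to set the Log Analytics agent" wording.
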
@@ -310,7 +307,7 @@ You can manually install the Log Analytics Agent, so Security Center can collect
310307

311308

312309
## Next steps
313-
This article showed you how data collection and automatic provisioning in Security Center works. To learn more about Security Center, see the following:
310+
This article showed you how data collection and automatic provisioning in Security Center works. To learn more about Security Center, see the following pages:
314311

315312
* [Azure Security Center FAQ](faq-general.md)--Find frequently asked questions about using the service.
316313
* [Security health monitoring in Azure Security Center](security-center-monitoring.md)--Learn how to monitor the health of your Azure resources.
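
Review bot: Line 310 is edited to add "pages", but the sentence before it still reads "how data collection and automatic provisioning in Security Center works"; with a compound subject the verb should be "work". Worth fixing in the same change.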
