Merge branch 'asc-for-iot-master' of https://github.com/mlottner/azure-docs-pr into asc-for-iot-master

Author: mlottner

articles/asc-for-iot/architecture.md

@@ -35,7 +35,7 @@ Azure Security Center for IoT is composed of the following components:
 Azure Security Center for IoT works in one of two feature workflows: Built-in and Enhanced  
 
 ### Built-in
-In **Built-in** mode, Azure Security Center for IoT is enabled when you elect to turn on the **Security** option in your IoT Hub. Offering real-time monitoring, recommendations and alerts, Built-in mode offers singe-step device visibility and unmatched security. Built-in mode does not require agent installation on any devices and uses advanced analytics on logged activities to analyze and protect your device field. 
+In **Built-in** mode, Azure Security Center for IoT is enabled when you elect to turn on the **Security** option in your IoT Hub. Offering real-time monitoring, recommendations and alerts, Built-in mode offers singe-step device visibility and unmatched security. Build-in mode does not require agent installation on any devices and uses advanced analytics on logged activities to analyze and protect your field device. 
 
 ### Enhanced 
 In **Enhanced** mode, after turning on the **Security** option in your IoT Hub and installing Azure Security Center for IoT device agents on your devices, the agents collect, aggregate and analyze raw security events from your devices. Raw security events can include IP connections, process creation, user logins, and other security-relevant information. Azure Security Center for IoT device agents also handle event aggregation to help avoid high network throughput. The agents are highly customizable, allowing you to use them for specific tasks, such as sending only important information at the fastest SLA, or for aggregating extensive security information and context into larger segments, avoiding higher service costs.
@@ -62,4 +62,3 @@ In this article, you learned about the basic architecture and workflow of Azure
 - [Enable security in IoT Hub](quickstart-onboard-iot-hub.md)
 - [Azure Security Center for IoT FAQ](resources-frequently-asked-questions.md)
 - [Azure Security Center for IoT security alerts](concept-security-alerts.md)
-

articles/asc-for-iot/event-aggregation.md

@@ -33,11 +33,11 @@ Aggregation is currently available for the following types of events:
 * ProcessTerminate (Windows only)
 
 ## How does event aggregation work?
-When event aggregation is left **On**, Azure Security Center for IoT agents aggregates events for the interval period or time window.
+When event aggregation is left **On**, Azure Security Center for IoT agents aggregate events for the interval period or time window.
 Once the interval period has passed, the agent sends the aggregated events to the Azure cloud for further analysis.
-Each security agent stores the events in the agent memory for the time period before sending them to the Azure cloud.
+The aggregated events are stored in memory until being sent to the Azure cloud.
 
-To reduce the memory load on the agent memory, whenever the agent collects an identical event to one that is already being kept in memory, the agent increases the hit count of this specific event. When the time window passes, the agent sends the hit count of each specific type of event that occurred. Event aggregation is simply the aggregation of the hit counts of each collected type of event.
+To reduce the memory footprint of the agent, whenever the agent collects an identical event to one that is already being kept in memory, the agent increases the hit count of this specific event. When the aggregation time window passes, the agent sends the hit count of each specific type of event that occurred. Event aggregation is simply the aggregation of the hit counts of each collected type of event.
 
 Events are considered identical only when the following conditions are met: 
 
@@ -92,4 +92,4 @@ To continue getting started with Azure Security Center for IoT deployment, use t
 - Select and deploy a [security agent](how-to-deploy-agent.md)
 - Review Azure Security Center for IoT [service prerequisites](service-prerequisites.md)
 - Learn how to [Enable Azure Security Center for IoT service in your IoT Hub](quickstart-onboard-iot-hub.md)
-- Learn more about the service from the [Azure Security Center for IoT FAQ](resources-frequently-asked-questions.md)
+- Learn more about the service from the [Azure Security Center for IoT FAQ](resources-frequently-asked-questions.md)

articles/asc-for-iot/getting-started.md

@@ -20,14 +20,14 @@ ms.author: mlottner
 ---
 # Get started with Azure Security Center for IoT
 
-This article provides an explanation of the different building blocks of the Azure Security Center for IoT service and explains how to get started with the service using either deployment option.  
+This article provides an explanation of the different building blocks of the Azure Security Center for IoT service and explains how to get started with the service using two possible deployment options.  
 
 ## Deployment options
 
 Choose the service scenario that best meets your IoT device and environment requirements. 
 
 ### Built-in deployment
-Using the seamless, built-in deployment option, Azure Security Center for IoT can be quickly integrated into your IoT Hub and provide security analysis of IoT hub configuration, device identity and management, and hub-device communication patterns.
+Using the seamless, built-in deployment option, Azure Security Center for IoT can be quickly integrated into your IoT Hub and provide security analysis of the IoT hub configuration, device identity and management, and hub-device communication patterns.
 
 * Start a [Built-in deployment](iot-hub-integration.md) featuring IoT Hub monitoring and recommendations. 
     <br>

articles/asc-for-iot/how-to-deploy-edge.md

@@ -40,7 +40,7 @@ Use the following steps to deploy an Azure Security Center for IoT security modu
 
 - In your IoT Hub, make sure your device is [registered as an IoT Edge device](https://docs.microsoft.com/azure/iot-edge/how-to-register-device-portal).
 
-- Azure Security Center for IoT Edge module requires [AuditD framework](https://linux.die.net/man/8/auditd) is installed on the IoT Edge device.
+- Azure Security Center for IoT Edge module requires the [AuditD framework](https://linux.die.net/man/8/auditd) be  installed on the IoT Edge device.
 
     - Install the framework by running the following command on your IoT Edge device:
 
@@ -54,7 +54,7 @@ Use the following steps to deploy an Azure Security Center for IoT security modu
 
 ### Deployment using Azure portal
 
-1. From Azure portal, open **Marketplace**.
+1. From the Azure portal, open **Marketplace**.
 
 1. Select **Internet of Things**, then search for **Azure Security Center for IoT** and select it.
 
@@ -105,9 +105,6 @@ There are three steps to create an IoT Edge deployment for Azure Security Center
 1. Click **Save**.
 1. Scroll to the bottom of the tab and select **Configure advanced Edge Runtime settings**.
 
-   >[!Note]
-   > Do **not** disable AMQP communication for the IoT Edge Hub.
-   > Azure Security Center for IoT module requires AMQP communication with the IoT Edge Hub.
 
 1. Change the **Image** under **Edge Hub** to **mcr.microsoft.com/ascforiot/edgehub:1.0.9-preview**.
 
@@ -136,14 +133,14 @@ There are three steps to create an IoT Edge deployment for Azure Security Center
 #### Step 2: Specify Routes 
 
 1. In the **Specify Routes** tab, make sure you have a route (explicit or implicit) that will forward messages from the **azureiotsecurity** module to **$upstream**, then click Next.
-    ```c#
-    // Default implicit route
+
+    ~~~Default implicit route
     "route": "FROM /messages/* INTO $upstream 
-    ```
-    ```c#
-    // Explicit route
+    ~~~
+
+    ~~~Explicit route
     "ASCForIoTRoute": "FROM /messages/modules/azureiotsecurity/* INTO $upstream
-    ```
+    ~~~
 
 #### Step 3: Review Deployment
 
@@ -175,7 +172,7 @@ If you encounter an issue, container logs are the best way to learn about the st
 
    `sudo docker logs azureiotsecurity`
 
-1. For more verbose logs, add the following environment variable to **azureiotsecurity** module deployment: `logLevel=Debug`.
+1. For more verbose logs, add the following environment variable to the **azureiotsecurity** module deployment: `logLevel=Debug`.
 
 ## Next steps
 

articles/asc-for-iot/how-to-investigate-device.md

@@ -21,7 +21,7 @@ ms.author: mlottner
 
 # Investigate a suspicious IoT device
 
-Azure Security Center for IoT service alerts and evidence provide clear indications when IoT devices are suspected of involvement in suspicious activities or when indications exist that a device is compromised. 
+Azure Security Center for IoT service alerts provide clear indications when IoT devices are suspected of involvement in suspicious activities or when indications exist that a device is compromised. 
 
 In this guide, use the investigation suggestions provided to help determine the potential risks to your organization, decide how to remediate, and discover the best ways to prevent similar attacks in the future.  
 
@@ -34,7 +34,7 @@ In this guide, use the investigation suggestions provided to help determine the
 
 By default, Azure Security Center for IoT stores your security alerts and recommendations in your Log Analytics workspace. You can also choose to store your raw security data.
 
-To locate the your Log Analytics workspace for data storage:
+To locate your Log Analytics workspace for data storage:
 
 1. Open your IoT hub, 
 1. Under **Security**, click **Overview**, and then select **Settings**.
@@ -49,9 +49,9 @@ Following configuration, do the following to access data stored in your Log Anal
 
 ## Investigation steps for suspicious IoT devices
 
-To access insights and raw data about your IoT devices, go to your Log Analytics workspace [to access your data](#how-can-i-access-my-data).
+To view insights and raw data about your IoT devices, go to your Log Analytics workspace [to access your data](#how-can-i-access-my-data).
 
-Check and investigate the device data for the following details and activities using the following kql queries.
+See the sample kql queries below to get started with investigating alerts and activities on your device.
 
 ### Related alerts
 
@@ -84,7 +84,7 @@ To find out which users have access to this device use the following kql query:
   ~~~
 Use this data to discover: 
   1. Which users have access to the device?
-  2. Do the users with access have the permission levels as expected? 
+  2. Do the users with access have the expected permission levels? 
 
 ### Open ports
 
@@ -108,14 +108,14 @@ To find out which ports in the device are currently in use or were used, use the
   | summarize MinObservedTime=min(TimestampLocal), MaxObservedTime=max(TimestampLocal), AllowedRemoteIPAddress=makeset(RemoteAddress), AllowedRemotePort=makeset(RemotePort) by Protocol, LocalPort
   ~~~
 
-    Use this data to discover:
+Use this data to discover:
   1. Which listening sockets are currently active on the device?
   2. Should the listening sockets that are currently active be allowed?
   3. Are there any suspicious remote addresses connected to the device?
 
 ### User logins
 
-To find out users that logged into the device use the following kql query: 
+To find users that logged into the device use the following kql query: 
 
   ~~~
   let device = "YOUR_DEVICE_ID";
@@ -139,7 +139,7 @@ To find out users that logged into the device use the following kql query:
   | summarize CntLoginAttempts=count(), MinObservedTime=min(TimestampLocal), MaxObservedTime=max(TimestampLocal), CntIPAddress=dcount(RemoteAddress), IPAddress=makeset(RemoteAddress) by UserName, Result, LoginHandler
   ~~~
 
-    Use the query results to discover:
+Use the query results to discover:
   1. Which users logged in to the device?
   2. Are the users that logged in, supposed to log in?
   3. Did the users that logged in connect from expected or unexpected IP addresses?
@@ -175,12 +175,12 @@ To find out if the process list is as expected, use the following kql query:
   | summarize CntExecutions=count(), MinObservedTime=min(TimestampLocal), MaxObservedTime=max(TimestampLocal), ExecutingUsers=makeset(UserIdName), ExecutionCommandLines=makeset(CommandLine) by Executable
   ~~~
 
-    Use the query results to discover:
+Use the query results to discover:
 
   1. Were there any suspicious processes running on the device?
   2. Were processes executed by appropriate users?
   3. Did any command line executions contain the correct and expected arguments?
 
 ## Next steps
 
-After investigating a device, and gaining a better understanding of your risks, you may want to consider [Configuring custom alerts](quickstart-create-custom-alerts.md) to improve your IoT solution security posture. If you don't already have a device agent, consider [Deploying a security agent](how-to-deploy-agent.md) or [changing the configuration of an existing device agent](how-to-agent-configuration.md) to improve your results. 
+After investigating a device, and gaining a better understanding of your risks, you may want to consider [Configuring custom alerts](quickstart-create-custom-alerts.md) to improve your IoT solution security posture. If you don't already have a device agent, consider [Deploying a security agent](how-to-deploy-agent.md) or [changing the configuration of an existing device agent](how-to-agent-configuration.md) to improve your results. 

articles/asc-for-iot/how-to-security-data-access.md

@@ -28,10 +28,10 @@ Azure Security Center for IoT stores security alerts, recommendations, and raw s
 To configure which Log Analytics workspace is used:
 
 1. Open your IoT hub.
-1. Click **Security**
+1. Click the **Overview** blade under the **Security** section
 2. Click **Settings**, and change your Log Analytics workspace configuration.
 
-To access your Log Analytics workspace after configuration:
+To access your alerts and recommendations in your Log Analytics workspace after configuration:
 
 1. Choose an alert or recommendation in Azure Security Center for IoT. 
 2. Click **further investigation**, then click **To see which devices have this alert click here and view the DeviceId column**.
@@ -71,10 +71,10 @@ SecurityAlert
 
 ### Device summary
 
-Select the number of distinct security alerts detected last week by IoT Hub, device, alert severity, alert type.
+Get the number of distinct security alerts detected in the last week, grouped by IoT Hub, device, alert severity, alert type.
 
 ```
-// Select number of distinct security alerts detected last week by 
+// Get the number of distinct security alerts detected in the last week, grouped by 
 //   IoT hub, device, alert severity, alert type
 //
 SecurityAlert
@@ -150,10 +150,10 @@ SecurityRecommendation
 
 ### Device summary
 
-Select the number of distinct active security recommendations by IoT Hub, device, recommendation severity, and type.
+Get the number of distinct active security recommendations, grouped by IoT Hub, device, recommendation severity, and type.
 
 ```
-// Select number of distinct active security recommendations by 
+// Get the number of distinct active security recommendations, grouped by by 
 //   IoT hub, device, recommendation severity and type
 //
 SecurityRecommendation
@@ -176,4 +176,4 @@ SecurityRecommendation
 - Read the Azure Security Center for IoT [Overview](overview.md)
 - Learn about Azure Security Center for IoT [Architecture](architecture.md)
 - Understand and explore [Azure Security Center for IoT alerts](concept-security-alerts.md)
-- Understand and explore [Azure Security Center for IoT recommendation](concept-recommendations.md)
+- Understand and explore [Azure Security Center for IoT recommendation](concept-recommendations.md)

articles/asc-for-iot/how-to-send-security-messages.md

@@ -21,7 +21,7 @@ ms.author: mlottner
 
 # Send security messages SDK
 
-This how-to guide explains Azure Security Center for IoT service capabilities when you choose to collect and send your device security messages without using an Azure Security Center for IoT agent, and explains how to do so.  
+This how-to guide explains the Azure Security Center for IoT service capabilities when you choose to collect and send your device security messages without using an Azure Security Center for IoT agent, and explains how to do so.  
 
 In this guide, you learn how to: 
 > [!div class="checklist"]
@@ -42,7 +42,7 @@ Azure Security Center for IoT defines a security message using the following cri
 Each security message includes the metadata of the sender such as `AgentId`, `AgentVersion`, `MessageSchemaVersion` and a list of security events.
 The schema defines the valid and required properties of the security message including the types of events.
 
-[!NOTE]
+>[!Note]
 > Messages sent that do not comply with the schema are ignored. Make sure to verify the schema before initiating sending data as ignored messages are not currently stored. 
 > Messages sent that were not set as a security message using the Azure IoT C/C# SDK will not be routed to the Azure Security Center for IoT pipeline
 
@@ -84,7 +84,7 @@ Once set as a security message and sent, this message will be processed by Azure
 
 Send security messages without using the Azure Security Center for IoT agent, by using the [Azure IoT C# device SDK](https://github.com/Azure/azure-iot-sdk-csharp/tree/preview) or [Azure IoT C device SDK](https://github.com/Azure/azure-iot-sdk-c/tree/public-preview).
 
-To send the device data from your devices for processing by Azure Security Center for IoT, use one of the following APIs to mark messages for correct routing to Azure Security Center for IoT processing pipeline. Messages sent this way will be processed and displayed as security insights within Azure Security Center for IoT within both IoT Hub or within Azure Security Center. 
+To send the device data from your devices for processing by Azure Security Center for IoT, use one of the following APIs to mark messages for correct routing to Azure Security Center for IoT processing pipeline. 
 
 All data that is sent, even if marked with the correct header, must also comply with the [Azure Security Center for IoT message schema](https://aka.ms/iot-security-schemas). 
 

articles/asc-for-iot/overview.md

@@ -32,11 +32,11 @@ Azure Security Center for IoT simplifies hybrid workload protection by deliverin
 
 ### Unified visibility and control
 
-Get a unified view of security across all of your on-premises and cloud workloads, including your Azure IoT solution. Automatically discover and onboard new devices and apply security policies across your workloads (Leaf devices, Edge devices, IOT Hub) to ensure compliance with security standards.
+Get a unified view of security across all of your on-premises and cloud workloads, including your Azure IoT solution. Automatically discover and onboard new devices and apply security policies across your workloads (Leaf devices, Edge devices, IoT Hub) to ensure compliance with security standards.
 
 ### Adaptive threat prevention
 
-Use Azure Security Center for IoT to continuously monitor the security of machines, networks, and Azure services, including your Azure IoT solution from edge devices to applications. You can choose to use from hundreds of built-in security assessments or create your own in the central Azure Security Center for IoT Hub dashboard. Optimize your security settings and improve your security score with actionable recommendations across virtual machines, networks, apps and data. With newly added IoT capabilities, you can now reduce attack surface for your Azure IoT solution and remediate issues before they can be exploited.
+Use Azure Security Center for IoT to continuously monitor the security of machines, networks, and Azure services, including your Azure IoT solution from edge devices to applications. You can choose from hundreds of built-in security assessments or create your own in the central Azure Security Center for IoT Hub dashboard. Optimize your security settings and improve your security score with actionable recommendations across virtual machines, networks, apps and data. With newly added IoT capabilities, you can now reduce the attack surface for your Azure IoT solution and remediate issues before they can be exploited.
 
 ### Intelligent threat detection and response