Merge pull request #288651 from cwatson-cat/10-17-24-mnt-hlth-df

Sentinel - Upd high traffic monitor topics for Defender portal (for main)

Author: v-shils

articles/sentinel/enable-monitoring.md

@@ -4,8 +4,8 @@ description: Monitor supported data connectors by using the SentinelHealth data
 author: batamig
 ms.author: bagol
 ms.topic: how-to
-ms.date: 08/01/2024
-
+ms.date: 10/17/2024
+appliesto: Microsoft Sentinel in the Azure portal and the Microsoft Defender portal
 
 #Customer intent: As a security engineer, I want to configure auditing and health monitoring for my Microsoft Sentinel resources so that I can ensure the integrity and health of our security infrastructure.
 
@@ -30,18 +30,24 @@ To implement the health and audit feature using API (Bicep/AZURE RESOURCE MANAGE
 
 ## Turn on auditing and health monitoring for your workspace
 
-1. In Microsoft Sentinel, under the **Configuration** menu on the left, select **Settings**.
+To get started, enable auditing and health monitoring from the Microsoft Sentinel settings.
 
-1. Select **Settings** from the banner.
+1. For Microsoft Sentinel in the [Azure portal](https://portal.azure.com), under **Configuration**, select **Settings** > **Settings**.<br> For Microsoft Sentinel in the [Defender portal](https://security.microsoft.com/), under **System**, select **Settings** > **Microsoft Sentinel**.
 
-1. Scroll down to the **Auditing and health monitoring** section and select it to expand.
+1. Select **Auditing and health monitoring**.
 
 1. Select **Enable** to enable auditing and health monitoring across all resource types and to send the auditing and monitoring data to your Microsoft Sentinel workspace (and nowhere else). 
 
     Or, select the **Configure diagnostic settings** link to enable health monitoring only for the data collector and/or automation resources, or to configure advanced options, like more places to send the data.
 
+    #### [Azure portal](#tab/azure-portal)
     :::image type="content" source="media/enable-monitoring/enable-health-monitoring.png" alt-text="Screenshot shows how to get to the health monitoring settings.":::
 
+    #### [Defender portal](#tab/defender-portal)
+    :::image type="content" source="media/enable-monitoring/enable-health-monitoring-defender.png" alt-text="Screenshot shows how to get to the health monitoring settings in the Defender portal.":::
+
+    ---
+
     If you selected **Enable**, then the button will gray out and change to read **Enabling...** and then **Enabled**. At that point, auditing and health monitoring is enabled, and you're done! The appropriate diagnostic settings were added behind the scenes, and you can view and edit them by selecting the **Configure diagnostic settings** link.
 
 1. If you selected **Configure diagnostic settings**, then in the **Diagnostic settings** screen, select **+ Add diagnostic setting**.
@@ -64,12 +70,23 @@ The *SentinelHealth* and *SentinelAudit* data tables are created at the first ev
 
 ## Verify that the tables are receiving data
 
-In the Microsoft Sentinel **Logs** page, run a query on the  *SentinelHealth* table. For example:
+Run Kusto Query Language (KQL) queries in the Azure portal or the Defender portal to make sure you're getting health and auditing data.
+
+1. For Microsoft Sentinel in the [Azure portal](https://portal.azure.com), under **General**, select **Logs**.<br> For Microsoft Sentinel in the [Defender portal](https://security.microsoft.com/), under **Investigation & response**, select **Hunting** > **Advanced hunting**.
+
+1. Run a query on the  *SentinelHealth* table. For example:
+
+   ```kusto
+   _SentinelHealth()
+    | take 20
+   ```
+
+1. Run a query on the  *SentinelAudit* table. For example:
 
-```kusto
-_SentinelHealth()
- | take 20
-```
+   ```kusto
+   _SentinelAudit()
+    | take 20
+   ```
 
 ## Supported data tables and resource types
 

articles/sentinel/media/enable-monitoring/enable-health-monitoring-defender.png

@@ -4,9 +4,9 @@ description: Use the SentinelHealth data table and the Health Monitoring workboo
 author: yelevin
 ms.author: yelevin
 ms.topic: how-to
-ms.date: 02/11/2024
+ms.date: 10/17/2024
 ms.service: microsoft-sentinel
-
+appliesto: Microsoft Sentinel in the Azure portal and the Microsoft Defender portal
 
 #Customer intent: As a security analyst, I want to monitor the health and performance of my data connectors so that I can ensure uninterrupted data ingestion and quickly address any issues.
 
@@ -30,13 +30,15 @@ The following features allow you to perform this monitoring from within Microsof
 
 ## Use the health monitoring workbook
 
-1. From the Microsoft Sentinel portal, select **Content hub** from the **Content management** section of the navigation menu.
+To get started, install the **Data collection health monitoring** workbook from the **Content hub** and view or create a copy of the template from the **Workbooks** section of Microsoft Sentinel.
+
+1. For Microsoft Sentinel in the [Azure portal](https://portal.azure.com), under **Content management**, select **Content hub**.<br> For Microsoft Sentinel in the [Defender portal](https://security.microsoft.com/), select **Microsoft Sentinel** > **Content management** > **Content hub**.
 
 1. In the **Content hub**, enter *health* in the search bar, and select **Data collection health monitoring** from among the results.
 
 1. Select **Install** from the details pane. When you see a notification message that the workbook is installed, or if instead of *Install*, you see *Configuration*, proceed to the next step.
 
-1. Select **Workbooks** from the **Threat management** section of the navigation menu.
+1. In Microsoft Sentinel, under **Threat management**, select **Workbooks**.
 
 1. In the **Workbooks** page, select the **Templates** tab, enter *health* in the search bar, and select **Data collection health monitoring** from among the results.