MicrosoftDocs
diff --git a/‎.openpublishing.redirection.json
Lines changed: 5 additions & 0 deletions b/‎.openpublishing.redirection.json
Lines changed: 5 additions & 0 deletions
diff --git a/‎articles/sentinel/TOC.yml
Lines changed: 4 additions & 7 deletions b/‎articles/sentinel/TOC.yml
Lines changed: 4 additions & 7 deletions
diff --git a/‎articles/sentinel/media/qs-get-visibility/overview.png
85.4 KB b/‎articles/sentinel/media/qs-get-visibility/overview.png
85.4 KB
diff --git a/‎articles/sentinel/media/tutorial-detect-threats-custom/review-tab.png
-1.18 KB b/‎articles/sentinel/media/tutorial-detect-threats-custom/review-tab.png
-1.18 KB
diff --git a/‎articles/sentinel/multiple-tenants-service-providers.md
Lines changed: 1 addition & 1 deletion b/‎articles/sentinel/multiple-tenants-service-providers.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/sentinel/offboard.md
Lines changed: 7 additions & 9 deletions b/‎articles/sentinel/offboard.md
Lines changed: 7 additions & 9 deletions
diff --git a/‎articles/sentinel/quickstart-get-visibility.md
Lines changed: 23 additions & 28 deletions b/‎articles/sentinel/quickstart-get-visibility.md
Lines changed: 23 additions & 28 deletions
diff --git a/‎articles/sentinel/quickstart-onboard.md
Lines changed: 1 addition & 1 deletion b/‎articles/sentinel/quickstart-onboard.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/sentinel/tutorial-detect-threats-built-in.md
Lines changed: 3 additions & 5 deletions b/‎articles/sentinel/tutorial-detect-threats-built-in.md
Lines changed: 3 additions & 5 deletions
@@ -26034,6 +26034,11 @@
       "redirect_url": "/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-autoscale-powershell",
       "redirect_document_id": false
     },
+    {
+      "source_path": "articles/sentinel/tutorial-detect-threats.md",
+      "redirect_url": "/azure/sentinel/tutorial-detect-threats-built-in",
+      "redirect_document_id": false
+    },
     {
       "source_path": "articles/sentinel/user-analytics.md",
       "redirect_url": "/azure/sentinel/overview",
 
@@ -11,13 +11,10 @@
     href: quickstart-get-visibility.md
 - name: Tutorials
   items:
-  - name: Detect suspicious threats
-    href: tutorial-detect-threats.md
-    items:
-    - name: Use built-in analytics
-      href: tutorial-detect-threats-built-in.md
-    - name: Use custom rules
-      href: tutorial-detect-threats-custom.md  
+  - name: Use built-in analytics to detect threats
+    href: tutorial-detect-threats-built-in.md
+  - name: Create custom rules to detect threats
+    href: tutorial-detect-threats-custom.md  
   - name: Monitor your data
     href: tutorial-monitor-your-data.md
   - name: Investigate incidents
 
@@ -33,7 +33,7 @@ If you’re a managed security service provider (MSSP) and you’re using [Azure
 1. Open Azure Sentinel. You will see all the workspaces in the selected subscriptions, and you’ll be able to work with them seamlessly, like any workspace in your own tenant.
 
 > [!NOTE]
-> You will not be able to connect connectors in Azure Sentinel from within a managed workspace. To connect a connector, you must directly sign into the tenant on which you want to connect a connector and authenticate there with the required permissions.
+> You will not be able to deploy connectors in Azure Sentinel from within a managed workspace. To deploy a connector, you must directly sign into the tenant on which you want to deploy a connector and authenticate there with the required permissions.
 
 
 
 
@@ -23,9 +23,9 @@ If you no longer want to use the Azure Sentinel, this article explains how to re
 
 ## How to delete Azure Sentinel
 
-In the background, when you install Azure Sentinel, the **SecurityInsights** solution is installed on your selected workspace. So the first thing you need to do is remove the solution. In the Azure portal, you need to delete the SecurityInsights solution.
+In the background, when you install Azure Sentinel, the **SecurityInsights** solution is installed on your selected workspace. So the first thing you need to do is remove the **SecurityInsights** solution.
 
-1.  Go to **Workspace settings** and then **Solutions**.
+1.  Go to **Azure Sentinel**, followed by **Configuration**, followed by **Workspace settings**, and then **Solutions**.
 
 2.  Select `SecurityInsights` and click on it.
 
@@ -34,7 +34,7 @@ In the background, when you install Azure Sentinel, the **SecurityInsights** sol
 3.  At the top of the page select **Delete**.
 
     > [!IMPORTANT]
-    > If you delete the workspace, the removal process is also triggered.
+    > If you delete the workspace, the the workspace and Azure Sentinel are removed from your tenant in Azure Monitor.
 
     ![Delete the SecurityInsights solution](media/offboard/delete-solution.png)
 
@@ -45,19 +45,17 @@ When you delete the solution, Azure Sentinel takes up to 48 hours to complete th
 After the disconnection is identified, the offboarding process begins.
 
 **The configuration of these connectors is deleted:**
--   Office activity
+-   Office 365
 
--   AWS cloud trail
+-   AWS
 
 -   Microsoft services security alerts (Azure ATP, Microsoft Cloud App Security including Cloud Discovery Shadow IT reporting, Azure AD Identity Protection, Microsoft Defender ATP, Azure Security Center)
 
--   Threat Intelligence indicator
-
--   CloudTrail
+-   Threat Intelligence
 
 -   Common security logs (including CEF-based logs, Barracuda, and Syslog) (If you have Azure Security Center, these logs will continue to be collected.)
 
--   Windows security events (If you have Azure Security Center, these logs will continue to be collected.)
+-   Windows Security Events (If you have Azure Security Center, these logs will continue to be collected.)
 
 Within the first 48 hours, the data and alert rules (including real-time automation configuration) will no longer be accessible or queryable in Azure Sentinel.
 
 
@@ -7,7 +7,6 @@ author: rkarlin
 manager: rkarlin
 editor: ''
 
-ms.assetid: 5a4ae93c-d648-41fb-8fb8-96a025d2f73e
 ms.service: azure-sentinel
 ms.subservice: azure-sentinel
 ms.devlang: na
@@ -26,7 +25,7 @@ ms.author: rkarlin
 
 
 
-In this quickstart, you will learn how to quickly be able to view and monitor what's happening across your environment using Azure Sentinel. After you connected your data sources to Azure Sentinel, you get instant visualization and analysis of data so that you can know what's happening across all your connected data sources. Azure Sentinel gives you dashboards that provide you with the full power of tools already available in Azure as well as tables and charts that are built in to provide you with analytics for your logs and queries. You can either use built-in dashboards or create a new dashboard easily, from scratch or based on an existing dashboard. 
+In this quickstart, you will learn how to quickly be able to view and monitor what's happening across your environment using Azure Sentinel. After you connected your data sources to Azure Sentinel, you get instant visualization and analysis of data so that you can know what's happening across all your connected data sources. Azure Sentinel gives you workbooks that provide you with the full power of tools already available in Azure as well as tables and charts that are built in to provide you with analytics for your logs and queries. You can either use built-in dashboards or create a new dashboard easily, from scratch or based on an existing dashboard. 
 
 ## Get visualization
 
@@ -55,43 +54,43 @@ The main body of the overview page gives insight at a glance into the security s
 
    ![Azure Sentinel map](./media/qs-get-visibility/anomolies.png)
 
-## Use built-in dashboards<a name="dashboards"></a>
+## Use built-in workbooks<a name="dashboards"></a>
 
-Built-in dashboards provide integrated data from your connected data sources to let you deep dive into the events generated in those services. The built-in dashboards include Azure ID, Azure activity events, and on-premises, which can be data from Windows Events from servers, from first party alerts, from any third-party including firewall traffic logs, Office 365, and insecure protocols based on Windows events. The dashboards are based on Azure Monitor Workbooks to provide you with enhanced customizability and flexibility in designing your own dashboard. For more information, see [Workbooks](../azure-monitor/app/usage-workbooks.md).
+Built-in workbooks provide integrated data from your connected data sources to let you deep dive into the events generated in those services. The built-in workbooks include Azure ID, Azure activity events, and on-premises, which can be data from Windows Events from servers, from first party alerts, from any third-party including firewall traffic logs, Office 365, and insecure protocols based on Windows events. The workbooks are based on Azure Monitor Workbooks to provide you with enhanced customizability and flexibility in designing your own workbook. For more information, see [Workbooks](../azure-monitor/app/usage-workbooks.md).
 
-1. Under **Settings**, select **Dashboards**. Under **Installed**, you can see all your installed dashboards. Under **All**, you can see the whole gallery of built-in dashboards that are available for installation. 
-2. Search for a specific dashboard to see the whole list and description of what each offers. 
-3. Assuming you use Azure AD, to get up and running with Azure Sentinel, we recommend that you install at least the following dashboards:
+1. Under **Settings**, select **Workbooks**. Under **Installed**, you can see all your installed workbook. Under **All**, you can see the whole gallery of built-in workbooks that are available for installation. 
+2. Search for a specific workbook to see the whole list and description of what each offers. 
+3. Assuming you use Azure AD, to get up and running with Azure Sentinel, we recommend that you install at least the following workbooks:
    - **Azure AD**: Use either or both of the following:
-       - **Azure AD sign-ins** analyzes sign-ins over time to see if there are anomalies. This dashboard provides failed sign-ins by applications, devices, and locations so that you can notice, at a glance if something unusual happens. Pay attention to multiple failed sign-ins. 
+       - **Azure AD sign-ins** analyzes sign-ins over time to see if there are anomalies. This workbooks provides failed sign-ins by applications, devices, and locations so that you can notice, at a glance if something unusual happens. Pay attention to multiple failed sign-ins. 
        - **Azure AD audit logs** analyzes admin activities, such as changes in users (add, remove, etc.), group creation, and modifications.  
 
-   - Add a dashboard for your firewall. For example, add the Palo Alto dashboard. The dashboard analyzes your firewall traffic, providing you with correlations between your firewall data and threat events, and highlights suspicious events across entities. Dashboards provide you with information about trends in your traffic and let you drill down into and filter results. 
+   - Add a workbook for your firewall. For example, add the Palo Alto workbook. The workbook analyzes your firewall traffic, providing you with correlations between your firewall data and threat events, and highlights suspicious events across entities. Workbooks provide you with information about trends in your traffic and let you drill down into and filter results. 
 
       ![Pal Alto dashboard](./media/qs-get-visibility/palo-alto-week-query.png)
 
 
-You can customize the dashboards either by editing the main query ![button](./media/qs-get-visibility/edit-query-button.png). You can click the button ![button](./media/qs-get-visibility/go-to-la-button.png) to go to [Log Analytics to edit the query there](../azure-monitor/log-query/get-started-portal.md), and you can select the ellipsis (...) and select **Customize tile data**, which enables you to edit the main time filter, or remove the specific tiles from the dashboard.
+You can customize the workbooks either by editing the main query ![button](./media/qs-get-visibility/edit-query-button.png). You can click the button ![button](./media/qs-get-visibility/go-to-la-button.png) to go to [Log Analytics to edit the query there](../azure-monitor/log-query/get-started-portal.md), and you can select the ellipsis (...) and select **Customize tile data**, which enables you to edit the main time filter, or remove the specific tiles from the workbook.
 
 For more information on working with queries, see [Tutorial: Visual data in Log Analytics](../azure-monitor/learn/tutorial-logs-dashboards.md)
 
 ### Add a new tile
 
-If you want to add a new tile, you can add it to an existing dashboard, either one that you create or an Azure Sentinel built-in dashboard. 
+If you want to add a new tile, you can add it to an existing workbook, either one that you create or an Azure Sentinel built-in workbook. 
 1. In Log Analytics, create a tile using the instructions found in [Tutorial: Visual data in Log Analytics](../azure-monitor/learn/tutorial-logs-dashboards.md). 
-2. After the tile is created, under **Pin**, select the dashboard in which you want the tile to appear.
+2. After the tile is created, under **Pin**, select the workbook in which you want the tile to appear.
 
-## Create new dashboards
-You can create a new dashboard from scratch or use a built-in dashboard as the basis for your new dashboard.
+## Create new workbooks
+You can create a new workbook from scratch or use a built-in workbook as the basis for your new workbook.
 
-1. To create a new dashboard from scratch, select **Dashboards** and then **+New dashboard**.
-2. Select the subscription the dashboard is created in and give it a descriptive name. Each dashboard is an Azure resource like any other, and you can assign it roles (RBAC) to define and limit who can access. 
-3. To enable it to show up in your dashboards to pin visualizations to, you have to share it. Click **Share** and then **Manage users**. 
+1. To create a new workbook from scratch, select **Workbooks** and then **+New workbook**.
+2. Select the subscription the workbook is created in and give it a descriptive name. Each workbook is an Azure resource like any other, and you can assign it roles (RBAC) to define and limit who can access. 
+3. To enable it to show up in your workbooks to pin visualizations to, you have to share it. Click **Share** and then **Manage users**. 
 
-1. Use the **Check access** and **Role assignments** as you would for any other Azure resource. For more information, see [Share Azure dashboards by using RBAC](../azure-portal/azure-portal-dashboard-share-access.md).
+1. Use the **Check access** and **Role assignments** as you would for any other Azure resource. For more information, see [Share Azure workbooks by using RBAC](../azure-portal/azure-portal-dashboard-share-access.md).
 
 
-## New dashboard examples
+## New workbook examples
 
 The following sample query enables you to compare trends of traffic across weeks. You can easily switch which device vendor and data source you run the query on. This example uses SecurityEvent from Windows, you can switch it to run on AzureActivity or CommonSecurityLog on any other firewall.
 
@@ -113,26 +112,22 @@ You might want to create a query that incorporates data from multiples sources.
     | project OperationName, RoleAssignmentTime = TimeGenerated, user = Caller) on user
     | project-away user1
 
-You can create different dashboards based on role of person looking at the data and what they're looking for. For example, you can create a dashboard for your network admin that includes the firewall data. You can also create dashboards based on how frequently you want to look at them, whether there are things you want to review daily, and others items you want to check once an hour, for example, you might want to look at your Azure AD sign-ins every hour to search for anomalies. 
+You can create different workbooks based on role of person looking at the data and what they're looking for. For example, you can create a dashboard for your network admin that includes the firewall data. You can also create workbooks based on how frequently you want to look at them, whether there are things you want to review daily, and others items you want to check once an hour, for example, you might want to look at your Azure AD sign-ins every hour to search for anomalies. 
 
 ## Create new detections
 
 Generate detections on the [data sources that you connected to Azure Sentinel](connect-data-sources.md) to investigate threats in your organization.
 
 When you create a new detection, leverage the built-in detections crafted by Microsoft security researchers that are tailored to the data sources you connected.
 
-1. [In the GitHub community,](https://github.com/Azure/Azure-Sentinel/tree/master/Detections) go to the **Detections** folder and select the relevant folders.
-   ![relevant folders](./media/qs-get-visibility/detection-folders.png)
- 
-3.	Go to the **Analytics** tab and select **add**.
-   ![create rule in Log Analytics](./media/qs-get-visibility/query-params.png)
+To view all the out-of-the-box detections, go to **Analytics** and then **Rule templates**. This tab contains all the Azure Sentinel built-in rules.
 
-3.	Copy all parameters to the rule and click **Create**.
-   ![create alert rule](./media/qs-get-visibility/create-alert-rule.png)
+   ![Use built-in detections to find threats with Azure Sentinel](media/tutorial-detect-built-in/view-oob-detections.png)
 
+For more information about getting out-of-the-box detections, see [Tutorial: Get built-in-analytics](tutorial-detect-threats-built-in.md).
 
 ## Next steps
 In this quickstart, you learned how to get started using Azure Sentinel. Continue to the tutorial for [how to detect threats](tutorial-detect-threats-built-in.md).
 > [!div class="nextstepaction"]
-> [Detect threats](tutorial-detect-threats-built-in.md) to automate your responses to threats.
+> [Create custom threat detection rules](tutorial-detect-threats-custom.md) to automate your responses to threats.
 
@@ -38,7 +38,7 @@ After you connect your data sources, choose from a gallery of expertly created d
 -  To enable Azure Sentinel, you need contributor permissions to the subscription in which the Azure Sentinel workspace resides. 
 - To use Azure Sentinel, you need either contributor or reader permissions on the resource group that the workspace belongs to.
 - Additional permissions may be needed to connect specific data sources.
-- Azure Sentinel is a paid service. For pricing information see 
+- Azure Sentinel is a paid service. For pricing information see [About Azure Sentinel](https://go.microsoft.com/fwlink/?linkid=2104058).
 
 ## Enable Azure Sentinel <a name="enable"></a>
 
 
@@ -17,7 +17,7 @@ ms.date: 09/23/2019
 ms.author: rkarlin
 
 ---
-# Tutorial: Detect threats out-of-the-box - Preview
+# Tutorial: Detect threats out-of-the-box
 
 
 > [!IMPORTANT]
@@ -48,7 +48,7 @@ This following template types are available:
 
 ## Use out-of-the-box detections
 
-1. In order to use a built-in template, click on **Create rule** to create a new active rule based on that template.  
+1. In order to use a built-in template, click on **Create rule** to create a new active rule based on that template. Each entry has a list of required data sources that are automatically checked and this can result in **Create rule** being disabled.
 
    ![Use built-in detections to find threats with Azure Sentinel](media/tutorial-detect-built-in/use-built-in-template.png)
 
@@ -61,7 +61,5 @@ For more information on the fields in the wizard, see [Tutorial: Create custom a
 ## Next steps
 In this tutorial, you learned how to get started detecting threats using Azure Sentinel. 
 
-To learn how to automate your responses to threats, [how to respond to threats using automated playbooks](tutorial-respond-threats-playbook.md).
-> [!div class="nextstepaction"]
-> [Respond to threats](tutorial-respond-threats-playbook.md) to automate your responses to threats.
+To learn how to automate your responses to threats, [Set up automated threat responses in Azure Sentinel](tutorial-respond-threats-playbook.md).