acrolinx and style

batamig · batamig · commit ba799c89a1be · 2024-11-19T11:25:35.000+02:00
diff --git a/articles/sentinel/connect-defender-for-cloud.md b/articles/sentinel/connect-defender-for-cloud.md
@@ -3,7 +3,7 @@ title: Ingest Microsoft Defender for Cloud subscription-based alerts to Microsof
 description: Learn how to connect security alerts from Microsoft Defender for Cloud and stream them into Microsoft Sentinel.
 author: yelevin
 ms.topic: how-to
-ms.date: 09/26/2024
+ms.date: 11/19/2024
 ms.author: yelevin
 
 
@@ -17,53 +17,51 @@ ms.author: yelevin
 
 [Microsoft Defender for Cloud Defender plans](/azure/defender-for-cloud/defender-for-cloud-introduction#protect-cloud-workloads) are enabled per subscription. While Microsoft Sentinel's legacy connector for Defender for Cloud Apps is also configured per subscription, the **Tenant-based Microsoft Defender for Cloud** connector, in preview, allows you to collect Defender for Cloud alerts over your entire tenant without having to enable each subscription separately. The tenant-based connector also works with [Defender for Cloud's integration with Microsoft Defender XDR](ingest-defender-for-cloud-incidents.md) to ensure that all of your Defender for Cloud alerts are fully included in any incidents you receive through [Microsoft Defender XDR incident integration](microsoft-365-defender-sentinel-integration.md).
 
-[!INCLUDE [reference-to-feature-availability](includes/reference-to-feature-availability.md)]
-
-## Alert synchronization
+- **Alert synchronization**:
 
-- When you connect Microsoft Defender for Cloud to Microsoft Sentinel, the status of security alerts that get ingested into Microsoft Sentinel is synchronized between the two services. So, for example, when an alert is closed in Defender for Cloud, that alert will display as closed in Microsoft Sentinel as well.
+    - When you connect Microsoft Defender for Cloud to Microsoft Sentinel, the status of security alerts that get ingested into Microsoft Sentinel is synchronized between the two services. So, for example, when an alert is closed in Defender for Cloud, that alert displays as closed in Microsoft Sentinel as well.
 
-- Changing the status of an alert in Defender for Cloud will *not* affect the status of any Microsoft Sentinel **incidents** that contain the Microsoft Sentinel alert, only that of the alert itself.
+    - Changing the status of an alert in Defender for Cloud won't* affect the status of any Microsoft Sentinel **incidents** that contain the Microsoft Sentinel alert, only that of the alert itself.
 
-## Bi-directional alert synchronization
+- **Bi-directional alert synchronization**: Enabling **bi-directional sync** automatically syncs the status of original security alerts with that of the Microsoft Sentinel incidents that contain those alerts. So, for example, when a Microsoft Sentinel incident containing a security alerts is closed, the corresponding original alert is closed in Microsoft Defender for Cloud automatically.
 
-Enabling **bi-directional sync** will automatically sync the status of original security alerts with that of the Microsoft Sentinel incidents that contain those alerts. So, for example, when a Microsoft Sentinel incident containing a security alerts is closed, the corresponding original alert will be closed in Microsoft Defender for Cloud automatically.
+[!INCLUDE [reference-to-feature-availability](includes/reference-to-feature-availability.md)]
 
 ## Prerequisites
 
 - You must have read and write permissions on your Microsoft Sentinel workspace.
 
 - You must have the **Contributor** or **Owner** role on the subscription you want to connect to Microsoft Sentinel.
 
-- You will need to enable at least one plan within Microsoft Defender for Cloud for each subscription where you want to enable the connector. To enable Microsoft Defender plans on a subscription, you must have the **Security Admin** role for that subscription.
+- You'll need to enable at least one plan within Microsoft Defender for Cloud for each subscription where you want to enable the connector. To enable Microsoft Defender plans on a subscription, you must have the **Security Admin** role for that subscription.
 
-- You will need the `SecurityInsights` resource provider to be registered for each subscription where you want to enable the connector. Review the guidance on the [resource provider registration status](../azure-resource-manager/management/resource-providers-and-types.md#register-resource-provider) and the ways to register it.
+- You'll need the `SecurityInsights` resource provider to be registered for each subscription where you want to enable the connector. Review the guidance on the [resource provider registration status](../azure-resource-manager/management/resource-providers-and-types.md#register-resource-provider) and the ways to register it.
 
 - To enable bi-directional sync, you must have the **Contributor** or **Security Admin** role on the relevant subscription.
 
 - Install the solution for **Microsoft Defender for Cloud** from the **Content Hub** in Microsoft Sentinel. For more information, see [Discover and manage Microsoft Sentinel out-of-the-box content](sentinel-solutions-deploy.md).
 
 ## Connect to Microsoft Defender for Cloud
 
-1. After installing the solution, in Microsoft Sentinel, select **Configuration > Data connectors**. 
+1. After installing the solution, in Microsoft Sentinel, select **Configuration > Data connectors**.
 
-1. From the **Data connectors** page, select the either the **Subscription-based Microsoft Defender for Cloud (Legacy)** or the **Tenant-based Microsoft Defender for Cloud (Preview)** connector, and then select **Open connector page**.
+1. From the **Data connectors** page, select either the **Subscription-based Microsoft Defender for Cloud (Legacy)** or the **Tenant-based Microsoft Defender for Cloud (Preview)** connector, and then select **Open connector page**.
 
-1. Under **Configuration**, you will see a list of the subscriptions in your tenant, and the status of their connection to Microsoft Defender for Cloud. Select the **Status** toggle next to each subscription whose alerts you want to stream into Microsoft Sentinel. If you want to connect several subscriptions at once, you can do this by marking the check boxes next to the relevant subscriptions and then selecting the **Connect** button on the bar above the list.
+1. Under **Configuration**, you'll see a list of the subscriptions in your tenant, and the status of their connection to Microsoft Defender for Cloud. Select the **Status** toggle next to each subscription whose alerts you want to stream into Microsoft Sentinel. If you want to connect several subscriptions at once, you can do this by marking the check boxes next to the relevant subscriptions and then selecting the **Connect** button on the bar above the list.
 
     - The check boxes and **Connect** toggles are active only on the subscriptions for which you have the [required permissions](#prerequisites).
     - The **Connect** button is active only if at least one subscription's check box has been marked.
 
 1. To enable bi-directional sync on a subscription, locate the subscription in the list, and choose **Enabled** from the drop-down list in the **Bi-directional sync** column. To enable bi-directional sync on several subscriptions at once, mark their check boxes and select the **Enable bi-directional sync** button on the bar above the list.
 
-    - The check boxes and drop-down lists will be active only on the subscriptions for which you have the [required permissions](#prerequisites).
-    - The **Enable bi-directional sync** button will be active only if at least one subscription's check box has been marked.
+    - The check boxes and drop-down lists are active only on the subscriptions for which you have the [required permissions](#prerequisites).
+    - The **Enable bi-directional sync** button is active only if at least one subscription's check box has been marked.
 
-1. In the **Microsoft Defender plans** column of the list, you can see if Microsoft Defender plans are enabled on your subscription (a prerequisite for enabling the connector).
+1. In the **Microsoft Defender plans** column of the list, you can see if Microsoft Defender plans are enabled on your subscription, which is a [prerequisite](#prerequisites) for enabling the connector.
 
-    The value for each subscription in this column is either blank (meaning no Defender plans are enabled), **All enabled**, or **Some enabled**. Those that say **Some enabled** also have an **Enable all** link you can select, that will take you to your Microsoft Defender for Cloud configuration dashboard for that subscription, where you can choose Defender plans to enable.
+    The value for each subscription in this column is either blank, meaning no Defender plans are enabled, **All enabled**, or **Some enabled**. Those that say **Some enabled** also have an **Enable all** link you can select, that takes you to your Microsoft Defender for Cloud configuration dashboard for that subscription, where you can choose Defender plans to enable.
 
-    The **Enable Microsoft Defender for all subscriptions** link button on the bar above the list will take you to your Microsoft Defender for Cloud Getting Started page, where you can choose on which subscriptions to enable Microsoft Defender for Cloud altogether. For example:
+    The **Enable Microsoft Defender for all subscriptions** link button on the bar above the list takes you to your Microsoft Defender for Cloud Getting Started page, where you can choose on which subscriptions to enable Microsoft Defender for Cloud altogether. For example:
 
     :::image type="content" source="./media/connect-defender-for-cloud/azure-defender-config.png" alt-text="Screenshot of Microsoft Defender for Cloud connector configuration."::: 
 
@@ -77,21 +75,18 @@ Enabling **bi-directional sync** will automatically sync the status of original
 
 ## Find and analyze your data
 
-> [!NOTE]
-> Alert synchronization *in both directions* can take a few minutes. Changes in the status of alerts might not be displayed immediately.
-
-- Security alerts are stored in the *SecurityAlert* table in your Log Analytics workspace.
+Security alerts are stored in the *SecurityAlert* table in your Log Analytics workspace. To query security alerts in Log Analytics, copy the following into your query window as a starting point:
 
-- To query security alerts in Log Analytics, copy the following into your query window as a starting point:
+```kusto
+SecurityAlert 
+| where ProductName == "Azure Security Center"
+```
 
-    ```kusto
-    SecurityAlert 
-    | where ProductName == "Azure Security Center"
-    ```
+Alert synchronization *in both directions* can take a few minutes. Changes in the status of alerts might not be displayed immediately.
 
-- See the **Next steps** tab in the connector page for additional useful sample queries, analytics rule templates, and recommended workbooks.
+See the **Next steps** tab in the connector page for more useful sample queries, analytics rule templates, and recommended workbooks.
 
-## Next steps
+## Related content
 
 In this document, you learned how to connect Microsoft Defender for Cloud to Microsoft Sentinel and synchronize alerts between them. To learn more about Microsoft Sentinel, see the following articles:
 
