MicrosoftDocs
diff --git a/‎articles/defender-for-iot/organizations/best-practices/traffic-mirroring-methods.md
Lines changed: 18 additions & 7 deletions b/‎articles/defender-for-iot/organizations/best-practices/traffic-mirroring-methods.md
Lines changed: 18 additions & 7 deletions
diff --git a/‎articles/sentinel/billing-monitor-costs.md
Lines changed: 2 additions & 2 deletions b/‎articles/sentinel/billing-monitor-costs.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/sentinel/configure-content.md
Lines changed: 2 additions & 2 deletions b/‎articles/sentinel/configure-content.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/sentinel/configure-data-retention-archive.md
Lines changed: 2 additions & 2 deletions b/‎articles/sentinel/configure-data-retention-archive.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/sentinel/data-connectors-reference.md
Lines changed: 2 additions & 2 deletions b/‎articles/sentinel/data-connectors-reference.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/sentinel/datalake/sentinel-lake-onboarding.md
Lines changed: 4 additions & 2 deletions b/‎articles/sentinel/datalake/sentinel-lake-onboarding.md
Lines changed: 4 additions & 2 deletions
diff --git a/‎articles/sentinel/deploy-overview.md
Lines changed: 2 additions & 2 deletions b/‎articles/sentinel/deploy-overview.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/sentinel/deploy-side-by-side.md
Lines changed: 2 additions & 2 deletions b/‎articles/sentinel/deploy-side-by-side.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/sentinel/domain-based-essential-solutions.md
Lines changed: 2 additions & 2 deletions b/‎articles/sentinel/domain-based-essential-solutions.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/sentinel/enable-sentinel-features-content.md
Lines changed: 2 additions & 2 deletions b/‎articles/sentinel/enable-sentinel-features-content.md
Lines changed: 2 additions & 2 deletions
@@ -1,7 +1,7 @@
 ---
 title: Choose a traffic mirroring methods - Microsoft Defender for IoT
 description: This article describes traffic mirroring methods for OT monitoring with Microsoft Defender for IoT.
-ms.date: 07/04/2023
+ms.date: 07/23/2025
 ms.topic: install-set-up-deploy
 ---
 
@@ -13,7 +13,7 @@ This article is one in a series of articles describing the [deployment path](../
 
 The decision as to which traffic mirroring method to use depends on your network configuration and the needs of your organization.
 
-To ensure that Defender for IoT only analyzes the traffic that you want to monitor, we recommend that you configure traffic mirroring on a switch or a terminal access point (TAP) that includes only industrial ICS and SCADA traffic.
+To make sure Defender for IoT only analyzes the traffic that you want to monitor, we recommend that you configure traffic mirroring on a switch or a terminal access point (TAP) that includes only industrial ICS and SCADA traffic.
 
 > [!NOTE]
 > SPAN and RSPAN are Cisco terminology. Other brands of switches have similar functionality but might use different terminology.
@@ -23,7 +23,7 @@ To ensure that Defender for IoT only analyzes the traffic that you want to monit
 
 We recommend configuring your traffic mirroring from all of your switch's ports, even if no data is connected to them. If you don't, rogue devices can later be connected to an unmonitored port, and those devices won't be detected by the Defender for IoT network sensors.
 
-For OT networks that use broadcast or multicast messaging, configure traffic mirroring only for RX (*Receive*) transmissions. Multicast messages will be repeated for any relevant active ports, and you'll be using more bandwidth unnecessarily.
+For OT networks that use broadcast or multicast messaging, configure traffic mirroring only for RX (*Receive*) transmissions. Multicast messages are repeated for any relevant active ports, and you'll be using more bandwidth unnecessarily.
 
 ## Compare supported traffic mirroring methods
 
@@ -66,13 +66,13 @@ Some TAPs aggregate both *Receive* and *Transmit*, depending on the switch confi
 
 We recommend TAPs especially when traffic mirroring for forensic purposes. Advantages of mirroring traffic with TAPs include:
 
-- TAPs are hardware-based and can't be compromised
+- TAPs are hardware-based and can't be compromised.
 
-- TAPs pass all traffic, even damaged messages that are often dropped by the switches
+- TAPs pass all traffic, even damaged messages that are often dropped by the switches.
 
 - TAPs aren't processor-sensitive, which means that packet timing is exact. In contrast, switches handle mirroring functionality as a low-priority task, which can affect the timing of the mirrored packets.
 
-You can also use a TAP aggregator to monitor your traffic ports. However, TAP aggregators aren't processor-based, and aren't as intrinsically secure as hardware TAPs. TAP aggregators may not reflect exact packet timing.
+You can also use a TAP aggregator to monitor your traffic ports. However, TAP aggregators aren't processor-based, and aren't as intrinsically secure as hardware TAPs. TAP aggregators might not reflect exact packet timing.
 
 ### Common TAP models
 
@@ -99,7 +99,7 @@ The sensor's monitoring interface is a promiscuous interface and doesn't have a
 Use ERSPAN encapsulation when there's a need to extend monitored traffic across Layer 3 domains. ERSPAN is a Cisco proprietary feature and is available only on specific routers and switches. For more information, see the [Cisco documentation](https://learningnetwork.cisco.com/s/article/span-rspan-erspan).
 
 > [!NOTE]
-> This article provides high-level guidance for configuring traffic mirroring with ERSPAN. Specific implementation details will vary depending on your equipment vendor.
+> This article provides high-level guidance for configuring traffic mirroring with ERSPAN. Specific implementation details vary depending on your equipment vendor.
 >
 
 ### ERSPAN architecture
@@ -124,6 +124,17 @@ ERSPAN source options include elements such as:
 
 For more information, see [Update a sensor's monitoring interfaces (configure ERSPAN)](../how-to-manage-individual-sensors.md#update-a-sensors-monitoring-interfaces-configure-erspan).
 
+### VLAN ID considerations for ERSPAN
+
+When you set up ERSPAN, consider how VLAN IDs are handled based on the type of mirrored port:
+
+- **Tagged VLANs** exist in packets from trunk mirrored ports and remain intact within the packet's payload during encapsulation. The Defender for IoT sensor supports tagged VLANs.
+- **Untagged VLANs** originate from access mirrored ports. Untagged VLANs are stripped from the payload during decapsulation, and as a result the VLANs are lost. The Microsoft Defender for IoT sensor doesn't support untagged VLANs.
+
+To ensure accurate VLAN detection, configure your network and ERSPAN router so that all mirrored ports use tagged VLANs, where mirror ports are configured as trunk ports. With this setup, VLAN information remains in the packet payload throughout the ERSPAN process and provides full visibility for the Defender for IoT sensor monitoring.
+
+
+
 ## Traffic mirroring with virtual switches
 
 While a virtual switch doesn't have mirroring capabilities, you can use *Promiscuous mode* in a virtual switch environment as a workaround for configuring a monitoring port, similar to a [SPAN port](../traffic-mirroring/configure-mirror-span.md). A SPAN port on your switch mirrors local traffic from interfaces on the switch to a different interface on the same switch.
 
@@ -1,8 +1,8 @@
 ---
 title: Manage and monitor costs for Microsoft Sentinel
 description: Learn how to manage and monitor costs and billing for Microsoft Sentinel by using cost analysis in the Azure portal and other methods.
-author: cwatson-cat
-ms.author: cwatson
+author: EdB-MSFT
+ms.author: edbaynash
 ms.custom: subject-cost-optimization
 ms.topic: conceptual
 ms.date: 07/09/2025
 
@@ -1,10 +1,10 @@
 ---
 title: Configure Microsoft Sentinel content
 description: In this step of your deployment, you configure the Microsoft Sentinel security content, like your data connectors, analytics rules, automation rules, and more.
-author: cwatson-cat
+author: EdB-MSFT
 ms.topic: how-to
 ms.date: 07/05/2023
-ms.author: cwatson
+ms.author: edbaynash
 
 
 #Customer intent: As a security engineer, I want to configure Microsoft Sentinel security content so that analysts can detect, monitor, and respond to security threats effectively.
 
@@ -1,10 +1,10 @@
 ---
 title: Configure interactive and long-term data retention in Microsoft Sentinel
 description: Towards the end of your deployment procedure, you set up data retention to suit your organization's needs.
-author: cwatson-cat
+author: EdB-MSFT
 ms.topic: how-to
 ms.date: 07/21/2024
-ms.author: cwatson
+ms.author: edbaynash
 
 
 #Customer intent: As a security architect or SOC manager, I want to configure data retention and archiving policies so that I can ensure long-term storage of important data at a reduced cost.
 
@@ -1,11 +1,11 @@
 ---
 title: Find your Microsoft Sentinel data connector | Microsoft Docs
 description: Learn about specific configuration steps for Microsoft Sentinel data connectors.
-author: cwatson-cat
+author: EdB-MSFT
 ms.topic: reference
 ms.date: 11/18/2024
 ms.custom: linux-related-content
-ms.author: cwatson
+ms.author: edbaynash
 appliesto:
     - Microsoft Sentinel in the Microsoft Defender portal
     - Microsoft Sentinel in the Azure portal
 
@@ -77,8 +77,10 @@ The following roles that are required to set up billing and authorize ingestion
 
 ## Existing Microsoft Sentinel workspaces
 
-The Microsoft Sentinel data lake mirrors data from Microsoft Sentinel workspaces that are connected to the Defender portal. You must connect your Microsoft Sentinel workspaces to the Defender portal to include them in the data lake. If you have connected Sentinel to the Defender portal, to onboard to the data lake, the primary workspace must be in the tenant's home geographic region. If you haven't connected Microsoft Sentinel to the Defender portal, you can connect your Microsoft Sentinel workspaces to the Defender portal after onboarding, and the data will be mirrored to the data lake. For more information, see [Connect Microsoft Sentinel to the Microsoft Defender portal](/unified-secops-platform/microsoft-sentinel-onboard).
+The Microsoft Sentinel data lake mirrors data from Microsoft Sentinel workspaces that are connected to the Defender portal. You must connect your Microsoft Sentinel workspaces to the Defender portal to include them in the data lake. If you have connected Microsoft Sentinel to the Defender portal, to onboard to the data lake, the primary workspace must be in the tenant's home geographic region. If you haven't connected Microsoft Sentinel to the Defender portal, you can connect your Microsoft Sentinel workspaces to the Defender portal after onboarding, and the data will be mirrored to the data lake. For more information, see [Connect Microsoft Sentinel to the Microsoft Defender portal](/unified-secops-platform/microsoft-sentinel-onboard).
 
+> [!NOTE]
+> During preview, you can onboard up to 20 workspaces to the Microsoft Sentinel data lake. 
 
 ## Onboarding steps
 
@@ -114,7 +116,7 @@ Use the following steps to onboard to the Microsoft Sentinel data lake from the
     :::image type="content" source="./media/sentinel-lake-onboarding/setup-started.png" lightbox="./media/sentinel-lake-onboarding/setup-started.png" alt-text="A screenshot showing the progress of the onboarding process.":::
 
 
-1. While the setup process is running, the following banner is displayed on the Defender portal home page. You can select **View setup details** to re-open the panel to check progress. 
+1. While the setup process is running, the following banner is displayed on the Defender portal home page. You can select **View setup details** to reopen the panel to check progress. 
 
     :::image type="content" source="./media/sentinel-lake-onboarding/onboarding-in-progress.png" lightbox="./media/sentinel-lake-onboarding/onboarding-in-progress.png" alt-text="A screenshot showing the onboarding in progress banner.":::
 
 
@@ -1,8 +1,8 @@
 ---
 title: Deployment guide for Microsoft Sentinel
 description: Learn about the steps to deploy Microsoft Sentinel including the phases to plan and prepare, deploy, and fine tune.
-author: cwatson-cat
-ms.author: cwatson
+author: EdB-MSFT
+ms.author: edbaynash
 ms.topic: conceptual
 ms.date: 07/09/2025
 ms.service: microsoft-sentinel
 
@@ -1,10 +1,10 @@
 ---
 title: Deploying Microsoft Sentinel side-by-side to an existing SIEM.
 description: Learn how to deploy Microsoft Sentinel side-by-side to an existing SIEM.
-author: cwatson-cat
+author: EdB-MSFT
 ms.topic: conceptual
 ms.date: 07/24/2024
-ms.author: cwatson
+ms.author: edbaynash
 
 
 #Customer intent: As a SOC manager, I want to understand supported methods for deploying Microsoft Sentinel alongside my existing, on-premises SIEM, so that I can transition to a more flexible and cost-effective security solution without disrupting current operations.
 
@@ -1,10 +1,10 @@
 ---
 title: ASIM-based domain solutions - Essentials for Microsoft Sentinel
 description: Learn about the Microsoft essential solutions for Microsoft Sentinel that span across different ASIM schemas like networks, DNS, and web sessions.
-author: cwatson-cat
+author: EdB-MSFT
 ms.topic: conceptual
 ms.date: 03/01/2024
-ms.author: cwatson
+ms.author: edbaynash
 appliesto:
     - Microsoft Sentinel in the Microsoft Defender portal
     - Microsoft Sentinel in the Azure portal
 
@@ -1,10 +1,10 @@
 ---
 title: Enable Microsoft Sentinel and initial features and content
 description: As the first step of your deployment, you enable Microsoft Sentinel, and then enable the health and audit feature, solutions, and content.
-author: cwatson-cat
+author: EdB-MSFT
 ms.topic: how-to
 ms.date: 06/18/2024
-ms.author: cwatson
+ms.author: edbaynash
 
 
 #Customer intent: As a security operations analyst, I want to enable and configure Microsoft Sentinel and its key features so that I can monitor and secure my organization's environment effectively.