MicrosoftDocs
diff --git a/‎articles/active-directory/governance/entitlement-management-logs-and-reporting.md
Lines changed: 1 addition & 1 deletion b/‎articles/active-directory/governance/entitlement-management-logs-and-reporting.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/active-directory/reports-monitoring/concept-activity-logs-azure-monitor.md
Lines changed: 64 additions & 107 deletions b/‎articles/active-directory/reports-monitoring/concept-activity-logs-azure-monitor.md
Lines changed: 64 additions & 107 deletions
diff --git a/‎articles/active-directory/reports-monitoring/howto-access-activity-logs.md
Lines changed: 140 additions & 106 deletions b/‎articles/active-directory/reports-monitoring/howto-access-activity-logs.md
Lines changed: 140 additions & 106 deletions
diff --git a/‎articles/active-directory/reports-monitoring/howto-analyze-activity-logs-log-analytics.md
Lines changed: 49 additions & 42 deletions b/‎articles/active-directory/reports-monitoring/howto-analyze-activity-logs-log-analytics.md
Lines changed: 49 additions & 42 deletions
@@ -40,7 +40,7 @@ Archiving Azure AD audit logs requires you to have Azure Monitor in an Azure sub
 
 1. Select **Azure Active Directory** then select **Diagnostic settings** under Monitoring in the left navigation menu. Check if there's already a setting to send the audit logs to that workspace.
 
-1. If there isn't already a setting, select **Add diagnostic setting**. Use the instructions in [Integrate Azure AD logs with Azure Monitor logs](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md#send-logs-to-azure-monitor) to send the Azure AD audit log to the Azure Monitor workspace.
+1. If there isn't already a setting, select **Add diagnostic setting**. Use the instructions in [Integrate Azure AD logs with Azure Monitor logs](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md) to send the Azure AD audit log to the Azure Monitor workspace.
 
     ![Diagnostics settings pane](./media/entitlement-management-logs-and-reporting/audit-log-diagnostics-settings.png)
 
 
@@ -1,63 +1,69 @@
 ---
-title: Analyze activity logs using Azure Monitor logs
-description: Learn how to analyze Azure Active Directory activity logs using Azure Monitor logs
+title: Analyze activity logs using Log Analytics
+description: Learn how to analyze Azure Active Directory activity logs using Log Analytics
 services: active-directory
 author: shlipsey3
 manager: amycolannino
 ms.service: active-directory
 ms.topic: how-to
 ms.workload: identity
 ms.subservice: report-monitor
-ms.date: 10/31/2022
+ms.date: 06/26/2023
 ms.author: sarahlipsey
 ms.reviewer: besiler
 
 ms.collection: M365-identity-device-management
 ---
 
-# Analyze Azure AD activity logs with Azure Monitor logs
+# Analyze Azure AD activity logs with Log Analytics
 
-After you [integrate Azure AD activity logs with Azure Monitor logs](howto-integrate-activity-logs-with-log-analytics.md), you can use the power of Azure Monitor logs to gain insights into your environment. You can also install the [Log analytics views for Azure AD activity logs](howto-install-use-log-analytics-views.md) to get access to pre-built reports around audit and sign-in events in your environment.
+After you [integrate Azure AD activity logs with Azure Monitor logs](howto-integrate-activity-logs-with-log-analytics.md), you can use the power of Log Analytics and Azure Monitor logs to gain insights into your environment.
 
-In this article, you learn how to analyze the Azure AD activity logs in your Log Analytics workspace. 
+ * Compare your Azure AD sign-in logs against security logs published by Microsoft Defender for Cloud.
+  
+ * Troubleshoot performance bottlenecks on your application’s sign-in page by correlating application performance data from Azure Application Insights.
 
-[!INCLUDE [azure-monitor-log-analytics-rebrand](../../../includes/azure-monitor-log-analytics-rebrand.md)]
+ * Analyze the Identity Protection risky users and risk detections logs to detect threats in your environment.
 
-## Prerequisites 
+This article describes to analyze the Azure AD activity logs in your Log Analytics workspace. 
 
-To follow along, you need:
+## Roles and licenses
 
-* A [Log Analytics workspace](../../azure-monitor/logs/log-analytics-workspace-overview.md) in your Azure subscription. Learn how to [create a Log Analytics workspace](../../azure-monitor/logs/quick-create-workspace.md).
-* First, complete the steps to [route the Azure AD activity logs to your Log Analytics workspace](howto-integrate-activity-logs-with-log-analytics.md).
-*  [Access](../../azure-monitor/logs/manage-access.md#azure-rbac) to the log analytics workspace
-* The following roles in Azure Active Directory (if you're accessing Log Analytics through Azure portal)
-    - Security Admin
-    - Security Reader
-    - Reports Reader
-    - Global Administrator
-    
-## Navigate to the Log Analytics workspace
+To analyze Azure AD logs with Azure Monitor, you need the following roles and licenses:
+
+* **An Azure subscription:** If you don't have an Azure subscription, you can [sign up for a free trial](https://azure.microsoft.com/free/).
+
+* **An Azure AD Premium P1 or P2 tenant:** You can find the license type of your tenant on the [Overview](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview) page in Azure AD.
+
+* **Reports Reader**, **Security Reader**, or **Security Administrator** access for the Azure AD tenant: These roles are required to view Log Analytics through the Azure AD portal.
+
+* **Permission to access data in a Log Analytics workspace:** See [Manage access to log data and workspaces in Azure Monitor](../../azure-monitor/logs/manage-access.md) for information on the different permission options and how to configure permissions.
+
+## Access Log Analytics
+
+To view the Azure AD Log Analytics, you must already be sending your activity logs from Azure AD to a Log Analytics workspace. This process is covered in the [How to integrate activity logs with Azure Monitor](howto-integrate-activity-logs-with-log-analytics.md) article.
 
 [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)]
 
 1. Sign in to the [Azure portal](https://portal.azure.com). 
 
-2. Select **Azure Active Directory**, and then select **Logs** from the **Monitoring** section to open your Log Analytics workspace. The workspace will open with a default query.
+1. Go to **Azure Active Directory** > **Log Analytics**. A default search query runs.
 
     ![Default query](./media/howto-analyze-activity-logs-log-analytics/defaultquery.png)
 
+1. Expand the **LogManagement** category to view the list of log related queries.
 
-## View the schema for Azure AD activity logs
+1. Select or hover over the name of a query to view a description and other useful details.
 
-The logs are pushed to the **AuditLogs** and **SigninLogs** tables in the workspace. To view the schema for these tables:
+    ![Screenshot of the details of a query.](media/howto-analyze-activity-logs-log-analytics/log-analytics-query-details.png)
 
-1. From the default query view in the previous section, select **Schema** and expand the workspace. 
+1. Expand a query from the list to view the schema.
 
-2. Expand the **Log Management** section and then expand either **AuditLogs** or **SigninLogs** to view the log schema.
+    ![Screenshot of the schema of a query.](media/howto-analyze-activity-logs-log-analytics/log-analytics-query-schema.png)
 
-## Query the Azure AD activity logs
+## Query activity logs
 
-Now that you have the logs in your workspace, you can now run queries against them. For example, to get the top applications used in the last week, replace the default query with the following and select **Run**
+You can run queries against the activity logs being routed to a Log Analytics workspace. For example, to get a list of applications with the most sign-ins from last week, enter the following query and select the **Run** button.
 
 ```
 SigninLogs 
@@ -74,34 +80,35 @@ AuditLogs
 | summarize auditCount = count() by OperationName 
 | sort by auditCount desc 
 ```
-## Alert on Azure AD activity log data
-
-You can also set up alerts on your query. For example, to configure an alert when more than 10 applications have been used in the last week:
-
-1. From the workspace, select **Set alert** to open the **Create rule** page.
+## Set up alerts
 
-    ![Set alert](./media/howto-analyze-activity-logs-log-analytics/setalert.png)
+You can also set up alerts on a query. After running a query, the **+ New alert rule** button becomes active.
 
-2. Select the default **alert criteria** created in the alert and update the **Threshold** in the default metric to 10.
+1. From Log Analytics, select the **+ New alert rule** button.
+    - The **Create a rule** process involves several sections to customize the criteria for the rule.
+    - For more information on creating alert rules, see [Create a new alert rule](../../azure-monitor/alerts/alerts-create-new-alert-rule.md) from the Azure Monitor documentation, starting with the **Condition** steps.
+    
+    ![Screenshot of the "+ New alert rule" button in Log Analytics.](media/howto-analyze-activity-logs-log-analytics/log-analytics-new-alert.png)
 
-    ![Alert criteria](./media/howto-analyze-activity-logs-log-analytics/alertcriteria.png)
+1. On the **Actions** tab, select the **Action Group** that will receive the alert when the signal occurs.
+    - You can choose to notify your team via email or text message, or you could automate the action using webhooks, Azure functions or logic apps.
+    - Learn more about [creating and managing alert groups in the Azure portal](../../azure-monitor/alerts/action-groups.md).
 
-3. Enter a name and description for the alert, and choose the severity level. For our example, we could set it to **Informational**.
+1. On the **Details** tab, give the alert rule a name and associate it with a subscription and resource group.
 
-4. Select the **Action Group** that will be alerted when the signal occurs. You can choose to notify your team via email or text message, or you could automate the action using webhooks, Azure functions or logic apps. Learn more about [creating and managing alert groups in the Azure portal](../../azure-monitor/alerts/action-groups.md).
+1. After configuring all necessary details, select the **Review + Create** button. 
 
-5. Once you've configured the alert, select **Create alert** to enable it. 
+## Use workbooks to analyze logs
 
-## Use pre-built workbooks for Azure AD activity logs
+Azure AD workbooks provide several reports related to common scenarios involving audit, sign-in, and provisioning events. *You can also alert on any of the data provided in the reports, using the steps described in the previous section.*
 
-The workbooks provide several reports related to common scenarios involving audit, sign-in, and provisioning events. You can also alert on any of the data provided in the reports, using the steps described in the previous section.
+* **Provisioning analysis:** This workbook shows reports related to auditing provisioning activity. Activities can include the number of new users provisioned, provisioning failures, number of users updated, update failures, the number of users deprovisioned, and corresponding failures. For more information, see [Understand how provisioning integrates with Azure Monitor logs](../app-provisioning/application-provisioning-log-analytics.md).
 
-* **Provisioning analysis**: This [workbook](../app-provisioning/application-provisioning-log-analytics.md) shows reports related to auditing provisioning activity. Activities can include the number of new users provisioned, provisioning failures, number of users updated, update failures, the number of users de-provisioned, and corresponding failures.    
 * **Sign-ins Events**: This workbook shows the most relevant reports related to monitoring sign-in activity, such as sign-ins by application, user, device, and a summary view tracking the number of sign-ins over time.
-* **Conditional access insights**: The Conditional Access insights and reporting [workbook](../conditional-access/howto-conditional-access-insights-reporting.md) enables you to understand the effect of Conditional Access policies in your organization over time. 
+
+* **Conditional access insights**: The Conditional Access insights and reporting workbook enables you to understand the effect of Conditional Access policies in your organization over time. For more information, see [Conditional Access insights and reporting](../conditional-access/howto-conditional-access-insights-reporting.md).
 
 ## Next steps
 
 * [Get started with queries in Azure Monitor logs](../../azure-monitor/logs/get-started-queries.md)
 * [Create and manage alert groups in the Azure portal](../../azure-monitor/alerts/action-groups.md)
-* [Install and use the log analytics views for Azure Active Directory](howto-install-use-log-analytics-views.md)