Merge pull request #229474 from v-edmckillop/patch-133

Update azure-sentinel.md

Author: denrea

articles/active-directory-b2c/azure-sentinel.md

@@ -1,156 +1,184 @@
 ---
-title: Secure Azure AD B2C with Microsoft Sentinel
+title: Configure security analytics for Azure Active Directory B2C data with Microsoft Sentinel
 titleSuffix: Azure AD B2C
-description: In this tutorial, you use Microsoft Sentinel to perform security analytics for Azure Active Directory B2C data.
+description: Use Microsoft Sentinel to perform security analytics for Azure Active Directory B2C data.
 services: active-directory-b2c
 author: gargi-sinha
-manager: CelesteDG
+manager: martinco
 ms.reviewer: kengaderdus
-
 ms.service: active-directory
 ms.workload: identity
 ms.topic: tutorial
-ms.date: 08/17/2021
+ms.date: 03/06/2023
 ms.author: gasinh
 ms.subservice: B2C
-#Customer intent: As an IT professional, I want to gather logs and audit data by using Microsoft Sentinel and Azure Monitor so that I can secure my applications that use Azure Active Directory B2C.
+#Customer intent: As an IT professional, I want to gather logs and audit data using Microsoft Sentinel and Azure Monitor to secure applications that use Azure Active Directory B2C.
 ---
 
 # Tutorial: Configure security analytics for Azure Active Directory B2C data with Microsoft Sentinel
 
-You can further secure your Azure Active Directory B2C (Azure AD B2C) environment by routing logs and audit information to Microsoft Sentinel. Microsoft Sentinel is a cloud-native SIEM (security information and event management) and SOAR (security orchestration, automation, and response) solution. Microsoft Sentinel provides alert detection, threat visibility, proactive hunting, and threat response for Azure AD B2C.
+Increase the security of your Azure Active Directory B2C (Azure AD B2C) environment by routing logs and audit information to Microsoft Sentinel. The scalable Microsoft Sentinel is a cloud-native, security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution. Use the solution for alert detection, threat visibility, proactive hunting, and threat response for Azure AD B2C.
+
+Learn more: 
 
-By using Microsoft Sentinel with Azure AD B2C, you can:
+* [What is Microsoft Sentinel?](../sentinel/overview.md)
+* [What is SOAR?](https://www.microsoft.com/security/business/security-101/what-is-soar)
 
-- Detect previously undetected threats and minimize false positives by using Microsoft's analytics and threat intelligence.
-- Investigate threats with AI. Hunt for suspicious activities at scale, and tap into years of cybersecurity-related work at Microsoft.
-- Respond to incidents rapidly with built-in orchestration and automation of common tasks.
-- Meet security and compliance requirements for your organization.
+More uses for Microsoft Sentinel, with Azure AD B2C, are:
 
-In this tutorial, you'll learn how to:
+* Detect previously undetected threats and minimize false positives with analytics and threat intelligence features
+* Investigate threats with artificial intelligence (AI)
+  * Hunt for suspicious activities at scale, and benefit from the experience of years of cybersecurity work at Microsoft
+* Respond to incidents rapidly with common task orchestration and automation 
+* Meet your organization's security and compliance requirements 
 
-> [!div class="checklist"]
-> * Transfer Azure AD B2C logs to a Log Analytics workspace.
-> * Enable Microsoft Sentinel in a Log Analytics workspace.
-> * Create a sample rule in Microsoft Sentinel that will trigger an incident.
-> * Configure an automated response.
+In this tutorial, learn how to:
+
+* Transfer Azure AD B2C logs to a Log Analytics workspace
+* Enable Microsoft Sentinel in a Log Analytics workspace
+* Create a sample rule in Microsoft Sentinel to trigger an incident
+* Configure an automated response
 
 ## Configure Azure AD B2C with Azure Monitor Log Analytics
 
-To define where logs and metrics for a resource should be sent, enable **Diagnostic settings** in Azure AD within your Azure AD B2C tenant. Then, [configure Azure AD B2C to send logs to Azure Monitor](./azure-monitor.md).
+To define where logs and metrics for a resource are sent, 
 
-## Deploy a Microsoft Sentinel instance
+1. Enable **Diagnostic settings** in Azure AD, in your Azure AD B2C tenant.
+2. Configure Azure AD B2C to send logs to Azure Monitor.
 
-After you've configured your Azure AD B2C instance to send logs to Azure Monitor, you need to enable a Microsoft Sentinel instance.
+Learn more, [Monitor Azure AD B2C with Azure Monitor](./azure-monitor.md).
 
->[!IMPORTANT]
->To enable Microsoft Sentinel, you need contributor permissions to the subscription in which the Microsoft Sentinel workspace resides. To use Microsoft Sentinel, you need either contributor or reader permissions on the resource group that the workspace belongs to.
+## Deploy a Microsoft Sentinel instance
 
-1. Go to the [Azure portal](https://portal.azure.com). Select the subscription where the Log Analytics workspace is created.
+After you configure your Azure AD B2C instance to send logs to Azure Monitor, enable an instance of Microsoft Sentinel.
 
-2. Search for and select **Microsoft Sentinel**.
+   >[!IMPORTANT]
+   >To enable Microsoft Sentinel, obtain Contributor permissions to the subscription in which the Microsoft Sentinel workspace resides. To use Microsoft Sentinel, use Contributor or Reader permissions on the resource group to which the workspace belongs.
 
-   ![Screenshot that shows searching for Microsoft Sentinel in the Azure portal.](./media/azure-sentinel/azure-sentinel-add.png)
+1. Go to the [Azure portal](https://portal.azure.com). 
+2. Select the subscription where the Log Analytics workspace is created.
+3. Search for and select **Microsoft Sentinel**.
 
-3. Select **Add**.
+   ![Screenshot of Azure Sentinel entered into the search field and the Azure Sentinel option that appears.](./media/azure-sentinel/azure-sentinel-add.png)
 
-4. Select the new workspace.
+3. Select **Add**.
+4. In the **search workspaces** field, select the new workspace.
 
-   ![Screenshot that shows where to select a Microsoft Sentinel workspace.](./media/azure-sentinel/create-new-workspace.png)
+   ![Screenshot of the search workspaces field under Choose a workspace to add to Azure Sentinel.](./media/azure-sentinel/create-new-workspace.png)
 
 5. Select **Add Microsoft Sentinel**.
 
->[!NOTE]
->You can [run Microsoft Sentinel](../sentinel/quickstart-onboard.md) on more than one workspace, but the data is isolated to a single workspace.
+   >[!NOTE]
+   >It's possible to run Microsoft Sentinel on more than one workspace, however data is isolated in a single workspace.</br> See, [Quickstart: Onboard Microsoft Sentinel](../sentinel/quickstart-onboard.md)
 
 ## Create a Microsoft Sentinel rule
 
-Now that you've enabled Microsoft Sentinel, get notified when something suspicious occurs in your Azure AD B2C tenant.
+After you enable Microsoft Sentinel, get notified when something suspicious occurs in your Azure AD B2C tenant.
 
-You can create [custom analytics rules](../sentinel/detect-threats-custom.md) to discover threats and anomalous behaviors in your environment. These rules search for specific events or sets of events and alert you when certain event thresholds or conditions are reached. Then they generate incidents for further investigation.
+You can create custom analytics rules to discover threats and anomalous behaviors in your environment. These rules search for specific events, or event sets, and alert you when event thresholds or conditions are met. Then incidents are generated for investigation.
 
->[!NOTE]
->Microsoft Sentinel provides built-in templates to help you create threat detection rules designed by Microsoft's team of security experts and analysts. Rules created from these templates automatically search across your data for any suspicious activity. There are no native Azure AD B2C connectors available at this time. For the example in this tutorial, we'll create our own rule.
+See, [Create custom analytics rules to detect threats](../sentinel/detect-threats-custom.md)
 
-In the following example, you receive a notification if someone tries to force access to your environment but isn't successful. It might mean a brute-force attack. You want to get notified for two or more unsuccessful logins within 60 seconds.
+   >[!NOTE]
+   >Microsoft Sentinel has templates to create threat detection rules that search your data for suspicious activity. For this tutorial, you create a rule.
 
-1. From the left menu in Microsoft Sentinel, select **Analytics**.
+### Notification rule for unsuccessful forced access
 
-2. On the action bar at the top, select **+ Create** > **Scheduled query rule**. 
+Use the following steps to receive notification about two or more unsuccessful, forced access attempts into your environment. An example is brute-force attack. 
 
-    ![Screenshot that shows selections for creating a scheduled query rule.](./media/azure-sentinel/create-scheduled-rule.png)
+1. In Microsoft Sentinel, from the left menu, select **Analytics**.
+2. On the top bar, select **+ Create** > **Scheduled query rule**. 
 
-3. In the Analytics Rule wizard, go to the **General** tab and enter the following information:
+   ![Screenshot of the Create option under Analytics.](./media/azure-sentinel/create-scheduled-rule.png)
 
-    | Field | Value |
-    |:--|:--|
-    |**Name** | Enter a name that's appropriate for Azure AD B2C unsuccessful logins. |
-    |**Description** | Enter a description that says the rule will notify on two or more unsuccessful logins within 60 seconds. |
-    | **Tactics** | Choose from the categories of attacks by which to classify the rule. These categories are based on the tactics of the [MITRE ATT&CK](https://attack.mitre.org/) framework.<BR>For our example, we'll choose **PreAttack**. <BR> MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. This knowledge base is used as a foundation for the development of specific threat models and methodologies.
-    | **Severity** | Select an appropriate severity level. |
-    | **Status** | When you create the rule, its status is **Enabled** by default. That status means the rule will run immediately after you finish creating it. If you don't want it to run immediately, select **Disabled**. The rule will then be added to your **Active rules** tab, and you can enable it from there when you need it.|
+3. In the Analytics Rule wizard, go to **General**.
+4. For **Name**, enter a name for unsuccessful logins.
+5. For **Description**, indicate the rule notifies for two or more unsuccessful sign-ins, within 60 seconds.
+6. For **Tactics**, select a category. For example, select **PreAttack**.
+7. For **Severity**, select a severity level.
+8. **Status** is **Enabled** by default. To change a rule, go to the **Active rules** tab.
 
-    ![Screenshot that shows basic rule properties.](./media/azure-sentinel/create-new-rule.png)
+   ![Screenshot of Create new rule with options and selections.](./media/azure-sentinel/create-new-rule.png)
 
-4. To define the rule query logic and configure settings, on the **Set rule logic** tab, write a query directly in the
-**Rule query** box. 
+9. Select the **Set rule logic** tab.
+10. Enter a query in the **Rule query** field. The query example organizes the sign-ins by `UserPrincipalName`.
 
-    ![Screenshot that shows entering the rule query in the tab for setting rule logic.](./media/azure-sentinel/rule-query.png)
+    ![Screenshot of query text in the Rule query field under Set rule logic.](./media/azure-sentinel/rule-query.png)
 
-    This query will alert you when there are two or more unsuccessful logins within 60 seconds to your Azure AD B2C tenant. It will organize the logins by `UserPrincipalName`.
+11. Go to **Query scheduling**.
+12. For **Run query every**, enter **5** and **Minutes**.
+13. For **Lookup data from the last**, enter **5** and **Minutes**.
+14. For **Generate alert when number of query results**, select **Is greater than**, and **0**.
+15. For **Event grouping**, select **Group all events into a single alert**. 
+16. For **Stop running query after alert is generated**, select **Off**.
+17. Select **Next: Incident settings (Preview)**. 
 
-5. In the **Query scheduling** section, set the following parameters:
+   ![Screenshot of Query scheduling selections and options.](./media/azure-sentinel/query-scheduling.png)
 
-    ![Screenshot that shows setting query scheduling parameters.](./media/azure-sentinel/query-scheduling.png)
+18. Go to the **Review and create** tab to review rule settings. 
+19. When the **Validation passed** banner appears, select **Create**.
 
-6. Select **Next: Incident settings (Preview)**. You'll configure and add the automated response later.
+    ![Screenshot of selected settings, the Validation passed banner, and the Create option.](./media/azure-sentinel/review-create.png)
 
-7. Go to the **Review and create** tab to review all the settings for your new alert rule. When the **Validation passed** message appears, select **Create** to initialize your alert rule.
+#### View a rule and related incidents
 
-    ![Screenshot that shows the tab for reviewing and creating a rule.](./media/azure-sentinel/review-create.png)
+View the rule and the incidents it generates. Find your newly created custom rule of type **Scheduled** in the table under the **Active rules** tab on the main 
 
-8. View the rule and the incidents that it generates. Find your newly created custom rule of type **Scheduled** in the table under the **Active rules** tab on the main **Analytics** screen. From this list, you can edit, enable, disable, or delete rules by using the corresponding buttons.
+1. Go to the **Analytics** screen.
+2. Select the **Active rules** tab.
+3. In the table, under **Scheduled**, find the rule.  
 
-    ![Screenshot that shows active rules with options to edit, enable, disable or delete.](./media/azure-sentinel/rule-crud.png)
+You can edit, enable, disable, or delete the rule.
 
-9. View the results of your new rule for Azure AD B2C unsuccessful logins. Go to the **Incidents** page, where you can triage, investigate, and remediate the threats. 
+   ![Screenshot of active rules with Enable, Disable, Delete, and Edit options.](./media/azure-sentinel/rule-crud.png)
 
-    An incident can include multiple alerts. It's an aggregation of all the relevant evidence for a specific investigation. You can set properties such as severity and status at the incident level.
+#### Triage, investigate, and remediate incidents
 
-    > [!NOTE]
-    > A key feature of Microsoft Sentinel is [incident investigation](../sentinel/investigate-cases.md).
-    
-10. To begin an investigation, select a specific incident. 
+An incident can include multiple alerts, and is an aggregation of relevant evidence for an investigation. At the incident level, you can set properties such as Severity and Status.
 
-    On the right, you can see detailed information for the incident. This information includes severity, entities involved, the raw events that triggered the incident, and the incident's unique ID.
+Learn more: [Investigate incidents with Microsoft Sentinel](../sentinel/investigate-cases.md).
+    
+1. Go to the **Incidents** page.
+2. Select an incident. 
+3. On the right, detailed incident information appears, including severity, entities, events, and the incident ID.
 
     ![Screenshot that shows incident information.](./media/azure-sentinel/select-incident.png)
 
-11. Select **View full details** on the incident pane. Review the tabs that summarize the incident information and provide more details.
+4. On the **Incidents** pane, elect **View full details**. 
+5. Review tabs that summarize the incident.
 
-    ![Screenshot that shows tabs for incident information.](./media/azure-sentinel/full-details.png)
+    ![Screenshot of a list of incidents.](./media/azure-sentinel/full-details.png)
 
-12. Select **Evidence** > **Events** > **Link to Log Analytics**. The result displays the `UserPrincipalName` value of the identity that's trying to log in with the number of attempts.
+6. Select **Evidence** > **Events** > **Link to Log Analytics**. 
+7. In the results, see the identity `UserPrincipalName` value attempting sign-in.
 
-    ![Screenshot that shows full details of a selected incident.](./media/azure-sentinel/logs.png)
+    ![Screenshot of incident details.](./media/azure-sentinel/logs.png)
 
 ## Automated response
 
-Microsoft Sentinel provides a [robust SOAR capability](../sentinel/automation-in-azure-sentinel.md). Automated actions, called a *playbook* in Microsoft Sentinel, can be attached to analytics rules to suit your requirements.
+Microsoft Sentinel has security orchestration, automation, and response (SOAR) functions. Attach automated actions, or a playbook, to analytics rules.
 
-In this example, we add an email notification for an incident that the rule creates. To accomplish this task, use an [existing playbook from the Microsoft Sentinel GitHub repository](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Incident-Email-Notification). After the playbook is configured, edit the existing rule and select the playbook on the **Automated response** tab.
+See, [What is SOAR?](https://www.microsoft.com/security/business/security-101/what-is-soar)
 
-![Screenshot that shows the image configuration screen for the automated response associated with a rule.](./media/azure-sentinel/automation-tab.png)
+### Email notification for an incident
 
-## Related information
+For this task, use a playbook from the Microsoft Sentinel GitHub repository. 
 
-For more information about Microsoft Sentinel and Azure AD B2C, see:
+1. Go to a configured playbook.
+2. Edit the rule.
+3. On the **Automated response** tab, select the playbook.
+
+Learn more: [Incident-Email-Notification](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Incident-Email-Notification)
 
-- [Sample workbooks](https://github.com/azure-ad-b2c/siem#workbooks)
+   ![Screenshot of automated response options for a rule.](./media/azure-sentinel/automation-tab.png)
+
+## Resources
+
+For more information about Microsoft Sentinel and Azure AD B2C, see:
 
-- [Microsoft Sentinel documentation](../sentinel/index.yml)
+* [Azure AD B2C Reports & Alerts, Workbooks](https://github.com/azure-ad-b2c/siem#workbooks)
+* [Microsoft Sentinel documentation](../sentinel/index.yml)
 
-## Next steps
+## Next step
 
-> [!div class="nextstepaction"]
-> [Handle false positives in Microsoft Sentinel](../sentinel/false-positives.md)
+[Handle false positives in Microsoft Sentinel](../sentinel/false-positives.md)