Commit d4174d3

Merge pull request #281055 from yelevin/patch-2
Updates to analytics rules documents
2 parents f264903 + ffa122b commit d4174d3

2 files changed

+4
-4
lines changed

articles/sentinel/create-analytics-rules.md

Lines changed: 2 additions & 2 deletions
@@ -78,7 +78,7 @@ In the Azure portal, stages are represented visually as tabs. In the Defender po
7878
| **Description** | A free-text description for your rule. |
7979
| **Severity** | Match the impact the activity triggering the rule might have on the target environment, should the rule be a true positive.<br><br>**Informational**: No impact on your system, but the information might be indicative of future steps planned by a threat actor.<br>**Low**: The immediate impact would be minimal. A threat actor would likely need to conduct multiple steps before achieving an impact on an environment.<br>**Medium**: The threat actor could have some impact on the environment with this activity, but it would be limited in scope or require additional activity.<br> **High**: The activity identified provides the threat actor with wide ranging access to conduct actions on the environment or is triggered by impact on the environment. |
8080
| **MITRE ATT&CK** | Choose those threat activities which apply to your rule. Select from among the **MITRE ATT&CK** tactics and techniques presented in the drop-down list. You can make multiple selections.<br><br>For more information on maximizing your coverage of the MITRE ATT&CK threat landscape, see [Understand security coverage by the MITRE ATT&CK® framework](mitre-coverage.md). |
81-
| **Status** | If you want the rule to run immediately after you finish creating it, leave the status set to **Enabled**. Otherwise, select **Disabled**, and enable it later from your **Active rules** tab when you need it. Or enable the rule without it running immediately by scheduling the rule's first run at a specific date and time. See [Schedule and scope the query](#schedule-and-scope-the-query). |
81+
| **Status** | **Enabled**: The rule runs immediately upon creation, or at the [specific date and time you choose to schedule it (currently in PREVIEW)](#schedule-and-scope-the-query).<br>**Disabled**: The rule is created but doesn't run. Enable it later from your **Active rules** tab when you need it. |
8282

8383
1. Select **Next: Set rule logic**.
8484

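Review bot: The rewritten **Status** row on line 81 folds the scheduled-first-run option into the **Enabled** description, but the phrasing "runs immediately upon creation, or at the specific date and time you choose" leaves it unclear that scheduling a first run is the way to keep the rule **Enabled** without it running right away, which the old text stated explicitly ("Or enable the rule without it running immediately by scheduling..."). Consider adding that half-sentence back, and shortening the link text so that "(currently in PREVIEW)" sits outside the link, matching how the preview note is worded in scheduled-rules-overview.md ("This method is currently in PREVIEW.").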
@@ -297,4 +297,4 @@ For more information, see:
297297
- [Entities in Microsoft Sentinel](entities.md)
298298
- [Tutorial: Use playbooks with automation rules in Microsoft Sentinel](tutorial-respond-threats-playbook.md)
299299

300-
Also, learn from an example of using custom analytics rules when [monitoring Zoom](https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-zoom-with-azure-sentinel/ba-p/1341516) with a [custom connector](create-custom-connector.md).
300+
Also, learn from an example of using custom analytics rules when [monitoring Zoom](https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-zoom-with-azure-sentinel/ba-p/1341516) with a [custom connector](create-custom-connector.md).
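Review bot: The removed and added line 300 are textually identical in the rendered diff, so this hunk is a whitespace-only change (most likely trailing whitespace or a line ending). Confirm it is intentional; if not, dropping it keeps the PR limited to the **Status** wording changes described in the commit message.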

articles/sentinel/scheduled-rules-overview.md

Lines changed: 2 additions & 2 deletions
@@ -72,8 +72,8 @@ The MITRE ATT&CK tactics and techniques defined here in the rule apply to any al
7272

7373
For more information on maximizing your coverage of the MITRE ATT&CK threat landscape, see [Understand security coverage by the MITRE ATT&CK® framework](mitre-coverage.md).
7474

75-
**Status:** When you create the rule, its **Status** is **Enabled** by default, which means it will run immediately after you finish creating it. If you don’t want it to run immediately, you have two options:
76-
- Select **Disabled**, and the rule will be added to your **Active rules** tab. You can enable it from there when you need it.
75+
**Status:** When you create the rule, its **Status** is **Enabled** by default, which means it runs immediately after you finish creating it. If you don’t want it to run immediately, you have two options:
76+
- Select **Disabled**, and the rule is created without running. When you want the rule to run, find it in your **Active rules** tab, and enable it from there.
7777
- Schedule the rule to first run at a specific date and time. This method is currently in PREVIEW. See [Query scheduling](#query-scheduling) later on in this article.
7878

7979
### Rule query
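Review bot: The tense change on line 73 ("it will run" to "it runs") matches the present-tense style used in the new **Status** row in create-analytics-rules.md, good. On line 75, "find it in your **Active rules** tab, and enable it from there" is a compound predicate, so the comma before "and" can be dropped: "find it in your **Active rules** tab and enable it from there." The second bullet (line 77) is unchanged, so the two articles now agree that the scheduled first run is in PREVIEW and each links to its own scheduling section.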
