Merge pull request #261929 from MicrosoftDocs/main

Publish to live, Sunday 4pm PST, 12/24

Author: JamesJBarnett

.openpublishing.redirection.defender-for-cloud.json

@@ -588,7 +588,7 @@
         {
             "source_path_from_root": "/articles/security-center/managing-and-responding-alerts.md",
             "redirect_url": "/azure/defender-for-cloud/managing-and-responding-alerts",
-            "redirect_document_id": true
+            "redirect_document_id": false
         },
         {
             "source_path_from_root": "/articles/security-center/os-coverage.md",
@@ -702,8 +702,8 @@
         },
         {
             "source_path_from_root": "/articles/security-center/tutorial-security-incident.md",
-            "redirect_url": "/azure/defender-for-cloud/tutorial-security-incident",
-            "redirect_document_id": true
+            "redirect_url": "/azure/defender-for-cloud/managing-and-responding-alerts",
+            "redirect_document_id": false
         },
         {
             "source_path_from_root": "/articles/security-center/tutorial-security-policy.md",
@@ -904,6 +904,11 @@
             "source_path_from_root": "/articles/defender-for-cloud/attack-path-reference.md",
             "redirect_url": "/azure/defender-for-cloud/how-to-manage-attack-path",
             "redirect_document_id": true
+        },
+        {
+            "source_path_from_root": "/articles/defender-for-cloud/tutorial-security-incident.md",
+            "redirect_url": "/azure/defender-for-cloud/managing-and-responding-alerts",
+            "redirect_document_id": true
         }
     ]
 }

articles/azure-monitor/alerts/alerts-create-rule-cli-powershell-arm.md

@@ -8,7 +8,7 @@ ms.date: 11/29/2023
 ms.reviewer: harelbr
 ---
 # Create a new alert rule using the CLI, PowerShell, or an ARM template
-You can create a new alert rule using the [Create a new alert rule using the CLI](#create-a-new-alert-rule-using-the-cli), [PowerShell](#create-a-new-alert-rule-using-powershell), or an [Azure Resource Manager template](#create-a-new-alert-rule-using-an-arm-template).
+You can create a new alert rule using the [the CLI](#create-a-new-alert-rule-using-the-cli), [PowerShell](#create-a-new-alert-rule-using-powershell), or an [Azure Resource Manager template](#create-a-new-alert-rule-using-an-arm-template).
 
 ## Create a new alert rule using the CLI
 
@@ -50,6 +50,6 @@ You can use an [Azure Resource Manager template (ARM template)](../../azure-reso
 1. Deploy the template using [PowerShell](../../azure-resource-manager/templates/deploy-powershell.md#deploy-local-template) or the [CLI](../../azure-resource-manager/templates/deploy-cli.md#deploy-local-template).
 
 ## Next steps
-[Manage alert rules](alerts-manage-alert-rules.md)
-[Manage alert instances](alerts-manage-alert-instances.md)
- 
+- [Manage alert rules](alerts-manage-alert-rules.md)
+- [Manage alert instances](alerts-manage-alert-instances.md)
+ 

articles/azure-monitor/alerts/alerts-non-common-schema-definitions.md

@@ -8,20 +8,17 @@ ms.reviewer: nolavime
 ---
 
 # Noncommon alert schema definitions
+The noncommon alert schema were historically used to customize alert email templates and webhook schemas for metric, log, and activity log alert rules. We recommend using the [common schema](./alerts-common-schema.md) for all alert types and integrations.
 
 This article describes the noncommon alert schema definitions for Azure Monitor, including definitions for:
 - Webhooks
 - Azure Logic Apps
 - Azure Functions
 - Azure Automation runbooks
 
-## What is the noncommon alert schema?
-
-The noncommon alert schema lets you customize the consumption experience for alert notifications in Azure today. Historically, the three alert types in Azure today (metric, log, and activity log) have had their own email templates and webhook schemas.
-
 ## Metric alerts
 
-See sample values for log alerts.
+See sample values for metric alerts.
 
 ### Metric alerts: Static threshold
 

articles/azure-monitor/essentials/diagnostic-settings.md

@@ -29,7 +29,7 @@ Each Azure resource requires its own diagnostic setting, which defines the follo
 A single diagnostic setting can define no more than one of each of the destinations. If you want to send data to more than one of a particular destination type (for example, two different Log Analytics workspaces), create multiple settings. Each resource can have up to five diagnostic settings.
 
 > [!WARNING]
-> If you need to delete a resource or migrate it across resource groups or subscriptions, you should first delete its diagnostic settings. Otherwise, if you recreate this resource, the diagnostic settings for the deleted resource could be included with the new resource, depending on the resource configuration for each resource. If the diagnostics settings are included with the new resource, this resumes the collection of resource logs as defined in the diagnostic setting and sends the applicable metric and log data to the previously configured destination. 
+> If you need to delete a resource, rename, or move a resource, or migrate it across resource groups or subscriptions, first delete its diagnostic settings. Otherwise, if you recreate this resource, the diagnostic settings for the deleted resource could be included with the new resource, depending on the resource configuration for each resource. If the diagnostics settings are included with the new resource, this resumes the collection of resource logs as defined in the diagnostic setting and sends the applicable metric and log data to the previously configured destination. 
 >
 > Also, it's a good practice to delete the diagnostic settings for a resource you're going to delete and don't plan on using again to keep your environment clean.
 

articles/azure-monitor/logs/basic-logs-configure.md

@@ -184,6 +184,7 @@ All custom tables created with or migrated to the [data collection rule (DCR)-ba
 | Azure Active Directory | [AADDomainServicesDNSAuditsGeneral](/azure/azure-monitor/reference/tables/AADDomainServicesDNSAuditsGeneral)<br> [AADDomainServicesDNSAuditsDynamicUpdates](/azure/azure-monitor/reference/tables/AADDomainServicesDNSAuditsDynamicUpdates)<br>[AADServicePrincipalSignInLogs](/azure/azure-monitor/reference/tables/AADServicePrincipalSignInLogs) |
 | API Management | [ApiManagementGatewayLogs](/azure/azure-monitor/reference/tables/ApiManagementGatewayLogs)<br>[ApiManagementWebSocketConnectionLogs](/azure/azure-monitor/reference/tables/ApiManagementWebSocketConnectionLogs) |
 | Application Gateways | [AGWAccessLogs](/azure/azure-monitor/reference/tables/AGWAccessLogs)<br>[AGWPerformanceLogs](/azure/azure-monitor/reference/tables/AGWPerformanceLogs)<br>[AGWFirewallLogs](/azure/azure-monitor/reference/tables/AGWFirewallLogs) |
+| Application Gateway for Containers | [AGCAccessLogs](/azure/azure-monitor/reference/tables/AGCAccessLogs) |
 | Application Insights | [AppTraces](/azure/azure-monitor/reference/tables/apptraces) |
 | Bare Metal Machines | [NCBMSystemLogs](/azure/azure-monitor/reference/tables/NCBMSystemLogs)<br>[NCBMSecurityLogs](/azure/azure-monitor/reference/tables/NCBMSecurityLogs) |
 | Chaos Experiments | [ChaosStudioExperimentEventLogs](/azure/azure-monitor/reference/tables/ChaosStudioExperimentEventLogs) |
@@ -194,6 +195,7 @@ All custom tables created with or migrated to the [data collection rule (DCR)-ba
 | Communication Services | [ACSCallAutomationIncomingOperations](/azure/azure-monitor/reference/tables/ACSCallAutomationIncomingOperations)<br>[ACSCallAutomationMediaSummary](/azure/azure-monitor/reference/tables/ACSCallAutomationMediaSummary)<br>[ACSCallClientMediaStatsTimeSeries](/azure/azure-monitor/reference/tables/ACSCallClientMediaStatsTimeSeries)<br>[ACSCallClientOperations](/azure/azure-monitor/reference/tables/ACSCallClientOperations)<br>[ACSCallRecordingIncomingOperations](/azure/azure-monitor/reference/tables/ACSCallRecordingIncomingOperations)<br>[ACSCallRecordingSummary](/azure/azure-monitor/reference/tables/ACSCallRecordingSummary)<br>[ACSCallSummary](/azure/azure-monitor/reference/tables/ACSCallSummary)<br>[ACSJobRouterIncomingOperations](/azure/azure-monitor/reference/tables/ACSJobRouterIncomingOperations)<br>[ACSRoomsIncomingOperations](/azure/azure-monitor/reference/tables/acsroomsincomingoperations) |
 | Confidential Ledgers | [CCFApplicationLogs](/azure/azure-monitor/reference/tables/CCFApplicationLogs) |
 | Cosmos DB for MongoDB (vCore) | [VCoreMongoRequests](/azure/azure-monitor/reference/tables/VCoreMongoRequests) |
+|  Kubernetes clusters - Azure Arc | [ArcK8sAudit](/azure/azure-monitor/reference/tables/ArcK8sAudit)<br>[ArcK8sAuditAdmin](/azure/azure-monitor/reference/tables/ArcK8sAuditAdmin)<br>[ArcK8sControlPlane](/azure/azure-monitor/reference/tables/ArcK8sControlPlane) |
 | Data Manager for Energy | [OEPDataplaneLogs](/azure/azure-monitor/reference/tables/OEPDataplaneLogs) |
 | Dedicated SQL Pool | [SynapseSqlPoolSqlRequests](/azure/azure-monitor/reference/tables/synapsesqlpoolsqlrequests)<br>[SynapseSqlPoolRequestSteps](/azure/azure-monitor/reference/tables/synapsesqlpoolrequeststeps)<br>[SynapseSqlPoolExecRequests](/azure/azure-monitor/reference/tables/synapsesqlpoolexecrequests)<br>[SynapseSqlPoolDmsWorkers](/azure/azure-monitor/reference/tables/synapsesqlpooldmsworkers)<br>[SynapseSqlPoolWaits](/azure/azure-monitor/reference/tables/synapsesqlpoolwaits) |
 | DNS Security Policies | [DNSQueryLogs](/azure/azure-monitor/reference/tables/DNSQueryLogs) |

articles/azure-monitor/logs/log-standard-columns.md

@@ -26,7 +26,7 @@ The **TimeGenerated**  column contains the date and time that the record was cre
 **TimeGenerated** provides a common column to use for filtering or summarizing by time. When you select a time range for a view or dashboard in the Azure portal, it uses **TimeGenerated** to filter the results. 
 
 > [!NOTE]
-> Tables supporting classic Application Insights resources use the **timestamp** column instead of the **TimeGenerated** column.
+> Tables supporting classic Application Insights resources use the **Timestamp** column instead of the **TimeGenerated** column.
 
 > [!NOTE]
 > The **TimeGenerated** value cannot be older than 2 days before received time or more than a day in the future. If in some situation, the value is older than 2 days or more than a day in the future, it would be replaced with the actual recieved time.

articles/azure-vmware/configure-azure-elastic-san.md

@@ -41,7 +41,7 @@ The following prerequisites are required to continue.
 
 ## Set up Elastic SAN
 
-In this section, you create a virtual network for your Elastic SAN. Then you create the Elastic SAN that includes creating at least one volume group and one volume that becomes your VMFS datastore. Next, you set up a Private Endpoint for your Elastic SAN that allows your SDDC to connect to the Elastic SAN volume. Then you're ready to add an Elastic SAN volume as a datastore in your private cloud.
+In this section, you create a virtual network for your Elastic SAN. Then you create the Elastic SAN that includes creating at least one volume group and one volume that becomes your VMFS datastore. Next, you set up a Private Endpoint for your Elastic SAN that allows your private cloud to connect to the Elastic SAN volume. Then you're ready to add an Elastic SAN volume as a datastore in your private cloud.
 
 1. Use one of the following instruction options to set up a dedicated virtual network for your Elastic SAN:
 	- [Azure portal](../virtual-network/quick-create-portal.md)

articles/defender-for-cloud/TOC.yml

@@ -109,9 +109,6 @@
     - name: Protect VMs
       displayName: manage, access, harden
       href: tutorial-protect-resources.md
-    - name: Investigate and respond to security alerts
-      displayName: triage, security, alerts, investigate,
-      href: tutorial-security-incident.md
     - name: Investigate the health of your resources
       displayName: health, resources, outstanding, security, issues,
       href: investigate-resource-health.md
@@ -394,7 +391,7 @@
           href: powershell-onboarding.md
     - name: Alerts, incidents, and threat reports
       items:
-        - name: Respond to security alerts
+        - name: Manage and respond to security alerts
           displayName: security alerts, alerts
           href: managing-and-responding-alerts.md
         - name: Create and manage alerts suppression rules

articles/defender-for-cloud/alerts-overview.md

@@ -115,5 +115,5 @@ In this article, you learned about the different types of alerts available in De
 
 - [Security alerts in Azure Activity log](https://go.microsoft.com/fwlink/?linkid=2114113) - In addition to being available in the Azure portal or programmatically, Security alerts and incidents are audited as events in Azure Activity Log
 - [Reference table of Defender for Cloud alerts](alerts-reference.md)
-- [Respond to security alerts](managing-and-responding-alerts.md#respond-to-security-alerts)
+- [Respond to security alerts](managing-and-responding-alerts.md#respond-to-a-security-alert)
 - Learn how to [manage security incidents in Defender for Cloud](incidents.md).

articles/defender-for-cloud/alerts-schemas.md

@@ -9,26 +9,26 @@ ms.date: 11/09/2021
 
 # Security alerts schemas
 
-If your subscription has Defender for Cloud [Defender plans](defender-for-cloud-introduction.md#protect-cloud-workloads) enabled, you'll receive security alerts when Defender for Cloud detects threats to their resources.
+If your subscription has Defender for Cloud [Defender plans](defender-for-cloud-introduction.md#protect-cloud-workloads) enabled, you receive security alerts when Defender for Cloud detects threats to their resources.
 
-You can view these security alerts in Microsoft Defender for Cloud's pages - [overview dashboard](overview-page.md), [alerts](tutorial-security-incident.md), [resource health pages](investigate-resource-health.md), or [workload protections dashboard](workload-protections-dashboard.md) - and through external tools such as:
+You can view these security alerts in Microsoft Defender for Cloud's pages - [overview dashboard](overview-page.md), [alerts](managing-and-responding-alerts.md), [resource health pages](investigate-resource-health.md), or [workload protections dashboard](workload-protections-dashboard.md) - and through external tools such as:
 
 - [Microsoft Sentinel](../sentinel/index.yml) - Microsoft's cloud-native SIEM. The Sentinel Connector gets alerts from Microsoft Defender for Cloud and sends them to the [Log Analytics workspace](../azure-monitor/logs/quick-create-workspace.md) for Microsoft Sentinel.
-- Third-party SIEMs - Send data to [Azure Event Hubs](../event-hubs/index.yml). Then integrate your Event Hub data with a third-party SIEM. Learn more in [Stream alerts to a SIEM, SOAR, or IT Service Management solution](export-to-siem.md).
+- Third-party SIEMs - Send data to [Azure Event Hubs](../event-hubs/index.yml). Then integrate your Event Hubs data with a third-party SIEM. Learn more in [Stream alerts to a SIEM, SOAR, or IT Service Management solution](export-to-siem.md).
 - [The REST API](/rest/api/defenderforcloud/) - If you're using the REST API to access alerts, see the [online Alerts API documentation](/rest/api/defenderforcloud/alerts).
 
-If you're using any programmatic methods to consume the alerts, you'll need the correct schema to find the fields that are relevant to you. Also, if you're exporting to an Event Hub or trying to trigger Workflow Automation with generic HTTP connectors, use the schemas to properly parse the JSON objects.
+If you're using any programmatic methods to consume the alerts, you need the correct schema to find the fields that are relevant to you. Also, if you're exporting to an Event Hubs or trying to trigger Workflow Automation with generic HTTP connectors, use the schemas to properly parse the JSON objects.
 
 >[!IMPORTANT]
-> The schema is slightly different for each of these scenarios, so make sure you select the relevant tab below.
+> The schema is slightly different for each of these scenarios, so make sure you select the relevant tab.
 
 ## The schemas
 
 ### [Microsoft Sentinel](#tab/schema-sentinel)
 
 The Sentinel Connector gets alerts from Microsoft Defender for Cloud and sends them to the Log Analytics Workspace for Microsoft Sentinel.
 
-To create a Microsoft Sentinel case or incident using Defender for Cloud alerts, you'll need the schema for those alerts shown below.
+To create a Microsoft Sentinel case or incident using Defender for Cloud alerts, you need the schema for those alerts shown.
 
 Learn more in the [Microsoft Sentinel documentation](../sentinel/index.yml).
 
@@ -117,16 +117,16 @@ You can view the security alerts events in Activity Log by searching for the Act
 |**id**|The fully qualified alert ID|
 |**level**|Constant, "Informational"|
 |**operationId**|See correlationId|
-|**operationName**|The value field is constant - "Microsoft.Security/locations/alerts/activate/action", and the localized value will be "Activate Alert" (can potentially be localized par the user locale)|
-|**resourceGroupName**|Will include the resource group name|
+|**operationName**|The value field is constant - `Microsoft.Security/locations/alerts/activate/action`, and the localized value is `Activate Alert` (can potentially be localized par the user locale)|
+|**resourceGroupName**| Includes the resource group name|
 |**resourceProviderName**|The value and localizedValue subfields are constant - "Microsoft.Security"|
 |**resourceType**|The value and localizedValue subfields are constant - "Microsoft.Security/locations/alerts"|
 |**resourceId**|The fully qualified Azure resource ID|
 |**status**|The value and localizedValue subfields are constant - "Active"|
 |**subStatus**|The value and localizedValue subfields are empty|
 |**submissionTimestamp**|The UTC timestamp of event submission to Activity Log|
 |**subscriptionId**|The subscription ID of the compromised resource|
-|**properties**|A JSON bag of additional properties pertaining to the alert. These can change from one alert to the other, however, the following fields will appear in all alerts:<br>- severity: The severity of the attack<br>- compromisedEntity: The name of the compromised resource<br>- remediationSteps: Array of remediation steps to be taken<br>- intent: The kill-chain intent of the alert. Possible intents are documented in the [Intentions table](alerts-reference.md#intentions)|
+|**properties**|A JSON bag of other properties pertaining to the alert. Properties can change from one alert to the other, however, the following fields appear in all alerts:<br>- severity: The severity of the attack<br>- compromisedEntity: The name of the compromised resource<br>- remediationSteps: Array of remediation steps to be taken<br>- intent: The kill-chain intent of the alert. Possible intents are documented in the [Intentions table](alerts-reference.md#intentions)|
 |**relatedEvents**|Constant - empty array|
 
 
@@ -138,8 +138,8 @@ For the alerts schema when using workflow automation, see the [connectors docume
 
 Defender for Cloud's continuous export feature passes alert data to:
 
-- Azure Event Hub using the same schema as [the alerts API](/rest/api/defenderforcloud/alerts).
-- Log Analytics workspaces according to the [SecurityAlert schema](/azure/azure-monitor/reference/tables/SecurityAlert) in the Azure Monitor data reference documentation.
+- Azure Event Hubs using the same schema as [the alerts API](/rest/api/defenderforcloud/alerts).
+- Log Analytics workspaces according to the [SecurityAlert schema](/azure/azure-monitor/reference/tables/SecurityAlert) in the Azure Monitor data documentation.
 
 ### [MS Graph API](#tab/schema-graphapi)
 
@@ -151,7 +151,7 @@ The schema and a JSON representation for security alerts sent to MS Graph, are a
 
 ## Next steps
 
-This article described the schemas that Microsoft Defender for Cloud's threat protection tools use when sending security alert information.
+This article described the schemas that Microsoft Defenders for Cloud's threat protection tools use when sending security alert information.
 
 For more information on the ways to access security alerts from outside Defender for Cloud, see: