Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into bedrock

Author: gitName

articles/azure-vmware/arc-enable-guest-management.md

@@ -9,7 +9,7 @@ ms.custom: references_regions, devx-track-azurecli, engagement-fy23
 
 # Enable guest management and install extensions on Arc-enabled VMs
 
-In this article, you learn how to enable guest management and install extensions on Arc-enabled VMs in Azure VMware Solution. Use guest management empowers you to manage the guest operating system of your VM, including installing and managing extensions. This feature is available for Arc-enabled VMware VMs in Azure VMware Solution private clouds.
+In this article, you learn how to enable guest management and install extensions on Arc-enabled VMs in Azure VMware Solution. Use guest management to manage the guest operating system of your VM, including installing and managing extensions. This feature is available for Arc-enabled VMware VMs in Azure VMware Solution private clouds.
 
 ## Prerequisite
 

articles/sentinel/connect-azure-active-directory.md

@@ -3,7 +3,7 @@ title: Send Microsoft Entra ID data to Microsoft Sentinel
 description: Learn how to collect data from Microsoft Entra ID, and stream Microsoft Entra sign-in, audit, and provisioning logs into Microsoft Sentinel.
 author: guywi-ms
 ms.topic: how-to
-ms.date: 03/16/2025
+ms.date: 07/03/2025
 ms.author: guywild
 
 
@@ -13,11 +13,24 @@ ms.author: guywild
 
 # Send data to Microsoft Sentinel using the Microsoft Entra ID data connector
 
-[Microsoft Entra ID](/entra/fundamentals/what-is-entra) logs provide comprehensive information about users, applications, and networks accessing your Entra tenant. This article explains the types of logs you can collect using the Microsoft Entra ID data connector, how to enable the connector to send data to Microsoft Sentinel, and how to find your data in Microsoft Sentinel.
+[Microsoft Entra ID](/entra/fundamentals/what-is-entra) logs provide comprehensive information about users, applications, and networks accessing your Microsoft Entra tenant. This article explains the types of logs you can collect using the Microsoft Entra ID data connector, how to enable the connector to send data to Microsoft Sentinel, and how to find your data in Microsoft Sentinel.
+
+
+## Prerequisites
+
+- A Microsoft Entra Workload ID Premium license is required to stream **[AADRiskyServicePrincipals](/azure/azure-monitor/reference/tables/aadriskyserviceprincipals)** and **[AADServicePrincipalRiskEvents](/azure/azure-monitor/reference/tables/aadserviceprincipalriskevents)** logs to Microsoft Sentinel.
+
+- A Microsoft Entra ID P1 or P2 license is required to ingest sign-in logs into Microsoft Sentinel. Any Microsoft Entra ID license (Free/O365/P1 or P2) is sufficient to ingest the other log types. Other per-gigabyte charges might apply for Azure Monitor (Log Analytics) and Microsoft Sentinel.
+
+- Your user must be assigned the [Microsoft Sentinel Contributor](../role-based-access-control/built-in-roles.md#microsoft-sentinel-contributor) role on the workspace.
+
+- Your user must have the [Security Administrator](../active-directory/roles/permissions-reference.md#security-administrator) role on the tenant you want to stream the logs from, or the equivalent permissions.
+
+- Your user must have read and write permissions to the Microsoft Entra diagnostic settings in order to be able to see the connection status.
 
 ## Microsoft Entra ID data connector data types
 
-This table lists the logs you can send from Microsoft Entra ID to Microsoft Sentinel using the Microsoft Entra ID data connector. Sentinel stores these logs in the Log Analytics workspace linked to your Microsoft Sentinel workspace.
+This table lists the logs you can send from Microsoft Entra ID to Microsoft Sentinel using the Microsoft Entra ID data connector. Microsoft Sentinel stores these logs in the Log Analytics workspace linked to your Microsoft Sentinel workspace.
 
 | **Log type** | **Description** | **Log schema** |
 |--------------|-----------------------------------|----------------|
@@ -42,15 +55,6 @@ This table lists the logs you can send from Microsoft Entra ID to Microsoft Sent
 
 [!INCLUDE [reference-to-feature-availability](includes/reference-to-feature-availability.md)]
 
-## Prerequisites
-
-- A Microsoft Entra ID P1 or P2 license is required to ingest sign-in logs into Microsoft Sentinel. Any Microsoft Entra ID license (Free/O365/P1 or P2) is sufficient to ingest the other log types. Other per-gigabyte charges might apply for Azure Monitor (Log Analytics) and Microsoft Sentinel.
-
-- Your user must be assigned the [Microsoft Sentinel Contributor](../role-based-access-control/built-in-roles.md#microsoft-sentinel-contributor) role on the workspace.
-
-- Your user must have the [Security Administrator](../active-directory/roles/permissions-reference.md#security-administrator) role on the tenant you want to stream the logs from, or the equivalent permissions.
-
-- Your user must have read and write permissions to the Microsoft Entra diagnostic settings in order to be able to see the connection status.
 
 <a name='connect-to-azure-active-directory'></a>
 

articles/sentinel/livestream.md

@@ -1,31 +1,31 @@
 ---
-title: Detect threats by using hunting livestream in Microsoft Sentinel 
-description: Learn how to use hunting livestream in Microsoft Sentinel to actively monitor a compromise event.
+title: Detect threats by using hunting livestream in Microsoft Sentinel
+description: Detect threats in real time with hunting livestream in Microsoft Sentinel. Set up sessions, receive notifications, and take action fast.
 ms.topic: how-to
-ms.date: 04/24/2024
+ms.date: 07/06/2025
 ms.author: monaberdugo
 author: mberdugo
 ms.collection: usx-security
 appliesto:
-    - Microsoft Sentinel in the Microsoft Defender portal
-    - Microsoft Sentinel in the Azure portal
-
-
-#Customer intent: As a security analyst, I want to create and manage hunting livestream sessions so that I can detect and respond to threats in real-time.
-
+  - Microsoft Sentinel in the Microsoft Defender portal
+  - Microsoft Sentinel in the Azure portal
+ms.custom:
+  - ai-gen-docs-bap
+  - ai-gen-description
+  - ai-seo-date:07/06/2025
 ---
 
 # Detect threats by using hunting livestream in Microsoft Sentinel
 
-Use hunting livestream to create interactive sessions that let you test newly created queries as events occur, get notifications from the sessions when a match is found, and launch investigations if necessary. You can quickly create a livestream session using any Log Analytics query.
+Use hunting livestream to create interactive sessions that let you test newly created queries as events occur, get notifications from the sessions when a match is found, and launch investigations if necessary. You can quickly create a livestream session using any Log Analytics query. This article is about hunting in Microsoft Sentinel which also exists in Defender. For advanced hunting in Microsoft Defender, see [Proactively hunt for threats with advanced hunting in Microsoft Defender](/defender-xdr/advanced-hunting-overview).
 
 [!INCLUDE [unified-soc-preview](includes/unified-soc-preview.md)]
 
 ## Create a livestream session
 
 You can create a livestream session from an existing hunting query, or create your session from scratch.
 
-1. For Microsoft Sentinel in the [Azure portal](https://portal.azure.com), under **Threat management**, select **Hunting**.<br> For Microsoft Sentinel in the [Defender portal](https://security.microsoft.com/), select **Microsoft Sentinel** > **Threat management** > **Hunting**.
+1. For Microsoft Sentinel in the [Azure portal](https://portal.azure.com), under **Threat management**, select **Hunting**.<br> For Microsoft Sentinel in the [Defender portal](https://security.microsoft.com/), select **Microsoft Sentinel** > **Threat management** > **Hunting**. Make sure you select *Hunting*, and not *Advanced hunting*.
 
 1. To create a livestream session from a hunting query: