MicrosoftDocs
diff --git a/‎.openpublishing.redirection.azure-monitor.json
Lines changed: 5 additions & 0 deletions b/‎.openpublishing.redirection.azure-monitor.json
Lines changed: 5 additions & 0 deletions
diff --git a/‎articles/active-directory/roles/security-planning.md
Lines changed: 2 additions & 2 deletions b/‎articles/active-directory/roles/security-planning.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/attestation/audit-logs.md
Lines changed: 60 additions & 108 deletions b/‎articles/attestation/audit-logs.md
Lines changed: 60 additions & 108 deletions
diff --git a/‎articles/attestation/overview.md
Lines changed: 1 addition & 1 deletion b/‎articles/attestation/overview.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/attestation/toc.yml
Lines changed: 2 additions & 0 deletions b/‎articles/attestation/toc.yml
Lines changed: 2 additions & 0 deletions
diff --git a/‎articles/azure-monitor/app/troubleshoot-portal-connectivity.md
Lines changed: 0 additions & 24 deletions b/‎articles/azure-monitor/app/troubleshoot-portal-connectivity.md
Lines changed: 0 additions & 24 deletions
diff --git a/‎articles/azure-monitor/logs/cost-logs.md
Lines changed: 2 additions & 6 deletions b/‎articles/azure-monitor/logs/cost-logs.md
Lines changed: 2 additions & 6 deletions
diff --git a/‎articles/azure-monitor/toc.yml
Lines changed: 0 additions & 4 deletions b/‎articles/azure-monitor/toc.yml
Lines changed: 0 additions & 4 deletions
diff --git a/‎articles/azure-monitor/whats-new.md
Lines changed: 0 additions & 1 deletion b/‎articles/azure-monitor/whats-new.md
Lines changed: 0 additions & 1 deletion
@@ -30,6 +30,11 @@
             "redirect_url": "/azure/azure-monitor/change/change-analysis-visualizations",
             "redirect_document_id": false
         },
+        {
+            "source_path_from_root": "/articles/azure-monitor/app/troubleshoot-portal-connectivity.md",
+            "redirect_url": "https://docs.microsoft.com/troubleshoot/azure/azure-monitor/app-insights/troubleshoot-portal-connectivity",
+            "redirect_document_id": false
+        },
         {
             "source_path_from_root": "/articles/azure-monitor/app/change-analysis-troubleshoot.md",
             "redirect_url": "/azure/azure-monitor/change/change-analysis-troubleshoot",
 
@@ -7,7 +7,7 @@ keywords:
 author: rolyon
 manager: karenhoran
 ms.author: rolyon
-ms.date: 11/04/2021
+ms.date: 04/19/2022
 ms.topic: conceptual
 ms.service: active-directory
 ms.workload: identity
@@ -110,7 +110,7 @@ Evaluate the accounts that are assigned or eligible for the Global Administrator
 
 #### Turn on multi-factor authentication and register all other highly privileged single-user non-federated administrator accounts
 
-Require Azure AD Multi-Factor Authentication (MFA) at sign-in for all individual users who are permanently assigned to one or more of the Azure AD administrator roles: Global Administrator, Privileged Role Administrator, Exchange Administrator, and SharePoint Administrator. Use the guide to enable [Multi-factor Authentication (MFA) for your administrator accounts](../authentication/howto-mfa-userstates.md) and ensure that all those users have registered at [https://aka.ms/mfasetup](https://aka.ms/mfasetup). More information can be found under step 2 and step 3 of the guide [Protect access to data and services in Microsoft 365](https://support.office.com/article/Protect-access-to-data-and-services-in-Office-365-a6ef28a4-2447-4b43-aae2-f5af6d53c68e). 
+Require Azure AD Multi-Factor Authentication (MFA) at sign-in for all individual users who are permanently assigned to one or more of the Azure AD administrator roles: Global Administrator, Privileged Role Administrator, Exchange Administrator, and SharePoint Administrator. Use the guidance at [Enforce multifactor authentication on your administrators](../authentication/how-to-authentication-find-coverage-gaps.md#enforce-multifactor-authentication-on-your-administrators) and ensure that all those users have registered at [https://aka.ms/mfasetup](https://aka.ms/mfasetup). More information can be found under step 2 and step 3 of the guide [Protect user and device access in Microsoft 365](/microsoft-365/compliance/protect-access-to-data-and-services). 
 
 ## Stage 2: Mitigate frequently used attacks
 
 
@@ -11,123 +11,75 @@ ms.author: mbaldwin
 
 ---
 
-# Audit logs for Azure Attestation
+# Azure Attestation logging
 
-Audit logs are secure, immutable, timestamped records of discrete events that happened over time. These logs capture important events that may affect the functionality of your attestation instance.
+If you create one or more Azure Attestation resources, you’ll want to monitor how and when your attestation instance is accessed, and by whom. You can do this by enabling logging for Microsoft Azure Attestation, which saves information in an Azure storage account you provide.  
 
-Azure Attestation manages attestation instances and the policies associated with them. Actions associated with instance management and policy changes are audited and logged.
+Logging information will be available up to 10 minutes after the operation occurred (in most cases, it will be quicker than this). Since you provide the storage account, you can secure your logs via standard Azure access controls and delete logs you no longer want to keep in your storage account. 
 
-This article contains information on the events that are logged, the information collected, and the location of these logs.
+## Interpret your Azure Attestation logs
 
-## About Audit logs
+When logging is enabled, up to three containers may be automatically created for you in your specified storage account:  **insights-logs-auditevent, insights-logs-operational, insights-logs-notprocessed**. It is recommended to only use **insights-logs-operational** and **insights-logs-notprocessed**. **insights-logs-auditevent** was created to provide early access to logs for customers using VBS. Future enhancements to logging will occur in the **insights-logs-operational** and **insights-logs-notprocessed**.  
 
-Azure Attestation uses code to produce audit logs for events that affect the way attestation is performed. This typically boils down to how or when policy changes are made to your attestation instance as well as some admin actions.
+**Insights-logs-operational** contains generic information across all TEE types. 
 
-### Auditable Events
-Here are some of the audit logs we collect:
+**Insights-logs-notprocessed** contains requests which the service was unable to process, typically due to malformed HTTP headers, incomplete message bodies, or similar issues.  
 
-|     Event/API                              |     Event Description                                                                         |
-|--------------------------------------------|-----------------------------------------------------------------------------------------------|
-|     Create Instance                        |     Creates a new instance of an attestation service. |
-|     Destroy Instance                       |     Destroys an instance of an attestation service. |
-|     Add Policy Certificate                 |     Addition of a certificate to the current set of policy management certificates. |
-|     Remove Policy Certificate              |     Remove a certificate from the current set of policy management certificates. |
-|     Set Current Policy                     |     Sets the attestation policy for a given TEE type. |
-|     Reset Attestation Policy               |     Resets the attestation policy for a given TEE type. |
-|     Prepare to Update Policy               |     Prepare to update attestation policy for a given TEE type. |
-|     Rehydrate Tenants After Disaster       |     Re-seals all of the attestation tenants on this instance of the attestation service. This can only be performed by Attestation Service admins. |
+Individual blobs are stored as text, formatted as a JSON blob. Let’s look at an example log entry: 
 
-### Collected  information
-For each of these events, Azure Attestation collects the following information:
 
-- Operation Name
-- Operation Success
-- Operation Caller, which could be any of the following:
-    - Azure AD UPN
-    - Object ID
-    - Certificate
-    - Azure AD Tenant ID
-- Operation Target, which could be any of the following:
-    - Environment
-    - Service Region
-    - Service Role
-    - Service Role Instance
-    - Resource ID
-    - Resource Region
+```json
+{  
+ "Time": "2021-11-03T19:33:54.3318081Z", 
+ "resourceId": "/subscriptions/<subscription ID>/resourceGroups/<resource group name>/providers/Microsoft.Attestation/attestationProviders/<instance name>",
+ "region": "EastUS", 
+ "operationName": "AttestSgxEnclave", 
+ "category": "Operational", 
+ "resultType": "Succeeded", 
+ "resultSignature": "400", 
+ "durationMs": 636, 
+ "callerIpAddress": "::ffff:24.17.183.201", 
+ "traceContext": "{\"traceId\":\"e4c24ac88f33c53f875e5141a0f4ce13\",\"parentId\":\"0000000000000000\",}", 
+ "identity": "{\"callerAadUPN\":\"[email protected]\",\"callerAadObjectId\":\"6ab02abe-6ca2-44ac-834d-42947dbde2b2\",\"callerId\":\"[email protected]\"}",
+ "uri": "https://deschumatestrp.eus.test.attest.azure.net:443/attest/SgxEnclave?api-version=2018-09-01-preview", 
+ "level": "Informational", 
+ "location": "EastUS", 
+ "properties": 
+  { 
+    "failureResourceId": "", 
+    "failureCategory": "None", 
+    "failureDetails": "", 
+    "infoDataReceived": 
+    { 
+      "Headers": 
+      { 
+      "User-Agent": "PostmanRuntime/7.28.4" 
+      }, 
+      "HeaderCount": 10,
+      "ContentType": "application/json",
+      "ContentLength": 6912, 
+      "CookieCount": 0, 
+      "TraceParent": "" 
+    } 
+   } 
+ } 
+```
 
-### Sample Audit log
+Most of these fields are documented in the [Top-level common schema](/azure-monitor/essentials/resource-logs-schema#top-level-common-schema). The following table lists the field names and descriptions for the entries not included in the top-level common schema: 
 
-Audit logs are provided in JSON format. Here is an example of what an audit log may look like.
+|     Field Name                           |     Description                                                                         |
+|------------------------------------------|-----------------------------------------------------------------------------------------------|
+|     traceContext                        |     JSON blob representing the W3C trace-context |
+|    uri                       |     Request URI  |
 
-```json
-{
-    "operationName": "SetCurrentPolicy",
-    "resultType": "Success",
-    "resultDescription": null,
-    "auditEventCategory": [
-        "ApplicationManagement"
-    ],
-    "nCloud": null,
-    "requestId": null,
-    "callerIpAddress": null,
-    "callerDisplayName": null,
-    "callerIdentities": [
-        {
-            "callerIdentityType": "ObjectID",
-            "callerIdentity": "<some object ID>"
-        },
-        {
-            "callerIdentityType": "TenantId",
-            "callerIdentity": "<some tenant ID>"
-        }
-    ],
-    "targetResources": [
-        {
-            "targetResourceType": "Environment",
-            "targetResourceName": "PublicCloud"
-        },
-        {
-            "targetResourceType": "ServiceRegion",
-            "targetResourceName": "EastUS2"
-        },
-        {
-            "targetResourceType": "ServiceRole",
-            "targetResourceName": "AttestationRpType"
-        },
-        {
-            "targetResourceType": "ServiceRoleInstance",
-            "targetResourceName": "<some service role instance>"
-        },
-        {
-            "targetResourceType": "ResourceId",
-            "targetResourceName": "/subscriptions/<some subscription ID>/resourceGroups/<some resource group name>/providers/Microsoft.Attestation/attestationProviders/<some instance name>"
-        },
-        {
-            "targetResourceType": "ResourceRegion",
-            "targetResourceName": "EastUS2"
-        }
-    ],
-    "ifxAuditFormat": "Json",
-    "env_ver": "2.1",
-    "env_name": "#Ifx.AuditSchema",
-    "env_time": "2020-11-23T18:23:29.9427158Z",
-    "env_epoch": "MKZ6G",
-    "env_seqNum": 1277,
-    "env_popSample": 0.0,
-    "env_iKey": null,
-    "env_flags": 257,
-    "env_cv": "##00000000-0000-0000-0000-000000000000_00000000-0000-0000-0000-000000000000_00000000-0000-0000-0000-000000000000",
-    "env_os": null,
-    "env_osVer": null,
-    "env_appId": null,
-    "env_appVer": null,
-    "env_cloud_ver": "1.0",
-    "env_cloud_name": null,
-    "env_cloud_role": null,
-    "env_cloud_roleVer": null,
-    "env_cloud_roleInstance": null,
-    "env_cloud_environment": null,
-    "env_cloud_location": null,
-    "env_cloud_deploymentUnit": null
-}
-```
+The properties contain additional Azure attestation specific context: 
+
+|     Field Name                           |     Description                                                                         |
+|------------------------------------------|-----------------------------------------------------------------------------------------------|
+|     failureResourceId                        |     Resource ID of component which resulted in request failure  |
+|    failureCategory                       |     Broad category indicating category of a request failure. Includes categories such as AzureNetworkingPhysical, AzureAuthorization etc.   |
+|    failureDetails                       |     Detailed information about a request failure, if available   |
+|    infoDataReceived                       |     Information about the request received from the client. Includes some HTTP headers, the number of headers received, the content type and content length    |
+
+## Next steps
+- [How to enable Microsoft Azure Attestation logging ](azure-diagnostic-monitoring.md)
@@ -46,7 +46,7 @@ OE standardizes specific requirements for verification of an enclave evidence. T
 
 Client applications can be designed to take advantage of TPM attestation by delegating security-sensitive tasks to only take place after a platform has been validated to be secure. Such applications can then make use of Azure Attestation to routinely establish trust in the platform and its ability to access sensitive data.
 
-### Azure Confidential VM attestation 
+### AMD SEV-SNP attestation 
 
 Azure [Confidential VM](../confidential-computing/confidential-vm-overview.md) (CVM) is based on [AMD processors with SEV-SNP technology](../confidential-computing/virtual-machine-solutions-amd.md) and aims to improve VM security posture by removing trust in host, hypervisor and Cloud Service Provider (CSP). To achieve this, CVM offers VM OS disk encryption option with platform-managed keys and binds the disk encryption keys to the virtual machine's TPM. When a CVM boots up, SNP report containing the guest VM firmware measurements will be sent to Azure Attestation. The service validates the measurements and issues an attestation token that is used to release keys from [Managed-HSM](../key-vault/managed-hsm/overview.md) or [Azure Key Vault](../key-vault/general/basic-concepts.md). These keys are used to decrypt the vTPM state of the guest VM, unlock the OS disk and start the CVM. The attestation and key release process is performed automatically on each CVM boot, and the process ensures the CVM boots up only upon successful attestation of the hardware.
 
 
@@ -47,6 +47,8 @@
         href: claim-sets.md
   - name: Workflow
     href: workflow.md
+  - name: Azure Attestation logging
+    href: audit-logs.md
 - name: References
   items:
   - name: Regional availability
 
@@ -41,20 +41,16 @@ Some solutions have more specific policies about free data ingestion. For exampl
 See the documentation for different services and solutions for any unique billing calculations.
 
 ## Commitment Tiers
-In addition to the Pay-As-You-Go model, Log Analytics has **Commitment Tiers**, which can save you as much as 30 percent compared to the Pay-As-You-Go price. With commitment tier pricing, you can commit to buy data ingestion starting at 100 GB/day at a lower price than Pay-As-You-Go pricing. Any usage above the commitment level (overage) is billed at that same price per GB as provided by the current commitment tier. The commitment tiers have a 31-day commitment period from the time a commitment tier is selected. 
+In addition to the Pay-As-You-Go model, Log Analytics has **Commitment Tiers**, which can save you as much as 30 percent compared to the Pay-As-You-Go price. With commitment tier pricing, you can commit to buy data ingestion for a workspace, starting at 100 GB/day, at a lower price than Pay-As-You-Go pricing. Any usage above the commitment level (overage) is billed at that same price per GB as provided by the current commitment tier. The commitment tiers have a 31-day commitment period from the time a commitment tier is selected. 
 
 - During the commitment period, you can change to a higher commitment tier (which restarts the 31-day commitment period), but you can't move back to Pay-As-You-Go or to a lower commitment tier until after you finish the commitment period. 
 - At the end of the commitment period, the workspace retains the selected commitment tier, and the workspace can be moved to Pay-As-You-Go or to a different commitment tier at any time. 
 
-Billing for the commitment tiers is done on a daily basis. See [Azure Monitor pricing](https://azure.microsoft.com/pricing/details/monitor/) for a detailed listing of the commitment tiers and their prices. 
+Billing for the commitment tiers is done per workspace on a daily basis. If the workspace is part of a [dedicated cluster](#dedicated-clusters), the billing is done for the cluster (see below). See [Azure Monitor pricing](https://azure.microsoft.com/pricing/details/monitor/) for a detailed listing of the commitment tiers and their prices. 
 
 > [!TIP]
 > The **Usage and estimated costs** menu item for each Log Analytics workspace hows an estimate of your monthly charges at each commitment level. You should periodically review this information to determine if you can reduce your charges by moving to another tier. See [Usage and estimated costs](../usage-estimated-costs.md#usage-and-estimated-costs) for information on this view.
 
-
-> [!NOTE]
-> Starting June 2, 2021, **Capacity Reservations** were renamed to **Commitment Tiers**. Data collected above your commitment tier level (overage) is now billed at the same price-per-GB as the current commitment tier level, lowering costs compared to the old method of billing at the Pay-As-You-Go rate, and reducing the need for users with large data volumes to fine-tune their commitment level. Three new commitment tiers were also added: 1000, 2000, and 5000 GB/day. 
-
 ## Dedicated clusters
 An [Azure Monitor Logs dedicated cluster](logs-dedicated-clusters.md) is a collection of workspaces in a single managed Azure Data Explorer cluster. Dedicated clusters support advanced features such as [customer-managed keys](customer-managed-keys.md) and use the same commitment tier pricing model as workspaces although they must have a commitment level of at least 500 GB/day. Any usage above the commitment level (overage) is billed at that same price per GB as provided by the current commitment tier.  There is no Pay-As-You-Go option for clusters. 
 
 
@@ -785,10 +785,6 @@ items:
       href: app/app-insights-overview.md
     - name: FAQ
       href: /azure/azure-monitor/faq#application-insights
-    - name: Troubleshooting
-      items:
-      - name: Error retrieving data in Portal
-        href: app/troubleshoot-portal-connectivity.md
     - name: Auto-instrumentation
       items:
       - name: Overview
 
@@ -29,7 +29,6 @@ This article lists significant changes to Azure Monitor documentation.
 
 **New articles**
 
-- [Error retrieving data message on Application Insights portal](app/troubleshoot-portal-connectivity.md)
 - [Troubleshooting Azure Application Insights auto-instrumentation](app/auto-instrumentation-troubleshoot.md)
 
 **Updated articles**