MicrosoftDocs
diff --git a/‎articles/sentinel/media/summary-rules/diagram copy.mmd
Lines changed: 23 additions & 0 deletions b/‎articles/sentinel/media/summary-rules/diagram copy.mmd
Lines changed: 23 additions & 0 deletions
diff --git a/‎articles/sentinel/media/summary-rules/diagram.mmd
Lines changed: 26 additions & 0 deletions b/‎articles/sentinel/media/summary-rules/diagram.mmd
Lines changed: 26 additions & 0 deletions
@@ -0,0 +1,23 @@
+---
+config:
+  look: neo
+  theme: default
+---
+sequenceDiagram
+  actor User as User
+  participant Azure AD as Azure AD
+  participant Azure Monitor as Azure Monitor
+  participant Log Analytics Workspace as Log Analytics Workspace
+  participant VM as VM
+  User ->> Azure AD: 1. Register Microsoft Entra application
+  Azure AD ->> User: Provide Application ID and secret
+  User ->> Azure AD: 2. Assign the Monitoring Metrics Publisher role to the application
+  User ->> Azure Monitor: 3. Deploy ARM template to create a DCE, DCR, and CommonSecurityLog_CL Auxiliary table
+  Azure Monitor ->> User: Provide DCE URI and DCR Immutable ID
+  User ->> VM: 4. Update Logstash configuration file
+  VM ->> Azure Monitor: Send data to DCE
+  Azure Monitor ->> Log Analytics Workspace: Ingest raw data into CommonSecurityLog_CL table
+  User ->> Azure Monitor: 5. Create summary rule
+  VM ->> Azure Monitor: Send data to DCE
+  Azure Monitor ->> Log Analytics Workspace: Ingest raw data into CommonSecurityLog_CL table
+  Azure Monitor ->> Log Analytics Workspace: Ingest aggregated data into a new custom table
@@ -0,0 +1,26 @@
+diagram.mmd
+
+
+---
+config:
+  look: neo
+  theme: default
+---
+sequenceDiagram
+  actor User as User
+  participant Azure AD as Azure AD
+  participant Azure Monitor as Azure Monitor
+  participant Log Analytics Workspace as Log Analytics Workspace
+  participant VM as VM
+  participant P1 as New Participant
+  User ->> Azure AD: 1. Register Microsoft Entra application
+  Azure AD ->> User: Provide Application ID and secret
+  User ->> Azure AD: 2. Assign the Monitoring Metrics Publisher role to the application
+  User ->> Azure Monitor: 3. Create Data Collection Endpoint (DCE)
+  Azure Monitor ->> User: Provide DCE URI
+  User ->> Azure Monitor: 4. Create Data Collection Rule (DCR)
+  Azure Monitor ->> User: Provide DCR Immutable ID
+  User ->> Log Analytics Workspace: 5. Create custom table
+  User ->> VM: 6. Run LogGenerator.ps1 script
+  VM ->> Azure Monitor: Send data to DCE
+  Azure Monitor ->> Log Analytics Workspace: Ingest data into custom table