Merge pull request #49450 from priyamohanram/TSGs

ktoliver · web-flow · commit e45923d8150b · 2018-08-20T13:45:08.000-07:00
Add TSGs
diff --git a/articles/active-directory/TOC.md b/articles/active-directory/TOC.md
@@ -112,9 +112,9 @@
 #### [Interpret the sign-in log schema in Azure Monitor](reports-monitoring/reference-azure-monitor-sign-ins-log-schema.md)
 
 ### Troubleshoot
-#### [Missing audit data](reports-monitoring/troubleshoot-missing-audit-data.md)
+#### [Missing data in Azure AD activity logs](reports-monitoring/troubleshoot-missing-audit-data.md)
 #### [Missing data in downloads](reports-monitoring/troubleshoot-missing-data-download.md)
-#### [Azure AD Activity logs content pack errors](reports-monitoring/troubleshoot-content-pack.md)
+#### [Azure AD activity logs content pack errors](reports-monitoring/troubleshoot-content-pack.md)
 #### [Errors in Azure AD Reporting API](reports-monitoring/troubleshoot-graph-api.md)
 
 ###	[Programmatic Access](reports-monitoring/concept-reporting-api.md)
diff --git a/articles/active-directory/reports-monitoring/media/troubleshoot-missing-audit-data/02.png b/articles/active-directory/reports-monitoring/media/troubleshoot-missing-audit-data/02.png
diff --git a/articles/active-directory/reports-monitoring/media/troubleshoot-missing-audit-data/03.png b/articles/active-directory/reports-monitoring/media/troubleshoot-missing-audit-data/03.png
diff --git a/articles/active-directory/reports-monitoring/overview-activity-logs-in-azure-monitor.md b/articles/active-directory/reports-monitoring/overview-activity-logs-in-azure-monitor.md
@@ -131,6 +131,16 @@ This section answers frequently asked questions and discusses known issues with
 
 ---
 
+**Q: How do I integrate Azure AD activity logs with my SIEM system?**
+
+**A**: You can do this in two ways:
+
+- Use Azure Monitor with Event Hubs to stream logs to your SIEM system. First, [stream the logs to an event hub](quickstart-azure-monitor-stream-logs-to-event-hub.md) and then [set up your SIEM tool](quickstart-azure-monitor-stream-logs-to-event-hub.md#access-data-from-your-event-hub) with the configured event hub. 
+
+- Use the [Reporting Graph API](concept-reporting-api.md) to access the data, and push it into the SIEM system using your own scripts.
+
+---
+
 **Q: What SIEM tools are currently supported?** 
 
 **A**: Currently, Azure Monitor is supported by [Splunk](tutorial-integrate-activity-logs-with-splunk.md), QRadar, and [Sumo Logic](https://help.sumologic.com/Send-Data/Applications-and-Other-Data-Sources/Azure_Active_Directory). For more information about how the connectors work, see [Stream Azure monitoring data to an event hub for consumption by an external tool](../../monitoring-and-diagnostics/monitor-stream-monitoring-data-event-hubs.md).
diff --git a/articles/active-directory/reports-monitoring/reports-faq.md b/articles/active-directory/reports-monitoring/reports-faq.md
@@ -128,6 +128,12 @@ This article includes answers to frequently asked questions about Azure Active D
 
 ---
 
+**Q: What does the risk event "Sign-in with additional risk detected" signify?**
+
+**A:** To give you an insight into all the risky sign-ins in your environment, "Sign-in with additional risk detected" functions as placeholder for sign-ins for detections that are exclusive to Azure AD Identity Protection subscribers.
+
+---
+
 ## Conditional access
 
 **Q: What's new with this feature?**
diff --git a/articles/active-directory/reports-monitoring/troubleshoot-missing-audit-data.md b/articles/active-directory/reports-monitoring/troubleshoot-missing-audit-data.md
@@ -1,7 +1,7 @@
 ---
 
-title: 'Troubleshoot: Missing data in the Azure Active Directory activity log  | Microsoft Docs'
-description: Lists the various available reports for Azure Active Directory
+title: 'Troubleshoot Missing data in the Azure Active Directory activity logs  | Microsoft Docs'
+description: Provides you with a resolution to missing data in Azure Active Directory activity logs.
 services: active-directory
 documentationcenter: ''
 author: priyamohanram
@@ -21,17 +21,38 @@ ms.reviewer: dhanyahk
 
 ---
 
-# Troubleshoot: Missing data in the Azure Active Directory activity log 
+# Troubleshoot: Missing data in the Azure Active Directory activity logs 
 
+## I can't find audit logs for recent actions in the Azure portal
 
-## Symptoms
+### Symptoms
 
 I performed some actions in the Azure portal and expected to see the audit logs for those actions in the `Activity logs > Audit Logs` blade, but I can’t find them.
 
  ![Reporting](./media/troubleshoot-missing-audit-data/01.png)
  
+### Cause
 
-## Cause
+Actions don’t appear immediately in the activity logs. The table below enumerates our latency numbers for activity logs. 
+
+| Report | &nbsp; | Latency (P95) | Latency (P99) |
+|--------|--------|---------------|---------------|
+| Directory audit | &nbsp; | 2 mins | 5 mins |
+| Sign-in activity | &nbsp; | 2 mins | 5 mins | 
+
+### Resolution
+
+Wait for 15 minutes to two hours and see if the actions appear in the log. If you don’t see the logs even after two hours, please [file a support ticket](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/newsupportrequest) and we will look into it.
+
+## I can’t find recent user sign-ins in the Azure Active Directory sign-ins activity log
+
+### Symptoms
+
+I recently signed into the Azure portal and expected to see the sign-in logs for those actions in the `Activity logs > Sign-ins` blade, but I can’t find them.
+
+ ![Reporting](./media/troubleshoot-missing-audit-data/02.png)
+ 
+### Cause
 
 Actions don’t appear immediately in the activity logs. The table below enumerates our latency numbers for activity logs. 
 
@@ -40,13 +61,36 @@ Actions don’t appear immediately in the activity logs. The table below enumera
 | Directory audit | &nbsp; | 2 mins | 5 mins |
 | Sign-in activity | &nbsp; | 2 mins | 5 mins | 
 
-## Resolution
+### Resolution
 
 Wait for 15 minutes to two hours and see if the actions appear in the log. If you don’t see the logs even after two hours, please [file a support ticket](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/newsupportrequest) and we will look into it.
 
+## I can't view more than 30 days of report data in the Azure portal
+
+### Symptoms
+
+I can't view more than 30 days of sign-in and audit data from the Azure portal. Why? 
+
+ ![Reporting](./media/troubleshoot-missing-audit-data/03.png)
+
+### Cause
+
+Depending on your license, Azure Active Directory Actions stores activity reports for the following durations:
+
+| Report           | &nbsp; |  Azure AD Free | Azure AD Premium P1 | Azure AD Premium P2 |
+| ---              | ----   |  ---           | ---                 | ---                 |
+| Directory Audit  | &nbsp; |	7 days	   | 30 days             | 30 days             |
+| Sign-in Activity | &nbsp; | Not available. You can access your own sign-ins for 7 days from the individual user profile blade | 30 days | 30 days             |
+
+For more information, see [Azure Active Directory report retention policies](reference-reports-data-retention.md).  
+
+### Resolution
+
+You have two options to retain the data for longer than 30 days. You can use the [Azure AD Reporting APIs](concept-reporting-api.md) to retrieve the data programmatically and store it in a database. Alternatively, you can integrate audit logs into a third party SIEM system like Splunk or SumoLogic.
 
 ## Next steps
 
+* [Azure AD reporting retention](reference-reports-data-retention.md).
 * [Azure Active Directory reporting latencies](reference-reports-latencies.md).
 * [Azure Active Directory reporting FAQ](reports-faq.md).
 
