
Commit ec54bc6

Merge pull request #290273 from batamig/freshness-nov
nov freshness
2 parents 5625e2a + 8bf011f commit ec54bc6

28 files changed

+501
-711
lines changed

articles/sentinel/TOC.yml

Lines changed: 3 additions & 5 deletions
@@ -313,7 +313,7 @@
313313
href: data-connectors/azure-cognitive-search.md
314314
- name: Azure DDoS Protection
315315
href: data-connectors/azure-ddos-protection.md
316-
- name: Azure Event Hub
316+
- name: Azure Event Hubs
317317
href: data-connectors/azure-event-hub.md
318318
- name: Azure Firewall
319319
href: data-connectors/azure-firewall.md
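Review bot: The display name is now "Azure Event Hubs" while the href still points at data-connectors/azure-event-hub.md (singular). That is fine for a TOC entry, but confirm the article's own title and H1 were updated to the plural product name as well, so the TOC label and the page heading agree.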
@@ -703,8 +703,6 @@
703703
href: connect-dns-ama.md
704704
- name: Logstash plugin with Data Collection Rules
705705
href: connect-logstash-data-connection-rules.md
706-
- name: Microsoft Sentinel Data Collector API
707-
href: connect-rest-api-template.md
708706
- name: Connection instructions for service
709707
items:
710708
- name: Amazon Web Services logs
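Review bot: Removing the "Microsoft Sentinel Data Collector API" entry orphans connect-rest-api-template.md unless that file is deleted or redirected in the same PR; this hunk only drops the TOC lines. Add a redirect for connect-rest-api-template.md (or delete the file) and check for remaining inbound links to it elsewhere in the docset.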
@@ -1065,8 +1063,8 @@
10651063
href: enroll-simplified-pricing-tier.md
10661064
- name: Optimize costs with pre-purchase plan
10671065
href: billing-pre-purchase-plan.md
1068-
- name: Tutorial - Configure data retention policy
1069-
href: configure-data-retention.md
1066+
- name: Manage data retention
1067+
href: /azure/azure-monitor/logs/data-retention-configure?toc=/azure/sentinel/TOC.json&bc=/azure/sentinel/breadcrumb/toc.json
10701068
- name: Auxiliary logs use cases
10711069
href: basic-logs-use-cases.md
10721070
- name: Connect Microsoft Sentinel to Microsoft Defender XDR
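Review bot: The new "Manage data retention" entry replaces a local tutorial (configure-data-retention.md) with a cross-docset link to /azure/azure-monitor/logs/data-retention-configure; the old file needs a redirect so existing bookmarks and search results don't 404, and since the Sentinel TOC now has no retention page of its own, confirm the Azure Monitor article covers the Sentinel-specific points the removed tutorial had. The ?toc=...&bc=... query string correctly keeps the reader inside the Sentinel TOC and breadcrumb.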

articles/sentinel/audit-sentinel-data.md

Lines changed: 14 additions & 17 deletions
@@ -3,7 +3,7 @@ title: Audit Microsoft Sentinel queries and activities | Microsoft Docs
33
description: This article describes how to audit queries and activities performed in Microsoft Sentinel.
44
author: batamig
55
ms.topic: how-to
6-
ms.date: 09/26/2024
6+
ms.date: 11/12/2024
77
ms.author: bagol
88

99
#Customer intent: As a security analyst, I want to audit queries and activities in my SOC environment so that I can ensure compliance and monitor security operations effectively.
@@ -15,14 +15,12 @@ This article describes how you can view audit data for queries run and activitie
1515

1616
Microsoft Sentinel provides access to:
1717

18-
- The **AzureActivity** table, which provides details about all actions taken in Microsoft Sentinel, such as editing alert rules. The **AzureActivity** table does not log specific query data. For more information, see [Auditing with Azure Activity logs](#auditing-with-azure-activity-logs).
18+
- The **AzureActivity** table, which provides details about all actions taken in Microsoft Sentinel, such as editing alert rules. The **AzureActivity** table doesn't log specific query data. For more information, see [Auditing with Azure Activity logs](#auditing-with-azure-activity-logs).
1919

2020
- The **LAQueryLogs** table, which provides details about the queries run in Log Analytics, including queries run from Microsoft Sentinel. For more information, see [Auditing with LAQueryLogs](#auditing-with-laquerylogs).
2121

2222
> [!TIP]
23-
> In addition to the manual queries described in this article, Microsoft Sentinel provides a built-in workbook to help you audit the activities in your SOC environment.
24-
>
25-
> In the Microsoft Sentinel **Workbooks** area, search for the **Workspace audit** workbook.
23+
> In addition to the manual queries described in this article, we recommend that you use the built-in **Workspace audit** workbook help you audit the activities in your SOC environment. For more information, see [Visualize and monitor your data by using workbooks in Microsoft Sentinel](monitor-your-data.md).
2624
2725
## Prerequisites
2826

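Review bot: Grammar in the rewritten tip at line 23: "workbook help you audit" is missing "to"; it should read "use the built-in **Workspace audit** workbook to help you audit the activities in your SOC environment". The rewrite also drops the navigation hint from the removed lines (Workbooks area, search for Workspace audit); if monitor-your-data.md doesn't say where to find that specific workbook, keep a short pointer here.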
@@ -34,13 +32,16 @@ Microsoft Sentinel provides access to:
3432

3533
Microsoft Sentinel's audit logs are maintained in the [Azure Activity Logs](/azure/azure-monitor/essentials/platform-logs-overview), where the **AzureActivity** table includes all actions taken in your Microsoft Sentinel workspace.
3634

37-
You can use the **AzureActivity** table when auditing activity in your SOC environment with Microsoft Sentinel.
35+
Use the **AzureActivity** table when auditing activity in your SOC environment with Microsoft Sentinel.
3836

3937
**To query the AzureActivity table**:
4038

41-
1. Connect the [Azure Activity](./data-connectors/azure-activity.md) data source to start streaming audit events into a new table called `AzureActivity`. In the Azure portal, query this table in the **[Logs](hunts-custom-queries.md)** page. In the Defender portal, query this table in the **Investigation & response > Hunting > [Advanced hunting](/defender-xdr/advanced-hunting-overview)** page. For more information, see
39+
1. Install the **Azure Activity solution for Sentinel** solution and connect the [Azure Activity](./data-connectors/azure-activity.md) data connector to start streaming audit events into a new table called `AzureActivity`.
40+
41+
1. Query the data using Kusto Query Language (KQL), like you would any other table:
4242

43-
1. Query the data using KQL, like you would any other table.
43+
- In the Azure portal, query this table in the **[Logs](hunts-custom-queries.md)** page.
44+
- In Microsoft's unified security operations platform, query this table in the **Investigation & response > Hunting > [Advanced hunting](/defender-xdr/advanced-hunting-overview)** page.
4445

4546
The **AzureActivity** table includes data from many services, including Microsoft Sentinel. To filter in only data from Microsoft Sentinel, start your query with the following code:
4647

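Review bot: Step 1 reads "Install the **Azure Activity solution for Sentinel** solution", which repeats "solution"; drop the trailing word or bold the complete product name. The second sub-bullet switches terminology from "Defender portal" (in the removed text) to "Microsoft's unified security operations platform" while still linking the Defender XDR advanced hunting article; pick one term and use it consistently with the rest of the article. Also make sure the two `-` sub-bullets are indented under step 2 so they render inside the numbered list instead of restarting it.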
@@ -96,9 +97,7 @@ Microsoft Sentinel's audit logs are maintained in the [Azure Activity Logs](/azu
9697
|**Updated** | Alert rules<br>Bookmarks <br> Cases <br> Data connectors <br>Incidents <br>Incident comments <br>Threat intelligence reports <br> Workbooks <br>Workflow |
9798

9899

99-
You can also use the Azure Activity logs to check for user authorizations and licenses.
100-
101-
For example, the following table lists selected operations found in Azure Activity logs with the specific resource the log data is pulled from.
100+
You can also use the Azure Activity logs to check for user authorizations and licenses. For example, the following table lists selected operations found in Azure Activity logs with the specific resource the log data is pulled from.
102101

103102
|Operation name| Resource type|
104103
|----|----|
@@ -161,7 +160,7 @@ The following sections show more sample queries to run on the **LAQueryLogs** ta
161160
162161
### The number of queries run where the response wasn't "OK"
163162
164-
The following **LAQueryLogs** table query shows the number of queries run, where anything other than an HTTP response of **200 OK** was received. For example, this number will include queries that had failed to run.
163+
The following **LAQueryLogs** table query shows the number of queries run, where anything other than an HTTP response of **200 OK** was received. For example, this number includes queries that had failed to run.
165164
166165
```kql
167166
LAQueryLogs
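Review bot: Tense at line 163: "queries that had failed to run" should be "queries that failed to run" now that the sentence is in the present tense ("this number includes"). The heading says the response wasn't "OK" while the body says anything other than HTTP **200 OK**; aligning the two (for example, "wasn't 200 OK" in the heading) makes the section easier to find.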
@@ -200,7 +199,7 @@ LAQueryLogs
200199

201200
## Configuring alerts for Microsoft Sentinel activities
202201

203-
You may want to use Microsoft Sentinel auditing resources to create proactive alerts.
202+
You might want to use Microsoft Sentinel auditing resources to create proactive alerts.
204203

205204
For example, if you have sensitive tables in your Microsoft Sentinel workspace, use the following query to notify you each time those tables are queried:
206205

@@ -234,8 +233,6 @@ Use Microsoft Sentinel's own features to monitor events and actions that occur w
234233

235234
- **Monitor data connector health** using the [Connector Health Push Notification Solution](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Send-ConnectorHealthStatus) playbook to watch for stalled or stopped ingestion, and send notifications when a connector has stopped collecting data or machines have stopped reporting.
236235

237-
## Next steps
238-
239-
In Microsoft Sentinel, use the **Workspace audit** workbook to audit the activities in your SOC environment.
236+
## Next step
240237

241-
For more information, see [Visualize and monitor your data](monitor-your-data.md).
238+
In Microsoft Sentinel, use the **Workspace audit** workbook to audit the activities in your SOC environment. For more information, see [Visualize and monitor your data](monitor-your-data.md).

articles/sentinel/automate-incident-handling-with-automation-rules.md

Lines changed: 1 addition & 1 deletion
@@ -189,7 +189,7 @@ Actions can be defined to run when the conditions (see above) are met. You can d
189189

190190
- Changing the status of an incident, keeping your workflow up to date.
191191

192-
- When changing to “closed,” specifying the [closing reason](investigate-cases.md#closing-an-incident) and adding a comment. This helps you keep track of your performance and effectiveness, and fine-tune to reduce [false positives](false-positives.md).
192+
- When changing to “closed,” specifying the [closing reason](investigate-cases.md#close-an-incident) and adding a comment. This helps you keep track of your performance and effectiveness, and fine-tune to reduce [false positives](false-positives.md).
193193

194194
- Changing the severity of an incident – you can reevaluate and reprioritize based on the presence, absence, values, or attributes of entities involved in the incident.
195195
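Review bot: The anchor change from #closing-an-incident to #close-an-incident only helps if the heading in investigate-cases.md was actually renamed; verify the target heading exists in that file, and search the repo for other links to the old #closing-an-incident fragment so they get the same fix in this PR rather than breaking later.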

articles/sentinel/best-practices-data.md

Lines changed: 13 additions & 13 deletions
@@ -3,8 +3,8 @@ title: Best practices for data collection in Microsoft Sentinel
33
description: Learn about best practices to employ when connecting data sources to Microsoft Sentinel.
44
author: yelevin
55
ms.author: yelevin
6-
ms.topic: conceptual
7-
ms.date: 01/09/2023
6+
ms.topic: concept-article
7+
ms.date: 11/12/2024
88

99

1010
#Customer intent: As a security analyst, I want to implement best practices for Microsoft Sentinel data collection so that I can optimize log ingestion, reduce costs, and enhance security monitoring.
@@ -21,7 +21,7 @@ Learn how to [prioritize your data connectors](prioritize-data-connectors.md) as
2121

2222
## Filter your logs before ingestion
2323

24-
You may want to filter the logs collected, or even log content, before the data is ingested into Microsoft Sentinel. For example, you may want to filter out logs that are irrelevant or unimportant to security operations, or you may want to remove unwanted details from log messages. Filtering message content may also be helpful when trying to drive down costs when working with Syslog, CEF, or Windows-based logs that have many irrelevant details.
24+
You might want to filter the logs collected, or even log content, before the data is ingested into Microsoft Sentinel. For example, you might want to filter out logs that are irrelevant or unimportant to security operations, or you might want to remove unwanted details from log messages. Filtering message content might also be helpful when trying to drive down costs when working with Syslog, CEF, or Windows-based logs that have many irrelevant details.
2525

2626
Filter your logs using one of the following methods:
2727

@@ -37,7 +37,7 @@ Filter your logs using one of the following methods:
3737
3838
## Alternative data ingestion requirements
3939

40-
Standard configuration for data collection may not work well for your organization, due to various challenges. The following tables describe common challenges or requirements, and possible solutions and considerations.
40+
Standard configuration for data collection might not work well for your organization, due to various challenges. The following tables describe common challenges or requirements, and possible solutions and considerations.
4141

4242
> [!NOTE]
4343
> Many solutions listed in the following sections require a custom data connector. For more information, see [Resources for creating Microsoft Sentinel custom connectors](create-custom-connector.md).
@@ -48,12 +48,12 @@ Standard configuration for data collection may not work well for your organizati
4848

4949
|Challenge / Requirement |Possible solutions |Considerations |
5050
|---------|---------|---------|
51-
|**Requires log filtering** | Use Logstash <br><br>Use Azure Functions <br><br> Use LogicApps <br><br> Use custom code (.NET, Python) | While filtering can lead to cost savings, and ingests only the required data, some Microsoft Sentinel features aren't supported, such as [UEBA](identify-threats-with-entity-behavior-analytics.md), [entity pages](entity-pages.md), [machine learning](bring-your-own-ml.md), and [fusion](fusion.md). <br><br>When configuring log filtering, make updates in resources such as threat hunting queries and analytics rules |
51+
|**Requires log filtering** | Use Logstash <br><br>Use Azure Functions <br><br> Use LogicApps <br><br> Use custom code (.NET, Python) | While filtering can lead to cost savings, and ingests only the required data, some Microsoft Sentinel features aren't supported, such as [UEBA](identify-threats-with-entity-behavior-analytics.md), [entity pages](entity-pages.md), [machine learning](bring-your-own-ml.md), and [fusion](fusion.md). <br><br>When configuring log filtering, make updates in resources such as threat hunting queries and analytics rules. |
5252
|**Agent cannot be installed** |Use Windows Event Forwarding, supported with the [Azure Monitor Agent](connect-windows-security-events.md#connector-options) | Using Windows Event forwarding lowers load-balancing events per second from the Windows Event Collector, from 10,000 events to 500-1000 events.|
5353
|**Servers do not connect to the internet** | Use the [Log Analytics gateway](/azure/azure-monitor/agents/gateway) | Configuring a proxy to your agent requires extra firewall rules to allow the Gateway to work. |
54-
|**Requires tagging and enrichment at ingestion** |Use Logstash to inject a ResourceID <br><br>Use an ARM template to inject the ResourceID into on-premises machines <br><br>Ingest the resource ID into separate workspaces | Log Analytics doesn't support RBAC for custom tables <br><br>Microsoft Sentinel doesn’t support row-level RBAC <br><br>**Tip**: You may want to adopt cross workspace design and functionality for Microsoft Sentinel. |
54+
|**Requires tagging and enrichment at ingestion** |Use Logstash to inject a ResourceID <br><br>Use an ARM template to inject the ResourceID into on-premises machines <br><br>Ingest the resource ID into separate workspaces | Log Analytics doesn't support role-based access control (RBAC) for custom tables. <br><br>Microsoft Sentinel doesn’t support row-level RBAC. <br><br>**Tip**: You might want to adopt cross workspace design and functionality for Microsoft Sentinel. |
5555
|**Requires splitting operation and security logs** | Use the [Microsoft Monitor Agent or Azure Monitor Agent](connect-windows-security-events.md) multi-home functionality | Multi-home functionality requires more deployment overhead for the agent. |
56-
|**Requires custom logs** | Collect files from specific folder paths <br><br>Use API ingestion <br><br>Use PowerShell <br><br>Use Logstash | You may have issues filtering your logs. <br><br>Custom methods aren't supported. <br><br>Custom connectors may require developer skills. |
56+
|**Requires custom logs** | Collect files from specific folder paths <br><br>Use API ingestion <br><br>Use PowerShell <br><br>Use Logstash | You might have issues filtering your logs. <br><br>Custom methods aren't supported. <br><br>Custom connectors might require developer skills. |
5757

5858

5959
### On-premises Linux log collection
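Review bot: Two issues in the unchanged rows of this table are missed by the freshness pass: line 55 names the "Microsoft Monitor Agent", which should be "Microsoft Monitoring Agent" (the page itself calls it the "Microsoft Monitoring (Log Analytics) agent" further down), and line 52's "Agent cannot be installed" doesn't follow the contraction style ("doesn't", "isn't") this PR applies to the other cells. Also, "Custom methods aren't supported." in the custom logs row at line 56 is too vague to act on; say what "custom methods" means here and which support channel the statement refers to.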
@@ -63,7 +63,7 @@ Standard configuration for data collection may not work well for your organizati
6363
|**Requires log filtering** | Use Syslog-NG <br><br>Use Rsyslog <br><br>Use FluentD configuration for the agent <br><br> Use the Azure Monitor Agent/Microsoft Monitoring Agent <br><br> Use Logstash | Some Linux distributions might not be supported by the agent. <br> <br>Using Syslog or FluentD requires developer knowledge. <br><br>For more information, see [Connect to Windows servers to collect security events](connect-windows-security-events.md) and [Resources for creating Microsoft Sentinel custom connectors](create-custom-connector.md). |
6464
|**Agent cannot be installed** | Use a Syslog forwarder, such as (syslog-ng or rsyslog. | |
6565
|**Servers do not connect to the internet** | Use the [Log Analytics gateway](/azure/azure-monitor/agents/gateway) | Configuring a proxy to your agent requires extra firewall rules to allow the Gateway to work. |
66-
|**Requires tagging and enrichment at ingestion** | Use Logstash for enrichment, or custom methods, such as API or Event Hubs. | You may have extra effort required for filtering. |
66+
|**Requires tagging and enrichment at ingestion** | Use Logstash for enrichment, or custom methods, such as API or Event Hubs. | You might have extra effort required for filtering. |
6767
|**Requires splitting operation and security logs** | Use the [Azure Monitor Agent](connect-windows-security-events.md) with the multi-homing configuration. | |
6868
|**Requires custom logs** | Create a custom collector using the Microsoft Monitoring (Log Analytics) agent. | |
6969

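Review bot: Unbalanced parenthesis at line 64 (unchanged): "Use a Syslog forwarder, such as (syslog-ng or rsyslog." should be "Use a Syslog forwarder, such as syslog-ng or rsyslog." Since this PR touches the table anyway, also check line 63, where the Linux log-filtering row links to "Connect to Windows servers to collect security events" (connect-windows-security-events.md); that looks copied from the Windows table, and a Syslog or Linux collection article would be the right target.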
@@ -85,7 +85,7 @@ If you need to collect Microsoft Office data, outside of the standard connector
8585

8686
|Challenge / Requirement |Possible solutions |Considerations |
8787
|---------|---------|---------|
88-
|**Collect raw data from Teams, message trace, phishing data, and so on** | Use the built-in [Office 365 connector](./data-connectors/office-365.md) functionality, and then create a custom connector for other raw data. | Mapping events to the corresponding recordID may be challenging. |
88+
|**Collect raw data from Teams, message trace, phishing data, and so on** | Use the built-in [Office 365 connector](./data-connectors/office-365.md) functionality, and then create a custom connector for other raw data. | Mapping events to the corresponding recordID might be challenging. |
8989
|**Requires RBAC for splitting countries/regions, departments, and so on** | Customize your data collection by adding tags to data and creating dedicated workspaces for each separation needed.| Custom data collection has extra ingestion costs. |
9090
|**Requires multiple tenants in a single workspace** | Customize your data collection using Azure LightHouse and a unified incident view.| Custom data collection has extra ingestion costs. <br><br>For more information, see [Extend Microsoft Sentinel across workspaces and tenants](extend-sentinel-across-workspaces-tenants.md). |
9191

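Review bot: Product name at line 90 (unchanged): "Azure LightHouse" should be "Azure Lighthouse". Worth fixing in the same freshness pass since the row is right next to the edited one.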
@@ -94,16 +94,16 @@ If you need to collect Microsoft Office data, outside of the standard connector
9494

9595
|Challenge / Requirement |Possible solutions |Considerations |
9696
|---------|---------|---------|
97-
|**Filter logs from other platforms** | Use Logstash <br><br>Use the Azure Monitor Agent / Microsoft Monitoring (Log Analytics) agent | Custom collection has extra ingestion costs. <br><br>You may have a challenge of collecting all Windows events vs only security events. |
98-
|**Agent cannot be used** | Use Windows Event Forwarding | You may need to load balance efforts across your resources. |
97+
|**Filter logs from other platforms** | Use Logstash <br><br>Use the Azure Monitor Agent / Microsoft Monitoring (Log Analytics) agent | Custom collection has extra ingestion costs. <br><br>You might have a challenge of collecting all Windows events vs only security events. |
98+
|**Agent cannot be used** | Use Windows Event Forwarding | You might need to load balance efforts across your resources. |
9999
|**Servers are in air-gapped network** | Use the [Log Analytics gateway](/azure/azure-monitor/agents/gateway) | Configuring a proxy to your agent requires firewall rules to allow the Gateway to work. |
100100
|**RBAC, tagging, and enrichment at ingestion** | Create custom collection via Logstash or the Log Analytics API. | RBAC isn't supported for custom tables <br><br>Row-level RBAC isn't supported for any tables. |
101101

102102

103-
## Next steps
103+
## Related content
104104

105105
For more information, see:
106106

107-
- [Pre-deployment activities and prerequisites for deploying Microsoft Sentinel](prerequisites.md)
107+
- [Predeployment activities and prerequisites for deploying Microsoft Sentinel](prerequisites.md)
108108
- [Best practices for Microsoft Sentinel](best-practices.md)
109109
- [Connect data sources](connect-data-sources.md)
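Review bot: Line 100 (unchanged) still ends its consideration cells without periods ("RBAC isn't supported for custom tables", "Row-level RBAC isn't supported for any tables.") while the earlier table in this PR was normalized to end every cell with a period; apply the same here, and spell out "vs" at line 97 as "versus". The "Next steps" to "Related content" rename is appropriate because the section is a list of links rather than a single next action.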
