articles/sentinel/audit-sentinel-data.md
15 additions & 13 deletions
@@ -1,10 +1,10 @@
1
1
---
2
2
title: Audit Microsoft Sentinel queries and activities | Microsoft Docs
3
3
description: This article describes how to audit queries and activities performed in Microsoft Sentinel.
4
-
author: limwainstein
4
+
author: batamig
5
5
ms.topic: how-to
6
-
ms.date: 01/09/2023
7
-
ms.author: lwainstein
6
+
ms.date: 09/26/2024
7
+
ms.author: bagol
8
8
---
9
9
10
10
# Audit Microsoft Sentinel queries and activities
@@ -22,6 +22,12 @@ Microsoft Sentinel provides access to:
22
22
>
23
23
> In the Microsoft Sentinel **Workbooks** area, search for the **Workspace audit** workbook.
24
24
25
+
## Prerequisites
26
+
27
+
- Before you can successfully run the sample queries in this article, you need to have relevant data in your Microsoft Sentinel workspace to query on and access to Microsoft Sentinel.
28
+
29
+
For more information, see [Configure Microsoft Sentinel content](configure-content.md) and [Roles and permissions in Microsoft Sentinel](roles.md).
30
+
25
31
## Auditing with Azure Activity logs
26
32
27
33
Microsoft Sentinel's audit logs are maintained in the [Azure Activity Logs](/azure/azure-monitor/essentials/platform-logs-overview), where the **AzureActivity** table includes all actions taken in your Microsoft Sentinel workspace.
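Review bot: the new prerequisites bullet folds two different requirements, data to query and access to the workspace, into one sentence and never says what level of access is meant; since everything that follows queries AzureActivity and LAQueryLogs, split it into one bullet per requirement and name the minimum role in the access bullet (the linked roles.md is where that lives), for example `- Access to Microsoft Sentinel with at least the Microsoft Sentinel Reader role, or whatever roles.md lists as the minimum for running queries.` Also, the new section sits between the workbook tip and the first auditing section, so the trailing "For more information" line should say which link covers which bullet.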
@@ -30,9 +36,9 @@ You can use the **AzureActivity** table when auditing activity in your SOC envir
30
36
31
37
**To query the AzureActivity table**:
32
38
33
-
1. Connect the [Azure Activity](./data-connectors/azure-activity.md) data source to start streaming audit events into a new table in the **Logs**screen called AzureActivity.
39
+
1. Connect the [Azure Activity](./data-connectors/azure-activity.md) data source to start streaming audit events into a new table called `AzureActivity`. In the Azure portal, query this table in the **[Logs](hunts-custom-queries.md)**page. In the Defender portal, query this table in the **Investigation & response > Hunting > [Advanced hunting](/defender-xdr/advanced-hunting-overview)** page. For more information, see
34
40
35
-
1.Then, query the data using KQL, like you would any other table.
41
+
1.Query the data using KQL, like you would any other table.
36
42
37
43
The **AzureActivity** table includes data from many services, including Microsoft Sentinel. To filter in only data from Microsoft Sentinel, start your query with the following code:
38
44
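Review bot: the rewritten step 1 ends with a dangling `For more information, see` and no link; either add the intended reference or delete the fragment before merge. The same sentence now tells Defender-portal users to query AzureActivity from Advanced hunting, while the note added later in this file states that LAQueryLogs does not record Advanced hunting queries; if that note is right, a reader who follows this step will not find their own audit queries in LAQueryLogs, which is worth one sentence here so the two passages agree.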
@@ -129,7 +135,8 @@ LAQueryLogs data includes information such as:
129
135
- Performance data on each query run
130
136
131
137
> [!NOTE]
132
-
> - The **LAQueryLogs** table only includes queries that have been run in the Logs blade of Microsoft Sentinel. It does not include the queries run by scheduled analytics rules, using the **Investigation Graph** or in the Microsoft Sentinel **Hunting** page.
138
+
> - The **LAQueryLogs** table only includes queries that have been run in the Logs blade of Microsoft Sentinel. It does not include the queries run by scheduled analytics rules, using the **Investigation Graph**, in the Microsoft Sentinel **Hunting** page, or in the Defender portal's **Advanced hunting** page. <!--is this correct?-->
139
+
>
133
140
> - There may be a short delay between the time a query is run and the data is populated in the **LAQueryLogs** table. We recommend waiting about 5 minutes to query the **LAQueryLogs** table for audit data.
134
141
135
142
**To query the LAQueryLogs table**:
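Review bot: the `<!--is this correct?-->` marker on the new NOTE line is an unresolved author question shipping into the source; the claim that Advanced hunting queries are not captured in LAQueryLogs has to be confirmed with the product team before this merges, and if it does hold, the first clause still says "run in the Logs blade of Microsoft Sentinel" and should name the portal (Azure portal Logs page) now that the Defender portal is in scope for this article. Remove the comment once resolved.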
@@ -207,14 +214,9 @@ LAQueryLogs
207
214
208
215
Use Microsoft Sentinel's own features to monitor events and actions that occur within Microsoft Sentinel.
209
216
210
-
-**Monitor with workbooks**. The following workbooks were built to monitor workspace activity:
211
-
212
-
-**Workspace Auditing**. Includes information about which users in the environment are performing actions, which actions they have performed, and more.
213
-
-**Analytics Efficiency**. Provides insight into which analytic rules are being used, which MITRE tactics are most covered, and incidents generated from the rules.
214
-
-**Security Operations Efficiency**. Presents metrics on SOC team performance, incidents opened, incidents closed, and more. This workbook can be used to show team performance and highlight any areas that might be lacking that require attention.
215
-
-**Data collection health monitoring**. Helps watch for stalled or stopped ingestions.
217
+
-**Monitor with workbooks**. Several built-in Microsoft Sentinel workbooks can help you monitor workspace activity, including information about the users working in your workspace, the analytics rules being used, the MITRE tactics most covered, stalled or stopped ingestions, and SOC team performance.
216
218
217
-
For more information, see [Commonly used Microsoft Sentinel workbooks](top-workbooks.md).
219
+
For more information, see [Visualize and monitor your data by using workbooks in Microsoft Sentinel](monitor-your-data.md) and [Commonly used Microsoft Sentinel workbooks](top-workbooks.md)
218
220
219
221
-**Watch for ingestion delay**. If you have concerns about ingestion delay, [set a variable in an analytics rule](ingestion-delay.md) to represent the delay.
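Review bot: collapsing the four workbook entries into one sentence drops the workbook names (Workspace Auditing, Analytics Efficiency, Security Operations Efficiency, Data collection health monitoring) that a reader needs in order to find them in the Workbooks gallery; the tip earlier in this file still tells the reader to search for the Workspace audit workbook by name, so either keep the names inline (`including the **Workspace Auditing**, **Analytics Efficiency**, **Security Operations Efficiency**, and **Data collection health monitoring** workbooks`) or say explicitly that the linked top-workbooks.md page lists them. The new "For more information" line is also missing its terminal period.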
articles/sentinel/configure-data-retention.md
4 additions & 2 deletions
@@ -5,7 +5,7 @@ author: cwatson-cat
5
5
ms.author: cwatson
6
6
ms.service: microsoft-sentinel
7
7
ms.topic: tutorial
8
-
ms.date: 01/05/2023
8
+
ms.date: 09/26/2024
9
9
ms.custom: template-tutorial
10
10
#Customer intent: As an Azure account administrator, I want to archive older but less used data to save retention costs.
11
11
---
@@ -69,14 +69,16 @@ In your Log Analytics workspace, change the interactive retention policy of the
69
69
70
70
## Review interactive and total retention policies
71
71
72
-
On the **Tables** page for the table you updated, review the field values for **Interactive retention** and **Total retention**.
72
+
On the **Tables** page, for the table you updated, review the field values for **Interactive retention** and **Total retention**.
73
73
74
74
:::image type="content" source="media/configure-data-retention/data-retention-archive-period.png" alt-text="Screenshot of the table view that shows the interactive retention and archive period columns.":::
75
75
76
76
## Clean up resources
77
77
78
78
No resources were created but you might want to restore the data retention settings you changed.
79
79
80
+
Depending on the settings set for your entire workspace, the settings updated in this tutorial might incur additional charges. To avoid these charges, restore the settings to their original values.
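Review bot: "Depending on the settings set for your entire workspace" is awkward and does not say which settings drive the cost or relative to what baseline; the tutorial changed a table's interactive and total retention, so say that directly, along the lines of `If the interactive or total retention you set for the table is longer than the workspace-level setting, the change might incur additional charges.` The sentence belongs under the same "Clean up resources" heading it was added to, so no other structure change is needed.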
articles/sentinel/connect-defender-for-cloud.md
15 additions & 17 deletions
@@ -3,19 +3,15 @@ title: Ingest Microsoft Defender for Cloud subscription-based alerts to Microsof
3
3
description: Learn how to connect security alerts from Microsoft Defender for Cloud and stream them into Microsoft Sentinel.
4
4
author: yelevin
5
5
ms.topic: how-to
6
-
ms.date: 11/09/2021
6
+
ms.date: 09/26/2024
7
7
ms.author: yelevin
8
8
---
9
9
10
10
# Ingest Microsoft Defender for Cloud alerts to Microsoft Sentinel
11
11
12
-
[Microsoft Defender for Cloud](/azure/defender-for-cloud/)'s integrated cloud workload protections allow you to detect and quickly respond to threats across hybrid and multicloud workloads.
12
+
[Microsoft Defender for Cloud](/azure/defender-for-cloud/)'s integrated cloud workload protections allow you to detect and quickly respond to threats across hybrid and multicloud workloads. The **Microsoft Defender for Cloud** connector allows you to ingest [security alerts from Defender for Cloud](/azure/defender-for-cloud/alerts-reference) into Microsoft Sentinel, so you can view, analyze, and respond to Defender alerts, and the incidents they generate, in a broader organizational threat context.
13
13
14
-
This connector allows you to ingest [security alerts from Defender for Cloud](/azure/defender-for-cloud/alerts-reference) into Microsoft Sentinel, so you can view, analyze, and respond to Defender alerts, and the incidents they generate, in a broader organizational threat context.
15
-
16
-
As [Microsoft Defender for Cloud Defender plans](/azure/defender-for-cloud/defender-for-cloud-introduction#protect-cloud-workloads) are enabled per subscription, this data connector is also enabled or disabled separately for each subscription.
17
-
18
-
The new **Tenant-based Microsoft Defender for Cloud connector**, in PREVIEW, allows you to collect Defender for Cloud alerts over your entire tenant, without having to enable each subscription separately. It also leverages [Defender for Cloud's integration with Microsoft Defender XDR](ingest-defender-for-cloud-incidents.md) (formerly Microsoft 365 Defender) to ensure that all of your Defender for Cloud alerts are fully included in any incidents you receive through [Microsoft Defender XDR incident integration](microsoft-365-defender-sentinel-integration.md).
14
+
[Microsoft Defender for Cloud Defender plans](/azure/defender-for-cloud/defender-for-cloud-introduction#protect-cloud-workloads) are enabled per subscription. While Microsoft Sentinel's legacy connector for Defender for Cloud Apps is also configured per subscription, the **Tenant-based Microsoft Defender for Cloud** connector, in preview, allows you to collect Defender for Cloud alerts over your entire tenant without having to enable each subscription separately. The tenant-based connector also works with [Defender for Cloud's integration with Microsoft Defender XDR](ingest-defender-for-cloud-incidents.md) to ensure that all of your Defender for Cloud alerts are fully included in any incidents you receive through [Microsoft Defender XDR incident integration](microsoft-365-defender-sentinel-integration.md).
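Review bot: the new paragraph says "Microsoft Sentinel's legacy connector for Defender for Cloud Apps", but this article and the connector named in the steps below (`Subscription-based Microsoft Defender for Cloud (Legacy)`) are about Defender for Cloud; Defender for Cloud Apps is a separate product with its own connector, so the word "Apps" will send readers to the wrong connector page. Change it to `the legacy subscription-based Microsoft Defender for Cloud connector`. Minor: the removed text called the tenant-based connector "new" and "in PREVIEW"; the replacement keeps "in preview" but drops the link target for what "preview" means, which is fine, just make sure the connector name matches the gallery title used in step 2.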
@@ -45,25 +41,27 @@ Enabling **bi-directional sync** will automatically sync the status of original
45
41
46
42
## Connect to Microsoft Defender for Cloud
47
43
48
-
1.In Microsoft Sentinel, select **Data connectors** from the navigation menu.
44
+
1.After installing the solution, in Microsoft Sentinel, select **Configuration > Data connectors**.
49
45
50
-
1. From the data connectors gallery, select **Microsoft Defender for Cloud**, and select **Open connector page** in the details pane.
46
+
1. From the **Data connectors** page, select the either the **Subscription-based Microsoft Defender for Cloud (Legacy)** or the **Tenant-based Microsoft Defender for Cloud (Preview)** connector, and then select **Open connector page**.
51
47
52
48
1. Under **Configuration**, you will see a list of the subscriptions in your tenant, and the status of their connection to Microsoft Defender for Cloud. Select the **Status** toggle next to each subscription whose alerts you want to stream into Microsoft Sentinel. If you want to connect several subscriptions at once, you can do this by marking the check boxes next to the relevant subscriptions and then selecting the **Connect** button on the bar above the list.
53
49
54
-
> [!NOTE]
55
-
> - The check boxes and **Connect** toggles will be active only on the subscriptions for which you have the required permissions.
56
-
> - The **Connect** button will be active only if at least one subscription's check box has been marked.
50
+
- The check boxes and **Connect** toggles are active only on the subscriptions for which you have the [required permissions](#prerequisites).
51
+
- The **Connect** button is active only if at least one subscription's check box has been marked.
57
52
58
53
1. To enable bi-directional sync on a subscription, locate the subscription in the list, and choose **Enabled** from the drop-down list in the **Bi-directional sync** column. To enable bi-directional sync on several subscriptions at once, mark their check boxes and select the **Enable bi-directional sync** button on the bar above the list.
59
54
60
-
> [!NOTE]
61
-
> - The check boxes and drop-down lists will be active only on the subscriptions for which you have the [required permissions](#prerequisites).
62
-
> - The **Enable bi-directional sync** button will be active only if at least one subscription's check box has been marked.
55
+
- The check boxes and drop-down lists will be active only on the subscriptions for which you have the [required permissions](#prerequisites).
56
+
- The **Enable bi-directional sync** button will be active only if at least one subscription's check box has been marked.
57
+
58
+
1. In the **Microsoft Defender plans** column of the list, you can see if Microsoft Defender plans are enabled on your subscription (a prerequisite for enabling the connector).
59
+
60
+
The value for each subscription in this column are either blank (meaning no Defender plans are enabled), **All enabled**, or **Some enabled**. Those that say **Some enabled** also have an **Enable all** link you can select, that will take you to your Microsoft Defender for Cloud configuration dashboard for that subscription, where you can choose Defender plans to enable.
63
61
64
-
1. In the **Microsoft Defender plans** column of the list, you can see if Microsoft Defender plans are enabled on your subscription (a prerequisite for enabling the connector). The value for each subscription in this column will either be blank (meaning no Defender plans are enabled), "All enabled," or "Some enabled." Those that say "Some enabled" will also have an **Enable all** link you can select, that will take you to your Microsoft Defender for Cloud configuration dashboard for that subscription, where you can choose Defender plans to enable. The **Enable Microsoft Defender for all subscriptions** link button on the bar above the list will take you to your Microsoft Defender for Cloud Getting Started page, where you can choose on which subscriptions to enable Microsoft Defender for Cloud altogether.
62
+
The **Enable Microsoft Defender for all subscriptions** link button on the bar above the list will take you to your Microsoft Defender for Cloud Getting Started page, where you can choose on which subscriptions to enable Microsoft Defender for Cloud altogether. For example:
65
63
66
-
:::image type="content" source="./media/connect-defender-for-cloud/azure-defender-config.png" alt-text="Screenshot of Microsoft Defender for Cloud connector configuration":::
64
+
:::image type="content" source="./media/connect-defender-for-cloud/azure-defender-config.png" alt-text="Screenshot of Microsoft Defender for Cloud connector configuration":::<!--this image is out of date-->
67
65
68
66
1. You can select whether you want the alerts from Microsoft Defender for Cloud to automatically generate incidents in Microsoft Sentinel. Under **Create incidents**, select **Enabled** to turn on the default analytics rule that automatically [creates incidents from alerts](create-incidents-from-alerts.md). You can then edit this rule under **Analytics**, in the **Active rules** tab.
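Review bot: three things in this hunk need fixing before merge. Step 2 has the typo `select the either the`. Step 1's new "After installing the solution" refers to a solution that nothing in the visible context names or links; add the solution name and an install link, or drop the clause. The `<!--this image is out of date-->` comment on the screenshot is an unresolved TODO shipping into the source; either replace the image or remove the comment. Separately, now that step 2 offers the tenant-based connector, step 3's "you will see a list of the subscriptions in your tenant" should say whether that per-subscription list and the per-subscription bi-directional sync setting in step 4 also apply to the tenant-based connector, since the intro paragraph says that connector does not require enabling each subscription.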
articles/sentinel/data-transformation.md
3 additions & 4 deletions
@@ -114,7 +114,7 @@ Ingestion-time data transformation currently has the following known issues for
114
114
115
115
- Data transformations using *workspace transformation DCRs* are supported only per table, and not per connector.
116
116
117
-
There can only be one workspace transformation DCR for an entire workspace. Within that DCR, each table can use a separate input stream with its own transformation. However, if you have two different MMA-based data connectors sending data to the *Syslog* table, they will both have to use the same input stream configuration in the DCR. Splitting data to multiple destinations (Log Analytics workspaces) with a workspace transformation DCR is not possible.
117
+
There can only be one workspace transformation DCR for an entire workspace. Within that DCR, each table can use a separate input stream with its own transformation. However, if you have two different MMA-based data connectors sending data to the *Syslog* table, they will both have to use the same input stream configuration in the DCR. Splitting data to multiple destinations (Log Analytics workspaces) with a workspace transformation DCR is not possible.<!--how to fix for AMA?-->
118
118
119
119
- The following configurations are supported only via API:
120
120
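Review bot: the `<!--how to fix for AMA?-->` comment is an unresolved TODO; the example it is attached to still describes two MMA-based data connectors writing to the Syslog table, and the Log Analytics agent (MMA) was retired at the end of August 2024, so with the ms.date bump to 09/26/2024 the example should be restated in terms of AMA-based connectors (the point being made, one workspace transformation DCR per workspace with one input stream per table, does not depend on the agent) and the comment removed.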
@@ -130,10 +130,9 @@ Ingestion-time data transformation currently has the following known issues for
130
130
131
131
## Related content
132
132
133
-
[Get started configuring ingestion-time data transformation in Microsoft Sentinel](configure-data-transformation.md).
134
-
135
-
Learn more about Microsoft Sentinel data connector types. For more information, see:
133
+
For more information, see:
136
134
135
+
-[Transform or customize data at ingestion time in Microsoft Sentinel (preview)](configure-data-transformation.md)
137
136
-[Microsoft Sentinel data connectors](connect-data-sources.md)
138
137
-[Find your Microsoft Sentinel data connector](data-connectors-reference.md)
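Review bot: the first new bullet's link text labels the feature "(preview)" while the removed "Get started configuring ingestion-time data transformation in Microsoft Sentinel" line did not; confirm the current status of configure-data-transformation.md so the link text matches the target page's title. The "For more information, see:" lead line is redundant under a "Related content" heading and can be dropped.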