Merge pull request #49926 from KenMAG/main

Revised units for content freshness

Author: v-shils

learn-pr/wwl-sci/connect-windows-hosts-to-azure-sentinel/2-plan-for-windows-hosts-security-events-connector.yml

@@ -4,8 +4,8 @@ title: Plan for Windows hosts security events connector
 metadata:
   title: Plan for Windows hosts security events connector
   description: "Plan for Windows hosts security events connector"
-  ms.date: 08/16/2022
-  author: wwlpublish
+  ms.date: 04/09/2025
+  author: KenMAG
   ms.author: kelawson
   ms.topic: unit
 azureSandbox: false

learn-pr/wwl-sci/connect-windows-hosts-to-azure-sentinel/2a-configure-data-collection-rules.yml

@@ -4,8 +4,8 @@ title: Connect using the Windows Security Events via AMA Connector
 metadata:
   title: Connect using the Windows Security Events via AMA Connector
   description: "Connect using the Windows Security Events via AMA Connector"
-  ms.date: 08/16/2022
-  author: wwlpublish
+  ms.date: 04/09/2025
+  author: KenMAG
   ms.author: kelawson
   ms.topic: unit
 azureSandbox: false

learn-pr/wwl-sci/connect-windows-hosts-to-azure-sentinel/includes/2-plan-for-windows-hosts-security-events-connector.md

@@ -1,30 +1,34 @@
-You have three Windows security events connector options to stream events from Windows devices to Microsoft Sentinel.  
+You have two Windows security events Content Hub solution options to stream events from Windows devices to Microsoft Sentinel.
+
+The first option is to install the *Windows Security Events* Content Hub solution. You can choose either of the two agent data connectors available:
 
-Based on your organization requirements, you have the option of installing an agent on each windows device to forward events to Microsoft Sentinel.  There are two agents available:
 - Windows Security Events via AMA Connector
 - Security Events via Legacy Agent Connector
 
-The third option is to configure a Windows Event Collector device to receive events from the Windows devices. The Windows Event Collector device would then forward events to Microsoft Sentinel with the **Windows Forwarded Events connector**.  
+The second option is to install the *Windows Forwarded Events* Content Hub solution and configure a Windows Event Collector device to receive events from the Windows devices. The Windows Event Collector device would then forward events to Microsoft Sentinel with the *Windows Forwarded Events* data connector.  
 
  > [!NOTE]
- > All three connectors are installed from corresponding Content Hub solutions.
+ > Microsoft recommends installation of Windows Security Events via AMA Connector. The Legacy connector uses the Log Analytics agent which was deprecated Aug 31, 2024, and thus should only be installed where AMA isn't supported.
 
 ## Windows Security Events via AMA Connector vs. Security Events via Legacy Agent Connector
 
 The Windows Security Events via AMA Connector has the following differences from the Security Events via Legacy Agent Connector:
 
 Benefits:
-- Manage collection settings at scale 
+
+- Manage collection settings at scale
 - Azure Monitoring Agent shared with other solutions
 - Performance improvements
 - Security improvements
 
 Limitations:
- - None.
+
+- None.
 
 Requirements:
-- non-Azure VM's/devices require Azure Arc.
 
+- non-Azure VM's/devices require Azure Arc.
 
 ### Azure Arc
-Azure Arc is an agent installed on the device or VM that allows the device to be managed the same as an Azure VM. Azure Arc provides other functionality including running Azure based services in a hybrid environment.  
+
+Azure Arc uses the *Azure Connected Machine* agent (azcmagent) installed on the device or VM that allows the device to be managed the same as an Azure VM. Azure Arc provides other functionality including running Azure based services in a hybrid environment.  

learn-pr/wwl-sci/connect-windows-hosts-to-azure-sentinel/includes/2a-configure-data-collection-rules.md

@@ -4,33 +4,31 @@ The Windows Security Events via AMA Connector uses Data Collection Rules (DCRs)
 
 - **Build custom filters** to choose the exact events you want to ingest. The Azure Monitor Agent uses these rules to filter the data at the source and ingest only the events you want, while leaving everything else behind. 
 
-
-
 ## Prerequisites
 
 - You must have read and write permissions on the Microsoft Sentinel workspace.
 
 - To collect events from any system that isn't an Azure virtual machine, the system must have **Azure Arc** installed and enabled before you enable the Azure Monitor Agent-based connector.
 
-This includes:
+These include:
 
-    - Windows servers installed on physical machines
-    - Windows servers installed on on-premises virtual machines
-    - Windows servers installed on virtual machines in non-Azure clouds
+- Windows servers installed on physical machines
+- Windows servers installed on on-premises virtual machines
+- Windows servers installed on virtual machines in non-Azure clouds
 
 ## Connect Windows Hosts
 
+1. From the Microsoft Sentinel navigation menu, select Data connectors.
 
-1. From the Microsoft Sentinel navigation menu, select Data connectors. 
-1. Select the Windows Security Events via AMA connector from the list, and then select Open connector page on the details pane. 
+1. Select the Windows Security Events via AMA connector from the list, and then select Open connector page on the details pane.
 
 1. Verify that you have the appropriate permissions as described under the Prerequisites section on the connector page.
 
-1. Under Configuration, select +Add data collection rule. The Create data collection rule wizard will open to the right.
+1. Under Configuration, select +Add data collection rule. The Create data collection rule wizard opens.
 
 1. Under Basics, enter a Rule name and specify a Subscription and Resource group where the data collection rule (DCR) will be created. This doesn't have to be the same resource group or subscription the monitored machines and their associations are in, as long as they are in the same tenant.
 
-1. In the Resources tab, select +Add resource(s) to add machines to which the Data Collection Rule will apply. The Select a scope dialog will open, and you'll see a list of available subscriptions. Expand a subscription to see its resource groups, and expand a resource group to see the available machines. You'll see Azure virtual machines and Azure Arc-enabled servers in the list. You can mark the check boxes of subscriptions or resource groups to select all the machines they contain, or you can select individual machines. Select Apply when you've chosen all your machines. At the end of this process, the Azure Monitor Agent will be installed on any selected machines that don't already have it installed.
+1. In the Resources tab, select +Add resource(s) to add machines to which the Data Collection Rule will apply. The Select a scope dialog opens, and you see a list of available subscriptions. Expand a subscription to see its resource groups, and expand a resource group to see the available machines. You see Azure virtual machines and Azure Arc-enabled servers in the list. You can mark the check boxes of subscriptions or resource groups to select all the machines they contain, or you can select individual machines. Select Apply when you've chosen all your machines. At the end of this process, the Azure Monitor Agent is installed on any selected machines that don't already have the agent.
 
 1. On the Collect tab, choose the events you would like to collect. Select:
     - All security events
@@ -41,7 +39,7 @@ This includes:
     > [!NOTE]
     >Custom allows you to specify other logs or to filter events using XPath queries. For XPath queries you can enter up to 20 expressions in a single box, and up to 100 boxes in a rule. The Azure Monitor agent supports XPath queries for XPath version 1.0 only.
 
-1. When you've added all the filter expressions you want, select Next: Review + create.
+1. When you add all the filter expressions you want, select Next: Review + create.
 
 1. When you see the "Validation passed" message, select Create.
 
@@ -51,7 +49,7 @@ You'll see all your data collection rules (including those created through the A
 
 Use the PowerShell cmdlet Get-WinEvent with the -FilterXPath parameter to test the validity of an XPath query. The following script shows an example:
 
-```PowerShell
+```powershell
 $XPath = '*[System[EventID=1035]]'
 Get-WinEvent -LogName 'Application' -FilterXPath $XPath
 ```

learn-pr/wwl-sci/connect-windows-hosts-to-azure-sentinel/index.yml

@@ -3,15 +3,15 @@ uid: learn.wwl.connect-windows-hosts-to-azure-sentinel
 metadata:
   title: Connect Windows hosts to Microsoft Sentinel
   description: "Connect Windows hosts to Microsoft Sentinel"
-  ms.date: 08/16/2022
-  author: wwlpublish
+  ms.date: 04/09/2025
+  author: KenMAG
   ms.author: kelawson
   ms.topic: module
   ms.service: microsoft-sentinel
 title: Connect Windows hosts to Microsoft Sentinel
 summary: One of the most common logs to collect is Windows security events.  Learn how Microsoft Sentinel makes this easy with the Security Events connector.
 abstract: |
-  Upon completion of this module, the learner will be able to:
+  Upon completion of this module, the learner is able to:
   - Connect Azure Windows Virtual Machines to Microsoft Sentinel
   - Connect non-Azure Windows hosts to Microsoft Sentinel
   - Configure Log Analytics agent to collect Sysmon events