Merge pull request #50897 from KenMAG/main

Updated module for Microsoft Sentinel in both Azure and Defender portals

Author: JamesJBarnett

learn-pr/wwl-sci/connect-data-to-azure-sentinel-with-data-connectors/1-introduction.yml

@@ -4,8 +4,8 @@ title: Introduction
 metadata:
   title: Introduction
   description: "Introduction"
-  ms.date: 06/21/2022
-  author: wwlpublish
+  ms.date: 06/11/2025
+  author: KenMAG
   ms.author: kelawson
   ms.topic: unit
 azureSandbox: false

learn-pr/wwl-sci/connect-data-to-azure-sentinel-with-data-connectors/3-understand-data-connector-providers.yml

@@ -4,8 +4,8 @@ title: Understand data connector providers
 metadata:
   title: Understand data connector providers
   description: "Understand data connector providers"
-  ms.date: 06/21/2022
-  author: wwlpublish
+  ms.date: 06/11/2025
+  author: KenMAG
   ms.author: kelawson
   ms.topic: unit
 azureSandbox: false

learn-pr/wwl-sci/connect-data-to-azure-sentinel-with-data-connectors/4-view-connected-hosts.yml

@@ -4,8 +4,8 @@ title: View connected hosts
 metadata:
   title: View connected hosts
   description: "View connected hosts"
-  ms.date: 06/21/2022
-  author: wwlpublish
+  ms.date: 06/11/2025
+  author: KenMAG
   ms.author: kelawson
   ms.topic: unit
 azureSandbox: false

learn-pr/wwl-sci/connect-data-to-azure-sentinel-with-data-connectors/5-knowledge-check.yml

@@ -4,8 +4,8 @@ title: Module assessment
 metadata:
   title: Module assessment
   description: "Knowledge check"
-  ms.date: 06/21/2022
-  author: wwlpublish
+  ms.date: 06/11/2025
+  author: KenMAG
   ms.author: kelawson
   ms.topic: unit
 azureSandbox: false
@@ -31,21 +31,21 @@ quiz:
     choices:
     - content: "Microsoft Entra ID"
       isCorrect: false
-      explanation: "Incorrect.  The Azure Active Directory provides parsed data."
+      explanation: "Incorrect. The Entra ID Logs provide parsed data."
     - content: "Syslog"
       isCorrect: true
-      explanation: "Correct.  The data is stored in the SyslogMessage"
+      explanation: "Correct. The data is stored in the SyslogMessage"
     - content: "CEF"
       isCorrect: false
-      explanation: "Incorrect.  The CEF connector provides parsed data."
+      explanation: "Incorrect. The CEF connector provides parsed data."
   - content: "The vendor-provided connectors primarily use which of the following?"
     choices:
     - content: "Azure Activity Connector"
       isCorrect: false
-      explanation: "Incorrect.  Vendors don't use the Azure Activity connector."
+      explanation: "Incorrect. Vendors don't use the Azure Activity connector."
     - content: "Security Events Connector"
       isCorrect: false
-      explanation: "Incorrect.  The Security Events connector is for sending Windows event logs."
+      explanation: "Incorrect. The Security Events connector is for sending Windows event logs."
     - content: "CEF Connector"
       isCorrect: true
-      explanation: "Correct.  Most Vendor-provided connectors use the CEF connector."
+      explanation: "Correct. Most Vendor-provided connectors use the CEF connector."

learn-pr/wwl-sci/connect-data-to-azure-sentinel-with-data-connectors/includes/1-introduction.md

@@ -1,5 +1,15 @@
-Data is sent to the Microsoft Sentinel workspace by configuring the provided data connectors. The data connectors are included in out-of-the-box (OOTB), or built-in Content Hub solutions for Microsoft 365 services, Azure, and third-party specific.
-  
+Data is ingested to the Microsoft Sentinel workspace by configuring data connectors. The data connectors are included in Content Hub solutions for Microsoft services and products, and third-party solutions.
+
+## Microsoft Sentinel and Defender XDR
+
+Use one of the following methods to integrate Microsoft Sentinel with Microsoft Defender XDR services:
+
+- Ingest Microsoft Defender XDR service data into Microsoft Sentinel and view Microsoft Sentinel data in the Azure portal. Enable the Defender XDR connector in Microsoft Sentinel.
+
+- Integrate Microsoft Sentinel and Defender XDR directly in the Microsoft Defender portal. In this case, view Microsoft Sentinel data directly with the rest of your Defender incidents, alerts, vulnerabilities, and other security data. To do this, you must onboard Microsoft Sentinel to the Defender portal.
+
+## Scenario
+
 You're a Security Operations Analyst working at a company that implemented Microsoft Sentinel. You need to learn how to connect log data from the many different data sources in your organization. The organization has data from Microsoft 365, Microsoft Defender XDR, Azure resources, non-azure virtual machines, and network appliances.
 
 You plan on using the Microsoft Sentinel Content Hub solutions that include the data connectors to integrate the log data from the various sources. You need to document a connector plan for management that maps each of the organization's data sources to the proper Microsoft Sentinel data connector.
@@ -13,7 +23,7 @@ After completing this module, you'll be able to:
 
 ## Prerequisites
 
-Basic experience with Microsoft Azure operations.
+Basic experience with Microsoft Azure or Microsoft Defender operations.
 
 ## Interactive lab simulation
 

learn-pr/wwl-sci/connect-data-to-azure-sentinel-with-data-connectors/includes/3-understand-data-connector-providers.md

@@ -10,20 +10,19 @@ The Microsoft Defender XDR data connector provides alerts, incidents, and raw da
 
 - Microsoft Defender for Cloud Apps
 
-
 ### Microsoft Azure Services
 
 The connectors for Microsoft and Azure-related services include (but aren't limited to):
 
-- Microsoft Entra ID 
+- Microsoft Entra ID
 
 - Azure Activity
 
 - Microsoft Entra ID Protection
 
 - Azure DDoS Protection
 
-- Microsoft Defender for IoT 
+- Microsoft Defender for IoT
 
 - Azure Information Protection
 
@@ -37,13 +36,13 @@ The connectors for Microsoft and Azure-related services include (but aren't limi
 
 - Office 365
 
-- Windows firewall
+- Windows Firewall
 
 - Security Events
 
 ### Vendor connectors
 
-Microsoft Sentinel provides an ever-growing list of vendor-specific data connectors.  These connectors primarily use the CEF and Syslog connector as their foundation.
+Microsoft Sentinel provides an ever-growing list of vendor-specific data connectors. These connectors primarily use the CEF and Syslog connector as their foundation.
 
 > [!TIP]
 > Remember to check the connector page to see the Data Type (table) that the connector writes to.
@@ -66,7 +65,7 @@ Common Event Format (CEF) is an industry-standard format on top of Syslog messag
 
 ### Syslog vs. Common Event Format
 
-CEF is always a superior choice because the log data is parsed into predefined fields in the CommonSecurityLog table.  Syslog provides header fields, but the raw log message is stored in a field named SyslogMessage in the Syslog table.  For the Syslog data to be queried, you need to write a parser to extract the specific fields. The process to create a Parser for a Syslog message is demonstrated in a later module.
+CEF is always a superior choice because the log data is parsed into predefined fields in the CommonSecurityLog table. Syslog provides header fields, but the raw log message is stored in a field named SyslogMessage in the Syslog table. For the Syslog data to be queried, you need to write a parser to extract the specific fields. The process to create a Parser for a Syslog message is demonstrated in a later module.
 
 ### Connector architecture options
 

learn-pr/wwl-sci/connect-data-to-azure-sentinel-with-data-connectors/includes/4-view-connected-hosts.md

@@ -1,9 +1,37 @@
-The Data Connector page shows the connectors that are installed and can be filtered to show the ones with a `Connected` status.  The count of Windows and Linux hosts connected with an agent is available in the Log Analytics workspace.  To see your connected hosts do the following steps:
+To view your Windows and Linux hosts connected with an agent, you can do so in the Log Analytics workspace. To see your connected hosts do the following steps:
 
-1. Select **Settings**
+## Microsoft Sentinel and Defender XDR
 
-1. Workspace Settings (this selection transfers you to Log Analytics)
+Select the appropriate tab to see the connected hosts depending on which integration method you use.
 
-1. In Log Analytics Settings area, select **Agents**
+## [Defender portal](#tab/defender-portal)
 
-1. There are two tabs to view  - one for Windows another for Linux.
+1. In the Microsoft Defender portal navigation menu, expand **System**, and select **Settings**.
+
+1. Select **Microsoft Sentinel**.
+
+1. Select the appropriate Microsoft Sentinel workspace.
+
+1. In the side panel that opens, select **Log Analytics settings**, and **Configure Log Analytics work**.
+
+    :::image type="content" source="../media/04-view-connected-hosts-defender.png" alt-text="Screen shot of Microsoft Defender Microsoft Sentinel workspace configuration page.":::
+
+1. In the Log Analytics workspace, select **Settings** from the navigation menu, and then select **Agents**.
+
+1. Select either the **Windows** or **Linux** tab to view the connected hosts.
+
+    :::image type="content" source="../media/04-log-analytics-connected-hosts.png" alt-text="Screen shot of Log Analytics Agents page.":::
+
+## [Azure portal](#tab/azure-portal)
+
+1. In the Microsoft Sentinel navigation menu, expand **Configuration**, and select **Settings**.
+
+1. Select the **Workspace settings** tab (this selection transfers you to Log Analytics).
+
+1. In the Log Analytics workspace, select **Settings** from the navigation menu, and then select **Agents**.
+
+1. Select either the **Windows** or **Linux** tab to view the connected hosts.
+
+    :::image type="content" source="../media/04-log-analytics-connected-hosts.png" alt-text="Screen shot of Log Analytics Agents page.":::
+
+---

learn-pr/wwl-sci/connect-data-to-azure-sentinel-with-data-connectors/index.yml

@@ -3,28 +3,29 @@ uid: learn.wwl.connect-data-to-azure-sentinel-with-data-connectors
 metadata:
   title: Connect data to Microsoft Sentinel using data connectors
   description: "Connect data to Microsoft Sentinel using data connectors"
-  ms.date: 08/02/2023
-  author: wwlpublish
+  ms.date: 06/11/2025
+  author: KenMAG
   ms.author: kelawson
   ms.topic: module
   ms.service: microsoft-sentinel
 title: Connect data to Microsoft Sentinel using data connectors
-summary: The primary approach to connect log data is using the Microsoft Sentinel provided data connectors.  This module provides an overview of the available data connectors.
+summary: The primary approach to connect log data is using the Microsoft Sentinel provided data connectors. This module provides an overview of the available data connectors.
 abstract: |
-  Upon completion of this module, the learner will be able to:
+  Upon completion of this module, the learner is able to:
   - Describe how to install Content Hub Solutions to provision Microsoft Sentinel Data connectors
   - Explain the use of data connectors in Microsoft Sentinel
   - Describe the Microsoft Sentinel data connector providers
   - Explain the Common Event Format and Syslog connector differences in Microsoft Sentinel
 prerequisites: |
-  Basic experience with Microsoft Azure operations
+  Basic experience with Microsoft Azure and Microsoft Defender operations
 iconUrl: /training/achievements/connect-data-to-azure-sentinel-with-data-connectors.svg
 levels:
 - intermediate
 roles:
 - security-operations-analyst
 products:
 - azure
+- microsoft-defender
 - microsoft-sentinel
 - azure-log-analytics
 subjects: