Updated module units, improved Acrolinx scores and fixed MD formatting

Ken Lawson · Ken Lawson · commit d697247153b8 · 2025-03-17T15:26:18.000-06:00
diff --git a/learn-pr/wwl-sci/create-manage-azure-sentinel-workspaces/1-introduction.yml b/learn-pr/wwl-sci/create-manage-azure-sentinel-workspaces/1-introduction.yml
@@ -4,7 +4,7 @@ title: Introduction
 metadata:
   title: Introduction
   description: "Introduction"
-  ms.date: 11/11/2022
+  ms.date: 03/14/2025
   author: wwlpublish
   ms.author: kelawson
   ms.topic: unit
diff --git a/learn-pr/wwl-sci/create-manage-azure-sentinel-workspaces/2-plan-for-azure-sentinel-workspace.yml b/learn-pr/wwl-sci/create-manage-azure-sentinel-workspaces/2-plan-for-azure-sentinel-workspace.yml
@@ -4,7 +4,7 @@ title: Plan for the Microsoft Sentinel workspace
 metadata:
   title: Plan for the Microsoft Sentinel workspace
   description: "Plan for the Microsoft Sentinel workspace"
-  ms.date: 11/11/2022
+  ms.date: 03/14/2025
   author: wwlpublish
   ms.author: kelawson
   ms.topic: unit
diff --git a/learn-pr/wwl-sci/create-manage-azure-sentinel-workspaces/3-create-azure-sentinel-workspace.yml b/learn-pr/wwl-sci/create-manage-azure-sentinel-workspaces/3-create-azure-sentinel-workspace.yml
@@ -4,7 +4,7 @@ title: Create a Microsoft Sentinel workspace
 metadata:
   title: Create a Microsoft Sentinel workspace
   description: "Create a Microsoft Sentinel workspace"
-  ms.date: 11/11/2022
+  ms.date: 03/14/2025
   author: wwlpublish
   ms.author: kelawson
   ms.topic: unit
diff --git a/learn-pr/wwl-sci/create-manage-azure-sentinel-workspaces/7-configure-logs.yml b/learn-pr/wwl-sci/create-manage-azure-sentinel-workspaces/7-configure-logs.yml
@@ -4,7 +4,7 @@ title: Configure logs
 metadata:
   title: Configure logs
   description: "Configure logs"
-  ms.date: 11/11/2022
+  ms.date: 03/17/2025
   author: wwlpublish
   ms.author: kelawson
   ms.topic: unit
diff --git a/learn-pr/wwl-sci/create-manage-azure-sentinel-workspaces/includes/1-introduction.md b/learn-pr/wwl-sci/create-manage-azure-sentinel-workspaces/includes/1-introduction.md
@@ -1,6 +1,6 @@
-Deploying the Microsoft Sentinel environment involves designing a workspace configuration to meet your security and compliance requirements.  The provisioning process includes creating a Log Analytics workspace and configuring the Microsoft Sentinel options.
+Deploying the Microsoft Sentinel environment involves designing a workspace configuration to meet your security and compliance requirements. The provisioning process includes creating a Log Analytics workspace and configuring the Microsoft Sentinel options.
 
-You're a Security Operations Analyst working at a company that is implementing Microsoft Sentinel.  You're responsible for setting up the Microsoft Sentinel environment to meet the company requirement to minimize cost, meet compliance regulations, and provide the most manageable environment for your security team to perform their daily job responsibilities.  
+You're a Security Operations Analyst working at a company that is implementing Microsoft Sentinel. You're responsible for setting up the Microsoft Sentinel environment to meet the company requirement to minimize cost, meet compliance regulations, and provide the most manageable environment for your security team to perform their daily job responsibilities.  
 
 You start by understanding the Microsoft Sentinel workspace's architecture. After you've decided on your workspace implementation options, you create your first Microsoft Sentinel workspace.
 
@@ -12,4 +12,4 @@ After completing this module, you'll be able to:
 
 ## Prerequisites
 
-Basic experience with Azure services
+Basic experience with Azure services
diff --git a/learn-pr/wwl-sci/create-manage-azure-sentinel-workspaces/includes/2-plan-for-azure-sentinel-workspace.md b/learn-pr/wwl-sci/create-manage-azure-sentinel-workspaces/includes/2-plan-for-azure-sentinel-workspace.md
@@ -1,20 +1,20 @@
-Before deploying Microsoft Sentinel, it's crucial to understand the workspace options.  The Microsoft Sentinel solution is installed in a Log Analytics Workspace, and most implementation considerations are focused on the Log Analytics Workspace creation.  The single most important option when creating a new Log Analytics Workspace is the region.  The region specifies the location where the log data will reside.
+Before deploying Microsoft Sentinel, it's crucial to understand the workspace options. The Microsoft Sentinel solution is installed in a Log Analytics Workspace, and most implementation considerations are focused on the Log Analytics Workspace creation. The single most important option when creating a new Log Analytics Workspace is the region. The region specifies the location where the log data resides.
 
 The three implementation options:
 
 - Single-Tenant with a single Microsoft Sentinel Workspace
 
 - Single-Tenant with regional Microsoft Sentinel Workspaces
 
-- Multi-Tenant
+- Multiple tenants
 
 ## Single-tenant single workspace
 
-The single-tenant with a single Microsoft Sentinel workspace will be the central repository for logs across all resources within the same tenant.
+The single-tenant with a single Microsoft Sentinel workspace is the central repository for logs across all resources within the same tenant.
 
-This workspace receives logs from resources in other regions within the same tenant.  Because the log data (when collected) will travel across regions and stored in another region, this creates two possible concerns.  First, it can incur a bandwidth cost. Second, if there's a data governance requirement to keep data in a specific region, the single workspace option wouldn't be an implementation option.
+This workspace receives logs from resources in other regions within the same tenant. Because the log data (when collected) travels across regions and stored in another region, this creates two possible concerns.  First, it can incur a bandwidth cost. Second, if there's a data governance requirement to keep data in a specific region, the single workspace option wouldn't be an implementation option.
 
-:::image type="content" source="../media/single-tenant-workspace.png" alt-text="Diagram of a Single Tenant Sentinel Workspace.":::
+:::image type="content" source="../media/single-tenant-workspace.png" alt-text="Diagram of a Single Tenant Microsoft Sentinel Workspace.":::
 
 Single-Tenants with a single workspace trade-off include:
 
@@ -28,9 +28,9 @@ Single-Tenants with a single workspace trade-off include:
 
 ## Single-tenant with regional Microsoft Sentinel workspaces
 
-The single-tenant with regional Microsoft Sentinel workspaces will have multiple Sentinel workspaces requiring the creation and configuration of multiple Microsoft Sentinel and Log Analytics workspaces.
+The single-tenant with regional Microsoft Sentinel workspaces, have multiple Microsoft Sentinel workspaces requiring the creation and configuration of multiple Microsoft Sentinel and Log Analytics workspaces.
 
-:::image type="content" source="../media/single-tenant-regional-workspace.png" alt-text="Diagram of a Sentinel Single Tenant Regional Workspace.":::
+:::image type="content" source="../media/single-tenant-regional-workspace.png" alt-text="Diagram of a Microsoft Sentinel Single Tenant Regional Workspace.":::
 
 | Pros| Cons|
 | :--- | :--- |
@@ -49,14 +49,12 @@ TableName
 
 ```
 
-## Multi-tenant workspaces
-
-If you're required to manage a Microsoft Sentinel workspace, not in your tenant, you implement Multi-Tenant workspaces using Azure Lighthouse.  This security configuration grants you access to the tenants.  The tenant configuration within the tenant (regional or multi-regional) is the same consideration as before.
-
-:::image type="content" source="../media/multi-tenant-workspaces.png" alt-text="Diagram of Sentinel Multi-Tenant Workspaces.":::
+## Multiple tenant workspaces
 
+If you're required to manage a Microsoft Sentinel workspace, not in your tenant, you implement Multiple tenant workspaces using Azure Lighthouse.  This security configuration grants you access to the tenants.  The tenant configuration within the tenant (regional or multi-regional) is the same consideration as before.
 
+:::image type="content" source="../media/multi-tenant-workspaces.png" alt-text="Diagram of Microsoft Sentinel Multiple tenant Workspaces.":::
 
 ## Use the same log analytics workspace as Microsoft Defender for Cloud
 
-Use the same workspace for both Microsoft Sentinel and Microsoft Defender for Cloud, so that all logs collected by Microsoft Defender for Cloud can also be ingested and used by Microsoft Sentinel. The default workspace created by Microsoft Defender for Cloud won't appear as an available workspace for Microsoft Sentinel.
+Use the same workspace for both Microsoft Sentinel and Microsoft Defender for Cloud, so that all logs collected by Microsoft Defender for Cloud can also be ingested and used by Microsoft Sentinel. The default workspace created by Microsoft Defender for Cloud won't appear as an available workspace for Microsoft Sentinel.
diff --git a/learn-pr/wwl-sci/create-manage-azure-sentinel-workspaces/includes/3-create-azure-sentinel-workspace.md b/learn-pr/wwl-sci/create-manage-azure-sentinel-workspaces/includes/3-create-azure-sentinel-workspace.md
@@ -1,4 +1,4 @@
-After designing the workspace architecture, log in to the Azure portal. At the search bar, search for Sentinel, then select **Microsoft Sentinel**.  The Microsoft Sentinel Workspaces shows a list of the current workspaces.  Select the **+ add** button to start the creation process.
+After designing the workspace architecture, sign-in to the Azure portal. At the search bar, search for Sentinel, then select **Microsoft Sentinel**. The Microsoft Sentinel Workspaces shows a list of the current workspaces. Select the **+ add** button to start the creation process.
 
 > [!NOTE]
 > If you choose to perform this exercise, be aware you might incur costs in your Azure Subscription. To estimate the cost, refer to [Microsoft Sentinel Pricing](https://azure.microsoft.com/pricing/details/azure-sentinel/). We have also included an interactive lab simulation after the exercise.
@@ -17,12 +17,12 @@ To enable Microsoft Sentinel, you need contributor permissions to the subscripti
     | :--- | :--- |
     | Subscription| Select the Subscription|
     | Resource Group| Select or create a Resource Group|
-    | Name| Name is the name of the Log Analytics workspace and will also be the name of your Microsoft Sentinel Workspace|
+    | Name| Name is the name of the Log Analytics workspace and is also the name of your Microsoft Sentinel Workspace|
     | Region| The region is the location the log data is stored.|
 
     > [!IMPORTANT]
-    > The Name will be the name of the Microsoft Sentinel workspace.  The Microsoft Sentinel name will default to the Log Analytics Workspace Name.
-    > The Region is the location where ingested data is stored.  The data location impacts data governance requirements.  Workspaces can't move from region to region; you will need to recreate the workspace if the region option needs to be changed.
+    > The Name is the name of the Microsoft Sentinel workspace. The Microsoft Sentinel name defaults to the Log Analytics Workspace Name.
+    > The Region is the location where ingested data is stored. The data location impacts data governance requirements.  Workspaces can't move from region to region; you'll need to recreate the workspace if the region option needs to be changed.
 
 1. Select the **Review + Create** button and then select the **Create** button.
 
@@ -52,7 +52,8 @@ The Overview tab displays a standard dashboard of information about the ingested
 
 ## Microsoft Sentinel sharing a Log Analytics Workspace
 
-Considering that Microsoft Sentinel workspace uses a Log Analytics workspace, you have the option to enable the Sentinel workspace in a Log Analytics workspace that is used by other solutions. The most common scenario is sharing the Log Analytics workspace used by Microsoft Defender for Cloud.  Sharing the workspace enables one central workspace to query security data.  
+Considering that Microsoft Sentinel workspace uses a Log Analytics workspace, you have the option to enable the Microsoft Sentinel workspace in a Log Analytics workspace that is used by other solutions. The most common scenario is sharing the Log Analytics workspace used by Microsoft Defender for Cloud. Sharing the workspace enables one central workspace to query security data.  
 
 ## Microsoft Defender for Cloud
-When creating your Microsoft Sentinel workspace, you aren't allowed to use the **Default** Microsoft Defender for Cloud Log Analytics workspace.  You need to manually create a Log Analytics workspace then update the Microsoft Defender for Cloud tier.  Now you can select the manually created Log Analytics workspace for use with Microsoft Defender for Cloud.
+
+When creating your Microsoft Sentinel workspace, you aren't allowed to use the **Default** Microsoft Defender for Cloud Log Analytics workspace. You need to manually create a Log Analytics workspace then update the Microsoft Defender for Cloud tier. Now you can select the manually created Log Analytics workspace for use with Microsoft Defender for Cloud.
diff --git a/learn-pr/wwl-sci/create-manage-azure-sentinel-workspaces/includes/7-configure-logs.md b/learn-pr/wwl-sci/create-manage-azure-sentinel-workspaces/includes/7-configure-logs.md
@@ -1,33 +1,29 @@
-
 There are three primary log types in Microsoft Sentinel:
 
 - Analytics Logs
 - Basic Logs
-- Archive Logs
-
+- Auxilary Logs (Preview)
 
 Data in each table in a Log Analytics workspace is retained for a specified period of time after which it's either removed or archived with a reduced retention fee. Set the retention time to balance your requirement for having data available with reducing your cost for data retention.
 
 To access archived data, you must first retrieve data from it in an Analytics Logs table using one of the following methods:
+
 - Search Jobs
 - Restore
 
-
-
-
 :::image type="content" source="../media/workspace-plan-overview.png" alt-text="Diagram of different Workspace Log Types.":::
 
-
-
 ## Analytical Logs
 
-By default, all tables in a workspace are of type Analytics Logs, which are available to all features of a Log Analytics workspace and any other services that use the workspace. 
+By default, all tables in a workspace are of type Analytics Logs, which are available to all features of a Log Analytics workspace and any other services that use the workspace.
 
+## Basic Logs
 
+ You can configure certain tables as **Basic Logs** to reduce the cost of storing high-volume verbose logs you use for debugging, troubleshooting and auditing, but not for analytics and alerts. Tables configured for Basic Logs have a lower ingestion cost in exchange for reduced features. Basic logs are only **retained for 8 days**.
 
-## Basic Logs
+## Auxiliary Logs (Preview)
 
- You can configure certain tables as **Basic Logs** to reduce the cost of storing high-volume verbose logs you use for debugging, troubleshooting and auditing, but not for analytics and alerts. Tables configured for Basic Logs have a lower ingestion cost in exchange for reduced features.  Basic logs are only **retained for 8 days**.
+Auxiliary Logs are suited for low-touch data, such as verbose logs, and data required for auditing and compliance. This plan offers low-cost ingestion and unoptimized single-table queries for 30 days.
 
 ### KQL language limits
 
@@ -44,14 +40,13 @@ Queries against Basic Logs are optimized for simple data retrieval using a subse
 - parse-where
 
 The following KQL isn't supported:
+
 - join
 - union
 - aggregates (summarize)
 
 ### Table support Basic Logs
 
-
-
 All tables in your Log Analytics are Analytics tables, by default. You can configure particular tables to use Basic Logs. You can't configure a table for Basic Logs if Azure Monitor relies on that table for specific features.
 
 You can currently configure the following tables for Basic Logs:
@@ -60,42 +55,34 @@ You can currently configure the following tables for Basic Logs:
 - ContainerLogV2, which Container Insights uses and which include verbose text-based log records.
 - AppTraces, which contain freeform log records for application traces in Application Insights.
 
-> [!NOTE] 
-> Basic Logs are currently in *Preview*.  The supported/eligible tables documentation will be updated with current information when the feature is *Generally Available*. 
-
-
-
 ### Configure log type
 
 To adjust the log type for an **eligible** table, select the workspace settings in the Microsoft Sentinel Settings area.  
-The next screen is in the Log Analytics portal.  
+The next screen is in the Log Analytics portal.
+
 1. Select the "Tables" tab.  
 1. Select the table then **...** at the end of the row.
 1. Select Manage table
 1. Change the *Table plan*.
 1. Select **Save**
 
+## Long-term retention
 
+By default, all tables in a Log Analytics workspace retain data for 30 days, except for log tables with 90-day default retention. During this period - the interactive retention period - you can retrieve the data from the table through queries, and the data is available for visualizations, alerts, and other features and services, based on the table plan.
 
-## Archive Logs
-
-Archiving lets you keep older, less used data in your workspace at a reduced cost. Each workspace has a default retention policy that's applied to all tables. You can set a different retention policy on individual tables.  
+You can extend the interactive retention period of tables with the Analytics plan to up to two years. The Basic and Auxiliary plans have a fixed interactive retention period of 30 days.  
 
+:::image type="content" source="../media/retention-long-term.png" alt-text="Diagram of the Retention archive process.":::
 
-:::image type="content" source="../media/retention-archive.png" alt-text="Diagram of the Retention archive process.":::
-
-
-
-During the interactive retention period, data is available for monitoring, troubleshooting and analytics. When you no longer use the logs, but still need to keep the data for compliance or occasional investigation, archive the logs to save costs. You can access archived data by running a search job or restoring archived logs.
-
+To retain data in the same table beyond the interactive retention period, extend the table's total retention to up to 12 years. At the end of the interactive retention period, the data stays in the table for the remainder of the total retention period you configure. During this period - the long-term retention period - run a search job to retrieve the specific data you need from the table and make it available for interactive queries in a search results table.
 
 ### Configure table retention
 
 To adjust the retention days for a table, select the workspace settings in the Microsoft Sentinel Settings area.  
-The next screen is in the Log Analytics portal.  
+The next screen is in the Log Analytics portal.
+  
 1. Select the "Tables" tab.  
 1. Select the table then **...** at the end of the row.
 1. Select Manage table
 1. Change the *Total retention period*.
 1. Select **Save**
-
diff --git a/learn-pr/wwl-sci/create-manage-azure-sentinel-workspaces/index.yml b/learn-pr/wwl-sci/create-manage-azure-sentinel-workspaces/index.yml
@@ -3,7 +3,7 @@ uid: learn.wwl.create-manage-azure-sentinel-workspaces
 metadata:
   title: Create and manage Microsoft Sentinel workspaces
   description: "Create and manage Microsoft Sentinel workspaces"
-  ms.date: 11/11/2022
+  ms.date: 03/14/2025
   author: wwlpublish
   ms.author: kelawson
   ms.topic: module
diff --git a/learn-pr/wwl-sci/create-manage-azure-sentinel-workspaces/media/retention-long-term.png b/learn-pr/wwl-sci/create-manage-azure-sentinel-workspaces/media/retention-long-term.png
diff --git a/learn-pr/wwl-sci/create-manage-azure-sentinel-workspaces/media/workspace-plan-overview.png b/learn-pr/wwl-sci/create-manage-azure-sentinel-workspaces/media/workspace-plan-overview.png
