articles/sentinel/billing-reduce-costs.md
4 additions & 4 deletions
@@ -5,7 +5,7 @@ author: cwatson-cat
5
5
ms.author: cwatson
6
6
ms.custom: subject-cost-optimization
7
7
ms.topic: how-to
8
-
ms.date: 02/18/2022
8
+
ms.date: 02/22/2022
9
9
---
10
10
11
11
# Reduce costs for Microsoft Sentinel
@@ -36,7 +36,7 @@ When hunting or investigating threats in Microsoft Sentinel, you might need to a
36
36
37
37
## Turn on basic logs data ingestion for data that's high-volume low security value (preview)
38
38
39
-
Unlike analytics logs, [basic logs](../azure-monitor/logs/basic-logs-configure.md) are typically verbose. They contains a mix of high volume and low security value data, that isn't frequently used or accessed on demand for ad-hoc querying, investigations and search. Enable basic log data ingestion at a significantly reduced cost for eligible data tables. For more information, see [Microsoft Sentinel Pricing](https://azure.microsoft.com/pricing/details/microsoft-sentinel/).
39
+
Unlike analytics logs, [basic logs](../azure-monitor/logs/basic-logs-configure.md) are typically verbose. They contain a mix of high volume and low security value data, that isn't frequently used or accessed on demand for ad-hoc querying, investigations and search. Enable basic log data ingestion at a significantly reduced cost for eligible data tables. For more information, see [Microsoft Sentinel Pricing](https://azure.microsoft.com/pricing/details/microsoft-sentinel/).
40
40
41
41
## Optimize Log Analytics costs with dedicated clusters
42
42
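Review bot: the subject-verb fix on line 39 is right, but the same sentence still has a comma that splits a restrictive clause and inconsistent hyphenation. "a mix of high volume and low security value data, that isn't frequently used" should drop the comma and hyphenate the compound modifiers, e.g. "a mix of high-volume, low-security-value data that isn't frequently used or accessed on demand". The heading on line 37 reads "high-volume low security value"; hyphenate both modifiers there or neither.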
@@ -48,7 +48,7 @@ You can add multiple Microsoft Sentinel workspaces to a Log Analytics dedicated
48
48
49
49
- Cross-workspace queries run faster if all the workspaces involved in the query are in the dedicated cluster. It's still best to have as few workspaces as possible in your environment, and a dedicated cluster still retains the [100 workspace limit](../azure-monitor/logs/cross-workspace-query.md) for inclusion in a single cross-workspace query.
50
50
51
-
- All workspaces in the dedicated cluster can share the Log Analytics Commitment Tier set on the cluster. Not having to commit to separate Log Analytics Commitment Tiers for each workspace can allow for cost savings and efficiencies. By enabling a dedicated cluster, you commit to a minimum Log Analytics Commitment Tier of 500GB ingestion per day.
51
+
- All workspaces in the dedicated cluster can share the Log Analytics Commitment Tier set on the cluster. Not having to commit to separate Log Analytics Commitment Tiers for each workspace can allow for cost savings and efficiencies. By enabling a dedicated cluster, you commit to a minimum Log Analytics Commitment Tier of 500-GB ingestion per day.
52
52
53
53
Here are some other considerations for moving to a dedicated cluster for cost optimization:
54
54
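Review bot: "500-GB ingestion per day" on line 51 hyphenates the quantity as a compound adjective, which is defensible, but the workspace-architecture file touched in this same commit writes rates as "50 GB/day". Consider "a minimum Log Analytics Commitment Tier of 500 GB per day" so the unit style is the same across the three files changed here.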
@@ -68,7 +68,7 @@ Microsoft Sentinel data retention is free for the first 90 days. To adjust the d
68
68
69
69
Microsoft Sentinel security data might lose some of its value after a few months. Security operations center (SOC) users might not need to access older data as frequently as newer data, but still might need to access the data for sporadic investigations or audit purposes.
70
70
71
-
To help you reduce Microsoft Sentinel data retention costs, Azure Monitor now offers archived logs. Archived logs store log data for very long periods of time, up to 7 years, at a reduced cost with limitations on its usage. Archived logs are in public preview. For more information, see [Configure data retention and archive policies in Azure Monitor Logs](../azure-monitor/logs/data-retention-archive.md).
71
+
To help you reduce Microsoft Sentinel data retention costs, Azure Monitor now offers archived logs. Archived logs store log data for long periods of time, up to seven years, at a reduced cost with limitations on its usage. Archived logs are in public preview. For more information, see [Configure data retention and archive policies in Azure Monitor Logs](../azure-monitor/logs/data-retention-archive.md).
72
72
73
73
Alternatively, you can use Azure Data Explorer for long-term data retention at lower cost. Azure Data Explorer provides the right balance of cost and usability for aged data that no longer needs Microsoft Sentinel security intelligence.
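Review bot: line 71 still has a number-agreement problem that this wording pass did not catch: "Archived logs store log data ... with limitations on its usage" pairs the plural "archived logs" with the singular "its". Suggest "with limitations on their usage" or "with limits on how you can use them". The "7 years" to "seven years" change is fine.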
articles/sentinel/billing.md
5 additions & 9 deletions
@@ -5,14 +5,14 @@ author: cwatson-cat
5
5
ms.author: cwatson
6
6
ms.custom: subject-cost-optimization
7
7
ms.topic: how-to
8
-
ms.date: 02/18/2022
8
+
ms.date: 02/22/2022
9
9
---
10
10
11
11
# Plan costs for Microsoft Sentinel
12
12
13
13
Microsoft Sentinel provides intelligent security analytics across your enterprise. The data for this analysis is stored in an Azure Monitor Log Analytics workspace. Microsoft Sentinel is billed based on the volume of data for analysis in Microsoft Sentinel and storage in the Azure Monitor Log Analytics workspace. For more information, see the [Microsoft Sentinel Pricing Page](https://azure.microsoft.com/pricing/details/microsoft-sentinel/).
14
14
15
-
Before you add any resources for the Microsoft Sentinel use the [Azure pricing calculator](https://azure.microsoft.com/pricing/calculator/) to help estimate your costs.
15
+
Before you add any resources for the Microsoft Sentinel, use the [Azure pricing calculator](https://azure.microsoft.com/pricing/calculator/) to help estimate your costs.
16
16
17
17
Costs for Microsoft Sentinel are only a portion of the monthly costs in your Azure bill. Although this article explains how to plan costs and understand the billing for Microsoft Sentinel, you're billed for all Azure services and resources your Azure subscription uses, including Partner services.
18
18
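Review bot: the comma added on line 15 helps, but "for the Microsoft Sentinel" keeps a stray article; the product name takes no "the" on line 13 or anywhere else in this hunk. Suggest "Before you add any resources for Microsoft Sentinel, use the Azure pricing calculator to help estimate your costs."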
@@ -49,10 +49,6 @@ For example, you can enter the GB of daily data you expect to ingest in Microsof
49
49
- Data archive (archived logs)
50
50
- Basic logs queries
51
51
52
-
The costs shown in following image are for example purposes only. They're not intended to reflect actual costs.
53
-
54
-
:::image type="content" source="media/billing/pricing-calculator.png" alt-text="Screenshot of sample estimated cost in the Azure pricing calculator for Microsoft Sentinel." lightbox="media/billing/pricing-calculator.png" :::
55
-
56
52
## Understand the full billing model for Microsoft Sentinel
57
53
58
54
Microsoft Sentinel offers a flexible and predictable pricing model. For more information, see the [Microsoft Sentinel pricing page](https://azure.microsoft.com/pricing/details/azure-sentinel/). For the related Log Analytics charges, see [Azure Monitor Log Analytics pricing](https://azure.microsoft.com/pricing/details/log-analytics/).
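Review bot: removing the pricing-calculator screenshot (lines 52-55) drops the only reference to media/billing/pricing-calculator.png visible in this diff. If nothing else references it, delete the image in the same change so the repo does not carry an orphaned asset; if it stays because another article uses it, saying so in the commit message would save the next reviewer the search. Dropping the "example purposes only" caveat together with the image is correct, since nothing remains for it to qualify.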
@@ -61,7 +57,7 @@ Microsoft Sentinel runs on Azure infrastructure that accrues costs when you depl
61
57
62
58
### How you're charged for Microsoft Sentinel
63
59
64
-
Microsoft Sentinel offers flexible pricing based on the types of logs ingested into a workspace. Analytics logs typically make up the majority of your high security value logs. Basic logs tend to be verbose with low security value.
60
+
Microsoft Sentinel offers flexible pricing based on the types of logs ingested into a workspace. Analytics logs typically make up most of your high security value logs. Basic logs tend to be verbose with low security value.
65
61
66
62
#### Analytics logs
67
63
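Review bot: "majority of" to "most of" on line 60 is fine, but the same sentence reads more clearly with the compound modifier hyphenated: "most of your high-security-value logs". The following sentence, "Basic logs tend to be verbose with low security value", uses the phrase as a predicate and needs no hyphens.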
@@ -212,11 +208,11 @@ The following table lists the free data sources you can enable in Microsoft Sent
212
208
213
209
For data connectors that include both free and paid data types, you can select which data types you want to enable.
214
210
215
-
:::image type="content" source="media/billing/data-types.png" alt-text="Screenshot of the Data connector page for Defender for Cloud Apps, with the free security alerts selected and the paid MCASShadowITReporting not selected." lightbox="media/billing/data-types.png":::
211
+
:::image type="content" source="media/billing/data-types.png" alt-text="Screenshot of the Data connector page for Defender for Cloud Apps, with the free security alerts selected and the paid M C A S Shadow I T Reporting not selected." lightbox="media/billing/data-types.png":::
216
212
217
213
For more information about free and paid data sources and connectors, see [Connect data sources](connect-data-sources.md).
218
214
219
-
Data connectors listed as public preview do not generate cost. Data connectors generate cost only once becoming Generally Available (GA).
215
+
Data connectors listed as public preview don't generate cost. Data connectors generate cost only once becoming Generally Available (GA).
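Review bot: the alt-text change on line 211 spells the table name as "M C A S Shadow I T Reporting", presumably so a screen reader pronounces it, but it turns a literal table name (MCASShadowITReporting, as in the original) into text that no longer matches the UI or a search for that name. Prefer keeping the identifier verbatim in alt text; if pronunciation is the concern, describe the item instead ("the paid shadow IT reporting data type not selected"). Separately, line 215 fixes "do not" but leaves "only once becoming Generally Available (GA)", which should read "only once they become generally available (GA)".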
articles/sentinel/design-your-workspace-architecture.md
7 additions & 7 deletions
@@ -23,7 +23,7 @@ Before working through the decision tree, make sure you have the following infor
23
23
|**Regulatory requirements related to Azure data residency**| Microsoft Sentinel can run on workspaces in most, but not all regions [supported in GA for Log Analytics](https://azure.microsoft.com/global-infrastructure/services/?products=monitor). Newly supported Log Analytics regions may take some time to onboard the Microsoft Sentinel service. <br><br> Data generated by Microsoft Sentinel, such as incidents, bookmarks, and analytics rules, may contain some customer data sourced from the customer's Log Analytics workspaces.<br><br> For more information, see [Geographical availability and data residency](quickstart-onboard.md#geographical-availability-and-data-residency).|
24
24
|**Data sources**| Find out which [data sources](connect-data-sources.md) you need to connect, including built-in connectors to both Microsoft and non-Microsoft solutions. You can also use Common Event Format (CEF), Syslog or REST-API to connect your data sources with Microsoft Sentinel. <br><br>If you have Azure VMs in multiple Azure locations that you need to collect the logs from and the saving on data egress cost is important to you, you need to calculate the data egress cost using [Bandwidth pricing calculator](https://azure.microsoft.com/pricing/details/bandwidth/#overview) for each Azure location. |
25
25
|**User roles and data access levels/permissions**| Microsoft Sentinel uses [Azure role-based access control (Azure RBAC)](../role-based-access-control/role-assignments-portal.md) to provide [built-in roles](../role-based-access-control/built-in-roles.md) that can be assigned to users, groups, and services in Azure. <br><br>All Microsoft Sentinel built-in roles grant read access to the data in your Microsoft Sentinel workspace. Therefore, you need to find out whether there is a need to control data access per data source or row-level as that will impact the workspace design decision. For more information, see [Custom roles and advanced Azure RBAC](roles.md#custom-roles-and-advanced-azure-rbac). |
26
-
|**Daily ingestion rate** | The daily ingestion rate,usually in GB/day, is one of the key factors in cost management and planning considerations and workspace design for Microsoft Sentinel. <br><br>In most cloud and hybrid environments, networking devices, such as firewalls or proxies,and Windows and Linux servers produce the most ingested data. To obtain the most accurate results, Microsoft recommends an exhaustive inventory of data sources. <br><br>Alternatively, the Microsoft Sentinel [cost calculator](https://cloudpartners.transform.microsoft.com/download?assetname=assets%2FAzure_Sentinel_Calculator.xlsx&download=1) includes tables useful in estimating footprints of data sources. <br><br>**Important**: These estimates are a starting point, and log verbosity settings and workload will produce variances. We recommend that you monitor your system regularly to track any changes. Regular monitoring is recommended based on your scenario. <br><br>For more information, see [Manage usage and costs with Azure Monitor Logs](../azure-monitor/logs/manage-cost-storage.md). |
26
+
|**Daily ingestion rate** | The daily ingestion rate, usually in GB/day, is one of the key factors in cost management and planning considerations and workspace design for Microsoft Sentinel. <br><br>In most cloud and hybrid environments, networking devices, such as firewalls or proxies, and Windows and Linux servers produce the most ingested data. To obtain the most accurate results, Microsoft recommends an exhaustive inventory of data sources. <br><br>Alternatively, the Microsoft Sentinel [cost calculator](https://cloudpartners.transform.microsoft.com/download?assetname=assets%2FAzure_Sentinel_Calculator.xlsx&download=1) includes tables useful in estimating footprints of data sources. <br><br>**Important**: These estimates are a starting point, and log verbosity settings and workload will produce variances. We recommend that you monitor your system regularly to track any changes. Regular monitoring is recommended based on your scenario. <br><br>For more information, see [Manage usage and costs with Azure Monitor Logs](../azure-monitor/logs/manage-cost-storage.md). |
27
27
|||
28
28
29
29
## Decision tree
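Review bot: line 26 fixes the two missing spaces, but the Important note in the same cell ends with two sentences that say the same thing: "We recommend that you monitor your system regularly to track any changes. Regular monitoring is recommended based on your scenario." Drop the second sentence, or merge the two into one that states when to re-check the estimate.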
@@ -99,7 +99,7 @@ If you need to split your billing or charge-back, consider whether the usage rep
99
99
-**Yes**: Proceed with [step 6](#step-6-multiple-regions) for further evaluation.
100
100
-**No**: We do not recommend using the same workspace for the sake of cost efficiency. Proceed with [step 6](#step-6-multiple-regions) for further evaluation.
101
101
102
-
In either case, for more information, see [note 10](#note10).
102
+
In either case, for more information, see [note 10](#note10).
103
103
104
104
**If you have *no* overlapping data**, consider whether the ingestion for *both* SOC and non-SOC data individually is less than 100 GB / day, but more than 100 GB / day when combined:
105
105
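Review bot: the two versions of line 102 are identical as rendered, so this hunk is presumably a trailing-whitespace fix. That is fine to keep, but noting it in the commit message would spare reviewers from hunting for a textual change.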
@@ -120,17 +120,17 @@ The following table compares workspace options with and without separate workspa
120
120
121
121
|Workspace architecture |Description |
122
122
|---------|---------|
123
-
|The SOC team has its own workspace, with Microsoft Sentinel enabled. <br><br>The Ops team has its own workspace, without Microsoft Sentinel enabled. |**SOC team**: <br>Microsoft Sentinel cost for 50GB/day is $6,500 per month.<br>First three months of retention are free. <br><br>**Ops team**:<br>- Cost of Log Analytics at 50GB/day is around $3,500 per month.<br>- First 31 days of retention are free.<br><br>The total cost for both equals $10,000 per month. |
123
+
|The SOC team has its own workspace, with Microsoft Sentinel enabled. <br><br>The Ops team has its own workspace, without Microsoft Sentinel enabled. |**SOC team**: <br>Microsoft Sentinel cost for 50 GB/day is $6,500 per month.<br>First three months of retention are free. <br><br>**Ops team**:<br>- Cost of Log Analytics at 50 GB/day is around $3,500 per month.<br>- First 31 days of retention are free.<br><br>The total cost for both equals $10,000 per month. |
124
124
|Both SOC and Ops teams share the same workspace with Microsoft Sentinel enabled. |By combining both logs, ingestion will be 100 GB / day, qualifying for eligibility for Commitment Tier (50% for Sentinel and 15% for LA). <br><br>Cost of Microsoft Sentinel for 100 GB / day equals $9,000 per month. |
125
125
|||
126
126
127
127
In this example, you'd have a cost savings of $1,000 per month by combining both workspaces, and the Ops team will also enjoy 3 months of free retention instead of only 31 days.
128
128
129
-
This example is relevant only when both SOC and non-SOC data each have an ingestion size of >=50GB/day and <100GB/day.
129
+
This example is relevant only when both SOC and non-SOC data each have an ingestion size of >=50 GB/day and <100 GB/day.
130
130
131
131
<aname="note10"></a>[Decision tree note #10](#decision-tree): We recommend using a separate workspace for non-SOC data so that non-SOC data isn't subjected to Microsoft Sentinel costs.
132
132
133
-
However, this recommendation for separate workspaces for non-SOC data comes from a purely cost-based perspective, and there are other key design factors to examine when determining whether to use a single or multiple workspaces. To avoid double ingestion costs, consider collecting overlapped data on a single workspace only with table-level Azure RBAC.
133
+
However, this recommendation for separate workspaces for non-SOC data comes from a purely cost-based perspective, and there are other key design factors to examine when determining whether to use a single or multiple workspaces. To avoid double ingestion costs, consider collecting overlapped data on a single workspace only with table-level Azure RBAC.
134
134
135
135
### Step 6: Multiple regions?
136
136
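Review bot: line 123 now writes "50 GB/day" while the neighbouring row on line 124 keeps "100 GB / day" with spaces around the slash, and line 129 uses ">=50 GB/day"; pick one form for the table and the sentence below it. Within this hunk, "15% for LA" on line 124 is the only place the abbreviation "LA" appears unexpanded; every other mention spells out "Log Analytics", so expand it here too. Line 133 is another whitespace-only change; same comment as for the earlier identical pair.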
@@ -149,7 +149,7 @@ However, this recommendation for separate workspaces for non-SOC data comes from
149
149
For example, your cost might be estimated as follows:
150
150
151
151
- 1,000 VMs, each generating 1 GB / day;
152
-
- Sending data from a US region to a EU region;
152
+
- Sending data from a US region to an EU region;
153
153
- Using a 2:1 compression rate in the agent
154
154
155
155
The calculation for this estimated cost would be: `1000 VMs * (1GB/day ÷ 2) * 30 days/month * $0.05/GB = $750/month bandwidth cost`
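Review bot: the article fix on line 152 ("an EU region") is correct. In the same example, the calculation on line 155 writes "1GB/day" while the bullet on line 151 writes "1 GB / day"; align the two so the formula visibly uses the list's inputs. The $0.05/GB rate and the 2:1 compression are the example's stated assumptions, and the surrounding text already calls this an estimate, so no change is needed there beyond the spacing.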
@@ -188,7 +188,7 @@ However, this recommendation for separate workspaces for non-SOC data comes from
188
188
189
189
#### Considerations for resource-context or table-level RBAC
190
190
191
-
When planning to use resource-context or table level RBAC, consider the following:
191
+
When planning to use resource-context or table level RBAC, consider the following information:
192
192
193
193
- <aname="note7"></a>[Decision tree note #7](#decision-tree): To configure resource-context RBAC for non-Azure resources, you may want to associate a Resource ID to the data when sending to Microsoft Sentinel, so that the permission can be scoped using resource-context RBAC. For more information, see [Explicitly configure resource-context RBAC](resource-context-rbac.md#explicitly-configure-resource-context-rbac) and [Access modes by deployment](../azure-monitor/logs/design-logs-deployment.md).
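Review bot: "consider the following information:" on line 191 is grammatically complete but reads as filler; the original "consider the following:" was acceptable, or name what follows ("consider the following notes:"). Also, the heading on line 189 hyphenates "table-level RBAC" while line 191 writes "table level RBAC"; hyphenate it consistently.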