Proofing planning section

Author: limwainstein

articles/sentinel/media/migration-overview/migration-phases.png

@@ -15,7 +15,7 @@ This article discusses the reasons for migrating from a legacy SIEM, and describ
 
 ## Migration steps
 
-In this section, you learn how to migrate your legacy SIEM to Microsoft Sentinel. Follow your migration process through this series of articles, in which you'll learn how to navigate different steps in the process.
+In this guide, you learn how to migrate your legacy SIEM to Microsoft Sentinel. Follow your migration process through this series of articles, in which you'll learn how to navigate different steps in the process.
 
 |Step  |Article  |
 |---------|---------|
@@ -36,26 +36,24 @@ Microsoft Sentinel is a scalable, cloud-native, security information and event m
 
 SOC teams face a set of challenges when managing a legacy SIEM:
 
-- **Slow response to threats**: Legacy SIEMs use correlation rules, which are difficult to maintain and ineffective for identifying emerging threats. SOC analysts, faced with large amounts of false positives, alerts from many different security components, and increasingly high volumes of logs, are slower to uncover and respond to critical threats in the environment.
-- **Scaling challenges**: As data ingestion rates grow, SOC teams are challenged with scaling their SIEM. Instead of focusing on protecting the organization, SOC teams must invest in infrastructure setup and maintenance, and are bound by storage or query limits.  
-- **Manual analysis and response**: SOC teams need highly skilled analysts to manually process large amounts of alerts. Teams become overworked and new analysts are hard to find.
-- **Complex and inefficient management**: SOC teams typically oversee orchestration and infrastructure, manage connections between the SIEM and various data sources, and perform updates and patches. These tasks are often at the expense of critical triage and analysis.
+- **Slow response to threats**. Legacy SIEMs use correlation rules, which are difficult to maintain and ineffective for identifying emerging threats. In addition, SOC analysts are faced with large amounts of false positives, many alerts from many different security components, and increasingly high volumes of logs. Analyzing this data slows down SOC teams in their efforts to respond to critical threats in the environment.
+- **Scaling challenges**. As data ingestion rates grow, SOC teams are challenged with scaling their SIEM. Instead of focusing on protecting the organization, SOC teams must invest in infrastructure setup and maintenance, and are bound by storage or query limits.  
+- **Manual analysis and response**. SOC teams need highly skilled analysts to manually process large amounts of alerts. Teams become overworked and new analysts are hard to find.
+- **Complex and inefficient management**. SOC teams typically oversee orchestration and infrastructure, manage connections between the SIEM and various data sources, and perform updates and patches. These tasks are often at the expense of critical triage and analysis.
 
 A cloud-native SIEM addresses these challenges. Microsoft Sentinel collects data automatically and at scale, detects unknown threats, investigates threats with artificial intelligence, and responds to incidents rapidly with built-in automation.
 
 ## Plan your migration
 
-During the planning phase, you identify your existing SIEM components, existing SOC processes, and design and plan new use cases. It’s important that each phase includes clear goals for each phase, key activities and the outcome of that phase by specifying the deliverables. Learn about [migration phases](#plan-migration-phases). Thorough planning allows you to maintain protection for both your cloud-based assets—Microsoft Azure, AWS, or GCP—and your SaaS solutions, such as Microsoft Office 365. 
+During the planning phase, you identify your existing SIEM components, your existing SOC processes, and you design and plan new use cases. Thorough planning allows you to maintain protection for both your cloud-based assets—Microsoft Azure, AWS, or GCP—and your SaaS solutions, such as Microsoft Office 365. 
 
-#### Plan migration phases
+This diagram describes the high-level phases that a typical migration includes. Each phase includes clear goals, key activities, and specified outcomes and deliverables. 
 
-This section describes the high-level phases that a typical migration includes. Each phase includes clear goals, activities, and specified outcomes and deliverables. 
-
-The phases below are a guideline to a complete and typical migration procedure. An actual migration may not include some phases or may include additional phases. Rather than reviewing the full set of phases, the following sections in this guide review specific tasks and steps that are especially important to a Microsoft Sentinel migration.
+The phases in this diagram are a guideline for how to complete a typical migration procedure. An actual migration may not include some phases or may include additional phases. Rather than reviewing the full set of phases, [the articles in this guide](#migration-steps) review specific tasks and steps that are especially important to a Microsoft Sentinel migration.
 
 :::image type="content" source="media/migration-overview/migration-phases.png" alt-text="Diagram of the Microsoft Sentinel migration phases." lightbox="media/migration-overview/migration-phases.png":::
 
-##### Considerations
+### Considerations
 
 Review these key considerations for each phase.
 
@@ -64,9 +62,9 @@ Review these key considerations for each phase.
 |Discover     |[Identify use cases](#identify-use-cases) and [migration priorities](#identify-your-migration-priorities) as part of this phase.        |
 |Design     |Define a detailed design and architecture for your Microsoft Sentinel implementation. You will use this information to get approval from the relevant stakeholders before you start the implementation phase.         |
 |Implement     |As you implement Microsoft Sentinel components according to the design phase, and before you convert your entire infrastructure, consider whether you can use Microsoft Sentinel out-of-the-box content instead of migrating all components. You can begin using Microsoft Sentinel gradually, starting with a minimum viable product (MVP) for several use cases. As you add more use cases, you can use this Microsoft Sentinel instance as a user acceptance testing (UAT) environment to validate the use cases.         |
-|Operationalize     |You migrate your content and SOC processes to ensure that the existing analyst experience is not disrupted.         |
+|Operationalize     |You [migrate your content and SOC processes](migration-soc-processes.md) to ensure that the existing analyst experience is not disrupted.         |
 
-###### Identify your migration priorities
+#### Identify your migration priorities
 
 Use these questions to pin down your migration priorities:
 - What are the most critical infrastructure components, systems, apps, and data in your business?
@@ -78,7 +76,7 @@ Use these questions to pin down your migration priorities:
 
 Before you begin migration, identify key use cases, detection rules, data, and automation in your current SIEM. Approach your migration as a gradual process. Be intentional and thoughtful about what you migrate first, what you deprioritize, and what doesn’t actually need to be migrated. Your team might have an overwhelming number of detections and use cases running in your current SIEM. Before beginning migration, decide which ones are actively useful to your business.
 
-###### Identify use cases 
+#### Identify use cases 
 
 When planning the discover phase, use the following guidance to identify your use cases.
 - Identify and analyze your current use cases by threat, operating system, product, and so on.
@@ -92,4 +90,11 @@ When planning the discover phase, use the following guidance to identify your us
         - Review rules that haven’t triggered any alerts in the last 6 to 12 months.
         - Eliminate low-level threats or alerts you routinely ignore.
 - Prepare a validation process. Define test scenarios and build a test script.
-- Can you apply a methodology to prioritize use cases? You can follow a methodology such as MoSCoW to prioritize a leaner set of use cases for migration.
+- Can you apply a methodology to prioritize use cases? You can follow a methodology such as MoSCoW to prioritize a leaner set of use cases for migration.
+
+## Next steps
+
+In this article, you learned how to plan and prepare for your migration. 
+
+> [!div class="nextstepaction"]
+> [Track your migration with a workbook](migration-track.md)

articles/sentinel/media/migration-track/migration-track-azure-deployment.png

@@ -9,7 +9,7 @@ ms.date: 05/03/2022
 
 # Track your Microsoft Sentinel migration with a workbook
 
-As your organization's Security Operations Center (SOC) handles growing amounts of data, it's essential to plan and monitor your deployment status. While you can track migration process using generic tools such as Microsoft Project, Microsoft Excel, Teams, or Azure DevOps, these tools aren’t specific to SIEM migration tracking. To help you with tracking, we provide a dedicated migration tracker workbook in Microsoft Sentinel. 
+As your organization's Security Operations Center (SOC) handles growing amounts of data, it's essential to plan and monitor your deployment status. While you can track your migration process using generic tools such as Microsoft Project, Microsoft Excel, Teams, or Azure DevOps, these tools aren’t specific to SIEM migration tracking. To help you with tracking, we provide a dedicated workbook in Microsoft Sentinel named **Microsoft Sentinel Deployment and Migration**. 
 
 The workbook helps you to:
 - Visualize migration progress
@@ -19,7 +19,7 @@ The workbook helps you to:
 - Deploy and perform automation
 - Deploy and customize user and entity behavioral analytics (UEBA)
 
-This article describes how to track your migration with the migration tracker workbook, how to customize and manage the workbook, and how to use the workbook tabs to deploy and monitor data connectors, analytics, incidents, playbooks, automation rules, UEBA, and data management. Learn more about how to use [Azure Monitor workbooks](monitor-your-data).
+This article describes how to track your migration with the **Microsoft Sentinel Deployment and Migration** workbook, how to customize and manage the workbook, and how to use the workbook tabs to deploy and monitor data connectors, analytics, incidents, playbooks, automation rules, UEBA, and data management. Learn more about how to use [Azure Monitor workbooks](monitor-your-data.md) in Microsoft Sentinel.
 
 ## Deploy the workbook content 
 
@@ -43,19 +43,15 @@ This step is crucial to the tracking setup process. If you skip this step, the w
 
 To update the watchlist with deployment and migration actions:
 
-1. In the Azure portal, select Microsoft Sentinel and then select **Watchlists**.
+1. In the Azure portal, select Microsoft Sentinel and then select **Watchlist**.
 1. Locate the watchlist with the **Deployment** alias. 
-1. Select the watchlist, and then select **Update watchlist > edit watchlist items**. 
+1. Select the watchlist, and then select **Update watchlist > edit watchlist items** on the bottom right. 
     :::image type="content" source="media/migration-track/migration-track-update-watchlist.png" alt-text="Screenshot of updating watchlist items." lightbox="media/migration-track/migration-track-update-watchlist.png":::
 1. Provide the information for the actions needed for the deployment and migration, and select **Save**.  
 
-You can now the watchlist within the migration tracker workbook. Learn how to [manage watchlists](watchlists-manage.md).  
+You can now view the watchlist within the migration tracker workbook. Learn how to [manage watchlists](watchlists-manage.md).  
 
-## Manage workbook actions
-
-Your team might update or complete tasks during the deployment process. To address these changes, you can update existing actions or add new actions as you identify new use cases or set new requirements. To update or add actions, edit the **Deployment** watchlist that you [deployed previously](#deploy-the-watchlist). To simplify the process, you can open the watchlist directly from the workbook.
-
-:::image type="content" source="media/migration-track/migration-track-update.png" alt-text="Screenshot of the Microsoft Sentinel Edit watchlist items screen, showing an example list of watchlist items." lightbox="media/migration-track/migration-track-update.png":::
+In addition, your team might update or complete tasks during the deployment process. To address these changes, you can update existing actions or add new actions as you identify new use cases or set new requirements. To update or add actions, edit the **Deployment** watchlist that you [deployed previously](#deploy-the-watchlist). To simplify the process, select **Edit Deployment Watchlist** on the bottom left to open the watchlist directly from the workbook.
 
 ## View deployment status
 
@@ -82,10 +78,10 @@ To monitor deployed resources and deploy new connectors, in the **Microsoft Sent
 - Data connector health (changes and failures)
 - Health logs within the specified time range
 
-:::image type="content" source="media/migration-track/migration-track-data-connectors.png" alt-text="Screenshot of the Microsoft Sentinel Data Connectors tab Monitor view." lightbox="media/migration-track/migration-track-data-connectors.png":::
+:::image type="content" source="media/migration-track/migration-track-data-connectors-new.png" alt-text="Screenshot of the Microsoft Sentinel Data Connectors tab Monitor view." lightbox="media/migration-track/migration-track-data-connectors-new.png":::
 
-To configure a connector: 
-1. Select **Data Connectors > Configure**. 
+To configure a data connector: 
+1. Select the **Configure** view. 
 1. Select the button with the name of the connector you want to configure. 
 1. Configure the connector in the connector status screen that opens. If you cannot find a connector you need, select the connector name to open the connector gallery or solution gallery. 
 
@@ -97,7 +93,7 @@ Once the data is reported in the workspace, you can now configure and monitor an
 
 :::image type="content" source="media/migration-track/migration-track-analytics.png" alt-text="Screenshot of the Microsoft Sentinel Deployment Tracker Analytics tab." lightbox="media/migration-track/migration-track-analytics.png":::
 
-If you need more coverage, select **Review MITRE coverage** below the table and define which areas receive more coverage and which rules are deployed, at any stage of the migration project.
+If you need more coverage, select **Review MITRE coverage** below the table on the left. Use this option to define which areas receive more coverage and which rules are deployed, at any stage of the migration project.
 
 :::image type="content" source="media/migration-track/migration-track-mitre.png" alt-text="Screenshot of the Microsoft Sentinel Deployment Tracker Review MITRE Coverage view." lightbox="media/migration-track/migration-track-mitre.png":::
 
@@ -107,11 +103,11 @@ Once the desired analytics rules are deployed and the Defender product connector
 
 ## Deploy and utilize workbooks
 
-To visualize information regarding the data ingestion and detections that Microsoft Sentinel performs, in the **Microsoft Sentinel Deployment and Migration** workbook, select **Workbooks**. Similar to the **Data Connectors** tab, you can by use the available views to view monitoring and configuration information. 
+To visualize information regarding the data ingestion and detections that Microsoft Sentinel performs, in the **Microsoft Sentinel Deployment and Migration** workbook, select **Workbooks**. Similar to the **Data Connectors** tab, you can use the **Monitor** and **Configure** views to view monitoring and configuration information. 
 
 Here are some useful tasks you can perform in the **Workbooks** tab: 
 
-- To view a list of all workbooks in the environment and how many are deployed, select **Monitor**.
+- To view a list of all workbooks in the environment and how many workbooks are deployed, select **Monitor**.
 - To view a specific workbook within the **Microsoft Sentinel Deployment and Migration** workbook, select a workbook and then select **Open Selected Workbook**.
 
     :::image type="content" source="media/migration-track/migration-track-workbook.png" alt-text="Screenshot of the Microsoft Sentinel Deployment Tracker Workbook tab Monitor view." lightbox="media/migration-track/migration-track-workbook.png":::
@@ -122,12 +118,12 @@ Here are some useful tasks you can perform in the **Workbooks** tab:
 
 ## Deploy and monitor playbooks and automation rules
 
-Once you configure data ingestion, detections, and visualizations, you can now look into automation. in the **Microsoft Sentinel Deployment and Migration** workbook, select **Automation** to view deployed playbooks, and to see which playbooks are currently connected to an automation rule. If automation rules exist, the workbook highlights the following information regarding the automation rule:
+Once you configure data ingestion, detections, and visualizations, you can now look into automation. In the **Microsoft Sentinel Deployment and Migration** workbook, select **Automation** to view deployed playbooks, and to see which playbooks are currently connected to an automation rule. If automation rules exist, the workbook highlights the following information regarding each rule:
 - Name
 - Status
 - Action or actions of the rule
 - The last date the rule was modified and the user that modified the rule
-- The date the rule was created of the user that created the rule
+- The date the rule was created
 
 To view, deploy, and test automation within the current section of the workbook, select **Deploy automation resources** on the bottom left.
 
@@ -154,13 +150,13 @@ To customize the timeline:
 1. Create a custom item, or select one of the out-of-the-box templates.
 1. To deploy the template and complete the wizard, select **Create**.
 
-Learn more about [UEBA](identify-threats-with-entity-behavior-analytics.md) or learn how to [customize the timeline](customize-entity-activities).
+Learn more about [UEBA](identify-threats-with-entity-behavior-analytics.md) or learn how to [customize the timeline](customize-entity-activities.md).
 
 ## Configure and manage the data lifecycle
 
 When you deploy or migrate to Microsoft Sentinel, it's essential to manage the usage and lifecycle of the incoming logs. To assist with this, in the **Microsoft Sentinel Deployment and Migration** workbook, select **Data Management** to view and configure table retention and archival.
 
-:::image type="content" source="media/migration-track/migration-track-data-management.png" alt-text="Screenshot of the Microsoft Sentinel Deployment Tracker Data Management tab." lightbox="media/migration-track/migration-track-data-management":::
+:::image type="content" source="media/migration-track/migration-track-data-management.png" alt-text="Screenshot of the Microsoft Sentinel Deployment Tracker Data Management tab." lightbox="media/migration-track/migration-track-data-management.png":::
 
 You can view information regarding:
 
@@ -169,9 +165,9 @@ You can view information regarding:
 - Tables configured to be archived
 - Tables on the default workspace retention
 
-To modify the existing retention policy for tables, select **Default Retention Tables view**, select the relevant table, and select **Update Retention** to edit the following information:
-1. Select **Default Retention Tables**.
-2. Select the table you want to modify, and select **Update Retention**. You can edit the following information:
+To modify the existing retention policy for tables: 
+1. Select the **Default Retention Tables** view.
+1. Select the table you want to modify, and select **Update Retention**. You can edit the following information:
     - Current retention in the workspace
     - Current retention in the archive
     - Total number of days the data will live in the environment
@@ -185,6 +181,6 @@ Learn about [data lifecycle management](../azure-monitor/logs/data-retention-arc
 
 ## Enable migration tips and instructions
 
-To assist with the deployment and migration process, the workbook includes tips that explain how to use the different tabs and links to relevant resources. The tips are based on Microsoft Sentinel migration documentation and are relevant to your current SIEM. To enable tips and instructions, in the **Microsoft Sentinel Deployment and Migration** workbook, select **Automation**, and on the top right, set **MigrationTips** and **Instruction** to **Yes**. 
+To assist with the deployment and migration process, the workbook includes tips that explain how to use the different tabs, and links to relevant resources. The tips are based on Microsoft Sentinel migration documentation and are relevant to your current SIEM. To enable tips and instructions, in the **Microsoft Sentinel Deployment and Migration** workbook, on the top right, set **MigrationTips** and **Instruction** to **Yes**. 
 
-:::image type="content" source="media/migration-track/migration-track-tips.png" alt-text="Screenshot of the Microsoft Sentinel Deployment Tracker Data Management tab." lightbox="media/migration-track/migration-track-tips":::
+:::image type="content" source="media/migration-track/migration-track-tips.png" alt-text="Screenshot of the Microsoft Sentinel Deployment Tracker migration tips and instructions." lightbox="media/migration-track/migration-track-tips.png":::