Commit 5b091be

Merge pull request #313912 from mberdugo/Freshness
Freshness
2 parents fe31d64 + 7760651 commit 5b091be

2 files changed

Lines changed: 17 additions & 20 deletions

File tree

articles/sentinel/ci-cd-custom-content.md

Lines changed: 16 additions & 19 deletions
Original file line numberDiff line numberDiff line change
@@ -1,12 +1,12 @@
11
---
22
title: Manage custom content with repository connections
33
titleSuffix: Microsoft Sentinel
4-
description: This article explains custom Sentinel content like GitHub or Azure DevOps repositories that can utilize source control features.
4+
description: This article explains custom Microsoft Sentinel content like GitHub or Azure DevOps repositories that can utilize source control features.
55
author: mberdugo
66
ms.author: monaberdugo
77
ms.service: microsoft-sentinel
88
ms.topic: article
9-
ms.date: 12/31/2024
9+
ms.date: 3/30/2026
1010
ms.custom:
1111
- template-concept
1212
- build-2025
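Review bot: the `description` on line 4 still reads as if the repositories themselves were the custom content ("custom Microsoft Sentinel content like GitHub or Azure DevOps repositories"); since this hunk already touches that line to add the product name, consider rewording it at the same time, for example `description: This article explains how to manage custom Microsoft Sentinel content stored in GitHub or Azure DevOps repositories that use source control features.`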
@@ -29,21 +29,21 @@ For more information on Sentinel content, see [About Microsoft Sentinel content
2929

3030
You can deploy these Microsoft Sentinel custom content types from an external source control repository you connect to Microsoft Sentinel:
3131

32-
- Analytics rules
32+
- Analytics rules
3333
- Automation rules
3434
- Hunting queries
3535
- Parsers
3636
- Playbooks
3737
- Workbooks
3838

39-
Updates you make to the content in your Microsoft Sentinel repositories are synchronized to your Microsoft Sentinel workspace and overwrite any changes you make to that content through the Microsoft Sentinel portal. Your Microsoft Sentinel repositories become your single source of truth for custom content in the connected workspaces.
39+
Updates you make to the content in your Microsoft Sentinel repositories are synchronized to your Microsoft Sentinel workspace and overwrite any changes you make to that content through the Microsoft Sentinel portal. Your Microsoft Sentinel repositories become your *single source of truth* for custom content in the connected workspaces.
4040

4141
## Plan your repository connection
4242

43-
Microsoft Sentinel repositories require careful planning to ensure you have the proper permissions from your workspace to the repository (repo) you want connected.
43+
Microsoft Sentinel repositories require careful planning to ensure you have the proper permissions from your workspace to the repository (repo) you want connected.
4444

4545
- Only connections to GitHub and Azure DevOps repositories are supported.
46-
- Collaborator access to your GitHub repository or Project Administrator access to your Azure DevOps repository is required.
46+
- Collaborator access to your GitHub repository or Project Administrator access to your Azure DevOps repository is required.
4747
- The Microsoft Sentinel application needs authorization to your repo.
4848
- Actions must be enabled for GitHub.
4949
- Pipelines must be enabled for Azure DevOps.
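Review bot: lines 32, 43 and 46 show no visible difference between the removed and added text, so these are trailing-whitespace edits; that is fine for a freshness pass, but it leaves the italicized *single source of truth* on line 39 as the only wording change in the hunk, which is worth calling out in the commit message so reviewers don't have to diff whitespace to find it.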
@@ -56,19 +56,19 @@ If you find content in a public repository where you aren't a contributor, first
5656
### Maximum connections and deployments
5757

5858
- Each Microsoft Sentinel workspace is currently limited to **five repository connections**.
59-
- Each Azure resource group is limited to **800 deployments** in its deployment history. If you have a high volume of template deployments one or more of your resource groups, you may see the `Deployment QuotaExceeded` error. For more information, see [DeploymentQuotaExceeded](/azure/azure-resource-manager/templates/deployment-quota-exceeded) in the Azure Resource Manager templates documentation.
59+
- Each Azure resource group is limited to **800 deployments** in its deployment history. If you have a high volume of template deployments in one or more of your resource groups, you might see the `Deployment QuotaExceeded` error. For more information, see [DeploymentQuotaExceeded](/azure/azure-resource-manager/templates/deployment-quota-exceeded) in the Azure Resource Manager templates documentation.
6060

6161
## Plan your repository content
6262

63-
Microsoft Sentinel repositories support deployment of content you store as [Bicep files](../azure-resource-manager/bicep/overview.md) or [Azure Resource Manager (ARM) templates](../azure-resource-manager/templates/overview.md). We recommend using Bicep, which is more intuitive and makes it easier to describe Azure resources and Microsoft Sentinel content.
63+
Microsoft Sentinel repositories support deployment of content you store as [Bicep files](../azure-resource-manager/bicep/overview.md) or [Azure Resource Manager (ARM) templates](../azure-resource-manager/templates/overview.md). We recommend using Bicep, which is more intuitive and makes it easier to describe Azure resources and Microsoft Sentinel content.
6464

6565
The template for each content type has a specific structure and parameter name, as documented in the [Sentinel resources template reference](/azure/templates/microsoft.securityinsights/allversions). For samples of each content type, see [RepositoriesSampleContent repository](https://github.com/SentinelCICD/RepositoriesSampleContent).
6666

67-
We've provided a sample repository with templates for each of the content types listed. The repo also demonstrates how to use advanced features of repository connections. For more information, see [Microsoft Sentinel CI/CD repositories sample](https://github.com/SentinelCICD/RepositoriesSampleContent).
67+
We provided a sample repository with templates for each of the content types listed. The repo also demonstrates how to use advanced features of repository connections. For more information, see [Microsoft Sentinel CI/CD repositories sample](https://github.com/SentinelCICD/RepositoriesSampleContent).
6868

6969
:::image type="content" source="media/ci-cd-custom-content/repositories-connection-success.png" alt-text="Screenshot of a successful repository connection. The RepositoriesSampleContent is shown. This screenshot is after the sample was imported from the SentinelCICD repo to a private GitHub repo in the FourthCoffee organization." lightbox="media/ci-cd-custom-content/repositories-connection-success.png":::
7070

71-
Although you can build templates from scratch, it's often easier to start from either the Sentinel Public GitHub repository YAML files or from out-of-the-box Microsoft Sentinel content. This table outlines how to convert an ARM template for use with Microsoft Sentinel Repositories.
71+
Although you can build templates from scratch, it's often easier to start from either the Sentinel Public GitHub repository YAML files or from out-of-the-box Microsoft Sentinel content. This table outlines how to convert an ARM template for use with Microsoft Sentinel Repositories.
7272

7373
| Content Type | Convert from Sentinel Public YAML | Export from Sentinel | Template Reference | Sample Templates |
7474
|-------------------|-----------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------|
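Review bot: lines 65 and 67 both link to https://github.com/SentinelCICD/RepositoriesSampleContent under different link text ("RepositoriesSampleContent repository" and "Microsoft Sentinel CI/CD repositories sample"), so the paragraph on line 67 largely repeats line 65; consider folding the "advanced features" sentence into line 65 and dropping the second link. Separately, "We provided a sample repository" on line 67 reads as a one-time past action; "We provide a sample repository" or "A sample repository is available" fits the documentation voice better than the removed "We've provided".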
@@ -79,9 +79,9 @@ Although you can build templates from scratch, it's often easier to start from e
7979
| **Playbooks** | N/A | [PowerShell utility](https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator) | [Reference](/azure/logic-apps/logic-apps-azure-resource-manager-templates-overview) | N/A |
8080
| **Workbooks** | N/A | [Exporting workbooks as ARM templates](/azure/azure-monitor/visualize/workbooks-automate#arm-template-for-deploying-a-workbook-template) | [Reference](/azure/azure-monitor/visualize/workbooks-automate#arm-template-for-deploying-a-workbook-template) | N/A |
8181

82-
8382
> [!IMPORTANT]
8483
> Bicep considerations:
84+
>
8585
> - To use Bicep files, your repositories connection needs to be updated if your connection was created before November 1, 2024. Repositories connections must be [removed](ci-cd.md#remove-a-repository-connection) and recreated in order to update.
8686
> - Bicep files don't support the `id` property. When decompiling ARM JSON to Bicep, make sure you don't have this property. For example, analytic rule templates exported from Microsoft Sentinel have the `id` property that needs removal.
8787
> - Change the ARM JSON schema to version `2019-04-01` for best results when decompiling.
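Review bot: line 85 says "your repositories connection", while the heading on line 41 and the text on line 67 use "repository connection(s)"; align the term to "repository connection" here. The added bare `>` on line 84 is the right fix, since without it the bullet list would not render inside the alert.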
@@ -90,19 +90,16 @@ Although you can build templates from scratch, it's often easier to start from e
9090
> [!IMPORTANT]
9191
> Analytic rules deployed using the Microsoft Sentinel **Repositories** feature can use cross-workspace queries only if the destination workspace is in the same Resource Group as the workspace connected to the repository.
9292
93-
9493
For information on creating custom content from scratch, see the relevant [Microsoft Sentinel GitHub wiki](https://github.com/Azure/Azure-Sentinel/wiki#get-started) for each content type.
9594

96-
9795
## Improve performance with smart deployments
9896

9997
> [!TIP]
100-
> To ensure smart deployments works in GitHub, Workflows must have read and write permissions on your repository. See [Managing GitHub Actions settings for a repository](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository) for more details.
101-
>
98+
> To ensure smart deployments works in GitHub, Workflows must have read and write permissions on your repository. For more information, see [Managing GitHub Actions settings for a repository](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository).
10299
103-
The **smart deployments** feature is a back-end capability that improves performance by actively tracking modifications made to the content files of a connected repository. It uses a CSV file within the `.sentinel` folder in your repository to audit each commit. The workflow avoids redeploying content that hasn't been modified since the last deployment. This process improves your deployment performance and prevents tampering with unchanged content in your workspace, such as resetting dynamic schedules of your analytics rules.
100+
The **smart deployments** feature is a back-end capability that improves performance by actively tracking modifications made to the content files of a connected repository. It uses a CSV file within the `.sentinel` folder in your repository to audit each commit. The workflow avoids redeploying content that wasn't modified since the last deployment. This process improves your deployment performance and prevents tampering with unchanged content in your workspace, such as resetting dynamic schedules of your analytics rules.
104101

105-
Smart deployments are enabled by default on newly created connections. If you prefer all source control content deployed every time a deployment is triggered, whether that content was modified or not, modify your workflow to disable smart deployments. For more information, see [Customize the workflow or pipeline](ci-cd-custom-deploy.md#customize-the-workflow-or-pipeline).
102+
Smart deployments are enabled by default on newly created connections. If you prefer all source control content deployed every time a deployment is triggered, whether that content was modified or not, modify your workflow to disable smart deployments. For more information, see [Customize the workflow or pipeline](ci-cd-custom-deploy.md#customize-the-workflow-or-pipeline).
106103

107104
## Consider deployment customization options
108105

@@ -126,7 +123,7 @@ Once the workflow or pipeline is triggered, the deployment supports the followin
126123

127124
- prioritize content to be deployed before the rest of the repo content
128125
- exclude content from deployment
129-
- specify ARM template parameter files
126+
- specify ARM template parameter files
130127

131128
These options are available through a feature of the PowerShell deployment script called from the workflow or pipeline. For more information on how to implement these customizations, see [Customize repository deployments](ci-cd-custom-deploy.md#customize-your-connection-configuration).
132129

@@ -135,7 +132,7 @@ These options are available through a feature of the PowerShell deployment scrip
135132
For information on managing Microsoft Sentinel repositories using the API, see the [Source Control](/rest/api/securityinsights/source-control) and [Source Controls](/rest/api/securityinsights/source-controls) actions in the Microsoft Sentinel REST API.
136133

137134
> [!IMPORTANT]
138-
> Starting **June 2026**, older API versions used by Microsoft Sentinel repositories will no longer be supported. If you are using APIs to create and manage repository connections, transition to API version **2025-09-01**, **2025-06-01**, or **2025-07-01-preview** before June 15, 2026 to avoid service disruption. Existing repository connections aren't affected.
135+
> Starting **June 2026**, older API versions used by Microsoft Sentinel repositories will no longer be supported. If you're using APIs to create and manage repository connections, transition to API version **2025-09-01**, **2025-06-01**, or **2025-07-01-preview** before June 15, 2026 to avoid service disruption. Existing repository connections aren't affected.
139136
140137
## Next steps
141138

articles/sentinel/hunting.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -40,7 +40,7 @@ To get started, see [Conduct end-to-end proactive threat hunting in Microsoft Se
4040

4141
## Hunting queries
4242

43-
In Microsoft Sentinel, select **Hunting** > **Queries** tab to run all your queries, or a selected subset. The **Queries** tab lists all the hunting queries installed with security solutions from the **Content hub**, and any extra query you created or modified. Each query provides a description of what it hunts for, and what kind of data it runs on. These queries are grouped by their MITRE ATT&CK **tactics**. The icons on the right categorize the type of threat, such as initial access, persistence, and exfiltration. MITRE ATT&CK **techniques** are shown in the **Techniques** column and describe the specific behavior identified by the hunting query.
43+
In Microsoft Sentinel in Defender, select **Threat management** > **Hunting**, then the **Queries** tab to run all your queries, or a selected subset. The **Queries** tab lists all the hunting queries installed with security solutions from the **Content hub**, and any extra query you created or modified. Each query provides a description of what it hunts for, and what kind of data it runs on. These queries are grouped by their MITRE ATT&CK **tactics**. The icons on top categorize the type of threat, such as initial access, persistence, and exfiltration. MITRE ATT&CK **techniques** are shown in the **Techniques** column and describe the specific behavior identified by the hunting query.
4444

4545
:::image type="content" source="media/hunting/hunting-start.png" alt-text="Microsoft Sentinel starts hunting" lightbox="media/hunting/hunting-start.png":::
4646
