
Commit 7873b2c

committed
update module
1 parent e69d00a commit 7873b2c

4 files changed

Lines changed: 19 additions & 13 deletions


learn-pr/wwl-sci/design-solutions-security-operations/3-design-centralized-logging-auditing.yml

Lines changed: 3 additions & 3 deletions
Original file line number | Diff line number | Diff line change
@@ -1,9 +1,9 @@
11
### YamlMime:ModuleUnit
22
uid: learn.wwl.design-solutions-security-operations.design-centralized-logging-auditing
3-
title: Design centralized logging and auditing, including Microsoft Purview Audit
3+
title: Design solutions to support centralized logging and auditing
44
metadata:
5-
title: Design centralized logging and auditing, including Microsoft Purview Audit
6-
description: "SC-100 preparatory unit on the topic: design centralized logging and auditing, including Microsoft Purview Audit."
5+
title: Design solutions to support centralized logging and auditing
6+
description: "SC-100 preparatory unit on the topic: design centralized logging and auditing."
77
ms.date: 02/02/2026
88
author: ceperezb
99
ms.author: ceperezb
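Review bot: `ms.date` on line 7 is left at 02/02/2026 although the unit's title and description change in this hunk; bump it so the freshness date reflects the edit. Dropping "including Microsoft Purview Audit" from both the `title` and the `description` also narrows the unit's stated scope, so check that the unit body and the module's learning objectives no longer promise Purview Audit coverage, or keep the phrase if they still do.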

learn-pr/wwl-sci/design-solutions-security-operations/includes/0-introduction.md

Lines changed: 2 additions & 2 deletions
@@ -1,6 +1,6 @@
1-
This module covers designing security operations solutions in hybrid, multicloud, and edge environments. You learn about Microsoft's unified security operations platform that combines extended detection and response (XDR), security information and event management (SIEM), and security orchestration, automation, and response (SOAR) capabilities.
1+
This module covers designing security operations solutions in hybrid and multicloud environments. You learn about Microsoft's unified security operations platform that combines extended detection and response (XDR), security information and event management (SIEM), and security orchestration, automation, and response (SOAR) capabilities.
22

3-
Imagine you're a security architect in an organization operating across hybrid, multicloud, and edge environments. Your security operations center (SOC) faces challenges managing security consistently across different platforms while controlling costs and analyst workload. This module guides you through designing security operations solutions using Microsoft's unified approach.
3+
Imagine you're a security architect in an organization operating across hybrid and multicloud environments. Your security operations center (SOC) faces challenges managing security consistently across different platforms while controlling costs and analyst workload. This module guides you through designing security operations solutions using Microsoft's unified approach.
44

55
## Learning objectives
66

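Review bot: Removing "edge" from the module scope in lines 1 and 3 needs to be checked against text outside this hunk: the `## Learning objectives` list that starts at line 5 is not shown, and nothing in the commit message explains the narrower scope. Make sure no remaining objective, unit title or metadata description still refers to edge environments, otherwise the introduction and the objectives disagree.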
learn-pr/wwl-sci/design-solutions-security-operations/includes/1-introduction-security-operations-secops.md

Lines changed: 4 additions & 4 deletions
@@ -4,7 +4,7 @@ The primary objective of a cloud security operations (SecOps) function is to det
44
- Reactively respond to attacks detected by tools
55
- Proactively hunt for attacks that slipped past reactive detections
66

7-
The Microsoft Cybersecurity Reference Architecture (MCRA) provides guidance for designing end-to-end security using Zero Trust principles. The MCRA includes detailed diagrams for security operations (SecOps/SOC), helping organizations plan unified operations across hybrid and multicloud environments.
7+
[The Microsoft Cybersecurity Reference Architecture (MCRA)](https://aka.ms/MCRA) provides guidance for designing end-to-end security using Zero Trust principles and includes detailed diagrams for security operations (SecOps/SOC), helping organizations plan unified operations across hybrid and multicloud environments.
88

99
## Security operations strategy overview
1010

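Review bot: The link text in the new line 7 includes the leading article, "[The Microsoft Cybersecurity Reference Architecture (MCRA)](https://aka.ms/MCRA)"; move "The" outside the brackets so the link text is the resource name, and prefer the canonical Learn page over the aka.ms redirect, whose target can change without this module being updated. Merging the two original sentences also produces a long run-on; keeping "The MCRA includes detailed diagrams for security operations (SecOps/SOC)..." as its own sentence reads better.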
@@ -18,7 +18,6 @@ Modern security operations platforms address this challenge by integrating SIEM,
1818

1919
## Security operations functions
2020

21-
2221
Security operations teams often focus on three key outcomes:
2322

2423
- **Incident management:** Manage active attacks on the environment, including:
@@ -36,7 +35,6 @@ To deliver against these outcomes, security operations teams should be structure
3635

3736
:::image type="content" source="../media/security-operations-functions.png" alt-text="Diagram that shows security Operations functions (Tiers)." lightbox="../media/security-operations-functions.png":::
3837

39-
4038
## Modernization
4139

4240
Detecting and responding to threats is currently undergoing significant modernization at all levels.
@@ -46,8 +44,10 @@ Detecting and responding to threats is currently undergoing significant moderniz
4644
- **Responsiveness** via mean time to acknowledge (MTTA).
4745
- **Remediation speed** via mean time to remediate (MTTR).
4846
- **Technology evolution:** SOC technology is evolving from exclusive use of static analysis of logs in a SIEM to add the use of specialized tooling and sophisticated analysis techniques. This provides deep insights into assets that provide high quality alerts and investigation experience that complement the breadth view of the SIEM. Both types of tooling are increasingly using AI and machine learning, behavior analytics, and integrated threat intelligence to help spot and prioritize anomalous actions that could be a malicious attacker.
47+
- **AI-assisted security operations:** Generative AI is transforming how SOC analysts work by accelerating investigation and response. AI copilots help analysts quickly summarize incidents, correlate alerts across data sources, generate investigation queries using natural language, and recommend response actions. This assistance reduces the expertise barrier for junior analysts, helps experienced analysts work faster, and enables teams to handle higher alert volumes without proportional staffing increases.
4948
- **Threat hunting:** SOCs are adding hypothesis driven threat hunting to proactively identify advanced attackers and shift noisy alerts out of frontline analyst queues.
50-
- **Incident management:** Discipline is becoming formalized to coordinate nontechnical elements of incidents with legal, communications, and other teams. **Integration of internal context:** To help prioritize SOC activities such as the relative risk scores of user accounts and devices, sensitivity of data and applications, and key security isolation boundaries to closely defend.
49+
- **Incident management:** Discipline is becoming formalized to coordinate nontechnical elements of incidents with legal, communications, and other teams.
50+
- **Integration of internal context:** SOCs are incorporating business context to prioritize activities, including relative risk scores of user accounts and devices, sensitivity of data and applications, and key security isolation boundaries to defend.
5151

5252
## Team composition and key relationships
5353
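Review bot: The new "AI-assisted security operations" bullet on line 47 presents AI-generated investigation queries and recommended response actions without the caveat that an analyst must validate them before acting: a generated query can be wrong or incomplete, a recommended containment step such as isolating a host or disabling an account can itself cause an outage, and a summary built from attacker-controlled content (mail bodies, URLs, file names) can be steered by that content. Add one sentence to that effect, and soften "handle higher alert volumes without proportional staffing increases", which the module gives no evidence for. Splitting the merged "Incident management" / "Integration of internal context" bullet from old line 50 into two bullets is the right fix.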

learn-pr/wwl-sci/design-solutions-security-operations/includes/2-design-security-operations-capabilities-hybrid-multicloud-environments.md

Lines changed: 10 additions & 4 deletions
@@ -99,7 +99,14 @@ This centralized visibility eliminates the need for security teams to switch bet
9999

100100
### Workspace architecture decisions
101101

102-
As a cybersecurity architect, one of your key decisions is workspace topology. Consider these patterns:
102+
As a cybersecurity architect, one of your key decisions is workspace topology. This decision directly impacts your monitoring effectiveness because:
103+
104+
- **Threat correlation** - Security analysts need to correlate events across identities, endpoints, and network traffic. Data in separate workspaces requires cross-workspace queries, which are slower and more complex.
105+
- **Alert context** - When an alert fires, analysts need surrounding context from related logs. Fragmented workspaces mean analysts may miss critical context during investigations.
106+
- **Detection rules** - Analytics rules and detection logic work most efficiently when all relevant data sources are in the same workspace.
107+
- **Cost efficiency** - Commitment tier pricing applies per workspace, so consolidation can reduce costs, but data egress charges may offset savings if sources are geographically dispersed.
108+
109+
Consider these patterns:
103110

104111
| Pattern | When to use | Trade-offs |
105112
|---------|-------------|------------|
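Review bot: The "Cost efficiency" bullet on line 107 says commitment tier pricing applies per workspace; that holds for standalone workspaces, but a Log Analytics dedicated cluster lets the workspaces linked to it share one commitment tier, so consolidating into a single workspace is not the only way to reach a tier, and the pattern table below should say so. "Data egress charges" is also imprecise: ingesting from another region is billed as outbound inter-region data transfer from the source region, so say "cross-region bandwidth charges" or drop the term. The "Detection rules" bullet on line 106 is vague ("work most efficiently"); the concrete point is that an analytics rule runs in one workspace and reaches data in another only through the `workspace()` function in its query, which brings its own limits. In line 102, "directly impacts" should be "directly affects".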
@@ -111,14 +118,13 @@ For most hybrid and multicloud scenarios, a primary workspace with Azure Lightho
111118

112119
### Agent deployment strategy at scale
113120

114-
Design your agent deployment approach based on environment characteristics:
121+
Deploying the Azure Monitor agent consistently across hybrid environments ensures complete monitoring coverage. For non-Azure machines, the Azure Arc agent must be installed first to enable Azure Monitor agent deployment. Design your agent deployment approach based on environment characteristics:
115122

116123
- **Azure Policy with remediation tasks** - Automatically deploy Azure Monitor agent to Arc-enabled servers that don't have it installed. Best for enforcing consistent monitoring across large estates.
117124
- **Defender for Cloud auto-provisioning** - Automatically deploys Arc agent and monitoring extensions to AWS EC2 and GCP VM instances when connectors are configured. Simplifies multicloud onboarding.
118-
- **Configuration management tools** - Use Ansible, Puppet, or DSC for environments with existing automation. Provides flexibility but requires maintenance.
119125

120126
> [!TIP]
121-
> Use Azure Resource Graph queries to identify monitoring coverage gaps—resources that are Arc-enabled but missing the Azure Monitor agent or required data collection rules.
127+
> Use Azure Resource Graph queries to identify monitoring coverage gaps—resources that are Arc-enabled but missing the Azure Monitor agent or required data collection rules. For sample queries, see [Azure Resource Graph sample queries for Azure Arc-enabled servers](/azure/azure-arc/servers/resource-graph-samples).
122128
123129
### Monitoring coverage and resilience
124130

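Review bot: Deleting the "Configuration management tools" bullet (old line 118) removes the only option offered to estates that already run Ansible, Puppet or DSC, and the commit message ("update module") gives no reason; if the intent is to steer architects toward Azure Policy and Defender for Cloud auto-provisioning, keep the bullet and state that those two are preferred rather than dropping the alternative. In the new sentence on line 121, "the Azure Arc agent" should use the product name, the Azure Connected Machine agent, to match the Arc-enabled servers documentation the tip now links to, and "ensures complete monitoring coverage" overstates it: an installed agent with no matching data collection rule collects nothing, which is exactly the gap the tip on line 127 tells readers to query for.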