
Commit 8067d0f

committed
update module
1 parent 7873b2c commit 8067d0f

13 files changed

Lines changed: 160 additions & 54 deletions

learn-pr/wwl-sci/design-solutions-security-operations/2-design-security-operations-capabilities-hybrid-multicloud-environments.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -8,6 +8,6 @@ metadata:
88
author: ceperezb
99
ms.author: ceperezb
1010
ms.topic: unit
11-
durationInMinutes: 11
11+
durationInMinutes: 12
1212
content: |
1313
[!include[](includes/2-design-security-operations-capabilities-hybrid-multicloud-environments.md)]

learn-pr/wwl-sci/design-solutions-security-operations/3-design-centralized-logging-auditing.yml

Lines changed: 1 addition & 1 deletion
@@ -8,6 +8,6 @@ metadata:
88
author: ceperezb
99
ms.author: ceperezb
1010
ms.topic: unit
11-
durationInMinutes: 15
11+
durationInMinutes: 17
1212
content: |
1313
[!include[](includes/3-design-centralized-logging-auditing.md)]

learn-pr/wwl-sci/design-solutions-security-operations/5-design-solutions-detection-response.yml

Lines changed: 1 addition & 1 deletion
@@ -8,6 +8,6 @@ metadata:
88
author: ceperezb
99
ms.author: ceperezb
1010
ms.topic: unit
11-
durationInMinutes: 6
11+
durationInMinutes: 12
1212
content: |
1313
[!include[](includes/5-design-solutions-detection-response.md)]

learn-pr/wwl-sci/design-solutions-security-operations/6-design-solution-security-orchestration-automation-response.yml

Lines changed: 1 addition & 1 deletion
@@ -8,7 +8,7 @@ metadata:
88
author: ceperezb
99
ms.author: ceperezb
1010
ms.topic: unit
11-
durationInMinutes: 6
11+
durationInMinutes: 9
1212
content: |
1313
[!include[](includes/6-design-solution-security-orchestration-automation-response.md)]
1414

learn-pr/wwl-sci/design-solutions-security-operations/7-design-security-workflows.yml

Lines changed: 1 addition & 1 deletion
@@ -8,7 +8,7 @@ metadata:
88
author: ceperezb
99
ms.author: ceperezb
1010
ms.topic: unit
11-
durationInMinutes: 7
11+
durationInMinutes: 8
1212
content: |
1313
[!include[](includes/7-design-security-workflows.md)]
1414

learn-pr/wwl-sci/design-solutions-security-operations/8-design-threat-detection-coverage.yml

Lines changed: 1 addition & 1 deletion
@@ -8,7 +8,7 @@ metadata:
88
author: ceperezb
99
ms.author: ceperezb
1010
ms.topic: unit
11-
durationInMinutes: 8
11+
durationInMinutes: 9
1212
content: |
1313
[!include[](includes/8-design-threat-detection-coverage.md)]
1414

learn-pr/wwl-sci/design-solutions-security-operations/includes/2-design-security-operations-capabilities-hybrid-multicloud-environments.md

Lines changed: 3 additions & 0 deletions
@@ -95,6 +95,9 @@ The Microsoft Defender portal provides a unified view of security monitoring dat
9595

9696
This centralized visibility eliminates the need for security teams to switch between multiple consoles when monitoring hybrid environments, reducing mean time to detect (MTTD) threats.
9797

98+
> [!NOTE]
99+
> This unit focuses on infrastructure monitoring across hybrid and multicloud environments. Microsoft 365 productivity workloads (email, files, identity, collaboration) have their own monitoring capabilities through Microsoft Defender XDR services, and is covered in [Design solutions for securing Microsoft 365](/training/modules/design-solutions-secure-microsoft-365/). The Defender portal serves as the convergence point where infrastructure and productivity monitoring combine for unified incident correlation and response.
100+
98101
## Architect-level design considerations
99102

100103
### Workspace architecture decisions
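Review bot: Subject-verb agreement in the added NOTE callout: "Microsoft 365 productivity workloads ... have their own monitoring capabilities ..., and is covered in" switches from plural to singular. Either change it to "and are covered in" or split the sentence: "... through Microsoft Defender XDR services. Those workloads are covered in [Design solutions for securing Microsoft 365](/training/modules/design-solutions-secure-microsoft-365/)." The last sentence calls the Defender portal "the convergence point"; the same phrase is used for Microsoft Sentinel in the unit 3 text added by this commit, so consider "the single pane of glass" here to keep the two statements distinct.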

learn-pr/wwl-sci/design-solutions-security-operations/includes/3-design-centralized-logging-auditing.md

Lines changed: 29 additions & 5 deletions
@@ -2,6 +2,24 @@ Centralized logging and auditing are fundamental to security operations, providi
22

33
**Logging** focuses on recording events for historical analysis, compliance evidence, and forensic investigations. It answers the questions "What happened?" and "Can we prove compliance?" **Auditing** specifically tracks user and administrator activities to establish accountability and meet regulatory requirements. While monitoring (covered in the previous unit) provides real-time visibility, logging ensures you have a durable record of events—sometimes retained for years—to support investigations and demonstrate compliance.
44

5+
## Understanding security data domains
6+
7+
As a security architect, it's important to understand that security log data comes from two distinct domains that converge in Microsoft Sentinel for unified analysis:
8+
9+
| Domain | What it covers | Primary tools | Log characteristics |
10+
|--------|---------------|---------------|--------------------|
11+
| **Infrastructure** | VMs, containers, networks, databases, cloud resources, AI services | Azure Monitor, Defender for Cloud, Azure Activity logs | Agent-based collection, resource-focused, high volume |
12+
| **Productivity** | Email, files, identity, collaboration, Copilot activities | Microsoft Purview Audit, Defender XDR, Entra ID logs | Service-based collection, user-focused, compliance-critical |
13+
14+
Both domains are essential for comprehensive security operations:
15+
16+
- **Infrastructure logs** help you detect attacks on workloads, investigate lateral movement, and understand resource-level threats
17+
- **Productivity logs** help you detect compromised accounts, investigate data exfiltration, and establish user accountability
18+
19+
Microsoft Sentinel serves as the convergence point, ingesting logs from both domains into a unified Log Analytics workspace. This enables security analysts to correlate an identity-based attack (detected in Entra ID or M365 logs) with subsequent infrastructure activity (detected in Azure or multicloud logs)—providing the complete attack story.
20+
21+
The rest of this unit covers logging solutions for both domains: Log Analytics workspaces and Microsoft Sentinel for infrastructure data, and Microsoft Purview Audit for productivity data.
22+
523
## Design guidance for centralized logging
624

725
The Microsoft Cloud Security Benchmark (MCSB) provides guidance on designing logging capabilities:
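Review bot: The added paragraph calls Microsoft Sentinel "the convergence point" for the two domains, while the NOTE added to unit 2 in this same commit gives that label to the Defender portal. Both can be true (Sentinel converges the data, the portal converges the analyst experience), but the identical phrase on two products reads as a contradiction; reword one, e.g. "Microsoft Sentinel ingests logs from both domains into a single Log Analytics workspace". Two smaller points in the same hunk: "M365 logs" should be "Microsoft 365 logs" to match the rest of the module, and the Infrastructure row lists "AI services" under "What it covers" without a matching entry under "Primary tools", so say which source provides those logs or drop the item.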
@@ -48,26 +66,29 @@ The Microsoft Sentinel data lake is a fully managed, cloud-native data lake purp
4866
- **Open format Parquet data files** for interoperability and extensibility
4967
- **Single copy of data** mirrored from analytics tier for efficient storage
5068
- **Separation of storage and compute** for flexibility and cost optimization
51-
- **Multiple analytics engines** including KQL jobs, Spark notebooks, and graph analytics
69+
- **Multiple analytics engines** including KQL and Jupyter notebooks
5270
- **Up to 12 years of retention** for compliance requirements
71+
- **Activity auditing** tracks data lake activities including data access, job management, and query events
5372

5473
Data in the analytics tier is automatically mirrored to the data lake tier at no extra cost when retention periods match. Organizations can choose to ingest data exclusively into the data lake tier for high-volume, lower-security-value logs.
5574

75+
The data lake's built-in activity audit provides accountability for security operations activities—you can monitor who accessed data, ran notebooks, or created and modified jobs. This auditing is enabled by default and supports compliance requirements for tracking access to security data.
76+
5677
### Data lake analytics capabilities
5778

5879
The data lake provides multiple ways to analyze historical log data:
5980

6081
| Capability | Purpose | Best for |
6182
|------------|---------|----------|
6283
| **KQL jobs** | Run one-time or scheduled asynchronous queries against data lake data with full KQL support including joins and unions | Incident investigations using historical logs, threat intelligence matching, anomaly detection across months of data |
63-
| **Summary rules** | Run frequent summarization jobs (every 20 minutes to 24 hours) to aggregate high-volume data | Aggregating network and firewall logs, creating baseline tables for detection |
64-
| **Search jobs** | Run long-running asynchronous queries to hydrate large volumes of data from a single table | Forensic analysis requiring restoration of archived data |
65-
| **Spark notebooks** | Use Python-based advanced analytics with Jupyter notebooks | Machine learning models, complex statistical analysis, custom visualizations |
84+
| **Summary rules** | Run scheduled aggregation jobs (bin sizes from 20 minutes to 24 hours) to precompute data into custom log tables | Aggregating network and firewall logs, creating baseline tables for detection, cost optimization for verbose logs |
85+
| **Search jobs** | Run long-running searches through up to a year of data in a table, sending results to a new Analytics table | Forensic analysis when query timeout is insufficient, searching large datasets for specific events |
86+
| **Jupyter notebooks** | Use Python-based advanced analytics with machine learning libraries | Machine learning models, complex statistical analysis, custom visualizations |
6687

6788
KQL jobs can promote data from the data lake tier to the analytics tier, enabling investigation of historical events alongside current incidents. This is particularly valuable for zero-day threat detection and retrospective threat hunting.
6889

6990
> [!TIP]
70-
> Use KQL jobs for complex queries involving joins across multiple tables. Use summary rules for recurring aggregations. Use search jobs when you need to hydrate large volumes from a single archived table.
91+
> Use KQL jobs for incident investigations, threat intelligence matching, and promoting data from data lake to analytics tier. Use summary rules for recurring aggregations that support detection rules. Use search jobs when you need to scan large datasets for specific events.
7192
7293
### Data connectors and data flow
7394

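Review bot: The rewritten "Multiple analytics engines" bullet drops "graph analytics" from the data lake's engine list, but the Core platform components table this commit adds to unit 5 still says the data lake "Enables multi-modal analytics including KQL queries, graph analysis, and AI-powered notebooks"; pick one description and use it in both units. The new activity-audit paragraph states the audit "is enabled by default" and records "who accessed data, ran notebooks, or created and modified jobs" without a link; add the documentation reference so the claim is verifiable, and say where those audit records can be queried, since the rest of this unit is about where logs live. The revised Summary rules and Search jobs rows are an improvement over the old ones (the "up to a year of data in a table" bound and the "new Analytics table" destination are concrete), so no change needed there.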
@@ -77,6 +98,9 @@ When you onboard to Microsoft Sentinel data lake, your existing data connectors
7798
- **Analytics tier with data lake mirroring** - Default configuration for most security data
7899
- **Data lake tier only** - For high-volume logs with limited real-time security value
79100

101+
102+
:::image type="content" source="../media/data-lake-tiers-data-flow.png" lightbox="../media/data-lake-tiers-data-flow.png" alt-text="A block diagram that depicts the mirroring of data from analytics tier to the data lake tier.":::
103+
80104
## Microsoft Purview Audit for compliance
81105

82106
Microsoft Purview Audit provides an integrated auditing solution to help organizations respond to security events, forensic investigations, and compliance obligations.
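Review bot: Two consecutive blank lines are added before the new `:::image:::` directive (the first two added lines are both empty); one blank line on each side is enough and matches the spacing of the image this commit adds to unit 5. The alt text is fine, but the diagram would be easier to relate to the text if it used the same two labels as the bullets directly above it ("Analytics tier with data lake mirroring" and "Data lake tier only").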

learn-pr/wwl-sci/design-solutions-security-operations/includes/5-design-solutions-detection-response.md

Lines changed: 76 additions & 8 deletions
@@ -4,6 +4,8 @@
44

55
**SIEM** solutions collect, aggregate, normalize, and analyze large volumes of data from organization-wide applications, devices, servers, and users in near real time. By consolidating telemetry into a unified platform, SIEM solutions provide a comprehensive view of an organization's security posture.
66

7+
Together, XDR and SIEM cover both security data domains discussed in the previous unit: XDR provides deep detection across the productivity domain (email, identity, collaboration) while SIEM correlates data from both productivity and infrastructure domains for comprehensive threat visibility.
8+
79
## Design guidance for detection and response
810

911
When designing detection and response solutions, consider these best practices:
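Review bot: "discussed in the previous unit" in the added paragraph refers to the security data domains table, which this commit adds to 3-design-centralized-logging-auditing.md; the file numbering in this commit (2, 3, 5, 6, 7, 8) suggests a unit 4 sits between them, in which case "previous unit" points at the wrong one. Name the unit explicitly ("discussed in the centralized logging and auditing unit") so the cross-reference survives reordering.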
@@ -13,6 +15,7 @@ When designing detection and response solutions, consider these best practices:
1315
- **Enable automatic attack disruption** to contain threats at machine speed
1416
- **Design for unified incident management** to correlate alerts across all security tools
1517
- **Plan for threat intelligence integration** to enrich detections with context
18+
- **Leverage AI-assisted detection** to identify sophisticated threats that rule-based detection might miss
1619

1720
## Microsoft Defender XDR
1821

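Review bot: Style: "Leverage AI-assisted detection" should be "Use AI-assisted detection" to match the plain imperative verbs in the neighbouring bullets ("Enable", "Design", "Plan") and the Microsoft style guidance against "leverage" as a verb.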
@@ -26,25 +29,67 @@ Microsoft Defender XDR provides XDR capabilities across the Microsoft 365 enviro
2629
| Protect operational technology (OT) and IT resources | Microsoft Defender for IoT |
2730
| Identify assets and assess device security posture | Microsoft Defender Vulnerability Management |
2831
| Protect and control access to SaaS cloud apps | Microsoft Defender for Cloud Apps |
32+
| Detect threats across Azure, AWS, and GCP workloads | Microsoft Defender for Cloud |
2933

3034
Microsoft Defender XDR automatically correlates alerts into incidents, providing end-to-end attack chain visibility and AI-powered automation for faster detection and response.
3135

3236
## Microsoft Sentinel as SIEM and security platform
3337

34-
Microsoft Sentinel is a cloud-native SIEM that delivers AI-driven security across multicloud and multiplatform environments with capabilities for threat detection, investigation, hunting, response, and automated attack disruption.
38+
Microsoft Sentinel is a cloud-native SIEM and unified security platform for agentic defense. It has evolved beyond traditional SIEM to provide an AI-ready, data-first foundation that transforms telemetry into a security graph, standardizes access for AI agents, and coordinates autonomous actions while keeping humans in command of strategy and high-impact investigations.
39+
40+
As a SIEM, Microsoft Sentinel delivers AI-driven security across multicloud and multiplatform environments with capabilities for threat detection, investigation, hunting, response, and automated attack disruption. As a platform, it provides a foundation built on a modern data lake, graph capabilities for contextual analysis, and a hosted Model Context Protocol (MCP) server for agent-ready tooling.
41+
42+
:::image type="content" source="../media/microsoft-sentinel-overview.png" alt-text="A diagram that depicts the Microsoft Sentinel AI-first, end-to-end SIEM and security platform." lightbox="../media/microsoft-sentinel-overview.png":::
3543

36-
### Key capabilities
44+
### SIEM capabilities
3745

3846
- **Comprehensive data collection** across users, devices, identities, applications, infrastructure, and operational technology via 350+ connectors
3947
- **Advanced threat detection** with built-in analytics rules, machine learning models, and threat intelligence enrichment
4048
- **SOC efficiency tools** including unified incidents, entity pages, investigation graph, hunting notebooks, and Security Copilot integration
41-
- **Automatic attack disruption** signals that integrate with Microsoft Defender XDR for machine-speed response
4249

43-
### Platform components
50+
### Core platform components
51+
52+
| Component | Description | Design relevance |
53+
|-----------|-------------|------------------|
54+
| **Microsoft Sentinel data lake** | Fully managed, cloud-native data lake that unifies, retains, and analyzes security data at scale with support for up to 12 years retention | Enables multi-modal analytics including KQL queries, graph analysis, and AI-powered notebooks on a single copy of open-format data |
55+
| **Microsoft Sentinel graph** | Unified graph analytics that models relationships across assets, identities, activities, and threat intelligence | Enables reasoning over interconnected data to answer complex questions like attack paths from compromised entities to critical assets |
56+
| **Microsoft Sentinel MCP server** | Hosted interface enabling natural language interaction with security data and building intelligent security agents | Accelerates agent creation and enables security teams to query data without schema knowledge or coding |
57+
| **Content Hub** | Solutions, analytics rules, playbooks, and workbooks from Microsoft and partners | Provides pre-built detection and response content to accelerate deployment |
58+
59+
### Data tiering for detection and retention
60+
61+
Microsoft Sentinel's tiered data architecture supports both real-time detection and long-term investigation:
62+
63+
- **Analytics tier** - High-performance storage for real-time detection, alerting, and interactive investigation
64+
- **Data lake tier** - Cost-efficient storage for historical analysis, behavioral baselines, and compliance retention
65+
- **Automatic mirroring** - Data ingested into the analytics tier is automatically mirrored to the data lake tier, ensuring a unified repository
66+
67+
This architecture allows security architects to design solutions that balance detection latency, investigation depth, and cost optimization.
68+
69+
## AI-powered detection and investigation
70+
71+
AI and machine learning are fundamental to modern detection and response, enabling capabilities that traditional rule-based detection cannot achieve:
72+
73+
### Detection capabilities
4474

45-
- **Microsoft Sentinel data lake**: Fully managed data lake for security data retention up to 12 years
46-
- **Content Hub**: Solutions, analytics rules, playbooks, and workbooks from Microsoft and partners
47-
- **Security Copilot integration**: AI-powered investigation assistance and natural language queries
75+
| AI capability | How it helps detection |
76+
|---------------|----------------------|
77+
| **Behavioral analytics (UEBA)** | Establishes baseline behavior for users and entities, detecting anomalies that indicate compromised accounts or insider threats |
78+
| **Machine learning anomaly detection** | Identifies unusual patterns in network traffic, authentication, and resource access without predefined rules |
79+
| **Threat intelligence correlation** | Automatically matches indicators of compromise (IOCs) against incoming telemetry at scale |
80+
| **Attack chain detection** | Correlates low-fidelity signals across multiple data sources to identify sophisticated multi-stage attacks |
81+
82+
### Security Copilot for SOC efficiency
83+
84+
Microsoft Security Copilot transforms how analysts investigate and respond to threats:
85+
86+
- **Incident summarization** - Automatically generates plain-language summaries of complex incidents, reducing triage time from hours to minutes
87+
- **Guided investigation** - Suggests next investigation steps based on incident context and attack patterns
88+
- **Natural language queries** - Enables analysts to query security data using conversational language instead of KQL
89+
- **Script analysis** - Analyzes malicious scripts and explains their behavior in plain language
90+
- **Report generation** - Creates investigation reports and executive summaries automatically
91+
92+
For security architects, designing for Security Copilot means ensuring comprehensive data collection (Copilot can only analyze data that's available in your workspace) and training SOC teams to effectively prompt the AI for investigation assistance.
4893

4994
## Unified security operations in the Defender portal
5095

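Review bot: "reducing triage time from hours to minutes" in the Security Copilot bullet list is a quantitative claim with no source; cite where it comes from or soften it to "reducing triage time". Three consistency points in the same hunk: the new table row "Detect threats across Azure, AWS, and GCP workloads | Microsoft Defender for Cloud" sits under an intro sentence that scopes the table to "XDR capabilities across the Microsoft 365 environment", so that sentence needs widening (the hybrid and multicloud framing from unit 2 fits); the data lake row in the Core platform components table says "graph analysis", which this same commit removes from the data lake engine list in unit 3; and the "Automatic attack disruption" bullet is dropped from the SIEM capabilities list while the second new paragraph still lists "automated attack disruption" as a Sentinel capability, so keep one place that explains how it is delivered (through the Defender XDR integration, as the removed bullet said).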
@@ -68,7 +113,28 @@ When Microsoft Sentinel is connected with Microsoft Defender XDR in the unified
68113
- **Enriched investigation paths** combine XDR deep insights with SIEM breadth
69114

70115
> [!IMPORTANT]
71-
> Starting July 2025, new customers are automatically onboarded to the Defender portal. After March 31, 2027, Microsoft Sentinel will be available only in the Microsoft Defender portal.
116+
> New customers are automatically onboarded to the unified Defender portal. After March 31, 2027, Microsoft Sentinel will be available only in the Microsoft Defender portal. Plan your security operations architecture with this unified experience in mind.
117+
118+
## Detection engineering considerations
119+
120+
As a security architect, design your detection strategy to balance coverage, quality, and maintainability:
121+
122+
### Analytics rule design
123+
124+
| Rule type | Use case | Design consideration |
125+
|-----------|----------|---------------------|
126+
| **Scheduled rules** | Custom detection logic using KQL queries | Run frequency vs. cost; lookback period vs. detection latency |
127+
| **Near-real-time (NRT) rules** | Time-sensitive detections requiring sub-minute response | Limited to specific data sources; higher resource consumption |
128+
| **Microsoft security rules** | Automatic incident creation from Defender alerts | Configure filtering to avoid duplicate incidents |
129+
| **ML behavior analytics** | Anomaly detection without predefined thresholds | Requires sufficient baseline data; tune sensitivity over time |
130+
| **Threat intelligence rules** | IOC matching against threat feeds | Ensure TI feeds are current and relevant to your threat landscape |
131+
132+
### Detection coverage strategy
133+
134+
- **Map detections to MITRE ATT&CK** - Use the coverage matrix in Sentinel to identify gaps across tactics and techniques
135+
- **Layer detection types** - Combine rule-based, ML-based, and threat intelligence detections for defense in depth
136+
- **Prioritize high-impact techniques** - Focus detection engineering on techniques most commonly used against your industry
137+
- **Plan for detection maintenance** - Allocate ongoing effort to tune rules, reduce false positives, and adapt to evolving threats
72138

73139
## Design considerations for detection and response
74140

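Review bot: The "Microsoft security rules" row ("Automatic incident creation from Defender alerts ... Configure filtering to avoid duplicate incidents") should say whether it still applies in the unified Defender portal that the IMPORTANT callout just above makes mandatory after March 31, 2027; the unified section earlier in this file describes incidents being correlated across XDR and SIEM, so ask the author to confirm against current docs whether incident creation rules for Defender alerts are still relevant there and scope the row accordingly. In the same table, "Limited to specific data sources" for NRT rules is too vague to act on; name the actual constraints or link to the NRT rule limitations. Dropping "Starting July 2025" from the IMPORTANT callout also removes the only date telling readers when automatic onboarding began; keep it unless it is no longer accurate.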
@@ -79,4 +145,6 @@ When Microsoft Sentinel is connected with Microsoft Defender XDR in the unified
79145
| **Automation** | Enable automatic attack disruption for high-confidence threats to contain attacks at machine speed |
80146
| **Integration** | Design for unified incident management across XDR and SIEM |
81147
| **Threat intelligence** | Integrate threat intelligence feeds to enrich detections and provide investigation context |
148+
| **AI enablement** | Ensure comprehensive data collection to maximize Security Copilot effectiveness |
149+
| **Detection engineering** | Plan for ongoing rule development, tuning, and MITRE ATT&CK coverage assessment |
82150
| **Compliance** | Consider data residency and retention requirements when designing the solution |
