diff --git a/.docutune/dictionaries/dummy-guids.json b/.docutune/dictionaries/dummy-guids.json index 8456cae3770..8949ff8d9b0 100644 --- a/.docutune/dictionaries/dummy-guids.json +++ b/.docutune/dictionaries/dummy-guids.json @@ -1,7 +1,7 @@ // List of the dummy GUIDs used in the documentation, and the sensitive term list that they are associated with. Refer to Learn Plaford for more information. // Used as part of docutune-1.5.2/dictionaries/Dictionary-Security-GUIDs.ps1 workflow. { - "appId|applicationId|application|clientId|audience|aud": [ + "appId|applicationId|clientId|audience|aud": [ "00001111-aaaa-2222-bbbb-3333cccc4444", "11112222-bbbb-3333-cccc-4444dddd5555", "22223333-cccc-4444-dddd-5555eeee6666", diff --git a/docs/identity/enterprise-apps/whats-new-docs.md b/docs/identity/enterprise-apps/whats-new-docs.md index ffdfb197ce4..75dd23b8002 100644 --- a/docs/identity/enterprise-apps/whats-new-docs.md +++ b/docs/identity/enterprise-apps/whats-new-docs.md @@ -1,7 +1,7 @@ --- title: "What's new in Microsoft Entra application management" description: "New and updated documentation for the Microsoft Entra application management." -ms.date: 09/02/2024 +ms.date: 01/10/2024 ms.service: entra-id ms.subservice: enterprise-apps ms.topic: whats-new @@ -16,6 +16,10 @@ manager: CelesteDG Welcome to what's new in Microsoft Entra application management documentation. This article lists new docs that have been added and those articles that have had significant updates in the last three months. To learn what's new with the application management service, see [What's new in Microsoft Entra ID](~/fundamentals/whats-new.md). +## September 2024 + +No updates this month. + ## August 2024 ### Updated articles 
@@ -39,9 +43,3 @@ Reviewed the following articles to improve technical accuracy and clarity: - [Tutorial: Configure F5 BIG-IP Easy Button for Kerberos single sign-on](f5-big-ip-kerberos-easy-button.md). - [Tutorial: Configure F5 BIG-IP Easy Button for SSO to SAP ERP](f5-big-ip-sap-erp-easy-button.md). - [Integrate F5 BIG-IP with Microsoft Entra ID](f5-integration.md). - -## June 2024 - -### Updated articles - -- [Manage consent to applications and evaluate consent requests](manage-consent-requests.md) - Review to improve technical accuracy and clarity. diff --git a/docs/identity/monitoring-health/concept-log-monitoring-integration-options-considerations.md b/docs/identity/monitoring-health/concept-log-monitoring-integration-options-considerations.md index 69aeddcd7b4..560fdd5b95d 100644 --- a/docs/identity/monitoring-health/concept-log-monitoring-integration-options-considerations.md +++ b/docs/identity/monitoring-health/concept-log-monitoring-integration-options-considerations.md @@ -6,7 +6,7 @@ manager: amycolannino ms.service: entra-id ms.topic: conceptual ms.subservice: monitoring-health -ms.date: 11/17/2023 +ms.date: 10/02/2024 ms.author: sarahlipsey ms.reviewer: egreenberg14 
@@ -23,29 +23,29 @@ With these integrations, you can enable rich visualizations, monitoring, and ale The following logs can be integrated with one of many endpoints: -* The [**audit logs activity report**](concept-audit-logs.md) gives you access to the history of every task that's performed in your tenant. +* The [**audit logs activity report**](concept-audit-logs.md) gives you access to the history of every task performed in your tenant. * With the [**sign-in activity report**](concept-sign-ins.md), you can see when users attempt to sign in to your applications or troubleshoot sign-in errors. -* With the [**provisioning logs**](~/identity/app-provisioning/application-provisioning-log-analytics.md), you can monitor which users were, updated, and deleted in all your third-party applications. +* With the [**provisioning logs**](~/identity/app-provisioning/application-provisioning-log-analytics.md), you can monitor which users were, updated, and deleted in all your non-Mirosoft applications. * The [**risky users logs**](~/id-protection/howto-identity-protection-investigate-risk.md#risky-users-report) helps you monitor changes in user risk level and remediation activity. * With the [**risk detections logs**](~/id-protection/howto-identity-protection-investigate-risk.md#risk-detections-report), you can monitor user's risk detections and analyze trends in risk activity detected in your organization. ## Integration options -To help choose the right method for integrating Microsoft Entra activity logs for storage or analysis, think about the overall task you're trying to accomplish. We've grouped the options into three main categories: +To help choose the right method for integrating Microsoft Entra activity logs for storage or analysis, think about the overall task you're trying to accomplish. 
The options are grouped into three main categories: * Troubleshooting * Long-term storage * Analysis and monitoring -### Troubleshooting +### Basic troubleshooting -If you're performing troubleshooting tasks but you don't need to retain the logs for more than 30 days, we recommend using the Azure portal or Microsoft Graph to access activity logs. You can filter the logs for your scenario and export or download them as needed. +If you're performing basic troubleshooting tasks but you don't need to retain the logs for more than 30 days, we recommend using the Microsoft Entra admin center or the Microsoft Graph APIs to access the activity logs. You can filter the logs for your scenario and export or download them as needed. If you're performing troubleshooting tasks *and* you need to retain the logs for more than 30 days, take a look at the long-term storage options. ### Long-term storage -If you're performing troubleshooting tasks *and* you need to retain the logs for more than 30 days, you can export your logs to an Azure storage account. This option is ideal of you don't plan on querying that data often. +If you're performing troubleshooting tasks *and* you need to retain the logs for more than 30 days, you should export your logs to an Azure storage account. This option is ideal of you don't plan on querying that data often. If you need to query the data that you're retaining for more than 30 days, take a look at the analysis and monitoring options. 
@@ -53,9 +53,9 @@ If you need to query the data that you're retaining for more than 30 days, take If your scenario requires that you retain data for more than 30 days *and* you plan on querying that data regularly, you've got a few options to integrate your data with SIEM tools for analysis and monitoring. -If you have a third party SIEM tool, we recommend setting up an Event Hubs namespace and event hub that you can stream your data through. With an event hub, you can stream logs to one of the supported SIEM tools. +If you have a non-Microsoft SIEM tool, we recommend setting up an Event Hubs namespace and event hub that you can stream your data through. With an event hub, you can stream logs to one of the supported SIEM tools. -If you don't plan on using a third-party SIEM tool, we recommend sending your Microsoft Entra activity logs to Azure Monitor logs. With this integration, you can query your activity logs with Log Analytics. In Addition to Azure Monitor logs, Microsoft Sentinel provides near real-time security detection and threat hunting. If you decide to integrate with SIEM tools later, you can stream your Microsoft Entra activity logs along with your other Azure data through an event hub. +If you don't plan on using a third-party SIEM tool, we recommend sending your Microsoft Entra activity logs to [Azure Monitor logs](/azure/azure-monitor/logs/data-platform-logs). With this integration, you can query your activity logs in a [Log Analytics workspace](/azure/azure-monitor/logs/log-analytics-workspace-overview). In Addition to Azure Monitor logs, [Microsoft Sentinel](/azure/sentinel/overview?tabs=azure-portal) provides near real-time security detection and threat hunting. If you decide to integrate with SIEM tools later, you can stream your Microsoft Entra activity logs along with your other Azure data through an event hub. ## Cost considerations 
@@ -71,7 +71,7 @@ Other considerations for sending Microsoft Entra logs to Azure Monitor logs are Azure Monitor provides the option to exclude whole events, fields, or parts of fields when ingesting logs from Microsoft Entra ID. Learn more about this cost saving feature in [Data collection transformation in Azure Monitor](/azure/azure-monitor/essentials/data-collection-transformations). -## Estimate your costs +### Estimate your costs To estimate the costs for your organization, you can estimate either the daily log size or the daily cost for integrating your logs with an endpoint. @@ -88,7 +88,7 @@ To estimate the daily log size, gather a sample of your logs, adjust the sample If you haven't downloaded logs from the Microsoft Entra admin center before, review the [How to download logs in Microsoft Entra ID](howto-download-logs.md) article. Depending on the size of your organization, you might need to choose a different sample size to start your estimation. The following sample sizes are a good place to start: -* 1000 records +* 1,000 records * For large tenants, 15 minutes of sign-ins * For small to medium tenants, 1 hour of sign-ins diff --git a/docs/identity/monitoring-health/howto-access-activity-logs.md b/docs/identity/monitoring-health/howto-access-activity-logs.md index 2025208ef53..f238fcfe3a3 100644 --- a/docs/identity/monitoring-health/howto-access-activity-logs.md +++ b/docs/identity/monitoring-health/howto-access-activity-logs.md @@ -1,4 +1,5 @@ --- + title: Access activity logs in Microsoft Entra ID description: How to choose the right method for accessing and integrating the activity logs in Microsoft Entra ID. author: shlipsey3 @@ -6,7 +7,7 @@ manager: amycolannino ms.service: entra-id ms.topic: how-to ms.subservice: monitoring-health -ms.date: 12/15/2023 +ms.date: 10/02/2024 ms.author: sarahlipsey ms.reviewer: egreenberg 
@@ -21,7 +22,7 @@ The data collected in your Microsoft Entra logs enables you to assess many aspec You can access Microsoft Entra activity logs and reports using the following methods: - [Stream activity logs to an **event hub** to integrate with other tools](#stream-logs-to-an-event-hub-to-integrate-with-siem-tools) -- [Access activity logs through the **Microsoft Graph API**](#access-logs-with-microsoft-graph-api) +- [Access activity logs through the **Microsoft Graph API**](#access-logs-with-the-microsoft-graph-api) - [Integrate activity logs with **Azure Monitor logs**](#integrate-logs-with-azure-monitor-logs) - [Monitor activity in real-time with **Microsoft Sentinel**](#monitor-events-with-microsoft-sentinel) - [View activity logs and reports in the **Azure portal**](#view-logs-through-the-portal) 
@@ -33,7 +34,55 @@ Each of these methods provides you with capabilities that might align with certa [!INCLUDE [Microsoft Entra monitoring and health](../../includes/licensing-monitoring-health.md)] -Audit logs are available for features that you've licensed. To access the sign-in logs using the Microsoft Graph API, your tenant must have a Microsoft Entra ID P1 or P2 license associated with it. +Audit logs are available for features that you have licensed. To access the sign-in logs using the Microsoft Graph API, your tenant must have a Microsoft Entra ID P1 or P2 license associated with it. + +## View logs through the Microsoft Entra admin center + + +For one-off investigations with a limited scope, the [Microsoft Entra admin center](https://entra.microsoft.com/) is often the easiest way to find the data you need. The user interface for each of these reports provides you with filter options enabling you to find the entries you need to solve your scenario. + +The data captured in the Microsoft Entra activity logs are used in many reports and services. You can review the sign-in, audit, and provisioning logs for one-off scenarios or use reports to look at patterns and trends. The data from the activity logs help populate the Identity Protection reports, which provide information security related risk detections that Microsoft Entra ID can detect and report on. Microsoft Entra activity logs also populate Usage and insights reports, which provide usage details for your tenant's applications. + +### Recommended uses + +The reports available in the Azure portal provide a wide range of capabilities to monitor activities and usage in your tenant. The following list of uses and scenarios isn't exhaustive, so explore the reports for your needs. + +- Research a user's sign-in activity or track an application's usage. +- Review details around group name changes, device registration, and password resets with audit logs. 
+- Use the Identity Protection reports for monitoring at risk users, risky workload identities, and risky sign-ins. +- Review the sign-in success rate in the Microsoft Entra application activity (preview) report from Usage and insights to ensure that your users can access the applications in use in your tenant. +- Compare the different authentication methods your users prefer with the Authentication methods report from Usage and insights. + +### Quick steps + +Use the following basic steps to access the reports in the Microsoft Entra admin center. + +#### [Microsoft Entra activity logs](#tab/microsoft-entra-activity-logs) + + +1. Browse to **Identity** > **Monitoring & health** > **Audit logs**/**Sign-in logs**/**Provisioning logs**. +1. Adjust the filter according to your needs. + - [Learn how to filter activity logs](howto-customize-filter-logs.md) + - [Explore the Microsoft Entra audit log categories and activities](reference-audit-activities.md) + - [Learn about basic info in the Microsoft Entra sign-in logs](concept-sign-in-log-activity-details.md) + +Audit logs can be accessed directly from the area of the Microsoft Entra admin center where you're working. For example, if you're in the **Groups** or **Licenses** section of Microsoft Entra ID, you can access the audit logs for those specific activities directly from that area. When you access the audit logs in this way, the filter categories are automatically set. If you're in **Groups**, the audit log filter category is set to **GroupManagement**. + +#### [Microsoft Entra ID Protection reports](#tab/microsoft-entra-id-protection-reports) + + +1. Browse to **Protection** > **Identity Protection**. +1. Explore the available reports. + - [Learn more about Identity Protection](../../id-protection/overview-identity-protection.md) + - [Learn how to investigate risk](../../id-protection/howto-identity-protection-investigate-risk.md) + +#### [Usage and insights reports](#tab/usage-and-insights-reports) + +1. 
Browse to **Identity** > **Monitoring & health** > **Usage and insights**. +1. Explore the available reports. + - [Learn more about the Usage and insights report](concept-usage-insights-report.md) + +--- ## Stream logs to an event hub to integrate with SIEM tools @@ -43,8 +92,8 @@ Streaming your activity logs to an event hub is required to integrate your activ The SIEM tools you can integrate with your event hub can provide analysis and monitoring capabilities. If you're already using these tools to ingest data from other sources, you can stream your identity data for more comprehensive analysis and monitoring. We recommend streaming your activity logs to an event hub for the following types of scenarios: -- If you need a big data streaming platform and event ingestion service to receive and process millions of events per second. -- If you're looking to transform and store data by using a real-time analytics provider or batching/storage adapters. +- You need a big data streaming platform and event ingestion service to receive and process millions of events per second. +- You're looking to transform and store data by using a real-time analytics provider or batching/storage adapters. ### Quick steps @@ -57,7 +106,7 @@ The SIEM tools you can integrate with your event hub can provide analysis and mo Your independent security vendor should provide you with instructions on how to ingest data from Azure Event Hubs into their tool. -## Access logs with Microsoft Graph API +## Access logs with the Microsoft Graph API The Microsoft Graph API provides a unified programmability model that you can use to access data for your Microsoft Entra ID P1 or P2 tenants. It doesn't require an administrator or developer to set up extra infrastructure to support your script or app. 
@@ -126,52 +175,6 @@ We recommend using the real-time security detection capabilities of Microsoft Se 1. [Collect Microsoft Entra data](/azure/sentinel/connect-azure-active-directory). 1. [Begin hunting for threats](/azure/sentinel/hunting). -## View logs through the Microsoft Entra admin center - - -For one-off investigations with a limited scope, the [Microsoft Entra admin center](https://entra.microsoft.com/) is often the easiest way to find the data you need. The user interface for each of these reports provides you with filter options enabling you to find the entries you need to solve your scenario. - -The data captured in the Microsoft Entra activity logs are used in many reports and services. You can review the sign-in, audit, and provisioning logs for one-off scenarios or use reports to look at patterns and trends. The data from the activity logs help populate the Identity Protection reports, which provide information security related risk detections that Microsoft Entra ID can detect and report on. Microsoft Entra activity logs also populate Usage and insights reports, which provide usage details for your tenant's applications. - -### Recommended uses - -The reports available in the Azure portal provide a wide range of capabilities to monitor activities and usage in your tenant. The following list of uses and scenarios isn't exhaustive, so explore the reports for your needs. - -- Research a user's sign-in activity or track an application's usage. -- Review details around group name changes, device registration, and password resets with audit logs. -- Use the Identity Protection reports for monitoring at risk users, risky workload identities, and risky sign-ins. -- You can review the sign-in success rate in the Microsoft Entra application activity (preview) report from Usage and insights to ensure that your users can access the applications in use in your tenant. 
-- Compare the different authentication methods your users prefer with the Authentication methods report from Usage and insights. - -### Quick steps - -Use the following basic steps to access the reports in the Microsoft Entra admin center. - -#### Microsoft Entra activity logs - - -1. Browse to **Identity** > **Monitoring & health** > **Audit logs**/**Sign-in logs**/**Provisioning logs**. -1. Adjust the filter according to your needs. - - [Learn how to filter activity logs](howto-customize-filter-logs.md) - - [Explore the Microsoft Entra audit log categories and activities](reference-audit-activities.md) - - [Learn about basic info in the Microsoft Entra sign-in logs](concept-sign-in-log-activity-details.md) - -Audit logs can be accessed directly from the area of the Microsoft Entra admin center where you're working. For example, if you're in the **Groups** or **Licenses** section of Microsoft Entra ID, you can access the audit logs for those specific activities directly from that area. When you access the audit logs in this way, the filter categories are automatically set. If you're in **Groups**, the audit log filter category is set to **GroupManagement**. - -#### Microsoft Entra ID Protection reports - - -1. Browse to **Protection** > **Identity Protection**. -1. Explore the available reports. - - [Learn more about Identity Protection](../../id-protection/overview-identity-protection.md) - - [Learn how to investigate risk](../../id-protection/howto-identity-protection-investigate-risk.md) - -#### Usage and insights reports - -1. Browse to **Identity** > **Monitoring & health** > **Usage and insights**. -1. Explore the available reports. - - [Learn more about the Usage and insights report](concept-usage-insights-report.md) - ## Export logs for storage and queries The right solution for your long-term storage depends on your budget and what you plan on doing with the data. You've got three options: 
@@ -198,7 +201,7 @@ We recommend manually downloading and storing your activity logs if you have bud Use the following basic steps to archive or download your activity logs. -#### Archive activity logs to a storage account +#### [Archive activity logs to a storage account](#tab/archive-activity-logs-to-a-storage-account) 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Security Administrator](../role-based-access-control/permissions-reference.md#security-administrator). 1. Create a storage account. @@ -206,13 +209,15 @@ Use the following basic steps to archive or download your activity logs. 1. Choose the logs you want to stream, select the **Archive to a storage account** option, and complete the fields. - [Review the data retention policies](reference-reports-data-retention.md) -#### Manually download activity logs +#### [Manually download activity logs](#tab/manually-download-activity-logs) 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Reports Reader](../role-based-access-control/permissions-reference.md#reports-reader). 1. Browse to **Identity** > **Monitoring & health** > **Audit logs**/**Sign-in logs**/**Provisioning logs** from the **Monitoring** menu. 1. Select **Download**. - [Learn more about how to download logs](howto-download-logs.md). +--- + ## Next steps - [Stream logs to an event hub](howto-stream-logs-to-event-hub.md) diff --git a/docs/identity/monitoring-health/howto-analyze-activity-logs-log-analytics.md b/docs/identity/monitoring-health/howto-analyze-activity-logs-log-analytics.md index 6d3ba6f86d9..2a693800b25 100644 --- a/docs/identity/monitoring-health/howto-analyze-activity-logs-log-analytics.md +++ b/docs/identity/monitoring-health/howto-analyze-activity-logs-log-analytics.md 
@@ -6,7 +6,7 @@ manager: amycolannino ms.service: entra-id ms.topic: how-to ms.subservice: monitoring-health -ms.date: 12/15/2023 +ms.date: 10/02/2024 ms.author: sarahlipsey ms.reviewer: egreenberg @@ -53,7 +53,7 @@ Azure Monitor provides [two built-in roles](/azure/azure-monitor/roles-permissio For more information on the Azure Monitor built-in roles, see [Roles, permissions, and security in Azure Monitor](/azure/azure-monitor/roles-permissions-security#monitoring-reader). -For more information on the Log Analytics RBAC roles, see [Azure built-in roles](/azure/role-based-access-control/built-in-roles#log-analytics-contributor) +For more information on the Log Analytics roles, see [Azure built-in roles](/azure/role-based-access-control/built-in-roles#log-analytics-contributor) ### Microsoft Entra roles @@ -80,14 +80,12 @@ To view the Microsoft Entra ID Log Analytics, you must already be sending your a 1. Browse to **Identity** > **Monitoring & health** > **Log Analytics**. A default search query runs. - ![Default query](media/howto-analyze-activity-logs-log-analytics/defaultquery.png) + ![Default query](media/howto-analyze-activity-logs-log-analytics/default-query.png) 1. Expand the **LogManagement** category to view the list of log related queries. 1. Select or hover over the name of a query to view a description and other useful details. - ![Screenshot of the details of a query.](media/howto-analyze-activity-logs-log-analytics/log-analytics-query-details.png) - 1. Expand a query from the list to view the schema. ![Screenshot of the schema of a query.](media/howto-analyze-activity-logs-log-analytics/log-analytics-query-schema.png) 
@@ -96,51 +94,24 @@ To view the Microsoft Entra ID Log Analytics, you must already be sending your a You can run queries against the activity logs being routed to a Log Analytics workspace. For example, to get a list of applications with the most sign-ins from last week, enter the following query and select the **Run** button. -``` +```kusto SigninLogs | where CreatedDateTime >= ago(7d) -| summarize signInCount = count() by AppDisplayName +| summarize signInCount = count() by AppDisplayName | sort by signInCount desc ``` To get the top audit events over the last week, use the following query: -``` +```kusto AuditLogs | where TimeGenerated >= ago(7d) | summarize auditCount = count() by OperationName | sort by auditCount desc ``` -## Set up alerts - -You can also set up alerts on a query. After you run a query, the **+ New alert rule** button becomes active. - -1. From Log Analytics, select the **+ New alert rule** button. - * The **Create a rule** process involves several sections to customize the criteria for the rule. - * For more information on creating alert rules, see [Create a new alert rule](/azure/azure-monitor/alerts/alerts-create-new-alert-rule) from the Azure Monitor documentation, starting with the **Condition** steps. - - ![Screenshot of the "+ New alert rule" button in Log Analytics.](media/howto-analyze-activity-logs-log-analytics/log-analytics-new-alert.png) - -1. On the **Actions** tab, select the **Action Group** that should receive the alert when the signal occurs. - * You can choose to notify your team via email or text message, or you could automate the action using webhooks, Azure functions or logic apps. - * Learn more about [creating and managing alert groups in the Azure portal](/azure/azure-monitor/alerts/action-groups). - -1. On the **Details** tab, give the alert rule a name and associate it with a subscription and resource group. - -1. After configuring all necessary details, select the **Review + Create** button. 
- -## Use workbooks to analyze logs - -Microsoft Entra workbooks provide several reports related to common scenarios involving audit, sign-in, and provisioning events. *You can also alert on any of the data provided in the reports, using the steps described in the previous section.* - -* **Provisioning analysis:** This workbook shows reports related to auditing provisioning activity. Activities can include the number of new users provisioned, provisioning failures, number of users updated, update failures, the number of users deprovisioned, and corresponding failures. For more information, see [Understand how provisioning integrates with Azure Monitor logs](../app-provisioning/application-provisioning-log-analytics.md). - -* **Sign-ins Events**: This workbook shows the most relevant reports related to monitoring sign-in activity, such as sign-ins by application, user, device, and a summary view tracking the number of sign-ins over time. - -* **Conditional Access insights**: The Conditional Access insights and reporting workbook enables you to understand the effect of Conditional Access policies in your organization over time. For more information, see [Conditional Access insights and reporting](../conditional-access/howto-conditional-access-insights-reporting.md). - -## Next steps +## Related content * [Get started with queries in Azure Monitor logs](/azure/azure-monitor/logs/get-started-queries) * [Create and manage alert groups in the Azure portal](/azure/azure-monitor/alerts/action-groups) +* [Create a new alert rule](/azure/azure-monitor/alerts/alerts-create-new-alert-rule) \ No newline at end of file diff --git a/docs/identity/monitoring-health/howto-use-workbooks.md b/docs/identity/monitoring-health/howto-use-workbooks.md index e89dc1f6e43..1e04b783a00 100644 --- a/docs/identity/monitoring-health/howto-use-workbooks.md +++ b/docs/identity/monitoring-health/howto-use-workbooks.md 
@@ -7,7 +7,7 @@ manager: amycolannino ms.service: entra-id ms.topic: how-to ms.subservice: monitoring-health -ms.date: 12/15/2023 +ms.date: 10/02/2024 ms.author: sarahlipsey ms.reviewer: sarbar @@ -36,7 +36,7 @@ When using workbooks, you can either start with an empty workbook, or use an exi 1. Browse to **Identity** > **Monitoring & health** > **Workbooks**. - **Workbooks**: All workbooks created in your tenant - **Public Templates**: Prebuilt workbooks for common or high priority scenarios - - **My Templates**: Templates you've created + - **My Templates**: Templates you created 1. Select a report or template from the list. Workbooks might take a few moments to populate. - Search for a template by name. - Select the **Browse across galleries** to view templates that aren't specific to Microsoft Entra ID. diff --git a/docs/identity/monitoring-health/media/howto-analyze-activity-logs-log-analytics/default-query.png b/docs/identity/monitoring-health/media/howto-analyze-activity-logs-log-analytics/default-query.png new file mode 100644 index 00000000000..fae61093f23 Binary files /dev/null and b/docs/identity/monitoring-health/media/howto-analyze-activity-logs-log-analytics/default-query.png differ diff --git a/docs/identity/monitoring-health/media/howto-analyze-activity-logs-log-analytics/defaultquery.png b/docs/identity/monitoring-health/media/howto-analyze-activity-logs-log-analytics/defaultquery.png deleted file mode 100644 index bd800dcd09a..00000000000 Binary files a/docs/identity/monitoring-health/media/howto-analyze-activity-logs-log-analytics/defaultquery.png and /dev/null differ 
diff --git a/docs/identity/monitoring-health/media/howto-analyze-activity-logs-log-analytics/log-analytics-new-alert.png b/docs/identity/monitoring-health/media/howto-analyze-activity-logs-log-analytics/log-analytics-new-alert.png deleted file mode 100644 index 2ce42f36fa5..00000000000 Binary files a/docs/identity/monitoring-health/media/howto-analyze-activity-logs-log-analytics/log-analytics-new-alert.png and /dev/null differ diff --git a/docs/identity/monitoring-health/media/howto-analyze-activity-logs-log-analytics/log-analytics-query-details.png b/docs/identity/monitoring-health/media/howto-analyze-activity-logs-log-analytics/log-analytics-query-details.png deleted file mode 100644 index 50f647c5cb7..00000000000 Binary files a/docs/identity/monitoring-health/media/howto-analyze-activity-logs-log-analytics/log-analytics-query-details.png and /dev/null differ diff --git a/docs/identity/monitoring-health/media/howto-analyze-activity-logs-log-analytics/log-analytics-query-schema.png b/docs/identity/monitoring-health/media/howto-analyze-activity-logs-log-analytics/log-analytics-query-schema.png index fab921b6a60..baa2871c328 100644 Binary files a/docs/identity/monitoring-health/media/howto-analyze-activity-logs-log-analytics/log-analytics-query-schema.png and b/docs/identity/monitoring-health/media/howto-analyze-activity-logs-log-analytics/log-analytics-query-schema.png differ
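Review bot: In docs/identity/enterprise-apps/whats-new-docs.md, the front matter change to `ms.date: 01/10/2024` moves the date backwards from `09/02/2024`, although the same hunk group adds a "September 2024" section. The other files in this patch use month-first dates (`10/02/2024`), so this looks like a day/month swap. If the intent is 1 October 2024, write `ms.date: 10/01/2024`.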
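Review bot: In concept-log-monitoring-integration-options-considerations.md (hunk `@@ -23,29 +23,29 @@`), the rewritten provisioning logs bullet introduces the typo "non-Mirosoft", and the same line still reads "which users were, updated, and deleted", which appears to be missing a word after "were". Two further items in this hunk: the heading is renamed to "Basic troubleshooting" but the category list above it still says "Troubleshooting", and the rewritten long-term storage sentence keeps "ideal of you" where "ideal if you" is meant.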
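Review bot: In concept-log-monitoring-integration-options-considerations.md (hunk `@@ -53,9 +53,9 @@`), the terminology change is applied to only one of the two paragraphs: the first now says "non-Microsoft SIEM tool", while the rewritten second paragraph still opens with "If you don't plan on using a third-party SIEM tool". Use the same term in both. The same added line also keeps "In Addition to Azure Monitor logs", which should be "In addition".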
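Review bot: In howto-access-activity-logs.md (hunk `@@ -1,4 +1,5 @@`), an empty line is added between the opening `---` of the front matter and `title:`. Nothing else in the metadata block changes in this hunk, so the blank line looks accidental. Suggest dropping it so the front matter starts directly with `title:`, as in the other files in this patch.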
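Review bot: In howto-access-activity-logs.md (hunk `@@ -21,7 +22,7 @@`), only the Microsoft Graph anchor is updated, but the last bullet still links to `#view-logs-through-the-portal` with the label "Azure portal". The section this patch moves is headed "View logs through the Microsoft Entra admin center", so that anchor and label no longer appear to match the heading. Suggest updating the link, and moving the bullet to the top of the list so it follows the new section order.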
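Review bot: In howto-access-activity-logs.md (hunk `@@ -33,7 +34,55 @@`), the relocated "Recommended uses" paragraph still begins "The reports available in the Azure portal", while the section heading and the "Quick steps" text both refer to the Microsoft Entra admin center. Since the section is being re-added here, align the product name in that sentence. The added block also carries two consecutive blank lines after the section heading and after two of the tab headings; one is enough.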
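Review bot: In howto-analyze-activity-logs-log-analytics.md (hunk `@@ -53,7 +53,7 @@`), the rewritten sentence "For more information on the Log Analytics roles, see [Azure built-in roles](...)" ends without a period, unlike the sentence directly above it. Add the closing period while the line is being touched.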
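Review bot: In howto-analyze-activity-logs-log-analytics.md (hunk `@@ -96,51 +94,24 @@`), the new final bullet is followed by "\ No newline at end of file", so the file now ends without a trailing newline; add one. In the same hunk, the two sample queries filter on different time columns (`CreatedDateTime` for `SigninLogs`, `TimeGenerated` for `AuditLogs`); since both blocks are being touched for the `kusto` fence tag, consider using one column consistently or saying why they differ. The "Set up alerts" and "Use workbooks to analyze logs" sections are removed with only a link to "Create a new alert rule" left in "Related content"; a workbooks link there would keep that path discoverable.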