Merge pull request #223339 from yelevin/yelevin/analytics-tutorial

Analytics tutorial

Author: PMEds28

articles/sentinel/TOC.yml

@@ -23,6 +23,8 @@
     href: tutorial-respond-threats-playbook.md
   - name: Automatically enrich incident information
     href: tutorial-enrich-ip-information.md
+  - name: Detect Log4j vulnerability exploits
+    href: tutorial-log4j-detection.md
   - name: Get started with notebooks and MSTICPy
     href: notebook-get-started.md
   - name: Create a Power BI report from Microsoft Sentinel

articles/sentinel/detect-threats-custom.md

@@ -2,10 +2,9 @@
 title: Create custom analytics rules to detect threats with Microsoft Sentinel | Microsoft Docs
 description: Learn how to create custom analytics rules to detect security threats with Microsoft Sentinel. Take advantage of event grouping, alert grouping, and alert enrichment, and understand AUTO DISABLED.
 author: yelevin
-ms.topic: how-to
-ms.date: 01/30/2022
 ms.author: yelevin
-ms.custom: ignite-fall-2021
+ms.topic: how-to
+ms.date: 01/08/2023
 ---
 
 # Create custom analytics rules to detect threats
@@ -221,15 +220,15 @@ In the **Alert grouping** section, if you want a single incident to be generated
 
     :::image type="content" source="media/tutorial-detect-threats-custom/automated-response-tab.png" alt-text="Define the automated response settings":::
 
-1. Select **Review and create** to review all the settings for your new alert rule. When the "Validation passed" message appears, select **Create** to initialize your alert rule.
+1. Select **Review and create** to review all the settings for your new analytics rule. When the "Validation passed" message appears, select **Create**.
 
     :::image type="content" source="media/tutorial-detect-threats-custom/review-and-create-tab.png" alt-text="Review all settings and create the rule":::
 
 ## View the rule and its output
   
 - You can find your newly created custom rule (of type "Scheduled") in the table under the **Active rules** tab on the main **Analytics** screen. From this list you can enable, disable, or delete each rule.
 
-- To view the results of the alert rules you create, go to the **Incidents** page, where you can triage, [investigate incidents](investigate-cases.md), and remediate the threats.
+- To view the results of the analytics rules you create, go to the **Incidents** page, where you can triage incidents, [investigate them](investigate-cases.md), and [remediate the threats](respond-threats-during-investigation.md).
 
 - You can update the rule query to exclude false positives. For more information, see [Handle false positives in Microsoft Sentinel](false-positives.md).
 
@@ -295,8 +294,6 @@ You can also push rules to Microsoft Sentinel via [API](/rest/api/securityinsigh
 
 For more information, see:
 
-For more information, see:
-
 - [Tutorial: Investigate incidents with Microsoft Sentinel](investigate-cases.md)
 - [Classify and analyze data using entities in Microsoft Sentinel](entities.md)
 - [Tutorial: Use playbooks with automation rules in Microsoft Sentinel](tutorial-respond-threats-playbook.md)