Merge pull request #291893 from yelevin/yelevin/kusto-updates

Corrected "KQL" code block headings to "Kusto"

Author: v-dirichards

articles/sentinel/audit-sentinel-data.md

@@ -45,7 +45,7 @@ Use the **AzureActivity** table when auditing activity in your SOC environment w
 
     The **AzureActivity** table includes data from many services, including Microsoft Sentinel. To filter in only data from Microsoft Sentinel, start your query with the following code:
 
-    ```kql
+    ```kusto
      AzureActivity
     | where OperationNameValue startswith "MICROSOFT.SECURITYINSIGHTS"
     ```
@@ -67,7 +67,7 @@ For more information, see [Microsoft Sentinel data included in Azure Activity lo
 
 The following **AzureActivity** table query lists all actions taken by a specific Microsoft Entra user in the last 24 hours.
 
-```kql
+```kusto
 AzureActivity
 | where OperationNameValue contains "SecurityInsights"
 | where Caller == "[AzureAD username]"
@@ -78,7 +78,7 @@ AzureActivity
 
 The following **AzureActivity** table query lists all the delete operations performed in your Microsoft Sentinel workspace.
 
-```kql
+```kusto
 AzureActivity
 | where OperationNameValue contains "SecurityInsights"
 | where OperationName contains "Delete"
@@ -150,7 +150,7 @@ LAQueryLogs data includes information such as:
 
     For example, the following query shows how many queries were run in the last week, on a per-day basis:
 
-    ```kql
+    ```kusto
     LAQueryLogs
     | where TimeGenerated > ago(7d)
     | summarize events_count=count() by bin(TimeGenerated, 1d)
@@ -162,7 +162,7 @@ The following sections show more sample queries to run on the **LAQueryLogs** ta
 
 The following **LAQueryLogs** table query shows the number of queries run, where anything other than an HTTP response of **200 OK** was received. For example, this number includes queries that had failed to run.
 
-```kql
+```kusto
 LAQueryLogs
 | where ResponseCode != 200 
 | count 
@@ -172,7 +172,7 @@ LAQueryLogs
 
 The following **LAQueryLogs** table query lists the users who ran the most CPU-intensive queries, based on CPU used and length of query time.
 
-```kql
+```kusto
 LAQueryLogs
 |summarize arg_max(StatsCPUTimeMs, *) by AADClientId
 | extend User = AADEmail, QueryRunTime = StatsCPUTimeMs
@@ -184,7 +184,7 @@ LAQueryLogs
 
 The following **LAQueryLogs** table query lists the users who ran the most queries in the last week.
 
-```kql
+```kusto
 LAQueryLogs
 | where TimeGenerated > ago(7d)
 | summarize events_count=count() by AADEmail
@@ -203,7 +203,7 @@ You might want to use Microsoft Sentinel auditing resources to create proactive
 
 For example, if you have sensitive tables in your Microsoft Sentinel workspace, use the following query to notify you each time those tables are queried:
 
-```kql
+```kusto
 LAQueryLogs
 | where QueryText contains "[Name of sensitive table]"
 | where TimeGenerated > ago(1d)

articles/sentinel/customize-entity-activities.md

@@ -191,13 +191,13 @@ Add any of the following parameters to your query:
 
     The `count` parameter adds the following command to your query in the background, even though it's not displayed fully in the editor:
 
-    ```kql
+    ```kusto
     Summarize count() by <each parameter you’ve projected in the activity>
     ```
 
     Then, when you use the **Bucket Size** filter in the entity pages, the following command is also added to the query that's run in the background:
 
-    ```kql
+    ```kusto
     Summarize count() by <each parameter you’ve projected in the activity>, bin (TimeGenerated, Bucket in Hours)
     ```
 

articles/sentinel/mssp-protect-intellectual-property.md

@@ -69,7 +69,7 @@ To do this, you need a workspace in your own tenant with Microsoft Sentinel enab
 
 To create an analytic rule or hunting query in the MSSP tenant that references data in the customer tenant, you must use the `workspace` statement as follows:
 
-```kql
+```kusto
 workspace('<customer-workspace>').SecurityEvent
 | where EventID == ‘4625’
 ```

articles/sentinel/normalization-develop-parsers.md

@@ -120,7 +120,7 @@ For example, Infoblox DNS events are sent as Syslog messages, and are hard to di
 
 To use the ASimSourceType watchlist in your parsers, use the `_ASIM_GetSourceBySourceType` function in the parser filtering section. For example, the Infoblox DNS parser includes the following in the filtering section:
 
-```KQL
+```kusto
   | where Computer in (_ASIM_GetSourceBySourceType('InfobloxNIOS'))
 ```
 
@@ -193,7 +193,7 @@ The KQL operators that perform parsing are listed below, ordered by their perfor
 
 The simplest form of normalization is renaming an original field to its normalized name. Use the operator `project-rename` for that. Using project-rename ensures that the field is still managed as a physical field and handling the field is more performant. For example:
 
-```KQL
+```kusto
  | project-rename
     ActorUserId = InitiatingProcessAccountSid,
     ActorUserAadId = InitiatingProcessAccountObjectId,
@@ -208,7 +208,7 @@ Also, ensuring that parser output fields matches type defined in the schema is c
 
 For example, the original unique event ID may be sent as an integer, but ASIM requires the value to be a string, to ensure broad compatibility among data sources. Therefore, when assigning the source field use `extend` and `tostring` instead of `project-rename`:
 
-```KQL
+```kusto
   | extend EventOriginalUid = tostring(ReportId),
 ```
 
@@ -218,13 +218,13 @@ The value of the source field, once extracted, may need to be mapped to the set
 
 For example, the Microsoft DNS parser assigns the `EventResult` field based on the Event ID and Response Code using an `iff` statement, as follows:
 
-```KQL
+```kusto
    extend EventResult = iff(EventId==257 and ResponseCode==0 ,'Success','Failure')
 ```
 
 To map several values, define the mapping using the `datatable` operator and use `lookup` to perform the mapping. For example, some sources report numeric DNS response codes and the network protocol, while the schema mandates the more common text labels representation for both. The following example demonstrates how to derive the needed values using `datatable` and `lookup`:
 
-```KQL
+```kusto
    let NetworkProtocolLookup = datatable(Proto:real, NetworkProtocol:string)[
         6, 'TCP',
         17, 'UDP'
@@ -245,7 +245,7 @@ Notice that lookup is useful and efficient also when the mapping has only two po
 
 When the mapping conditions are more complex combine `iff`, `case`, and `lookup`. The example below shows how to combine `lookup` and `case`. The `lookup` example above returns an empty value in the field `DnsResponseCodeName` if the lookup value is not found. The `case` example below augments it by using the result of the `lookup` operation if available, and specifying additional conditions otherwise. 
 
-```KQL
+```kusto
    | extend DnsResponseCodeName = 
       case (
         DnsResponseCodeName != "", DnsResponseCodeName,
@@ -257,7 +257,7 @@ When the mapping conditions are more complex combine `iff`, `case`, and `lookup`
 
 Microsoft Sentinel provides handy functions for common lookup values. For example, the `DnsResponseCodeName` lookup above, can be implemented using one of the following functions:
 
-```KQL
+```kusto
 
 | extend DnsResponseCodeName = _ASIM_LookupDnsResponseCode(DnsResponseCode)
 
@@ -273,7 +273,7 @@ For a full list of ASIM help functions, refer to [ASIM functions](normalization-
 
 In addition to the fields available from the source, a resulting ASIM event includes enrichment fields that the parser should generate. In many cases, the parsers can assign a constant value to the fields, for example:
 
-```KQL
+```kusto
   | extend                  
      EventCount = int(1),
      EventProduct = 'M365 Defender for Endpoint',
@@ -286,13 +286,13 @@ Another type of enrichment fields that your parsers should set are type fields,
 
 In most cases, types are also assigned a constant value. However, in some cases the type has to be determined based on the actual value, for example:
 
-```KQL
+```kusto
    DomainType = iif (array_length(SplitHostname) > 1, 'FQDN', '')
 ```
 
 <a name="resolvefqnd"></a>Microsoft Sentinel provides useful functions for handling enrichment. For example, use the following function to automatically assign the fields `SrcHostname`, `SrcDomain`, `SrcDomainType` and `SrcFQDN` based on the value in the field `Computer`. 
 
-```KQL
+```kusto
   | invoke _ASIM_ResolveSrcFQDN('Computer')
 ```
 
@@ -319,7 +319,7 @@ The following KQL operators are used to select fields in your results set:
 
 For example, when parsing a custom log table, use the following to remove the remaining original fields that still have a type descriptor:
 
-```KQL
+```kusto
     | project-away
         *_d, *_s, *_b, *_g
 ``` 
@@ -392,7 +392,7 @@ To test ASIM, [deploy the ASIM testing tool](https://aka.ms/ASimTestingTools) to
 
 To make sure that your parser produces a valid schema, use the ASIM schema tester by running the following query in the Microsoft Sentinel **Logs** page:
 
-  ```KQL
+  ```kusto
   <parser name> | getschema | invoke ASimSchemaTester('<schema>')
   ```
 
@@ -428,7 +428,7 @@ Handle the results as follows:
 
 To make sure that your parser produces valid values, use the ASIM data tester by running the following query in the Microsoft Sentinel **Logs** page:
 
-  ```KQL
+  ```kusto
   <parser name> | limit <X> | invoke ASimDataTester ('<schema>')
   ```
 

articles/sentinel/normalization-functions.md

@@ -21,7 +21,7 @@ Enrichment lookup functions provide an easy method of looking up known values, b
 
 The **lookup** version is a scalar function that accepts as input the numeric code and returns the textual form. Use the following KQL snippet with the **lookup** version:
 
-```KQL
+```kusto
 | extend ProtocolName = _ASIM_LookupNetworkProtocol (ProtocolNumber)
 ``` 
 
@@ -33,7 +33,7 @@ The **resolve** version is a tabular function that:
 
 Use the following KQL snippet with the **resolve** version:
 
-```KQL
+```kusto
 | invoke _ASIM_ResolveNetworkProtocol (`ProtocolNumber`)
 ``` 
 

articles/sentinel/normalization-manage-parsers.md

@@ -76,7 +76,7 @@ When adding an additional parser to a unifying custom parser that already refere
 
 For example, the following code shows a custom unifying parser after having added the `added_parser`:
 
-```KQL
+```kusto
 union isfuzzy=true
 existing_parser(starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype),
 added_parser(starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype)
@@ -137,7 +137,7 @@ When adding an additional parser to a unifying parser, make sure you add a comma
 
 For example, the following example shows the DNS filtering unifying parser, after having added the custom `added_parser`:
 
-```KQL
+```kusto
   let Generic=(starttime:datetime=datetime(null), endtime:datetime=datetime(null) , srcipaddr:string='*' , domain_has_any:dynamic=dynamic([]) , responsecodename:string='*', response_has_ipv4:string='*' , response_has_any_prefix:dynamic=dynamic([]) , eventtype:string='lookup' ){
   let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'imDns') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);
   let imDnsBuiltInDisabled=toscalar('imDnsBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); 
@@ -159,7 +159,7 @@ Microsoft Sentinel users can directly modify workspace-deployed parsers. Create
 
 For example, the following code shows a DNS filtering unifying parser, having replaced the `vimDnsAzureFirewall` parser with a modified version:
 
-```KQL
+```kusto
   let Generic=(starttime:datetime=datetime(null), endtime:datetime=datetime(null) , srcipaddr:string='*' , domain_has_any:dynamic=dynamic([]) , responsecodename:string='*', response_has_ipv4:string='*' , response_has_any_prefix:dynamic=dynamic([]) , eventtype:string='lookup' ){
   let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'imDns') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);
   let imDnsBuiltInDisabled=toscalar('imDnsBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); 

articles/sentinel/normalization-schema-audit.md

@@ -80,7 +80,7 @@ Some parameter can accept both list of values of type `dynamic` or a single stri
 
 For example, to filter only audit events with the terms `install` or `update` in their [Operation](#operation) field, from the last day , use:
 
-```kql
+```kusto
 imAuditEvent (operation_has_any=dynamic(['install','update']), starttime = ago(1d), endtime=now())
 ```
 

articles/sentinel/normalization-schema-authentication.md

@@ -61,7 +61,7 @@ The following filtering parameters are available:
 
 For example, to filter only authentication events from the last day to a specific user, use:
 
-```kql
+```kusto
 imAuthentication (targetusername_has = 'johndoe', starttime = ago(1d), endtime=now())
 ```
 

articles/sentinel/normalization-schema-dns.md

@@ -59,7 +59,7 @@ If your data source supports full DNS logging and you've chosen to log multiple
 
 For example, you might modify your query with the following normalization:
 
-```kql
+```kusto
 _Im_Dns | where SrcIpAddr != "127.0.0.1" and EventSubType == "response"
 ```
 
@@ -97,13 +97,13 @@ The following filtering parameters are available:
 
 For example, to filter only DNS queries from the last day that failed to resolve the domain name, use:
 
-```kql
+```kusto
 _Im_Dns (responsecodename = 'NXDOMAIN', starttime = ago(1d), endtime=now())
 ```
 
 To filter only DNS queries for a specified list of domain names, use:
 
-```kql
+```kusto
 let torProxies=dynamic(["tor2web.org", "tor2web.com", "torlink.co"]);
 _Im_Dns (domain_has_any = torProxies)
 ```
@@ -350,7 +350,7 @@ In most cases, logged DNS events don't include response information, which may b
 
 You can also provide an extra KQL function called `_imDNS<vendor>Response_`, which takes the unparsed response as input and returns dynamic value with the following structure:
 
-```kql
+```kusto
 [
     {
         "part": "answer"

articles/sentinel/normalization-schema-network.md

@@ -75,7 +75,7 @@ Some parameter can accept both list of values of type `dynamic` or a single stri
 
 For example, to filter only network sessions for a specified list of domain names, use:
 
-```kql
+```kusto
 let torProxies=dynamic(["tor2web.org", "tor2web.com", "torlink.co"]);
 _Im_NetworkSession (hostname_has_any = torProxies)
 ```