Merge pull request #295150 from batamig/kusto-fixes-ii

[SCOPED] fixing kusto links ii

Author: denrea

.openpublishing.redirection.json

@@ -5970,5 +5970,10 @@
       "redirect_url": "/azure/nat-gateway/nat-overview",
       "redirect_document_id": false
     },
+    {
+      "source_path": "articles/sentinel/kusto-resources.md",
+      "redirect_url": "/kusto/query/kql-learning-resources?view=microsoft-sentinel?view=microsoft-sentinel&preserve-view=true&toc=/azure/sentinel/TOC.json&bc=/azure/sentinel/breadcrumb/toc.json",
+      "redirect_document_id": false
+    }
   ]
 }

articles/sentinel/TOC.yml

@@ -908,7 +908,7 @@
   - name: Kusto Query Language
     items:
     - name: Overview
-      href: /kusto/query/kusto-sentinel-overview?toc=/azure/sentinel/TOC.json&bc=/azure/sentinel/breadcrumb/toc.json
+      href: /kusto/query/?toc=/azure/sentinel/TOC.json&bc=/azure/sentinel/breadcrumb/toc.json
     - name: Query best practices
       href: /kusto/query/best-practices?view=microsoft-sentinel&preserve-view=true&toc=/azure/sentinel/TOC.json&bc=/azure/sentinel/breadcrumb/toc.json
     - name: SQL to KQL cheat sheet
@@ -917,8 +917,10 @@
       href: /kusto/query/splunk-cheat-sheet?view=microsoft-sentinel&preserve-view=true&toc=/azure/sentinel/TOC.json&bc=/azure/sentinel/breadcrumb/toc.json
     - name: KQL quick reference
       href: /kusto/query/kql-quick-reference?view=microsoft-sentinel&preserve-view=true&toc=/azure/sentinel/TOC.json&bc=/azure/sentinel/breadcrumb/toc.json
+    - name: Common tasks with KQL for Microsoft Sentinel
+      href: /kusto/query/tutorials/common-tasks-microsoft-sentinel?view=microsoft-sentinel&preserve-view=true&toc=/azure/sentinel/TOC.json&bc=/azure/sentinel/breadcrumb/toc.json
     - name: Other KQL resources
-      href: kusto-resources.md 
+      href: /kusto/query/kql-learning-resources?view=microsoft-sentinel&preserve-view=true&toc=/azure/sentinel/TOC.json&bc=/azure/sentinel/breadcrumb/toc.json 
   - name: Create custom query
     href: hunts-custom-queries.md
   - name: Bookmarks

articles/sentinel/audit-track-tasks.md

@@ -50,7 +50,7 @@ Apart from the **Incident tasks workbook**, you can audit task activity by query
 
     You can add any number of statements to the query to filter and narrow down the results. To demonstrate how to view and understand the results, we're going to add statements to filter the results so that we only see the tasks for a single incident, and we'll also add a `project` statement so that we see only those fields that will be useful for our purposes, without a lot of clutter.
 
-    [Learn more about using Kusto Query Language](/kusto/query/kusto-sentinel-overview).
+    For more information, see [Kusto Query Language overview](/kusto/query/?view=microsoft-sentinel&toc=/azure/sentinel/TOC.json&bc=/azure/sentinel/breadcrumb/toc.json).
 
     ```kusto
     SecurityIncident

articles/sentinel/create-analytics-rule-from-template.md

@@ -16,7 +16,7 @@ ms.collection: usx-security
 ---
 # Create scheduled analytics rules from templates
 
-By far the most common type of analytics rule, **Scheduled** rules are based on [Kusto queries](/kusto/query/kusto-sentinel-overview) that are configured to run at regular intervals and examine raw data from a defined "lookback" period. These queries can perform complex statistical operations on their target data, revealing baselines and outliers in groups of events. If the number of results captured by the query passes the threshold configured in the rule, the rule produces an alert.
+By far the most common type of analytics rule, **Scheduled** rules are based on [Kusto queries](/kusto/query/?view=microsoft-sentinel&toc=/azure/sentinel/TOC.json&bc=/azure/sentinel/breadcrumb/toc.json) that are configured to run at regular intervals and examine raw data from a defined "lookback" period. These queries can perform complex statistical operations on their target data, revealing baselines and outliers in groups of events. If the number of results captured by the query passes the threshold configured in the rule, the rule produces an alert.
 
 Microsoft makes a vast array of **analytics rule templates** available to you through the many [solutions provided in the Content hub](sentinel-solutions.md), and strongly encourages you to use them to create your rules. The queries in scheduled rule templates are written by security and data science experts, either from Microsoft or from the vendor of the solution providing the template.
 
@@ -82,12 +82,11 @@ From the Microsoft Defender navigation menu, expand **Microsoft Sentinel**, then
 
 1. The rule creation wizard opens. All the details are autofilled.
 
-1. Cycle through the tabs of the wizard, customizing the logic and other rule settings where possible to better suit your specific needs. 
+1. Cycle through the tabs of the wizard, customizing the logic and other rule settings where possible to better suit your specific needs. For more information, see:
 
-    If you need to make any changes to the query itself, consult the following articles from the Kusto documentation for help:
-    - [Kusto Query Language in Microsoft Sentinel](/kusto/query/kusto-sentinel-overview)
+    - [Kusto Query Language in Microsoft Sentinel](/kusto/query/?view=microsoft-sentinel&toc=/azure/sentinel/TOC.json&bc=/azure/sentinel/breadcrumb/toc.json)
     - [KQL quick reference guide](/kusto/query/kql-quick-reference?view=microsoft-sentinel&preserve-view=true)
-    - [Best practices for Kusto Query Language queries](/kusto/query/best-practices?view=microsoft-sentinel&preserve-view=true)
+    - [Best practices for Kusto Query Language queries](/kusto/query/best-practices?view=microsoft-sentinel&preserve-view=true&toc=/azure/sentinel/TOC.json&bc=/azure/sentinel/breadcrumb/toc.json)
 
     When you get to the end of the rule creation wizard, Microsoft Sentinel creates the rule. The new rule appears in the **Active rules** tab.
 

articles/sentinel/create-analytics-rules.md

@@ -44,9 +44,11 @@ Before you do anything else, you should design and build a query in Kusto Query
 
 1. Build and test your queries in the **Logs** screen. When you’re satisfied, save the query for use in your rule.
 
-For some helpful tips for building Kusto queries, see [Best practices for analytics rule queries](scheduled-rules-overview.md#best-practices-for-analytics-rule-queries).
+For more information, see:
 
-For more help building Kusto queries, see [Kusto Query Language in Microsoft Sentinel](/kusto/query/kusto-sentinel-overview) and [Best practices for Kusto Query Language queries](/kusto/query/best-practices?view=microsoft-sentinel&preserve-view=true) (from the Kusto documentation).
+- [Best practices for analytics rule queries](scheduled-rules-overview.md#best-practices-for-analytics-rule-queries).
+- [Kusto Query Language in Microsoft Sentinel](/kusto/query/?view=microsoft-sentinel&toc=/azure/sentinel/TOC.json&bc=/azure/sentinel/breadcrumb/toc.json)
+- [Best practices for Kusto Query Language queries](/kusto/query/best-practices?view=microsoft-sentinel&preserve-view=true&toc=/azure/sentinel/TOC.json&bc=/azure/sentinel/breadcrumb/toc.json)
 
 ## Create your analytics rule
 

articles/sentinel/index.yml

@@ -135,8 +135,8 @@ landingContent:
             url: incident-investigation.md
           - text: Threat hunting
             url: hunting.md
-          - text: Kusto Query Language in Microsoft Sentinel
-            url: /kusto/query/kusto-sentinel-overview?toc=/azure/sentinel/TOC.json&bc=/azure/sentinel/breadcrumb/toc.json
+          - text: Kusto Query Language overview
+            url: /kusto/query/?view=microsoft-sentinel&toc=/azure/sentinel/TOC.json&bc=/azure/sentinel/breadcrumb/toc.json
           - text: Automation rules
             url: automate-incident-handling-with-automation-rules.md
           - text: Playbooks

articles/sentinel/kusto-resources.md

@@ -60,7 +60,7 @@ Before finalizing your KQL queries, always review and tune the queries to improv
 
 For more information, see the following resources:
 
-- [KQL query best practices](/kusto/query/best-practices?view=microsoft-sentinel&preserve-view=true)
+- [KQL query best practices](/kusto/query/best-practices?view=microsoft-sentinel&preserve-view=true&toc=/azure/sentinel/TOC.json&bc=/azure/sentinel/breadcrumb/toc.json)
 - [Optimize queries in Azure Monitor Logs](/azure/azure-monitor/logs/query-optimization)
 - [Optimizing KQL performance (webinar)](https://youtu.be/jN1Cz0JcLYU)
 

articles/sentinel/migration-convert-dashboards.md

@@ -171,7 +171,7 @@ For either **Scheduled analytics rule run** or **NRT analytics rule run**, you m
     | A function called by the query is named with a reserved word.   | Remove or rename the function.   |
     | A syntax error occurred while running the query.   | Try resetting the analytics rule by editing and saving it (without changing any settings). |
     | The workspace does not exist.   |   |
-    | This query was found to use too many system resources and was prevented from running.   | Review and tune the analytics rule. Consult our Kusto Query Language [overview](/kusto/query/kusto-sentinel-overview) and [best practices](/kusto/query/best-practices?view=microsoft-sentinel&preserve-view=true&toc=%2Fazure%2Fsentinel%2FTOC.json&bc=%2Fazure%2Fsentinel%2Fbreadcrumb%2Ftoc.json) documentation. |
+    | This query was found to use too many system resources and was prevented from running. | Review and tune the analytics rule. Consult our Kusto Query Language [overview](/kusto/query/?view=microsoft-sentinel&toc=/azure/sentinel/TOC.json&bc=/azure/sentinel/breadcrumb/toc.json) and [best practices](/kusto/query/best-practices?view=microsoft-sentinel&preserve-view=true&toc=/azure/sentinel/TOC.json&bc=/azure/sentinel/breadcrumb/toc.json) documentation. |
     | A function called by the query was not found.   | Verify the existence in your workspace of all functions called by the query.   |
     | The workspace used in the query was not found.   | Verify that all workspaces in the query exist.   |
     | You don't have permissions to run this query.   | Try resetting the analytics rule by editing and saving it (without changing any settings).   |

articles/sentinel/monitor-analytics-rule-integrity.md

@@ -61,7 +61,7 @@ Learn more about writing parsers in [Developing ASIM parsers](normalization-deve
 
 To normalize data at ingest, you need to use a [Data Collection Rule (DCR)](/azure/azure-monitor/essentials/data-collection-rule-overview). The procedure for implementing the DCR depends on the method used to ingest the data. For more information, see the article [Transform or customize data at ingestion time in Microsoft Sentinel](configure-data-transformation.md).
 
-A [KQL](/kusto/query/kusto-sentinel-overview) transformation query is the core of a DCR. The KQL version used in DCRs is slightly different than the version used elsewhere in Microsoft Sentinel to accommodate for requirements of pipeline event processing. Therefore, you need to modify any query-time parser to use it in a DCR. For more information on the differences, and how to convert a query-time parser to an ingest-time parser, read about the [DCR KQL limitations](/azure/azure-monitor/essentials/data-collection-transformations-structure#kql-limitations).
+A [KQL](/kusto/query/?view=microsoft-sentinel&toc=/azure/sentinel/TOC.json&bc=/azure/sentinel/breadcrumb/toc.json) transformation query is the core of a DCR. The KQL version used in DCRs is slightly different than the version used elsewhere in Microsoft Sentinel to accommodate for requirements of pipeline event processing. Therefore, you need to modify any query-time parser to use it in a DCR. For more information on the differences, and how to convert a query-time parser to an ingest-time parser, read about the [DCR KQL limitations](/azure/azure-monitor/essentials/data-collection-transformations-structure#kql-limitations).
 
 
 ## <a name="next-steps"></a>Next steps