Merge pull request #292507 from MicrosoftDocs/main

12/31/2024 AM Publish

Author: PhilKang0704

articles/sap/workloads/sap-hana-high-availability.md

@@ -144,7 +144,7 @@ Replace `<placeholders>` with the values for your SAP HANA installation.
    1. Run this command to list all the available disks:
 
       ```bash
-      /dev/disk/azure/scsi1/lun*
+      ls /dev/disk/azure/scsi1/lun*
       ```
 
       Example output:

articles/sentinel/create-analytics-rules.md

@@ -174,8 +174,12 @@ In the **Incident settings** tab, choose whether Microsoft Sentinel turns alerts
 
      > [!IMPORTANT]
      > If you onboarded Microsoft Sentinel to the Microsoft Defender portal, leave this setting **Enabled**.
+     >
+     > - In this scenario, incidents are created by Microsoft Defender XDR, not by Microsoft Sentinel.
+     > - These incidents appear in the incidents queue in both the Azure and Defender portals.
+     > - In the Azure portal, new incidents are displayed with "Microsoft Defender XDR" as the **incident provider name**.
 
-   - If you want a single incident to be created from a group of alerts, instead of one for every single alert, see the next section.
+   - If you want a single incident to be created from a group of alerts, instead of one for every single alert, see the next step.
 
 1. <a name="alert-grouping"></a>**Set alert grouping settings.**
 
@@ -193,12 +197,22 @@ In the **Incident settings** tab, choose whether Microsoft Sentinel turns alerts
 
    1. **Re-open closed matching incidents**: If an incident has been resolved and closed, and later on another alert is generated that should belong to that incident, set this setting to **Enabled** if you want the closed incident re-opened, and leave as **Disabled** if you want the alert to create a new incident.
 
+      This option is not available when Microsoft Sentinel is onboarded to the Microsoft Defender portal.
+
+   > [!IMPORTANT]
+   > If you onboarded Microsoft Sentinel to the Microsoft Defender portal, the **alert grouping** settings take effect only at the moment that the incident is created.
+   > 
+   > Because the Defender portal's correlation engine is responsible for alert correlation in this scenario, it accepts these settings as initial instructions, but it also might make decisions about alert correlation that don't take these settings into account.
+   >
+   > Therefore, the way alerts are grouped into incidents might often be different than you would expect based on these settings.
+
    > [!NOTE]
    >
    > **Up to 150 alerts** can be grouped into a single incident.
    > - The incident will only be created after all the alerts have been generated. All of the alerts will be added to the incident immediately upon its creation.
    >
    > - If more than 150 alerts are generated by a rule that groups them into a single incident, a new incident will be generated with the same incident details as the original, and the excess alerts will be grouped into the new incident.
+
 1. Select **Next: Automated response**.
 
     # [Azure portal](#tab/azure-portal)

articles/sentinel/includes/kusto-reference-general-no-alert.md

@@ -0,0 +1,17 @@
+---
+title: "include file" 
+description: "include file" 
+services: microsoft-sentinel
+author: yelevin
+ms.author: yelevin
+ms.topic: "include"
+ms.date: 12/26/2024
+ms.custom: "include file"
+---
+<!-- docutune:disable -->
+
+For more information on KQL, see [Kusto Query Language (KQL) overview](/kusto/query/?view=microsoft-sentinel&preserve-view=true).
+
+Other resources:
+- [KQL quick reference](/kusto/query/kql-quick-reference?view=microsoft-sentinel&preserve-view=true)
+- [Kusto Query Language learning resources](/kusto/query/kql-learning-resources?view=microsoft-sentinel&preserve-view=true)

articles/sentinel/includes/kusto-reference-general.md

@@ -0,0 +1,18 @@
+---
+title: "include file" 
+description: "include file" 
+services: microsoft-sentinel
+author: yelevin
+ms.author: yelevin
+ms.topic: "include"
+ms.date: 12/26/2024
+ms.custom: "include file"
+---
+<!-- docutune:disable -->
+
+> [!NOTE]
+> For more information on KQL, see [Kusto Query Language (KQL) overview](/kusto/query/?view=microsoft-sentinel&preserve-view=true).
+>
+> Other resources:
+> - [KQL quick reference](/kusto/query/kql-quick-reference?view=microsoft-sentinel&preserve-view=true)
+> - [Kusto Query Language learning resources](/kusto/query/kql-learning-resources?view=microsoft-sentinel&preserve-view=true)

articles/sentinel/media/unified-connector-custom-device/kusto-query-screenshot.png

@@ -110,7 +110,7 @@ Event | where Source == "Microsoft-Windows-Sysmon" and EventID == 1
 ```
 
 > [!IMPORTANT]
-> A parser should not filter by time. The query which uses the parser will apply a time range. 
+> A parser should not filter by time. The query that uses the parser will apply a time range. 
 
 #### Filtering by source type using a Watchlist
 
@@ -146,8 +146,11 @@ srcipaddr=='*' or ClientIP==srcipaddr
 array_length(domain_has_any) == 0 or Name has_any (domain_has_any)
 ```
 
-#### <a name="optimization"></a>Filtering optimization
+See more information on the following items in the Kusto documentation:
+- [***array_length*** function](/kusto/query/array-length-function?view=microsoft-sentinel&preserve-view=true)
+- [***has_any*** operator](/kusto/query/has-any-operator?view=microsoft-sentinel&preserve-view=true)
 
+#### <a name="optimization"></a>Filtering optimization
 
 To ensure the performance of the parser, note the following filtering recommendations:
 
@@ -304,7 +307,7 @@ This function will set the fields as follows:
 | server1.microsoft.com | SrcHostname: server1<br>SrcDomain: microsoft.com<br> SrcDomainType: FQDN<br>SrcFQDN:server1.microsoft.com |
 
 
-The functions `_ASIM_ResolveDstFQDN` and `_ASIM_ResolveDvcFQDN` perform a similar task populating the related `Dst` and `Dvc` fields.For a full list of ASIM help functions, refer to [ASIM functions](normalization-functions.md)
+The functions `_ASIM_ResolveDstFQDN` and `_ASIM_ResolveDvcFQDN` perform a similar task populating the related `Dst` and `Dvc` fields. For a full list of ASIM help functions, refer to [ASIM functions](normalization-functions.md)
 
 ### Select fields in the result set
 
@@ -497,7 +500,7 @@ To submit the event samples, use the following steps:
 
 - In the `Logs` screen, run a query that will extract from the source table only the events selected by the parser. For example, for the [Infoblox DNS parser](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimDns/Parsers/ASimDnsInfobloxNIOS.yaml), use the following query:
 
-``` KQL
+```kusto
     Syslog
     | where ProcessName == "named"
 ```
@@ -506,7 +509,7 @@ To submit the event samples, use the following steps:
 
 - In the `Logs` screen, run a query that will output the schema or the parser input table. For example, for the same Infoblox DNS parser, the query is:
 
-``` KQL
+```kusto
     Syslog
     | getschema
 ```

articles/sentinel/normalization-develop-parsers.md

@@ -19,27 +19,31 @@ Advanced Security Information Model (ASIM) helper functions extend the KQL langu
 
 Enrichment lookup functions provide an easy method of looking up known values, based on their numerical representation. Such functions are useful as events often use the short form numeric code, while users prefer the textual form. Most of the functions have two forms:
 
-The **lookup** version is a scalar function that accepts as input the numeric code and returns the textual form. Use the following KQL snippet with the **lookup** version:
+- The **lookup** version is a scalar function that accepts as input the numeric code and returns the textual form. 
 
-```kusto
-| extend ProtocolName = _ASIM_LookupNetworkProtocol (ProtocolNumber)
-``` 
+    Use the following KQL snippet with the **lookup** version:
 
-The **resolve** version is a tabular function that:
+    ```kusto
+    | extend ProtocolName = _ASIM_LookupNetworkProtocol (ProtocolNumber)
+    ``` 
 
-- Is used a KQL pipeline operator. 
-- Accepts as input the name of the field holding the value to look up.
-- Sets the ASIM fields typically holding both the input value and the resulting lookup value. 
+- The **resolve** version is a tabular function that:
 
-Use the following KQL snippet with the **resolve** version:
+    - Is used as a KQL pipeline operator. 
+    - Accepts as input the name of the field holding the value to look up.
+    - Sets the ASIM fields typically holding both the input value and the resulting lookup value. 
 
-```kusto
-| invoke _ASIM_ResolveNetworkProtocol (`ProtocolNumber`)
-``` 
+    Use the following KQL snippet with the **resolve** version:
 
-Which will automatically populate the NetworkProtocol field with the result of the lookup.
+    ```kusto
+    | invoke _ASIM_ResolveNetworkProtocol (`ProtocolNumber`)
+    ``` 
 
-The **resolve** version is preferable for use in ASIM parsers, while the lookup version is useful in general purpose queries. When an enrichment lookup function has to return more than one value, it will always use the **resolve** format.
+    The function automatically populates the ASIM field with the result of the lookup.
+
+The **resolve** version is preferable for use in ASIM parsers, while the **lookup** version is useful in general purpose queries. When an enrichment lookup function has to return more than one value, it will always use the **resolve** format.
+
+For more information on scalar and tabular functions (represented by the lookup and resolve versions here, respectively), see [User-defined functions](/kusto/query/functions/user-defined-functions?view=microsoft-sentinel&preserve-view=true) in the Kusto documentation.
 
 ### Lookup type functions
 

articles/sentinel/normalization-functions.md

@@ -245,6 +245,32 @@ This procedure describes a sample process for using summary rules with [auxiliar
           | make-series TotalBytesSent=sum(SentBytes) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor 
         ```
 
+See more information on the following items used in the preceding examples, in the Kusto documentation:
+- [***let*** statement](/kusto/query/let-statement?view=microsoft-sentinel&preserve-view=true)
+- [***where*** operator](/kusto/query/where-operator?view=microsoft-sentinel&preserve-view=true)
+- [***extend*** operator](/kusto/query/extend-operator?view=microsoft-sentinel&preserve-view=true)
+- [***project*** operator](/kusto/query/project-operator?view=microsoft-sentinel&preserve-view=true)
+- [***summarize*** operator](/kusto/query/summarize-operator?view=microsoft-sentinel&preserve-view=true)
+- [***lookup*** operator](/kusto/query/lookup-operator?view=microsoft-sentinel&preserve-view=true)
+- [***union*** operator](/kusto/query/union-operator?view=microsoft-sentinel&preserve-view=true)
+- [***make-series*** operator](/kusto/query/make-series-operator?view=microsoft-sentinel&preserve-view=true)
+- [***isnotempty()*** function](/kusto/query/isnotempty-function?view=microsoft-sentinel&preserve-view=true)
+- [***format_datetime()*** function](/kusto/query/format-datetime-function?view=microsoft-sentinel&preserve-view=true)
+- [***column_ifexists()*** function](/kusto/query/column-ifexists-function?view=microsoft-sentinel&preserve-view=true)
+- [***iff()*** function](/kusto/query/iff-function?view=microsoft-sentinel&preserve-view=true)
+- [***ipv4_is_private()*** function](/kusto/query/ipv4-is-private-function?view=microsoft-sentinel&preserve-view=true)
+- [***min()*** function](/kusto/query/min-aggregation-function?view=microsoft-sentinel&preserve-view=true)
+- [***tostring()*** function](/kusto/query/tostring-function?view=microsoft-sentinel&preserve-view=true)
+- [***ago()*** function](/kusto/query/ago-function?view=microsoft-sentinel&preserve-view=true)
+- [***startofday()*** function](/kusto/query/startofday-function?view=microsoft-sentinel&preserve-view=true)
+- [***parse_json()*** function](/kusto/query/parse-json-function?view=microsoft-sentinel&preserve-view=true)
+- [***count()*** aggregation function](/kusto/query/count-aggregation-function?view=microsoft-sentinel&preserve-view=true)
+- [***make_set()*** aggregation function](/kusto/query/make-set-aggregation-function?view=microsoft-sentinel&preserve-view=true)
+- [***dcount()*** aggregation function](/kusto/query/dcount-aggregation-function?view=microsoft-sentinel&preserve-view=true)
+- [***sum()*** aggregation function](/kusto/query/sum-aggregation-function?view=microsoft-sentinel&preserve-view=true)
+
+[!INCLUDE [kusto-reference-general-no-alert](includes/kusto-reference-general-no-alert.md)]
+
 ## Related content
 
 - [Aggregate data in Log Analytics workspace with Summary rules](/azure/azure-monitor/logs/summary-rules)

articles/sentinel/summary-rules.md

@@ -102,6 +102,8 @@ To complete this tutorial, make sure you have:
 
    :::image type="content" source="media/tutorial-log4j-detection/set-rule-logic-tab.png" alt-text="Screenshot of the Set rule logic tab of the Analytics rule wizard." lightbox="media/tutorial-log4j-detection/set-rule-logic-tab.png":::
 
+    [!INCLUDE [kusto-reference-general-no-alert](includes/kusto-reference-general-no-alert.md)]
+
 ## Enrich alerts with entities and other details
 
 1. Under **Alert enrichment**, keep the **Entity mapping** settings as they are. Note the three mapped entities.
@@ -218,4 +220,4 @@ Now that you've learned how to search for exploits of a common vulnerability usi
     - [Alert properties](customize-alert-details.md)
 
 - Learn about [other kinds of analytics rules](detect-threats-built-in.md) in Microsoft Sentinel and their function.
-- Learn more about writing queries in Kusto Query Language (KQL). Learn more about KQL [concepts](/azure/data-explorer/kusto/concepts/) and [queries](/azure/data-explorer/kusto/query/), and see this handy [quick reference guide](/azure/data-explorer/kql-quick-reference).
+- Learn more about writing queries in Kusto Query Language (KQL). To learn more about KQL, see this [overview](/kusto/query/?view=microsoft-sentinel&preserve-view=true), learn some [best practices](/kusto/query/best-practices?view=microsoft-sentinel&preserve-view=true), and keep this handy [quick reference guide](/kusto/query/kql-quick-reference?view=microsoft-sentinel&preserve-view=true).

articles/sentinel/tutorial-log4j-detection.md

@@ -259,6 +259,18 @@ Follow these steps to ingest log messages from JuniperIDP:
         ```kusto
         source | parse RawData with tmp_time " " host_s " " ident_s " " tmp_pid " " msgid_s " " extradata | extend dvc_os_s = extract("\\[(junos\\S+)", 1, extradata) | extend event_end_time_s = extract(".*epoch-time=\"(\\S+)\"", 1, extradata) | extend message_type_s = extract(".*message-type=\"(\\S+)\"", 1, extradata) | extend source_address_s = extract(".*source-address=\"(\\S+)\"", 1, extradata) | extend destination_address_s = extract(".*destination-address=\"(\\S+)\"", 1, extradata) | extend destination_port_s = extract(".*destination-port=\"(\\S+)\"", 1, extradata) | extend protocol_name_s = extract(".*protocol-name=\"(\\S+)\"", 1, extradata) | extend service_name_s = extract(".*service-name=\"(\\S+)\"", 1, extradata) | extend application_name_s = extract(".*application-name=\"(\\S+)\"", 1, extradata) | extend rule_name_s = extract(".*rule-name=\"(\\S+)\"", 1, extradata) | extend rulebase_name_s = extract(".*rulebase-name=\"(\\S+)\"", 1, extradata) | extend policy_name_s = extract(".*policy-name=\"(\\S+)\"", 1, extradata) | extend export_id_s = extract(".*export-id=\"(\\S+)\"", 1, extradata) | extend repeat_count_s = extract(".*repeat-count=\"(\\S+)\"", 1, extradata) | extend action_s = extract(".*action=\"(\\S+)\"", 1, extradata) | extend threat_severity_s = extract(".*threat-severity=\"(\\S+)\"", 1, extradata) | extend attack_name_s = extract(".*attack-name=\"(\\S+)\"", 1, extradata) | extend nat_source_address_s = extract(".*nat-source-address=\"(\\S+)\"", 1, extradata) | extend nat_source_port_s = extract(".*nat-source-port=\"(\\S+)\"", 1, extradata) | extend nat_destination_address_s = extract(".*nat-destination-address=\"(\\S+)\"", 1, extradata) | extend nat_destination_port_s = extract(".*nat-destination-port=\"(\\S+)\"", 1, extradata) | extend elapsed_time_s = extract(".*elapsed-time=\"(\\S+)\"", 1, extradata) | extend inbound_bytes_s = extract(".*inbound-bytes=\"(\\S+)\"", 1, extradata) | extend outbound_bytes_s = extract(".*outbound-bytes=\"(\\S+)\"", 1, extradata) | extend inbound_packets_s = extract(".*inbound-packets=\"(\\S+)\"", 1, extradata) | extend outbound_packets_s = extract(".*outbound-packets=\"(\\S+)\"", 1, extradata) | extend source_zone_name_s = extract(".*source-zone-name=\"(\\S+)\"", 1, extradata) | extend source_interface_name_s = extract(".*source-interface-name=\"(\\S+)\"", 1, extradata) | extend destination_zone_name_s = extract(".*destination-zone-name=\"(\\S+)\"", 1, extradata) | extend destination_interface_name_s = extract(".*destination-interface-name=\"(\\S+)\"", 1, extradata) | extend packet_log_id_s = extract(".*packet-log-id=\"(\\S+)\"", 1, extradata) | extend alert_s = extract(".*alert=\"(\\S+)\"", 1, extradata) | extend username_s = extract(".*username=\"(\\S+)\"", 1, extradata) | extend roles_s = extract(".*roles=\"(\\S+)\"", 1, extradata) | extend msg_s = extract(".*message=\"(\\S+)\"", 1, extradata) | project-away RawData
         ```
+        
+        The following screenshot shows the complete query in the preceding example in a more readable format:
+
+        :::image type="content" source="media/unified-connector-custom-device/kusto-query-screenshot.png" alt-text="Screenshot showing expanded Kusto query with line breaks for readability." lightbox="media/unified-connector-custom-device/kusto-query-screenshot.png":::
+
+        See more information on the following items used in the preceding examples, in the Kusto documentation:
+        - [***parse*** operator](/kusto/query/parse-operator?view=microsoft-sentinel&preserve-view=true)
+        - [***extend*** operator](/kusto/query/extend-operator?view=microsoft-sentinel&preserve-view=true)
+        - [***extract*** function](/kusto/query/extract-function?view=microsoft-sentinel&preserve-view=true)
+        - [***project-away*** operator](/kusto/query/project-away-operator?view=microsoft-sentinel&preserve-view=true)
+
+        [!INCLUDE [kusto-reference-general-no-alert](includes/kusto-reference-general-no-alert.md)]
 
 1. Configure the machine where the Azure Monitor Agent is installed to open the syslog ports, and configure the syslog daemon there to accept messages from external sources. For detailed instructions and a script to automate this configuration, see [Configure the log forwarder to accept logs](connect-custom-logs-ama.md#configure-the-log-forwarder-to-accept-logs).