Updating Kusto links

yelevin · yelevin · commit 2ef14a23be20 · 2024-12-17T16:39:12.000+02:00
diff --git a/articles/sentinel/normalization-develop-parsers.md b/articles/sentinel/normalization-develop-parsers.md
@@ -110,7 +110,7 @@ Event | where Source == "Microsoft-Windows-Sysmon" and EventID == 1
 ```
 
 > [!IMPORTANT]
-> A parser should not filter by time. The query which uses the parser will apply a time range. 
+> A parser should not filter by time. The query that uses the parser will apply a time range. 
 
 #### Filtering by source type using a Watchlist
 
@@ -146,8 +146,11 @@ srcipaddr=='*' or ClientIP==srcipaddr
 array_length(domain_has_any) == 0 or Name has_any (domain_has_any)
 ```
 
-#### <a name="optimization"></a>Filtering optimization
+See more information on the following items in the Kusto documentation:
+- [***array_length*** function](/kusto/query/array-length-function?view=microsoft-sentinel&preserve-view=true)
+- [***has_any*** operator](/kusto/query/has-any-operator?view=microsoft-sentinel&preserve-view=true)
 
+#### <a name="optimization"></a>Filtering optimization
 
 To ensure the performance of the parser, note the following filtering recommendations:
 
@@ -497,7 +500,7 @@ To submit the event samples, use the following steps:
 
 - In the `Logs` screen, run a query that will extract from the source table only the events selected by the parser. For example, for the [Infoblox DNS parser](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimDns/Parsers/ASimDnsInfobloxNIOS.yaml), use the following query:
 
-``` KQL
+```kusto
     Syslog
     | where ProcessName == "named"
 ```
@@ -506,7 +509,7 @@ To submit the event samples, use the following steps:
 
 - In the `Logs` screen, run a query that will output the schema or the parser input table. For example, for the same Infoblox DNS parser, the query is:
 
-``` KQL
+```kusto
     Syslog
     | getschema
 ```
diff --git a/articles/sentinel/normalization-functions.md b/articles/sentinel/normalization-functions.md
@@ -19,27 +19,31 @@ Advanced Security Information Model (ASIM) helper functions extend the KQL langu
 
 Enrichment lookup functions provide an easy method of looking up known values, based on their numerical representation. Such functions are useful as events often use the short form numeric code, while users prefer the textual form. Most of the functions have two forms:
 
-The **lookup** version is a scalar function that accepts as input the numeric code and returns the textual form. Use the following KQL snippet with the **lookup** version:
+- The **lookup** version is a scalar function that accepts as input the numeric code and returns the textual form. 
 
-```kusto
-| extend ProtocolName = _ASIM_LookupNetworkProtocol (ProtocolNumber)
-``` 
+    Use the following KQL snippet with the **lookup** version:
 
-The **resolve** version is a tabular function that:
+    ```kusto
+    | extend ProtocolName = _ASIM_LookupNetworkProtocol (ProtocolNumber)
+    ``` 
 
-- Is used a KQL pipeline operator. 
-- Accepts as input the name of the field holding the value to look up.
-- Sets the ASIM fields typically holding both the input value and the resulting lookup value. 
+- The **resolve** version is a tabular function that:
 
-Use the following KQL snippet with the **resolve** version:
+    - Is used as a KQL pipeline operator. 
+    - Accepts as input the name of the field holding the value to look up.
+    - Sets the ASIM fields typically holding both the input value and the resulting lookup value. 
 
-```kusto
-| invoke _ASIM_ResolveNetworkProtocol (`ProtocolNumber`)
-``` 
+    Use the following KQL snippet with the **resolve** version:
 
-Which will automatically populate the NetworkProtocol field with the result of the lookup.
+    ```kusto
+    | invoke _ASIM_ResolveNetworkProtocol (`ProtocolNumber`)
+    ``` 
 
-The **resolve** version is preferable for use in ASIM parsers, while the lookup version is useful in general purpose queries. When an enrichment lookup function has to return more than one value, it will always use the **resolve** format.
+    The function automatically populates the ASIM field with the result of the lookup.
+
+The **resolve** version is preferable for use in ASIM parsers, while the **lookup** version is useful in general purpose queries. When an enrichment lookup function has to return more than one value, it will always use the **resolve** format.
+
+For more information on scalar and tabular functions (represented by the lookup and resolve versions here, respectively), see [User-defined functions](/kusto/query/functions/user-defined-functions?view=microsoft-sentinel&preserve-view=true) in the Kusto documentation.
 
 ### Lookup type functions
 
