Continued work 5

Author: yelevin

articles/sentinel/monitor-data-connector-health.md

@@ -52,7 +52,7 @@ There are three tabbed sections in this workbook:
 
 - The **Overview** tab shows the general status of data ingestion in the selected workspace: volume measures, EPS rates, and time last log received.
 
-- The **Data collection anomalies** tab will help you to detect anomalies in the data collection process, by table and data source. Each tab presents anomalies for a particular table (the **General** tab includes a collection of tables). The anomalies are calculated using the **series_decompose_anomalies()** function that returns an **anomaly score**. [Learn more about this function](/azure/data-explorer/kusto/query/series-decompose-anomaliesfunction?WT.mc_id=Portal-fx). Set the following parameters for the function to evaluate:
+- The **Data collection anomalies** tab will help you to detect anomalies in the data collection process, by table and data source. Each tab presents anomalies for a particular table (the **General** tab includes a collection of tables). The anomalies are calculated using the **series_decompose_anomalies()** function that returns an **anomaly score**. [Learn more about this function](/kusto/query/series-decompose-anomalies-function?view=microsoft-sentinel&preserve-view=true&WT.mc_id=Portal-fx). Set the following parameters for the function to evaluate:
 
     - **AnomaliesTimeRange**: This time picker applies only to the data collection anomalies view.
     - **SampleInterval**: The time interval in which data is sampled in the given time range. The anomaly score is calculated only on the last interval's data.
@@ -117,45 +117,56 @@ SentinelHealth
 **Detect connectors with changes from fail to success state**:
 
 ```kusto
-let lastestStatus = SentinelHealth
+let latestStatus = SentinelHealth
 | where TimeGenerated > ago(12h)
 | where OperationName == 'Data fetch status change'
 | where Status in ('Success', 'Failure')
 | project TimeGenerated, SentinelResourceName, SentinelResourceId, LastStatus = Status
 | summarize TimeGenerated = arg_max(TimeGenerated,*) by SentinelResourceName, SentinelResourceId;
-let nextToLastestStatus = SentinelHealth
+let nextTolatestStatus = SentinelHealth
 | where TimeGenerated > ago(12h)
 | where OperationName == 'Data fetch status change'
 | where Status in ('Success', 'Failure')
-| join kind = leftanti (lastestStatus) on SentinelResourceName, SentinelResourceId, TimeGenerated
+| join kind = leftanti (latestStatus) on SentinelResourceName, SentinelResourceId, TimeGenerated
 | project TimeGenerated, SentinelResourceName, SentinelResourceId, NextToLastStatus = Status
 | summarize TimeGenerated = arg_max(TimeGenerated,*) by SentinelResourceName, SentinelResourceId;
-lastestStatus
-| join kind=inner (nextToLastestStatus) on SentinelResourceName, SentinelResourceId
+latestStatus
+| join kind=inner (nextTolatestStatus) on SentinelResourceName, SentinelResourceId
 | where NextToLastStatus == 'Failure' and LastStatus == 'Success'
 ```
 
 **Detect connectors with changes from success to fail state**:
 
 ```kusto
-let lastestStatus = SentinelHealth
+let latestStatus = SentinelHealth
 | where TimeGenerated > ago(12h)
 | where OperationName == 'Data fetch status change'
 | where Status in ('Success', 'Failure')
 | project TimeGenerated, SentinelResourceName, SentinelResourceId, LastStatus = Status
 | summarize TimeGenerated = arg_max(TimeGenerated,*) by SentinelResourceName, SentinelResourceId;
-let nextToLastestStatus = SentinelHealth
+let nextTolatestStatus = SentinelHealth
 | where TimeGenerated > ago(12h)
 | where OperationName == 'Data fetch status change'
 | where Status in ('Success', 'Failure')
-| join kind = leftanti (lastestStatus) on SentinelResourceName, SentinelResourceId, TimeGenerated
+| join kind = leftanti (latestStatus) on SentinelResourceName, SentinelResourceId, TimeGenerated
 | project TimeGenerated, SentinelResourceName, SentinelResourceId, NextToLastStatus = Status
 | summarize TimeGenerated = arg_max(TimeGenerated,*) by SentinelResourceName, SentinelResourceId;
-lastestStatus
-| join kind=inner (nextToLastestStatus) on SentinelResourceName, SentinelResourceId
+latestStatus
+| join kind=inner (nextTolatestStatus) on SentinelResourceName, SentinelResourceId
 | where NextToLastStatus == 'Success' and LastStatus == 'Failure'
 ```
 
+See more information on the following items used in the preceding examples, in the Kusto documentation:
+- [***let*** statement](/kusto/query/let-statement?view=microsoft-sentinel&preserve-view=true)
+- [***where*** operator](/kusto/query/where-operator?view=microsoft-sentinel&preserve-view=true)
+- [***project*** operator](/kusto/query/project-operator?view=microsoft-sentinel&preserve-view=true)
+- [***summarize*** operator](/kusto/query/summarize-operator?view=microsoft-sentinel&preserve-view=true)
+- [***join*** operator](/kusto/query/join-operator?view=microsoft-sentinel&preserve-view=true)
+- [***ago()*** function](/kusto/query/ago-function?view=microsoft-sentinel&preserve-view=true)
+- [***arg_max()*** aggregation function](/kusto/query/arg-max-aggregation-function?view=microsoft-sentinel&preserve-view=true)
+
+[!INCLUDE [kusto-reference-general-no-alert](includes/kusto-reference-general-no-alert.md)]
+
 ### Configure alerts and automated actions for health issues
 
 While you can use the Microsoft Sentinel [analytics rules](automate-incident-handling-with-automation-rules.md) to configure automation in Microsoft Sentinel logs, if you want to be notified and take immediate action for health drifts in your data connectors, we recommend that you use [Azure Monitor alert rules](/azure/azure-monitor/alerts/alerts-overview).

articles/sentinel/normalization-develop-parsers.md

@@ -410,7 +410,7 @@ Handle the results as follows:
 | Missing recommended alias [\<Field\>] aliasing existing column [\<Field\>] | Add the alias to your parser |
 | Missing optional alias [\<Field\>] aliasing existing column [\<Field\>] | Add the alias to your parser |
 | Missing mandatory alias [\<Field\>] aliasing missing column [\<Field\>] | This error accompanies a similar error for the aliased field. Correct the aliased field error and add this alias to your parser. |
-| Type mismatch for field [\<Field\>]. It is currently [\<Type\>] and should be [\<Type\>] | Make sure that the type of normalized field is correct, usually by using a [conversion function](/azure/data-explorer/kusto/query/scalarfunctions#conversion-functions) such as `tostring`. |
+| Type mismatch for field [\<Field\>]. It is currently [\<Type\>] and should be [\<Type\>] | Make sure that the type of normalized field is correct, usually by using a [conversion function](/kusto/query/scalar-functions?view=microsoft-sentinel&preserve-view=true#conversion-functions) such as `tostring`. |
 
 | Info | Action |
 | ----- | ------ |
@@ -447,7 +447,7 @@ Handle the results as follows:
 
 | Message | Action |
 | ------- | ------ |
-| **(0) Error: type mismatch for column  [\<Field\>]. It is currently [\<Type\>] and should be [\<Type\>]** | Make sure that the type of normalized field is correct, usually by using a [conversion function](/azure/data-explorer/kusto/query/scalarfunctions#conversion-functions) such as `tostring`.  |
+| **(0) Error: type mismatch for column  [\<Field\>]. It is currently [\<Type\>] and should be [\<Type\>]** | Make sure that the type of normalized field is correct, usually by using a [conversion function](/kusto/query/scalar-functions?view=microsoft-sentinel&preserve-view=true#conversion-functions) such as `tostring`.  |
 | **(0) Error: Invalid value(s) (up to 10 listed) for field [\<Field\>] of type [\<Logical Type\>]** | Make sure that the parser maps the correct source field to the output field. If mapped correctly, update the parser to transform the source value to the correct type, value or format. Refer to the [list of logical types](normalization-about-schemas.md#logical-types) for more information on the correct values and formats for each logical type. <br><br>Note that the testing tool lists only a sample of 10 invalid values.   |
 | **(1) Warning: Empty value in mandatory field [\<Field\>]** | Mandatory fields should be populated, not just defined. Check whether the field can be populated from other sources for records for which the current source is empty. |
 | **(2) Info: Empty value in recommended field [\<Field\>]** | Recommended fields should usually be populated. Check whether the field can be populated from other sources for records for which the current source is empty. |

articles/sentinel/normalization-parsers-overview.md

@@ -13,7 +13,7 @@ ms.author: ofshezaf
 
 # The Advanced Security Information Model (ASIM) parsers (Public preview)
 
-In Microsoft Sentinel, parsing and [normalizing](normalization.md) happen at query time. Parsers are built as [KQL user-defined functions](/azure/data-explorer/kusto/query/functions/user-defined-functions) that transform data in existing tables, such as **CommonSecurityLog**, custom logs tables, or Syslog, into the normalized schema.
+In Microsoft Sentinel, parsing and [normalizing](normalization.md) happen at query time. Parsers are built as [KQL user-defined functions](/kusto/query/functions/user-defined-functions?view=microsoft-sentinel&preserve-view=true) that transform data in existing tables, such as **CommonSecurityLog**, custom logs tables, or Syslog, into the normalized schema.
 
 Users [use Advanced Security Information Model (ASIM) parsers](normalization-about-parsers.md) instead of table names in their queries to view data in a normalized format, and to include all data relevant to the schema in your query. 
 

articles/sentinel/normalization-schema-audit.md

@@ -76,7 +76,7 @@ The following filtering parameters are available:
 | **object_has_any** | dynamic/string | Filter only events in which [Object](#object) field includes any of the terms provided. | 
 | **newvalue_has_any** | dynamic/string | Filter only events in which [NewValue](#object) field includes any of the terms provided. | 
 
-Some parameter can accept both list of values of type `dynamic` or a single string value. To pass a literal list to parameters that expect a dynamic value, explicitly use a [dynamic literal](/azure/data-explorer/kusto/query/scalar-data-types/dynamic#dynamic-literals.md). For example: `dynamic(['192.168.','10.'])`
+Some parameter can accept both list of values of type `dynamic` or a single string value. To pass a literal list to parameters that expect a dynamic value, explicitly use a [dynamic literal](/kusto/query/scalar-data-types/dynamic?view=microsoft-sentinel&preserve-view=true#dynamic-literals). For example: `dynamic(['192.168.','10.'])`
 
 For example, to filter only audit events with the terms `install` or `update` in their [Operation](#operation) field, from the last day , use:
 

articles/sentinel/normalization-schema-authentication.md

@@ -67,7 +67,7 @@ imAuthentication (targetusername_has = 'johndoe', starttime = ago(1d), endtime=n
 
 
 > [!TIP]
-> To pass a literal list to parameters that expect a dynamic value, explicitly use a [dynamic literal](/azure/data-explorer/kusto/query/scalar-data-types/dynamic#dynamic-literals.md). For example: `dynamic(['192.168.','10.'])`.
+> To pass a literal list to parameters that expect a dynamic value, explicitly use a [dynamic literal](/kusto/query/scalar-data-types/dynamic?view=microsoft-sentinel&preserve-view=true#dynamic-literals). For example: `dynamic(['192.168.','10.'])`.
 >
 
 

articles/sentinel/normalization-schema-dns.md

@@ -108,7 +108,7 @@ let torProxies=dynamic(["tor2web.org", "tor2web.com", "torlink.co"]);
 _Im_Dns (domain_has_any = torProxies)
 ```
 
-Some parameter can accept both list of values of type `dynamic` or a single string value. To pass a literal list to parameters that expect a dynamic value, explicitly use a [dynamic literal](/azure/data-explorer/kusto/query/scalar-data-types/dynamic#dynamic-literals.md). For example: `dynamic(['192.168.','10.'])`
+Some parameter can accept both list of values of type `dynamic` or a single string value. To pass a literal list to parameters that expect a dynamic value, explicitly use a [dynamic literal](/kusto/query/scalar-data-types/dynamic?view=microsoft-sentinel&preserve-view=true#dynamic-literals). For example: `dynamic(['192.168.','10.'])`
 
 ## Normalized content
 

articles/sentinel/normalization-schema-network.md

@@ -71,7 +71,7 @@ The following filtering parameters are available:
 | **dvcaction** | dynamic/string | Filter only network sessions for which the [Device Action field](#dvcaction) is any of the values listed. | 
 | **eventresult** | String | Filter only network sessions with a specific **EventResult** value. |
 
-Some parameter can accept both list of values of type `dynamic` or a single string value. To pass a literal list to parameters that expect a dynamic value, explicitly use a [dynamic literal](/azure/data-explorer/kusto/query/scalar-data-types/dynamic#dynamic-literals.md). For example: `dynamic(['192.168.','10.'])`
+Some parameter can accept both list of values of type `dynamic` or a single string value. To pass a literal list to parameters that expect a dynamic value, explicitly use a [dynamic literal](/kusto/query/scalar-data-types/dynamic?view=microsoft-sentinel&preserve-view=true#dynamic-literals). For example: `dynamic(['192.168.','10.'])`
 
 For example, to filter only network sessions for a specified list of domain names, use:
 
@@ -81,7 +81,7 @@ _Im_NetworkSession (hostname_has_any = torProxies)
 ```
 
 > [!TIP]
-> To pass a literal list to parameters that expect a dynamic value, explicitly use a [dynamic literal](/azure/data-explorer/kusto/query/scalar-data-types/dynamic#dynamic-literals.md). For example: `dynamic(['192.168.','10.'])`.
+> To pass a literal list to parameters that expect a dynamic value, explicitly use a [dynamic literal](/kusto/query/scalar-data-types/dynamic?view=microsoft-sentinel&preserve-view=true#dynamic-literals). For example: `dynamic(['192.168.','10.'])`.
 >
 
 ## Normalized content

articles/sentinel/normalization-schema-process-event.md

@@ -75,7 +75,7 @@ imProcessCreate (targetusername_has = 'johndoe', starttime = ago(1d), endtime=no
 ```
 
 > [!TIP]
-> To pass a literal list to parameters that expect a dynamic value, explicitly use a [dynamic literal](/azure/data-explorer/kusto/query/scalar-data-types/dynamic#dynamic-literals.md). For example: `dynamic(['192.168.','10.'])`.
+> To pass a literal list to parameters that expect a dynamic value, explicitly use a [dynamic literal](/kusto/query/scalar-data-types/dynamic?view=microsoft-sentinel&preserve-view=true#dynamic-literals). For example: `dynamic(['192.168.','10.'])`.
 >
 
 ## Normalized content

articles/sentinel/normalization-schema-web.md

@@ -86,7 +86,7 @@ The following filtering parameters are available:
 | **eventresultdetails_in** | dynamic | Filter only web sessions for which the HTTP status code, stored in the [EventResultDetails](#eventresultdetails) field, is any of the values listed. | 
 | **eventresult** | string | Filter only network sessions with a specific **EventResult** value. |
 
-Some parameter can accept both list of values of type `dynamic` or a single string value. To pass a literal list to parameters that expect a dynamic value, explicitly use a [dynamic literal](/azure/data-explorer/kusto/query/scalar-data-types/dynamic#dynamic-literals). For example: `dynamic(['192.168.','10.'])`
+Some parameter can accept both list of values of type `dynamic` or a single string value. To pass a literal list to parameters that expect a dynamic value, explicitly use a [dynamic literal](/kusto/query/scalar-data-types/dynamic?view=microsoft-sentinel&preserve-view=true#dynamic-literals). For example: `dynamic(['192.168.','10.'])`
 
 For example, to filter only Web sessions for a specified list of domain names, use:
 

articles/sentinel/normalization.md

@@ -80,7 +80,7 @@ For more information, see [ASIM schemas](normalization-about-schemas.md).
 
 ### Query time parsers
 
-ASIM uses query time parsers to map existing data to the normalized schemas using [KQL functions](/azure/data-explorer/kusto/query/functions/user-defined-functions). Many ASIM parsers are available out of the box with Microsoft Sentinel. More parsers, and versions of the built-in parsers that can be modified can be deployed from the [Microsoft Sentinel GitHub repository](https://aka.ms/AzSentinelASim).
+ASIM uses query time parsers to map existing data to the normalized schemas using [KQL functions](/kusto/query/functions/user-defined-functions?view=microsoft-sentinel&preserve-view=true). Many ASIM parsers are available out of the box with Microsoft Sentinel. More parsers, and versions of the built-in parsers that can be modified can be deployed from the [Microsoft Sentinel GitHub repository](https://aka.ms/AzSentinelASim).
 
 For more information, see [ASIM parsers](normalization-parsers-overview.md).