More cleanup

Author: yelevin

articles/sentinel/aws-s3-troubleshoot.md

@@ -149,6 +149,15 @@ There might be errors in the health logs, or the health feature might not be ena
 
 1. If the health feature isn’t enabled, [enable it](enable-monitoring.md).
 
+   See more information on the following items used in the preceding example, in the Kusto documentation:
+   - [***where*** operator](/kusto/query/where-operator?view=microsoft-sentinel&preserve-view=true)
+   - [***extend*** operator](/kusto/query/extend-operator?view=microsoft-sentinel&preserve-view=true)
+   - [***project*** operator](/kusto/query/project-operator?view=microsoft-sentinel&preserve-view=true)
+   - [***mv-expand*** operator](/kusto/query/mv-expand-operator?view=microsoft-sentinel&preserve-view=true)
+   - [***ago()*** function](/kusto/query/ago-function?view=microsoft-sentinel&preserve-view=true)
+
+   [!INCLUDE [kusto-reference-general-no-alert](includes/kusto-reference-general-no-alert.md)]
+
 ## Next steps
 
 In this article, you learned how to quickly identify causes and resolve common issues with the AWS S3 connector.

articles/sentinel/connect-microsoft-365-defender.md

@@ -66,7 +66,7 @@ To ingest and synchronize Microsoft Defender XDR incidents with all their alerts
 
    ```kusto
       SecurityIncident
-      |    where ProviderName == "Microsoft 365 Defender"
+      | where ProviderName == "Microsoft 365 Defender"
    ```
 
 When you enable the Microsoft Defender XDR connector, any Microsoft Defender components’ connectors that were previously connected are automatically disconnected in the background. Although they continue to *appear* connected, no data flows through them.
@@ -178,6 +178,22 @@ let Now = now();
 | render timechart
 ```
 
+See more information on the following items used in the preceding examples, in the Kusto documentation:
+- [***let*** statement](/kusto/query/let-statement?view=microsoft-sentinel&preserve-view=true)
+- [***where*** operator](/kusto/query/where-operator?view=microsoft-sentinel&preserve-view=true)
+- [***extend*** operator](/kusto/query/extend-operator?view=microsoft-sentinel&preserve-view=true)
+- [***project*** operator](/kusto/query/project-operator?view=microsoft-sentinel&preserve-view=true)
+- [***union*** operator](/kusto/query/union-operator?view=microsoft-sentinel&preserve-view=true)
+- [***sort*** operator](/kusto/query/sort-operator?view=microsoft-sentinel&preserve-view=true)
+- [***summarize*** operator](/kusto/query/summarize-operator?view=microsoft-sentinel&preserve-view=true)
+- [***render*** operator](/kusto/query/render-operator?view=microsoft-sentinel&preserve-view=true)
+- [***ago()*** function](/kusto/query/ago-function?view=microsoft-sentinel&preserve-view=true)
+- [***iff()*** function](/kusto/query/iff-function?view=microsoft-sentinel&preserve-view=true)
+- [***max()*** aggregation function](/kusto/query/max-aggregation-function?view=microsoft-sentinel&preserve-view=true)
+- [***count()*** aggregation function](/kusto/query/count-aggregation-function?view=microsoft-sentinel&preserve-view=true)
+
+[!INCLUDE [kusto-reference-general-no-alert](includes/kusto-reference-general-no-alert.md)]
+
 ## Next step
 
 In this document, you learned how to integrate Microsoft Defender XDR incidents, alerts, and advanced hunting event data from Microsoft Defender services, into Microsoft Sentinel, by using the Microsoft Defender XDR connector.

articles/sentinel/connect-microsoft-purview.md

@@ -97,14 +97,23 @@ To disconnect the Azure Information Protection connector:
      '"MySensitivityLabelId": "MyLabel3"'
      '}');
      MicrosoftPurviewInformationProtection
-     | extend SensitivityLabelName = iif(isnotempty(SensitivityLabelId), 
+     | extend SensitivityLabelName = iff(isnotempty(SensitivityLabelId), 
     tostring(labelsMap[tostring(SensitivityLabelId)]), "")
-     | extend OldSensitivityLabelName = iif(isnotempty(OldSensitivityLabelId), 
+     | extend OldSensitivityLabelName = iff(isnotempty(OldSensitivityLabelId), 
     tostring(labelsMap[tostring(OldSensitivityLabelId)]), "")
     ```
  
 - The `MicrosoftPurviewInformationProtection` table and the `OfficeActivity` table might include some duplicated events.
- 
+
+See more information on the following items used in the preceding examples, in the Kusto documentation:
+- [***let*** statement](/kusto/query/let-statement?view=microsoft-sentinel&preserve-view=true)
+- [***extend*** operator](/kusto/query/extend-operator?view=microsoft-sentinel&preserve-view=true)
+- [***parse_json()*** function](/kusto/query/parse-json-function?view=microsoft-sentinel&preserve-view=true)
+- [***iff()*** function](/kusto/query/iff-function?view=microsoft-sentinel&preserve-view=true)
+- [***tostring()*** function](/kusto/query/tostring-function?view=microsoft-sentinel&preserve-view=true)
+
+[!INCLUDE [kusto-reference-general-no-alert](includes/kusto-reference-general-no-alert.md)]
+
 ## Next steps
 
 In this article, you learned how to set up the Microsoft Purview Information Protection connector to track, analyze, report on the data, and use it for compliance purposes. To learn more about Microsoft Sentinel, see the following articles:

articles/sentinel/ingestion-delay.md

@@ -82,6 +82,10 @@ CommonSecurityLog
 | where ingestion_time() > ago(rule_look_back)
 ```
 
+See more information on the following items used in the preceding example, in the Kusto documentation:
+- [***let*** statement](/kusto/query/let-statement?view=microsoft-sentinel&preserve-view=true)
+- [***where*** operator](/kusto/query/where-operator?view=microsoft-sentinel&preserve-view=true)
+- [***ago()*** function](/kusto/query/ago-function?view=microsoft-sentinel&preserve-view=true)
 
 ## Calculate ingestion delay