Merge pull request #292062 from yelevin/yelevin/kusto-updates

v-ccolin · web-flow · commit 56b391a5515c · 2024-12-31T15:37:59.000Z
Updating Kusto links
diff --git a/articles/sentinel/includes/kusto-reference-general-no-alert.md b/articles/sentinel/includes/kusto-reference-general-no-alert.md
@@ -0,0 +1,17 @@
+---
+title: "include file" 
+description: "include file" 
+services: microsoft-sentinel
+author: yelevin
+ms.author: yelevin
+ms.topic: "include"
+ms.date: 12/26/2024
+ms.custom: "include file"
+---
+<!-- docutune:disable -->
+
+For more information on KQL, see [Kusto Query Language (KQL) overview](/kusto/query/?view=microsoft-sentinel&preserve-view=true).
+
+Other resources:
+- [KQL quick reference](/kusto/query/kql-quick-reference?view=microsoft-sentinel&preserve-view=true)
+- [Kusto Query Language learning resources](/kusto/query/kql-learning-resources?view=microsoft-sentinel&preserve-view=true)
diff --git a/articles/sentinel/includes/kusto-reference-general.md b/articles/sentinel/includes/kusto-reference-general.md
@@ -0,0 +1,18 @@
+---
+title: "include file" 
+description: "include file" 
+services: microsoft-sentinel
+author: yelevin
+ms.author: yelevin
+ms.topic: "include"
+ms.date: 12/26/2024
+ms.custom: "include file"
+---
+<!-- docutune:disable -->
+
+> [!NOTE]
+> For more information on KQL, see [Kusto Query Language (KQL) overview](/kusto/query/?view=microsoft-sentinel&preserve-view=true).
+>
+> Other resources:
+> - [KQL quick reference](/kusto/query/kql-quick-reference?view=microsoft-sentinel&preserve-view=true)
+> - [Kusto Query Language learning resources](/kusto/query/kql-learning-resources?view=microsoft-sentinel&preserve-view=true)
diff --git a/articles/sentinel/media/unified-connector-custom-device/kusto-query-screenshot.png b/articles/sentinel/media/unified-connector-custom-device/kusto-query-screenshot.png
diff --git a/articles/sentinel/normalization-develop-parsers.md b/articles/sentinel/normalization-develop-parsers.md
@@ -110,7 +110,7 @@ Event | where Source == "Microsoft-Windows-Sysmon" and EventID == 1
 ```
 
 > [!IMPORTANT]
-> A parser should not filter by time. The query which uses the parser will apply a time range. 
+> A parser should not filter by time. The query that uses the parser will apply a time range. 
 
 #### Filtering by source type using a Watchlist
 
@@ -146,8 +146,11 @@ srcipaddr=='*' or ClientIP==srcipaddr
 array_length(domain_has_any) == 0 or Name has_any (domain_has_any)
 ```
 
-#### <a name="optimization"></a>Filtering optimization
+See more information on the following items in the Kusto documentation:
+- [***array_length*** function](/kusto/query/array-length-function?view=microsoft-sentinel&preserve-view=true)
+- [***has_any*** operator](/kusto/query/has-any-operator?view=microsoft-sentinel&preserve-view=true)
 
+#### <a name="optimization"></a>Filtering optimization
 
 To ensure the performance of the parser, note the following filtering recommendations:
 
@@ -304,7 +307,7 @@ This function will set the fields as follows:
 | server1.microsoft.com | SrcHostname: server1<br>SrcDomain: microsoft.com<br> SrcDomainType: FQDN<br>SrcFQDN:server1.microsoft.com |
 
 
-The functions `_ASIM_ResolveDstFQDN` and `_ASIM_ResolveDvcFQDN` perform a similar task populating the related `Dst` and `Dvc` fields.For a full list of ASIM help functions, refer to [ASIM functions](normalization-functions.md)
+The functions `_ASIM_ResolveDstFQDN` and `_ASIM_ResolveDvcFQDN` perform a similar task populating the related `Dst` and `Dvc` fields. For a full list of ASIM help functions, refer to [ASIM functions](normalization-functions.md)
 
 ### Select fields in the result set
 
@@ -497,7 +500,7 @@ To submit the event samples, use the following steps:
 
 - In the `Logs` screen, run a query that will extract from the source table only the events selected by the parser. For example, for the [Infoblox DNS parser](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimDns/Parsers/ASimDnsInfobloxNIOS.yaml), use the following query:
 
-``` KQL
+```kusto
     Syslog
     | where ProcessName == "named"
 ```
@@ -506,7 +509,7 @@ To submit the event samples, use the following steps:
 
 - In the `Logs` screen, run a query that will output the schema or the parser input table. For example, for the same Infoblox DNS parser, the query is:
 
-``` KQL
+```kusto
     Syslog
     | getschema
 ```
diff --git a/articles/sentinel/normalization-functions.md b/articles/sentinel/normalization-functions.md
@@ -19,27 +19,31 @@ Advanced Security Information Model (ASIM) helper functions extend the KQL langu
 
 Enrichment lookup functions provide an easy method of looking up known values, based on their numerical representation. Such functions are useful as events often use the short form numeric code, while users prefer the textual form. Most of the functions have two forms:
 
-The **lookup** version is a scalar function that accepts as input the numeric code and returns the textual form. Use the following KQL snippet with the **lookup** version:
+- The **lookup** version is a scalar function that accepts as input the numeric code and returns the textual form. 
 
-```kusto
-| extend ProtocolName = _ASIM_LookupNetworkProtocol (ProtocolNumber)
-``` 
+    Use the following KQL snippet with the **lookup** version:
 
-The **resolve** version is a tabular function that:
+    ```kusto
+    | extend ProtocolName = _ASIM_LookupNetworkProtocol (ProtocolNumber)
+    ``` 
 
-- Is used a KQL pipeline operator. 
-- Accepts as input the name of the field holding the value to look up.
-- Sets the ASIM fields typically holding both the input value and the resulting lookup value. 
+- The **resolve** version is a tabular function that:
 
-Use the following KQL snippet with the **resolve** version:
+    - Is used as a KQL pipeline operator. 
+    - Accepts as input the name of the field holding the value to look up.
+    - Sets the ASIM fields typically holding both the input value and the resulting lookup value. 
 
-```kusto
-| invoke _ASIM_ResolveNetworkProtocol (`ProtocolNumber`)
-``` 
+    Use the following KQL snippet with the **resolve** version:
 
-Which will automatically populate the NetworkProtocol field with the result of the lookup.
+    ```kusto
+    | invoke _ASIM_ResolveNetworkProtocol (`ProtocolNumber`)
+    ``` 
 
-The **resolve** version is preferable for use in ASIM parsers, while the lookup version is useful in general purpose queries. When an enrichment lookup function has to return more than one value, it will always use the **resolve** format.
+    The function automatically populates the ASIM field with the result of the lookup.
+
+The **resolve** version is preferable for use in ASIM parsers, while the **lookup** version is useful in general purpose queries. When an enrichment lookup function has to return more than one value, it will always use the **resolve** format.
+
+For more information on scalar and tabular functions (represented by the lookup and resolve versions here, respectively), see [User-defined functions](/kusto/query/functions/user-defined-functions?view=microsoft-sentinel&preserve-view=true) in the Kusto documentation.
 
 ### Lookup type functions
 
diff --git a/articles/sentinel/summary-rules.md b/articles/sentinel/summary-rules.md
@@ -245,6 +245,32 @@ This procedure describes a sample process for using summary rules with [auxiliar
           | make-series TotalBytesSent=sum(SentBytes) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor 
         ```
 
+See more information on the following items used in the preceding examples, in the Kusto documentation:
+- [***let*** statement](/kusto/query/let-statement?view=microsoft-sentinel&preserve-view=true)
+- [***where*** operator](/kusto/query/where-operator?view=microsoft-sentinel&preserve-view=true)
+- [***extend*** operator](/kusto/query/extend-operator?view=microsoft-sentinel&preserve-view=true)
+- [***project*** operator](/kusto/query/project-operator?view=microsoft-sentinel&preserve-view=true)
+- [***summarize*** operator](/kusto/query/summarize-operator?view=microsoft-sentinel&preserve-view=true)
+- [***lookup*** operator](/kusto/query/lookup-operator?view=microsoft-sentinel&preserve-view=true)
+- [***union*** operator](/kusto/query/union-operator?view=microsoft-sentinel&preserve-view=true)
+- [***make-series*** operator](/kusto/query/make-series-operator?view=microsoft-sentinel&preserve-view=true)
+- [***isnotempty()*** function](/kusto/query/isnotempty-function?view=microsoft-sentinel&preserve-view=true)
+- [***format_datetime()*** function](/kusto/query/format-datetime-function?view=microsoft-sentinel&preserve-view=true)
+- [***column_ifexists()*** function](/kusto/query/column-ifexists-function?view=microsoft-sentinel&preserve-view=true)
+- [***iff()*** function](/kusto/query/iff-function?view=microsoft-sentinel&preserve-view=true)
+- [***ipv4_is_private()*** function](/kusto/query/ipv4-is-private-function?view=microsoft-sentinel&preserve-view=true)
+- [***min()*** function](/kusto/query/min-aggregation-function?view=microsoft-sentinel&preserve-view=true)
+- [***tostring()*** function](/kusto/query/tostring-function?view=microsoft-sentinel&preserve-view=true)
+- [***ago()*** function](/kusto/query/ago-function?view=microsoft-sentinel&preserve-view=true)
+- [***startofday()*** function](/kusto/query/startofday-function?view=microsoft-sentinel&preserve-view=true)
+- [***parse_json()*** function](/kusto/query/parse-json-function?view=microsoft-sentinel&preserve-view=true)
+- [***count()*** aggregation function](/kusto/query/count-aggregation-function?view=microsoft-sentinel&preserve-view=true)
+- [***make_set()*** aggregation function](/kusto/query/make-set-aggregation-function?view=microsoft-sentinel&preserve-view=true)
+- [***dcount()*** aggregation function](/kusto/query/dcount-aggregation-function?view=microsoft-sentinel&preserve-view=true)
+- [***sum()*** aggregation function](/kusto/query/sum-aggregation-function?view=microsoft-sentinel&preserve-view=true)
+
+[!INCLUDE [kusto-reference-general-no-alert](includes/kusto-reference-general-no-alert.md)]
+
 ## Related content
 
 - [Aggregate data in Log Analytics workspace with Summary rules](/azure/azure-monitor/logs/summary-rules)
diff --git a/articles/sentinel/tutorial-log4j-detection.md b/articles/sentinel/tutorial-log4j-detection.md
@@ -102,6 +102,8 @@ To complete this tutorial, make sure you have:
 
    :::image type="content" source="media/tutorial-log4j-detection/set-rule-logic-tab.png" alt-text="Screenshot of the Set rule logic tab of the Analytics rule wizard." lightbox="media/tutorial-log4j-detection/set-rule-logic-tab.png":::
 
+    [!INCLUDE [kusto-reference-general-no-alert](includes/kusto-reference-general-no-alert.md)]
+
 ## Enrich alerts with entities and other details
 
 1. Under **Alert enrichment**, keep the **Entity mapping** settings as they are. Note the three mapped entities.
@@ -218,4 +220,4 @@ Now that you've learned how to search for exploits of a common vulnerability usi
     - [Alert properties](customize-alert-details.md)
 
 - Learn about [other kinds of analytics rules](detect-threats-built-in.md) in Microsoft Sentinel and their function.
-- Learn more about writing queries in Kusto Query Language (KQL). Learn more about KQL [concepts](/azure/data-explorer/kusto/concepts/) and [queries](/azure/data-explorer/kusto/query/), and see this handy [quick reference guide](/azure/data-explorer/kql-quick-reference).
+- Learn more about writing queries in Kusto Query Language (KQL). To learn more about KQL, see this [overview](/kusto/query/?view=microsoft-sentinel&preserve-view=true), learn some [best practices](/kusto/query/best-practices?view=microsoft-sentinel&preserve-view=true), and keep this handy [quick reference guide](/kusto/query/kql-quick-reference?view=microsoft-sentinel&preserve-view=true).
diff --git a/articles/sentinel/unified-connector-custom-device.md b/articles/sentinel/unified-connector-custom-device.md
@@ -259,6 +259,18 @@ Follow these steps to ingest log messages from JuniperIDP:
         ```kusto
         source | parse RawData with tmp_time " " host_s " " ident_s " " tmp_pid " " msgid_s " " extradata | extend dvc_os_s = extract("\\[(junos\\S+)", 1, extradata) | extend event_end_time_s = extract(".*epoch-time=\"(\\S+)\"", 1, extradata) | extend message_type_s = extract(".*message-type=\"(\\S+)\"", 1, extradata) | extend source_address_s = extract(".*source-address=\"(\\S+)\"", 1, extradata) | extend destination_address_s = extract(".*destination-address=\"(\\S+)\"", 1, extradata) | extend destination_port_s = extract(".*destination-port=\"(\\S+)\"", 1, extradata) | extend protocol_name_s = extract(".*protocol-name=\"(\\S+)\"", 1, extradata) | extend service_name_s = extract(".*service-name=\"(\\S+)\"", 1, extradata) | extend application_name_s = extract(".*application-name=\"(\\S+)\"", 1, extradata) | extend rule_name_s = extract(".*rule-name=\"(\\S+)\"", 1, extradata) | extend rulebase_name_s = extract(".*rulebase-name=\"(\\S+)\"", 1, extradata) | extend policy_name_s = extract(".*policy-name=\"(\\S+)\"", 1, extradata) | extend export_id_s = extract(".*export-id=\"(\\S+)\"", 1, extradata) | extend repeat_count_s = extract(".*repeat-count=\"(\\S+)\"", 1, extradata) | extend action_s = extract(".*action=\"(\\S+)\"", 1, extradata) | extend threat_severity_s = extract(".*threat-severity=\"(\\S+)\"", 1, extradata) | extend attack_name_s = extract(".*attack-name=\"(\\S+)\"", 1, extradata) | extend nat_source_address_s = extract(".*nat-source-address=\"(\\S+)\"", 1, extradata) | extend nat_source_port_s = extract(".*nat-source-port=\"(\\S+)\"", 1, extradata) | extend nat_destination_address_s = extract(".*nat-destination-address=\"(\\S+)\"", 1, extradata) | extend nat_destination_port_s = extract(".*nat-destination-port=\"(\\S+)\"", 1, extradata) | extend elapsed_time_s = extract(".*elapsed-time=\"(\\S+)\"", 1, extradata) | extend inbound_bytes_s = extract(".*inbound-bytes=\"(\\S+)\"", 1, extradata) | extend outbound_bytes_s = extract(".*outbound-bytes=\"(\\S+)\"", 1, extradata) | extend inbound_packets_s = extract(".*inbound-packets=\"(\\S+)\"", 1, extradata) | extend outbound_packets_s = extract(".*outbound-packets=\"(\\S+)\"", 1, extradata) | extend source_zone_name_s = extract(".*source-zone-name=\"(\\S+)\"", 1, extradata) | extend source_interface_name_s = extract(".*source-interface-name=\"(\\S+)\"", 1, extradata) | extend destination_zone_name_s = extract(".*destination-zone-name=\"(\\S+)\"", 1, extradata) | extend destination_interface_name_s = extract(".*destination-interface-name=\"(\\S+)\"", 1, extradata) | extend packet_log_id_s = extract(".*packet-log-id=\"(\\S+)\"", 1, extradata) | extend alert_s = extract(".*alert=\"(\\S+)\"", 1, extradata) | extend username_s = extract(".*username=\"(\\S+)\"", 1, extradata) | extend roles_s = extract(".*roles=\"(\\S+)\"", 1, extradata) | extend msg_s = extract(".*message=\"(\\S+)\"", 1, extradata) | project-away RawData
         ```
+        
+        The following screenshot shows the complete query in the preceding example in a more readable format:
+
+        :::image type="content" source="media/unified-connector-custom-device/kusto-query-screenshot.png" alt-text="Screenshot showing expanded Kusto query with line breaks for readability." lightbox="media/unified-connector-custom-device/kusto-query-screenshot.png":::
+
+        See more information on the following items used in the preceding examples, in the Kusto documentation:
+        - [***parse*** operator](/kusto/query/parse-operator?view=microsoft-sentinel&preserve-view=true)
+        - [***extend*** operator](/kusto/query/extend-operator?view=microsoft-sentinel&preserve-view=true)
+        - [***extract*** function](/kusto/query/extract-function?view=microsoft-sentinel&preserve-view=true)
+        - [***project-away*** operator](/kusto/query/project-away-operator?view=microsoft-sentinel&preserve-view=true)
+
+        [!INCLUDE [kusto-reference-general-no-alert](includes/kusto-reference-general-no-alert.md)]
 
 1. Configure the machine where the Azure Monitor Agent is installed to open the syslog ports, and configure the syslog daemon there to accept messages from external sources. For detailed instructions and a script to automate this configuration, see [Configure the log forwarder to accept logs](connect-custom-logs-ama.md#configure-the-log-forwarder-to-accept-logs).
 
diff --git a/articles/sentinel/watchlists-queries.md b/articles/sentinel/watchlists-queries.md
@@ -119,6 +119,15 @@ You might need to see a list of watchlist aliases to identify a watchlist to use
 
    :::image type="content" source="./media/watchlists-queries/sentinel-watchlist-alias.png" alt-text="Screenshot that shows a list of watchlists." lightbox="./media/watchlists-queries/sentinel-watchlist-alias.png":::
 
+See more information on the following items used in the preceding examples, in the Kusto documentation:
+- [***where*** operator](/kusto/query/where-operator?view=microsoft-sentinel&preserve-view=true)
+- [***project*** operator](/kusto/query/project-operator?view=microsoft-sentinel&preserve-view=true)
+- [***lookup*** operator](/kusto/query/lookup-operator?view=microsoft-sentinel&preserve-view=true)
+- [***in*** operator](/kusto/query/in-cs-operator?view=microsoft-sentinel&preserve-view=true)
+- [***let*** statement](/kusto/query/let-statement?view=microsoft-sentinel&preserve-view=true)
+
+[!INCLUDE [kusto-reference-general-no-alert](includes/kusto-reference-general-no-alert.md)]
+
 ## Related content
 
 In this document, you learned how to use watchlists in Microsoft Sentinel to enrich data and improve investigations. To learn more about Microsoft Sentinel, see the following articles:
diff --git a/articles/sentinel/watchlists.md b/articles/sentinel/watchlists.md
@@ -76,9 +76,9 @@ To correlate your watchlist data with other Microsoft Sentinel data, use Kusto t
 When you create a watchlist, you define the *SearchKey*. The search key is the name of a column in your watchlist that you expect to use as a join with other data or as a frequent object of searches. For example, suppose you have a server watchlist that contains country/region names and their respective two-letter country codes. You expect to use the country codes often for searches or joins. So you use the country code column as the search key.
 
   ```kusto
-     Heartbeat
-    | lookup kind=leftouter _GetWatchlist('mywatchlist') 
-     on $left.RemoteIPCountry == $right.SearchKey
+  Heartbeat
+  | lookup kind=leftouter _GetWatchlist('mywatchlist') 
+    on $left.RemoteIPCountry == $right.SearchKey
   ```
 
 Let's look some other example queries. 
@@ -117,6 +117,15 @@ The following example query uses the watchlist inline with the query and the sea
 
 For more information, see [Build queries and detection rules with watchlists in Microsoft Sentinel](watchlists-queries.md).
 
+See more information on the following items used in the preceding examples, in the Kusto documentation:
+- [***where*** operator](/kusto/query/where-operator?view=microsoft-sentinel&preserve-view=true)
+- [***project*** operator](/kusto/query/project-operator?view=microsoft-sentinel&preserve-view=true)
+- [***lookup*** operator](/kusto/query/lookup-operator?view=microsoft-sentinel&preserve-view=true)
+- [***in*** operator](/kusto/query/in-cs-operator?view=microsoft-sentinel&preserve-view=true)
+- [***let*** statement](/kusto/query/let-statement?view=microsoft-sentinel&preserve-view=true)
+
+[!INCLUDE [kusto-reference-general-no-alert](includes/kusto-reference-general-no-alert.md)]
+
 ## Next steps
 
 To learn more about Microsoft Sentinel, see the following articles:
