status

meganbradley · meganbradley · commit 5a9eb9f2174a · 2024-10-19T21:25:15.000-06:00
diff --git a/articles/sentinel/api-dcr-reference.md b/articles/sentinel/api-dcr-reference.md
@@ -302,7 +302,7 @@ The `outputStream` parameter is required only if the transform changes the schem
 {
     "properties": {
         "immutableId": "dcr-00112233445566778899aabbccddeeff",
-        "dataCollectionEndpointId": "/subscriptions/aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb/resourceGroups/Contoso-RG-1/providers/Microsoft.Insights/dataCollectionEndpoints/Microsoft-Sentinel-aaaabbbbccccddddeeeefff",
+        "dataCollectionEndpointId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/Contoso-RG-1/providers/Microsoft.Insights/dataCollectionEndpoints/Microsoft-Sentinel-aaaabbbbccccddddeeeefff",
         "streamDeclarations": {
             "Custom-Text-ApacheHTTPServer_CL": {
                 "columns": [
@@ -339,7 +339,7 @@ The `outputStream` parameter is required only if the transform changes the schem
         "destinations": {
             "logAnalytics": [
                 {
-                    "workspaceResourceId": "/subscriptions/aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb/resourceGroups/contoso-rg-1/providers/Microsoft.OperationalInsights/workspaces/CyberSOC",
+                    "workspaceResourceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/contoso-rg-1/providers/Microsoft.OperationalInsights/workspaces/CyberSOC",
                     "workspaceId": "cccccccc-3333-4444-5555-dddddddddddd",
                     "name": "DataCollectionEvent"
                 }
@@ -363,7 +363,7 @@ The `outputStream` parameter is required only if the transform changes the schem
     "tags": {
         "createdBy": "Sentinel"
     },
-    "id": "/subscriptions/aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb/resourceGroups/Contoso-RG-1/providers/Microsoft.Insights/dataCollectionRules/DCR-CustomLogs-01",
+    "id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/Contoso-RG-1/providers/Microsoft.Insights/dataCollectionRules/DCR-CustomLogs-01",
     "name": "DCR-CustomLogs-01",
     "type": "Microsoft.Insights/dataCollectionRules",
     "etag": "\"00000000-1111-2222-3333-444444444444\"",
diff --git a/articles/sentinel/connect-aws.md b/articles/sentinel/connect-aws.md
@@ -183,15 +183,15 @@ Microsoft recommends using the automatic setup script to deploy this connector.
    | **Provider type** | *OpenID Connect* | Instead of default *SAML*.|
    | **Provider URL** | Commercial:<br>`sts.windows.net/33e01921-4d64-4f8c-a055-5bdaffd5e33d/`<br><br>Government:<br>`sts.windows.net/cab8a31a-1906-4287-a0d8-4eef66b95f6e/` |  |
    | **Thumbprint** | `626d44e704d1ceabe3bf0d53397464ac8080142c` | If created in the IAM console, selecting **Get thumbprint** should give you this result. |
-   | **Audience** | Commercial:<br>`api://1462b192-27f7-4cb9-8523-0f4ecb54b47e`<br><br>Government:<br>`api://d4230588-5f84-4281-a9c7-2c15194b28f7` |  |
+   | **Audience** | Commercial:<br>`api://00001111-aaaa-2222-bbbb-3333cccc4444`<br><br>Government:<br>`api://11112222-bbbb-3333-cccc-4444dddd5555` |  |
    
 1. Create an **IAM assumed role**. Follow these instructions in the AWS documentation:<br>[Creating a role for web identity or OpenID Connect Federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html#idp_oidc_Create). 
    
    | Parameter | Selection/Value | Comments |
    | - | - | - |
    | **Trusted entity type** | *Web identity* | Instead of default *AWS service*. |
    | **Identity provider** | Commercial:<br>`sts.windows.net/33e01921-4d64-4f8c-a055-5bdaffd5e33d/`<br><br>Government:<br>`sts.windows.net/cab8a31a-1906-4287-a0d8-4eef66b95f6e/` | The provider you created in the previous step. |
-   | **Audience** | Commercial:<br>`api://1462b192-27f7-4cb9-8523-0f4ecb54b47e`<br><br>Government:<br>`api://d4230588-5f84-4281-a9c7-2c15194b28f7` | The audience you defined for the identity provider in the previous step. |
+   | **Audience** | Commercial:<br>`api://00001111-aaaa-2222-bbbb-3333cccc4444`<br><br>Government:<br>`api://11112222-bbbb-3333-cccc-4444dddd5555` | The audience you defined for the identity provider in the previous step. |
    | **Permissions to assign** | <ul><li>`AmazonSQSReadOnlyAccess`<li>`AWSLambdaSQSQueueExecutionRole`<li>`AmazonS3ReadOnlyAccess`<li>`ROSAKMSProviderPolicy`<li>Additional policies for ingesting the different types of AWS service logs | For information on these policies, see the relevant AWS S3 connector permissions policies page, in the Microsoft Sentinel GitHub repository.<ul><li>[AWS Commercial S3 connector permissions policies page](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AWS-S3/AwsRequiredPolicies.md)<li>[AWS Government S3 connector permissions policies page](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AWS-S3/AwsRequiredPoliciesForGov.md)|
    | **Name** | "OIDC_*MicrosoftSentinelRole*"| Choose a meaningful name that includes a reference to Microsoft Sentinel.<br><br>The name must include the exact prefix `OIDC_`, otherwise the connector will not function properly. |
    
@@ -214,7 +214,7 @@ Microsoft recommends using the automatic setup script to deploy this connector.
          "Action": "sts:AssumeRoleWithWebIdentity",
          "Condition": {
            "StringEquals": {
-             "sts.windows.net/cab8a31a-1906-4287-a0d8-4eef66b95f6e/:aud": "api://d4230588-5f84-4281-a9c7-2c15194b28f7",
+             "sts.windows.net/cab8a31a-1906-4287-a0d8-4eef66b95f6e/:aud": "api://11112222-bbbb-3333-cccc-4444dddd5555",
              "sts:RoleSessionName": "MicrosoftSentinel_XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
            }
          }
@@ -351,4 +351,3 @@ In this document, you learned how to connect to AWS resources to ingest their lo
 - Learn how to [get visibility into your data, and potential threats](get-visibility.md).
 - Get started [detecting threats with Microsoft Sentinel](detect-threats-built-in.md).
 - [Use workbooks](monitor-your-data.md) to monitor your data.
-
diff --git a/articles/sentinel/connect-google-cloud-platform.md b/articles/sentinel/connect-google-cloud-platform.md
@@ -149,14 +149,14 @@ For more information about service accounts in Google Cloud Platform, see [Servi
 1. Name the identity provider so it's recognizable for its purpose.
 
 1. Enter the following values in the provider settings (these aren't samples&mdash;use these actual values):
-   - **Issuer (URL)**: `https://sts.windows.net/33e01921-4d64-4f8c-a055-5bdaffd5e33d`    
-   - **Audience**: the application ID URI: `api://2041288c-b303-4ca0-9076-9612db3beeb2`
+   - **Issuer (URL)**: `https://sts.windows.net/aaaabbbb-0000-cccc-1111-dddd2222eeee`    
+   - **Audience**: the application ID URI: `api://00001111-aaaa-2222-bbbb-3333cccc4444`
    - **Attribute mapping**: `google.subject=assertion.sub`
 
    > [!NOTE]
    > To set up the connector to send logs from GCP to the **Azure Government cloud**, use the following alternate values for the provider settings instead of those above:
-   > - **Issuer (URL)**: `https://sts.windows.net/cab8a31a-1906-4287-a0d8-4eef66b95f6e`
-   > - **Audience**: `api://e9885b54-fac0-4cd6-959f-a72066026929`
+   > - **Issuer (URL)**: `https://sts.windows.net/bbbbcccc-1111-dddd-2222-eeee3333ffff`
+   > - **Audience**: `api://11112222-bbbb-3333-cccc-4444dddd5555`
 
 For more information about workload identity federation in Google Cloud Platform, see [Workload identity federation](https://cloud.google.com/iam/docs/workload-identity-federation) in the Google Cloud documentation.
 
diff --git a/articles/sentinel/create-incident-manually.md b/articles/sentinel/create-incident-manually.md
@@ -150,7 +150,7 @@ Here's an example of what a request body might look like:
     "description": "This is a demo incident",
     "title": "My incident",
     "owner": {
-      "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70"
+      "objectId": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb"
     },
     "severity": "High",
     "classification": "FalsePositive",
diff --git a/articles/sentinel/normalization-about-schemas.md b/articles/sentinel/normalization-about-schemas.md
@@ -119,7 +119,7 @@ The allowed values for a user ID type are:
 | ---- | ------- | ------------- |
 | **SID** | A Windows user ID. | `S-1-5-21-1377283216-344919071-3415362939-500` |
 | **UID** | A Linux user ID. | `4578` |
-| **AADID**| A Microsoft Entra user ID.| `9267d02c-5f76-40a9-a9eb-b686f3ca47aa` |
+| **AADID**| A Microsoft Entra user ID.| `00aa00aa-bb11-cc22-dd33-44ee44ee44ee` |
 | **OktaId** | An Okta user ID. |  `00urjk4znu3BcncfY0h7` |
 | **AWSId** | An AWS user ID. | `72643944673` |
 | **PUID** | A Microsoft 365 user ID. | `10032001582F435C` |
diff --git a/articles/sentinel/normalization-schema-v1.md b/articles/sentinel/normalization-schema-v1.md
@@ -70,7 +70,7 @@ Below is the schema of the network sessions table, versioned 1.0.0
 | **DvcHostname** | Device Name (String) | syslogserver1.contoso.com | The device name of the device generating the message. | Device |
 | **EventProduct** | String | OfficeSharepoint | The product generating the event. | Event |
 | **EventProductVersion** | string | 9.0 |  The version of the product generating the event. | Event |
-| **EventResourceId** | Device ID (String) | /subscriptions/3c1bb38c-82e3-4f8d-a115-a7110ba70d05 /resourcegroups/contoso77/providers /microsoft.compute/virtualmachines /syslogserver1 | The resource ID of the device generating the message. | Event |
+| **EventResourceId** | Device ID (String) | /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e /resourcegroups/contoso77/providers /microsoft.compute/virtualmachines /syslogserver1 | The resource ID of the device generating the message. | Event |
 | **EventReportUrl** | String | https://192.168.1.1/repoerts/ae3-56.htm | A link to the full report created by the reporting device | Event |
 | **EventVendor** | String | Microsoft | The vendor of the product generating the event. | Event |
 | **EventResult** | Multivalue: Success, Partial, Failure, [Empty] (String) | Success | The result reported for the activity. Empty value when not applicable. | Event |
@@ -102,7 +102,7 @@ Below is the schema of the network sessions table, versioned 1.0.0
 | **DstDvcDomain** | String | CONTOSO | The Domain of the destination device. | Destination,<br>Device |
 | **DstPortNumber** | Integer | 443 | The destination IP port. | Destination,<br>Port |
 | **DstGeoRegion** | Region (String) | Vermont | The region associated with the destination IP address | Destination,<br>Geo |
-| **DstResourceId** | Device ID (String) |  /subscriptions/3c1bb38c-82e3-4f8d-a115-a7110ba70d05 /resourcegroups/contoso77/providers /microsoft.compute/virtualmachines /victim | The resource ID of the destination device. | Destination |
+| **DstResourceId** | Device ID (String) |  /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e /resourcegroups/contoso77/providers /microsoft.compute/virtualmachines /victim | The resource ID of the destination device. | Destination |
 | **DstNatIpAddr** | IP address | 2::1 | If reported by an intermediary NAT device such as a firewall, the IP address used by the NAT device for communication with the source. | Destination NAT,<br>IP |
 | **DstNatPortNumber** | int | 443 | If reported by an intermediary NAT device such as a firewall, the port used by the NAT device for communication with the source. | Destination NAT,<br>Port |
 | **DstUserSid** | User SID |  S-12-1445 | The User ID of the identity associated with the session’s destination. Typically, the identity used to authenticate a server. For more information, see [Data types and formats](#data-types-and-formats). | Destination,<br>User |
@@ -145,7 +145,7 @@ Below is the schema of the network sessions table, versioned 1.0.0
 | **SrcDvcMacAddr** | String | 06:10:9f:eb:8f:14 | The source MAC address of a device that is not directly associated with the network packet. | Source,<br>Device,<br>Mac |
 | **SrcPortNumber** | Integer | 2335 | The IP port from which the connection originated. May not be relevant for a session comprising multiple connections. | Source,<br>Port |
 | **SrcGeoRegion** | Region (String) | Vermont | The region within a country associated with the source IP address | Source,<br>Geo |
-| **SrcResourceId** | String | /subscriptions/3c1bb38c-82e3-4f8d-a115-a7110ba70d05 /resourcegroups/contoso77/providers /microsoft.compute/virtualmachines /syslogserver1 | The resource ID of the device generating the message. | Source |
+| **SrcResourceId** | String | /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e /resourcegroups/contoso77/providers /microsoft.compute/virtualmachines /syslogserver1 | The resource ID of the device generating the message. | Source |
 | **SrcNatIpAddr** | IP address | 4.3.2.1 | If reported by an intermediary NAT device such as a firewall, the IP address used by the NAT device for communication with the destination. | Source NAT,<br>IP |
 | **SrcNatPortNumber** | Integer | 345 | If reported by an intermediary NAT device such as a firewall, the port used by the NAT device for communication with the destination. | Source NAT,<br>Port |
 | **SrcUserSid** | User ID (String) | S-15-1445 | The user ID of the identity associated with the sessions source. Typically, user performing an action on the client. For more information, see [Data types and formats](#data-types-and-formats). | Source,<br>User |
diff --git a/articles/sentinel/resource-context-rbac.md b/articles/sentinel/resource-context-rbac.md
@@ -123,7 +123,7 @@ For example, the following code shows a sample Logstash configuration file:
        workspace_id => "4g5tad2b-a4u4-147v-a4r7-23148a5f2c21" # <your workspace id>
        workspace_key => "u/saRtY0JGHJ4Ce93g5WQ3Lk50ZnZ8ugfd74nk78RPLPP/KgfnjU5478Ndh64sNfdrsMni975HJP6lp==" # <your workspace key>
        custom_log_table_name => "tableName"
-       azure_resource_id => "/subscriptions/wvvu95a2-99u4-uanb-hlbg-2vatvgqtyk7b/resourceGroups/contosotest" # <your resource ID>   
+       azure_resource_id => "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/contosotest" # <your resource ID>   
      }
  }
 ```
diff --git a/articles/sentinel/ueba-reference.md b/articles/sentinel/ueba-reference.md
@@ -90,7 +90,7 @@ The following table describes the enrichments featured in the **UsersInsights**
 | --- | --- | --- |
 | **Account display name**<br>*(AccountDisplayName)* | The account display name of the user. | Admin, Hayden Cook |
 | **Account domain**<br>*(AccountDomain)* | The account domain name of the user. |  |
-| **Account object ID**<br>*(AccountObjectID)* | The account object ID of the user. | a58df659-5cab-446c-9dd0-5a3af20ce1c2 |
+| **Account object ID**<br>*(AccountObjectID)* | The account object ID of the user. | aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb |
 | **Blast radius**<br>*(BlastRadius)* | The blast radius is calculated based on several factors: the position of the user in the org tree, and the user's Microsoft Entra roles and permissions. User must have *Manager* property populated in Microsoft Entra ID for *BlastRadius* to be calculated. | Low, Medium, High |
 | **Is dormant account**<br>*(IsDormantAccount)* | The account has not been used for the past 180 days. | True, False |
 | **Is local admin**<br>*(IsLocalAdmin)* | The account has local administrator privileges. | True, False |
diff --git a/articles/sentinel/watchlist-schemas.md b/articles/sentinel/watchlist-schemas.md

Original file line number	Diff line number	Diff line change
`@@ -123,7 +123,7 @@ For example, the following code shows a sample Logstash configuration file:`
`123`	`123`	`workspace_id => "4g5tad2b-a4u4-147v-a4r7-23148a5f2c21" # <your workspace id>`
`124`	`124`	`workspace_key => "u/saRtY0JGHJ4Ce93g5WQ3Lk50ZnZ8ugfd74nk78RPLPP/KgfnjU5478Ndh64sNfdrsMni975HJP6lp==" # <your workspace key>`
`125`	`125`	`custom_log_table_name => "tableName"`
`126`		`- azure_resource_id => "/subscriptions/wvvu95a2-99u4-uanb-hlbg-2vatvgqtyk7b/resourceGroups/contosotest" # <your resource ID>`
	`126`	`+ azure_resource_id => "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/contosotest" # <your resource ID>`
`127`	`127`	`}`
`128`	`128`	`}`
`129`	`129`	```