Merge pull request #213020 from yelevin/yelevin/reassign-batamis-articles

Reassigning Batami's articles

Author: v-regandowner

articles/sentinel/audit-sentinel-data.md

@@ -1,10 +1,10 @@
 ---
 title: Audit Microsoft Sentinel queries and activities | Microsoft Docs
 description: This article describes how to audit queries and activities performed in Microsoft Sentinel.
-author: batamig
+author: limwainstein
 ms.topic: how-to
 ms.date: 11/09/2021
-ms.author: bagol
+ms.author: lwainstein
 ms.custom: ignite-fall-2021
 ---
 

articles/sentinel/cef-name-mapping.md

@@ -1,8 +1,8 @@
 ---
 title: Common Event Format (CEF) key and CommonSecurityLog field mapping
 description: This article maps CEF keys to the corresponding field names in the CommonSecurityLog in Microsoft Sentinel.
-author: batamig
-ms.author: bagol
+author: limwainstein
+ms.author: lwainstein
 ms.topic: reference
 ms.date: 11/09/2021
 ms.custom: ignite-fall-2021

articles/sentinel/connect-azure-virtual-desktop.md

@@ -1,10 +1,10 @@
 ---
 title: Connect Azure Virtual Desktop to Microsoft Sentinel | Microsoft Docs
 description: Learn to connect your Azure Virtual Desktop data to Microsoft Sentinel.
-author: batamig
+author: limwainstein
 ms.topic: how-to
 ms.date: 11/09/2021
-ms.author: bagol
+ms.author: lwainstein
 ms.custom: ignite-fall-2021
 ---
 

articles/sentinel/connect-log-forwarder.md

@@ -1,10 +1,10 @@
 ---
 title: Deploy a log forwarder to ingest Syslog and CEF logs to Microsoft Sentinel | Microsoft Docs
 description: Learn how to deploy a log forwarder, consisting of a Syslog daemon and the Log Analytics agent, as part of the process of ingesting Syslog and CEF logs to Microsoft Sentinel.
-author: batamig
+author: limwainstein
 ms.topic: how-to
 ms.date: 12/23/2021
-ms.author: bagol
+ms.author: lwainstein
 ms.custom: ignite-fall-2021
 ---
 

articles/sentinel/create-custom-connector.md

@@ -1,11 +1,11 @@
 ---
 title: Resources for creating Microsoft Sentinel custom connectors | Microsoft Docs
 description: Learn about available resources for creating custom connectors for Microsoft Sentinel. Methods include the Log Analytics agent and API, Logstash, Logic Apps, PowerShell, and Azure Functions.
-author: batamig
+author: limwainstein
 ms.topic: conceptual
 ms.custom: mvc, ignite-fall-2021
 ms.date: 11/21/2021
-ms.author: bagol
+ms.author: lwainstein
 ---
 
 # Resources for creating Microsoft Sentinel custom connectors

articles/sentinel/create-nrt-rules.md

@@ -55,7 +55,7 @@ You create NRT rules the same way you create regular [scheduled-query analytics
 
     - **Query scheduling** is not configurable, since queries are automatically scheduled to run once per minute with a one-minute lookback period. 
     - **Alert threshold** is irrelevant, since an alert is always generated.
-    - **Event grouping** configuration is not available, since events are always grouped into the alert created by the rule that captures the events. NRT rules cannot produce an alert for each event.
+    - **Event grouping** configuration is now available to a limited degree. You can choose to have an NRT rule generate an alert for each event for up to 30 events. If you choose this option and the rule results in more than 30 events, single-event alerts will be generated for the first 29 events, and a 30th alert will summarize all the events in the result set.
 
     In addition, the query itself has the following requirements:
 

articles/sentinel/data-source-schema-reference.md

@@ -1,8 +1,8 @@
 ---
 title: Microsoft Sentinel data source schema reference
 description: This article lists Azure and third-party data source schemas supported by Microsoft Sentinel, with links to their reference documentation.
-author: batamig
-ms.author: bagol
+author: limwainstein
+ms.author: lwainstein
 ms.topic: reference
 ms.custom: ignite-fall-2021
 ms.date: 11/09/2021

articles/sentinel/detect-threats-custom.md

@@ -120,12 +120,12 @@ In the **Set rule logic** tab, you can either write a query directly in the **Ru
     > **Query intervals and lookback period**
     >
     >  These two settings are independent of each other, up to a point. You can run a query at a short interval covering a time period longer than the interval (in effect having overlapping queries), but you cannot run a query at an interval that exceeds the coverage period, otherwise you will have gaps in the overall query coverage.
-        >
-        > **Ingestion delay**
-        >
-        > To account for **latency** that may occur between an event's generation at the source and its ingestion into Microsoft Sentinel, and to ensure complete coverage without data duplication, Microsoft Sentinel runs scheduled analytics rules on a **five-minute delay** from their scheduled time.
-        >
-        > For more information, see [Handle ingestion delay in scheduled analytics rules](ingestion-delay.md).
+    >
+    > **Ingestion delay**
+    >
+    > To account for **latency** that may occur between an event's generation at the source and its ingestion into Microsoft Sentinel, and to ensure complete coverage without data duplication, Microsoft Sentinel runs scheduled analytics rules on a **five-minute delay** from their scheduled time.
+    >
+    > For more information, see [Handle ingestion delay in scheduled analytics rules](ingestion-delay.md).
 
 - Use the **Alert threshold** section to define the sensitivity level of the rule. For example, set **Generate alert when number of query results** to **Is greater than** and enter the number 1000 if you want the rule to generate an alert only if the query returns more than 1000 results each time it runs. This is a required field, so if you don’t want to set a threshold – that is, if you want your alert to register every event – enter 0 in the number field.
 

articles/sentinel/dhcp-normalization-schema.md

@@ -1,10 +1,10 @@
 ---
 title: The Advanced Security Information Model (ASIM) DHCP normalization schema reference (Public preview) | Microsoft Docs
 description: This article describes the Microsoft Sentinel DHCP normalization schema.
-author: batamig
+author: limwainstein
 ms.topic: reference
 ms.date: 11/09/2021
-ms.author: bagol
+ms.author: lwainstein
 ms.custom: ignite-fall-2021
 ---
 

articles/sentinel/file-event-normalization-schema.md

@@ -1,10 +1,10 @@
 ---
 title: The Advanced Security Information Model (ASIM) File Event normalization schema reference (Public preview)| Microsoft Docs
 description: This article describes the Microsoft Sentinel File Event normalization schema.
-author: batamig
+author: limwainstein
 ms.topic: reference
 ms.date: 11/09/2021
-ms.author: bagol
+ms.author: lwainstein
 ms.custom: ignite-fall-2021
 ---