Commit 66200d7

Author: Anil Godavarthy committed
Fixing link errors
1 parent b6acccd commit 66200d7

1 file changed, +5 -5 lines changed


articles/sentinel/sentinel-analytic-rules-creation.md

Lines changed: 5 additions & 5 deletions
@@ -33,7 +33,7 @@ Microsoft Sentinel analytics Rules can be applied to a wide range of scenarios t
3333

3434
## Creating and publishing analytics rules
3535

36-
Analytics rules should be created in [YAML](https://yaml.org/) format. You can use this analytics rule as reference for creating your own detections - [Sample analytics rule in GitHub](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Microsoft Entra ID/analytics Rules/FailedLogonToAzurePortal.yaml). In this section, we provide a detailed walkthrough of various attributes in the analytics rule.
36+
Analytics rules should be created in [YAML](https://yaml.org/) format. You can use this analytics rule as reference for creating your own detections - [Sample analytics rule in GitHub](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/FailedLogonToAzurePortal.yaml). In this section, we provide a detailed walkthrough of various attributes in the analytics rule.
3737

3838
1. **ID** - ID is a standard GUID. Generate it using any development tool, online generator, or PowerShell's [New-GUID cmdlet](/powershell/module/microsoft.powershell.utility/new-guid?view=powershell-6&preserve-view=true). It must be unique among other GUIDs. **This field is mandatory**.
3939
1. **kind** - Represents the type of rule. **This field is mandatory**. Accepted values are:
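Review bot: the corrected URL in the `36+` line removes the duplicated "Microsoft", fixes the folder casing ("Analytic Rules") and percent-encodes the spaces, which is right; but it still targets `blob/master`, so the same 404 comes back the next time that file is moved or renamed. Consider a commit-pinned URL for the sample, or link the solution folder rather than the file. Minor, same sentence: "use this analytics rule as reference" should read "as a reference".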
@@ -58,7 +58,7 @@ Analytics rules should be created in [YAML](https://yaml.org/) format. You can u
5858
1. High: The activity identified provides the threat actor with wide ranging access to conduct actions on the environment.
5959
> [!NOTE]
6060
> Severity level defaults aren't a guarantee of current or environment impact level. Severity level applies only to Microsoft Sentinel analytics templates. Severity in the Alerts table is otherwise controlled by the security service for which the alert came from. You can use alertDetailsOverride to provide a dynamic severity that depends on the actual outcome of the query.
61-
6. **requiredDataConnectors** - Represents the list of data connectors that are required for the rule to function correctly. This should include the data sources that the rule query against. If there's no current data connector mapping, then an open brace must be used - requiredDataConnectors: []
61+
1. **requiredDataConnectors** - Represents the list of data connectors that are required for the rule to function correctly. This should include the data sources that the rule query against. If there's no current data connector mapping, then an open brace must be used - requiredDataConnectors: []
6262
1. **connectorId** - Specifies the ID of data connector that is required for the rule to function correctly. If your detection query is dependent on the data fetched from a specific connector, you must specify the connector ID here. For instance, if your analytics rule query depends on the data from this [connector](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password/Data%20Connectors/1Password_ccpv2/1Password_DataConnectorDefinition.json), you must specify the connector ID as "1PasswordCCPDefinition"
6363
1. **dataTypes** - Data types that the analytics rule is dependent on. This should mention the name of the data type that is mentioned in the "dataTypes" section of the connector. For instance, if your analytics rule query depends on the data from this [connector](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password/Data%20Connectors/1Password_ccpv2/1Password_DataConnectorDefinition.json), you must specify the data type as "OnePasswordEventLogs_CL." If the analytics rule operates on a Kusto Function/ Parser instead of the table (like Syslog, CommonEventFormat, _CL), dataTypes should be the Kusto Function name/Parser name and not the table name.
6464
1. **queryPeriod** - The query runs across a specified period, such as the last 3 days. **This field is mandatory for scheduled analytics rules**.
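Review bot: renumbering `6.` to `1.` in the `61+` line matches the auto-numbered list style used for the other items, but the sentence that follows in the same line describes `requiredDataConnectors: []` as "an open brace", which is inaccurate: `[]` is an empty YAML sequence, and the closing bracket is required. Suggest "If the rule has no data connector mapping, set the field to an empty list: `requiredDataConnectors: []`". Also in the unchanged context, "the data sources that the rule query against" should be "queries against", and in the note, "the security service for which the alert came from" should be "the security service the alert came from".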
@@ -83,7 +83,7 @@ Analytics rules should be created in [YAML](https://yaml.org/) format. You can u
8383
2. MUST match MITRE Tactics
8484
3. Names MUST NOT have any spaces. Example – T1078 or T1078.001
8585
1. **query** - This is the Kusto query that defines the detection logic. It should be written in Kusto Query Language (KQL) and should be well-structured and easy to understand. The query should be efficient and optimized for performance to ensure it can be run against large datasets without impacting performance. **This field is mandatory**.
86-
1. The query is limited to 10,000 characters. If the query section exceeds this limit, consider reducing the number of characters. This is typically due to including a static list of items used for comparison within the query body. It's recommended to move these lists to use a [Watchlist function](/azure/sentinel/watchlists),[custom JSON/CSV](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml) with your list, or a [custom function](https://techcommunity.microsoft.com/t5/azure-sentinel/using-kql-functions-to-speed-up-analysis-in-azure-sentinel/ba-p/712381) with your list.
86+
1. The query is limited to 10,000 characters. If the query section exceeds this limit, consider reducing the number of characters. This is typically due to including a static list of items used for comparison within the query body. It's recommended to move these lists to use a [Watchlist function](/azure/sentinel/watchlists), [custom JSON/CSV](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml) with your list, or a [custom function](https://techcommunity.microsoft.com/t5/azure-sentinel/using-kql-functions-to-speed-up-analysis-in-azure-sentinel/ba-p/712381) with your list.
8787
1. Each line in the query body must have at least one space at the beginning; we standardized on two spaces for readability.
8888
1. If submitting a query for a datatype not present in the Detections or Hunting Queries folder, name the subfolder containing the YAML files after the table being queried.
8989
1. For instance, if your query pertains to the AzureDevOpsAuditing table, create a folder named AzureDevOpsAuditing.
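Review bot: the space added after the comma in the `86+` line is correct, but the list of alternatives in that same sentence repeats "with your list" twice; suggest "move these lists to a Watchlist function, a custom JSON/CSV file, or a custom function". In the unchanged `85` context, the **query** description says "optimized for performance ... without impacting performance", which says the same thing twice; keep one. The MITRE example line "Example – T1078 or T1078.001" uses an en dash where the surrounding items use " - ".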
@@ -116,8 +116,8 @@ Analytics rules should be created in [YAML](https://yaml.org/) format. You can u
116116
aggregationKind: AlertPerResult
117117
```
118118
1. **entityMappings** - Entity mapping is an integral part of the configuration of scheduled analytics rules. It enriches the rules' output (alerts and incidents) with essential information that serves as the building blocks of any investigative processes and remedial actions that follow. **This field is mandatory**.
119-
1. **entityType** - Represents the standard list of entities recognized by Microsoft Sentinel. See allowed values under the Entity type column value at [Entity Mapping table](\azure\sentinel\entities-reference#entity-types-and-identifiers)
120-
1. **fieldMappings** - Represents the identifier of the field in the query output that corresponds to the entity type. See allowed values under the identifiers column value at [Entity Mapping table](\azure\sentinel\entities-reference#entity-types-and-identifiers).
119+
1. **entityType** - Represents the standard list of entities recognized by Microsoft Sentinel. See allowed values under the Entity type column value at [Entity Mapping table](/azure/sentinel/entities-reference#entity-types-and-identifiers)
120+
1. **fieldMappings** - Represents the identifier of the field in the query output that corresponds to the entity type. See allowed values under the identifiers column value at [Entity Mapping table](/azure/sentinel/entities-reference#entity-types-and-identifiers).
121121
1. Each template can have up to 10 entity mappings.
122122
1. Each entity mapping can have up to three field mappings (that is, identifiers).
123123
```json
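Review bot: replacing the backslash paths with `/azure/sentinel/entities-reference#entity-types-and-identifiers` in the `119+` and `120+` lines is the right fix, since relative doc links need forward slashes to resolve; two small points remain in those lines. The **entityType** item ends without a period while **fieldMappings** has one, and **fieldMappings** is described as "the identifier of the field" in the singular even though the context two lines below says each entity mapping can hold up to three field mappings. Suggest "Represents the list of identifiers, each naming a field in the query output that corresponds to the entity type."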
