Commit 704f7ef

committed
fix links 3
1 parent c1729e6 commit 704f7ef

12 files changed

+29
-29
lines changed

articles/sentinel/audit-sentinel-data.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -36,7 +36,7 @@ Use the **AzureActivity** table when auditing activity in your SOC environment w
3636

3737
**To query the AzureActivity table**:
3838

39-
1. Install the **Azure Activity solution for Sentinel** solution and connect the [Azure Activity](./data-connectors/azure-activity.md) data connector to start streaming audit events into a new table called `AzureActivity`.
39+
1. Install the **Azure Activity solution for Sentinel** solution and connect the [Azure Activity](./data-connectors-reference.md#azure-activity) data connector to start streaming audit events into a new table called `AzureActivity`.
4040

4141
1. Query the data using Kusto Query Language (KQL), like you would any other table:
4242
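Review bot: On new line 39 the step reads "Install the **Azure Activity solution for Sentinel** solution", so "solution" appears twice in a row; since the line is being touched anyway, drop the trailing word. Please also confirm that `#azure-activity` exists as an anchor in data-connectors-reference.md, because the old link pointed at a standalone page.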

articles/sentinel/data-transformation.md

Lines changed: 1 addition & 1 deletion
@@ -68,7 +68,7 @@ The following table describes DCR support for Microsoft Sentinel data connector
6868

6969
| Data connector type | DCR support |
7070
| ------------------- | ----------- |
71-
| [**Azure Monitor agent (AMA) logs**](connect-services-windows-based.md), such as: <li>[Windows Security Events via AMA](./data-connectors/windows-security-events-via-ama.md)<li>[Windows Forwarded Events](./data-connectors/windows-forwarded-events.md)<li>[CEF data](connect-cef-ama.md)<li>[Syslog data](connect-cef-syslog.md) | One or more DCRs associated with the agent |
71+
| [**Azure Monitor agent (AMA) logs**](connect-services-windows-based.md), such as: <li>[Windows Security Events via AMA](./data-connectors-reference.md#windows-security-events-via-ama)<li>[Windows Forwarded Events](./data-connectors/windows-forwarded-events)<li>[CEF data](connect-cef-ama.md)<li>[Syslog data](connect-cef-syslog.md) | One or more DCRs associated with the agent |
7272
| **Direct ingestion via [Logs ingestion API](/azure/azure-monitor/logs/logs-ingestion-api-overview)** | DCR specified in API call |
7373
| **Built-in, API-based data connector**, such as: <li>[Codeless data connectors](create-codeless-connector.md) | DCR created for connector |
7474
| [**Diagnostic settings-based connections**](connect-services-diagnostic-setting-based.md) | Workspace transformation DCR with [supported output tables](/azure/azure-monitor/logs/tables-feature-support) |
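Review bot: The Windows Forwarded Events link on new line 71 is only half converted: it became `./data-connectors/windows-forwarded-events`, which drops the `.md` extension but still points into the old `data-connectors/` folder, while the Windows Security Events link next to it moved to `./data-connectors-reference.md#windows-security-events-via-ama`. If the per-connector pages are being retired this link will break. It should presumably follow the same pattern as its neighbour, `./data-connectors-reference.md#windows-forwarded-events`, once that anchor is confirmed to exist.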

articles/sentinel/dynamics-365/dynamics-365-finance-operations-security-content.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -25,7 +25,7 @@ This article details the security content available for the Microsoft Sentinel s
2525
|**F&O – Mass update or deletion of user account records** |Identifies large delete or update operations on Finance and Operations user records based on predefined thresholds. <br><br>Default update threshold: **50**<br>Default delete threshold: **10** |Deletions or modifications in Finance and Operations portal, under **Modules > System Administration > Users**<br><br>Data source: `FinanceOperationsActivity_CL` |Impact |
2626
|**F&O – Bank account change following network alias reassignment** |Identifies updates to bank account number by a user account which his alias was recently modified to a new value. |Changes in bank account number, in Finance and Operations portal, under **Workspaces > Bank management > All bank accounts** correlated with a relevant change in the user account to alias mapping.<br><br>Data source: `FinanceOperationsActivity_CL` |Credential Access, Lateral Movement, Privilege Escalation |
2727
|**F&O – Reverted bank account number modifications** |Identifies changes to bank account numbers in Finance & Operations, whereby a bank account number is modified but then subsequently reverted a short time later. |Changes in bank account number, in Finance and Operations portal, under **Workspaces > Bank management > All bank accounts**.<br><br>Data source: `FinanceOperationsActivity_CL` |Impact |
28-
|**F&O – Unusual sign-in activity using single factor authentication** |Identifies successful sign-in events to Finance & Operations and Lifecycle Services using single factor/password authentication. <br><Br>Sign-in events from tenants that aren't using MFA, coming from a Microsoft Entra ID trusted network location, or from geographic locations seen in the last 14 days are excluded.<br><br>This detection uses logs ingested from Microsoft Entra ID and you must enable the [Microsoft Entra data connector](../data-connectors/microsoft-entra-id.md). |Sign-ins to the monitored Finance and Operations environment.<br><br>Data source: `Signinlogs` |Credential Access, Initial Access |
28+
|**F&O – Unusual sign-in activity using single factor authentication** |Identifies successful sign-in events to Finance & Operations and Lifecycle Services using single factor/password authentication. <br><Br>Sign-in events from tenants that aren't using MFA, coming from a Microsoft Entra ID trusted network location, or from geographic locations seen in the last 14 days are excluded.<br><br>This detection uses logs ingested from Microsoft Entra ID and you must enable the [Microsoft Entra data connector](../data-connectors-reference.md#microsoft-entra-id). |Sign-ins to the monitored Finance and Operations environment.<br><br>Data source: `Signinlogs` |Credential Access, Initial Access |
2929

3030
## Related content
3131
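Review bot: New line 28 still names the data source as `Signinlogs`; the Log Analytics table is `SigninLogs`, and KQL table names are case-sensitive, so the name as written will not resolve if an analyst copies it into a query. Worth fixing while the row is open, along with the stray `<Br>` where the rest of the row uses `<br>`. The new relative path `../data-connectors-reference.md#microsoft-entra-id` is consistent with this file sitting one folder below the reference page.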

articles/sentinel/feature-availability.md

Lines changed: 11 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -55,26 +55,26 @@ For more information, see [Microsoft Defender XDR for US Government customers](/
5555
|[Amazon Web Services S3](connect-aws.md?tabs=s3) |GA|&#x2705; |&#x2705; |&#10060; |
5656
|[Microsoft Entra ID](connect-azure-active-directory.md) |GA |&#x2705; |&#x2705;|&#x2705; <sup>[1](#logsavailable)</sup> |
5757
|[Microsoft Entra ID Protection](connect-services-api-based.md) |GA |&#x2705;| &#x2705; |&#10060; |
58-
|[Azure Activity](data-connectors/azure-activity.md) |GA |&#x2705;| &#x2705;|&#x2705; |
58+
|[Azure Activity](data-connectors-reference.md#azure-activity) |GA |&#x2705;| &#x2705;|&#x2705; |
5959
|[Azure DDoS Protection](connect-services-diagnostic-setting-based.md) |GA |&#x2705;| &#x2705;|&#10060; |
60-
|[Azure Firewall](data-connectors/azure-firewall.md) |GA |&#x2705;| &#x2705;|&#x2705; |
61-
|[Azure Information Protection (Preview)](data-connectors/azure-information-protection.md) |Deprecated |&#10060; |&#10060; |&#10060; |
62-
|[Azure Key Vault](data-connectors/azure-key-vault.md) |Public preview |&#x2705; |&#x2705;|&#x2705; |
63-
|[Azure Kubernetes Service (AKS)](data-connectors/azure-kubernetes-service-aks.md) |Public preview |&#x2705;| &#x2705;|&#x2705; |
60+
|[Azure Firewall](data-connectors-reference.md#azure-firewall) |GA |&#x2705;| &#x2705;|&#x2705; |
61+
|[Azure Information Protection (Preview)](data-connectors-reference.md#azure-information-protection) |Deprecated |&#10060; |&#10060; |&#10060; |
62+
|[Azure Key Vault](data-connectors-reference.md#azure-key-vault) |Public preview |&#x2705; |&#x2705;|&#x2705; |
63+
|[Azure Kubernetes Service (AKS)](data-connectors-reference.md#azure-kubernetes-service-aks) |Public preview |&#x2705;| &#x2705;|&#x2705; |
6464
|[Azure SQL Databases](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/azure-sentinel-sql-solution-query-deep-dive/ba-p/2597961) |GA |&#x2705; |&#x2705;|&#x2705; |
65-
|[Azure Web Application Firewall (WAF)](data-connectors/azure-web-application-firewall-waf.md) |GA |&#x2705; |&#x2705;|&#x2705; |
66-
|[Cisco ASA](data-connectors/cisco-asa.md) |GA |&#x2705; |&#x2705;|&#x2705; |
65+
|[Azure Web Application Firewall (WAF)](data-connectors-reference.md#azure-web-application-firewall-waf) |GA |&#x2705; |&#x2705;|&#x2705; |
66+
|[Cisco ASA](data-connectors-reference.md#cisco-asa) |GA |&#x2705; |&#x2705;|&#x2705; |
6767
|[Codeless Connectors Platform](create-codeless-connector.md?tabs=deploy-via-arm-template%2Cconnect-via-the-azure-portal) |Public preview |&#x2705; |&#10060;|&#10060; |
6868
|[Common Event Format (CEF)](connect-common-event-format.md) |GA |&#x2705; |&#x2705;|&#x2705; |
6969
|[Common Event Format (CEF) via AMA](connect-cef-syslog-ama.md) |GA |&#x2705;|&#x2705; |&#x2705; |
70-
|[DNS](data-connectors/dns.md) |Public preview |&#x2705;| &#10060; |&#x2705; |
70+
|[DNS](data-connectors-reference.md#dns) |Public preview |&#x2705;| &#10060; |&#x2705; |
7171
|[GCP Pub/Sub Audit Logs](connect-google-cloud-platform.md) |Public preview |&#x2705; |&#x2705; |&#10060; |
7272
|[Microsoft Defender XDR](connect-microsoft-365-defender.md?tabs=MDE) |GA |&#x2705;| &#x2705;|&#10060; |
7373
|[Microsoft Purview Insider Risk Management (Preview)](sentinel-solutions-catalog.md#domain-solutions) |Public preview |&#x2705; |&#x2705;|&#10060; |
7474
|[Microsoft Defender for Cloud](connect-defender-for-cloud.md) |GA |&#x2705; |&#x2705; |&#x2705;|
7575
|[Microsoft Defender for IoT](connect-services-api-based.md) |GA |&#x2705;|&#x2705;|&#10060; |
76-
|[Microsoft Power BI (Preview)](data-connectors/microsoft-powerbi.md) |Public preview |&#x2705; |&#x2705;|&#10060; |
77-
|[Microsoft Project (Preview)](data-connectors/microsoft-project.md) |Public preview |&#x2705; |&#x2705;|&#10060; |
76+
|[Microsoft Power BI (Preview)](data-connectors-reference.md#microsoft-powerbi) |Public preview |&#x2705; |&#x2705;|&#10060; |
77+
|[Microsoft Project (Preview)](data-connectors-reference.md#microsoft-project) |Public preview |&#x2705; |&#x2705;|&#10060; |
7878
|[Microsoft Purview (Preview)](connect-services-diagnostic-setting-based.md) |Public preview |&#x2705;|&#10060; |&#10060; |
7979
|[Microsoft Purview Information Protection](connect-microsoft-purview.md) |Public preview |&#x2705;| &#10060;|&#10060; |
8080
|[Microsoft Sentinel solution for Microsoft Business Apps](business-applications/solution-overview.md) | Public Preview |&#x2705; |&#x2705; |&#x2705; |
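Review bot: The new fragments on lines 58 to 77 look like they were derived from the old file names rather than from the headings in data-connectors-reference.md, for example `#microsoft-powerbi` on the row labelled "Microsoft Power BI (Preview)" and `#azure-kubernetes-service-aks`. A fragment that matches no anchor still loads the target page, just at the top, so a wrong one will not show up as a broken link in a casual click-through. Please run link validation with anchor checking against the reference page before merging, given that this is already "fix links 3", and check whether the deprecated Azure Information Protection row has a section there at all.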
@@ -83,7 +83,7 @@ For more information, see [Microsoft Defender XDR for US Government customers](/
8383
|[Syslog](connect-syslog.md) |GA |&#x2705;| &#x2705;|&#x2705; |
8484
|[Syslog via AMA](connect-cef-syslog-ama.md) |GA |&#x2705;| &#x2705;|&#x2705; |
8585
|[Windows DNS Events via AMA](connect-dns-ama.md) |GA |&#x2705; |&#x2705;|&#x2705; |
86-
|[Windows Firewall](data-connectors/windows-firewall.md) |GA |&#x2705; |&#x2705;|&#x2705; |
86+
|[Windows Firewall](data-connectors-reference.md#windows-firewall) |GA |&#x2705; |&#x2705;|&#x2705; |
8787
|[Windows Forwarded Events](connect-services-windows-based.md) |GA |&#x2705;|&#x2705; |&#x2705; |
8888
|[Windows Security Events via AMA](connect-services-windows-based.md) |GA |&#x2705; |&#x2705;|&#x2705; |
8989

articles/sentinel/fusion.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -77,9 +77,9 @@ When the Fusion engine's correlations result in the detection of an emerging thr
7777
Microsoft Sentinel's Fusion engine generates an incident when it detects multiple alerts of different types from the following data sources, and determines that they might be related to ransomware activity:
7878

7979
- [Microsoft Defender for Cloud](connect-defender-for-cloud.md)
80-
- [Microsoft Defender for Endpoint](./data-connectors/microsoft-defender-for-endpoint.md)
81-
- [Microsoft Defender for Identity connector](./data-connectors/microsoft-defender-for-identity.md)
82-
- [Microsoft Defender for Cloud Apps](./data-connectors/microsoft-defender-for-cloud-apps.md)
80+
- [Microsoft Defender for Endpoint](./data-connectors-reference.md#microsoft-defender-for-endpoint)
81+
- [Microsoft Defender for Identity connector](./data-connectors-reference.md#microsoft-defender-for-identity)
82+
- [Microsoft Defender for Cloud Apps](./data-connectors-reference.md#microsoft-defender-for-cloud-apps)
8383
- [Microsoft Sentinel scheduled analytics rules](scheduled-rules-overview.md). Fusion only considers scheduled analytics rules with tactics information and mapped entities.
8484

8585
Such Fusion incidents are named **Multiple alerts possibly related to Ransomware activity detected**, and are generated when relevant alerts are detected during a specific time-frame and are associated with the **Execution** and **Defense Evasion** stages of an attack.
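Review bot: Style point on new lines 80 to 82: the three updated links carry a `./` prefix while the untouched entries in the same list (`connect-defender-for-cloud.md`, `scheduled-rules-overview.md`) do not, and only the Defender for Identity item has "connector" in its link text. Suggest dropping the `./` and the extra "connector" so the list reads uniformly.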

articles/sentinel/prepare-multiple-workspaces.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -47,7 +47,7 @@ When determining how many tenants and workspaces to use, consider that most Micr
4747

4848
In case of an MSSP, many if not all of the above requirements apply, making multiple workspaces, across tenants, the best practice. Specifically, we recommend that you create at least one workspace for each Microsoft Entra tenant to support built-in, [service to service data connectors](connect-data-sources.md#service-to-service-integration-for-data-connectors) that work only within their own Microsoft Entra tenant.
4949

50-
- Connectors that are based on diagnostics settings can't be connected to a workspace that isn't located in the same tenant where the resource resides. This applies to connectors such as [Azure Firewall](./data-connectors/azure-firewall.md), [Azure Storage](./data-connectors/azure-storage-account.md), [Azure Activity](./data-connectors/azure-activity.md) or [Microsoft Entra ID](connect-azure-active-directory.md).
50+
- Connectors that are based on diagnostics settings can't be connected to a workspace that isn't located in the same tenant where the resource resides. This applies to connectors such as [Azure Firewall](./data-connectors-reference.md#azure-firewall), [Azure Storage](./data-connectors-reference.md#azure-storage-account), [Azure Activity](./data-connectors-reference.md#azure-activity) or [Microsoft Entra ID](connect-azure-active-directory.md).
5151

5252
- [Partner data connectors](data-connectors-reference.md) are often based on API or agent collections, and therefore are not attached to a specific Microsoft Entra tenant.
5353

articles/sentinel/sentinel-content-centralize.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -54,7 +54,7 @@ The key to experiencing the updated behavior is to start in **Content hub**. For
5454

5555
For more information on the new solution content behavior, see [Discover and deploy OOTB content](sentinel-solutions-deploy.md#enable-content-items-in-a-solution).
5656

57-
If there was a particular sample query for a third party data connector you are looking for, we still publish them in our **All connectors** index. For example, here are the sample queries for the [Jamf Protect connector](data-connectors/jamf-protect.md).
57+
If there was a particular sample query for a third party data connector you are looking for, we still publish them in our **All connectors** index. For example, here are the sample queries for the [Jamf Protect connector](data-connectors-reference.md#jamf-protect).
5858

5959
## Microsoft Sentinel GitHub changes
6060
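Review bot: The sentence on new line 57 promises sample queries at the link target ("here are the sample queries for the Jamf Protect connector"), but the target is now a section of the consolidated reference page rather than the connector's own page. Confirm that `data-connectors-reference.md#jamf-protect` still carries the sample queries, and reword the sentence if it does not. Minor, on the same line: "third party data connector" should be hyphenated, and "a particular sample query ... publish them" mixes singular and plural.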

articles/sentinel/sentinel-solutions-catalog.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -48,7 +48,7 @@ The following table lists the domain-specific out-of-the-box (built-in) and on-d
4848
|**[Log4j Vulnerability Detection](https://azuremarketplace.microsoft.com/marketplace/apps/azuresentinel.azure-sentinel-solution-apachelog4jvulnerability?tab=Overview)**|Workbooks, analytic rules, hunting queries, watchlists, playbooks|Application, Security - Automation (SOAR), Security - Threat Protection, Security - Vulnerability Management|Microsoft|
4949
| **[Microsoft Defender for IoT](https://azuremarketplace.microsoft.com/marketplace/apps/azuresentinel.azure-sentinel-solution-unifiedmicrosoftsocforot?tab=Overview)** | [Analytics rules, playbooks, workbook](iot-advanced-threat-monitoring.md) | Internet of Things (IoT), Security - Threat Protection | Microsoft |
5050
|**[Maturity Model for Event Log Management M2131](https://azuremarketplace.microsoft.com/marketplace/apps/azuresentinel.azure-sentinel-solution-maturitymodelforeventlogma?tab=Overview)** | [Analytics rules, hunting queries, playbooks, workbook](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/modernize-log-management-with-the-maturity-model-for-event-log/ba-p/3072842) | Compliance | Microsoft|
51-
|**[Microsoft 365 Insider Risk Management](https://azuremarketplace.microsoft.com/marketplace/apps/azuresentinel.azure-sentinel-solution-insiderriskmanagement?tab=Overview)** (IRM) |[Data connector](data-connectors/microsoft-365-insider-risk-management.md), [workbook, analytics rules, hunting queries, playbook](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/announcing-the-microsoft-sentinel-microsoft-insider-risk/ba-p/2955786) |Security - Insider threat | Microsoft|
51+
|**[Microsoft 365 Insider Risk Management](https://azuremarketplace.microsoft.com/marketplace/apps/azuresentinel.azure-sentinel-solution-insiderriskmanagement?tab=Overview)** (IRM) |[Data connector](data-connectors-reference.md#microsoft-365-insider-risk-management), [workbook, analytics rules, hunting queries, playbook](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/announcing-the-microsoft-sentinel-microsoft-insider-risk/ba-p/2955786) |Security - Insider threat | Microsoft|
5252
|**[Network Session Essentials](https://azuremarketplace.microsoft.com/marketplace/apps/azuresentinel.azure-sentinel-solution-networksession?tab=Overview)**|[Analytics rules, hunting queries, playbooks, workbook](domain-based-essential-solutions.md)|Security - Network | Microsoft|
5353
|**[Network Threat Protection Essentials](https://azuremarketplace.microsoft.com/marketplace/apps/azuresentinel.azure-sentinel-solution-networkthreatdetection?tab=Overview)**|Analytic rules, hunting queries|Security - Network, Security - Threat Protection|Microsoft|
5454
|**[NIST SP 800-53](https://azuremarketplace.microsoft.com/marketplace/apps/azuresentinel.azure-sentinel-solution-nistsp80053?tab=Overview)**|[Workbooks, analytic rules, playbooks](https://techcommunity.microsoft.com/t5/public-sector-blog/microsoft-sentinel-nist-sp-800-53-solution/ba-p/3401307)|Security - Threat Protection|Microsoft|

articles/sentinel/top-workbooks.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -36,7 +36,7 @@ The following table includes workbooks we recommend and the solution or standalo
3636
|**Identity & Access** | Provides insight into identity and access operations by collecting and analyzing security logs, using the audit and sign-in logs to gather insights into use of Microsoft products. |Windows Security Events|
3737
|**Incident Overview** | Designed to help with triage and investigation by providing in-depth information about an incident, including general information, entity data, triage time, mitigation time, and comments. <br><br>For more information, see [The Toolkit for Data-Driven SOCs](https://techcommunity.microsoft.com/t5/azure-sentinel/the-toolkit-for-data-driven-socs/ba-p/2143152). |SOC Handbook|
3838
|<a name="investigation-insights"></a>**Investigation Insights** | Provides analysts with insight into incident, bookmark, and entity data. Common queries and detailed visualizations can help analysts investigate suspicious activities. |SOC Handbook|
39-
|**Microsoft Defender for Cloud Apps - discovery logs** | Provides details about the cloud apps that are used in your organization, and insights from usage trends and drill-down data for specific users and applications. <br><br>For more information, see [Microsoft Defender for Cloud Apps connector for Microsoft Sentinel](./data-connectors/microsoft-defender-for-cloud-apps.md).|Microsoft Defender for Cloud Apps|
39+
|**Microsoft Defender for Cloud Apps - discovery logs** | Provides details about the cloud apps that are used in your organization, and insights from usage trends and drill-down data for specific users and applications. <br><br>For more information, see [Microsoft Defender for Cloud Apps connector for Microsoft Sentinel](./data-connectors-reference.md#microsoft-defender-for-cloud-apps).|Microsoft Defender for Cloud Apps|
4040
|**Microsoft Entra Audit Logs** | Uses the audit logs to gather insights around Microsoft Entra ID scenarios. Learn about user operations, including password and group management, device activities, and top active users and apps.<br><br>For more information, see [Quickstart: Get started with Microsoft Sentinel](get-visibility.md). |Microsoft Entra ID|
4141
|**Microsoft Entra Sign-in logs** | Provides insights to sign-in operations, such as user sign-ins and locations, email addresses, and IP addresses of your users, failed activities, and the errors that triggered the failures. |Microsoft Entra ID|
4242
|**MITRE ATT&CK Workbook** | Provides details about MITRE ATT&CK coverage for Microsoft Sentinel. |SOC Handbook|
