Revert untouched files

cdpark · cdpark · commit 74b8be1b906a · 2025-04-24T14:18:28.000-07:00
diff --git a/articles/sentinel/feature-availability.md b/articles/sentinel/feature-availability.md
@@ -23,7 +23,7 @@ This article describes the features available in Microsoft Sentinel across diffe
 
 ## Experience in the Defender portal 
 
-Microsoft Sentinel is also available in the [Microsoft Defender portal](microsoft-sentinel-defender-portal.md). In the Defender portal, all features in general availability are available in both commercial and GCC High and DoD clouds. Features still in preview are available only in the commercial cloud.
+Microsoft Sentinel is also available in the [Microsoft Defender portal](microsoft-sentinel-defender-portal.md). In the Defender portal, all features in general availability are available in commercial, GCC, GCC High and DoD clouds. Features still in preview are available only in the commercial cloud.
 
 While [attack disruption in the Defender portal](/defender-xdr/automatic-attack-disruption) is generally available, [SAP support for attack disruption](/defender-xdr/automatic-attack-disruption#automated-response-actions-for-sap-with-microsoft-sentinel) in the Defender portal available only in the commercial cloud.
 
diff --git a/articles/sentinel/microsoft-sentinel-defender-portal.md b/articles/sentinel/microsoft-sentinel-defender-portal.md
@@ -16,14 +16,12 @@ ms.collection: usx-security
 
 # Microsoft Sentinel in the Microsoft Defender portal
 
-This article describes the Microsoft Sentinel experience in the Microsoft Defender portal. Microsoft Sentinel is generally available within Microsoft's unified security operations platform in the Microsoft Defender portal with Microsoft Defender XDR. For more information, see:
+This article describes the Microsoft Sentinel experience in the Microsoft Defender portal. Microsoft Sentinel is generally available within Microsoft's unified security operations platform in the Microsoft Defender portal either with Microsoft Defender XDR, or on its own. For more information, see:
 
 - [What is Microsoft's unified security operations platform?](/unified-secops-platform/overview-unified-security)
 - [Connect Microsoft Sentinel to Microsoft Defender XDR](/unified-secops-platform/microsoft-sentinel-onboard)
 - [Microsoft Sentinel feature support for Azure commercial/other clouds](feature-availability.md)
 
-For preview, Microsoft Sentinel is available in the Defender portal without Microsoft Defender XDR or an E5 license.
-
 ## New and improved capabilities
 
 The following table describes the new or improved capabilities available in the Defender portal with the integration of Microsoft Sentinel. Microsoft continues to innovate in this new experience with features that might be exclusive to the Defender portal.
diff --git a/articles/sentinel/migration-splunk-detection-rules.md b/articles/sentinel/migration-splunk-detection-rules.md
@@ -250,16 +250,16 @@ series_decompose_anomalies(Trend)
 |`cos(X)` |Calculates the cosine of X. |`n=cos(0)` |[cos()](/kusto/query/cos-function?view=microsoft-sentinel&preserve-view=true) |`cos(X)` |
 |`exact(X)`	     |Evaluates an expression X using double precision floating point arithmetic.         |`exact(3.14*num)`         |[`todecimal()`](/kusto/query/todecimal-function?view=microsoft-sentinel&preserve-view=true)         |`todecimal(3.14*2)` |
 |`exp(X)`    |Returns eX.         |`exp(3)`         |[exp()](/kusto/query/exp-function?view=microsoft-sentinel&preserve-view=true)         |`exp(3)` |
-|`if(X,Y,Z)`     |If `X` evaluates to `TRUE`, the result is the second argument `Y`. If `X` evaluates to `FALSE`, the result evaluates to the third argument `Z`.         |`if(error==200,`<br> `"OK", "Error")`         |[`iif()`](/kusto/query/iif-function?view=microsoft-sentinel&preserve-view=true)         |[KQL example](#ifxyz-kql-example) |
-|`isbool(X)`	     |Returns `TRUE` if `X` is boolean.	         |`isbool(field)`         |• [`iif()`](/kusto/query/iif-function?view=microsoft-sentinel&preserve-view=true)<br>• [`gettype`](/kusto/query/gettype-function?view=microsoft-sentinel&preserve-view=true)    |`iif(gettype(X) =="bool","TRUE","FALSE")` |
-|`isint(X)`     |Returns `TRUE` if `X` is an integer.	         |`isint(field)`         |• [`iif()`](/kusto/query/iif-function?view=microsoft-sentinel&preserve-view=true)<br>• [`gettype`](/kusto/query/gettype-function?view=microsoft-sentinel&preserve-view=true)         |[KQL example](#isintx-kql-example) |
+|`if(X,Y,Z)`     |If `X` evaluates to `TRUE`, the result is the second argument `Y`. If `X` evaluates to `FALSE`, the result evaluates to the third argument `Z`.         |`if(error==200,`<br> `"OK", "Error")`         |[`iff()`](/kusto/query/iff-function?view=microsoft-sentinel&preserve-view=true)         |[KQL example](#ifxyz-kql-example) |
+|`isbool(X)`	     |Returns `TRUE` if `X` is boolean.	         |`isbool(field)`         |• [`iff()`](/kusto/query/iff-function?view=microsoft-sentinel&preserve-view=true)<br>• [`gettype`](/kusto/query/gettype-function?view=microsoft-sentinel&preserve-view=true)    |`iff(gettype(X) =="bool","TRUE","FALSE")` |
+|`isint(X)`     |Returns `TRUE` if `X` is an integer.	         |`isint(field)`         |• [`iff()`](/kusto/query/iff-function?view=microsoft-sentinel&preserve-view=true)<br>• [`gettype`](/kusto/query/gettype-function?view=microsoft-sentinel&preserve-view=true)         |[KQL example](#isintx-kql-example) |
 |`isnull(X)`	     |Returns `TRUE` if `X` is null.	         |`isnull(field)`	 |[`isnull()`](/kusto/query/isnull-function?view=microsoft-sentinel&preserve-view=true)         |`isnull(field)` |
-|`isstr(X)`    |Returns `TRUE` if `X` is a string.	        |`isstr(field)`         |• [`iif()`](/kusto/query/iif-function?view=microsoft-sentinel&preserve-view=true)<br>• [`gettype`](/kusto/query/gettype-function?view=microsoft-sentinel&preserve-view=true)    |[KQL example](#isstrx-kql-example) |
+|`isstr(X)`    |Returns `TRUE` if `X` is a string.	        |`isstr(field)`         |• [`iff()`](/kusto/query/iff-function?view=microsoft-sentinel&preserve-view=true)<br>• [`gettype`](/kusto/query/gettype-function?view=microsoft-sentinel&preserve-view=true)    |[KQL example](#isstrx-kql-example) |
 |`len(X)`	     |This function returns the character length of a string `X`.	         |`len(field)`	         |[`strlen()`](/kusto/query/strlen-function?view=microsoft-sentinel&preserve-view=true)         |`strlen(field)` |
 |`like(X,"y")`     |Returns `TRUE` if and only if `X` is like the SQLite pattern in `Y`.       |`like(field, "addr%")`         |• [`has`](/kusto/query/has-any-operator?view=microsoft-sentinel&preserve-view=true)<br>• [`contains`](/kusto/query/datatypes-string-operators?view=microsoft-sentinel&preserve-view=true)<br>• [`startswith`](/kusto/query/datatypes-string-operators?view=microsoft-sentinel&preserve-view=true)<br>• [matches regex](/kusto/query/regex?view=microsoft-sentinel&preserve-view=true)	 |[KQL example](#likexy-example) |
 |`log(X,Y)`     |Returns the log of the first argument `X` using the second argument `Y` as the base. The default value of `Y` is `10`.       |`log(number,2)`         |• [`log`](/kusto/query/log-function?view=microsoft-sentinel&preserve-view=true)<br>• [`log2`](/kusto/query/log2-function?view=microsoft-sentinel&preserve-view=true)<br>• [`log10`](/kusto/query/log10-function?view=microsoft-sentinel&preserve-view=true)         |`log(X)`<br><br>`log2(X)`<br><br>`log10(X)` |
 |`lower(X)`	     |Returns the lowercase value of `X`.	         |`lower(username)`         |[tolower](/kusto/query/tolower-function?view=microsoft-sentinel&preserve-view=true)         |`tolower(username)` |
-|`ltrim(X,Y)`     |Returns `X` with the characters in parameter `Y` trimmed from the left side. The default output of `Y` is spaces and tabs.	         |`ltrim(" ZZZabcZZ ", " Z")`	         |[`trim_start()`](/kusto/query/trimstart-function?view=microsoft-sentinel&preserve-view=true)         |`trim_start(“ ZZZabcZZ”,” ZZZ”)` |
+|`ltrim(X,Y)`     |Returns `X` with the characters in parameter `Y` trimmed from the left side. The default output of `Y` is spaces and tabs.	         |`ltrim(" ZZZabcZZ ", " Z")`	         |[`trim_start()`](/kusto/query/trim-start-function?view=microsoft-sentinel&preserve-view=true)         |`trim_start(“ ZZZabcZZ”,” ZZZ”)` |
 |`match(X,Y)`	     |Returns if X matches the regex pattern Y.	         |`match(field, "^\d{1,3}.\d$")`         |[`matches regex`](/kusto/query/regex?view=microsoft-sentinel&preserve-view=true)         |`… | where field matches regex @"^\d{1,3}.\d$")` |
 |`max(X,…)`	    |Returns the maximum value in a column.	         |`max(delay, mydelay)`         |• [`max()`](/kusto/query/max-aggregation-function?view=microsoft-sentinel&preserve-view=true)<br>• [`arg_max()`](/kusto/query/arg-max-aggregation-function?view=microsoft-sentinel&preserve-view=true)         |`… | summarize max(field)` |
 |`md5(X)`	     |Returns the MD5 hash of a string value `X`.	         |`md5(field)`         |[`hash_md5`](/kusto/query/hash-md5-function?view=microsoft-sentinel&preserve-view=true)         |`hash_md5("X")` |
@@ -270,13 +270,13 @@ series_decompose_anomalies(Trend)
 |`mvjoin(X,Y)`     |Given a multi-valued field `X` and string delimiter `Y`, and joins the individual values of `X` using `Y`.		         |`mvjoin(address, ";")`         |[`strcat_array`](/kusto/query/strcat-array-function?view=microsoft-sentinel&preserve-view=true)         |[KQL example](#mvjoinxy-kql-example) |
 |`now()`     |Returns the current time, represented in Unix time.         |`now()`         |[`now()`](/kusto/query/now-function?view=microsoft-sentinel&preserve-view=true)         |`now()`<br><br>`now(-2d)` |
 |`null()`     |Doesn't accept arguments and returns `NULL`.	         |`null()`         |[null](/kusto/query/scalar-data-types/null-values)         |`null`
-|`nullif(X,Y)`	     |Includes two arguments, `X` and `Y`, and returns `X` if the arguments are different. Otherwise, returns `NULL`. |`nullif(fieldA, fieldB)`         |[`iif`](/kusto/query/iif-function?view=microsoft-sentinel&preserve-view=true)         |`iif(fieldA==fieldB, null, fieldA)` |
+|`nullif(X,Y)`	     |Includes two arguments, `X` and `Y`, and returns `X` if the arguments are different. Otherwise, returns `NULL`. |`nullif(fieldA, fieldB)`         |[`iff`](/kusto/query/iff-function?view=microsoft-sentinel&preserve-view=true)         |`iff(fieldA==fieldB, null, fieldA)` |
 |`random()`     |Returns a pseudo-random number between `0` to `2147483647`.         |`random()`         |[`rand()`](/kusto/query/rand-function?view=microsoft-sentinel&preserve-view=true)         |`rand()` |
 |`relative_ time(X,Y)`    |Given an epoch time `X` and relative time specifier `Y`, returns the epoch time value of `Y` applied to `X`.	         |`relative_time(now(),"-1d@d")`	         |[unix time](/kusto/query/datetime-timespan-arithmetic?view=microsoft-sentinel&preserve-view=true#example-unix-time)         |[KQL example](#relative-timexy-kql-example) |
-|`replace(X,Y,Z)` |Returns a string formed by substituting string `Z` for every occurrence of regular expression string `Y` in string `X`. |Returns date with the month and day numbers switched.<br>For example, for the `4/30/2015` input, the output is `30/4/2009`:<br><br>`replace(date, "^(\d{1,2})/ (\d{1,2})/", "\2/\1/")`	|[`replace()`](/kusto/query/replace-function?view=microsoft-sentinel&preserve-view=true)	|[KQL example](#replacexyz-kql-example) |
+|`replace(X,Y,Z)` |Returns a string formed by substituting string `Z` for every occurrence of regular expression string `Y` in string `X`. |Returns date with the month and day numbers switched.<br>For example, for the `4/30/2015` input, the output is `30/4/2009`:<br><br>`replace(date, "^(\d{1,2})/ (\d{1,2})/", "\2/\1/")`	|[`replace()`](/kusto/query/replace-string-function?view=microsoft-sentinel&preserve-view=true)	|[KQL example](#replacexyz-kql-example) |
 |`round(X,Y)` |Returns `X` rounded to the number of decimal places specified by `Y`. The default is to round to an integer. |`round(3.5)` |[`round`](/kusto/query/round-function?view=microsoft-sentinel&preserve-view=true) |`round(3.5)` |
 |`rtrim(X,Y)` |Returns `X` with the characters of `Y` trimmed from the right side. If `Y` isn't specified, spaces and tabs are trimmed. |`rtrim(" ZZZZabcZZ ", " Z")` |[`trim_end()`](/kusto/query/trim-end-function?view=microsoft-sentinel&preserve-view=true) |`trim_end(@"[ Z]+",A)` |
-|`searchmatch(X)` |Returns `TRUE` if the event matches the search string `X`. |`searchmatch("foo AND bar")` |[iif()](/kusto/query/iif-function?view=microsoft-sentinel&preserve-view=true) |`iif(field has "X","Yes","No")` |
+|`searchmatch(X)` |Returns `TRUE` if the event matches the search string `X`. |`searchmatch("foo AND bar")` |[iff()](/kusto/query/iff-function?view=microsoft-sentinel&preserve-view=true) |`iff(field has "X","Yes","No")` |
 | `split(X,"Y")` |Returns `X` as a multi-valued field, split by delimiter `Y`. |`split(address, ";")` |[`split()`](/kusto/query/split-function?view=microsoft-sentinel&preserve-view=true) |`split(address, ";")` |
 |`sqrt(X)` |Returns the square root of `X`. |`sqrt(9)` |[`sqrt()`](/kusto/query/sqrt-function?view=microsoft-sentinel&preserve-view=true) |`sqrt(9)` |
 |`strftime(X,Y)` |Returns the epoch time value `X` rendered using the format specified by `Y`. |`strftime(_time, "%H:%M")` |[`format_datetime()`](/kusto/query/format-datetime-function?view=microsoft-sentinel&preserve-view=true) |`format_datetime(time,'HH:mm')` |
