Fix validation issues

Author: oshezaf

articles/sentinel/normalization-common-fields.md

@@ -85,8 +85,8 @@ The role of the device fields is different for different schemas and event types
 | Field               | Class       | Type       |  Description        |
 |---------------------|-------------|------------|--------------------|
 | <a name="additionalfields"></a>**AdditionalFields**    | Optional    | Dynamic    | If your source provides additional information worth preserving, either keep it with the original field names or create the dynamic **AdditionalFields** field, and add to it the extra information as key/value pairs.    |
-| <a href="asimmatchingipaddr"></a>**ASimMatchingIpAddr** | Recommended | String | When a parser uses the `ipaddr_has_any_prefix` filtering parameters, this field  is set with the one of the values `SrcIpAddr`, `DstIpAddr`, or `Both` to reflect the matching fields or fields. | 
-| <a href="asimmatchinghostname"></a>**ASimMatchingHostname** | Recommended | String | When a parser uses the `hostname_has_any` filtering parameters, this field  is set with the one of the values `SrcHostname`, `DstHostname`, or `Both` to reflect the matching fields or fields. | 
+| <a name="asimmatchingipaddr"></a>**ASimMatchingIpAddr** | Recommended | String | When a parser uses the `ipaddr_has_any_prefix` filtering parameters, this field  is set with the one of the values `SrcIpAddr`, `DstIpAddr`, or `Both` to reflect the matching fields or fields. | 
+| <a name="asimmatchinghostname"></a>**ASimMatchingHostname** | Recommended | String | When a parser uses the `hostname_has_any` filtering parameters, this field  is set with the one of the values `SrcHostname`, `DstHostname`, or `Both` to reflect the matching fields or fields. | 
 
 
 ## Vendors and products

articles/sentinel/normalization-develop-parsers.md

@@ -39,7 +39,7 @@ The following workflow describe the high level steps in developing a custom ASIM
 
 1. Identify the schemas or schemas that the events sent from the source represent. For more information, see [Schema overview](normalization-about-schemas.md).
 
-1. [Map](#mapping-to-schema) the source event fields to the identified schema or schemas. 
+1. [Map](#mapping) the source event fields to the identified schema or schemas. 
 
 1. [Develop](#developing-parsers) one or more ASIM parsers for your source. You'll need to develop a filtering parser and a parameter-less parser for each schema relevant to the source.
 
@@ -428,11 +428,14 @@ If warnings listed by the ASIM testing tools are considered valid for a parser,
 ``` YAML
 Exceptions:
 - Field: DnsQuery 
+  Warning: Invalid value
   Exception: May have values such as "1164-ms-7.1440-9fdc2aab.3b2bd806-978e-11ec-8bb3-aad815b5cd42" which are not valid domains names. Those are are related to TKEY RR requests.
 - Field: DnsQuery
+  Warning: Empty value in mandatory field
   Exception: May be empty for requests for root servers and for requests for RR type DNSKEY
 ```
 
+The warning specified in the YAML file should be a short form of the warning message uniquely identifying. The value is used to match warning messages when performing automated testings and ignore them.  
 
 ## <a name="next-steps"></a>Next steps
 

articles/sentinel/normalization-parsers-list.md

@@ -104,7 +104,7 @@ Microsoft Sentinel provides the following built-in, product-specific Registry Ev
 
 Deploy Registry Event parsers from the [Microsoft Sentinel GitHub repository](https://aka.ms/AsimRegistryEvent).
 
-## Web Sessions parsers
+## Web Session parsers
 
 Microsoft Sentinel provides the following out-of-the-box, product-specific Web Session parsers:
 

articles/sentinel/process-events-normalization-schema.md

@@ -146,7 +146,7 @@ The process event schema references the following entities, which are central to
 | Field          | Class        | Type       | Description   |
 |---------------|--------------|------------|-----------------|
 | <a name="actorusername"></a>**ActorUsername**  | Mandatory    | String     | The Actor username, including domain information when available. For the supported format for different ID types, refer to [the User entity](normalization-about-schemas.md#the-user-entity). Use the simple form only if domain information isn't available.<br><br>Store the Username type in the [ActorUsernameType](#actorusernametype) field. If other username formats are available, store them in the fields `ActorUsername<UsernameType>`.<br><br>Example: `AlbertE`   |
-| **ActorUsernameType**              | Mandatory    | Enumerated |   Specifies the type of the user name stored in the [ActorUsername](#actorusername) field. For a list of allowed values and further information refer to [UsernameType](normalization-about-schemas.md#usernametype) in the [Schema Overview article](normalization-about-schemas.md).<br><br>Example: `Windows`       |
+| <a name="actorusernametype"></a>**ActorUsernameType**              | Mandatory    | Enumerated |   Specifies the type of the user name stored in the [ActorUsername](#actorusername) field. For a list of allowed values and further information refer to [UsernameType](normalization-about-schemas.md#usernametype) in the [Schema Overview article](normalization-about-schemas.md).<br><br>Example: `Windows`       |
 | <a name="actoruserid"></a>**ActorUserId**    | Recommended  | String     |   A machine-readable, alphanumeric, unique representation of the Actor. For the supported format for different ID types, refer to [the User entity](normalization-about-schemas.md#the-user-entity). <br><br>Example: `S-1-12` |
 | **ActorUserIdType**| Recommended  | String     |  The type of the ID stored in the [ActorUserId](#actoruserid) field. For a list of allowed values and further information refer to [UserIdType](normalization-about-schemas.md#useridtype) in the [Schema Overview article](normalization-about-schemas.md). |
 | **ActorSessionId** | Optional     | String     |   The unique ID of the login session of the Actor.  <br><br>Example: `999`<br><br>**Note**: The type is defined as *string* to support varying systems, but on Windows this value must be numeric. <br><br>If you are using a Windows machine and used a different type, make sure to convert the values. For example, if you used a hexadecimal value, convert it to a decimal value.   |
@@ -206,8 +206,8 @@ The process event schema references the following entities, which are central to
 
 | Field          | Class        | Type       | Description   |
 |---------------|--------------|------------|-----------------|
-| <a name="targetusername"></a>**TargetUsername** | Mandatory for process create events. | String     | The target username, including domain information when available. For the supported format for different ID types, refer to [the User entity](normalization-about-schemas.md#the-user-entity). Use the simple form only if domain information isn't available.<br><br>Store the Username type in the [ActorUsernameType](#actorusernametype) field. If other username formats are available, store them in the fields `TargetUsername<UsernameType>`.<br><br>Example: `AlbertE`     |
-| **TargetUsernameType**             | Mandatory for process create events.   | Enumerated | Specifies the type of the user name stored in the [TargetUsername](#targetusername) field. For a list of allowed values and further information refer to [UsernameType](normalization-about-schemas.md#usernametype) in the [Schema Overview article](normalization-about-schemas.md).<br><br>Example: `Windows`       |
+| <a name="targetusername"></a>**TargetUsername** | Mandatory for process create events. | String     | The target username, including domain information when available. For the supported format for different ID types, refer to [the User entity](normalization-about-schemas.md#the-user-entity). Use the simple form only if domain information isn't available.<br><br>Store the Username type in the [TargetUsernameType](#targetusernametype) field. If other username formats are available, store them in the fields `TargetUsername<UsernameType>`.<br><br>Example: `AlbertE`     |
+| <a name="targetusernametype"></a>**TargetUsernameType**             | Mandatory for process create events.   | Enumerated | Specifies the type of the user name stored in the [TargetUsername](#targetusername) field. For a list of allowed values and further information refer to [UsernameType](normalization-about-schemas.md#usernametype) in the [Schema Overview article](normalization-about-schemas.md).<br><br>Example: `Windows`       |
 |<a name="targetuserid"></a> **TargetUserId**   | Recommended | String     | A machine-readable, alphanumeric, unique representation of the target user. For the supported format for different ID types, refer to [the User entity](normalization-about-schemas.md#the-user-entity). <br><br>Example: `S-1-12`  |
 | **TargetUserIdType**               | Recommended | String     | The type of the ID stored in the [TargetUserId](#targetuserid) field. For a list of allowed values and further information refer to [UserIdType](normalization-about-schemas.md#useridtype) in the [Schema Overview article](normalization-about-schemas.md). |
 | **TargetUserSessionId**            | Optional     | String     |The unique ID of the target user's login session. <br><br>Example: `999`          <br><br>**Note**: The type is defined as *string* to support varying systems, but on Windows this value must be numeric. <br><br>If you are using a Windows or Linux machine and used a different type, make sure to convert the values. For example, if you used a hexadecimal value, convert it to a decimal value.     |

articles/sentinel/web-normalization-schema.md

@@ -77,7 +77,7 @@ The following filtering parameters are available:
 | **starttime** | datetime | Filter only Web sessions that **started** at or after this time. |
 | **endtime** | datetime | Filter only Web sessions that **started** running at or before this time. |
 | **srcipaddr_has_any_prefix** | dynamic | Filter only Web sessions for which the [source IP address field](network-normalization-schema.md#srcipaddr) prefix is in one of the listed values. Note that the list of values can include IP addresses as well as IP address prefixes. Prefixes should end with a `.`, for example: `10.0.`. The length of the list is limited to 10,000 items.|
-| **ipaddr_has_any_prefix** | dynamic | Filter only network sessions for which the [destination IP address field](#dstipaddr) or [source IP address field](#srcipaddr) prefix is in one of the listed values. Prefixes should end with a `.`, for example: `10.0.`. The length of the list is limited to 10,000 items.<br><br>The field [ASimMatchingIpAddr](normalization-common-fields.md#asimmatchingipaddr) is set with the one of the values `SrcIpAddr`, `DstIpAddr`, or `Both` to reflect the matching fields or fields. |
+| **ipaddr_has_any_prefix** | dynamic | Filter only network sessions for which the [destination IP address field](network-normalization-schema.md#dstipaddr) or [source IP address field](network-normalization-schema.md#srcipaddr) prefix is in one of the listed values. Prefixes should end with a `.`, for example: `10.0.`. The length of the list is limited to 10,000 items.<br><br>The field [ASimMatchingIpAddr](normalization-common-fields.md#asimmatchingipaddr) is set with the one of the values `SrcIpAddr`, `DstIpAddr`, or `Both` to reflect the matching fields or fields. |
 | **url_has_any** | dynamic | Filter only Web sessions for which the [URL field](#url) has any of the values listed. If specified, and the session is not a web session, no result will be returned. The length of the list is limited to 10,000 items.|  
 | **httpuseragent_has_any** | dynamic | Filter only web sessions for which the [user agent field](#httpuseragent) has any of the values listed. If specified, and the session is not a web session, no result will be returned. The length of the list is limited to 10,000 items. | 
 | **eventresultdetails_in** | dynamic | Filter only web sessions for which the HTTP status code, stored in the [EventResultDetails](#eventresultdetails) field, is any of the values listed. |