
Commit beda4b8

Merge pull request #196119 from yelevin/yelevin/bugfix-alert-details
Removed Preview disclaimers from other enrichment docs
2 parents d0941b9 + 62f1a05 commit beda4b8

9 files changed: +12 -23 lines

articles/sentinel/customize-alert-details.md

Lines changed: 1 addition & 1 deletion
@@ -28,7 +28,7 @@ The procedure detailed below is part of the analytics rule creation wizard. It's
2828

2929
1. Click the **Set rule logic** tab.
3030

31-
1. In the **Alert enrichment (Preview)** section, expand **Alert details**.
31+
1. In the **Alert enrichment** section, expand **Alert details**.
3232

3333
:::image type="content" source="media/customize-alert-details/alert-enrichment.png" alt-text="Customize alert details":::
3434
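Review bot: ms.date is not bumped in this file, while the other two articles in this change move it to 04/26/2022; since the visible text of the page changes here (the "(Preview)" qualifier dropped at line 31), the metadata date should be updated in the same way so the three enrichment articles stay consistent.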

articles/sentinel/map-data-fields-to-entities.md

Lines changed: 7 additions & 16 deletions
@@ -3,7 +3,7 @@ title: Map data fields to Microsoft Sentinel entities | Microsoft Docs
33
description: Map data fields in tables to Microsoft Sentinel entities in analytics rules, for better incident information
44
author: yelevin
55
ms.topic: how-to
6-
ms.date: 11/09/2021
6+
ms.date: 04/26/2022
77
ms.author: yelevin
88
ms.custom: ignite-fall-2021
99
---
@@ -14,11 +14,7 @@ ms.custom: ignite-fall-2021
1414

1515
> [!IMPORTANT]
1616
>
17-
> - The new version of the entity mapping feature is in **PREVIEW**. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
18-
19-
> [!IMPORTANT]
20-
>
21-
> - See [Notes on the new version](#notes-on-the-new-version) at the end of this document for important information about backward compatibility and differences between the new and old versions of entity mapping.
17+
> - See "[Notes on the new version](#notes-on-the-new-version)" at the end of this document for important information about backward compatibility and differences between the new and old versions of entity mapping.
2218
2319
## Introduction
2420

@@ -34,7 +30,7 @@ The procedure detailed below is part of the analytics rule creation wizard. It's
3430

3531
1. Select the **Set rule logic** tab.
3632

37-
1. In the **Alert enrichment (Preview)** section, expand **Entity mapping**.
33+
1. In the **Alert enrichment** section, expand **Entity mapping**.
3834

3935
:::image type="content" source="media/map-data-fields-to-entities/alert-enrichment.png" alt-text="Expand entity mapping":::
4036

@@ -58,24 +54,19 @@ The procedure detailed below is part of the analytics rule creation wizard. It's
5854
> - **Each mapped entity can identify *up to ten entities***.
5955
> - If an alert contains more than ten items that correspond to a single entity mapping, only the first ten will be recognized as entities and be able to be analyzed as such.
6056
> - This limitation applies to actual mappings, not to entity types. So if you have three different mapped entities for IP addresses (say, source, destination, and gateway), each of those mappings can accommodate ten entities.
57+
>
6158
> - **The size limit for an entire alert is *64 KB***.
6259
> - Alerts that grow larger than 64 KB will be truncated. As entities are identified, they are added to the alert one by one until the alert size reaches 64 KB, and any remaining entities are dropped from the alert.
6360
6461
## Notes on the new version
6562

66-
- If you had previously defined entity mappings for this analytics rule using the old version, those mappings appear in the query code. Entity mappings defined under the new version **do not appear in the query code**. Analytics rules can only support one version of entity mappings at a time, and the new version takes precedence. Therefore, any single mapping you define here will cause **any and all** mappings defined in the query code to be **disregarded** when the query runs.
67-
68-
- If you still need to use the **old version** of entity mapping (as long as the new version is still in preview), you can still access it using a feature flag in the URL. Place your cursor between `https://portal.azure.com/` and `#blade`, and insert the text `?feature.EntityMapping=false`.
69-
70-
- The limits of the old version will continue to apply. You can map only the user, host, IP address, URL, and file hash entities, and only one of each.
71-
72-
- You must **remove** any entity mappings created using the new version **before** you return to the old version, otherwise any entity mappings that use the old version **will not work**.
73-
74-
- Once the new version of entity mapping is in General Availability, it will no longer be possible to use the old version. It is highly recommended that you migrate your old entity mappings to the new version.
63+
- As the new version is now generally available (GA), the feature-flag workaround to use the old version is no longer available.
7564

65+
- If you had previously defined entity mappings for this analytics rule using the old version, they will be automatically converted to the new version.
7666

7767
## Next steps
7868

7969
In this document, you learned how to map data fields to entities in Microsoft Sentinel analytics rules. To learn more about Microsoft Sentinel, see the following articles:
70+
8071
- Get the complete picture on [scheduled query analytics rules](detect-threats-custom.md).
8172
- Learn more about [entities in Microsoft Sentinel](entities.md).
Six binary image files under media/ also changed (not shown): -1.07 KB, -1.57 KB, 8.17 KB, -2.09 KB, one with no size reported, -1.22 KB.

articles/sentinel/surface-custom-details-in-alerts.md

Lines changed: 4 additions & 6 deletions
@@ -3,7 +3,7 @@ title: Surface custom details in Microsoft Sentinel alerts | Microsoft Docs
33
description: Extract and surface custom event details in alerts in Microsoft Sentinel analytics rules, for better and more complete incident information
44
author: yelevin
55
ms.topic: how-to
6-
ms.date: 11/09/2021
6+
ms.date: 04/26/2022
77
ms.author: yelevin
88
ms.custom: ignite-fall-2021
99
---
@@ -12,10 +12,6 @@ ms.custom: ignite-fall-2021
1212

1313
[!INCLUDE [Banner for top of topics](./includes/banner.md)]
1414

15-
> [!IMPORTANT]
16-
>
17-
> - The custom details feature is in **PREVIEW**. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
18-
1915
## Introduction
2016

2117
[Scheduled query analytics rules](detect-threats-custom.md) analyze **events** from data sources connected to Microsoft Sentinel, and produce **alerts** when the contents of these events are significant from a security perspective. These alerts are further analyzed, grouped, and filtered by Microsoft Sentinel's various engines and distilled into **incidents** that warrant a SOC analyst's attention. However, when the analyst views the incident, only the properties of the component alerts themselves are immediately visible. Getting to the actual content - the information contained in the events - requires doing some digging.
@@ -32,7 +28,7 @@ The procedure detailed below is part of the analytics rule creation wizard. It's
3228

3329
1. Click the **Set rule logic** tab.
3430

35-
1. In the **Alert enrichment (Preview)** section, expand **Custom details**.
31+
1. In the **Alert enrichment** section, expand **Custom details**.
3632

3733
:::image type="content" source="media/surface-custom-details-in-alerts/alert-enrichment.png" alt-text="Find and select custom details":::
3834

@@ -58,6 +54,8 @@ The procedure detailed below is part of the analytics rule creation wizard. It's
5854
> - The size limit for all custom details, collectively, is **2 KB**.
5955
6056
## Next steps
57+
6158
In this document, you learned how to surface custom details in alerts using Microsoft Sentinel analytics rules. To learn more about Microsoft Sentinel, see the following articles:
59+
6260
- Get the complete picture on [scheduled query analytics rules](detect-threats-custom.md).
6361
- Learn more about [entities in Microsoft Sentinel](entities.md).
