MicrosoftDocs
diff --git a/‎articles/sentinel/TOC.yml
Lines changed: 4 additions & 4 deletions b/‎articles/sentinel/TOC.yml
Lines changed: 4 additions & 4 deletions
diff --git a/‎articles/sentinel/audit-sentinel-data.md
Lines changed: 17 additions & 1 deletion b/‎articles/sentinel/audit-sentinel-data.md
Lines changed: 17 additions & 1 deletion
diff --git a/‎articles/sentinel/audit-track-tasks.md
Lines changed: 11 additions & 3 deletions b/‎articles/sentinel/audit-track-tasks.md
Lines changed: 11 additions & 3 deletions
diff --git a/‎articles/sentinel/aws-s3-troubleshoot.md
Lines changed: 9 additions & 0 deletions b/‎articles/sentinel/aws-s3-troubleshoot.md
Lines changed: 9 additions & 0 deletions
diff --git a/‎articles/sentinel/billing-monitor-costs.md
Lines changed: 18 additions & 2 deletions b/‎articles/sentinel/billing-monitor-costs.md
Lines changed: 18 additions & 2 deletions
diff --git a/‎articles/sentinel/bookmarks.md
Lines changed: 1 addition & 1 deletion b/‎articles/sentinel/bookmarks.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/sentinel/connect-microsoft-365-defender.md
Lines changed: 17 additions & 1 deletion b/‎articles/sentinel/connect-microsoft-365-defender.md
Lines changed: 17 additions & 1 deletion
diff --git a/‎articles/sentinel/connect-microsoft-purview.md
Lines changed: 12 additions & 3 deletions b/‎articles/sentinel/connect-microsoft-purview.md
Lines changed: 12 additions & 3 deletions
diff --git a/‎articles/sentinel/create-analytics-rule-from-template.md
Lines changed: 5 additions & 0 deletions b/‎articles/sentinel/create-analytics-rule-from-template.md
Lines changed: 5 additions & 0 deletions
diff --git a/‎articles/sentinel/create-analytics-rules.md
Lines changed: 6 additions & 6 deletions b/‎articles/sentinel/create-analytics-rules.md
Lines changed: 6 additions & 6 deletions
@@ -912,13 +912,13 @@
     - name: Overview
       href: kusto-overview.md
     - name: Query best practices
-      href: /kusto/query/best-practices?toc=/azure/sentinel/TOC.json&bc=/azure/sentinel/breadcrumb/toc.json&view=microsoft-sentinel&preserve-view=true
+      href: /kusto/query/best-practices?view=microsoft-sentinel&preserve-view=true&toc=/azure/sentinel/TOC.json&bc=/azure/sentinel/breadcrumb/toc.json
     - name: SQL to KQL cheat sheet
-      href: /kusto/query/sql-cheat-sheet?toc=/azure/sentinel/TOC.json&bc=/azure/sentinel/breadcrumb/toc.json&view=microsoft-sentinel&preserve-view=true
+      href: /kusto/query/sql-cheat-sheet?view=microsoft-sentinel&preserve-view=true&toc=/azure/sentinel/TOC.json&bc=/azure/sentinel/breadcrumb/toc.json
     - name: Splunk to KQL cheat sheet
-      href: /kusto/query/splunk-cheat-sheet?toc=/azure/sentinel/TOC.json&bc=/azure/sentinel/breadcrumb/toc.json&view=microsoft-sentinel&preserve-view=true
+      href: /kusto/query/splunk-cheat-sheet?view=microsoft-sentinel&preserve-view=true&toc=/azure/sentinel/TOC.json&bc=/azure/sentinel/breadcrumb/toc.json
     - name: KQL quick reference
-      href: /kusto/query/kql-quick-reference?toc=/azure/sentinel/TOC.json&bc=/azure/sentinel/breadcrumb/toc.json&view=microsoft-sentinel&preserve-view=true
+      href: /kusto/query/kql-quick-reference?view=microsoft-sentinel&preserve-view=true&toc=/azure/sentinel/TOC.json&bc=/azure/sentinel/breadcrumb/toc.json
     - name: Other KQL resources
       href: kusto-resources.md 
   - name: Create custom query
 
@@ -177,7 +177,7 @@ LAQueryLogs
 |summarize arg_max(StatsCPUTimeMs, *) by AADClientId
 | extend User = AADEmail, QueryRunTime = StatsCPUTimeMs
 | project User, QueryRunTime, QueryText
-| order by QueryRunTime desc
+| sort by QueryRunTime desc
 ```
 
 ### Show users who ran the most queries in the past week
@@ -233,6 +233,22 @@ Use Microsoft Sentinel's own features to monitor events and actions that occur w
 
 - **Monitor data connector health** using the [Connector Health Push Notification Solution](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Send-ConnectorHealthStatus) playbook to watch for stalled or stopped ingestion, and send notifications when a connector has stopped collecting data or machines have stopped reporting.
 
+See more information on the following items used in the preceding examples, in the Kusto documentation:
+- [***let*** statement](/kusto/query/let-statement?view=microsoft-sentinel&preserve-view=true)
+- [***where*** operator](/kusto/query/where-operator?view=microsoft-sentinel&preserve-view=true)
+- [***project*** operator](/kusto/query/project-operator?view=microsoft-sentinel&preserve-view=true)
+- [***count*** operator](/kusto/query/count-operator?view=microsoft-sentinel&preserve-view=true)
+- [***sort*** operator](/kusto/query/sort-operator?view=microsoft-sentinel&preserve-view=true)
+- [***extend*** operator](/kusto/query/extend-operator?view=microsoft-sentinel&preserve-view=true)
+- [***join*** operator](/kusto/query/join-operator?view=microsoft-sentinel&preserve-view=true)
+- [***summarize*** operator](/kusto/query/summarize-operator?view=microsoft-sentinel&preserve-view=true)
+- [***ago()*** function](/kusto/query/ago-function?view=microsoft-sentinel&preserve-view=true)
+- [***ingestion_time()*** function](/kusto/query/ingestion-time-function?view=microsoft-sentinel&preserve-view=true)
+- [***count()*** aggregation function](/kusto/query/count-aggregation-function?view=microsoft-sentinel&preserve-view=true)
+- [***arg_max()*** aggregation function](/kusto/query/arg-max-aggregation-function?view=microsoft-sentinel&preserve-view=true)
+
+[!INCLUDE [kusto-reference-general-no-alert](includes/kusto-reference-general-no-alert.md)]
+
 ## Next step
 
 In Microsoft Sentinel, use the **Workspace audit** workbook to audit the activities in your SOC environment. For more information, see [Visualize and monitor your data](monitor-your-data.md).
@@ -30,9 +30,9 @@ The detailed information added to the **Tasks** field consists of key-value pair
 | --- | ----- |
 | **createdBy** | The identity that created the task:<br>**- email**: email address of identity<br>**- name**: name of the identity<br>**- objectId**: GUID of the identity<br>**- userPrincipalName**: UPN of the identity |
 | **createdTimeUtc** | Time the task was created, in UTC. |
-| **lastCompletedTimeUtc** | Time the task was marked complete, in UTC.
+| **lastCompletedTimeUtc** | Time the task was marked complete, in UTC. |
 | **lastModifiedBy** | The identity that last modified the task:<br>**- email**: email address of identity<br>**- name**: name of the identity<br>**- objectId**: GUID of the identity<br>**- userPrincipalName**: UPN of the identity |
-| **lastModifiedTimeUtc** | Time the task was last modified, in UTC.
+| **lastModifiedTimeUtc** | Time the task was last modified, in UTC. |
 | **status** | Current status of the task: New, Completed, Deleted. |
 | **taskId** | Resource ID of the task. |
 | **title** | Friendly name given to the task by its creator. |
@@ -118,9 +118,17 @@ SecurityIncident
 | summarize arg_max(lastModifiedTimeUtc, *) by taskId
 | where status !in ('Completed', 'Deleted')
 | project TaskTitle = ['title'], TaskStatus = ['status'], createdTimeUtc, lastModifiedTimeUtc = column_ifexists("lastModifiedTimeUtc", datetime(null)), TaskCreator = ['createdBy'].name, lastModifiedBy, IncidentNumber, IncidentOwner = Owner.userPrincipalName
-| order by lastModifiedTimeUtc desc
+| sort by lastModifiedTimeUtc desc
 ```
 
+See more information on the following items used in the preceding examples, in the Kusto documentation:
+- [***where*** operator](/kusto/query/where-operator?view=microsoft-sentinel&preserve-view=true)
+- [***project*** operator](/kusto/query/project-operator?view=microsoft-sentinel&preserve-view=true)
+- [***sort*** operator](/kusto/query/sort-operator?view=microsoft-sentinel&preserve-view=true)
+- [***summarize*** operator](/kusto/query/summarize-operator?view=microsoft-sentinel&preserve-view=true)
+- [***arg_max()*** aggregation function](/kusto/query/arg-max-aggregation-function?view=microsoft-sentinel&preserve-view=true)
+
+[!INCLUDE [kusto-reference-general-no-alert](includes/kusto-reference-general-no-alert.md)]
 
 ## Next steps
 
 
@@ -149,6 +149,15 @@ There might be errors in the health logs, or the health feature might not be ena
 
 1. If the health feature isn’t enabled, [enable it](enable-monitoring.md).
 
+   See more information on the following items used in the preceding example, in the Kusto documentation:
+   - [***where*** operator](/kusto/query/where-operator?view=microsoft-sentinel&preserve-view=true)
+   - [***extend*** operator](/kusto/query/extend-operator?view=microsoft-sentinel&preserve-view=true)
+   - [***project*** operator](/kusto/query/project-operator?view=microsoft-sentinel&preserve-view=true)
+   - [***mv-expand*** operator](/kusto/query/mv-expand-operator?view=microsoft-sentinel&preserve-view=true)
+   - [***ago()*** function](/kusto/query/ago-function?view=microsoft-sentinel&preserve-view=true)
+
+   [!INCLUDE [kusto-reference-general-no-alert](includes/kusto-reference-general-no-alert.md)]
+
 ## Next steps
 
 In this article, you learned how to quickly identify causes and resolve common issues with the AWS S3 connector.
 
@@ -75,7 +75,7 @@ Usage
 | where StartTime >= startofday(ago(31d)) and EndTime < startofday(now())
 | where IsBillable == true
 | summarize BillableDataGB = sum(Quantity) / 1000. by bin(StartTime, 1d), Solution
-| extend Solution = iif(Solution == "SecurityInsights", "AzureSentinel", Solution)
+| extend Solution = iff(Solution == "SecurityInsights", "AzureSentinel", Solution)
 | render columnchart
 ```
 
@@ -97,10 +97,26 @@ Usage
 | where StartTime >= startofday(ago(31d)) and EndTime < startofday(now())
 | where IsBillable == true
 | summarize BillableDataGB = sum(Quantity) / 1000. by Solution, DataType
-| extend Solution = iif(Solution == "SecurityInsights", "AzureSentinel", Solution)
+| extend Solution = iff(Solution == "SecurityInsights", "AzureSentinel", Solution)
 | sort by Solution asc, DataType asc
 ```
 
+See more information on the following items used in the preceding examples, in the Kusto documentation:
+- [***where*** operator](/kusto/query/where-operator?view=microsoft-sentinel&preserve-view=true)
+- [***extend*** operator](/kusto/query/extend-operator?view=microsoft-sentinel&preserve-view=true)
+- [***summarize*** operator](/kusto/query/summarize-operator?view=microsoft-sentinel&preserve-view=true)
+- [***render*** operator](/kusto/query/render-operator?view=microsoft-sentinel&preserve-view=true)
+- [***sort*** operator](/kusto/query/sort-operator?view=microsoft-sentinel&preserve-view=true)
+- [***iff()*** function](/kusto/query/iff-function?view=microsoft-sentinel&preserve-view=true)
+- [***ago()*** function](/kusto/query/ago-function?view=microsoft-sentinel&preserve-view=true)
+- [***now()*** function](/kusto/query/now-function?view=microsoft-sentinel&preserve-view=true)
+- [***bin()*** function](/kusto/query/bin-function?view=microsoft-sentinel&preserve-view=true)
+- [***startofday()*** function](/kusto/query/startofday-function?view=microsoft-sentinel&preserve-view=true)
+- [***count()*** aggregation function](/kusto/query/count-aggregation-function?view=microsoft-sentinel&preserve-view=true)
+- [***sum()*** aggregation function](/kusto/query/sum-aggregation-function?view=microsoft-sentinel&preserve-view=true)
+
+[!INCLUDE [kusto-reference-general-no-alert](includes/kusto-reference-general-no-alert.md)]
+
 ## Deploy a workbook to visualize data ingestion
 
 The **Workspace Usage Report workbook** provides your workspace's data consumption, cost, and usage statistics. The workbook gives the workspace's data ingestion status and amount of free and billable data. You can use the workbook logic to monitor data ingestion and costs, and to build custom views and rule-based alerts.
 
@@ -120,7 +120,7 @@ View bookmarked queries, results, or their history.
 
    :::image type="content" source="media/bookmarks/bookmark-logs.png" alt-text="Screenshot of bookmark logs command.":::
 
-This view shows all your bookmarks with associated metadata. You can use [Kusto Query Language (KQL)](/azure/data-explorer/kql-quick-reference) queries to filter down to the latest version of the specific bookmark you're looking for.
+This view shows all your bookmarks with associated metadata. You can use [Kusto Query Language (KQL)](/kusto/query/kql-quick-reference?view=microsoft-sentinel&preserve-view=true) queries to filter down to the latest version of the specific bookmark you're looking for.
 
 There can be a significant delay (measured in minutes) between the time you create a bookmark and when it's displayed in the **Bookmarks** tab.
 
 
@@ -66,7 +66,7 @@ To ingest and synchronize Microsoft Defender XDR incidents with all their alerts
 
    ```kusto
       SecurityIncident
-      |    where ProviderName == "Microsoft 365 Defender"
+      | where ProviderName == "Microsoft 365 Defender"
    ```
 
 When you enable the Microsoft Defender XDR connector, any Microsoft Defender components’ connectors that were previously connected are automatically disconnected in the background. Although they continue to *appear* connected, no data flows through them.
@@ -178,6 +178,22 @@ let Now = now();
 | render timechart
 ```
 
+See more information on the following items used in the preceding examples, in the Kusto documentation:
+- [***let*** statement](/kusto/query/let-statement?view=microsoft-sentinel&preserve-view=true)
+- [***where*** operator](/kusto/query/where-operator?view=microsoft-sentinel&preserve-view=true)
+- [***extend*** operator](/kusto/query/extend-operator?view=microsoft-sentinel&preserve-view=true)
+- [***project*** operator](/kusto/query/project-operator?view=microsoft-sentinel&preserve-view=true)
+- [***union*** operator](/kusto/query/union-operator?view=microsoft-sentinel&preserve-view=true)
+- [***sort*** operator](/kusto/query/sort-operator?view=microsoft-sentinel&preserve-view=true)
+- [***summarize*** operator](/kusto/query/summarize-operator?view=microsoft-sentinel&preserve-view=true)
+- [***render*** operator](/kusto/query/render-operator?view=microsoft-sentinel&preserve-view=true)
+- [***ago()*** function](/kusto/query/ago-function?view=microsoft-sentinel&preserve-view=true)
+- [***iff()*** function](/kusto/query/iff-function?view=microsoft-sentinel&preserve-view=true)
+- [***max()*** aggregation function](/kusto/query/max-aggregation-function?view=microsoft-sentinel&preserve-view=true)
+- [***count()*** aggregation function](/kusto/query/count-aggregation-function?view=microsoft-sentinel&preserve-view=true)
+
+[!INCLUDE [kusto-reference-general-no-alert](includes/kusto-reference-general-no-alert.md)]
+
 ## Next step
 
 In this document, you learned how to integrate Microsoft Defender XDR incidents, alerts, and advanced hunting event data from Microsoft Defender services, into Microsoft Sentinel, by using the Microsoft Defender XDR connector.
 
@@ -97,14 +97,23 @@ To disconnect the Azure Information Protection connector:
      '"MySensitivityLabelId": "MyLabel3"'
      '}');
      MicrosoftPurviewInformationProtection
-     | extend SensitivityLabelName = iif(isnotempty(SensitivityLabelId), 
+     | extend SensitivityLabelName = iff(isnotempty(SensitivityLabelId), 
     tostring(labelsMap[tostring(SensitivityLabelId)]), "")
-     | extend OldSensitivityLabelName = iif(isnotempty(OldSensitivityLabelId), 
+     | extend OldSensitivityLabelName = iff(isnotempty(OldSensitivityLabelId), 
     tostring(labelsMap[tostring(OldSensitivityLabelId)]), "")
     ```
  
 - The `MicrosoftPurviewInformationProtection` table and the `OfficeActivity` table might include some duplicated events.
- 
+
+See more information on the following items used in the preceding examples, in the Kusto documentation:
+- [***let*** statement](/kusto/query/let-statement?view=microsoft-sentinel&preserve-view=true)
+- [***extend*** operator](/kusto/query/extend-operator?view=microsoft-sentinel&preserve-view=true)
+- [***parse_json()*** function](/kusto/query/parse-json-function?view=microsoft-sentinel&preserve-view=true)
+- [***iff()*** function](/kusto/query/iff-function?view=microsoft-sentinel&preserve-view=true)
+- [***tostring()*** function](/kusto/query/tostring-function?view=microsoft-sentinel&preserve-view=true)
+
+[!INCLUDE [kusto-reference-general-no-alert](includes/kusto-reference-general-no-alert.md)]
+
 ## Next steps
 
 In this article, you learned how to set up the Microsoft Purview Information Protection connector to track, analyze, report on the data, and use it for compliance purposes. To learn more about Microsoft Sentinel, see the following articles:
 
@@ -84,6 +84,11 @@ From the Microsoft Defender navigation menu, expand **Microsoft Sentinel**, then
 
 1. Cycle through the tabs of the wizard, customizing the logic and other rule settings where possible to better suit your specific needs. 
 
+    If you need to make any changes to the query itself, consult the following articles from the Kusto documentation for help:
+    - [Kusto Query Language in Microsoft Sentinel](kusto-overview.md)
+    - [KQL quick reference guide](/kusto/query/kql-quick-reference?view=microsoft-sentinel&preserve-view=true)
+    - [Best practices for Kusto Query Language queries](/kusto/query/best-practices?view=microsoft-sentinel&preserve-view=true)
+
     When you get to the end of the rule creation wizard, Microsoft Sentinel creates the rule. The new rule appears in the **Active rules** tab.
 
     Repeat the process to create more rules. For more details on how to customize your rules in the rule creation wizard, see [Create a custom analytics rule from scratch](create-analytics-rules.md).
 
@@ -46,7 +46,7 @@ Before you do anything else, you should design and build a query in Kusto Query
 
 For some helpful tips for building Kusto queries, see [Best practices for analytics rule queries](scheduled-rules-overview.md#best-practices-for-analytics-rule-queries).
 
-For more help building Kusto queries, see [Kusto Query Language in Microsoft Sentinel](kusto-overview.md) and [Best practices for Kusto Query Language queries](/kusto/query/best-practices?view=microsoft-sentinel&preserve-view=true&toc=%2Fazure%2Fsentinel%2FTOC.json&bc=%2Fazure%2Fsentinel%2Fbreadcrumb%2Ftoc.json).
+For more help building Kusto queries, see [Kusto Query Language in Microsoft Sentinel](kusto-overview.md) and [Best practices for Kusto Query Language queries](/kusto/query/best-practices?view=microsoft-sentinel&preserve-view=true) (from the Kusto documentation).
 
 ## Create your analytics rule
 
@@ -239,15 +239,15 @@ In the **Incident settings** tab, choose whether Microsoft Sentinel turns alerts
 
         - If you still have any playbooks listed here, you should instead create an automation rule based on the **alert created trigger** and invoke the playbook from the automation rule. After you've done that, select the ellipsis at the end of the line of the playbook listed here, and select **Remove**. See [Migrate your Microsoft Sentinel alert-trigger playbooks to automation rules](migrate-playbooks-to-automation-rules.md) for full instructions.
 
-# [Azure portal](#tab/azure-portal)
+    # [Azure portal](#tab/azure-portal)
 
-:::image type="content" source="media/create-analytics-rules/automated-response-tab.png" alt-text="Screenshot of automated response screen of analytics rule wizard in the Azure portal.":::
+    :::image type="content" source="media/create-analytics-rules/automated-response-tab.png" alt-text="Screenshot of automated response screen of analytics rule wizard in the Azure portal.":::
 
-# [Defender portal](#tab/defender-portal)
+    # [Defender portal](#tab/defender-portal)
 
-:::image type="content" source="media/create-analytics-rules/defender-automated-response.png" alt-text="Screenshot of automated response screen of analytics rule wizard in the Defender portal.":::
+    :::image type="content" source="media/create-analytics-rules/defender-automated-response.png" alt-text="Screenshot of automated response screen of analytics rule wizard in the Defender portal.":::
 
----
+    ---
 
 1. Select **Next: Review and create** to review all the settings for your new analytics rule.