Merge pull request #185233 from oshezaf/asim/update_resourceid

PRMerger9 · web-flow · commit d4ff3d6c2b89 · 2022-01-17T01:46:28.000-08:00
ASIM update ResourceId note
diff --git a/articles/sentinel/normalization-about-schemas.md b/articles/sentinel/normalization-about-schemas.md
@@ -75,7 +75,7 @@ The following fields are generated by Log Analytics for each record. They can be
 | Field         | Type     | Discussion      |
 | ------------- | -------- | ----------------------------------------------------------------------------------------------------------------------------------------- |
 | <a name="timegenerated"></a>**TimeGenerated** | datetime | The time the event was generated by the reporting device.|
-| **_ResourceId**   | guid     | The Azure Resource ID of the reporting device or service, or the log forwarder resource ID for events forwarded by using Syslog, CEF, or WEF. |
+| **_ResourceId**   | guid     | The Azure Resource ID of the reporting device or service, or the log forwarder resource ID for events forwarded by using Syslog, CEF, or WEF. **_ResourceId** is not generated for sources for that do not have a resource concept, such as Microsoft Defender for Endpoint and will be empty for events from these sources.   |
 | **Type** | String | The original table from which the record was fetched. This field is useful when the same event can be received through multiple channels to different tables, and have the same [EventVendor](#eventvendor) and [EventProduct](#eventproduct) values.<br><br>For example, a Sysmon event can be collected either to the `Event` table or to the `WindowsEvent` table. |
 | | | |
 
