Commit d69e0d5

Continued work 4
1 parent 4f6c2ca commit d69e0d5

4 files changed, +17 -7 lines changed

articles/sentinel/migration-convert-dashboards.md

Lines changed: 1 addition & 1 deletion
@@ -60,7 +60,7 @@ Before finalizing your KQL queries, always review and tune the queries to improv
6060

6161
For more information, see the following resources:
6262

63-
- [KQL query best practices](/azure/data-explorer/kusto/query/best-practices)
63+
- [KQL query best practices](/kusto/query/best-practices?view=microsoft-sentinel&preserve-view=true)
6464
- [Optimize queries in Azure Monitor Logs](/azure/azure-monitor/logs/query-optimization)
6565
- [Optimizing KQL performance (webinar)](https://youtu.be/jN1Cz0JcLYU)
6666
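Review bot: the updated best-practices link in this file omits the `toc=` and `bc=` query parameters that the same target carries in the other two files of this commit (monitor-analytics-rule-integrity.md and scheduled-rules-overview.md), so a reader following it from the dashboards article drops out of the Sentinel table of contents; either append `&toc=%2Fazure%2Fsentinel%2FTOC.json&bc=%2Fazure%2Fsentinel%2Fbreadcrumb%2Ftoc.json` here as well or remove them everywhere for one consistent style. Since the `/azure/data-explorer` prefix is gone, also confirm in the build link report that `/kusto/query/best-practices?view=microsoft-sentinel&preserve-view=true` resolves.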

articles/sentinel/migration-ingestion-target-platform.md

Lines changed: 1 addition & 1 deletion
@@ -27,7 +27,7 @@ This article compares target platforms in terms of performance, cost, usability
2727
|**Management overhead**: |**Fully managed**<br><br>The search and archive options are fully managed and don't add management overhead. |**High**<br><br>ADX is external to Microsoft Sentinel, which requires monitoring and maintenance. |**Low**<br><br>While this platform requires little maintenance, selecting this platform adds monitoring and configuration tasks, such as setting up lifecycle management. |**Medium**<br><br>With this option, you maintain and monitor ADX and Azure Blob Storage, both of which are external components to Microsoft Sentinel. While ADX can be shut down at times, consider the extra management overhead with this option. |
2828
|**Performance**: |**Medium**<br><br>You typically interact with basic logs within the archive using [search jobs](/azure/azure-monitor/logs/search-jobs), which are suitable when you want to maintain access to the data, but don't need immediate access to the data. |**High to low**<br><br>• The query performance of an ADX cluster depends on the number of nodes in the cluster, the cluster virtual machine SKU, data partitioning, and more.<br>• As you add nodes to the cluster, the performance improves, with added cost.<br>• If you use ADX, we recommend that you configure your cluster size to balance performance and cost. This configuration depends on your organization's needs, including how fast your migration needs to complete, how often the data is accessed, and the expected response time. |**Low**<br><br>Offers two performance tiers: Premium or Standard. Although both tiers are an option for long-term storage, Standard is more cost-efficient. Learn about [performance and scalability limits](../storage/common/scalability-targets-standard-account.md). |**Low**<br><br>Because the data resides in the Blob Storage, the performance is limited by that platform. |
2929
|**Cost**: |**High**<br><br>The cost is composed of two components:<br>• **Ingestion cost**. Every GB of data ingested into Basic Logs is subject to Microsoft Sentinel and Azure Monitor Logs ingestion costs, which sum up to approximately $1/GB. See the [pricing details](https://azure.microsoft.com/pricing/details/microsoft-sentinel/).<br>• **Archival cost**. The cost for data in the archive tier sums up to approximately $0.02/GB per month. See the [pricing details](https://azure.microsoft.com/pricing/details/monitor/).<br>In addition to these two cost components, if you need frequent access to the data, extra costs apply when you access data via search jobs. |**High to low**<br><br>• Because ADX is a cluster of virtual machines, you're charged based on compute, storage and networking usage, plus an ADX markup (see the [pricing details](https://azure.microsoft.com/pricing/details/data-explorer/). Therefore, the more nodes you add to your cluster and the more data you store, the higher the cost will be.<br>• ADX also offers autoscaling capabilities to adapt to workload on demand. ADX can also benefit from Reserved Instance pricing. You can run your own cost calculations in the [Azure Pricing Calculator](https://azure.microsoft.com/pricing/calculator/). |**Low**<br><br>With optimal setup, Azure Blob Storage has the lowest costs. For greater efficiency and cost savings, [Azure Storage lifecycle management](../storage/blobs/lifecycle-management-overview.md) can be used to automatically place older blobs into cheaper storage tiers. |**Low**<br><br>ADX only acts as a proxy in this case, so the cluster can be small. In addition, the cluster can be shut down when you don't need access to the data and only start it when data access is needed.. |
30-
|**How to access data**: |[Search jobs](search-jobs.md) |Direct KQL queries |[externaldata](/azure/data-explorer/kusto/query/externaldata-operator) |Modified KQL queries |
30+
|**How to access data**: |[Search jobs](search-jobs.md) |Direct KQL queries | KQL [***externaldata*** operator](/kusto/query/externaldata-operator?view=microsoft-sentinel&preserve-view=true) |Modified KQL queries |
3131
|**Scenario**: |**Occasional access**<br><br>Relevant in scenarios where you don’t need to run heavy analytics or trigger analytics rules, and you only need to access the data occasionally. |**Frequent access**<br><br>Relevant in scenarios where you need to access the data frequently, and need to control how the cluster is sized and configured. |**Compliance/audit**<br><br>• Optimal for storing massive amounts of unstructured data.<br>• Relevant in scenarios where you don't need quick access to the data or high performance, such as for compliance or audit purposes. |**Occasional access**<br><br>Relevant in scenarios where you want to benefit from the low cost of Azure Blob Storage, and maintain relatively quick access to the data. |
3232
|**Complexity**: |Very low |Medium |Low |High |
3333
|**Readiness**: |GA |GA |GA |GA |

articles/sentinel/monitor-analytics-rule-integrity.md

Lines changed: 9 additions & 2 deletions
@@ -144,7 +144,14 @@ Here are some sample queries to help you get started:
144144
| summarize Count = count() by Caller, Activity=Description
145145
```
146146
147-
147+
See more information on the following items used in the preceding examples, in the Kusto documentation:
148+
- [***where*** operator](/kusto/query/where-operator?view=microsoft-sentinel&preserve-view=true)
149+
- [***summarize*** operator](/kusto/query/summarize-operator?view=microsoft-sentinel&preserve-view=true)
150+
- [***tostring()*** function](/kusto/query/tostring-function?view=microsoft-sentinel&preserve-view=true)
151+
- [***count()*** aggregation function](/kusto/query/count-aggregation-function?view=microsoft-sentinel&preserve-view=true)
152+
- [***dcount()*** aggregation function](/kusto/query/dcount-aggregation-function?view=microsoft-sentinel&preserve-view=true)
153+
154+
[!INCLUDE [kusto-reference-general-no-alert](includes/kusto-reference-general-no-alert.md)]
148155
149156
### Statuses, errors and suggested steps
150157
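Review bot: the new list tells the reader that `where`, `tostring()` and `dcount()` are used in the preceding examples, but the only query text visible in this hunk's context is `| summarize Count = count() by Caller, Activity=Description`; confirm that each listed operator and function actually appears in the sample queries above so the list does not send readers to documentation for things the page never shows. Smaller points: the lead-in sentence reads awkwardly with the comma before `in the Kusto documentation` (suggest `For more information on the operators and functions used in the preceding examples, see the Kusto documentation:`), it now follows the closing ``` fence with no blank line between them, and the two empty lines before the `[!INCLUDE ...]` can be reduced to one.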
@@ -164,7 +171,7 @@ For either **Scheduled analytics rule run** or **NRT analytics rule run**, you m
164171
| A function called by the query is named with a reserved word. | Remove or rename the function. |
165172
| A syntax error occurred while running the query. | Try resetting the analytics rule by editing and saving it (without changing any settings). |
166173
| The workspace does not exist. | |
167-
| This query was found to use too many system resources and was prevented from running. | Review and tune the analytics rule. Consult our Kusto Query Language [overview](kusto-overview.md) and [best practices](/azure/data-explorer/kusto/query/best-practices?toc=%2Fazure%2Fsentinel%2FTOC.json&bc=%2Fazure%2Fsentinel%2Fbreadcrumb%2Ftoc.json) documentation. |
174+
| This query was found to use too many system resources and was prevented from running. | Review and tune the analytics rule. Consult our Kusto Query Language [overview](kusto-overview.md) and [best practices](/kusto/query/best-practices?view=microsoft-sentinel&preserve-view=true&toc=%2Fazure%2Fsentinel%2FTOC.json&bc=%2Fazure%2Fsentinel%2Fbreadcrumb%2Ftoc.json) documentation. |
168175
| A function called by the query was not found. | Verify the existence in your workspace of all functions called by the query. |
169176
| The workspace used in the query was not found. | Verify that all workspaces in the query exist. |
170177
| You don't have permissions to run this query. | Try resetting the analytics rule by editing and saving it (without changing any settings). |

articles/sentinel/scheduled-rules-overview.md

Lines changed: 6 additions & 3 deletions
@@ -92,15 +92,18 @@ Everything you type into the rule query window is instantly validated, so you fi
9292

9393
- We recommend you use an [Advanced Security Information Model (ASIM) parser](normalization-about-parsers.md) as your query source, instead of using a native table. This will ensure that the query supports any current or future relevant data source or family of data sources, rather than relying on a single data source.
9494

95-
- The query length should be between 1 and 10,000 characters and cannot contain "`search *`" or "`union *`". You can use [user-defined functions](/azure/data-explorer/kusto/query/functions/user-defined-functions) to overcome the query length limitation, as a single function can replace dozens of lines of code.
95+
- The query length should be between 1 and 10,000 characters and cannot contain "`search *`" or "`union *`". You can use [user-defined functions](/kusto/query/functions/user-defined-functions?view=microsoft-sentinel&preserve-view=true) to overcome the query length limitation, as a single function can replace dozens of lines of code.
9696

9797
- Using ADX functions to create Azure Data Explorer queries inside the Log Analytics query window **is not supported**.
9898

99-
- When using the **`bag_unpack`** function in a query, if you [project the columns](/azure/data-explorer/kusto/query/projectoperator) as fields using "`project field1`" and the column doesn't exist, the query will fail. To guard against this happening, you must [project the column](/azure/data-explorer/kusto/query/projectoperator) as follows:
99+
- When using the **`bag_unpack`** function in a query, if you [project the columns](/kusto/query/project-operator?view=microsoft-sentinel&preserve-view=true) as fields using "`project field1`" and the column doesn't exist, the query will fail. To guard against this happening, you must [project the column](/kusto/query/project-operator?view=microsoft-sentinel&preserve-view=true) as follows:
100100

101101
`project field1 = column_ifexists("field1","")`
102102

103-
For more help building Kusto queries, see [Kusto Query Language in Microsoft Sentinel](kusto-overview.md) and [Best practices for Kusto Query Language queries](/azure/data-explorer/kusto/query/best-practices?toc=%2Fazure%2Fsentinel%2FTOC.json&bc=%2Fazure%2Fsentinel%2Fbreadcrumb%2Ftoc.json).
103+
For more help building Kusto queries, see the following articles:
104+
- [Kusto Query Language in Microsoft Sentinel](kusto-overview.md)
105+
- [KQL quick reference guide](/kusto/query/kql-quick-reference?view=microsoft-sentinel&preserve-view=true&toc=%2Fazure%2Fsentinel%2FTOC.json&bc=%2Fazure%2Fsentinel%2Fbreadcrumb%2Ftoc.json)
106+
- [Best practices for Kusto Query Language queries](/kusto/query/best-practices?view=microsoft-sentinel&preserve-view=true&toc=%2Fazure%2Fsentinel%2FTOC.json&bc=%2Fazure%2Fsentinel%2Fbreadcrumb%2Ftoc.json)
104107

105108
### Alert enhancement
106109
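Review bot: in the `bag_unpack` bullet the same target (`/kusto/query/project-operator?view=microsoft-sentinel&preserve-view=true`) is linked twice in one sentence, as `project the columns` and again as `project the column`; link it once and leave the second mention as plain text. Link style inside this hunk is also inconsistent: the user-defined-functions and project-operator URLs carry no `toc=`/`bc=` parameters while the quick-reference and best-practices entries in the new list do, so some links keep the reader in the Sentinel TOC and others do not; pick one form for all four.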
