Merge pull request #250037 from yelevin/yelevin/entities-reference

Entities reference update

Author: JamesJBarnett

articles/sentinel/entities.md

@@ -2,15 +2,15 @@
 title: Use entities to classify and analyze data in Microsoft Sentinel
 description: Assign entity classifications (users, hostnames, IP addresses) to data items in Microsoft Sentinel, and use them to compare, analyze, and correlate data from multiple sources.
 author: yelevin
+ms.author: yelevin
 ms.topic: conceptual
 ms.date: 07/26/2022
-ms.author: yelevin
 ms.custom: ignite-fall-2021
 ---
 
 # Classify and analyze data using entities in Microsoft Sentinel
 
-When alerts are sent to or generated by Microsoft Sentinel, they contain data items that Sentinel can recognize and classify into categories as **entities**. When Microsoft Sentinel understands what kind of entity a particular data item represents, it knows the right questions to ask about it, and it can then compare insights about that item across the full range of data sources, and easily track it and refer to it throughout the entire Sentinel experience - analytics, investigation, remediation, hunting, and so on. Some common examples of entities are users, hosts, files, processes, IP addresses, and URLs.
+When alerts are sent to or generated by Microsoft Sentinel, they contain data items that Sentinel can recognize and classify into categories as **entities**. When Microsoft Sentinel understands what kind of entity a particular data item represents, it knows the right questions to ask about it, and it can then compare insights about that item across the full range of data sources, and easily track it and refer to it throughout the entire Sentinel experience - analytics, investigation, remediation, hunting, and so on. Some common examples of entities are user accounts, hosts, files, processes, IP addresses, and URLs.
 
 ## Entity identifiers
 
@@ -30,21 +30,20 @@ In order to minimize the risk of this happening, you should verify that all of y
 
 The following types of entities are currently identified in Microsoft Sentinel:
 
-- User account
+- Account
 - Host
 - IP address
-- Malware
-- File
-- Process
-- Cloud application
-- Domain name
+- URL
 - Azure resource
+- Cloud application
+- DNS resolution
+- File
 - File hash
+- Malware
+- Process
 - Registry key
 - Registry value
 - Security group
-- URL
-- IoT device
 - Mailbox
 - Mail cluster
 - Mail message

articles/sentinel/map-data-fields-to-entities.md

@@ -26,13 +26,17 @@ The procedure detailed below is part of the analytics rule creation wizard. It's
 
 1. Select a scheduled query rule and select **Edit** from the details pane. Or create a new rule by clicking **Create > Scheduled query rule** at the top of the screen.
 
-1. Select the **Set rule logic** tab. 
+1. Select the **Set rule logic** tab. If a new rule, type a query in the **Rule query** window.
 
-1. In the **Alert enrichment** section, expand **Entity mapping**.
+1. In the **Alert enhancement** section, expand **Entity mapping**.
 
     :::image type="content" source="media/map-data-fields-to-entities/alert-enrichment.png" alt-text="Expand entity mapping":::
 
-1. In the now-expanded **Entity mapping** section, select an entity type from the **Entity type** drop-down list.
+1. In the now-expanded **Entity mapping** section, select **Add new entity**.
+
+    :::image type="content" source="media/map-data-fields-to-entities/add-new-entity.png" alt-text="Screenshot shows how to add a new entity.":::
+
+1. Select an entity type from the **Entity** drop-down list.
 
     :::image type="content" source="media/map-data-fields-to-entities/choose-entity-type.png" alt-text="Choose an entity type":::