Merge pull request #172353 from oshezaf/normalization/rename-dns-ti-rules

PRMerger15 · web-flow · commit e9adba92deee · 2021-09-14T01:44:41.000-07:00
Updated network and DNS content/parser lists
diff --git a/articles/sentinel/network-normalization-schema.md b/articles/sentinel/network-normalization-schema.md
@@ -102,7 +102,19 @@ To use a source-agnostic parser that unifies all built-in parsers, and ensure th
 
 Deploy the [source-agnostic and source-specific parsers](normalization-about-parsers.md) from the [Azure Sentinel GitHub repository](https://aka.ms/AzSentinelNetworkSession).
 
-## Add your own normalized parsers
+### Built-in source-specific parsers
+
+Azure Sentinel provides the following built-in, product-specific Network Session parsers:
+
+- Source specific parsers:
+  - **Microsoft 365 Defender for Endpoints** - vimNetworkSessionMicrosoft365Defender
+  - **Microsoft Defender for IoT - Endpoint (MD4IoT)** - vimNetworkSessionMD4IoT
+  - **Microsoft Sysmon for Linux** - vimNetworkSessionSysmonLinux
+  - **Windows Events Firewall** - Windows firewall activity as collected using Windows Events 515x, collected using either the Log Analytics Agent or the Azure Monitor Agent into either the Event or the WindowsEvent table, vimNetworkSessionMicrosoftWindowsEventFirewall 
+
+The parsers can be deployed from the [Azure Sentinel GitHub repository](https://aka.ms/AzSentinelNetworkSession).
+
+### Add your own normalized parsers
 
 When implementing custom parsers for the Network Session information model, name your KQL functions using the following syntax: `imNetworkSession<vendor><Product>`. This function should map all fields relevant for the source.
 
diff --git a/articles/sentinel/normalization-content.md b/articles/sentinel/normalization-content.md
@@ -53,8 +53,8 @@ The following built-in DNS query content is supported for ASIM normalization.
 
 ### Analytics rules
 
- - (Preview) TI map Domain entity to Dns Event (Normalized DNS)
- - (Preview) TI map IP entity to DnsEvents (Normalized DNS)
+ - (Preview) TI map Domain entity to DNS Events (Normalized DNS)
+ - (Preview) TI map IP entity to DNS Events (Normalized DNS)
  - [Potential DGA detected (ASimDNS)](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml)
   - [Excessive NXDOMAIN DNS Queries (Normalized DNS)](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml)
  - [DNS events related to mining pools (Normalized DNS)](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_Miners.yaml)
