
Commit 024b7e4

Merge pull request #50268 from KenMAG/Bugs
Updated per triage app feedback, and improved Acrolinx scores
2 parents 10d26ea + 809a151 commit 024b7e4


5 files changed

+18
-16
lines changed


learn-pr/wwl-sci/construct-kusto-query-language-statements/2-understand-kusto-query-language-statement-structure.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -4,8 +4,8 @@ title: Understand the Kusto Query Language statement structure
44
metadata:
55
title: Understand the Kusto Query Language statement structure
66
description: "Understand the Kusto Query Language statement structure"
7-
ms.date: 02/23/2023
8-
author: wwlpublish
7+
ms.date: 05/02/2025
8+
author: KenMAG
99
ms.author: kelawson
1010
ms.topic: unit
1111
azureSandbox: false
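Review bot: the author field moves from the shared wwlpublish account to the personal handle KenMAG while ms.author stays kelawson; confirm that is the intended ownership model for these units, since the same swap is repeated in 5-use-let-statement.yml and index.yml in this commit and should stay consistent across the module.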

learn-pr/wwl-sci/construct-kusto-query-language-statements/5-use-let-statement.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -4,8 +4,8 @@ title: Use the let statement
44
metadata:
55
title: Use the let statement
66
description: "Use the let statement"
7-
ms.date: 02/23/2023
8-
author: wwlpublish
7+
ms.date: 05/02/2025
8+
author: KenMAG
99
ms.author: kelawson
1010
ms.topic: unit
1111
azureSandbox: false

learn-pr/wwl-sci/construct-kusto-query-language-statements/includes/2-understand-kusto-query-language-statement-structure.md

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -6,19 +6,19 @@ The tabular expression statement's syntax has tabular data flow from one tabular
66

77
For example, the following query has a single statement, which is a tabular expression statement. The statement starts with a table called SecurityEvent. The EventID column's value filters the data (rows) and then the results are summarized by creating a new column for the count() by Account. Next, in the Prepare phase, the results are then limited to 10 rows.
88

9-
:::image type="content" source="../media/kql-pipe.png" alt-text="Diagram of K Q L Statement showing data, condition and evidence.":::
9+
:::image type="content" source="../media/kql-pipe.png" alt-text="Diagram of K Q L Statement showing data, condition, and evidence.":::
1010

1111
> [!IMPORTANT]
12-
> It is essential to understand how the results flow through the pipe "|". Everything on the left of the pipe is processed then passed to the right of the pipe.
12+
> It's essential to understand how the results flow through the pipe "|". Everything on the left of the pipe is processed then passed to the right of the pipe.
1313
1414
## Access the Log Analytics demo environment
1515

16-
Microsoft provides access to an environment to practice writing KQL statements. The only requirement is to have an account to log into Azure. There are no charges to your Azure account to access this environment. You can execute the KQL statements in this module in the demo environment.
16+
Microsoft provides access to an environment to practice writing KQL statements. The only requirement is to have an account to log into Azure. There are no charges to your Azure account to access this environment. You can execute the KQL statements in this module in the demo environment.
1717

18-
You can access the demo environment at the [Logs Demo site](https://aka.ms/lademo). If you receive the message "No results found", try changing the time range.
18+
You can access the demo environment at the [Logs Demo site](https://aka.ms/lademo). If you receive the message *No results found*, try increasing the time range (or timeOffset) to > 30 days.
1919

2020
> [!IMPORTANT]
21-
> The log analytics demo database is a dynamic environment. The events recorded in the tables in that environment are continuously updating with different security events. This is similar to what a person would experience in a real-world security operations setting. As a result, finite queries in this training may show no results depending on the state of the demo database at the time the query is run. For example, a query on the *SecurityEvent* table for "discardEventID = 4688" within the last day may show no results if that particular event last took place three days ago. Therefore, you may need to adjust variables in the scripts listed in this training ad hoc depending on what data is in the demo database at the time you run the script in order for the query to show results. These script adjustments are similar to what you would perform in the real world and should help you learn how the specific parts of the script function.
21+
> The log analytics demo database is a dynamic environment. The events recorded in the tables in that environment are continuously updating with different security events. This is similar to what a person would experience in a real-world security operations setting. As a result, finite queries in this training may show no results depending on the state of the demo database at the time the query is run. For example, a query on the *SecurityEvent* table for "discardEventID = 4688" within the last day may show no results if that particular event last took place three days ago. Therefore, you may need to adjust variables in the scripts listed in this training depending on what data is in the demo database at the time you run the script in order for the query to show results. These script adjustments are similar to what you would perform in the real world and should help you learn how the specific parts of the script function.
2222
2323
:::image type="content" source="../media/log-analytics-demo-2.png" alt-text="Screenshot of the Log Analytics Demo Environment.":::
2424

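Review bot: the new text on line 18 tells the reader to increase "the time range (or timeOffset)", but timeOffset is only introduced in the let statement unit (includes/5-use-let-statement.md), so in this unit the parenthetical has no referent; either drop it or point to that unit. The line 16 pair renders identically, so it is presumably a whitespace-only edit. The IMPORTANT note on line 21 still spells the variable discardEventID while the let statement unit writes discardEventId; pick one casing.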
learn-pr/wwl-sci/construct-kusto-query-language-statements/includes/5-use-let-statement.md

Lines changed: 6 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1,8 +1,11 @@
1-
Let statements bind names to expressions. For the rest of the scope, where the let statement appear, the name refers to its bound value. Let statements improve modularity and reuse since they allow you to break a potentially complex expression into multiple parts. Each part is bound to a name through the let statement, and together they compose the whole. Let statements allow for the creation of user-defined functions and views. The views are expressions whose results look like a new table.
1+
Let statements bind names to expressions. For the rest of the scope, where the let statement appear, the name refers to its bound value. Let statements improve modularity and reuse since they allow you to break a potentially complex expression into multiple parts. Each part is bound to a name through the let statement, and together they compose the whole. Let statements allow for the creation of user-defined functions and views. The views are expressions whose results look like a new table.
22

33
## Declare and reuse variables
44

5-
Let statements allow for the creation of variables to be used in later statements. In this example, timeOffSet and discardEventId are created and used as part of the SecurityEvent "where" clause.
5+
Let statements allow for the creation of variables to be used in later statements. In this example, timeOffSet and discardEventId are created and used as part of the SecurityEvent "where" clause.
6+
7+
> [!NOTE]
8+
> You may need to increase the timeOffset and time ranges to see results in the [Logs Demo site](https://aka.ms/lademo) environment. We suggest using > 30 days if you don't see results.
69
710
```kusto
811
let timeOffset = 7d;
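Review bot: the prose on line 5 still writes timeOffSet while the code immediately below and the new NOTE use timeOffset; since this line is already in the changed set, align the casing. Line 1 is also touched but still reads "where the let statement appear", which should be "appears". In the NOTE, spelling out "more than 30 days" instead of "> 30 days" avoids a comparison symbol sitting next to the blockquote marker.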
@@ -14,7 +17,7 @@ SecurityEvent
1417
```
1518

1619
> [!TIP]
17-
> "ago()" is a function that will take the current Date and Time and subtract the value provided.
20+
> "ago()" is a function that takes the current Date and Time and subtract the value provided.
1821
1922
## Declare dynamic tables or lists
2023

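Review bot: the rewritten TIP on line 20 introduces a subject-verb mismatch: "takes the current Date and Time and subtract" should be "subtracts". While here, lowercase "date and time", since they are not proper nouns.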
@@ -35,4 +38,3 @@ let LowActivityAccounts =
3538
| where cnt < 1000;
3639
LowActivityAccounts | where Account contains "SQL"
3740
```
38-

learn-pr/wwl-sci/construct-kusto-query-language-statements/index.yml

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -3,13 +3,13 @@ uid: learn.wwl.construct-kql-statements
33
metadata:
44
title: Construct KQL statements for Microsoft Sentinel
55
description: "Construct KQL statements for Microsoft Sentinel"
6-
ms.date: 09/20/2024
7-
author: wwlpublish
6+
ms.date: 05/02/2025
7+
author: KenMAG
88
ms.author: kelawson
99
ms.topic: module
1010
ms.service: microsoft-sentinel
1111
title: Construct KQL statements for Microsoft Sentinel
12-
summary: Kusto Query Language (KQL) is the query language used to perform analysis on data to create analytics, workbooks, and perform hunting in Microsoft Sentinel. Learn how basic KQL statement structure provides the foundation to build more complex statements.
12+
summary: Kusto Query Language (KQL) is the query language used to perform analysis on data to create analytics, workbooks, and perform hunting in Microsoft Sentinel. Learn how basic KQL statement structure provides the foundation to build more complex statements.
1313
abstract: |
1414
Upon completion of this module, the learner is able to:
1515
- Construct KQL statements
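Review bot: the summary on line 12 is in the changed set but renders identically, so it is presumably a whitespace-only edit; since the line is being touched anyway, fix the parallelism: "used to perform analysis on data to create analytics, workbooks, and perform hunting" reads better as "used to analyze data, create analytics and workbooks, and perform hunting in Microsoft Sentinel".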
