Merge pull request #125158 from ArieHein/Spelling-Wave-38
Spelling Fixes
Jak-MS authored Dec 18, 2024
2 parents f2111fb + c5e13af commit 1868306
Showing 25 changed files with 34 additions and 34 deletions.
4 changes: 2 additions & 2 deletions articles/sentinel/cef-name-mapping.md
Original file line number Diff line number Diff line change
Expand Up @@ -51,7 +51,7 @@ The following tables map Common Event Format (CEF) field names to the names they
| dmac | DestinationMacAddress | The destination MAC address (FQDN) |
| dntdom | DestinationNTDomain | The Windows domain name of the destination address.|
| dpid | DestinationProcessId |The ID of the destination process associated with the event.|
| dpriv | DestinationUserPrivileges | Defines the destination use's privileges. <br>Valid values: `Admninistrator`, `User`, `Guest` |
| dpriv | DestinationUserPrivileges | Defines the destination use's privileges. <br>Valid values: `Administrator`, `User`, `Guest` |
| dproc | DestinationProcessName | The name of the event’s destination process, such as `telnetd` or `sshd.` |
| dpt | DestinationPort | Destination port. <br>Valid values: `*0` - `65535` |
| dst | DestinationIP | The destination IpV4 address that the event refers to in an IP network. |
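Review bot: the edited `dpriv` row still carries a second typo, `destination use's privileges`, which should read `destination user's privileges`; since the line is already being touched for `Administrator`, fix both in one pass. The `dproc` row two lines below also puts the period inside the code span (`sshd.`), which renders as part of the process name; move it outside the backticks.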
Expand Down Expand Up @@ -113,7 +113,7 @@ The following tables map Common Event Format (CEF) field names to the names they
| requestMethod | RequestMethod | The method used to access a URL. <br><br>Valid values include methods such as `POST`, `GET`, and so on. |
| rt | ReceiptTime | The time at which the event related to the activity was received. |
|Severity | <a name="logseverity"></a> LogSeverity | A string or integer that describes the importance of the event.<br><br> Valid string values: `Unknown` , `Low`, `Medium`, `High`, `Very-High` <br><br>Valid integer values are:<br> - `0`-`3` = Low <br>- `4`-`6` = Medium<br>- `7`-`8` = High<br>- `9`-`10` = Very-High |
| shost | SourceHostName |Identifies the source that event refers to in an IP network. Format should be a fully qualified domain name (DQDN) associated with the source node, when a node is available. For example, `host` or `host.domain.com`. |
| shost | SourceHostName |Identifies the source that event refers to in an IP network. Format should be a fully qualified domain name (FQDN) associated with the source node, when a node is available. For example, `host` or `host.domain.com`. |
| smac | SourceMacAddress | Source MAC address. |
| sntdom | SourceNTDomain | The Windows domain name for the source address. |
| sourceDnsDomain | SourceDnsDomain | The DNS domain part of the complete FQDN. |
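Review bot: the edited `shost` row still reads `Identifies the source that event refers to`; it needs `the` before `event` (`the source that the event refers to`), matching the wording of the `dst` row in the previous hunk. Worth fixing while this line is already being changed.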
Expand Down
2 changes: 1 addition & 1 deletion articles/sentinel/ci-cd-custom-content.md
Original file line number Diff line number Diff line change
Expand Up @@ -66,7 +66,7 @@ A sample repository is available with ARM templates for each of the content type
## Improve performance with smart deployments

> [!TIP]
> To ensure smart deployments works in GitHub, Workflows must have read and write permissions on your repositoriy. See [Managing GitHub Actions settings for a repository](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository) for more details.
> To ensure smart deployments works in GitHub, Workflows must have read and write permissions on your repository. See [Managing GitHub Actions settings for a repository](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository) for more details.
>
The **smart deployments** feature is a back-end capability that improves performance by actively tracking modifications made to the content files of a connected repository. It uses a CSV file within the '.sentinel' folder in your repository to audit each commit. The workflow avoids redeploying content that hasn't been modified since the last deployment. This process improves your deployment performance and prevents tampering with unchanged content in your workspace, such as resetting dynamic schedules of your analytics rules.
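Review bot: the tip tells readers to grant workflows read and write permissions on the repository but not why; the paragraph right below explains that smart deployments writes a tracking CSV into the `.sentinel` folder to audit each commit, so the write scope exists to commit that file. Saying so in the tip itself lets readers understand what they are granting instead of enabling write access blindly. Also `smart deployments works` should be `the smart deployments feature works` or `smart deployments work`.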
Expand Down
2 changes: 1 addition & 1 deletion articles/sentinel/connect-data-sources.md
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ appliesto:
- Microsoft Sentinel in the Azure portal
- Microsoft Sentinel in the Microsoft Defender portal
ms.collection: usx-security
#Customer intent: As a security eningeer, I want to use data connectors to integrate various data sources into Microsoft Sentinel so that I can enhance threat detection and response capabilities.
#Customer intent: As a security engineer, I want to use data connectors to integrate various data sources into Microsoft Sentinel so that I can enhance threat detection and response capabilities.
---

# Microsoft Sentinel data connectors
Expand Down
2 changes: 1 addition & 1 deletion articles/sentinel/customer-managed-keys.md
Original file line number Diff line number Diff line change
Expand Up @@ -48,7 +48,7 @@ This article provides background information and steps to configure a [customer-

## How CMK works

The Microsoft Sentinel solution uses a dedicated Log Analytics cluser for log collection and features. As part of the Microsoft Sentinel CMK configuration, you must configure the CMK settings on the related Log Analytics dedicated cluster. Data saved by Microsoft Sentinel in storage resources other than Log Analytics is also encrypted using the customer-managed key configured for the dedicated Log Analytics cluster.
The Microsoft Sentinel solution uses a dedicated Log Analytics cluster for log collection and features. As part of the Microsoft Sentinel CMK configuration, you must configure the CMK settings on the related Log Analytics dedicated cluster. Data saved by Microsoft Sentinel in storage resources other than Log Analytics is also encrypted using the customer-managed key configured for the dedicated Log Analytics cluster.

For more information, see:
- [Azure Monitor customer-managed keys (CMK)](/azure/azure-monitor/logs/customer-managed-keys).
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ This article details the security content available for the Microsoft Sentinel s
|**F&O – Mass update or deletion of user account records** |Identifies large delete or update operations on Finance and Operations user records based on predefined thresholds. <br><br>Default update threshold: **50**<br>Default delete threshold: **10** |Deletions or modifications in Finance and Operations portal, under **Modules > System Administration > Users**<br><br>Data source: `FinanceOperationsActivity_CL` |Impact |
|**F&O – Bank account change following network alias reassignment** |Identifies updates to bank account number by a user account which his alias was recently modified to a new value. |Changes in bank account number, in Finance and Operations portal, under **Workspaces > Bank management > All bank accounts** correlated with a relevant change in the user account to alias mapping.<br><br>Data source: `FinanceOperationsActivity_CL` |Credential Access, Lateral Movement, Privilege Escalation |
|**F&O – Reverted bank account number modifications** |Identifies changes to bank account numbers in Finance & Operations, whereby a bank account number is modified but then subsequently reverted a short time later. |Changes in bank account number, in Finance and Operations portal, under **Workspaces > Bank management > All bank accounts**.<br><br>Data source: `FinanceOperationsActivity_CL` |Impact |
|**F&O – Unusual sign-in activity using single factor authentication** |Identifies successful sign-in events to Finance & Operations and Lifecycle Services using single factor/password authentication. <br><Br>Sign-in events from tenants that aren't using MFA, coming from a Microsoft Entra ID trusted network location, or from geographic locations seen in the last 14 days are excluded.<br><br>This detection uses logs ingested from Microsoft Entra ID and you must enable the [Microsoft Entra data connector](../data-connectors/microsoft-entra-id.md). |Sign-ins to the monitored Finance and Operations environment.<br><br>Data source: `Singinlogs` |Credential Access, Initial Access |
|**F&O – Unusual sign-in activity using single factor authentication** |Identifies successful sign-in events to Finance & Operations and Lifecycle Services using single factor/password authentication. <br><Br>Sign-in events from tenants that aren't using MFA, coming from a Microsoft Entra ID trusted network location, or from geographic locations seen in the last 14 days are excluded.<br><br>This detection uses logs ingested from Microsoft Entra ID and you must enable the [Microsoft Entra data connector](../data-connectors/microsoft-entra-id.md). |Sign-ins to the monitored Finance and Operations environment.<br><br>Data source: `Signinlogs` |Credential Access, Initial Access |

## Related content

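Review bot: the corrected data source on the last row, `Signinlogs`, still does not match the table name used elsewhere in this PR, `SigninLogs` (the KQL sample in investigate-with-ueba.md starts with `SigninLogs`). Since this column is a table name readers will copy into queries, use the exact casing `SigninLogs`. The `Bank account change` row two lines up also has the grammar slip `a user account which his alias was recently modified`, which should be `a user account whose alias was recently modified`.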
Expand Down
2 changes: 1 addition & 1 deletion articles/sentinel/entities-reference.md
Original file line number Diff line number Diff line change
Expand Up @@ -196,7 +196,7 @@ The following section contains a more in-depth look at the full schemas of each
- **Address**
\*\* Address alone is a unique, strong identifier when the IP address is a global address.
- **Address + AddressScope**
\*\* For private/internal, non-global IP addresses, the AddressScope component is required to make this a strong identifer.
\*\* For private/internal, non-global IP addresses, the AddressScope component is required to make this a strong identifier.

[Back to list of entity type schemas](#list-of-entity-type-schemas) | [Back to entity identifiers table](#entity-types-and-identifiers)

Expand Down
4 changes: 2 additions & 2 deletions articles/sentinel/entities.md
Original file line number Diff line number Diff line change
Expand Up @@ -26,13 +26,13 @@ In the Microsoft Defender portal, entities generally fall into two main categori

## Entity identifiers

Microsoft Sentinel supports a wide variety of entity types. Each type has its own unique attributes, which are represented as fields in the entity schema, and are called **identifiers**. See the full list of supported entities [below](#supported-entities), and the complete set of entity schemas and identifers in [Microsoft Sentinel entity types reference](entities-reference.md).
Microsoft Sentinel supports a wide variety of entity types. Each type has its own unique attributes, which are represented as fields in the entity schema, and are called **identifiers**. See the full list of supported entities [below](#supported-entities), and the complete set of entity schemas and identifiers in [Microsoft Sentinel entity types reference](entities-reference.md).

### Strong and weak identifiers

For each type of entity there are fields, or sets of fields, that can identify particular instances of that entity. These fields or sets of fields can be referred to as **strong identifiers** if they can uniquely identify an entity without any ambiguity, or as **weak identifiers** if they can identify an entity under some circumstances, but are not guaranteed to uniquely identify an entity in all cases. In many cases, though, a selection of weak identifiers can be combined to produce a strong identifier.

For example, user accounts can be identified as **account** entities in more than one way: using a single **strong identifer** like a Microsoft Entra account's numeric identifier (the **GUID** field), or its **User Principal Name (UPN)** value, or alternatively, using a combination of **weak identifiers** like its **Name** and **NTDomain** fields. Different data sources can identify the same user in different ways. Whenever Microsoft Sentinel encounters two entities that it can recognize as the same entity based on their identifiers, it merges the two entities into a single entity, so that it can be handled properly and consistently.
For example, user accounts can be identified as **account** entities in more than one way: using a single **strong identifier** like a Microsoft Entra account's numeric identifier (the **GUID** field), or its **User Principal Name (UPN)** value, or alternatively, using a combination of **weak identifiers** like its **Name** and **NTDomain** fields. Different data sources can identify the same user in different ways. Whenever Microsoft Sentinel encounters two entities that it can recognize as the same entity based on their identifiers, it merges the two entities into a single entity, so that it can be handled properly and consistently.

If, however, one of your resource providers creates an alert in which an entity is not sufficiently identified&mdash;for example, using only a single **weak identifier** like a user name without the domain name context&mdash;then the user entity cannot be merged with other instances of the same user account. Those other instances would be identified as a separate entity, and those two entities would remain separate instead of unified.

Expand Down
2 changes: 1 addition & 1 deletion articles/sentinel/investigate-with-ueba.md
Original file line number Diff line number Diff line change
Expand Up @@ -104,7 +104,7 @@ For example:
```kusto
SigninLogs
| where AppDisplayName == "GithHub.Com"
| where AppDisplayName == "GitHub.Com"
| join kind=inner (
IdentityInfo
| summarize arg_max(TimeGenerated, *) by AccountObjectId) on $left.UserId == $right.AccountObjectId
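Review bot: `where AppDisplayName == "GitHub.Com"` uses KQL's case-sensitive string comparison; if the application's display name in `SigninLogs` differs in casing from `GitHub.Com`, the example silently returns no rows. Using the case-insensitive operator (`| where AppDisplayName =~ "GitHub.Com"`) makes the sample more robust for readers adapting it, or the text should state that the value must match the display name exactly.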
Expand Down
2 changes: 1 addition & 1 deletion articles/sentinel/migration-arcsight-detection-rules.md
Original file line number Diff line number Diff line change
Expand Up @@ -204,7 +204,7 @@ As a third option, use a parameter function:
2. Define the parameters of the function. For example:
```kusto
Tbl: (TimeGenerated:datatime, Computer:string,
Tbl: (TimeGenerated:datetime, Computer:string,
EventID:string, SubjectDomainName:string,
TargetDomainName:string, SubjectUserName:string)
```
Expand Down
2 changes: 1 addition & 1 deletion articles/sentinel/migration-qradar-historical-data.md
Original file line number Diff line number Diff line change
Expand Up @@ -73,7 +73,7 @@ To execute the search query:
```
1. Review the output. If the value in the `status` field is `COMPLETED`, continue to the next step. If the status isn't `COMPLETED`, check the value in the `progress` field, and after 5-10 minutes, run the command you ran in step 4.
1. Review the output and ensure that the status is `COMPELETED`.
1. Review the output and ensure that the status is `COMPLETED`.
1. Run one of these commands to download the results or returned data from the JSON file to a folder on the current system:
- For the QRadar Console user ID method, run:
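Review bot: the corrected step `Review the output and ensure that the status is COMPLETED` duplicates the step immediately before it, which already tells the reader to continue only when `status` is `COMPLETED` and to re-run the command otherwise; consider merging the two into one step so the procedure does not ask for the same check twice.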
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -117,7 +117,7 @@ Use this table to compare the main concepts of your legacy SIEM to Microsoft Sen
| | Jupyter Notebooks | Jupyter Notebooks | Microsoft Sentinel notebooks |
| Dashboards | Dashboards | Dashboards | Workbooks |
| Correlation rules | Building blocks | Correlation rules | Analytics rules |
|Incident queue |Offences tab |Incident review |**Incident** page |
|Incident queue |Offenses tab |Incident review |**Incident** page |

## Next steps

Expand Down
2 changes: 1 addition & 1 deletion articles/sentinel/normalization-develop-parsers.md
Original file line number Diff line number Diff line change
Expand Up @@ -513,7 +513,7 @@ To submit the event samples, use the following steps:

- Export the results using the **Export to CSV** option to a file named `<TableName>_schema.csv`, where `TableName` is the name of source table the parser uses.

- Include both files in your PR in the folder `/Sample Data/ASIM`. If the file already exists, add your GitHub handle to the name, for example: `<EventVendor>_<EventProduct>_<EventSchema>_SchemaTest_<GitHubHanlde>.csv`
- Include both files in your PR in the folder `/Sample Data/ASIM`. If the file already exists, add your GitHub handle to the name, for example: `<EventVendor>_<EventProduct>_<EventSchema>_SchemaTest_<GitHubHandle>.csv`

### Test results submission guidelines

Expand Down
4 changes: 2 additions & 2 deletions articles/sentinel/normalization-parsers-list.md
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@ To use ASIM alert event parsers, deploy the parsers from the [Microsoft Sentinel
| **Source** | **Notes** | **Parser**
| --- | --------------------------- | ---------- |
| **Defender XDR Alerts** | Microsoft Defender XDR alert events (in the `AlertEvidence` table). | `ASimAlertEventMicrosoftDefenderXDR` |
| **Exchange 365 administrative events** | SentinelOne Singlularity `Threats.` events (in the `SentinelOne_CL` table). | `ASimAlertEventSentinelOneSingularity` |
| **SentinelOne Singularity** | SentinelOne Singularity `Threats.` events (in the `SentinelOne_CL` table). | `ASimAlertEventSentinelOneSingularity` |

## Audit event parsers

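Review bot: this row changes more than spelling: the **Source** cell goes from `Exchange 365 administrative events` to `SentinelOne Singularity`, correcting what looks like a copy-paste error in the first column. That deserves a mention in the commit message, since `Spelling Fixes` alone would not lead a reader to expect a content change in the parser table. Also, the trailing period inside the code span `Threats.` renders as part of the event name; if it is not literally part of the value, move it outside the backticks.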
Expand All @@ -50,7 +50,7 @@ To use ASIM authentication parsers, deploy the parsers from the [Microsoft Senti
- reported by Microsoft Defender XDR for Endpoint, collected using the Microsoft Defender XDR connector.
- **Linux sign-ins**
- reported by Microsoft Defender XDR for Endpoint, collected using the Microsoft Defender XDR connector.
- `su`, `sudu`, and `sshd` activity reported using Syslog.
- `su`, `sudo`, and `sshd` activity reported using Syslog.
- reported by Microsoft Defender to IoT Endpoint.
- **Microsoft Entra sign-ins**, collected using the Microsoft Entra connector. Separate parsers are provided for regular, Non-Interactive, Managed Identities and Service Principles Sign-ins.
- **AWS sign-ins**, collected using the AWS CloudTrail connector.
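Review bot: the `sudu` to `sudo` fix is right, but the same hunk's context line about Microsoft Entra sign-ins still says `Service Principles Sign-ins`; the Entra term is service principals, so `Service Principals sign-ins` should be corrected in the same pass.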
Expand Down
4 changes: 2 additions & 2 deletions articles/sentinel/normalization-schema-audit.md
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,7 @@ Audit events also reference the following entities, which are involved in the co

- **Actor** - The user performing the configuration operation.
- **TargetApp** - The application or system for which the configuration operation applies.
- **Target** - The system on which **TaregtApp*** is running.
- **Target** - The system on which **TargetApp*** is running.
- **ActingApp** - The application used by the **Actor** to perform the configuration operation.
- **Src** - The system used by the **Actor** to initiate the configuration operation, if different than **Target**.

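Review bot: the edited line has three closing asterisks in `**TargetApp***`, which leaves a stray `*` rendered after the bold text; it should be `**TargetApp**`, matching the `**Actor**` and `**Target**` markup on the neighbouring lines.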
Expand Down Expand Up @@ -160,7 +160,7 @@ Fields that appear in the table are common to all ASIM schemas. Any of guideline

| Field | Class | Type | Description |
|---------------|--------------|------------|-----------------|
| <a name="dst"></a>**Dst** | Alias | String | A unique identifier of the authentication target. <br><br>This field may alias the [TargerDvcId](#targetdvcid), [TargetHostname](#targethostname), [TargetIpAddr](#targetipaddr), [TargetAppId](#targetappid), or [TargetAppName](#targetappname) fields. <br><br>Example: `192.168.12.1` |
| <a name="dst"></a>**Dst** | Alias | String | A unique identifier of the authentication target. <br><br>This field may alias the [TargetDvcId](#targetdvcid), [TargetHostname](#targethostname), [TargetIpAddr](#targetipaddr), [TargetAppId](#targetappid), or [TargetAppName](#targetappname) fields. <br><br>Example: `192.168.12.1` |
| <a name="targethostname"></a>**TargetHostname** | Recommended | Hostname | The target device hostname, excluding domain information.<br><br>Example: `DESKTOP-1282V4D` |
| <a name="targetdomain"></a>**TargetDomain** | Recommended | String | The domain of the target device.<br><br>Example: `Contoso` |
| <a name="targetdomaintype"></a>**TargetDomainType** | Conditional | Enumerated | The type of [TargetDomain](#targetdomain). For a list of allowed values and further information, refer to [DomainType](normalization-about-schemas.md#domaintype) in the [Schema Overview article](normalization-about-schemas.md).<br><br>Required if [TargetDomain](#targetdomain) is used. |
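Review bot: the `Dst` description on the edited line says `A unique identifier of the authentication target`, but this file is the audit schema, whose targets are the systems and applications a configuration operation applies to (see the `Target` and `TargetApp` entity definitions earlier in this diff); the wording looks copied from the authentication schema and should probably describe the target of the configuration operation. Also confirm that a `#targetdvcid` anchor exists in this file, since the link previously pointed at the misspelled name and the `TargetDvcId` row is not visible in this hunk.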
Expand Down

0 comments on commit 1868306