diff --git a/articles/sentinel/cef-name-mapping.md b/articles/sentinel/cef-name-mapping.md
index e7533609d3874..0e47ef0aa9ff0 100644
--- a/articles/sentinel/cef-name-mapping.md
+++ b/articles/sentinel/cef-name-mapping.md
@@ -51,7 +51,7 @@ The following tables map Common Event Format (CEF) field names to the names they
| dmac | DestinationMacAddress | The destination MAC address (FQDN) |
| dntdom | DestinationNTDomain | The Windows domain name of the destination address.|
| dpid | DestinationProcessId |The ID of the destination process associated with the event.|
-| dpriv | DestinationUserPrivileges | Defines the destination use's privileges.
Valid values: `Admninistrator`, `User`, `Guest` |
+| dpriv | DestinationUserPrivileges | Defines the destination use's privileges.
Valid values: `Administrator`, `User`, `Guest` |
| dproc | DestinationProcessName | The name of the event’s destination process, such as `telnetd` or `sshd.` |
| dpt | DestinationPort | Destination port.
Valid values: `*0` - `65535` |
| dst | DestinationIP | The destination IpV4 address that the event refers to in an IP network. |
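Review bot: the corrected `dpriv` row still reads "Defines the destination use's privileges", which should be "user's". Since this pass already touches the line, fix that too. In the neighbouring context rows, `sshd.` has the sentence period inside the code span and the `dpt` range is written `*0`, both of which read as literal values.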
@@ -113,7 +113,7 @@ The following tables map Common Event Format (CEF) field names to the names they
| requestMethod | RequestMethod | The method used to access a URL.
Valid values include methods such as `POST`, `GET`, and so on. |
| rt | ReceiptTime | The time at which the event related to the activity was received. |
|Severity | LogSeverity | A string or integer that describes the importance of the event.
Valid string values: `Unknown` , `Low`, `Medium`, `High`, `Very-High`
Valid integer values are:
- `0`-`3` = Low
- `4`-`6` = Medium
- `7`-`8` = High
- `9`-`10` = Very-High |
-| shost | SourceHostName |Identifies the source that event refers to in an IP network. Format should be a fully qualified domain name (DQDN) associated with the source node, when a node is available. For example, `host` or `host.domain.com`. |
+| shost | SourceHostName |Identifies the source that event refers to in an IP network. Format should be a fully qualified domain name (FQDN) associated with the source node, when a node is available. For example, `host` or `host.domain.com`. |
| smac | SourceMacAddress | Source MAC address. |
| sntdom | SourceNTDomain | The Windows domain name for the source address. |
| sourceDnsDomain | SourceDnsDomain | The DNS domain part of the complete FQDN. |
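Review bot: the `shost` row now says the format should be a fully qualified domain name, yet the first example it gives is the bare `host`, which is not fully qualified. Either reword to say a short host name is accepted when no FQDN is available, or drop that example. "Identifies the source that event refers to" is also missing "an".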
diff --git a/articles/sentinel/ci-cd-custom-content.md b/articles/sentinel/ci-cd-custom-content.md
index c0ebf2979b953..6c1fe5e8af1d2 100644
--- a/articles/sentinel/ci-cd-custom-content.md
+++ b/articles/sentinel/ci-cd-custom-content.md
@@ -66,7 +66,7 @@ A sample repository is available with ARM templates for each of the content type
## Improve performance with smart deployments
> [!TIP]
-> To ensure smart deployments works in GitHub, Workflows must have read and write permissions on your repositoriy. See [Managing GitHub Actions settings for a repository](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository) for more details.
+> To ensure smart deployments works in GitHub, Workflows must have read and write permissions on your repository. See [Managing GitHub Actions settings for a repository](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository) for more details.
>
The **smart deployments** feature is a back-end capability that improves performance by actively tracking modifications made to the content files of a connected repository. It uses a CSV file within the '.sentinel' folder in your repository to audit each commit. The workflow avoids redeploying content that hasn't been modified since the last deployment. This process improves your deployment performance and prevents tampering with unchanged content in your workspace, such as resetting dynamic schedules of your analytics rules.
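Review bot: the tip asks for read and write workflow permissions on the repository without saying why write access is needed. The paragraph after it explains that the feature keeps a CSV file in the '.sentinel' folder, so the tip should point to that reason, letting readers judge the permission grant. The corrected sentence also still reads "To ensure smart deployments works" (subject and verb disagree) and capitalizes "Workflows" mid-sentence.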
diff --git a/articles/sentinel/connect-data-sources.md b/articles/sentinel/connect-data-sources.md
index dcb36697174d2..c2767bd6d3e11 100644
--- a/articles/sentinel/connect-data-sources.md
+++ b/articles/sentinel/connect-data-sources.md
@@ -9,7 +9,7 @@ appliesto:
- Microsoft Sentinel in the Azure portal
- Microsoft Sentinel in the Microsoft Defender portal
ms.collection: usx-security
-#Customer intent: As a security eningeer, I want to use data connectors to integrate various data sources into Microsoft Sentinel so that I can enhance threat detection and response capabilities.
+#Customer intent: As a security engineer, I want to use data connectors to integrate various data sources into Microsoft Sentinel so that I can enhance threat detection and response capabilities.
---
# Microsoft Sentinel data connectors
diff --git a/articles/sentinel/customer-managed-keys.md b/articles/sentinel/customer-managed-keys.md
index d14a6a993603e..b013ba58074ce 100644
--- a/articles/sentinel/customer-managed-keys.md
+++ b/articles/sentinel/customer-managed-keys.md
@@ -48,7 +48,7 @@ This article provides background information and steps to configure a [customer-
## How CMK works
-The Microsoft Sentinel solution uses a dedicated Log Analytics cluser for log collection and features. As part of the Microsoft Sentinel CMK configuration, you must configure the CMK settings on the related Log Analytics dedicated cluster. Data saved by Microsoft Sentinel in storage resources other than Log Analytics is also encrypted using the customer-managed key configured for the dedicated Log Analytics cluster.
+The Microsoft Sentinel solution uses a dedicated Log Analytics cluster for log collection and features. As part of the Microsoft Sentinel CMK configuration, you must configure the CMK settings on the related Log Analytics dedicated cluster. Data saved by Microsoft Sentinel in storage resources other than Log Analytics is also encrypted using the customer-managed key configured for the dedicated Log Analytics cluster.
For more information, see:
- [Azure Monitor customer-managed keys (CMK)](/azure/azure-monitor/logs/customer-managed-keys).
diff --git a/articles/sentinel/dynamics-365/dynamics-365-finance-operations-security-content.md b/articles/sentinel/dynamics-365/dynamics-365-finance-operations-security-content.md
index 84c5099b8a9b2..8c38d663de0cd 100644
--- a/articles/sentinel/dynamics-365/dynamics-365-finance-operations-security-content.md
+++ b/articles/sentinel/dynamics-365/dynamics-365-finance-operations-security-content.md
@@ -29,7 +29,7 @@ This article details the security content available for the Microsoft Sentinel s
|**F&O – Mass update or deletion of user account records** |Identifies large delete or update operations on Finance and Operations user records based on predefined thresholds.
Default update threshold: **50**
Default delete threshold: **10** |Deletions or modifications in Finance and Operations portal, under **Modules > System Administration > Users**
Data source: `FinanceOperationsActivity_CL` |Impact |
|**F&O – Bank account change following network alias reassignment** |Identifies updates to bank account number by a user account which his alias was recently modified to a new value. |Changes in bank account number, in Finance and Operations portal, under **Workspaces > Bank management > All bank accounts** correlated with a relevant change in the user account to alias mapping.
Data source: `FinanceOperationsActivity_CL` |Credential Access, Lateral Movement, Privilege Escalation |
|**F&O – Reverted bank account number modifications** |Identifies changes to bank account numbers in Finance & Operations, whereby a bank account number is modified but then subsequently reverted a short time later. |Changes in bank account number, in Finance and Operations portal, under **Workspaces > Bank management > All bank accounts**.
Data source: `FinanceOperationsActivity_CL` |Impact |
-|**F&O – Unusual sign-in activity using single factor authentication** |Identifies successful sign-in events to Finance & Operations and Lifecycle Services using single factor/password authentication.
Sign-in events from tenants that aren't using MFA, coming from a Microsoft Entra ID trusted network location, or from geographic locations seen in the last 14 days are excluded.
This detection uses logs ingested from Microsoft Entra ID and you must enable the [Microsoft Entra data connector](../data-connectors/microsoft-entra-id.md). |Sign-ins to the monitored Finance and Operations environment.
Data source: `Singinlogs` |Credential Access, Initial Access |
+|**F&O – Unusual sign-in activity using single factor authentication** |Identifies successful sign-in events to Finance & Operations and Lifecycle Services using single factor/password authentication.
Sign-in events from tenants that aren't using MFA, coming from a Microsoft Entra ID trusted network location, or from geographic locations seen in the last 14 days are excluded.
This detection uses logs ingested from Microsoft Entra ID and you must enable the [Microsoft Entra data connector](../data-connectors/microsoft-entra-id.md). |Sign-ins to the monitored Finance and Operations environment.
Data source: `Signinlogs` |Credential Access, Initial Access |
## Related content
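Review bot: the corrected data source in the single factor sign-in row is `Signinlogs`, but the table is written `SigninLogs` in the other files this patch touches (investigate-with-ueba.md and notebook-get-started.md). KQL table names are case-sensitive, so a reader who copies this value into a query gets a name that does not resolve. Use `SigninLogs` here. The context row above also has "by a user account which his alias was recently modified", which should be "whose alias".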
diff --git a/articles/sentinel/entities-reference.md b/articles/sentinel/entities-reference.md
index 59c235533712d..e29e4c427a4cc 100644
--- a/articles/sentinel/entities-reference.md
+++ b/articles/sentinel/entities-reference.md
@@ -196,7 +196,7 @@ The following section contains a more in-depth look at the full schemas of each
- **Address**
\*\* Address alone is a unique, strong identifier when the IP address is a global address.
- **Address + AddressScope**
-\*\* For private/internal, non-global IP addresses, the AddressScope component is required to make this a strong identifer.
+\*\* For private/internal, non-global IP addresses, the AddressScope component is required to make this a strong identifier.
[Back to list of entity type schemas](#list-of-entity-type-schemas) | [Back to entity identifiers table](#entity-types-and-identifiers)
diff --git a/articles/sentinel/entities.md b/articles/sentinel/entities.md
index ca1c6d79feb14..e6621da0f7330 100644
--- a/articles/sentinel/entities.md
+++ b/articles/sentinel/entities.md
@@ -26,13 +26,13 @@ In the Microsoft Defender portal, entities generally fall into two main categori
## Entity identifiers
-Microsoft Sentinel supports a wide variety of entity types. Each type has its own unique attributes, which are represented as fields in the entity schema, and are called **identifiers**. See the full list of supported entities [below](#supported-entities), and the complete set of entity schemas and identifers in [Microsoft Sentinel entity types reference](entities-reference.md).
+Microsoft Sentinel supports a wide variety of entity types. Each type has its own unique attributes, which are represented as fields in the entity schema, and are called **identifiers**. See the full list of supported entities [below](#supported-entities), and the complete set of entity schemas and identifiers in [Microsoft Sentinel entity types reference](entities-reference.md).
### Strong and weak identifiers
For each type of entity there are fields, or sets of fields, that can identify particular instances of that entity. These fields or sets of fields can be referred to as **strong identifiers** if they can uniquely identify an entity without any ambiguity, or as **weak identifiers** if they can identify an entity under some circumstances, but are not guaranteed to uniquely identify an entity in all cases. In many cases, though, a selection of weak identifiers can be combined to produce a strong identifier.
-For example, user accounts can be identified as **account** entities in more than one way: using a single **strong identifer** like a Microsoft Entra account's numeric identifier (the **GUID** field), or its **User Principal Name (UPN)** value, or alternatively, using a combination of **weak identifiers** like its **Name** and **NTDomain** fields. Different data sources can identify the same user in different ways. Whenever Microsoft Sentinel encounters two entities that it can recognize as the same entity based on their identifiers, it merges the two entities into a single entity, so that it can be handled properly and consistently.
+For example, user accounts can be identified as **account** entities in more than one way: using a single **strong identifier** like a Microsoft Entra account's numeric identifier (the **GUID** field), or its **User Principal Name (UPN)** value, or alternatively, using a combination of **weak identifiers** like its **Name** and **NTDomain** fields. Different data sources can identify the same user in different ways. Whenever Microsoft Sentinel encounters two entities that it can recognize as the same entity based on their identifiers, it merges the two entities into a single entity, so that it can be handled properly and consistently.
If, however, one of your resource providers creates an alert in which an entity is not sufficiently identified—for example, using only a single **weak identifier** like a user name without the domain name context—then the user entity cannot be merged with other instances of the same user account. Those other instances would be identified as a separate entity, and those two entities would remain separate instead of unified.
diff --git a/articles/sentinel/investigate-with-ueba.md b/articles/sentinel/investigate-with-ueba.md
index 1dd4b32ccc7eb..7b6697a91bad7 100644
--- a/articles/sentinel/investigate-with-ueba.md
+++ b/articles/sentinel/investigate-with-ueba.md
@@ -104,7 +104,7 @@ For example:
```kusto
SigninLogs
- | where AppDisplayName == "GithHub.Com"
+ | where AppDisplayName == "GitHub.Com"
| join kind=inner (
IdentityInfo
| summarize arg_max(TimeGenerated, *) by AccountObjectId) on $left.UserId == $right.AccountObjectId
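Review bot: the filter `AppDisplayName == "GitHub.Com"` uses `==`, which is case-sensitive in KQL, so the sample matches only if sign-in records carry exactly this capitalization, including the capital "C". Confirm the display name as it appears in `SigninLogs`, or use `=~` in the sample so that a casing difference does not silently return zero rows.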
diff --git a/articles/sentinel/migration-arcsight-detection-rules.md b/articles/sentinel/migration-arcsight-detection-rules.md
index a07e495775d6a..1d2ab75abeaeb 100644
--- a/articles/sentinel/migration-arcsight-detection-rules.md
+++ b/articles/sentinel/migration-arcsight-detection-rules.md
@@ -204,7 +204,7 @@ As a third option, use a parameter function:
2. Define the parameters of the function. For example:
```kusto
- Tbl: (TimeGenerated:datatime, Computer:string,
+ Tbl: (TimeGenerated:datetime, Computer:string,
EventID:string, SubjectDomainName:string,
TargetDomainName:string, SubjectUserName:string)
```
diff --git a/articles/sentinel/migration-qradar-historical-data.md b/articles/sentinel/migration-qradar-historical-data.md
index cc5942af1a85e..4cba306d3b255 100644
--- a/articles/sentinel/migration-qradar-historical-data.md
+++ b/articles/sentinel/migration-qradar-historical-data.md
@@ -73,7 +73,7 @@ To execute the search query:
```
1. Review the output. If the value in the `status` field is `COMPLETED`, continue to the next step. If the status isn't `COMPLETED`, check the value in the `progress` field, and after 5-10 minutes, run the command you ran in step 4.
-1. Review the output and ensure that the status is `COMPELETED`.
+1. Review the output and ensure that the status is `COMPLETED`.
1. Run one of these commands to download the results or returned data from the JSON file to a folder on the current system:
- For the QRadar Console user ID method, run:
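Review bot: with the spelling fixed, the step "Review the output and ensure that the status is `COMPLETED`" repeats the check the preceding step already makes. Say that this is the check after re-running the command, or fold it into the preceding step. The preceding step also refers to "step 4", which is hard to follow when every item is numbered `1.` in the source.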
diff --git a/articles/sentinel/migration-security-operations-center-processes.md b/articles/sentinel/migration-security-operations-center-processes.md
index 1a98cda0ea64b..d3e51b7a9c75e 100644
--- a/articles/sentinel/migration-security-operations-center-processes.md
+++ b/articles/sentinel/migration-security-operations-center-processes.md
@@ -117,7 +117,7 @@ Use this table to compare the main concepts of your legacy SIEM to Microsoft Sen
| | Jupyter Notebooks | Jupyter Notebooks | Microsoft Sentinel notebooks |
| Dashboards | Dashboards | Dashboards | Workbooks |
| Correlation rules | Building blocks | Correlation rules | Analytics rules |
-|Incident queue |Offences tab |Incident review |**Incident** page |
+|Incident queue |Offenses tab |Incident review |**Incident** page |
## Next steps
diff --git a/articles/sentinel/normalization-develop-parsers.md b/articles/sentinel/normalization-develop-parsers.md
index a618a41ff99f2..6121f907d0467 100644
--- a/articles/sentinel/normalization-develop-parsers.md
+++ b/articles/sentinel/normalization-develop-parsers.md
@@ -513,7 +513,7 @@ To submit the event samples, use the following steps:
- Export the results using the **Export to CSV** option to a file named `_schema.csv`, where `TableName` is the name of source table the parser uses.
-- Include both files in your PR in the folder `/Sample Data/ASIM`. If the file already exists, add your GitHub handle to the name, for example: `___SchemaTest_.csv`
+- Include both files in your PR in the folder `/Sample Data/ASIM`. If the file already exists, add your GitHub handle to the name, for example: `___SchemaTest_.csv`
### Test results submission guidelines
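Review bot: the removed and added lines in this hunk read identically as shown, and the example names `_schema.csv` and `___SchemaTest_.csv` carry no placeholder text even though the sentence above refers to `TableName`. Check that the placeholders in the rendered page survive (angle-bracket tokens are easily swallowed as HTML), otherwise contributors cannot tell how to name the sample files.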
diff --git a/articles/sentinel/normalization-parsers-list.md b/articles/sentinel/normalization-parsers-list.md
index 14bc889cdf9fd..8444c04edc549 100644
--- a/articles/sentinel/normalization-parsers-list.md
+++ b/articles/sentinel/normalization-parsers-list.md
@@ -26,7 +26,7 @@ To use ASIM alert event parsers, deploy the parsers from the [Microsoft Sentinel
| **Source** | **Notes** | **Parser**
| --- | --------------------------- | ---------- |
| **Defender XDR Alerts** | Microsoft Defender XDR alert events (in the `AlertEvidence` table). | `ASimAlertEventMicrosoftDefenderXDR` |
-| **Exchange 365 administrative events** | SentinelOne Singlularity `Threats.` events (in the `SentinelOne_CL` table). | `ASimAlertEventSentinelOneSingularity` |
+| **SentinelOne Singularity** | SentinelOne Singularity `Threats.` events (in the `SentinelOne_CL` table). | `ASimAlertEventSentinelOneSingularity` |
## Audit event parsers
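Review bot: the first column of this row changes from "Exchange 365 administrative events" to "SentinelOne Singularity", which is a content correction rather than a spelling fix. Call it out in the commit description so it gets a factual review. In the same row `Threats.` keeps the period inside the code span, which reads as part of the event name, and the table header row above is missing its closing `|`.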
@@ -50,7 +50,7 @@ To use ASIM authentication parsers, deploy the parsers from the [Microsoft Senti
- reported by Microsoft Defender XDR for Endpoint, collected using the Microsoft Defender XDR connector.
- **Linux sign-ins**
- reported by Microsoft Defender XDR for Endpoint, collected using the Microsoft Defender XDR connector.
- - `su`, `sudu`, and `sshd` activity reported using Syslog.
+ - `su`, `sudo`, and `sshd` activity reported using Syslog.
- reported by Microsoft Defender to IoT Endpoint.
- **Microsoft Entra sign-ins**, collected using the Microsoft Entra connector. Separate parsers are provided for regular, Non-Interactive, Managed Identities and Service Principles Sign-ins.
- **AWS sign-ins**, collected using the AWS CloudTrail connector.
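Review bot: the context lines around the `sudo` fix still contain "Service Principles Sign-ins", which should be "Service Principals", and "Microsoft Defender to IoT Endpoint", where "to" looks like a slip for "for". Both are in the same list and belong in this typo pass.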
diff --git a/articles/sentinel/normalization-schema-audit.md b/articles/sentinel/normalization-schema-audit.md
index 346a9ae968228..99dd9611064b1 100644
--- a/articles/sentinel/normalization-schema-audit.md
+++ b/articles/sentinel/normalization-schema-audit.md
@@ -38,7 +38,7 @@ Audit events also reference the following entities, which are involved in the co
- **Actor** - The user performing the configuration operation.
- **TargetApp** - The application or system for which the configuration operation applies.
-- **Target** - The system on which **TaregtApp*** is running.
+- **Target** - The system on which **TargetApp*** is running.
- **ActingApp** - The application used by the **Actor** to perform the configuration operation.
- **Src** - The system used by the **Actor** to initiate the configuration operation, if different than **Target**.
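Review bot: the corrected line reads `**TargetApp***` with three trailing asterisks, so the bold span closes and a stray `*` is left in the rendered text. Drop the extra asterisk so it reads `**TargetApp**`.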
@@ -160,7 +160,7 @@ Fields that appear in the table are common to all ASIM schemas. Any of guideline
| Field | Class | Type | Description |
|---------------|--------------|------------|-----------------|
-| **Dst** | Alias | String | A unique identifier of the authentication target.
This field may alias the [TargerDvcId](#targetdvcid), [TargetHostname](#targethostname), [TargetIpAddr](#targetipaddr), [TargetAppId](#targetappid), or [TargetAppName](#targetappname) fields.
Example: `192.168.12.1` |
+| **Dst** | Alias | String | A unique identifier of the authentication target.
This field may alias the [TargetDvcId](#targetdvcid), [TargetHostname](#targethostname), [TargetIpAddr](#targetipaddr), [TargetAppId](#targetappid), or [TargetAppName](#targetappname) fields.
Example: `192.168.12.1` |
| **TargetHostname** | Recommended | Hostname | The target device hostname, excluding domain information.
Example: `DESKTOP-1282V4D` |
| **TargetDomain** | Recommended | String | The domain of the target device.
Example: `Contoso` |
| **TargetDomainType** | Conditional | Enumerated | The type of [TargetDomain](#targetdomain). For a list of allowed values and further information, refer to [DomainType](normalization-about-schemas.md#domaintype) in the [Schema Overview article](normalization-about-schemas.md).
Required if [TargetDomain](#targetdomain) is used. |
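Review bot: the `Dst` row in the audit schema describes the field as "A unique identifier of the authentication target", which matches the wording in normalization-schema-authentication.md and looks copied from there. In this file the target is the system the audited operation applies to, so reword the description for the audit context while fixing the `TargetDvcId` link text.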
diff --git a/articles/sentinel/normalization-schema-authentication.md b/articles/sentinel/normalization-schema-authentication.md
index 506b9b8fc65e3..68a569864900f 100644
--- a/articles/sentinel/normalization-schema-authentication.md
+++ b/articles/sentinel/normalization-schema-authentication.md
@@ -224,7 +224,7 @@ Fields that appear in the table below are common to all ASIM schemas. Any guidel
| Field | Class | Type | Description |
|---------------|--------------|------------|-----------------|
-| **Dst** | Alias | String | A unique identifier of the authentication target.
This field may alias the [TargerDvcId](#targetdvcid), [TargetHostname](#targethostname), [TargetIpAddr](#targetipaddr), [TargetAppId](#targetappid), or [TargetAppName](#targetappname) fields.
Example: `192.168.12.1` |
+| **Dst** | Alias | String | A unique identifier of the authentication target.
This field may alias the [TargetDvcId](#targetdvcid), [TargetHostname](#targethostname), [TargetIpAddr](#targetipaddr), [TargetAppId](#targetappid), or [TargetAppName](#targetappname) fields.
Example: `192.168.12.1` |
| **TargetHostname** | Recommended | Hostname | The target device hostname, excluding domain information.
Example: `DESKTOP-1282V4D` |
| **TargetDomain** | Recommended | String | The domain of the target device.
Example: `Contoso` |
| **TargetDomainType** | Conditional | Enumerated | The type of [TargetDomain](#targetdomain). For a list of allowed values and further information refer to [DomainType](normalization-about-schemas.md#domaintype) in the [Schema Overview article](normalization-about-schemas.md).
Required if [TargetDomain](#targetdomain) is used. |
@@ -232,7 +232,7 @@ Fields that appear in the table below are common to all ASIM schemas. Any guidel
| **TargetDescription** | Optional | String | A descriptive text associated with the device. For example: `Primary Domain Controller`. |
| **TargetDvcId** | Optional | String | The ID of the target device. If multiple IDs are available, use the most important one, and store the others in the fields `TargetDvc`.
Example: `ac7e9755-8eae-4ffc-8a02-50ed7a2216c3` |
| **TargetDvcScopeId** | Optional | String | The cloud platform scope ID the device belongs to. **TargetDvcScopeId** map to a subscription ID on Azure and to an account ID on AWS. |
-| **TargerDvcScope** | Optional | String | The cloud platform scope the device belongs to. **TargetDvcScope** map to a subscription ID on Azure and to an account ID on AWS. |
+| **TargetDvcScope** | Optional | String | The cloud platform scope the device belongs to. **TargetDvcScope** map to a subscription ID on Azure and to an account ID on AWS. |
| **TargetDvcIdType** | Conditional | Enumerated | The type of [TargetDvcId](#targetdvcid). For a list of allowed values and further information refer to [DvcIdType](normalization-about-schemas.md#dvcidtype) in the [Schema Overview article](normalization-about-schemas.md).
Required if **TargetDeviceId** is used.|
| **TargetDeviceType** | Optional | Enumerated | The type of the target device. For a list of allowed values and further information refer to [DeviceType](normalization-about-schemas.md#devicetype) in the [Schema Overview article](normalization-about-schemas.md). |
|**TargetIpAddr** |Optional | IP Address|The IP address of the target device.
Example: `2.2.2.2` |
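Review bot: after the rename, the `TargetDvcScope` row has the same description as `TargetDvcScopeId` above it ("map to a subscription ID on Azure and to an account ID on AWS"), so the two fields are indistinguishable to a parser author. State what the scope field holds as opposed to the scope ID, and change "map" to "maps" in both rows. The `TargetDvcIdType` row also says "Required if **TargetDeviceId** is used" although the field in this table is `TargetDvcId`.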
diff --git a/articles/sentinel/normalization-schema-dns.md b/articles/sentinel/normalization-schema-dns.md
index 80538e2f9b8c2..6389360af911b 100644
--- a/articles/sentinel/normalization-schema-dns.md
+++ b/articles/sentinel/normalization-schema-dns.md
@@ -298,7 +298,7 @@ The following fields are aliases that are maintained for backwards compatibility
- `Query` (alias to `DnsQuery`)
- `QueryType` (alias to `DnsQueryType`)
- `QueryTypeName` (alias to `DnsQueryTypeName`)
-- `ResponseName` (alias to `DnsReasponseName`)
+- `ResponseName` (alias to `DnsResponseName`)
- `ResponseCodeName` (alias to `DnsResponseCodeName`)
- `ResponseCode` (alias to `DnsResponseCode`)
- `QueryClass` (alias to `DnsQueryClass`)
diff --git a/articles/sentinel/normalization-schema-user-management.md b/articles/sentinel/normalization-schema-user-management.md
index c5131c32e7786..efc02e4b387cd 100644
--- a/articles/sentinel/normalization-schema-user-management.md
+++ b/articles/sentinel/normalization-schema-user-management.md
@@ -116,7 +116,7 @@ Fields that appear in the table below are common to all ASIM schemas. Any guidel
|-------|-------|------|-------------|
| **GroupId** | Optional | String | A machine-readable, alphanumeric, unique representation of the group, for activities involving a group.
Supported formats and types include:
- **SID** (Windows): `S-1-5-21-1377283216-344919071-3415362939-500`
- **UID** (Linux): `4578`
Store the ID type in the [GroupIdType](#groupidtype) field. If other IDs are available, we recommend that you normalize the field names to **GroupSid** or **GroupUid**, respectively. For more information, see [The User entity](normalization-about-schemas.md#the-user-entity).
Example: `S-1-12` |
| **GroupIdType** | Optional | Enumerated | The type of the ID stored in the [GroupId](#groupid) field.
Supported values are `SID`, and `UID`. |
-| **GroupName** | Optional | String | The group name, including domain information when available, for activities involving a group.
Use one of the following formats and in the following order of priority:
- **Upn/Email**: `grp@contoso.com`
- **Windows**: `Contoso\grp`
- **DN**: `CN=grp,OU=Sales,DC=Fabrikam,DC=COM`
- **Simple**: `grp`. Use the Simple form only if domain information isn't available.
Store the group name type in the [GroupNameType](#groupnametype) field. If other IDs are available, we recommend that you normalize the field names to **GroupUpn**, **GorupNameWindows**, and **GroupDn**.
Example: `Contoso\Finance` |
+| **GroupName** | Optional | String | The group name, including domain information when available, for activities involving a group.
Use one of the following formats and in the following order of priority:
- **Upn/Email**: `grp@contoso.com`
- **Windows**: `Contoso\grp`
- **DN**: `CN=grp,OU=Sales,DC=Fabrikam,DC=COM`
- **Simple**: `grp`. Use the Simple form only if domain information isn't available.
Store the group name type in the [GroupNameType](#groupnametype) field. If other IDs are available, we recommend that you normalize the field names to **GroupUpn**, **GroupNameWindows**, and **GroupDn**.
Example: `Contoso\Finance` |
| **GroupNameType** | Optional | Enumerated | Specifies the type of the group name stored in the [GroupName](#groupname) field. Supported values include `UPN`, `Windows`, `DN`, and `Simple`.
Example: `Windows` |
| **GroupType** | Optional | Enumerated | The type of the group, for activities involving a group. Supported values include:
- `Local Distribution`
- `Local Security Enabled`
- `Global Distribution`
- `Global Security Enabled`
- `Universal Distribution`
- `Universal Security Enabled`
- `Other`
**Note**: The value might be provided in the source record by using different terms, which should be normalized to these values. Store the original value in the [GroupOriginalType](#grouporiginaltype) field. |
| **GroupOriginalType** | Optional | String | The original group type, if provided by the source. |
diff --git a/articles/sentinel/normalization-schema-v1.md b/articles/sentinel/normalization-schema-v1.md
index dfdf0e6b23adc..c3a7381417606 100644
--- a/articles/sentinel/normalization-schema-v1.md
+++ b/articles/sentinel/normalization-schema-v1.md
@@ -135,7 +135,7 @@ Below is the schema of the network sessions table, versioned 1.0.0
| **SrcDvcModelName** | String | Samsung Galaxy Note | The model name of the source device | Source,
Device |
| **SrcDvcModelNumber** | String | 10.0 | The model number of the source device | Source,
Device |
| **SrcDvcType** | String | Mobile | The type of the source device | Source,
Device |
-| **SrcIntefaceName** | String | eth01 | The network interface used for the connection or session by the source device. | Source |
+| **SrcInterfaceName** | String | eth01 | The network interface used for the connection or session by the source device. | Source |
| **SrcInterfaceGuid** | String | 46ad544b-eaf0-47ef-827c-266030f545a6 | GUID of the network interface used | Source |
| **SrcIpAddr** | IP address | 77.138.103.108 | The IP address from which the connection or session originated. | Source,
IP |
| **SrcDvcIpAddr** | IP address | 77.138.103.108 | The source IP address of a device not directly associated with the network packet (collected by a provider or explicitly calculated). | Source,
Device,
IP |
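Review bot: `SrcIntefaceName` to `SrcInterfaceName` changes a documented field name, not prose. The neighbouring `SrcInterfaceGuid` supports the new spelling, but confirm it against the actual column in the version 1.0.0 table before merging, because parsers and queries written from this page reference the name literally.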
@@ -307,8 +307,8 @@ The following fields were renamed in [version 0.2.x](normalization-schema-networ
|Field in version 0.1 |Renamed in version 0.2 |
|---------|---------|
- | DstResourceId | SrcDvcAzureRerouceId |
- | SrcResourceId | SrcDvcAzureRerouceId |
+ | DstResourceId | SrcDvcAzureResourceId |
+ | SrcResourceId | SrcDvcAzureResourceId |
- **Renamed to remove the `Dvc` string from field names, as handling in version 0.1 was inconsistent**:
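Review bot: both rows of the rename table now point to `SrcDvcAzureResourceId`, including the row for `DstResourceId`. A destination field renamed to a source field looks like a copy-paste error that this patch carries forward. Check whether the `DstResourceId` row should name the destination counterpart and correct it in the same change.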
diff --git a/articles/sentinel/notebook-get-started.md b/articles/sentinel/notebook-get-started.md
index 5fc2ccbcd7a2d..82e9f29d7ce97 100644
--- a/articles/sentinel/notebook-get-started.md
+++ b/articles/sentinel/notebook-get-started.md
@@ -98,7 +98,7 @@ This procedure describes how to launch your notebook and initialize MSTICpy.
display(HTML("Checking upgrade to latest msticpy version"))
%pip install --upgrade --quiet msticpy[azuresentinel]>=$REQ_MSTICPY_VER
- # intialize msticpy
+ # initialize msticpy
from msticpy.nbtools import nbinit
nbinit.init_notebook(
namespace=globals(),
@@ -359,7 +359,7 @@ MSTICPy also includes many built-in queries available for you to run. List avail
Table name
(default value is: SigninLogs)
Query:
- {table} | where TimeGenerated >= datetime({start}) | where TimeGenerated <= datetime({end}) | extend Result = iif(ResultType==0, "Sucess", "Failed") | extend Latitude = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).latitude) | extend Longitude = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).longitude)
+ {table} | where TimeGenerated >= datetime({start}) | where TimeGenerated <= datetime({end}) | extend Result = iif(ResultType==0, "Success", "Failed") | extend Latitude = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).latitude) | extend Longitude = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).longitude)
```
1. To view both tables and queries in a scrollable, filterable list, proceed to the next cell, with the following code, and run it.
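Review bot: the `"Sucess"` to `"Success"` change sits inside the text shown under "Query:", which the page presents as the definition of a built-in MSTICPy query rather than as documentation prose. Confirm that the query shipped with the library uses "Success" before changing it here. If the library still emits the misspelled value, readers who filter on `Result` using the spelling from this page will get no matches.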
@@ -401,7 +401,7 @@ Query results return as a [Pandas DataFrame](https://pandas.pydata.org), which i
```python
# The time parameters are taken from the qry_prov time settings
- # but you can override this by supplying explict "start" and "end" datetimes
+ # but you can override this by supplying explicit "start" and "end" datetimes
signins_df = qry_prov.Azure.list_all_signins_geo()
# display first 5 rows of any results
diff --git a/articles/sentinel/notebooks-msticpy-advanced.md b/articles/sentinel/notebooks-msticpy-advanced.md
index aaecd56a458e2..7442e91c08b94 100644
--- a/articles/sentinel/notebooks-msticpy-advanced.md
+++ b/articles/sentinel/notebooks-msticpy-advanced.md
@@ -40,7 +40,7 @@ This procedure describes how to configure authentication parameters for Microsof
1. Select the authentication methods to use:
- While you can use a different set of methods from the [Azure defaults](notebook-get-started.md#specify-the-azure-cloud-and-azure-authentication-methods), this usage isn't a typical configuration.
- - Unless you want to use the **env** (environment variable) authentication, leave the **clientId**, **tenantiId**, and **clientSecret** fields empty.
+ - Unless you want to use the **env** (environment variable) authentication, leave the **clientId**, **tenantId**, and **clientSecret** fields empty.
- While not recommended, MSTICPy also supports using client app IDs and secrets for your authentication. In such cases, define your **clientId**, **tenantId**, and **clientSecret** fields directly in the **Data Providers** tab.
1. Select **Save File** to save your changes.
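Review bot: In the added bullet, **clientId**, **tenantId**, and **clientSecret** are still set in bold as if they were UI labels, as they are in the unchanged bullet below. These are literal credential field names that readers will type exactly as shown, which is how the `tenantiId` slip became a problem in the first place. Suggest code formatting for all three in both bullets, and a quick check that the spelling and casing match the fields shown in the **Data Providers** tab.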
diff --git a/articles/sentinel/publish-sentinel-solutions.md b/articles/sentinel/publish-sentinel-solutions.md
index 577fe260621fa..2cca8da99f6b2 100644
--- a/articles/sentinel/publish-sentinel-solutions.md
+++ b/articles/sentinel/publish-sentinel-solutions.md
@@ -72,7 +72,7 @@ Complete the following steps to configure the properties under the **Properties*
|**Application type**| Leave application type as *Default (Azure Application)*. Make no changes.|
|**Legal**| Here you have three options to choose from - (1) Use the standard contract (2) Provide terms and conditions link (3) Provide terms and conditions text. Choose the option that works best for you. If you select the standard contract, the options to share Terms & Conditions are hidden.|
- :::image type="content" source="media/publish-sentinel-solutions/partner-center-offer-properties.png" alt-text="Screenshot of offer properies tab in partner center." lightbox="media/publish-sentinel-solutions/partner-center-offer-properties.png" :::
+ :::image type="content" source="media/publish-sentinel-solutions/partner-center-offer-properties.png" alt-text="Screenshot of offer properties tab in partner center." lightbox="media/publish-sentinel-solutions/partner-center-offer-properties.png" :::
## Offer listing
Complete the following steps to configure the properties under the **Offer listing** tab in Microsoft Partner Center. The parameters that you set in this tab define how customers can find your solution and what information they see for your solution.
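Review bot: The alt text in the added `:::image` line still reads "partner center" in lower case, while the paragraph under `## Offer listing` names the product as "Microsoft Partner Center". Since the line is being touched anyway, suggest `alt-text="Screenshot of the offer properties tab in Partner Center."` so the screen-reader text matches the product name used in the body.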
diff --git a/articles/sentinel/resource-context-rbac.md b/articles/sentinel/resource-context-rbac.md
index 4beaa9520afc9..20db22838b5c2 100644
--- a/articles/sentinel/resource-context-rbac.md
+++ b/articles/sentinel/resource-context-rbac.md
@@ -99,7 +99,7 @@ For example, separating your VMs ensures that Syslog events that belong to Team
> [!TIP]
> - When using an on-premises VM or another cloud VM, such as AWS, as your log forwarder, ensure that it has a resource ID by implementing [Azure Arc](/azure/azure-arc/servers/overview).
-> - To scale your log forwarding VM environment, consider creating a [VM scale set](https://techcommunity.microsoft.com/t5/azure-sentinel/scaling-up-syslog-cef-collection/ba-p/1185854) to collect your CEF and Sylog logs.
+> - To scale your log forwarding VM environment, consider creating a [VM scale set](https://techcommunity.microsoft.com/t5/azure-sentinel/scaling-up-syslog-cef-collection/ba-p/1185854) to collect your CEF and Syslog logs.
### Resource IDs with Logstash collection
diff --git a/articles/sentinel/sap/sap-solution-function-reference.md b/articles/sentinel/sap/sap-solution-function-reference.md
index ccda3528563d3..f3c1317536ee9 100644
--- a/articles/sentinel/sap/sap-solution-function-reference.md
+++ b/articles/sentinel/sap/sap-solution-function-reference.md
@@ -91,7 +91,7 @@ The **SAPUsersAuthorizations** function returns the following data:
| -------- | ----------- | ----- |
| User | SAP user ID | |
| Roles | Set of roles (default max set size = 50) | `["Role 1", "Role 2",...,"Role 50"]` |
-| AuthorizationsDetails | Set of authorizations (default max set size = 100) | `{{AuthorizationsDeatils1}`,
`{AuthorizationsDeatils2}`,
...,
`{AuthorizationsDeatils100}}` |
+| AuthorizationsDetails | Set of authorizations (default max set size = 100) | `{{AuthorizationsDetails1}`,
`{AuthorizationsDetails2}`,
...,
`{AuthorizationsDetails100}}` |
| Client | Client ID | |
| SystemID | System ID | |
diff --git a/articles/sentinel/sap/sap-solution-log-reference.md b/articles/sentinel/sap/sap-solution-log-reference.md
index f8935359d440b..2fee7de8223da 100644
--- a/articles/sentinel/sap/sap-solution-log-reference.md
+++ b/articles/sentinel/sap/sap-solution-log-reference.md
@@ -352,7 +352,7 @@ To have this log sent to Microsoft Sentinel, you must [add it manually to the **
| MessageText | Message text |
| MonitoringObjectName | MTE Monitor object name, XAL only |
| MonitorShortName | MTE Monitor short name, XAL only |
-| SAPProcesType | System Log: SAP process type, SAL only |
+| SAPProcessType | System Log: SAP process type, SAL only |
| B* - Background Processing | |
| D* - Dialog Processing | |
| U* - Update Tasks | |
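Review bot: `SAPProcesType` is in the field-name column of a log schema table, so the added line renames a documented column rather than fixing a prose typo. Please confirm that the ingested log actually exposes `SAPProcessType`. If the connector emits the old spelling, queries and analytics rules written from this page will reference a column that does not exist. If the shipped name really is misspelled, keep it verbatim in the table and say so in the description cell.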
diff --git a/articles/sentinel/summary-rules.md b/articles/sentinel/summary-rules.md
index 843f04ea6f23c..949cd8fd8dc17 100644
--- a/articles/sentinel/summary-rules.md
+++ b/articles/sentinel/summary-rules.md
@@ -169,7 +169,7 @@ Most of the data sources are raw logs that are noisy and have high volume, but h
1. **Create a summary rule**:
- 1. Extend your query to extract key fields, such as the source address, destination address, and destination port from the **CommonSecurityLog_CL** table, which is the **CommonSecurityLog** with the Auxilairy plan.
+ 1. Extend your query to extract key fields, such as the source address, destination address, and destination port from the **CommonSecurityLog_CL** table, which is the **CommonSecurityLog** with the Auxiliary plan.
1. Perform an inner lookup against the active Threat Intelligence Indicators to identify any matches with our source address. This allows you to cross-reference your data with known threats.