Commit 86a7c7e

Learn Build Service GitHub App
authored and committed
Merging changes synced from https://github.com/MicrosoftDocs/azure-docs-pr (branch live)
2 parents 1dc82b6 + 565966b commit 86a7c7e

14 files changed

Lines changed: 139 additions & 122 deletions

articles/sentinel/entities-reference.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -499,7 +499,7 @@ The Address identifier by itself is a weak identifier when the IP address is a p
499499
| **DisplayName** | String | The mailbox's display name. |
500500
| **Upn** | String | The mailbox's UPN. |
501501
| **AadId** | String | The mailbox's Azure AD identifier of the user. |
502-
| **RiskLevel** | RiskLevel? | The risk level of this mailbox. Possible values:<li>None<li>Low<li>Medium<li>High |
502+
| **RiskLevel** | RiskLevel (Integer) | The risk level of this mailbox. Possible values:<li>None<li>Low<li>Medium<li>High |
503503
| **ExternalDirectoryObjectId** | Guid? | The AzureAD identifier of mailbox. Similar to AadUserId in the Account entity, but this property is specific to mailbox object on the Office side. |
504504

505505
#### Strong identifiers of a mailbox entity
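Review bot: the retyped RiskLevel row at line 502 now reads `RiskLevel (Integer)` but still lists `None`, `Low`, `Medium`, `High` as its possible values; an integer type and a four-name value list cannot both be right unless the mapping is stated. Either keep an enumerated type here or spell out which integers correspond to those names (the type table in normalization-about-schemas.md, touched by this same commit, defines `RiskLevel` as an integer normalized to the range 0 to 100, so a mapping such as None/Low/Medium/High onto that range would need to be documented).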

articles/sentinel/normalization-about-schemas.md

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -96,6 +96,7 @@ Each schema field has a type. Some have built-in, Log Analytics types, such as `
9696
|**IP address** |String | Microsoft Sentinel schemas don't have separate IPv4 and IPv6 addresses. Any IP address field might include either an IPv4 address or an IPv6 address, as follows: <br><br>- **IPv4** in a dot-decimal notation.<br>- **IPv6** in 8-hextets notation, allowing for the short form.<br><br>For example:<br>- **IPv4**: `192.168.10.10` <br>- **IPv6**: `FEDC:BA98:7654:3210:FEDC:BA98:7654:3210`<br>- **IPv6 short form**: `1080::8:800:200C:417A` |
9797
|**FQDN** | String | A fully qualified domain name using a dot notation, for example, `learn.microsoft.com`. For more information, see [The Device entity](normalization-entity-device.md). |
9898
|<a name="hostname"></a>**Hostname** | String | A hostname which is not an FQDN, includes up to 63 characters including letters, numbers and hyphens. For more information, see [The Device entity](normalization-entity-device.md).|
99+
|**Domain** | String | the domain part of an FQDN, without the hostname, for example, `learn.microsoft.com`. For more information, see [The Device entity](normalization-entity-device.md). |
99100
| **DomainType** | Enumerated | The type of domain stored in domain and FQDN fields. For a list of values and more information, see [The Device entity](normalization-entity-device.md). |
100101
| **DvcIdType** | Enumerated | The type of the device ID stored in DvcId fields. For a list of allowed values and further information refer to [DvcIdType](normalization-entity-device.md#dvcidtype). |
101102
|<a name="devicetype"></a>**DeviceType** | Enumerated | The type of the device stored in DeviceType fields. Possible values include:<br>- `Computer`<br>- `Mobile Device`<br>- `IOT Device`<br>- `Other`. For more information, see [The Device entity](normalization-entity-device.md). |
@@ -113,6 +114,11 @@ Each schema field has a type. Some have built-in, Log Analytics types, such as `
113114
|**SHA1** | String | 40-hex characters. |
114115
|**SHA256** | String | 64-hex characters. |
115116
|**SHA512** | String | 128-hex characters. |
117+
|**ConfidenceLevel** | Integer | A confidence level normalized to the range of 0 to a 100. |
118+
|**RiskLevel** | Integer | A risk level normalized to the range of 0 to a 100. |
119+
|**SchemaVersion** | String | An ASIM schema version in the format `<major>.<minor>.<sub-minor>` |
120+
| **DnsQueryClassName** | String | The [DNS class name](https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml).|
121+
| **Username** | String | A simple or domain qualified username |
116122

117123

118124
## Entities
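Review bot: "normalized to the range of 0 to a 100" in the new ConfidenceLevel and RiskLevel rows should read "0 to 100". The Username row is the only new entry without a terminating period and without an example; an example in each supported form would help, for instance `Contoso\JSmith` and a UPN, since the description says "simple or domain qualified" but not what "domain qualified" looks like.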

articles/sentinel/normalization-common-fields.md

Lines changed: 5 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -56,9 +56,9 @@ The following fields are defined by ASIM for all schemas:
5656
| <a name="eventproduct"></a>**EventProduct** | Mandatory | String | The product generating the event. The value should be one of the values listed in [Vendors and Products](#vendors-and-products).<br><br>Example: `Sysmon` |
5757
| <a name="eventproductversion"></a>**EventProductVersion** | Optional | String | The version of the product generating the event. <br><br>Example: `12.1` |
5858
| <a name="eventvendor"></a>**EventVendor** | Mandatory | String | The vendor of the product generating the event. The value should be one of the values listed in [Vendors and Products](#vendors-and-products).<br><br>Example: `Microsoft` <br><br> |
59-
| <a name="eventschema"></a>**EventSchema** | Mandatory | String | The schema the event is normalized to. Each schema documents its schema name. |
60-
| <a name="eventschemaversion"></a>**EventSchemaVersion** | Mandatory | String | The version of the schema. Each schema documents its current version. |
61-
| <a name="eventreporturl"></a>**EventReportUrl** | Optional | String | A URL provided in the event for a resource that provides more information about the event.|
59+
| <a name="eventschema"></a>**EventSchema** | Mandatory | Enumerated | The schema the event is normalized to. Each schema documents its schema name. |
60+
| <a name="eventschemaversion"></a>**EventSchemaVersion** | Mandatory | SchemaVersion (String) | The version of the schema. Each schema documents its current version. |
61+
| <a name="eventreporturl"></a>**EventReportUrl** | Optional | URL (String) | A URL provided in the event for a resource that provides more information about the event.|
6262
| <a name="eventowner"></a>**EventOwner** | Optional | String | The owner of the event, which is usually the department or subsidiary in which it was generated. |
6363

6464
### Device fields
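Review bot: EventReportUrl is retyped to `URL (String)`, but the type-table additions this commit makes to normalization-about-schemas.md cover Domain, ConfidenceLevel, RiskLevel, SchemaVersion, DnsQueryClassName and Username and not URL; confirm a URL entry already exists in that table (or add one) so the field type resolves to a definition. The EventSchema change from String to Enumerated likewise implies a fixed list of allowed values; the description should say where that list lives rather than only "Each schema documents its schema name".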
@@ -75,9 +75,9 @@ Each schema document specifies the role of the device for the schema.
7575
| <a name="dvc"></a>**Dvc** | Alias | String | A unique identifier of the device on which the event occurred or which reported the event, depending on the schema. <br><br>This field might alias the [DvcFQDN](#dvcfqdn), [DvcId](#dvcid), [DvcHostname](#dvchostname), or [DvcIpAddr](#dvcipaddr) fields. For cloud sources, for which there is no apparent device, use the same value as the [Event Product](#eventproduct) field. |
7676
| <a name ="dvcipaddr"></a>**DvcIpAddr** | Recommended | IP address | The IP address of the device on which the event occurred or which reported the event, depending on the schema. <br><br>Example: `45.21.42.12` |
7777
| <a name ="dvchostname"></a>**DvcHostname** | Recommended | Hostname | The hostname of the device on which the event occurred or which reported the event, depending on the schema. <br><br>Example: `ContosoDc` |
78-
| <a name="dvcdomain"></a>**DvcDomain** | Recommended | String | The domain of the device on which the event occurred or which reported the event, depending on the schema.<br><br>Example: `Contoso` |
78+
| <a name="dvcdomain"></a>**DvcDomain** | Recommended | Domain (String) | The domain of the device on which the event occurred or which reported the event, depending on the schema.<br><br>Example: `Contoso` |
7979
| <a name="dvcdomaintype"></a>**DvcDomainType** | Conditional | Enumerated | The type of [DvcDomain](#dvcdomain). For a list of allowed values and further information, refer to [DomainType](normalization-entity-device.md#domaintype).<br><br>**Note**: This field is required if the [DvcDomain](#dvcdomain) field is used. |
80-
| <a name="dvcfqdn"></a>**DvcFQDN** | Optional | String | The hostname of the device on which the event occurred or which reported the event, depending on the schema. <br><br> Example: `Contoso\DESKTOP-1282V4D`<br><br>**Note**: This field supports both traditional FQDN format and Windows domain\hostname format. The [DvcDomainType](#dvcdomaintype) field reflects the format used. |
80+
| <a name="dvcfqdn"></a>**DvcFQDN** | Optional | FQDN (String) | The hostname of the device on which the event occurred or which reported the event, depending on the schema. <br><br> Example: `Contoso\DESKTOP-1282V4D`<br><br>**Note**: This field supports both traditional FQDN format and Windows domain\hostname format. The [DvcDomainType](#dvcdomaintype) field reflects the format used. |
8181
| <a name = "dvcdescription"></a>**DvcDescription** | Optional | String | A descriptive text associated with the device. For example: `Primary Domain Controller`. |
8282
| <a name ="dvcid"></a>**DvcId** | Optional | String | The unique ID of the device on which the event occurred or which reported the event, depending on the schema. <br><br>Example: `41502da5-21b7-48ec-81c9-baeea8d7d669` |
8383
| <a name="dvcidtype"></a>**DvcIdType** | Conditional | Enumerated | The type of [DvcId](#dvcid). For a list of allowed values and further information, refer to [DvcIdType](#dvcidtype).<br>- `MDEid`<br><br>If multiple IDs are available, use the first one from the list, and store the others by using the field names **DvcAzureResourceId** and **DvcMDEid**, respectively.<br><br>**Note**: This field is required if the [DvcId](#dvcid) field is used. |
@@ -96,8 +96,6 @@ Each schema document specifies the role of the device for the schema.
9696
| Field | Class | Type | Description |
9797
|---------------------|-------------|------------|--------------------|
9898
| <a name="additionalfields"></a>**AdditionalFields** | Optional | Dynamic | If your source provides additional information worth preserving, either keep it with the original field names or create the dynamic **AdditionalFields** field, and add to it the extra information as key/value pairs. |
99-
| <a name="asimmatchingipaddr"></a>**ASimMatchingIpAddr** | Recommended | String | When a parser uses the `ipaddr_has_any_prefix` filtering parameters, this field is set with the one of the values `SrcIpAddr`, `DstIpAddr`, or `Both` to reflect the matching fields or fields. |
100-
| <a name="asimmatchinghostname"></a>**ASimMatchingHostname** | Recommended | String | When a parser uses the `hostname_has_any` filtering parameters, this field is set with the one of the values `SrcHostname`, `DstHostname`, or `Both` to reflect the matching fields or fields. |
10199

102100
### Schema updates
103101

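Review bot: deleting the ASimMatchingIpAddr and ASimMatchingHostname rows removes two fields classed as Recommended without saying why. If they are deprecated, record that under the "Schema updates" section that follows immediately, and update the parser guidance that sets them when `ipaddr_has_any_prefix` or `hostname_has_any` is used; if parsers still emit them, the rows should stay. As written, a reader of the diff cannot tell which case applies.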
articles/sentinel/normalization-schema-alert.md

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -99,7 +99,7 @@ The following list mentions fields that have specific guidelines for Alert event
9999
| **IpAddr** | Alias | | Alias or friendly name for `DvcIpAddr` field. |
100100
| **Hostname** | Alias | | Alias or friendly name for `DvcHostname` field. |
101101
| **EventSchema** | Mandatory | Enumerated | The schema used for the event. The schema documented here is `AlertEvent`. |
102-
| **EventSchemaVersion** | Mandatory | string | The version of the schema. The version of the schema documented here is `0.1`. |
102+
| **EventSchemaVersion** | Mandatory | SchemaVersion (String) | The version of the schema. The version of the schema documented here is `0.1`. |
103103

104104
### All Common Fields
105105

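Review bot: EventSchemaVersion is now typed `SchemaVersion (String)`, which this commit defines in normalization-about-schemas.md as `<major>.<minor>.<sub-minor>`, but the version documented on the same line is `0.1`, which has only two components. Either the type's format should allow a two-part version or the schema version here should be written `0.1.0`; right now the type definition and the only documented instance of it disagree.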
@@ -136,9 +136,9 @@ The following table covers fields that provide critical insights into the rules
136136
| **ThreatCategory** | Recommended | Enumerated | The category of the threat or malware identified in the alert.<br><br>Supported values are: `Malware`, `Ransomware`, `Trojan`, `Virus`, `Worm`, `Adware`, `Spyware`, `Rootkit`, `Cryptominor`, `Phishing`, `Spam`, `MaliciousUrl`, `Spoofing`, `Security Policy Violation`, `Unknown` |
137137
| **ThreatOriginalCategory** | Optional | string | The category of the threat as reported by the originating system. |
138138
| **ThreatIsActive** | Optional | bool | Indicates whether the threat is currently active.<br><br>Supported values are: `True`, `False` |
139-
| **ThreatRiskLevel** | Optional | int | The risk level associated with the threat. The level should be a number between 0 and 100.<br><br>Note: The value might be provided in the source record by using a different scale, which should be normalized to this scale. The original value should be stored in ThreatRiskLevelOriginal. |
139+
| **ThreatRiskLevel** | Optional | RiskLevel (Integer) | The risk level associated with the threat. The level should be a number between 0 and 100.<br><br>Note: The value might be provided in the source record by using a different scale, which should be normalized to this scale. The original value should be stored in ThreatRiskLevelOriginal. |
140140
| **ThreatOriginalRiskLevel** | Optional | string | The risk level as reported by the originating system. |
141-
| **ThreatConfidence** | Optional | int | The confidence level of the threat identified, normalized to a value between 0 and a 100. |
141+
| **ThreatConfidence** | Optional | ConfidenceLevel (Integer) | The confidence level of the threat identified, normalized to a value between 0 and a 100. |
142142
| **ThreatOriginalConfidence** | Optional | string | The confidence level as reported by the originating system. |
143143
| **IndicatorType** | Recommended | Enumerated | The type or category of the indicator<br><br>Supported values are:<br>-`Ip`<br>-`User`<br>-`Process`<br>-`Registry`<br>-`Url`<br>-`Host`<br>-`Cloud Resource`<br>-`Application`<br>-`File`<br>-`Email`<br>-`Mailbox`<br>-`Logon Session`|
144144
| **IndicatorAssociation** | Optional | Enumerated | Specifies whether the indicator is linked to or directly impacted by the threat.<br><br>Supported values are:<br>-`Associated`<br>-`Targeted` |
@@ -154,7 +154,7 @@ This section defines fields related to the identification and classification of
154154
|-------|-------|------|-------------|
155155
| **UserId** | Optional | string | A machine-readable, alphanumeric, unique representation of the user associated with the alert.<br><br>e.g. `A1bC2dE3fH4iJ5kL6mN7o` |
156156
| **UserIdType** | Conditional | Enumerated | The type of the user ID, such as `GUID`, `SID`, or `Email`.<br><br>Supported values are:<br>- `GUID`<br>- `SID`<br>- `Email`<br>- `Username`<br>- `Phone`<br>- `Other` |
157-
| **Username** | Recommended | string | Name of the user associated with the alert, including domain information when available.<br><br>e.g. `Contoso\JSmith` or `[email protected]` |
157+
| **Username** | Recommended | Username (string) | Name of the user associated with the alert, including domain information when available.<br><br>e.g. `Contoso\JSmith` or `[email protected]` |
158158
| **User** | Alias | string | Alias or friendly name for `Username` field. |
159159
| **UsernameType** | Conditional | UsernameType | Specifies the type of the user name stored in the `Username` field. For more information, and list of allowed values, see [UsernameType](normalization-entity-user.md#usernametype) in the [Schema Overview article](normalization-about-schemas.md).<br><br>e.g. `Windows` |
160160
| **UserType** | Optional | UserType | The type of the Actor. For more information, and list of allowed values, see [UserType](normalization-entity-user.md#usertype) in the [Schema Overview article](normalization-about-schemas.md).<br><br> e.g. `Guest`|
