Commit dfe29dd

author
Derrick Lee
committed
Update parser list and common fields
1 parent 856aaf9 commit dfe29dd

2 files changed

Lines changed: 82 additions & 76 deletions

File tree

articles/sentinel/normalization-common-fields.md

Lines changed: 10 additions & 9 deletions
@@ -18,7 +18,7 @@ Some fields are common to all ASIM schemas. Each schema might add guidelines for
1818

1919
## Standard Log Analytics fields
2020

21-
The following fields are generated by Log Analytics, in most cases, for each record. They can be overridden when you [create a custom connector](create-custom-connector.md).
21+
Log Analytics generates the following fields, in most cases, for each record. They can be overridden when you [create a custom connector](create-custom-connector.md).
2222

2323
| Field | Type | Discussion |
2424
| ------------- | -------- | ----------------------------------------------------------------------------------------------------------------------------------------- |
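Review bot: the switch to active voice on line 21+ leaves the second half of the sentence inconsistent: "in most cases" still sits as a parenthetical between "fields" and "for each record", and "They can be overridden" is still passive. Suggest "Log Analytics generates the following fields for each record in most cases. You can override them when you [create a custom connector](create-custom-connector.md)." so the paragraph reads in one voice.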
@@ -40,8 +40,8 @@ The following fields are defined by ASIM for all schemas:
4040
|---------------------|-------------|------------|--------------------|
4141
| <a name="eventmessage"></a>**EventMessage** | Optional | String | A general message or description, either included in or generated from the record. |
4242
| <a name="eventcount"></a>**EventCount** | Mandatory | Integer | The number of events described by the record. <br><br>This value is used when the source supports aggregation, and a single record might represent multiple events. <br><br>For other sources, set to `1`. |
43-
| <a name="eventstarttime"></a>**EventStartTime** | Mandatory | Date/time | The time in which the event started. If the source supports aggregation and the record represents multiple events, the time that the first event was generated. If not provided by the source record, this field aliases the [TimeGenerated](#timegenerated) field. |
44-
| <a name="eventendtime"></a>**EventEndTime** | Mandatory | Date/time | The time in which the event ended. If the source supports aggregation and the record represents multiple events, the time that the last event was generated. If not provided by the source record, this field aliases the [TimeGenerated](#timegenerated) field. |
43+
| <a name="eventstarttime"></a>**EventStartTime** | Mandatory | Date/time | The time when the event started. If the source supports aggregation and the record represents multiple events, the time that the first event was generated. If not provided by the source record, this field aliases the [TimeGenerated](#timegenerated) field. |
44+
| <a name="eventendtime"></a>**EventEndTime** | Mandatory | Date/time | The time when the event ended. If the source supports aggregation and the record represents multiple events, the time that the last event was generated. If not provided by the source record, this field aliases the [TimeGenerated](#timegenerated) field. |
4545
| <a name="eventtype"></a>**EventType** | Mandatory | Enumerated | Describes the operation reported by the record. Each schema documents the list of values valid for this field. The original, source specific, value is stored in the [EventOriginalType](#eventoriginaltype) field. |
4646
| <a name="eventsubtype"></a>**EventSubType** | Optional | Enumerated | Describes a subdivision of the operation reported in the [EventType](#eventtype) field. Each schema documents the list of values valid for this field. The original, source specific, value is stored in the [EventOriginalSubType](#eventoriginalsubtype) field. |
4747
| <a name="eventresult"></a>**EventResult** | Mandatory | Enumerated | One of the following values: **Success**, **Partial**, **Failure**, **NA** (Not Applicable).<br> <br>The value might be provided in the source record by using different terms, which should be normalized to these values. Alternatively, the source might provide only the [EventResultDetails](#eventresultdetails) field, which should be analyzed to derive the EventResult value.<br><br>Example: `Success`|
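Review bot: the "time in which" to "time when" fix on lines 43+ and 44+ is only applied to the first sentence of each cell; the aggregation sentence still reads "the time that the first event was generated" and "the time that the last event was generated". For consistency change those to "the time when the first event was generated" and "the time when the last event was generated". Separately, both fields are classed Mandatory while the text says they alias TimeGenerated when the source doesn't provide them; it would help parser authors to state that they must always be populated, falling back to TimeGenerated, so Mandatory is not read as "must exist in the source record".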
@@ -72,7 +72,7 @@ Each schema document specifies the role of the device for the schema.
7272

7373
| Field | Class | Type | Description |
7474
|---------------------|-------------|------------|--------------------|
75-
| <a name="dvc"></a>**Dvc** | Alias | String | A unique identifier of the device on which the event occurred or which reported the event, depending on the schema. <br><br>This field might alias the [DvcFQDN](#dvcfqdn), [DvcId](#dvcid), [DvcHostname](#dvchostname), or [DvcIpAddr](#dvcipaddr) fields. For cloud sources, for which there is no apparent device, use the same value as the [Event Product](#eventproduct) field. |
75+
| <a name="dvc"></a>**Dvc** | Alias | String | A unique identifier of the device on which the event occurred or which reported the event, depending on the schema. <br><br>This field might alias the [DvcFQDN](#dvcfqdn), [DvcId](#dvcid), [DvcHostname](#dvchostname), or [DvcIpAddr](#dvcipaddr) fields. For cloud sources, for which there's no apparent device, use the same value as the [Event Product](#eventproduct) field. |
7676
| <a name ="dvcipaddr"></a>**DvcIpAddr** | Recommended | IP address | The IP address of the device on which the event occurred or which reported the event, depending on the schema. <br><br>Example: `45.21.42.12` |
7777
| <a name ="dvchostname"></a>**DvcHostname** | Recommended | Hostname | The hostname of the device on which the event occurred or which reported the event, depending on the schema. <br><br>Example: `ContosoDc` |
7878
| <a name="dvcdomain"></a>**DvcDomain** | Recommended | Domain (String) | The domain of the device on which the event occurred or which reported the event, depending on the schema.<br><br>Example: `Contoso` |
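Review bot: line 75+ still renders the link text as "[Event Product](#eventproduct)", which doesn't match how every other field in this table is named (`DvcFQDN`, `DvcId`, `DvcHostname`, `DvcIpAddr`); since the row is being rewritten anyway, change it to "[EventProduct](#eventproduct)" so readers searching for the field name find it. The "there is" to "there's" change itself is fine.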
@@ -95,12 +95,12 @@ Each schema document specifies the role of the device for the schema.
9595

9696
| Field | Class | Type | Description |
9797
|---------------------|-------------|------------|--------------------|
98-
| <a name="additionalfields"></a>**AdditionalFields** | Optional | Dynamic | If your source provides additional information worth preserving, either keep it with the original field names or create the dynamic **AdditionalFields** field, and add to it the extra information as key/value pairs. |
98+
| <a name="additionalfields"></a>**AdditionalFields** | Optional | Dynamic | If your source provides additional information worth preserving, either keep it with the original field names or create the dynamic **AdditionalFields** field, and add the extra information as key/value pairs. |
9999

100100
### Schema updates
101101

102-
- The `EventOwner` field has been added to the common fields on Dec 1, 2022, and therefore to all of the schemas.
103-
- The `EventUid` field has been added to the common fields on Dec 26, 2022, and therefore to all of the schemas.
102+
- The `EventOwner` field was added to the common fields on December 1, 2022, and therefore to all of the schemas.
103+
- The `EventUid` field was added to the common fields on December 26, 2022, and therefore to all of the schemas.
104104

105105
## Vendors and products
106106

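Review bot: dropping "to it" on line 98+ loses the object of "add": the sentence no longer says where the key/value pairs go, which is the whole point of the AdditionalFields row. Suggest "create the dynamic **AdditionalFields** field, and add the extra information to it as key/value pairs". The tense and date-format changes on lines 102+ and 103+ read fine.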
@@ -114,10 +114,11 @@ The currently supported list of vendors and products used in the [EventVendor](#
114114
| `Cisco` | - `ASA`<br> - `Umbrella`<br> - `IOS`<br> - `Meraki` |
115115
| `Corelight` | `Zeek` |
116116
| `Cynerio` | `Cynerio` |
117-
| `Dataminr` | `Dataminr Pulse` |
117+
| `Dataminr` | `Dataminr Pulse` |
118+
| `Fortinet` | `Fortigate` |
118119
| `GCP` | `Cloud DNS` |
119120
| `Infoblox` | `NIOS` |
120-
| `Microsoft` | - Microsoft Entra ID<br> - `Azure`<br> - `Azure Firewall`<br> - `Azure Blob Storage`<br> - `Azure File Storage`<br> - `Azure NSG flows`<br> - `Azure Queue Storage`<br> - `Azure Table Storage` <br> - `DNS Server`<br> - `Microsoft Defender XDR for Endpoint`<br> - `Microsoft Defender for IoT`<br> - `Security Events`<br>- `SharePoint`<br>- `OneDrive`<br>- `Sysmon`<br> - `Sysmon for Linu`x<br> - `VMConnection`<br> - `Windows Firewall`<br> - `WireData`
121+
| `Microsoft` | - Microsoft Entra ID<br> - `Azure`<br> - `Azure Firewall`<br> - `Azure Blob Storage`<br> - `Azure File Storage`<br> - `Azure Key Vault`<br> - `Azure NSG flows`<br> - `Azure Queue Storage`<br> - `Azure Table Storage` <br> - `DNS Server`<br> - `Microsoft Defender XDR for Endpoint`<br> - `Microsoft Defender for IoT`<br> - `Security Events`<br>- `SharePoint`<br>- `OneDrive`<br>- `Sysmon`<br> - `Sysmon for Linu`x<br> - `VMConnection`<br> - `Windows Firewall`<br> - `WireData`
121122
| `Linux` | - `su`<br> - `sudo`|
122123
| `Okta` | - `Okta`<br> - `Auth0` |
123124
| `OpenBSD` | `OpenSSH` |
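Review bot: line 121+ carries over the misplaced backtick in `Sysmon for Linu`x from the old line; since the row is rewritten to add `Azure Key Vault`, fix it here to `Sysmon for Linux`. In the same row "Microsoft Entra ID" is the only product not wrapped in backticks, so either backtick it or note why it differs. On line 118+, check that the casing of `Fortigate` is exactly the string the Fortinet parser writes to EventProduct, because this table is presented as the supported list of EventVendor and EventProduct values and those are matched literally. Lines 117- and 117+ show no visible difference (likely trailing whitespace); harmless, but worth knowing it's not a content change.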
