Merge pull request #54296 from KenMAG/rename-update-KenMAG

Updated this module for content freshness

Author: ttorble

learn-pr/wwl-sci/data-normalization-microsoft-sentinel/3-use-asim-parsers.yml

@@ -4,7 +4,7 @@ title: Use ASIM Parsers
 metadata:
   title: Use ASIM Parsers
   description: "Use ASIM Parsers"
-  ms.date: 05/18/2023
+  ms.date: 04/17/2026
   author: wwlpublish
   ms.author: kelawson
   ms.topic: unit

learn-pr/wwl-sci/data-normalization-microsoft-sentinel/4-understand-parameterized-kql-functions.yml

@@ -4,7 +4,7 @@ title: Understand parameterized KQL functions
 metadata:
   title: Understand parameterized KQL functions
   description: "Understand parameterized KQL functions"
-  ms.date: 05/18/2023
+  ms.date: 04/17/2026
   author: wwlpublish
   ms.author: kelawson
   ms.topic: unit

learn-pr/wwl-sci/data-normalization-microsoft-sentinel/6-configure-azure-monitor-data-collection-rules.yml

@@ -4,7 +4,7 @@ title: Configure Azure Monitor Data Collection Rules
 metadata:
   title: Configure Azure Monitor Data Collection Rules
   description: "Configure Azure Monitor Data Collection Rules"
-  ms.date: 05/18/2023
+  ms.date: 04/17/2026
   author: wwlpublish
   ms.author: kelawson
   ms.topic: unit

learn-pr/wwl-sci/data-normalization-microsoft-sentinel/8-summary-resources.yml

@@ -4,7 +4,7 @@ title: Summary and resources
 metadata:
   title: Summary and resources
   description: "Summary and resources"
-  ms.date: 05/18/2023
+  ms.date: 04/17/2026
   author: wwlpublish
   ms.author: kelawson
   ms.topic: unit

learn-pr/wwl-sci/data-normalization-microsoft-sentinel/includes/3-use-asim-parsers.md

@@ -40,17 +40,20 @@ _Im_Dns
 | summarize count() by SrcIpAddr, bin(TimeGenerated,15m)
 ```
 
-The following table lists available unifying parsers:
+The following table lists key unifying parsers. For the complete current list, see [ASIM parsers overview](/azure/sentinel/normalization-parsers-overview).
 
-| Schema | Unifying parser|
+| Schema | Built-in unifying parser |
 | :--- | :--- |
-| Authentication | imAuthentication|
-| Dns| _Im_Dns|
-| File Event| imFileEvent|
-| Network Session |_Im_NetworkSession |
-| Process Event| imProcessCreate and imProcessTerminate|
-| Registry Event | imRegistry|
-| Web Session | _Im_WebSession|
+| Authentication | `_Im_Authentication` |
+| Audit Event | `_Im_AuditEvent` |
+| DHCP Event | `_Im_Dhcp` |
+| DNS | `_Im_Dns` |
+| File Event | `_Im_FileEvent` |
+| Network Session | `_Im_NetworkSession` |
+| Process Event | `_Im_ProcessEvent` |
+| Registry Event | `_Im_RegistryEvent` |
+| User Management | `_Im_UserManagement` |
+| Web Session | `_Im_WebSession` |
 
 
 ## Optimizing parsing using parameters

learn-pr/wwl-sci/data-normalization-microsoft-sentinel/includes/4-understand-parameterized-kql-functions.md

@@ -1,4 +1,4 @@
-When calling KQL functions, you can provide a set of parameters.  This is an important concept for building ASIM parsers as it allows you to filter the function results with dynamic values before returning results.
+When calling KQL functions, you can provide a set of parameters. This is an important concept for building ASIM parsers as it allows you to filter the function results with dynamic values before returning results.
 
 
 
@@ -35,7 +35,7 @@ Then create two parameters:
 Your screen should look like the image below:
 
 
-:::image type="content" source="../media/example-function-properties.png#lightbox" alt-text="Screenshot of K Q L Function properties.":::
+:::image type="content" source="../media/example-function-properties.png" alt-text="Screenshot of KQL function properties." lightbox="../media/example-function-properties.png":::
 
 Create a new query. Then enter:
 
@@ -44,7 +44,7 @@ AzureActivityByCategory("Administrative", todatetime("2021/04/05 5:40:01.032 PM"
 ```
 
 
-:::image type="content" source="../media/example-use-function.png#lightbox" alt-text="Screenshot of the K Q L calling Function.":::
+:::image type="content" source="../media/example-use-function.png" alt-text="Screenshot of a KQL query calling a parameterized function." lightbox="../media/example-use-function.png":::
 
 
 

learn-pr/wwl-sci/data-normalization-microsoft-sentinel/includes/6-configure-azure-monitor-data-collection-rules.md

@@ -1,20 +1,23 @@
-Another way of normalizing log data is transforming the data at ingestion time.  This provides the benefit of storing the data in a parsed format for use in Microsoft Sentinel.
+Another way of normalizing log data is transforming the data at ingestion time. This provides the benefit of storing the data in a parsed format for use in Microsoft Sentinel.
 
 
 ## Data collection rules in Azure Monitor
 
-Data Collection Rules (DCRs) provide an ETL-like pipeline in Azure Monitor, allowing you to define the way that data coming into Azure Monitor should be handled. Depending on the type of workflow, DCRs may specify where data should be sent and may filter or transform data before it's stored in Azure Monitor Logs. Some data collection rules will be created and managed by Azure Monitor, while you may create others to customize data collection for your particular requirements. 
+Data Collection Rules (DCRs) provide an ETL-like pipeline in Azure Monitor, allowing you to define the way that data coming into Azure Monitor should be handled. Depending on the type of workflow, DCRs may specify where data should be sent and may filter or transform data before storing it in Azure Monitor Logs. Some data collection rules are created by Azure Monitor, while you may create others to customize data collection for your particular requirements. 
 
 ## Types of data collection rules
-There are currently two types of data collection rules in Azure Monitor:
+Azure Monitor supports several types of data collection rules. Common types include:
 
-- **Standard DCR**. Used with different workflows that send data to Azure Monitor. Workflows currently supported are Azure Monitor agent and custom logs.
+- **Standard DCR**. Used with different workflows that send data to Azure Monitor, including the Azure Monitor agent and custom logs ingestion.
 
-- **Workspace transformation DCR**. Used with a Log Analytics workspace to apply ingestion-time transformations to workflows that don't currently support DCRs.
+- **Workspace transformation DCR**. Used with a Log Analytics workspace to apply ingestion-time transformations to workflows that don't currently support DCRs directly.
+
+> [!NOTE]
+> For the current complete list of DCR types and supported workflows, see [Data collection rules in Azure Monitor](/azure/azure-monitor/essentials/data-collection-rule-overview).
 
 
 ## Transformations
-Transformations in a data collection rule (DCR) allow you to filter or modify incoming data before it's stored in a Log Analytics workspace. Data transformations are defined using a Kusto Query Language (KQL) statement that is applied individually to each entry in the data source. It must understand the format of the incoming data and create output in the structure of the target table.
+Transformations in a data collection rule (DCR) allow you to filter or modify incoming data before storing it in a Log Analytics workspace. Data transformations are defined using a Kusto Query Language (KQL) statement that is applied individually to each entry in the data source. It must understand the format of the incoming data and create output in the structure of the target table.
 
 ### Transformation structure
 The input stream is represented by a virtual table named **source** with columns matching the input data stream definition. Following is a typical example of a transformation. This example includes the following functionality:

learn-pr/wwl-sci/data-normalization-microsoft-sentinel/includes/8-summary-resources.md

@@ -1,4 +1,4 @@
-You should have learned how to normalize and use ASIM Parsers in Microsoft Sentinel.
+You learned how to normalize and use ASIM Parsers in Microsoft Sentinel.
 
 You should now be able to:
 
@@ -10,6 +10,6 @@ You should now be able to:
 
 You can learn more by reviewing the following.
 
-[Become a Microsoft Sentinel Ninja](https://techcommunity.microsoft.com/t5/azure-sentinel/become-an-azure-sentinel-ninja-the-complete-level-400-training/ba-p/1246310?azure-portal=true)
+[Become a Microsoft Sentinel Ninja](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/become-a-microsoft-sentinel-ninja-the-complete-level-400/ba-p/1246310?azure-portal=true)
 
 [Microsoft Tech Community Security Webinars](https://techcommunity.microsoft.com/t5/microsoft-security-and/security-community-webinars/ba-p/927888?azure-portal=true)

learn-pr/wwl-sci/data-normalization-microsoft-sentinel/index.yml

@@ -3,11 +3,12 @@ uid: learn.wwl.data-normalization-microsoft-sentinel
 metadata:
   title: Data normalization in Microsoft Sentinel
   description: "Data normalization in Microsoft Sentinel"
-  ms.date: 03/13/2024
+  ms.date: 04/17/2026
   author: wwlpublish
   ms.author: kelawson
   ms.topic: module
   ms.service: microsoft-sentinel
+  ai.usage: ai-assisted
 title: Data normalization in Microsoft Sentinel
 summary: By the end of this module, you're able to use Advanced Security Information Model (ASIM) parsers to identify threats inside your organization.
 abstract: |