
Merge Azure Sentinel Master into fork #26

Closed
Phrozyn wants to merge 10000 commits into armor:master from Azure:master

Conversation

@Phrozyn

@Phrozyn Phrozyn commented Jun 20, 2024

Required items, please complete

Change(s):

  • See guidance below

Reason for Change(s):

  • See guidance below

Version Updated:

  • Required only for Detections/Analytic Rule templates
  • See guidance below

Testing Completed:

  • See guidance below

Checked that the validations are passing and have addressed any issues that are present:

  • See guidance below

Guidance <- remove section before submitting


Before submitting this PR please ensure that you have read the following sections and filled out the changes, reason for change and testing complete sections:

Thank you for your contribution to the Microsoft Sentinel GitHub repo.

Details of the code changes in your submitted PR. Providing descriptions for pull requests ensures there is context to changes being made and greatly enhances the code review process. Providing associated Issues that this resolves also easily connects the reason.

Change(s):

  • Updated syntax for XYZ.yaml

Reason for Change(s):

Version updated:

  • Yes
  • Detections/Analytic Rule templates are required to have the version updated

The code should have been tested in a Microsoft Sentinel environment that does not have any custom parsers, functions or tables, so that you validate no incorrect syntax and execution functions properly. If your submission requires a custom parser or function, it must be submitted with the PR.

Testing Completed:

  • Yes/No/Need Help

Note: If updating a detection, you must update the version field.

Before the submission has been made, please look at running the KQL and YAML Validation Checks locally.
https://github.com/Azure/Azure-Sentinel#run-kql-validation-locally

Checked that the validations are passing and have addressed any issues that are present:

  • Yes/No/Need Help

Note: Let us know if you have tried fixing the validation error and need help.

References:


Fuqing Wang and others added 30 commits March 24, 2026 09:29
…ta-Connectors/azure-core-1.38.0

Bump azure-core from 1.32.0 to 1.38.0 in /Solutions/XBOW/Data Connectors
Reorder and simplify the Threat Intelligence analytic query to deduplicate records earlier and apply active/expiration filters afterwards. Added summarize arg_max(TimeGenerated, *) by Id, Url and by Id, ObservableValue to get the latest record before filtering, moved IsActive/ValidUntil/ExpirationDateTime checks to follow deduplication, and removed redundant time-order checks and extra arg_max usages related to EmailUrlInfo. These changes ensure the latest valid indicators are retained and simplify the join logic. Bumped version 1.0.5 -> 1.0.6.
Introduce MicrosoftCopilotActivityMonitoring workbook and wire it into the Microsoft Copilot solution. Changes include: add workbook JSON under Workbooks/, reference it in Solution_MicrosoftCopilot.json, add Workbooks step to createUiDefinition, add workbook parameters/variables/resources/template-spec and metadata to mainTemplate.json, include the workbook in the content package manifest, add test parameter for workbook name, and fix KQL parameter quoting in the workbook queries. Updated packaged zip accordingly.
Reorder and clean up ThreatIntelIndicators handling for URL and domain matches. For URLs, summarize (arg_max) by Id/ObservableValue first, then filter for active/unexpired indicators, and normalize ObservableValue to lowercase before joining with EmailUrlInfo_. For domains, normalize DomainName to lowercase earlier and correct the projected active field name to IsActive. These changes ensure joins use the latest, active indicators and consistent casing for reliable matching.
Release update for Threat Intelligence (NEW): add packaged artifact 3.0.16.zip and bump solution/template versions to 3.0.16. Update analytic rule 6 version to 1.0.6 and refine its KQL query logic to use arg_max(TimeGenerated,*) and improved filtering for URL/domain indicators. Standardize/roll back several resource apiVersion values (various Microsoft.OperationalInsights and Microsoft.SecurityInsights providers) and update resource descriptions and field mappings formatting across templates.
…tructions

Optimize TI analytic rule deduplication and filters
…etoCCF

rename to VMware Carbon Black Cloud via AWS S3(via Codeless Connector Framework)
…oCCF

Rename CCF to Sophos Endpoint Protection (via Codeless Connector Platform)
…nametoCCF

Rename CCF solution to SentinelOne (via Codeless Connector Framework)
Rename CCF solution to Okta Single Sign-On (via Codeless Connector Framework)
rename Box Events(CCP) to Box Events (via Codeless Connector Framework)
…etoCCF

rename Netskopev2(CCP) to Netskope(via Codeless Connector Framework)
…csv date field (#13899)

* Fixing null byte corruption in the azure state manager timestamp and date formatting field for csv

* updated the code and .zip to address comment of Guarding the none in format_date

---------

Co-authored-by: Krishna Chilukamarri <v-krishna_microsoft.com@microsoft.com>
* Create parser and changelog

* Update changelog

* Update asimtester

* Fix kql validation

* [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files.

* Fix kql and update changelog

* [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files.

* Align schema ver

* Remove Proxy from file names and keep as CiscoUmbrella

* [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files.

---------

Co-authored-by: Derrick Lee <derricklee@microsoft.com>
Co-authored-by: github-actions[bot] <>
AmirSasson and others added 29 commits April 6, 2026 14:47
[ASIM Parser] Add Palo Alto Pan-OS Authentication log ASIM Parser
* Create parser for Cisco IOS

* Update changelog

* [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files.

* Add function

* Update dates

* [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files.

---------

Co-authored-by: Derrick Lee <derricklee@microsoft.com>
Co-authored-by: github-actions[bot] <>
Co-authored-by: Derrick Lee <derricklee@microsoft.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Update D3 Smart SOAR solution to v3.2.0 with new offer ID
…stems/DataConnectors/aiohttp-3.13.4

Bump aiohttp from 3.13.3 to 3.13.4 in /Solutions/Open Systems/DataConnectors
…pace-resourceid

Fix: Cyren-SentinelOne workspaceResourceId ARM deployment error (InvalidTemplate on workspace name)
* Create parser

* Update readme

* [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files.

* KQL fixes

* [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files.

* More kql fix

* [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files.

* Adjust parser to include AVSVcSyslog

* [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files.

* Create AVSVCSyslog table for validation

* update dates

* Fix parameter in asim auth

* [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files.

---------

Co-authored-by: Derrick Lee <derricklee@microsoft.com>
Co-authored-by: github-actions[bot] <>
…-names-for-arg

Update ARG Tables' name to align with those in Table Management part.
…small-fix

remove redundant [] in arm template
Enhance reader role for reduced scope of agentless connector
Add Citrix Analytics CCF solution (Push connector via Codeless Connector Framework)
…oPrismaCloud/Data-Connectors/aiohttp-3.13.4

Bump aiohttp from 3.13.3 to 3.13.4 in /Solutions/PaloAltoPrismaCloud/Data Connectors
#14010)

* [AtlassianConfluenceAuditConnector] - update streamDeclarations in DCR

* Update Solutions/AtlassianConfluenceAudit/Data/Solution_AtlassianConfluenceAudit.json

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

---------

Co-authored-by: Srikar Shastry <Srikar.Sistla@microsoft.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Derrick Lee <derricklee@microsoft.com>
@Phrozyn Phrozyn closed this Apr 8, 2026