Removed external blog reference text from several hunting query descr…

[v-sabiraj]

…iptions

Remove external blog reference text from several hunting query descriptions and sanitize UI text. Bump hunting query versions (e.g. 1.1.1→1.1.2, 1.0.2→1.0.3, 1.0.0→1.0.1) and propagate those version changes into solution mainTemplate.json. Update package artifacts: modify Endpoint Threat Protection Essentials package files and add Windows Security Events package 3.0.12.zip. Also normalize entityMappings ordering/formatting and adjust an alert override format in the main template.

Required items, please complete

Change(s):

• See guidance below

Reason for Change(s):

• See guidance below

Version Updated:

• Required only for Detections/Analytic Rule templates
• See guidance below

Testing Completed:

• See guidance below

Checked that the validations are passing and have addressed any issues that are present:

• See guidance below

Guidance <- remove section before submitting

---

Before submitting this PR please ensure that you have read the following sections and filled out the changes, reason for change and testing complete sections:

Thank you for your contribution to the Microsoft Sentinel Github repo.

Details of the code changes in your submitted PR. Providing descriptions for pull requests ensures there is context to changes being made and greatly enhances the code review process. Providing associated Issues that this resolves also easily connects the reason.

Change(s):

• Updated syntax for XYZ.yaml

Reason for Change(s):

• New schema used for XYZ.yaml
• Resolves ISSUE Add Logstash required version to Readme file #1234

Version updated:

• Yes
• Detections/Analytic Rule templates are required to have the version updated

The code should have been tested in a Microsoft Sentinel environment that does not have any custom parsers, functions or tables, so that you validate no incorrect syntax and execution functions properly. If your submission requires a custom parser or function, it must be submitted with the PR.

Testing Completed:

• Yes/No/Need Help

Note: If updating a detection, you must update the version field.

Before the submission has been made, please look at running the KQL and Yaml Validation Checks locally.
https://github.com/Azure/Azure-Sentinel#run-kql-validation-locally

Checked that the validations are passing and have addressed any issues that are present:

• Yes/No/Need Help

Note: Let us know if you have tried fixing the validation error and need help.

References:

• Guidance for Detection checks
• General contribution guidance
• PR validation troubleshooting

---

[Copilot]

Pull request overview

Removes external blog reference text from hunting query descriptions/UI text and bumps solution/hunting query versions, propagating the version changes through packaged templates.

Changes:

• Updated Windows Security Events solution/package version to 3.0.12 and bumped a hunting query version (1.0.0 → 1.0.1) with corresponding product IDs.
• Updated Endpoint Threat Protection Essentials hunting query versions (1.1.1 → 1.1.2, 1.0.2 → 1.0.3) and removed external “Ref” text from package/UI descriptions.
• Normalized JSON formatting/order for entityMappings and adjusted alertDetailsOverride property ordering.

Reviewed changes

Copilot reviewed 7 out of 9 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
Solutions/Windows Security Events/Package/mainTemplate.json	Bumps solution/package version to 3.0.12 and propagates a hunting query version update into IDs/version fields.
Solutions/Windows Security Events/Hunting Queries/RemoteScheduledTaskCreationUpdateviaSchtasks.yaml	Removes external blog reference and bumps hunting query version to 1.0.1.
Solutions/Endpoint Threat Protection Essentials/Package/mainTemplate.json	Bumps hunting query versions, removes external “Ref” from description tags, normalizes mappings format, and reorders alert override fields.
Solutions/Endpoint Threat Protection Essentials/Package/createUiDefinition.json	Removes external blog reference from UI text block.
Solutions/Endpoint Threat Protection Essentials/Hunting Queries/ScheduledTaskCreationUpdateFromUserWritableDrectory.yaml	Removes external blog reference and bumps hunting query version to 1.0.3.
Solutions/Endpoint Threat Protection Essentials/Hunting Queries/RemoteScheduledTaskCreationUpdateUsingATSVCNamedPipe.yaml	Removes external blog reference and bumps hunting query version to 1.1.2.
Hunting Queries/SecurityEvent/RemoteScheduledTaskCreationUpdateviaSchtasks.yaml	Removes external blog reference from the non-solution hunting query description.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.