Merge remote-tracking branch 'upstream/master'

# Conflicts:
#	Tools/Solutions Analyzer/solutions_connectors_tables_mapping.csv

Author: MartinPankraz

.github/copilot-instructions.md

@@ -0,0 +1,82 @@
+# GitHub Copilot Instructions for Azure-Sentinel Repository
+
+## Solutions Analyzer Tools
+
+When working with the Solutions Analyzer tools in `Tools/Solutions Analyzer/`:
+
+### Output Locations
+
+There are THREE different output scenarios - **never confuse them**:
+
+1. **Default (development):** CSVs are written to `Tools/Solutions Analyzer/` in the current branch
+   - This is the normal case when developing/testing
+   - **Never generate documentation here**
+
+2. **Output worktree (publishing CSVs):** `C:\Users\ofshezaf\GitHub\Azure-Sentinel-solution-analyzer-output\Tools\Solutions Analyzer`
+   - Only use this when **specifically requested** to "publish CSVs to the output branch"
+   - This is a separate git worktree for the CSV output branch
+   - **Only CSVs go here, never documentation**
+
+3. **Documentation output:** `C:\Users\ofshezaf\GitHub\sentinelninja\Solutions Docs`
+   - This is where generated markdown documentation goes
+   - This is in a **separate repository** (sentinelninja)
+   - Empty the target folder before generating new docs
+
+### Key Rules
+
+- **Never generate docs locally** in the Azure-Sentinel repository
+- **Generate docs only in the sentinelninja repo** when asked or needed
+- **For official CSV releases**, generate CSVs **only** in the solution analyzer output worktree
+- Always use `--output-dir` flag when running `generate_connector_docs.py`
+
+### Running Scripts
+
+#### Mapper Script
+```powershell
+cd "Tools/Solutions Analyzer"
+python map_solutions_connectors_tables.py
+```
+
+**Note:** Do NOT truncate or filter the output (e.g., do not pipe through `Select-Object`). The script prints timestamped progress messages to the console that the user needs to see. Run with `isBackground: false` and `timeout: 0` so the full output is visible.
+
+#### Documentation Generator
+```powershell
+python generate_connector_docs.py --output-dir "C:\Users\ofshezaf\GitHub\sentinelninja\Solutions Docs" --skip-input-generation
+```
+
+**IMPORTANT:** Never run without `--output-dir` flag.
+
+**IMPORTANT:** Do NOT truncate or filter the output (e.g., do not pipe through `Select-Object`). Run with `isBackground: false` and `timeout: 0` so the full output is visible to the user.
+
+**IMPORTANT:** Always use `--skip-input-generation` unless you specifically need to regenerate the input CSVs (mapper + collect_table_info). Without this flag, the doc generator will re-run those scripts automatically, which is slow and unnecessary if the CSVs are already up-to-date.
+
+**IMPORTANT:** Run the mapper script before generating docs if:
+- The mapper script itself was modified, OR
+- Any override YAML file in the `overrides/` folder was modified (including adding, editing, or removing `additional_connectors` entries), OR
+- You specifically need to refresh the CSV data, OR
+- You are explicitly asked to run the mapper
+
+### Caching and Logging
+
+- **Cache:** `.cache/` folder for analysis caching
+- **Logs:** `.logs/` folder for log files
+
+**Log file:** `Tools/Solutions Analyzer/.logs/map_solutions_connectors_tables.log`
+
+Use `--force-refresh` with these types when modifying analysis logic:
+- `asim` - ASIM parser analysis
+- `parsers` - Non-ASIM parser analysis
+- `solutions` - Solution content analysis
+- `standalone` - Standalone content item analysis
+- `marketplace` - Marketplace availability check (requires network)
+- `tables` - Table reference info (requires network)
+
+### Script Documentation
+
+**Before updating a script:** Always review the relevant script documentation in `Tools/Solutions Analyzer/docs/` first.
+
+**When updating a script**, update the corresponding script doc to reflect:
+- Any script parameters added or changed
+- Any output file changes, including changes to CSV files (new columns, renamed columns, removed columns)
+- Any changes to analysis methods or logic
+- Update the primary readme.md if needed and add the change to the change log. Do not add a version if the previous version as manifested by the changelog, was not committed yet.

.github/workflows/runAsimSchemaAndDataTesters.yaml

@@ -43,6 +43,14 @@ jobs:
     outputs:
       approved: ${{ steps.check-approval.outputs.approved }}
     steps:
+      - name: Checkout pull request branch
+        if: github.event.pull_request != null
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
+          fetch-depth: 0
+
       - name: Check if PR needs approval
         id: check-approval
         run: |
@@ -96,7 +104,39 @@ jobs:
             echo "needs_approval=false" >> $GITHUB_OUTPUT
             echo "comment_needed=false" >> $GITHUB_OUTPUT
           fi
-      
+
+      - name: Prevent fork modifications to test infrastructure
+        if: github.event.pull_request.head.repo.fork == true
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          log_info() { echo "ℹ️  $1"; }
+          log_error() { echo "❌ $1"; }
+          log_success() { echo "✅ $1"; }
+
+          log_info "Checking for modifications to asimParsersTest folder in fork PR..."
+
+          # We are currently checked out at the fork's HEAD SHA (actions/checkout did that).
+          # Add the base repo as a remote and fetch the base branch, so we can diff reliably.
+          git remote remove upstream 2>/dev/null || true
+          git remote add upstream "https://github.com/${{ github.repository }}.git"
+
+          log_info "Fetching base branch ${{ github.event.pull_request.base.ref }} from upstream..."
+          git fetch --no-tags --prune upstream "${{ github.event.pull_request.base.ref }}"
+
+          # Diff base branch (FETCH_HEAD) -> current HEAD (fork head)
+          modified_files="$(git diff --name-only "FETCH_HEAD...HEAD")"
+
+          if echo "$modified_files" | grep -E "\.script/tests/asimParsersTest/" > /dev/null; then
+            log_error "Fork PRs cannot modify the asimParsersTest test infrastructure folder"
+            log_error "Modified test files detected:"
+            echo "$modified_files" | grep "\.script/tests/asimParsersTest/" | sed 's/^/  - /'
+            exit 1
+          fi
+          
+          log_success "No modifications to asimParsersTest folder detected"
+
       - name: Comment on fork PR for approval guidance
         if: |
           always() && 

.gitignore

@@ -346,3 +346,4 @@ Hunting Queries/DeployedQueries.json
 .script/**/*.js.map
 .script/**/*.d.ts
 .script/**/*.d.ts.map
+/.vscode

.script/package-automation/catalogAPI.ps1

@@ -25,6 +25,28 @@ function GetCatalogDetails($offerId)
                 return $null;
             }
             else {
+                # Handle case where multiple offers are returned with same OfferId
+                if ($offerDetails -is [System.Object[]] -and $offerDetails.Count -gt 1)
+                {
+                    Write-Host "Multiple offers found for offerId $offerId. Matching by publisherId from baseMetadata."
+                    $matched = $offerDetails | Where-Object { $_.publisherId -eq $baseMetadata.publisherId }
+                    if ($null -ne $matched)
+                    {
+                        if ($matched -is [System.Object[]])
+                        {
+                            $offerDetails = $matched[0]
+                        }
+                        else
+                        {
+                            $offerDetails = $matched
+                        }
+                    }
+                    else
+                    {
+                        Write-Host "No offer matched publisherId '$($baseMetadata.publisherId)'. Defaulting to first offer."
+                        $offerDetails = $offerDetails[0]
+                    }
+                }
                 Write-Host "CatalogAPI Details found for offerId $offerId"
                 return $offerDetails;
             }

.script/tests/KqlvalidationsTests/CustomFunctions/AWSCloudTrail.json

@@ -146,6 +146,10 @@
             "name": "EC2RoleDelivery",
             "type": "String"
         },
+        {
+            "name": "UserIdentityAccessKeyId",
+            "type": "String"
+        },
         {
             "name": "Session*",
             "type": "String"

.script/tests/KqlvalidationsTests/CustomTables/VersasecCmsErrorLogs.json

@@ -0,0 +1,57 @@
+{
+    "Name": "VersasecCmsErrorLogs",
+    "Properties": [
+        {
+            "name": "TimeGenerated",
+            "type": "datetime"
+        },
+        {
+            "name": "EventVendor",
+            "type": "string"
+        },
+        {
+            "name": "EventProduct",
+            "type": "string"
+        },
+        {
+            "name": "CmsErrorID",
+            "type": "real"
+        },
+        {
+            "name": "ErrorCode",
+            "type": "string"
+        },
+        {
+            "name": "CmsErrorIDStrg",
+            "type": "string"
+        },
+        {
+            "name": "ErrorId",
+            "type": "real"
+        },
+        {
+            "name": "ComputerName",
+            "type": "string"
+        },
+        {
+            "name": "ClientId",
+            "type": "string"
+        },
+        {
+            "name": "ErrorMessage",
+            "type": "string"
+        },
+        {
+            "name": "TargetUsername",
+            "type": "real"
+        },
+        {
+            "name": "SupportTicket",
+            "type": "string"
+        },
+        {
+            "name": "TicketReference",
+            "type": "string"
+        }
+    ]
+}

.script/tests/KqlvalidationsTests/CustomTables/VersasecCmsErrorLogs_CL.json

@@ -0,0 +1,39 @@
+{
+    "Name": "VersasecCmsErrorLogs_CL",
+    "Properties": [
+		{
+            "name": "TimeGenerated",
+            "type": "datetime"
+        }, {
+            "name": "CmsErrorID",
+            "type": "real"
+        }, {
+            "name": "CmsErrorIDCode",
+            "type": "string"
+        }, {
+            "name": "CmsErrorIDStrg",
+            "type": "string"
+        }, {
+            "name": "ID",
+            "type": "real"
+        }, {
+            "name": "ComputerName",
+            "type": "string"
+        }, {
+            "name": "CLID",
+            "type": "string"
+        }, {
+            "name": "ErrorStrg",
+            "type": "string"
+        }, {
+            "name": "UserID",
+            "type": "real"
+        }, {
+            "name": "SupportTicket",
+            "type": "string"
+        }, {
+            "name": "TicketRef",
+            "type": "string"
+        }
+    ]
+}

.script/tests/KqlvalidationsTests/CustomTables/VersasecCmsSysLogs.json

@@ -0,0 +1,53 @@
+{
+    "Name": "VersasecCmsSysLogs",
+    "Properties": [
+        {
+            "name": "TimeGenerated",
+            "type": "datetime"
+        },
+		{
+            "name": "EventVendor",
+            "type": "string"
+        },
+		{
+            "name": "EventProduct",
+            "type": "string"
+        },
+        {
+            "name": "EventId",
+            "type": "real"
+        },
+        {
+            "name": "EventResult",
+            "type": "string"
+        },
+        {
+            "name": "ActivitySummary",
+            "type": "string"
+        },
+        {
+            "name": "SyslogID",
+            "type": "real"
+        },
+        {
+            "name": "ComputerName",
+            "type": "string"
+        },
+        {
+            "name": "TargetUsername",
+            "type": "string"
+        },
+        {
+            "name": "Parameter",
+            "type": "string"
+        },
+        {
+            "name": "UserID",
+            "type": "real"
+        },
+        {
+            "name": "TicketReference",
+            "type": "string"
+        }
+    ]
+}

.script/tests/KqlvalidationsTests/CustomTables/VersasecCmsSysLogs_CL.json

@@ -0,0 +1,45 @@
+{
+    "Name": "VersasecCmsSysLogs_CL",
+    "Properties": [
+        {
+            "name": "TimeGenerated",
+            "type": "datetime"
+        },
+        {
+            "name": "SyslogID",
+            "type": "real"
+        },
+        {
+            "name": "SyslogIDCode",
+            "type": "string"
+        },
+        {
+            "name": "SyslogIDStrg",
+            "type": "string"
+        },
+        {
+            "name": "ID",
+            "type": "real"
+        },
+        {
+            "name": "ComputerName",
+            "type": "string"
+        },
+        {
+            "name": "CLID",
+            "type": "string"
+        },
+        {
+            "name": "Param1",
+            "type": "string"
+        },
+        {
+            "name": "UserID",
+            "type": "real"
+        },
+        {
+            "name": "TicketRef",
+            "type": "string"
+        }
+    ]
+}