Merge branch 'master' into fixPodDuplicateDataIssue

Author: Shubhangi Pagar

.github/workflows/update-solutions-analyzer.yml

@@ -41,10 +41,15 @@ jobs:
           cd "Tools/Solutions Analyzer"
           python solution_connector_tables.py
       
+      - name: Generate Connector Documentation
+        run: |
+          cd "Tools/Solutions Analyzer"
+          python generate_connector_docs.py
+      
       - name: Check for changes
         id: check_changes
         run: |
-          if git diff --quiet "Tools/Solutions Analyzer/solutions_connectors_tables_mapping.csv" "Tools/Solutions Analyzer/solutions_connectors_tables_issues_and_exceptions_report.csv"; then
+          if git diff --quiet "Tools/Solutions Analyzer/solutions_connectors_tables_mapping.csv" "Tools/Solutions Analyzer/solutions_connectors_tables_issues_and_exceptions_report.csv" "Tools/Solutions Analyzer/connector-docs/"; then
             echo "changed=false" >> $GITHUB_OUTPUT
           else
             echo "changed=true" >> $GITHUB_OUTPUT
@@ -57,23 +62,25 @@ jobs:
           git config --local user.name "github-actions[bot]"
           git add "Tools/Solutions Analyzer/solutions_connectors_tables_mapping.csv"
           git add "Tools/Solutions Analyzer/solutions_connectors_tables_issues_and_exceptions_report.csv"
-          git commit -m "chore: Update Solutions Analyzer CSV files [skip ci]"
+          git add "Tools/Solutions Analyzer/connector-docs/"
+          git commit -m "chore: Update Solutions Analyzer CSV files and documentation [skip ci]"
           git push
       
       - name: Create summary
         if: steps.check_changes.outputs.changed == 'true'
         run: |
           echo "### Solutions Analyzer Updated :white_check_mark:" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
-          echo "CSV files have been regenerated and committed." >> $GITHUB_STEP_SUMMARY
+          echo "CSV files and documentation have been regenerated and committed." >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
           echo "**Modified files:**" >> $GITHUB_STEP_SUMMARY
           echo "- Tools/Solutions Analyzer/solutions_connectors_tables_mapping.csv" >> $GITHUB_STEP_SUMMARY
           echo "- Tools/Solutions Analyzer/solutions_connectors_tables_issues_and_exceptions_report.csv" >> $GITHUB_STEP_SUMMARY
+          echo "- Tools/Solutions Analyzer/connector-docs/" >> $GITHUB_STEP_SUMMARY
       
       - name: No changes summary
         if: steps.check_changes.outputs.changed == 'false'
         run: |
           echo "### Solutions Analyzer :information_source:" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
-          echo "No changes detected. CSV files are already up-to-date." >> $GITHUB_STEP_SUMMARY
+          echo "No changes detected. CSV files and documentation are already up-to-date." >> $GITHUB_STEP_SUMMARY

.script/package-automation/catalogAPI.ps1

@@ -123,15 +123,37 @@ function GetOfferVersion($offerId, $mainTemplateUrl)
 
 function GetPackageVersion($defaultPackageVersion, $offerId, $offerDetails, $packageVersionAttribute, $userInputPackageVersion)
 {
+    $setPackageVersion = $defaultPackageVersion
+
     if ($packageVersionAttribute)
     {
         $userInputMajor,$userInputMinor,$userInputBuild,$userInputRevision = $userInputPackageVersion.split(".")
         $defaultMajor,$defaultMinor,$defaultBuild,$defaultRevision = $defaultPackageVersion.split(".")
 
-        if ($userInputMajor -ge '2' -and $userInputMinor -gt $defaultMinor)
-        {
-            #return as is value of package version as middle value is greater
-            return $userInputPackageVersion 
+        # Convert to integers for proper numeric comparison
+        [int]$userInputMajor = $userInputMajor
+        [int]$userInputMinor = $userInputMinor
+        [int]$userInputBuild = $userInputBuild
+        [int]$defaultMajor = $defaultMajor
+        [int]$defaultMinor = $defaultMinor
+        [int]$defaultBuild = $defaultBuild
+
+        if ($userInputMajor -ge 3) {
+            # Version 3.x.x or higher: use user input if minor and build are greater than default
+            if ($userInputMinor -ge $defaultMinor -and $userInputBuild -gt $defaultBuild) {
+                $setPackageVersion = $userInputPackageVersion
+                if ($null -eq $offerDetails) {
+                    Write-Host "Package version set to $setPackageVersion"
+                    return $setPackageVersion
+                }
+            } elseif ($null -eq $offerDetails) {
+                Write-Host "Package version set to $userInputPackageVersion"
+                return $userInputPackageVersion
+            }
+        } elseif ($userInputMajor -le 2) {
+            # Version 2.x.x: always use default
+            Write-Host "Package version set to $defaultPackageVersion"
+            return $defaultPackageVersion
         }
     }
 
@@ -174,13 +196,13 @@ function GetPackageVersion($defaultPackageVersion, $offerId, $offerDetails, $pac
                 {
                     $identifiedOfferVersion = $offerMetadataVersion
                     $catalogMajor,$catalogminor,$catalogbuild,$catalogrevision = $identifiedOfferVersion.split(".")
-                    $defaultMajor,$defaultminor,$defaultbuild,$defaultrevision = $defaultPackageVersion.split(".")
+                    $defaultMajor,$defaultminor,$defaultbuild,$defaultrevision = $setPackageVersion.split(".")
 
-                    if ($defaultMajor -gt $catalogMajor)
+                    if ($defaultMajor -gt $catalogMajor -and $defaultminor -gt $catalogminor -and $defaultbuild -ge $catalogbuild)
                     {
-                        # eg: 3.0.0 > 2.0.1 ==> 3.0.0
-                        Write-Host "Default Package version is greater then the CatalogAPI version so $defaultVersionMessage"
-                        return $defaultPackageVersion
+                        # eg: 3.0.0 > 2.0.1 ==> 3.0.0 or 3.1.2 > 3.1.1 ==> 3.1.2
+                        Write-Host "Package version $setPackageVersion greater then the CatalogAPI version so $defaultVersionMessage"
+                        return $setPackageVersion
                     }
                     else 
                     {

.script/tests/KqlvalidationsTests/CustomTables/AZFWApplicationRule.json

@@ -9,6 +9,10 @@
         "Name": "ActionReason",
         "Type": "string"
       },
+      {
+        "Name": "_BilledSize",
+        "Type": "real"
+      },
       {
         "Name": "DestinationPort",
         "Type": "int"
@@ -17,6 +21,14 @@
         "Name": "Fqdn",
         "Type": "string"
       },
+      {
+        "Name": "_IsBillable",
+        "Type": "string"
+      },
+            {
+        "Name": "IsExplicitProxyRequest",
+        "Type": "bool"
+      },
       {
         "Name": "IsTlsInspected",
         "Type": "bool"
@@ -57,6 +69,10 @@
         "Name": "SourceSystem",
         "Type": "string"
       },
+      {
+        "Name": "_SubscriptionId",
+        "Type": "string"
+      },
       {
         "Name": "TargetUrl",
         "Type": "string"
@@ -76,6 +92,14 @@
       {
         "Name": "WebCategory",
         "Type": "string"
+      },
+      {
+        "Name": "_TimeReceived",
+        "Type": "datetime"
+      },
+      {
+        "Name": "_ItemId",
+        "Type": "string"
       }
     ]
 }

.script/tests/KqlvalidationsTests/CustomTables/AZFWDnsQuery.json

@@ -88,6 +88,14 @@
     {
       "Name": "Type",
       "Type": "string"
+    },
+    {
+      "Name": "_TimeReceived",
+      "Type": "datetime"
+    },
+    {
+      "Name": "_ItemId",
+      "Type": "string"
     }
   ]
 }

.script/tests/KqlvalidationsTests/CustomTables/AZFWIdpsSignature.json

@@ -80,6 +80,14 @@
   {
     "Name": "SignatureId",
     "Type": "string"
+  },
+  {
+    "Name": "_TimeReceived",
+    "Type": "datetime"
+  },
+  {
+    "Name": "_ItemId",
+    "Type": "string"
   }
 ]
 }

.script/tests/KqlvalidationsTests/CustomTables/AZFWNatRule.json

@@ -0,0 +1,89 @@
+{
+  "Name": "AZFWNatRule",
+  "Properties": [
+    {
+      "Name": "_BilledSized",
+      "Type": "real"
+    },
+    {
+      "Name": "DestinationIp",
+      "Type": "string"
+    },
+    {
+      "Name": "DestinationPort",
+      "Type": "int"
+    },
+{
+      "Name": "_IsBillable",
+      "Type": "string"
+    },
+    {
+      "Name": "Policy",
+      "Type": "string"
+    },
+    {
+      "Name": "Protocol",
+      "Type": "string"
+    },
+    {
+      "Name": "_ResourceId",
+      "Type": "string"
+    },
+    {
+      "Name": "Rule",
+      "Type": "string"
+    },
+    {
+      "Name": "RuleCollection",
+      "Type": "string"
+    },
+    {
+      "Name": "RuleCollectionGroup",
+      "Type": "string"
+    },
+    {
+      "Name": "SourceIp",
+      "Type": "string"
+    },
+    {
+      "Name": "SourcePort",
+      "Type": "int"
+    },
+    {
+      "Name": "SourceSystem",
+      "Type": "string"
+    },
+    {
+      "Name": "_SubscriptionId",
+      "Type": "string"
+    },
+    {
+      "Name": "TenantId",
+      "Type": "string"
+    },
+    {
+      "Name": "TimeGenerated",
+      "Type": "datetime"
+    },
+    {
+      "Name": "TranslatedIp",
+      "Type": "string"
+    },
+    {
+      "Name": "TranslatedPort",
+      "Type": "int"
+    },
+    {
+      "Name": "Type",
+      "Type": "string"
+    },
+    {
+      "Name": "_TimeReceived",
+      "Type": "datetime"
+    },
+    {
+      "Name": "_ItemId",
+      "Type": "string"
+    }
+  ]
+}

.script/tests/KqlvalidationsTests/CustomTables/AZFWNetworkRule.json

@@ -68,6 +68,14 @@
     {
       "Name": "Type",
       "Type": "string"
+    },
+    {
+      "Name": "_TimeReceived",
+      "Type": "datetime"
+    },
+    {
+      "Name": "_ItemId",
+      "Type": "string"
     }
   ]
 }

.script/tests/KqlvalidationsTests/CustomTables/AZFWThreatIntel.json

@@ -68,6 +68,14 @@
       {
         "Name": "Type",
         "Type": "string"
+      },
+      {
+        "Name": "_TimeReceived",
+        "Type": "datetime"
+      },
+      {
+        "Name": "_ItemId",
+        "Type": "string"
       }
     ]
   }

.script/tests/asimParsersTest/ExclusionListForASimTests.csv

@@ -3,6 +3,10 @@ _ASim_NetworkSession_NTANetAnalytics
 _Im_NetworkSession_NTANetAnalytics
 _Im_NetworkSession_AzureFirewall
 _ASim_NetworkSession_AzureFirewall
+_Im_WebSession_AzureFirewall
+_ASim_WebSession_AzureFirewall
+_Im_Dns_AzureFirewall
+_ASim_Dns_AzureFirewall
 _Im_Authentication_Sshd
 _ASim_Authentication_M365Defender
 _Im_Authentication_M365Defender

.script/tests/asimParsersTest/ingestASimSampleData.py

@@ -317,7 +317,7 @@ def convert_data_type(schema_result, data_result):
 SAMPLE_DATA_PATH = 'Sample%20Data/ASIM/'
 dcr_directory=[]
 
-lia_supported_builtin_table = ['ADAssessmentRecommendation','ADSecurityAssessmentRecommendation','Anomalies','ASimAuditEventLogs','ASimAuthenticationEventLogs','ASimDhcpEventLogs','ASimDnsActivityLogs','ASimDnsAuditLogs','ASimFileEventLogs','ASimNetworkSessionLogs','ASimProcessEventLogs','ASimRegistryEventLogs','ASimUserManagementActivityLogs','ASimWebSessionLogs','AWSCloudTrail','AWSCloudWatch','AWSGuardDuty','AWSVPCFlow','AzureAssessmentRecommendation','CommonSecurityLog','DeviceTvmSecureConfigurationAssessmentKB','DeviceTvmSoftwareVulnerabilitiesKB','ExchangeAssessmentRecommendation','ExchangeOnlineAssessmentRecommendation','GCPAuditLogs','GoogleCloudSCC','SCCMAssessmentRecommendation','SCOMAssessmentRecommendation','SecurityEvent','SfBAssessmentRecommendation','SharePointOnlineAssessmentRecommendation','SQLAssessmentRecommendation','StorageInsightsAccountPropertiesDaily','StorageInsightsDailyMetrics','StorageInsightsHourlyMetrics','StorageInsightsMonthlyMetrics','StorageInsightsWeeklyMetrics','Syslog','UCClient','UCClientReadinessStatus','UCClientUpdateStatus','UCDeviceAlert','UCDOAggregatedStatus','UCServiceUpdateStatus','UCUpdateAlert','WindowsEvent','WindowsServerAssessmentRecommendation','NTANetAnalytics']
+lia_supported_builtin_table = ['ADAssessmentRecommendation','ADSecurityAssessmentRecommendation','Anomalies','ASimAuditEventLogs','ASimAuthenticationEventLogs','ASimDhcpEventLogs','ASimDnsActivityLogs','ASimDnsAuditLogs','ASimFileEventLogs','ASimNetworkSessionLogs','ASimProcessEventLogs','ASimRegistryEventLogs','ASimUserManagementActivityLogs','ASimWebSessionLogs','AWSCloudTrail','AWSCloudWatch','AWSGuardDuty','AWSVPCFlow','AzureAssessmentRecommendation','CommonSecurityLog','DeviceTvmSecureConfigurationAssessmentKB','DeviceTvmSoftwareVulnerabilitiesKB','ExchangeAssessmentRecommendation','ExchangeOnlineAssessmentRecommendation','GCPAuditLogs','GoogleCloudSCC','SCCMAssessmentRecommendation','SCOMAssessmentRecommendation','SecurityEvent','SfBAssessmentRecommendation','SharePointOnlineAssessmentRecommendation','SQLAssessmentRecommendation','StorageInsightsAccountPropertiesDaily','StorageInsightsDailyMetrics','StorageInsightsHourlyMetrics','StorageInsightsMonthlyMetrics','StorageInsightsWeeklyMetrics','Syslog','UCClient','UCClientReadinessStatus','UCClientUpdateStatus','UCDeviceAlert','UCDOAggregatedStatus','UCServiceUpdateStatus','UCUpdateAlert','WindowsEvent','WindowsServerAssessmentRecommendation','NTANetAnalytics', 'AZFWNetworkRule', 'AZFWNatRule', 'AZFWApplicationRule', 'AZFWDnsQuery', 'AZFWIdspSignature', 'AZFWThreatIntel']
 reserved_columns = ["_ResourceId", "id", "_SubscriptionId", "TenantId", "Type", "UniqueId", "Title","_ItemId","verbose_b","verbose","MG","_ResourceId_s"]
 
 SentinelRepoUrl = "https://github.com/Azure/Azure-Sentinel"