Commit 6cd9bd6

Edouard360, RamboV, mhebrard-bigid, Derrick Lee and oshezaf authored
N3 (#4)
* Add files via upload
* Update deployment options for JoeSandbox data connector
* Revert "Update BigID package and add stepId variable"
  This reverts commit d3ddbc8.
  Changed support url to a valid one
* Code change
* [ASIM] ASimTester.csv Authentication change (Azure#13518)
  * Changes
  * Add NetworkCleartext to EventSubType
  * Revert "Changes"
    This reverts commit 55feb9c.
  ---------
  Co-authored-by: Derrick Lee <derricklee@microsoft.com>
* [ASIM] UserManagement - AWSCloudTrail (New Parser) (Azure#13503)
  * Work in progress
  * fix source
  * [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files.
  * Add all necessary files
  * [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files.
  * Fix error in json
  * Fix?
  * [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files.
  * Add changelog to ASIM folder
  * [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files.
  * Move changelog
  * [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files.
  * Remove Other as EventType
  * [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files.
  * Add post-filtering
  * [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files.
  * Fixes to yaml validation
  ---------
  Co-authored-by: Derrick Lee <derricklee@microsoft.com>
  Co-authored-by: github-actions[bot] <>
* changed offer ID
* remove unused variable
* correct category and apiVersion values
* Fix ARM-TTK validation failures by removing empty properties from mainTemplate.json
  - Removed empty title, description, postDeployment, and lastUpdateTime properties from playbook metadata blocks (playbook7 and playbook10)
  - Regenerated 3.0.4.zip package with the fixes
  - Preserves existing 3.0.0.zip as per reviewer feedback
* fixed null value issues
* EAII-364 WithSecure connector v. 3.0.2 application zip on Python 3.12
* Update ReleaseNotes.md to correct date and enhance change history for version 3.0.0
* Azure Firewall: add IDPS analytics, bump to 3.0.6
* EAII-364 update date in release notes
* Revert "chore: Update Solutions Analyzer CSV files (#2)"
  This reverts commit a63d238
* Update WorkspaceUsage.json
  Update to support Sentinel data lake
  Update to improve daily checks
* Fix IPinfo connectors: runtime pinning, dependency updates, and multi-workspace ASN support
* Update release notes for version 3.0.0
  Updated release notes to reflect the removal of manual deployment steps.
* Update ReleaseNotes.md
* CyrenThreatIntelligence v3.0.3: Fix duplicate data ingestion (follow-up to Azure#13603)
  Changes in this PR:
  - Increased 'count' from 100 to 1000 in both IP Reputation and Malware URLs pollers (Cyren IP Rep feed has ~800 indicators, Malware URLs ~200 — all fit in one page)
  - Increased 'queryWindowInMin' from 15 to 360 minutes (6 hours) (Threat intelligence feeds are relatively static and do not require frequent polling)
  - Preserved PersistentToken paging from v3.0.2
  - Added 3.0.3.zip package (all previous versions preserved: 3.0.0, 3.0.1, 3.0.2)
  - Updated ReleaseNotes.md
  Root cause of duplication: With count=100, the connector made 8+ page requests per poll cycle to fetch all ~800 indicators. Combined with 15-minute polling, this re-ingested the same data 96 times per day. Observed: 304,000 rows with only 198 unique IPs (1,535:1 duplicate ratio).
  Files changed:
  - Cyren_PollerConfig.json: count 100→1000, queryWindowInMin 15→360
  - Package/mainTemplate.json: Same fixes + version bump to 3.0.3
  - Package/3.0.3.zip: Updated package with all changes
  - ReleaseNotes.md: Added 3.0.3 entry
* changed id for one alert rule
* Change max_records from 100 (testing) to 10000 (production)
* changed id for another alert rule for same error
* removed vscode
* remove old copy
* Fix PR review feedback: remove remaining empty properties and restore ZIP packages
  Removes remaining empty metadata properties (title, description, postDeployment, lastUpdateTime) causing ARM-TTK validation failures and restores previously deleted ZIP packages (2.0.0, 2.0.1, 2.0.2, 3.0.0, 3.0.1, 3.0.2, 3.0.3) per reviewer request.
* Apply consistent DCR workspace validation logic to all IPinfo Azure Functions
* Add Island V2 CCP data connector and update connector descriptions
  Add DCR-based V2 connector for user, admin, and system events. Mark V1 connectors (Admin Audit, User Activity) as legacy with documentation links. Rebuild solution package at version 3.1.0.
  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* [IONIX] Regenerate package with V3 tool (v3.1.0)
  - Downgrade version from 4.0.0 to 3.1.0 per reviewer request
  - Regenerate mainTemplate.json and createUiDefinition.json using V3 packaging tool
  - Add 3.1.0.zip package and testParameters.json
  - Fix CCF files: wrap Table in array, remove dependsOn:null from ConnectorDefinition
  - Fix DCR transform: add missing is_open_b column (queries depend on it)
  - Fix Solution_IONIX.json: only list ConnectorDefinition (tool auto-discovers rest)
  - Add DataConnectorCCFVersion, lastPublishDate, Author email
  - Fix deprecation notice title to match actual CCF connector name
  - Update ReleaseNotes.md version to 3.1.0
* Update ARM template deployment links
* Update soft links for flex and premium plans
* Add files via upload
* Update BloodHound Enterprise to version 3.2.2, including new zip package and updated template version in mainTemplate.json.
* url based rule creation
* Data file updated
* Solution Packaged to 3.0.14
* Packaged
* create ui file updated
* Zip updated
* TacitRed-SentinelOne v3.0.2: Fix InvalidResourceLocation and remove domain filter
  - Remove non-standard 'location' parameter from inner template, use variables('workspace-location-inline') matching 489 other solutions
  - Fix metadata resource name: change [[ (double bracket) to [ (single bracket) for outer template resolution, matching 481 other solutions
  - Remove TacitRed_Domain parameter from deployment UI, Logic App params, and API URI — playbook now fetches all findings without domain filter
  - Update standalone playbook template to match
  - Bump version to 3.0.2
  - Preserve 3.0.0 zip package
* TacitRed-IOC-CrowdStrike v3.0.1: Fix deployment errors and missing playbook template
  - Remove non-standard 'location' parameter from inner template, use variables('workspace-location-inline') matching 489 other solutions
  - Add missing hidden-SentinelTemplateName and hidden-SentinelTemplateVersion tags so playbook template appears in Sentinel Automation page
  - Remove TacitRed_Domain parameter from deployment UI, Logic App params, and API URI — playbook now fetches all findings without domain filter
  - Update standalone playbook template to match
  - Bump version to 3.0.1
  - Preserve 3.0.0 zip package
* Bump cryptography
  Bumps [cryptography](https://github.com/pyca/cryptography) from 44.0.1 to 46.0.5.
  - [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
  - [Commits](pyca/cryptography@44.0.1...46.0.5)
  ---
  updated-dependencies:
  - dependency-name: cryptography
    dependency-version: 46.0.5
    dependency-type: direct:production
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
* Add missing v3.0.1 release notes entry
* Repackage as v3.0.1 (master is 3.0.0)
* Solution version back to 3.0.1
* ReleaseNotes: single 3.0.1 entry
* Add 3.0.1.zip package
* Remove 3.0.2.zip — repackaged as 3.0.1
* Update Cisco Duo Security solution to version 3.1.1
  - Bump solution version from 3.1.0 to 3.1.1
  - Update solutionId from "cisco.duo-security-sentinel" to "cisco.cisco-duo-microsoft-sentinel"
  - Update offerId in SolutionMetadata.json to match new solutionId
  - Update all component template descriptions to reference version 3.1.1
* [IONIX] Fix ARM-TTK and branding validation failures
  - Fix empty label/text nulls in createUiDefinition.json workbook section
  - Add default value for workbook1-name parameter
  - Fix "Sentinel" → "Microsoft Sentinel" branding across all files
* Update Azure Resource Manager API versions in Cisco Duo Security solution
  - Update contentTemplates API version from 2023-04-01-preview to 2025-09-01
  - Update savedSearches API version from 2022-10-01 to 2025-07-01
  - Update metadata API version from 2022-01-01-preview to 2025-09-01
  - Rebuild package zip file with updated template
* Update Solutions/CiscoDuoSecurity/Package/mainTemplate.json
  Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Update Solutions/CiscoDuoSecurity/Package/mainTemplate.json
  Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Fix workbook-to-connector linkage and address PR review feedback
  - Restore ReleaseNotes.md with v3.0.4 entry
  - Add running Data Connector screenshots for all 15 connectors
  - Rebuild 3.0.4.zip to match mainTemplate.json and createUiDefinition.json
* Removed external blog reference text from several hunting query descriptions
  Remove external blog reference text from several hunting query descriptions and sanitize UI text. Bump hunting query versions (e.g. 1.1.1→1.1.2, 1.0.2→1.0.3, 1.0.0→1.0.1) and propagate those version changes into solution mainTemplate.json. Update package artifacts: modify Endpoint Threat Protection Essentials package files and add Windows Security Events package 3.0.12.zip. Also normalize entityMappings ordering/formatting and adjust an alert override format in the main template.
* Update release notes for two solutions
  Modify release notes for Endpoint Threat Protection Essentials and Windows Security Events. For Endpoint Threat Protection Essentials, extend the 3.0.5 entry to note removal of a broken URL from both an Analytic Rule and a Hunting query. For Windows Security Events, add a new 3.0.12 entry (18-02-2026) documenting removal of external blog reference text from two hunting query descriptions.
* Bump savedSearches apiVersion and update package
  Update Microsoft.OperationalInsights/workspaces/savedSearches apiVersion from 2022-10-01 to 2025-07-01 in mainTemplate.json (two occurrences) to align with the newer ARM API. Also update the packaged Solution (3.0.8.zip) to include these template changes.
* Updated savedSearches API version
  Update savedSearchesApiVersion from 2022-10-01 to 2025-07-01 in PrepareSolutionMetadata (Tools/Create-Azure-Sentinel-Solution/common/commonFunctions.ps1). Ensures the solution metadata uses the newer saved searches API version for compatibility with recent service changes.
* Update ReleaseNotes.md
* Update packageUri for Luminar Azure Function App
* Update packageUri for Luminar Azure Function
* Updated api version to resolve arm ttk
* [IONIX] Fix deployment error: restore workbook contentId and version
  The V3 packaging tool (commit e694e4e) blanked out workbookContentId1 and workbookVersion1 variables, causing ARM deployment to fail with "BadRequestException - properties.contentId is required".
* [IONIX] Regenerate package with V3 tool (fixes reviewer comment)
  Regenerated mainTemplate.json and createUiDefinition.json using the V3 packaging tool (createSolutionV3.ps1) instead of manual edits. The tool reads the standalone CCF connector files, workbook, and analytic rule from the Solution_IONIX.json manifest and produces the ARM template. Fixes: "Manual updates to the main template are not recommended"
* minor changes
* updated the zip files for 17 dataconnectors
* Remove external ref URLs and bump version
  Remove the external reference URL line from the descriptions in FakeComputerAccountCreated and FakeComputerAccountAuthenticationAttempt to avoid embedding the blog link in detection content. Also increment the detection version in FakeComputerAccountCreated from 1.0.3 to 1.0.4. No changes to detection logic or data connectors.
* renamed functions zip and updated reference in ARM template; also ignore .vscode folder
* Fix DCR transform query: undefined symbol 'detections'
  - Changed 'smishing_detections = detections' to 'smishing_detections = smishing_alert.detections' in:
    - LookoutStreaming_DCR.json
    - Package/mainTemplate.json
    - Package/3.0.1/mainTemplate.json
  - Fixes connector resource creation failure (InvalidTransformQuery)
  Amp-Thread-ID: https://ampcode.com/threads/T-019b37d6-4b66-7648-aa8e-b83e755d26ad
  Co-authored-by: Amp <amp@ampcode.com>
* Update version to 3.0.2 across all solution files
  - Solution version: 3.0.1 -> 3.0.2
  - dataConnectorVersion1: 1.0.0 -> 3.0.2
  - dataConnectorCCPVersion: 3.0.1 -> 3.0.2
  - Updated SolutionMetadata.json and Solution_Lookout.json
  Amp-Thread-ID: https://ampcode.com/threads/T-019b37d6-4b66-7648-aa8e-b83e755d26ad
  Co-authored-by: Amp <amp@ampcode.com>
* Update Lookout solution v3.0.2: version alignment, install wizard improvements
  - Updated all 13 template version description strings from 3.0.1 to 3.0.2 in mainTemplate.json
  - Added Parsers and Notebooks steps to createUiDefinition.json for improved discoverability
  - Added Notebooks count to solution description summary
  - Added standalone parser ARM template (LookoutEvents_ARM.json)
  - Added Package/3.0.1 archive folder
  - Updated ReleaseNotes.md with all changes
* build ccf mainTemplate json using v3 tool (#3)
* recompile using v3 tool
* recompile using v3 tool
* self review
* follow up from claude on depends for contentPackages
* revert
* cleanup
* minimize diff
* update version in Data/Solution_Feedly.json
* updated zip folder with latest template files
* release note
* Revert "Asim workflow"
* Updated as commented on PR
* main template updated
* Zip updated
* Resolved arm ttk failed check
* Links fixed. Removed review.
* Add Parser reviewers as CODEOWNERS for .script
* [ASIM] AuditEvent - AWS Cloud Trail (New Parser) (Azure#13428)
  * Create new parser for AWS Cloud Trail
  * Parser update
  * [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files.
  * KQL fixes
  * Update parsers and changelog
  * [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files.
  * KQL fix
  * [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files.
  * Fix KQL
  * [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files.
  * Add to test script
  * Fixes.
  * [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files.
  ---------
  Co-authored-by: Derrick Lee <derricklee@microsoft.com>
  Co-authored-by: github-actions[bot] <>
* Bump aiohttp in /Solutions/ESET Protect Platform/Data Connectors (Azure#13660)
  ---
  updated-dependencies:
  - dependency-name: aiohttp
    dependency-version: 3.13.3
    dependency-type: direct:production
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Bump aiohttp in /Solutions/Rapid7InsightVM/Data Connectors (Azure#13663)
  ---
  updated-dependencies:
  - dependency-name: aiohttp
    dependency-version: 3.13.3
    dependency-type: direct:production
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Bump requests in /DataConnectors/AWS-S3-AzureFunction (Azure#13664)
  Bumps [requests](https://github.com/psf/requests) from 2.31.0 to 2.32.4.
  - [Release notes](https://github.com/psf/requests/releases)
  - [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md)
  - [Commits](psf/requests@v2.31.0...v2.32.4)
  ---
  updated-dependencies:
  - dependency-name: requests
    dependency-version: 2.32.4
    dependency-type: direct:production
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Add Kusto uploader tool to Solutions Analyzer (v7.9)
  - New upload_to_kusto.py script for uploading CSV files to Azure Data Explorer
  - Solution Analyzer mode uploads all 10 CSVs with predefined table names
  - Supports local source directory (--source-dir) or GitHub download
  - Added script documentation in script-docs/upload_to_kusto.md
  - Updated README.md with new tool entry and v7.9 changelog
* Fix: skip CSV header row during Kusto ingestion
  Add ignore_first_record=True to both ingestion paths to prevent the CSV header line from being uploaded as a data row.
* Revert "chore: Update Solutions Analyzer CSV files (#2)"
  This reverts commit a63d238
* Bump Azure.Identity from 1.10.2 to 1.11.4 (Azure#13665)
  ---
  updated-dependencies:
  - dependency-name: Azure.Identity
    dependency-version: 1.11.4
    dependency-type: direct:production
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* revert to state 2c59b20
* Add CCF Push collection method, CCF config file discovery, and CCF capabilities extraction
  - New 'CCF Push' collection method for connectors using DCR/DCE push ingestion (11 connectors, detected via DeployPushConnectorButton pattern)
  - New ccf_config_file column in connectors.csv with GitHub URL to CCF config (122 out of 133 CCF/CCF Push connectors have config files identified)
  - New ccf_capabilities column extracting auth type, paging, POST, MvExpand from CCF config JSON (103 connectors with capabilities)
  - CCF Push entry in COLLECTION_METHODS_METADATA for doc generation
  - Connector detail pages now show CCF Configuration link and CCF Capabilities
  - Updated script-docs and README with v7.9.1 changelog
  - Added --skip-input-generation to copilot-instructions.md
* Add CCF (Legacy) collection method and fix config file detection
  - New CCF (Legacy) type for 9 connectors with embedded pollingConfig and no separate CCF config file (Dynatrace x4, Egress, Island x2, LastPass, Seraphic)
  - extract_legacy_ccf_capabilities() extracts auth/paging/POST from pollingConfig
  - Improved find_ccf_config_file(): finds connectors.json (Bitwarden) and searches sibling *_ccp/ directories (GCP)
  - CCF (Legacy) added to doc generator COLLECTION_METHODS_METADATA and stats
  - Updated README changelog, mapper and doc generator script docs
* Fix CCF config detection: skip azuredeploy ARM templates
  The _poller pattern in CCF_CONFIG_PATTERNS was matching azuredeploy ARM template files (e.g., azuredeploy_Okta_native_poller_connector_v2.json) instead of actual CCF config files (e.g., OktaSSOv2_PollingConfig.json).
  Added azuredeploy and mainTemplate to skip patterns in find_ccf_config_file(). Fixes 16 connectors that had wrong config files, including OktaSSOv2. OktaSSO_Polling (v1) correctly reclassified as CCF (Legacy) since its only file was the azuredeploy ARM template with embedded pollingConfig.
* Replace em-dash with ? for missing info, update copilot instructions
  - Replace misleading em-dash (—) with ? for 'no information available' in generated docs (table features, tables count, solution links, etc.)
  - Copilot instructions: add isBackground:false and timeout:0 for both mapper and doc generator scripts to ensure full output visibility
* adding Storage Blob CCF template
* Fix CCF config self-referencing and add child _ccp dir search
  find_ccf_config_file() now skips the connector JSON file itself, preventing self-referencing where the primary file was returned as the config file. Also searches child *_ccp/ directories (not just siblings), fixing CortexXDR which has CortexXDR_ccp/ as a child of Data Connectors/.
  Fixes: Phosphorus_Polling, EgressSiemPolling -> CCF (Legacy)
         CortexXDRIncidents -> CCF (finds PollingConfig.json in child _ccp/)
* fixed typo
* CyrenThreatIntelligence v3.0.4: Fix credential scanner + version alignment
  - Remove default values from securestring token parameters (cyrenIpReputationToken, cyrenMalwareUrlToken) to pass Partner Center automated validation credential scanner
  - Fix contentPackages version alignment (3.0.2 -> 3.0.4)
  - Add 3.0.4.zip package
* fix: _CL tables always support Ingestion API; lake-only _CL tables support transformations
  Custom log tables (_CL suffix) are not listed in Microsoft's reference docs, so their capabilities were incorrectly reported.
  Applied rules:
  - All _CL tables: ingestion_api_supported = Yes
  - _CL tables with lake-only support: supports_transformations = Yes
  Fix applied in both collect_table_info.py (for tables_reference.csv) and map_solutions_connectors_tables.py (for tables.csv, covering _CL tables not in the reference).
* Finalize CCF analysis
* Commit (Azure#13672)
  Co-authored-by: Derrick Lee <derricklee@microsoft.com>
* Update version and add parser reviewers to asimParsersTest (Azure#13673)
  Co-authored-by: Derrick Lee <derricklee@microsoft.com>
* [ASIM] FileEvent - AWSCloudTrail (New Parser) (Azure#13569)
  * Add parser
  * File changelog
  * [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files.
  * Update AWSCloudTrail function for tests
  * Fix parameter
  * [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files.
  * Address PR comments
  * [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files.
  * Update schema version
  ---------
  Co-authored-by: Derrick Lee <derricklee@microsoft.com>
  Co-authored-by: github-actions[bot] <>
* Add missing field (EventSchemaVersion) to ASimDnsNative parsers
* [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files.
* Resolve comments
* Fix #3524225: Align queryPeriod to match 5d learning window
  The SWG - Abnormal Deny Rate analytics rule defines LearningPeriod = 5d but queryPeriod was only 25h. This prevented the rule from retrieving sufficient historical data for baseline computation. Changed queryPeriod to 7d to ensure full coverage of the learning window with buffer.
* Bump rule version to 1.0.4
* Revert "Bump Azure.Identity from 1.10.2 to 1.11.4 (Azure#13665)"
  This reverts commit 31a1ac5.
* Update azuredeploy.json
* Update Microsoft Entra ID solution to 3.3.9
  Add packaged release 3.3.9 and update mainTemplate.json to bump solution and template versions from 3.3.8 to 3.3.9 across connectors, workbooks and analytics rules. Also apply template fixes and cleanups: reorder/format alert display/description fields, correct customDetails key mappings (OAuthAppId/OAuthApplication), add/update custom detail entries, and adjust incident groupingConfiguration (adding groupByAlertDetails, matchingMethod, groupByCustomDetails, groupByEntities). Minor formatting and structural tweaks throughout the template to align with the new 3.3.9 package.
* Remove empty grouping fields; update package zip
  Remove redundant empty array properties (groupByAlertDetails, groupByCustomDetails, groupByEntities) from multiple groupingConfiguration blocks in mainTemplate.json while keeping matchingMethod and reopenClosedIncident. Also update the packaged artifact Solutions/Microsoft Entra ID/Package/3.3.9.zip. This cleans up the ARM template by removing unnecessary empty fields.
* Remove encodeURIComponent from Graph user URI
  Use concat directly when building the Microsoft Graph users URI in ARM templates instead of wrapping it with encodeURIComponent. Updated the expression in mainTemplate.json and the Block-AADUser playbook's incident-trigger azuredeploy.json to fix the URI expression. Also updated the packaged 3.3.9.zip to include these changes.
* Fix URI concat syntax in templates
  Remove an extraneous closing parenthesis in the Graph API user URI expression used for PATCH operations. Updated mainTemplate.json and the Block-AADUser incident-trigger azuredeploy.json to correct the concat(...) expression, and repackaged 3.3.9.zip to include the fix. This prevents malformed user URIs when calling https://graph.microsoft.com/v1.0/users and avoids runtime errors during playbook/template deployment.
* Update ReleaseNotes.md
* Updated technique in hunting query and Microsoft Business Applications to 3.2.3
  Release bump to version 3.2.3: adds the packaged release archive (Solutions/Microsoft Business Applications/Package/3.2.3.zip) and updates mainTemplate.json to reference 3.2.3 across the solution variable, resource descriptions, content/version fields for workbooks, analytic rules, hunting queries, playbooks, and parsers. Also adjusts technique IDs in a few rule/query entries (T0819 -> T1190).
* Update ReleaseNotes.md
* Update Solution_NetworkSessionEssentials.json
* Update ExchagngeSuspiciousFileDownloads.yaml
* Checkout PR branch; block fork test infra changes
* Fix ARM-TTK validation: update API versions, remove disallowed parser and backup dir
  - Update savedSearches apiVersion from 2022-10-01 to 2025-02-01 in mainTemplate.json
  - Remove Parsers/LookoutEvents_ARM.json (only .yaml/.md allowed in Parsers)
  - Remove Package/3.0.1/ backup directory that caused redundant ARM-TTK scan failures
  - Rebuild 3.0.2.zip with corrected mainTemplate.json
  Amp-Thread-ID: https://ampcode.com/threads/T-019c8ac9-300b-74ab-b4a0-a861ca47d8f4
  Co-authored-by: Amp <amp@ampcode.com>
* Add CCF connector as primary data source for analytic rules
  - Update requiredDataConnectors in all 5 analytic rules to reference LookoutStreaming_Definition (CCF) with LookoutMtdV2_CL as primary
  - Retain LookoutAPI as fallback data connector
  - Fixes [DEPRECATED] data source label in Analytics rule templates
  - Rebuild 3.0.2.zip with updated mainTemplate.json
  Amp-Thread-ID: https://ampcode.com/threads/T-019c8ac9-300b-74ab-b4a0-a861ca47d8f4
  Co-authored-by: Amp <amp@ampcode.com>
* add CrowdSec playbook
* update images path
* add doc link
* remove unnecessary file
* [ASIM] Fix typos in AWSCloudTrail AuditEvent parser (Azure#13690)
  * Fix typos
  * [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files.
  ---------
  Co-authored-by: Derrick Lee <derricklee@microsoft.com>
  Co-authored-by: github-actions[bot] <>
* Bump aiohttp (Azure#13692)
  ---
  updated-dependencies:
  - dependency-name: aiohttp
    dependency-version: 3.13.3
    dependency-type: direct:production
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Remove duplicate dataconnectors text blocks
* Update savedSearches apiVersion and docs
  Bump Microsoft.OperationalInsights/savedSearches apiVersion from 2022-10-01 to 2025-07-01 for hunting queries in mainTemplate.json, remove the HTML deprecation note about the legacy Log Analytics agent from solution metadata (Solution_Windows Security Events.json, createUiDefinition.json, mainTemplate.json), and refresh the packaged solution zip (3.0.12.zip). These changes align saved search resources with a newer API version and clean up installer documentation.
* Update ReleaseNotes.md
* Update 3.0.0.zip
* revert to state 2c59b20
* revert to master
* Update WorkbooksMetadata.json
  forgot to add this version change to PR 135629
* Update README.md
* add release 1.1.9
* Update base path
* Bump OperationalInsights API versions
  Update mainTemplate.json to use Microsoft.OperationalInsights API version 2025-07-01 for savedSearches and workspace savedSearches resources. Also bump the ExchagngeSuspiciousFileDownloads.yaml detection version from 1.0.4 to 1.0.5 and refresh the packaged solution (3.2.3.zip) to include these changes.
* fix(cyren): repackage as v3.0.3 using V3 tool per reviewer request
  Reviewer Shubham Kore flagged that since v3.0.3 is not yet live on Partner Center, we should not increase the solution version. Updated content with same version 3.0.3.
  Changes:
  - Updated Solution_Cyren.json Version: 3.0.4 → 3.0.3
  - Ran createSolutionV3.ps1 — regenerated mainTemplate.json at version 3.0.3
  - Regenerated 3.0.3.zip with V3 tool output (includes cred scanner + alignment fixes)
  - Removed incorrect 3.0.4.zip (version bump that should not have happened)
* Revert "fix(cyren): repackage as v3.0.3 using V3 tool per reviewer request"
  This reverts commit c30b4d0.
* fix(cyren): surgical fix — repackage at v3.0.3 per reviewer request
  Per reviewer Shubham Kore: since v3.0.3 is not yet live on Partner Center, do not increase the solution version. Update content and repackage at same version.
  Surgical changes only:
  - Solution_Cyren.json Version: 3.0.4 → 3.0.3
  - mainTemplate.json _solutionVersion: 3.0.4 → 3.0.3
  - mainTemplate.json contentPackages.version: 3.0.4 → 3.0.3
  - Rebuilt 3.0.3.zip with updated content
  - Removed incorrect 3.0.4.zip
  All other content (credential scanner fix, version alignment) preserved exactly.
* Address PR review: use template variables, bump to v3.0.0, repackage
  - Updated connector files to use {{...}} template variables for dataCollectionEndpoint, dataCollectionRuleImmutableId, location, appId
  - Bumped solution version to 3.0.0 in Solution_DataBahn.json
  - Deleted unnecessary solutionMetadata.json under Data Connectors/DataBahn_PUSH_CCP
  - Fixed 404 documentation link to valid URL
  - Updated ReleaseNotes.md with v3.0.0 entry
  - Repackaged solution using V3 packaging tool
  Co-authored-by: Cursor <cursoragent@cursor.com>
* Convert parameter types to securestring in template
  Change parameter types from "string" to "securestring" for sensitive parameters (connectorDefinitionName, workspace, tenantId, clientId, clientSecret, auditHost, innerWorkspace, etc.) across multiple parameter blocks in Solutions/Microsoft Business Applications/Package/mainTemplate.json. The packaged artifact Solutions/Microsoft Business Applications/Package/3.2.3.zip was also updated to reflect these template changes.
* Update README.md
* Fix punctuation and spacing in release notes
  Add a missing period and normalize trailing spaces on the 3.0.2 entry in Solutions/WithSecureElementsViaFunction/ReleaseNotes.md for consistency.
* update minimum tls version from 1.0 to 1.2 Azure storage account
* Remove v1.0.0 entry from ReleaseNotes.md per review feedback
  Co-authored-by: Cursor <cursoragent@cursor.com>
* Update Solution_Island.json
* Update ReleaseNotes.md
* Scrubbed sample data
* Reverted 3.2.0.zip to original state.
* Packaged
* Fix publisherId to databahninc1771934525923 and repackage
  Co-authored-by: Cursor <cursoragent@cursor.com>
* fix: update content template version descriptions from 3.0.1 to 3.0.3
* Updated description
* build(deps): bump diff (Azure#13474)
  Bumps and [diff](https://github.com/kpdecker/jsdiff). These dependencies needed to be updated together.
  Updates `diff` from 5.2.0 to 5.2.2
  - [Changelog](https://github.com/kpdecker/jsdiff/blob/master/release-notes.md)
  - [Commits](kpdecker/jsdiff@v5.2.0...v5.2.2)
  Updates `diff` from 4.0.2 to 4.0.4
  - [Changelog](https://github.com/kpdecker/jsdiff/blob/master/release-notes.md)
  - [Commits](kpdecker/jsdiff@v5.2.0...v5.2.2)
  ---
  updated-dependencies:
  - dependency-name: diff
    dependency-version: 5.2.2
    dependency-type: indirect
  - dependency-name: diff
    dependency-version: 4.0.4
    dependency-type: indirect
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  Co-authored-by: v-atulyadav <v-atulyadav@microsoft.com>
* Update WEBSITE_RUN_FROM_PACKAGE URLs to aka.ms shortlinks for 16 connectors
* Update ASN connector WEBSITE_RUN_FROM_PACKAGE to aka.ms shortlink
* Update packaged solution
* bugfixes
* update filtering arm template
* Update README with new Logstash version support
  Added support for Logstash versions 8.19.2, 9.0.8, 9.1.10, and 9.2.4 - 9.2.5, after testing.
* update data connector blade text
* Create cleanup-stale-branch.yaml
* Remove unused environment variables from stale branch cleanup workflow
* Update cron schedule to run stale branch cleanup daily
* Update stale-branches action to a specific commit for stability
* Update cron schedule to run stale branch cleanup daily
* Remove 3.0.4 entry from ReleaseNotes per reviewer request
* fix versioning

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Rambatla Venkat Rao <68921481+RamboV@users.noreply.github.com>
Co-authored-by: Marc Hébrard <mhebrard@bigid.com>
Co-authored-by: Derrick Lee <derricklee@microsoft.com>
Co-authored-by: Ofer Shezaf <39997089+oshezaf@users.noreply.github.com>
Co-authored-by: Derrick Lee <derricklee91@gmail.com>
Co-authored-by: Shams Zawoad <szawoad@visa.com>
Co-authored-by: Sreedhar Ande <22670063+sreedharande@users.noreply.github.com>
Co-authored-by: prlopez <prlopez@gmail.com>
Co-authored-by: AndreyGlushok <andrey.glushok@withsecure.com>
Co-authored-by: Ingebrigt Nygård <ingebrigt@securepractice.co>
Co-authored-by: v-shukore <v-shukore@microsoft.com>
Co-authored-by: v-atulyadav <v-atulyadav@microsoft.com>
Co-authored-by: v-dvedak <103933805+v-dvedak@users.noreply.github.com>
Co-authored-by: Clive Watson <clive_watson@hotmail.com>
Co-authored-by: Prasanna Sekar <prasanna.sekar@sacumen.com>
Co-authored-by: maheshji001 <v-maheshbh@microsoft.com>
Co-authored-by: mazamizo21 <mazamizo21@users.noreply.github.com>
Co-authored-by: Iddo Waxman <iddo.waxman@island.io>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: itai.margalit <itai.margalit@ionix.io>
Co-authored-by: Moin <121222944+moin-loginsoft@users.noreply.github.com>
Co-authored-by: Omkar Jadhav <omkar.jadhav@metronlabs.com>
Co-authored-by: v-utpalkumar <v-utpalkumar@microsoft.com>
Co-authored-by: v-kasghosh <v-kasghosh@microsoft.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: mazamizo21 <121246886+mazamizo21@users.noreply.github.com>
Co-authored-by: Prajval UM <152960029+prajval-um@users.noreply.github.com>
Co-authored-by: prajval um <pum@cisco.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: v-sabiraj <v-sabiraj@microsoft.com>
Co-authored-by: Jarod Amos <jamos@beyondtrust.com>
Co-authored-by: Your Name <you@example.com>
Co-authored-by: Amp <amp@ampcode.com>
Co-authored-by: Hector-Suarez <v-hectorsu@microsoft.com>
Co-authored-by: Ofer Shezaf <Ofer.Shezaf@microsoft.com>
Co-authored-by: javiersoriano <javisd23@gmail.com>
Co-authored-by: TwistedAlex <40569707+TwistedAlex@users.noreply.github.com>
Co-authored-by: Hung Nguyen <hunngu@microsoft.com>
Co-authored-by: github-actions[bot] <>
Co-authored-by: mirit sadon <miritsadon#microsoft.com>
Co-authored-by: rahul0216 <r.greatlove@gmail.com>
Co-authored-by: Frank Gravato <frankie.gravato@gmail.com>
Co-authored-by: Thibault Koechlin <orixxx@gmail.com>
Co-authored-by: hunngu-ms <63322431+hunngu-ms@users.noreply.github.com>
Co-authored-by: MartinPankraz <m.pankraz@gmx.de>
Co-authored-by: GaneshJDB <gjadhav@databahn.ai>
Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Anish_K <anish_kadwadkar@trendmicro.com>
Co-authored-by: Varun Kohli <97222872+vakohl@users.noreply.github.com>
Co-authored-by: Brandon Qiao <bqiao@microsoft.com>
Co-authored-by: ayoubkdib <103065484+ayoubkdib@users.noreply.github.com>
Co-authored-by: Taz Jack <taz.jack@data443.com>
1 parent f996ba1 commit 6cd9bd6

1,247 files changed

+314229
-43293
lines changed

.github/copilot-instructions.md

Lines changed: 82 additions & 0 deletions
@@ -0,0 +1,82 @@
1+
# GitHub Copilot Instructions for Azure-Sentinel Repository
2+
3+
## Solutions Analyzer Tools
4+
5+
When working with the Solutions Analyzer tools in `Tools/Solutions Analyzer/`:
6+
7+
### Output Locations
8+
9+
There are THREE different output scenarios - **never confuse them**:
10+
11+
1. **Default (development):** CSVs are written to `Tools/Solutions Analyzer/` in the current branch
12+
- This is the normal case when developing/testing
13+
- **Never generate documentation here**
14+
15+
2. **Output worktree (publishing CSVs):** `C:\Users\ofshezaf\GitHub\Azure-Sentinel-solution-analyzer-output\Tools\Solutions Analyzer`
16+
- Only use this when **specifically requested** to "publish CSVs to the output branch"
17+
- This is a separate git worktree for the CSV output branch
18+
- **Only CSVs go here, never documentation**
19+
20+
3. **Documentation output:** `C:\Users\ofshezaf\GitHub\sentinelninja\Solutions Docs`
21+
- This is where generated markdown documentation goes
22+
- This is in a **separate repository** (sentinelninja)
23+
- Empty the target folder before generating new docs
24+
25+
### Key Rules
26+
27+
- **Never generate docs locally** in the Azure-Sentinel repository
28+
- **Generate docs only in the sentinelninja repo** when asked or needed
29+
- **For official CSV releases**, generate CSVs **only** in the solution analyzer output worktree
30+
- Always use `--output-dir` flag when running `generate_connector_docs.py`
31+
32+
### Running Scripts
33+
34+
#### Mapper Script
35+
```powershell
36+
cd "Tools/Solutions Analyzer"
37+
python map_solutions_connectors_tables.py
38+
```
39+
40+
**Note:** Do NOT truncate or filter the output (e.g., do not pipe through `Select-Object`). The script prints timestamped progress messages to the console that the user needs to see. Run with `isBackground: false` and `timeout: 0` so the full output is visible.
41+
42+
#### Documentation Generator
43+
```powershell
44+
python generate_connector_docs.py --output-dir "C:\Users\ofshezaf\GitHub\sentinelninja\Solutions Docs" --skip-input-generation
45+
```
46+
47+
**IMPORTANT:** Never run without `--output-dir` flag.
48+
49+
**IMPORTANT:** Do NOT truncate or filter the output (e.g., do not pipe through `Select-Object`). Run with `isBackground: false` and `timeout: 0` so the full output is visible to the user.
50+
51+
**IMPORTANT:** Always use `--skip-input-generation` unless you specifically need to regenerate the input CSVs (mapper + collect_table_info). Without this flag, the doc generator will re-run those scripts automatically, which is slow and unnecessary if the CSVs are already up-to-date.
52+
53+
**IMPORTANT:** Run the mapper script before generating docs if:
54+
- The mapper script itself was modified, OR
55+
- Any override YAML file in the `overrides/` folder was modified (including adding, editing, or removing `additional_connectors` entries), OR
56+
- You specifically need to refresh the CSV data, OR
57+
- You are explicitly asked to run the mapper
58+
59+
### Caching and Logging
60+
61+
- **Cache:** `.cache/` folder for analysis caching
62+
- **Logs:** `.logs/` folder for log files
63+
64+
**Log file:** `Tools/Solutions Analyzer/.logs/map_solutions_connectors_tables.log`
65+
66+
Use `--force-refresh` with these types when modifying analysis logic:
67+
- `asim` - ASIM parser analysis
68+
- `parsers` - Non-ASIM parser analysis
69+
- `solutions` - Solution content analysis
70+
- `standalone` - Standalone content item analysis
71+
- `marketplace` - Marketplace availability check (requires network)
72+
- `tables` - Table reference info (requires network)
73+
74+
### Script Documentation
75+
76+
**Before updating a script:** Always review the relevant script documentation in `Tools/Solutions Analyzer/docs/` first.
77+
78+
**When updating a script**, update the corresponding script doc to reflect:
79+
- Any script parameters added or changed
80+
- Any output file changes, including changes to CSV files (new columns, renamed columns, removed columns)
81+
- Any changes to analysis methods or logic
82+
- Update the primary readme.md if needed and add the change to the change log. Do not add a version if the previous version as manifested by the changelog, was not committed yet.
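Review bot: the three output paths at lines 15, 20 and 44 are hard-coded to one user's machine (`C:\Users\ofshezaf\...`), which makes this repo-wide Copilot instruction file unusable for any other contributor and publishes a local directory layout in a public repository; replace them with a labelled placeholder such as `<path-to-output-worktree>` or an environment variable and describe the two checkouts relative to the repository root. The final bullet at line 82 also reads awkwardly: "Do not add a version if the previous version as manifested by the changelog, was not committed yet" would be clearer as "Do not add a new changelog version if the previous one has not been committed yet."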

.github/workflows/cleanup-stale-branch.yaml

Lines changed: 40 additions & 0 deletions
@@ -0,0 +1,40 @@
1+
# .github/workflows/cleanup-stale-branch.yaml
2+
name: Cleanup Stale Branches
3+
run-name: Stale Branches Cleanup Running
4+
5+
on:
6+
schedule:
7+
# Runs at 4:00 AM every day (Monday to Sunday)
8+
- cron: '0 4 * * *'
9+
# Allows to run workflow manually from the Actions tab
10+
workflow_dispatch:
11+
12+
permissions:
13+
contents: write
14+
15+
jobs:
16+
cleanup_stale_branches:
17+
# Only run if the repository is not a fork and not archived
18+
if: github.event.repository.fork == false && github.event.repository.archived == false
19+
runs-on: ubuntu-latest
20+
steps:
21+
- name: Cleanup Stale Branches
22+
uses: crs-k/stale-branches@593086d4e251bb26dd5cd21202d0102fcf172164
23+
with:
24+
repo-token: '${{ secrets.GITHUB_TOKEN }}'
25+
days-before-stale: 120
26+
days-before-delete: 180
27+
comment-updates: false
28+
max-issues: 20
29+
tag-committer: false
30+
stale-branch-label: 'stale-branch'
31+
compare-branches: 'info'
32+
branches-filter-regex: '^((?!dependabot))'
33+
rate-limit: true
34+
pr-check: true
35+
dry-run: true
36+
ignore-issue-interaction: true
37+
include-protected-branches: false
38+
include-ruleset-branches: false
39+
ignore-commit-messages: ''
40+
ignore-committers: ''
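Review bot: `dry-run: true` at line 35 means this job will only report candidate branches and never label or delete any, so it needs either a comment stating the staged-rollout intent or a tracked follow-up to flip it; until it is flipped, the `contents: write` grant at line 13 is broader than anything the job does. Pinning `crs-k/stale-branches` to a full commit SHA (line 22) is the right choice for a third-party action that will hold branch-deletion rights, but add a trailing `# vX.Y.Z` comment so reviewers can see which release the SHA corresponds to when it is bumped. The comment at line 7, "Runs at 4:00 AM every day (Monday to Sunday)", should state UTC, since scheduled workflows run on UTC time, and a `timeout-minutes` on the job would keep a stuck rate-limited run from consuming the runner.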

.github/workflows/runAsimSchemaAndDataTesters.yaml

Lines changed: 41 additions & 1 deletion
@@ -43,6 +43,14 @@ jobs:
4343
outputs:
4444
approved: ${{ steps.check-approval.outputs.approved }}
4545
steps:
46+
- name: Checkout pull request branch
47+
if: github.event.pull_request != null
48+
uses: actions/checkout@v3
49+
with:
50+
ref: ${{ github.event.pull_request.head.sha }}
51+
repository: ${{ github.event.pull_request.head.repo.full_name }}
52+
fetch-depth: 0
53+
4654
- name: Check if PR needs approval
4755
id: check-approval
4856
run: |
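Review bot: this step checks out the fork's head commit (`head.sha` from `head.repo.full_name`, lines 46-52) into the same job that decides whether the PR needs approval; that is only safe if the workflow is triggered by `pull_request` (read-only token, no secrets for forks) and not `pull_request_target`. The trigger is outside this hunk, so please confirm it, and make sure no later step in this job executes scripts from the checked-out tree. `fetch-depth: 0` (line 52) pulls the full history of a very large repository on every PR, and the following hunk fetches the base branch from an `upstream` remote anyway, so a shallow checkout should be sufficient. `actions/checkout@v3` runs on a deprecated Node runtime; `actions/checkout@v4` is available.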
@@ -96,7 +104,39 @@ jobs:
96104
echo "needs_approval=false" >> $GITHUB_OUTPUT
97105
echo "comment_needed=false" >> $GITHUB_OUTPUT
98106
fi
99-
107+
108+
- name: Prevent fork modifications to test infrastructure
109+
if: github.event.pull_request.head.repo.fork == true
110+
shell: bash
111+
run: |
112+
set -euo pipefail
113+
114+
log_info() { echo "ℹ️ $1"; }
115+
log_error() { echo "❌ $1"; }
116+
log_success() { echo "✅ $1"; }
117+
118+
log_info "Checking for modifications to asimParsersTest folder in fork PR..."
119+
120+
# We are currently checked out at the fork's HEAD SHA (actions/checkout did that).
121+
# Add the base repo as a remote and fetch the base branch, so we can diff reliably.
122+
git remote remove upstream 2>/dev/null || true
123+
git remote add upstream "https://github.com/${{ github.repository }}.git"
124+
125+
log_info "Fetching base branch ${{ github.event.pull_request.base.ref }} from upstream..."
126+
git fetch --no-tags --prune upstream "${{ github.event.pull_request.base.ref }}"
127+
128+
# Diff base branch (FETCH_HEAD) -> current HEAD (fork head)
129+
modified_files="$(git diff --name-only "FETCH_HEAD...HEAD")"
130+
131+
if echo "$modified_files" | grep -E "\.script/tests/asimParsersTest/" > /dev/null; then
132+
log_error "Fork PRs cannot modify the asimParsersTest test infrastructure folder"
133+
log_error "Modified test files detected:"
134+
echo "$modified_files" | grep "\.script/tests/asimParsersTest/" | sed 's/^/ - /'
135+
exit 1
136+
fi
137+
138+
log_success "No modifications to asimParsersTest folder detected"
139+
100140
- name: Comment on fork PR for approval guidance
101141
if: |
102142
always() &&
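Review bot: the `run:` script interpolates `${{ github.repository }}` and `${{ github.event.pull_request.base.ref }}` directly into shell (lines 123-126); both values are controlled by the base repository, so the exposure is limited, but the recommended hardening is to pass them through `env:` and reference `"$BASE_REF"` in the script, which also keeps the step safe if someone later substitutes a PR-controlled field. The filter `\.script/tests/asimParsersTest/` is an unanchored substring match; prefix it with `^` so a same-named directory elsewhere in the tree cannot trip it, and put the pattern in one variable for both greps (line 131 uses `grep -E`, line 134 plain `grep`). Note that this guard lives in the workflow definition itself, so it only protects the folder when the workflow used for the run is taken from the base branch; if the PR's own copy of the workflow runs, a change that edits both files together is not caught, and branch protection requiring this check is the real control. Also, the step is skipped for non-fork PRs, so same-repository branches are presumably gated elsewhere; a one-line comment saying so would help the next reader.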

.gitignore

Lines changed: 1 addition & 0 deletions
@@ -346,3 +346,4 @@ Hunting Queries/DeployedQueries.json
346346
.script/**/*.js.map
347347
.script/**/*.d.ts
348348
.script/**/*.d.ts.map
349+
/.vscode

.script/package-automation/catalogAPI.ps1

Lines changed: 22 additions & 0 deletions
@@ -25,6 +25,28 @@ function GetCatalogDetails($offerId)
2525
return $null;
2626
}
2727
else {
28+
# Handle case where multiple offers are returned with same OfferId
29+
if ($offerDetails -is [System.Object[]] -and $offerDetails.Count -gt 1)
30+
{
31+
Write-Host "Multiple offers found for offerId $offerId. Matching by publisherId from baseMetadata."
32+
$matched = $offerDetails | Where-Object { $_.publisherId -eq $baseMetadata.publisherId }
33+
if ($null -ne $matched)
34+
{
35+
if ($matched -is [System.Object[]])
36+
{
37+
$offerDetails = $matched[0]
38+
}
39+
else
40+
{
41+
$offerDetails = $matched
42+
}
43+
}
44+
else
45+
{
46+
Write-Host "No offer matched publisherId '$($baseMetadata.publisherId)'. Defaulting to first offer."
47+
$offerDetails = $offerDetails[0]
48+
}
49+
}
2850
Write-Host "CatalogAPI Details found for offerId $offerId"
2951
return $offerDetails;
3052
}
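Review bot: `$baseMetadata` (lines 32 and 46) is not a parameter of `GetCatalogDetails($offerId)` and is not assigned in this hunk, so the new branch depends on a script-scoped variable being populated before the call; pass the publisher id in explicitly (for example `GetCatalogDetails($offerId, $publisherId)`) or at least null-check it, because when it is unset the `Where-Object` comparison matches nothing and the code silently falls through to "Defaulting to first offer". The `-is [System.Object[]]` checks at lines 29 and 35 are fragile since PowerShell can hand back other collection types; `@($offerDetails).Count -gt 1` and `@($matched)[0]` treat single items and arrays uniformly and remove the inner if/else. Finally, consider making the no-match case at lines 44-48 a hard error rather than a `Write-Host`: picking an offer from the wrong publisher is exactly the ambiguity this change sets out to resolve, and a packaging job should stop rather than guess.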

.script/tests/KqlvalidationsTests/CustomFunctions/AWSCloudTrail.json

Lines changed: 4 additions & 0 deletions
@@ -146,6 +146,10 @@
146146
"name": "EC2RoleDelivery",
147147
"type": "String"
148148
},
149+
{
150+
"name": "UserIdentityAccessKeyId",
151+
"type": "String"
152+
},
149153
{
150154
"name": "Session*",
151155
"type": "String"
