pr feedback

Kyle West · Kyle West · commit 27f773797f8f · 2026-03-27T11:03:13.000-06:00
diff --git a/Solutions/Halcyon/Data/Solution_Halcyon.json b/Solutions/Halcyon/Data/Solution_Halcyon.json
@@ -1,8 +1,8 @@
 {
   "Name": "Halcyon",
-  "Author": "Halcyon",
+  "Author": "Halcyon - support@halcyon.ai",
   "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/halcyon.svg\" width=\"75px\" height=\"75px\">",
-  "Description": "The [Halcyon](https://www.halcyon.ai) solution for Microsoft Sentinel enables you to ingest Halcyon Events and Alerts into Microsoft Sentinel using the Microsoft Sentinel Analytics Workspace.\n\nInstalling this solution automatically provisions a Data Collection Endpoint (DCE) and Data Collection Rule (DCR) in your Azure environment. These resources are updated automatically with each solution upgrade. To complete the connector setup, use the **Deploy** button on the Halcyon connector page to create the required Entra app registration and link it to the DCR.",
+  "Description": "The [Halcyon](https://www.halcyon.ai) solution for Microsoft Sentinel enables you to ingest Halcyon Events and Alerts into Microsoft Sentinel using the Microsoft Sentinel Analytics Workspace.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following Microsoft technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional data ingestion or operational costs:\n\na. [Microsoft Sentinel](https://learn.microsoft.com/azure/sentinel/)\n\nb. [Azure Monitor Data Collection Rules (DCR)](https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview)\n\nc. [Azure Monitor Data Collection Endpoints (DCE)](https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-endpoint-overview)\n\nd. [Azure Log Analytics workspaces](https://learn.microsoft.com/azure/azure-monitor/logs/log-analytics-workspace-overview)",
   "Data Connectors": [
     "Data Connectors/Halcyon_ccp/Halcyon_connectorDefinition.json"
   ],
@@ -17,9 +17,9 @@
   "Analytic Rules": [],
   "Hunting Queries": [],
   "Playbooks": [],
-  "BasePath": "C:\\Github\\Azure-Sentinel\\Solutions\\Halcyon",
+  "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Halcyon",
   "Version": "3.1.0",
   "Metadata": "SolutionMetadata.json",
-  "TemplateSpec": true,
+  "TemplateSpec": false,
   "Is1PConnector": false
 }
diff --git a/Solutions/Halcyon/Parsers/ASimAuthenticationHalcyon.yaml b/Solutions/Halcyon/Parsers/ASimAuthenticationHalcyon.yaml
@@ -35,7 +35,30 @@ FunctionQuery: |
       | extend
           User                   = ActorUsername,
           Dvc                    = DvcHostname
-      | project-away _ResourceId
+      | project
+          TimeGenerated,
+          EventVendor,
+          EventProduct,
+          EventProductVersion,
+          EventSchema,
+          EventSchemaVersion,
+          EventCount,
+          EventStartTime,
+          EventEndTime,
+          EventType,
+          EventResult,
+          EventOriginalType,
+          EventOriginalSeverity,
+          EventSeverity,
+          EventMessage,
+          ActorUsername,
+          ActorUserId,
+          ActorUsernameType,
+          DvcHostname,
+          DvcIpAddr,
+          DvcId,
+          User,
+          Dvc
   };
   parser(disabled=disabled)
 FunctionParams:
diff --git a/Solutions/Halcyon/Parsers/ASimDnsHalcyon.yaml b/Solutions/Halcyon/Parsers/ASimDnsHalcyon.yaml
@@ -42,7 +42,37 @@ FunctionQuery: |
           Dvc                    = DvcHostname,
           IpAddr                 = SrcIpAddr,
           Src                    = SrcIpAddr
-      | project-away _ResourceId
+      | project
+          TimeGenerated,
+          EventVendor,
+          EventProduct,
+          EventProductVersion,
+          EventSchema,
+          EventSchemaVersion,
+          EventCount,
+          EventStartTime,
+          EventEndTime,
+          EventType,
+          EventResult,
+          EventOriginalType,
+          EventOriginalSeverity,
+          EventSeverity,
+          EventMessage,
+          DnsQuery,
+          DnsQueryTypeName,
+          DnsResponseCodeName,
+          DnsResponseCode,
+          SrcIpAddr,
+          SrcPortNumber,
+          DstIpAddr,
+          DstPortNumber,
+          DvcHostname,
+          DvcIpAddr,
+          DvcId,
+          Domain,
+          Dvc,
+          IpAddr,
+          Src
   };
   parser(disabled=disabled)
 FunctionParams:
diff --git a/Solutions/Halcyon/Parsers/ASimFileEventHalcyon.yaml b/Solutions/Halcyon/Parsers/ASimFileEventHalcyon.yaml
@@ -42,7 +42,37 @@ FunctionQuery: |
           FilePath               = TargetFilePath,
           User                   = ActorUsername,
           Dvc                    = DvcHostname
-      | project-away _ResourceId
+      | project
+          TimeGenerated,
+          EventVendor,
+          EventProduct,
+          EventProductVersion,
+          EventSchema,
+          EventSchemaVersion,
+          EventCount,
+          EventStartTime,
+          EventEndTime,
+          EventType,
+          EventResult,
+          EventOriginalType,
+          EventOriginalSeverity,
+          EventSeverity,
+          EventMessage,
+          TargetFileName,
+          TargetFilePath,
+          TargetFileExtension,
+          ActorUsername,
+          ActorUserId,
+          ActorUsernameType,
+          ActingProcessName,
+          ActingProcessId,
+          ActingProcessCommandLine,
+          DvcHostname,
+          DvcIpAddr,
+          DvcId,
+          FilePath,
+          User,
+          Dvc
   };
   parser(disabled=disabled)
 FunctionParams:
diff --git a/Solutions/Halcyon/Parsers/ASimNetworkSessionHalcyon.yaml b/Solutions/Halcyon/Parsers/ASimNetworkSessionHalcyon.yaml
@@ -45,7 +45,40 @@ FunctionQuery: |
           Dst                    = DstIpAddr,
           IpAddr                 = SrcIpAddr,
           Dvc                    = DvcHostname
-      | project-away _ResourceId
+      | project
+          TimeGenerated,
+          EventVendor,
+          EventProduct,
+          EventProductVersion,
+          EventSchema,
+          EventSchemaVersion,
+          EventCount,
+          EventStartTime,
+          EventEndTime,
+          EventType,
+          EventResult,
+          EventOriginalType,
+          EventOriginalSeverity,
+          EventSeverity,
+          EventMessage,
+          DvcAction,
+          SrcIpAddr,
+          SrcPortNumber,
+          SrcHostname,
+          SrcDomain,
+          SrcMacAddr,
+          DstIpAddr,
+          DstPortNumber,
+          DstHostname,
+          DstDomain,
+          DstMacAddr,
+          DvcHostname,
+          DvcIpAddr,
+          DvcId,
+          Src,
+          Dst,
+          IpAddr,
+          Dvc
   };
   parser(disabled=disabled)
 FunctionParams:
diff --git a/Solutions/Halcyon/Parsers/ASimProcessEventHalcyon.yaml b/Solutions/Halcyon/Parsers/ASimProcessEventHalcyon.yaml
@@ -47,7 +47,42 @@ FunctionQuery: |
           User                     = ActorUsername,
           Dvc                      = DvcHostname,
           Process                  = TargetProcessName
-      | project-away _ResourceId
+      | project
+          TimeGenerated,
+          EventVendor,
+          EventProduct,
+          EventProductVersion,
+          EventSchema,
+          EventSchemaVersion,
+          EventCount,
+          EventStartTime,
+          EventEndTime,
+          EventType,
+          EventResult,
+          EventOriginalType,
+          EventOriginalSeverity,
+          EventSeverity,
+          EventMessage,
+          TargetProcessName,
+          TargetProcessId,
+          TargetProcessCommandLine,
+          TargetProcessFilename,
+          TargetProcessFilePath,
+          ParentProcessName,
+          ParentProcessId,
+          ParentProcessCommandLine,
+          ActorUsername,
+          ActorUserId,
+          ActorUsernameType,
+          ActingProcessName,
+          ActingProcessId,
+          ActingProcessCommandLine,
+          DvcHostname,
+          DvcIpAddr,
+          DvcId,
+          User,
+          Dvc,
+          Process
   };
   parser(disabled=disabled)
 FunctionParams:
diff --git a/Solutions/Halcyon/ReleaseNotes.md b/Solutions/Halcyon/ReleaseNotes.md
@@ -1,4 +1,4 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History**                          |
 |-------------|--------------------------------|---------------------------------------------|
-|3.1.0        | 24-03-2026                     | Update Connector to recieve events with OCSF schemas | 
+|3.1.0        | 24-03-2026                     | Update Connector to receive events with OCSF schemas | 
 |3.0.0        | 09-12-2025                     | Initial Solution release
