Merge branch 'Azure:master' into gn-3.1.0-1

Author: punkrokk

.github/instructions/detections.instructions.md

@@ -317,6 +317,26 @@ Analytic Rules are YAML files that define scheduled queries to detect threats, s
   - Must include all connectors required for query execution
   - Specify exact data types needed
   - Use official connector IDs
+  
+#### **connectorId Validation**
+- **Source of Truth**: All `connectorId` values must be validated against the official list:
+  ```
+  https://github.com/Azure/Azure-Sentinel/blob/master/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
+  ```
+- **Validation Process**:
+  - Check if the `connectorId` value exists in ValidConnectorIds.json
+  - If NOT found: Flag as invalid and request update to ValidConnectorIds.json
+  - Case-sensitive matching required
+- **Valid Examples**: 
+  - `CiscoDuoSecurity` ✅ (exists in valid list)
+  - `AzureActiveDirectory` ✅ (exists in valid list)
+  - `CiscoASA` ✅ (exists in valid list)
+- **Invalid Examples**:
+  - `CiscoDuo` ❌ (correct ID is `CiscoDuoSecurity`)
+  - `AzureAD` ❌ (correct ID is `AzureActiveDirectory`)
+  - `CustomConnectorXYZ` ❌ (not in official list - needs to be added to ValidConnectorIds.json)
+- **Action if Invalid**: 
+  - Comment: "connectorId `[value]` is not found in the ValidConnectorIds.json file. Please update ValidConnectorIds.json to include this connector or use a valid connector ID from the official list."
 
 #### **entityMappings** (Entity Extraction)
 - **Required**: Yes for Detections

.script/tests/KqlvalidationsTests/CustomFunctions/_ASIM_LookupSyslogSeverityLevel.json

@@ -0,0 +1,16 @@
+{
+  "FunctionName": "_ASIM_LookupSyslogSeverityLevel",
+  "FunctionParameters": [
+    {
+      "Name": "SeverityLevelInput",
+      "Type": "string",
+      "IsRequired": true
+    }
+  ],
+  "FunctionResultColumns": [
+    {
+      "Name": "EventSeverity",
+      "Type": "string"
+    }
+  ]
+}

.script/tests/KqlvalidationsTests/CustomFunctions/_Im_AlertEvent.json

@@ -0,0 +1,159 @@
+{
+  "FunctionName": "_Im_AlertEvent",
+  "FunctionParameters": [
+    {
+      "Name": "starttime",
+      "Type": "datetime",
+      "IsRequired": false
+    },
+    {
+      "Name": "endtime",
+      "Type": "datetime",
+      "IsRequired": false
+    },
+    {
+      "Name": "ipaddr_has_any_prefix",
+      "Type": "dynamic",
+      "IsRequired": false
+    },
+    {
+      "Name": "hostname_has_any",
+      "Type": "dynamic",
+      "IsRequired": false
+    },
+    {
+      "Name": "username_has_any",
+      "Type": "dynamic",
+      "IsRequired": false
+    },
+    {
+      "Name": "attacktactics_has_any",
+      "Type": "dynamic",
+      "IsRequired": false
+    },
+    {
+      "Name": "attacktechniques_has_any",
+      "Type": "dynamic",
+      "IsRequired": false
+    },
+    {
+      "Name": "threatcategory_has_any",
+      "Type": "dynamic",
+      "IsRequired": false
+    },
+    {
+      "Name": "alertverdict_has_any",
+      "Type": "dynamic",
+      "IsRequired": false
+    },
+    {
+      "Name": "eventseverity_has_any",
+      "Type": "dynamic",
+      "IsRequired": false
+    },
+    {
+      "Name": "pack",
+      "Type": "bool",
+      "IsRequired": false
+    }
+  ],
+  "FunctionResultColumns": [
+    { "Name": "TimeGenerated", "Type": "datetime" },
+    { "Name": "_ResourceId", "Type": "string" },
+    { "Name": "Type", "Type": "string" },
+    { "Name": "AdditionalFields", "Type": "dynamic" },
+    { "Name": "AlertDescription", "Type": "string" },
+    { "Name": "AlertId", "Type": "string" },
+    { "Name": "AlertName", "Type": "string" },
+    { "Name": "AlertOriginalStatus", "Type": "string" },
+    { "Name": "AlertStatus", "Type": "string" },
+    { "Name": "AlertVerdict", "Type": "string" },
+    { "Name": "AttackRemediationSteps", "Type": "string" },
+    { "Name": "AttackTactics", "Type": "string" },
+    { "Name": "AttackTechniques", "Type": "string" },
+    { "Name": "DetectionMethod", "Type": "string" },
+    { "Name": "DvcAction", "Type": "string" },
+    { "Name": "DvcDescription", "Type": "string" },
+    { "Name": "DvcDomain", "Type": "string" },
+    { "Name": "DvcDomainType", "Type": "string" },
+    { "Name": "DvcFQDN", "Type": "string" },
+    { "Name": "DvcHostname", "Type": "string" },
+    { "Name": "DvcId", "Type": "string" },
+    { "Name": "DvcIdType", "Type": "string" },
+    { "Name": "DvcInterface", "Type": "string" },
+    { "Name": "DvcIpAddr", "Type": "string" },
+    { "Name": "DvcMacAddr", "Type": "string" },
+    { "Name": "DvcOriginalAction", "Type": "string" },
+    { "Name": "DvcOs", "Type": "string" },
+    { "Name": "DvcOsVersion", "Type": "string" },
+    { "Name": "DvcScope", "Type": "string" },
+    { "Name": "DvcScopeId", "Type": "string" },
+    { "Name": "DvcZone", "Type": "string" },
+    { "Name": "EmailMessageId", "Type": "string" },
+    { "Name": "EmailSubject", "Type": "string" },
+    { "Name": "EventCount", "Type": "int" },
+    { "Name": "EventEndTime", "Type": "datetime" },
+    { "Name": "EventMessage", "Type": "string" },
+    { "Name": "EventOriginalSeverity", "Type": "string" },
+    { "Name": "EventOriginalSubType", "Type": "string" },
+    { "Name": "EventOriginalType", "Type": "string" },
+    { "Name": "EventOriginalUid", "Type": "string" },
+    { "Name": "EventOwner", "Type": "string" },
+    { "Name": "EventProduct", "Type": "string" },
+    { "Name": "EventProductVersion", "Type": "string" },
+    { "Name": "EventReportUrl", "Type": "string" },
+    { "Name": "EventResult", "Type": "string" },
+    { "Name": "EventSchema", "Type": "string" },
+    { "Name": "EventSchemaVersion", "Type": "string" },
+    { "Name": "EventSeverity", "Type": "string" },
+    { "Name": "EventStartTime", "Type": "datetime" },
+    { "Name": "EventSubType", "Type": "string" },
+    { "Name": "EventType", "Type": "string" },
+    { "Name": "EventUid", "Type": "string" },
+    { "Name": "EventVendor", "Type": "string" },
+    { "Name": "FileMD5", "Type": "string" },
+    { "Name": "FileName", "Type": "string" },
+    { "Name": "FilePath", "Type": "string" },
+    { "Name": "FileSHA1", "Type": "string" },
+    { "Name": "FileSHA256", "Type": "string" },
+    { "Name": "FileSize", "Type": "long" },
+    { "Name": "Hostname", "Type": "string" },
+    { "Name": "IndicatorAssociation", "Type": "string" },
+    { "Name": "IndicatorType", "Type": "string" },
+    { "Name": "IpAddr", "Type": "string" },
+    { "Name": "OriginalUserType", "Type": "string" },
+    { "Name": "ProcessCommandLine", "Type": "string" },
+    { "Name": "ProcessFileCompany", "Type": "string" },
+    { "Name": "ProcessId", "Type": "string" },
+    { "Name": "ProcessName", "Type": "string" },
+    { "Name": "RegistryKey", "Type": "string" },
+    { "Name": "RegistryValue", "Type": "string" },
+    { "Name": "RegistryValueData", "Type": "string" },
+    { "Name": "RegistryValueType", "Type": "string" },
+    { "Name": "Rule", "Type": "string" },
+    { "Name": "RuleDescription", "Type": "string" },
+    { "Name": "RuleName", "Type": "string" },
+    { "Name": "RuleNumber", "Type": "int" },
+    { "Name": "ThreatCategory", "Type": "string" },
+    { "Name": "ThreatConfidence", "Type": "int" },
+    { "Name": "ThreatFirstReportedTime", "Type": "datetime" },
+    { "Name": "ThreatId", "Type": "string" },
+    { "Name": "ThreatIsActive", "Type": "bool" },
+    { "Name": "ThreatLastReportedTime", "Type": "datetime" },
+    { "Name": "ThreatName", "Type": "string" },
+    { "Name": "ThreatOriginalCategory", "Type": "string" },
+    { "Name": "ThreatOriginalConfidence", "Type": "string" },
+    { "Name": "ThreatOriginalRiskLevel", "Type": "string" },
+    { "Name": "ThreatRiskLevel", "Type": "int" },
+    { "Name": "Url", "Type": "string" },
+    { "Name": "User", "Type": "string" },
+    { "Name": "UserId", "Type": "string" },
+    { "Name": "UserIdType", "Type": "string" },
+    { "Name": "Username", "Type": "string" },
+    { "Name": "UsernameType", "Type": "string" },
+    { "Name": "UserScope", "Type": "string" },
+    { "Name": "UserScopeId", "Type": "string" },
+    { "Name": "UserSessionId", "Type": "string" },
+    { "Name": "UserType", "Type": "string" }
+  ]
+}

.script/tests/KqlvalidationsTests/CustomFunctions/_Im_AssetEntity.json

@@ -0,0 +1,73 @@
+{
+  "FunctionName": "_Im_AssetEntity",
+  "FunctionParameters": [
+    { "Name": "starttime", "Type": "datetime", "IsRequired": false },
+    { "Name": "endtime", "Type": "datetime", "IsRequired": false },
+    { "Name": "entityid_has_any", "Type": "dynamic", "IsRequired": false },
+    { "Name": "entityname_has_any", "Type": "dynamic", "IsRequired": false },
+    { "Name": "assettype_in", "Type": "string", "IsRequired": false },
+    { "Name": "path_has_any", "Type": "dynamic", "IsRequired": false },
+    { "Name": "assetowner_has_any", "Type": "dynamic", "IsRequired": false },
+    { "Name": "entitysource_has_any", "Type": "dynamic", "IsRequired": false },
+    { "Name": "pack", "Type": "bool", "IsRequired": false }
+  ],
+  "FunctionResultColumns": [
+    { "Name": "EntitySchema", "Type": "string" },
+    { "Name": "EntitySchemaVersion", "Type": "string" },
+    { "Name": "EntityUpdatedTime", "Type": "datetime" },
+    { "Name": "EntityIngestionTime", "Type": "datetime" },
+    { "Name": "EntityId", "Type": "string" },
+    { "Name": "EntityOriginalId", "Type": "string" },
+    { "Name": "EntityName", "Type": "string" },
+    { "Name": "EntityNameType", "Type": "string" },
+    { "Name": "AssetType", "Type": "string" },
+    { "Name": "AssetOriginalType", "Type": "string" },
+    { "Name": "EntityVendor", "Type": "string" },
+    { "Name": "EntitySource", "Type": "string" },
+    { "Name": "EntityProduct", "Type": "string" },
+    { "Name": "EntitySubProduct", "Type": "string" },
+    { "Name": "EntityCreatedTime", "Type": "datetime" },
+    { "Name": "EntityLastAccessedTime", "Type": "datetime" },
+    { "Name": "EntityLastModifiedTime", "Type": "datetime" },
+    { "Name": "EntityIsDeleted", "Type": "bool" },
+    { "Name": "EntityFeedType", "Type": "string" },
+    { "Name": "AssetOwnerId", "Type": "string" },
+    { "Name": "AssetOwnerIdType", "Type": "string" },
+    { "Name": "AssetOwnerType", "Type": "string" },
+    { "Name": "AssetOwnerScope", "Type": "string" },
+    { "Name": "AssetOwnerScopeId", "Type": "string" },
+    { "Name": "AdditionalAssetOwners", "Type": "dynamic" },
+    { "Name": "AssetOriginalPermissions", "Type": "dynamic" },
+    { "Name": "AssetOriginalRiskDetails", "Type": "dynamic" },
+    { "Name": "AssetRiskName", "Type": "string" },
+    { "Name": "AssetRiskLevel", "Type": "string" },
+    { "Name": "AssetOriginalRiskLevel", "Type": "string" },
+    { "Name": "AssetRiskFirstReportedTime", "Type": "datetime" },
+    { "Name": "AssetRiskLastReportedTime", "Type": "datetime" },
+    { "Name": "AssetSensitivityLabel", "Type": "string" },
+    { "Name": "AssetOriginalSensitivityLevel", "Type": "string" },
+    { "Name": "AssetIsProtectedByDlp", "Type": "bool" },
+    { "Name": "AssetRelatedIndicators", "Type": "dynamic" },
+    { "Name": "AssetOriginalDataClassificationType", "Type": "dynamic" },
+    { "Name": "AssetClassificationLastScanDateTime", "Type": "datetime" },
+    { "Name": "AADTenantId", "Type": "string" },
+    { "Name": "IdentityDirectoryName", "Type": "string" },
+    { "Name": "IdentityDirectoryId", "Type": "string" },
+    { "Name": "AdditionalFields", "Type": "dynamic" },
+    { "Name": "InternalUsersCount", "Type": "int" },
+    { "Name": "ExternalUsersCount", "Type": "int" },
+    { "Name": "FilePath", "Type": "string" },
+    { "Name": "FileSize", "Type": "long" },
+    { "Name": "FileMD5", "Type": "string" },
+    { "Name": "FileSHA1", "Type": "string" },
+    { "Name": "FileSHA256", "Type": "string" },
+    { "Name": "FileSHA512", "Type": "string" },
+    { "Name": "FileExtension", "Type": "string" },
+    { "Name": "FileIsSignatureValid", "Type": "bool" },
+    { "Name": "FileSignatureDetails", "Type": "string" },
+    { "Name": "SitePath", "Type": "string" },
+    { "Name": "SitePrimaryUri", "Type": "string" },
+    { "Name": "AssetPath", "Type": "string" },
+    { "Name": "User", "Type": "string" }
+  ]
+}

.script/tests/KqlvalidationsTests/CustomFunctions/_Im_DhcpEvent.json

@@ -0,0 +1,120 @@
+{
+  "FunctionName": "_Im_DhcpEvent",
+  "FunctionParameters": [
+    { "Name": "starttime", "Type": "datetime", "IsRequired": false },
+    { "Name": "endtime", "Type": "datetime", "IsRequired": false },
+    { "Name": "srcipaddr_has_any_prefix", "Type": "dynamic", "IsRequired": false },
+    { "Name": "srchostname_has_any", "Type": "dynamic", "IsRequired": false },
+    { "Name": "srcusername_has_any", "Type": "dynamic", "IsRequired": false },
+    { "Name": "eventresult", "Type": "string", "IsRequired": false },
+    { "Name": "disabled", "Type": "bool", "IsRequired": false },
+    { "Name": "pack", "Type": "bool", "IsRequired": false }
+  ],
+  "FunctionResultColumns": [
+    { "Name": "TimeGenerated", "Type": "datetime" },
+    { "Name": "_ResourceId", "Type": "string" },
+    { "Name": "Type", "Type": "string" },
+    { "Name": "AdditionalFields", "Type": "dynamic" },
+    { "Name": "DhcpCircuitId", "Type": "string" },
+    { "Name": "DhcpLeaseDuration", "Type": "int" },
+    { "Name": "DhcpSessionDuration", "Type": "int" },
+    { "Name": "DhcpSessionId", "Type": "string" },
+    { "Name": "DhcpSrcDHCId", "Type": "string" },
+    { "Name": "DhcpSubscriberId", "Type": "string" },
+    { "Name": "DhcpUserClass", "Type": "string" },
+    { "Name": "DhcpUserClassId", "Type": "string" },
+    { "Name": "DhcpVendorClass", "Type": "string" },
+    { "Name": "DhcpVendorClassId", "Type": "string" },
+    { "Name": "Duration", "Type": "int" },
+    { "Name": "Dvc", "Type": "string" },
+    { "Name": "DvcAction", "Type": "string" },
+    { "Name": "DvcDescription", "Type": "string" },
+    { "Name": "DvcDomain", "Type": "string" },
+    { "Name": "DvcDomainType", "Type": "string" },
+    { "Name": "DvcFQDN", "Type": "string" },
+    { "Name": "DvcHostname", "Type": "string" },
+    { "Name": "DvcId", "Type": "string" },
+    { "Name": "DvcIdType", "Type": "string" },
+    { "Name": "DvcInterface", "Type": "string" },
+    { "Name": "DvcIpAddr", "Type": "string" },
+    { "Name": "DvcMacAddr", "Type": "string" },
+    { "Name": "DvcOriginalAction", "Type": "string" },
+    { "Name": "DvcOs", "Type": "string" },
+    { "Name": "DvcOsVersion", "Type": "string" },
+    { "Name": "DvcScope", "Type": "string" },
+    { "Name": "DvcScopeId", "Type": "string" },
+    { "Name": "DvcZone", "Type": "string" },
+    { "Name": "EventCount", "Type": "int" },
+    { "Name": "EventEndTime", "Type": "datetime" },
+    { "Name": "EventMessage", "Type": "string" },
+    { "Name": "EventOriginalResultDetails", "Type": "string" },
+    { "Name": "EventOriginalSeverity", "Type": "string" },
+    { "Name": "EventOriginalSubType", "Type": "string" },
+    { "Name": "EventOriginalType", "Type": "string" },
+    { "Name": "EventOriginalUid", "Type": "string" },
+    { "Name": "EventOwner", "Type": "string" },
+    { "Name": "EventProduct", "Type": "string" },
+    { "Name": "EventProductVersion", "Type": "string" },
+    { "Name": "EventReportUrl", "Type": "string" },
+    { "Name": "EventResult", "Type": "string" },
+    { "Name": "EventResultDetails", "Type": "string" },
+    { "Name": "EventSchema", "Type": "string" },
+    { "Name": "EventSchemaVersion", "Type": "string" },
+    { "Name": "EventSeverity", "Type": "string" },
+    { "Name": "EventStartTime", "Type": "datetime" },
+    { "Name": "EventSubType", "Type": "string" },
+    { "Name": "EventType", "Type": "string" },
+    { "Name": "EventUid", "Type": "string" },
+    { "Name": "EventVendor", "Type": "string" },
+    { "Name": "Hostname", "Type": "string" },
+    { "Name": "IpAddr", "Type": "string" },
+    { "Name": "RequestedIpAddr", "Type": "string" },
+    { "Name": "Rule", "Type": "string" },
+    { "Name": "RuleName", "Type": "string" },
+    { "Name": "RuleNumber", "Type": "int" },
+    { "Name": "SessionId", "Type": "string" },
+    { "Name": "Src", "Type": "string" },
+    { "Name": "SrcDescription", "Type": "string" },
+    { "Name": "SrcDeviceType", "Type": "string" },
+    { "Name": "SrcDomain", "Type": "string" },
+    { "Name": "SrcDomainType", "Type": "string" },
+    { "Name": "SrcDvcId", "Type": "string" },
+    { "Name": "SrcDvcIdType", "Type": "string" },
+    { "Name": "SrcDvcScope", "Type": "string" },
+    { "Name": "SrcDvcScopeId", "Type": "string" },
+    { "Name": "SrcFQDN", "Type": "string" },
+    { "Name": "SrcGeoCity", "Type": "string" },
+    { "Name": "SrcGeoCountry", "Type": "string" },
+    { "Name": "SrcGeoLatitude", "Type": "real" },
+    { "Name": "SrcGeoLongitude", "Type": "real" },
+    { "Name": "SrcGeoRegion", "Type": "string" },
+    { "Name": "SrcHostname", "Type": "string" },
+    { "Name": "SrcIpAddr", "Type": "string" },
+    { "Name": "SrcMacAddr", "Type": "string" },
+    { "Name": "SrcOriginalRiskLevel", "Type": "string" },
+    { "Name": "SrcOriginalUserType", "Type": "string" },
+    { "Name": "SrcPortNumber", "Type": "int" },
+    { "Name": "SrcRiskLevel", "Type": "int" },
+    { "Name": "SrcUserId", "Type": "string" },
+    { "Name": "SrcUserIdType", "Type": "string" },
+    { "Name": "SrcUsername", "Type": "string" },
+    { "Name": "SrcUsernameType", "Type": "string" },
+    { "Name": "SrcUserScope", "Type": "string" },
+    { "Name": "SrcUserScopeId", "Type": "string" },
+    { "Name": "SrcUserSessionId", "Type": "string" },
+    { "Name": "SrcUserType", "Type": "string" },
+    { "Name": "SrcUserUid", "Type": "string" },
+    { "Name": "ThreatCategory", "Type": "string" },
+    { "Name": "ThreatConfidence", "Type": "int" },
+    { "Name": "ThreatField", "Type": "string" },
+    { "Name": "ThreatFirstReportedTime", "Type": "datetime" },
+    { "Name": "ThreatId", "Type": "string" },
+    { "Name": "ThreatIsActive", "Type": "bool" },
+    { "Name": "ThreatLastReportedTime", "Type": "datetime" },
+    { "Name": "ThreatName", "Type": "string" },
+    { "Name": "ThreatOriginalConfidence", "Type": "string" },
+    { "Name": "ThreatOriginalRiskLevel", "Type": "string" },
+    { "Name": "ThreatRiskLevel", "Type": "int" },
+    { "Name": "User", "Type": "string" }
+  ]
+}