Merge branch 'master' of https://github.com/Azure/Azure-Sentinel

Author: jamos-bt

.github/instructions/huntingqueries.instructions.md

@@ -75,6 +75,24 @@ Hunting Queries are YAML files that define proactive search queries in Microsoft
 - **Instead do this** (specific and clear):
   - ✅ "Calculate the count of BytesIn per Source-Destination pair over 12/24 hours. Higher values may indicate beaconing. C2 servers reply with the same data, making BytesIn value the same."
 
+#### **description-detailed** (Extended Description - Optional)
+- **Required**: No (optional field)
+- **When to Use**: When the description exceeds 255 characters and additional context is needed
+- **Format**: Extended narrative text (no hard character limit)
+- **Rules**:
+  - Only use if `description` field cannot adequately convey the hunting methodology within 255 characters
+  - Provides supplementary information about the query purpose, methodology, or hunt rationale
+  - Can include more detailed explanation of patterns, thresholds, and threat indicators
+  - Can provide context about why certain data sources or time windows were chosen
+  - Useful for complex hunts that require deeper explanation
+- **When NOT to Use**:
+  - If the 255-character description is sufficient
+  - If the additional content is just repetition of the description
+  - For implementation details or technical KQL explanations
+- **Example Usage**:
+  - **description**: "Identify service accounts with unusually high failed login attempts within a short timeframe, which may indicate credential compromise or brute force attacks."
+  - **description-detailed**: "This hunt searches for service accounts that experience more than 10 failed login attempts within a 1-hour window across multiple workstations. Service accounts should typically have successful logins; repeated failures may indicate credential compromise, brute force attempts, or misconfigured applications. Focus on investigating the affected workstations and reviewing access logs for those time periods. Check if any recent password changes or security alerts occurred before the failed attempts."
+
 #### **requiredDataConnectors** (Data Sources)
 - **Required**: Yes
 - **Type**: Array of objects with `connectorId` and `dataTypes`

.github/instructions/releasenotes.instructions.md

@@ -30,6 +30,25 @@ Exactly three columns in this order:
 | **No Duplicates** | Each version must appear only once | 3.0.1 appears twice | Each version appears once |
 | **All 3 Columns Present** | Table must have exactly 3 columns, no more, no less | 2 columns or 4 columns | Exactly 3 columns |
 
+## When to Update Release Notes
+
+Release notes **MUST be updated** for any of the following changes:
+
+- **Content changes**: Modifications to Analytical Rules, Hunting Queries, Workbooks, Data Connectors, or any other solution content
+- **Package folder changes**: ANY changes to files in `Solutions/{SolutionName}/Package/` folder (metadata, configurations, solution settings)
+- **Parser/Function updates**: Changes to KQL parsers or custom functions
+- **Documentation updates**: Updates to README or other documentation files
+- **Bug fixes**: Any bug fixes to existing content
+- **Performance improvements**: Optimizations to queries or logic
+- **New content**: Addition of new Analytical Rules, Workbooks, Hunting Queries, etc.
+- **Deprecated content**: Marking components as deprecated or removing content
+
+Release notes are **NOT required** for:
+- Changes only to non-solution files (e.g., standalone scripts outside Solutions folder)
+- Documentation-only PRs that don't affect solution content
+
+**Important:** If your PR includes changes to `Solutions/{SolutionName}/Package/` folder, updating ReleaseNotes.md is mandatory. Failure to update release notes when package folder changes will result in PR review failure.
+
 ## Best Practices
 
 - **Clear descriptions:** Specify which component changed (e.g., "Updated query in **Analytical Rule**", "Fixed bug in **Data Connector**")

.github/instructions/solution-data.instructions.md

@@ -35,8 +35,9 @@ All Solution_*.json files must contain these mandatory fields:
 **Naming Requirements:**
 - Use official product/vendor names when possible
 - Match the solution folder name (converted appropriately)
-- **Only alphanumeric characters (a-z, A-Z, 0-9) and spaces allowed**
-- No special characters including hyphens, underscores, dots, or symbols
+- **Alphanumeric characters (a-z, A-Z, 0-9), spaces, and parentheses allowed**
+- Parentheses can be used for acronyms and short forms (e.g., "Visa Threat Intelligence (VTI)")
+- No other special characters including hyphens, underscores, dots, or symbols
 - Maximum length: 100 characters
 - Must be unique across all solutions