Skip to content

Commit ff660c6

Browse files
committed
Merge branch 'master' into dependabot/pip/Solutions/VMware-SD-WAN-and-SASE/Data-Connectors/Function-App-Connector/requests-2.33.0
2 parents 0b72ad4 + 0f6bb7f commit ff660c6

119 files changed

Lines changed: 11744 additions & 5468 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

.github/copilot-instructions.md

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -33,6 +33,12 @@ When reviewing pull requests, follow these rules strictly.
3333
4. Validate GUID format, rule names, descriptions, severity levels, and other field-based validation rules
3434
5. Do NOT use general instructions for these files - only use the detections custom instructions
3535

36+
### For Hunting Queries Files (`Hunting Queries/**/*.yaml`, `Solutions/**/Hunting Queries/*.yaml`)
37+
1. **LOAD and USE:** `.github/instructions/huntingqueries.instructions.md`
38+
2. Apply ALL guidelines from that file
39+
3. Verify all required fields are present and properly formatted
40+
4. Do NOT use general instructions for these files - only use the huntingqueries custom instructions
41+
3642
---
3743

3844
## Files and folders to ignore

.github/instructions/detections.instructions.md

Lines changed: 93 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -115,6 +115,85 @@ Analytic Rules are YAML files that define scheduled queries to detect threats, s
115115
- **Pattern**: `/^\d+\.\d+\.\d+$/`
116116
- **Example**: `1.2.3`
117117

118+
#### **metadata** (Metadata Information - Required for Standalone Files)
119+
- **Required**: Yes (for standalone detections in `Detections/` folder); No (for rules in `Solutions/**/Analytic Rules/`)
120+
- **Purpose**: Provides source, author, support tier, and category information for standalone detection rules
121+
- **Type**: Object with nested properties
122+
- **Structure**:
123+
```yaml
124+
metadata:
125+
source:
126+
kind: Community # or "Microsoft" for official rules
127+
author:
128+
name: Author Name
129+
support:
130+
tier: Community # or "Microsoft" for official support
131+
categories:
132+
domains: [ "Category Name" ]
133+
```
134+
- **Rules**:
135+
- **Required for standalone files** in root `Detections/` folder (matches pattern `Detections/**/*.yaml`)
136+
- **Not required** for rules in Solutions folder (`Solutions/**/Analytic Rules/*.yaml`)
137+
- `source.kind`: Typically `Community` or `Microsoft`
138+
- `author.name`: Name of the rule author or organization
139+
- `support.tier`: Support level - `Community` or `Microsoft`
140+
- `categories.domains`: Array of domain/category classifications from the valid domains list
141+
142+
#### **Valid Domain Categories** (for `categories.domains`)
143+
- Application
144+
- Cloud Provider
145+
- Cloud Security
146+
- Compliance
147+
- DevOps
148+
- Identity
149+
- Internet of Things (IoT)
150+
- IT Operations
151+
- Migration
152+
- Networking
153+
- Platform
154+
- Security
155+
- Security - 0-day Vulnerability
156+
- Security - Automation (SOAR)
157+
- Security - Cloud Security
158+
- Security - Information Protection
159+
- Security - Insider Threat
160+
- Security - Network
161+
- Security - Others
162+
- Security - Threat Intelligence
163+
- Security - Threat Protection
164+
- Security - Vulnerability Management
165+
- Storage
166+
- Training and Tutorials
167+
- User Behavior (UEBA)
168+
169+
170+
- **Valid Examples**:
171+
```yaml
172+
metadata:
173+
source:
174+
kind: Community
175+
author:
176+
name: Alex
177+
support:
178+
tier: Community
179+
categories:
180+
domains: [ "Security - Others" ]
181+
```
182+
```yaml
183+
metadata:
184+
source:
185+
kind: Microsoft
186+
author:
187+
name: Microsoft Sentinel Team
188+
support:
189+
tier: Microsoft
190+
categories:
191+
domains: [ "Security - Threat Intelligence", "Security - Threat Protection" ]
192+
```
193+
- **Invalid Examples** (for standalone files):
194+
- Missing `metadata` section ❌
195+
- Incomplete metadata (missing `author` or `support`) ❌
196+
118197
#### **tactics** (MITRE ATT&CK Tactics)
119198
- **Required**: Yes (all rule types)
120199
- **Framework Version**: ATT&CK Framework v16 Supported
@@ -756,6 +835,20 @@ query: |
756835
# Missing: queryFrequency, queryPeriod, triggerOperator, triggerThreshold
757836
```
758837

838+
```yaml
839+
# Standalone detection file missing metadata (should not appear in Detections/ folder without metadata)
840+
id: 12345678-1234-1234-1234-123456789012
841+
name: Multiple Failed Login Attempts
842+
description: Detects multiple failed login attempts from a single IP
843+
severity: High
844+
status: Available
845+
kind: Scheduled
846+
# ❌ Missing: metadata section (required for standalone Detections/ files)
847+
# Should include: source.kind, author.name, support.tier, categories.domains
848+
query: |
849+
SecurityEvent | where EventID == 4625
850+
```
851+
759852
## Best Practices for Analytic Rules
760853
761854
### 1. **Detection Logic Philosophy**

0 commit comments

Comments
 (0)