Add Valimail Enforce Configuration Events CCF Connector #14045
v-dvedak merged 7 commits into Azure:master from
Conversation
@microsoft-github-policy-service agree company="Valimail"
18dcbd7 to 3f1a9a2
gborbollal left a comment
ValidConnectorsId.json merged.
Thank you.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Adds the initial Valimail Enforce solution content, centered around a new Codeless Connector Framework (CCF) connector for configuration events, plus accompanying analytics and hunting content and validation updates.
Changes:
- Added Valimail Enforce solution metadata + solution data manifest.
- Added 4 analytic rules and 4 hunting queries for Valimail Enforce events.
- Updated repo validation assets (ValidConnectorIds + custom table schema) to support the new connector/table.
Reviewed changes
Copilot reviewed 19 out of 20 changed files in this pull request and generated 11 comments.
| File | Description |
|---|---|
| Solutions/ValimailEnforce/SolutionMetadata.json | Introduces solution marketplace metadata (publisher/offer/support/categorization). |
| Solutions/ValimailEnforce/Package/testParameters.json | ARM test parameters for packaged deployment (ignored for review per repo rules). |
| Solutions/ValimailEnforce/Package/mainTemplate.json | Packaged ARM template for solution deployment (ignored for review per repo rules). |
| Solutions/ValimailEnforce/Package/createUiDefinition.json | Portal createUiDefinition for the solution (ignored for review per repo rules). |
| Solutions/ValimailEnforce/Hunting Queries/ValimailEnforce_HighValueEventSummary.yaml | Adds a hunting query to summarize high-value events for analyst review. |
| Solutions/ValimailEnforce/Hunting Queries/ValimailEnforce_DMARCPolicyHistory.yaml | Adds a hunting query to inspect DMARC policy change history. |
| Solutions/ValimailEnforce/Hunting Queries/ValimailEnforce_ChangeRateTrend.yaml | Adds a hunting query to trend config change rates by user/domain. |
| Solutions/ValimailEnforce/Hunting Queries/ValimailEnforce_BulkChanges.yaml | Adds a hunting query to detect bulk domain changes by a single user. |
| Solutions/ValimailEnforce/Data/Solution_ValimailEvents.json | Defines the solution package contents (connectors/rules/queries) and metadata used by packaging. |
| Solutions/ValimailEnforce/Data Connectors/ValimailEnforceEventLogs_ccp/ValimailEnforceEventLogs_connectorDefinition.json | CCF connector definition for Valimail Enforce events (ignored for review per repo rules). |
| Solutions/ValimailEnforce/Data Connectors/ValimailEnforceEventLogs_ccp/ValimailEnforceEventLogs_Table.json | Custom table schema for Valimail Enforce events (ignored for review per repo rules). |
| Solutions/ValimailEnforce/Data Connectors/ValimailEnforceEventLogs_ccp/ValimailEnforceEventLogs_PollerConfig.json | REST poller configuration for the connector (ignored for review per repo rules). |
| Solutions/ValimailEnforce/Data Connectors/ValimailEnforceEventLogs_ccp/ValimailEnforceEventLogs_DCR.json | Data Collection Rule definition for transforming/ingesting events (ignored for review per repo rules). |
| Solutions/ValimailEnforce/Analytic Rules/ValimailEnforce_UserManagementHighValue.yaml | Adds a scheduled analytic rule for high-value user management events. |
| Solutions/ValimailEnforce/Analytic Rules/ValimailEnforce_UnusualChangeRate.yaml | Adds a scheduled analytic rule for anomalous configuration change bursts. |
| Solutions/ValimailEnforce/Analytic Rules/ValimailEnforce_DMARCPolicyWeakened.yaml | Adds a scheduled analytic rule for DMARC policy weakened to none. |
| Solutions/ValimailEnforce/Analytic Rules/ValimailEnforce_AuthKeyChanged.yaml | Adds a scheduled analytic rule for deleted SPF/DKIM auth keys. |
| .script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json | Allows ValimailEnforce as a valid connectorId for detections/hunts. |
| .script/tests/KqlvalidationsTests/CustomTables/ValimailEnforceEvents_CL.json | Adds KQL validation schema for the custom table used by rules/queries. |
Comments suppressed due to low confidence (1)
Solutions/ValimailEnforce/SolutionMetadata.json:1
`offerId` does not meet Partner-tier requirements (it must contain the keyword "sentinel"), and `publisherId`/support email appear to have a "valmail"/"valimail" inconsistency that will likely fail validation and/or provide the wrong support contact. Update `offerId` to include "sentinel" (and stay <= 50 chars), and align `publisherId` + support email domain to the correct/approved values (custom publisherId also needs to be pre-approved per solution-metadata validation rules).
{
| "BasePath": "..\\..\\..\\\\Azure-Sentinel\\Solutions\\ValimailEnforce", | ||
| "Version": "1.0.1", | ||
| "Metadata": "SolutionMetadata.json", | ||
| "TemplateSpec": true, | ||
| "Is1PConnector": false |
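Review bot: the BasePath value on the first line of this region has a doubled separator, since `\\\\` inside a JSON string decodes to two backslashes and the path reads `..\..\..\\Azure-Sentinel\Solutions\ValimailEnforce`; on top of being a backslash-style, layout-specific relative path, that is a typo that will not resolve on any checkout. Replace it with a single-separator path using forward slashes so the packaging step resolves the same way locally and in CI.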
The Solution data file doesn’t match required solution-data conventions: (1) Logo should reference a repo-hosted asset via a raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/... URL and use the standard 75px x 75px dimensions (external vendor URL + 100px sizing will fail validation), (2) Author for a Partner solution should use the partner org/support email format rather than Microsoft support, (3) Description is missing the expected “Underlying Microsoft Technologies used” section and dependency/cost/preview notes, and (4) BasePath is machine/repo-layout specific (backslash-heavy) and is likely to break in CI—use a stable repo-relative path format instead.
| "Version": "1.0.1", | ||
| "Metadata": "SolutionMetadata.json", | ||
| "TemplateSpec": true, |
PR description states “First release: 3.0.0”, but this solution manifest sets Version to 1.0.1. Please align the solution versioning across the PR (and note: if you update this manifest to 3.x.x, solution-data validation rules require TemplateSpec to be false for 3.x.x versions).
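The checks the review comments above spell out (offerId keyword and length, publisherId versus support-email domain, TemplateSpec false for 3.x.x, repo-hosted 75px logo, portable BasePath) as a small validator. This is an added example, not one of the repository's own `.script/tests` validators; the sample documents are constructed, the logo file name is a placeholder, and the publisherId/domain comparison is an assumed heuristic.

```python
import re

# Only the conventions quoted in the review comments are encoded here (assumption:
# the repo's real validators check more than this).
LOGO_PREFIX = "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/"


def check_solution_metadata(meta: dict) -> list:
    """Findings for a SolutionMetadata.json document (Partner tier)."""
    findings = []
    offer_id = meta.get("offerId", "")
    if "sentinel" not in offer_id.lower():
        findings.append("offerId must contain 'sentinel'")
    if len(offer_id) > 50:
        findings.append("offerId must be <= 50 characters")
    publisher = meta.get("publisherId", "").lower()
    email = meta.get("support", {}).get("email", "")
    domain = email.rsplit("@", 1)[-1].lower() if "@" in email else ""
    # Assumed heuristic: the publisherId should appear in the support e-mail
    # domain, which is what catches a "valmail"/"valimail" mismatch.
    if publisher and domain and publisher not in domain:
        findings.append("publisherId does not match support email domain")
    return findings


def check_solution_data(data: dict) -> list:
    """Findings for a Solutions/<name>/Data/Solution_*.json manifest."""
    findings = []
    if data.get("Version", "").startswith("3.") and data.get("TemplateSpec") is not False:
        findings.append("TemplateSpec must be false for 3.x.x versions")
    logo = data.get("Logo", "")
    src = re.search(r'src="([^"]*)"', logo)
    if not src or not src.group(1).startswith(LOGO_PREFIX):
        findings.append("Logo must be a raw.githubusercontent.com Azure-Sentinel/master/Logos URL")
    if re.findall(r'(?:width|height)="(\d+)px"', logo) != ["75", "75"]:
        findings.append("Logo must be 75px x 75px")
    if "\\" in data.get("BasePath", ""):
        findings.append("BasePath must be a forward-slash, repo-relative path")
    return findings


# Constructed sample documents mirroring the problems the review describes.
BAD_META = {"offerId": "valimail-enforce", "publisherId": "valimail",
            "support": {"email": "support@valmail.com"}}
BAD_DATA = {"Version": "3.0.0", "TemplateSpec": True,
            "Logo": '<img src="https://example.com/logo.png" width="100px" height="100px">',
            "BasePath": "..\\..\\..\\\\Azure-Sentinel\\Solutions\\ValimailEnforce"}
GOOD_DATA = {"Version": "3.0.0", "TemplateSpec": False,
             "Logo": f'<img src="{LOGO_PREFIX}placeholder-logo.svg" width="75px" height="75px">',
             "BasePath": "Azure-Sentinel/Solutions/ValimailEnforce"}
```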
Hi @gborbollal, please make sure the version is 3.0.0 and TemplateSpec is false; update it and commit the changes. Thanks!
Removing - we will create a name without spaces Valimail Enforce configuration - Poller completion pending Connector definition complete Solution files completed Use workspace-location instead of location; logo background. Fix deployment parameters Fixes to parameters and names Fix json path and endpoint for staging. Analytic Rules, Hunting queries and transformation rules. Analytic Rules, Hunting queries and transformation rules. Solution Package Revert accidental changes in SentinelOne Remove generated Sentinel One package Remove shell to package the solution ValimailEnforceEvents_CL custom table in the .scripts directory
…meters Restore CR line endings. Generate package Remove packaging script Fix ValidConnectorIds diff Update ValidConnectorIds.json
69a90a4 to 01bad05
Hi @gborbollal, thank you for making the updates suggested by the copilot. I’ll review the PR and let you know here if anything else is needed. Thanks!
Hi @gborbollal, please make sure the version is 3.0.0 and TemplateSpec is false; update it and commit the changes. Also, add a releasenotes.md file for this solution. Thanks!
Thank you @v-shukore! On it.
Required items, please complete
Change(s):
Reason for Change(s):
Version Updated:
Testing Completed:
Checked that the validations are passing and have addressed any issues that are present: