Create Protocols passing authentication in cleartext (ASIM Network Se…

[praveenthepro]

…ssion schema)

Required items, please complete

Change(s):

• See guidance below

Reason for Change(s):

• See guidance below

Version Updated:

• Required only for Detections/Analytic Rule templates
• See guidance below

Testing Completed:

• See guidance below

Checked that the validations are passing and have addressed any issues that are present:

• See guidance below

Guidance <- remove section before submitting

---

Before submitting this PR please ensure that you have read the following sections and filled out the changes, reason for change and testing complete sections:

Thank you for your contribution to the Microsoft Sentinel Github repo.

Details of the code changes in your submitted PR. Providing descriptions for pull requests ensures there is context to changes being made and greatly enhances the code review process. Providing associated Issues that this resolves also easily connects the reason.

Change(s):

• Updated syntax for XYZ.yaml

Reason for Change(s):

• New schema used for XYZ.yaml
• Resolves ISSUE Add Logstash required version to Readme file #1234

Version updated:

• Yes
• Detections/Analytic Rule templates are required to have the version updated

The code should have been tested in a Microsoft Sentinel environment that does not have any custom parsers, functions or tables, so that you validate no incorrect syntax and execution functions properly. If your submission requires a custom parser or function, it must be submitted with the PR.

Testing Completed:

• Yes/No/Need Help

Note: If updating a detection, you must update the version field.

Before the submission has been made, please look at running the KQL and Yaml Validation Checks locally.
https://github.com/Azure/Azure-Sentinel#run-kql-validation-locally

Checked that the validations are passing and have addressed any issues that are present:

• Yes/No/Need Help

Note: Let us know if you have tried fixing the validation error and need help.

References:

• Guidance for Detection checks
• General contribution guidance
• PR validation troubleshooting

---

[v-prasadboke]

Hello @praveenthepro, any reason behind adding multiple connector id's

[praveenthepro]

Hello @praveenthepro, any reason behind adding multiple connector id's

@v-prasadboke The hunting query was written using the ASIM functions that's why I used all the related connectors, but I removed all the connectors after validating with the engineer team, So kindly checkout again

[v-prasadboke]

#10015 #10031
mentioning common content PR

[v-prasadboke]

Hello @praveenthepro, Please let me know if you have any pending updates/modification from your side so that I can investigate the PR.

[praveenthepro]

Hello @praveenthepro, Please let me know if you have any pending updates/modification from your side so that I can investigate the PR.

@v-prasadboke go ahead and start investigating the PR

[rahul0216]

@praveenthepro Few suggestions for Hunting queries,

1. Add entity mappings
2. For every entity mapping extend the KQL as entity_0_field = column_name
3. Add version property
   Refer this hunting query for reference, https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/CommandsexecutedbyWMIonnewhosts-potentialImpacket.yaml

[praveenthepro]

@praveenthepro Few suggestions for Hunting queries,

1. Add entity mappings
2. For every entity mapping extend the KQL as entity_0_field = column_name
3. Add version property
   Refer this hunting query for reference, https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/CommandsexecutedbyWMIonnewhosts-potentialImpacket.yaml

@v-prasadboke added the entity and version

[v-prasadboke]

Hello @praveenthepro, I see you have committed changes which were requested by Rahul. But these are incomplete commits.
Rahul has mentioned to update KQL query with adding entity_0_field = column_name to it.

I have attached a screenshot for your reference.

Thanks,
Prasad

[praveenthepro]

Hello @praveenthepro, I see you have committed changes which were requested by Rahul. But these are incomplete commits. Rahul has mentioned to update KQL query with adding **entity_0_field = column_name** to it.

I have attached a screenshot for your reference.

Thanks, Prasad

@v-prasadboke Thanks Prasad, Added the new entities as like on the screenshot,

[rahul0216]

@praveenthepro Please address the inline comment.

[rahul0216]

@praveenthepro There is one more inline comment.

[rahul0216]

Changes look good.

[v-prasadboke]

Thank you Rahul for the approval.
Will get this solution packaged and review it once.