add_analytic_rules__first_commit

[averbn]

Required items, please complete

Change(s):

• See guidance below

Reason for Change(s):

• See guidance below

Version Updated:

• Required only for Detections/Analytic Rule templates
• See guidance below

Testing Completed:

• See guidance below

Checked that the validations are passing and have addressed any issues that are present:

• See guidance below

Guidance <- remove section before submitting

---

Before submitting this PR please ensure that you have read the following sections and filled out the changes, reason for change and testing complete sections:

Thank you for your contribution to the Microsoft Sentinel Github repo.

Details of the code changes in your submitted PR. Providing descriptions for pull requests ensures there is context to changes being made and greatly enhances the code review process. Providing associated Issues that this resolves also easily connects the reason.

Change(s):

• Updated syntax for XYZ.yaml

Reason for Change(s):

• New schema used for XYZ.yaml
• Resolves ISSUE Add Logstash required version to Readme file #1234

Version updated:

• Yes
• Detections/Analytic Rule templates are required to have the version updated

The code should have been tested in a Microsoft Sentinel environment that does not have any custom parsers, functions or tables, so that you validate no incorrect syntax and execution functions properly. If your submission requires a custom parser or function, it must be submitted with the PR.

Testing Completed:

• Yes/No/Need Help

Note: If updating a detection, you must update the version field.

Before the submission has been made, please look at running the KQL and Yaml Validation Checks locally.
https://github.com/Azure/Azure-Sentinel#run-kql-validation-locally

Checked that the validations are passing and have addressed any issues that are present:

• Yes/No/Need Help

Note: Let us know if you have tried fixing the validation error and need help.

References:

• Guidance for Detection checks
• General contribution guidance
• PR validation troubleshooting

---

[v-maheshbh]

Hi @averbn

Kindly add the analytical rule to the data file and package the solution using V3 tool - https://github.com/Azure/Azure-Sentinel/blob/master/Tools/Create-Azure-Sentinel-Solution/V3/README.md.

Thanks!

[averbn]

Hi @averbn

Kindly add the analytical rule to the data file and package the solution using V3 tool - https://github.com/Azure/Azure-Sentinel/blob/master/Tools/Create-Azure-Sentinel-Solution/V3/README.md.

Thanks!

Hi @v-maheshbh , added info, thanks.

[averbn]

Changed rule names to *yaml

[averbn]

I see that checking failed with message:

What is the reason for that? I`m trying to use the connector logs in the rules.

[v-maheshbh]

Hi @averbn

Kindly add the latest version at the top of the release notes and update branch from the master branch.

Thanks!

[Copilot]

Pull request overview

This PR adds three new analytic rules to the SOC Prime CCF solution and updates the solution version from 3.0.0 to 3.0.1. The analytic rules detect suspicious activities in SOC Prime platform audit logs, including deletion of tenants, deletion of custom field mapping profiles, and successful logins from malicious IP addresses.

Changes:

• Added three new analytic rules for detecting suspicious SOC Prime platform activities
• Updated solution version from 3.0.0 to 3.0.1 across all solution files
• Added the new connector ID to the validation schema

Reviewed changes

Copilot reviewed 9 out of 10 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
Solutions/SOC Prime CCF/ReleaseNotes.md	Added release note entry for version 3.0.1 documenting the addition of analytic rules
Solutions/SOC Prime CCF/Package/mainTemplate.json	Updated solution version, added three analytic rule resource definitions, and updated API versions to earlier preview versions
Solutions/SOC Prime CCF/Package/createUiDefinition.json	Added analytics configuration section to the UI with descriptions for the three new analytic rules
Solutions/SOC Prime CCF/Data/Solution_SOCPrimeAuditLogs.json	Added references to the three new analytic rule YAML files and updated solution version
Solutions/SOC Prime CCF/Data Connectors/SOCPrime_ccp/SOCPrime_DataConnectorDefinition.json	Removed null permission fields and trailing comma from JSON structure
Solutions/SOC Prime CCF/Analytic Rules/SuccessLoginFromBadIp.yaml	New analytic rule for detecting successful logins from blacklisted IP addresses
Solutions/SOC Prime CCF/Analytic Rules/SOCPrimeDeletedTenant.yaml	New analytic rule for detecting tenant deletion events
Solutions/SOC Prime CCF/Analytic Rules/SOCPrimeDeletedCustomFieldMappingProfile.yaml	New analytic rule for detecting custom field mapping profile deletion events
.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json	Added SOCPrimeAuditLogsDataConnector to the list of valid connector IDs

[Copilot]

Corrected spelling of 'PRime' to 'Prime'.

Suggested change

	"displayName": "Successful logins to SOC PRime platform from bad IP addresses",
	"displayName": "Successful logins to SOC Prime platform from bad IP addresses",

[Copilot]

Corrected spelling of 'PRime' to 'Prime'.

Suggested change

	"displayName": "Successful logins to SOC PRime platform from bad IP addresses",
	"displayName": "Successful logins to SOC Prime platform from bad IP addresses",

[Copilot]

Corrected spelling of 'PRime' to 'Prime'.

Suggested change

	"label": "Successful logins to SOC PRime platform from bad IP addresses",
	"label": "Successful logins to SOC Prime platform from bad IP addresses",

[Copilot]

Corrected spelling of 'PRime' to 'Prime'.

Suggested change

	name: Successful logins to SOC PRime platform from bad IP addresses
	name: Successful logins to SOC Prime platform from bad IP addresses

[rahul0216]

1. Please check the spelling error raised by copilot review.
2. See if you can add entity mappings to rule as well. Entity mappings bring the actionable details for SOC analysts.