Add Red Sift solution (Push connector via Codeless Connector Framework)#14036
Open
earada wants to merge 8 commits into Azure:master from
Conversation
New Microsoft Sentinel solution that ingests Red Sift events via a push CCF connector. Includes:
- connector definition, DCR, and table schemas for RedSiftAuth_CL and RedSiftEmailForensics_CL
- five analytic rules for new IP logins, MFA disabled events, and suspicious email URL activity
- solution data and metadata for the initial Red Sift release
earada (Author):
@microsoft-github-policy-service agree company="Red Sift"

Copilot (Contributor):
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Adds a new Red Sift Microsoft Sentinel solution package, including solution metadata/release notes, solution definition, analytic rules, and validation artifacts to support ingestion and detections for Red Sift auth + email forensics signals.
Changes:
- Added SolutionMetadata.json, ReleaseNotes.md, and Solution_RedSift.json for the new solution.
- Added five Scheduled analytic rules for new-IP logins, MFA disabled, and suspicious email URL scenarios.
- Updated repo validation artifacts (connector ID allowlist + custom table schemas for KQL validation).
Reviewed changes
Copilot reviewed 19 out of 21 changed files in this pull request and generated 6 comments.
Summary per file:
| File | Description |
|---|---|
| Solutions/Red Sift/SolutionMetadata.json | Introduces marketplace metadata (publisher/offer/support info) for the Red Sift solution |
| Solutions/Red Sift/ReleaseNotes.md | Adds initial release notes entry for the solution version |
| Solutions/Red Sift/Package/testParameters.json | (Ignored for review per repo guidance) ARM test parameters for the packaged solution |
| Solutions/Red Sift/Package/mainTemplate.json | (Ignored for review per repo guidance) Main ARM template for solution packaging/content deployment |
| Solutions/Red Sift/Package/createUiDefinition.json | (Ignored for review per repo guidance) Portal UI definition for solution deployment experience |
| Solutions/Red Sift/Data/Solution_RedSift.json | Defines solution composition (connectors/rules), metadata linkage, and versioning for packaging |
| Solutions/Red Sift/Data Connectors/RedSift_ccp/RedSift_table.json | (Ignored for review per repo guidance) Custom table artifact for RedSiftAuth_CL |
| Solutions/Red Sift/Data Connectors/RedSift_ccp/RedSift_EmailForensics_table.json | (Ignored for review per repo guidance) Custom table artifact for RedSiftEmailForensics_CL |
| Solutions/Red Sift/Data Connectors/RedSift_ccp/RedSift_Definition.json | (Ignored for review per repo guidance) Push connector definition for CCF/CCP |
| Solutions/Red Sift/Data Connectors/RedSift_ccp/RedSift_DCR.json | (Ignored for review per repo guidance) DCR artifact for CCP ingestion + transforms |
| Solutions/Red Sift/Data Connectors/RedSift_ccp/RedSift_Connector.json | (Ignored for review per repo guidance) Connector instance artifact for push connector |
| Solutions/Red Sift/Analytic Rules/RedSiftMFADisabled.yaml | Adds detection for MFA disablement events in Red Sift auth telemetry |
| Solutions/Red Sift/Analytic Rules/RedSiftLoginFromNewIP.yaml | Adds detection for successful logons from previously unseen IPs |
| Solutions/Red Sift/Analytic Rules/RedSiftEmailUrlWithNewDomain.yaml | Adds detection for email URLs pointing to previously unseen domains |
| Solutions/Red Sift/Analytic Rules/RedSiftEmailUrlFromNewSource.yaml | Adds detection for URL-bearing email from previously unseen source IPs |
| Solutions/Red Sift/Analytic Rules/RedSiftEmailUrlFromNewSender.yaml | Adds detection for URL-bearing email from previously unseen senders |
| .script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json | Allows RedSiftPush as a valid connectorId for detection templates |
| .script/tests/KqlvalidationsTests/CustomTables/RedSiftEmailForensics_CL.json | Adds custom table schema for KQL validation of email forensics queries |
| .script/tests/KqlvalidationsTests/CustomTables/RedSiftAuth_CL.json | Adds custom table schema for KQL validation of auth queries |
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
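As an added example (not code from this PR, from Red Sift or from the Sentinel repo), the lookback-baseline logic behind the "previously unseen" rules in the table above, run over constructed events in Python. The column names are assumptions, not the real RedSiftAuth_CL schema, and `first_seen` generalizes the new-IP case to any key such as sender or URL domain.

```python
"""First-seen ("previously unseen") detection over constructed auth events.
Added example, not code from the PR, Red Sift or Sentinel: it shows the
lookback-baseline pattern behind the new-IP, new-sender, new-domain and
new-source-IP rules listed above. Column names (TimeGenerated, UserPrincipalName,
SourceIp, EventType, Result) are assumptions, not the real RedSiftAuth_CL schema.
"""
from datetime import datetime, timedelta

# Constructed sample rows standing in for RedSiftAuth_CL; not real telemetry.
EVENTS = [
    {"TimeGenerated": "2024-05-01T09:00:00", "UserPrincipalName": "alice@example.com",
     "SourceIp": "203.0.113.10", "EventType": "Login", "Result": "Success"},
    {"TimeGenerated": "2024-05-10T09:00:00", "UserPrincipalName": "alice@example.com",
     "SourceIp": "203.0.113.10", "EventType": "Login", "Result": "Success"},
    {"TimeGenerated": "2024-05-14T22:15:00", "UserPrincipalName": "alice@example.com",
     "SourceIp": "198.51.100.7", "EventType": "Login", "Result": "Success"},
    {"TimeGenerated": "2024-05-14T22:17:00", "UserPrincipalName": "alice@example.com",
     "SourceIp": "198.51.100.7", "EventType": "MfaDisabled", "Result": "Success"},
    {"TimeGenerated": "2024-05-14T23:00:00", "UserPrincipalName": "bob@example.com",
     "SourceIp": "192.0.2.5", "EventType": "Login", "Result": "Failure"},
]
NOW = datetime(2024, 5, 15)  # evaluation time for the constructed data

def _ts(event):
    return datetime.fromisoformat(event["TimeGenerated"])

def first_seen(events, key, keep, now, recent=timedelta(days=1),
               lookback=timedelta(days=14)):
    """Events in the recent window whose key (user+IP, sender, URL domain...)
    never occurred in the preceding lookback window. `keep` selects the
    events of interest, e.g. successful logins only."""
    recent_start = now - recent
    baseline_start = recent_start - lookback
    baseline = {key(e) for e in events
                if keep(e) and baseline_start <= _ts(e) < recent_start}
    return [e for e in events
            if keep(e) and recent_start <= _ts(e) <= now and key(e) not in baseline]

def new_ip_logins(events, now=NOW):
    """Successful logins from an IP that user has not used in the lookback."""
    return first_seen(events,
                      key=lambda e: (e["UserPrincipalName"], e["SourceIp"]),
                      keep=lambda e: e["EventType"] == "Login" and e["Result"] == "Success",
                      now=now)

def mfa_disabled(events, now=NOW, recent=timedelta(days=1)):
    """MFA disablement is alerted on every occurrence, not only the first."""
    return [e for e in events
            if e["EventType"] == "MfaDisabled" and _ts(e) >= now - recent]
```

Bob's failed login is excluded by `keep`, and alice's repeat login from 203.0.113.10 is suppressed by the baseline, so only the 198.51.100.7 login and the MFA change alert.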
Change(s):
RedSiftAuth_CL and RedSiftEmailForensics_CL.
Reason for Change(s):
Version Updated:
Testing Completed:
RedSiftAuth_CL and RedSiftEmailForensics_CL.
Checked that the validations are passing and have addressed any issues that are present: