secRMM version 3.0.0 adds 'Analytic Rules' to the Microsoft Sentinel …#12959

Merged: v-dvedak merged 15 commits into Azure:master from anthonylamark:secRMM_version_3 on Nov 14, 2025

Conversation

@anthonylamark (Contributor):

The Microsoft Sentinel team informed Squadra Technologies that the 'Microsoft Sentinel secRMM' solution was not compliant because it was missing a 'Microsoft Sentinel Analytic Rule'. This pull request contains the secRMM Analytic Rule that was required.

Required items: There are no requirements for this change.

Change(s):

  • Added Analytic Rules\Removable_Storage_ONLINE.yaml
  • Removed Package\2.0.1.zip
  • Added Package\3.0.0.zip
  • Modified Data\Solution_SquadraTecnologiesSecRmmTemplateSpec.json to change version number

Reason for Change(s):

  • Added Analytic Rules folder and 1 analytic rule

Version Updated: Bumped the version from 2.0.1 to 3.0.0

Testing Completed:

  • Yes

Checked that the validations are passing and have addressed any issues that are present:

  • No

@anthonylamark anthonylamark requested review from a team as code owners October 14, 2025 18:55
@v-shukore v-shukore added the Solution Solution specialty review needed label Oct 15, 2025
@v-atulyadav (Collaborator):

Hi @anthonylamark,
Please take care of failed validations. Thanks

@anthonylamark (Contributor, Author):

Hi,
I think I have fixed the validation errors by adding file .script/tests/KqlvalidationsTests/CustomTables/secRMM_CL.json
Thanks!

@v-atulyadav (Collaborator):

Hi @anthonylamark,
It appears that your rule template does not comply with the standard format. Please refer to the link below to update your rule accordingly and then repackage the solution to include the updated changes. Thanks

https://github.com/Azure/Azure-Sentinel/wiki/Query-Style-Guide

@v-atulyadav (Collaborator):

Hi @anthonylamark,
Please work on above ask. Thanks

@anthonylamark (Contributor, Author):

I have resubmitted the analytic rule again (removed the properties line).
I have an open support case with Microsoft (Case 2509290040011442) but am not getting much help on this issue.
The documentation does not fully explain what needs to go into the yaml for a rule of type NRT.

@v-atulyadav (Collaborator) commented Oct 30, 2025:

Hi @anthonylamark.
Please refer to the rule mentioned below for your reference. Verify the ID (ensure it uses a GUID), name, and other properties as per the rule. Additionally, kindly uncommit the removal of the 2.0.0 ZIP file, as we do not want to remove any previous package ZIPs. Once all the changes are completed, please repackage the solution. Thanks

https://github.com/Azure/Azure-Sentinel/blob/b412520f9ea0f020bd463d2026d9c29fda6f7038/Solutions/Authomize/Analytic%20Rules/User_without_MFA.yaml

@anthonylamark (Contributor, Author):

  1. In Analytic Rules\Removable_Storage_ONLINE.yaml:
    a. Added hard-coded GUID for id property
    b. Added hard-coded text for name property
    c. Removed type property
  2. Uncommit the removal of the 2.0.0 ZIP file

@v-atulyadav (Collaborator):

Hi @anthonylamark,

I’m still seeing the 2.0.0 package along with 2.0.1 and 3.0.0. We need to retain only one commit, which should be for 3.0.0.

Additionally, please ensure that the workbook metadata is updated at the following location:
https://github.com/Azure/Azure-Sentinel/blob/master/Workbooks/WorkbooksMetadata.json

Additionally, the following validations are failing:

  1. [screenshot]
  2. [screenshot]
  3. For the validation below, please rename the property name from techniques to relevantTechniques. [screenshots]

@anthonylamark anthonylamark requested a review from a team as a code owner November 4, 2025 19:32
@anthonylamark (Contributor, Author):

Hi,
I have:

  1. removed package 2.0.1.zip
  2. uncommitted package 2.0.0.zip
  3. updated WorkbooksMetadata.json with version 3.0.0 (from 1.0.0)
  4. updated Removable_Storage_ONLINE.yaml
    a. changed apiVersion to 2025-09-01 (from 2023-12-01-preview)
    b. changed techniques to relevantTechniques

@v-atulyadav (Collaborator):

Hi @anthonylamark,
There are still a few places where the API version needs to be upgraded. Please refer to the screenshot below for reference. Additionally, the domain validation is failing. Thanks

[screenshots]

Commit message: updated url (I guess is the domain validation failing but not 100% sure) in Package\mainTemplate.json and Data Connectors\SquadraTechnologies.SecRMM.json

@anthonylamark (Contributor, Author):

Based on the latest comment from code owner v-atulyadav:

There are still a few places where the API version needs to be upgraded. Please refer to the screenshot below for reference. Additionally, the domain validation is failing.

The following 2 files have been modified:

In Package\mainTemplate.json:

  1. modified all occurrences of:
    http://www.squadratechnologies.com/StaticContent/ProductDownload/secRMM/9.9.0.0/secRMMAzureSentinelAdministratorGuide.pdf
    to:
    https://www.squadratechnologies.com/StaticContent/ProductDownload/secRMM/9.11.0.0/secRMMAzureSentinelAdministratorGuide.pdf
  2. modified all occurrences of:
    "apiVersion": "2021-05-01"
    and
    "apiVersion": "2021-03-01-preview"
    to:
    "apiVersion": "2022-05-09"
  3. modified all occurrences (lines 227 and 531) of:
    "version": "1.0.0"
    to:
    "version": "3.0.0"

In Data Connectors\SquadraTechnologies.SecRMM.json

  1. modified 1 occurrence of:
    http://www.squadratechnologies.com/StaticContent/ProductDownload/secRMM/9.9.0.0/secRMMAzureSentinelAdministratorGuide.pdf
    to:
    https://www.squadratechnologies.com/StaticContent/ProductDownload/secRMM/9.11.0.0/secRMMAzureSentinelAdministratorGuide.pdf
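The two fixes listed above (outdated apiVersion values and plain-http links in the ARM template) are easy to miss when they recur across a large mainTemplate.json. The following Python check is an added example, not code from this pull request or from the Azure-Sentinel repository; it walks a constructed template fragment and reports every occurrence of either issue with its JSON path. The cutoff date is taken from the target apiVersion in the thread; the resource types, property names and URL in the sample are assumed values.

```python
import json
import re
from datetime import date

# Constructed sample mirroring the issues raised in the review: two old
# apiVersion values and a plain-http documentation link. Not a real template.
SAMPLE_TEMPLATE = json.loads(r'''
{
  "resources": [
    {"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
     "apiVersion": "2021-05-01",
     "properties": {"version": "1.0.0"}},
    {"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
     "apiVersion": "2021-03-01-preview",
     "properties": {"support": {"link": "http://www.example.invalid/guide.pdf"}}}
  ]
}
''')

# Anything older than the apiVersion the thread settled on is flagged.
MIN_API_DATE = date(2022, 5, 9)


def parse_api_version(value):
    """Return the date part of an apiVersion like '2021-03-01-preview', or None."""
    m = re.match(r"^(\d{4})-(\d{2})-(\d{2})", value)
    return date(int(m[1]), int(m[2]), int(m[3])) if m else None


def find_template_issues(template, min_api_date=MIN_API_DATE):
    """Recursively walk an ARM template (parsed JSON) and collect findings.

    Returns a sorted list of (json_path, issue, value) tuples where issue is
    'outdated-apiVersion' or 'plain-http-url'.
    """
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                child = f"{path}.{key}"
                if key == "apiVersion" and isinstance(value, str):
                    parsed = parse_api_version(value)
                    if parsed is None or parsed < min_api_date:
                        findings.append((child, "outdated-apiVersion", value))
                walk(value, child)
        elif isinstance(node, list):
            for i, item in enumerate(node):
                walk(item, f"{path}[{i}]")
        elif isinstance(node, str) and node.lower().startswith("http://"):
            findings.append((path, "plain-http-url", node))

    walk(template, "$")
    return sorted(findings)


if __name__ == "__main__":
    for path, issue, value in find_template_issues(SAMPLE_TEMPLATE):
        print(f"{issue:20} {path}: {value}")
```

Running it against a real mainTemplate.json is a matter of replacing SAMPLE_TEMPLATE with json.load(open(path)).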

@v-atulyadav (Collaborator):

Hi @anthonylamark,
We’ve resolved all failed validations. Next, we’ll review the template and then proceed with the merge. Thanks

@anthonylamark (Contributor, Author):

Hi v-atulyadav,
Thank you very much!!!

@v-dvedak v-dvedak merged commit dd35dd6 into Azure:master Nov 14, 2025
35 checks passed
@anthonylamark anthonylamark deleted the secRMM_version_3 branch November 14, 2025 14:06