qualyskb ccf #13747

Merged
hassanchawiche merged 7 commits into Azure:master from m-ruiz21:mateoruiz/feat/qualyskb-ccf
Apr 2, 2026

Conversation

@m-ruiz21
Contributor

@m-ruiz21 m-ruiz21 commented Mar 4, 2026

Change(s):

  • Added Codeless Connector to solution

Reason for Change(s):

  • new feature

Version Updated:

  • yes

Testing Completed:

  • completed through internal tools + manual testing

@m-ruiz21 m-ruiz21 requested review from a team as code owners March 4, 2026 19:53
@m-ruiz21 m-ruiz21 changed the title from "Mateoruiz/feat/qualyskb ccf" to "qualyskb ccf" Mar 4, 2026
@v-shukore v-shukore self-assigned this Mar 5, 2026
@m-ruiz21
Contributor Author

@microsoft-github-policy-service agree company="Microsoft"

@v-shukore
Contributor

Hi @m-ruiz21, please provide running data connector and both parsers' screenshots here and also confirm what is the reason which you have updated this file - Tools/Create-Azure-Sentinel-Solution/common/standardLogStreams.ps1. Thanks!

@m-ruiz21
Contributor Author

Hey @v-shukore, I updated the standardLogStreams.ps1 to add the Qualys Knowledge Base standard log. I'll get you the screenshots shortly.

@v-shukore
Contributor

Hi @m-ruiz21, I checked arm ttk locally and found it fails when there are empty properties in the maintemplate at the specified line. If possible, please remove the empty properties and update the maintemplate both outside and inside the zip. Thanks.
[screenshot attached]
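The reviewer's point above is that the ARM Template Toolkit rejects a mainTemplate that carries resources with an empty `properties` object, and that the fix has to be applied both to the loose mainTemplate.json and to the copy inside the solution zip. The script below is an added example, not code from this PR or from the Azure-Sentinel repository: it walks a template as parsed JSON, reports the JSONPath-style location of every `"properties": {}` it finds (including ones nested inside a contentTemplates resource's embedded mainTemplate), and returns a cleaned copy with those keys dropped. The embedded template is constructed for the example and is not the PR's real file; whether a given resource type tolerates a missing `properties` block is something to confirm per resource before shipping the cleaned output.

```python
import json
from typing import Any

# Constructed sample in the shape of a Sentinel solution mainTemplate.json.
# Two resources deliberately carry "properties": {} so the check has something
# to find; this is not the template from the PR.
SAMPLE_MAIN_TEMPLATE = """
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
      "apiVersion": "2023-04-01-preview",
      "name": "[variables('dataConnectorTemplateName')]",
      "properties": {
        "contentId": "ExampleConnector",
        "mainTemplate": {
          "resources": [
            {
              "type": "Microsoft.SecurityInsights/dataConnectorDefinitions",
              "properties": {}
            },
            {
              "type": "Microsoft.SecurityInsights/dataConnectors",
              "properties": { "connectorDefinitionName": "ExampleConnector" }
            }
          ]
        }
      }
    },
    {
      "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
      "properties": {}
    }
  ]
}
"""


def load_template(text: str) -> Any:
    """Parse template JSON text (a mainTemplate.json read from disk or from the zip)."""
    return json.loads(text)


def find_empty_properties(node: Any, path: str = "$") -> list[str]:
    """Return JSONPath-style locations of every 'properties' key whose value is {}.

    The walk is depth-first so nested templates (a contentTemplates resource
    embeds its own mainTemplate) are covered, not just top-level resources.
    """
    hits: list[str] = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key == "properties" and isinstance(value, dict) and not value:
                hits.append(child)
            hits.extend(find_empty_properties(value, child))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            hits.extend(find_empty_properties(item, f"{path}[{index}]"))
    return hits


def strip_empty_properties(node: Any) -> Any:
    """Return a deep copy of the template with every empty 'properties' object removed.

    Only keys whose value is exactly {} are dropped; non-empty objects are
    recursed into and otherwise left intact.
    """
    if isinstance(node, dict):
        return {
            key: strip_empty_properties(value)
            for key, value in node.items()
            if not (key == "properties" and isinstance(value, dict) and not value)
        }
    if isinstance(node, list):
        return [strip_empty_properties(item) for item in node]
    return node


if __name__ == "__main__":
    template = load_template(SAMPLE_MAIN_TEMPLATE)
    for location in find_empty_properties(template):
        print(f"empty properties at {location}")
    cleaned = strip_empty_properties(template)
    print(json.dumps(cleaned, indent=2))
```

Run it against the loose mainTemplate.json and against the copy extracted from the package zip; if the two runs disagree, the zip was built from an older template and needs to be regenerated rather than patched by hand.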

@m-ruiz21
Contributor Author

Just added the sample query to resolve the build warnings @v-shukore

@v-shukore
Contributor

Hi @m-ruiz21, you have packaged the solution with version 4.0.0, but we currently do not support this version. We are using the V3 tool to package solutions. Please repackage the solution using the V3 tool.
https://github.com/Azure/Azure-Sentinel/blob/master/Tools/Create-Azure-Sentinel-Solution/V3/README.md

@m-ruiz21
Contributor Author

m-ruiz21 commented Mar 25, 2026

Hey @v-shukore, if I recall correctly, that’s just the script version number. I don’t think it has anything to do with the actual solution version and in fact I used that very script to create the solution and bump up the version to v4.0.0.

This is a breaking change, and the version number needs to signal that.

@v-shukore
Contributor

Hi @m-ruiz21, as you can see, the V3 documentation does not mention version 4.0.0 anywhere. Also, there is no solution with version 4.0.0 in our repository. Currently, we are packaging with the V3 tool, so please use the V3 tool and create the zip package with version 3.0.0. Thanks!!

@m-ruiz21
Contributor Author

m-ruiz21 commented Mar 27, 2026

Hey @v-shukore, I'm a bit confused as I can't see anything in the docs about not ever creating a solution with version > 3.

So, to clarify:

  • On top of adding a CCF connector, I'm correcting some typos in the alias parser schema that will be a breaking change for customers.
  • It is best practice to signify a breaking change through a major version update, so I went ahead and used the V3 script to bump the version of the solution utilizing a flag that seems to be made for this very use case.

Is there some sort of arbitrary rule I'm not aware of that's keeping us from having any content solution > 3, no matter how significant the change? If that's the case, if you could link me any sort of concrete documentation and/or reasoning that supports this, that would be incredibly helpful.

Otherwise, if you're against the general notion of the breaking change, I'm also okay with having that discussion.

@v-shukore
Contributor

Hi @m-ruiz21, we currently have a readme file for the package solution. It contains detailed instructions on how to create the package and the necessary changes for packaging. If you have any questions, feel free to message me on Teams at my ID v-shukore@microsoft.com. Thanks!
https://github.com/Azure/Azure-Sentinel/blob/master/Tools/Create-Azure-Sentinel-Solution/V3/README.md

@m-ruiz21
Contributor Author

Hey @v-shukore, just sent a message via Teams :)

@m-ruiz21
Contributor Author

Forgot to upload screenshot of connector connectivity:
[screenshot attached]

@hassanchawiche hassanchawiche merged commit 08d57b8 into Azure:master Apr 2, 2026
33 checks passed