
Add analytics rule for D3 Smart SOAR high/critical severity incidents#14060

Merged
v-atulyadav merged 6 commits into
Azure:masterfrom
DThreeDev:d3-smart-soar-v3.3.0
Apr 16, 2026

Conversation

@brianbtzhong (Contributor) commented Apr 13, 2026

Change(s):

  • Added scheduled analytics rule that detects D3 Smart SOAR incidents with High or Critical severity (Analytic Rules/D3SmartSOAR-HighOrCriticalSeverityIncident.yaml)
  • Embedded analytics rule as ARM resource in mainTemplate.json with proper contentTemplate, metadata, and dependency configuration
  • Updated Solution_D3SOAR.json to reference the new analytic rule
  • Bumped solution version from 3.2.0 to 3.3.0
  • Added 3.3.0.zip package alongside existing versions
  • Added 3.3.0 entry to ReleaseNotes.md

Reason for Change(s):

  • Analytics rule is required for the D3 Smart SOAR solution to provide out-of-the-box detection capability in Microsoft Sentinel. The rule queries the D3SOARIncidents_CL table every hour for incidents with High or Critical severity and creates Sentinel incidents for security team triage.

Version Updated:

  • Yes — 3.2.0 → 3.3.0

Testing Completed:

  • Yes — Analytics rule KQL query validated against live data in test workspace (d3devcyber). Rule successfully detected 6 High/Critical severity incidents and created corresponding Sentinel incidents. ARM template validated and deployed successfully.

Checked that the validations are passing and have addressed any issues that are present:

  • Yes

… (v3.3.0)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
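For readers who have not seen a Sentinel scheduled analytic rule before, the following is an added example of the shape of rule this PR adds. It is not the PR's own `D3SmartSOAR-HighOrCriticalSeverityIncident.yaml` and is not D3's code: the `D3SOARIncidents_CL` column names (`Severity_s`, `IncidentNumber_s`, `Title_s`, `Status_s`), the `connectorId` value and the rule GUID are assumptions and must be replaced with the solution's real values. It goes slightly beyond the description in the PR by deduplicating repeated rows per incident and raising one alert per result.

```yaml
# Added example (not the PR's rule file). Column names, connectorId and the
# id GUID are assumptions; check them against the real D3SOARIncidents_CL schema.
id: 00000000-0000-0000-0000-000000000000   # placeholder GUID, generate a new one
name: D3 Smart SOAR - High or Critical Severity Incident (example)
description: |
  Surfaces D3 Smart SOAR incidents ingested into D3SOARIncidents_CL whose
  severity is High or Critical so that each becomes a Sentinel incident
  for security team triage.
severity: High
status: Available
requiredDataConnectors:
  - connectorId: D3SmartSOAR          # assumed; use the solution's real connector id
    dataTypes:
      - D3SOARIncidents_CL
queryFrequency: 1h   # run every hour, as described in the PR
queryPeriod: 1h      # look back only one hour so each run sees only new rows
triggerOperator: gt
triggerThreshold: 0
query: |
  D3SOARIncidents_CL
  | where TimeGenerated > ago(1h)
  // case-insensitive match so "high"/"HIGH" from the source are not missed
  | where Severity_s in~ ("High", "Critical")
  // a D3 incident can be ingested several times as its status changes;
  // keep only the newest row per incident number so one alert is raised per incident
  | summarize arg_max(TimeGenerated, *) by IncidentNumber_s
  | project TimeGenerated, IncidentNumber_s, Title_s, Severity_s, Status_s
eventGroupingSettings:
  aggregationKind: AlertPerResult   # one Sentinel alert per D3 incident row
alertDetailsOverride:
  alertDisplayNameFormat: "D3 SOAR {{Severity_s}} incident {{IncidentNumber_s}}: {{Title_s}}"
customDetails:
  D3IncidentNumber: IncidentNumber_s
  D3Severity: Severity_s
  D3Status: Status_s
version: 1.0.0
kind: Scheduled
```

Keeping `queryPeriod` equal to `queryFrequency` matters: a longer lookback than the schedule interval re-selects rows already alerted on and creates duplicate Sentinel incidents for the same D3 incident. The `arg_max` summarize guards against the same problem within a single run when the table receives one row per status update.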
@brianbtzhong brianbtzhong requested review from a team as code owners April 13, 2026 21:20
@brianbtzhong (Contributor, Author) commented:

Incidents were created successfully with the added analytics rule
[screenshot]

@v-shukore v-shukore added Solution Solution specialty review needed Analytic Rules labels Apr 14, 2026
@brianbtzhong brianbtzhong requested a review from a team as a code owner April 14, 2026 17:22
@brianbtzhong (Contributor, Author) commented:

Hi @v-shukore @v-maheshbh
I have fixed the mentioned validation errors. Can you help run the checks again and merge it if there are no other issues? Thanks!

@v-maheshbh v-maheshbh requested a review from Copilot April 15, 2026 05:58
Copilot AI (Contributor) left a comment

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Adds a new scheduled Microsoft Sentinel analytic rule to the D3 Smart SOAR solution to detect ingested incidents with High/Critical severity, and updates the solution metadata/versioning to ship the new content.

Changes:

  • Added a new scheduled analytic rule YAML for High/Critical severity D3 incidents.
  • Updated solution data/version references (including connector id validation and KQL custom table schema for tests).
  • Updated release notes for the 3.3.0 release.

Reviewed changes

Copilot reviewed 6 out of 7 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| Solutions/D3SmartSOAR/ReleaseNotes.md | Adds a 3.3.0 release notes entry for the new analytic rule. |
| Solutions/D3SmartSOAR/Package/mainTemplate.json | Bumps solution version and embeds the analytic rule as an ARM content template. |
| Solutions/D3SmartSOAR/Data/Solution_D3SOAR.json | References the new analytic rule and bumps solution/data connector versions to 3.3.0. |
| Solutions/D3SmartSOAR/Analytic Rules/D3SmartSOAR-HighOrCriticalSeverityIncident.yaml | Introduces the scheduled analytic rule template querying D3SOARIncidents_CL. |
| .script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json | Registers the connectorId so schema validation recognizes it. |
| .script/tests/KqlvalidationsTests/CustomTables/D3SOARIncidents_CL.json | Adds the custom table schema used by KQL validation tests. |
Comments suppressed due to low confidence (1)

Solutions/D3SmartSOAR/ReleaseNotes.md:1

  • The release notes table appears to start with a double pipe (||), which creates an extra empty column and violates the required 3-column table structure. Update the table rows to start with a single leading pipe (|) so the markdown table has exactly three columns with the required headers.
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |

Comment thread Solutions/D3SmartSOAR/Data/Solution_D3SOAR.json Outdated
@brianbtzhong (Contributor, Author) commented:

Hi @v-maheshbh @v-shukore, I saw 2 comments flagged by Copilot on this PR and wanted to check with you: do you think these fixes are necessary to address before merging, or are they safe to leave as is? Thanks!

brianbtzhong and others added 3 commits April 15, 2026 10:29
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@brianbtzhong (Contributor, Author) commented:

Hi @v-shukore @v-maheshbh, I have fixed the comments raised by Copilot and resolved the conflicts. Can you please take a look and merge it if there are no other issues? Thanks!

@v-atulyadav v-atulyadav merged commit 142c75e into Azure:master Apr 16, 2026
36 checks passed