
🐛 Don't mix ISO duration and KQL timespan formats #11199

Closed
wants to merge 4 commits into from

Conversation

pemontto
Contributor

Required items, please complete

Change(s):

  • Fix rules that mix ISO8601 time durations with KQL timespans. Based on the Query Style Guide, YAML rules should be using KQL timespans

Reason for Change(s):

  • Consistency

Version Updated: ✅

Testing Completed: ✅

@pemontto pemontto requested review from a team as code owners September 30, 2024 11:38
@v-prasadboke v-prasadboke self-assigned this Sep 30, 2024
@v-prasadboke v-prasadboke added the Solution Solution specialty review needed label Sep 30, 2024
@pemontto pemontto force-pushed the timespans branch 3 times, most recently from ee463a4 to 0217784 October 4, 2024 09:30
@pemontto
Contributor Author

pemontto commented Oct 4, 2024

@v-prasadboke now passing validations. Same things as in #11124

@pemontto
Contributor Author

@v-prasadboke any feedback, or is this OK to be merged?

@v-prasadboke
Contributor

Hello @pemontto, we will repackage these Solutions and get this PR merged by 05 December, 2024.

@v-prasadboke
Contributor

Hello @pemontto, please repackage the Solutions.

Please go through this documentation to package the solutions
https://github.com/Azure/Azure-Sentinel/blob/master/Tools/Create-Azure-Sentinel-Solution/V3/README.md

@pemontto
Contributor Author

pemontto commented Nov 5, 2024

@v-prasadboke repackage solutions.

I noticed Veritas NetBackup and BitSight were updating existing versions. I tried to increment the Version in the data JSON file to no avail, it still overwrote/updated existing versions.

I also updated Tools/Create-Azure-Sentinel-Solution/V3/createSolutionV3.ps1 to take the path as a CLI arg so I could run them more easily.

# Build a NUL-separated list of solution names (some contain spaces) and run
# createSolutionV3.ps1 once per solution, up to 12 in parallel; {} is replaced
# with each solution name.
echo -e "ARGOSCloudSecurity\nBitSight\nCTM360\nDynatrace\nMicrosoftDefenderForEndpoint\nNasuni\nJamf Protect\nMicrosoft 365\nMicrosoft Defender XDR\nPure Storage\nVectra XDR\nVeritas NetBackup" \
    | tr '\n' '\0' \
    | xargs -0 -n 1 -P 12 -I {} \
    pwsh -Command "./Tools/Create-Azure-Sentinel-Solution/V3/createSolutionV3.ps1 './Solutions/{}/data'"

@v-prasadboke
Contributor

Hello @pemontto, only the time format PT5H is supported. Changing it to 5H would not be accepted as input while creating the Analytic Rule.

Added screenshot below.

  1. Shows input as PT5H
  2. Shows as 5H

[Screenshots: ARGOSCloudSecurity (1. PT5H, 2. 5H); CTM360 (1. PT5H, 2. 5H)]
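The thread above turns on two duration notations for the same rule fields: the KQL timespan style the Query Style Guide asks for in YAML (5h, 1d) and the ISO 8601 style the Analytic Rule creation path accepts (PT5H, P1D). The checker below is an added example, not code from this PR or from the Azure-Sentinel packaging tool: it flags a rule whose duration fields mix the two notations and normalises every field to ISO 8601 for packaging. The field names queryFrequency, queryPeriod and suppressionDuration are assumed to be the duration-bearing keys of a rule YAML, and the rule is a constructed dict rather than a parsed file.

```python
import re

# Assumed duration-bearing keys of a Sentinel analytic-rule YAML.
DURATION_FIELDS = ("queryFrequency", "queryPeriod", "suppressionDuration")

# ISO 8601: P[nD][T[nH][nM][nS]]; KQL timespan literal: n followed by d/h/m/s.
ISO_RE = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")
KQL_RE = re.compile(r"^(\d+)([dhms])$")
UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}


def classify(value: str):
    """Return ('iso' | 'kql', total_seconds); raise ValueError for anything else."""
    m = ISO_RE.match(value)
    if m and value not in ("P", "PT") and not value.endswith("T"):
        d, h, mi, s = (int(x) if x else 0 for x in m.groups())
        return "iso", d * 86400 + h * 3600 + mi * 60 + s
    m = KQL_RE.match(value)
    if m:
        return "kql", int(m.group(1)) * UNIT_SECONDS[m.group(2)]
    raise ValueError(f"unrecognised duration: {value!r}")


def to_iso8601(seconds: int) -> str:
    """Render a second count as ISO 8601, e.g. 5400 -> 'PT1H30M', 86400 -> 'P1D'."""
    days, rem = divmod(seconds, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    out = "P" + (f"{days}D" if days else "")
    time_part = "".join(f"{n}{u}" for n, u in ((hours, "H"), (minutes, "M"), (secs, "S")) if n)
    if time_part:
        out += "T" + time_part
    return out if out != "P" else "PT0S"


def check_rule(rule: dict):
    """Return (mixed, normalised): mixed is True when the rule uses both notations,
    normalised is a copy of the rule with every duration field in ISO 8601."""
    formats, normalised = set(), dict(rule)
    for field in DURATION_FIELDS:
        if field in rule:
            fmt, secs = classify(str(rule[field]))
            formats.add(fmt)
            normalised[field] = to_iso8601(secs)
    return len(formats) > 1, normalised


# Constructed rule mixing the two notations, as the PR description describes.
SAMPLE_RULE = {"queryFrequency": "5h", "queryPeriod": "PT5H", "suppressionDuration": "1d"}
```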

@v-prasadboke
Contributor

I suggest closing this PR, as this PR mainly consists of Solutions with time format changes which would be irrelevant.

Thanks,
Prasad

@v-prasadboke
Contributor

v-prasadboke commented Dec 30, 2024

We wanted to check on the status of PR #11199. PR is pending for more than 10+ days. Please let us know if you need any assistance to review this PR. Per our standard operating procedures if no response is received in the next 7 business days, we will close this PR. Thank you for your cooperation.

@v-prasadboke
Contributor

Since we have not received a response in the last 7 days, we are closing your PR #11199 per our standard operating procedures. If you still need support for this issue, you can re-open the PR at any time.

If you do re-open, we simply request that you ensure the PR has a response to the last request. Thank you for your cooperation.
