Add KQL validations for ImAuthentication (#4187)

* added KQL validations for ImAuthentication

* updated KQL validations

* fix Acc2Host_HostWithMostFails

.script/tests/KqlvalidationsTests/Kqlvalidations.Tests.csproj

@@ -12,7 +12,7 @@
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
     </PackageReference>
     <PackageReference Include="YamlDotNet" Version="6.0.0" />
-    <PackageReference Include="Microsoft.Azure.Sentinel.KustoServices" Version="3.0.0" />
+    <PackageReference Include="Microsoft.Azure.Sentinel.KustoServices" Version="3.1.1" />
   </ItemGroup>
 
 </Project>

.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json

@@ -23,15 +23,5 @@
     "id": "09c49590-4e9d-4da9-a34d-17222d0c9e7e",
     "templateName": "PotentiallyHarmfulFileTypes.yaml",
     "validationFailReason": "The name '_GetWatchList' does not refer to any known function"
-  },
-  {
-    "id": "4c541df8-a680-4da5-96c9-74456927213f",
-    "templateName": "Acc2Host_HostWithMostFails.yaml",
-    "validationFailReason": "The name 'imAuthentication' does not refer to any known function"
-  },
-  {
-    "id": "7f3989bf-1558-4d3c-bb5e-e17ac2a67a87",
-    "templateName": "UserAccount_LogonsFromIPAddress.yaml",
-    "validationFailReason": "The name 'imAuthentication' does not refer to any known function"
   }
 ]

Exploration Queries/InputEntity_Account/Acc2Host_HostWithMostFails.yaml

@@ -17,6 +17,7 @@ Tactics:
   - LateralMovement
   - Collection
 query: |
+  let SuccessfulLoginEventId = 4624;
   let FailedLoginEventId = 4625;
   let isimAuthenticationInstalled=toscalar(union isfuzzy=true  (datatable(Test:string)[]), (imAuthentication| take 0) | getschema | count | project Exists=(Count>1));
   let Legacy = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_UPNSuffix:string){