What Changed
The detection template authoring instructions now include explicit guidance for validating connectorId values in Analytic Rules. The update adds a mandatory validation step that requires all connectorId values to be checked against the official ValidConnectorIds.json file in the repository.
Process Impact
Detection contributors and reviewers must now verify that any connectorId referenced in YAML templates exists in the official allowlist at .script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json. Invalid connector IDs trigger a standardized reviewer comment requesting either use of a valid ID from the official list or addition of the new connector to the allowlist.
The guidance provides concrete examples of valid IDs (CiscoDuoSecurity, AzureActiveDirectory) versus common invalid variants (CiscoDuo, AzureAD) to reduce submission errors.
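The check described above can be run locally before opening a pull request. The following is an added example, not the repository's own validation code: it assumes ValidConnectorIds.json is a flat JSON array of strings and that templates list connectors under requiredDataConnectors. The function name, the sample template and the closest-match hint are illustrative additions.

```python
import difflib
import json
import re

# Constructed stand-in for ValidConnectorIds.json; assumed to be a flat JSON array of strings.
ALLOWLIST_JSON = '["AzureActiveDirectory", "CiscoDuoSecurity"]'

# Constructed analytic rule template fragment (not taken from the repository).
SAMPLE_TEMPLATE = """\
id: 00000000-0000-0000-0000-000000000000
name: Constructed sample rule
requiredDataConnectors:
  - connectorId: CiscoDuo
    dataTypes:
      - CiscoDuo
  - connectorId: "AzureActiveDirectory"
    dataTypes:
      - SigninLogs
  - connectorId: AzureAD  # trailing comment is ignored
    dataTypes:
      - SigninLogs
"""

# Matches "connectorId: value" with an optional list dash and optional quotes.
CONNECTOR_RE = re.compile(r"""^\s*(?:-\s*)?connectorId:\s*["']?([^"'\s#]+)""")


def find_invalid_connector_ids(template_text, valid_ids):
    """Return (line_number, connector_id, suggestion) for each ID not in valid_ids.

    Comparison is exact and case-sensitive; suggestion is the closest allowlisted
    ID by string similarity, or None when nothing is reasonably close.
    """
    valid = set(valid_ids)
    findings = []
    for line_no, line in enumerate(template_text.splitlines(), start=1):
        match = CONNECTOR_RE.match(line)
        if not match or match.group(1) in valid:
            continue
        close = difflib.get_close_matches(match.group(1), sorted(valid), n=1, cutoff=0.5)
        findings.append((line_no, match.group(1), close[0] if close else None))
    return findings


if __name__ == "__main__":
    for line_no, cid, hint in find_invalid_connector_ids(SAMPLE_TEMPLATE, json.loads(ALLOWLIST_JSON)):
        print(f"line {line_no}: connectorId '{cid}' is not in the allowlist (closest valid ID: {hint})")
```

An ID with no close match in the allowlist gets a suggestion of None, which is the case where the connector would need to be added to the allowlist rather than renamed.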
Affected Files
.github/instructions/detections.instructions.md