SecOps - 41207 - Active analytics rules are configured in Microsoft Sentinel to detect threats #1342
aahmed-spec wants to merge 1 commit into
Pull request overview
Adds a new Zero Trust Assessment test (ID 41207) to evaluate whether Microsoft Sentinel workspaces have active, actionable analytics rules enabled (excluding “Fusion-only” as compliant), and provides accompanying end-user remediation guidance.
Changes:
- Introduces the Test-Assessment-41207 PowerShell test to enumerate Sentinel-onboarded workspaces and evaluate enabled analytics rule kinds.
- Generates per-workspace result details (counts, rule kinds, MITRE tactics) and summary markdown output.
- Adds the corresponding markdown description/remediation file for Test 41207.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| src/powershell/tests/Test-Assessment.41207.ps1 | New assessment test to query Sentinel alert rules per onboarded workspace and emit pass/fail/investigate results with a markdown report. |
| src/powershell/tests/Test-Assessment.41207.md | New end-user explanation/remediation content for Test 41207, including a %TestResult% placeholder. |
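The per-workspace evaluation and the tenant-level aggregation described above, as an added PowerShell example that is not the PR's own code: the rule objects are constructed inline (in the real test they come from each onboarded workspace's Sentinel alert rules), and the Pass/Fail/Investigate mapping and the function names are assumptions made here, not the spec's wording. It shows both aggregation readings debated in the review.

```powershell
# Added example (not the PR's code). Rule objects are constructed; the
# Pass/Fail/Investigate mapping below is an assumption, not the spec's text.

function Get-WorkspaceRuleStatus {
    param(
        [Parameter(Mandatory)][string]$WorkspaceName,
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Rules
    )
    $enabled    = @($Rules | Where-Object { $_.enabled })
    # Fusion is built-in correlation, so an enabled Fusion rule alone does
    # not show that anyone authored actionable detections for this workspace.
    $actionable = @($enabled | Where-Object { $_.kind -ne 'Fusion' })
    $status = if ($actionable.Count -gt 0) { 'Pass' }
              elseif ($enabled.Count -gt 0) { 'Investigate' }   # Fusion-only
              else { 'Fail' }                                   # nothing enabled
    [pscustomobject]@{
        Workspace    = $WorkspaceName
        RowStatus    = $status
        EnabledRules = $enabled.Count
        RuleKinds    = ($actionable.kind    | Sort-Object -Unique) -join ', '
        Tactics      = ($actionable.tactics | Sort-Object -Unique) -join ', '
    }
}

function Get-TenantVerdict {
    # -RequireAll: every onboarded workspace must pass (strict reading);
    # default: any passing workspace passes the tenant (the PR's reading).
    param([object[]]$WorkspaceResults, [switch]$RequireAll)
    $passedItems = @($WorkspaceResults | Where-Object { $_.RowStatus -eq 'Pass' })
    if ($RequireAll) {
        return ($WorkspaceResults.Count -gt 0) -and ($passedItems.Count -eq $WorkspaceResults.Count)
    }
    return $passedItems.Count -gt 0
}

# Constructed sample: three onboarded workspaces in one tenant.
$workspaces = @{
    'ws-prod'   = @(
        [pscustomobject]@{ kind = 'Scheduled'; enabled = $true;  tactics = @('InitialAccess', 'Persistence') }
        [pscustomobject]@{ kind = 'Fusion';    enabled = $true;  tactics = @() }
    )
    'ws-lab'    = @([pscustomobject]@{ kind = 'Fusion';    enabled = $true;  tactics = @() })
    'ws-legacy' = @([pscustomobject]@{ kind = 'Scheduled'; enabled = $false; tactics = @('Execution') })
}

$results = foreach ($name in ($workspaces.Keys | Sort-Object)) {
    Get-WorkspaceRuleStatus -WorkspaceName $name -Rules $workspaces[$name]
}
$results | Format-Table -AutoSize
"Any-workspace reading passes tenant: {0}"  -f (Get-TenantVerdict $results)
"All-workspaces reading passes tenant: {0}" -f (Get-TenantVerdict $results -RequireAll)
```

With this sample only ws-prod passes, so the two readings disagree on the tenant verdict, which is exactly the ambiguity the review asks the spec author to settle.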
alexandair left a comment:
@aahmed-spec Please address my feedback.
| $investigateItems = @($workspaceResults | Where-Object { $_.RowStatus -eq 'Investigate' }) | ||
| $failedItems = @($workspaceResults | Where-Object { $_.RowStatus -eq 'Fail' }) | ||
|
|
||
| $passed = $passedItems.Count -gt 0 |
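Review bot: `$passed = $passedItems.Count -gt 0` on the last line makes the tenant verdict ignore the `$failedItems` and `$investigateItems` collections built just above it, so a single configured workspace masks any number of zero-rule or Fusion-only workspaces. If the stricter per-workspace reading is intended, make the verdict `$passed = $passedItems.Count -gt 0 -and $failedItems.Count -eq 0 -and $investigateItems.Count -eq 0`; if the lenient reading stands, add a one-line comment at this line stating that choice so it is visible where the verdict is computed and not only in the synopsis.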
Overall status is $passed = $passedItems.Count -gt 0 — the test passes if any onboarded workspace has an actionable rule. In a tenant with several Sentinel workspaces where only one is configured, the others (zero rules / Fusion-only) are reduced to table rows while the tenant scores ✅. The spec's evaluation logic is written strictly per-workspace and is silent on cross-workspace aggregation, and the .ps1 synopsis documents the "at least one" choice — so this is a deliberate interpretation rather than a bug.
Please confirm with the spec author that "any passing workspace ⇒ Pass" is intended; an "all onboarded workspaces must have ≥1 actionable rule" interpretation is equally defensible and stricter.