Elastic Agent CCF Connector Promoted to GA: Template Variable Bug Fixed in Graph Queries

The Elastic Agent CCF connector moves from public preview to GA (v3.0.1), simultaneously fixing a connector definition bug where graphQueriesTableName template substitution failed in graph queries, leaving the Sentinel connector UI unable to render data volume metrics. Read More →

ASIM Authentication: New Palo Alto Prisma Cloud Compute Parser Brings Login Visibility to Sentinel

Two new ASIM Authentication parsers normalize Palo Alto Prisma Cloud Compute management audit login events into the unified schema, closing a previously uncovered authentication blind spot for Prisma Cloud Compute deployments. Read More →

42Crunch API Protection Solution: Publisher and Support Metadata Update (v3.0.2)

Version 3.0.2 bumps publisher and support contact information in SolutionMetadata.json only — no detection logic, connector configuration, or parser changes. Read More →

Qualys VM KnowledgeBase Connector: Restoring Vulnerability Intelligence After CCF Polling Blind Spot

The Qualys KB CCF connector was silently dropping vulnerability records – switching from publish-time to last-modified filtering and fixing optional parameter handling restores complete KB ingestion. Read More →

1Password Connector: Silent Data Loss Fixed for Late-Synced Item Usage Events

The 1Password CCF connector was silently dropping item usage events (e.g., credential reveals and secure-copies) whenever client sync was delayed by 10+ minutes, due to time-window polling advancing past client-side event timestamps – switched to cursor-based PersistentToken polling to close this blind spot. Read More →

Gambit Security Solution: Unique Offer ID to Unblock Content Hub Publishing

Metadata-only update replacing the duplicate offerId so the Gambit Security solution can be published to Microsoft Sentinel Content Hub without Partner Center conflicts. Read More →

New ASIM Authentication Parser Adds Google Workspace Login Visibility via GoogleWorkspaceReports Table

A new ASIM Authentication parser for Google Workspace Logins normalises login, logout, and suspicious sign-in events from the GoogleWorkspaceReports table, enabling source-agnostic detections to cover Google Workspace identity activity for the first time. Read More →

Atlassian Organization Audit Connector: Marketplace Validation Fix Unblocks Deployment

An empty instructions array in the connector UI definition was failing ARM-TTK validation, blocking this connector from being published or updated in the Marketplace. Read More →

Rapid7 InsightVM Solution: CCF Version Bump to 3.3.0

Packaging-only update adjusting the CCF version to 3.3.0 in the Rapid7 InsightVM solution; no connector logic or detection content changed. Read More →

Transmit Security Connector Migrated from Deprecated Function App to CCF

The legacy Azure Function App-based Transmit Security connector is replaced by a CCF connector that polls the REST API natively and writes to a new custom table, eliminating the customer-managed Function App dependency. Read More →

VMware Workspace ONE Connector: Corrupted Poller Resource Names Prevented All Deployments

A stray {{GUID}} suffix in the ARM template poller resource name expressions caused a “content template not found” error on every Connect attempt, making the VMware Workspace ONE CCF connector non-deployable since its v3.0.0 release. Read More →

CEF and Syslog Connector Templates Modernised: MMA Instructions Replaced with AMA/Marketplace Pattern

The shared ISV connector templates for CEF and Syslog were still instructing partners to install the retired Microsoft Monitoring Agent; both templates now reflect the AMA-based ingestion pattern, correct the sharedKeys permission artifact, and replace placeholder queries with vendor-discriminated KQL. Read More →

VMware Carbon Black Cloud: DCR Type Mismatch Caused Silent Data Loss in Alerts and Watchlist Streams

A type mismatch between the Carbon Black API (numeric severity, long PIDs) and the DCR schema (string) caused ingestion failures for the Alerts and Watchlist streams; v3.0.9 corrects the schema and adds tostring() casts in the transformKql. Read More →

Digital Shadows Connector: Logs Ingestion API Migration Required Before September 2026 Ingestion Cutoff

The Digital Shadows SearchLight connector has been fully migrated from the retiring HTTP Data Collector API to the Logs Ingestion API (DCE + DCR + Managed Identity), with a new table DigitalShadows_V2_CL replacing the legacy DigitalShadows_CL – customers who do not upgrade will lose all Digital Shadows ingestion on 2026-09-14. Read More →

Isolate-MDEMachine Playbook: Missing Machine.Read.All Permission Causes Runtime Failures

Any deployment of the Isolate-MDEMachine playbook that followed the existing post-deployment instructions has been silently failing with a Forbidden error at runtime – device isolation never executed. Read More →

New Check Point Harmony Email and Collaboration Solution Adds Email Threat Detection and SOAR Response

A new Microsoft Sentinel Solution for Check Point Harmony Email and Collaboration brings a CCF/DCR-based data connector ingesting into CheckpointHEC_CL, one phishing Analytic Rule, five Hunting Queries covering phishing/DLP/spam, and a Quarantine Playbook for automated response. Read More →

Sentinel Training Lab: Idempotent Bash Script Eliminates Graph Propagation Race Condition in UAMI Setup

A new Bash onboarding script for the Microsoft Sentinel Training Lab resolves a race condition where assigning the CustomDetection.ReadWrite.All Graph app role immediately after UAMI creation would fail due to service principal propagation lag. Read More →

CrowdStrike Falcon Analytic Rules Renamed to Clarify CEF via AMA Ingestion Source

Two CrowdStrike Falcon Analytic Rules are renamed to prepend “Common Event Format (CEF) via AMA -” to their titles, with no logic changes — purely a UI labeling update to clarify the ingestion mechanism. Read More →

Box CCF Connector: Restoring Classification Visibility and Fixing OAuth Auth Failure After DCR Field Mismatch

The Box CCF connector had a broken DCR field mapping (source_owned_by_id pointing to owned_by.type) and missing classification columns, causing data fidelity gaps and an OAuth 400 error that prevented connectivity for affected deployments. Read More →

Microsoft Entra ID: Sign-in Detection Blind Spot for Disabled Accounts Closed Across Commercial and Government Tenants

The SigninAttemptsByIPviaDisabledAccounts Analytic Rule was silently missing sign-in attempts that returned the shorter ResultDescription variant “The user account is disabled.” - meaning brute-force attempts against disabled accounts from a given IP were going undetected in affected tenants. Read More →