What Changed

Fixed a critical stream naming inconsistency in the ZeroFox CCF connector that prevented threat alert data from being ingested into Sentinel. The DCR stream name was corrected from “Custom-ZeroFoxAlertsPoller_CL” to “Custom-ZeroFoxAlertPoller_CL” to match the connector configuration.

Security Impact (Visibility & Fidelity)

Deployments running the previous version had a complete ingestion failure for ZeroFox threat alerts. The stream name mismatch caused the DCR to reject all incoming data, resulting in zero visibility into:

  • Brand protection alerts from social media and web monitoring
  • Executive protection threats
  • Digital asset compromise notifications
  • Physical security alerts from location monitoring

This represents a significant blind spot for organizations relying on ZeroFox for threat surface monitoring and executive protection.

Affected Files

Solutions/ZeroFox/Data Connectors/Alerts/ZeroFoxAlerts_ConnectorDefinition.json
Solutions/ZeroFox/Data Connectors/Alerts/ZeroFoxAlerts_DCR.json
(packaging artefacts: mainTemplate.json, 3.2.2.zip)
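
A pre-merge consistency check for the mismatch described above, as an added example that is not part of the original change or of the ZeroFox solution: it compares the stream name a connector sends (dcrConfig.streamName) with the streams a DCR declares (streamDeclarations) and routes (dataFlows[].streams). The JSON fragments are constructed, and their exact shape and all function names are assumptions.

```python
import difflib

OLD = "Custom-ZeroFoxAlertsPoller_CL"  # DCR stream name before the fix
NEW = "Custom-ZeroFoxAlertPoller_CL"   # name the connector configuration uses

def make_dcr(stream):
    """Constructed DCR fragment holding only the fields the check reads."""
    return {"properties": {
        "streamDeclarations": {stream: {"columns": []}},
        "dataFlows": [{"streams": [stream], "destinations": ["workspace"]}]}}

# Constructed connector fragment (assumed shape: a dcrConfig object in the tree).
CONNECTOR = {"properties": {"dcrConfig": {"streamName": NEW}}}

def connector_streams(node):
    """Collect every dcrConfig.streamName found anywhere in the JSON tree."""
    found = set()
    if isinstance(node, dict):
        cfg = node.get("dcrConfig")
        if isinstance(cfg, dict) and "streamName" in cfg:
            found.add(cfg["streamName"])
        for value in node.values():
            found |= connector_streams(value)
    elif isinstance(node, list):
        for value in node:
            found |= connector_streams(value)
    return found

def dcr_streams(dcr):
    """Return (declared, routed) stream-name sets from a DCR document."""
    props = dcr.get("properties", {})
    declared = set(props.get("streamDeclarations", {}))
    routed = {s for flow in props.get("dataFlows", []) for s in flow.get("streams", [])}
    return declared, routed

def check(connector, dcr):
    """List every way the connector's stream names disagree with the DCR."""
    declared, routed = dcr_streams(dcr)
    sent = connector_streams(connector)
    # An empty result must not pass silently: nothing to compare is also a finding.
    problems = [] if sent else ["connector has no dcrConfig.streamName"]
    for name in sorted(sent):
        if name not in declared:
            near = difflib.get_close_matches(name, sorted(declared), n=1)
            hint = f" (closest declared: {near[0]})" if near else ""
            problems.append(f"{name}: not in streamDeclarations{hint}")
        if name not in routed:
            problems.append(f"{name}: not routed by any dataFlow")
    return problems

if __name__ == "__main__":
    for label, dcr in (("before fix", make_dcr(OLD)), ("after fix", make_dcr(NEW))):
        print(label, check(CONNECTOR, dcr) or "consistent")
```

Run against the real connector and DCR files in CI, a non-empty result can fail the build before a mismatched stream name reaches a deployment.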