What Changed
Fixed critical DCR transform query error causing connector deployment failure and updated Microsoft Sentinel branding across solution components.
Security Impact (Visibility & Fidelity)
Visibility restored after a complete detection blind spot: deployments running v3.0.1 experienced total connector creation failure due to an InvalidTransformQuery error referencing the undefined symbol detections. The transformKql error prevented DCR creation entirely, so zero mobile threat data was ingested by affected deployments.
Root cause: DCR transform query incorrectly referenced detections instead of smishing_alert.detections, causing validation failure during connector provisioning.
Current state: Fixed transform query now properly extracts smishing detection data from nested object structure, enabling successful connector deployment and mobile threat telemetry ingestion.
DCR Transform Logic Correction
- Previous (broken): smishing_detections = detections — undefined symbol caused deployment failure
- Current (fixed): smishing_detections = smishing_alert.detections — proper nested field reference enables smishing threat extraction
This was a deployment-blocking issue, not a data fidelity gap — users could not create the connector resource at all.
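A pre-deployment check for this class of error, as an added example that is not part of the Lookout solution or this change: it scans each transformKql in a DCR for names that are read but are neither declared stream columns nor defined by an earlier assignment. The stream name, column list, TimeGenerated assignment and the regex heuristic (not a full KQL parser) are assumptions made for illustration.

```python
import re

# KQL syntax words that are not column names (small, non-exhaustive set).
KQL_WORDS = {"source", "and", "or", "not", "in", "has", "contains",
             "true", "false", "null", "dynamic", "by", "asc", "desc"}
STRING = re.compile(r"'[^']*'|\"[^\"]*\"")
TARGET = re.compile(r"\b([A-Za-z_]\w*)\s*=(?![=~])")   # "name =" but not == or =~
# Identifier that starts a path (not after '.') and is not a function call.
ROOT = re.compile(r"(?<![\w.])([A-Za-z_]\w*)\b(?!\s*\()")


def undefined_symbols(dcr):
    """Return sorted (stream, symbol) pairs a transformKql reads but nothing defines."""
    props = dcr["properties"]
    findings = set()
    for flow in props.get("dataFlows", []):
        kql = STRING.sub("''", flow.get("transformKql", "source"))
        for stream in flow.get("streams", []):
            decl = props.get("streamDeclarations", {}).get(stream, {})
            known = {c["name"] for c in decl.get("columns", [])}
            for stage in kql.split("|"):
                words = stage.split(None, 1)
                if len(words) < 2:
                    continue  # bare "source" or an operator without arguments
                targets = TARGET.findall(words[1])
                reads = ROOT.findall(TARGET.sub("", words[1]))
                findings |= {(stream, r) for r in reads
                             if r not in known and r not in KQL_WORDS}
                known |= set(targets)  # later stages may read these
    return sorted(findings)


def sample_dcr(transform_kql):
    """Constructed minimal DCR; stream and column names are assumptions."""
    stream = "Custom-SampleMobileEvents"
    return {"properties": {
        "streamDeclarations": {stream: {"columns": [
            {"name": "id", "type": "string"},
            {"name": "smishing_alert", "type": "dynamic"}]}},
        "dataFlows": [{"streams": [stream], "transformKql": transform_kql}]}}


BROKEN = "source | extend TimeGenerated = now(), smishing_detections = detections"
FIXED = ("source | extend TimeGenerated = now(), "
         "smishing_detections = smishing_alert.detections")

if __name__ == "__main__":
    for label, kql in (("v3.0.1-style", BROKEN), ("v3.0.2-style", FIXED)):
        print(label, undefined_symbols(sample_dcr(kql)))
```

Run against the DCR JSON in CI, a non-empty result flags the template before a customer deployment fails and leaves the connector uncreated.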
Additional Improvements
- Updated product branding from “Azure Sentinel” to “Microsoft Sentinel” in workbook descriptions
- Aligned data connector version from 1.0.0 to 3.0.2 for consistent version tracking
- Enhanced install wizard with improved discoverability for Parsers and Notebooks components
Affected Files
Solutions/Lookout/Data Connectors/LookoutStreamingConnector_ccp/LookoutStreaming_DCR.json
(packaging artefacts: 3.0.2.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_Lookout.json, createUiDefinition.json, mainTemplate.json)