What Changed
The Gigamon AMX connector has been completely migrated from the deprecated Log Analytics ingestion method to Microsoft Sentinel's modern CCF (Codeless Connector Framework) push architecture. This is a breaking change that requires redeployment but prevents a complete connector failure.
Security Impact (Visibility & Fidelity)
Critical Migration Required: The previous Log Analytics-based integration method has been deprecated by Microsoft, meaning existing deployments would have lost all network visibility from Gigamon devices without this update. This migration restores and future-proofs visibility into:
- Network flow data (source/destination IPs, ports, protocols, byte counts)
- DNS resolution events and response codes
- SSL/TLS certificate details and JA3/JA3S fingerprints
- HTTP transactions and response codes
- Industrial protocol monitoring (DNP3, Modbus, SNMP)
- Medical protocol visibility (HL7, DICOM)
The connector now uses DCR-based ingestion via the Custom-GigamonV2_CL stream, requiring manual reconfiguration but providing more robust data delivery guarantees than the legacy method.
Deployment Changes
Breaking Change: Existing Gigamon connectors will stop functioning and must be redeployed using the new CCF method. The migration adds:
- Data Collection Rule (DCR) with 130+ network telemetry fields
- Entra ID application for secure token-based authentication
- Data Collection Endpoint (DCE) for direct ingestion API access
- Push connector configuration replacing polling-based collection
Organizations must obtain new authentication credentials and reconfigure their Gigamon AMX appliances to push data to the new DCE endpoint rather than the deprecated Log Analytics API.
Detection Surface Preserved
All existing detection logic targeting the GigamonV2_CL table remains functional. The field schema is preserved, including critical hunting fields:
- Network flow metadata (src_ip, dst_ip, src_port, dst_port, protocol)
- SSL fingerprinting (ssl_fingerprint_ja3, ssl_fingerprint_ja3s)
- DNS analysis (dns_name, dns_reply_code, dns_query_type)
- Application identification (app_name, app_id, app_tags)
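A check on the preserved hunting fields for use during cutover, as an added example (not code from the solution or from Gigamon): it counts how many records in a captured batch populate each field listed above, and builds the Azure Monitor Logs Ingestion API request for the Custom-GigamonV2_CL stream without sending it. The sample records, their value types, the DCE URL and the DCR immutable ID are constructed placeholders; the real column types are defined in Gigamon_DCR.json.

```python
import json
from urllib.parse import quote

# Hunting fields the change summary lists as preserved in GigamonV2_CL.
HUNTING_FIELDS = {
    "flow": ["src_ip", "dst_ip", "src_port", "dst_port", "protocol"],
    "ssl": ["ssl_fingerprint_ja3", "ssl_fingerprint_ja3s"],
    "dns": ["dns_name", "dns_reply_code", "dns_query_type"],
    "app": ["app_name", "app_id", "app_tags"],
}
STREAM = "Custom-GigamonV2_CL"  # stream name from the change summary


def field_coverage(records):
    """Return {field: number of records carrying a non-empty value}."""
    counts = {f: 0 for group in HUNTING_FIELDS.values() for f in group}
    for rec in records:
        for field in counts:
            if rec.get(field) not in (None, "", []):
                counts[field] += 1
    return counts


def missing_fields(records):
    """Fields never populated in the batch; detections keyed on them go blind."""
    return sorted(f for f, n in field_coverage(records).items() if n == 0)


def ingestion_request(dce_url, dcr_immutable_id, records):
    """Build (url, body) for the Logs Ingestion API; nothing is sent."""
    url = (f"{dce_url.rstrip('/')}/dataCollectionRules/{quote(dcr_immutable_id)}"
           f"/streams/{quote(STREAM)}?api-version=2023-01-01")
    return url, json.dumps(records)  # the body is a JSON array of records


# Constructed sample batch (not real telemetry; value types are assumptions).
SAMPLE = [
    {"src_ip": "10.0.0.5", "dst_ip": "192.0.2.10", "src_port": 51514,
     "dst_port": 443, "protocol": "tcp", "app_name": "ssl", "app_id": 1,
     "app_tags": ["encrypted"], "ssl_fingerprint_ja3": "<ja3-placeholder>"},
    {"src_ip": "10.0.0.5", "dst_ip": "192.0.2.53", "src_port": 40000,
     "dst_port": 53, "protocol": "udp", "app_name": "dns", "app_id": 2,
     "app_tags": [], "dns_name": "example.test", "dns_reply_code": "NOERROR",
     "dns_query_type": "A"},
]

if __name__ == "__main__":
    print("never populated:", missing_fields(SAMPLE))
    print(ingestion_request("https://dce.example", "dcr-placeholder", SAMPLE)[0])
```

A field reported as never populated across a representative batch is a reason to review the appliance export settings and the DCR mapping before relying on analytics rules that query it.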
Affected Files
Solutions/Gigamon Connector/Data Connectors/Gigamon_CCF/Gigamon_ConnectorDefinition.json
Solutions/Gigamon Connector/Data Connectors/Gigamon_CCF/Gigamon_DCR.json
Solutions/Gigamon Connector/Data Connectors/Gigamon_CCF/Gigamon_dataConnector.json
Solutions/Gigamon Connector/Data Connectors/Gigamon_CCF/Gigamon_table.json
Solutions/Gigamon Connector/Data Connectors/Gigamon_Connector_Analytics_Gigamon.json
Solutions/Gigamon Connector/Package/testParameters.json
Solutions/Gigamon Connector/Workbooks/Gigamon.json
Solutions/Gigamon Connector/Workbooks/Images/Logo/gigamon.svg
(packaging artefacts: 3.0.1.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_Gigamon.json, createUiDefinition.json, mainTemplate.json)