What Changed

The CyberArk Audit solution adds a new Codeless Connector Framework (CCF) data connector as an alternative to the existing Azure Functions-based connector. The CCF implementation authenticates to CyberArk Identity Administration with OAuth2 and ingests audit events into the Custom-CyberArk_AuditEvents_CL table by polling a REST API.

Ingestion Mechanism

  • CCF-based polling: Replaces the Azure Functions dependency with the native Sentinel CCF
  • OAuth2 authentication: Uses client credentials flow with CyberArk Identity Administration
  • Custom DCR: Streams to Custom-CyberArk_AuditEvents_CL via transformKql normalisation
  • API polling: 5-minute query windows with 10 QPS rate limiting and configurable field filtering
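
The 5-minute window and 10 QPS figures above, worked through as an added example (not code from the connector, which CCF configures declaratively). It shows how contiguous windows avoid duplicated or skipped audit intervals and how a dropped window appears as a coverage gap. The function names, half-open windows and checkpoint behaviour are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=5)  # query window size stated above
MAX_QPS = 10                   # rate limit stated above


def plan_windows(checkpoint, now):
    """Split [checkpoint, now) into contiguous half-open 5-minute windows.

    Only complete windows are returned; the remainder waits for the next
    poll, so no interval is queried twice and none is skipped.
    """
    windows = []
    start = checkpoint
    while start + WINDOW <= now:
        windows.append((start, start + WINDOW))
        start += WINDOW
    return windows, start  # 'start' becomes the new checkpoint


def send_offsets_ms(n_requests, max_qps=MAX_QPS):
    """Millisecond send offsets spaced 1/max_qps apart (hypothetical pacing)."""
    return [i * 1000 // max_qps for i in range(n_requests)]


def find_gaps(completed):
    """Return uncovered intervals between completed windows (missing audit data)."""
    ordered = sorted(completed)
    gaps = []
    for (_, prev_end), (next_start, _) in zip(ordered, ordered[1:]):
        if next_start > prev_end:
            gaps.append((prev_end, next_start))
    return gaps


if __name__ == "__main__":
    # Constructed sample: last checkpoint 12:00 UTC, poller wakes at 12:17 UTC.
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    windows, checkpoint = plan_windows(t0, t0 + timedelta(minutes=17))
    print(len(windows), "windows, next checkpoint", checkpoint.isoformat())
    # Simulate the middle window failing and never being retried.
    completed = [windows[0], windows[2]]
    for gap_start, gap_end in find_gaps(completed):
        print("coverage gap:", gap_start.isoformat(), "->", gap_end.isoformat())
    print("25 paged requests finish sending after", send_offsets_ms(25)[-1], "ms")
```

A gap reported by find_gaps is an interval in which privileged-access events would be absent from the table, so detections over that period would see nothing.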

Security Impact (Visibility & Fidelity)

The CCF connector provides the same audit visibility as the Function App version while eliminating deployment complexity and Azure Functions management overhead. The DCR schema captures comprehensive audit fields, including privileged access events (safe operations, account access), cloud workspaces/roles, and custom data for correlation. Data fidelity is unchanged: existing detections remain compatible with the same table structure.

Detection Surface Unlocked

Maintains existing detection coverage for:

  • Privileged credential access monitoring via accountId, safe, and targetAccount fields
  • Multi-cloud identity tracking through cloudProvider and cloudIdentities
  • Session correlation using sessionId and correlationId
  • Access method analysis for different authentication mechanisms

Affected Files

Solutions/CyberArkAudit/Analytics Rules/CyberArkAuditHighRiskActions.yaml
Solutions/CyberArkAudit/Analytics Rules/CyberArkAuditMultiFailedAndSuccess.yaml
Solutions/CyberArkAudit/Analytics Rules/CyberArkAuditSensitiveChanges.yaml
Solutions/CyberArkAudit/Data Connectors/CyberArkAuditConnector/audit.py
Solutions/CyberArkAudit/Data Connectors/CyberArkAudit_CCP/CyberArkAudit_DCR.json
Solutions/CyberArkAudit/Data Connectors/CyberArkAudit_CCP/CyberArkAudit_DataConnectorDefinition.json
Solutions/CyberArkAudit/Data Connectors/CyberArkAudit_CCP/CyberArkAudit_PollingConfig.json
Solutions/CyberArkAudit/Data Connectors/CyberArkAudit_CCP/CyberArkAudit_Tables.json
Solutions/CyberArkAudit/Data Connectors/azuredeploy_CyberArkAudit_MainTemplate.json
Solutions/CyberArkAudit/Package/testParameters.json
(packaging artefacts: 3.1.0.zip, ReleaseNotes.md, Solution_CyberArkAudit.json, createUiDefinition.json, mainTemplate.json)