What Changed

The TheHive CCF Data Connector no longer sends the excludeFields parameter in its REST API query template: the "excludeFields": [] entry is removed entirely rather than left in place as an empty array.

Security Impact (Visibility & Fidelity)

The excludeFields parameter in the queryParametersTemplate could cause TheHive API responses to exclude fields even when it was specified as an empty array. This field filtering could have prevented complete security event data from reaching Microsoft Sentinel, creating data fidelity gaps in incident investigation and case management visibility.

Deployments running the previous connector configuration may have experienced incomplete TheHive event data ingestion, particularly affecting:

  • Case update tracking (_updatedAt field integrity)
  • Complete incident artifact collection
  • Full case timeline visibility for security investigations

The removal ensures TheHive security incident data flows completely into the Custom-TheHiveData_CL table without field-level filtering.
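A check that a deployed or forked connector definition no longer carries the parameter, added here as an example and not taken from the connector's own code. The sample configs are constructed and do not reproduce the real layout of PollingConfig.json; the handling of a string-valued template is an assumption.

```python
import json
import sys

def find_exclude_fields(node, path="$"):
    """Return the JSON path of every queryParametersTemplate that still has excludeFields."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key != "queryParametersTemplate":
                hits.extend(find_exclude_fields(value, child))
                continue
            template = value
            if isinstance(value, str):
                # Assumption: the template may be stored as a JSON-encoded string.
                try:
                    template = json.loads(value)
                except json.JSONDecodeError:
                    # Unquoted placeholders break JSON parsing; fall back to a text match.
                    if '"excludeFields"' in value:
                        hits.append(child)
                    continue
            # An empty array still counts: the presence of the key is the problem.
            if isinstance(template, dict) and "excludeFields" in template:
                hits.append(child)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_exclude_fields(item, f"{path}[{i}]"))
    return hits

# Constructed samples: the template before and after the change described above.
OLD_CONFIG = [{"properties": {"request": {
    "queryParametersTemplate": {"query": [], "excludeFields": []}}}}]
NEW_CONFIG = [{"properties": {"request": {
    "queryParametersTemplate": {"query": []}}}}]

if __name__ == "__main__":
    # Usage: python check_exclude_fields.py <connector-definition.json>
    with open(sys.argv[1], encoding="utf-8") as fh:
        found = find_exclude_fields(json.load(fh))
    for hit in found:
        print(f"excludeFields still present at {hit}")
    sys.exit(1 if found else 0)
```

The non-zero exit code lets the check run as a gate in a packaging pipeline.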

Affected Files

Solutions/TheHive/Data Connectors/CCF/PollingConfig.json
Solutions/TheHive/Package/testParameters.json
Solutions/TheHive/Playbooks/TheHiveConnector/azuredeploy.json
(packaging artefacts: 3.0.1.zip, createUiDefinition.json, mainTemplate.json)