What Changed

The new Alibaba Cloud Networking solution (v3.0.0) adds Microsoft Sentinel integration for Alibaba Cloud network security monitoring through a data connector built on the Codeless Connector Framework (CCF).

Data Source

External System: Alibaba Cloud Simple Log Service (SLS) REST API
Log Types: Three distinct network data streams:

  • VPC Flow Logs (AlibabaCloudVPCFlowLogs) — network traffic flows within Virtual Private Cloud
  • WAF Logs (AlibabaCloudWAFLogs) — web application firewall events and blocks
  • API Gateway Logs (AlibabaCloudAPIGatewayLogs) — API request/response activity and access patterns

Ingestion Mechanism

CCF-based connector using Alibaba Cloud SLS authentication (AliCloudSlsV1)
Polling configuration: 5-minute query windows, 2 QPS rate limit, offset-based pagination (200 events/page)
Sentinel Tables: Three dedicated tables via DCR streams:

  • SENTINEL_ALIBABACLOUDVPCFLOWLOGS
  • SENTINEL_ALIBABACLOUDWAFLOGS
  • SENTINEL_ALIBABACLOUDAPIGATEWAYLOGS

Authentication: RAM user access key pair with SLS permissions
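
The polling figures above set a ceiling on how much each connector instance can ingest before it falls behind, which matters when sizing a busy VPC or WAF log store. The sketch below is an added example, not code from the solution: fetch_page is a hypothetical stand-in for the SLS query, and the half-open windows, the stop-on-short-page rule, sequential paging and a per-instance rate limit are assumptions.

```python
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=5)  # query window stated on the page
PAGE_SIZE = 200                # events per page stated on the page
MAX_QPS = 2                    # request rate limit stated on the page


def fetch_page(store, start, end, offset, limit):
    """Hypothetical stand-in for one SLS query over [start, end) at an offset."""
    hits = [e for e in store if start <= e["time"] < end]
    return hits[offset:offset + limit]


def poll_window(store, start, sleep=lambda seconds: None):
    """Drain one window page by page; return (events, requests_made)."""
    end, offset, requests, events = start + WINDOW, 0, 0, []
    while True:
        page = fetch_page(store, start, end, offset, PAGE_SIZE)
        requests += 1
        events.extend(page)
        if len(page) < PAGE_SIZE:  # short page: window exhausted (assumed stop rule)
            return events, requests
        offset += PAGE_SIZE
        sleep(1 / MAX_QPS)         # pace requests to stay at or under MAX_QPS


def request_budget_seconds(event_count):
    """Seconds of the MAX_QPS request budget that paging one window consumes."""
    return (event_count // PAGE_SIZE + 1) / MAX_QPS  # +1: final short or empty page


def max_events_per_window():
    """Largest event count whose paging still fits inside one window's budget."""
    return int(WINDOW.total_seconds() * MAX_QPS) * PAGE_SIZE - 1


def constructed_store(start):
    """Constructed sample: 450 events inside the window, 1 exactly on its end."""
    inside = [{"id": i, "time": start + timedelta(milliseconds=500 * i)} for i in range(450)]
    return inside + [{"id": 450, "time": start + WINDOW}]


if __name__ == "__main__":
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed timestamp
    store = constructed_store(t0)
    first, n1 = poll_window(store, t0)
    second, n2 = poll_window(store, t0 + WINDOW)
    print(len(first), n1, len(second), n2, request_budget_seconds(450), max_events_per_window())
```

Under these assumptions a log store that produces more than about 400 events per second exhausts the request budget of its window, so ingestion lag on that stream is worth monitoring before any detection depends on it.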

Detection Surface Unlocked

VPC Flow monitoring — network traversal, lateral movement detection, unusual traffic patterns
WAF event analysis — web application attack attempts, blocked malicious requests, bypass attempts
API Gateway security — API abuse, authentication failures, suspicious access patterns

No bundled detections included in this release — pure data ingestion capability requiring custom detection development.

Configuration Requirements

  • Alibaba Cloud RAM user with SLS access permissions
  • Access Key ID/Secret pair
  • Log Project, Log Store, and Log Region parameters per data stream
  • Separate connector instance required for each data type (VPC/WAF/API Gateway)

Affected Files

Solutions/Alibaba Cloud Networking/Data Connectors/AlibabaCloudNetworking_CCP/AlibabaCloudNetworking_ConnectorDefinition.json
Solutions/Alibaba Cloud Networking/Data Connectors/AlibabaCloudNetworking_CCP/AlibabaCloudNetworking_DCR.json
Solutions/Alibaba Cloud Networking/Data Connectors/AlibabaCloudNetworking_CCP/AlibabaCloudNetworking_PollingConfig.json
Solutions/Alibaba Cloud Networking/Package/testParameters.json
Solutions/Alibaba Cloud Networking/Parsers/parser_AlibabaCloudAPIGatewayLogsAliasFunction.json
Solutions/Alibaba Cloud Networking/Parsers/parser_AlibabaCloudVPCFlowLogsAliasFunction.json
Solutions/Alibaba Cloud Networking/Parsers/parser_AlibabaCloudWAFLogsAliasFunction.json
Tools/Create-Azure-Sentinel-Solution/common/standardLogStreams.ps1
(packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_Alibaba Cloud Networking.json, createUiDefinition.json, mainTemplate.json)