What Changed
Cisco Umbrella Function App connector version 3.0.10 adds null-byte sanitization for corrupted Azure File Share state manager timestamps and CSV date field handling to prevent ingestion crashes.
Security Impact (Visibility & Fidelity)
Per IcM incident 21000000951645: deployments with corrupted Azure File Share state markers experienced complete ingestion failure. When the state manager file became corrupted with null bytes, the datetime parser crashed on startup, preventing any log ingestion from resuming.
This created a complete blind spot for Cisco Umbrella DNS security telemetry - no queries, blocks, or threat intelligence matches were reaching Microsoft Sentinel until manual intervention. The corruption pattern appears to stem from Azure File Share storage layer issues that fill timestamp files with null bytes.
Technical Details
The fix implements two layers of protection:
- State Manager Sanitization: New sanitize_timestamp() function strips null bytes and validates datetime format before processing, with fallback to default state on corruption
- CSV Field Protection: Added null-byte stripping in date formatting to prevent downstream _csv.Error exceptions on corrupted log files
The fix ensures ingestion resilience against both Azure File Share corruption and malformed CSV input data, maintaining continuous visibility into DNS security events.
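An illustrative sketch of the two layers described above, added here as an example and not the connector's actual code. It assumes the state marker holds an ISO 8601 UTC timestamp and a 10-minute fallback window; `DEFAULT_LOOKBACK`, `read_csv_rows` and the status strings are hypothetical, and it goes slightly beyond the page by stripping null bytes from whole CSV lines rather than only the date field.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Assumptions (not from the connector): the marker stores an ISO 8601 UTC
# timestamp, and a corrupted marker falls back to a fixed look-back window.
DEFAULT_LOOKBACK = timedelta(minutes=10)


def sanitize_timestamp(raw, now=None):
    """Return (checkpoint, status); status is 'ok', 'repaired' or 'reset'."""
    now = now or datetime.now(timezone.utc)
    fallback = now - DEFAULT_LOOKBACK
    if isinstance(raw, bytes):
        raw = raw.decode("utf-8", errors="replace")
    text = (raw or "").strip()
    cleaned = text.replace("\x00", "").strip()
    try:
        parsed = datetime.fromisoformat(cleaned)
    except ValueError:
        # Empty, all-null or otherwise unparseable marker: default state.
        return fallback, "reset"
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    if parsed > now:
        # A checkpoint in the future would silently skip events.
        return fallback, "reset"
    return parsed, ("ok" if cleaned == text else "repaired")


def read_csv_rows(text):
    """Parse CSV after dropping null bytes, which csv rejects on older Pythons."""
    lines = (line.replace("\x00", "") for line in io.StringIO(text))
    return [row for row in csv.reader(lines) if row]


if __name__ == "__main__":
    # Constructed samples: a marker filled with null bytes, a marker with
    # trailing nulls, and a simplified log line with a null in the date field.
    now = datetime(2024, 5, 1, 12, 30, tzinfo=timezone.utc)
    for marker in (b"\x00" * 32, "2024-05-01T12:00:00+00:00\x00\x00"):
        checkpoint, status = sanitize_timestamp(marker, now)
        # 'reset' and 'repaired' are worth alerting on: they mark a possible gap.
        print(status, checkpoint.isoformat())
    print(read_csv_rows('"2024-05-01 11:5\x009:58","host-a","Allowed"\n'))
```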
Affected Files
Solutions/CiscoUmbrella/Data Connectors/ciscoUmbrellaDataConn/__init__.py
(packaging artefacts: 3.0.10.zip, CiscoUmbrellaConn.zip, ReleaseNotes.md, Solution_CiscoUmbrella.json, mainTemplate.json)