What Changed
Abnormal Security solution v3.0.0 introduces a new CCF Push-based data connector. The existing Azure Functions connector is retained alongside it for backward compatibility.
Data Ingestion Architecture
New CCF Push Connector:
- Authentication: OAuth 2.0 client credentials via Azure Monitor Ingestion API
- DCR routing: 9 dedicated custom streams route events by type to per-table outputs
- Tables: Each event type maps to its own dedicated table (ABNORMAL_SECURITY_THREAT_LOG_CL, ABNORMAL_SECURITY_CASE_CL, etc.)
- Setup automation: DeployPushConnectorButton creates DCE, DCR, Entra app, client secret, and role assignment
Table Architecture:
- 8 event-specific tables (THREAT_LOG, CASE, AUDIT_LOG, ABUSE_MAILBOX, POSTURE_CHANGE, ATO_CASE, REMEDIATION, VENDOR_CASE)
- 1 fallback table (AbnormalSecurityLogs_CL) for unknown event types
- Standard schema: Time, abx_body (dynamic), abx_metadata (dynamic)
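The routing described above (9 streams feeding 8 event tables plus the fallback) can be checked before a DCR is deployed. The following is an added example, not code from the solution: it audits a DCR document for exactly one data flow per expected table. The stream names, the `workspace` destination name and the sample DCR are constructed, and it assumes output streams are named `Custom-<table>` and that each stream declaration carries the `abx_body` and `abx_metadata` columns.

```python
# Added example: audit a DCR's routing against the table layout in these notes.
EXPECTED_TABLES = {f"ABNORMAL_SECURITY_{t}_CL" for t in (
    "THREAT_LOG", "CASE", "AUDIT_LOG", "ABUSE_MAILBOX", "POSTURE_CHANGE",
    "ATO_CASE", "REMEDIATION", "VENDOR_CASE")} | {"AbnormalSecurityLogs_CL"}
DYNAMIC_COLS = {"abx_body", "abx_metadata"}  # assumed present on every stream

def audit_dcr(dcr):
    """Return findings; an empty list means 9 streams map 1:1 onto 9 tables."""
    props = dcr.get("properties", {})
    declared = props.get("streamDeclarations", {})
    findings, routed, used = [], {}, set()
    for flow in props.get("dataFlows", []):
        table = flow.get("outputStream", "").removeprefix("Custom-")
        for stream in flow.get("streams", []):
            used.add(stream)
            routed.setdefault(table, []).append(stream)
            if stream not in declared:
                findings.append(f"data flow reads undeclared stream {stream}")
    for table in sorted(EXPECTED_TABLES - set(routed)):
        findings.append(f"no data flow writes to {table}")
    for table in sorted(set(routed) - EXPECTED_TABLES):
        findings.append(f"unexpected output table {table}")
    for table, streams in sorted(routed.items()):
        if len(streams) > 1:  # event types would be mixed in one table
            findings.append(f"{table} receives {len(streams)} streams")
    for name, decl in sorted(declared.items()):
        if name not in used:
            findings.append(f"stream {name} is declared but never routed")
        types = {c["name"]: c["type"] for c in decl.get("columns", [])}
        for col in sorted(DYNAMIC_COLS):
            if types.get(col) != "dynamic":
                findings.append(f"stream {name}: {col} is not dynamic")
    return findings

def sample_dcr():
    """Constructed DCR fragment; the stream names are hypothetical."""
    cols = [{"name": "Time", "type": "datetime"},
            {"name": "abx_body", "type": "dynamic"},
            {"name": "abx_metadata", "type": "dynamic"}]
    streams = {f"Custom-{t}": {"columns": cols} for t in EXPECTED_TABLES}
    flows = [{"streams": [s], "destinations": ["workspace"],  # constructed name
              "transformKql": "source", "outputStream": s} for s in streams]
    return {"properties": {"streamDeclarations": streams, "dataFlows": flows}}

if __name__ == "__main__":
    print(audit_dcr(sample_dcr()) or "routing matches the release notes")
```

A missing fallback flow is the finding to watch for: without it, unknown event types have no table to land in.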
Security Impact (Visibility & Fidelity)
Enhanced data organisation: Event type segregation improves query performance and enables more granular monitoring compared to the single-table legacy connector.
Modern authentication: OAuth 2.0 client credentials replace API key authentication, providing better credential lifecycle management for enterprise deployments.
Migration path: Legacy Azure Functions connector remains available — no immediate action required for existing deployments.
Affected Files
Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_DCR.json
Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_connectorDefinition.json
Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_dataConnector.json
Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_table_AbnormalSecurityLogs.json
Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_table_AbuseMailbox.json
Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_table_AtoCase.json
Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_table_AuditLog.json
Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_table_Case.json
Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_table_PostureChange.json
Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_table_Remediation.json
Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_table_ThreatLog.json
Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_table_VendorCase.json
Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/Sample Data/ABNORMAL_SECURITY_ABUSE_MAILBOX_CL.json
Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/Sample Data/ABNORMAL_SECURITY_ATO_CASE_CL.json
Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/Sample Data/ABNORMAL_SECURITY_AUDIT_LOG_CL.json
Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/Sample Data/ABNORMAL_SECURITY_CASE_CL.json
Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/Sample Data/ABNORMAL_SECURITY_POSTURE_CHANGE_CL.json
Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/Sample Data/ABNORMAL_SECURITY_REMEDIATION_CL.json
Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/Sample Data/ABNORMAL_SECURITY_THREAT_LOG_CL.json
Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/Sample Data/ABNORMAL_SECURITY_VENDOR_CASE_CL.json
Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/Sample Data/AbnormalSecurityLogs_CL.json
Solutions/AbnormalSecurity/Package/testParameters.json
(packaging artefacts: 3.0.0.zip, 3.0.1.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_AbnormalSecurity.json, createUiDefinition.json, mainTemplate.json)