What Changed
The Halcyon solution was updated to v3.1.0 with significant data architecture changes. The CCF connector now ingests events in Open Cybersecurity Schema Framework (OCSF) format instead of ingesting directly into ASIM schemas.
Parser Impact
Removed ASIM Tables and Parsers (5 total)
- HalcyonAuthenticationEvents_CL table and ASimAuthenticationHalcyon parser removed
- HalcyonDnsActivity_CL table and ASimDnsHalcyon parser removed
- HalcyonFileActivity_CL table and ASimFileEventHalcyon parser removed
- HalcyonNetworkSession_CL table and ASimNetworkSessionHalcyon parser removed
- HalcyonProcessEvent_CL table and ASimProcessEventHalcyon parser removed
New Unified Architecture
- Single HalcyonEvents_CL table now receives all event types in OCSF format
- ASIM parsers will be provided separately to transform OCSF data to ASIM schemas
- Significant simplification of the data collection rule (DCR) schema: reduced from 1,580 field definitions to 148
Security Impact (Visibility & Fidelity)
This is a data architecture modernization rather than a capability loss. Organizations using the previous Halcyon connector will need to:
- Redeploy the connector to provision the new HalcyonEvents_CL table
- Update any custom queries referencing the old table names to use new ASIM parser functions
- Expect a brief data collection gap during migration
Queries using the standardized ASIM function names (ASimAuthenticationHalcyon, etc.) will continue working once the new ASIM parsers are deployed, but direct references to the five removed Halcyon*_CL tables will break.
The OCSF format provides richer event context and better alignment with industry standards while maintaining ASIM compatibility through transformation parsers.
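One way to find the queries that will break before redeploying, as an added example that is not part of the Halcyon solution: the script below scans KQL text for direct references to the five removed tables and names the ASIM parser function listed for each. The query names and query bodies are constructed samples, and the comment and string handling covers only `//` comments and single-line quoted strings.

```python
import re

# Removed table -> ASIM parser function, as listed in the change summary above.
REMOVED = {
    "HalcyonAuthenticationEvents_CL": "ASimAuthenticationHalcyon",
    "HalcyonDnsActivity_CL": "ASimDnsHalcyon",
    "HalcyonFileActivity_CL": "ASimFileEventHalcyon",
    "HalcyonNetworkSession_CL": "ASimNetworkSessionHalcyon",
    "HalcyonProcessEvent_CL": "ASimProcessEventHalcyon",
}
# Whole-identifier match, so the new HalcyonEvents_CL table is never flagged.
TABLE_RE = re.compile(r"(?<![A-Za-z0-9_])(%s)(?![A-Za-z0-9_])" % "|".join(REMOVED))
# Matches a // comment or a quoted string; strings are matched only so that
# a "//" inside one (a URL, say) is not mistaken for the start of a comment.
TOKEN_RE = re.compile(r"""//[^\n]*|"(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])*'""")

def strip_comments(kql):
    """Drop // comments but keep strings: table("X_CL") is a live reference."""
    return TOKEN_RE.sub(lambda m: "" if m.group().startswith("//") else m.group(), kql)

def find_stale_references(queries):
    """Return sorted (query name, line, removed table, ASIM parser) tuples."""
    findings = []
    for name, kql in queries.items():
        for lineno, line in enumerate(strip_comments(kql).splitlines(), 1):
            for m in TABLE_RE.finditer(line):
                findings.append((name, lineno, m.group(1), REMOVED[m.group(1)]))
    return sorted(findings)

# Constructed sample queries (hypothetical names), not taken from the solution.
SAMPLE_QUERIES = {
    "auth-failures": "HalcyonAuthenticationEvents_CL\n| where TimeGenerated > ago(1d)",
    "dns-via-parser": "// formerly HalcyonDnsActivity_CL\nASimDnsHalcyon\n| take 10",
    "union-hunt": 'union HalcyonProcessEvent_CL, table("HalcyonFileActivity_CL")\n| take 10',
    "new-table": 'HalcyonEvents_CL\n| extend Ref = "http://example.test" // HalcyonNetworkSession_CL retired',
}

if __name__ == "__main__":
    for rule, lineno, table, parser in find_stale_references(SAMPLE_QUERIES):
        print(f"{rule}:{lineno}: {table} was removed; use {parser} once it is deployed")
```

In practice the input dictionary would be filled from exported analytics rules, hunting queries and workbook queries rather than from inline samples.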
Affected Files
.script/tests/KqlvalidationsTests/CustomTables/HalcyonAuthenticationEvents_CL.json
.script/tests/KqlvalidationsTests/CustomTables/HalcyonDnsActivity_CL.json
.script/tests/KqlvalidationsTests/CustomTables/HalcyonFileActivity_CL.json
.script/tests/KqlvalidationsTests/CustomTables/HalcyonNetworkSession_CL.json
.script/tests/KqlvalidationsTests/CustomTables/HalcyonProcessEvent_CL.json
Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_DCR.json
Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_connectorDefinition.json
Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_table_AuthenticationEvent.json
Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_table_DnsActivity.json
Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_table_FileActivity.json
Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_table_NetworkSession.json
Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_table_ProcessEvent.json
Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_table_events.json
Solutions/Halcyon/Parsers/ASimAuthenticationHalcyon.yaml
Solutions/Halcyon/Parsers/ASimDnsHalcyon.yaml
Solutions/Halcyon/Parsers/ASimFileEventHalcyon.yaml
Solutions/Halcyon/Parsers/ASimNetworkSessionHalcyon.yaml
Solutions/Halcyon/Parsers/ASimProcessEventHalcyon.yaml
(packaging artefacts: 3.1.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_Halcyon.json, createUiDefinition.json, mainTemplate.json)