What Changed
This PR resolves multiple critical issues that rendered the Abnormal Security CCF Push connector completely non-functional since its v3.0.0 introduction in March 2026. The connector could not ingest any email threat intelligence data due to DCR transform failures, missing table deployments, and incorrect stream routing.
Security Impact (Visibility & Fidelity)
Pre-fix state: Deployments running Abnormal Security CCF connector v3.0.0/3.0.1 had complete email threat detection blind spots:
- All 9 custom tables (ABNORMAL_SECURITY_*_CL) failed to deploy via ARM template — tables were defined only as Sentinel metadata, not as deployable workspace resources
- DCR transforms failed with InvalidTransformOutput errors due to type mismatch — input stream declared abx_body and abx_metadata as dynamic but output schema expected string
- Fallback stream routing to Custom-AbnormalSecurityLogs_CL pointed to non-existent table instead of Custom-ABNORMAL_SECURITY_LOGS_CL
- Result: Zero events from Abnormal Security ingested across all threat categories (email threats, cases, audit logs, ATO detection, etc.)
Post-fix: All email threat visibility restored with proper data transformation and routing to correct tables.
Technical Fixes Applied
- Table Deployment Fix: Added all 9 ABNORMAL_SECURITY_*_CL tables as top-level ARM resources in mainTemplate.json — tables now deploy correctly on solution installation
- DCR Transform Fix: Added explicit extend statements to convert abx_body and abx_metadata to string type in all 9 transformKql statements
- Stream Routing Fix: Corrected fallback outputStream from Custom-AbnormalSecurityLogs_CL to Custom-ABNORMAL_SECURITY_LOGS_CL to match actual table name
- Schema Alignment: Updated column schemas across all 9 tables to match legacy MLA connector format
Affected Email Threat Categories
The fix restores ingestion for these email threat detection streams:
- ABNORMAL_SECURITY_THREAT_LOG_CL: Email threat detections, attack vectors, remediation status
- ABNORMAL_SECURITY_CASE_CL: Investigation cases and entity analysis
- ABNORMAL_SECURITY_AUDIT_LOG_CL: Administrative actions and policy changes
- ABNORMAL_SECURITY_ATO_CASE_CL: Account takeover detection events
- ABNORMAL_SECURITY_ABUSE_MAILBOX_CL: Abuse mailbox submissions
- ABNORMAL_SECURITY_POSTURE_CHANGE_CL: Security posture modifications
- ABNORMAL_SECURITY_REMEDIATION_CL: Automated remediation actions
- ABNORMAL_SECURITY_VENDOR_CASE_CL: Third-party case integrations
- ABNORMAL_SECURITY_LOGS_CL: General fallback stream
Per PR testing: All streams now accept data via Logs Ingestion API (HTTP 204 responses) and events are visible in Log Analytics workspace.
Affected Files
Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_DCR.json
Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_connectorDefinition.json
Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_table_AbnormalSecurityLogs.json
Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_table_AbuseMailbox.json
Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_table_AtoCase.json
Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_table_AuditLog.json
Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_table_Case.json
Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_table_PostureChange.json
Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_table_Remediation.json
Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_table_ThreatLog.json
Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_table_VendorCase.json
(packaging artefacts: 3.0.0.zip, 3.0.1.zip, ReleaseNotes.md, Solution_AbnormalSecurity.json, mainTemplate.json)