What Changed
Complete solution migration from the deprecated HTTP Data Collector API (Workspace ID + Primary Key) to the CCF Push Connector (OAuth2/Entra ID via DCE/DCR). All 11 Analytic Rules are migrated from the legacy table apifirewall_log_1_CL to the new schema FortyTwoCrunchAPIProtectionV2_CL with PascalCase field names. A backward-compatible parser supporting both schemas is added for the transition period.
Security Impact (Visibility & Fidelity)
Critical API protection blind spot risk: The legacy HTTP Data Collector API is deprecated and will cease functioning. Deployments running the previous connector version will experience complete API security monitoring failure — zero visibility into API attacks, anomalies, credential stuffing, BOLA attacks, and suspicious authentication patterns once the legacy endpoint is disabled.
The migration also resolves a fundamental gap in the ingestion architecture: OAuth2 client credentials replace vulnerable shared-key authentication, which eliminates the HMAC-SHA256 key rotation requirements and improves audit posture.
Migration Requirements
A new deployment requires DCE/DCR configuration with OAuth2 Entra ID authentication. The solution includes a validated ccf-forwarder Docker container (forwarder.py) that replaces the legacy 42c-fw-2la container. The Migration Guide provides step-by-step DCR setup, service principal configuration, and deployment validation.
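The authentication change described under Security Impact and Migration Requirements, as an added example (not the solution's forwarder.py): it builds the legacy SharedKey-signed request beside the OAuth2 token request and the DCE/DCR ingestion request, without sending anything. All identifiers passed in are constructed placeholders; the stream name follows the `Custom-<table>` convention and is an assumption about this solution's DCR.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlencode

# All identifiers passed to these functions are constructed placeholders.

def legacy_shared_key_request(workspace_id, primary_key_b64, body, log_type, rfc1123_date):
    """Legacy HTTP Data Collector API: the workspace primary key signs every request."""
    string_to_sign = (
        f"POST\n{len(body)}\napplication/json\n"
        f"x-ms-date:{rfc1123_date}\n/api/logs"
    )
    digest = hmac.new(base64.b64decode(primary_key_b64),
                      string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return {
        "url": f"https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01",
        "headers": {
            "Authorization": f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}",
            "Content-Type": "application/json",
            "Log-Type": log_type,
            "x-ms-date": rfc1123_date,
        },
    }

def entra_token_request(tenant_id, client_id, client_secret):
    """OAuth2 client-credentials request for a short-lived Azure Monitor token."""
    return {
        "url": f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
        "body": urlencode({
            "grant_type": "client_credentials",
            "client_id": client_id,
            "client_secret": client_secret,
            # Resource "https://monitor.azure.com/" plus "/.default"
            "scope": "https://monitor.azure.com//.default",
        }),
    }

def logs_ingestion_request(dce_endpoint, dcr_immutable_id, stream_name, access_token):
    """Logs Ingestion API: bearer token, addressed to one DCR and one stream."""
    return {
        "url": f"{dce_endpoint.rstrip('/')}/dataCollectionRules/{dcr_immutable_id}"
               f"/streams/{stream_name}?api-version=2023-01-01",
        "headers": {"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"},
    }
```

In the legacy request the same long-lived workspace key authenticates every write to the workspace, while the new path uses an expiring token whose reach is limited by the service principal's role assignment on the DCR.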
Detection Surface Maintained
All 11 Analytic Rules preserve identical detection logic for:
- API scraping and reconnaissance (T1592, T1593)
- Account takeover attempts (T1555, T1110)
- BOLA (Broken Object Level Authorization) exploitation (T1087)
- Anomaly detection and first-time access patterns
- Password cracking and credential stuffing (T1110)
- JWT validation failures (T1528)
- Rate limiting bypass attempts (T1499)
Parser alias ensures seamless transition — existing detections continue functioning during gradual connector migration.
Affected Files
.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json
.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
Solutions/42Crunch API Protection/Analytic Rules/APIAPIScaping.yaml
Solutions/42Crunch API Protection/Analytic Rules/APIAccountTakeover.yaml
Solutions/42Crunch API Protection/Analytic Rules/APIAnomalyDetection.yaml
Solutions/42Crunch API Protection/Analytic Rules/APIBOLA.yaml
Solutions/42Crunch API Protection/Analytic Rules/APIFirstTimeAccess.yaml
Solutions/42Crunch API Protection/Analytic Rules/APIInvalidHostAccess.yaml
Solutions/42Crunch API Protection/Analytic Rules/APIJWTValidation.yaml
Solutions/42Crunch API Protection/Analytic Rules/APIKiterunnerDetection.yaml
Solutions/42Crunch API Protection/Analytic Rules/APIPasswordCracking.yaml
Solutions/42Crunch API Protection/Analytic Rules/APIRateLimiting.yaml
Solutions/42Crunch API Protection/Analytic Rules/APISuspiciousLogin.yaml
Solutions/42Crunch API Protection/Data Connectors/42Crunch/42CrunchAPIProtection.json
Solutions/42Crunch API Protection/Data Connectors/42Crunch_CCF/42CrunchAPIProtection.json
Solutions/42Crunch API Protection/Data Connectors/42Crunch_CCF/DCR.json
Solutions/42Crunch API Protection/Data Connectors/42Crunch_CCF/PollingConfig.json
Solutions/42Crunch API Protection/Data Connectors/42Crunch_CCF/table_FortyTwoCrunchAPIProtectionV2.json
Solutions/42Crunch API Protection/Migration_Guide.md
Solutions/42Crunch API Protection/Package/testParameters.json
Solutions/42Crunch API Protection/Parsers/FortyTwoCrunchAPIProtection.yaml
Solutions/42Crunch API Protection/Workbooks/42CrunchAPIProtectionWorkbook.json
Solutions/42Crunch API Protection/sample-deployment/.env.example
Solutions/42Crunch API Protection/sample-deployment/ccf-forwarder/Dockerfile
Solutions/42Crunch API Protection/sample-deployment/ccf-forwarder/forwarder.py
Solutions/42Crunch API Protection/sample-deployment/ccf-forwarder/requirements.txt
Solutions/42Crunch API Protection/sample-deployment/docker-compose.yml
Workbooks/WorkbooksMetadata.json
(packaging artefacts: 3.0.1.zip, ReleaseNotes.md, Solution_42CrunchAPIProtection.json, createUiDefinition.json, mainTemplate.json)