What Changed

The Lookout Mobile Risk API v2 CCF streaming connector had a critical flaw: unique event identifiers were silently dropped during ingestion. Live testing against the Lookout API revealed that every event returned by the streaming endpoint carries its unique identifier in the top-level oid field, not id. The CCF streamDeclarations did not declare oid, so Azure Monitor’s ingestion pipeline dropped the identifier on every record.

Security Impact (Visibility & Fidelity)

Critical data loss affecting all event correlation: Deployments running Lookout Mobile Risk API v2 connector versions prior to 3.0.5 have had empty LookoutMtdV2_CL.id fields for every ingested record. This broke:

  • All downstream EventId-based correlation in analytic rules
  • Hunting queries referencing event identifiers
  • Workbook visualizations and threat tracking
  • Incident investigation workflows requiring event correlation

The fix preserves the existing id column contract while populating it with the correct Lookout event identifier via coalesce(tostring(id), tostring(oid)) in both the DCR transform and parser logic.
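A coverage check built around that expression, added here as an example and not taken from the Lookout solution. The rows are constructed, and the oid column on the sample is an assumption (column_ifexists() keeps the query valid on a table without it). The result shows which days hold records with no usable identifier, which is the span that id-based correlation cannot cover.

```kql
// Constructed rows standing in for LookoutMtdV2_CL (not real Lookout data).
// To run against a workspace, replace SampleEvents in the query with LookoutMtdV2_CL.
// Assumption: an oid column may or may not exist on the stored table.
let SampleEvents = datatable(TimeGenerated: datetime, id: string, oid: string)
[
    datetime(2025-03-01 09:15:00), "",         "",
    datetime(2025-03-01 17:40:00), "",         "",
    datetime(2025-03-02 11:05:00), "",         "",
    datetime(2025-03-02 19:45:00), "",         "evt-0001",
    datetime(2025-03-03 08:30:00), "evt-0002", "evt-0002",
    datetime(2025-03-03 14:20:00), "evt-0003", ""
];
SampleEvents
// Same resolution order the fix uses: keep id when present, otherwise fall back to oid.
// For strings, coalesce() skips empty values, so "" falls through to the next argument.
| extend EventId = coalesce(tostring(id), tostring(column_ifexists("oid", "")))
// Per-day count of records that still have no identifier after the fallback.
| summarize Total = count(), MissingId = countif(isempty(EventId)) by Day = bin(TimeGenerated, 1d)
| extend MissingPct = round(100.0 * MissingId / Total, 1)
| extend State = case(MissingId == Total, "no identifier on any record",
                      MissingId == 0,     "identifier on every record",
                                          "mixed (cut-over day)")
| order by Day asc
```

Records where both fields are empty stay unresolved: the identifier was dropped before storage, so the fallback has nothing to read for them.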

Additional Fixes

  • Branding: Corrected “Azure Sentinel Solution” → “Microsoft Sentinel Solution” in workbook metadata
  • Detection logic: Updated threat detection rule (LookoutThreatEventV2) to filter ThreatStatus in ("OPEN", "ACTIVE") and ThreatAction == "DETECTED" to suppress alerts on remediated incidents
  • Packaging: Regenerated with supported V3 tooling for certification compliance

Affected Files

.script/tests/KqlvalidationsTests/CustomTables/LookoutMtdV2_CL.json
Solutions/Lookout/Analytic Rules/LookoutThreatEventV2.yaml
Solutions/Lookout/Data Connectors/LookoutStreamingConnector_ccp/LookoutStreaming_DCR.json
Solutions/Lookout/Data Connectors/LookoutStreamingConnector_ccp/LookoutStreaming_Table.json
Solutions/Lookout/Parsers/LookoutEvents.yaml
Workbooks/WorkbooksMetadata.json
(packaging artefacts: 3.0.5.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_Lookout.json, createUiDefinition.json, mainTemplate.json)