What Changed
Two new stream definitions and corresponding Log Analytics tables have been added to the Zimperium MTD CCF connector (v3.1.0):
- ZimperiumIncidentLog_CL captures correlated mobile incidents with fields: incident_id, incident_name, incident_confidence_level, incident_ai_summary, device_id, device_owner, device_group, countries (dynamic), mitre_tactics (dynamic), related_threats (dynamic), incident_created_date, incident_status
- ZimperiumIncidentMitigationLog_CL tracks incident lifecycle with fields: incident_id, incident_updated_date, incident_status, fix_reason
The DCR (ZimperiumMTD_DCR.json) has two new dataFlows entries routing Custom-ZimperiumIncidentLog and Custom-ZimperiumIncidentMitigationLog streams to their respective output tables using transformKql: source | extend TimeGenerated = now().
The connector UI description has been updated to allow selecting either Threats or Incidents as the data export type in zConsole, with a note that severity filtering applies only to the Threats data type.
Security Impact (Visibility and Fidelity)
Prior to this change, the Zimperium CCF connector only ingested raw threat and mitigation events (ZimperiumThreatLog_CL, ZimperiumMitigationLogV2_CL). Incident-level data representing correlated, AI-analyzed attack chains was not available in Microsoft Sentinel.
The mitre_tactics dynamic column in ZimperiumIncidentLog_CL enables direct MITRE ATT&CK correlation without parser-side enrichment. The sample data shows incidents containing Exfiltration, Persistence, Initial Access, Credential Access, Execution, Collection, Impact, and Privilege Escalation tactic labels. Hunting queries and detection rules targeting mobile device compromise can now reference the higher-fidelity incident context rather than individual threat indicators.
Deployments that do not reconfigure their zConsole Data Export settings to include an Incidents export type will not populate these new tables; the connector definition only describes the option, it does not enable the export.
Because the DCR transform stamps TimeGenerated with now(), the value reflects when the record passed through the ingestion pipeline, not when Zimperium raised or updated the incident. Queries that window on TimeGenerated therefore measure ingestion time; use incident_created_date and incident_updated_date for the actual incident timeline and for ordering lifecycle updates.
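As an added example (not part of the Zimperium solution or of this change), the following hunting query shows how the two new tables can be used together: it expands the mitre_tactics array, keeps incidents carrying high-impact tactics, and reports those for which no lifecycle record has arrived in ZimperiumIncidentMitigationLog_CL. It assumes that mitre_tactics is stored as a JSON array of tactic names, that incident_created_date and incident_updated_date parse with todatetime(), and that the seven-day window and the tactic list are illustrative choices rather than values taken from the solution.

```kql
// Added hunting query; assumptions: mitre_tactics is a JSON array of tactic
// names, the vendor date fields parse with todatetime(), and the window and
// tactic list below are illustrative.
let lookback = 7d;
let high_risk_tactics = dynamic(["Exfiltration", "Credential Access", "Privilege Escalation"]);
// Latest lifecycle record per incident, ordered by the vendor timestamp rather
// than TimeGenerated (which the DCR sets to ingestion time with now()).
let latest_mitigation =
    ZimperiumIncidentMitigationLog_CL
    | where TimeGenerated > ago(lookback)
    | extend UpdatedTime = todatetime(incident_updated_date)
    | summarize arg_max(UpdatedTime, incident_status, fix_reason) by incident_id;
ZimperiumIncidentLog_CL
| where TimeGenerated > ago(lookback)
| extend IncidentTime = todatetime(incident_created_date)
// todynamic() is a no-op if the column is already dynamic, and also covers
// the case where the tactic list arrived as a JSON string.
| extend tactics = todynamic(mitre_tactics)
| mv-expand tactic = tactics to typeof(string)
| where tactic in (high_risk_tactics)
// Collapse back to one row per incident, keeping the newest copy of its fields.
| summarize Tactics = make_set(tactic),
            arg_max(IncidentTime, incident_name, incident_confidence_level,
                    device_id, device_owner, device_group,
                    related_threats, incident_status) by incident_id
// leftanti keeps only incidents with no lifecycle record in the mitigation table.
| join kind=leftanti latest_mitigation on incident_id
| project IncidentTime, incident_id, incident_name, incident_confidence_level,
          Tactics, device_id, device_owner, device_group, related_threats, incident_status
| order by IncidentTime desc
```

Swapping `kind=leftanti` for `kind=leftouter` returns every matching incident together with its most recent incident_status and fix_reason, which is the form to use when turning this into a scheduled analytics rule with device_id and device_owner mapped as entities.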
Affected Files
Solutions/Zimperium Mobile Threat Defense/Data Connectors/ZimperiumMTD_CCF/ZimperiumIncidentLog_table.json
Solutions/Zimperium Mobile Threat Defense/Data Connectors/ZimperiumMTD_CCF/ZimperiumIncidentMitigationLog_table.json
Solutions/Zimperium Mobile Threat Defense/Data Connectors/ZimperiumMTD_CCF/ZimperiumMTD_DCR.json
Solutions/Zimperium Mobile Threat Defense/Data Connectors/ZimperiumMTD_CCF/ZimperiumMTD_connectorDefinition.json
Solutions/Zimperium Mobile Threat Defense/Sample Data/ZimperiumIncidentLog_IngestedLogs.csv
Solutions/Zimperium Mobile Threat Defense/Sample Data/ZimperiumIncidentLog_RawLogs.json
Solutions/Zimperium Mobile Threat Defense/Sample Data/ZimperiumIncidentLog_Schema.csv
Solutions/Zimperium Mobile Threat Defense/Sample Data/ZimperiumIncidentMitigationLog_IngestedLogs.csv
Solutions/Zimperium Mobile Threat Defense/Sample Data/ZimperiumIncidentMitigationLog_RawLogs.json
Solutions/Zimperium Mobile Threat Defense/Sample Data/ZimperiumIncidentMitigationLog_Schema.csv
(packaging artefacts: 3.1.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_ZimperiumMTD.json, mainTemplate.json)