What Changed
The Fortinet FortiNDR Cloud connector (v3.1.0) has been fully rewritten to replace the deprecated HTTP Data Collector API with the Azure Monitor Log Ingestion API. This is a breaking infrastructure change affecting the connector code, parser, ARM deployment template, and workbook.
Security Impact (Visibility & Fidelity)
Deployments running v3.0.x have been sending data to the retired ods.opinsights.azure.com HMAC-signed endpoint. Microsoft has deprecated this API; any deployment that has not migrated is experiencing complete ingestion failure for FortiNDR Cloud network detection data.
What was broken: sentinel.py previously built HMAC-SHA256 signatures using WorkspaceKey and POSTed to the legacy ODS endpoint. This API is retired.
What is now required: The connector now uses the azure-monitor-ingestion SDK with ClientSecretCredential (TENANT_ID, CLIENT_ID, CLIENT_SECRET) and a Data Collection Endpoint (DceUri). The Function App validates these four environment variables at startup; absence of any one raises InputError and halts ingestion.
Credential migration required: The following environment variables must be set on redeployment:
- TENANT_ID / CLIENT_ID / CLIENT_SECRET – Entra ID App Registration with Monitoring Metrics Publisher role on the DCR
- DceUri – Data Collection Endpoint URI
- DcrImmutableId – DCR immutable ID
The old WorkspaceId and WorkspaceKey variables are no longer used.
Parser Changes
The Fortinet_FortiNDR_Cloud parser (YAML) has been substantially rewritten to align with the new custom table schema FortinetFortiNdrCloudRaw_CL. The new table stores events as a raw JSON blob with three projected fields (TimeGenerated, LogTypeSuffix, RawData), replacing the prior flat column-per-field schema. All existing saved searches or hunting queries that referenced the old FncEventsSuricata_CL or other FncEvents* tables will return no results against the new schema – these need to be repointed to the new parser.
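As an added illustration of the migration described above (example code, not the connector's own sentinel.py), the Python below validates the required settings, shapes events into the three-column FortinetFortiNdrCloudRaw_CL row, and uploads them with the azure-monitor-ingestion SDK; the DCR stream name, the InputError class and the sample event are assumptions.

```python
import json
import os
from datetime import datetime, timezone

# Variable names follow the connector's documented settings. The stream name
# and InputError are assumptions made for this example.
STARTUP_VARS = ("TENANT_ID", "CLIENT_ID", "CLIENT_SECRET", "DceUri")
REQUIRED_VARS = STARTUP_VARS + ("DcrImmutableId",)  # upload also needs the DCR id
STREAM_NAME = "Custom-FortinetFortiNdrCloudRaw_CL"  # assumed DCR stream name

# Constructed sample detection event (not real FortiNDR Cloud output).
SAMPLE_EVENT = {"timestamp": "2024-01-01T00:00:00Z", "sensor_id": "sensor-1", "signature": "example"}


class InputError(Exception):
    """Raised when a required setting is missing; ingestion must halt."""


def load_ingestion_settings(env=None):
    """Check the startup variables (plus DcrImmutableId) and return them.

    Only the missing *names* go into the error text, never secret values.
    """
    env = os.environ if env is None else env
    missing = sorted(k for k in REQUIRED_VARS if not env.get(k))
    if missing:
        raise InputError("missing required settings: " + ", ".join(missing))
    return {k: env[k] for k in REQUIRED_VARS}


def to_raw_record(event, log_type_suffix):
    """Shape one event as TimeGenerated / LogTypeSuffix / RawData (raw JSON blob)."""
    ts = event.get("timestamp") or datetime.now(timezone.utc).isoformat()
    return {
        "TimeGenerated": ts,
        "LogTypeSuffix": log_type_suffix,
        "RawData": json.dumps(event, separators=(",", ":")),
    }


def upload_events(settings, events, log_type_suffix):
    """Send rows through the Log Ingestion API (DCE + DCR) with a service principal.

    The SDK is imported here so the pure helpers above run without it installed.
    """
    from azure.identity import ClientSecretCredential
    from azure.monitor.ingestion import LogsIngestionClient

    cred = ClientSecretCredential(settings["TENANT_ID"], settings["CLIENT_ID"], settings["CLIENT_SECRET"])
    client = LogsIngestionClient(endpoint=settings["DceUri"], credential=cred)
    rows = [to_raw_record(e, log_type_suffix) for e in events]
    client.upload(rule_id=settings["DcrImmutableId"], stream_name=STREAM_NAME, logs=rows)
    return len(rows)
```

The service principal behind CLIENT_ID must hold Monitoring Metrics Publisher on the DCR, and a missing variable surfaces as InputError before any credential is built.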
ARM Template Changes
azuredeploy_FortinetFortiNdrCloud_API_FunctionApp.json now provisions DCE and DCR resources in addition to the Function App, and requires TENANT_ID, CLIENT_ID, CLIENT_SECRET, and DceUri parameters instead of WorkspaceId/WorkspaceKey.
Requirements
requirements.txt adds azure-monitor-ingestion, azure-identity, and azure-core, replacing the prior requests-based HTTP approach.
Affected Files
.script/tests/KqlvalidationsTests/CustomTables/FortinetFortiNdrCloudRaw_CL.json
Solutions/Fortinet FortiNDR Cloud/Data Connectors/FortinetFortiNdrCloud_API_AzureFunctionApp.json
Solutions/Fortinet FortiNDR Cloud/Data Connectors/azuredeploy_FortinetFortiNdrCloud_API_FunctionApp.json
Solutions/Fortinet FortiNDR Cloud/Data Connectors/fortinetFortiNdrCloudDataConn/OrchestratorWatchdog/__init__.py
Solutions/Fortinet FortiNDR Cloud/Data Connectors/fortinetFortiNdrCloudDataConn/globalVariables.py
Solutions/Fortinet FortiNDR Cloud/Data Connectors/fortinetFortiNdrCloudDataConn/sentinel/sentinel.py
Solutions/Fortinet FortiNDR Cloud/Data Connectors/requirements.txt
Solutions/Fortinet FortiNDR Cloud/Parsers/Fortinet_FortiNDR_Cloud.md
Solutions/Fortinet FortiNDR Cloud/Parsers/Fortinet_FortiNDR_Cloud.yaml
Solutions/Fortinet FortiNDR Cloud/Workbooks/FortinetFortiNdrCloudWorkbook.json
(packaging artefacts: 3.1.0.zip, ReleaseNotes.md, Solution_FortiNdrCloud.json, fortinetFortiNdrCloudDataConn.zip, fortinetFortiNdrCloudDataConn_v2.zip, mainTemplate.json)