What Changed

The IllumioInsightsGraph CCF connector (IllumioInsightsGraph_CCP) received schema type corrections across the table definition and DCR transformKql to resolve ingestion failures reported by the contributor.

Security Impact (Visibility and Fidelity)

What was broken: Custom template deployments were failing at ingestion. The root cause was a type mismatch: the table declared TimeGenerated as string, while the DCR transform cast it to datetime via todatetime(). Log Analytics rejects rows where the declared column type does not match the transform output type. As a result, the connector failed at creation or silently dropped all rows, and zero data was ingested into Custom-IllumioInsightsGraph_CL.

What is now fixed:

  • TimeGenerated: string -> datetime (critical; this field drives all time-based queries and alerting windows)
  • Port, SrcPort, DestPort, SrcThreatLevel, DestThreatLevel, FlowCount: long -> int
  • TotalSentBytes, TotalReceivedBytes: long -> int
  • DCR transformKql updated: tolong() calls for TotalSentBytes, TotalReceivedBytes, and FlowCount replaced with toint()

Residual data fidelity risk (reviewer-flagged): Per Copilot inline review, toint() overflows and returns null for values exceeding 2,147,483,647. Byte counters (TotalSentBytes, TotalReceivedBytes) and FlowCount can realistically exceed this bound in high-bandwidth environments. Null byte counts will silently corrupt network traffic analysis queries that sum or compare these fields. If your environment generates flows with more than 2 GB transferred, these fields will be null in IllumioInsightsGraph_CL after this update.

Schema change warning for existing deployments: Log Analytics custom tables do not support in-place column type changes (long -> int). Environments where IllumioInsightsGraph_CL was previously created with long columns will require manual table deletion and recreation before this update takes effect. Applying the updated template without recreating the table will leave the old types in place.
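
A pre-deployment check for the two failure modes above (a column whose declared type disagrees with the transformKql cast, and counter columns narrowed to int), as an added example that is not code from this PR or the connector. The column lists and transform strings are constructed samples, not the connector's real files, and the function names are hypothetical.

```python
import re

# KQL cast function -> Log Analytics column type it produces.
CAST_TYPES = {"todatetime": "datetime", "toint": "int", "tolong": "long",
              "toreal": "real", "tostring": "string", "tobool": "boolean"}
CAST_RE = re.compile(r"\b(\w+)\s*=\s*(" + "|".join(CAST_TYPES) + r")\s*\(")

def transform_output_types(transform_kql):
    """Map each column assigned from a cast in transformKql to its output type."""
    return {col: CAST_TYPES[fn] for col, fn in CAST_RE.findall(transform_kql)}

def find_type_mismatches(table_columns, transform_kql):
    """Return sorted (column, declared_type, transform_type) disagreements."""
    declared = {c["name"]: c["type"].lower() for c in table_columns}
    produced = transform_output_types(transform_kql)
    return sorted((col, declared[col], typ) for col, typ in produced.items()
                  if col in declared and declared[col] != typ)

def int_counters(table_columns, counters):
    """Counter columns declared int, i.e. bounded at 2,147,483,647."""
    return sorted(c["name"] for c in table_columns
                  if c["name"] in counters and c["type"].lower() == "int")

COUNTERS = {"TotalSentBytes", "TotalReceivedBytes", "FlowCount"}  # from the page

def _columns(time_type, counter_type):
    # Constructed sample in the {name, type} column shape of a table definition.
    return ([{"name": "TimeGenerated", "type": time_type}] +
            [{"name": n, "type": counter_type} for n in sorted(COUNTERS)])

def _kql(cast):
    # Constructed transform; the connector's real transformKql is not reproduced.
    casts = ", ".join(f"{n} = {cast}({n})" for n in sorted(COUNTERS))
    return f"source | extend TimeGenerated = todatetime(TimeGenerated), {casts}"

OLD_TABLE, NEW_TABLE = _columns("string", "long"), _columns("datetime", "int")
OLD_KQL, NEW_KQL = _kql("tolong"), _kql("toint")

if __name__ == "__main__":
    print("before fix:", find_type_mismatches(OLD_TABLE, OLD_KQL))
    print("after fix:", find_type_mismatches(NEW_TABLE, NEW_KQL))
    print("new DCR, table not recreated:", find_type_mismatches(OLD_TABLE, NEW_KQL))
    print("int-typed counters:", int_counters(NEW_TABLE, COUNTERS))
```

The third case models an existing deployment that applies the updated transform while the table still carries the old column types.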

Affected Files

Solutions/Illumio Insight/Data Connectors/IllumioInsightsGraph_CCP/IllumioInsightsGraph_DCR.json
Solutions/Illumio Insight/Data Connectors/IllumioInsightsGraph_CCP/table_IllumioInsightsGraph.json
(packaging artefacts: 3.3.3.zip, mainTemplate.json)