Data Source

Halcyon is an anti-ransomware platform delivering endpoint protection, ransomware detection, and cyber-resilience capabilities. This PR introduces a second-generation connector that replaces or supplements the v3.1.0 connector. Data is delivered to Sentinel via webhook in OCSF (Open Cybersecurity Schema Framework) format.

Two new custom tables are introduced:

  • HalcyonEventsV2_CL — endpoint telemetry events (process, file, network, DNS, kernel, auth, application lifecycle)
  • HalcyonAlertUpdatesV2_CL — full alert payloads for each alert creation and state-change event

Ingestion Mechanism

CCF (Codeless Connector Framework) with a dedicated DCR (HalcyonDCRv2). The DCR ingests from a single Custom-Halcyon stream and uses two transformKql flows to fan out records by recordType:

  • recordType == event -> Custom-HalcyonEventsV2_CL
  • recordType == alert -> Custom-HalcyonAlertUpdatesV2_CL

The DCR KQL transforms flatten the incoming OCSF dynamic payload into typed columns at ingestion time — OCSF common fields (class_uid, severity_id, action_id, disposition_id, etc.) plus class-specific objects (file, process, actor, device, src_endpoint, dst_endpoint, query, answers, driver, app).

Parsers (8 new)

All parsers are net-new and target HalcyonEventsV2_CL or HalcyonAlertUpdatesV2_CL:

Parser                              OCSF class_uid                  Class-specific projection
Halcyon_Alerts                      n/a (HalcyonAlertUpdatesV2_CL)  finding_info, resources, evidences, observables
Halcyon_OCSF_ProcessActivity        1007                            process
Halcyon_OCSF_FileActivity           1001                            file
Halcyon_OCSF_KernelActivity         1002                            driver
Halcyon_OCSF_ApplicationLifecycle   6002                            app
Halcyon_OCSF_Authentication         3002                            user, src_endpoint, dst_endpoint
Halcyon_OCSF_DnsActivity            4003                            src_endpoint, query, answers, rcode
Halcyon_OCSF_NetworkActivity        4001                            src_endpoint, dst_endpoint

Halcyon_Alerts deduplicates alert updates with summarize arg_max(HalcyonSourceTime, *) by HalcyonAlertId, collapsing multiple webhook payloads per alert to the most-recent state.
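To make the ingestion path above concrete, here is an added Python model (not the connector's DCR or parser code) of the recordType fan-out, the class_uid to parser lookup, and the arg_max deduplication that Halcyon_Alerts performs, run over a constructed webhook batch. Column names other than recordType, class_uid, HalcyonSourceTime and HalcyonAlertId (for example status) are assumptions.

```python
# Added model (not the connector's own DCR/parser code) of the recordType fan-out,
# the class_uid -> parser lookup and the Halcyon_Alerts arg_max deduplication.
# Columns other than recordType, class_uid, HalcyonSourceTime, HalcyonAlertId are assumed.
CLASS_TO_PARSER = {  # OCSF class_uid -> parser, as listed in the PR
    1001: "Halcyon_OCSF_FileActivity", 1002: "Halcyon_OCSF_KernelActivity",
    1007: "Halcyon_OCSF_ProcessActivity", 3002: "Halcyon_OCSF_Authentication",
    4001: "Halcyon_OCSF_NetworkActivity", 4003: "Halcyon_OCSF_DnsActivity",
    6002: "Halcyon_OCSF_ApplicationLifecycle",
}

def fan_out(records):
    """Route records as the two transformKql flows would; any other recordType
    matches neither flow, so it is dropped and counted."""
    tables = {"HalcyonEventsV2_CL": [], "HalcyonAlertUpdatesV2_CL": []}
    dropped = 0
    for rec in records:
        kind = rec.get("recordType")
        if kind == "event":
            tables["HalcyonEventsV2_CL"].append(rec)
        elif kind == "alert":
            tables["HalcyonAlertUpdatesV2_CL"].append(rec)
        else:
            dropped += 1
    return tables, dropped

def parser_for(event):
    """Parser that projects this event's OCSF class, or None if none covers it."""
    return CLASS_TO_PARSER.get(event.get("class_uid"))

def latest_alert_state(alert_rows):
    """Model of `summarize arg_max(HalcyonSourceTime, *) by HalcyonAlertId`.
    Timestamps are ISO-8601 UTC strings of equal format, so they compare as text."""
    latest = {}
    for row in alert_rows:
        aid = row["HalcyonAlertId"]
        if aid not in latest or row["HalcyonSourceTime"] > latest[aid]["HalcyonSourceTime"]:
            latest[aid] = row
    return latest

# Constructed sample batch: two events, three out-of-order updates to alert A-1,
# one update to A-2, and one record neither transformKql flow would route.
SAMPLE = [
    {"recordType": "event", "class_uid": 1007},
    {"recordType": "event", "class_uid": 9999},
    {"recordType": "alert", "HalcyonAlertId": "A-1", "HalcyonSourceTime": "2024-05-01T10:05:00Z", "status": "contained"},
    {"recordType": "alert", "HalcyonAlertId": "A-1", "HalcyonSourceTime": "2024-05-01T10:00:00Z", "status": "new"},
    {"recordType": "alert", "HalcyonAlertId": "A-1", "HalcyonSourceTime": "2024-05-01T10:02:00Z", "status": "investigating"},
    {"recordType": "alert", "HalcyonAlertId": "A-2", "HalcyonSourceTime": "2024-05-01T10:01:00Z", "status": "new"},
    {"recordType": "heartbeat"},
]
```

Records with an unlisted class_uid still land in HalcyonEventsV2_CL but no parser projects them, which is worth checking when validating a new Halcyon event type.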

Detection Surface Unlocked

This connector surfaces endpoint telemetry directly relevant to ransomware TTP coverage:

  • Process telemetry (class 1007) — command-line execution chains visible for T1059 coverage
  • File activity (class 1001) — mass file-modification or extension-change patterns indicative of T1486 (Data Encrypted for Impact)
  • Kernel activity (class 1002) — driver load events relevant to T1068 and rootkit/bootkit detection
  • Network activity (class 4001) — C2 and lateral movement beaconing; NefariousPeerCIDR detections populate dst_endpoint
  • DNS activity (class 4003) — DNS-based C2 via query/answers fields
  • Authentication events (class 3002) — credential-based movement (T1078)
  • Alert stream — Halcyon platform verdicts with severity, disposition, and finding_info for direct triage

No bundled Analytic Rules are included in this PR; detection engineering against these tables requires custom KQL authored against the parsers above.

Affected Files

.script/tests/KqlvalidationsTests/CustomTables/HalcyonAlertUpdatesV2_CL.json
.script/tests/KqlvalidationsTests/CustomTables/HalcyonEventsV2_CL.json
Solutions/Halcyon/Data Connectors/Halcyon_ccp_v2/Halcyon_DCR.json
Solutions/Halcyon/Data Connectors/Halcyon_ccp_v2/Halcyon_connectorDefinition.json
Solutions/Halcyon/Data Connectors/Halcyon_ccp_v2/Halcyon_dataConnector.json
Solutions/Halcyon/Data Connectors/Halcyon_ccp_v2/Halcyon_table_alert_updates.json
Solutions/Halcyon/Data Connectors/Halcyon_ccp_v2/Halcyon_table_events.json
Solutions/Halcyon/Parsers/Halcyon_Alerts.yaml
Solutions/Halcyon/Parsers/Halcyon_OCSF_ApplicationLifecycle.yaml
Solutions/Halcyon/Parsers/Halcyon_OCSF_Authentication.yaml
Solutions/Halcyon/Parsers/Halcyon_OCSF_DnsActivity.yaml
Solutions/Halcyon/Parsers/Halcyon_OCSF_FileActivity.yaml
Solutions/Halcyon/Parsers/Halcyon_OCSF_KernelActivity.yaml
Solutions/Halcyon/Parsers/Halcyon_OCSF_NetworkActivity.yaml
Solutions/Halcyon/Parsers/Halcyon_OCSF_ProcessActivity.yaml
(packaging artefacts: 3.2.0.zip, ReleaseNotes.md, Solution_Halcyon.json, createUiDefinition.json, mainTemplate.json)