What Changed
The Cybersixgill Actionable Alerts solution (v3.1.0) migrates from a legacy Azure Function-based connector to a new Codeless Connector Framework (CCF) connector while preserving backward compatibility via a unified parser.
Data Connector
The new CCF connector (CybersixgillAlertsCCFConnector) polls the Cybersixgill REST API using OAuth 2.0 (Client ID + Client Secret + Organization ID) and writes to a new custom table, CyberSixgillAlertsV2_CL. The data collection rule (DCR) stream is declared as Custom-CyberSixgillAlertsV2_CL, with a rich schema that includes threat actor, threat level, CVE fields (cve, cve_url, cybersixgillcvss31, cybersixgillcvss20, cybersixgilldvescore), and nested sub_alerts (dynamic). Multi-tenant ingestion is supported – each organization is configured as an independent connection via the connector UI grid.
Parser Impact
The new CyberSixgill_Alerts unified workspace function merges rows from both CyberSixgill_Alerts_CL (legacy Function App table) and CyberSixgillAlertsV2_CL (CCF table). Hunting queries and workbooks now reference the parser rather than the raw table, eliminating a dual-table query burden. Environments that have not yet deployed the CCF connector will continue to see legacy rows via the same parser interface – no detection breakage during migration.
Security Impact
Environments running only the legacy Azure Function connector will not ingest into CyberSixgillAlertsV2_CL; the unified parser handles the gap. The CCF connector is marked isPreview: true in this release. The high-severity alert graph query (Severity >= 7) and sub-alert fan-out view (CyberSixgillAlertsExpanded) are surfaced directly in the connector health UI.
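A migration check for the two tables described under Parser Impact and Security Impact, added here as an example and not part of the solution package: it reports, per day, which table is receiving rows, so a legacy-only workspace or a window where both connectors ingest at once stands out. It assumes only the two table names above and the standard TimeGenerated column; the State labels are illustrative.

```kusto
// Added example, not taken from the solution's own parsers or hunting queries.
// Queries the raw tables directly so the result shows which connector wrote each row.
// isfuzzy=true lets the query run when only one of the two tables exists in the
// workspace (for example, before the CCF connector is deployed). At least one
// of the tables must exist for the union to resolve.
let lookback = 14d;
union isfuzzy=true withsource=SourceTable
    CyberSixgill_Alerts_CL,      // legacy Function App table
    CyberSixgillAlertsV2_CL      // CCF table
| where TimeGenerated > ago(lookback)
| summarize Rows = count(), LastIngested = max(TimeGenerated)
    by SourceTable, Day = bin(TimeGenerated, 1d)
// Pivot the per-table counts onto one row per day.
| summarize
    LegacyRows   = sumif(Rows, SourceTable == "CyberSixgill_Alerts_CL"),
    CcfRows      = sumif(Rows, SourceTable == "CyberSixgillAlertsV2_CL"),
    LastIngested = max(LastIngested)
    by Day
// Days with no rows in either table do not appear in the output at all,
// so a gap in the Day column means nothing was ingested that day.
| extend State = case(
    LegacyRows > 0 and CcfRows > 0, "both connectors ingesting",
    CcfRows > 0,                    "CCF only",
                                    "legacy only")
| order by Day asc
```

Days marked "both connectors ingesting" are worth reviewing for alerts counted twice through CyberSixgill_Alerts, since the summary above does not say whether the parser deduplicates.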
Affected Files
.script/tests/KqlvalidationsTests/CustomFunctions/CyberSixgill_Alerts.json
Solutions/Cybersixgill-Actionable-Alerts/Data Connectors/CybersixgillAlerts_CCF/Cybersixgill_ConnectorDefinition.json
Solutions/Cybersixgill-Actionable-Alerts/Data Connectors/CybersixgillAlerts_CCF/Cybersixgill_DCR.json
Solutions/Cybersixgill-Actionable-Alerts/Data Connectors/CybersixgillAlerts_CCF/Cybersixgill_PollerConfig.json
Solutions/Cybersixgill-Actionable-Alerts/Data Connectors/CybersixgillAlerts_CCF/table_CyberSixgillAlertsV2.json
Solutions/Cybersixgill-Actionable-Alerts/Hunting Queries/ActionableAlerts.yaml
Solutions/Cybersixgill-Actionable-Alerts/Package/testParameters.json
Solutions/Cybersixgill-Actionable-Alerts/Parsers/parser_CyberSixgillAlertsExpandedFunction.json
Solutions/Cybersixgill-Actionable-Alerts/Parsers/parser_CyberSixgillAlertsFunction.json
Solutions/Cybersixgill-Actionable-Alerts/Workbooks/ActionableAlertsDashboard.json
Solutions/Cybersixgill-Actionable-Alerts/Workbooks/ActionableAlertsList.json
(packaging artefacts: 3.0.2.zip, ReleaseNotes.md, Solution_Cybersixgill_Actionable_Alerts.json, createUiDefinition.json, mainTemplate.json)