Data Source

Holm Security is a Vulnerability Management Platform (VMP) that scans and tracks network and web asset inventory. This connector ingests from two REST API endpoints:

  • GET /web-assets – web-facing assets with URI, asset type, tags, and vulnerabilities_count
  • GET /net-assets – network hosts with IP, IP range, hostname, OS, severity, business impact, personal data flag, and vulnerabilities_count

Both pollers run on a daily interval (queryWindowInMin: 1440) using Token-based API key authentication and offset pagination (limit/offset). Note that both endpoints return an asset inventory rather than an event stream: unless the poller applies a time filter on the request, every poll re-ingests the current asset list, so the tables accumulate one snapshot per day and downstream queries should reduce to the latest record per asset instead of counting rows.

Ingestion Mechanism

Codeless Connector Framework (CCF) connector of the RestApiPoller kind, using a DCR with two custom stream declarations:

  • Custom-web_assets_CL to web_assets_CL table (9 columns)
  • Custom-net_assets_CL to net_assets_CL table (16 columns)

The DCR transformKql normalises raw API field names (e.g., operating_system to OperatingSystem, vulnerabilities_count to VulnerabilitiesCount) and derives TimeGenerated from the created field, falling back to now() when that field is missing or unparseable. Caveat for operators: created is presumably the asset's creation timestamp rather than the scan time, so for long-lived assets it may lie far in the past; Azure Monitor restricts how far in the past TimeGenerated may lie, so confirm which timestamp actually lands in the table before writing time-scoped queries against it. The connector UI accepts a configurable API base URL, supporting regional Holm Security deployments (e.g., https://se-api.holmsecurity.com/v2).
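For readers unfamiliar with DCR transformations, the pattern the paragraph describes looks like the following. This is an added illustration, not the PR's own transformKql: the raw names operating_system, vulnerabilities_count and created come from the summary above, while ip, hostname and hosts_personal_data are assumed raw field names, and the real stream declarations define the exact column set.

```kql
// Added illustration of the ingest-time transform pattern (not the PR's DCR).
// Raw names ip, hostname and hosts_personal_data are assumptions.
source
// TimeGenerated from the API's created field, falling back to ingestion time
// when the field is absent or does not parse as a datetime.
| extend TimeGenerated = iif(isnotnull(todatetime(created)), todatetime(created), now())
// Coerce counts and flags to typed columns so queries can compare them directly.
| extend VulnerabilitiesCount = toint(vulnerabilities_count),
         HostsPersonalData = tobool(hosts_personal_data)      // assumed raw name
// Rename snake_case API fields to the PascalCase columns of net_assets_CL.
| project-rename OperatingSystem = operating_system,
                 Ip = ip,                                     // assumed raw name
                 Hostname = hostname                          // assumed raw name
// Drop the raw copies that were re-typed above.
| project-away vulnerabilities_count, hosts_personal_data
```

The iif/isnotnull form is used rather than coalesce because DCR transformations support only a subset of KQL; anything used here should be checked against the transformation feature list for the workspace before deployment.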

Detection Surface Unlocked

Prior to this connector, Holm Security customers had no native path to ingest asset inventory into Microsoft Sentinel. With this data now available:

  • Correlate net_assets_CL IP and hostname fields against network connection logs and threat intelligence indicators to identify vulnerable hosts communicating with suspicious infrastructure
  • Join VulnerabilitiesCount and Severity from net_assets_CL against alert data to prioritise incident response by asset risk posture
  • Use web_assets_CL URI inventory for hunting against web access logs – identify scanning or exploitation attempts targeting known assets
  • The HostsPersonalData boolean field in net_assets_CL enables data-sensitivity-aware triage

No bundled Analytic Rules or Hunting Queries are included in this release – detections leveraging these tables will need to be authored by the operator.
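Since no hunting content ships with this release, the following is an added example of the kind of operator-authored query the list above describes (it is not part of the PR or of Holm Security's own content). It assumes net_assets_CL exposes Ip and Hostname as string columns, that Severity is a lowercase string such as "critical", and that TimeGenerated reflects ingestion time; the CommonSecurityLog and ThreatIntelligenceIndicator tables and their columns are the standard Sentinel ones.

```kql
// Added example hunting query (not shipped with the PR).
// Assumed: net_assets_CL columns Ip and Hostname (string), Severity lowercase
// string, TimeGenerated = ingestion time. Adjust to the real stream declaration.
let LookBack = 7d;
// Newest record per host: the daily poll re-ingests the whole inventory,
// so take arg_max over TimeGenerated instead of counting rows.
let VulnerableHosts =
    net_assets_CL
    | where TimeGenerated > ago(30d)
    | summarize arg_max(TimeGenerated, *) by Ip
    | where VulnerabilitiesCount > 0 and Severity in ("high", "critical")
    | project Ip, Hostname, OperatingSystem, Severity, VulnerabilitiesCount, HostsPersonalData;
// Currently active network indicators from the Sentinel TI table.
let ActiveIndicators =
    ThreatIntelligenceIndicator
    | where TimeGenerated > ago(LookBack)
    | where Active == true and ExpirationDateTime > now() and isnotempty(NetworkIP)
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | project IndicatorIp = NetworkIP, ConfidenceScore, Description;
// Connections from vulnerable hosts to indicator IPs, ranked for triage.
CommonSecurityLog
| where TimeGenerated > ago(LookBack)
| where isnotempty(SourceIP) and isnotempty(DestinationIP)
| join kind=inner VulnerableHosts on $left.SourceIP == $right.Ip
| join kind=inner ActiveIndicators on $left.DestinationIP == $right.IndicatorIp
| summarize Connections = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by Ip, Hostname, OperatingSystem, Severity, VulnerabilitiesCount, HostsPersonalData,
       DestinationIP, ConfidenceScore, Description
// Data-sensitivity-aware ranking: critical hosts holding personal data first.
| extend TriagePriority = case(
    Severity == "critical" and HostsPersonalData, 1,
    Severity == "critical", 2,
    HostsPersonalData, 3,
    4)
| order by TriagePriority asc, VulnerabilitiesCount desc, Connections desc
```

The same VulnerableHosts snapshot can be joined against SecurityAlert or SecurityIncident entities to enrich existing alerts with Severity and VulnerabilitiesCount, and the web_assets_CL URI column can be matched against web access logs in the same way for the hunting case listed above.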

MITRE Coverage

No bundled detections; no MITRE techniques determinable from this PR.

Affected Files

Logos/HolmSecurity.svg
Solutions/HolmSecurity/Data Connectors/HolmSecurityAssetLogs_ccf/HolmSecurityAssetLogs_DCR.json
Solutions/HolmSecurity/Data Connectors/HolmSecurityAssetLogs_ccf/HolmSecurityAssetLogs_PollerConfig.json
Solutions/HolmSecurity/Data Connectors/HolmSecurityAssetLogs_ccf/HolmSecurityAssetLogs_connectorDefinition.json
Solutions/HolmSecurity/Data Connectors/HolmSecurityAssetLogs_ccf/HolmSecurityAssetLogs_net_assets_Table.json
Solutions/HolmSecurity/Data Connectors/HolmSecurityAssetLogs_ccf/HolmSecurityAssetLogs_web_assets_Table.json
Solutions/HolmSecurity/Data Connectors/HolmSecurityAssets_API_FunctionApp.json
Solutions/HolmSecurity/Package/testParameters.json
(packaging artefacts: 3.0.2.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_HolmSecurity.json, createUiDefinition.json, mainTemplate.json)