What Changed
Three distinct production defects corrected in Lookout v3.0.6:
Security Impact (Visibility and Fidelity)
1. CCF cursor timeout (complete ingestion stop)
The CCF pagingType was set to PersistentToken, which stored the last_oid cursor server-side. The cursor expired after approximately 24 hours, causing the connector to fail at the pagination step and silently halt all ingestion. Deployments running v3.0.5 or earlier have experienced periodic complete data gaps lasting until the next connector restart or redeployment.
Fix: pagingType changed to NextPageToken. The last_oid cursor is now scoped to within-cycle pagination only; between cycles the CCF advances via the start_time time-window parameter, eliminating cross-cycle cursor staleness.
2. DCR field path errors (four fields null for every ingested record)
The DCR transformKql and LookoutEvents parser referenced incorrect JSON paths from the Lookout API v2 response. The following fields were returning null for every event:
| Field in LookoutMtdV2_CL | Incorrect path | Correct path |
|---|---|---|
| threat_id / ThreatId | threat.id | threat.guid |
| threat_action / ThreatAction | threat.action | threat.details.response |
| device_email_address / DeviceEmailAddress | device.email_address | device.info.email |
| smishing_alert_id / SmishingAlertId | smishing_alert.id | smishing_alert.guid |
Any analytic rule, hunting query, or workbook filtering or joining on ThreatId, ThreatAction, or SmishingAlertId has been operating on null values. Correlation against threat identifiers was broken for all affected deployments.
3. PII exposure in diagnostics logs removed
logResponseContent: true was present in the PollingConfig, causing raw Lookout API responses (which include device email addresses and user identity data) to be written to connector diagnostics logs. This has been removed. Prior deployments should audit their diagnostics log retention if PII exposure is a compliance concern.
Remediation
Update the Lookout solution to v3.0.6 via Content Hub. Post-update, verify data flow by checking max(TimeGenerated) in LookoutMtdV2_CL and confirming that the ThreatId and ThreatAction fields are non-null in recent records.
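The following KQL is an added post-update check, not part of the release note or the solution's own parser, workbook or DCR content. It assumes only the table and column names stated above (LookoutMtdV2_CL, ThreatId, ThreatAction, SmishingAlertId, DeviceEmailAddress). The three queries are independent; run each one separately in Log Analytics. Query 1 confirms ingestion freshness, Query 2 measures the null rate of the fields whose paths were corrected, and Query 3 finds hourly gaps of the kind the cursor-timeout defect produced.

```kql
// Query 1: freshness. A stale LastRecord is the symptom of the cursor-timeout
// ingestion stop; after the v3.0.6 update this should stay within one polling cycle.
LookoutMtdV2_CL
| summarize LastRecord = max(TimeGenerated), Records = count()
| extend MinutesSinceLastRecord = datetime_diff('minute', now(), LastRecord)

// Query 2: null rate of the four corrected fields over the last 24h.
// Before the fix these were 100% null. Some event types legitimately carry no
// threat or smishing identifiers, so compare against that 100% baseline rather
// than expecting 0%; a ThreatIdNullPct that is still 100 means the fix is not live.
LookoutMtdV2_CL
| where TimeGenerated > ago(24h)
| summarize
    Total = count(),
    ThreatIdNull = countif(isempty(ThreatId)),
    ThreatActionNull = countif(isempty(ThreatAction)),
    SmishingAlertIdNull = countif(isempty(SmishingAlertId)),
    DeviceEmailNull = countif(isempty(DeviceEmailAddress))
| extend
    ThreatIdNullPct = round(100.0 * ThreatIdNull / Total, 1),
    ThreatActionNullPct = round(100.0 * ThreatActionNull / Total, 1)

// Query 3: hourly buckets with zero events over the last 7 days. Runs of empty
// hours ending at a connector restart match the pattern described under defect 1.
LookoutMtdV2_CL
| make-series Events = count() default = 0 on TimeGenerated from ago(7d) to now() step 1h
| mv-expand TimeGenerated to typeof(datetime), Events to typeof(long)
| where Events == 0
| project EmptyHour = TimeGenerated
```

Query 3 can be scheduled as an analytic rule on its own so a future ingestion halt is alerted on rather than discovered at the next redeployment; the threshold for "gap" should be set wider than the connector's normal polling interval to avoid false positives during quiet periods.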
Affected Files
Solutions/Lookout/Data Connectors/LookoutStreamingConnector_ccp/LookoutStreaming_DCR.json
Solutions/Lookout/Data Connectors/LookoutStreamingConnector_ccp/LookoutStreaming_PollingConfig.json
Solutions/Lookout/Parsers/LookoutEvents.yaml
Solutions/Lookout/Workbooks/LookoutEvents.json
(packaging artefacts: 3.0.6.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_Lookout.json, mainTemplate.json)