What Changed

The Cisco Umbrella CCF connector definition (CiscoUmbrella_DataConnectorDefinition.json) has been updated with three changes:

  1. GA Promotion: isPreview set to false; apiVersion bumped from 2022-09-01-preview to 2025-09-01
  2. Publisher corrected: publisher field changed from Cisco to Microsoft (aligning with Microsoft support tier)
  3. Template variable substitution fixed: Multiple occurrences of the graphQueriesTableName template variable replaced with the hardcoded literal CiscoUmbrellaAdminAudit_CL in:
    • graphQueries[0].baseQuery
    • sampleQueries[0].query
    • dataTypes[0].name
    • dataTypes[0].lastDataReceivedQuery

Security Impact (Visibility and Fidelity)

The unresolved graphQueriesTableName template variable in the lastDataReceivedQuery and dataTypes.name fields caused the Content Hub connectivity indicator for Admin Audit logs to query a table literally named after the template variable placeholder instead of CiscoUmbrellaAdminAudit_CL. This resulted in:

  • The Last data received timestamp in the connector UI showing stale or no data even when ingestion was functioning correctly
  • The sample query in the connector wizard failing at runtime

This is a UI fidelity issue, not an ingestion gap — data was still flowing into CiscoUmbrellaAdminAudit_CL via the DCR poller. However, SOC teams relying on the connector health indicator to confirm Umbrella Admin Audit data arrival would have seen misleading no-data signals.

The 10 log categories introduced in v3.1.0 (DNS, WebTraffic, CloudFirewall, AdminAudit, DLP, FileEvent, IPS, RemoteAccessVPN, ZeroTrustAccess, ZeroTrustAccessFlow) are unaffected in terms of actual ingestion. Only the Admin Audit health check was broken by the template variable issue.
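
A pre-merge lint for this class of defect, as an added example (not code from the connector repository): it checks the four fields listed under What Changed for a leftover graphQueriesTableName reference. The `{{...}}` delimiter, the query text and the JSON nesting in the sample are constructed assumptions; the field names and table name come from this page.

```python
import json

PLACEHOLDER = "graphQueriesTableName"        # variable name as given on this page
EXPECTED_TABLE = "CiscoUmbrellaAdminAudit_CL"
# The four fields named in the change list, as (array key, field key).
CHECKED = [("graphQueries", "baseQuery"), ("sampleQueries", "query"),
           ("dataTypes", "name"), ("dataTypes", "lastDataReceivedQuery")]

def find_arrays(node, key):
    """Yield every list stored under `key` at any depth, so nesting is not assumed."""
    if isinstance(node, dict):
        for k, v in node.items():
            if k == key and isinstance(v, list):
                yield v
            else:
                yield from find_arrays(v, key)
    elif isinstance(node, list):
        for item in node:
            yield from find_arrays(item, key)

def lint(definition):
    """Return (path, problem) findings for the checked fields."""
    findings = []
    for array_key, field in CHECKED:
        for arr in find_arrays(definition, array_key):
            for i, entry in enumerate(arr):
                value = entry.get(field) if isinstance(entry, dict) else None
                if not isinstance(value, str):
                    continue
                path = f"{array_key}[{i}].{field}"
                if PLACEHOLDER in value:
                    findings.append((path, "unresolved template variable"))
                elif i == 0 and EXPECTED_TABLE not in value:
                    findings.append((path, "expected table not referenced"))
    return findings

# Constructed samples: BEFORE mimics the broken definition, AFTER the fixed one.
BEFORE = json.loads("""{"properties": {"connectorUiConfig": {
  "graphQueries": [{"baseQuery": "{{graphQueriesTableName}}"}],
  "sampleQueries": [{"query": "{{graphQueriesTableName}} | take 10"}],
  "dataTypes": [{"name": "{{graphQueriesTableName}}",
    "lastDataReceivedQuery": "{{graphQueriesTableName}} | summarize max(TimeGenerated)"}]}}}""")
AFTER = json.loads(json.dumps(BEFORE).replace("{{graphQueriesTableName}}", EXPECTED_TABLE))

if __name__ == "__main__":
    for label, doc in (("before", BEFORE), ("after", AFTER)):
        print(label, lint(doc) or "clean")
```

Run against the real definition file by replacing the samples with `json.load(open(path))`; a non-empty result should fail the build.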

Affected Files

Solutions/CiscoUmbrella/Data Connectors/CiscoUmbrella_CCP/CiscoUmbrella_DataConnectorDefinition.json
(packaging artefacts: 3.2.0.zip, ReleaseNotes.md, Solution_CiscoUmbrella.json, mainTemplate.json)