What Changed
Two shared ISV connector definition templates used as the starting point for new CEF- and Syslog-based connectors were updated to reflect the current AMA ingestion model:
Connector_CEF_template.json
- Description updated to reference AMA-based ingestion and the Microsoft Common Event Format (CEF) via AMA solution dependency.
- Removed sharedKeys resourceProvider permission – this was an MMA artifact; AMA uses DCR + managed identity and does not require workspace key access.
- Added customs permissions block: Azure Arc requirement for non-Azure VMs and a marketplace link to the CEF via AMA solution.
- Replaced four MMA instruction steps (cef_installer.py download, Linux agent install, validation script, machine hardening) with a two-step AMA pattern: product-side CEF config placeholder + install CEF via AMA from marketplace.
- Sample queries updated from generic placeholders to vendor-discriminated patterns filtering CommonSecurityLog on DeviceVendor and DeviceProduct.
- isPreview set to false.
Connector_Syslog_template.json
- Description updated to reference AMA-based ingestion and Syslog via AMA solution dependency.
- Removed three MMA instruction steps (InstallAgentOnLinuxVirtualMachine, InstallAgentOnLinuxNonAzure, OpenSyslogSettings) replaced with the same two-step AMA pattern.
- Added customs permissions block (Azure Arc + Syslog via AMA marketplace link).
- baseQuery, sampleQueries, dataTypes, and connectivityCriterias updated from the non-functional DATATYPE_NAME placeholder to vendor-discriminated queries filtering Syslog on ProcessName.
- isPreview set to false.
Security Impact (Visibility and Fidelity)
These are ISV authoring templates, not deployed connectors – no production detection gap exists from this PR. However, connectors built from the old templates continued to instruct customers to install MMA, which was retired. Any new connector published using the corrected template will guide customers toward AMA, the only supported ingestion path for CEF and Syslog going forward.
The removal of the sharedKeys permission from the CEF template is a least-privilege improvement: connectors built from the old template were requesting workspace key read access unnecessarily.
Affected Files
DataConnectors/Templates/Connector_CEF_template.json
DataConnectors/Templates/Connector_Syslog_template.json