What Changed

The Transmit Security solution (v3.0.2) replaces its legacy Function App-based data connector with a Codeless Connector Framework (CCF) implementation. The old connector (TransmitSecurity_API_FunctionApp.json) required customers to deploy and maintain an Azure Function App; the new connector removes that dependency entirely and is managed by the Sentinel platform.

Four new CCF artefacts are introduced:

  • ConnectorDefinition – UI metadata; ingestion target is TransmitSecurityActivity_V2_CL (note the V2 suffix – this is a different table from the Function App connector)
  • PollerConfig – OAuth2 client-credentials flow against a configurable token endpoint; polls a configurable pull endpoint for activity events
  • DCR – Custom stream Custom-TransmitSecurityActivity_V2_CL; transformKql maps 20 raw fields (activity, app_id, user_id, ip, user_agent, device_id, tenant_id, actor_id, flow_id, correlation_id, additional_params, etc.) to PascalCase column names and derives TimeGenerated from the event timestamp field (falling back to now() if null)
  • Table schema – Defines 20 typed columns for TransmitSecurityActivity_V2_CL

Security Impact (Visibility & Fidelity)

Table rename is a breaking change for existing queries. Any KQL hunting queries, Analytic Rules, or workbooks referencing the old Function App table name will return zero results after migration. Operators must identify and update all content referencing the previous table before decommissioning the Function App connector.

The new DCR transformKql explicitly preserves SourceTenantId (mapped from tenant_id) and CorrelationId – fields that are critical for multi-tenant or cross-session correlation in CIAM attack investigations (credential stuffing, account takeover, suspicious authentication flows). The prior Function App connector had a known field-drop issue (per commit history: fix dropped fields and tenantId), which the CCF connector resolves.

Deployments that have already installed the v3.0.x Function App connector and upgrade to this package will now have two connectors in Content Hub unless the old one is manually removed. Ensure the Function App is decommissioned to avoid duplicate ingestion costs.

Authentication: The poller uses OAuth2 client credentials (Client ID + Client Secret + configurable token endpoint). Credentials are entered at connector configuration time and stored as CCF connector properties – no Key Vault or Function App application settings required.

Affected Files

Solutions/TransmitSecurity/Data Connectors/TransmitSecurityActivity_CCF/TransmitSecurityActivity_ConnectorDefinition.json
Solutions/TransmitSecurity/Data Connectors/TransmitSecurityActivity_CCF/TransmitSecurityActivity_DCR.json
Solutions/TransmitSecurity/Data Connectors/TransmitSecurityActivity_CCF/TransmitSecurityActivity_PollerConfig.json
Solutions/TransmitSecurity/Data Connectors/TransmitSecurityActivity_CCF/TransmitSecurityActivity_Table.json
Solutions/TransmitSecurity/Package/testParameters.json
(packaging artefacts: 3.0.2.zip, ReleaseNotes.md, Solution_TransmitSecurity.json, createUiDefinition.json, mainTemplate.json)