SentinelOne V2 CCF Connector: UAM GraphQL Alerts Now Visible in Sentinel (Plus Packaging Fix)

The SentinelOne solution adds a new CCF-based V2 connector ingesting Unified Alert Management (UAM) alerts from the GraphQL API into SentinelOneAlertsV2_CL, closing a blind spot for Wayfinder, cloud, identity, STAR, and third-party detections that the legacy REST connector never surfaced. Read More →

Azure Firewall ASIM DNS Parsers: Silent Union Failure Fixed for Resource-Specific Log Mode

When Azure Firewall is configured to send logs only to the resource-specific AZFWDnsQuery table, the AzureDiagnostics branch of both ASimDnsAzureFirewall and vimDnsAzureFirewall parsers was aborting with a scalar resolution error, dropping all DNS query data from those branches entirely. Read More →

Agent 365: Microsoft Agent Identities Connector Page KQL Parse Error Patched by Removing Data Type Declarations

The EntraNHIAssets connector definition drops all four data type entries to eliminate an empty-subquery KQL parse error on the connector page — though reviewers flag this may break connector metadata contracts. Read More →

Azure WAF Log4j Detection Restored: Field Reference Errors Silenced the Rule Since v1.0.5

A broken column_ifexists reference caused the Azure WAF Log4j detection rule to silently miss exploit traffic in details_message and details_msg fields – any deployment running v1.0.5 had a gap in Log4Shell (CVE-2021-44228) coverage via WAF logs. Read More →

WithSecure Elements CCF Connector: Zero-Ingestion Fix for Broken OAuth2 Auth and Invalid Query Parameters

The WithSecureElementsCCF connector has been non-functional since initial release – both the OAuth2 token request and the security-events API call failed with HTTP 400 errors, meaning no WithSecure endpoint security events have been ingested into any Sentinel deployment running this connector. Read More →

Checkmarx Audit Ingestion Playbook: Pagination Fix, Deployment Simplification, and RBAC Enforcement

The AS-Checkmarx-Audit-Ingestion Playbook receives pagination loop fixes and a collapsed single-deployment model – teams running the old multi-step deployment may have incomplete audit event ingestion. Read More →

DocuSign Connector: Az Module Upgrade Restores PowerShell 7.2+ Function App Compatibility

The DocuSign Security Events Function App connector was failing to load Az module cmdlets on PowerShell 7.2+ runtimes; bumping the dependency from Az 5.* to 11.* restores ingestion. Read More →

Cisco Umbrella CCF Connector GA Promotion Fixes Template Variable Rendering in UI Queries

The Cisco Umbrella CCF connector graduates to GA while also resolving broken template variable references that caused Content Hub connectivity checks and sample queries to malfunction. Read More →

Lookout Connector v3.0.6: Silent Ingestion Stop After 24h and Four DCR Field Mapping Blind Spots Fixed

A CCF cursor expiry caused the Lookout streaming connector to silently stop ingesting data after roughly 24 hours, and four incorrect DCR field paths meant ThreatId, ThreatAction, DeviceEmail, and SmishingAlertId were null in every ingested record. Read More →

Semperis Lightning Connector: TLS Certificate Verification Restored Across All API Calls

The Semperis Lightning data connector was making all outbound API requests with TLS verification disabled (verify=False), exposing token acquisition and all data collection calls to man-in-the-middle attacks; this fix re-enables certificate validation across seven affected modules. Read More →

Google Workspace Reports: Google Meet Activity Logs Restored After Polling Window Gap

A missing queryWindowDelayInMin setting caused Google Meet audit events to be silently dropped by the CCF connector - adding a 30-minute delay restores ingestion of events that arrive late from Google API. Read More →

Cofense Intelligence Connector: SSRF and Credential Leakage Vulnerabilities Patched in DownloadThreatReports Function

Critical security hardening of the Cofense Intelligence Azure Function eliminates a Server-Side Request Forgery (SSRF) vector and credential leakage risk that allowed callers to redirect authenticated requests to arbitrary or internal hosts. Read More →

TacitRed Defender TI Playbook: Fixing Content Hub Deployment Failure on Hyphenated Workspace Names

TacitRed Defender Threat Intelligence v3.0.2 fixes an InvalidTemplate ARM error that blocked Content Hub deployment entirely on any workspace with a hyphenated name, plus resolves a sovereign cloud storage endpoint bug and adds required post-deployment RBAC guidance. Read More →

QualysVM CCF Connector: Restoring Vulnerability Data Ingestion After API Timeout Blind Spot

Customers with large Qualys environments were receiving zero vulnerability detection data due to chronic API timeouts – this fix raises the CCF timeout to the platform maximum, tightens the query window, and adds a lightweight connectivity check to unblock ingestion. Read More →

Threat Intelligence (NEW): Broken Connector Mappings and Case-Sensitive Rule Names Fixed Across 36 Analytic Rules

Two customer-reported issues are resolved: EmailEvents and EmailUrlInfo rules were mapped to the wrong connectors (Office365 instead of MicrosoftThreatProtection), and inconsistent capitalisation in rule names was silently breaking customer Playbook automations. Read More →

Illumio Insights Graph Connector: DCR Type Mismatches Were Blocking All Ingestion

The IllumioInsightsGraph CCF connector had column type mismatches between the table schema and DCR transform that caused ingestion failures – this fix corrects TimeGenerated from string to datetime and multiple numeric fields from long to int, but introduces overflow risk for byte counters in high-volume environments. Read More →

Fortinet FortiNDR Cloud Connector: Migration from Deprecated HTTP Data Collector API to Log Ingestion API

The FortiNDR Cloud Function App connector has been fully rewritten to use the Azure Monitor Log Ingestion API, replacing the retired HTTP Data Collector API – deployments still on v3.0.x have had zero ingestion since the legacy API was deprecated. Read More →

Vaikora-AzureSecurityCenter: Three Analytic Rules and Playbook Completely Non-Functional Since Initial Deployment

The v3.0.0 solution was built against a fabricated alert API schema – the playbook crashed on ingestion, all three Analytic Rules queried a table that was never populated, and two install paths wrote to divergent tables, meaning zero Vaikora AI agent threat data reached Microsoft Sentinel from day one. Read More →

Vaikora-SentinelOne Playbook: Broken IOC Push Restored After HTTP 422 API Rejection

The v3.0.0 playbook always appended an empty agent_id= parameter, causing the Vaikora API to reject every poll request with HTTP 422, silently halting all IOC delivery to SentinelOne Threat Intelligence since initial deployment. Read More →

Vaikora-CrowdStrike Playbook: Silent IOC Pipeline Failure Fixed for Monitor All Agents Mode

When VaikoraAgentId was left blank to monitor all agents, every HTTP 422 rejection from the Vaikora API silently dropped all IOCs - no high/critical-risk actions ever reached CrowdStrike Falcon. Read More →