Cisco Secure Endpoint ASIM AlertEvent Parser: Missing Mandatory Fields Causing Data Fidelity Gap

TimeGenerated and Type fields were absent from the Cisco Secure Endpoint ASIM AlertEvent parser output, causing null returns for all rows referencing these now-mandatory schema fields in downstream queries. Read More →

Okta SSO Detection Suite: Richer Alert Context, Configurable Thresholds, and Corrected Entity Mappings Across 9 Rules and 10 Hunting Queries

Nine Analytic Rules and ten Hunting Queries for Okta SSO have been overhauled with configurable thresholds, allowlist variables, improved JSON parsing, and corrected entity mappings, closing fidelity gaps that degraded Sentinel entity behaviour and alert context. Read More →

Infoblox SOC Insights: New CCF Connector Replaces Deprecated Legacy Integration

Infoblox SOC Insights gains a native CCF-based data connector via REST API polling, restoring structured ingestion of BloxOne Threat Defense insights into the InfobloxInsight_CL table after prior connectors were deprecated. Read More →

Cisco Meraki CCF Connector Expands to Cover Rogue AP Detection and Network Inventory

The Cisco Meraki CCF connector (v3.1.0) adds four new ingestion streams - Organizations, Organization Networks, Network Clients, and Wireless Air Marshal Events - extending coverage beyond the original ASIM event types to include wireless threat detection and full network inventory visibility. Read More →

Imperva Cloud WAF CCF Connector Graduates to General Availability

The Imperva Cloud WAF CCF connector moves from Public Preview to GA, with connector UI template variables replaced by the literal ImpervaWAFCloud table name - no ingestion logic changes. Read More →

Azure WAF Log4j Detection: Schema Gap Closed for details_message_s and details_msg_s Fields

The AzureWAFmatching_log4j_vuln Analytic Rule was silently missing CVE-2021-44228 exploit attempts in WAF logs that surfaced details_message_s via AdditionalFields or used the details_msg_s column variant, leaving a schema-dependent blind spot in Log4Shell detection. Read More →

ESET PROTECT Platform Connector: Dependency Rollback Including Cryptography Downgrade Warrants Review

The ESET PROTECT Platform Function App connector rolls back several Python dependencies to lower versions, including cryptography from 48.0.0 to 43.0.1, without documented CVE justification – operators should verify no security regressions are introduced. Read More →

Recorded Future: Defender Portal Migration Breaks Incident Creation -- Playbooks Redesigned Around Analytic Rules

Recorded Future v3.2.20 removes direct incident creation from four playbooks (now incompatible with the unified Microsoft Defender portal) and introduces new Analytic Rules to restore incident generation from custom log tables. Read More →

Wiz Connector Overhaul: Agentless DCR Push Integration Adds Detections Stream, Eliminates Function App Attack Surface

Wiz v3.0.1 replaces the legacy Azure Function pull connector with a native DCR push integration, adding a new WizDetectionsV3_CL data stream and removing the need for customer-hosted infrastructure or shared workspace keys. Read More →

BlueVoyant Claude Compliance Connector: DCR Schema Expanded with Activity Fields, Sensitive request_body Removed

The BlueVoyant Anthropic Claude Compliance CCF connector v1.0.1 expands the DCR schema with dozens of activity-specific fields required for hunting and detection, and removes the request_body column to prevent ingestion of potentially sensitive data. Read More →

Entra ID Brute-Force Detection: Sort Order Fix Corrects Anomaly Decomposition Input

The BruteForceAgainstanEntraAuthenticatedWindowsDevice Analytic Rule was building unsorted time-series arrays for series_decompose_anomalies, meaning anomaly detection results could be incorrect or inconsistent across executions – this fix enforces chronological ordering and stable serialization before make_list. Read More →

GitHub AzStorage Connector: Expanded api.request Fields Land in New GitHubAuditLogsV3_CL Table

The GitHub Azure Storage CCF connector gains a new V3 table with 10 additional api.request fields including token_scopes, request_method, request_body, status_code, and url_path, improving visibility into API-level attacker activity in GitHub audit logs. Read More →

AI Agents Hunting Queries Migrated to Unified AgentsInfo Table -- Connector-Split Queries Retired

Seven consolidated AI agent hunting queries now target the unified Defender XDR AgentsInfo table, replacing 26 connector-specific queries split across the A365 and Copilot Studio connectors; existing deployments still running the old AIAgentsInfo-based queries have had no effective hunting coverage since the table split was introduced. Read More →

Rapid7 InsightVM CCF Connector Promoted to General Availability

The Rapid7 InsightVM CCF data connector moves out of Public Preview to GA, updating the API version to the stable 2025-09-01 release. Read More →

QRadar Migration Tool: Summary Row and Delimiter Changes Affect CSV Output Format

The QRadar collector script (v0.4.1) appends a sentinel summary row of all active Log Source Types to the exported rules CSV and switches bracket-list formatting from comma to pipe separators, breaking any downstream parsers expecting the previous format. Read More →

Fortinet FortiNDR Cloud Connector: Migration from Deprecated HTTP Data Collector API to Log Ingestion API with Managed Identity

The Fortinet FortiNDR Cloud Function App connector has been migrated from the deprecated HTTP Data Collector API (using client secret credentials) to the Log Ingestion API using Managed Identity - deployments running the previous version were heading toward a complete ingestion failure as the old API reaches end-of-life. Read More →

Microsoft Entra ID Assets Connector: EntraEligibleMembers Table Added (Preview)

The Microsoft Entra ID Assets connector gains a new EntraEligibleMembers table checkbox in the portal, expanding Privileged Identity Management (PIM) visibility for eligible role assignment tracking. Read More →

Salesforce Service Cloud ASIM Authentication Parser: Extended to Cover CCF V2/V3 Connector Tables

The ASIM Authentication parser for Salesforce Service Cloud now normalises logs from the V2 and V3 CCF connector tables – environments using the updated codeless connectors were previously producing zero normalised authentication events. Read More →

Cisco ISE ASIM Auth Parser: Regex Fix Restores EventOriginalType Extraction Across Log Format Variants

A broken regex in both the ASimAuthenticationCiscoISE and vimAuthenticationCiscoISE parsers caused EventOriginalType to return null for Cisco ISE syslog messages that include extended timestamp/sequence prefixes, silently dropping event classification for those log variants. Read More →

Cybersixgill Actionable Alerts: Packaging Fix for Channel and Step ID Variables (P0)

P0-labeled packaging-only update to the Cybersixgill Actionable Alerts solution that extracts hardcoded channel and step IDs into template variables in mainTemplate.json – no YAML content or detection logic changes. Read More →