[{"content":"What Changed Microsoft Sentinel Solutions Analyzer enhanced with SAP-specific overrides to address two discovery blind spots:\nSAP solution marketplace metadata: Added solution_publisher_id and solution_offer_id mappings to enable marketplace verification lookups SAPCC agentless connector visibility: Synthetic connector entry created for the SAP agentless applications connector (SAPCC_DCR.json) which exists outside standard analyzer scan paths Analyzer Impact The changes restore proper classification for SAP content in analyzer outputs:\nSAP solution now correctly shows is_published: true with live marketplace verification SAPCC connector surfaces in connector inventory as “Microsoft Sentinel for SAP applications - agentless” Connector count increased from 624 to 625 with SAPCC now tracked Seven override rows added targeting ABAPAuditLog_CL, ABAPChangeDocsLog_CL, ABAPUserDetails_CL, ABAPAuthorizationDetails_CL, and SentinelHealth table ingestion via the Codeless Connector Framework.\nAffected Files Tools/Solutions Analyzer/asim_parsers.csv Tools/Solutions Analyzer/asim_parsers_unmatched_report.csv Tools/Solutions Analyzer/connector_table_ingestion.csv Tools/Solutions Analyzer/connectors.csv Tools/Solutions Analyzer/content_items.csv Tools/Solutions Analyzer/content_tables_mapping.csv Tools/Solutions Analyzer/filter_fields_findings.md Tools/Solutions Analyzer/parsers.csv Tools/Solutions Analyzer/playbook_connectors.csv Tools/Solutions Analyzer/solution_analyzer_overrides.csv Tools/Solutions Analyzer/solution_dependencies.csv Tools/Solutions Analyzer/solutions.csv Tools/Solutions Analyzer/solutions_connectors_tables_issues_and_exceptions_report.csv Tools/Solutions Analyzer/solutions_connectors_tables_mapping.csv Tools/Solutions Analyzer/solutions_connectors_tables_mapping_simplified.csv Tools/Solutions Analyzer/table_schemas.csv Tools/Solutions Analyzer/tables.csv 
","permalink":"http://sentinelchangelog.net/posts/2026-06-05-pr-14395/","summary":"Tools fixes enable proper SAP solution marketplace tracking and make the SAPCC agentless connector visible to the Microsoft Sentinel Solutions Analyzer.","title":"SAP Solution: Analyzer Marketplace Visibility and Agentless Connector Discovery Fixed"},{"content":"What Changed The Lookout Mobile Risk API v2 CCF streaming connector had a critical data ingestion flaw where unique event identifiers were being silently dropped during ingestion. Live testing against the Lookout API revealed that every event returned by the streaming endpoint carries its unique identifier in the top-level oid field, not id. The CCF streamDeclarations did not declare oid, causing Azure Monitor’s ingestion pipeline to drop the identifier on every record.\nSecurity Impact (Visibility & Fidelity) Critical data loss affecting all event correlation: Deployments running Lookout Mobile Risk API v2 connector versions prior to 3.0.5 have had empty LookoutMtdV2_CL.id fields for every ingested record. 
This broke:\nAll downstream EventId-based correlation in analytic rules Hunting queries referencing event identifiers Workbook visualizations and threat tracking Incident investigation workflows requiring event correlation The fix preserves the existing id column contract while populating it with the correct Lookout event identifier via coalesce(tostring(id), tostring(oid)) in both the DCR transform and parser logic.\nAdditional Fixes Branding: Corrected “Azure Sentinel Solution” → “Microsoft Sentinel Solution” in workbook metadata Detection logic: Updated threat detection rule (LookoutThreatEventV2) to filter ThreatStatus in (\"OPEN\", \"ACTIVE\") and ThreatAction == \"DETECTED\" to suppress alerts on remediated incidents Packaging: Regenerated with supported V3 tooling for certification compliance Affected Files .script/tests/KqlvalidationsTests/CustomTables/LookoutMtdV2_CL.json Solutions/Lookout/Analytic Rules/LookoutThreatEventV2.yaml Solutions/Lookout/Data Connectors/LookoutStreamingConnector_ccp/LookoutStreaming_DCR.json Solutions/Lookout/Data Connectors/LookoutStreamingConnector_ccp/LookoutStreaming_Table.json Solutions/Lookout/Parsers/LookoutEvents.yaml Workbooks/WorkbooksMetadata.json (packaging artefacts: 3.0.5.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_Lookout.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-06-05-pr-14286/","summary":"Lookout Mobile Risk API v2 connector was silently dropping unique event identifiers (oid field), breaking all downstream correlation in detections and workbooks.","title":"Lookout Connector: Critical Data Loss Fix for Mobile Threat Event Identifiers"},{"content":"What Changed Updated both ASimNetworkSessionCheckPointFirewall and vimNetworkSessionCheckPointFirewall parsers to handle variations in the DeviceVendor field, fixing a parsing failure where logs 
containing “Check Point” (with space) were not being processed.\nParser Impact Changed DeviceVendor matching logic from exact string comparison to normalized comparison using replace_string(DeviceVendor, \" \", \"\") =~ \"CheckPoint\", allowing both “CheckPoint” and “Check Point” variations to be correctly parsed.\nThis addresses a data fidelity gap introduced in PR #12056 where logs with spaced vendor names were silently excluded from ASIM normalization. Affected deployments previously lost Check Point firewall network session visibility for logs using the spaced vendor format.\nNo change to normalized field names or filter logic beyond the vendor matching — safe for existing detections using this parser.\nSample data updated to include both vendor name formats for validation testing.\nAffected Files Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCheckPointFirewall/ASimNetworkSessionCheckPointFirewall.json Parsers/ASimNetworkSession/ARM/vimNetworkSessionCheckPointFirewall/vimNetworkSessionCheckPointFirewall.json Parsers/ASimNetworkSession/CHANGELOG/ASimNetworkSessionCheckPointFirewall.md Parsers/ASimNetworkSession/CHANGELOG/vimNetworkSessionCheckPointFirewall.md Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionCheckPointFirewall.yaml Parsers/ASimNetworkSession/Parsers/vimNetworkSessionCheckPointFirewall.yaml Sample Data/ASIM/Check Point_Firewall_NetworkSession_IngestedLogs.csv ","permalink":"http://sentinelchangelog.net/posts/2026-06-05-pr-13776/","summary":"Check Point firewall ASIM parser updated to handle both “Check Point” and “CheckPoint” DeviceVendor field values, fixing parsing failures introduced in PR #12056.","title":"Check Point ASIM NetworkSession Parser: DeviceVendor Field Matching Fix"},{"content":"What Changed Solution metadata for BitSight was updated to reflect correct provider 
attribution, changing the vendor designation from Microsoft Corporation to partner status.\nSecurity Impact (Visibility & Fidelity) This is a metadata-only change with no impact on data ingestion, detection capabilities, or operational functionality. The BitSight CCF connectors for Security Events and Security Statistics continue to operate unchanged.\nThe change updates the release date in ReleaseNotes.md from 25-05-2026 to 04-06-2026 to reflect the corrected provider information publication date, but no functional content has been modified.\nAffected Files (packaging artefacts: 3.2.0.zip, ReleaseNotes.md, SolutionMetadata.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-06-05-pr-14417/","summary":"BitSight solution metadata updated to reflect partner provider status, transitioning from Microsoft internal to external partner support.","title":"BitSight Solution: Provider Information Updated to Partner Status"},{"content":"What Changed The legacy Zoom data connector has been removed from the standalone DataConnectors/Zoom/ directory. All Azure Function App files (PowerShell scripts, ARM templates, Key Vault configuration, and deployment packages) have been deleted.\nSecurity Impact (Visibility & Fidelity) This is a housekeeping change with no impact on data ingestion. The Zoom connector functionality has been migrated to the Solutions framework under Solutions/ZoomReports/Data Connectors. 
Existing deployments using the Solutions-based connector are unaffected.\nUsers relying on the legacy standalone deployment method will need to migrate to the Solutions-based connector to continue receiving Zoom event data in Microsoft Sentinel.\nMigration Path Per the updated README, the connector is now available at: Solutions/ZoomReports/Data Connectors\nAffected Files DataConnectors/Zoom/ZoomLogs/function.json DataConnectors/Zoom/ZoomLogs/run.ps1 DataConnectors/Zoom/ZoomLogs/sample.dat DataConnectors/Zoom/azuredeploy.json DataConnectors/Zoom/azuredeploy_kv.json DataConnectors/Zoom/host.json DataConnectors/Zoom/profile.ps1 DataConnectors/Zoom/proxies.json DataConnectors/Zoom/readme.md DataConnectors/Zoom/requirements.psd1 (packaging artefacts: zoom_logs_template.zip, zoom_logs_templateV2.zip) ","permalink":"http://sentinelchangelog.net/posts/2026-06-05-pr-14416/","summary":"Legacy Zoom connector files removed from DataConnectors folder — connector has been migrated to Solutions/ZoomReports.","title":"Zoom Data Connector: Legacy Azure Function Files Removed from Standalone Location"},{"content":"What Changed Restructured Corelight workbooks and added new asset classification capabilities including a dedicated parser, workbook tab, and supporting infrastructure for enhanced network asset discovery and security monitoring.\nTechnical Details New asset classification parser: Added corelight_asset_classification.yaml for parsing device discovery data Workbook reorganization: Restructured dashboard layout with new Asset Classification tab in Data Explorer Enhanced device visibility: Classification covers device type, OS detection, brand/model identification, and confidence scoring Parser improvements: Updated corelight_conn and corelight_conn_agg parsers with boolean casting for local_orig/local_resp fields Asset Classification Features The new asset classification functionality provides:\nDevice fingerprinting: Automatic identification of device types (computer, 
laptop, etc.) OS detection: Operating system name and version identification Network mapping: MAC address and vendor correlation Confidence scoring: Reliability metrics for classification accuracy Multi-source correlation: Combines data from DHCP, HTTP, and other network sources This enhances network security monitoring by providing better asset inventory and device identification capabilities for threat hunting and incident response activities.\nAffected Files .script/tests/KqlvalidationsTests/CustomTables/Corelight_v2_asset_classification_CL.json Sample Data/Corelight/Corelight_v2_asset_classification_CL.json Solutions/Corelight/Package/testParameters.json Solutions/Corelight/Parsers/corelight_asset_classification.yaml Solutions/Corelight/Parsers/corelight_conn.yaml Solutions/Corelight/Parsers/corelight_conn_agg.yaml Solutions/Corelight/Workbooks/Corelight.json Solutions/Corelight/Workbooks/Corelight_AWS_VPC_Flow.json Solutions/Corelight/Workbooks/Corelight_Alert_Aggregations.json Solutions/Corelight/Workbooks/Corelight_Data_Explorer.json Solutions/Corelight/Workbooks/Corelight_Data_Insights.json Solutions/Corelight/Workbooks/Corelight_Operations.json Solutions/Corelight/Workbooks/Corelight_Security_Workflow.json Solutions/Corelight/Workbooks/Corelight_Sensor_Overview.json Workbooks/Images/Preview/CorelightDataInsightsBlack1.png Workbooks/Images/Preview/CorelightDataInsightsBlack2.png Workbooks/Images/Preview/CorelightDataInsightsBlack3.png Workbooks/Images/Preview/CorelightDataInsightsWhite1.png Workbooks/Images/Preview/CorelightDataInsightsWhite2.png Workbooks/Images/Preview/CorelightDataInsightsWhite3.png Workbooks/WorkbooksMetadata.json (packaging artefacts: 3.2.5.zip, ReleaseNotes.md, Solution_Corelight.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-06-05-pr-14275/","summary":"Corelight solution restructured workbooks and added asset classification functionality to improve network asset discovery and 
security monitoring capabilities.","title":"Corelight: Dashboard Restructure and New Asset Classification Tab for Enhanced Network Visibility"},{"content":"What Changed Major content update to Pathlock Threat Detection & Response solution adding 77 new Analytic Rules targeting comprehensive SAP security monitoring. Each rule queries the Pathlock_TDnR_CL table with appropriate MITRE ATT&CK mappings and entity extraction.\nDetection Logic The new rules cover critical SAP security domains:\nABAP & Development Security:\nSource code changes, runtime dumps, function module testing Transport logs, table utilities, missing OSS security notes Identity & Access Management:\nUser master changes, role modifications, authorization changes Login monitoring, profile changes, authentication buffers User roles and privilege escalations Financial & Business Process Security:\nChange documents for banking data (IBAN, credit cards, vendor masters) Payment requests, business partner financial data HR personnel data changes System & Infrastructure Security:\nClient changes, system configuration modifications Gateway logs, HTTP security logs, ICF changes Database parameter changes, file checksum monitoring Audit & Compliance:\nSecurity audit logs (on-premise and cloud) SACF authorization framework changes System jobs and batch processing monitoring MITRE Mapping Rules include comprehensive MITRE ATT&CK coverage including T1078 (Valid Accounts), T1098 (Account Manipulation), T1505 (Server Software Component), T1562 (Impair Defenses), T1134 (Access Token Manipulation), and T1190 (Exploit Public-Facing Application).\nTechnical Details Entity mapping: Account (SAP username), Host (SAP system), IP address extraction Data source: All rules query Pathlock_TDnR_CL custom table Field normalization: Updated from UPPER_SNAKE_CASE to camelCase schema Connector updates: Fixed dataTypes declaration and updated detection counts 
(1,500 → 4,000+) Incident configuration: 5-hour grouping with single alert aggregation Affected Files .script/tests/KqlvalidationsTests/CustomTables/Pathlock_TDnR_CL.json .script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_ABAP_CHANGES.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_ABAP_DUMPS.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_AUTH_CHANGES.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_BATCH_JOBS.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_CHANGEDOC_BANK.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_CHANGEDOC_BUPA_BANK.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_CHANGEDOC_CCARD.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_CHANGEDOC_DEBI.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_CHANGEDOC_GENERIC.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_CHANGEDOC_GRAC.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_CHANGEDOC_IBAN.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_CHANGEDOC_KERBEROS.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_CHANGEDOC_KRED.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_CHANGEDOC_PAYRQ.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_CHANGEDOC_SACH.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_CHANGEDOC_SECURITY_P.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_CHANGEDOC_USER_CUA.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_CHANGEDOC_USOBT_C.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_CHANGEDOC_USOBX_C.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_CLIENT_CHANGES.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_CLOUD_ACCOUNT_LOGS.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_CLOUD_FOUNDRY_LOGS.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_DBACOCKPIT.yaml Solutions/Pathlock_TDnR/Analytic 
Rules/Pathlock_TDnR_FILE_CHECKSUM.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_FUNCTION_MODULE_TEST.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_GATEWAY_LOG.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_HANA_AUDIT_TRAIL.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_HANA_DBCON_CONNECT.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_HANA_PARAM_CHANGED.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_HR_PA_CHANGELOG.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_HTTP_LOG.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_ICF_CHANGES.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_ICM_SECURITY_LOG.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_INTERNAL.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_J2EE_SECURITY_LOG.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_J2EE_SEC_AUD_LOG.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_MISSING_OSS_NOTES.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_OS_CMD_CHANGES.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_OUTBOUND_SMTP_MAIL.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_PATHLOCK_DAC.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_PROFILE_CHANGES.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_PSE_CHANGES.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_RAL_AUDIT.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_RAL_DATA.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_RFC_DESTINATIONS.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_ROLE_CHANGES.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_SACF_CHANGES_DESIGN.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_SACF_CHANGES_RUNTIME.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_SAPROUTER.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_SAST_AT.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_SAST_DO.yaml 
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_SAST_RT.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_SAST_UAM_PWR.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_SCC_LOGS.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_SE16N_CHANGEDOCS.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_SECURITY_AUDIT_LOG.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_SEC_AUDIT_LOG_CLOUD.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_SLG1_LDAPSYNC.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_SLG1_ODATA.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_SPOOL_OUTPUT_REQUEST.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_SPOOL_REQUEST.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_SU24_CHANGELOG.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_SYSLOG.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_SYSPROFILE_CHANGES.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_SYSTEM_CHANGELOG.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_SYSTEM_JOBS.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_TABLE_CHANGES.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_TABLE_SETTINGS.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_TABLE_UTILITY.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_TCODE_STATISTIC.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_TRANSPORT_LOG.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_USER_AUTH_BUFFER.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_USER_LOGINS.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_USER_MASTER_CHANGES.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_USER_PROFILES.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_USER_ROLES.yaml Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_WD_HTTP_LOG.yaml Solutions/Pathlock_TDnR/Data Connectors/Pathlock_TDnR_PUSH_CCP/Pathlock_TDnR_CL.json Solutions/Pathlock_TDnR/Data 
Connectors/Pathlock_TDnR_PUSH_CCP/Pathlock_TDnR_DCR.json Solutions/Pathlock_TDnR/Data Connectors/Pathlock_TDnR_PUSH_CCP/Pathlock_TDnR_connectorDefinition.json (packaging artefacts: 3.0.1.zip, ReleaseNotes.md, Solution_Pathlock_TDnR.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-06-05-pr-14265/","summary":"Pathlock Threat Detection & Response adds 77 comprehensive SAP security analytic rules covering ABAP changes, user activities, system modifications, and financial data access.","title":"Pathlock TD&R: Major Detection Coverage Expansion with 77 New SAP-Focused Analytic Rules"},{"content":"What Changed Major update to CyberArk EPM (Endpoint Privilege Management) solution migrating from the deprecated Log Analytics API to Data Collection Rules (DCR) and implementing OAuth 2.0 authentication for EPM API access.\nSecurity Impact (Visibility & Fidelity) Critical infrastructure update: The Log Analytics API deprecation would have caused complete data ingestion failure for CyberArk EPM deployments. 
This update prevents a future blind spot by:\nMigrating to DCR-based ingestion to maintain privileged access monitoring visibility Implementing OAuth 2.0 authentication for secure EPM API connections Preserving endpoint privilege escalation detection capabilities The connector continues to ingest:\nAggregated events: Summary-level endpoint privilege activities Raw event details: Full forensic context for privilege escalations Policy audits: Privileged access policy violations and changes Policy audit raw events: Detailed compliance and violation data Technical Details New ingestion method: Replaced Log Analytics API with DCR/DCE architecture Authentication upgrade: OAuth 2.0 client credentials flow replaces legacy authentication Data structure: Maintains existing CyberArkEPM_Events_CL table schema for backward compatibility Function App improvements: Enhanced error handling with retry logic for 403/429 status codes Parser updates: Updated KQL parser logic to accommodate new data flow patterns Hunting queries: Refreshed to work with DCR-ingested data CyberArk EPM provides critical visibility into endpoint privilege escalation activities and policy violations - essential for detecting lateral movement and privilege abuse in MITRE ATT&CK techniques like T1078 (Valid Accounts) and T1134 (Access Token Manipulation).\nAffected Files .script/tests/KqlvalidationsTests/CustomTables/CyberArkEPM_Events_CL.json Solutions/CyberArkEPM/Data Connectors/CyberArkEPMSentinelConnector/TODO Solutions/CyberArkEPM/Data Connectors/CyberArkEPMSentinelConnector/__init__.py Solutions/CyberArkEPM/Data Connectors/CyberArkEPMSentinelConnector/epm.py Solutions/CyberArkEPM/Data Connectors/CyberArkEPMSentinelConnector/exporter.py Solutions/CyberArkEPM/Data Connectors/CyberArkEPMSentinelConnector/function.json Solutions/CyberArkEPM/Data Connectors/CyberArkEPMSentinelConnector/main.py Solutions/CyberArkEPM/Data Connectors/CyberArkEPMSentinelConnector/storage.py Solutions/CyberArkEPM/Data 
Connectors/CyberArkEPM_API_FunctionApp.json Solutions/CyberArkEPM/Data Connectors/azuredeploy_Connector_CyberArkEPM_API_AzureFunction.json Solutions/CyberArkEPM/Data Connectors/host.json Solutions/CyberArkEPM/Data Connectors/proxies.json Solutions/CyberArkEPM/Data Connectors/requirements.txt Solutions/CyberArkEPM/DataConnectors/CyberArkEPMSentinelConnector/__init__.py Solutions/CyberArkEPM/DataConnectors/CyberArkEPMSentinelConnector/pyepm.py Solutions/CyberArkEPM/DataConnectors/CyberArkEPMSentinelConnector/state_manager.py Solutions/CyberArkEPM/DataConnectors/azuredeploy_Connector_CyberArkEPM_API_AzureFunction.json Solutions/CyberArkEPM/Hunting Queries/CyberArkEPMRareProcVendors.yaml Solutions/CyberArkEPM/Hunting Queries/CyberArkEPMScriptsExecuted.yaml Solutions/CyberArkEPM/Package/testParameters.json Solutions/CyberArkEPM/Parsers/CyberArkEPM.yaml Solutions/CyberArkEPM/Workbooks/CyberArkEPM.json (packaging artefacts: 3.1.0.zip, CyberArkEPMSentinelConn.zip, ReleaseNotes.md, Solution_CyberArkEPM.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-06-05-pr-14181/","summary":"CyberArk EPM connector updated to use DCR ingestion and OAuth authentication, addressing deprecation of Log Analytics API and improving security.","title":"CyberArk EPM: Migration to DCR and OAuth Authentication Replaces Deprecated Log Analytics API"},{"content":"What Changed Modified the BeyondTrust PM Cloud Function App data connector to implement per-page transmission to Microsoft Sentinel instead of accumulating all pages in memory before sending. The fix affects both Activity Audits and Client Events functions.\nSecurity Impact (Visibility & Fidelity) Customer-reported production issue: Timer functions were hanging when processing large event backlogs, causing complete data ingestion failure for affected deployments. 
Customers experienced:\nNo Activity Audit data ingestion during high-volume periods No Client Events data ingestion when processing event backlogs Function App timeouts preventing any security monitoring data from reaching Sentinel The fix implements proper checkpointing after each page transmission, ensuring progress survives host timeouts and large datasets are processed incrementally rather than failing entirely.\nTechnical Details Memory optimization: Eliminates accumulation of entire result sets in memory before transmission Improved batching: Serializes log records individually so the Logs Ingestion SDK can batch sub-1MB requests correctly Progress persistence: Checkpoints state after each successful page transmission to survive Azure Function timeouts Live cursor tracking: Prevents duplicate record transmission across pages within the same invocation This addresses both the ActivityAuditsFunction.cs and ClientEventsFunction.cs components that ingest administrative audit trails and endpoint security events respectively.\nAffected Files Solutions/BeyondTrustPMCloud/Data Connectors/AzureFunctionBeyondTrustPMCloud/Functions/ActivityAuditsFunction.cs Solutions/BeyondTrustPMCloud/Data Connectors/AzureFunctionBeyondTrustPMCloud/Functions/ClientEventsFunction.cs (packaging artefacts: BeyondTrustPMCloudFunctions.zip) ","permalink":"http://sentinelchangelog.net/posts/2026-06-05-pr-14386/","summary":"Critical fix prevents BeyondTrust PM Cloud Function App timer functions from hanging when processing large event backlogs, restoring data ingestion reliability.","title":"BeyondTrust PM Cloud: Function App Reliability Fix Prevents Timeout on Large Event Backlogs"},{"content":"What Changed Added a new Azure Storage-based CCF connector for GitHub Enterprise audit logs alongside the existing API-based connector. 
The new connector leverages GitHub’s audit log streaming to Azure Blob Storage with Event Grid notifications for near real-time ingestion.\nSecurity Impact (Visibility & Fidelity) The existing GitHub Enterprise Audit Log CCF connector experiences rate limiting when polling the GitHub API directly, potentially causing gaps in audit log ingestion during high-activity periods. This Azure Storage-based connector addresses that blind spot by:\nEliminating API rate limits: GitHub streams audit logs directly to blob storage, bypassing API throttling Near real-time ingestion: Event Grid notifications trigger ingestion within 5 minutes of log availability Higher throughput: Supports enterprise environments with heavy GitHub activity without data loss Same data fidelity: Uses identical table schema (GitHubAuditLogsV2_CL) ensuring compatibility with existing detections Ingestion Mechanism Data Collection Rule (DCR): Custom stream Custom-GitHubAuditLogs with comprehensive field mapping Event Grid integration: Monitors blob-created notifications in storage containers Azure Storage requirements: Requires Data Lake Storage Gen2 with hierarchical namespace Authentication: Uses Microsoft’s ScubaSentinelToStorageProd enterprise application with Storage Blob Data Reader and Storage Queue Data Contributor roles Deployment Considerations Requires specific Azure RBAC permissions and Event Grid resource provider registration. 
Network restrictions via IP ranges are not supported due to Azure Storage limitations - requires either open network access or Network Security Perimeter configuration.\nAffected Files Solutions/GitHub/Data Connectors/GitHubAuditLogs_AzStorage/ConnectorDefinition.json Solutions/GitHub/Data Connectors/GitHubAuditLogs_AzStorage/DCR.json Solutions/GitHub/Data Connectors/GitHubAuditLogs_AzStorage/PollingConfig.json Solutions/GitHub/Data Connectors/GitHubAuditLogs_AzStorage/table_GitHubAuditLogsV2.json (packaging artefacts: 3.3.0.zip, ReleaseNotes.md, Solution_GitHub.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-06-04-pr-14408/","summary":"New Azure Storage-based GitHub Enterprise audit log connector overcomes CCF API rate limitations through Event Grid blob notifications.","title":"GitHub Audit Log Connector: Azure Storage Integration Addresses API Rate Limits"},{"content":"What Changed New solution for Filewall (ODI-X) integrating Microsoft 365 data exfiltration protection across Exchange, SharePoint, OneDrive, and Teams. Includes complete CCF connector infrastructure, parsers, detections, and operational workbook.\nData Source Filewall for Microsoft 365 provides email and file security monitoring across the Microsoft 365 ecosystem. 
The solution targets data exfiltration attempts through email attachments and file sharing activities.\nIngestion Mechanism CCF-based connector with DCR ingestion into two custom tables:\nFilewallExchange_CL — Exchange email events and attachment blocking FilewallFile_CL — SharePoint/OneDrive/Teams file events Four polling connections target different Microsoft 365 services using the Filewall API endpoint.\nDetection Coverage Two high-severity analytic rules provide immediate alerting:\nBlocked Emails — Detects emails blocked by Filewall with T1048 (Exfiltration Over Alternative Protocol) mapping Blocked Files — Identifies files blocked across SharePoint/OneDrive/Teams with T1048 mapping Both rules use 5-minute frequency with immediate incident creation and entity mapping for Account, MailMessage, and File entities.\nParser Impact Two KQL workspace functions normalize Filewall events into standardized schema:\nFilewallM365ExchangeEvent() — Normalizes exchange events with email metadata, policy details, and threat indicators FilewallM365FileEvent() — Normalizes file events with hash values, path information, and actor details Both parsers map status values to EventType/EventResult and include comprehensive entity extraction for correlation.\nMITRE Coverage T1048 (Exfiltration Over Alternative Protocol) — Detections target data exfiltration attempts through email attachments and file sharing mechanisms across Microsoft 365 services.\nAffected Files .script/tests/KqlvalidationsTests/CustomFunctions/FilewallM365ExchangeEvent.json .script/tests/KqlvalidationsTests/CustomFunctions/FilewallM365FileEvent.json .script/tests/KqlvalidationsTests/CustomTables/FilewallExchange_CL.json .script/tests/KqlvalidationsTests/CustomTables/FilewallFile_CL.json .script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json Logos/filewall-logo.svg Solutions/Filewall for Microsoft 365/Analytic Rules/BlockedEmails.yaml Solutions/Filewall for Microsoft 365/Analytic 
Rules/BlockedFiles.yaml Solutions/Filewall for Microsoft 365/Data Connectors/FilewallM365Logs_CCP/FilewallM365_ConnectorDefinition.json Solutions/Filewall for Microsoft 365/Data Connectors/FilewallM365Logs_CCP/FilewallM365_DCR.json Solutions/Filewall for Microsoft 365/Data Connectors/FilewallM365Logs_CCP/FilewallM365_PollingConfig.json Solutions/Filewall for Microsoft 365/Data Connectors/FilewallM365Logs_CCP/FilewallM365_Table.json Solutions/Filewall for Microsoft 365/Package/testParameters.json Solutions/Filewall for Microsoft 365/Parsers/FilewallM365ExchangeEvent.yaml Solutions/Filewall for Microsoft 365/Parsers/FilewallM365FileEvent.yaml Solutions/Filewall for Microsoft 365/Workbooks/FilewallM365Overview.json Solutions/Filewall for Microsoft 365/Workbooks/Images/Logos/filewall-logo.svg Solutions/Filewall for Microsoft 365/Workbooks/Images/Preview/FilewallM365OverviewBlack.png Solutions/Filewall for Microsoft 365/Workbooks/Images/Preview/FilewallM365OverviewWhite.png Workbooks/FilewallM365Overview.json Workbooks/Images/Logos/filewall-logo.svg Workbooks/Images/Preview/FilewallM365OverviewBlack.png Workbooks/Images/Preview/FilewallM365OverviewWhite.png Workbooks/WorkbooksMetadata.json (packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_FilewallM365.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-06-04-pr-13449/","summary":"Complete CCF-based solution delivers real-time monitoring of blocked emails and files across Microsoft 365 services with immediate threat alerting.","title":"Filewall for Microsoft 365: New Solution Adds Data Exfiltration Detection for Exchange and Files"},{"content":"What Changed BitSight solution metadata was updated to change the support tier from \u0026ldquo;Microsoft\u0026rdquo; to \u0026ldquo;Partner\u0026rdquo;. 
The version was also downgraded from 4.0.0 to 3.2.0 to reflect this support tier change.\nSecurity Impact (Metadata & Support) This is a packaging and metadata change only — no functional impact to data ingestion or detection capabilities. Existing deployments will continue to function normally. The change affects only the support routing for customer inquiries regarding the BitSight solution.\nAffected Files (packaging artefacts: 3.2.0.zip, 4.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_BitSight.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-06-03-pr-14397/","summary":"BitSight solution support tier updated from Microsoft to Partner with version downgrade to 3.2.0.","title":"BitSight Solution: Support Tier Changed to Partner"},{"content":"What Changed Agent 365 solution version 3.1.0 adds the Microsoft Agent Identities data connector as Public Preview. This expands the solution from a single connector to bundling two distinct data sources under the Agent 365 umbrella.\nData Source Microsoft Agent Identities connector ingests Entra non-human identity (NHI) asset data into Microsoft Sentinel. The connector focuses on agent identity management, blueprint tracking, and ownership correlation across enterprise environments.\nIngestion Mechanism The connector uses type “EntraNHIAssets” with Microsoft-managed ingestion requiring GlobalAdmin or SecurityAdmin permissions. 
Data flows into four distinct tables:\nEntraAgentIdentities — core agent identity records EntraAgentIdentityBlueprintPrincipals — blueprint-to-principal mappings EntraAgentIdentityBlueprints — agent blueprint definitions EntraAgentUsers — associated user identity context Detection Surface Unlocked This data source enables correlation of agent identity activity with security events, providing visibility into:\nNon-human identity privilege escalation and lateral movement patterns Agent blueprint misuse or unauthorized modifications Identity governance gaps in automated service accounts Asset ownership tracking for incident response attribution No bundled detections are included with the initial Public Preview release.\nAffected Files Solutions/Agent 365/Data Connectors/EntraNHIAssets_DataConnectorDefinition.json (packaging artefacts: 3.1.0.zip, ReleaseNotes.md, Solution_A365.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-06-03-pr-14326/","summary":"Agent 365 solution adds new Microsoft Agent Identities connector for tracking agent blueprints and non-human identity assets across four data tables.","title":"Microsoft Agent Identities Connector: New Entra Non-Human Identity Asset Visibility (Preview)"},{"content":"What Changed ASIM Authentication parsers for Palo Alto PAN-OS and GlobalProtect corrected the mapping of the DvcIpAddr field from Computer hostname to DeviceAddress IP address.\nParser Impact Field mapping corrected: DvcIpAddr now uses DeviceAddress instead of Computer hostname Affected parsers: ASimAuthenticationPaloAltoPanOS and ASimAuthenticationPaloAltoGlobalProtect (both standard and filtering variants) Data fidelity fix: Queries referencing DvcIpAddr against these parsers previously received hostname values instead of IP addresses — this corrects the field semantics to match ASIM schema expectations The change affects the device IP address field normalization in authentication events from Palo 
Alto firewalls and GlobalProtect VPN connections. Existing detections using DvcIpAddr will now receive proper IP address values instead of hostnames.\nAffected Files Parsers/ASimAuthentication/ARM/ASimAuthenticationPaloAltoGlobalProtect/ASimAuthenticationPaloAltoGlobalProtect.json Parsers/ASimAuthentication/ARM/ASimAuthenticationPaloAltoPanOS/ASimAuthenticationPaloAltoPanOS.json Parsers/ASimAuthentication/ARM/vimAuthenticationPaloAltoGlobalProtect/vimAuthenticationPaloAltoGlobalProtect.json Parsers/ASimAuthentication/ARM/vimAuthenticationPaloAltoPanOS/vimAuthenticationPaloAltoPanOS.json Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationPaloAltoGlobalProtect.md Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationPaloAltoPanOS.md Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationPaloAltoGlobalProtect.md Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationPaloAltoPanOS.md Parsers/ASimAuthentication/Parsers/ASimAuthenticationPaloAltoGlobalProtect.yaml Parsers/ASimAuthentication/Parsers/ASimAuthenticationPaloAltoPanOS.yaml Parsers/ASimAuthentication/Parsers/vimAuthenticationPaloAltoGlobalProtect.yaml Parsers/ASimAuthentication/Parsers/vimAuthenticationPaloAltoPanOS.yaml ","permalink":"http://sentinelchangelog.net/posts/2026-06-02-pr-14396/","summary":"ASIM Authentication parsers for Palo Alto PAN-OS and GlobalProtect now correctly populate DvcIpAddr field, fixing data fidelity gap.","title":"ASIM Authentication Parsers: Palo Alto Data Fidelity Fix for DvcIpAddr Field"},{"content":"What Changed Cisco Umbrella solution v3.1.0 introduces a new CCF-based data connector alongside the existing Function App connector, expanding log ingestion from 4 legacy tables to 14 comprehensive data sources. 
The parser has been updated to union both legacy and new table formats for backward compatibility.\nNew Data Sources Unlocked The CCF connector adds 10 new log tables with granular visibility:\nNetwork Security:\nCiscoUmbrellaCloudFirewall_CL: Network traffic, firewall rules, and connection metadata CiscoUmbrellaIPS_CL: Intrusion prevention system events and threat signatures CiscoUmbrellaRemoteAccessVPN_CL: VPN session logs and remote access patterns DNS and Web Traffic:\nCiscoUmbrellaDNS_CL: Enhanced DNS query logging with policy enforcement details CiscoUmbrellaWebTraffic_CL: HTTP/HTTPS traffic analysis with content inspection results Zero Trust and Access Control:\nCiscoUmbrellaZeroTrustAccess_CL: Zero Trust Network Access (ZTNA) policy decisions CiscoUmbrellaZeroTrustAccessFlow_CL: ZTNA traffic flow analysis CiscoUmbrellaAdminAudit_CL: Administrative actions and configuration changes Data Protection:\nCiscoUmbrellaDLP_CL: Data Loss Prevention policy violations and content analysis CiscoUmbrellaFileEvent_CL: File upload/download events and malware analysis results Security Impact (Visibility & Fidelity) This expansion significantly reduces detection blind spots:\nAdministrative Oversight: Admin audit logs now capture configuration changes, user management, and policy modifications that were previously invisible Network Lateral Movement: Cloud firewall and IPS logs provide visibility into internal traffic patterns and intrusion attempts Data Exfiltration: DLP and file event logs enable detection of sensitive data movement and unauthorized file transfers Zero Trust Violations: ZTNA access logs reveal policy bypasses and suspicious access patterns Enhanced DNS Analysis: New DNS table provides richer context than legacy format, including policy enforcement details and identity mapping Parser Compatibility The updated parser maintains backward compatibility by using union isfuzzy=true to combine:\nLegacy tables: Cisco_Umbrella_dns_CL, 
Cisco_Umbrella_proxy_CL, etc. New CCF tables: CiscoUmbrellaDNS_CL, CiscoUmbrellaWebTraffic_CL, etc. Field mappings have been standardized to use proper data types (todatetime(), tostring(), toreal()) rather than generic column_ifexists() calls, improving query reliability and performance.\nDeployment Considerations This is a Public Preview release requiring explicit enablement. Organizations can deploy the CCF connector alongside existing Function App connectors without disruption. The parser automatically handles data from both sources, enabling gradual migration strategies.\nAffected Files .script/tests/KqlvalidationsTests/CustomTables/CiscoUmbrellaAdminAudit_CL.json .script/tests/KqlvalidationsTests/CustomTables/CiscoUmbrellaCloudFirewall_CL.json .script/tests/KqlvalidationsTests/CustomTables/CiscoUmbrellaDLP_CL.json .script/tests/KqlvalidationsTests/CustomTables/CiscoUmbrellaDNS_CL.json .script/tests/KqlvalidationsTests/CustomTables/CiscoUmbrellaFileEvent_CL.json .script/tests/KqlvalidationsTests/CustomTables/CiscoUmbrellaIPS_CL.json .script/tests/KqlvalidationsTests/CustomTables/CiscoUmbrellaRemoteAccessVPN_CL.json .script/tests/KqlvalidationsTests/CustomTables/CiscoUmbrellaWebTraffic_CL.json .script/tests/KqlvalidationsTests/CustomTables/CiscoUmbrellaZeroTrustAccessFlow_CL.json .script/tests/KqlvalidationsTests/CustomTables/CiscoUmbrellaZeroTrustAccess_CL.json Solutions/CiscoUmbrella/Data Connectors/CiscoUmbrella_CCP/CiscoUmbrellaAdminAudit_table.json Solutions/CiscoUmbrella/Data Connectors/CiscoUmbrella_CCP/CiscoUmbrellaCloudFirewall_table.json Solutions/CiscoUmbrella/Data Connectors/CiscoUmbrella_CCP/CiscoUmbrellaDLP_table.json Solutions/CiscoUmbrella/Data Connectors/CiscoUmbrella_CCP/CiscoUmbrellaDNS_table.json Solutions/CiscoUmbrella/Data Connectors/CiscoUmbrella_CCP/CiscoUmbrellaFileEvent_table.json Solutions/CiscoUmbrella/Data Connectors/CiscoUmbrella_CCP/CiscoUmbrellaIPS_table.json Solutions/CiscoUmbrella/Data 
Connectors/CiscoUmbrella_CCP/CiscoUmbrellaRemoteAccessVPN_table.json Solutions/CiscoUmbrella/Data Connectors/CiscoUmbrella_CCP/CiscoUmbrellaWebTraffic_table.json Solutions/CiscoUmbrella/Data Connectors/CiscoUmbrella_CCP/CiscoUmbrellaZeroTrustAccessFlow_table.json Solutions/CiscoUmbrella/Data Connectors/CiscoUmbrella_CCP/CiscoUmbrellaZeroTrustAccess_table.json Solutions/CiscoUmbrella/Data Connectors/CiscoUmbrella_CCP/CiscoUmbrella_DCR.json Solutions/CiscoUmbrella/Data Connectors/CiscoUmbrella_CCP/CiscoUmbrella_DataConnectorDefinition.json Solutions/CiscoUmbrella/Data Connectors/CiscoUmbrella_CCP/CiscoUmbrella_PollingConfig.json Solutions/CiscoUmbrella/Package/testParameters.json Solutions/CiscoUmbrella/Parsers/Cisco_Umbrella.yaml (packaging artefacts: 3.1.0.zip, ReleaseNotes.md, Solution_CiscoUmbrella.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-06-01-pr-14378/","summary":"New Codeless Connector Framework introduces comprehensive log coverage across DNS, web traffic, cloud firewall, admin audit, DLP, file events, IPS, VPN and Zero Trust access for enhanced threat detection.","title":"Cisco Umbrella CCF: Public Preview Expands Data Visibility with 10 New Log Tables"},{"content":"What Changed Added explicit IAM permissions guidance to the Oracle Cloud Infrastructure CCF connector UI prerequisites. The connector now clarifies that API signing keys provide authentication only, and users must configure separate OCI IAM policies for data stream consumption authorization.\nSecurity Impact (Visibility & Fidelity) This documentation enhancement addresses a configuration gap where users might assume API signing keys provide full access permissions. 
The new guidance prevents connector deployment failures and ensures proper least-privilege access controls are configured in OCI:\nRequired IAM policy: Allow group placeholder-group-name to use stream-pull in compartment placeholder-compartment-name Authentication vs Authorization: API signing key handles authentication; IAM policy controls resource access Configuration clarity: Users now understand both authentication and authorization requirements before deployment No impact on data ingestion quality or detection capability — this is a user experience improvement to prevent misconfigured connector deployments.\nAffected Files Solutions/Oracle Cloud Infrastructure/Data Connectors/Oracle_Cloud_Infrastructure_CCP/OCI_DataConnector_DataConnectorDefinition.json (packaging artefacts: 3.0.10.zip, ReleaseNotes.md, Solution_OCILogs.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-06-01-pr-14347/","summary":"OCI connector UI updated with explicit IAM policy requirements for stream consumption authorization alongside API signing key authentication.","title":"Oracle Cloud Infrastructure CCF Connector: IAM Permissions Guidance Added"},{"content":"What Changed Content Doctor recommendations applied across 9 analytic rules, 10 hunting queries, and the solution workbook. 
All detection logic received substantial improvements including enhanced KQL queries, custom alert details, and refined entity mappings.\nDetection Logic Primary data source: SlackAudit table\nCore improvements across all rules:\nAdded alertDetailsOverride sections with dynamic alert titles and descriptions Introduced customDetails for enriched context (user names, IP addresses, file details, action types) Enhanced entity mappings with cleaner field structures Improved KQL logic with better data type handling and filtering Key logic enhancements:\nSlackAuditSensitiveFile: Added watchlist integration for AllowedFiles/AllowedUsers, expanded sensitive file detection patterns SlackAuditMultipleFailedLoginsForUser: Refined failed login thresholds and time bucketing SlackAuditMultipleArchivedFilesUploadedInShortTimePeriod: Improved file extension detection with case-insensitive matching SlackAuditSuspiciousFileDownloaded: Enhanced file extension regex patterns for better accuracy Hunting queries upgraded: All 10 queries received description improvements, enhanced tactics/techniques mapping, and refined KQL logic for better threat hunting coverage.\nMITRE Mapping Expanded MITRE ATT&CK coverage includes:\nT1567.002 (Exfiltration to Cloud Storage) added to sensitive file public link detection T1071.001 (Application Layer Protocol: Web Protocols) added to unknown user agent detection T1078.004 (Valid Accounts: Cloud Accounts) added to post-deactivation login detection T1098.003 (Account Manipulation: Additional Cloud Roles) added to multiple hunting queries All technique mappings extracted from YAML relevantTechniques fields confirm comprehensive workspace security coverage.\nAffected Files Solutions/SlackAudit/Analytic Rules/SlackAuditEmptyUA.yaml Solutions/SlackAudit/Analytic Rules/SlackAuditMultipleArchivedFilesUploadedInShortTimePeriod.yaml Solutions/SlackAudit/Analytic Rules/SlackAuditMultipleFailedLoginsForUser.yaml Solutions/SlackAudit/Analytic 
Rules/SlackAuditSensitiveFile.yaml Solutions/SlackAudit/Analytic Rules/SlackAuditSuspiciousFileDownloaded.yaml Solutions/SlackAudit/Analytic Rules/SlackAuditUnknownUA.yaml Solutions/SlackAudit/Analytic Rules/SlackAuditUserChangedToAdminOrOwner.yaml Solutions/SlackAudit/Analytic Rules/SlackAuditUserEmailChanged.yaml Solutions/SlackAudit/Analytic Rules/SlackAuditUserLoginAfterDeactivated.yaml Solutions/SlackAudit/Hunting Queries/SlackAuditApplicationsInstalled.yaml Solutions/SlackAudit/Hunting Queries/SlackAuditDeactivatedUsers.yaml Solutions/SlackAudit/Hunting Queries/SlackAuditDownloadedFilesByUser.yaml Solutions/SlackAudit/Hunting Queries/SlackAuditFailedLoginsUnknownUsername.yaml Solutions/SlackAudit/Hunting Queries/SlackAuditNewUsers.yaml Solutions/SlackAudit/Hunting Queries/SlackAuditSuspiciousFilesDownloaded.yaml Solutions/SlackAudit/Hunting Queries/SlackAuditUploadedFilesByUser.yaml Solutions/SlackAudit/Hunting Queries/SlackAuditUserLoginsByIP.yaml Solutions/SlackAudit/Hunting Queries/SlackAuditUserPermissionsChanged.yaml Solutions/SlackAudit/Hunting Queries/SlackAuditUsersJoinedChannelsWithoutInvites.yaml Solutions/SlackAudit/Workbooks/SlackAudit.json (packaging artefacts: 3.0.6.zip, ReleaseNotes.md, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-06-01-pr-14245/","summary":"Slack Audit analytic rules, hunting queries, and workbook upgraded with improved KQL logic, custom alert details, and enhanced entity mappings for stronger workspace monitoring.","title":"Slack Audit Solution: Enhanced Detection Logic and Alert Enrichment"},{"content":"What Changed New GitHub Copilot agent skills provide an automated workflow for creating, validating, deploying, and packaging ASIM parsers. 
Eight specialized skills guide developers through the complete parser lifecycle — from requirements gathering to production deployment.\nDetection Engineering Impact ASIM parser creation previously required extensive KQL expertise and manual validation cycles. This automation addresses the primary bottleneck in expanding Sentinel normalization coverage — the technical barrier to creating schema-compliant parsers.\nDevelopment workflow acceleration:\nAutomated source table sampling and schema mapping Built-in validation against ASIM schema requirements using ASimSchemaTester and ASimDataTester Guided parameter implementation for filtering optimization Direct deployment to Log Analytics workspaces Quality assurance integration:\nAutomatic schema compliance validation before deployment Iterative refinement cycles for error resolution Performance optimization guidance (recommends split over regex parsing) Standardized file naming conventions (ASim<Schema><Vendor><Product>.kql) Skills Available Skill Purpose Production Impact asim-parser-creator-orchestrator End-to-end workflow coordination Reduces parser creation time by 80% asim-parser-create-parser Generates parameter-less parsers Ensures mandatory field mapping compliance asim-parser-create-parameter-parser Adds filtering parameters Improves query performance through early filtering asim-parser-validator Schema and data validation Prevents deployment of non-compliant parsers asim-parser-la-deployer Direct workspace deployment Eliminates manual deployment errors asim-parser-github-pr-packager Automated PR creation Streamlines contribution workflow Security Operations Value Expanding ASIM coverage enables source-agnostic detection rules, reducing blind spots across heterogeneous security tool environments. 
The skills specifically target the technical expertise gap that has limited ASIM adoption for custom data sources.\nDetection engineering teams can now:\nRapidly normalize custom log sources without deep KQL expertise Validate parser output against schema requirements before production use Deploy parsers directly to test environments for validation Package contributions back to the community repository The automation maintains security best practices — credentials are never exposed to Copilot Chat, and validation cycles prevent deployment of broken or incomplete parsers.\nAffected Files .github/skills/asim-parser-create-parameter-parser/SKILL.md .github/skills/asim-parser-create-parser/SKILL.md .github/skills/asim-parser-creator-orchestrator/SKILL.md .github/skills/asim-parser-github-pr-packager/SKILL.md .github/skills/asim-parser-la-deployer/SKILL.md .github/skills/asim-parser-user-prompter/SKILL.md .github/skills/asim-parser-validator/SKILL.md .github/skills/log-analytics-workspace-queryer/SKILL.md ASIM/README.md ASIM/tools/ASIMParserCreation-Agentic/README.md ","permalink":"http://sentinelchangelog.net/posts/2026-05-29-pr-14383/","summary":"GitHub Copilot agent skills now automate the complete ASIM parser creation workflow, reducing parser development time from days to hours for security engineers.","title":"ASIM Parser Development Automation: GitHub Copilot Skills for Accelerated Detection Engineering"},{"content":"What Changed Complete solution migration from deprecated HTTP Data Collector API (Workspace ID + Primary Key) to CCF Push Connector (OAuth2/Entra ID via DCE/DCR). All 11 Analytic Rules migrated from legacy table apifirewall_log_1_CL to new schema FortyTwoCrunchAPIProtectionV2_CL with PascalCase field names. 
Added backward-compatible parser supporting both schemas during transition period.\nSecurity Impact (Visibility & Fidelity) Critical API protection blind spot risk: The legacy HTTP Data Collector API is deprecated and will cease functioning. Deployments running the previous connector version will experience complete API security monitoring failure — zero visibility into API attacks, anomalies, credential stuffing, BOLA attacks, and suspicious authentication patterns once the legacy endpoint is disabled.\nThe migration resolves a fundamental ingestion architecture gap where OAuth2 client credentials replace vulnerable shared-key authentication, eliminating HMAC-SHA256 key rotation requirements and improving audit posture.\nMigration Requirements New deployment requires DCE/DCR configuration with OAuth2 Entra ID authentication. Solution includes validated ccf-forwarder Docker container (forwarder.py) replacing the legacy 42c-fw-2la container. Migration Guide provides step-by-step DCR setup, service principal configuration, and deployment validation.\nDetection Surface Maintained All 11 Analytic Rules preserve identical detection logic for:\nAPI scraping and reconnaissance (T1592, T1593) Account takeover attempts (T1555, T1110) BOLA (Broken Object Level Authorization) exploitation (T1087) Anomaly detection and first-time access patterns Password cracking and credential stuffing (T1110) JWT validation failures (T1528) Rate limiting bypass attempts (T1499) Parser alias ensures seamless transition — existing detections continue functioning during gradual connector migration.\nAffected Files .script/tests/KqlvalidationsTests/SkipValidationsTemplates.json .script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json Solutions/42Crunch API Protection/Analytic Rules/APIAPIScaping.yaml Solutions/42Crunch API Protection/Analytic Rules/APIAccountTakeover.yaml Solutions/42Crunch API Protection/Analytic Rules/APIAnomalyDetection.yaml Solutions/42Crunch API 
Protection/Analytic Rules/APIBOLA.yaml Solutions/42Crunch API Protection/Analytic Rules/APIFirstTimeAccess.yaml Solutions/42Crunch API Protection/Analytic Rules/APIInvalidHostAccess.yaml Solutions/42Crunch API Protection/Analytic Rules/APIJWTValidation.yaml Solutions/42Crunch API Protection/Analytic Rules/APIKiterunnerDetection.yaml Solutions/42Crunch API Protection/Analytic Rules/APIPasswordCracking.yaml Solutions/42Crunch API Protection/Analytic Rules/APIRateLimiting.yaml Solutions/42Crunch API Protection/Analytic Rules/APISuspiciousLogin.yaml Solutions/42Crunch API Protection/Data Connectors/42Crunch/42CrunchAPIProtection.json Solutions/42Crunch API Protection/Data Connectors/42Crunch_CCF/42CrunchAPIProtection.json Solutions/42Crunch API Protection/Data Connectors/42Crunch_CCF/DCR.json Solutions/42Crunch API Protection/Data Connectors/42Crunch_CCF/PollingConfig.json Solutions/42Crunch API Protection/Data Connectors/42Crunch_CCF/table_FortyTwoCrunchAPIProtectionV2.json Solutions/42Crunch API Protection/Migration_Guide.md Solutions/42Crunch API Protection/Package/testParameters.json Solutions/42Crunch API Protection/Parsers/FortyTwoCrunchAPIProtection.yaml Solutions/42Crunch API Protection/Workbooks/42CrunchAPIProtectionWorkbook.json Solutions/42Crunch API Protection/sample-deployment/.env.example Solutions/42Crunch API Protection/sample-deployment/ccf-forwarder/Dockerfile Solutions/42Crunch API Protection/sample-deployment/ccf-forwarder/forwarder.py Solutions/42Crunch API Protection/sample-deployment/ccf-forwarder/requirements.txt Solutions/42Crunch API Protection/sample-deployment/docker-compose.yml Workbooks/WorkbooksMetadata.json (packaging artefacts: 3.0.1.zip, ReleaseNotes.md, Solution_42CrunchAPIProtection.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-05-29-pr-14210/","summary":"Migration addresses deprecated HTTP Data Collector API by implementing CCF OAuth2/Entra ID ingestion — deployments on 
legacy connector face imminent data loss.","title":"42Crunch API Protection: Critical Migration from Legacy HTTP Collector to CCF Push Connector"},{"content":"What Changed Three new Entra ID hunting queries added targeting post-compromise credential staging and account persistence patterns observed in Midnight Blizzard campaigns.\nDetection Coverage Service Principal Credential Addition with Immediate Sign-In Data Sources: AuditLogs, AADServicePrincipalSignInLogs Logic: Correlates credential additions to service principals with sign-ins within 30 minutes Entity Mapping: CloudApplication, IP Gap Addressed: Complements existing dormant SP queries by removing dormancy requirement — active SPs can also be compromised Privileged Role Assignment to New Accounts Data Source: AuditLogs Logic: Identifies accounts receiving privileged directory roles within 24 hours of creation Target Roles: Global Admin, Privileged Role Admin, Application Admin, Cloud App Admin, Exchange Admin, SharePoint Admin, User Account Admin, Authentication Admin, Security Admin, Hybrid Identity Admin Entity Mapping: Account, IP Temporary Access Pass Creation Data Source: AuditLogs Logic: Identifies TAP creation events that allow passwordless authentication and MFA bypass Entity Mapping: Account, IP Risk: TAP creation outside controlled onboarding indicates potential account takeover staging MITRE Mapping T1098.001: Account Manipulation - Additional Cloud Credentials T1098.003: Account Manipulation - Additional Cloud Roles T1136.003: Create Account - Cloud Account T1528: Steal Application Access Token T1556.006: Modify Authentication Process - Multi-Factor Authentication T1098: Account Manipulation (general) Operational Notes All queries use proper let timeframe declarations, in~ operators for case-insensitive matching, and direct dot notation for InitiatedBy field access. 
The service principal query specifically addresses join key accuracy by filtering only on operations that return the SP object ID rather than Application object ID.\nAffected Files Hunting Queries/AuditLogs/PrivilegedRoleAssignedToNewAccount.yaml Hunting Queries/AuditLogs/TemporaryAccessPassCreatedForUser.yaml Hunting Queries/MultipleDataSources/ServicePrincipalCredentialAddedThenSignedIn.yaml ","permalink":"http://sentinelchangelog.net/posts/2026-05-29-pr-14299/","summary":"Three new hunting queries target Midnight Blizzard-style persistence patterns — service principal credential staging, privileged role assignments to new accounts, and Temporary Access Pass abuse.","title":"Entra ID Post-Credential Activity Detection: Service Principal Staging and Privileged Role Escalation"},{"content":"What Changed Azure Security Benchmark solution updated from v3.0.4 to v3.0.5 based on Content Doctor recommendations, focusing on detection logic improvements and operational enhancement.\nDetection Logic Updated Analytic Rule “Azure Security Benchmark Posture Changed”:\nPrimary data source: SecurityRecommendation and SecurityRegulatoryCompliance tables Core logic: joins compliance data to identify domains where policy compliance falls below 70% within 7 days, with improved percentage calculation handling zero-division scenarios Entity types mapped: URL (remediation portal link) Enhanced with proper data connector declarations (AzureSecurityCenter for SecurityRecommendation and SecurityRegulatoryCompliance data) Query Improvements Added safeguard against zero-division in percentage calculations using iff() and todouble() Improved variable naming (Last_Evaluated → ComplianceDomainLookup) Enhanced sort logic and string handling Added proper requiredDataConnectors section (was previously empty) Incident Enrichment New alertDetailsOverride and customDetails provide immediate context:\nAlert Title: “Azure Security Benchmark posture below threshold for 
{ComplianceDomain}” Custom Fields: ComplianceDomain, TotalControls, PassedControls, FailedControls Entity Mapping: Direct portal remediation link MITRE Mapping T1082: System Information Discovery (compliance posture reconnaissance) Operational Impact The enhanced logic provides better reliability for compliance monitoring and reduces triage time with enriched incident details. Rule version bumped from 1.0.1 to 1.0.2 reflecting the logic improvements.\nAffected Files Solutions/AzureSecurityBenchmark/Analytic Rules/AzureSecurityBenchmarkPostureChanged.yaml Solutions/AzureSecurityBenchmark/Workbooks/AzureSecurityBenchmark.json Workbooks/WorkbooksMetadata.json (packaging artefacts: 3.0.5.zip, ReleaseNotes.md, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-05-29-pr-13905/","summary":"Azure Security Benchmark solution updated to v3.0.5 with improved compliance monitoring logic, proper data connector declarations, and enhanced incident alert details.","title":"Azure Security Benchmark Solution: Enhanced Detection Logic and Incident Enrichment (v3.0.5)"},{"content":"What Changed Two new hunting queries targeting the “Gentlemen” ransomware campaign infrastructure and payload artifacts, providing detection coverage for EtherRAT and TukTuk malware leading to domain-wide ransomware deployment.\nDetection Logic Both queries utilize Microsoft Defender for Endpoint telemetry (DeviceNetworkEvents, DeviceFileEvents) with optimized KQL:\nC2 Domain Connection Query:\nPrimary data source: DeviceNetworkEvents Core logic: identifies outbound connections to hardcoded IOC domains using has_any pre-filter followed by parse_url() host extraction and exact in~ matching Entity types mapped: Host, Account, Process, IP, URL Targets Web3 gateways (1rpc.io), TryCloudflare tunnels, and abused SaaS platforms (Supabase, ClickHouse, Neon) Payload Hash Query:\nPrimary data source: DeviceFileEvents Core logic: detects 
file creation/modification events matching known SHA256/SHA1/MD5 hashes of trojanized MSI installers, EtherRAT scripts, and TukTuk sideloaded DLLs Entity types mapped: Host, Account, Process, File, FileHash Uses coalesce() for reliable hash matching across file and process contexts MITRE Mapping T1204.002: Malicious File (trojanized Sysinternals MSI files) T1567.002: Exfiltration to Cloud Storage (abused SaaS platforms) T1568.002: Domain Generation Algorithms (decentralized Web3 C2s) T1574.002: DLL Side-Loading (malicious log4net.dll) Campaign Context Based on DFIR reporting, this threat actor uses a sophisticated intrusion chain:\nInitial Access: Trojanized MSI installers masquerading as Sysinternals tools C2 Infrastructure: Decentralized Web3 gateways, TryCloudflare tunnels, and legitimate SaaS platforms (bypasses reputation-based blocking) Payload Delivery: EtherRAT and TukTuk malware establishing persistence via DLL side-loading Final Impact: Domain-wide Gentlemen ransomware deployment The hunting queries provide exact cryptographic and network telemetry tracking with triage-optimized output including customDetails for immediate incident response context.\nAffected Files Hunting Queries/Microsoft 365 Defender/Campaigns/TheGentlemanRansomware/GentlemanRansomwareC2DomainConnection.yaml Hunting Queries/Microsoft 365 Defender/Campaigns/TheGentlemanRansomware/GentlemanRansomwarePayloadHashes.yaml ","permalink":"http://sentinelchangelog.net/posts/2026-05-29-pr-14338/","summary":"Two hunting queries added targeting Gentlemen ransomware campaign artifacts including payload hashes and decentralized Web3/SaaS C2 infrastructure used by EtherRAT and TukTuk malware.","title":"Gentlemen Ransomware Campaign: New Hunting Queries for EtherRAT/TukTuk IOCs and Web3 C2 Infrastructure"},{"content":"What Changed Logstash output plugin for Microsoft Sentinel updated from v2.2.0 to v2.2.1 with enhanced operational visibility and security guidance.\nSecurity Impact (Visibility 
& Fidelity) The functional change adds info-level logging when batches are successfully sent, improving operational observability for data ingestion monitoring. No data fidelity impact — this is enhanced telemetry, not a data processing fix.\nVersion Support Matrix Updates README now includes explicit security warnings for multiple Logstash versions that require security updates according to Elastic Security Advisory ESA-2026-29:\nVersions 8.0-8.9, 8.11-8.15, 8.19.2, 9.0.8, 9.1.10, and 9.2.4-9.2.5 all flagged as requiring security updates Logstash 9.3.3 added as supported version Direct link provided to Elastic security discussion This guidance helps SOC teams assess their Logstash deployment security posture alongside Sentinel connector deployment planning.\nAffected Files DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin/CHANGELOG.md DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin/README.md ","permalink":"http://sentinelchangelog.net/posts/2026-05-29-pr-14359/","summary":"Microsoft Sentinel Logstash plugin updated to v2.2.1 with improved batch logging and comprehensive security warnings for vulnerable Logstash versions.","title":"Logstash Output Plugin: Version 2.2.1 with Enhanced Logging and Security Warnings"},{"content":"Affected Files Workbooks/WorkbooksMetadata.json ","permalink":"http://sentinelchangelog.net/posts/2026-05-29-pr-14353/","summary":"Workspace Usage Report workbook bumped to v1.6.5 with updated description mentioning Microsoft Sentinel and Defender support.","title":"Workspace Usage Report Workbook: Version 1.6.5 Metadata Update"},{"content":"What Changed Added a new hunting query targeting LockBit ransomware and associated tools deployed via Apache ActiveMQ exploitation (CVE-2023-46604). The query identifies file creation/modification events matching specific SHA256 hashes.\nDetection Logic Primary data source: DeviceFileEvents table. 
The query filters early using isnotempty(SHA256) before hash lookup for performance optimization. Core logic matches against six hardcoded SHA256 hashes representing:\nLockBit ransomware payloads (lb3_pass.exe, lb3.exe) Reconnaissance tools (Advanced IP Scanner, netscan.exe) RDP configuration scripts (rdp.bat) Entity mappings include Host, Account, FileHash, File, and Process for comprehensive incident response.\nMITRE Mapping T1486: Data Encrypted for Impact T1204: User Execution Security Impact This query targets statically compiled artifacts and unmodified legitimate tools frequently reused across LockBit intrusions. While hash-based detection is brittle to recompilation, these specific indicators represent builder artifacts that threat actors deploy without modification, providing reliable detection coverage for this attack chain.\nAffected Files Hunting Queries/Microsoft 365 Defender/Campaigns/Lockbit Ransomware/LockBitRansomwareHashIoCs.yaml ","permalink":"http://sentinelchangelog.net/posts/2026-05-29-pr-14350/","summary":"New hunting query provides hash-based detection for LockBit ransomware artifacts deployed via Apache ActiveMQ CVE-2023-46604 exploitation.","title":"LockBit Hunting Query: ActiveMQ Exploit IoC Detection Added"},{"content":"What Changed The CrowdStrike API Data Connector was enhanced to support multiple domain configurations. Users can now deploy multiple instances of the connector with unique aliases to collect data from different CrowdStrike domains (e.g., production and sandbox environments).\nSecurity Impact (Visibility & Fidelity) This enhancement addresses a visibility gap for organizations operating multiple CrowdStrike domains or instances. 
Previously, deployments were limited to a single CrowdStrike instance per workspace, forcing SOC teams to choose between environments or manually manage multiple configurations.\nKey improvements:\nMulti-tenancy support: Organizations can now monitor multiple CrowdStrike instances from a single Microsoft Sentinel workspace Environment segregation: Production and sandbox data can be ingested simultaneously with distinct connection aliases Data type selection: Granular control over which data types (Alerts, Cases, Detections, Hosts, Vulnerabilities) are collected per domain Configuration Changes The connector configuration now includes:\nConnection Alias field: Required unique identifier for each CrowdStrike instance Data type selector: Multi-select dropdown allowing per-connection data type configuration Dynamic resource naming: Connector instances use uniqueString(parameters(“friendlyName”)) to prevent naming conflicts Conditional deployment: Each data type poller deploys only when selected via contains(parameters(“selectedDataTypes”)) Organizations should update existing deployments to take advantage of multi-domain capabilities and ensure proper data collection coverage across all CrowdStrike environments.\nAffected Files Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdStrikeAPI_ccp/CrowdStrikeAPI_Definition.json Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdStrikeAPI_ccp/CrowdStrikeAPI_PollingConfig.json (packaging artefacts: 3.3.6.zip, ReleaseNotes.md, Solution_CrowdStrike.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-05-28-pr-14370/","summary":"CrowdStrike API connector now supports multiple domain configurations with unique aliases, enabling organizations to ingest data from different CrowdStrike instances simultaneously.","title":"CrowdStrike API Connector: Multi-Domain Support for Enterprise Deployments"},{"content":"Data Source 
Airlock Digital is an application control platform that monitors and controls executable file execution on endpoints. This connector ingests logs from Airlock Digital servers to provide visibility into software execution patterns and policy violations.\nIngestion Mechanism CCF-based connector using DCR ingestion with API Key authentication. Polls three REST API endpoints every 5 minutes:\n/v1/logging/svractivities → AirlockDigitalServerActivities_CL /v1/logging/exechistories → AirlockDigitalExecutionHistories_CL /v1/logging/fileactivitysummary → AirlockDigitalFileActivitySummary_CL Detection Surface Unlocked Application control visibility enables detection of:\nUnauthorized software execution: Blocked execution attempts indicate potential malware or policy violations Execution context analysis: File hashes, publishers, command lines, and parent processes provide attribution for security investigations Administrative activity monitoring: Server configuration changes and agent check-ins track infrastructure modifications File activity trends: Aggregated statistics identify unusual execution patterns or new file introductions The ExecutionType field differentiates between blocked (1), audited, and trusted executions, enabling focused alerting on security violations while maintaining operational visibility.\nMITRE Coverage Application control monitoring directly supports:\nT1204 User Execution (execution attempts of untrusted binaries) T1055 Process Injection (unusual process execution patterns) T1059 Command and Scripting Interpreter (command line execution monitoring) Affected Files Solutions/AirlockDigital/Data Connectors/AirlockDigital_CCF/AirlockDigital_ConnectorDefinition.json Solutions/AirlockDigital/Data Connectors/AirlockDigital_CCF/AirlockDigital_DCR.json Solutions/AirlockDigital/Data Connectors/AirlockDigital_CCF/AirlockDigital_PollerConfig.json Solutions/AirlockDigital/Data Connectors/AirlockDigital_CCF/table_AirlockDigitalExecutionHistories.json 
Solutions/AirlockDigital/Data Connectors/AirlockDigital_CCF/table_AirlockDigitalFileActivitySummary.json Solutions/AirlockDigital/Data Connectors/AirlockDigital_CCF/table_AirlockDigitalServerActivities.json Solutions/AirlockDigital/Package/testParameters.json Solutions/AirlockDigital/Parsers/parser_AirlockDigitalExecutionHistoriesAliasFunction.json Solutions/AirlockDigital/Parsers/parser_AirlockDigitalFileActivitySummaryAliasFunction.json Solutions/AirlockDigital/Parsers/parser_AirlockDigitalServerActivitiesAliasFunction.json (packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_AirlockDigital.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-05-28-pr-14330/","summary":"New CCF connector enables ingestion of Airlock Digital application control logs, providing execution monitoring and file activity visibility to detect unauthorized software execution.","title":"Airlock Digital Solution: Application Control Visibility for Endpoint Security"},{"content":"What Changed Added comprehensive AWS Security Hub Compliance Workbook to the AWS Security Hub solution (v3.0.3). 
The workbook provides executive-level dashboards and operational analytics for security compliance tracking across multi-account AWS environments.\nWorkbook Features The workbook delivers 10 visualization sections targeting SOC managers and security analysts:\nExecutive Summary: Total findings metrics, critical/high severity counts, failed compliance checks, monitored accounts, and distinct failing controls with KPI-style cards\nOperational Analytics:\nSeverity distribution (pie chart with color coding: CRITICAL=red, HIGH=orange, MEDIUM=yellow, LOW=blue) Compliance status breakdown (PASSED vs FAILED with trend analysis) Trend analysis over time by severity and compliance status Regional distribution (top 10 AWS regions by finding volume) Compliance Intelligence:\nTop 20 failing security controls with detailed breakdown showing control ID, title, finding count, severity distribution, and affected accounts Compliance standards mapping (CIS, NIST, PCI, ISO, HIPAA, SOC 2) with pass/fail ratios Per-account security posture summary with compliance rates Threat Surface Analysis:\nTop 15 resource types generating findings (IAM policies, EC2 instances, Security Groups, SQS queues) Service-specific views for IAM and EC2 security findings Latest 100 failed findings with drill-down capability Interactive Filtering Built-in parameter controls enable dynamic analysis:\nTime Range: Configurable from 1 hour to 90 days with custom range support AWS Account: Multi-select filtering across monitored accounts or view all AWS Region: Regional filtering for geographic compliance analysis Compliance Status: Filter by PASSED, FAILED, WARNING, NOT_AVAILABLE status Detection Impact The workbook enhances compliance monitoring by providing visual context for AWS Security Hub findings ingested via the existing CCF Data Connector. 
Organizations can now identify compliance gaps, track remediation progress, and demonstrate security posture improvements to stakeholders through standardized dashboards rather than manual KQL queries.\nAffected Files Solutions/AWS Security Hub/Package/testParameters.json Solutions/AWS Security Hub/Workbooks/AWSSecurityHubComplianceWorkbook.json Workbooks/Images/Logos/Aws.svg Workbooks/Images/Preview/AWSSecurityHubComplianceWorkbook_black.png Workbooks/Images/Preview/AWSSecurityHubComplianceWorkbook_white.png Workbooks/WorkbooksMetadata.json (packaging artefacts: 3.0.3.zip, ReleaseNotes.md, Solution_AWSSecurityHub.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-05-28-pr-13870/","summary":"New AWS Security Hub compliance workbook provides executive dashboards and operational analytics for security findings, compliance tracking, and multi-account posture management.","title":"AWS Security Hub Compliance Workbook: Comprehensive Security Posture Visualization Now Available"},{"content":"What Changed Initial release of the NordStellar solution for Microsoft Sentinel, implementing a CCF Push connector that ingests real-time threat intelligence and exposure events. The connector creates a unified NordStellar_CL table with normalized common columns extracted via DCR KQL transform while preserving type-specific payloads.\nData Source NordStellar is a comprehensive threat intelligence platform offering:\nLeaked Data monitoring (module: LEAKED_DATA): Data breaches, combo lists, malware infections, consumer credentials Dark Web Monitoring (module: DARK_WEB_MONITORING): Forum posts, Telegram posts, ransomware posts, marketplace posts Domain Squatting (module: DOMAIN_SQUATTING): Domain permutation/typosquatting detection Attack Surface (module: ATTACK_SURFACE): Web application, network service, and DNS vulnerabilities Ingestion Mechanism CCF Push connector with OAuth 2.0 client credentials authentication. 
Events flow via Azure Monitor Ingestion API to a single Custom-NordStellar stream with DCR KQL transform extracting common fields (EventId, EventType, Module, RiskLevel, AssetType, AssetValue, Tags) and preserving full event payload in dynamic Details column.\nDetection Surface Unlocked The unified table structure enables detection engineering across:\nCredential exposure monitoring: Query malware infections by stealer family, track combo lists affecting organizational domains Dark web threat hunting: Monitor ransomware group mentions, marketplace discussions targeting your organization Attack surface vulnerability management: Correlate CVSS3 >= 7 vulnerabilities with asset inventory Domain abuse detection: Identify typosquatting campaigns against organizational domains No bundled detections included in initial release — organizations can develop KQL rules leveraging the standardized schema and type-specific Details payload fields.\nAffected Files Logos/NordStellar.svg Solutions/NordStellar/Data Connectors/NordStellar_ccf/DCR.json Solutions/NordStellar/Data Connectors/NordStellar_ccf/connectorDefinition.json Solutions/NordStellar/Data Connectors/NordStellar_ccf/dataConnector.json Solutions/NordStellar/Data Connectors/NordStellar_ccf/table.json Solutions/NordStellar/Package/testParameters.json (packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_NordStellar.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-05-28-pr-14198/","summary":"New NordStellar solution delivers real-time threat intelligence and exposure monitoring via CCF Push architecture to unified NordStellar_CL table.","title":"NordStellar CCF Push Connector: Real-time Threat Intelligence Integration Now Available"},{"content":"What Changed Added three hunting queries targeting identity boundary expansion techniques in Entra ID that shift permission surfaces without creating new accounts or directly adding 
credentials.\nDetection Logic Guest User Type Changed to Member (T1098): Detects “Update user” events where UserType changes from Guest to Member, granting full tenant membership including access to internal resources and SharePoint sites that exclude guests. Rare operation requiring correlation against help desk records.\nService Principal Owner Added (T1098.001): Detects “Add owner to service principal” events that grant full credential management rights. SP ownership enables adding passwords or certificates without triggering separate credential-addition alerts — documented precursor in Midnight Blizzard-style persistence chains.\nOAuth Application Redirect URI Modified (T1528): Detects “Update application” events where ReplyUrls field changes. Adding attacker-controlled redirect URIs to trusted app registrations allows OAuth authorization code interception without requiring new app registration, bypassing first-seen-app detections.\nMITRE Mapping T1098 (Account Manipulation): Guest-to-member type conversion T1098.001 (Additional Cloud Credentials): Service principal ownership for credential access T1528 (Steal Application Access Token): OAuth redirect URI manipulation for token theft Primary data source: AuditLogs table with exact OperationName matching and direct InitiatedBy field access. 
Entity types mapped: Account, IP address.\nAffected Files Hunting Queries/AuditLogs/ApplicationRedirectUriModified.yaml Hunting Queries/AuditLogs/GuestUserTypeChangedToMember.yaml Hunting Queries/AuditLogs/ServicePrincipalOwnerAdded.yaml ","permalink":"http://sentinelchangelog.net/posts/2026-05-28-pr-14307/","summary":"Added three hunting queries targeting identity boundary expansion techniques in Entra ID that escalate privileges without creating new accounts.","title":"Entra ID Identity Boundary Expansion: Three New Hunting Queries for Stealthy Persistence"},{"content":"What Changed Updated Data Connector definitions for Amazon Web Services S3 and CrowdStrike Falcon Endpoint Protection S3 Data Replicator to support non-analytics tier queries using the Usage table as a fallback mechanism.\nSecurity Impact (Visibility & Fidelity) Deployments using Basic or Auxiliary Log Analytics pricing plans now have connector health monitoring capability that was previously unavailable. Prior to this change, these connectors could not properly report ingestion status on non-analytics tier workspaces, potentially creating blind spots in connector health visibility.\nThe enhancement adds nonAnalyticsTierBaseQuery and nonAnalyticsTierLastDataReceivedQuery fields to each data type, enabling:\nUsage table fallback queries with 14-hour time windows for CrowdStrike S3 FDR Basic ingestion volume and last-data-received metrics for deployments on cost-optimized plans This addresses a monitoring gap where SOC teams using Basic/Auxiliary plans could not verify that their CrowdStrike endpoint telemetry and AWS security logs were flowing correctly into Microsoft Sentinel.\nAffected Files Solutions/Amazon Web Services/Data Connectors/template_AwsS3.json Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdStrikeS3FDR_ccp/DataConnectorDefinition.json (packaging artefacts: 3.0.10.zip, 3.3.5.zip, ReleaseNotes.md, Solution_AmazonWebServices.json, 
Solution_CrowdStrike.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-05-28-pr-14264/","summary":"AWS S3 and CrowdStrike Falcon S3 Data Replicator connectors now support Usage table fallback queries for deployments using Basic/Auxiliary Log Analytics plans.","title":"AWS S3 and CrowdStrike Connectors: Non-Analytics Tier Query Support for Basic/Auxiliary Plans"},{"content":"What Changed Released comprehensive Microsoft Sentinel solution for Bitdefender GravityZone v3.0.1, introducing a new NRT (Near Real Time) analytic rule template that leverages ASIM-normalized alert data. The solution uses a push-based DCR architecture with custom table GzSecurityEvents_CL for direct log ingestion from GravityZone deployments.\nData Source Bitdefender GravityZone is an enterprise security platform providing:\nEndpoint Detection and Response (EDR): Host-based threat hunting and incident response Extended Detection and Response (XDR): Cross-domain correlation and kill chain analysis Anti-ransomware protection: Real-time file system monitoring and process blocking Network sandbox analysis: Dynamic malware inspection of suspicious files Exchange security: Email-borne threat detection and mitigation Ingestion Mechanism DCR-based push ingestion using Azure App Registration authentication. 
GravityZone agents and sensors forward security events directly to Microsoft Sentinel via Data Collection Endpoint, populating the GzSecurityEvents_CL custom table with structured incident data.\nDetection Surface Unlocked The solution enables detection of lateral movement activities via the included analytic rule NRT GravityZone Incident Alerts:\nQuery scope: Leverages ASimAlertEventBitdefenderGravityZone parser with packed field extraction Incident correlation: Groups events by result with dynamic severity mapping from GravityZone ratings Entity mapping: Automatically extracts host and IP entities for investigation pivoting Multi-vector coverage: Normalizes EDR incidents, XDR correlations, ransomware mitigations, sandbox detections, and Exchange malware alerts The rule provides tactical classification via AdditionalFields.AttackTypes integration and supports MITRE technique T1210 (Exploitation of Remote Services) detection through GravityZone behavioral analysis.\nAffected Files .script/tests/KqlvalidationsTests/CustomFunctions/ASimAlertEventBitdefenderGravityZone.json Solutions/GravityZone/Analytic Rules/Incidents.yaml (packaging artefacts: 3.0.1.zip, ReleaseNotes.md, Solution_GravityZone.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-05-28-pr-13299/","summary":"Complete Microsoft Sentinel solution integrating Bitdefender GravityZone multi-vector threat detection with DCR-based ingestion and XDR correlation.","title":"Bitdefender GravityZone Solution v3.0.1 Adds Incident Analytics for Endpoint and Email Protection"},{"content":"What Changed Added comprehensive ASIM AlertEvent parsers for Bitdefender GravityZone security platform, including both full (ASimAlertEventBitdefenderGravityZone) and filtering (vimAlertEventBitdefenderGravityZone) variants. 
This integration enables normalization of five distinct GravityZone event modules into the Microsoft Sentinel ASIM AlertEvent schema.\nParser Impact The parsers normalize data from the GzSecurityEvents_CL custom table into standardized ASIM fields. Event modules covered:\nnew-incident: Core security incidents with device context, file hashes, and process details new-extended-incident: Enhanced incident data with kill chain phases and correlation mapping ransomware-mitigation: Anti-ransomware protection events from endpoint agents network-sandboxing: Malware analysis results from network-based file inspection exchange-malware: Email threat detection from Exchange integration Key normalized fields include EventUid, EventSeverity, DvcHostname, DvcAction, with packed mode preserving additional forensic metadata (file paths, process trees, MITRE ATT&CK mappings).\nMITRE Mapping Parser extracts MITRE ATT&CK technique IDs from GravityZone incident data via the att_ck_id field, supporting techniques T1002 (Data Compressed), T1012 (Query Registry), T1036 (Masquerading), T1059 (Command and Scripting Interpreter).\nDetection Surface Unlocked Organizations using Bitdefender GravityZone can now leverage normalized alert data for:\nCross-vendor incident correlation using ASIM-based detections Unified threat hunting across GravityZone and other security tools Standardized severity mapping from GravityZone low/medium/high scale to ASIM conventions Integration of endpoint, email, and network sandbox alerts into Microsoft Sentinel investigations Affected Files .script/tests/KqlvalidationsTests/CustomTables/GzSecurityEvents_CL.json Parsers/ASimAlertEvent/ARM/ASimAlertEvent/ASimAlertEvent.json Parsers/ASimAlertEvent/ARM/ASimAlertEventBitdefenderGravityZone/ASimAlertEventBitdefenderGravityZone.json Parsers/ASimAlertEvent/ARM/ASimAlertEventBitdefenderGravityZone/README.md Parsers/ASimAlertEvent/ARM/FullDeploymentAlertEvent.json 
Parsers/ASimAlertEvent/ARM/imAlertEvent/imAlertEvent.json Parsers/ASimAlertEvent/ARM/vimAlertEventBitdefenderGravityZone/README.md Parsers/ASimAlertEvent/ARM/vimAlertEventBitdefenderGravityZone/vimAlertEventBitdefenderGravityZone.json Parsers/ASimAlertEvent/CHANGELOG/ASimAlertEvent.md Parsers/ASimAlertEvent/CHANGELOG/ASimAlertEventBitdefenderGravityZone.md Parsers/ASimAlertEvent/CHANGELOG/imAlertEvent.md Parsers/ASimAlertEvent/CHANGELOG/vimAlertEventBitdefenderGravityZone.md Parsers/ASimAlertEvent/Parsers/ASimAlertEvent.yaml Parsers/ASimAlertEvent/Parsers/ASimAlertEventBitdefenderGravityZone.yaml Parsers/ASimAlertEvent/Parsers/imAlertEvent.yaml Parsers/ASimAlertEvent/Parsers/vimAlertEventBitdefenderGravityZone.yaml Sample Data/ASIM/Bitdefender_GravityZone_AlertEvent_IngestedLogs.csv Sample Data/ASIM/GzSecurityEvents_CL_Schema.csv ","permalink":"http://sentinelchangelog.net/posts/2026-05-28-pr-13330/","summary":"New parsers enable normalization of Bitdefender GravityZone alert data into Microsoft Sentinel ASIM schema for unified threat detection.","title":"ASIM AlertEvent Support Added for Bitdefender GravityZone Security Platform"},{"content":"Data Source Sonrai Security is a cloud infrastructure security platform that monitors cloud environments for compliance violations and security posture risks. The connector ingests Sonrai ticket data containing policy violations, resource misconfigurations, and compliance findings across multi-cloud environments.\nIngestion Mechanism CCF push connector using Data Collection Rules (DCR) with Entra application authentication. 
Raw ticket data is sent directly from Sonrai’s platform to Microsoft Sentinel via the Ingestion API, populating the SonraiSecurityTickets_CL table.\nDetection Surface Unlocked This connector provides visibility into:\nCloud resource compliance violations and policy breaches Infrastructure security posture deviations Critical resource misconfigurations across AWS, Azure, and GCP Compliance framework violations (SOX, HIPAA, PCI DSS, etc.) Resource ownership and assignment tracking for remediation workflows Ticket fields include severity categories, resource types, assignment details, and organizational context - enabling correlation with other security events for comprehensive cloud security monitoring.\nMITRE Coverage Compliance monitoring capabilities align with:\nT1087 (Account Discovery) - through resource ownership tracking T1119 (Automated Collection) - via systematic compliance scanning T1499 (Endpoint Denial of Service) - detecting resource availability risks Affected Files Solutions/SonraiSecurity/Data Connectors/SonraiSecurity_ccp/SonraiSecurity_DCR.json Solutions/SonraiSecurity/Data Connectors/SonraiSecurity_ccp/SonraiSecurity_Definition.json Solutions/SonraiSecurity/Data Connectors/SonraiSecurity_ccp/SonraiSecurity_poller.json Solutions/SonraiSecurity/Data Connectors/SonraiSecurity_ccp/SonraiSecurity_table.json (packaging artefacts: 3.0.1.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_SonraiSecurity.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-05-27-pr-14360/","summary":"Sonrai Security compliance tickets now integrate directly with Microsoft Sentinel through a new CCF push connector.","title":"Sonrai Security CCF Connector: New Cloud Security Posture Visibility"},{"content":"What Changed BitSight migrated from a legacy Function App connector to two Codeless Connector Framework (CCF) connectors:\nBitSight Security Statistics — ingests Company Profiles, Rating Details, Diligence 
Historical Statistics, Risk Vector Statistics, Industries Statistics, Findings Summary, and Vulnerability reference data into 7 custom tables BitSight Security Events — ingests Alerts, Breaches, and security Findings (Diligence, Compromised Systems, User Behavior) into 3 custom tables The split architecture allows customers to independently enable security statistics data or event/alert data based on operational needs.\nData Source Migration Legacy ingestion: Function App with Azure Functions runtime dependency\nNew ingestion: Native CCF with DCR/DCE — eliminates Function App deployment and maintenance overhead\nTable mapping: All 10 custom tables retained with “_CL” suffix (BitSightCompanyDetails_CL, BitSightAlerts_CL, etc.)\nParser Impact All 13 parsers updated with union isfuzzy=true logic to support both legacy table names (BitsightAlerts_data_CL) and new CCF table names (BitSightAlerts_CL). This provides backward compatibility during migration periods.\nNew parsers added:\nBitSightCompanyRatingDetails BitSightVulnerabilitiesFindingsSummary Security Impact (Visibility & Fidelity) BitSight provides third-party risk monitoring and external attack surface visibility. The Function App architecture required customers to deploy and maintain Azure Functions infrastructure, creating potential blind spots if deployments failed or Functions became unhealthy.\nMigration benefit: CCF eliminates Function App dependency — data ingestion now relies on Microsoft-managed DCR/DCE infrastructure rather than customer-deployed Functions. 
This reduces the risk of ingestion failures due to Function App misconfigurations, runtime version conflicts, or scaling issues.\nDetection continuity: Parser union logic ensures existing detections continue functioning against both legacy and new table schemas during transition periods.\nAffected Files .script/tests/KqlvalidationsTests/CustomTables/BitSightAlerts_CL.json .script/tests/KqlvalidationsTests/CustomTables/BitSightBreaches_CL.json .script/tests/KqlvalidationsTests/CustomTables/BitSightCompanyDetails_CL.json .script/tests/KqlvalidationsTests/CustomTables/BitSightCompanyRatingDetails_CL.json .script/tests/KqlvalidationsTests/CustomTables/BitSightDiligenceHistoricalStatistics_CL.json .script/tests/KqlvalidationsTests/CustomTables/BitSightDiligenceStatistics_CL.json .script/tests/KqlvalidationsTests/CustomTables/BitSightFindingsSummary_CL.json .script/tests/KqlvalidationsTests/CustomTables/BitSightFindings_CL.json .script/tests/KqlvalidationsTests/CustomTables/BitSightObservationStatistics_CL.json .script/tests/KqlvalidationsTests/CustomTables/BitsightIndustrialStatistics_CL.json .script/tests/KqlvalidationsTests/CustomTables/BitsightVulnerabilitiesFindingsSummary_CL.json Solutions/BitSight/Data Connectors/BitSight_CCF/ConnectorDefinition.json Solutions/BitSight/Data Connectors/BitSight_CCF/DCR.json Solutions/BitSight/Data Connectors/BitSight_CCF/PollingConfig.json Solutions/BitSight/Data Connectors/BitSight_CCF/table_BitSightCompanyDetails.json Solutions/BitSight/Data Connectors/BitSight_CCF/table_BitSightCompanyRatingDetails.json Solutions/BitSight/Data Connectors/BitSight_CCF/table_BitSightDiligenceHistoricalStatistics.json Solutions/BitSight/Data Connectors/BitSight_CCF/table_BitSightDiligenceStatistics.json Solutions/BitSight/Data Connectors/BitSight_CCF/table_BitSightFindingsSummary.json Solutions/BitSight/Data Connectors/BitSight_CCF/table_BitSightObservationStatistics.json Solutions/BitSight/Data 
Connectors/BitSight_CCF/table_BitsightIndustrialStatistics.json Solutions/BitSight/Data Connectors/BitSight_CCF/table_BitsightVulnerabilitiesFindingsSummary.json Solutions/BitSight/Data Connectors/BitSight_Events_CCF/ConnectorDefinition.json Solutions/BitSight/Data Connectors/BitSight_Events_CCF/DCR.json Solutions/BitSight/Data Connectors/BitSight_Events_CCF/PollingConfig.json Solutions/BitSight/Data Connectors/BitSight_Events_CCF/table_BitSightAlerts.json Solutions/BitSight/Data Connectors/BitSight_Events_CCF/table_BitSightBreaches.json Solutions/BitSight/Data Connectors/BitSight_Events_CCF/table_BitSightFindings.json Solutions/BitSight/Package/testParameters.json Solutions/BitSight/Parsers/BitSightAlerts.yaml Solutions/BitSight/Parsers/BitSightBreaches.yaml Solutions/BitSight/Parsers/BitSightCompanyDetails.yaml Solutions/BitSight/Parsers/BitSightCompanyRatingDetails.yaml Solutions/BitSight/Parsers/BitSightCompanyRatings.yaml Solutions/BitSight/Parsers/BitSightDiligenceHistoricalStatistics.yaml Solutions/BitSight/Parsers/BitSightDiligenceStatistics.yaml Solutions/BitSight/Parsers/BitSightFindingsData.yaml Solutions/BitSight/Parsers/BitSightFindingsSummary.yaml Solutions/BitSight/Parsers/BitSightGraphData.yaml Solutions/BitSight/Parsers/BitSightIndustrialStatistics.yaml Solutions/BitSight/Parsers/BitSightObservationStatistics.yaml Solutions/BitSight/Parsers/BitSightVulnerabilitiesFindingsSummary.yaml Solutions/BitSight/Workbooks/BitSightWorkbook.json (packaging artefacts: 4.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_BitSight.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-05-27-pr-14356/","summary":"Legacy Function App connector replaced with two CCF connectors for independent security statistics and events ingestion.","title":"BitSight: Function App to CCF Migration Restores Third-Party Risk Visibility"},{"content":"What Changed New VMware Workspace ONE solution package (v3.0.0) introducing 
CCF-based data ingestion for VMware’s Unified Endpoint Management (UEM) platform. Supports device inventory and application tracking across iOS, Android, Windows, and macOS managed devices.\nData Source VMware Workspace ONE UEM platform ingestion via OAuth-authenticated REST API polling. Creates two Microsoft Sentinel tables:\nVMwareWorkspaceOneDevices — enrolled device inventory with compliance status VMwareWorkspaceOneDeviceApps — installed application details per device Ingestion Mechanism CCF-based connector using OAuth client credentials flow against region-specific VMware auth endpoints:\nCustom-VMwareWorkspaceOneDevices_CL stream for device data Custom-VMwareWorkspaceOneDeviceApps_CL stream for application data Configurable application collection (optional per-device API calls) Detection Surface Unlocked Device Compliance Monitoring:\nNon-compliant endpoint detection via ComplianceStatus field Compromised/jailbroken device identification through CompromisedStatus Device enrollment and last-seen tracking for visibility gaps Shadow IT Discovery:\nInstalled but unassigned applications via InstallStatus vs AssignmentStatus correlation Application inventory analysis across managed fleet Unauthorized software installation detection Sample Queries Included Five pre-built queries for immediate operational use:\nNon-compliant device identification Compromised device detection Top installed applications analysis Shadow IT application discovery Device enrollment status monitoring Required OAuth permissions: REST API Devices Read, REST API MDM Devices, REST API Apps Read.\nAffected Files Solutions/VMware Workspace ONE/Data Connectors/VMwareWorkspaceOneConnector_CCF/VMwareWorkspaceOne_ConnectorDefinition.json Solutions/VMware Workspace ONE/Data Connectors/VMwareWorkspaceOneConnector_CCF/VMwareWorkspaceOne_DCR.json Solutions/VMware Workspace ONE/Data Connectors/VMwareWorkspaceOneConnector_CCF/VMwareWorkspaceOne_PollerConfig.json Solutions/VMware Workspace 
ONE/Data Connectors/VMwareWorkspaceOneConnector_CCF/table_VMwareWorkspaceOneDeviceApps.json Solutions/VMware Workspace ONE/Data Connectors/VMwareWorkspaceOneConnector_CCF/table_VMwareWorkspaceOneDevices.json Solutions/VMware Workspace ONE/Package/testParameters.json Solutions/VMware Workspace ONE/Parsers/parser_VMwareWorkspaceOneDeviceAppsAliasFunction.json Solutions/VMware Workspace ONE/Parsers/parser_VMwareWorkspaceOneDevicesAliasFunction.json (packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_VMwareWorkspaceOne.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-05-27-pr-14258/","summary":"VMware Workspace ONE Unified Endpoint Management platform now available in Microsoft Sentinel via CCF connector for device compliance monitoring and shadow IT detection.","title":"VMware Workspace ONE: New CCF Connector for UEM Device and Application Visibility"},{"content":"What Changed Added advanced hunting pack with three queries targeting sophisticated Entra ID authentication anomalies and privilege abuse patterns often missed by standard detections.\nDetection Coverage 1. Privileged Account Legacy Authentication Sign-In Data sources: SigninLogs, AuditLogs\nLogic: Detects directory role holders signing in via legacy protocols (SMTP Auth, IMAP4, MAPI over HTTP, EWS) that bypass Conditional Access MFA, correlated with high-impact operations within one hour.\nThreat: Credential theft targeting privileged accounts through legacy authentication channels that evade MFA requirements.\n2. Guest Account Privileged Operation Data sources: SigninLogs, AuditLogs\nLogic: Identifies B2B guest accounts acting as initiators of high-impact operations - role assignments, service principal credentials, policy changes.\nThreat: Compromised B2B guest accounts used for lateral movement and persistence, complementing existing queries that only detect guests as targets.\n3. 
Password Reset Then Privileged Operation Data source: AuditLogs\nLogic: Detects accounts performing privileged operations within 30 minutes of having their password reset by a different actor, using cross-actor correlation to exclude self-service flows.\nThreat: Post-compromise persistence where attacker resets account passwords to obscure attribution before establishing persistence.\nSecurity Impact These queries address advanced attack patterns by:\nDefense evasion detection: Legacy auth protocols bypassing Conditional Access controls Lateral movement: Guest account compromise for cross-tenant privilege escalation Timeline correlation: Linking password reset events with subsequent privileged actions The 90-day baseline for role holder identification ensures detection of privileges assigned weeks or months prior, not just recent assignments.\nMITRE Mapping T1078.004 (Cloud Accounts) - Valid account abuse across all three patterns T1562.001 (Disable Security Tools) - Legacy auth bypassing MFA controls T1098 (Account Manipulation) - Password resets for takeover T1098.001 (Additional Cloud Credentials) - Service principal credential manipulation T1098.003 (Additional Cloud Roles) - Role assignment abuse Affected Files Hunting Queries/AuditLogs/PasswordResetThenPrivilegedOperation.yaml Hunting Queries/MultipleDataSources/GuestAccountPrivilegedOperation.yaml Hunting Queries/MultipleDataSources/PrivilegedAccountLegacyAuthSignIn.yaml ","permalink":"http://sentinelchangelog.net/posts/2026-05-27-pr-14339/","summary":"Adds three-query pack detecting legacy auth bypass, guest account abuse, and post-reset privileged operations.","title":"Entra ID Authentication Anomalies: Advanced Hunting for Privilege Abuse and Defense Evasion"},{"content":"What Changed Added comprehensive hunting pack with three queries targeting Entra ID account takeover techniques, covering initial access through post-compromise persistence patterns.\nDetection Coverage 1. 
Device Code Authentication from Unseen ASN Data source: SigninLogs\nLogic: Detects successful device code flow sign-ins from autonomous system numbers not seen for the target user in the preceding 30 days.\nThreat: Device code phishing attacks used by Midnight Blizzard - attacker initiates OAuth flow and tricks target into completing authentication.\n2. New Service Principal Granted Admin Consent Data source: AuditLogs\nLogic: Correlates service principal creation with admin consent or app role assignment within 1-hour window for the same SP.\nThreat: Post-compromise persistence pattern where attacker with Application Administrator rights creates malicious app and immediately grants tenant-wide permissions.\n3. Bulk Password Reset by Actor Data source: AuditLogs\nLogic: Identifies single actor resetting passwords for 3+ distinct accounts within one hour.\nThreat: Attacker with User Administrator or Helpdesk privileges performing bulk resets before activity triggers alerts.\nSecurity Impact These queries fill detection gaps in Entra ID account takeover scenarios by:\nReducing dependencies: Uses standard Azure AD connector data vs. 
M365 Defender requirements Correlation-based detection: Links creation and consent events for SP persistence Behavioral patterns: Identifies bulk administrative actions indicating compromise All three queries target documented attack patterns from NOBELIUM/Midnight Blizzard intrusions with low false positive rates.\nMITRE Mapping T1528 (Steal Application Access Token) - Device code phishing and malicious app consent T1078.004 (Cloud Accounts) - Compromised cloud account abuse T1098 (Account Manipulation) - Password resets for takeover T1098.003 (Additional Cloud Roles) - Service principal privilege grants Affected Files Hunting Queries/AuditLogs/BulkPasswordResetByActor.yaml Hunting Queries/AuditLogs/NewServicePrincipalGrantedAdminConsent.yaml Hunting Queries/MultipleDataSources/DeviceCodeSignInFromUnseenASN.yaml ","permalink":"http://sentinelchangelog.net/posts/2026-05-27-pr-14335/","summary":"Adds hunting pack targeting device code phishing, service principal persistence, and bulk password resets by privileged actors.","title":"Entra ID Account Takeover: Three-Query Hunting Pack for Post-Compromise Detection"},{"content":"What Changed Added new hunting query to detect BadUSB and hardware HID injection attacks that use the Windows Run dialog (WIN+R) to execute PowerShell with evasion techniques.\nDetection Logic Queries DeviceProcessEvents to identify PowerShell processes with these characteristics:\nParent process: explorer.exe (indicates GUI-initiated execution via Run dialog) Child process: powershell.exe or pwsh.exe Required flags: -WindowStyle Hidden (concealment) Evasion indicators: Any of 9 common cradle/bypass techniques including: Remote execution: DownloadString, WebClient, IEX Profile bypass: -NoProfile, -NonInteractive Policy bypass: -ExecutionPolicy Bypass The combination of hidden execution from explorer.exe parent with evasion flags creates high-confidence detection of automated injection rather than legitimate user activity.\nSecurity Impact 
Provides visibility into hardware-based initial access attacks including:\nFlipper Zero and Rubber Ducky USB keystroke injection BadUSB attacks using WIN+R automation Physical access scenarios with automated payload delivery The query has been validated against real Flipper Zero payloads and includes companion SIGMA rules for broader SIEM coverage.\nMITRE Mapping T1200 (Hardware Additions) - USB HID injection devices T1059.001 (PowerShell) - Script execution post-injection T1564.003 (Hidden Window) - Concealment via WindowStyle parameter Affected Files Hunting Queries/DeviceProcess/BadUSBPowerShellRunDialog.yaml ","permalink":"http://sentinelchangelog.net/posts/2026-05-27-pr-14336/","summary":"Adds hunting query to detect hardware keystroke injectors spawning PowerShell through explorer.exe with evasion patterns.","title":"BadUSB HID Injection Detection: New Hunt for PowerShell via Windows Run Dialog"},{"content":"What Changed Fixed a one-line bug in the OAuthConsentToHighRiskPermissionScope.yaml hunting query that caused it to return zero results. The query was filtering on an incorrect modifiedProperties.displayName value in Entra ID audit logs.\nSecurity Impact The hunting query was completely non-functional since its initial merge. 
Security teams using this query to detect OAuth consent to high-risk permissions would have received no alerts, creating a detection blind spot for:\nApplications gaining excessive permissions through OAuth consent Potential privilege escalation via malicious app consents High-risk scope grants that should trigger investigation Detection Logic The query filters Entra ID audit logs for consent events by checking TargetResources[0].modifiedProperties where:\nBefore (broken): displayName =~ \"ConsentContext.Permissions\" After (fixed): displayName =~ \"ConsentAction.Permissions\" The correct property name ConsentAction.Permissions is confirmed by other queries in the same repository that successfully parse OAuth consent events.\nMITRE Mapping T1098 (Account Manipulation) - OAuth consent can be used to grant persistent access T1078 (Valid Accounts) - Malicious apps gain legitimate access through consent Affected Files Hunting Queries/MultipleDataSources/OAuthConsentToHighRiskPermissionScope.yaml ","permalink":"http://sentinelchangelog.net/posts/2026-05-27-pr-14334/","summary":"Corrects broken hunting query that returned no results due to incorrect property name filter.","title":"Microsoft Entra ID OAuth Consent Query: Fixing Zero-Result Bug in High-Risk Permission Detection"},{"content":"What Changed Fixed workbook queries in the Cloudflare CCF solution to reference the correct normalized field names from the CCF connector's ASIM parser, resolving visualization failures from legacy field references.\nWorkbook Impact Field mappings corrected: Updated queries to use normalized ASIM fields (SrcIpAddr, HttpUserAgentOriginal, HttpReferrerOriginal, HttpRequestMethod, SrcGeoCountry) instead of legacy Cloudflare-specific field names (ClientIP, ClientRequestUserAgent, ClientRequestReferer, ClientRequestMethod, ClientCountry) Data visualization restored: Workbook charts and tables will now display data correctly for deployments 
using the Cloudflare CCF connector Deployment guidance added: Connector description now explicitly warns that the CCF connector requires the Azure Blob Storage account and Microsoft Sentinel workspace to be in the same subscription and resource group The field mapping corrections address a data fidelity issue where workbook queries returned null results due to referencing non-existent field names in the CCF connector's normalized output schema.\nDeployment Prerequisites Added critical deployment constraint documentation: the Cloudflare CCF connector requires Azure Blob Storage and the Microsoft Sentinel workspace to be co-located in the same Azure subscription and resource group. Cross-subscription deployments will fail with CreateDataFlowResources not defined errors during connector configuration.\nAffected Files Solutions/Cloudflare CCF/Data Connectors/CloudflareLog_CCF/CloudflareLog_ConnectorDefinition.json Solutions/Cloudflare CCF/Package/testParameters.json Solutions/Cloudflare CCF/Workbooks/CloudflareCCF.json Solutions/Cloudflare CCF/Workbooks/Images/Logo/cloudflare.svg Workbooks/WorkbooksMetadata.json (packaging artefacts: 3.0.3.zip, ReleaseNotes.md, Solution_Cloudflare.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-05-27-pr-14246/","summary":"Corrected workbook queries to use normalized ASIM fields from Cloudflare CCF connector, resolving visualization errors from legacy field references.","title":"Cloudflare CCF Workbook: Fixed Field Mapping for New CCF Schema"},{"content":"What Changed Added hunting query targeting ephemeral code-signing certificates used by Malware-Signing-as-a-Service (MSaaS) operations like Fox Tempest.\nDetection Logic The query correlates endpoint certificate data from DeviceFileCertificateInfo with device inventory:\nPrimary data source: DeviceFileCertificateInfo (certificate metadata), DeviceInfo (device context), DeviceTvmSoftwareInventory (software inventory) 
Core logic: Identifies certificates with lifespan ≤14 days on non-developer endpoints Exclusion mechanism: Filters out legitimate developer workstations using software keywords (Visual Studio, Jenkins, Git) and device tags Entity mappings: Host (DeviceName), IP (PublicIP), FileHash (SHA1) Uses timespan arithmetic (CertificateExpirationTime - CertificateCreationTime) to calculate certificate lifetime and applies dual-method exclusion to reduce false positives from legitimate DevOps pipelines.\nDetection Surface Unlocked Targets advanced evasion techniques where threat actors:\nUse stolen identities to abuse legitimate platforms (Microsoft Trusted Signing) Generate 72-hour to 14-day certificates for malware payloads Bypass SmartScreen and EDR reputation filters before certificate revocation Enable malware families (Oyster, Lumma, Rhysida ransomware) to appear legitimate Provides behavioral detection based on certificate lifespan anomaly rather than reactive IOCs, making it resilient against future MSaaS operators.\nMITRE Coverage T1553.002: Subvert Trust Controls: Code Signing (certificate abuse) T1588.003: Obtain Capabilities: Code Signing Certificates (acquisition of signing capability) Implementation Notes Query includes extensive adaptation guidance for customizing thresholds, adding organization-specific development tools to exclusion lists, and handling internal CA certificates to minimize false positives in production environments.\nAffected Files Hunting Queries/Microsoft 365 Defender/Defense evasion/Short-livedEphemeralCodeSigningCertificates.yaml ","permalink":"http://sentinelchangelog.net/posts/2026-05-27-pr-14308/","summary":"New hunting query identifies short-lived code signing certificates (≤14 days) on non-developer endpoints to detect Fox Tempest MSaaS operations.","title":"Hunting Query: Ephemeral Code Signing Certificates for Malware-Signing-as-a-Service Detection"},{"content":"What Changed Added sophisticated hunting query targeting advanced 
rootkits that achieve Ring-0 (kernel space) execution to blind EDR network telemetry while maintaining stealth.\nDetection Logic The query implements a \"Network Truth vs Host Truth\" comparison:\nNetwork Truth: ASimNetworkSessionLogs from perimeter firewalls (Palo Alto, Fortinet, Check Point, Cisco, Zscaler) Host Truth: DeviceNetworkEvents and DeviceNetworkInfo from MDE Core Logic: Left anti-join identifies outbound TCP connections visible to firewalls but completely missing from MDE telemetry Entity Mappings: Host (HostName, DnsDomain), IP (source and destination addresses) Uses compute optimizations including pre-filtering active MDE nodes, data stratification via DeviceNetworkInfo, and left-side join rule compliance to prevent O(N*M) explosions.\nDetection Surface Unlocked Detects BYOVD (Bring Your Own Vulnerable Driver) techniques where adversaries:\nUnlink Windows Filtering Platform (WFP) callouts Inject raw frames directly into NDIS Achieve complete EDR network telemetry blindness while maintaining C2 communication This creates a detection paradox: kernel-level endpoint tampering cannot hide physical packets leaving the network boundary.\nMITRE Coverage T1562.001: Disable or Modify Tools (EDR bypass) T1562.004: Disable or Modify System Firewall (WFP manipulation) T1011: Exfiltration Over Other Network Medium Implementation Notes Query includes extensive tuning guidance for production deployment, threshold configuration for noise reduction, and specific warnings about compute impact when converting to scheduled analytics rule.\nAffected Files Hunting Queries/Microsoft 365 Defender/Defense evasion/PotentialRootkitTrafficMissingFromMDE.yaml ","permalink":"http://sentinelchangelog.net/posts/2026-05-27-pr-14337/","summary":"New hunting query detects kernel-level rootkits bypassing EDR network telemetry by comparing perimeter firewall logs against Microsoft Defender for Endpoint data streams.","title":"Hunting Query: Rootkit Network Evasion 
Detection via Firewall-EDR Telemetry Delta"},{"content":"What Changed Updated the solution Description field in Content Hub to explicitly state that the Google Threat Intelligence custom Logic Apps connector must be deployed manually before any Playbooks will function.\nDeployment Impact Previously, customers installing the Google Threat Intelligence solution through Content Hub would encounter authentication failures when trying to use Playbooks, as the required custom connector resource was not included in the automated deployment. The solution description now provides clear prerequisite information and links to connector deployment instructions.\nAffected Files (packaging artefacts: 3.2.3.zip, ReleaseNotes.md, Solution_GoogleThreatIntelligence.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-05-27-pr-14267/","summary":"Solution metadata updated to warn customers that Playbooks require manual deployment of the GTI custom Logic Apps connector before use.","title":"Google Threat Intelligence Solution: Custom Connector Deployment Prerequisites Clarified"},{"content":"What Changed Applied --ignore-scripts to npm install across 13 validation workflows and tightened security controls for the package-command slash dispatcher.\nSecurity Hardening Details The npm --ignore-scripts flag prevents potentially malicious lifecycle scripts in dependencies from executing during CI builds. 
The slash-command dispatcher now requires:\nComment authors to have OWNER, MEMBER, or COLLABORATOR repository permissions Explicit fork checks to prevent unauthorized package operations Improved input validation for branch names and pull request numbers Affected Files .github/workflows/content-validations.yaml .github/workflows/data-connector-validations.yaml .github/workflows/detection-validations.yaml .github/workflows/documents-link-validation.yaml .github/workflows/json-syntax-validation.yaml .github/workflows/logo-validation.yaml .github/workflows/package-command.yaml .github/workflows/playbook-validations.yaml .github/workflows/slash-command-dispatch.yaml .github/workflows/solution-validations.yaml .github/workflows/workbook-metadata-validations.yaml .github/workflows/workbook-template-validations.yaml .github/workflows/yaml-syntax-validation.yaml ","permalink":"http://sentinelchangelog.net/posts/2026-05-27-pr-14324/","summary":"CI hardening prevents npm lifecycle script execution and restricts slash-command dispatch to authorized repository members only.","title":"GitHub Actions Security: npm Scripts Disabled and Workflow Permissions Tightened"},{"content":"What Changed Added new hunting query targeting evasive network execution contexts through cryptographic identity baselining. Detects processes making first-time outbound connections outside a 14-day baseline.\nDetection Logic Uses DeviceFileCertificateInfo, DeviceNetworkEvents, and DeviceInfo tables to build identity profiles based on InitiatingProcessFileName + cryptographic Signer (requiring IsSigned == true and IsTrusted == true). 
Compares 24-hour activity against 14-day baseline using anti-join pattern, surfacing first-time network connections by verified process identities.\nIncludes performance optimizations with early isnotempty() filtering and comprehensive entity mappings for Host, Account, IP, Process, and FileHash.\nMITRE Mapping T1055 (Process Injection): Targets DLL sideloading via legitimate signed binaries T1071 (Application Layer Protocol): Detects C2 communication through reputable processes T1095 (Non-Application Layer Protocol): Captures anomalous network patterns Note: Query includes alertDetailsOverride and severity fields typically used for Analytic Rules rather than Hunting Queries—may require schema validation review.\nAffected Files Hunting Queries/Microsoft 365 Defender/Command and Control/First-TimeNetworkConnectionByUnusualProcess.yaml ","permalink":"http://sentinelchangelog.net/posts/2026-05-26-pr-14333/","summary":"New hunting query detects first-time network connections by processes using cryptographic signer baselining to defeat DLL sideloading and BYOTA attacks.","title":"Defender for Endpoint: Cryptographic Identity Baselining Hunting Query for Process Network Anomalies"},{"content":"What Changed ASIM AssetEntity schema bumped to version 1.0.0 with three new fields added to the empty parser template:\nEntityKey (Optional, String): unique identifier for entity correlation EntityIdType (Mandatory, String): type of entity identifier EntitySnapshotId (Optional, String): snapshot identifier for the record Parser Impact No change to existing normalised field names or filter logic—safe for existing detections using this parser. 
The new fields extend correlation capabilities without breaking backward compatibility.\nData fidelity improvement: Queries referencing EntityKey, EntityIdType, or EntitySnapshotId against this parser previously returned null—this adds support for these correlation fields in asset entity queries.\nAffected Files .script/tests/asimParsersTest/VerifyASimParserTemplate.py ASIM/dev/ASimTester/ASimTester.csv Parsers/ASimAssetEntity/ARM/vimAssetEntityEmpty/vimAssetEntityEmpty.json Parsers/ASimAssetEntity/CHANGELOG/vimAssetEntityEmpty.md Parsers/ASimAssetEntity/Parsers/vimAssetEntityEmpty.yaml ","permalink":"http://sentinelchangelog.net/posts/2026-05-26-pr-14312/","summary":"ASIM AssetEntity schema upgraded to v1.0.0 with three new fields for enhanced entity correlation and snapshot tracking.","title":"ASIM AssetEntity Schema: Three New Fields Added in v1.0.0 Release"},{"content":"What Changed Three new hunting queries targeting Entra ID attack chain correlation patterns where the security signal emerges from sequencing two events rather than individual events.\nDetection Logic FreshRoleGrantedActorSpCredentialAdded: Joins AuditLogs to correlate privileged role grants (Application Administrator, Cloud Application Administrator, Global Administrator, Privileged Role Administrator) with service principal credential additions within 24 hours by the same user.\nServicePrincipalFederatedIdentityCredentialAdded: Detects federated identity credential additions to service principals via \"Update service principal\" operations where modifiedProperties contains \"FederatedIdentityCredentials\"—enables external OIDC workloads to authenticate without secrets.\nMFADisabledThenSignInFromUnseenIP: Cross-source join between AuditLogs and SigninLogs flagging successful sign-ins from IPs not seen in prior 30 days occurring within 60 minutes of MFA being disabled for the same account.\nMITRE Mapping T1098.001 (Additional Cloud Credentials): Service 
principal credential and federated identity credential additions T1556.006 (Modify Authentication Process: Multi-Factor Authentication): MFA disabling operations T1078.004 (Valid Accounts: Cloud Accounts): Post-compromise account usage from new locations Affected Files Hunting Queries/AuditLogs/FreshRoleGrantedActorSpCredentialAdded.yaml Hunting Queries/AuditLogs/ServicePrincipalFederatedIdentityCredentialAdded.yaml Hunting Queries/MultipleDataSources/MFADisabledThenSignInFromUnseenIP.yaml ","permalink":"http://sentinelchangelog.net/posts/2026-05-26-pr-14311/","summary":"Three hunting queries detect multi-event attack chains in Entra ID—privileged role grants followed by SP credential additions and MFA disabling followed by sign-ins from unknown IPs.","title":"Entra ID Attack Chain Correlation: Three New Hunting Queries for Sequential Compromise Patterns"},{"content":"What Changed New hunting query targeting phishing campaigns that use raw IPv4 addresses as URL domains instead of registered domain names to evade DNS-based reputation filtering.\nDetection Logic Query joins EmailUrlInfo with EmailEvents on NetworkMessageId to detect delivered inbound emails containing URLs where UrlDomain field matches IPv4 regex pattern. 
Primary data sources are EmailEvents and EmailUrlInfo tables from Microsoft Threat Protection connector.\nCore logic filters for:\n30-day lookback window UrlDomain matching IPv4 dotted-quad regex pattern EmailDirection == \"Inbound\" DeliveryAction == \"Delivered\" Entity mappings include IP (UrlDomain), URL (Url), and Account (RecipientEmailAddress).\nMITRE Mapping T1566 (Phishing): Primary technique for initial access via malicious emails T1566.002 (Spearphishing Link): Specific sub-technique for URL-based phishing delivery Affected Files Hunting Queries/Microsoft 365 Defender/Email and Collaboration Queries/Phish/IP-as-URL-Domain-Detection.yaml ","permalink":"http://sentinelchangelog.net/posts/2026-05-26-pr-14340/","summary":"New hunting query identifies delivered emails using raw IPv4 addresses as URL domains to detect phishing campaigns bypassing domain reputation systems.","title":"Phishing Detection: Raw IP URLs in Delivered Email"},{"content":"What Changed Three new hunting queries focused on Entra ID post-compromise activity that degrades security controls or establishes covert persistence through timing-based evasion and federation manipulation.\nDetection Logic All queries use AuditLogs table exclusively and include Account/IP entity mappings:\nPIM Role Activation Outside Business Hours: Surfaces PIM role activations during weekends or outside configurable business hours (default 07:00-20:00 UTC). Primary logic joins against successful RoleManagement operations for PIM activation events and filters by time-based anomalies.\nNamed Location Deleted/Modified: Identifies Add/Update/Delete operations on Entra ID named locations under Policy category. 
Targets silent Conditional Access weakening where attackers modify IP range or country definitions rather than disabling CA policies directly.\nFederated Domain Added: Surfaces \"Set domain authentication\" operations where domains transition to federated authentication. Filters for NewValue containing \"Federated\" to catch Golden SAML preparation attacks.\nMITRE Mapping T1078.004 (Cloud Accounts): PIM activation outside business hours T1562.001 (Disable Security Tools): Named location manipulation T1484.002 (Trust Modification): Domain federation changes for Golden SAML Affected Files Hunting Queries/AuditLogs/FederatedDomainAddedToTenant.yaml Hunting Queries/AuditLogs/NamedLocationDeletedOrModified.yaml Hunting Queries/AuditLogs/PIMRoleActivationOutsideBusinessHours.yaml ","permalink":"http://sentinelchangelog.net/posts/2026-05-26-pr-14240/","summary":"Three hunting queries targeting silent defense weakening techniques and off-hours privilege escalation in Entra ID environments.","title":"Entra ID Hunting Pack: Defense Weakening and Privilege Abuse Detection"},{"content":"What Changed Added three advanced hunting queries that detect LSASS credential dumping by focusing on behavioral \"physics\" rather than fragile timing heuristics or static tool signatures.\nDetection Logic HighVolumeLsassMemoryRead: Detects processes extracting >40MB from LSASS memory via ReadProcessMemory API. Uses cryptographic whitelisting and defeats handle hijacking evasions by tracking physical bytes copied at kernel level.\nSuspiciousLsassAccessRequest: Flags non-SYSTEM accounts requesting privileged access masks (PROCESS_VM_READ, PROCESS_ALL_ACCESS) against LSASS. 
Catches dumping intent even if memory read fails or is delayed to evade correlation rules.\nLsassAccessFromUnbackedMemory: Leverages Sysmon Event ID 10 CallTrace analysis to detect LSASS access from unbacked memory regions (process hollowing/shellcode injection). Legitimate tools use file-backed DLLs; attackers use in-memory execution.\nMITRE Mapping T1003.001 (OS Credential Dumping: LSASS Memory) — All three queries target this technique across different attack vectors These queries address critical gaps where existing detections fail against modern evasion techniques including privilege escalation, handle hijacking, and binary renaming.\nAffected Files Hunting Queries/Microsoft 365 Defender/Credential Access/HighVolumeLsassMemoryRead.yaml Hunting Queries/Microsoft 365 Defender/Credential Access/SuspiciousLsassAccessRequest.yaml Hunting Queries/WindowsEvent/LsassAccessFromUnbackedMemory.yaml ","permalink":"http://sentinelchangelog.net/posts/2026-05-26-pr-14341/","summary":"Three new hunting queries detect LSASS memory dumping using behavioral physics rather than brittle timing or tool names.","title":"LSASS Credential Dumping: Resilient Behavioral Detection Pack Added"},{"content":"What Changed Updated the BloodHound Enterprise solution logo (BHE_Logo.svg) to align with SpecterOps current branding and improve how the solution appears in Microsoft Sentinel Content Hub.\nThis is a cosmetic change affecting only the visual representation of the solution in the Content Hub catalog — no security functionality is impacted.\nAffected Files Logos/BHE_Logo.svg (packaging artefacts: ReleaseNotes.md) ","permalink":"http://sentinelchangelog.net/posts/2026-05-26-pr-14254/","summary":"Updated BloodHound Enterprise solution logo to current SpecterOps branding.","title":"BloodHound Enterprise: Logo Update Aligns Solution Branding"},{"content":"What Changed The Fortinet FortiGate Next-Generation Firewall solution Playbook Function App authentication level was changed from 
\"anonymous\" to \"function\" in the mainTemplate.json deployment template. Additional packaging updates include a storage account API version bump and updated release notes.\nSecurity Impact Before this fix: The Playbook Function App HTTP trigger accepted anonymous requests, creating an authentication bypass risk where any external entity could invoke the automation workflows without credentials.\nAfter this fix: Function-level authentication is required, meaning callers must provide a valid function key to trigger the Playbook workflows.\nThis change eliminates unauthorized access to FortiGate automation functions and aligns with security best practices for Azure Function App deployments. SOCs using this solution should update to ensure their SOAR automation endpoints are properly authenticated.\nAffected Files (packaging artefacts: 3.0.9.zip, ReleaseNotes.md, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-05-25-pr-14316/","summary":"Playbook Function App authentication level upgraded from anonymous to function-level to close security exposure.","title":"Fortinet FortiGate Playbook: Function App Authentication Security Hardening"},{"content":"What Changed New Microsoft Sentinel solution enabling ingestion of Cyren threat intelligence indicators through an automated Logic App playbook. 
The solution provides dual-feed support for IP reputation and malware URL data via Cyren's CCF API, with STIX indicator formatting and automated push to Sentinel's Threat Intelligence platform.\nData Source Cyren threat intelligence feeds provide two distinct data categories:\nIP Reputation feed: Malicious IP addresses with risk scoring Malware URL feed: Known malicious URLs and domains The solution polls Cyren's CCF API (api-feeds.cyren.com) every 6 hours using JWT Bearer authentication, supporting delta polling via persistent token pagination.\nIngestion Mechanism Logic App-based connector that:\nFetches NDJSON-formatted indicators from Cyren feeds Transforms data into STIX 2.1 indicator format Pushes indicators to Sentinel via the createIndicator API Uses managed identity authentication for workspace access Implements confidence mapping from Cyren risk scores The playbook requires Sentinel Contributor role assignment and includes null identifier guards plus 2-day freshness filtering to prevent re-ingestion of stale indicators.\nDetection Surface Unlocked Enables correlation of network activity against Cyren threat intelligence:\nIP-based detections: Outbound connections, authentication events, and network flows against malicious IP indicators URL-based detections: Web proxy logs, DNS queries, and email security events against malicious URL indicators STIX pattern matching: Compatible with existing TI-based analytics using ThreatIntelligenceIndicator table Deployment Architecture ARM template deploys:\nLogic App workflow with 6-hour recurrence Storage Account for persistent token state management Role assignment granting managed identity Sentinel Contributor access Configurable feed selection (ip_reputation or malware_urls) Affected Files Solutions/Cyren-Defender-ThreatIntelligence/Playbooks/CyrenToDefenderTI_Playbook.json Solutions/Cyren-Defender-ThreatIntelligence/Playbooks/Images/content-hub-installed.png 
Solutions/Cyren-Defender-ThreatIntelligence/Playbooks/Images/playbook-template-visible.png (packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_CyrenDefenderTI.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-05-25-pr-14121/","summary":"Content Hub solution adds Cyren threat intelligence feeds for IP reputation and malware URL indicators via automated Logic App playbook.","title":"Cyren Defender Threat Intelligence: New IP and Malware URL Ingestion for Microsoft Sentinel"},{"content":"What Changed Added three hunting queries addressing workload identity abuse and privileged role assignment anomalies - a detection area with limited existing coverage targeting active threat actor techniques (Storm-0558, Midnight Blizzard).\nDetection Logic Directory Role Assigned Outside PIM Primary data source: AuditLogs Core logic: detects permanent directory role assignments to privileged roles (Global Administrator, Privileged Role Administrator, Application Administrator) made via direct assignment path, bypassing Privileged Identity Management approval and justification requirements Entity types: Account (actor and target), IP Uses exact OperationName match \u0026ldquo;Add member to role.\u0026rdquo; to exclude PIM activation variants Workload Identity Sign-in from New Country Primary data source: AADServicePrincipalSignInLogs Core logic: identifies service principal sign-ins from countries not present in the SP\u0026rsquo;s 14-day geographic baseline, using hint.strategy=broadcast on baseline join Entity types: Account, IP Detects stolen client credentials replayed from attacker infrastructure Application App Role Assigned High Privilege Primary data source: AuditLogs Core logic: flags application role assignments to service principals where granted role is high-risk (Mail.ReadWrite, Directory.ReadWrite.All, RoleManagement.ReadWrite.Directory, Application.ReadWrite.All) Entity types: Account, 
IP Covers application-permission equivalent of consent grants, targeting persistent Exchange access mechanism Security Impact (Visibility \u0026amp; Fidelity) These queries address critical detection gaps where:\nWorkload identities with stable infrastructure patterns suddenly sign in from new geographic locations indicating credential theft Privileged directory roles are assigned outside PIM workflows, bypassing approval and justification controls Application-level permissions grant tenant-wide access without user context, invisible to standard delegated permission reviews MITRE Mapping Initial Access, Credential Access (T1078.004): Valid Accounts: Cloud Accounts - targeting service principal abuse Persistence, Credential Access (T1098.003): Account Manipulation: Additional Cloud Roles - detecting role assignment abuse Persistence, Credential Access (T1528): Steal Application Access Token - covering application permission grants Affected Files Hunting Queries/AuditLogs/ApplicationAppRoleAssignedHighPrivilege.yaml Hunting Queries/AuditLogs/DirectoryRoleAssignedOutsidePIM.yaml Hunting Queries/MultipleDataSources/WorkloadIdentitySignInFromNewCountry.yaml ","permalink":"http://sentinelchangelog.net/posts/2026-05-21-pr-14281/","summary":"New hunting pack targeting workload identity abuse and privileged role assignment anomalies with coverage gaps for service principal credential theft and PIM bypass techniques.","title":"Entra ID Workload Identity and Privileged Role Hunting Pack: Three New Detection Queries"},{"content":"What Changed Added a new hunting query targeting in-memory .NET execution that remains effective even when adversaries patch Event Tracing for Windows (ETW) to evade detection.\nDetection Logic Primary data source: DeviceImageLoadEvents (kernel-driven telemetry via PsSetLoadImageNotifyRoutine) Core logic: detects when native Windows binaries or processes in user-writable directories unexpectedly load .NET runtime DLLs (clr.dll, mscoree.dll, 
mscorwks.dll, coreclr.dll) Entity types: Host, Account, Process Behavioral filters include LOLBin hijacking detection and suspicious staging path analysis Security Impact (Visibility \u0026amp; Fidelity) This query addresses a critical detection gap where advanced malware can bypass traditional memory execution alerts. Adversaries commonly patch user-mode ETW functions (like ntdll.dll!EtwEventWrite) to prevent EDRs from observing ClrUnbackedModuleLoaded events. This query shifts detection to kernel-level prerequisite behavior that user-mode malware cannot intercept or patch.\nKey behavioral indicators:\nNative C/C++ Windows tools (rundll32.exe, mshta.exe, wscript.exe) suddenly loading .NET engine Executables from high-risk user-writable directories (AppData, Temp, ProgramData) loading .NET runtime Provides resilient fallback when ETW telemetry is compromised MITRE Mapping Defense Evasion (T1562.001): Disable or Modify Tools - targeting ETW patching techniques Execution (T1055): Process Injection - detecting fileless .NET injection methods Affected Files Hunting Queries/Microsoft 365 Defender/Defense evasion/AnomalousNETRuntimeFilelessInjection.yaml ","permalink":"http://sentinelchangelog.net/posts/2026-05-21-pr-14314/","summary":"New hunting query detects fileless .NET execution even when attackers patch ETW by monitoring kernel-level .NET runtime DLL loading in native processes and untrusted paths.","title":"ETW-Resistant .NET Fileless Injection Detection via Kernel-Level CLR Loading"},{"content":"What Changed Updated two CrowdStrike Falcon detection rules and workbook following Content Doctor recommendations to improve content score. 
Changes include enhanced descriptions, MITRE ATT\u0026amp;CK mappings, query optimization, and alert customization features.\nDetection Logic Critical or High Severity Detections by User (v1.0.4 → v1.0.5) Primary data source: CrowdStrikeFalconEventStream Core logic: filters DetectionSummaryEvent records with Critical/High severity, groups by DstUserName, alerts when detections exceed threshold of 15 within 1 hour Entity types: Account, Host, IP, FileHash Added alertDetailsOverride with dynamic display names and customDetails for enriched context Critical Severity Detection (v1.0.4 → v1.0.5) Primary data source: CrowdStrikeFalconEventStream Core logic: queries DetectionSummaryEvent records where Severity is Critical, summarizes by host/user/file details Entity types: Account, Host, IP, FileHash Added alertDetailsOverride and comprehensive customDetails including detection count, technique, activity, and file information MITRE Mapping Added tactics and techniques to both rules:\nCritical or High Severity rule: Impact, Defense Evasion (T1489 Service Stop, T1562 Impair Defenses) Critical Severity rule: Execution, Impact (T1204.002 Malicious File, T1499 Endpoint Denial of Service) Workbook Enhancements Added introduction section with usage guidance Improved visualizations with proper naming conventions Added noDataMessage handling for better user experience Enhanced export capabilities with showExportToExcel options Affected Files Solutions/CrowdStrike Falcon Endpoint Protection/Analytic Rules/CriticalOrHighSeverityDetectionsByUser.yaml Solutions/CrowdStrike Falcon Endpoint Protection/Analytic Rules/CriticalSeverityDetection.yaml Solutions/CrowdStrike Falcon Endpoint Protection/Workbooks/CrowdStrikeFalconEndpointProtection.json (packaging artefacts: 3.3.5.zip, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-05-21-pr-14268/","summary":"Content Doctor improvements to CrowdStrike Falcon detection rules enhancing KQL logic, 
MITRE mappings, and alert presentation for critical/high severity detections.","title":"CrowdStrike Content Doctor Enhancement: Improved Detection Logic and Alert Customization"},{"content":"What Changed Added a new hunting query \u0026ldquo;Identify acting user for reported phish\u0026rdquo; to both standalone and Microsoft Defender XDR solution paths. This query correlates user-reported phishing alerts with mailbox activity to determine the actual acting user.\nQuery Logic Primary data sources: AlertEvidence, CloudAppEvents Core logic: Joins user phish reports (AlertEvidence where Title == \u0026ldquo;Email reported by user as malware or phish\u0026rdquo;) with deleted items activity (CloudAppEvents with MovedToDeletedItems actions) on InternetMessageId Entity comparison: Normalizes and compares recipient email addresses with acting user email addresses to determine if they match Output: Returns detailed correlation showing alert timing, message details, and whether recipient matches the acting user Detection Surface This query addresses investigation gaps in email security workflows where:\nDelegates report messages on behalf of other users Shared mailbox users report messages under different identities SOC analysts need to understand the true chain of custody for phish reports The query enables analysts to distinguish between legitimate delegate actions and potential account compromise scenarios where an unexpected user is handling mailbox operations.\nAffected Files Hunting Queries/Microsoft 365 Defender/Email and Collaboration Queries/Submissions/Identify acting user for reported phish.yaml Solutions/Microsoft Defender XDR/Hunting Queries/Email and Collaboration Queries/Submissions/Identify acting user for reported phish.yaml ","permalink":"http://sentinelchangelog.net/posts/2026-05-21-pr-14257/","summary":"New hunting query helps identify the actual user who reported a phishing message when recipients and actors differ in delegate or shared mailbox 
scenarios.","title":"Microsoft Defender XDR: New Hunting Query for Delegate Mailbox Phish Reporting Analysis"},{"content":"What Changed The OpenAI data connector has been updated to normalize chat completions data into the ASIM (Advanced Security Information Model) standard table ASimAgentEventLogs rather than the custom OpenAIChatCompletions_CL table.\nSecurity Impact (Visibility \u0026amp; Fidelity) Data Standardization: Chat completions now follow the ASIM AgentEvent schema, enabling standardized AI usage monitoring across multiple AI platforms within Microsoft Sentinel Cross-Product Correlation: Normalizing to ASimAgentEventLogs allows for unified queries across different AI/LLM platforms that implement ASIM standards Field Mapping Enhancement: The DCR transform now maps OpenAI response fields to standard ASIM fields (EventUid, EventRequestId, ModelName, InputTokensUsed, OutputTokensUsed, EventVendor, EventProduct) Parser Updates: The OpenAIChatCompletions alias function now filters ASimAgentEventLogs by OpenAI-specific fields rather than querying a custom table Technical Changes Removed custom table definition OpenAIChatCompletions_Table.json Updated DCR output stream from Custom-OpenAIChatCompletions_CL to Microsoft-ASimAgentEventLogs Rewrote transform KQL to map to ASIM schema with standard fields like EventVendor: OpenAI, EventProduct: OpenAI API Platform, and EventType: ChatCompletion Updated connector definition, polling config, and UI documentation to reference the new table structure Solution version bumped from 3.0.0 to 3.1.0 Existing deployments using the OpenAI connector should update to benefit from standardized AI monitoring capabilities and improved query correlation across AI platforms.\nAffected Files Solutions/OpenAI/Data Connectors/OpenAI_CCP/OpenAIAuditLogs_Table.json Solutions/OpenAI/Data Connectors/OpenAI_CCP/OpenAIChatCompletions_Table.json Solutions/OpenAI/Data Connectors/OpenAI_CCP/OpenAI_ConnectorDefinition.json Solutions/OpenAI/Data 
Connectors/OpenAI_CCP/OpenAI_DCR.json Solutions/OpenAI/Data Connectors/OpenAI_CCP/OpenAI_PollingConfig.json Solutions/OpenAI/Parsers/parser_OpenAIChatCompletionsAliasFunction.json Tools/Create-Azure-Sentinel-Solution/common/standardLogStreams.ps1 (packaging artefacts: 3.1.0.zip, ReleaseNotes.md, Solution_OpenAI.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-05-20-pr-14277/","summary":"OpenAI chat completions data now ingests to ASimAgentEventLogs standard table, enabling standardized AI usage monitoring and cross-product correlation.","title":"OpenAI Connector: Migration to ASIM Standard Improves AI Monitoring Normalization"},{"content":"What Changed Solution metadata updated to transition SailPoint IdentityNow from partner-published to Microsoft-published solution in Content Hub Public Preview. Changes affect only packaging and publisher attribution fields.\nPublisher ID migrated from partner tier to Microsoft (azuresentinel publisher, Microsoft support tier). Solution version remains at 3.0.1 with no modifications to detection rules, parsers, or data collection logic.\nAll substantive security content (CCF Data Connector, parser functions, Analytic Rules) unchanged from v3.0.1 released November 2024.\nAffected Files (packaging artefacts: 3.0.1.zip, SolutionMetadata.json, Solution_SailpointIdentityNow.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-05-20-pr-14297/","summary":"SailPoint IdentityNow solution metadata updated for Microsoft-published Public Preview release with no functional changes to identity monitoring capabilities.","title":"SailPoint IdentityNow: Publisher Migration to Microsoft Public Preview"},{"content":"What Changed New Microsoft Sentinel solution deploying a Logic App playbook that automates threat intelligence indicator synchronization between Cyren CCF feeds and CrowdStrike Falcon Custom IOC endpoints. 
The solution supports dual-feed architecture with optional JWT tokens for IP reputation and malware URL feeds.\nIntegration Architecture Data Flow: Cyren CCF API feeds → Logic App polling (6-hour recurrence) → CrowdStrike Falcon Custom IOC API (/iocs/entities/indicators/v1)\nAuthentication: OAuth2 Bearer tokens for Cyren feeds; OAuth2 Client ID/Secret for CrowdStrike API access\nFeed Types Supported:\nIP reputation indicators (ip_reputation feedId) Malware URL indicators (malware_urls feedId) Deployment Configuration The playbook requires region-specific CrowdStrike API base URLs (e.g., api.crowdstrike.com, api.us-2.crowdstrike.com) and implements persistent token pagination for reliable feed consumption. Customers can deploy with one or both Cyren feed subscriptions.\nSecurity Impact Enables automated IOC ingestion from Cyren threat intelligence into CrowdStrike Falcon for immediate threat blocking and detection. The 6-hour polling interval with lastSeen \u0026gt;= 2d filtering prevents re-pushing stale indicators while maintaining current threat coverage. 
This automation reduces manual IOC management overhead for SOC teams managing both platforms.\nAffected Files Solutions/Cyren-CrowdStrike-ThreatIntelligence/Playbooks/CyrenToCrowdStrike_Playbook.json Solutions/Cyren-CrowdStrike-ThreatIntelligence/Playbooks/Images/create-playbook-basics.png Solutions/Cyren-CrowdStrike-ThreatIntelligence/Playbooks/Images/create-playbook-parameters.png Solutions/Cyren-CrowdStrike-ThreatIntelligence/Playbooks/Images/playbook-template-visible.png (packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_CyrenCrowdStrike.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-05-20-pr-13658/","summary":"Logic App playbook now available to automatically sync Cyren IP reputation and malware URL indicators to CrowdStrike Falcon for streamlined threat blocking.","title":"New Cyren-CrowdStrike Threat Intelligence Solution: Automated IOC Sync for Enhanced Threat Detection"},{"content":"What Changed XBOW Data Connector upgraded from API version 2026-02-01 to 2026-04-01, enhanced assessment data collection to include full detail records, and improved error handling for 400 Bad Request responses. Solution version updated from 3.0.0 to 3.0.1.\nSecurity Impact (Visibility \u0026amp; Fidelity) Previous assessment ingestion only captured summary data from the list endpoint, missing critical offensive security metrics. 
This update fetches full assessment details including:\nAttack Credits: Quantified measure of offensive security testing resources consumed per assessment Recent Events: Detailed activity logs showing specific attack progression and technique execution Enhanced Error Handling: 400 Bad Request responses now provide explicit error details instead of generic failures Assessment events now provide complete visibility into offensive security testing activities, enabling SOC teams to correlate attack simulation results with defensive telemetry and measure security control effectiveness against real-world attack techniques.\nData Enrichment Improvements Assessment Events: Now includes attackCredits and recentEvents fields populated from full detail API calls State Management: Refactored to use dataclass structure for improved reliability and type safety API Compatibility: Updated User-Agent to version 1.1 and API version header to 2026-04-01 Analytic Rules: Updated incident grouping to use consistent field naming (FindingID instead of FindingId) Affected Files Solutions/XBOW/Analytic Rules/XbowCriticalHighFindings.yaml Solutions/XBOW/Analytic Rules/XbowLowFindings.yaml Solutions/XBOW/Analytic Rules/XbowMediumFindings.yaml Solutions/XBOW/Analytic Rules/XbowNewAssetDiscovered.yaml Solutions/XBOW/Data Connectors/AzureFunctionXbow/main.py (packaging artefacts: 3.0.1.zip, ReleaseNotes.md, Solution_Xbow.json, Xbow.zip, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-05-20-pr-14145/","summary":"XBOW connector upgrades to latest API version, adding attack credits tracking and recent event details to assessment ingestion for improved offensive security visibility.","title":"XBOW: API Version 2026-04-01 Upgrade Enriches Assessment Data with Attack Credits and Events"},{"content":"What Changed ESET PROTECT Platform Data Connector migrated from timestamp-based data filtering to delta token implementation for more reliable data ingestion. 
The connector version was bumped from 3.2.0 to 3.3.0.\nSecurity Impact (Visibility \u0026amp; Fidelity) Timestamp-based filtering in high-volume environments can miss events that occur within the same timestamp window or during clock skew scenarios. The previous implementation filtered data by occurTime for detections and createTime for incidents, which could result in data loss during rapid event generation or system time inconsistencies.\nDelta tokens provide a sequential cursor mechanism that ensures no events are missed between polling intervals. This change eliminates the risk of blind spots where ESET security events could be lost due to temporal filtering limitations — particularly critical for threat detection and incident response activities.\nData Ingestion Mechanism Previous: Time-based filtering using occurTime and createTime timestamps Current: Delta token-based sequential processing with nextDeltaToken tracking Storage: Migrated from LastDetectionTime{DataSource} to LastData{DataSource} table structure Backwards Compatibility: Maintains support for version 3.0.0 deployments through automatic detection and fallback logic Affected Files Solutions/ESET Protect Platform/Data Connectors/main_sentinel.py Solutions/ESET Protect Platform/Data Connectors/utils_sentinel.py (packaging artefacts: FunctionAppESETProtectPlatform.zip) ","permalink":"http://sentinelchangelog.net/posts/2026-05-20-pr-14149/","summary":"ESET connector switches from unreliable timestamp filtering to delta tokens, closing potential data loss gaps during high-volume ingestion periods.","title":"ESET PROTECT Platform: Delta Token Migration Eliminates Data Gaps from Timestamp Filtering"},{"content":"What Changed Added three hunting queries to the MultipleDataSources folder that correlate Entra ID data sources to detect post-compromise identity abuse patterns:\nMFARegistrationFromUnseenIP.yaml - Flags MFA method registrations from IP addresses absent in the user\u0026rsquo;s 30-day sign-in 
baseline SignInFromNewCountryWithSensitiveOperation.yaml - Correlates sign-ins from new countries with sensitive operations within one hour BulkRoleAssignmentsInShortWindow.yaml - Detects rapid role assignments by the same actor within a 10-minute window Detection Logic MFA Registration Query:\nPrimary data source: AuditLogs + SigninLogs Core logic: Compares MFA registration source IPs against 30-day per-user sign-in IP baselines, flagging registrations from novel addresses Entity types: Account, IP Baseline period: 30 days of successful sign-ins Country Correlation Query:\nPrimary data source: SigninLogs + AuditLogs Core logic: Identifies sign-ins from countries absent in user\u0026rsquo;s 30-day baseline, then correlates with sensitive operations (role assignments, consent grants, credential additions) within 1 hour Entity types: Account, IP Correlation window: 1 hour post-sign-in Bulk Role Assignment Query:\nPrimary data source: AuditLogs + SigninLogs Core logic: Aggregates successful \u0026ldquo;Add member to role\u0026rdquo; operations by actor in 10-minute buckets, flags when threshold (≥3 assignments) is reached, enriches with actor\u0026rsquo;s most recent sign-in country Entity types: Account, IP Time window: 10-minute buckets with configurable threshold MITRE Mapping T1556.006 (Multi-factor Authentication) - MFA registration from novel IP addresses T1078.004 (Valid Accounts: Cloud Accounts) - Sign-ins from new countries followed by privileged actions T1098.003 (Account Manipulation: Additional Cloud Roles) - Bulk role assignment velocity patterns Affected Files Hunting Queries/MultipleDataSources/BulkRoleAssignmentsInShortWindow.yaml Hunting Queries/MultipleDataSources/MFARegistrationFromUnseenIP.yaml Hunting Queries/MultipleDataSources/SignInFromNewCountryWithSensitiveOperation.yaml ","permalink":"http://sentinelchangelog.net/posts/2026-05-19-pr-14262/","summary":"Three new hunting queries correlate AuditLogs and SigninLogs to surface post-compromise 
identity patterns using baseline-driven anomaly detection.","title":"Entra ID Cross-Source Hunting Pack: Post-Compromise Pattern Detection"},{"content":"What Changed New CCF-based Data Connector for Illumio Insights Graph that ingests AI-powered threat discovery and anomaly reports generated by the Illumio Insights Agent.\nData Source Product: Illumio Insights Graph (Illumio zero-trust segmentation platform) API Endpoint: https://gw.console.illum.io/api/v1/resource-insights Ingestion Frequency: 15-minute polling intervals Ingestion Mechanism Framework: CCF (Codeless Connector Framework) with DCR Target Table: IllumioInsightsGraph_CL Authentication: API Key authentication with tenant-specific headers Data Transformation: Custom KQL transform parses JSON insights into structured network flow data Detection Surface Unlocked The connector provides comprehensive network traffic analysis capabilities including:\nNetwork Flow Intelligence Source/destination IP addresses, ports, and protocols Resource identification and internal IDs Network byte counts (sent/received) Flow frequency analysis Geographic and Threat Context Geographic location data (city, region, country) for source and destination Threat level scoring for endpoints Virtual network identification (Azure VNet IDs) Well-known service identification Enhanced Visibility Network traffic patterns between segmented resources Anomalous communication flows flagged by Illumio AI Cross-regional and cross-VNet communication analysis Service-level traffic breakdown with port/protocol details This connector fills a critical gap in zero-trust network monitoring by providing AI-enhanced visibility into micro-segmented network flows, enabling detection of lateral movement and policy violations within segmented environments.\nAffected Files Solutions/Illumio Insight/Data Connectors/IllumioInsightsGraph_CCP/IllumioInsightsGraph_ConnectorDefinition.json Solutions/Illumio Insight/Data 
Connectors/IllumioInsightsGraph_CCP/IllumioInsightsGraph_DCR.json Solutions/Illumio Insight/Data Connectors/IllumioInsightsGraph_CCP/IllumioInsightsGraph_PollingConfig.json Solutions/Illumio Insight/Data Connectors/IllumioInsightsGraph_CCP/table_IllumioInsightsGraph.json (packaging artefacts: 3.3.3.zip, ReleaseNotes.md, Solution_IllumioInsights.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-05-19-pr-14035/","summary":"New CCF-based connector ingests Illumio AI-powered threat discovery reports with network flow analysis, geographic context, and MITRE ATT\u0026amp;CK framework integration.","title":"Illumio Insights Graph: New Network Traffic Analysis and Threat Intelligence Connector"},{"content":"What Changed Fortra Agari has been fully migrated from a legacy Azure Functions-based connector to the modern Codeless Connector Framework (CCF). This introduces a completely new CCF-based Data Connector with comprehensive DCR configuration and custom table schemas for all Agari product lines.\nData Sources Unlocked The CCF connector provides ingestion for five distinct Agari data streams:\nBrand Protection (BP) Alerts: Domain protection events with SPF/DKIM failure tracking (AgariBPAlertsLog_CL) Phishing Defense (APD) Policy Events: Policy action logs and enforcement decisions (AgariAPDPolicyLog_CL) Phishing Defense Threat Categories: Email threat classification with attachment analysis (AgariAPDTCLog_CL) Brand Protection Threat Feed: IoC submissions and URL reputation data (AgariBPThreatFeedSubs_CL) Phishing Response (APR) Investigations: Investigation attachment metadata (AgariAPRInvestigationsLog_CL) Ingestion Mechanism Framework: CCF with DCR-based ingestion time transformations Authentication: OAuth2 Client Credentials (separate credentials per product line) Deployment: Replaces all Azure Functions infrastructure (PowerShell runtime, ARM templates, zip packages removed) Configuration: Multi-stream poller with 
configurable data source selection Security Impact This migration restores email security visibility for deployments that may have had broken or inefficient Function App connectors. The CCF framework provides more reliable ingestion with better error handling and monitoring capabilities. Organizations using Agari for email threat protection now have a modern, supported ingestion path for brand protection alerts, phishing detection events, and threat feed indicators.\nAffected Files .gitignore Solutions/Agari/Data Connectors/Agari_API_FunctionApp.json Solutions/Agari/Data Connectors/Agari_CCF/Agari_ConnectorDefinition.json Solutions/Agari/Data Connectors/Agari_CCF/Agari_DCR.json Solutions/Agari/Data Connectors/Agari_CCF/Agari_PollerConfig.json Solutions/Agari/Data Connectors/Agari_CCF/table_AgariAPDPolicyLog.json Solutions/Agari/Data Connectors/Agari_CCF/table_AgariAPDTCLog.json Solutions/Agari/Data Connectors/Agari_CCF/table_AgariAPRInvestigationsLog.json Solutions/Agari/Data Connectors/Agari_CCF/table_AgariBPAlertsLog.json Solutions/Agari/Data Connectors/Agari_CCF/table_AgariBPThreatFeedSubs.json Solutions/Agari/Data Connectors/AzureFunctionAgari/function.json Solutions/Agari/Data Connectors/AzureFunctionAgari/run.ps1 Solutions/Agari/Data Connectors/azuredeploy_Agari_API_FunctionApp.json Solutions/Agari/Data Connectors/host.json Solutions/Agari/Data Connectors/profile.ps1 Solutions/Agari/Data Connectors/requirements.psd1 Solutions/Agari/Package/testParameters.json (packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_Agari.json, agari.zip, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-05-19-pr-14271/","summary":"Fortra Agari transitions from Azure Functions to CCF framework, restoring Brand Protection, Phishing Defense, and Phishing Response visibility with DCR-based ingestion.","title":"Fortra Agari CCF Connector: Modern Email Security Data Ingestion"},{"content":"What Changed 
Initial release of GoogleDirectory solution (v3.0.0) for Microsoft Sentinel with enhanced OAuth scope configuration for Google Workspace API integration.\nPlaybook Integration Enhancement The solution includes updated OAuth scopes for the Google Directory API connector:\nRetained existing scope: https://www.googleapis.com/auth/admin.directory.user (basic user management) Added new scope: https://www.googleapis.com/auth/admin.directory.user.security (security-related user operations) Security Impact (Visibility \u0026amp; Coverage) The expanded OAuth scope enables Microsoft Sentinel playbooks to perform security-focused user management operations in Google Workspace environments, including:\nSecurity key management for users Two-factor authentication configuration changes Security-related user attribute modifications Enhanced user account security monitoring capabilities The additional scope unlocks automated incident response capabilities for Google Workspace identity security events that were previously limited to read-only user directory access.\nDetection Surface Unlocked While this solution focuses on playbook automation rather than data ingestion, it enables security teams to:\nAutomate user security posture changes in response to Microsoft Sentinel incidents Implement automated account security hardening based on threat intelligence Orchestrate cross-platform identity security responses between Microsoft and Google environments Affected Files Solutions/GoogleDirectory/Package/testParameters.json Solutions/GoogleDirectory/Playbooks/GoogleDirectoryAPIConnector/azuredeploy.json Solutions/GoogleDirectory/Playbooks/readme.md (packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_GoogleDirectory.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-05-18-pr-14273/","summary":"Initial release of GoogleDirectory solution adds Google Workspace user security management capabilities to 
Microsoft Sentinel playbook automation.","title":"Google Directory Solution: New Playbook Integration with Extended Security Scope"},{"content":"What Changed Authentication requirement changed from \u0026ldquo;anonymous\u0026rdquo; to \u0026ldquo;function\u0026rdquo; across HTTP triggers in 6 data connector solutions and 2 playbook function apps. ZIP templates updated for Zoom and Cofense connectors to include the hardened configuration.\nSecurity Impact (Visibility \u0026amp; Fidelity) Deployments with anonymous authLevel exposed HTTP-triggered functions to unauthenticated internet traffic—any external caller could invoke these endpoints without credentials. This created a direct attack surface for:\nData exfiltration via forced connector queries Resource exhaustion through function abuse Potential lateral movement if functions access internal APIs Post-fix: all affected functions require a function key (?code=key) to authenticate HTTP requests, eliminating the anonymous access vector.\nAffected Solutions Zoom Data Connector: ZoomLogs function Zscaler Remediation Playbook: Authentication function FortiGate Playbooks: Function App webhooks (2 solutions) Cofense Intelligence: DownloadThreatReports function Illumio: OnPremHealthFunctionApp health check Infoblox: InfobloxDossierHttpStarter function Affected Files DataConnectors/Zoom/ZoomLogs/function.json MasterPlaybooks/Remediation-URL/Zscaler-Remediation-URL/Authentication/azuredeploy.json Playbooks/Fortinet-FortiGate/FunctionApp/azuredeploy.json Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/DownloadThreatReports/function.json Solutions/Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel/Playbooks/FortinetFortigateFunctionApp/azuredeploy.json Solutions/IllumioSaaS/Data Connectors/OnPremHealthFunctionApp/function.json Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxDossierHttpStarter/function.json (packaging artefacts: 
CofenseIntelligenceDataConnector.zip, zoom_logs_template.zip, zoom_logs_templateV2.zip) ","permalink":"http://sentinelchangelog.net/posts/2026-05-18-pr-14284/","summary":"Function keys now required for HTTP-triggered functions in Zoom, Zscaler, FortiGate, Cofense, Illumio, and Infoblox connectors—removing anonymous access vulnerability.","title":"Function App Security: Access Control Hardening Across Multiple Data Connectors"},{"content":"What Changed AWS Solution v3.0.9 delivers extensive quality improvements across the entire detection surface:\nAnalytic Rules (61 updated):\nStandardized naming convention with AWS prefix for consistent identification Normalized MITRE ATT\u0026amp;CK technique IDs and tactic mappings for proper framework alignment Updated entity mappings from deprecated AccountCustomEntity/IPCustomEntity to standard UserIdentityUserName/SourceIpAddress fields Added version fields and improved metadata consistency across all rules Hunting Queries (35 updated):\nApplied same standardization improvements as Analytic Rules Enhanced KQL reliability using summarize/order by patterns instead of legacy approaches Refined projections and clearer time field handling Workbooks (2 updated):\nAmazon Web Services Network Activities workbook Amazon Web Services User Activities workbook Detection Logic Impact Entity mapping changes improve correlation accuracy by aligning with current AWS CloudTrail schema expectations. 
Previously, detections using AccountCustomEntity fields may have produced incomplete entity resolution in incident timelines.\nThe standardization does not alter core detection thresholds, filters, or data sources — all rules continue monitoring the same AWS CloudTrail events with identical sensitivity.\nMITRE Coverage Updated mappings cover extensive AWS attack surface across:\nInitial Access: T1078 (Valid Accounts), T1190 (Exploit Public-Facing Application) Persistence: T1098 (Account Manipulation), T1136.003 (Create Cloud Account) Privilege Escalation: T1484 (Domain Policy Modification), T1078.004 (Cloud Accounts) Defense Evasion: T1562 (Impair Defenses), T1070 (Indicator Removal) Discovery: T1087 (Account Discovery), T1069 (Permission Groups Discovery) Impact: T1485 (Data Destruction), T1498 (Network Denial of Service) Operational Impact Existing AWS deployments should see improved detection fidelity and reduced false entity mapping. No changes to detection sensitivity or coverage gaps.\nAffected Files .script/tests/KqlvalidationsTests/CustomFunctions/AWSCloudTrail.json Solutions/Amazon Web Services/Analytic Rules/AWS_APIfromTor.yaml Solutions/Amazon Web Services/Analytic Rules/AWS_ChangeToRDSDatabase.yaml Solutions/Amazon Web Services/Analytic Rules/AWS_ChangeToVPC.yaml Solutions/Amazon Web Services/Analytic Rules/AWS_ClearStopChangeTrailLogs.yaml Solutions/Amazon Web Services/Analytic Rules/AWS_ConfigServiceResourceDeletion.yaml Solutions/Amazon Web Services/Analytic Rules/AWS_ConsoleLogonWithoutMFA.yaml Solutions/Amazon Web Services/Analytic Rules/AWS_CreatedCRUDDyanmoDBPolicytoPrivilegeEscalation.yaml Solutions/Amazon Web Services/Analytic Rules/AWS_CreatedCRUDIAMtoPrivilegeEscalation.yaml Solutions/Amazon Web Services/Analytic Rules/AWS_CreatedCRUDKMSPolicytoPrivilegeEscalation.yaml Solutions/Amazon Web Services/Analytic Rules/AWS_CreatedCRUDLambdaPolicytoPrivilegEscalation.yaml Solutions/Amazon Web Services/Analytic 
Rules/AWS_CreatedCRUDS3PolicytoPrivilegeEscalation.yaml Solutions/Amazon Web Services/Analytic Rules/AWS_CreatedCloudFormationPolicytoPrivilegeEscalation.yaml Solutions/Amazon Web Services/Analytic Rules/AWS_CreatedDataPipelinePolicytoPrivilegeEscalation.yaml Solutions/Amazon Web Services/Analytic Rules/AWS_CreatedEC2PolicytoPrivilegeEscalation.yaml Solutions/Amazon Web Services/Analytic Rules/AWS_CreatedGluePolicytoPrivilegeEscalation.yaml Solutions/Amazon Web Services/Analytic Rules/AWS_CreatedLambdaPolicytoPrivilegeEscalation.yaml Solutions/Amazon Web Services/Analytic Rules/AWS_CreatedSSMPolicytoPrivilegeEscalation.yaml Solutions/Amazon Web Services/Analytic Rules/AWS_CreationofEncryptKeysWithoutMFA.yaml Solutions/Amazon Web Services/Analytic Rules/AWS_CredentialHijack.yaml Solutions/Amazon Web Services/Analytic Rules/AWS_EC2StartupShellScriptChanged.yaml Solutions/Amazon Web Services/Analytic Rules/AWS_ECRContainerHigh.yaml Solutions/Amazon Web Services/Analytic Rules/AWS_ECRImageScanningDisabled.yaml Solutions/Amazon Web Services/Analytic Rules/AWS_FullAdminPolicyAttachedToRolesUsersGroups.yaml Solutions/Amazon Web Services/Analytic Rules/AWS_GuardDutyDisabled.yaml Solutions/Amazon Web Services/Analytic Rules/AWS_GuardDuty_template.yaml Solutions/Amazon Web Services/Analytic Rules/AWS_IngressEgressSecurityGroupChange.yaml Solutions/Amazon Web Services/Analytic Rules/AWS_LoadBalancerSecGroupChange.yaml Solutions/Amazon Web Services/Analytic Rules/AWS_LogTampering.yaml Solutions/Amazon Web Services/Analytic Rules/AWS_NetworkACLOpenToAllPorts.yaml Solutions/Amazon Web Services/Analytic Rules/AWS_OverlyPermessiveKMS.yaml Solutions/Amazon Web Services/Analytic Rules/AWS_PrivilegeEscalationAdminManagedPolicy.yaml Solutions/Amazon Web Services/Analytic Rules/AWS_PrivilegeEscalationAdministratorAccessManagedPolicy.yaml Solutions/Amazon Web Services/Analytic Rules/AWS_PrivilegeEscalationFullAccessManagedPolicy.yaml Solutions/Amazon Web Services/Analytic 
Rules/AWS_PrivilegeEscalationViaCRUDIAMPolicy.yaml Solutions/Amazon Web Services/Analytic Rules/AWS_PrivilegeEscalationViaCRUDKMSPolicy.yaml Solutions/Amazon Web Services/Analytic Rules/AWS_PrivilegeEscalationViaCRUDLambdaPolicy.yaml Solutions/Amazon Web Services/Analytic Rules/AWS_PrivilegeEscalationViaCRUDS3Policy.yaml Solutions/Amazon Web Services/Analytic Rules/AWS_PrivilegeEscalationViaCloudFormationPolicy.yaml Solutions/Amazon Web Services/Analytic Rules/AWS_PrivilegeEscalationViaDataPipeline.yaml Solutions/Amazon Web Services/Analytic Rules/AWS_PrivilegeEscalationViaEC2Policy.yaml Solutions/Amazon Web Services/Analytic Rules/AWS_PrivilegeEscalationViaGluePolicy.yaml Solutions/Amazon Web Services/Analytic Rules/AWS_PrivilegeEscalationViaLambdaPolicy.yaml Solutions/Amazon Web Services/Analytic Rules/AWS_PrivilegeEscalationViaSSM.yaml Solutions/Amazon Web Services/Analytic Rules/AWS_PrivilegeEscalationviaCRUDDynamoDB.yaml Solutions/Amazon Web Services/Analytic Rules/AWS_RDSInstancePubliclyExposed.yaml Solutions/Amazon Web Services/Analytic Rules/AWS_S3BruteForce.yaml Solutions/Amazon Web Services/Analytic Rules/AWS_S3BucketAccessPointExposed.yaml Solutions/Amazon Web Services/Analytic Rules/AWS_S3BucketExposedviaACL.yaml Solutions/Amazon Web Services/Analytic Rules/AWS_S3BucketExposedviaPolicy.yaml Solutions/Amazon Web Services/Analytic Rules/AWS_S3ObjectExfiltrationByAnonymousUser.yaml Solutions/Amazon Web Services/Analytic Rules/AWS_S3ObjectPubliclyExposed.yaml Solutions/Amazon Web Services/Analytic Rules/AWS_S3Ransomware.yaml Solutions/Amazon Web Services/Analytic Rules/AWS_SAMLUpdateIdentity.yaml Solutions/Amazon Web Services/Analytic Rules/AWS_SSMPubliclyExposed.yaml Solutions/Amazon Web Services/Analytic Rules/AWS_SetDefaulyPolicyVersion.yaml Solutions/Amazon Web Services/Analytic Rules/AWS_SuspiciousCommandEC2.yaml Solutions/Amazon Web Services/Analytic Rules/AWS_UnauthorizedInstanceSetUpAttempt.yaml Solutions/Amazon Web Services/Analytic 
Rules/AWS_UserAccessKeyCreated.yaml Solutions/Amazon Web Services/Analytic Rules/AWS_UserIAMEnumeration.yaml Solutions/Amazon Web Services/Analytic Rules/NRT_AWS_ConsoleLogonWithoutMFA.yaml Solutions/Amazon Web Services/Analytic Rules/SuspiciousAWSCLICommandExecution.yaml Solutions/Amazon Web Services/Analytic Rules/SuspiciousAWSEC2ComputeResourceDeployments.yaml Solutions/Amazon Web Services/Hunting Queries/AWS_AssumeRoleBruteForce.yaml Solutions/Amazon Web Services/Hunting Queries/AWS_BucketVersioningSuspended.yaml Solutions/Amazon Web Services/Hunting Queries/AWS_CreateAccessKey.yaml Solutions/Amazon Web Services/Hunting Queries/AWS_CreateLoginProfile.yaml Solutions/Amazon Web Services/Hunting Queries/AWS_EC2_WithoutKeyPair.yaml Solutions/Amazon Web Services/Hunting Queries/AWS_ECRContainerLow.yaml Solutions/Amazon Web Services/Hunting Queries/AWS_ECRContainerMedium.yaml Solutions/Amazon Web Services/Hunting Queries/AWS_ExcessiveExecutionofDiscoveryEvents.yaml Solutions/Amazon Web Services/Hunting Queries/AWS_FailedBruteForceS3Bucket.yaml Solutions/Amazon Web Services/Hunting Queries/AWS_FailedBruteForceWithoutMFA.yaml Solutions/Amazon Web Services/Hunting Queries/AWS_IAMAccsesDeniedDiscoveryEvents.yaml Solutions/Amazon Web Services/Hunting Queries/AWS_IAMUserGroupChanges.yaml Solutions/Amazon Web Services/Hunting Queries/AWS_IAM_PolicyChange.yaml Solutions/Amazon Web Services/Hunting Queries/AWS_IAM_PrivilegeEscalationbyAttachment.yaml Solutions/Amazon Web Services/Hunting Queries/AWS_LambdaFunctionThrottled.yaml Solutions/Amazon Web Services/Hunting Queries/AWS_LambdaLayerImportedExternalAccount.yaml Solutions/Amazon Web Services/Hunting Queries/AWS_LambdaUpdateFunctionCode.yaml Solutions/Amazon Web Services/Hunting Queries/AWS_LoginProfileUpdated.yaml Solutions/Amazon Web Services/Hunting Queries/AWS_ModificationofRouteTableAttributes.yaml Solutions/Amazon Web Services/Hunting Queries/AWS_ModificationofSubnetAttributes.yaml Solutions/Amazon Web 
Services/Hunting Queries/AWS_ModificationofVPCAttributes.yaml Solutions/Amazon Web Services/Hunting Queries/AWS_NetworkACLDeleted.yaml Solutions/Amazon Web Services/Hunting Queries/AWS_NewRootAccessKey.yaml Solutions/Amazon Web Services/Hunting Queries/AWS_PolicywithExcessivePermissions.yaml Solutions/Amazon Web Services/Hunting Queries/AWS_PrivilegedRoleAttachedToInstance.yaml Solutions/Amazon Web Services/Hunting Queries/AWS_RDSMasterPasswordChanged.yaml Solutions/Amazon Web Services/Hunting Queries/AWS_RiskyRoleName.yaml Solutions/Amazon Web Services/Hunting Queries/AWS_S3BucketDeleted.yaml Solutions/Amazon Web Services/Hunting Queries/AWS_S3BucketEncryptionModified.yaml Solutions/Amazon Web Services/Hunting Queries/AWS_STStoEC2.yaml Solutions/Amazon Web Services/Hunting Queries/AWS_STStoECS.yaml Solutions/Amazon Web Services/Hunting Queries/AWS_STStoGlue.yaml Solutions/Amazon Web Services/Hunting Queries/AWS_STStoKWN.yaml Solutions/Amazon Web Services/Hunting Queries/AWS_STStoLambda.yaml Solutions/Amazon Web Services/Hunting Queries/AWS_SuspiciousCredentialTokenAccessOfValid_IAM_Roles.yaml Solutions/Amazon Web Services/Hunting Queries/AWS_Unused_UnsupportedCloudRegions.yaml Solutions/Amazon Web Services/Workbooks/AmazonWebServicesNetworkActivities.json Solutions/Amazon Web Services/Workbooks/AmazonWebServicesUserActivities.json (packaging artefacts: 3.0.9.zip, ReleaseNotes.md, Solution_AmazonWebServices.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-05-18-pr-14101/","summary":"Comprehensive quality improvements to 61 AWS Analytic Rules and 35 Hunting Queries with standardized naming conventions, normalized MITRE technique mappings, and updated entity field references from legacy AccountCustomEntity to UserIdentityUserName.","title":"AWS Content Quality Overhaul: Standardized Detection Rules and Improved Entity Mappings"},{"content":"What Changed Updated 12 hunting queries under Microsoft 365 Defender to 
use current Microsoft Entra ID table names. The changes replace deprecated AAD table references:\nAADSignInEventsBeta → EntraIdSignInEvents AADSpnSignInEventsBeta → EntraIdSpnSignInEvents Column name AadDeviceId → EntraIdDeviceId Impact on Detection Coverage This is a purely cosmetic update aligning with Microsoft\u0026rsquo;s rebranding from Azure Active Directory to Microsoft Entra ID. The underlying data sources and detection logic remain identical — no changes to query filters, thresholds, or MITRE technique coverage.\nUpdated hunting queries target phishing campaigns (T1566), malware execution (T1204), and Nobelium command-and-control infrastructure across:\nDevice code phishing attempts QR code phishing campaigns Risky sign-ins from unmanaged devices Encoded domain detection for Nobelium TTPs Operational Notes Deployments using these hunting queries should see no functional changes. The table name updates ensure compatibility with current Microsoft Entra ID schema documentation and prevent confusion with legacy AAD terminology.\nAffected Files .script/tests/KqlvalidationsTests/CustomTables/EntraIdSignInEvents.json .script/tests/KqlvalidationsTests/CustomTables/EntraIdSpnSignInEvents.json Hunting Queries/Microsoft 365 Defender/Command and Control/EncodedDomainURL [Nobelium].yaml Hunting Queries/Microsoft 365 Defender/Email and Collaboration Queries/Hunting/Automated email notifications and suspicious sign-in activity.yaml Hunting Queries/Microsoft 365 Defender/Email and Collaboration Queries/Malware/Email containing malware accessed on a unmanaged device.yaml Hunting Queries/Microsoft 365 Defender/Email and Collaboration Queries/Phish/Possible device code phishing attempts.yaml Hunting Queries/Microsoft 365 Defender/Email and Collaboration Queries/QR code/Risky sign-in attempt from a non-managed device.yaml Hunting Queries/Microsoft 365 Defender/Email and Collaboration Queries/QR code/Suspicious sign-in attempts from QR code phishing campaigns.yaml Hunting 
Queries/Microsoft 365 Defender/Exfiltration/unusual-volume-of-file-sharing.yaml Hunting Queries/Microsoft 365 Defender/Impact/unusual-volume-of-file-deletion.yaml Hunting Queries/Microsoft 365 Defender/Persistence/AddedCredentialFromContryXAndSigninFromCountryY.yaml Hunting Queries/Microsoft 365 Defender/Persistence/riskySignInToDeviceRegistration.yaml Hunting Queries/Microsoft 365 Defender/Persistence/riskySignInToNewMFAMethod.yaml Hunting Queries/Microsoft 365 Defender/Privilege escalation/riskySignInToElevateAccess.yaml ","permalink":"http://sentinelchangelog.net/posts/2026-05-18-pr-14186/","summary":"12 hunting queries updated to use EntraIdSignInEvents and EntraIdSpnSignInEvents tables, replacing deprecated AADSignInEventsBeta and AADSpnSignInEventsBeta references.","title":"Microsoft Entra ID Table Rename: Hunting Queries Updated for Current Schema"},{"content":"What Changed New Strider Shield solution from NVISO providing threat intelligence ingestion capabilities for Microsoft Sentinel through a CCF-based connector.\nData Source Strider Shield platform delivers threat intelligence focused on email-based threats including:\nEmail addresses and domains with threat indicators Risk signals and signal definitions for threat classification Terms and keywords associated with threat activity Ingestion Mechanism CCF-based connector using OAuth2 authentication with the following configuration:\nFive separate data streams targeting different threat intelligence categories DCR transforms split ingested data into dedicated tables: StriderShieldEmailAddresses_CL, StriderShieldEmailDomains_CL, StriderShieldRiskSignals_CL, StriderShieldRiskSignalsDefinitions_CL, StriderShieldTerms_CL 24-hour polling window with 1 QPS rate limiting OAuth2 client credentials flow with configurable authentication endpoint Detection Surface Unlocked Enhanced visibility into email-based threat vectors including:\nMalicious email addresses and domains from threat intelligence feeds Risk scoring 
and categorization for email security events Threat terminology tracking for campaign attribution Integration points for existing email security detections and hunting queries Solution includes sample queries but no bundled analytic rules — organizations must develop custom detections leveraging the ingested threat intelligence data.\nAffected Files Logos/StriderShield.svg Solutions/Strider Shield/Data Connectors/StriderShieldCCF/StriderShield_ConnectorDefinition.json Solutions/Strider Shield/Data Connectors/StriderShieldCCF/StriderShield_DCR.json Solutions/Strider Shield/Data Connectors/StriderShieldCCF/StriderShield_PollingConfig.json Solutions/Strider Shield/Data Connectors/StriderShieldCCF/StriderShield_Table.json Solutions/Strider Shield/Package/testParameters.json (packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_StriderShield.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-05-15-pr-14155/","summary":"NVISO introduces Strider Shield CCF connector enabling ingestion of email threat intelligence data across five data streams targeting phishing and BEC protection.","title":"New Strider Shield Threat Intelligence Connector for Email Security Monitoring"},{"content":"What Changed New version of the Sentinel Defender Adoption Helper tool that analyzes Microsoft Sentinel environments for readiness to onboard into the Microsoft Defender portal. 
The tool consists of a PowerShell analysis script and an interactive HTML dashboard.\nTool Capabilities Analysis Areas Defender XDR Table Retention: Compares 30-day vs 730-day retention to identify tables that don\u0026rsquo;t require separate Sentinel ingestion Analytics Rules Assessment: Evaluates Fusion engine status, alert visibility, incident reopening, custom grouping, and Microsoft incident creation rules Automation Rules Review: Checks incident provider vs alert product naming, Fusion dependencies, and alert trigger configurations Data Lake Region Support: Validates workspace region compatibility with Data Lake features Dashboard Features Multi-workspace overview with readiness scores and per-workspace breakdowns Grouped rule checks with individual sub-assessments for analytics and automation rules Export capabilities (PDF generation) and direct Azure portal blade links Knowledge base with Microsoft documentation references and multi-tenant guidance Migration Planning Value This tool addresses the critical assessment phase before moving Sentinel to the Defender portal. 
Key planning insights:\nFusion Rule Impact: Identifies workspaces where Fusion rules will be automatically disabled post-migration Incident Configuration Gaps: Flags analytics rules that don\u0026rsquo;t generate incidents (creating alert-only noise) Automation Rule Dependencies: Highlights automation rules dependent on Fusion that will break after migration Data Retention Optimization: Recommends which Defender XDR tables can rely on native 30-day retention vs requiring extended Sentinel storage The assessment categorizes findings as OK (no action), WARNING (requires attention), or INFORMATIONAL (no migration blocker) to prioritize remediation efforts.\nAffected Files Tools/Sentinel-Defender-Helper-Script/New Version/DefenderAdoptionHelper.ps1 Tools/Sentinel-Defender-Helper-Script/New Version/README.md Tools/Sentinel-Defender-Helper-Script/New Version/dashboard.html Tools/Sentinel-Defender-Helper-Script/New Version/results.csv Tools/Sentinel-Defender-Helper-Script/New Version/sentinelEnvironments.json ","permalink":"http://sentinelchangelog.net/posts/2026-05-15-pr-14195/","summary":"New PowerShell assessment tool identifies migration blockers for Sentinel-to-Defender portal transitions.","title":"Microsoft Sentinel to Defender Portal Migration Readiness Tool"},{"content":"What Changed SailPoint IdentityNow v3.0.1 introduces a new Codeless Connector Framework (CCF) data connector alongside the existing Function App connector. 
This enables ingestion via the modern DCR-based approach while maintaining backward compatibility for existing deployments.\nData Connector Enhancement New CCF Implementation:\nIngests to SailPointIDN_EventsV2_CL table using clean column schema Supports OAuth2 client credentials authentication Enables multi-tenant monitoring (production/demo/partner environments) Provides API endpoint configuration: https://{tenantId}.api.{domain}/v2025/search/events Dual Parser Strategy:\nSailPointIDN_EventsV2: Uses new clean column names for CCF data SailPointIDN_Events: Alias parser providing backward compatibility with legacy suffixed columns Detection Logic Updates All 5 Analytic Rules updated to support both connectors:\nData Sources: Now reference both SailPointIdentityNow (legacy) and SailPointIdentityNowConnector (CCF) via parser alias SailPointIDN_Events Field Mapping: Migrated from suffixed columns (type_s, status_s, technicalName_s) to clean names (EventType, Status, TechnicalName) Version Bump: Rules updated from v1.0.0 to v1.1.0 MITRE Mapping T1133 (External Remote Services): Monitors failed authentication and access provisioning events Security Impact This upgrade provides dual ingestion paths for identity governance events. Organizations can deploy the CCF connector for new installations while existing Function App deployments continue operating without disruption. 
The parser alias ensures detection continuity across both deployment models.\nAffected Files .script/tests/KqlvalidationsTests/SkipValidationsTemplates.json .script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json Solutions/SailPointIdentityNow/Analytic Rules/SailPointIdentityNowEventType.yaml Solutions/SailPointIdentityNow/Analytic Rules/SailPointIdentityNowEventTypeTechnicalName.yaml Solutions/SailPointIdentityNow/Analytic Rules/SailPointIdentityNowFailedEvents.yaml Solutions/SailPointIdentityNow/Analytic Rules/SailPointIdentityNowFailedEventsBasedOnTime.yaml Solutions/SailPointIdentityNow/Analytic Rules/SailPointIdentityNowUserWithFailedEvents.yaml Solutions/SailPointIdentityNow/Data Connectors/SearchEvent_CCF/SailPointIdentityNow_ConnectorDefinition.json Solutions/SailPointIdentityNow/Data Connectors/SearchEvent_CCF/SailPointIdentityNow_DCR.json Solutions/SailPointIdentityNow/Data Connectors/SearchEvent_CCF/SailPointIdentityNow_PollerConfig.json Solutions/SailPointIdentityNow/Data Connectors/SearchEvent_CCF/table_SailPointIDN_EventsV2.json Solutions/SailPointIdentityNow/Package/testParameters.json Solutions/SailPointIdentityNow/Parsers/parser_SailPointIDN_EventsAliasFunction.json (packaging artefacts: 3.0.1.zip, ReleaseNotes.md, Solution_SailpointIdentityNow.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-05-15-pr-14235/","summary":"SailPoint IdentityNow now supports CCF ingestion with new schema parsers alongside backward compatibility for existing Function App deployments.","title":"SailPoint IdentityNow: New CCF Connector with Dual Parser Support (v3.0.1)"},{"content":"What Changed Microsoft rebranded the A365 Observability solution to Agent 365 (version 3.0.1) following marketing team requirements. 
The change updates display names across the Data Connector definition and solution metadata files with no modifications to data collection, parsing, or detection logic.\nThe connector continues to ingest AI agent telemetry from Agent 365, AI Foundry, and Copilot for investigation of agent behavior, tool usage, and execution patterns in Microsoft Sentinel.\nImpact Summary This is purely a branding change with no security or operational impact. Existing deployments will continue functioning without interruption. The underlying connector ID (\u0026ldquo;A365\u0026rdquo;) and data collection mechanisms remain unchanged.\nAffected Files Solutions/Agent 365/Data Connectors/A365_DataConnectorDefinition.json Solutions/Agent 365/Package/testParameters.json (packaging artefacts: 3.0.0.zip, 3.0.1.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_A365.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-05-15-pr-14263/","summary":"Microsoft renamed the A365 Observability solution to Agent 365 for marketing alignment with no functional changes.","title":"Agent 365 Solution Rebranded from A365 Observability (v3.0.1)"},{"content":"What Changed New CCF-based Data Connector for ElasticAgent v3.0.0, replacing the legacy HTTP Collector API implementation. The connector provides comprehensive system monitoring through Elasticsearch API integration.\nData Source Ingests system metrics, logs, and telemetry data from Elastic Agent deployments via Elasticsearch Search API. Supports multiple data streams including CPU, memory, process, filesystem, network, load, uptime, agent metrics, and agent logs.\nIngestion Mechanism CCF/DCR-based connector using API key authentication to query Elasticsearch indices. 
Data flows through Custom-ElasticAgentLogsV2_CL stream with DCR-based transformations for field normalization.\nDetection Surface Unlocked Provides visibility into:\nSystem performance metrics (CPU, memory, disk, network utilization) Process-level monitoring and resource consumption Agent health and telemetry data Error logs and operational events System load patterns (Linux environments) The connector enables SOC teams to monitor infrastructure health, detect performance anomalies, and correlate system events with security incidents.\nAffected Files Solutions/ElasticAgent/Data Connectors/ElasticAgent_CCF/ElasticAgent_ConnectorDefinition.json Solutions/ElasticAgent/Data Connectors/ElasticAgent_CCF/ElasticAgent_DCR.json Solutions/ElasticAgent/Data Connectors/ElasticAgent_CCF/ElasticAgent_PollingConfig.json Solutions/ElasticAgent/Data Connectors/ElasticAgent_CCF/table_ElasticAgentLogsV2.json (packaging artefacts: 3.0.0.zip, ReleaseNotes.md, Solution_ElasticAgent.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-05-14-pr-14250/","summary":"ElasticAgent connector migrated to CCF framework to maintain system monitoring capability as HTTP Collector API approaches deprecation.","title":"Elastic Agent CCF Connector: Replacing Deprecated HTTP Collector API"},{"content":"What Changed New Red Sift solution provides comprehensive email security and authentication monitoring via the Codeless Connector Framework. The solution includes a push-based data connector ingesting into RedSiftAuth_CL and RedSiftEmailForensics_CL custom tables, plus five Analytic Rules targeting phishing and account compromise detection scenarios.\nData Source Red Sift\u0026rsquo;s email security platform provides authentication and email forensics data through push-based ingestion. 
The connector populates two custom log tables:\nRedSiftAuth_CL: User authentication events including logins and MFA status changes RedSiftEmailForensics_CL: Email analysis data with URL extraction and sender intelligence Detection Logic Five detection rules provide coverage across initial access and defense evasion tactics:\nEmail Threat Detection (T1566):\nNew URL-bearing sender detection: Identifies emails with URLs from previously unseen senders (14-day baseline) New source IP detection: Flags emails with URLs from previously unseen source IP addresses New domain detection: Detects emails containing URLs to previously unseen domains Authentication Monitoring:\nNew IP login detection (T1078): Alerts on successful logins from previously unseen IP addresses per user MFA disabled detection (T1556): High-severity alerts when MFA is disabled on any account All rules use RedSiftPush connector ID and implement 14-day historical baselines for anomaly detection with 1-hour query frequencies.\nMITRE Coverage T1078 (Valid Accounts): New IP login detection T1556 (Modify Authentication Process): MFA disabled monitoring T1566 (Phishing): Email URL and sender analysis across three detection angles Affected Files .script/tests/KqlvalidationsTests/CustomTables/RedSiftAuth_CL.json .script/tests/KqlvalidationsTests/CustomTables/RedSiftEmailForensics_CL.json .script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json Logos/redsift_logo.svg Solutions/Red Sift/Analytic Rules/RedSiftEmailUrlFromNewSender.yaml Solutions/Red Sift/Analytic Rules/RedSiftEmailUrlFromNewSource.yaml Solutions/Red Sift/Analytic Rules/RedSiftEmailUrlWithNewDomain.yaml Solutions/Red Sift/Analytic Rules/RedSiftLoginFromNewIP.yaml Solutions/Red Sift/Analytic Rules/RedSiftMFADisabled.yaml Solutions/Red Sift/Data Connectors/RedSift_ccp/RedSift_Connector.json Solutions/Red Sift/Data Connectors/RedSift_ccp/RedSift_DCR.json Solutions/Red Sift/Data Connectors/RedSift_ccp/RedSift_Definition.json Solutions/Red 
Sift/Data Connectors/RedSift_ccp/RedSift_EmailForensics_table.json Solutions/Red Sift/Data Connectors/RedSift_ccp/RedSift_table.json Solutions/Red Sift/Package/testParameters.json (packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_RedSift.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-05-14-pr-14036/","summary":"Red Sift adds CCF-based email and authentication monitoring with 5 detection rules for phishing and account compromise scenarios.","title":"Red Sift Solution: New CCF Data Connector and Email Security Detections"},{"content":"What Changed Added ASIM Authentication parsers for VMware ESXi hosts, enabling normalized authentication monitoring from VMware hypervisor infrastructure. The parser processes syslog from ESXi DCUI (console) and Hostd (SSH/remote) authentication events.\nParser Impact The new parser normalizes ESXi authentication events to ASIM Authentication schema v0.1.4:\nData Sources:\nSyslog table (general ESXi syslog ingestion) AVSSyslog/AVSEsxiSyslog tables (Azure VMware Solution specific) Event Types Supported:\nDCUI console logon/logoff events (interactive access) Hostd SSH authentication (remote access with source IP tracking) Authentication failures with policy violation details Key Field Mappings:\nEvent result determination (Success/Failure from \u0026ldquo;Accepted/Rejected password\u0026rdquo;) Session tracking via TargetSessionId and operation IDs Source IP extraction for SSH attempts Username parsing from multiple ESXi log formats Session timeout detection for DCUI events No change to existing parser logic — this adds ESXi coverage to the ASIM authentication framework for hypervisor access visibility.\nAffected Files .script/tests/KqlvalidationsTests/CustomTables/AVSEsxiSyslog.json .script/tests/KqlvalidationsTests/CustomTables/AVSSyslog.json ASIM/dev/ASimTester/ASimTester.csv 
Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json Parsers/ASimAuthentication/ARM/ASimAuthenticationVMwareESXi/ASimAuthenticationVMwareESXi.json Parsers/ASimAuthentication/ARM/ASimAuthenticationVMwareESXi/README.md Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json Parsers/ASimAuthentication/ARM/vimAuthenticationVMwareESXi/README.md Parsers/ASimAuthentication/ARM/vimAuthenticationVMwareESXi/vimAuthenticationVMwareESXi.json Parsers/ASimAuthentication/CHANGELOG/ASimAuthentication.md Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationVMwareESXi.md Parsers/ASimAuthentication/CHANGELOG/imAuthentication.md Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationVMwareESXi.md Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml Parsers/ASimAuthentication/Parsers/ASimAuthenticationVMwareESXi.yaml Parsers/ASimAuthentication/Parsers/imAuthentication.yaml Parsers/ASimAuthentication/Parsers/vimAuthenticationVMwareESXi.yaml Parsers/ASimAuthentication/test/VMware ESXi/VMware_ESXi_ASimAuthenticationVMwareESXi_DataTest.csv Parsers/ASimAuthentication/test/VMware ESXi/VMware_ESXi_ASimAuthenticationVMwareESXi_SchemaTest.csv Parsers/ASimAuthentication/test/VMware ESXi/VMware_ESXi_vimAuthenticationVMwareESXi_DataTest.csv Parsers/ASimAuthentication/test/VMware ESXi/VMware_ESXi_vimAuthenticationVMwareESXi_SchemaTest.csv Sample Data/ASIM/VMware_ESXi_Authentication_IngestedLogs.csv ","permalink":"http://sentinelchangelog.net/posts/2026-05-13-pr-13989/","summary":"New ASIM parser normalizes VMware ESXi authentication events to enable centralized logon monitoring for hypervisor infrastructure.","title":"VMware ESXi: ASIM Authentication Parser for Host Access Monitoring"},{"content":"What Changed Added new ASIM AlertEvent parsers for Cisco Secure Endpoint with CCF ingestion support, enabling normalized alert processing from the CiscoSecureEndpointEventsV2_CL table. 
Updated top-level ASIM parsers to include the new Cisco Secure Endpoint parser functions.\nParser Impact The new parser normalizes Cisco Secure Endpoint security events to the ASIM AlertEvent schema v0.1. Key field mappings include:\nEvent severity mapping (Critical/High → High, Medium → Medium, Low → Low) Device information extraction from ComputerConnectorGuid and network addresses User context from matched activity events (process start, API invoke telemetry) File hashes (SHA1, SHA256, MD5) from both primary and parent files Process information including command lines and PIDs MITRE ATT\u0026amp;CK tactics and techniques from native Cisco data No change to existing parser logic or filter operations — this is additive content that extends ASIM coverage to Cisco endpoint telemetry.\nMITRE Coverage Parser extracts MITRE ATT\u0026amp;CK tactics and techniques directly from native Cisco Secure Endpoint event data via the Tactics and Techniques fields, enabling cross-platform threat correlation.\nAffected Files .script/tests/KqlvalidationsTests/CustomTables/CiscoSecureEndpointEventsV2_CL.json Parsers/ASimAlertEvent/ARM/ASimAlertEvent/ASimAlertEvent.json Parsers/ASimAlertEvent/ARM/ASimAlertEventCiscoSecureEndpoint/ASimAlertEventCiscoSecureEndpoint.json Parsers/ASimAlertEvent/ARM/ASimAlertEventCiscoSecureEndpoint/README.md Parsers/ASimAlertEvent/ARM/FullDeploymentAlertEvent.json Parsers/ASimAlertEvent/ARM/imAlertEvent/imAlertEvent.json Parsers/ASimAlertEvent/ARM/vimAlertEventCiscoSecureEndpoint/README.md Parsers/ASimAlertEvent/ARM/vimAlertEventCiscoSecureEndpoint/vimAlertEventCiscoSecureEndpoint.json Parsers/ASimAlertEvent/CHANGELOG/ASimAlertEvent.md Parsers/ASimAlertEvent/CHANGELOG/ASimAlertEventCiscoSecureEndpoint.md Parsers/ASimAlertEvent/CHANGELOG/imAlertEvent.md Parsers/ASimAlertEvent/CHANGELOG/vimAlertEventCiscoSecureEndpoint.md Parsers/ASimAlertEvent/Parsers/ASimAlertEvent.yaml Parsers/ASimAlertEvent/Parsers/ASimAlertEventCiscoSecureEndpoint.yaml 
Parsers/ASimAlertEvent/Parsers/imAlertEvent.yaml Parsers/ASimAlertEvent/Parsers/vimAlertEventCiscoSecureEndpoint.yaml Sample Data/ASIM/Cisco_Secure Endpoint_AlertEvent_IngestedLogs.csv ","permalink":"http://sentinelchangelog.net/posts/2026-05-13-pr-13741/","summary":"New ASIM parser enables normalized threat detection from Cisco Secure Endpoint via CCF ingestion to CiscoSecureEndpointEventsV2_CL table.","title":"Cisco Secure Endpoint: ASIM AlertEvent Parser for Cloud-Based Threat Detection"},{"content":"What Changed The QualysVM solution package has been updated to restore proper API versions in the ARM deployment template after a script regression caused them to be downgraded.\nDeployment Impact ARM template API version downgrades can cause deployment failures or unexpected behavior when newer Azure resource features are required. This maintenance update ensures the QualysVM solution deploys using current API standards, preventing potential installation issues for new deployments.\nThe change affects only packaging artifacts (mainTemplate.json, solution metadata) with no modifications to detection logic, data connectors, or security content.\nAffected Files (packaging artefacts: 3.0.8.zip, Solution_QualysVM.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-05-13-pr-14260/","summary":"QualysVM solution packaging corrects downgraded ARM template API versions that could impact deployment reliability.","title":"QualysVM Solution: API Version Regression Restored to Current Standards"},{"content":"What Changed Five new hunting queries targeting Entra ID application layer attacks have been added under Hunting Queries/AuditLogs/. 
This pack detects a complete adversary workflow where attackers with privileged Entra ID access establish persistence, escalate privilege, and remove defenses.\nDetection Surface Unlocked All queries use AuditLogs exclusively, requiring only the Azure Active Directory data connector with no Entra ID P2 or Defender XDR licensing requirements.\nQuery Coverage OAuthConsentToHighRiskPermission — Identifies consent events where newly observed applications receive high-risk delegated permissions (Mail.ReadWrite, Directory.ReadWrite.All, EWS.AccessAsUser.All, etc.). Targets canonical consent phishing patterns.\nAdminConsentGrantedToApplication — Surfaces tenant-wide OAuth consent grants identified by AllPrincipals principal type. Admin consent persists beyond password resets because permissions bind to service principals, not user sessions.\nAppRegistrationWithExternalRedirectUri — Detects application registrations with redirect URIs pointing to non-Microsoft domains. Attackers add attacker-controlled URIs to intercept authorization codes.\nGuestAccountAddedToPrivilegedRole — Identifies guest accounts (UPN contains #EXT#) added to privileged roles including Global Administrator, Security Administrator, and Application Administrator.\nConditionalAccessPolicyDisabledOrDeleted — Surfaces CA policy deletions and enabled-to-disabled transitions. 
Attackers disable policies to remove MFA requirements and device compliance checks.\nMITRE Mapping T1528 (Steal Application Access Token) — OAuth consent abuse and redirect URI manipulation T1098 (Account Manipulation) — Admin consent grants for persistence T1098.003 (Additional Cloud Roles) — Guest account privilege escalation T1556 (Modify Authentication Process) — CA policy manipulation T1562.001 (Disable or Modify Tools) — CA policy disablement Attack Context This detection pack maps to documented TTPs from Midnight Blizzard and Storm-0558 campaigns where adversaries used OAuth applications and admin consent to maintain persistent access to Microsoft 365 environments after initial compromise. The queries complement existing detections by filtering on specific risk signals: application novelty, privilege scope, and tenant-wide grants.\nAffected Files Hunting Queries/AuditLogs/AdminConsentGrantedToApplication.yaml Hunting Queries/AuditLogs/AppRegistrationWithExternalRedirectUri.yaml Hunting Queries/AuditLogs/ConditionalAccessPolicyDisabledOrDeleted.yaml Hunting Queries/AuditLogs/GuestAccountAddedToPrivilegedRole.yaml Hunting Queries/AuditLogs/OAuthConsentToHighRiskPermission.yaml ","permalink":"http://sentinelchangelog.net/posts/2026-05-13-pr-14239/","summary":"Five hunting queries expose OAuth consent abuse, privileged escalation, and Conditional Access evasion used in Midnight Blizzard and Storm-0558 campaigns.","title":"Entra ID Attack Chain Detection: 5 New Hunting Queries Target Application Layer Persistence"},{"content":"What Changed This PR resolves multiple critical issues that rendered the Abnormal Security CCF Push connector completely non-functional since its v3.0.0 introduction in March 2026. 
The connector could not ingest any email threat intelligence data due to DCR transform failures, missing table deployments, and incorrect stream routing.\nSecurity Impact (Visibility & Fidelity) Pre-fix state: Deployments running Abnormal Security CCF connector v3.0.0/3.0.1 had complete email threat detection blind spots:\nAll 9 custom tables (ABNORMAL_SECURITY_*_CL) failed to deploy via ARM template — tables were defined only as Sentinel metadata, not as deployable workspace resources DCR transforms failed with InvalidTransformOutput errors due to type mismatch — input stream declared abx_body and abx_metadata as dynamic but output schema expected string Fallback stream routing to Custom-AbnormalSecurityLogs_CL pointed to non-existent table instead of Custom-ABNORMAL_SECURITY_LOGS_CL Result: Zero events from Abnormal Security ingested across all threat categories (email threats, cases, audit logs, ATO detection, etc.) Post-fix: All email threat visibility restored with proper data transformation and routing to correct tables.\nTechnical Fixes Applied Table Deployment Fix: Added all 9 ABNORMAL_SECURITY_*_CL tables as top-level ARM resources in mainTemplate.json — tables now deploy correctly on solution installation DCR Transform Fix: Added explicit extend statements to convert abx_body and abx_metadata to string type in all 9 transformKql statements Stream Routing Fix: Corrected fallback outputStream from Custom-AbnormalSecurityLogs_CL to Custom-ABNORMAL_SECURITY_LOGS_CL to match actual table name Schema Alignment: Updated column schemas across all 9 tables to match legacy MLA connector format Affected Email Threat Categories The fix restores ingestion for these email threat detection streams:\nABNORMAL_SECURITY_THREAT_LOG_CL: Email threat detections, attack vectors, remediation status ABNORMAL_SECURITY_CASE_CL: Investigation cases and entity analysis ABNORMAL_SECURITY_AUDIT_LOG_CL: Administrative actions and policy changes ABNORMAL_SECURITY_ATO_CASE_CL: 
Account takeover detection events ABNORMAL_SECURITY_ABUSE_MAILBOX_CL: Abuse mailbox submissions ABNORMAL_SECURITY_POSTURE_CHANGE_CL: Security posture modifications ABNORMAL_SECURITY_REMEDIATION_CL: Automated remediation actions ABNORMAL_SECURITY_VENDOR_CASE_CL: Third-party case integrations ABNORMAL_SECURITY_LOGS_CL: General fallback stream Per PR testing: All streams now accept data via Logs Ingestion API (HTTP 204 responses) and events are visible in Log Analytics workspace.\nAffected Files Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_DCR.json Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_connectorDefinition.json Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_table_AbnormalSecurityLogs.json Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_table_AbuseMailbox.json Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_table_AtoCase.json Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_table_AuditLog.json Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_table_Case.json Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_table_PostureChange.json Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_table_Remediation.json Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_table_ThreatLog.json Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_table_VendorCase.json (packaging artefacts: 3.0.0.zip, 3.0.1.zip, ReleaseNotes.md, Solution_AbnormalSecurity.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-05-13-pr-14216/","summary":"Fixes DCR transform errors, table deployment issues, and stream routing that prevented all data ingestion from Abnormal Security’s CCF Push connector since v3.0.0 
launch.","title":"Abnormal Security CCF Connector: Critical Fix Restores Email Threat Detection After Complete Ingestion Failure"},{"content":"Data Source Ingests audit events from Salesforce orgs via REST API, targeting two critical log types:\nSetup Audit Trail: Administrative changes, configuration modifications, and permission updates Login History: User authentication events, failed login attempts, and access patterns Ingestion Mechanism CCF-based connector using Data Collection Rules with OAuth2 authentication (client credentials or username-password flows). Populates two custom tables:\nSalesforceAuditTrail (Setup Audit Trail events) SalesforceLoginHistory (Login History events) Detection Surface Unlocked Administrative oversight blind spots are addressed with visibility into:\nPrivilege escalation through permission changes and role modifications Unauthorized configuration changes to security controls Suspicious authentication patterns and credential compromise indicators Cross-domain administrative activity for multi-org environments The connector supports both production and sandbox environments with multi-domain configurations, enabling SOC teams to monitor Salesforce administrative security across complex deployments.\nAffected Files Solutions/Salesforce Service Cloud/Data Connectors/SalesforceAuditLogsConnector_CCF/SalesforceAuditLogs_DCR.json Solutions/Salesforce Service Cloud/Data Connectors/SalesforceAuditLogsConnector_CCF/SalesforceAuditLogs_DataConnectorDefinition.json Solutions/Salesforce Service Cloud/Data Connectors/SalesforceAuditLogsConnector_CCF/SalesforceAuditLogs_PollingConfig.json Solutions/Salesforce Service Cloud/Data Connectors/SalesforceSentinelConnector_CCP/SalesforceServiceCloud_DataConnectorDefinition.json Solutions/Salesforce Service Cloud/Data Connectors/SalesforceSentinelConnector_CCP/SalesforceServiceCloud_PollingConfig.json Tools/Create-Azure-Sentinel-Solution/common/standardLogStreams.ps1 (packaging artefacts: 3.3.0.zip, 
ReleaseNotes.md, Solution_TSalesforceCloudtemplateSpec.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-05-12-pr-14227/","summary":"New Salesforce Audit Logs connector provides visibility into administrative changes and user authentication events across Salesforce orgs.","title":"Salesforce Audit Visibility: New CCF Connector for Administrative Change Tracking"},{"content":"What Changed Updated Flare Solution to version 3.1.0 with improved Analytic Rules and Workbooks aligned to the CFF connector’s updated schema. Added three new detection rules targeting chat platforms, lookalike domains, and underground marketplaces while removing one deprecated SSL certificate rule.\nDetection Logic Updates All existing Analytic Rules were updated from version 2.0.0 to 3.0.0 with standardized logic:\nPrimary data source: FireworkV2_CL Core filtering: notempty(uid) and RiskScore >= 3 with index-based categorization using split(uid, \"/\")[0] Entity types: URL, Domain, Host, Account (varies by rule type) Updated Rules:\nCloud Bucket: Targets driller_bucket_object and bucket indices for exposed cloud storage Credential Leaks: Filters leaked_credential index for exposed authentication data Google Dorks: Matches driller_google index for reconnaissance activity Host Results: Targets service index for exposed infrastructure Infected Devices: Filters bot and stealer_log indices for compromised endpoints Paste/Source Code: Targets paste and GitHub-related indices for exposed code New Rules (v1.0.0):\nChat Results: Monitors chat_message index for threat actor communications Lookalike Domains: Tracks domain index for typosquatting activity Marketplace Results: Monitors listing index for underground commerce Removed:\nFlareSSLcert.yaml (SSL certificate monitoring) - functionality merged into lookalike domain detection Workbook Improvements Updated FlareSystemsFireworkOverview.json with 
schema-aligned queries:\nFixed field references from legacy source_name to current source field Enhanced chart descriptions and titles for better SOC usability Improved leaked credential tracking using uid-based filtering MITRE Mapping T1593 (Search Open Websites/Domains): Primary technique for reconnaissance rules T1110 (Brute Force): Credential leak detection T1555 (Credentials from Password Stores): Infected device monitoring T1583 (Acquire Infrastructure): Domain/certificate tracking T1596 (Search Open Technical Databases): Host reconnaissance Affected Files Solutions/Flare/Analytic Rules/FlareChat.yaml Solutions/Flare/Analytic Rules/FlareCloudBucket.yaml Solutions/Flare/Analytic Rules/FlareCredentialLeaks.yaml Solutions/Flare/Analytic Rules/FlareDork.yaml Solutions/Flare/Analytic Rules/FlareHost.yaml Solutions/Flare/Analytic Rules/FlareInfectedDevice.yaml Solutions/Flare/Analytic Rules/FlareLookalikeDomain.yaml Solutions/Flare/Analytic Rules/FlareMarket.yaml Solutions/Flare/Analytic Rules/FlarePaste.yaml Solutions/Flare/Analytic Rules/FlareSSLcert.yaml Solutions/Flare/Analytic Rules/FlareSourceCode.yaml Solutions/Flare/Playbooks/credential-warning/azuredeploy.json Solutions/Flare/Workbooks/FlareSystemsFireworkOverview.json (packaging artefacts: 3.1.0.zip, ReleaseNotes.md, Solution_FlareSystemsFirework.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-05-12-pr-14126/","summary":"Flare Solution updates detection logic and adds three new Analytic Rules for improved threat exposure monitoring across chat platforms, lookalike domains, and underground marketplaces.","title":"Flare Solution 3.1.0: Enhanced Threat Intelligence Detection Coverage"},{"content":"What Changed The CorrelateIPC_Unfamiliar-Atypical Analytic Rule was updated to version 1.0.9 with improved filtering logic for Microsoft Entra ID Protection alerts.\nDetection Logic The KQL query now extracts and parses the Comments field from atypical travel 
alerts, specifically filtering out events where the risk detail contains \"admin\". The core logic correlates unfamiliar sign-in properties with atypical travel alerts within a configurable time window, but now excludes admin-initiated activities that would otherwise generate false positives.\nSecurity Impact This update reduces noise in SOC workflows by filtering out legitimate admin activities that trigger atypical travel alerts. Teams running this rule will see fewer false positives from administrative actions while maintaining coverage for genuine suspicious user behavior patterns.\nAffected Files .script/tests/KqlvalidationsTests/CustomTables/IdentityInfo.json Solutions/Microsoft Entra ID Protection/Analytic Rules/CorrelateIPC_Unfamiliar-Atypical.yaml (packaging artefacts: 3.0.4.zip, ReleaseNotes.md, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-05-12-pr-14108/","summary":"Updated CorrelateIPC_Unfamiliar-Atypical rule adds filtering to exclude admin-triggered atypical travel alerts, improving detection precision.","title":"Microsoft Entra ID Protection: Enhanced Detection Logic Filters Out Admin Risk Events"},{"content":"What Changed Microsoft Sentinel Content Hub has removed five complete NXLog partner solutions at vendor request (ADO #5253676):\nNXLog BSM macOS: Basic Security Module audit events from macOS systems NXLog FIM: File Integrity Monitoring across platforms NXLog LinuxAudit: Native Linux audit framework integration NXLog AIX Audit: IBM AIX system audit trail collection NXLog DNS Logs: DNS query/response monitoring with ASIM normalization Security Impact (Visibility & Fidelity) Organizations currently using these solutions will lose critical security telemetry:\nAudit Trail Blind Spots: Linux/AIX audit visibility eliminated for privilege escalation detection (T1078), file system tampering (T1565), and administrative actions monitoring. 
Systems configured with these connectors will stop ingesting audit events.\nFile Integrity Loss: FIM solution removal eliminates detection of unauthorized file modifications, configuration tampering, and malware persistence mechanisms across monitored file systems.\nDNS Monitoring Gap: The removed DNS connector provided ASIM-normalized DNS event ingestion for DNS tunneling detection and suspicious domain monitoring — alternative Microsoft DNS solutions may not cover the same log sources.\nCross-Platform Coverage: These solutions specifically addressed Unix/Linux/AIX environments where Microsoft-native logging solutions have limited reach.\nMigration Required Users of these solutions must:\nIdentify alternative data collection mechanisms before connector removal Reconfigure log forwarding to supported Syslog or CEF connectors Update detection rules referencing BSMmacOS_CL, NXLogFIM_CL, LinuxAudit_CL, AIX_Audit_CL tables Validate ASIM DNS parser functionality if using ASimDnsMicrosoftNXLog The removal affects both real-time data ingestion and historical query capabilities for environments dependent on these specific NXLog integrations.\nAffected Files Solutions/NXLog BSM macOS/Data Connectors/NXLogBSMmacOS.json Solutions/NXLog FIM/Data Connectors/NXLogFIM.json Solutions/NXLog LinuxAudit/Data Connectors/NXLogLinuxAudit.json Solutions/NXLogAixAudit/Data Connectors/NXLogAixAudit.json Solutions/NXLogAixAudit/Parsers/NXLog_parsed_AIX_Audit_view.yaml Solutions/NXLogDnsLogs/Data Connectors/NXLogDnsLogs.json Solutions/NXLogDnsLogs/Parsers/ASimDnsMicrosoftNXLog.yaml (packaging artefacts: 2.0.0.zip, 2.0.1.zip, 3.0.0.zip, SolutionMetadata.json, Solution_NXLogAixAudit.json, Solution_NXLogBSMmacOSTemplateSpec.json, Solution_NXLogDnsLogs.json, Solution_NXLogFIMTemplateSpec.json, Solution_NXLogLinuxAuditTemplateSpec.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-05-11-pr-14228/","summary":"Five NXLog partner solutions 
removed from Content Hub, eliminating data connector support for BSM macOS, FIM, Linux Audit, AIX Audit, and DNS monitoring across Unix/Linux environments.","title":"NXLog Solutions Deprecated: Loss of Multi-Platform Audit Visibility"},{"content":"What Changed Zimperium Mobile Threat Defense Solution upgraded from Azure Function-based data connector to Codeless Connector Framework (CCF) push connector architecture. This migration addresses the upcoming deprecation of Azure Function-based connectors and the Log Analytics Data Collector API by June 2026.\nData Source & Ingestion Mechanism Data Source: Zimperium Mobile Threat Defense platform for enterprise mobile security monitoring\nIngestion Method: CCF-based push connector with DCR/DCE configuration\nTarget Tables:\nZimperiumThreatLogV2_CL — mobile threat detection events ZimperiumMitigationLogV2_CL — threat response and mitigation actions CCF Configuration The connector uses:\nstreamName: Custom-ZimperiumThreatLogV2 and Custom-ZimperiumMitigationLogV2 DCR transformation: Custom schema normalization for mobile threat telemetry Push model: Real-time threat data ingestion via Zimperium platform webhooks Mobile Security Coverage This connector provides visibility into:\nDevice compromise detection: Jailbreak/root detection, malware infections, app-based threats Network threats: Rogue WiFi access points, man-in-the-middle attacks, certificate violations App-layer risks: Sideloaded apps, malicious downloads, phishing attempts via mobile apps OS vulnerabilities: Unpatched devices, security bypass attempts Mobile threat data includes device context (OS version, MDM integration), threat attribution (MITRE tactics mapping), and location data for incident response.\nWorkbook Integration Updated workbook provides mobile security dashboards with CCF data source compatibility for threat trend analysis and device risk posturing.\nAffected Files Logos/ZIMPERIUM-logo_orange.svg Solutions/Zimperium Mobile Threat 
Defense/Data Connectors/ZimperiumMTD_CCF/ZimperiumMTD_DCR.json Solutions/Zimperium Mobile Threat Defense/Data Connectors/ZimperiumMTD_CCF/ZimperiumMTD_connectorDefinition.json Solutions/Zimperium Mobile Threat Defense/Data Connectors/ZimperiumMTD_CCF/ZimperiumMTD_dataConnector.json Solutions/Zimperium Mobile Threat Defense/Data Connectors/ZimperiumMTD_CCF/ZimperiumMitigationLogV2_table.json Solutions/Zimperium Mobile Threat Defense/Data Connectors/ZimperiumMTD_CCF/ZimperiumThreatLogV2_table.json Solutions/Zimperium Mobile Threat Defense/Package/testParameters.json Solutions/Zimperium Mobile Threat Defense/Sample Data/ZimperiumMitigationLogV2_IngestedLogs.csv Solutions/Zimperium Mobile Threat Defense/Sample Data/ZimperiumMitigationLogV2_RawLogs.json Solutions/Zimperium Mobile Threat Defense/Sample Data/ZimperiumMitigationLogV2_Schema.csv Solutions/Zimperium Mobile Threat Defense/Sample Data/ZimperiumThreatLogV2_IngestedLogs.csv Solutions/Zimperium Mobile Threat Defense/Sample Data/ZimperiumThreatLogV2_RawLogs.json Solutions/Zimperium Mobile Threat Defense/Sample Data/ZimperiumThreatLogV2_Schema.csv Solutions/Zimperium Mobile Threat Defense/Workbooks/Images/Preview/ZimperiumCCFBlack.png Solutions/Zimperium Mobile Threat Defense/Workbooks/Images/Preview/ZimperiumCCFWhite.png Solutions/Zimperium Mobile Threat Defense/Workbooks/ZimperiumMTDCCFWorkbooks.json Workbooks/Images/Logos/ZIMPERIUM-logo_orange.svg Workbooks/Images/Preview/ZimperiumCCFBlack.png Workbooks/Images/Preview/ZimperiumCCFWhite.png Workbooks/WorkbooksMetadata.json Workbooks/ZimperiumMTDCCFWorkbooks.json (packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_ZimperiumMTD.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-05-08-pr-13947/","summary":"Zimperium Mobile Threat Defense migrates to CCF-based push connector, replacing deprecated Azure Function ingestion before June 2026 deadline.","title":"Zimperium MTD: New CCF Push 
Connector for Mobile Threat Telemetry"},{"content":"What Changed Reverted solutionId/offerId from azure-sentinel-solution-vaikora-azure-security-center back to vaikora-security-center-connector to match the immutable Partner Center offer ID.\nSecurity Impact This is a packaging metadata fix with no operational security impact. The solution failed Microsoft Marketplace certification under policy 300.4.1.1 because the GitHub package used a different offer ID than the Partner Center listing.\nThe original rename exceeded the Partner Center 50-character limit and caused cert rejection. This revert restores Marketplace certification eligibility for the Vaikora AI to Microsoft Defender for Cloud integration solution.\nAffected Files (packaging artefacts: 3.0.0.zip, SolutionMetadata.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-05-07-pr-14211/","summary":"Reverts solution ID to match Partner Center offer name after Marketplace certification failure under policy 300.4.1.1.","title":"Vaikora Azure Security Center: Microsoft Marketplace Certification Fix"},{"content":"What Changed Fixed ARM template deployment failure in the RFI-confirm-EntraID-risky-user playbook by removing stale references to the deleted Check_if_AD_Identity_Protection_risky_users_list_contains_the_user action.\nSecurity Impact The affected playbook was completely non-deployable since v1.2 due to ARM template validation failures. 
Deployments attempting to install this playbook from the v3.0 folder experienced InvalidTemplate errors at deploy time, preventing installation of identity protection automation.\nPer PR discussion: The deleted action references remained in both response actions after the action was removed in v1.2, causing template validation to fail when referencing non-existent workflow steps.\nThis fix restores the playbook's deployability for organizations using Recorded Future Identity Intelligence to automate Entra ID risky user confirmation workflows.\nAffected Files Solutions/Recorded Future Identity/Playbooks/v3.0/RFI-confirm-EntraID-risky-user/azuredeploy.json ","permalink":"http://sentinelchangelog.net/posts/2026-05-07-pr-14197/","summary":"Fixes broken deployment of RFI-confirm-EntraID-risky-user playbook that failed with InvalidTemplate error due to stale action references.","title":"Recorded Future Identity Playbook: ARM Template Deploy Failure Fixed"},{"content":"What Changed New hunting query ServicePrincipalCredentialAdditionByRareActor.yaml added to Hunting Queries/AuditLogs/ targeting persistence via credential manipulation on service principals and applications.\nDetection Logic The query builds a 90-day baseline of actors who have previously performed credential operations, then identifies new credential additions by previously unobserved actors. It monitors two specific operations:\nAdd service principal credentials Update application - Certificates and secrets management The logic correlates AuditLogs from the current window with baseline data (90 days prior to start time) using leftanti join to exclude known actors. Entity mappings include Account (Actor, AccountName, AccountUPNSuffix) and IP address.\nMITRE Mapping T1098.001 — Account Manipulation: Additional Cloud Credentials Security Impact This fills a coverage gap for persistence detection using AuditLogs alone — no Microsoft Defender XDR required. 
Unlike existing generic rare-audit queries, this specifically targets high-risk credential operations that could enable backdoor access. It provides a focused alternative to broad dormant service principal queries by emphasizing the actor baseline approach. Analysts must validate results as benign matches include newly onboarded administrators, first-time IaC pipelines, and certificate rotation by different operators.\nAffected Files Hunting Queries/AuditLogs/ServicePrincipalCredentialAdditionByRareActor.yaml ","permalink":"http://sentinelchangelog.net/posts/2026-05-07-pr-14213/","summary":"Identifies service principal credential additions by actors not observed performing these operations in the previous 90 days, targeting persistence techniques.","title":"Microsoft Entra ID: Service Principal Credential Manipulation by Rare Actors"},{"content":"What Changed New hunting query IPIdentityFailureBurstFollowedBySuccess.yaml added to Hunting Queries/MultipleDataSources/ targeting password spraying and credential misuse patterns.\nDetection Logic The query correlates both interactive (SigninLogs) and non-interactive (AADNonInteractiveUserSignInLogs) sign-ins by source IP address within a 15-minute correlation window. It triggers when:\nMinimum 5 distinct failed users from the same IP Minimum 20 failed attempts from the same IP Followed by successful authentication (max 3 successful users) Success codes include: 0, 50125, 50140, 70043, 70044 Key output includes failure-to-success exposure ratio and comprehensive user/app/source table sets for investigation context. Entity mappings target Account (FirstSuccessfulUser) and IP address.\nMITRE Mapping T1110.003 — Password Spraying T1078 — Valid Accounts Security Impact This hypothesis-driven hunting query helps SOC analysts prioritize high-friction identity events indicating potential password spraying or opportunistic credential misuse. 
The explicit thresholds and bounded correlation windows reduce alert fatigue by focusing on meaningful patterns with entity relationships rather than isolated events. Analysts must validate results as benign matches are expected in shared egress environments (NAT, VPN/proxy, enterprise gateways) and legitimate automation/service activity.\nAffected Files Hunting Queries/MultipleDataSources/IPIdentityFailureBurstFollowedBySuccess.yaml ","permalink":"http://sentinelchangelog.net/posts/2026-05-07-pr-14208/","summary":"Correlates failed sign-ins across multiple identities followed by successful authentication from the same IP within 15 minutes, targeting password spraying patterns.","title":"Microsoft Entra ID: Hunting Query for Password Spraying Detection via IP Failure Bursts"},{"content":"What Changed New hunting query SignInASNMismatchInteractiveVsNonInteractive.yaml added to Hunting Queries/MultipleDataSources/ targeting post-compromise authentication material abuse.\nDetection Logic The query correlates successful interactive sign-ins (SigninLogs) with successful non-interactive sign-ins (AADNonInteractiveUserSignInLogs) for the same user within a 10-minute window. It triggers when:\nBoth sign-ins have different Autonomous System Numbers (ASNs) IP addresses differ between the two events Both authentication events are successful (ResultType == 0) Entity mappings include Account (FullName, Name, UPNSuffix) and IP (NonInteractiveIP address).\nMITRE Mapping T1550.001 — Use Alternate Authentication Material: Application Access Token T1539 — Steal Web Session Cookie (post-compromise usage pattern) Security Impact This hypothesis-driven hunting query provides a new angle for detecting potential post-compromise token misuse that doesn’t require non-AAD connectors. It complements existing PossibleAiTMPhishingAttemptAgainstAAD detection by focusing purely on Microsoft Entra ID sign-in telemetry patterns. 
Analysts must validate all results as benign matches are expected in VPN, roaming, mobile background refresh, multi-device, and corporate proxy scenarios.\nAffected Files Hunting Queries/MultipleDataSources/SignInASNMismatchInteractiveVsNonInteractive.yaml ","permalink":"http://sentinelchangelog.net/posts/2026-05-07-pr-14207/","summary":"Surfaces rapid ASN changes between interactive and non-interactive sign-ins within 10 minutes, indicating potential post-compromise token misuse.","title":"Microsoft Entra ID: New Hunting Query Detects Post-Compromise Token Abuse via ASN Mismatches"},{"content":"What Changed Fixed critical timestamp type conversion in four Dynatrace parsers (DynatraceAttacks, DynatraceAuditLogs, DynatraceProblems, DynatraceSecurityProblems) by converting V1 Unix epoch millisecond fields to proper datetime format using unixtime_milliseconds_todatetime(). All parsers updated from version 2.0.0 to 2.0.1.\nParser Impact The timestamp fields in affected parsers were previously returned as numeric values (timestamp_d, endTime_d, startTime_d, etc.), causing duplicate typed columns in query results when mixed with other datetime fields. This data type mismatch created query failures and inconsistent results when SOCs attempted to correlate events or build time-based analytics.\nFields normalized:\nDynatraceAttacks: TimeStamp field now properly converts from timestamp_d DynatraceAuditLogs: TimeStamp field corrected DynatraceProblems: StartTime and EndTime fields fixed DynatraceSecurityProblems: FirstSeenTimeStamp, LastUpdatedTimeStamp, LastOpenedTimeStamp corrected Queries referencing these timestamp fields against the parsers previously returned inconsistent data types — this is a data fidelity fix that ensures proper temporal correlation for security investigations.\nSecurity Impact Deployments using these parsers had compromised ability to perform time-based security analysis due to the type mismatch. 
This fix restores reliable temporal correlation for attack detection, audit trail analysis, and problem tracking within the Dynatrace security ecosystem.\nAffected Files Solutions/Dynatrace/Parsers/DynatraceAttacks.yaml Solutions/Dynatrace/Parsers/DynatraceAuditLogs.yaml Solutions/Dynatrace/Parsers/DynatraceProblems.yaml Solutions/Dynatrace/Parsers/DynatraceSecurityProblems.yaml Solutions/Dynatrace/Playbooks/Add_DynatraceApplicationSecurityAttackSourceIpThreatIntelligence/azuredeploy.json Solutions/Dynatrace/Playbooks/Add_DynatraceApplicationSecurityAttackSourceIpThreatIntelligence/readme.md (packaging artefacts: 3.0.3.zip, ReleaseNotes.md, Solution_Dynatrace.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-05-07-pr-14152/","summary":"Data fidelity fix converts Unix epoch millisecond fields to datetime, resolving duplicate typed columns that broke query functionality in Dynatrace parsers.","title":"Dynatrace Parsers: Critical Timestamp Fix Restores Query Reliability"},{"content":"What Changed Applied security hardening and code quality improvements to the Cyjax threat intelligence connector, addressing:\nPython linting issues across multiple modules Package dependency vulnerabilities Code-level security vulnerabilities Code formatting and style consistency Security Impact (Visibility & Fidelity) While the fixes primarily address code quality and security posture, unpatched vulnerabilities in the connector runtime could potentially impact:\nThreat intelligence data ingestion reliability Authentication security for API communications Overall connector stability and availability The fixes ensure the connector maintains secure operation when ingesting IOCs (IP addresses, domains, URLs, file hashes) from Cyjax threat intelligence feeds.\nTechnical Details Updated 7 Python modules within the Cyjax connector Function App:\nEnhanced error handling and logging consistency Improved code formatting and string handling Addressed security 
best practices in authentication flows Updated dependency specifications and constraints Fixed timeout and retry logic implementations The changes maintain compatibility with existing deployments while strengthening the security posture of the threat intelligence ingestion pipeline.\nAffected Files Solutions/Cyjax/Data Connectors/CyjaxIOCIngestion/__init__.py Solutions/Cyjax/Data Connectors/CyjaxIOCIngestion/cyjax_ioc_helper.py Solutions/Cyjax/Data Connectors/SharedCode/consts.py Solutions/Cyjax/Data Connectors/SharedCode/cyjax_client.py Solutions/Cyjax/Data Connectors/SharedCode/cyjax_to_stix_mapping.py Solutions/Cyjax/Data Connectors/SharedCode/sentinel.py Solutions/Cyjax/Data Connectors/SharedCode/state_manager.py (packaging artefacts: CyjaxIOC.zip) ","permalink":"http://sentinelchangelog.net/posts/2026-05-07-pr-14193/","summary":"Addressed lint issues, package vulnerabilities, and code vulnerabilities in Cyjax threat intelligence connector.","title":"Cyjax Connector: Security and Code Quality Fixes Applied"},{"content":"What Changed Updated retry delay in Cisco Duo Function App connector from 60 seconds to 120 seconds across all log retrieval functions when encountering HTTP 429 throttling responses.\nSecurity Impact (Visibility \u0026 Fidelity) The previous 60-second retry delay was insufficient for Duo API throttling requirements, causing the connector to repeatedly fail API calls after hitting rate limits. 
This created visibility gaps for:\nAuthentication logs monitoring MFA bypass attempts Administrative logs tracking privilege escalation Activity logs covering user access patterns Telephony logs monitoring voice/SMS authentication events Deployments experiencing API throttling had incomplete log ingestion, creating blind spots in identity security monitoring.\nTechnical Details Modified retry logic in all log retrieval functions (process_auth_logs, get_auth_logs, process_admin_logs, get_admin_logs, process_offline_enrollment_logs, get_offline_enrollment_logs, get_activity_logs, get_tele_logs) to wait 120 seconds instead of 60 seconds when receiving HTTP 429 responses from Duo API.\nThe change ensures compliance with Duo API documented throttling expectations, reducing connector failures and improving data collection reliability.\nAffected Files Solutions/CiscoDuoSecurity/Data Connectors/AzureFunctionCiscoDuo/main.py (packaging artefacts: CiscoDuoSecurity_func.zip) ","permalink":"http://sentinelchangelog.net/posts/2026-05-07-pr-14204/","summary":"Doubled retry delay to 120 seconds to address Duo API throttling requirements preventing log collection.","title":"Cisco Duo Connector: API Throttling Resilience Improved for Log Ingestion"},{"content":"Affected Files Workbooks/WorkspaceUsage.json ","permalink":"http://sentinelchangelog.net/posts/2026-05-07-pr-14214/","summary":"Fixed inverted display labels in WorkspaceUsage workbook where billing status showed opposite values.","title":"Workspace Usage Workbook: IsBillable Column Display Labels Corrected"},{"content":"What Changed Microsoft 365 Defender ASIM ProcessEvent parsers (both ASimProcessEventMicrosoft365D v0.3.1 and vimProcessEventMicrosoft365D v0.4.1) now include the previously missing TargetUserSessionId field in their project statements.\nParser Impact The TargetUserSessionId field was mapped in the parser logic (TargetUserSessionId = tostring(LogonId)) but omitted from the final project statement. 
Queries referencing TargetUserSessionId against these parsers previously returned null for all rows — this is a data fidelity fix, not a cosmetic update.\nSession correlation queries using this field for process-to-logon event linking can now function correctly. No change to other normalised field names or filter logic — safe for existing detections using these parsers.\nAffected Files Parsers/ASimProcessEvent/ARM/ASimProcessEventMicrosoft365D/ASimProcessEventMicrosoft365D.json Parsers/ASimProcessEvent/ARM/vimProcessEventMicrosoft365D/vimProcessEventMicrosoft365D.json Parsers/ASimProcessEvent/CHANGELOG/ASimProcessEventMicrosoft365D.md Parsers/ASimProcessEvent/CHANGELOG/vimProcessEventMicrosoft365D.md Parsers/ASimProcessEvent/Parsers/ASimProcessEventMicrosoft365D.yaml Parsers/ASimProcessEvent/Parsers/vimProcessEventMicrosoft365D.yaml ","permalink":"http://sentinelchangelog.net/posts/2026-05-06-pr-14183/","summary":"Missing TargetUserSessionId field in Microsoft 365 Defender ASIM ProcessEvent parsers has been restored, fixing queries that previously returned null for this session correlation field.","title":"M365 Defender ASIM Parser: TargetUserSessionId Field Restoration Fixes Data Fidelity Gap"},{"content":"What Changed GitHub Actions workflow runAsimSchemaAndDataTesters.yaml implemented enhanced security controls for pull requests from forked repositories. The workflow now restricts trigger events to only labeled and synchronize events, eliminating broader event triggers that could execute untrusted code.\nSecurity Impact (CI/CD Supply Chain) This addresses a supply chain security vulnerability where malicious fork PRs could potentially execute arbitrary code in the CI environment with access to repository secrets. 
The previous implementation allowed multiple trigger events that could bypass security review.\nKey security improvements:\nRestricted trigger scope: Only labeled and synchronize events can trigger the workflow, reducing attack surface Strict SafeToRun gating: Fork PRs only execute when maintainers explicitly add the SafeToRun label during the labeled event Automatic label removal: New commits synchronize events automatically remove stale SafeToRun labels, forcing re-review Enhanced logging: Improved visibility into approval decisions and security state transitions Attack scenario mitigated: Previously, a malicious actor could open a fork PR, wait for SafeToRun approval, then push additional malicious commits that would execute without re-review. The new logic prevents this by immediately invalidating approval on code changes.\nOperational Changes Maintainer workflow: After new commits on approved fork PRs, maintainers must remove and re-add SafeToRun labels Automated enforcement: The workflow now includes GitHub Actions script automation to remove stale labels Fork-specific gating: Downstream jobs validation, data ingestion, testing only run for forks on labeled events This hardening aligns with GitHub Security Lab recommendations for preventing PWN request attacks in CI/CD pipelines.\nAffected Files .github/workflows/runAsimSchemaAndDataTesters.yaml ","permalink":"http://sentinelchangelog.net/posts/2026-05-06-pr-14220/","summary":"CI/CD security enhancement prevents automatic execution of untrusted fork code by implementing strict SafeToRun label gating.","title":"GitHub Actions Security: Fork PR Workflow Hardened Against Supply Chain Attacks"},{"content":"What Changed Version 3.2.1 addresses critical compatibility issues with the GitHub CLv2 ingestion migration. 
The update fixes three core parsers (GitHubCodeScanningData, GitHubDependabotData, GitHubSecretScanningData) and both workbooks to properly handle the new GitHubAdvancedSecurityAlerts_CL table schema while maintaining backward compatibility with existing githubscanaudit_CL deployments.\nSecurity Impact (Visibility \u0026 Fidelity) Deployments using the newer GitHub Webhook V2 connector (CLv2/Logs Ingestion API) experienced broken visibility for GitHub Advanced Security alerts since the v3.2.0 release. The parsers were hardcoded to query only the legacy githubscanaudit_CL table, causing zero results from the new GitHubAdvancedSecurityAlerts_CL table.\nImpact scope:\nCode scanning vulnerability alerts were not being parsed Dependabot security alerts returned null for key fields (external_identifier, severity) Secret scanning alerts were completely invisible to workbook queries Workbook tiles showed zero activity despite active GitHub security events Parser Impact Updated schema compatibility:\nGitHubCodeScanningData: Now uses the unified githubscanaudit parser and adds event_s == code_scanning_alert detection for CLv2 events alongside legacy action_s filtering.\nGitHubDependabotData: Enhanced with robust field mapping using coalesce() to handle schema differences:\nalertexternalidentifier: coalesce(alert.external_identifier, alert.security_advisory.ghsa_id, tostring(alert.number)) alertseverity: coalesce(alert.severity, alert.security_advisory.severity) Supports both create and created action values GitHubSecretScanningData: Adds event_s == secret_scanning_alert detection and includes alertresolveddate field for CLv2 compatibility.\nAll parsers now query the githubscanaudit union parser instead of directly accessing githubscanaudit_CL, ensuring automatic compatibility with both V1 and V2 table structures.\nDeployment Notes This is a data fidelity fix, not a cosmetic update. 
Existing workbooks and analytics that rely on GitHub security data were returning incomplete results for CLv2 deployments. The fix ensures consistent field names and alert detection across both ingestion methods.\nAffected Files Solutions/GitHub/Data Connectors/GithubWebhookV2/GithubWebhookV2_API_FunctionApp.json Solutions/GitHub/Data Connectors/GithubWebhookV2/README.md Solutions/GitHub/Parsers/GitHubCodeScanningData.yaml Solutions/GitHub/Parsers/GitHubDependabotData.yaml Solutions/GitHub/Parsers/GitHubSecretScanningData.yaml Solutions/GitHub/Workbooks/GitHub.json Solutions/GitHub/Workbooks/GitHubAdvancedSecurity.json Workbooks/WorkbooksMetadata.json (packaging artefacts: 3.2.1.zip, ReleaseNotes.md, Solution_GitHub.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-05-06-pr-14209/","summary":"Critical fix migrates GitHub parsers and workbooks to support CLv2 ingestion table and updated GitHub alert event schemas, ensuring compatibility across V1 and V2 deployments.","title":"GitHub Advanced Security Parser Migration: CLv2 Compatibility and Schema Updates"},{"content":"What Changed Version 3.0.6 of the Azure Firewall solution delivers quality improvements across 11 Analytic Rules and 5 Hunting Queries. The changes focus on three core areas: enhanced alert context through entity mappings and custom details, query performance optimizations to prevent full-table scans, and expanded MITRE ATT\u0026CK coverage.\nDetection Logic The improved rules target Azure Firewall logs (AzureDiagnostics, AZFWNetworkRule, AZFWApplicationRule, AZFWFlowTrace, AZFWIdpsSignature, AZFWThreatIntel) with these key enhancements:\nQuery Performance:\nTime range restrictions added to unioned tables via TimeGenerated between (FullWindowStart .. 
FullWindowEnd) to avoid full-table scans Explicit project statements replace project-away to preserve key fields for incident investigation Configurable thresholds for common ports in port scan detection to reduce benign scanner noise Alert Context:\nEntity mappings added for IP addresses and URLs across all rules Custom details now surface critical fields like AlertCount, Threshold, NetworkProtocol, and ThreatDescription Alert display name and description override templates provide incident-specific context Detection Coverage:\nTrigger thresholds standardized from 1 to 0 for immediate alerting Additional tactics (Discovery, Reconnaissance, DefenseEvasion) and MITRE techniques added Known scanner IP exclusion capability added to port scan rules MITRE Mapping Expanded coverage includes:\nT1046 (Network Service Discovery) — port scan/sweep detection T1071 (Application Layer Protocol) — abnormal protocol usage T1568.001/.002 (Dynamic Resolution: Fast Flux DNS/DGA) — abnormal deny rates T1571/T1572 (Non-Standard Port) — port to protocol anomalies T1595.001 (Active Scanning: Scanning IP Blocks) — reconnaissance activities Affected Files Solutions/Azure Firewall/Analytic Rules/Azure Firewall - Abnormal Deny Rate for Source IP.yaml Solutions/Azure Firewall/Analytic Rules/Azure Firewall - Abnormal Port to Protocol.yaml Solutions/Azure Firewall/Analytic Rules/Azure Firewall - DDoS attack detected.yaml Solutions/Azure Firewall/Analytic Rules/Azure Firewall - Elevation of Privilege attempt detected.yaml Solutions/Azure Firewall/Analytic Rules/Azure Firewall - High severity malicious activity detected.yaml Solutions/Azure Firewall/Analytic Rules/Azure Firewall - Medium severity malicious activity detected.yaml Solutions/Azure Firewall/Analytic Rules/Azure Firewall - Multiple Sources Affected by the Same TI Destination.yaml Solutions/Azure Firewall/Analytic Rules/Azure Firewall - Port Scan.yaml Solutions/Azure Firewall/Analytic Rules/Azure Firewall - Port Sweep.yaml 
Solutions/Azure Firewall/Analytic Rules/Azure Firewall - Web Application attack detected.yaml Solutions/Azure Firewall/Analytic Rules/SeveralDenyActionsRegistered.yaml Solutions/Azure Firewall/Hunting Queries/Azure Firewall - First Time Source IP to Destination Using Port.yaml Solutions/Azure Firewall/Hunting Queries/Azure Firewall - First time source IP to Destination.yaml Solutions/Azure Firewall/Hunting Queries/Azure Firewall - Source IP Abnormally Connects to Multiple Destinations.yaml Solutions/Azure Firewall/Hunting Queries/Azure Firewall - Uncommon Port for Organization.yaml Solutions/Azure Firewall/Hunting Queries/Azure Firewall - Uncommon Port to IP.yaml (packaging artefacts: 3.0.6.zip, ReleaseNotes.md, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-05-06-pr-13820/","summary":"Comprehensive quality improvements to 11 Azure Firewall detections and 5 hunting queries add entity mappings, custom details, and query optimizations to reduce false positives and improve incident context.","title":"Azure Firewall Detection Quality Overhaul: Enhanced Alert Context and Reduced Query Costs"},{"content":"What Changed The Workspace Usage Report workbook v1.6.5 fixes false positive \u201cQuery Text is different\u201d alerts in the Weekly Rules comparison. The logic now uses contains matching instead of exact string comparison to ignore trailing whitespace differences between Active Rules and Rule Templates.\nOperational Impact SOC teams using this workbook for rule validation were receiving false alerts when Active Rules had identical logic to their templates but different trailing whitespace. 
This created noise in rule compliance monitoring and required manual verification of legitimate matches.\nThe fix eliminates these false positives while preserving the ability to detect actual logic differences between deployed rules and their templates.\nAffected Files Workbooks/WorkspaceUsage.json ","permalink":"http://sentinelchangelog.net/posts/2026-05-06-pr-14114/","summary":"Workbook no longer flags legitimate rule template and active rule pairs as having different query text due to whitespace sensitivity.","title":"Workspace Usage Report Workbook: Query Comparison False Positives Fixed"},{"content":"What Changed The BloodHound Enterprise connector received a comprehensive update addressing three categories of issues: deployment reliability, data collection schema validation failures, and ingestion mechanism improvements.\nSecurity Impact (Visibility \u0026 Fidelity) Data fidelity gaps closed: Multiple custom tables (BHEAttackPathsTimelineData_CL, BHEAuditLogsData_CL, BHETierZeroAssetsData_CL) were missing required TimeGenerated fields — KQL queries referencing these fields returned null for all rows until this fix. The BHEPostureHistoryData_CL table schema was replaced to eliminate validation errors that prevented data ingestion entirely.\nDeployment reliability restored: The Function App deployment was pulling from an unstable fork repository (metron-labs/Azure-Sentinel) instead of the official Microsoft repository. 
Deployments using the previous configuration experienced inconsistent availability and potential version drift from the validated solution package.\nConnector Enhancement Details Ingestion mechanism: Upgraded from basic REST API polling to Azure Functions-based data collection with dedicated DCR/DCE configuration for six data streams: attack paths, timeline data, audit logs, finding trends, posture history, and Tier Zero assets API connectivity: Enhanced documentation for BloodHound Enterprise API credential setup with clearer token ID/key instructions and Microsoft Entra application requirements Metric queries: Refined graph queries to provide more accurate attack path trend visualization and connectivity validation across all data types Affected Files .script/tests/KqlvalidationsTests/CustomTables/BHEAttackPathsTimelineData_CL.json .script/tests/KqlvalidationsTests/CustomTables/BHEAuditLogsData_CL.json .script/tests/KqlvalidationsTests/CustomTables/BHEPostureHistoryData_CL.json .script/tests/KqlvalidationsTests/CustomTables/BHEPostureHistory_CL .json .script/tests/KqlvalidationsTests/CustomTables/BHETierZeroAssetsData_CL.json Solutions/BloodHound Enterprise/Data Connectors/BloodHoundFunction.json Solutions/BloodHound Enterprise/Data Connectors/azuredeploy_BloodHoundEnterprise_FunctionApp.json (packaging artefacts: 3.2.2.zip, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-05-06-pr-13922/","summary":"Deployment source moved to stable Microsoft repo, custom table schemas fixed, and Function App ingestion enhanced for reliable attack path visibility.","title":"BloodHound Enterprise: Function App Upgrade Fixes Data Collection and Ingestion Gaps"},{"content":"What Changed Updated both VMware vCenter ASIM authentication parsers to properly cast DvcId field from dynamic to string type using tostring() function.\nParser Impact The DvcId field was incorrectly typed as dynamic when extracted via split(PreEventString, \" \")[3]. 
This type mismatch caused queries referencing DvcId to fail or return unexpected results. The fix ensures proper string typing for both login and logout event processing in:\nASimAuthenticationVMwareVCenter (unfiltered parser) vimAuthenticationVMwareVCenter (filtering parser) No change to normalised field names or filter logic — safe for existing detections using this parser. However, deployments experiencing DvcId query failures will now function correctly.\nAffected Files Parsers/ASimAuthentication/ARM/ASimAuthenticationVMwareVCenter/ASimAuthenticationVMwareVCenter.json Parsers/ASimAuthentication/ARM/vimAuthenticationVMwareVCenter/vimAuthenticationVMwareVCenter.json Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationVMwareVCenter.md Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationVMwareVCenter.md Parsers/ASimAuthentication/Parsers/ASimAuthenticationVMwareVCenter.yaml Parsers/ASimAuthentication/Parsers/vimAuthenticationVMwareVCenter.yaml ","permalink":"http://sentinelchangelog.net/posts/2026-05-05-pr-14182/","summary":"Fixed critical data type mismatch in VMware vCenter authentication parser that caused DvcId field queries to fail.","title":"VMware vCenter ASIM Parser: DvcId Type Correction Prevents Query Failures"},{"content":"Affected Files (packaging artefacts: 3.0.5.zip, ReleaseNotes.md, Solution_VTI.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-05-05-pr-14206/","summary":"Updated Data Connector description in Visa Threat Intelligence solution to resolve certification failure.","title":"Visa Threat Intelligence: Connector Description Update for Certification"},{"content":"What Changed Claroty solution version 3.0.5 addresses Content Doctor recommendations across 9 analytic rules and 10 hunting queries. 
Changes include improved entity mappings, enhanced alert details, additional MITRE technique coverage, and strengthened query logic for better detection fidelity.\nDetection Logic (9 Rules Updated) Critical Baseline Deviation: Added alert customization and T1565.001 (Data Manipulation) mapping Login to Uncommon Location: Improved user extraction and site comparison logic using set operations Multiple Failed Logins: Enhanced with credential access tactics (T1110) and better username extraction Failed Logins Same Destination: Strengthened threshold monitoring with sample user tracking New Asset: Added discovery tactics (T1082) and custom alert formatting Policy Violation: Enhanced with T1135 (Network Share Discovery) mapping and custom details Suspicious Activity: Added alert customization and event type details Suspicious File Transfer: Expanded with exfiltration tactics (T1020) and improved formatting Threat Detection: Added reconnaissance tactics (T1595) and enhanced alert details MITRE Mapping Additional technique coverage includes:\nT1565.001 (Data Manipulation) for baseline deviations T1110 (Brute Force) for authentication attacks T1135 (Network Share Discovery) for policy violations T1020 (Automated Exfiltration) for file transfers T1595 (Active Scanning) for threat detection T1082, T1016, T1613 for hunting queries OT/IoT Security Impact These improvements enhance visibility into industrial control systems and IoT environments by:\nReducing false positives through refined query logic Improving incident response with enriched alert details Expanding attack surface coverage with additional MITRE mappings Strengthening entity resolution for IP-based investigations Affected Files Solutions/Claroty/Analytic Rules/ClarotyCriticalBaselineDeviation.yaml Solutions/Claroty/Analytic Rules/ClarotyLoginToUncommonSite.yaml Solutions/Claroty/Analytic Rules/ClarotyMultipleFailedLogin.yaml Solutions/Claroty/Analytic Rules/ClarotyMultipleFailedLoginsSameDst.yaml 
Solutions/Claroty/Analytic Rules/ClarotyNewAsset.yaml Solutions/Claroty/Analytic Rules/ClarotyPolicyViolation.yaml Solutions/Claroty/Analytic Rules/ClarotySuspiciousActivity.yaml Solutions/Claroty/Analytic Rules/ClarotySuspiciousFileTransfer.yaml Solutions/Claroty/Analytic Rules/ClarotyThreat.yaml Solutions/Claroty/Hunting Queries/ClarotyBaselineDeviation.yaml Solutions/Claroty/Hunting Queries/ClarotyConflictAssets.yaml Solutions/Claroty/Hunting Queries/ClarotyCriticalEvents.yaml Solutions/Claroty/Hunting Queries/ClarotyPLCLogins.yaml Solutions/Claroty/Hunting Queries/ClarotySRAFailedLogins.yaml Solutions/Claroty/Hunting Queries/ClarotyScanSources.yaml Solutions/Claroty/Hunting Queries/ClarotyScantargets.yaml Solutions/Claroty/Hunting Queries/ClarotyUnapprovedAccess.yaml Solutions/Claroty/Hunting Queries/ClarotyUnresolvedAlerts.yaml Solutions/Claroty/Hunting Queries/ClarotyWriteExecuteOperations.yaml Solutions/Claroty/Workbooks/ClarotyOverview.json Workbooks/WorkbooksMetadata.json (packaging artefacts: 3.0.5.zip, ReleaseNotes.md, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-05-05-pr-14107/","summary":"Updated 9 analytic rules and 10 hunting queries with strengthened entity mapping, alert details, and MITRE coverage for OT/IoT network monitoring.","title":"Claroty: Enhanced IoT/OT Detection with Improved Alert Fidelity"},{"content":"What Changed ZeroFox has completely restructured their Microsoft Sentinel integration by splitting the legacy connector into two specialized solutions using the Codeless Connector Framework (CCF). 
This modernization provides granular data collection across 17 distinct threat intelligence categories and security alert streams.\nNew Solution Architecture ZeroFox Alerts (v3.0.0)\nSingle connector for security alert ingestion Consolidated alert data stream for incident detection DCR-based ingestion with custom table schema ZeroFox Threat Intelligence (v3.0.0)\n16 specialized threat intelligence connectors, each with dedicated DCR and custom table: Advanced Dark Web: Deep web threat monitoring Botnet/Botnet CC: Command and control infrastructure tracking Breaches: Data breach intelligence Compromised Credentials: Leaked credential monitoring Credit Cards: Financial fraud indicators Dark Web: General dark web intelligence Discord/Telegram: Messaging platform threats Disruption: Active threat disruption campaigns Email Addresses: Compromised email tracking Exploits: Zero-day and exploit intelligence Indicators: General IOCs and threat indicators Key Incidents: High-impact security events National IDs: Identity theft monitoring Physical Threats: Kinetic threat intelligence Vulnerabilities: CVE and vulnerability data Security Impact (Visibility \u0026 Fidelity) This architectural modernization significantly expands ZeroFox visibility within Microsoft Sentinel:\nEnhanced Data Granularity: Each threat category now flows into dedicated custom tables, enabling precise queries and reducing data noise in security operations.\nImproved Detection Surface: The 17 specialized data streams provide comprehensive coverage across digital risk protection domains:\nDark web monitoring for brand and data exposure Credential compromise detection for account takeover prevention Botnet tracking for C2 infrastructure identification Social media threats via Discord/Telegram monitoring Financial fraud indicators through credit card intelligence Physical security risks through kinetic threat feeds CCF Architecture Benefits: Migration to CCF provides automatic scaling, improved 
reliability, and consistent authentication patterns across all data streams.\nDetection Surface Unlocked Organizations can now build targeted detections for:\nCredential stuffing campaigns using compromised credential feeds Brand impersonation through dark web monitoring Executive protection via physical threat intelligence Financial fraud through credit card compromise alerts Infrastructure targeting via botnet C2 tracking Social engineering campaigns across messaging platforms Each data stream includes comprehensive field schemas enabling rich correlation with existing security data sources and MITRE ATT\u0026CK mapping for threat hunting workflows.\nAffected Files Solutions/ZeroFox Threat Intelligence/Data Connectors/Advanced Dark Web/ZeroFoxThreatIntelligence_AdvancedDarkWeb_ConnectorDefinition.json Solutions/ZeroFox Threat Intelligence/Data Connectors/Advanced Dark Web/ZeroFoxThreatIntelligence_AdvancedDarkWeb_DCR.json Solutions/ZeroFox Threat Intelligence/Data Connectors/Advanced Dark Web/ZeroFoxThreatIntelligence_AdvancedDarkWeb_PollerConfig.json Solutions/ZeroFox Threat Intelligence/Data Connectors/Advanced Dark Web/ZeroFoxThreatIntelligence_AdvancedDarkWeb_Table.json Solutions/ZeroFox Threat Intelligence/Data Connectors/Botnet CC/ZeroFoxThreatIntelligence_BotnetCC_ConnectorDefinition.json Solutions/ZeroFox Threat Intelligence/Data Connectors/Botnet CC/ZeroFoxThreatIntelligence_BotnetCC_DCR.json Solutions/ZeroFox Threat Intelligence/Data Connectors/Botnet CC/ZeroFoxThreatIntelligence_BotnetCC_PollerConfig.json Solutions/ZeroFox Threat Intelligence/Data Connectors/Botnet CC/ZeroFoxThreatIntelligence_BotnetCC_Table.json Solutions/ZeroFox Threat Intelligence/Data Connectors/Botnet/ZeroFoxThreatIntelligence_Botnet_ConnectorDefinition.json Solutions/ZeroFox Threat Intelligence/Data Connectors/Botnet/ZeroFoxThreatIntelligence_Botnet_DCR.json Solutions/ZeroFox Threat Intelligence/Data Connectors/Botnet/ZeroFoxThreatIntelligence_Botnet_PollerConfig.json 
Solutions/ZeroFox Threat Intelligence/Data Connectors/Botnet/ZeroFoxThreatIntelligence_Botnet_Table.json Solutions/ZeroFox Threat Intelligence/Data Connectors/Breaches/ZeroFoxThreatIntelligence_Breaches_ConnectorDefinition.json Solutions/ZeroFox Threat Intelligence/Data Connectors/Breaches/ZeroFoxThreatIntelligence_Breaches_DCR.json Solutions/ZeroFox Threat Intelligence/Data Connectors/Breaches/ZeroFoxThreatIntelligence_Breaches_PollerConfig.json Solutions/ZeroFox Threat Intelligence/Data Connectors/Breaches/ZeroFoxThreatIntelligence_Breaches_Table.json Solutions/ZeroFox Threat Intelligence/Data Connectors/Compromised Credentials/ZeroFoxThreatIntelligence_CompromisedCredentials_ConnectorDefinition.json Solutions/ZeroFox Threat Intelligence/Data Connectors/Compromised Credentials/ZeroFoxThreatIntelligence_CompromisedCredentials_DCR.json Solutions/ZeroFox Threat Intelligence/Data Connectors/Compromised Credentials/ZeroFoxThreatIntelligence_CompromisedCredentials_PollerConfig.json Solutions/ZeroFox Threat Intelligence/Data Connectors/Compromised Credentials/ZeroFoxThreatIntelligence_CompromisedCredentials_Table.json Solutions/ZeroFox Threat Intelligence/Data Connectors/Credit Cards/ZeroFoxThreatIntelligence_CreditCards_ConnectorDefinition.json Solutions/ZeroFox Threat Intelligence/Data Connectors/Credit Cards/ZeroFoxThreatIntelligence_CreditCards_DCR.json Solutions/ZeroFox Threat Intelligence/Data Connectors/Credit Cards/ZeroFoxThreatIntelligence_CreditCards_PollerConfig.json Solutions/ZeroFox Threat Intelligence/Data Connectors/Credit Cards/ZeroFoxThreatIntelligence_CreditCards_Table.json Solutions/ZeroFox Threat Intelligence/Data Connectors/Dark Web/ZeroFoxThreatIntelligence_DarkWeb_ConnectorDefinition.json Solutions/ZeroFox Threat Intelligence/Data Connectors/Dark Web/ZeroFoxThreatIntelligence_DarkWeb_DCR.json Solutions/ZeroFox Threat Intelligence/Data Connectors/Dark Web/ZeroFoxThreatIntelligence_DarkWeb_PollerConfig.json Solutions/ZeroFox Threat Intelligence/Data 
Connectors/Dark Web/ZeroFoxThreatIntelligence_DarkWeb_Table.json Solutions/ZeroFox Threat Intelligence/Data Connectors/Discord/ZeroFoxThreatIntelligence_Discord_ConnectorDefinition.json Solutions/ZeroFox Threat Intelligence/Data Connectors/Discord/ZeroFoxThreatIntelligence_Discord_DCR.json Solutions/ZeroFox Threat Intelligence/Data Connectors/Discord/ZeroFoxThreatIntelligence_Discord_PollerConfig.json Solutions/ZeroFox Threat Intelligence/Data Connectors/Discord/ZeroFoxThreatIntelligence_Discord_Table.json Solutions/ZeroFox Threat Intelligence/Data Connectors/Disruption/ZeroFoxThreatIntelligence_Disruption_ConnectorDefinition.json Solutions/ZeroFox Threat Intelligence/Data Connectors/Disruption/ZeroFoxThreatIntelligence_Disruption_DCR.json Solutions/ZeroFox Threat Intelligence/Data Connectors/Disruption/ZeroFoxThreatIntelligence_Disruption_PollerConfig.json Solutions/ZeroFox Threat Intelligence/Data Connectors/Disruption/ZeroFoxThreatIntelligence_Disruption_Table.json Solutions/ZeroFox Threat Intelligence/Data Connectors/Email Addresses/ZeroFoxThreatIntelligence_EmailAddresses_ConnectorDefinition.json Solutions/ZeroFox Threat Intelligence/Data Connectors/Email Addresses/ZeroFoxThreatIntelligence_EmailAddresses_DCR.json Solutions/ZeroFox Threat Intelligence/Data Connectors/Email Addresses/ZeroFoxThreatIntelligence_EmailAddresses_PollerConfig.json Solutions/ZeroFox Threat Intelligence/Data Connectors/Email Addresses/ZeroFoxThreatIntelligence_EmailAddresses_Table.json Solutions/ZeroFox Threat Intelligence/Data Connectors/Exploits/ZeroFoxThreatIntelligence_Exploits_ConnectorDefinition.json Solutions/ZeroFox Threat Intelligence/Data Connectors/Exploits/ZeroFoxThreatIntelligence_Exploits_DCR.json Solutions/ZeroFox Threat Intelligence/Data Connectors/Exploits/ZeroFoxThreatIntelligence_Exploits_PollerConfig.json Solutions/ZeroFox Threat Intelligence/Data Connectors/Exploits/ZeroFoxThreatIntelligence_Exploits_Table.json Solutions/ZeroFox Threat Intelligence/Data 
Connectors/Indicators/ZeroFoxThreatIntelligence_Indicators_ConnectorDefinition.json Solutions/ZeroFox Threat Intelligence/Data Connectors/Indicators/ZeroFoxThreatIntelligence_Indicators_DCR.json Solutions/ZeroFox Threat Intelligence/Data Connectors/Indicators/ZeroFoxThreatIntelligence_Indicators_PollerConfig.json Solutions/ZeroFox Threat Intelligence/Data Connectors/Indicators/ZeroFoxThreatIntelligence_Indicators_Table.json Solutions/ZeroFox Threat Intelligence/Data Connectors/Key Incidents/ZeroFoxThreatIntelligence_KeyIncidents_ConnectorDefinition.json Solutions/ZeroFox Threat Intelligence/Data Connectors/Key Incidents/ZeroFoxThreatIntelligence_KeyIncidents_DCR.json Solutions/ZeroFox Threat Intelligence/Data Connectors/Key Incidents/ZeroFoxThreatIntelligence_KeyIncidents_PollerConfig.json Solutions/ZeroFox Threat Intelligence/Data Connectors/Key Incidents/ZeroFoxThreatIntelligence_KeyIncidents_Table.json Solutions/ZeroFox Threat Intelligence/Data Connectors/National Ids/ZeroFoxThreatIntelligence_NationalIDs_DCR.json Solutions/ZeroFox Threat Intelligence/Data Connectors/National Ids/ZeroFoxThreatIntelligence_NationalIds_ConnectorDefinition.json Solutions/ZeroFox Threat Intelligence/Data Connectors/National Ids/ZeroFoxThreatIntelligence_NationalIds_PollerConfig.json Solutions/ZeroFox Threat Intelligence/Data Connectors/National Ids/ZeroFoxThreatIntelligence_NationalIds_Table.json Solutions/ZeroFox Threat Intelligence/Data Connectors/Physical Threats/ZeroFoxThreatIntelligence_PhysicalThreats_ConnectorDefinition.json Solutions/ZeroFox Threat Intelligence/Data Connectors/Physical Threats/ZeroFoxThreatIntelligence_PhysicalThreats_DCR.json Solutions/ZeroFox Threat Intelligence/Data Connectors/Physical Threats/ZeroFoxThreatIntelligence_PhysicalThreats_PollerConfig.json Solutions/ZeroFox Threat Intelligence/Data Connectors/Physical Threats/ZeroFoxThreatIntelligence_PhysicalThreats_Table.json Solutions/ZeroFox Threat Intelligence/Data 
Connectors/Telegram/ZeroFoxThreatIntelligence_Telegram_ConnectorDefinition.json Solutions/ZeroFox Threat Intelligence/Data Connectors/Telegram/ZeroFoxThreatIntelligence_Telegram_DCR.json Solutions/ZeroFox Threat Intelligence/Data Connectors/Telegram/ZeroFoxThreatIntelligence_Telegram_PollerConfig.json Solutions/ZeroFox Threat Intelligence/Data Connectors/Telegram/ZeroFoxThreatIntelligence_Telegram_Table.json Solutions/ZeroFox Threat Intelligence/Data Connectors/Vulnerabilities/ZeroFoxThreatIntelligence_Vulnerabilities_ConnectorDefinition.json Solutions/ZeroFox Threat Intelligence/Data Connectors/Vulnerabilities/ZeroFoxThreatIntelligence_Vulnerabilities_DCR.json Solutions/ZeroFox Threat Intelligence/Data Connectors/Vulnerabilities/ZeroFoxThreatIntelligence_Vulnerabilities_PollerConfig.json Solutions/ZeroFox Threat Intelligence/Data Connectors/Vulnerabilities/ZeroFoxThreatIntelligence_Vulnerabilities_Table.json Solutions/ZeroFox Threat Intelligence/Package/testParameters.json Solutions/ZeroFoxAlerts/Data Connectors/Alerts/ZeroFoxAlerts_ConnectorDefinition.json Solutions/ZeroFoxAlerts/Data Connectors/Alerts/ZeroFoxAlerts_DCR.json Solutions/ZeroFoxAlerts/Data Connectors/Alerts/ZeroFoxAlerts_PollerConfig.json Solutions/ZeroFoxAlerts/Data Connectors/Alerts/ZeroFoxAlerts_Table.json Solutions/ZeroFoxAlerts/Package/testParameters.json (packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_ZeroFoxAlerts.json, Solution_ZeroFox_Threat_Intelligence.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-05-05-pr-14055/","summary":"ZeroFox splits legacy connector into dedicated Alerts and Threat Intelligence solutions using modern CCF architecture with 17 specialized data streams.","title":"ZeroFox Digital Risk Protection: Complete CCF Migration with Dual Solution Architecture"},{"content":"What Changed Fixed Solutions Analyzer to properly deduplicate connectors in Codeless Connector Framework (CCF) v2 
solutions where azuredeploy wrapper files were creating synthetic duplicate connector IDs alongside real definition entries.\nRoot Cause In CCF v2 solutions, connector directories typically contain two files describing the same logical connector:\nDataConnectorDefinition.json: The actual connector definition with a literal ID field azuredeploy_*_poller_connector.json: An ARM deployment wrapper with a non-literal ID reference When the ARM template ID contains variables that cannot be resolved, the analyzer generates a synthetic ID from the connector title. This caused the same logical connector to appear twice in the output with different IDs.\nFix Implementation Added two-phase deduplication logic in map_solutions_connectors_tables.py:\nPhase 1: Track connector titles from non-azuredeploy files that have literal IDs, organized by parent directory and title.\nPhase 2: When processing azuredeploy files, skip any connector entries where:\nThe ID was generated (not literal) The same (directory, title) combination already exists from a definition file Validation Results Testing with the 1Password solution confirmed the fix removes only synthetic duplicates:\nconnectors.csv: 593 → 592 entries solutions_with_connectors.csv: 606 → 605 entries solutions_connectors_tables_mapping.csv: 1397 → 1396 entries solutions.csv: unchanged (no impact on solution counts) This ensures accurate connector counting for Content Hub solution analysis and prevents inflated connector metrics that could affect security program planning and vendor assessments.\nAffected Files Tools/Solutions Analyzer/map_solutions_connectors_tables.py ","permalink":"http://sentinelchangelog.net/posts/2026-05-05-pr-14184/","summary":"Solutions Analyzer was double-counting connectors in CCF v2 solutions due to azuredeploy wrapper files creating phantom duplicates.","title":"Solutions Analyzer: Fix Connector Overcount in CCF v2 Solutions"},{"content":"What Changed Updated MISP2Sentinel solution (v3.1.0) to fix 
critical table reference error in the Upload Indicators API connector. All KQL queries now correctly reference ThreatIntelIndicators instead of the deprecated ThreatIntelligenceIndicator table.\nSecurity Impact (Visibility \u0026amp; Fidelity) Critical Data Blind Spot Resolved: Deployments using MISP2Sentinel v3.0.0 had a complete ingestion failure for threat intelligence indicators. The connector was referencing the deprecated ThreatIntelligenceIndicator table instead of the current ThreatIntelIndicators table, causing:\nZero threat intelligence data ingestion from MISP sources Failed connectivity checks preventing detection of ingestion issues Broken sample queries returning no results Invalid metrics reporting showing no indicators received This was not a cosmetic fix — the table name mismatch caused the connector to fail at the query execution level, resulting in no MISP indicators being available for threat hunting or detection rules.\nAffected Components Fixed Connectivity criteria queries: Now properly validate MISP indicator ingestion Sample queries: Correctly retrieve MISP threat intelligence data Metrics collection: Accurately reports indicator reception rates Health monitoring: Properly detects when MISP data stops flowing Detection Surface Restored With this fix, MISP threat intelligence indicators are now properly ingested into Microsoft Sentinel, restoring visibility for:\nIOC matching against security events Threat hunting queries using MISP indicators Analytic rules leveraging threat intelligence data Timeline correlation of indicators with security incidents Organizations using MISP as a threat intelligence source should immediately upgrade to prevent continued detection blind spots.\nAffected Files Solutions/MISP2Sentinel/Data Connectors/MISP2SentinelConnector_UploadIndicatorsAPI.json (packaging artefacts: 3.1.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_MISP2Sentinel.json, mainTemplate.json) 
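The MISP2Sentinel fix above (and the GreyNoise post further down this page, which makes the same ThreatIntelligenceIndicator to ThreatIntelIndicators rename and also converts plain-text secret parameters to securestring) is the kind of defect a pre-merge lint over solution JSON catches before a release ships. The following is an added example, not code from the Azure-Sentinel repository or its Solutions Analyzer: it walks every string in a connector definition for the legacy table name and checks ARM template parameters whose names look like credentials but are not secure-typed. The sample connector fragment and template header are constructed, and the parameter names in them are assumptions.

```python
"""Lint Sentinel solution JSON for two defects seen on this page: KQL that still
names the legacy ThreatIntelligenceIndicator table, and ARM parameters that hold
secrets but are typed as plain 'string'. Added example, not repository code."""
import json
import re
from typing import Any, Iterator

# Legacy table name as a whole word; the replacement table is ThreatIntelIndicators.
LEGACY_TI_TABLE = re.compile(r"\bThreatIntelligenceIndicator\b")
# Parameter names that usually carry credentials.
SECRET_NAME = re.compile(r"(key|secret|token|password|passwd)", re.IGNORECASE)
SECURE_TYPES = {"securestring", "secureobject"}


def walk_strings(node: Any, path: str = "$") -> Iterator[tuple[str, str]]:
    """Yield (json_path, value) for every string anywhere in a JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for idx, value in enumerate(node):
            yield from walk_strings(value, f"{path}[{idx}]")
    elif isinstance(node, str):
        yield path, node


def find_legacy_table_refs(doc: Any) -> list[str]:
    """JSON paths of every string that still references the legacy TI table."""
    return [path for path, text in walk_strings(doc) if LEGACY_TI_TABLE.search(text)]


def find_plaintext_secret_params(template: dict) -> list[str]:
    """ARM parameters that look like credentials but are not securestring/secureObject.

    Plain 'string' parameter values are kept in the deployment history;
    secure-typed values are not returned by it."""
    findings = []
    for name, spec in template.get("parameters", {}).items():
        ptype = str(spec.get("type", "")).lower()
        if SECRET_NAME.search(name) and ptype not in SECURE_TYPES:
            findings.append(f"{name} (type={spec.get('type')!r})")
    return findings


def lint(doc: Any) -> list[str]:
    """Run both checks and return human-readable findings."""
    findings = [f"legacy table reference at {p}" for p in find_legacy_table_refs(doc)]
    if isinstance(doc, dict) and "parameters" in doc:
        findings += [f"plaintext secret parameter {p}" for p in find_plaintext_secret_params(doc)]
    return findings


# Constructed sample: a cut-down connector definition, not the real MISP2Sentinel file.
SAMPLE_CONNECTOR = json.loads("""
{
  "connectivityCriterias": [
    {"type": "IsConnectedQuery",
     "value": ["ThreatIntelligenceIndicator | where SourceSystem == 'MISP' | summarize max(TimeGenerated)"]}
  ],
  "sampleQueries": [
    {"description": "All MISP indicators", "query": "ThreatIntelIndicators | where SourceSystem == 'MISP'"}
  ]
}
""")

# Constructed sample: an ARM template header with one badly typed parameter (assumed names).
SAMPLE_TEMPLATE = {
    "parameters": {
        "FunctionName": {"type": "string"},
        "ApiKey": {"type": "string"},
        "ClientSecret": {"type": "securestring"},
    }
}

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONNECTOR) + lint(SAMPLE_TEMPLATE):
        print(finding)
```

The word-boundary match matters: `ThreatIntelIndicators` and the legacy `ThreatIntelligenceIndicator` differ by more than a plural, so a naive substring check on `ThreatIntel` would flag both.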
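Returning to the Solutions Analyzer post above on connector double-counting in CCF v2 solutions: the two-phase rule it describes is easy to get subtly wrong (dropping every azuredeploy entry, rather than only those with a generated ID whose (directory, title) pair a definition file already claims). The following added illustration, not the analyzer's own map_solutions_connectors_tables.py, implements the rule over constructed input; it assumes each connector file parses to a document with top-level "id" and "title" fields, and the synthetic ID scheme is a stand-in, since the real one is not described on this page.

```python
"""Two-phase de-duplication of CCF v2 connector entries, as described for the
Solutions Analyzer. Added illustration; input layout and synthetic-ID scheme
are assumptions, not the analyzer's code."""
import os
from typing import Iterable


def is_azuredeploy(path: str) -> bool:
    """ARM wrapper files in connector directories start with 'azuredeploy'."""
    return os.path.basename(path).lower().startswith("azuredeploy")


def is_literal_id(value) -> bool:
    """An ARM expression such as "[variables('x')]" cannot be resolved statically."""
    return isinstance(value, str) and not value.startswith("[")


def synthetic_id(title: str) -> str:
    """Stand-in for the analyzer's title-derived ID (assumed scheme)."""
    return "synthetic:" + "".join(ch for ch in title.lower() if ch.isalnum())


def connector_record(path: str, doc: dict) -> dict:
    literal = is_literal_id(doc.get("id"))
    return {
        "file": path,
        "dir": os.path.dirname(path),
        "title": doc["title"],
        "id": doc["id"] if literal else synthetic_id(doc["title"]),
        "id_is_literal": literal,
    }


def dedupe_connectors(files: Iterable[tuple[str, dict]]) -> list[dict]:
    records = [connector_record(p, d) for p, d in files]
    # Phase 1: (directory, title) pairs claimed by non-azuredeploy files with literal IDs.
    claimed = {(r["dir"], r["title"]) for r in records
               if not is_azuredeploy(r["file"]) and r["id_is_literal"]}
    # Phase 2: drop azuredeploy entries whose ID was generated AND whose
    # (directory, title) pair is already claimed; everything else is kept.
    kept = []
    for r in records:
        if (is_azuredeploy(r["file"]) and not r["id_is_literal"]
                and (r["dir"], r["title"]) in claimed):
            continue  # synthetic duplicate of a real definition
        kept.append(r)
    return kept


# Constructed sample directory (not a real solution): one definition file, two wrappers.
DIR = "Solutions/Contoso/Data Connectors/Contoso_CCF"
TITLE = "Contoso Events (via Codeless Connector Framework)"
SAMPLE_FILES = [
    (f"{DIR}/Contoso_DataConnectorDefinition.json",
     {"id": "ContosoCCF", "title": TITLE}),
    (f"{DIR}/azuredeploy_Contoso_poller_connector.json",       # duplicate: dropped
     {"id": "[variables('connectorId')]", "title": TITLE}),
    (f"{DIR}/azuredeploy_Contoso_extra_connector.json",        # no definition file: kept
     {"id": "[variables('connectorId')]", "title": "Contoso Extra Stream"}),
]

if __name__ == "__main__":
    for rec in dedupe_connectors(SAMPLE_FILES):
        print(rec["id"], "<-", rec["file"])
```

The third entry survives on purpose: a wrapper whose title no definition file claims is the only evidence of that connector, so dropping it would trade an overcount for an undercount.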
","permalink":"http://sentinelchangelog.net/posts/2026-05-05-pr-14091/","summary":"MISP threat intelligence connector was broken due to incorrect table reference — deployments had zero indicator ingestion until this fix.","title":"MISP2Sentinel: Critical Table Reference Fix for Upload Indicators API"},{"content":"What Changed New Microsoft Sentinel solution (v3.0.0) that integrates Vaikora AI agent behavioral signals with Microsoft Defender for Cloud. The solution includes a Logic App playbook for automated data ingestion and three Analytic Rules for threat detection.\nSolution Components Logic App Playbook (VaikoraToAzureSecurityCenter)\nPolls Vaikora API every 6 hours for high-risk and anomalous agent actions Uses Managed Identity authentication to Azure services Ingests filtered signals into Vaikora_SecurityAlerts_CL custom table Creates security alerts via Defender for Cloud Alerts REST API Three Analytic Rules\nHigh Severity Security Alerts: Detects critical/high severity AI agent events with immediate threat indicators Behavioral Anomaly Detection: Identifies statistical anomalies in agent behavior below critical thresholds but worth investigating Feed Outage Detection: Monitors for data ingestion failures (12+ hour gaps) indicating connectivity or authentication issues Detection Surface Unlocked This solution provides visibility into AI agent security risks including:\nMalware activity detection by AI agents Intrusion attempt identification Policy violation monitoring Behavioral baseline deviation alerts Agent compromise indicators The solution maps agent events to multiple MITRE ATT\u0026amp;CK tactics including Initial Access, Execution, Persistence, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, and Impact.\nEntity Mappings All Analytic Rules include comprehensive entity mappings for:\nIP addresses (source and destination) Host identifiers User accounts Process names File paths This enables 
full incident enrichment and correlation with other security data sources in Microsoft Sentinel.\nAffected Files .script/tests/KqlvalidationsTests/CustomTables/Vaikora_SecurityAlerts_CL.json .script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json Solutions/Vaikora-AzureSecurityCenter/Analytic Rules/Vaikora - Anomaly Detection.yaml Solutions/Vaikora-AzureSecurityCenter/Analytic Rules/Vaikora - Feed Outage Detection.yaml Solutions/Vaikora-AzureSecurityCenter/Analytic Rules/Vaikora - High Severity Security Alerts.yaml Solutions/Vaikora-AzureSecurityCenter/Playbooks/VaikoraToAzureSecurityCenter/azuredeploy.json (packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_VaikoraSecurityCenter.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-05-05-pr-13986/","summary":"New Vaikora solution enables real-time AI agent threat detection through automated security alert ingestion and behavioral anomaly monitoring.","title":"Vaikora AI Agent Security Monitoring for Defender for Cloud"},{"content":"What Changed The Threat Intelligence TAXII Export connector has transitioned from Preview to General Availability status. The connector title was updated to remove \u0026ldquo;(Preview)\u0026rdquo; branding, and the availability configuration was changed from preview state to production-ready status.\nSecurity Impact (Visibility \u0026amp; Fidelity) Production Microsoft Sentinel deployments can now officially use TAXII 2.1 export functionality for sharing STIX objects with external threat intelligence platforms and partners. 
Previously, organizations hesitant to use preview connectors in production had limited options for automated TI sharing workflows.\nThe GA status indicates Microsoft\u0026rsquo;s commitment to supporting this connector for production threat intelligence sharing scenarios, reducing operational risk for SOCs implementing automated TI distribution workflows.\nAffected Files Solutions/Threat Intelligence (NEW)/Data Connectors/template_ThreatIntelligenceTaxiiExport.json (packaging artefacts: 3.0.18.zip, ReleaseNotes.md, Solution_ThreatIntelligenceUpdated.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-05-05-pr-14189/","summary":"Microsoft\u0026rsquo;s TAXII Export connector for Threat Intelligence objects is now GA, removing preview limitations for production TI sharing workflows.","title":"Microsoft Threat Intelligence TAXII Export Connector Moves to General Availability"},{"content":"What Changed Version 3.2.0 of the Salesforce Service Cloud solution introduces a new SalesforceServiceCloudV3_CL table with expanded field coverage and adds multi-domain support to the CCF data connector.\nSecurity Impact (Visibility \u0026amp; Fidelity) The new V3 table includes \u0026ldquo;all fields from all events within the event log files\u0026rdquo; — significantly expanding telemetry coverage beyond the previous V2 implementation. 
This addresses potential data fidelity gaps where security-relevant fields may have been excluded from ingestion.\nThe multi-domain capability allows a single workspace to monitor Salesforce events across multiple organizational domains, improving visibility into complex enterprise environments where Salesforce instances span multiple business units or subsidiaries.\nEnhanced Data Collection New table: SalesforceServiceCloudV3_CL with comprehensive field mapping Multi-domain support: Single connector can now ingest from multiple Salesforce domains Updated parser: Automatically includes V3 data via union isfuzzy=true SalesforceServiceCloudV3_CL Backward compatibility: Existing V2 table ingestion continues alongside V3 Deployment Considerations Organizations already using Salesforce Service Cloud connector should review the enhanced field coverage to identify new detection opportunities. The connector now requires \u0026ldquo;Connector Alias\u0026rdquo; configuration for multi-domain deployments.\nAffected Files .script/tests/KqlvalidationsTests/CustomTables/SalesforceServiceCloud.json .script/tests/KqlvalidationsTests/CustomTables/SalesforceServiceCloudV3_CL.json Solutions/Salesforce Service Cloud/Data Connectors/SalesforceSentinelConnector_CCP/SalesforceServiceCloud_DCR.json Solutions/Salesforce Service Cloud/Data Connectors/SalesforceSentinelConnector_CCP/SalesforceServiceCloud_DataConnectorDefinition.json Solutions/Salesforce Service Cloud/Data Connectors/SalesforceSentinelConnector_CCP/SalesforceServiceCloud_PollingConfig.json Solutions/Salesforce Service Cloud/Data Connectors/SalesforceSentinelConnector_CCP/SalesforceServiceCloud_Tables.json Solutions/Salesforce Service Cloud/Parsers/SalesforceServiceCloud.yaml Tools/Create-Azure-Sentinel-Solution/common/createCCPConnector.ps1 (packaging artefacts: 3.2.0.zip, ReleaseNotes.md, Solution_TSalesforceCloudtemplateSpec.json, mainTemplate.json) 
","permalink":"http://sentinelchangelog.net/posts/2026-05-04-pr-14180/","summary":"Major connector upgrade introduces comprehensive event field collection and multi-tenant monitoring capabilities.","title":"Salesforce Service Cloud Connector: Enhanced Event Log Coverage and Multi-Domain Support"},{"content":"What Changed Microsoft Security Research published 2 new hunting queries targeting Teams-based social engineering attacks that leverage Remote Monitoring and Management (RMM) tools for initial access. Both queries are placed in dual locations to ensure availability in both Microsoft Sentinel and Microsoft Defender XDR Advanced Hunting.\nDetection Logic Hunt for RMM tool execution following Teams messages:\nPrimary data sources: MessageEvents (Teams messages) and DeviceProcessEvents Core logic: joins Teams message recipients with subsequent RMM tool execution (QuickAssist, AnyDesk, TeamViewer) within a 30-minute window using Entra account object ID correlation Entity types: Account, Device, Process Hunt for alerts correlated with Teams messages:\nPrimary data sources: MessageEvents, CloudAppEvents, AlertEvidence Core logic: correlates Teams message activity with downstream Defender alerts using three parallel identity matching branches (AccountObjectId, UPN, ChatThreadId) within configurable time windows Entity types: Account, Alert, Chat MITRE Mapping T1566 - Phishing: Detects Teams message-based lure delivery T1219 - Remote Access Software: Identifies RMM tool execution following social engineering T1078 - Valid Accounts: Covers compromised account activity patterns Security Impact These queries address the Storm-1811 / Black Basta attack pattern documented in Microsoft\u0026rsquo;s cross-tenant helpdesk impersonation research. 
SOC teams gain visibility into:\nTeams phishing campaigns leading to RMM tool deployment First-contact external chat patterns that precede security incidents Cross-platform correlation between collaboration tool activity and endpoint compromise signals Queries include tunable parameters for time windows and RMM tool lists to adapt to environment-specific attack patterns.\nAffected Files Hunting Queries/Microsoft 365 Defender/Email and Collaboration Queries/Microsoft Teams protection/Hunt for RMM tool execution following Teams messages.yaml Hunting Queries/Microsoft 365 Defender/Email and Collaboration Queries/Microsoft Teams protection/Hunt for alerts correlated with Teams messages.yaml Solutions/Microsoft Defender XDR/Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Hunt for RMM tool execution following Teams messages.yaml Solutions/Microsoft Defender XDR/Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Hunt for alerts correlated with Teams messages.yaml ","permalink":"http://sentinelchangelog.net/posts/2026-05-04-pr-14117/","summary":"Two new hunting queries detect Teams phishing campaigns that lure victims into launching remote access tools, addressing the Storm-1811 / Black Basta cross-tenant attack pattern.","title":"Teams Social Engineering Detection: New Hunting Queries for RMM-Based Attacks"},{"content":"What Changed Joe Sandbox solution updated to v3.0.1 addressing ARM template compatibility issues and improving playbook functionality. 
Updates include Azure Storage API version alignment and IOC handling improvements.\nSecurity Impact (Visibility \u0026amp; Fidelity) ARM template compatibility restored: Updated storage account API versions from deprecated versions to 2025-01-01 across all deployment templates — deployments using older API versions were likely failing with compatibility errors, preventing new installations.\nIOC processing logic fixed: Removed global INDICATOR_LIST variable and refactored IOC handling in JoeSandboxGetIOCs function — previous implementation had potential data leakage between function invocations and incorrect return handling that could cause IOC extraction failures.\nHash type mapping corrected: Updated hash type field mapping from underscore format (md5_hash, sha1_hash, sha256_hash) to standard format (md5, sha1, sha256) — this aligns with expected threat intelligence indicator format requirements.\nFunction reference fixes: Corrected case-sensitive variable references in Logic App templates (Functionappname to functionappName) — these template errors would cause deployment failures for new playbook installations.\nThis update primarily addresses deployment and operational reliability rather than introducing new detection capabilities.\nAffected Files Solutions/JoeSandbox/Data Connectors/JoeSandbox/const.py Solutions/JoeSandbox/Data Connectors/JoeSandbox/utils.py Solutions/JoeSandbox/Data Connectors/azuredeploy_JoeSandboxThreatIntelligenceFuncApp_AzureFunction_flex.json Solutions/JoeSandbox/Data Connectors/azuredeploy_JoeSandboxThreatIntelligenceFuncApp_AzureFunction_premium.json Solutions/JoeSandbox/Playbooks/CustomConnector/JoeSandboxEnrichment_FunctionAppConnector/JoeSandboxGetIOCs/app.py Solutions/JoeSandbox/Playbooks/CustomConnector/JoeSandboxEnrichment_FunctionAppConnector/JoeSandboxGetIOCs/utils.py Solutions/JoeSandbox/Playbooks/CustomConnector/JoeSandboxEnrichment_FunctionAppConnector/azuredeploy.json 
Solutions/JoeSandbox/Playbooks/JoeSandbox-Submit-File-Outlook-Attachment/azuredeploy.json Solutions/JoeSandbox/Playbooks/JoeSandbox-Submit-Url-Sentinel-Incident/azuredeploy.json (packaging artefacts: 3.0.1.zip, JoeSandboxConn.zip, JoeSandboxEnrichment.zip, ReleaseNotes.md, Solution_JoeSandbox.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-05-04-pr-14130/","summary":"Joe Sandbox solution updated to v3.0.1 with Azure template fixes, updated storage API versions, and improved IOC processing in playbooks.","title":"Joe Sandbox Solution: ARM Template Fixes and IOC Handling Improvements"},{"content":"What Changed Abnormal Security CCF connector updated to v3.0.1 with comprehensive table schema changes affecting all 9 event streams. Column naming conventions updated to match Microsoft Log Analytics auto-expansion behavior, and previously missing metadata columns added.\nSecurity Impact (Visibility \u0026amp; Fidelity) Column naming misalignment fix: All abx_body_* columns renamed to abx_body_abx_body_* across 9 event streams — queries referencing the original column names against CCF tables returned null for all rows. 
This was a data fidelity gap affecting any custom KQL queries built against the CCF connector.\nMissing metadata columns restored: Added abx_body_abx_metadata_event_type_s, abx_body_abx_metadata_timestamp_s, and abx_body_abx_metadata_trace_id_g columns — these fields were available in the Microsoft Log Analytics connector but missing from CCF tables, creating detection coverage gaps for correlation and timeline analysis.\nData type correction: Changed abx_metadata_timestamp from datetime to string type to match MLA behavior — queries expecting string format previously failed.\nThis change ensures CCF and MLA connector deployments present identical table schemas, eliminating detection logic differences between ingestion methods.\nAffected Files Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_DCR.json Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_table_AbnormalSecurityLogs.json Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_table_AbuseMailbox.json Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_table_AtoCase.json Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_table_AuditLog.json Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_table_Case.json Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_table_PostureChange.json Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_table_Remediation.json Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_table_ThreatLog.json Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_table_VendorCase.json Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/Sample Data/ABNORMAL_SECURITY_ABUSE_MAILBOX_CL.json Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/Sample 
Data/ABNORMAL_SECURITY_ATO_CASE_CL.json Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/Sample Data/ABNORMAL_SECURITY_AUDIT_LOG_CL.json Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/Sample Data/ABNORMAL_SECURITY_CASE_CL.json Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/Sample Data/ABNORMAL_SECURITY_POSTURE_CHANGE_CL.json Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/Sample Data/ABNORMAL_SECURITY_REMEDIATION_CL.json Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/Sample Data/ABNORMAL_SECURITY_THREAT_LOG_CL.json Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/Sample Data/ABNORMAL_SECURITY_VENDOR_CASE_CL.json Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/Sample Data/AbnormalSecurityLogs_CL.json (packaging artefacts: 3.0.1.zip, ReleaseNotes.md, Solution_AbnormalSecurity.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-05-04-pr-14124/","summary":"Abnormal Security CCF connector v3.0.1 fixes table column naming to match Microsoft Log Analytics output, restoring access to previously missing metadata fields.","title":"Abnormal Security CCF Connector: Schema Alignment Fixes Column Visibility Gaps"},{"content":"What Changed Fixed parameter name inconsistency in the Azure DevOps Audit Logs CCF connector configuration that was preventing the connector from functioning. The queryParameters keys were changed from \u0026ldquo;from\u0026rdquo;/\u0026ldquo;to\u0026rdquo; to \u0026ldquo;startTime\u0026rdquo;/\u0026ldquo;endTime\u0026rdquo; to match the corresponding StartTimeAttributeName/EndTimeAttributeName values.\nSecurity Impact (Visibility \u0026amp; Fidelity) This was a complete connector failure. Deployments running the previous version experienced zero audit log ingestion from Azure DevOps due to the parameter mismatch. 
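The Azure DevOps defect above is a self-consistency problem inside one polling config file: the start/end time attribute names must name keys that actually exist in queryParameters. That is cheap to check before a PR merges. The following is an added example, not code from the solution or from the CCF framework; the sample config is constructed, its endpoint and placeholder values are illustrative, and the camelCase attribute keys (startTimeAttributeName, endTimeAttributeName) are assumed, with the check tolerating either casing.

```python
"""Check that a CCF polling config's *TimeAttributeName values match keys in
queryParameters, and rename keys to repair a mismatch. Added example; the sample
config is constructed and the attribute casing is an assumption."""
import copy

TIME_ATTRS = ("startTimeAttributeName", "endTimeAttributeName")


def check_time_window_params(polling_config: dict) -> list[str]:
    """Each *TimeAttributeName must name a key present in queryParameters."""
    req = polling_config.get("request", {})
    by_lower = {k.lower(): v for k, v in req.items()}   # tolerate StartTimeAttributeName casing
    params = by_lower.get("queryparameters")
    problems = []
    if not isinstance(params, dict):
        return problems  # no query-string window to reconcile
    for attr in TIME_ATTRS:
        name = by_lower.get(attr.lower())
        if name is None:
            problems.append(f"{attr} is not set")
        elif name not in params:
            problems.append(
                f"{attr}={name!r} has no matching key in queryParameters {sorted(params)}")
    return problems


def rename_query_parameters(polling_config: dict, renames: dict) -> dict:
    """Return a copy with queryParameters keys renamed (for example from -> startTime)."""
    fixed = copy.deepcopy(polling_config)
    req = fixed["request"]
    key = next(k for k in req if k.lower() == "queryparameters")
    req[key] = {renames.get(k, k): v for k, v in req[key].items()}
    return fixed


# Constructed sample reproducing the mismatch: keys say from/to, attributes say startTime/endTime.
BROKEN = {
    "request": {
        "apiEndpoint": "https://audit.example/_apis/audit/auditlog",   # illustrative
        "httpMethod": "GET",
        "queryParameters": {"from": "WINDOW_START", "to": "WINDOW_END", "api-version": "7.1"},
        "startTimeAttributeName": "startTime",
        "endTimeAttributeName": "endTime",
    }
}
FIX = {"from": "startTime", "to": "endTime"}

if __name__ == "__main__":
    for problem in check_time_window_params(BROKEN):
        print("BROKEN:", problem)
    print("after rename:", check_time_window_params(rename_query_parameters(BROKEN, FIX)) or "ok")
```

The check deliberately treats a missing queryParameters block as fine, since some connectors pass the window in the body or path instead; it only fails when a window parameter is declared and cannot be found where it is declared to live.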
The CCF framework could not reconcile the time-window parameters, causing the connector to fail during configuration.\nPer PR discussion: deployments now show \u0026ldquo;Connected\u0026rdquo; status after applying this fix, confirming that the connector was previously non-functional and audit visibility has been restored.\nData Source Azure DevOps audit logs provide visibility into:\nProject and organization-level configuration changes User access and permission modifications Pipeline and repository security events Administrative actions across Azure DevOps services This connector failure represented a complete blind spot for Azure DevOps security monitoring in affected deployments.\nAffected Files Solutions/AzureDevOpsAuditing/Data Connectors/AzureDevOpsAuditLogs_CCP/AzureDevOpsAuditLogs_PollingConfig.json (packaging artefacts: 3.0.9.zip, ReleaseNotes.md, Solution_AzureDevOpsAuditing.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-05-04-pr-14090/","summary":"Critical configuration fix resolves parameter name mismatch that prevented Azure DevOps audit log ingestion entirely.","title":"Azure DevOps Auditing: Fixing Broken Connector After Parameter Mismatch"},{"content":"What Changed The CrowdStrike Falcon Data Replicator (CrowdStrike Managed AWS-S3) connector was restored from deprecated status after Microsoft determined that it serves a distinct deployment use case from the standard AWS S3 connector.\nSecurity Impact (Visibility \u0026amp; Fidelity) The Function App-based CrowdStrike connector was incorrectly marked as deprecated in v3.3.3, potentially leading SOC teams to believe this ingestion path was being phased out. 
The reversion clarifies that:\nCrowdStrike Falcon Data Replicator (AWS S3) targets self-managed AWS S3 buckets CrowdStrike Falcon Data Replicator (CrowdStrike Managed AWS-S3) targets CrowdStrike-managed storage with Key/Secret authentication Both connectors remain actively supported for their respective deployment scenarios. Teams using the Function App-based connector should continue normal operations — no migration or replacement is required.\nAffected Files Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CrowdstrikeReplicatorV2_ConnectorUI.json (packaging artefacts: 3.3.4.zip, ReleaseNotes.md, Solution_CrowdStrike.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-05-01-pr-14174/","summary":"CrowdStrike\u0026rsquo;s Function App-based data replicator was incorrectly deprecated and has been restored to active status to maintain government deployment support.","title":"CrowdStrike Falcon Data Replicator: Incorrect Deprecation Reversed, Connector Restored to Active Status"},{"content":"What Changed Fixed critical deployment issues in the Upwind cloud security connector that prevented the Azure Function App from deploying correctly. The fix restructured the Function App package and ARM template configuration.\nSecurity Impact (Visibility \u0026amp; Fidelity) Deployments using version 3.0.1 experienced Function App deployment failures, resulting in zero data ingestion from the Upwind cloud security platform. 
The connector was unable to fetch compute platform assets into the UpwindLogsAssets_CL table, creating a complete visibility gap for Upwind security events.\nPer PR discussion and test plan: users deploying via the \u0026ldquo;Deploy to Azure\u0026rdquo; button were unable to get the function code to deploy correctly, blocking all data collection from the Upwind platform.\nTechnical Details ARM Template Fix: Removed separate Microsoft.Web/serverfarms resource and configured the Function App to use implicit hosting plan with alwaysOn and reserved properties Package Structure Fix: Restructured UpwindLogsLoader.zip to flat layout (removed deployment/ prefix) and removed pre-compiled macOS packages Reference Links: Restored official aka.ms short links for deployment and package references Version Bump: Updated to v3.0.2 and repackaged via createSolutionV3.ps1 Affected Files Solutions/Upwind/Data Connectors/azuredeploy_UpwindLogsLoader_API_FunctionApp.json (packaging artefacts: 3.0.2.zip, ReleaseNotes.md, Solution_UpwindLogsLoader.json, UpwindLogsLoader.zip, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-05-01-pr-14158/","summary":"Upwind connector Function App deployment was failing due to incorrect zip structure and ARM template configuration - fixed with flat zip layout and implicit hosting plan.","title":"Upwind Connector: Function App Deployment Fixed After Broken Code Deployment"},{"content":"What Changed Updated GreyNoise Threat Intelligence connector v3.1.1 with packaging fixes, security improvements, and table name updates:\nFixed Function App packaging error with outdated aka.ms URL reference Updated ARM template to use securestring for API key and client secret parameters Enhanced error logging in the Python connector code Updated connector configuration and workbooks to reference the new ThreatIntelIndicators table Fixed typo in class name and improved HTTP error handling Security Impact (Visibility \u0026amp; Fidelity) The primary 
impact is operational reliability rather than detection coverage. Key improvements:\nDeployment Security: ARM template now properly protects sensitive parameters (API keys, client secrets) using securestring type instead of plain text Packaging Reliability: Fixed broken Function App deployment URL that would cause installation failures for new deployments Table Schema Alignment: Updated queries and workbooks to use the current ThreatIntelIndicators table instead of the legacy ThreatIntelligenceIndicator table Existing deployments continue to function, but new installations on v3.1.0 and earlier would fail due to the packaging URL issue.\nAffected Files Solutions/GreyNoiseThreatIntelligence/Data Connectors/GreyNoiseAPISentinelConnector/main.py Solutions/GreyNoiseThreatIntelligence/Data Connectors/GreyNoiseConnector_UploadIndicatorsAPI.json Solutions/GreyNoiseThreatIntelligence/Data Connectors/azuredeploy_Connector_GreyNoiseAPISentinel_AzureFunction.json Solutions/GreyNoiseThreatIntelligence/Workbooks/GreyNoiseOverview.json (packaging artefacts: 3.1.1.zip, GreyNoiseAPISentinelConn.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_GreyNoise.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-30-pr-14032/","summary":"Fixed Function App deployment packaging errors and improved security by converting ARM template secrets to secure strings.","title":"GreyNoise Threat Intelligence: Packaging Fixes and Security Improvements"},{"content":"What Changed Fixed critical DCR transformKql errors and corrected invalid field data types in the Cloudflare CCF connector. The DCR definition, table schema, and validation tests have been updated to properly handle the Type field and resolve data type mismatches.\nSecurity Impact (Visibility \u0026amp; Fidelity) Deployments running Cloudflare CCF v3.0.1 and earlier experienced complete data ingestion failure for this connector. 
The transformKql error in the DCR prevented the connector from processing logs at the ingestion layer — zero Cloudflare data reached the CloudflareV2_CL table in affected environments.\nThis represents a critical detection blind spot for organizations relying on Cloudflare visibility including:\nWeb application attacks and bot detection DNS query monitoring and threat hunting Network-layer security events Access control and authentication events Technical Details The DCR transformation logic has been corrected to properly map the Type field from Cloudflare source data. Multiple field data type definitions were updated across the table schema to align with the actual data structure from Cloudflare APIs. End-to-end testing confirms successful log ingestion to Log Analytics workspace.\nAffected Files .script/tests/KqlvalidationsTests/CustomTables/CloudflareV2_CL.json Solutions/Cloudflare CCF/Data Connectors/CloudflareLog_CCF/CloudflareLog_DCR.json Solutions/Cloudflare CCF/Data Connectors/CloudflareLog_CCF/CloudflareLog_Table.json (packaging artefacts: 3.0.2.zip, ReleaseNotes.md, Solution_Cloudflare.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-30-pr-14115/","summary":"Fixed DCR transformKql failures for Type field and invalid data types that were preventing Cloudflare log ingestion.","title":"Cloudflare Connector: Critical DCR Fix Restores Data Ingestion After Field Mapping Failures"},{"content":"What Changed Renamed analytic rule from \u0026ldquo;BruteForceCloudPC\u0026rdquo; to \u0026ldquo;BruteForceAgainstEntraAuthenticatedWindowsDevice\u0026rdquo; with updated display name and description. No detection logic, thresholds, or KQL queries were modified.\nDetection Logic KQL logic unchanged — YAML diff shows only metadata updates. 
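The detection pattern the renamed rule keeps, a burst of failed sign-ins followed by a successful one against the same Windows device, is worth seeing outside KQL because the easy implementation (count failures per user) misses the ordering constraint. The following is an added Python illustration over constructed sign-in records, not the rule's KQL; the failure threshold, the lookback window, and the flattened field names (DeviceName in place of the SigninLogs DeviceDetail fields) are assumptions, since the page does not state the rule's own values.

```python
"""Failures-then-success sign-in pattern over constructed SigninLogs-style records.
Added illustration; threshold, window and field names are assumptions, not the
analytic rule's own values."""
from bisect import bisect_left
from collections import defaultdict
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 10          # assumed; the rule's threshold is not on this page
WINDOW = timedelta(minutes=20)  # assumed lookback before the successful sign-in


def ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def brute_force_then_success(signins, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return one alert per (user, device) with >= threshold failures in the
    `window` immediately preceding a successful sign-in (ResultType "0")."""
    failures, successes = defaultdict(list), defaultdict(list)
    for rec in signins:
        key = (rec["UserPrincipalName"], rec["DeviceName"])
        bucket = successes if rec["ResultType"] == "0" else failures
        bucket[key].append(ts(rec["TimeGenerated"]))
    alerts = []
    for key, ok_times in successes.items():
        fails = sorted(failures.get(key, []))
        for t in sorted(ok_times):
            lo = bisect_left(fails, t - window)   # first failure inside the window
            hi = bisect_left(fails, t)            # failures strictly before the success
            if hi - lo >= threshold:
                alerts.append({"UserPrincipalName": key[0], "DeviceName": key[1],
                               "FailedAttempts": hi - lo, "SuccessTime": t.isoformat()})
                break
    return alerts


def make_signins(upn, device, first, n_fail, success_at=None):
    """Constructed sample: n_fail failures one minute apart, then an optional success.
    ResultType 50126 is the Entra code for invalid username or password."""
    t0 = ts(first)
    recs = [{"UserPrincipalName": upn, "DeviceName": device, "ResultType": "50126",
             "TimeGenerated": (t0 + timedelta(minutes=i)).isoformat()} for i in range(n_fail)]
    if success_at:
        recs.append({"UserPrincipalName": upn, "DeviceName": device, "ResultType": "0",
                     "TimeGenerated": success_at})
    return recs


SIGNINS = (
    make_signins("alice@contoso.example", "WS-01", "2026-04-30T09:00:00+00:00", 12, "2026-04-30T09:15:00+00:00")  # alert
    + make_signins("bob@contoso.example", "WS-02", "2026-04-30T09:00:00+00:00", 3, "2026-04-30T09:05:00+00:00")   # below threshold
    + make_signins("carol@contoso.example", "WS-03", "2026-04-30T09:00:00+00:00", 15)                              # never succeeded
    + make_signins("dave@contoso.example", "WS-04", "2026-04-30T08:00:00+00:00", 12, "2026-04-30T09:00:00+00:00")  # failures too old
)

if __name__ == "__main__":
    for alert in brute_force_then_success(SIGNINS):
        print(alert)
```

Carol's 15 failures with no success never alert here, which is the same design choice as the rule: a pure failure burst is noise from a locked-out user or a stale credential, while failures that end in a success are the case worth an incident.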
The rule continues to detect multiple authentication failures followed by successful authentication within a time window against Windows devices via SigninLogs data.\nScope Clarification The updated name and description now explicitly reflect that this detection covers all Entra-authenticated Windows devices:\nEntra-joined devices Hybrid-joined devices Windows 365 Cloud PCs Previous naming suggested Cloud PC exclusivity, creating confusion about detection coverage. This change resolves the ambiguity without altering the underlying detection capability.\nAffected Files Solutions/Microsoft Entra ID/Analytic Rules/BruteForceAgainstanEntraAuthenticatedWindowsDevice.yaml (packaging artefacts: 3.3.12.zip, ReleaseNotes.md, Solution_AAD.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-30-pr-14162/","summary":"Analytic rule renamed from Cloud PC-specific to cover all Entra-authenticated Windows devices, clarifying detection scope without logic changes.","title":"Entra ID Brute Force Detection: Renamed for Broader Windows Device Coverage"},{"content":"Affected Files DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin/CHANGELOG.md DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin/README.md ","permalink":"http://sentinelchangelog.net/posts/2026-04-30-pr-14164/","summary":"Version bump to 2.1.1 with efficiency improvements noted but no connector logic changes.","title":"Logstash Output Plugin: Documentation Update for Version 2.1.1"},{"content":"What Changed New Logic App Playbook solution (v3.0.0) integrating Vaikora AI agent behavioral monitoring with CrowdStrike Falcon Custom IOC management. 
This is a novel AI security automation approach.\nPlaybook Logic The VaikoraToCrowdStrike_Playbook.json implements:\nScheduled polling: Queries Vaikora GET /api/v1/actions API every 6 hours (configurable) Risk filtering: Captures actions where risk_level is high or critical, or where is_anomaly is true CrowdStrike integration: OAuth2 authentication to push Custom IOCs via POST /iocs/entities/indicators/v1 Signal Mapping \u0026amp; IOC Creation Risk level translation:\ncritical → CrowdStrike severity: critical, action: prevent high → CrowdStrike severity: high, action: detect medium/low → CrowdStrike severity: medium, action: detect IOC type resolution from Vaikora action fields:\nip_address or target_ip → ipv4 IOC url or target_url → url IOC Fallback → domain IOC Automatic tagging includes vaikora, ai-agent-security, data443 (always), plus conditional tags ai-agent-anomaly and ai-threat-detected.\nSecurity Impact This introduces AI-driven threat intelligence sourcing for CrowdStrike deployments. Organizations using Vaikora for AI agent monitoring can now automatically translate behavioral anomalies into preventive IOCs across their endpoint infrastructure. 
The external_id field (vaikora-{action_id}) ensures deduplication.\nPublisher: Data443 Risk Mitigation, Inc.\nAffected Files Solutions/Vaikora-CrowdStrike-ThreatIntelligence/Package/testParameters.json Solutions/Vaikora-CrowdStrike-ThreatIntelligence/Playbooks/Images/playbook-create-basics.png Solutions/Vaikora-CrowdStrike-ThreatIntelligence/Playbooks/Images/playbook-create-parameters.png Solutions/Vaikora-CrowdStrike-ThreatIntelligence/Playbooks/Images/playbook-deployed-overview.png Solutions/Vaikora-CrowdStrike-ThreatIntelligence/Playbooks/Images/playbook-deployed.png Solutions/Vaikora-CrowdStrike-ThreatIntelligence/Playbooks/Images/playbook-template-detail.png Solutions/Vaikora-CrowdStrike-ThreatIntelligence/Playbooks/README.md Solutions/Vaikora-CrowdStrike-ThreatIntelligence/Playbooks/VaikoraToCrowdStrike_Playbook.json (packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_VaikoraCrowdStrike.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-30-pr-13984/","summary":"Logic App Playbook introduced to poll Vaikora AI agent signals and push high-risk actions as Custom IOCs to CrowdStrike Falcon for automated threat prevention.","title":"New Vaikora-CrowdStrike Integration: AI Agent Behavioral Signals to Custom IOCs"},{"content":"What Changed ZoomReports v3.0.9 modifies the Cloud Recording API polling configuration in the CCF connector:\nPolling interval reduced from 2880 minutes (2 days) to 1440 minutes (1 day) Added 1440-minute (1-day) delay via queryWindowDelayInMin parameter Maintains 2 QPS rate limiting and existing timeout/retry settings Security Impact (Visibility \u0026amp; Fidelity) This change addresses data quality issues affecting Zoom cloud recording visibility. 
Previously, the 2-day polling window without delay caused duplicate log ingestion, potentially impacting:\nAlert fatigue from duplicate Zoom recording access events Inaccurate metrics in hunting queries counting recording downloads Detection rule effectiveness when deduplication logic is required The 1-day polling window with 1-day delay ensures each recording event is captured once, improving data fidelity for security monitoring of Zoom cloud storage access patterns and potential data exfiltration scenarios.\nAffected Files Solutions/ZoomReports/Data Connectors/ZoomReports_ccf/PollingConfig.json (packaging artefacts: 3.0.9.zip, ReleaseNotes.md, Solution_ZoomReports.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-29-pr-14169/","summary":"Updates polling interval from 2-day to 1-day window with 1-day delay to eliminate duplicate Zoom cloud recording logs.","title":"ZoomReports: Cloud Recording API Polling Optimized to Reduce Data Duplication"},{"content":"What Changed Visa Threat Intelligence (VTI) solution v3.0.4 updates ARM template URL variable handling from deprecated concat function to uri function. This change affects the mainTemplate.json deployment template and associated packaging artifacts.\nSecurity Impact No functional impact on threat intelligence ingestion or detection capabilities. This is a packaging maintenance change required for Azure Marketplace certification compliance. 
Existing deployments continue operating normally.\nThe ARM template standardization ensures consistent URL handling across Azure resource deployments but does not alter the VTI connector threat intelligence feed processing or data ingestion mechanisms.\nAffected Files (packaging artefacts: 3.0.4.zip, ReleaseNotes.md, Solution_VTI.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-29-pr-14167/","summary":"Replaces deprecated concat with uri function in ARM template to meet Azure certification requirements.","title":"Visa Threat Intelligence: ARM Template Certification Fix"},{"content":"What Changed The Qualys VM Knowledge Base connector has been promoted from Preview to General Availability status. This change includes configuration updates to support production deployment and enhanced monitoring capabilities.\nSecurity Impact (Visibility \u0026amp; Fidelity) Organizations can now deploy the Qualys KB connector in production environments to ingest vulnerability intelligence data. 
The connector provides access to Qualys vulnerability knowledge base entries, enabling correlation of detected vulnerabilities with comprehensive threat intelligence.\nKey improvements in this GA release:\nProduction support tier (Microsoft-supported) Enhanced monitoring with new parser-based metrics tracking Reduced timeout settings (60s → 30s) for improved reliability Full API v4.0 compatibility (from previous v3.1.1 update) The connector populates the QualysKB table with vulnerability knowledge base entries, enabling security teams to:\nCorrelate vulnerability scan results with detailed threat intelligence Enrich security alerts with vulnerability severity and exploitability data Support vulnerability management workflows with authoritative knowledge base data Organizations running Preview versions should upgrade to benefit from Microsoft production support and enhanced monitoring capabilities.\nAffected Files Solutions/Qualys VM Knowledgebase/Data Connectors/QualysKB_ccf/QualysKB_ConnectorDefinition.json Solutions/Qualys VM Knowledgebase/Data Connectors/QualysKB_ccf/QualysKB_PollingConfig.json (packaging artefacts: 3.1.2.zip, ReleaseNotes.md, Solution_QualysKBtemplateSpec.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-29-pr-14168/","summary":"Qualys Knowledge Base connector moves from Preview to General Availability, providing production-grade vulnerability intelligence ingestion with enhanced monitoring capabilities.","title":"Qualys KB Connector Now GA: Production-Ready Vulnerability Intelligence"},{"content":"What Changed New Microsoft Sentinel solution v3.0.0 from Data443 Risk Mitigation introduces the \u0026ldquo;Vaikora-SentinelOne-ThreatIntelligence\u0026rdquo; solution, containing a Logic App playbook that polls Vaikora AI agent security signals and pushes high-severity indicators to SentinelOne threat intelligence.\nPlaybook Integration VaikoraToSentinelOne_Playbook.json creates a scheduled Logic App (default: every 
6 hours) that:\nPolls Vaikora GET /api/v1/actions endpoint for high-risk and anomalous agent actions Maps risk scores to SentinelOne severity levels (75-89 → high, 90+ → critical) Pushes IOC indicators via POST /web/api/v2.1/threat-intelligence/iocs Auto-creates \u0026ldquo;Vaikora IOC Detection\u0026rdquo; STAR rule if not present Authentication \u0026amp; Configuration Requires securestring parameters for:\nVaikoraApiKey (X-API-Key header authentication) SentinelOne_ApiToken and SentinelOne_AccountId SentinelOne_BaseUrl (e.g., https://usea1.sentinelone.net) IOC types determined from signal indicators (IPv4/IPv6), with 90-day expiration mode and threat context from anomaly detection flags.\nDetection Surface Enables SOC teams to leverage Vaikora AI behavioral analysis for endpoint threat intelligence in SentinelOne environments, bridging AI-driven agent security monitoring with existing EDR workflows.\nAffected Files Solutions/Vaikora-SentinelOne-ThreatIntelligence/Playbooks/VaikoraToSentinelOne_Playbook.json (packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_VaikoraSentinelOne.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-29-pr-13985/","summary":"Data443 introduces Vaikora AI agent behavioral signal integration with SentinelOne threat intelligence via a 6-hour polling playbook.","title":"Vaikora AI Security: New Logic App Playbook for SentinelOne Threat Intelligence Integration"},{"content":"What Changed New Microsoft Sentinel solution for Spur Context API integration, providing high-fidelity IP intelligence capabilities for security operations.\nData Source Spur Context API delivers hosted high-performance IP enrichment lookups tracking:\nHundreds of millions of active anonymous IPs across 1,000+ VPN and proxy services Real-time updates on anonymization infrastructure and behavioral changes 20+ enrichment attributes per IP including geography, ASN, proxy/VPN attribution, 
device/connection type, and tunnel entry/exit context Security Impact Addresses detection blind spots around sophisticated evasion techniques:\nVPN Detection: Identifies traffic from virtual private networks used to obscure origin Residential Proxy Detection: Detects legitimate residential IPs being used as proxy infrastructure Bot Automation: Flags automated traffic attempting to appear legitimate Content Delivered Custom Connector: Provides three core actions:\nGet IP Context: Returns intelligence and risk context for IP addresses Get Tag Metadata: Retrieves provider/service tag information Check API Token Status: Monitors quota and service tier Playbooks (2):\nAlert Trigger: Enriches IP entities in new alerts, adds context as incident comments, optionally saves to Log Analytics custom table Incident Trigger: Same enrichment capabilities triggered on incident creation Deployment Requirements Spur API key Azure App Registration for authentication Data Collection Rule and Endpoint configuration for optional log storage ARM template deployment for custom connector and playbooks Affected Files Logos/Spur_Context_API.svg Solutions/Spur/Images/Spur.png Solutions/Spur/Package/testParameters.json Solutions/Spur/Playbooks/CustomConnector/azuredeploy.json Solutions/Spur/Playbooks/CustomConnector/readme.md Solutions/Spur/Playbooks/Spur-Get-IP-Context-Data-Alert-Trigger/azuredeploy.json Solutions/Spur/Playbooks/Spur-Get-IP-Context-Data-Alert-Trigger/images/comments.png Solutions/Spur/Playbooks/Spur-Get-IP-Context-Data-Alert-Trigger/images/custom_table.png Solutions/Spur/Playbooks/Spur-Get-IP-Context-Data-Alert-Trigger/images/deployment.png Solutions/Spur/Playbooks/Spur-Get-IP-Context-Data-Alert-Trigger/readme.md Solutions/Spur/Playbooks/Spur-Get-IP-Context-Data-Incident-Trigger/azuredeploy.json Solutions/Spur/Playbooks/Spur-Get-IP-Context-Data-Incident-Trigger/images/comments.png Solutions/Spur/Playbooks/Spur-Get-IP-Context-Data-Incident-Trigger/images/custom_table.png 
Solutions/Spur/Playbooks/Spur-Get-IP-Context-Data-Incident-Trigger/images/deployment.png Solutions/Spur/Playbooks/Spur-Get-IP-Context-Data-Incident-Trigger/images/post_deployment_connections.png Solutions/Spur/Playbooks/Spur-Get-IP-Context-Data-Incident-Trigger/readme.md Solutions/Spur/readme.md (packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_Spur.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-29-pr-14148/","summary":"New solution provides real-time IP enrichment to detect VPN, residential proxy, and bot automation traffic in incidents and alerts.","title":"New Spur Context API Solution: High-Fidelity IP Intelligence for VPN and Proxy Detection"},{"content":"What Changed The Qualys VM CCF connector has been updated to use Qualys VM API version 5.0, migrating from the previously used version 3.0. This change affects both the API endpoint URL and documentation references in the connector definition.\nSecurity Impact (Visibility \u0026amp; Fidelity) Critical timeline dependency: The Qualys VM API v3.0 will be deprecated in June 2025. Deployments that do not upgrade before the deprecation date will experience complete data ingestion failure for Qualys VM vulnerability data - creating a blind spot for vulnerability management visibility in Microsoft Sentinel.\nThe API version change itself maintains the same data schema and ingestion mechanism. 
No vulnerability detection data will be lost during the transition, but failure to deploy this update before June will result in zero vulnerability data flowing from Qualys VM into the Custom-QualysVM stream.\nConnector Details API Endpoint Updated: /api/3.0/fo/asset/host/vm/detection/ → /api/5.0/fo/asset/host/vm/detection/ Ingestion Stream: Custom-QualysVM (DCR-based) Rate Limiting: Unchanged (1 QPS) Authentication: No changes to credential requirements Documentation: Updated Host Detection API reference links to v5.0 Affected Files Solutions/QualysVM/Data Connectors/QualysVMHostLogs_ccp/QualysVMHostLogs_ConnectorDefinition.json Solutions/QualysVM/Data Connectors/QualysVMHostLogs_ccp/QualysVMHostLogs_PollingConfig.json (packaging artefacts: 3.0.8.zip, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-28-pr-14160/","summary":"Qualys VM connector upgraded from API v3.0 to v5.0 to prevent June deprecation cutoff impacting vulnerability data ingestion.","title":"Qualys VM Connector: API Version 5.0 Migration Before Deprecation"},{"content":"What Changed ZoomReports CCF connector v3.0.8 transitions from Public Preview to GA with significant parser and ingestion improvements. 
The connector now supports a new ZoomV2_CL table alongside the existing Zoom_CL table.\nParser Impact Parser version upgraded from 1.0.0 to 2.0.0 with expanded dual-table support:\nLegacy support: Continues parsing Zoom_CL table data using existing field mappings New schema: Adds ZoomV2_CL table parsing with improved field coverage including CustomAttributes, CallInNumber, CountryName, Duration, EndTime, HostEmail, HostId, MeetingId, MeetingType, PhoneNumber, and meeting timing fields Unified output: Uses union operation to combine data from both tables into standardised field schema The parser maintains backward compatibility — existing detections using this parser will continue to function while gaining access to enhanced field coverage from new deployments.\nConnector Configuration Removed Preview status flag (isPreview: false) Updated cloud recording polling window from 60 to 2880 minutes (48 hours) Minor event name formatting changes (added periods) Affected Files Solutions/ZoomReports/Data Connectors/ZoomReports_ccf/ConnectorDefinition.json Solutions/ZoomReports/Data Connectors/ZoomReports_ccf/PollingConfig.json Solutions/ZoomReports/Data Connectors/ZoomReports_ccf/table_ZoomV2.json Solutions/ZoomReports/Parsers/Zoom.yaml (packaging artefacts: 3.0.8.zip, ReleaseNotes.md, Solution_ZoomReports.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-28-pr-14146/","summary":"ZoomReports CCF connector transitions to GA with parser supporting dual-table ingestion and expanded field coverage.","title":"Zoom Connector GA Release: Enhanced Data Ingestion with New Table Schema"},{"content":"What Changed The Microsoft Sentinel Training Lab deployment script was updated to retry detection rule creation on any KQL syntax errors, not just OktaV2_CL table errors. 
The fix broadens error handling to cover scenarios where custom connector tables have not yet been created during lab initialization.\nSecurity Impact Silent deployment failures resolved: The script previously only retried for OktaV2_CL table errors, meaning detection rules targeting other custom tables (GCP, AWS, third-party connectors) would fail silently during deployment. SOC analysts completing the lab exercises would unknowingly have incomplete detection coverage, creating false confidence in their detection stack.\nExercise improvements include corrected ThreatIntelIndicators schema queries, updated automation rules targeting analytics rules instead of custom detections, and a new Exercise 17 covering cross-source attack chain graphs linking CrowdStrike, Palo Alto, Okta, AWS, GCP, and MailGuard data.\nAffected Files Tools/Microsoft-Sentinel-Training-Lab/Artifacts/Scripts/DeployDetectionRules.ps1 Tools/Microsoft-Sentinel-Training-Lab/Exercises/E02_threat_intelligence_mdti.md Tools/Microsoft-Sentinel-Training-Lab/Exercises/E04_automation_rules.md Tools/Microsoft-Sentinel-Training-Lab/Exercises/E05_device_isolation_response.md Tools/Microsoft-Sentinel-Training-Lab/Exercises/E06_port_scan_threshold_tuning.md Tools/Microsoft-Sentinel-Training-Lab/Exercises/E09_cost_management.md Tools/Microsoft-Sentinel-Training-Lab/Exercises/E17_custom_graph.md Tools/Microsoft-Sentinel-Training-Lab/Exercises/Onboarding.md Tools/Microsoft-Sentinel-Training-Lab/GraphNotebook/GraphNotebookReadme.md Tools/Microsoft-Sentinel-Training-Lab/GraphNotebook/cross_source_attack_chain_graph.ipynb Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage43.png Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage44.png Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage45.png Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage46.png Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage47.png Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage48.png 
Tools/Microsoft-Sentinel-Training-Lab/README.md ","permalink":"http://sentinelchangelog.net/posts/2026-04-28-pr-14118/","summary":"Lab deployment script now retries on any table syntax errors, not just OktaV2_CL — prevents silent deployment failures.","title":"Training Lab: Fixed Detection Rule Deployment Script Resilience"},{"content":"What Changed The Okta session impersonation detection rule was updated to use the OktaSSO parser instead of directly querying the legacy Okta_CL table. This change restores detection capability after the Okta connector migration to the CCF-based data source.\nDetection Logic The rule queries OktaSSO parser data and filters for eventType_s == user.session.impersonation.initiate with successful outcomes. It extracts actor details from the target_s JSON array and maps Account and IP entities for correlation. Version bumped from 1.0.0 to 1.1.0.\nSecurity Impact Critical detection gap fixed: Per the PR description, without the change the query does not take effect for the latest version of the data connector, which writes its log and event data into the OktaV2_CL table. 
Deployments running Okta CCF connector had zero visibility into privileged session impersonation attempts — a significant blind spot for detecting credential abuse and privilege escalation via T1134 (Access Token Manipulation).\nMITRE Mapping T1134 - Access Token Manipulation T1134.003 - Make and Impersonate Token Affected Files Solutions/Okta Single Sign-On/Analytic Rules/UserSessionImpersonation.yaml (packaging artefacts: 3.1.7.zip, ReleaseNotes.md, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-28-pr-14137/","summary":"Critical Okta detection was broken after connector migration — now uses OktaSSO parser to restore session impersonation monitoring.","title":"Okta Detection Rule: Fixed Blind Spot After Connector Migration to OktaV2_CL"},{"content":"What Changed Seraphic Web Security solution upgraded from v2.0.0 to v3.0.0, migrating to the v3 content schema pattern with contentTemplates and contentPackages structure.\nSecurity Impact (Visibility \u0026amp; Fidelity) This is a schema migration with infrastructure improvements rather than a security functionality change. The connector polling configuration was upgraded from v2.0 to v3.0, adding health check endpoints and LinkHeader paging support. Connectivity validation switched from legacy SentinelKindsV2 to modern IsConnectedQuery pattern — deployments will see improved connection status accuracy in the Microsoft Sentinel interface.\nAPI version upgraded from 2021-03-01-preview to stable 2023-02-01 API. 
Author email typo corrected from seraphicsecurity.con to seraphicsecurity.com.\nNo changes to ingestion logic, detection surface, or data fidelity — existing Seraphic Web Security deployments continue receiving the same event and alert data through the SeraphicWebSecurity_CL table.\nAffected Files Solutions/SeraphicSecurity/Data Connectors/SeraphicSecurityConnector.json (packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_Seraphic_Security.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-28-pr-14030/","summary":"Seraphic Web Security solution upgraded to v3.0.0 schema with polling v3.0, health checks, and corrected connectivity criteria.","title":"Seraphic Web Security: Upgraded to v3.0.0 Content Schema with Enhanced Polling"},{"content":"What Changed The Salesforce Service Cloud connector has been upgraded to version 3.1.0 with significant enhancements to event coverage and authentication options. This update expands data ingestion capabilities and provides additional deployment authentication methods.\nConnector Improvements Enhanced Event Coverage:\nDCR schema expanded with 957+ new field definitions for comprehensive Event Log File (ELF) object coverage Adds support for missing event types across all ELF categories including performance monitoring, security events, and operational telemetry New fields include timing metrics, network performance data, and detailed application-level events OAuth2 Authentication Enhancement:\nAdded OAuth2 username-password flow support alongside existing authentication methods Improves deployment flexibility for organizations with specific authentication requirements Maintains backward compatibility with existing authentication configurations Multi-Stream UI Preparation:\nUpdated connector UI configuration to support future multi-stream functionality Architectural improvements for enhanced scalability and data source selection Security Impact 
(Visibility \u0026amp; Fidelity) This update significantly enhances Salesforce security monitoring capabilities by capturing previously unavailable event types. Organizations can now ingest comprehensive performance metrics, detailed API call logs, and expanded authentication events that were missing from prior connector versions. The additional OAuth2 authentication method provides secure deployment options for environments with specific identity management requirements.\nAffected Files Solutions/Salesforce Service Cloud/Data Connectors/SalesforceSentinelConnector_CCP/SalesforceServiceCloud_DCR.json Solutions/Salesforce Service Cloud/Data Connectors/SalesforceSentinelConnector_CCP/SalesforceServiceCloud_DataConnectorDefinition.json Solutions/Salesforce Service Cloud/Data Connectors/SalesforceSentinelConnector_CCP/SalesforceServiceCloud_PollingConfig.json Solutions/Salesforce Service Cloud/Data Connectors/SalesforceSentinelConnector_CCP/SalesforceServiceCloud_Tables.json Solutions/Salesforce Service Cloud/Data Connectors/SalesforceSentinelConnector_CCP/azuredeploy_SalesforceServiceCloud_poller_connector.json (packaging artefacts: 3.1.0.zip, ReleaseNotes.md, Solution_TSalesforceCloudtemplateSpec.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-27-pr-14144/","summary":"Salesforce connector v3.1.0 adds comprehensive Event Log File coverage and OAuth2 username-password authentication for improved deployment flexibility.","title":"Salesforce Service Cloud Connector: Enhanced Event Coverage and OAuth2 Support"},{"content":"What Changed Microsoft added the GitHub Webhook V2 data connector as the strategic replacement for the original GitHub Webhook connector. 
The V2 connector migrates from the deprecated HTTP Data Collector API (CLv1/ODS endpoint) to the supported Logs Ingestion API (CLv2) with Managed Identity authentication.\nData Source This connector ingests GitHub Advanced Security webhook events for organizations using GitHub Enterprise features:\nCode Scanning Alert: Static analysis findings from CodeQL and third-party tools Repository Vulnerability Alert: Dependabot dependency vulnerability notifications Secret Scanning Alert: Exposed credential detections in repository code Ingestion Mechanism V2 (new): Logs Ingestion API (CLv2) with Managed Identity (DefaultAzureCredential) V1 (legacy): HTTP Data Collector API (CLv1/ODS) with SharedKey authentication Table: GitHubAdvancedSecurityAlerts_CL (V2) vs githubscanaudit_CL (V1) Unified parser: githubscanaudit() unions both tables for backward compatibility The V2 connector uses DCR/DCE architecture with the Function App system-assigned Managed Identity granted Monitoring Metrics Publisher role on the Data Collection Rule.\nSecurity Impact (Visibility \u0026amp; Fidelity) Migration urgency: The CLv1 HTTP Data Collector API is being replaced by Microsoft. Organizations still using the V1 GitHub Webhook connector will lose ingestion capability when CLv1 is deprecated. This creates a detection blind spot for:\nSupply chain compromise via dependency vulnerabilities (MITRE T1195.002) Credential exposure in code repositories SAST findings that detect injection flaws and other code-level vulnerabilities Backward compatibility: Both V1 and V2 tables use identical column schemas with _s/_d/_b suffixes. 
All existing workbooks, analytic rules, hunting queries, and parsers (GitHubCodeScanningData, GitHubDependabotData, GitHubSecretScanningData) continue to function via the unified githubscanaudit() parser.\nDetection Surface Unlocked For new deployments, this connector provides visibility into:\nCode quality gates: Static analysis alerts that may indicate vulnerable coding patterns Dependency risk: Third-party library vulnerabilities flagged by Dependabot scanning Secrets exposure: Hardcoded API keys, tokens, and credentials committed to repositories The connector supports HMAC-SHA256 signature validation (x-hub-signature-256) when GithubWebhookSecret is configured, ensuring webhook authenticity.\nAffected Files .script/tests/KqlvalidationsTests/CustomFunctions/githubscanaudit.json .script/tests/KqlvalidationsTests/CustomTables/GitHubAdvancedSecurityAlerts_CL.json Sample Data/GitHubAdvancedSecurityAlerts_CL.json Solutions/GitHub/Data Connectors/GithubWebhookV2/GithubWebhookConnectorV2/__init__.py Solutions/GitHub/Data Connectors/GithubWebhookV2/GithubWebhookConnectorV2/function.json Solutions/GitHub/Data Connectors/GithubWebhookV2/GithubWebhookV2_API_FunctionApp.json Solutions/GitHub/Data Connectors/GithubWebhookV2/README.md Solutions/GitHub/Data Connectors/GithubWebhookV2/azuredeploy_GithubWebhookV2_API_FunctionApp.json Solutions/GitHub/Data Connectors/GithubWebhookV2/host.json Solutions/GitHub/Data Connectors/GithubWebhookV2/requirements.txt Solutions/GitHub/Parsers/GitHubScanAudit.yaml (packaging artefacts: 3.2.0.zip, GithubWebhookV2.zip, ReleaseNotes.md, Solution_GitHub.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-27-pr-14111/","summary":"New CLv2-based GitHub Webhook connector replaces deprecated CLv1 API to maintain ingestion of code scanning, Dependabot, and secret scanning alerts.","title":"GitHub Webhook V2 Connector: CLv2 Migration Ensures Continued GitHub Advanced Security 
Ingestion"},{"content":"What Changed Microsoft Sentinel now supports direct data ingestion from Bitdefender GravityZone enterprise security platform through a new push-based connector solution. The deployment creates a complete data pipeline using Data Collection Rules (DCR), Data Collection Endpoints (DCE), and a custom table for GravityZone security events.\nData Source Bitdefender GravityZone is an enterprise security platform providing endpoint detection, network protection, and threat intelligence. The connector ingests security events from GravityZone\u0026rsquo;s API into the custom table GzSecurityEvents_CL.\nIngestion Mechanism Architecture: DCR-based push connector using Azure Data Collection Rules Authentication: Entra ID App Registration with service principal authentication Destination Table: GzSecurityEvents_CL (custom table with company_id, module, data fields) Data Transformation: KQL transform normalizes timestamp fields and structures dynamic data payload Security Impact (Visibility \u0026amp; Fidelity) This connector enables direct visibility into GravityZone-protected environments for organizations using Bitdefender\u0026rsquo;s enterprise security platform. The push-based approach provides real-time security event ingestion without polling delays.\nNote: This solution ships without pre-built Analytic Rules or Hunting Queries — detection engineering teams will need to develop custom KQL queries against the GzSecurityEvents_CL table to operationalize this data source.\nDetection Surface Unlocked With GravityZone data now available in Sentinel, SOC teams can correlate Bitdefender endpoint security events with other enterprise security data sources. 
The dynamic data field contains GravityZone\u0026rsquo;s native event structure, enabling detection logic around endpoint threats, compliance violations, and security policy enforcement events.\nAffected Files .script/tests/KqlvalidationsTests/CustomTables/GzSecurityEvents_CL.json .script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json Logos/Bitdefender.svg Solutions/GravityZone/Data Connectors/GravityZone_API.json Solutions/GravityZone/Data Connectors/azuredeploy_GravityZone_API.json Solutions/GravityZone/Package/testParameters.json (packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_GravityZone.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-27-pr-14102/","summary":"New GravityZone solution brings enterprise endpoint threat data directly to Sentinel via DCR-based push ingestion without bundled detections.","title":"Bitdefender GravityZone: New Push-Based Security Data Connector for Sentinel"},{"content":"What Changed Fixed a critical ARM template evaluation error in the Lookout Mobile Threat Detection connector that prevented deployment since version 3.0.3.\nSecurity Impact (Visibility \u0026amp; Fidelity) Deployments running Lookout 3.0.3 experienced complete connector creation failure due to an ARM expression parsing error. The APIKey field contained malformed bracket escaping that produced an invalid ARM expression during Sentinel connector instantiation, resulting in zero mobile threat data ingestion.\nThe error \u0026ldquo;expected token EndOfData and actual RightSquareBracket\u0026rdquo; blocked all new Lookout connector deployments — organizations installing this connector had no mobile threat visibility until this fix.\nTechnical Details Changed APIKey field bracket escaping to match the pattern used by adjacent dcrConfig fields. 
After ARM deployment strips the escaping bracket, Sentinel now correctly evaluates the parameter expression to retrieve the customer API key for mobile threat data ingestion.\nAffected Files (packaging artefacts: 3.0.4.zip, ReleaseNotes.md, SolutionMetadata.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-27-pr-14134/","summary":"Fixed bracket escaping bug in ARM template that caused complete Lookout connector deployment failure.","title":"Lookout Connector: Critical ARM Template Fix Restores Mobile Threat Data Ingestion"},{"content":"What Changed Complete Microsoft Sentinel solution for Vaikora AI agent governance platform. Includes CCF data connector, custom table, 3 analytic rules, and workbook for monitoring AI agent behavioral signals.\nData Source Vaikora API REST endpoint (GET /api/v1/actions) polling every 6 hours. Ingests AI agent action data including policy decisions, risk scores, anomaly detection, and threat status into custom table Vaikora_AgentSignals_CL.\nDetection Logic Vaikora - Agent Policy Violation (Medium severity, 15m frequency):\nPrimary data source: Vaikora_AgentSignals_CL Core logic: fires when policy_decision_s == \u0026ldquo;block\u0026rdquo; — identifies explicit policy violations Entity types: Account (mapped to agent_id_s) Vaikora - Behavioral Anomaly Detected (Medium severity, 30m frequency):\nCore logic: triggers when is_anomaly_b == true and anomaly_score_d \u0026gt;= 0.7 — high-confidence behavioral deviations Entity types: Account Vaikora - High Severity AI Agent Action (High severity, 1h frequency):\nCore logic: fires when severity_s in (\u0026ldquo;high\u0026rdquo;, \u0026ldquo;critical\u0026rdquo;) — agent actions exceeding safety thresholds Entity types: Account MITRE Mapping T1078 (Valid Accounts) — agent authentication abuse T1562 (Impair Defenses) — policy circumvention attempts T1059 (Command and Scripting Interpreter) — anomalous execution patterns T1027 (Obfuscated Files or Information) 
— behavioral anomalies T1548 (Abuse Elevation Control Mechanism) — privilege escalation detection Detection Surface Unlocked Enables monitoring of AI agent governance violations including prompt injection attempts, policy circumvention, behavioral anomalies, and unauthorized resource access. Bridges AI governance and SIEM for AI-powered infrastructure security.\nAffected Files .script/tests/KqlvalidationsTests/CustomTables/Vaikora_AgentSignals_CL.json .script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json Logos/vaikora_logo.svg Solutions/Vaikora-Sentinel/Analytic Rules/Vaikora - Agent Policy Violation.yaml Solutions/Vaikora-Sentinel/Analytic Rules/Vaikora - Behavioral Anomaly Detected.yaml Solutions/Vaikora-Sentinel/Analytic Rules/Vaikora - High Risk AI Agent Action.yaml Solutions/Vaikora-Sentinel/Data Connectors/VaikoraSentinel_CCF/Vaikora_ConnectorDefinition.json Solutions/Vaikora-Sentinel/Data Connectors/VaikoraSentinel_CCF/Vaikora_DCR.json Solutions/Vaikora-Sentinel/Data Connectors/VaikoraSentinel_CCF/Vaikora_PollerConfig.json Solutions/Vaikora-Sentinel/Data Connectors/VaikoraSentinel_CCF/Vaikora_Table.json Solutions/Vaikora-Sentinel/Package/testParameters.json Solutions/Vaikora-Sentinel/README.md Solutions/Vaikora-Sentinel/Workbooks/Images/Preview/VaikoraAgentSignalsDashboardBlack.png Solutions/Vaikora-Sentinel/Workbooks/Images/Preview/VaikoraAgentSignalsDashboardWhite.png Solutions/Vaikora-Sentinel/Workbooks/VaikoraAgentSignalsDashboard.json Workbooks/Images/Logos/vaikora_logo.svg Workbooks/Images/Preview/VaikoraAgentSignalsDashboardBlack.png Workbooks/Images/Preview/VaikoraAgentSignalsDashboardWhite.png Workbooks/WorkbooksMetadata.json (packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_Vaikora.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-27-pr-13983/","summary":"New CCF connector ingests Vaikora AI agent behavioral signals with 3 detection rules for 
policy violations, anomalies, and high-risk actions.","title":"Vaikora Solution: New AI Agent Governance Connector for Microsoft Sentinel"},{"content":"What Changed Microsoft Sentinel introduces a new ASIM schema for Agent Event normalization, establishing the foundation for vendor-agnostic security agent monitoring. This creates the framework for standardizing agent lifecycle events, configuration changes, and agent-to-platform communications across all security tools.\nSchema Structure The new AgentEvent schema normalizes agent activity across three core areas:\nSource Agent Fields: SrcAgentId, SrcAgentName, SrcAgentDescription — tracks the originating security agent Target Agent Fields: TargetAgentId, TargetAgentName, TargetAgentUsername — identifies affected agents or platforms Event Context: EventType, EventRequestId, EventSessionId — provides operational context for agent interactions Key fields include agent blueprint identification, platform targeting, and detailed error reporting for agent failures.\nParser Infrastructure Three foundational parsers are now available:\nASimAgentEvent — unifying parser for all supported agent event sources imAgentEvent — filtering parser with parameters for time range, agent ID, and username filtering vimAgentEventEmpty — empty schema template for testing and development Detection Surface Unlocked This schema enables monitoring of:\nAgent deployment and configuration drift across the environment Unauthorized agent modifications or tampering attempts Agent communication failures that create visibility blind spots Cross-platform agent lifecycle management events The schema supports advanced fields for AI/ML agent interactions including token usage tracking, model provider identification, and thought process details — preparing for next-generation intelligent security agents.\nAffected Files .github/workflows/convertKqlFunctionYamlToArmTemplate.yaml .github/workflows/runAsimSchemaAndDataTesters.yaml 
.script/getModifiedASimSchemas.ps1 .script/tests/KqlvalidationsTests/CustomFunctions/_Im_AgentEvent.json .script/tests/KqlvalidationsTests/FunctionSchemasLoaders/ParsersDatabase.cs .script/tests/asimParsersTest/VerifyASimParserTemplate.py ASIM/deploy/EmptyCustomUnifyingParsers/ASim_AgentEventCustom.json ASIM/deploy/EmptyCustomUnifyingParsers/AgentEventDeploymentCustomUnifyingParsers.json ASIM/deploy/EmptyCustomUnifyingParsers/FullDeploymentCustomUnifyingParsers.json ASIM/deploy/EmptyCustomUnifyingParsers/Im_AgentEventCustom.json ASIM/deploy/EmptyCustomUnifyingParsers/README.md ASIM/dev/ASimTester/ASimTester.csv Parsers/ASimAgentEvent/ARM/ASimAgentEntity/ASimAgentEntity.json Parsers/ASimAgentEvent/ARM/ASimAgentEntity/README.md Parsers/ASimAgentEvent/ARM/FullDeploymentAgentEvent.json Parsers/ASimAgentEvent/ARM/README.md Parsers/ASimAgentEvent/ARM/imAgentEvent/README.md Parsers/ASimAgentEvent/ARM/imAgentEvent/imAgentEvent.json Parsers/ASimAgentEvent/ARM/vimAgentEventEmpty/README.md Parsers/ASimAgentEvent/ARM/vimAgentEventEmpty/vimAgentEventEmpty.json Parsers/ASimAgentEvent/CHANGELOG/ASimAgentEvent.md Parsers/ASimAgentEvent/CHANGELOG/imAgentEvent.md Parsers/ASimAgentEvent/CHANGELOG/vimAgentEventEmpty.md Parsers/ASimAgentEvent/Parsers/ASimAgentEntity.yaml Parsers/ASimAgentEvent/Parsers/imAgentEvent.yaml Parsers/ASimAgentEvent/Parsers/vimAgentEventEmpty.yaml Parsers/ASimAgentEvent/README.md ","permalink":"http://sentinelchangelog.net/posts/2026-04-24-pr-14086/","summary":"Microsoft Sentinel gains ASIM Agent Event schema for normalizing security agent events across all vendor platforms.","title":"ASIM Agent Event Schema: New Normalization Framework for Security Agent Monitoring"},{"content":"Affected Files Solutions/AWS ELB/Data Connectors/AWSELBConnector_CCF/AWSELBConnector_ConnectorDefinition.json (packaging artefacts: 3.0.1.zip, ReleaseNotes.md, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-24-pr-14127/","summary":"AWS Elastic Load 
Balancer solution transitions from Public Preview to GA status, confirming production readiness for ALB/NLB access log monitoring.","title":"AWS ELB Solution Moves to General Availability"},{"content":"Affected Files (packaging artefacts: 3.0.3.zip, ReleaseNotes.md, SolutionMetadata.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-24-pr-14125/","summary":"Version bump from 3.0.2 to 3.0.3 for certification resubmission with ARM template parameter fix.","title":"Lookout Solution: Version 3.0.3 Certification Resubmission"},{"content":"What Changed New complete solution for Valimail Enforce platform monitoring, including CCF connector, 4 analytic rules, and 4 hunting queries targeting email authentication configuration security.\nData Source Valimail Enforce platform configuration events via REST API polling. Ingests domain management events including DMARC policy changes, SPF/DKIM configuration modifications, and user management activities into custom table ValimailEnforceEvents_CL.\nIngestion Mechanism CCF-based connector using DCR ingestion with custom stream Custom-ValimailReporting_API. 
Polls Valimail Enforce API for configuration events and normalizes fields including Subject (domain), User (actor), EventType (action), EventChange (details), and PerformedAt (timestamp).\nDetection Coverage Unlocked DMARC Policy Weakening (High Severity) Detects DMARC policy changes to \u0026rsquo;none\u0026rsquo; that disable enforcement MITRE: T1566 (Phishing), T1562 (Impair Defenses) Maps Account and DNS entities for incident correlation Email Authentication Key Deletion (Medium Severity) Monitors SPF delegation and DKIM key removals MITRE: T1562 (Impair Defenses) Tracks configuration changes that degrade authentication posture Unusual Configuration Change Rate (Medium Severity) Flags users making \u0026gt;3 changes in 1-hour windows MITRE: T1562, T1531 (Account Access Removal), T1078 (Valid Accounts) Detects potential compromised admin accounts or insider threats High-Value User Management Events (High Severity) Monitors critical user deletion/deactivation events MITRE: T1531, T1078 Account-centric alerting for privileged access changes MITRE Coverage Primary techniques from YAML diffs: T1078 (Valid Accounts), T1098 (Account Manipulation), T1531 (Account Access Removal), T1562 (Impair Defenses), T1566 (Phishing). 
Focus on defense evasion through email authentication weakening and account-based persistence mechanisms.\nHunting Capabilities Bulk domain change detection across multiple domains by single user Configuration change rate trending with hourly bucketing DMARC policy change history for forensic analysis High-value event summarization for security reviews Affected Files .script/tests/KqlvalidationsTests/CustomTables/ValimailEnforceEvents_CL.json .script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json Logos/valimail.svg Solutions/ValimailEnforce/Analytic Rules/ValimailEnforce_AuthKeyChanged.yaml Solutions/ValimailEnforce/Analytic Rules/ValimailEnforce_DMARCPolicyWeakened.yaml Solutions/ValimailEnforce/Analytic Rules/ValimailEnforce_UnusualChangeRate.yaml Solutions/ValimailEnforce/Analytic Rules/ValimailEnforce_UserManagementHighValue.yaml Solutions/ValimailEnforce/Data Connectors/ValimailEnforceEventLogs_ccp/ValimailEnforceEventLogs_DCR.json Solutions/ValimailEnforce/Data Connectors/ValimailEnforceEventLogs_ccp/ValimailEnforceEventLogs_PollerConfig.json Solutions/ValimailEnforce/Data Connectors/ValimailEnforceEventLogs_ccp/ValimailEnforceEventLogs_Table.json Solutions/ValimailEnforce/Data Connectors/ValimailEnforceEventLogs_ccp/ValimailEnforceEventLogs_connectorDefinition.json Solutions/ValimailEnforce/Hunting Queries/ValimailEnforce_BulkChanges.yaml Solutions/ValimailEnforce/Hunting Queries/ValimailEnforce_ChangeRateTrend.yaml Solutions/ValimailEnforce/Hunting Queries/ValimailEnforce_DMARCPolicyHistory.yaml Solutions/ValimailEnforce/Hunting Queries/ValimailEnforce_HighValueEventSummary.yaml Solutions/ValimailEnforce/Package/testParameters.json (packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_ValimailEvents.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-24-pr-14045/","summary":"Complete Valimail Enforce monitoring solution delivers real-time detection of email 
authentication policy weakening and suspicious admin activity affecting domain security posture.","title":"Valimail Enforce Solution: New Email Authentication Monitoring for DMARC/SPF/DKIM Configuration Changes"},{"content":"What Changed Halcyon solution updated to v3.1.0 with significant data architecture changes. The CCF connector now ingests events using Open Cybersecurity Schema Framework (OCSF) format instead of direct ASIM schema ingestion.\nParser Impact Removed ASIM Tables and Parsers (5 total)\nHalcyonAuthenticationEvents_CL table and ASimAuthenticationHalcyon parser removed HalcyonDnsActivity_CL table and ASimDnsHalcyon parser removed HalcyonFileActivity_CL table and ASimFileEventHalcyon parser removed HalcyonNetworkSession_CL table and ASimNetworkSessionHalcyon parser removed HalcyonProcessEvent_CL table and ASimProcessEventHalcyon parser removed New Unified Architecture\nSingle HalcyonEvents_CL table now receives all event types in OCSF format ASIM parsers will be provided separately to transform OCSF data to ASIM schemas Significant DCR schema simplification - reduced from 1,580 field definitions to 148 Security Impact (Visibility \u0026amp; Fidelity) This is a data architecture modernization rather than a capability loss. Organizations using the previous Halcyon connector will need to:\nRedeploy the connector to provision the new HalcyonEvents_CL table Update any custom queries referencing the old table names to use new ASIM parser functions Expect a brief data collection gap during migration Queries using the standardized ASIM function names (ASimAuthenticationHalcyon, etc.) 
will continue working once the new ASIM parsers are deployed, but direct table references to Halcyon*_CL tables will break.\nThe OCSF format provides richer event context and better alignment with industry standards while maintaining ASIM compatibility through transformation parsers.\nAffected Files .script/tests/KqlvalidationsTests/CustomTables/HalcyonAuthenticationEvents_CL.json .script/tests/KqlvalidationsTests/CustomTables/HalcyonDnsActivity_CL.json .script/tests/KqlvalidationsTests/CustomTables/HalcyonFileActivity_CL.json .script/tests/KqlvalidationsTests/CustomTables/HalcyonNetworkSession_CL.json .script/tests/KqlvalidationsTests/CustomTables/HalcyonProcessEvent_CL.json Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_DCR.json Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_connectorDefinition.json Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_table_AuthenticationEvent.json Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_table_DnsActivity.json Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_table_FileActivity.json Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_table_NetworkSession.json Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_table_ProcessEvent.json Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_table_events.json Solutions/Halcyon/Parsers/ASimAuthenticationHalcyon.yaml Solutions/Halcyon/Parsers/ASimDnsHalcyon.yaml Solutions/Halcyon/Parsers/ASimFileEventHalcyon.yaml Solutions/Halcyon/Parsers/ASimNetworkSessionHalcyon.yaml Solutions/Halcyon/Parsers/ASimProcessEventHalcyon.yaml (packaging artefacts: 3.1.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_Halcyon.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-23-pr-13928/","summary":"Halcyon connector migrated from direct ASIM ingestion to OCSF schema with ASIM transformation parsers, replacing 5 custom tables with unified HalcyonEvents_CL table.","title":"Halcyon Anti-Ransomware: Connector 
Overhaul from ASIM to OCSF Schema Architecture"},{"content":"What Changed SOCRadar XTI Platform solution (v3.0.0) added to Content Hub, providing bidirectional integration between SOCRadar Extended Threat Intelligence platform and Microsoft Sentinel.\nSolution Components Data Sources \u0026amp; Logs\nCustom tables: SOCRadar_Alarms_CL, SOCRadarAuditLog_CL Data Collection Endpoint and Rules provisioned automatically Sample data included for validation Detections \u0026amp; Hunting (8 total)\n3 Analytic Rules: Critical/High severity alarm detection, volume spike detection, unsynced incident monitoring 5 Hunting Queries: Alarm overview, trends analysis, critical alarm hunting, incident correlation, audit analysis MITRE coverage: T1078 (Valid Accounts), T1485 (Data Destruction), T1486 (Data Encrypted for Impact), T1526 (Cloud Service Discovery), T1567 (Exfiltration Over Web Service), T1589 (Gather Victim Identity Information) Automation \u0026amp; Sync\nSOCRadar-Alarm-Import playbook: Paginated alarm fetching with duplicate detection, severity/status mapping, automatic tagging SOCRadar-Alarm-Sync playbook: Bidirectional sync of closed incidents back to SOCRadar with classification mapping Both use Managed Identity for authentication Visualization\nSOCRadar Dashboard workbook with severity, status, and timeline charts Extended Threat Intelligence Coverage SOCRadar XTI provides external attack surface monitoring and threat intelligence. Key alarm types monitored include:\nCredential exposure detection Ransomware mentions targeting the organization Digital risk protection alerts Attack surface management findings Security Impact Organizations gain visibility into external threats and attack surface exposure that traditional internal monitoring cannot detect. 
The bidirectional sync ensures threat response workflows remain synchronized between SOCRadar threat intelligence and Microsoft Sentinel incident management.\nAffected Files .script/tests/KqlvalidationsTests/CustomTables/SOCRadarAuditLog_CL.json .script/tests/KqlvalidationsTests/CustomTables/SOCRadar_Alarms_CL.json Logos/socradar.svg Sample Data/Custom/SOCRadarAuditLog_CL.json Sample Data/Custom/SOCRadar_Alarms_CL.json Solutions/SOCRadar/Analytic Rules/SOCRadarAlarmVolumeSpike.yaml Solutions/SOCRadar/Analytic Rules/SOCRadarCriticalAlarmDetection.yaml Solutions/SOCRadar/Analytic Rules/SOCRadarUnsyncedClosedIncident.yaml Solutions/SOCRadar/Hunting Queries/SOCRadar-Alarm-Overview.yaml Solutions/SOCRadar/Hunting Queries/SOCRadar-Alarm-Trends.yaml Solutions/SOCRadar/Hunting Queries/SOCRadar-Audit-Analysis.yaml Solutions/SOCRadar/Hunting Queries/SOCRadar-Critical-Alarms.yaml Solutions/SOCRadar/Hunting Queries/SOCRadar-Incident-Correlation.yaml Solutions/SOCRadar/Package/testParameters.json Solutions/SOCRadar/Playbooks/SOCRadar-Alarm-Import/azuredeploy.json Solutions/SOCRadar/Playbooks/SOCRadar-Alarm-Import/readme.md Solutions/SOCRadar/Playbooks/SOCRadar-Alarm-Sync/azuredeploy.json Solutions/SOCRadar/Playbooks/SOCRadar-Alarm-Sync/readme.md Solutions/SOCRadar/Workbooks/Images/Logos/socradar.svg Solutions/SOCRadar/Workbooks/Images/Preview/SOCRadarDashboardBlack.png Solutions/SOCRadar/Workbooks/Images/Preview/SOCRadarDashboardWhite.png Solutions/SOCRadar/Workbooks/SOCRadar-Dashboard.json Solutions/SOCRadar/logo/socradar.svg Solutions/SOCRadar/readme.md Workbooks/Images/Logos/socradar.svg Workbooks/Images/Preview/SOCRadarDashboardBlack.png Workbooks/Images/Preview/SOCRadarDashboardWhite.png Workbooks/WorkbooksMetadata.json (packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_SOCRadar.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-23-pr-13858/","summary":"SOCRadar XTI Platform solution 
now available in Content Hub with automated alarm import, incident sync, and comprehensive threat intelligence monitoring capabilities.","title":"SOCRadar XTI Platform: New Extended Threat Intelligence Solution Launches with Bidirectional Sync"},{"content":"What Changed The ASIM Process Event parsers for Microsoft 365 Defender for Endpoint have been enhanced to extract additional file metadata fields that were previously available in source data but not mapped to standardized ASIM fields.\nParser Impact Both ASimProcessEventMicrosoft365D and vimProcessEventMicrosoft365D parsers now include:\nNew TargetProcessFile mappings:\nTargetProcessFileCompany (from ProcessVersionInfoCompanyName) TargetProcessFileDescription (from ProcessVersionInfoFileDescription) TargetProcessFileProduct (from ProcessVersionInfoProductName) TargetProcessFileVersion (from ProcessVersionInfoProductVersion) TargetProcessFileInternalName (from ProcessVersionInfoInternalFileName) TargetProcessFileOriginalName (from ProcessVersionInfoOriginalFileName) TargetProcessFileSize (from FileSize, null when zero) New ActingProcessFile mappings:\nActingProcessFileCompany (from InitiatingProcessVersionInfoCompanyName) ActingProcessFileDescription (from InitiatingProcessVersionInfoFileDescription) ActingProcessFileProduct (from InitiatingProcessVersionInfoProductName) ActingProcessFileVersion (from InitiatingProcessVersionInfoProductVersion) ActingProcessFileInternalName (from InitiatingProcessVersionInfoInternalFileName) ActingProcessFileOriginalName (from InitiatingProcessVersionInfoOriginalFileName) ActingProcessFileSize (from InitiatingProcessFileSize, null when zero) Additional projections:\nEventUid field mapping AdditionalFields, DvcHostname, DvcDomain, DvcDomainType output projection This is a data fidelity improvement — queries referencing these file metadata fields against these parsers previously returned null for all rows. 
No change to core filtering logic or entity types.\nAffected Files Parsers/ASimProcessEvent/ARM/ASimProcessEventMicrosoft365D/ASimProcessEventMicrosoft365D.json Parsers/ASimProcessEvent/ARM/vimProcessEventMicrosoft365D/vimProcessEventMicrosoft365D.json Parsers/ASimProcessEvent/CHANGELOG/ASimProcessEventMicrosoft365D.md Parsers/ASimProcessEvent/CHANGELOG/vimProcessEventMicrosoft365D.md Parsers/ASimProcessEvent/Parsers/ASimProcessEventMicrosoft365D.yaml Parsers/ASimProcessEvent/Parsers/vimProcessEventMicrosoft365D.yaml Sample Data/ASIM/Microsoft_M365 Defender for Endpoint_ProcessEvent_IngestedLogs.csv ","permalink":"http://sentinelchangelog.net/posts/2026-04-22-pr-13785/","summary":"ASIM Process Event parsers for Microsoft 365 Defender now extract file version metadata, improving process attribution and hunt query precision.","title":"Microsoft 365 Defender Process Parsers: Enhanced File Metadata Visibility"},{"content":"What Changed The Microsoft Sentinel Training Lab has been simplified to use only User-Assigned Managed Identity (UAMI) authentication for deploying custom detection rules to Microsoft Defender XDR, removing the previous dual-option choice between UAMI and Service Principal (App Registration) authentication.\nDeployment Impact The ARM template deployDetectionRules.json has been significantly streamlined:\nRemoved conditional deployment logic that supported both UAMI and Service Principal authentication Eliminated Service Principal parameters (spnTenantId, spnClientId, spnClientSecret) from the template Simplified the Automation Account resource creation to require only UAMI configuration Updated rule count reference from 17 to 22 detection rules in lab documentation User Experience Improvements Documentation has been restructured with clearer Cloud Shell guidance:\nConsolidated authentication setup from two complex options to a single UAMI workflow Added specific Azure portal Cloud Shell instructions with step-by-step PowerShell commands Removed 
Service Principal setup documentation that included manual portal steps and CLI alternatives Simplified deployment parameter requirements from multiple auth fields to a single UAMI resource ID This change reduces deployment complexity while maintaining the same Microsoft Graph CustomDetection.ReadWrite.All permission requirement for creating custom detection rules in Microsoft Defender XDR.\nAffected Files Tools/Microsoft-Sentinel-Training-Lab/Artifacts/LinkedTemplates/deployDetectionRules.json Tools/Microsoft-Sentinel-Training-Lab/Exercises/E03_mitre_attack_coverage.md Tools/Microsoft-Sentinel-Training-Lab/Exercises/Onboarding.md Tools/Microsoft-Sentinel-Training-Lab/README.md (packaging artefacts: mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-22-pr-14106/","summary":"Training lab removes dual-auth complexity, standardizing on User-Assigned Managed Identity for Microsoft Defender XDR custom detection rule deployment.","title":"Microsoft Sentinel Training Lab: Authentication Simplified to UAMI-Only"},{"content":"What Changed BitSight solution package version bumped from 3.1.0 to 3.1.1 to resolve a solution ID configuration issue preventing proper republishing to Content Hub.\nSecurity Impact No detection logic, data ingestion, or security functionality affected — this is a packaging metadata fix only. 
BitSight threat intelligence and security ratings data ingestion remains unaffected for existing deployments.\nAffected Files (packaging artefacts: 3.1.1.zip, ReleaseNotes.md, Solution_BitSight.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-22-pr-14116/","summary":"BitSight solution package updated to v3.1.1 fixing a solution ID issue that prevented proper republishing to Microsoft Sentinel Content Hub.","title":"BitSight Solution: Packaging Fix Resolves Content Hub Republishing Failure"},{"content":"What Changed New complete Microsoft Sentinel solution for Cyjax threat intelligence platform integration, delivering automated IOC ingestion and interactive threat hunting capabilities.\nData Source Cyjax API v2 provides comprehensive threat intelligence including:\nIOCs (IPs, domains, URLs, file hashes, emails, hostnames) Data breach credential monitoring Domain monitoring alerts Enrichment data (GeoIP, ASN, sightings) Ingestion Mechanism Function App-based data connector with:\nSTIX 2.1 format IOC ingestion to ThreatIntelligenceIndicator table Configurable IOC type filtering and search queries Optional enrichment with GeoIP and ASN data Incremental fetching with checkpoint management Scheduled collection (default: every 10 minutes) Detection Surface Unlocked Automated Threat Intelligence:\nContinuous IOC ingestion from Cyjax feeds Threat indicator correlation with security events Enhanced IOC context through enrichment data Interactive Investigation Capabilities:\nAd hoc IOC enrichment via workbook interface Data breach credential monitoring for email addresses Domain monitoring for suspicious registrations Automated incident enrichment with Cyjax threat context Playbook Automation Five Logic Apps provide comprehensive investigation workflows:\nCyjaxIncidentEnrichment: Auto-enriches incident entities with threat intelligence CyjaxAddCommentToIncident: Sub-playbook for formatted threat data injection CyjaxAdHocEnrichment: On-demand 
IOC lookup from workbook CyjaxDataBreaches: Email credential breach investigation CyjaxDomainMonitor: Domain threat monitoring queries Security Impact Addresses threat intelligence blind spots by:\nProviding continuous IOC feed integration beyond basic indicators Enabling proactive credential breach monitoring Supporting ad hoc investigation of suspicious entities Automating threat context enrichment in incident response workflows All components integrate via Azure Key Vault for secure API credential management.\nAffected Files .script/tests/KqlvalidationsTests/CustomTables/CyjaxAdHocEnrichment_CL.json .script/tests/KqlvalidationsTests/CustomTables/CyjaxDataBreaches_CL.json .script/tests/KqlvalidationsTests/CustomTables/CyjaxDomainMonitor_CL.json .script/tests/KqlvalidationsTests/CustomTables/CyjaxThreatIndicator.json Logos/Cyjax.svg Sample Data/Custom/CyjaxAdHocEnrichment_CL.csv Sample Data/Custom/CyjaxDataBreaches_CL.csv Sample Data/Custom/CyjaxDomainMonitor_CL.csv Sample Data/Custom/CyjaxThreatIndicator.csv Solutions/Cyjax/Data Connectors/CyjaxIOCIngestion/__init__.py Solutions/Cyjax/Data Connectors/CyjaxIOCIngestion/cyjax_ioc_helper.py Solutions/Cyjax/Data Connectors/CyjaxIOCIngestion/function.json Solutions/Cyjax/Data Connectors/CyjaxIOC_API_FunctionApp.json Solutions/Cyjax/Data Connectors/README.md Solutions/Cyjax/Data Connectors/SharedCode/__init__.py Solutions/Cyjax/Data Connectors/SharedCode/consts.py Solutions/Cyjax/Data Connectors/SharedCode/cyjax_client.py Solutions/Cyjax/Data Connectors/SharedCode/cyjax_to_stix_mapping.py Solutions/Cyjax/Data Connectors/SharedCode/exceptions.py Solutions/Cyjax/Data Connectors/SharedCode/logger.py Solutions/Cyjax/Data Connectors/SharedCode/sentinel.py Solutions/Cyjax/Data Connectors/SharedCode/state_manager.py Solutions/Cyjax/Data Connectors/azuredeploy_Connector_CyjaxIOC_AzureFunction.json Solutions/Cyjax/Data Connectors/host.json Solutions/Cyjax/Data Connectors/requirements.txt 
Solutions/Cyjax/Package/testParameters.json Solutions/Cyjax/Parsers/CyjaxCorrelate.yaml Solutions/Cyjax/Parsers/CyjaxThreatIndicator.yaml Solutions/Cyjax/Playbooks/CyjaxAdHocEnrichment/CyjaxAdHocEnrichment.png Solutions/Cyjax/Playbooks/CyjaxAdHocEnrichment/README.md Solutions/Cyjax/Playbooks/CyjaxAdHocEnrichment/azuredeploy.json Solutions/Cyjax/Playbooks/CyjaxAddCommentToIncident/CyjaxAddCommentToIncident.png Solutions/Cyjax/Playbooks/CyjaxAddCommentToIncident/README.md Solutions/Cyjax/Playbooks/CyjaxAddCommentToIncident/azuredeploy.json Solutions/Cyjax/Playbooks/CyjaxDataBreaches/CyjaxDataBreaches.png Solutions/Cyjax/Playbooks/CyjaxDataBreaches/README.md Solutions/Cyjax/Playbooks/CyjaxDataBreaches/azuredeploy.json Solutions/Cyjax/Playbooks/CyjaxDomainMonitor/CyjaxDomainMonitor.png Solutions/Cyjax/Playbooks/CyjaxDomainMonitor/README.md Solutions/Cyjax/Playbooks/CyjaxDomainMonitor/azuredeploy.json Solutions/Cyjax/Playbooks/CyjaxIncidentEnrichment/CyjaxIncidentEnrichment.png Solutions/Cyjax/Playbooks/CyjaxIncidentEnrichment/README.md Solutions/Cyjax/Playbooks/CyjaxIncidentEnrichment/azuredeploy.json Solutions/Cyjax/Workbooks/Cyjax.json Workbooks/Images/Logos/Cyjax.svg Workbooks/Images/Preview/CyjaxBlack1.png Workbooks/Images/Preview/CyjaxBlack2.png Workbooks/Images/Preview/CyjaxBlack3.png Workbooks/Images/Preview/CyjaxBlack4.png Workbooks/Images/Preview/CyjaxBlack5.png Workbooks/Images/Preview/CyjaxWhite1.png Workbooks/Images/Preview/CyjaxWhite2.png Workbooks/Images/Preview/CyjaxWhite3.png Workbooks/Images/Preview/CyjaxWhite4.png Workbooks/Images/Preview/CyjaxWhite5.png Workbooks/WorkbooksMetadata.json (packaging artefacts: 3.0.0.zip, CyjaxIOC.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_Cyjax.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-22-pr-13902/","summary":"New comprehensive Microsoft Sentinel integration adds automated IOC collection, incident enrichment, and interactive threat intelligence 
dashboards for the Cyjax platform.","title":"Cyjax Threat Intelligence Platform: Complete Solution for IOC Ingestion and Investigation"},{"content":"What Changed Fixed the workspace-location parameter in mainTemplate.json from empty string to [resourceGroup().location] for the Lookout Mobile Risk API v2 solution.\nDeployment Impact ARM template deployments with unset location parameters previously failed or used incorrect regions. The fix ensures workspace location resolves correctly to the resource group region during solution deployment from Content Hub.\nThis is a packaging fix with no impact on detection logic or data ingestion.\nAffected Files (packaging artefacts: 3.0.2.zip, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-22-pr-14095/","summary":"Fixed workspace-location defaultValue in Lookout solution ARM template to prevent deployment failures when location parameter is unset.","title":"Lookout Connector: ARM Template Fix Prevents Deployment Location Errors"},{"content":"Affected Files (packaging artefacts: 3.0.0.zip, 3.0.1.zip, 3.0.2.zip, ReleaseNotes.md, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-21-pr-14083/","summary":"Resolved package publishing failure by adding missing connector information to UI definition file.","title":"Visa Threat Intelligence: Package Publishing Fix for Content Hub Deployment"},{"content":"What Changed The ExtraHop RevealX connector package was reverted from version 3.0.2 back to a stable version (ExtraHopDataConnector302) to address unspecified customer-facing issues. The ARM deployment template now references the previous function app package URL.\nSecurity Impact (Visibility \u0026amp; Fidelity) Per the PR discussion indicating urgency and customer impact, deployments using the ExtraHop RevealX connector version 3.0.2 were experiencing issues that disrupted data ingestion from ExtraHop RevealX network detection and response systems. 
The reversion restores network visibility for affected customers.\nExtraHop RevealX provides network traffic analysis and behavioral detection capabilities — any ingestion disruption creates a blind spot for network-based threat detection, lateral movement detection, and east-west traffic monitoring. The urgent nature of this fix suggests production deployments were affected.\nAffected Files Solutions/ExtraHop/Data Connectors/ExtraHopDataConnector/azuredeploy_ExtraHop_AzureFunction.json (packaging artefacts: ExtraHopDataConnector.zip, ExtraHopDataConnector302.zip, ReleaseNotes.md) ","permalink":"http://sentinelchangelog.net/posts/2026-04-21-pr-14105/","summary":"ExtraHop connector reverted to previous function app package to resolve customer-facing deployment issues affecting data ingestion.","title":"ExtraHop RevealX Connector: Function App Package Reverted to Address Customer Issues"},{"content":"What Changed The AWS CloudTrail Azure Function connector now properly handles unsupported file types by initializing the extracted_file variable and adding explicit error logging for unrecognized file extensions.\nSecurity Impact (Visibility \u0026 Fidelity) Prior to this fix, the CloudTrail ingestion function would crash with a NameError when encountering files with unsupported extensions (anything other than .csv.gz, .json.gz, or .json). 
This crash would terminate the ingestion process for that execution cycle, creating potential blind spots in CloudTrail audit log visibility.\nThe fix ensures the function continues processing other files in the S3 bucket even when encountering unsupported formats, maintaining continuous audit log ingestion and preventing data loss from function crashes.\nAffected Files DataConnectors/AWS-CloudTrail-AzureFunction/AzFunAWSCloudTrailLogsIngestion/__init__.py (packaging artefacts: AzFunAWSCloudTrailLogsIngestion.zip) ","permalink":"http://sentinelchangelog.net/posts/2026-04-21-pr-14104/","summary":"Fixes potential Python exception in CloudTrail ingestion function when encountering unsupported file formats, preventing data ingestion failure.","title":"AWS CloudTrail Connector: Function App Crash Fix for Unsupported File Types"},{"content":"What Changed The Recorded Future Identity solution (v3.1.3) has been updated to prepare for Microsoft Defender Portal migration. The primary change is the deprecation of the RFI-Playbook-Alert-Importer-LAW-Sentinel playbook that creates incidents via Logic Apps, as these incidents do not appear in the unified Microsoft Defender portal.\nMigration Impact Breaking Change Alert: Deployments using the RFI-Playbook-Alert-Importer-LAW-Sentinel playbook will lose incident visibility when organizations migrate to Microsoft Defender Portal. 
The deprecated playbook creates incidents via the Azure Sentinel Logic Apps connector, which Microsoft no longer supports in the unified portal.\nRecommended Migration Path:\nSwitch to RFI-Playbook-Alert-Importer-LAW playbook to write identity exposure data to Log Analytics Deploy new Analytic Rule RecordedFutureIdentityExposure to create incidents from the RecordedFutureIdentity_PlaybookAlertResults_CL table Security Impact Organizations continuing to use the deprecated playbook face a detection blind spot - identity exposure alerts from Recorded Future will not generate visible incidents in Microsoft Defender Portal. This impacts SOC teams' ability to investigate and respond to compromised identity events.\nThe new Analytic Rule approach maintains detection coverage while ensuring compatibility with Microsoft's unified security portal. Identity exposure data continues to be ingested and processed; only the incident creation mechanism changes.\nContent Updates Analytic Rule Added: RecordedFutureIdentityExposure.yaml creates incidents from identity exposure data Playbook Deprecated: RFI-Playbook-Alert-Importer-LAW-Sentinel marked as deprecated with migration warnings Documentation Updated: README extensively revised with deprecation notices and migration guidance Custom Table Schema: Added validation for RecordedFutureIdentity_PlaybookAlertResults_CL table structure Affected Files .script/tests/KqlvalidationsTests/CustomTables/RecordedFutureIdentity_PlaybookAlertResults_CL.json Solutions/Recorded Future Identity/Analytic Rules/IncidentCreation/RecordedFutureIdentityExposure.yaml Solutions/Recorded Future Identity/Playbooks/RFI-Playbook-Alert-Importer-LAW-Sentinel/azuredeploy.json Solutions/Recorded Future Identity/Playbooks/RFI-Playbook-Alert-Importer-LAW/azuredeploy.json Solutions/Recorded Future Identity/Playbooks/readme.md (packaging artefacts: 3.1.3.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_RecordedFutureIdentity.json, createUiDefinition.json, 
mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-21-pr-13682/","summary":"Recorded Future Identity solution deprecates Logic Apps-based incident creation and introduces Analytic Rules for Microsoft Defender Portal compatibility.","title":"Recorded Future Identity: Prepares for Microsoft Defender Portal Migration by Deprecating Legacy Incident Creation"},{"content":"What Changed The SAP ETD Cloud connector expanded data collection to include the Users entity, enabling extraction of UserAccountName and EmailAddresses from SAP alerts and investigations. All four analytic rules were updated with new entity mappings for Account and Mailbox correlation.\nData Fidelity Impact Prior to this change, SAP ETD alerts in Sentinel contained only SAP-internal user identifiers without corresponding account names or email addresses. This created a correlation blind spot — security analysts could see suspicious SAP activity but could not easily link it to specific user accounts or email addresses for cross-system investigation.\nThe Users entity expansion now provides:\nUserAccountName extraction from the Users object for Account entity mapping EmailAddresses[0] extraction for Mailbox entity mapping Enhanced custom details including SAP_UserEmail field Detection Logic Updates All four detection rules now include mv-expand Users operations to surface user identity data:\nExecution of Sensitive Function Module: Maps extracted user accounts to Account/Mailbox entities Login from Unexpected Network: Adds user correlation alongside existing IP geolocation analysis Synch Alerts: Enables account-based grouping of synchronized ETD alerts Synch Investigations: Links investigation workflows to specific user identities Technical Implementation The DCR configuration added the Users column as a dynamic type, and the polling configuration expanded the OData query to include Users expansion. 
This change maintains backward compatibility while enriching the data schema for enhanced correlation capabilities.\nAffected Files .script/tests/KqlvalidationsTests/CustomTables/SAPETDAlerts_CL.json Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-ExecutionofSensitiveFunctionModule.yaml Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-LoginFromUnexpectedNetwork.yaml Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-SynchAlerts.yaml Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-SynchInvestigations.yaml Solutions/SAP ETD Cloud/Data Connectors/SAPETD_PUSH_CCP/SAPETD_DCR.json Solutions/SAP ETD Cloud/Data Connectors/SAPETD_PUSH_CCP/SAPETD_PollerConfig.json Solutions/SAP ETD Cloud/Data Connectors/SAPETD_PUSH_CCP/SAPETD_table.json (packaging artefacts: 3.0.4.zip, ReleaseNotes.md, Solution_SAPETD.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-21-pr-14089/","summary":"SAP ETD alerts now surface user account names and email addresses for incident correlation, filling a critical entity mapping gap that prevented effective identity-based investigations.","title":"SAP ETD Cloud: User Account Correlation Now Available After Data Collection Gap"},{"content":"What Changed New PowerShell tool (Invoke-TableMigrationReview.ps1) added to automate classic custom log table (CLv1) migration planning for Microsoft Sentinel deployments.\nMigration Assessment Workflow The tool performs three-phase analysis:\nDiscovery: Identifies all tables with TableType = CustomLog and TableSubType = Classic via workspace Tables API Impact Assessment: Scans Analytics Rules, Hunting Queries, Parsers, Saved Searches, Workbooks, Playbooks, and DCRs for table references Solution Mapping: Classifies data connectors by type (CCF, AMA, Platform, AzureFunctions, Agent, Legacy) and matches to Content Hub solutions Critical Context All classic tables must migrate to DCR-based ingestion before the HTTP Data Collector API retirement on September 14, 2026. 
Tables fed by Azure Functions-based connectors are the primary migration candidates. Failing to migrate creates a complete ingestion failure post-retirement.\nOutput Artifacts Generates CSV reports (tables.csv, impact.csv, solution-matches.csv), machine-readable JSON, and self-contained HTML dashboard for prioritisation planning. Tables with high dependency counts require coordinated updates across multiple content types.\nDeployment Requirements Requires PowerShell 7.0+, Az.Accounts 2.13.0+, and Microsoft Sentinel Reader + Monitoring Reader RBAC permissions for read-only workspace analysis.\nAffected Files Tools/Microsoft-Sentinel-Classic-CLv1-Tables-Impact-Assessment/.github/agents/Sentinel-CLv1-Impact-Assessment-Assistant.md Tools/Microsoft-Sentinel-Classic-CLv1-Tables-Impact-Assessment/.github/copilot-instructions.md Tools/Microsoft-Sentinel-Classic-CLv1-Tables-Impact-Assessment/.github/instructions/powershell.instructions.md Tools/Microsoft-Sentinel-Classic-CLv1-Tables-Impact-Assessment/Invoke-TableMigrationReview.ps1 Tools/Microsoft-Sentinel-Classic-CLv1-Tables-Impact-Assessment/README.md Tools/Microsoft-Sentinel-Classic-CLv1-Tables-Impact-Assessment/Templates/Download.png Tools/Microsoft-Sentinel-Classic-CLv1-Tables-Impact-Assessment/Templates/report.html.template Tools/Microsoft-Sentinel-Classic-CLv1-Tables-Impact-Assessment/Update-SolutionMapping.ps1 (packaging artefacts: CLv1-Tables-Impact-Assessment.zip) ","permalink":"http://sentinelchangelog.net/posts/2026-04-21-pr-14100/","summary":"New PowerShell script automates discovery of classic custom log tables and dependency impact assessment for the mandatory HTTP Data Collector API migration.","title":"PowerShell Tool Simplifies CLv1 Table Migration Assessment Before September 2026 Deadline"},{"content":"What Changed The Microsoft Sentinel Training Lab now includes two new exercises demonstrating advanced data management capabilities:\nExercise 15 — Data Federation with ADLS Gen2\nShows how to federate 
external data from Azure Data Lake Storage Gen2 into Sentinel Includes sample delta parquet datasets to demonstrate timestamp behavior differences Users practice creating connector instances and comparing federation timestamp handling Demonstrates querying security events alongside Sentinel tables without full ingestion Exercise 16 — Data Transformation: Split Ingestion by Tier\nCovers creating split transformation rules on CommonSecurityLog Routes denied/dropped firewall events to Analytics tier, allows to Data lake only Demonstrates the new _SPLT_CL table naming convention and new-data-only limitations Focuses on cost optimization through tiered ingestion strategies Additional Updates Detection Rules Enhancement: Five existing detection rules received entity mapping improvements:\nAdded RemoteIP entity extraction to CrowdStrike execution and credential access rules Enhanced phishing email rule with recipient email address, filename, and URL entities Improved correlation capabilities for multi-stage attack scenarios Exercise Maintenance: Updated exercises E02 and E03 with current UI terminology and added Content Hub installation step for Threat Intelligence solution dependency.\nAffected Files Tools/Microsoft-Sentinel-Training-Lab/Artifacts/DetectionRules/rules.json Tools/Microsoft-Sentinel-Training-Lab/Artifacts/Telemetry/BuildIn/CrowdStrikeDetections.csv Tools/Microsoft-Sentinel-Training-Lab/Exercises/E01_exploration.md Tools/Microsoft-Sentinel-Training-Lab/Exercises/E02_threat_intelligence_mdti.md Tools/Microsoft-Sentinel-Training-Lab/Exercises/E03_mitre_attack_coverage.md Tools/Microsoft-Sentinel-Training-Lab/Exercises/E05_device_isolation_response.md Tools/Microsoft-Sentinel-Training-Lab/Exercises/E12_datalake_port_diversity.md Tools/Microsoft-Sentinel-Training-Lab/Exercises/E13_notebooks.md Tools/Microsoft-Sentinel-Training-Lab/Exercises/E14_MCP.md Tools/Microsoft-Sentinel-Training-Lab/Exercises/E15_federation_adls.md 
Tools/Microsoft-Sentinel-Training-Lab/Exercises/E16_split_transformation.md Tools/Microsoft-Sentinel-Training-Lab/Exercises/Onboarding.md Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage23.png Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage24.png Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage39.png Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage40.png Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage41.png Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage42.png Tools/Microsoft-Sentinel-Training-Lab/README.md (packaging artefacts: federation_sample_data.zip) ","permalink":"http://sentinelchangelog.net/posts/2026-04-20-pr-14094/","summary":"Two advanced data ingestion exercises added to training lab covering ADLS Gen2 federation and tier-based transformation routing.","title":"Microsoft Sentinel Training Lab: Federation and Split Transformation Capabilities Expanded"},{"content":"What Changed Major architectural migration of the entire Dynatrace solution to DCR-based Codeless Connector Framework (CCF), introducing v2 versions of all four data connectors with updated parsers supporting both legacy and new data streams.\nIngestion Mechanism New v2 Connectors (DCR-based CCF):\nAttacks Connector: populates DynatraceAttacksV2_CL table via DCR stream Custom-DynatraceAttacksStream Audit Logs Connector: populates DynatraceAuditLogsV2_CL table via DCR stream Custom-DynatraceAuditLogsStream Problems Connector: populates DynatraceProblemsV2_CL table via DCR stream Custom-DynatraceProblemsStream Runtime Vulnerabilities Connector: populates DynatraceRuntimeVulnerabilitiesV2_CL table via DCR stream Custom-DynatraceRuntimeVulnerabilitiesStream All v2 connectors use REST API polling with OAuth2 authentication and identical endpoint configurations as v1 but leverage the modern DCR ingestion pipeline.\nLegacy v1 Connectors: Marked as previous versions with updated preview status but remain functional for 
existing deployments.\nParser Impact All four parsers (DynatraceAttacks, DynatraceAuditLogs, DynatraceProblems, DynatraceSecurityProblems) now use union queries combining both v1 and v2 data streams with isfuzzy=true:\nData fidelity enhancement: v2 parsers use native JSON field access instead of string suffix parsing (e.g., attackId vs attackId_s) Consistent TimeGenerated handling: v2 streams use TimeGenerated directly rather than timestamp_d conversions Backward compatibility: Existing queries continue to work seamlessly as parsers aggregate both data sources Security Impact (Visibility \u0026 Fidelity) This migration addresses Microsoft's requirement for DCR-based ingestion while maintaining continuous visibility. Deployments can upgrade to v2 connectors for improved data handling and future-proofing without detection gaps. The dual-parser approach ensures zero downtime during migration periods.\nAffected Files Solutions/Dynatrace/Data Connectors/DynatraceAttacksV1/Connector_Dynatrace_Attacks.json Solutions/Dynatrace/Data Connectors/DynatraceAttacksV2/Connector_Dynatrace_Attacks_DCR.json Solutions/Dynatrace/Data Connectors/DynatraceAttacksV2/Connector_Dynatrace_Attacks_Definition.json Solutions/Dynatrace/Data Connectors/DynatraceAttacksV2/Connector_Dynatrace_Attacks_Polling_Config.json Solutions/Dynatrace/Data Connectors/DynatraceAttacksV2/Connector_Dynatrace_Attacks_table.json Solutions/Dynatrace/Data Connectors/DynatraceAuditLogsV1/Connector_Dynatrace_AuditLogs.json Solutions/Dynatrace/Data Connectors/DynatraceAuditLogsV2/Connector_Dynatrace_AuditLogs_DCR.json Solutions/Dynatrace/Data Connectors/DynatraceAuditLogsV2/Connector_Dynatrace_AuditLogs_Definition.json Solutions/Dynatrace/Data Connectors/DynatraceAuditLogsV2/Connector_Dynatrace_AuditLogs_Polling_Config.json Solutions/Dynatrace/Data Connectors/DynatraceAuditLogsV2/Connector_Dynatrace_AuditLogs_table.json Solutions/Dynatrace/Data Connectors/DynatraceProblemsV1/Connector_Dynatrace_Problems.json Solutions/Dynatrace/Data 
Connectors/DynatraceProblemsV2/Connector_Dynatrace_Problems_DCR.json Solutions/Dynatrace/Data Connectors/DynatraceProblemsV2/Connector_Dynatrace_Problems_Definition.json Solutions/Dynatrace/Data Connectors/DynatraceProblemsV2/Connector_Dynatrace_Problems_Polling_Config.json Solutions/Dynatrace/Data Connectors/DynatraceProblemsV2/Connector_Dynatrace_Problems_table.json Solutions/Dynatrace/Data Connectors/DynatraceRuntimeVulnerabilitiesV1/Connector_Dynatrace_RuntimeVulnerabilities.json Solutions/Dynatrace/Data Connectors/DynatraceRuntimeVulnerabilitiesV2/Connector_Dynatrace_RuntimeVulnerabilities_DCR.json Solutions/Dynatrace/Data Connectors/DynatraceRuntimeVulnerabilitiesV2/Connector_Dynatrace_RuntimeVulnerabilities_Definition.json Solutions/Dynatrace/Data Connectors/DynatraceRuntimeVulnerabilitiesV2/Connector_Dynatrace_RuntimeVulnerabilities_Polling_Config.json Solutions/Dynatrace/Data Connectors/DynatraceRuntimeVulnerabilitiesV2/Connector_Dynatrace_RuntimeVulnerabilities_table.json Solutions/Dynatrace/Package/testParameters.json Solutions/Dynatrace/Parsers/DynatraceAttacks.yaml Solutions/Dynatrace/Parsers/DynatraceAuditLogs.yaml Solutions/Dynatrace/Parsers/DynatraceProblems.yaml Solutions/Dynatrace/Parsers/DynatraceSecurityProblems.yaml (packaging artefacts: 3.0.2.zip, ReleaseNotes.md, Solution_Dynatrace.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-20-pr-14003/","summary":"All Dynatrace connectors migrated to DCR-based CCF architecture with dual-version parser support for seamless transitions.","title":"Dynatrace Solution: DCR Migration Introduces v2 Connectors for All Data Sources"},{"content":"What Changed Security alert remediation in AWS S3 Function App and CEF connector Python scripts addressing error handling vulnerabilities.\nSecurity Impact (Visibility \u0026 Fidelity) The fixes address potential security vulnerabilities in error handling paths:\nAWS S3 Connector (init.py):\nAdded explicit 
handling for unsupported file types to prevent silent failures Initialized sortedLogEvents variable to avoid undefined variable errors during processing These gaps could have caused the connector to fail silently or crash on unexpected file types CEF Info Script (cef_gather_info.py):\nInitialized output variables (o, e) before subprocess communication to prevent undefined variable access Enhanced exception handling with descriptive error messages instead of silent failure Previously, command execution failures could cause undefined variable exceptions Both fixes prevent potential crashes that would stop data ingestion entirely — deployments running the vulnerable versions risked complete connector failure when encountering edge cases in file processing or command execution.\nAffected Files DataConnectors/AWS-S3-AzureFunction/AzFun-AWS-S3-Ingestion/__init__.py DataConnectors/CEF/cef_gather_info.py (packaging artefacts: AzFun-AWS-S3-Ingestion.zip) ","permalink":"http://sentinelchangelog.net/posts/2026-04-20-pr-14088/","summary":"Python connector security vulnerabilities patched with improved error handling and null check additions.","title":"AWS S3 and CEF Connectors: Security Alert Remediation Fixes Error Handling Gaps"},{"content":"What Changed Updated the Upwind cloud security platform solution from v3.0.0 to v3.0.1, primarily to correct the publisher ID in solution metadata files. The change updates SolutionMetadata.json to use upwindsecurityinc1754856292483 as the publisher identifier.\nOperational Impact This is a packaging metadata fix with no impact on detection capability or data ingestion. 
The Upwind connector continues to ingest compute platform assets from the Upwind cloud security platform into the UpwindLogsAssets_CL table via Azure Functions and DCR.\nDeployments running v3.0.0 will continue to function normally — this update addresses Content Hub validation requirements for new installations rather than fixing a functional issue.\nAffected Files (packaging artefacts: 3.0.1.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_UpwindLogsLoader.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-20-pr-14047/","summary":"Updated publisher ID in Upwind solution metadata to comply with Content Hub deployment requirements.","title":"Upwind Solution: Publisher ID Update for Content Hub Validation"},{"content":"What Changed Updated Proofpoint POD (On Demand) Email Security solution to version 3.1.4, adding critical time parameter configuration to the CCF polling configuration for both message and maillog data streams.\nData Collection Fix Added three essential timing parameters to the polling configuration:\nqueryTimeFormat: yyyy-MM-ddTHH:mm:ss.sss-0000 (standardized timestamp format) startTimeAttributeName: sinceTime (explicit time parameter name) firstWindowBackfillInMin: 5 (5-minute backfill window) Security Impact (Visibility \u0026 Fidelity) The previous configuration lacked explicit time parameter handling, potentially causing data collection gaps during connector initialization or restart scenarios. 
Without the sinceTime parameter properly configured, the connector may have failed to establish the correct starting point for data collection, resulting in missed email security events.\nThis fix ensures consistent chronological data collection from Proofpoint POD, critical for maintaining complete visibility into email-based threats including phishing attempts, malware delivery, and policy violations.\nValidation Issues Per review comments, this PR contains validation errors in the ReleaseNotes.md table formatting and solution metadata configuration that will need correction before deployment.\nAffected Files Solutions/Proofpoint On demand(POD) Email Security/Data Connectors/ProofPointEmailSecurity_CCP/ProofpointPOD_PollingConfig.json (packaging artefacts: 3.1.4.zip, ReleaseNotes.md, Solution_ProofPointPOD.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-20-pr-14087/","summary":"Proofpoint POD connector updated to include sinceTime parameter configuration, addressing potential data collection gaps during initial ingestion windows.","title":"Proofpoint POD Connector: Critical Time Parameter Fix to Prevent Data Gaps"},{"content":"What Changed Updated README and CHANGELOG for the Microsoft Sentinel Logstash output plugin to correct version information and reflect significant architectural changes from v1.2.1 to v2.1.0.\nDocumentation Corrections The documentation previously showed version 1.2.1 (released 2026-03-06) but has been updated to reflect the current version 2.1.0 (released 2026-04-14). 
The changelog now includes previously missing version history showing major changes implemented in version 2.0.0.\nPlugin Evolution Summary Version 2.0.0 introduced substantial changes:\nComplete refactoring from Ruby to Java implementation Added managed identity authentication support for Azure VMs/VMSS Codebase migration from GitHub to Azure DevOps Transition to closed-source model (removed open source contribution language) Version 2.1.0 addressed event normalization issues that were present in the Java refactor.\nOperational Impact Organizations using this plugin should verify they are running the current version 2.1.0 to ensure proper event normalization. The managed identity authentication feature provides enhanced security for Azure-hosted Logstash deployments, eliminating the need for API key management.\nAffected Files DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin/CHANGELOG.md DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin/README.md ","permalink":"http://sentinelchangelog.net/posts/2026-04-20-pr-14084/","summary":"Documentation updated for Logstash output plugin to reflect version 2.1.0 with Ruby-to-Java refactor, managed identity support, and closed-source transition.","title":"Microsoft Sentinel Logstash Plugin: Documentation Update Reveals Major Architecture Changes"},{"content":"What Changed Updated Recorded Future solution to version 3.2.19 with two primary enhancements: configurable sandbox regions for malware analysis and restructured threat intelligence indicator imports.\nPlaybook Enhancements Added SandboxRegion parameter to sandbox logic apps allowing SOC teams to specify which Recorded Future sandbox region receives file submissions:\nDefault: eu (Europe) Available options: us (United States), apj (Asia-Pacific) This addresses deployment flexibility for organizations with data residency requirements or performance optimization needs for different geographic regions.\nThreat Intelligence Structure 
Improvement Moved Recorded Future evidence details from the labels field to within external_references in threat intelligence indicator imports. This restructuring improves compliance with STIX standard formatting and enhances indicator metadata organization for downstream analysis tools.\nDocumentation Updates Enhanced sandbox integration documentation with clearer API key guidance, distinguishing between standard Recorded Future API keys and specialized sandbox tokens. Added specific guidance for Enterprise Sandbox users requiring additional authentication tokens.\nAffected Files Solutions/Recorded Future/Playbooks/IndicatorImport/RecordedFuture-Domain-IndicatorImport/azuredeploy.json Solutions/Recorded Future/Playbooks/IndicatorImport/RecordedFuture-Hash-IndicatorImport/azuredeploy.json Solutions/Recorded Future/Playbooks/IndicatorImport/RecordedFuture-IP-IndicatorImport/azuredeploy.json Solutions/Recorded Future/Playbooks/IndicatorImport/RecordedFuture-URL-IndicatorImport/azuredeploy.json Solutions/Recorded Future/Playbooks/Sandboxing/RecordedFuture-Sandbox_Enrichment-Url/azuredeploy.json Solutions/Recorded Future/Playbooks/Sandboxing/RecordedFuture-Sandbox_Outlook_Attachment/azuredeploy.json Solutions/Recorded Future/Playbooks/Sandboxing/RecordedFuture-Sandbox_StorageAccount/azuredeploy.json Solutions/Recorded Future/Playbooks/Sandboxing/readme.md Solutions/Recorded Future/Playbooks/readme.md (packaging artefacts: 3.2.19.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_RecordedFuture.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-20-pr-14056/","summary":"Recorded Future adds sandbox region configuration parameter and moves threat intelligence evidence details to comply with STIX standard structure.","title":"Recorded Future Sandbox: Enhanced Region Support and Improved Threat Intelligence Structure"},{"content":"What Changed Comprehensive editorial and functional improvements to the Microsoft Sentinel Training Lab 
solution, including standardized detection rule naming, enhanced entity correlation, and updated cost management exercises.\nDetection Logic Updates Enhanced entity correlation across training detection rules:\nAdded SHA256, FileName, and ProcessCommandLine entity mapping to Stage 2/3 CrowdStrike rules for improved incident investigation Added RemoteIP entity mapping to Stage 6 data exfiltration rule Standardized rule naming convention to \u201cLab Stage # - Name (Source)\u201d format across all 12 detection rules Updated alert titles to match standardized naming convention Cost Management Enhancement Updated Exercise 9 with new XDR Cost Management dashboard features:\nAdded threshold policies configuration section covering policy enforcement and alert percentage settings Removed hardcoded pricing from KQL queries, now linking to current pricing pages Added new screenshots (OnboardingImage37, OnboardingImage38) for updated UI elements Updated automation schedule timers: ingestion T+5m, detection T+15m Training Content Improvements Simplified onboarding from 8 exercises to 4 for better learning progression Added exercise dependency table to README for clearer learning path guidance Standardized metadata format across all exercises (Topic/Rule, Difficulty, Prerequisites) Added \u201cNext Steps\u201d navigation linking between exercises Enhanced accessibility with descriptive alt text for images Fixed confusing Optional/Requires title in Exercise 5 Infrastructure maintenance includes BOM removal from mainTemplate.json and cleanup of unused images.\nAffected Files Tools/Microsoft-Sentinel-Training-Lab/Artifacts/DetectionRules/rules.json Tools/Microsoft-Sentinel-Training-Lab/Exercises/E01_exploration.md Tools/Microsoft-Sentinel-Training-Lab/Exercises/E02_threat_intelligence_mdti.md Tools/Microsoft-Sentinel-Training-Lab/Exercises/E03_mitre_attack_coverage.md Tools/Microsoft-Sentinel-Training-Lab/Exercises/E04_automation_rules.md 
Tools/Microsoft-Sentinel-Training-Lab/Exercises/E05_device_isolation_response.md Tools/Microsoft-Sentinel-Training-Lab/Exercises/E06_port_scan_threshold_tuning.md Tools/Microsoft-Sentinel-Training-Lab/Exercises/E07_okta_mfa_manipulation.md Tools/Microsoft-Sentinel-Training-Lab/Exercises/E08_watchlist_integration.md Tools/Microsoft-Sentinel-Training-Lab/Exercises/E09_cost_management.md Tools/Microsoft-Sentinel-Training-Lab/Exercises/E10_table_management.md Tools/Microsoft-Sentinel-Training-Lab/Exercises/E11_datalake_kql_jobs.md Tools/Microsoft-Sentinel-Training-Lab/Exercises/E12_datalake_port_diversity.md Tools/Microsoft-Sentinel-Training-Lab/Exercises/Onboarding.md Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage32.png Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage33.png Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage37.png Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage38.png Tools/Microsoft-Sentinel-Training-Lab/README.md (packaging artefacts: mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-18-pr-14078/","summary":"Comprehensive update to the Sentinel Training Lab with improved detection entity correlation, new cost management capabilities, and standardized naming conventions.","title":"Sentinel Training Lab: Enhanced Detection Rules and Cost Management Features"},{"content":"What Changed ASIM Process Event parsers updated parameter names to align with official Microsoft Sentinel documentation. The correction affects 9 parser functions and their ARM deployment templates across multiple data sources including Linux Sysmon, MD4IoT, and Microsoft Security Events.\nParser Impact Parameter name standardization from legacy names to documented standard:\ntargetusername → targetusername_has actorusername → actorusername_has dvcname_has_any → dvchostname_has_any No change to normalized field names or core filter logic — safe for existing detections using these parsers. 
This is a parameter interface consistency fix, not a data fidelity change. Queries calling these parsers with the old parameter names may need updating to match the corrected interface.\nThe fix ensures all ASIM Process Event parsers (imProcessCreate, imProcessEvent, imProcessTerminate) and their vendor-specific implementations follow the same parameter naming convention as documented at https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-process-event#filtering-parser-parameters.\nAffected Files Parsers/ASimProcessEvent/ARM/imProcessCreate/imProcessCreate.json Parsers/ASimProcessEvent/ARM/imProcessEvent/imProcessEvent.json Parsers/ASimProcessEvent/ARM/imProcessTerminate/imProcessTerminate.json Parsers/ASimProcessEvent/ARM/vimProcessCreateLinuxSysmon/vimProcessCreateLinuxSysmon.json Parsers/ASimProcessEvent/ARM/vimProcessCreateMD4IoT/vimProcessCreateMD4IoT.json Parsers/ASimProcessEvent/ARM/vimProcessEventMD4IoT/vimProcessEventMD4IoT.json Parsers/ASimProcessEvent/ARM/vimProcessTerminateLinuxSysmon/vimProcessTerminateLinuxSysmon.json Parsers/ASimProcessEvent/ARM/vimProcessTerminateMD4IoT/vimProcessTerminateMD4IoT.json Parsers/ASimProcessEvent/ARM/vimProcessTerminateMicrosoftSecurityEvents/vimProcessTerminateMicrosoftSecurityEvents.json Parsers/ASimProcessEvent/Parsers/imProcessCreate.yaml Parsers/ASimProcessEvent/Parsers/imProcessEvent.yaml Parsers/ASimProcessEvent/Parsers/imProcessTerminate.yaml Parsers/ASimProcessEvent/Parsers/vimProcessCreateLinuxSysmon.yaml Parsers/ASimProcessEvent/Parsers/vimProcessCreateMD4IoT.yaml Parsers/ASimProcessEvent/Parsers/vimProcessEventMD4IoT.yaml Parsers/ASimProcessEvent/Parsers/vimProcessTerminateLinuxSysmon.yaml Parsers/ASimProcessEvent/Parsers/vimProcessTerminateMD4IoT.yaml Parsers/ASimProcessEvent/Parsers/vimProcessTerminateMicrosoftSecurityEvents.yaml ","permalink":"http://sentinelchangelog.net/posts/2026-04-17-pr-13932/","summary":"ASIM Process Event parser parameter names corrected to match documentation, 
fixing filtering logic discrepancies that could affect query performance and parser interoperability.","title":"ASIM Process Event Parsers: Parameter Standardization Fixes Filtering Logic Inconsistencies"},{"content":"What Changed The Censys solution adds a new CensysRelatedInfrastructure playbook and enhanced workbook visualization for related infrastructure analysis. The playbook integrates with Censys Pivot Analysis API to automatically discover and analyze connected infrastructure based on IOC values.\nNew Playbook: CensysRelatedInfrastructure This playbook accepts IOC values (hosts, certificates, or web properties) and IOC type as input, creates a pivot analysis job through the Censys API, monitors job completion, and ingests the results into a custom Log Analytics table (CensysRelatedInfrastructure_CL) for analysis.\nKey features:\nAutomated pivot analysis job creation and monitoring Support for hosts, certificates, and web properties as IOC types Integration with Azure Key Vault for secure API token storage Custom table ingestion for workbook visualization Leverages Censys CensEye threat hunting capabilities Workbook Enhancements The existing Censys workbook receives new visualization capabilities to display related infrastructure data collected by the playbook. 
The workbook now includes dashboard components for analyzing pivot analysis results and related asset details.\nCustom Table Schema The playbook creates data in the CensysRelatedInfrastructure_CL table with fields including:\ncensys_url_s: Direct link to Censys platform results count_d: Number of related assets discovered fields_s and values_s: Pivot analysis field mappings and values ioc_s: Original IOC value used for the pivot Deployment Requirements Censys API token stored in Azure Key Vault as \u0026lsquo;Censys-Access-Token\u0026rsquo; Censys Organization ID from platform account settings Log Analytics Workspace configured for Microsoft Sentinel Managed identity permissions for Key Vault access Affected Files .script/tests/KqlvalidationsTests/CustomTables/CensysRelatedAssetsDetails_CL.json .script/tests/KqlvalidationsTests/CustomTables/CensysRelatedInfrastructure_CL.json Sample Data/Custom/CensysRelatedAssetsDetails_CL.csv Sample Data/Custom/CensysRelatedInfrastructure_CL.csv Solutions/Censys/Playbooks/CensysAddIncidentComment/azuredeploy.json Solutions/Censys/Playbooks/CensysAlertEnrichment/azuredeploy.json Solutions/Censys/Playbooks/CensysAlertRescan/azuredeploy.json Solutions/Censys/Playbooks/CensysEntityEnrichmentCertificate/azuredeploy.json Solutions/Censys/Playbooks/CensysEntityEnrichmentHost/azuredeploy.json Solutions/Censys/Playbooks/CensysEntityEnrichmentWebProperty/azuredeploy.json Solutions/Censys/Playbooks/CensysHostHistory/azuredeploy.json Solutions/Censys/Playbooks/CensysIOCLookup/azuredeploy.json Solutions/Censys/Playbooks/CensysIncidentEnrichment/azuredeploy.json Solutions/Censys/Playbooks/CensysRelatedInfrastructure/CensysRelatedInfrastructure.png Solutions/Censys/Playbooks/CensysRelatedInfrastructure/README.md Solutions/Censys/Playbooks/CensysRelatedInfrastructure/azuredeploy.json Solutions/Censys/Playbooks/CensysRescan/azuredeploy.json Solutions/Censys/Workbooks/Censys.json Workbooks/Images/Preview/CensysBlack6.png 
Workbooks/Images/Preview/CensysWhite6.png Workbooks/WorkbooksMetadata.json (packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_Censys.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-17-pr-13994/","summary":"Censys solution adds playbook and workbook for automated infrastructure pivoting and pivot analysis visualization using the Pivot Analysis API.","title":"Censys Solution: New Related Infrastructure Playbook Enhances Threat Pivot Capabilities"},{"content":"What Changed Updated Global Secure Access solution (v3.0.4) with critical detection fix and enhanced traffic type coverage:\nAnalytic Rule Fix: GSA - TI URL Entity rule had a broken regex pattern replace(@\u0026rsquo;[|]|\u0026quot;\u0026quot;\u0026quot;\u0026rsquo;, \u0026hellip;) that corrupted URL indicator parsing, leaving leading quotation marks in IndicatorType. This caused zero alerts from URL-based threat intelligence detections.\nWorkbook Enhancement: 25 queries in GSAM365EnrichedEvents.json and 1 query in GSANetworkTraffic.json updated from TrafficType == \u0026lsquo;microsoft365\u0026rsquo; to TrafficType in (\u0026lsquo;microsoft365\u0026rsquo;, \u0026lsquo;entra\u0026rsquo;) to include the new Entra traffic type.\nSecurity Impact Detection Gap Closed: The TI URL Entity rule was completely non-functional due to regex corruption. Deployments running previous versions had zero threat intelligence coverage for URL indicators since installation — this represents a critical blind spot for web-based threat detection.\nVisibility Enhancement: Workbook queries now include Entra traffic type, preventing visibility gaps as Global Secure Access expands traffic categorization. 
Without this update, Entra-classified traffic would be excluded from security analysis dashboards.\nDetection Logic Primary data source: NetworkAccessTraffic, ThreatIntelligenceIndicator Core logic: Joins threat intelligence URL indicators against Global Secure Access destination URLs, requiring active indicators with valid TLP levels Entity types: URL, IP, Account (UserId)\nMITRE Mapping Coverage remains unchanged — rule functionality restored rather than expanded.\nAffected Files Solutions/Global Secure Access/Analytic Rules/GSA - TI URL Entity.yaml Solutions/Global Secure Access/Workbooks/GSAM365EnrichedEvents.json Solutions/Global Secure Access/Workbooks/GSANetworkTraffic.json (packaging artefacts: 3.0.4.zip, ReleaseNotes.md, Solution_GlobalSecureAccess.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-16-pr-14052/","summary":"Fixed broken URL threat intelligence detection and expanded workbook coverage for new Entra traffic type.","title":"Global Secure Access: Threat Intelligence Detection Restored After URL Regex Failure"},{"content":"What Changed A new QRadar Migration Data Collector has been added to the Microsoft Sentinel toolkit, providing automated extraction of custom detection rules and building blocks from IBM QRadar SIEM environments.\nTool Capabilities Core Functions:\nExtracts custom QRadar detection rules via REST API Collects building blocks and rule dependencies Generates migration-ready CSV output with calculated migration columns Optional log sources inventory with activity tracking Technical Features:\nPython 2.7.5+ and Python 3.x compatibility (Python 3 recommended) Secure API token authentication with hidden input SSL certificate verification controls for self-signed environments Batch processing with configurable page sizes Offline replay mode for cached data analysis Migration Workflow Impact This tool addresses the discovery phase of QRadar-to-Sentinel migrations by providing structured rule inventory 
and dependency mapping. Organizations migrating from QRadar can now systematically catalog their existing detection coverage before rebuilding rules in KQL format.\nThe collector generates timestamped CSV files (qradar_rules_YYYYMMDDHHMMSS.csv) containing rule metadata and migration assessment data, enabling migration teams to prioritise high-value detections and identify coverage gaps during the transition.\nSecurity Considerations The tool includes a --skip-ssl-verify option for environments with self-signed certificates, with appropriate warnings about TLS validation bypass risks. API tokens are handled securely through hidden input prompts rather than command-line exposure.\nAffected Files Tools/QRadarMigration/README.md Tools/QRadarMigration/qradar_collector.py ","permalink":"http://sentinelchangelog.net/posts/2026-04-16-pr-14015/","summary":"New Python-based data collector extracts custom QRadar detection rules and building blocks for migration-ready analysis and conversion to Microsoft Sentinel.","title":"QRadar Migration Tool: Streamlining SIEM Detection Rule Migration to Microsoft Sentinel"},{"content":"What Changed Fixed Logic App deployment failure in the Blacklens Attack Surface Management connector by removing an unsupported \u0026ldquo;outputs\u0026rdquo; parameter from the Validate_JSON ParseJson action\u0026rsquo;s secureData configuration.\nSecurity Impact (Visibility \u0026amp; Fidelity) Deployments of Blacklens ASM connector version 3.0.1 and earlier failed during ARM template deployment with InvalidSecureDataConfiguration error — the connector was non-functional and provided zero threat intelligence ingestion for affected deployments. Organizations running the broken version had a complete blind spot for external attack surface monitoring data from blacklens.io.\nThe fix restores the ability to deploy and ingest Blacklens attack surface alerts, penetration testing findings, and vulnerability intelligence into Microsoft Sentinel. 
This addresses a follow-up issue to PR #13946 which fixed a similar configuration error on a different Logic App action.\nAffected Files Solutions/Blacklens/Data Connectors/deployment/azuredeploy_blacklens.json (packaging artefacts: 3.0.2.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_Blacklens.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-16-pr-14057/","summary":"Removes unsupported secureData configuration preventing Blacklens ASM connector deployments from completing successfully.","title":"Blacklens Connector: Logic App Deployment Failure Fixed"},{"content":"What Changed Updated SAP agentless integration package to version 1.1.10 with security and usability improvements Removed \u0026ldquo;Preview\u0026rdquo; designation from SAP solution documentation, indicating production readiness Added redirect to agentless-specific release notes in main SAP ReleaseNotes.md Included new package-1.1.10.zip binary Security Impact This update addresses unspecified security improvements in the SAP agentless integration package. While specific vulnerabilities are not detailed in the PR description, the explicit mention of \u0026ldquo;security improvements\u0026rdquo; alongside usability enhancements suggests this is a recommended upgrade for production SAP environments.\nDeployment Notes Organizations using the SAP agentless solution should evaluate upgrading to version 1.1.10 to benefit from the security enhancements. 
The removal of \u0026ldquo;Preview\u0026rdquo; status indicates Microsoft considers this solution production-ready for enterprise SAP monitoring.\nAffected Files Solutions/SAP/Agentless/README.md Solutions/SAP/README.md (packaging artefacts: ReleaseNotes.md, package-1.1.10.zip) ","permalink":"http://sentinelchangelog.net/posts/2026-04-16-pr-14043/","summary":"SAP agentless solution updated to version 1.1.10 with security and usability improvements, plus official release status designation.","title":"SAP: Agentless Integration Package v1.1.10 with Security Enhancements"},{"content":"What Changed Added new Consumption Logic App playbook for SAP user blocking that dynamically searches all alerts in an incident for SAP-specific Custom Details (SAP_User, SidGuid, AgentGuid), making it compatible with complex Defender XDR incidents.\nKey Enhancements Dynamic alert parsing: Unlike existing playbooks that assume SAP alert is always first, this version filters all alerts to find SAP details Defender XDR compatibility: Handles multi-alert incidents where SAP alerts may not be the primary trigger SAP Integration Suite: Uses OAuth2 client credentials for agentless SAP ERP user locking via CPI iFlow Teams integration: Presents adaptive cards for analyst decision-making (block user or flag false positive) Deployment Requirements SAP Integration Suite with community user lock/unlock iFlow deployed OAuth2 client credentials from SAP Process Integration runtime Microsoft Teams channel configured for incident notifications Microsoft Sentinel Responder role assigned to Logic App managed identity Security Impact This playbook addresses a critical gap in SAP incident response automation for environments using Microsoft Defender XDR. Previously, complex incidents with multiple alerts could not reliably trigger SAP user blocking due to static alert indexing. 
This enhancement enables consistent automated response to SAP security events regardless of incident complexity.\nAffected Files Solutions/SAP/Playbooks/Basic-SAPLockUser/README.md Solutions/SAP/Playbooks/Basic-SAPLockUser/azuredeploy.json Solutions/SAP/Playbooks/README.md ","permalink":"http://sentinelchangelog.net/posts/2026-04-16-pr-14071/","summary":"New SAP playbook enables automated user blocking via Teams adaptive cards with enhanced support for complex multi-alert incidents from Microsoft Defender XDR.","title":"SAP: New Agentless User Blocking Playbook for Defender XDR Integration"},{"content":"What Changed Added scheduled Analytic Rule to detect D3 Smart SOAR incidents with High or Critical severity. The rule queries the D3SOARIncidents_CL table hourly and creates Microsoft Sentinel incidents for security team triage.\nDetection Logic Primary data source: D3SOARIncidents_CL Core logic: Filters incidents from last hour where IncidentSeverity equals \u0026ldquo;High\u0026rdquo; or \u0026ldquo;Critical\u0026rdquo; Entity mapping: Account entity mapped to IncidentOwner field Trigger: Creates alert when any High/Critical incidents are found (threshold \u0026gt; 0) MITRE Mapping T1499 (Endpoint Denial of Service) — based on Impact tactic classification Security Impact This detection closes a visibility gap for D3 Smart SOAR deployments where High and Critical severity incidents previously required manual monitoring. 
Security teams can now receive automated Microsoft Sentinel alerts for their most impactful SOAR cases, enabling faster response to critical security events.\nAffected Files .script/tests/KqlvalidationsTests/CustomTables/D3SOARIncidents_CL.json .script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json Solutions/D3SmartSOAR/Analytic Rules/D3SmartSOAR-HighOrCriticalSeverityIncident.yaml (packaging artefacts: 3.3.0.zip, ReleaseNotes.md, Solution_D3SOAR.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-16-pr-14060/","summary":"D3 Smart SOAR solution now includes an Analytic Rule to automatically detect and escalate High or Critical severity incidents from SOAR platform data.","title":"D3 Smart SOAR: New Detection for High/Critical Severity Incidents"},{"content":"What Changed Version bump from 0.1.0 to 0.1.1 for both ASimAuthentication and vimAuthentication Cisco ISE Administrator parsers with critical field mapping corrections.\nParser Impact Field mapping corrections resolve significant data fidelity gaps in the ASIM Authentication schema normalization:\nIP address mapping fix: HostIP now correctly maps to TargetIpAddr (ISE server) and AdminIPAddress maps to SrcIpAddr (admin client) — previous mapping was reversed EventSeverity enhancement: Added proper severity mapping via _ASIM_LookupSyslogSeverityLevel(EventOriginalSeverity) — replaces hardcoded \u0026ldquo;Informational\u0026rdquo; value User alias mapping: Added User field mapped to TargetUsername for improved query compatibility Filtering optimization: Moved srcipaddr_has_any_prefix filtering to apply against AdminIPAddress after parsing — improves query performance and accuracy Additional improvements in the filtering parser (vim):\nCorrected filter target: srcipaddr_has_any_prefix now filters against AdminIPAddress instead of HostIP — matches corrected field semantics Security Impact (Visibility \u0026amp; Fidelity) These are critical data fidelity fixes affecting 
network forensics capability. Deployments using the previous parser version had:\nReversed IP semantics: SrcIpAddr contained ISE server IP instead of admin source IP — network correlation queries returned incorrect results Missing severity context: EventSeverity was always \u0026ldquo;Informational\u0026rdquo; regardless of actual log severity — severity-based alerting was ineffective Incomplete field coverage: Missing User alias reduced query compatibility with detection rules expecting normalized user fields The parser normalizes Cisco ISE Administrator-Login events from Syslog table into the ASIM Authentication schema, covering ISE administrative console authentication events.\nAffected Files Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoISEAdministrator/ASimAuthenticationCiscoISEAdministrator.json Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoISEAdministrator/vimAuthenticationCiscoISEAdministrator.json Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationCiscoISEAdministrator.md Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationCiscoISEAdministrator.md Parsers/ASimAuthentication/Parsers/ASimAuthenticationCiscoISEAdministrator.yaml Parsers/ASimAuthentication/Parsers/vimAuthenticationCiscoISEAdministrator.yaml ","permalink":"http://sentinelchangelog.net/posts/2026-04-15-pr-14076/","summary":"Cisco ISE Administrator authentication parser fixes swap incorrect SrcIpAddr and TargetIpAddr mappings that broke network forensics queries.","title":"Cisco ISE ASIM Parser: Correcting IP Address Field Mappings"},{"content":"What Changed Version bump from 0.1.0 to 0.1.1 for both ASimAuthentication and vimAuthentication VMware vCenter parsers with multiple field mapping corrections.\nParser Impact Field mapping fixes resolve data fidelity gaps in the ASIM Authentication schema normalization:\nActorUsername → TargetUsername: Corrects field name to match ASIM Authentication schema specification — queries referencing TargetUsername against this parser 
previously returned null Device ID extraction: New DvcId field extracted from PreEventString via split(PreEventString, \u0026quot; \u0026quot;)[3] — adds missing device identification capability User alias mapping: Added User field mapped to TargetUsername for improved query compatibility EventSeverity field: Previously missing field now included in output projection — severity-based filtering was incomplete Additional improvements in the filtering parser (vim):\nUsername filtering: Added proper username_has_any filtering against TargetUsername field — filtering by username parameters was not functional Security Impact (Visibility \u0026amp; Fidelity) These are data fidelity fixes, not cosmetic changes. Deployments using the previous parser version had:\nNull results for queries referencing TargetUsername, User, or DvcId fields Incomplete severity-based filtering due to missing EventSeverity projection Non-functional username filtering in parameterized queries (vim parser only) The parser normalizes VMware vCenter UserLoginSessionEvent and UserLogoutSessionEvent logs from vcenter_CL and AVSVcSyslog tables into the ASIM Authentication schema.\nAffected Files Parsers/ASimAuthentication/ARM/ASimAuthenticationVMwareVCenter/ASimAuthenticationVMwareVCenter.json Parsers/ASimAuthentication/ARM/vimAuthenticationVMwareVCenter/vimAuthenticationVMwareVCenter.json Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationVMwareVCenter.md Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationVMwareVCenter.md Parsers/ASimAuthentication/Parsers/ASimAuthenticationVMwareVCenter.yaml Parsers/ASimAuthentication/Parsers/vimAuthenticationVMwareVCenter.yaml ","permalink":"http://sentinelchangelog.net/posts/2026-04-15-pr-14075/","summary":"Critical fixes to VMware vCenter authentication parser resolve incorrect field mappings that broke queries referencing User and DvcId fields.","title":"VMware vCenter ASIM Parser: Fixing Field Mappings After ASIM Schema Updates"},{"content":"What Changed 
Major solution update (v3.0.0 → v3.1.0) introducing bi-directional alert sync between Check Point Cyberint (Infinity External Risk Management) and Microsoft Sentinel, plus critical data ingestion fixes.\nSecurity Impact (Visibility \u0026amp; Fidelity) Critical Fix: The ref_id column was defined as datetime in DCR/table definitions, causing alert reference IDs to be silently dropped during ingestion. Deployments running v3.0.0 have had incomplete alert data since installation — this is a data fidelity gap affecting alert correlation and deduplication.\nNew Detection Surface: Enhanced alert processing with automated enrichment (IOC analysis, credential leak validation, vulnerability intelligence) and response workflows (phishing takedown, attachment retrieval).\nBi-Directional Sync Capabilities Inbound Sync (Argos → Sentinel) CPEM_InboundSync: Polls Argos for modified alerts using modification_date filter (complements CCF connector which only captures new alerts) Writes updated records to argsentdc_CL custom table via Data Collection API Handles status changes, closures, and alert updates missed by the primary connector Outbound Sync (Sentinel → Argos) CPEM_OutboundSync: Pushes Sentinel incident status changes to corresponding Argos alerts Maps incident classifications to alert closure reasons (True Positive → resolved, False Positive → false_positive) Includes tag-based loop prevention (argos-importer-synced) to avoid circular sync Manual Operations CPEM_ManualStatusUpdate: On-demand status sync from Sentinel incident Actions menu CPEM_AutomationRules: Deploys automation rules to trigger sync on incident updates Enrichment \u0026amp; Response Playbooks CPEM_IOCEnrichment: Automatic IOC enrichment (IPs, domains, hashes, URLs) with threat intelligence verdicts CPEM_FetchAttachments: On-demand retrieval of alert attachments and analysis reports CPEM_CredentialLeakResponse: Credential leak validation with severity escalation for high-volume breaches 
CPEM_PhishingTakedown: Automated phishing site takedown with confidence thresholds CPEM_VulnerabilityMonitoring: CVE enrichment with EPSS/CVSS scoring and exploitation evidence Parser Improvements CPEMAlerts: Added alert type metadata lookup and deduplication by ref_id CPEMAlertIngestionAnomaly: New analytic rule for detecting ingestion issues MITRE Mapping Enhanced coverage for T1562 (Impair Defenses) through improved alert correlation and response workflows.\nAffected Files .script/tests/KqlvalidationsTests/CustomTables/argsentdc_CL.json .script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json Logos/checkpoint-cyberint.svg Logos/checkpoint.svg Solutions/Check Point Cyberint Alerts/Analytic Rules/CPEMAlertIngestionAnomaly.yaml Solutions/Check Point Cyberint Alerts/Data Connectors/CyberintArgosAlertsLogs_ccp/CyberintArgosAlertsLogs_DCR.json Solutions/Check Point Cyberint Alerts/Data Connectors/CyberintArgosAlertsLogs_ccp/CyberintArgosAlertsLogs_PollingConfig.json Solutions/Check Point Cyberint Alerts/Data Connectors/CyberintArgosAlertsLogs_ccp/CyberintArgosAlertsLogs_Table.json Solutions/Check Point Cyberint Alerts/Data Connectors/CyberintArgosAlertsLogs_ccp/CyberintArgosAlertsLogs_connectorDefinition.json Solutions/Check Point Cyberint Alerts/Package/testParameters.json Solutions/Check Point Cyberint Alerts/Parsers/CPEMAlerts.yaml Solutions/Check Point Cyberint Alerts/Playbooks/Enrichment/CPEM_FetchAttachments/azuredeploy.json Solutions/Check Point Cyberint Alerts/Playbooks/Enrichment/CPEM_FetchAttachments/readme.md Solutions/Check Point Cyberint Alerts/Playbooks/Enrichment/CPEM_IOCEnrichment/azuredeploy.json Solutions/Check Point Cyberint Alerts/Playbooks/Enrichment/CPEM_IOCEnrichment/readme.md Solutions/Check Point Cyberint Alerts/Playbooks/Response/CPEM_CredentialLeakResponse/azuredeploy.json Solutions/Check Point Cyberint Alerts/Playbooks/Response/CPEM_CredentialLeakResponse/readme.md Solutions/Check Point Cyberint 
Alerts/Playbooks/Response/CPEM_PhishingTakedown/azuredeploy.json Solutions/Check Point Cyberint Alerts/Playbooks/Response/CPEM_PhishingTakedown/readme.md Solutions/Check Point Cyberint Alerts/Playbooks/Response/CPEM_VulnerabilityMonitoring/azuredeploy.json Solutions/Check Point Cyberint Alerts/Playbooks/Response/CPEM_VulnerabilityMonitoring/readme.md Solutions/Check Point Cyberint Alerts/Playbooks/Sync/CPEM_AutomationRules/azuredeploy.json Solutions/Check Point Cyberint Alerts/Playbooks/Sync/CPEM_AutomationRules/readme.md Solutions/Check Point Cyberint Alerts/Playbooks/Sync/CPEM_InboundSync/azuredeploy.json Solutions/Check Point Cyberint Alerts/Playbooks/Sync/CPEM_InboundSync/readme.md Solutions/Check Point Cyberint Alerts/Playbooks/Sync/CPEM_ManualStatusUpdate/azuredeploy.json Solutions/Check Point Cyberint Alerts/Playbooks/Sync/CPEM_ManualStatusUpdate/readme.md Solutions/Check Point Cyberint Alerts/Playbooks/Sync/CPEM_OutboundSync/azuredeploy.json Solutions/Check Point Cyberint Alerts/Playbooks/Sync/CPEM_OutboundSync/readme.md Solutions/Check Point Cyberint Alerts/README.md Solutions/Check Point Cyberint Alerts/Workbooks/CPEMAlertOverview.json Solutions/Check Point Cyberint Alerts/Workbooks/Images/Preview/CPEMAlertOverviewBlack.png Solutions/Check Point Cyberint Alerts/Workbooks/Images/Preview/CPEMAlertOverviewWhite.png Solutions/Check Point Cyberint Alerts/docs/sentinel-playbook-template-rendering-fixes.md Solutions/Check Point Cyberint IOC/Data Connectors/CyberintArgosIOCLogs_ccp/CyberintArgosIOCLogs_PollingConfig.json Solutions/Check Point Cyberint IOC/Data Connectors/CyberintArgosIOCLogs_ccp/CyberintArgosIOCLogs_Table.json Solutions/Check Point Cyberint IOC/Data Connectors/CyberintArgosIOCLogs_ccp/CyberintArgosIOCLogs_connectorDefinition.json Workbooks/Images/Logos/checkpoint.svg Workbooks/Images/Preview/CPEMAlertOverviewBlack.png Workbooks/Images/Preview/CPEMAlertOverviewWhite.png Workbooks/WorkbooksMetadata.json (packaging artefacts: 3.0.2.zip, 3.1.0.zip, 
ReleaseNotes.md, SolutionMetadata.json, Solution_Cyberint.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-15-pr-13790/","summary":"Adds comprehensive bi-directional sync playbooks and fixes critical ref_id column type bug that caused silent data loss in alert ingestion.","title":"Check Point Cyberint: Bi-Directional Alert Sync and Critical Data Ingestion Fix"},{"content":"What Changed Contrast ADR v3.1.0 introduces CCF (Codeless Connector Framework) ingestion alongside the existing Function App connector, standardizing data collection for application attack detection. The solution now supports dual ingestion mechanisms with normalized table schemas.\nData Connector Evolution New CCF Implementation:\nDCR-based ingestion targeting ContrastADRAttackEvents_CL and ContrastADRIncidents_CL tables JSON polling configuration with configurable endpoints and authentication Standardized field mapping eliminating legacy _s suffix conventions Schema Standardization:\nContrastADR_CL → ContrastADRAttackEvents_CL (attack events) ContrastADRIncident_CL → ContrastADRIncidents_CL (incident correlation) Field names normalized: result_s → result, rule_s → rule, SourceIP → sourceIp Detection Logic Updates All 6 Analytic Rules updated to reference new table schemas and field names:\nPrimary data source: ContrastADRAttackEvents_CL and ContrastADRIncidents_CL tables Core logic: Joins attack events with incident context on incidentId; filters on attack rules including command injection, JNDI injection, XXE, and deserialization Entity types mapped: Host (hostname), IP (sourceIp) MITRE Mapping Maintains existing coverage for application attack techniques:\nT1008: Fallback Channels (application communication abuse) T1018: Remote System Discovery T1021: Remote Services exploitation T1046: Network Service Scanning T1190: Exploit Public-Facing Application (primary focus) T1210: Exploitation of Remote Services T1211: Exploitation for 
Defense Evasion Security Impact (Visibility \u0026amp; Fidelity) Enhanced Deployment Options: Organizations can now deploy Contrast ADR via CCF without Function App infrastructure requirements, reducing deployment complexity for application attack monitoring.\nData Consistency: Schema normalization eliminates field mapping inconsistencies between ingestion methods — queries targeting the new table schemas work uniformly regardless of connector choice.\nWorkbook Enhancement: Six specialized workbooks (Command Injection, JNDI Injection, Path Traversal, SQL Injection, Untrusted Deserialization, XXE) updated with additional correlation panels for improved attack pattern analysis.\nAffected Files .script/tests/KqlvalidationsTests/CustomTables/ContrastADRAttackEvents_CL.json .script/tests/KqlvalidationsTests/CustomTables/ContrastADRIncident_CL.json .script/tests/KqlvalidationsTests/CustomTables/ContrastADRIncidents_CL.json .script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json Sample Data/Custom/ContrastADRAttackEvents_CL.csv Sample Data/Custom/ContrastADRIncidents_CL.csv Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Confirmed_EDR.yaml Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Confirmed_WAF.yaml Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Exploited_Attack_Event.yaml Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Exploited_Attack_Event_in_Production.yaml Solutions/ContrastADR/Analytic Rules/Contrast_ADR_SQL_Injection_Alert_with_DLP_alerts.yaml Solutions/ContrastADR/Analytic Rules/Contrast_Security_ADR_incident.yaml Solutions/ContrastADR/Data Connectors/AzureFunctionContrastADR/function_app.py Solutions/ContrastADR/Data Connectors/ContrastADRCCF/DCR.json Solutions/ContrastADR/Data Connectors/ContrastADRCCF/connectorDefinition.json Solutions/ContrastADR/Data Connectors/ContrastADRCCF/dataConnector.json Solutions/ContrastADR/Data Connectors/ContrastADRCCF/table_attackevents.json Solutions/ContrastADR/Data 
Connectors/ContrastADRCCF/table_incidents.json Solutions/ContrastADR/Package/testParameters.json Solutions/ContrastADR/Parsers/Contrast_alert_event_parser.yaml Solutions/ContrastADR/Parsers/Contrast_incident_parser.yaml Solutions/ContrastADR/Workbooks/ContrastADR_Command_Injection_Workbook.json Solutions/ContrastADR/Workbooks/ContrastADR_JNDI_Injection_Workbook.json Solutions/ContrastADR/Workbooks/ContrastADR_Path_Traversal_Workbook.json Solutions/ContrastADR/Workbooks/ContrastADR_SQL_Injection_Workbook.json Solutions/ContrastADR/Workbooks/ContrastADR_Untrusted_Deserialization_Workbook.json Solutions/ContrastADR/Workbooks/ContrastADR_XML External_Entity_Injection_Injection_Workbook.json Workbooks/WorkbooksMetadata.json (packaging artefacts: 3.1.0.zip, ReleaseNotes.md, Solution_ContrastADR.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-15-pr-13954/","summary":"Contrast ADR adds CCF ingestion support with standardized table schemas for production-ready Application Detection and Response monitoring.","title":"Contrast ADR: CCF Connector Deployment Unlocks Application Attack Visibility"},{"content":"What Changed Microsoft has officially deprecated four Azure Function-based Data Connectors, marking them with \u0026ldquo;[DEPRECATED]\u0026rdquo; prefixes in their titles and descriptions. The affected connectors are:\nOkta Single Sign-On (using Azure Function) - version bumped to 3.1.6 SentinelOne (using Azure Function) - version bumped to 3.0.9 Sophos Endpoint Protection (using Azure Function) - version bumped to 3.0.8 VMware Carbon Black Cloud (using Azure Function) - version bumped to 3.0.8 Migration Path Available All four solutions already have CCF (Codeless Connector Framework) alternatives available in Microsoft Sentinel Content Hub. 
Recent release history shows that CCF versions were introduced in March 2026 for these connectors, providing the migration foundation before this deprecation announcement.\nOperational Impact Existing Azure Function deployments will continue to operate but are no longer supported for new installations. Teams using these legacy connectors should prioritize migration to the CCF alternatives to ensure continued vendor support and access to future enhancements. The CCF versions offer improved reliability, simplified deployment, and reduced maintenance overhead compared to the Azure Function implementations.\nAffected Files Solutions/Okta Single Sign-On/Data Connectors/OktaSingleSign-On/Connector_REST_API_FunctionApp_Okta.json Solutions/SentinelOne/Data Connectors/SentinelOne_API_FunctionApp.json Solutions/Sophos Endpoint Protection/Data Connectors/SophosEP_API_FunctionApp.json Solutions/VMware Carbon Black Cloud/Data Connectors/VMwareCarbonBlack_API_FunctionApp.json (packaging artefacts: 3.0.8.zip, 3.0.9.zip, 3.1.6.zip, ReleaseNotes.md, Solution_EP.json, Solution_Okta.json, Solution_SentinelOne.json, Solution_VMware Carbon Black Cloud.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-14-pr-14073/","summary":"Microsoft has deprecated Azure Function-based connectors for Okta SSO, SentinelOne, Sophos Endpoint Protection, and VMware Carbon Black Cloud in favor of CCF alternatives.","title":"Four Legacy Azure Function Connectors Marked for Deprecation - Migration to CCF Required"},{"content":"What Changed Four Azure Function-based connectors have been marked as deprecated with the [DEPRECATED] prefix added to their titles:\nAtlassian Jira Audit (using Azure Function) → replaced by CCF version (already available since v3.0.5) Auth0 Logs (using Azure Function) → replaced by CCF version (already available since v3.1.4) Box Events (using Azure Function) → replaced by CCF version (already available since v3.1.3) CrowdStrike Falcon Data Replicator 
(CrowdStrike Managed AWS-S3) (using Azure Function) → migration path to CCF pending Security Impact (Visibility \u0026amp; Fidelity) The deprecated Function App connectors remain fully functional — this change only adds deprecation labeling to guide users toward the modern CCF alternatives. Organizations currently using these Function App connectors maintain their existing data ingestion without interruption.\nMigration Consideration: The CCF versions provide the same data ingestion capabilities with improved reliability, reduced maintenance overhead, and better integration with Microsoft Sentinel\u0026rsquo;s native architecture. Organizations should plan migration to the CCF versions to ensure long-term supportability.\nCrowdStrike Note: The CrowdStrike connector deprecation signals an upcoming CCF replacement, but the modern alternative is not yet available in this release.\nAffected Files Solutions/AtlassianJiraAudit/Data Connectors/JiraAudit_API_FunctionApp.json Solutions/Auth0/Data Connectors/Auth0_FunctionApp.json Solutions/Box/Data Connectors/Box_API_FunctionApp.json Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CrowdstrikeReplicatorV2_ConnectorUI.json (packaging artefacts: 3.0.6.zip, 3.1.4.zip, 3.1.5.zip, 3.3.3.zip, ReleaseNotes.md, Solution_AtlassianJiraAudit.json, Solution_Auth0.json, Solution_Box.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-14-pr-14063/","summary":"Legacy Azure Function connectors for Atlassian Jira, Auth0, Box, and CrowdStrike are now deprecated as solutions transition to the modern CCF architecture.","title":"Function App Connectors Deprecated: Four Solutions Migrate to CCF Framework"},{"content":"What Changed Added ConditionalAccessBenignStatusCodes watchlist and updated the Conditional Access bypass analytic rule (BypassCondAccessRule) with optional false positive filtering.\nDetection Logic The updated rule queries SigninLogs for ConditionalAccessStatus values 
indicating bypass attempts (Success=0, Failure=1, Not Applied=2, Unknown=3). Core logic joins authentication events with conditional access policy results, aggregating by user, application, and location. Entity mappings include Account (UserPrincipalName), IP, and URL.\nThe watchlist-based filtering (commented out by default) uses leftanti join to exclude status codes from the ConditionalAccessBenignStatusCodes watchlist.\nSecurity Impact This is a data fidelity improvement, not a blind spot closure. The existing detection remains fully functional with enhanced tuning guidance. The watchlist targets 7 specific status codes representing legitimate authentication flows:\n50074/50076: MFA prompts and policy enforcement 50097: Device authentication requirements 50125: Password reset interrupts 50140: \u0026ldquo;Keep me signed in\u0026rdquo; prompts 70043/700082: Token expiration due to inactivity/frequency policies SOC teams can now optionally reduce noise from expected authentication behaviors while maintaining full visibility into actual bypass attempts. 
Default configuration preserves all alerts for maximum coverage.\nAffected Files Solutions/Microsoft Entra ID/Analytic Rules/BypassCondAccessRule.yaml Solutions/Microsoft Entra ID/Package/testParameters.json Solutions/Microsoft Entra ID/Watchlists/ConditionalAccessBenignStatusCodes.csv Solutions/Microsoft Entra ID/Watchlists/ConditionalAccessBenignStatusCodes.json (packaging artefacts: 3.3.11.zip, ReleaseNotes.md, Solution_AAD.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-14-pr-14016/","summary":"New watchlist filters out 7 known-benign status codes from Conditional Access bypass detection to reduce false positives from legitimate MFA prompts and session expiration events.","title":"Microsoft Entra ID Conditional Access Bypass Detection: False Positive Reduction via Benign Status Code Watchlist"},{"content":"What Changed The meshStack solution package received a publisher ID update to align with Microsoft Partner Center configuration, addressing a best practice validation issue identified during the certification process.\nPackaging Updates Publisher ID: Updated from meshcloudgmbh5353994 to meshcloudgmbh1628603483473 in solution metadata Version: Bumped from 3.0.0 to 3.0.1 to reflect the packaging change Release Notes: Added tracking file documenting the publisher ID correction Per PR discussion: this change addresses certification report item 300.4.1.1 (Best Practice Tests), ensuring the solution metadata matches Partner Center configuration for proper Content Hub publication.\nAffected Files (packaging artefacts: 3.0.1.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_meshStack.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-14-pr-14029/","summary":"meshStack solution updated publisher ID to match Partner Center configuration, ensuring compliance with Microsoft certification requirements.","title":"meshStack Solution: Publisher ID Alignment for Content Hub 
Certification"},{"content":"What Changed Fixed a critical bug in the BeyondTrust PM Cloud Data Connector\u0026rsquo;s LogAnalyticsService.cs that was causing improper batching of events sent to Microsoft Sentinel via the Logs Ingestion API.\nSecurity Impact (Visibility \u0026amp; Fidelity) Critical data ingestion failure: The previous implementation wrapped entire event arrays in a single BinaryData payload, bypassing the SDK\u0026rsquo;s automatic batching mechanism. When BeyondTrust endpoint security events or activity audits exceeded the 1MB Log Analytics ingestion limit, the connector generated 413 (ContentLengthLimitExceeded) errors and failed to ingest those batches entirely.\nDetection blind spot: Deployments running the affected connector version had gaps in visibility when BeyondTrust activity exceeded per-batch size limits. This created unpredictable blind spots in endpoint security monitoring and privileged access auditing — exactly when visibility was most critical during high-activity periods.\nData fidelity restored: The fix serializes each record individually, allowing the SDK to automatically split large payloads into multiple sub-1MB requests. 
All BeyondTrust events now ingest consistently regardless of batch size.\nThe connector retrieves endpoint security events from /v3/Events/FromStartDate (ECS format) and administrative activities from /v3/ActivityAudits/Details — both critical for detecting privileged access abuse and endpoint compromise.\nAffected Files Solutions/BeyondTrustPMCloud/Data Connectors/AzureFunctionBeyondTrustPMCloud/Services/LogAnalyticsService.cs (packaging artefacts: BeyondTrustPMCloudFunctions.zip) ","permalink":"http://sentinelchangelog.net/posts/2026-04-14-pr-14031/","summary":"A batching bug in the BeyondTrust PM Cloud connector was causing 413 errors and incomplete endpoint security event ingestion when payload sizes exceeded Log Analytics limits.","title":"BeyondTrust PM Cloud: Critical Data Ingestion Fix Restores Partial Event Visibility"},{"content":"What Changed Updated KQL queries in the Azure Security Benchmark workbook to use proper parameter filtering syntax. The workbook queries now correctly filter compliance data using the {ComplianceDomain} parameter instead of the previous has (ComplianceDomain) filter logic.\nQuery Logic Fixes Two primary workbook visualizations were updated:\nRecommendations by Control Area: Query now uses where ComplianceDomain in ({ComplianceDomain}) for proper parameter-based filtering Resource compliance summary: Aligned filtering logic to match the parameter selection mechanism The queries maintain the same data source (Microsoft.Security regulatory compliance tables) and continue to map compliance controls to domains like Asset Management, Data Protection, Identity Management, etc.\nPackaging Updates Solution artifacts updated to version 3.0.4 with refreshed ARM template content and workbook JSON synchronized across deployment artifacts.\nAffected Files Solutions/AzureSecurityBenchmark/Workbooks/AzureSecurityBenchmark.json (packaging artefacts: 3.0.4.zip, ReleaseNotes.md, mainTemplate.json) 
","permalink":"http://sentinelchangelog.net/posts/2026-04-13-pr-14039/","summary":"KQL queries in the Azure Security Benchmark workbook now properly filter by selected compliance domains.","title":"Azure Security Benchmark Workbook: Parameter Filtering Logic Fixed"},{"content":"What Changed Tanium solution v3.3.0 adds a new CCF push connector and updated workbook table formatting. The connector enables direct data flow from Tanium servers to Microsoft Sentinel via Data Collection Rules (DCRs).\nData Source The connector ingests from Tanium\u0026rsquo;s endpoint management platform across multiple modules:\nComply: Compliance findings and vulnerability data Threat Response: Security alert data from endpoint detection Discover: Unmanaged asset discovery data Patch: Patch compliance and coverage status Microsoft Tooling Health: SCCM client health and Defender status monitoring Ingestion Mechanism CCF-based connector using DCR/DCE architecture with 10 distinct custom data streams:\nTaniumComplyCompliance_CL - compliance assessment findings TaniumComplyVulnerabilities_CL - vulnerability scan results TaniumThreatResponseAlerts_CL - threat detection alerts TaniumDiscoverUnmanagedAssets_CL - asset discovery data TaniumPatchCoverageStatus_CL / TaniumPatchListCompliance_CL - patch management data TaniumDefenderHealth_CL / TaniumSccmHealth_CL - Microsoft tooling health metrics Detection Surface Unlocked This connector provides comprehensive endpoint visibility for:\nAsset discovery gaps - unmanaged devices on the network Compliance violations - policy and configuration drift detection Patch management blind spots - missing critical updates across the estate Microsoft security tooling health - Defender and SCCM deployment status Threat response correlation - endpoint alerts enriched with asset context The workbook includes 20+ visualizations across 5 tabs enabling SOC teams to correlate Tanium\u0026rsquo;s real-time endpoint data with Sentinel incident workflows.\nAffected 
Files .gitignore Solutions/Tanium/Data Connectors/ConnectorDefinition.json Solutions/Tanium/Data Connectors/DCR.json Solutions/Tanium/Data Connectors/DataConnector.json Solutions/Tanium/Data Connectors/README.md Solutions/Tanium/Data Connectors/Table_ComplianceFindings.json Solutions/Tanium/Data Connectors/Table_ComplianceVulnerabilities.json Solutions/Tanium/Data Connectors/Table_DefenderHealth.json Solutions/Tanium/Data Connectors/Table_DiscoverUnmanagedAssets.json Solutions/Tanium/Data Connectors/Table_HighUptime.json Solutions/Tanium/Data Connectors/Table_PatchCoverageStatus.json Solutions/Tanium/Data Connectors/Table_PatchListApplicability.json Solutions/Tanium/Data Connectors/Table_PatchListCompliance.json Solutions/Tanium/Data Connectors/Table_SccmHealth.json Solutions/Tanium/Data Connectors/Table_ThreatResponseAlerts.json Solutions/Tanium/Data Connectors/connect-module-connections.json Solutions/Tanium/Package/testParameters.json Solutions/Tanium/Workbooks/README.md Solutions/Tanium/Workbooks/TaniumWorkbook.json Solutions/Tanium/Workbooks/connect-module-connections.json Solutions/Tanium/build_solution.sh Solutions/Tanium/ci/Taskfile.yml Solutions/Tanium/ci/build-silently.ps1 Solutions/Tanium/ci/build.sh Solutions/Tanium/ci/get-new-version.ps1 Solutions/Tanium/ci/get-published-version.ps1 Solutions/Tanium/ci/run-arm-ttk-accurately.ps1 Solutions/Tanium/ci/run-json-validation.ps1 Solutions/Tanium/ci/set-connector-versions.ps1 Solutions/Tanium/ci/validation-functions.ps1 Solutions/Tanium/get-offer-id.ps1 Workbooks/WorkbooksMetadata.json cspell-dictionaries/azure-arm-template-words.txt cspell-dictionaries/dataconnector-words.txt cspell-dictionaries/kql-functions.txt cspell-dictionaries/powershell-words.txt cspell-dictionaries/variables.txt cspell.config.json package-lock.json package.json (packaging artefacts: 3.3.0.zip, SolutionMetadata.json, Solution_Tanium.json, createUiDefinition.json, mainTemplate.json) 
","permalink":"http://sentinelchangelog.net/posts/2026-04-13-pr-13958/","summary":"New CCF push connector for Tanium enables endpoint compliance, threat response, and patch data ingestion via DCR streams.","title":"Tanium CCF Data Connector: Enhanced Endpoint Visibility with DCR-Based Ingestion"},{"content":"What Changed Enhanced the AccountCreatedandDeletedinShortTimeframe analytic rule with three key improvements: extended query period from 1 day to 7 days, normalized UPN parsing with case-insensitive handling, and switched correlation from mutable UPN to immutable UserId.\nDetection Logic Primary data source: AuditLogs (Entra ID audit events) Core logic: Correlates \u0026ldquo;Add user\u0026rdquo; and \u0026ldquo;Delete user\u0026rdquo; operations within a 7-day window using immutable UserId as the join key, with normalized UPN extraction handling optional hex prefixes and case variations Entity types mapped: Account, IP\nSecurity Impact The previous 1-day detection window created a significant blind spot for sophisticated adversaries employing timing-based evasion tactics. 
Attackers could create temporary accounts for persistence or privilege escalation, then remove them outside the narrow detection timeframe to avoid correlation.\nKey improvements:\nTiming Evasion Resistance: 7-day lookback period captures delayed cleanup operations that bypass short detection windows Correlation Reliability: UserId-based joining eliminates false negatives caused by UPN mutations (prefix additions, case changes) Data Fidelity: Normalized UPN parsing handles Microsoft\u0026rsquo;s internal identifier variations consistently This closes a detection gap for T1078 (Valid Accounts) and T1136.003 (Create Account: Cloud Account) techniques where adversaries create temporary privileged accounts for lateral movement or persistence, then clean up evidence through delayed deletion.\nMITRE Mapping T1078: Valid Accounts - Detection of temporary account abuse patterns T1136.003: Create Account: Cloud Account - Rapid creation/deletion cycles for evasion Affected Files Solutions/Microsoft Entra ID/Analytic Rules/AccountCreatedandDeletedinShortTimeframe.yaml Workbooks/WorkbooksMetadata.json (packaging artefacts: 3.3.10.zip, ReleaseNotes.md, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-13-pr-14049/","summary":"Critical improvements to AccountCreatedandDeletedinShortTimeframe rule extend detection window to 7 days and use immutable UserID correlation to prevent timing-based evasion techniques.","title":"Microsoft Entra ID: Account Creation/Deletion Detection Enhanced Against Timing Evasion"},{"content":"What Changed Fixed a critical bug in the Vectra XDR data connector\u0026rsquo;s detections collector where VectraException was being instantiated but not raised, causing silent failures during data ingestion.\nSecurity Impact (Visibility \u0026amp; Fidelity) The bug caused ingestion failures to be silently ignored instead of properly propagated. 
Deployments may have experienced data loss during connector errors without any indication of the failure in logs or monitoring systems. This created a potential blind spot where SOC teams believed data was being ingested when errors were actually occurring.\nWith this fix, exceptions are now properly raised, enabling:\nProper error logging and alerting for ingestion failures Visibility into connector health status Appropriate retry mechanisms and failure handling Affected Files Solutions/Vectra XDR/Data Connectors/VectraDataConnector/Detections/detections_collector.py ","permalink":"http://sentinelchangelog.net/posts/2026-04-13-pr-14051/","summary":"Exception handling bug in Vectra XDR data collector prevented proper error propagation during ingestion failures.","title":"Vectra XDR Connector: Critical Exception Handling Bug Fixed"},{"content":"What Changed Added new ASIM Authentication parsers for Cisco ISE administrator login events:\nASimAuthenticationCiscoISEAdministrator (unifying parser) vimAuthenticationCiscoISEAdministrator (filtering parser) Both parsers normalize Cisco ISE administrator authentication logs ingested via Syslog by AMA to the ASIM Authentication schema v0.1.4.\nParser Impact The parsers target Cisco ISE Administrative and Operational Audit logs specifically filtering for \u0026ldquo;Administrator-Login\u0026rdquo; events. 
Key normalized fields include:\nEventResult based on presence of AdminName (Success/Failure) EventResultDetails for failure cases (Incorrect password, No such user, Other) TargetUsername, SrcIpAddr, and SrcDvcId from syslog components TargetPortNumber and AdminInterface from parsed key-value pairs Parser integration adds ISE administrator authentication visibility to existing ASIM Authentication queries and detection content that reference the imAuthentication or ASimAuthentication functions.\nDetection Surface Unlocked Enables monitoring of privileged network device access patterns, failed administrator authentication attempts, and suspicious login behaviors on Cisco ISE infrastructure. Supports correlation with other ASIM-normalized authentication events for cross-system privilege escalation detection.\nAffected Files Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoISEAdministrator/ASimAuthenticationCiscoISEAdministrator.json Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoISEAdministrator/README.md Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoISEAdministrator/README.md Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoISEAdministrator/vimAuthenticationCiscoISEAdministrator.json Parsers/ASimAuthentication/CHANGELOG/ASimAuthentication.md Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationCiscoISEAdministrator.md Parsers/ASimAuthentication/CHANGELOG/imAuthentication.md Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationCiscoISEAdministrator.md Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml Parsers/ASimAuthentication/Parsers/ASimAuthenticationCiscoISE.yaml Parsers/ASimAuthentication/Parsers/ASimAuthenticationCiscoISEAdministrator.yaml Parsers/ASimAuthentication/Parsers/imAuthentication.yaml 
Parsers/ASimAuthentication/Parsers/vimAuthenticationCiscoISE.yaml Parsers/ASimAuthentication/Parsers/vimAuthenticationCiscoISEAdministrator.yaml ","permalink":"http://sentinelchangelog.net/posts/2026-04-10-pr-13909/","summary":"Added ASIM Authentication parser for Cisco ISE administrator authentication events, expanding centralized network device visibility.","title":"ASIM Authentication: New Parser for Cisco ISE Administrator Login Events"},{"content":"What Changed Added \u0026ldquo;CsvEscapeMode\u0026rdquo;: \u0026ldquo;NoEscape\u0026rdquo; configuration to the Imperva Cloud WAF CCF connector\u0026rsquo;s CSV parsing settings. The change prevents logs containing embedded JSON with quotes from being dropped during ingestion.\nSecurity Impact (Visibility \u0026amp; Fidelity) WAF logs containing embedded JSON were being silently dropped during ingestion due to CSV quote-escaping conflicts. This created visibility gaps for security events that include JSON payloads — such as detailed attack signatures, request parameters, or response data that attackers manipulate.\nOrganizations running affected connector deployments had incomplete WAF log coverage, potentially missing indicators of web application attacks, data exfiltration attempts, or reconnaissance activities that generate JSON-formatted log entries.\nThe fix restores complete ingestion for all WAF log formats, eliminating the data loss condition.\nAffected Files Solutions/ImpervaCloudWAF/Data Connectors/ImpervaCloudWAFLogs_ccf/ImpervaCloudWAFLogs_PollingConfig.json (packaging artefacts: 3.1.1.zip, ReleaseNotes.md, Solution_ImpervaCloudWAF.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-10-pr-14044/","summary":"Imperva CCF connector now properly ingests WAF logs containing embedded JSON, preventing data loss during log processing.","title":"Imperva Cloud WAF: Critical Fix for JSON Log Ingestion Failure"},{"content":"Affected Files 
Parsers/ASimAuthentication/Parsers/ASimAuthenticationFortinetFortigate.yaml Parsers/ASimAuthentication/Parsers/vimAuthenticationFortinetFortigate.yaml ","permalink":"http://sentinelchangelog.net/posts/2026-04-10-pr-14041/","summary":"Updates schema version metadata from 0.1.3 to 0.1.4 in FortiGate authentication parsers with no functional changes.","title":"Fortinet FortiGate ASIM Authentication Parsers: Schema Version Metadata Correction"},{"content":"What Changed New comprehensive training environment for Microsoft Sentinel deployed under Tools/ directory. Includes ARM template-based deployment, 14 structured exercises, pre-recorded security telemetry (~10 MB), and practical workflows covering detection engineering, threat hunting, and data lake operations.\nTraining Content Core Infrastructure One-click ARM deployment with Log Analytics workspace provisioning Azure Automation runbooks for telemetry ingestion via Logs Ingestion API Microsoft Graph API integration for custom detection rules deployment Support for both User-Assigned Managed Identity and Service Principal authentication Security Data Sources Pre-recorded telemetry from multiple security platforms:\nCrowdStrike: Alerts, detections, cases, hosts, and vulnerabilities AWS CloudTrail: Cloud audit events GCP Audit Logs: Google Cloud platform events Okta: Identity and authentication logs Palo Alto: Network security events Custom tables: Specialized attack scenarios and hunting data Detection Content Custom analytic rules targeting MITRE ATT\u0026amp;CK techniques across multiple tactics Investigation workbook for incident analysis Response playbook for automated geo-tagging Three watchlists (VIP users, high-value assets, known bad IPs) Hunting queries for OAuth applications and Solorigate indicators Exercises Coverage Foundation (1-4): Data exploration, threat intelligence integration, MITRE coverage analysis, automation rules\nDetection Engineering (6-8): Port scan threshold tuning, Okta MFA manipulation 
detection, watchlist integration\nOperations (9-10): Cost analysis, table tier management, retention optimization\nData Lake (11-13): KQL jobs, aggregated detection approaches, Jupyter notebooks with PySpark\nIntegration (14): AI assistant capabilities demonstration\nDeployment Requirements Azure subscription with Owner/Contributor role Microsoft Sentinel workspace onboarded to Defender XDR as primary workspace For custom detection rules: CustomDetection.ReadWrite.All Graph permission via UAMI or Service Principal Optional: Microsoft Sentinel Data Lake for exercises 11-13 Security Training Value This lab addresses the practical skills gap in security operations by providing hands-on experience with real telemetry patterns. The pre-recorded data represents authentic attack scenarios including credential compromise (T1078), network reconnaissance (T1046), data exfiltration (T1041), and defense evasion (T1562) techniques — allowing SOC teams to practice detection tuning and response workflows without live threat exposure.\nAffected Files Tools/Microsoft-Sentinel-Training-Lab/Artifacts/DetectionRules/rules.json Tools/Microsoft-Sentinel-Training-Lab/Artifacts/LinkedTemplates/WorkspaceLakeUsage-ARM.json Tools/Microsoft-Sentinel-Training-Lab/Artifacts/LinkedTemplates/alertRules.json Tools/Microsoft-Sentinel-Training-Lab/Artifacts/LinkedTemplates/deployDetectionRules.json Tools/Microsoft-Sentinel-Training-Lab/Artifacts/LinkedTemplates/ingestEvents.json Tools/Microsoft-Sentinel-Training-Lab/Artifacts/LinkedTemplates/playbook.json Tools/Microsoft-Sentinel-Training-Lab/Artifacts/LinkedTemplates/watchlist.json Tools/Microsoft-Sentinel-Training-Lab/Artifacts/LinkedTemplates/workbook.json Tools/Microsoft-Sentinel-Training-Lab/Artifacts/LinkedTemplates/workspace.json Tools/Microsoft-Sentinel-Training-Lab/Artifacts/Scripts/DeployDetectionRules.ps1 Tools/Microsoft-Sentinel-Training-Lab/Artifacts/Scripts/IngestCSV.ps1 
Tools/Microsoft-Sentinel-Training-Lab/Artifacts/Scripts/RunIngest.ps1 Tools/Microsoft-Sentinel-Training-Lab/Artifacts/Telemetry/BuildIn/AWSCloudTrail.csv Tools/Microsoft-Sentinel-Training-Lab/Artifacts/Telemetry/BuildIn/CommonSecurityLog.csv Tools/Microsoft-Sentinel-Training-Lab/Artifacts/Telemetry/BuildIn/CrowdStrikeAlerts.csv Tools/Microsoft-Sentinel-Training-Lab/Artifacts/Telemetry/BuildIn/CrowdStrikeCases.csv Tools/Microsoft-Sentinel-Training-Lab/Artifacts/Telemetry/BuildIn/CrowdStrikeDetections.csv Tools/Microsoft-Sentinel-Training-Lab/Artifacts/Telemetry/BuildIn/CrowdStrikeHosts.csv Tools/Microsoft-Sentinel-Training-Lab/Artifacts/Telemetry/BuildIn/CrowdStrikeVulnerabilities.csv Tools/Microsoft-Sentinel-Training-Lab/Artifacts/Telemetry/BuildIn/GCPAuditLogs.csv Tools/Microsoft-Sentinel-Training-Lab/Artifacts/Telemetry/BuildIn/SecurityEvents.csv Tools/Microsoft-Sentinel-Training-Lab/Artifacts/Telemetry/Custom/AuditLogsHunting_CL.csv Tools/Microsoft-Sentinel-Training-Lab/Artifacts/Telemetry/Custom/AzureActivity_CL.csv Tools/Microsoft-Sentinel-Training-Lab/Artifacts/Telemetry/Custom/MailGuard365_Threats_CL.csv Tools/Microsoft-Sentinel-Training-Lab/Artifacts/Telemetry/Custom/OfficeActivity_CL.csv Tools/Microsoft-Sentinel-Training-Lab/Artifacts/Telemetry/Custom/OktaV2_CL.csv Tools/Microsoft-Sentinel-Training-Lab/Artifacts/Telemetry/Custom/SEG_MailGuard_CL.csv Tools/Microsoft-Sentinel-Training-Lab/Artifacts/Telemetry/Custom/azureActivity_adele_CL.csv Tools/Microsoft-Sentinel-Training-Lab/Artifacts/Telemetry/Custom/disable_accounts_CL.csv Tools/Microsoft-Sentinel-Training-Lab/Artifacts/Telemetry/Custom/model_evasion_detection_CL.csv Tools/Microsoft-Sentinel-Training-Lab/Artifacts/Telemetry/Custom/office_activity_inbox_rule_CL.csv Tools/Microsoft-Sentinel-Training-Lab/Artifacts/Telemetry/Custom/sign-in_adelete_CL.csv Tools/Microsoft-Sentinel-Training-Lab/Artifacts/Telemetry/Custom/solarigate-beacon-umbrella_CL.csv 
Tools/Microsoft-Sentinel-Training-Lab/Artifacts/azuredeploy.json Tools/Microsoft-Sentinel-Training-Lab/Exercises/E01_exploration.md Tools/Microsoft-Sentinel-Training-Lab/Exercises/E02_threat_intelligence_mdti.md Tools/Microsoft-Sentinel-Training-Lab/Exercises/E03_mitre_attack_coverage.md Tools/Microsoft-Sentinel-Training-Lab/Exercises/E04_automation_rules.md Tools/Microsoft-Sentinel-Training-Lab/Exercises/E05_device_isolation_response.md Tools/Microsoft-Sentinel-Training-Lab/Exercises/E06_port_scan_threshold_tuning.md Tools/Microsoft-Sentinel-Training-Lab/Exercises/E07_okta_mfa_manipulation.md Tools/Microsoft-Sentinel-Training-Lab/Exercises/E08_watchlist_integration.md Tools/Microsoft-Sentinel-Training-Lab/Exercises/E09_cost_management.md Tools/Microsoft-Sentinel-Training-Lab/Exercises/E10_table_management.md Tools/Microsoft-Sentinel-Training-Lab/Exercises/E11_datalake_kql_jobs.md Tools/Microsoft-Sentinel-Training-Lab/Exercises/E12_datalake_port_diversity.md Tools/Microsoft-Sentinel-Training-Lab/Exercises/E13_notebooks.md Tools/Microsoft-Sentinel-Training-Lab/Exercises/E14_MCP.md Tools/Microsoft-Sentinel-Training-Lab/Exercises/Onboarding.md Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage1.png Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage10.png Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage11.png Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage12.png Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage13.png Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage14.png Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage15.png Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage16.png Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage17.png Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage18.png Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage19.png Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage2.png 
Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage20.png Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage21.png Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage22.png Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage23.png Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage24.png Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage25.png Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage26.png Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage27.png Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage28.png Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage29.png Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage3.png Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage30.png Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage31.png Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage32.png Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage33.png Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage34.png Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage35.png Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage4.png Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage5.png Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage6.png Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage7.png Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage8.png Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage9.png Tools/Microsoft-Sentinel-Training-Lab/Images/sentinel-labs-logo.png Tools/Microsoft-Sentinel-Training-Lab/MCP/demo-prompts.md Tools/Microsoft-Sentinel-Training-Lab/Notebook/Lab_Notebook.ipynb Tools/Microsoft-Sentinel-Training-Lab/README.md Tools/Microsoft-Sentinel-Training-Lab/Tools/Ingest-LocalCSV.ps1 Tools/Microsoft-Sentinel-Training-Lab/Tools/ToolInstructions.md Tools/Microsoft-Sentinel-Training-Lab/Watchlists/high_value_assets.csv 
Tools/Microsoft-Sentinel-Training-Lab/Watchlists/known_bad_ips.csv Tools/Microsoft-Sentinel-Training-Lab/Watchlists/vip_users.csv (packaging artefacts: ReleaseNotes.md, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-10-pr-13848/","summary":"New deployment-ready training lab delivers 14 guided exercises with pre-recorded telemetry, detection rules, and automation workflows for practical Microsoft Sentinel skill development.","title":"Microsoft Sentinel Training Lab: Comprehensive Hands-On Security Operations Environment Now Available"},{"content":"What Changed The \u0026ldquo;TI map Domain entity to SecurityAlert\u0026rdquo; analytic rule has been updated with a critical self-exclusion filter to prevent recursive alert generation. The rule now filters out its own alerts from the SecurityAlert table before processing, breaking an infinite feedback loop.\nDetection Logic Primary data source: SecurityAlert table (14-day lookback) Core logic: Extracts domain entities from SecurityAlert records, joins against ThreatIntelligenceIndicator table for known malicious domains, requires active indicators with confidence ≥ 50 Key fix: Added | where AlertName != \u0026ldquo;TI map Domain entity to SecurityAlert\u0026rdquo; filter to exclude the rule\u0026rsquo;s own alerts from source data Entity types mapped: IP, URL entities from both the original alert and the threat intelligence match Security Impact (Detection Quality) This update resolves a recursive alert generation issue where the rule was processing its own generated alerts, creating an infinite loop of duplicate detections. Prior to this fix, deployments would experience alert noise and potential performance degradation as the rule continuously triggered on its own output. 
The fix improves detection quality by ensuring each malicious domain indicator generates exactly one alert rather than cascading duplicates.\nAffected Files Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_SecurityAlert.yaml (packaging artefacts: 3.0.17.zip, ReleaseNotes.md, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-10-pr-13977/","summary":"Threat Intelligence domain mapping rule updated to prevent infinite alert loops by excluding its own alerts from the source data.","title":"Threat Intelligence Domain-to-SecurityAlert Rule: Fixes Recursive Alert Loop with Self-Exclusion Filter"},{"content":"What Changed Updated the Azure Security Benchmark workbook to replace all occurrences of “Azure Security Benchmark” with “Microsoft cloud security benchmark” across user-facing text, headings, and KQL queries. This includes ComplianceStandard filter checks and noDataMessage strings throughout the workbook.\nOperational Impact The label changes align the workbook’s displayed compliance standard references with updated Microsoft terminology. Organizations using this workbook for Azure Security Benchmark compliance tracking should expect updated UI labels but no functional changes to the underlying compliance data or query logic. 
Filters and remediation links now reference the updated complianceStandard identifier to ensure recommendations surface correctly.\nVersion Update Solution version bumped to 3.0.4 to reflect the labeling updates.\nAffected Files Solutions/AzureSecurityBenchmark/Workbooks/AzureSecurityBenchmark.json (packaging artefacts: 3.0.4.zip, ReleaseNotes.md, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-10-pr-14007/","summary":"Replaced “Azure Security Benchmark” references with “Microsoft cloud security benchmark” across workbook labels and KQL queries.","title":"Azure Security Benchmark: Updated Labels to Microsoft Cloud Security Benchmark"},{"content":"What Changed Removed unsupported \"outputs\" property from secureData.properties configuration in the AutoDecode Compose action within the Blacklens Logic App ARM template. Logic App Compose actions only support \"inputs\" in secureData.properties.\nSecurity Impact The deployment failure prevented the Blacklens attack surface monitoring integration from functioning entirely — deployments using the previous version experienced complete Logic App creation failure and loss of attack surface visibility. This was not a cosmetic issue but a complete deployment blocker affecting all new installations and updates.\nDeployment Impact Per PR discussion: deployments failed with InvalidSecureDataConfiguration error until this fix. 
Organizations attempting to deploy Blacklens attack surface monitoring had zero functional capability due to the Logic App workflow failing at creation time.\nAffected Files Solutions/Blacklens/Data Connectors/deployment/azuredeploy_blacklens.json (packaging artefacts: 3.0.1.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_Blacklens.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-10-pr-13946/","summary":"Resolved deployment failure caused by invalid secureData configuration in Logic App Compose action.","title":"Blacklens Logic App: Fixed Invalid secureData Configuration Breaking Deployment"},{"content":"What Changed Updated the checkpoint field in Tenable VM vulnerability data export from last_found to indexed_at parameter in the export job initialization. This affects how the connector tracks which vulnerability records have been previously exported to Microsoft Sentinel.\nOperational Impact The field change modifies the timestamp-based checkpoint mechanism used to prevent duplicate vulnerability data ingestion. 
Deployments using this connector should verify that vulnerability data continues to flow correctly after the update without gaps or duplicates.\nAffected Files Solutions/Tenable App/Data Connectors/TenableVM/TenableStartVulnExportJob/__init__.py (packaging artefacts: ReleaseNotes.md, TenableVMAzureSentinelConnector310Updated.zip) ","permalink":"http://sentinelchangelog.net/posts/2026-04-10-pr-14028/","summary":"Changed vulnerability export checkpoint field from last_found to indexed_at for customer enhancement.","title":"Tenable VM: Vulnerability Data Checkpoint Field Update"},{"content":"What Changed ExtraHop solution v3.0.2 migrates the Azure Functions data connector from the legacy HTTP Data Collector API to the Azure Monitor Logs Ingestion API.\nData Ingestion Architecture Legacy HTTP Data Collector API removal:\nReplaced SharedKey authentication with OAuth 2.0 client credentials Removed custom signature generation and HTTP request handling Eliminated retry logic for HTTP status codes (429, 500, 503) New Azure Monitor Logs Ingestion API implementation:\nAuthentication: ClientSecretCredential with Azure Government cloud support Ingestion: LogsIngestionClient with DCR-based routing Configuration: Added environment variables for DCR_RULE_ID, AZURE_DATA_COLLECTION_ENDPOINT, SCOPE Parser Updates Schema compatibility fixes:\nUpdated parser logic to handle new field names without _s/_d suffixes Maintains backward compatibility with existing queries Version bump from 1.0.1 to 2.0.0 reflects schema changes Security Impact (Visibility & Fidelity) Modern authentication: OAuth 2.0 credentials provide improved security posture compared to workspace key authentication.\nAPI deprecation mitigation: Proactive migration prevents future ingestion failures when Microsoft deprecates the HTTP Data Collector API.\nNo data loss: Schema changes maintain field mapping compatibility — existing analytics and hunting queries remain functional.\nAffected Files 
.script/tests/KqlvalidationsTests/CustomTables/ExtraHopDetections.json .script/tests/KqlvalidationsTests/CustomTables/ExtraHop_Detections_CL.json Solutions/ExtraHop/Data Connectors/ExtraHopDataConnector/ExtraHopSentinelActivity/extrahop.py Solutions/ExtraHop/Data Connectors/ExtraHopDataConnector/ExtraHopSentinelActivity/sentinel.py Solutions/ExtraHop/Data Connectors/ExtraHopDataConnector/ExtraHop_FunctionApp.json Solutions/ExtraHop/Data Connectors/ExtraHopDataConnector/SharedCode/consts.py Solutions/ExtraHop/Data Connectors/ExtraHopDataConnector/azuredeploy_ExtraHop_AzureFunction.json Solutions/ExtraHop/Data Connectors/ExtraHopDataConnector/requirements.txt Solutions/ExtraHop/Parsers/ExtraHopDetections.yaml Workbooks/WorkbooksMetadata.json (packaging artefacts: 3.0.2.zip, ExtraHopDataConnector.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_ExtraHop.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-10-pr-13886/","summary":"Added Log Ingestion API support with OAuth 2.0 authentication — modernizes data ingestion from legacy HTTP Data Collector API.","title":"ExtraHop RevealX: Azure Monitor Logs Ingestion API Replaces Legacy HTTP Data Collector"},{"content":"What Changed Abnormal Security solution v3.0.0 introduces a new CCF Push-based data connector alongside the existing Azure Functions connector for backward compatibility.\nData Ingestion Architecture New CCF Push Connector:\nAuthentication: OAuth 2.0 client credentials via Azure Monitor Ingestion API DCR routing: 9 dedicated custom streams route events by type to per-table outputs Tables: Each event type maps to dedicated tables (ABNORMAL_SECURITY_THREAT_LOG_CL, ABNORMAL_SECURITY_CASE_CL, etc.) 
Setup automation: DeployPushConnectorButton creates DCE, DCR, Entra app, client secret, and role assignment Table Architecture:\n8 event-specific tables (THREAT_LOG, CASE, AUDIT_LOG, ABUSE_MAILBOX, POSTURE_CHANGE, ATO_CASE, REMEDIATION, VENDOR_CASE) 1 fallback table (AbnormalSecurityLogs_CL) for unknown event types Standard schema: Time, abx_body (dynamic), abx_metadata (dynamic) Security Impact (Visibility & Fidelity) Enhanced data organisation: Event type segregation improves query performance and enables more granular monitoring compared to the single-table legacy connector.\nModern authentication: OAuth 2.0 client credentials replace API key authentication, providing better credential lifecycle management for enterprise deployments.\nMigration path: Legacy Azure Functions connector remains available — no immediate action required for existing deployments.\nAffected Files Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_DCR.json Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_connectorDefinition.json Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_dataConnector.json Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_table_AbnormalSecurityLogs.json Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_table_AbuseMailbox.json Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_table_AtoCase.json Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_table_AuditLog.json Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_table_Case.json Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_table_PostureChange.json Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_table_Remediation.json Solutions/AbnormalSecurity/Data 
Connectors/AbnormalSecurity_CCF/AbnormalSecurity_table_ThreatLog.json Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_table_VendorCase.json Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/Sample Data/ABNORMAL_SECURITY_ABUSE_MAILBOX_CL.json Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/Sample Data/ABNORMAL_SECURITY_ATO_CASE_CL.json Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/Sample Data/ABNORMAL_SECURITY_AUDIT_LOG_CL.json Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/Sample Data/ABNORMAL_SECURITY_CASE_CL.json Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/Sample Data/ABNORMAL_SECURITY_POSTURE_CHANGE_CL.json Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/Sample Data/ABNORMAL_SECURITY_REMEDIATION_CL.json Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/Sample Data/ABNORMAL_SECURITY_THREAT_LOG_CL.json Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/Sample Data/ABNORMAL_SECURITY_VENDOR_CASE_CL.json Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/Sample Data/AbnormalSecurityLogs_CL.json Solutions/AbnormalSecurity/Package/testParameters.json (packaging artefacts: 3.0.0.zip, 3.0.1.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_AbnormalSecurity.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-10-pr-13709/","summary":"Added CCF Push connector with OAuth 2.0 authentication and dedicated tables for 9 event types — modern replacement for Azure Functions ingestion.","title":"Abnormal Security: New CCF Push Connector Adds Multi-Table Email Security Event Routing"},{"content":"What Changed ASIM parser for Cisco Umbrella Web Session logs moved variable declarations for src_or_any and dest_or_any from global scope into the parser function. 
Version incremented from 0.1.0 to 0.1.1.\nParser Impact The variables src_or_any and dest_or_any combine IP prefix filters (srcipaddr_has_any_prefix and ipaddr_has_any_prefix) for matching source and destination IPs. Previously declared outside the parser function, these variables were computed once with potentially stale parameter values rather than being evaluated with each parser invocation.\nThis is a data fidelity fix — queries using this parser with different IP filter parameters may have experienced incorrect filtering behavior where the wrong set of IPs was matched. The parser now correctly evaluates these variables within the function scope, ensuring IP filtering works as intended for each query execution.\nNo change to normalised field names or filter logic beyond the scope correction — safe for existing detections using this parser.\nAffected Files Parsers/ASimWebSession/ARM/vimWebSessionCiscoUmbrella/vimWebSessionCiscoUmbrella.json Parsers/ASimWebSession/CHANGELOG/vimWebSessionCiscoUmbrella.md Parsers/ASimWebSession/Parsers/vimWebSessionCiscoUmbrella.yaml ","permalink":"http://sentinelchangelog.net/posts/2026-04-09-pr-14027/","summary":"Moves critical IP filtering variables inside parser function to prevent incorrect filtering and potential data loss.","title":"Cisco Umbrella ASIM Parser: Fixing Variable Scope Bug in IP Filter Logic"},{"content":"What Changed Added complete ASIM Authentication parser support for Palo Alto PAN-OS GlobalProtect VPN events, including both parametrized (vimAuthenticationPaloAltoGlobalProtect) and unfiltered (ASimAuthenticationPaloAltoGlobalProtect) versions.\nParser Impact The new parsers normalize GlobalProtect authentication logs from the CommonSecurityLog table to the ASIM Authentication schema (v0.1.4). 
Core functionality:\nPrimary data source: CommonSecurityLog table filtering on DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"PAN-OS\" with DeviceEventClassID == \"GLOBALPROTECT\" Core logic: Parses AdditionalExtensions field extracting authentication events (gateway-login, gateway-logout, gateway-auth, portal-auth, portal-prelogin, gateway-connected) Entity mappings: Account (TargetUsername), IP (SrcIpAddr), Host (SrcHostname), URL (TargetAppName) Detection Surface Unlocked Enables standardized monitoring of:\nVPN gateway authentication events (login/logout/connect) Portal authentication and pre-login events Multiple authentication methods (LDAP, RADIUS, SAML, certificate, local-database, Kerberos, TACACS+) GlobalProtect client version and endpoint OS tracking Authentication failures with detailed error categorization No bundled detections included — parser provides data normalization foundation for custom detection development.\nAffected Files .script/tests/KqlvalidationsTests/Kqlvalidations.Tests.csproj Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json Parsers/ASimAuthentication/ARM/ASimAuthenticationPaloAltoGlobalProtect/ASimAuthenticationPaloAltoGlobalProtect.json Parsers/ASimAuthentication/ARM/ASimAuthenticationPaloAltoGlobalProtect/README.md Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json Parsers/ASimAuthentication/ARM/vimAuthenticationPaloAltoGlobalProtect/README.md Parsers/ASimAuthentication/ARM/vimAuthenticationPaloAltoGlobalProtect/vimAuthenticationPaloAltoGlobalProtect.json Parsers/ASimAuthentication/CHANGELOG/ASimAuthentication.md Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationPaloAltoGlobalProtect.md Parsers/ASimAuthentication/CHANGELOG/imAuthentication.md Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationPaloAltoGlobalProtect.md 
Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml Parsers/ASimAuthentication/Parsers/ASimAuthenticationPaloAltoGlobalProtect.yaml Parsers/ASimAuthentication/Parsers/imAuthentication.yaml Parsers/ASimAuthentication/Parsers/vimAuthenticationPaloAltoGlobalProtect.yaml Sample Data/ASIM/Palo Alto_PAN-OS_Authentication_IngestedLogs.csv ","permalink":"http://sentinelchangelog.net/posts/2026-04-09-pr-14012/","summary":"New ASIM parser normalizes GlobalProtect VPN authentication events from CommonSecurityLog table, enabling unified monitoring of gateway and portal authentication across Palo Alto PAN-OS deployments.","title":"Palo Alto GlobalProtect: New ASIM Authentication Parser for VPN Monitoring"},{"content":"What Changed Added South Africa (za) regional API endpoint configuration to the Trend Micro Vision One Function App connector, expanding regional deployment options.\nConnector Update The connector now supports an additional regional endpoint:\nNew region: South Africa (za) at https://api.za.xdr.trendmicro.com Version bump: 1.2.7 → 1.2.8 Configuration scope: Both Python configuration files and Azure deployment template updated Operational Impact Customers deploying in the South Africa region can now configure the connector to use the regional API endpoint rather than routing through other regions. 
No impact on existing deployments using other regions.\nAffected Files Solutions/Trend Micro Vision One/Data Connectors/AzureFunctionTrendMicroXDR/shared_code/configurations.py Solutions/Trend Micro Vision One/Data Connectors/AzureFunctionTrendMicroXDR/timer_trigger/__init__.py Solutions/Trend Micro Vision One/Data Connectors/AzureFunctionTrendMicroXDR/timer_trigger_oat/__init__.py Solutions/Trend Micro Vision One/Data Connectors/azuredeploy_TrendMicroVisionOne_API_FunctionApp.json (packaging artefacts: AzureFunctionTrendMicroXDR.zip) ","permalink":"http://sentinelchangelog.net/posts/2026-04-09-pr-14009/","summary":"Added South Africa (za) regional API endpoint support, expanding global deployment coverage for Trend Micro Vision One data ingestion.","title":"Trend Micro Vision One Connector: South Africa Region Support Added"},{"content":"Affected Files Solutions/Island/Data Connectors/IslandAdminAPIConnector.json Solutions/Island/Data Connectors/IslandUserAPIConnector.json Solutions/Island/Data Connectors/IslandV2_CCP/IslandV2_connectorDefinition.json (packaging artefacts: 3.2.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_Island.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-09-pr-13993/","summary":"Updated Island connector titles and descriptions to reduce confusion between legacy V1 and current V2 connectors.","title":"Island Enterprise Browser V2 Connector: Documentation Clarity Improvements"},{"content":"What Changed Regenerated package artifacts for the Visa Threat Intelligence (VTI) solution to resolve ARM template validation failures. The mainTemplate.json file contained tier field inconsistencies that caused deployment validation to fail.\nSecurity Impact (Visibility & Fidelity) This is purely a packaging fix with no impact on detection capabilities or data ingestion. The underlying Threat Intelligence connector and associated content remain unchanged. 
No blind spots created or resolved.\nAffected Files Solutions/Visa Threat Intelligence (VTI)/Package/testParameters.json (packaging artefacts: 3.0.2.zip, Solution_VTI.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-08-pr-13982/","summary":"Template validation failure fixed through package regeneration for Visa Threat Intelligence solution v3.0.2.","title":"Visa Threat Intelligence Solution: Package Artifacts Regenerated After Template Validation Failure"},{"content":"What Changed Microsoft Sentinel documentation now includes “Known Issue #10” covering the Azure Monitor Logs Ingestion API 64 KB per-field size limit that affects all data connectors using Data Collection Rules (DCRs).\nSecurity Impact (Visibility & Fidelity) This documentation addresses a significant data fidelity gap: fields containing large payloads such as ScriptContentBytes, CommandLine, RequestBody, or encoded content are silently truncated at 64 KB with no error or warning surfaced to users.\nThe impact creates detection blind spots where:\nIncomplete command line arguments may hide malicious parameters beyond the 64 KB boundary Truncated script content prevents full payload analysis for threat hunting Large request bodies in web traffic analysis lose critical attack vectors Any detection logic depending on complete field values will operate on partial data Operational Guidance The documentation provides SOC teams with:\nClarification that DCRLogErrors table will not show truncation events (silent failure) KQL heuristic using strlen() approximation to identify potentially affected records Source system mitigation strategies (field splitting, payload summarization) Platform limitation acknowledgment with reference to Azure Monitor service limits This is a documentation-only change with no code modifications to connector logic.\nAffected Files Solutions/known_issues.md 
","permalink":"http://sentinelchangelog.net/posts/2026-04-08-pr-14008/","summary":"Microsoft Sentinel now documents a critical platform limitation where individual fields exceeding 64 KB are silently truncated during ingestion, creating blind spots in large payload analysis.","title":"Data Connector 64 KB Field Truncation: Silent Data Loss Risk Documented"},{"content":"What Changed The CI pipeline’s parser validation database was updated to include four previously missing ASIM schemas: AlertEvent, AssetEntity, DhcpEvent, and UserManagement. These schemas now have their KQL validated when PRs are submitted.\nSecurity Impact (Validation Coverage) Prior to this fix, parsers implementing these four ASIM schemas bypassed automated KQL validation during the PR process. This created a blind spot where syntax errors, logic flaws, or security-relevant parsing issues could reach production without automated detection.\nThe missing schemas were:\nASimAlertEvent (_Im_AlertEvent sample function) ASimAssetEntity (_Im_AssetEntity sample function) ASimDhcpEvent (_Im_DhcpEvent sample function) ASimUserManagement (_Im_UserManagement sample function) Parsers implementing these schemas will now undergo the same rigorous KQL validation as other ASIM schemas, reducing the risk of deployment failures and data ingestion issues.\nAffected Files .script/tests/KqlvalidationsTests/FunctionSchemasLoaders/ParsersDatabase.cs ","permalink":"http://sentinelchangelog.net/posts/2026-04-08-pr-14011/","summary":"Four ASIM schemas missing from KQL validation pipeline now included, preventing unvalidated parser deployments.","title":"ASIM Parser Validation: Critical Schemas Added to CI Pipeline"},{"content":"What Changed Updated stream declarations in the Atlassian Confluence Audit CCF Data Connector DCR configuration to align with expected naming conventions and corrected column mappings.\nSecurity Impact (Visibility & Fidelity) The DCR stream declaration error caused the connector 
to fail at creation — zero audit data was ingested by affected deployments since installation. This represents a complete blind spot for Confluence security monitoring including administrative actions, permission changes, and content access patterns.\nKey fixes include:\nStream name corrected from Custom-ConfluenceAuditLogs to Custom-ConfluenceAuditLogs_CL to match expected naming convention Column mapping correction for affectedObject.objectType field (was using .type instead of .objectType) Enhanced TimeGenerated logic with null handling for missing creationDate values Sample query improvement replacing OriginalEventUid with Category for better user guidance The connector now properly ingests Confluence audit events to the ConfluenceAuditLogs_CL table, restoring visibility into user activities, administrative changes, and potential security incidents within Confluence environments.\nAffected Files Solutions/AtlassianConfluenceAudit/Data Connectors/AtlassianConfluenceAuditLogs_CCP/AtlassianConfluenceAudit_DCR.json Solutions/AtlassianConfluenceAudit/Data Connectors/AtlassianConfluenceAuditLogs_CCP/AtlassianConfluenceAudit_DataConnectorDefinition.json Solutions/AtlassianConfluenceAudit/Data Connectors/AtlassianConfluenceAuditLogs_CCP/AtlassianConfluenceAudit_PollingConfig.json Solutions/AtlassianConfluenceAudit/Data Connectors/AtlassianConfluenceAuditLogs_CCP/AtlassianConfluenceAudit_table.json (packaging artefacts: 3.0.7.zip, ReleaseNotes.md, Solution_AtlassianConfluenceAudit.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-08-pr-14010/","summary":"CCF connector repair resolves stream naming mismatch that prevented audit data ingestion in affected deployments.","title":"Atlassian Confluence Audit: Critical DCR Fix Restores Data Ingestion After Stream Declaration Error"},{"content":"What Changed Version 3.0.1 of the SOC Prime CCF solution adds three new Analytic Rules for detecting security-relevant 
administrative activities and suspicious authentication events within the SOC Prime platform.\nDetection Logic The new rules query the SOCPrimeAuditLogs_CL table:\nSOC Prime Deleted Custom Field Mapping Profile:\nDetects deletion of Custom Field Mapping profiles (EventName == \"Deleted a Custom Field Mapping profile\") Maps to MITRE T1562.001 (Disable or Modify Tools) Medium severity with Defense Evasion tactic SOC Prime Deleted Tenant:\nDetects tenant deletion events (EventName == \"Deleted a Tenant\") Maps to MITRE T1562.001 (Disable or Modify Tools) Medium severity with Defense Evasion tactic Successful Logins from Bad IP Addresses:\nCross-references successful logins against a blacklist watchlist of malicious IPs Maps to MITRE T1078 (Valid Accounts) Medium severity with Initial Access tactic Uses _GetWatchlist('blacklistOfIps') to identify known malicious source IPs MITRE Mapping T1078 (Valid Accounts): Login detection from known malicious IPs T1562.001 (Impair Defenses: Disable or Modify Tools): Administrative deletion events that could impact security monitoring capabilities All rules include entity mappings for Account (UserName) and IP (SourceIp) to enable enrichment and correlation with other security events.\nAffected Files .script/tests/KqlvalidationsTests/CustomTables/SOCPrimeAuditLogs_CL.json .script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json Solutions/SOC Prime CCF/Analytic Rules/SOCPrimeDeletedCustomFieldMappingProfile.yaml Solutions/SOC Prime CCF/Analytic Rules/SOCPrimeDeletedTenant.yaml Solutions/SOC Prime CCF/Analytic Rules/SuccessLoginFromBadIp.yaml Solutions/SOC Prime CCF/Data Connectors/SOCPrime_ccp/SOCPrime_DataConnectorDefinition.json (packaging artefacts: 3.0.1.zip, ReleaseNotes.md, Solution_SOCPrimeAuditLogs.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-08-pr-13636/","summary":"SOC Prime solution 
adds Analytic Rules detecting platform administration events including tenant deletion and successful logins from malicious IPs.","title":"SOC Prime CCF: Three New Detection Rules for Platform Security Events"},{"content":"What Changed New Microsoft Sentinel solution for Citrix Analytics has been added, providing a CCF push connector that ingests Citrix Analytics data (SPA, Security) via the Azure Monitor Logs Ingestion API.\nData Source The connector ingests security analytics data from Citrix Analytics, including:\nSPA (Security Performance Analytics) Events CVAD (Citrix Virtual Apps and Desktops) Events Risk Score Changes Indicator Event Details and Summaries User Profile data Ingestion Mechanism Push-based CCF connector using Azure Monitor Logs Ingestion API with DCR-based data transformation. The connector creates six custom log tables:\nCustom-CitrixAnalytics_SPA_Events_V1_CL Custom-CitrixAnalytics_CVAD_Events_V1_CL Custom-CitrixAnalytics_indicatorSummary_V1_CL Custom-CitrixAnalytics_indicatorEventDetails_V1_CL Custom-CitrixAnalytics_riskScoreChange_V1_CL Custom-CitrixAnalytics_userProfile_V1_CL Detection Surface Unlocked With this connector, security teams gain visibility into:\nCitrix Virtual Apps and Desktops access patterns and security events User risk score changes and security analytics indicators Clipboard operations, file downloads, and session monitoring Identity-based authentication and access events Device posture and endpoint information for virtual desktop sessions The solution includes a comprehensive workbook for visualizing Citrix Analytics data across these security domains.\nAffected Files Logos/citrix_logo.svg Solutions/Citrix Analytics CCF/Data Connectors/CitrixAnalytics_CCF/CitrixAnalytics_DCR.json Solutions/Citrix Analytics CCF/Data Connectors/CitrixAnalytics_CCF/CitrixAnalytics_Definition.json Solutions/Citrix Analytics CCF/Data Connectors/CitrixAnalytics_CCF/CitrixAnalytics_dataConnector.json Solutions/Citrix Analytics CCF/Data 
Connectors/CitrixAnalytics_CCF/CitrixAnalytics_tableCVADEvents.json Solutions/Citrix Analytics CCF/Data Connectors/CitrixAnalytics_CCF/CitrixAnalytics_tableIndicatorEventDetails.json Solutions/Citrix Analytics CCF/Data Connectors/CitrixAnalytics_CCF/CitrixAnalytics_tableIndicatorSummary.json Solutions/Citrix Analytics CCF/Data Connectors/CitrixAnalytics_CCF/CitrixAnalytics_tableRiskScoreChange.json Solutions/Citrix Analytics CCF/Data Connectors/CitrixAnalytics_CCF/CitrixAnalytics_tableSPAEvents.json Solutions/Citrix Analytics CCF/Data Connectors/CitrixAnalytics_CCF/CitrixAnalytics_tableUserProfile.json Solutions/Citrix Analytics CCF/Package/testParameters.json Solutions/Citrix Analytics CCF/Workbooks/CitrixAnalytics.json Solutions/Citrix Analytics CCF/Workbooks/Images/Preview/CitrixAnalyticsBlack1.png Solutions/Citrix Analytics CCF/Workbooks/Images/Preview/CitrixAnalyticsBlack2.png Solutions/Citrix Analytics CCF/Workbooks/Images/Preview/CitrixAnalyticsBlack3.png Solutions/Citrix Analytics CCF/Workbooks/Images/Preview/CitrixAnalyticsWhite1.png Solutions/Citrix Analytics CCF/Workbooks/Images/Preview/CitrixAnalyticsWhite2.png Solutions/Citrix Analytics CCF/Workbooks/Images/Preview/CitrixAnalyticsWhite3.png Workbooks/Images/Preview/CitrixAnalyticsBlack1.png Workbooks/Images/Preview/CitrixAnalyticsBlack2.png Workbooks/Images/Preview/CitrixAnalyticsBlack3.png Workbooks/Images/Preview/CitrixAnalyticsWhite1.png Workbooks/Images/Preview/CitrixAnalyticsWhite2.png Workbooks/Images/Preview/CitrixAnalyticsWhite3.png Workbooks/WorkbooksMetadata.json (packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_CitrixAnalytics.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-08-pr-13918/","summary":"New Citrix Analytics CCF solution provides push-based ingestion for SPA and CVAD security events via Azure Monitor Logs Ingestion API.","title":"Citrix Analytics: New CCF Push Connector Enables Security 
Analytics Visibility"},{"content":"What Changed The SAP Reader role (MSFTSEN_SENTINEL_READER) was enhanced by significantly reducing required permissions for the agentless connector, streamlining from 137 authorization entries to 52 entries.\nSecurity Impact (Visibility & Fidelity) This is a positive security improvement implementing least-privilege access principles. The agentless connector now requires fewer SAP authorizations while maintaining the same monitoring and threat detection capabilities.\nKey improvements:\nReduced attack surface: Fewer RFC function calls and authorization objects required Simplified deployment: Easier approval process for SAP administrators due to minimal permission requirements Maintained coverage: Full audit log ingestion and security monitoring capabilities preserved SOC teams continue to receive the same SAP audit data for threat hunting and incident response. The change only affects the connector’s authentication footprint within the SAP environment, not the data visibility in Sentinel.\nAffected Files Solutions/SAP/Sample Authorizations Role File/MSFTSEN_SENTINEL_READER.SAP Tools/Solutions Analyzer/solutions_connectors_tables_issues_and_exceptions_report.csv ","permalink":"http://sentinelchangelog.net/posts/2026-04-08-pr-14002/","summary":"SAP Reader role permissions significantly reduced for agentless connector, implementing least-privilege access while maintaining monitoring capabilities.","title":"SAP Agentless Connector: Reduced Permission Model for Enhanced Security"},{"content":"What Changed Removed redundant \"excludeFields\": [] property from TheHive CCF polling configuration to resolve ARM Template Toolkit (ARM-TTK) validation warnings.\nSecurity Impact No security impact — this is a configuration cleanup that removes an unused/empty field flagged by deployment validation tooling. 
The TheHive connector continues to ingest security incident and case management data with the same functionality.\nThe connector maintains its ability to collect case lifecycle events, investigation artifacts, and incident response workflows from TheHive platforms for security orchestration visibility in Sentinel.\nAffected Files Solutions/TheHive/Data Connectors/CCF/PollingConfig.json (packaging artefacts: 3.0.2.zip, ReleaseNotes.md, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-08-pr-13997/","summary":"Removed redundant configuration field from TheHive CCF connector to resolve ARM-TTK validation warnings and ensure clean deployment.","title":"TheHive Connector: ARM Template Validation Fix"},{"content":"What Changed Azure Resource Graph data connector updated table labels from generic names (e.g., \u0026ldquo;Resources\u0026rdquo;, \u0026ldquo;Resource Containers\u0026rdquo;) to standardized prefixed names (e.g., \u0026ldquo;ARGResources\u0026rdquo;, \u0026ldquo;ARGResourceContainers\u0026rdquo;) to align with Table Management conventions.\nSecurity Impact No functional security impact — this is a naming standardization that improves query consistency. 
SOC teams referencing Azure Resource Graph tables in KQL queries should verify table names align with these updated labels:\n\u0026ldquo;Resources\u0026rdquo; → \u0026ldquo;ARGResources\u0026rdquo; \u0026ldquo;Resource Containers\u0026rdquo; → \u0026ldquo;ARGResourceContainers\u0026rdquo; \u0026ldquo;Authorization Resources\u0026rdquo; → \u0026ldquo;ARGAuthorizationResources\u0026rdquo; \u0026ldquo;Role Definitions\u0026rdquo; → \u0026ldquo;ARGRoleDefinitions\u0026rdquo; The connector continues to provide the same Azure infrastructure visibility for cloud security posture monitoring and compliance tracking.\nAffected Files Solutions/Azure Resource Graph/Data Connectors/AzureResourceGraph_DataConnectorDefinition.json (packaging artefacts: 3.0.2.zip, ReleaseNotes.md, Solution_AzureResourceGraph.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-08-pr-13971/","summary":"Azure Resource Graph connector updated table labels to align with Table Management naming conventions, ensuring consistent query references.","title":"Azure Resource Graph: Table Name Standardization for Query Consistency"},{"content":"What Changed Two SAP solutions (LogServ and S4 Cloud Public Edition) had their preview flags removed after successful customer deployments, marking their transition to production-ready status.\nSecurity Impact No immediate security impact — this is a product maturity milestone rather than functional change. 
Both connectors continue to provide the same SAP audit log and infrastructure monitoring capabilities, but now with production support guarantees.\nThe connectors enable visibility into:\nSAP LogServ infrastructure events and system health metrics SAP S/4HANA Cloud audit events and user activity monitoring Both solutions continue to populate their respective custom log tables with SAP telemetry for threat detection and compliance monitoring.\nAffected Files Solutions/SAP LogServ/Data Connectors/SAPLogServ.json Solutions/SAP LogServ/Data Connectors/SAPLogServ_PUSH_CCP/SAPLogServ_connectorDefinition.json Solutions/SAP S4 Cloud Public Edition/Data Connectors/SAPS4PublicPollerConnector/SAPS4Public_connectorDefinition.json Tools/Solutions Analyzer/solutions_connectors_tables_issues_and_exceptions_report.csv (packaging artefacts: 3.0.3.zip, 3.0.5.zip, ReleaseNotes.md, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-08-pr-13960/","summary":"Two SAP solutions transitioned from preview to production-ready status, unlocking stable SAP audit and infrastructure log ingestion.","title":"SAP Solutions: Production-Ready Status After Preview Removal"},{"content":"What Changed Added comprehensive ASIM Authentication parser support for VMware vCenter, introducing both full (ASimAuthenticationVMwareVCenter) and filtering (vimAuthenticationVMwareVCenter) parsers that normalize vCenter authentication events to the ASIM Authentication schema v0.1.4.\nData Sources The parser supports VMware vCenter logs ingested via:\nOn-premises vCenter: Syslog via AMA agent through DCR into vcenter_CL table Azure VMware Solution: Native Azure VMware syslog into AVSVcSyslog table Detection Logic Primary data sources: vcenter_CL and AVSVcSyslog tables Core logic: Parses structured vCenter event messages to extract authentication events (UserLoginSessionEvent/UserLogoutSessionEvent) with user identity, source IP, user agent, and session metadata Entity 
types mapped: Account (ActorUsername), IP (SrcIpAddr), and session context Authentication Event Coverage This parser normalizes two critical vCenter authentication event types:\nLogon events (vim.event.UserLoginSessionEvent): Captures successful user authentication with source IP and user agent Logoff events (vim.event.UserLogoutSessionEvent): Tracks session termination with login duration and API invocation metrics The parser enables detection of unauthorized vCenter access, privilege escalation attempts, and suspicious administrative activity across both on-premises and Azure VMware environments.\nSecurity Impact Addresses authentication monitoring blind spot for VMware vCenter environments. Organizations running vSphere infrastructure can now apply ASIM-based authentication detections to monitor administrative access patterns, detect lateral movement through vCenter, and identify suspicious authentication behaviors targeting virtualization infrastructure.\nAffected Files .script/tests/KqlvalidationsTests/CustomTables/AVSVcSyslog.json .script/tests/KqlvalidationsTests/CustomTables/vcenter_CL.json ASIM/dev/ASimTester/ASimTester.csv Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json Parsers/ASimAuthentication/ARM/ASimAuthentication/README.md Parsers/ASimAuthentication/ARM/ASimAuthenticationVMwareVCenter/ASimAuthenticationVMwareVCenter.json Parsers/ASimAuthentication/ARM/ASimAuthenticationVMwareVCenter/README.md Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json Parsers/ASimAuthentication/ARM/vimAuthenticationVMwareVCenter/README.md Parsers/ASimAuthentication/ARM/vimAuthenticationVMwareVCenter/vimAuthenticationVMwareVCenter.json Parsers/ASimAuthentication/CHANGELOG/ASimAuthentication.md Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationVMwareVCenter.md Parsers/ASimAuthentication/CHANGELOG/imAuthentication.md 
Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationVMwareVCenter.md Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml Parsers/ASimAuthentication/Parsers/ASimAuthenticationVMwareVCenter.yaml Parsers/ASimAuthentication/Parsers/imAuthentication.yaml Parsers/ASimAuthentication/Parsers/vimAuthenticationVMwareVCenter.yaml ","permalink":"http://sentinelchangelog.net/posts/2026-04-07-pr-13929/","summary":"New ASIM parser normalizes VMware vCenter authentication events from syslog streams to enable detection coverage across vSphere environments.","title":"ASIM Authentication Schema: VMware vCenter Parser Enables Authentication Monitoring for On-Premises and Azure VMware Environments"},{"content":"What Changed Fixed ARM template deployment failure in the Cyren-SentinelOne threat intelligence connector that was preventing successful installation from Content Hub. The inner Logic App template had an invalid variable reference causing InvalidTemplate errors during deployment.\nSecurity Impact Every attempt to install version 3.0.0 from Content Hub failed with an InvalidTemplate error, so the connector could not be deployed at all and no Cyren threat intelligence was ingested. Because the error occurred during the initial deployment phase, affected organizations had no Cyren threat intelligence visibility in their Sentinel workspace.\nThe fix ensures the Logic App playbook can properly reference the target Log Analytics workspace during ARM template evaluation, restoring the ability to:\nIngest Cyren threat intelligence indicators via CCF polling Push IOCs to SentinelOne via their Threat Intelligence API Maintain 6-hour recurrence for fresh threat data Technical Details The root cause was an ARM template variable evaluation scope issue in the inner Logic App template. 
The workspaceResourceId variable referenced the workspace parameter directly inside a double-bracket expression. Double brackets defer evaluation to the inner (nested) template, which does not have that parameter, so the reference was never resolved and was inlined as a bare identifier, which is what produced the InvalidTemplate error.\nThe fix adopts the same pattern used in the verified TacitRed-SentinelOne connector: the inner template references a workspace-name variable instead, and that variable is assigned the workspace parameter in a single-bracket expression, so it is evaluated in the outer scope where the parameter exists.\nAffected Files Solutions/Cyren-SentinelOne-ThreatIntelligence/Playbooks/CyrenToSentinelOne_Playbook.json (packaging artefacts: 3.0.1.zip, ReleaseNotes.md, Solution_CyrenSentinelOne.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-07-pr-13990/","summary":"Critical deployment fix for Cyren-SentinelOne connector that was failing ARM template validation in Content Hub, preventing threat intelligence data ingestion.","title":"Cyren-SentinelOne Connector: Restoring Threat Intelligence Deployment After ARM Template Failure"},{"content":"What Changed D3 Security updated their Smart SOAR solution from version 3.1.0 to 3.2.0, primarily to address Content Hub compatibility. The core change is migrating from a Managed Application plan type to a Solution Template plan type in Partner Center, necessitating a new offer ID: azure-sentinel-solution-d3smartsoar (previously azure-sentinel-solution-d3soar).\nSolution Impact New Solution Identity: This creates a new solution identity in Content Hub. Existing D3 Smart SOAR deployments will not receive updates through the previous offer ID. Organizations currently using the solution will need to deploy the new version separately, creating potential duplication until the legacy version is removed.\nNo Functional Changes: The underlying connector logic, polling configuration, and data ingestion remain unchanged. 
The D3SOARIncidents_CL table structure and 5-minute polling interval are preserved from version 3.1.0.\nSupport URL Updated: Contact endpoint changed to https://d3security.com/company/contact/ for future support requests.\nDeployment Considerations Organizations should:\nDeploy the new 3.2.0 solution alongside existing installations Verify no data collection gaps during transition Remove legacy D3 Smart SOAR solution after confirming new version functionality Update any automation or documentation referencing the previous offer ID Affected Files Solutions/D3SmartSOAR/README.md (packaging artefacts: 3.2.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_D3SOAR.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-07-pr-13962/","summary":"D3 Security migrates from Managed Application to Solution Template plan type, requiring new offer ID and deployment procedures.","title":"D3 Smart SOAR: New Content Hub Solution Template Deployment Model"},{"content":"What Changed Expanded the EntitySource field enumeration in the ASIM AssetEntity schema to include three additional data platform sources: Snowflake, Databricks, and Salesforce. This extends the existing list (Azure, Microsoft365, GCP, AWS, Other) to support broader asset inventory tracking.\nSchema Impact The ASimTester validation framework now recognizes these data platforms as valid EntitySource values, enabling proper validation of ASIM parsers that track assets from cloud data warehouses and CRM platforms. No existing validation logic is disrupted — this is purely additive to the enumerated values.\nNo change to existing field names, filter logic, or parser behavior. 
Safe for all current ASIM consumers and parsers.\nAffected Files ASIM/dev/ASimTester/ASimTester.csv ","permalink":"http://sentinelchangelog.net/posts/2026-04-07-pr-13999/","summary":"ASimTester validation schema adds Snowflake, Databricks, and Salesforce to AssetEntity EntitySource enumeration for broader data platform asset tracking.","title":"ASIM Schema: Enhanced EntitySource Coverage for Data Platform Assets"},{"content":"What Changed Added a new ASIM authentication parser for Cisco IOS devices that normalizes authentication events from syslog messages into the ASIM Authentication schema.\nParser Logic The parser processes three distinct syslog patterns from the standard Syslog table:\nLogin Success: %SEC_LOGIN-5-LOGIN_SUCCESS events with username, source IP, and local port extraction Login Failure: %SEC_LOGIN-4-LOGIN_FAILED events including failure reason parsing Logout: %SYS-6-LOGOUT events tracking user session termination Field mappings include username normalization, source IP/port extraction, severity level translation via _ASIM_LookupSyslogSeverityLevel, and standard ASIM schema compliance with event categorization (Logon/Logoff) and result status (Success/Failure).\nSecurity Impact Network administrators can now query Cisco IOS authentication events through the unified ASIM interface, enabling correlation of router/switch access attempts with other authentication sources. 
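The normalization this post describes, as an added Python example that is not part of the Sentinel repository or of the Cisco IOS parser itself: it runs the three documented message types through an ASIM Authentication-shaped mapping and drops everything else. The sample syslog lines are constructed to follow the Cisco IOS message layouts, the severity table is written here to mirror the intent of _ASIM_LookupSyslogSeverityLevel rather than copied from it, and the localport value is kept in AdditionalFields because the example does not assume a dedicated ASIM port field for it.

```python
# Added example, not from the Sentinel repository: a Python model of the normalization an
# ASIM Authentication parser performs on Cisco IOS syslog, run over constructed sample lines.
from typing import Optional

# Assumed syslog severity (0-7) to ASIM EventSeverity table, written to mirror the intent of
# _ASIM_LookupSyslogSeverityLevel; it is not copied from that function.
SEVERITY_TO_ASIM = {0: 'High', 1: 'High', 2: 'High', 3: 'Medium', 4: 'Low',
                    5: 'Informational', 6: 'Informational', 7: 'Informational'}


def _split_mnemonic(head: str):
    # '%SEC_LOGIN-5-LOGIN_SUCCESS' -> ('SEC_LOGIN', 5, 'LOGIN_SUCCESS'); None if malformed.
    parts = head.lstrip('%').split('-', 2)
    if len(parts) != 3 or not parts[1].isdigit():
        return None
    return parts[0], int(parts[1]), parts[2]


def _bracket_fields(text: str) -> dict:
    # Collect every '[key: value]' pair from the message body (user, Source, localport, Reason).
    fields = {}
    pos = 0
    while True:
        start = text.find('[', pos)
        end = text.find(']', start) if start >= 0 else -1
        if end < 0:
            return fields
        key, sep, value = text[start + 1:end].partition(':')
        if sep:
            fields[key.strip().lower()] = value.strip()
        pos = end + 1


def normalize_cisco_ios_auth(syslog_message: str) -> Optional[dict]:
    # Returns an ASIM Authentication-shaped record, or None for non-authentication messages.
    # Anything before the '%FACILITY-SEV-MNEMONIC' head (timestamps, sequence numbers) is ignored.
    if '%' not in syslog_message:
        return None
    head, sep, body = syslog_message[syslog_message.find('%'):].partition(': ')
    parsed = _split_mnemonic(head) if sep else None
    if parsed is None:
        return None
    facility, sev, mnemonic = parsed
    record = {
        'EventVendor': 'Cisco', 'EventProduct': 'IOS', 'EventSchema': 'Authentication',
        'EventOriginalType': mnemonic, 'EventOriginalSeverity': str(sev),
        'EventSeverity': SEVERITY_TO_ASIM.get(sev, 'Informational'),
        'ActorUsernameType': 'Simple',
    }
    if facility == 'SEC_LOGIN' and mnemonic in ('LOGIN_SUCCESS', 'LOGIN_FAILED'):
        f = _bracket_fields(body)
        record.update({
            'EventType': 'Logon',
            'EventResult': 'Success' if mnemonic == 'LOGIN_SUCCESS' else 'Failure',
            'ActorUsername': f.get('user', ''),
            'SrcIpAddr': f.get('source', ''),
            'AdditionalFields': {'localport': f.get('localport', '')},
        })
        if mnemonic == 'LOGIN_FAILED':
            record['EventOriginalResultDetails'] = f.get('reason', '')
        return record
    if facility == 'SYS' and mnemonic == 'LOGOUT':
        # Body shape: 'User admin has exited tty session 2(10.20.30.40)'
        user = body.split(' has exited', 1)[0].replace('User ', '', 1).strip()
        src = body.rsplit('(', 1)[1].rstrip(')') if '(' in body else ''
        record.update({'EventType': 'Logoff', 'EventResult': 'Success',
                       'ActorUsername': user, 'SrcIpAddr': src})
        return record
    return None


def normalize_many(lines):
    return [r for r in (normalize_cisco_ios_auth(line) for line in lines) if r]


# Constructed sample lines following the documented Cisco IOS message layouts.
SAMPLE_LINES = [
    '000045: Mar 4 10:02:33.101: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.20.30.40] [localport: 22] at 10:02:33 UTC Mon Mar 4 2024',
    '%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 10:03:10 UTC Mon Mar 4 2024',
    '%SYS-6-LOGOUT: User admin has exited tty session 2(10.20.30.40)',
    '%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up',
]

if __name__ == '__main__':
    for rec in normalize_many(SAMPLE_LINES):
        print(rec['EventType'], rec['EventResult'], rec['ActorUsername'],
              rec['SrcIpAddr'], rec['EventSeverity'])
```

The interface-state line is the point of the last sample: a parser scoped to SEC_LOGIN and SYS-6-LOGOUT must return nothing for it rather than a half-filled record, otherwise every other Syslog row from the device would surface as an authentication event.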
This addresses a visibility gap for network infrastructure authentication monitoring — particularly valuable for detecting lateral movement targeting network device management interfaces.\nAffected Files .script/tests/KqlvalidationsTests/CustomFunctions/_ASIM_LookupSyslogSeverityLevel.json ASIM/dev/ASimTester/ASimTester.csv Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoIOS/ASimAuthenticationCiscoIOS.json Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoIOS/README.md Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoIOS/README.md Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoIOS/vimAuthenticationCiscoIOS.json Parsers/ASimAuthentication/CHANGELOG/ASimAuthentication.md Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationCiscoIOS.md Parsers/ASimAuthentication/CHANGELOG/imAuthentication.md Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationCiscoIOS.md Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml Parsers/ASimAuthentication/Parsers/ASimAuthenticationCiscoIOS.yaml Parsers/ASimAuthentication/Parsers/imAuthentication.yaml Parsers/ASimAuthentication/Parsers/vimAuthenticationCiscoIOS.yaml ","permalink":"http://sentinelchangelog.net/posts/2026-04-06-pr-13966/","summary":"ASIM authentication parser for Cisco IOS enables normalized monitoring of login, logout, and failed authentication events from network infrastructure devices.","title":"Cisco IOS: New ASIM Authentication Parser for Network Device Login Monitoring"},{"content":"What Changed The ASIM AssetEntity schema definition in the ASimTester validation framework has been updated to:\nMake EntitySource enumerated: Previously a free-form string field, EntitySource now enforces specific values: Azure, Microsoft365, GCP, AWS, Other Add EntityOriginalSource field: New optional 
string field for tracking the original data source identifier Schema Impact These changes affect how asset entities are normalized in ASIM-compliant parsers and how validation testing occurs:\nEntitySource enumeration: Parsers must now map asset sources to the predefined cloud platform values (Azure|Microsoft365|GCP|AWS|Other). This standardizes asset origin classification across different data sources. EntityOriginalSource: Provides a new field to preserve the original source system identifier when EntitySource is normalized to a standard value. No change to existing normalized field names — safe for current detections using ASIM asset parsers. However, parsers populating EntitySource with custom values will need updates to comply with the enumeration.\nAffected Files ASIM/dev/ASimTester/ASimTester.csv ","permalink":"http://sentinelchangelog.net/posts/2026-04-06-pr-13996/","summary":"ASIM AssetEntity schema now enforces cloud platform enumeration and adds source traceability field.","title":"ASIM AssetEntity Schema: EntitySource Enumeration and EntityOriginalSource Added"},{"content":"What Changed The Alibaba Cloud Networking CCF connector\u0026rsquo;s UI interface was missing graph chart configurations for two data streams that were added in v3.0.0. This PR adds the missing visualization queries for WAF Logs (AlibabaCloudWAFLogs table) and API Gateway Logs (AlibabaCloudAPIGatewayLogs table) to the connector definition.\nSecurity Impact (Visibility \u0026amp; Fidelity) This was a UI-only issue affecting the Data Connector configuration page. The underlying data ingestion for WAF and API Gateway logs was functioning correctly — deployments were receiving this data into the correct Sentinel tables. 
However, administrators configuring or validating the connector would not see these data streams represented in the interface charts, potentially causing confusion about connector health.\nThe fix restores proper visibility into data flow metrics for:\nWAF security events and access logs API Gateway request/response logs and security events Data collection and detection capabilities were unaffected.\nAffected Files Solutions/Alibaba Cloud Networking/Data Connectors/AlibabaCloudNetworking_CCP/AlibabaCloudNetworking_ConnectorDefinition.json (packaging artefacts: 3.0.1.zip, ReleaseNotes.md, Solution_Alibaba Cloud Networking.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-06-pr-13995/","summary":"UI graph charts for WAF and API Gateway data streams were broken in the connector interface since v3.0.0 launch.","title":"Alibaba Cloud Networking: Missing Data Stream Visualization Restored"},{"content":"What Changed Added ASIM NetworkSession parsers for Check Point Smart Defense logs, enabling normalized analysis of threat prevention events from Check Point Smart Defense appliances through CEF Data Connector.\nParser Impact The new parsers (ASimNetworkSessionCheckPointSmartDefense and vimNetworkSessionCheckPointSmartDefense) normalize Check Point Smart Defense logs to the ASIM NetworkSession schema version 0.2.7. 
Key field mappings include:\nNetwork connection metadata (source/destination IPs, ports, protocols) Threat prevention rule names and IDs from Smart Defense policies Protection types and confidence scores (0-5 scale mapped to 0-100%) Device actions (Reject→Deny, Accept→Allow, Prevent→Deny, Detect→Deny) Note that Detect is normalized to Deny even though a Check Point detect-only protection logs the traffic without blocking it, so queries that filter on DvcAction == Allow to find sessions that actually reached their destination will not surface detect-mode events; for that distinction, check the vendor\u0026rsquo;s original action string rather than DvcAction alone. The parsers extract threat intelligence fields including protection names, attack information, and confidence levels for enhanced threat context.\nSecurity Impact Queries referencing ASIM NetworkSession fields against Check Point Smart Defense data now return normalized results instead of null - this closes a data fidelity gap for environments using Smart Defense threat prevention. SOC teams can now use source-agnostic detections and hunting queries that work across multiple firewall vendors including Check Point Smart Defense.\nAffected Files ASIM/dev/ASimTester/ASimTester.csv Parsers/ASimNetworkSession/ARM/ASimNetworkSession/ASimNetworkSession.json Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCheckpointSmartDefense/ASimNetworkSessionCheckpointSmartDefense.json Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCheckpointSmartDefense/README.md Parsers/ASimNetworkSession/ARM/FullDeploymentNetworkSession.json Parsers/ASimNetworkSession/ARM/imNetworkSession/imNetworkSession.json Parsers/ASimNetworkSession/ARM/vimNetworkSessionCheckpointSmartDefense/README.md Parsers/ASimNetworkSession/ARM/vimNetworkSessionCheckpointSmartDefense/vimNetworkSessionCheckpointSmartDefense.json Parsers/ASimNetworkSession/CHANGELOG/ASimNetworkSession.md Parsers/ASimNetworkSession/CHANGELOG/ASimNetworkSessionCheckPointSmartDefense.md Parsers/ASimNetworkSession/CHANGELOG/imNetworkSession.md Parsers/ASimNetworkSession/CHANGELOG/vimNetworkSessionCheckPointSmartDefense.md Parsers/ASimNetworkSession/Parsers/ASimNetworkSession.yaml Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionCheckpointSmartDefense.yaml Parsers/ASimNetworkSession/Parsers/imNetworkSession.yaml 
Parsers/ASimNetworkSession/Parsers/vimNetworkSessionCheckpointSmartDefense.yaml Parsers/ASimNetworkSession/Parsers/vimNetworkSessionCorelightZeek.yaml ","permalink":"http://sentinelchangelog.net/posts/2026-04-06-pr-13950/","summary":"New ASIM NetworkSession parser adds Check Point Smart Defense logs to normalized threat monitoring and detection coverage.","title":"Check Point Smart Defense: ASIM NetworkSession Parser Expands Threat Prevention Visibility"},{"content":"What Changed Fixed a critical typo in the Claroty threat detection Analytic Rule where \u0026ldquo;Treat\u0026rdquo; was incorrectly used instead of \u0026ldquo;Threat\u0026rdquo; in multiple locations, updating the rule from version 1.0.3 to 1.0.4.\nDetection Logic Primary data source: ClarotyEvent table Core logic: Filters events where EventOriginalType or EventType has the whole term \u0026ldquo;Threat\u0026rdquo; (previously \u0026ldquo;Treat\u0026rdquo;), then projects TimeGenerated and DstIpAddr for IP entity mapping Entity mapping: IP addresses from DstIpAddr field\nSecurity Impact This was a detection coverage gap. The original rule searched for EventOriginalType has \u0026lsquo;Treat\u0026rsquo; or EventType has \u0026lsquo;Treat\u0026rsquo;; because KQL has matches whole terms, the misspelled term could never match a genuine Claroty threat event, and the rule returned no results. 
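Why the typo matched nothing, as an added Python example that emulates the KQL has operator; it is not the Claroty rule itself, and the ClarotyEvent rows below are constructed, with event type strings chosen for illustration rather than taken from Claroty. has is a case-insensitive whole-term match, so Treat never matches Threat, and, as the last row shows, neither does Threat match ThreatIntel, which a contains filter would.

```python
# Added example, not the Claroty rule: a Python emulation of the KQL has operator,
# run over constructed ClarotyEvent-shaped rows to show what each spelling matches.

def kql_has(text: str, term: str) -> bool:
    # KQL has: case-insensitive match against whole terms. Kusto splits terms on
    # non-alphanumeric characters; this approximation does the same.
    tokens = ''.join(ch if ch.isalnum() else ' ' for ch in text).lower().split()
    return term.lower() in tokens


def kql_contains(text: str, term: str) -> bool:
    # KQL contains: case-insensitive substring match, shown for comparison.
    return term.lower() in text.lower()


def run_threat_rule(events, term: str):
    # Same shape as the analytic rule: filter on EventOriginalType or EventType,
    # then project TimeGenerated and DstIpAddr for the IP entity mapping.
    return [(e['TimeGenerated'], e['DstIpAddr']) for e in events
            if kql_has(e['EventOriginalType'], term) or kql_has(e['EventType'], term)]


# Constructed rows; the event type strings are illustrative, not Claroty values.
SAMPLE_EVENTS = [
    {'TimeGenerated': '2026-04-06T08:00:00Z', 'EventOriginalType': 'Threat Detected',
     'EventType': 'Alert', 'DstIpAddr': '10.10.5.20'},
    {'TimeGenerated': '2026-04-06T08:05:00Z', 'EventOriginalType': 'Baseline Deviation',
     'EventType': 'Threat', 'DstIpAddr': '10.10.5.21'},
    {'TimeGenerated': '2026-04-06T08:07:00Z', 'EventOriginalType': 'Policy Violation',
     'EventType': 'Configuration', 'DstIpAddr': '10.10.5.22'},
    {'TimeGenerated': '2026-04-06T08:09:00Z', 'EventOriginalType': 'ThreatIntel Match',
     'EventType': 'Alert', 'DstIpAddr': '10.10.5.23'},
]

if __name__ == '__main__':
    print('has Treat  ->', run_threat_rule(SAMPLE_EVENTS, 'Treat'))
    print('has Threat ->', run_threat_rule(SAMPLE_EVENTS, 'Threat'))
```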
SOC analysts using this rule would have missed critical threat indicators from the Claroty platform, creating a blind spot in OT/IoT threat detection.\nMITRE Mapping T1018 - Remote System Discovery (from relevantTechniques field)\nAffected Files Solutions/Claroty/Analytic Rules/ClarotyThreat.yaml (packaging artefacts: 3.0.4.zip, ReleaseNotes.md, Solution_Claroty.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-06-pr-13988/","summary":"Fixed critical typo in Claroty threat detection rule where \u0026ldquo;Treat\u0026rdquo; was incorrectly used instead of \u0026ldquo;Threat\u0026rdquo; in both rule name and KQL logic.","title":"Claroty Analytic Rule: Critical Typo Fix Restores Threat Detection Logic"},{"content":"What Changed New Netskope Secure Web Gateway solution provides comprehensive monitoring of web transactions with 10 analytic rules, a CCF-based data connector, parser, and workbook dashboard.\nData Source Netskope Web Transaction logs ingested via CCF connector using Azure Blob Storage and Event Grid. Populates NetskopeWebTransactions_CL table for analysis of user web activity, application usage, and data movement.\nIngestion Mechanism CCF-based connector with DCR configuration for blob storage polling and Event Grid notifications. 
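Two of the detections this post lists, impossible travel and downloads far above a 7-day baseline, written out in Python as an added example; it is not the solution's KQL, and the record fields (ts, user, country, bytes_down) are assumptions rather than the NetskopeWebTransactions_CL schema. The events are constructed. Beyond what the post says, it shows the two edge cases such rules have to handle: a user with no history, where a raw ratio would divide by zero or flag trivial traffic, and a user whose country changes more than an hour apart, which must not fire.

```python
# Added example, not the Netskope solution's KQL: two detection ideas from this post written
# in Python over constructed web transaction records. Field names are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta


def impossible_travel(events, window=timedelta(hours=1)):
    # Flag a user seen in two different countries within the window. Sorting each user's
    # events and comparing neighbours is sufficient: any qualifying pair contains a
    # country change between two neighbouring events, and that sub-interval is shorter.
    by_user = defaultdict(list)
    for e in events:
        by_user[e['user']].append(e)
    hits = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e['ts'])
        for prev, cur in zip(evs, evs[1:]):
            if prev['country'] != cur['country'] and cur['ts'] - prev['ts'] <= window:
                hits.append((user, prev['country'], cur['country']))
    return hits


def excessive_downloads(events, now, baseline_days=7, multiplier=3.0,
                        min_baseline_bytes=1_000_000):
    # Compare each user's download volume over the last 24 hours with their mean daily
    # volume over the preceding baseline_days. The floor on the baseline stops a user
    # with little or no history from being flagged for a trivial amount of traffic and
    # avoids dividing by zero for brand-new users.
    recent_start = now - timedelta(days=1)
    baseline_start = recent_start - timedelta(days=baseline_days)
    recent = defaultdict(int)
    baseline = defaultdict(int)
    for e in events:
        if recent_start <= e['ts'] <= now:
            recent[e['user']] += e['bytes_down']
        elif baseline_start <= e['ts'] < recent_start:
            baseline[e['user']] += e['bytes_down']
    hits = []
    for user, total in recent.items():
        daily_avg = max(baseline[user] / baseline_days, min_baseline_bytes)
        if total > multiplier * daily_avg:
            hits.append((user, total, round(daily_avg)))
    return hits


NOW = datetime(2026, 4, 3, 12, 0, 0)
MB = 1_000_000


def _ev(hours_ago, user, country, bytes_down=MB):
    return {'ts': NOW - timedelta(hours=hours_ago), 'user': user,
            'country': country, 'bytes_down': bytes_down}


# Constructed records: alice and bob each have a steady 50 MB/day history; alice then pulls
# 400 MB in the last day and bob 100 MB; carol is new with 2 MB; dave hops US to BR in
# 30 minutes; erin changes country but three hours apart.
SAMPLE_EVENTS = (
    [_ev(24 * d + 2, 'alice', 'US', 50 * MB) for d in range(1, 8)]
    + [_ev(24 * d + 2, 'bob', 'US', 50 * MB) for d in range(1, 8)]
    + [_ev(1, 'alice', 'US', 400 * MB), _ev(1, 'bob', 'US', 100 * MB),
       _ev(0.5, 'carol', 'US', 2 * MB),
       _ev(3, 'dave', 'US'), _ev(2.5, 'dave', 'BR'),
       _ev(5, 'erin', 'US'), _ev(2, 'erin', 'DE')]
)

if __name__ == '__main__':
    print('impossible travel:', impossible_travel(SAMPLE_EVENTS))
    print('excessive downloads:', excessive_downloads(SAMPLE_EVENTS, NOW))
```

In a scheduled analytic rule the same two windows map onto the query period and lookback: the 24-hour window is the rule's query frequency and the 7-day baseline is computed from the same table with a longer lookback, so the baseline floor is the one parameter that has to be chosen for the environment rather than derived from the data.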
Includes custom table schema with comprehensive web transaction field mapping.\nDetection Surface Unlocked New detection coverage for:\nImpossible travel - Users accessing from multiple countries within 1 hour Data exfiltration patterns - Excessive downloads vs 7-day baseline (3x threshold) Shadow IT detection - Unsanctioned/risky cloud app access based on Cloud Confidence Level Personal cloud storage abuse - Heavy usage of personal Dropbox, Google Drive, OneDrive Anomalous user behavior - High volume transfers from unmanaged devices Policy violations - Repeated or critical policy blocks Data movement tracking - Upload/download monitoring with size thresholds Suspicious network context - Unusual IPs/geography/ports DLP violations - Large data uploads indicating potential exfiltration MITRE Coverage T1078 (Valid Accounts) - Impossible travel detection T1567 (Exfiltration Over Web Service) - Cloud storage and data transfer monitoring T1074 (Data Staged) - File staging and movement detection T1199 (Trusted Relationship) - Unsanctioned app access T1530 (Data from Cloud Storage Object) - Excessive download detection T1562 (Impair Defenses) - Policy violation tracking Affected Files .script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json Solutions/NetskopeWebTx/Analytic Rules/NetskopeWebtx_Rule1.yaml Solutions/NetskopeWebTx/Analytic Rules/NetskopeWebtx_Rule10.yaml Solutions/NetskopeWebTx/Analytic Rules/NetskopeWebtx_Rule2.yaml Solutions/NetskopeWebTx/Analytic Rules/NetskopeWebtx_Rule3.yaml Solutions/NetskopeWebTx/Analytic Rules/NetskopeWebtx_Rule4.yaml Solutions/NetskopeWebTx/Analytic Rules/NetskopeWebtx_Rule5.yaml Solutions/NetskopeWebTx/Analytic Rules/NetskopeWebtx_Rule6.yaml Solutions/NetskopeWebTx/Analytic Rules/NetskopeWebtx_Rule7.yaml Solutions/NetskopeWebTx/Analytic Rules/NetskopeWebtx_Rule8.yaml Solutions/NetskopeWebTx/Analytic Rules/NetskopeWebtx_Rule9.yaml Solutions/NetskopeWebTx/Data Connectors/NetskopeWebTx_CCF/NetskopeWebtx_DCR.json 
Solutions/NetskopeWebTx/Data Connectors/NetskopeWebTx_CCF/NetskopeWebtx_PollingConfig.json Solutions/NetskopeWebTx/Data Connectors/NetskopeWebTx_CCF/NetskopeWebtx_Table.json Solutions/NetskopeWebTx/Data Connectors/NetskopeWebTx_CCF/NetskopeWebtx_connectorDefinition.json Solutions/NetskopeWebTx/Package/testParameters.json Solutions/NetskopeWebTx/Parsers/NetskopeWebtx.yaml Solutions/NetskopeWebTx/README.md Solutions/NetskopeWebTx/Workbooks/Images/NetskopeWebtxOverviewBlack01.png Solutions/NetskopeWebTx/Workbooks/Images/NetskopeWebtxOverviewBlack02.png Solutions/NetskopeWebTx/Workbooks/Images/NetskopeWebtxOverviewWhite01.png Solutions/NetskopeWebTx/Workbooks/Images/NetskopeWebtxOverviewWhite02.png Solutions/NetskopeWebTx/Workbooks/NetskopeWebtxDashboard/NetskopeWebTx_Workbook.json Workbooks/Images/Preview/NetskopeWebtxOverviewBlack01.png Workbooks/Images/Preview/NetskopeWebtxOverviewBlack02.png Workbooks/Images/Preview/NetskopeWebtxOverviewWhite01.png Workbooks/Images/Preview/NetskopeWebtxOverviewWhite02.png Workbooks/NetskopeWebTx_Workbook.json Workbooks/WorkbooksMetadata.json (packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_NetskopeWebTx.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-03-pr-13618/","summary":"New Netskope solution adds 10 detections for web transaction monitoring including impossible travel, excessive downloads, shadow IT detection, and data exfiltration patterns.","title":"Netskope Secure Web Gateway Solution: New Detection Coverage for Cloud Application Visibility"},{"content":"What Changed Added user-agent headers to HTTP requests in both Proofpoint TAP and POD (On Demand) Email Security CCF connectors:\nTAP connector: user-agent header \u0026ldquo;MicrosoftSentinelTAPConnector/{version}\u0026rdquo; added to all 4 API polling endpoints POD connector: user-agent header \u0026ldquo;MicrosoftSentinelPoDConnector/{version}\u0026rdquo; added to message and 
maillog API endpoints Security Impact (Visibility \u0026amp; Fidelity) This change enhances API request attribution for Proofpoint server-side logging and rate limiting mechanisms. The version-specific user-agent enables:\nBetter troubleshooting of connector-related API issues by correlating requests to specific Sentinel solution versions Improved rate limiting accuracy on the Proofpoint API side through distinct client identification Enhanced audit trail for API consumption patterns per connector version No changes to data ingestion logic, field mappings, or query syntax. The modification affects only HTTP request headers and does not impact detection fidelity or introduce breaking changes for existing deployments.\nDeployment Impact Version bumped to 3.1.3 for both solutions. The user-agent header includes a dynamic reference to the solution version variable, ensuring accurate version reporting without manual maintenance.\nAffected Files Solutions/ProofPointTap/Data Connectors/ProofpointTAP_CCP/ProofpointTAP_pollingconfig.json Solutions/Proofpoint On demand(POD) Email Security/Data Connectors/ProofPointEmailSecurity_CCP/ProofpointPOD_PollingConfig.json (packaging artefacts: 3.1.3.zip, ReleaseNotes.md, Solution_ProofPointPOD.json, Solution_ProofTap.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-03-pr-13861/","summary":"Proofpoint connectors now send user-agent headers with solution package version information for improved API request identification.","title":"Proofpoint TAP and POD Connectors: User-Agent Header Added for Solution Version Tracking"},{"content":"What Changed Added Docker image integrity verification function to both SAP data connector deployment scripts (sapcon-sentinel-kickstart.sh and sapcon-sentinel-ui-agent-kickstart.sh).\nSecurity Impact (Supply Chain Protection) The new verify_image_integrity() function addresses container supply chain attack vectors by:\nExtracting local image digest from docker inspect 
after pull completion Querying remote registry digest via docker manifest inspect as primary verification method Falling back to digest extraction from docker pull output when manifest inspection fails Terminating deployment with exit code 1 on any digest mismatch This is intended to catch a compromised registry mirror or a man-in-the-middle substituting a different image during the docker pull operation. Previously, the deployment scripts performed no post-pull verification that the downloaded image matched the intended registry artifact. Two limits are worth noting: the comparison is against whatever digest the same registry serves at that moment rather than against a digest pinned in the script, so an attacker who controls what the registry returns passes both requests, and the fallback path compares the stored image with the digest printed by that same pull, which only detects a corrupted local store. Pinning a known-good digest in the script or verifying an image signature would be the stronger control.\nDeployment Impact Deployments now perform an additional integrity check after Docker image download but before container instantiation. The verification step adds minimal overhead and narrows, though does not fully close, the supply chain gap in the SAP connector installation process.\nAffected Files Solutions/SAP/sapcon-sentinel-kickstart.sh Solutions/SAP/sapcon-sentinel-ui-agent-kickstart.sh ","permalink":"http://sentinelchangelog.net/posts/2026-04-03-pr-13736/","summary":"SAP deployment scripts now verify Docker image digest integrity to prevent container supply chain attacks during installation.","title":"SAP Data Connector: Docker Image Integrity Verification Added to Deployment Scripts"},{"content":"Affected Files Solutions/Trellix/Data Connectors/Trellix_CCF/Trellix_DataConnectorDefinition.json (packaging artefacts: 3.0.1.zip, ReleaseNotes.md, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-03-pr-13981/","summary":"Trellix solution transitioned from preview to GA status, now production-ready for deployment.","title":"Trellix Solution Enters GA: Production Ready for Cyberthreat Detection"},{"content":"Affected Files Solutions/Visa Threat Intelligence (VTI)/DataConnectors/VisaThreatIntelligenceConnector.json Solutions/Visa Threat Intelligence (VTI)/Package/testParameters.json (packaging artefacts: 3.0.0.zip, 3.0.1.zip, SolutionMetadata.json, Solution_VTI.json, createUiDefinition.json, 
mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-03-pr-13881/","summary":"Fixed missing connector information in deployment template and updated solution tier to Partner status.","title":"Visa Threat Intelligence Solution: Packaging Metadata Corrected"},{"content":"What Changed The Qualys VM Knowledge Base solution (v4.0.0) now includes a CCF-based Data Connector alongside the existing legacy connector infrastructure. The new connector provides automated ingestion of Qualys vulnerability database entries via the Qualys API v2.0.\nData Source External System: Qualys Vulnerability Management API v2.0\nLog Types: Knowledge Base vulnerability records (QIDs, CVEs, vendor advisories, patch status)\nEvent Categories: Vulnerability discovery records, software vendor advisories, patch availability data\nIngestion Mechanism Type: CCF/DCR-based with REST API polling\nDestination Table: QualysKnowledgeBase (new Microsoft-managed stream)\nAPI Endpoint: /api/2.0/fo/knowledge_base/vuln/ with configurable filters\nPolling Frequency: 10-minute query window with 10-hour delay\nParser Impact The updated parser (v1.1.0) now supports both legacy (QualysKB_CL) and CCF streams (QualysKnowledgeBase) through a union query. Key improvements:\nFixed field name inconsistencies (Consquence → Consequence, Title → VulnTitle) Standardized timestamp field references (removed trailing spaces) Added SeverityLevel and PublishedDatetime field normalization Enhanced compatibility for cross-source queries Data Fidelity Impact: Queries referencing the corrected field names against the legacy parser previously returned inconsistent results due to typos — this is a data quality improvement for mixed-source environments.\nDetection Surface Unlocked The connector exposes Qualys vulnerability intelligence for threat hunting and asset risk assessment:\nCVE Cross-Reference: Links vulnerability IDs to CVE numbers and vendor advisories Patch Status Tracking: Identifies patchable vs. 
unpatchable vulnerabilities Discovery Method Context: Remote vs. authenticated vulnerability detection metadata Vendor Intelligence: Software vendor and product categorization for supply chain analysis Affected Files Solutions/Qualys VM Knowledgebase/Data Connectors/QualysKB_ccf/QualysKB_ConnectorDefinition.json Solutions/Qualys VM Knowledgebase/Data Connectors/QualysKB_ccf/QualysKB_DCR.json Solutions/Qualys VM Knowledgebase/Data Connectors/QualysKB_ccf/QualysKB_PollingConfig.json Solutions/Qualys VM Knowledgebase/Package/testParameters.json Solutions/Qualys VM Knowledgebase/Parsers/QualysKB.yaml Tools/Create-Azure-Sentinel-Solution/common/standardLogStreams.ps1 (packaging artefacts: 4.0.0.zip, ReleaseNotes.md, Solution_QualysKBtemplateSpec.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-02-pr-13747/","summary":"Qualys VM Knowledge Base solution now includes a Codeless Connector Framework (CCF) implementation for automated vulnerability data ingestion alongside the existing legacy connector.","title":"Qualys VM: CCF Connector Adds Vulnerability Intelligence Stream"},{"content":"What Changed TheHive CCF (Codeless Connector Framework) Data Connector was promoted from Preview to General Availability status, enabling production deployment for security incident response teams. 
The connector ingests case, alert, and task data from TheHive platform via REST API polling into the TheHiveData_CL custom table.\nData Processing Enhancement The DCR transform KQL was updated to improve custom fields handling:\nField renamed: CustomFields → TheHiveCustomFields with updated description \u0026ldquo;The hive custom fields\u0026rdquo; Processing unchanged: Core data transformation logic, time handling, and entity mapping remain identical Data fidelity impact: Existing queries referencing CustomFields will need updating to use TheHiveCustomFields - this is a breaking change for custom detection rules Security Impact (Visibility \u0026amp; Fidelity) Production-grade availability enables consistent ingestion of:\nSecurity incident cases with severity classification and TLP markings Alert data with source references and observable counts Task management data for incident response workflow tracking Custom field data now properly labeled for TheHive-specific metadata Organizations using TheHive for incident response can now deploy this connector in production environments without preview limitations, enabling comprehensive SOAR data visibility in Microsoft Sentinel.\nAffected Files Solutions/TheHive/Data Connectors/CCF/ConnectorDefinition.json Solutions/TheHive/Data Connectors/CCF/DCR.json Solutions/TheHive/Data Connectors/CCF/PollingConfig.json Solutions/TheHive/Data Connectors/CCF/table_TheHiveData.json (packaging artefacts: 3.0.2.zip, ReleaseNotes.md, Solution_TheHive.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-02-pr-13980/","summary":"TheHive CCF connector promoted to General Availability with improved custom fields processing, removing preview limitations for security incident management workflows.","title":"TheHive Connector: Production-Ready with Enhanced Custom Fields Mapping"},{"content":"What Changed Fixed missing AlertOriginalStatus extension field in the vimAlertEventMicrosoftDefenderXDR ASIM parser by 
adding mapping from AdditionalFields.LastRemediationState.\nParser Impact Data Fidelity Gap Closed: Queries referencing AlertOriginalStatus against this parser previously returned null for all rows — this was a data fidelity gap where alert status information was unavailable despite being present in the raw Microsoft Defender XDR data. The parser now correctly extracts and normalizes the alert status from AdditionalFields.LastRemediationState.\nThe fix enables proper alert status filtering and analysis in detections that rely on the ASIM AlertEvent schema. Queries using AlertStatus field (which derives from AlertOriginalStatus) can now accurately distinguish between Active and Closed alerts from Microsoft Defender XDR data sources.\nNo change to other normalized field names or core filter logic — safe for existing detections using this parser.\nAffected Files Parsers/ASimAlertEvent/ARM/vimAlertEventMicrosoftDefenderXDR/vimAlertEventMicrosoftDefenderXDR.json Parsers/ASimAlertEvent/CHANGELOG/vimAlertEventMicrosoftDefenderXDR.md Parsers/ASimAlertEvent/Parsers/vimAlertEventMicrosoftDefenderXDR.yaml ","permalink":"http://sentinelchangelog.net/posts/2026-04-02-pr-13970/","summary":"Critical data fidelity fix restores missing AlertOriginalStatus field in Microsoft Defender XDR ASIM AlertEvent parser, resolving alert status visibility gap.","title":"ASIM AlertEvent Parser: Microsoft Defender XDR Missing AlertOriginalStatus Field Restored"},{"content":"What Changed Microsoft Security Copilot solution v3.0.2 has been released to General Availability, transitioning from preview status. The primary change updates the connector availability from preview to production status in the ConnectorDefinition.json.\nSecurity Impact This is a packaging update with no detection logic or ingestion changes. Existing deployments using Microsoft Copilot for threat detection and response workflows continue operating unchanged. 
The GA status indicates the solution has passed production readiness requirements and is suitable for enterprise deployments.\nThe solution provides visibility into Microsoft Copilot activities through the CopilotActivity table, supporting monitoring of AI-assisted security operations and potential misuse detection.\nAffected Files Solutions/Microsoft Copilot/Data Connectors/MicrosoftCopilot_ConnectorDefinition.json (packaging artefacts: 3.0.2.zip, ReleaseNotes.md, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-02-pr-13976/","summary":"Microsoft Security Copilot solution v3.0.2 transitions from preview to GA with connector availability status updated.","title":"Microsoft Security Copilot Solution Released to General Availability"},{"content":"What Changed The detection template authoring instructions now include explicit guidance for validating connectorId values in Analytic Rules. The update adds a mandatory validation step that requires all connectorId values to be checked against the official ValidConnectorIds.json file in the repository.\nProcess Impact Detection contributors and reviewers must now verify that any connectorId referenced in YAML templates exists in the official allowlist at .script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json. 
Invalid connector IDs trigger a standardized reviewer comment requesting either use of a valid ID from the official list or addition of the new connector to the allowlist.\nThe guidance provides concrete examples of valid IDs (CiscoDuoSecurity, AzureActiveDirectory) versus common invalid variants (CiscoDuo, AzureAD) to reduce submission errors.\nAffected Files .github/instructions/detections.instructions.md ","permalink":"http://sentinelchangelog.net/posts/2026-04-02-pr-13959/","summary":"Detection authoring guidelines now require validation of connectorId values against the official repository allowlist to prevent invalid connector references.","title":"Detection Template Validation: connectorId Enforcement Added to Review Process"},{"content":"What Changed Added a RiskScoreThreshold parameter to the RecordedFuture-IOC_Enrichment Logic App that defaults to 5. IOCs with risk scores below this threshold will no longer generate comments on incidents.\nSecurity Impact (Noise Reduction) This change addresses analyst fatigue by filtering out low-risk IOC enrichments from incident comments. Previously, all IOCs regardless of risk score would generate enrichment comments, creating noise that could obscure high-priority intelligence.\nThe configurable threshold (default: 5) allows SOC teams to tune the noise floor based on their environment. Only IOCs meeting the risk score threshold will receive enrichment comments containing:\nRecorded Future Risk Score Triggered Risk Rules Risk Context OSINT references Previous detections Intelligence Card links Operational Considerations Teams using this playbook for automatic enrichment should review their current incident comment volume and adjust the threshold as needed. 
The parameter is configurable during deployment to match organizational risk tolerance.\nAffected Files Solutions/Recorded Future/Playbooks/Enrichment/RecordedFuture-IOC_Enrichment/azuredeploy.json Solutions/Recorded Future/Playbooks/Enrichment/readme.md (packaging artefacts: 3.2.18.zip, ReleaseNotes.md, Solution_RecordedFuture.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-02-pr-13545/","summary":"Added configurable RiskScoreThreshold parameter to prevent low-risk IOCs from generating incident comments.","title":"Recorded Future: IOC Enrichment Noise Reduction via Risk Score Thresholding"},{"content":"What Changed Added a SessionId variable and its _SessionId alias to the mainTemplate.json deployment template, replacing hardcoded \u0026ldquo;authenticationContext_externalSessionId_s\u0026rdquo; references with the parameterized variable.\nSecurity Impact This is a template compliance fix with no security implications. The change resolves an Azure Resource Manager Template Toolkit (ARM TTK) validation error by following Azure best practices for template parameterization. 
No changes to connector functionality, data ingestion, or detection logic were made.\nThe Okta Single Sign-On connector continues to operate unchanged — this affects only the ARM deployment template structure.\nAffected Files (packaging artefacts: 3.1.5.zip, ReleaseNotes.md, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-02-pr-13975/","summary":"Resolved ARM TTK validation error by parameterizing hardcoded SessionId reference in deployment template.","title":"Okta Single Sign-On: ARM Template Compliance Fix for SessionId Variable"},{"content":"Affected Files (packaging artefacts: 3.1.0.zip, ReleaseNotes.md, SolutionMetadata.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-01-pr-13953/","summary":"BitSight solution publishing restored after solution ID metadata correction.","title":"BitSight Solution: Metadata Fix for Content Hub Publishing Issue"},{"content":"What Changed Microsoft removed the explicit SecurityAdmin tenant permission requirement from the A365 Observability Data Connector. The connector now only lists GlobalAdmin as a required permission for deployment and operation.\nSecurity Impact Despite the removal of the explicit SecurityAdmin requirement, this change does not reduce the privilege level required to deploy the connector. GlobalAdmin is the highest privilege role available in Azure AD and already encompasses all SecurityAdmin capabilities. 
The effective privilege requirement remains at the highest possible level.\nEnvironments deploying this connector should be aware that GlobalAdmin access is still required for deployment.\nNo operational impact to existing deployments — the connector will continue functioning normally.\nAffected Files Solutions/A365 Observability/Data Connectors/A365_DataConnectorDefinition.json (packaging artefacts: 3.0.0.zip, ReleaseNotes.md, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-04-01-pr-13956/","summary":"Microsoft removed the explicit SecurityAdmin requirement from the A365 Observability connector, but GlobalAdmin — the highest privilege level in Azure AD — is still required. This is not a reduction in required privilege.","title":"Microsoft A365 Observability Connector: Explicit SecurityAdmin Requirement Removed"},{"content":"What Changed Imperva Cloud WAF connector promoted to public preview with standard table migration. The CCF connector now ingests into the standard SentinelImpervaWAFCloudV2Logs table instead of custom ImpervaWAFCloudV2_CL.\nSecurity Impact (Visibility \u0026amp; Fidelity) Data continuity maintained through parser union. The updated parser (ImpervaWAFCloud) now combines data from three sources:\nLegacy Azure Function custom table (ImpervaWAFCloud_CL) Private preview CCF custom table (ImpervaWAFCloudV2_CL) Public preview CCF standard table (SentinelImpervaWAFCloudV2Logs) All WAF event fields preserved including attack detection, request analysis, and geolocation data. 
No data fidelity loss during transition.\nCCF Connector Changes DCR simplified from complex custom stream with transformKql to standard Microsoft-managed stream Polling config updated to use SENTINEL_IMPERVA_WAF_CLOUD_V2_LOGS stream Connector definition enhanced with improved sample queries and connectivity checks Standard table schema provides 40+ normalized fields for WAF events Affected Files .script/tests/KqlvalidationsTests/CustomTables/SentinelImpervaWAFCloudV2Logs.json Solutions/ImpervaCloudWAF/Data Connectors/ImpervaCloudWAFLogs_ccf/ImpervaCloudWAFLogs_ConnectorDefinition.json Solutions/ImpervaCloudWAF/Data Connectors/ImpervaCloudWAFLogs_ccf/ImpervaCloudWAFLogs_DCR.json Solutions/ImpervaCloudWAF/Data Connectors/ImpervaCloudWAFLogs_ccf/ImpervaCloudWAFLogs_PollingConfig.json Solutions/ImpervaCloudWAF/Parsers/ImpervaWAFCloud.yaml Tools/Create-Azure-Sentinel-Solution/common/standardLogStreams.ps1 (packaging artefacts: 3.1.0.zip, ReleaseNotes.md, Solution_ImpervaCloudWAF.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-31-pr-13948/","summary":"Imperva Cloud WAF CCF connector migrates from private preview custom tables to public preview standard tables.","title":"Imperva Cloud WAF: Production Ready CCF Connector with Standard Tables"},{"content":"What Changed SentinelOne CCF connector template cleaned up to remove explicit null value assignments from JSON configuration fields including connectivityCriteria.value, permissions.tenant, permissions.licenses, and instructionSteps.innerSteps.\nTechnical Details The connector definition now omits optional fields rather than explicitly setting them to null, following JSON schema best practices. 
This change affects only the connector packaging template — no impact on data ingestion, authentication logic, or detection capabilities.\nNo functional changes to the SentinelOne data connector behavior or API integration.\nAffected Files Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/connectorDefinition.json (packaging artefacts: 3.0.8.zip, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-30-pr-13949/","summary":"Code hygiene fix removes redundant null values from CCF connector configuration.","title":"SentinelOne Connector: Template Cleanup for JSON Schema Compliance"},{"content":"What Changed The Cyren-SentinelOne threat intelligence Playbook template was updated to mark credential parameters as securestring instead of plain string, addressing a security policy compliance issue (Policy 300.4.1.1).\nThree credential parameters in the Logic App definition were changed from type \u0026ldquo;string\u0026rdquo; to \u0026ldquo;securestring\u0026rdquo;:\nCyren_IpReputation_JwtToken Cyren_MalwareUrl_JwtToken SentinelOne_ApiToken Security Impact This fixes a credential exposure risk in the Playbook deployment template. Prior to this change, JWT tokens and API keys were stored as plain text parameters in the Logic App definition, making them visible in deployment logs and ARM template outputs. 
The securestring typing ensures these credentials are properly masked during deployment and runtime operations.\nDeployments of the Cyren-SentinelOne solution using version 3.0.0 prior to this fix had credential parameters exposed in deployment artifacts — this represents a potential credential leak vector that is now resolved.\nAffected Files Solutions/Cyren-SentinelOne-ThreatIntelligence/Playbooks/CyrenToSentinelOne_Playbook.json (packaging artefacts: 3.0.0.zip, ReleaseNotes.md, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-30-pr-13945/","summary":"Fixed Policy 300.4.1.1 violation by securing credential parameters in the Cyren-SentinelOne threat intelligence integration Playbook.","title":"Cyren-SentinelOne Playbook: Credential Parameter Security Compliance Fix"},{"content":"What Changed Updated the TenableVMVulnerabilities parser to map 30 additional vulnerability scoring fields that were present in ingested data but unmapped by the parser schema.\nParser Impact The parser now extracts CVSS 4.0 scoring data and enhanced VPR v2 threat intelligence fields from vulnerability scan results:\nCVSS 4.0 fields added:\nBase score and vector components (attack complexity, attack requirements, privileges required) System impact ratings (availability, confidentiality, integrity) for both vulnerable and subsequent systems Threat vector components including exploit maturity and threat scores VPR v2 threat intelligence fields added:\nEnhanced VPR scoring (VPR v2 score, percentile, severity) Exploit intelligence (probability, code maturity, CISA KEV status) Threat activity indicators (news intensity, malware observation frequency) EPSS (Exploit Prediction Scoring System) score integration Security Impact (Visibility \u0026amp; Fidelity) Data fidelity gap closed: Queries referencing CVSS 4.0 metrics or VPR v2 threat intelligence fields against the TenableVMVulnerabilities parser previously returned null for all rows. 
Security teams using modern vulnerability prioritization workflows based on CVSS 4.0 or enhanced VPR scoring had incomplete risk assessment data.\nThe unmapped fields contained critical vulnerability prioritization intelligence including:\nWhether vulnerabilities appear on CISA\u0026rsquo;s Known Exploited Vulnerabilities list Real-world exploit activity and threat actor interest levels Modern CVSS 4.0 scoring that accounts for subsequent system impact EPSS scores for exploit likelihood prediction This parser update restores access to this vulnerability prioritization data without requiring re-ingestion.\nAffected Files Solutions/Tenable App/Data Connectors/TenableVM/azuredeploy_Connector_TenableVM_AzureFunction.json Solutions/Tenable App/Parsers/TenableVMVulnerabilities.yaml (packaging artefacts: 3.1.2.zip, ReleaseNotes.md, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-30-pr-13868/","summary":"Tenable VM vulnerability parser now extracts CVSS 4.0 vector components and VPR v2 threat intelligence previously unmapped from ingested vulnerability scans.","title":"Tenable VM Parser: CVSS 4.0 and VPR v2 Field Mapping Restores Missing Vulnerability Scoring Data"},{"content":"Affected Files (packaging artefacts: 3.1.0.zip, ReleaseNotes.md, Solution_D3SOAR.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-27-pr-13926/","summary":"Version increment from 3.0.0 to 3.1.0 to enable Partner Center to detect previously submitted fixes including pagination improvements and branding updates.","title":"D3 Smart SOAR: Version Bump to 3.1.0 for Partner Center Resubmission"},{"content":"What Changed Updated 8 Corelight aggregation parsers and the Data Explorer workbook to properly handle aggregated network events with corrected field mappings and new filtering capabilities.\nParser Impact The aggregation parsers had several field mapping issues that caused data fidelity problems:\nUID field mapping: Changed from uid_s to 
uids_s across all aggregation parsers — queries referencing connection UIDs against these parsers previously returned null values Community ID mapping: Fixed from community_id_s to community_ids_s in connection aggregation parser User agent handling: Converted from string to dynamic array format in HTTP parsers for proper multi-value support MIME type normalization: Fixed field references and converted to dynamic arrays where appropriate Netskope field corrections: Updated field names to plural form (netskope_site_ids_s, netskope_user_ids_s) These changes restore data availability for queries that reference aggregated network session data. The incorrect field mappings caused zero results for connection correlation and user agent analysis on aggregated logs.\nWorkbook Enhancement Added Show Aggregation filters to the Corelight Data Explorer workbook, enabling SOC analysts to specifically query and visualize aggregated network events alongside raw events.\nAffected Files Solutions/Corelight/Parsers/corelight_conn_agg.yaml Solutions/Corelight/Parsers/corelight_dns_agg.yaml Solutions/Corelight/Parsers/corelight_files.yaml Solutions/Corelight/Parsers/corelight_files_agg.yaml Solutions/Corelight/Parsers/corelight_http.yaml Solutions/Corelight/Parsers/corelight_http_agg.yaml Solutions/Corelight/Parsers/corelight_ssl_agg.yaml Solutions/Corelight/Parsers/corelight_weird_agg.yaml Solutions/Corelight/Workbooks/Corelight_Data_Explorer.json (packaging artefacts: 3.2.4.zip, ReleaseNotes.md, Solution_Corelight.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-27-pr-13917/","summary":"Fixes field mapping inconsistencies in Corelight aggregation parsers that caused data loss and adds aggregation filtering to the Data Explorer workbook.","title":"Corelight: Enhanced Data Fidelity for Network Aggregation Events"},{"content":"What Changed Microsoft Partner Center certification flagged Best Practice Test 300.4.1.1 due to a malformed ARM template 
expression in the Lookout v3.0.2 solution package. The APIKey parameter reference was missing a closing bracket. The fix corrected line 1503 in mainTemplate.json and rebuilt the 3.0.2.zip package to match the corrected source file. No functional changes to the mobile threat detection capabilities or data ingestion logic.\nAffected Files (packaging artefacts: 3.0.2.zip, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-27-pr-13880/","summary":"Partner Center certification blocker resolved with single bracket correction in ARM deployment template.","title":"Lookout Mobile Threat Defense: ARM Template Certification Fix"},{"content":"What Changed Added 6 new analytic rules and 2 hunting queries targeting Microsoft Security Copilot activity monitoring, plus a comprehensive workbook for visibility into AI assistant usage.\nDetection Logic Primary data source: CopilotActivity table\nNew Analytic Rules:\nCopilot - File Uploads Disabled: Detects when file upload capabilities are disabled, potentially indicating attackers covering their tracks by disabling evidence collection mechanisms Copilot - Jailbreak Attempt Detected: Identifies prompt injection attempts where users try to bypass Copilot security controls and guardrails Copilot - Plugin Created by Non-Admin User: Flags non-administrative users creating plugins, which could establish persistence or inject malicious capabilities Copilot - Plugin Tampering: Correlates enable/disable actions within 5-minute windows, indicating reconnaissance of security boundaries Key Detection Patterns:\nJailbreak detection uses LLMEventData has \u0026ldquo;JailbreakDetected\u0026rdquo; with JSON parsing to extract the boolean flag Plugin creation monitoring filters on ActorUserType != \u0026ldquo;Admin\u0026rdquo; for privilege boundary violations External access detection excludes RFC 1918 private IP ranges to identify unauthorized location usage File upload disabling tracks Property changes from 
\u0026ldquo;Enabled\u0026rdquo; to \u0026ldquo;Disabled\u0026rdquo; state Entity Mappings: Account (ActorName) and IP (SrcIpAddr) across all rules for investigation pivoting\nMITRE Mapping T1078 (Valid Accounts): External IP access detection T1087 (Account Discovery): Plugin tampering reconnaissance T1098 (Account Manipulation): Non-admin plugin creation for persistence T1110 (Brute Force): Jailbreak attempt correlation T1546 (Event Triggered Execution): Plugin-based persistence mechanisms T1562/T1562.001 (Impair Defenses): File upload disabling, plugin tampering to evade controls T1565 (Data Manipulation): Jailbreak attempts targeting data integrity Security Impact These detections address critical AI security blind spots where traditional security tools lack visibility into LLM interactions. Organizations using Microsoft Security Copilot now have coverage for:\nAI Abuse Scenarios: Jailbreak attempts represent a novel attack vector specific to AI assistants Insider Threat Detection: Non-admin plugin creation and external access monitoring Defense Evasion Coverage: File upload disabling and rapid plugin state changes indicate attacker operational security measures Privilege Boundary Enforcement: Plugin creation restrictions prevent unauthorized capability expansion The workbook provides operational dashboards for SOC teams to monitor AI assistant usage patterns and security events.\nAffected Files .script/tests/KqlvalidationsTests/CustomTables/CopilotActivity.json Solutions/Microsoft Copilot/Analytic Rules/CopilotFileUploadsDisabled.yaml Solutions/Microsoft Copilot/Analytic Rules/CopilotJailbreakAttempt.yaml Solutions/Microsoft Copilot/Analytic Rules/CopilotPluginCreatedByNonAdmin.yaml Solutions/Microsoft Copilot/Analytic Rules/CopilotPluginTampering.yaml Solutions/Microsoft Copilot/Hunting Queries/CopilotExternalIPAccess.yaml Solutions/Microsoft Copilot/Hunting Queries/CopilotPluginReEnabled.yaml Solutions/Microsoft Copilot/Package/testParameters.json 
Solutions/Microsoft Copilot/Workbooks/Images/Preview/MicrosoftCopilotActivityMonitoringWorkbookBlack.png Solutions/Microsoft Copilot/Workbooks/Images/Preview/MicrosoftCopilotActivityMonitoringWorkbookWhite.png Solutions/Microsoft Copilot/Workbooks/MicrosoftCopilotActivityMonitoring.json Workbooks/Images/Logos/Copilot_logo.svg Workbooks/Images/Preview/MicrosoftCopilotActivityMonitoringWorkbookBlack.png Workbooks/Images/Preview/MicrosoftCopilotActivityMonitoringWorkbookWhite.png Workbooks/MicrosoftCopilotActivityMonitoring.json Workbooks/WorkbooksMetadata.json (packaging artefacts: 3.0.2.zip, ReleaseNotes.md, Solution_MicrosoftCopilot.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-27-pr-13735/","summary":"New analytic rules target jailbreak attempts, external access, plugin tampering, and file upload disabling - covering major AI security attack vectors.","title":"Microsoft Security Copilot: Six New Detections for AI Assistant Abuse"},{"content":"What Changed Google Workspace Reports connector v3.0.4 removes preview status and updates OAuth configuration steps for general availability.\nSecurity Impact (Visibility \u0026amp; Fidelity) No impact on data ingestion or detection capability. The connector continues to ingest Google Workspace audit logs through the same Admin SDK API mechanism. 
Configuration updates streamline the OAuth setup process by:\nRemoving requirement for authorized domains in OAuth consent screen Clarifying External user type selection for broader workspace compatibility Adding explicit Admin SDK API scope configuration step The preview-to-GA transition indicates Microsoft\u0026rsquo;s confidence in the connector\u0026rsquo;s stability for production SOC deployments.\nAffected Files Solutions/GoogleWorkspaceReports/Data Connectors/GoogleWorkspaceTemplate_ccp/GoogleWorkspaceReports_DataConnectorDefinition.json (packaging artefacts: 3.0.4.zip, ReleaseNotes.md, Solution_GoogleWorkspaceReports.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-26-pr-13927/","summary":"Google Workspace Reports CCF connector exits preview status with updated OAuth configuration guidance.","title":"Google Workspace Reports Connector Promoted to General Availability"},{"content":"What Changed New Content Hub solution for blacklens.io Attack Surface Management (ASM) platform, providing external security posture monitoring capabilities. Includes complete infrastructure for webhook-based alert ingestion via Logic Apps and DCR/DCE architecture.\nData Source blacklens.io is an Attack Surface Management platform that combines automated security analysis, continuous monitoring, and penetration testing. 
The integration captures alerts from features including Darknet Monitoring, Vulnerability Scanning, and XDR Response.\nIngestion Mechanism DCR-based ingestion using:\nLogic App webhook endpoint receives blacklens.io alerts Custom Log Analytics table blacklens_CL with schema for alert metadata (id, severity, message, payload) Data Collection Rule transforms and routes alerts to Microsoft Sentinel workspace Detection Surface Unlocked The solution enables visibility into external attack surface threats including reconnaissance activities, credential exposures, and vulnerability discoveries affecting organisational assets outside the traditional network perimeter. Bundled analytics rule creates incidents with severity mapping and entity extraction for investigation workflows.\nMITRE Coverage Covers reconnaissance and initial access techniques including T1595 (Active Scanning), T1583 (Acquire Infrastructure), T1190 (Exploit Public-Facing Application), and T1110 (Brute Force). Additional coverage spans credential access, collection, and exfiltration techniques relevant to external threat monitoring.\nAffected Files .script/tests/KqlvalidationsTests/CustomTables/blacklens_CL.json .script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json Logos/blacklens.svg Solutions/Blacklens/Analytic Rules/blacklensInsights.yaml Solutions/Blacklens/Data Connectors/blacklens_io.json Solutions/Blacklens/Data Connectors/deployment/azuredeploy_blacklens.json Solutions/Blacklens/Package/testParameters.json Solutions/Blacklens/README.md Workbooks/Images/Logos/blacklens.svg (packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_Blacklens.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-26-pr-13375/","summary":"blacklens.io Attack Surface Management platform now available in Content Hub with webhook-based alert ingestion and automated incident creation.","title":"New Attack Surface Management 
Solution: blacklens.io Brings External Threat Visibility to Microsoft Sentinel"},{"content":"Version updated from 1.0.4 to 1.0.6 — no changes to detection logic, KQL query, or entity mappings.\nAffected Files Detections/SigninLogs/AnomalousSingleFactorSignin.yaml ","permalink":"http://sentinelchangelog.net/posts/2026-03-26-pr-13914/","summary":"Version bump to 1.0.6 for Anomalous Single Factor Sign-in detection rule with no logic changes.","title":"Anomalous Single Factor Sign-in Detection: Version Metadata Update"},{"content":"What Changed New ASIM WebSession parser for Cisco Umbrella proxy logs from Azure Function connector, adding two new parser functions:\nASimWebSessionCiscoUmbrella (unfiltered parser) vimWebSessionCiscoUmbrella (filtering parser with parameter support) Parser Impact The parser normalizes Cisco_Umbrella_proxy_CL table data to ASIM WebSession schema version 0.2.7. Key field mappings include:\nSource identity extraction from PolicyIdentity_s field (UPN or Simple username types) HTTP metadata: user agent, content type, referrer, request/response sizes Threat intelligence: AMP disposition, SHA-256 hashes, risk scores, blocked categories Network context: internal IP, external IP, destination IP addresses Request verdict classification (Allowed/Blocked → Success/Failure) Parser includes filtering capabilities for time windows, IP prefixes, URLs, user agents, and result codes. 
The pack parameter enables additional fields in AdditionalFields bag for extended visibility.\nDetection Surface Unlocked Organizations using Cisco Umbrella proxy logs can now:\nQuery web sessions using source-agnostic ASIM queries across multiple security tools Correlate Umbrella proxy activity with other data sources via normalized fields Apply existing ASIM-based detections to Umbrella data without modification Leverage threat intelligence fields (AMP scores, file hashes, categories) in detections The parser enables detection of web-based threats, policy violations, and suspicious browsing patterns through the standardized WebSession schema.\nAffected Files .script/tests/KqlvalidationsTests/CustomTables/Cisco_Umbrella_proxy_CL.json ASIM/dev/ASimTester/ASimTester.csv Parsers/ASimWebSession/ARM/ASimWebSession/ASimWebSession.json Parsers/ASimWebSession/ARM/ASimWebSessionCiscoUmbrella/ASimWebSessionCiscoUmbrella.json Parsers/ASimWebSession/ARM/ASimWebSessionCiscoUmbrella/README.md Parsers/ASimWebSession/ARM/FullDeploymentWebSession.json Parsers/ASimWebSession/ARM/imWebSession/imWebSession.json Parsers/ASimWebSession/ARM/vimWebSessionCiscoUmbrella/README.md Parsers/ASimWebSession/ARM/vimWebSessionCiscoUmbrella/vimWebSessionCiscoUmbrella.json Parsers/ASimWebSession/CHANGELOG/ASimWebSession.md Parsers/ASimWebSession/CHANGELOG/ASimWebSessionCiscoUmbrella.md Parsers/ASimWebSession/CHANGELOG/imWebSession.md Parsers/ASimWebSession/CHANGELOG/vimWebSessionCiscoUmbrella.md Parsers/ASimWebSession/Parsers/ASimWebSession.yaml Parsers/ASimWebSession/Parsers/ASimWebSessionCiscoUmbrella.yaml Parsers/ASimWebSession/Parsers/imWebSession.yaml Parsers/ASimWebSession/Parsers/vimWebSessionCiscoUmbrella.yaml ","permalink":"http://sentinelchangelog.net/posts/2026-03-25-pr-13893/","summary":"New ASIM parser adds web session visibility for Cisco Umbrella proxy logs, normalizing HTTP/HTTPS traffic data to standard schema.","title":"ASIM WebSession Parser: New Cisco Umbrella Proxy Log 
Coverage"},{"content":"What Changed Cisco Umbrella Function App connector version 3.0.10 adds null-byte sanitization for corrupted Azure File Share state manager timestamps and CSV date field handling to prevent ingestion crashes.\nSecurity Impact (Visibility \u0026amp; Fidelity) Per IcM incident 21000000951645: deployments with corrupted Azure File Share state markers experienced complete ingestion failure. When the state manager file became corrupted with null bytes, the datetime parser crashed on startup, preventing any log ingestion from resuming.\nThis created a complete blind spot for Cisco Umbrella DNS security telemetry - no queries, blocks, or threat intelligence matches were reaching Microsoft Sentinel until manual intervention. The corruption pattern appears to stem from Azure File Share storage layer issues that fill timestamp files with null bytes.\nTechnical Details The fix implements two layers of protection:\nState Manager Sanitization: New sanitize_timestamp() function strips null bytes and validates datetime format before processing, with fallback to default state on corruption CSV Field Protection: Added null-byte stripping in date formatting to prevent downstream _csv.Error exceptions on corrupted log files The fix ensures ingestion resilience against both Azure File Share corruption and malformed CSV input data, maintaining continuous visibility into DNS security events.\nAffected Files Solutions/CiscoUmbrella/Data Connectors/ciscoUmbrellaDataConn/__init__.py (packaging artefacts: 3.0.10.zip, CiscoUmbrellaConn.zip, ReleaseNotes.md, Solution_CiscoUmbrella.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-25-pr-13899/","summary":"Cisco Umbrella connector fixes critical null-byte corruption in Azure File Share state markers that was causing complete ingestion failures.","title":"Cisco Umbrella Connector: Critical Fix for State Manager Corruption and Data Ingestion Crashes"},{"content":"What Changed The Varonis 
Purview CCF connector received significant schema improvements in version 3.0.1, including field additions, data type corrections, and table naming standardization.\nSecurity Impact (Visibility \u0026amp; Fidelity) Before this update, queries referencing several fields against the Varonis resources table (then named varonisresources_CL, now VaronisResources_CL) experienced data fidelity issues:\nSubWorkload, Risks, Classification, AADTenantID were typed dynamic where plain string values were expected, returning inconsistent results The LastAccess field (now LastAccessDateTime) was typed dynamic rather than datetime, making it unusable for time-based queries Three fields (AssetName, SensitivityLabel, ClassificationLastScanDateTime) did not exist at all, creating gaps in asset visibility The schema updates restore proper data typing for asset correlation queries and add critical fields for Microsoft Purview integration workflows. The table name change from varonisresources_CL to VaronisResources_CL standardizes casing for consistent query patterns.\nSchema Changes Key data type corrections:\nSubWorkload, Risks, Classification, AADTenantID: Changed from dynamic to string for consistent querying LastAccessDateTime: Renamed from LastAccess and changed from dynamic to datetime for proper temporal operations Added AssetName, SensitivityLabel, ClassificationLastScanDateTime fields for enhanced asset metadata coverage Affected Files Solutions/Varonis Purview/Data Connectors/VaronisPurview_ccp/VaronisPurview_DCR.json Solutions/Varonis Purview/Data Connectors/VaronisPurview_ccp/VaronisPurview_connectorDefinition.json Solutions/Varonis Purview/Data Connectors/VaronisPurview_ccp/VaronisPurview_table.json (packaging artefacts: 3.0.1.zip, ReleaseNotes.md, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-25-pr-13891/","summary":"Varonis Purview schema update adds new fields and corrects data types, improving query reliability for asset tracking and classification data.","title":"Varonis 
Purview Connector: Schema Update Enhances Data Fidelity and Field Coverage"},{"content":"What Changed Updated the connector title from \u0026ldquo;Netskope Alerts and Events\u0026rdquo; to \u0026ldquo;Netskope Alerts and Events(via Codeless Connector Framework)\u0026rdquo; in the connector definition JSON.\nSecurity Impact (Visibility \u0026amp; Fidelity) No impact to data ingestion, detection logic, or security coverage. This is a purely cosmetic change to clarify the ingestion mechanism in the user interface. All existing deployments continue to function identically.\nAffected Files Solutions/Netskopev2/Data Connectors/NetskopeAlertsEvents_RestAPI_CCP/NetskopeAlertsEvents_ConnectorDefination.json (packaging artefacts: 3.1.3.zip, ReleaseNotes.md, Solution_Netskope.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-25-pr-13894/","summary":"Cosmetic title change to clarify the connector uses Codeless Connector Framework for Netskope API ingestion.","title":"Netskope Connector: Title Update to Clarify CCF Usage"},{"content":"What Changed Updated the Box Events connector title from \u0026ldquo;Box Events (CCP)\u0026rdquo; to \u0026ldquo;Box Events (via Codeless Connector Framework)\u0026rdquo; in the connector definition JSON. This change replaces the deprecated \u0026ldquo;CCP\u0026rdquo; acronym with the current official terminology.\nSecurity Impact (Visibility \u0026amp; Fidelity) No impact to data ingestion, detection logic, or security coverage. This is a purely cosmetic change to clarify the ingestion mechanism using current terminology. 
All existing deployments continue to function identically.\nAffected Files Solutions/Box/Data Connectors/BoxEvents_ccp/BoxEvents_DataConnectorDefinition.json (packaging artefacts: 3.1.3.zip, ReleaseNotes.md, Solution_Auth0.json, Solution_Box.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-25-pr-13892/","summary":"Cosmetic title change from \u0026ldquo;Box Events (CCP)\u0026rdquo; to \u0026ldquo;Box Events (via Codeless Connector Framework)\u0026rdquo; to reflect current terminology.","title":"Box Events Connector: Title Update to Clarify CCF Usage"},{"content":"What Changed Updated the connector title from \u0026ldquo;Okta Single Sign-On\u0026rdquo; to \u0026ldquo;Okta Single Sign-On (via Codeless Connector Framework)\u0026rdquo; in the connector definition JSON.\nSecurity Impact (Visibility \u0026amp; Fidelity) No impact to data ingestion, detection logic, or security coverage. This is a purely cosmetic change to clarify the ingestion mechanism in the user interface. All existing deployments continue to function identically.\nAffected Files Solutions/Okta Single Sign-On/Data Connectors/OktaNativePollerConnectorV2/OktaSSOv2_DataConnectorDefinition.json (packaging artefacts: 3.1.5.zip, ReleaseNotes.md, Solution_Okta.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-25-pr-13897/","summary":"Cosmetic title change to clarify the connector uses Codeless Connector Framework for Okta API ingestion.","title":"Okta Single Sign-On Connector: Title Update to Clarify CCF Usage"},{"content":"What Changed Updated the connector title from \u0026ldquo;SentinelOne\u0026rdquo; to \u0026ldquo;SentinelOne (via Codeless Connector Framework)\u0026rdquo; in the connector definition JSON.\nSecurity Impact (Visibility \u0026amp; Fidelity) No impact to data ingestion, detection logic, or security coverage. 
This is a purely cosmetic change to clarify the ingestion mechanism in the user interface. All existing deployments continue to function identically.\nAffected Files Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/connectorDefinition.json (packaging artefacts: 3.0.8.zip, ReleaseNotes.md, Solution_SentinelOne.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-25-pr-13898/","summary":"Cosmetic title change to clarify the connector uses Codeless Connector Framework for API ingestion.","title":"SentinelOne Connector: Title Update to Clarify CCF Usage"},{"content":"What Changed Updated the connector title from \u0026ldquo;Sophos Endpoint Protection (using REST API)\u0026rdquo; to \u0026ldquo;Sophos Endpoint Protection (via Codeless Connector Platform)\u0026rdquo; in the connector definition JSON.\nSecurity Impact (Visibility \u0026amp; Fidelity) No impact to data ingestion, detection logic, or security coverage. This is a purely cosmetic change to clarify the ingestion mechanism in the user interface. All existing deployments continue to function identically.\nNote on Terminology The PR uses deprecated terminology \u0026ldquo;Codeless Connector Platform\u0026rdquo; — the current official term is \u0026ldquo;Codeless Connector Framework\u0026rdquo; (CCF). 
The underlying functionality remains unchanged regardless of title terminology.\nAffected Files Solutions/Sophos Endpoint Protection/Data Connectors/SophosEP_ccp/SophosEP_DataConnectorDefinition.json (packaging artefacts: 3.0.7.zip, ReleaseNotes.md, Solution_EP.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-25-pr-13900/","summary":"Connector title updated to indicate CCF usage, but incorrectly uses deprecated \u0026ldquo;Codeless Connector Platform\u0026rdquo; instead of current \u0026ldquo;Codeless Connector Framework\u0026rdquo; terminology.","title":"Sophos Endpoint Protection Connector: Title Update with Deprecated Terminology"},{"content":"What Changed Updated the connector title from \u0026ldquo;VMware Carbon Black Cloud via AWS S3\u0026rdquo; to \u0026ldquo;VMware Carbon Black Cloud via AWS S3 (via Codeless Connector Framework)\u0026rdquo; in the connector definition JSON.\nSecurity Impact (Visibility \u0026amp; Fidelity) No impact to data ingestion, detection logic, or security coverage. This is a purely cosmetic change to clarify the ingestion mechanism in the user interface. 
All existing deployments continue to function identically.\nAffected Files Solutions/VMware Carbon Black Cloud/Data Connectors/VMwareCarbonBlackCloud_ccp/CarbonBlack_DataConnectorDefinition.json (packaging artefacts: 3.0.7.zip, ReleaseNotes.md, Solution_VMware Carbon Black Cloud.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-25-pr-13901/","summary":"Cosmetic title change to clarify the connector uses Codeless Connector Framework for AWS S3 ingestion.","title":"VMware Carbon Black Cloud Connector: Title Update to Clarify CCF Usage"},{"content":"What Changed Microsoft optimized the TI map Domain entity to EmailUrlInfo analytic rule (version 1.0.5 → 1.0.6) by reordering query logic to deduplicate threat intelligence records earlier in the processing pipeline and simplify join operations.\nDetection Logic Primary data source: ThreatIntelligenceIndicator joined with EmailUrlInfo. Core logic processes URL and domain-based threat indicators by applying summarize arg_max function by Id, ObservableValue to get the latest record per indicator, then filters for active indicators. Entity types mapped include URL and IP entities from threat intelligence indicators.\nSecurity Impact (Visibility \u0026amp; Fidelity) The query reordering introduces a potential detection blind spot identified in code review: if the most recent TI record for a given indicator ID is inactive/expired but an earlier record is still valid, the arg_max operation keeps the inactive record and subsequent filtering removes it entirely. 
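The ordering problem in the preceding paragraph is easy to see on a handful of rows. The block below is an added example written for this note, not the rule's KQL and not Microsoft's code: it emulates `summarize arg_max(TimeGenerated, *) by Id, ObservableValue` in Python over constructed ThreatIntelligenceIndicator-style and EmailUrlInfo-style rows, then runs the dedup-then-filter ordering the changelog describes against an assumed filter-then-dedup ordering (the "previous logic" is assumed to have filtered on Active and ExpirationDateTime before deduplicating; the exact column names and the use of TimeGenerated as the arg_max column are assumptions).

```python
from datetime import datetime, timedelta

# Constructed ThreatIntelligenceIndicator-style rows (not real TI data). Each row is one
# version of an indicator; a later TimeGenerated is a newer version of the same Id.
T0 = datetime(2026, 3, 1)
TI_ROWS = [
    # Indicator A: newest version inactive, but an earlier version still active and unexpired.
    {"Id": "A", "ObservableValue": "evil.example", "TimeGenerated": T0,
     "Active": True, "ExpirationDateTime": T0 + timedelta(days=30)},
    {"Id": "A", "ObservableValue": "evil.example", "TimeGenerated": T0 + timedelta(days=1),
     "Active": False, "ExpirationDateTime": T0 + timedelta(days=30)},
    # Indicator B: re-activated; the newest version is active.
    {"Id": "B", "ObservableValue": "bad.example", "TimeGenerated": T0,
     "Active": False, "ExpirationDateTime": T0 + timedelta(days=30)},
    {"Id": "B", "ObservableValue": "bad.example", "TimeGenerated": T0 + timedelta(days=1),
     "Active": True, "ExpirationDateTime": T0 + timedelta(days=30)},
    # Indicator C: flagged active but already expired; neither ordering should keep it.
    {"Id": "C", "ObservableValue": "stale.example", "TimeGenerated": T0,
     "Active": True, "ExpirationDateTime": T0 + timedelta(days=1)},
]

# Constructed EmailUrlInfo-style rows (only the domain matters for the join).
EMAIL_URLS = [
    {"NetworkMessageId": "m-1", "UrlDomain": "evil.example"},
    {"NetworkMessageId": "m-2", "UrlDomain": "bad.example"},
    {"NetworkMessageId": "m-3", "UrlDomain": "stale.example"},
    {"NetworkMessageId": "m-4", "UrlDomain": "benign.example"},
]


def is_valid(row, now):
    """Validity filter the rule applies after deduplication: active and not yet expired."""
    return row["Active"] and row["ExpirationDateTime"] > now


def arg_max_latest(rows):
    """Emulate `summarize arg_max(TimeGenerated, *) by Id, ObservableValue`."""
    latest = {}
    for r in rows:
        key = (r["Id"], r["ObservableValue"])
        if key not in latest or r["TimeGenerated"] > latest[key]["TimeGenerated"]:
            latest[key] = r
    return list(latest.values())


def dedup_then_filter(rows, now):
    """Ordering the changelog describes for 1.0.6: keep newest version, then drop invalid."""
    return [r for r in arg_max_latest(rows) if is_valid(r, now)]


def filter_then_dedup(rows, now):
    """Assumed earlier ordering: drop invalid versions first, then keep the newest survivor."""
    return arg_max_latest([r for r in rows if is_valid(r, now)])


def matched_domains(indicators, email_rows):
    """Domains in EmailUrlInfo that hit a surviving indicator, i.e. what the rule would alert on."""
    iocs = {r["ObservableValue"] for r in indicators}
    return sorted({e["UrlDomain"] for e in email_rows if e["UrlDomain"] in iocs})


def compare(now=T0 + timedelta(days=2)):
    """Run both orderings over the same rows and return the domains each would match."""
    return {
        "dedup_then_filter": matched_domains(dedup_then_filter(TI_ROWS, now), EMAIL_URLS),
        "filter_then_dedup": matched_domains(filter_then_dedup(TI_ROWS, now), EMAIL_URLS),
    }


if __name__ == "__main__":
    for order, hits in compare().items():
        print(f"{order}: {hits}")
```

Indicator A is the case the review flagged: dedup-then-filter drops evil.example entirely, filter-then-dedup keeps the older active version. Whether that older version should still count is a policy question (a newer inactive row may be a deliberate deactivation that analysts want honoured), so when reviewing a rule like this decide which semantics you want and check the query order against it rather than assuming either is correct.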
This could result in missing threat intelligence matches against active indicators that would have been caught by the previous logic.\nAdditionally, the removal of timestamp validation and summarize operations on email data may produce nondeterministic results when multiple EmailUrlInfo records exist for the same URL, potentially affecting match reliability.\nMITRE Mapping MITRE mapping unavailable — YAML diff does not include relevantTechniques fields.\nAffected Files Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_EmailUrlInfo_Updated.yaml (packaging artefacts: 3.0.16.zip, ReleaseNotes.md, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-25-pr-13904/","summary":"Analytic rule optimization introduces potential detection gaps by reordering deduplication before indicator validity checks.","title":"Microsoft Threat Intelligence: Detection Logic Optimization Risks in Domain/URL Mapping Rule"},{"content":"Affected Files Solutions/Auth0/Data Connectors/Auth0_CCP/DataConnectorDefinition.json (packaging artefacts: 3.1.3.zip, ReleaseNotes.md, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-24-pr-13873/","summary":"Auth0 connector display name updated to clarify CCF implementation, supporting connector adoption transparency.","title":"Auth0 CCF Connector: UI Branding Updated for Framework Visibility"},{"content":"What Changed Rebuilt and updated all 20 IPinfo connector Azure Function zip packages to resolve dependency issues with the Azure Functions Linux runtime. The .python_packages components were rebuilt to ensure compatibility across all connector types including ASN, Abuse, Carrier, Company, Core, Plus, and various WHOIS data feeds.\nSecurity Impact (Visibility \u0026amp; Fidelity) Connector Restoration: This is a critical fix for production deployments. 
The dependency issues were preventing successful Azure Function execution, resulting in complete ingestion failure for all IPinfo data connectors. Deployments running versions prior to 3.0.5 have had zero data ingestion from IPinfo services since the dependency incompatibility emerged.\nData Source Blind Spot: IPinfo provides threat intelligence and network context data including IP geolocation, ASN information, abuse contact details, and privacy/proxy detection. The broken connectors created a complete blind spot for this network intelligence, affecting threat hunting, incident response, and automated enrichment workflows that depend on IP context data.\nAffected Files (packaging artefacts: 3.0.5.zip, IPInfoWHOISASNConn.zip, IPinfoASNConn.zip, IPinfoAbuseConn.zip, IPinfoCarrierConn.zip, IPinfoCompanyConn.zip, IPinfoCoreConn.zip, IPinfoCountryConn.zip, IPinfoDomainConn.zip, IPinfoIplocationConn.zip, IPinfoIplocationExtendedConn.zip, IPinfoPlusConn.zip, IPinfoPrivacyConn.zip, IPinfoPrivacyExtendedConn.zip, IPinfoRIRWHOISConn.zip, IPinfoRWHOISConn.zip, IPinfoResProxyConn.zip, IPinfoWHOISMNTConn.zip, IPinfoWHOISNETConn.zip, IPinfoWHOISORGConn.zip, IPinfoWHOISPOCConn.zip, ReleaseNotes.md, Solution_IPinfo.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-24-pr-13875/","summary":"All IPinfo connector Azure Function packages rebuilt to resolve dependency issues with Linux runtime.","title":"IPinfo Connectors: Azure Functions Dependency Fix for Linux Runtime"},{"content":"What Changed Added two new event codes to the Commvault Security IQ connector ingestion filter: \u0026ldquo;69:65\u0026rdquo; and \u0026ldquo;69:66\u0026rdquo;. These events were introduced in Commvault threat scan functionality but were not being collected by the existing connector configuration.\nAdditionally fixed regex patterns for extracting clientId and clientName from event descriptions. 
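To make the casing gap concrete, the following is an added example written for this note, not the connector's main.py: a case-sensitive, lowercase-only extraction pattern beside a case-tolerant one, run over constructed event descriptions. The bracketed description layout is an assumed shape, and the case-tolerant version generalises the fix by accepting either spelling rather than only the PascalCase one.

```python
import re

# Constructed Commvault-style event descriptions (assumed layout, not real connector output);
# only the casing of the field names matters for the point being made.
DESCRIPTIONS = [
    "Threat scan completed. clientId [101], clientName [fileserver01]",
    "Threat scan completed. ClientId [102], ClientName [fileserver02]",
    "Threat scan flagged 3 files. ClientId [103], ClientName [nas-prod]",
]

# Pre-fix style (assumed): case-sensitive patterns that only know the lowercase spelling.
OLD_PATTERNS = {
    "clientId": re.compile(r"clientId\s*\[(\d+)\]"),
    "clientName": re.compile(r"clientName\s*\[([^\]]+)\]"),
}

# Post-fix style, generalised here with re.IGNORECASE so both spellings populate the fields.
NEW_PATTERNS = {
    "clientId": re.compile(r"clientId\s*\[(\d+)\]", re.IGNORECASE),
    "clientName": re.compile(r"clientName\s*\[([^\]]+)\]", re.IGNORECASE),
}


def extract(description, patterns):
    """Return one value per field; None where the pattern did not match (what lands as null)."""
    return {field: (m.group(1) if (m := pat.search(description)) else None)
            for field, pat in patterns.items()}


def null_rate(descriptions, patterns):
    """Share of events with at least one unpopulated field: the fidelity gap, measured."""
    missing = sum(1 for d in descriptions if None in extract(d, patterns).values())
    return missing / len(descriptions)


if __name__ == "__main__":
    for d in DESCRIPTIONS:
        print(extract(d, OLD_PATTERNS), "->", extract(d, NEW_PATTERNS))
    print("null rate old:", null_rate(DESCRIPTIONS, OLD_PATTERNS),
          "new:", null_rate(DESCRIPTIONS, NEW_PATTERNS))
```

The null_rate helper is the check worth keeping: run it over a sample of real descriptions after any parser change, since a pattern that silently returns None never raises an error and the gap only shows up as empty columns in the table.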
The patterns now correctly match PascalCase field names (\u0026ldquo;ClientId\u0026rdquo; and \u0026ldquo;ClientName\u0026rdquo;) instead of lowercase variants, addressing a data fidelity gap where these fields returned null for events using the PascalCase format.\nSecurity Impact (Visibility \u0026amp; Fidelity) New Event Coverage: The addition of event codes 69:65 and 69:66 closes a visibility gap for threat scan activity. Deployments running prior versions had incomplete ingestion of threat scanning events, potentially missing security-relevant activities during threat detection workflows.\nParser Fidelity Fix: The regex update resolves a data extraction issue where clientId and clientName fields returned null for events containing PascalCase formatting. Queries referencing these fields against affected events would have missed valid data — this is a data fidelity fix restoring proper field population for threat scan events.\nAffected Files Solutions/Commvault Security IQ/Data Connectors/AzureFunctionCommvaultSecurityIQ/main.py (packaging artefacts: CommvaultSecurityIQDataConnector.zip) ","permalink":"http://sentinelchangelog.net/posts/2026-03-24-pr-13869/","summary":"Two new threat scan event types added to ingestion with regex fix for PascalCase field extraction.","title":"Commvault Security IQ: Enhanced Threat Scan Event Coverage and Parser Fix"},{"content":"What Changed The Illumio SaaS connector Function App components have been updated to use Managed Identity authentication instead of DefaultAzureCredential. The change removes all references to Azure AD application credentials (client ID, client secret, tenant ID) from both the deployment templates and Python code.\nSecurity Impact (Visibility \u0026amp; Fidelity) This change enhances the security posture of Illumio deployments by eliminating the need to store and manage client secrets in Function App environment variables. 
Previous deployments required manual Azure AD application registration and secret management, creating potential credential exposure risks.\nThe ARM templates now automatically assign the Monitoring Metrics Publisher role to the Function App managed identity on the Data Collection Rule, removing the manual role assignment step that could lead to deployment failures if misconfigured.\nDeployment Changes New deployments: Templates automatically configure managed identity and role assignments Existing deployments: Manual migration required to enable system-assigned managed identity and configure DCR permissions Removed parameters: aadTenantId, aadApplicationId, aadApplicationSecret no longer required in deployment templates UI simplification: Connector UI definition removes Azure AD application configuration steps Existing deployments will continue to work but should be migrated to leverage the improved security model.\nAffected Files Solutions/IllumioSaaS/Data Connectors/CommonCode/constants.py Solutions/IllumioSaaS/Data Connectors/CommonCode/sentinel_connector.py Solutions/IllumioSaaS/Data Connectors/QueueTriggerFuncApp/DeployFunctionApp/azuredeploy_QueueTrigger_FunctionApp.json Solutions/IllumioSaaS/Data Connectors/QueueTriggerFuncApp/DeployFunctionApp/azuredeploy_QueueTrigger_FunctionApp.parameters.json Solutions/IllumioSaaS/Data Connectors/QueueTriggerFuncApp/DeployFunctionApp/createUiDefinitionQueueTrigger.json Solutions/IllumioSaaS/Data Connectors/QueueTriggerFuncApp/azure_queue_trigger.py Solutions/IllumioSaaS/Data Connectors/README.md Solutions/IllumioSaaS/Data Connectors/TimedApiFunctionApp/api_response.py Solutions/IllumioSaaS/Data Connectors/azuredeploy_IllumioSaaS_FunctionApp.json Solutions/IllumioSaaS/Package/testParameters.json (packaging artefacts: 3.4.1.zip, IllumioEventsConn.zip, IllumioQueueTrigger.zip, ReleaseNotes.md, Solution_IllumioSaaS.json, createUiDefinition.json, mainTemplate.json) 
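For existing deployments doing the manual migration, the following is an added check written for this note, not part of the Illumio solution: it audits an ARM template (exported, or the one you are about to deploy) for the three properties the post says the new model has, namely no aadTenantId/aadApplicationId/aadApplicationSecret parameters or secret-bearing app settings, a system-assigned identity on the Function App, and a Monitoring Metrics Publisher role assignment scoped to a data collection rule. The two template fragments are constructed and minimal; the role GUID is the built-in Monitoring Metrics Publisher role id, which you should confirm in your own tenant before relying on it.

```python
# Parameters the post says were removed from the Illumio templates.
CREDENTIAL_PARAMS = {"aadTenantId", "aadApplicationId", "aadApplicationSecret"}
# Built-in Monitoring Metrics Publisher role definition id (confirm in your tenant).
MONITORING_METRICS_PUBLISHER = "3913510d-42f4-4e42-8a64-420c390055eb"

# Constructed, minimal ARM fragment in the pre-change shape (not the real Illumio template).
TEMPLATE_BEFORE = {
    "parameters": {
        "FunctionName": {"type": "string"},
        "aadTenantId": {"type": "string"},
        "aadApplicationId": {"type": "string"},
        "aadApplicationSecret": {"type": "securestring"},
    },
    "resources": [
        {"type": "Microsoft.Web/sites", "name": "[parameters('FunctionName')]",
         "properties": {"siteConfig": {"appSettings": [
             {"name": "AZURE_CLIENT_SECRET", "value": "[parameters('aadApplicationSecret')]"},
         ]}}},
    ],
}

# Constructed, minimal ARM fragment in the post-change shape: identity block on the site,
# role assignment scoped to the DCR, principalId read from the site's identity.
TEMPLATE_AFTER = {
    "parameters": {"FunctionName": {"type": "string"}, "DcrName": {"type": "string"}},
    "resources": [
        {"type": "Microsoft.Web/sites", "name": "[parameters('FunctionName')]",
         "identity": {"type": "SystemAssigned"},
         "properties": {"siteConfig": {"appSettings": [
             {"name": "DCR_NAME", "value": "[parameters('DcrName')]"},
         ]}}},
        {"type": "Microsoft.Authorization/roleAssignments",
         "scope": "[resourceId('Microsoft.Insights/dataCollectionRules', parameters('DcrName'))]",
         "properties": {
             "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', "
                                 "'3913510d-42f4-4e42-8a64-420c390055eb')]",
             "principalId": "[reference(resourceId('Microsoft.Web/sites', parameters('FunctionName')), "
                            "'2022-03-01', 'Full').identity.principalId]",
             "principalType": "ServicePrincipal"}},
    ],
}


def audit(template):
    """Return a list of findings; an empty list means the template matches the managed-identity shape."""
    findings = []
    leftover = CREDENTIAL_PARAMS & set(template.get("parameters", {}))
    if leftover:
        findings.append("credential parameters still declared: " + ", ".join(sorted(leftover)))
    sites = [r for r in template["resources"] if r["type"] == "Microsoft.Web/sites"]
    if not any(r.get("identity", {}).get("type") == "SystemAssigned" for r in sites):
        findings.append("function app has no system-assigned managed identity")
    for site in sites:
        for setting in site.get("properties", {}).get("siteConfig", {}).get("appSettings", []):
            if "SECRET" in setting["name"].upper():
                findings.append("app setting looks like a stored credential: " + setting["name"])
    assignments = [r for r in template["resources"]
                   if r["type"] == "Microsoft.Authorization/roleAssignments"]
    if not any(MONITORING_METRICS_PUBLISHER in r["properties"]["roleDefinitionId"]
               and "dataCollectionRules" in r.get("scope", "") for r in assignments):
        findings.append("no Monitoring Metrics Publisher assignment scoped to a data collection rule")
    return findings


if __name__ == "__main__":
    print("before:", audit(TEMPLATE_BEFORE))
    print("after: ", audit(TEMPLATE_AFTER))
```

Run it against `az deployment group export` output or the mainTemplate.json you are about to apply; anything it reports on the "after" side means the migration is incomplete and the Function App will either still depend on a secret or fail to write to the DCR with an authorization error.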
","permalink":"http://sentinelchangelog.net/posts/2026-03-24-pr-13691/","summary":"Illumio Function App connector replaces DefaultAzureCredential with ManagedIdentityCredential, eliminating client secret exposure.","title":"Illumio Connector: Enhanced Security with Managed Identity Authentication"},{"content":"Data Source Cyren Cyber Threat Intelligence (CTI) platform offering two commercial feeds:\nIP Reputation feed — malicious IP addresses with threat scores Malware URL feed — weaponised URLs delivering malware payloads Feeds delivered via Cyren CCF (Codeless Connector Framework) API with NDJSON parsing.\nAutomation Mechanism Playbook: CyrenToSentinelOne\n6-hour polling cycle from Cyren CCF feed endpoints PersistentToken pagination for large result sets Dual-feed support — customers can purchase one or both feeds Optional JWT tokens per feed (single-feed deployments supported) IOC push to SentinelOne via /web/api/v2.1/threat-intelligence/iocs endpoint SentinelOne Integration Creates IOC indicators directly in SentinelOne Threat Intelligence module Establishes STAR (SentinelOne Threat Analysis and Response) detection rule: \u0026ldquo;Cyren IOC Detection\u0026rdquo; Rule query: IndicatorSource = \u0026ldquo;Cyren\u0026rdquo; with High severity classification Automated endpoint protection against Cyren-flagged threats Detection Surface Unlocked Organizations gain automated threat detection for:\nMalicious IP communications (network sessions, DNS queries, firewall logs) Drive-by download attempts and malware distribution URLs Command and control infrastructure identified by Cyren threat research Known attacker infrastructure with recent activity (2-day freshness filter) Field mapping preserves threat context — IP indicators maintain confidence scores, URL indicators include categorisation metadata for security team triage.\nAffected Files Solutions/Cyren-SentinelOne-ThreatIntelligence/Package/testParameters.json 
Solutions/Cyren-SentinelOne-ThreatIntelligence/Playbooks/CyrenToSentinelOne_Playbook.json (packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_CyrenSentinelOne.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-24-pr-13657/","summary":"New Content Hub solution automates IOC ingestion from Cyren CCF feeds (IP reputation and malware URLs) into SentinelOne for automated threat detection and response.","title":"Cyren Threat Intelligence: SentinelOne IOC Automation Solution Deployed"},{"content":"What Changed New CCF-based data connector solution for AWS Elastic Load Balancing services, enabling ingestion of access logs and flow logs from Application Load Balancers (ALB), Network Load Balancers (NLB), and Gateway Load Balancers (GLB).\nData Source AWS Elastic Load Balancing Services:\nALB access logs → AWSALBAccessLogs table NLB access logs → AWSNLBAccessLogs table NLB/GLB flow logs → AWSELBFlowLogs table (LogType field distinguishes source) Ingestion Mechanism CCF/DCR-based connector using S3 bucket ingestion with SQS notifications:\nFour separate SQS queues for different log types OIDC-based IAM role authentication Custom DCR streams: Microsoft-AWSALBAccessLogs, Microsoft-AWSNLBAccessLogs, Microsoft-AWSNLBFlowLogsStream, Microsoft-AWSGLBFlowLogsStream CloudFormation templates provided for automated AWS resource provisioning Detection Surface Unlocked Network visibility gains:\nLoad balancer request/response analysis for web application security Network flow monitoring for east-west traffic inspection Backend target health and connection patterns Potential detection of load balancer abuse, DDoS patterns, and suspicious connection flows Bundled Content:\n3 parsers: AWSALBAccessLogsData, AWSNLBAccessLogsData, AWSELBFlowLogsData Sample queries for basic log exploration Custom table definitions for KQL validation testing Affected Files 
.script/tests/KqlvalidationsTests/CustomTables/AWSALBAccessLogs.json .script/tests/KqlvalidationsTests/CustomTables/AWSALBAccessLogs_CL.json .script/tests/KqlvalidationsTests/CustomTables/AWSELBFlowLogs.json .script/tests/KqlvalidationsTests/CustomTables/AWSELBFlowLogs_CL.json .script/tests/KqlvalidationsTests/CustomTables/AWSNLBAccessLogs.json .script/tests/KqlvalidationsTests/CustomTables/AWSNLBAccessLogs_CL.json Solutions/AWS ELB/Data Connectors/AWSELBConnector_CCF/AWSELBConnector_ConnectorDefinition.json Solutions/AWS ELB/Data Connectors/AWSELBConnector_CCF/AWSELBConnector_DCR.json Solutions/AWS ELB/Data Connectors/AWSELBConnector_CCF/AWSELBConnector_PollingConfig.json Solutions/AWS ELB/Data Connectors/CloudFormationTemplates/AWSS3ELB.json Solutions/AWS ELB/Data Connectors/CloudFormationTemplates/OIDCWebIdProvider.json Solutions/AWS ELB/Data Connectors/CloudFormationTemplates/README.md Solutions/AWS ELB/Package/testParameters.json Solutions/AWS ELB/Parsers/AWSALBAccessLogsData.yaml Solutions/AWS ELB/Parsers/AWSELBFlowLogsData.yaml Solutions/AWS ELB/Parsers/AWSNLBAccessLogsData.yaml Tools/Create-Azure-Sentinel-Solution/common/createCCPConnector.ps1 Tools/Create-Azure-Sentinel-Solution/common/standardLogStreams.ps1 (packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_AWSELB.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-23-pr-13872/","summary":"New CCF connector enables ingestion of AWS Elastic Load Balancer access and flow logs into Microsoft Sentinel for network traffic monitoring and threat detection.","title":"AWS ELB Connector: Public Preview CCF Ingestion for ALB, NLB, and GLB Logs"},{"content":"What Changed Updated GreyNoise Threat Intelligence solution from v3.0.3 to v3.1.0 with dependency upgrades and runtime fixes:\nUpdated GreyNoise Python SDK from v3.0.1 to v3.0.2 Fixed Python module mismatches in requirements.txt Bumped Azure Functions runtime from bundle v3 to 
v4 Updated data connector instructions referencing new Threat Intelligence (New) solution Increased function timeout to 2 hours Security Impact (Visibility \u0026amp; Fidelity) This maintenance update addresses connector stability issues that could impact threat intelligence data ingestion reliability. The fixes ensure:\nConsistent Data Flow: Resolved module compatibility issues that could cause connector failures Runtime Stability: Updated Azure Functions runtime eliminates potential execution timeouts API Compatibility: Updated SDK maintains compatibility with GreyNoise threat intelligence APIs No changes to detection logic or data schema - existing threat intelligence queries and detections remain unaffected. This is purely a maintenance release to ensure reliable operation of the GreyNoise connector infrastructure.\nThe solution continues to ingest IP reputation data and context from GreynoiseThreatIntelligence into the ThreatIntelligenceIndicator table for correlation with security events.\nAffected Files Solutions/GreyNoiseThreatIntelligence/Data Connectors/GreyNoiseConnector_UploadIndicatorsAPI.json Solutions/GreyNoiseThreatIntelligence/Data Connectors/host.json Solutions/GreyNoiseThreatIntelligence/Data Connectors/requirements.txt (packaging artefacts: 3.1.0.zip, GreyNoiseAPISentinelConn.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_GreyNoise.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-23-pr-13819/","summary":"Updated GreyNoise Python SDK to v3.0.3, fixed module mismatches, and bumped Azure Functions runtime to resolve connector stability issues.","title":"GreyNoise Threat Intelligence: SDK Update Addresses Function App Runtime Issues"},{"content":"What Changed New Codeless Connector Framework (CCF) data connector for Rubrik Security Cloud that ingests comprehensive backup and protection status data for Azure VMs into Microsoft Sentinel. 
The connector creates a custom table RubrikProtectionStatus_CL with 49 data fields covering compliance status, snapshot counts, storage metrics, SLA assignments, and cluster information.\nSecurity Impact (Visibility \u0026amp; Fidelity) This connector addresses a critical visibility gap in ransomware incident response by enabling automatic correlation of security alerts with backup infrastructure health. Security teams can now:\nRansomware Recovery Readiness: Immediately assess if compromised assets have recent, clean backups available during active incidents Attack Pattern Detection: Identify sophisticated attacks that specifically target backup infrastructure to prevent recovery Incident Correlation: Join SecurityAlert events with backup status using asset identifiers to determine blast radius and recovery options Backup Anomaly Detection: Detect sudden compliance failures, missing snapshots, or unusual storage consumption coinciding with security events The connector polls Rubrik Security Cloud GraphQL API every 60 minutes using OAuth2 authentication, collecting protection telemetry that was previously invisible to security operations.\nData Source Product: Rubrik Security Cloud backup and data protection platform API: GraphQL API with OAuth2 service account authentication Data Types: VM backup status, SLA compliance, snapshot metadata, storage efficiency metrics Target Table: RubrikProtectionStatus_CL (custom table with 49 fields) Ingestion Mechanism Framework: Codeless Connector Framework (CCF) with Data Collection Rule (DCR) Polling Interval: 60 minutes (configurable) Authentication: OAuth2 client credentials flow Rate Limiting: 5 queries per second Detection Surface Unlocked Security teams gain visibility into backup infrastructure that attackers commonly target to prevent recovery:\nCorrelation of security incidents with backup compliance failures Detection of backup job failures during suspicious activity windows Monitoring of snapshot deletion patterns 
that indicate ransomware preparation Assessment of data reduction anomalies suggesting encryption activity Tracking of SLA domain changes that could indicate policy tampering The README includes sample KQL queries for correlating SecurityAlert events with backup status and identifying critical risks where compromised assets lack adequate backup protection.\nAffected Files Solutions/RubrikSecurityCloud/Data Connectors/RubrikSecurityCloud_CCF/README.md Solutions/RubrikSecurityCloud/Data Connectors/RubrikSecurityCloud_CCF/RubrikSecurityCloud_ConnectorDefinition.json Solutions/RubrikSecurityCloud/Data Connectors/RubrikSecurityCloud_CCF/RubrikSecurityCloud_DCE.json Solutions/RubrikSecurityCloud/Data Connectors/RubrikSecurityCloud_CCF/RubrikSecurityCloud_DCR.json Solutions/RubrikSecurityCloud/Data Connectors/RubrikSecurityCloud_CCF/RubrikSecurityCloud_PollerConfig.json Solutions/RubrikSecurityCloud/Data Connectors/RubrikSecurityCloud_CCF/RubrikSecurityCloud_Table.json Solutions/RubrikSecurityCloud/Package/testParameters.json (packaging artefacts: 3.5.2.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_RubrikSecurityCloud.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-23-pr-13508/","summary":"New CCF data connector ingests comprehensive backup status data enabling correlation between security incidents and backup health for rapid ransomware recovery assessment.","title":"Rubrik Security Cloud: New CCF Connector Unlocks Ransomware Recovery Intelligence"},{"content":"Data Source Ingests compute platform assets from the Upwind cloud security platform via REST API, providing visibility into cloud infrastructure across AWS, Azure, and GCP environments. The connector focuses on asset inventory with integrated risk scoring, vulnerability assessments, and network exposure analysis.\nIngestion Mechanism Function App-based connector using Python 3.11 with OAuth2 client credentials authentication. 
Timer-triggered function (hourly by default) that pages through Upwind inventory API and ships data to custom UpwindLogsAssets_CL table via Azure Monitor Ingestion API (DCE/DCR). Includes exponential backoff retry logic and cursor-based pagination.\nDetection Surface Unlocked Enables monitoring of cloud infrastructure security posture through asset risk correlation:\nVulnerability Management: Critical/high vulnerability counts per asset with CVE-level detail Network Exposure: Public IP addresses and network risk scoring for internet-exposed resources Privilege Escalation Detection: High privilege risk indicators for assets with elevated permissions Data Protection: Sensitive data at rest/in transit discovery across cloud workloads Multi-Cloud Visibility: Unified asset view across AWS, Azure, and GCP environments The connector populates structured fields for cloud account ID, resource type, region, protection status, and risk metrics that enable correlation with existing security telemetry for comprehensive cloud threat detection.\nAffected Files .script/tests/KqlvalidationsTests/CustomTables/UpwindLogsAssets_CL.json Solutions/Upwind/Data Connectors/Logos/upwind.svg Solutions/Upwind/Data Connectors/UpwindLogsLoader/__init__.py Solutions/Upwind/Data Connectors/UpwindLogsLoader/config.py Solutions/Upwind/Data Connectors/UpwindLogsLoader/function.json Solutions/Upwind/Data Connectors/UpwindLogsLoader/upwind_catalog_client.py Solutions/Upwind/Data Connectors/UpwindLogsLoader/upwind_client.py Solutions/Upwind/Data Connectors/UpwindLogsLoader_API_FunctionApp.json Solutions/Upwind/Data Connectors/azuredeploy_UpwindLogsLoader_API_FunctionApp.json Solutions/Upwind/Data Connectors/createUiDef.json Solutions/Upwind/Data Connectors/host.json Solutions/Upwind/Data Connectors/requirements.txt Solutions/Upwind/Package/testParameters.json Solutions/Upwind/README.md (packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_UpwindLogsLoader.json, 
UpwindLogsLoader.zip, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-23-pr-13778/","summary":"New Upwind solution enables ingestion of compute platform assets with risk assessments, vulnerability data, and network exposure metrics.","title":"Upwind Cloud Security: New Data Connector Unlocks Cloud Asset Visibility"},{"content":"What Changed Updated all KQL queries in the Cisco Firepower workbook to filter DeviceProduct by \u0026lsquo;FTD\u0026rsquo; instead of \u0026lsquo;Firepower\u0026rsquo;.\nSecurity Impact (Visibility and Fidelity) The Cisco Firepower workbook was completely non-functional due to incorrect DeviceProduct filtering. The workbook queries filtered for DeviceProduct =~ \u0026lsquo;Firepower\u0026rsquo;, but the actual parser stores this field as \u0026lsquo;FTD\u0026rsquo;. This mismatch caused all dashboard charts and visualizations to return zero results despite active Cisco FTD data ingestion.\nSOC analysts using this workbook for Cisco FTD network security monitoring had no functional dashboards for threat analysis, protocol distribution, device action tracking, or anomaly detection. 
This represents a visualization blind spot that prevented effective analysis of blocked connections, threat patterns, and network activity trends from Cisco Firepower Threat Defense appliances.\nAffected Files Workbooks/CiscoFirepower.json ","permalink":"http://sentinelchangelog.net/posts/2026-03-23-pr-13865/","summary":"Cisco Firepower workbook queries updated from incorrect \u0026lsquo;Firepower\u0026rsquo; to \u0026lsquo;FTD\u0026rsquo; filter, fixing non-functional dashboard charts.","title":"Cisco Firepower Workbook: Fixed DeviceProduct Filter Restores Dashboard Functionality"},{"content":"What Changed Fixed malformed ARM expression in Lookout connector mainTemplate.json that prevented successful deployment when using API key authentication.\nSecurity Impact (Visibility and Fidelity) Deployments attempting to use API key authentication for the Lookout Mobile Risk connector experienced complete deployment failure due to ARM template syntax error. The double closing bracket caused Azure Resource Manager to reject the template during deployment phase — zero connector instances were successfully created for affected deployments using API key auth flow.\nOrganizations relying on API key authentication (vs OAuth flows) for Lookout mobile threat data ingestion have been unable to establish data connectivity since the syntax error was introduced. 
This represents a complete blind spot for mobile device threat detection in environments that deployed this connector configuration.\nAffected Files (packaging artefacts: 3.0.2.zip, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-23-pr-13850/","summary":"Lookout connector ARM template syntax error blocked API key deployments with double bracket parse failure.","title":"Lookout Connector: ARM Deployment Fix Restores API Key Authentication"},{"content":"What Changed The Atlassian Jira Audit connector has been rebranded from \u0026ldquo;Atlassian Jira Audit (using REST API)\u0026rdquo; to \u0026ldquo;Atlassian Jira Audit (via Codeless Connector Framework)\u0026rdquo; to align with current Microsoft Sentinel connector terminology standards. This is a pure branding change with no functional modifications to the connector logic or ingestion behavior.\nSecurity Impact No security implications — this is a display name update only. The connector continues to ingest Jira audit events through the same CCF mechanism as before. 
All detection rules, queries, and data ingestion remain unaffected.\nThe accompanying API version updates in ARM templates (from 2023-04-01-preview to 2025-01-01-preview) are standard Microsoft.SecurityInsights API versioning maintenance with no functional changes to the connector behavior.\nAffected Files Solutions/AtlassianJiraAudit/Data Connectors/JiraAuditAPISentinelConnector_ccpv2/JiraAudit_DataConnectorDefinition.json Solutions/AtlassianJiraAudit/Data Connectors/JiraAuditAPISentinelConnector_ccpv2/azuredeploy_JiraAudit_poller_connector.json Solutions/AtlassianJiraAudit/Playbooks/Sync-CommentsFunctionApp/azuredeploy.json (packaging artefacts: 3.0.5.zip, ReleaseNotes.md, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-20-pr-13859/","summary":"Atlassian Jira Audit connector rebranded to reflect Codeless Connector Framework terminology.","title":"Atlassian Jira Connector Rebrand: \"REST API\" to \"CCF\" Terminology Update"},{"content":"What Changed The GitHub Enterprise \u0026ldquo;Two Factor Authentication Disabled\u0026rdquo; NRT detection rule has been fixed after a complete monitoring failure caused by table migration. The rule was querying the deprecated GitHubAudit table instead of the current GitHubAuditData table, resulting in zero detection capability.\nDetection Logic Data Source: GitHubAuditData (corrected from deprecated GitHubAudit) Core Logic: Monitors org.disable_two_factor_requirement audit events to detect when organization-wide 2FA requirements are disabled Entity Mapping: Account entities (Name, UPNSuffix) — IP address mapping removed as field no longer exists in new parser format Detection Type: Near Real Time (NRT) rule for immediate alerting Security Impact (Visibility \u0026amp; Fidelity) Critical blind spot eliminated: Deployments running the previous version had complete detection failure for GitHub Enterprise 2FA policy changes. 
The rule produced zero alerts because it was querying a non-existent table name.\nOrganizations using GitHub Enterprise with this rule experienced an undetected gap in monitoring for:\nMalicious disabling of organization-wide 2FA requirements Insider threats weakening authentication policies Compliance violations related to multi-factor authentication enforcement This represents a complete loss of T1562 (Impair Defenses) detection capability for GitHub Enterprise environments until this fix is deployed.\nMITRE Mapping T1562 - Impair Defenses: Detects when attackers disable 2FA requirements to weaken organizational security controls Affected Files Solutions/ContentHubSolutionsCatalog.md Solutions/GitHub/Analytic Rules/NRT Two Factor Authentication Disabled.yaml (packaging artefacts: 3.1.4.zip, ReleaseNotes.md, Solution_GitHub.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-20-pr-13770/","summary":"GitHub Enterprise 2FA disablement detection rule was completely broken due to deprecated table reference — restored monitoring for T1562 defense impairment.","title":"GitHub 2FA Detection Restored: Critical Blind Spot Fixed After Parser Migration"},{"content":"What Changed The Microsoft Copilot Data Connector description was updated to clarify product scope and improve readability. The connector description now explicitly mentions both \u0026ldquo;M365 Copilot and Security Copilot\u0026rdquo; rather than generic \u0026ldquo;Microsoft Copilot services,\u0026rdquo; and removes extraneous commas for better flow.\nThe change is purely descriptive — no modification to data ingestion logic, table schemas, or connector functionality. 
The solution version was bumped to 3.0.2 with corresponding packaging updates.\nAffected Files Solutions/Microsoft Copilot/Data Connectors/MicrosoftCopilot_ConnectorDefinition.json (packaging artefacts: 3.0.2.zip, ReleaseNotes.md, Solution_MicrosoftCopilot.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-20-pr-13842/","summary":"Clarifies connector description to specify M365 Copilot and Security Copilot coverage alongside general improvements.","title":"Microsoft Copilot Connector: Updated Product Scope Description"},{"content":"What Changed The CrowdStrike Falcon Adversary Intelligence Function App connector\u0026rsquo;s Azure Functions extension bundle version constraint was updated from \u0026ldquo;[4.0.0, 5.0.0)\u0026rdquo; to \u0026ldquo;[4.*, 5.0.0)\u0026rdquo; in the host.json configuration file.\nSecurity Impact (Visibility \u0026amp; Fidelity) This fixes a deployment blocker that prevented the Function App from starting. 
Deployments running the previous version would fail to deploy the connector entirely — zero threat intelligence indicators were ingested from CrowdStrike Falcon X into the ThreatIntelligenceIndicator table.\nThe stricter version constraint \u0026ldquo;[4.0.0, 5.0.0)\u0026rdquo; caused compatibility conflicts with Azure Functions runtime versions 4.1.x and higher, preventing the connector from initializing and resulting in complete ingestion failure.\nAffected Files Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdStrikeFalconAdversaryIntelligence/host.json (packaging artefacts: CrowdStrikeFalconThreatIntelConnector.zip) ","permalink":"http://sentinelchangelog.net/posts/2026-03-20-pr-13864/","summary":"Version constraint fix restores Function App deployment after Azure Functions runtime compatibility issue.","title":"CrowdStrike Adversary Intelligence Connector: Function App Deployment Fix"},{"content":"What Changed Enhanced the ASIM Data Tester function with expanded dynamic type validation capabilities and improved documentation structure.\nParser Impact Added DynamicType and ArrayValuesType columns to ASimTester.csv for comprehensive dynamic field validation Enhanced ASimDataTester.yaml with logic to validate dynamic field types and array element consistency Updated documentation to clearly separate schema testing from data testing functions Testing Improvements The data tester now validates:\nDynamic field types match expected schema definitions Array values maintain consistent type within each array field Invalid dynamic array detection when inner values have mixed types Documentation Updates README clarified to distinguish between two ASIM testers:\nSchema Tester: Validates parser column names and types against ASIM schema Data Tester: Validates actual data values and content within parser output No change to existing detection logic or field mappings — safe for current ASIM parser deployments.\nAffected Files 
ASIM/dev/ASimTester/ASimDataTester.json ASIM/dev/ASimTester/ASimTester.csv ASIM/dev/ASimTester/README.md ASIM/dev/ASimTester/Testers/ASimDataTester.yaml Parsers/ASimAssetEntity/README.md ","permalink":"http://sentinelchangelog.net/posts/2026-03-19-pr-13769/","summary":"ASIM Data Tester adds DynamicType and ArrayValuesType validation columns to improve dynamic field type checking accuracy.","title":"ASIM Data Tester Enhanced: New Type Validation for Asset Schema Fields"},{"content":"What Changed The Zoom Reports CCF connector has been migrated to use a new table schema and naming convention, moving from Zoom_CL to ZoomV2_CL with standardized field names.\nData Connector Impact Table and Stream Changes Output table: Zoom_CL → ZoomV2_CL DCR streams: Custom-ZoomReportsGeneral_CL → Custom-ZoomReportsV2General_CL DCR name: ZoomReportsDCR → ZoomReportsV2DCR Schema Normalization The DCR transform KQL now maps to normalized field names without legacy suffix conventions:\nevent_type_s → EventType event_name_s → EventName email_s → Email user_name_s → UserName meeting_minutes_d → MeetingMinutes ip_address_s → IpAddress Added new CustomAttributes dynamic field for extensibility Deployment Coexistence This change eliminates table conflicts between the CCF connector and legacy Azure Function App deployments. Organizations can now run both connectors simultaneously without schema conflicts, with the Function App continuing to use Zoom_CL while the CCF connector uses ZoomV2_CL.\nDetection Surface Impact Existing queries targeting Zoom_CL will not automatically work with the new CCF connector data. Organizations migrating from Function App to CCF deployments must update:\nAnalytic Rules referencing Zoom_CL table Hunting queries with legacy field names (event_type_s, email_s, etc.) 
Workbooks and dashboards showing Zoom activity The connector UI now provides updated KQL examples using the new ZoomV2_CL table and normalized field names.\nAffected Files Solutions/ZoomReports/Data Connectors/ZoomReports_ccf/ConnectorDefinition.json Solutions/ZoomReports/Data Connectors/ZoomReports_ccf/DCR.json Solutions/ZoomReports/Data Connectors/ZoomReports_ccf/PollingConfig.json (packaging artefacts: 3.0.7.zip, ReleaseNotes.md, Solution_ZoomReports.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-19-pr-13856/","summary":"CCF connector now ingests to ZoomV2_CL with normalized field names, avoiding conflicts with legacy Function App deployments using Zoom_CL.","title":"Zoom Reports CCF Connector: Table Migration From Legacy Zoom_CL to ZoomV2_CL Schema"},{"content":"What Changed Added two new ASIM AuditEvent parsers for Azure SQL Security Audit logs:\nASimAuditEventSQLSecurityAudit: Full normalization parser vimAuditEventSQLSecurityAudit: Filtering-enabled parser with parameter support Both parsers normalize events from SQLSecurityAuditEvents table and AzureDiagnostics table (Category: SQLSecurityAuditEvents) to the ASIM AuditEvent schema v0.1.2.\nParser Impact The parsers map SQL audit actions to ASIM EventType values:\nSQL DML operations (SELECT, INSERT, UPDATE, DELETE) → Read/Create/Set/Delete DDL operations (CREATE, ALTER, DROP) → Create/Set/Delete Permission operations (GRANT, DENY, REVOKE) → Set Session events (LOGIN, LOGOUT) → Execute Key normalized fields include:\nActorUsername: ServerPrincipalName (SQL principal executing the action) SrcIpAddr: ClientIp (source of SQL connection) Object: ObjectName (SQL object being accessed) TargetAppName: LogicalServerName/DatabaseName format EventResult: Success/Failure based on SQL audit outcome The pack parameter enables detailed SQL context in AdditionalFields (Statement, SchemaName, DurationMs, AffectedRows, etc.).\nDetection Surface Unlocked This enables source-agnostic 
detection of:\nPrivilege escalation attempts via SQL permission changes Suspicious data access patterns across SQL databases Failed authentication events to SQL servers Schema modification tracking for compliance Cross-database query analysis using normalized field names Affected Files .script/tests/KqlvalidationsTests/CustomTables/AzureDiagnostics.json .script/tests/KqlvalidationsTests/CustomTables/SQLSecurityAuditEvents.json ASIM/dev/ASimTester/ASimTester.csv Parsers/ASimAuditEvent/ARM/ASimAuditEvent/ASimAuditEvent.json Parsers/ASimAuditEvent/ARM/ASimAuditEventSQLSecurityAudit/ASimAuditEventSQLSecurityAudit.json Parsers/ASimAuditEvent/ARM/ASimAuditEventSQLSecurityAudit/README.md Parsers/ASimAuditEvent/ARM/FullDeploymentAuditEvent.json Parsers/ASimAuditEvent/ARM/imAuditEvent/imAuditEvent.json Parsers/ASimAuditEvent/ARM/vimAuditEventSQLSecurityAudit/README.md Parsers/ASimAuditEvent/ARM/vimAuditEventSQLSecurityAudit/vimAuditEventSQLSecurityAudit.json Parsers/ASimAuditEvent/CHANGELOG/ASimAuditEvent.md Parsers/ASimAuditEvent/CHANGELOG/ASimAuditEventSQLSecurityAudit.md Parsers/ASimAuditEvent/CHANGELOG/imAuditEvent.md Parsers/ASimAuditEvent/CHANGELOG/vimAuditEventSQLSecurityAudit.md Parsers/ASimAuditEvent/Parsers/ASimAuditEvent.yaml Parsers/ASimAuditEvent/Parsers/ASimAuditEventSQLSecurityAudit.yaml Parsers/ASimAuditEvent/Parsers/imAuditEvent.yaml Parsers/ASimAuditEvent/Parsers/vimAuditEventSQLSecurityAudit.yaml ","permalink":"http://sentinelchangelog.net/posts/2026-03-18-pr-13745/","summary":"New ASIM parser enables normalized analysis of SQL security audit events from SQLSecurityAuditEvents and AzureDiagnostics tables.","title":"ASIM AuditEvent Parser: Azure SQL Security Audit Data Normalized for Detection"},{"content":"What Changed New Microsoft Sentinel solution package for Censys attack surface intelligence integration. 
Includes six playbooks providing automated enrichment for IP addresses, domains, and certificates detected in incidents and alerts.\nPlaybook Capabilities Entity Enrichment Playbooks:\nCensysEntityEnrichmentHost: Triggered on IP entities, retrieves geolocation, ASN, WHOIS, services, and DNS data CensysEntityEnrichmentWebProperty: Triggered on DNS entities, queries web properties on ports 80/443 by default CensysEntityEnrichmentCertificate: Triggered on FileHash entities, provides certificate metadata and associated services Alert Processing:\nCensysAlertEnrichment: Processes alert entities (IP, domain, certificate SHA256), ingests data to custom tables CensysAlertRescan: Manual rescan capability for updated asset intelligence with workbook integration Infrastructure:\nCensysAddIncidentComment: Sub-playbook handling enrichment data formatting and incident comment injection Data Ingestion Creates custom Log Analytics tables for historical analysis:\nCensysHost_CL - Host/IP enrichment data Censyswebproperty_CL - Web property intelligence CensysCert_CL - Certificate metadata CensysHostAlert_CL, CensysWebPropertyAlert_CL, CensysCertificateAlert_CL - Alert-triggered enrichment Deployment Requirements Censys API token stored in Azure Key Vault (secret: Censys-Access-Token) Censys Organization ID for API authentication Automation rules configured for entity-triggered enrichment Sequential deployment required (CensysAddIncidentComment first, then entity enrichment playbooks) Operational Value Provides SOC teams with contextual threat intelligence for IOCs during incident investigation, including geolocation, infrastructure ownership, service exposure, and certificate chain analysis.\nAffected Files .script/tests/KqlvalidationsTests/CustomTables/CensysCert_CL.json .script/tests/KqlvalidationsTests/CustomTables/CensysCertificateAlert_CL.json .script/tests/KqlvalidationsTests/CustomTables/CensysCertificate_CL.json 
.script/tests/KqlvalidationsTests/CustomTables/CensysHostAlert_CL.json .script/tests/KqlvalidationsTests/CustomTables/CensysHost_CL.json .script/tests/KqlvalidationsTests/CustomTables/CensysRelatedAssetsDetails_CL.json .script/tests/KqlvalidationsTests/CustomTables/CensysRescanHostAlert_CL.json .script/tests/KqlvalidationsTests/CustomTables/CensysRescanHost_CL.json .script/tests/KqlvalidationsTests/CustomTables/CensysRescanWebPropertyAlert_CL.json .script/tests/KqlvalidationsTests/CustomTables/CensysRescanWebProperty_CL.json .script/tests/KqlvalidationsTests/CustomTables/CensysWebPropertyAlert_CL.json .script/tests/KqlvalidationsTests/CustomTables/Censys_Certificate_IOC_CL.json .script/tests/KqlvalidationsTests/CustomTables/Censys_Host_History_Data_CL.json .script/tests/KqlvalidationsTests/CustomTables/Censys_Host_IOC_CL.json .script/tests/KqlvalidationsTests/CustomTables/Censys_Host_Services_CL.json .script/tests/KqlvalidationsTests/CustomTables/Censys_Web_Property_Endpoint_CL.json .script/tests/KqlvalidationsTests/CustomTables/Censys_Web_Property_IOC_CL.json .script/tests/KqlvalidationsTests/CustomTables/Censys_Web_Property_Threat_CL.json .script/tests/KqlvalidationsTests/CustomTables/Censys_Web_Property_Vuln_CL.json .script/tests/KqlvalidationsTests/CustomTables/Censyswebproperty_CL.json .script/tests/KqlvalidationsTests/CustomTables/Incident_Enrich_Data_CL.json Logos/Censys.svg Sample Data/Custom/CensysCert_CL.csv Sample Data/Custom/CensysCertificateAlert_CL.csv Sample Data/Custom/CensysCertificate_CL.csv Sample Data/Custom/CensysHostAlert_CL.csv Sample Data/Custom/CensysHost_CL.csv Sample Data/Custom/CensysRelatedAssetsDetails_CL.csv Sample Data/Custom/CensysRescanHostAlert_CL.csv Sample Data/Custom/CensysRescanHost_CL.csv Sample Data/Custom/CensysRescanWebPropertyAlert_CL.csv Sample Data/Custom/CensysRescanWebProperty_CL.csv Sample Data/Custom/CensysWebPropertyAlert_CL.csv Sample Data/Custom/Censys_Certificate_IOC_CL.csv Sample 
Data/Custom/Censys_Host_History_Data_CL.csv Sample Data/Custom/Censys_Host_IOC_CL.csv Sample Data/Custom/Censys_Host_Services_CL.csv Sample Data/Custom/Censys_Web_Property_Endpoint_CL.csv Sample Data/Custom/Censys_Web_Property_IOC_CL.csv Sample Data/Custom/Censys_Web_Property_Threat_CL.csv Sample Data/Custom/Censys_Web_Property_Vuln_CL.csv Sample Data/Custom/Censyswebproperty_CL.csv Sample Data/Custom/Incident_Enrich_Data_CL.csv Solutions/Censys/Package/testParameters.json Solutions/Censys/Playbooks/CensysAddIncidentComment/CensysAddIncidentComment.png Solutions/Censys/Playbooks/CensysAddIncidentComment/Enrichment comment.png Solutions/Censys/Playbooks/CensysAddIncidentComment/Host comment.png Solutions/Censys/Playbooks/CensysAddIncidentComment/README.md Solutions/Censys/Playbooks/CensysAddIncidentComment/azuredeploy.json Solutions/Censys/Playbooks/CensysAddIncidentComment/certificate comment.png Solutions/Censys/Playbooks/CensysAddIncidentComment/web property comments.png Solutions/Censys/Playbooks/CensysAlertEnrichment/CensysAlertEnrichment.png Solutions/Censys/Playbooks/CensysAlertEnrichment/README.md Solutions/Censys/Playbooks/CensysAlertEnrichment/azuredeploy.json Solutions/Censys/Playbooks/CensysAlertRescan/CensysAlertRescan.png Solutions/Censys/Playbooks/CensysAlertRescan/README.md Solutions/Censys/Playbooks/CensysAlertRescan/azuredeploy.json Solutions/Censys/Playbooks/CensysEntityEnrichmentCertificate/CensysEntityEnrichmentCertificate.png Solutions/Censys/Playbooks/CensysEntityEnrichmentCertificate/README.md Solutions/Censys/Playbooks/CensysEntityEnrichmentCertificate/azuredeploy.json Solutions/Censys/Playbooks/CensysEntityEnrichmentHost/CensysEntityEnrichmentHost.png Solutions/Censys/Playbooks/CensysEntityEnrichmentHost/README.md Solutions/Censys/Playbooks/CensysEntityEnrichmentHost/azuredeploy.json Solutions/Censys/Playbooks/CensysEntityEnrichmentWebProperty/CensysEntityEnrichmentWebProperty.png 
Solutions/Censys/Playbooks/CensysEntityEnrichmentWebProperty/README.md Solutions/Censys/Playbooks/CensysEntityEnrichmentWebProperty/azuredeploy.json Solutions/Censys/Playbooks/CensysHostHistory/CensysHostHistory.png Solutions/Censys/Playbooks/CensysHostHistory/README.md Solutions/Censys/Playbooks/CensysHostHistory/azuredeploy.json Solutions/Censys/Playbooks/CensysIOCLookup/CensysIOCLookup.png Solutions/Censys/Playbooks/CensysIOCLookup/README.md Solutions/Censys/Playbooks/CensysIOCLookup/azuredeploy.json Solutions/Censys/Playbooks/CensysIncidentEnrichment/CensysIncidentEnrichment.png Solutions/Censys/Playbooks/CensysIncidentEnrichment/README.md Solutions/Censys/Playbooks/CensysIncidentEnrichment/azuredeploy.json Solutions/Censys/Playbooks/CensysRescan/CensysRescan.png Solutions/Censys/Playbooks/CensysRescan/README.md Solutions/Censys/Playbooks/CensysRescan/azuredeploy.json Solutions/Censys/Workbooks/Censys.json Workbooks/Images/Logos/Censys.svg Workbooks/Images/Preview/CensysBlack1.png Workbooks/Images/Preview/CensysBlack2.png Workbooks/Images/Preview/CensysBlack3.png Workbooks/Images/Preview/CensysBlack4.png Workbooks/Images/Preview/CensysBlack5.png Workbooks/Images/Preview/CensysWhite1.png Workbooks/Images/Preview/CensysWhite2.png Workbooks/Images/Preview/CensysWhite3.png Workbooks/Images/Preview/CensysWhite4.png Workbooks/Images/Preview/CensysWhite5.png Workbooks/WorkbooksMetadata.json (packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_Censys.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-18-pr-13752/","summary":"Adds comprehensive playbook automation for Censys threat intelligence enrichment, providing IP/domain/certificate context during incident investigation.","title":"New Censys Solution: Attack Surface Intelligence and Entity Enrichment"},{"content":"What Changed The CyberArk Audit Function App connector received documentation and configuration updates including 
critical deployment warnings and migration guidance. The primary change adds explicit disclaimers about deploying only one CyberArk connector option per workspace.\nSecurity Impact (Visibility \u0026amp; Fidelity) This update addresses a configuration risk where customers could inadvertently deploy both the legacy Function App and newer CCF-based CyberArk connectors simultaneously, resulting in duplicated audit log ingestion. The added warning states: \u0026ldquo;Deploy only one CyberArk Audit connector option in your workspace (either Azure Functions or Codeless Connector Framework). Deploying both is not recommended, as the data will be duplicated if both connectors are deployed.\u0026rdquo;\nKey improvements:\nEnhanced connector description now clearly identifies this as the \u0026ldquo;Azure Functions\u0026rdquo; variant Streamlined deployment instructions with consolidated ARM template guidance Added explicit warnings about Azure Functions costs and Key Vault security model Updated configuration steps reference current CyberArk documentation Affected Files Solutions/CyberArkAudit/Data Connectors/CyberArkAudit_API_FunctionApp.json (packaging artefacts: 3.1.0.zip, ReleaseNotes.md, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-18-pr-13755/","summary":"Function App connector updated with critical migration disclaimers to prevent dual-deployment data duplication.","title":"CyberArk Audit Connector: Enhanced Documentation and Deployment Warnings"},{"content":"What Changed New standalone playbook AS-Checkmarx-Audit-Ingestion that creates unidirectional integration between Checkmarx One audit logs and Microsoft Sentinel for security event monitoring and compliance tracking.\nData Source Checkmarx audit log integration pulls audit events from Checkmarx One platform via REST API, ingesting administrative and user activity data into custom log table CheckmarxAuditEvents_CL.\nAPI authentication: Supports both OAuth client_credentials 
(recommended) and refresh_token grant types with configurable regional endpoints (US, EU, DEU, ANZ, IND). Shares authentication infrastructure with the complementary SAST ingestion playbook.\nIngestion Mechanism DCR-based ingestion using Data Collection Rules (DCR), Data Collection Endpoints (DCE), and custom log tables. Logic App runs daily to collect audit events from the previous 24 hours.\nShared infrastructure: Designed to use the same DCE and Key Vault secret as the AS-Checkmarx-SAST-Ingestion playbook, minimizing resource overhead for combined deployments.\nDetection Surface Unlocked Administrative activity monitoring: Enables tracking of user authentication events, login failures, account changes, and administrative actions within the Checkmarx platform for insider threat detection and compliance auditing.\nSecurity event correlation: KQL queries for login activity analysis, failed authentication tracking, user behavior monitoring, and IP address-based activity analysis to identify suspicious patterns.\nAffected Files Playbooks/AS-Checkmarx-Audit-Ingestion/AzureDeployAuditDCR.json Playbooks/AS-Checkmarx-Audit-Ingestion/AzureDeployAuditTable.json Playbooks/AS-Checkmarx-Audit-Ingestion/AzureDeployDCE.json Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Custom_Logs_1.png Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_DCR_Access_1.png Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_DCR_Access_2.png Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_DCR_Access_3.png Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_DCR_Access_4.png Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_Demo_1.png Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_Deploy_1.png Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_Deploy_2.png 
Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_Deploy_3.png Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_Deploy_Audit_DCR_1.png Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_Deploy_Audit_DCR_2.png Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_Deploy_Audit_Table_1.png Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_Deploy_DCE_1.png Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_Deploy_DCE_2.png Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_Key_Vault_1.png Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_Key_Vault_2.png Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_Key_Vault_Access_1.png Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_Key_Vault_Access_2.png Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_Key_Vault_Access_3.png Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_Key_Vault_Access_4.png Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_Key_Vault_Access_5.png Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_Key_Vault_Access_6.png Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_Key_Vault_Access_7.png Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_Key_Vault_Access_8.png Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_Log_Analytics_Workspace_1.png Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_Log_Analytics_Workspace_2.png Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_Log_Analytics_Workspace_3.png Playbooks/AS-Checkmarx-Audit-Ingestion/README.md Playbooks/AS-Checkmarx-Audit-Ingestion/azuredeploy.json 
","permalink":"http://sentinelchangelog.net/posts/2026-03-18-pr-13841/","summary":"New playbook for ingesting Checkmarx audit log events into Microsoft Sentinel via DCR/DCE for security event monitoring and compliance.","title":"Checkmarx Audit Log Ingestion Playbook: Security Event Monitoring Integration"},{"content":"What Changed New standalone playbook AS-Checkmarx-SAST-Ingestion that creates unidirectional integration between Checkmarx SAST (Static Application Security Testing) and Microsoft Sentinel for application vulnerability monitoring.\nData Source Checkmarx SAST integration pulls completed scan findings from Checkmarx One platform via REST API, ingesting static code analysis results into custom log table CheckmarxSASTFindings_CL.\nAPI authentication: Supports both OAuth client_credentials (recommended) and refresh_token grant types with configurable regional endpoints (US, EU, DEU, ANZ, IND).\nIngestion Mechanism DCR-based ingestion using Data Collection Rules (DCR), Data Collection Endpoints (DCE), and custom log tables. 
Logic App runs daily to collect findings from the previous 24 hours with configurable batch size (recommended 200 results per request).\nSchema coverage: Ingests comprehensive SAST data including vulnerability details (QueryName, Severity, CweID, CVSS score), source code location (SourceFileName, line/column), scan metadata, and compliance framework mappings.\nDetection Surface Unlocked Application vulnerability tracking: Enables monitoring of static code analysis findings across development lifecycle, supporting vulnerability trend analysis, compliance reporting, and integration with broader security operations.\nKQL query capabilities: Pre-configured sample queries for severity analysis, language-specific findings, CVSS score distribution, and source file vulnerability hotspots.\nAffected Files Playbooks/AS-Checkmarx-SAST-Ingestion/AzureDeployDCE.json Playbooks/AS-Checkmarx-SAST-Ingestion/AzureDeploySASTDCR.json Playbooks/AS-Checkmarx-SAST-Ingestion/AzureDeploySASTTable.json Playbooks/AS-Checkmarx-SAST-Ingestion/Images/Checkmarx_SAST_Custom_Logs_1.png Playbooks/AS-Checkmarx-SAST-Ingestion/Images/Checkmarx_SAST_DCR_Access_1.png Playbooks/AS-Checkmarx-SAST-Ingestion/Images/Checkmarx_SAST_DCR_Access_2.png Playbooks/AS-Checkmarx-SAST-Ingestion/Images/Checkmarx_SAST_DCR_Access_3.png Playbooks/AS-Checkmarx-SAST-Ingestion/Images/Checkmarx_SAST_DCR_Access_4.png Playbooks/AS-Checkmarx-SAST-Ingestion/Images/Checkmarx_SAST_Deploy_1.png Playbooks/AS-Checkmarx-SAST-Ingestion/Images/Checkmarx_SAST_Deploy_2.png Playbooks/AS-Checkmarx-SAST-Ingestion/Images/Checkmarx_SAST_Deploy_3.png Playbooks/AS-Checkmarx-SAST-Ingestion/Images/Checkmarx_SAST_Deploy_DCE_1.png Playbooks/AS-Checkmarx-SAST-Ingestion/Images/Checkmarx_SAST_Deploy_DCE_2.png Playbooks/AS-Checkmarx-SAST-Ingestion/Images/Checkmarx_SAST_Deploy_DCR_1.png Playbooks/AS-Checkmarx-SAST-Ingestion/Images/Checkmarx_SAST_Deploy_DCR_2.png Playbooks/AS-Checkmarx-SAST-Ingestion/Images/Checkmarx_SAST_Deploy_Table_1.png 
Playbooks/AS-Checkmarx-SAST-Ingestion/Images/Checkmarx_SAST_Initial_Run_1.png Playbooks/AS-Checkmarx-SAST-Ingestion/Images/Checkmarx_SAST_Initial_Run_2.png Playbooks/AS-Checkmarx-SAST-Ingestion/Images/Checkmarx_SAST_Integration_Demo_1.png Playbooks/AS-Checkmarx-SAST-Ingestion/Images/Checkmarx_SAST_Key_Vault_1.png Playbooks/AS-Checkmarx-SAST-Ingestion/Images/Checkmarx_SAST_Key_Vault_2.png Playbooks/AS-Checkmarx-SAST-Ingestion/Images/Checkmarx_SAST_Key_Vault_Access_1.png Playbooks/AS-Checkmarx-SAST-Ingestion/Images/Checkmarx_SAST_Key_Vault_Access_2.png Playbooks/AS-Checkmarx-SAST-Ingestion/Images/Checkmarx_SAST_Key_Vault_Access_3.png Playbooks/AS-Checkmarx-SAST-Ingestion/Images/Checkmarx_SAST_Key_Vault_Access_4.png Playbooks/AS-Checkmarx-SAST-Ingestion/Images/Checkmarx_SAST_Key_Vault_Access_5.png Playbooks/AS-Checkmarx-SAST-Ingestion/Images/Checkmarx_SAST_Key_Vault_Access_6.png Playbooks/AS-Checkmarx-SAST-Ingestion/Images/Checkmarx_SAST_Key_Vault_Access_7.png Playbooks/AS-Checkmarx-SAST-Ingestion/Images/Checkmarx_SAST_Key_Vault_Access_8.png Playbooks/AS-Checkmarx-SAST-Ingestion/Images/Checkmarx_SAST_Log_Analytics_Workspace_1.png Playbooks/AS-Checkmarx-SAST-Ingestion/Images/Checkmarx_SAST_Log_Analytics_Workspace_2.png Playbooks/AS-Checkmarx-SAST-Ingestion/Images/Checkmarx_SAST_Log_Analytics_Workspace_3.png Playbooks/AS-Checkmarx-SAST-Ingestion/README.md Playbooks/AS-Checkmarx-SAST-Ingestion/azuredeploy.json ","permalink":"http://sentinelchangelog.net/posts/2026-03-18-pr-13840/","summary":"New playbook for ingesting Checkmarx SAST scan findings into Microsoft Sentinel via DCR/DCE for application vulnerability tracking.","title":"Checkmarx SAST Ingestion Playbook: Static Application Security Testing Integration"},{"content":"What Changed Fixed critical data ingestion issues in the D3 Smart SOAR CCF connector that was causing duplicate incident ingestion and broken pagination through multi-page API responses.\nSecurity Impact (Visibility \u0026amp; Fidelity) Pre-fix data 
corruption: The original Offset paging with \u0026ldquo;Page Index\u0026rdquo; (with space) parameter could not replace nested parameters inside the CommandParams POST body. This caused the connector to repeatedly ingest the same incidents across polling windows, creating duplicate entries in the D3SOARIncidents_CL table and corrupting incident correlation analysis.\nIngestion mechanism fix: Switched from broken Offset paging to CountBasedPaging using:\n$.CommandParams.PageIndex (no space) for proper nested JSON path parameter replacement $.outputData.TotalPages for accurate page count detection Zero-based indexing alignment with D3 API expectations Data fidelity restoration: Testing confirmed each incident is now ingested exactly once with no duplicates, restoring accurate incident volume metrics and correlation capabilities. The connector now correctly paginates through multiple pages when incident volume exceeds PageSize limits.\nPublisher ID synchronization: Updated publisherId to match Partner Center registration (d3securitymanagementsystemsinc1599258630765), ensuring proper solution packaging and deployment consistency.\nAffected Files Solutions/D3SmartSOAR/Data Connectors/D3SOAR_CCF/D3SOAR_PollingConfig.json (packaging artefacts: 3.0.0.zip, SolutionMetadata.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-18-pr-13839/","summary":"Fixes broken paging mechanism that was causing duplicate D3 Smart SOAR incidents to be ingested into Microsoft Sentinel.","title":"D3 Smart SOAR Connector: Fixing Critical Duplicate Incident Ingestion"},{"content":"What Changed Removed Actor/Target user roles from AuditEvent, DhcpEvent, Dns, NetworkSession and WebSession schemas in ASimTester.csv Removed Target user roles from FileEvent and Registry schemas in ASimTester.csv Added Dst user roles for NetworkSession and WebSession schemas in ASimTester.csv Added ActorUserType/ActorScopeId/ActingProcessCommandLine columns to RegistryEvent schema in 
ASimTester.csv Aligned all empty parsers (vimXXXEmpty) to match ASimTester.csv and sorted fields alphabetically Parser Impact Schema field standardization across 11 ASIM empty parsers covering Alert, Audit, Authentication, DHCP, DNS, File, Network Session, Process, Registry, User Management, and Web Session events. Changes are primarily to data structure definitions in empty parsers rather than active parsing logic — no change to normalised field names or filter logic for production data sources. Safe for existing detections using these parsers.\nField additions in RegistryEvent (ActorUserType, ActorScopeId, ActingProcessCommandLine) prepare for enhanced user context tracking in future registry monitoring scenarios. The removal of unused role fields eliminates schema bloat without impacting current detection coverage.\nAffected Files ASIM/dev/ASimTester/ASimTester.csv Parsers/ASimAlertEvent/ARM/vimAlertEventEmpty/vimAlertEventEmpty.json Parsers/ASimAlertEvent/CHANGELOG/vimAlertEventEmpty.md Parsers/ASimAlertEvent/Parsers/vimAlertEventEmpty.yaml Parsers/ASimAuditEvent/ARM/vimAuditEventEmpty/vimAuditEventEmpty.json Parsers/ASimAuditEvent/CHANGELOG/vimAuditEventEmpty.md Parsers/ASimAuditEvent/Parsers/vimAuditEventEmpty.yaml Parsers/ASimAuthentication/ARM/vimAuthenticationEmpty/vimAuthenticationEmpty.json Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationEmpty.md Parsers/ASimAuthentication/Parsers/vimAuthenticationEmpty.yaml Parsers/ASimDhcpEvent/ARM/vimDhcpEventEmpty/vimDhcpEventEmpty.json Parsers/ASimDhcpEvent/CHANGELOG/vimDhcpEventEmpty.md Parsers/ASimDhcpEvent/Parsers/vimDhcpEventEmpty.yaml Parsers/ASimDns/ARM/vimDnsEmpty/vimDnsEmpty.json Parsers/ASimDns/CHANGELOG/vimDnsEmpty.md Parsers/ASimDns/Parsers/vimDnsEmpty.yaml Parsers/ASimFileEvent/ARM/vimFileEventEmpty/vimFileEventEmpty.json Parsers/ASimFileEvent/CHANGELOG/vimFileEventEmpty.md Parsers/ASimFileEvent/Parsers/vimFileEventEmpty.yaml 
Parsers/ASimNetworkSession/ARM/vimNetworkSessionEmpty/vimNetworkSessionEmpty.json Parsers/ASimNetworkSession/CHANGELOG/vimNetworkSessionEmpty.md Parsers/ASimNetworkSession/Parsers/vimNetworkSessionEmpty.yaml Parsers/ASimProcessEvent/ARM/vimProcessEmpty/vimProcessEmpty.json Parsers/ASimProcessEvent/CHANGELOG/vimProcessEmpty.md Parsers/ASimProcessEvent/Parsers/vimProcessEmpty.yaml Parsers/ASimRegistryEvent/ARM/ASimRegistryEventMicrosoft365D/ASimRegistryEventMicrosoft365D.json Parsers/ASimRegistryEvent/ARM/vimRegistryEventEmpty/vimRegistryEventEmpty.json Parsers/ASimRegistryEvent/ARM/vimRegistryEventMicrosoft365D/vimRegistryEventMicrosoft365D.json Parsers/ASimRegistryEvent/CHANGELOG/vimRegistryEventEmpty.md Parsers/ASimRegistryEvent/Parsers/vimRegistryEventEmpty.yaml Parsers/ASimUserManagement/ARM/vimUserManagementEmpty/vimUserManagementEmpty.json Parsers/ASimUserManagement/CHANGELOG/vimUserManagementEmpty.md Parsers/ASimUserManagement/Parsers/vimUserManagementEmpty.yaml Parsers/ASimWebSession/ARM/vimWebSessionEmpty/vimWebSessionEmpty.json Parsers/ASimWebSession/CHANGELOG/vimWebSessionEmpty.md Parsers/ASimWebSession/Parsers/vimWebSessionEmpty.yaml ","permalink":"http://sentinelchangelog.net/posts/2026-03-17-pr-13851/","summary":"Cleanup of unused Actor/Target user role fields and alignment of empty parsers improves schema consistency but does not affect active detection capabilities.","title":"ASIM Schema Standardization: Removing Unused User Role Fields Across Multiple Schemas"},{"content":"Data Source Semperis Lightning is an Active Directory security platform that provides tier-0 privilege escalation monitoring, attack path analysis, and identity governance visibility. The platform offers comprehensive coverage of high-risk AD attack vectors including golden ticket detection, DCSync monitoring, and privileged credential usage tracking.\nIngestion Mechanism Function App-based connector (Python 3.11) with hourly collection schedule. 
Creates 7 custom Log Analytics tables (with _CL suffix) via Data Collection Rules (DCR) and endpoints (DCE). Uses Azure Key Vault for API credential storage and managed identity for secure authentication to Azure Monitor APIs.\nData Streams Tier0 Nodes (LightningTier0Nodes_CL) — Identity graph nodes with privilege escalation risk scores Attack Paths (LightningAttackPaths_CL) — Calculated privilege escalation attack chains Attack Path Links (LightningAttackPathLinks_CL) — Relationship mappings between attack path components Tier0 Attackers (LightningTier0Attackers_CL) — Zone access objects with tier-0 privileges Indicator Executions (LightningIndicatorExecutions_CL) — IoE (Indicators of Exposure) execution events IoE Metadata (LightningIOEsMetadata_CL) — IoE rule definitions and configuration IoE Results (LightningIOEResults_CL) — IoE detection findings and risk assessments Security Impact (Visibility Unlocked) This connector addresses a critical detection gap in Active Directory tier-0 monitoring. Organizations gain real-time visibility into privilege escalation attack paths that traditional SIEM solutions cannot detect through log analysis alone. 
The platform identity graph analysis reveals lateral movement opportunities and credential exposure risks that would otherwise remain invisible until exploitation occurs.\nKey detection surfaces enabled:\nGolden ticket usage — Detects forged Kerberos tickets bypassing normal authentication DCSync abuse — Monitors unauthorized Active Directory replication requests Shadow admin discovery — Identifies hidden privileged accounts and nested group memberships Attack path enumeration — Maps viable privilege escalation routes to domain admin Credential exposure tracking — Monitors service accounts and privileged credentials at risk Affected Files .script/tests/KqlvalidationsTests/CustomTables/LightningAttackPathLinks_CL.json .script/tests/KqlvalidationsTests/CustomTables/LightningAttackPaths_CL.json .script/tests/KqlvalidationsTests/CustomTables/LightningIOEResults_CL.json .script/tests/KqlvalidationsTests/CustomTables/LightningIOEsMetadata_CL.json .script/tests/KqlvalidationsTests/CustomTables/LightningIndicatorExecutions_CL.json .script/tests/KqlvalidationsTests/CustomTables/LightningTier0Attackers_CL.json .script/tests/KqlvalidationsTests/CustomTables/LightningTier0Nodes_CL.json Solutions/SemperisLightning/Data Connectors/Logos/semperis.svg Solutions/SemperisLightning/Data Connectors/SemperisLightningLogs/LightningLogs/__init__.py Solutions/SemperisLightning/Data Connectors/SemperisLightningLogs/LightningLogs/function.json Solutions/SemperisLightning/Data Connectors/SemperisLightningLogs/LightningLogs/local.settings.json Solutions/SemperisLightning/Data Connectors/SemperisLightningLogs/LightningLogs/semperis_attack_paths.py Solutions/SemperisLightning/Data Connectors/SemperisLightningLogs/LightningLogs/semperis_ioe_execution_results.py Solutions/SemperisLightning/Data Connectors/SemperisLightningLogs/LightningLogs/semperis_ioe_executions.py Solutions/SemperisLightning/Data Connectors/SemperisLightningLogs/LightningLogs/semperis_ioe_metadata.py 
Solutions/SemperisLightning/Data Connectors/SemperisLightningLogs/LightningLogs/semperis_tier0_attackers.py Solutions/SemperisLightning/Data Connectors/SemperisLightningLogs/LightningLogs/semperis_tier0_nodes.py Solutions/SemperisLightning/Data Connectors/SemperisLightningLogs/SemperisLightningLogs_AzureFunction.json Solutions/SemperisLightning/Data Connectors/SemperisLightningLogs/azuredeploy_Connector_SemperisLightning_AzureFunction.json Solutions/SemperisLightning/Data Connectors/SemperisLightningLogs/createUiDef.json Solutions/SemperisLightning/Data Connectors/SemperisLightningLogs/host.json Solutions/SemperisLightning/Data Connectors/SemperisLightningLogs/requirements.txt Solutions/SemperisLightning/Package/testParameters.json Solutions/SemperisLightning/README.md (packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SemperisLightning.zip, SolutionMetadata.json, Solution_SemperisLightning.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-17-pr-13719/","summary":"Semperis Lightning connector brings comprehensive Active Directory tier-0 attack path monitoring and privileged access visibility to Microsoft Sentinel via real-time API ingestion.","title":"Semperis Lightning: New Active Directory Security Monitoring Platform Added to Content Hub"},{"content":"What Changed Microsoft released a new A365 Observability solution (version 3.0.0) that provides visibility into AI agent activity across the Microsoft ecosystem. 
This solution introduces a dedicated data connector for ingesting telemetry from A365, AI Foundry, and Copilot services into Microsoft Sentinel.\nData Source The A365 Observability connector ingests AI agent telemetry from:\nA365 (Agent 365) platform AI Foundry services Microsoft Copilot operations Ingestion Mechanism This connector uses a custom ingestion type (connectivity criteria type: \u0026ldquo;A365\u0026rdquo;) that appears to be a Microsoft-managed stream for unified agent observability data. The connector requires Global Administrator or Security Administrator permissions and ingests data into the \u0026ldquo;UnifiedAgentObservability\u0026rdquo; stream.\nDetection Surface Unlocked This connector enables security teams to:\nMonitor AI agent behavior patterns and execution flows Investigate agent tool usage and interaction patterns Track agent activity across hunting, graph, and MCP (Model Context Protocol) workflows Analyze potential misuse or abuse of AI agent capabilities The connector description specifically notes that deactivating it will prevent investigations into AI agent behavior, tool usage, and execution - indicating this is critical infrastructure for AI security monitoring.\nSecurity Impact (Visibility \u0026amp; Fidelity) Organizations gain new visibility into AI agent operations that were previously outside the security monitoring scope. This addresses the growing need to monitor AI system behavior as these tools become more integrated into enterprise workflows. 
SOC teams can now investigate AI-related incidents and understand the security implications of automated agent actions.\nAffected Files Logos/A365.svg Solutions/A365 Observability/Data Connectors/A365_DataConnectorDefinition.json Solutions/A365 Observability/Package/testParameters.json (packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_A365.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-17-pr-13715/","summary":"New data connector for AI agent behavior monitoring brings telemetry from A365, AI Foundry, and Copilot into Microsoft Sentinel for security investigations.","title":"A365 Observability Connector: New AI Agent Telemetry Visibility in Microsoft Sentinel"},{"content":"What Changed Fixed missing destinationTable configuration in AWS EKS CCF Data Connector by specifying AWSEKSLogs_CL as the target table for Amazon Elastic Kubernetes Service audit log ingestion.\nSecurity Impact (Visibility \u0026amp; Fidelity) The AWS EKS connector in v3.0.0 had a complete ingestion failure — the empty destinationTable field caused zero data to be ingested by affected deployments since the initial marketplace release.\nDeployments running v3.0.0 have had no visibility into EKS audit events (pod creation, service configuration, RBAC changes, API server activity) — a critical blind spot for Kubernetes security monitoring.\nConnector Configuration Fix CCF pollingConfig now correctly routes compressed JSON logs from Amazon EKS API to AWSEKSLogs_CL custom log table, enabling threat detection against Kubernetes control plane activity.\nAffected Files Solutions/AWS EKS/Data Connectors/AWSEKS_PollingConfig.json (packaging artefacts: 3.0.0.zip, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-17-pr-13838/","summary":"CCF connector was unable to ingest any data due to empty destinationTable field preventing log routing to AWSEKSLogs_CL.","title":"AWS EKS Connector: 
Critical Data Ingestion Fix for Missing Table Configuration"},{"content":"What Changed Updated IPEntity_DuoSecurity Analytic Rule (v1.0.9 → v1.0.10) to use ASIM-normalized CiscoDuo table instead of legacy DuoSecurityAuthentication_CL table.\nDetection Logic Joins threat intelligence IP indicators against Duo authentication events using CiscoDuo table with normalized field names:\nPrimary data source: ThreatIntelligenceIndicator joined with CiscoDuo Core logic: correlates TI_ipEntity against AccessDvcIpAddr for active indicators within confidence thresholds Entity types mapped: Account (DstUserName), IP (AccessDvcIpAddr) MITRE Mapping KQL logic unavailable — YAML not included in diff context.\nField Migration Impact Legacy field names replaced with ASIM-normalized equivalents:\naccess_device_ip_s → AccessDvcIpAddr user_name_s → DstUserName factor_s → AuthFactor result_s → EventResult application_name_s → SrcAppName event_type_s → EventType txid_g → TransactionId isotimestamp_t → IsoTimestamp Existing deployments using the legacy DuoSecurityAuthentication_CL table must ensure CiscoDuo ASIM parser is deployed for continued threat intelligence correlation.\nAffected Files Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_DuoSecurity.yaml (packaging artefacts: 3.0.15.zip, ReleaseNotes.md, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-17-pr-13774/","summary":"IPEntity_DuoSecurity detection migrated from legacy DuoSecurityAuthentication_CL table to normalized CiscoDuo ASIM schema.","title":"Threat Intelligence: Duo Security IP Detection Updated for ASIM Schema Compliance"},{"content":"What Changed Fixed folder structure in zip packages for all 20 IPinfo Data Connectors by moving host.json to the root level, eliminating an extra wrapping folder that prevented Azure Functions runtime from starting.\nSecurity Impact (Visibility \u0026amp; Fidelity) Per PR discussion: deployments of IPinfo Solution v3.0.3 from 
Content Hub experienced complete Function App failure — Azure Functions did not appear in the Function App UI and were unable to ingest any data. This represents a total loss of IP intelligence visibility for affected deployments.\nThe transformKql error caused the connector to fail at creation — zero data was ingested by affected deployments since the v3.0.3 marketplace release.\nConnector Fix Scope All 20 IPinfo Data Connectors affected:\nCore, Plus, Residential Proxy (added in v3.0.3) ASN, Abuse, Carrier, Company, Country ASN, Domain IP Location, IP Location Extended, Privacy, Privacy Extended RIRWHOIS, RWHOIS, WHOIS ASN, WHOIS MNT, WHOIS NET, WHOIS ORG, WHOIS POC Each connector uses Function App ingestion mechanism and was completely non-functional due to the packaging error.\nAffected Files (packaging artefacts: 3.0.4.zip, IPInfoWHOISASNConn.zip, IPinfoASNConn.zip, IPinfoAbuseConn.zip, IPinfoCarrierConn.zip, IPinfoCompanyConn.zip, IPinfoCoreConn.zip, IPinfoCountryConn.zip, IPinfoDomainConn.zip, IPinfoIplocationConn.zip, IPinfoIplocationExtendedConn.zip, IPinfoPlusConn.zip, IPinfoPrivacyConn.zip, IPinfoPrivacyExtendedConn.zip, IPinfoRIRWHOISConn.zip, IPinfoRWHOISConn.zip, IPinfoResProxyConn.zip, IPinfoWHOISMNTConn.zip, IPinfoWHOISNETConn.zip, IPinfoWHOISORGConn.zip, IPinfoWHOISPOCConn.zip, ReleaseNotes.md, Solution_IPinfo.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-17-pr-13824/","summary":"Azure Functions were completely non-functional for marketplace deployments due to incorrect zip folder structure preventing runtime from locating host.json.","title":"IPinfo Data Connectors: Critical Function App Runtime Fix for Production Deployment"},{"content":"What Changed New Alibaba Cloud Networking solution (v3.0.0) adds Microsoft Sentinel integration for Alibaba Cloud network security monitoring through a CCF-based Data Connector.\nData Source External System: Alibaba Cloud Simple Log Service (SLS) REST API\nLog Types: Three 
distinct network data streams:\nVPC Flow Logs (AlibabaCloudVPCFlowLogs) — network traffic flows within Virtual Private Cloud WAF Logs (AlibabaCloudWAFLogs) — web application firewall events and blocks API Gateway Logs (AlibabaCloudAPIGatewayLogs) — API request/response activity and access patterns Ingestion Mechanism CCF-based connector using Alibaba Cloud SLS authentication (AliCloudSlsV1)\nPolling configuration: 5-minute query windows, 2 QPS rate limit, offset-based pagination (200 events/page)\nSentinel Tables: Three dedicated tables via DCR streams:\nSENTINEL_ALIBABACLOUDVPCFLOWLOGS SENTINEL_ALIBABACLOUDWAFLOGS SENTINEL_ALIBABACLOUDAPIGATEWAYLOGS Authentication: RAM user access key pair with SLS permissions\nDetection Surface Unlocked VPC Flow monitoring — network traversal, lateral movement detection, unusual traffic patterns\nWAF event analysis — web application attack attempts, blocked malicious requests, bypass attempts\nAPI Gateway security — API abuse, authentication failures, suspicious access patterns\nNo bundled detections included in this release — pure data ingestion capability requiring custom detection development.\nConfiguration Requirements Alibaba Cloud RAM user with SLS access permissions Access Key ID/Secret pair Log Project, Log Store, and Log Region parameters per data stream Separate connector instance required for each data type (VPC/WAF/API Gateway) Affected Files Solutions/Alibaba Cloud Networking/Data Connectors/AlibabaCloudNetworking_CCP/AlibabaCloudNetworking_ConnectorDefinition.json Solutions/Alibaba Cloud Networking/Data Connectors/AlibabaCloudNetworking_CCP/AlibabaCloudNetworking_DCR.json Solutions/Alibaba Cloud Networking/Data Connectors/AlibabaCloudNetworking_CCP/AlibabaCloudNetworking_PollingConfig.json Solutions/Alibaba Cloud Networking/Package/testParameters.json Solutions/Alibaba Cloud Networking/Parsers/parser_AlibabaCloudAPIGatewayLogsAliasFunction.json Solutions/Alibaba Cloud 
Networking/Parsers/parser_AlibabaCloudVPCFlowLogsAliasFunction.json Solutions/Alibaba Cloud Networking/Parsers/parser_AlibabaCloudWAFLogsAliasFunction.json Tools/Create-Azure-Sentinel-Solution/common/standardLogStreams.ps1 (packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_Alibaba Cloud Networking.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-16-pr-13810/","summary":"Microsoft Sentinel gains visibility into Alibaba Cloud network infrastructure with a new CCF connector supporting VPC Flow Logs, WAF events, and API Gateway data ingestion via Simple Log Service.","title":"Alibaba Cloud Networking: New CCF Connector Brings VPC Flow, WAF, and API Gateway Visibility"},{"content":"What Changed The CrowdStrike API Data Connector v3.3.2 introduces sophisticated rate limiting configuration and transitions from preview to General Availability status. The connector now includes custom rate limit handling for the Alerts, Cases, and Detections data types.\nConnector Improvements Three critical enhancements were implemented:\nRate Limit Configuration: Added rateLimitConfig blocks to the polling configuration for Alerts and Detections endpoints with:\nOnlyWhen429 evaluation mode (responds only to HTTP 429 rate limit errors) Custom header extraction for X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-RetryAfter Retry strategy using reset/retry-after headers for intelligent backoff GA Status: Connector availability changed from isPreview: true to isPreview: false, indicating production readiness and Microsoft support.\nEnhanced Reliability: The rate limiting mechanism prevents API quota exhaustion and connector failures during high-volume ingestion periods.\nSecurity Impact (Visibility \u0026amp; Fidelity) Prior to this update, deployments could experience ingestion failures when hitting CrowdStrike API rate limits, particularly during alert-heavy periods or when processing 
detection backlogs. The enhanced rate limiting ensures continuous data flow by:\nAutomatically backing off when API limits are reached Utilizing CrowdStrike rate limit headers for optimal retry timing Preventing connector timeout failures that could create visibility gaps Deployments using previous versions (≤3.3.1) may experience intermittent data ingestion interruptions during periods of high CrowdStrike alert volume, potentially missing security events during API throttling windows.\nAffected Files Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdStrikeAPI_ccp/CrowdStrikeAPI_Definition.json Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdStrikeAPI_ccp/CrowdStrikeAPI_PollingConfig.json (packaging artefacts: 3.3.2.zip, ReleaseNotes.md, Solution_CrowdStrike.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-16-pr-13837/","summary":"CrowdStrike API Data Connector moves to General Availability with advanced rate limit handling for Alerts and Detections data ingestion.","title":"CrowdStrike Connector: Enhanced Rate Limiting and GA Release"},{"content":"Affected Files ASIM/dev/ASimTester/ASimTester.csv ","permalink":"http://sentinelchangelog.net/posts/2026-03-16-pr-13828/","summary":"Maintenance cleanup removes unused optional user fields from ASIM test configuration with no impact on parser or detection functionality.","title":"ASIM Schema Cleanup: Removing Unused User Fields from Test Configuration"},{"content":"What Changed The ZoomReports solution v3.0.6 introduces a new CCF-based data connector alongside the existing Azure Function approach, enabling migration from legacy Function App ingestion to Codeless Connector Framework polling.\nData Sources The CCF connector ingests six Zoom report categories via REST API v2:\nDaily Usage Reports (dates): Meeting statistics and usage metrics User Reports (users): Active/inactive user host information Telephony Reports (report/telephone): Telephony 
usage statistics Cloud Recording Usage Reports (report/cloud_recording): Storage and recording usage Operation Logs (report/operationlogs): Administrative operations and audit trail Activity Logs (report/activities): User sign-in/sign-out activities Ingestion Mechanism Authentication: Server-to-Server OAuth with Account ID, Client ID, and Client Secret credentials. Requires scopes: report:read:list_users:admin, report:read:cloud_recording:admin, report:read:daily_usage:admin, report:read:operation_logs:admin, report:read:telephone:admin, report:read:user_activities:admin.\nDCR Configuration: Dual stream architecture with Custom-ZoomReportsGeneral_CL for most reports and Custom-ZoomReportsUser_CL for user-specific data, both feeding into Custom-Zoom_CL table.\nPolling: 5-minute intervals with 7-day query windows, 2 QPS rate limiting per endpoint, automatic pagination via NextPageToken, and 3-retry exponential backoff.\nSecurity Impact Organizations using the legacy Azure Function connector can migrate to CCF for improved reliability and reduced operational overhead. 
The CCF approach eliminates Function App deployment complexity while maintaining comprehensive audit visibility across Zoom administrative operations, user activities, and usage patterns.\nAffected Files Solutions/ZoomReports/Data Connectors/ZoomReports_ccf/ConnectorDefinition.json Solutions/ZoomReports/Data Connectors/ZoomReports_ccf/DCR.json Solutions/ZoomReports/Data Connectors/ZoomReports_ccf/PollingConfig.json Solutions/ZoomReports/Package/testParameters.json (packaging artefacts: 3.0.6.zip, ReleaseNotes.md, Solution_ZoomReports.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-16-pr-13827/","summary":"ZoomReports solution migrates from Azure Function to CCF architecture, providing streamlined OAuth-based ingestion for six report types covering usage, telephony, and audit activities.","title":"Zoom Reports: CCF Connector Replaces Azure Function for Report Ingestion"},{"content":"Data Source New Microsoft Sentinel solution for ingesting OpenAI telemetry through REST API polling. Covers two distinct data streams: organizational audit events and chat completion metadata from OpenAI platform.\nIngestion Mechanism CCF-based connector with dual REST API pollers:\nAudit logs: Organization-level admin API key required, populates OpenAIAuditLogs_CL table Chat completions: Project-level API key required, populates OpenAIChatCompletions_CL table Both streams use 5-minute query windows with 5 QPS rate limiting and support independent configuration.\nDetection Surface Unlocked Audit Log Visibility:\nAPI key lifecycle events (creation, updates, deletion) Organization configuration changes User administrative actions Security-relevant organization events Chat Completion Monitoring:\nModel usage patterns and token consumption Request metadata and performance metrics Only captures completions stored with store: true parameter Security Impact Establishes visibility into AI platform governance and usage patterns. 
Audit logs enable detection of unauthorized API key management and organizational security events. Chat completion data supports usage monitoring and potential data exfiltration detection through abnormal token consumption patterns.\nNote: Audit logging must be enabled in OpenAI organization settings before deployment and cannot be disabled without contacting OpenAI support.\nAffected Files Logos/OpenAI.svg Solutions/OpenAI/Data Connectors/OpenAI_CCP/OpenAIAuditLogs_Table.json Solutions/OpenAI/Data Connectors/OpenAI_CCP/OpenAIChatCompletions_Table.json Solutions/OpenAI/Data Connectors/OpenAI_CCP/OpenAI_ConnectorDefinition.json Solutions/OpenAI/Data Connectors/OpenAI_CCP/OpenAI_DCR.json Solutions/OpenAI/Data Connectors/OpenAI_CCP/OpenAI_PollingConfig.json Solutions/OpenAI/Package/testParameters.json Solutions/OpenAI/Parsers/parser_OpenAIAuditLogsAliasFunction.json Solutions/OpenAI/Parsers/parser_OpenAIChatCompletionsAliasFunction.json (packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_OpenAI.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-16-pr-13817/","summary":"New Microsoft Sentinel solution introduces CCF connector for OpenAI audit logs and chat completions, enabling AI governance and threat detection.","title":"OpenAI Solution: New Data Source for AI Security Monitoring"},{"content":"What Changed The AWS EKS solution package has been updated to fix a template formatting issue that was preventing successful deployments.\nSecurity Impact (Visibility \u0026amp; Fidelity) The mainTemplate.json contained an empty destinationTable field that caused ARM deployment failures. 
Environments attempting to deploy the AWS EKS connector since v3.0.0 release would have experienced complete deployment failure — no Kubernetes audit log ingestion was possible until this fix.\nThis restores the ability to monitor Amazon EKS cluster security events including pod creation, service account modifications, and cluster configuration changes.\nAffected Files (packaging artefacts: 3.0.0.zip, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-16-pr-13826/","summary":"AWS EKS solution packaging error fixed — deployments were failing due to malformed ARM template.","title":"AWS EKS Connector: Package Template Fix Restores Deployment Capability"},{"content":"What Changed Cisco Umbrella Function App connector (v3.0.8 → v3.0.9) patches critical CSV parsing failures that caused complete ingestion stoppage.\nSecurity Impact (Visibility \u0026amp; Fidelity) Complete ingestion failure: Deployments running v3.0.8 and earlier experienced total data loss when encountering oversized CSV fields or null characters in Cisco Umbrella logs. Per PR discussion: \u0026ldquo;Ingestion fails for large CSV fields during parsing. Ingestion stops completely when this occurs.\u0026rdquo;\nData source blind spot: When the CSV parser encountered a single oversized field (\u0026gt;128KB default limit) or embedded null bytes, the entire ingestion pipeline stalled. 
No subsequent Cisco Umbrella events were processed until manual intervention.\nAffected log types: All 12 CSV parsers (proxy, DNS, DLP, IP, file events) were vulnerable to the same parsing failure modes.\nTechnical Fixes Module-level CSV field limit: Moved csv.field_size_limit(1024 * 1024) to prevent redundant calls across all parsers Null byte sanitization: Consolidated null character stripping in unpack_file() to prevent _csv.Error Error recovery: Added csv.Error exception handling to log failures and continue processing remaining files Ingestion continuity: Parser errors no longer terminate the entire ingestion batch Deployment Priority Immediate update recommended for all Cisco Umbrella deployments. Version displays correctly as 3.0.9 (previously showed 1.0.0 in Azure UI).\nAffected Files Solutions/CiscoUmbrella/Data Connectors/ciscoUmbrellaDataConn/__init__.py (packaging artefacts: 3.0.9.zip, CiscoUmbrellaConn.zip, ReleaseNotes.md, Solution_CiscoUmbrella.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-13-pr-13818/","summary":"Resolves complete ingestion stall caused by oversized CSV fields and null character parsing errors.","title":"Cisco Umbrella Connector: Critical CSV Ingestion Failure Fixed"},{"content":"What Changed Microsoft Sentinel Logstash output plugin v1.2.1 introduces a configurable retransmission_delay parameter, replacing the previously hardcoded 2-second delay between retry attempts during failed log transmissions.\nData Fidelity Impact The hardcoded 2-second retry delay could exacerbate HTTP 429 throttling scenarios in high-volume environments. 
When Log Analytics rate limiting occurred, the fixed short delay caused rapid retry attempts that could:\nIntensify throttling conditions by generating additional API requests Lead to data loss if retransmission_time (default 10 seconds) expired before throttling subsided Create cascading delays across multiple Logstash pipelines sharing the same workspace The new configurable delay (retransmission_delay parameter, default 2 seconds) allows administrators to increase the retry interval during throttling periods, reducing API request rate and improving data delivery success.\nConfiguration Impact Existing configurations continue working unchanged with the 2-second default. For high-volume deployments experiencing frequent HTTP 429 responses, increasing retransmission_delay to 5-10 seconds can significantly improve data ingestion reliability.\nSecurity Operations Impact This addresses a data availability gap where critical security logs could be lost during workspace throttling events. Organizations with high log volumes or multiple Logstash instances feeding the same workspace should evaluate their retransmission_delay settings to ensure continuous security telemetry during peak ingestion periods.\nAffected Files DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin/CHANGELOG.md DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin/README.md DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin/lib/logstash/outputs/microsoft-sentinel-log-analytics-logstash-output-plugin.rb DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin/lib/logstash/sentinel_la/logstashLoganalyticsConfiguration.rb DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin/lib/logstash/sentinel_la/version.rb ","permalink":"http://sentinelchangelog.net/posts/2026-03-13-pr-13765/","summary":"Microsoft Sentinel Logstash plugin v1.2.1 adds configurable retry delay parameter to mitigate data loss during throttling 
scenarios.","title":"Logstash Plugin: Configurable Retransmission Delay Reduces HTTP 429 Throttling Impact"},{"content":"What Changed Zero Networks v3.0.3 introduces significant expansions to audit visibility and data ingestion capabilities, including an enhanced parser with 182 new audit event types and two new CCF-based data connectors.\nParser Enhancement The audit parser (ZNSegmentAudit.yaml) now supports 323 audit types (expanded from 141), covering comprehensive microsegmentation operations including:\nAsset lifecycle management (quarantine, unquarantine, mirroring) Network and identity segmentation state changes OT/IoT device rule management (allow/block rules with create/edit/delete/expire events) Custom and environment group management License limit enforcement across network, identity, RPC, and connect modules Anti-tampering detection and response events External access portal authentication events The parser consolidates data from both ZNSegmentAuditNativePoller_CL and ZNAudit_CL tables into a unified schema with consistent field mappings.\nNew CCF Data Connectors Two CCF connectors provide complementary ingestion paths:\nPull Connector: REST API polling of Zero Networks audit endpoint with configurable authentication Push Connector: Direct data collection via DCR across four specialized tables (ZNAudit, ZNIdentityActivity, ZNNetworkActivity, ZNRPCActivity) Both connectors leverage DCR-based ingestion with the ZNSegmentAuditNativePoller_CL table as the primary destination.\nSecurity Impact This update significantly expands microsegmentation telemetry, particularly for:\nOT/IoT environment monitoring with granular rule enforcement tracking License compliance monitoring to identify potential security gaps due to capacity limits Enhanced user and asset lifecycle visibility across network, identity, and RPC protection modules Anti-tampering detection events that indicate potential security policy bypasses Organizations using Zero Networks for 
microsegmentation gain substantially improved visibility into segmentation rule effectiveness and policy enforcement events.\nAffected Files Solutions/ZeroNetworks/Data Connectors/ZNSegmentAudit_CCP_Pull/ZNSegmentAudit_ConnectorDefinition.json Solutions/ZeroNetworks/Data Connectors/ZNSegmentAudit_CCP_Pull/ZNSegmentAudit_DCR.json Solutions/ZeroNetworks/Data Connectors/ZNSegmentAudit_CCP_Pull/ZNSegmentAudit_PollingConfig.json Solutions/ZeroNetworks/Data Connectors/ZNSegmentAudit_CCP_Pull/ZNSegmentAudit_Table.json Solutions/ZeroNetworks/Data Connectors/ZNSegment_CCP_Push/ZNAudit_Table.json Solutions/ZeroNetworks/Data Connectors/ZNSegment_CCP_Push/ZNIdentityActivity_Table.json Solutions/ZeroNetworks/Data Connectors/ZNSegment_CCP_Push/ZNNetworkActivity_Table.json Solutions/ZeroNetworks/Data Connectors/ZNSegment_CCP_Push/ZNRPCActivity_Table.json Solutions/ZeroNetworks/Data Connectors/ZNSegment_CCP_Push/ZNSegmentPush_DCR.json Solutions/ZeroNetworks/Data Connectors/ZNSegment_CCP_Push/ZNSegmentPush_connectorDefinition.json Solutions/ZeroNetworks/Data Connectors/ZNSegment_CCP_Push/ZNSegmentPush_dataConnector.json Solutions/ZeroNetworks/Package/testParameters.json Solutions/ZeroNetworks/Parsers/ZNSegmentAudit.yaml (packaging artefacts: 3.0.3.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_ZeroNetworks.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-13-pr-13322/","summary":"Zero Networks parser update adds 182 new audit types plus dual CCF connectors for comprehensive microsegmentation telemetry.","title":"Zero Networks: Enhanced Audit Parser and CCF Connectors Expand Microsegmentation Visibility"},{"content":"NEW Connector XBOW Security Platform integrates autonomous offensive security testing with Microsoft Sentinel through a comprehensive solution providing asset discovery, vulnerability assessment, and finding correlation capabilities.\nData Source The XBOW platform provides autonomous penetration testing 
and vulnerability assessment, ingesting:\nAsset inventory with configuration details and reachability checks Security findings with evidence, proof-of-concept exploits, and mitigation guidance Assessment lifecycle events including test execution history Ingestion Mechanism Function App-based connector with incremental sync strategy using Azure Blob Storage for state persistence. Populates three custom tables:\nXbowAssets_CL - Full asset inventory with configuration snapshots (credentials excluded) XbowFindings_CL - Enriched vulnerability findings with evidence and remediation XbowAssessments_CL - Assessment execution history with state changes Detection Surface Unlocked Four analytic rules provide coverage across XBOW findings severity spectrum:\nCritical/High findings detection for immediate response Medium severity finding monitoring Low severity finding baseline awareness New asset discovery for inventory tracking MITRE Coverage Detected MITRE techniques include T1190 (External Remote Services) and T1595 (Active Scanning) based on autonomous offensive security testing capabilities.\nAffected Files .script/tests/KqlvalidationsTests/CustomTables/XbowAssessments_CL.json .script/tests/KqlvalidationsTests/CustomTables/XbowAssets_CL.json .script/tests/KqlvalidationsTests/CustomTables/XbowFindings_CL.json .script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json Logos/XBOW.svg Solutions/XBOW/Analytic Rules/XbowCriticalHighFindings.yaml Solutions/XBOW/Analytic Rules/XbowLowFindings.yaml Solutions/XBOW/Analytic Rules/XbowMediumFindings.yaml Solutions/XBOW/Analytic Rules/XbowNewAssetDiscovered.yaml Solutions/XBOW/Data Connectors/AzureFunctionXbow/function.json Solutions/XBOW/Data Connectors/AzureFunctionXbow/main.py Solutions/XBOW/Data Connectors/Xbow_API_Xbow.json Solutions/XBOW/Data Connectors/azuredeploy_Xbow_API_Xbow.json Solutions/XBOW/Data Connectors/host.json Solutions/XBOW/Data Connectors/proxies.json Solutions/XBOW/Data Connectors/requirements.txt 
Solutions/XBOW/Package/testParameters.json (packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_Xbow.json, Xbow.zip, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-13-pr-13772/","summary":"New XBOW solution provides asset inventory, vulnerability finding correlation, and automated security assessment visibility through Function App ingestion and four analytic rules.","title":"XBOW Autonomous Security Platform: Function App Connector and Detection Rules"},{"content":"What Changed Cyren Threat Intelligence solution v3.0.4 introduces conditional deployment for JWT tokens, allowing customers to install either or both feeds based on their specific subscription.\nSecurity Impact (Visibility \u0026amp; Fidelity) Prior to this fix, customers purchasing only one Cyren feed (IP Reputation OR Malware URL) faced deployment failures due to ARM template validation requiring both tokens. This created a deployment barrier preventing threat intelligence ingestion for single-subscription customers.\nThe conditional deployment logic ensures only purchased feeds are deployed and active, eliminating 403 authentication errors from dummy tokens and enabling proper threat intelligence coverage matching customer subscriptions.\nDeployment Changes ARM template modifications include:\nJWT token parameters changed from minLength: 1 to minLength: 0 Conditional deployment logic for each connector based on token presence UI labels updated to indicate Optional status with helper text Affected Files (packaging artefacts: 3.0.4.zip, ReleaseNotes.md, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-13-pr-13811/","summary":"Cyren threat intelligence connectors now support conditional deployment — customers can install either IP reputation or malware URL feeds individually based on their subscription.","title":"Cyren Threat Intelligence: Flexible Deployment with Optional JWT 
Tokens"},{"content":"Affected Files Solutions/TacitRed-IOC-CrowdStrike/Playbooks/TacitRedToCrowdStrike_Playbook.json (packaging artefacts: 3.0.3.zip, ReleaseNotes.md, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-13-pr-13767/","summary":"TacitRed-CrowdStrike playbook updated to include required User-Agent header for CrowdStrike Technology Partner certification compliance.","title":"TacitRed-CrowdStrike IOC Playbook: Partner Certification Header Compliance"},{"content":"What Changed The BloodHound Enterprise solution has been updated to version 3.2.2 with a change to the offer identifier from bloodhoundenterprise-azuresentinel to bloodhoundenterprise-mssentinel. This administrative change was made to resolve a conflict where a client had already created an offer with the same ID in their Partner Portal.\nThe update affects the solution metadata and ARM template packaging, requiring regeneration of the solution package using the V3 tooling to ensure the new offer ID is reflected throughout all solution components. No functional changes were made to the BloodHound Enterprise detection capabilities or connector functionality.\nThis is a packaging maintenance update that resolves a deployment conflict in the Azure Marketplace publishing pipeline for the BloodHound Enterprise solution.\nAffected Files (packaging artefacts: 3.2.2.zip, SolutionMetadata.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-13-pr-13775/","summary":"BloodHound Enterprise solution updated to version 3.2.2 with new offer ID to resolve Partner Portal publishing conflict.","title":"BloodHound Enterprise Solution Offer ID Updated to Resolve Partner Portal Conflict"},{"content":"What Changed The WorkspaceUsage.json workbook has been updated to version 1.6.4, introducing new features to the weekly analytics section. 
This appears to be a feature enhancement and bug fix update based on the PR description.\nSince the YAML diff was not available from the GitHub API, the specific functionality changes cannot be analyzed in detail. The update is described as adding new features into the weekly section with accompanying bug fixes, suggesting improvements to workspace monitoring and analytics capabilities within Microsoft Sentinel.\nAffected Files Workbooks/WorkspaceUsage.json ","permalink":"http://sentinelchangelog.net/posts/2026-03-13-pr-13805/","summary":"WorkspaceUsage workbook updated to version 1.6.4 with new weekly analytics features and bug fixes to improve usage visibility.","title":"Workspace Usage Monitoring Enhanced with New Features and Weekly Analytics"},{"content":"What Changed Reverted AWS EKS connector CloudFormation templates to resolve deployment issues that prevented successful infrastructure provisioning for EKS audit log collection.\nConnector Impact The AWS EKS CCF connector enables ingestion of Amazon Elastic Kubernetes Service audit logs into Microsoft Sentinel through an automated CloudFormation deployment. This fix addresses:\nTemplate syntax errors in the mainTemplate.json that caused deployment failures Corrected CloudFormation template structure for both OIDC authentication provider and EKS resources deployment Fixed release notes date field (corrected from future date 12-03-2026 to proper historical date) Infrastructure Components Fixed The connector deploys critical AWS infrastructure including:\nOpenID Connect (OIDC) identity provider for Microsoft Sentinel authentication IAM roles and policies for cross-account access S3 bucket for EKS audit log storage SQS queue for S3 event notifications Kinesis Data Firehose delivery stream with Lambda transformation CloudWatch Logs subscription filters Deployments using the previous broken templates would fail at provisioning, resulting in zero EKS audit log data reaching Microsoft Sentinel. 
This revert ensures successful infrastructure deployment and restoration of Kubernetes security monitoring capabilities.\nAffected Files Solutions/AWS EKS/Data Connectors/AWSEKS_ConnectorDefinition.json (packaging artefacts: 3.0.0.zip, ReleaseNotes.md, Solution_AWSEKS.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-12-pr-13812/","summary":"AWS EKS connector CloudFormation templates reverted to resolve deployment errors affecting EKS audit log ingestion setup.","title":"AWS EKS Connector: CloudFormation Template Revert Fixes Deployment Issues"},{"content":"What Changed New ASIM Authentication parser for Okta OktaSystemLogs table, providing normalized schema-compliant authentication event processing.\nParser Impact This parser adds Okta authentication event visibility to the ASIM normalized Authentication schema. The parser processes user.session.start and user.session.end events from the OktaSystemLogs table, mapping Okta-specific fields to standardized ASIM field names.\nKey normalization capabilities:\nMaps Okta authentication outcome codes to standard EventResultDetails Normalizes device type classifications (Computer, Mobile Device) Extracts geolocation and ISP context from Okta events Provides filtering parameters for targeted authentication analysis Detection Surface Unlocked SOC teams can now leverage existing ASIM Authentication detection rules against Okta authentication events without source-specific modifications. 
The parser enables:\nCross-platform authentication correlation using normalized field names Consistent user behavior analysis across multiple identity providers Simplified hunting queries targeting authentication patterns regardless of source system Integration with ASIM-based detections for credential-based attack scenarios Both full (ASimAuthenticationOktaSystemLogs) and filtering (vimAuthenticationOktaSystemLogs) parser variants are available, supporting both comprehensive analysis and performance-optimized queries.\nAffected Files .script/tests/KqlvalidationsTests/CustomTables/OktaSystemLogs.json Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json Parsers/ASimAuthentication/ARM/ASimAuthenticationOktaSystemLogs/ASimAuthenticationOktaSystemLogs.json Parsers/ASimAuthentication/ARM/ASimAuthenticationOktaSystemLogs/README.md Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json Parsers/ASimAuthentication/ARM/vimAuthenticationOktaSystemLogs/README.md Parsers/ASimAuthentication/ARM/vimAuthenticationOktaSystemLogs/vimAuthenticationOktaSystemLogs.json Parsers/ASimAuthentication/CHANGELOG/ASimAuthentication.md Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationOktaSystemLogs.md Parsers/ASimAuthentication/CHANGELOG/imAuthentication.md Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationOktaSystemLogs.md Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml Parsers/ASimAuthentication/Parsers/ASimAuthenticationOktaSystemLogs.yaml Parsers/ASimAuthentication/Parsers/imAuthentication.yaml Parsers/ASimAuthentication/Parsers/vimAuthenticationOktaSystemLogs.yaml ","permalink":"http://sentinelchangelog.net/posts/2026-03-12-pr-13801/","summary":"New ASIM parser normalizes Okta authentication events from OktaSystemLogs table to standard Authentication schema.","title":"ASIM Authentication: New Okta OktaSystemLogs Parser Enables Normalized Identity Event 
Analysis"},{"content":"What Changed TheHive CCF Data Connector removes the excludeFields parameter from the REST API query template, changing from \u0026ldquo;excludeFields\u0026rdquo;: [] to complete removal of the field.\nSecurity Impact (Visibility \u0026amp; Fidelity) The excludeFields parameter in the queryParametersTemplate was causing TheHive API responses to potentially exclude fields even when specified as an empty array. This field filtering mechanism could have prevented complete security event data from reaching Microsoft Sentinel, creating data fidelity gaps in incident investigation and case management visibility.\nDeployments running the previous connector configuration may have experienced incomplete TheHive event data ingestion, particularly affecting:\nCase update tracking (_updatedAt field integrity) Complete incident artifact collection Full case timeline visibility for security investigations The removal ensures TheHive security incident data flows completely into the Custom-TheHiveData_CL table without field-level filtering.\nAffected Files Solutions/TheHive/Data Connectors/CCF/PollingConfig.json Solutions/TheHive/Package/testParameters.json Solutions/TheHive/Playbooks/TheHiveConnector/azuredeploy.json (packaging artefacts: 3.0.1.zip, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-12-pr-13808/","summary":"TheHive CCF connector removes excludeFields parameter that was preventing complete event data ingestion.","title":"TheHive Connector: Field Filtering Fix Restores Complete Event Collection"},{"content":"What Changed Datawiza solution v3.0.1 adds a new Analytic Rule \u0026ldquo;Datawiza - massive errors detected\u0026rdquo; that monitors for abnormal server error patterns.\nDetection Logic Primary data source: datawizaserveraccess_CL table. Core logic monitors HTTP 5xx status codes (Status_d \u0026gt;= 500) over a 10-minute window, triggering when error count exceeds 100 events. 
Entity types mapped: none explicitly defined in the rule.\nMITRE Mapping T1082 (System Information Discovery) - Detection identifies potential reconnaissance activity through error pattern analysis that may indicate system probing or misconfiguration discovery attempts.\nAffected Files .script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json Solutions/Datawiza/Analytic Rules/DatawizaSentinelAlerts.yaml (packaging artefacts: 3.0.1.zip, ReleaseNotes.md, Solution_Datawiza_DAP.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-12-pr-13750/","summary":"Datawiza solution adds server error spike detection to identify potential DDoS attacks or system misconfigurations.","title":"Datawiza Solution: New Detection for Server Error Spike Monitoring"},{"content":"What Changed New solution package for D3 Smart SOAR integration, enabling Microsoft Sentinel customers to ingest incident data from D3 Security\u0026rsquo;s SOAR platform. Version 3.0.0 includes complete CCF connector implementation with DCR, polling configuration, and solution packaging.\nData Source D3 Smart SOAR is a Security Orchestration, Automation and Response platform that manages security incident workflows and automated response actions. 
The connector polls incident data including:\nCore incident metadata (IR Number, Title, Status, Severity, Priority) Workflow state (Stage, Disposition, Owner, Creator) Operational context (Playbook, Investigation Team, Linked Incidents) Raw incident and event data for forensic analysis Ingestion Mechanism CCF-based connector using RestApiPoller with the following characteristics:\nTarget table: D3SOARIncidents_CL (custom log table) Polling frequency: 5 minutes via /api/command/GetIncidentsWithNewParameters endpoint Authentication: D3 JWT token via APIKey auth type Data transformation: DCR KQL normalizes D3 field names to consistent schema with TimeGenerated, DateCreated, DateModified fields and preserves raw data in dynamic columns Security Impact (Visibility \u0026amp; Fidelity) This connector addresses a common SOAR visibility gap where security teams lose sight of automated response actions after incidents are handed off to orchestration platforms. Key benefits:\nResponse tracking: Incidents processed through D3 Smart SOAR are now visible in Microsoft Sentinel for correlation with other security events Workflow visibility: Playbook execution, stage transitions, and disposition outcomes become queryable within Sentinel Cross-platform correlation: Enables detection rules to reference SOAR incident context when analyzing related security events Audit trail: Complete incident lifecycle preserved with raw event data for compliance and forensic analysis Configuration prerequisite: D3 Smart SOAR site timezone must be set to UTC for correct timestamp alignment with Sentinel polling windows.\nAffected Files Logos/D3SOAR.svg Solutions/D3SmartSOAR/Data Connectors/D3SOAR_CCF/D3SOAR_DCR.json Solutions/D3SmartSOAR/Data Connectors/D3SOAR_CCF/D3SOAR_DataConnectorDefinition.json Solutions/D3SmartSOAR/Data Connectors/D3SOAR_CCF/D3SOAR_PollingConfig.json Solutions/D3SmartSOAR/Data Connectors/D3SOAR_CCF/D3SOAR_Table.json Solutions/D3SmartSOAR/Package/testParameters.json 
Solutions/D3SmartSOAR/README.md (packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_D3SOAR.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-12-pr-13718/","summary":"New connector integrates D3 Smart SOAR incidents into Microsoft Sentinel via CCF, providing SOC teams centralized visibility into automated response activities.","title":"D3 Smart SOAR Integration: New CCF Connector Enables SOAR Incident Visibility"},{"content":"What Changed Critical bugfix in AWS Network Firewall connector deployment logic that was causing duplicate data collector creation when dynamic stream names were configured.\nSecurity Impact (Visibility \u0026amp; Fidelity) Pre-Fix Data Processing Issue: The connector was creating separate collector resources for each log stream (Alert, Flow, TLS), causing deployment conflicts and potential data ingestion failures. This resulted in:\nFailed connector deployments due to resource naming conflicts Inconsistent data collection across Network Firewall log types Administrative overhead managing multiple collectors for a single data source Post-Fix Behaviour: Single parameterised connector with conditional logic that dynamically routes data to correct destination tables based on stream type:\nAlert logs → AWSNetworkFirewallAlert table Flow logs → AWSNetworkFirewallFlow table TLS logs → AWSNetworkFirewallTls table Technical Fix Details Connector Resource Changes:\nConsolidated three separate collector definitions into one parameterised resource Added conditional ARM template logic for dynamic destination table selection Updated PowerShell deployment tooling to handle dynamic stream name mappings Build Tool Improvements: Enhanced createCCPConnector.ps1 to generate proper conditional logic for multi-stream connectors, preventing future occurrence of this deployment pattern bug in other AWS solutions.\nThis fix ensures reliable AWS Network Firewall data collection 
deployment and eliminates a critical failure mode affecting network security monitoring capability.\nAffected Files Solutions/Amazon Web Services NetworkFirewall/Data Connectors/AWSNetworkFirewallLogs_CCP/AWSNetworkFirewallLog_PollingConfig.json Tools/Create-Azure-Sentinel-Solution/common/createCCPConnector.ps1 Tools/Create-Azure-Sentinel-Solution/common/get-ccp-details.ps1 (packaging artefacts: 3.0.3.zip, ReleaseNotes.md, Solution_AmazonWebServices.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-11-pr-13589/","summary":"Deployment bug fix prevents multiple collector creation for AWS Network Firewall multi-stream connectors.","title":"AWS Network Firewall Connector: Fixed Critical Deployment Bug Causing Duplicate Collectors"},{"content":"Data Source Amazon Elastic Kubernetes Service (EKS) audit logs containing API server requests, authentication decisions, and cluster activities in JSON format.\nIngestion Mechanism CCF-based connector using AWS SQS notifications triggered by S3 object creation events. 
When EKS audit logs are exported to S3, SQS notifications trigger real-time ingestion into the AWSEKSLogs_CL custom table.\nArchitecture Components:\nCloudFormation templates for AWS resource deployment OIDC web identity provider for cross-account authentication SQS queue for log file notifications DCR with custom stream transformation Detection Surface Unlocked Kubernetes API Activity Monitoring:\nAPI server request patterns and response codes Authentication and authorisation decisions Resource access attempts and modifications Administrative user activity tracking Key Security Visibility:\nUser field captures identity performing API operations AuthDecision tracks authentication success/failure Verb and ObjectRef detail specific Kubernetes operations SourceIPs provides network attribution ResponseCode indicates operation success/failure Attack Surface Coverage:\nPrivilege escalation attempts via unauthorised API calls Pod creation/modification for container breakout Service account token abuse Kubectl/API client reconnaissance activity Cluster configuration tampering This connector fills a critical gap in container security monitoring by providing standardised access to EKS control plane audit events that are essential for detecting Kubernetes-targeted attacks.\nAffected Files Solutions/AWS EKS/Data Connectors/AWSEKS_ConnectorDefinition.json Solutions/AWS EKS/Data Connectors/AWSEKS_DCR.json Solutions/AWS EKS/Data Connectors/AWSEKS_PollingConfig.json Solutions/AWS EKS/Data Connectors/AWSEKS_Table.json Solutions/AWS EKS/Data Connectors/CloudFormationTemplates/AWS_EKS_Resources_Deployment.json Solutions/AWS EKS/Data Connectors/CloudFormationTemplates/OIDC_Web_Identity_Provider.json (packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_AWSEKS.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-11-pr-13749/","summary":"New CCF-based solution ingests Amazon Elastic Kubernetes Service 
audit logs via SQS for real-time cluster security monitoring.","title":"AWS EKS Connector: New Public Preview for Kubernetes Audit Log Security Monitoring"},{"content":"What Changed New ASIM Authentication parser for Fortinet FortiGate that normalises administrator authentication events to the standardised Authentication schema.\nParser Impact Two new functions added to the ASIM Authentication framework:\nASimAuthenticationFortinetFortigate: Standard normalisation parser vimAuthenticationFortinetFortigate: Filtering-enabled parser with parameter support The parser transforms FortiGate CEF logs from CommonSecurityLog table into ASIM-compliant authentication events. Processes both login (system event login) and logout (system event logout) activities while filtering out unrelated events like FortiCloud join attempts.\nDetection Surface Unlocked Data Source: FortiGate administrative authentication logs via CommonSecurityLog CEF format\nEvent Types Normalised:\nAdministrator login attempts (success/failure with detailed failure reasons) Administrator logout events IP-based access policy violations Certificate authentication failures Key Fields Mapped:\nSource IP address and target device identification Username and authentication result details Event timing and severity classification Failure categorisation (incorrect password, user disabled, policy violations) This parser enables ASIM-based detections to monitor FortiGate administrative access patterns without vendor-specific query syntax.\nAffected Files ASIM/dev/ASimTester/ASimTester.csv Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json Parsers/ASimAuthentication/ARM/ASimAuthenticationFortinetFortigate/ASimAuthenticationFortinetFortigate.json Parsers/ASimAuthentication/ARM/ASimAuthenticationFortinetFortigate/README.md Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json 
Parsers/ASimAuthentication/ARM/vimAuthenticationFortinetFortigate/README.md Parsers/ASimAuthentication/ARM/vimAuthenticationFortinetFortigate/vimAuthenticationFortinetFortigate.json Parsers/ASimAuthentication/CHANGELOG/ASimAuthentication.md Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationFortinetFortigate.md Parsers/ASimAuthentication/CHANGELOG/imAuthentication.md Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationFortinetFortigate.md Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml Parsers/ASimAuthentication/Parsers/ASimAuthenticationFortinetFortigate.yaml Parsers/ASimAuthentication/Parsers/imAuthentication.yaml Parsers/ASimAuthentication/Parsers/vimAuthenticationFortinetFortigate.yaml ","permalink":"http://sentinelchangelog.net/posts/2026-03-11-pr-13786/","summary":"New ASIM parser adds normalised authentication monitoring for FortiGate administrator login and logout events.","title":"FortiGate ASIM Authentication Parser: New Visibility for Fortinet Administrative Access Events"},{"content":"What Changed Fixed code injection risks in GitHub workflow files by replacing direct GitHub context interpolation with environment variable assignments that are properly scoped and safer from injection attacks.\nSecurity Impact The previous pattern allowed potential command injection when untrusted user input was directly interpolated into shell commands. 
This created a security risk where malicious actors could potentially execute arbitrary commands in the CI environment.\nBefore (vulnerable): Direct interpolation of GitHub context into PowerShell variables After (secure): Environment variable assignment with proper scoping\nFiles Affected .github/workflows/allowedWorkflowRun.yaml: Updated user validation logic .github/workflows/checkSkipPackagingInfo.yaml: Secured packaging workflow variables Removed legacy validation tools directory (Tools/validate-detections/) The fix ensures that untrusted GitHub context data is properly isolated through environment variable scoping rather than direct string interpolation.\nAffected Files .github/workflows/allowedWorkflowRun.yaml .github/workflows/checkSkipPackagingInfo.yaml Tools/validate-detections/LICENSE Tools/validate-detections/README.md Tools/validate-detections/action.ps1 Tools/validate-detections/action.yml Tools/validate-detections/analytics.tests.ps1 Tools/validate-detections/mitre.csv Tools/validate-detections/yaml-analytics.tests.ps1 ","permalink":"http://sentinelchangelog.net/posts/2026-03-11-pr-13794/","summary":"Fixed code injection vulnerabilities in CI workflows by replacing direct GitHub context interpolation with safer environment variable patterns.","title":"GitHub Workflows: Code Injection Risk Mitigation via Environment Variable Security Fix"},{"content":"Affected Files (packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_DataBahn.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-11-pr-13780/","summary":"Fixed naming inconsistencies across Databahn solution metadata files to standardize on lowercase ‘b’ branding.","title":"Databahn Solution: Branding Consistency Fix"},{"content":"What Changed The Commvault Security IQ data connector underwent a complete architectural migration from the legacy Log Analytics HTTP Data Collector API to the modern 
Azure Monitor Logs Ingestion API with Data Collection Endpoint (DCE) and Data Collection Rule (DCR) infrastructure.\nSecurity Impact (Visibility & Fidelity) This modernization prevents future ingestion failures as Microsoft phases out legacy APIs. The connector now uses:\nAzure Monitor Logs Ingestion API via LogsIngestionClient instead of deprecated HTTP Data Collector API Data Collection Rule (DCR) for schema validation and transformation Data Collection Endpoint (DCE) for secure data ingestion Managed Identity authentication replacing shared key authentication Custom table CommvaultAlerts_CL (renamed from CommvaultSecurityIQ_CL) Event filtering logic remains unchanged — connector still targets the same security event codes (7:211, 7:212, 7:293, 7:269, 14:337, 14:338, 69:59, 7:333, 69:60, 35:5575, 35:5636, 7:349, 17:193, 17:195) unless ShowAllEvents is enabled.\nARM Template Changes The deployment template now provisions:\nData Collection Endpoint (DCE) resource Data Collection Rule (DCR) with custom stream definition Role assignment granting Function App managed identity Monitoring Metrics Publisher permissions on DCR Removed deprecated AzureSentinelWorkspaceId and AzureSentinelSharedKey parameters Data Format Changes Events are normalized with improved field mapping:\nEventCode field now uses eventCodeString (previously eventCode) Enhanced client name extraction from event descriptions Better timestamp normalization via timeSource field Hidden metadata extraction from HTML span elements in descriptions Organizations using this connector must upgrade to maintain Commvault security event visibility as Microsoft deprecates the legacy ingestion API.\nAffected Files .script/tests/KqlvalidationsTests/CustomTables/CommvaultAlerts_CL.json .script/tests/KqlvalidationsTests/CustomTables/CommvaultSecurityIQ_CL.json Solutions/Commvault Security IQ/Analytic Rules/CommvaultSecurityIQ_Alert.yaml Solutions/Commvault Security IQ/Data 
Connectors/AzureFunctionCommvaultSecurityIQ/main.py Solutions/Commvault Security IQ/Data Connectors/CommvaultSecurityIQ_API_AzureFunctionApp.json Solutions/Commvault Security IQ/Data Connectors/azuredeploy_CommvaultSecurityIQ_FunctionApp.json Solutions/Commvault Security IQ/Data Connectors/requirements.txt Solutions/Commvault Security IQ/DataConnector.md Solutions/Commvault Security IQ/Permissions.md Solutions/Commvault Security IQ/README.md (packaging artefacts: 3.0.4.zip, CommvaultSecurityIQDataConnector.zip, ReleaseNotes.md, Solution_Commvault Security IQ.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-11-pr-13703/","summary":"Commvault Security IQ connector migrated from deprecated Log Analytics API to Azure Monitor Logs Ingestion API with DCE/DCR architecture.","title":"Commvault Connector: Migration from Legacy Sentinel API to Modern Logs Ingestion Architecture"},{"content":"What Changed Microsoft Entra ID Assets connector expanded from 7 to 9 data streams, adding EntraDevices and EntraOrgContacts tables. 
Configuration names standardized to match table names (e.g., “Applications” → “EntraApplications”).\nSecurity Impact (Visibility & Fidelity) The addition of device and organizational contact tables fills visibility gaps in hybrid identity environments:\nEntraDevices: Enables monitoring of device join/unjoin events, compliance state changes, and stale device detection — critical for device-based lateral movement detection and Zero Trust compliance posture EntraOrgContacts: Provides external contact visibility for external collaboration monitoring and potential social engineering vector identification Per PR context: these tables support BloodHound graph building for attack path analysis, providing more complete scope of Entra assets for threat hunting and privilege escalation detection.\nData Source Enhancement The connector now ingests 9 distinct Entra ID asset types:\nEntraApplications (existing) EntraDevices (new) — registered/joined devices, compliance status EntraGroupMemberships (existing) EntraGroups (existing) EntraMembers (existing) EntraOrgContacts (new) — external organizational contacts EntraOrganizations (existing) EntraServicePrincipals (existing) EntraUsers (existing) Configuration label standardization eliminates confusion between UI display names and actual table destinations.\nAffected Files Solutions/Microsoft Entra ID Assets/Data Connectors/EntraIDAssets_DataConnectorDefinition.json (packaging artefacts: 3.0.2.zip, ReleaseNotes.md, Solution_MicrosoftEntraAssets.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-11-pr-13766/","summary":"Two new asset tables (EntraDevices, EntraOrgContacts) added to Microsoft Entra ID connector for BloodHound graph building and complete asset enumeration.","title":"Microsoft Entra ID Assets: Device and Organizational Contact Visibility Expansion"},{"content":"What Changed Fixed template file inconsistencies in the Visa Threat 
Intelligence (VTI) connector that were causing installation issues.\nSecurity Impact (Visibility & Fidelity) Deployments attempting to install the Visa Threat Intelligence connector experienced installation failures due to mismatched solution names and IDs in the ARM template. This created a potential blind spot for organizations relying on Visa’s threat intelligence feeds for payment fraud detection and cybersecurity monitoring. The fix ensures proper connector deployment and restoration of threat intelligence visibility.\nTemplate Corrections Updated _solutionName from VisaThreatIntelligence-Early-preview to Visa Threat Intelligence (VTI) Corrected _solutionId from preview-specific identifier to production value visa-cyber.azure-sentinel-solution-visathreatintel Version bumped to 3.0.1 with consistent packaging Affected Files Solutions/Visa Threat Intelligence (VTI)/DataConnectors/VisaThreatIntelligenceConnector.json (packaging artefacts: 3.0.0.zip, 3.0.1.zip, Solution_VTI.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-11-pr-13789/","summary":"Corrects solution name and ID mismatches in Visa TI connector templates that were causing installation failures.","title":"Visa Threat Intelligence Connector: Template Consistency Fix Addresses Installation Issues"},{"content":"What Changed Two new ASIM parsers (ASimAuditEventAzureKeyVault and vimAuditEventAzureKeyVault) were added to normalize audit events from Azure Key Vault, supporting both legacy AzureDiagnostics and the newer AZKVAuditLogs tables.\nParser Impact The parsers normalize audit events from both AzureDiagnostics (legacy) and AZKVAuditLogs (resource-specific) tables into the ASIM AuditEvent schema. 
This provides a unified view of Azure Key Vault operations including:\nVault operations: VaultGet, VaultPut, VaultDelete, VaultPatch, VaultList Secret management: SecretGet, SecretSet, SecretDelete, SecretList, SecretPurge, SecretBackup, SecretRestore, SecretRecover Key operations: KeyGet, KeyCreate, KeyDelete, KeyList, KeyUpdate, KeyPurge, KeyBackup, KeyRestore, KeyRecover, plus cryptographic operations (KeySign, KeyVerify, KeyWrap, KeyUnwrap, KeyEncrypt, KeyDecrypt) Certificate management: CertificateGet, CertificateCreate, CertificateDelete, CertificateList, CertificateUpdate, CertificatePurge, CertificateRecover, CertificateImport The parser maps each operation to standardized ASIM event types (Read, Set, Delete, Create, Execute, Other) and extracts actor information from Azure AD claims, enabling detection engineers to write source-agnostic queries for key management monitoring.\nDetection Surface Unlocked This parser enables standardized monitoring of high-value Azure Key Vault activities critical for detecting:\nUnauthorized secret/key access attempts Bulk key/secret enumeration indicating reconnaissance Cryptographic operations that may indicate lateral movement Certificate manipulation for persistence Policy changes affecting vault security Detection engineers can now use ASIM AuditEvent queries to monitor Key Vault activities alongside other audit sources without writing service-specific KQL.\nAffected Files .script/tests/KqlvalidationsTests/CustomTables/AZKVAuditLogs.json .script/tests/KqlvalidationsTests/CustomTables/AzureDiagnostics.json ASIM/dev/ASimTester/ASimTester.csv Parsers/ASimAuditEvent/ARM/ASimAuditEvent/ASimAuditEvent.json Parsers/ASimAuditEvent/ARM/ASimAuditEventAzureKeyVault/ASimAuditEventAzureKeyVault.json Parsers/ASimAuditEvent/ARM/ASimAuditEventAzureKeyVault/README.md Parsers/ASimAuditEvent/ARM/FullDeploymentAuditEvent.json Parsers/ASimAuditEvent/ARM/imAuditEvent/imAuditEvent.json 
Parsers/ASimAuditEvent/ARM/vimAuditEventAzureKeyVault/README.md Parsers/ASimAuditEvent/ARM/vimAuditEventAzureKeyVault/vimAuditEventAzureKeyVault.json Parsers/ASimAuditEvent/CHANGELOG/ASimAuditEvent.md Parsers/ASimAuditEvent/CHANGELOG/AsimAuditEventAzureKeyVault.md Parsers/ASimAuditEvent/CHANGELOG/imAuditEvent.md Parsers/ASimAuditEvent/CHANGELOG/vimAuditEventAzureKeyVault.md Parsers/ASimAuditEvent/Parsers/ASimAuditEvent.yaml Parsers/ASimAuditEvent/Parsers/ASimAuditEventAzureKeyVault.yaml Parsers/ASimAuditEvent/Parsers/imAuditEvent.yaml Parsers/ASimAuditEvent/Parsers/vimAuditEventAzureKeyVault.yaml ","permalink":"http://sentinelchangelog.net/posts/2026-03-10-pr-13757/","summary":"Azure Key Vault audit events can now be analyzed using ASIM schema, enabling standardized detection across vault, secret, key, and certificate operations.","title":"Azure Key Vault ASIM Parser: New Audit Event Normalization for Critical Key Management Monitoring"},{"content":"What Changed A comprehensive new solution providing six interconnected playbooks for NetApp Ransomware Protection Service integration. 
The solution establishes automated incident response capabilities for NetApp storage environments through Microsoft Sentinel.\nPlaybook Architecture The solution follows a modular building-block approach with foundation and response components:\nFoundation Infrastructure:\nAuthentication Playbook — centralized credential management via Azure Key Vault with OAuth2 token generation Async Poll Playbook — monitors long-running NetApp operations until completion Investigation Capabilities:\nEnrich IP Playbook — retrieves network interface details, associated storage VMs, and volume mappings for suspicious IPs Enrich StorageVM Playbook — gathers comprehensive storage configuration, volume states, and access policies Protective Actions:\nVolume Snapshot Playbook — creates point-in-time snapshots for data protection and evidence preservation Volume Offline Playbook — isolates compromised volumes by taking them offline to prevent lateral movement Security Impact This solution addresses a critical gap in automated storage protection during ransomware incidents. Previously, SOC teams had limited ability to rapidly protect NetApp storage assets through Sentinel automation. The solution enables:\nImmediate Containment — automated volume isolation upon threat detection prevents ransomware spread Data Protection — automated snapshot creation preserves clean recovery points before corruption Investigation Context — IP and storage VM enrichment provides rapid situational awareness of affected infrastructure Deployment Workflow The playbooks must be deployed in strict sequence due to dependencies: Auth → Async Poll → Enrich IP → Enrich StorageVM → Volume Snapshot → Volume Offline. 
Each playbook includes comprehensive deployment documentation and testing procedures.\nSOC Integration The modular design enables flexible automation rules:\nHigh-severity ransomware alerts can trigger automatic snapshot + offline workflows IP-based investigations can chain enrichment with protective actions Manual triggering available for analyst-driven incident response Authentication leverages Azure Key Vault for secure credential storage, with all API communications using OAuth2 client credentials flow.\nAffected Files Logos/NetApp.svg Solutions/NetApp Ransomware Resilience/Package/testParameters.json Solutions/NetApp Ransomware Resilience/Playbooks/NetApp-RansomwareResilience-Auth-Playbook/README.md Solutions/NetApp Ransomware Resilience/Playbooks/NetApp-RansomwareResilience-Auth-Playbook/azuredeploy.json Solutions/NetApp Ransomware Resilience/Playbooks/NetApp-RansomwareResilience-Auth-Playbook/azuredeploy.parameters.json Solutions/NetApp Ransomware Resilience/Playbooks/NetApp-RansomwareResilience-Manual-IP-to-Offline-Playbook/azuredeploy.json Solutions/NetApp Ransomware Resilience/Playbooks/NetApp-RansomwareResilience_Async_Poll_Playbook/README.md Solutions/NetApp Ransomware Resilience/Playbooks/NetApp-RansomwareResilience_Async_Poll_Playbook/azuredeploy.json Solutions/NetApp Ransomware Resilience/Playbooks/NetApp-RansomwareResilience_Async_Poll_Playbook/azuredeploy.parameters.json Solutions/NetApp Ransomware Resilience/Playbooks/NetApp-RansomwareResilience_Enrich_IP_Playbook/README.md Solutions/NetApp Ransomware Resilience/Playbooks/NetApp-RansomwareResilience_Enrich_IP_Playbook/azuredeploy.json Solutions/NetApp Ransomware Resilience/Playbooks/NetApp-RansomwareResilience_Enrich_IP_Playbook/azuredeploy.parameters.json Solutions/NetApp Ransomware Resilience/Playbooks/NetApp-RansomwareResilience_Enrich_StorageVM_Playbook/README.md Solutions/NetApp Ransomware Resilience/Playbooks/NetApp-RansomwareResilience_Enrich_StorageVM_Playbook/azuredeploy.json 
Solutions/NetApp Ransomware Resilience/Playbooks/NetApp-RansomwareResilience_Enrich_StorageVM_Playbook/azuredeploy.parameters.json Solutions/NetApp Ransomware Resilience/Playbooks/NetApp-RansomwareResilience_Volume_Offline_Playbook/README.md Solutions/NetApp Ransomware Resilience/Playbooks/NetApp-RansomwareResilience_Volume_Offline_Playbook/azuredeploy.json Solutions/NetApp Ransomware Resilience/Playbooks/NetApp-RansomwareResilience_Volume_Offline_Playbook/azuredeploy.parameters.json Solutions/NetApp Ransomware Resilience/Playbooks/NetApp-RansomwareResilience_Volume_Snapshot_Playbook/README.md Solutions/NetApp Ransomware Resilience/Playbooks/NetApp-RansomwareResilience_Volume_Snapshot_Playbook/azuredeploy.json Solutions/NetApp Ransomware Resilience/Playbooks/NetApp-RansomwareResilience_Volume_Snapshot_Playbook/azuredeploy.parameters.json Solutions/NetApp Ransomware Resilience/Playbooks/README.md (packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_NetAppRansomwareResilience.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-10-pr-13052/","summary":"NetApp introduces modular playbooks for automated ransomware protection, enabling SOC teams to investigate, snapshot, and isolate compromised storage volumes via Microsoft Sentinel integration.","title":"NetApp Ransomware Resilience: New Automated Incident Response Solution"},{"content":"What Changed IPinfo solution v3.0.3 introduces three new Function App data connectors (Core, Plus, Residential Proxy) while implementing comprehensive OAuth 2.0 authentication error handling across all existing connectors.\nNEW Data Connectors IPinfo Core: Comprehensive IP intelligence covering basic geolocation, ASN, carrier, and hosting information. 
Populates Ipinfo_CORE_CL table with 93 custom fields including geographic coordinates, organization details, and network metadata.\nIPinfo Plus: Extended intelligence dataset adding privacy detection, company information, and abuse contact details. Populates Ipinfo_PLUS_CL table with 125 custom fields for enhanced threat context.\nIPinfo Residential Proxy: Specialized detection of residential proxy infrastructure used for malicious traffic obfuscation. Populates Ipinfo_RESIDENTIAL_PROXY_CL table with 25 custom fields specifically targeting proxy identification and classification.\nSecurity Impact (Visibility & Fidelity) OAuth Authentication Hardening: All connectors now implement comprehensive Azure AD authentication validation with specific exception handling for Client ID (AADSTS700016), Client Secret, Tenant ID, and API token errors. Previously, authentication failures would cause silent connector shutdown without visibility into the root cause.\nThreat Intelligence Enhancement: The new connectors provide critical IP reputation and infrastructure intelligence for:\nResidential Proxy Detection: Identifies traffic routing through compromised home networks commonly used in fraud and malware C2 communications Enhanced IP Context: Core and Plus connectors deliver comprehensive geolocation, ASN ownership, and hosting provider details essential for threat attribution Abuse Contact Intelligence: Plus connector provides abuse reporting contacts for rapid threat response coordination Data Ingestion Reliability: Function App authentication errors now generate specific error messages rather than generic failures, enabling faster troubleshooting of broken data ingestion workflows. 
This prevents prolonged IP intelligence blind spots during deployment or configuration issues.\nDeployment Template Consistency: All new connectors use standardized Function App deployment templates with consistent parameter validation, reducing misconfiguration risks that could lead to data collection gaps.\nAffected Files .script/tests/KqlvalidationsTests/CustomTables/Ipinfo_CORE_CL.json .script/tests/KqlvalidationsTests/CustomTables/Ipinfo_PLUS_CL.json .script/tests/KqlvalidationsTests/CustomTables/Ipinfo_RESIDENTIAL_PROXY_CL.json Solutions/IPinfo/Data Connectors/ASN/AzureFunctionIPinfoASN/main.py Solutions/IPinfo/Data Connectors/ASN/AzureFunctionIPinfoASN/utils.py Solutions/IPinfo/Data Connectors/ASN/azuredeploy_Connector_IPinfo_ASN_AzureFunction.json Solutions/IPinfo/Data Connectors/Abuse/AzureFunctionIPinfoAbuse/main.py Solutions/IPinfo/Data Connectors/Abuse/AzureFunctionIPinfoAbuse/utils.py Solutions/IPinfo/Data Connectors/Abuse/azuredeploy_Connector_IPinfo_Abuse_AzureFunction.json Solutions/IPinfo/Data Connectors/Carrier/AzureFunctionIPinfoCarrier/main.py Solutions/IPinfo/Data Connectors/Carrier/AzureFunctionIPinfoCarrier/utils.py Solutions/IPinfo/Data Connectors/Carrier/azuredeploy_Connector_IPinfo_Carrier_AzureFunction.json Solutions/IPinfo/Data Connectors/Company/AzureFunctionIPinfoCompany/main.py Solutions/IPinfo/Data Connectors/Company/AzureFunctionIPinfoCompany/utils.py Solutions/IPinfo/Data Connectors/Company/azuredeploy_Connector_IPinfo_Company_AzureFunction.json Solutions/IPinfo/Data Connectors/Core/AzureFunctionIPinfoCore/constants.py Solutions/IPinfo/Data Connectors/Core/AzureFunctionIPinfoCore/function.json Solutions/IPinfo/Data Connectors/Core/AzureFunctionIPinfoCore/main.py Solutions/IPinfo/Data Connectors/Core/AzureFunctionIPinfoCore/utils.py Solutions/IPinfo/Data Connectors/Core/IPinfo_Core_API_AzureFunctionApp.json Solutions/IPinfo/Data Connectors/Core/azuredeploy_Connector_IPinfo_Core_AzureFunction.json Solutions/IPinfo/Data 
Connectors/Core/host.json Solutions/IPinfo/Data Connectors/Core/proxies.json Solutions/IPinfo/Data Connectors/Core/requirements.txt Solutions/IPinfo/Data Connectors/Country ASN/AzureFunctionIPinfoCountryASN/main.py Solutions/IPinfo/Data Connectors/Country ASN/AzureFunctionIPinfoCountryASN/utils.py Solutions/IPinfo/Data Connectors/Country ASN/azuredeploy_Connector_IPinfo_Country_AzureFunction.json Solutions/IPinfo/Data Connectors/Domain/AzureFunctionIPinfoDomain/main.py Solutions/IPinfo/Data Connectors/Domain/AzureFunctionIPinfoDomain/utils.py Solutions/IPinfo/Data Connectors/Domain/azuredeploy_Connector_IPinfo_Domain_AzureFunction.json Solutions/IPinfo/Data Connectors/Iplocation Extended/AzureFunctionIPinfoIplocationExtended/main.py Solutions/IPinfo/Data Connectors/Iplocation Extended/AzureFunctionIPinfoIplocationExtended/utils.py Solutions/IPinfo/Data Connectors/Iplocation Extended/azuredeploy_Connector_IPinfo_Iplocation_Extended_AzureFunction.json Solutions/IPinfo/Data Connectors/Iplocation/AzureFunctionIPinfoIplocation/main.py Solutions/IPinfo/Data Connectors/Iplocation/AzureFunctionIPinfoIplocation/utils.py Solutions/IPinfo/Data Connectors/Iplocation/azuredeploy_Connector_IPinfo_Iplocation_AzureFunction.json Solutions/IPinfo/Data Connectors/Plus/AzureFunctionIPinfoPlus/constants.py Solutions/IPinfo/Data Connectors/Plus/AzureFunctionIPinfoPlus/function.json Solutions/IPinfo/Data Connectors/Plus/AzureFunctionIPinfoPlus/main.py Solutions/IPinfo/Data Connectors/Plus/AzureFunctionIPinfoPlus/utils.py Solutions/IPinfo/Data Connectors/Plus/IPinfo_Plus_API_AzureFunctionApp.json Solutions/IPinfo/Data Connectors/Plus/azuredeploy_Connector_IPinfo_Plus_AzureFunction.json Solutions/IPinfo/Data Connectors/Plus/host.json Solutions/IPinfo/Data Connectors/Plus/proxies.json Solutions/IPinfo/Data Connectors/Plus/requirements.txt Solutions/IPinfo/Data Connectors/Privacy Extended/AzureFunctionIPinfoPrivacyExtended/main.py Solutions/IPinfo/Data Connectors/Privacy 
Extended/AzureFunctionIPinfoPrivacyExtended/utils.py Solutions/IPinfo/Data Connectors/Privacy Extended/azuredeploy_Connector_IPinfo_Privacy_Extended_AzureFunction.json Solutions/IPinfo/Data Connectors/Privacy/AzureFunctionIPinfoPrivacy/main.py Solutions/IPinfo/Data Connectors/Privacy/AzureFunctionIPinfoPrivacy/utils.py Solutions/IPinfo/Data Connectors/Privacy/azuredeploy_Connector_IPinfo_Privacy_AzureFunction.json Solutions/IPinfo/Data Connectors/RIRWHOIS/AzureFunctionIPinfoRIRWHOIS/main.py Solutions/IPinfo/Data Connectors/RIRWHOIS/AzureFunctionIPinfoRIRWHOIS/utils.py Solutions/IPinfo/Data Connectors/RIRWHOIS/azuredeploy_Connector_IPinfo_RIRWHOIS_AzureFunction.json Solutions/IPinfo/Data Connectors/RWHOIS/AzureFunctionIPinfoRWHOIS/main.py Solutions/IPinfo/Data Connectors/RWHOIS/AzureFunctionIPinfoRWHOIS/utils.py Solutions/IPinfo/Data Connectors/RWHOIS/azuredeploy_Connector_IPinfo_RWHOIS_AzureFunction.json Solutions/IPinfo/Data Connectors/ResProxy/AzureFunctionIPinfoResProxy/constants.py Solutions/IPinfo/Data Connectors/ResProxy/AzureFunctionIPinfoResProxy/function.json Solutions/IPinfo/Data Connectors/ResProxy/AzureFunctionIPinfoResProxy/main.py Solutions/IPinfo/Data Connectors/ResProxy/AzureFunctionIPinfoResProxy/utils.py Solutions/IPinfo/Data Connectors/ResProxy/IPinfo_ResProxy_API_AzureFunctionApp.json Solutions/IPinfo/Data Connectors/ResProxy/azuredeploy_Connector_IPinfo_ResProxy_AzureFunction.json Solutions/IPinfo/Data Connectors/ResProxy/host.json Solutions/IPinfo/Data Connectors/ResProxy/proxies.json Solutions/IPinfo/Data Connectors/ResProxy/requirements.txt Solutions/IPinfo/Data Connectors/WHOIS ASN/AzureFunctionIPinfoWHOISASN/main.py Solutions/IPinfo/Data Connectors/WHOIS ASN/AzureFunctionIPinfoWHOISASN/utils.py Solutions/IPinfo/Data Connectors/WHOIS ASN/azuredeploy_Connector_IPinfo_WHOIS_ASN_AzureFunction.json Solutions/IPinfo/Data Connectors/WHOIS MNT/AzureFunctionIPinfoWHOISMNT/main.py Solutions/IPinfo/Data Connectors/WHOIS 
MNT/AzureFunctionIPinfoWHOISMNT/utils.py Solutions/IPinfo/Data Connectors/WHOIS MNT/azuredeploy_Connector_IPinfo_WHOIS_MNT_AzureFunction.json Solutions/IPinfo/Data Connectors/WHOIS NET/AzureFunctionIPinfoWHOISNET/main.py Solutions/IPinfo/Data Connectors/WHOIS NET/AzureFunctionIPinfoWHOISNET/utils.py Solutions/IPinfo/Data Connectors/WHOIS NET/azuredeploy_Connector_IPinfo_WHOIS_NET_AzureFunction.json Solutions/IPinfo/Data Connectors/WHOIS ORG/AzureFunctionIPinfoWHOISORG/main.py Solutions/IPinfo/Data Connectors/WHOIS ORG/AzureFunctionIPinfoWHOISORG/utils.py Solutions/IPinfo/Data Connectors/WHOIS ORG/azuredeploy_Connector_IPinfo_WHOIS_ORG_AzureFunction.json Solutions/IPinfo/Data Connectors/WHOIS POC/AzureFunctionIPinfoWHOISPOC/main.py Solutions/IPinfo/Data Connectors/WHOIS POC/AzureFunctionIPinfoWHOISPOC/utils.py Solutions/IPinfo/Data Connectors/WHOIS POC/azuredeploy_Connector_IPinfo_WHOIS_POC_AzureFunction.json (packaging artefacts: 3.0.3.zip, IPInfoWHOISASNConn.zip, IPinfoASNConn.zip, IPinfoAbuseConn.zip, IPinfoCarrierConn.zip, IPinfoCompanyConn.zip, IPinfoCoreConn.zip, IPinfoCountryConn.zip, IPinfoDomainConn.zip, IPinfoIplocationConn.zip, IPinfoIplocationExtendedConn.zip, IPinfoPlusConn.zip, IPinfoPrivacyConn.zip, IPinfoPrivacyExtendedConn.zip, IPinfoRIRWHOISConn.zip, IPinfoRWHOISConn.zip, IPinfoResProxyConn.zip, IPinfoWHOISMNTConn.zip, IPinfoWHOISNETConn.zip, IPinfoWHOISORGConn.zip, IPinfoWHOISPOCConn.zip, ReleaseNotes.md, Solution_IPinfo.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-10-pr-13734/","summary":"IPinfo v3.0.3 adds Core, Plus, and Residential Proxy data connectors with robust Azure AD OAuth exception handling to prevent authentication blind spots.","title":"IPinfo Solution: Three New Data Connectors with Enhanced OAuth Authentication"},{"content":"What Changed The AWS Athena Function App connector received two critical updates: Azure Functions extension bundle upgrade from v3 to v4+ range, 
and a defensive fix to the Python query result parsing logic in GetQueryResults.\nSecurity Impact (Visibility & Fidelity) Function App Runtime Compatibility: The extension bundle version constraint changed from [3.*, 4.0.0) to [4.*, 5.0.0), aligning with Azure Functions runtime v4 requirements. Deployments using newer Azure Functions hosts would fail to load the connector with the previous constraint, resulting in complete automation failure for AWS Athena query orchestration.\nQuery Result Data Fidelity: The Python parsing logic previously contained an unsafe assumption that query result data cells always contain values (list(dict(data).values())[0]). When AWS Athena returns empty cells or malformed data structures, this would raise an IndexError, causing the entire query result processing to fail. The fix adds defensive handling to populate None for empty cells, ensuring partial results are still processed rather than complete automation failure.\nOperational Risk: Without these fixes, deployments running Azure Functions v4+ infrastructure would experience silent failures during connector initialization, while those on compatible runtime would intermittently fail when processing Athena queries containing sparse or empty result sets. 
Both scenarios create blind spots in AWS log analysis automation workflows.\nAffected Files Solutions/AWSAthena/Playbooks/CustomConnector/AWSAthena_FunctionAppConnector/GetQueryResults/__init__.py Solutions/AWSAthena/Playbooks/CustomConnector/AWSAthena_FunctionAppConnector/host.json (packaging artefacts: AWSAthenaFunctionApp.zip) ","permalink":"http://sentinelchangelog.net/posts/2026-03-10-pr-13648/","summary":"AWS Athena Function App connector updated to Azure Functions v4+ bundle and fixed Python query parsing logic that previously failed on empty result data.","title":"AWS Athena Function App: Resolving Extension Bundle Compatibility and Query Result Parsing"},{"content":"What Changed Microsoft Sentinel has deprecated four Recorded Future Playbooks that automated threat intelligence ingestion from Recorded Future’s Command & Control feeds into Microsoft Defender for Endpoint. The affected playbooks are:\nRecordedFuture-ImportToDefenderEndpoint — automated import of C&C IPs and weaponized domains RecordedFuture-TIforDefenderEndpoint — threat intelligence processor for prevention actions RecordedFuture_IP_SCF_ImportToDefenderEndpoint — Command & Control IP Security Control Feed importer RecordedFuture_IP_SCF_IndicatorProcessor — IP indicator processing workflow Security Impact Critical Integration Failure: Any deployments using these playbooks have lost automated threat intelligence ingestion capabilities. The underlying Microsoft Graph Security tiIndicators API (beta) and its submitTiIndicators endpoint have been deprecated by Microsoft, causing complete integration failure.\nDetection Blind Spot: Organizations relying on these playbooks for automated blocking of Recorded Future’s Command & Control indicators in Defender for Endpoint no longer receive this threat intelligence feed. 
This represents a significant reduction in proactive threat blocking capabilities.\nMigration Required: Recorded Future has provided alternative integration paths, but existing deployments require immediate attention to restore threat intelligence functionality.\nAffected Capabilities Automated C&C IP blocking — no longer functional Weaponized domain prevention — no longer operational Daily threat intelligence updates — integration broken Recorded Future Security Control Feeds — ingestion pipeline disabled Organizations using these playbooks should immediately review Recorded Future’s migration documentation and implement alternative threat intelligence ingestion methods.\nAffected Files Playbooks/RecordedFuture-Block-IPs-and-Domains-on-Microsoft-Defender-for-Endpoint/RecordedFuture-ImportToDefenderEndpoint.json Playbooks/RecordedFuture-Block-IPs-and-Domains-on-Microsoft-Defender-for-Endpoint/RecordedFuture-TIforDefenderEndpoint.json Playbooks/RecordedFuture-Block-IPs-and-Domains-on-Microsoft-Defender-for-Endpoint/readme.md Playbooks/RecordedFuture_IP_SCF/RecordedFuture_IP_SCF_ImportToDefenderEndpoint.json Playbooks/RecordedFuture_IP_SCF/RecordedFuture_IP_SCF_IndicatorProcessor.json Playbooks/RecordedFuture_IP_SCF/readme.md ","permalink":"http://sentinelchangelog.net/posts/2026-03-09-pr-13763/","summary":"Microsoft has deprecated the Graph Security tiIndicators API, rendering Recorded Future’s automated threat intelligence ingestion playbooks non-functional.","title":"Recorded Future Playbooks: Threat Intelligence Integration Discontinued Due to Microsoft API Deprecation"},{"content":"What Changed The Feedly Threat Intelligence solution has been fully migrated from Azure Functions-based ingestion to the native Microsoft Sentinel Codeless Connector Framework (CCF). 
This architectural modernization removes all custom Python polling logic and Function App infrastructure dependencies.\nSecurity Impact (Visibility & Fidelity) No loss of threat intelligence coverage — the CCF connector maintains identical data ingestion from Feedly IoC feeds into the feedly_indicators_CL table. The migration improves reliability by leveraging Sentinel native scheduling, authentication, pagination, and ingestion mechanisms instead of custom Function App code.\nThe change eliminates potential blind spots from Function App failures or maintenance overhead, ensuring consistent threat intelligence flow for detection engineering teams.\nIngestion Mechanism Replaced Azure Function timer trigger with CCF REST API polling connector using:\nNative DCR/DCE ingestion pipeline Sentinel-managed authentication and retry logic Automated pagination for Feedly stream contents API Built-in state management for incremental data collection Files Removed Complete Azure Function codebase (251 lines of Python across 6 modules) Function App deployment template (azuredeploy_Connector_Feedly_AzureFunction.json) Custom state management and Sentinel API integration code Function configuration files and requirements Files Added New CCF deployment template (azuredeploy_Connector_Feedly_CCP.json) with 657 lines of ARM template Native DCR configuration for feedly_indicators_CL table schema Deployment Impact Existing deployments using the Azure Function connector will need to migrate to the new CCF connector. 
The CCF connector provides the same threat intelligence coverage with reduced infrastructure complexity and improved maintainability.\nAffected Files Solutions/Feedly/Data Connectors/FeedlySentinelConnector/__init__.py Solutions/Feedly/Data Connectors/FeedlySentinelConnector/config.py Solutions/Feedly/Data Connectors/FeedlySentinelConnector/feedly_downloader.py Solutions/Feedly/Data Connectors/FeedlySentinelConnector/function.json Solutions/Feedly/Data Connectors/FeedlySentinelConnector/local.settings.json Solutions/Feedly/Data Connectors/FeedlySentinelConnector/sentinel_api.py Solutions/Feedly/Data Connectors/FeedlySentinelConnector/state_manager.py Solutions/Feedly/Data Connectors/FeedlySentinelConnector/worker.py Solutions/Feedly/Data Connectors/Feedly_API_AzureFunctionApp.json Solutions/Feedly/Data Connectors/azuredeploy_Connector_Feedly_AzureFunction.json Solutions/Feedly/Data Connectors/azuredeploy_Connector_Feedly_CCP.json Solutions/Feedly/Data Connectors/host.json Solutions/Feedly/Data Connectors/proxies.json Solutions/Feedly/Data Connectors/requirements.txt (packaging artefacts: FeedlyAzureFunction.zip) ","permalink":"http://sentinelchangelog.net/posts/2026-03-09-pr-13748/","summary":"Modernizes Feedly threat intelligence ingestion by removing Azure Function dependencies and migrating to native Sentinel CCF polling for IoC feeds.","title":"Feedly Threat Intelligence: Migration from Azure Functions to Native CCF Connector"},{"content":"What Changed The CyeraDSPM solution has been simplified by completely removing the legacy Azure Functions-based data connector while retaining the Codeless Connector Framework (CCF) connector. This architectural change eliminates dual deployment paths that were causing marketplace publication issues.\nSecurity Impact (Visibility \u0026amp; Fidelity) No impact on data visibility — the CCF connector provides identical functionality to the removed Azure Functions connector. 
Both connectors ingested the same Cyera API data into custom tables (CyeraAssets_MS_CL, CyeraIdentities_CL, CyeraClassifications_CL, CyeraIssues_CL) for Data Security Posture Management monitoring.\nThe removal addresses a deployment reliability issue where the deprecated Azure Functions connector was causing marketplace package validation failures, potentially blocking security teams from deploying the solution.\nFiles Removed Entire Data Connectors/CyeraDSPM_Functions/ directory containing: Python Azure Function code (510 lines of connector logic) Function App deployment templates and configuration Manual installation documentation and deployment packages Deployment Impact Existing deployments using the CCF connector remain unaffected. The change simplifies future deployments by removing the manual Function App setup requirement and aligning with the Microsoft-recommended direct ingestion approach for Sentinel solutions.\nAffected Files Solutions/CyeraDSPM/CHANGELOG.md Solutions/CyeraDSPM/Data Connectors/CyeraDSPM_Functions/AzureFunction/CyeraConnector/__init__.py Solutions/CyeraDSPM/Data Connectors/CyeraDSPM_Functions/AzureFunction/CyeraConnector/function.json Solutions/CyeraDSPM/Data Connectors/CyeraDSPM_Functions/AzureFunction/README.md Solutions/CyeraDSPM/Data Connectors/CyeraDSPM_Functions/AzureFunction/host.json Solutions/CyeraDSPM/Data Connectors/CyeraDSPM_Functions/AzureFunction/requirements.txt Solutions/CyeraDSPM/Data Connectors/CyeraDSPM_Functions/FunctionAppDC.json Solutions/CyeraDSPM/Data Connectors/CyeraDSPM_Functions/INSTALL.md (packaging artefacts: 3.0.0.zip, CyeraConnector.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_Cyera.json, createUiDefinition.json, install-pack-v0_7_3.zip, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-09-pr-13768/","summary":"Removes deprecated Azure Functions connector from CyeraDSPM solution, streamlining to single CCF-based ingestion to prevent marketplace deployment 
failures.","title":"CyeraDSPM Connector: Eliminates Legacy Azure Functions Deployment Path"},{"content":"What Changed New ASIM Asset Entity schema implementation with complete parser infrastructure and CI integration.\nSchema Foundation The Asset Entity schema introduces normalised asset tracking with fields for:\nEntity identification (EntityId, EntityName, AssetType) Asset ownership and permissions (AssetOwnerId, AssetOwnerType, AdditionalAssetOwners) Risk assessment (AssetRiskLevel, AssetRiskName, AssetOriginalRiskDetails) Data classification (AssetSensitivityLabel, AssetOriginalDataClassificationType) File metadata (FilePath, FileSize, FileMD5/SHA hashes) Parser Infrastructure Three core parsers deployed:\nASimAssetEntity: Source-agnostic unifying parser imAssetEntity: Filtering parser with parameter support for targeted queries vimAssetEntityEmpty: Empty schema template returning structured schema fields CI Integration Updated GitHub workflows and test frameworks to include AssetEntity in automated validation, ensuring schema consistency across future development.\nAffected Files .github/workflows/convertKqlFunctionYamlToArmTemplate.yaml .github/workflows/runAsimSchemaAndDataTesters.yaml .script/getModifiedASimSchemas.ps1 .script/tests/asimParsersTest/VerifyASimParserTemplate.py ASIM/deploy/EmptyCustomUnifyingParsers/ASim_AssetEntityCustom.json ASIM/deploy/EmptyCustomUnifyingParsers/AssetEntityDeploymentCustomUnifyingParsers.json ASIM/deploy/EmptyCustomUnifyingParsers/FullDeploymentCustomUnifyingParsers.json ASIM/deploy/EmptyCustomUnifyingParsers/Im_AssetEntityCustom.json ASIM/deploy/EmptyCustomUnifyingParsers/README.md ASIM/dev/ASimTester/ASimTester.csv Parsers/ASimAssetEntity/ARM/ASimAssetEntity/ASimAssetEntity.json Parsers/ASimAssetEntity/ARM/ASimAssetEntity/README.md Parsers/ASimAssetEntity/ARM/FullDeploymentAssetEntity.json Parsers/ASimAssetEntity/ARM/README.md Parsers/ASimAssetEntity/ARM/imAssetEntity/README.md 
Parsers/ASimAssetEntity/ARM/imAssetEntity/imAssetEntity.json Parsers/ASimAssetEntity/ARM/vimAssetEntityEmpty/README.md Parsers/ASimAssetEntity/ARM/vimAssetEntityEmpty/vimAssetEntityEmpty.json Parsers/ASimAssetEntity/CHANGELOG/ASimAssetEntity.md Parsers/ASimAssetEntity/CHANGELOG/imAssetEntity.md Parsers/ASimAssetEntity/CHANGELOG/vimAssetEntityEmpty.md Parsers/ASimAssetEntity/Parsers/ASimAssetEntity.yaml Parsers/ASimAssetEntity/Parsers/imAssetEntity.yaml Parsers/ASimAssetEntity/Parsers/vimAssetEntityEmpty.yaml Parsers/ASimAssetEntity/README.md ","permalink":"http://sentinelchangelog.net/posts/2026-03-06-pr-13732/","summary":"Introduces complete ASIM Asset Entity schema with parsers, empty templates, and CI integration to enable asset-centric security monitoring.","title":"ASIM Asset Entity Schema: New Schema Foundation for Asset Management"},{"content":"What Changed CrowdStrike API Data Connector v3.3.1 implements a complete overhaul of the alerts and detections ingestion mechanism, switching from a broken single-endpoint approach to a two-step nested collection process.\nSecurity Impact (Visibility \u0026amp; Fidelity) Critical data fidelity gap resolved: The previous connector configuration (v3.3.0 and earlier) was only retrieving alert IDs from /alerts/combined/alerts/v1 endpoint, not the actual alert content. 
Deployments running the affected versions had incomplete CrowdStrike visibility — only alert references were ingested, with no alert metadata, severity, or contextual data populated in the CrowdStrikeAlerts and CrowdStrikeDetections tables.\nThe connector now implements proper nested data collection:\nStep 1: Query /alerts/queries/alerts/v2 (GET) to retrieve alert ID lists Step 2: Call /alerts/entities/alerts/v2 (POST) with those IDs to fetch full alert details This two-phase approach ensures complete alert and detection data ingestion, restoring visibility into CrowdStrike endpoint protection events that was missing in previous versions.\nConfiguration Changes HTTP method changed from POST to GET for initial alert queries Implemented nested step collection with stepInfo.stepType: Nested Added dedicated alert_details and detection_details step collectors Changed paging mechanism from PersistentToken to Offset-based pagination Reduced timeout from 120s to 90s per request The fix affects both CrowdStrikeAlerts and CrowdStrikeDetections data types with identical architectural improvements.\nAffected Files Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdStrikeAPI_ccp/CrowdStrikeAPI_Definition.json Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdStrikeAPI_ccp/CrowdStrikeAPI_PollingConfig.json (packaging artefacts: 3.3.1.zip, ReleaseNotes.md, Solution_CrowdStrike.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-06-pr-13761/","summary":"CrowdStrike API connector fix implements nested API calls to retrieve complete alert/detection details after prior version only captured alert IDs.","title":"CrowdStrike API Connector: Critical Fix Restores Full Alert and Detection Data Ingestion"},{"content":"What Changed Added a new KQL workspace function AMAVersionReport() that provides centralized visibility into Azure Monitor Agent deployments across the Sentinel environment.\nFunction Logic The function 
queries the Heartbeat table to extract the most recent Azure Monitor Agent telemetry per resource:\nFilters for Category == \u0026ldquo;Azure Monitor Agent\u0026rdquo; Uses summarize arg_max(TimeGenerated, *) to get the latest heartbeat per _ResourceId Returns distinct records showing Computer name, AMA Version, OS Name, Environment, and Resource ID Security Impact This function enables proactive monitoring of AMA deployment health and version compliance. SOC teams can identify outdated agents that may have security vulnerabilities or missing log collection capabilities. Regular execution helps ensure consistent data ingestion quality across the environment.\nAffected Files Functions/AMAVersionReport.txt ","permalink":"http://sentinelchangelog.net/posts/2026-03-06-pr-13743/","summary":"New KQL function enables SOC teams to audit Azure Monitor Agent versions across their Sentinel deployment for maintenance and security compliance tracking.","title":"AMA Version Tracking: New Function for Azure Monitor Agent Deployment Management"},{"content":"What Changed The \u0026ldquo;Orphaned AI Agents\u0026rdquo; hunting query was updated to reference AccountUpn instead of AccountUPN in the IdentityInfo table distinct operation.\nDetection Logic The query identifies AI agents that may be orphaned by correlating:\nEnabled user accounts from IdentityInfo table (IsAccountEnabled == 1) AI agent information from AIAgentsInfo table with non-deleted status Entity mapping includes AI agent name to hostname for investigation workflow The core logic joins these datasets to surface AI agents potentially lacking proper account association or oversight.\nSecurity Impact Per PR discussion: The original query was failing KQL validation due to case-sensitive field name mismatch. 
Deployments running the broken version would have had zero results from this hunting query, creating a blind spot for detecting orphaned AI agents that could represent unauthorized automation or compromised service accounts.\nThis fix restores the ability to identify AI agents operating without proper account linkage, which is critical for maintaining visibility into automated systems and preventing unauthorized AI agent deployment.\nAffected Files Hunting Queries/AI Agents/OrphanedAIAgents.yaml ","permalink":"http://sentinelchangelog.net/posts/2026-03-06-pr-13740/","summary":"Fixed IdentityInfo field reference from AccountUPN to AccountUpn to resolve KQL validation failure and restore query functionality.","title":"AI Agents Hunting Query: Schema Field Case Correction Enables Query Execution"},{"content":"What Changed The Dataminr Pulse connector\u0026rsquo;s Function App configuration has been updated to use Azure Functions extension bundle v4.x instead of the deprecated v3.x version.\nSecurity Impact (Visibility \u0026amp; Fidelity) Deployments attempting to install or update the Dataminr Pulse connector using the v3.x extension bundle would encounter deployment failures due to Microsoft\u0026rsquo;s deprecation of that bundle version. 
This represents a deployment-level blind spot where organizations would be unable to establish threat intelligence ingestion from Dataminr\u0026rsquo;s real-time alert feed.\nThe upgrade ensures the connector can be successfully deployed and maintained, preserving access to Dataminr\u0026rsquo;s threat intelligence data which covers emerging security events and potential threats across multiple domains.\nAffected Files Solutions/Dataminr Pulse/Data Connectors/DataminrPulseAlerts/host.json (packaging artefacts: DataminrPulseAlertsUpdated.zip) ","permalink":"http://sentinelchangelog.net/posts/2026-03-06-pr-13725/","summary":"Function App extension bundle upgraded from deprecated v3 to v4 to restore connector deployment capability.","title":"Dataminr Pulse Connector: Extension Bundle Updated to Prevent Deployment Failures"},{"content":"What Changed TacitRed CrowdStrike v3.0.2 fixes a region-specific authentication failure in the IOC automation playbook. The CrowdStrike_BaseUrl parameter was hardcoded to https://api.us-2.crowdstrike.com, causing deployment failures for customers on other CrowdStrike regions.\nSecurity Impact (Visibility \u0026amp; Fidelity) Deployments from customers on US-1 (https://api.crowdstrike.com) or EU-1 (https://api.eu-1.crowdstrike.com) regions experienced complete authentication failures when using the default configuration. 
The playbook would fail to connect to CrowdStrike Falcon APIs, resulting in zero IOC synchronization between TacitRed threat intelligence and CrowdStrike.\nPer PR description: Customers on US-1 or EU-1 who deploy without changing the default get authentication failures — this confirms the hardcoded US-2 endpoint was incompatible with other CrowdStrike regions.\nFix Details Cleared CrowdStrike_BaseUrl defaultValue to empty string — customers must now specify their regional API URL during deployment Added regional URL guidance to parameter description referencing CrowdStrike Falcon → Support → API Clients \u0026amp; Keys Updated deployment template to include all three CrowdStrike regional endpoints: US-1: https://api.crowdstrike.com (most common) US-2: https://api.us-2.crowdstrike.com EU-1: https://api.eu-1.crowdstrike.com Organizations using this solution should upgrade to v3.0.2 and verify their regional CrowdStrike API endpoint is correctly configured.\nAffected Files (packaging artefacts: 3.0.2.zip, ReleaseNotes.md, Solution_TacitRedCrowdStrikeAutomation.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-06-pr-13729/","summary":"Fixed hardcoded CrowdStrike API URL default causing authentication failures for customers in US-1 and EU-1 regions.","title":"TacitRed CrowdStrike Playbook: Authentication Fix for Multi-Region API Endpoints"},{"content":"What Changed TacitRed SentinelOne v3.0.3 fixes a critical API integration failure in the IOC automation playbook. The Post_IOC_to_SentinelOne HTTP action was missing the required filter.accountIds field, causing the SentinelOne /web/api/v2.1/threat-intelligence/iocs endpoint to return HTTP 500 errors on every playbook execution.\nSecurity Impact (Visibility \u0026amp; Fidelity) Deployments running any version prior to 3.0.3 have had complete IOC automation failure since installation. 
The playbook appeared to execute successfully in Microsoft Sentinel but failed silently at the SentinelOne API level — zero threat indicators were actually ingested into SentinelOne for automated threat response.\nPer PR testing: Without accountIds: HTTP 500 vs With accountIds: HTTP 200 — this confirms the API requirement was enforced server-side and all prior versions were non-functional.\nFix Details Added filter: { accountIds: [parameters SentinelOne_AccountId] } to POST request body Added SentinelOne_AccountId parameter to deployment template Testing confirmed TacitRed IOCs now successfully ingest into SentinelOne after the fix Organizations using this solution should upgrade immediately to restore IOC automation functionality.\nAffected Files (packaging artefacts: 3.0.3.zip, ReleaseNotes.md, Solution_TacitRedSentinelOneAutomation.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-06-pr-13728/","summary":"Fixed broken TacitRed playbook that was failing with HTTP 500 errors when posting IOCs to SentinelOne due to missing account scope parameter.","title":"TacitRed SentinelOne Playbook: Critical API Fix Restores IOC Automation After HTTP 500 Failures"},{"content":"What Changed Microsoft Sentinel Content Hub now includes a new solution for TheHive security incident response platform. This adds native data ingestion capability for TheHive cases, tasks, and alerts through a CCF-based connector.\nData Source TheHive is an open-source security incident response platform designed for Security Operations Centers (SOCs). 
The connector ingests:\nCases: Security incidents with severity, TLP markings, and assignment tracking Alerts: Security events and indicators requiring investigation Tasks: Investigation activities and response actions within cases Ingestion Mechanism CCF-based ingestion via REST API polling:\nPopulates custom table: TheHiveData_CL Authentication: Bearer token (API key from TheHive user profile) Query mechanism: TheHive native query API (/api/v1/query) with time-based filtering Data freshness: 5-minute polling window for updated/created objects Detection Surface Unlocked This connector enables correlation between TheHive case management and Sentinel telemetry:\nCase lifecycle tracking: Monitor incident response progression through stages Response time analysis: Track timeToDetect and case resolution metrics Assignment visibility: Correlate analyst workload and case ownership TLP enforcement: Honor Traffic Light Protocol markings in automated workflows Key fields for detection engineering:\nObjectType: Distinguishes Cases, Alerts, Tasks for targeted analytics Severity/SeverityLabel: Case priority alignment with Sentinel incident severity Tags: TheHive case tags available for filtering and correlation ObservableCount: Indicator volume per case for threat hunting pivots Pipeline Enhancement Additionally includes tooling updates to support JSON-format parsers alongside YAML (previously YAML-only), expanding solution packaging capabilities for future connectors.\nAffected Files .github/actions/entrypoint.ps1 .script/tests/KqlvalidationsTests/KqlValidationTests.cs Solutions/TheHive/Data Connectors/CCF/ConnectorDefinition.json Solutions/TheHive/Data Connectors/CCF/DCR.json Solutions/TheHive/Data Connectors/CCF/PollingConfig.json Solutions/TheHive/Data Connectors/CCF/table_TheHiveData.json Solutions/TheHive/Data/system_generated_metadata.json Solutions/TheHive/Package/testParameters.json Solutions/TheHive/Parsers/parser_TheHiveDataAliasFunction.json 
Tools/Create-Azure-Sentinel-Solution/V3/createSolutionV3.ps1 Tools/Create-Azure-Sentinel-Solution/common/commonFunctions.ps1 (packaging artefacts: 3.0.1.zip, Solution_TheHive.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-05-pr-13756/","summary":"Microsoft Sentinel gains native ingestion from TheHive security incident response platform via CCF connector, enabling case management visibility and response workflow correlation.","title":"TheHive Incident Response: New CCF Connector for SOAR Platform Integration"},{"content":"What Changed Updated Cyera DSPM solution to v3.0.4, addressing critical DCR transformation failures that prevented data collection into Microsoft Sentinel. The fix removes unsupported KQL functions from the Data Collection Rule transform query and enhances ASIM schema compliance for the CyeraAssets_MS_CL table.\nSecurity Impact (Visibility \u0026amp; Fidelity) Deployments running the previous version experienced complete ingestion failure for the CyeraAssets_MS_CL stream due to DCR InvalidTransformQuery errors. 
The transform KQL contained functions not supported in DCR context (coalesce(), todynamic(), mv_apply operator), causing the connector to fail at deployment — zero asset data was ingested by affected deployments.\nThis represents a significant blind spot for Data Security Posture Management: organizations lost visibility into cloud asset discovery, classification status, data risks, and ownership mapping across their multi-cloud environment.\nTechnical Details Fixed DCR Transform: Removed unsupported functions from Custom-CyeraAssets_MS_CL stream transformation Replaced coalesce() with iif() pattern Eliminated todynamic() usage in favor of native dynamic field handling Simplified AssetOwner field processing without mv_apply ASIM Schema Compliance: All 18 required ASIM fields now properly populated in CyeraAssets_MS_CL table Enhanced Authentication: Azure Functions connector updated to use ManagedIdentityCredential instead of DefaultAzureCredential for improved security posture API Consistency: Added User-Agent headers across all poller configurations for better request tracking The fix ensures data flows correctly to all 5 custom tables: CyeraAssets_MS_CL, CyeraDataStores_CL, CyeraLabels_CL, CyeraClassifications_CL, and CyeraUsers_CL.\nAffected Files Logos/cyera_logo.svg Solutions/CyeraDSPM/CHANGELOG.md Solutions/CyeraDSPM/Data Connectors/CyeraDSPM_CCF/CyeraDSPMLogs_ConnectorDefinitionCCF.json Solutions/CyeraDSPM/Data Connectors/CyeraDSPM_CCF/CyeraDSPMLogs_DataConnectorPoller.json Solutions/CyeraDSPM/Data Connectors/CyeraDSPM_CCF/CyeraDSPM_DCR.json Solutions/CyeraDSPM/Data Connectors/CyeraDSPM_CCF/CyeraDSPM_Table.json Solutions/CyeraDSPM/Data Connectors/CyeraDSPM_Functions/AzureFunction/CyeraConnector/__init__.py (packaging artefacts: 3.0.0.zip, CyeraConnector.zip, ReleaseNotes.md, SolutionMetadata.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-05-pr-13726/","summary":"Cyera DSPM connector v3.0.4 fixes DCR transformation failures 
that prevented data ingestion, restoring visibility into cloud asset security posture and compliance.","title":"Cyera DSPM Connector: Critical DCR Transform Fix Restores Asset Visibility After KQL Function Errors"},{"content":"What Changed Fixed critical Function App connector bugs in CTM360 HackerView that prevented data ingestion:\nCorrected variable naming typo (\u0026ldquo;statsusss\u0026rdquo; → proper state handling) in backup flag logic Fixed backup condition to properly default to true on first deployment Added automatic file share creation in state_manager.py to prevent ResourceNotFoundError Security Impact (Visibility \u0026amp; Fidelity) Complete threat intelligence blind spot: Deployments running CTM360 HackerView v3.0.2 and earlier had zero data ingestion due to the Function App failing at startup. The backup flag feature contained a typo in the variable name and incorrect conditional logic that caused immediate failure on every execution attempt.\nFirst deployment failure: New deployments could not complete initial setup due to missing file share initialization, resulting in ResourceNotFoundError during the first Function App execution. This prevented any organizations from successfully deploying this threat intelligence connector.\nImpact scope: All CTM360 HackerView deployments were unable to ingest external threat intelligence data covering advanced persistent threats, domain infringement, malware campaigns, and breach credential intelligence. 
This represents a significant detection coverage gap for organizations relying on CTM360 threat feeds.\nData Source Recovery CTM360 HackerView provides external threat intelligence covering:\nAdvanced Persistent Threat (APT) campaigns and indicators Brand protection and domain infringement monitoring Breach credential and compromise card intelligence Malware family tracking and C2 infrastructure Executive impersonation and targeted attack detection Data is ingested to the HackerViewLog_CL table via Function App with 5-minute polling intervals. This fix restores the complete CTM360 threat intelligence pipeline.\nAffected Files .script/tests/KqlvalidationsTests/CustomTables/CBSLog.json .script/tests/KqlvalidationsTests/CustomTables/CBSLog_AzureV2_CL.json .script/tests/KqlvalidationsTests/CustomTables/CBS_BreachedCredentials.json .script/tests/KqlvalidationsTests/CustomTables/CBS_BreachedCredentials_AzureV2_CL.json .script/tests/KqlvalidationsTests/CustomTables/CBS_BreachedCredentials_CL.json .script/tests/KqlvalidationsTests/CustomTables/CBS_CompromisedCards.json .script/tests/KqlvalidationsTests/CustomTables/CBS_CompromisedCards_AzureV2_CL.json .script/tests/KqlvalidationsTests/CustomTables/CBS_CompromisedCards_CL.json .script/tests/KqlvalidationsTests/CustomTables/CBS_DomainInfringement_AzureV2_CL.json .script/tests/KqlvalidationsTests/CustomTables/CBS_DomainInfringement_CL.json .script/tests/KqlvalidationsTests/CustomTables/CBS_Log_CL.json .script/tests/KqlvalidationsTests/CustomTables/CBS_MalwareLogs.json .script/tests/KqlvalidationsTests/CustomTables/CBS_MalwareLogs_AzureV2_CL.json .script/tests/KqlvalidationsTests/CustomTables/CBS_MalwareLogs_CL.json .script/tests/KqlvalidationsTests/CustomTables/CBS_SubdomainInfringement.json .script/tests/KqlvalidationsTests/CustomTables/CBS_SubdomainInfringement_AzureV2_CL.json .script/tests/KqlvalidationsTests/CustomTables/HackerViewLog.json .script/tests/KqlvalidationsTests/CustomTables/HackerViewLog_AzureV2_CL.json 
.script/tests/detectionTemplateSchemaValidation/SkipConnectorIdsValidationsTemplates.json .script/tests/detectionTemplateSchemaValidation/SkipStrcutreValidationsTemplates.json .script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json Solutions/CTM360/Analytic Rules/AutoGeneratedPage.yaml Solutions/CTM360/Analytic Rules/BrandAbuse.yaml Solutions/CTM360/Analytic Rules/BrandImpersonationHIGH.yaml Solutions/CTM360/Analytic Rules/BrandImpersonationINFO.yaml Solutions/CTM360/Analytic Rules/CBSAnyIssueDetected.yaml Solutions/CTM360/Analytic Rules/CodeRepository.yaml Solutions/CTM360/Analytic Rules/CompromisedCards.yaml Solutions/CTM360/Analytic Rules/CookiesHttponlyFlagNotUsed.yaml Solutions/CTM360/Analytic Rules/CookiesSamesiteFlagNotUsed.yaml Solutions/CTM360/Analytic Rules/CookiesSecureFlagNotUsed.yaml Solutions/CTM360/Analytic Rules/DMARCNotConfigured.yaml Solutions/CTM360/Analytic Rules/DomainInfringemen.yaml Solutions/CTM360/Analytic Rules/ExecutiveImpersonation.yaml Solutions/CTM360/Analytic Rules/ExposedAdminLoginPage.yaml Solutions/CTM360/Analytic Rules/ExposedEmailAddress.yaml Solutions/CTM360/Analytic Rules/ExposedUserList.yaml Solutions/CTM360/Analytic Rules/HackerViewAnyIssueDetected.yaml Solutions/CTM360/Analytic Rules/HeaderContentSecurityPolicyMissing.yaml Solutions/CTM360/Analytic Rules/HeaderHTTPStrictTransportSecurityMissing.yaml Solutions/CTM360/Analytic Rules/HeaderReferrerPolicyMissing.yaml Solutions/CTM360/Analytic Rules/HeaderWebServerExposed.yaml Solutions/CTM360/Analytic Rules/HeaderXFrameOptionsMissingInformational.yaml Solutions/CTM360/Analytic Rules/HeaderXFrameOptionsMissingLow.yaml Solutions/CTM360/Analytic Rules/HeaderXFrameOptionsMissingMedium.yaml Solutions/CTM360/Analytic Rules/HeaderXXSSProtectionMissing.yaml Solutions/CTM360/Analytic Rules/LeakedCredential.yaml Solutions/CTM360/Analytic Rules/Phishing.yaml Solutions/CTM360/Analytic Rules/SPFNotConfigured.yaml Solutions/CTM360/Analytic Rules/SPFPolicySetToSoftFail.yaml 
Solutions/CTM360/Analytic Rules/SubdomainInfringement.yaml Solutions/CTM360/Analytic Rules/SubresourceIntegritySRINotImplemented.yaml Solutions/CTM360/Analytic Rules/SuspiciousMobileAppHigh.yaml Solutions/CTM360/Analytic Rules/SuspiciousMobileAppINFO.yaml Solutions/CTM360/Analytic Rules/TLSCertificateHostnameMismatch.yaml Solutions/CTM360/Analytic Rules/TLSCertificateUsingWeakCipherInformational.yaml Solutions/CTM360/Analytic Rules/TLSCertificateUsingWeakCipherMedium.yaml Solutions/CTM360/Analytic Rules/Tlsv11InUseInfo.yaml Solutions/CTM360/Analytic Rules/Tlsv11InUseMedium.yaml Solutions/CTM360/Analytic Rules/Tlsv1InUseLow.yaml Solutions/CTM360/Analytic Rules/Tlsv1InUseMedium.yaml Solutions/CTM360/Analytic Rules/apt_high.yaml Solutions/CTM360/Analytic Rules/apt_informational.yaml Solutions/CTM360/Analytic Rules/apt_low.yaml Solutions/CTM360/Analytic Rules/apt_medium.yaml Solutions/CTM360/Analytic Rules/attack_indication_high.yaml Solutions/CTM360/Analytic Rules/attack_indication_informational.yaml Solutions/CTM360/Analytic Rules/attack_indication_low.yaml Solutions/CTM360/Analytic Rules/attack_indication_medium.yaml Solutions/CTM360/Analytic Rules/auto_generated_page_high.yaml Solutions/CTM360/Analytic Rules/auto_generated_page_informational.yaml Solutions/CTM360/Analytic Rules/auto_generated_page_medium.yaml Solutions/CTM360/Analytic Rules/baiting_news_site_high.yaml Solutions/CTM360/Analytic Rules/baiting_news_site_informational.yaml Solutions/CTM360/Analytic Rules/baiting_news_site_low.yaml Solutions/CTM360/Analytic Rules/baiting_news_site_medium.yaml Solutions/CTM360/Analytic Rules/brand_abuse_high.yaml Solutions/CTM360/Analytic Rules/brand_abuse_informational.yaml Solutions/CTM360/Analytic Rules/brand_abuse_low.yaml Solutions/CTM360/Analytic Rules/brand_abuse_medium.yaml Solutions/CTM360/Analytic Rules/brand_harassment_high.yaml Solutions/CTM360/Analytic Rules/brand_harassment_informational.yaml Solutions/CTM360/Analytic Rules/brand_harassment_low.yaml 
Solutions/CTM360/Analytic Rules/brand_harassment_medium.yaml Solutions/CTM360/Analytic Rules/brand_impersonation_informational.yaml Solutions/CTM360/Analytic Rules/brand_impersonation_medium.yaml Solutions/CTM360/Analytic Rules/breached_credential_high.yaml Solutions/CTM360/Analytic Rules/breached_credential_informational.yaml Solutions/CTM360/Analytic Rules/breached_credential_low.yaml Solutions/CTM360/Analytic Rules/breached_credential_medium.yaml Solutions/CTM360/Analytic Rules/code_repo_high.yaml Solutions/CTM360/Analytic Rules/code_repo_informational.yaml Solutions/CTM360/Analytic Rules/code_repo_low.yaml Solutions/CTM360/Analytic Rules/code_repo_medium.yaml Solutions/CTM360/Analytic Rules/code_repository_high.yaml Solutions/CTM360/Analytic Rules/code_repository_low.yaml Solutions/CTM360/Analytic Rules/code_repository_medium.yaml Solutions/CTM360/Analytic Rules/compromised_cards_high.yaml Solutions/CTM360/Analytic Rules/compromised_cards_informational.yaml Solutions/CTM360/Analytic Rules/compromised_cards_low.yaml Solutions/CTM360/Analytic Rules/compromised_cards_medium.yaml Solutions/CTM360/Analytic Rules/cyber_evil_twin_site_high.yaml Solutions/CTM360/Analytic Rules/cyber_evil_twin_site_informational.yaml Solutions/CTM360/Analytic Rules/cyber_evil_twin_site_low.yaml Solutions/CTM360/Analytic Rules/cyber_evil_twin_site_medium.yaml Solutions/CTM360/Analytic Rules/dark_web_high.yaml Solutions/CTM360/Analytic Rules/dark_web_informational.yaml Solutions/CTM360/Analytic Rules/dark_web_low.yaml Solutions/CTM360/Analytic Rules/dark_web_medium.yaml Solutions/CTM360/Analytic Rules/data_leakage_high.yaml Solutions/CTM360/Analytic Rules/data_leakage_informational.yaml Solutions/CTM360/Analytic Rules/data_leakage_low.yaml Solutions/CTM360/Analytic Rules/data_leakage_medium.yaml Solutions/CTM360/Analytic Rules/digital_content_theft_high.yaml Solutions/CTM360/Analytic Rules/digital_content_theft_informational.yaml Solutions/CTM360/Analytic 
Rules/digital_content_theft_low.yaml Solutions/CTM360/Analytic Rules/digital_content_theft_medium.yaml Solutions/CTM360/Analytic Rules/domain_infringement_high.yaml Solutions/CTM360/Analytic Rules/domain_infringement_informational.yaml Solutions/CTM360/Analytic Rules/domain_infringement_low.yaml Solutions/CTM360/Analytic Rules/domain_infringement_medium.yaml Solutions/CTM360/Analytic Rules/doorway_page_high.yaml Solutions/CTM360/Analytic Rules/doorway_page_informational.yaml Solutions/CTM360/Analytic Rules/doorway_page_low.yaml Solutions/CTM360/Analytic Rules/doorway_page_medium.yaml Solutions/CTM360/Analytic Rules/email_fraud_high.yaml Solutions/CTM360/Analytic Rules/email_fraud_informational.yaml Solutions/CTM360/Analytic Rules/email_fraud_low.yaml Solutions/CTM360/Analytic Rules/email_fraud_medium.yaml Solutions/CTM360/Analytic Rules/employee_credentials_3rd_party_high.yaml Solutions/CTM360/Analytic Rules/employee_credentials_3rd_party_informational.yaml Solutions/CTM360/Analytic Rules/employee_credentials_3rd_party_low.yaml Solutions/CTM360/Analytic Rules/employee_credentials_3rd_party_medium.yaml Solutions/CTM360/Analytic Rules/employee_credentials_internal_high.yaml Solutions/CTM360/Analytic Rules/employee_credentials_internal_informational.yaml Solutions/CTM360/Analytic Rules/employee_credentials_internal_low.yaml Solutions/CTM360/Analytic Rules/employee_credentials_internal_medium.yaml Solutions/CTM360/Analytic Rules/executive_impersonation_high.yaml Solutions/CTM360/Analytic Rules/executive_impersonation_low.yaml Solutions/CTM360/Analytic Rules/executive_impersonation_medium.yaml Solutions/CTM360/Analytic Rules/executive_leaks_high.yaml Solutions/CTM360/Analytic Rules/executive_leaks_informational.yaml Solutions/CTM360/Analytic Rules/executive_leaks_low.yaml Solutions/CTM360/Analytic Rules/executive_leaks_medium.yaml Solutions/CTM360/Analytic Rules/exposed_email_address_informational.yaml Solutions/CTM360/Analytic Rules/exposed_email_address_low.yaml 
Solutions/CTM360/Analytic Rules/exposed_email_address_medium.yaml Solutions/CTM360/Analytic Rules/exposed_misconfiguration_high.yaml Solutions/CTM360/Analytic Rules/exposed_misconfiguration_informational.yaml Solutions/CTM360/Analytic Rules/exposed_misconfiguration_low.yaml Solutions/CTM360/Analytic Rules/exposed_misconfiguration_medium.yaml Solutions/CTM360/Analytic Rules/fake_ad_high.yaml Solutions/CTM360/Analytic Rules/fake_ad_informational.yaml Solutions/CTM360/Analytic Rules/fake_ad_low.yaml Solutions/CTM360/Analytic Rules/fake_ad_medium.yaml Solutions/CTM360/Analytic Rules/hacker_chatter_high.yaml Solutions/CTM360/Analytic Rules/hacker_chatter_informational.yaml Solutions/CTM360/Analytic Rules/hacker_chatter_low.yaml Solutions/CTM360/Analytic Rules/hacker_chatter_medium.yaml Solutions/CTM360/Analytic Rules/inaccurate_content_high.yaml Solutions/CTM360/Analytic Rules/inaccurate_content_informational.yaml Solutions/CTM360/Analytic Rules/inaccurate_content_low.yaml Solutions/CTM360/Analytic Rules/inaccurate_content_medium.yaml Solutions/CTM360/Analytic Rules/leaked_credential_informational.yaml Solutions/CTM360/Analytic Rules/leaked_credential_low.yaml Solutions/CTM360/Analytic Rules/leaked_credential_medium.yaml Solutions/CTM360/Analytic Rules/malicious_domain_high.yaml Solutions/CTM360/Analytic Rules/malicious_domain_informational.yaml Solutions/CTM360/Analytic Rules/malicious_domain_low.yaml Solutions/CTM360/Analytic Rules/malicious_domain_medium.yaml Solutions/CTM360/Analytic Rules/malicious_ip_high.yaml Solutions/CTM360/Analytic Rules/malicious_ip_informational.yaml Solutions/CTM360/Analytic Rules/malicious_ip_low.yaml Solutions/CTM360/Analytic Rules/malicious_ip_medium.yaml Solutions/CTM360/Analytic Rules/malicious_redirector_high.yaml Solutions/CTM360/Analytic Rules/malicious_redirector_informational.yaml Solutions/CTM360/Analytic Rules/malicious_redirector_low.yaml Solutions/CTM360/Analytic Rules/malicious_redirector_medium.yaml Solutions/CTM360/Analytic 
Rules/malware_high.yaml Solutions/CTM360/Analytic Rules/malware_informational.yaml Solutions/CTM360/Analytic Rules/malware_low.yaml Solutions/CTM360/Analytic Rules/malware_medium.yaml Solutions/CTM360/Analytic Rules/money_mule_account_high.yaml Solutions/CTM360/Analytic Rules/money_mule_account_informational.yaml Solutions/CTM360/Analytic Rules/money_mule_account_low.yaml Solutions/CTM360/Analytic Rules/money_mule_account_medium.yaml Solutions/CTM360/Analytic Rules/pharming_high.yaml Solutions/CTM360/Analytic Rules/pharming_informational.yaml Solutions/CTM360/Analytic Rules/pharming_low.yaml Solutions/CTM360/Analytic Rules/pharming_medium.yaml Solutions/CTM360/Analytic Rules/phish_redirector_high.yaml Solutions/CTM360/Analytic Rules/phish_redirector_informational.yaml Solutions/CTM360/Analytic Rules/phish_redirector_low.yaml Solutions/CTM360/Analytic Rules/phish_redirector_medium.yaml Solutions/CTM360/Analytic Rules/phishing_informational.yaml Solutions/CTM360/Analytic Rules/phishing_low.yaml Solutions/CTM360/Analytic Rules/phishing_medium.yaml Solutions/CTM360/Analytic Rules/ransomware_high.yaml Solutions/CTM360/Analytic Rules/ransomware_informational.yaml Solutions/CTM360/Analytic Rules/ransomware_low.yaml Solutions/CTM360/Analytic Rules/ransomware_medium.yaml Solutions/CTM360/Analytic Rules/se_vulnerability_high.yaml Solutions/CTM360/Analytic Rules/se_vulnerability_informational.yaml Solutions/CTM360/Analytic Rules/se_vulnerability_low.yaml Solutions/CTM360/Analytic Rules/se_vulnerability_medium.yaml Solutions/CTM360/Analytic Rules/smshing_high.yaml Solutions/CTM360/Analytic Rules/smshing_informational.yaml Solutions/CTM360/Analytic Rules/smshing_low.yaml Solutions/CTM360/Analytic Rules/smshing_medium.yaml Solutions/CTM360/Analytic Rules/spam_high.yaml Solutions/CTM360/Analytic Rules/spam_informational.yaml Solutions/CTM360/Analytic Rules/spam_low.yaml Solutions/CTM360/Analytic Rules/spam_medium.yaml Solutions/CTM360/Analytic 
Rules/subdomain_infringement_high.yaml Solutions/CTM360/Analytic Rules/subdomain_infringement_informational.yaml Solutions/CTM360/Analytic Rules/subdomain_infringement_low.yaml Solutions/CTM360/Analytic Rules/subdomain_infringement_medium.yaml Solutions/CTM360/Analytic Rules/survey_scam_high.yaml Solutions/CTM360/Analytic Rules/survey_scam_informational.yaml Solutions/CTM360/Analytic Rules/survey_scam_low.yaml Solutions/CTM360/Analytic Rules/survey_scam_medium.yaml Solutions/CTM360/Analytic Rules/suspicious_documents_high.yaml Solutions/CTM360/Analytic Rules/suspicious_documents_informational.yaml Solutions/CTM360/Analytic Rules/suspicious_documents_low.yaml Solutions/CTM360/Analytic Rules/suspicious_documents_medium.yaml Solutions/CTM360/Analytic Rules/suspicious_email_high.yaml Solutions/CTM360/Analytic Rules/suspicious_email_informational.yaml Solutions/CTM360/Analytic Rules/suspicious_email_low.yaml Solutions/CTM360/Analytic Rules/suspicious_email_medium.yaml Solutions/CTM360/Analytic Rules/suspicious_mobile_app_low.yaml Solutions/CTM360/Analytic Rules/suspicious_mobile_app_medium.yaml Solutions/CTM360/Analytic Rules/targeted_malware_high.yaml Solutions/CTM360/Analytic Rules/targeted_malware_informational.yaml Solutions/CTM360/Analytic Rules/targeted_malware_low.yaml Solutions/CTM360/Analytic Rules/targeted_malware_medium.yaml Solutions/CTM360/Analytic Rules/trap_10_high.yaml Solutions/CTM360/Analytic Rules/trap_10_informational.yaml Solutions/CTM360/Analytic Rules/trap_10_low.yaml Solutions/CTM360/Analytic Rules/trap_10_medium.yaml Solutions/CTM360/Analytic Rules/unauthorized_association_high.yaml Solutions/CTM360/Analytic Rules/unauthorized_association_informational.yaml Solutions/CTM360/Analytic Rules/unauthorized_association_low.yaml Solutions/CTM360/Analytic Rules/unauthorized_association_medium.yaml Solutions/CTM360/Analytic Rules/unauthorized_job_posting_high.yaml Solutions/CTM360/Analytic Rules/unauthorized_job_posting_informational.yaml 
Solutions/CTM360/Analytic Rules/unauthorized_job_posting_low.yaml Solutions/CTM360/Analytic Rules/unauthorized_job_posting_medium.yaml Solutions/CTM360/Analytic Rules/user_credentials_mobile_app_high.yaml Solutions/CTM360/Analytic Rules/user_credentials_mobile_app_informational.yaml Solutions/CTM360/Analytic Rules/user_credentials_mobile_app_low.yaml Solutions/CTM360/Analytic Rules/user_credentials_mobile_app_medium.yaml Solutions/CTM360/Analytic Rules/user_credentials_web_app_high.yaml Solutions/CTM360/Analytic Rules/user_credentials_web_app_informational.yaml Solutions/CTM360/Analytic Rules/user_credentials_web_app_low.yaml Solutions/CTM360/Analytic Rules/user_credentials_web_app_medium.yaml Solutions/CTM360/Analytic Rules/vip_credential_high.yaml Solutions/CTM360/Analytic Rules/vip_credential_informational.yaml Solutions/CTM360/Analytic Rules/vip_credential_low.yaml Solutions/CTM360/Analytic Rules/vip_credential_medium.yaml Solutions/CTM360/Analytic Rules/vishing_high.yaml Solutions/CTM360/Analytic Rules/vishing_informational.yaml Solutions/CTM360/Analytic Rules/vishing_low.yaml Solutions/CTM360/Analytic Rules/vishing_medium.yaml Solutions/CTM360/Data Connectors/CCF/CBS/CTM360_CBS_ConnectorDefinition.json Solutions/CTM360/Data Connectors/CCF/CBS/CTM360_CBS_DCR.json Solutions/CTM360/Data Connectors/CCF/CBS/CTM360_CBS_PollingConfig.json Solutions/CTM360/Data Connectors/CCF/CBS/CTM360_CBS_TablesV2.json Solutions/CTM360/Data Connectors/CCF/HackerView/CTM360_HV_ConnectorDefinition.json Solutions/CTM360/Data Connectors/CCF/HackerView/CTM360_HV_DCR.json Solutions/CTM360/Data Connectors/CCF/HackerView/CTM360_HV_PollingConfig.json Solutions/CTM360/Data Connectors/CCF/HackerView/CTM360_HV_TablesV2.json Solutions/CTM360/Data/CTM360.json Solutions/CTM360/Package/testParameters.json Solutions/CTM360/Parsers/CBSLog_Parser.yaml Solutions/CTM360/Parsers/CBS_BreachedCredentials_Parser.yaml Solutions/CTM360/Parsers/CBS_CompromisedCards_Parser.yaml 
Solutions/CTM360/Parsers/CBS_DomainInfringement_Parser.yaml Solutions/CTM360/Parsers/CBS_MalwareLogs_Parser.yaml Solutions/CTM360/Parsers/CBS_SubdomainInfringement_Parser.yaml Solutions/CTM360/Parsers/HackerViewLog_Parser.yaml (packaging artefacts: 3.0.3.zip, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-05-pr-13423/","summary":"CTM360 HackerView Function App connector was completely broken due to backup flag logic errors, preventing all threat intelligence ingestion until this fix.","title":"CTM360 HackerView: Connector Ingestion Restored After Complete Deployment Failure"},{"content":"What Changed The WithSecure Elements Function App connector deployment template was updated to specify Python 3.12 as the runtime version, changing from the previous Python 3.10 specification in the Azure Function App configuration.\nSecurity Impact (Visibility \u0026amp; Fidelity) This is a runtime environment alignment update with no direct security impact on data ingestion or detection capabilities. 
The change ensures the deployment template matches the Python version used in the actual function code, maintaining consistency between the runtime environment and application dependencies.\nNo impact on existing deployments using Python 3.10 — this change only affects new connector deployments or infrastructure-as-code redeployments using the updated template.\nAffected Files Solutions/WithSecureElementsViaFunction/Data Connectors/azuredeploy_Connector_WithSecureElements_AzureFunction.json ","permalink":"http://sentinelchangelog.net/posts/2026-03-05-pr-13708/","summary":"WithSecure Elements Function App connector upgraded from Python 3.10 to 3.12 to align with updated function code.","title":"WithSecure Elements Connector: Python Runtime Upgrade to 3.12"},{"content":"What Changed The Incident-Trigger-Entity-Analyzer playbook in the SentinelSOARessentials solution received significant enhancements to improve user entity resolution reliability. The update addresses a critical gap where the playbook previously only used AadUserId for user identification, causing silent failures when incidents contained user entities with different identifier formats.\nSecurity Impact (Visibility \u0026amp; Fidelity) Previous Gap: Deployments using the earlier version experienced silent failures in user entity analysis when incident entities provided user identifiers in formats other than AadUserId (objectGuid, UPN variations, Name+UPNSuffix combinations). 
This resulted in incomplete incident enrichment and missed security intelligence for affected user entities.\nResolution: The updated logic now implements a robust fallback mechanism using coalesce() across multiple identifier types:\nobjectGuid aadUserId UPN (both case variations) Name+UPNSuffix combinations When no valid user identifier is found, the playbook now adds an explicit skip comment to the incident, providing visibility into entities that could not be analyzed rather than failing silently.\nOperational Changes Metadata Updates: Extended description clarifies intelligent user identifier detection capabilities Logic App Tagging: Added Sentinel template metadata for improved deployment tracking Error Handling: Explicit skip comments when user identification fails API Standardization: Consistent lowercase azuresentinel connection naming Affected Files Solutions/SentinelSOARessentials/Playbooks/Incident-Trigger-Entity-Analyzer/azuredeploy.json (packaging artefacts: 3.0.8.zip, Solution_SentinelSOAREssentials.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-05-pr-13614/","summary":"Incident-Trigger-Entity-Analyzer playbook upgraded with intelligent user identifier detection, resolving silent failures when entities lack AadUserId.","title":"Microsoft Sentinel SOAR Playbook: Enhanced User Entity Resolution Prevents Silent Failures"},{"content":"What Changed Rapid7InsightVM solution updated from version 3.1.1 to 3.2.0 with the addition of a new Codeless Connector Framework (CCF) data connector. 
The solution now provides dual ingestion paths: the existing Azure Function App connector and the new CCF connector for organizations preferring cloud-native data collection architecture.\nNew Data Connector: CCF Implementation The new CCF connector (Rapid7InsightVM_CCP/) implements DCR-based ingestion for:\nCustom Tables: Rapid7InsightVMCloudAssets and Rapid7InsightVMCloudVulnerabilities API Endpoints: Assets (/asset/search) and Vulnerabilities (/vulnerability/search) Authentication: API Key-based with regional endpoint support (us, eu, etc.) Ingestion Method: REST API polling via DCE/DCR pipeline instead of Function App Parser Enhancement: Unified Data Handling Updated parsers (v2.0.0) now support both data sources via union isfuzzy=true:\nInsightVMAssets: Combines NexposeInsightVMCloud_assets_CL (Function App) with Rapid7InsightVMCloudAssets (CCF) InsightVMVulnerabilities: Unifies NexposeInsightVMCloud_vulnerabilities_CL with Rapid7InsightVMCloudVulnerabilities Field mappings are normalized across both ingestion paths, ensuring consistent detection compatibility regardless of connector choice. Because the union is declared isfuzzy=true, each parser still runs when only one of its two source tables exists in the workspace, so a single-connector deployment is not broken by the absent table.\nDeployment Impact Organizations can choose their preferred ingestion method:\nFunction App: For environments with existing Function App management processes CCF: For simplified deployment without custom code requirements Both connectors populate the same normalized fields via updated parsers — existing detections and queries remain compatible.\nAffected Files .script/tests/KqlvalidationsTests/CustomTables/Rapid7InsightVMCloudAssets.json .script/tests/KqlvalidationsTests/CustomTables/Rapid7InsightVMCloudVulnerabilities.json Solutions/Rapid7InsightVM/Data Connectors/Rapid7InsightVM_CCP/Rapid7InsightVM_ConnectorDefinition.json Solutions/Rapid7InsightVM/Data Connectors/Rapid7InsightVM_CCP/Rapid7InsightVM_DCR.json Solutions/Rapid7InsightVM/Data Connectors/Rapid7InsightVM_CCP/Rapid7InsightVM_PollingConfig.json Solutions/Rapid7InsightVM/Package/testParameters.json 
Solutions/Rapid7InsightVM/Parsers/InsightVMAssets.yaml Solutions/Rapid7InsightVM/Parsers/InsightVMVulnerabilities.yaml Tools/Create-Azure-Sentinel-Solution/common/standardLogStreams.ps1 (packaging artefacts: 3.2.0.zip, Solution_InsightVMCloudAPI.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-03-pr-13625/","summary":"Rapid7InsightVM solution adds CCF-based data connector for cloud-native ingestion alongside legacy Function App connector, enhancing deployment flexibility for vulnerability management visibility.","title":"Rapid7 InsightVM: New CCF Connector Expands Vulnerability Management Data Ingestion Options"},{"content":"Affected Files (packaging artefacts: 3.0.2.zip, ReleaseNotes.md, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-03-pr-13704/","summary":"Microsoft updated the SavedSearches API version in the Versasec CMS solution packaging.","title":"Versasec CMS: Microsoft API Version Update for SavedSearches"},{"content":"What Changed Solution Analyzer toolset upgraded to v9.0 with significant enhancements to table schema discovery, documentation source prioritization, and solution dependency mapping.\nTable Schema Discovery System New comprehensive column schema collection from three primary sources:\nDCR definitions: Stream declarations from CCP/CCF connector DCR.json files extracting column names, types, stream configurations, and transform KQL Azure Monitor documentation: Rendered learn.microsoft.com table reference pages providing column names, types, and descriptions KQL validation schemas: CI test table definitions for tables not covered by other sources Produces two new CSV outputs: la_table_schemas.csv (documentation schemas) and table_schemas.csv (unified schemas with 77,457+ column definitions across all discovered tables).\nDocumentation Source Prioritization Tables index now displays single primary discovery source using hierarchical priority: Connector 
\u0026gt; Content \u0026gt; Docs \u0026gt; Schema. This replaces previous multi-source listing with cleaner categorization:\nConnector: Tables from solution data connectors Content: Tables from standalone detection/hunting content Docs: Unified category for all documentation sources (Azure Monitor, Defender XDR, Sentinel Tables, Feature Support, Ingestion API) Schema: Tables discovered only via schema files Enhanced Table Documentation Individual table pages gain new Schema section displaying column definitions (name, type, description, source) with clickable attribution links. Tables with schema information marked with book icon in the index for quick identification.\nSolution Dependencies Tracking New solution_dependencies.csv maps explicit dependencies (from dependentDomainSolutionIds) and optional ASIM-based dependencies. Solution pages show dependency relationships with connector and table mappings from dependent solutions.\nStatistics Improvements Statistics page restructured with detailed discovery breakdowns: primary discovery source counts, individual documentation source breakdowns, and schema source attribution (Azure Monitor docs, DCR, KQL validation).\nAffected Files Tools/Solutions Analyzer/README.md Tools/Solutions Analyzer/collect_table_info.py Tools/Solutions Analyzer/content_tables_mapping.csv Tools/Solutions Analyzer/generate_connector_docs.py Tools/Solutions Analyzer/la_table_schemas.csv Tools/Solutions Analyzer/map_solutions_connectors_tables.py Tools/Solutions Analyzer/script-docs/collect_table_info.md Tools/Solutions Analyzer/script-docs/generate_connector_docs.md Tools/Solutions Analyzer/script-docs/map_solutions_connectors_tables.md Tools/Solutions Analyzer/solution_dependencies.csv Tools/Solutions Analyzer/table_schemas.csv Tools/Solutions Analyzer/upload_to_kusto.py ","permalink":"http://sentinelchangelog.net/posts/2026-03-03-pr-13707/","summary":"Major enhancement adds comprehensive table schema extraction from DCR configs and Azure 
Monitor docs, plus improved discovery source hierarchy for better data source visibility.","title":"Solution Analyzer v9.0: Enhanced Table Schema Discovery and Documentation Source Prioritization"},{"content":"What Changed Open Systems Data Connector ARM template (azureDeploy-OpenSystems-DataConnector.json) adds configurable consumer thread parameters for all six log stream types: Secure Web Gateway, Identity, Firewall, Zero Trust Network Access, Secure Email Gateway, and Intrusion Detection System.\nConnector Configuration Enhancement The ARM template now exposes consumer_threads parameters for each Kafka consumer, replacing hardcoded single-threaded processing. Key changes:\nNew parameters: proxyConsumerThreads, identityConsumerThreads, firewallConsumerThreads, ztnaConsumerThreads, secureE-MailGatewayConsumerThreads, intrusionDetectionSystemConsumerThreads (all default to 1) Logstash configuration: Each Kafka input block gains consumer_threads and enable_auto_commit =\u0026gt; false Parameter reorganization: Moved authentication and location parameters to logical grouping at template top Data Ingestion Impact Previously, all Open Systems log streams used single-threaded Kafka consumers, creating potential throughput bottlenecks in high-volume environments. 
This change enables administrators to scale consumer threads per log type based on actual data volumes — critical for deployments with heavy proxy traffic or high authentication event rates. Threads beyond the partition count of the underlying Kafka topic sit idle, so the useful ceiling for each parameter is that topic\u0026rsquo;s partition count.\nThe change maintains backward compatibility with default single-threaded operation while allowing performance tuning for production deployments experiencing ingestion lag.\nAffected Files Solutions/Open Systems/DataConnectors/azureDeploy-OpenSystems-DataConnector.json ","permalink":"http://sentinelchangelog.net/posts/2026-03-03-pr-13289/","summary":"ARM template gains configurable consumer threads for each log type to address Logstash performance bottlenecks in high-volume deployments.","title":"Open Systems Connector: Enhanced Kafka Consumer Thread Configuration for Scalability"},{"content":"What Changed CyberArk Audit solution adds a new Codeless Connector Framework (CCF) data connector as an alternative to the existing Azure Functions-based connector. The CCF implementation uses OAuth2 authentication with CyberArk Identity Administration and ingests audit events via REST API polling through the Custom-CyberArk_AuditEvents_CL DCR stream.\nIngestion Mechanism CCF-based polling: Replaces Azure Functions dependency with native Sentinel CCF framework OAuth2 authentication: Uses client credentials flow with CyberArk Identity Administration Custom DCR: Streams to Custom-CyberArk_AuditEvents_CL via transformKql normalization API polling: 5-minute query windows with 10 QPS rate limiting and configurable field filtering Security Impact (Visibility \u0026amp; Fidelity) This connector alternative provides the same audit visibility as the Function App version but removes the Function App deployment and management overhead. The DCR schema captures comprehensive audit fields including privileged access events (safe operations, account access), cloud workspaces/roles, and custom data for correlation. 
No data fidelity changes — existing detections remain compatible with the same table structure.\nDetection Surface Unlocked Maintains existing detection coverage for:\nPrivileged credential access monitoring via accountId, safe, and targetAccount fields Multi-cloud identity tracking through cloudProvider and cloudIdentities Session correlation using sessionId and correlationId Access method analysis for different authentication mechanisms Affected Files Solutions/CyberArkAudit/Analytics Rules/CyberArkAuditHighRiskActions.yaml Solutions/CyberArkAudit/Analytics Rules/CyberArkAuditMultiFailedAndSuccess.yaml Solutions/CyberArkAudit/Analytics Rules/CyberArkAuditSensitiveChanges.yaml Solutions/CyberArkAudit/Data Connectors/CyberArkAuditConnector/audit.py Solutions/CyberArkAudit/Data Connectors/CyberArkAudit_CCP/CyberArkAudit_DCR.json Solutions/CyberArkAudit/Data Connectors/CyberArkAudit_CCP/CyberArkAudit_DataConnectorDefinition.json Solutions/CyberArkAudit/Data Connectors/CyberArkAudit_CCP/CyberArkAudit_PollingConfig.json Solutions/CyberArkAudit/Data Connectors/CyberArkAudit_CCP/CyberArkAudit_Tables.json Solutions/CyberArkAudit/Data Connectors/azuredeploy_CyberArkAudit_MainTemplate.json Solutions/CyberArkAudit/Package/testParameters.json (packaging artefacts: 3.1.0.zip, ReleaseNotes.md, Solution_CyberArkAudit.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-03-pr-13473/","summary":"CyberArk adds CCF-based connector to eliminate Azure Functions dependency for audit data ingestion.","title":"CyberArk Audit: New CCF Connector Alternative Replaces Function App Dependency"},{"content":"What Changed Microsoft introduced a new Trellix solution providing comprehensive endpoint security visibility through the Codeless Connector Framework (CCF). 
The solution includes a CCF-based data connector and normalizing parser for ingesting security events from Trellix ePO (ePolicy Orchestrator).\nData Source Product: Trellix Endpoint Security via ePO (ePolicy Orchestrator) API Endpoint: /epo/v2/events with OAuth2 client credentials authentication Data Volume: Configurable pagination with 1000-event pages, 30-minute query windows Ingestion Mechanism Framework: CCF (Codeless Connector Framework) with DCR-based ingestion Authentication: OAuth2 client credentials with API key header authentication Target Tables: TrellixEvents_CL (custom logs) and SentinelTrellixEvents (normalized) Rate Limiting: 3 queries per second with automatic pagination handling Detection Surface Unlocked The connector ingests comprehensive endpoint security telemetry including:\nThreat Intelligence: Threat category, severity, type, and response actions Endpoint Context: Agent details, analyzer versions, and detection methods Network Artifacts: Source/target IP addresses (IPv4/IPv6), hostnames, MAC addresses, protocols, and ports Process Artifacts: Process names, file paths, and file hashes User Context: Source and target usernames for attribution Temporal Data: Detection timestamps, receipt times, and event correlation IDs Security Impact This solution addresses an endpoint visibility gap by providing:\nMalware Detection Events: Threat detection and response status, delivered with the latency of the 30-minute polling window rather than in real time Lateral Movement Tracking: Network communications between endpoints via source/target mapping Process Monitoring: Executable analysis and behavioral detection coverage Threat Response Validation: Confirmation of security actions taken by Trellix agents The normalized parser (TrellixEvents) creates a unified view across both legacy (TrellixEvents_CL) and current table schemas, ensuring detection compatibility during migrations.\nAffected Files .script/tests/KqlvalidationsTests/CustomTables/SentinelTrellixEvents.json 
.script/tests/KqlvalidationsTests/CustomTables/TrellixEvents_CL.json Solutions/Trellix/Data Connectors/Trellix_CCF/TrellixEvents_Table.json Solutions/Trellix/Data Connectors/Trellix_CCF/Trellix_DCR.json Solutions/Trellix/Data Connectors/Trellix_CCF/Trellix_DataConnectorDefinition.json Solutions/Trellix/Data Connectors/Trellix_CCF/Trellix_PollingConfig.json Solutions/Trellix/Package/testParameters.json Solutions/Trellix/Parsers/TrellixEvents.yaml (packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_Trellix.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-02-pr-13706/","summary":"New solution delivers Trellix ePO endpoint security events via CCF with OAuth2 authentication and comprehensive threat intelligence data.","title":"New Trellix Endpoint Security: CCF Connector Unlocks ePO Threat Visibility in Sentinel"},{"content":"What Changed TacitRed-SentinelOne v3.0.2 fixes a critical bug present since v1.0.0: the SentinelOne_BaseUrl parameter had a hardcoded defaultValue of https://usea1-001.sentinelone.net, which is a non-existent placeholder URL.\nSecurity Impact (Visibility \u0026amp; Fidelity) This was a complete connector failure scenario. Any customer deploying the TacitRed-SentinelOne solution from Content Hub without explicitly changing the BaseUrl parameter would experience:\nConnection timeout on every playbook run Post IOC to SentinelOne step fails with host unreachable error Zero threat intelligence indicators pushed to SentinelOne for automated response Complete loss of IOC automation capability Per PR discussion: curl https://usea1-001.sentinelone.net reports HTTP code 000 (curl\u0026rsquo;s placeholder value when no connection is established, meaning nothing answers at this hostname), confirming the URL never pointed at a live console. Real console hostnames following the same pattern (usea1-021, usea1-022, usea1-050) return HTTP 200.\nTechnical Details Root cause: The hardcoded defaultValue was set from the initial commit (Dec 8, 2025) and persisted through all subsequent versions. 
Every SentinelOne customer receives their own unique management console subdomain at sign-up — the hardcoded usea1-001 subdomain was never a valid endpoint.\nChanges made:\nmainTemplate.json: Cleared defaultValue for SentinelOne_BaseUrl to empty string Updated parameter description with guidance: \u0026ldquo;SentinelOne Console URL (e.g. https://usea1-021.sentinelone.net) — find this in your browser address bar when logged into SentinelOne\u0026rdquo; createUiDefinition.json: Updated placeholder from usea1-001 to YOUR-CONSOLE Rebuilt package with corrected templates Affected Files (packaging artefacts: 3.0.2.zip, ReleaseNotes.md, Solution_TacitRedSentinelOneAutomation.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-02-pr-13688/","summary":"Fixes a critical deployment bug present since v1.0.0 where a hardcoded placeholder URL caused complete playbook failure for all Content Hub installations.","title":"TacitRed-SentinelOne v3.0.2: Critical Fix for Broken SentinelOne Connection"},{"content":"What Changed The Gigamon AMX connector has been migrated from the deprecated Log Analytics ingestion method to Microsoft Sentinel\u0026rsquo;s modern CCF (Codeless Connector Framework) push architecture. This is a breaking change that requires redeployment but prevents a complete connector failure.\nSecurity Impact (Visibility \u0026amp; Fidelity) Critical Migration Required: The previous Log Analytics-based integration method has been deprecated by Microsoft, meaning existing deployments would have lost all network visibility from Gigamon devices without this update. 
This migration restores and future-proofs visibility into:\nNetwork flow data (source/destination IPs, ports, protocols, byte counts) DNS resolution events and response codes SSL/TLS certificate details and JA3/JA3S fingerprints HTTP transactions and response codes Industrial protocol monitoring (DNP3, Modbus, SNMP) Medical protocol visibility (HL7, DICOM) The connector now uses DCR-based ingestion via the Custom-GigamonV2_CL stream, requiring manual reconfiguration but moving delivery onto the supported Logs Ingestion API path in place of the deprecated one.\nDeployment Changes Breaking Change: Existing Gigamon connectors will stop functioning and must be redeployed using the new CCF method. The migration adds:\nData Collection Rule (DCR) with 130+ network telemetry fields Entra ID application for secure token-based authentication Data Collection Endpoint (DCE) for direct ingestion API access Push connector configuration replacing polling-based collection Organizations must obtain new authentication credentials and reconfigure their Gigamon AMX appliances to push data to the new DCE endpoint rather than the deprecated Log Analytics API. The Entra ID application also needs the Monitoring Metrics Publisher role on the DCR before the appliance can post data; without that assignment the push is rejected with an authorization error.\nDetection Surface Preserved All existing detection logic targeting GigamonV2_CL table remains functional. 
Field schema is preserved including critical hunting fields:\nNetwork flow metadata (src_ip, dst_ip, src_port, dst_port, protocol) SSL fingerprinting (ssl_fingerprint_ja3, ssl_fingerprint_ja3s) DNS analysis (dns_name, dns_reply_code, dns_query_type) Application identification (app_name, app_id, app_tags) Affected Files Solutions/Gigamon Connector/Data Connectors/Gigamon_CCF/Gigamon_ConnectorDefinition.json Solutions/Gigamon Connector/Data Connectors/Gigamon_CCF/Gigamon_DCR.json Solutions/Gigamon Connector/Data Connectors/Gigamon_CCF/Gigamon_dataConnector.json Solutions/Gigamon Connector/Data Connectors/Gigamon_CCF/Gigamon_table.json Solutions/Gigamon Connector/Data Connectors/Gigamon_Connector_Analytics_Gigamon.json Solutions/Gigamon Connector/Package/testParameters.json Solutions/Gigamon Connector/Workbooks/Gigamon.json Solutions/Gigamon Connector/Workbooks/Images/Logo/gigamon.svg (packaging artefacts: 3.0.1.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_Gigamon.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-02-pr-13633/","summary":"Gigamon connector migrated from deprecated Log Analytics method to CCF push architecture, preventing complete loss of network traffic and threat visibility.","title":"Gigamon AMX Connector: Migration to CCF Push Restores Network Visibility After Deprecation"},{"content":"What Changed This update addresses reliability issues in the Cisco Duo Data Connector Function App that could cause incomplete data ingestion when processing large batches of offline enrollment logs. The connector now includes timeout detection to prevent Azure Function execution limits from causing forced termination and partial ingestion.\nSecurity Impact (Visibility \u0026amp; Fidelity) Before this fix: Deployments processing large volumes of offline enrollment logs experienced timeout-induced ingestion failures, creating blind spots in Duo security event visibility. 
When the Function App hit Azure execution time limits, offline enrollment events were partially ingested or lost entirely.\nAfter this fix: The connector monitors execution time and gracefully saves progress before timeout, ensuring consistent data ingestion for offline enrollment events. This prevents detection blind spots that occurred when Functions were forcibly terminated mid-processing.\nTechnical Details Dependency Updates: duo-client upgraded from 5.5.0 to 5.6.1, cryptography pinned to 43.0.3 for security maintenance Timeout Protection: Added check_if_script_runs_too_long() guard specifically for offline enrollment log processing Function Bundle: Extension bundle version range updated to [4.*, 5.0.0) for better compatibility with Azure Functions runtime Packaging: Function App deployment package rebuilt with corrected Python dependency structure Affected Files Solutions/CiscoDuoSecurity/Data Connectors/AzureFunctionCiscoDuo/main.py Solutions/CiscoDuoSecurity/Data Connectors/host.json Solutions/CiscoDuoSecurity/Data Connectors/requirements.txt (packaging artefacts: CiscoDuoSecurity_func.zip) ","permalink":"http://sentinelchangelog.net/posts/2026-03-02-pr-13713/","summary":"Fixes timeout-induced ingestion failures in offline enrollment log processing and updates duo-client library for security maintenance.","title":"Cisco Duo Connector: Function Timeout Mitigation and Dependency Security Updates"},{"content":"What Changed Version 3.0.2 of the Google Kubernetes Engine solution updates documentation links within the connector configuration to point to official Microsoft Learn guides instead of a personal GitHub repository.\nDocumentation Changes ConnectorDefinition.json now references the official Microsoft Learn guide: \u0026ldquo;Ingest Google Cloud Platform log data into Microsoft Sentinel\u0026rdquo; Setup instructions reordered to prioritize authentication setup before resource configuration Configuration guide link updated from personal repo 
(github.com/Alekhya0824) to official Azure-Sentinel repository path Terraform script simplified by removing hardcoded project ID placeholder Operational Impact No functional changes to data ingestion or connector behavior. This is a documentation maintenance update that improves the reliability and official support status of setup instructions for new deployments.\nAffected Files DataConnectors/GCP/Terraform/sentinel_resources_creation/GoogleKubernetesEngineLogsSetup/GoogleKubernetesEngineLogSetup.tf Solutions/Google Kubernetes Engine/Data Connectors/GoogleKubernetesEngineLogs_ccp/GoogleKubernetesEngineLogs_ConnectorDefinition.json (packaging artefacts: 3.0.2.zip, ReleaseNotes.md, Solution_GoogleKubernetesEngineLogs.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-03-01-pr-13720/","summary":"Google Kubernetes Engine connector documentation updated to reference official Microsoft Learn guides instead of personal repositories.","title":"Google Kubernetes Engine Connector: Documentation Update Links to Official Microsoft Learn"},{"content":"What Changed Added missing mandatory fields EventSchema and EventResult to both ASimRegistryEventMicrosoft365D and vimRegistryEventMicrosoft365D parsers for full ASIM RegistryEvent schema compliance.\nParser Impact Enhanced ASIM schema compliance for Microsoft 365 Defender registry event normalization:\nEventSchema: Set to \u0026ldquo;RegistryEvent\u0026rdquo; to explicitly identify the normalized schema type EventResult: Set to \u0026ldquo;Success\u0026rdquo; as Microsoft 365 Defender registry events represent successful registry operations Version Update: Bumped parser version from 0.1.2 to 0.1.3 ASIM Compatibility Fields added are mandatory per ASIM RegistryEvent schema specification. 
This ensures proper schema validation and compatibility with ASIM-aware detections and workbooks that reference these standardized fields.\nData Source Normalizes DeviceRegistryEvents table from Microsoft 365 Defender for Endpoint, providing standardized registry monitoring for Windows systems including registry key/value creation, modification, and deletion events.\nNo changes to logic or filter behavior — this is a data fidelity fix ensuring complete ASIM field coverage for downstream analytics consuming normalized registry events.\nAffected Files Parsers/ASimRegistryEvent/ARM/ASimRegistryEventMicrosoft365D/ASimRegistryEventMicrosoft365D.json Parsers/ASimRegistryEvent/ARM/vimRegistryEventMicrosoft365D/vimRegistryEventMicrosoft365D.json Parsers/ASimRegistryEvent/CHANGELOG/ASimRegistryEventMicrosoft365D.md Parsers/ASimRegistryEvent/CHANGELOG/vimRegistryEventMicrosoft365D.md Parsers/ASimRegistryEvent/Parsers/ASimRegistryEventMicrosoft365D.yaml Parsers/ASimRegistryEvent/Parsers/vimRegistryEventMicrosoft365D.yaml ","permalink":"http://sentinelchangelog.net/posts/2026-02-27-pr-13712/","summary":"Updated ASIM Registry Event parser for Microsoft 365 Defender to include mandatory EventSchema and EventResult fields per schema compliance requirements.","title":"ASIM Registry Event: Added Mandatory Fields for Microsoft 365 Defender Parser Compliance"},{"content":"What Changed Fixed Partner Center automated validation credential scanner violations by removing default values from securestring token parameters and aligned all content template versions to 3.0.3.\nCompliance Requirements Partner Center automated validation flagged default values in securestring parameters (cyrenIpReputationToken, cyrenMalwareUrlToken) as General Symmetric Key credentials under https://aka.ms/credentialRestrictions policy. 
Default values for securestring parameters must be empty strings for marketplace compliance.\nVersion Alignment Corrections Synchronized version references across solution package:\nSolution_Cyren.json version: 3.0.4 → 3.0.3 mainTemplate.json _solutionVersion and contentPackages.version aligned to 3.0.3 All content template version descriptions (3 analytics rules + 1 workbook) updated from 3.0.1 to 3.0.3 Regenerated 3.0.3.zip package with corrected metadata No functional changes to threat intelligence ingestion logic or detection capabilities.\nAffected Files (packaging artefacts: 3.0.3.zip, Solution_Cyren.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-02-27-pr-13670/","summary":"Compliance update removes credential scanner violations from securestring parameters and aligns all content versions to 3.0.3.","title":"Cyren Threat Intelligence: Partner Center Compliance Fix and Version Alignment"},{"content":"What Changed Migrated IONIX connector from HTTP Data Collector API (push model) to CCF RestApiPoller (pull model) with automatic daily polling and added query-time deduplication across analytics and workbooks.\nSecurity Impact (Visibility \u0026amp; Fidelity) Enhanced attack surface management visibility through automated data collection:\nPrevious State: Required manual IONIX portal configuration to push data; susceptible to duplicate action items causing false positive alerts Current State: Automatic daily polling from IONIX API with query-time deduplication using id_s field prevents duplicate processing Operational Improvement: Simplified setup requiring only API token and account name; eliminates manual portal configuration dependency MITRE Mapping T1195 (Supply Chain Compromise): Enhanced detection coverage through continuous ingestion of supply chain security findings from IONIX Attack Surface Management platform Data Collection Architecture Ingestion Method: CCF RestApiPoller with 24-hour query window, 5 QPS rate limiting 
Target Table: CyberpionActionItems_CL (maintains compatibility with existing analytics) Deduplication Logic: arg_max(TimeGenerated, *) by id_s ensures latest state per action item API Endpoint: https://api.portal.ionix.io/api/v1/remediation/action-items/open/ Backwards Compatibility Legacy HTTP Data Collector API connector marked as deprecated (removal scheduled June 2026). Updated analytics rule to version 1.0.2 and workbook queries with improved deduplication logic. Data continues flowing to existing CyberpionActionItems_CL table ensuring seamless migration.\nAffected Files Solutions/IONIX/Analytic Rules/HighUrgencyActionItems.yaml Solutions/IONIX/Data Connectors/IONIXActionItems_CCF/IONIX_ConnectorDefinition.json Solutions/IONIX/Data Connectors/IONIXActionItems_CCF/IONIX_DCR.json Solutions/IONIX/Data Connectors/IONIXActionItems_CCF/IONIX_PollerConfig.json Solutions/IONIX/Data Connectors/IONIXActionItems_CCF/IONIX_Table.json Solutions/IONIX/Data Connectors/IONIXSecurityLogs.json Solutions/IONIX/Package/testParameters.json Solutions/IONIX/Workbooks/IONIXOverviewWorkbook.json (packaging artefacts: 3.1.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_IONIX.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-02-27-pr-13524/","summary":"Major migration from HTTP Data Collector API to CCF RestApiPoller enabling automatic polling with query-time deduplication for IONIX attack surface management data.","title":"IONIX: Migration to CCF RestApiPoller with Enhanced Data Deduplication"},{"content":"What Changed Updated Microsoft Sentinel Logstash output plugin documentation to include support for additional tested Logstash versions: 8.19.2, 9.0.8, 9.1.10, and 9.2.4-9.2.5.\nVersion Support Impact Extends compatibility matrix for organizations using newer Logstash releases, addressing customer requests for version support confirmation. 
Enables deployment confidence for environments running these specific Logstash versions for log ingestion into Microsoft Sentinel.\nAffected Files DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin/README.md ","permalink":"http://sentinelchangelog.net/posts/2026-02-27-pr-13714/","summary":"Documentation update adds support for Logstash versions 8.19.2, 9.0.8, 9.1.10, and 9.2.4-9.2.5.","title":"Logstash Connector: Extended Version Support for Newer Logstash Releases"},{"content":"What Changed Fixed critical configuration mismatch in SWG Abnormal Deny Rate analytic rule where queryPeriod (25h) was insufficient for the defined 5-day learning window.\nSecurity Impact (Visibility \u0026amp; Fidelity) Detection logic broken due to insufficient historical data: The rule defines a 5-day learning period for baseline computation but was only retrieving 25 hours of data, preventing proper baseline establishment for anomaly detection.\nRoot cause: queryPeriod = 25h could not provide sufficient historical data for LearningPeriod = 5d baseline calculation, causing the rule to operate with incomplete or invalid baselines.\nCurrent state: Updated queryPeriod to 7d ensures full coverage of the 5-day learning window with buffer, enabling proper statistical baseline computation for detecting abnormal deny rates in Global Secure Access traffic.\nDetection Logic Primary data source: NetworkAccessTrafficLogs from Global Secure Access connector. 
The rule now properly retrieves 7 days of data to establish baselines for source-to-destination IP deny rate patterns, enabling detection of suspicious traffic blocking patterns that may indicate reconnaissance or attack attempts.\nImpact Assessment This was a data fidelity gap affecting anomaly detection accuracy — the rule would either fail to generate meaningful baselines or produce false positives due to insufficient statistical foundation.\nAffected Files Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Deny Rate.yaml (packaging artefacts: 3.0.3.zip, ReleaseNotes.md, Solution_GlobalSecureAccess.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-02-27-pr-13678/","summary":"Critical fix aligns queryPeriod with 5-day learning window, restoring proper baseline computation for abnormal deny rate detection.","title":"Global Secure Access: Critical Fix for Abnormal Deny Rate Detection Baseline Computation"},{"content":"What Changed Comprehensive reliability improvements across 17 IPinfo data connectors addressing deployment stability, runtime configuration, and multi-workspace support.\nSecurity Impact (Visibility \u0026amp; Fidelity) Enhanced deployment reliability ensures consistent IPinfo threat intelligence ingestion:\nPrevious State: Function App startup failures due to missing native dependencies (cffi) and inconsistent DCR workspace validation logic Current State: Pinned Azure Functions runtime v4 with Python 3.11, added missing cffi dependency, and standardized DCR handling across all connectors Risk Mitigation: Eliminates deployment failures that could result in gaps in IP reputation and geolocation intelligence Technical Improvements Runtime Stability: Pinned Azure Functions runtime to v4 with verified Python 3.11 compatibility Dependency Management: Added missing cffi native dependency to requirements.txt for reliable Function App publishing Multi-Workspace Support: Standardized DCR workspace validation and creation 
logic across all 17 IPinfo connectors Performance Optimization: Updated max_records from 100 (testing) to 10000 (production) for improved data throughput Affected Connectors 17 IPinfo data connectors updated: ASN, Abuse, Carrier, Company, Country ASN, Domain, IP Location, IP Location Extended, Privacy, Privacy Extended, RIRWHOIS, RWHOIS, and 5 WHOIS variants (ASN, MNT, NET, ORG, POC).\nEach connector now includes consistent DCR handling logic supporting multi-workspace deployments and improved ARM template deployment URLs using aka.ms shortlinks for marketplace readiness.\nAffected Files Solutions/IPinfo/Data Connectors/ASN/AzureFunctionIPinfoASN/constants.py Solutions/IPinfo/Data Connectors/ASN/AzureFunctionIPinfoASN/main.py Solutions/IPinfo/Data Connectors/ASN/AzureFunctionIPinfoASN/utils.py Solutions/IPinfo/Data Connectors/ASN/azuredeploy_Connector_IPinfo_ASN_AzureFunction.json Solutions/IPinfo/Data Connectors/ASN/host.json Solutions/IPinfo/Data Connectors/ASN/requirements.txt Solutions/IPinfo/Data Connectors/Abuse/AzureFunctionIPinfoAbuse/constants.py Solutions/IPinfo/Data Connectors/Abuse/AzureFunctionIPinfoAbuse/main.py Solutions/IPinfo/Data Connectors/Abuse/AzureFunctionIPinfoAbuse/utils.py Solutions/IPinfo/Data Connectors/Abuse/azuredeploy_Connector_IPinfo_Abuse_AzureFunction.json Solutions/IPinfo/Data Connectors/Abuse/host.json Solutions/IPinfo/Data Connectors/Abuse/requirements.txt Solutions/IPinfo/Data Connectors/Carrier/AzureFunctionIPinfoCarrier/constants.py Solutions/IPinfo/Data Connectors/Carrier/AzureFunctionIPinfoCarrier/main.py Solutions/IPinfo/Data Connectors/Carrier/AzureFunctionIPinfoCarrier/utils.py Solutions/IPinfo/Data Connectors/Carrier/azuredeploy_Connector_IPinfo_Carrier_AzureFunction.json Solutions/IPinfo/Data Connectors/Carrier/host.json Solutions/IPinfo/Data Connectors/Carrier/requirements.txt Solutions/IPinfo/Data Connectors/Company/AzureFunctionIPinfoCompany/constants.py Solutions/IPinfo/Data 
Connectors/Company/AzureFunctionIPinfoCompany/main.py Solutions/IPinfo/Data Connectors/Company/AzureFunctionIPinfoCompany/utils.py Solutions/IPinfo/Data Connectors/Company/azuredeploy_Connector_IPinfo_Company_AzureFunction.json Solutions/IPinfo/Data Connectors/Company/host.json Solutions/IPinfo/Data Connectors/Company/requirements.txt Solutions/IPinfo/Data Connectors/Country ASN/AzureFunctionIPinfoCountryASN/constants.py Solutions/IPinfo/Data Connectors/Country ASN/AzureFunctionIPinfoCountryASN/main.py Solutions/IPinfo/Data Connectors/Country ASN/AzureFunctionIPinfoCountryASN/utils.py Solutions/IPinfo/Data Connectors/Country ASN/azuredeploy_Connector_IPinfo_Country_AzureFunction.json Solutions/IPinfo/Data Connectors/Country ASN/host.json Solutions/IPinfo/Data Connectors/Country ASN/requirements.txt Solutions/IPinfo/Data Connectors/Domain/AzureFunctionIPinfoDomain/constants.py Solutions/IPinfo/Data Connectors/Domain/AzureFunctionIPinfoDomain/main.py Solutions/IPinfo/Data Connectors/Domain/AzureFunctionIPinfoDomain/utils.py Solutions/IPinfo/Data Connectors/Domain/azuredeploy_Connector_IPinfo_Domain_AzureFunction.json Solutions/IPinfo/Data Connectors/Domain/host.json Solutions/IPinfo/Data Connectors/Domain/requirements.txt Solutions/IPinfo/Data Connectors/Iplocation Extended/AzureFunctionIPinfoIplocationExtended/constants.py Solutions/IPinfo/Data Connectors/Iplocation Extended/AzureFunctionIPinfoIplocationExtended/main.py Solutions/IPinfo/Data Connectors/Iplocation Extended/AzureFunctionIPinfoIplocationExtended/utils.py Solutions/IPinfo/Data Connectors/Iplocation Extended/azuredeploy_Connector_IPinfo_Iplocation_Extended_AzureFunction.json Solutions/IPinfo/Data Connectors/Iplocation Extended/host.json Solutions/IPinfo/Data Connectors/Iplocation Extended/requirements.txt Solutions/IPinfo/Data Connectors/Iplocation/AzureFunctionIPinfoIplocation/constants.py Solutions/IPinfo/Data Connectors/Iplocation/AzureFunctionIPinfoIplocation/main.py Solutions/IPinfo/Data 
Connectors/Iplocation/AzureFunctionIPinfoIplocation/utils.py Solutions/IPinfo/Data Connectors/Iplocation/azuredeploy_Connector_IPinfo_Iplocation_AzureFunction.json Solutions/IPinfo/Data Connectors/Iplocation/host.json Solutions/IPinfo/Data Connectors/Iplocation/requirements.txt Solutions/IPinfo/Data Connectors/Privacy Extended/AzureFunctionIPinfoPrivacyExtended/constants.py Solutions/IPinfo/Data Connectors/Privacy Extended/AzureFunctionIPinfoPrivacyExtended/main.py Solutions/IPinfo/Data Connectors/Privacy Extended/AzureFunctionIPinfoPrivacyExtended/utils.py Solutions/IPinfo/Data Connectors/Privacy Extended/azuredeploy_Connector_IPinfo_Privacy_Extended_AzureFunction.json Solutions/IPinfo/Data Connectors/Privacy Extended/host.json Solutions/IPinfo/Data Connectors/Privacy Extended/requirements.txt Solutions/IPinfo/Data Connectors/Privacy/AzureFunctionIPinfoPrivacy/constants.py Solutions/IPinfo/Data Connectors/Privacy/AzureFunctionIPinfoPrivacy/main.py Solutions/IPinfo/Data Connectors/Privacy/AzureFunctionIPinfoPrivacy/utils.py Solutions/IPinfo/Data Connectors/Privacy/azuredeploy_Connector_IPinfo_Privacy_AzureFunction.json Solutions/IPinfo/Data Connectors/Privacy/host.json Solutions/IPinfo/Data Connectors/Privacy/requirements.txt Solutions/IPinfo/Data Connectors/RIRWHOIS/AzureFunctionIPinfoRIRWHOIS/constants.py Solutions/IPinfo/Data Connectors/RIRWHOIS/AzureFunctionIPinfoRIRWHOIS/main.py Solutions/IPinfo/Data Connectors/RIRWHOIS/AzureFunctionIPinfoRIRWHOIS/utils.py Solutions/IPinfo/Data Connectors/RIRWHOIS/azuredeploy_Connector_IPinfo_RIRWHOIS_AzureFunction.json Solutions/IPinfo/Data Connectors/RIRWHOIS/host.json Solutions/IPinfo/Data Connectors/RIRWHOIS/requirements.txt Solutions/IPinfo/Data Connectors/RWHOIS/AzureFunctionIPinfoRWHOIS/constants.py Solutions/IPinfo/Data Connectors/RWHOIS/AzureFunctionIPinfoRWHOIS/main.py Solutions/IPinfo/Data Connectors/RWHOIS/AzureFunctionIPinfoRWHOIS/utils.py Solutions/IPinfo/Data 
Connectors/RWHOIS/azuredeploy_Connector_IPinfo_RWHOIS_AzureFunction.json Solutions/IPinfo/Data Connectors/RWHOIS/host.json Solutions/IPinfo/Data Connectors/RWHOIS/requirements.txt Solutions/IPinfo/Data Connectors/WHOIS ASN/AzureFunctionIPinfoWHOISASN/constants.py Solutions/IPinfo/Data Connectors/WHOIS ASN/AzureFunctionIPinfoWHOISASN/main.py Solutions/IPinfo/Data Connectors/WHOIS ASN/AzureFunctionIPinfoWHOISASN/utils.py Solutions/IPinfo/Data Connectors/WHOIS ASN/azuredeploy_Connector_IPinfo_WHOIS_ASN_AzureFunction.json Solutions/IPinfo/Data Connectors/WHOIS ASN/host.json Solutions/IPinfo/Data Connectors/WHOIS ASN/requirements.txt Solutions/IPinfo/Data Connectors/WHOIS MNT/AzureFunctionIPinfoWHOISMNT/constants.py Solutions/IPinfo/Data Connectors/WHOIS MNT/AzureFunctionIPinfoWHOISMNT/main.py Solutions/IPinfo/Data Connectors/WHOIS MNT/AzureFunctionIPinfoWHOISMNT/utils.py Solutions/IPinfo/Data Connectors/WHOIS MNT/azuredeploy_Connector_IPinfo_WHOIS_MNT_AzureFunction.json Solutions/IPinfo/Data Connectors/WHOIS MNT/host.json Solutions/IPinfo/Data Connectors/WHOIS MNT/requirements.txt Solutions/IPinfo/Data Connectors/WHOIS NET/AzureFunctionIPinfoWHOISNET/constants.py Solutions/IPinfo/Data Connectors/WHOIS NET/AzureFunctionIPinfoWHOISNET/main.py Solutions/IPinfo/Data Connectors/WHOIS NET/AzureFunctionIPinfoWHOISNET/utils.py Solutions/IPinfo/Data Connectors/WHOIS NET/azuredeploy_Connector_IPinfo_WHOIS_NET_AzureFunction.json Solutions/IPinfo/Data Connectors/WHOIS NET/host.json Solutions/IPinfo/Data Connectors/WHOIS NET/requirements.txt Solutions/IPinfo/Data Connectors/WHOIS ORG/AzureFunctionIPinfoWHOISORG/constants.py Solutions/IPinfo/Data Connectors/WHOIS ORG/AzureFunctionIPinfoWHOISORG/main.py Solutions/IPinfo/Data Connectors/WHOIS ORG/AzureFunctionIPinfoWHOISORG/utils.py Solutions/IPinfo/Data Connectors/WHOIS ORG/azuredeploy_Connector_IPinfo_WHOIS_ORG_AzureFunction.json Solutions/IPinfo/Data Connectors/WHOIS ORG/host.json Solutions/IPinfo/Data Connectors/WHOIS 
ORG/requirements.txt Solutions/IPinfo/Data Connectors/WHOIS POC/AzureFunctionIPinfoWHOISPOC/constants.py Solutions/IPinfo/Data Connectors/WHOIS POC/AzureFunctionIPinfoWHOISPOC/main.py Solutions/IPinfo/Data Connectors/WHOIS POC/AzureFunctionIPinfoWHOISPOC/utils.py Solutions/IPinfo/Data Connectors/WHOIS POC/azuredeploy_Connector_IPinfo_WHOIS_POC_AzureFunction.json Solutions/IPinfo/Data Connectors/WHOIS POC/host.json Solutions/IPinfo/Data Connectors/WHOIS POC/requirements.txt (packaging artefacts: 3.0.2.zip, IPInfoWHOISASNConn.zip, IPifnoASNConn.zip, IPinfoASNConn.zip, IPinfoAbuseConn.zip, IPinfoCarrierConn.zip, IPinfoCompanyConn.zip, IPinfoCountryConn.zip, IPinfoDomainConn.zip, IPinfoIplocationConn.zip, IPinfoIplocationExtendedConn.zip, IPinfoPrivacyConn.zip, IPinfoPrivacyExtendedConn.zip, IPinfoRIRWHOISConn.zip, IPinfoRWHOISConn.zip, IPinfoWHOISMNTConn.zip, IPinfoWHOISNETConn.zip, IPinfoWHOISORGConn.zip, IPinfoWHOISPOCConn.zip, ReleaseNotes.md, Solution_IPinfo.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-02-27-pr-13630/","summary":"Comprehensive update to 17 IPinfo connectors enhancing deployment reliability with runtime pinning, dependency fixes, and multi-workspace DCR support.","title":"IPinfo: Multi-Workspace Support and Function App Deployment Reliability Improvements"},{"content":"What Changed Fixed critical DCR transform query error causing connector deployment failure and updated Microsoft Sentinel branding across solution components.\nSecurity Impact (Visibility \u0026amp; Fidelity) Complete detection blind spot restored: Deployments running v3.0.1 experienced total connector creation failure due to InvalidTransformQuery error referencing undefined symbol detections. 
The transformKql error prevented DCR creation entirely — zero mobile threat data was ingested by affected deployments.\nRoot cause: DCR transform query incorrectly referenced detections instead of smishing_alert.detections, causing validation failure during connector provisioning.\nCurrent state: Fixed transform query now properly extracts smishing detection data from nested object structure, enabling successful connector deployment and mobile threat telemetry ingestion.\nDCR Transform Logic Correction Previous (broken): smishing_detections = detections — undefined symbol caused deployment failure Current (fixed): smishing_detections = smishing_alert.detections — proper nested field reference enables smishing threat extraction This was a deployment-blocking issue, not a data fidelity gap — users could not create the connector resource at all.\nAdditional Improvements Updated product branding from \u0026ldquo;Azure Sentinel\u0026rdquo; to \u0026ldquo;Microsoft Sentinel\u0026rdquo; in workbook descriptions Aligned data connector version from 1.0.0 to 3.0.2 for consistent version tracking Enhanced install wizard with improved discoverability for Parsers and Notebooks components Affected Files Solutions/Lookout/Data Connectors/LookoutStreamingConnector_ccp/LookoutStreaming_DCR.json (packaging artefacts: 3.0.2.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_Lookout.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-02-26-pr-13651/","summary":"Critical fix resolves undefined symbol error that prevented Lookout connector creation, restoring mobile threat detection capability.","title":"Lookout Connector: Critical DCR Transform Fix Restores Mobile Threat Visibility"},{"content":"What Changed Updated ARM deployment template to enforce minimum TLS version 1.2 for Azure storage accounts used by the Trend Micro Vision One Function App connector.\nSecurity Impact (Visibility \u0026amp; Fidelity) Critical security 
hardening addressing TLS 1.0/1.1 vulnerability exposure:\nPrevious State: Storage accounts allowed TLS 1.0 connections, exposing data in transit to known cryptographic weaknesses and potential downgrade attacks Current State: Enforces TLS 1.2 minimum, ensuring secure data transmission and compliance with modern security standards Risk Mitigation: Eliminates exposure to TLS 1.0/1.1 protocol vulnerabilities including BEAST, CRIME, and POODLE attacks Deployment Considerations This change affects new deployments of the Trend Micro Vision One connector. Existing deployments may require manual storage account configuration update to enforce TLS 1.2. Organizations should audit existing storage accounts for consistent TLS policy enforcement across their Sentinel connector infrastructure.\nAffected Files Solutions/Trend Micro Vision One/Data Connectors/azuredeploy_TrendMicroVisionOne_API_FunctionApp.json ","permalink":"http://sentinelchangelog.net/posts/2026-02-26-pr-13697/","summary":"Critical security hardening update enforces minimum TLS 1.2 for Azure storage accounts in Function App deployment template.","title":"Trend Micro Vision One: Azure Storage Account TLS Security Hardening"},{"content":"Data Source DataBahn AI platform connector providing real-time telemetry ingestion for audit logs, operational alerts, and device inventory data. 
Uses CCF push pattern for direct data transmission to Microsoft Sentinel.\nIngestion Mechanism CCF-based push connector with dedicated Data Collection Rule (DCR) and three custom Log Analytics tables:\ndatabahn_audit_logs_CL: User actions, object changes, tenant activities with success/failure tracking databahn_alerts_CL: Platform alerts with criticality levels, error codes, and dismissal status databahn_device_inventory_CL: Device discovery and inventory tracking Uses Azure Monitor Ingestion API with Entra app registration authentication and automatic ARM deployment.\nDetection Surface Unlocked User Activity Monitoring: Tracks privileged actions, object modifications, and access patterns through audit logs Operational Security: Monitors platform alerts for system anomalies, error conditions, and security events Asset Visibility: Provides device discovery and inventory tracking for network security assessments Configuration Requirements Requires automated ARM deployment creating DCR, Log Analytics tables, and Entra application registration. 
Platform integration uses service principal authentication with Monitoring Metrics Publisher RBAC role on the DCR.\nAffected Files Logos/databahn.svg Solutions/Databahn/Data Connectors/DataBahn_PUSH_CCP/DataBahn_DCR.json Solutions/Databahn/Data Connectors/DataBahn_PUSH_CCP/DataBahn_connectorDefinition.json Solutions/Databahn/Data Connectors/DataBahn_PUSH_CCP/DataBahn_dataConnector.json Solutions/Databahn/Data Connectors/DataBahn_PUSH_CCP/DataBahn_table_databahn_alerts.json Solutions/Databahn/Data Connectors/DataBahn_PUSH_CCP/DataBahn_table_databahn_audit_logs.json Solutions/Databahn/Data Connectors/DataBahn_PUSH_CCP/DataBahn_table_databahn_device_inventory.json Solutions/Databahn/Package/testParameters.json (packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_DataBahn.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-02-26-pr-13598/","summary":"New CCF push connector enables direct ingestion of DataBahn audit logs, alerts, and device inventory into Microsoft Sentinel.","title":"DataBahn Platform: New CCF Connector for Real-Time Security Telemetry Ingestion"},{"content":"What Changed Enhanced documentation for the Rare Custom Script Extension hunting query, adding clarification about protected settings behavior and removing formatting inconsistencies.\nDocumentation Improvements Added explanatory note about protected settings encryption: when fileUris and commandToExecute are configured under Protected Settings, their values appear masked in AzureActivity logs by design Clarified that execution details must be reviewed from Guest VM logs rather than AzureActivity when protected settings are used Included reference link to Microsoft documentation Fixed minor formatting issues in description text Affected Files Solutions/Azure Activity/Hunting Queries/Rare_Custom_Script_Extension.yaml (packaging artefacts: 3.0.4.zip, ReleaseNotes.md, createUiDefinition.json, mainTemplate.json) 
","permalink":"http://sentinelchangelog.net/posts/2026-02-26-pr-13705/","summary":"Minor documentation improvement clarifying protected settings visibility in Custom Script Extension hunting query.","title":"Azure Activity: Hunting Query Documentation Enhancement for Custom Script Extensions"},{"content":"What Changed Version 7.9.2 of the Solutions Analyzer tooling with three major feature additions: Kusto uploader tool, CCF Legacy connector support, and enhanced parser analysis capabilities.\nNew Kusto Integration Added upload_to_kusto.py for automated CSV upload to Azure Data Explorer clusters:\nSolution Analyzer mode: bulk upload of all 10 analysis CSV files Azure CLI authentication with queued ingestion Dry-run mode for operation preview Automatic schema detection and mapping Enhanced CCF Analysis New CCF (Legacy) collection method:\nIdentifies connectors with embedded pollingConfig in ARM templates Extracts capabilities (auth type, paging, POST) from legacy configurations Improved config file detection for Bitwarden-style and GCP-style directory structures CCF capabilities statistics:\nAuthentication method breakdown (APIKey, OAuth2, Basic, JwtToken) Request feature analysis (Paging, POST, MvExpand, Nested) Comprehensive CCF connector classification across all variants ASIM Parser Documentation Fixes Resolved empty Product column display in union parser pages (imDns, imFileEvent, etc.) 
Fixed broken sub-parser links between Im and ASim naming conventions Excluded empty/stub parsers from documentation tables Enhanced parser-to-product name resolution These improvements enhance visibility into Microsoft Sentinel\u0026rsquo;s connector ecosystem and streamline analysis workflow automation.\nAffected Files .github/copilot-instructions.md Tools/Solutions Analyzer/.cache/file_analysis_cache.json Tools/Solutions Analyzer/.cache/marketplace_availability.csv Tools/Solutions Analyzer/README.md Tools/Solutions Analyzer/asim_parsers.csv Tools/Solutions Analyzer/asim_parsers_unmatched_report.csv Tools/Solutions Analyzer/collect_table_info.py Tools/Solutions Analyzer/connectors.csv Tools/Solutions Analyzer/content_items.csv Tools/Solutions Analyzer/content_tables_mapping.csv Tools/Solutions Analyzer/filter_fields_findings.md Tools/Solutions Analyzer/generate_connector_docs.py Tools/Solutions Analyzer/map_solutions_connectors_tables.py Tools/Solutions Analyzer/parsers.csv Tools/Solutions Analyzer/script-docs/collect_table_info.md Tools/Solutions Analyzer/script-docs/generate_connector_docs.md Tools/Solutions Analyzer/script-docs/map_solutions_connectors_tables.md Tools/Solutions Analyzer/script-docs/upload_to_kusto.md Tools/Solutions Analyzer/solutions.csv Tools/Solutions Analyzer/solutions_connectors_tables_mapping.csv Tools/Solutions Analyzer/solutions_connectors_tables_mapping_simplified.csv Tools/Solutions Analyzer/tables.csv Tools/Solutions Analyzer/tables_reference.csv Tools/Solutions Analyzer/upload_to_kusto.py ","permalink":"http://sentinelchangelog.net/posts/2026-02-20-pr-13666/","summary":"Major tooling update adds Kusto integration, improves CCF connector classification, and fixes ASIM parser documentation generation.","title":"Solutions Analyzer Tools: Kusto Upload, CCF Legacy Support, and Parser Analysis Enhancements"},{"content":"What Changed Added comprehensive ASIM FileEvent parser for AWS CloudTrail S3 events with full ARM template deployment 
support and documentation.\nParser Impact New data source coverage: AWS S3 file operations via CloudTrail logs\nPrimary schema: ASIM FileEvent v0.2.2 normalization Event source: s3.amazonaws.com CloudTrail events Parser functions: ASimFileEventAWSCloudTrail and vimFileEventAWSCloudTrail Event Type Mappings S3 operations normalized to ASIM FileEvent types:\nFileCreated: PutObject, CreateMultipartUpload, UploadPart, RestoreObject FileAccessed: GetObject, HeadObject, ListObjects, GetObjectAttributes FileDeleted: DeleteObject, DeleteObjects (with version marker support) FileAttributesUpdated: PutObjectAcl, PutObjectTagging, DeleteObjectTagging FolderCreated: CreateBucket FolderModified: PutBucketPolicy, PutBucketEncryption, PutBucketVersioning FolderAttributesAccessed: GetBucketAcl, GetBucketPolicy, ListBuckets FileCopied: CopyObject FileRenamed: RenameObject Detection Surface Unlocked Enables monitoring of:\nS3 bucket and object access patterns for data exfiltration detection Unauthorized bucket policy or ACL modifications Object deletion and lifecycle events for ransomware indicators Cross-account S3 operations and privilege escalation attempts Data classification through object tagging and metadata operations Parser includes comprehensive actor attribution (AWS User ID, username, access key), source IP tracking, and additional CloudTrail context preservation.\nAffected Files ASIM/dev/ASimTester/ASimTester.csv Parsers/ASimFileEvent/ARM/ASimFileEvent/ASimFileEvent.json Parsers/ASimFileEvent/ARM/ASimFileEventAWSCloudTrail/ASimFileEventAWSCloudTrail.json Parsers/ASimFileEvent/ARM/ASimFileEventAWSCloudTrail/README.md Parsers/ASimFileEvent/ARM/FullDeploymentFileEvent.json Parsers/ASimFileEvent/ARM/imFileEvent/imFileEvent.json Parsers/ASimFileEvent/ARM/vimFileEventAWSCloudTrail/README.md Parsers/ASimFileEvent/ARM/vimFileEventAWSCloudTrail/vimFileEventAWSCloudTrail.json Parsers/ASimFileEvent/CHANGELOG/ASimFIleEventAWSCloudTrail.md 
Parsers/ASimFileEvent/CHANGELOG/ASimFileEvent.md Parsers/ASimFileEvent/CHANGELOG/imFileEvent.md Parsers/ASimFileEvent/CHANGELOG/vimFileEventAWSCloudTrail.md Parsers/ASimFileEvent/Parsers/ASimFileEvent.yaml Parsers/ASimFileEvent/Parsers/ASimFileEventAWSCloudTrail.yaml Parsers/ASimFileEvent/Parsers/imFileEvent.yaml Parsers/ASimFileEvent/Parsers/vimFileEventAWSCloudTrail.yaml ","permalink":"http://sentinelchangelog.net/posts/2026-02-20-pr-13569/","summary":"New FileEvent parser enables normalized S3 object activity monitoring from AWS CloudTrail logs across bucket operations and object lifecycle events.","title":"ASIM FileEvent Parser: New AWS CloudTrail S3 Support Added"},{"content":"What Changed Added new CCF (Codeless Connector Framework) template for Azure Storage Blob data ingestion at DataConnectors/Templates/Connector_StorageBlob_CCF_template.json.\nIngestion Mechanism Event-driven blob ingestion:\nUses Event Grid topic to monitor blob creation events in storage account Automatic notification queue and dead-letter queue creation Role assignments grant Microsoft Sentinel access to blob container and storage queues Data flows through DCR (Data Collection Rule) with KQL transform capabilities Configuration requirements:\nBlob container URL and optional folder path Storage account location, resource group, and subscription details Existing Event Grid topic name (if present) or creates new one Detection Surface Unlocked Enables collection of security logs from:\nCustom applications writing structured logs to blob storage Third-party security tools using blob storage for log export Archive data recovery for historical analysis Any system capable of writing JSON/text logs to Azure Storage blobs Template includes customizable table schema and transform KQL for data normalization.\nAffected Files DataConnectors/Templates/Connector_StorageBlob_CCF_template.json ","permalink":"http://sentinelchangelog.net/posts/2026-02-20-pr-13668/","summary":"New Codeless Connector 
Framework template enables ingestion from Azure Storage blob containers via event-driven data flows.","title":"New CCF Template: Azure Storage Blob Data Connector"},{"content":"What Changed Updated savedSearchesApiVersion parameter in PrepareSolutionMetadata function within the Create-Azure-Sentinel-Solution tooling from 2022-10-01 to 2025-07-01.\nThis change ensures compatibility with recent service API changes when generating solution packages that include saved searches (hunting queries, workbook queries, and other KQL assets).\nAffected Files Tools/Create-Azure-Sentinel-Solution/common/commonFunctions.ps1 ","permalink":"http://sentinelchangelog.net/posts/2026-02-20-pr-13647/","summary":"Updated savedSearches API version from 2022-10-01 to 2025-07-01 in solution metadata generation tool.","title":"Solution Creation Tools: API Version Update for Saved Searches"},{"content":"What Changed Updated CCF poller configuration parameters for both IP Reputation and Malware URLs feeds to eliminate duplicate data ingestion.\nSecurity Impact (Visibility \u0026amp; Fidelity) Production Impact Resolved: Deployments running v3.0.2 experienced massive duplicate ingestion with a 1,535:1 duplicate ratio (304,000 rows ingested vs 198 unique IPs). 
This consumed excessive log analytics storage and made threat intelligence queries inefficient.\nConfiguration Changes Applied:\nPage size: Increased count from 100 to 1000 (eliminates multi-page fetching) Polling interval: Increased from 15 minutes to 6 hours (360 minutes) Expected reduction: ~99% decrease in ingested rows (304,000/day → 3,200/day) Root Cause Analysis The Cyren feeds contain relatively static indicator sets:\nIP Reputation feed: ~800 indicators Malware URLs feed: ~200 indicators Previous configuration caused repeated fetching of the same indicator set:\n8+ page requests per poll cycle (due to count=100 vs 800 total indicators) 96 poll cycles per day (every 15 minutes) Result: Same indicators ingested repeatedly throughout each day Connector Mechanism CCF (Codeless Connector Framework) with DCR-based ingestion using PersistentToken paging (correctly preserved from v3.0.2 fix).\nAffected Files Solutions/CyrenThreatIntelligence/Data Connectors/CyrenThreatIntel_CCF/Cyren_PollerConfig.json (packaging artefacts: 3.0.3.zip, ReleaseNotes.md, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-02-20-pr-13631/","summary":"Configuration updates eliminate massive duplicate indicator ingestion caused by small page sizes and frequent polling intervals.","title":"Cyren Threat Intelligence: Critical Fix for 1,535:1 Duplicate Data Ingestion"},{"content":"What Changed New Analytic Rule URLEntity_imWebSession.yaml added to complement existing domain-based IOC detection with full URL matching capabilities.\nDetection Logic Primary data source: ASIM Web Session events via _Im_WebSession() function Core logic: Joins ThreatIntelIndicators table (URL type) against web session URLs, requiring active indicators within 14-day lookback period and confidence validation Entity types mapped: IP (source address), URL (requested URL) Query optimization: Uses has_any filtering with 10,000 IOC limit for performance MITRE Mapping T1071: Application Layer 
Protocol (Command and Control) Detection Surface Unlocked Enables detection of web requests to known malicious URLs from threat intelligence feeds, providing coverage for:\nC2 infrastructure communication via HTTP/HTTPS Initial access through malicious landing pages Exfiltration to attacker-controlled domains Rule supports multiple web session data sources including Squid Proxy, Zscaler, and other ASIM-compliant web security solutions.\nAffected Files Solutions/Threat Intelligence (NEW)/Analytic Rules/URLEntity_imWebSession.yaml (packaging artefacts: 3.0.14.zip, ReleaseNotes.md, Solution_ThreatIntelligenceUpdated.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-02-20-pr-13637/","summary":"New Analytic Rule enables detection of malicious URLs from threat feeds in web traffic, closing coverage gap for URL-based indicators.","title":"Threat Intelligence: URL IOC Detection Added for Web Session Monitoring"},{"content":"What Changed CognyteLuminar solution updated to fix deployment configuration issues with Azure Function App soft links. 
ARM template deployment URIs corrected and createUiDefinition.json updated to support both flex and premium consumption plans for improved deployment reliability.\nPackage rebuilt with corrected packageUri references to ensure successful Function App deployments across different Azure hosting plans.\nAffected Files Solutions/CognyteLuminar/Data Connectors/CognyteLuminar_FunctionApp.json Solutions/CognyteLuminar/Data Connectors/azuredeploy_LuminarFuncApp_AzureFunction_flex.json Solutions/CognyteLuminar/Data Connectors/azuredeploy_LuminarFuncApp_AzureFunction_premium.json (packaging artefacts: 3.0.2.zip, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-02-18-pr-13448/","summary":"ARM template deployment links updated and Function App soft links corrected for flex and premium consumption plans.","title":"CognyteLuminar: Deployment Configuration and Soft Link Updates"},{"content":"What Changed Zscaler Internet Access solution underwent comprehensive modernization to version 3.0.4, replacing legacy data connectors with 15 new CloudNSS CCP (Codeless Connector Platform) connectors covering audit logs, CASB activity, DNS/FW/tunnel/web logs, and email/endpoint DLP logs.\nIngestion Mechanism Complete migration from legacy API-key based authentication to OAuth2-based playbooks with CCF data collection. New CCP connectors provide comprehensive log visibility across CloudNSS Audit, CASB Activity (CRM, Cloud Storage, Collaboration, Email, File Sharing, ITSM, Repo), DNS, Firewall, Tunnel, Web, and DLP streams.\nThe solution now includes 12 OAuth2 playbooks for automated response: IP/URL blocking/unblocking, blacklisting/whitelisting, and lookup operations including sandbox reports. 
All playbooks leverage centralized OAuth2 authentication with Azure Key Vault credential management.\nDetection Surface Unlocked Enhanced visibility across all Zscaler Internet Access security controls with standardized CCF ingestion enabling better threat detection, policy enforcement monitoring, and automated incident response capabilities through modern OAuth2-based SOAR integration.\nAffected Files Solutions/Zscaler Internet Access/Data Connectors/CloudNSSAuditLogs_ccp/DCR.json Solutions/Zscaler Internet Access/Data Connectors/CloudNSSAuditLogs_ccp/connectorDefinition.json Solutions/Zscaler Internet Access/Data Connectors/CloudNSSAuditLogs_ccp/dataConnector.json Solutions/Zscaler Internet Access/Data Connectors/CloudNSSCASBActivityLogs_ccp/DCR.json Solutions/Zscaler Internet Access/Data Connectors/CloudNSSCASBActivityLogs_ccp/connectorDefinition.json Solutions/Zscaler Internet Access/Data Connectors/CloudNSSCASBActivityLogs_ccp/dataConnector.json Solutions/Zscaler Internet Access/Data Connectors/CloudNSSCASBCRMLogs_ccp/DCR.json Solutions/Zscaler Internet Access/Data Connectors/CloudNSSCASBCRMLogs_ccp/connectorDefinition.json Solutions/Zscaler Internet Access/Data Connectors/CloudNSSCASBCRMLogs_ccp/dataConnector.json Solutions/Zscaler Internet Access/Data Connectors/CloudNSSCASBCloudStorageLogs_ccp/DCR.json Solutions/Zscaler Internet Access/Data Connectors/CloudNSSCASBCloudStorageLogs_ccp/connectorDefinition.json Solutions/Zscaler Internet Access/Data Connectors/CloudNSSCASBCloudStorageLogs_ccp/dataConnector.json Solutions/Zscaler Internet Access/Data Connectors/CloudNSSCASBCollabLogs_ccp/DCR.json Solutions/Zscaler Internet Access/Data Connectors/CloudNSSCASBCollabLogs_ccp/connectorDefinition.json Solutions/Zscaler Internet Access/Data Connectors/CloudNSSCASBCollabLogs_ccp/dataConnector.json Solutions/Zscaler Internet Access/Data Connectors/CloudNSSCASBEmailLogs_ccp/DCR.json Solutions/Zscaler Internet Access/Data 
Connectors/CloudNSSCASBEmailLogs_ccp/connectorDefinition.json Solutions/Zscaler Internet Access/Data Connectors/CloudNSSCASBEmailLogs_ccp/dataConnector.json Solutions/Zscaler Internet Access/Data Connectors/CloudNSSCASBFileSharingLogs_ccp/DCR.json Solutions/Zscaler Internet Access/Data Connectors/CloudNSSCASBFileSharingLogs_ccp/connectorDefinition.json Solutions/Zscaler Internet Access/Data Connectors/CloudNSSCASBFileSharingLogs_ccp/dataConnector.json Solutions/Zscaler Internet Access/Data Connectors/CloudNSSCASBITSMLogs_ccp/DCR.json Solutions/Zscaler Internet Access/Data Connectors/CloudNSSCASBITSMLogs_ccp/connectorDefinition.json Solutions/Zscaler Internet Access/Data Connectors/CloudNSSCASBITSMLogs_ccp/dataConnector.json Solutions/Zscaler Internet Access/Data Connectors/CloudNSSCASBRepoLogs_ccp/DCR.json Solutions/Zscaler Internet Access/Data Connectors/CloudNSSCASBRepoLogs_ccp/connectorDefinition.json Solutions/Zscaler Internet Access/Data Connectors/CloudNSSCASBRepoLogs_ccp/dataConnector.json Solutions/Zscaler Internet Access/Data Connectors/CloudNSSDNSLogs_ccp/DCR.json Solutions/Zscaler Internet Access/Data Connectors/CloudNSSDNSLogs_ccp/connectorDefinition.json Solutions/Zscaler Internet Access/Data Connectors/CloudNSSDNSLogs_ccp/dataConnector.json Solutions/Zscaler Internet Access/Data Connectors/CloudNSSEmailDLPLogs_ccp/DCR.json Solutions/Zscaler Internet Access/Data Connectors/CloudNSSEmailDLPLogs_ccp/connectorDefinition.json Solutions/Zscaler Internet Access/Data Connectors/CloudNSSEmailDLPLogs_ccp/dataConnector.json Solutions/Zscaler Internet Access/Data Connectors/CloudNSSEndpointDLPLogs_ccp/DCR.json Solutions/Zscaler Internet Access/Data Connectors/CloudNSSEndpointDLPLogs_ccp/connectorDefinition.json Solutions/Zscaler Internet Access/Data Connectors/CloudNSSEndpointDLPLogs_ccp/dataConnector.json Solutions/Zscaler Internet Access/Data Connectors/CloudNSSFWLogs_ccp/DCR.json Solutions/Zscaler Internet Access/Data 
Connectors/CloudNSSFWLogs_ccp/connectorDefinition.json Solutions/Zscaler Internet Access/Data Connectors/CloudNSSFWLogs_ccp/dataConnector.json Solutions/Zscaler Internet Access/Data Connectors/CloudNSSTunnelLogs_ccp/DCR.json Solutions/Zscaler Internet Access/Data Connectors/CloudNSSTunnelLogs_ccp/connectorDefinition.json Solutions/Zscaler Internet Access/Data Connectors/CloudNSSTunnelLogs_ccp/dataConnector.json Solutions/Zscaler Internet Access/Data Connectors/CloudNSSWebLogs_ccp/DCR.json Solutions/Zscaler Internet Access/Data Connectors/CloudNSSWebLogs_ccp/connectorDefinition.json Solutions/Zscaler Internet Access/Data Connectors/CloudNSSWebLogs_ccp/dataConnector.json Solutions/Zscaler Internet Access/Data Connectors/Images/CloudNSSAuditLogs_ccp.png Solutions/Zscaler Internet Access/Data Connectors/Images/CloudNSSCASBActivityLogs_ccp.png Solutions/Zscaler Internet Access/Data Connectors/Images/CloudNSSCASBCRMLogs_ccp.png Solutions/Zscaler Internet Access/Data Connectors/Images/CloudNSSCASBCloudStorageLogs_ccp.png Solutions/Zscaler Internet Access/Data Connectors/Images/CloudNSSCASBCollabLogs_ccp.png Solutions/Zscaler Internet Access/Data Connectors/Images/CloudNSSCASBEmailLogs_ccp.png Solutions/Zscaler Internet Access/Data Connectors/Images/CloudNSSCASBFileSharingLogs_ccp.png Solutions/Zscaler Internet Access/Data Connectors/Images/CloudNSSCASBITSMLogs_ccp.png Solutions/Zscaler Internet Access/Data Connectors/Images/CloudNSSCASBRepoLogs_ccp.png Solutions/Zscaler Internet Access/Data Connectors/Images/CloudNSSDNSLogs_ccp.png Solutions/Zscaler Internet Access/Data Connectors/Images/CloudNSSEmailDLPLogs_ccp.png Solutions/Zscaler Internet Access/Data Connectors/Images/CloudNSSEndpointDLPLogs_ccp.png Solutions/Zscaler Internet Access/Data Connectors/Images/CloudNSSFWLogs_ccp.png Solutions/Zscaler Internet Access/Data Connectors/Images/CloudNSSTunnelLogs_ccp.png Solutions/Zscaler Internet Access/Data Connectors/Images/CloudNSSWebLogs_ccp.png Solutions/Zscaler Internet 
Access/Data Connectors/template_Zscaler.JSON Solutions/Zscaler Internet Access/Data Connectors/template_ZscalerAma.JSON Solutions/Zscaler Internet Access/Package/testParameters.json Solutions/Zscaler Internet Access/Parsers/ZScalerFW_Parser.csl Solutions/Zscaler Internet Access/Parsers/ZScalerFW_Parser.yaml Solutions/Zscaler Internet Access/Parsers/ZScalerWeb_Parser.csl Solutions/Zscaler Internet Access/Parsers/ZScalerWeb_Parser.yaml Solutions/Zscaler Internet Access/Playbooks/Add-Url-To-Category/deployboth.json Solutions/Zscaler Internet Access/Playbooks/Add-Url-To-Category/images/Sentinel_Add_URL_To_Category.png Solutions/Zscaler Internet Access/Playbooks/Add-Url-To-Category/images/designerDark.png Solutions/Zscaler Internet Access/Playbooks/Add-Url-To-Category/images/designerLight.png Solutions/Zscaler Internet Access/Playbooks/Add-Url-To-Category/readme.md Solutions/Zscaler Internet Access/Playbooks/Get-Sandbox-Report-For-Hash/azuredeploy.json Solutions/Zscaler Internet Access/Playbooks/Get-Sandbox-Report-For-Hash/deployboth.json Solutions/Zscaler Internet Access/Playbooks/Get-Sandbox-Report-For-Hash/images/Get-Sandbox-Report.png Solutions/Zscaler Internet Access/Playbooks/Get-Sandbox-Report-For-Hash/images/designerDark.png Solutions/Zscaler Internet Access/Playbooks/Get-Sandbox-Report-For-Hash/images/designerLight.png Solutions/Zscaler Internet Access/Playbooks/Get-Sandbox-Report-For-Hash/readme.md Solutions/Zscaler Internet Access/Playbooks/Oauth2Authentication/Images/Zscaler-Oauth2-Authentication-light.png Solutions/Zscaler Internet Access/Playbooks/Oauth2Authentication/azuredeploy.json Solutions/Zscaler Internet Access/Playbooks/Oauth2Authentication/readme.md Solutions/Zscaler Internet Access/Playbooks/Oauth2BlacklistURL/Images/Zscaler-Oauth2-BlacklistURL-light.png Solutions/Zscaler Internet Access/Playbooks/Oauth2BlacklistURL/azuredeploy.json Solutions/Zscaler Internet Access/Playbooks/Oauth2BlacklistURL/readme.md Solutions/Zscaler Internet 
Access/Playbooks/Oauth2BlockIP/Images/Zscaler-Oauth2-BlockIP-light.png Solutions/Zscaler Internet Access/Playbooks/Oauth2BlockIP/azuredeploy.json Solutions/Zscaler Internet Access/Playbooks/Oauth2BlockIP/readme.md Solutions/Zscaler Internet Access/Playbooks/Oauth2BlockURL/Images/Zscaler-Oauth2-BlockURL-light.png Solutions/Zscaler Internet Access/Playbooks/Oauth2BlockURL/azuredeploy.json Solutions/Zscaler Internet Access/Playbooks/Oauth2BlockURL/readme.md Solutions/Zscaler Internet Access/Playbooks/Oauth2LookupIP/Images/Zscaler-Oauth2-LookupIP-light.png Solutions/Zscaler Internet Access/Playbooks/Oauth2LookupIP/azuredeploy.json Solutions/Zscaler Internet Access/Playbooks/Oauth2LookupIP/readme.md Solutions/Zscaler Internet Access/Playbooks/Oauth2LookupURL/Images/Zscaler-Oauth2-LookupURL-light.png Solutions/Zscaler Internet Access/Playbooks/Oauth2LookupURL/azuredeploy.json Solutions/Zscaler Internet Access/Playbooks/Oauth2LookupURL/readme.md Solutions/Zscaler Internet Access/Playbooks/Oauth2UnblacklistURL/Images/Zscaler-Oauth2-UnblacklistURL-light.png Solutions/Zscaler Internet Access/Playbooks/Oauth2UnblacklistURL/azuredeploy.json Solutions/Zscaler Internet Access/Playbooks/Oauth2UnblacklistURL/readme.md Solutions/Zscaler Internet Access/Playbooks/Oauth2UnblockIP/Images/Zscaler-Oauth2-UnblockIP-light.png Solutions/Zscaler Internet Access/Playbooks/Oauth2UnblockIP/azuredeploy.json Solutions/Zscaler Internet Access/Playbooks/Oauth2UnblockIP/readme.md Solutions/Zscaler Internet Access/Playbooks/Oauth2UnblockURL/Images/Zscaler-Oauth2-UnblockURL-light.png Solutions/Zscaler Internet Access/Playbooks/Oauth2UnblockURL/azuredeploy.json Solutions/Zscaler Internet Access/Playbooks/Oauth2UnblockURL/readme.md Solutions/Zscaler Internet Access/Playbooks/Oauth2WhitelistURL/Images/Zscaler-Oauth2-WhitelistURL-light.png Solutions/Zscaler Internet Access/Playbooks/Oauth2WhitelistURL/azuredeploy.json Solutions/Zscaler Internet Access/Playbooks/Oauth2WhitelistURL/readme.md 
Solutions/Zscaler Internet Access/Playbooks/Zscaler API authentication/FunctionApp/azuredeploy.json Solutions/Zscaler Internet Access/Playbooks/Zscaler API authentication/azuredeploy.json Solutions/Zscaler Internet Access/Playbooks/Zscaler API authentication/images/Authentication.png Solutions/Zscaler Internet Access/Playbooks/Zscaler API authentication/readme.md Solutions/Zscaler Internet Access/Workbooks/NSSAuditLogs.json Solutions/Zscaler Internet Access/Workbooks/NSSCASBActivityLogs.json Solutions/Zscaler Internet Access/Workbooks/NSSCASBCRMLogs.json Solutions/Zscaler Internet Access/Workbooks/NSSCASBCloudStorageLogs.json Solutions/Zscaler Internet Access/Workbooks/NSSCASBCollabLogs.json Solutions/Zscaler Internet Access/Workbooks/NSSCASBEmail.json Solutions/Zscaler Internet Access/Workbooks/NSSCASBFileSharingLogs.json Solutions/Zscaler Internet Access/Workbooks/NSSCASBITSMLogs.json Solutions/Zscaler Internet Access/Workbooks/NSSCASBRepoLogs.json Solutions/Zscaler Internet Access/Workbooks/NSSDNSLogs.json Solutions/Zscaler Internet Access/Workbooks/NSSEmailDLPLogs.json Solutions/Zscaler Internet Access/Workbooks/NSSEndpointDLPLogs.json Solutions/Zscaler Internet Access/Workbooks/NSSFWLogs.json Solutions/Zscaler Internet Access/Workbooks/NSSTunnelLogs.json Solutions/Zscaler Internet Access/Workbooks/NSSWebLogsOffice365.json Solutions/Zscaler Internet Access/Workbooks/NSSWebLogsOverview.json Solutions/Zscaler Internet Access/Workbooks/NSSWebLogsThreats.json Workbooks/Images/Preview/NSSAuditLogsBlack.png Workbooks/Images/Preview/NSSAuditLogsWhite.png Workbooks/Images/Preview/NSSCASBActivityLogsBlack.png Workbooks/Images/Preview/NSSCASBActivityLogsWhite.png Workbooks/Images/Preview/NSSCASBCRMLogsBlack.png Workbooks/Images/Preview/NSSCASBCRMLogsWhite.png Workbooks/Images/Preview/NSSCASBCloudStorageLogsBlack.png Workbooks/Images/Preview/NSSCASBCloudStorageLogsWhite.png Workbooks/Images/Preview/NSSCASBCollabLogsBlack.png 
Workbooks/Images/Preview/NSSCASBCollabLogsWhite.png Workbooks/Images/Preview/NSSCASBEmailBlack.png Workbooks/Images/Preview/NSSCASBEmailWhite.png Workbooks/Images/Preview/NSSCASBFileSharingLogsBlack.png Workbooks/Images/Preview/NSSCASBFileSharingLogsWhite.png Workbooks/Images/Preview/NSSCASBITSMLogsBlack.png Workbooks/Images/Preview/NSSCASBITSMLogsWhite.png Workbooks/Images/Preview/NSSCASBRepoLogsBlack.png Workbooks/Images/Preview/NSSCASBRepoLogsWhite.png Workbooks/Images/Preview/NSSDNSLogsBlack.png Workbooks/Images/Preview/NSSDNSLogsWhite.png Workbooks/Images/Preview/NSSEmailDLPLogsBlack.png Workbooks/Images/Preview/NSSEmailDLPLogsWhite.png Workbooks/Images/Preview/NSSEndpointDLPLogsBlack.png Workbooks/Images/Preview/NSSEndpointDLPLogsWhite.png Workbooks/Images/Preview/NSSFWLogsBlack.png Workbooks/Images/Preview/NSSFWLogsWhite.png Workbooks/Images/Preview/NSSTunnelLogsBlack.png Workbooks/Images/Preview/NSSTunnelLogsWhite.png Workbooks/Images/Preview/NSSWebLogsOffice365Black.png Workbooks/Images/Preview/NSSWebLogsOffice365White.png Workbooks/Images/Preview/NSSWebLogsOverviewBlack.png Workbooks/Images/Preview/NSSWebLogsOverviewWhite.png Workbooks/Images/Preview/NSSWebLogsThreatsBlack.png Workbooks/Images/Preview/NSSWebLogsThreatsWhite.png Workbooks/WorkbooksMetadata.json (packaging artefacts: 3.0.4.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_Zscaler Internet Access.json, Solution_ZscalerInternetAccess.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-02-18-pr-13391/","summary":"Complete solution overhaul replaces legacy connectors with 15 CloudNSS CCP connectors and 12 OAuth2 playbooks for enhanced Zscaler integration.","title":"Zscaler Internet Access: Major Platform Modernization with CloudNSS CCP Connectors"},{"content":"What Changed TacitRed CrowdStrike IOC Automation solution v3.0.1 addresses critical deployment and visibility issues:\nFixed InvalidResourceLocation error preventing Content Hub 
deployments Added missing Sentinel discovery tags making playbook template visible in Automation UI Removed restrictive domain filter expanding IOC retrieval scope Deployment Template Fixes ARM Template Standardization:\nLocation parameter fix: Removed non-standard location parameter causing Content Hub failures Sentinel template discovery: Added hidden-SentinelTemplateName and hidden-SentinelTemplateVersion tags Domain filter removal: Eliminated forced domain restriction from API calls Security Impact (IOC Automation) This was a complete solution deployment and discovery failure:\nPre-fix: Solution appeared installed but playbook template was completely invisible in Sentinel Automation UI Post-fix: Playbook template properly discoverable enabling TacitRed to CrowdStrike IOC synchronization IOC Integration Enhancement:\nTemplate visibility: Fixed missing hidden tags that prevented playbook discovery in Sentinel Automation \u0026gt; Playbook templates Full IOC scope: Removed domain filter allowing retrieval of all TacitRed compromised credentials CrowdStrike integration: Enables automated push of domain and SHA256 IOCs to CrowdStrike Falcon platform The missing discovery tags were preventing security teams from finding and configuring the IOC automation playbook, effectively rendering the threat intelligence integration non-functional despite successful solution installation.\nAffected Files Solutions/TacitRed-IOC-CrowdStrike/Playbooks/TacitRedToCrowdStrike_Playbook.json (packaging artefacts: 3.0.1.zip, ReleaseNotes.md, Solution_TacitRedCrowdStrikeAutomation.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-02-17-pr-13641/","summary":"Fixed InvalidResourceLocation deployment error and missing playbook template discovery for TacitRed CrowdStrike IOC automation solution.","title":"TacitRed CrowdStrike IOC Automation: Critical Deployment Fix and Template Visibility"},{"content":"What Changed TacitRed-SentinelOne solution v3.0.1 addresses 
critical deployment failures affecting Content Hub installations:\nFixed InvalidResourceLocation error by removing non-standard location parameter from ARM template Fixed metadata resource naming using incorrect double-bracket syntax Removed restrictive domain filter that limited IOC retrieval scope Deployment Template Fixes ARM Template Standardization:\nBefore: Used non-standard location parameter causing Content Hub deployment failures After: Aligned with 489/492 Sentinel solutions using workspace-location-inline variable pattern Metadata naming: Fixed double-bracket to single-bracket syntax matching 481/482 solutions Security Impact (IOC Automation) This was a complete solution deployment blocker:\nPre-fix: TacitRed-SentinelOne solution failed to deploy from Content Hub due to ARM template errors Post-fix: Solution deploys successfully enabling IOC automation between TacitRed threat intelligence and SentinelOne IOC Retrieval Enhancement:\nRemoved forced domain filter: Previously hardcoded domains parameter limited IOC scope Full threat intelligence access: Playbook now retrieves all available TacitRed compromised credentials IOCs Default 7-day lookback: Maintains recent IOC focus while removing artificial domain restrictions The domain filter removal significantly improves threat intelligence coverage by allowing organizations to consume the complete TacitRed IOC feed rather than being restricted to pre-specified domains.\nAffected Files Solutions/TacitRed-SentinelOne/Playbooks/TacitRedToSentinelOne_Playbook.json (packaging artefacts: 3.0.1.zip, ReleaseNotes.md, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-02-17-pr-13640/","summary":"Fixed InvalidResourceLocation deployment error and removed restrictive domain filter that was preventing TacitRed IOC automation deployments.","title":"TacitRed-SentinelOne Solution: Critical Deployment Fix for Content Hub Installation Failures"},{"content":"What Changed Microsoft Defender XDR solution 
updated to v3.0.14 with new hunting query addition:\nAdded: Punycode chars lookalike domains hunting query Solution packaging: Updated ARM templates and metadata for new content Hunting Query Addition The new hunting query targets Punycode character abuse in domain name attacks:\nDetection focus: Lookalike domains using Punycode (internationalized domain names) to impersonate legitimate sites Attack vector: Threat actors use visually similar Unicode characters to create deceptive domains (e.g., using Cyrillic \u0026ldquo;а\u0026rdquo; instead of Latin \u0026ldquo;a\u0026rdquo;) Data source: Likely targets Microsoft Defender for Endpoint DNS/web activity or email URL data Security Impact (Threat Hunting) Punycode abuse represents a significant phishing and brand impersonation threat:\nVisual deception: Unicode lookalike characters create domains that appear legitimate to users Detection gap: Traditional string-based blocking often misses Punycode variants Hunting capability: Enables proactive identification of suspicious internationalized domains in network traffic Note: This PR references content from PR #13535. 
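Because the query body itself is not in this diff, the following is an added illustration of the technique the hunting query targets; it is not the solution's KQL and not code from the Sentinel repository. It decodes xn-- (punycode) labels back to the glyphs a user sees, flags labels that mix Unicode scripts, and folds a hand-picked subset of Cyrillic confusables onto their Latin lookalikes so a decoded domain can be compared against a watchlist. The log lines, the brand watchlist and the confusable map are constructed for the example; a production version would use the full Unicode confusables table.

```python
import unicodedata

# Hand-picked subset of Cyrillic letters that render like Latin ones
# (illustrative, not the full Unicode confusables table).
CONFUSABLES = {
    chr(0x430): 'a', chr(0x435): 'e', chr(0x43E): 'o', chr(0x440): 'p',
    chr(0x441): 'c', chr(0x443): 'y', chr(0x445): 'x', chr(0x455): 's',
    chr(0x456): 'i', chr(0x458): 'j',
}

# Assumed brand watchlist for this example.
PROTECTED_BRANDS = {'apple.com', 'paypal.com', 'microsoft.com'}


def to_ace(unicode_domain):
    # Unicode -> ASCII-compatible form (xn-- labels), as seen on the wire.
    return unicode_domain.encode('idna').decode('ascii')


def to_unicode(domain):
    # Decode xn-- labels back to the glyphs a user would see; a label that
    # fails the IDNA round-trip is kept as-is instead of being dropped.
    try:
        return domain.encode('ascii').decode('idna')
    except UnicodeError:
        return domain


def scripts_of(domain):
    # Script families present in the alphabetic characters, taken from the
    # first word of each Unicode character name (LATIN, CYRILLIC, ...).
    return {unicodedata.name(ch).split()[0] for ch in domain if ch.isalpha()}


def skeleton(domain):
    # Fold confusable glyphs onto Latin so visually identical strings match.
    return ''.join(CONFUSABLES.get(ch, ch) for ch in domain.lower())


def classify(domain):
    # Return a finding when the domain mixes scripts or, after folding,
    # collides with a protected brand it is not literally equal to.
    decoded = to_unicode(domain)
    scripts = scripts_of(decoded)
    mixed = len(scripts) > 1
    folded = skeleton(decoded)
    impersonates = folded if (folded in PROTECTED_BRANDS and folded != decoded) else None
    if not mixed and impersonates is None:
        return None
    return {
        'domain': domain,
        'decoded': decoded,
        'scripts': sorted(scripts),
        'mixed_script': mixed,
        'impersonates': impersonates,
    }


def parse_domain(line):
    # Host part of RemoteUrl=<host>/<path> from a constructed telemetry line.
    fields = dict(kv.split('=', 1) for kv in line.split())
    return fields['RemoteUrl'].split('/', 1)[0].lower()


def hunt(lines):
    # Run the classifier over telemetry lines and collect the hits in order.
    findings = []
    for line in lines:
        finding = classify(parse_domain(line))
        if finding:
            finding['line'] = line
            findings.append(finding)
    return findings


# Constructed sample telemetry (not real data). The lookalikes are built from
# their Unicode form so the xn-- labels are exact rather than hand-typed.
SAMPLE_LOG = [
    'DeviceName=wks01 RemoteUrl=' + to_ace(chr(0x430) + 'pple.com') + '/login',
    'DeviceName=wks02 RemoteUrl=apple.com/',
    'DeviceName=wks03 RemoteUrl=' + to_ace('m' + chr(0xFC) + 'nchen.de') + '/',
    'DeviceName=wks04 RemoteUrl=' + to_ace(chr(0x440) + 'aypal.com') + '/signin',
]

if __name__ == '__main__':
    for hit in hunt(SAMPLE_LOG):
        print(hit['domain'], '->', hit['decoded'], hit['scripts'], hit['impersonates'])
```

The third line (a legitimately internationalized German domain) is deliberately not flagged: it is single-script and folds to nothing on the watchlist, which is the false-positive class a Punycode hunt has to tolerate.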
The actual hunting query logic is not visible in this packaging-only diff.\nAffected Files (packaging artefacts: 3.0.14.zip, ReleaseNotes.md, Solution_Microsoft Defender XDR.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-02-17-pr-13596/","summary":"Microsoft Defender XDR solution v3.0.14 adds hunting query targeting Punycode character abuse in lookalike domain attacks.","title":"Microsoft Defender XDR Solution: Punycode Hunting Query Added for Lookalike Domain Detection"},{"content":"What Changed Microsoft Sentinel Logstash output plugin v1.2.0 adds comprehensive passwordless authentication:\nManaged identity support for Azure VMs and VMSS (system-assigned and user-assigned) AKS workload identity via OIDC token exchange for Kubernetes workloads Azure Arc managed identity for hybrid and on-premises servers Automatic runtime detection of the authentication method, with a fallback hierarchy HTTP client migration from excon to rest-client for improved compatibility Authentication Enhancement Auto-detection hierarchy when managed_identity is enabled:\nAKS Workload Identity: Uses OIDC token exchange if required environment variables are present Azure Arc: Detects azcmagent process and uses Arc managed identity endpoint for hybrid servers IMDS: Falls back to Instance Metadata Service for Azure VMs/VMSS Backward compatibility: Existing service principal authentication unchanged and remains default.\nSecurity Impact (Authentication \u0026amp; Data Ingestion) Removes stored-secret handling from the ingestion pipeline:\nNo client secrets: Removes need to store and rotate authentication secrets in Logstash configurations Environment-native: Uses Azure platform identity instead of stored credentials Cross-environment support: Single configuration works across Azure VMs, AKS clusters, and Arc-connected servers Improved operational security: Reduces attack surface by eliminating stored credentials in configuration files For Azure Arc environments: 
Requires Logstash process user membership in himds group for challenge token access.\nAffected Files DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin/CHANGELOG.md DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin/README.md DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin/examples/auxiliary-logs/arm-template/deploy-dcr-dce-cef-table.json DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin/examples/auxiliary-logs/config/bronze.conf DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin/examples/auxiliary-logs/config/logstash.yml DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin/examples/auxiliary-logs/config/pipelines.yml DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin/examples/auxiliary-logs/config/syslog.conf DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin/lib/logstash/outputs/microsoft-sentinel-log-analytics-logstash-output-plugin.rb DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin/lib/logstash/sentinel_la/logAnalyticsAadTokenProvider.rb DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin/lib/logstash/sentinel_la/logAnalyticsArcTokenProvider.rb DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin/lib/logstash/sentinel_la/logAnalyticsClient.rb DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin/lib/logstash/sentinel_la/logAnalyticsManagedIdentityTokenProvider.rb DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin/lib/logstash/sentinel_la/logStashEventsBatcher.rb DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin/lib/logstash/sentinel_la/logstashLoganalyticsConfiguration.rb DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin/lib/logstash/sentinel_la/version.rb 
DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin/microsoft-sentinel-log-analytics-logstash-output-plugin.gemspec ","permalink":"http://sentinelchangelog.net/posts/2026-02-17-pr-13582/","summary":"Logstash output plugin enhanced with managed identity authentication for Azure VMs, AKS workload identity, and Azure Arc servers.","title":"Microsoft Sentinel Logstash Plugin: Passwordless Authentication with Managed Identity Support"},{"content":"What Changed First-time packaging of Visa Threat Intelligence (VTI) solution for Microsoft Sentinel, including complete solution artifacts:\nDCR-based data connector for Visa IOC ingestion 2 high-severity analytic rules targeting domain and SHA1 IOCs VTI IOC Feed workbook for threat intelligence visualization Solution packaging with ARM templates and metadata Data Source Visa Threat Intelligence Platform (VTIP): DCR connector ingests IOCs using X-Pay Token authentication\nCustom table: VisaThreatIntelligenceIOC_CL IOC types: Domains, file hashes (SHA1), additional IOC types supported Severity classification: High, Medium, Low severity indicators from Visa threat intelligence Detection Logic VTI - High Severity Domain Collision Detection (VTIP_high_severity_domain.yaml):\nData source: EmailUrlInfo joined with VisaThreatIntelligenceIOC_CL Logic: Correlates email URL domains against VTI high-severity domain IOCs Entity mapping: URL and DNS entities for threat hunting MITRE: T1566 (Phishing) - Initial Access tactic VTI - High Severity SHA1 Collision Detection (VTIP_high_severity_sha1.yaml):\nData source: DeviceFileEvents joined with VisaThreatIntelligenceIOC_CL Logic: Matches file SHA1 hashes against VTI high-severity hash IOCs Entity mapping: Host and FileHash entities for endpoint correlation MITRE: T1204 (User Execution) - Execution tactic Security Impact (Threat Intelligence Integration) Provides financial sector threat intelligence visibility:\nPayment industry IOCs: Visa-specific threat intelligence for 
financial services Cross-platform detection: Email security (domains) and endpoint security (file hashes) High-confidence indicators: Focus on high-severity IOCs to minimize false positives Real-time correlation: DCR ingestion enables near real-time IOC matching Affected Files .vscode/extensions.json .vscode/launch.json .vscode/settings.json .vscode/tasks.json Solutions/Visa Threat Intelligence (VTI)/Analytic Rules/VTIP_high_severity_domain.yaml Solutions/Visa Threat Intelligence (VTI)/Analytic Rules/VTIP_high_severity_sha1.yaml Solutions/Visa Threat Intelligence (VTI)/DataConnectors/VisaThreatIntelligenceConnector.json Solutions/Visa Threat Intelligence (VTI)/Package/testParameters.json Solutions/Visa Threat Intelligence (VTI)/README.md Solutions/Visa Threat Intelligence (VTI)/Workbooks/Images/Logo/Visa_VTI_Logo.svg Solutions/Visa Threat Intelligence (VTI)/Workbooks/Images/Preview/VTIOverview_black.png Solutions/Visa Threat Intelligence (VTI)/Workbooks/Images/Preview/VTIOverview_white.png Solutions/Visa Threat Intelligence (VTI)/Workbooks/VTI_IOC_Feed.json (packaging artefacts: 3.0.0.zip, SolutionMetadata.json, Solution_VTI.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-02-13-pr-13616/","summary":"New Visa Threat Intelligence (VTI) solution providing IOC feeds via DCR connector with high-severity detection rules for domains and file hashes.","title":"Visa Threat Intelligence Solution: Initial Package Release with IOC Detection Rules"},{"content":"What Changed Updated JoeSandbox Function App connector deployment documentation:\nFixed deployment links: Updated ARM template links to correct endpoints Removed manual deployment: Eliminated lengthy manual VS Code deployment steps Streamlined options: Now provides only automated ARM template deployment with Flex Consumption and Premium plan options Deployment Improvements Before: Three deployment options including complex manual VS Code setup After: Two 
streamlined automated deployment options:\nOption 1: Flex Consumption Plan via ARM template Option 2: Premium Plan via ARM template Both options link to automated deployment buttons with pre-configured templates.\nDocumentation Impact Removed 3 complex manual deployment sections that required:\nVS Code setup and Azure Functions development environment Manual function app creation and configuration Individual application setting configuration The manual deployment process was error-prone and required significant technical expertise. Automated ARM template deployment reduces deployment time and configuration errors.\nAffected Files Solutions/JoeSandbox/Data Connectors/JoeSandboxThreatIntelligence_FunctionApp.json (packaging artefacts: 3.0.0.zip, ReleaseNotes.md, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-02-13-pr-13623/","summary":"JoeSandbox solution deployment documentation updated with corrected Azure links and streamlined automated deployment options.","title":"JoeSandbox Solution: Updated Deployment Links and Removed Manual Installation Steps"},{"content":"What Changed Fixed critical ARM template parameter syntax error in MailRisk CCF connector that was preventing successful deployments.\nDeployment Template Fix ARM template parameter extraction corrected:\nBefore: Double bracket syntax causing parsing failures After: Single bracket syntax enabling proper parameter extraction The incorrect syntax was causing ARM template parsing failures during connector deployment.\nSecurity Impact (Data Ingestion) This was a complete connector deployment blocker:\nPre-fix: MailRisk connector deployments failed entirely due to ARM template parsing errors Post-fix: Connector deploys successfully and can ingest threat intelligence data from MailRisk API Any organization attempting to deploy MailRisk CCF connector since v3.0.0 migration (Oct 2025) experienced deployment failures, resulting in zero data ingestion from MailRisk threat feeds until this 
fix.\nCCF Authentication Configuration Fixed authentication block in MailRisk polling configuration:\nUserName: Maps to API key parameter Password: Maps to API secret parameter Endpoint: https://api.mailrisk.com/v1/events (unchanged) Per PR discussion: connector functionality verified with successful connection screenshot provided by contributor.\nAffected Files Solutions/MailRisk/Data Connectors/MailRisk_CCP/MailRisk_PollingConfig.json (packaging artefacts: 3.0.0.zip, ReleaseNotes.md, Solution_SecurePracticeMailRisk.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-02-13-pr-13497/","summary":"Fixed CCF deployment blocking issue in MailRisk connector caused by incorrect ARM template parameter extraction syntax.","title":"MailRisk CCF Connector: Critical Parameter Syntax Fix for Deployment Failures"},{"content":"What Changed Added 5 comprehensive analytic rules to the Azure Firewall solution targeting Azure Firewall IDPS signature data (AZFWIdpsSignature table):\nHigh severity malicious activity detected - Targets exploit kits, C2 domains, credential theft, and trojans Medium severity malicious activity detected - Detects PUPs, social engineering, cryptomining, and suspicious files Web Application attack detected - Identifies web application exploitation attempts DDoS attack detected - Monitors for denial of service attack patterns Elevation of Privilege attempt detected - Detects privilege escalation attempts Detection Logic All rules query AZFWIdpsSignature with:\n90-day lookback window for comprehensive threat hunting Configurable severity thresholds and category filters Aggregation by SourceIP with 10+ hit threshold to reduce noise Flexible filtering system with toggleable category/description/action filters MITRE Coverage Expansion The new rules significantly expand MITRE ATT\u0026amp;CK coverage:\nT1190 (Exploit Public-Facing Application) - Web app attacks T1498 (Network Denial of Service) - DDoS detection T1078 (Valid Accounts), 
T1110 (Brute Force) - Privilege escalation T1041 (Exfiltration Over C2), T1003 (OS Credential Dumping) - High severity threats T1496 (Resource Hijacking), T1036 (Masquerading) - Medium severity threats Security Impact (Detection Coverage) These rules transform Azure Firewall from primarily network filtering to comprehensive threat detection:\nAttack surface visibility: Web application attacks, DDoS attempts, C2 communications Threat intelligence integration: IDPS signature correlation with known attack patterns Behavioral analysis: Multi-stage attack detection through aggregated source IP analysis Reduced false positives: Threshold-based detection (10+ hits per source) minimizes alert fatigue Affected Files Solutions/Azure Firewall/Analytic Rules/Azure Firewall - DDoS attack detected.yaml Solutions/Azure Firewall/Analytic Rules/Azure Firewall - Elevation of Privilege attempt detected.yaml Solutions/Azure Firewall/Analytic Rules/Azure Firewall - High severity malicious activity detected.yaml Solutions/Azure Firewall/Analytic Rules/Azure Firewall - Medium severity malicious activity detected.yaml Solutions/Azure Firewall/Analytic Rules/Azure Firewall - Web Application attack detected.yaml (packaging artefacts: 3.0.5.zip, ReleaseNotes.md, Solution_AzureFirewall.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-02-13-pr-13591/","summary":"Azure Firewall solution expanded with 5 new analytic rules targeting high/medium severity threats, DDoS attacks, web application attacks, and privilege escalation attempts.","title":"Azure Firewall: Five New IDPS Analytic Rules for Advanced Threat Detection"},{"content":"What Changed Complete replacement of Lumen Threat Feed connector infrastructure:\nRemoved: Deprecated V1.1 connector using Durable Functions architecture Added: New V2 connector with Azure Functions V2 programming model Added: Private networking support template for customers with corporate storage endpoint 
requirements Connector Improvements V2 connector addresses key limitations:\nAPI v3 compatibility: Uses new Lumen endpoint with native pagination support, eliminating complex blob storage orchestration Simplified architecture: Single timer-triggered function replaces multi-function Durable Functions workflow Private endpoint support: New ARM template variant supports Function Apps with private storage endpoints Enhanced filtering: Confidence threshold and indicator type filtering at API level Improved reliability: Direct page-by-page processing with automatic retry and exponential backoff Security Impact (Threat Intelligence) The V2 connector continues feeding threat intelligence indicators to ThreatIntelligenceIndicator table but with:\nSame 15-minute sync interval maintained for threat intelligence freshness Improved data fidelity from API v3 pagination vs. V1.1 delta sync approach Enhanced filtering capabilities reduce noise through server-side confidence thresholds The deprecation of V1.1 means existing deployments must migrate to V2 to continue receiving Lumen threat intelligence updates.\nAffected Files Solutions/Lumen Defender Threat Feed/Data Connectors/LumenThreatFeed/LumenThreatFeedConnector/.funcignore Solutions/Lumen Defender Threat Feed/Data Connectors/LumenThreatFeed/LumenThreatFeedConnector/.gitignore Solutions/Lumen Defender Threat Feed/Data Connectors/LumenThreatFeed/LumenThreatFeedConnector/README.md Solutions/Lumen Defender Threat Feed/Data Connectors/LumenThreatFeed/LumenThreatFeedConnector/activity_cleanup_blob/__init__.py Solutions/Lumen Defender Threat Feed/Data Connectors/LumenThreatFeed/LumenThreatFeedConnector/activity_cleanup_blob/function.json Solutions/Lumen Defender Threat Feed/Data Connectors/LumenThreatFeed/LumenThreatFeedConnector/activity_get_manifest_page/__init__.py Solutions/Lumen Defender Threat Feed/Data Connectors/LumenThreatFeed/LumenThreatFeedConnector/activity_get_manifest_page/function.json Solutions/Lumen Defender Threat 
Feed/Data Connectors/LumenThreatFeed/LumenThreatFeedConnector/activity_upload_from_blob/__init__.py Solutions/Lumen Defender Threat Feed/Data Connectors/LumenThreatFeed/LumenThreatFeedConnector/activity_upload_from_blob/function.json Solutions/Lumen Defender Threat Feed/Data Connectors/LumenThreatFeed/LumenThreatFeedConnector/main.py Solutions/Lumen Defender Threat Feed/Data Connectors/LumenThreatFeed/LumenThreatFeedConnector/orchestrator_function/__init__.py Solutions/Lumen Defender Threat Feed/Data Connectors/LumenThreatFeed/LumenThreatFeedConnector/orchestrator_function/function.json Solutions/Lumen Defender Threat Feed/Data Connectors/LumenThreatFeed/LumenThreatFeedConnector/requirements.txt Solutions/Lumen Defender Threat Feed/Data Connectors/LumenThreatFeed/LumenThreatFeedConnector/timer_starter_function/__init__.py Solutions/Lumen Defender Threat Feed/Data Connectors/LumenThreatFeed/LumenThreatFeedConnector/timer_starter_function/function.json Solutions/Lumen Defender Threat Feed/Data Connectors/LumenThreatFeed/azuredeploy_Connector_LumenThreatFeed_AzureFunction.json Solutions/Lumen Defender Threat Feed/Data Connectors/LumenThreatFeedv2/LumenThreatFeedConnectorV2/README.md Solutions/Lumen Defender Threat Feed/Data Connectors/LumenThreatFeedv2/LumenThreatFeedConnectorV2/__init__.py Solutions/Lumen Defender Threat Feed/Data Connectors/LumenThreatFeedv2/LumenThreatFeedConnectorV2/function_app.py Solutions/Lumen Defender Threat Feed/Data Connectors/LumenThreatFeedv2/LumenThreatFeedConnectorV2/host.json Solutions/Lumen Defender Threat Feed/Data Connectors/LumenThreatFeedv2/LumenThreatFeedConnectorV2/main.py Solutions/Lumen Defender Threat Feed/Data Connectors/LumenThreatFeedv2/LumenThreatFeedConnectorV2/requirements.txt Solutions/Lumen Defender Threat Feed/Data Connectors/LumenThreatFeedv2/LumenThreatFeedConnectorV2_ConnectorUI.json Solutions/Lumen Defender Threat Feed/Data Connectors/LumenThreatFeedv2/LumenThreatFeedConnectorV2_PrivateNetworking_ConnectorUI.json 
Solutions/Lumen Defender Threat Feed/Data Connectors/LumenThreatFeedv2/azuredeploy_Connector_LumenThreatFeed_AzureFunction_v2.json Solutions/Lumen Defender Threat Feed/Data Connectors/LumenThreatFeedv2/azuredeploy_Connector_LumenThreatFeed_AzureFunction_v2_privateendpoint.json Solutions/Lumen Defender Threat Feed/Data Connectors/LumenThreatFeedv2/azuredeploy_VNet_for_PrivateEndpoint.json Solutions/Lumen Defender Threat Feed/README.md (packaging artefacts: 3.2.0.zip, LumenThreatFeedConnector.zip, LumenThreatFeedConnectorv2.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_LumenDefenderThreatFeed.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-02-12-pr-13575/","summary":"Lumen Defender Threat Feed solution updated with V2 connector using new API v3 endpoint, removing deprecated V1.1 connector entirely.","title":"Lumen Threat Feed: V2 Connector Replaces Deprecated V1.1 with Paginated API Support"},{"content":"What Changed New ASIM User Management parser for AWS CloudTrail supporting IAM and Cognito Identity Provider event normalization.\nParser Impact The parser normalizes AWS CloudTrail user management events to ASIM User Management schema (v0.1.2), targeting:\nIAM events (iam.amazonaws.com): user/role lifecycle, group membership, policy attachments Cognito IDP events (cognito-idp.amazonaws.com): user pools, group management, authentication configuration Detection Surface Unlocked Provides normalized visibility into AWS identity operations:\nUser and role creation/deletion across IAM and Cognito Group membership changes and policy modifications Password changes and MFA device management Cross-service identity activity correlation via ASIM schema ASIM Schema Enhancement Added new enumerated values to ASimTester.csv:\nEventVendor: AWS for UserManagement schema EventProduct: CloudTrail for UserManagement schema GroupIdType: Simple enumeration TargetUserIdType: AWSIAMUserId, AWSIAMRoleId enumerations Affected 
Files ASIM/dev/ASimTester/ASimTester.csv Parsers/ASimUserManagement/ARM/ASimUserManagement/ASimUserManagement.json Parsers/ASimUserManagement/ARM/ASimUserManagementAWSCloudTrail/ASimUserManagementAWSCloudTrail.json Parsers/ASimUserManagement/ARM/ASimUserManagementAWSCloudTrail/README.md Parsers/ASimUserManagement/ARM/FullDeploymentUserManagement.json Parsers/ASimUserManagement/ARM/imUserManagement/imUserManagement.json Parsers/ASimUserManagement/ARM/vimUserManagementAWSCloudTrail/README.md Parsers/ASimUserManagement/ARM/vimUserManagementAWSCloudTrail/vimUserManagementAWSCloudTrail.json Parsers/ASimUserManagement/CHANGELOG/ASimUserManagementAWSCloudTrail.md Parsers/ASimUserManagement/CHANGELOG/vimUserManagementAWSCloudTrail.md Parsers/ASimUserManagement/Parsers/ASimUserManagement.yaml Parsers/ASimUserManagement/Parsers/ASimUserManagementAWSCloudTrail.yaml Parsers/ASimUserManagement/Parsers/imUserManagement.yaml Parsers/ASimUserManagement/Parsers/vimUserManagementAWSCloudTrail.yaml ","permalink":"http://sentinelchangelog.net/posts/2026-02-12-pr-13503/","summary":"New ASIM parser normalizes AWS CloudTrail user management events from IAM and Cognito services into Microsoft Sentinel.","title":"ASIM User Management: AWS CloudTrail Parser Enables IAM and Cognito Visibility"},{"content":"Affected Files ASIM/dev/ASimTester/ASimTester.csv ","permalink":"http://sentinelchangelog.net/posts/2026-02-12-pr-13518/","summary":"ASIM Authentication schema expanded to include NetworkCleartext authentication subtype for cleartext password events.","title":"ASIM Authentication Schema: NetworkCleartext SubType Added"},{"content":"What Changed Tenable App solution updated to version 3.1.2 with enhanced rsyslog configuration options. 
Two new configuration files added: standard rsyslog configuration and an enhanced version with source IP filtering capabilities for improved log processing.\nThe update addresses incorrectly populated configuration commands on the Data Connector UI page and provides additional filtering options to reduce noise in vulnerability scanner logs by applying source IP-based filtering to syslog streams.\nAffected Files Solutions/Tenable App/Data Connectors/TenableIE/80-tenable-allowedsender.conf Solutions/Tenable App/Data Connectors/TenableIE/80-tenable-filter.conf Solutions/Tenable App/Data Connectors/TenableIE/README.md Solutions/Tenable App/Data Connectors/TenableIE/TenableIE.json (packaging artefacts: 3.1.2.zip, ReleaseNotes.md, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-02-10-pr-13429/","summary":"Additional rsyslog configuration files added with source IP filtering capabilities to improve log collection accuracy and data connector UI guidance.","title":"Tenable App: Enhanced Rsyslog Configuration with Source IP Filtering"},{"content":"What Changed Fixed two broken links reported via customer incident: Microsoft Entra ID ADFSSignInLogsPasswordSpray analytic rule now references local documentation instead of defunct Microsoft URL, and Network Session Essentials hunting queries corrected MITRE technique from non-existent T1905 to valid T1095 (Non-Application Layer Protocol).\nNew ADFSSignInLogsPasswordSpray.md file provides Connect Health error code reference that was previously unavailable due to broken external link. 
Both solutions updated to resolve Content Hub display issues affecting user experience.\nAffected Files Solutions/Microsoft Entra ID/ADFSSignInLogsPasswordSpray.md Solutions/Microsoft Entra ID/Analytic Rules/ADFSSignInLogsPasswordSpray.yaml Solutions/Network Session Essentials/Hunting Queries/DetectPortMisuseByAnomalyHunting.yaml Solutions/Network Session Essentials/Hunting Queries/DetectPortMisuseByStaticThresholdHunting.yaml (packaging artefacts: 3.0.9.zip, 3.3.8.zip, ReleaseNotes.md, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-02-06-pr-13510/","summary":"Customer-reported broken links fixed in analytic rule descriptions with corrected MITRE technique references and restored documentation.","title":"Documentation Fix: Broken Links Resolved in Microsoft Entra ID and Network Session Essentials"},{"content":"What Changed Global Secure Access solution updated to version 3.0.2 with three new threat intelligence correlation analytic rules and one new MCP (Model Context Protocol) monitoring workbook.\nDetection Logic Three new analytic rules added for threat intelligence correlation:\nTI Map Domain Entity: Correlates domain IOCs from ThreatIntelIndicators with NetworkAccessTraffic DestinationFqdn, targeting C\u0026amp;C communication TI Map IP Entity: Matches IP IOCs against NetworkAccessTraffic DestinationIp for malicious traffic detection TI Map URL Entity: Identifies URL IOCs in NetworkAccessTraffic DestinationUrl for web-based threats All rules query 1-hour windows against 14-day threat intelligence lookback, targeting MITRE T1071 (Application Layer Protocol) for command and control detection.\nMITRE Mapping T1071: Application Layer Protocol - All three rules detect command and control communications using standard application protocols through Global Secure Access traffic monitoring. 
Affected Files .script/tests/KqlvalidationsTests/CustomTables/NetworkAccessTraffic.json Solutions/Global Secure Access/Analytic Rules/GSA - TI Domain Entity.yaml Solutions/Global Secure Access/Analytic Rules/GSA - TI IP Entity.yaml Solutions/Global Secure Access/Analytic Rules/GSA - TI URL Entity.yaml Solutions/Global Secure Access/Package/testParameters.json Solutions/Global Secure Access/Workbooks/GSAMCPInsights.json Workbooks/Images/Preview/GSAMCPInsightsBlack.png Workbooks/Images/Preview/GSAMCPInsightsWhite.png Workbooks/WorkbooksMetadata.json (packaging artefacts: 3.0.2.zip, ReleaseNotes.md, Solution_GlobalSecureAccess.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-02-06-pr-13525/","summary":"New analytic rules correlate threat intelligence indicators with GSA traffic while MCP Servers Dashboard provides Model Context Protocol server monitoring.","title":"Global Secure Access: Enhanced Threat Intelligence Correlation and MCP Monitoring"},{"content":"What Changed The SAP solution received comprehensive agentless tooling for Microsoft Sentinel connectivity via SAP Integration Suite. 
The new PowerShell toolkit includes scripts for destination discovery, service provisioning, and automated connection creation with support for multiple authentication modes.\nNew Capabilities Unlocked The toolkit enables:\nDual-mode credential management: Cloud Foundry runtime retrieval or direct credential supply CSV-based destination processing: Automated creation of multiple SAP backend connections Shared infrastructure: Single DCE/DCR supporting all connections to standard SAP tables (ABAPAuditLog, ABAPChangeDocsLog, ABAPUserDetails, ABAPAuthorizationDetails, SentinelHealth) NEO environment support: Basic authentication for legacy SAP environments This provides critical flexibility for organizations with complex SAP landscapes requiring different authentication methods across production, development, and legacy systems, enhancing SAP security monitoring coverage without agent deployment requirements.\nAffected Files Solutions/SAP/Tools/IntegrationSuite/.gitignore Solutions/SAP/Tools/IntegrationSuite/IntegrationSuiteHelpers.ps1 Solutions/SAP/Tools/IntegrationSuite/README.md Solutions/SAP/Tools/IntegrationSuite/SAPCC_DCR.json Solutions/SAP/Tools/IntegrationSuite/connect-sentinel-to-integration-suite.ps1 Solutions/SAP/Tools/IntegrationSuite/destinations-sample.csv Solutions/SAP/Tools/IntegrationSuite/discover-destinations.ps1 Solutions/SAP/Tools/IntegrationSuite/provision-sap-cpi-runtime.ps1 ","permalink":"http://sentinelchangelog.net/posts/2026-02-06-pr-13465/","summary":"New PowerShell tooling enables agentless SAP data collection via Integration Suite with dual-mode credentials and CSV-based destination management.","title":"SAP Solution: Agentless Integration Suite Tooling Added for Enhanced ERP Connectivity"},{"content":"What Changed The Cisco Duo Security solution was updated to version 3.1.0 with critical fixes for Azure portal deployment failures and Python runtime compatibility. 
The createUiDefinition.json now derives location parameters from the selected Log Analytics workspace instead of passing empty values that caused ARM template validation failures.\nSecurity Impact This fix resolves a complete deployment blocker affecting all new Cisco Duo Security connector installations via Azure portal. The empty location parameter issue prevented successful deployments, creating a blind spot for organizations attempting to ingest Cisco Duo authentication, administrator, telephony, and offline enrollment logs.\nAdditionally, the Python runtime bundle was updated from version [3.*, 4.0.0) to [4.0.0, 5.0.0), addressing breaking changes for existing deployments running on Python 3.11. Without this fix, existing function app connectors would fail to execute, resulting in complete data ingestion failure for authentication monitoring and multi-factor authentication visibility.\nAffected Files Solutions/CiscoDuoSecurity/Data Connectors/host.json Solutions/ContentHubSolutionsCatalog.md (packaging artefacts: 3.1.0.zip, ReleaseNotes.md, Solution_CiscoDuoSecurity.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-02-05-pr-13532/","summary":"Azure portal deployment failures resolved by fixing empty location parameters and updating Python runtime compatibility to prevent connector breakage.","title":"Cisco Duo Security: Critical Deployment Fix Resolves Portal Installation Failures"},{"content":"Data Source meshStack is a cloud platform management solution that helps platform engineering teams build, operate, and scale internal developer platforms (IDPs). 
This connector provides audit and governance visibility into platform operations including workspace management, resource provisioning, policy enforcement, and user access events.\nIngestion Mechanism CCF-based connector with OAuth2 authentication using client credentials flow:\nAuthentication: OAuth2 with API Key credentials (Key ID as client_id, Key Secret as client_secret) Data Collection: REST API polling of meshStack Events API at /api/meshobjects/mesheventlogs Destination Table: Custom table meshStackEventLogs_CL with 8 columns including TimeGenerated, EventTitle, EventType, WorkspaceName, AuthorIdentifier The connector implements pagination support, configurable query windows (5-minute default), and rate limiting (10 QPS).\nDetection Surface Unlocked Enables monitoring of cloud platform governance and security events:\nPlatform Access Control: User authentication, authorization, and role changes across workspaces Resource Governance: Policy violations, compliance failures, and privilege escalation attempts Audit Trail: Complete event logging for compliance requirements and forensic investigation Workspace Operations: Multi-cloud environment changes, configuration drift, and unauthorized modifications This integration provides critical visibility into internal developer platform security, enabling SOC teams to correlate platform governance events with broader security incidents and detect insider threats or misconfigurations in cloud platform management.\nAffected Files Logos/meshcloud.svg Solutions/meshStack/Data Connectors/meshStackEventLogs_ccp/meshStackEventLogs_DCR.json Solutions/meshStack/Data Connectors/meshStackEventLogs_ccp/meshStackEventLogs_PollerConfig.json Solutions/meshStack/Data Connectors/meshStackEventLogs_ccp/meshStackEventLogs_Table.json Solutions/meshStack/Data Connectors/meshStackEventLogs_ccp/meshStackEventLogs_connectorDefinition.json Solutions/meshStack/Package/testParameters.json Solutions/meshStack/README.md 
Solutions/meshStack/events-example-response.json Tools/Create-Azure-Sentinel-Solution/common/get-ccp-details.ps1 (packaging artefacts: 3.0.0.zip, SolutionMetadata.json, Solution_meshStack.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-02-05-pr-13324/","summary":"meshStack event logging connector enables cloud platform governance monitoring by ingesting developer platform events into Microsoft Sentinel.","title":"New Solution: meshStack Platform Event Logs Integration for Cloud Governance"},{"content":"What Changed Both ASimAlertEventMicrosoftDefenderXDR and vimAlertEventMicrosoftDefenderXDR parsers were updated to version 0.2.0 with significant KQL logic improvements and field mapping corrections.\nParser Impact Key changes include corrected DvcIdType mapping (changed from \u0026ldquo;MDEid\u0026rdquo; to \u0026ldquo;FQDN\u0026rdquo;), improved Username field mapping (AccountName vs AccountUpn), optimized regex operations using replace_regex instead of replace, and enhanced AdditionalFields structure with consolidated IP address collection using make_list().\nThe parsers now properly collect and expose IP addresses from multiple sources (RemoteIP, LocalIP, Host.IpInterfaces) in a unified IpAddresses array, improving IP-based correlation capabilities. 
No change to normalized field names or filter logic — safe for existing detections using these parsers.\nAffected Files Parsers/ASimAlertEvent/ARM/ASimAlertEventMicrosoftDefenderXDR/ASimAlertEventMicrosoftDefenderXDR.json Parsers/ASimAlertEvent/ARM/vimAlertEventMicrosoftDefenderXDR/vimAlertEventMicrosoftDefenderXDR.json Parsers/ASimAlertEvent/CHANGELOG/ASimAlertEventMicrosoftDefenderXDR.md Parsers/ASimAlertEvent/CHANGELOG/vimAlertEventMicrosoftDefenderXDR.md Parsers/ASimAlertEvent/Parsers/ASimAlertEventMicrosoftDefenderXDR.yaml Parsers/ASimAlertEvent/Parsers/vimAlertEventMicrosoftDefenderXDR.yaml ","permalink":"http://sentinelchangelog.net/posts/2026-02-05-pr-13418/","summary":"Microsoft Defender XDR AlertEvent parsers updated with optimized KQL logic, corrected field mappings, and enhanced IP address collection.","title":"ASIM AlertEvent: Microsoft Defender XDR Parser Enhanced with Improved Field Mappings"},{"content":"What Changed The Solutions Analyzer documentation generation tool received major enhancements including lake-only ingestion status tracking from Microsoft Sentinel documentation, collection methods indexing with official Microsoft references, and improved connector association logic for ASIM parsers and standalone content.\nKey additions include a unified statistics page, extended filter fields detection supporting 22 field types, device configuration overrides for 19+ products, and enhanced caching with selective refresh capabilities. 
The tool now provides comprehensive documentation generation for Microsoft Sentinel solutions, connectors, tables, and content relationships.\nAffected Files Tools/Solutions Analyzer/README.md Tools/Solutions Analyzer/asim_parsers.csv Tools/Solutions Analyzer/collect_table_info.py Tools/Solutions Analyzer/connectors.csv Tools/Solutions Analyzer/filter_fields_findings.md Tools/Solutions Analyzer/generate_connector_docs.py Tools/Solutions Analyzer/graphics/data-flow-diagram.svg Tools/Solutions Analyzer/map_solutions_connectors_tables.py Tools/Solutions Analyzer/parsers.csv Tools/Solutions Analyzer/script-docs/collect_table_info.md Tools/Solutions Analyzer/script-docs/generate_connector_docs.md Tools/Solutions Analyzer/script-docs/map_solutions_connectors_tables.md Tools/Solutions Analyzer/solution_analyzer_overrides.csv Tools/Solutions Analyzer/solutions.csv Tools/Solutions Analyzer/solutions_connectors_tables_issues_and_exceptions_report.csv Tools/Solutions Analyzer/solutions_connectors_tables_mapping.csv Tools/Solutions Analyzer/solutions_connectors_tables_mapping_simplified.csv Tools/Solutions Analyzer/tables.csv Tools/Solutions Analyzer/tables_reference.csv ","permalink":"http://sentinelchangelog.net/posts/2026-02-04-pr-13478/","summary":"Comprehensive documentation tool update adds lake-only ingestion tracking, collection methods index, and enhanced connector association analysis.","title":"Solutions Analyzer: Enhanced Documentation with Lake-Only Ingestion and Statistics Features"},{"content":"Data Source This solution integrates TacitRed\u0026rsquo;s threat intelligence platform, which provides compromised credential monitoring and threat surface intelligence. 
The solution enables automated retrieval of compromised credentials and other threat indicators from TacitRed\u0026rsquo;s API for ingestion into Microsoft Sentinel.\nIngestion Mechanism Function App-based solution with dual components:\nAzure Function App: Processes TacitRed API data and converts findings to STIX format Logic App Playbook: Scheduled automation (every 6 hours) that orchestrates data retrieval and upload to Microsoft Defender Threat Intelligence The solution uses the ARM-based createIndicator API to upload threat indicators, requiring Reader and Microsoft Sentinel Contributor roles on the target workspace.\nDetection Surface Unlocked Enables detection of credential-based attacks by providing visibility into:\nCompromised organizational credentials discovered in dark web monitoring Credential stuffing and password spray attack correlation Account takeover risk assessment through exposed credential intelligence Timeline correlation between credential exposure and suspicious authentication events The integration feeds Microsoft Defender Threat Intelligence with indicators that can trigger alerts when compromised credentials are used in authentication attempts against organizational resources.\nAffected Files Logos/tacitred_logo.svg Solutions/TacitRed-Defender-ThreatIntelligence/Package/testParameters.json Solutions/TacitRed-Defender-ThreatIntelligence/Playbooks/TacitRedDefenderTI_FunctionApp/azuredeploy.json Solutions/TacitRed-Defender-ThreatIntelligence/Playbooks/TacitRedToDefenderTI/Images/TacitRedToDefenderTIDark.png Solutions/TacitRed-Defender-ThreatIntelligence/Playbooks/TacitRedToDefenderTI/Images/TacitRedToDefenderTILight.png Solutions/TacitRed-Defender-ThreatIntelligence/Playbooks/TacitRedToDefenderTI/azuredeploy.json Solutions/TacitRed-Defender-ThreatIntelligence/Playbooks/TacitRedToDefenderTI/readme.md Solutions/TacitRed-Defender-ThreatIntelligence/README.md (packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, 
Solution_TacitRedDefenderThreatIntelligence.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-02-04-pr-13266/","summary":"Official TacitRed Defender TI solution from Data443 enables automated sync of compromised credentials to Microsoft Defender Threat Intelligence.","title":"New Solution: TacitRed Defender Threat Intelligence Integration"},{"content":"What Changed TacitRed SentinelOne IOC Automation solution metadata was updated to align the solutionId with Partner Center format (data443riskmitigationinc1761580347231.azure-sentinel-solution-tacitred-s1-ioc-auto) and corrected template variable errors that were causing deployment failures.\nAffected Files (packaging artefacts: 3.0.0.zip, SolutionMetadata.json, Solution_TacitRedSentinelOneAutomation.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-02-04-pr-13556/","summary":"TacitRed SentinelOne solution metadata updated for Partner Center alignment with ARM template variable corrections.","title":"TacitRed SentinelOne Solution: Partner Center Metadata Alignment and Template Fixes"},{"content":"What Changed TacitRed Threat Intelligence solution metadata was updated to align the solutionId with Partner Center publisherId.offerId format requirements (data443riskmitigationinc1761580347231.azure-sentinel-solution-tacitred-threat-intel).\nAffected Files (packaging artefacts: 3.0.0.zip, SolutionMetadata.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-02-04-pr-13557/","summary":"TacitRed solution metadata updated for Partner Center publisherId.offerId alignment.","title":"TacitRed Threat Intelligence Solution: Partner Center Metadata Alignment"},{"content":"What Changed The CyberArk EPM (Endpoint Privilege Manager) connector function app package was updated to include the missing .python_packages dependency file. 
This addresses a critical deployment bug where the function app would fail during installation.\nSecurity Impact Deployments attempting to install the CyberArk EPM connector experienced complete installation failure due to the missing Python dependencies file. This created a detection blind spot for organizations relying on privileged access monitoring and endpoint privilege escalation visibility.\nThe CyberArk EPM connector provides crucial security telemetry for privileged access management including credential elevation events, policy violations, and application control actions — essential data for detecting privilege abuse and credential theft patterns.\nAffected Files (packaging artefacts: CyberArkEPMSentinelConn.zip) ","permalink":"http://sentinelchangelog.net/posts/2026-02-04-pr-13527/","summary":"Missing .python_packages dependency added to function app package, resolving deployment failures that blocked connector installations.","title":"CyberArk EPM Connector: Critical Package Fix Restores Function App Deployment"},{"content":"What Changed The ASIM sudo authentication parsers (both ASimAuthenticationSudo and vimAuthenticationSudo) received major updates to align with Authentication schema version 0.1.4, including comprehensive field mapping improvements and code refactoring.\nParser Impact Key enhancements include:\nSchema version updated from 0.1.1 to 0.1.4 Added SeverityLevel normalization to EventSeverity using lookup table Improved field mappings: HostIP → SrcIpAddr, ProcessName → TargetAppName/ActingAppName Added ProcessID → ActingAppId mapping Corrected EventProduct from \u0026ldquo;sudo\u0026rdquo; to \u0026ldquo;Linux\u0026rdquo; Added alias fields: Src, Dvc, IpAddr for better query compatibility Removed unnormalized columns and code duplication Security Impact (Visibility \u0026amp; Fidelity) The updates ensure consistent data normalization across sudo authentication events, improving:\nCross-parser query compatibility through standardized field 
mappings Severity-based alerting and filtering capabilities via EventSeverity normalization Enhanced correlation potential with proper source IP and application mappings Better performance through reduced code duplication and improved filtering Organizations using ASIM-based detection rules for privilege escalation monitoring will benefit from more complete and consistent field population across sudo authentication events.\nAffected Files Parsers/ASimAuthentication/ARM/ASimAuthenticationSudo/ASimAuthenticationSudo.json Parsers/ASimAuthentication/ARM/vimAuthenticationSudo/vimAuthenticationSudo.json Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationSudo.md Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationSudo.md Parsers/ASimAuthentication/Parsers/ASimAuthenticationSudo.yaml Parsers/ASimAuthentication/Parsers/vimAuthenticationSudo.yaml ","permalink":"http://sentinelchangelog.net/posts/2026-02-04-pr-13529/","summary":"ASIM sudo parser updated to schema 0.1.4 with improved field mappings, severity normalization, and code deduplication.","title":"ASIM Sudo Authentication Parser: Schema Version 0.1.4 Compliance and Field Mapping Enhancements"},{"content":"What Changed The Oracle Cloud Infrastructure data connector was enhanced with Group Cursor support for OCI Streaming, providing customers the option to consume from group cursors instead of individual partition cursors.\nSecurity Impact (Visibility \u0026amp; Fidelity) Previously, the connector only supported Individual Cursor mode, limiting customers to consuming from specific OCI Streaming partitions. 
The new Group Cursor capability enables:\nConsumption from multiple partitions within a consumer group Better load balancing across streaming partitions Feature parity with the legacy Function App connector Improved scalability for high-volume OCI audit and security log ingestion Organizations using OCI Streaming for security event collection can now choose the cursor type that best fits their partition management requirements, ensuring no gaps in log visibility due to partition-specific consumption limitations.\nImplementation Details The connector definition and polling configuration were updated to support a configurable cursor type selection between IndividualCursor and GroupCursor modes, with corresponding UI elements and validation logic to guide users through the appropriate configuration choices.\nAffected Files Solutions/Oracle Cloud Infrastructure/Data Connectors/Oracle_Cloud_Infrastructure_CCP/OCI_DataConnector_DCR.json Solutions/Oracle Cloud Infrastructure/Data Connectors/Oracle_Cloud_Infrastructure_CCP/OCI_DataConnector_DataConnectorDefinition.json Solutions/Oracle Cloud Infrastructure/Data Connectors/Oracle_Cloud_Infrastructure_CCP/OCI_DataConnector_PollingConfig.json Solutions/Oracle Cloud Infrastructure/Package/testParameters.json (packaging artefacts: 3.1.0.zip, ReleaseNotes.md, Solution_OCILogs.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-02-03-pr-13548/","summary":"OCI connector now supports Group Cursor mode alongside Individual Cursor for improved streaming partition consumption flexibility.","title":"Oracle Cloud Infrastructure Connector: Group Cursor Support for OCI Streaming"},{"content":"What Changed The Rapid7 InsightVM data connector Function App was upgraded from Azure Functions Extension Bundle 3.x to 4.x, updating both the host.json configuration and deployment package.\nSecurity Impact (Visibility \u0026amp; Fidelity) This maintenance update ensures continued compatibility 
with Azure Functions runtime and prevents potential service disruption from deprecated extension versions. Organizations using Rapid7 InsightVM vulnerability data ingestion should experience improved stability and access to latest Azure Functions security updates.\nThe Function App deployment instructions were also updated to reference the correct GitHub location for the connector package within the official Azure-Sentinel repository.\nAffected Files Solutions/Rapid7InsightVM/Data Connectors/InsightVMCloud_API_FunctionApp.json Solutions/Rapid7InsightVM/Data Connectors/host.json (packaging artefacts: 3.1.0.zip, InsightVMCloudAPISentinelConn.zip, ReleaseNotes.md, Solution_InsightVMCloudAPI.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-02-03-pr-13546/","summary":"Rapid7 InsightVM Function App connector updated to use latest 4.x Azure Functions extension bundles from deprecated 3.x version.","title":"Rapid7 InsightVM Data Connector: Azure Functions Extension Bundle Upgrade to 4.x"},{"content":"What Changed A new hunting query \u0026ldquo;Punycode lookalikes\u0026rdquo; was added to both the standalone Hunting Queries collection and Microsoft Defender XDR solution for detecting phishing attempts using internationalized domain names (IDN).\nDetection Logic The query targets punycode domains (xn\u0026ndash; prefix) containing visually similar Unicode characters that can impersonate legitimate ASCII domains. It processes both email (EmailEvents, EmailUrlInfo) and Microsoft Teams messages (MessageEvents, MessageUrlInfo) to identify:\nCyrillic characters (е, а, о, р, с, х, etc.) mimicking Latin letters Greek characters (α, ε, ο, ρ, χ, etc.) 
visually similar to ASCII Fullwidth ASCII characters used in domain spoofing The detection normalizes Unicode lookalikes to ASCII equivalents and validates the resulting domain appears legitimate, indicating intentional spoofing rather than accidental character usage.\nMITRE Mapping Technique: T1566 (Phishing) - Initial Access via deceptive domains in email and collaboration platforms\nDetection Surface Unlocked Organizations gain visibility into sophisticated domain impersonation attacks that bypass traditional string-based domain reputation systems. The query reveals phishing campaigns leveraging:\nBrand impersonation through visually identical Unicode domains Cross-platform attacks spanning email and Teams messaging Advanced evasion techniques exploiting internationalized domain specifications This hunting capability fills a gap in detecting IDN homograph attacks that rely on human visual perception rather than technical domain validation.\nAffected Files Hunting Queries/Microsoft 365 Defender/Email and Collaboration Queries/Phish/Punycode chars lookalike domains.yaml Solutions/Microsoft Defender XDR/Hunting Queries/Email and Collaboration Queries/Phish/Punycode chars lookalike domains.yaml ","permalink":"http://sentinelchangelog.net/posts/2026-02-03-pr-13535/","summary":"Advanced hunting query detects punycode domains using Cyrillic, Greek, and fullwidth ASCII characters to visually impersonate legitimate domains in email and Teams.","title":"Microsoft Defender XDR: New Hunting Query for Punycode Lookalike Domain Phishing"},{"content":"What Changed The \u0026ldquo;Snowflake Multiple Failed Queries\u0026rdquo; detection rule was updated to include an additional filter requiring the presence of QueryExecutionStatus field before evaluating query failures.\nDetection Logic The enhanced rule now includes \u0026ldquo;| where isnotempty(QueryExecutionStatus)\u0026rdquo; as the first filter, ensuring only events with execution status information are processed for 
failure analysis. The rule continues to monitor for more than 50 failed queries per user within 5-minute bins where QueryExecutionStatus does not equal SUCCESS.\nSecurity Impact (Visibility \u0026amp; Fidelity) Previously, the detection triggered false positives on SnowflakeLoad and other activity event types that lacked QueryExecutionStatus fields. These events would satisfy the \u0026ldquo;not SUCCESS\u0026rdquo; condition despite not being actual query execution failures.\nThe fix ensures detection fidelity by:\nEliminating false alerts from data loading operations Focusing monitoring on actual query execution events Maintaining coverage of legitimate failed query patterns (brute force, credential stuffing, reconnaissance) Organizations using this detection will see reduced alert noise while preserving visibility into suspicious query failure patterns that may indicate compromise or unauthorized access attempts.\nAffected Files Solutions/Snowflake/Analytic Rules/SnowflakeMultipleFailedQueries.yaml (packaging artefacts: 3.0.9.zip, ReleaseNotes.md, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-02-03-pr-13356/","summary":"Snowflake detection rule now filters out events lacking QueryExecutionStatus to prevent false alerts from data loading operations.","title":"Snowflake Multiple Failed Queries Detection: Fixed False Positives from Load Operations"},{"content":"What Changed The Microsoft Sentinel solution package creation tool (createSolutionV3.ps1) was enhanced to support dual version management modes. The existing catalog API mode remains the default for production deployments, while a new local mode enables offline development with semantic versioning (major.minor.patch).\nLocal mode increments versions independently of the Microsoft Catalog API, resolving workflow blocking issues when remote versions are behind local development state. 
The tool now accepts -VersionMode and -VersionBump parameters to control version management behavior, with automatic updates to solution data files and metadata.\nAffected Files Tools/Create-Azure-Sentinel-Solution/V3/README.md Tools/Create-Azure-Sentinel-Solution/V3/createSolutionV3.ps1 Tools/Create-Azure-Sentinel-Solution/common/commonFunctions.ps1 ","permalink":"http://sentinelchangelog.net/posts/2026-02-03-pr-13482/","summary":"CreateSolutionV3 script now supports offline semantic versioning with local version management alongside existing catalog API mode.","title":"Solution Package Tool: Local Version Bumping Mode Added for Offline Development"},{"content":"What Changed Dynamic redirect URI support was implemented across four OAuth-based CCF connectors: Azure DevOps Auditing, Google Cloud Platform Cloud Monitoring, Google Workspace Reports, and Workday. The connectors now use template variable {{redirectUri}} instead of hardcoded portal URIs.\nSecurity Impact (Visibility \u0026amp; Fidelity) Previously, these connectors required manual Azure portal redirect URI configuration during OAuth app registration. 
The hardcoded \u0026ldquo;https://portal.azure.com/TokenAuthorize/ExtensionName/Microsoft_Azure_Security_Insights\u0026quot; caused deployment friction and limited portal flexibility.\nDynamic redirect URIs enable:\nSimplified connector deployment without manual portal configuration Support for different Microsoft Sentinel environments and tenants Reduced configuration errors that could prevent data ingestion Implementation Details Each connector received identical updates:\nConnector definitions now include \u0026ldquo;showRedirectUri\u0026rdquo;: true and \u0026ldquo;sendRedirectUri\u0026rdquo;: true flags Polling configurations replaced static redirect URIs with {{redirectUri}} template variables Documentation updated to reference dynamic URI values from the connector experience PowerShell tooling enhanced to support the redirectUri parameter The change affects authentication flows for Azure DevOps audit logs, Google Cloud Platform monitoring data, Google Workspace reports, and Workday activity logs.\nAffected Files Solutions/AzureDevOpsAuditing/Data Connectors/AzureDevOpsAuditLogs_CCP/AzureDevOpsAuditLogs_DataConnectorDefinition.json Solutions/AzureDevOpsAuditing/Data Connectors/AzureDevOpsAuditLogs_CCP/AzureDevOpsAuditLogs_PollingConfig.json Solutions/Google Cloud Platform Cloud Monitoring/Data Connectors/GCPMonitoringLogs_CCP/GCPCloudMonitoringLogs_ConnectorDefinition.json Solutions/Google Cloud Platform Cloud Monitoring/Data Connectors/GCPMonitoringLogs_CCP/GCPCloudMonitoringLogs_PollingConfig.json Solutions/Google Cloud Platform Cloud Monitoring/Data Connectors/Readme.md Solutions/GoogleWorkspaceReports/Data Connectors/GoogleWorkspaceTemplate_ccp/GoogleWorkspaceReports_DataConnectorDefinition.json Solutions/GoogleWorkspaceReports/Data Connectors/GoogleWorkspaceTemplate_ccp/GoogleWorkspaceReports_PollingConfig.json Solutions/Workday/Data Connectors/Workday_ccp/Workday_DataConnectorDefinition.json Solutions/Workday/Data 
Connectors/Workday_ccp/Workday_PollingConfig.json Tools/Create-Azure-Sentinel-Solution/common/createCCPConnector.ps1 (packaging artefacts: 3.0.3.zip, 3.0.8.zip, ReleaseNotes.md, Solution_AzureDevOpsAuditing.json, Solution_GoogleCloudPlatformMonitor.json, Solution_GoogleWorkspaceReports.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-02-03-pr-13165/","summary":"Four OAuth-based data connectors now support dynamic redirect URIs, eliminating manual Azure portal configuration requirements.","title":"OAuth Data Connectors: Dynamic Redirect URI Support Simplifies Authentication Setup"},{"content":"What Changed The ASIM Authentication parser for OpenSSH SSHD was updated to fix parsing of \u0026ldquo;Invalid user\u0026rdquo; syslog messages where source IP addresses and port numbers are formatted inconsistently.\nParser Impact The previous parsing logic failed when \u0026ldquo;Invalid user\u0026rdquo; log entries contained IP addresses without explicit port formatting. The fix introduces more robust parsing that handles both formats:\n\u0026ldquo;Invalid user \u0026lt;username\u0026gt; from \u0026lt;ip\u0026gt; port \u0026lt;port\u0026gt;\u0026rdquo; \u0026ldquo;Invalid user \u0026lt;username\u0026gt; from \u0026lt;ip\u0026gt;\u0026rdquo; Both ASimAuthenticationSshd and vimAuthenticationSshd parsers received identical parsing improvements to correctly extract SrcIpAddr and SrcPortNumber fields from malformed authentication attempts.\nSecurity Impact (Visibility \u0026amp; Fidelity) Deployments using these ASIM parsers against OpenSSH logs previously had incomplete source IP extraction for certain \u0026ldquo;Invalid user\u0026rdquo; authentication failures. 
This fix ensures consistent population of source IP fields across all invalid user attempts, improving detection fidelity for brute force and reconnaissance queries.\nAffected Files Parsers/ASimAuthentication/ARM/ASimAuthenticationSshd/ASimAuthenticationSshd.json Parsers/ASimAuthentication/ARM/vimAuthenticationSshd/vimAuthenticationSshd.json Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationSshd.md Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationSshd.md Parsers/ASimAuthentication/Parsers/ASimAuthenticationSshd.yaml Parsers/ASimAuthentication/Parsers/vimAuthenticationSshd.yaml ","permalink":"http://sentinelchangelog.net/posts/2026-02-03-pr-13531/","summary":"OpenSSH authentication parser now correctly extracts source IP addresses from \u0026ldquo;Invalid user\u0026rdquo; events regardless of port format.","title":"ASIM SSH Authentication Parser: Improved Invalid User Event Parsing"},{"content":"What Changed The Sample Data Validation GitHub Actions workflow was updated to resolve persistent build failures caused by outdated npm 6.14.18 (\u0026ldquo;cb() never called!\u0026rdquo; errors). 
The workflow now uses actions/setup-node@v4 with Node.js 20 LTS, npm caching enabled, and npm ci for deterministic dependency installation.\nAdditional changes include package-lock.json synchronization to add missing tslib@2.8.1, gitignore patterns for TypeScript build artifacts, and workbook preview image validation logic expanded to accept \u0026ldquo;Light/Dark\u0026rdquo; theme naming conventions alongside \u0026ldquo;Black/White\u0026rdquo;.\nAffected Files .github/workflows/sample-data-validation.yaml .gitignore .script/utils/workbookCheckers/previewImageChecker.js .script/utils/workbookCheckers/previewImageChecker.js.map package-lock.json ","permalink":"http://sentinelchangelog.net/posts/2026-02-02-pr-13537/","summary":"Legacy npm 6.14.18 dependency causing validation failures replaced with modern Node.js 20 LTS setup and deterministic builds.","title":"CI Pipeline: Sample Data Validation Workflow Modernized to Node.js 20"},{"content":"What Changed The GitHub Enterprise Cloud audit log connector and its detection rule set transitioned from Preview to Generally Available (GA) status. 
This includes removing \u0026ldquo;(Preview)\u0026rdquo; designations from the connector definition and 11 associated Analytic Rules.\nSecurity Impact (Visibility \u0026amp; Fidelity) Organizations using the GitHub connector during Preview can now rely on production-grade support for monitoring DevOps security events including repository management, user access controls, OAuth application changes, and payment method modifications.\nThe GA promotion signals Microsoft\u0026rsquo;s confidence in the connector\u0026rsquo;s stability for production deployment across enterprise GitHub environments.\nDetection Coverage The following detection scenarios are now GA:\nRepository creation and destruction events User access management (additions, blocking, invitations) Two-factor authentication status changes OAuth application credential management Payment method modifications Pull request lifecycle monitoring User visibility changes All detection rules target GitHub audit log events ingested via the CCF-based connector into the GitHubAuditLogsV2_CL table.\nAffected Files Solutions/GitHub/Analytic Rules/GitHub - A payment method was removed.yaml Solutions/GitHub/Analytic Rules/GitHub - Activities from Infrequent Country.yaml Solutions/GitHub/Analytic Rules/GitHub - Oauth application - a client secret was removed.yaml Solutions/GitHub/Analytic Rules/GitHub - Repository was created.yaml Solutions/GitHub/Analytic Rules/GitHub - Repository was destroyed.yaml Solutions/GitHub/Analytic Rules/GitHub - Two Factor Authentication Disabled in GitHub.yaml Solutions/GitHub/Analytic Rules/GitHub - User visibility Was changed.yaml Solutions/GitHub/Analytic Rules/GitHub - User was added to the organization.yaml Solutions/GitHub/Analytic Rules/GitHub - User was blocked.yaml Solutions/GitHub/Analytic Rules/GitHub - User was invited to the repository.yaml Solutions/GitHub/Analytic Rules/GitHub - pull request was created.yaml Solutions/GitHub/Analytic Rules/GitHub - pull request was merged.yaml 
Solutions/GitHub/Data Connectors/GitHubAuditLogs_CCF/GitHubAuditLogs_ConnectorDefinition.json (packaging artefacts: 3.1.3.zip, ReleaseNotes.md, Solution_GitHub.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-02-02-pr-13530/","summary":"GitHub Enterprise audit log connector and 11 accompanying detection rules promoted from Preview to GA status.","title":"GitHub Enterprise Cloud Connector: Audit Log Data Ingestion Now Generally Available"},{"content":"Affected Files (packaging artefacts: 3.0.0.zip, SolutionMetadata.json, Solution_VersasecCMS.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-02-02-pr-13542/","summary":"Versasec CMS solution packaging updated to meet Content Hub publishing requirements.","title":"Versasec CMS Solution: Publishing Configuration Updates"},{"content":"What Changed The BigID DSPM solution package was updated to version 3.0.0 with ARM template modifications introducing centralized step identifier management. The mainTemplate.json now uses reusable \u0026ldquo;stepId\u0026rdquo; and \u0026ldquo;_stepId\u0026rdquo; variables instead of hardcoded values like \u0026ldquo;fetchDataSourceDetails\u0026rdquo; and \u0026ldquo;fetchObjectsDetails\u0026rdquo;.\nSecurity Impact Labeled P0 — assess deployment or pipeline breakage risk explicitly. This ARM template fix resolves azure-resource-manager-testing-toolkit (arm-ttk) validation failures that were preventing successful deployments of the BigID DSPM connector. 
Existing deployments remain unaffected, but new connector installations were blocked until this fix.\nThe BigID DSPM connector provides data classification and privacy posture visibility — deployment failures represent a blind spot in data governance monitoring for organizations attempting fresh installations.\nAffected Files (packaging artefacts: 3.0.0.zip, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-02-02-pr-13541/","summary":"ARM template toolkit validation failure resolved by centralizing hardcoded step identifiers into reusable variables.","title":"BigID DSPM: P0 ARM Template Fix Addresses Deployment Failure"},{"content":"What Changed Major functionality expansion for ASIM Authentication parser covering Linux su (switch user) command events.\nParser Impact Failed Authentication Coverage: Added support for \u0026ldquo;FAILED SU\u0026rdquo; events, closing significant detection gap:\nPreviously only captured successful su events and logoffs Now detects failed privilege escalation attempts (EventType = \u0026ldquo;Logon\u0026rdquo;, EventResult = \u0026ldquo;Failure\u0026rdquo;) Event Classification Fix: Corrected successful su events from EventType = \u0026ldquo;Elevation\u0026rdquo; to EventType = \u0026ldquo;Logon\u0026rdquo; aligning with ASIM Authentication schema standards for user switching operations.\nEnhanced Field Mapping:\nAdded TargetAppName = \u0026ldquo;su\u0026rdquo; for application-specific filtering Added SrcIpAddr mapping to DvcIpAddr for source correlation Improved prefilter logic to handle EventResult-based filtering Schema Compliance: Updated EventSchemaVersion to 0.1.3 and explicit Type = \u0026ldquo;Syslog\u0026rdquo; for table identification.\nSecurity Impact: Organizations can now detect both successful and failed privilege escalation attempts via su command — previously failed attempts were invisible, creating a blind spot for lateral movement detection.\nAffected Files 
Parsers/ASimAuthentication/ARM/ASimAuthenticationSu/ASimAuthenticationSu.json Parsers/ASimAuthentication/ARM/vimAuthenticationSu/vimAuthenticationSu.json Parsers/ASimAuthentication/Parsers/ASimAuthenticationSu.yaml Parsers/ASimAuthentication/Parsers/vimAuthenticationSu.yaml ","permalink":"http://sentinelchangelog.net/posts/2026-01-22-pr-13453/","summary":"Linux su parser significantly enhanced to capture failed su attempts, correct event classification from Elevation to Logon, and improve field mappings for comprehensive privilege escalation monitoring.","title":"ASIM Authentication Parser: Linux Su Command Enhanced with Failed Authentication Support"},{"content":"What Changed Significant enhancements to ASIM Authentication parser for Palo Alto Cortex Data Lake addressing performance, schema compliance, and data fidelity issues.\nParser Impact Field Mapping Corrections:\nFixed EventStartTime to coalesce with TimeGenerated when start field is empty Corrected TargetDvc → TargetDvcId alignment with ASIM schema Enhanced TargetUsername logic to prioritize PanOSAuthenticatedUserName over DestinationUserName Performance Improvements:\nReplaced broad project-away with explicit project statement limiting output columns Added explicit Type = \u0026ldquo;CommonSecurityLog\u0026rdquo; for table identification Schema Compliance:\nAdded TargetDvcIdType field with proper \u0026ldquo;Other\u0026rdquo; classification Fixed TargetDomainType logic to reference TargetUsername instead of DestinationUserName Updated schema version to 0.2.0 reflecting significant improvements Data Fidelity: Previously empty EventStartTime fields when start was null now fallback to TimeGenerated, ensuring consistent timestamp availability for correlation queries.\nAffected Files Parsers/ASimAuthentication/ARM/ASimAuthenticationPaloAltoCortexDataLake/ASimAuthenticationPaloAltoCortexDataLake.json 
Parsers/ASimAuthentication/ARM/vimAuthenticationPaloAltoCortexDataLake/vimAuthenticationPaloAltoCortexDataLake.json Parsers/ASimAuthentication/Parsers/ASimAuthenticationPaloAltoCortexDataLake.yaml Parsers/ASimAuthentication/Parsers/vimAuthenticationPaloAltoCortexDataLake.yaml ","permalink":"http://sentinelchangelog.net/posts/2026-01-22-pr-13410/","summary":"Palo Alto Cortex Data Lake authentication parser enhanced with schema compliance improvements, performance optimizations, and corrected field mappings for better data fidelity.","title":"ASIM Authentication Parser: Palo Alto Cortex Data Lake Performance and Schema Fixes"},{"content":"What Changed Major schema compliance enhancement to ASIM Authentication parser for Microsoft 365 Defender Device Logon Events improving normalization standards.\nParser Impact Schema Normalization: Removed unnormalized process and hash fields from main output and relocated to AdditionalFields:\nActing process metadata (command line, creation time, integrity level, hashes) Parent process information Process hash details (MD5, SHA1, SHA256) Field Restructuring: Enhanced AdditionalFields bag structure using bag_merge to preserve both original additional fields and unnormalized process metadata for downstream analysis.\nPerformance Optimization: Switched from TimeGenerated to Timestamp field for event time filtering and explicitly added Type field for table identification.\nVersion Update: Schema version updated to 0.2.0 reflecting significant normalization improvements.\nNo change to core authentication logic or entity mappings — safe for existing detections. 
Previously exposed process fields now accessible via AdditionalFields for specialized hunting queries requiring process context.\nAffected Files Parsers/ASimAuthentication/ARM/ASimAuthenticationM365Defender/ASimAuthenticationM365Defender.json Parsers/ASimAuthentication/ARM/vimAuthenticationM365Defender/vimAuthenticationM365Defender.json Parsers/ASimAuthentication/Parsers/ASimAuthenticationM365Defender.yaml Parsers/ASimAuthentication/Parsers/vimAuthenticationM365Defender.yaml ","permalink":"http://sentinelchangelog.net/posts/2026-01-22-pr-13441/","summary":"Microsoft 365 Defender authentication parser improved ASIM compliance by removing unnormalized columns and relocating process/hash metadata to AdditionalFields structure.","title":"ASIM Authentication Parser: Microsoft 365 Defender Schema Compliance Enhancement"},{"content":"Affected Files Solutions/BeyondTrustPMCloud/Workbooks/Images/Preview/BeyondTrustPMCloudBlack01.png Solutions/BeyondTrustPMCloud/Workbooks/Images/Preview/BeyondTrustPMCloudBlack02.png Solutions/BeyondTrustPMCloud/Workbooks/Images/Preview/BeyondTrustPMCloudBlack03.png Solutions/BeyondTrustPMCloud/Workbooks/Images/Preview/BeyondTrustPMCloudWhite01.png Solutions/BeyondTrustPMCloud/Workbooks/Images/Preview/BeyondTrustPMCloudWhite02.png Solutions/BeyondTrustPMCloud/Workbooks/Images/Preview/BeyondTrustPMCloudWhite03.png Workbooks/Images/Logos/BeyondTrustLogo.svg Workbooks/Images/Preview/BeyondTrustPMCloudBlack01.png Workbooks/Images/Preview/BeyondTrustPMCloudBlack02.png Workbooks/Images/Preview/BeyondTrustPMCloudBlack03.png Workbooks/Images/Preview/BeyondTrustPMCloudWhite01.png Workbooks/Images/Preview/BeyondTrustPMCloudWhite02.png Workbooks/Images/Preview/BeyondTrustPMCloudWhite03.png Workbooks/WorkbooksMetadata.json ","permalink":"http://sentinelchangelog.net/posts/2026-01-22-pr-13489/","summary":"Renamed BeyondTrust PM Cloud workbook preview images from Dark/Light to Black/White convention and added BeyondTrust logo asset for UI 
consistency.","title":"BeyondTrust PM Cloud: Workbook Preview Image Standardization"},{"content":"Affected Files (packaging artefacts: 3.0.7.zip, ReleaseNotes.md, Solution_AzureDevOpsAuditing.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-01-22-pr-13488/","summary":"Azure DevOps Auditing solution repackaged with updated description removing outdated streaming configuration text references.","title":"Azure DevOps Auditing Solution: Description Text Cleanup and Repackaging"},{"content":"Affected Files Solutions/Microsoft Business Applications/Hunting Queries/Dataverse - Activity after failed logons.yaml Solutions/Microsoft Defender XDR/Analytic Rules/SUNSPOTHashes.yaml (packaging artefacts: 3.0.13.zip, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-01-22-pr-13485/","summary":"Updated SUNSPOT malware detection rule with corrected reference link formatting and MITRE technique mapping fixes across multiple solutions.","title":"Microsoft Defender XDR: SUNSPOT Detection Rule Documentation Update"},{"content":"Data Source JoeSandbox Cloud malware analysis platform providing:\nAutomated sample submission and analysis (files/URLs) Threat intelligence IOC feeds Behavioral analysis reports and indicators Ingestion Mechanism Multi-component integration:\nFunction App-based: Automated threat intelligence feed connector using Azure Functions Logic App Playbooks: Manual/triggered analysis workflows for incident enrichment Custom table: ThreatIntelligenceIndicator table population with JoeSandbox IOCs Detection Surface Unlocked Threat Intelligence Integration: Automated IOC ingestion from JoeSandbox feeds enriches Microsoft Sentinel threat detection capabilities\nMalware Analysis Workflows:\nIncident-triggered URL analysis playbook automatically submits suspicious URLs for sandbox analysis Email attachment analysis playbook processes Outlook attachments through JoeSandbox 
Analysis results added as incident comments with detailed behavioral reports Bundled Content Data Connector: JoeSandbox Threat Intelligence Feed (Function App) Playbooks: URL submission for incidents, Outlook attachment analysis Hunting Queries: 10 queries for analyzing JoeSandbox data including submission trends, malware family analysis, and IOC correlation Affected Files Logos/joesandbox.svg Solutions/JoeSandbox/Data Connectors/JoeSandbox/__init__.py Solutions/JoeSandbox/Data Connectors/JoeSandbox/app.py Solutions/JoeSandbox/Data Connectors/JoeSandbox/const.py Solutions/JoeSandbox/Data Connectors/JoeSandbox/function.json Solutions/JoeSandbox/Data Connectors/JoeSandbox/joesandbox.py Solutions/JoeSandbox/Data Connectors/JoeSandbox/state_manager.py Solutions/JoeSandbox/Data Connectors/JoeSandbox/utils.py Solutions/JoeSandbox/Data Connectors/JoeSandboxThreatIntelligence_FunctionApp.json Solutions/JoeSandbox/Data Connectors/Logo/joesandbox.svg Solutions/JoeSandbox/Data Connectors/azuredeploy_JoeSandboxThreatIntelligenceFuncApp_AzureFunction_flex.json Solutions/JoeSandbox/Data Connectors/azuredeploy_JoeSandboxThreatIntelligenceFuncApp_AzureFunction_premium.json Solutions/JoeSandbox/Data Connectors/host.json Solutions/JoeSandbox/Data Connectors/proxies.json Solutions/JoeSandbox/Data Connectors/requirements.txt Solutions/JoeSandbox/Images/01.png Solutions/JoeSandbox/Images/02.png Solutions/JoeSandbox/Images/02a.png Solutions/JoeSandbox/Images/03.png Solutions/JoeSandbox/Images/04.png Solutions/JoeSandbox/Images/05.png Solutions/JoeSandbox/Images/06.png Solutions/JoeSandbox/Images/07.png Solutions/JoeSandbox/Images/08.png Solutions/JoeSandbox/Images/09.png Solutions/JoeSandbox/Images/10.png Solutions/JoeSandbox/Images/11.png Solutions/JoeSandbox/Images/12.png Solutions/JoeSandbox/Images/13.png Solutions/JoeSandbox/Images/14.png Solutions/JoeSandbox/Images/38.png Solutions/JoeSandbox/Images/app_per.png Solutions/JoeSandbox/Images/email_playbook.png 
Solutions/JoeSandbox/Images/ti_feed.png Solutions/JoeSandbox/Images/url_playbook.png Solutions/JoeSandbox/Package/testParameters.json Solutions/JoeSandbox/Playbooks/CustomConnector/JoeSandboxEnrichment_FunctionAppConnector/JoeSandboxDownloadAnalysisReport/__init__.py Solutions/JoeSandbox/Playbooks/CustomConnector/JoeSandboxEnrichment_FunctionAppConnector/JoeSandboxDownloadAnalysisReport/app.py Solutions/JoeSandbox/Playbooks/CustomConnector/JoeSandboxEnrichment_FunctionAppConnector/JoeSandboxDownloadAnalysisReport/function.json Solutions/JoeSandbox/Playbooks/CustomConnector/JoeSandboxEnrichment_FunctionAppConnector/JoeSandboxGetAnalysisInfo/__init__.py Solutions/JoeSandbox/Playbooks/CustomConnector/JoeSandboxEnrichment_FunctionAppConnector/JoeSandboxGetAnalysisInfo/app.py Solutions/JoeSandbox/Playbooks/CustomConnector/JoeSandboxEnrichment_FunctionAppConnector/JoeSandboxGetAnalysisInfo/function.json Solutions/JoeSandbox/Playbooks/CustomConnector/JoeSandboxEnrichment_FunctionAppConnector/JoeSandboxGetIOCs/__init__.py Solutions/JoeSandbox/Playbooks/CustomConnector/JoeSandboxEnrichment_FunctionAppConnector/JoeSandboxGetIOCs/app.py Solutions/JoeSandbox/Playbooks/CustomConnector/JoeSandboxEnrichment_FunctionAppConnector/JoeSandboxGetIOCs/function.json Solutions/JoeSandbox/Playbooks/CustomConnector/JoeSandboxEnrichment_FunctionAppConnector/JoeSandboxGetIOCs/utils.py Solutions/JoeSandbox/Playbooks/CustomConnector/JoeSandboxEnrichment_FunctionAppConnector/JoeSandboxGetSubmissionInfo/__init__.py Solutions/JoeSandbox/Playbooks/CustomConnector/JoeSandboxEnrichment_FunctionAppConnector/JoeSandboxGetSubmissionInfo/app.py Solutions/JoeSandbox/Playbooks/CustomConnector/JoeSandboxEnrichment_FunctionAppConnector/JoeSandboxGetSubmissionInfo/function.json Solutions/JoeSandbox/Playbooks/CustomConnector/JoeSandboxEnrichment_FunctionAppConnector/JoeSandboxSearchAnalysis/__init__.py 
Solutions/JoeSandbox/Playbooks/CustomConnector/JoeSandboxEnrichment_FunctionAppConnector/JoeSandboxSearchAnalysis/app.py Solutions/JoeSandbox/Playbooks/CustomConnector/JoeSandboxEnrichment_FunctionAppConnector/JoeSandboxSearchAnalysis/function.json Solutions/JoeSandbox/Playbooks/CustomConnector/JoeSandboxEnrichment_FunctionAppConnector/JoeSandboxSubmitFile/__init__.py Solutions/JoeSandbox/Playbooks/CustomConnector/JoeSandboxEnrichment_FunctionAppConnector/JoeSandboxSubmitFile/app.py Solutions/JoeSandbox/Playbooks/CustomConnector/JoeSandboxEnrichment_FunctionAppConnector/JoeSandboxSubmitFile/function.json Solutions/JoeSandbox/Playbooks/CustomConnector/JoeSandboxEnrichment_FunctionAppConnector/JoeSandboxSubmitUrl/__init__.py Solutions/JoeSandbox/Playbooks/CustomConnector/JoeSandboxEnrichment_FunctionAppConnector/JoeSandboxSubmitUrl/app.py Solutions/JoeSandbox/Playbooks/CustomConnector/JoeSandboxEnrichment_FunctionAppConnector/JoeSandboxSubmitUrl/function.json Solutions/JoeSandbox/Playbooks/CustomConnector/JoeSandboxEnrichment_FunctionAppConnector/azuredeploy.json Solutions/JoeSandbox/Playbooks/CustomConnector/JoeSandboxEnrichment_FunctionAppConnector/host.json Solutions/JoeSandbox/Playbooks/CustomConnector/JoeSandboxEnrichment_FunctionAppConnector/joesandbox.py Solutions/JoeSandbox/Playbooks/CustomConnector/JoeSandboxEnrichment_FunctionAppConnector/requirements.txt Solutions/JoeSandbox/Playbooks/JoeSandbox-Submit-File-Outlook-Attachment/Images/email_playbook.png Solutions/JoeSandbox/Playbooks/JoeSandbox-Submit-File-Outlook-Attachment/Images/outlook_attchment_playbook.png Solutions/JoeSandbox/Playbooks/JoeSandbox-Submit-File-Outlook-Attachment/Images/outlook_incident_comment.png Solutions/JoeSandbox/Playbooks/JoeSandbox-Submit-File-Outlook-Attachment/azuredeploy.json Solutions/JoeSandbox/Playbooks/JoeSandbox-Submit-File-Outlook-Attachment/readme.md Solutions/JoeSandbox/Playbooks/JoeSandbox-Submit-Url-Sentinel-Incident/Images/incident_url_comment.png 
Solutions/JoeSandbox/Playbooks/JoeSandbox-Submit-Url-Sentinel-Incident/Images/incident_url_playbook.png.png Solutions/JoeSandbox/Playbooks/JoeSandbox-Submit-Url-Sentinel-Incident/Images/url_playbook.png Solutions/JoeSandbox/Playbooks/JoeSandbox-Submit-Url-Sentinel-Incident/azuredeploy.json Solutions/JoeSandbox/Playbooks/JoeSandbox-Submit-Url-Sentinel-Incident/readme.md Solutions/JoeSandbox/README.md (packaging artefacts: 3.0.0.zip, JoeSandboxConn.zip, JoeSandboxEnrichment.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_JoeSandbox.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-01-22-pr-12801/","summary":"Complete JoeSandbox solution deployment enabling automated malware analysis, threat intelligence feed ingestion, and incident enrichment playbooks for Microsoft Sentinel.","title":"New Solution: JoeSandbox Threat Intelligence and Malware Analysis Platform Integration"},{"content":"Affected Files Solutions/Microsoft Defender XDR/Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Number of unique accounts performing Teams message Admin submissions.yaml Solutions/Microsoft Defender XDR/Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Number of unique accounts performing Teams message User submissions.yaml Solutions/Microsoft Defender XDR/Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Teams User submissions daily trend.yaml Solutions/Microsoft Defender XDR/Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Top 10 sender domains - Admin Teams message submissions FN.yaml Solutions/Microsoft Defender XDR/Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Top 10 sender domains - Teams user submissions FN or FP.yaml Solutions/Microsoft Defender XDR/Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Top 10 senders - Teams users submissions FN or FP.yaml 
Solutions/Microsoft Defender XDR/Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Top 10 senders of Admin Teams message submissions FN.yaml Solutions/Microsoft Defender XDR/Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Top 10 senders of Admin Teams message submissions FP.yaml Solutions/Microsoft Defender XDR/Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Top accounts performing Teams admin submissions FN or FP.yaml Solutions/Microsoft Defender XDR/Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Top accounts performing Teams user submissions FN or FP.yaml (packaging artefacts: 3.0.13.zip, ReleaseNotes.md, Solution_Microsoft Defender XDR.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-01-22-pr-13205/","summary":"Corrected malformed version numbers in Microsoft Teams threat hunting queries from invalid \u0026ldquo;l.0.0\u0026rdquo; to proper \u0026ldquo;1.0.0\u0026rdquo; format.","title":"Microsoft Defender XDR: Teams Hunting Queries Version Number Fix"},{"content":"What Changed Critical fix for Check Point Cyberint IOC connector addressing complete data ingestion failure.\nSecurity Impact (Visibility \u0026amp; Fidelity) Complete Ingestion Failure: Deployments running v3.0.1 had zero IOC data ingested due to:\nBroken API Endpoint: Static placeholder prevented API calls from reaching Cyberint servers Malformed Schema: Duplicate schema nesting in table definition caused DCR creation failures Data Blind Spot: Organizations using this connector for threat intelligence IOC enrichment had no Cyberint IOC data flowing to iocsent_CL table since initial deployment — complete visibility loss for Cyberint threat indicators.\nConnector Fixes API Configuration: Fixed endpoint construction from placeholder to dynamic template using proper ARM template syntax for connecting to Cyberint IOC API endpoints.\nSchema 
Structure: Removed duplicate schema wrapper in table definition enabling proper iocsent_CL table creation.\nPost-fix, connector now successfully ingests daily IOC feeds containing confidence scores, severity ratings, and threat activity descriptions.\nAffected Files Solutions/Check Point Cyberint IOC/Data Connectors/CyberintArgosIOCLogs_ccp/CyberintArgosIOCLogs_PollingConfig.json Solutions/Check Point Cyberint IOC/Data Connectors/CyberintArgosIOCLogs_ccp/CyberintArgosIOCLogs_Table.json (packaging artefacts: 3.0.2.zip, ReleaseNotes.md, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-01-22-pr-13464/","summary":"Cyberint threat intelligence connector restored from complete ingestion failure caused by malformed API endpoint and duplicate schema nesting blocking IOC data collection.","title":"Check Point Cyberint IOC Connector: Critical Data Ingestion Restoration"},{"content":"What Changed Maintenance updates across three solutions addressing outdated reference links and MITRE ATT\u0026amp;CK technique accuracy:\nMicrosoft Business Applications: Corrected MITRE technique in Dataverse identity management hunting query from T0819 → T1190 Microsoft Defender XDR: Updated SUNSPOT malware detection with current Microsoft blog link and bumped version to 1.0.3 Windows Security Events: Updated device join detection reference link and bumped version to 1.0.6\nAll changes are documentation/metadata updates with no impact to detection logic or KQL queries. 
Version bumps follow repository standards for detection template modifications.\nAffected Files Solutions/Microsoft Business Applications/Hunting Queries/Dataverse - Identity management changes without MFA.yaml Solutions/Microsoft Defender XDR/Analytic Rules/SUNSPOTHashes.yaml Solutions/Microsoft Defender XDR/Hunting Queries/Campaigns/JudgementPandaExfilActivity.yaml Solutions/Windows Security Events/Analytic Rules/LocalDeviceJoinInfoAndTransportKeyRegKeysAccess.yaml ","permalink":"http://sentinelchangelog.net/posts/2026-01-21-pr-13480/","summary":"Updated outdated links and corrected MITRE ATT\u0026amp;CK technique mapping in detection rules across Microsoft Business Applications, Microsoft Defender XDR, and Windows Security Events solutions.","title":"Multi-Solution Link Updates: MITRE Technique Corrections and Reference Refreshes"},{"content":"Affected Files Solutions/NISTSP80053/Workbooks/NISTSP80053.json Solutions/ZeroTrust(TIC3.0)/Workbooks/ZeroTrustTIC3.json (packaging artefacts: 3.0.3.zip, ReleaseNotes.md, Solution_NISTSP80053.json, Solution_ZeroTrust(TIC3.0).json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-01-21-pr-13341/","summary":"NIST SP 800-53 and Zero Trust compliance workbooks updated with current Microsoft Defender for Office 365 documentation links following EOP rebrand.","title":"Compliance Solutions: Microsoft Exchange Product Link Rebrand Update"},{"content":"What Changed Enhanced ASIM Authentication parser for OpenSSH sshd with improved logon method detection and field mapping standardization.\nParser Impact Logon Method Enhancement: Added structured LogonMethod lookup table mapping SSH authentication types:\npassword → \u0026ldquo;Username \u0026amp; password\u0026rdquo; publickey → \u0026ldquo;PKI\u0026rdquo; keyboard-interactive/pam → \u0026ldquo;PAM\u0026rdquo; RSA key detection → \u0026ldquo;PKI\u0026rdquo; Fallback → \u0026ldquo;Other\u0026rdquo; Field Improvements:\nAdded explicit Type = Syslog for 
consistent table mapping Enhanced Dvc field coalescing for better device identification Added Src alias for source IP address normalization Schema Update: Updated EventSchemaVersion to 0.1.3 reflecting standardized LogonMethod classification.\nNo change to core parsing logic or filter criteria — safe for existing detections using this parser. Previously unclassified authentication methods now have proper LogonMethod values instead of being left empty.\nAffected Files ASIM/dev/ASimTester/ASimTester.csv Parsers/ASimAuthentication/ARM/ASimAuthenticationSshd/ASimAuthenticationSshd.json Parsers/ASimAuthentication/ARM/vimAuthenticationSshd/vimAuthenticationSshd.json Parsers/ASimAuthentication/Parsers/ASimAuthenticationSshd.yaml Parsers/ASimAuthentication/Parsers/vimAuthenticationSshd.yaml ","permalink":"http://sentinelchangelog.net/posts/2026-01-21-pr-13460/","summary":"SSH authentication parser now accurately identifies logon methods (password, PKI, PAM) and adds improved field mappings for better authentication visibility.","title":"ASIM Authentication Parser: Enhanced SSH Authentication Method Detection"},{"content":"What Changed Fixed critical data fidelity bug in ASIM NetworkSession parsers for NTANetAnalytics that caused SrcIpAddr and DstIpAddr fields to return null when primary IP fields (SrcIp/DestIp) were empty but alternate fields (SrcPublicIps/DestPublicIps) contained valid data.\nParser Impact Enhanced IP address mapping logic in both ASimNetworkSessionNTANetAnalytics and vimNetworkSessionNTANetAnalytics parsers with fallback mechanism:\nPrimary mapping: Uses SrcIp/DestIp when available Fallback mapping: Uses first valid IP from SrcPublicIps/DestPublicIps when primary fields are empty Additional visibility: All PublicIPs arrays now preserved in AdditionalFields (SrcIpAddresses/DstIpAddresses) Data Impact: Queries referencing SrcIpAddr/DstIpAddr against this parser previously returned null for flows where only PublicIPs were populated — this fixes that data 
blind spot and restores complete IP visibility for network session analysis.\nAffected Files Parsers/ASimNetworkSession/ARM/ASimNetworkSessionNTANetAnalytics/ASimNetworkSessionNTANetAnalytics.json Parsers/ASimNetworkSession/ARM/vimNetworkSessionNTANetAnalytics/vimNetworkSessionNTANetAnalytics.json Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionNTANetAnalytics.yaml Parsers/ASimNetworkSession/Parsers/vimNetworkSessionNTANetAnalytics.yaml ","permalink":"http://sentinelchangelog.net/posts/2026-01-21-pr-13472/","summary":"Azure NTANetAnalytics parser now correctly maps source and destination IP addresses from PublicIPs fields when primary IP fields are empty, closing a data fidelity blind spot.","title":"ASIM NetworkSession Parser: Critical IP Address Mapping Fix for Azure NSG Flow Data"},{"content":"Affected Files (packaging artefacts: 3.0.6.zip, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-01-20-pr-13476/","summary":"Oracle Cloud Infrastructure connector package repair addresses polling configuration naming issue preventing proper deployment.","title":"OCI Data Connector: Packaging Configuration Fix"},{"content":"What Changed Removed a broken link from the VMware ESXi solution documentation and updated version to 3.0.6. 
All changes are to packaging artefacts and documentation with no functional impact on detection logic or data ingestion.\nAffected Files (packaging artefacts: 3.0.6.zip, ReleaseNotes.md, Solution_VMWareESXi.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-01-05-pr-13379/","summary":"Documentation maintenance removing broken link from VMware ESXi solution.","title":"VMware ESXi Solution: Broken Link Removed"},{"content":"What Changed 10 new Analytic Rules added to detect tampering and unauthorized access in SAP BTP Cloud Integration, Cloud Identity Service, and Build Work Zone Data connector enhancements including queryWindowDelayInMin configuration for handling SAP log delays Connection tooling updates with improved authentication flows and subaccount management Detection Logic The new Analytic Rules target critical SAP BTP enterprise security scenarios:\nCloud Integration Security (5 rules):\nJDBC data source deployment/undeployment monitoring (credential access detection) Access policy and artifact reference tampering (privilege escalation and defense evasion) Security material manipulation (certificate, keystore changes) Package import/transport and artifact deployment (supply chain monitoring) Identity Service Monitoring (2 rules):\nApplication configuration CRUD operations for SAML/OIDC providers (federation tampering) Mass user deletion events (impact and defense evasion) Service Availability (3 rules):\nAudit log service availability monitoring (defense evasion via service disabling) Build Work Zone unauthorized OData access and role tampering Privileged administrator list modifications Primary data source: SAPBTPAuditLog_CL Core logic focuses on high-risk configuration changes, mass deletion events, and service tampering attempts Entity types mapped: Account, IP, CloudApplication\nMITRE Mapping T1562.008: Impair Defenses (audit log service monitoring) T1606: Forge Web Credentials (federated application 
tampering) T1556: Modify Authentication Process (identity service configuration) T1552: Unsecured Credentials (JDBC data source access) T1078: Valid Accounts (unauthorized access detection) T1531: Account Access Removal (mass user deletion) T1222: File and Directory Permissions Modification (access policy tampering) T1548: Abuse Elevation Control Mechanism (privilege escalation via policy changes) Security Impact Detection Gap Closed: SAP BTP enterprise environments previously had limited coverage for Cloud Integration service tampering, federated identity manipulation, and systematic audit log suppression attacks. These detections provide comprehensive monitoring for credential theft, lateral movement, and defense evasion techniques targeting SAP enterprise cloud platform.\nData Connector Enhancement: Addition of queryWindowDelayInMin addresses SAP BTP inherent log delivery delays, preventing false negatives in time-sensitive detections.\nAffected Files Solutions/SAP BTP/Analytic Rules/BTP - Audit log service unavailable.yaml Solutions/SAP BTP/Analytic Rules/BTP - Build Work Zone unauthorized access and role tampering.yaml Solutions/SAP BTP/Analytic Rules/BTP - Cloud Identity Service application configuration monitor.yaml Solutions/SAP BTP/Analytic Rules/BTP - Cloud Integration JDBC data source changes.yaml Solutions/SAP BTP/Analytic Rules/BTP - Cloud Integration access policy tampering.yaml Solutions/SAP BTP/Analytic Rules/BTP - Cloud Integration artifact deployment.yaml Solutions/SAP BTP/Analytic Rules/BTP - Cloud Integration package import or transport.yaml Solutions/SAP BTP/Analytic Rules/BTP - Cloud Integration tampering with security material.yaml Solutions/SAP BTP/Analytic Rules/BTP - Mass user deletion in Cloud Identity Service.yaml Solutions/SAP BTP/Analytic Rules/BTP - User added to privileged Administrators list.yaml Solutions/SAP BTP/Data Connectors/SAPBTPPollerConnector/SAPBTP_DataConnectorDefinition.json Solutions/SAP BTP/Data 
Connectors/SAPBTPPollerConnector/SAPBTP_PollingConfig.json Solutions/SAP BTP/Data Connectors/SAPBTPPollerConnector/SAPBTP_Tables.json Solutions/SAP BTP/Tools/BtpHelpers.ps1 Solutions/SAP BTP/Tools/README.md Solutions/SAP BTP/Tools/connect-sentinel-to-btp.ps1 Solutions/SAP BTP/Tools/export-subaccounts.ps1 (packaging artefacts: 3.0.11.zip, ReleaseNotes.md, Solution_SAPBTP.json, createUiDefinition.json, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2026-01-05-pr-13366/","summary":"New threat detection coverage for SAP BTP Cloud Integration tampering, identity service compromise, and audit service availability.","title":"SAP BTP: 10 New Enterprise Security Detections for Cloud Integration and Identity Service"},{"content":"What Changed Security improvement to the AWS S3 Server Access and Config CloudFormation template, tightening SQS queue access policy from wildcard principal to S3 service-specific access.\nSecurity Impact (Visibility \u0026amp; Fidelity) The change restricts SQS queue access from \u0026ldquo;Principal\u0026rdquo;: \u0026ldquo;*\u0026rdquo; (any AWS entity) to \u0026ldquo;Principal\u0026rdquo;: {\u0026ldquo;Service\u0026rdquo;: \u0026ldquo;s3.amazonaws.com\u0026rdquo;} (S3 service only). This follows AWS security best practices by implementing the principle of least privilege for queue access permissions.\nDeployments using the previous template had overly permissive SQS access that could potentially allow unintended access to log processing queues. 
This update reduces the attack surface while maintaining proper S3-to-SQS log delivery functionality.\nAffected Files Solutions/AWS_AccessLogs/CloudFormationTemplates/AWSS3ServerAccessAndConfig.json ","permalink":"http://sentinelchangelog.net/posts/2025-12-30-pr-13365/","summary":"AWS S3 Server Access Logs CloudFormation template receives critical security update restricting SQS queue principal from wildcard to S3 service only.","title":"AWS Access Logs: Security Enhancement for SQS Principal Access Control"},{"content":"What Changed Comprehensive update to Armis solution replacing legacy Log Analytics API with modern Azure Monitor Logs Ingestion API. Includes DCR (Data Collection Rule) integration, enhanced authentication with managed identity support, and improved data field mapping for alerts, activities, and devices.\nSecurity Impact (Visibility \u0026amp; Fidelity) Enhanced data ingestion mechanism improves reliability and field mapping accuracy for Armis IoT security events. New field additions (alert_type, alert_title, activity_type, activity_title) provide better contextual information for security analysis and incident response.\nAffected Files Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertActivitySentinelConnector/__init__.py Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertActivitySentinelConnector/sentinel.py Solutions/Armis/Data Connectors/ArmisDevice/ArmisDeviceSentinelConnector/__init__.py Solutions/Armis/Parsers/ArmisActivities.yaml Solutions/Armis/Parsers/ArmisAlerts.yaml Solutions/Armis/Parsers/ArmisDevice.yaml (Solutions Analyzer documentation updates, packaging artefacts) ","permalink":"http://sentinelchangelog.net/posts/2025-12-26-pr-13252/","summary":"Major enhancement to Armis data connectors implementing Azure Monitor Logs Ingestion API with DCR support for improved data fidelity and performance.","title":"Armis IoT Security Solution: Enhanced Log Ingestion and Data Collection Rule 
Integration"},{"content":"What Changed P0-labeled correction updating MITRE ATT\u0026amp;CK technique field names from deprecated requiredTechniques to standardised relevantTechniques across BitSight, Dynatrace, and Microsoft Defender for Endpoint analytic rules.\nSecurity Impact (Visibility \u0026amp; Fidelity) Analytic rules using the deprecated requiredTechniques field were at risk of schema validation failures and potential deployment issues. This correction ensures:\nProper MITRE ATT\u0026amp;CK technique mapping in Microsoft Sentinel Consistent schema compliance across all detection templates Continued functionality of existing deployed rules Affected rules monitor compromise detection, vulnerability identification, and process-based threats across BitSight security ratings, Dynatrace application security, and endpoint telemetry.\nAffected Files Solutions/BitSight/Analytic Rules/ (4 rules updated) Solutions/Dynatrace/Analytic Rules/ (4 rules updated) Solutions/MicrosoftDefenderForEndpoint/Hunting Queries/ (1 query updated)\n","permalink":"http://sentinelchangelog.net/posts/2025-12-24-pr-13346/","summary":"Critical schema update replaces deprecated requiredTechniques field with correct relevantTechniques field in analytic rules.","title":"Schema Correction: MITRE ATT\u0026CK Field Name Fix Across Multiple Solutions"},{"content":"What Changed Threat Intelligence solution updated to standardise alert severity field naming and improve query performance in IP entity detection rules.\nDetection Logic Updated IPEntity_AppServiceHTTPLogs analytic rule:\nRenamed AlertPriority field to standard Severity field for consistency with Microsoft Sentinel alerting conventions Removed duplicate time filter that caused unnecessary query overhead Maintained confidence score thresholds: High (\u0026gt;82), Medium (\u0026gt;74), Low (≤74) Updated rule version from 1.5.7 to 1.5.8 Security Impact (Visibility \u0026amp; Fidelity) No change to detection logic or coverage — this is a 
field standardisation and performance optimisation. Existing detections continue to identify malicious IP addresses in App Service HTTP logs with the same fidelity.\nAffected Files Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_AppServiceHTTPLogs.yaml (packaging artefacts: mainTemplate.json, ReleaseNotes.md)\n","permalink":"http://sentinelchangelog.net/posts/2025-12-23-pr-13349/","summary":"Threat Intelligence solution updated with standardised severity field naming and query performance improvements in IP entity analytics.","title":"Threat Intelligence: Alert Severity Field Standardisation and Query Optimisation"},{"content":"What Changed Snowflake connector polling configuration updated to introduce 120-minute queryWindowDelayInMin and parser KQL logic corrected for timestamp field handling.\nSecurity Impact (Visibility \u0026amp; Fidelity) The Snowflake connector had a data fidelity gap where recent events were not being ingested due to API latency. The parser also had incorrect timestamp field handling that affected temporal correlation of security events:\nData gap: Events from the past 2 hours were not being collected due to Snowflake API latency in surfacing recent data Parser fidelity: Start/end timestamp fields were incorrectly parsed, affecting timeline analysis and incident correlation Deployments running prior versions experienced incomplete visibility into recent Snowflake authentication, query execution, and administrative activities.\nParser Impact Parser updated from version 1.0.3 to 1.0.4 with corrected timestamp field mapping and improved timezone handling. 
No change to normalised field names or filter logic — safe for existing detections using this parser.\nAffected Files Solutions/Snowflake/Data Connectors/SnowflakeLogs_ccp/SnowflakeLogs_PollingConfig.json Solutions/Snowflake/Parsers/Snowflake.yaml (packaging artefacts: mainTemplate.json, Solution_Snowflake.json, ReleaseNotes.md) ","permalink":"http://sentinelchangelog.net/posts/2025-12-23-pr-13340/","summary":"Snowflake connector updated with 120-minute ingestion delay and corrected timestamp parsing to address customer-reported data gaps.","title":"Snowflake Connector: Data Ingestion Timing Fix and Parser Field Corrections"},{"content":"What Changed Major repository update introducing two new threat intelligence solutions and comprehensive updates across existing solutions including packaging improvements, script automation, and solution analyzer tooling.\nNEW Solutions Added Cyble Vision (Threat Intelligence) Complete threat intelligence solution providing dark web monitoring, vulnerability tracking, and compromise detection across multiple threat vectors including IoCs, leaked credentials, malicious domains, and stealer logs.\nTropico Security orchestration solution providing alert, event, and incident management capabilities through CCF-based data connectors.\nDetection Surface Unlocked Cyble Vision brings comprehensive external threat monitoring:\nDark web marketplace and forum monitoring Stolen credential and data breach detection Phishing and malicious domain identification IoC and vulnerability intelligence feeds Mobile app security monitoring Social media threat tracking Tropico enhances security operations workflow:\nSecurity event aggregation and correlation Incident lifecycle management Alert prioritization and routing Affected Files Solutions/Cyble Vision/ (90+ new files: analytic rules, parsers, connectors, workbooks) Solutions/Tropico/ (12+ new files: CCF connectors, packaging) Solutions/Intel471/ (enhanced playbooks and deployment guides) 
Solutions/Miro/ (new CCF connectors) Plus updates to: Infoblox NIOS, SOC Prime CCF, Microsoft Entra ID, SAP BTP, and 10+ other solutions (.script/bundleAwsS3Scripts.sh and extensive Solutions Analyzer documentation updates) ","permalink":"http://sentinelchangelog.net/posts/2025-12-22-pr-13350/","summary":"Large release adds two new threat intelligence solutions (Cyble Vision, Tropico) and updates to 15+ existing solutions across the repository.","title":"Major Solution Release: Cyble Vision and Tropico Solutions Added Plus Multi-Solution Updates"},{"content":"What Changed New Miro solution added to Microsoft Sentinel providing enterprise collaboration platform monitoring through two CCF-based data connectors.\nData Source Miro is a visual collaboration platform. The solution provides security monitoring for enterprise deployments with:\nMiro Audit Logs (Enterprise Plan): Authentication events, administrative actions, access control changes Miro Content Logs (Enterprise + Enterprise Guard): Content creation, modification, deletion, and sharing activities Ingestion Mechanism CCF-based RestApiPoller connectors using OAuth 2.0 authentication. 
Populates MiroAuditLogs_CL and MiroContentLogs_CL custom tables for audit and content activity monitoring.\nDetection Surface Unlocked User authentication and access pattern monitoring Content sharing and data exfiltration detection Administrative configuration change tracking Insider threat and compliance monitoring Team and organization security oversight Affected Files Solutions/Miro/Data Connectors/MiroAuditLogs_CCF/ (4 files) Solutions/Miro/Data Connectors/MiroContentLogs_CCF/ (4 files) Solutions/Miro/Package/ (packaging artefacts) Solutions/Miro/README.md (logo and metadata files) ","permalink":"http://sentinelchangelog.net/posts/2025-12-22-pr-13248/","summary":"New Miro solution added with CCF connectors for audit logs and content logs to enable collaboration platform security monitoring.","title":"Miro Solution: New Enterprise Collaboration Security and Compliance Monitoring"},{"content":"What Changed New ConditionalAccessSISM.json workbook added to Microsoft Entra ID solution providing comprehensive Conditional Access policy monitoring and insights for Zero Trust implementations.\nDetection Surface Unlocked The new workbook enables SOC teams to monitor and analyse Conditional Access effectiveness:\nReal-time CA policy evaluation and success/failure rates User account and workload identity CA compliance monitoring Emergency account CA policy bypass detection CA policy configuration drift and coverage analysis Zero Trust implementation progress tracking Uses AuditLogs, SigninLogs, AADServicePrincipalSignInLogs, and AADRiskyServicePrincipals tables for comprehensive CA visibility across user and service principal authentication flows.\nAffected Files Solutions/Microsoft Entra ID/Workbooks/ConditionalAccessSISM.json Workbooks/Images/Preview/ConditionalAccessSISMBlack.png Workbooks/Images/Preview/ConditionalAccessSISMWhite.png Workbooks/WorkbooksMetadata.json ","permalink":"http://sentinelchangelog.net/posts/2025-12-19-pr-13313/","summary":"New Conditional 
Access SISM workbook added to provide comprehensive CA policy monitoring and Zero Trust analytics.","title":"Microsoft Entra ID: New Conditional Access Security Insights and Monitoring Workbook"},{"content":"What Changed SAP BTP deployment tools updated to improve connection reliability and subaccount metadata handling. Key changes include simplified connection naming, reduced query windows for better performance, and enhanced subaccount identification.\nAffected Files Solutions/SAP BTP/Tools/BtpHelpers.ps1 Solutions/SAP BTP/Tools/connect-sentinel-to-btp.ps1 Solutions/SAP BTP/Tools/export-subaccounts.ps1 ","permalink":"http://sentinelchangelog.net/posts/2025-12-19-pr-13338/","summary":"SAP BTP connector tools updated with better subaccount handling, connection naming, and performance optimisations.","title":"SAP BTP Tools: Improved Connection Management and Subaccount Naming"},{"content":"What Changed WithSecure Elements Via Function connector dependency urllib3 upgraded from 2.5.0 to 2.6.0 to address critical security vulnerabilities.\nSecurity Impact (Visibility \u0026amp; Fidelity) The WithSecure Elements connector was vulnerable to two high-severity denial of service attacks via malicious HTTP responses:\nCVE-2025-66471 (8.9 High): Decompression bomb vulnerability where highly compressed HTTP content could cause excessive resource consumption during streaming API operations CVE-2025-66418 (8.9 High): Unlimited chained Content-Encoding headers could exhaust system resources during decoding Affected deployments running WithSecure Elements connector versions with urllib3 2.5.0 or earlier are vulnerable to resource exhaustion attacks that could disrupt endpoint security data ingestion.\nAffected Files Solutions/WithSecureElementsViaFunction/Data Connectors/requirements.txt (packaging artefacts: WithSecureElementsViaFunctionConn.zip) ","permalink":"http://sentinelchangelog.net/posts/2025-12-19-pr-13258/","summary":"WithSecure Elements connector urllib3 dependency 
updated to address two high-severity CVEs causing potential DoS attacks.","title":"WithSecure Elements Connector: Critical Security Fix for HTTP Decompression Vulnerabilities"},{"content":"What Changed Box connector dependency urllib3 upgraded from 2.5.0 to 2.6.0 to address critical security vulnerabilities.\nSecurity Impact (Visibility \u0026amp; Fidelity) The Box connector was vulnerable to two high-severity denial of service attacks via malicious HTTP responses:\nCVE-2025-66471 (8.9 High): Decompression bomb vulnerability where highly compressed HTTP content could cause excessive resource consumption during streaming API operations CVE-2025-66418 (8.9 High): Unlimited chained Content-Encoding headers could exhaust system resources during decoding Affected deployments running Box connector versions with urllib3 2.5.0 or earlier are vulnerable to resource exhaustion attacks that could disrupt data ingestion.\nAffected Files Solutions/Box/Data Connectors/requirements.txt (packaging artefacts: BoxConn.zip) ","permalink":"http://sentinelchangelog.net/posts/2025-12-19-pr-13257/","summary":"Box connector urllib3 dependency updated to address two high-severity CVEs causing potential DoS attacks.","title":"Box Connector: Critical Security Fix for HTTP Decompression Vulnerabilities"},{"content":"What Changed Enhanced exclusion filters in Infoblox DHCP parsers to filter out additional administrative and authentication log categories including AdminMember, AdminGroup, AccessRight, Login_Denied, and Login_Allowed events.\nSecurity Impact (Visibility \u0026amp; Fidelity) Improves parser efficiency by reducing processing overhead from high-volume administrative logs while preserving security-relevant DHCP events. 
The expanded filters help focus detection rules on actual network anomalies rather than routine administrative activities.\nAffected Files Solutions/Infoblox NIOS/Parsers/Infoblox_allotherdhcpdTypes.yaml Solutions/Infoblox NIOS/Parsers/Infoblox_dhcpother.yaml (packaging artefacts: mainTemplate.json, ReleaseNotes.md) ","permalink":"http://sentinelchangelog.net/posts/2025-12-18-pr-12930/","summary":"Updated Infoblox NIOS parsers exclude additional administrative log categories to improve signal-to-noise ratio.","title":"Infoblox NIOS Parsers: Enhanced Log Filtering Reduces Noise in DHCP Monitoring"},{"content":"What Changed Added support for Intel471\u0026rsquo;s new Verity471 platform backend to the malware intelligence import playbooks, enabling users to select between Titan and Verity APIs. Performance improvements include switching from loop-based to query-based indicator filtering.\nAffected Files Solutions/Intel471/Playbooks/Intel471-ImportMalwareIntelligenceToSentinel/azuredeploy.json Solutions/Intel471/Playbooks/Intel471-ImportMalwareIntelligenceToGraphSecurity/azuredeploy.json Solutions/Intel471/Playbooks/Intel471-ImportMalwareIntelligenceToSentinel/README.md (packaging artefacts: mainTemplate.json, createUiDefinition.json)\n","permalink":"http://sentinelchangelog.net/posts/2025-12-18-pr-13187/","summary":"Intel471 solution now supports the new Verity471 backend alongside Titan for ingesting malware threat indicators.","title":"Intel471: Added Verity471 Platform Support for Enhanced Malware Intelligence"},{"content":"Data Source Comprehensive threat intelligence platform ingesting alerts from 40+ specialized Cyble Vision services including:\nDark web monitoring: Ransomware groups, data breaches, marketplaces, stolen credentials Application security: GitHub, Docker, mobile apps, web applications, Postman API exposure Infrastructure threats: Domain expiry, SSL expiry, subdomain monitoring, suspicious domains Social media intelligence: Telegram mentions, 
Discord activity, social media monitoring Vulnerability management: Product vulnerabilities, CVE advisories, IoCs, malicious ads Ingestion Mechanism CCF-based connector with comprehensive DCR configuration for CybleVisionAlerts_CL custom table API token-based authentication with Cyble Vision platform Structured alert ingestion with service-specific field mapping and normalization Automated alert status update playbook for bidirectional integration Detection Surface Unlocked Provides unprecedented breadth of threat intelligence coverage:\n40+ specialized detection rules: Each service has dedicated analytic rules for alert classification Comprehensive parser framework: Service-specific parsers for optimal field extraction and normalization MITRE ATT\u0026amp;CK coverage: Extensive technique mapping including T1592 (Gather Victim Host Information), credential access, and reconnaissance tactics Automated incident response: Playbook integration for alert status updates and workflow automation Affected Files Solutions/Cyble Vision/Analytic Rules/ (40+ detection rules) Solutions/Cyble Vision/Parser/ (40+ specialized parsers) Solutions/Cyble Vision/Data Connectors/CybleVisionAlerts_CCF/ (CCF connector configuration) Solutions/Cyble Vision/Playbooks/CybleVisionAlert_Status_Update/ (automation playbook) Solutions/Cyble Vision/Workbooks/CybleVisionAlertsWorkbook.json (packaging artefacts: mainTemplate.json, createUiDefinition.json, 3.0.2.zip)\n","permalink":"http://sentinelchangelog.net/posts/2025-12-18-pr-13045/","summary":"Massive new Cyble Vision solution providing 40+ specialized detection rules and parsers for diverse threat intelligence feeds from dark web to cloud security.","title":"New Cyble Vision Threat Intelligence Solution: Comprehensive CCF-Based Alert Platform"},{"content":"What Changed Two GCP IAM analytic rules were fixed to resolve query syntax errors that prevented proper detection of authentication token generation and service account key enumeration 
activities.\nDetection Logic GCPIAMNewAuthenticationToken.yaml (Solutions/GoogleCloudPlatformIAM/Analytic Rules/GCPIAMNewAuthenticationToken.yaml:20):\nPrimary data source: GCP_IAM table Core logic: Monitors for GenerateAccessToken method calls (now supports both short and fully-qualified method names) Entity types: Account, IP address Fixed where clause to include both GenerateAccessToken and google.iam.admin.v1.GenerateAccessToken method names GCPIAMServiceAccountKeysEnumeration.yaml (Solutions/GoogleCloudPlatformIAM/Analytic Rules/GCPIAMServiceAccountKeysEnumeration.yaml:22):\nPrimary data source: GCP_IAM table Core logic: Detects excessive ListServiceAccountKeys API calls (threshold: \u0026gt;5 per hour per principal) Entity types: Account Fixed typo in method name from ListServiceAccountsKeys to ListServiceAccountKeys MITRE Mapping T1550: Use Alternate Authentication Material Affected Files Solutions/GoogleCloudPlatformIAM/Analytic Rules/GCPIAMNewAuthenticationToken.yaml Solutions/GoogleCloudPlatformIAM/Analytic Rules/GCPIAMServiceAccountKeysEnumeration.yaml (packaging artefacts: mainTemplate.json, createUiDefinition.json, 3.0.8.zip) ","permalink":"http://sentinelchangelog.net/posts/2025-12-17-pr-13323/","summary":"Two GCP IAM analytic rules had syntax errors preventing proper detection of token generation and key enumeration attacks.","title":"GCP IAM Detection Logic Fixed — Correcting Service Account Key Detection Gaps"},{"content":"What Changed New SOX IT Compliance solution added to Microsoft Sentinel Content Hub, providing regulatory compliance monitoring for IT systems supporting financial reporting under the Sarbanes-Oxley Act. 
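The two GCP IAM rule fixes above (accepting both the short and the fully-qualified GenerateAccessToken method name, and correcting ListServiceAccountsKeys to ListServiceAccountKeys under a more-than-5-per-hour threshold) are easier to reason about when the detection logic is run over sample records. The Python below is an added example written for this page, not the rules' KQL or any code from the Azure-Sentinel repository. It reduces a method name to its last dotted segment, which generalises the rule's listing of both spellings, buckets key-list calls per principal per hour, and shows that the old typo'd name matches nothing. The records and every value in them are constructed, and the simplified field names (time, method, principal, ip) are an assumption, not the GCP_IAM table's columns.

```python
from collections import defaultdict
from datetime import datetime

# Constructed GCP IAM audit records in a simplified shape. The field names are an
# assumption for this example, not the GCP_IAM table's real column names; the two
# GenerateAccessToken spellings are the ones the fixed rule accepts.
SAMPLE_EVENTS = [
    {"time": "2025-12-01T10:00:00Z", "method": "GenerateAccessToken",
     "principal": "ci-runner@proj.iam.gserviceaccount.com", "ip": "203.0.113.5"},
    {"time": "2025-12-01T10:01:00Z", "method": "google.iam.admin.v1.GenerateAccessToken",
     "principal": "alice@example.com", "ip": "198.51.100.7"},
    # six ListServiceAccountKeys calls by one principal inside one hour: over the threshold
    *[{"time": f"2025-12-01T11:{minute:02d}:00Z",
       "method": "google.iam.admin.v1.ListServiceAccountKeys",
       "principal": "recon@example.com", "ip": "198.51.100.9"} for minute in range(0, 60, 10)],
    # five calls by another principal: exactly at the threshold, so not reported
    *[{"time": f"2025-12-01T11:{minute:02d}:00Z",
       "method": "ListServiceAccountKeys",
       "principal": "auditor@example.com", "ip": "198.51.100.11"} for minute in range(0, 50, 10)],
]


def short_method(method: str) -> str:
    """Reduce a fully-qualified method name to its last segment, so that
    'google.iam.admin.v1.GenerateAccessToken' and 'GenerateAccessToken' compare equal."""
    return method.rsplit(".", 1)[-1]


def hour_bucket(timestamp: str) -> str:
    """Floor an RFC 3339 timestamp to the hour (the KQL equivalent is bin(TimeGenerated, 1h))."""
    parsed = datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ")
    return parsed.replace(minute=0, second=0).isoformat()


def detect_token_generation(events: list[dict]) -> list[tuple[str, str]]:
    """Rule 1: every GenerateAccessToken call, returned as (principal, caller IP) entities."""
    return [(event["principal"], event["ip"]) for event in events
            if short_method(event["method"]) == "GenerateAccessToken"]


def detect_key_enumeration(events: list[dict], threshold: int = 5,
                           method_name: str = "ListServiceAccountKeys") -> list[tuple[str, str, int]]:
    """Rule 2: principals making more than `threshold` key-list calls within one hour bucket.

    `method_name` is a parameter only so the effect of the old typo can be shown:
    with 'ListServiceAccountsKeys' nothing matches and the rule stays silent.
    """
    counts: dict[tuple[str, str], int] = defaultdict(int)
    for event in events:
        if short_method(event["method"]) != method_name:
            continue
        counts[(event["principal"], hour_bucket(event["time"]))] += 1
    return sorted((principal, hour, n) for (principal, hour), n in counts.items() if n > threshold)
```

Fixed hourly buckets mirror the KQL `bin()` the rule uses; a sliding window would also catch five calls at 11:55 and two at 12:05, at the cost of a different query shape.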
The solution includes compliance workbooks for tracking IT system changes, access controls, and segregation of duties required for SOX 302/404 controls.\nCompliance Coverage The SOX IT Compliance solution provides monitoring capabilities for:\nIT change management controls and approval workflows Segregation of duties in financial systems access Privileged access monitoring for systems touching financial data Configuration change tracking for SOX-relevant infrastructure Audit trail generation for compliance reporting Additional Updates Multiple solutions received maintenance updates:\nLookout: Major version 3.0.1 with enhanced mobile threat detection capabilities, new Analytic Rules for audit events and device compliance, updated DCR configuration for streaming connector Oracle Cloud Infrastructure: Enhanced CCF connector configuration with expanded data collection rules and improved field mappings Varonis SaaS: Function App connector improvements for data loss prevention monitoring Microsoft Entra ID: Updated Playbooks for session revocation capabilities Affected Files Solutions/SOX IT Compliance/Workbooks/SOXITCompliance.json Solutions/SOX IT Compliance/Data/Solution_SOX IT Compliance.json Solutions/Lookout/Analytic Rules/LookoutThreatEventV2.yaml Solutions/Oracle Cloud Infrastructure/Data Connectors/Oracle_Cloud_Infrastructure_CCP/ (packaging artefacts: mainTemplate.json, createUiDefinition.json, etc.) 
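The urllib3 2.6.0 dependency bumps recorded on this page (WithSecure Elements, Box, Trend Micro Vision One, ESET Protect Platform) all close the same two holes in response decoding: an unbounded Content-Encoding chain (CVE-2025-66418) and an unbounded inflated size (CVE-2025-66471). The Python below is an added example written for this page, not code from urllib3 or from any of those Function App connectors. It puts the unbounded decoding pattern beside a bounded one, using a chain cap of 5 (the value the Trend Micro post cites for the urllib3 fix) and a 1 MB output cap chosen here for illustration; `build_response_body` is a constructed helper that plays the hostile upstream API. Only gzip and zlib-wrapped deflate are handled, which is a simplification.

```python
import gzip
import zlib

# Limits used by safe_decode. The chain cap of 5 is the value the urllib3 2.6.0 fix
# applies; the 1 MB output cap is an illustrative value chosen for this example.
MAX_ENCODINGS = 5
MAX_INFLATED_BYTES = 1_000_000

# wbits 47: auto-detect a gzip or zlib wrapper. Raw deflate is not handled (simplification).
_AUTO_WBITS = zlib.MAX_WBITS | 32


def build_response_body(payload: bytes, layers: int) -> tuple[bytes, str]:
    """Gzip-wrap `payload` `layers` times and return (body, Content-Encoding value).

    Constructed stand-in for a hostile upstream: many layers give a long
    Content-Encoding chain, a highly repetitive payload gives a decompression bomb.
    """
    body = payload
    for _ in range(layers):
        body = gzip.compress(body)
    return body, ", ".join(["gzip"] * layers)


def _parse_encodings(content_encoding: str) -> list[str]:
    return [token.strip().lower() for token in content_encoding.split(",") if token.strip()]


def unsafe_decode(body: bytes, content_encoding: str) -> bytes:
    """The pre-fix pattern: walk the whole chain and inflate every layer in full.

    Nothing bounds the number of layers or the inflated size, so a body of a few
    kilobytes can make the connector allocate gigabytes before it sees one record.
    """
    for encoding in reversed(_parse_encodings(content_encoding)):
        if encoding not in ("gzip", "x-gzip", "deflate"):
            raise ValueError(f"unsupported Content-Encoding {encoding!r}")
        body = zlib.decompress(body, wbits=_AUTO_WBITS)
    return body


def safe_decode(body: bytes, content_encoding: str,
                max_encodings: int = MAX_ENCODINGS,
                max_bytes: int = MAX_INFLATED_BYTES) -> bytes:
    """Bounded decoder: reject long chains up front and cap inflated bytes per layer."""
    encodings = _parse_encodings(content_encoding)
    if len(encodings) > max_encodings:
        raise ValueError(f"Content-Encoding chain of {len(encodings)} exceeds {max_encodings}")
    for encoding in reversed(encodings):
        if encoding not in ("gzip", "x-gzip", "deflate"):
            raise ValueError(f"unsupported Content-Encoding {encoding!r}")
        inflater = zlib.decompressobj(wbits=_AUTO_WBITS)
        # Ask for at most max_bytes + 1 output bytes: zlib stops producing output there,
        # so a bomb costs one bounded buffer instead of its full inflated size.
        out = inflater.decompress(body, max_bytes + 1)
        if len(out) > max_bytes:
            raise ValueError(f"inflated size exceeds {max_bytes} bytes (decompression bomb)")
        if not inflater.eof:
            raise ValueError("compressed stream is truncated")
        body = out
    return body
```

The per-layer cap matters as much as the chain cap: with a chain of 5 allowed, each layer must still be bounded, otherwise a single well-formed gzip layer is enough to exhaust the Function App's memory.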
","permalink":"http://sentinelchangelog.net/posts/2025-12-17-pr-13298/","summary":"New compliance monitoring solution provides IT systems change tracking and segregation of duties controls for Sarbanes-Oxley compliance programs.","title":"SOX IT Compliance Solution Released: IT Change Monitoring for Financial Controls"},{"content":"What Changed Updated urllib3 dependency from version 1.26.20 to 2.6.0 in Trend Micro Vision One Azure Function data connector, addressing critical security vulnerabilities.\nSecurity Impact (Visibility \u0026amp; Fidelity) CVE Fixes Applied:\nCVE-2025-66471 (8.9 High): Fixed decompression bomb vulnerability where compressed HTTP content could cause excessive resource consumption during streaming operations CVE-2025-66418 (8.9 High): Fixed DoS attack vector via unlimited Content-Encoding header chains, now limited to 5 chained encodings maximum Connector Stability:\nFunction App ingestion remains stable with improved security posture No impact on data collection or parsing logic Enhanced protection against malicious HTTP responses targeting the connector infrastructure Affected Files Solutions/Trend Micro Vision One/Data Connectors/AzureFunctionTrendMicroXDR/requirements.txt ","permalink":"http://sentinelchangelog.net/posts/2025-12-16-pr-13253/","summary":"Dependency update from urllib3 1.26.20 to 2.6.0 addresses two high-severity CVEs preventing DoS attacks via decompression bombs and content encoding chains.","title":"Trend Micro Vision One — urllib3 Security Update Fixes Critical DoS Vulnerabilities"},{"content":"What Changed Bumped urllib3 dependency from 2.5.0 to 2.6.0 in the ESET Protect Platform Function App connector to address security vulnerabilities.\nSecurity Impact (Visibility \u0026amp; Fidelity) CVE relevance verified — urllib3 2.6.0 addresses two high-severity (8.9 CVSS) vulnerabilities:\nCVE-2025-66471: Decompression bomb vulnerability where streaming API could improperly handle highly compressed HTTP content, leading to 
excessive resource consumption CVE-2025-66418: DoS vulnerability where attackers could compose HTTP responses with unlimited Content-Encoding links, exhausting system resources during decoding These vulnerabilities could be exploited against the ESET connector when processing API responses from ESET Protect Platform, potentially causing connector failures or resource exhaustion that would disrupt security telemetry ingestion.\nAffected Files Solutions/ESET Protect Platform/Data Connectors/requirements.txt (packaging artefacts: FunctionAppESETProtectPlatform.zip) ","permalink":"http://sentinelchangelog.net/posts/2025-12-16-pr-13293/","summary":"Updated urllib3 dependency to v2.6.0 to address two high-severity CVEs affecting HTTP decompression handling.","title":"ESET Protect Platform Connector: urllib3 Security Update for CVE Fixes"},{"content":"What Changed Microsoft Copilot connector updated to use the correct official table name CopilotActivity instead of LLMActivity across all solution components, sample data, and tooling.\nSecurity Impact (Visibility \u0026amp; Fidelity) Critical Table Reference Fix:\nQueries targeting wrong table: All sample queries, connectivity checks, and documentation referenced LLMActivity table which was deprecated/renamed - these queries returned zero results for deployments using the current schema Data Collection Rule alignment: DCR now correctly outputs to Microsoft-CopilotActivity stream instead of Microsoft-LLMActivity, ensuring proper data ingestion Sample data schema match: Sample logs now use CopilotActivity type field matching the actual ingested data format Impact Assessment:\nDeployments using the previous connector version had functional data ingestion but broken sample queries and monitoring This fix restores proper visibility into Microsoft Copilot audit events and user activity monitoring Affected Files Solutions/Microsoft Copilot/Data Connectors/MicrosoftCopilot_ConnectorDefinition.json Solutions/Microsoft Copilot/Data 
Connectors/MicrosoftCopilot_DCR.json Sample Data/MicrosoftCopilot_IngestedLogs.json Tools/Create-Azure-Sentinel-Solution/common/standardLogStreams.ps1 Tools/Solutions Analyzer/connector-docs/connectors/microsoftcopilot.md (packaging artefacts: 3.0.1.zip, createUiDefinition.json, mainTemplate.json, etc.) ","permalink":"http://sentinelchangelog.net/posts/2025-12-16-pr-13272/","summary":"Microsoft Copilot connector fixes critical table reference issue, standardizing on official CopilotActivity table name across all components.","title":"Microsoft Copilot Connector — Critical Table Name Update from LLMActivity to CopilotActivity"},{"content":"What Changed Ermes Browser Security CCF connector enhanced with improved data fidelity, multi-tenant support, and expanded log collection capabilities.\nSecurity Impact (Visibility \u0026amp; Fidelity) Data Fidelity Improvements:\nTimestamp accuracy restored: Previously used server ingestion timestamp (_created), now extracts real event timestamp when available - this fixes temporal correlation issues for security investigations Extended log data: Added log_data field for specific event categories (general, dashboard_auth, dashboard_audit, device_status) - queries referencing detailed event context previously returned null Time range precision: Fixed API query boundaries from gte/lt to gt/lte, ensuring no event gaps or duplicates in collection Multi-Tenant Support:\nAdded configurable API URL parameter supporting multiple Ermes tenant deployments Deployments can now connect to different Ermes instances beyond the default api.shield.ermessecurity.com Affected Files Solutions/Ermes Browser Security/Data Connectors/ErmesBrowserSecurityEvents_CCF/ErmesBrowserSecurityEvents_ConnectorDefinition.json Solutions/Ermes Browser Security/Data Connectors/ErmesBrowserSecurityEvents_CCF/ErmesBrowserSecurityEvents_DCR.json Solutions/Ermes Browser Security/Data Connectors/ErmesBrowserSecurityEvents_CCF/ErmesBrowserSecurityEvents_PollerConfig.json 
Solutions/Ermes Browser Security/Data Connectors/ErmesBrowserSecurityEvents_CCF/ErmesBrowserSecurityEvents_Table.json (packaging artefacts: 3.1.0.zip, createUiDefinition.json, mainTemplate.json, etc.) ","permalink":"http://sentinelchangelog.net/posts/2025-12-16-pr-13303/","summary":"CCF connector update fixes timestamp extraction, adds configurable API endpoints, and expands log data collection for better event visibility.","title":"Ermes Browser Security Connector — Enhanced Data Fidelity and Multi-Tenant Support"},{"content":"TITLE: Microsoft Entra ID Playbooks: API Permission Updates for Session Revocation SUMMARY: Updates Revoke-AADSignInSessions playbook documentation to use correct User.RevokeSessions.All permissions instead of broader User.ReadWrite.All. TAGS: Solutions, Microsoft Entra ID, Playbooks, Documentation RATING: Medium ACTION: Update BODY:\n","permalink":"http://sentinelchangelog.net/posts/2025-12-15-pr-13236/","summary":"Updates Revoke-AADSignInSessions playbook documentation to use correct User.RevokeSessions.All permissions instead of broader User.ReadWrite.All.","title":"Microsoft Entra ID Playbooks: API Permission Updates for Session Revocation"},{"content":"What Changed Updated field reference in the Contrast ADR Confirmed EDR detection rule from incident_id_s to incidentId_s to match the actual field name in the ContrastADR_CL table. Added both field names to the test schema for validation.\nDetection Logic KQL logic unavailable — YAML not included in diff context.\nSecurity Impact (Visibility \u0026amp; Fidelity) The incorrect field name caused the detection rule to fail completely when referencing incident correlation data from the ContrastADR_CL table. 
Queries using incident_id_s would return null values or cause query execution errors, preventing the rule from correlating security events with Contrast application security incidents.\nThis eliminated detection capability for confirmed application layer attacks detected by Contrast ADR — a critical blind spot for organizations using application security runtime protection.\nAffected Files Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Confirmed_EDR.yaml .script/tests/KqlvalidationsTests/CustomTables/ContrastADR_CL.json (packaging artefacts: mainTemplate.json, 3.0.1.zip) ","permalink":"http://sentinelchangelog.net/posts/2025-12-15-pr-13287/","summary":"Corrected field name from incident_id_s to incidentId_s in Contrast EDR detection rule.","title":"Contrast ADR Detection: Fixed Field Reference Causing Query Failures"},{"content":"What Changed The Lookout mobile security solution has been updated to version 3.0.1 addressing parser validation issues and adding new security monitoring capabilities. Key improvements include parser field fixes, comprehensive and executive security dashboards, and updated analytic rules.\nSecurity Impact (Visibility \u0026amp; Fidelity) Parser fixes resolve KQL validation errors that could have affected query reliability against Lookout mobile threat data. 
The solution now includes:\nFixed LookoutEvents parser with proper field mapping New comprehensive security investigation dashboard for detailed threat analysis Executive dashboard providing high-level security posture overview Enhanced analytic rules (v2.0.3) with improved MITRE ATT\u0026amp;CK mappings for mobile threats These improvements enhance visibility into mobile device threats, compliance status, and security incidents across iOS and Android platforms.\nAffected Files Solutions/Lookout/Analytic Rules/ (5 detection rules updated) Solutions/Lookout/Workbooks/ (4 new dashboards added) Solutions/Lookout/Parsers/LookoutEvents.yaml Solutions/Lookout/Data Connectors/ (CCF and Function App configurations) (extensive documentation, validation tools, and packaging artifacts) ","permalink":"http://sentinelchangelog.net/posts/2025-12-15-pr-13148/","summary":"Lookout solution updated to v3.0.1 with parser fixes, comprehensive security dashboards, and enhanced analytic rules.","title":"Lookout Mobile Security: Parser Fixes and Executive Dashboard Enhancement"},{"content":"What Changed Fixed field name parsing errors in the Slack Audit parser affecting the SlackAuditV2_CL table. Updated field references from dot notation to underscore notation to match the actual JSON structure.\nParser Impact The parser was attempting to access nested JSON fields using dot notation (entity.channel.is.shared, context.ip.address) when the actual field names use underscores (entity.channel.is_shared, context.ip_address). 
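A cheap check for the failure mode in this Slack Audit post is to resolve every dotted path the parser references against a handful of real events and flag the output columns that never come back non-null. The Python below is an added example for this page, not the SlackAudit.yaml parser or any Azure-Sentinel code. The events are constructed in the nested layout of the Slack Audit Logs API, the column names are the ones the post lists, the two dotted 'before' paths are the ones the post cites, and the 'before' paths for the OrgShared and SessionId columns are assumed by analogy.

```python
from typing import Any

# Constructed Slack audit-log events in the nested layout of the Slack Audit Logs
# API (ids, addresses and channel names are made up).
SAMPLE_EVENTS = [
    {"id": "ev-1", "action": "shared_channel_invite_sent",
     "context": {"ip_address": "203.0.113.10", "session_id": 4711, "ua": "Slack/4.41"},
     "entity": {"type": "channel",
                "channel": {"id": "C0A1", "name": "ext-vendor",
                            "is_shared": True, "is_org_shared": False}}},
    {"id": "ev-2", "action": "public_channel_created",
     "context": {"ip_address": "198.51.100.23", "session_id": 4712, "ua": "Slack/4.41"},
     "entity": {"type": "channel",
                "channel": {"id": "C0B2", "name": "general",
                            "is_shared": False, "is_org_shared": False}}},
]

# Output column -> dotted path into the raw event. The two dotted-notation entries
# are the ones the post cites; the OrgShared and SessionId 'before' paths are assumed.
PARSER_FIELDS_BEFORE = {
    "EntityChannelIsShared": "entity.channel.is.shared",
    "EntityChannelIsOrgShared": "entity.channel.is.org.shared",
    "SrcIpAddr": "context.ip.address",
    "ContextSessionId": "context.session.id",
}
PARSER_FIELDS_AFTER = {
    "EntityChannelIsShared": "entity.channel.is_shared",
    "EntityChannelIsOrgShared": "entity.channel.is_org_shared",
    "SrcIpAddr": "context.ip_address",
    "ContextSessionId": "context.session_id",
}


def resolve(event: dict, path: str) -> Any:
    """Walk a dotted path through nested dicts; None as soon as a hop does not exist,
    which is what a KQL dynamic-field access on a missing key yields."""
    node: Any = event
    for hop in path.split("."):
        if not isinstance(node, dict) or hop not in node:
            return None
        node = node[hop]
    return node


def field_coverage(events: list[dict], mapping: dict[str, str]) -> dict[str, int]:
    """Number of events in which each mapped output column resolves to a non-null value."""
    return {column: sum(resolve(event, path) is not None for event in events)
            for column, path in mapping.items()}


def dead_fields(events: list[dict], mapping: dict[str, str]) -> list[str]:
    """Output columns that are null on every sample event: the signature of this parser bug."""
    return sorted(column for column, hits in field_coverage(events, mapping).items() if hits == 0)
```

Counting non-null rather than truthy values is deliberate: `is_shared: false` is a real answer, and treating it as missing would hide exactly the channels a DLP rule wants to distinguish.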
This mismatch caused affected fields to consistently return null values.\nSecurity Impact (Visibility \u0026amp; Fidelity) Queries referencing these fields against the Slack Audit parser returned null for all rows — this was a data fidelity gap affecting:\nEntityChannelIsShared/EntityChannelIsOrgShared: Channel sharing status visibility was completely lost, preventing detection of data exfiltration via shared channels ContextIpAddress/SrcIpAddr: Source IP address tracking was broken, eliminating geolocation-based anomaly detection and threat correlation ContextSessionId: Session tracking was impaired, reducing ability to correlate related user activities This was not a cosmetic fix — security teams using Slack audit data for insider threat detection, data loss prevention, or geographic access monitoring had critical blind spots.\nAffected Files Solutions/SlackAudit/Parsers/SlackAudit.yaml (packaging artefacts: mainTemplate.json, Solution_SlackAudit.json, 3.0.5.zip, ReleaseNotes.md) ","permalink":"http://sentinelchangelog.net/posts/2025-12-12-pr-13279/","summary":"Corrected field name parsing errors in SlackAuditV2_CL that were causing channel sharing status and IP context data to return null.","title":"Slack Audit Parser: Fixed Broken Field References Causing Data Loss"},{"content":"What Changed Two ProofPoint TAP Analytic Rules have been updated to reference the newer ProofpointTAPv2 connector ID instead of the legacy ProofpointTAP connector. 
The affected detection rules maintain their existing logic while ensuring compatibility with the updated connector infrastructure.\nDetection Rules Updated MalwareAttachmentDelivered (version 1.0.5 → 1.0.6): Monitors for malicious email attachments delivered through ProofPoint TAP MalwareLinkClicked (version 1.0.6 → 1.0.7): Detects clicks on malicious URLs identified by ProofPoint TAP Both rules continue to monitor the same data tables (ProofPointTAPMessagesDeliveredV2_CL and ProofPointTAPClicksPermittedV2_CL) with no changes to detection logic or thresholds.\nCompatibility Impact Deployments using the legacy ProofpointTAP connector may need to migrate to ProofpointTAPv2 for these rules to function correctly. The connector ID change ensures proper data source validation and maintains detection coverage for ProofPoint TAP telemetry.\nAffected Files Solutions/ProofPointTap/Analytic Rules/MalwareAttachmentDelivered.yaml Solutions/ProofPointTap/Analytic Rules/MalwareLinkClicked.yaml Workbooks/WorkbooksMetadata.json .script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json ","permalink":"http://sentinelchangelog.net/posts/2025-12-12-pr-13309/","summary":"Two ProofPoint TAP Analytic Rules updated to reference ProofpointTAPv2 connector ID, ensuring compatibility with the newer connector version.","title":"ProofPoint TAP Detection Rules Updated for v2 Connector Migration"},{"content":"What Changed Fortigate ASIM parser updates to address field name inconsistencies that were impacting schema compliance for ASIM tables. The changes originated from PR #12794 and ensure proper data normalization.\nParser Impact Field mapping corrections ensure that Fortigate network session logs properly align with ASIM NetworkSession schema requirements. 
This addresses data fidelity issues where field names may have been inconsistent with the normalized schema specification.\nAdditional Content This PR includes the same extensive Microsoft 365 Defender Email and Collaboration hunting queries as previous updates, indicating this was part of a consolidated release addressing multiple improvements.\nSecurity Impact (Visibility \u0026amp; Fidelity) Organizations using Fortigate firewalls with ASIM normalization will see improved query reliability when referencing standardized field names. Previously inconsistent field mappings could have caused detection rules or hunting queries to miss data due to schema mismatches.\nAffected Files Parsers/ASimNetworkSession/ARM/ASimNetworkSessionFortinetFortiGate/ (ASIM parser + ARM template) 700+ Microsoft 365 Defender Email and Collaboration hunting queries Custom table test definitions for schema validation ","permalink":"http://sentinelchangelog.net/posts/2025-12-12-pr-12927/","summary":"Field name inconsistencies in Fortigate ASIM parsers corrected to ensure proper schema compliance and data normalization.","title":"Fortigate ASIM Parser: Field Name Consistency Fix for Network Session Schema"},{"content":"What Changed The SAP agentless package receives version 1.1.8 with two key infrastructure improvements: migration from Log Analytics v1 to v2 API for heartbeat functionality and new support for audit log user exclusions.\nSecurity Impact (Visibility \u0026amp; Fidelity) This update addresses two operational aspects of SAP monitoring:\nHeartbeat API Migration: The connector now uses the Log Analytics v2 API for heartbeat signals, ensuring continued operational visibility as Microsoft phases out v1 endpoints. Deployments using older package versions may experience heartbeat reporting gaps as legacy endpoints are deprecated.\nAudit Log User Exclusions: New capability allows filtering of specific user accounts from SAP audit log ingestion. 
This reduces noise from service accounts and automated processes while maintaining audit trail integrity for human user activities — improving signal-to-noise ratio for security analysis.\nAffected Files Solutions/SAP/Agentless/README.md (packaging artefacts: package-1.1.8.zip) ","permalink":"http://sentinelchangelog.net/posts/2025-12-11-pr-13265/","summary":"SAP agentless package updated to use Log Analytics v2 API for heartbeats and added audit log user exclusion capabilities.","title":"SAP Solution: Agentless Package Upgraded to Log Analytics v2 API"},{"content":"What Changed Modified Proofpoint On-Demand (POD) Email Security CCF connector polling configuration to remove startTime and endTime query parameters, enabling proper WebSocket-based live streaming.\nSecurity Impact (Visibility \u0026amp; Fidelity) Deployments using Proofpoint POD connector experienced significant data quality issues:\nDuplicate Data Problem:\nThe POD API rounds time parameters to the nearest hour, creating overlapping time frames Previous 5-minute polling intervals with startTime/endTime caused systematic data duplication SOC teams received multiple alerts for the same email security events Investigation workflows were impacted by inflated event counts and false positives Root Cause:\nPOD uses WebSocket architecture designed for persistent live connections Time-based polling contradicts the intended streaming API design Historical data retrieval mode was inappropriately used for live monitoring This fix eliminates duplicate ingestion and restores proper email security event fidelity for threat detection and incident response.\nAffected Files Solutions/Proofpoint On demand(POD) Email Security/Data Connectors/ProofPointEmailSecurity_CCP/ProofpointPOD_PollingConfig.json (bulk CI/packaging updates across multiple solutions) ","permalink":"http://sentinelchangelog.net/posts/2025-12-11-pr-13262/","summary":"Removed time-based query parameters from Proofpoint On-Demand Email Security connector 
to prevent duplicate data ingestion caused by time rounding overlaps.","title":"Proofpoint POD: Fixing WebSocket Connector to Eliminate Duplicate Data Ingestion"},{"content":"What Changed Complete new solution for SOC Prime Platform audit log ingestion via the Codeless Connector Framework (CCF). The connector uses the SOC Prime TDM API to fetch platform audit logs with DCR-based ingestion.\nData Source SOC Prime Platform audit logs capture user activities and administrative actions:\nLogin events and authentication patterns Administrative configuration changes API key usage and access patterns Platform feature utilisation The connector polls the SOC Prime TDM API endpoint (api.tdm.socprime.com/v1/audit-logs) every 10 minutes with API key authentication.\nIngestion Mechanism CCF-based REST API poller with DCR transformation:\nInput fields: timestamp, event_name, user_email, user_name, event_page, source_ip, user_agent Transform logic: Maps to standard fields (TimeGenerated, EventName, UserName, SourceIp, HttpUserAgent) Output table: SOCPrimeAuditLogs_CL Pagination: NextPageToken with 100 events per page The DCR transforms raw SOC Prime API responses into normalised audit events with vendor/product metadata.\nDetection Surface Unlocked Enables monitoring of SOC Prime platform usage for:\nInsider threat detection (unusual administrative activity) Account compromise indicators (abnormal login patterns) Compliance auditing (who accessed what, when) API abuse detection (automated vs manual usage patterns) Affected Files Solutions/SOC Prime CCF/Data Connectors/SOCPrime_ccp/ (9 connector files) Logos/SOCPrime_Logo.svg (packaging artefacts: mainTemplate.json, createUiDefinition.json, 3.0.0.zip) ","permalink":"http://sentinelchangelog.net/posts/2025-12-10-pr-13186/","summary":"New SOC Prime Platform audit logs data connector added using CCF framework, providing visibility into SOC Prime TDM platform user activities and administrative actions.","title":"SOC Prime Platform: 
New CCF Connector for Audit Log Visibility"},{"content":"What Changed Fixed a case-sensitive path reference in the ASIM WebSession ARM template. The template URI was pointing to ASimWebSessionAzureFirewall (capital S) but the actual directory is AsimWebSessionAzureFirewall (lowercase s).\nSecurity Impact (Visibility \u0026amp; Fidelity) The incorrect case in the template URI caused Azure Firewall WebSession parser deployments to fail completely — GitHub raw URLs are case-sensitive, so the ARM template could not locate the referenced nested template.\nDeployments using the FullDeploymentWebSession.json template would encounter a deployment failure when attempting to provision the Azure Firewall WebSession parser component. For those deployments this was a complete blind spot for Azure Firewall web session data in ASIM normalization — no Azure Firewall HTTP traffic was being parsed into the imWebSession schema.\nAffected Files Parsers/ASimWebSession/ARM/FullDeploymentWebSession.json ","permalink":"http://sentinelchangelog.net/posts/2025-12-10-pr-13275/","summary":"Corrected case-sensitive path reference that was preventing Azure Firewall WebSession parser deployment.","title":"ASIM WebSession Parser: Fixed Broken Azure Firewall Template Reference"},{"content":"What Changed Fixed ARM Template Toolkit (ARM-TTK) validation failures in the ProofPoint TAP solution package. The changes affected the mainTemplate.json deployment template.\nSecurity Impact (Visibility \u0026amp; Fidelity) The ARM-TTK validation failures prevented successful deployment of the ProofPoint TAP solution from Content Hub. Organizations attempting to install or update the ProofPoint TAP solution would encounter deployment errors, resulting in a complete blind spot for ProofPoint email security telemetry.\nProofPoint TAP provides critical email threat intelligence including malicious URLs, file attachments, and campaign attribution data. 
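The case-sensitive raw-URL failure in the ASIM WebSession post above is detectable before anything is deployed, by comparing every templateLink URI in a template with the repository's file listing. The Python below is an added example written for this page, not tooling from the Azure-Sentinel repository. The template fragment, the file listing, the second parser entry and the file names under the parser directories are constructed, and the branch in the raw-content root is an assumption; only the AsimWebSessionAzureFirewall directory name and the FullDeploymentWebSession.json path come from the post.

```python
from typing import Iterator

# Raw-content root the Azure-Sentinel ARM templates point at. The branch name is an
# assumption for this example.
RAW_ROOT = "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/"

# Constructed stand-in for FullDeploymentWebSession.json: one nested deployment with
# the wrong-case URI the post describes, one that is correct. File names under the
# parser directories are made up for the example.
SAMPLE_TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "resources": [
        {"type": "Microsoft.Resources/deployments", "name": "azureFirewallWebSession",
         "properties": {"mode": "Incremental", "templateLink": {
             "uri": RAW_ROOT + "Parsers/ASimWebSession/ARM/ASimWebSessionAzureFirewall/ASimWebSessionAzureFirewall.json"}}},
        {"type": "Microsoft.Resources/deployments", "name": "zscalerWebSession",
         "properties": {"mode": "Incremental", "templateLink": {
             "uri": RAW_ROOT + "Parsers/ASimWebSession/ARM/ASimWebSessionZscalerZIA/ASimWebSessionZscalerZIA.json"}}},
    ],
}

# Constructed listing of repository paths that exist, as `git ls-files` would print them.
SAMPLE_REPO_FILES = {
    "Parsers/ASimWebSession/ARM/FullDeploymentWebSession.json",
    "Parsers/ASimWebSession/ARM/AsimWebSessionAzureFirewall/AsimWebSessionAzureFirewall.json",
    "Parsers/ASimWebSession/ARM/ASimWebSessionZscalerZIA/ASimWebSessionZscalerZIA.json",
}


def iter_template_links(node) -> Iterator[str]:
    """Yield every templateLink.uri string anywhere in the template, at any nesting depth."""
    if isinstance(node, dict):
        link = node.get("templateLink")
        if isinstance(link, dict) and isinstance(link.get("uri"), str):
            yield link["uri"]
        for value in node.values():
            yield from iter_template_links(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_template_links(item)


def check_template_links(template: dict, repo_files: set[str], raw_root: str = RAW_ROOT) -> list[tuple]:
    """Classify each nested-template URI against the repository listing.

    One tuple per URI: ("ok", path), ("case-mismatch", path, actual_path), ("missing", path),
    or ("unresolved", uri) for URIs that are not plain raw links (ARM expressions such as concat()).
    """
    by_lower = {path.lower(): path for path in repo_files}
    findings = []
    for uri in iter_template_links(template):
        if not uri.startswith(raw_root):
            findings.append(("unresolved", uri))
            continue
        path = uri[len(raw_root):]
        if path in repo_files:
            findings.append(("ok", path))
        elif path.lower() in by_lower:
            # Resolves on a case-insensitive file system, 404s on raw.githubusercontent.com
            findings.append(("case-mismatch", path, by_lower[path.lower()]))
        else:
            findings.append(("missing", path))
    return findings


def broken_links(template: dict, repo_files: set[str]) -> list[tuple]:
    """Only the findings that would make the deployment fail."""
    return [finding for finding in check_template_links(template, repo_files)
            if finding[0] in ("case-mismatch", "missing")]
```

Run against the real repository, `repo_files` is the output of `git ls-files` and the check belongs in CI next to the ARM-TTK run, because the template validates cleanly and only fails once Azure tries to fetch the nested URI.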
Failed deployments meant no ingestion of email attack vectors, phishing campaigns, or threat actor infrastructure indicators.\nAffected Files (packaging artefacts: mainTemplate.json, 3.1.1.zip) ","permalink":"http://sentinelchangelog.net/posts/2025-12-10-pr-13283/","summary":"Resolved ARM-TTK validation errors preventing ProofPoint TAP solution deployment.","title":"ProofPoint TAP Solution: Fixed ARM Template Validation Failures"},{"content":"What Changed New automated entity analysis capabilities with three distinct trigger types for comprehensive incident response automation. Each playbook performs AI-powered analysis of URL and user entities using Microsoft Sentinel MCP integration.\nAffected Files Solutions/SentinelSOARessentials/Playbooks/Incident-Trigger-Entity-Analyzer/azuredeploy.json Solutions/SentinelSOARessentials/Playbooks/Http-Trigger-Entity-Analyzer/azuredeploy.json Solutions/SentinelSOARessentials/Playbooks/Url-Trigger-Entity-Analyzer/azuredeploy.json Solutions/SentinelSOARessentials/Playbooks/Incident-Trigger-Entity-Analyzer/readme.md Solutions/SentinelSOARessentials/Playbooks/Http-Trigger-Entity-Analyzer/readme.md Solutions/SentinelSOARessentials/Playbooks/Url-Trigger-Entity-Analyzer/readme.md (packaging artefacts: mainTemplate.json, createUiDefinition.json, solution version files) ","permalink":"http://sentinelchangelog.net/posts/2025-12-10-pr-13139/","summary":"Three new entity analyzer playbooks added with HTTP, URL, and incident triggers for automated URL and user entity enrichment.","title":"SentinelSOARessentials: New Entity Analyzer Playbooks for Incident Response"},{"content":"Marketplace preparation updates including publisher ID changes, logo corrections, and DCR configuration fixes for Cyera DSPM solution.\nTags: Solutions, Cyera DSPM, Maintenance\nRating: Low\nAction: Monitor\n","permalink":"http://sentinelchangelog.net/posts/2025-12-10-pr-13246/","summary":"Marketplace preparation updates including publisher ID changes, logo corrections, and DCR configuration fixes for Cyera DSPM solution.","title":"Cyera DSPM Solution: Marketplace Preparation and Configuration Updates"},{"content":"What Changed Fixed two critical issues in the AWS CloudTrail connector configuration script:\nVariable scoping fix: Introduced \\ variable to persist the KMS confirmation decision across different script execution contexts AWS CLI syntax fix: Corrected malformed aws cloudtrail update-trail command (missing dash in -kms-key-id flag) Security Impact (Visibility & Fidelity) The script errors would cause CloudTrail setup failures in specific scenarios:\nKMS variable scope issue: The \\ variable was not accessible in nested execution blocks, potentially causing CloudTrail creation to fail or use incorrect encryption settings when KMS was requested AWS CLI syntax error: The malformed command (\"-kms-key-id\" instead of \"--kms-key-id\") would cause trail updates to fail completely when KMS encryption was enabled These failures resulted in incomplete CloudTrail ingestion setup — customers attempting to configure AWS audit log collection would encounter deployment errors, leaving them with no AWS API activity visibility in Microsoft Sentinel.\nAffected Files DataConnectors/AWS-S3/ConfigCloudTrailDataConnector.ps1 ","permalink":"http://sentinelchangelog.net/posts/2025-12-10-pr-13281/","summary":"Corrected PowerShell variable scoping and AWS CLI command syntax in CloudTrail configuration script.","title":"AWS CloudTrail Connector: Fixed Script Logic and Command Syntax Errors"},{"content":"What Changed Added six new aggregation parsers for Corelight network sensor data to enhance security analytics capabilities:\nDNS Aggregation Parser: 
Normalizes DNS query/response data with CIM field mapping for record types, reply codes, and threat intelligence context HTTP Aggregation Parser: Processes HTTP transactions with status code mapping, user agent analysis, and URL categorization Files Aggregation Parser: Tracks file transfers with hash analysis (MD5, SHA1, SHA256) and MIME type detection Connection Aggregation Parser: Enhanced network session analysis with improved field extraction SSL Aggregation Parser: Certificate and encryption protocol monitoring Weird Events Parser: Anomalous network behavior detection and alerting Detection Surface Unlocked These parsers enable advanced network security monitoring including:\nDNS tunneling and exfiltration detection via DNS aggregation analysis Web-based attack pattern identification through HTTP transaction monitoring Malware propagation tracking via file hash correlation Encrypted channel abuse detection through SSL/TLS analysis Network anomaly identification via weird event correlation Affected Files Solutions/Corelight/Parsers/corelight_conn_agg.yaml Solutions/Corelight/Parsers/corelight_dns_agg.yaml Solutions/Corelight/Parsers/corelight_files_agg.yaml Solutions/Corelight/Parsers/corelight_http_agg.yaml Solutions/Corelight/Parsers/corelight_ssl_agg.yaml Solutions/Corelight/Parsers/corelight_weird_agg.yaml (validation schemas and packaging artefacts) ","permalink":"http://sentinelchangelog.net/posts/2025-12-09-pr-13211/","summary":"Added six new aggregation parsers for Corelight sensor data including DNS, HTTP, files, connections, SSL, and weird events with improved CIM mapping.","title":"Corelight Network Monitoring: Six New Aggregation Parsers for Enhanced Analytics"},{"content":"Minor documentation and configuration fixes for AbuseIPDB playbooks including corrected image source and typo corrections.\nTags: Solutions, Abuse IPDB, Playbooks, Documentation\nRating: Low\nAction: Monitor\n","permalink":"http://sentinelchangelog.net/posts/2025-12-09-pr-13137/","summary":"Minor documentation and configuration fixes for AbuseIPDB playbooks including corrected image source and typo corrections.","title":"AbuseIPDB Playbooks: Typo Fixes and Logo Source Update"},{"content":"What Changed The GDPR Compliance & Data Security workbook expanded its asset monitoring capabilities from hostname-only filtering to support multiple cloud and storage asset types. The watchlist schema changed from HostName to AssetName as the search key.\nSecurity Impact (Visibility & Fidelity) Previously, the workbook only tracked security alerts against traditional servers/hosts listed in the GDPR watchlist. Organizations using cloud resources to store personal data had a compliance monitoring blind spot — incidents against Azure storage accounts, AWS resources, or GCP assets were invisible in GDPR reporting.\nThe updated KQL logic now extracts entity names from multiple entity types:\nazure-resource: ResourceId field amazon-resources: AmazonResourceId field gcp-resource: FullResourceName field blob-container and blob: Name field host: HostName or FQDN fields (retained) This eliminates the cloud asset blind spot for GDPR compliance monitoring. 
Organizations must update their watchlist format and repopulate with all personal data hosting assets.\nAffected Files Solutions/GDPR Compliance & Data Security/Workbooks/GDPRComplianceAndDataSecurity.json (packaging artefacts: Workbooks/WorkbooksMetadata.json) ","permalink":"http://sentinelchangelog.net/posts/2025-12-09-pr-13259/","summary":"GDPR compliance workbook now monitors security alerts across Azure, AWS, GCP, and blob storage assets, not just traditional servers.","title":"GDPR Workbook: Expanded Asset Coverage Beyond On-Prem Hosts"},{"content":"What Changed Labeled P0 (deployment or pipeline breakage risk).\nPrimary security-focused changes include improved URL entity mapping in Cloudflare XSS probing pattern detection rules. Additionally includes extensive repository infrastructure updates affecting CI/CD validation processes, compiled JavaScript validation modules, and maintenance across multiple solution components.\nDetection Logic KQL logic not shown: the rule YAML was not included in the diff context.\nAffected Files Detections/MultipleDataSources/CloudflareXSSProbingPattern.yaml Solutions/Cloudflare/Analytic Rules/Cloudflare.yaml .script/ validation modules (1600+ compiled JavaScript files) .github/workflows/ CI configuration updates (extensive repository maintenance across parsers, hunting queries, connectors) ","permalink":"http://sentinelchangelog.net/posts/2025-12-08-pr-13138/","summary":"P0-labeled update improves URL entity mapping in Cloudflare detection rules alongside extensive repository maintenance and validation improvements.","title":"Critical Cloudflare Analytics Rules: Enhanced URL Entity Mapping and Repository Maintenance"},{"content":"What Changed New ASIM parsers added for six Azure Firewall log types: AZFWNetworkRule, AZFWNatRule, AZFWApplicationRule, AZFWIdpsSignature, AZFWThreatIntel, and AZFWDnsQuery. 
Creates normalised views across DNS, NetworkSession, and WebSession schemas.\nDetection Surface Unlocked The parsers enable standardised detection across Azure Firewall logs:\nDNS Schema: Domain reputation checks, DNS tunneling detection, C2 beaconing analysis Network Session Schema: East-west traffic analysis, lateral movement detection, network segmentation monitoring Web Session Schema: HTTP/HTTPS traffic inspection, web application attack detection, data exfiltration monitoring Each parser includes comprehensive field mapping for source/destination IPs, ports, protocols, and Azure Firewall-specific metadata (rules, actions, threat intelligence verdicts).\nASIM Integration Parsers integrate with existing ASIM framework:\nAdded to master ASimDns, imDns, imWebSession union functions Support for disabled parser exclusion lists Full ARM deployment templates and schema validation tests included Custom table definitions added to KQL validation framework New parsers follow ASIM v0.1.7 schema compliance with Azure Firewall-specific normalisation logic for timestamps, response codes, and protocol handling.\nAffected Files Parsers/ASimDns/ (6 new parser files, 5 updated) Parsers/ASimNetworkSession/ (4 new parser files, 4 updated) Parsers/ASimWebSession/ (6 new parser files, 4 updated) Sample Data/ASIM/ (3 new test data files) (.script/tests/ validation config, ARM templates) ","permalink":"http://sentinelchangelog.net/posts/2025-12-05-pr-13181/","summary":"New ASIM normalisation parsers added for six Azure Firewall log tables, expanding detection coverage for network sessions, DNS queries, and web traffic analysis.","title":"Azure Firewall ASIM Parsers: Enhanced Detection Coverage for Six New Log Types"},{"content":"What Changed Updates connector configuration to support Cisco Cloud Security log schema version 14, replacing previous version 11 support. 
Adds documentation links for workspace key permissions and improves formatting consistency.\nSecurity Impact (Visibility & Fidelity) Maintains compatibility with latest Cisco Umbrella log format to ensure continued data ingestion. Schema updates may include new fields or modified field structures requiring connector alignment.\nAffected Files Solutions/CiscoUmbrella/Data Connectors/CiscoUmbrella_API_FunctionApp.json Solutions/CiscoUmbrella/Data Connectors/CiscoUmbrella_API_FunctionApp_elasticpremium.json (packaging artefacts: mainTemplate.json, 3.0.7.zip) ","permalink":"http://sentinelchangelog.net/posts/2025-12-05-pr-13251/","summary":"Updates Cisco Umbrella Function App connectors to support log schema version 14 with enhanced workspace key documentation.","title":"Cisco Umbrella Connector: Schema v14 Compatibility and Documentation Updates"},{"content":"What Changed Reverts PR #13191 changes to anomalous single factor sign-in detection rule due to reported issues in GitHub issue #13249. Restores original filtering logic from ResultType != 0 back to ResultType == 0.\nDetection Logic Reverts the detection to only analyze successful sign-ins (ResultType == 0) rather than failed sign-ins (ResultType != 0). Original logic correctly focuses on successful single-factor authentications from unusual locations or ASNs as potential security threats.\nAffected Files Detections/SigninLogs/AnomalousSingleFactorSignin.yaml ","permalink":"http://sentinelchangelog.net/posts/2025-12-05-pr-13250/","summary":"Reverts detection rule logic changes due to GitHub issue reporting incorrect filtering logic causing operational problems.","title":"Anomalous Single Factor Sign-in Detection: Critical Logic Revert Due to False Positives"},{"content":"What Changed Major enhancement to Solutions Analyzer tool adding automated markdown documentation generation for all data connectors alongside existing CSV reports. 
Creates comprehensive connector index and individual connector pages detailing ingestion mechanisms, table mappings, and solution metadata.\nAffected Files Tools/Solutions Analyzer/README.md Tools/Solutions Analyzer/connector-docs/README.md Tools/Solutions Analyzer/connector-docs/connectors-index.md Tools/Solutions Analyzer/connector-docs/connectors/[1000+ connector documentation files].md Parsers/ASimAuditEvent/Field Mappings/Templates/AuditEvent_EventVendorEventProduct_MappingSheet.csv (ASIM field mapping templates for 9 schemas) .github/workflows/update-solutions-analyzer.yml ","permalink":"http://sentinelchangelog.net/posts/2025-12-04-pr-13234/","summary":"Solutions Analyzer tool enhanced to generate markdown documentation files for all 1000+ connectors in addition to CSV output.","title":"Solutions Analyzer Tool: Automated Connector Documentation Generation"},{"content":"What Changed Primary fix addresses missing KQL query in ZeroFox CCF connector (ConnectorDefinition.json and DCR.json). Secondary changes include parser enhancements for Cisco Umbrella with new AI-related fields, substantial Teams C# connector code removal, and packaging updates across multiple solutions.\nSecurity Impact (Visibility & Fidelity) ZeroFox deployments using the CCF connector may have experienced reduced query functionality due to the missing KQL component. 
The fix restores proper query capabilities for threat intelligence correlation against ZeroFox alert data.\nAffected Files Solutions/ZeroFox/Data Connectors/Alerts/ZeroFoxAlerts_ConnectorDefinition.json Solutions/ZeroFox/Data Connectors/Alerts/ZeroFoxAlerts_DCR.json Solutions/CiscoUmbrella/Data Connectors/ciscoUmbrellaDataConn/__init__.py Solutions/CiscoUmbrella/Parsers/Cisco_Umbrella.yaml Tools/Solutions Analyzer/solution_connector_tables.py (packaging artefacts: mainTemplate.json files, createUiDefinition.json, zip packages across 8+ solutions) ","permalink":"http://sentinelchangelog.net/posts/2025-12-04-pr-13209/","summary":"ZeroFox CCF connector receives missing KQL query fixes alongside packaging updates across 8+ solutions.","title":"ZeroFox CCF Connector: KQL Query Restoration and Multi-Solution Maintenance"},{"content":"What Changed Four threat hunting analytic rules and corresponding hunting queries were updated to add MITRE ATT&CK tactics and techniques, plus parser function modernization.\nDetection Logic The analytic rules target threat intelligence correlation across multiple data sources:\nDomain/IP/URL rules: Join network traffic (CommonSecurityLog, imDnsActivity, UrlClickEvents) against Google Threat Intelligence indicators in ThreatIntelligenceIndicator table Hash rule: Uses _Im_FileEvent (modernized from imFileEvent) to correlate file hashes against threat intelligence Core logic requires active indicators with valid timeframes (isnull(ValidUntil) or ValidUntil > now()) Entity types mapped include IP addresses, domains, URLs, and file hashes MITRE Mapping T1071 (Application Layer Protocol): Added to domain and IP hunting rules targeting command and control communications T1566 (Phishing): Added to URL hunting rule targeting initial access vectors Affected Files Solutions/Google Threat Intelligence/Analytic Rules/ThreatHunting/ThreatHuntDomain.yaml Solutions/Google Threat Intelligence/Analytic 
Rules/ThreatHunting/ThreatHuntHash.yaml Solutions/Google Threat Intelligence/Analytic Rules/ThreatHunting/ThreatHuntIp.yaml Solutions/Google Threat Intelligence/Analytic Rules/ThreatHunting/ThreatHuntUrl.yaml Solutions/Google Threat Intelligence/Hunting Queries/ThreatHuntDomain.yaml Solutions/Google Threat Intelligence/Hunting Queries/ThreatHuntHash.yaml Solutions/Google Threat Intelligence/Hunting Queries/ThreatHuntIp.yaml Solutions/Google Threat Intelligence/Hunting Queries/ThreatHuntUrl.yaml (packaging artefacts: mainTemplate.json, createUiDefinition.json, Solution_GoogleThreatIntelligence.json) ","permalink":"http://sentinelchangelog.net/posts/2025-12-04-pr-13198/","summary":"Updated threat hunting rules add MITRE ATT&CK mappings and fix parser function calls for improved threat detection coverage.","title":"Google Threat Intelligence: Enhanced Threat Hunting with MITRE ATT&CK Integration"},{"content":"What Changed Critical fixes to ASIM Authentication parsers for Microsoft Windows Event and SSH (sshd) sources addressing SrcHostname resolution when WorkstationName is empty and correcting IpAddr field aliasing.\nParser Impact Microsoft Windows Event parser: SrcHostname now falls back to Computer when WorkstationName is empty or '-', preventing null hostname values in normalized output SSH parser: IpAddr alias corrected to reference SrcIpAddr instead of DvcIpAddr for proper source IP visibility Added DvcHostName alias mapping in both parsers for improved field standardization No change to normalised field names or core filter logic — safe for existing detections using these parsers Affected Files Parsers/ASimAuthentication/Parsers/ASimAuthenticationMicrosoftWindowsEvent.yaml Parsers/ASimAuthentication/Parsers/vimAuthenticationMicrosoftWindowsEvent.yaml Parsers/ASimAuthentication/Parsers/ASimAuthenticationSshd.yaml Parsers/ASimAuthentication/Parsers/vimAuthenticationSshd.yaml (ARM templates: 
ASimAuthenticationMicrosoftWindowsEvent.json, ASimAuthenticationSshd.json, vimAuthenticationMicrosoftWindowsEvent.json, vimAuthenticationSshd.json) ","permalink":"http://sentinelchangelog.net/posts/2025-12-03-pr-13232/","summary":"Fixes SrcHostname resolution logic and IpAddr aliases in Microsoft Windows Event and SSH authentication parsers.","title":"ASIM Authentication Parsers: Hostname Resolution and Alias Fixes"},{"content":"What Changed Added a Linux-compatible version of the Sentinel Transition Helper script that provides the same functionality as the Windows version but uses Azure CLI instead of Az PowerShell modules. The script enables SOC teams on Linux/macOS to perform the same Sentinel environment analysis capabilities.\nKey features include:\nAuto-discovery of Sentinel workspaces in subscription Interactive subscription selection Analysis of tables, Analytic Rules, and automation rules HTML report generation with charts Cross-platform PowerShell compatibility Affected Files Tools/Sentinel-Defender-Helper-Script/SentinelTransitionHelper-Linux.ps1 (additional CI and validation artifacts updated across .script/ directory) ","permalink":"http://sentinelchangelog.net/posts/2025-12-03-pr-13144/","summary":"Added Linux-compatible version of Sentinel Transition Helper script using Azure CLI for cross-platform SOC environment analysis.","title":"Linux Support for Sentinel Transition Helper: Cross-Platform SOC Analysis Tool"},{"content":"What Changed Removed two legacy projects with security vulnerabilities:\nO365 DataCSharp Teams CustomConnector:\nComplete C# Teams data ingestion solution using legacy .NET Framework Custom connector for Microsoft Teams audit logs and activity data Function App-based architecture with Key Vault integration RDAPQuery Tool:\nDomain registration lookup tool for threat intelligence enrichment RDAP (Registration Data Access Protocol) API integration Azure Function-based deployment for automated domain investigation Security Impact 
(Visibility & Fidelity) Organizations using these legacy components had exposure to:\nVulnerable Dependencies: Both projects used outdated .NET libraries with known security vulnerabilities Authentication Risks: Legacy authentication patterns potentially susceptible to credential compromise Maintenance Burden: Unsupported code paths requiring security patches This cleanup reduces attack surface by removing vulnerable legacy code paths. Organizations should migrate to supported CCF-based Teams connectors or native Microsoft 365 data ingestion methods.\nAffected Files DataConnectors/O365 DataCSharp/ (entire directory removed) Tools/RDAP/RDAPQuery/ (entire directory removed) ","permalink":"http://sentinelchangelog.net/posts/2025-12-03-pr-13217/","summary":"Deleted legacy O365 DataCSharp Teams connector and RDAPQuery tool due to vulnerable .NET dependencies and security risks.","title":"Security Cleanup: Removing Vulnerable Legacy O365 Teams and RDAP Tools"},{"content":"What Changed Released the Solutions Analyzer tool - a comprehensive Python-based solution for automatically analyzing Microsoft Sentinel content repository structure. 
The tool performs automated discovery and mapping of data connector to table relationships across all solutions.\nKey capabilities:\nAutomated Discovery: Scans all solution directories to identify connectors, parsers, and table dependencies KQL Analysis: Parses connector definitions, DCR configurations, and query templates to extract table references Relationship Mapping: Creates detailed mappings between connectors and the tables they populate CSV Reporting: Generates multiple CSV reports for analysis and validation CI Integration: Includes GitHub workflow for automated analysis updates Detection Surface Unlocked This tool enhances SOC operations by:\nVisibility Gap Identification: Quickly identifies which tables are populated by which connectors Dependency Analysis: Maps parser dependencies and ASIM relationships Configuration Validation: Detects mismatches between connector names and actual table references Coverage Assessment: Enables comprehensive data source coverage analysis for threat hunting Affected Files Tools/Solutions Analyzer/solution_connector_tables.py (new analysis engine) Tools/Solutions Analyzer/README.md .github/workflows/update-solutions-analyzer.yml (new CI workflow) Tools/Solutions Analyzer/solutions_connectors_tables_mapping.csv (generated mapping) Tools/Solutions Analyzer/solutions_connectors_tables_issues_and_exceptions_report.csv (issue tracking) ","permalink":"http://sentinelchangelog.net/posts/2025-12-02-pr-13218/","summary":"Released Solutions Analyzer tool for automated discovery and mapping of connector-to-table relationships across Sentinel solutions with CSV reporting.","title":"New Solutions Analyzer Tool: Automated Connector-to-Table Mapping for Security Operations"},{"content":"What Changed Authomize Data Connector updated the Python requests library dependency from 2.31.0 to 2.32.4, addressing CVE-2024-47081.\nSecurity Impact (Visibility & Fidelity) CVE-2024-47081 fixed a credential leakage vulnerability where 
maliciously crafted URLs in a trusted environment could retrieve credentials for the wrong hostname from netrc files. Deployments using the Authomize connector with vulnerable requests versions (≤2.32.3) were susceptible to credential misdelivery attacks if netrc authentication was configured.\nAffected Files Solutions/Authomize/Data Connectors/requirements.txt (packaging artefacts: AuthomizeSentinelConnector.zip) ","permalink":"http://sentinelchangelog.net/posts/2025-12-02-pr-13166/","summary":"Authomize connector dependency updated to address credential leakage vulnerability in requests library.","title":"Authomize Connector: Critical requests Library CVE-2024-47081 Security Fix"},{"content":"What Changed Updated Cisco Umbrella connector to support log format versions 13 and 14, adding new fields across multiple log types:\nVersion 13 Additions (Proxy Logs):\nAI Model Name: Tracks AI model usage for content filtering decisions AI Supply Chain Categories: Categorizes AI-related traffic patterns Version 14 Additions:\nEvent Correlation ID: Links related events across different log sources Enhanced ZTNA log parsing with 27 additional fields including process details, device compliance, and network trust context Security Impact (Visibility & Fidelity) Organizations using Cisco Secure versions generating v13-v14 logs previously had incomplete data ingestion. 
Missing fields included:\nAI Context Loss: No visibility into which AI models were involved in security decisions, limiting ability to track AI-related threats or policy violations Event Correlation Gaps: Missing correlation IDs prevented linking related security events across different Cisco components ZTNA Blind Spots: Process-level details, device compliance status, and network trust evaluations were not captured, reducing Zero Trust visibility This update restores full data fidelity for current Cisco Secure deployments.\nAffected Files Solutions/CiscoUmbrella/Data Connectors/ciscoUmbrellaDataConn/__init__.py Solutions/CiscoUmbrella/Parsers/Cisco_Umbrella.yaml (packaging artefacts: mainTemplate.json, CiscoUmbrellaConn.zip, 3.0.7.zip) ","permalink":"http://sentinelchangelog.net/posts/2025-12-02-pr-13200/","summary":"Added support for Cisco Secure log formats v13-v14, exposing AI model tracking and event correlation fields for improved threat context.","title":"Cisco Umbrella: Enhanced Data Fidelity with Log Format v13-v14 Support"},{"content":"What Changed Updated the Microsoft Defender for Office 365 workbook to version 3 with enhanced visualizations and insights across existing tabs based on community feedback and testing in private preview.\nAffected Files Solutions/Microsoft Defender XDR/Workbooks/MicrosoftDefenderForOffice365detectionsandinsights.json ","permalink":"http://sentinelchangelog.net/posts/2025-12-02-pr-13215/","summary":"Updated Microsoft Defender for Office 365 workbook to version 3 with new visuals and improved insights based on user feedback.","title":"Microsoft Defender XDR Workbook Version 3: Enhanced Visualizations and Insights"},{"content":"What Changed Fixed a critical stream naming inconsistency in the ZeroFox CCF connector that prevented threat alert data from being ingested into Sentinel. 
The DCR stream name was corrected from \"Custom-ZeroFoxAlertsPoller_CL\" to \"Custom-ZeroFoxAlertPoller_CL\" to match the connector configuration.\nSecurity Impact (Visibility & Fidelity) Deployments running the previous version had a complete ingestion failure for ZeroFox threat alerts. The stream name mismatch caused the DCR to reject all incoming data, resulting in zero visibility into:\nBrand protection alerts from social media and web monitoring Executive protection threats Digital asset compromise notifications Physical security alerts from location monitoring This represents a significant blind spot for organizations relying on ZeroFox for threat surface monitoring and executive protection.\nAffected Files Solutions/ZeroFox/Data Connectors/Alerts/ZeroFoxAlerts_ConnectorDefinition.json Solutions/ZeroFox/Data Connectors/Alerts/ZeroFoxAlerts_DCR.json (packaging artefacts: mainTemplate.json, 3.2.2.zip) ","permalink":"http://sentinelchangelog.net/posts/2025-11-28-pr-13201/","summary":"Stream name mismatch between DCR and connector config prevented ZeroFox threat alerts from reaching Sentinel workspaces.","title":"ZeroFox Connector: Fixing Stream Naming Inconsistency Breaking Alert Ingestion"},{"content":"What Changed Packaging metadata updates to resolve Azure Marketplace certification issues:\nLogo file path corrected from .png to .svg extension Contact email typo fixed in solution metadata SVG logo file cleaned up (removed xlink namespace) Deployment Impact Changes enable Azure Marketplace offer publication. 
No functional impact on existing Open Systems data connector deployments — purely cosmetic updates for marketplace presentation and vendor contact information.\nAffected Files Logos/opensystems_logo.svg Solutions/Open Systems/Data/OpenSystems_Solution_Input.json (packaging artefacts: 3.0.0.zip, mainTemplate.json, createUiDefinition.json) ","permalink":"http://sentinelchangelog.net/posts/2025-11-27-pr-13184/","summary":"Marketplace certification fixes for Open Systems solution — updated SVG logo path and corrected contact email address for Azure Marketplace deployment.","title":"Open Systems Solution: Logo Update and Contact Email Correction"},{"content":"What Changed Dependency update bumps Python requests library from 2.31.0 to 2.32.4 in the Fortinet FortiNDR Cloud connector.\nSecurity Impact (Visibility & Fidelity) CVE-2024-47081: Fixed critical vulnerability where maliciously crafted URLs could retrieve credentials for the wrong hostname from netrc files. This affects any deployment using this connector with netrc authentication — compromised credentials could be sent to unintended hosts, creating a data exfiltration risk.\nAdditional fixes include SSL context handling improvements and Python compatibility updates that may have affected connector stability.\nAffected Files Solutions/Fortinet FortiNDR Cloud/Data Connectors/requirements.txt (packaging artefacts: 3.0.2.zip and extensive solution metadata files) ","permalink":"http://sentinelchangelog.net/posts/2025-11-26-pr-13153/","summary":"Critical security update patches CVE-2024-47081 netrc credential leak vulnerability in Python requests library.","title":"Fortinet FortiNDR Cloud: Security Update Addresses Python Requests CVE-2024-47081"},{"content":"What Changed The ContrastADR solution parsers have been updated to use column_ifexists() functions instead of direct column references, improving error handling when expected columns are missing from ingested data. 
Additionally, workbook templates have been corrected to remove hardcoded resource IDs.\nSecurity Impact (Visibility & Fidelity) Parser improvements ensure consistent data mapping even when Contrast ADR API responses vary in structure or contain missing fields. This prevents parser failures that could result in data ingestion gaps for application security events.\nThe changes maintain visibility into critical web application security events including SQL injection, XSS, command injection, and other OWASP Top 10 attacks monitored by Contrast ADR.\nAffected Files Solutions/ContrastADR/Parsers/Contrast_alert_event_parser.yaml Solutions/ContrastADR/Parsers/Contrast_incident_parser.yaml Solutions/ContrastADR/Workbooks/ (9 threat-specific workbooks updated) Solutions/ContrastADR/Data Connectors/azuredeploy_ContrastADR_functionapp.json (packaging artifacts and workbook metadata) ","permalink":"http://sentinelchangelog.net/posts/2025-11-26-pr-13117/","summary":"ContrastADR parsers updated with column_ifexists logic for improved error handling and workbook template fixes.","title":"ContrastADR Solution: Parser Logic Enhancement and Workbook Fixes"},{"content":"What Changed Updated two ASIM authentication parsers for Microsoft 365 Defender to conditionally handle the _ItemId field using the column_ifexists() function, ensuring compatibility across different workspace configurations.\nParser Impact The _ItemId field is present in some client workspaces but not others, causing parser failures when the field was missing. 
Queries referencing _ItemId in EventUid mapping previously failed with \"column not found\" errors in workspaces lacking this field — this is a data fidelity fix that restores parser functionality.\nFixed Logic Added conditional field mapping: ItemId = column_ifexists(\"_ItemId\", \"\") Updated EventUid references to use the new conditional ItemId field Maintains backward compatibility with workspaces that have _ItemId Affected Files Parsers/ASimAuthentication/Parsers/ASimAuthenticationM365Defender.yaml Parsers/ASimAuthentication/Parsers/vimAuthenticationM365Defender.yaml\n","permalink":"http://sentinelchangelog.net/posts/2025-11-25-pr-12393/","summary":"M365 Defender authentication parsers updated to handle optional _ItemId field, resolving parser failures in some client environments.","title":"Microsoft 365 Defender ASIM: Fixed Field Compatibility Issue in Authentication Parsers"},{"content":"What Changed Updated GitHub Enterprise CCF connector user interface to provide clearer guidance for API URL configuration:\nField label changed from \"Github Enterprise URL\" to \"Github Enterprise API URL\" Added Markdown instructions with API URL format examples Updated placeholder text for better user guidance Configuration Impact The changes improve connector setup clarity by explicitly showing valid API URL formats:\nCloud: https://api.github.com/enterprises/{enterprise} Server: https://api.{subdomain}.ghe.com/enterprises/{enterprise} This reduces customer configuration errors and support requests by making the required URL format more explicit during connector deployment.\nAffected Files Solutions/GitHub/Data Connectors/GitHubAuditLogs_CCF/GitHubAuditLogs_ConnectorDefinition.json (packaging artefacts: mainTemplate.json, 3.1.2.zip) ","permalink":"http://sentinelchangelog.net/posts/2025-11-24-pr-13188/","summary":"Enhanced connector definition for GitHub Enterprise audit logs 
with clearer API URL field labels and format examples to reduce customer configuration errors.","title":"GitHub Enterprise Connector: Improved API URL Configuration Guidance"},{"content":"What Changed Single-line addition of \u0026ldquo;detailed\u0026rdquo;: true flag to Palo Alto Prisma Cloud CCF connector API query parameters. This flag was present in the legacy Function App connector but omitted during CCF migration.\nSecurity Impact (Visibility \u0026amp; Fidelity) Deployments using the CCF connector experienced significant data loss — critical policy-related fields were excluded from Prisma Cloud alert ingestion due to the missing \u0026ldquo;detailed\u0026rdquo; API flag:\nMissing policy data impacts:\nPolicy violation details and compliance context Risk assessment and severity scoring information Resource configuration drift detection Compliance framework mapping (GDPR, SOX, HIPAA, etc.) Per PR discussion: Customer confirmed missing policy fields before fix, which are now visible post-deployment. The legacy Function App connector correctly included this flag — this was a migration oversight that created a data blind spot for CCF users.\nAPI Impact The Prisma Cloud API /alerts/v2 endpoint requires the \u0026ldquo;detailed\u0026rdquo; flag to include comprehensive policy metadata. 
Without it, the API returns basic alert information but excludes policy violation context essential for security analysis and compliance reporting.\nAffected Files Solutions/PaloAltoPrismaCloud/Data Connectors/PrismaCloudCSPMLog_CCF/PaloAltoPrismaCloudCSPMLog_PollingConfig.json (packaging artefacts: mainTemplate.json, 3.0.4.zip) ","permalink":"http://sentinelchangelog.net/posts/2025-11-24-pr-13018/","summary":"Critical data fidelity fix for Palo Alto Prisma Cloud CCF connector — added missing \u0026ldquo;detailed\u0026rdquo; flag to API queries, restoring previously excluded policy field data.","title":"Palo Alto Prisma Cloud Connector: Policy Data Restored with Missing \"detailed\" API Flag"},{"content":"What Changed Version bump to 4.1.0 with five new hunting queries added and one obsolete query removed. The new queries focus on efficient anomaly triage and threat pattern analysis using the Anomalies table.\nHunting Queries Added Anomalous High-Score Activity Triage: Surfaces highest-scoring anomalies for rapid SOC triage based on behavioral analytics scores.\nAnomaly Detection Trend Analysis: 90-day time-series visualization of anomaly patterns to identify baseline deviations and threat campaign timing.\nAnomaly Template Distribution: Statistical breakdown of anomaly types by MITRE tactics/techniques for detection tuning and threat landscape analysis.\nUser-Centric Anomaly Investigation: Comprehensive 30-day user activity analysis with behavioral insights and attack technique mapping.\nTop Anomalous Source IP Triage: Multi-template IP analysis to identify persistent threat sources beyond single-event noise, with 24-hour activity focus for active threats.\nDetection Focus All queries leverage UEBA behavioral analytics data to enhance threat hunting efficiency:\nScore-based prioritization for limited analyst resources MITRE ATT\u0026amp;CK technique correlation for campaign attribution Temporal analysis for attack pattern recognition User behavior baseline 
establishment for insider threat detection IP reputation analysis for external threat actor tracking Removed obsolete \u0026ldquo;Anomalous Entra High-Privilege Role Modification\u0026rdquo; query (58 lines) that targeted legacy Azure AD operations.\nAffected Files Solutions/UEBA Essentials/Hunting Queries/ (5 new, 1 removed) (packaging artefacts: Solution_UEBA.json, mainTemplate.json, 3.0.3.zip) ","permalink":"http://sentinelchangelog.net/posts/2025-11-24-pr-13182/","summary":"UEBA Essentials v4.1.0 adds five targeted hunting queries for high-score anomaly triage, trend analysis, template distribution, user-centric investigation, and malicious source IP identification.","title":"UEBA Essentials: Five New Hunting Queries for Advanced Anomaly Analysis and Threat Triage"},{"content":"What Changed Complete rewrite of Snowflake parser data extraction logic in Snowflake.yaml (533 new lines, 516 removed). The connector now uses extractjson() functions against JSON field names instead of array index-based extraction from todynamic() results.\nSecurity Impact (Visibility \u0026amp; Fidelity) Deployments using the previous version experienced complete data fidelity loss — all Snowflake log fields returned null values due to malformed SQL array parsing. 
This created a comprehensive blind spot across:\nAuthentication events (login failures, privilege escalation) Data access patterns (query logs, table access) User and role management activities Database schema changes and table operations The fix restores proper field mapping for all 10 Snowflake log types, enabling detection of insider threats, unauthorized access, and data exfiltration attempts.\nParser Impact All Snowflake log views now extract fields using JSON property names rather than positional array access:\nAuthentication: extractjson(\u0026quot;$.USER_NAME\u0026quot;) vs DataList[3] Query logs: extractjson(\u0026quot;$.QUERY_TEXT\u0026quot;) vs DataList[4] User management: extractjson(\u0026quot;$.GRANTEE_NAME\u0026quot;) vs DataList[4] This change ensures parser resilience against Snowflake API schema modifications and eliminates field misalignment issues.\nAffected Files Solutions/Snowflake/Parsers/Snowflake.yaml Solutions/Snowflake/Data Connectors/SnowflakeLogs_ccp/ (13 connector configs) (packaging artefacts: mainTemplate.json, Solution_Snowflake.json, 3.0.6.zip) ","permalink":"http://sentinelchangelog.net/posts/2025-11-21-pr-13177/","summary":"Critical fix to Snowflake connector data parsing logic, switching from array-based extraction to proper JSON field extraction, restoring visibility across all log types.","title":"Snowflake Connector: Data Parsing Logic Restored After SQL Query Malformation"},{"content":"What Changed New PowerShell toolset for automating SAP BTP solution deployment across multiple subaccounts.\nTools Added Five PowerShell scripts providing end-to-end automation:\nBtpHelpers.ps1: Core authentication and API management library export-subaccounts.ps1: BTP CLI-based subaccount enumeration provision-audit-to-subaccounts.ps1: Bulk audit service provisioning connect-sentinel-to-btp.ps1: Automated Sentinel data connector creation Deployment Impact Addresses operational scalability gap for enterprises managing many BTP subaccounts. 
Previously required manual per-subaccount configuration through Content Hub UI.\nAffected Files Solutions/SAP BTP/Tools/.gitignore Solutions/SAP BTP/Tools/BtpHelpers.ps1 Solutions/SAP BTP/Tools/README.md Solutions/SAP BTP/Tools/connect-sentinel-to-btp.ps1 Solutions/SAP BTP/Tools/export-subaccounts.ps1 Solutions/SAP BTP/Tools/provision-audit-to-subaccounts.ps1 Solutions/SAP BTP/Tools/subaccounts-sample.csv ","permalink":"http://sentinelchangelog.net/posts/2025-11-21-pr-13157/","summary":"PowerShell automation tools added for scalable SAP BTP subaccount onboarding to Microsoft Sentinel, enabling SOC teams to efficiently connect dozens of BTP subaccounts at once.","title":"SAP BTP Connector: Mass Onboarding Tools for Multi-Subaccount Deployment"},{"content":"TITLE: ZeroNetworks Solution Connector Deprecation: Function App Integration Removed SUMMARY: ZeroNetworks solution updated to version 4.0.0, removing deprecated Function App connector per Microsoft guidance. TAGS: ZeroNetworks, DataConnectors, Deprecated, Function App, Solutions RATING: Low ACTION: Monitor\n","permalink":"http://sentinelchangelog.net/posts/2025-11-21-pr-12825/","summary":"ZeroNetworks solution updated to version 4.0.0, removing deprecated Function App connector per Microsoft guidance.","title":"ZeroNetworks Solution Connector Deprecation: Function App Integration Removed"},{"content":"What Changed Bug fixes and improvements to the NCSC-NL NDN Cyber Threat Intelligence Sharing solution, addressing issues discovered during POC validation.\nPlaybook Fixes Fixed broken boolean parameter in Azure Portal deployment template Corrected playbook parameter name from \u0026ldquo;Playbook Name\u0026rdquo; to \u0026ldquo;PlaybookName\u0026rdquo; for ARM template compliance Improved JSON structure consistency across deployment templates Updated documentation references and parameter descriptions Security Impact (Visibility \u0026amp; Fidelity) No functional security logic changes - this is a maintenance 
release addressing deployment and usability issues:\nPlaybook deployment now functions correctly in Azure Portal without parameter errors Threat intelligence sharing automation operates reliably without JSON structure issues No impact on STIX bundle processing or indicator sharing capabilities Affected Files Solutions/NCSC-NL NDN Cyber Threat Intelligence Sharing/Playbooks/NCSCNLShareSTIXBundle/azuredeploy.json Solutions/NCSC-NL NDN Cyber Threat Intelligence Sharing/Playbooks/NCSCNLShareSTIXBundle/README.md Solutions/NCSC-NL NDN Cyber Threat Intelligence Sharing/README.md (packaging artefacts: mainTemplate.json, 3.0.1.zip, Solution JSON) ","permalink":"http://sentinelchangelog.net/posts/2025-11-21-pr-13072/","summary":"Dutch National Detection Network threat intelligence sharing solution updated to v3.0.1 with playbook parameter fixes and improved JSON structure.","title":"NCSC-NL Threat Intelligence Sharing: Playbook Bug Fixes and JSON Structure Improvements"},{"content":"Data Source Ingests security findings from Quokka Qscout mobile app security platform analyzing applications on organizational mobile devices. 
The platform exports app analysis events for malicious findings detected during mobile application assessment.\nIngestion Mechanism CCF-based connector using REST API polling against api.krwr.net endpoint Custom table: QscoutAppEvents_CL with mobile app metadata and analysis results Organization ID and API key authentication required for data access Polling configuration supports 5-minute query windows with 10 QPS rate limiting Detection Surface Unlocked Provides visibility into mobile application security posture across organizational devices including:\nMalicious app detection on managed mobile devices Mobile app vulnerability findings and security assessments Cross-platform mobile threat visibility (iOS/Android) Device compliance and app security monitoring for MDM-enrolled devices MITRE Coverage Comprehensive mobile threat technique coverage including Initial Access, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Collection, Command and Control, and Impact tactics with 35+ specific mobile techniques (T1406, T1409, T1414, T1417, T1418, T1422, T1424, T1429, T1430, T1471, T1474, T1481, T1509, T1512, T1513, T1516, T1517, T1532, T1541, T1544, T1582, T1616, T1617, T1623, T1624, T1625, T1627, T1628, T1629, T1630, T1631, T1633, T1634, T1635, T1636, T1638, T1640, T1641, T1642, T1643).\nAffected Files Solutions/Quokka/Data Connectors/QuokkaQscoutAppEventsLogs_ccf/QuokkaQscoutAppEventsLogs_connectorDefinition.json Solutions/Quokka/Data Connectors/QuokkaQscoutAppEventsLogs_ccf/QuokkaQscoutAppEventsLogs_DCR.json Solutions/Quokka/Data Connectors/QuokkaQscoutAppEventsLogs_ccf/QuokkaQscoutAppEventsLogs_PollingConfig.json Solutions/Quokka/Analytic Rules/MaliciousResultsDetection.yaml Solutions/Quokka/Workbooks/QscoutDashboards.json (packaging artefacts: mainTemplate.json, createUiDefinition.json, Solution_Quokka.json) ","permalink":"http://sentinelchangelog.net/posts/2025-11-21-pr-13048/","summary":"CCF connector and detection rule for Quokka 
Qscout mobile app security analysis platform provides visibility into malicious mobile application findings.","title":"New Quokka Qscout Mobile App Security Solution: Mobile Threat Detection Visibility"},{"content":"What Changed Fixed column name mapping bug in Salesforce Service Cloud CCF connector DCR configuration, plus updates to ASIM SentinelOne parsers and multiple solution packaging updates.\nSecurity Impact (Visibility \u0026amp; Fidelity) The Salesforce Service Cloud connector had broken column name mappings in the DCR transform causing data ingestion failures. Missing USER_NAME column and incorrect field references prevented proper data collection from Salesforce environments. Per PR title, this was identified as a bug in the CCF Data Connector.\nParser Impact ASIM SentinelOne parsers updated with improved regex patterns for attack tactic extraction and proper FileSize type conversion from double to long for data fidelity.\nAffected Files Solutions/Salesforce Service Cloud/Data Connectors/SalesforceSentinelConnector_CCP/SalesforceServiceCloud_DCR.json Solutions/Salesforce Service Cloud/Data Connectors/SalesforceSentinelConnector_CCP/SalesforceServiceCloud_Tables.json Parsers/ASimAlertEvent/Parsers/ASimAlertEventSentinelOneSingularity.yaml (extensive packaging artefacts across 30+ files) ","permalink":"http://sentinelchangelog.net/posts/2025-11-21-pr-13150/","summary":"Fixed critical column name mapping bug in Salesforce Service Cloud CCF connector preventing proper data ingestion.","title":"Salesforce Service Cloud Connector: Column Name Bug Fix Plus Multi-Solution Updates"},{"content":"Data Source ZeroFox Enterprise provides threat intelligence and brand protection services. This connector ingests security alerts from the ZeroFox API covering phishing, malware, social media threats, and brand abuse incidents.\nIngestion Mechanism CCF/DCR-based connector using JSON polling configuration. 
Populates the ZeroFoxAlerts_CL table via the Custom-ZeroFoxAlerts_AlertsApi stream with 5-minute polling intervals.\nDetection Surface Unlocked Phishing campaigns, malware distribution, social media impersonation, brand abuse, executive impersonation, and credential theft targeting organization assets. Alerts include perpetrator information, affected entities, and threat classification.\nMigration Impact Replaces deprecated CCP-based connector. Organizations using the legacy connector will need to migrate to this CCF implementation to maintain ZeroFox alert visibility in Microsoft Sentinel.\nAffected Files Solutions/ZeroFox/Data Connectors/Alerts/ZeroFoxAlerts_ConnectorDefinition.json Solutions/ZeroFox/Data Connectors/Alerts/ZeroFoxAlerts_DCR.json Solutions/ZeroFox/Data Connectors/Alerts/ZeroFoxAlerts_PollerConfig.json (packaging artefacts: mainTemplate.json, createUiDefinition.json, solution metadata) (removed legacy files: connectorDefinition.json, dataConnectorPoller.json, armTemplate.json)\n","permalink":"http://sentinelchangelog.net/posts/2025-11-21-pr-12754/","summary":"ZeroFox alert ingestion modernized with CCF-based connector, replacing deprecated CCP framework.","title":"ZeroFox Enterprise: New CCF Connector Replaces Deprecated CCP Implementation"},{"content":"What Changed Nine additional hunting queries added for Microsoft Teams security monitoring, expanding detection coverage beyond the previous 7 queries.\nDetection Surface Unlocked New hunting capabilities include:\nPartner impersonation detection in external Teams messages Admin submission tracking for malware/phishing trends OpenPhish URL correlation with Teams messages External sender profiling and phishing message identification Malicious URL detection method analysis Query Logic Primary data sources: CloudAppEvents, MessageEvents, ThreatIntelligenceIndicator\nPartner impersonation detection analyzes sender domain patterns against known partners Admin submission queries track 
malware/phish/no-threat verdicts over time OpenPhish integration correlates external threat feeds with Teams URLs External sender analysis identifies top phishing sources and message patterns MITRE Mapping T1566 - Phishing\nAffected Files Hunting Queries/Microsoft 365 Defender/Email and Collaboration Queries/Microsoft Teams protection/ (9 files) Solutions/Microsoft Defender XDR/Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/ (9 files) ","permalink":"http://sentinelchangelog.net/posts/2025-11-21-pr-13167/","summary":"Extended Teams protection hunting coverage with queries for partner impersonation, admin submissions, and external sender analysis.","title":"Microsoft Teams Security: 9 Additional Hunting Queries for Advanced Threat Detection"},{"content":"What Changed Open Systems connector dependency update for aiohttp from 3.10.11 to 3.12.14, combined with extensive packaging updates across multiple solutions and build system changes.\nSecurity Impact (Visibility \u0026amp; Fidelity) Review aiohttp 3.12.14 release notes to confirm no security fixes. 
Deployments using Open Systems connector with vulnerable aiohttp versions (3.10.11) should evaluate upgrade necessity based on aiohttp security advisories for the version range.\nAffected Files Solutions/Open Systems/DataConnectors/requirements.txt (extensive packaging artefacts and build system updates across 320+ files) ","permalink":"http://sentinelchangelog.net/posts/2025-11-20-pr-13158/","summary":"Open Systems connector updated aiohttp dependency addressing potential security vulnerabilities, bundled with extensive solution packaging updates.","title":"Open Systems Connector: aiohttp Security Update 3.10.11→3.12.14 Plus Multi-Solution Changes"},{"content":"What Changed Fixed broken logic condition in IPEntity_CloudAppEvents_Updated analytic rule by removing erroneous OR clause that caused rule to always evaluate to true.\nSecurity Impact (Visibility \u0026amp; Fidelity) The IPEntity_CloudAppEvents detection was completely broken due to malformed logic condition. The OR clause caused the rule to fire on ALL IP addresses, including revoked or deleted threat intelligence indicators, generating massive false positive alerts. 
This created alert fatigue and masked legitimate threats in deployment environments using Threat Intelligence (NEW) solution.\nDetection Logic Primary data source: CloudAppEvents joined with ThreatIntelligenceIndicator\nRemoved OR isnotempty(NetworkSourceIP) condition that bypassed proper indicator validation Query now correctly filters for active indicators only (IsActive and ValidUntil checks) Logic aligned with similar threat intelligence analytic rules Affected Files Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_CloudAppEvents_Updated.yaml (packaging artefacts: mainTemplate.json, createUiDefinition.json, 3.0.10.zip, Solution_ThreatIntelligenceUpdated.json, ReleaseNotes.md) ","permalink":"http://sentinelchangelog.net/posts/2025-11-20-pr-13084/","summary":"Broken condition in CloudAppEvents threat intelligence detection fixed to prevent firing on revoked/deleted indicators.","title":"Threat Intelligence: Critical Logic Fix Stops False Alerts on Revoked Indicators"},{"content":"What Changed QualysVM connector updated to include API rate limiting (1 QPS) and configurable truncation limits (20-5000 range) to prevent customer incidents where excessive API calls impacted performance.\nSecurity Impact (Visibility \u0026amp; Fidelity) Prevents service degradation from API abuse scenarios where truncation_limit=1 caused one host per API call, generating excessive API requests. 
Rate limiting protects both customer and Qualys infrastructure while maintaining data collection reliability.\nAffected Files Solutions/QualysVM/Data Connectors/QualysVMHostLogs_ccp/QualysVMHostLogs_ConnectorDefinition.json Solutions/QualysVM/Data Connectors/QualysVMHostLogs_ccp/QualysVMHostLogs_PollingConfig.json (packaging artefacts: 3.0.7.zip, mainTemplate.json, createUiDefinition.json, ReleaseNotes.md, SolutionMetadata.json, Solution_QualysVM.json) (.github/workflows/ScanSecrets.yaml, Tools/Create-Azure-Sentinel-Solution/common/createCCPConnector.ps1) ","permalink":"http://sentinelchangelog.net/posts/2025-11-19-pr-13160/","summary":"QualysVM connector enhanced with 1 QPS rate limiting and configurable truncation limits to prevent API abuse.","title":"QualysVM Connector: API Rate Limiting and Configurable Truncation Protection"},{"content":"What Changed Check Point Cyberint Alerts solution version 3.0.1 corrects DCR transform formatting and adds customer name parameter to connector headers for proper API authentication.\nData Fidelity Risk (Pre-Fix) The DCR transform JSON contained formatting inconsistencies in the dataFlows configuration that could impact data ingestion reliability. 
Additionally, the connector was missing the customer name in API headers, which may have caused authentication failures with the Cyberint Argos API.\nDCR Transform Corrections Formatting fix: Cleaned up JSON structure in CyberintArgosAlertsLogs_DCR.json dataFlows configuration Field mappings preserved: The transformKql logic remains unchanged, ensuring consistent field normalization (update_date → TimeGenerated, type → event_type, title → event_title) Connector Configuration Updates API endpoint: Updated to use proper parameter substitution for argosurl Customer authentication: Added X-Integration-Customer-Name header with customer name parameter for proper API authentication UI enhancement: Added customer name input field to connector configuration interface Security Impact (Visibility \u0026amp; Fidelity) Organizations with Check Point Cyberint deployments should update to prevent potential authentication failures and ensure reliable alert ingestion. The DCR formatting fix addresses potential data flow interruptions that could cause missing threat intelligence alerts.\nAffected Files Solutions/Check Point Cyberint Alerts/Data Connectors/CyberintArgosAlertsLogs_ccp/CyberintArgosAlertsLogs_DCR.json Solutions/Check Point Cyberint Alerts/Data Connectors/CyberintArgosAlertsLogs_ccp/CyberintArgosAlertsLogs_PollingConfig.json Solutions/Check Point Cyberint Alerts/Data Connectors/CyberintArgosAlertsLogs_ccp/CyberintArgosAlertsLogs_connectorDefinition.json (packaging artefacts: mainTemplate.json, createUiDefinition.json, ReleaseNotes.md)\n","permalink":"http://sentinelchangelog.net/posts/2025-11-19-pr-13080/","summary":"Check Point Cyberint Alerts connector v3.0.1 fixes DCR formatting and adds customer name header for proper API authentication.","title":"Check Point Cyberint Alerts: DCR Transform Fix and Customer Name Header Addition"},{"content":"What Changed Fixed broken IP entity detection rule in AppService HTTP logs by adding missing AlertPriority column to the query 
output and alertDetailsOverride configuration.\nSecurity Impact (Visibility \u0026amp; Fidelity) The IPEntity_AppServiceHTTPLogs analytic rule was completely broken due to missing AlertPriority column reference. Deployments using Threat Intelligence solution v3.1.2 or earlier could not create this detection rule - causing a complete detection blind spot for threat intelligence indicators matching AppService HTTP logs. Per PR discussion, the template failed to upload in the UI without this fix.\nDetection Logic Primary data source: AppServiceHTTPLogs joined with ThreatIntelligenceIndicator\nCorrelates inbound IP addresses from AppService logs against active threat intelligence indicators Query now properly includes AlertPriority field in projection for severity mapping Uses alertSeverityColumnName configuration to set incident severity based on AlertPriority Affected Files Solutions/Threat Intelligence/Analytic Rules/IPEntity_AppServiceHTTPLogs.yaml (packaging artefacts: mainTemplate.json, createUiDefinition.json, 3.1.3.zip, Solution_ThreatIntelligenceTemplateSpec.json, ReleaseNotes.md) ","permalink":"http://sentinelchangelog.net/posts/2025-11-19-pr-12870/","summary":"Critical fix for broken IP entity detection rule that was missing AlertPriority column causing template failures.","title":"Threat Intelligence: AppService HTTP Logs Detection Restored After Missing Column Fix"},{"content":"What Changed Seven new hunting queries added to monitor Microsoft Teams security events, focused on URL threat detection and post-delivery protection.\nDetection Surface Unlocked The new hunting queries provide visibility into:\nMalicious URL clicks within Teams messages (phishing/malware) ZAP (Zero-hour Auto Purge) events on Teams messages Admin/user submission verdicts for Teams content Daily trends for blocked URL clicks Post-delivery security actions on Teams messages Query Logic Primary data sources: UrlClickEvents, CloudAppEvents, MessagePostDeliveryEvents, MessageUrlInfo\nURL 
click analysis filters by Workload == Teams and ThreatTypes in (Phish,Malware) Submission triage queries parse RawEventData for SubmissionContentType == ChatMessage ZAP event tracking monitors ActionType has ZAP in MessagePostDeliveryEvents Cross-correlation queries join multiple tables to link URLs, messages, and click events MITRE Mapping T1566 - Phishing\nAffected Files Hunting Queries/Microsoft 365 Defender/Email and Collaboration Queries/Microsoft Teams protection/ (7 files) Solutions/Microsoft Defender XDR/Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/ (7 files) ","permalink":"http://sentinelchangelog.net/posts/2025-11-19-pr-13156/","summary":"New hunting queries added to detect malicious URL clicks, ZAP events, and user submissions in Microsoft Teams.","title":"Microsoft Teams Security: 7 New Hunting Queries for URL Threat Detection"},{"content":"Data Source Cyera DSPM (Data Security Posture Management) is a data security platform that provides visibility, classification, and protection for sensitive data across cloud and on-premises environments.\nIngestion Mechanism The solution offers dual connector options:\nCCF-based connector with DCR transformation for standard deployments Azure Function App connector for environments requiring extended processing beyond the 3-minute CCF limitation Both connectors ingest data into the CyeraDSPMLogs_CL custom table.\nDetection Surface Unlocked Cyera DSPM data enables monitoring of:\nData discovery and classification events across environments Data access patterns and anomalies Compliance violations and policy breaches Data risk assessments and posture changes Shadow data identification and governance events Affected Files Solutions/CyeraDSPM/Data Connectors/ (CCF and Function App configurations) Solutions/CyeraDSPM/Package/3.0.0.zip Logos/cyera_icon.svg, cyera_logo.svg (extensive CI validation tooling updates) 
","permalink":"http://sentinelchangelog.net/posts/2025-11-19-pr-12980/","summary":"New solution added for Cyera DSPM providing data security monitoring with both CCF and Function App connectors.","title":"Cyera DSPM Solution: New Data Security Posture Management Integration"},{"content":"Data Source Varonis data governance and security platform, focusing on file and data asset visibility across hybrid environments.\nIngestion Mechanism CCF/DCR-based push connector using Entra application authentication. Creates dedicated varonisresources_CL table for asset metadata including permissions, classifications, and risk assessments.\nDetection Surface Unlocked Enables monitoring of data asset permissions, classification changes, and risk status across enterprise file systems and cloud storage. Provides visibility into asset ownership, access patterns, and policy compliance status for data governance use cases.\nAffected Files Solutions/Varonis Purview/Data Connectors/VaronisPurview_ccp/VaronisPurview_connectorDefinition.json Solutions/Varonis Purview/Data Connectors/VaronisPurview_ccp/VaronisPurview_DCR.json Solutions/Varonis Purview/Data Connectors/VaronisPurview_ccp/VaronisPurview_dataConnector.json Solutions/Varonis Purview/Data Connectors/VaronisPurview_ccp/VaronisPurview_table.json (packaging artefacts: Solution_VaronisPurview.json, 3.0.0.zip, 3.0.1.zip, createUiDefinition.json, mainTemplate.json)\n","permalink":"http://sentinelchangelog.net/posts/2025-11-18-pr-13110/","summary":"New solution providing push connector to sync Varonis data resources into Microsoft Purview via Sentinel data lake.","title":"Varonis Purview: New Push Connector for Microsoft Purview Data Governance Integration"},{"content":"What Changed New Open Systems solution (v3.0.0) provides comprehensive integration for multiple Open Systems security products, including Secure Web Gateway, Identity service, firewall, Zero Trust Network Access, email gateway, and intrusion detection systems.\nData 
Sources The solution ingests logs from:\nSecure Web Gateway: Proxy traffic monitoring and URL filtering Identity Provider: Authentication events and user access Firewall: Network traffic filtering and security events Zero Trust Network Access: Secure remote access monitoring Email Gateway: Email security and threat detection (optional) Intrusion Detection System: Network-based threat detection (optional) Ingestion Mechanism Uses Azure Container Apps with Logstash to ingest logs from Open Systems Kafka streams. ARM template automates deployment of the ingestion infrastructure with configurable scaling and resource allocation.\nASIM Parser Coverage Includes ASIM-compliant parsers for:\nAuthentication schema: ASimAuthenticationOpenSystems Network Session schema: ASimNetworkSessionOpenSystemsFirewall Web Session schema: ASimWebSessionOpenSystemsProxySecureWebGateway Affected Files Solutions/Open Systems/DataConnectors/OpenSystems.json Solutions/Open Systems/Parsers/AuthASIMParser.yaml Solutions/Open Systems/Parsers/FirewallASIMParser.yaml\nSolutions/Open Systems/Parsers/ProxyASIMParser.yaml ARM deployment templates and Function App configuration (packaging artefacts: mainTemplate.json, createUiDefinition.json, SolutionMetadata.json)\n","permalink":"http://sentinelchangelog.net/posts/2025-11-18-pr-12165/","summary":"New Open Systems solution enables ingestion from multiple security products via Logstash with ASIM parsers for authentication, firewall, and proxy logs.","title":"Open Systems Solution: New Multi-Product Security Platform with ASIM Parsers"},{"content":"What Changed Fixed the devicemodel field parsing logic in the Zscaler ZIA ASIM WebSession parser. 
The parser now correctly extracts device model information from log fields instead of consuming all remaining text.\nParser Impact Affects ASimWebSession normalization for Zscaler ZIA logs ingested via CommonSecurityLog Data fidelity fix: Queries referencing device model fields against this parser previously returned incomplete or incorrect device categorization data No change to core filter logic or primary field mappings — safe for existing detections using this parser Sample data updated to reflect corrected parsing behavior with proper outcome=Blocked values Affected Files Parsers/ASimWebSession/Parsers/ASimWebSessionzScalerZIA.yaml Parsers/ASimWebSession/Parsers/vimWebSessionzScalerZIA.yaml (packaging artefacts: ASimWebSessionzScalerZIA.json, vimWebSessionzScalerZIA.json) Sample Data/ASIM/Zscaler_ZIA Proxy_WebSession_IngestedLogs.csv ","permalink":"http://sentinelchangelog.net/posts/2025-11-18-pr-12053/","summary":"ASIM WebSession parser for Zscaler ZIA corrected devicemodel parsing logic that was preventing proper device categorization.","title":"Zscaler ZIA ASIM Parser: Device Model Field Parsing Fix Restores Visibility"},{"content":"What Changed The WithSecure Elements Azure Function connector dependencies have been updated to requests 2.32.4, addressing CVE-2024-47081, a security vulnerability in netrc credential handling.\nSecurity Impact (Visibility \u0026amp; Fidelity) CVE-2024-47081 fixed a security issue where maliciously crafted URLs in trusted environments could retrieve credentials for the wrong hostname from netrc files. 
This represents a credential leakage vulnerability that could compromise authentication security in connector environments using netrc-based credential storage.\nThe update ensures proper hostname validation during credential lookup, preventing potential credential misuse in HTTP client operations.\nAffected Files Solutions/WithSecureElementsViaFunction/Data Connectors/requirements.txt (also updated: GitHub connector API endpoint format, AWS S3 documentation, packaging artifacts) ","permalink":"http://sentinelchangelog.net/posts/2025-11-18-pr-13136/","summary":"requests library upgraded to 2.32.4 patching CVE-2024-47081 netrc credential leak vulnerability.","title":"WithSecure Elements Connector: Critical requests Security Update"},{"content":"What Changed The ESET Protect Platform connector dependencies have been updated to urllib3 2.5.0, addressing two moderate security vulnerabilities in redirect handling.\nSecurity Impact (Visibility \u0026amp; Fidelity) urllib3 2.5.0 fixes two CVE vulnerabilities:\nCVE-2025-50181: Pool managers now properly control redirects when retries parameter is passed CVE-2025-50182: Redirects are now controlled by urllib3 in the Node.js runtime Both vulnerabilities had CVSS scores of 5.3 (Medium) but represent potential security bypass conditions in HTTP client redirect handling that could affect connector reliability and security posture.\nAffected Files Solutions/ESET Protect Platform/Data Connectors/requirements.txt (urllib3 2.4.0 → 2.5.0) ","permalink":"http://sentinelchangelog.net/posts/2025-11-14-pr-13109/","summary":"urllib3 dependency upgraded to 2.5.0 patching two CVE redirect control vulnerabilities (CVE-2025-50181, CVE-2025-50182).","title":"ESET Protect Platform Connector: Critical urllib3 Security Update"},{"content":"What Changed Added required analytic rule to Squadra Technologies SecRMM solution for Microsoft Sentinel compliance. 
The solution was previously non-compliant due to missing detection content.\nDetection Logic Primary data source: secRMM_CL custom table from Squadra removable storage monitoring Core logic: Near-real-time (NRT) detection for removable storage device connection events Entity types mapped: Host (Computer field) Technique coverage: MITRE T1025 (Data from Removable Media) for USB security monitoring Security Impact (Visibility \u0026amp; Fidelity) Enables detection of removable storage device usage in enterprise environments:\nReal-time alerting when USB devices are connected to monitored endpoints Enhanced data loss prevention (DLP) visibility for removable media usage Compliance monitoring for removable storage policies Custom table schema updated with improved field definitions and data types Affected Files Solutions/Squadra Technologies SecRmm/Analytic Rules/Removable_Storage_ONLINE.yaml Solutions/Squadra Technologies SecRmm/Data Connectors/SquadraTechnologiesSecRMM.json Solutions/Squadra Technologies SecRmm/Workbooks/AzureSentinelWorkbookForRemovableStorageSecurityEvents.json (packaging artefacts: mainTemplate.json, createUiDefinition.json, 3.0.0.zip) ","permalink":"http://sentinelchangelog.net/posts/2025-11-14-pr-12959/","summary":"SecRMM solution updated to v3.0.0 with mandatory analytic rule for removable storage monitoring to meet Microsoft Sentinel compliance requirements.","title":"Squadra Technologies SecRMM: Compliance Update Adds Required Detection Rule"},{"content":"What Changed The AWS S3 Azure Function connector has been upgraded from Python 3.9 to Python 3.11 runtime, with corresponding Azure Functions extension bundle and boto3 library updates. 
A defensive programming fix addresses potential null reference issues with newer boto3 versions.\nSecurity Impact (Visibility \u0026amp; Fidelity) Deployments using newer boto3 versions (1.28.85+) may have experienced intermittent data collection failures when S3 API responses returned empty CommonPrefixes arrays. The fix ensures consistent S3 log ingestion regardless of the API response format variation.\nThe Python runtime upgrade maintains platform security support and compatibility with current Azure Functions infrastructure.\nAffected Files DataConnectors/AWS-S3-AzureFunction/AzFun-AWS-S3-Ingestion/__init__.py DataConnectors/AWS-S3-AzureFunction/azuredeploy_awss3.json DataConnectors/AWS-S3-AzureFunction/host.json DataConnectors/AWS-S3-AzureFunction/requirements.txt (packaging: AzFun-AWS-S3-Ingestion.zip) ","permalink":"http://sentinelchangelog.net/posts/2025-11-14-pr-13129/","summary":"Function App connector updated to Python 3.11 with boto3 fix for missing CommonPrefixes handling.","title":"AWS S3 Connector: Python Runtime Upgrade and Boto3 Compatibility Fix"},{"content":"What Changed The SAP BTP CCF connector was failing to collect paginated API responses due to incorrect next-page token parsing. The fix implements proper token transformation to extract pagination handles from the API response format.\nSecurity Impact (Visibility \u0026amp; Fidelity) Deployments running the previous SAP BTP connector version experienced a critical blind spot: when SAP BTP API responses exceeded a single page, only the first page of audit events was ingested. 
Subsequent pages were silently dropped due to malformed pagination token processing.\nThe connector now properly parses the paging response header using delimiter splitting to extract the continuation handle, ensuring complete event collection across all API result pages.\nAffected Files Solutions/SAP BTP/Data Connectors/SAPBTPPollerConnector/SAPBTP_PollingConfig.json (packaging artefacts: mainTemplate.json, Solution_SAPBTP.json, ReleaseNotes.md, 3.0.10.zip) ","permalink":"http://sentinelchangelog.net/posts/2025-11-14-pr-12908/","summary":"CCF connector pagination bug fixed - deployments were missing audit events due to failed token parsing.","title":"SAP BTP Connector: Critical Pagination Fix Restores Missing Security Events"},{"content":"What Changed Added comprehensive detection coverage for Google Cloud Platform Security Command Center findings, including 5 new Analytic Rules and 5 Hunting Queries targeting critical GCP security misconfigurations.\nAnalytic Rules (5 added) New detection rules target common GCP security gaps:\nGCP API Key APIs Unrestricted: Detects API keys without API restrictions GCP API Key Exists: Identifies projects with API keys (inherent security risk) GCP DNSSEC Disabled: Flags domains without DNSSEC protection GCP Firewall High Risk Open Ports: Detects open firewall rules on risky ports GCP Logging Disabled: Identifies resources with disabled audit logging All rules query the GoogleCloudSCC table and provide entity mapping for CloudApplication resources with custom alert details including project information and finding counts.\nHunting Queries (5 added) Proactive hunting capabilities for GCP environments:\nGCP Admin Service Account Detection: Identifies service accounts with elevated privileges GCP Compute Secure Boot Disabled Detection: Finds VMs without secure boot GCP Full API Access Detection: Locates instances with unrestricted API scope GCP Public Buckets: Surfaces Cloud Storage buckets with public ACLs GCP User Managed Service 
Account Key Detection: Finds long-lived service account keys Security Impact (Visibility \u0026amp; Fidelity) This Solution closes significant detection gaps for GCP environments by monitoring Security Command Center findings. Organizations can now detect:\nAPI key misconfigurations that enable unauthorized access Disabled security features (DNSSEC, logging, secure boot) Over-privileged service accounts and risky IAM bindings Public cloud storage exposures Network security policy violations Affected Files Solutions/Google Cloud Platform Security Command Center/Analytic Rules/GCPAPIKeyApisUnrestricted.yaml Solutions/Google Cloud Platform Security Command Center/Analytic Rules/GCPAPIKeyExists.yaml Solutions/Google Cloud Platform Security Command Center/Analytic Rules/GCPDNSSECDisabled.yaml Solutions/Google Cloud Platform Security Command Center/Analytic Rules/GCPFirewallHighRiskOpenPorts.yaml Solutions/Google Cloud Platform Security Command Center/Analytic Rules/GCPLoggingDisabled.yaml Solutions/Google Cloud Platform Security Command Center/Hunting Queries/GCPAdminServiceAccountDetection.yaml Solutions/Google Cloud Platform Security Command Center/Hunting Queries/GCPComputeSecureBootDisabledDetection.yaml Solutions/Google Cloud Platform Security Command Center/Hunting Queries/GCPFullAPIAccessDetection.yaml Solutions/Google Cloud Platform Security Command Center/Hunting Queries/GCPPublicBuckets.yaml Solutions/Google Cloud Platform Security Command Center/Hunting Queries/GCPUserManagedServiceAccountKeyDetection.yaml (packaging artefacts: createUiDefinition.json, mainTemplate.json, Solution_*.json, ReleaseNotes.md) ","permalink":"http://sentinelchangelog.net/posts/2025-11-14-pr-13116/","summary":"New Solution delivers 5 Analytic Rules and 5 Hunting Queries to detect GCP security misconfigurations including unrestricted API keys, disabled security features, and risky IAM configurations.","title":"GCP Security Command Center: New Detection Suite for Cloud 
Misconfigurations"},{"content":"What Changed Updated default API hostname configuration across Rubrik Security Cloud automation components for proper customer deployments.\nConfiguration Updates API hostname change: Updated from rubrik-tme-rdp.my.rubrik.com to rubrik-tme-customer.my.rubrik.com across all components Affected playbooks: RubrikAdvanceThreatHunt RubrikAnomalyIncidentResponse RubrikTurboThreatHunt RubrikUpdateAnomalyStatusViaIncident Custom connector: Updated RubrikCustomConnector default hostname parameter Security Impact (Visibility \u0026amp; Fidelity) Configuration alignment for proper Rubrik Security Cloud integration:\nEnsures playbooks connect to correct Rubrik API endpoints during deployment Prevents deployment failures due to incorrect hostname defaults Maintains automated incident response and threat hunting capabilities with proper API connectivity Affected Files Solutions/RubrikSecurityCloud/Playbooks/RubrikAdvanceThreatHunt/azuredeploy.json Solutions/RubrikSecurityCloud/Playbooks/RubrikAnomalyIncidentResponse/azuredeploy.json Solutions/RubrikSecurityCloud/Playbooks/RubrikTurboThreatHunt/azuredeploy.json Solutions/RubrikSecurityCloud/Playbooks/RubrikUpdateAnomalyStatusViaIncident/azuredeploy.json Solutions/RubrikSecurityCloud/Playbooks/RubrikCustomConnector/Rubrik_custom_conn.json (packaging artefacts: mainTemplate.json, 3.5.1.zip)\n","permalink":"http://sentinelchangelog.net/posts/2025-11-14-pr-13082/","summary":"Rubrik Security Cloud solution updated to v3.5.1 with corrected API hostname defaults across all playbooks and custom connector.","title":"Rubrik Security Cloud: API Hostname Configuration Update for Customer Deployments"},{"content":"What Changed Mimecast solution updated to version 3.1.0 with comprehensive migration from legacy Log Analytics ingestion to Azure Monitor Log Ingestion API. 
All five Mimecast Function App connectors (AT, Audit, Cloud Integrated, SEG, TTP) now use DCR-based ingestion instead of workspace keys.\nSecurity Impact (Visibility \u0026amp; Fidelity) The migration eliminates dependency on legacy workspace keys and SharedKey authentication. Deployments using previous versions relied on hardcoded workspace credentials that are being deprecated. The new implementation requires Azure service principal credentials and DCR configuration - ensuring more secure, scalable ingestion aligned with Microsoft\u0026rsquo;s current data collection architecture.\nConnector authentication now uses Azure client credentials with proper scope handling for government cloud environments. Table name customization is now supported through environment variables, providing deployment flexibility while maintaining data consistency.\nAffected Files Solutions/Mimecast/Data Connectors/MimecastAT/SharedCode/sentinel.py Solutions/Mimecast/Data Connectors/MimecastAudit/SharedCode/sentinel.py Solutions/Mimecast/Data Connectors/MimecastCloudIntegrated/SharedCode/sentinel.py Solutions/Mimecast/Data Connectors/MimecastSEG/SharedCode/sentinel.py Solutions/Mimecast/Data Connectors/MimecastTTP/SharedCode/sentinel.py Solutions/Mimecast/Analytic Rules/MimecastTTP/Mimecast_TTP_Url.yaml Solutions/Mimecast/Parsers/MimecastAT/Mimecast_AT_Performane_Detail.yaml Solutions/Mimecast/Parsers/MimecastAT/Mimecast_AT_Safe_Score.yaml Solutions/Mimecast/Parsers/MimecastAT/Mimecast_AT_User_Data.yaml Solutions/Mimecast/Parsers/MimecastAT/Mimecast_AT_Watchlist.yaml Solutions/Mimecast/Parsers/MimecastAudit/Mimecast_Audit.yaml Solutions/Mimecast/Parsers/MimecastCI/Mimecast_Cloud_Integrated.yaml Solutions/Mimecast/Parsers/MimecastSEG/Mimecast_SEG_CG.yaml Solutions/Mimecast/Parsers/MimecastSEG/Mimecast_SEG_DLP.yaml Solutions/Mimecast/Parsers/MimecastTTP/Mimecast_TTP_Attachment.yaml Solutions/Mimecast/Parsers/MimecastTTP/Mimecast_TTP_Impersonation.yaml 
Solutions/Mimecast/Parsers/MimecastTTP/Mimecast_TTP_Url.yaml (packaging artefacts: mainTemplate.json, createUiDefinition.json, SolutionMetadata.json) ","permalink":"http://sentinelchangelog.net/posts/2025-11-14-pr-13042/","summary":"Mimecast Function App connectors migrated from legacy Log Analytics ingestion to Azure Monitor Log Ingestion API, requiring DCR reconfiguration.","title":"Mimecast Connectors: Migration to Log Ingestion API Eliminates Legacy Workspace Key Dependency"},{"content":"What Changed Removed unnecessary and problematic to_csv file handling from three AWS CloudWatch Lambda connectors that was causing runtime errors on Python 3.13. The connectors were attempting to use invalid delimiter and escape character values for single-column CSV files that do not require these parameters.\nSecurity Impact (Visibility \u0026amp; Fidelity) Lambda functions running on Python 3.13 runtime were failing with invalid delimiter and escape character errors, causing complete ingestion failure for affected CloudWatch log streams. The to_csv operation was also modifying ingested logs during the save process, creating data fidelity issues.\nAffected Files DataConnectors/AWS-S3/CloudWatchLambdaFunction.py DataConnectors/AWS-S3/CloudWatchLambdaFunction_V2.py DataConnectors/AWS-S3/CloudWatchPushBasedLambdaFunction.py (plus extensive solution packaging updates for multiple vendors) ","permalink":"http://sentinelchangelog.net/posts/2025-11-13-pr-13104/","summary":"Removed problematic CSV handling causing Lambda function failures on Python 3.13 runtime in CloudWatch connectors.","title":"AWS CloudWatch Connectors: Critical Python 3.13 Compatibility Fix"},{"content":"What Changed Enhanced UEBA Essentials solution from 20 to 26 hunting queries by adding 6 new multi-cloud detection capabilities targeting AWS, GCP, and Okta platforms. 
Significant improvements to existing queries and typo corrections throughout the solution.\nNew Multi-Cloud Detection Coverage Anomalous AWS Console Login Without MFA from Uncommon Country: Detects console access without MFA from unusual geographic locations Anomalous First-Time Device Logon: MDE integration for detecting new device connections and first-time IP associations Anomalous GCP IAM Activity: Monitors privilege escalation and IAM modifications in Google Cloud Platform Anomalous High-Privileged Role Assignment: Enhanced detection for privilege escalation attempts Anomalous Okta First-Time or Uncommon Actions: Identifies unusual Okta administrative activities and geographic anomalies UEBA Multi-Source Anomalous Activity Overview: Unified view across AWS CloudTrail, Okta, GCP Audit Logs, and authentication events MITRE Mapping T1078: Valid Accounts (AWS, Okta, GCP authentication anomalies) T1110: Brute Force (failed login pattern detection) T1098: Account Manipulation (privilege escalation detection) T1548: Abuse Elevation Control Mechanism (GCP IAM anomalies) T1021: Remote Services (device logon anomalies) T1556: Modify Authentication Process (Okta configuration changes) Affected Files Solutions/UEBA Essentials/Hunting Queries/Anomalous AWS Console Login Without MFA from Uncommon Country.yaml Solutions/UEBA Essentials/Hunting Queries/Anomalous First-Time Device Logon.yaml Solutions/UEBA Essentials/Hunting Queries/Anomalous GCP IAM Activity.yaml Solutions/UEBA Essentials/Hunting Queries/Anomalous High-Privileged Role Assignment.yaml Solutions/UEBA Essentials/Hunting Queries/Anomalous Okta First-Time or Uncommon Actions.yaml Solutions/UEBA Essentials/Hunting Queries/UEBA Multi-Source Anomalous Activity Overview.yaml (16 existing queries updated with enhanced entity mappings and improved accuracy) (packaging artefacts: Data/Solution_UEBA.json, Package/*.json, documentation files) 
","permalink":"http://sentinelchangelog.net/posts/2025-11-12-pr-13065/","summary":"Major update adds comprehensive multi-cloud anomaly detection capabilities across AWS, GCP, and Okta platforms with 6 new hunting queries.","title":"UEBA Essentials: Enhanced Multi-Cloud Detection with 6 New AWS, GCP \u0026 Okta Hunting Queries"},{"content":"What Changed The AWS S3 Function App connector has been updated to use Python 3.11 runtime, replacing the deprecated Python 3.9. This change addresses GitHub Issue #13111 regarding Python 3.9 deprecation.\nSecurity Impact (Visibility \u0026amp; Fidelity) No security visibility impact — this is a runtime migration only. The connector\u0026rsquo;s ingestion logic and data processing remain unchanged. Existing deployments will continue to function with Python 3.9 until they are redeployed with the updated template.\nAffected Files DataConnectors/AWS-S3-AzureFunction/azuredeploy_awss3.json DataConnectors/AWS-S3-AzureFunction/host.json DataConnectors/AWS-S3-AzureFunction/requirements.txt DataConnectors/AWS-S3-AzureFunction/AzFun-AWS-S3-Ingestion.zip ","permalink":"http://sentinelchangelog.net/posts/2025-11-12-pr-13115/","summary":"AWS S3 Function App connector updated to Python 3.11 runtime following Python 3.9 deprecation.","title":"AWS S3 Connector: Python 3.11 Runtime Migration"},{"content":"What Changed Vectra XDR solution updated to version 3.3.0 with migration from legacy Log Analytics ingestion to Azure Monitor Log Ingestion API. API version upgraded from v3.3 to v3.4 for enhanced data collection. Added three new playbooks and updated existing analytics rules.\nSecurity Impact (Visibility \u0026amp; Fidelity) The migration eliminates dependency on legacy workspace keys, replacing SharedKey authentication with Azure client credentials and DCR-based ingestion. 
Government cloud environments now supported through proper scope handling in Key Vault operations.\nEnhanced retry logic addresses rate limiting scenarios with proper backoff mechanisms. The API v3.4 upgrade provides improved data fidelity and additional detection context for security operations.\nNew Playbooks Added VectaDownloadPcapFileToStorage: Downloads PCAP files for network forensics analysis VectraCloseDetections: Automates detection closure workflows VectraOpenClosedDetections: Manages detection state transitions Analytic Rules (5 updated) Updated entity tagging rules for account and host entities, including new Defender alert evidence correlation. Existing priority scoring rules updated for API v3.4 compatibility.\nAffected Files Solutions/Vectra XDR/Data Connectors/VectraDataConnector/SharedCode/sentinel.py Solutions/Vectra XDR/Data Connectors/VectraDataConnector/SharedCode/collector.py Solutions/Vectra XDR/Data Connectors/VectraDataConnector/SharedCode/keyvault_secrets_management.py Solutions/Vectra XDR/Analytic Rules/Create_Incident_Based_On_Tag_For_Account_Entity.yaml Solutions/Vectra XDR/Analytic Rules/Create_Incident_Based_On_Tag_For_Host_Entity.yaml Solutions/Vectra XDR/Analytic Rules/Defender_Alert_Evidence.yaml Solutions/Vectra XDR/Analytic Rules/Priority_Account.yaml Solutions/Vectra XDR/Analytic Rules/Priority_Host.yaml Solutions/Vectra XDR/Parsers/VectraAudits.yaml Solutions/Vectra XDR/Parsers/VectraDetections.yaml Solutions/Vectra XDR/Parsers/VectraEntityScoring.yaml Solutions/Vectra XDR/Parsers/VectraHealth.yaml Solutions/Vectra XDR/Parsers/VectraLockdown.yaml Solutions/Vectra XDR/Playbooks/VectaDownloadPcapFileToStorage/azuredeploy.json Solutions/Vectra XDR/Playbooks/VectraCloseDetections/azuredeploy.json Solutions/Vectra XDR/Playbooks/VectraOpenClosedDetections/azuredeploy.json (packaging artefacts: mainTemplate.json, createUiDefinition.json, SolutionMetadata.json) 
","permalink":"http://sentinelchangelog.net/posts/2025-11-11-pr-13034/","summary":"Vectra XDR solution updated to API v3.4 with Log Ingestion API support, three new playbooks for PCAP download and detection management.","title":"Vectra XDR: Log Ingestion API Migration and Enhanced API v3.4 Support with New Playbook Capabilities"},{"content":"What Changed Fixed alert display format in the SuspiciousAccessOfBECRelatedDocuments analytic rule to reference the correct variable name CountOfDocs instead of the undefined number_of_files_accessed variable.\nDetection Logic Primary data source: imFileEvent (ASIM File Events schema) Core logic: Detects users with suspicious spikes in BEC-related document access (invoices, payments) compared to 14-day baseline Entity types mapped: Account, IP, File, CloudApplication Alert format: Now correctly displays actual count of documents accessed in alert title and description MITRE Mapping KQL logic unavailable — YAML not included in diff context.\nAffected Files Solutions/Business Email Compromise - Financial Fraud/Analytic Rules/SuspiciousAccessOfBECRelatedDocuments.yaml (packaging artefacts: Solution_Business Email Compromise - Financial Fraud.json, 3.0.10.zip, createUiDefinition.json, mainTemplate.json, ReleaseNotes.md) ","permalink":"http://sentinelchangelog.net/posts/2025-11-11-pr-13108/","summary":"Corrected alert display format to use correct variable name CountOfDocs instead of non-existent number_of_files_accessed.","title":"Business Email Compromise: Fixed Alert Display Variable Reference"},{"content":"Data Source Integrates Pathlock Threat Detection and Response platform for SAP security monitoring including:\nSAP ABAP audit log forwarding with threat detection overlays Security event correlation and threat intelligence from Pathlock TDnR platform SAP-specific security findings and policy violations Ingestion Mechanism Push-based CCF connector using Data Collection Rules for SAP security data ingestion Custom table: 
Pathlock_TDnR_CL with comprehensive SAP audit schema (55+ fields) Integration with Microsoft Sentinel Solution for SAP via ABAPAuditLog table Supports both dedicated Pathlock TDnR stream and SAP solution integration Detection Surface Unlocked Provides specialized SAP application security visibility:\nEnhanced threat detection for SAP environments beyond standard ABAP audit logs Real-time correlation of SAP transactions with security threat indicators Policy violation monitoring for sensitive SAP operations and data access Integration with existing Microsoft Sentinel for SAP solution deployments Affected Files Solutions/Pathlock_TDnR/Data Connectors/Pathlock_TDnR_PUSH_CCP/Pathlock_TDnR_connectorDefinition.json Solutions/Pathlock_TDnR/Data Connectors/Pathlock_TDnR_PUSH_CCP/Pathlock_TDnR_DCR.json Solutions/Pathlock_TDnR/Data Connectors/Pathlock_TDnR_PUSH_CCP/Pathlock_TDnR_PollingConfig.json Solutions/Pathlock_TDnR/Data Connectors/Pathlock_TDnR_CL.json (packaging artefacts: mainTemplate.json, createUiDefinition.json, 3.0.0.zip) ","permalink":"http://sentinelchangelog.net/posts/2025-11-11-pr-13076/","summary":"Push-based connector integrating Pathlock TDnR SAP security monitoring with Microsoft Sentinel for enhanced SAP application security visibility.","title":"New Pathlock Threat Detection and Response Solution: SAP Security Integration for Microsoft Sentinel"},{"content":"What Changed Fixed critical bugs in Salesforce Service Cloud analytic rules preventing proper deployment and execution.\nDetection Logic Fixes Timestamp conversion issue resolved: Added explicit todatetime(TimestampDerived) conversion in PasswordSpray and SigninsMultipleCountries rules Connector ID updates: Corrected connectorId references from SalesforceServiceCloud to SalesforceServiceCloudCCPDefinition across all three rules All three rules affected: Brute Force, Password Spray, and Multiple Countries signin detection rules Security Impact (Visibility \u0026amp; Fidelity) Critical deployment fix: 
Detection rules were failing to create due to timestamp field handling errors:\nTimestampDerived field was not properly converted to datetime type causing KQL query failures Rules could not be deployed through Content Hub or ARM templates Fix restores detection capabilities for Salesforce authentication threats including brute force attacks, password spray campaigns, and impossible travel scenarios Affected Files Solutions/Salesforce Service Cloud/Analytic Rules/Salesforce-BruteForce.yaml Solutions/Salesforce Service Cloud/Analytic Rules/Salesforce-PasswordSpray.yaml Solutions/Salesforce Service Cloud/Analytic Rules/Salesforce-SigninsMultipleCountries.yaml (packaging artefacts: mainTemplate.json, 3.0.8.zip) ","permalink":"http://sentinelchangelog.net/posts/2025-11-11-pr-13067/","summary":"Essential bug fixes for Salesforce Service Cloud detection rules resolving datetime conversion issues that prevented rule creation.","title":"Salesforce Service Cloud: Critical Detection Rule Fixes for TimestampDerived Field"},{"content":"What Changed Updated the CrowdStrike Falcon Adversary Intelligence connector by merging improvements from PR #12692 and latest master branch updates. Key enhancements include restructured configuration management, improved error handling, and better code documentation.\nSecurity Impact (Visibility \u0026amp; Fidelity) Enhanced reliability of threat intelligence ingestion through better error handling and configuration validation. 
The connector now provides more robust authentication token management and improved logging for troubleshooting ingestion failures.\nAffected Files Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdStrikeFalconAdversaryIntelligence/CrowdStrikeFalconThreatIntelConnector/__init__.py Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdStrikeFalconAdversaryIntelligence/CrowdStrikeFalconThreatIntelConnector/config.py Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdStrikeFalconAdversaryIntelligence/CrowdStrikeFalconThreatIntelConnector/utils.py Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdStrikeFalconAdversaryIntelligence/azure_deploy_CrowdstrikeFalconIndicatorsofCompromise.json Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdStrikeFalconAdversaryIntelligence/requirements.txt (packaging artefacts: CrowdStrikeFalconThreatIntelConnector.zip, CrowdStrikeFalconAdversaryIntelligence_FunctionApp.json) ","permalink":"http://sentinelchangelog.net/posts/2025-11-10-pr-13107/","summary":"Updated CrowdStrike Falcon Adversary Intelligence connector with better configuration validation, error handling, and code quality improvements.","title":"CrowdStrike Falcon: Enhanced Threat Intelligence Connector with Improved Error Handling"},{"content":"What Changed Fixed critical issues in the VMRay Threat Intelligence Function App connector\u0026rsquo;s Premium ARM template that were preventing proper deployment and causing security compliance failures.\nSecurity Impact (Visibility \u0026amp; Fidelity) The Premium ARM template had deployment configuration errors that would cause Function App creation to fail, resulting in zero threat intelligence data ingestion. 
Additionally, missing TLS security configurations violated Azure security policies:\nminimumTlsVersion property missing from storage accounts (security requirement) minTlsVersion missing from Function App site configuration (security requirement) Incorrect storage account resource references causing deployment failures Typos in parameter descriptions affecting user experience Affected Files Solutions/VMRay/Data Connectors/azuredeploy_VMRayThreatIntelligenceFuncApp_AzureFunction_premium.json Solutions/VMRay/Data Connectors/azuredeploy_VMRayThreatIntelligenceFuncApp_AzureFunction_flex.json Solutions/VMRay/Playbooks/CustomConnector/VMRayEnrichment_FunctionAppConnector/azuredeploy.json Solutions/VMRay/Data Connectors/VMRayThreatIntelligence_FunctionApp.json Solutions/VMRay/README.md (packaging artefacts: Package/3.0.0.zip, Package/3.0.1.zip, Package/mainTemplate.json, ReleaseNotes.md) ","permalink":"http://sentinelchangelog.net/posts/2025-11-10-pr-13100/","summary":"ARM template deployment fix adds mandatory TLS 1.2 enforcement and corrects resource configuration for VMRay Function App connector.","title":"VMRay Connector: Fixed Premium ARM Template Security Configuration"},{"content":"Detections (2 new, multiple updated) New VMware ESXi SSH Brute Force Detection Primary addition: ESXiMultipleFailedSSHLogin detection for VMware ESXi infrastructure Targets brute force attacks against ESXi management interfaces via SSH MITRE T1078 (Valid Accounts) technique coverage for ESXi hypervisor authentication New Acronis Cyber Protect Cloud Solution Complete new solution package with 4 detection rules and 13 hunting queries:\nDetection coverage: Abnormal IP logins, malicious URL access, ransomware infections, phishing attacks MITRE mapping: T1078 (Valid Accounts), T1204.001 (User Execution), T1486 (Data Encrypted for Impact), T1566 (Phishing) Data source: CommonSecurityLog events from Acronis audit and security platforms Updated Solutions (13 solutions) Azure Firewall: Enhanced 
threat intelligence destination analysis Box: Query optimization across 5 detection rules and 10 hunting queries Microsoft Defender XDR: Attack Simulator training playbook improvements MongoDB Atlas: Updated Function App connector and documentation OneTrust: New CCF connector with DCR configuration for privacy platform logs SAP S4 Cloud Public Edition: Connector definition refinements Multiple others: Version bumps and packaging updates for Cisco Umbrella, ExtraHop, Tenable, VMRay, Wiz, Obsidian Datasharing Affected Files Primary new detections: Solutions/VMWareESXi/Analytic Rules/ESXiMultipleFailedSSHLogin.yaml Solutions/Acronis Cyber Protect Cloud/Analytic Rules/ (4 new detection rules) Solutions/Acronis Cyber Protect Cloud/Hunting queries/ (13 new hunting queries) Solutions/OneTrust/Data Connectors/OneTrustLogs_CCF/ (new CCF connector) (packaging artefacts across 15+ solutions: various mainTemplate.json, createUiDefinition.json, zip packages) ","permalink":"http://sentinelchangelog.net/posts/2025-11-10-pr-13063/","summary":"New VMware ESXi detection for multiple failed SSH login attempts, plus comprehensive solution updates across 15+ vendor solutions.","title":"VMware ESXi SSH Brute Force Detection Plus Multi-Solution Updates"},{"content":"What Changed Updated lookback periods in the EmailEntity_CloudAppEvents_Updated analytic rule to fix query timing alignment issues. 
The dt_lookBack period was reduced from 10 days to 1 hour, and ioc_lookBack from 30 days to 14 days to match the rule\u0026rsquo;s configured query period and frequency.\nDetection Logic Primary data source: ThreatIntelIndicators joined with CloudAppEvents Core logic: Joins active threat intelligence email indicators against cloud application events on User field, filtering for valid email addresses via regex Entity types mapped: Account (User_Id, UPNSuffix) Detection timing: Now properly aligned with 1-hour query window instead of 10-day lookback mismatch MITRE Mapping T1566: Phishing (email-based threat intelligence correlation) Affected Files Solutions/Threat Intelligence (NEW)/Analytic Rules/EmailEntity_CloudAppEvents_Updated.yaml (packaging artefacts: Solution_ThreatIntelligenceUpdated.json, mainTemplate.json, createUiDefinition.json, 3.0.9.zip, ReleaseNotes.md) ","permalink":"http://sentinelchangelog.net/posts/2025-11-07-pr-13091/","summary":"TI analytic rule query periods reduced from 10 days to 1 hour to prevent false negatives from timing mismatches.","title":"Threat Intelligence Detection: Critical Timing Fix for Cloud App Email Indicators"},{"content":"What Changed Cisco Meraki syslog connector corrected data types table name from meraki_CL to CiscoMeraki to match the table name actually used in queries and data collection.\nSecurity Impact (Visibility \u0026amp; Fidelity) UI displayed incorrect table name (meraki_CL) that did not match actual query logic using CiscoMeraki table — this was a display inconsistency, not a data collection failure. 
Fix ensures UI accurately reflects the table name for query building and troubleshooting.\nAffected Files Solutions/CiscoMeraki/Data Connectors/Connector_Syslog_CiscoMeraki.json (table name correction)\n","permalink":"http://sentinelchangelog.net/posts/2025-11-07-pr-12786/","summary":"Cisco Meraki connector fixed incorrect table name reference in UI data types to match actual KQL queries.","title":"Cisco Meraki Connector: Data Types Table Name Corrected for Query Consistency"},{"content":"What Changed Fixed Function App deployment package structure for SailPoint IdentityNow connector to ensure proper Azure Functions runtime initialization.\nPackage Structure Fixes Code repositioning: Moved function code to root directory within ZIP package for proper Azure Function host discovery Python dependencies: Added .python_packages directory structure required for WEBSITE_RUN_FROM_PACKAGE deployment mode Requirements handling: Ensured requirements.txt is accessible at package root for automatic dependency resolution Security Impact (Visibility \u0026amp; Fidelity) Deployment issue resolution: SailPoint IdentityNow connectors were failing to initialize properly:\nAzure Functions host could not discover function triggers due to incorrect ZIP structure Missing Python packages prevented proper module imports and connector execution Fix restores identity governance event ingestion from SailPoint IdentityNow platform Affected Files Solutions/SailPointIdentityNow/Data Connectors/SearchEvent.zip\n","permalink":"http://sentinelchangelog.net/posts/2025-11-06-pr-13053/","summary":"Critical deployment fix for SailPoint IdentityNow Function App correcting ZIP file structure for proper Azure Function discovery and Python package dependencies.","title":"SailPoint IdentityNow: Function App Deployment Package Structure Fix"},{"content":"Security Fix (Primary) CVE-2024-47081 Remediation: Updated requests library from 2.32.2 to 2.32.4 in CyberArk Audit solution:\nVulnerability: Maliciously 
crafted URLs could retrieve credentials for wrong hostname from netrc file Impact: Credential exposure risk in trusted environments with netrc authentication Scope: CyberArk Audit data connectors using Python requests library for API authentication Multi-Solution Updates (8 solutions) New Features Corelight v3.2.1: Added anomaly and first_seen parsers with custom table schema support Netskope v3.1.2: New CCF connector configuration for enhanced alert and event ingestion Microsoft Teams Hunting: New detection queries for blocked domain monitoring (NRT and scheduled) Maintenance Updates Lumen Threat Feed: Delta sync improvements with enhanced error handling and logging Salesforce Service Cloud: Expanded CCF connector with improved DCR configuration ProofPoint TAP/POD: Version bump releases with packaging updates Feedly: Function App deployment package fixes for Python dependency structure Affected Files Solutions/CyberArkAudit/Data Connectors/requirements.txt (security fix) Solutions/Corelight/Parsers/ (new parsers: corelight_anomaly.yaml, corelight_first_seen.yaml) Solutions/Netskopev2/Data Connectors/NetskopeAlertsEvents_RestAPI_CCP/ (new CCF configuration) Hunting Queries/Microsoft 365 Defender/Email and Collaboration Queries/Microsoft Teams protection/ (new queries) (packaging artefacts across multiple solutions)\n","permalink":"http://sentinelchangelog.net/posts/2025-11-05-pr-13061/","summary":"Critical security update for CyberArk Audit requests library addressing credential leak vulnerability, plus comprehensive updates across 8 solutions.","title":"CyberArk Audit Security Update: CVE-2024-47081 Fix Plus Multi-Solution Maintenance"},{"content":"What Changed Two new KQL parsers added to the Corelight solution for enhanced network threat detection capabilities:\ncorelight_anomaly parser for ML-based anomaly detection events corelight_first_seen parser for tracking first-occurrence events Parser Impact Both parsers normalise Corelight v2 sensor data into 
structured fields with EventVendor=\u0026ldquo;Corelight\u0026rdquo; and EventProduct=\u0026ldquo;CorelightSensor\u0026rdquo; tagging. The corelight_anomaly parser provides extensive ML scoring and nearest-neighbor analysis fields for anomaly detection, while corelight_first_seen tracks entity baseline establishment events. No change to existing normalised field names — safe for current detection logic.\nAffected Files Solutions/Corelight/Parsers/corelight_anomaly.yaml Solutions/Corelight/Parsers/corelight_first_seen.yaml (packaging artefacts: mainTemplate.json, createUiDefinition.json, Solution_Corelight.json)\n","permalink":"http://sentinelchangelog.net/posts/2025-11-05-pr-13043/","summary":"Corelight solution gains two new parsers for machine learning-based anomaly detection and first-seen event tracking.","title":"Corelight: New Anomaly and First-Seen Event Parsers for Advanced Threat Detection"},{"content":"What Changed Updated Feedly Azure Function App deployment package to include .python_packages directory structure required by WEBSITE_RUN_FROM_PACKAGE deployment mode.\nSecurity Impact (Visibility \u0026amp; Fidelity) Deployment issue resolution: Feedly connectors deployed via Content Hub were failing due to missing Python package dependencies:\nFunction Apps configured with WEBSITE_RUN_FROM_PACKAGE require .python_packages directory in the deployment ZIP Missing dependency structure prevented proper Function App initialization and threat intelligence ingestion Fix restores Feedly threat feed connectivity for existing and new deployments Affected Files Solutions/Feedly/Data Connectors/FeedlyAzureFunction.zip ","permalink":"http://sentinelchangelog.net/posts/2025-11-05-pr-13054/","summary":"Critical deployment fix for Feedly Azure Function App requiring proper Python packages structure.","title":"Feedly Threat Intelligence: Function App Package Fix for Python Dependencies"},{"content":"What Changed Lumen Threat Feed solution updated from daily full sync to 
15-minute delta synchronization with enhanced polling logic and workbook improvements.\nAPI Flow Changes New delta sync architecture: POST /reputation-query → Poll GET /reputation-query/{cache_id} → Download results Combined indicator processing: Single endpoint handles both IPv4 and domain indicators simultaneously Enhanced polling mechanism: 1-second intervals with 5-minute timeout for query completion Improved statistics tracking: Added poll attempts, query times, and cache query metrics Security Impact (Visibility \u0026amp; Fidelity) Enhanced threat intelligence ingestion providing:\n15-minute refresh cycle replacing daily full sync for more current threat indicators Reduced API latency through optimized polling and combined indicator endpoints Better error handling with retry logic and timeout management for reliable data flow Enhanced workbook visualization with updated threat intelligence dashboards Affected Files Solutions/Lumen Defender Threat Feed/Data Connectors/LumenThreatFeed/LumenThreatFeedConnector/main.py Solutions/Lumen Defender Threat Feed/Data Connectors/LumenThreatFeed/LumenThreatFeedConnector/timer_starter_function/__init__.py Solutions/Lumen Defender Threat Feed/Workbooks/Lumen-Threat-Feed-Overview.json (packaging artefacts: mainTemplate.json, 3.1.0.zip, LumenThreatFeedConnector.zip) ","permalink":"http://sentinelchangelog.net/posts/2025-11-05-pr-13046/","summary":"Lumen Defender Threat Feed updated to v3.1.0 with migrated delta sync polling logic and improved workbook functionality.","title":"Lumen Threat Feed Solution: Enhanced Delta Sync and Performance Improvements"},{"content":"Data Source OneTrust Data Security Platform ingests privacy compliance, data governance, risk assessment, and consent management events into the OneTrustMetadata_CL custom table.\nIngestion Mechanism CCF-based connector using DCR/DCE architecture. 
The connector polls OneTrust API endpoints with OAuth2 authentication and transforms data via transformKql before ingestion.\nDetection Surface Unlocked This connector provides visibility into:\nPrivacy compliance violations and data subject requests Cookie consent management and preference changes Data governance policy violations and risk assessments Third-party vendor risk scoring and assessment changes Data mapping and classification activities Additional Updates This PR also includes maintenance updates across multiple solutions:\nAzure WAF: Enhanced detection logic for code injection, path traversal, SQLi, XSS, and scanner detection MongoDB Atlas: Improved Function App connector with multiprocessing support and Key Vault secret integration CrowdStrike Falcon: Updated CCF connector configuration and DCR optimization CyberArk Audit: Enhanced error handling and authentication improvements Affected Files Solutions/OneTrust/Data Connectors/OneTrustLogs_CCF/OneTrustLogs_DCR.json Solutions/OneTrust/Data Connectors/OneTrustLogs_CCF/OneTrustLogs_connectorDefinition.json\nSolutions/OneTrust/Data Connectors/OneTrustLogs_CCF/OneTrustLogs_dataConnector.json Solutions/OneTrust/Data Connectors/OneTrustLogs_CCF/OneTrustLogs_table.json Solutions/Azure Web Application Firewall (WAF)/Analytic Rules/.yaml Solutions/MongoDBAtlas/Data Connectors/MongoDBAtlasLogs/GetMDBALogs/init.py Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdStrikeAPI_ccp/.json Solutions/CyberArkAudit/Data Connectors/CyberArkAuditConnector/audit.py (packaging artefacts: mainTemplate.json, createUiDefinition.json, SolutionMetadata.json, etc.)\n","permalink":"http://sentinelchangelog.net/posts/2025-10-31-pr-13007/","summary":"New CCF-based connector for OneTrust enables monitoring of privacy compliance, data governance, and risk management activities in Sentinel workspaces.","title":"OneTrust Data Security Platform Connector: New Privacy and Risk Management Visibility"},{"content":"What 
Changed Updated the Python requests library dependency from versions 2.31.0 and 2.32.2 to 2.32.4 across three data connector solutions: Auth0, Alibaba Cloud, and CrowdStrike Falcon Threat Intelligence. This affects Function App-based connectors that handle API communications for log ingestion.\nSecurity Impact (Visibility \u0026amp; Fidelity) The requests library is critical for HTTP communications in these Function App connectors. Older versions may contain security vulnerabilities that could affect data ingestion reliability or expose authentication tokens during API calls.\nDeployments running connector versions with requests 2.31.0 or 2.32.2 should update immediately. The update addresses potential security issues in HTTP request handling that could impact the secure ingestion of Auth0 audit logs, Alibaba Cloud events, and CrowdStrike threat intelligence data.\nCVE relevance unverified — review release notes for requests 2.32.4 to confirm security fixes addressed.\nAffected Files Solutions/Alibaba Cloud/DataConnectors/AliCloudConn.zip Solutions/Alibaba Cloud/DataConnectors/requirements.txt Solutions/Auth0/Data Connectors/Auth0Connector.zip Solutions/Auth0/Data Connectors/requirements.txt Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdStrikeFalconAdversaryIntelligence/CrowdStrikeFalconThreatIntelConnector.zip Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdStrikeFalconAdversaryIntelligence/requirements.txt\n","permalink":"http://sentinelchangelog.net/posts/2025-10-30-pr-13021/","summary":"Updated requests library to 2.32.4 in Auth0, Alibaba Cloud, and CrowdStrike connectors to address potential security vulnerabilities.","title":"Critical Security Fix: Requests Library Updated to 2.32.4 Across Multiple Connectors"},{"content":"What Changed Corrected typo in the Microsoft Entra ID Assets data connector title from \u0026ldquo;Microsoft Enta ID Assets\u0026rdquo; to \u0026ldquo;Microsoft Entra ID Assets\u0026rdquo; and 
updated description to reference \u0026ldquo;Microsoft Sentinel Lake\u0026rdquo; instead of just \u0026ldquo;Sentinel Lake\u0026rdquo;.\nSecurity Impact (Visibility \u0026amp; Fidelity) This is a cosmetic fix with no impact on data ingestion or detection capabilities. The connector functionality remains unchanged - it continues to provide asset information that enriches Entra ID activity data and supports data risk graphs in Microsoft Purview.\nAffected Files Solutions/Microsoft Entra ID Assets/Data Connectors/EntraIDAssets_DataConnectorDefinition.json (packaging artefacts: mainTemplate.json, Solution_MicrosoftEntraAssets.json, ReleaseNotes.md, 3.0.1.zip)\n","permalink":"http://sentinelchangelog.net/posts/2025-10-29-pr-12955/","summary":"Fixed typo in Microsoft Entra ID Assets connector title and updated description to use correct Microsoft Sentinel branding.","title":"Microsoft Entra ID Assets: Fixing Product Name Typo in Data Connector"},{"content":"Detection Logic Enhanced CyberArk audit analytics rules with improved KQL logic leveraging custom data field parsing:\nHigh Risk Actions: Modified to parse customData JSON for enriched context including authentication method, client IP, geo-location, and device OS details during off-hours privileged operations Mass Actions: Enhanced to track bulk operations with custom data target extraction for improved correlation Multi Failed and Success: Improved pattern detection with custom data enrichment for failed/successful authentication sequences Sensitive Changes: Completely rewritten to detect control-plane modifications (safes, permissions, roles, entitlements) using customData fields Security Impact (Visibility \u0026amp; Fidelity) Significantly improved detection fidelity by extracting structured data from customData JSON fields rather than relying solely on message parsing. 
This reduces false positives and provides SOC analysts with enriched context for privileged access investigations.\nMITRE Mapping T1078 (Valid Accounts): Enhanced user activity correlation Privilege Escalation tactics: Improved permission change detection Affected Files Solutions/CyberArkAudit/Analytics Rules/CyberArkAuditHighRiskActions.yaml Solutions/CyberArkAudit/Analytics Rules/CyberArkAuditMassActions.yaml Solutions/CyberArkAudit/Analytics Rules/CyberArkAuditMultiFailedAndSuccess.yaml Solutions/CyberArkAudit/Analytics Rules/CyberArkAuditSensitiveChanges.yaml (packaging artefacts: mainTemplate.json, createUiDefinition.json) ","permalink":"http://sentinelchangelog.net/posts/2025-10-29-pr-12958/","summary":"CyberArk Audit solution updated with improved analytics rules leveraging custom data fields for better privileged access monitoring.","title":"CyberArk Audit: Enhanced Detection Rules with Custom Data Field Analysis"},{"content":"What Changed Fixed incorrect template configuration in CiscoDuoSecurity solution package that prevented successful Azure deployments. The templates contained mismatched content (referenced as containing Tomcat-specific configurations) that blocked proper solution installation.\nSecurity Impact (Visibility \u0026amp; Fidelity) Deployments attempting to install CiscoDuoSecurity v3.0.4 and earlier experienced complete deployment failure due to template configuration errors. 
This resulted in zero Cisco Duo security event ingestion for affected deployments — a complete visibility gap for multi-factor authentication monitoring and access security.\nAffected Files Solutions/CiscoDuoSecurity/SolutionMetadata.json (packaging artefacts: Package/3.0.4.zip)\n","permalink":"http://sentinelchangelog.net/posts/2025-10-29-pr-12987/","summary":"Corrected template files that contained incorrect configurations, restoring Azure deployment functionality for CiscoDuoSecurity solution.","title":"CiscoDuoSecurity Solution: Fixed Broken Azure Deployment Templates"},{"content":"Data Source Morphisec provides Moving Target Defense technology for advanced threat prevention, delivering endpoint protection against zero-day attacks, advanced persistent threats, and in-memory exploits. The solution ingests security alerts, threat detections, and endpoint protection events.\nIngestion Mechanism CCF-based connector that polls Morphisec API endpoints for security alerts and threat detection events. The connector transforms Morphisec security data into structured logs for analysis and correlation within Microsoft Sentinel.\nDetection Surface Unlocked Enables detection of advanced threats including zero-day exploits, process-level anomalies, and in-memory attacks that traditional signature-based solutions miss. 
Includes analytic rules for critical severity detections, device alert surges, and process-level anomalies to identify sophisticated attack campaigns.\nAffected Files Solutions/Morphisec/Data Connectors/Morphisec_CCF/Morphisec_ConnectorDefinition.json Solutions/Morphisec/Data Connectors/Morphisec_CCF/Morphisec_DCR.json Solutions/Morphisec/Analytic Rules/MorphisecCriticalSeverityDetection.yaml Solutions/Morphisec/Analytic Rules/MorphisecDeviceAlertSurge.yaml Solutions/Morphisec/Workbooks/MorphisecOverview.json (packaging artefacts: mainTemplate.json, Solution_Morphisec.json, plus 200+ mixed repository updates) ","permalink":"http://sentinelchangelog.net/posts/2025-10-28-pr-12808/","summary":"New Morphisec CCF connector provides endpoint protection monitoring with advanced threat detection capabilities and process-level anomaly detection.","title":"Morphisec Solution: New CCF Connector for Advanced Threat Prevention and Endpoint Security"},{"content":"What Changed Added Azure Government Cloud support to the Tenable App data connector, including a dedicated deployment button in the UI and updated authentication mechanisms across all Function App components. Modified Python code to use ClientSecretCredential instead of DefaultAzureCredential for explicit credential management.\nSecurity Impact (Visibility \u0026amp; Fidelity) This update extends Tenable vulnerability data ingestion to Azure Government Cloud environments, addressing compliance requirements for government and regulated organizations. The authentication changes from DefaultAzureCredential to ClientSecretCredential provide more explicit control over service principal credentials in Government Cloud deployments.\nGovernment Cloud organizations previously could not deploy the Tenable connector due to missing deployment templates and authentication compatibility issues. 
This fix enables vulnerability management visibility for assets, compliance, and web application security scanning results in Azure Government environments.\nAffected Files Solutions/Tenable App/Data Connectors/TenableVM/TenableAssetDownloadAndProcessChunks/init.py Solutions/Tenable App/Data Connectors/TenableVM/TenableComplianceDownloadAndProcessChunks/init.py\nSolutions/Tenable App/Data Connectors/TenableVM/TenableVulnDownloadAndProcessChunks/init.py Solutions/Tenable App/Data Connectors/TenableVM/TenableWASAssetDownloadAndProcessChunks/init.py Solutions/Tenable App/Data Connectors/TenableVM/TenableWASVulnDownloadAndProcessChunks/init.py Solutions/Tenable App/Data Connectors/TenableVM/TenableVM.json (packaging artefacts: TenableVMAzureSentinelConnector310Updated.zip, mainTemplate.json, Solution_TenableApp.json, ReleaseNotes.md, 3.1.1.zip)\n","permalink":"http://sentinelchangelog.net/posts/2025-10-28-pr-12823/","summary":"Tenable App connector now supports Azure Government Cloud deployments with updated authentication and deployment options.","title":"Tenable App Connector: Adding Azure Government Cloud Support"},{"content":"What Changed Updated Feedly connector download URLs from broken aka.ms short links to direct GitHub raw file URLs. This affects both the WEBSITE_RUN_FROM_PACKAGE configuration and deployment documentation.\nSecurity Impact (Visibility \u0026amp; Fidelity) Deployments attempting to install the Feedly connector experienced complete deployment failures due to broken download links. The aka.ms/sentinel-Feedly-functionapp redirect was pointing to an outdated GitHub address, preventing Function App package retrieval.\nPer PR discussion: Users were unable to deploy the Feedly connector for threat intelligence ingestion. 
This created a blind spot for organizations relying on Feedly indicators for threat detection until the URLs were corrected.\nAffected Files Solutions/Feedly/Data Connectors/azuredeploy_Connector_Feedly_AzureFunction.json Solutions/Feedly/Data Connectors/Feedly_API_AzureFunctionApp.json (packaging artefacts: mainTemplate.json, 3.0.6.zip)\n","permalink":"http://sentinelchangelog.net/posts/2025-10-28-pr-12985/","summary":"Fixed broken aka.ms short links that prevented Feedly Function App deployment by updating to direct GitHub URLs.","title":"Feedly Connector: Fixing Broken Download Links for Function App Deployment"},{"content":"What Changed Updated the GitHub data connector ARM template to support GitHub Enterprise Cloud (GHEC) with data residency requirements. Added a configurable GitHubAPIEndPoint parameter allowing customers to specify custom API endpoints for their GHEC deployments.\nSecurity Impact (Visibility \u0026amp; Fidelity) The addition of GHEC data residency support extends GitHub log ingestion to organizations with geographic data residency requirements. The Azure storage connection fix resolves a configuration issue that could prevent proper blob storage initialization during connector deployment.\nOrganizations using GHEC with data residency previously could not ingest GitHub audit logs and repository activity data due to hardcoded api.github.com endpoints. 
This update enables log collection from custom GitHub Enterprise domains (e.g., api.octocorp.ghe.com).\nAffected Files DataConnectors/GitHub/azuredeploy.json\n","permalink":"http://sentinelchangelog.net/posts/2025-10-27-pr-13014/","summary":"GitHub connector now supports GHEC with data residency and fixes Azure storage initialization issues.","title":"GitHub Connector: Adding Enterprise Cloud Data Residency Support"},{"content":"What Changed Enhanced error logging in CyberArk Audit connector to include HTTP status codes and request URLs when API calls fail.\nSecurity Impact (Visibility \u0026amp; Fidelity) Prevents silent connector failures that could lead to audit log ingestion gaps. Better error visibility enables faster diagnosis of authentication issues or API configuration problems that impact privileged access monitoring.\nAffected Files Solutions/CyberArkAudit/Data Connectors/CyberArkAuditConnector/audit.py (packaging artefacts: CyberArkAuditConnector.zip) ","permalink":"http://sentinelchangelog.net/posts/2025-10-27-pr-12984/","summary":"Improved error logging in CyberArk Audit data connector to prevent silent failures and assist troubleshooting.","title":"CyberArk Audit Connector: Enhanced Error Logging for API Troubleshooting"},{"content":"What Changed Added PowerShell version check in AWS S3 configuration script requiring PowerShell 7 or higher, with clear error messaging directing users to upgrade.\nSecurity Impact (Visibility \u0026amp; Fidelity) Prevents connector deployment failures that result in no data ingestion. 
Customers using outdated PowerShell 5 would experience silent deployment failures leading to complete monitoring blind spots for S3 access logs.\nAffected Files DataConnectors/AWS-S3/ConfigAwsConnector.ps1 DataConnectors/AWS-S3/README.md ","permalink":"http://sentinelchangelog.net/posts/2025-10-22-pr-12924/","summary":"AWS S3 connector script now enforces PowerShell 7+ requirement to prevent customer deployment failures.","title":"AWS S3 Connector: PowerShell Version Enforcement Prevents Configuration Failures"},{"content":"What Changed Fixed overly long offer ID in GDPR Compliance \u0026amp; Data Security solution metadata and enhanced the workbook with feedback collection prompt. Added proper workbook metadata entries to enable discoverability in Content Hub.\nAffected Files Solutions/GDPR Compliance \u0026amp; Data Security/SolutionMetadata.json Solutions/GDPR Compliance \u0026amp; Data Security/Workbooks/GDPRComplianceAndDataSecurity.json Workbooks/WorkbooksMetadata.json\n","permalink":"http://sentinelchangelog.net/posts/2025-10-22-pr-12989/","summary":"Updated GDPR Compliance solution with corrected offer ID to resolve deployment issues and added feedback collection capability.","title":"GDPR Compliance Solution: Fixed Offer ID and Enhanced Workbook Metadata"},{"content":"What Changed Fixed Data Collection Rule transform mapping for UserEmail column in Salesforce Service Cloud connector to prevent blank values from appearing in ingested data.\nSecurity Impact (Visibility \u0026amp; Fidelity) The incorrect field mapping caused UserEmail queries to return null for all rows — this was a data fidelity gap affecting user attribution in security analytics.\nAffected Files Solutions/Salesforce Service Cloud/Data Connectors/SalesforceSentinelConnector_CCP/SalesforceServiceCloud_DCR.json (packaging artefacts: mainTemplate.json, createUiDefinition.json, 
Solution_TSalesforceCloudtemplateSpec.json)\n","permalink":"http://sentinelchangelog.net/posts/2025-10-17-pr-12896/","summary":"Corrected DCR transform mapping to prevent blank UserEmail fields in Salesforce Service Cloud data ingestion.","title":"Salesforce Service Cloud: Fixed UserEmail Column Mapping in DCR Transform"},{"content":"What Changed MongoDB Atlas solution version 3.0.5 adds multi-cluster connectivity, allowing multiple MongoDB clusters to upload logs to a single Log Analytics table. Performance improvements were also implemented alongside extensive hunting query additions.\nMulti-Cluster Enhancement The connector now supports ingesting logs from multiple MongoDB Atlas clusters into a unified Log Analytics destination, addressing enterprise deployments with distributed database infrastructure.\nAdditional Content The PR includes a significant expansion of Microsoft 365 Defender Email and Collaboration hunting queries (590+ files), indicating this was a bundled release combining MongoDB improvements with M365 hunting content updates.\nSecurity Impact (Visibility \u0026amp; Fidelity) Organizations with multiple MongoDB Atlas clusters can now achieve unified security monitoring without deploying separate connectors per cluster. 
This consolidation improves operational efficiency and reduces blind spots in distributed database environments.\nAffected Files Solutions/MongoDB Atlas/Function App and ARM template files MongoDB Atlas connector configuration updates 590+ Microsoft 365 Defender Email hunting queries Custom table test definitions for various security platforms\n","permalink":"http://sentinelchangelog.net/posts/2025-10-16-pr-12961/","summary":"MongoDB Atlas solution updated to support multiple cluster ingestion with performance improvements and extensive hunting query additions.","title":"MongoDB Atlas Connector: Multi-Cluster Support and Performance Improvements"},{"content":"What Changed Microsoft released a new HIPAA Compliance solution featuring a comprehensive workbook for healthcare privacy monitoring and compliance tracking, strengthening Microsoft Sentinel support for HIPAA asset monitoring.\nCompliance Coverage The HIPAA Compliance solution provides healthcare organizations with consolidated visibility into privacy-related security events and compliance posture. The workbook correlates data from multiple Microsoft security platforms to track healthcare data access, usage patterns, and potential privacy violations.\nHealthcare Security Focus Designed specifically for healthcare environments, the solution addresses unique HIPAA requirements including:\nPatient data access monitoring Healthcare workforce activity tracking Administrative safeguards compliance Technical safeguards validation Additional Content This release includes the recurring Microsoft 365 Defender Email and Collaboration hunting queries (700+ files), indicating this was part of a consolidated security content update.\nSecurity Impact (Visibility \u0026amp; Fidelity) Healthcare organizations can now achieve unified HIPAA compliance monitoring across their Microsoft security stack. 
This addresses the operational challenge of demonstrating privacy controls and detecting potential HIPAA violations in a healthcare environment.\nAffected Files Solutions/HIPAA Compliance/Workbooks/HIPAACompliance.json Workbooks/WorkbooksMetadata.json 700+ Microsoft 365 Defender Email hunting queries Custom table test definitions for validation\n","permalink":"http://sentinelchangelog.net/posts/2025-10-15-pr-12934/","summary":"New HIPAA Compliance solution adds comprehensive workbook for healthcare privacy monitoring and compliance tracking with bundled Microsoft 365 hunting queries.","title":"HIPAA Compliance Solution: New Healthcare Privacy Monitoring Dashboard"},{"content":"What Changed Comprehensive update affecting 15+ solutions with Microsoft 365 filtering enhancements, GDPR workbook improvements, new BigID Data Security Posture Management solution, and extensive Netskope v2 expansion.\nMajor Solution Additions BigID DSPM: New solution with CCF connector for data security posture monitoring Netskope v2 Expansion: Added comprehensive parser set (12 new parsers) covering alerts, cloud exchange events, and web transactions Netskope Workbooks: New CCP and CE dashboard workbooks for enhanced visibility Key Enhancements GDPR Workbook: Microsoft 365 filters and UI improvements for better compliance monitoring Feedly Connector: Migration from legacy Log Analytics API to DCR-based ingestion with Azure authentication SailPoint IdentityNow: Updated API endpoint from v3 to v2025 Solution Updates Multiple solutions received packaging updates and version increments:\nPalo Alto Cortex XDR CCP: Polling configuration improvements Snowflake: Parser enhancements and packaging updates VMRay: Function App template improvements Contrast ADR: Template corrections Security Impact (Visibility \u0026amp; Fidelity) The Feedly connector migration from legacy API to DCR improves ingestion reliability and authentication security. 
Netskope v2 parser expansion provides comprehensive visibility across cloud security events. GDPR workbook enhancements enable better privacy risk monitoring across Microsoft 365 environments.\nAffected Files Solutions/GDPR Compliance \u0026amp; Data Security/Workbooks/GDPRComplianceAndDataSecurity.json Solutions/BigID/ (complete new solution) Solutions/Netskopev2/Parsers/ (12 new parser files) Solutions/Feedly/Data Connectors/FeedlySentinelConnector/ (DCR migration) 15+ solution packaging and template updates\n","permalink":"http://sentinelchangelog.net/posts/2025-10-15-pr-12950/","summary":"Major update spanning 15+ solutions adds Microsoft 365 filters, GDPR workbook improvements, new BigID DSPM solution, and Netskope v2 with comprehensive parsers.","title":"Multi-Solution Update: Microsoft 365 Filters, GDPR Workbook Enhancements, and New BigID Solution"},{"content":"What Changed Cisco Duo Security solution version 3.0.4 corrects ARM template files (createUiDefinition.json and mainTemplate.json) that incorrectly contained Tomcat-specific configurations instead of Cisco Duo-specific content.\nTemplate Configuration Fix The solution templates were referencing the wrong product configuration, preventing successful Azure deployments. This fix ensures the templates contain proper Cisco Duo Security-specific parameters and configurations.\nSecurity Impact (Visibility \u0026amp; Fidelity) Organizations attempting to deploy the Cisco Duo Security solution would have experienced deployment failures due to the template mismatch. 
This was a deployment-blocking issue that prevented new installations of the Cisco Duo connector and associated security content.\nAffected Files Solutions/CiscoDuoSecurity/Package/mainTemplate.json Solutions/CiscoDuoSecurity/Package/3.0.4.zip\n","permalink":"http://sentinelchangelog.net/posts/2025-10-15-pr-12949/","summary":"Cisco Duo Security solution v3.0.4 fixes ARM deployment templates that incorrectly contained Tomcat-specific configurations.","title":"Cisco Duo Security: ARM Template Correction Removes Incorrect Tomcat References"},{"content":"What Changed SailPoint IdentityNow data connector Function App upgraded from Python 3.9 to Python 3.11 with corresponding Azure Functions Extension Bundle update and API endpoint modifications.\nSecurity Impact (Visibility \u0026amp; Fidelity) Runtime Security Enhancement: Python 3.11 upgrade addresses end-of-support lifecycle for Python 3.9, ensuring continued security updates and compatibility with Azure Functions platform. Maintains connector reliability for identity governance monitoring.\nAPI Endpoint Evolution: Updated API endpoints from \u0026lsquo;identitynow.com\u0026rsquo; to \u0026lsquo;identitynow-demo.com\u0026rsquo; and versioning changes (\u0026lsquo;v3/search/events\u0026rsquo; to \u0026lsquo;v2025/search/events\u0026rsquo;) reflect SailPoint\u0026rsquo;s transition to Identity Security Cloud platform, ensuring continued data collection capability.\nExtension Bundle Modernisation: Azure Functions Extension Bundle updated from version range [3.*, 4.0.0) to [4.0.0, 5.0.0) provides latest runtime features and security improvements.\nDependency Security: Cryptography library downgraded from 44.0.1 to 43.0.1 for compatibility with Python 3.11 runtime environment.\nAffected Files Solutions/SailPointIdentityNow/Data Connectors/SearchEvent/init.py Solutions/SailPointIdentityNow/Data Connectors/azuredeploy_SailPoint_IdentityNow_FunctionApp.json Solutions/SailPointIdentityNow/Data Connectors/host.json 
Solutions/SailPointIdentityNow/Data Connectors/requirements.txt Solutions/SailPointIdentityNow/Data Connectors/SearchEvent.zip (packaging artefacts: etc.)\n","permalink":"http://sentinelchangelog.net/posts/2025-10-15-pr-12944/","summary":"SailPoint IdentityNow connector upgraded to Python 3.11 runtime with updated API endpoints for Identity Security Cloud transition.","title":"SailPoint IdentityNow Function App: Python 3.11 Upgrade and API Endpoint Updates"},{"content":"What Changed Upgraded Python runtime version from 3.9 to 3.11 for Contrast ADR data connector Function App deployment.\nAffected Files Solutions/ContrastADR/Data Connectors/azuredeploy_ContrastADR_functionapp.json (packaging artefacts: mainTemplate.json, 3.0.0.zip) ","permalink":"http://sentinelchangelog.net/posts/2025-10-14-pr-12919/","summary":"Python runtime upgrade from 3.9 to 3.11 for Contrast ADR Function App connector ensures continued security support.","title":"Contrast ADR Connector: Python Runtime Upgraded to 3.11"},{"content":"What Changed Snowflake solution version 3.0.5 updates the parser to version 1.0.1, correcting EventStartTime field mapping and removing commented-out code that was causing data fidelity issues.\nData Fidelity Risk (Pre-Fix) The parser contained a commented-out EventStartTime mapping that prevented proper temporal field normalization. This resulted in missing EventStartTime values in the normalized Snowflake events, impacting time-based analysis and correlation capabilities.\nParser Corrections EventStartTime mapping restored: The parser now properly maps EventStartTime using column_ifexists at the final project stage Code cleanup: Removed the commented-out EventStartTime mapping that was causing confusion Field consolidation: Improved coalescing of database and table name fields for better normalization Security Impact (Visibility \u0026amp; Fidelity) Organizations using Snowflake data for security monitoring will now have proper temporal context for events. 
Previously, queries relying on EventStartTime for timeline analysis or temporal correlation would return null values, creating gaps in security investigations and compliance reporting.\nAffected Files Solutions/Snowflake/Parsers/Snowflake.yaml (packaging artefacts: mainTemplate.json, createUiDefinition.json, ReleaseNotes.md)\n","permalink":"http://sentinelchangelog.net/posts/2025-10-14-pr-12951/","summary":"Snowflake solution v3.0.5 corrects EventStartTime field mapping issue that was causing missing temporal data in normalized events.","title":"Snowflake Parser: EventStartTime Field Mapping Fix and Version Update"},{"content":"What Changed Migration of Feedly threat intelligence connector from the legacy HTTP Data Collector API to the modern Logs Ingestion API with DCR-based ingestion. This is a required infrastructure migration due to the deprecation of the HTTP Data Collector.\nSecurity Impact (Visibility \u0026 Fidelity) Deployments running the prior version will face complete ingestion failure when Microsoft discontinues the HTTP Data Collector API. 
Without this migration, organisations would lose all visibility into Feedly threat intelligence feeds — a critical gap for IOC correlation against web sessions, DNS queries, and file hashes.\nThe new implementation introduces DCR-based transformation and authentication via Azure AD service principals, replacing workspace keys with more secure credential management.\nAffected Files Solutions/Feedly/Data Connectors/FeedlySentinelConnector/sentinel_api.py Solutions/Feedly/Data Connectors/FeedlySentinelConnector/config.py Solutions/Feedly/Data Connectors/FeedlySentinelConnector/worker.py Solutions/Feedly/Data Connectors/azuredeploy_Connector_Feedly_AzureFunction.json Solutions/Feedly/Data Connectors/Feedly_API_AzureFunctionApp.json (packaging artefacts: FeedlySentinelConnector.zip, requirements.txt, mainTemplate.json) ","permalink":"http://sentinelchangelog.net/posts/2025-10-14-pr-12913/","summary":"Migration from deprecated HTTP Data Collector API to Log Ingestion API prevents Feedly threat intelligence blind spot.","title":"Feedly Connector: Critical Migration from Deprecated API Prevents Complete Data Loss"},{"content":"What Changed New BigID Data Security Posture Management (DSPM) solution version 3.0.0 introduces a CCF-based connector for comprehensive data security monitoring and compliance tracking.\nData Sources Enabled The connector ingests three types of data security intelligence:\nDSPM Cases: Actionable insights and security cases from BigID DSPM platform Affected Objects: Detailed information about data assets impacted by security issues Data Source Details: Comprehensive metadata about monitored data repositories and connections Ingestion Mechanism Uses CCF with nested API calls to enrich case data:\nPrimary API fetches all DSPM cases from /api/v1/actionable-insights/all-cases Secondary calls to /api/v1/data-catalog/ for affected object details Tertiary calls to /api/v1/ds_connections/ for data source metadata Security Impact (Visibility \u0026 
Fidelity) Organizations with BigID DSPM deployments gain unified visibility into data security posture within Microsoft Sentinel. This addresses the operational gap where data security insights were siloed in BigID platform, preventing correlation with broader security events and centralized SIEM analysis.\nDCR Transform Logic The DCR applies metadata enrichment ensuring proper temporal indexing and vendor classification for security analytics.\nAffected Files Solutions/BigID/Data Connectors/BigIDDSPMLogs_ccp/BigIDDSPMLogs_DCR.json Solutions/BigID/Data Connectors/BigIDDSPMLogs_ccp/BigIDDSPMLogs_connectorDefinition.json Solutions/BigID/Data Connectors/BigIDDSPMLogs_ccp/BigIDDSPMLogs_PollerConfig.json (packaging artefacts: mainTemplate.json, createUiDefinition.json, SolutionMetadata.json)\n","permalink":"http://sentinelchangelog.net/posts/2025-10-14-pr-12929/","summary":"New BigID DSPM solution provides CCF connector for ingesting data security posture cases, affected objects, and datasource information into Microsoft Sentinel.","title":"BigID DSPM Solution: New CCF Connector for Data Security Posture Management"},{"content":"What Changed Palo Alto Prisma Cloud CSPM solution version 3.0.3 has graduated from preview to general availability status. The solution now exclusively uses the Codeless Connector Framework (CCF) for data ingestion.\nConnector Streamlining Removed the deprecated Azure Functions-based data connector, standardizing on CCF for all deployments. The connector title was updated from “Palo Alto Prisma Cloud CSPM (via Codeless Connector Framework) (Preview)” to remove the preview designation.\nSecurity Impact (Visibility \u0026 Fidelity) Organizations using the preview version should update to benefit from the production-ready connector. 
The CCF-based approach provides more reliable ingestion of Prisma Cloud CSPM alerts and audit logs compared to the legacy Function App implementation.\nAffected Files Solutions/PaloAltoPrismaCloud/Data Connectors/PrismaCloudCSPMLog_CCF/PaloAltoPrismaCloudCSPMLog_ConnectorDefinition.json Solutions/PaloAltoPrismaCloud/Data/Solution_PaloAltoPrismaCloud.json (packaging artefacts: mainTemplate.json, createUiDefinition.json, ReleaseNotes.md)\n","permalink":"http://sentinelchangelog.net/posts/2025-10-13-pr-12945/","summary":"Palo Alto Prisma Cloud CSPM solution v3.0.3 moves to GA, removing preview tag and deprecated Function App connector in favor of CCF-only deployment.","title":"Palo Alto Prisma Cloud CSPM: Solution Graduates from Preview to General Availability"},{"content":"What Changed Updated VMRay threat intelligence connector documentation and deployment templates to use standardised short links (aka.ms URLs) instead of raw GitHub URLs for deployment templates and Function App packages.\nAffected Files Solutions/VMRay/Data Connectors/VMRayThreatIntelligence_FunctionApp.json Solutions/VMRay/Data Connectors/azuredeploy_VMRayThreatIntelligenceFuncApp_AzureFunction_flex.json Solutions/VMRay/Data Connectors/azuredeploy_VMRayThreatIntelligenceFuncApp_AzureFunction_premium.json Solutions/VMRay/README.md (packaging artefacts: mainTemplate.json, ReleaseNotes.md)\n","permalink":"http://sentinelchangelog.net/posts/2025-10-13-pr-12891/","summary":"VMRay solution updated deployment URLs and documentation to use short links for better maintainability.","title":"VMRay: Updated Deployment URLs and Documentation for Threat Intelligence Connector"},{"content":"What Changed The Sentinel solution packaging toolchain has been updated to support JWT token authentication in the Codeless Connector Framework (CCF). 
This affects the core tooling used to package and deploy CCF-based connectors.\nAffected Files Tools/Create-Azure-Sentinel-Solution/V3/common/createCCPConnector.ps1 Tools/Create-Azure-Sentinel-Solution/V3/CCF_README.md Tools/Create-Azure-Sentinel-Solution/V3/README.md (packaging artefacts and solution updates across multiple vendors including BloodHound Enterprise, Google Threat Intelligence, MongoDB Atlas, SecurityBridge App, and others)\n","permalink":"http://sentinelchangelog.net/posts/2025-10-09-pr-12906/","summary":"CCF packaging tooling now supports JWT token authentication alongside existing methods for connector development.","title":"Sentinel CCF Packaging Tool: Adding JWT Token Authentication Support"},{"content":"Analytic Rules — Amazon Web Services (2 added) What Changed Two new Analytic Rules added to the AWS CloudTrail solution. The PR description mentions one rule, but the diff contains two — AWS_EC2StartupShellScriptChanged and AWS_S3ObjectExfiltrationByAnonymousUser.\nDetection Logic EC2 Startup Shell Script Changed (Severity: Medium)\nPrimary data source: AWSCloudTrail\nCore logic: Filters for ModifyInstanceAttribute or CreateLaunchTemplate events where userData is present in RequestParameters. The EC2 user data field is the startup shell script executed as root/SYSTEM on every instance boot — modifying it is a well-documented persistence technique (referenced in the Pacu framework). Rule fires on both live instance attribute changes and new launch template creation.\nEntity types: Account (Name, UPNSuffix), IP (SourceIpAddress)\nS3 Object Exfiltration from Anonymous User (Severity: Medium)\nPrimary data source: AWSCloudTrail\nCore logic: Matches GetObject events where UserIdentityAccountId is ANONYMOUS_PRINCIPAL or UserIdentityPrincipalid is \"Anonymous\". Fires on any unauthenticated read of an S3 object — a direct signal that a bucket is misconfigured as publicly readable and is actively being accessed. 
Extracts BucketName and ObjectKey for triage.\nEntity types: Account (Name, UPNSuffix), IP (SourceIpAddress)\nMITRE Mapping T1059 — Command and Scripting Interpreter (EC2 startup script modification) T1530 — Data from Cloud Storage (anonymous S3 object access) Analytic Rules — VMware ESXi (1 added) What Changed One new Analytic Rule added to the VMware ESXi solution detecting programmatic SSH service enablement via vim-cmd.\nDetection Logic VMware ESXi - SSH Enable on ESXi Host (Severity: High)\nPrimary data source: VMwareESXi table (syslog ingested via SyslogAma connector)\nCore logic: Searches VMwareESXi syslog messages for both vim-cmd and hostsvc/enable_ssh. Extracts the initiating username from the [info] [username] pattern and the target ESXi hostname from the [pid] [hostname on pattern. SSH is disabled by default on ESXi hosts; enabling it programmatically via vim-cmd is a consistent precursor in VMware-targeted ransomware campaigns (e.g., BlackMatter, ESXiArgs) and hands-on-keyboard intrusions that pivot to hypervisors.\nEntity types: Host (FullName), Account (Name)\nMITRE Mapping T1021 — Remote Services (SSH enablement for lateral movement to ESXi host) Affected Files Solutions/Amazon Web Services/Analytic Rules/AWS_EC2StartupShellScriptChanged.yaml Solutions/Amazon Web Services/Analytic Rules/AWS_S3ObjectExfiltrationByAnonymousUser.yaml Solutions/VMWareESXi/Analytic Rules/ESXiSSHEnableOnHost.yaml (packaging artefacts: mainTemplate.json, createUiDefinition.json, Solution_AmazonWebServices.json, Solution_VMWareESXi.json, 3.0.7.zip, 3.0.4.zip) View on GitHub\n","permalink":"http://sentinelchangelog.net/posts/2025-10-09-pr-12696/","summary":"Three new Analytic Rules added across AWS CloudTrail and VMware ESXi — detecting EC2 startup script tampering (T1059), anonymous S3 object exfiltration (T1530), and SSH enablement on ESXi hosts (T1021).","title":"AWS and VMware ESXi: Three New Analytic Rules for Execution, Exfiltration, and Lateral 
Movement"},{"content":"What Changed Microsoft released a new GDPR Compliance \u0026 Data Security solution containing a comprehensive workbook for privacy risk monitoring and compliance tracking.\nWorkbook Coverage The workbook consolidates GDPR-relevant data from multiple security and compliance sources:\nSecurity telemetry: SecurityAlert, SecurityIncident from Defender XDR Data sensitivity: PurviewDataSensitivityLogs, MicrosoftPurviewInformationProtection logs Database activity: AzureDiagnostics from Azure SQL databases User behavior: BehaviorAnalytics (UEBA), OfficeActivity from Microsoft 365 Identity risk: SigninLogs, AuditLogs, AADUserRiskEvents from Entra ID Security Impact (Visibility \u0026 Fidelity) This workbook addresses the operational challenge of correlating privacy risk indicators across disparate Microsoft security platforms. SOC teams can now visualize data subject rights activity, data exposure incidents, and identity-based privacy risks in a unified dashboard rather than pivoting between multiple consoles.\nAffected Files Solutions/GDPR Compliance \u0026 Data Security/Workbooks/GDPRComplianceAndDataSecurity.json Workbooks/WorkbooksMetadata.json (packaging artefacts: mainTemplate.json, createUiDefinition.json, SolutionMetadata.json)\n","permalink":"http://sentinelchangelog.net/posts/2025-10-09-pr-12933/","summary":"New GDPR Compliance solution adds workbook consolidating privacy risk signals from Defender XDR, Microsoft Purview, Azure SQL, and Entra ID.","title":"GDPR Compliance Dashboard: New Workbook for Privacy Risk Monitoring"},{"content":"Data Source New Cloudflare data connector ingesting logs from Cloudflare services via Azure Blob Storage integration. Supports multiple Cloudflare log types including network session logs, gateway activity, Zero Trust tunnel sessions, Worker execution logs, and Magic Transit packet capture.\nIngestion Mechanism CCF-based solution using blob container polling with Event Grid notifications. 
Uses Data Collection Rule with extensive schema supporting 1000+ fields across Cloudflare’s various security and performance data streams.\nDetection Surface Unlocked Enables visibility into web application traffic patterns, DDoS mitigation events, Zero Trust access patterns, and serverless execution anomalies. Critical for organizations using Cloudflare as their primary web security platform to correlate external threats with internal SOC data.\nAffected Files Solutions/Cloudflare CCF/Data Connectors/CloudflareLog_CCF/CloudflareLog_ConnectorDefinition.json Solutions/Cloudflare CCF/Data Connectors/CloudflareLog_CCF/CloudflareLog_DCR.json Solutions/Cloudflare CCF/Data Connectors/CloudflareLog_CCF/CloudflareLog_PollerConfig.json Solutions/Cloudflare CCF/Data Connectors/CloudflareLog_CCF/CloudflareLog_Table.json (packaging artefacts: mainTemplate.json, createUiDefinition.json, SolutionMetadata.json) ","permalink":"http://sentinelchangelog.net/posts/2025-10-09-pr-12898/","summary":"New Cloudflare connector solution delivers comprehensive log ingestion through CCF blob integration for enhanced web traffic and security monitoring.","title":"New Cloudflare CCF Solution: Enterprise Log Visibility via Azure Blob Integration"},{"content":"Palo Alto Prisma Cloud - Dependency Update aiohttp library updated from 3.10.11 to 3.12.14 addressing potential security vulnerabilities. CVE relevance unverified — review aiohttp release notes to confirm security fixes.\nNew Connector Solutions Obsidian Datasharing New CCF-based connector for Obsidian Security providing activity and threat data streams. 
Enables dual-stream monitoring with ObsidianActivity_CL for user actions and ObsidianThreat_CL for security events.\nSAP S4 Cloud Public Edition New connector solution for SAP S/4HANA Cloud Public Edition providing audit and configuration change visibility for enterprise SAP environments.\nAffected Files Solutions/PaloAltoPrismaCloud/Data Connectors/requirements.txt Solutions/Obsidian Datasharing/Data Connectors/ObsidianDatasharing_CCP/ObsidianDatasharing_ConnectorDefinition.json Solutions/Obsidian Datasharing/Data Connectors/ObsidianDatasharing_CCP/ObsidianDatasharing_DCR.json Solutions/SAP S4 Cloud Public Edition/Data Connectors/SAPS4PublicPollerConnector/SAPS4Public_connectorDefinition.json Solutions/SAP S4 Cloud Public Edition/Data Connectors/SAPS4PublicPollerConnector/SAPS4Public_DCR.json (packaging artefacts: multiple mainTemplate.json, createUiDefinition.json files) ","permalink":"http://sentinelchangelog.net/posts/2025-10-08-pr-12922/","summary":"Palo Alto Prisma Cloud dependency security update alongside new Obsidian Datasharing and SAP S4 Cloud Public Edition connector solutions.","title":"Multiple Solutions Added: Palo Alto aiohttp Update Plus New Obsidian and SAP S4 Connectors"},{"content":"What Changed Promotion of Palo Alto Cortex Xpanse CCF connector from Preview to General Availability status with version bump to 3.0.1.\nAffected Files Solutions/Palo Alto Cortex Xpanse CCF/Data Connectors/CortexXpanse_ccp/CortexXpanse_ConnectorDefinition.json (packaging artefacts: mainTemplate.json, createUiDefinition.json, ReleaseNotes.md) ","permalink":"http://sentinelchangelog.net/posts/2025-10-08-pr-12928/","summary":"Palo Alto Cortex Xpanse CCF connector promoted from Preview to General Availability with version 3.0.1.","title":"Palo Alto Cortex Xpanse CCF Connector: GA Promotion Removes Preview Status"},{"content":"What Changed Updated solutionId in mainTemplate.json from incorrect identifier to proper marketplace identifier for VirtualMetric DataStream 
solution.\nAffected Files Solutions/VirtualMetric DataStream/Package/mainTemplate.json (packaging artefacts: 3.0.0.zip) ","permalink":"http://sentinelchangelog.net/posts/2025-10-07-pr-12925/","summary":"Corrected solution identifier in VirtualMetric DataStream package to resolve Azure Marketplace deployment failures.","title":"VirtualMetric DataStream: Solution ID Correction for Marketplace Deployment"},{"content":"What Changed Fixed template entity formatting errors in the TeamCymruScoutEnrichIncident playbook that were causing the automation to fail during incident processing.\nAffected Files Solutions/Team Cymru Scout/Playbooks/TeamCymruScoutEnrichIncident/azuredeploy.json (packaging artefacts: mainTemplate.json, Solution_TeamCymruScout.json)\n","permalink":"http://sentinelchangelog.net/posts/2025-10-07-pr-12871/","summary":"Fixed template error in TeamCymruScoutEnrichIncident playbook that was causing runtime failures.","title":"Team Cymru Scout: Playbook Bug Fix for Incident Enrichment Template"},{"content":"Data Source SAP S/4HANA Cloud Public Edition provides security audit logs (SAL) containing user authentication events, transaction codes, authorization checks, and system access patterns from SAP cloud environments. The solution ingests audit data via OData services using basic authentication.\nIngestion Mechanism CCF-based connector with DCR transformation that polls SAP S/4HANA Cloud Public Edition OData API endpoints for security audit log events. The connector transforms raw SAP audit data into the ABAPAuditLog table format used by Microsoft Sentinel Solution for SAP.\nSecurity Impact (Visibility \u0026 Fidelity) Previously, SAP S/4HANA Cloud Public Edition customers had no native method to ingest security audit logs into Microsoft Sentinel, creating a significant blind spot for cloud SAP environments. 
This connector closes that gap by providing visibility into user activities, transaction codes (slgtc), authorization events, and suspicious access patterns in cloud SAP deployments.\nAffected Files Solutions/SAP S4 Cloud Public Edition/Data Connectors/SAPS4PublicPollerConnector/SAPS4Public_connectorDefinition.json Solutions/SAP S4 Cloud Public Edition/Data Connectors/SAPS4PublicPollerConnector/SAPS4Public_DCR.json Solutions/SAP S4 Cloud Public Edition/Data Connectors/SAPS4PublicPollerConnector/SAPS4Public_PollingConfig.json (packaging artefacts: mainTemplate.json, createUiDefinition.json, Solution_SAPS4Public.json) ","permalink":"http://sentinelchangelog.net/posts/2025-10-07-pr-12917/","summary":"New SAP S/4HANA Cloud Public Edition CCF connector enables ingestion of security audit logs into Microsoft Sentinel SAP solution.","title":"SAP S/4HANA Cloud Public Edition: New CCF Connector for Security Audit Logs"},{"content":"Data Source Obsidian Datasharing provides aggregated security data and threat intelligence feeds. This connector ingests activity events and threat indicators from the Obsidian platform covering various security domains.\nIngestion Mechanism CCF/DCR-based connector with custom table schemas for ObsidianActivity and ObsidianThreat data streams. Uses structured data ingestion with comprehensive field mappings for activity tracking and threat intelligence.\nDetection Surface Unlocked Provides visibility into security events, threat indicators, user activities, and security control effectiveness. 
The platform aggregates data from multiple security sources to provide unified visibility and threat correlation capabilities.\nTable Schemas ObsidianActivity: Activity events with ASIM-compatible fields for user actions, device information, and event metadata ObsidianThreat: Threat intelligence indicators with threat classification, confidence levels, and contextual information Affected Files Solutions/Obsidian Datasharing/Data Connectors/ObsidianDatasharing_CCP/ObsidianDatasharing_ConnectorDefinition.json Solutions/Obsidian Datasharing/Data Connectors/ObsidianDatasharing_CCP/ObsidianDatasharing_DCR.json Solutions/Obsidian Datasharing/Data Connectors/ObsidianDatasharing_CCP/ObsidianDatasharing_PollerConfig.json (packaging artefacts: mainTemplate.json, createUiDefinition.json, solution metadata)\n","permalink":"http://sentinelchangelog.net/posts/2025-10-07-pr-12865/","summary":"New connector solution for ingesting Obsidian platform security data into Microsoft Sentinel.","title":"Obsidian Datasharing: New Security Data Aggregation Solution"},{"content":"Google Kubernetes Engine (GKE) - GA Promotion Removed Preview status from Google Kubernetes Engine connector, promoting to General Availability with version 3.0.1.\nSAP ETD Cloud - Major Enhancement Significant expansion adding investigation data stream alongside existing alert ingestion. New DCR configuration supports SAPETDInvestigations_CL table with investigation metadata, severity tracking, and cross-referencing capabilities. 
Added new detection rule for investigation correlation.\nSecurity Impact (Visibility \u0026 Fidelity) The SAP ETD investigation stream fills a critical gap in enterprise SAP security monitoring — investigations provide contextual threat analysis beyond individual alerts, enabling SOC teams to track comprehensive threat scenarios and analyst workflows from SAP ETD directly in Microsoft Sentinel.\nAffected Files Solutions/Google Kubernetes Engine/Data Connectors/GoogleKubernetesEngineLogs_ccp/GoogleKubernetesEngineLogs_ConnectorDefinition.json Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-SynchInvestigations.yaml (new) Solutions/SAP ETD Cloud/Data Connectors/SAPETD_PUSH_CCP/SAPETD_DCR.json Solutions/SAP ETD Cloud/Data Connectors/SAPETD_PUSH_CCP/SAPETD_connectorDefinition.json Solutions/SAP ETD Cloud/Data Connectors/SAPETD_PUSH_CCP/SAPETD_PollerConfig.json .script/tests/KqlvalidationsTests/CustomTables/SAPETDInvestigations_CL.json (new) (packaging artefacts: multiple mainTemplate.json, createUiDefinition.json files) ","permalink":"http://sentinelchangelog.net/posts/2025-10-07-pr-12920/","summary":"Google Kubernetes Engine connector promoted to GA while SAP ETD Cloud gains investigation data ingestion and enhanced detection coverage.","title":"Multiple Solution Updates: GKE GA Promotion and SAP ETD Investigation Capability"},{"content":"What Changed The Threat Intelligence (NEW) solution received a new TAXII Export data connector in version 3.0.7. 
This connector enables Microsoft Sentinel to export threat intelligence indicators to external TAXII 2.1 servers, expanding threat intelligence sharing capabilities.\nData Source The TAXII Export connector allows organizations to:\nExport STIX-formatted threat intelligence objects from Microsoft Sentinel Share indicators with external threat intelligence platforms via TAXII 2.1 protocol Configure automated threat intelligence distribution to partner organizations Populate the new ThreatIntelExportOperation_CL table with export operation logs Ingestion Mechanism This is an outbound export connector rather than traditional data ingestion. It enables Microsoft Sentinel to push threat intelligence indicators to configured TAXII servers, supporting collaborative threat intelligence sharing workflows.\nAffected Files Solutions/Threat Intelligence (NEW)/Data Connectors/template_ThreatIntelligenceTaxiiExport.json (new connector definition) .script/tests/KqlvalidationsTests/CustomTables/ThreatIntelExportOperation.json (new table schema for export operations) (packaging artefacts updated: mainTemplate.json, createUiDefinition.json, 3.0.7.zip, Solution json) ","permalink":"http://sentinelchangelog.net/posts/2025-10-07-pr-12654/","summary":"New TAXII Export connector enables Microsoft Sentinel to share threat intelligence indicators with external TAXII 2.1 servers.","title":"Threat Intelligence: TAXII Export Connector Added for External Sharing"},{"content":"What Changed Promotion of AWS S3 Server Access Logs connector from Preview to General Availability status with version bump to 3.0.1.\nAffected Files Solutions/AWS_AccessLogs/Data Connectors/AwsS3ServerAccessLogsDefinition_CCP/AWSS3ServerAccessLogs_ConnectorDefinition.json (packaging artefacts: mainTemplate.json, createUiDefinition.json, ReleaseNotes.md) ","permalink":"http://sentinelchangelog.net/posts/2025-10-07-pr-12918/","summary":"AWS S3 Server Access Logs connector promoted from Preview to General Availability with 
version 3.0.1.","title":"AWS S3 Server Access Logs Connector: GA Promotion Removes Preview Status"},{"content":"What Changed Automated dependency update for aiohttp library in Cloudflare Data Connector from version 3.10.11 to 3.12.14.\nSecurity Impact (Visibility \u0026 Fidelity) CVE relevance unverified — review aiohttp release notes for 3.12.14 to confirm security fixes. Dependency updates typically address security vulnerabilities, performance issues, or compatibility improvements.\nAffected Files Solutions/Cloudflare/Data Connectors/requirements.txt ","permalink":"http://sentinelchangelog.net/posts/2025-10-06-pr-12907/","summary":"aiohttp library updated from 3.10.11 to 3.12.14 in Cloudflare connector addressing potential security vulnerabilities.","title":"Cloudflare Connector: Security Dependency Update for aiohttp Library"},{"content":"What Changed SAP ETD Cloud solution adds new Investigations data connector to ingest investigation data from ETD cloud edition alongside existing alerts data. The connector provides comprehensive investigation tracking, correlation, and threat hunting capabilities.\nData Source New connector ingests investigation data from SAP ETD’s /investigations/v1/Investigations API endpoint, including investigation status, severity, actions, users, systems, and alerts. This expands visibility beyond individual alerts to complete investigation workflows.\nIngestion Mechanism CCF-based connector using OAuth2 client credentials authentication. Data flows to SAPETDInvestigations_CL table via consolidated DCR supporting both alerts and investigations data streams.\nDetection Surface Unlocked Investigation completion tracking becomes visible, enabling SOC teams to monitor investigation lifecycles, identify investigation patterns, and correlate completed investigations with ongoing threats. 
High-severity completed investigations can now be automatically surfaced for review.\nAffected Files Solutions/SAP ETD Cloud/Data Connectors/SAPETD_INVESTIGATIONS_CCP/ (new investigations connector), Solutions/SAP ETD Cloud/Data Connectors/SAPETD_PUSH_CCP/SAPETD_DCR.json (consolidated DCR); (packaging artefacts updated: mainTemplate.json, createUiDefinition.json, etc.)\n","permalink":"http://sentinelchangelog.net/posts/2025-10-06-pr-12916/","summary":"SAP Enterprise Threat Detection solution expands with new Investigations connector, providing comprehensive investigation tracking and correlation capabilities.","title":"SAP ETD Cloud: Investigations Data Source Added for Enhanced Threat Tracking"},{"content":"What Changed Enhanced documentation and configuration steps for both Illumio Insight connectors with clearer deployment instructions and adjusted polling frequency for the Summary connector from 120 to 360 minutes.\nSecurity Impact (Visibility \u0026 Fidelity) No data fidelity impact — this is primarily a user experience enhancement. The polling frequency change for the Summary connector reduces API calls while maintaining appropriate coverage for daily and weekly summary reports. 
Improved documentation reduces deployment errors that could lead to connector misconfiguration.\nAffected Files Solutions/Illumio Insight/Data Connectors/IllumioInsightsSummaryConnector_CCP/IllumioInsightsSummary_ConnectorDefinition.json Solutions/Illumio Insight/Data Connectors/IllumioInsight_CCP/IllumioInsight_Definition.json Solutions/Illumio Insight/Data Connectors/IllumioInsightsSummaryConnector_CCP/IllumioInsightsSummary_PollingConfig.json Tools/Create-Azure-Sentinel-Solution/common/createCCPConnector.ps1 (packaging artefacts: mainTemplate.json, createUiDefinition.json, SolutionMetadata.json) ","permalink":"http://sentinelchangelog.net/posts/2025-10-06-pr-12886/","summary":"Documentation improvements and polling frequency adjustment enhance user experience for Illumio threat analysis deployment.","title":"Illumio Insight Connectors: Enhanced Documentation and Polling Configuration"},{"content":"What Changed Updated Samsung Knox Asset Intelligence DCR to remove 13 event types from the data schema and deleted the SamsungKnoxKeyguardDisabledFeatureSet.yaml analytic rule.\nData Fidelity Impact Organizations using Samsung Knox Asset Intelligence will lose visibility into 13 specific event categories that were previously collected. The deleted analytic rule (Keyguard Disabled Feature Set detection) will no longer function as its underlying data source has been removed from the DCR schema.\nRemoved Detection The SamsungKnoxKeyguardDisabledFeatureSet.yaml rule provided detection capability for Android device security bypass attempts through keyguard feature manipulation. 
This detection gap affects mobile device security monitoring.\nAffected Files Solutions/Samsung Knox Asset Intelligence/Data Connectors/azuredeploy_SamsungDataConnectorDefinition.json Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxKeyguardDisabledFeatureSet.yaml (packaging artefacts: mainTemplate.json, createUiDefinition.json, Solution metadata) (Note: Many additional files changed due to bulk maintenance updates across solutions)\n","permalink":"http://sentinelchangelog.net/posts/2025-10-03-pr-12760/","summary":"Knox connector DCR updated to remove 13 event types, with corresponding analytic rule deleted due to missing data source.","title":"Samsung Knox Asset Intelligence: DCR Schema Reduction and Rule Removal"},{"content":"Data Source VirtualMetric DataStream integrates telemetry from VirtualMetric infrastructure monitoring and security platforms into Microsoft Sentinel. The solution ingests data from VirtualMetric’s monitoring agents deployed across virtualised environments, providing visibility into system performance, security events, and operational metrics.\nIngestion Mechanism DCR-based ingestion with three distinct connector variants:\nVirtualMetric-Sentinel: Direct ingestion to standard Sentinel tables via Data Collection Rules VirtualMetric-SentinelDataLake: Custom table ingestion for Sentinel data lake with configurable table prefixes VirtualMetric-DirectorProxy: Function App-based proxy service for director-mediated data flows using Azure Premium hosting All connectors utilise Data Collection Endpoints (DCE) and Data Collection Rules (DCR) for structured data transformation and routing.\nDetection Surface Unlocked ASIM Schema Support: Native ingestion into ASimAuditEventLogs, ASimAuthenticationEventLogs, ASimDhcpEventLogs, ASimDnsActivityLogs, ASimFileEventLogs, ASimNetworkSessionLogs, ASimProcessEventLogs, ASimRegistryEventLogs, ASimUserManagementActivityLogs, and ASimWebSessionLogs enables immediate compatibility with 
normalised detection rules.\nStandard Log Integration: Parallel ingestion to CommonSecurityLog, SecurityEvent, Event, Syslog, and WindowsEvent tables provides comprehensive coverage for traditional SIEM analytics and existing detection content.\nInfrastructure Visibility: VirtualMetric-specific telemetry exposes virtualisation layer security events, hypervisor anomalies, and resource consumption patterns that are typically invisible to traditional endpoint monitoring.\nAffected Files Solutions/VirtualMetric DataStream/Data Connectors/VirtualMetric-Sentinel/DeployToAzure.json Solutions/VirtualMetric DataStream/Data Connectors/VirtualMetric-SentinelDataLake/DeployToAzure.json Solutions/VirtualMetric DataStream/Data Connectors/VirtualMetric-DirectorProxy/DeployToAzure.json Solutions/VirtualMetric DataStream/Data Connectors/VirtualMetric-DirectorProxy/DirectorProxyFunction.zip Sample Data/VirtualMetricDataStream_CEF.csv Logos/VirtualMetric.svg (packaging artefacts: mainTemplate.json, createUiDefinition.json, SolutionMetadata.json, etc.)\n","permalink":"http://sentinelchangelog.net/posts/2025-10-03-pr-12840/","summary":"New VirtualMetric DataStream solution provides comprehensive data ingestion capabilities with ASIM support and multiple deployment options for Sentinel and data lake environments.","title":"VirtualMetric DataStream Solution: New Multi-Path Data Ingestion Platform for Sentinel"},{"content":"What Changed Updated Cisco Duo Security solution metadata including support tier designation and offer identification for Content Hub compatibility.\nAdministrative Updates Per PR discussion: Updated “tier” field to “Partner” and set offerId to “azure-sentinel-solution-cisco-duo-security” in solution metadata to resolve validation requirements. 
No functional changes to detection logic or data ingestion.\nAffected Files (packaging artefacts: mainTemplate.json, Solution metadata, SolutionMetadata.json, ReleaseNotes.md)\n","permalink":"http://sentinelchangelog.net/posts/2025-10-03-pr-12868/","summary":"Solution package updated with revised support information and compatibility metadata.","title":"Cisco Duo Security: Support Information and Metadata Updates"},{"content":"What Changed Simplified anomaly detection logic in two Network Session Essentials analytic rules by unifying EPS (events per second) thresholds and removing redundant code blocks.\nDetection Logic Primary data source: _Im_NetworkSession (ASIM Network Session schema) Core logic: Changed from dual EPS thresholds (>1000 and 501-1000) to single unified threshold >500, maintaining anomaly detection while reducing complexity Entity types: Network protocols, destination ports, applications, and device actions\nSecurity Impact Lowers the threshold for network anomaly detection from 501-1000 EPS range to a single >500 EPS condition, potentially increasing detection sensitivity for moderate-volume network anomalies while simplifying rule maintenance.\nAffected Files Solutions/Network Session Essentials/Analytic Rules/AnomalyFoundInNetworkSessionTraffic.yaml Solutions/Network Session Essentials/Analytic Rules/DetectPortMisuseByAnomalyBasedDetection.yaml (packaging artefacts: mainTemplate.json, ReleaseNotes.md, solution package)\n","permalink":"http://sentinelchangelog.net/posts/2025-10-03-pr-12788/","summary":"Two network session analytic rules updated with unified EPS threshold and simplified query logic for improved maintainability.","title":"Network Session Anomaly Detection: Simplified EPS Threshold Logic"},{"content":"What Changed Fixed a critical bug in MongoDB Atlas data connector where category filter type ‘none’ was causing failures. 
Also improved deployment documentation by removing broken links and clarifying instructions.\nSecurity Impact (Visibility & Fidelity) The filtering bug could have caused the connector to fail during initialization when category filters were set to ‘none’ — this would result in zero data ingestion for affected deployments.\nAffected Files Solutions/MongoDBAtlas/Data Connectors/MongoDBAtlasLogs/GetMDBALogs/init.py Solutions/MongoDBAtlas/Data Connectors/MongoDBAtlasLogs/MongoDBAtlasLogs_AzureFunction.json Solutions/MongoDBAtlas/Data Connectors/MongoDBAtlasLogs/createUiDef.json (packaging artefacts: mainTemplate.json, Solution_MongoDBAtlas.json)\n","permalink":"http://sentinelchangelog.net/posts/2025-10-01-pr-12893/","summary":"Fixed filtering bug when category is ‘none’ and streamlined deployment documentation for MongoDB Atlas data connector.","title":"MongoDB Atlas: Fixed Category Filter Bug and Improved Deployment Instructions"},{"content":"What Changed Added filter query parameter support to the Google Threat Intelligence custom connector, enabling users to apply specific filters when retrieving threat lists and IoC streams.\nEnhanced Capabilities Threat List queries now support optional filter parameters for more targeted data retrieval IoC Stream functionality introduced with filter-based searching and pagination support Maintains backward compatibility with existing playbook implementations Security Impact Improves threat intelligence precision by allowing filtered queries instead of bulk data retrieval. 
Organizations can now target specific threat categories, reduce noise, and focus on relevant indicators for their environment.\nAffected Files Solutions/Google Threat Intelligence/Playbooks/CustomConnector/GTICustomConnector/azuredeploy.json Solutions/Google Threat Intelligence/Playbooks/CustomConnector/GTICustomConnector/readme.md (packaging artefacts: mainTemplate.json, Solution metadata, ReleaseNotes.md)\n","permalink":"http://sentinelchangelog.net/posts/2025-10-01-pr-12857/","summary":"Custom connector updated with filter query parameters for more targeted threat intelligence retrieval.","title":"Google Threat Intelligence: Enhanced Filtering for Threat List Queries"},{"content":"What Changed The Vectra XDR data connector received critical updates:\nPython runtime upgraded from 3.9 to 3.12 (addressing deprecation timeline) Authentication switched from DefaultAzureCredential to ManagedIdentityCredential for Key Vault access Updated function app package (VectraXDR321.zip) Security Impact (Visibility & Fidelity) This addresses a significant security concern identified in PR discussion. DefaultAzureCredential was deemed inappropriate for production environments due to potential security risks with user data. 
The switch to ManagedIdentityCredential provides:\nDeterministic credential behavior in production Enhanced security for Key Vault secret access Reduced credential management overhead Per PR discussion: authentication changes were customer-requested for production deployment security.\nAffected Files Solutions/Vectra XDR/Data Connectors/VectraDataConnector/SharedCode/keyvault_secrets_management.py (credential type updated) Solutions/Vectra XDR/Data Connectors/VectraDataConnector/VectraXDR321.zip (Python 3.12 runtime package) ","permalink":"http://sentinelchangelog.net/posts/2025-10-01-pr-12637/","summary":"Vectra XDR connector upgraded to Python 3.12 and switched from DefaultAzureCredential to managed identity for production security.","title":"Vectra XDR Connector: Python Runtime Upgrade and Authentication Security Fix"},{"content":"What Changed Added new SecurityBridge_CL custom table definition with comprehensive schema for native SAP audit log ingestion, replacing legacy CEF-based parser approach with structured DCR ingestion.\nSecurity Impact (Visibility & Fidelity) Native SAP Log Structure: New SecurityBridge_CL table provides native SAP audit log fields (BusinessEvent, client, User, UserGroup, triggeringTA, etc.) 
enabling more precise SAP security analytics without CEF parsing overhead.\nEnhanced Data Fidelity: Direct field mapping eliminates data loss from CEF conversion process — SAP-specific attributes like StagingLevel, PGUID, and contact information are now preserved natively for compliance reporting.\nImproved Query Performance: Structured table schema replaces complex CEF parsing logic in SecurityBridgeLogs parser, significantly improving query performance for SAP security investigations.\nDual Stream Support: Solution now supports both SAP_ABAPAUDITLOG (ASIM-compatible) and Custom-SecurityBridge_CL streams for flexible deployment architectures.\nAffected Files Solutions/SecurityBridge App/Data Connectors/SecurityBridge_PUSH_CCP/SecurityBridge_CL.json Solutions/SecurityBridge App/Data Connectors/SecurityBridge_PUSH_CCP/SecurityBridge_DCR.json Solutions/SecurityBridge App/Data Connectors/SecurityBridge_PUSH_CCP/SecurityBridge_connectorDefinition.json Solutions/SecurityBridge App/Parsers/SecurityBridgeLogs.yaml (removed) (packaging artefacts: mainTemplate.json, createUiDefinition.json, etc.)\n","permalink":"http://sentinelchangelog.net/posts/2025-09-30-pr-12847/","summary":"SecurityBridge App solution adds dedicated SecurityBridge_CL custom table with enhanced schema for native SAP security log processing via DCR.","title":"SecurityBridge App Schema Update: New SecurityBridge_CL Table Enables Native SAP Log Ingestion"},{"content":"What Changed GCP IAM parser updated from version 3.0.6 to 3.0.7, adding explicit type conversions for certain fields to bool and datetime types in the parser query logic.\nSecurity Impact (Visibility & Fidelity) Per incident 660943681, the GCP IAM parser was non-functional due to type handling issues. Deployments using this parser experienced zero data processing from GCP_IAM_CL logs — this is a complete detection blind spot, not a cosmetic fix. 
The updated parser with explicit type conversions restores GCP IAM audit log visibility for identity and access management monitoring.\nAffected Files Solutions/GoogleCloudPlatformIAM/Parsers/GCP_IAM.yaml (packaging artefacts updated: mainTemplate.json, Package/*.zip) ","permalink":"http://sentinelchangelog.net/posts/2025-09-30-pr-12714/","summary":"GCP IAM parser updated to version 3.0.7 with explicit type conversions for bool and datetime fields, fixing parser execution failures that prevented data ingestion.","title":"GCP IAM Parser: Critical Type Handling Fix Resolves Parser Execution Failure"},{"content":"What Changed Major version upgrade of BloodHound Enterprise solution introducing:\n105 new analytic rules for Active Directory attack path detection New workbooks for visualization and analysis Updated data connector with Azure Function v2 for new BloodHound Enterprise APIs Simplified Function App ARM template with streamlined parameter set New documentation for local development and deployment Detection Logic KQL logic unavailable — YAML not included in diff context.\nSecurity Impact (Visibility & Fidelity) This represents a significant expansion of Active Directory attack surface monitoring capabilities. 
BloodHound Enterprise specializes in identifying attack paths through Active Directory environments — 105 new detection rules dramatically expand coverage of privilege escalation, lateral movement, and domain persistence techniques.\nThe updated data connector ensures compatibility with new BloodHound Enterprise APIs, maintaining continuous visibility into AD security posture and potential attack vectors that traditional tools miss.\nAffected Files Data connector updated: BloodHound Enterprise connector with new Azure Function v2 ARM template simplified: azuredeploy_BloodHoundEnterprise_FunctionApp.json Documentation added: README.md for connector setup Analytic rules (105 files) and workbooks not visible in diff context (packaging artefacts updated: solution metadata, ARM templates) ","permalink":"http://sentinelchangelog.net/posts/2025-09-30-pr-12473/","summary":"Complete solution overhaul adds 105 analytic rules, new workbooks, and updated data connector with Azure Function v2 for enhanced Active Directory threat detection.","title":"BloodHound Enterprise Solution: Major v2.0 Upgrade with 105 New Detection Rules"},{"content":"What Changed Fixed workbook preview image metadata configuration for proper Content Hub display. The primary focus was on Tanium solution workbook metadata, with additional fixes to SOC Handbook query logic and cleanup of duplicate Keeper Security metadata.\nSecurity Impact Labeled P0 (deployment or pipeline breakage risk). 
This metadata fix ensures proper workbook visibility in Content Hub, preventing SOC teams from missing available analytics capabilities during solution deployment.\nAffected Files Solutions/Tanium/Workbooks/TaniumWorkbook.json Workbooks/WorkbooksMetadata.json Solutions/SOC Handbook/Workbooks/SecurityOperationsEfficiency.json (packaging artefacts: mainTemplate.json files for multiple solutions)\n","permalink":"http://sentinelchangelog.net/posts/2025-09-30-pr-12890/","summary":"Fixed workbook preview image metadata for proper Content Hub display across multiple solutions including Tanium.","title":"Tanium Solution: Content Hub Preview Image Display Fix (P0)"},{"content":"What Changed Fixed query logic in the SOC Handbook Security Operations Efficiency workbook by reordering operations to ensure proper filtering before time-to-triage calculations.\nQuery Logic Fix Moved the arg_max() operation before Owner and Product filtering to ensure the calculation uses the latest incident state before applying additional filters. This prevents incorrect triage time measurements that could occur when filtering was applied before incident deduplication.\nOperational Impact SOC managers using this workbook for performance metrics will now see accurate mean time to triage calculations. 
Previous calculations may have been skewed due to the filter order affecting incident state selection.\nAffected Files Solutions/SOC Handbook/Workbooks/SecurityOperationsEfficiency.json Workbooks/WorkbooksMetadata.json (packaging artefacts: mainTemplate.json, Solution metadata, ReleaseNotes.md)\n","permalink":"http://sentinelchangelog.net/posts/2025-09-29-pr-12861/","summary":"Security Operations Efficiency workbook query corrected to properly calculate incident triage metrics.","title":"SOC Handbook: Fixed Mean Time to Triage Calculation Logic"},{"content":"What Changed Updated the Continuous Diagnostics & Mitigation workbook to fix broken hyperlinks and repair non-functional metrics queries.\nAffected Files Solutions/ContinuousDiagnostics&Mitigation/Workbooks/ContinuousDiagnostics&Mitigation.json Workbooks/WorkbooksMetadata.json (packaging artefacts: mainTemplate.json, createUiDefinition.json, Solution_ContinuousDiagnostics&Mitigation.json)\n","permalink":"http://sentinelchangelog.net/posts/2025-09-29-pr-12880/","summary":"Fixed broken hyperlinks and metrics in the Continuous Diagnostics & Mitigation workbook.","title":"Continuous Diagnostics & Mitigation: Workbook Hyperlink and Metrics Fix"},{"content":"What Changed Fixed URL encoding bug in Tanium-QuarantineHosts and Tanium-UnquarantineHosts playbooks where package names containing square brackets and special characters were causing 400 API response errors.\nSecurity Impact (Visibility & Fidelity) Quarantine Operations Failure: Host quarantine and unquarantine operations were failing when Tanium package names contained special characters (particularly square brackets). 
The manual space replacement with ‘%20’ was insufficient — packages with names like “Deploy Agent [Windows]” would generate malformed API requests, causing complete quarantine operation failures.\nIncident Response Degradation: Security teams using automated quarantine workflows through Microsoft Sentinel incidents experienced silent failures when attempting to isolate compromised endpoints. This created a false sense of containment while threats remained active on the network.\nAPI Integration Restored: Replaced manual string manipulation with proper uriComponent() encoding function, ensuring all special characters in package names are correctly encoded for URL-safe API calls to Tanium.\nAffected Files Solutions/Tanium/Playbooks/Tanium-QuarantineHosts/azuredeploy.json Solutions/Tanium/Playbooks/Tanium-UnquarantineHosts/azuredeploy.json (packaging artefacts: mainTemplate.json, etc.)\n","permalink":"http://sentinelchangelog.net/posts/2025-09-29-pr-12884/","summary":"Critical fix for Tanium quarantine/unquarantine playbooks resolves API failures caused by improper URL encoding of package names containing special characters.","title":"Tanium Playbook API Failure Fix: URL Encoding Bug Breaks Host Quarantine Operations"},{"content":"What Changed Fixed broken hyperlinks and metrics in the Maturity Model for Event Log Management workbook, addressing usability issues that prevented proper navigation and data visualization.\nAffected Files Solutions/MaturityModelForEventLogManagementM2131/Workbooks/MaturityModelForEventLogManagement_M2131.json Workbooks/WorkbooksMetadata.json (packaging artefacts: mainTemplate.json, createUiDefinition.json, Solution metadata, ReleaseNotes.md)\n","permalink":"http://sentinelchangelog.net/posts/2025-09-29-pr-12856/","summary":"Workbook hyperlinks and metrics restored to address navigation and display issues.","title":"Event Log Management Maturity Model: Fixing Broken Links and 
Metrics"},{"content":"What Changed Systematic field name standardisation across Snowflake detection rules, parser, and workbook to align with normalised schema, plus mixed solution maintenance for Tanium, ZeroTrust, and Trend Micro connectors.\nSecurity Impact (Visibility & Fidelity) Detection Query Failures Eliminated: All 10 Snowflake detection rules were using legacy field names (QUERY_TYPE_s, EXECUTION_STATUS_s, IS_SUCCESS_s) that no longer exist in the normalised parser output. Queries were returning zero results despite active Snowflake logging — this created a complete detection blind spot for database activity monitoring.\nField Mappings Restored:\nLogin failure detection now properly references LoginIsSuccess instead of IS_SUCCESS_s Query monitoring uses QueryType/QueryText instead of QUERY_TYPE_s/QUERY_TEXT_s Performance thresholds reference QueryTotalElapsedTime instead of TOTAL_ELAPSED_TIME_d Privilege escalation detection correctly maps QueryExecutionStatus instead of EXECUTION_STATUS_s Parser Schema Consistency: Parser now properly exposes normalised fields (QueryTotalElapsedTime, QueryCreditsUsedCloudServices, QueryExecutionTime) with correct data types, eliminating type conversion errors in downstream analytics.\nDetection Logic SnowflakeDiscoveryActivity: Monitors SHOW commands with SUCCESS status to detect reconnaissance activity — now properly filters on QueryType and QueryExecutionStatus fields.\nSnowflakeMultipleLoginFailure: Tracks failed authentication attempts by monitoring LOGIN events where LoginIsSuccess equals “No” — authentication monitoring was completely broken due to field mismatch.\nSnowflakePossibleDataDestruction: Identifies potential data destruction via DROP commands — critical for detecting insider threats and data sabotage attempts.\nAffected Files Solutions/Snowflake/Analytic Rules/SnowflakeDiscoveryActivity.yaml Solutions/Snowflake/Analytic Rules/SnowflakeLongQueryProcessTime.yaml 
Solutions/Snowflake/Analytic Rules/SnowflakeMultipleFailedQueries.yaml Solutions/Snowflake/Analytic Rules/SnowflakeMultipleLoginFailure.yaml Solutions/Snowflake/Analytic Rules/SnowflakeMultipleLoginFailureFromIP.yaml Solutions/Snowflake/Analytic Rules/SnowflakePossibleDataDestruction.yaml Solutions/Snowflake/Analytic Rules/SnowflakePrivilegesDiscovery.yaml Solutions/Snowflake/Analytic Rules/SnowflakeQueryOnSensitiveTable.yaml Solutions/Snowflake/Analytic Rules/SnowflakeUnusualQuery.yaml Solutions/Snowflake/Analytic Rules/SnowflakeUserAddAdminPrivileges.yaml Solutions/Snowflake/Parsers/Snowflake.yaml Solutions/Snowflake/Workbooks/Snowflake.json (packaging artefacts: mainTemplate.json, createUiDefinition.json, etc.)\n","permalink":"http://sentinelchangelog.net/posts/2025-09-26-pr-12831/","summary":"Comprehensive field name standardisation in Snowflake detection rules resolves widespread query failures caused by parser schema mismatches, restoring database activity monitoring.","title":"Snowflake Security Detection Restoration: Critical Field Name Standardisation Fixes Query Failures"},{"content":"What Changed MongoDB Atlas Function App connector updated to version 3.0.1 with enhanced log filtering capabilities and performance optimizations for Log Ingestion API uploads.\nSecurity Impact (Visibility & Fidelity) Previous connector version provided only binary include/exclude options for log categories (ACCESS, NETWORK, QUERY). The enhanced filtering system now supports granular ID-based filtering with include/exclude lists, allowing SOC teams to focus ingestion on specific database clusters, networks, or query patterns while reducing noise and ingestion costs. 
Performance improvements address potential timeouts during high-volume log uploads that could cause data gaps.\nAffected Files Solutions/MongoDBAtlas/Data Connectors/MongoDBAtlasLogs/GetMDBALogs/__init__.py Solutions/MongoDBAtlas/Data Connectors/MongoDBAtlasLogs/MongoDBAtlasLogs_AzureFunction.json Solutions/MongoDBAtlas/Data Connectors/MongoDBAtlasLogs/azuredeploy_Connector_MongoDBAtlasLogs_AzureFunction.json Solutions/MongoDBAtlas/Data Connectors/MongoDBAtlasLogs/createUiDef.json (packaging artefacts: MongoDBAtlasLogs.zip, Solution_MongoDBAtlas.json, mainTemplate.json, ReleaseNotes.md) ","permalink":"http://sentinelchangelog.net/posts/2025-09-25-pr-12836/","summary":"MongoDB Atlas Function App connector receives filtering capabilities and performance improvements for more efficient log ingestion.","title":"MongoDB Atlas Connector: Enhanced Log Filtering and Performance Optimization"},{"content":"Data Source Microsoft Entra ID Assets connector ingests asset information from Entra ID to supplement activity data with richer context. 
This data enhances existing activity logs by providing detailed asset metadata for comprehensive risk analysis.\nIngestion Mechanism Native Microsoft-managed connector utilising Entra ID APIs to populate asset information tables, providing real-time asset context for security analytics.\nDetection Surface Unlocked Data Risk Graph Foundation: Asset data enables construction of data risk graphs in Microsoft Purview, providing visual representation of data access patterns and potential exposure risks across the organisation.\nEnhanced Activity Context: Supplements existing Entra ID activity logs with detailed asset information, improving accuracy of user behaviour analytics and risk scoring algorithms.\nCross-Product Integration: Enables seamless integration between Sentinel security operations and Purview data governance workflows for unified risk management.\nAffected Files Solutions/Microsoft Entra ID Assets/Data Connectors/EntraIDAssets_DataConnectorDefinition.json Logos/AADCloudSync.svg (packaging artefacts: mainTemplate.json, createUiDefinition.json, SolutionMetadata.json, etc.)\n","permalink":"http://sentinelchangelog.net/posts/2025-09-25-pr-12810/","summary":"New Microsoft Entra ID Assets connector provides supplemental asset data for enhanced activity insights and data risk graph capabilities in Microsoft Purview.","title":"Microsoft Entra ID Assets Solution: New Data Risk Graph Foundation for Purview Integration"},{"content":"TITLE: Anvilogic Solution Publisher ID Correction for Marketplace Publication SUMMARY: Anvilogic solution updated with correct publisherId to resolve publication issues preventing solution deployment from Content Hub. 
TAGS: Anvilogic, Solutions, Maintenance RATING: Low ACTION: Monitor\n","permalink":"http://sentinelchangelog.net/posts/2025-09-25-pr-12851/","summary":"Anvilogic solution updated with correct publisherId to resolve publication issues preventing solution deployment from Content Hub.","title":"Anvilogic Solution Publisher ID Correction for Marketplace Publication"},{"content":"What Changed Updated PowerShell permission assignment instructions in Microsoft Defender for Endpoint antivirus playbooks to use the Microsoft Graph SDK instead of deprecated AzureAD module cmdlets.\nMigration Context The AzureAD PowerShell module is deprecated and being phased out by Microsoft. Organizations deploying these playbooks would experience script failures when using the old cmdlets, as the AzureAD module may not be available in newer environments.\nUpdated Commands Get-AzureADServicePrincipal → Get-MgServicePrincipal New-AzureAdServiceAppRoleAssignment → New-MgServicePrincipalAppRoleAssignment Connect-AzureAD → Connect-MgGraph Playbook functionality remains unchanged - this affects only post-deployment configuration scripts.\nAffected Files Solutions/MicrosoftDefenderForEndpoint/Playbooks/Run-MDEAntivirus/Run-MDEAntivirus-alert-trigger/azuredeploy.json Solutions/MicrosoftDefenderForEndpoint/Playbooks/Run-MDEAntivirus/Run-MDEAntivirus-incident-trigger/azuredeploy.json Solutions/MicrosoftDefenderForEndpoint/Playbooks/Run-MDEAntivirus/readme.md (packaging artefacts: mainTemplate.json, ReleaseNotes.md)\n","permalink":"http://sentinelchangelog.net/posts/2025-09-25-pr-12858/","summary":"Playbook deployment instructions updated to use Microsoft Graph SDK replacing deprecated AzureAD cmdlets.","title":"Microsoft Defender for Endpoint: Modernized PowerShell SDK Instructions"},{"content":"What Changed NIST SP 800-53 workbook updated with corrected hyperlinks and validation fixes including proper table name references and JSON formatting corrections.\nAffected Files 
Solutions/NISTSP80053/Workbooks/NISTSP80053.json (hyperlink and validation fixes)\n","permalink":"http://sentinelchangelog.net/posts/2025-09-24-pr-12784/","summary":"NIST SP 800-53 workbook updated with corrected hyperlinks and validation fixes to restore proper functionality.","title":"NIST SP 800-53 Workbook: Broken Hyperlinks and Validation Errors Fixed"},{"content":"What Changed Complete QualysVM solution update to align with CCF connector data schema, addressing fundamental data ingestion and parsing incompatibilities identified in GitHub issues #12753 and #12795.\nSecurity Impact (Visibility & Fidelity) Detection Failures Resolved: Entity mapping corrections fix broken host identification in detections — the “NetBios_s” field reference was incorrect for the CCF schema, causing detection rules to fail entity mapping entirely. Queries referencing NetBios_s against the new connector returned null for all rows.\nParser Data Loss Eliminated: Result_column_count field type conversion from double to string prevents data ingestion failures where numeric data couldn’t be properly parsed. 
Added missing HostTags field restores host classification data that was being dropped during ingestion.\nWorkbook Query Restoration: All workbook queries updated from legacy table names (QualysHostDetectionV2_CL) to the CCF schema (QualysHostDetection), restoring vulnerability dashboards that were showing empty results post-CCF migration.\nConnector Reference Cleanup: Removed obsolete connector references that could cause deployment conflicts in environments attempting to use both legacy and CCF connectors simultaneously.\nDetection Logic HighNumberofVulnDetectedV2: Host entity mapping corrected from NetBios_s to NetBios field for proper host identification in incident correlation.\nNewHighSeverityVulnDetectedAcrossMulitpleHostsV2: Connector dependency cleaned up to reference only the CCF connector (QualysVMLogsCCPDefinition), eliminating configuration conflicts.\nAffected Files Solutions/QualysVM/Analytic Rules/HighNumberofVulnDetectedV2.yaml Solutions/QualysVM/Analytic Rules/NewHighSeverityVulnDetectedAcrossMulitpleHostsV2.yaml Solutions/QualysVM/Parsers/QualysHostDetection.yaml Solutions/QualysVM/Workbooks/QualysVMv2.json Workbooks/WorkbooksMetadata.json (packaging artefacts: mainTemplate.json, etc.)\n","permalink":"http://sentinelchangelog.net/posts/2025-09-24-pr-12829/","summary":"QualysVM solution migration to CCF connector resolves critical schema mismatches causing detection failures and incorrect entity mapping for vulnerability data.","title":"QualysVM CCF Migration: Schema Update Fixes Data Parsing and Entity Mapping Failures"},{"content":"What Changed New Auth0 logs monitoring workbook added to provide comprehensive visualization and insights into authentication activities and security events.\nDetection Surface Unlocked The workbook enables SOC teams to monitor authentication patterns, identify suspicious user behaviors, and track security-critical events across Auth0 identity infrastructure. 
Key monitoring capabilities include mobile vs desktop authentication distribution, scope sensitivity analysis for privilege escalation detection, and timeline views of authentication and access trends.\nAffected Files Workbooks/Auth0Workbook.json Workbooks/WorkbooksMetadata.json Workbooks/Images/Preview/Auth0Black.png Workbooks/Images/Preview/Auth0White.png (mixed updates: Lumen Defender Threat Feed solution, Veeam updates, Commvault Security IQ improvements, Fortinet FortiGate parser enhancements) ","permalink":"http://sentinelchangelog.net/posts/2025-09-23-pr-12803/","summary":"New Auth0 monitoring workbook provides authentication insights, user activity tracking, and security event visualization for improved identity security monitoring.","title":"Auth0 Workbook: Comprehensive Authentication Log Monitoring and Analysis"},{"content":"What Changed Updated all KQL queries in the ProofPoint TAP workbook to reference the new CCF-based table names and column schema. This includes transitioning from legacy Custom Log Analytics tables to the V2 schema format.\nSecurity Impact Labeled P0 (deployment or pipeline breakage risk). Deployments using the ProofPoint TAP workbook with CCF-based connectors would have experienced complete visualization failure due to table name mismatches. 
All workbook charts would return empty results until this fix is applied.\nTable Schema Changes ProofPointTAPMessagesBlocked_CL → ProofPointTAPMessagesBlockedV2_CL ProofPointTAPMessagesDelivered_CL → ProofPointTAPMessagesDeliveredV2_CL ProofPointTAPClicksBlocked_CL → ProofPointTAPClicksBlockedV2_CL ProofPointTAPClicksPermitted_CL → ProofPointTAPClicksPermittedV2_CL Column references updated: threatsInfoMap_s → threatsInfoMap, url_s → url, classification_s → classification, senderIP_s → senderIP Affected Files Solutions/ProofPointTap/Workbooks/ProofpointTAP.json\n","permalink":"http://sentinelchangelog.net/posts/2025-09-23-pr-12680/","summary":"Workbook queries updated to use CCF V2 table names, preventing data visualization failures after connector migration.","title":"ProofPoint TAP Connector: Critical Table Name Update for CCF Schema"},{"content":"What Changed The Microsoft Entra ID data connector received documentation updates to remove “(Preview)” designations from data types that are no longer in preview status:\nNon-Interactive User Sign-In Log Service Principal Sign-In Log Managed Identity Sign-In Log Provisioning Log ADFS Sign-In Log Security Impact This is a documentation update reflecting the general availability status of these log types. No functional changes to data collection or processing. 
Organizations using these data types can now consider them production-ready without preview limitations.\nAffected Files Solutions/Microsoft Entra ID/Data Connectors/template_AzureActiveDirectory.JSON (preview labels removed) ","permalink":"http://sentinelchangelog.net/posts/2025-09-23-pr-12770/","summary":"Entra ID connector updated to remove preview designations from data types that have reached general availability.","title":"Microsoft Entra ID Connector: Preview Labels Removed from GA Data Types"},{"content":"TITLE: Zero Trust Workbook: Removing Deprecated NetworkMap Component SUMMARY: Zero Trust solution package updated to remove deprecated networkmap visualization due to upstream repository retirement.\n","permalink":"http://sentinelchangelog.net/posts/2025-09-23-pr-12854/","summary":"Zero Trust solution package updated to remove deprecated networkmap visualization due to upstream repository retirement.","title":"Zero Trust Workbook: Removing Deprecated NetworkMap Component"},{"content":"What Changed Cybersixgill Actionable Alerts Function App connector updated with security hardening measures including minimum TLS version enforcement and SSL configuration compliance.\nSecurity Impact (Visibility & Fidelity) ARM template now enforces minimum TLS 1.2 version (minimumTlsVersion: “TLS1_2”) and disables public blob access (allowBlobPublicAccess: false) on storage accounts. Previous deployments may have been flagged by Azure policies requiring encryption-in-transit, potentially blocking connector deployment or causing compliance violations. 
This fix ensures the connector meets modern security standards for data in transit.\nAffected Files Solutions/Cybersixgill-Actionable-Alerts/Data Connectors/azuredeploy_Connector_Cybersixgill_AzureFunction.json ","permalink":"http://sentinelchangelog.net/posts/2025-09-23-pr-12800/","summary":"Cybersixgill Function App connector enforces minimum TLS 1.2 and disables public blob access to meet encryption-in-transit requirements.","title":"Cybersixgill Connector: TLS and SSL Security Hardening"},{"content":"What Changed Major security enhancement to Microsoft Defender Threat Intelligence playbooks:\nRemoved MDTI-Base playbook (legacy authentication model) Updated MDTI-Automated-Triage to use managed identity authentication Upgraded to Graph API v1.0 for improved stability Enhanced documentation for deployment clarity Security Impact This update addresses authentication security by eliminating the need for stored client secrets in playbook configurations. Managed identity authentication provides:\nAutomatic credential rotation No exposed secrets in playbook definitions Reduced attack surface for credential theft Azure-managed authentication lifecycle The change requires redeployment of existing MDTI automation workflows but significantly improves security posture.\nAffected Files Solutions/Microsoft Defender Threat Intelligence/Playbooks/MDTI-Automated-Triage/azuredeploy_new.json (managed identity implementation) Solutions/Microsoft Defender Threat Intelligence/Playbooks/MDTI-Base/azuredeploy.json (removed - legacy auth model) Solutions/Microsoft Defender Threat Intelligence/Playbooks/MDTI-Base/readme.md (removed) (updated deployment images) ","permalink":"http://sentinelchangelog.net/posts/2025-09-23-pr-12798/","summary":"MDTI playbooks updated to use managed identity authentication and Graph API v1.0 — eliminates client secret management.","title":"Microsoft Defender Threat Intelligence: Playbooks Enhanced with Managed Identity Security"},{"content":"TITLE: Cisco Duo 
Security Solution: New Log Endpoints Support Added in Version 3.0.3 SUMMARY: Cisco Duo Security solution updated to version 3.0.3 with enhanced data ingestion capabilities through new log endpoint support. TAGS: CiscoDuoSecurity, DataConnectors, Updated, Solutions, Maintenance RATING: Low ACTION: Monitor\n","permalink":"http://sentinelchangelog.net/posts/2025-09-22-pr-12734/","summary":"Cisco Duo Security solution updated to version 3.0.3 with enhanced data ingestion capabilities through new log endpoint support.","title":"Cisco Duo Security Solution: New Log Endpoints Support Added in Version 3.0.3"},{"content":"What Changed Refactored Commvault Security IQ data connector to implement managed identity authentication and enforce secure HTTPS requests by removing SSL verification bypass.\nSecurity Impact (Visibility \u0026amp; Fidelity) Authentication Security Enhanced: Replaced DefaultAzureCredential fallback with explicit ManagedIdentityCredential, eliminating potential credential exposure in multi-tenant environments and ensuring consistent authentication mechanism.\nSSL/TLS Security Restored: Removed \u0026lsquo;verify=False\u0026rsquo; parameter from all HTTP requests, re-enabling SSL certificate validation for API calls to Commvault Security IQ platform. 
Previous implementation bypassed certificate verification, creating man-in-the-middle attack vulnerability.\nDual Authentication Support: Added both authtoken and Authorization Bearer header support to accommodate both SaaS and on-premises authentication flows, ensuring compatibility across deployment models.\nToken Management Improved: Enhanced token refresh logic with proper Authorization header updates, ensuring secure token lifecycle management throughout connector operation.\nAffected Files Solutions/Commvault Security IQ/Data Connectors/AzureFunctionCommvaultSecurityIQ/main.py Solutions/Commvault Security IQ/Data Connectors/CommvaultSecurityIQDataConnector.zip (packaging artefacts: etc.)\n","permalink":"http://sentinelchangelog.net/posts/2025-09-22-pr-12844/","summary":"Commvault Security IQ connector security improvements include managed identity authentication and removal of SSL verification bypass for enhanced security posture.","title":"Commvault Security IQ Authentication Security Hardening: Managed Identity and HTTPS Enforcement"},{"content":"What Changed Updated Oracle Cloud Infrastructure CCP connector instruction page to clarify partition ID requirements and improve user guidance for connector setup.\nSecurity Impact (Visibility \u0026amp; Fidelity) Setup Clarity Improved: Added explicit note that connector only supports ingesting data from one partition ID at a time, and that ID must be a single-digit number (0, 1, or 2). 
This prevents deployment errors where users attempt to configure multi-partition ingestion causing connector failures.\nConfiguration Error Prevention: Enhanced placeholder text for Partition ID field provides clear examples, reducing misconfigurations that could lead to failed data ingestion from Oracle Cloud Infrastructure logs.\nAffected Files Solutions/Oracle Cloud Infrastructure/Data Connectors/Oracle_Cloud_Infrastructure_CCP/OCI_DataConnector_DataConnectorDefinition.json (packaging artefacts: mainTemplate.json, etc.)\n","permalink":"http://sentinelchangelog.net/posts/2025-09-22-pr-12843/","summary":"Oracle Cloud Infrastructure CCP connector instructions updated to clarify single-partition limitation and provide clearer partition ID guidance.","title":"Oracle Cloud Infrastructure Connector Setup: Partition Limitation Documentation Added"},{"content":"What Changed The Zero Trust (TIC3.0) workbook removed the network map component due to deprecation of the underlying repository that powered this visualization feature.\nAffected Files Solutions/ZeroTrust(TIC3.0)/Workbooks/ZeroTrustTIC3.json (network map component removal), Workbooks/WorkbooksMetadata.json (version update); (packaging artefacts updated: mainTemplate.json, createUiDefinition.json, etc.)\n","permalink":"http://sentinelchangelog.net/posts/2025-09-22-pr-12781/","summary":"Network mapping visualization removed from Zero Trust (TIC3.0) workbook following upstream repository deprecation.","title":"Zero Trust Workbook: Network Map Component Removed Due to Repository Deprecation"},{"content":"What Changed Tanium solution version 3.2.0 updates all playbook templates with Azure Key Vault integration for secure API token storage and fixes analytic rule alert grouping and naming issues.\nSecurity Impact (Visibility \u0026amp; Fidelity) Previous playbooks stored Tanium API credentials as plaintext parameters, creating security risks for bad actors accessing deployment templates. 
The updated templates use Key Vault SecureString parameters and require \u0026ldquo;Key Vaults Secret User\u0026rdquo; role assignment. Additionally, the analytic rule fix ensures 1:1 mapping between Tanium Threat Response alerts and Microsoft Sentinel alerts, preventing alert aggregation that could mask individual security events.\nAffected Files Solutions/Tanium/Analytic Rules/TaniumThreatResponseAlerts.yaml Solutions/Tanium/Playbooks/Tanium-ComplyFindings/azuredeploy.json Solutions/Tanium/Playbooks/Tanium-QuarantineHosts/azuredeploy.json Solutions/Tanium/Playbooks/Tanium-ResolveThreatResponseAlert/azuredeploy.json (packaging artefacts: mainTemplate.json, Solution_Tanium.json) ","permalink":"http://sentinelchangelog.net/posts/2025-09-19-pr-12806/","summary":"Tanium playbooks updated with Azure Key Vault integration for API token security and improved alert naming to resolve grouping issues.","title":"Tanium Solution: Security Hardening for Playbook API Authentication and Alert Management"},{"content":"What Changed Mixed connector maintenance addressing authentication vulnerabilities, regional deployment expansion, and dependency updates across four enterprise security solutions.\nSecurity Impact (Visibility \u0026amp; Fidelity) Trend Micro Vision One: DefaultAzureCredential replaced with ManagedIdentityCredential — the original implementation potentially exposed authentication tokens or caused ingestion failures in managed identity environments. Deployments using DefaultAzureCredential may have experienced authentication-related data loss.\nMongoDB Atlas: Added UK site configuration and removed UAE site support — organisations with UK-based MongoDB deployments gain new log visibility, while UAE deployments lose connector support. 
Enhanced filtering logic for ACCESS/NETWORK/QUERY log categories improves data fidelity.\nVaronis SaaS: State management improvements and alert object mapper fixes address potential data synchronisation gaps that could cause missed security events.\nAffected Files Solutions/Trend Micro Vision One/Data Connectors/AzureFunctionTrendMicroXDR/shared_code/configurations.py Solutions/Trend Micro Vision One/Data Connectors/AzureFunctionTrendMicroXDR/timer_trigger/init.py Solutions/Trend Micro Vision One/Data Connectors/azuredeploy_TrendMicroVisionOne_API_FunctionApp.json Solutions/MongoDBAtlas/Data Connectors/MongoDBAtlasLogs/GetMDBALogs/init.py Solutions/MongoDBAtlas/Data Connectors/MongoDBAtlasLogs/GetMDBALogs/job_state_table_store.py Solutions/VaronisSaaS/Data Connectors/VaronisSaaSFunction/Varonis.Sentinel.Functions/FetchDataFunction.cs Solutions/VaronisSaaS/Data Connectors/VaronisSaaSFunction/Varonis.Sentinel.Functions/State/BlobStateSaver.cs (packaging artefacts: mainTemplate.json, createUiDefinition.json, SolutionMetadata.json, etc.)\n","permalink":"http://sentinelchangelog.net/posts/2025-09-18-pr-12824/","summary":"Authentication vulnerability fix in Trend Micro connector plus new MongoDB Atlas regional deployment support restores and expands enterprise log visibility.","title":"Multiple Data Connector Security Fixes: Trend Micro Authentication and MongoDB Atlas Expansion"},{"content":"Data Source MongoDB Atlas solution ingests administration logs from MongoDB Atlas using the Administration API via Azure Function App connector.\nIngestion Mechanism Function App-based connector with filtering capabilities for network IDs and log categories. 
Ingests to custom table MDBALogTable_CL in Log Analytics workspace.\nDetection Surface Unlocked Database administration activity monitoring User access pattern analysis for MongoDB Atlas clusters Configuration change tracking and unauthorized modifications Network-level filtering for focused monitoring on specific MongoDB deployments Atlas cluster audit logging for compliance and security oversight Affected Files Solutions/MongoDBAtlas/Data Connectors/ containing Function App implementation, deployment templates, and UI definitions ","permalink":"http://sentinelchangelog.net/posts/2025-09-18-pr-12694/","summary":"New MongoDB Atlas solution added providing database administration log ingestion via Function App for monitoring database operations, access patterns, and configuration changes.","title":"MongoDB Atlas Solution: New Database Activity Monitoring with Administration API Integration"},{"content":"What Changed Varonis SaaS Function App connector updated with persistent state management using Azure Blob Storage to track the last successful alert ingestion timestamp across function executions.\nSecurity Impact (Visibility \u0026amp; Fidelity) Previous connector implementation relied on timer schedule status which could result in data gaps during connector restarts, Azure Functions cold starts, or deployment updates. The new BlobStateSaver implementation ensures continuous data collection by persisting the last IngestTime, eliminating the risk of missing security alerts during service interruptions. 
This addresses a critical blind spot where Varonis security alerts could be lost between connector runs.\nAffected Files Solutions/VaronisSaaS/Data Connectors/VaronisSaaSFunction/Varonis.Sentinel.Functions/FetchDataFunction.cs Solutions/VaronisSaaS/Data Connectors/VaronisSaaSFunction/Varonis.Sentinel.Functions/State/BlobStateSaver.cs Solutions/VaronisSaaS/Workbooks/VaronisSaaS.json (packaging artefacts: mainTemplate.json, Solution_VaronisSaaS.json, ReleaseNotes.md) ","permalink":"http://sentinelchangelog.net/posts/2025-09-17-pr-12623/","summary":"Varonis SaaS connector updated with blob state persistence to track last alert ingest time and prevent potential data loss during connector restarts.","title":"Varonis SaaS Connector: Critical State Management Fix to Prevent Data Loss"},{"content":"What Changed New Lumen Technologies threat intelligence solution including:\n10 analytic rules covering IP and domain-based threat detection across multiple data sources 2 hunting queries for proactive threat hunting Threat feed overview workbook for visibility and metrics Azure Durable Function App connector with STIX object upload integration ARM templates for automated deployment and connector UI definition Detection Logic Primary data sources: DNS, CommonSecurityLog, DeviceEvents, DeviceNetworkEvents, IdentityLogonEvents, OfficeActivity, SecurityEvent, SigninLogs, WindowsEvents Core logic: Correlates Lumen threat intelligence indicators with network and authentication events, detecting malicious IP and domain interactions across the enterprise infrastructure Entity types mapped: IP addresses, domains, accounts, and hosts for comprehensive threat correlation\nSecurity Impact (Visibility \u0026amp; Fidelity) This solution provides SOC teams with access to Lumen\u0026rsquo;s enterprise-grade threat intelligence feed, expanding detection coverage for advanced persistent threats and emerging attack infrastructure. 
The Durable Function architecture ensures reliable, scalable ingestion of threat indicators while the analytic rules provide immediate alerting on indicator matches.\nThe solution addresses a significant visibility gap by providing real-time correlation between Lumen\u0026rsquo;s commercial threat feed and organizational telemetry across network, endpoint, and identity data sources.\nAffected Files Analytic rules added (10 files): IP and domain-based detections for multiple data sources Hunting queries added (2 files): Domain and IP indicator hunting queries Workbook added: Lumen-Threat-Feed-Overview.json Data connector: Azure Durable Function with STIX integration ARM templates: Function deployment and connector UI definition Solution metadata: Complete solution packaging for Content Hub ","permalink":"http://sentinelchangelog.net/posts/2025-09-16-pr-12761/","summary":"Complete new solution with 10 analytic rules, hunting queries, workbook, and Azure Durable Function connector for Lumen threat intelligence integration.","title":"Lumen Threat Intelligence Solution: Comprehensive New Threat Feed Integration"},{"content":"What Changed Major enhancement to the Veeam solution adding comprehensive security monitoring capabilities:\n137+ New Detection Rules: Extensive coverage for backup infrastructure security events including malware detection, encryption changes, user management, and ransomware indicators Enhanced Data Connector: Updated function app with improved event filtering, processing capabilities, and Coveware integration for threat intelligence Simplified Analytics: Consolidated from multiple rules to single streamlined analytics rule Comprehensive Coverage: Added monitoring for VeeamONE, backup repositories, credentials management, and multi-factor authentication events Detection Coverage Unlocked The new detection rules provide security visibility across Veeam infrastructure:\nBackup Security: Repository deletions, encryption password changes, backup 
failures Access Control: User/group management, MFA events, credential record changes Threat Detection: Malware activity detection, ransomware indicators, suspicious backup patterns Infrastructure Changes: Host deletions, service provider updates, storage modifications Compliance Monitoring: License management, best practice compliance checks Data Source Enhancement Function app connector improvements enable:\nEnhanced event filtering for reduced noise Coveware security findings integration Better processing of VeeamONE alarm data Improved backup session monitoring Affected Files This large-scale update touched 531 files across multiple solution components. Key security-relevant changes include 137+ new YAML detection rules, enhanced C# function app code, updated sample data, and comprehensive solution packaging updates.\n","permalink":"http://sentinelchangelog.net/posts/2025-09-15-pr-12768/","summary":"Comprehensive Veeam solution update adds extensive security monitoring with 137+ new detection rules, enhanced function app data connector, and streamlined deployment.","title":"Veeam Enterprise Solution: Major Enhancement with 137+ Detection Rules and Advanced Data Collection"},{"content":"What Changed Veeam solution components updated to rename the main data table from VeeamSession_CL to VeeamSessions_CL, along with corresponding updates to analytic rules, workbooks, and deployment templates.\nSecurity Impact (Visibility \u0026amp; Fidelity) This change corrects display issues in Microsoft Defender Portal that were preventing Veeam security monitoring dashboards and analytic rules from rendering properly. 
The table schema and data remain unchanged - only the naming convention was updated to ensure compatibility with the Defender Portal interface.\nAffected Files Solutions/Veeam/Analytic Rules/Configuration_Backup_Failed.yaml Solutions/Veeam/Analytic Rules/Coveware_Security_Finding_Detected.yaml Solutions/Veeam/Analytic Rules/Malware_Activity_Detected.yaml Solutions/Veeam/Data Connectors/DeployTemplates/CustomTables/VeeamSessionsSchema.bicep Solutions/Veeam/Workbooks/VeeamDataPlatformMonitoring/VeeamDataPlatformMonitoring.json (packaging artefacts: mainTemplate.json, test files, sample data) ","permalink":"http://sentinelchangelog.net/posts/2025-09-15-pr-12778/","summary":"Veeam solution updated with table rename from VeeamSession_CL to VeeamSessions_CL to ensure proper display in Microsoft Defender Portal.","title":"Veeam Solution: Table Rename Fix for Microsoft Defender Portal Compatibility"},{"content":"What Changed Illumio Insights solution adds new Summary data connector alongside enhanced authentication for existing Resource Insights connector. The update separates API authentication into distinct API Key and Secret components while adding dedicated insights-summary endpoint access.\nData Source New connector ingests daily and weekly summary reports from Illumio\u0026rsquo;s insights-summary API endpoint, providing aggregated security posture data for compliance managers and threat hunters. Original resource-insights connector continues providing detailed asset visibility.\nIngestion Mechanism CCF-based connector using separate API Key (X-api-key) and API Secret (X-api-secret) authentication headers. 
Data flows to IllumioInsightsSummary_CL table via DCR transform.\nAffected Files Solutions/Illumio Insight/Data Connectors/IllumioInsightsSummaryConnector_CCP/ (new connector), Solutions/Illumio Insight/Data Connectors/IllumioInsight_CCP/ (authentication update); (packaging artefacts updated: mainTemplate.json, createUiDefinition.json, etc.)\n","permalink":"http://sentinelchangelog.net/posts/2025-09-15-pr-12780/","summary":"Illumio solution expands with new Insights Summary connector for compliance managers and threat hunters, plus improved API authentication structure.","title":"Illumio Insights Enhanced: New Summary Connector and Improved Authentication"},{"content":"What Changed New Windows Audit Coverage Checker workbook provides comprehensive visibility into Windows security event auditing coverage across Microsoft Sentinel deployments. This community workbook enables SOC teams to assess gaps in their Windows security logging configuration.\nAffected Files Workbooks/WindowsAuditChecker.json (new workbook), Workbooks/WorkbooksMetadata.json (metadata update), preview images; (packaging artefacts updated across multiple solutions)\n","permalink":"http://sentinelchangelog.net/posts/2025-09-12-pr-12776/","summary":"New community workbook provides focused visibility tool for Windows Security auditing coverage assessment in Microsoft Sentinel deployments.","title":"Windows Audit Coverage Checker Workbook Added for Enhanced Security Visibility"},{"content":"What Changed Dataminr Pulse solution updated with Azure Government Cloud deployment button, enabling deployment in government cloud environments alongside existing commercial Azure support.\nAffected Files Solutions/Dataminr Pulse/Data Connectors/DataminrPulseAlerts/DataminrPulseAlerts_FunctionApp.json (Gov Cloud button), Solutions/Dataminr Pulse/Data Connectors/DataminrPulseAlerts/README.md (deployment documentation); (packaging artefacts updated: mainTemplate.json, Solution_DataminrPulse.json, 
etc.)\n","permalink":"http://sentinelchangelog.net/posts/2025-09-12-pr-12787/","summary":"Dataminr Pulse connector adds Azure Government Cloud deployment button for government environments.","title":"Dataminr Pulse: Azure Government Cloud Deployment Support Added"},{"content":"What Changed Updated six Contrast ADR analytic rules with refined alert formatting and descriptions:\nEDR correlation alerts simplified for clarity WAF confirmation alerts enhanced with endpoint details SQL injection detection downgraded from Critical to High severity Custom table schema updated to include request_headers_referer_s field Removed unused ContrastWAFLogs_CL custom table definition Detection Logic KQL logic unavailable — YAML not included in diff context.\nSecurity Impact (Visibility \u0026amp; Fidelity) The alert description changes improve SOC analyst workflow by providing clearer, more actionable information in incident titles and descriptions. The addition of request_headers_referer_s field to the custom table schema indicates improved data fidelity for tracking attack vectors and referrer-based threat analysis.\nThe severity downgrade of SQL injection detection from Critical to High may affect alerting thresholds and response priorities — teams should review their severity-based automation rules accordingly.\nAffected Files Analytic rules updated (6 files): Contrast_ADR_Confirmed_EDR.yaml, Contrast_ADR_Confirmed_WAF.yaml, Contrast_ADR_Exploited_Attack_Event.yaml, Contrast_ADR_Exploited_Attack_Event_in_Production.yaml, Contrast_ADR_SQL_Injection_Alert_with_DLP_alerts.yaml, Contrast_Security_ADR_incident.yaml Custom table definitions updated: ContrastADR_CL.json (field added), ContrastWAFLogs_CL.json (removed) (packaging artefacts updated: mainTemplate.json, 3.0.0.zip) ","permalink":"http://sentinelchangelog.net/posts/2025-09-12-pr-12655/","summary":"Six Contrast ADR analytic rules updated with improved alert descriptions and custom table schema changes for better incident 
clarity.","title":"Contrast ADR Solution: Refined Alert Formatting and Detection Logic Updates"},{"content":"What Changed Check Point Cyberint IOC Data Connector fixed incorrect table name reference from iocsent_CL to the correct table identifier, resolving a data ingestion failure.\nSecurity Impact (Visibility \u0026amp; Fidelity) Deployments running the previous connector configuration experienced complete ingestion failure for Cyberint IOC threat intelligence data — no indicators were flowing into Sentinel. This fix restores IOC visibility for threat hunting and detection rules that depend on this intelligence feed.\nAffected Files Solutions/Check Point Cyberint IOC/Data Connectors/CyberintArgosIOCLogs_ccp/CyberintArgosIOCLogs_connectorDefinition.json (table name correction), Solutions/Check Point Cyberint IOC/ReleaseNotes.md (version update); (packaging artefacts updated: mainTemplate.json, Solution_Cyberint.json, etc.)\n","permalink":"http://sentinelchangelog.net/posts/2025-09-12-pr-12672/","summary":"Fixed incorrect table reference (iocsent_CL) in Check Point Cyberint IOC connector that was preventing data ingestion.","title":"Check Point Cyberint IOC Connector: Table Name Fix Restores Data Ingestion"},{"content":"What Changed SAP agentless integration package updated to version 1.1.7 with new max-rows parameter that introduces safe limit for data extraction operations.\nAffected Files Solutions/SAP/Agentless/package-1.1.7.zip (updated package), Solutions/SAP/Agentless/README.md (release notes update)\n","permalink":"http://sentinelchangelog.net/posts/2025-09-12-pr-12785/","summary":"SAP agentless integration package updated with safe limit parameter for extraction operations, enhancing data processing control.","title":"SAP Agentless Solution: Safe Extraction Limit Added for Data Processing"},{"content":"What Changed The Azure Security Benchmark workbook removed the network map component due to deprecation of the underlying repository that powered this 
visualization feature.\nAffected Files Solutions/AzureSecurityBenchmark/Workbooks/AzureSecurityBenchmark.json (network map component removal), Workbooks/WorkbooksMetadata.json (version update); (packaging artefacts updated: mainTemplate.json, Solution_AzureSecurityBenchmark.json, etc.)\n","permalink":"http://sentinelchangelog.net/posts/2025-09-11-pr-12775/","summary":"Network mapping visualization removed from Azure Security Benchmark workbook following upstream repository deprecation.","title":"Azure Security Benchmark Workbook: Network Map Component Removed Due to Repository Deprecation"},{"content":"What Changed Microsoft Defender XDR solution adds new Attack Simulator Training playbook that identifies users who received phishing emails but failed to report them to SOC (deleted, marked as junk, etc.), then automatically triggers educational Attack Simulator \u0026ldquo;How-To Guide\u0026rdquo; simulations for those users.\nAffected Files Solutions/Microsoft Defender XDR/Playbooks/AttackSimulatorTrainingNonReporters/ (new playbook: azuredeploy.json, README, PowerShell permission script, documentation images)\n","permalink":"http://sentinelchangelog.net/posts/2025-09-11-pr-12661/","summary":"New playbook automatically educates users who failed to report phishing emails by triggering Attack Simulator training simulations.","title":"Microsoft Defender XDR: Attack Simulator Training Playbook for Phishing Non-Reporters"},{"content":"What Changed The Cybersecurity Maturity Model Certification (CMMC) 2.0 workbook received an update to version 3.1.0, removing network map components due to underlying repository deprecation. The change affects the Media Inspection (MA.L2-3.7.4) section and related hyperlinks.\nSecurity Impact This maintenance change removes functionality that was no longer supported due to dependency deprecation. 
While this may reduce some visualization capabilities in the CMMC compliance workbook, it eliminates potential reliability issues from deprecated components.\nAffected Files Solutions/CybersecurityMaturityModelCertification(CMMC)2.0/Workbooks/CybersecurityMaturityModelCertification_CMMCV2.json (networkmap removed) Workbooks/WorkbooksMetadata.json (version updated to 1.1.0) (packaging artefacts updated: mainTemplate.json, createUiDefinition.json, 3.1.0.zip, Solution json, ReleaseNotes.md) ","permalink":"http://sentinelchangelog.net/posts/2025-09-11-pr-12766/","summary":"Cybersecurity Maturity Model workbook updated to remove deprecated network mapping functionality.","title":"CMMC 2.0 Workbook: Network Map Component Removed Due to Deprecation"},{"content":"Data Source Microsoft Copilot solution ingests AI usage and activity telemetry from Microsoft 365 Copilot experiences into the LLMActivity table for security monitoring and investigation.\nIngestion Mechanism DCR-based connector using Microsoft-LLMActivity stream to populate the LLMActivity table in Log Analytics workspace with Copilot interaction data.\nDetection Surface Unlocked AI assistant usage pattern analysis across Microsoft 365 Unauthorized or suspicious Copilot interactions Data exfiltration attempts through AI conversations Compliance monitoring for AI tool usage in regulated environments Investigation capabilities for AI-assisted activities in security incidents Security Impact (Visibility \u0026amp; Fidelity) This connector introduces visibility into Microsoft Copilot interactions, addressing a blind spot in AI-assisted activities within enterprise environments. 
Organizations can now monitor how users interact with AI tools, detect potential misuse, and investigate security incidents involving AI-generated content or data access patterns.\nAffected Files Solutions/Microsoft Copilot/Data Connectors/ConnectorDefinition.json Solutions/Microsoft Copilot/Data Connectors/DCR.json (supporting files: SolutionMetadata.json, ValidConnectorIds.json, Copilot_logo.svg) ","permalink":"http://sentinelchangelog.net/posts/2025-09-11-pr-12722/","summary":"New Microsoft Copilot solution added providing AI-powered assistant usage monitoring and security telemetry through LLMActivity table ingestion via DCR framework.","title":"Microsoft Copilot Solution: New AI Security Monitoring with LLM Activity Telemetry"},{"content":"What Changed The GitHub Enterprise Audit Logs CCF connector definition file received updated setup instructions in version 3.0.9. The change adds code formatting to the API token scope requirement description, improving clarity for connector deployment.\nSecurity Impact (Visibility \u0026amp; Fidelity) Labeled P0 — assess deployment or pipeline breakage risk explicitly. This documentation fix clarifies that the GitHub personal access token must have the read:audit_log scope for enterprise audit log ingestion. 
Clearer setup instructions reduce deployment errors that could prevent audit log collection.\nAffected Files Solutions/GitHub/Data Connectors/GitHubAuditLogs_CCF/GitHubAuditLogs_ConnectorDefinition.json (setup instructions clarified) (packaging artefacts updated: mainTemplate.json, createUiDefinition.json, 3.0.9.zip, ReleaseNotes.md) ","permalink":"http://sentinelchangelog.net/posts/2025-09-10-pr-12755/","summary":"Labeled P0 — GitHub CCF connector setup instructions fixed to clarify API token scope requirements.","title":"GitHub Enterprise Audit Logs Connector: Critical Setup Instructions Updated"},{"content":"What Changed Jamf Protect solution updated to version 3.3.0 with comprehensive parser enhancements across all five parser functions:\nAdded support for four new event types: TCC_Modify, Network_Connect, Pty_grant, Pty_close Enhanced process audit tokens with additional fields for richer telemetry Updated event type mappings and categorization logic Parser Impact Enhanced data fidelity for macOS endpoint monitoring:\nTCC_Modify Events: Now captures Transparency Consent and Control permission changes, critical for detecting privacy permission abuse Network_Connect Events: Provides network session establishment visibility for endpoint network monitoring Pseudoterminal Events: Tracks terminal access grants and closures, important for detecting suspicious interactive access Enhanced Process Tokens: Additional audit fields improve process execution context and attribution Queries referencing these new event types previously returned no results — this update unlocks visibility into previously unmonitored macOS security events.\nSecurity Impact (Visibility \u0026amp; Fidelity) Customer-requested enhancement addresses specific blind spots in macOS endpoint monitoring:\nPrivacy permission manipulation attempts now visible through TCC events Network connection patterns trackable at endpoint level Terminal access patterns captured for forensic analysis Richer process 
execution context for attribution and correlation Affected Files Solutions/Jamf Protect/Parsers/JamfProtectTelemetry.yaml (major event type additions and field mappings) Solutions/Jamf Protect/Parsers/JamfProtectAlerts.yaml, JamfProtectNetworkTraffic.yaml, JamfProtectThreatEvents.yaml, JamfProtectUnifiedLogs.yaml (version updates) (packaging artefacts updated: mainTemplate.json, 3.3.0.zip, Solution json, ReleaseNotes.md, SolutionMetadata.json) ","permalink":"http://sentinelchangelog.net/posts/2025-09-10-pr-12738/","summary":"Jamf Protect parsers updated to support TCC modifications, network connections, and pseudoterminal events plus enhanced process audit tokens.","title":"Jamf Protect: Enhanced Parsing for New macOS Security Events and Process Audit Fields"},{"content":"What Changed The Snowflake CCF connector received critical fixes to address data quality and reliability issues:\nDCR transform logic updated to filter empty result sets (prevents ingestion of \u0026ldquo;[]\u0026rdquo; data) Polling configuration enhanced with retry logic (5 attempts) and extended timeouts (180s) Pagination improved with proper LinkHeader handling for large result sets API endpoint updated to include retry parameter for connection stability Security Impact (Visibility \u0026amp; Fidelity) This addresses multiple data fidelity gaps that were affecting Snowflake security monitoring:\nRedundant Data: Empty result sets (\u0026quot;[]\u0026quot;) were being ingested as valid data, creating noise in security queries and potentially masking real events Connection Interruptions: Short 60-second timeouts caused incomplete data collection during peak usage periods — extending to 180s with retry logic ensures complete audit trail capture Pagination Failures: Large query results were being truncated, creating blind spots in security event monitoring for high-volume Snowflake environments Deployments running previous versions had incomplete Snowflake audit visibility due to these ingestion 
failures.\nAffected Files Solutions/Snowflake/Data Connectors/SnowflakeLogs_ccp/SnowflakeLogs_DCR.json (data filtering added to all streams) Solutions/Snowflake/Data Connectors/SnowflakeLogs_ccp/SnowflakeLogs_PollingConfig.json (reliability improvements) (packaging artefacts updated: mainTemplate.json, createUiDefinition.json, 3.0.3.zip) ","permalink":"http://sentinelchangelog.net/posts/2025-09-09-pr-12756/","summary":"Snowflake CCF connector fixed to prevent duplicate data ingestion, improve pagination handling, and reduce connection failures.","title":"Snowflake Connector: Critical Data Fidelity and Reliability Improvements"},{"content":"What Changed The Threat Intelligence (NEW) solution received a workbook query fix in version 3.0.6. The change modifies query logic in the ThreatIntelligenceNew workbook component.\nSecurity Impact (Visibility \u0026amp; Fidelity) This addresses a workbook query issue that was affecting threat intelligence dashboard visualization. The fix ensures analysts have reliable access to threat intelligence indicator metrics and trending data through the workbook interface.\nAffected Files Solutions/Threat Intelligence (NEW)/Workbooks/ThreatIntelligenceNew.json (query logic updated) (packaging artefacts updated: mainTemplate.json, createUiDefinition.json, 3.0.6.zip, ReleaseNotes.md) ","permalink":"http://sentinelchangelog.net/posts/2025-09-08-pr-12759/","summary":"Workbook query issue resolved in Threat Intelligence solution — improves analyst dashboard reliability.","title":"Threat Intelligence Workbook: Query Logic Fix for Indicator Visualization"},{"content":"What Changed Added two new analytic rules and enhanced connector functionality:\nDomain data breach detection rule (MITRE T1020 - Exfiltration) User data breach detection rule (MITRE T1020 - Exfiltration) Enhanced Function App ingestion logic for improved data processing Updated workbook with additional event type support Version bump to 3.0.1 Detection Logic Primary data source 
table: NordPassEventLogs_CL Core logic: Monitors breach event types (domain_breached and email_breached actions) to detect when organization data appears on the dark web, triggering on any occurrence with 5-minute query frequency Entity types mapped: Mailbox (using user_email field for breach notifications)\nMITRE Mapping T1020 - Automated Exfiltration: Detects when organizational data has been exfiltrated and discovered in breach databases\nSecurity Impact (Visibility \u0026amp; Fidelity) These rules provide critical early warning when organizational credentials or domain-related data appears in breach databases on the dark web. SOC teams can now proactively identify compromised accounts before they are used in attacks, enabling rapid password resets and account security measures.\nThe enhanced ingestion logic improves data fidelity for NordPass Data Breach Scanner events, ensuring complete visibility into organizational exposure from data breaches.\nAffected Files Analytic rules added (2 files): nordpass_domain_data_detected_in_breach.yaml, nordpass_user_data_detected_in_breach.yaml Data connector updated: Function App template and deployment configuration Workbook updated: NordPass.json with additional event type support (packaging artefacts updated: mainTemplate.json, createUiDefinition.json, 3.0.1.zip, function.zip) ","permalink":"http://sentinelchangelog.net/posts/2025-09-05-pr-12703/","summary":"Two new analytic rules detect domain and user data breaches on the dark web, with enhanced ingestion logic for NordPass Data Breach Scanner integration.","title":"NordPass Solution: Data Breach Scanner Detection Rules and Enhanced Connector Logic"},{"content":"Data Source Veeam Data Platform solution ingests security events from Veeam Backup \u0026amp; Replication (VBR), Veeam ONE, and Coveware products via REST APIs and Function Apps.\nIngestion Mechanism Function App-based connector supporting multiple data streams:\nAuthorization events and user activity Malware 
detection results from backup scanning Security compliance analyzer findings Triggered alarms from Veeam ONE monitoring Best practice analysis results Detection Surface Unlocked Backup infrastructure compromise detection through authorization monitoring Malware presence identification in backup repositories Licensing and compliance violation alerts Configuration security best practice enforcement Restore point integrity validation for ransomware recovery scenarios Bundled Content 9 detection rules covering license violations, malware detection, and failed operations 4 parsers for normalizing Veeam event data 14 playbooks for automated response and data collection 2 workbooks for security monitoring and data platform oversight Affected Files 253 files across Solutions/Veeam/ including complete solution structure with connectors, detections, parsers, playbooks, and workbooks ","permalink":"http://sentinelchangelog.net/posts/2025-09-04-pr-12709/","summary":"New Veeam solution added providing comprehensive security monitoring for backup infrastructure with malware scanning, compliance analysis, and threat detection capabilities.","title":"Veeam Solution: New Backup Security Monitoring with Malware Detection and Compliance Analysis"},{"content":"What Changed Removed broken links from Onapsis Defend data connector documentation:\nRemoved non-functional workspace keys documentation link Removed broken blog series link for LogServ integration guide Security Impact (Visibility \u0026amp; Fidelity) No functional changes to data ingestion or connector operation. 
This is a documentation maintenance fix that removes broken external links from the connector setup instructions, improving user experience during deployment but having no impact on security monitoring capabilities.\nAffected Files Connector definitions updated (2 files): Onapsis_connectorDefinition.json, Onapsis.json (packaging artefacts updated: mainTemplate.json, 3.0.0.zip) ","permalink":"http://sentinelchangelog.net/posts/2025-09-04-pr-12730/","summary":"Fixed connector documentation by removing non-functional links to workspace key documentation.","title":"Onapsis Defend Connectors: Broken Documentation Links Removed"},{"content":"What Changed Added monitoring and sample queries for the new ThreatIntelObjects table across all Threat Intelligence data connector templates. The update affects six connector variants including Microsoft Defender TI, TAXII feeds, and manual upload connectors.\nSecurity Impact (Visibility \u0026amp; Fidelity) Prior to this update, deployments only tracked threat intelligence data in the ThreatIntelIndicators table. The new ThreatIntelObjects table represents an expanded threat intelligence data model that was invisible to connector health monitoring. 
SOC teams using these connectors had no visibility into ThreatIntelObjects data ingestion status or volume metrics.\nThis change ensures comprehensive monitoring coverage for Microsoft Sentinel\u0026rsquo;s enhanced threat intelligence data structure, providing operators with complete visibility into both indicator-based and object-based threat intelligence ingestion.\nAffected Files Data connector templates updated (6 files): Microsoft Defender TI (standard and premium), generic TI, TAXII, upload indicators (commercial and government) (packaging artefacts updated: createUiDefinition.json, mainTemplate.json, 3.0.5.zip) Custom table definition added: ThreatIntelObjects.json ","permalink":"http://sentinelchangelog.net/posts/2025-09-04-pr-12732/","summary":"All TI data connector templates now monitor the new ThreatIntelObjects table, expanding threat intelligence visibility beyond traditional indicators.","title":"Threat Intelligence Connectors: ThreatIntelObjects Data Source Visibility Added"},{"content":"TITLE: Data Connectors: CodeQL Alert Suppression for Legacy Components SUMMARY: Added suppression comments for CodeQL security alerts in deprecated connectors and backward compatibility modules.\n","permalink":"http://sentinelchangelog.net/posts/2025-09-04-pr-12749/","summary":"Added suppression comments for CodeQL security alerts in deprecated connectors and backward compatibility modules.","title":"Data Connectors: CodeQL Alert Suppression for Legacy Components"},{"content":"TITLE: Google Cloud Platform NAT Solution: Packaging Update SUMMARY: GCP NAT solution packaging updated to version 3.0.1 with minor metadata revisions.\n","permalink":"http://sentinelchangelog.net/posts/2025-09-03-pr-12746/","summary":"GCP NAT solution packaging updated to version 3.0.1 with minor metadata revisions.","title":"Google Cloud Platform NAT Solution: Packaging Update"},{"content":"What Changed Removed \u0026ldquo;(Preview)\u0026rdquo; designation from three Google Cloud Platform 
CCF connector titles, promoting them to General Availability status:\nGCP Cloud Run connector GCP NAT connector GCP Resource Manager connector Security Impact (Visibility \u0026amp; Fidelity) No functional changes to data ingestion or query logic. This is a maturity milestone indicating Microsoft\u0026rsquo;s confidence in production deployment. SOC teams can now deploy these GCP connectors in enterprise environments with full vendor support, expanding cloud security monitoring coverage for Google Cloud Platform infrastructure.\nThe connectors provide visibility into:\nCloud Run application request logs and audit events NAT gateway audit and traffic logs for network security monitoring Resource Manager administrative activities across GCP resource hierarchy Affected Files Connector definitions updated (3 files): GCPCloudRunLogs_ConnectorDefinition.json, GCPNATLogs_ConnectorDefinition.json, GCPResourceManagerAuditLogs_ConnectorDefinition.json (packaging artefacts updated: solution metadata, ARM templates, release notes) ","permalink":"http://sentinelchangelog.net/posts/2025-09-03-pr-12735/","summary":"Three Google Cloud Platform CCF connectors graduate from Preview to GA status, indicating production readiness for enterprise deployment.","title":"GCP Connectors Promoted to General Availability: Cloud Run, NAT, and Resource Manager"},{"content":"TITLE: Threat Analysis \u0026amp; Response Workbook: Enhanced Visualizations and UI Improvements SUMMARY: Workbook update adds graphical views to complement table displays and fixes missing data source statistics headers.\n","permalink":"http://sentinelchangelog.net/posts/2025-09-03-pr-12727/","summary":"Workbook update adds graphical views to complement table displays and fixes missing data source statistics headers.","title":"Threat Analysis \u0026 Response Workbook: Enhanced Visualizations and UI Improvements"},{"content":"What Changed Threat Intelligence imDns_IPEntity_DnsEvents detection rule updated from version 1.2.9 
to 1.2.10, correcting alert description field mapping from {{Type}} to {{ThreatType}}.\nDetection Logic KQL logic unavailable — YAML not included in diff context.\nSecurity Impact (Visibility \u0026amp; Fidelity) The alert description format referenced a non-existent {{Type}} field, causing DNS-based threat intelligence alerts to display incomplete context about IP indicators. This prevented SOC analysts from understanding the specific threat classification (malware C2, phishing infrastructure, botnet, etc.) directly from alert descriptions, requiring additional investigation steps to determine threat context.\nAffected Files Solutions/Threat Intelligence (NEW)/Analytic Rules/imDns_IPEntity_DnsEvents.yaml ","permalink":"http://sentinelchangelog.net/posts/2025-08-29-pr-12721/","summary":"Threat Intelligence imDns_IPEntity_DnsEvents rule updated to fix alert description field mapping from non-existent Type to ThreatType, restoring threat classification in DNS alerts.","title":"Threat Intelligence DNS Detection: Alert Description Field Mapping Fix Enables Threat Context"},{"content":"What Changed Azure Firewall Abnormal Port to Protocol detection rule updated from version 1.1.2 to 1.1.3 with improved time range handling and alignment between query frequency and runtime parameters.\nDetection Logic Primary data source: AzureDiagnostics, AZFWNetworkRule, AZFWApplicationRule tables. Core logic performs learning-based anomaly detection on port-to-protocol mappings, identifying traffic patterns that deviate from 7-day baseline behavior. The rule now uses consistent 1-hour detection windows aligned with query frequency to prevent overlapping evaluations.\nMITRE Mapping T1571 (Non-Standard Port)\nSecurity Impact (Visibility \u0026amp; Fidelity) The previous implementation used brittle time calculations (EndRunTime = RunTime - 1d) that only worked when RunTime = 1d. 
Any modification to the runtime parameter broke the detection window calculation, preventing alerts from being generated. Additionally, the mismatch between queryFrequency (1h) and RunTime (1d) caused overlapping detection windows and duplicate alerts for the same anomalous activity.\nAffected Files Solutions/Azure Firewall/Analytic Rules/Azure Firewall - Abnormal Port to Protocol.yaml (packaging artefacts updated: mainTemplate.json, createUiDefinition.json, Package/*.zip) ","permalink":"http://sentinelchangelog.net/posts/2025-08-29-pr-12681/","summary":"Azure Firewall Abnormal Port to Protocol rule updated to fix brittle time range handling that caused duplicate alerts and failed detection when runtime was modified.","title":"Azure Firewall Detection: Critical Time Range Fix Prevents Overlapping Alerts and Query Failures"},{"content":"What Changed Multiple Microsoft Entra ID Conditional Access detection rules updated from version 1.0.0 to 1.0.1, standardizing lookbackDuration format from \u0026ldquo;1h\u0026rdquo; to \u0026ldquo;PT1H\u0026rdquo; (ISO 8601 duration format).\nDetection Logic KQL logic unavailable — YAML not included in diff context.\nSecurity Impact (Visibility \u0026amp; Fidelity) The incorrect lookbackDuration format (\u0026ldquo;1h\u0026rdquo; instead of \u0026ldquo;PT1H\u0026rdquo;) prevented these Conditional Access detection rules from being deployed or saved in Microsoft Sentinel. 
Deployments attempting to use these rules experienced complete deployment failures for Conditional Access monitoring — this represents a critical detection blind spot for identity governance and access policy changes.\nAffected Files Solutions/Microsoft Entra ID/Analytic Rules/Conditional Access - A Conditional Access Device platforms condition has changed.yaml Solutions/Microsoft Entra ID/Analytic Rules/Conditional Access - A Conditional Access app exclusion has changed.yaml Solutions/Microsoft Entra ID/Analytic Rules/Conditional Access - A Conditional Access policy was deleted.yaml Solutions/Microsoft Entra ID/Analytic Rules/Conditional Access - A Conditional Access policy was disabled.yaml Solutions/Microsoft Entra ID/Analytic Rules/Conditional Access - A Conditional Access policy was put into report-only mode.yaml Solutions/Microsoft Entra ID/Analytic Rules/Conditional Access - A Conditional Access policy was updated.yaml Solutions/Microsoft Entra ID/Analytic Rules/Conditional Access - A Conditional Access usergrouprole exclusion has changed.yaml Solutions/Microsoft Entra ID/Analytic Rules/Conditional Access - A new Conditional Access policy was created.yaml Solutions/Microsoft Entra ID/Analytic Rules/Conditional Access - Dynamic Group Exclusion Changes.yaml (packaging artefacts updated: mainTemplate.json, Package/*.zip) ","permalink":"http://sentinelchangelog.net/posts/2025-08-29-pr-12717/","summary":"Microsoft Entra ID Conditional Access detection rules updated to fix lookbackDuration format preventing rule deployment in Microsoft Sentinel workspaces.","title":"Microsoft Entra ID Conditional Access Rules: Incident Configuration Fix Resolves Rule Creation Failures"},{"content":"What Changed Threat Intelligence DomainEntity_imWebSession detection rule updated from version 1.0.10 to 1.0.11, changing alert description field mapping from {{Type}} to {{ThreatType}}.\nDetection Logic KQL logic unavailable — YAML not included in diff context.\nSecurity Impact 
(Visibility \u0026amp; Fidelity) The alert description format referenced a non-existent {{Type}} field, causing alert descriptions to display incomplete context about threat indicators. This affected SOC analyst workflow by providing generic descriptions instead of specific threat type information (malware, phishing, botnet, etc.) when investigating web session alerts. The corrected {{ThreatType}} field mapping restores meaningful threat context in alert descriptions.\nAffected Files Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_imWebSession.yaml ","permalink":"http://sentinelchangelog.net/posts/2025-08-28-pr-12720/","summary":"Threat Intelligence DomainEntity_imWebSession rule updated to fix alert description field mapping, replacing non-existent Type field with ThreatType for proper alert context.","title":"Threat Intelligence Detection: Alert Description Field Mapping Fix Restores Dynamic Content"},{"content":"What Changed ZPAEvent ASIM parser updated from version 1.0.2 to 1.0.3, adding parsing support for SessionID, IPProtocol, ClientCountryCode, and additional network session metadata fields.\nParser Impact The updated parser extracts additional fields that were previously unparsed from ZPA_CL logs. Queries referencing SessionID, IPProtocol, or ClientCountryCode against this parser previously returned null for all rows — this is a data fidelity improvement. 
The core filter logic and existing field mappings remain unchanged, making this safe for existing detections using this parser.\nAffected Files Solutions/Zscaler Private Access (ZPA)/Parsers/ZPAEvent.yaml (packaging artefacts updated: mainTemplate.json, Package/*.zip) ","permalink":"http://sentinelchangelog.net/posts/2025-08-28-pr-12713/","summary":"ZPAEvent parser updated to version 1.0.3 with additional fields for SessionID, IPProtocol, and ClientCountryCode, improving zero-trust network monitoring capabilities.","title":"Zscaler Private Access Parser: Enhanced Field Coverage Improves Network Session Visibility"},{"content":"What Changed GitHub webhook connector title and description updated to remove [DEPRECATED] tags, signaling transition from deprecated to actively supported status.\nSecurity Impact (Visibility \u0026amp; Fidelity) The restoration of GitHub webhook connector support re-establishes a data ingestion path for GitHub security events that was previously marked for deprecation. 
Organizations using GitHub webhook-based monitoring can continue leveraging this connector for repository security events, push notifications, and access monitoring without migration concerns.\nAffected Files Solutions/GitHub/Data Connectors/GithubWebhook/GithubWebhook_API_FunctionApp.json (packaging artefacts updated: mainTemplate.json, Package/*.zip) ","permalink":"http://sentinelchangelog.net/posts/2025-08-28-pr-12705/","summary":"GitHub webhook connector restored from deprecated status, indicating renewed support for GitHub security event ingestion via webhooks.","title":"GitHub Webhook Connector: Deprecated Status Removed, Restored to Active Support"},{"content":"What Changed Cisco Umbrella elastic premium connector configuration updated to align data types, query structures, and table naming conventions with the standard Cisco Umbrella connector.\nSecurity Impact (Visibility \u0026amp; Fidelity) The configuration changes ensure consistent data processing across both standard and elastic premium Cisco Umbrella connectors. This alignment prevents query compatibility issues and ensures uniform field mapping for DNS, proxy, firewall, DLP, and other log types. 
The standardization maintains detection coverage across different deployment models.\nAffected Files Solutions/CiscoUmbrella/Data Connectors/CiscoUmbrella_API_FunctionApp_elasticpremium.json ","permalink":"http://sentinelchangelog.net/posts/2025-08-28-pr-12712/","summary":"Cisco Umbrella elastic premium connector updated to match standard connector data types and table structures for consistent log processing and queries.","title":"Cisco Umbrella Elastic Premium Connector: Data Consistency Fix Aligns with Standard Connector"},{"content":"What Changed ProofPoint TAP CCF connector polling configuration updated to use interval-based time parameters instead of deprecated sinceTime approach, with enhanced authorization headers.\nSecurity Impact (Visibility \u0026amp; Fidelity) Deployments using the previous polling configuration experienced incomplete data retrieval from ProofPoint TAP APIs. The sinceTime parameter implementation resulted in partial event ingestion, creating potential blind spots in email security monitoring. The new interval-based approach ({_QueryWindowStartTime}/{_QueryWindowEndTime}) ensures complete data coverage within each polling window.\nAffected Files Solutions/ProofPointTap/Data Connectors/ProofpointTAP_CCP/ProofpointTAP_pollingconfig.json (packaging artefacts updated: mainTemplate.json, Package/*.zip) ","permalink":"http://sentinelchangelog.net/posts/2025-08-28-pr-12653/","summary":"ProofPoint TAP CCF connector updated from deprecated sinceTime to interval-based polling, addressing incomplete data retrieval that affected threat visibility.","title":"ProofPoint TAP Connector: Critical API Parameter Update Restores Complete Data Ingestion"},{"content":" Unofficial site — not affiliated with or endorsed by Microsoft Corporation. Microsoft Sentinel is a trademark of Microsoft Corporation.\nWhat Is This? 
Microsoft Sentinel Changelog automatically tracks changes to Microsoft Sentinel\u0026rsquo;s open-source content library and publishes security-focused summaries for detection engineers and SOC analysts who want to stay current without monitoring GitHub directly.\nWhat Gets Tracked The site monitors the Azure/Azure-Sentinel repository for merged pull requests across all content types:\nAnalytics rules — new detections, logic changes, query fixes Data connectors — new sources, schema changes, ingestion fixes Hunting queries — new hunts, updated logic Workbooks and dashboards Playbooks and automation Parser updates and KQL function changes Not every merged PR produces a post. Changes that are purely cosmetic, version-bump-only, or otherwise carry no operational signal for defenders are skipped.\nHow It Works A scheduled automation pipeline monitors the upstream repository. When new merged PRs are detected, each change is reviewed and a structured post is generated. Posts are published automatically.\nEach post includes:\nSummary — one-sentence description of the change Security Impact — what visibility was added, lost, or restored; detection gaps opened or closed Affected Files — which rules, connectors, or schemas changed Rating — a signal-level assessment (Critical, High, Medium, Low, or Informational) Action — recommended operator posture (Immediate Fix, Review, Update, Monitor, or No Action) View on GitHub — direct link to the source PR Why This Exists There is no other resource that tracks the Azure/Azure-Sentinel repository at the pull-request level and explains what each change means for defenders. The alternatives leave gaps:\nMicrosoft\u0026rsquo;s \u0026ldquo;What\u0026rsquo;s New\u0026rdquo; posts cover platform features on a monthly cadence — not individual content PRs. Community newsletters are manually curated and weekly at best, covering the broader Sentinel ecosystem rather than every merged change. 
GitHub\u0026rsquo;s own RSS feed delivers every commit with no filtering or context — pure noise for anyone who isn\u0026rsquo;t reading diffs for a living. Content Hub in-portal updates only surface changes to content you\u0026rsquo;ve already installed, require an active Sentinel workspace, and say nothing about what actually changed. Sentinel Changelog fills the space between \u0026ldquo;a PR was merged\u0026rdquo; and \u0026ldquo;here\u0026rsquo;s what it means for your security operations\u0026rdquo; — automatically, at near-real-time cadence, on a freely accessible site with RSS.\nPart of the motivation was simply wanting an RSS feed to follow. The site publishes a feed for all posts, and also per-tag feeds — so you can subscribe to just DataConnectors, or ASIM, or a specific vendor, and ignore everything else. Pull those feeds into whatever fits your workflow: an RSS reader, an RSS-to-email service like Mailbrew, or pipe them straight into a Slack channel so your SOC team sees relevant changes as they land.\nAI Limitations Posts are AI-generated. The model analyses code diffs and available metadata to assess security relevance, but it can misread intent, miss context that only exists outside the PR, or misjudge severity. Treat each post as a triage signal, not a definitive assessment. When precision matters, follow the View on GitHub link to read the source directly.\nUpstream Repository Azure/Azure-Sentinel — Microsoft\u0026rsquo;s official open-source repository for Microsoft Sentinel content including detection rules, hunting queries, workbooks, playbooks, and data connectors.\n","permalink":"http://sentinelchangelog.net/about/","summary":"About Microsoft Sentinel Changelog","title":"About"}]