New CCF Connector Builder Accelerator: AI-Assisted End-to-End Pull Connector Generation for Microsoft Sentinel

Adds a GitHub Copilot agent accelerator to the Tools/ directory that automates generation of the four CCF connector files (polling config, DCR, table schema, connector definition) from any REST API documentation – lowering the barrier for partners building custom data connectors. Read More →

Azure WAF Log4j Detection Restored: Field Reference Errors Silenced the Rule Since v1.0.5

A broken column_ifexists reference caused the Azure WAF Log4j detection rule to silently miss exploit traffic in details_message and details_msg fields – any deployment running v1.0.5 had a gap in Log4Shell (CVE-2021-44228) coverage via WAF logs. Read More →

WithSecure Elements CCF Connector: Zero-Ingestion Fix for Broken OAuth2 Auth and Invalid Query Parameters

The WithSecureElementsCCF connector has been non-functional since initial release – both the OAuth2 token request and the security-events API call failed with HTTP 400 errors, meaning no WithSecure endpoint security events have been ingested into any Sentinel deployment running this connector. Read More →

Azure WAF Log4j Detection: Schema Gap Closed for details_message_s and details_msg_s Fields

The AzureWAFmatching_log4j_vuln Analytic Rule was silently missing CVE-2021-44228 exploit attempts in WAF logs that surfaced details_message_s via AdditionalFields or used the details_msg_s column variant, leaving a schema-dependent blind spot in Log4Shell detection. Read More →

Microsoft Entra ID Assets: EntraEligibleMembers Table Pulled Before GA

The EntraEligibleMembers (Preview) table added in v3.3.0 has been removed in this hotfix, eliminating that data source from the connector definition until a stable release. Read More →

Three Solutions Packaging Fix: Mulesoft, Trend Micro, and ESET UI Metadata Corrected

Duplicated connector count blocks in solution UI descriptions and a connector count mismatch are corrected across three solutions, with no detection logic or data ingestion changes. Read More →

Logstash Output Plugin Ruby Version Formally Deprecated - Java Version Now Canonical

The Ruby-based Microsoft Sentinel Logstash output plugin (1.x.x) is now officially deprecated and its documentation separated from the active Java-based version (2.x.x), clarifying which plugin operators should be running. Read More →

Orca Security Alerts: New CCF Push Connector Replaces Deprecated Shared Key Auth with Microsoft Entra ID

A new CCF Push connector for Orca Security Alerts replaces the legacy Log Analytics Shared Key ingestion path with Microsoft Entra ID app authentication via the Logs Ingestion API, eliminating the deprecated shared-key attack surface while retaining backward compatibility. Read More →

ESET PROTECT Platform Connector: Dependency Rollback Including Cryptography Downgrade Warrants Review

The ESET PROTECT Platform Function App connector rolls back several Python dependencies to lower versions, including cryptography from 48.0.0 to 43.0.1, without documented CVE justification – operators should verify no security regressions are introduced. Read More →

Recorded Future: Defender Portal Migration Breaks Incident Creation -- Playbooks Redesigned Around Analytic Rules

Recorded Future v3.2.20 removes direct incident creation from four playbooks (now incompatible with the unified Microsoft Defender portal) and introduces new Analytic Rules to restore incident generation from custom log tables. Read More →

Wiz Connector Overhaul: Agentless DCR Push Integration Adds Detections Stream, Eliminates Function App Attack Surface

Wiz v3.0.1 replaces the legacy Azure Function pull connector with a native DCR push integration, adding a new WizDetectionsV3_CL data stream and removing the need for customer-hosted infrastructure or shared workspace keys. Read More →

New Hunting Query: BadUSB HID Injection via certutil LOLBIN Detected Through explorer.exe Parent Signal

A new hunting query surfaces BadUSB payloads that abuse certutil.exe or cmd.exe via the WIN+R Run dialog by keying on explorer.exe as the initiating process – a signal absent from existing generic certutil LOLBin detections. Read More →

BlueVoyant Claude Compliance Connector: DCR Schema Expanded with Activity Fields, Sensitive request_body Removed

The BlueVoyant Anthropic Claude Compliance CCF connector v1.0.1 expands the DCR schema with dozens of activity-specific fields required for hunting and detection, and removes the request_body column to prevent ingestion of potentially sensitive data. Read More →

Entra ID Brute-Force Detection: Sort Order Fix Corrects Anomaly Decomposition Input

The BruteForceAgainstanEntraAuthenticatedWindowsDevice Analytic Rule was building unsorted time-series arrays for series_decompose_anomalies, meaning anomaly detection results could be incorrect or inconsistent across executions – this fix enforces chronological ordering and stable serialization before make_list. Read More →

ESET PROTECT Platform: New CCF Connector Adds Native Ingestion for Endpoint Inspect and Cloud Office Security Detections

A new Codeless Connector Framework connector and updated parser extend ESET PROTECT Platform coverage to three log streams while maintaining backward compatibility with the legacy Function App connector. Read More →

MuleSoft Anypoint Connector: Data Connector Count Display Fix in Content Hub UI

A packaging-only update to the MuleSoft Solution corrects a connector count mismatch visible in the Content Hub UI. Read More →

GitHub AzStorage Connector: Expanded api.request Fields Land in New GitHubAuditLogsV3_CL Table

The GitHub Azure Storage CCF connector gains a new V3 table with 10 additional api.request fields including token_scopes, request_method, request_body, status_code, and url_path, improving visibility into API-level attacker activity in GitHub audit logs. Read More →

AI Agents Hunting Queries Migrated to Unified AgentsInfo Table -- Connector-Split Queries Retired

Seven consolidated AI agent hunting queries now target the unified Defender XDR AgentsInfo table, replacing 26 connector-specific queries split across the A365 and Copilot Studio connectors; existing deployments still running the old AIAgentsInfo-based queries have had no effective hunting coverage since the table split was introduced. Read More →

SOCRadar Solution v3.0.1: Packaging Version Alignment

Version bump from 3.0.0 to 3.0.1 to align the published Content Hub package with the catalog; no detection logic, playbook, or connector changes. Read More →

Checkmarx Audit Ingestion Playbook: Pagination Fix, Deployment Simplification, and RBAC Enforcement

The AS-Checkmarx-Audit-Ingestion Playbook receives pagination loop fixes and a collapsed single-deployment model – teams running the old multi-step deployment may have incomplete audit event ingestion. Read More →