Recorded Future: Defender Portal Migration Breaks Incident Creation -- Playbooks Redesigned Around Analytic Rules

Recorded Future v3.2.20 removes direct incident creation from four playbooks (now incompatible with the unified Microsoft Defender portal) and introduces new Analytic Rules to restore incident generation from custom log tables. Read More →

Wiz Connector Overhaul: Agentless DCR Push Integration Adds Detections Stream, Eliminates Function App Attack Surface

Wiz v3.0.1 replaces the legacy Azure Function pull connector with a native DCR push integration, adding a new WizDetectionsV3_CL data stream and removing the need for customer-hosted infrastructure or shared workspace keys. Read More →

BlueVoyant Claude Compliance Connector: DCR Schema Expanded with Activity Fields, Sensitive request_body Removed

The BlueVoyant Anthropic Claude Compliance CCF connector v1.0.1 expands the DCR schema with dozens of activity-specific fields required for hunting and detection, and removes the request_body column to prevent ingestion of potentially sensitive data. Read More →

Entra ID Brute-Force Detection: Sort Order Fix Corrects Anomaly Decomposition Input

The BruteForceAgainstanEntraAuthenticatedWindowsDevice Analytic Rule was building unsorted time-series arrays for series_decompose_anomalies, meaning anomaly detection results could be incorrect or inconsistent across executions – this fix enforces chronological ordering and stable serialization before make_list. Read More →

ESET PROTECT Platform: New CCF Connector Adds Native Ingestion for Endpoint Inspect and Cloud Office Security Detections

A new Codeless Connector Framework connector and updated parser extend ESET PROTECT Platform coverage to three log streams while maintaining backward compatibility with the legacy Function App connector. Read More →

MuleSoft Anypoint Connector: Data Connector Count Display Fix in Content Hub UI

A packaging-only update to the MuleSoft Solution corrects a connector count mismatch visible in the Content Hub UI. Read More →

GitHub AzStorage Connector: Expanded api.request Fields Land in New GitHubAuditLogsV3_CL Table

The GitHub Azure Storage CCF connector gains a new V3 table with 10 additional api.request fields including token_scopes, request_method, request_body, status_code, and url_path, improving visibility into API-level attacker activity in GitHub audit logs. Read More →

SOCRadar Solution v3.0.1: Packaging Version Alignment

Version bump from 3.0.0 to 3.0.1 to align the published Content Hub package with the catalog; no detection logic, playbook, or connector changes. Read More →

Google SecOps Solution: Publisher and Offer Identity Update

The Google SecOps Solution package has been re-registered under new marketplace publisher and offer identifiers — no detection logic or connector configuration was changed. Read More →

Cisco Umbrella CCF Connector GA Promotion Fixes Template Variable Rendering in UI Queries

The Cisco Umbrella CCF connector graduates to GA while also resolving broken template variable references that caused Content Hub connectivity checks and sample queries to malfunction. Read More →

Rapid7 InsightVM CCF Connector Promoted to General Availability

The Rapid7 InsightVM CCF data connector moves out of Public Preview to GA, updating the API version to the stable 2025-09-01 release. Read More →

Abnormal Security Solution: Full Detection Coverage Added for CCF Push Connector (v3.1.0)

The Abnormal Security solution now ships four scheduled Analytic Rules, four Hunting Queries, four parsers, a workbook, and a Playbook — closing a complete detection gap that existed since the CCF Push connector was introduced in v3.0.0 with no bundled detections. Read More →

New Akamai DDoS Protection CCF Connector: WAF Security Events Now Available in Microsoft Sentinel

A new CCF-based connector ingests Akamai WAF SIEM security events into the AkamaiSIEMEvent table, unlocking web application attack visibility including denied requests, client reputation, rule triggers, and geolocation context for attacker IPs. Read More →

WithSecure Elements Connector Migrated to CCF: Function App Infrastructure Eliminated

A new CCF-based WithSecure Elements solution (v4.0.0) replaces the Azure Function connector, removing the Azure Function, Storage Account, and Key Vault dependency stack while the legacy Function App solution is deprecated in place with a transition buffer for existing deployments. Read More →

Lookout Connector v3.0.6: Silent Ingestion Stop After 24h and Four DCR Field Mapping Blind Spots Fixed

A CCF cursor expiry caused the Lookout streaming connector to silently stop ingesting data after roughly 24 hours, and four incorrect DCR field paths meant ThreatId, ThreatAction, DeviceEmail, and SmishingAlertId were null in every ingested record. Read More →

Agent 365 Solution v3.1.2: Microsoft Agent Identities Connector Version Refresh

Bumps the Microsoft Agent Identities (EntraNHIAssets) data connector to version 1.0.1 so Content Hub correctly detects and applies the latest connector configuration on solution update. Read More →

Trend Micro Cloud App Security: Offer ID Alignment for Marketplace Publishing

Solution metadata offer ID updated to match the Azure Marketplace listing — no detection logic or connector changes. Read More →

Darktrace CCF Connector: Setup Guide Link Updated to Customer Portal

Version 3.1.1 fixes a broken documentation link in the connector UI, replacing the prior URL with the Darktrace customer portal guides page (https://customerportal.darktrace.com/guides) after a manual validation failure. Read More →

Semperis Lightning Connector: TLS Certificate Verification Restored Across All API Calls

The Semperis Lightning data connector was making all outbound API requests with TLS verification disabled (verify=False), exposing token acquisition and all data collection calls to man-in-the-middle attacks; this fix re-enables certificate validation across seven affected modules. Read More →

Google Workspace Reports: Google Meet Activity Logs Restored After Polling Window Gap

A missing queryWindowDelayInMin setting caused Google Meet audit events to be silently dropped by the CCF connector - adding a 30-minute delay restores ingestion of events that arrive late from Google API. Read More →