Trend Micro Vision One Connector: Indonesia Region Support Added, Deployments in ID Site Were Unable to Ingest

The Trend Micro Vision One Function App connector gains support for the Indonesia (id) API region, resolving a complete ingestion gap for customers deployed on api.id.xdr.trendmicro.com. Read More →

Microsoft Defender XDR: Email Hunting Queries Fixed to Reference Correct Connector, Three New Teams/Phish Queries Added

Three email-focused Hunting Queries had a broken connector reference (OfficeATP instead of MicrosoftThreatProtection), suppressing results for orgs using the Defender XDR connector; three new queries covering RMM-via-Teams, alert correlation with Teams messages, and phish-reporter identity are also added. Read More →

Halcyon Anti-Ransomware: New CCF v2 Connector and OCSF Parsers Unlock Full Endpoint Telemetry

Halcyon Solution v3.2.0 ships a new CCF-based v2 Data Connector with two dedicated custom tables (HalcyonEventsV2_CL, HalcyonAlertUpdatesV2_CL) ingesting OCSF-formatted endpoint telemetry, plus eight class-scoped parsers that surface process, file, network, DNS, kernel, auth, application, and alert data for immediate query use. Read More →

Veeam Backup and Replication CCF Connector Now in Public Preview: Six Security Data Streams Added to Sentinel

The Veeam CCF connector enters Public Preview, bringing six new custom log tables covering malware detection, security compliance, authorization events, Veeam ONE alarms, Coveware ransomware findings, and session telemetry – closing a significant blind spot for backup infrastructure security monitoring. Read More →

ZeroFox Threat Intelligence Solution: Metadata Fix to Unblock Content Hub Publishing

Corrects an invalid solution ID in SolutionMetadata.json that was preventing the ZeroFox Threat Intelligence solution from publishing to Content Hub. Read More →

JoeSandbox Solution: Sample Queries Updated to Use ThreatIntelIndicators Table

JoeSandbox solution v3.0.2 updates sample queries from the legacy ThreatIntelligenceIndicator table to ThreatIntelIndicators — workspaces still on the legacy table may see broken sample queries post-upgrade. Read More →

Google Threat Intelligence: New GTI Relevance System Alerts Connector and Six Bundled Detections

A new Function App-based data connector ingests Google Threat Intelligence Relevance System Alerts into Sentinel, unlocking six new Analytic Rules that fire on high-severity, data-leak, initial access broker, and insider threat alert categories surfaced by the GTI platform. Read More →

Illumio Insights Graph Connector: DCR Type Mismatches Were Blocking All Ingestion

The IllumioInsightsGraph CCF connector had column type mismatches between the table schema and DCR transform that caused ingestion failures – this fix corrects TimeGenerated from string to datetime and multiple numeric fields from long to int, but introduces overflow risk for byte counters in high-volume environments. Read More →

Fortinet FortiNDR Cloud Connector: Migration from Deprecated HTTP Data Collector API to Log Ingestion API

The FortiNDR Cloud Function App connector has been fully rewritten to use the Azure Monitor Log Ingestion API, replacing the retired HTTP Data Collector API – deployments still on v3.0.x have had zero ingestion since the legacy API was deprecated. Read More →

GitHub Audit Log Azure Storage Connector: SAS Token Guidance Added to Prevent Credential Rotation Gaps

The GitHub Audit Log Azure Blob Storage connector now includes setup guidance on SAS token signing methods and recommends using Stored Access Policies to enable seamless credential rotation without reissuing tokens. Read More →

SailPoint IdentityNow Solution: Ownership Transferred from Microsoft to SailPoint

The SailPoint IdentityNow solution’s publisher, support, and identity metadata has been updated to reflect SailPoint as the owner — existing deployments may stop receiving updates if the offer identity change breaks Content Hub continuity. Read More →

Vaikora-AzureSecurityCenter: Three Analytic Rules and Playbook Completely Non-Functional Since Initial Deployment

The v3.0.0 solution was built against a fabricated alert API schema – the playbook crashed on ingestion, all three Analytic Rules queried a table that was never populated, and two install paths wrote to divergent tables, meaning zero Vaikora AI agent threat data reached Microsoft Sentinel from day one. Read More →

Vaikora-SentinelOne Playbook: Broken IOC Push Restored After HTTP 422 API Rejection

The v3.0.0 playbook always appended an empty agent_id= parameter, causing the Vaikora API to reject every poll request with HTTP 422, silently halting all IOC delivery to SentinelOne Threat Intelligence since initial deployment. Read More →

Vaikora-CrowdStrike Playbook: Silent IOC Pipeline Failure Fixed for Monitor All Agents Mode

When VaikoraAgentId was left blank to monitor all agents, every HTTP 422 rejection from the Vaikora API silently dropped all IOCs - no high/critical-risk actions ever reached CrowdStrike Falcon. Read More →

CiscoSEG and Infoblox NIOS Package Template Sync — Metadata and Version Normalisation

Package template refresh for CiscoSEG (3.0.5), Infoblox NIOS (3.0.5), and Windows Server DNS (3.0.1) solutions with no changes to detection logic, parser content, or connector ingestion configuration. Read More →

Microsoft Defender XDR: OAuth and Device-Code Phishing Hunting Queries Unblocked After ARM-TTK Pipeline Failure

Two Defender XDR hunting queries targeting OAuth consent and device-code phishing were blocked from pipeline validation due to ARM-TTK hardcoded URI false positives; KQL refactored to construct URLs via strcat(), restoring deployment and preserving detection semantics. Read More →

New BlueVoyant CCF Connector Brings Anthropic Claude Compliance Activity into Microsoft Sentinel

BlueVoyant new Solution adds a CCF-based Data Connector that polls the Anthropic Claude Compliance API every 10 minutes and lands compliance events in the custom table BV_ClaudeCompliance_ComplianceActivities_CL, opening a new AI platform audit surface in Sentinel. Read More →

CyberArk Audit Connector: Function App Runtime Updated to Python 3.12

The CyberArk Audit Function App connector has been updated from Python 3.10 (EOL) to Python 3.12, replacing all bundled dependency packages and deployment templates accordingly. Read More →

MuleSoft CloudHub Logs Connector: Empty Instruction Block Removed to Restore Marketplace Publishing

The MuleSoft CloudHub Logs CCF connector definition had an empty instructions array blocking marketplace validation—this fix removes it, restoring publishability with no change to ingestion logic or detection coverage. Read More →

New eDCRule Solution: 10 Entra ID and Azure Subscription Analytic Rules for Privilege Escalation and Identity Abuse Detection

A new community solution adds 10 scheduled Analytic Rules (plus Chinese-localized counterparts) targeting Microsoft Entra ID privilege escalation, OAuth token abuse, federation trust tampering, and Azure VM Run Command abuse correlated with UEBA signals. Read More →