Darktrace CCF Connector: Account Entity Mapping Added to Analytic Rules, Closing SaaS Identity Correlation Gap

Two Darktrace Analytic Rules now map user account names as Account entities for SaaS/identity-based incidents, and the DarktraceIncidents_CL table gains a modelBreaches field exposing the full chain of associated model alerts – data that was previously absent from incident context. Read More →

Netskope Web Transactions: 51-Field Schema Expansion Unlocks Threat Protection and Endpoint Posture Visibility

The NetskopeWebTransactions_CL schema gains 51 new fields covering malware detections, endpoint posture, process activity, identity/authorization, and remote geo — all parser column references have also shifted from raw W3C names to DCR-normalised PascalCase, requiring query updates on any existing saved searches or Analytic Rules built against this parser. Read More →

Fortinet FortiGate ASIM Auth Parser: Failed and System-Success Login Events Were Silently Dropped

The FortiGate ASIM Authentication parser was silently discarding event:system failed and event:system success log types, creating a blind spot for credential-based attacks and successful system authentications on FortiGate devices. Read More →

BitSight Function App Connector: UI Updated to Reflect Log Ingestion API Authentication Requirements

The BitSight legacy Function App connector UI page was updated to align with the Log Ingestion API (DCR) ingestion path, removing the Workspace ID/Key deployment step and replacing it with Entra ID credential requirements. Read More →

Microsoft Entra ID Assets Connector Gains Owner and Sponsor Relationship Tables

Two new identity graph tables – EntraOwners and EntraSponsors – are now available in the Microsoft Entra ID Assets connector, expanding the identity relationship data surface for investigating account takeover and privilege escalation paths. Read More →

Trend Micro Vision One Connector: Indonesia Region Support Added, Deployments in ID Site Were Unable to Ingest

The Trend Micro Vision One Function App connector gains support for the Indonesia (id) API region, resolving a complete ingestion gap for customers deployed on api.id.xdr.trendmicro.com. Read More →

Microsoft Defender XDR: Email Hunting Queries Fixed to Reference Correct Connector, Three New Teams/Phish Queries Added

Three email-focused Hunting Queries had a broken connector reference (OfficeATP instead of MicrosoftThreatProtection), suppressing results for orgs using the Defender XDR connector; three new queries covering RMM-via-Teams, alert correlation with Teams messages, and phish-reporter identity are also added. Read More →

New ASIM WebSession Parser Brings AWS WAF Traffic into Normalized Detection Coverage

AWS WAF web session logs can now be ingested and normalized via the ASIM WebSession schema, enabling source-agnostic detections against WAF allow/block/challenge/captcha decisions from the AWSWAF table. Read More →

SilkTyphoon Child Process Detection: Duplicate Connector Mapping Removed

The SilkTyphoonNewUMServiceChildProcess Analytic Rule carried a duplicate and mistyped connector entry (SecurityEvents instead of SecurityEvent) that could cause connector validation errors or unexpected behaviour in environments relying on connector dependency resolution. Read More →

AS-Checkmarx-SAST-Ingestion Playbook: Loop Optimization, Parameterized DCE/DCR Names, and CRITICAL Severity Support

The Checkmarx SAST ingestion Playbook receives pagination fixes, configurable DCE/DCR resource names to support multi-playbook deployments, a corrected severity schema (adding CRITICAL tier), and a reduced default lookback window from 7 to 2 days. Read More →

Microsoft Defender XDR: OAuth and Device-Code Phishing Hunting Queries Unblocked After ARM-TTK Pipeline Failure

Two Defender XDR hunting queries targeting OAuth consent and device-code phishing were blocked from pipeline validation due to ARM-TTK hardcoded URI false positives; KQL refactored to construct URLs via strcat(), restoring deployment and preserving detection semantics. Read More →

BloodHound Enterprise Workbooks: Parameter Query Failures Fixed with Explicit 30-Day Time Context

All six BloodHound Enterprise workbooks had parameter dropdown queries silently failing due to missing time context; this fix adds an explicit 30-day timeContext (durationMs: 2592000000) to each parameter, restoring operator visibility into attack paths and posture data. Read More →

SentinelOne CCF Connector Upgraded to Multi-Instance for MSSP Deployments

The SentinelOne CCF connector now supports multiple simultaneous instances via a grid/context-pane UX, enabling MSSPs to ingest from multiple SentinelOne tenants without deploying duplicate solutions. Read More →

CCF Solution Packaging Tool Gains Five New Auth Type Handlers

The createCCPConnector.ps1 solution packaging script now supports CiscoDuo, CommVault, VisaXpayToken, BarracudaWAF, and EdgeGrid auth types, unblocking connector packaging for products using these authentication schemes. Read More →

Zimperium MTD Gains Incident Log Ingestion via Two New CCF Tables

The Zimperium Mobile Threat Defense CCF connector now ingests mobile incident data into two new custom tables, extending threat visibility beyond raw threat events to correlated incident and mitigation workflows. Read More →

QualysVM Connector Enhanced with QDS Score Parameter

Added QDS score parameter to QualysVM CCF connector, enabling users to include Qualys Detection Scores in vulnerability data collection. Read More →

Akamai Guardicore v3.1.0: Function App Eliminated, CCF Migration Simplifies Microsegmentation Monitoring

Akamai Guardicore connector migrates from Azure Functions to Codeless Connector Framework, removing infrastructure overhead while preserving microsegmentation visibility. Read More →

ASIM Schema Tester: Fixing Critical Validation Gap for Common Fields

Critical fix restores validation of Common schema fields alongside schema-specific fields in ASIM parser testing. Read More →

AWS Security Hub Solution v3.0.4: Workbook Metadata Correction

Fixes missing workbook metadata in AWS Security Hub solution package without changing detection or ingestion logic. Read More →

Azure SQL Database Detection Rules: Enhanced MITRE Coverage and Alert Context

Quality improvements to 10 Azure SQL analytic rules add missing MITRE techniques, alert customization, and standardized query outputs. Read More →