AbnormalSecurity: Add CCF Push connector with multi-table routing (v3.0.0)#13709
Conversation
Adds a new CCF Push-based data connector alongside the existing Azure Functions connector. The push connector uses OAuth 2.0 and the Azure Monitor Ingestion API to route real-time security events from Abnormal Security into 9 per-event-type custom log tables via a Data Collection Rule with stream-based routing.

Changes:
- New: Data Connectors/AbnormalSecurity_ccf/ with connectorDefinition, dataConnector (kind: Push), DCR with 9 streams, 9 table schemas, and 9 sample data files
- Updated: Solution_AbnormalSecurity.json (version 4.0.0, added CCF connector path)
- Updated: Package/ (mainTemplate.json, createUiDefinition.json, testParameters.json regenerated by packaging tool)
- Updated: SolutionMetadata.json (lastPublishDate)
- Updated: ReleaseNotes.md (v4.0.0 entry)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
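As an added example that is not part of this PR or of the AbnormalSecurity solution: a small Python sketch of the push path the description outlines, i.e. an OAuth 2.0 client-credentials token for the Logs Ingestion scope, events routed by type to a per-type DCR stream, bodies kept under the ingestion API's per-call size cap, and a pre-flight check that the DCR actually declares and routes every stream the client targets. The stream and table names, the DCR fragment, the tenant/client identifiers, the DCE endpoint and the sample events are all constructed placeholders; the connector's real 9 streams are not reproduced here.

```python
"""Added example, not code from the AbnormalSecurity solution: push client that
routes events to per-event-type DCR streams via the Azure Monitor Logs Ingestion
API. Every name below (streams, tables, tenant, endpoint, events) is assumed."""
import json
from collections import defaultdict

# Hypothetical event-type -> DCR stream map (the real connector defines 9 streams).
STREAM_BY_EVENT_TYPE = {
    "threat": "Custom-AbnormalThreat_CL",
    "case": "Custom-AbnormalCase_CL",
    "audit": "Custom-AbnormalAudit_CL",
}

# Hypothetical DCR fragment in Logs Ingestion shape: a stream must be declared in
# streamDeclarations AND carried by a dataFlow, or posts to it are rejected.
DCR = {
    "streamDeclarations": {
        "Custom-AbnormalThreat_CL": {"columns": [{"name": "TimeGenerated", "type": "datetime"}]},
        "Custom-AbnormalCase_CL": {"columns": [{"name": "TimeGenerated", "type": "datetime"}]},
        "Custom-AbnormalAudit_CL": {"columns": [{"name": "TimeGenerated", "type": "datetime"}]},
    },
    "dataFlows": [
        {"streams": ["Custom-AbnormalThreat_CL"], "destinations": ["law"],
         "outputStream": "Custom-AbnormalThreat_CL"},
        {"streams": ["Custom-AbnormalCase_CL"], "destinations": ["law"],
         "outputStream": "Custom-AbnormalCase_CL"},
        # "audit" deliberately has no dataFlow so validate_routing has something to report.
    ],
}

MAX_BODY_BYTES = 1_000_000  # the Logs Ingestion API caps each call at 1 MB


def validate_routing(dcr, stream_map):
    """Return a problem string for every mapped stream the DCR cannot actually route."""
    declared = set(dcr["streamDeclarations"])
    routed = {s for flow in dcr["dataFlows"] for s in flow["streams"]}
    problems = []
    for event_type, stream in stream_map.items():
        if stream not in declared:
            problems.append(f"{event_type}: {stream} is not declared in streamDeclarations")
        elif stream not in routed:
            problems.append(f"{event_type}: {stream} has no dataFlow")
    return problems


def route_events(events, stream_map):
    """Group events by target stream; unmapped event types are returned, not silently dropped."""
    batches, rejected = defaultdict(list), []
    for event in events:
        stream = stream_map.get(event.get("eventType"))
        (batches[stream] if stream else rejected).append(event)
    return dict(batches), rejected


def chunk(events, max_bytes=MAX_BODY_BYTES):
    """Split one stream's batch into JSON arrays that each stay under the per-call limit."""
    chunks, current = [], []
    for event in events:
        if current and len(json.dumps(current + [event])) > max_bytes:
            chunks.append(current)
            current = []
        current.append(event)
    if current:
        chunks.append(current)
    return chunks


def token_request(tenant_id, client_id, client_secret):
    """OAuth 2.0 client-credentials request for the Logs Ingestion scope (built, not sent)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": "https://monitor.azure.com/.default"}
    return url, form


def ingestion_url(dce_endpoint, dcr_immutable_id, stream):
    return f"{dce_endpoint}/dataCollectionRules/{dcr_immutable_id}/streams/{stream}?api-version=2023-01-01"


def push(events, dce_endpoint, dcr_immutable_id, token, sender, stream_map=STREAM_BY_EVENT_TYPE):
    """Route, chunk and send; `sender(url, headers, body)` is injected so this runs offline.
    Returns the number of calls made per stream and the events that had no stream."""
    batches, rejected = route_events(events, stream_map)
    calls = {}
    for stream, batch in batches.items():
        for part in chunk(batch):
            url = ingestion_url(dce_endpoint, dcr_immutable_id, stream)
            headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
            sender(url, headers, json.dumps(part))
            calls[stream] = calls.get(stream, 0) + 1
    return calls, rejected


# Constructed sample events, not real Abnormal Security output.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2024-01-01T00:00:00Z", "eventType": "threat", "subject": "invoice"},
    {"TimeGenerated": "2024-01-01T00:00:01Z", "eventType": "case", "caseId": "1"},
    {"TimeGenerated": "2024-01-01T00:00:02Z", "eventType": "threat", "subject": "payroll"},
    {"TimeGenerated": "2024-01-01T00:00:03Z", "eventType": "unknown"},
]

if __name__ == "__main__":
    print("DCR problems:", validate_routing(DCR, STREAM_BY_EVENT_TYPE))
    sent = []
    calls, rejected = push(SAMPLE_EVENTS, "https://example-dce.eastus-1.ingest.monitor.azure.com",
                           "dcr-00000000000000000000000000000000", "TOKEN",
                           lambda url, headers, body: sent.append(url))
    print("calls per stream:", calls, "rejected:", len(rejected))
```

The point of `validate_routing` is the failure mode that bites multi-table push connectors: a stream that is mapped in the client but missing from `dataFlows` produces ingestion errors rather than rows, so it is worth checking against the DCR before deploying. The rejected list exists for the same reason; an event type the connector does not know about should surface as a count, not vanish.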
Replaces manual concat-based ID construction with resourceId() to pass the 'IDs Should Be Derived From ResourceIDs' arm-ttk test. Regenerated mainTemplate.json with the fix applied.
Hi @anoopabsec Please accept the CLA so we can proceed with the PR review. Thanks!
@microsoft-github-policy-service agree company="Abnormal AI"
@v-maheshbh I have accepted the CLA
Hi @anoopabsec Kindly refer to the CCF Push type connector below and rename the file names and folder structure accordingly. Thanks!!
- Renamed Data Connectors/AbnormalSecurity_ccf/ -> AbnormalSecurity_CCF/
- Prefixed all files with AbnormalSecurity_: connectorDefinition, dataConnector, DCR, and all table files
- Updated Solution_AbnormalSecurity.json connector path
- Version bumped to 3.1.0 (minor bump for new CCF Push connector)
- Updated ReleaseNotes.md version entry to 3.1.0
- Regenerated Package/ with packaging tool v3
@v-maheshbh All feedback has been addressed:
Re: CI failures — The Thanks for the detailed feedback!
@v-maheshbh Following up on this PR — all the feedback from your March 3 review has been addressed (folder/file naming, version 3.1.0, V3 packaging, branding fixes). Could you take another look when you get a chance? Happy to make any further changes needed to get this merged. Thanks!
Hi @anoopabsec Kindly update the release notes by adding the latest version details at the top. Thanks!
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@v-maheshbh Quick update — release notes have been updated with the latest version (3.1.0) now at the top of the table. One question: to provide a testing screenshot of the CCF data connector in a Connected state, we would need to deploy and test it in a Sentinel workspace first. However, since the solution hasn't been approved/published yet, we're unsure how to proceed with this testing step. Could you advise on the expected process — is there a way to manually deploy and test the connector before the PR is merged, or is this something that gets validated post-approval? Thanks!
.github/workflows/sentinel-deploy-19b709da-4488-433d-9062-af5c6b0db56d.yml
Fixed
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
You can custom-deploy the main template to your test workspace and verify the connector deployment from Content Hub. Once deployed, please confirm the connector is in the Connected state and attach the testing screenshots, so we can proceed with the merge. Thanks!
@v-maheshbh Sharing the connector verification screenshot as requested. The Abnormal Security (Push) connector was deployed to a test Microsoft Sentinel workspace ( Please let us know if any additional verification is needed. Thanks!
@v-maheshbh All feedback has been addressed and the connector verification screenshot has been shared showing the Abnormal Security (Push) connector in a Connected state. Could you please review and approve the PR so we can proceed with the merge? Thank you!
Hi @anoopabsec Version 3.0.0 is not live on Content Hub, whereas the solution has been packaged with version 3.1.0. Kindly ensure that the packaged version is incremented based on the current live version in Content Hub. Thanks!
…ent Hub v2.0.1)
- Updated solution version from 3.1.0 to 2.1.0
- Regenerated mainTemplate.json, createUiDefinition.json, testParameters.json at v2.1.0
- Added 2.1.0.zip, removed incorrect 3.1.0.zip
- Updated ReleaseNotes.md: 3.1.0 -> 2.1.0, 3.0.0 -> 2.0.1

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@v-maheshbh Updated the solution version to v2.1.0, correctly incremented from the live Content Hub version v2.0.1. The previous 3.1.0 versioning was inherited from a repo commit that was never published to Content Hub. All package files have been regenerated accordingly and the incorrect zip has been removed.
Kindly package the solution with version 3.0.0. |
- Updated solution version to 3.0.0
- Regenerated mainTemplate.json, createUiDefinition.json, testParameters.json, 3.0.0.zip
- Removed 2.1.0.zip
- Updated ReleaseNotes.md: 2.1.0 -> 3.0.0

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@v-maheshbh Done — solution has been repackaged at v3.0.0 using the V3 packaging tool. The mainTemplate.json, createUiDefinition.json, testParameters.json, and 3.0.0.zip have all been regenerated and pushed. ReleaseNotes updated accordingly. |
@v-maheshbh Just checking in — could you please review the latest changes and let us know if anything else is needed to move forward with the merge? Thanks! |
@v-maheshbh Following up again — all requested changes have been addressed including the version repackage at v3.0.0. Could you please take a look and approve when you get a chance? Happy to make any further adjustments. Thanks! |
Remove the checked-in binary archive Solutions/AbnormalSecurity/Package/3.0.1.zip from the repository. This deletes the 3.0.1 package zip (binary artifact) to avoid keeping large compiled/package files in source control.

Summary
This PR adds a new CCF Push-based data connector to the Abnormal Security solution, bumping the solution to v3.0.0 as requested. The legacy Azure Functions connector is retained for backward compatibility.
New connector: Abnormal Security (Push)
Tables (9)
Files changed
arm-ttk results
48/49 tests passed. The one failure (`IDs Should Be Derived From ResourceIDs` on `contentProductId`) is generated by the packaging tool itself and is a known accepted failure across CCF connector submissions in this repo.
Connector Verification
The CCF Push connector was deployed to a test Microsoft Sentinel workspace (`abnormal-test-ccf`) by deploying the `mainTemplate.json` directly. The screenshot below shows the Abnormal Security (Push) connector in the Connected state with data being received.
Test plan