
[SOLUTION] Update Halcyon Solution #13928

Open
kwest-halcyon wants to merge 4 commits into Azure:master from Halcyon-Sentinel-Integration:master

Conversation

@kwest-halcyon (Contributor) commented Mar 26, 2026

Required items, please complete

Change(s):

  • Update Data Connector's DCR to handle a different set of fields and write to a new custom table
  • Create new custom table: HalcyonEvents_CL
  • Delete existing custom tables
  • Update existing ASIM parsers to read from new HalcyonEvents_CL table

Reason for Change(s):

  • Changing the schema of the data push to Sentinel to OCSF and then providing parsers to transform to ASIM. Previously we were sending data in ASIM schema directly

Version Updated:

  • Updated Solution to 3.1.0

Testing Completed:

  • Yes: Deployed mainTemplate.json to a clean Sentinel instance and confirmed data ingest and parsers worked as expected

Checked that the validations are passing and have addressed any issues that are present:

  • Need Help. Developing with Mac

@kwest-halcyon kwest-halcyon requested review from a team as code owners March 26, 2026 18:58
@v-shukore v-shukore added the Solution Solution specialty review needed label Mar 27, 2026
@v-maheshbh v-maheshbh requested a review from Copilot March 27, 2026 09:08
Copilot AI (Contributor) left a comment

Pull request overview

Updates the Halcyon Sentinel solution to ingest OCSF-shaped events into a new unified custom table (HalcyonEvents_CL) and adjusts solution metadata, release notes, and ASIM parsers accordingly.

Changes:

  • Bumps solution version and updates release notes/metadata dates for the new release.
  • Updates ASIM parsers to query the new HalcyonEvents_CL table and map OCSF fields into ASIM.
  • Reworks connector assets to use a single events table instead of multiple per-schema custom tables.

Reviewed changes

Copilot reviewed 17 out of 19 changed files in this pull request and generated 7 comments.

Summary per file:

  • Solutions/Halcyon/SolutionMetadata.json: Updates publish metadata date for the new release.
  • Solutions/Halcyon/ReleaseNotes.md: Adds 3.1.0 entry describing the schema/connector update.
  • Solutions/Halcyon/Parsers/ASimProcessEventHalcyon.yaml: Parser now reads from HalcyonEvents_CL and maps process fields.
  • Solutions/Halcyon/Parsers/ASimNetworkSessionHalcyon.yaml: Parser now reads from HalcyonEvents_CL and maps network session fields.
  • Solutions/Halcyon/Parsers/ASimFileEventHalcyon.yaml: Parser now reads from HalcyonEvents_CL and maps file activity fields.
  • Solutions/Halcyon/Parsers/ASimDnsHalcyon.yaml: Parser now reads from HalcyonEvents_CL and maps DNS fields.
  • Solutions/Halcyon/Parsers/ASimAuthenticationHalcyon.yaml: Parser now reads from HalcyonEvents_CL and maps authentication fields.
  • Solutions/Halcyon/Package/createUiDefinition.json: Updates solution install description text (file in ignored path for review).
  • Solutions/Halcyon/Data/Solution_Halcyon.json: Updates solution description/version and maintains packaging metadata.
  • Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_table_events.json: Adds new unified custom table definition (file in ignored path for review).
  • Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_table_ProcessEvent.json: Removes old per-schema table definition (file in ignored path for review).
  • Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_table_NetworkSession.json: Removes old per-schema table definition (file in ignored path for review).
  • Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_table_FileActivity.json: Removes old per-schema table definition (file in ignored path for review).
  • Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_table_DnsActivity.json: Removes old per-schema table definition (file in ignored path for review).
  • Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_table_AuthenticationEvent.json: Removes old per-schema table definition (file in ignored path for review).
  • Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_connectorDefinition.json: Updates connector definition to reference unified events table (file in ignored path for review).
  • Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_DCR.json: Updates DCR columns/transform for OCSF-like payload and new table (file in ignored path for review).

| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|---------------------------------------------|
|3.0.0 | 12-09-2025 | Initial Solution release No newline at end of file
|3.1.0 | 24-03-2026 | Update Connector to recieve events with OCSF schemas |
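Review bot: the 3.0.0 row above is still not closed with a trailing `|` and the previous file ended without a newline, while the new 3.1.0 row is closed; close the 3.0.0 row the same way and end the file with a newline so the table renders consistently. The new row also spells "recieve" for "receive".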
Copilot AI commented Mar 27, 2026

Correct spelling in release notes: change 'recieve' to 'receive'.

Suggested change
|3.1.0 | 24-03-2026 | Update Connector to recieve events with OCSF schemas |
|3.1.0 | 24-03-2026 | Update Connector to receive events with OCSF schemas |

@@ -2,7 +2,7 @@
"Name": "Halcyon",
"Author": "Halcyon",
Copilot AI commented Mar 27, 2026

In Solution_*.json, Author must include a contact email in the format {Organization} - {email} (e.g., Halcyon - support@halcyon.ai) to meet solution packaging requirements.

Suggested change
"Author": "Halcyon",
"Author": "Halcyon - support@halcyon.ai",

"Version": "3.0.0",
"Version": "3.1.0",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
Copilot AI commented Mar 27, 2026

For solution data files, Version 3.*.* must have TemplateSpec set to false. With Version: 3.1.0, TemplateSpec: true will fail validation—set it to false.

Suggested change
"TemplateSpec": true,
"TemplateSpec": false,

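As an added illustration, not code from this PR or from the Azure-Sentinel repository, here is a small pre-submission check that applies the packaging rules raised in the review comments above (Author in `{Organization} - {email}` form, `TemplateSpec: false` for 3.x versions, the `C:\GitHub\...` BasePath casing, and a ReleaseNotes.md row for the packaged version) to a Solution_*.json and its release notes. The rule set is limited to what those comments state; the repository's real validation pipeline applies more. Both sample inputs are constructed inline and mirror the before/after state of this PR.

```python
import json
import re

# Rules taken from the review comments on this PR. The repository's own
# validators may enforce additional rules not modelled here (assumption).
AUTHOR_RE = re.compile(r"^.+ - [^@\s]+@[^@\s]+\.[^@\s]+$")
PREFERRED_BASEPATH_PREFIX = "C:\\GitHub\\Azure-Sentinel\\Solutions\\"


def check_solution(solution: dict, release_notes: str) -> list:
    """Return human-readable findings for a parsed Solution_*.json; [] means clean."""
    findings = []

    author = solution.get("Author", "")
    if not AUTHOR_RE.match(author):
        findings.append("Author must be '{Organization} - {email}', got %r" % author)

    version = str(solution.get("Version", ""))
    if version.startswith("3.") and solution.get("TemplateSpec") is not False:
        findings.append("Version 3.x requires TemplateSpec: false")

    base_path = solution.get("BasePath", "")
    if not base_path.startswith(PREFERRED_BASEPATH_PREFIX):
        findings.append("BasePath should start with %r" % PREFERRED_BASEPATH_PREFIX)

    # The release notes table must carry a row whose first cell is the packaged version.
    row_re = re.compile(r"^\|\s*" + re.escape(version) + r"\s*\|", re.MULTILINE)
    if not row_re.search(release_notes):
        findings.append("ReleaseNotes.md has no row for version %s" % version)

    return findings


# Constructed sample: release notes as they would read after the spelling fix.
RELEASE_NOTES = """| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|---------------------------------------------|
|3.0.0 | 12-09-2025 | Initial Solution release |
|3.1.0 | 24-03-2026 | Update Connector to receive events with OCSF schemas |
"""

# Constructed sample: the fields this PR's Solution_Halcyon.json had when reviewed.
SOLUTION_BEFORE = r'''{
  "Name": "Halcyon",
  "Author": "Halcyon",
  "BasePath": "C:\\Github\\Azure-Sentinel\\Solutions\\Halcyon",
  "Version": "3.1.0",
  "Metadata": "SolutionMetadata.json",
  "TemplateSpec": true
}'''

# Constructed sample: the same file with the three review suggestions applied.
SOLUTION_AFTER = r'''{
  "Name": "Halcyon",
  "Author": "Halcyon - support@halcyon.ai",
  "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Halcyon",
  "Version": "3.1.0",
  "Metadata": "SolutionMetadata.json",
  "TemplateSpec": false
}'''


def findings_before() -> list:
    """Findings for the as-reviewed file: author, TemplateSpec and BasePath (3 items)."""
    return check_solution(json.loads(SOLUTION_BEFORE), RELEASE_NOTES)


def findings_after() -> list:
    """Findings for the corrected file: none."""
    return check_solution(json.loads(SOLUTION_AFTER), RELEASE_NOTES)


if __name__ == "__main__":
    for label, result in (("before", findings_before()), ("after", findings_after())):
        print(label, "->", result or "clean")
```

Running the script from the solution's Data folder with the real files (`json.load(open("Solution_Halcyon.json"))` and the text of `../ReleaseNotes.md`) gives a quick local check before pushing, which is useful when the repository's own validation cannot be run on the contributor's machine.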
"Author": "Halcyon",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/halcyon.svg\" width=\"75px\" height=\"75px\">",
"Description": "The [Halcyon](https://www.halcyon.ai) solution for Microsoft Sentinel enables you to ingest Halcyon Events and Alerts into Microsoft Sentinel using the Microsoft Sentinel Analytics Workspace.",
"Description": "The [Halcyon](https://www.halcyon.ai) solution for Microsoft Sentinel enables you to ingest Halcyon Events and Alerts into Microsoft Sentinel using the Microsoft Sentinel Analytics Workspace.\n\nInstalling this solution automatically provisions a Data Collection Endpoint (DCE) and Data Collection Rule (DCR) in your Azure environment. These resources are updated automatically with each solution upgrade. To complete the connector setup, use the **Deploy** button on the Halcyon connector page to create the required Entra app registration and link it to the DCR.",
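Review bot: the new Description text says the Deploy button creates an Entra app registration and links it to the DCR, but it does not say which permission that app registration is granted, or on which resource; stating that in the description (or in the connector page text it points to) lets customers review the connector against least privilege before they deploy, and it also makes the "updated automatically with each solution upgrade" claim easier to verify.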
Copilot AI commented Mar 27, 2026

Solution Description should include the standard Underlying Microsoft Technologies used: section (and preview/cost disclaimer if applicable). This helps meet solution description standards and sets expectations for DCR/DCE-related dependencies and costs.

Suggested change
"Description": "The [Halcyon](https://www.halcyon.ai) solution for Microsoft Sentinel enables you to ingest Halcyon Events and Alerts into Microsoft Sentinel using the Microsoft Sentinel Analytics Workspace.\n\nInstalling this solution automatically provisions a Data Collection Endpoint (DCE) and Data Collection Rule (DCR) in your Azure environment. These resources are updated automatically with each solution upgrade. To complete the connector setup, use the **Deploy** button on the Halcyon connector page to create the required Entra app registration and link it to the DCR.",
"Description": "The [Halcyon](https://www.halcyon.ai) solution for Microsoft Sentinel enables you to ingest Halcyon Events and Alerts into Microsoft Sentinel using the Microsoft Sentinel Analytics Workspace.\n\nInstalling this solution automatically provisions a Data Collection Endpoint (DCE) and Data Collection Rule (DCR) in your Azure environment. These resources are updated automatically with each solution upgrade. To complete the connector setup, use the **Deploy** button on the Halcyon connector page to create the required Entra app registration and link it to the DCR.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following Microsoft technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional data ingestion or operational costs:\n\na. [Microsoft Sentinel](https://learn.microsoft.com/azure/sentinel/)\n\nb. [Azure Monitor Data Collection Rules (DCR)](https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview)\n\nc. [Azure Monitor Data Collection Endpoints (DCE)](https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-endpoint-overview)\n\nd. [Azure Log Analytics workspaces](https://learn.microsoft.com/azure/azure-monitor/logs/log-analytics-workspace-overview)",

@@ -18,8 +18,8 @@
"Hunting Queries": [],
"Playbooks": [],
"BasePath": "C:\\Github\\Azure-Sentinel\\Solutions\\Halcyon",
Copilot AI commented Mar 27, 2026

The preferred BasePath format in this repo uses C:\\GitHub\\... (capital H) for consistency (even though other formats may still work). Consider updating to C:\\GitHub\\Azure-Sentinel\\Solutions\\Halcyon.

Suggested change
"BasePath": "C:\\Github\\Azure-Sentinel\\Solutions\\Halcyon",
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Halcyon",

Dst = DstIpAddr,
IpAddr = SrcIpAddr,
Dvc = DvcHostname
| project-away _ResourceId
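Review bot: `Dst = DstIpAddr` pins the Dst alias to the IP address; where the parser also populates DstHostname, the hostname is the more stable identifier for a destination, so consider `Dst = coalesce(DstHostname, DstIpAddr)` (and the same treatment for Src if it is mapped from SrcIpAddr alone). `IpAddr = SrcIpAddr` and `Dvc = DvcHostname` are fine as written.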
Copilot AI commented Mar 27, 2026

The parser currently leaves the original OCSF fields (including potentially large dynamic columns like metadata, actor, device, src_endpoint, dst_endpoint, raw_data, etc.) in the output. This can bloat results and slow downstream queries. Prefer project (or project-away) to keep only the ASIM output columns (plus any intentionally surfaced raw fields). This same pattern appears across the other updated parsers.

Suggested change
| project-away _ResourceId
| project
TimeGenerated,
EventVendor,
EventProduct,
EventProductVersion,
EventSchema,
EventSchemaVersion,
EventCount,
EventStartTime,
EventEndTime,
EventType,
EventResult,
EventOriginalType,
EventOriginalSeverity,
EventSeverity,
EventMessage,
DvcAction,
SrcIpAddr,
SrcPortNumber,
SrcHostname,
SrcDomain,
SrcMacAddr,
DstIpAddr,
DstPortNumber,
DstHostname,
DstDomain,
DstMacAddr,
DvcHostname,
DvcIpAddr,
DvcId,
Src,
Dst,
IpAddr,
Dvc

"Playbooks": [],
"BasePath": "C:\\Github\\Azure-Sentinel\\Solutions\\Halcyon",
"Version": "3.0.0",
"Version": "3.1.0",
Copilot AI commented Mar 27, 2026

PR description says Version Updated: N/A, but this change bumps the solution version to 3.1.0. Please update the PR description (or adjust the versioning) so they match.

@kwest-halcyon (Contributor, Author)

@v-maheshbh I addressed all the copilot comments and fixed the failing KQL test last week. I would really appreciate a review. Thank you!

@v-maheshbh v-maheshbh added the ASIM label Apr 8, 2026
@v-maheshbh v-maheshbh assigned v-atulyadav and unassigned v-maheshbh Apr 8, 2026
@v-atulyadav v-atulyadav added the SafeToRun This is used only for ASim parsers Fork PR Pipeline run. label Apr 9, 2026
@v-atulyadav v-atulyadav removed the SafeToRun This is used only for ASim parsers Fork PR Pipeline run. label Apr 9, 2026
@v-atulyadav (Collaborator)

Hi @kwest-halcyon,

I noticed that ASIM files have been added to the solution folder, which doesn’t align with our standards. Please remove these files from the current PR and create a new PR for them, ensuring each file is placed in the appropriate folder as per the path provided below. Thanks

https://github.com/Azure/Azure-Sentinel/tree/master/Parsers

@kwest-halcyon (Contributor, Author)

Hi @v-atulyadav

The ASIM parsers were already in the solution. I have removed them anyway and will open a new PR following this one that moves them into the correct Parsers directory.
