Fix PaloAltoPrismaCloud CCF data connector missing logs#14033
Closed
Bhagya767 wants to merge 66 commits into Azure:master from
Adds a new CCF Push-based data connector alongside the existing Azure Functions connector. The push connector uses OAuth 2.0 and the Azure Monitor Ingestion API to route real-time security events from Abnormal Security into 9 per-event-type custom log tables via a Data Collection Rule with stream-based routing.
Changes:
- New: Data Connectors/AbnormalSecurity_ccf/ with connectorDefinition, dataConnector (kind: Push), DCR with 9 streams, 9 table schemas, and 9 sample data files
- Updated: Solution_AbnormalSecurity.json (version 4.0.0, added CCF connector path)
- Updated: Package/ (mainTemplate.json, createUiDefinition.json, testParameters.json regenerated by packaging tool)
- Updated: SolutionMetadata.json (lastPublishDate)
- Updated: ReleaseNotes.md (v4.0.0 entry)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Replaces manual concat-based ID construction with resourceId() to pass the 'IDs Should Be Derived From ResourceIDs' arm-ttk test. Regenerated mainTemplate.json with the fix applied.
- Renamed Data Connectors/AbnormalSecurity_ccf/ -> AbnormalSecurity_CCF/
- Prefixed all files with AbnormalSecurity_: connectorDefinition, dataConnector, DCR, and all table files
- Updated Solution_AbnormalSecurity.json connector path
- Version bumped to 3.1.0 (minor bump for new CCF Push connector)
- Updated ReleaseNotes.md version entry to 3.1.0
- Regenerated Package/ with packaging tool v3
Standalone training lab solution with:
- ARM template deployment (workspace, automation, ingestion pipeline)
- 14 hands-on exercises (MDTI, MITRE, automation, MCP, notebooks, etc.)
- Per-file CSV download with dynamic discovery via GitHub API
- CrowdStrike, Okta, AWS CloudTrail, GCP Audit Logs telemetry
- Detection rules deployment via Microsoft Graph API
- Workbook, playbook, watchlists, analytic and hunting rules
- Tools/Ingest-LocalCSV.ps1 standalone ingestion utility
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Remove unsupported "outputs" from secureData.properties on the AutoDecode Compose action. Compose actions only support "inputs". Bump solution version to 3.0.1.
…ent Hub v2.0.1)
- Updated solution version from 3.1.0 to 2.1.0
- Regenerated mainTemplate.json, createUiDefinition.json, testParameters.json at v2.1.0
- Added 2.1.0.zip, removed incorrect 3.1.0.zip
- Updated ReleaseNotes.md: 3.1.0 -> 2.1.0, 3.0.0 -> 2.0.1
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Updated solution version to 3.0.0
- Regenerated mainTemplate.json, createUiDefinition.json, testParameters.json, 3.0.0.zip
- Removed 2.1.0.zip
- Updated ReleaseNotes.md: 2.1.0 -> 3.0.0
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add a comprehensive .github/instructions/workbook.instructions.md file that documents standards and validation guidance for Microsoft Sentinel/Azure Monitor workbooks. The new guide specifies required workbook JSON top-level fields (version, items, fallbackResourceIds, fromTemplateId, $schema), provides minimal and full JSON examples, item/parameter/query/chart guidelines, naming and folder conventions, metadata requirements (WorkbooksMetadata.json), versioning rules, common validation errors, and a PR description template to help contributors create and submit valid workbooks.
---
updated-dependencies:
- dependency-name: aiohttp
  dependency-version: 3.13.4
  dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Clarify fromTemplateId naming (use sentinel- prefix with descriptive identifier; allow kebab-case or PascalCase and provide filename/vendor/purpose examples) and reorganize examples/rules. Add comprehensive standards for query quality, documentation, visualizations, interactivity/parameters, structure/navigation, and general best practices (including no-data messaging, performance tips, and parameter usage). These updates provide guidance to ensure consistent, performant, and user-friendly workbook templates.
Update workbook JSON to replace occurrences of "Azure Security Benchmark" with "Microsoft cloud security benchmark" across user-facing text, headings, and KQL queries (including ComplianceStandard checks and noDataMessage strings). This aligns displayed labels and query filters with the updated complianceStandard identifier so recommendations, filters, and remediation links surface correctly.
Add workbook instructions and validation guide
Remove the checked-in binary archive Solutions/AbnormalSecurity/Package/3.0.1.zip from the repository. This deletes the 3.0.1 package zip (binary artifact) to avoid keeping large compiled/package files in source control.
…push-v4 AbnormalSecurity: Add CCF Push connector with multi-table routing (v3.0.0)
…on-Support Adding log ingestion support in Extrahop solution
…nt-enhancements [Tenable App][Data Connector] - Checkpoint field change
Add packaged release and bump solution version to 3.0.4. This commit adds Solutions/AzureSecurityBenchmark/Package/3.0.4.zip, updates mainTemplate.json to reference version 3.0.4 (including resource description updates and minor template cleanups such as removing an empty requiredDataConnectors entry and reordering a URL field mapping), and updates ReleaseNotes.md and Workbooks/WorkbooksMetadata.json to reflect the new release.
…form-Cloud-Monitoring/Data-Connectors/aiohttp-3.13.4
…redata Fix Blacklens Logic App invalid secureData configuration
Updated Azure Security Benchmark label and queries
Hi @Bhagya767, kindly resolve the branch conflicts. Thanks!
…ogle-Cloud-Platform-Cloud-Monitoring/Data-Connectors/aiohttp-3.13.4 Bump aiohttp from 3.13.3 to 3.13.4 in /Solutions/Google Cloud Platform Cloud Monitoring/Data Connectors
…ta-Connectors/DataminrPulseAlerts/cryptography-46.0.7
…taminr-Pulse/Data-Connectors/DataminrPulseAlerts/cryptography-46.0.7 Bump cryptography from 46.0.5 to 46.0.7 in /Solutions/Dataminr Pulse/Data Connectors/DataminrPulseAlerts
…ata-Connectors/cryptography-46.0.7
…pid7InsightVM/Data-Connectors/cryptography-46.0.7 Bump cryptography from 46.0.5 to 46.0.7 in /Solutions/Rapid7InsightVM/Data Connectors
Updated "TI map Domain entity to SecurityAlert " for Threat Intelligence (NEW)
…ining-lab-tools Add Microsoft Sentinel Training Lab to Tools
Co-authored-by: Derrick Lee <derricklee@microsoft.com>
Fixed missing object separator in WorkbooksMetadata.json between Netskope and MicrosoftCopilot entries
…a767/Azure-Sentinel into users/v-bhk/PaloAltoPrisma
🔒 Security Approval Required
This fork PR requires manual approval before automated testing can run. For security, a maintainer must:
Note: If new commits are added later, simply remove and re-add the
🤖 Automated security check • Created: 2026-04-10T17:35:01.625Z
Fixed data ingestion discrepancies in the Palo Alto Prisma Cloud CSPM CCF
data connector where the new connector collected fewer logs than the old
Azure Function-based connector.
Root causes and fixes:
collection to only status-changed alerts, missing newly opened alerts
to match Prisma Cloud v2 Alert API response schema
to match Prisma Cloud v2 Alert API request body spec
time using query window parameters to prevent gaps during delays or backfills
Files changed:
Version: 3.0.4 → 3.0.5
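The last root cause above, query windows that are anchored to the previous run's end time rather than to "now", is a general polling pitfall, so here is an added illustration of the difference. This is example code written for this page, not the Prisma Cloud connector's own logic or the CCF configuration; the event timestamps and the 10-minute polling interval are constructed, and `max_lookback` is an assumed bound on how far a stale checkpoint may reach back.

```python
"""Illustrative polling-window logic (added example, not the connector's code).

Compares a naive window computed from the poll's wall-clock time with a
checkpoint-based window that resumes where the previous poll ended, and
shows which events each approach misses when a poll runs late.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample event timestamps (UTC), one every 5 minutes from 12:00
# to 12:25. These are not real Prisma Cloud alerts.
SAMPLE_EVENTS = [
    datetime(2026, 4, 10, 12, 0, tzinfo=timezone.utc) + timedelta(minutes=m)
    for m in range(0, 30, 5)
]


def naive_window(now, interval):
    """Window that assumes the poller last ran exactly `interval` ago.

    If the run is delayed, the period between the old window's end and
    this window's start is never requested: a permanent gap.
    """
    return now - interval, now


def checkpoint_window(last_end, now, max_lookback):
    """Window that resumes from the previous poll's end timestamp.

    `max_lookback` (assumed parameter) bounds a very stale checkpoint, e.g.
    after a long outage, so one request does not cover an unbounded range;
    a real collector would page forward from there in successive calls.
    """
    start = max(last_end, now - max_lookback)
    return start, now


def fetch(events, start, end):
    """Return events with start <= t < end (half-open, so edges are not double-counted)."""
    return [t for t in events if start <= t < end]


def simulate(delay_minutes):
    """Run two polls where the second fires `delay_minutes` late.

    Returns how many events with timestamp before the second poll each
    strategy failed to collect.
    """
    interval = timedelta(minutes=10)
    max_lookback = timedelta(hours=1)
    t1 = datetime(2026, 4, 10, 12, 10, tzinfo=timezone.utc)
    t2 = t1 + interval + timedelta(minutes=delay_minutes)

    # Naive strategy: each run looks back exactly one interval from when it ran.
    naive = fetch(SAMPLE_EVENTS, *naive_window(t1, interval))
    naive += fetch(SAMPLE_EVENTS, *naive_window(t2, interval))

    # Checkpoint strategy: the second window starts where the first ended.
    s1, e1 = checkpoint_window(t1 - interval, t1, max_lookback)
    checkpointed = fetch(SAMPLE_EVENTS, s1, e1)
    s2, e2 = checkpoint_window(e1, t2, max_lookback)
    checkpointed += fetch(SAMPLE_EVENTS, s2, e2)

    expected = [t for t in SAMPLE_EVENTS if t < t2]
    return {
        "naive_missed": len(set(expected) - set(naive)),
        "checkpoint_missed": len(set(expected) - set(checkpointed)),
    }


if __name__ == "__main__":
    print("on time:", simulate(0))
    print("7 min late:", simulate(7))
```

With the second poll on time both strategies collect everything; with a 7-minute delay the naive window skips the 12:10 and 12:15 events while the checkpointed window picks them up. Note that checkpointing on the window's end time still does not cover events that the source backfills with an older timestamp after the window closed; handling those needs either an overlap with deduplication or a separate ordering key.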