Added solution package for Cyjax

[devendra-chavda]

Change(s):

• Added Data Connector, Playbooks and Workbook for Cyjax

Reason for Change(s):

• Initial Solution

Version Updated:

• Initial version. 3.0.0

Testing Completed:

• Yes

Checked that the validations are passing and have addressed any issues that are present:

• Yes

[v-shukore]

Hi @devendra-chavda,
We are putting your PR on hold because your solution uses Azure Function and not Sentinel Codeless Connector Framework (CCF). We would be happy to work with you to migrate your solution to CCF. Please contact the Microsoft Sentinel Partners at AzureSentinelPartner@microsoft.com to discuss available options.
Thanks!

[dhwanishah-crest]

Hi @v-shukore,
This is a requirement from Cyjax customer and we have been working since more than a month for this. They want to publish this asap. Can we release it as of now?
Later on we can see the feasibility of the CCF and try migrating. Does that work?

[v-shukore]

Hi @dhwanishah-crest, as instructed by the team, we cannot move forward with the Azure Function data connector without approval from the Sentinel partner team. If you wish to proceed, please email AzureSentinelPartner@microsoft.com for approval and share a screenshot of their response. Thanks!

[devendra-chavda]

Hi @v-shukore,

We have received approval from the Sentinel partner team. Please find the screenshot attached for reference.

[Copilot]

Pull request overview

Adds an initial Microsoft Sentinel Solution package for Cyjax, including a threat intel data connector (Azure Function), supporting playbooks, workbook metadata, parsers, and sample data/test artifacts.

Changes:

• Added Cyjax solution metadata, release notes, and solution definition file.
• Added Azure Function–based IOC connector implementation plus shared Python code.
• Added playbook ARM templates/READMEs, workbook registration metadata, parsers, sample data, and KQL validation custom table schemas.

Reviewed changes

Copilot reviewed 43 out of 63 changed files in this pull request and generated 16 comments.

Show a summary per file

File	Description
Workbooks/WorkbooksMetadata.json	Registers the Cyjax workbook and its declared dependencies for discovery.
Solutions/Cyjax/SolutionMetadata.json	Adds marketplace/solution metadata (publisher, offer, categories, support).
Solutions/Cyjax/ReleaseNotes.md	Introduces initial release notes entry for the Cyjax solution.
Solutions/Cyjax/README.md	Adds top-level solution README content.
Solutions/Cyjax/Playbooks/CyjaxIncidentEnrichment/README.md	Documents incident enrichment playbook deployment and configuration.
Solutions/Cyjax/Playbooks/CyjaxDomainMonitor/azuredeploy.json	Adds Domain Monitor playbook ARM template.
Solutions/Cyjax/Playbooks/CyjaxDomainMonitor/README.md	Documents Domain Monitor playbook usage/deployment.
Solutions/Cyjax/Playbooks/CyjaxDataBreaches/azuredeploy.json	Adds Data Breaches playbook ARM template.
Solutions/Cyjax/Playbooks/CyjaxDataBreaches/README.md	Documents Data Breaches playbook usage/deployment.
Solutions/Cyjax/Playbooks/CyjaxAddCommentToIncident/README.md	Documents the “Add Comment” sub-playbook.
Solutions/Cyjax/Playbooks/CyjaxAdHocEnrichment/azuredeploy.json	Adds Ad Hoc Enrichment playbook ARM template.
Solutions/Cyjax/Playbooks/CyjaxAdHocEnrichment/README.md	Documents Ad Hoc Enrichment playbook usage/deployment.
Solutions/Cyjax/Parser/CyjaxThreatIndicator.yaml	Adds custom parser/function definition for Cyjax threat indicators.
Solutions/Cyjax/Parser/CyjaxCorrelate.yaml	Adds custom parser/function definition for correlation logic.
Solutions/Cyjax/Package/testParameters.json	Adds deployment test parameters for package validation.
Solutions/Cyjax/Package/createUiDefinition.json	Adds UI definition for the solution installation experience.
Solutions/Cyjax/Data/Solution_Cyjax.json	Defines the solution manifest (connectors, playbooks, workbooks, parsers, metadata).
Solutions/Cyjax/Data Connector/requirements.txt	Defines Python dependencies for the Azure Function connector.
Solutions/Cyjax/Data Connector/host.json	Adds Azure Functions host configuration.
Solutions/Cyjax/Data Connector/azuredeploy_Connector_CyjaxIOC_AzureFunction.json	Adds ARM template for deploying the Cyjax IOC function connector.
Solutions/Cyjax/Data Connector/SharedCode/state_manager.py	Adds checkpoint/state handling via Azure File Share.
Solutions/Cyjax/Data Connector/SharedCode/sentinel.py	Adds Sentinel Upload Indicator API client with retry/error handling.
Solutions/Cyjax/Data Connector/SharedCode/logger.py	Adds connector logging configuration.
Solutions/Cyjax/Data Connector/SharedCode/exceptions.py	Adds custom exception types for the connector.
Solutions/Cyjax/Data Connector/SharedCode/cyjax_to_stix_mapping.py	Adds mapping from Cyjax IOC records to STIX 2.1 objects.
Solutions/Cyjax/Data Connector/SharedCode/cyjax_client.py	Adds Cyjax API client for IOC fetch + enrichment.
Solutions/Cyjax/Data Connector/SharedCode/consts.py	Adds constants/env var bindings for the connector.
Solutions/Cyjax/Data Connector/SharedCode/init.py	Marks SharedCode as a Python package.
Solutions/Cyjax/Data Connector/README.md	Adds documentation for connector deployment/configuration.
Solutions/Cyjax/Data Connector/CyjaxIOC_API_FunctionApp.json	Adds the Sentinel data connector definition and instructions.
Solutions/Cyjax/Data Connector/CyjaxIOCIngestion/function.json	Defines the timer trigger binding.
Solutions/Cyjax/Data Connector/CyjaxIOCIngestion/cyjax_ioc_helper.py	Implements ingestion orchestration (paging, enrichment, mapping, upload, checkpoint).
Solutions/Cyjax/Data Connector/CyjaxIOCIngestion/init.py	Function entrypoint wiring for timer trigger.
Sample Data/Custom/CyjaxThreatIndicator.csv	Adds sample data for Cyjax threat indicators.
Sample Data/Custom/CyjaxDomainMonitor_CL.csv	Adds sample data for domain monitor custom logs.
Sample Data/Custom/CyjaxDataBreaches_CL.csv	Adds sample data for data breaches custom logs.
Sample Data/Custom/CyjaxAdHocEnrichment_CL.csv	Adds sample data for ad hoc enrichment custom logs.
.script/tests/KqlvalidationsTests/CustomTables/CyjaxThreatIndicator.json	Adds KQL validation schema for the CyjaxThreatIndicator table/function output.
.script/tests/KqlvalidationsTests/CustomTables/CyjaxDomainMonitor_CL.json	Adds KQL validation schema for domain monitor custom log table.
.script/tests/KqlvalidationsTests/CustomTables/CyjaxDataBreaches_CL.json	Adds KQL validation schema for data breaches custom log table.
.script/tests/KqlvalidationsTests/CustomTables/CyjaxAdHocEnrichment_CL.json	Adds KQL validation schema for ad hoc enrichment custom log table.

[v-shukore]

Hi @devendra-chavda, please resolve kql validations failure. Thanks!

[devendra-chavda]

Hi @v-shukore,

We are using the column name Hash for ASimWebSession, ASimFileEvent, and ASimProcessEvent. We validated this field name against the parsers available here:
https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/ASimWebSession/Parsers
https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/ASimFileEvent/Parsers
https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/ASimProcessEvent/Parsers

The field exists in these parsers, and this same PR was previously passing. We only merged the latest master branch to resolve merge conflicts—no other changes were made after the previous successful run.

Could you please re-run the pipeline or suggest how we can resolve this failure?

Thanks.

[devendra-chavda]

Hi @v-shukore,

We are using the column name Hash for ASimWebSession, ASimFileEvent, and ASimProcessEvent. We validated this field name against the parsers available here: https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/ASimWebSession/Parsers https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/ASimFileEvent/Parsers https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/ASimProcessEvent/Parsers

The field exists in these parsers, and this same PR was previously passing. We only merged the latest master branch to resolve merge conflicts—no other changes were made after the previous successful run.

Could you please re-run the pipeline or suggest how we can resolve this failure?

Thanks.

Hi @v-shukore, Could you please help with this so we can proceed? Thanks!