Skip to content

feat(AbnormalSecurity): CCF connector v3.0.1 — MLA column parity#14124

Merged
v-atulyadav merged 5 commits into
Azure:masterfrom
anoopabsec:anoop/pr/abnormal-security-ccf
May 4, 2026
Merged

feat(AbnormalSecurity): CCF connector v3.0.1 — MLA column parity#14124
v-atulyadav merged 5 commits into
Azure:masterfrom
anoopabsec:anoop/pr/abnormal-security-ccf

Conversation

@anoopabsec

@anoopabsec anoopabsec commented Apr 23, 2026

Copy link
Copy Markdown

Summary

Updates the Abnormal Security Codeless Connector Framework (CCF) connector to v3.0.1, fixing table column naming to match the existing Microsoft Log Analytics connector output exactly.

Changes

  • Column rename: All abx_body_* columns renamed to abx_body_abx_body_* across all 9 event streams to match Log Analytics auto-expansion naming (wire format nests fields under abx_body.abx_body.*)
  • New columns: Added abx_body_abx_metadata_event_type_s, abx_body_abx_metadata_timestamp_s, abx_body_abx_metadata_trace_id_g to all tables and DCR KQL — matching what MLA auto-creates from abx_body.abx_metadata.*
  • Type fix: Changed abx_metadata_timestamp from datetime (_t) to string (_s) to match MLA column type
  • Package: Regenerated mainTemplate.json and 3.0.1.zip

Test Plan

  • Deployed updated schemas to anoop-test-ccf Azure Log Analytics workspace (centralindia)
  • Compared column names against Abnormal-sentinel (live MLA workspace) — THREAT_LOG and AUDIT_LOG columns now match
  • All 9 CCF tables verified with correct abx_body_abx_body_* column naming
  • DCR KQL updated to extract from abx_body.abx_body.* and abx_body.abx_metadata.* paths
  • Package regenerated: 3.0.1.zip, mainTemplate.json, createUiDefinition.json

Deploy Plan

No service deployment required. Schema changes take effect on next ARM deployment of the solution from Azure Marketplace or manual template deployment.

@anoopabsec anoopabsec requested review from a team as code owners April 23, 2026 12:38
@anoopabsec anoopabsec marked this pull request as draft April 23, 2026 12:52
@anoopabsec anoopabsec force-pushed the anoop/pr/abnormal-security-ccf branch from 616f682 to bf56b6d Compare April 23, 2026 13:59
@anoopabsec anoopabsec changed the title feat(AbnormalSecurity CCF): extract abx_metadata sub-fields as explicit table columns feat(AbnormalSecurity CCF): add full table schemas with typed columns and correct DCR transformKql Apr 23, 2026
…v3.0.1

- Updated all 9 table JSON schemas to correctly extract abx_body and abx_metadata
  fields into properly typed Log Analytics columns (_s, _t, _d, _b, _g suffixes)
- Updated DCR transformKql for all 9 streams to use correct abx_body.* field paths
- Added missing fields: audit_type/subtype/details (AuditLog), campaign_id/
  message_reported_time (AbuseMailbox), is_read (ThreatLog), and others
- VendorCase uses camelCase keys matching the source wire format
- AbuseMailbox metadata timestamp typed as _s (nanosecond precision)
- Bumped solution version 3.0.0 -> 3.0.1, regenerated mainTemplate.json,
  createUiDefinition.json, and Package/3.0.1.zip via createSolutionV3.ps1
- Updated ReleaseNotes.md with 3.0.1 entry

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@anoopabsec anoopabsec force-pushed the anoop/pr/abnormal-security-ccf branch from bf56b6d to e43c95f Compare April 24, 2026 03:43
@anoopabsec anoopabsec changed the title feat(AbnormalSecurity CCF): add full table schemas with typed columns and correct DCR transformKql feat(AbnormalSecurity): update CCF connector schemas, DCR, and package to v3.0.1 Apr 24, 2026
@anoopabsec anoopabsec changed the title feat(AbnormalSecurity): update CCF connector schemas, DCR, and package to v3.0.1 feat(AbnormalSecurity): CCF connector v3.0.2 — MLA column parity Apr 27, 2026
@anoopabsec anoopabsec force-pushed the anoop/pr/abnormal-security-ccf branch 2 times, most recently from b9a186b to 88e2c67 Compare April 27, 2026 10:38
@anoopabsec anoopabsec changed the title feat(AbnormalSecurity): CCF connector v3.0.2 — MLA column parity feat(AbnormalSecurity): CCF connector v3.0.1 — MLA column parity Apr 27, 2026
@anoopabsec anoopabsec marked this pull request as ready for review April 27, 2026 11:34
@anoopabsec

Copy link
Copy Markdown
Author

@v-shukore Can you review this on priority?

- Rename all abx_body_* columns to abx_body_abx_body_* across all 9 tables and DCR KQL
- Fix _g suffix columns from string to guid type to match MLA
- Fix abx_metadata_timestamp from datetime (_t) to string (_s)
- Add abx_body_abx_metadata_* columns to all tables and DCR KQL
- Fix DCR KQL extraction paths to abx_body.abx_body.* and abx_body.abx_metadata.*
- Regenerate mainTemplate.json and 3.0.1.zip

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@anoopabsec anoopabsec force-pushed the anoop/pr/abnormal-security-ccf branch from bc83780 to 99e70ef Compare April 29, 2026 08:25
@anoopabsec

Copy link
Copy Markdown
Author

This PR is ready for review. Please take a look when you get a chance. Happy to answer any questions or make changes based on feedback. Thanks!

@VladDubrovskis

Copy link
Copy Markdown

@v-shukore bump please! we appreciate your support on this but with the Azure Data Connector deprecation fast approaching we would like to move this forward for our customers

@v-shukore v-shukore requested a review from Copilot May 4, 2026 04:55

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Aligns the AbnormalSecurity CCF connector schema with the existing Log Analytics output by updating projected columns/metadata and refreshing the solution’s packaged artifacts and version metadata.

Changes:

  • Renames and adds projected connector columns to match MLA naming/type behavior across the AbnormalSecurity CCF streams.
  • Regenerates table definitions, DCR transforms, sample payloads, and packaged ARM artifacts for the updated schema.
  • Updates solution versioning and release notes for the connector/schema refresh.

Reviewed changes

Copilot reviewed 22 out of 23 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
Solutions/AbnormalSecurity/ReleaseNotes.md Adds a new release note entry describing the schema/DCR parity update.
Solutions/AbnormalSecurity/Package/mainTemplate.json Regenerates packaged template content with updated versions, table schemas, and DCR transforms.
Solutions/AbnormalSecurity/Data/Solution_AbnormalSecurity.json Bumps the solution manifest version.
Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/Sample Data/AbnormalSecurityLogs_CL.json Updates generic sample metadata fields.
Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/Sample Data/ABNORMAL_SECURITY_VENDOR_CASE_CL.json Updates vendor-case sample metadata fields.
Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/Sample Data/ABNORMAL_SECURITY_THREAT_LOG_CL.json Updates threat-log sample metadata fields.
Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/Sample Data/ABNORMAL_SECURITY_REMEDIATION_CL.json Updates remediation sample metadata fields.
Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/Sample Data/ABNORMAL_SECURITY_POSTURE_CHANGE_CL.json Updates posture-change sample metadata fields.
Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/Sample Data/ABNORMAL_SECURITY_CASE_CL.json Updates case sample metadata formatting/fields.
Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/Sample Data/ABNORMAL_SECURITY_AUDIT_LOG_CL.json Updates audit-log sample metadata fields.
Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/Sample Data/ABNORMAL_SECURITY_ATO_CASE_CL.json Updates ATO-case sample metadata fields.
Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/Sample Data/ABNORMAL_SECURITY_ABUSE_MAILBOX_CL.json Updates abuse-mailbox sample metadata fields.
Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_table_VendorCase.json Expands vendor-case table schema for MLA parity.
Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_table_ThreatLog.json Expands threat-log table schema for MLA parity.
Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_table_Remediation.json Expands remediation table schema for MLA parity.
Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_table_PostureChange.json Expands posture-change table schema for MLA parity.
Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_table_Case.json Expands case table schema for MLA parity.
Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_table_AuditLog.json Expands audit-log table schema for MLA parity.
Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_table_AtoCase.json Expands ATO-case table schema for MLA parity.
Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_table_AbuseMailbox.json Expands abuse-mailbox table schema for MLA parity.
Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_table_AbnormalSecurityLogs.json Renames and expands the generic fallback table schema.
Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_CCF/AbnormalSecurity_DCR.json Updates DCR projections to emit the renamed/new parity columns.

Comment thread Solutions/AbnormalSecurity/Data/Solution_AbnormalSecurity.json
@@ -1,4 +1,5 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|--------------------------------------------------------------------------------|
| 3.0.1 | 27-04-2026 | Updated CCF table schemas and DCR transformKql for full MLA column parity: renamed abx_body_* columns to abx_body_abx_body_*, added abx_body_abx_metadata_* columns across all 9 streams, fixed abx_metadata_timestamp type from datetime to string. |

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The previous version hasn't been released yet. We are aligning it with our previous connector (Microsoft Log Analytics)

Comment thread Solutions/AbnormalSecurity/Data/Solution_AbnormalSecurity.json
@v-shukore

Copy link
Copy Markdown
Contributor

Hi @anoopabsec, please apply suggestions provided by the copilot as reviewer and make sure inside zip and outside zip maintemplate and createui files should be same. Thanks!

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@anoopabsec

anoopabsec commented May 4, 2026

Copy link
Copy Markdown
Author

@v-shukore Addressed the two Copilot review comments — fixed TemplateSpec to false and updated the PR description to consistently reference v3.0.1. This PR is ready for review.

Anoop Kumar Sharma and others added 2 commits May 4, 2026 10:53
…n ThreatLog

- Rename abx_body_abx_message_id_d, abx_body_abx_message_id_str_s,
  abx_body_abx_portal_url_s to abx_body_abx_body_* in table schema and DCR KQL
- Revert TemplateSpec to true (false breaks CCF packaging; Jamf Protect 3.3.0 also uses true)
- Update mainTemplate.json and 3.0.1.zip

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…ables

MLA getschema reports _g columns as string type. Declaring them as guid
in CCF would break union queries between MLA and CCF tables and cause
type mismatches in getschema for customers migrating between connectors.
Changed all 21 guid-typed columns to string in table schemas and
mainTemplate.json, rebuilt 3.0.1.zip.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@v-atulyadav v-atulyadav merged commit 003bda3 into Azure:master May 4, 2026
33 of 34 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants