[PuPr] - 42Crunch - Migration of docker container/analytic rules/workbook#14210

Merged
hassanchawiche merged 11 commits into Azure:master from Hector-Suarez:users/v-hector/42Crunch on May 29, 2026
Conversation

@Hector-Suarez
Contributor

@Hector-Suarez Hector-Suarez commented May 5, 2026

Required items, please complete

Change(s):

  • Updated all 11 Analytic Rules to use the new CCF Push Connector schema: renamed table (apifirewall_log_1_CL → FortyTwoCrunchAPIProtectionV2_CL), updated column names from legacy type-suffixed format to PascalCase, and corrected connectorId to FortyTwoCrunchAPIProtection
  • Updated Workbook (42CrunchAPIProtectionWorkbook.json) to reference the new table and column names
  • Added Migration_Guide.md with step-by-step instructions for migrating from the legacy HTTP Data Collector API to the CCF Push Connector
  • Added sample-deployment/ with a working Docker Compose stack (ccf-forwarder replacing 42c-fw-2la) for E2E validation
  • Bumped solution package to version 3.0.1 (mainTemplate.json, createUiDefinition.json, 3.0.1.zip)

Reason for Change(s):

  • The legacy HTTP Data Collector API (Workspace ID + Primary Key / HMAC-SHA256) is deprecated. This PR migrates the 42Crunch API Protection solution to the current CCF Push Connector model (OAuth2 Entra ID + DCE/DCR), which has been end-to-end validated with data flowing correctly into FortyTwoCrunchAPIProtectionV2_CL

Version Updated:

  • Yes — all 11 Analytic Rules updated; solution package bumped from 3.0.0 to 3.0.1

Testing Completed:

  • Yes — end-to-end tested in a Microsoft Sentinel environment. Data confirmed flowing into FortyTwoCrunchAPIProtectionV2_CL. All 11 analytic rules validated against the new schema. ARM-TTK validations passed (48/49; 1 known false-positive on contentProductId common to all Sentinel solutions).
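The two halves of the migration described above, the column rename and the DCE/DCR push, as an added example that is not the PR's ccf-forwarder: the rename rule (drop the legacy Log Analytics type suffix, then snake_case to PascalCase), the sample record's column names and the DCE, DCR and tenant values are assumptions or labelled placeholders; only the table name comes from the PR.

```python
import json
import re
import urllib.parse
import urllib.request

# Table name from the PR; the stream for a custom table is "Custom-<table>".
TABLE = "FortyTwoCrunchAPIProtectionV2_CL"
STREAM = f"Custom-{TABLE}"
# Legacy HTTP Data Collector API type suffixes (_s string, _d double, _b bool, _g guid, _t datetime).
TYPE_SUFFIX = re.compile(r"_(s|d|b|g|t)$")

def legacy_to_pascal(name: str) -> str:
    """Assumed rename rule: drop the type suffix, then snake_case -> PascalCase."""
    base = TYPE_SUFFIX.sub("", name)
    return "".join(p[:1].upper() + p[1:] for p in base.split("_") if p)

def convert_record(legacy: dict) -> dict:
    """Map one legacy-schema record to the PascalCase columns of the new table."""
    return {legacy_to_pascal(k): v for k, v in legacy.items()}

def build_ingest_request(dce_endpoint: str, dcr_immutable_id: str, token: str, records: list):
    """Logs Ingestion API request: DCE + DCR immutable id + stream, OAuth2 bearer token."""
    url = (f"{dce_endpoint.rstrip('/')}/dataCollectionRules/{dcr_immutable_id}"
           f"/streams/{STREAM}?api-version=2023-01-01")
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    return url, headers, json.dumps(records).encode()

def get_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Entra ID client-credentials token for the Azure Monitor ingestion scope (network call)."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials", "client_id": client_id,
        "client_secret": client_secret, "scope": "https://monitor.azure.com/.default",
    }).encode()
    req = urllib.request.Request(
        f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token", data=form)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]

def push(dce_endpoint: str, dcr_immutable_id: str, token: str, legacy_records: list) -> int:
    """Convert and POST a batch; the Logs Ingestion API answers 204 on success (network call)."""
    url, headers, body = build_ingest_request(
        dce_endpoint, dcr_immutable_id, token, [convert_record(r) for r in legacy_records])
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status

# Constructed sample record in the legacy type-suffixed shape (not real 42Crunch Guardian output).
SAMPLE_LEGACY = {"TimeGenerated": "2026-05-05T20:15:00Z", "client_ip_s": "203.0.113.10",
                 "request_path_s": "/api/login", "status_code_d": 401, "is_blocked_b": True}
```

The DCR referenced by `dcr_immutable_id` must declare the `Custom-FortyTwoCrunchAPIProtectionV2_CL` stream with the PascalCase columns, and the app registration needs the Monitoring Metrics Publisher role on that DCR, otherwise the POST is rejected before any data lands in the table.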

@Hector-Suarez Hector-Suarez requested review from a team as code owners May 5, 2026 20:15
@v-maheshbh v-maheshbh added Analytic Rules Solution Solution specialty review needed labels May 6, 2026
@v-shukore v-shukore assigned v-maheshbh and unassigned v-shukore May 6, 2026
@v-maheshbh v-maheshbh requested a review from Copilot May 7, 2026 05:17

Copilot AI left a comment


Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Migrates the 42Crunch API Protection solution from the legacy HTTP Data Collector ingestion model to the CCF Push Connector model by updating solution content to the new table/column schema and providing a sample forwarder deployment path.

Changes:

  • Updated analytic rules and workbook queries to use FortyTwoCrunchAPIProtectionV2_CL and PascalCase columns.
  • Added a sample Docker Compose deployment and a Python-based ccf-forwarder to push logs to Azure Monitor using DCE/DCR + OAuth2.
  • Updated solution release notes and solution data versioning to reflect the migration.

Reviewed changes

Copilot reviewed 21 out of 23 changed files in this pull request and generated 10 comments.

File | Description
Solutions/42Crunch API Protection/sample-deployment/docker-compose.yml | Adds a sample stack using ccf-forwarder to ingest Guardian logs via CCF push.
Solutions/42Crunch API Protection/sample-deployment/ccf-forwarder/requirements.txt | Defines the Python dependency set for the forwarder image.
Solutions/42Crunch API Protection/sample-deployment/ccf-forwarder/forwarder.py | Implements log tailing + DCE/DCR ingestion for Guardian transaction logs.
Solutions/42Crunch API Protection/sample-deployment/ccf-forwarder/Dockerfile | Containerizes the forwarder for the sample deployment.
Solutions/42Crunch API Protection/sample-deployment/.env.example | Provides example environment variable configuration for the sample stack.
Solutions/42Crunch API Protection/Workbooks/42CrunchAPIProtectionWorkbook.json | Updates workbook queries to the new table/column schema.
Solutions/42Crunch API Protection/ReleaseNotes.md | Documents the migration changes in a new release entry.
Solutions/42Crunch API Protection/Package/createUiDefinition.json | Skipped (Package path is ignored for review).
Solutions/42Crunch API Protection/Migration_Guide.md | Adds step-by-step migration documentation for customers.
Solutions/42Crunch API Protection/Data/Solution_42CrunchAPIProtection.json | Updates solution version metadata for the new release.
Solutions/42Crunch API Protection/Analytic Rules/APISuspiciousLogin.yaml | Updates rule to new table/columns and new connectorId.
Solutions/42Crunch API Protection/Analytic Rules/APIRateLimiting.yaml | Updates rule to new table/columns and new connectorId.
Solutions/42Crunch API Protection/Analytic Rules/APIPasswordCracking.yaml | Updates rule to new table/columns and new connectorId.
Solutions/42Crunch API Protection/Analytic Rules/APIKiterunnerDetection.yaml | Updates rule to new table/columns and new connectorId.
Solutions/42Crunch API Protection/Analytic Rules/APIJWTValidation.yaml | Updates rule to new table/columns and new connectorId.
Solutions/42Crunch API Protection/Analytic Rules/APIInvalidHostAccess.yaml | Updates rule to new table/columns and new connectorId.
Solutions/42Crunch API Protection/Analytic Rules/APIFirstTimeAccess.yaml | Updates rule to new table/columns and new connectorId.
Solutions/42Crunch API Protection/Analytic Rules/APIBOLA.yaml | Updates rule to new table/columns and new connectorId.
Solutions/42Crunch API Protection/Analytic Rules/APIAnomalyDetection.yaml | Updates rule to new table/columns and new connectorId.
Solutions/42Crunch API Protection/Analytic Rules/APIAccountTakeover.yaml | Updates rule to new table/columns and new connectorId.
Solutions/42Crunch API Protection/Analytic Rules/APIAPIScaping.yaml | Updates rule to new table/columns and new connectorId.

@v-maheshbh
Contributor

Hi @Hector-Suarez

Kindly review the above comments and address the required changes accordingly.

Thanks!

@Hector-Suarez
Contributor Author

@microsoft-github-policy-service agree company="Microsoft"

@Hector-Suarez Hector-Suarez requested a review from a team as a code owner May 13, 2026 23:55
@v-maheshbh
Contributor

Hi @Hector-Suarez

Kindly resolve the branch conflict.

Thanks!

@Hector-Suarez Hector-Suarez requested a review from artafres May 19, 2026 17:06
@Hector-Suarez Hector-Suarez requested a review from a team as a code owner May 26, 2026 01:44
@v-maheshbh
Contributor

Hi @Hector-Suarez

Kindly ensure all CCF files follow the naming convention (SolutionName_ConnectorDefinition, SolutionName_PollerConfig, SolutionName_DCR) and that the file name prefix matches the solution name consistently. Also, kindly attach a testing screenshot showing the CCF connector successfully connected.

Thanks!

@hassanchawiche hassanchawiche merged commit 903e86e into Azure:master May 29, 2026
36 checks passed