Orca Security Alerts: add Microsoft Entra ID (Push CCF) data connector#14545
Add a new Push CCF data connector for Orca Security Alerts that authenticates via a Microsoft Entra ID application and ingests alerts through the Azure Monitor Logs Ingestion API (DCE/DCR) into the existing OrcaAlerts_CL table, replacing reliance on the deprecated HTTP Data Collector API Shared Key auth.
- Add connectorDefinition.json (Customizable UI, Entra ID deploy flow), dataConnector.json (kind: Push), DCR.json and table_orcaalerts.json.
- Retain the legacy Shared Key based connector for backward compatibility; both connectors ingest into the same OrcaAlerts_CL table.
- Update the connector logo (Logos/OrcaSecurity.svg).
- Regenerate solution package (mainTemplate.json, createUiDefinition.json, 3.0.0.zip, testParameters.json); bump solution version to 3.0.0.
- Add ReleaseNotes.md and register new table columns for KQL validation.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Adds a new Microsoft Entra ID (Push CCF) data connector for the Orca Security Alerts solution and bumps the solution package to v3.0.0.
Changes:
- Introduces a new customizable Push CCF connector (connector definition + push data connector + DCR + custom table schema).
- Regenerates the solution package artifacts (ARM templates, UI definition, test parameters) for v3 packaging/content templates.
- Updates solution metadata and KQL validation schema for the OrcaAlerts_CL table.
Reviewed changes
Copilot reviewed 10 out of 12 changed files in this pull request and generated 10 comments.
| File | Description |
|---|---|
| Solutions/Orca Security Alerts/ReleaseNotes.md | Adds release notes entry for v3.0.0 and the new Entra ID connector. |
| Solutions/Orca Security Alerts/Package/testParameters.json | Adds ARM test parameters needed for packaging/TTK. |
| Solutions/Orca Security Alerts/Package/mainTemplate.json | Regenerated solution deployment template; adds content templates and new Push CCF resources. |
| Solutions/Orca Security Alerts/Package/createUiDefinition.json | Updates install-time description and “Data Connectors”/“Workbooks” sections for two connectors. |
| Solutions/Orca Security Alerts/Data/Solution_ Orca Security Alerts.json | Bumps solution version, adds the new connector definition, updates description text. |
| Solutions/Orca Security Alerts/Data Connectors/OrcaSecurityAlertsCCF/table_orcaalerts.json | Adds the custom table schema for OrcaAlerts_CL. |
| Solutions/Orca Security Alerts/Data Connectors/OrcaSecurityAlertsCCF/dataConnector.json | Adds the Push data connector resource definition. |
| Solutions/Orca Security Alerts/Data Connectors/OrcaSecurityAlertsCCF/connectorDefinition.json | Adds the customizable connector UI + deployment instructions for Entra ID flow. |
| Solutions/Orca Security Alerts/Data Connectors/OrcaSecurityAlertsCCF/DCR.json | Adds a DCR stream declaration + transform into OrcaAlerts_CL. |
| .script/tests/KqlvalidationsTests/CustomTables/OrcaAlerts_CL.json | Registers new table columns for KQL validation. |
Comments suppressed due to low confidence (1)
Solutions/Orca Security Alerts/ReleaseNotes.md:1
- The markdown table is malformed due to the leading `||` and leading spaces, which prevents correct rendering. Replace it with a standard markdown table (single leading `|` on each row) so release notes render properly in GitHub.
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
Replace deprecated 'Cloud Security' domain with the valid 'Security - Cloud Security' in SolutionMetadata.json and regenerate the package; fixes the SolutionValidations check.
- Make workbook KQL dual-schema (column_ifexists + coalesce/iff) so the Orca alerts overview works for both the legacy Shared Key connector (alert_id_s/asset_type_s/alert_type_s/time_t/score_d) and the new Entra ID Push connector (alert_id/asset_type/alert_type/time/orca_score).
- Fix typo analize -> analyze in workbook metadata.
- Align custom table apiVersion to stable 2022-10-01.
- Regenerate solution package.
…iable
The DCR destination name used variables('suffix'), which the packaging
tool only defines when the solution contains other content (e.g. analytic
rules). For this connector-only solution 'suffix' was never defined,
causing 'template variable suffix is not found' at deployment.
Use a literal destination name (clv2ws1), matching other CCF connectors
(SentinelOne, AWS CloudFront, Feedly). Regenerate package.
Azure rejects custom-table columns named 'time' ('invalid or reserved').
The DCR already derives TimeGenerated from the incoming 'time' field, so:
- remove the 'time' column from the OrcaAlerts_CL table schema,
- project-away 'time' in the DCR transform (kept only in the input stream),
- update the workbook time query to coalesce legacy 'time_t' with TimeGenerated,
- drop 'time' from the KQL-validation custom table schema.
Found via a live deployment test (table creation failed otherwise).
Regenerate package.
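A workbook query written the dual-schema way the commits above describe (column_ifexists plus coalesce, legacy time_t coalesced with TimeGenerated). This is an added example, not the PR's own workbook JSON; the column types (strings, real scores, datetime time_t) are assumptions.

```kusto
// Added example: one overview query that works for rows from either connector.
// Legacy Shared Key rows carry typed suffixes (alert_id_s, score_d, time_t);
// Entra ID Push rows carry plain names (alert_id, orca_score) and get their
// event time mapped into TimeGenerated by the DCR.
// column_ifexists() returns the default when a column is absent, so the query
// still compiles on a workspace that has only ever seen one of the connectors.
OrcaAlerts_CL
| extend
    AlertId   = coalesce(column_ifexists("alert_id", ""),   column_ifexists("alert_id_s", "")),
    AssetType = coalesce(column_ifexists("asset_type", ""), column_ifexists("asset_type_s", "")),
    AlertType = coalesce(column_ifexists("alert_type", ""), column_ifexists("alert_type_s", "")),
    // assumed: orca_score and score_d are both numeric (real) columns
    Score     = coalesce(column_ifexists("orca_score", real(null)), column_ifexists("score_d", real(null))),
    // legacy rows keep their own event time in time_t; Push rows rely on TimeGenerated
    EventTime = coalesce(column_ifexists("time_t", datetime(null)), TimeGenerated)
| where isnotempty(AlertId)
| summarize Alerts = count(), MaxScore = max(Score) by AssetType, AlertType, bin(EventTime, 1d)
| order by EventTime desc
```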
'time' is a reserved KQL keyword, so the DCR transform failed to compile (InvalidTransformQuery). Reference the incoming column via bracket notation ['time'] in todatetime() and project-away. Regenerate package. Found via live deployment test.
DCR transformations support only a subset of KQL; coalesce() is not
available ('Runtime scalar function provider not found'). Use
iif(isnotnull(todatetime(['time'])), todatetime(['time']), now()) instead.
Regenerate package. Found via live deployment test.
Hi @viktor-orca, kindly accept the CLA to proceed further. Please add the missing logo file in the specified location. Thanks!
…bal typo edit
- DCR transform now accepts the raw serving_layer alert shape: 'type' and 'asset_tags' are folded into alert_type / asset_tags_info_list (reserved keyword 'type' referenced as ['type']), so both curated and raw alert shapes populate these columns. Verified end-to-end on a live Azure workspace.
- Revert the earlier 'analize'->'analyze' edit in the global Workbooks/WorkbooksMetadata.json to keep this PR scoped to the Orca solution (file is now back to upstream).
- Regenerate package.
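The DCR transformKql the last few commits converge on, assembled as an added example (not the PR's DCR.json): bracket notation for the reserved 'time' and 'type' names, iif() in place of the unavailable coalesce(), folding of raw fields into the curated columns, and project-away of 'time' so the output matches the OrcaAlerts_CL schema. It assumes the Custom-OrcaSecurityAlerts stream declares time, type, asset_tags, alert_type and asset_tags_info_list, with asset_tags and asset_tags_info_list of the same (dynamic) type.

```kusto
// Added example of a DCR transform for the Custom-OrcaSecurityAlerts stream.
// Assumed stream declaration: time (string), type (string), alert_type (string),
// asset_tags (dynamic), asset_tags_info_list (dynamic), plus the other alert fields.
source
// 'time' is a reserved KQL word, so it must be referenced as ['time'].
// DCR transforms expose only a KQL subset (no coalesce()), so use iif():
// a missing or unparsable timestamp falls back to ingestion time.
| extend TimeGenerated = iif(isnotnull(todatetime(['time'])), todatetime(['time']), now())
// Raw serving_layer alerts carry 'type' and 'asset_tags'; curated alerts carry
// alert_type and asset_tags_info_list. Fold the raw names into the curated
// columns so both shapes populate the same table columns. 'type' is reserved too.
| extend alert_type = iif(isnotempty(alert_type), alert_type, tostring(['type']))
| extend asset_tags_info_list = iif(isnotnull(asset_tags_info_list), asset_tags_info_list, asset_tags)
// Azure rejects a custom-table column named 'time' ('invalid or reserved'), and
// the raw-only fields have no target column, so drop them before output.
| project-away ['time'], ['type'], asset_tags
```

Every column surviving the transform must exist in the OrcaAlerts_CL table definition, otherwise the DCR deployment fails validation rather than silently dropping data.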
Hi @v-maheshbh, thanks for the review!
- WorkbooksMetadata validation: I've reverted my change to the global
- CLA: I'll get the CLA signed shortly.
This PR is now scoped to the
@microsoft-github-policy-service agree company="Orca Security"
Hi @viktor-orca, for the CCF connector, please ensure that all file names follow the required naming convention:
- connectorDefinition.json -> OrcaSecurityAlerts_ConnectorDefinition.json
- dataConnector.json -> OrcaSecurityAlerts_PollerConfig.json
- DCR.json -> OrcaSecurityAlerts_DCR.json
- table_orcaalerts.json -> OrcaSecurityAlerts_Table.json
- Solution_ Orca Security Alerts.json -> Solution_Orca Security Alerts.json (remove leading space)
Update the reference in the Solution data file.
Reference the connector logo by the established OrcaSecurityLogo.svg filename (with updated content) so both the legacy and the new Entra ID (CCF) connector render the icon, and there is no window without an icon regardless of logo-publish ordering. Rename Logos/OrcaSecurity.svg -> Logos/OrcaSecurityLogo.svg, set logo in the CCF connector definition and the solution logo reference, regenerate package.
Hi @v-maheshbh, attaching the requested testing screenshot showing the data connector in a Connected state for validation.
The screenshot is from a test Microsoft Sentinel workspace where the solution was deployed and Orca alerts were ingested through the
new **Orca Security Alerts (via Microsoft Entra ID)** connector (Logs Ingestion API → DCR → OrcaAlerts_CL). The connector page
shows:
- Status: **Connected**
- Data received in the **OrcaAlerts_CL** table (graph + last data received)
Also addressed in this PR:
I've verified the connector end-to-end (Microsoft Entra ID auth → DCE/DCR → OrcaAlerts_CL). Please let me know if anything else is
Hi @v-maheshbh, just following up on this PR. All the requested items have been addressed:
Is there anything else required from our side to move this PR forward? Happy to provide any additional details. Thanks!
Updated the `Solutions/Orca Security Alerts/ReleaseNotes.md` table formatting by replacing generic separator rows with fixed-width markdown separators and aligned cell spacing, without changing release note content.

Summary
Adds a new Microsoft Entra ID based data connector for the Orca Security Alerts solution and bumps the solution to v3.0.0.
The new connector is a Push CCF connector: Orca pushes alerts to the Azure Monitor Logs Ingestion API via a Data Collection Endpoint (DCE) / Data Collection Rule (DCR), authenticating with a Microsoft Entra ID application instead of the deprecated HTTP Data Collector API Shared Key.
Changes
- Data Connectors/OrcaSecurityAlertsCCF/:
  - connectorDefinition.json — Customizable UI with the Entra ID deploy flow (DCE/DCR/table/app + role assignment).
  - dataConnector.json — kind: Push.
  - DCR.json — Custom-OrcaSecurityAlerts stream + transform into OrcaAlerts_CL.
  - table_orcaalerts.json — OrcaAlerts_CL table schema.
- Retained the legacy Shared Key based connector for backward compatibility; both connectors ingest into the same OrcaAlerts_CL table.
- Updated the connector logo (Logos/OrcaSecurity.svg).
- Regenerated the solution package (mainTemplate.json, createUiDefinition.json, 3.0.0.zip, testParameters.json) via the V3 packaging tool.
- Added ReleaseNotes.md and registered the new table columns for KQL validation.
Validation
- contentProductId/id ("Ids should be derived from ResourceIds") check for CCF connectors.