Orca Security Alerts: add Microsoft Entra ID (Push CCF) data connector#14545

Merged

v-dvedak merged 11 commits into Azure:master from viktor-orca:INTG-4798_sentinel-entra-id-push-connector on Jul 3, 2026

Conversation

@viktor-orca

Contributor

Summary

Adds a new Microsoft Entra ID based data connector for the Orca Security Alerts solution and bumps the solution to v3.0.0.

The new connector is a Push CCF connector: Orca pushes alerts to the Azure Monitor Logs Ingestion API via a Data Collection Endpoint (DCE) / Data Collection Rule (DCR), authenticating with a Microsoft Entra ID application instead of the deprecated HTTP Data Collector API Shared Key.

Changes

  • New connector under Data Connectors/OrcaSecurityAlertsCCF/:
    • connectorDefinition.json — Customizable UI with the Entra ID deploy flow (DCE/DCR/table/app + role assignment).
    • dataConnector.json (kind: Push).
    • DCR.json (Custom-OrcaSecurityAlerts stream + transform into OrcaAlerts_CL).
    • table_orcaalerts.json (OrcaAlerts_CL table schema).
  • Backward compatibility: the legacy Shared Key based connector is retained. Both connectors ingest into the same OrcaAlerts_CL table.
  • Updated connector logo (Logos/OrcaSecurity.svg).
  • Regenerated solution package (mainTemplate.json, createUiDefinition.json, 3.0.0.zip, testParameters.json) via the V3 packaging tool.
  • Added ReleaseNotes.md and registered the new table columns for KQL validation.

Validation

  • Package generated with the V3 tool; ARM-TTK passes except the documented-ignorable contentProductId/id ("Ids should be derived from ResourceIds") check for CCF connectors.
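The push flow the description outlines (Entra ID application credential, DCE/DCR, Logs Ingestion API), written out as an added example that is not part of the PR or of Orca's connector; the tenant, application, DCE and DCR values are placeholders and the sample alert is constructed:

```python
"""Push side of the Entra ID (CCF) connector as plain HTTP, so it runs without the
Azure SDK. Added example, not Orca's or the Azure-Sentinel repo's code; the tenant,
app, DCE and DCR values are placeholders and the alert record is constructed."""
import json
import urllib.parse
import urllib.request

TOKEN_SCOPE = "https://monitor.azure.com/.default"  # audience for the Logs Ingestion API
MAX_BODY_BYTES = 1_000_000  # the Logs Ingestion API accepts at most 1 MB per request
STREAM = "Custom-OrcaSecurityAlerts"  # input stream declared in the DCR

def token_request(tenant_id: str, client_id: str, client_secret: str) -> urllib.request.Request:
    """OAuth2 client-credentials request for the Microsoft Entra ID application."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": TOKEN_SCOPE}
    return urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST")

def ingestion_request(dce: str, dcr_immutable_id: str, token: str,
                      alerts: list[dict]) -> urllib.request.Request:
    """POST one batch of alert records to the DCR input stream through the DCE."""
    body = json.dumps(alerts).encode()  # the API requires a JSON array of records
    if len(body) > MAX_BODY_BYTES:
        raise ValueError(f"batch is {len(body)} bytes; split it to stay under {MAX_BODY_BYTES}")
    url = f"{dce}/dataCollectionRules/{dcr_immutable_id}/streams/{STREAM}?api-version=2023-01-01"
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    return urllib.request.Request(url, data=body, headers=headers, method="POST")

def push_alerts(tenant_id, client_id, client_secret, dce, dcr_immutable_id, alerts) -> int:
    """Exchange the app credential for a token, then upload; 204 means accepted."""
    with urllib.request.urlopen(token_request(tenant_id, client_id, client_secret)) as resp:
        token = json.load(resp)["access_token"]
    with urllib.request.urlopen(ingestion_request(dce, dcr_immutable_id, token, alerts)) as resp:
        return resp.status

# Constructed sample alert in the raw shape that the DCR transform folds into OrcaAlerts_CL.
SAMPLE_ALERT = {"time": "2026-06-23T12:30:00Z", "alert_id": "orca-0001",
                "type": "iam_weak_policy", "asset_type": "role", "orca_score": 3}

if __name__ == "__main__":  # placeholders: replace with the deployed connector's values
    print("ingestion status:", push_alerts(
        "<tenant-id>", "<app-client-id>", "<app-client-secret>",
        "https://<dce-name>.<region>-1.ingest.monitor.azure.com", "dcr-<immutable-id>",
        [SAMPLE_ALERT]))
```

The application only needs the Monitoring Metrics Publisher role on the DCR, which is the least-privilege assignment the connector's deploy flow sets up.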

Add a new Push CCF data connector for Orca Security Alerts that
authenticates via a Microsoft Entra ID application and ingests alerts
through the Azure Monitor Logs Ingestion API (DCE/DCR) into the existing
OrcaAlerts_CL table, replacing reliance on the deprecated HTTP Data
Collector API Shared Key auth.

- Add connectorDefinition.json (Customizable UI, Entra ID deploy flow),
  dataConnector.json (kind: Push), DCR.json and table_orcaalerts.json.
- Retain the legacy Shared Key based connector for backward compatibility;
  both connectors ingest into the same OrcaAlerts_CL table.
- Update the connector logo (Logos/OrcaSecurity.svg).
- Regenerate solution package (mainTemplate.json, createUiDefinition.json,
  3.0.0.zip, testParameters.json); bump solution version to 3.0.0.
- Add ReleaseNotes.md and register new table columns for KQL validation.

Copilot AI left a comment

Contributor


Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Adds a new Microsoft Entra ID (Push CCF) data connector for the Orca Security Alerts solution and bumps the solution package to v3.0.0.

Changes:

  • Introduces a new customizable Push CCF connector (connector definition + push data connector + DCR + custom table schema).
  • Regenerates the solution package artifacts (ARM templates, UI definition, test parameters) for v3 packaging/content templates.
  • Updates solution metadata and KQL validation schema for the OrcaAlerts_CL table.

Reviewed changes

Copilot reviewed 10 out of 12 changed files in this pull request and generated 10 comments.

| File | Description |
|---|---|
| Solutions/Orca Security Alerts/ReleaseNotes.md | Adds release notes entry for v3.0.0 and the new Entra ID connector. |
| Solutions/Orca Security Alerts/Package/testParameters.json | Adds ARM test parameters needed for packaging/TTK. |
| Solutions/Orca Security Alerts/Package/mainTemplate.json | Regenerated solution deployment template; adds content templates and new Push CCF resources. |
| Solutions/Orca Security Alerts/Package/createUiDefinition.json | Updates install-time description and “Data Connectors”/“Workbooks” sections for two connectors. |
| Solutions/Orca Security Alerts/Data/Solution_ Orca Security Alerts.json | Bumps solution version, adds the new connector definition, updates description text. |
| Solutions/Orca Security Alerts/Data Connectors/OrcaSecurityAlertsCCF/table_orcaalerts.json | Adds the custom table schema for OrcaAlerts_CL. |
| Solutions/Orca Security Alerts/Data Connectors/OrcaSecurityAlertsCCF/dataConnector.json | Adds the Push data connector resource definition. |
| Solutions/Orca Security Alerts/Data Connectors/OrcaSecurityAlertsCCF/connectorDefinition.json | Adds the customizable connector UI + deployment instructions for Entra ID flow. |
| Solutions/Orca Security Alerts/Data Connectors/OrcaSecurityAlertsCCF/DCR.json | Adds a DCR stream declaration + transform into OrcaAlerts_CL. |
| .script/tests/KqlvalidationsTests/CustomTables/OrcaAlerts_CL.json | Registers new table columns for KQL validation. |

Comments suppressed due to low confidence (1)

Solutions/Orca Security Alerts/ReleaseNotes.md:1

  • The markdown table is malformed due to the leading || and leading spaces, which prevents correct rendering. Replace it with a standard markdown table (single leading | on each row) so release notes render properly in GitHub.
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |

Replace deprecated 'Cloud Security' domain with the valid
'Security - Cloud Security' in SolutionMetadata.json and regenerate the
package; fixes the SolutionValidations check.
- Make workbook KQL dual-schema (column_ifexists + coalesce/iff) so the
  Orca alerts overview works for both the legacy Shared Key connector
  (alert_id_s/asset_type_s/alert_type_s/time_t/score_d) and the new
  Entra ID Push connector (alert_id/asset_type/alert_type/time/orca_score).
- Fix typo analize -> analyze in workbook metadata.
- Align custom table apiVersion to stable 2022-10-01.
- Regenerate solution package.
@viktor-orca viktor-orca requested a review from a team as a code owner June 23, 2026 12:30
…iable

The DCR destination name used variables('suffix'), which the packaging
tool only defines when the solution contains other content (e.g. analytic
rules). For this connector-only solution 'suffix' was never defined,
causing 'template variable suffix is not found' at deployment.

Use a literal destination name (clv2ws1), matching other CCF connectors
(SentinelOne, AWS CloudFront, Feedly). Regenerate package.
Azure rejects custom-table columns named 'time' ('invalid or reserved').
The DCR already derives TimeGenerated from the incoming 'time' field, so:
- remove the 'time' column from the OrcaAlerts_CL table schema,
- project-away 'time' in the DCR transform (kept only in the input stream),
- update the workbook time query to coalesce legacy 'time_t' with TimeGenerated,
- drop 'time' from the KQL-validation custom table schema.

Found via a live deployment test (table creation failed otherwise).
Regenerate package.
'time' is a reserved KQL keyword, so the DCR transform failed to compile
(InvalidTransformQuery). Reference the incoming column via bracket notation
['time'] in todatetime() and project-away. Regenerate package.

Found via live deployment test.
DCR transformations support only a subset of KQL; coalesce() is not
available ('Runtime scalar function provider not found'). Use
iif(isnotnull(todatetime(['time'])), todatetime(['time']), now()) instead.
Regenerate package. Found via live deployment test.
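The four commit messages above describe DCR transform and table problems that surfaced only at live deployment. The following added example (not code from the PR or the Azure-Sentinel repo) checks a transform for those failure modes before deployment and emits a DCR resource in the shape the commits describe; the transform text, stream columns and DCR apiVersion are assumptions:

```python
"""Pre-deployment checks for a Push CCF DCR transform. Added example, not code from
the Azure-Sentinel repo or Orca; it encodes the failure modes the commit messages
above report. Transform text, column lists and the apiVersion are constructed."""
import re

UNSUPPORTED_FUNCS = {"coalesce"}        # 'Runtime scalar function provider not found'
RESERVED_KEYWORDS = {"time", "type"}    # must be written ['time'] / ['type'] in KQL
RESERVED_TABLE_COLUMNS = {"time"}       # Azure rejects this custom-table column name

# Constructed transform in the shape the commits describe (not the PR's exact text).
TRANSFORM_KQL = (
    "source "
    "| extend TimeGenerated = iif(isnotnull(todatetime(['time'])), todatetime(['time']), now()) "
    "| extend alert_type = iif(isempty(alert_type), tostring(['type']), alert_type) "
    "| project-away ['time'], ['type']"
)

def check_transform(kql: str) -> list[str]:
    """Return problems a DCR deployment would reject; empty list means clean."""
    problems = []
    for fn in sorted(UNSUPPORTED_FUNCS):
        if re.search(rf"\b{fn}\s*\(", kql):
            problems.append(f"unsupported function in DCR transform: {fn}()")
    for kw in sorted(RESERVED_KEYWORDS):
        # A bare keyword (not inside ['...'] and not part of a longer identifier)
        # fails to compile with InvalidTransformQuery.
        for m in re.finditer(rf"(?<![\w'\[]){kw}(?![\w'\]])", kql):
            problems.append(f"reserved keyword '{kw}' unquoted at offset {m.start()}")
    return problems

def check_table_columns(columns: list[str]) -> list[str]:
    """Return custom-table column names Azure refuses as 'invalid or reserved'."""
    return [c for c in columns if c.lower() in RESERVED_TABLE_COLUMNS]

def build_dcr(workspace_resource_id: str, kql: str = TRANSFORM_KQL) -> dict:
    """ARM resource for the DCR; the literal destination name 'clv2ws1' avoids the
    undefined variables('suffix') the commits describe."""
    problems = check_transform(kql)
    if problems:
        raise ValueError("transform would fail DCR compilation: " + "; ".join(problems))
    columns = [{"name": n, "type": t} for n, t in
               [("time", "datetime"), ("alert_id", "string"), ("type", "string"), ("alert_type", "string")]]
    return {"type": "Microsoft.Insights/dataCollectionRules", "apiVersion": "2022-06-01",
            "properties": {
                "streamDeclarations": {"Custom-OrcaSecurityAlerts": {"columns": columns}},
                "destinations": {"logAnalytics": [{"name": "clv2ws1",
                                                   "workspaceResourceId": workspace_resource_id}]},
                "dataFlows": [{"streams": ["Custom-OrcaSecurityAlerts"], "destinations": ["clv2ws1"],
                               "transformKql": kql, "outputStream": "Custom-OrcaAlerts_CL"}]}}
```

The checker is a static pre-flight only; a transform that passes it can still fail on other KQL that DCRs do not support, so a live deployment test as the commits describe remains the final gate.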
@v-maheshbh

Contributor

Hi @viktor-orca

Kindly accept the CLA to proceed further.
Additionally, the WorkbooksMetadata validation is failing with the following error:
File: Workbooks/WorkbooksMetadata.json
Error: Can't locate logo image file 'akamai-guardicore.svg' under the Workbooks/Images/Logos directory.

Please add the missing logo file in the specified location.

Thanks!

…bal typo edit

- DCR transform now accepts the raw serving_layer alert shape: 'type' and
  'asset_tags' are folded into alert_type / asset_tags_info_list (reserved
  keyword 'type' referenced as ['type']), so both curated and raw alert shapes
  populate these columns. Verified end-to-end on a live Azure workspace.
- Revert the earlier 'analize'->'analyze' edit in the global
  Workbooks/WorkbooksMetadata.json to keep this PR scoped to the Orca solution
  (file is now back to upstream).
- Regenerate package.
@viktor-orca

Contributor Author

Hi @v-maheshbh, thanks for the review!

WorkbooksMetadata validation: I've reverted my change to the global Workbooks/WorkbooksMetadata.json, so this PR no longer modifies that file (it now matches upstream). The akamai-guardicore.svg logo error is a pre-existing entry unrelated to the Orca solution — it was only surfaced because my PR previously touched that shared file. It should no longer be triggered by this PR.

CLA: I'll get the CLA signed shortly.

This PR is now scoped to the Solutions/Orca Security Alerts solution (data connector, DCR, table, package) plus the connector logo. Please let me know if anything else is needed.

@viktor-orca

Contributor Author

@microsoft-github-policy-service agree company="Orca Security"

@v-maheshbh

Contributor

Hi @viktor-orca

For the CCF connector, please ensure that all file names follow the required naming convention:
  • solutionName_ConnectorDefinition
  • solutionName_PollerConfig
  • solutionName_DCR
  • solutionName_Table (optional)
Kindly update the filenames accordingly.

Additionally, kindly attach a testing screenshot showing the CCF connector in a connected state for validation purposes.
Thanks!

- connectorDefinition.json -> OrcaSecurityAlerts_ConnectorDefinition.json
- dataConnector.json -> OrcaSecurityAlerts_PollerConfig.json
- DCR.json -> OrcaSecurityAlerts_DCR.json
- table_orcaalerts.json -> OrcaSecurityAlerts_Table.json
- Solution_ Orca Security Alerts.json -> Solution_Orca Security Alerts.json (remove leading space)

Update reference in Solution data file.
Reference the connector logo by the established OrcaSecurityLogo.svg
filename (with updated content) so both the legacy and the new Entra ID
(CCF) connector render the icon, and there is no window without an icon
regardless of logo-publish ordering. Rename Logos/OrcaSecurity.svg ->
Logos/OrcaSecurityLogo.svg, set logo in the CCF connector definition and
the solution logo reference, regenerate package.
@viktor-orca

Contributor Author

Hi @v-maheshbh, attaching the requested testing screenshot showing the data connector in a Connected state for validation.

(screenshot) The screenshot is from a test Microsoft Sentinel workspace where the solution was deployed and Orca alerts were ingested through the new **Orca Security Alerts (via Microsoft Entra ID)** connector (Logs Ingestion API → DCR → OrcaAlerts_CL). The connector page shows:

  • Status: **Connected**
  • Data received in the **OrcaAlerts_CL** table (graph + last data received)

Also addressed in this PR:

  • Renamed the CCF connector files to the required naming convention (OrcaSecurityAlerts_ConnectorDefinition.json,
    _PollerConfig.json, _DCR.json, _Table.json).
  • Fixed the connector logo reference to use the established OrcaSecurityLogo.svg filename so the icon renders for both connectors.

I've verified the connector end-to-end (Microsoft Entra ID auth → DCE/DCR → OrcaAlerts_CL). Please let me know if anything else is
needed for validation.

@viktor-orca

Contributor Author

Hi @v-maheshbh, just following up on this PR.

All the requested items have been addressed:

  • ✅ CLA accepted
  • ✅ CCF connector files renamed to the required naming convention (OrcaSecurityAlerts_ConnectorDefinition.json, _PollerConfig.json, _DCR.json, _Table.json)
  • ✅ Testing screenshot attached showing the connector in a Connected state
  • ✅ All validation checks are passing

Is there anything else required from our side to move this PR forward? Happy to provide any additional details.

Thanks!

Updated the `Solutions/Orca Security Alerts/ReleaseNotes.md` table formatting by replacing generic separator rows with fixed-width markdown separators and aligned cell spacing, without changing release note content.
@v-dvedak v-dvedak merged commit ee65f22 into Azure:master Jul 3, 2026
33 checks passed