Add OCI infrastructure content #14612
Open
KanenasCS wants to merge 4 commits into
Contributor
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Updates the Oracle Cloud Infrastructure solution package to v3.1.0 by optimizing CCF ingestion (smaller post-transform footprint), removing legacy Function App connector assets, and retargeting shipped content to OCI_LogsV2_CL / OracleCloudInfraConnector.
Changes:
- Rebuilt the CCF DCR transform and regenerated the `OCI_LogsV2_CL` table schema to remove duplicated/raw payload content and header noise.
- Removed deprecated Azure Function connector templates/assets; updated parser, analytic rules, hunting queries, and workbook notes to align with the CCF pipeline/table.
- Bumped solution + content versions and updated packaging UI/test parameters.
Reviewed changes
Copilot reviewed 39 out of 56 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| Solutions/Oracle Cloud Infrastructure/Workbooks/OracleCloudInfrastructureOCI.json | Updates workbook note about parser installation and normalizes query string content. |
| Solutions/Oracle Cloud Infrastructure/SolutionMetadata.json | Updates solution metadata (providers/support/author). |
| Solutions/Oracle Cloud Infrastructure/ReleaseNotes.md | Adds 3.1.0 release notes entry describing ingestion optimization and cleanup. |
| Solutions/Oracle Cloud Infrastructure/Parsers/OCILogs.yaml | Updates parser to v2-only against OCI_LogsV2_CL and derives event times from epoch fields. |
| Solutions/Oracle Cloud Infrastructure/Package/testParameters.json | Adds workbook name test parameter. |
| Solutions/Oracle Cloud Infrastructure/Package/createUiDefinition.json | Updates installer description counts; adds workbook section and updates connector references in text. |
| Solutions/Oracle Cloud Infrastructure/Hunting Queries/OCIUserUpdatedInstances.yaml | Retargets required connector + datatype to OracleCloudInfraConnector / OCI_LogsV2_CL. |
| Solutions/Oracle Cloud Infrastructure/Hunting Queries/OCIUserTerminatedInstances.yaml | Retargets required connector + datatype to OracleCloudInfraConnector / OCI_LogsV2_CL. |
| Solutions/Oracle Cloud Infrastructure/Hunting Queries/OCIUserSources.yaml | Retargets required connector + datatype to OracleCloudInfraConnector / OCI_LogsV2_CL. |
| Solutions/Oracle Cloud Infrastructure/Hunting Queries/OCIUserNewUsers.yaml | Retargets required connector + datatype to OracleCloudInfraConnector / OCI_LogsV2_CL. |
| Solutions/Oracle Cloud Infrastructure/Hunting Queries/OCIUserDeletedUsers.yaml | Retargets required connector + datatype to OracleCloudInfraConnector / OCI_LogsV2_CL. |
| Solutions/Oracle Cloud Infrastructure/Hunting Queries/OCIUserDeleteActions.yaml | Retargets required connector + datatype to OracleCloudInfraConnector / OCI_LogsV2_CL. |
| Solutions/Oracle Cloud Infrastructure/Hunting Queries/OCIUpdateActivities.yaml | Retargets required connector + datatype to OracleCloudInfraConnector / OCI_LogsV2_CL. |
| Solutions/Oracle Cloud Infrastructure/Hunting Queries/OCILaunchedInstances.yaml | Retargets required connector + datatype to OracleCloudInfraConnector / OCI_LogsV2_CL. |
| Solutions/Oracle Cloud Infrastructure/Hunting Queries/OCIDestinationsOut.yaml | Retargets required connector + datatype to OracleCloudInfraConnector / OCI_LogsV2_CL. |
| Solutions/Oracle Cloud Infrastructure/Hunting Queries/OCIDestinationsIn.yaml | Retargets required connector + datatype to OracleCloudInfraConnector / OCI_LogsV2_CL. |
| Solutions/Oracle Cloud Infrastructure/Data/Solution_OCILogs.json | Updates solution version and metadata, including BasePath/Author. |
| Solutions/Oracle Cloud Infrastructure/Data Connectors/requirements.txt | Removes legacy Function App requirements. |
| Solutions/Oracle Cloud Infrastructure/Data Connectors/proxies.json | Removes legacy Function App proxies config. |
| Solutions/Oracle Cloud Infrastructure/Data Connectors/host.json | Removes legacy Function App host configuration. |
| Solutions/Oracle Cloud Infrastructure/Data Connectors/azuredeploy_OCI_logs_API_FunctionApp.json | Removes legacy Function App ARM deployment template. |
| Solutions/Oracle Cloud Infrastructure/Data Connectors/Oracle_Cloud_Infrastructure_CCP/azuredeploy_OCI_DataConnector_poller_connector.json | Updates embedded DCR/table and connector strings; aligns embedded artifacts with optimized schema. |
| Solutions/Oracle Cloud Infrastructure/Data Connectors/Oracle_Cloud_Infrastructure_CCP/OCI_DataConnector_Table.json | Regenerates table schema to match optimized transform output (fewer columns). |
| Solutions/Oracle Cloud Infrastructure/Data Connectors/Oracle_Cloud_Infrastructure_CCP/OCI_DataConnector_DataConnectorDefinition.json | Updates connector definition metadata (publisher). |
| Solutions/Oracle Cloud Infrastructure/Data Connectors/Oracle_Cloud_Infrastructure_CCP/OCI_DataConnector_DCR.json | Rebuilds ingestion-time transform and output stream mapping. |
| Solutions/Oracle Cloud Infrastructure/Data Connectors/OCI_logs_API_FunctionApp.json | Removes deprecated connector definition JSON. |
| Solutions/Oracle Cloud Infrastructure/Data Connectors/AzureFunctionOCILogs/sentinel_connector.py | Removes legacy Function App implementation. |
| Solutions/Oracle Cloud Infrastructure/Data Connectors/AzureFunctionOCILogs/main.py | Removes legacy Function App implementation. |
| Solutions/Oracle Cloud Infrastructure/Data Connectors/AzureFunctionOCILogs/function.json | Removes legacy Function App binding definition. |
| Solutions/Oracle Cloud Infrastructure/Analytic Rules/OCIUnexpectedUserAgent.yaml | Retargets required connector+datatype and bumps rule version. |
| Solutions/Oracle Cloud Infrastructure/Analytic Rules/OCISSHScan.yaml | Retargets required connector+datatype and bumps rule version. |
| Solutions/Oracle Cloud Infrastructure/Analytic Rules/OCIMultipleRejects.yaml | Retargets required connector+datatype and bumps rule version. |
| Solutions/Oracle Cloud Infrastructure/Analytic Rules/OCIMultipleInstancesTerminated.yaml | Retargets required connector+datatype and bumps rule version. |
| Solutions/Oracle Cloud Infrastructure/Analytic Rules/OCIMultipleInstancesLaunched.yaml | Retargets required connector+datatype and bumps rule version. |
| Solutions/Oracle Cloud Infrastructure/Analytic Rules/OCIMetadataEndpointIpAccess.yaml | Retargets required connector+datatype and bumps rule version. |
| Solutions/Oracle Cloud Infrastructure/Analytic Rules/OCIInsecureMetadataEndpoint.yaml | Retargets required connector+datatype and bumps rule version. |
| Solutions/Oracle Cloud Infrastructure/Analytic Rules/OCIInboundSSHConnection.yaml | Retargets required connector+datatype and bumps rule version. |
| Solutions/Oracle Cloud Infrastructure/Analytic Rules/OCIEventRuleDeleted.yaml | Retargets required connector+datatype and bumps rule version. |
| Solutions/Oracle Cloud Infrastructure/Analytic Rules/OCIDiscoveryActivity.yaml | Retargets required connector+datatype and bumps rule version. |
added 3 commits
July 2, 2026 17:20
…ema validation test and update the OCI Data Connector DCR and poller connector templates to reflect the correct configuration. Also, update the main solution package and template to include the latest changes.
Required items, please complete
Change(s):
- `Data Connectors/Oracle_Cloud_Infrastructure_CCP/OCI_DataConnector_DCR.json`: rebuilt the DCR ingestion-time transform. The output no longer stores the `rawdata` and `oracle` dynamic payloads alongside their flattened columns, and drops HTTP request/response header noise, CloudEvents boilerplate (`dataschema_s`, `specversion_s`), duplicated fields (`time_t`, `id_s`, flow-log `data_source*`/`destination*` copies of the normalized `SrcIpAddr`/`DstIpAddr` set), credential-bearing request headers (`authorization`, `Cookie`, `opc_obo_token`, `auth_info`, `opc_principal`), and the `stateChange.current.keyValue` public-key blob. Fixed `SrcIpAddr` mapping typo (`identity.ipAddres` → `identity.ipAddress`) with fallback for audit events. Input stream declaration unchanged.
- `Data Connectors/Oracle_Cloud_Infrastructure_CCP/OCI_DataConnector_Table.json`: schema regenerated to match the transform output — 201 → 86 columns.
- `Data Connectors/Oracle_Cloud_Infrastructure_CCP/azuredeploy_OCI_DataConnector_poller_connector.json`: embedded DCR/table synced to the above.
- `AzureFunctionOCILogs/`, `OCILogsConn.zip`, `OCI_logs_API_FunctionApp.json`, `azuredeploy_OCI_logs_API_FunctionApp.json`, `host.json`, `proxies.json`, `requirements.txt`). The V3 package already shipped only the CCF connector.
- `Parsers/OCILogs.yaml` (v2.0.0): now reads `OCI_LogsV2_CL` only (removed the `OCI_Logs_CL` union); derives `EventStartTime`/`EventEndTime` from flow-log epoch fields via `unixtime_seconds_todatetime()` with `TimeGenerated` fallback.
- `requiredDataConnectors` retargeted from the deprecated `OracleCloudInfrastructureLogsConnector`/`OCILogs` to the CCF connector `OracleCloudInfraConnector`/`OCI_LogsV2_CL`. Queries unchanged.
- `Workbooks/OracleCloudInfrastructureOCI.json`: replaced the outdated manual parser-deployment note (parser installs with the V3 solution). Queries unchanged.
Reason for Change(s):
- `OCI_LogsV2_CL` increased ~3x with no increase in OCI event count. Root cause: the DCR transform stored each event up to three times — the full `rawdata`/`oracle` payloads, ~190 flattened columns extracted from those same payloads, and normalized aliases duplicating several fields again. Since Log Analytics bills post-transform bytes, this directly tripled Sentinel/Log Analytics cost for all users of this connector.
- `authorization`/`Cookie`/OBO-token headers and key material from a 180-day table is also a security improvement.
- `OCI_Logs_CL` dependency were removed as the legacy pipeline is superseded by CCF; content still pointed at the deprecated connector id, so rule tiles showed "not connected" for CCF-only workspaces.
- `SrcIpAddr` typo fix restores source-IP population for audit events (previously empty), improving existing detections and workbook panels.
Version Updated:
Testing Completed:
- `createSolutionV3.ps1` (V3) and validated with arm-ttk; only the two known CCF-specific exceptions remain (IDs Should Be Derived From ResourceIDs on CCF resource ids and [second known exception]).
- `OCI_LogsV2_CL` for audit and VCN flow log categories.
- `estimate_data_size(*)` reduced from [X] KB to [Y] KB (~[Z]% reduction); daily GB via `Usage` reduced accordingly with unchanged event counts.
- `OCILogs` resolves in a workspace without the legacy `OCI_Logs_CL` table.
Checked that the validations are passing and have addressed any issues that are present:
- `OCI_Logs_CL` or the deprecated connector id remain in the solution.
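An added illustration, not the PR's own DCR transform or KQL parser (neither is reproduced on this page): this Python sketch mirrors the behaviours the description lists, so a reviewer can see the intended post-transform shape on sample input. The two events, the output column names and the header set are constructed for the example; the real DCR works in KQL on the connector's input stream.

```python
from datetime import datetime, timezone

# Constructed sample events (not real OCI data), shaped after the fields the PR discusses.
AUDIT_EVENT = {
    "id": "ocid1.sample.audit.1", "specversion": "1.0", "dataschema": "2.0",
    "data": {
        "identity": {"ipAddres": "198.51.100.7", "principalName": "alice"},  # old misspelled key
        "request": {"headers": {"authorization": ["Bearer sample-token"],
                                "Cookie": ["sid=sample"], "user-agent": ["curl/8.0"]}},
        "stateChange": {"current": {"keyValue": "-----BEGIN PUBLIC KEY-----sample"}},
    },
}
FLOW_EVENT = {
    "id": "ocid1.sample.flow.1", "specversion": "1.0",
    "data": {"startTime": 1760000000, "endTime": 1760000060,
             "sourceAddress": "10.0.0.5", "destinationAddress": "10.0.1.9", "action": "REJECT"},
}

# Request headers the transform must never carry into the 180-day table.
CREDENTIAL_HEADERS = {"authorization", "cookie", "opc_obo_token", "auth_info", "opc_principal"}

def epoch_to_dt(value):
    """Mirror unixtime_seconds_todatetime(): None when the epoch field is absent."""
    return None if value is None else datetime.fromtimestamp(int(value), tz=timezone.utc)

def transform(event, time_generated):
    """Flatten one event into the reduced column set; raw payloads and boilerplate are not kept."""
    d = event.get("data", {})
    ident = d.get("identity", {})
    headers = d.get("request", {}).get("headers", {})
    # Drop credential-bearing headers case-insensitively; keep the rest for UA-based detections.
    safe_headers = {k: v for k, v in headers.items() if k.lower() not in CREDENTIAL_HEADERS}
    return {
        "EventId": event.get("id"),
        # Correct key first, misspelled key as fallback for older audit events, flow-log field last.
        "SrcIpAddr": ident.get("ipAddress") or ident.get("ipAddres") or d.get("sourceAddress"),
        "DstIpAddr": d.get("destinationAddress"),
        "ActorName": ident.get("principalName"),
        "HttpUserAgent": (safe_headers.get("user-agent") or [None])[0],
        # Flow-log epoch fields when present, otherwise fall back to TimeGenerated.
        "EventStartTime": epoch_to_dt(d.get("startTime")) or time_generated,
        "EventEndTime": epoch_to_dt(d.get("endTime")) or time_generated,
        "Action": d.get("action"),
    }

def leaked_secrets(row):
    """Regression check: credential headers or key material that survived into a row."""
    text = repr(row).lower()
    return sorted(m for m in CREDENTIAL_HEADERS | {"begin public key"} if m in text)
```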