[ContrastADR] - CCF Data Connector Support#13954
@microsoft-github-policy-service agree company="Contrast Security"

@v-shukore

Hi @shashankshah-contrast, could you share the screenshots of the running CCF data connector here? Also, please confirm if you want to delete the functionapp connector from the solution since you’ve added CCF and resolved the branch conflicts.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Adds ContrastADR CCF (Push) data connector support and updates solution assets (parsers, analytic rules, workbooks, metadata) to use the new custom tables and connector ID.
Changes:
- Switched solution to CCF push connector and updated connector IDs / table names across rules and workbook queries.
- Added workbook panels (time range parameter + table view) to surface ContrastADRAttackEvents_CL data.
- Updated solution metadata/tests/sample data to recognize new custom tables and connector ID; bumped solution version to 3.1.0.
Reviewed changes
Copilot reviewed 37 out of 40 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| Workbooks/WorkbooksMetadata.json | Adds data type + connector dependencies for multiple ContrastADR workbooks. |
| Solutions/ContrastADR/Workbooks/ContrastADR_XML External_Entity_Injection_Injection_Workbook.json | Adds time range parameter + KQL table panel querying ContrastADRAttackEvents_CL for XXE events. |
| Solutions/ContrastADR/Workbooks/ContrastADR_Untrusted_Deserialization_Workbook.json | Adds time range parameter + KQL table panel querying ContrastADRAttackEvents_CL for deserialization events. |
| Solutions/ContrastADR/Workbooks/ContrastADR_SQL_Injection_Workbook.json | Adds time range parameter + KQL table panel querying ContrastADRAttackEvents_CL for SQLi events. |
| Solutions/ContrastADR/Workbooks/ContrastADR_Path_Traversal_Workbook.json | Adds time range parameter + KQL table panel querying ContrastADRAttackEvents_CL for path traversal events. |
| Solutions/ContrastADR/Workbooks/ContrastADR_JNDI_Injection_Workbook.json | Adds time range parameter + KQL table panel querying ContrastADRAttackEvents_CL for JNDI injection events. |
| Solutions/ContrastADR/Workbooks/ContrastADR_Command_Injection_Workbook.json | Adds time range parameter + KQL table panel querying ContrastADRAttackEvents_CL for command injection events. |
| Solutions/ContrastADR/ReleaseNotes.md | Adds a 3.1.0 release note entry for CCF connector support. |
| Solutions/ContrastADR/Parsers/Contrast_incident_parser.yaml | Updates incident parser to new table/column names via a view() definition. |
| Solutions/ContrastADR/Parsers/Contrast_alert_event_parser.yaml | Updates alert/event parser to new table/column names via a view() definition. |
| Solutions/ContrastADR/Package/testParameters.json | Adds parameters for RG/subscription used by deployment UI (ignored for detailed review). |
| Solutions/ContrastADR/Package/createUiDefinition.json | Updates UI text for the push connector (ignored for detailed review). |
| Solutions/ContrastADR/Data/Solution_ContrastADR.json | Updates solution data connector reference + version/base path. |
| Solutions/ContrastADR/Data Connectors/requirements.txt | Removes Function App requirements file (ignored for detailed review). |
| Solutions/ContrastADR/Data Connectors/proxies.json | Removes proxies.json (ignored for detailed review). |
| Solutions/ContrastADR/Data Connectors/host.json | Removes host.json (ignored for detailed review). |
| Solutions/ContrastADR/Data Connectors/azuredeploy_ContrastADR_functionapp.json | Removes legacy Function App deployment template (ignored for detailed review). |
| Solutions/ContrastADR/Data Connectors/ContrastADR_API_FunctionApp.json | Removes legacy connector definition (ignored for detailed review). |
| Solutions/ContrastADR/Data Connectors/ContrastADRCCF/table_incidents.json | Adds incidents custom table resource (ignored for detailed review). |
| Solutions/ContrastADR/Data Connectors/ContrastADRCCF/table_attackevents.json | Adds attack events custom table resource (ignored for detailed review). |
| Solutions/ContrastADR/Data Connectors/ContrastADRCCF/dataConnector.json | Adds push data connector resource (ignored for detailed review). |
| Solutions/ContrastADR/Data Connectors/ContrastADRCCF/connectorDefinition.json | Adds connector definition + UI steps (ignored for detailed review). |
| Solutions/ContrastADR/Data Connectors/ContrastADRCCF/DCR.json | Adds DCR for custom tables/streams (ignored for detailed review). |
| Solutions/ContrastADR/Data Connectors/AzureFunctionContrastADR/function_app.py | Removes Function App ingestion code (ignored for detailed review). |
| Solutions/ContrastADR/Data Connectors/AzureFunctionContrastADR/function.json | Removes Function App binding config (ignored for detailed review). |
| Solutions/ContrastADR/Analytic Rules/Contrast_Security_ADR_incident.yaml | Updates rule to new connector/table and adjusts entity/grouping fields. |
| Solutions/ContrastADR/Analytic Rules/Contrast_ADR_SQL_Injection_Alert_with_DLP_alerts.yaml | Updates rule to new connector/table/field names. |
| Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Exploited_Attack_Event_in_Production.yaml | Updates rule to new connector/table/field names. |
| Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Exploited_Attack_Event.yaml | Updates rule to new connector/table/field names. |
| Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Confirmed_WAF.yaml | Updates rule to new connector/table/field names and entity grouping. |
| Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Confirmed_EDR.yaml | Updates rule join to new connector/table/field names. |
| Sample Data/Custom/ContrastADRIncidents_CL.csv | Adds sample data for incidents custom table. |
| Sample Data/Custom/ContrastADRAttackEvents_CL.csv | Adds sample data for attack events custom table. |
| .script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json | Registers ContrastADRCCF as a valid connector ID for validation tests. |
| .script/tests/KqlvalidationsTests/CustomTables/ContrastADRIncidents_CL.json | Adds custom table schema for KQL validation tests. |
| .script/tests/KqlvalidationsTests/CustomTables/ContrastADRIncident_CL.json | Removes legacy incidents table schema for KQL validation tests. |
| .script/tests/KqlvalidationsTests/CustomTables/ContrastADRAttackEvents_CL.json | Adds custom table schema for KQL validation tests. |

Hi @v-shukore
Thanks

@v-shukore @v-atulyadav Would it be okay to keep the Azure Function–based connector code in the Microsoft repository as-is? My concern is that if we remove it and the PR gets merged, existing users of this connector may face functional issues, since the data connector ZIP (referenced at runtime) would no longer be available. My suggestion is to retain it for now and, once all users have migrated to the CCF-based connector (after it’s available in the Marketplace), I can raise another PR to either remove it or mark it as deprecated. Please let me know your thoughts before this PR is merged, so I can revert today’s data connector removal changes if needed.

Hi @v-shukore

Hi @shashankshah-contrast, validation is failing because you forgot to add a comma at the end of the line in the

@v-shukore

Change(s):
Reason for Change(s):
Version Updated:
Testing Completed:
Checked that the validations are passing and have addressed any issues that are present: