[IONIX] Migrate to Codeless Connector Framework (CCF) #13524
- Replace HTTP Data Collector API (push) with Codeless Connector Framework (pull)
- Add RestApiPoller with daily polling (1440 min) from IONIX API
- Simplified setup: API token + account name only
- Data continues to CyberpionActionItems_CL table

Updated workbook and analytics rule to use summarize arg_max(TimeGenerated, *) by id_s for proper deduplication. This prevents duplicate action items from appearing when the CCF RestApiPoller polls the same open items daily.
- Workbook queries now deduplicate by id_s before aggregating
- Analytics rule uses id_s deduplication instead of time bucket approach
- Historical chart counts distinct id_s per day
@microsoft-github-policy-service agree company="IONIX"
Removed the unused 'restApiPollerName' variable from mainTemplate.json to fix the "Variables Must Be Referenced" ARM-TTK test failure.
Co-Authored-By: Claude Sonnet 4.5 (1M context) <noreply@anthropic.com>

Kindly refer to the below-mentioned solution for the correct folder structure and update the necessary changes. Thanks!
…nector (v4.0.0)
- Add new CCF data connector using Codeless Connector Framework with RestApiPoller
- Automatic daily polling from IONIX API with pagination support
- DCR transform maps API response fields (including nested title/urgency objects)
- Keep old push connector marked as [DEPRECATED] for backward compatibility
- Update Solution_IONIX.json with CCF connector file references
- Update createUiDefinition.json to reflect 2 data connectors
- Add ReleaseNotes entry for v4.0.0
Update stream declaration types and transformKql in IONIX_DCR.json to match the deployed mainTemplate: title/urgency as dynamic for nested JSON objects, asset_type as string, datetime fields as string, and bracket syntax for column references in transformKql.
Hi @ItaiMargalit Thanks!
- Downgrade version from 4.0.0 to 3.1.0 per reviewer request
- Regenerate mainTemplate.json and createUiDefinition.json using V3 packaging tool
- Add 3.1.0.zip package and testParameters.json
- Fix CCF files: wrap Table in array, remove dependsOn:null from ConnectorDefinition
- Fix DCR transform: add missing is_open_b column (queries depend on it)
- Fix Solution_IONIX.json: only list ConnectorDefinition (tool auto-discovers rest)
- Add DataConnectorCCFVersion, lastPublishDate, Author email
- Fix deprecation notice title to match actual CCF connector name
- Update ReleaseNotes.md version to 3.1.0

- Fix empty label/text nulls in createUiDefinition.json workbook section
- Add default value for workbook1-name parameter
- Fix "Sentinel" → "Microsoft Sentinel" branding across all files
The V3 packaging tool (commit e694e4e) blanked out workbookContentId1 and workbookVersion1 variables, causing ARM deployment to fail with "BadRequestException - properties.contentId is required".
Manual updates to the main template are not recommended. Please verify why these changes were not added during the solution packaging process. Thanks!
Regenerated mainTemplate.json and createUiDefinition.json using the V3 packaging tool (createSolutionV3.ps1) instead of manual edits. The tool reads the standalone CCF connector files, workbook, and analytic rule from the Solution_IONIX.json manifest and produces the ARM template. Fixes: "Manual updates to the main template are not recommended"
Kindly attach a screenshot of the CCF data connector showing its connected state for reference and include analytics rule, workbook creation. Thanks!
Hi @v-maheshbh

CCF Data Connector - Connected State

Analytics Rule

(Note: The analytics rule shows its data source as [DEPRECATED] IONIX Security Logs (Push) — this is expected. The requiredDataConnectors metadata field references the original connector ID

Workbook

The workbook queries all use summarize arg_max(TimeGenerated, *) by id_s for deduplication, ensuring correct results even if both connectors are active simultaneously. Thanks!
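The deduplication named in the commit message and in the reply above, as an added KQL example that is not part of the PR or of the IONIX solution. The sample rows, dates and ids are constructed; only TimeGenerated, id_s and is_open_b are column names taken from this page. It compares a naive count, a filter applied before arg_max, and arg_max applied first.

```kusto
// Constructed sample: item A-1 is returned by three daily polls, A-2 by two
// (it is closed by the second poll), A-3 by one poll.
let SampleActionItems = datatable(TimeGenerated: datetime, id_s: string, is_open_b: bool)
[
    datetime(2025-01-01 06:00:00), "A-1", true,
    datetime(2025-01-02 06:00:00), "A-1", true,
    datetime(2025-01-03 06:00:00), "A-1", true,
    datetime(2025-01-01 06:00:00), "A-2", true,
    datetime(2025-01-02 06:00:00), "A-2", false,
    datetime(2025-01-03 06:00:00), "A-3", true
];
// 1. Naive: every daily poll of a still-open item is counted again.
let Naive = SampleActionItems
    | where is_open_b == true
    | summarize OpenItems = count()
    | extend Query = "1 naive count";
// 2. Filter first, then dedupe: one row per id_s, but a closed item is still
//    counted because its older open row survives the filter.
let FilterThenDedupe = SampleActionItems
    | where is_open_b == true
    | summarize arg_max(TimeGenerated, *) by id_s
    | summarize OpenItems = count()
    | extend Query = "2 filter, then arg_max";
// 3. Dedupe first: keep the latest row per id_s, then test its current state.
let DedupeThenFilter = SampleActionItems
    | summarize arg_max(TimeGenerated, *) by id_s
    | where is_open_b == true
    | summarize OpenItems = count()
    | extend Query = "3 arg_max, then filter";
union Naive, FilterThenDedupe, DedupeThenFilter
| project Query, OpenItems
| order by Query asc
```

Only the third form reports each item once according to its most recent state, which is the property an alert on open action items depends on when the same items are re-ingested every day.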
Fixes two deploy-time bugs in v3.1.0 (PR Azure#13524).

Bug Azure#1 — Paging: Switched pagingType from "NextPageUrl" to "Offset", matching the IONIX API's standard DRF LimitOffsetPagination shape. The old config failed CCF connectivity validation with "Missing NextPageParaName from config" (RES40002) for every customer on 3.1.0.

Bug Azure#3 — Table declaration: The original v3.1.1 attempt removed IONIX_Table.json on the theory that Log Analytics would auto-create the custom table on first DCR write. That's not how it works — Sentinel's DCR validator requires the custom output table to already exist, and Connect failed with:

InvalidOutputTable: Table for output stream 'Custom-CyberpionActionItems_CL' is not available for destination 'IONIX-Destination'.

Restored IONIX_Table.json with the 12-column declaration (same shape as v3.1.0) so the table is created when the solution is installed via Content Hub (which auto-executes the contentTemplates nested mainTemplate). This matches the pattern used by every other CCF solution in the catalog (Auth0, Cloudflare CCF, SAP BTP, CyrenThreatIntelligence — all have the table declared inside the contentTemplates wrapper, none at top level).

Package regenerated via Tools/Create-Azure-Sentinel-Solution/V3 (createSolutionV3.ps1) — mainTemplate.json + 3.1.1.zip are canonical V3-tool output.

Verified end-to-end on a fresh Sentinel workspace:
- Solution installs via Content Hub
- CyberpionActionItems_CL table created
- CCF connector connects (green), no RES40002
- First poll ingested 64 deduped action items via Offset paging
- Workbook + analytics rule template both render

Note: customers migrating from the deprecated push connector who already have a populated CyberpionActionItems_CL table with the legacy 15-18 column set will still hit "Invalid output table schema" on this version (same behavior as v3.1.0). Migration handling is tracked separately for v3.1.2 — recommended approach is a new table name for the CCF connector with a union shim during the transition period.

Summary
- id_s field to prevent duplicate action items
- CyberpionActionItems_CL table

Changes
- summarize arg_max(TimeGenerated, *) by id_s deduplication