[SOLUTION] Add Halcyon data connector v2, parsers, and hunting content #14460
jwilke-halcyon wants to merge 5 commits into
Conversation
Squashes the following work into a single commit:
- Data Connector v2 for events and alert updates (GAL-440, #7)
- OCSF aggregate parser for HalcyonAlertUpdates_CL (#8)
- Halcyon event hunting query (#9)
- First set of Halcyon event OCSF parsers (#10)
- Fix HalcyonEventsV2_CL plan type deployment issue (#11)
- Bump version

Co-Authored-By: kwest-halcyon <kwest+sentinel@halcyon.ai>
Pull request overview
Note: Copilot was unable to run its full agentic suite in this review.
Adds the Halcyon v2 push connector (new DCR + custom tables) and ships accompanying parser + hunting content, with a solution version bump to 3.2.0.
Changes:
- Introduces HalcyonPushV2 connector artifacts (DCR, connector definition, data connector, v2 tables).
- Adds OCSF parsers for HalcyonEventsV2_CL and an alerts “latest state” parser.
- Adds a HalcyonEventsV2_CL hunting query and updates solution packaging + release notes.
Reviewed changes
Copilot reviewed 18 out of 19 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| Solutions/Halcyon/ReleaseNotes.md | Adds 3.2.0 entry describing new connector/tables + hunting/parsers |
| Solutions/Halcyon/Parsers/Halcyon_OCSF_ProcessActivity.yaml | New OCSF class-specific projection parser for Process Activity |
| Solutions/Halcyon/Parsers/Halcyon_OCSF_NetworkActivity.yaml | New OCSF class-specific projection parser for Network Activity |
| Solutions/Halcyon/Parsers/Halcyon_OCSF_KernelActivity.yaml | New OCSF class-specific projection parser for Kernel Activity |
| Solutions/Halcyon/Parsers/Halcyon_OCSF_FileActivity.yaml | New OCSF class-specific projection parser for File Activity |
| Solutions/Halcyon/Parsers/Halcyon_OCSF_DnsActivity.yaml | New OCSF class-specific projection parser for DNS Activity |
| Solutions/Halcyon/Parsers/Halcyon_OCSF_Authentication.yaml | New OCSF class-specific projection parser for Authentication |
| Solutions/Halcyon/Parsers/Halcyon_OCSF_ApplicationLifecycle.yaml | New OCSF class-specific projection parser for Application Lifecycle |
| Solutions/Halcyon/Parsers/Halcyon_Alerts.yaml | Adds a parser intended to return latest state per alert |
| Solutions/Halcyon/Package/mainTemplate.json | Packages v2 connector + DCR transforms + tables, and adds packaged parser/hunting content |
| Solutions/Halcyon/Package/createUiDefinition.json | Updates solution install UX text and adds hunting queries blade |
| Solutions/Halcyon/Hunting Queries/Halcyon_RelatedEventsForAlert.yaml | Adds a hunting query to retrieve events related to an alert |
| Solutions/Halcyon/Data/Solution_Halcyon.json | Updates connector path, adds parser/hunting query references, bumps version to 3.2.0 |
| Solutions/Halcyon/Data Connectors/Halcyon_ccp_v2/Halcyon_table_events.json | Defines HalcyonEventsV2_CL table schema |
| Solutions/Halcyon/Data Connectors/Halcyon_ccp_v2/Halcyon_table_alert_updates.json | Defines HalcyonAlertUpdatesV2_CL table schema |
| Solutions/Halcyon/Data Connectors/Halcyon_ccp_v2/Halcyon_dataConnector.json | Defines the Push data connector resource for v2 |
| Solutions/Halcyon/Data Connectors/Halcyon_ccp_v2/Halcyon_connectorDefinition.json | Defines the v2 connector UI + instructions + permissions |
| Solutions/Halcyon/Data Connectors/Halcyon_ccp_v2/Halcyon_DCR.json | Defines v2 DCR stream + transforms to EventsV2/AlertUpdatesV2 |
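The Halcyon_Alerts.yaml parser is described above as returning the latest state per alert. The KQL below is an added illustration of that "latest state" pattern written for this review, not the parser shipped in the PR. The table name HalcyonAlertUpdatesV2_CL is taken from the PR; the column names AlertId, Status, Severity and SourceUpdateTime are assumptions and must be replaced with the columns the v2 table actually defines.

```kql
// Added example, not the PR's Halcyon_Alerts parser.
// Assumed columns (hypothetical): AlertId, Status, Severity, SourceUpdateTime.
HalcyonAlertUpdatesV2_CL
| where isnotempty(AlertId)
// Order by the vendor's own update timestamp when the table carries one.
// TimeGenerated reflects ingestion order, so a delayed push of an older
// update could otherwise be mistaken for the newest state of the alert.
| extend UpdateTime = coalesce(SourceUpdateTime, TimeGenerated)
| summarize arg_max(UpdateTime, *) by AlertId
| project AlertId, Status, Severity, UpdateTime, TimeGenerated
```

One caveat worth checking in the real parser: if updates for a single alert can be pushed out of order, collapsing on TimeGenerated alone will report a stale status, so the parser should key arg_max on a source-side timestamp if the connector's DCR transform preserves one.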
@microsoft-github-policy-service agree company="Halcyon"
Hi @jwilke-halcyon, I noticed there are a total of 8 parsers in this PR, but only one was added to the data file. Was this intentional, or did you forget to add the others by mistake? Could you please confirm? Thanks!
@v-shukore - This was a mistake. I've added the parsers and regenerated the packages. Thank you! |

Required items, please complete
Change(s):
- Added Data Connector V2 for events and alert updates
- Added OCSF aggregate parser for HalcyonAlertUpdatesV2_CL
- Added HalcyonEventsV2_CL hunting query
- Added HalcyonEventsV2_CL OCSF parsers
Reason for Change(s):
Version updated:
Testing Completed:
Checked that the validations are passing and have addressed any issues that are present: