Azure
diff --git a/‎Solutions/Amazon Web Services NetworkFirewall/Data/Solution_AmazonWebServices.json‎
Lines changed: 1 addition & 1 deletion b/‎Solutions/Amazon Web Services NetworkFirewall/Data/Solution_AmazonWebServices.json‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎Solutions/Amazon Web Services NetworkFirewall/Package/3.0.3.zip‎
7.66 KB b/‎Solutions/Amazon Web Services NetworkFirewall/Package/3.0.3.zip‎
7.66 KB
diff --git a/‎Solutions/Amazon Web Services NetworkFirewall/Package/createUiDefinition.json‎
Lines changed: 1 addition & 1 deletion b/‎Solutions/Amazon Web Services NetworkFirewall/Package/createUiDefinition.json‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎Solutions/Amazon Web Services NetworkFirewall/Package/mainTemplate.json‎
Lines changed: 3 additions & 63 deletions b/‎Solutions/Amazon Web Services NetworkFirewall/Package/mainTemplate.json‎
Lines changed: 3 additions & 63 deletions
diff --git a/‎Solutions/Amazon Web Services NetworkFirewall/ReleaseNotes.md‎
Lines changed: 1 addition & 0 deletions b/‎Solutions/Amazon Web Services NetworkFirewall/ReleaseNotes.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎Tools/Create-Azure-Sentinel-Solution/common/createCCPConnector.ps1‎
Lines changed: 42 additions & 3 deletions b/‎Tools/Create-Azure-Sentinel-Solution/common/createCCPConnector.ps1‎
Lines changed: 42 additions & 3 deletions
@@ -7,7 +7,7 @@
     "Data Connectors/AWSNetworkFirewallLogs_CCP/AWSNetworkFirewallLog_ConnectorDefinition.json"
   ],
   "BasePath": "C:\\Github\\Azure-Sentinel\\Solutions\\Amazon Web Services NetworkFirewall",
-  "Version": "3.0.0",
+  "Version": "3.0.3",
   "Metadata": "SolutionMetadata.json",
   "TemplateSpec": true,
   "StaticDataConnectorIds": [
 
@@ -60,7 +60,7 @@
             "name": "dataconnectors1-text",
             "type": "Microsoft.Common.TextBlock",
             "options": {
-              "text": "This Solution installs the data connector for Amazon Web Services NetworkFirewall. You can get Amazon Web Services NetworkFirewall data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+              "text": "This Solution installs the data connector for Amazon Web Services NetworkFirewall (via Codeless Connector Framework). You can get Amazon Web Services NetworkFirewall (via Codeless Connector Framework) data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
             }
           },
           {
 
@@ -45,7 +45,7 @@
   },
   "variables": {
     "_solutionName": "Amazon Web Services NetworkFirewall",
-    "_solutionVersion": "3.0.2",
+    "_solutionVersion": "3.0.3",
     "solutionId": "azuresentinel.azure-sentinel-solution-aws-networkfirewall",
     "_solutionId": "[variables('solutionId')]",
     "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
@@ -785,67 +785,7 @@
               "kind": "AmazonWebServicesS3",
               "properties": {
                 "connectorDefinitionName": "AwsNetworkFirewallCcpDefinition",
-                "destinationTable": "[[concat(parameters('streamName')[0],'_CL')]",
-                "dataTypes": {
-                  "logs": {
-                    "state": "enabled"
-                  }
-                },
-                "dcrConfig": {
-                  "streamName": "[[parameters('streamName')[0]]",
-                  "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
-                  "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]"
-                },
-                "dataFormat": {
-                  "Format": "Json",
-                  "IsCompressed": true,
-                  "compressType": "Gzip"
-                },
-                "roleArn": "[[parameters('roleArn')]",
-                "sqsUrls": [
-                  "[[parameters('queueUrl')]"
-                ]
-              }
-            },
-            {
-              "name": "[[concat(parameters('innerWorkspace'),'/Microsoft.SecurityInsights/', 'AwsNetworkFirewall Flow Logs', parameters('guidValue'))]",
-              "apiVersion": "2023-02-01-preview",
-              "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
-              "location": "[parameters('workspace-location')]",
-              "kind": "AmazonWebServicesS3",
-              "properties": {
-                "connectorDefinitionName": "AwsNetworkFirewallCcpDefinition",
-                "destinationTable": "[[concat(parameters('streamName')[0],'_CL')]",
-                "dataTypes": {
-                  "logs": {
-                    "state": "enabled"
-                  }
-                },
-                "dcrConfig": {
-                  "streamName": "[[parameters('streamName')[0]]",
-                  "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
-                  "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]"
-                },
-                "dataFormat": {
-                  "Format": "Json",
-                  "IsCompressed": true,
-                  "compressType": "Gzip"
-                },
-                "roleArn": "[[parameters('roleArn')]",
-                "sqsUrls": [
-                  "[[parameters('queueUrl')]"
-                ]
-              }
-            },
-            {
-              "name": "[[concat(parameters('innerWorkspace'),'/Microsoft.SecurityInsights/', 'AwsNetworkFirewall Tls Logs', parameters('guidValue'))]",
-              "apiVersion": "2023-02-01-preview",
-              "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
-              "location": "[parameters('workspace-location')]",
-              "kind": "AmazonWebServicesS3",
-              "properties": {
-                "connectorDefinitionName": "AwsNetworkFirewallCcpDefinition",
-                "destinationTable": "[[concat(parameters('streamName')[0],'_CL')]",
+                "destinationTable": "[[if(equals(parameters('streamName')[0], 'Custom-AWSNetworkFirewall-AlertLog'), 'AWSNetworkFirewallAlert', if(equals(parameters('streamName')[0], 'Custom-AWSNetworkFirewall-FlowLog'), 'AWSNetworkFirewallFlow', 'AWSNetworkFirewallTls'))]]",
                 "dataTypes": {
                   "logs": {
                     "state": "enabled"
@@ -883,7 +823,7 @@
       "apiVersion": "2023-04-01-preview",
       "location": "[parameters('workspace-location')]",
       "properties": {
-        "version": "3.0.2",
+        "version": "3.0.3",
         "kind": "Solution",
         "contentSchemaVersion": "3.0.0",
         "displayName": "Amazon Web Services NetworkFirewall",
 
@@ -1,5 +1,6 @@
  **Version** | **Date Modified (DD-MM-YYYY)**| **ChangeHistory**                                                                         |
 |------------|-------------------------------|-------------------------------------------------------------------------------------------|
+| 3.0.3      | 03-02-2026                    | Fix duplicate collectors creation.   | 
 | 3.0.2      | 19-08-2025                    | **CCF Connector** moving to GA.  | 
 | 3.0.1      | 23-07-2025                    | Updated AWS Network Firewall Readme file and the associated links for the **CCF Data Connector**  |   
 | 3.0.0      | 20-03-2025                    | Initial Solution Release                                               					 |
@@ -757,8 +757,21 @@ function createCCPConnectorResources($contentResourceDetails, $dataFileMetadata,
             }
 
             if ($fileContent -is [System.Object[]]) {
-                foreach ($content in $fileContent) {
-                    CCPDataConnectorsResource -fileContent $content;
+                if ($ccpItem.isDynamicStreamName) {
+                    # For dynamic streamName, only create ONE resource with conditional logic
+                    # Store all streamName->destinationTable mappings first
+                    $script:streamNameMappings = @{}
+                    foreach ($content in $fileContent) {
+                        if ($content.properties.dcrConfig.streamName -and $content.properties.destinationTable) {
+                            $script:streamNameMappings[$content.properties.dcrConfig.streamName] = $content.properties.destinationTable
+                        }
+                    }
+                    # Process only the first item, it will be parameterized
+                    CCPDataConnectorsResource -fileContent $fileContent[0];
+                } else {
+                    foreach ($content in $fileContent) {
+                        CCPDataConnectorsResource -fileContent $content;
+                    }
                 }
             }
             else {
@@ -1430,7 +1443,33 @@ function CreateAwsResourceProperties($armResource, $templateContentConnections,
     if ($isDynamicStreamName) {
         # Handle properties destinationTable and streamName in dc poller file for this solutions as a special case
         $armResource.properties.dcrConfig.streamName = "[[parameters('streamName')[0]]"
-        $armResource.properties.destinationTable = "[[concat(parameters('streamName')[0],'_CL')]"
+        
+        # Build conditional logic for destinationTable based on streamNameMappings
+        if ($script:streamNameMappings -and $script:streamNameMappings.Count -gt 0) {
+            $sortedMappings = $script:streamNameMappings.GetEnumerator() | Sort-Object Name
+            $conditionalLogic = ""
+            $mappingArray = @($sortedMappings)
+            
+            # Build nested if() statements from right to left
+            for ($i = $mappingArray.Count - 1; $i -ge 0; $i--) {
+                $streamName = $mappingArray[$i].Key
+                $destTable = $mappingArray[$i].Value
+                
+                if ($i -eq $mappingArray.Count - 1) {
+                    # Last item (rightmost in the conditional)
+                    $conditionalLogic = "'$destTable'"
+                } else {
+                    # Wrap with if(equals())
+                    $conditionalLogic = "if(equals(parameters('streamName')[0], '$streamName'), '$destTable', $conditionalLogic)"
+                }
+            }
+            
+            $armResource.properties.destinationTable = "[[$conditionalLogic]]"
+        } else {
+            # Fallback to _CL suffix if no mappings found
+            $armResource.properties.destinationTable = "[[concat(parameters('streamName')[0],'_CL')]"
+        }
+        
         $templateContentConnections.properties.mainTemplate.parameters | Add-Member -NotePropertyName "streamName" -NotePropertyValue ([PSCustomObject] @{ type = "array" })
     }
     else {
Original file line number	Diff line number	Diff line change
`@@ -60,7 +60,7 @@`
`60`	`60`	`"name": "dataconnectors1-text",`
`61`	`61`	`"type": "Microsoft.Common.TextBlock",`
`62`	`62`	`"options": {`
`63`		`- "text": "This Solution installs the data connector for Amazon Web Services NetworkFirewall. You can get Amazon Web Services NetworkFirewall data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."`
	`63`	`+ "text": "This Solution installs the data connector for Amazon Web Services NetworkFirewall (via Codeless Connector Framework). You can get Amazon Web Services NetworkFirewall (via Codeless Connector Framework) data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."`
`64`	`64`	`}`
`65`	`65`	`},`
`66`	`66`	`{`