Add KQL query for ZeroFox CCF

lderequesensS · lderequesensS · commit 7925f0d93c54 · 2025-12-03T14:19:46.000-03:00
diff --git a/Solutions/ZeroFox/Data Connectors/Alerts/ZeroFoxAlerts_ConnectorDefinition.json b/Solutions/ZeroFox/Data Connectors/Alerts/ZeroFoxAlerts_ConnectorDefinition.json
@@ -47,7 +47,6 @@
         {
           "type": "IsConnectedQuery",
           "value": [
-            "ZeroFoxAlertPoller_CL\n            | summarize LastLogReceived = max(TimeGenerated)\n            | project IsConnected = LastLogReceived > ago(3d)",
             "ZeroFoxAlertPoller_CL\n            | summarize LastLogReceived = max(TimeGenerated)\n            | project IsConnected = LastLogReceived > ago(3d)"
           ]
         }
diff --git a/Solutions/ZeroFox/Data Connectors/Alerts/ZeroFoxAlerts_DCR.json b/Solutions/ZeroFox/Data Connectors/Alerts/ZeroFoxAlerts_DCR.json
@@ -6,7 +6,7 @@
     "properties": {
         "dataCollectionEndpointId": "{{dataCollectionEndpointId}}",
         "streamDeclarations": {
-            "Custom-ZeroFoxAlertsPoller_CL": {
+            "Custom-ZeroFoxAlertPoller_CL": {
                 "columns": [
                     {
                         "name": "alert_type",
@@ -162,12 +162,12 @@
         "dataFlows": [
             {
                 "streams": [
-                    "Custom-ZeroFoxAlertsPoller_CL"
+                    "Custom-ZeroFoxAlertPoller_CL"
                 ],
                 "destinations": [
                     "clv2ws1"
                 ],
-                "transformKql": "source\n| extend TimeGenerated = now()",
+                "transformKql": "source\n| extend \n entity_id_d = toint(entity.id),\n entity_name_s = tostring(entity.name),\n entity_image_s = tostring(entity.image),\n entity_labels_s = tostring(entity.labels),\n entity_entity_group_id_d = toint(entity.entity_group_id),\n entity_entity_group_name_s = tostring(entity.entity_group_name),\n entity_term_s = tostring(entity.term),\n entity_account_s = tostring(entity.account),\n entity_email_receiver_id_s = tostring(entity.email_receiver_id),\n perpetrator_name_s = tostring(perpetrator.name),\n perpetrator_display_name_s = tostring(perpetrator.display_name),\n perpetrator_id_d = toint(perpetrator.id),\n perpetrator_url_s = tostring(perpetrator.url),\n perpetrator_content_s = tostring(perpetrator.content),\n perpetrator_type_s = tostring(perpetrator.type),\n perpetrator_timestamp_t = todatetime(perpetrator.timestamp),\n perpetrator_network_s = tostring(perpetrator.network),\n asset_id_d = toint(asset.id),\n asset_name_s = tostring(asset.name),\n asset_image_s = tostring(asset.image),\n asset_labels_s = tostring(asset.labels),\n asset_entity_group_id_d = toint(asset.entity_group_id),\n asset_entity_group_name_s = tostring(asset.entity_group_name),\n id_d = toint(id),\n Severity = toint(severity),\n rule_group_id_d = toint(rule_group_id),\n reviewed_b = tobool(reviewed),\n escalated_b = tobool(escalated),\n rule_id_d = toint(rule_id),\n last_modified_t = last_modified\n | project-rename \n TimeGenerated = last_modified,\n alert_type_s = alert_type,\n logs_s = logs,\n offending_content_url_s = offending_content_url,\n asset_term_s = asset_term,\n assignee_s = assignee,\n content_created_at_t = content_created_at,\n entered_by_s = entered_by,\n metadata_s = metadata,\n status_s = status,\n rule_name_s = rule_name,\n protected_locations_s = protected_locations,\n darkweb_term_s = darkweb_term,\n business_network_s = business_network,\n network_s = network,\n protected_social_object_s = protected_social_object,\n notes_s = notes,\n reviews_s = reviews,\n tags_s = tags\n| project TimeGenerated, alert_type_s, logs_s, offending_content_url_s, asset_term_s, assignee_s, entity_id_d, entity_name_s, entity_image_s, entity_labels_s, entity_entity_group_id_d, entity_entity_group_name_s, entity_term_s, content_created_at_t, id_d, Severity, perpetrator_name_s, perpetrator_display_name_s, perpetrator_id_d, perpetrator_url_s, perpetrator_content_s, perpetrator_type_s, perpetrator_timestamp_t, perpetrator_network_s, rule_group_id_d, asset_id_d, asset_name_s, asset_image_s, asset_labels_s, asset_entity_group_id_d, asset_entity_group_name_s, entered_by_s, metadata_s, status_s, rule_name_s, last_modified_t, protected_locations_s, darkweb_term_s, business_network_s, reviewed_b, escalated_b, network_s, protected_social_object_s, notes_s, reviews_s, rule_id_d, entity_account_s, entity_email_receiver_id_s, tags_s",
                 "outputStream": "Custom-ZeroFoxAlertPoller_CL"
             }
         ]
diff --git a/Solutions/ZeroFox/Package/mainTemplate.json b/Solutions/ZeroFox/Package/mainTemplate.json
@@ -835,7 +835,7 @@
           "resources": [
             {
               "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition2'))]",
-              "apiVersion": "2022-09-01-preview",
+              "apiVersion": "2025-09-01",
               "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
               "location": "[parameters('workspace-location')]",
               "kind": "Customizable",
@@ -877,7 +877,6 @@
                     {
                       "type": "IsConnectedQuery",
                       "value": [
-                        "ZeroFoxAlertPoller_CL\n            | summarize LastLogReceived = max(TimeGenerated)\n            | project IsConnected = LastLogReceived > ago(3d)",
                         "ZeroFoxAlertPoller_CL\n            | summarize LastLogReceived = max(TimeGenerated)\n            | project IsConnected = LastLogReceived > ago(3d)"
                       ]
                     }
@@ -975,14 +974,14 @@
             },
             {
               "name": "AlertsDCR",
-              "apiVersion": "2022-06-01",
+              "apiVersion": "2024-03-11",
               "type": "Microsoft.Insights/dataCollectionRules",
               "location": "[parameters('workspace-location')]",
               "kind": "[variables('blanks')]",
               "properties": {
                 "dataCollectionEndpointId": "[variables('dataCollectionEndpointId2')]",
                 "streamDeclarations": {
-                  "Custom-ZeroFoxAlertsPoller_CL": {
+                  "Custom-ZeroFoxAlertPoller_CL": {
                     "columns": [
                       {
                         "name": "alert_type",
@@ -1138,20 +1137,20 @@
                 "dataFlows": [
                   {
                     "streams": [
-                      "Custom-ZeroFoxAlertsPoller_CL"
+                      "Custom-ZeroFoxAlertPoller_CL"
                     ],
                     "destinations": [
                       "clv2ws1"
                     ],
-                    "transformKql": "source\n| extend TimeGenerated = now()",
+                    "transformKql": "source\n| extend \n entity_id_d = toint(entity.id),\n entity_name_s = tostring(entity.name),\n entity_image_s = tostring(entity.image),\n entity_labels_s = tostring(entity.labels),\n entity_entity_group_id_d = toint(entity.entity_group_id),\n entity_entity_group_name_s = tostring(entity.entity_group_name),\n entity_term_s = tostring(entity.term),\n entity_account_s = tostring(entity.account),\n entity_email_receiver_id_s = tostring(entity.email_receiver_id),\n perpetrator_name_s = tostring(perpetrator.name),\n perpetrator_display_name_s = tostring(perpetrator.display_name),\n perpetrator_id_d = toint(perpetrator.id),\n perpetrator_url_s = tostring(perpetrator.url),\n perpetrator_content_s = tostring(perpetrator.content),\n perpetrator_type_s = tostring(perpetrator.type),\n perpetrator_timestamp_t = todatetime(perpetrator.timestamp),\n perpetrator_network_s = tostring(perpetrator.network),\n asset_id_d = toint(asset.id),\n asset_name_s = tostring(asset.name),\n asset_image_s = tostring(asset.image),\n asset_labels_s = tostring(asset.labels),\n asset_entity_group_id_d = toint(asset.entity_group_id),\n asset_entity_group_name_s = tostring(asset.entity_group_name),\n id_d = toint(id),\n Severity = toint(severity),\n rule_group_id_d = toint(rule_group_id),\n reviewed_b = tobool(reviewed),\n escalated_b = tobool(escalated),\n rule_id_d = toint(rule_id),\n last_modified_t = last_modified\n | project-rename \n TimeGenerated = last_modified,\n alert_type_s = alert_type,\n logs_s = logs,\n offending_content_url_s = offending_content_url,\n asset_term_s = asset_term,\n assignee_s = assignee,\n content_created_at_t = content_created_at,\n entered_by_s = entered_by,\n metadata_s = metadata,\n status_s = status,\n rule_name_s = rule_name,\n protected_locations_s = protected_locations,\n darkweb_term_s = darkweb_term,\n business_network_s = business_network,\n network_s = network,\n protected_social_object_s = protected_social_object,\n notes_s = notes,\n reviews_s = reviews,\n tags_s = tags\n| project TimeGenerated, alert_type_s, logs_s, offending_content_url_s, asset_term_s, assignee_s, entity_id_d, entity_name_s, entity_image_s, entity_labels_s, entity_entity_group_id_d, entity_entity_group_name_s, entity_term_s, content_created_at_t, id_d, Severity, perpetrator_name_s, perpetrator_display_name_s, perpetrator_id_d, perpetrator_url_s, perpetrator_content_s, perpetrator_type_s, perpetrator_timestamp_t, perpetrator_network_s, rule_group_id_d, asset_id_d, asset_name_s, asset_image_s, asset_labels_s, asset_entity_group_id_d, asset_entity_group_name_s, entered_by_s, metadata_s, status_s, rule_name_s, last_modified_t, protected_locations_s, darkweb_term_s, business_network_s, reviewed_b, escalated_b, network_s, protected_social_object_s, notes_s, reviews_s, rule_id_d, entity_account_s, entity_email_receiver_id_s, tags_s",
                     "outputStream": "Custom-ZeroFoxAlertPoller_CL"
                   }
                 ]
               }
             },
             {
               "name": "ZeroFoxAlertPoller_CL",
-              "apiVersion": "2022-10-01",
+              "apiVersion": "2025-07-01",
               "type": "Microsoft.OperationalInsights/workspaces/tables",
               "location": "[parameters('workspace-location')]",
               "kind": null,
@@ -1426,7 +1425,7 @@
     },
     {
       "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition2'))]",
-      "apiVersion": "2022-09-01-preview",
+      "apiVersion": "2025-09-01",
       "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
       "location": "[parameters('workspace-location')]",
       "kind": "Customizable",
@@ -1468,7 +1467,6 @@
             {
               "type": "IsConnectedQuery",
               "value": [
-                "ZeroFoxAlertPoller_CL\n            | summarize LastLogReceived = max(TimeGenerated)\n            | project IsConnected = LastLogReceived > ago(3d)",
                 "ZeroFoxAlertPoller_CL\n            | summarize LastLogReceived = max(TimeGenerated)\n            | project IsConnected = LastLogReceived > ago(3d)"
               ]
             }
@@ -1642,7 +1640,7 @@
             },
             {
               "name": "[[concat(parameters('innerWorkspace'),'/Microsoft.SecurityInsights/', 'ZeroFoxAlertsPoller', parameters('guidValue'))]",
-              "apiVersion": "2023-02-01-preview",
+              "apiVersion": "2025-09-01",
               "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
               "location": "[parameters('workspace-location')]",
               "kind": "RestApiPoller",
@@ -1760,8 +1758,8 @@
                     "entityType": "Account",
                     "fieldMappings": [
                       {
-                        "columnName": "entity_name_s",
-                        "identifier": "FullName"
+                        "identifier": "FullName",
+                        "columnName": "entity_name_s"
                       }
                     ]
                   }
@@ -1870,8 +1868,8 @@
                     "entityType": "Account",
                     "fieldMappings": [
                       {
-                        "columnName": "entity_name_s",
-                        "identifier": "FullName"
+                        "identifier": "FullName",
+                        "columnName": "entity_name_s"
                       }
                     ]
                   }
@@ -1980,8 +1978,8 @@
                     "entityType": "Account",
                     "fieldMappings": [
                       {
-                        "columnName": "entity_name_s",
-                        "identifier": "FullName"
+                        "identifier": "FullName",
+                        "columnName": "entity_name_s"
                       }
                     ]
                   }
@@ -2090,8 +2088,8 @@
                     "entityType": "Account",
                     "fieldMappings": [
                       {
-                        "columnName": "entity_name_s",
-                        "identifier": "FullName"
+                        "identifier": "FullName",
+                        "columnName": "entity_name_s"
                       }
                     ]
                   }

Original file line number	Diff line number	Diff line change
`@@ -47,7 +47,6 @@`
`47`	`47`	`{`
`48`	`48`	`"type": "IsConnectedQuery",`
`49`	`49`	`"value": [`
`50`		`- "ZeroFoxAlertPoller_CL\n \| summarize LastLogReceived = max(TimeGenerated)\n \| project IsConnected = LastLogReceived > ago(3d)",`
`51`	`50`	`"ZeroFoxAlertPoller_CL\n \| summarize LastLogReceived = max(TimeGenerated)\n \| project IsConnected = LastLogReceived > ago(3d)"`
`52`	`51`	`]`
`53`	`52`	`}`
Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,7 @@`
`6`	`6`	`"properties": {`
`7`	`7`	`"dataCollectionEndpointId": "{{dataCollectionEndpointId}}",`
`8`	`8`	`"streamDeclarations": {`
`9`		`- "Custom-ZeroFoxAlertsPoller_CL": {`
	`9`	`+ "Custom-ZeroFoxAlertPoller_CL": {`
`10`	`10`	`"columns": [`
`11`	`11`	`{`
`12`	`12`	`"name": "alert_type",`
`@@ -162,12 +162,12 @@`
`162`	`162`	`"dataFlows": [`
`163`	`163`	`{`
`164`	`164`	`"streams": [`
`165`		`- "Custom-ZeroFoxAlertsPoller_CL"`
	`165`	`+ "Custom-ZeroFoxAlertPoller_CL"`
`166`	`166`	`],`
`167`	`167`	`"destinations": [`
`168`	`168`	`"clv2ws1"`
`169`	`169`	`],`
`170`		`- "transformKql": "source\n\| extend TimeGenerated = now()",`
	`170`	+ "transformKql": "source\n\| extend \n entity_id_d = toint(entity.id),\n entity_name_s = tostring(entity.name),\n entity_image_s = tostring(entity.image),\n entity_labels_s = tostring(entity.labels),\n entity_entity_group_id_d = toint(entity.entity_group_id),\n entity_entity_group_name_s = tostring(entity.entity_group_name),\n entity_term_s = tostring(entity.term),\n entity_account_s = tostring(entity.account),\n entity_email_receiver_id_s = tostring(entity.email_receiver_id),\n perpetrator_name_s = tostring(perpetrator.name),\n perpetrator_display_name_s = tostring(perpetrator.display_name),\n perpetrator_id_d = toint(perpetrator.id),\n perpetrator_url_s = tostring(perpetrator.url),\n perpetrator_content_s = tostring(perpetrator.content),\n perpetrator_type_s = tostring(perpetrator.type),\n perpetrator_timestamp_t = todatetime(perpetrator.timestamp),\n perpetrator_network_s = tostring(perpetrator.network),\n asset_id_d = toint(asset.id),\n asset_name_s = tostring(asset.name),\n asset_image_s = tostring(asset.image),\n asset_labels_s = tostring(asset.labels),\n asset_entity_group_id_d = toint(asset.entity_group_id),\n asset_entity_group_name_s = tostring(asset.entity_group_name),\n id_d = toint(id),\n Severity = toint(severity),\n rule_group_id_d = toint(rule_group_id),\n reviewed_b = tobool(reviewed),\n escalated_b = tobool(escalated),\n rule_id_d = toint(rule_id),\n last_modified_t = last_modified\n \| project-rename \n TimeGenerated = last_modified,\n alert_type_s = alert_type,\n logs_s = logs,\n offending_content_url_s = offending_content_url,\n asset_term_s = asset_term,\n assignee_s = assignee,\n content_created_at_t = content_created_at,\n entered_by_s = entered_by,\n metadata_s = metadata,\n status_s = status,\n rule_name_s = rule_name,\n protected_locations_s = protected_locations,\n darkweb_term_s = darkweb_term,\n business_network_s = business_network,\n network_s = network,\n protected_social_object_s = protected_social_object,\n notes_s = notes,\n reviews_s = reviews,\n tags_s = tags\n\| project TimeGenerated, alert_type_s, logs_s, offending_content_url_s, asset_term_s, assignee_s, entity_id_d, entity_name_s, entity_image_s, entity_labels_s, entity_entity_group_id_d, entity_entity_group_name_s, entity_term_s, content_created_at_t, id_d, Severity, perpetrator_name_s, perpetrator_display_name_s, perpetrator_id_d, perpetrator_url_s, perpetrator_content_s, perpetrator_type_s, perpetrator_timestamp_t, perpetrator_network_s, rule_group_id_d, asset_id_d, asset_name_s, asset_image_s, asset_labels_s, asset_entity_group_id_d, asset_entity_group_name_s, entered_by_s, metadata_s, status_s, rule_name_s, last_modified_t, protected_locations_s, darkweb_term_s, business_network_s, reviewed_b, escalated_b, network_s, protected_social_object_s, notes_s, reviews_s, rule_id_d, entity_account_s, entity_email_receiver_id_s, tags_s",
`171`	`171`	`"outputStream": "Custom-ZeroFoxAlertPoller_CL"`
`172`	`172`	`}`
`173`	`173`	`]`
Original file line number	Diff line number	Diff line change
`@@ -835,7 +835,7 @@`
`835`	`835`	`"resources": [`
`836`	`836`	`{`
`837`	`837`	`"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition2'))]",`
`838`		`- "apiVersion": "2022-09-01-preview",`
	`838`	`+ "apiVersion": "2025-09-01",`
`839`	`839`	`"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",`
`840`	`840`	`"location": "[parameters('workspace-location')]",`
`841`	`841`	`"kind": "Customizable",`
`@@ -877,7 +877,6 @@`
`877`	`877`	`{`
`878`	`878`	`"type": "IsConnectedQuery",`
`879`	`879`	`"value": [`
`880`		`- "ZeroFoxAlertPoller_CL\n \| summarize LastLogReceived = max(TimeGenerated)\n \| project IsConnected = LastLogReceived > ago(3d)",`
`881`	`880`	`"ZeroFoxAlertPoller_CL\n \| summarize LastLogReceived = max(TimeGenerated)\n \| project IsConnected = LastLogReceived > ago(3d)"`
`882`	`881`	`]`
`883`	`882`	`}`
`@@ -975,14 +974,14 @@`
`975`	`974`	`},`
`976`	`975`	`{`
`977`	`976`	`"name": "AlertsDCR",`
`978`		`- "apiVersion": "2022-06-01",`
	`977`	`+ "apiVersion": "2024-03-11",`
`979`	`978`	`"type": "Microsoft.Insights/dataCollectionRules",`
`980`	`979`	`"location": "[parameters('workspace-location')]",`
`981`	`980`	`"kind": "[variables('blanks')]",`
`982`	`981`	`"properties": {`
`983`	`982`	`"dataCollectionEndpointId": "[variables('dataCollectionEndpointId2')]",`
`984`	`983`	`"streamDeclarations": {`
`985`		`- "Custom-ZeroFoxAlertsPoller_CL": {`
	`984`	`+ "Custom-ZeroFoxAlertPoller_CL": {`
`986`	`985`	`"columns": [`
`987`	`986`	`{`
`988`	`987`	`"name": "alert_type",`
`@@ -1138,20 +1137,20 @@`
`1138`	`1137`	`"dataFlows": [`
`1139`	`1138`	`{`
`1140`	`1139`	`"streams": [`
`1141`		`- "Custom-ZeroFoxAlertsPoller_CL"`
	`1140`	`+ "Custom-ZeroFoxAlertPoller_CL"`
`1142`	`1141`	`],`
`1143`	`1142`	`"destinations": [`
`1144`	`1143`	`"clv2ws1"`
`1145`	`1144`	`],`
`1146`		`- "transformKql": "source\n\| extend TimeGenerated = now()",`
	`1145`	+ "transformKql": "source\n\| extend \n entity_id_d = toint(entity.id),\n entity_name_s = tostring(entity.name),\n entity_image_s = tostring(entity.image),\n entity_labels_s = tostring(entity.labels),\n entity_entity_group_id_d = toint(entity.entity_group_id),\n entity_entity_group_name_s = tostring(entity.entity_group_name),\n entity_term_s = tostring(entity.term),\n entity_account_s = tostring(entity.account),\n entity_email_receiver_id_s = tostring(entity.email_receiver_id),\n perpetrator_name_s = tostring(perpetrator.name),\n perpetrator_display_name_s = tostring(perpetrator.display_name),\n perpetrator_id_d = toint(perpetrator.id),\n perpetrator_url_s = tostring(perpetrator.url),\n perpetrator_content_s = tostring(perpetrator.content),\n perpetrator_type_s = tostring(perpetrator.type),\n perpetrator_timestamp_t = todatetime(perpetrator.timestamp),\n perpetrator_network_s = tostring(perpetrator.network),\n asset_id_d = toint(asset.id),\n asset_name_s = tostring(asset.name),\n asset_image_s = tostring(asset.image),\n asset_labels_s = tostring(asset.labels),\n asset_entity_group_id_d = toint(asset.entity_group_id),\n asset_entity_group_name_s = tostring(asset.entity_group_name),\n id_d = toint(id),\n Severity = toint(severity),\n rule_group_id_d = toint(rule_group_id),\n reviewed_b = tobool(reviewed),\n escalated_b = tobool(escalated),\n rule_id_d = toint(rule_id),\n last_modified_t = last_modified\n \| project-rename \n TimeGenerated = last_modified,\n alert_type_s = alert_type,\n logs_s = logs,\n offending_content_url_s = offending_content_url,\n asset_term_s = asset_term,\n assignee_s = assignee,\n content_created_at_t = content_created_at,\n entered_by_s = entered_by,\n metadata_s = metadata,\n status_s = status,\n rule_name_s = rule_name,\n protected_locations_s = protected_locations,\n darkweb_term_s = darkweb_term,\n business_network_s = business_network,\n network_s = network,\n protected_social_object_s = protected_social_object,\n notes_s = notes,\n reviews_s = reviews,\n tags_s = tags\n\| project TimeGenerated, alert_type_s, logs_s, offending_content_url_s, asset_term_s, assignee_s, entity_id_d, entity_name_s, entity_image_s, entity_labels_s, entity_entity_group_id_d, entity_entity_group_name_s, entity_term_s, content_created_at_t, id_d, Severity, perpetrator_name_s, perpetrator_display_name_s, perpetrator_id_d, perpetrator_url_s, perpetrator_content_s, perpetrator_type_s, perpetrator_timestamp_t, perpetrator_network_s, rule_group_id_d, asset_id_d, asset_name_s, asset_image_s, asset_labels_s, asset_entity_group_id_d, asset_entity_group_name_s, entered_by_s, metadata_s, status_s, rule_name_s, last_modified_t, protected_locations_s, darkweb_term_s, business_network_s, reviewed_b, escalated_b, network_s, protected_social_object_s, notes_s, reviews_s, rule_id_d, entity_account_s, entity_email_receiver_id_s, tags_s",
`1147`	`1146`	`"outputStream": "Custom-ZeroFoxAlertPoller_CL"`
`1148`	`1147`	`}`
`1149`	`1148`	`]`
`1150`	`1149`	`}`
`1151`	`1150`	`},`
`1152`	`1151`	`{`
`1153`	`1152`	`"name": "ZeroFoxAlertPoller_CL",`
`1154`		`- "apiVersion": "2022-10-01",`
	`1153`	`+ "apiVersion": "2025-07-01",`
`1155`	`1154`	`"type": "Microsoft.OperationalInsights/workspaces/tables",`
`1156`	`1155`	`"location": "[parameters('workspace-location')]",`
`1157`	`1156`	`"kind": null,`
`@@ -1426,7 +1425,7 @@`
`1426`	`1425`	`},`
`1427`	`1426`	`{`
`1428`	`1427`	`"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition2'))]",`
`1429`		`- "apiVersion": "2022-09-01-preview",`
	`1428`	`+ "apiVersion": "2025-09-01",`
`1430`	`1429`	`"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",`
`1431`	`1430`	`"location": "[parameters('workspace-location')]",`
`1432`	`1431`	`"kind": "Customizable",`
`@@ -1468,7 +1467,6 @@`
`1468`	`1467`	`{`
`1469`	`1468`	`"type": "IsConnectedQuery",`
`1470`	`1469`	`"value": [`
`1471`		`- "ZeroFoxAlertPoller_CL\n \| summarize LastLogReceived = max(TimeGenerated)\n \| project IsConnected = LastLogReceived > ago(3d)",`
`1472`	`1470`	`"ZeroFoxAlertPoller_CL\n \| summarize LastLogReceived = max(TimeGenerated)\n \| project IsConnected = LastLogReceived > ago(3d)"`
`1473`	`1471`	`]`
`1474`	`1472`	`}`
`@@ -1642,7 +1640,7 @@`
`1642`	`1640`	`},`
`1643`	`1641`	`{`
`1644`	`1642`	`"name": "[[concat(parameters('innerWorkspace'),'/Microsoft.SecurityInsights/', 'ZeroFoxAlertsPoller', parameters('guidValue'))]",`
`1645`		`- "apiVersion": "2023-02-01-preview",`
	`1643`	`+ "apiVersion": "2025-09-01",`
`1646`	`1644`	`"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",`
`1647`	`1645`	`"location": "[parameters('workspace-location')]",`
`1648`	`1646`	`"kind": "RestApiPoller",`
`@@ -1760,8 +1758,8 @@`
`1760`	`1758`	`"entityType": "Account",`
`1761`	`1759`	`"fieldMappings": [`
`1762`	`1760`	`{`
`1763`		`- "columnName": "entity_name_s",`
`1764`		`- "identifier": "FullName"`
	`1761`	`+ "identifier": "FullName",`
	`1762`	`+ "columnName": "entity_name_s"`
`1765`	`1763`	`}`
`1766`	`1764`	`]`
`1767`	`1765`	`}`
`@@ -1870,8 +1868,8 @@`
`1870`	`1868`	`"entityType": "Account",`
`1871`	`1869`	`"fieldMappings": [`
`1872`	`1870`	`{`
`1873`		`- "columnName": "entity_name_s",`
`1874`		`- "identifier": "FullName"`
	`1871`	`+ "identifier": "FullName",`
	`1872`	`+ "columnName": "entity_name_s"`
`1875`	`1873`	`}`
`1876`	`1874`	`]`
`1877`	`1875`	`}`
`@@ -1980,8 +1978,8 @@`
`1980`	`1978`	`"entityType": "Account",`
`1981`	`1979`	`"fieldMappings": [`
`1982`	`1980`	`{`
`1983`		`- "columnName": "entity_name_s",`
`1984`		`- "identifier": "FullName"`
	`1981`	`+ "identifier": "FullName",`
	`1982`	`+ "columnName": "entity_name_s"`
`1985`	`1983`	`}`
`1986`	`1984`	`]`
`1987`	`1985`	`}`
`@@ -2090,8 +2088,8 @@`
`2090`	`2088`	`"entityType": "Account",`
`2091`	`2089`	`"fieldMappings": [`
`2092`	`2090`	`{`
`2093`		`- "columnName": "entity_name_s",`
`2094`		`- "identifier": "FullName"`
	`2091`	`+ "identifier": "FullName",`
	`2092`	`+ "columnName": "entity_name_s"`
`2095`	`2093`	`}`
`2096`	`2094`	`]`
`2097`	`2095`	`}`