1,590 changes: 59 additions & 1,531 deletions Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_DCR.json

Expand Up @@ -11,80 +11,31 @@
"publisher": "Halcyon",
"logo": "halcyon.svg",
"descriptionMarkdown": "The [Halcyon](https://www.halcyon.ai) connector provides the capability to send data from Halcyon to Microsoft Sentinel.",
"graphQueries": [
{
"metricName": "Authentication Events",
"legend": "HalcyonAuthenticationEvents_CL",
"baseQuery": "HalcyonAuthenticationEvents_CL"
},
{
"metricName": "DNS Activity",
"legend": "HalcyonDnsActivity_CL",
"baseQuery": "HalcyonDnsActivity_CL"
},
{
"metricName": "File Activity",
"legend": "HalcyonFileActivity_CL",
"baseQuery": "HalcyonFileActivity_CL"
},
{
"metricName": "Network Sessions",
"legend": "HalcyonNetworkSession_CL",
"baseQuery": "HalcyonNetworkSession_CL"
},
"sampleQueries": [
{
"metricName": "Process Events",
"legend": "HalcyonProcessEvent_CL",
"baseQuery": "HalcyonProcessEvent_CL"
"description": "View recent events",
"query": "HalcyonEvents_CL\n| where TimeGenerated > ago(24h)\n| sort by TimeGenerated desc\n"
}
],
"sampleQueries": [
{
"description": "Get Sample Authentication Events",
"query": "HalcyonAuthenticationEvents_CL\n | take 10"
},
{
"description": "Get Sample DNS Activity",
"query": "HalcyonDnsActivity_CL\n | take 10"
},
{
"description": "Get Sample File Activity",
"query": "HalcyonFileActivity_CL\n | take 10"
},
{
"description": "Get Sample Network Sessions",
"query": "HalcyonNetworkSession_CL\n | take 10"
},
"graphQueries": [
{
"description": "Get Sample Process Events",
"query": "HalcyonProcessEvent_CL\n | take 10"
"metricName": "Events",
"legend": "HalcyonEvents_CL",
"baseQuery": "HalcyonEvents_CL"
}
],
"dataTypes": [
{
"name": "Halcyon Authentication Events",
"lastDataReceivedQuery": "HalcyonAuthenticationEvents_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "Halcyon DNS Activity",
"lastDataReceivedQuery": "HalcyonDnsActivity_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "Halcyon File Activity",
"lastDataReceivedQuery": "HalcyonFileActivity_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "Halcyon Network Sessions",
"lastDataReceivedQuery": "HalcyonNetworkSession_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "Halcyon Process Events",
"lastDataReceivedQuery": "HalcyonProcessEvent_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
"name": "Halcyon Events",
"lastDataReceivedQuery": "HalcyonEvents_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriteria": [
{
"type": "HasDataConnectors"
"type": "IsConnectedQuery",
"value": [
"HalcyonEvents_CL | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7d)"
]
}
],
"availability": {
Expand Down Expand Up @@ -129,14 +80,14 @@
{
"parameters": {
"label": "Deploy Halcyon Connector Resources",
"applicationDisplayName": "Halcyon Connector Application"
"applicationDisplayName": "Halcyon Sentinel Connector"
},
"type": "DeployPushConnectorButton"
}
]
},
{
"title": "2. Configured your integration in the Halcyon Platform",
"title": "2. Configure your integration in the Halcyon Platform",
"description": "Use the following parameters to configure your integration in the Halcyon Platform.",
"instructions": [
{
Expand Down Expand Up @@ -180,7 +131,7 @@
},
{
"parameters": {
"label": "Data Collection Rule Immutable ID (Rule ID)",
"label": "Data Collection Rule ID (Rule ID)",
"fillWith": [
"DataCollectionRuleId"
],
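Review bot: The relabelling to `"label": "Data Collection Rule ID (Rule ID)"` in the last hunk drops the word "Immutable", which the old label used to distinguish the DCR immutable ID (the value the Logs Ingestion API expects on its ingestion endpoint) from the DCR's ARM resource ID; if `"fillWith": ["DataCollectionRuleId"]` still resolves to the immutable ID, a user copying this field into the Halcyon platform is now more likely to paste the wrong identifier. Suggest keeping the qualifier, e.g. `"label": "Data Collection Rule Immutable ID (Rule ID)"`, or adding a `"description"` stating which of the two IDs is supplied, since I cannot see from this hunk whether the instruction object already carries one. Separately, the new `IsConnectedQuery` in the first hunk reports the connector as connected while any `HalcyonEvents_CL` row is newer than `ago(7d)`, whereas the sample query on the same table looks at 24h; a seven-day grace window means an ingestion outage surfaces on the connector page up to a week late, so consider whether a tighter window suits this source. The instruction objects in both later hunks begin and end outside the visible lines.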