Skip to content

Add RetailShield custom table schema definitions (data connector ARM template)#77

Merged
TFT444 merged 3 commits into
devfrom
feature/data-connector-definition
Jun 6, 2026
Merged

Add RetailShield custom table schema definitions (data connector ARM template)#77
TFT444 merged 3 commits into
devfrom
feature/data-connector-definition

Conversation

@TFT444
Copy link
Copy Markdown
Owner

@TFT444 TFT444 commented Jun 4, 2026

Summary

Closes #70

Adds the ARM template that provisions RetailShield_POS_CL and RetailShield_Logs_CL — the two custom Log Analytics tables required by RetailShield detection rules — along with a README documenting their schemas.

Files added

sentinel/data-connectors/
├── retailshield-connector.json   ARM template: creates both custom tables
└── README.md                     Schema reference + ingestion guide

What the template does

Deploys both tables via Microsoft.OperationalInsights/workspaces/tables (API 2022-10-01) with explicit column definitions including types and descriptions. This must be run before deploying analytics rules or ingesting POS/log data.

RetailShield_POS_CL — 19 columns covering: TerminalID, StoreID, EmployeeID, OperatorID, TransactionType, TransactionAmount, VoidCount, RefundCount, GiftCardID, TotalGiftCardValue, RiskScore, PlaybookTrigger, and more.

RetailShield_Logs_CL — 17 columns covering: EventType (voice_fraud / pos_anomaly / network_anomaly), CallerID, CallCount, VoiceAnomalyScore, ProcessName, DeviceName, RiskScore, PlaybookTrigger, and more.

How to test

  1. Deploy to a dev workspace:

    az deployment group create \
  --resource-group <rg> \
  --template-file sentinel/data-connectors/retailshield-connector.json \
  --parameters workspaceName=<workspace>

  2. Verify tables exist in the workspace:

    az monitor log-analytics workspace table show \
  --resource-group <rg> \
  --workspace-name <workspace> \
  --name RetailShield_POS_CL
az monitor log-analytics workspace table show \
  --resource-group <rg> \
  --workspace-name <workspace> \
  --name RetailShield_Logs_CL

  3. Confirm schema — the response from each table show command should list all columns with the correct types.

  4. JSON validation: python -m json.tool sentinel/data-connectors/retailshield-connector.json

Generated by Claude Code

@TFT444
Add RetailShield custom table definitions as data connector ARM template
ef1dc95 
Defines RetailShield_POS_CL and RetailShield_Logs_CL custom Log Analytics
table schemas with full column definitions, types, and descriptions.
Includes README documenting ingestion endpoints and standard table dependencies.

Closes #70
@vercel
Copy link
Copy Markdown

vercel Bot commented Jun 4, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
retail-shield Ready Ready Preview, Comment Jun 5, 2026 2:00pm

TFT444 added 2 commits June 5, 2026 13:59
@TFT444
Fix corrupted test file: restore proper newlines in test_kql_rules.py
3821a38 
The file was stored with literal \n sequences instead of real newlines
(MCP push_files encoding bug from previous session), causing syntax
errors in pytest and flake8 on every branch forked from dev.
@TFT444
Fix E127 flake8 in test_kql_rules.py (continuation line indent)
17ffc42
@TFT444 TFT444 merged commit 2a282fc into dev Jun 6, 2026
8 checks passed
@TFT444 TFT444 deleted the feature/data-connector-definition branch June 6, 2026 10:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@TFT444