Modern security operations demand scalable, reliable, and secure ways to integrate data sources into Microsoft Sentinel. Traditionally, building a custom connector meant writing and maintaining an Azure Function to poll APIs or handle ingestion logic. While powerful, function-based connectors often introduced challenges around performance, cost, and security configuration.
Enter the Codeless Connector Framework (CCF) - a game-changing approach to building Microsoft Sentinel data connectors without writing a single line of code.
1. From Code to Codeless: The Problem CCF Solves in Microsoft Sentinel
The Codeless Connector Framework (CCF) is a Microsoft Sentinel platform capability that allows you to build and publish fully managed data connectors without writing or maintaining custom code. Instead of spinning up Azure Functions to fetch and push logs or threat intelligence data, CCF provides a built-in, scalable Poller-as-a-Service, supported by Microsoft Sentinel’s Data Collection Rules (DCRs) and customizable connector UI.
Why does this matter?
- Performance: CCF connectors are backed by Microsoft’s polling service, capable of handling high-throughput endpoints with fewer failures compared to Azure Functions. No more function timeouts or scaling headaches.
- Security: CCF connectors are secure by default. They reduce risks of misconfiguration, credential leaks, or missing best practices (e.g., VNET restrictions) that often occur with Azure Functions.
- Ease of Use: With CCF, connector builders define ingestion pipelines declaratively (via ARM templates or APIs). No coding or service management required.
In short: CCF modernizes connector development, cutting down complexity while boosting performance and security.
2. The Big Wins: What You Gain with CCF
CCF isn’t just about removing code: it’s about transforming how Microsoft Sentinel connectors are built, deployed, and operated. Here are the key advantages:
- Simplicity for Engineering Teams
Build connectors declaratively, with no need to write, deploy, or debug Azure Functions.
- No-Code REST API Integration
Quickly connect to public REST APIs without implementing authentication, pagination, or error handling logic in code.
- Scalable Built-in Poller
CCF provides a fully managed polling service. It’s more performant than Function App polling connectors and eliminates compute costs for customers.
- Data Collection Rules (DCR) Support
Perform ingestion-time transformations and filtering. This means partners can normalize logs or filter noisy events before ingestion, reducing Sentinel costs.
- Configurable UI for Connectors
Build a connector UI page with branded descriptions, sample KQL queries, and easy configuration fields.
- Ingestion Cost Savings
Filtering at ingestion time and optimized pipelines lower overall ingestion costs.
- Monitoring & Health Integration
CCF integrates with Microsoft Sentinel Connector Health for out-of-the-box health monitoring and troubleshooting.
- Customer Simplicity
End users get an easy-to-configure SaaS experience: no service installations, no custom scripts.
- Higher Security Standards
Unlike Azure Functions, CCF doesn’t expose credentials in code or connection strings. It follows Microsoft’s secure-by-default design.
- SaaS, Not Infrastructure
No infrastructure (such as Function Apps or VMs) to manage; connectors are fully SaaS.
- Ease of Use for Developers
Declarative templates reduce the learning curve for new developers.
- Lower Costs at Scale
Large-scale partners (e.g., firewall vendors) have seen up to 50% savings in ingestion scenarios.
- Higher Throughput Support
Designed for high-volume data streams without risk of function app throttling or failures.
- Secure by Default
Eliminates common misconfigurations and enforces Microsoft security best practices.
3. Knowing the Limits: When CCF Shines and When Functions Fit Better
While CCF is powerful, it’s not a silver bullet.
CCF Limitations:
- Designed for polling REST APIs and simple ingestion pipelines.
- Limited flexibility for complex business logic, multi-endpoint orchestration, or advanced transformations.
- Some scenarios (e.g., custom protocol parsing, pre-ingestion analytics) may still require Azure Functions or custom ingestion pipelines.
Use CCF when:
- Your data source exposes REST APIs.
- You want a secure, cost-effective, and scalable ingestion pipeline.
- You need fast time-to-market with minimal development effort.
Use Azure Functions when:
- Complex workflows, branching logic, or multiple API calls are needed.
- You need pre-processing beyond what DCR transforms can handle.
- Your ingestion involves non-HTTP protocols or advanced custom authentication schemes.
4. From Zero to Connector: Creating a CCF Connector Made Simple (Step-by-Step)
Building a CCF connector is straightforward. Here’s a high-level guide.
Prerequisites
- Microsoft Sentinel workspace in your Azure subscription.
- A Data Collection Endpoint (DCE) in the same region as the workspace.
- Familiarity with ARM templates and JSON schemas.
- Details of the target REST API (auth, pagination, JSON schema).
Steps
- Create or identify your Data Collection Endpoint (DCE)
Must be in the same region as your Sentinel workspace.
- Define a Data Collection Rule (DCR)
Map API fields into your Sentinel table using KQL transforms.
Normalize fields as per ASIM schemas.
- Create a custom table (if needed)
Define schema with relevant fields (e.g., TimeGenerated, EventId, Severity).
- Define the Connector UI (Data Connector Definitions)
Configure title, publisher, description, sample queries, and UI input fields.
This creates the page in Sentinel → Data connectors.
- Configure the Poller (Data Connector)
Set authentication (OAuth2, API key, etc.), polling schedule, pagination type, and event extraction paths.
Bind the connector to your DCR and target table.
- Deploy via ARM Template
Deploy all resources (DCE, DCR, Table, Connector UI, Poller) as a single ARM template.
- Validate in Sentinel
Open the connector in Sentinel → enter credentials → click Connect.
Verify ingestion by running sample KQL queries against your table.
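As an added example (not from the original post and not Microsoft's own template), here is what the poller step above produces as a stand-alone ARM resource for a hypothetical vendor API. The resource type, kind and property names follow the public RestApiPoller connector reference as the editor understands it and should be checked against the current schema; the endpoint, table, stream, query parameter and template parameter names are constructed placeholders. Note that the API key arrives through a template parameter collected on the connector page rather than being embedded anywhere in code, which is the secure-by-default point made earlier.

```jsonc
{
  // Stand-alone ARM resource for the CCF poller; property names follow the public RestApiPoller reference (editor's assumption).
  "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
  "apiVersion": "2022-12-01-preview",
  "name": "[concat(parameters('workspace'), '/Microsoft.SecurityInsights/ExampleVendorPoller')]",
  "location": "[parameters('workspaceLocation')]",
  "kind": "RestApiPoller",
  "properties": {
    // Must equal the name of the dataConnectorDefinitions resource (the connector UI page).
    "connectorDefinitionName": "ExampleVendorDefinition",
    "dataType": "ExampleVendorEvents_CL",
    // Binds the poller to the DCE, DCR and stream created in the earlier steps.
    "dcrConfig": {
      "dataCollectionEndpoint": "<DCE logs ingestion endpoint URL>",
      "dataCollectionRuleImmutableId": "<immutableId of the DCR>",
      "streamName": "Custom-ExampleVendorEvents_CL"
    },
    // The key comes from a secure template parameter filled in on the connector page; it is never embedded in code or an app setting.
    "auth": {
      "type": "APIKey",
      "ApiKeyName": "Authorization",
      "ApiKeyIdentifier": "Bearer",
      "ApiKey": "[parameters('apiKey')]"
    },
    // Time-windowed polling (constructed endpoint and query parameter names).
    "request": {
      "apiEndpoint": "https://api.example-vendor.invalid/v1/events",
      "httpMethod": "GET",
      "queryWindowInMin": 5,
      "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
      "startTimeAttributeName": "from",
      "endTimeAttributeName": "to",
      "rateLimitQPS": 10,
      "retryCount": 3,
      "timeoutInSeconds": 60,
      "headers": { "Accept": "application/json" }
    },
    // JSONPath to the array of events inside each response body.
    "response": {
      "eventsJsonPaths": [ "$.events" ],
      "format": "json"
    },
    "paging": {
      "pagingType": "NextPageToken",
      "nextPageTokenJsonPath": "$.next_cursor",
      "nextPageParaName": "cursor"
    }
  }
}
```

When this resource is packaged inside a Sentinel solution's main template rather than deployed on its own, the template expressions are escaped as `[[...]` so the outer template does not evaluate them.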
Final Thoughts
The Codeless Connector Framework (CCF) is a leap forward in how Microsoft Sentinel ingests data. By removing the need for custom code, offering SaaS-based polling, and providing secure-by-default pipelines, CCF makes connector development simpler, faster, and safer, both for security vendors and enterprise teams.
For most REST API sources, CCF should be the default choice. Azure Functions remain a fallback for highly complex or specialized connectors, but the future of Sentinel data ingestion is clearly codeless.
Ready to build your first CCF connector? Check out the official documentation and watch the step-by-step video tutorial.
About Loginsoft
For over 20 years, leading companies in Telecom, Cybersecurity, Healthcare, Banking, New Media, and more have come to rely on Loginsoft as a trusted resource for technology talent. From startups to product companies and enterprises, clients rely on our services. Whether Onsite, Offsite, or Offshore, we deliver. With a track record of successful partnerships with leading technology companies globally, and specifically in the past 6 years with Cybersecurity product companies, Loginsoft offers a comprehensive range of security offerings, including Software Supply Chain, Vulnerability Management, Threat Intelligence, Cloud Security, Cybersecurity Platform Integrations, creating content packs for Cloud SIEM, Logs onboarding and more. Our commitment to innovation and expertise has positioned us as a trusted player in the cybersecurity space. Loginsoft continues to provide traditional IT services, including Software development & Support, QA automation, Data Science & AI, etc.
Expertise in Integrations with Threat Intelligence and Security Products: Built more than 250 integrations with leading TIP, SIEM, SOAR, and Ticketing Platforms such as Cortex XSOAR, Anomali, ThreatQ, Splunk, IBM QRadar & Resilient, Microsoft Azure Sentinel, ServiceNow, Swimlane, Siemplify, MISP, Maltego, Cryptocurrency Digital Exchange Platforms, Cisco, Datadog, Symantec, Carbon Black, F5, Fortinet, and so on. Loginsoft is a partner with industry-leading technology vendors Palo Alto, Splunk, Elastic, IBM Security, etc.
In addition, Loginsoft offers Research as a service: We're more than just experts in cybersecurity; we're your accredited in-house research team focused on unraveling the complexities of cybersecurity and future technologies. From Application Security to Threat Research, our seasoned professionals have cultivated expertise in every facet of the field. We've earned the trust of over 20 security platform companies, who count on our research and analysis to strengthen their cybersecurity solutions.
Interested in learning more? Let’s start a conversation.