Modern security operations demand scalable, reliable, and secure ways to integrate data sources into Microsoft Sentinel. Traditionally, building a custom connector meant writing and maintaining an Azure Function to poll APIs or handle ingestion logic. While powerful, function-based connectors often introduced challenges around performance, cost, and security configuration.

Enter the Codeless Connector Framework (CCF) - a game-changing approach to building Microsoft Sentinel data connectors without writing a single line of code.

1. From Code to Codeless: The Problem CCF Solves in Microsoft Sentinel

The Codeless Connector Framework (CCF) is a Microsoft Sentinel platform capability that allows you to build and publish fully managed data connectors without writing or maintaining custom code. Instead of spinning up Azure Functions to fetch and push logs or threat intelligence data, CCF provides a built-in, scalable Poller-as-a-Service, supported by Microsoft Sentinel’s Data Collection Rules (DCRs) and customizable connector UI.

Why does this matter?

• Performance: CCF connectors are backed by Microsoft’s polling service, capable of handling high-throughput endpoints with fewer failures compared to Azure Functions. No more function timeouts or scaling headaches.
• Security: CCF connectors are secure by default. They reduce risks of misconfiguration, credential leaks, or missing best practices (e.g., VNET restrictions) that often occur with Azure Functions.
• Ease of Use: With CCF, connector builders define ingestion pipelines declaratively (via ARM templates or APIs). No coding or service management required.

In short: CCF modernizes connector development, cutting down complexity while boosting performance and security.

2. The Big Wins: What You Gain with CCF

CCF isn’t just about removing code-it’s about transforming how Microsoft Sentinel connectors are built, deployed, and operated. Here are the key advantages:

• Simplicity for Engineering Teams
  Build connectors declaratively-no need to write, deploy, or debug Azure Functions.
• No-Code REST API Integration
  Quickly connect to public REST APIs without implementing authentication, pagination, or error handling logic in code.
• Scalable Built-in Poller
  CCF provides a fully managed polling service. It’s more performant than Function App polling connectors and eliminates compute costs for customers.
• Data Collection Rules (DCR) Support
  Perform ingestion-time transformations and filtering. This means partners can normalize logs or filter noisy events before ingestion, reducing Sentinel costs.
• Configurable UI for Connectors
  Build a connector UI page with branded descriptions, sample KQL queries, and easy configuration fields.
• Ingestion Cost Savings
  Filtering at ingestion time and optimized pipelines lower overall ingestion costs.
• Monitoring & Health Integration
  CCF integrates with Microsoft Sentinel Connector Health for out-of-the-box health monitoring and troubleshooting.
• Customer Simplicity
  End-users get an easy-to-configure SaaS experience: no service installations, no custom scripts.
• Higher Security Standards
  Unlike Azure Functions, CCF doesn’t expose credentials in code or connection strings. It follows Microsoft’s secure-by-default design.
• SaaS, Not Infrastructure
  No infrastructure (like Function Apps or VMs) to manage-connectors are fully SaaS.
• Ease of Use for Developers
  Declarative templates reduce the learning curve for new developers.
• Lower Costs at Scale
  Large-scale partners (e.g., firewall vendors) have seen up to 50% savings in ingestion scenarios.
• Higher Throughput Support
  Designed for high-volume data streams without risk of function app throttling or failures.
• Secure by Default
  Eliminates common misconfigurations and enforces Microsoft security best practices.

3. Knowing the Limits: When CCF Shines and When Functions Fit Better

While CCF is powerful, it’s not a silver bullet.

CCF Limitations:

• Designed for polling REST APIs and simple ingestion pipelines.
• Limited flexibility for complex business logic, multi-endpoint orchestration, or advanced transformations.
• Some scenarios (e.g., custom protocol parsing, pre-ingestion analytics) may still require Azure Functions or custom ingestion pipelines.

Use CCF when:

• Your data source exposes REST APIs.
• You want a secure, cost-effective, and scalable ingestion pipeline.
• You need fast time-to-market with minimal development effort.

Use Azure Functions when:

• Complex workflows, branching logic, or multiple API calls are needed.
• You need pre-processing beyond what DCR transforms can handle.
• Your ingestion involves non-HTTP protocols or advanced custom authentication schemes.

4. From Zero to Connector: Creating a CCF Connector Made Simple (Step-by-Step)

Building a CCF connector is straightforward. Here’s a high-level guide  

Prerequisites

• Microsoft Sentinel workspace in your Azure subscription.
• A Data Collection Endpoint (DCE) in the same region as the workspace.
• Familiarity with ARM templates and JSON schemas.
• Details of the target REST API (auth, pagination, JSON schema).

Steps

1. Create or identify your Data Collection Endpoint (DCE)
   Must be in the same region as your Sentinel workspace.

2. Define a Data Collection Rule (DCR)
   Map API fields into your Sentinel table using KQL transforms.
   Normalize fields as per ASIM schemas.

3. Create a custom table (if needed)
   Define schema with relevant fields (e.g., TimeGenerated, EventId, Severity).

4. Define the Connector UI (Data Connector Definitions)
   Configure title, publisher, description, sample queries, and UI input fields.
   This creates the page in Sentinel → Data connectors.

5. Configure the Poller (Data Connector)
   Set authentication (OAuth2, API key, etc.), polling schedule, pagination type, and event extraction paths.
   Bind the connector to your DCR and target table.

6. Deploy via ARM Template
   Deploy all resources (DCE, DCR, Table, Connector UI, Poller) as a single ARM template.

7. Validate in Sentinel
   Open the connector in Sentinel → enter credentials → click Connect.
   Verify ingestion by running sample KQL queries against your table.

Final Thoughts

The Codeless Connector Framework (CCF) is a leap forward in how Microsoft Sentinel ingests data. By removing the need for custom code, offering SaaS-based polling, and providing secure-by-default pipelines, CCF makes connector development simpler, faster, and safer-both for security vendors and enterprise teams.

For most REST API sources, CCF should be the default choice. Azure Functions remain a fallback for highly complex or specialized connectors, but the future of Sentinel data ingestion is clearly codeless.
‍
Ready to build your first CCF connector? Check out the official documentation and watch the step-by-step video tutorial.