Action Required: Transition from HTTP Data Collector API in Microsoft Sentinel

Microsoft Sentinel continues to evolve to provide more secure, scalable, and reliable data ingestion experiences. As part of this evolution, we want to remind customers and partners of an important upcoming change that may impact custom data ingestion and integrations like detection rules, playbooks etc.

HTTP Data Collector API will no longer be eligible for Incident Support after September 2026

Starting September 14, 2026, connectors and tables that rely on the legacy HTTP Data Collector API will no longer be eligible for incident support in Microsoft Sentinel, consistent with Azure’s 2024 announcement.

Any data sources, custom integrations, or connectors that continue to rely on the HTTP Data Collector API beyond this date may experience ingestion issues. We highly recommend customers transition to a supported ingestion alternative before this deadline, to avoid any service interruptions.

Who is impacted?

You may be impacted by this change if you are using:

• Custom-built scripts or applications that ingest data using the HTTP Data Collector API.
• Any custom data connectors (likely built as Azure Functions) with HTTP Collector API.
• Any data connector from the in-product Content Hub, provided by Microsoft or one of our partner ISVs, that will be rewritten prior to the API deprecation date.
• Classic custom log tables (usually marked type: Classic) created using HTTP Data Collector API.

Recommended migration paths

We recommend transitioning to supported, DCR‑based ingestion methods. The appropriate path depends on how data is currently ingested.

1. Update to the latest connector version in Content Hub (Recommended for most customers):

For customers using Microsoft or partner‑provided connectors:

• Many existing connectors have been released with new versions using modern ingestion and are available as updated versions in the Content Hub.
• These newer versions use DCR‑based ingestion and are fully supported.

1.1 Identify the Connector

• Go to Microsoft Defender portal
• Navigate to Content Hub
• Search for the connector you are currently using, If your existing connector mentions HTTP Data Collector API.

1.2  Install the New CCF Connector 

• Navigate to Content Hub
• Search for the same connector name 
• Select the version labeled “(via Codeless Connector Framework)”
• Click Install/Update the CCF connector and complete the setup wizard (authentication, configuration, polling schedule, etc.)  

Note: As Microsoft Sentinel transitions to the Codeless Connector Framework (CCF), customers migrating from Azure Functions–based connectors should expect intentional architectural changes. These include new or updated table names and schemas using the Log Ingestion API, and a move to Data Collection Rules (DCRs) and Data Collection Endpoints (DCEs) for modern, governed ingestion.

Both connectors may coexist temporarily; installing the CCF connector does not automatically remove the Azure Function connector.

 1.3   Validate Data Ingestion 

• Confirm new data is flowing into CCF backed tables.
• Monitor ingestion for a stabilization period (typically several days).
• Validate that Logs are flowing as expected, there are no ingestion errors and expected log volume is observed.

1.4 Migrate Dependent Content 

Update any workloads out of Microsoft provided content types that depend on the old Azure Function–based tables: 

• Analytics rules 
• Hunting queries 
• Workbooks 
• Playbooks / automations 
• Parsers or custom queries 

2. Logs Ingestion API (for custom applications and direct ingestion)

For customers or ISV partners that ingest data directly into Sentinel tables using custom applications:

The Azure Monitor Logs Ingestion API is the supported replacement for the legacy HTTP Data Collector API.

Key benefits:

• Secure, OAuth‑based authentication
• Data Collection Rules (DCRs) for schema control
• Improved reliability, scalability, and governance
• Long‑term platform support

Customers using custom ingestion pipelines should plan to migrate their applications to the Logs Ingestion API prior to the deprecation date.

Migration Benefits (Azure Function → CCF)

• Lower Total Cost of Ownership (TCO) , no infra: saves compute cost and eliminates infrastructure maintenance.
• One‑time modernization: clean queries (no type suffixes) and one‑time migration with no ongoing API churn.
• Built‑in data shaping & quality gates: transformations (filter/modify during ingestion) plus schema validation to enforce ingestion quality.
• Flexible routing & modern tables: multiple destinations (route to multiple tables) with modern table format for better performance/features.
• Governed & future‑proof ingestion: granular RBAC (DCR + identity control), Sentinel data lake mirroring / lake‑only ingestion, and Microsoft’s supported API going forward.

Summary

The transition from the HTTP Data Collector API to the Azure Monitor Logs Ingestion API is essential to ensure continued data ingestion and improved security. The new API provides key benefits such as OAuth‑based authentication, data filtering and transformation during ingestion, and fine‑grained RBAC. Organizations are strongly encouraged to migrate to the new API ahead of the September 14, 2026 retirement date.

Support Resources:

If you are an Independent Software Vendor (ISV) and you encounter any difficulty building your Microsoft Sentinel data connector, Microsoft Security's App Assure program is available to assist.

Contact us at AzureSentinelPartner@microsoft.com.