In today’s rapidly evolving threat landscape, organizations need security solutions that deliver actionable insights in real time, not minutes or hours after the fact. Microsoft Sentinel continues to expand its capabilities, driven by a commitment to empower customers and partners with cutting-edge tools for proactive defense. Today, we are excited to announce the public preview of our latest innovation, the Sentinel Codeless Connector Framework (CCF) Push feature. CCF Push addresses a critical need: enabling seamless, automated, and immediate delivery of security data to Sentinel, so teams can respond to threats as they happen.
What Is CCF Push and Why Does It Matter?
Microsoft Sentinel connectors generally follow two patterns. In the polling pattern, partners and customers expose their web‑facing REST API endpoints and use our traditional CCF connectors to poll those endpoints at intervals to gather data for ingestion into Sentinel. In the push pattern, partners and customers send data directly to a Sentinel workspace. Our new CCF Push capability was built to streamline and accelerate time to adoption for this second pattern.
Traditionally, building a connector required setup of multiple Azure resources - Data Collection Endpoints (DCE), Data Collection Rules (DCR), Entra app registrations, client secrets, and RBAC assignments. With CCF Push, connector creation is fast and easy, allowing developers to publish with minimal prerequisites. When you press “Deploy,” Sentinel sets up all the resources you need. This automation dramatically reduces friction, enabling partners and customers to release quickly and to onboard with minimal effort.
Built on the Log Ingestion API: Speed, Flexibility, and Power
A key advantage of CCF Push is that it leverages our Log Ingestion API. This modern API combined with the CCF Push capability brings several benefits to the table:
- Improved user experience: Removes configuration and deployment overhead by streamlining all setup through the Sentinel solution Content Hub, providing a single interface from which a customer can launch their connectors.
- High Throughput: Supports rapid, large-scale data ingestion, ensuring that security events are delivered to Sentinel without delay.
- Data Transformation: Allows for transformation of data before ingestion, so developers can tailor the format and content to meet customer needs.
- Targeting System Tables: Enables direct delivery of data to system tables, streamlining integration and analysis.
- Future-Ready Architecture: Opens pathways to advanced scenarios, including data lake integrations and agentic AI use cases.
By leveraging these capabilities, CCF Push provides a robust, scalable solution for real-time security data delivery.
New CCF Push Connectors
Since its rollout, several partners have adopted CCF Push to build connectors that enhance security for mutual customers. Here are a couple recent examples:
|
|
Keeper Security SIEM integration with Microsoft Sentinel The Keeper Security integration with Microsoft Sentinel brings advanced password and secrets management telemetry into your SIEM environment. By streaming audit logs and privileged access events from Keeper into Sentinel, security teams gain centralized visibility into credential usage and potential misuse. The connector supports custom queries and automated playbooks, helping organizations accelerate investigations, enforce Zero Trust principles, and strengthen identity security across hybrid environments.
|
|
|
Obsidian Threat and Activity Feed The Obsidian Threat and Activity Feed for Microsoft Sentinel delivers deep visibility into SaaS application activity, helping security teams detect account compromise and insider threats. By streaming user behavior and configuration data into Sentinel, organizations can correlate SaaS risks with enterprise telemetry for faster investigations. Prebuilt analytics and dashboards enable proactive monitoring, while automated playbooks simplify response workflows—strengthening security posture across critical cloud apps.
|
Start Building Today
Sentinel solution developers can begin leveraging the power of CCF Push immediately. For technical guidance and step-by-step instructions, refer to our MS Learn documentation.
In the unlikely event that you encounter any issues in building or updating your CCF Push connector, App Assure is here to help. We are an engineering-backed team committed to supporting customers and software development companies throughout their journey with Sentinel to streamline integration and accelerate time to market. Contact Microsoft Sentinel Partners at AzureSentinelPartner@microsoft.com for assistance.
Here is what Obsidian Security had to say about working with us to build their CCF Push connector:
Microsoft