The Codeless Connector Platform

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.

We are announcing the Codeless Connector Platform (CCP) (Create a codeless connector for Microsoft Sentinel | Microsoft Docs) in public preview. CCP lets customers and partners build their own Microsoft Sentinel connectors easily by configuring a definition file. CCP connector instances are scalable, robust, and backed by Microsoft Sentinel support SLAs, since CCP is a built-in component.


Currently, CCP can connect to any data source that exposes a public REST API endpoint; the Microsoft Sentinel product team will continue to enhance the platform to support additional features such as more authentication models, more pagination types, and more.

Key benefits include:

  1. Avoid writing code to connect to publicly exposed REST APIs
  2. Scalable, built-in poller as a service
  3. Configurable UI components for your connector
  4. Ingestion cost benefits
  5. Connector monitoring: CCP integrates with Microsoft Sentinel connector health messages, which you can use to troubleshoot and view health status.

Getting started


For customers

Step 1 – As a Microsoft Sentinel customer, go to the Microsoft Sentinel Content hub and install any of the following solutions, which include a CCP-based data connector, to immediately connect and ingest data.

  • GitHub – The GitHub Audit Log connector ingests GitHub audit logs into Microsoft Sentinel.
  • Slack Audit – Enables ingestion of Slack audit logs using CCP and monitoring of the data with SIEM content. This solution also includes the existing Azure Functions data connector, so after you install it, connect using the CCP data connector. Once data ingestion works through the CCP connector, disable the Azure Functions ingestion to avoid duplicate ingestion costs.

Step 2 – Once the solution is installed, you can find the CCP data connector in the data connector gallery.

Step 3 – Open the data connector details page and provide the information needed to connect and ingest data. The following illustration shows one of the connectors as an example:

[Figure: GitHub Enterprise Audit Log (Preview) connector page in Microsoft Sentinel]

Step 4 – Check the connectivity notification on the upper right side.


Note: If you have other ingestion mechanisms, such as Azure Functions data connectors, ingesting data from the same source, disable them to avoid duplicate ingestion costs.

Step 5 – Check health monitoring. Microsoft Sentinel health lets you monitor connector health and view any service or data source issues, such as authentication failures, throttling, and more.

Monitor the health of your Microsoft Sentinel data connectors | Microsoft Docs


For developers and partners

Step 1 - Follow the guidance for building a CCP data connector.

Step 2 - Follow the solution guidance to build additional SIEM content, as applicable, and publish it as a solution in Content hub.


What’s next:

We plan to keep adding features to CCP to support more scenarios. The following is a preview of what’s coming next.

  • Support for new REST API pagination types (Link, Offset).
  • Support for additional authentication methods (OAuth2 and others).
  • GCP Pub/Sub integration with CCP.

Install and enable the CCP data connectors by installing the respective solution in Content hub. Let us know your feedback through any of the channels listed in the Resources.


We also invite our partners to build and publish new solutions that include CCP data connectors for Microsoft Sentinel. Get started now by joining the Microsoft Sentinel Threat Hunters GitHub community and following the solution build and publish guidance.
