|
1 | | ---- |
2 | | -title: Microsoft Sentinel CCF Push Connectors - Getting Started Guide |
3 | | -description: Learn how to create and deploy push-based codeless connectors for Microsoft Sentinel that sends data in real-time. |
4 | | -author: edbaynash |
5 | | -ms.author: edbaynash |
6 | | -ms.topic: how-to |
7 | | -ms.date: 11/21/2025 |
8 | | -#customer intent: As a security engineer or ISV partner, I want to understand how CCF Push connectors work and how to build one so I can send real-time data from my application to Microsoft Sentinel. |
9 | | ---- |
10 | | - |
11 | | -# Microsoft Sentinel CCF Push Connectors - Getting Started Guide |
12 | | - |
13 | | -This guide helps you understand, build, and deploy push-based codeless connectors for Microsoft Sentinel using the Codeless Connector Framework (CCF) Push. |
14 | | - |
15 | | -## What is CCF Push? |
16 | | - |
17 | | -CCF Push connectors enable your applications to send security events directly to Microsoft Sentinel in real-time. Unlike traditional polling-based connectors that periodically fetch data from APIs, push connectors let you push data to Sentinel as events occur in your system. |
18 | | - |
19 | | -CCF Push provide several key benefits: |
20 | | - |
21 | | -- **Application-controlled data flow:** Your application controls when and how to send data, enabling intelligent batching strategies and optimized network usage |
22 | | -- **Real-time ingestion:** Send data immediately as events happen, without waiting for polling intervals |
23 | | -- **Simplified architecture:** No need to maintain API endpoints for Sentinel to poll |
24 | | -- **Template-based provisioning:** Deployment creates ARM templates for DCRs, custom tables, Entra application registration, and client secrets - you receive the connection details to configure in your sending application |
25 | | -- **Secure authentication:** Uses Microsoft Entra applications with OAuth 2.0 for secure data submission |
26 | | - |
27 | | -## How CCF push works |
28 | | - |
29 | | - |
30 | | -### The push model vs pull model |
31 | | - |
32 | | -Understanding the difference between push and pull data ingestion models helps you choose the right connector type for your scenario. |
33 | | - |
34 | | -**CCF pull connectors - Polling-Based:** |
35 | | - |
36 | | -In the pull model, Microsoft Sentinel periodically polls your API to retrieve data: |
37 | | - |
38 | | -- Microsoft Sentinel initiates connections to your data source API on a configured schedule |
39 | | -- Data arrives at regular polling intervals (for example, every 5 minutes) |
40 | | -- You must maintain a publicly accessible API endpoint |
41 | | -- Sentinel's polling infrastructure manages the data collection process |
42 | | - |
43 | 1 | --- |
44 | 2 | title: Microsoft Sentinel CCF push connectors - Getting started guide |
45 | 3 | description: Learn how to create and deploy push-based codeless connectors for Microsoft Sentinel that sends data in real-time. |
46 | 4 | author: edbaynash |
47 | 5 | ms.author: edbaynash |
48 | 6 | ms.topic: how-to |
49 | 7 | ms.date: 11/21/2025 |
50 | | -#customer intent: As a security engineer or ISV partner, I want to understand how CCF Push connectors work and how to build one so I can send real-time data from my application to Microsoft Sentinel. |
| 8 | +# customer intent: As a security engineer or ISV partner, I want to understand how CCF Push connectors work and how to build one so I can send real-time data from my application to Microsoft Sentinel. |
51 | 9 | --- |
52 | 10 |
|
53 | 11 | # Microsoft Sentinel CCF push connectors - Getting started guide |
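Review bot: the 42 removed lines at the top (old lines 1-42) hold more than a duplicate front-matter block. They also delete the "What is CCF Push?", "How CCF push works" and "The push model vs pull model" sections, and the retained context stops at the H1 on new line 11, so nothing visible here shows that the surviving body still carries that material. Please confirm the kept copy includes it, in particular the bullet stating that deployment provisions the Entra application registration and client secrets, since that tells readers a credential is issued and must be configured in the sending application. The removed text also ends after the pull-model bullets with no matching push-model description, which suggests the deleted copy was the truncated one, but that is worth stating in the commit message. As a style point, the retained description on new line 3 still reads "connectors for Microsoft Sentinel that sends data in real-time"; it should be "that send data in real time".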
|