Add CCF Pull Connector Nested API Polling Accelerator#14459
Open
robertmoriarty12 wants to merge 1 commit into
Conversation
Contributor
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Adds a new developer accelerator under Tools/ that demonstrates the Microsoft Sentinel CCF “Nested” REST API polling pattern end-to-end, including a deployable mock API and a Sentinel solution package with a RestApiPoller connector.
Changes:
- Added GitHub Copilot agent-driven deployment instructions plus manual deployment docs for the accelerator.
- Added a Python Azure Functions mock “Contoso Incident API” (list + detail endpoints) and an ARM template to provision its infrastructure.
- Added a Sentinel solution package (ARM template + connector definition + DCR/table + poller config) for nested-step CCF polling.
Reviewed changes
Copilot reviewed 19 out of 20 changed files in this pull request and generated 17 comments.
| File | Description |
|---|---|
| Tools/CCF-Pull-Connector-Nested-Accelerator/agent-instructions.md | Agent deployment runbook for infra + connector deployment and verification |
| Tools/CCF-Pull-Connector-Nested-Accelerator/README.md | Accelerator overview, quick deploy prompt, manual deployment steps, troubleshooting |
| Tools/CCF-Pull-Connector-Nested-Accelerator/MockApi/requirements.txt | Python Azure Functions dependency list |
| Tools/CCF-Pull-Connector-Nested-Accelerator/MockApi/host.json | Azure Functions host/runtime configuration |
| Tools/CCF-Pull-Connector-Nested-Accelerator/MockApi/azuredeploy_MockApi.json | ARM template for provisioning the mock API Function App resources |
| Tools/CCF-Pull-Connector-Nested-Accelerator/MockApi/ListIncidents/function.json | HTTP trigger binding for the list endpoint |
| Tools/CCF-Pull-Connector-Nested-Accelerator/MockApi/ListIncidents/init.py | Mock list endpoint implementation for nested polling parent step |
| Tools/CCF-Pull-Connector-Nested-Accelerator/MockApi/GetIncidentDetails/function.json | HTTP trigger binding for the details endpoint |
| Tools/CCF-Pull-Connector-Nested-Accelerator/MockApi/GetIncidentDetails/init.py | Mock details endpoint implementation for nested polling child step |
| Tools/CCF-Pull-Connector-Nested-Accelerator/ContosoIncidents/SolutionMetadata.json | Solution metadata for the accelerator’s Sentinel content |
| Tools/CCF-Pull-Connector-Nested-Accelerator/ContosoIncidents/ReleaseNotes.md | Release note entry for the accelerator solution |
| Tools/CCF-Pull-Connector-Nested-Accelerator/ContosoIncidents/Package/testParameters.json | ARM-TTK parameter scaffolding for solution template |
| Tools/CCF-Pull-Connector-Nested-Accelerator/ContosoIncidents/Package/mainTemplate.json | Main ARM template to deploy Sentinel artifacts + connector |
| Tools/CCF-Pull-Connector-Nested-Accelerator/ContosoIncidents/Package/createUiDefinition.json | UI definition for solution install experience (workspace picker + outputs) |
| Tools/CCF-Pull-Connector-Nested-Accelerator/ContosoIncidents/Data/Solution_ContosoIncidents.json | Solution “Data” manifest pointing to connector assets |
| Tools/CCF-Pull-Connector-Nested-Accelerator/ContosoIncidents/Data Connectors/ContosoIncidents_CCF/ContosoIncidents_Table.json | Custom table schema definition |
| Tools/CCF-Pull-Connector-Nested-Accelerator/ContosoIncidents/Data Connectors/ContosoIncidents_CCF/ContosoIncidents_PollerConfig.json | RestApiPoller config with nested steps |
| Tools/CCF-Pull-Connector-Nested-Accelerator/ContosoIncidents/Data Connectors/ContosoIncidents_CCF/ContosoIncidents_DCR.json | DCR definition with transform KQL and stream declaration |
| Tools/CCF-Pull-Connector-Nested-Accelerator/ContosoIncidents/Data Connectors/ContosoIncidents_CCF/ContosoIncidents_ConnectorDefinition.json | Data connector UI definition and instructions |
Comment on lines +169 to +173
| az deployment group create ` | ||
| --resource-group <mock-api-rg> ` | ||
| --template-file "Tools/CCF-Pull-Connector-Nested-Accelerator/MockApi/azuredeploy_MockApi.json" ` | ||
| --parameters FunctionAppName=<prefix> Location=<region> ` | ||
| --output table |
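Review bot: `--parameters FunctionAppName=<prefix> Location=<region>` pairs the parameter name FunctionAppName with a placeholder called `<prefix>`, so a reader cannot tell whether to pass the complete Function App name or a prefix the template expands into one. Rename the placeholder to match what the template actually expects, or say in the surrounding text how the final resource name is derived from it.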
Comment on lines +179 to +182
| $outputs = (az deployment group show ` | ||
| --resource-group <mock-api-rg> ` | ||
| --name azuredeploy_MockApi ` | ||
| --query properties.outputs -o json | ConvertFrom-Json) |
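Review bot: `--name azuredeploy_MockApi` only works because the preceding `az deployment group create` is run without an explicit `--name`, so Azure CLI defaults the deployment name to the template file name. Renaming the template file or adding `--name` to the create step silently breaks this lookup with a "deployment not found" error. Pass the same explicit name to both commands, e.g. `--name contoso-mockapi` on create and on show, so the coupling is visible.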
| ### Step 1 — Deploy the Mock API | ||
|
|
||
| Deploy the Function App infrastructure: | ||
|
|
| ``` | ||
|
|
||
| Verify the endpoints respond: | ||
|
|
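Review bot: the ``` fence in this hunk carries no language tag, while the deploy commands in this README rely on PowerShell backtick line continuation and `ConvertFrom-Json`. Tag the fences ```powershell so readers know the snippets will not run as written in bash or cmd.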
| "ContosoMockApi ListIncidents: startTime=%s endTime=%s x-functions-key=%s", | ||
| start_time, end_time, "(present)" if auth_header != "(missing)" else "(missing)", | ||
| ) | ||
| logging.info("ContosoMockApi ListIncidents headers: %s", dict(req.headers)) |
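Review bot: `logging.info("ContosoMockApi ListIncidents headers: %s", dict(req.headers))` undoes the redaction on the line just above it: the first statement deliberately logs x-functions-key only as "(present)" or "(missing)", but the full header dump writes the actual key value, plus any Authorization or cookie header a caller sends, into the Function log stream and Application Insights. Remove the header dump, or log only an allow-list of non-sensitive headers, e.g. `{k: v for k, v in req.headers.items() if k.lower() not in ("x-functions-key", "authorization", "cookie")}`.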
| "dataConnectorTemplateNameConnectorDefinition1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnectorDefinition1')))]", | ||
| "_dataConnectorContentIdConnections1": "ContosoIncidentsConnectorConnections", | ||
| "dataConnectorTemplateNameConnections1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnections1')))]", | ||
| "dataCollectionEndpoint1": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]", |
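Review bot: `dataCollectionEndpoint1` hardcodes the Data Collection Endpoint name to `parameters('workspace')`, so the DCR only deploys if a DCE with exactly the workspace's name already exists in `parameters('resourceGroupName')`. If the template does not also create that DCE, deployment fails at the DCR resource; either add the DCE resource to the template or expose the DCE name as a parameter and document it as a prerequisite.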
Comment on lines +224 to +230
| "name": "ContosoIncidents-DCR", | ||
| "apiVersion": "2022-06-01", | ||
| "type": "Microsoft.Insights/dataCollectionRules", | ||
| "location": "[parameters('workspace-location')]", | ||
| "kind": "[variables('blanks')]", | ||
| "properties": { | ||
| "dataCollectionEndpointId": "[variables('dataCollectionEndpoint1')]", |
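Review bot: `"kind": "[variables('blanks')]"` presumably resolves to an empty string through a variable, which hides the intent from anyone reading the DCR resource. If no kind is needed, drop the property; otherwise set the value directly so the resource definition is self-explanatory.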
| ], | ||
| "Parsers": [], | ||
| "Watchlists": [], | ||
| "BasePath": "C:\\GitHub\\Azure-Sentinel\\Tools\\CCF-Pull-Connector-Nested-Accelerator\\ContosoIncidents", |
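Review bot: `"BasePath": "C:\\GitHub\\Azure-Sentinel\\Tools\\..."` is an absolute path from one developer's Windows checkout, so anyone else running the solution packaging tool must edit it before packaging. State that requirement in the README next to the packaging step, or use a path relative to the repository root if the tooling accepts one.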
| "domains": [ "Security – Threat Protection" ] | ||
| }, | ||
| "providers": [ "Contoso" ], | ||
| "version": "1.0.0" |
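Review bot: `"domains": [ "Security – Threat Protection" ]` uses an en dash (U+2013) instead of an ASCII hyphen. If the accepted domain values are spelled with a plain hyphen, this string will either fail validation or be treated as an unknown domain; verify the exact accepted spelling and use it verbatim.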
| "contentSchemaVersion": "3.0.0", | ||
| "displayName": "ContosoIncidents", | ||
| "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", | ||
| "descriptionHtml": "<p><strong>Note:</strong> Please refer to the following before installing the solution:</p>\n<p>• Review the solution <a href=\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/ContosoIncidents/ReleaseNotes.md\">Release Notes</a></p>\n<p>• There may be <a href=\"https://aka.ms/sentinelsolutionsknownissues\">known issues</a> pertaining to this Solution, please refer to them before installing.</p>\n<p>Demonstrates the CCF nested API polling pattern in Microsoft Sentinel. Includes a mock Contoso Incident API (Azure Function App) and a fully configured RestApiPoller connector that chains a list call to a detail call, ingesting complete incident records into the ContosoIncidents_CL table.</p>\n<p><strong>Data Connectors:</strong> 1</p>\n<p><a href=\"https://aka.ms/azuresentinel\">Learn more about Microsoft Sentinel</a> | <a href=\"https://aka.ms/azuresentinelsolutionsdoc\">Learn more about Solutions</a></p>\n", |
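Review bot: the Release Notes link in `descriptionHtml` points to `Solutions/ContosoIncidents/ReleaseNotes.md`, but this PR adds that file at `Tools/CCF-Pull-Connector-Nested-Accelerator/ContosoIncidents/ReleaseNotes.md`, so the link shown in the install UI will 404. Point it at the Tools path, or move the solution under Solutions/ if that is where it is meant to live.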
Contributor
Kindly address the required review comments if required. Thanks!
Added CCF-Pull-Connector-Nested-Accelerator — a new developer accelerator demonstrating the CCF nested API polling pattern end-to-end in Microsoft Sentinel
Includes a mock Contoso Incident API (Python Azure Functions), ARM templates for Function App infrastructure and the Sentinel solution, CCF RestApiPoller connector with nested step configuration, DCE/DCR/table definitions, connector UI definition, and GitHub Copilot agent deployment instructions
Reason for Change(s):
Provides a working reference implementation of the stepType: "Nested" CCF polling pattern for developers building multi-call REST API connectors
Accelerates development and testing by providing a fully deployable end-to-end example with a one-command GitHub Copilot quick-deploy workflow
Version Updated:
N/A — no Detections/Analytic Rule templates included
Testing Completed:
Yes — deployed end-to-end to Azure subscription 2a77f8c8-1e2d-4ba4-8ebf-16d94bbc4aee in centralus. Mock API verified returning 5 incidents. mainTemplate.json deployed successfully (ARM-TTK 48/48 passing). Connector registered in Sentinel. ContosoIncidents_CL table created and receiving data after clicking Connect.
Checked that the validations are passing and have addressed any issues that are present:
Yes — ARM-TTK validation passes (48/48). No KQL or YAML detection files included in this PR; folder contains only Tools accelerator content.