What Changed
Added the CCF Blob Connector Accelerator under Tools/CCF-Blob-Connector-Accelerator/ with a ContosoFort reference implementation. This accelerator provides ISV partners and contributors with a working example of the StorageAccountBlobContainer CCF connector kind using event-driven blob ingestion.
Architecture Pattern
Implements the complete CCF blob connector workflow:
- External product writes JSON logs to ADLS Gen2 blob container
- Azure Event Grid detects new blobs and pushes notifications to Storage Queue
- Microsoft Sentinel CCF poller reads queue, fetches blob content, sends to DCR
- DCR applies KQL transform and writes to custom Log Analytics table (ContosoFortV1_CL)
Tool Components
The accelerator includes complete deployable artifacts:
- ConnectorDefinition.json: Sentinel UI tile and permissions display
- PollerConfig.json: StorageAccountBlobContainer configuration with DCR stream mapping
- DCR.json: Data Collection Rule with KQL transform (source | extend TimeGenerated = now() | project …)
- Table.json: Custom table schema with security event fields (EventType, Severity, Action, SourceIP, ThreatName)
- ARM template: Full solution deployment package
- GitHub Copilot agent: Automated deployment instructions for end-to-end setup
Developer Impact
Addresses undocumented CCF blob connector prerequisites validated through live testing:
- ADLS Gen2 hierarchical namespace requirement (standard StorageV2 fails silently)
- Workspace location parameter dependency in ARM templates
- Required RBAC permissions for Sentinel Service Principal on storage resources
- Event Grid system topic auto-provisioning workflow
Sample Data Schema
ContosoFort demonstrates security event structure with fields commonly needed for threat detection: EventTime, EventType (ThreatDetected/NetworkAlert/PolicyViolation/Audit), Severity levels, Action outcomes, network indicators (SourceIP/DestinationIP), and threat attribution (ThreatName, RuleID).
Affected Files
Tools/CCF-Blob-Connector-Accelerator/ContosoFort/Data Connectors/ContosoFortLog_CCF/ContosoFortLog_ConnectorDefinition.json
Tools/CCF-Blob-Connector-Accelerator/ContosoFort/Data Connectors/ContosoFortLog_CCF/ContosoFortLog_DCR.json
Tools/CCF-Blob-Connector-Accelerator/ContosoFort/Data Connectors/ContosoFortLog_CCF/ContosoFortLog_PollerConfig.json
Tools/CCF-Blob-Connector-Accelerator/ContosoFort/Data Connectors/ContosoFortLog_CCF/ContosoFortLog_Table.json
Tools/CCF-Blob-Connector-Accelerator/ContosoFort/Sample Data/ContosoFortSampleData.json
Tools/CCF-Blob-Connector-Accelerator/ContosoFort/Sample Data/ContosoFortSampleData2.json
Tools/CCF-Blob-Connector-Accelerator/README.md
Tools/CCF-Blob-Connector-Accelerator/agent-instructions.md
Tools/CCF-Blob-Connector-Accelerator/storage-account-deploy.json
(packaging artefacts: ReleaseNotes.md, SolutionMetadata.json, Solution_ContosoFort.json, mainTemplate.json)
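
Added example, not part of the pull request or the accelerator's code: a pre-deployment check for the hierarchical namespace prerequisite listed under Developer Impact, which flags storage accounts in an ARM template that would deploy without `isHnsEnabled` set to true. The template below is constructed sample input, not the accelerator's storage-account-deploy.json, and the check assumes `resources` is in array form.

```python
import json
import re

# Constructed sample template (assumption: NOT the accelerator's real file).
SAMPLE_TEMPLATE = json.loads("""
{
  "parameters": {"enableHns": {"type": "bool", "defaultValue": true}},
  "resources": [
    {"type": "Microsoft.Storage/storageAccounts", "name": "goodadls",
     "kind": "StorageV2",
     "properties": {"isHnsEnabled": "[parameters('enableHns')]"}},
    {"type": "Microsoft.Storage/storageAccounts", "name": "flatv2",
     "kind": "StorageV2", "properties": {"supportsHttpsTrafficOnly": true}},
    {"type": "Microsoft.Storage/storageAccounts", "name": "explicitoff",
     "kind": "StorageV2", "properties": {"isHnsEnabled": false}}
  ]
}
""")

# Matches only a bare parameter reference such as [parameters('enableHns')].
PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")

def resolve(value, parameters):
    """Resolve a bare [parameters('x')] expression to that parameter's defaultValue."""
    if isinstance(value, str):
        m = PARAM_REF.match(value.strip())
        if m:
            return parameters.get(m.group(1), {}).get("defaultValue")
    return value

def find_non_hns_accounts(template):
    """Return names of storage accounts that lack a provable isHnsEnabled=true."""
    parameters = template.get("parameters", {})
    findings = []
    queue = list(template.get("resources", []))
    while queue:
        res = queue.pop(0)
        queue.extend(res.get("resources", []))  # walk nested child resources too
        if res.get("type", "").lower() != "microsoft.storage/storageaccounts":
            continue
        hns = resolve(res.get("properties", {}).get("isHnsEnabled"), parameters)
        # Missing, false, or a parameter without a default all count as a finding.
        if hns is not True:
            findings.append(res.get("name", "<unnamed>"))
    return findings

if __name__ == "__main__":
    for name in find_non_hns_accounts(SAMPLE_TEMPLATE):
        print(f"FAIL {name}: isHnsEnabled is not true (blob ingestion fails silently)")
```

A parameter supplied only at deployment time has no default to inspect, so the check reports it as a finding rather than assuming it will be true.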