Overview
This lab deploys a complete custom Sentinel connector using the Codeless Connector Framework (CCF) Push mode:
- Infrastructure: Log Analytics workspace with Microsoft Sentinel enabled
- CCF Push Connector: Auto-provisioned DCE, DCR, custom table, Entra app, and RBAC
- Data Source: abuse.ch Feodotracker botnet C2 indicators (real threat intelligence)
- Detection: 5 analytics rules for botnet C2 activity patterns + network TI correlation
- Visualization: Threat Intelligence Dashboard workbook
Prerequisites
- Azure subscription with Contributor and Microsoft Sentinel Contributor roles
- PowerShell 7.0+ with Azure CLI installed and authenticated
- Python 3.10+ with pip (for the sender script)
Quick Start
```shell
# Deploy infrastructure + connector + rules + workbook
./labs/sentinel-ccf-push/scripts/Deploy-Lab.ps1 -Location "eastus"

# After deploying push connector resources in the portal:
# Set environment variables from the connector credentials
export CCF_TENANT_ID="<tenant-id>"
export CCF_CLIENT_ID="<client-id>"
export CCF_CLIENT_SECRET="<client-secret>"
export CCF_DCE_URI="<dce-uri>"
export CCF_DCR_ID="<dcr-immutable-id>"

# Run initial data ingestion
python3 ./labs/sentinel-ccf-push/scripts/Send-ThreatIntel.py

# Validate end-to-end
./labs/sentinel-ccf-push/scripts/Test-CCFPush.ps1 \
  -ResourceGroup "ccf-push-lab-rg" \
  -WorkspaceName "ccf-push-lab-law"
```
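The ingestion step above, as an added example that is not the repository's Send-ThreatIntel.py: it reads the five CCF_* variables, acquires a client-credentials token for the provisioned Entra app, maps Feodotracker records to table rows, and POSTs them to the DCE/DCR Logs Ingestion endpoint in batches that respect the API's 1 MB per-request limit. The stream name `Custom-FeodoTracker_CL`, the column names in `to_rows()` and the sample indicators are assumptions.

```python
"""Push Feodotracker indicators to the lab's DCE/DCR via the Logs Ingestion API."""
import json, os, urllib.parse, urllib.request
from datetime import datetime, timezone

STREAM_NAME = "Custom-FeodoTracker_CL"  # assumption: CCF stream feeding FeodoTracker_CL
API_VERSION = "2023-01-01"
MAX_BATCH_BYTES = 1_000_000             # Logs Ingestion API accepts at most 1 MB per POST

# Constructed sample shaped like Feodotracker's ipblocklist.json records (RFC 5737 IPs).
SAMPLE_INDICATORS = [
    {"ip_address": "203.0.113.10", "port": 443, "status": "online", "malware": "Dridex",
     "country": "XX", "last_online": "2024-01-02"},
    {"ip_address": "198.51.100.7", "port": 8080, "status": "offline", "malware": "Emotet",
     "country": "YY", "last_online": "2023-12-31"},
]

def to_rows(indicators):
    """Map feed records to table columns; TimeGenerated must be present for the DCR."""
    now = datetime.now(timezone.utc).isoformat()
    return [{"TimeGenerated": now, "IPAddress": i["ip_address"], "Port": int(i["port"]),
             "Status": i.get("status", "unknown"), "Malware": i.get("malware", "unknown"),
             "Country": i.get("country", ""), "LastOnline": i.get("last_online", "")}
            for i in indicators]

def ingestion_url(dce_uri, dcr_id, stream=STREAM_NAME):
    """Endpoint is DCE host + DCR immutable ID + stream name (not the table name)."""
    return (f"{dce_uri.rstrip('/')}/dataCollectionRules/{dcr_id}"
            f"/streams/{stream}?api-version={API_VERSION}")

def batches(rows, limit=MAX_BATCH_BYTES):
    """Split rows so each serialized JSON array stays under the request size limit."""
    out, cur = [], []
    for r in rows:
        if cur and len(json.dumps(cur + [r]).encode()) > limit:
            out.append(cur)
            cur = []
        cur.append(r)
    return out + [cur] if cur else out

def get_token(tenant, client_id, secret):
    """Client-credentials token scoped to the Azure Monitor ingestion audience."""
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": client_id,
        "client_secret": secret, "scope": "https://monitor.azure.com/.default"}).encode()
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]

def send(url, token, rows):
    """POST one batch; HTTP 204 means the DCR accepted it (schema mismatches surface as 4xx)."""
    req = urllib.request.Request(url, data=json.dumps(rows).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status

if __name__ == "__main__":
    e = {k: os.environ["CCF_" + k] for k in ("TENANT_ID", "CLIENT_ID", "CLIENT_SECRET", "DCE_URI", "DCR_ID")}
    tok = get_token(e["TENANT_ID"], e["CLIENT_ID"], e["CLIENT_SECRET"])
    for b in batches(to_rows(SAMPLE_INDICATORS)):
        print(send(ingestion_url(e["DCE_URI"], e["DCR_ID"]), tok, b))
```

Test-CCFPush.ps1 can then confirm the rows landed in FeodoTracker_CL; if the POST returns 204 but the table stays empty, the DCR's transformation or column types are the usual culprit.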
What Gets Deployed
| Resource | Type | Purpose |
|---|---|---|
| Log Analytics workspace | Infrastructure | Data storage |
| Sentinel onboarding | Infrastructure | Enable Sentinel blade |
| CCF Push connector definition | Data Connector | Gallery entry with deploy button |
| FeodoTracker_CL custom table | Custom Table | Threat intelligence storage |
| LAB - New Botnet Family Detected | Analytics Rule (High) | First-time malware family |
| LAB - C2 Infrastructure Surge | Analytics Rule (Medium) | >50% increase in active C2 |
| LAB - High-Confidence Active C2 | Analytics Rule (High) | Active C2 on encrypted ports |
| LAB - Geographic C2 Concentration | Analytics Rule (Medium) | 10+ C2 IPs from same country |
| LAB - Network Traffic to Known Botnet C2 | Analytics Rule (High) | Your devices talking to C2 |
| Threat Intelligence Dashboard | Workbook | 5-panel C2 monitoring |
Cost Estimate
- Log Analytics ingestion: ~$2.76/GB (pay-as-you-go)
- Feodotracker data: ~500 indicators per batch, negligible
- No Azure Function/Logic App runtime for the connector path
- Total: typically low for lab workloads; confirm current regional ingestion pricing before budgeting
Cleanup
```shell
./labs/sentinel-ccf-push/scripts/Deploy-Lab.ps1 -Destroy

# Or manually:
az group delete --name ccf-push-lab-rg --yes --no-wait
```
Links
- Blog post: Build a Custom Sentinel Connector in 5 Minutes with CCF Push
- GitHub: j-dahl7/sentinel-ccf-push-connector
- Microsoft Learn: Create a codeless push connector
- abuse.ch Feodotracker: feodotracker.abuse.ch
