A client-side web application that guides you through visually building a Microsoft Sentinel Codeless Connector Framework (CCF) connector (Push or RestApiPoller), complete with analytic rules, hunting queries, ASIM parsers, and workbooks. The tool produces a deployable ARM template (mainTemplate.json) that can be deployed directly to Azure via the portal, CLI, or API.
No backend required — everything runs in the browser and can be deployed as a static site (GitHub Pages, Azure Static Web Apps, Vercel, etc.).
- ISV developers building data connectors for their products
- Security engineers pushing data from internal tools into Microsoft Sentinel
The UX is designed for users who may have no prior experience with ARM templates, Data Collection Rules, or Sentinel connector definitions.
- Guided multi-step wizard — walks you through each part of the connector configuration
- Push and Pull connectors — build Push (CCF) or RestApiPoller connectors
- Live ARM template preview — see the generated template update in real time as you fill out the form
- JSON schema inference — paste a sample JSON event and the app auto-generates the table schema
- KQL transform editor — syntax-highlighted editor with template snippets for common patterns
- Bundled content
- Analytic rules — define Scheduled and NRT analytic rules with entity mappings, MITRE ATT&CK tactics, and custom KQL queries
- Hunting queries — define hunting queries with KQL, MITRE ATT&CK tactics/techniques, and required data connectors
- ASIM parsers — create Advanced Security Information Model (ASIM) parsers to normalize your connector's data into standard schemas
- Workbooks — include Azure Monitor Workbooks by pasting gallery template JSON exported from the Azure portal
- Smart defaults — table names, stream names, connectivity queries, permissions, and instruction steps are all auto-generated
- Session persistence — your work is saved to `localStorage` so you can resume across sessions
- Save / Load projects — export your project as a `.json` file, reload it later, or load from a URL
- Multiple export options — download the ARM template, a full solution package (ZIP), or individual resource files
- Packager sidecar — optional Docker container that runs `createSolutionV3.ps1` automatically to produce a deployable ARM template
- Deep link support — link directly to a project via URL query parameter (`?project=<url>`)
You can add a badge to your repository's README that opens your connector project directly in Sentinel Connector Studio. When someone clicks the badge, the app loads and automatically imports the project file from the URL.
Add the following markdown to your README, replacing <URL_TO_PROJECT_JSON> with a direct link to your exported .json project file (e.g. a raw GitHub URL):
```markdown
[](https://connector-studio.reothor.no/?project=<URL_TO_PROJECT_JSON>)
```

Example using a raw GitHub URL:

```markdown
[](https://connector-studio.reothor.no/?project=https://raw.githubusercontent.com/myorg/myrepo/main/connector.json)
```

Note: The project URL must serve valid JSON with the correct CORS headers. Raw GitHub URLs (`raw.githubusercontent.com`) work out of the box.
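A pre-flight check for the note above, added here as an example and not part of Sentinel Connector Studio's own code: it tests whether a response for a project URL would be readable by the browser app (https, success status, a CORS header that admits the studio origin, parseable JSON). The function names are hypothetical, and `deepLink` assumes the app reads `?project=` with standard query-string decoding.

```javascript
// Added example; function names are hypothetical, not part of the project.
const STUDIO_ORIGIN = "https://connector-studio.reothor.no"; // origin of the badge link

// Judge one HTTP response the way the browser app would experience it.
// `headers` is a plain object with lower-case header names.
function checkProjectResponse(projectUrl, status, headers, body) {
  const problems = [];
  let url;
  try {
    url = new URL(projectUrl);
  } catch {
    return { ok: false, problems: ["not an absolute URL"] };
  }
  // An https page cannot fetch plain-http content from a remote host (mixed content).
  if (url.protocol !== "https:") problems.push("project URL is not https");
  if (status < 200 || status > 299) problems.push(`HTTP status ${status}`);
  // Without this header the browser refuses to hand the body to the app.
  const acao = headers["access-control-allow-origin"];
  if (acao !== "*" && acao !== STUDIO_ORIGIN) {
    problems.push("Access-Control-Allow-Origin does not admit the studio origin");
  }
  try {
    JSON.parse(body);
  } catch {
    problems.push("body is not valid JSON");
  }
  return { ok: problems.length === 0, problems };
}

// Fetch the URL for real (Node 18+) and apply the same checks.
async function checkLive(projectUrl) {
  const res = await fetch(projectUrl);
  const headers = Object.fromEntries(res.headers);
  return checkProjectResponse(projectUrl, res.status, headers, await res.text());
}

// Build the deep link. Percent-encoding the value is an assumption: it relies on
// the app reading ?project= with standard query-string decoding.
function deepLink(projectUrl) {
  return `${STUDIO_ORIGIN}/?project=${encodeURIComponent(projectUrl)}`;
}
```

`checkLive` sends no `Origin` header, so a server that only echoes the caller's origin will look closed here and needs to be rechecked from a browser.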
- Create a codeless connector for Microsoft Sentinel (Push) — official guide for Push CCF connectors
- Create custom analytics rules — scheduled and NRT rule authoring
- Create hunting queries — proactive hunt query authoring and schema
- Develop ASIM parsers — building parsers that map data to the Advanced Security Information Model
- ASIM schemas overview — available ASIM schemas and their fields
- Azure Monitor Workbooks — creating interactive dashboards for Sentinel solutions
The project includes an optional packager sidecar — a Docker container that runs the official Azure-Sentinel createSolutionV3.ps1 script automatically. When the packager is running, the Export step offers a Build Deployable Template button that produces a ready-to-deploy mainTemplate.json without any local tooling.
- The app sends your solution ZIP to the packager sidecar (port 8081)
- The sidecar runs `createSolutionV3.ps1` inside a PowerShell container
- You get back a `deployable-template.zip` containing the generated `Package/mainTemplate.json`
Start both the app and the packager together:
```bash
docker compose up
```

Or start the packager alongside a local dev server:

```bash
docker compose up packager
pnpm dev
```

The Export step shows a Packager Online / Packager Offline badge so you always know if the sidecar is reachable. When offline, you can still download the raw solution package and run `createSolutionV3.ps1` manually.
After building or packaging your template, the Next Steps section provides both a Portal and CLI deployment guide.
Azure Portal:
- Navigate to Deploy a custom template
- Click "Build your own template in the editor"
- Upload `Package/mainTemplate.json`
- Select your subscription, resource group, and workspace
- Review and create
Azure CLI:
```bash
az login
az group create \
  --name <RESOURCE_GROUP> \
  --location <LOCATION>
az deployment group create \
  --resource-group <RESOURCE_GROUP> \
  --template-file Package/mainTemplate.json \
  --parameters workspace=<WORKSPACE_NAME>
```

The `workspace` parameter is required and must be supplied using the `--parameters` option as shown above.
Pull and run the latest image from Docker Hub:
```bash
docker pull frodehus/sentinel-connector-studio
docker run -p 8080:8080 frodehus/sentinel-connector-studio
```

Open http://localhost:8080 in your browser.
To pin a specific version:
```bash
docker run -p 8080:8080 frodehus/sentinel-connector-studio:1.3.0
```

See all available tags at hub.docker.com/r/frodehus/sentinel-connector-studio.
To run both the studio and the packager using pre-built images from Docker Hub, copy the example env file and start the stack:
```bash
cp .env.example .env
docker compose up
```

The `.env` file pins the image versions. To upgrade to a newer release, update the version tags in `.env` and pull:

```bash
docker compose pull
docker compose up
```

You can also run only the packager alongside a local dev server:

```bash
docker compose up packager
pnpm dev
```

See all available packager tags at hub.docker.com/r/frodehus/sentinel-connector-studio-packager.
If you prefer to build the images locally (e.g. for development), remove or omit the .env file and pass --build:
```bash
docker compose up --build
```

```bash
pnpm install
pnpm dev
```

The app will be available at http://localhost:3000.

```bash
pnpm build
pnpm test
pnpm run lint
```

- TanStack Start / TanStack Router — SPA framework with file-based routing
- React 19 + TypeScript (strict mode)
- Tailwind CSS v4 + shadcn/ui — styling and component library
- Zod — schema validation for all connector data structures
- CodeMirror — KQL transform editor
- JSZip — solution package ZIP generation
- ESLint — linting with TypeScript, React Hooks, and React Refresh plugins
- Trivy — Docker image vulnerability scanning in CI
src/
├── components/
│ ├── wizard/ # Wizard steps and navigation
│ │ └── content/ # Content editors (analytic rules, hunting queries, ASIM parsers, workbooks)
│ ├── schema-editor/ # Interactive column editor + paste-JSON dialog
│ ├── kql-editor/ # Resizable KQL editor with expand-to-dialog
│ ├── instruction-editor/ # Connector page instruction step editor
│ ├── preview/ # Live ARM/YAML/JSON preview panels
│ └── ui/ # Reusable UI primitives (shadcn/ui)
├── hooks/ # React hooks (connector config state, theme)
├── lib/ # Pure logic — ARM resource generators, naming, schemas, utilities
│ └── arm-resources/ # Individual ARM resource builders (table, DCR, connector def, data connector)
└── routes/ # TanStack Router file-based routes
See CONTRIBUTING.md for coding standards and conventions.
See the repository for license details.