New Solution: Upwind Logs Loader #13778

Open
yael-nisanov wants to merge 19 commits into Azure:master from yael-nisanov:add-upwind-solution
Conversation

@yael-nisanov

Summary

  • Adds the Upwind Logs Loader solution to Microsoft Sentinel Content Hub
  • Ingests compute platform assets from the Upwind cloud security platform into a custom UpwindLogs_CL table using an Azure Function and the Azure Monitor Ingestion API (DCE/DCR)
  • Timer-triggered Python 3.11 Azure Function with OAuth2 client credentials, cursor-based pagination, and exponential backoff retry

Components

  • ARM template: Deploys DCE, custom log table, DCR, user-assigned managed identity, optional Key Vault, App Insights, Storage, Function App with zipdeploy
  • Connector definition: Sentinel Data Connector UI with sample KQL queries and connectivity monitoring
  • createUiDef.json: Azure portal deployment wizard with auth method chooser (Client Secret / Key Vault)
  • Solution package: v3.0.0 for Sentinel Content Hub

Test plan

  • Deploy ARM template to a test Azure subscription
  • Verify DCE, DCR, custom table, and role assignment are created
  • Verify Function App starts and authenticates to Upwind API
  • Verify assets are ingested into UpwindLogs_CL table
  • Verify connector shows as connected in Sentinel
  • Test Key Vault auth method flow
  • Install solution from Content Hub package

🤖 Generated with Claude Code

Add new Microsoft Sentinel data connector that ingests compute platform
assets from the Upwind cloud security platform into a custom log table
(UpwindLogs_CL) using an Azure Function and the Azure Monitor Ingestion
API (DCE/DCR).

Includes:
- ARM template with DCE, DCR, custom table, user-assigned managed identity,
  optional Key Vault support, and zipdeploy
- Timer-triggered Python 3.11 Azure Function with OAuth2 auth,
  cursor-based pagination, and exponential backoff retry
- Connector UI definition with createUiDef.json deployment wizard
- Solution package (v3.0.0) for Sentinel Content Hub

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
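The cursor-based pagination and exponential-backoff retry that the summary lists, as an added illustration of the pattern rather than the PR's own UpwindLogsLoader code: the `fetch_page` callable, the page/cursor shapes, the `TransientError` class and the sample asset records are all constructed for this example. The `LogsIngestionClient.upload(...)` call mentioned in a comment is the real azure-monitor-ingestion API the PR says it uses, but it is not executed here, so the block runs offline.

```python
"""Cursor-based pagination with exponential-backoff retry.

Added illustration (not the code under Solutions/Upwind/Data Connectors/
UpwindLogsLoader).  `fetch_page` stands in for one authenticated HTTP call to
the asset inventory endpoint; page shapes and cursor names are hypothetical.
"""
import time
from typing import Any, Callable, Dict, List, Optional, Tuple

Page = Tuple[List[Dict[str, Any]], Optional[str]]   # (items, next_cursor)
FetchPage = Callable[[Optional[str]], Page]


class TransientError(Exception):
    """Retryable failure: HTTP 429/5xx, timeout, connection reset."""


def fetch_with_retry(fetch_page: FetchPage, cursor: Optional[str],
                     max_retries: int = 4, base_delay: float = 1.0,
                     sleep: Callable[[float], Any] = time.sleep) -> Page:
    """Call fetch_page(cursor); on TransientError wait base_delay * 2**attempt
    and retry, up to max_retries times.  Anything that is not a TransientError
    (e.g. a 401 because the OAuth2 client-credentials token was rejected)
    propagates at once instead of being retried."""
    attempt = 0
    while True:
        try:
            return fetch_page(cursor)
        except TransientError:
            if attempt >= max_retries:
                raise
            sleep(base_delay * (2 ** attempt))
            attempt += 1


def fetch_all_assets(fetch_page: FetchPage, **retry_kwargs) -> List[Dict[str, Any]]:
    """Walk the cursor chain from the first page until the API returns no next
    cursor.  A cursor seen twice means the server is echoing the same token
    back, so the loop aborts instead of running until the Function App times out."""
    assets: List[Dict[str, Any]] = []
    cursor: Optional[str] = None
    seen_cursors = set()
    while True:
        items, next_cursor = fetch_with_retry(fetch_page, cursor, **retry_kwargs)
        assets.extend(items)
        if not next_cursor:
            return assets
        if next_cursor in seen_cursors:
            raise RuntimeError(f"pagination loop: cursor {next_cursor!r} repeated")
        seen_cursors.add(next_cursor)
        cursor = next_cursor


# Constructed sample data: three pages of fake asset records chained by cursor.
SAMPLE_PAGES: Dict[Optional[str], Page] = {
    None: ([{"id": "vm-1"}, {"id": "vm-2"}], "cursor-2"),
    "cursor-2": ([{"id": "vm-3"}], "cursor-3"),
    "cursor-3": ([{"id": "vm-4"}], None),
}


def make_fake_source(pages: Dict[Optional[str], Page],
                     fail_on_cursor: Optional[str] = None,
                     failures: int = 0) -> FetchPage:
    """Stand-in for the HTTP call (hypothetical): serves `pages`, and raises
    TransientError the first `failures` times `fail_on_cursor` is requested."""
    remaining = {"failures": failures}

    def fetch_page(cursor: Optional[str]) -> Page:
        if cursor == fail_on_cursor and remaining["failures"] > 0:
            remaining["failures"] -= 1
            raise TransientError("503 Service Unavailable")
        return pages[cursor]

    return fetch_page


def demo() -> Tuple[List[str], List[float]]:
    """Walk a source that fails twice on page 2; return the asset ids collected
    and the back-off delays that were requested (sleep is recorded, not slept)."""
    delays: List[float] = []
    source = make_fake_source(SAMPLE_PAGES, fail_on_cursor="cursor-2", failures=2)
    assets = fetch_all_assets(source, base_delay=1.0, sleep=delays.append)
    return [a["id"] for a in assets], delays


if __name__ == "__main__":
    ids, delays = demo()
    print("assets:", ids)              # ['vm-1', 'vm-2', 'vm-3', 'vm-4']
    print("back-off delays:", delays)  # [1.0, 2.0]
    # In the real function the collected batch would then be handed to
    # LogsIngestionClient(endpoint, credential).upload(rule_id=..., stream_name=..., logs=assets)
```

Injecting `sleep` keeps the back-off testable without waiting, and the repeated-cursor guard is the check worth keeping in a timer-triggered function: without it a misbehaving or stale cursor turns one run into a silent loop that only ends at the host timeout.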
@yael-nisanov yael-nisanov marked this pull request as ready for review March 9, 2026 16:34
@yael-nisanov yael-nisanov requested review from a team as code owners March 9, 2026 16:34
@v-atulyadav v-atulyadav added the New Solution For new Solutions which are new to Microsoft Sentinel label Mar 10, 2026
@v-maheshbh
Contributor

v-maheshbh commented Mar 10, 2026

Hi @yael-nisanov

BasePath Format:
Modify the BasePath to the following structure:
C:\GitHub\Azure-Sentinel\solutions\Solution Name

The release notes should include the version number, release date, and the corresponding commit details.

The validation error is due to unsupported values in the Domains / Verticals section. Kindly update these fields to use only valid, predefined values by referring to any existing solution’s SolutionMetadata.json.

Update the permissions in Solutions/Upwind/Data Connectors/UpwindLogsLoader_API_FunctionApp.json to match the Azure Function Connector Template for validation to pass.

Kindly review and validate the KQL query to ensure it is correct and working as expected.
and accept the CLA to proceed further.

Thanks!

@v-sabiraj v-sabiraj requested a review from Copilot March 11, 2026 07:12
Contributor

Copilot AI left a comment

Pull request overview

Adds the Upwind Logs Loader Microsoft Sentinel solution package, including deployment artifacts and an Azure Function-based ingestion pipeline to load Upwind compute platform assets into a custom Log Analytics table via DCE/DCR.

Changes:

  • Introduces solution metadata, README, and release notes for the new Upwind solution.
  • Adds ARM templates + CreateUiDefinition files for deploying DCE/DCR, custom table, identity, Key Vault integration, and Function App zipdeploy.
  • Adds Python Azure Function implementation (config, auth, pagination, retries, DCR upload) and connector definition artifacts.

Reviewed changes

Copilot reviewed 17 out of 20 changed files in this pull request and generated 14 comments.

Summary per file (file: description):

Solutions/Upwind/SolutionMetadata.json: Adds Content Hub solution metadata (publisher/offer/support/categories).
Solutions/Upwind/ReleaseNotes.md: Introduces initial release notes for v3.0.0.
Solutions/Upwind/README.md: Documents deployment, parameters, schema, and sample KQL queries.
Solutions/Upwind/Package/testParameters.json: Adds ARM TTK-friendly test parameters for solution packaging.
Solutions/Upwind/Package/mainTemplate.json: Adds solution package template (content packages/templates + connector resources).
Solutions/Upwind/Package/createUiDefinition.json: Adds Content Hub deployment wizard (workspace selection + outputs).
Solutions/Upwind/Data/Solution_UpwindLogsLoader.json: Adds solution build manifest for packaging/publishing.
Solutions/Upwind/Data Connectors/requirements.txt: Pins Python dependencies for the Function connector package.
Solutions/Upwind/Data Connectors/host.json: Configures Azure Functions host settings (logging, bundle, timeout).
Solutions/Upwind/Data Connectors/createUiDef.json: Adds data connector ARM Wizard UI (auth method, schedule, advanced knobs).
Solutions/Upwind/Data Connectors/azuredeploy_UpwindLogsLoader_API_FunctionApp.json: ARM template to deploy infra (Key Vault, DCE/DCR/table, identity, Function App).
Solutions/Upwind/Data Connectors/UpwindLogsLoader_API_FunctionApp.json: Adds Sentinel Data Connector definition (queries, instructions, permissions).
Solutions/Upwind/Data Connectors/UpwindLogsLoader/upwind_client.py: Implements base Upwind API client (OAuth2 + retry + cursor pagination).
Solutions/Upwind/Data Connectors/UpwindLogsLoader/upwind_catalog_client.py: Implements asset fetcher for Upwind inventory catalog endpoint.
Solutions/Upwind/Data Connectors/UpwindLogsLoader/function.json: Declares timer trigger binding using env-configured CRON schedule.
Solutions/Upwind/Data Connectors/UpwindLogsLoader/config.py: Loads env + Key Vault secret, validates required config, parses ints.
Solutions/Upwind/Data Connectors/UpwindLogsLoader/init.py: Timer-triggered function: fetch assets and upload to DCR via ingestion SDK.

@yael-nisanov yael-nisanov requested a review from a team as a code owner March 12, 2026 09:47
@yael-nisanov
Author

@microsoft-github-policy-service agree company="Upwind"

@v-maheshbh
Contributor

v-maheshbh commented Mar 16, 2026

Hi @yael-nisanov

Since the Function App template has been updated, kindly repackage the solution so that the changes are reflected in the main template.

Kindly include the following short links in the Function App configuration. These will be created once the PR is merged.
https://aka.ms/sentinel-Upwind-azuredeploy
https://aka.ms/sentinel-Upwind-functionapp

Thanks!

@robertmoriarty12

@yael-nisanov,

You need to repackage the solution. Maintemplate.json needs to be updated once you made a change to Solutions/Upwind/Data Connectors/UpwindLogsLoader_API_FunctionApp.json. You should have new files for package.

@v-maheshbh can review once he's back in the office.

@v-maheshbh
Contributor

v-maheshbh commented Mar 17, 2026

@yael-nisanov @v-maheshbh

to be specific, mahesh needs these links swapped with the provided aka.ms links

File 1: Solutions/Upwind/Data Connectors/azuredeploy_UpwindLogsLoader_API_FunctionApp.json

https://aka.ms/sentinel-Upwind-azuredeploy

"packageUri": { "defaultValue": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Upwind/Data%20Connectors/UpwindLogsLoader.zip",

File 2: Solutions/Upwind/Data Connectors/UpwindLogsLoader_API_FunctionApp.json

https://aka.ms/sentinel-Upwind-functionapp

(https://portal.azure.com/#view/Microsoft_Azure_CreateUIDef/CustomDeploymentBlade/uri/**https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FUpwind%2FData%20Connectors%2Fazuredeploy_UpwindLogsLoader_API_FunctionApp.json/uiFormDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FUpwind%2FData%20Connectors%2FcreateUiDef.json**)

This is not correct. The Function App package (UpwindLogsLoader.zip) is available at https://aka.ms/sentinel-Upwind-functionapp. The Azure deployment link is https://aka.ms/sentinel-Upwind-azuredeploy. Please update accordingly.

Thanks!

@v-maheshbh
Contributor

v-maheshbh commented Mar 17, 2026

Hi @yael-nisanov

Kindly deploy the latest main template and attach a testing screenshot of the Azure data connector.
Additionally, the Azure Function is not visible in the Content Hub after deploying the main template.

Thanks!

@yael-nisanov
Author

[8 screenshot attachments]
