Add CCF Pull Connector Nested API Polling Accelerator #14459

Open
robertmoriarty12 wants to merge 2 commits into Azure:master from robertmoriarty12:feature/ccf-pull-nested-accelerator

@robertmoriarty12

  • Added CCF-Pull-Connector-Nested-Accelerator — a new developer accelerator demonstrating the CCF nested API polling pattern end-to-end in Microsoft Sentinel
  • Includes a mock Contoso Incident API (Python Azure Functions), ARM templates for Function App infrastructure and the Sentinel solution, CCF RestApiPoller connector with nested step configuration, DCE/DCR/table definitions, connector UI definition, and GitHub Copilot agent deployment instructions

Reason for Change(s):

  • Provides a working reference implementation of the stepType: "Nested" CCF polling pattern for developers building multi-call REST API connectors
  • Accelerates development and testing by providing a fully deployable end-to-end example with a one-command GitHub Copilot quick-deploy workflow

Version Updated:

  • N/A — no Detections/Analytic Rule templates included

Testing Completed:

  • Yes — deployed end-to-end to Azure subscription 2a77f8c8-1e2d-4ba4-8ebf-16d94bbc4aee in centralus. Mock API verified returning 5 incidents. mainTemplate.json deployed successfully (ARM-TTK 48/48 passing). Connector registered in Sentinel. ContosoIncidents_CL table created and receiving data after clicking Connect.

Checked that the validations are passing and have addressed any issues that are present:

  • Yes — ARM-TTK validation passes (48/48). No KQL or YAML detection files included in this PR; folder contains only Tools accelerator content.

Copilot AI left a comment

Contributor

Pull request overview

Note: Copilot was unable to run its full agentic suite in this review.

Adds a new developer accelerator under Tools/ that demonstrates the Microsoft Sentinel CCF “Nested” REST API polling pattern end-to-end, including a deployable mock API and a Sentinel solution package with a RestApiPoller connector.

Changes:

  • Added GitHub Copilot agent-driven deployment instructions plus manual deployment docs for the accelerator.
  • Added a Python Azure Functions mock “Contoso Incident API” (list + detail endpoints) and an ARM template to provision its infrastructure.
  • Added a Sentinel solution package (ARM template + connector definition + DCR/table + poller config) for nested-step CCF polling.

Reviewed changes

Copilot reviewed 19 out of 20 changed files in this pull request and generated 17 comments.

| File | Description |
| --- | --- |
| Tools/CCF-Pull-Connector-Nested-Accelerator/agent-instructions.md | Agent deployment runbook for infra + connector deployment and verification |
| Tools/CCF-Pull-Connector-Nested-Accelerator/README.md | Accelerator overview, quick deploy prompt, manual deployment steps, troubleshooting |
| Tools/CCF-Pull-Connector-Nested-Accelerator/MockApi/requirements.txt | Python Azure Functions dependency list |
| Tools/CCF-Pull-Connector-Nested-Accelerator/MockApi/host.json | Azure Functions host/runtime configuration |
| Tools/CCF-Pull-Connector-Nested-Accelerator/MockApi/azuredeploy_MockApi.json | ARM template for provisioning the mock API Function App resources |
| Tools/CCF-Pull-Connector-Nested-Accelerator/MockApi/ListIncidents/function.json | HTTP trigger binding for the list endpoint |
| Tools/CCF-Pull-Connector-Nested-Accelerator/MockApi/ListIncidents/init.py | Mock list endpoint implementation for nested polling parent step |
| Tools/CCF-Pull-Connector-Nested-Accelerator/MockApi/GetIncidentDetails/function.json | HTTP trigger binding for the details endpoint |
| Tools/CCF-Pull-Connector-Nested-Accelerator/MockApi/GetIncidentDetails/init.py | Mock details endpoint implementation for nested polling child step |
| Tools/CCF-Pull-Connector-Nested-Accelerator/ContosoIncidents/SolutionMetadata.json | Solution metadata for the accelerator’s Sentinel content |
| Tools/CCF-Pull-Connector-Nested-Accelerator/ContosoIncidents/ReleaseNotes.md | Release note entry for the accelerator solution |
| Tools/CCF-Pull-Connector-Nested-Accelerator/ContosoIncidents/Package/testParameters.json | ARM-TTK parameter scaffolding for solution template |
| Tools/CCF-Pull-Connector-Nested-Accelerator/ContosoIncidents/Package/mainTemplate.json | Main ARM template to deploy Sentinel artifacts + connector |
| Tools/CCF-Pull-Connector-Nested-Accelerator/ContosoIncidents/Package/createUiDefinition.json | UI definition for solution install experience (workspace picker + outputs) |
| Tools/CCF-Pull-Connector-Nested-Accelerator/ContosoIncidents/Data/Solution_ContosoIncidents.json | Solution “Data” manifest pointing to connector assets |
| Tools/CCF-Pull-Connector-Nested-Accelerator/ContosoIncidents/Data Connectors/ContosoIncidents_CCF/ContosoIncidents_Table.json | Custom table schema definition |
| Tools/CCF-Pull-Connector-Nested-Accelerator/ContosoIncidents/Data Connectors/ContosoIncidents_CCF/ContosoIncidents_PollerConfig.json | RestApiPoller config with nested steps |
| Tools/CCF-Pull-Connector-Nested-Accelerator/ContosoIncidents/Data Connectors/ContosoIncidents_CCF/ContosoIncidents_DCR.json | DCR definition with transform KQL and stream declaration |
| Tools/CCF-Pull-Connector-Nested-Accelerator/ContosoIncidents/Data Connectors/ContosoIncidents_CCF/ContosoIncidents_ConnectorDefinition.json | Data connector UI definition and instructions |

Comment thread Tools/CCF-Pull-Connector-Nested-Accelerator/agent-instructions.md
Comment thread Tools/CCF-Pull-Connector-Nested-Accelerator/README.md

v-maheshbh commented Jun 12, 2026

Contributor

Hi @robertmoriarty12

Kindly address the review comments if required.

Thanks!

robertmoriarty12 commented Jun 18, 2026

Author

@v-maheshbh this is a deployment sample tool for developers to build a nested pattern, don't think these Copilot findings apply.

@v-maheshbh

Contributor

Hi @robertmoriarty12

There is a discrepancy between the description defined in the source mainTemplate and the packaged mainTemplate within the ZIP file. Kindly align both descriptions to ensure consistency.

Thanks!

Refine the ReleaseNotes.md table header formatting: make header labels bold, rename the date column to "Date Modified (DD-MM-YYYY)", and adjust column separators for clearer presentation. No changes were made to the existing release entry content (version 3.0.0).