Microsoft.SecurityInsights dataConnectors 2021-03-01-preview

Bicep resource definition

The dataConnectors resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.SecurityInsights/dataConnectors resource, add the following Bicep to your template.

resource symbolicname 'Microsoft.SecurityInsights/dataConnectors@2021-03-01-preview' = {
  etag: 'string'
  name: 'string'
  kind: 'string'
  // For remaining properties, see Microsoft.SecurityInsights/dataConnectors objects
}

Microsoft.SecurityInsights/dataConnectors objects

Set the kind property to specify the type of object.

For AmazonWebServicesCloudTrail, use:

{
  kind: 'AmazonWebServicesCloudTrail'
  properties: {
    awsRoleArn: 'string'
    dataTypes: {
      logs: {
        state: 'string'
      }
    }
  }
}

For AzureActiveDirectory, use:

{
  kind: 'AzureActiveDirectory'
  properties: {
    dataTypes: {
      alerts: {
        state: 'string'
      }
    }
    tenantId: 'string'
  }
}

For AzureAdvancedThreatProtection, use:

{
  kind: 'AzureAdvancedThreatProtection'
  properties: {
    dataTypes: {
      alerts: {
        state: 'string'
      }
    }
    tenantId: 'string'
  }
}

For AzureSecurityCenter, use:

{
  kind: 'AzureSecurityCenter'
  properties: {
    dataTypes: {
      alerts: {
        state: 'string'
      }
    }
    subscriptionId: 'string'
  }
}

For Dynamics365, use:

{
  kind: 'Dynamics365'
  properties: {
    dataTypes: {
      dynamics365CdsActivities: {
        state: 'string'
      }
    }
    tenantId: 'string'
  }
}

For GenericUI, use:

{
  kind: 'GenericUI'
  properties: {
    connectorUiConfig: {
      availability: {
        isPreview: bool
        status: '1'
      }
      connectivityCriteria: [
        {
          type: 'string'
          value: [
            'string'
          ]
        }
      ]
      customImage: 'string'
      dataTypes: [
        {
          lastDataReceivedQuery: 'string'
          name: 'string'
        }
      ]
      descriptionMarkdown: 'string'
      graphQueries: [
        {
          baseQuery: 'string'
          legend: 'string'
          metricName: 'string'
        }
      ]
      graphQueriesTableName: 'string'
      instructionSteps: [
        {
          description: 'string'
          instructions: [
            {
              parameters: any(...)
              type: 'string'
            }
          ]
          title: 'string'
        }
      ]
      permissions: {
        customs: [
          {
            description: 'string'
            name: 'string'
          }
        ]
        resourceProvider: [
          {
            permissionsDisplayText: 'string'
            provider: 'string'
            providerDisplayName: 'string'
            requiredPermissions: {
              action: bool
              delete: bool
              read: bool
              write: bool
            }
            scope: 'string'
          }
        ]
      }
      publisher: 'string'
      sampleQueries: [
        {
          description: 'string'
          query: 'string'
        }
      ]
      title: 'string'
    }
  }
}

For MicrosoftCloudAppSecurity, use:

{
  kind: 'MicrosoftCloudAppSecurity'
  properties: {
    dataTypes: {
      alerts: {
        state: 'string'
      }
      discoveryLogs: {
        state: 'string'
      }
    }
    tenantId: 'string'
  }
}

For MicrosoftDefenderAdvancedThreatProtection, use:

{
  kind: 'MicrosoftDefenderAdvancedThreatProtection'
  properties: {
    dataTypes: {
      alerts: {
        state: 'string'
      }
    }
    tenantId: 'string'
  }
}

For MicrosoftThreatIntelligence, use:

{
  kind: 'MicrosoftThreatIntelligence'
  properties: {
    dataTypes: {
      bingSafetyPhishingURL: {
        lookbackPeriod: 'string'
        state: 'string'
      }
      microsoftEmergingThreatFeed: {
        lookbackPeriod: 'string'
        state: 'string'
      }
    }
    tenantId: 'string'
  }
}

For MicrosoftThreatProtection, use:

{
  kind: 'MicrosoftThreatProtection'
  properties: {
    dataTypes: {
      incidents: {
        state: 'string'
      }
    }
    tenantId: 'string'
  }
}

For Office365, use:

{
  kind: 'Office365'
  properties: {
    dataTypes: {
      exchange: {
        state: 'string'
      }
      sharePoint: {
        state: 'string'
      }
      teams: {
        state: 'string'
      }
    }
    tenantId: 'string'
  }
}

For OfficeATP, use:

{
  kind: 'OfficeATP'
  properties: {
    dataTypes: {
      alerts: {
        state: 'string'
      }
    }
    tenantId: 'string'
  }
}

For ThreatIntelligence, use:

{
  kind: 'ThreatIntelligence'
  properties: {
    dataTypes: {
      indicators: {
        state: 'string'
      }
    }
    tenantId: 'string'
    tipLookbackPeriod: 'string'
  }
}

For ThreatIntelligenceTaxii, use:

{
  kind: 'ThreatIntelligenceTaxii'
  properties: {
    collectionId: 'string'
    dataTypes: {
      taxiiClient: {
        state: 'string'
      }
    }
    friendlyName: 'string'
    password: 'string'
    pollingFrequency: 'string'
    taxiiLookbackPeriod: 'string'
    taxiiServer: 'string'
    tenantId: 'string'
    userName: 'string'
    workspaceId: 'string'
  }
}

Property Values

Microsoft.SecurityInsights/dataConnectors

Name	Description	Value
etag	Etag of the azure resource	string
kind	Set to 'AmazonWebServicesCloudTrail' for type AwsCloudTrailDataConnector. Set to 'AzureActiveDirectory' for type AADDataConnector. Set to 'AzureAdvancedThreatProtection' for type AatpDataConnector. Set to 'AzureSecurityCenter' for type ASCDataConnector. Set to 'Dynamics365' for type Dynamics365DataConnector. Set to 'GenericUI' for type CodelessUiDataConnector. Set to 'MicrosoftCloudAppSecurity' for type McasDataConnector. Set to 'MicrosoftDefenderAdvancedThreatProtection' for type MdatpDataConnector. Set to 'MicrosoftThreatIntelligence' for type MstiDataConnector. Set to 'MicrosoftThreatProtection' for type MTPDataConnector. Set to 'Office365' for type OfficeDataConnector. Set to 'OfficeATP' for type OfficeATPDataConnector. Set to 'ThreatIntelligence' for type TIDataConnector. Set to 'ThreatIntelligenceTaxii' for type TiTaxiiDataConnector.	'AmazonWebServicesCloudTrail' 'AzureActiveDirectory' 'AzureAdvancedThreatProtection' 'AzureSecurityCenter' 'Dynamics365' 'GenericUI' 'MicrosoftCloudAppSecurity' 'MicrosoftDefenderAdvancedThreatProtection' 'MicrosoftThreatIntelligence' 'MicrosoftThreatProtection' 'Office365' 'OfficeATP' 'ThreatIntelligence' 'ThreatIntelligenceTaxii' (required)
name	The resource name	string (required)
scope	Use when creating a resource at a scope that is different than the deployment scope.	Set this property to the symbolic name of a resource to apply the extension resource.

AADDataConnector

Name	Description	Value
kind	The data connector kind	'AzureActiveDirectory' (required)
properties	AAD (Azure Active Directory) data connector properties.	AADDataConnectorProperties

AADDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	AlertsDataTypeOfDataConnector
tenantId	The tenant id to connect to, and get the data from.	string (required)

AatpDataConnector

Name	Description	Value
kind	The data connector kind	'AzureAdvancedThreatProtection' (required)
properties	AATP (Azure Advanced Threat Protection) data connector properties.	AatpDataConnectorProperties

AatpDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	AlertsDataTypeOfDataConnector
tenantId	The tenant id to connect to, and get the data from.	string (required)

AlertsDataTypeOfDataConnector

Name	Description	Value
alerts	Alerts data type connection.	DataConnectorDataTypeCommon (required)

ASCDataConnector

Name	Description	Value
kind	The data connector kind	'AzureSecurityCenter' (required)
properties	ASC (Azure Security Center) data connector properties.	ASCDataConnectorProperties

ASCDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	AlertsDataTypeOfDataConnector
subscriptionId	The subscription id to connect to, and get the data from.	string

Availability

Name	Description	Value
isPreview	Set connector as preview	bool
status	The connector Availability Status	'1'

AwsCloudTrailDataConnector

Name	Description	Value
kind	The data connector kind	'AmazonWebServicesCloudTrail' (required)
properties	Amazon Web Services CloudTrail data connector properties.	AwsCloudTrailDataConnectorProperties

AwsCloudTrailDataConnectorDataTypes

Name	Description	Value
logs	Logs data type.	AwsCloudTrailDataConnectorDataTypesLogs (required)

AwsCloudTrailDataConnectorDataTypesLogs

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

AwsCloudTrailDataConnectorProperties

Name	Description	Value
awsRoleArn	The Aws Role Arn (with CloudTrailReadOnly policy) that is used to access the Aws account.	string
dataTypes	The available data types for the connector.	AwsCloudTrailDataConnectorDataTypes (required)

CodelessParameters

Name	Description	Value
connectorUiConfig	Config to describe the instructions blade	CodelessUiConnectorConfigProperties

CodelessUiConnectorConfigProperties

Name	Description	Value
availability	Connector Availability Status	Availability (required)
connectivityCriteria	Define the way the connector check connectivity	CodelessUiConnectorConfigPropertiesConnectivityCriteriaItem[] (required)
customImage	An optional custom image to be used when displaying the connector within Azure Sentinel's connector's gallery	string
dataTypes	Data types to check for last data received	CodelessUiConnectorConfigPropertiesDataTypesItem[] (required)
descriptionMarkdown	Connector description	string (required)
graphQueries	The graph query to show the current data status	CodelessUiConnectorConfigPropertiesGraphQueriesItem[] (required)
graphQueriesTableName	Name of the table the connector will insert the data to	string (required)
instructionSteps	Instruction steps to enable the connector	CodelessUiConnectorConfigPropertiesInstructionStepsItem[] (required)
permissions	Permissions required for the connector	Permissions (required)
publisher	Connector publisher name	string (required)
sampleQueries	The sample queries for the connector	CodelessUiConnectorConfigPropertiesSampleQueriesItem[] (required)
title	Connector blade title	string (required)

CodelessUiConnectorConfigPropertiesConnectivityCriteriaItem

Name	Description	Value
type	type of connectivity	'IsConnectedQuery'
value	Queries for checking connectivity	string[]

CodelessUiConnectorConfigPropertiesDataTypesItem

Name	Description	Value
lastDataReceivedQuery	Query for indicate last data received	string
name	Name of the data type to show in the graph. can be use with {{graphQueriesTableName}} placeholder	string

CodelessUiConnectorConfigPropertiesGraphQueriesItem

Name	Description	Value
baseQuery	The base query for the graph	string
legend	The legend for the graph	string
metricName	the metric that the query is checking	string

CodelessUiConnectorConfigPropertiesInstructionStepsItem

Name	Description	Value
description	Instruction step description	string
instructions	Instruction step details	InstructionStepsInstructionsItem[]
title	Instruction step title	string

CodelessUiConnectorConfigPropertiesSampleQueriesItem

Name	Description	Value
description	The sample query description	string
query	the sample query	string

CodelessUiDataConnector

Name	Description	Value
kind	The data connector kind	'GenericUI' (required)
properties	Codeless UI data connector properties	CodelessParameters

DataConnectorDataTypeCommon

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

Dynamics365DataConnector

Name	Description	Value
kind	The data connector kind	'Dynamics365' (required)
properties	Dynamics365 data connector properties.	Dynamics365DataConnectorProperties

Dynamics365DataConnectorDataTypes

Name	Description	Value
dynamics365CdsActivities	Common Data Service data type connection.	Dynamics365DataConnectorDataTypesDynamics365CdsActivities (required)

Dynamics365DataConnectorDataTypesDynamics365CdsActivities

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

Dynamics365DataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	Dynamics365DataConnectorDataTypes (required)
tenantId	The tenant id to connect to, and get the data from.	string (required)

InstructionStepsInstructionsItem

Name	Description	Value
parameters	The parameters for the setting	any
type	The kind of the setting	'CopyableLabel' 'InfoMessage' 'InstructionStepsGroup' (required)

McasDataConnector

Name	Description	Value
kind	The data connector kind	'MicrosoftCloudAppSecurity' (required)
properties	MCAS (Microsoft Cloud App Security) data connector properties.	McasDataConnectorProperties

McasDataConnectorDataTypes

Name	Description	Value
alerts	Alerts data type connection.	DataConnectorDataTypeCommon (required)
discoveryLogs	Discovery log data type connection.	DataConnectorDataTypeCommon

McasDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	McasDataConnectorDataTypes (required)
tenantId	The tenant id to connect to, and get the data from.	string (required)

MdatpDataConnector

Name	Description	Value
kind	The data connector kind	'MicrosoftDefenderAdvancedThreatProtection' (required)
properties	MDATP (Microsoft Defender Advanced Threat Protection) data connector properties.	MdatpDataConnectorProperties

MdatpDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	AlertsDataTypeOfDataConnector
tenantId	The tenant id to connect to, and get the data from.	string (required)

MstiDataConnector

Name	Description	Value
kind	The data connector kind	'MicrosoftThreatIntelligence' (required)
properties	Microsoft Threat Intelligence data connector properties.	MstiDataConnectorProperties

MstiDataConnectorDataTypes

Name	Description	Value
bingSafetyPhishingURL	Data type for Microsoft Threat Intelligence Platforms data connector.	MstiDataConnectorDataTypesBingSafetyPhishingURL (required)
microsoftEmergingThreatFeed	Data type for Microsoft Threat Intelligence Platforms data connector.	MstiDataConnectorDataTypesMicrosoftEmergingThreatFeed (required)

MstiDataConnectorDataTypesBingSafetyPhishingURL

Name	Description	Value
lookbackPeriod	lookback period	string (required)
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

MstiDataConnectorDataTypesMicrosoftEmergingThreatFeed

Name	Description	Value
lookbackPeriod	lookback period	string (required)
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

MstiDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	MstiDataConnectorDataTypes (required)
tenantId	The tenant id to connect to, and get the data from.	string (required)

MTPDataConnector

Name	Description	Value
kind	The data connector kind	'MicrosoftThreatProtection' (required)
properties	MTP (Microsoft Threat Protection) data connector properties.	MTPDataConnectorProperties

MTPDataConnectorDataTypes

Name	Description	Value
incidents	Data type for Microsoft Threat Protection Platforms data connector.	MTPDataConnectorDataTypesIncidents (required)

MTPDataConnectorDataTypesIncidents

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

MTPDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	MTPDataConnectorDataTypes (required)
tenantId	The tenant id to connect to, and get the data from.	string (required)

OfficeATPDataConnector

Name	Description	Value
kind	The data connector kind	'OfficeATP' (required)
properties	OfficeATP (Office 365 Advanced Threat Protection) data connector properties.	OfficeATPDataConnectorProperties

OfficeATPDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	AlertsDataTypeOfDataConnector
tenantId	The tenant id to connect to, and get the data from.	string (required)

OfficeDataConnector

Name	Description	Value
kind	The data connector kind	'Office365' (required)
properties	Office data connector properties.	OfficeDataConnectorProperties

OfficeDataConnectorDataTypes

Name	Description	Value
exchange	Exchange data type connection.	OfficeDataConnectorDataTypesExchange (required)
sharePoint	SharePoint data type connection.	OfficeDataConnectorDataTypesSharePoint (required)
teams	Teams data type connection.	OfficeDataConnectorDataTypesTeams (required)

OfficeDataConnectorDataTypesExchange

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

OfficeDataConnectorDataTypesSharePoint

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

OfficeDataConnectorDataTypesTeams

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

OfficeDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	OfficeDataConnectorDataTypes (required)
tenantId	The tenant id to connect to, and get the data from.	string (required)

Permissions

Name	Description	Value
customs	Customs permissions required for the connector	PermissionsCustomsItem[]
resourceProvider	Resource provider permissions required for the connector	PermissionsResourceProviderItem[]

PermissionsCustomsItem

Name	Description	Value
description	Customs permissions description	string
name	Customs permissions name	string

PermissionsResourceProviderItem

Name	Description	Value
permissionsDisplayText	Permission description text	string
provider	Provider name	'microsoft.aadiam/diagnosticSettings' 'Microsoft.Authorization/policyAssignments' 'Microsoft.OperationalInsights/solutions' 'Microsoft.OperationalInsights/workspaces' 'Microsoft.OperationalInsights/workspaces/datasources' 'Microsoft.OperationalInsights/workspaces/sharedKeys'
providerDisplayName	Permission provider display name	string
requiredPermissions	Required permissions for the connector	RequiredPermissions
scope	Permission provider scope	'ResourceGroup' 'Subscription' 'Workspace'

RequiredPermissions

Name	Description	Value
action	action permission	bool
delete	delete permission	bool
read	read permission	bool
write	write permission	bool

TIDataConnector

Name	Description	Value
kind	The data connector kind	'ThreatIntelligence' (required)
properties	TI (Threat Intelligence) data connector properties.	TIDataConnectorProperties

TIDataConnectorDataTypes

Name	Description	Value
indicators	Data type for indicators connection.	TIDataConnectorDataTypesIndicators (required)

TIDataConnectorDataTypesIndicators

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

TIDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	TIDataConnectorDataTypes (required)
tenantId	The tenant id to connect to, and get the data from.	string (required)
tipLookbackPeriod	The lookback period for the feed to be imported.	string

TiTaxiiDataConnector

Name	Description	Value
kind	The data connector kind	'ThreatIntelligenceTaxii' (required)
properties	Threat intelligence TAXII data connector properties.	TiTaxiiDataConnectorProperties

TiTaxiiDataConnectorDataTypes

Name	Description	Value
taxiiClient	Data type for TAXII connector.	TiTaxiiDataConnectorDataTypesTaxiiClient (required)

TiTaxiiDataConnectorDataTypesTaxiiClient

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

TiTaxiiDataConnectorProperties

Name	Description	Value
collectionId	The collection id of the TAXII server.	string
dataTypes	The available data types for Threat Intelligence TAXII data connector.	TiTaxiiDataConnectorDataTypes (required)
friendlyName	The friendly name for the TAXII server.	string
password	The password for the TAXII server.	string
pollingFrequency	The polling frequency for the TAXII server.	'OnceADay' 'OnceAMinute' 'OnceAnHour' (required)
taxiiLookbackPeriod	The lookback period for the TAXII server.	string
taxiiServer	The API root for the TAXII server.	string
tenantId	The tenant id to connect to, and get the data from.	string (required)
userName	The userName for the TAXII server.	string
workspaceId	The workspace id.	string

Usage Examples

Azure Verified Modules

The following Azure Verified Modules can be used to deploy this resource type.

ARM template resource definition

The dataConnectors resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.SecurityInsights/dataConnectors resource, add the following JSON to your template.

{
  "etag": "string",
  "name": "string",
  "kind": "string"
  // For remaining properties, see Microsoft.SecurityInsights/dataConnectors objects
}

Microsoft.SecurityInsights/dataConnectors objects

Set the kind property to specify the type of object.

For AmazonWebServicesCloudTrail, use:

{
  "kind": "AmazonWebServicesCloudTrail",
  "properties": {
    "awsRoleArn": "string",
    "dataTypes": {
      "logs": {
        "state": "string"
      }
    }
  }
}

For AzureActiveDirectory, use:

{
  "kind": "AzureActiveDirectory",
  "properties": {
    "dataTypes": {
      "alerts": {
        "state": "string"
      }
    },
    "tenantId": "string"
  }
}

For AzureAdvancedThreatProtection, use:

{
  "kind": "AzureAdvancedThreatProtection",
  "properties": {
    "dataTypes": {
      "alerts": {
        "state": "string"
      }
    },
    "tenantId": "string"
  }
}

For AzureSecurityCenter, use:

{
  "kind": "AzureSecurityCenter",
  "properties": {
    "dataTypes": {
      "alerts": {
        "state": "string"
      }
    },
    "subscriptionId": "string"
  }
}

For Dynamics365, use:

{
  "kind": "Dynamics365",
  "properties": {
    "dataTypes": {
      "dynamics365CdsActivities": {
        "state": "string"
      }
    },
    "tenantId": "string"
  }
}

For GenericUI, use:

{
  "kind": "GenericUI",
  "properties": {
    "connectorUiConfig": {
      "availability": {
        "isPreview": "bool",
        "status": "1"
      },
      "connectivityCriteria": [
        {
          "type": "string",
          "value": [ "string" ]
        }
      ],
      "customImage": "string",
      "dataTypes": [
        {
          "lastDataReceivedQuery": "string",
          "name": "string"
        }
      ],
      "descriptionMarkdown": "string",
      "graphQueries": [
        {
          "baseQuery": "string",
          "legend": "string",
          "metricName": "string"
        }
      ],
      "graphQueriesTableName": "string",
      "instructionSteps": [
        {
          "description": "string",
          "instructions": [
            {
              "parameters": {},
              "type": "string"
            }
          ],
          "title": "string"
        }
      ],
      "permissions": {
        "customs": [
          {
            "description": "string",
            "name": "string"
          }
        ],
        "resourceProvider": [
          {
            "permissionsDisplayText": "string",
            "provider": "string",
            "providerDisplayName": "string",
            "requiredPermissions": {
              "action": "bool",
              "delete": "bool",
              "read": "bool",
              "write": "bool"
            },
            "scope": "string"
          }
        ]
      },
      "publisher": "string",
      "sampleQueries": [
        {
          "description": "string",
          "query": "string"
        }
      ],
      "title": "string"
    }
  }
}

For MicrosoftCloudAppSecurity, use:

{
  "kind": "MicrosoftCloudAppSecurity",
  "properties": {
    "dataTypes": {
      "alerts": {
        "state": "string"
      },
      "discoveryLogs": {
        "state": "string"
      }
    },
    "tenantId": "string"
  }
}

For MicrosoftDefenderAdvancedThreatProtection, use:

{
  "kind": "MicrosoftDefenderAdvancedThreatProtection",
  "properties": {
    "dataTypes": {
      "alerts": {
        "state": "string"
      }
    },
    "tenantId": "string"
  }
}

For MicrosoftThreatIntelligence, use:

{
  "kind": "MicrosoftThreatIntelligence",
  "properties": {
    "dataTypes": {
      "bingSafetyPhishingURL": {
        "lookbackPeriod": "string",
        "state": "string"
      },
      "microsoftEmergingThreatFeed": {
        "lookbackPeriod": "string",
        "state": "string"
      }
    },
    "tenantId": "string"
  }
}

For MicrosoftThreatProtection, use:

{
  "kind": "MicrosoftThreatProtection",
  "properties": {
    "dataTypes": {
      "incidents": {
        "state": "string"
      }
    },
    "tenantId": "string"
  }
}

For Office365, use:

{
  "kind": "Office365",
  "properties": {
    "dataTypes": {
      "exchange": {
        "state": "string"
      },
      "sharePoint": {
        "state": "string"
      },
      "teams": {
        "state": "string"
      }
    },
    "tenantId": "string"
  }
}

For OfficeATP, use:

{
  "kind": "OfficeATP",
  "properties": {
    "dataTypes": {
      "alerts": {
        "state": "string"
      }
    },
    "tenantId": "string"
  }
}

For ThreatIntelligence, use:

{
  "kind": "ThreatIntelligence",
  "properties": {
    "dataTypes": {
      "indicators": {
        "state": "string"
      }
    },
    "tenantId": "string",
    "tipLookbackPeriod": "string"
  }
}

For ThreatIntelligenceTaxii, use:

{
  "kind": "ThreatIntelligenceTaxii",
  "properties": {
    "collectionId": "string",
    "dataTypes": {
      "taxiiClient": {
        "state": "string"
      }
    },
    "friendlyName": "string",
    "password": "string",
    "pollingFrequency": "string",
    "taxiiLookbackPeriod": "string",
    "taxiiServer": "string",
    "tenantId": "string",
    "userName": "string",
    "workspaceId": "string"
  }
}

Property Values

Microsoft.SecurityInsights/dataConnectors

Name	Description	Value
apiVersion	The api version	'2021-03-01-preview'
etag	Etag of the azure resource	string
kind	Set to 'AmazonWebServicesCloudTrail' for type AwsCloudTrailDataConnector. Set to 'AzureActiveDirectory' for type AADDataConnector. Set to 'AzureAdvancedThreatProtection' for type AatpDataConnector. Set to 'AzureSecurityCenter' for type ASCDataConnector. Set to 'Dynamics365' for type Dynamics365DataConnector. Set to 'GenericUI' for type CodelessUiDataConnector. Set to 'MicrosoftCloudAppSecurity' for type McasDataConnector. Set to 'MicrosoftDefenderAdvancedThreatProtection' for type MdatpDataConnector. Set to 'MicrosoftThreatIntelligence' for type MstiDataConnector. Set to 'MicrosoftThreatProtection' for type MTPDataConnector. Set to 'Office365' for type OfficeDataConnector. Set to 'OfficeATP' for type OfficeATPDataConnector. Set to 'ThreatIntelligence' for type TIDataConnector. Set to 'ThreatIntelligenceTaxii' for type TiTaxiiDataConnector.	'AmazonWebServicesCloudTrail' 'AzureActiveDirectory' 'AzureAdvancedThreatProtection' 'AzureSecurityCenter' 'Dynamics365' 'GenericUI' 'MicrosoftCloudAppSecurity' 'MicrosoftDefenderAdvancedThreatProtection' 'MicrosoftThreatIntelligence' 'MicrosoftThreatProtection' 'Office365' 'OfficeATP' 'ThreatIntelligence' 'ThreatIntelligenceTaxii' (required)
name	The resource name	string (required)
type	The resource type	'Microsoft.SecurityInsights/dataConnectors'

AADDataConnector

Name	Description	Value
kind	The data connector kind	'AzureActiveDirectory' (required)
properties	AAD (Azure Active Directory) data connector properties.	AADDataConnectorProperties

AADDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	AlertsDataTypeOfDataConnector
tenantId	The tenant id to connect to, and get the data from.	string (required)

AatpDataConnector

Name	Description	Value
kind	The data connector kind	'AzureAdvancedThreatProtection' (required)
properties	AATP (Azure Advanced Threat Protection) data connector properties.	AatpDataConnectorProperties

AatpDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	AlertsDataTypeOfDataConnector
tenantId	The tenant id to connect to, and get the data from.	string (required)

AlertsDataTypeOfDataConnector

Name	Description	Value
alerts	Alerts data type connection.	DataConnectorDataTypeCommon (required)

ASCDataConnector

Name	Description	Value
kind	The data connector kind	'AzureSecurityCenter' (required)
properties	ASC (Azure Security Center) data connector properties.	ASCDataConnectorProperties

ASCDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	AlertsDataTypeOfDataConnector
subscriptionId	The subscription id to connect to, and get the data from.	string

Availability

Name	Description	Value
isPreview	Set connector as preview	bool
status	The connector Availability Status	'1'

AwsCloudTrailDataConnector

Name	Description	Value
kind	The data connector kind	'AmazonWebServicesCloudTrail' (required)
properties	Amazon Web Services CloudTrail data connector properties.	AwsCloudTrailDataConnectorProperties

AwsCloudTrailDataConnectorDataTypes

Name	Description	Value
logs	Logs data type.	AwsCloudTrailDataConnectorDataTypesLogs (required)

AwsCloudTrailDataConnectorDataTypesLogs

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

AwsCloudTrailDataConnectorProperties

Name	Description	Value
awsRoleArn	The Aws Role Arn (with CloudTrailReadOnly policy) that is used to access the Aws account.	string
dataTypes	The available data types for the connector.	AwsCloudTrailDataConnectorDataTypes (required)

CodelessParameters

Name	Description	Value
connectorUiConfig	Config to describe the instructions blade	CodelessUiConnectorConfigProperties

CodelessUiConnectorConfigProperties

Name	Description	Value
availability	Connector Availability Status	Availability (required)
connectivityCriteria	Define the way the connector check connectivity	CodelessUiConnectorConfigPropertiesConnectivityCriteriaItem[] (required)
customImage	An optional custom image to be used when displaying the connector within Azure Sentinel's connector's gallery	string
dataTypes	Data types to check for last data received	CodelessUiConnectorConfigPropertiesDataTypesItem[] (required)
descriptionMarkdown	Connector description	string (required)
graphQueries	The graph query to show the current data status	CodelessUiConnectorConfigPropertiesGraphQueriesItem[] (required)
graphQueriesTableName	Name of the table the connector will insert the data to	string (required)
instructionSteps	Instruction steps to enable the connector	CodelessUiConnectorConfigPropertiesInstructionStepsItem[] (required)
permissions	Permissions required for the connector	Permissions (required)
publisher	Connector publisher name	string (required)
sampleQueries	The sample queries for the connector	CodelessUiConnectorConfigPropertiesSampleQueriesItem[] (required)
title	Connector blade title	string (required)

CodelessUiConnectorConfigPropertiesConnectivityCriteriaItem

Name	Description	Value
type	type of connectivity	'IsConnectedQuery'
value	Queries for checking connectivity	string[]

CodelessUiConnectorConfigPropertiesDataTypesItem

Name	Description	Value
lastDataReceivedQuery	Query for indicate last data received	string
name	Name of the data type to show in the graph. can be use with {{graphQueriesTableName}} placeholder	string

CodelessUiConnectorConfigPropertiesGraphQueriesItem

Name	Description	Value
baseQuery	The base query for the graph	string
legend	The legend for the graph	string
metricName	the metric that the query is checking	string

CodelessUiConnectorConfigPropertiesInstructionStepsItem

Name	Description	Value
description	Instruction step description	string
instructions	Instruction step details	InstructionStepsInstructionsItem[]
title	Instruction step title	string

CodelessUiConnectorConfigPropertiesSampleQueriesItem

Name	Description	Value
description	The sample query description	string
query	the sample query	string

CodelessUiDataConnector

Name	Description	Value
kind	The data connector kind	'GenericUI' (required)
properties	Codeless UI data connector properties	CodelessParameters

DataConnectorDataTypeCommon

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

Dynamics365DataConnector

Name	Description	Value
kind	The data connector kind	'Dynamics365' (required)
properties	Dynamics365 data connector properties.	Dynamics365DataConnectorProperties

Dynamics365DataConnectorDataTypes

Name	Description	Value
dynamics365CdsActivities	Common Data Service data type connection.	Dynamics365DataConnectorDataTypesDynamics365CdsActivities (required)

Dynamics365DataConnectorDataTypesDynamics365CdsActivities

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

Dynamics365DataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	Dynamics365DataConnectorDataTypes (required)
tenantId	The tenant id to connect to, and get the data from.	string (required)

InstructionStepsInstructionsItem

Name	Description	Value
parameters	The parameters for the setting	any
type	The kind of the setting	'CopyableLabel' 'InfoMessage' 'InstructionStepsGroup' (required)

McasDataConnector

Name	Description	Value
kind	The data connector kind	'MicrosoftCloudAppSecurity' (required)
properties	MCAS (Microsoft Cloud App Security) data connector properties.	McasDataConnectorProperties

McasDataConnectorDataTypes

Name	Description	Value
alerts	Alerts data type connection.	DataConnectorDataTypeCommon (required)
discoveryLogs	Discovery log data type connection.	DataConnectorDataTypeCommon

McasDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	McasDataConnectorDataTypes (required)
tenantId	The tenant id to connect to, and get the data from.	string (required)

MdatpDataConnector

Name	Description	Value
kind	The data connector kind	'MicrosoftDefenderAdvancedThreatProtection' (required)
properties	MDATP (Microsoft Defender Advanced Threat Protection) data connector properties.	MdatpDataConnectorProperties

MdatpDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	AlertsDataTypeOfDataConnector
tenantId	The tenant id to connect to, and get the data from.	string (required)

MstiDataConnector

Name	Description	Value
kind	The data connector kind	'MicrosoftThreatIntelligence' (required)
properties	Microsoft Threat Intelligence data connector properties.	MstiDataConnectorProperties

MstiDataConnectorDataTypes

Name	Description	Value
bingSafetyPhishingURL	Data type for Microsoft Threat Intelligence Platforms data connector.	MstiDataConnectorDataTypesBingSafetyPhishingURL (required)
microsoftEmergingThreatFeed	Data type for Microsoft Threat Intelligence Platforms data connector.	MstiDataConnectorDataTypesMicrosoftEmergingThreatFeed (required)

MstiDataConnectorDataTypesBingSafetyPhishingURL

Name	Description	Value
lookbackPeriod	lookback period	string (required)
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

MstiDataConnectorDataTypesMicrosoftEmergingThreatFeed

Name	Description	Value
lookbackPeriod	lookback period	string (required)
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

MstiDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	MstiDataConnectorDataTypes (required)
tenantId	The tenant id to connect to, and get the data from.	string (required)

MTPDataConnector

Name	Description	Value
kind	The data connector kind	'MicrosoftThreatProtection' (required)
properties	MTP (Microsoft Threat Protection) data connector properties.	MTPDataConnectorProperties

MTPDataConnectorDataTypes

Name	Description	Value
incidents	Data type for Microsoft Threat Protection Platforms data connector.	MTPDataConnectorDataTypesIncidents (required)

MTPDataConnectorDataTypesIncidents

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

MTPDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	MTPDataConnectorDataTypes (required)
tenantId	The tenant id to connect to, and get the data from.	string (required)

OfficeATPDataConnector

Name	Description	Value
kind	The data connector kind	'OfficeATP' (required)
properties	OfficeATP (Office 365 Advanced Threat Protection) data connector properties.	OfficeATPDataConnectorProperties

OfficeATPDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	AlertsDataTypeOfDataConnector
tenantId	The tenant id to connect to, and get the data from.	string (required)

OfficeDataConnector

Name	Description	Value
kind	The data connector kind	'Office365' (required)
properties	Office data connector properties.	OfficeDataConnectorProperties

OfficeDataConnectorDataTypes

Name	Description	Value
exchange	Exchange data type connection.	OfficeDataConnectorDataTypesExchange (required)
sharePoint	SharePoint data type connection.	OfficeDataConnectorDataTypesSharePoint (required)
teams	Teams data type connection.	OfficeDataConnectorDataTypesTeams (required)

OfficeDataConnectorDataTypesExchange

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

OfficeDataConnectorDataTypesSharePoint

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

OfficeDataConnectorDataTypesTeams

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

OfficeDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	OfficeDataConnectorDataTypes (required)
tenantId	The tenant id to connect to, and get the data from.	string (required)

Permissions

Name	Description	Value
customs	Customs permissions required for the connector	PermissionsCustomsItem[]
resourceProvider	Resource provider permissions required for the connector	PermissionsResourceProviderItem[]

PermissionsCustomsItem

Name	Description	Value
description	Customs permissions description	string
name	Customs permissions name	string

PermissionsResourceProviderItem

Name	Description	Value
permissionsDisplayText	Permission description text	string
provider	Provider name	'microsoft.aadiam/diagnosticSettings' 'Microsoft.Authorization/policyAssignments' 'Microsoft.OperationalInsights/solutions' 'Microsoft.OperationalInsights/workspaces' 'Microsoft.OperationalInsights/workspaces/datasources' 'Microsoft.OperationalInsights/workspaces/sharedKeys'
providerDisplayName	Permission provider display name	string
requiredPermissions	Required permissions for the connector	RequiredPermissions
scope	Permission provider scope	'ResourceGroup' 'Subscription' 'Workspace'

RequiredPermissions

Name	Description	Value
action	action permission	bool
delete	delete permission	bool
read	read permission	bool
write	write permission	bool

TIDataConnector

Name	Description	Value
kind	The data connector kind	'ThreatIntelligence' (required)
properties	TI (Threat Intelligence) data connector properties.	TIDataConnectorProperties

TIDataConnectorDataTypes

Name	Description	Value
indicators	Data type for indicators connection.	TIDataConnectorDataTypesIndicators (required)

TIDataConnectorDataTypesIndicators

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

TIDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	TIDataConnectorDataTypes (required)
tenantId	The tenant id to connect to, and get the data from.	string (required)
tipLookbackPeriod	The lookback period for the feed to be imported.	string

TiTaxiiDataConnector

Name	Description	Value
kind	The data connector kind	'ThreatIntelligenceTaxii' (required)
properties	Threat intelligence TAXII data connector properties.	TiTaxiiDataConnectorProperties

TiTaxiiDataConnectorDataTypes

Name	Description	Value
taxiiClient	Data type for TAXII connector.	TiTaxiiDataConnectorDataTypesTaxiiClient (required)

TiTaxiiDataConnectorDataTypesTaxiiClient

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

TiTaxiiDataConnectorProperties

Name	Description	Value
collectionId	The collection id of the TAXII server.	string
dataTypes	The available data types for Threat Intelligence TAXII data connector.	TiTaxiiDataConnectorDataTypes (required)
friendlyName	The friendly name for the TAXII server.	string
password	The password for the TAXII server.	string
pollingFrequency	The polling frequency for the TAXII server.	'OnceADay' 'OnceAMinute' 'OnceAnHour' (required)
taxiiLookbackPeriod	The lookback period for the TAXII server.	string
taxiiServer	The API root for the TAXII server.	string
tenantId	The tenant id to connect to, and get the data from.	string (required)
userName	The userName for the TAXII server.	string
workspaceId	The workspace id.	string

Usage Examples

Terraform (AzAPI provider) resource definition

The dataConnectors resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.SecurityInsights/dataConnectors resource, add the following Terraform to your template.

resource "azapi_resource" "symbolicname" {
  etag = "string"
  name = "string"
  kind = "string"
  // For remaining properties, see Microsoft.SecurityInsights/dataConnectors objects
}

Microsoft.SecurityInsights/dataConnectors objects

Set the kind property to specify the type of object.

For AmazonWebServicesCloudTrail, use:

{
  kind = "AmazonWebServicesCloudTrail"
  properties = {
    awsRoleArn = "string"
    dataTypes = {
      logs = {
        state = "string"
      }
    }
  }
}

For AzureActiveDirectory, use:

{
  kind = "AzureActiveDirectory"
  properties = {
    dataTypes = {
      alerts = {
        state = "string"
      }
    }
    tenantId = "string"
  }
}

For AzureAdvancedThreatProtection, use:

{
  kind = "AzureAdvancedThreatProtection"
  properties = {
    dataTypes = {
      alerts = {
        state = "string"
      }
    }
    tenantId = "string"
  }
}

For AzureSecurityCenter, use:

{
  kind = "AzureSecurityCenter"
  properties = {
    dataTypes = {
      alerts = {
        state = "string"
      }
    }
    subscriptionId = "string"
  }
}

For Dynamics365, use:

{
  kind = "Dynamics365"
  properties = {
    dataTypes = {
      dynamics365CdsActivities = {
        state = "string"
      }
    }
    tenantId = "string"
  }
}

For GenericUI, use:

{
  kind = "GenericUI"
  properties = {
    connectorUiConfig = {
      availability = {
        isPreview = bool
        status = "1"
      }
      connectivityCriteria = [
        {
          type = "string"
          value = [
            "string"
          ]
        }
      ]
      customImage = "string"
      dataTypes = [
        {
          lastDataReceivedQuery = "string"
          name = "string"
        }
      ]
      descriptionMarkdown = "string"
      graphQueries = [
        {
          baseQuery = "string"
          legend = "string"
          metricName = "string"
        }
      ]
      graphQueriesTableName = "string"
      instructionSteps = [
        {
          description = "string"
          instructions = [
            {
              parameters = ?
              type = "string"
            }
          ]
          title = "string"
        }
      ]
      permissions = {
        customs = [
          {
            description = "string"
            name = "string"
          }
        ]
        resourceProvider = [
          {
            permissionsDisplayText = "string"
            provider = "string"
            providerDisplayName = "string"
            requiredPermissions = {
              action = bool
              delete = bool
              read = bool
              write = bool
            }
            scope = "string"
          }
        ]
      }
      publisher = "string"
      sampleQueries = [
        {
          description = "string"
          query = "string"
        }
      ]
      title = "string"
    }
  }
}

For MicrosoftCloudAppSecurity, use:

{
  kind = "MicrosoftCloudAppSecurity"
  properties = {
    dataTypes = {
      alerts = {
        state = "string"
      }
      discoveryLogs = {
        state = "string"
      }
    }
    tenantId = "string"
  }
}

For MicrosoftDefenderAdvancedThreatProtection, use:

{
  kind = "MicrosoftDefenderAdvancedThreatProtection"
  properties = {
    dataTypes = {
      alerts = {
        state = "string"
      }
    }
    tenantId = "string"
  }
}

For MicrosoftThreatIntelligence, use:

{
  kind = "MicrosoftThreatIntelligence"
  properties = {
    dataTypes = {
      bingSafetyPhishingURL = {
        lookbackPeriod = "string"
        state = "string"
      }
      microsoftEmergingThreatFeed = {
        lookbackPeriod = "string"
        state = "string"
      }
    }
    tenantId = "string"
  }
}

For MicrosoftThreatProtection, use:

{
  kind = "MicrosoftThreatProtection"
  properties = {
    dataTypes = {
      incidents = {
        state = "string"
      }
    }
    tenantId = "string"
  }
}

For Office365, use:

{
  kind = "Office365"
  properties = {
    dataTypes = {
      exchange = {
        state = "string"
      }
      sharePoint = {
        state = "string"
      }
      teams = {
        state = "string"
      }
    }
    tenantId = "string"
  }
}

For OfficeATP, use:

{
  kind = "OfficeATP"
  properties = {
    dataTypes = {
      alerts = {
        state = "string"
      }
    }
    tenantId = "string"
  }
}

For ThreatIntelligence, use:

{
  kind = "ThreatIntelligence"
  properties = {
    dataTypes = {
      indicators = {
        state = "string"
      }
    }
    tenantId = "string"
    tipLookbackPeriod = "string"
  }
}

For ThreatIntelligenceTaxii, use:

{
  kind = "ThreatIntelligenceTaxii"
  properties = {
    collectionId = "string"
    dataTypes = {
      taxiiClient = {
        state = "string"
      }
    }
    friendlyName = "string"
    password = "string"
    pollingFrequency = "string"
    taxiiLookbackPeriod = "string"
    taxiiServer = "string"
    tenantId = "string"
    userName = "string"
    workspaceId = "string"
  }
}

Property Values

Microsoft.SecurityInsights/dataConnectors

Name	Description	Value
etag	Etag of the azure resource	string
kind	Set to 'AmazonWebServicesCloudTrail' for type AwsCloudTrailDataConnector. Set to 'AzureActiveDirectory' for type AADDataConnector. Set to 'AzureAdvancedThreatProtection' for type AatpDataConnector. Set to 'AzureSecurityCenter' for type ASCDataConnector. Set to 'Dynamics365' for type Dynamics365DataConnector. Set to 'GenericUI' for type CodelessUiDataConnector. Set to 'MicrosoftCloudAppSecurity' for type McasDataConnector. Set to 'MicrosoftDefenderAdvancedThreatProtection' for type MdatpDataConnector. Set to 'MicrosoftThreatIntelligence' for type MstiDataConnector. Set to 'MicrosoftThreatProtection' for type MTPDataConnector. Set to 'Office365' for type OfficeDataConnector. Set to 'OfficeATP' for type OfficeATPDataConnector. Set to 'ThreatIntelligence' for type TIDataConnector. Set to 'ThreatIntelligenceTaxii' for type TiTaxiiDataConnector.	'AmazonWebServicesCloudTrail' 'AzureActiveDirectory' 'AzureAdvancedThreatProtection' 'AzureSecurityCenter' 'Dynamics365' 'GenericUI' 'MicrosoftCloudAppSecurity' 'MicrosoftDefenderAdvancedThreatProtection' 'MicrosoftThreatIntelligence' 'MicrosoftThreatProtection' 'Office365' 'OfficeATP' 'ThreatIntelligence' 'ThreatIntelligenceTaxii' (required)
name	The resource name	string (required)
parent_id	The ID of the resource to apply this extension resource to.	string (required)
type	The resource type	"Microsoft.SecurityInsights/dataConnectors@2021-03-01-preview"

AADDataConnector

Name	Description	Value
kind	The data connector kind	'AzureActiveDirectory' (required)
properties	AAD (Azure Active Directory) data connector properties.	AADDataConnectorProperties

AADDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	AlertsDataTypeOfDataConnector
tenantId	The tenant id to connect to, and get the data from.	string (required)

AatpDataConnector

Name	Description	Value
kind	The data connector kind	'AzureAdvancedThreatProtection' (required)
properties	AATP (Azure Advanced Threat Protection) data connector properties.	AatpDataConnectorProperties

AatpDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	AlertsDataTypeOfDataConnector
tenantId	The tenant id to connect to, and get the data from.	string (required)

AlertsDataTypeOfDataConnector

Name	Description	Value
alerts	Alerts data type connection.	DataConnectorDataTypeCommon (required)

ASCDataConnector

Name	Description	Value
kind	The data connector kind	'AzureSecurityCenter' (required)
properties	ASC (Azure Security Center) data connector properties.	ASCDataConnectorProperties

ASCDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	AlertsDataTypeOfDataConnector
subscriptionId	The subscription id to connect to, and get the data from.	string

Availability

Name	Description	Value
isPreview	Set connector as preview	bool
status	The connector Availability Status	'1'

AwsCloudTrailDataConnector

Name	Description	Value
kind	The data connector kind	'AmazonWebServicesCloudTrail' (required)
properties	Amazon Web Services CloudTrail data connector properties.	AwsCloudTrailDataConnectorProperties

AwsCloudTrailDataConnectorDataTypes

Name	Description	Value
logs	Logs data type.	AwsCloudTrailDataConnectorDataTypesLogs (required)

AwsCloudTrailDataConnectorDataTypesLogs

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

AwsCloudTrailDataConnectorProperties

Name	Description	Value
awsRoleArn	The Aws Role Arn (with CloudTrailReadOnly policy) that is used to access the Aws account.	string
dataTypes	The available data types for the connector.	AwsCloudTrailDataConnectorDataTypes (required)

CodelessParameters

Name	Description	Value
connectorUiConfig	Config to describe the instructions blade	CodelessUiConnectorConfigProperties

CodelessUiConnectorConfigProperties

Name	Description	Value
availability	Connector Availability Status	Availability (required)
connectivityCriteria	Define the way the connector check connectivity	CodelessUiConnectorConfigPropertiesConnectivityCriteriaItem[] (required)
customImage	An optional custom image to be used when displaying the connector within Azure Sentinel's connector's gallery	string
dataTypes	Data types to check for last data received	CodelessUiConnectorConfigPropertiesDataTypesItem[] (required)
descriptionMarkdown	Connector description	string (required)
graphQueries	The graph query to show the current data status	CodelessUiConnectorConfigPropertiesGraphQueriesItem[] (required)
graphQueriesTableName	Name of the table the connector will insert the data to	string (required)
instructionSteps	Instruction steps to enable the connector	CodelessUiConnectorConfigPropertiesInstructionStepsItem[] (required)
permissions	Permissions required for the connector	Permissions (required)
publisher	Connector publisher name	string (required)
sampleQueries	The sample queries for the connector	CodelessUiConnectorConfigPropertiesSampleQueriesItem[] (required)
title	Connector blade title	string (required)

CodelessUiConnectorConfigPropertiesConnectivityCriteriaItem

Name	Description	Value
type	type of connectivity	'IsConnectedQuery'
value	Queries for checking connectivity	string[]

CodelessUiConnectorConfigPropertiesDataTypesItem

Name	Description	Value
lastDataReceivedQuery	Query for indicate last data received	string
name	Name of the data type to show in the graph. can be use with {{graphQueriesTableName}} placeholder	string

CodelessUiConnectorConfigPropertiesGraphQueriesItem

Name	Description	Value
baseQuery	The base query for the graph	string
legend	The legend for the graph	string
metricName	the metric that the query is checking	string

CodelessUiConnectorConfigPropertiesInstructionStepsItem

Name	Description	Value
description	Instruction step description	string
instructions	Instruction step details	InstructionStepsInstructionsItem[]
title	Instruction step title	string

CodelessUiConnectorConfigPropertiesSampleQueriesItem

Name	Description	Value
description	The sample query description	string
query	the sample query	string

CodelessUiDataConnector

Name	Description	Value
kind	The data connector kind	'GenericUI' (required)
properties	Codeless UI data connector properties	CodelessParameters

DataConnectorDataTypeCommon

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

Dynamics365DataConnector

Name	Description	Value
kind	The data connector kind	'Dynamics365' (required)
properties	Dynamics365 data connector properties.	Dynamics365DataConnectorProperties

Dynamics365DataConnectorDataTypes

Name	Description	Value
dynamics365CdsActivities	Common Data Service data type connection.	Dynamics365DataConnectorDataTypesDynamics365CdsActivities (required)

Dynamics365DataConnectorDataTypesDynamics365CdsActivities

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

Dynamics365DataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	Dynamics365DataConnectorDataTypes (required)
tenantId	The tenant id to connect to, and get the data from.	string (required)

InstructionStepsInstructionsItem

Name	Description	Value
parameters	The parameters for the setting	any
type	The kind of the setting	'CopyableLabel' 'InfoMessage' 'InstructionStepsGroup' (required)

McasDataConnector

Name	Description	Value
kind	The data connector kind	'MicrosoftCloudAppSecurity' (required)
properties	MCAS (Microsoft Cloud App Security) data connector properties.	McasDataConnectorProperties

McasDataConnectorDataTypes

Name	Description	Value
alerts	Alerts data type connection.	DataConnectorDataTypeCommon (required)
discoveryLogs	Discovery log data type connection.	DataConnectorDataTypeCommon

McasDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	McasDataConnectorDataTypes (required)
tenantId	The tenant id to connect to, and get the data from.	string (required)

MdatpDataConnector

Name	Description	Value
kind	The data connector kind	'MicrosoftDefenderAdvancedThreatProtection' (required)
properties	MDATP (Microsoft Defender Advanced Threat Protection) data connector properties.	MdatpDataConnectorProperties

MdatpDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	AlertsDataTypeOfDataConnector
tenantId	The tenant id to connect to, and get the data from.	string (required)

MstiDataConnector

Name	Description	Value
kind	The data connector kind	'MicrosoftThreatIntelligence' (required)
properties	Microsoft Threat Intelligence data connector properties.	MstiDataConnectorProperties

MstiDataConnectorDataTypes

Name	Description	Value
bingSafetyPhishingURL	Data type for Microsoft Threat Intelligence Platforms data connector.	MstiDataConnectorDataTypesBingSafetyPhishingURL (required)
microsoftEmergingThreatFeed	Data type for Microsoft Threat Intelligence Platforms data connector.	MstiDataConnectorDataTypesMicrosoftEmergingThreatFeed (required)

MstiDataConnectorDataTypesBingSafetyPhishingURL

Name	Description	Value
lookbackPeriod	lookback period	string (required)
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

MstiDataConnectorDataTypesMicrosoftEmergingThreatFeed

Name	Description	Value
lookbackPeriod	lookback period	string (required)
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

MstiDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	MstiDataConnectorDataTypes (required)
tenantId	The tenant id to connect to, and get the data from.	string (required)

MTPDataConnector

Name	Description	Value
kind	The data connector kind	'MicrosoftThreatProtection' (required)
properties	MTP (Microsoft Threat Protection) data connector properties.	MTPDataConnectorProperties

MTPDataConnectorDataTypes

Name	Description	Value
incidents	Data type for Microsoft Threat Protection Platforms data connector.	MTPDataConnectorDataTypesIncidents (required)

MTPDataConnectorDataTypesIncidents

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

MTPDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	MTPDataConnectorDataTypes (required)
tenantId	The tenant id to connect to, and get the data from.	string (required)

OfficeATPDataConnector

Name	Description	Value
kind	The data connector kind	'OfficeATP' (required)
properties	OfficeATP (Office 365 Advanced Threat Protection) data connector properties.	OfficeATPDataConnectorProperties

OfficeATPDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	AlertsDataTypeOfDataConnector
tenantId	The tenant id to connect to, and get the data from.	string (required)

OfficeDataConnector

Name	Description	Value
kind	The data connector kind	'Office365' (required)
properties	Office data connector properties.	OfficeDataConnectorProperties

OfficeDataConnectorDataTypes

Name	Description	Value
exchange	Exchange data type connection.	OfficeDataConnectorDataTypesExchange (required)
sharePoint	SharePoint data type connection.	OfficeDataConnectorDataTypesSharePoint (required)
teams	Teams data type connection.	OfficeDataConnectorDataTypesTeams (required)

OfficeDataConnectorDataTypesExchange

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

OfficeDataConnectorDataTypesSharePoint

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

OfficeDataConnectorDataTypesTeams

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

OfficeDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	OfficeDataConnectorDataTypes (required)
tenantId	The tenant id to connect to, and get the data from.	string (required)

Permissions

Name	Description	Value
customs	Customs permissions required for the connector	PermissionsCustomsItem[]
resourceProvider	Resource provider permissions required for the connector	PermissionsResourceProviderItem[]

PermissionsCustomsItem

Name	Description	Value
description	Customs permissions description	string
name	Customs permissions name	string

PermissionsResourceProviderItem

Name	Description	Value
permissionsDisplayText	Permission description text	string
provider	Provider name	'microsoft.aadiam/diagnosticSettings' 'Microsoft.Authorization/policyAssignments' 'Microsoft.OperationalInsights/solutions' 'Microsoft.OperationalInsights/workspaces' 'Microsoft.OperationalInsights/workspaces/datasources' 'Microsoft.OperationalInsights/workspaces/sharedKeys'
providerDisplayName	Permission provider display name	string
requiredPermissions	Required permissions for the connector	RequiredPermissions
scope	Permission provider scope	'ResourceGroup' 'Subscription' 'Workspace'

RequiredPermissions

Name	Description	Value
action	action permission	bool
delete	delete permission	bool
read	read permission	bool
write	write permission	bool

TIDataConnector

Name	Description	Value
kind	The data connector kind	'ThreatIntelligence' (required)
properties	TI (Threat Intelligence) data connector properties.	TIDataConnectorProperties

TIDataConnectorDataTypes

Name	Description	Value
indicators	Data type for indicators connection.	TIDataConnectorDataTypesIndicators (required)

TIDataConnectorDataTypesIndicators

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

TIDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	TIDataConnectorDataTypes (required)
tenantId	The tenant id to connect to, and get the data from.	string (required)
tipLookbackPeriod	The lookback period for the feed to be imported.	string

TiTaxiiDataConnector

Name	Description	Value
kind	The data connector kind	'ThreatIntelligenceTaxii' (required)
properties	Threat intelligence TAXII data connector properties.	TiTaxiiDataConnectorProperties

TiTaxiiDataConnectorDataTypes

Name	Description	Value
taxiiClient	Data type for TAXII connector.	TiTaxiiDataConnectorDataTypesTaxiiClient (required)

TiTaxiiDataConnectorDataTypesTaxiiClient

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

TiTaxiiDataConnectorProperties

Name	Description	Value
collectionId	The collection id of the TAXII server.	string
dataTypes	The available data types for Threat Intelligence TAXII data connector.	TiTaxiiDataConnectorDataTypes (required)
friendlyName	The friendly name for the TAXII server.	string
password	The password for the TAXII server.	string
pollingFrequency	The polling frequency for the TAXII server.	'OnceADay' 'OnceAMinute' 'OnceAnHour' (required)
taxiiLookbackPeriod	The lookback period for the TAXII server.	string
taxiiServer	The API root for the TAXII server.	string
tenantId	The tenant id to connect to, and get the data from.	string (required)
userName	The userName for the TAXII server.	string
workspaceId	The workspace id.	string

Usage Examples

Terraform Samples

A basic example of deploying Data Connector.

terraform {
  required_providers {
    azapi = {
      source = "Azure/azapi"
    }
    azurerm = {
      source = "hashicorp/azurerm"
    }
  }
}

provider "azurerm" {
  features {
  }
}

provider "azapi" {
  skip_provider_registration = false
}

variable "resource_name" {
  type    = string
  default = "acctest0001"
}

variable "location" {
  type    = string
  default = "westeurope"
}

data "azurerm_client_config" "current" {
}

resource "azapi_resource" "resourceGroup" {
  type     = "Microsoft.Resources/resourceGroups@2020-06-01"
  name     = var.resource_name
  location = var.location
}

resource "azapi_resource" "workspace" {
  type      = "Microsoft.OperationalInsights/workspaces@2022-10-01"
  parent_id = azapi_resource.resourceGroup.id
  name      = var.resource_name
  location  = var.location
  body = {
    properties = {
      features = {
        disableLocalAuth                            = false
        enableLogAccessUsingOnlyResourcePermissions = true
      }
      publicNetworkAccessForIngestion = "Enabled"
      publicNetworkAccessForQuery     = "Enabled"
      retentionInDays                 = 30
      sku = {
        name = "PerGB2018"
      }
      workspaceCapping = {
        dailyQuotaGb = -1
      }
    }
  }
  schema_validation_enabled = false
  response_export_values    = ["*"]
}

resource "azapi_resource" "onboardingState" {
  type      = "Microsoft.SecurityInsights/onboardingStates@2023-06-01-preview"
  parent_id = azapi_resource.workspace.id
  name      = "default"
  body = {
    properties = {
      customerManagedKey = false
    }
  }
}

resource "azapi_resource" "dataConnector" {
  type      = "Microsoft.SecurityInsights/dataConnectors@2022-10-01-preview"
  parent_id = azapi_resource.workspace.id
  name      = var.resource_name
  body = {
    kind = "MicrosoftThreatIntelligence"
    properties = {
      dataTypes = {
        bingSafetyPhishingURL = {
          lookbackPeriod = ""
          state          = "Disabled"
        }
        microsoftEmergingThreatFeed = {
          lookbackPeriod = "1970-01-01T00:00:00Z"
          state          = "enabled"
        }
      }
      tenantId = data.azurerm_client_config.current.tenant_id
    }
  }
  schema_validation_enabled = false
  response_export_values    = ["*"]
  depends_on                = [azapi_resource.onboardingState]
}