Share via

Microsoft.SecurityInsights dataConnectors 2025-07-01-preview

Bicep resource definition

The dataConnectors resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.SecurityInsights/dataConnectors resource, add the following Bicep to your template.

resource symbolicname 'Microsoft.SecurityInsights/dataConnectors@2025-07-01-preview' = {
  etag: 'string'
  name: 'string'
  kind: 'string'
  // For remaining properties, see Microsoft.SecurityInsights/dataConnectors objects
}

Microsoft.SecurityInsights/dataConnectors objects

Set the kind property to specify the type of object.

For APIPolling, use:

{
  kind: 'APIPolling'
  properties: {
    connectorUiConfig: {
      availability: {
        isPreview: bool
        status: '1'
      }
      connectivityCriteria: [
        {
          type: 'string'
          value: [
            'string'
          ]
        }
      ]
      customImage: 'string'
      dataTypes: [
        {
          lastDataReceivedQuery: 'string'
          name: 'string'
        }
      ]
      descriptionMarkdown: 'string'
      graphQueries: [
        {
          baseQuery: 'string'
          legend: 'string'
          metricName: 'string'
        }
      ]
      graphQueriesTableName: 'string'
      instructionSteps: [
        {
          description: 'string'
          instructions: [
            {
              parameters: any(...)
              type: 'string'
            }
          ]
          title: 'string'
        }
      ]
      permissions: {
        customs: [
          {
            description: 'string'
            name: 'string'
          }
        ]
        resourceProvider: [
          {
            permissionsDisplayText: 'string'
            provider: 'string'
            providerDisplayName: 'string'
            requiredPermissions: {
              action: bool
              delete: bool
              read: bool
              write: bool
            }
            scope: 'string'
          }
        ]
      }
      publisher: 'string'
      sampleQueries: [
        {
          description: 'string'
          query: 'string'
        }
      ]
      title: 'string'
    }
    pollingConfig: {
      auth: {
        apiKeyIdentifier: 'string'
        apiKeyName: 'string'
        authorizationEndpoint: 'string'
        authorizationEndpointQueryParameters: any(...)
        authType: 'string'
        flowName: 'string'
        isApiKeyInPostPayload: 'string'
        isClientSecretInHeader: bool
        redirectionEndpoint: 'string'
        scope: 'string'
        tokenEndpoint: 'string'
        tokenEndpointHeaders: any(...)
        tokenEndpointQueryParameters: any(...)
      }
      isActive: bool
      paging: {
        nextPageParaName: 'string'
        nextPageTokenJsonPath: 'string'
        pageCountAttributePath: 'string'
        pageSize: int
        pageSizeParaName: 'string'
        pageTimeStampAttributePath: 'string'
        pageTotalCountAttributePath: 'string'
        pagingType: 'string'
        searchTheLatestTimeStampFromEventsList: 'string'
      }
      request: {
        apiEndpoint: 'string'
        endTimeAttributeName: 'string'
        headers: any(...)
        httpMethod: 'string'
        queryParameters: any(...)
        queryParametersTemplate: 'string'
        queryTimeFormat: 'string'
        queryWindowInMin: int
        rateLimitQps: int
        retryCount: int
        startTimeAttributeName: 'string'
        timeoutInSeconds: int
      }
      response: {
        eventsJsonPaths: [
          'string'
        ]
        isGzipCompressed: bool
        successStatusJsonPath: 'string'
        successStatusValue: 'string'
      }
    }
  }
}

For AmazonWebServicesCloudTrail, use:

{
  kind: 'AmazonWebServicesCloudTrail'
  properties: {
    awsRoleArn: 'string'
    dataTypes: {
      logs: {
        state: 'string'
      }
    }
  }
}

For AmazonWebServicesS3, use:

{
  kind: 'AmazonWebServicesS3'
  properties: {
    dataTypes: {
      logs: {
        state: 'string'
      }
    }
    destinationTable: 'string'
    roleArn: 'string'
    sqsUrls: [
      'string'
    ]
  }
}

For AzureActiveDirectory, use:

{
  kind: 'AzureActiveDirectory'
  properties: {
    dataTypes: {
      alerts: {
        state: 'string'
      }
    }
    tenantId: 'string'
  }
}

For AzureAdvancedThreatProtection, use:

{
  kind: 'AzureAdvancedThreatProtection'
  properties: {
    dataTypes: {
      alerts: {
        state: 'string'
      }
    }
    tenantId: 'string'
  }
}

For AzureSecurityCenter, use:

{
  kind: 'AzureSecurityCenter'
  properties: {
    dataTypes: {
      alerts: {
        state: 'string'
      }
    }
    subscriptionId: 'string'
  }
}

For Dynamics365, use:

{
  kind: 'Dynamics365'
  properties: {
    dataTypes: {
      dynamics365CdsActivities: {
        state: 'string'
      }
    }
    tenantId: 'string'
  }
}

For GCP, use:

{
  kind: 'GCP'
  properties: {
    auth: {
      projectNumber: 'string'
      serviceAccountEmail: 'string'
      workloadIdentityProviderId: 'string'
    }
    connectorDefinitionName: 'string'
    dcrConfig: {
      dataCollectionEndpoint: 'string'
      dataCollectionRuleImmutableId: 'string'
      streamName: 'string'
    }
    request: {
      projectId: 'string'
      subscriptionNames: [
        'string'
      ]
    }
  }
}

For GenericUI, use:

{
  kind: 'GenericUI'
  properties: {
    connectorUiConfig: {
      availability: {
        isPreview: bool
        status: '1'
      }
      connectivityCriteria: [
        {
          type: 'string'
          value: [
            'string'
          ]
        }
      ]
      customImage: 'string'
      dataTypes: [
        {
          lastDataReceivedQuery: 'string'
          name: 'string'
        }
      ]
      descriptionMarkdown: 'string'
      graphQueries: [
        {
          baseQuery: 'string'
          legend: 'string'
          metricName: 'string'
        }
      ]
      graphQueriesTableName: 'string'
      instructionSteps: [
        {
          description: 'string'
          instructions: [
            {
              parameters: any(...)
              type: 'string'
            }
          ]
          title: 'string'
        }
      ]
      permissions: {
        customs: [
          {
            description: 'string'
            name: 'string'
          }
        ]
        resourceProvider: [
          {
            permissionsDisplayText: 'string'
            provider: 'string'
            providerDisplayName: 'string'
            requiredPermissions: {
              action: bool
              delete: bool
              read: bool
              write: bool
            }
            scope: 'string'
          }
        ]
      }
      publisher: 'string'
      sampleQueries: [
        {
          description: 'string'
          query: 'string'
        }
      ]
      title: 'string'
    }
  }
}

For IOT, use:

{
  kind: 'IOT'
  properties: {
    dataTypes: {
      alerts: {
        state: 'string'
      }
    }
    subscriptionId: 'string'
  }
}

For MicrosoftCloudAppSecurity, use:

{
  kind: 'MicrosoftCloudAppSecurity'
  properties: {
    dataTypes: {
      alerts: {
        state: 'string'
      }
      discoveryLogs: {
        state: 'string'
      }
    }
    tenantId: 'string'
  }
}

For MicrosoftDefenderAdvancedThreatProtection, use:

{
  kind: 'MicrosoftDefenderAdvancedThreatProtection'
  properties: {
    dataTypes: {
      alerts: {
        state: 'string'
      }
    }
    tenantId: 'string'
  }
}

For MicrosoftPurviewInformationProtection, use:

{
  kind: 'MicrosoftPurviewInformationProtection'
  properties: {
    dataTypes: {
      logs: {
        state: 'string'
      }
    }
    tenantId: 'string'
  }
}

For MicrosoftThreatIntelligence, use:

{
  kind: 'MicrosoftThreatIntelligence'
  properties: {
    dataTypes: {
      microsoftEmergingThreatFeed: {
        lookbackPeriod: 'string'
        state: 'string'
      }
    }
    tenantId: 'string'
  }
}

For MicrosoftThreatProtection, use:

{
  kind: 'MicrosoftThreatProtection'
  properties: {
    dataTypes: {
      alerts: {
        state: 'string'
      }
      incidents: {
        state: 'string'
      }
    }
    filteredProviders: {
      alerts: [
        'string'
      ]
    }
    tenantId: 'string'
  }
}

For Office365, use:

{
  kind: 'Office365'
  properties: {
    dataTypes: {
      exchange: {
        state: 'string'
      }
      sharePoint: {
        state: 'string'
      }
      teams: {
        state: 'string'
      }
    }
    tenantId: 'string'
  }
}

For Office365Project, use:

{
  kind: 'Office365Project'
  properties: {
    dataTypes: {
      logs: {
        state: 'string'
      }
    }
    tenantId: 'string'
  }
}

For OfficeATP, use:

{
  kind: 'OfficeATP'
  properties: {
    dataTypes: {
      alerts: {
        state: 'string'
      }
    }
    tenantId: 'string'
  }
}

For OfficeIRM, use:

{
  kind: 'OfficeIRM'
  properties: {
    dataTypes: {
      alerts: {
        state: 'string'
      }
    }
    tenantId: 'string'
  }
}

For OfficePowerBI, use:

{
  kind: 'OfficePowerBI'
  properties: {
    dataTypes: {
      logs: {
        state: 'string'
      }
    }
    tenantId: 'string'
  }
}

For PurviewAudit, use:

{
  kind: 'PurviewAudit'
  properties: {
    connectorDefinitionName: 'string'
    dataTypes: {
      logs: {
        state: 'string'
      }
    }
    dcrConfig: {
      dataCollectionEndpoint: 'string'
      dataCollectionRuleImmutableId: 'string'
      streamName: 'string'
    }
    sourceType: 'string'
    tenantId: 'string'
  }
}

For RestApiPoller, use:

{
  kind: 'RestApiPoller'
  properties: {
    addOnAttributes: {
      {customized property}: 'string'
    }
    auth: {
      type: 'string'
      // For remaining properties, see CcpAuthConfig objects
    }
    connectorDefinitionName: 'string'
    dataType: 'string'
    dcrConfig: {
      dataCollectionEndpoint: 'string'
      dataCollectionRuleImmutableId: 'string'
      streamName: 'string'
    }
    isActive: bool
    paging: {
      pageSize: int
      pageSizeParameterName: 'string'
      pagingType: 'string'
    }
    request: {
      apiEndpoint: 'string'
      endTimeAttributeName: 'string'
      headers: {
        {customized property}: 'string'
      }
      httpMethod: 'string'
      isPostPayloadJson: bool
      queryParameters: {
        {customized property}: any(...)
      }
      queryParametersTemplate: 'string'
      queryTimeFormat: 'string'
      queryTimeIntervalAttributeName: 'string'
      queryTimeIntervalDelimiter: 'string'
      queryTimeIntervalPrepend: 'string'
      queryWindowInMin: int
      rateLimitQPS: int
      retryCount: int
      startTimeAttributeName: 'string'
      timeoutInSeconds: int
    }
    response: {
      compressionAlgo: 'string'
      convertChildPropertiesToArray: bool
      csvDelimiter: 'string'
      csvEscape: 'string'
      eventsJsonPaths: [
        'string'
      ]
      format: 'string'
      hasCsvBoundary: bool
      hasCsvHeader: bool
      isGzipCompressed: bool
      successStatusJsonPath: 'string'
      successStatusValue: 'string'
    }
  }
}

For ThreatIntelligence, use:

{
  kind: 'ThreatIntelligence'
  properties: {
    dataTypes: {
      indicators: {
        state: 'string'
      }
    }
    tenantId: 'string'
    tipLookbackPeriod: 'string'
  }
}

For ThreatIntelligenceTaxii, use:

{
  kind: 'ThreatIntelligenceTaxii'
  properties: {
    collectionId: 'string'
    dataTypes: {
      taxiiClient: {
        state: 'string'
      }
    }
    friendlyName: 'string'
    password: 'string'
    pollingFrequency: 'string'
    taxiiLookbackPeriod: 'string'
    taxiiServer: 'string'
    tenantId: 'string'
    userName: 'string'
    workspaceId: 'string'
  }
}

CcpAuthConfig objects

Set the type property to specify the type of object.

For APIKey, use:

{
  apiKey: 'string'
  apiKeyIdentifier: 'string'
  apiKeyName: 'string'
  isApiKeyInPostPayload: bool
  type: 'APIKey'
}

For AWS, use:

{
  externalId: 'string'
  roleArn: 'string'
  type: 'AWS'
}

For Basic, use:

{
  password: 'string'
  type: 'Basic'
  userName: 'string'
}

For GCP, use:

{
  projectNumber: 'string'
  serviceAccountEmail: 'string'
  type: 'GCP'
  workloadIdentityProviderId: 'string'
}

For GitHub, use:

{
  installationId: 'string'
  type: 'GitHub'
}

For JwtToken, use:

{
  headers: {
    {customized property}: 'string'
  }
  isCredentialsInHeaders: bool
  isJsonRequest: bool
  password: {
    {customized property}: 'string'
  }
  queryParameters: {
    {customized property}: 'string'
  }
  requestTimeoutInSeconds: int
  tokenEndpoint: 'string'
  type: 'JwtToken'
  userName: {
    {customized property}: 'string'
  }
}

For None, use:

{
  type: 'None'
}

For OAuth2, use:

{
  accessTokenPrepend: 'string'
  authorizationCode: 'string'
  authorizationEndpoint: 'string'
  authorizationEndpointHeaders: {
    {customized property}: 'string'
  }
  authorizationEndpointQueryParameters: {
    {customized property}: 'string'
  }
  clientId: 'string'
  clientSecret: 'string'
  grantType: 'string'
  isCredentialsInHeaders: bool
  isJwtBearerFlow: bool
  redirectUri: 'string'
  scope: 'string'
  tokenEndpoint: 'string'
  tokenEndpointHeaders: {
    {customized property}: 'string'
  }
  tokenEndpointQueryParameters: {
    {customized property}: 'string'
  }
  type: 'OAuth2'
}

For Oracle, use:

{
  pemFile: 'string'
  publicFingerprint: 'string'
  tenantId: 'string'
  type: 'Oracle'
  userId: 'string'
}

For ServiceBus, use:

{
  credentialsConfig: {
    {customized property}: 'string'
  }
  storageAccountCredentialsConfig: {
    {customized property}: 'string'
  }
  type: 'ServiceBus'
}

For Session, use:

{
  headers: {
    {customized property}: 'string'
  }
  isPostPayloadJson: bool
  password: {
    {customized property}: 'string'
  }
  queryParameters: {
    {customized property}: any(...)
  }
  sessionIdName: 'string'
  sessionLoginRequestUri: 'string'
  sessionTimeoutInMinutes: int
  type: 'Session'
  userName: {
    {customized property}: 'string'
  }
}

Property Values

Microsoft.SecurityInsights/dataConnectors

Name Description Value
etag Etag of the azure resource string
kind Set to 'APIPolling' for type CodelessApiPollingDataConnector. Set to 'AmazonWebServicesCloudTrail' for type AwsCloudTrailDataConnector. Set to 'AmazonWebServicesS3' for type AwsS3DataConnector. Set to 'AzureActiveDirectory' for type AADDataConnector. Set to 'AzureAdvancedThreatProtection' for type AatpDataConnector. Set to 'AzureSecurityCenter' for type ASCDataConnector. Set to 'Dynamics365' for type Dynamics365DataConnector. Set to 'GCP' for type GCPDataConnector. Set to 'GenericUI' for type CodelessUiDataConnector. Set to 'IOT' for type IoTDataConnector. Set to 'MicrosoftCloudAppSecurity' for type McasDataConnector. Set to 'MicrosoftDefenderAdvancedThreatProtection' for type MdatpDataConnector. Set to 'MicrosoftPurviewInformationProtection' for type MicrosoftPurviewInformationProtectionDataConnector. Set to 'MicrosoftThreatIntelligence' for type MstiDataConnector. Set to 'MicrosoftThreatProtection' for type MTPDataConnector. Set to 'Office365' for type OfficeDataConnector. Set to 'Office365Project' for type Office365ProjectDataConnector. Set to 'OfficeATP' for type OfficeATPDataConnector. Set to 'OfficeIRM' for type OfficeIRMDataConnector. Set to 'OfficePowerBI' for type OfficePowerBIDataConnector. Set to 'PurviewAudit' for type PurviewAuditDataConnector. Set to 'RestApiPoller' for type RestApiPollerDataConnector. Set to 'ThreatIntelligence' for type TIDataConnector. Set to 'ThreatIntelligenceTaxii' for type TiTaxiiDataConnector. 'AmazonWebServicesCloudTrail'
'AmazonWebServicesS3'
'APIPolling'
'AzureActiveDirectory'
'AzureAdvancedThreatProtection'
'AzureSecurityCenter'
'Dynamics365'
'GCP'
'GenericUI'
'IOT'
'MicrosoftCloudAppSecurity'
'MicrosoftDefenderAdvancedThreatProtection'
'MicrosoftPurviewInformationProtection'
'MicrosoftThreatIntelligence'
'MicrosoftThreatProtection'
'Office365'
'Office365Project'
'OfficeATP'
'OfficeIRM'
'OfficePowerBI'
'PurviewAudit'
'RestApiPoller'
'ThreatIntelligence'
'ThreatIntelligenceTaxii' (required)
name The resource name string (required)
scope Use when creating a resource at a scope that is different than the deployment scope. Set this property to the symbolic name of a resource to apply the extension resource.

AADDataConnector

Name Description Value
kind The data connector kind 'AzureActiveDirectory' (required)
properties AADIP (Azure Active Directory Identity Protection) data connector properties. AADDataConnectorProperties

AADDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. AlertsDataTypeOfDataConnector
tenantId The tenant id to connect to, and get the data from. string (required)

AatpDataConnector

Name Description Value
kind The data connector kind 'AzureAdvancedThreatProtection' (required)
properties AATP (Azure Advanced Threat Protection) data connector properties. AatpDataConnectorProperties

AatpDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. AlertsDataTypeOfDataConnector
tenantId The tenant id to connect to, and get the data from. string (required)

AlertsDataTypeOfDataConnector

Name Description Value
alerts Alerts data type connection. DataConnectorDataTypeCommon (required)

ApiKeyAuthModel

Name Description Value
apiKey API Key for the user secret key credential string (required)
apiKeyIdentifier API Key Identifier string
apiKeyName API Key name string (required)
isApiKeyInPostPayload Flag to indicate if API key is set in HTTP POST payload bool
type The auth type 'APIKey' (required)

ApiPollingParameters

Name Description Value
connectorUiConfig Config to describe the instructions blade CodelessUiConnectorConfigProperties
pollingConfig Config to describe the polling instructions CodelessConnectorPollingConfigProperties

ASCDataConnector

Name Description Value
kind The data connector kind 'AzureSecurityCenter' (required)
properties ASC (Azure Security Center) data connector properties. ASCDataConnectorProperties

ASCDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. AlertsDataTypeOfDataConnector
subscriptionId The subscription id to connect to, and get the data from. string

Availability

Name Description Value
isPreview Set connector as preview bool
status The connector Availability Status '1'

AWSAuthModel

Name Description Value
externalId AWS STS assume role external ID. This is used to prevent the confused deputy problem: 'https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html' string
roleArn AWS STS assume role ARN string (required)
type The auth type 'AWS' (required)

AwsCloudTrailDataConnector

Name Description Value
kind The data connector kind 'AmazonWebServicesCloudTrail' (required)
properties Amazon Web Services CloudTrail data connector properties. AwsCloudTrailDataConnectorProperties

AwsCloudTrailDataConnectorDataTypes

Name Description Value
logs Logs data type. AwsCloudTrailDataConnectorDataTypesLogs (required)

AwsCloudTrailDataConnectorDataTypesLogs

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

AwsCloudTrailDataConnectorProperties

Name Description Value
awsRoleArn The Aws Role Arn (with CloudTrailReadOnly policy) that is used to access the Aws account. string
dataTypes The available data types for the connector. AwsCloudTrailDataConnectorDataTypes (required)

AwsS3DataConnector

Name Description Value
kind The data connector kind 'AmazonWebServicesS3' (required)
properties Amazon Web Services S3 data connector properties. AwsS3DataConnectorProperties

AwsS3DataConnectorDataTypes

Name Description Value
logs Logs data type. AwsS3DataConnectorDataTypesLogs (required)

AwsS3DataConnectorDataTypesLogs

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

AwsS3DataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. AwsS3DataConnectorDataTypes (required)
destinationTable The logs destination table name in LogAnalytics. string (required)
roleArn The Aws Role Arn that is used to access the Aws account. string (required)
sqsUrls The AWS sqs urls for the connector. string[] (required)

BasicAuthModel

Name Description Value
password The password string (required)
type The auth type 'Basic' (required)
userName The user name. string (required)

CcpAuthConfig

Name Description Value
type Set to 'APIKey' for type ApiKeyAuthModel. Set to 'AWS' for type AWSAuthModel. Set to 'Basic' for type BasicAuthModel. Set to 'GCP' for type GCPAuthModel. Set to 'GitHub' for type GitHubAuthModel. Set to 'JwtToken' for type JwtAuthModel. Set to 'None' for type NoneAuthModel. Set to 'OAuth2' for type OAuthModel. Set to 'Oracle' for type OracleAuthModel. Set to 'ServiceBus' for type GenericBlobSbsAuthModel. Set to 'Session' for type SessionAuthModel. 'APIKey'
'AWS'
'Basic'
'GCP'
'GitHub'
'JwtToken'
'None'
'OAuth2'
'Oracle'
'ServiceBus'
'Session' (required)

CcpResponseConfig

Name Description Value
compressionAlgo The compression algorithm. For Example: 'gzip', 'multi-gzip', 'deflate'. string
convertChildPropertiesToArray The value indicating whether the response isn't an array of events / logs. By setting this flag to true it means the remote server will response with an object which each property has as a value an array of events / logs. bool
csvDelimiter The csv delimiter, in case the response format is CSV. string
csvEscape The character used to escape characters in CSV. string

Constraints:
Min length = 1
Max length = 1
eventsJsonPaths The json paths, '$' char is the json root. string[] (required)
format The response format. possible values are json,csv,xml string
hasCsvBoundary The value indicating whether the response has CSV boundary in case the response in CSV format. bool
hasCsvHeader The value indicating whether the response has headers in case the response in CSV format. bool
isGzipCompressed The value indicating whether the remote server support Gzip and we should expect Gzip response. bool
successStatusJsonPath The value where the status message/code should appear in the response. string
successStatusValue The status value. string

CodelessApiPollingDataConnector

Name Description Value
kind The data connector kind 'APIPolling' (required)
properties Codeless poling data connector properties ApiPollingParameters

CodelessConnectorPollingAuthProperties

Name Description Value
apiKeyIdentifier A prefix send in the header before the actual token string
apiKeyName The header name which the token is sent with string
authorizationEndpoint The endpoint used to authorize the user, used in Oauth 2.0 flow string
authorizationEndpointQueryParameters The query parameters used in authorization request, used in Oauth 2.0 flow any
authType The authentication type string (required)
flowName Describes the flow name, for example 'AuthCode' for Oauth 2.0 string
isApiKeyInPostPayload Marks if the key should sent in header string
isClientSecretInHeader Marks if we should send the client secret in header or payload, used in Oauth 2.0 flow bool
redirectionEndpoint The redirect endpoint where we will get the authorization code, used in Oauth 2.0 flow string
scope The OAuth token scope string
tokenEndpoint The endpoint used to issue a token, used in Oauth 2.0 flow string
tokenEndpointHeaders The query headers used in token request, used in Oauth 2.0 flow any
tokenEndpointQueryParameters The query parameters used in token request, used in Oauth 2.0 flow any

CodelessConnectorPollingConfigProperties

Name Description Value
auth Describe the authentication type of the poller CodelessConnectorPollingAuthProperties (required)
isActive The poller active status bool
paging Describe the poll request paging config of the poller CodelessConnectorPollingPagingProperties
request Describe the poll request config parameters of the poller CodelessConnectorPollingRequestProperties (required)
response Describe the response config parameters of the poller CodelessConnectorPollingResponseProperties

CodelessConnectorPollingPagingProperties

Name Description Value
nextPageParaName Defines the name of a next page attribute string
nextPageTokenJsonPath Defines the path to a next page token JSON string
pageCountAttributePath Defines the path to a page count attribute string
pageSize Defines the paging size int
pageSizeParaName Defines the name of the page size parameter string
pageTimeStampAttributePath Defines the path to a paging time stamp attribute string
pageTotalCountAttributePath Defines the path to a page total count attribute string
pagingType Describes the type. could be 'None', 'PageToken', 'PageCount', 'TimeStamp' string (required)
searchTheLatestTimeStampFromEventsList Determines whether to search for the latest time stamp in the events list string

CodelessConnectorPollingRequestProperties

Name Description Value
apiEndpoint Describe the endpoint we should pull the data from string (required)
endTimeAttributeName This will be used the query events from the end of the time window string
headers Describe the headers sent in the poll request any
httpMethod The http method type we will use in the poll request, GET or POST string (required)
queryParameters Describe the query parameters sent in the poll request any
queryParametersTemplate For advanced scenarios for example user name/password embedded in nested JSON payload string
queryTimeFormat The time format will be used the query events in a specific window string (required)
queryWindowInMin The window interval we will use the pull the data int (required)
rateLimitQps Defines the rate limit QPS int
retryCount Describe the amount of time we should try and poll the data in case of failure int
startTimeAttributeName This will be used the query events from a start of the time window string
timeoutInSeconds The number of seconds we will consider as a request timeout int

CodelessConnectorPollingResponseProperties

Name Description Value
eventsJsonPaths Describes the path we should extract the data in the response string[] (required)
isGzipCompressed Describes if the data in the response is Gzip bool
successStatusJsonPath Describes the path we should extract the status code in the response string
successStatusValue Describes the path we should extract the status value in the response string

CodelessParameters

Name Description Value
connectorUiConfig Config to describe the instructions blade CodelessUiConnectorConfigProperties

CodelessUiConnectorConfigProperties

Name Description Value
availability Connector Availability Status Availability (required)
connectivityCriteria Define the way the connector check connectivity CodelessUiConnectorConfigPropertiesConnectivityCriteriaItem[] (required)
customImage An optional custom image to be used when displaying the connector within Azure Sentinel's connector's gallery string
dataTypes Data types to check for last data received CodelessUiConnectorConfigPropertiesDataTypesItem[] (required)
descriptionMarkdown Connector description string (required)
graphQueries The graph query to show the current data status CodelessUiConnectorConfigPropertiesGraphQueriesItem[] (required)
graphQueriesTableName Name of the table the connector will insert the data to string (required)
instructionSteps Instruction steps to enable the connector CodelessUiConnectorConfigPropertiesInstructionStepsItem[] (required)
permissions Permissions required for the connector Permissions (required)
publisher Connector publisher name string (required)
sampleQueries The sample queries for the connector CodelessUiConnectorConfigPropertiesSampleQueriesItem[] (required)
title Connector blade title string (required)

CodelessUiConnectorConfigPropertiesConnectivityCriteriaItem

Name Description Value
type type of connectivity 'IsConnectedQuery'
value Queries for checking connectivity string[]

CodelessUiConnectorConfigPropertiesDataTypesItem

Name Description Value
lastDataReceivedQuery Query for indicate last data received string
name Name of the data type to show in the graph. can be use with {{graphQueriesTableName}} placeholder string

CodelessUiConnectorConfigPropertiesGraphQueriesItem

Name Description Value
baseQuery The base query for the graph string
legend The legend for the graph string
metricName the metric that the query is checking string

CodelessUiConnectorConfigPropertiesInstructionStepsItem

Name Description Value
description Instruction step description string
instructions Instruction step details InstructionStepsInstructionsItem[]
title Instruction step title string

CodelessUiConnectorConfigPropertiesSampleQueriesItem

Name Description Value
description The sample query description string
query the sample query string

CodelessUiDataConnector

Name Description Value
kind The data connector kind 'GenericUI' (required)
properties Codeless UI data connector properties CodelessParameters

DataConnectorDataTypeCommon

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

DCRConfiguration

Name Description Value
dataCollectionEndpoint Represents the data collection ingestion endpoint in log analytics. string (required)
dataCollectionRuleImmutableId The data collection rule immutable id, the rule defines the transformation and data destination. string (required)
streamName The stream we are sending the data to. string (required)

Dynamics365DataConnector

Name Description Value
kind The data connector kind 'Dynamics365' (required)
properties Dynamics365 data connector properties. Dynamics365DataConnectorProperties

Dynamics365DataConnectorDataTypes

Name Description Value
dynamics365CdsActivities Common Data Service data type connection. Dynamics365DataConnectorDataTypesDynamics365CdsActivities (required)

Dynamics365DataConnectorDataTypesDynamics365CdsActivities

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

Dynamics365DataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. Dynamics365DataConnectorDataTypes (required)
tenantId The tenant id to connect to, and get the data from. string (required)

GCPAuthModel

Name Description Value
projectNumber GCP Project Number string (required)
serviceAccountEmail GCP Service Account Email string (required)
type The auth type 'GCP' (required)
workloadIdentityProviderId GCP Workload Identity Provider ID string (required)

GCPAuthProperties

Name Description Value
projectNumber The GCP project number. string (required)
serviceAccountEmail The service account that is used to access the GCP project. string (required)
workloadIdentityProviderId The workload identity provider id that is used to gain access to the GCP project. string (required)

GCPDataConnector

Name Description Value
kind The data connector kind 'GCP' (required)
properties Google Cloud Platform data connector properties. GCPDataConnectorProperties

GCPDataConnectorProperties

Name Description Value
auth The auth section of the connector. GCPAuthProperties (required)
connectorDefinitionName The name of the connector definition that represents the UI config. string (required)
dcrConfig The configuration of the destination of the data. DCRConfiguration
request The request section of the connector. GCPRequestProperties (required)

GCPRequestProperties

Name Description Value
projectId The GCP project id. string (required)
subscriptionNames The GCP pub/sub subscription names. string[] (required)

GenericBlobSbsAuthModel

Name Description Value
credentialsConfig Credentials for service bus namespace, keyvault uri for access key GenericBlobSbsAuthModelCredentialsConfig
storageAccountCredentialsConfig Credentials for storage account, keyvault uri for access key GenericBlobSbsAuthModelStorageAccountCredentialsConfig
type The auth type 'ServiceBus' (required)

GenericBlobSbsAuthModelCredentialsConfig

Name Description Value

GenericBlobSbsAuthModelStorageAccountCredentialsConfig

Name Description Value

GitHubAuthModel

Name Description Value
installationId The GitHubApp auth installation id. string
type The auth type 'GitHub' (required)

InstructionStepsInstructionsItem

Name Description Value
parameters The parameters for the setting any
type The kind of the setting 'CopyableLabel'
'InfoMessage'
'InstructionStepsGroup' (required)

IoTDataConnector

Name Description Value
kind The data connector kind 'IOT' (required)
properties IoT data connector properties. IoTDataConnectorProperties

IoTDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. AlertsDataTypeOfDataConnector
subscriptionId The subscription id to connect to, and get the data from. string

JwtAuthModel

Name Description Value
headers The custom headers we want to add once we send request to token endpoint. JwtAuthModelHeaders
isCredentialsInHeaders Flag indicating whether we want to send the user name and password to token endpoint in the headers. bool
isJsonRequest Flag indicating whether the body request is JSON (header Content-Type = application/json), meaning its a Form URL encoded request (header Content-Type = application/x-www-form-urlencoded). bool
password The password JwtAuthModelPassword (required)
queryParameters The custom query parameter we want to add once we send request to token endpoint. JwtAuthModelQueryParameters
requestTimeoutInSeconds Request timeout in seconds. int

Constraints:
Max value = 180
tokenEndpoint Token endpoint to request JWT string (required)
type The auth type 'JwtToken' (required)
userName The user name. If user name and password sent in header request we only need to populate the value property with the user name (Same as basic auth). If user name and password sent in body request we need to specify the Key and Value. JwtAuthModelUserName (required)

JwtAuthModelHeaders

Name Description Value

JwtAuthModelPassword

Name Description Value

JwtAuthModelQueryParameters

Name Description Value

JwtAuthModelUserName

Name Description Value

McasDataConnector

Name Description Value
kind The data connector kind 'MicrosoftCloudAppSecurity' (required)
properties MCAS (Microsoft Cloud App Security) data connector properties. McasDataConnectorProperties

McasDataConnectorDataTypes

Name Description Value
alerts Alerts data type connection. DataConnectorDataTypeCommon (required)
discoveryLogs Discovery log data type connection. DataConnectorDataTypeCommon

McasDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. McasDataConnectorDataTypes (required)
tenantId The tenant id to connect to, and get the data from. string (required)

MdatpDataConnector

Name Description Value
kind The data connector kind 'MicrosoftDefenderAdvancedThreatProtection' (required)
properties MDATP (Microsoft Defender Advanced Threat Protection) data connector properties. MdatpDataConnectorProperties

MdatpDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. AlertsDataTypeOfDataConnector
tenantId The tenant id to connect to, and get the data from. string (required)

MicrosoftPurviewInformationProtectionConnectorDataTypes

Name Description Value
logs Logs data type. MicrosoftPurviewInformationProtectionConnectorDataTypesLogs (required)

MicrosoftPurviewInformationProtectionConnectorDataTypesLogs

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

MicrosoftPurviewInformationProtectionDataConnector

Name Description Value
kind The data connector kind 'MicrosoftPurviewInformationProtection' (required)
properties Microsoft Purview Information Protection data connector properties. MicrosoftPurviewInformationProtectionDataConnectorProperties

MicrosoftPurviewInformationProtectionDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. MicrosoftPurviewInformationProtectionConnectorDataTypes (required)
tenantId The tenant id to connect to, and get the data from. string (required)

MstiDataConnector

Name Description Value
kind The data connector kind 'MicrosoftThreatIntelligence' (required)
properties Microsoft Threat Intelligence data connector properties. MstiDataConnectorProperties

MstiDataConnectorDataTypes

Name Description Value
microsoftEmergingThreatFeed Data type for Microsoft Threat Intelligence Platforms data connector. MstiDataConnectorDataTypesMicrosoftEmergingThreatFeed (required)

MstiDataConnectorDataTypesMicrosoftEmergingThreatFeed

Name Description Value
lookbackPeriod The lookback period for the feed to be imported. string (required)
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

MstiDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. MstiDataConnectorDataTypes (required)
tenantId The tenant id to connect to, and get the data from. string (required)

MTPDataConnector

Name Description Value
kind The data connector kind 'MicrosoftThreatProtection' (required)
properties MTP (Microsoft Threat Protection) data connector properties. MTPDataConnectorProperties

MTPDataConnectorDataTypes

Name Description Value
alerts Alerts data type for Microsoft Threat Protection Platforms data connector. MTPDataConnectorDataTypesAlerts
incidents Incidents data type for Microsoft Threat Protection Platforms data connector. MTPDataConnectorDataTypesIncidents (required)

MTPDataConnectorDataTypesAlerts

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

MTPDataConnectorDataTypesIncidents

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

MTPDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. MTPDataConnectorDataTypes (required)
filteredProviders The available filtered providers for the connector. MtpFilteredProviders
tenantId The tenant id to connect to, and get the data from. string (required)

MtpFilteredProviders

Name Description Value
alerts Alerts filtered providers. When filters are not applied, all alerts will stream through the MTP pipeline, still in private preview for all products EXCEPT MDA and MDI, which are in GA state. String array containing any of:
'microsoftDefenderForCloudApps'
'microsoftDefenderForIdentity' (required)

NoneAuthModel

Name Description Value
type The auth type 'None' (required)

OAuthModel

Name Description Value
accessTokenPrepend Access token prepend. Default is 'Bearer'. string
authorizationCode The user's authorization code. string
authorizationEndpoint The authorization endpoint. string
authorizationEndpointHeaders The authorization endpoint headers. OAuthModelAuthorizationEndpointHeaders
authorizationEndpointQueryParameters The authorization endpoint query parameters. OAuthModelAuthorizationEndpointQueryParameters
clientId The Application (client) ID that the OAuth provider assigned to your app. string (required)
clientSecret The Application (client) secret that the OAuth provider assigned to your app. string (required)
grantType The grant type, usually will be 'authorization code'. string (required)
isCredentialsInHeaders Indicating whether we want to send the clientId and clientSecret to token endpoint in the headers. bool
isJwtBearerFlow A value indicating whether it's a JWT flow. bool
redirectUri The Application redirect url that the user config in the OAuth provider. string
scope The Application (client) Scope that the OAuth provider assigned to your app. string
tokenEndpoint The token endpoint. Defines the OAuth2 refresh token. string (required)
tokenEndpointHeaders The token endpoint headers. OAuthModelTokenEndpointHeaders
tokenEndpointQueryParameters The token endpoint query parameters. OAuthModelTokenEndpointQueryParameters
type The auth type 'OAuth2' (required)

OAuthModelAuthorizationEndpointHeaders

Name Description Value

OAuthModelAuthorizationEndpointQueryParameters

Name Description Value

OAuthModelTokenEndpointHeaders

Name Description Value

OAuthModelTokenEndpointQueryParameters

Name Description Value

Office365ProjectConnectorDataTypes

Name Description Value
logs Logs data type. Office365ProjectConnectorDataTypesLogs (required)

Office365ProjectConnectorDataTypesLogs

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

Office365ProjectDataConnector

Name Description Value
kind The data connector kind 'Office365Project' (required)
properties Office Microsoft Project data connector properties. Office365ProjectDataConnectorProperties

Office365ProjectDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. Office365ProjectConnectorDataTypes (required)
tenantId The tenant id to connect to, and get the data from. string (required)

OfficeATPDataConnector

Name Description Value
kind The data connector kind 'OfficeATP' (required)
properties OfficeATP (Office 365 Advanced Threat Protection) data connector properties. OfficeATPDataConnectorProperties

OfficeATPDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. AlertsDataTypeOfDataConnector
tenantId The tenant id to connect to, and get the data from. string (required)

OfficeDataConnector

Name Description Value
kind The data connector kind 'Office365' (required)
properties Office data connector properties. OfficeDataConnectorProperties

OfficeDataConnectorDataTypes

Name Description Value
exchange Exchange data type connection. OfficeDataConnectorDataTypesExchange (required)
sharePoint SharePoint data type connection. OfficeDataConnectorDataTypesSharePoint (required)
teams Teams data type connection. OfficeDataConnectorDataTypesTeams (required)

OfficeDataConnectorDataTypesExchange

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

OfficeDataConnectorDataTypesSharePoint

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

OfficeDataConnectorDataTypesTeams

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

OfficeDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. OfficeDataConnectorDataTypes (required)
tenantId The tenant id to connect to, and get the data from. string (required)

OfficeIRMDataConnector

Name Description Value
kind The data connector kind 'OfficeIRM' (required)
properties OfficeIRM (Microsoft Insider Risk Management) data connector properties. OfficeIRMDataConnectorProperties

OfficeIRMDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. AlertsDataTypeOfDataConnector
tenantId The tenant id to connect to, and get the data from. string (required)

OfficePowerBIConnectorDataTypes

Name Description Value
logs Logs data type. OfficePowerBIConnectorDataTypesLogs (required)

OfficePowerBIConnectorDataTypesLogs

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

OfficePowerBIDataConnector

Name Description Value
kind The data connector kind 'OfficePowerBI' (required)
properties Office Microsoft PowerBI data connector properties. OfficePowerBIDataConnectorProperties

OfficePowerBIDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. OfficePowerBIConnectorDataTypes (required)
tenantId The tenant id to connect to, and get the data from. string (required)

OracleAuthModel

Name Description Value
pemFile Content of the PRM file string (required)
publicFingerprint Public Fingerprint string (required)
tenantId Oracle tenant ID string (required)
type The auth type 'Oracle' (required)
userId Oracle user ID string (required)

Permissions

Name Description Value
customs Customs permissions required for the connector PermissionsCustomsItem[]
resourceProvider Resource provider permissions required for the connector PermissionsResourceProviderItem[]

PermissionsCustomsItem

Name Description Value
description Customs permissions description string
name Customs permissions name string

PermissionsResourceProviderItem

Name Description Value
permissionsDisplayText Permission description text string
provider Provider name 'microsoft.aadiam/diagnosticSettings'
'Microsoft.Authorization/policyAssignments'
'Microsoft.OperationalInsights/solutions'
'Microsoft.OperationalInsights/workspaces'
'Microsoft.OperationalInsights/workspaces/datasources'
'Microsoft.OperationalInsights/workspaces/sharedKeys'
providerDisplayName Permission provider display name string
requiredPermissions Required permissions for the connector RequiredPermissions
scope Permission provider scope 'ResourceGroup'
'Subscription'
'Workspace'

PurviewAuditConnectorDataTypes

Name Description Value
logs Logs data type. PurviewAuditConnectorDataTypesLogs (required)

PurviewAuditConnectorDataTypesLogs

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

PurviewAuditDataConnector

Name Description Value
kind The data connector kind 'PurviewAudit' (required)
properties PurviewAudit data connector properties. PurviewAuditDataConnectorProperties

PurviewAuditDataConnectorProperties

Name Description Value
connectorDefinitionName The connector definition name (the dataConnectorDefinition resource id). string
dataTypes The available data types for the connector. PurviewAuditConnectorDataTypes (required)
dcrConfig The DCR related properties. DCRConfiguration
sourceType The source type indicates which kind of data is relevant for this connector. string
tenantId The tenant id to connect to, and get the data from. string (required)

RequiredPermissions

Name Description Value
action action permission bool
delete delete permission bool
read read permission bool
write write permission bool

RestApiPollerDataConnector

Name Description Value
kind The data connector kind 'RestApiPoller' (required)
properties Rest Api Poller data connector properties. RestApiPollerDataConnectorProperties

RestApiPollerDataConnectorProperties

Name Description Value
addOnAttributes The add on attributes. The key name will become attribute name (a column) and the value will become the attribute value in the payload. RestApiPollerDataConnectorPropertiesAddOnAttributes
auth The a authentication model. CcpAuthConfig (required)
connectorDefinitionName The connector definition name (the dataConnectorDefinition resource id). string (required)
dataType The Log Analytics table destination. string
dcrConfig The DCR related properties. DCRConfiguration
isActive Indicates whether the connector is active or not. bool
paging The paging configuration. RestApiPollerRequestPagingConfig
request The request configuration. RestApiPollerRequestConfig (required)
response The response configuration. CcpResponseConfig

RestApiPollerDataConnectorPropertiesAddOnAttributes

Name Description Value

RestApiPollerRequestConfig

Name Description Value
apiEndpoint The API endpoint. string (required)
endTimeAttributeName The query parameter name which the remote server expect to end query. This property goes hand to hand with startTimeAttributeName string
headers The header for the request for the remote server. RestApiPollerRequestConfigHeaders
httpMethod The HTTP method, default value GET. 'DELETE'
'GET'
'POST'
'PUT'
isPostPayloadJson Flag to indicate if HTTP POST payload is in JSON format (vs form-urlencoded). bool
queryParameters The HTTP query parameters to RESTful API. RestApiPollerRequestConfigQueryParameters
queryParametersTemplate the query parameters template. Defines the query parameters template to use when passing query parameters in advanced scenarios. string
queryTimeFormat The query time format. A remote server can have a query to pull data from range 'start' to 'end'. This property indicate what is the expected time format the remote server know to parse. string
queryTimeIntervalAttributeName The query parameter name which we need to send the server for query logs in time interval. Should be defined with queryTimeIntervalPrepend and queryTimeIntervalDelimiter string
queryTimeIntervalDelimiter The delimiter string between 2 QueryTimeFormat in the query parameter queryTimeIntervalAttributeName. string
queryTimeIntervalPrepend The string prepend to the value of the query parameter in queryTimeIntervalAttributeName. string
queryWindowInMin The query window in minutes for the request. int
rateLimitQPS The Rate limit queries per second for the request.. int
retryCount The retry count. int
startTimeAttributeName The query parameter name which the remote server expect to start query. This property goes hand to hand with endTimeAttributeName. string
timeoutInSeconds The timeout in seconds. int

RestApiPollerRequestConfigHeaders

Name Description Value

RestApiPollerRequestConfigQueryParameters

Name Description Value

RestApiPollerRequestPagingConfig

Name Description Value
pageSize Page size int
pageSizeParameterName Page size parameter name string
pagingType Type of paging 'CountBasedPaging'
'LinkHeader'
'NextPageToken'
'NextPageUrl'
'Offset'
'PersistentLinkHeader'
'PersistentToken' (required)

SessionAuthModel

Name Description Value
headers HTTP request headers to session service endpoint. SessionAuthModelHeaders
isPostPayloadJson Indicating whether API key is set in HTTP POST payload. bool
password The password attribute name. SessionAuthModelPassword (required)
queryParameters Query parameters to session service endpoint. SessionAuthModelQueryParameters
sessionIdName Session id attribute name from HTTP response header. string
sessionLoginRequestUri HTTP request URL to session service endpoint. string
sessionTimeoutInMinutes Session timeout in minutes. int
type The auth type 'Session' (required)
userName The user name attribute key value. SessionAuthModelUserName (required)

SessionAuthModelHeaders

Name Description Value

SessionAuthModelPassword

Name Description Value

SessionAuthModelQueryParameters

Name Description Value

SessionAuthModelUserName

Name Description Value

TIDataConnector

Name Description Value
kind The data connector kind 'ThreatIntelligence' (required)
properties TI (Threat Intelligence) data connector properties. TIDataConnectorProperties

TIDataConnectorDataTypes

Name Description Value
indicators Data type for indicators connection. TIDataConnectorDataTypesIndicators (required)

TIDataConnectorDataTypesIndicators

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

TIDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. TIDataConnectorDataTypes (required)
tenantId The tenant id to connect to, and get the data from. string (required)
tipLookbackPeriod The lookback period for the feed to be imported. string

TiTaxiiDataConnector

Name Description Value
kind The data connector kind 'ThreatIntelligenceTaxii' (required)
properties Threat intelligence TAXII data connector properties. TiTaxiiDataConnectorProperties

TiTaxiiDataConnectorDataTypes

Name Description Value
taxiiClient Data type for TAXII connector. TiTaxiiDataConnectorDataTypesTaxiiClient (required)

TiTaxiiDataConnectorDataTypesTaxiiClient

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

TiTaxiiDataConnectorProperties

Name Description Value
collectionId The collection id of the TAXII server. string
dataTypes The available data types for Threat Intelligence TAXII data connector. TiTaxiiDataConnectorDataTypes (required)
friendlyName The friendly name for the TAXII server. string
password The password for the TAXII server. string
pollingFrequency The polling frequency for the TAXII server. 'OnceADay'
'OnceAMinute'
'OnceAnHour' (required)
taxiiLookbackPeriod The lookback period for the TAXII server. string
taxiiServer The API root for the TAXII server. string
tenantId The tenant id to connect to, and get the data from. string (required)
userName The userName for the TAXII server. string
workspaceId The workspace id. string

Usage Examples

Azure Verified Modules

The following Azure Verified Modules can be used to deploy this resource type.

Module Description
Security Insights - Data Connector AVM Resource Module for Security Insights - Data Connector

ARM template resource definition

The dataConnectors resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.SecurityInsights/dataConnectors resource, add the following JSON to your template.

{
  "etag": "string",
  "name": "string",
  "kind": "string"
  // For remaining properties, see Microsoft.SecurityInsights/dataConnectors objects
}

Microsoft.SecurityInsights/dataConnectors objects

Set the kind property to specify the type of object.

For APIPolling, use:

{
  "kind": "APIPolling",
  "properties": {
    "connectorUiConfig": {
      "availability": {
        "isPreview": "bool",
        "status": "1"
      },
      "connectivityCriteria": [
        {
          "type": "string",
          "value": [ "string" ]
        }
      ],
      "customImage": "string",
      "dataTypes": [
        {
          "lastDataReceivedQuery": "string",
          "name": "string"
        }
      ],
      "descriptionMarkdown": "string",
      "graphQueries": [
        {
          "baseQuery": "string",
          "legend": "string",
          "metricName": "string"
        }
      ],
      "graphQueriesTableName": "string",
      "instructionSteps": [
        {
          "description": "string",
          "instructions": [
            {
              "parameters": {},
              "type": "string"
            }
          ],
          "title": "string"
        }
      ],
      "permissions": {
        "customs": [
          {
            "description": "string",
            "name": "string"
          }
        ],
        "resourceProvider": [
          {
            "permissionsDisplayText": "string",
            "provider": "string",
            "providerDisplayName": "string",
            "requiredPermissions": {
              "action": "bool",
              "delete": "bool",
              "read": "bool",
              "write": "bool"
            },
            "scope": "string"
          }
        ]
      },
      "publisher": "string",
      "sampleQueries": [
        {
          "description": "string",
          "query": "string"
        }
      ],
      "title": "string"
    },
    "pollingConfig": {
      "auth": {
        "apiKeyIdentifier": "string",
        "apiKeyName": "string",
        "authorizationEndpoint": "string",
        "authorizationEndpointQueryParameters": {},
        "authType": "string",
        "flowName": "string",
        "isApiKeyInPostPayload": "string",
        "isClientSecretInHeader": "bool",
        "redirectionEndpoint": "string",
        "scope": "string",
        "tokenEndpoint": "string",
        "tokenEndpointHeaders": {},
        "tokenEndpointQueryParameters": {}
      },
      "isActive": "bool",
      "paging": {
        "nextPageParaName": "string",
        "nextPageTokenJsonPath": "string",
        "pageCountAttributePath": "string",
        "pageSize": "int",
        "pageSizeParaName": "string",
        "pageTimeStampAttributePath": "string",
        "pageTotalCountAttributePath": "string",
        "pagingType": "string",
        "searchTheLatestTimeStampFromEventsList": "string"
      },
      "request": {
        "apiEndpoint": "string",
        "endTimeAttributeName": "string",
        "headers": {},
        "httpMethod": "string",
        "queryParameters": {},
        "queryParametersTemplate": "string",
        "queryTimeFormat": "string",
        "queryWindowInMin": "int",
        "rateLimitQps": "int",
        "retryCount": "int",
        "startTimeAttributeName": "string",
        "timeoutInSeconds": "int"
      },
      "response": {
        "eventsJsonPaths": [ "string" ],
        "isGzipCompressed": "bool",
        "successStatusJsonPath": "string",
        "successStatusValue": "string"
      }
    }
  }
}

For AmazonWebServicesCloudTrail, use:

{
  "kind": "AmazonWebServicesCloudTrail",
  "properties": {
    "awsRoleArn": "string",
    "dataTypes": {
      "logs": {
        "state": "string"
      }
    }
  }
}

For AmazonWebServicesS3, use:

{
  "kind": "AmazonWebServicesS3",
  "properties": {
    "dataTypes": {
      "logs": {
        "state": "string"
      }
    },
    "destinationTable": "string",
    "roleArn": "string",
    "sqsUrls": [ "string" ]
  }
}

For AzureActiveDirectory, use:

{
  "kind": "AzureActiveDirectory",
  "properties": {
    "dataTypes": {
      "alerts": {
        "state": "string"
      }
    },
    "tenantId": "string"
  }
}

For AzureAdvancedThreatProtection, use:

{
  "kind": "AzureAdvancedThreatProtection",
  "properties": {
    "dataTypes": {
      "alerts": {
        "state": "string"
      }
    },
    "tenantId": "string"
  }
}

For AzureSecurityCenter, use:

{
  "kind": "AzureSecurityCenter",
  "properties": {
    "dataTypes": {
      "alerts": {
        "state": "string"
      }
    },
    "subscriptionId": "string"
  }
}

For Dynamics365, use:

{
  "kind": "Dynamics365",
  "properties": {
    "dataTypes": {
      "dynamics365CdsActivities": {
        "state": "string"
      }
    },
    "tenantId": "string"
  }
}

For GCP, use:

{
  "kind": "GCP",
  "properties": {
    "auth": {
      "projectNumber": "string",
      "serviceAccountEmail": "string",
      "workloadIdentityProviderId": "string"
    },
    "connectorDefinitionName": "string",
    "dcrConfig": {
      "dataCollectionEndpoint": "string",
      "dataCollectionRuleImmutableId": "string",
      "streamName": "string"
    },
    "request": {
      "projectId": "string",
      "subscriptionNames": [ "string" ]
    }
  }
}

For GenericUI, use:

{
  "kind": "GenericUI",
  "properties": {
    "connectorUiConfig": {
      "availability": {
        "isPreview": "bool",
        "status": "1"
      },
      "connectivityCriteria": [
        {
          "type": "string",
          "value": [ "string" ]
        }
      ],
      "customImage": "string",
      "dataTypes": [
        {
          "lastDataReceivedQuery": "string",
          "name": "string"
        }
      ],
      "descriptionMarkdown": "string",
      "graphQueries": [
        {
          "baseQuery": "string",
          "legend": "string",
          "metricName": "string"
        }
      ],
      "graphQueriesTableName": "string",
      "instructionSteps": [
        {
          "description": "string",
          "instructions": [
            {
              "parameters": {},
              "type": "string"
            }
          ],
          "title": "string"
        }
      ],
      "permissions": {
        "customs": [
          {
            "description": "string",
            "name": "string"
          }
        ],
        "resourceProvider": [
          {
            "permissionsDisplayText": "string",
            "provider": "string",
            "providerDisplayName": "string",
            "requiredPermissions": {
              "action": "bool",
              "delete": "bool",
              "read": "bool",
              "write": "bool"
            },
            "scope": "string"
          }
        ]
      },
      "publisher": "string",
      "sampleQueries": [
        {
          "description": "string",
          "query": "string"
        }
      ],
      "title": "string"
    }
  }
}

For IOT, use:

{
  "kind": "IOT",
  "properties": {
    "dataTypes": {
      "alerts": {
        "state": "string"
      }
    },
    "subscriptionId": "string"
  }
}

For MicrosoftCloudAppSecurity, use:

{
  "kind": "MicrosoftCloudAppSecurity",
  "properties": {
    "dataTypes": {
      "alerts": {
        "state": "string"
      },
      "discoveryLogs": {
        "state": "string"
      }
    },
    "tenantId": "string"
  }
}

For MicrosoftDefenderAdvancedThreatProtection, use:

{
  "kind": "MicrosoftDefenderAdvancedThreatProtection",
  "properties": {
    "dataTypes": {
      "alerts": {
        "state": "string"
      }
    },
    "tenantId": "string"
  }
}

For MicrosoftPurviewInformationProtection, use:

{
  "kind": "MicrosoftPurviewInformationProtection",
  "properties": {
    "dataTypes": {
      "logs": {
        "state": "string"
      }
    },
    "tenantId": "string"
  }
}

For MicrosoftThreatIntelligence, use:

{
  "kind": "MicrosoftThreatIntelligence",
  "properties": {
    "dataTypes": {
      "microsoftEmergingThreatFeed": {
        "lookbackPeriod": "string",
        "state": "string"
      }
    },
    "tenantId": "string"
  }
}

For MicrosoftThreatProtection, use:

{
  "kind": "MicrosoftThreatProtection",
  "properties": {
    "dataTypes": {
      "alerts": {
        "state": "string"
      },
      "incidents": {
        "state": "string"
      }
    },
    "filteredProviders": {
      "alerts": [ "string" ]
    },
    "tenantId": "string"
  }
}

For Office365, use:

{
  "kind": "Office365",
  "properties": {
    "dataTypes": {
      "exchange": {
        "state": "string"
      },
      "sharePoint": {
        "state": "string"
      },
      "teams": {
        "state": "string"
      }
    },
    "tenantId": "string"
  }
}

For Office365Project, use:

{
  "kind": "Office365Project",
  "properties": {
    "dataTypes": {
      "logs": {
        "state": "string"
      }
    },
    "tenantId": "string"
  }
}

For OfficeATP, use:

{
  "kind": "OfficeATP",
  "properties": {
    "dataTypes": {
      "alerts": {
        "state": "string"
      }
    },
    "tenantId": "string"
  }
}

For OfficeIRM, use:

{
  "kind": "OfficeIRM",
  "properties": {
    "dataTypes": {
      "alerts": {
        "state": "string"
      }
    },
    "tenantId": "string"
  }
}

For OfficePowerBI, use:

{
  "kind": "OfficePowerBI",
  "properties": {
    "dataTypes": {
      "logs": {
        "state": "string"
      }
    },
    "tenantId": "string"
  }
}

For PurviewAudit, use:

{
  "kind": "PurviewAudit",
  "properties": {
    "connectorDefinitionName": "string",
    "dataTypes": {
      "logs": {
        "state": "string"
      }
    },
    "dcrConfig": {
      "dataCollectionEndpoint": "string",
      "dataCollectionRuleImmutableId": "string",
      "streamName": "string"
    },
    "sourceType": "string",
    "tenantId": "string"
  }
}

For RestApiPoller, use:

{
  "kind": "RestApiPoller",
  "properties": {
    "addOnAttributes": {
      "{customized property}": "string"
    },
    "auth": {
      "type": "string"
      // For remaining properties, see CcpAuthConfig objects
    },
    "connectorDefinitionName": "string",
    "dataType": "string",
    "dcrConfig": {
      "dataCollectionEndpoint": "string",
      "dataCollectionRuleImmutableId": "string",
      "streamName": "string"
    },
    "isActive": "bool",
    "paging": {
      "pageSize": "int",
      "pageSizeParameterName": "string",
      "pagingType": "string"
    },
    "request": {
      "apiEndpoint": "string",
      "endTimeAttributeName": "string",
      "headers": {
        "{customized property}": "string"
      },
      "httpMethod": "string",
      "isPostPayloadJson": "bool",
      "queryParameters": {
        "{customized property}": {}
      },
      "queryParametersTemplate": "string",
      "queryTimeFormat": "string",
      "queryTimeIntervalAttributeName": "string",
      "queryTimeIntervalDelimiter": "string",
      "queryTimeIntervalPrepend": "string",
      "queryWindowInMin": "int",
      "rateLimitQPS": "int",
      "retryCount": "int",
      "startTimeAttributeName": "string",
      "timeoutInSeconds": "int"
    },
    "response": {
      "compressionAlgo": "string",
      "convertChildPropertiesToArray": "bool",
      "csvDelimiter": "string",
      "csvEscape": "string",
      "eventsJsonPaths": [ "string" ],
      "format": "string",
      "hasCsvBoundary": "bool",
      "hasCsvHeader": "bool",
      "isGzipCompressed": "bool",
      "successStatusJsonPath": "string",
      "successStatusValue": "string"
    }
  }
}

For ThreatIntelligence, use:

{
  "kind": "ThreatIntelligence",
  "properties": {
    "dataTypes": {
      "indicators": {
        "state": "string"
      }
    },
    "tenantId": "string",
    "tipLookbackPeriod": "string"
  }
}

For ThreatIntelligenceTaxii, use:

{
  "kind": "ThreatIntelligenceTaxii",
  "properties": {
    "collectionId": "string",
    "dataTypes": {
      "taxiiClient": {
        "state": "string"
      }
    },
    "friendlyName": "string",
    "password": "string",
    "pollingFrequency": "string",
    "taxiiLookbackPeriod": "string",
    "taxiiServer": "string",
    "tenantId": "string",
    "userName": "string",
    "workspaceId": "string"
  }
}

CcpAuthConfig objects

Set the type property to specify the type of object.

For APIKey, use:

{
  "apiKey": "string",
  "apiKeyIdentifier": "string",
  "apiKeyName": "string",
  "isApiKeyInPostPayload": "bool",
  "type": "APIKey"
}

For AWS, use:

{
  "externalId": "string",
  "roleArn": "string",
  "type": "AWS"
}

For Basic, use:

{
  "password": "string",
  "type": "Basic",
  "userName": "string"
}

For GCP, use:

{
  "projectNumber": "string",
  "serviceAccountEmail": "string",
  "type": "GCP",
  "workloadIdentityProviderId": "string"
}

For GitHub, use:

{
  "installationId": "string",
  "type": "GitHub"
}

For JwtToken, use:

{
  "headers": {
    "{customized property}": "string"
  },
  "isCredentialsInHeaders": "bool",
  "isJsonRequest": "bool",
  "password": {
    "{customized property}": "string"
  },
  "queryParameters": {
    "{customized property}": "string"
  },
  "requestTimeoutInSeconds": "int",
  "tokenEndpoint": "string",
  "type": "JwtToken",
  "userName": {
    "{customized property}": "string"
  }
}

For None, use:

{
  "type": "None"
}

For OAuth2, use:

{
  "accessTokenPrepend": "string",
  "authorizationCode": "string",
  "authorizationEndpoint": "string",
  "authorizationEndpointHeaders": {
    "{customized property}": "string"
  },
  "authorizationEndpointQueryParameters": {
    "{customized property}": "string"
  },
  "clientId": "string",
  "clientSecret": "string",
  "grantType": "string",
  "isCredentialsInHeaders": "bool",
  "isJwtBearerFlow": "bool",
  "redirectUri": "string",
  "scope": "string",
  "tokenEndpoint": "string",
  "tokenEndpointHeaders": {
    "{customized property}": "string"
  },
  "tokenEndpointQueryParameters": {
    "{customized property}": "string"
  },
  "type": "OAuth2"
}

For Oracle, use:

{
  "pemFile": "string",
  "publicFingerprint": "string",
  "tenantId": "string",
  "type": "Oracle",
  "userId": "string"
}

For ServiceBus, use:

{
  "credentialsConfig": {
    "{customized property}": "string"
  },
  "storageAccountCredentialsConfig": {
    "{customized property}": "string"
  },
  "type": "ServiceBus"
}

For Session, use:

{
  "headers": {
    "{customized property}": "string"
  },
  "isPostPayloadJson": "bool",
  "password": {
    "{customized property}": "string"
  },
  "queryParameters": {
    "{customized property}": {}
  },
  "sessionIdName": "string",
  "sessionLoginRequestUri": "string",
  "sessionTimeoutInMinutes": "int",
  "type": "Session",
  "userName": {
    "{customized property}": "string"
  }
}

Property Values

Microsoft.SecurityInsights/dataConnectors

Name Description Value
apiVersion The api version '2025-07-01-preview'
etag Etag of the azure resource string
kind Set to 'APIPolling' for type CodelessApiPollingDataConnector. Set to 'AmazonWebServicesCloudTrail' for type AwsCloudTrailDataConnector. Set to 'AmazonWebServicesS3' for type AwsS3DataConnector. Set to 'AzureActiveDirectory' for type AADDataConnector. Set to 'AzureAdvancedThreatProtection' for type AatpDataConnector. Set to 'AzureSecurityCenter' for type ASCDataConnector. Set to 'Dynamics365' for type Dynamics365DataConnector. Set to 'GCP' for type GCPDataConnector. Set to 'GenericUI' for type CodelessUiDataConnector. Set to 'IOT' for type IoTDataConnector. Set to 'MicrosoftCloudAppSecurity' for type McasDataConnector. Set to 'MicrosoftDefenderAdvancedThreatProtection' for type MdatpDataConnector. Set to 'MicrosoftPurviewInformationProtection' for type MicrosoftPurviewInformationProtectionDataConnector. Set to 'MicrosoftThreatIntelligence' for type MstiDataConnector. Set to 'MicrosoftThreatProtection' for type MTPDataConnector. Set to 'Office365' for type OfficeDataConnector. Set to 'Office365Project' for type Office365ProjectDataConnector. Set to 'OfficeATP' for type OfficeATPDataConnector. Set to 'OfficeIRM' for type OfficeIRMDataConnector. Set to 'OfficePowerBI' for type OfficePowerBIDataConnector. Set to 'PurviewAudit' for type PurviewAuditDataConnector. Set to 'RestApiPoller' for type RestApiPollerDataConnector. Set to 'ThreatIntelligence' for type TIDataConnector. Set to 'ThreatIntelligenceTaxii' for type TiTaxiiDataConnector. 'AmazonWebServicesCloudTrail'
'AmazonWebServicesS3'
'APIPolling'
'AzureActiveDirectory'
'AzureAdvancedThreatProtection'
'AzureSecurityCenter'
'Dynamics365'
'GCP'
'GenericUI'
'IOT'
'MicrosoftCloudAppSecurity'
'MicrosoftDefenderAdvancedThreatProtection'
'MicrosoftPurviewInformationProtection'
'MicrosoftThreatIntelligence'
'MicrosoftThreatProtection'
'Office365'
'Office365Project'
'OfficeATP'
'OfficeIRM'
'OfficePowerBI'
'PurviewAudit'
'RestApiPoller'
'ThreatIntelligence'
'ThreatIntelligenceTaxii' (required)
name The resource name string (required)
type The resource type 'Microsoft.SecurityInsights/dataConnectors'

AADDataConnector

Name Description Value
kind The data connector kind 'AzureActiveDirectory' (required)
properties AADIP (Azure Active Directory Identity Protection) data connector properties. AADDataConnectorProperties

AADDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. AlertsDataTypeOfDataConnector
tenantId The tenant id to connect to, and get the data from. string (required)

AatpDataConnector

Name Description Value
kind The data connector kind 'AzureAdvancedThreatProtection' (required)
properties AATP (Azure Advanced Threat Protection) data connector properties. AatpDataConnectorProperties

AatpDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. AlertsDataTypeOfDataConnector
tenantId The tenant id to connect to, and get the data from. string (required)

AlertsDataTypeOfDataConnector

Name Description Value
alerts Alerts data type connection. DataConnectorDataTypeCommon (required)

ApiKeyAuthModel

Name Description Value
apiKey API Key for the user secret key credential string (required)
apiKeyIdentifier API Key Identifier string
apiKeyName API Key name string (required)
isApiKeyInPostPayload Flag to indicate if API key is set in HTTP POST payload bool
type The auth type 'APIKey' (required)

ApiPollingParameters

Name Description Value
connectorUiConfig Config to describe the instructions blade CodelessUiConnectorConfigProperties
pollingConfig Config to describe the polling instructions CodelessConnectorPollingConfigProperties

ASCDataConnector

Name Description Value
kind The data connector kind 'AzureSecurityCenter' (required)
properties ASC (Azure Security Center) data connector properties. ASCDataConnectorProperties

ASCDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. AlertsDataTypeOfDataConnector
subscriptionId The subscription id to connect to, and get the data from. string

Availability

Name Description Value
isPreview Set connector as preview bool
status The connector Availability Status '1'

AWSAuthModel

Name Description Value
externalId AWS STS assume role external ID. This is used to prevent the confused deputy problem: 'https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html' string
roleArn AWS STS assume role ARN string (required)
type The auth type 'AWS' (required)

AwsCloudTrailDataConnector

Name Description Value
kind The data connector kind 'AmazonWebServicesCloudTrail' (required)
properties Amazon Web Services CloudTrail data connector properties. AwsCloudTrailDataConnectorProperties

AwsCloudTrailDataConnectorDataTypes

Name Description Value
logs Logs data type. AwsCloudTrailDataConnectorDataTypesLogs (required)

AwsCloudTrailDataConnectorDataTypesLogs

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

AwsCloudTrailDataConnectorProperties

Name Description Value
awsRoleArn The Aws Role Arn (with CloudTrailReadOnly policy) that is used to access the Aws account. string
dataTypes The available data types for the connector. AwsCloudTrailDataConnectorDataTypes (required)

AwsS3DataConnector

Name Description Value
kind The data connector kind 'AmazonWebServicesS3' (required)
properties Amazon Web Services S3 data connector properties. AwsS3DataConnectorProperties

AwsS3DataConnectorDataTypes

Name Description Value
logs Logs data type. AwsS3DataConnectorDataTypesLogs (required)

AwsS3DataConnectorDataTypesLogs

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

AwsS3DataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. AwsS3DataConnectorDataTypes (required)
destinationTable The logs destination table name in LogAnalytics. string (required)
roleArn The Aws Role Arn that is used to access the Aws account. string (required)
sqsUrls The AWS sqs urls for the connector. string[] (required)

BasicAuthModel

Name Description Value
password The password string (required)
type The auth type 'Basic' (required)
userName The user name. string (required)

CcpAuthConfig

Name Description Value
type Set to 'APIKey' for type ApiKeyAuthModel. Set to 'AWS' for type AWSAuthModel. Set to 'Basic' for type BasicAuthModel. Set to 'GCP' for type GCPAuthModel. Set to 'GitHub' for type GitHubAuthModel. Set to 'JwtToken' for type JwtAuthModel. Set to 'None' for type NoneAuthModel. Set to 'OAuth2' for type OAuthModel. Set to 'Oracle' for type OracleAuthModel. Set to 'ServiceBus' for type GenericBlobSbsAuthModel. Set to 'Session' for type SessionAuthModel. 'APIKey'
'AWS'
'Basic'
'GCP'
'GitHub'
'JwtToken'
'None'
'OAuth2'
'Oracle'
'ServiceBus'
'Session' (required)

CcpResponseConfig

Name Description Value
compressionAlgo The compression algorithm. For Example: 'gzip', 'multi-gzip', 'deflate'. string
convertChildPropertiesToArray The value indicating whether the response isn't an array of events / logs. By setting this flag to true it means the remote server will response with an object which each property has as a value an array of events / logs. bool
csvDelimiter The csv delimiter, in case the response format is CSV. string
csvEscape The character used to escape characters in CSV. string

Constraints:
Min length = 1
Max length = 1
eventsJsonPaths The json paths, '$' char is the json root. string[] (required)
format The response format. possible values are json,csv,xml string
hasCsvBoundary The value indicating whether the response has CSV boundary in case the response in CSV format. bool
hasCsvHeader The value indicating whether the response has headers in case the response in CSV format. bool
isGzipCompressed The value indicating whether the remote server support Gzip and we should expect Gzip response. bool
successStatusJsonPath The value where the status message/code should appear in the response. string
successStatusValue The status value. string

CodelessApiPollingDataConnector

Name Description Value
kind The data connector kind 'APIPolling' (required)
properties Codeless poling data connector properties ApiPollingParameters

CodelessConnectorPollingAuthProperties

Name Description Value
apiKeyIdentifier A prefix send in the header before the actual token string
apiKeyName The header name which the token is sent with string
authorizationEndpoint The endpoint used to authorize the user, used in Oauth 2.0 flow string
authorizationEndpointQueryParameters The query parameters used in authorization request, used in Oauth 2.0 flow any
authType The authentication type string (required)
flowName Describes the flow name, for example 'AuthCode' for Oauth 2.0 string
isApiKeyInPostPayload Marks if the key should sent in header string
isClientSecretInHeader Marks if we should send the client secret in header or payload, used in Oauth 2.0 flow bool
redirectionEndpoint The redirect endpoint where we will get the authorization code, used in Oauth 2.0 flow string
scope The OAuth token scope string
tokenEndpoint The endpoint used to issue a token, used in Oauth 2.0 flow string
tokenEndpointHeaders The query headers used in token request, used in Oauth 2.0 flow any
tokenEndpointQueryParameters The query parameters used in token request, used in Oauth 2.0 flow any

CodelessConnectorPollingConfigProperties

Name Description Value
auth Describe the authentication type of the poller CodelessConnectorPollingAuthProperties (required)
isActive The poller active status bool
paging Describe the poll request paging config of the poller CodelessConnectorPollingPagingProperties
request Describe the poll request config parameters of the poller CodelessConnectorPollingRequestProperties (required)
response Describe the response config parameters of the poller CodelessConnectorPollingResponseProperties

CodelessConnectorPollingPagingProperties

Name Description Value
nextPageParaName Defines the name of a next page attribute string
nextPageTokenJsonPath Defines the path to a next page token JSON string
pageCountAttributePath Defines the path to a page count attribute string
pageSize Defines the paging size int
pageSizeParaName Defines the name of the page size parameter string
pageTimeStampAttributePath Defines the path to a paging time stamp attribute string
pageTotalCountAttributePath Defines the path to a page total count attribute string
pagingType Describes the type. could be 'None', 'PageToken', 'PageCount', 'TimeStamp' string (required)
searchTheLatestTimeStampFromEventsList Determines whether to search for the latest time stamp in the events list string

CodelessConnectorPollingRequestProperties

Name Description Value
apiEndpoint Describe the endpoint we should pull the data from string (required)
endTimeAttributeName This will be used the query events from the end of the time window string
headers Describe the headers sent in the poll request any
httpMethod The http method type we will use in the poll request, GET or POST string (required)
queryParameters Describe the query parameters sent in the poll request any
queryParametersTemplate For advanced scenarios for example user name/password embedded in nested JSON payload string
queryTimeFormat The time format will be used the query events in a specific window string (required)
queryWindowInMin The window interval we will use the pull the data int (required)
rateLimitQps Defines the rate limit QPS int
retryCount Describe the amount of time we should try and poll the data in case of failure int
startTimeAttributeName This will be used the query events from a start of the time window string
timeoutInSeconds The number of seconds we will consider as a request timeout int

CodelessConnectorPollingResponseProperties

Name Description Value
eventsJsonPaths Describes the path we should extract the data in the response string[] (required)
isGzipCompressed Describes if the data in the response is Gzip bool
successStatusJsonPath Describes the path we should extract the status code in the response string
successStatusValue Describes the path we should extract the status value in the response string

CodelessParameters

Name Description Value
connectorUiConfig Config to describe the instructions blade CodelessUiConnectorConfigProperties

CodelessUiConnectorConfigProperties

Name Description Value
availability Connector Availability Status Availability (required)
connectivityCriteria Define the way the connector check connectivity CodelessUiConnectorConfigPropertiesConnectivityCriteriaItem[] (required)
customImage An optional custom image to be used when displaying the connector within Azure Sentinel's connector's gallery string
dataTypes Data types to check for last data received CodelessUiConnectorConfigPropertiesDataTypesItem[] (required)
descriptionMarkdown Connector description string (required)
graphQueries The graph query to show the current data status CodelessUiConnectorConfigPropertiesGraphQueriesItem[] (required)
graphQueriesTableName Name of the table the connector will insert the data to string (required)
instructionSteps Instruction steps to enable the connector CodelessUiConnectorConfigPropertiesInstructionStepsItem[] (required)
permissions Permissions required for the connector Permissions (required)
publisher Connector publisher name string (required)
sampleQueries The sample queries for the connector CodelessUiConnectorConfigPropertiesSampleQueriesItem[] (required)
title Connector blade title string (required)

CodelessUiConnectorConfigPropertiesConnectivityCriteriaItem

Name Description Value
type type of connectivity 'IsConnectedQuery'
value Queries for checking connectivity string[]

CodelessUiConnectorConfigPropertiesDataTypesItem

Name Description Value
lastDataReceivedQuery Query for indicate last data received string
name Name of the data type to show in the graph. can be use with {{graphQueriesTableName}} placeholder string

CodelessUiConnectorConfigPropertiesGraphQueriesItem

Name Description Value
baseQuery The base query for the graph string
legend The legend for the graph string
metricName the metric that the query is checking string

CodelessUiConnectorConfigPropertiesInstructionStepsItem

Name Description Value
description Instruction step description string
instructions Instruction step details InstructionStepsInstructionsItem[]
title Instruction step title string

CodelessUiConnectorConfigPropertiesSampleQueriesItem

Name Description Value
description The sample query description string
query the sample query string

CodelessUiDataConnector

Name Description Value
kind The data connector kind 'GenericUI' (required)
properties Codeless UI data connector properties CodelessParameters

DataConnectorDataTypeCommon

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

DCRConfiguration

Name Description Value
dataCollectionEndpoint Represents the data collection ingestion endpoint in log analytics. string (required)
dataCollectionRuleImmutableId The data collection rule immutable id, the rule defines the transformation and data destination. string (required)
streamName The stream we are sending the data to. string (required)

Dynamics365DataConnector

Name Description Value
kind The data connector kind 'Dynamics365' (required)
properties Dynamics365 data connector properties. Dynamics365DataConnectorProperties

Dynamics365DataConnectorDataTypes

Name Description Value
dynamics365CdsActivities Common Data Service data type connection. Dynamics365DataConnectorDataTypesDynamics365CdsActivities (required)

Dynamics365DataConnectorDataTypesDynamics365CdsActivities

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

Dynamics365DataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. Dynamics365DataConnectorDataTypes (required)
tenantId The tenant id to connect to, and get the data from. string (required)

GCPAuthModel

Name Description Value
projectNumber GCP Project Number string (required)
serviceAccountEmail GCP Service Account Email string (required)
type The auth type 'GCP' (required)
workloadIdentityProviderId GCP Workload Identity Provider ID string (required)

GCPAuthProperties

Name Description Value
projectNumber The GCP project number. string (required)
serviceAccountEmail The service account that is used to access the GCP project. string (required)
workloadIdentityProviderId The workload identity provider id that is used to gain access to the GCP project. string (required)

GCPDataConnector

Name Description Value
kind The data connector kind 'GCP' (required)
properties Google Cloud Platform data connector properties. GCPDataConnectorProperties

GCPDataConnectorProperties

Name Description Value
auth The auth section of the connector. GCPAuthProperties (required)
connectorDefinitionName The name of the connector definition that represents the UI config. string (required)
dcrConfig The configuration of the destination of the data. DCRConfiguration
request The request section of the connector. GCPRequestProperties (required)

GCPRequestProperties

Name Description Value
projectId The GCP project id. string (required)
subscriptionNames The GCP pub/sub subscription names. string[] (required)

GenericBlobSbsAuthModel

Name Description Value
credentialsConfig Credentials for service bus namespace, keyvault uri for access key GenericBlobSbsAuthModelCredentialsConfig
storageAccountCredentialsConfig Credentials for storage account, keyvault uri for access key GenericBlobSbsAuthModelStorageAccountCredentialsConfig
type The auth type 'ServiceBus' (required)

GenericBlobSbsAuthModelCredentialsConfig

Name Description Value

GenericBlobSbsAuthModelStorageAccountCredentialsConfig

Name Description Value

GitHubAuthModel

Name Description Value
installationId The GitHubApp auth installation id. string
type The auth type 'GitHub' (required)

InstructionStepsInstructionsItem

Name Description Value
parameters The parameters for the setting any
type The kind of the setting 'CopyableLabel'
'InfoMessage'
'InstructionStepsGroup' (required)

IoTDataConnector

Name Description Value
kind The data connector kind 'IOT' (required)
properties IoT data connector properties. IoTDataConnectorProperties

IoTDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. AlertsDataTypeOfDataConnector
subscriptionId The subscription id to connect to, and get the data from. string

JwtAuthModel

Name Description Value
headers The custom headers we want to add once we send request to token endpoint. JwtAuthModelHeaders
isCredentialsInHeaders Flag indicating whether we want to send the user name and password to token endpoint in the headers. bool
isJsonRequest Flag indicating whether the body request is JSON (header Content-Type = application/json), meaning its a Form URL encoded request (header Content-Type = application/x-www-form-urlencoded). bool
password The password JwtAuthModelPassword (required)
queryParameters The custom query parameter we want to add once we send request to token endpoint. JwtAuthModelQueryParameters
requestTimeoutInSeconds Request timeout in seconds. int

Constraints:
Max value = 180
tokenEndpoint Token endpoint to request JWT string (required)
type The auth type 'JwtToken' (required)
userName The user name. If user name and password sent in header request we only need to populate the value property with the user name (Same as basic auth). If user name and password sent in body request we need to specify the Key and Value. JwtAuthModelUserName (required)

JwtAuthModelHeaders

Name Description Value

JwtAuthModelPassword

Name Description Value

JwtAuthModelQueryParameters

Name Description Value

JwtAuthModelUserName

Name Description Value

McasDataConnector

Name Description Value
kind The data connector kind 'MicrosoftCloudAppSecurity' (required)
properties MCAS (Microsoft Cloud App Security) data connector properties. McasDataConnectorProperties

McasDataConnectorDataTypes

Name Description Value
alerts Alerts data type connection. DataConnectorDataTypeCommon (required)
discoveryLogs Discovery log data type connection. DataConnectorDataTypeCommon

McasDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. McasDataConnectorDataTypes (required)
tenantId The tenant id to connect to, and get the data from. string (required)

MdatpDataConnector

Name Description Value
kind The data connector kind 'MicrosoftDefenderAdvancedThreatProtection' (required)
properties MDATP (Microsoft Defender Advanced Threat Protection) data connector properties. MdatpDataConnectorProperties

MdatpDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. AlertsDataTypeOfDataConnector
tenantId The tenant id to connect to, and get the data from. string (required)

MicrosoftPurviewInformationProtectionConnectorDataTypes

Name Description Value
logs Logs data type. MicrosoftPurviewInformationProtectionConnectorDataTypesLogs (required)

MicrosoftPurviewInformationProtectionConnectorDataTypesLogs

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

MicrosoftPurviewInformationProtectionDataConnector

Name Description Value
kind The data connector kind 'MicrosoftPurviewInformationProtection' (required)
properties Microsoft Purview Information Protection data connector properties. MicrosoftPurviewInformationProtectionDataConnectorProperties

MicrosoftPurviewInformationProtectionDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. MicrosoftPurviewInformationProtectionConnectorDataTypes (required)
tenantId The tenant id to connect to, and get the data from. string (required)

MstiDataConnector

Name Description Value
kind The data connector kind 'MicrosoftThreatIntelligence' (required)
properties Microsoft Threat Intelligence data connector properties. MstiDataConnectorProperties

MstiDataConnectorDataTypes

Name Description Value
microsoftEmergingThreatFeed Data type for Microsoft Threat Intelligence Platforms data connector. MstiDataConnectorDataTypesMicrosoftEmergingThreatFeed (required)

MstiDataConnectorDataTypesMicrosoftEmergingThreatFeed

Name Description Value
lookbackPeriod The lookback period for the feed to be imported. string (required)
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

MstiDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. MstiDataConnectorDataTypes (required)
tenantId The tenant id to connect to, and get the data from. string (required)

MTPDataConnector

Name Description Value
kind The data connector kind 'MicrosoftThreatProtection' (required)
properties MTP (Microsoft Threat Protection) data connector properties. MTPDataConnectorProperties

MTPDataConnectorDataTypes

Name Description Value
alerts Alerts data type for Microsoft Threat Protection Platforms data connector. MTPDataConnectorDataTypesAlerts
incidents Incidents data type for Microsoft Threat Protection Platforms data connector. MTPDataConnectorDataTypesIncidents (required)

MTPDataConnectorDataTypesAlerts

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

MTPDataConnectorDataTypesIncidents

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

MTPDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. MTPDataConnectorDataTypes (required)
filteredProviders The available filtered providers for the connector. MtpFilteredProviders
tenantId The tenant id to connect to, and get the data from. string (required)

MtpFilteredProviders

Name Description Value
alerts Alerts filtered providers. When filters are not applied, all alerts will stream through the MTP pipeline, still in private preview for all products EXCEPT MDA and MDI, which are in GA state. String array containing any of:
'microsoftDefenderForCloudApps'
'microsoftDefenderForIdentity' (required)

NoneAuthModel

Name Description Value
type The auth type 'None' (required)

OAuthModel

Name Description Value
accessTokenPrepend Access token prepend. Default is 'Bearer'. string
authorizationCode The user's authorization code. string
authorizationEndpoint The authorization endpoint. string
authorizationEndpointHeaders The authorization endpoint headers. OAuthModelAuthorizationEndpointHeaders
authorizationEndpointQueryParameters The authorization endpoint query parameters. OAuthModelAuthorizationEndpointQueryParameters
clientId The Application (client) ID that the OAuth provider assigned to your app. string (required)
clientSecret The Application (client) secret that the OAuth provider assigned to your app. string (required)
grantType The grant type, usually will be 'authorization code'. string (required)
isCredentialsInHeaders Indicating whether we want to send the clientId and clientSecret to token endpoint in the headers. bool
isJwtBearerFlow A value indicating whether it's a JWT flow. bool
redirectUri The Application redirect url that the user config in the OAuth provider. string
scope The Application (client) Scope that the OAuth provider assigned to your app. string
tokenEndpoint The token endpoint. Defines the OAuth2 refresh token. string (required)
tokenEndpointHeaders The token endpoint headers. OAuthModelTokenEndpointHeaders
tokenEndpointQueryParameters The token endpoint query parameters. OAuthModelTokenEndpointQueryParameters
type The auth type 'OAuth2' (required)

OAuthModelAuthorizationEndpointHeaders

Name Description Value

OAuthModelAuthorizationEndpointQueryParameters

Name Description Value

OAuthModelTokenEndpointHeaders

Name Description Value

OAuthModelTokenEndpointQueryParameters

Name Description Value

Office365ProjectConnectorDataTypes

Name Description Value
logs Logs data type. Office365ProjectConnectorDataTypesLogs (required)

Office365ProjectConnectorDataTypesLogs

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

Office365ProjectDataConnector

Name Description Value
kind The data connector kind 'Office365Project' (required)
properties Office Microsoft Project data connector properties. Office365ProjectDataConnectorProperties

Office365ProjectDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. Office365ProjectConnectorDataTypes (required)
tenantId The tenant id to connect to, and get the data from. string (required)

OfficeATPDataConnector

Name Description Value
kind The data connector kind 'OfficeATP' (required)
properties OfficeATP (Office 365 Advanced Threat Protection) data connector properties. OfficeATPDataConnectorProperties

OfficeATPDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. AlertsDataTypeOfDataConnector
tenantId The tenant id to connect to, and get the data from. string (required)

OfficeDataConnector

Name Description Value
kind The data connector kind 'Office365' (required)
properties Office data connector properties. OfficeDataConnectorProperties

OfficeDataConnectorDataTypes

Name Description Value
exchange Exchange data type connection. OfficeDataConnectorDataTypesExchange (required)
sharePoint SharePoint data type connection. OfficeDataConnectorDataTypesSharePoint (required)
teams Teams data type connection. OfficeDataConnectorDataTypesTeams (required)

OfficeDataConnectorDataTypesExchange

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

OfficeDataConnectorDataTypesSharePoint

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

OfficeDataConnectorDataTypesTeams

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

OfficeDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. OfficeDataConnectorDataTypes (required)
tenantId The tenant id to connect to, and get the data from. string (required)

OfficeIRMDataConnector

Name Description Value
kind The data connector kind 'OfficeIRM' (required)
properties OfficeIRM (Microsoft Insider Risk Management) data connector properties. OfficeIRMDataConnectorProperties

OfficeIRMDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. AlertsDataTypeOfDataConnector
tenantId The tenant id to connect to, and get the data from. string (required)

OfficePowerBIConnectorDataTypes

Name Description Value
logs Logs data type. OfficePowerBIConnectorDataTypesLogs (required)

OfficePowerBIConnectorDataTypesLogs

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

OfficePowerBIDataConnector

Name Description Value
kind The data connector kind 'OfficePowerBI' (required)
properties Office Microsoft PowerBI data connector properties. OfficePowerBIDataConnectorProperties

OfficePowerBIDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. OfficePowerBIConnectorDataTypes (required)
tenantId The tenant id to connect to, and get the data from. string (required)

OracleAuthModel

Name Description Value
pemFile Content of the PRM file string (required)
publicFingerprint Public Fingerprint string (required)
tenantId Oracle tenant ID string (required)
type The auth type 'Oracle' (required)
userId Oracle user ID string (required)

Permissions

Name Description Value
customs Customs permissions required for the connector PermissionsCustomsItem[]
resourceProvider Resource provider permissions required for the connector PermissionsResourceProviderItem[]

PermissionsCustomsItem

Name Description Value
description Customs permissions description string
name Customs permissions name string

PermissionsResourceProviderItem

Name Description Value
permissionsDisplayText Permission description text string
provider Provider name 'microsoft.aadiam/diagnosticSettings'
'Microsoft.Authorization/policyAssignments'
'Microsoft.OperationalInsights/solutions'
'Microsoft.OperationalInsights/workspaces'
'Microsoft.OperationalInsights/workspaces/datasources'
'Microsoft.OperationalInsights/workspaces/sharedKeys'
providerDisplayName Permission provider display name string
requiredPermissions Required permissions for the connector RequiredPermissions
scope Permission provider scope 'ResourceGroup'
'Subscription'
'Workspace'

PurviewAuditConnectorDataTypes

Name Description Value
logs Logs data type. PurviewAuditConnectorDataTypesLogs (required)

PurviewAuditConnectorDataTypesLogs

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

PurviewAuditDataConnector

Name Description Value
kind The data connector kind 'PurviewAudit' (required)
properties PurviewAudit data connector properties. PurviewAuditDataConnectorProperties

PurviewAuditDataConnectorProperties

Name Description Value
connectorDefinitionName The connector definition name (the dataConnectorDefinition resource id). string
dataTypes The available data types for the connector. PurviewAuditConnectorDataTypes (required)
dcrConfig The DCR related properties. DCRConfiguration
sourceType The source type indicates which kind of data is relevant for this connector. string
tenantId The tenant id to connect to, and get the data from. string (required)

RequiredPermissions

Name Description Value
action action permission bool
delete delete permission bool
read read permission bool
write write permission bool

RestApiPollerDataConnector

Name Description Value
kind The data connector kind 'RestApiPoller' (required)
properties Rest Api Poller data connector properties. RestApiPollerDataConnectorProperties

RestApiPollerDataConnectorProperties

Name Description Value
addOnAttributes The add on attributes. The key name will become attribute name (a column) and the value will become the attribute value in the payload. RestApiPollerDataConnectorPropertiesAddOnAttributes
auth The a authentication model. CcpAuthConfig (required)
connectorDefinitionName The connector definition name (the dataConnectorDefinition resource id). string (required)
dataType The Log Analytics table destination. string
dcrConfig The DCR related properties. DCRConfiguration
isActive Indicates whether the connector is active or not. bool
paging The paging configuration. RestApiPollerRequestPagingConfig
request The request configuration. RestApiPollerRequestConfig (required)
response The response configuration. CcpResponseConfig

RestApiPollerDataConnectorPropertiesAddOnAttributes

Name Description Value

RestApiPollerRequestConfig

Name Description Value
apiEndpoint The API endpoint. string (required)
endTimeAttributeName The query parameter name which the remote server expect to end query. This property goes hand to hand with startTimeAttributeName string
headers The header for the request for the remote server. RestApiPollerRequestConfigHeaders
httpMethod The HTTP method, default value GET. 'DELETE'
'GET'
'POST'
'PUT'
isPostPayloadJson Flag to indicate if HTTP POST payload is in JSON format (vs form-urlencoded). bool
queryParameters The HTTP query parameters to RESTful API. RestApiPollerRequestConfigQueryParameters
queryParametersTemplate the query parameters template. Defines the query parameters template to use when passing query parameters in advanced scenarios. string
queryTimeFormat The query time format. A remote server can have a query to pull data from range 'start' to 'end'. This property indicate what is the expected time format the remote server know to parse. string
queryTimeIntervalAttributeName The query parameter name which we need to send the server for query logs in time interval. Should be defined with queryTimeIntervalPrepend and queryTimeIntervalDelimiter string
queryTimeIntervalDelimiter The delimiter string between 2 QueryTimeFormat in the query parameter queryTimeIntervalAttributeName. string
queryTimeIntervalPrepend The string prepend to the value of the query parameter in queryTimeIntervalAttributeName. string
queryWindowInMin The query window in minutes for the request. int
rateLimitQPS The Rate limit queries per second for the request.. int
retryCount The retry count. int
startTimeAttributeName The query parameter name which the remote server expect to start query. This property goes hand to hand with endTimeAttributeName. string
timeoutInSeconds The timeout in seconds. int

RestApiPollerRequestConfigHeaders

Name Description Value

RestApiPollerRequestConfigQueryParameters

Name Description Value

RestApiPollerRequestPagingConfig

Name Description Value
pageSize Page size int
pageSizeParameterName Page size parameter name string
pagingType Type of paging 'CountBasedPaging'
'LinkHeader'
'NextPageToken'
'NextPageUrl'
'Offset'
'PersistentLinkHeader'
'PersistentToken' (required)

SessionAuthModel

Name Description Value
headers HTTP request headers to session service endpoint. SessionAuthModelHeaders
isPostPayloadJson Indicating whether API key is set in HTTP POST payload. bool
password The password attribute name. SessionAuthModelPassword (required)
queryParameters Query parameters to session service endpoint. SessionAuthModelQueryParameters
sessionIdName Session id attribute name from HTTP response header. string
sessionLoginRequestUri HTTP request URL to session service endpoint. string
sessionTimeoutInMinutes Session timeout in minutes. int
type The auth type 'Session' (required)
userName The user name attribute key value. SessionAuthModelUserName (required)

SessionAuthModelHeaders

Name Description Value

SessionAuthModelPassword

Name Description Value

SessionAuthModelQueryParameters

Name Description Value

SessionAuthModelUserName

Name Description Value

TIDataConnector

Name Description Value
kind The data connector kind 'ThreatIntelligence' (required)
properties TI (Threat Intelligence) data connector properties. TIDataConnectorProperties

TIDataConnectorDataTypes

Name Description Value
indicators Data type for indicators connection. TIDataConnectorDataTypesIndicators (required)

TIDataConnectorDataTypesIndicators

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

TIDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. TIDataConnectorDataTypes (required)
tenantId The tenant id to connect to, and get the data from. string (required)
tipLookbackPeriod The lookback period for the feed to be imported. string

TiTaxiiDataConnector

Name Description Value
kind The data connector kind 'ThreatIntelligenceTaxii' (required)
properties Threat intelligence TAXII data connector properties. TiTaxiiDataConnectorProperties

TiTaxiiDataConnectorDataTypes

Name Description Value
taxiiClient Data type for TAXII connector. TiTaxiiDataConnectorDataTypesTaxiiClient (required)

TiTaxiiDataConnectorDataTypesTaxiiClient

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

TiTaxiiDataConnectorProperties

Name Description Value
collectionId The collection id of the TAXII server. string
dataTypes The available data types for Threat Intelligence TAXII data connector. TiTaxiiDataConnectorDataTypes (required)
friendlyName The friendly name for the TAXII server. string
password The password for the TAXII server. string
pollingFrequency The polling frequency for the TAXII server. 'OnceADay'
'OnceAMinute'
'OnceAnHour' (required)
taxiiLookbackPeriod The lookback period for the TAXII server. string
taxiiServer The API root for the TAXII server. string
tenantId The tenant id to connect to, and get the data from. string (required)
userName The userName for the TAXII server. string
workspaceId The workspace id. string

Usage Examples

Terraform (AzAPI provider) resource definition

The dataConnectors resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.SecurityInsights/dataConnectors resource, add the following Terraform to your template.

resource "azapi_resource" "symbolicname" {
  etag = "string"
  name = "string"
  kind = "string"
  // For remaining properties, see Microsoft.SecurityInsights/dataConnectors objects
}

Microsoft.SecurityInsights/dataConnectors objects

Set the kind property to specify the type of object.

For APIPolling, use:

{
  kind = "APIPolling"
  properties = {
    connectorUiConfig = {
      availability = {
        isPreview = bool
        status = "1"
      }
      connectivityCriteria = [
        {
          type = "string"
          value = [
            "string"
          ]
        }
      ]
      customImage = "string"
      dataTypes = [
        {
          lastDataReceivedQuery = "string"
          name = "string"
        }
      ]
      descriptionMarkdown = "string"
      graphQueries = [
        {
          baseQuery = "string"
          legend = "string"
          metricName = "string"
        }
      ]
      graphQueriesTableName = "string"
      instructionSteps = [
        {
          description = "string"
          instructions = [
            {
              parameters = ?
              type = "string"
            }
          ]
          title = "string"
        }
      ]
      permissions = {
        customs = [
          {
            description = "string"
            name = "string"
          }
        ]
        resourceProvider = [
          {
            permissionsDisplayText = "string"
            provider = "string"
            providerDisplayName = "string"
            requiredPermissions = {
              action = bool
              delete = bool
              read = bool
              write = bool
            }
            scope = "string"
          }
        ]
      }
      publisher = "string"
      sampleQueries = [
        {
          description = "string"
          query = "string"
        }
      ]
      title = "string"
    }
    pollingConfig = {
      auth = {
        apiKeyIdentifier = "string"
        apiKeyName = "string"
        authorizationEndpoint = "string"
        authorizationEndpointQueryParameters = ?
        authType = "string"
        flowName = "string"
        isApiKeyInPostPayload = "string"
        isClientSecretInHeader = bool
        redirectionEndpoint = "string"
        scope = "string"
        tokenEndpoint = "string"
        tokenEndpointHeaders = ?
        tokenEndpointQueryParameters = ?
      }
      isActive = bool
      paging = {
        nextPageParaName = "string"
        nextPageTokenJsonPath = "string"
        pageCountAttributePath = "string"
        pageSize = int
        pageSizeParaName = "string"
        pageTimeStampAttributePath = "string"
        pageTotalCountAttributePath = "string"
        pagingType = "string"
        searchTheLatestTimeStampFromEventsList = "string"
      }
      request = {
        apiEndpoint = "string"
        endTimeAttributeName = "string"
        headers = ?
        httpMethod = "string"
        queryParameters = ?
        queryParametersTemplate = "string"
        queryTimeFormat = "string"
        queryWindowInMin = int
        rateLimitQps = int
        retryCount = int
        startTimeAttributeName = "string"
        timeoutInSeconds = int
      }
      response = {
        eventsJsonPaths = [
          "string"
        ]
        isGzipCompressed = bool
        successStatusJsonPath = "string"
        successStatusValue = "string"
      }
    }
  }
}

For AmazonWebServicesCloudTrail, use:

{
  kind = "AmazonWebServicesCloudTrail"
  properties = {
    awsRoleArn = "string"
    dataTypes = {
      logs = {
        state = "string"
      }
    }
  }
}

For AmazonWebServicesS3, use:

{
  kind = "AmazonWebServicesS3"
  properties = {
    dataTypes = {
      logs = {
        state = "string"
      }
    }
    destinationTable = "string"
    roleArn = "string"
    sqsUrls = [
      "string"
    ]
  }
}

For AzureActiveDirectory, use:

{
  kind = "AzureActiveDirectory"
  properties = {
    dataTypes = {
      alerts = {
        state = "string"
      }
    }
    tenantId = "string"
  }
}

For AzureAdvancedThreatProtection, use:

{
  kind = "AzureAdvancedThreatProtection"
  properties = {
    dataTypes = {
      alerts = {
        state = "string"
      }
    }
    tenantId = "string"
  }
}

For AzureSecurityCenter, use:

{
  kind = "AzureSecurityCenter"
  properties = {
    dataTypes = {
      alerts = {
        state = "string"
      }
    }
    subscriptionId = "string"
  }
}

For Dynamics365, use:

{
  kind = "Dynamics365"
  properties = {
    dataTypes = {
      dynamics365CdsActivities = {
        state = "string"
      }
    }
    tenantId = "string"
  }
}

For GCP, use:

{
  kind = "GCP"
  properties = {
    auth = {
      projectNumber = "string"
      serviceAccountEmail = "string"
      workloadIdentityProviderId = "string"
    }
    connectorDefinitionName = "string"
    dcrConfig = {
      dataCollectionEndpoint = "string"
      dataCollectionRuleImmutableId = "string"
      streamName = "string"
    }
    request = {
      projectId = "string"
      subscriptionNames = [
        "string"
      ]
    }
  }
}

For GenericUI, use:

{
  kind = "GenericUI"
  properties = {
    connectorUiConfig = {
      availability = {
        isPreview = bool
        status = "1"
      }
      connectivityCriteria = [
        {
          type = "string"
          value = [
            "string"
          ]
        }
      ]
      customImage = "string"
      dataTypes = [
        {
          lastDataReceivedQuery = "string"
          name = "string"
        }
      ]
      descriptionMarkdown = "string"
      graphQueries = [
        {
          baseQuery = "string"
          legend = "string"
          metricName = "string"
        }
      ]
      graphQueriesTableName = "string"
      instructionSteps = [
        {
          description = "string"
          instructions = [
            {
              parameters = ?
              type = "string"
            }
          ]
          title = "string"
        }
      ]
      permissions = {
        customs = [
          {
            description = "string"
            name = "string"
          }
        ]
        resourceProvider = [
          {
            permissionsDisplayText = "string"
            provider = "string"
            providerDisplayName = "string"
            requiredPermissions = {
              action = bool
              delete = bool
              read = bool
              write = bool
            }
            scope = "string"
          }
        ]
      }
      publisher = "string"
      sampleQueries = [
        {
          description = "string"
          query = "string"
        }
      ]
      title = "string"
    }
  }
}

For IOT, use:

{
  kind = "IOT"
  properties = {
    dataTypes = {
      alerts = {
        state = "string"
      }
    }
    subscriptionId = "string"
  }
}

For MicrosoftCloudAppSecurity, use:

{
  kind = "MicrosoftCloudAppSecurity"
  properties = {
    dataTypes = {
      alerts = {
        state = "string"
      }
      discoveryLogs = {
        state = "string"
      }
    }
    tenantId = "string"
  }
}

For MicrosoftDefenderAdvancedThreatProtection, use:

{
  kind = "MicrosoftDefenderAdvancedThreatProtection"
  properties = {
    dataTypes = {
      alerts = {
        state = "string"
      }
    }
    tenantId = "string"
  }
}

For MicrosoftPurviewInformationProtection, use:

{
  kind = "MicrosoftPurviewInformationProtection"
  properties = {
    dataTypes = {
      logs = {
        state = "string"
      }
    }
    tenantId = "string"
  }
}

For MicrosoftThreatIntelligence, use:

{
  kind = "MicrosoftThreatIntelligence"
  properties = {
    dataTypes = {
      microsoftEmergingThreatFeed = {
        lookbackPeriod = "string"
        state = "string"
      }
    }
    tenantId = "string"
  }
}

For MicrosoftThreatProtection, use:

{
  kind = "MicrosoftThreatProtection"
  properties = {
    dataTypes = {
      alerts = {
        state = "string"
      }
      incidents = {
        state = "string"
      }
    }
    filteredProviders = {
      alerts = [
        "string"
      ]
    }
    tenantId = "string"
  }
}

For Office365, use:

{
  kind = "Office365"
  properties = {
    dataTypes = {
      exchange = {
        state = "string"
      }
      sharePoint = {
        state = "string"
      }
      teams = {
        state = "string"
      }
    }
    tenantId = "string"
  }
}

For Office365Project, use:

{
  kind = "Office365Project"
  properties = {
    dataTypes = {
      logs = {
        state = "string"
      }
    }
    tenantId = "string"
  }
}

For OfficeATP, use:

{
  kind = "OfficeATP"
  properties = {
    dataTypes = {
      alerts = {
        state = "string"
      }
    }
    tenantId = "string"
  }
}

For OfficeIRM, use:

{
  kind = "OfficeIRM"
  properties = {
    dataTypes = {
      alerts = {
        state = "string"
      }
    }
    tenantId = "string"
  }
}

For OfficePowerBI, use:

{
  kind = "OfficePowerBI"
  properties = {
    dataTypes = {
      logs = {
        state = "string"
      }
    }
    tenantId = "string"
  }
}

For PurviewAudit, use:

{
  kind = "PurviewAudit"
  properties = {
    connectorDefinitionName = "string"
    dataTypes = {
      logs = {
        state = "string"
      }
    }
    dcrConfig = {
      dataCollectionEndpoint = "string"
      dataCollectionRuleImmutableId = "string"
      streamName = "string"
    }
    sourceType = "string"
    tenantId = "string"
  }
}

For RestApiPoller, use:

{
  kind = "RestApiPoller"
  properties = {
    addOnAttributes = {
      {customized property} = "string"
    }
    auth = {
      type = "string"
      // For remaining properties, see CcpAuthConfig objects
    }
    connectorDefinitionName = "string"
    dataType = "string"
    dcrConfig = {
      dataCollectionEndpoint = "string"
      dataCollectionRuleImmutableId = "string"
      streamName = "string"
    }
    isActive = bool
    paging = {
      pageSize = int
      pageSizeParameterName = "string"
      pagingType = "string"
    }
    request = {
      apiEndpoint = "string"
      endTimeAttributeName = "string"
      headers = {
        {customized property} = "string"
      }
      httpMethod = "string"
      isPostPayloadJson = bool
      queryParameters = {
        {customized property} = ?
      }
      queryParametersTemplate = "string"
      queryTimeFormat = "string"
      queryTimeIntervalAttributeName = "string"
      queryTimeIntervalDelimiter = "string"
      queryTimeIntervalPrepend = "string"
      queryWindowInMin = int
      rateLimitQPS = int
      retryCount = int
      startTimeAttributeName = "string"
      timeoutInSeconds = int
    }
    response = {
      compressionAlgo = "string"
      convertChildPropertiesToArray = bool
      csvDelimiter = "string"
      csvEscape = "string"
      eventsJsonPaths = [
        "string"
      ]
      format = "string"
      hasCsvBoundary = bool
      hasCsvHeader = bool
      isGzipCompressed = bool
      successStatusJsonPath = "string"
      successStatusValue = "string"
    }
  }
}

For ThreatIntelligence, use:

{
  kind = "ThreatIntelligence"
  properties = {
    dataTypes = {
      indicators = {
        state = "string"
      }
    }
    tenantId = "string"
    tipLookbackPeriod = "string"
  }
}

For ThreatIntelligenceTaxii, use:

{
  kind = "ThreatIntelligenceTaxii"
  properties = {
    collectionId = "string"
    dataTypes = {
      taxiiClient = {
        state = "string"
      }
    }
    friendlyName = "string"
    password = "string"
    pollingFrequency = "string"
    taxiiLookbackPeriod = "string"
    taxiiServer = "string"
    tenantId = "string"
    userName = "string"
    workspaceId = "string"
  }
}

CcpAuthConfig objects

Set the type property to specify the type of object.

For APIKey, use:

{
  apiKey = "string"
  apiKeyIdentifier = "string"
  apiKeyName = "string"
  isApiKeyInPostPayload = bool
  type = "APIKey"
}

For AWS, use:

{
  externalId = "string"
  roleArn = "string"
  type = "AWS"
}

For Basic, use:

{
  password = "string"
  type = "Basic"
  userName = "string"
}

For GCP, use:

{
  projectNumber = "string"
  serviceAccountEmail = "string"
  type = "GCP"
  workloadIdentityProviderId = "string"
}

For GitHub, use:

{
  installationId = "string"
  type = "GitHub"
}

For JwtToken, use:

{
  headers = {
    {customized property} = "string"
  }
  isCredentialsInHeaders = bool
  isJsonRequest = bool
  password = {
    {customized property} = "string"
  }
  queryParameters = {
    {customized property} = "string"
  }
  requestTimeoutInSeconds = int
  tokenEndpoint = "string"
  type = "JwtToken"
  userName = {
    {customized property} = "string"
  }
}

For None, use:

{
  type = "None"
}

For OAuth2, use:

{
  accessTokenPrepend = "string"
  authorizationCode = "string"
  authorizationEndpoint = "string"
  authorizationEndpointHeaders = {
    {customized property} = "string"
  }
  authorizationEndpointQueryParameters = {
    {customized property} = "string"
  }
  clientId = "string"
  clientSecret = "string"
  grantType = "string"
  isCredentialsInHeaders = bool
  isJwtBearerFlow = bool
  redirectUri = "string"
  scope = "string"
  tokenEndpoint = "string"
  tokenEndpointHeaders = {
    {customized property} = "string"
  }
  tokenEndpointQueryParameters = {
    {customized property} = "string"
  }
  type = "OAuth2"
}

For Oracle, use:

{
  pemFile = "string"
  publicFingerprint = "string"
  tenantId = "string"
  type = "Oracle"
  userId = "string"
}

For ServiceBus, use:

{
  credentialsConfig = {
    {customized property} = "string"
  }
  storageAccountCredentialsConfig = {
    {customized property} = "string"
  }
  type = "ServiceBus"
}

For Session, use:

{
  headers = {
    {customized property} = "string"
  }
  isPostPayloadJson = bool
  password = {
    {customized property} = "string"
  }
  queryParameters = {
    {customized property} = ?
  }
  sessionIdName = "string"
  sessionLoginRequestUri = "string"
  sessionTimeoutInMinutes = int
  type = "Session"
  userName = {
    {customized property} = "string"
  }
}

Property Values

Microsoft.SecurityInsights/dataConnectors

Name Description Value
etag Etag of the azure resource string
kind Set to 'APIPolling' for type CodelessApiPollingDataConnector. Set to 'AmazonWebServicesCloudTrail' for type AwsCloudTrailDataConnector. Set to 'AmazonWebServicesS3' for type AwsS3DataConnector. Set to 'AzureActiveDirectory' for type AADDataConnector. Set to 'AzureAdvancedThreatProtection' for type AatpDataConnector. Set to 'AzureSecurityCenter' for type ASCDataConnector. Set to 'Dynamics365' for type Dynamics365DataConnector. Set to 'GCP' for type GCPDataConnector. Set to 'GenericUI' for type CodelessUiDataConnector. Set to 'IOT' for type IoTDataConnector. Set to 'MicrosoftCloudAppSecurity' for type McasDataConnector. Set to 'MicrosoftDefenderAdvancedThreatProtection' for type MdatpDataConnector. Set to 'MicrosoftPurviewInformationProtection' for type MicrosoftPurviewInformationProtectionDataConnector. Set to 'MicrosoftThreatIntelligence' for type MstiDataConnector. Set to 'MicrosoftThreatProtection' for type MTPDataConnector. Set to 'Office365' for type OfficeDataConnector. Set to 'Office365Project' for type Office365ProjectDataConnector. Set to 'OfficeATP' for type OfficeATPDataConnector. Set to 'OfficeIRM' for type OfficeIRMDataConnector. Set to 'OfficePowerBI' for type OfficePowerBIDataConnector. Set to 'PurviewAudit' for type PurviewAuditDataConnector. Set to 'RestApiPoller' for type RestApiPollerDataConnector. Set to 'ThreatIntelligence' for type TIDataConnector. Set to 'ThreatIntelligenceTaxii' for type TiTaxiiDataConnector. 'AmazonWebServicesCloudTrail'
'AmazonWebServicesS3'
'APIPolling'
'AzureActiveDirectory'
'AzureAdvancedThreatProtection'
'AzureSecurityCenter'
'Dynamics365'
'GCP'
'GenericUI'
'IOT'
'MicrosoftCloudAppSecurity'
'MicrosoftDefenderAdvancedThreatProtection'
'MicrosoftPurviewInformationProtection'
'MicrosoftThreatIntelligence'
'MicrosoftThreatProtection'
'Office365'
'Office365Project'
'OfficeATP'
'OfficeIRM'
'OfficePowerBI'
'PurviewAudit'
'RestApiPoller'
'ThreatIntelligence'
'ThreatIntelligenceTaxii' (required)
name The resource name string (required)
parent_id The ID of the resource to apply this extension resource to. string (required)
type The resource type "Microsoft.SecurityInsights/dataConnectors@2025-07-01-preview"

AADDataConnector

Name Description Value
kind The data connector kind 'AzureActiveDirectory' (required)
properties AADIP (Azure Active Directory Identity Protection) data connector properties. AADDataConnectorProperties

AADDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. AlertsDataTypeOfDataConnector
tenantId The tenant id to connect to, and get the data from. string (required)

AatpDataConnector

Name Description Value
kind The data connector kind 'AzureAdvancedThreatProtection' (required)
properties AATP (Azure Advanced Threat Protection) data connector properties. AatpDataConnectorProperties

AatpDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. AlertsDataTypeOfDataConnector
tenantId The tenant id to connect to, and get the data from. string (required)

AlertsDataTypeOfDataConnector

Name Description Value
alerts Alerts data type connection. DataConnectorDataTypeCommon (required)

ApiKeyAuthModel

Name Description Value
apiKey API Key for the user secret key credential string (required)
apiKeyIdentifier API Key Identifier string
apiKeyName API Key name string (required)
isApiKeyInPostPayload Flag to indicate if API key is set in HTTP POST payload bool
type The auth type 'APIKey' (required)

ApiPollingParameters

Name Description Value
connectorUiConfig Config to describe the instructions blade CodelessUiConnectorConfigProperties
pollingConfig Config to describe the polling instructions CodelessConnectorPollingConfigProperties

ASCDataConnector

Name Description Value
kind The data connector kind 'AzureSecurityCenter' (required)
properties ASC (Azure Security Center) data connector properties. ASCDataConnectorProperties

ASCDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. AlertsDataTypeOfDataConnector
subscriptionId The subscription id to connect to, and get the data from. string

Availability

Name Description Value
isPreview Set connector as preview bool
status The connector Availability Status '1'

AWSAuthModel

Name Description Value
externalId AWS STS assume role external ID. This is used to prevent the confused deputy problem: 'https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html' string
roleArn AWS STS assume role ARN string (required)
type The auth type 'AWS' (required)

AwsCloudTrailDataConnector

Name Description Value
kind The data connector kind 'AmazonWebServicesCloudTrail' (required)
properties Amazon Web Services CloudTrail data connector properties. AwsCloudTrailDataConnectorProperties

AwsCloudTrailDataConnectorDataTypes

Name Description Value
logs Logs data type. AwsCloudTrailDataConnectorDataTypesLogs (required)

AwsCloudTrailDataConnectorDataTypesLogs

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

AwsCloudTrailDataConnectorProperties

Name Description Value
awsRoleArn The Aws Role Arn (with CloudTrailReadOnly policy) that is used to access the Aws account. string
dataTypes The available data types for the connector. AwsCloudTrailDataConnectorDataTypes (required)

AwsS3DataConnector

Name Description Value
kind The data connector kind 'AmazonWebServicesS3' (required)
properties Amazon Web Services S3 data connector properties. AwsS3DataConnectorProperties

AwsS3DataConnectorDataTypes

Name Description Value
logs Logs data type. AwsS3DataConnectorDataTypesLogs (required)

AwsS3DataConnectorDataTypesLogs

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

AwsS3DataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. AwsS3DataConnectorDataTypes (required)
destinationTable The logs destination table name in LogAnalytics. string (required)
roleArn The Aws Role Arn that is used to access the Aws account. string (required)
sqsUrls The AWS sqs urls for the connector. string[] (required)

BasicAuthModel

Name Description Value
password The password string (required)
type The auth type 'Basic' (required)
userName The user name. string (required)

CcpAuthConfig

Name Description Value
type Set to 'APIKey' for type ApiKeyAuthModel. Set to 'AWS' for type AWSAuthModel. Set to 'Basic' for type BasicAuthModel. Set to 'GCP' for type GCPAuthModel. Set to 'GitHub' for type GitHubAuthModel. Set to 'JwtToken' for type JwtAuthModel. Set to 'None' for type NoneAuthModel. Set to 'OAuth2' for type OAuthModel. Set to 'Oracle' for type OracleAuthModel. Set to 'ServiceBus' for type GenericBlobSbsAuthModel. Set to 'Session' for type SessionAuthModel. 'APIKey'
'AWS'
'Basic'
'GCP'
'GitHub'
'JwtToken'
'None'
'OAuth2'
'Oracle'
'ServiceBus'
'Session' (required)

CcpResponseConfig

Name Description Value
compressionAlgo The compression algorithm. For Example: 'gzip', 'multi-gzip', 'deflate'. string
convertChildPropertiesToArray The value indicating whether the response isn't an array of events / logs. By setting this flag to true it means the remote server will response with an object which each property has as a value an array of events / logs. bool
csvDelimiter The csv delimiter, in case the response format is CSV. string
csvEscape The character used to escape characters in CSV. string

Constraints:
Min length = 1
Max length = 1
eventsJsonPaths The json paths, '$' char is the json root. string[] (required)
format The response format. possible values are json,csv,xml string
hasCsvBoundary The value indicating whether the response has CSV boundary in case the response in CSV format. bool
hasCsvHeader The value indicating whether the response has headers in case the response in CSV format. bool
isGzipCompressed The value indicating whether the remote server support Gzip and we should expect Gzip response. bool
successStatusJsonPath The value where the status message/code should appear in the response. string
successStatusValue The status value. string

CodelessApiPollingDataConnector

Name Description Value
kind The data connector kind 'APIPolling' (required)
properties Codeless poling data connector properties ApiPollingParameters

CodelessConnectorPollingAuthProperties

Name Description Value
apiKeyIdentifier A prefix send in the header before the actual token string
apiKeyName The header name which the token is sent with string
authorizationEndpoint The endpoint used to authorize the user, used in Oauth 2.0 flow string
authorizationEndpointQueryParameters The query parameters used in authorization request, used in Oauth 2.0 flow any
authType The authentication type string (required)
flowName Describes the flow name, for example 'AuthCode' for Oauth 2.0 string
isApiKeyInPostPayload Marks if the key should sent in header string
isClientSecretInHeader Marks if we should send the client secret in header or payload, used in Oauth 2.0 flow bool
redirectionEndpoint The redirect endpoint where we will get the authorization code, used in Oauth 2.0 flow string
scope The OAuth token scope string
tokenEndpoint The endpoint used to issue a token, used in Oauth 2.0 flow string
tokenEndpointHeaders The query headers used in token request, used in Oauth 2.0 flow any
tokenEndpointQueryParameters The query parameters used in token request, used in Oauth 2.0 flow any

CodelessConnectorPollingConfigProperties

Name Description Value
auth Describe the authentication type of the poller CodelessConnectorPollingAuthProperties (required)
isActive The poller active status bool
paging Describe the poll request paging config of the poller CodelessConnectorPollingPagingProperties
request Describe the poll request config parameters of the poller CodelessConnectorPollingRequestProperties (required)
response Describe the response config parameters of the poller CodelessConnectorPollingResponseProperties

CodelessConnectorPollingPagingProperties

Name Description Value
nextPageParaName Defines the name of a next page attribute string
nextPageTokenJsonPath Defines the path to a next page token JSON string
pageCountAttributePath Defines the path to a page count attribute string
pageSize Defines the paging size int
pageSizeParaName Defines the name of the page size parameter string
pageTimeStampAttributePath Defines the path to a paging time stamp attribute string
pageTotalCountAttributePath Defines the path to a page total count attribute string
pagingType Describes the type. could be 'None', 'PageToken', 'PageCount', 'TimeStamp' string (required)
searchTheLatestTimeStampFromEventsList Determines whether to search for the latest time stamp in the events list string

CodelessConnectorPollingRequestProperties

Name Description Value
apiEndpoint Describe the endpoint we should pull the data from string (required)
endTimeAttributeName This will be used the query events from the end of the time window string
headers Describe the headers sent in the poll request any
httpMethod The http method type we will use in the poll request, GET or POST string (required)
queryParameters Describe the query parameters sent in the poll request any
queryParametersTemplate For advanced scenarios for example user name/password embedded in nested JSON payload string
queryTimeFormat The time format will be used the query events in a specific window string (required)
queryWindowInMin The window interval we will use the pull the data int (required)
rateLimitQps Defines the rate limit QPS int
retryCount Describe the amount of time we should try and poll the data in case of failure int
startTimeAttributeName This will be used the query events from a start of the time window string
timeoutInSeconds The number of seconds we will consider as a request timeout int

CodelessConnectorPollingResponseProperties

Name Description Value
eventsJsonPaths Describes the path we should extract the data in the response string[] (required)
isGzipCompressed Describes if the data in the response is Gzip bool
successStatusJsonPath Describes the path we should extract the status code in the response string
successStatusValue Describes the path we should extract the status value in the response string

CodelessParameters

Name Description Value
connectorUiConfig Config to describe the instructions blade CodelessUiConnectorConfigProperties

CodelessUiConnectorConfigProperties

Name Description Value
availability Connector Availability Status Availability (required)
connectivityCriteria Define the way the connector check connectivity CodelessUiConnectorConfigPropertiesConnectivityCriteriaItem[] (required)
customImage An optional custom image to be used when displaying the connector within Azure Sentinel's connector's gallery string
dataTypes Data types to check for last data received CodelessUiConnectorConfigPropertiesDataTypesItem[] (required)
descriptionMarkdown Connector description string (required)
graphQueries The graph query to show the current data status CodelessUiConnectorConfigPropertiesGraphQueriesItem[] (required)
graphQueriesTableName Name of the table the connector will insert the data to string (required)
instructionSteps Instruction steps to enable the connector CodelessUiConnectorConfigPropertiesInstructionStepsItem[] (required)
permissions Permissions required for the connector Permissions (required)
publisher Connector publisher name string (required)
sampleQueries The sample queries for the connector CodelessUiConnectorConfigPropertiesSampleQueriesItem[] (required)
title Connector blade title string (required)

CodelessUiConnectorConfigPropertiesConnectivityCriteriaItem

Name Description Value
type type of connectivity 'IsConnectedQuery'
value Queries for checking connectivity string[]

CodelessUiConnectorConfigPropertiesDataTypesItem

Name Description Value
lastDataReceivedQuery Query for indicate last data received string
name Name of the data type to show in the graph. can be use with {{graphQueriesTableName}} placeholder string

CodelessUiConnectorConfigPropertiesGraphQueriesItem

Name Description Value
baseQuery The base query for the graph string
legend The legend for the graph string
metricName the metric that the query is checking string

CodelessUiConnectorConfigPropertiesInstructionStepsItem

Name Description Value
description Instruction step description string
instructions Instruction step details InstructionStepsInstructionsItem[]
title Instruction step title string

CodelessUiConnectorConfigPropertiesSampleQueriesItem

Name Description Value
description The sample query description string
query the sample query string

CodelessUiDataConnector

Name Description Value
kind The data connector kind 'GenericUI' (required)
properties Codeless UI data connector properties CodelessParameters

DataConnectorDataTypeCommon

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

DCRConfiguration

Name Description Value
dataCollectionEndpoint Represents the data collection ingestion endpoint in log analytics. string (required)
dataCollectionRuleImmutableId The data collection rule immutable id, the rule defines the transformation and data destination. string (required)
streamName The stream we are sending the data to. string (required)

Dynamics365DataConnector

Name Description Value
kind The data connector kind 'Dynamics365' (required)
properties Dynamics365 data connector properties. Dynamics365DataConnectorProperties

Dynamics365DataConnectorDataTypes

Name Description Value
dynamics365CdsActivities Common Data Service data type connection. Dynamics365DataConnectorDataTypesDynamics365CdsActivities (required)

Dynamics365DataConnectorDataTypesDynamics365CdsActivities

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

Dynamics365DataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. Dynamics365DataConnectorDataTypes (required)
tenantId The tenant id to connect to, and get the data from. string (required)

GCPAuthModel

Name Description Value
projectNumber GCP Project Number string (required)
serviceAccountEmail GCP Service Account Email string (required)
type The auth type 'GCP' (required)
workloadIdentityProviderId GCP Workload Identity Provider ID string (required)

GCPAuthProperties

Name Description Value
projectNumber The GCP project number. string (required)
serviceAccountEmail The service account that is used to access the GCP project. string (required)
workloadIdentityProviderId The workload identity provider id that is used to gain access to the GCP project. string (required)

GCPDataConnector

Name Description Value
kind The data connector kind 'GCP' (required)
properties Google Cloud Platform data connector properties. GCPDataConnectorProperties

GCPDataConnectorProperties

Name Description Value
auth The auth section of the connector. GCPAuthProperties (required)
connectorDefinitionName The name of the connector definition that represents the UI config. string (required)
dcrConfig The configuration of the destination of the data. DCRConfiguration
request The request section of the connector. GCPRequestProperties (required)

GCPRequestProperties

Name Description Value
projectId The GCP project id. string (required)
subscriptionNames The GCP pub/sub subscription names. string[] (required)

GenericBlobSbsAuthModel

Name Description Value
credentialsConfig Credentials for service bus namespace, keyvault uri for access key GenericBlobSbsAuthModelCredentialsConfig
storageAccountCredentialsConfig Credentials for storage account, keyvault uri for access key GenericBlobSbsAuthModelStorageAccountCredentialsConfig
type The auth type 'ServiceBus' (required)

GenericBlobSbsAuthModelCredentialsConfig

Name Description Value

GenericBlobSbsAuthModelStorageAccountCredentialsConfig

Name Description Value

GitHubAuthModel

Name Description Value
installationId The GitHubApp auth installation id. string
type The auth type 'GitHub' (required)

InstructionStepsInstructionsItem

Name Description Value
parameters The parameters for the setting any
type The kind of the setting 'CopyableLabel'
'InfoMessage'
'InstructionStepsGroup' (required)

IoTDataConnector

Name Description Value
kind The data connector kind 'IOT' (required)
properties IoT data connector properties. IoTDataConnectorProperties

IoTDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. AlertsDataTypeOfDataConnector
subscriptionId The subscription id to connect to, and get the data from. string

JwtAuthModel

Name Description Value
headers The custom headers we want to add once we send request to token endpoint. JwtAuthModelHeaders
isCredentialsInHeaders Flag indicating whether we want to send the user name and password to token endpoint in the headers. bool
isJsonRequest Flag indicating whether the body request is JSON (header Content-Type = application/json), meaning its a Form URL encoded request (header Content-Type = application/x-www-form-urlencoded). bool
password The password JwtAuthModelPassword (required)
queryParameters The custom query parameter we want to add once we send request to token endpoint. JwtAuthModelQueryParameters
requestTimeoutInSeconds Request timeout in seconds. int

Constraints:
Max value = 180
tokenEndpoint Token endpoint to request JWT string (required)
type The auth type 'JwtToken' (required)
userName The user name. If user name and password sent in header request we only need to populate the value property with the user name (Same as basic auth). If user name and password sent in body request we need to specify the Key and Value. JwtAuthModelUserName (required)

JwtAuthModelHeaders

Name Description Value

JwtAuthModelPassword

Name Description Value

JwtAuthModelQueryParameters

Name Description Value

JwtAuthModelUserName

Name Description Value

McasDataConnector

Name Description Value
kind The data connector kind 'MicrosoftCloudAppSecurity' (required)
properties MCAS (Microsoft Cloud App Security) data connector properties. McasDataConnectorProperties

McasDataConnectorDataTypes

Name Description Value
alerts Alerts data type connection. DataConnectorDataTypeCommon (required)
discoveryLogs Discovery log data type connection. DataConnectorDataTypeCommon

McasDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. McasDataConnectorDataTypes (required)
tenantId The tenant id to connect to, and get the data from. string (required)

MdatpDataConnector

Name Description Value
kind The data connector kind 'MicrosoftDefenderAdvancedThreatProtection' (required)
properties MDATP (Microsoft Defender Advanced Threat Protection) data connector properties. MdatpDataConnectorProperties

MdatpDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. AlertsDataTypeOfDataConnector
tenantId The tenant id to connect to, and get the data from. string (required)

MicrosoftPurviewInformationProtectionConnectorDataTypes

Name Description Value
logs Logs data type. MicrosoftPurviewInformationProtectionConnectorDataTypesLogs (required)

MicrosoftPurviewInformationProtectionConnectorDataTypesLogs

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

MicrosoftPurviewInformationProtectionDataConnector

Name Description Value
kind The data connector kind 'MicrosoftPurviewInformationProtection' (required)
properties Microsoft Purview Information Protection data connector properties. MicrosoftPurviewInformationProtectionDataConnectorProperties

MicrosoftPurviewInformationProtectionDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. MicrosoftPurviewInformationProtectionConnectorDataTypes (required)
tenantId The tenant id to connect to, and get the data from. string (required)

MstiDataConnector

Name Description Value
kind The data connector kind 'MicrosoftThreatIntelligence' (required)
properties Microsoft Threat Intelligence data connector properties. MstiDataConnectorProperties

MstiDataConnectorDataTypes

Name Description Value
microsoftEmergingThreatFeed Data type for Microsoft Threat Intelligence Platforms data connector. MstiDataConnectorDataTypesMicrosoftEmergingThreatFeed (required)

MstiDataConnectorDataTypesMicrosoftEmergingThreatFeed

Name Description Value
lookbackPeriod The lookback period for the feed to be imported. string (required)
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

MstiDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. MstiDataConnectorDataTypes (required)
tenantId The tenant id to connect to, and get the data from. string (required)

MTPDataConnector

Name Description Value
kind The data connector kind 'MicrosoftThreatProtection' (required)
properties MTP (Microsoft Threat Protection) data connector properties. MTPDataConnectorProperties

MTPDataConnectorDataTypes

Name Description Value
alerts Alerts data type for Microsoft Threat Protection Platforms data connector. MTPDataConnectorDataTypesAlerts
incidents Incidents data type for Microsoft Threat Protection Platforms data connector. MTPDataConnectorDataTypesIncidents (required)

MTPDataConnectorDataTypesAlerts

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

MTPDataConnectorDataTypesIncidents

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

MTPDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. MTPDataConnectorDataTypes (required)
filteredProviders The available filtered providers for the connector. MtpFilteredProviders
tenantId The tenant id to connect to, and get the data from. string (required)

MtpFilteredProviders

Name Description Value
alerts Alerts filtered providers. When filters are not applied, all alerts will stream through the MTP pipeline, still in private preview for all products EXCEPT MDA and MDI, which are in GA state. String array containing any of:
'microsoftDefenderForCloudApps'
'microsoftDefenderForIdentity' (required)

NoneAuthModel

Name Description Value
type The auth type 'None' (required)

OAuthModel

Name Description Value
accessTokenPrepend Access token prepend. Default is 'Bearer'. string
authorizationCode The user's authorization code. string
authorizationEndpoint The authorization endpoint. string
authorizationEndpointHeaders The authorization endpoint headers. OAuthModelAuthorizationEndpointHeaders
authorizationEndpointQueryParameters The authorization endpoint query parameters. OAuthModelAuthorizationEndpointQueryParameters
clientId The Application (client) ID that the OAuth provider assigned to your app. string (required)
clientSecret The Application (client) secret that the OAuth provider assigned to your app. string (required)
grantType The grant type, usually will be 'authorization code'. string (required)
isCredentialsInHeaders Indicating whether we want to send the clientId and clientSecret to token endpoint in the headers. bool
isJwtBearerFlow A value indicating whether it's a JWT flow. bool
redirectUri The Application redirect url that the user config in the OAuth provider. string
scope The Application (client) Scope that the OAuth provider assigned to your app. string
tokenEndpoint The token endpoint. Defines the OAuth2 refresh token. string (required)
tokenEndpointHeaders The token endpoint headers. OAuthModelTokenEndpointHeaders
tokenEndpointQueryParameters The token endpoint query parameters. OAuthModelTokenEndpointQueryParameters
type The auth type 'OAuth2' (required)

OAuthModelAuthorizationEndpointHeaders

Name Description Value

OAuthModelAuthorizationEndpointQueryParameters

Name Description Value

OAuthModelTokenEndpointHeaders

Name Description Value

OAuthModelTokenEndpointQueryParameters

Name Description Value

Office365ProjectConnectorDataTypes

Name Description Value
logs Logs data type. Office365ProjectConnectorDataTypesLogs (required)

Office365ProjectConnectorDataTypesLogs

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

Office365ProjectDataConnector

Name Description Value
kind The data connector kind 'Office365Project' (required)
properties Office Microsoft Project data connector properties. Office365ProjectDataConnectorProperties

Office365ProjectDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. Office365ProjectConnectorDataTypes (required)
tenantId The tenant id to connect to, and get the data from. string (required)

OfficeATPDataConnector

Name Description Value
kind The data connector kind 'OfficeATP' (required)
properties OfficeATP (Office 365 Advanced Threat Protection) data connector properties. OfficeATPDataConnectorProperties

OfficeATPDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. AlertsDataTypeOfDataConnector
tenantId The tenant id to connect to, and get the data from. string (required)

OfficeDataConnector

Name Description Value
kind The data connector kind 'Office365' (required)
properties Office data connector properties. OfficeDataConnectorProperties

OfficeDataConnectorDataTypes

Name Description Value
exchange Exchange data type connection. OfficeDataConnectorDataTypesExchange (required)
sharePoint SharePoint data type connection. OfficeDataConnectorDataTypesSharePoint (required)
teams Teams data type connection. OfficeDataConnectorDataTypesTeams (required)

OfficeDataConnectorDataTypesExchange

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

OfficeDataConnectorDataTypesSharePoint

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

OfficeDataConnectorDataTypesTeams

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

OfficeDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. OfficeDataConnectorDataTypes (required)
tenantId The tenant id to connect to, and get the data from. string (required)

OfficeIRMDataConnector

Name Description Value
kind The data connector kind 'OfficeIRM' (required)
properties OfficeIRM (Microsoft Insider Risk Management) data connector properties. OfficeIRMDataConnectorProperties

OfficeIRMDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. AlertsDataTypeOfDataConnector
tenantId The tenant id to connect to, and get the data from. string (required)

OfficePowerBIConnectorDataTypes

Name Description Value
logs Logs data type. OfficePowerBIConnectorDataTypesLogs (required)

OfficePowerBIConnectorDataTypesLogs

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

OfficePowerBIDataConnector

Name Description Value
kind The data connector kind 'OfficePowerBI' (required)
properties Office Microsoft PowerBI data connector properties. OfficePowerBIDataConnectorProperties

OfficePowerBIDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. OfficePowerBIConnectorDataTypes (required)
tenantId The tenant id to connect to, and get the data from. string (required)

OracleAuthModel

Name Description Value
pemFile Content of the PRM file string (required)
publicFingerprint Public Fingerprint string (required)
tenantId Oracle tenant ID string (required)
type The auth type 'Oracle' (required)
userId Oracle user ID string (required)

Permissions

Name Description Value
customs Customs permissions required for the connector PermissionsCustomsItem[]
resourceProvider Resource provider permissions required for the connector PermissionsResourceProviderItem[]

PermissionsCustomsItem

Name Description Value
description Customs permissions description string
name Customs permissions name string

PermissionsResourceProviderItem

Name Description Value
permissionsDisplayText Permission description text string
provider Provider name 'microsoft.aadiam/diagnosticSettings'
'Microsoft.Authorization/policyAssignments'
'Microsoft.OperationalInsights/solutions'
'Microsoft.OperationalInsights/workspaces'
'Microsoft.OperationalInsights/workspaces/datasources'
'Microsoft.OperationalInsights/workspaces/sharedKeys'
providerDisplayName Permission provider display name string
requiredPermissions Required permissions for the connector RequiredPermissions
scope Permission provider scope 'ResourceGroup'
'Subscription'
'Workspace'

PurviewAuditConnectorDataTypes

Name Description Value
logs Logs data type. PurviewAuditConnectorDataTypesLogs (required)

PurviewAuditConnectorDataTypesLogs

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

PurviewAuditDataConnector

Name Description Value
kind The data connector kind 'PurviewAudit' (required)
properties PurviewAudit data connector properties. PurviewAuditDataConnectorProperties

PurviewAuditDataConnectorProperties

Name Description Value
connectorDefinitionName The connector definition name (the dataConnectorDefinition resource id). string
dataTypes The available data types for the connector. PurviewAuditConnectorDataTypes (required)
dcrConfig The DCR related properties. DCRConfiguration
sourceType The source type indicates which kind of data is relevant for this connector. string
tenantId The tenant id to connect to, and get the data from. string (required)

RequiredPermissions

Name Description Value
action action permission bool
delete delete permission bool
read read permission bool
write write permission bool

RestApiPollerDataConnector

Name Description Value
kind The data connector kind 'RestApiPoller' (required)
properties Rest Api Poller data connector properties. RestApiPollerDataConnectorProperties

RestApiPollerDataConnectorProperties

Name Description Value
addOnAttributes The add on attributes. The key name will become attribute name (a column) and the value will become the attribute value in the payload. RestApiPollerDataConnectorPropertiesAddOnAttributes
auth The a authentication model. CcpAuthConfig (required)
connectorDefinitionName The connector definition name (the dataConnectorDefinition resource id). string (required)
dataType The Log Analytics table destination. string
dcrConfig The DCR related properties. DCRConfiguration
isActive Indicates whether the connector is active or not. bool
paging The paging configuration. RestApiPollerRequestPagingConfig
request The request configuration. RestApiPollerRequestConfig (required)
response The response configuration. CcpResponseConfig

RestApiPollerDataConnectorPropertiesAddOnAttributes

Name Description Value

RestApiPollerRequestConfig

Name Description Value
apiEndpoint The API endpoint. string (required)
endTimeAttributeName The query parameter name which the remote server expect to end query. This property goes hand to hand with startTimeAttributeName string
headers The header for the request for the remote server. RestApiPollerRequestConfigHeaders
httpMethod The HTTP method, default value GET. 'DELETE'
'GET'
'POST'
'PUT'
isPostPayloadJson Flag to indicate if HTTP POST payload is in JSON format (vs form-urlencoded). bool
queryParameters The HTTP query parameters to RESTful API. RestApiPollerRequestConfigQueryParameters
queryParametersTemplate the query parameters template. Defines the query parameters template to use when passing query parameters in advanced scenarios. string
queryTimeFormat The query time format. A remote server can have a query to pull data from range 'start' to 'end'. This property indicate what is the expected time format the remote server know to parse. string
queryTimeIntervalAttributeName The query parameter name which we need to send the server for query logs in time interval. Should be defined with queryTimeIntervalPrepend and queryTimeIntervalDelimiter string
queryTimeIntervalDelimiter The delimiter string between 2 QueryTimeFormat in the query parameter queryTimeIntervalAttributeName. string
queryTimeIntervalPrepend The string prepend to the value of the query parameter in queryTimeIntervalAttributeName. string
queryWindowInMin The query window in minutes for the request. int
rateLimitQPS The Rate limit queries per second for the request.. int
retryCount The retry count. int
startTimeAttributeName The query parameter name which the remote server expect to start query. This property goes hand to hand with endTimeAttributeName. string
timeoutInSeconds The timeout in seconds. int

RestApiPollerRequestConfigHeaders

Name Description Value

RestApiPollerRequestConfigQueryParameters

Name Description Value

RestApiPollerRequestPagingConfig

Name Description Value
pageSize Page size int
pageSizeParameterName Page size parameter name string
pagingType Type of paging 'CountBasedPaging'
'LinkHeader'
'NextPageToken'
'NextPageUrl'
'Offset'
'PersistentLinkHeader'
'PersistentToken' (required)

SessionAuthModel

Name Description Value
headers HTTP request headers to session service endpoint. SessionAuthModelHeaders
isPostPayloadJson Indicating whether API key is set in HTTP POST payload. bool
password The password attribute name. SessionAuthModelPassword (required)
queryParameters Query parameters to session service endpoint. SessionAuthModelQueryParameters
sessionIdName Session id attribute name from HTTP response header. string
sessionLoginRequestUri HTTP request URL to session service endpoint. string
sessionTimeoutInMinutes Session timeout in minutes. int
type The auth type 'Session' (required)
userName The user name attribute key value. SessionAuthModelUserName (required)

SessionAuthModelHeaders

Name Description Value

SessionAuthModelPassword

Name Description Value

SessionAuthModelQueryParameters

Name Description Value

SessionAuthModelUserName

Name Description Value

TIDataConnector

Name Description Value
kind The data connector kind 'ThreatIntelligence' (required)
properties TI (Threat Intelligence) data connector properties. TIDataConnectorProperties

TIDataConnectorDataTypes

Name Description Value
indicators Data type for indicators connection. TIDataConnectorDataTypesIndicators (required)

TIDataConnectorDataTypesIndicators

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

TIDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. TIDataConnectorDataTypes (required)
tenantId The tenant id to connect to, and get the data from. string (required)
tipLookbackPeriod The lookback period for the feed to be imported. string

TiTaxiiDataConnector

Name Description Value
kind The data connector kind 'ThreatIntelligenceTaxii' (required)
properties Threat intelligence TAXII data connector properties. TiTaxiiDataConnectorProperties

TiTaxiiDataConnectorDataTypes

Name Description Value
taxiiClient Data type for TAXII connector. TiTaxiiDataConnectorDataTypesTaxiiClient (required)

TiTaxiiDataConnectorDataTypesTaxiiClient

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

TiTaxiiDataConnectorProperties

Name Description Value
collectionId The collection id of the TAXII server. string
dataTypes The available data types for Threat Intelligence TAXII data connector. TiTaxiiDataConnectorDataTypes (required)
friendlyName The friendly name for the TAXII server. string
password The password for the TAXII server. string
pollingFrequency The polling frequency for the TAXII server. 'OnceADay'
'OnceAMinute'
'OnceAnHour' (required)
taxiiLookbackPeriod The lookback period for the TAXII server. string
taxiiServer The API root for the TAXII server. string
tenantId The tenant id to connect to, and get the data from. string (required)
userName The userName for the TAXII server. string
workspaceId The workspace id. string

Usage Examples

Terraform Samples

A basic example of deploying Data Connector.

terraform {
  required_providers {
    azapi = {
      source = "Azure/azapi"
    }
    azurerm = {
      source = "hashicorp/azurerm"
    }
  }
}

provider "azurerm" {
  features {
  }
}

provider "azapi" {
  skip_provider_registration = false
}

variable "resource_name" {
  type    = string
  default = "acctest0001"
}

variable "location" {
  type    = string
  default = "westeurope"
}

data "azurerm_client_config" "current" {
}

resource "azapi_resource" "resourceGroup" {
  type     = "Microsoft.Resources/resourceGroups@2020-06-01"
  name     = var.resource_name
  location = var.location
}

resource "azapi_resource" "workspace" {
  type      = "Microsoft.OperationalInsights/workspaces@2022-10-01"
  parent_id = azapi_resource.resourceGroup.id
  name      = var.resource_name
  location  = var.location
  body = {
    properties = {
      features = {
        disableLocalAuth                            = false
        enableLogAccessUsingOnlyResourcePermissions = true
      }
      publicNetworkAccessForIngestion = "Enabled"
      publicNetworkAccessForQuery     = "Enabled"
      retentionInDays                 = 30
      sku = {
        name = "PerGB2018"
      }
      workspaceCapping = {
        dailyQuotaGb = -1
      }
    }
  }
  schema_validation_enabled = false
  response_export_values    = ["*"]
}

resource "azapi_resource" "onboardingState" {
  type      = "Microsoft.SecurityInsights/onboardingStates@2023-06-01-preview"
  parent_id = azapi_resource.workspace.id
  name      = "default"
  body = {
    properties = {
      customerManagedKey = false
    }
  }
}

resource "azapi_resource" "dataConnector" {
  type      = "Microsoft.SecurityInsights/dataConnectors@2022-10-01-preview"
  parent_id = azapi_resource.workspace.id
  name      = var.resource_name
  body = {
    kind = "MicrosoftThreatIntelligence"
    properties = {
      dataTypes = {
        bingSafetyPhishingURL = {
          lookbackPeriod = ""
          state          = "Disabled"
        }
        microsoftEmergingThreatFeed = {
          lookbackPeriod = "1970-01-01T00:00:00Z"
          state          = "enabled"
        }
      }
      tenantId = data.azurerm_client_config.current.tenant_id
    }
  }
  schema_validation_enabled = false
  response_export_values    = ["*"]
  depends_on                = [azapi_resource.onboardingState]
}
  • Last updated on