Microsoft.SecurityInsights dataConnectors
- Latest
- 2025-09-01
- 2025-07-01-preview
- 2025-06-01
- 2025-04-01-preview
- 2025-03-01
- 2025-01-01-preview
- 2024-10-01-preview
- 2024-09-01
- 2024-04-01-preview
- 2024-03-01
- 2024-01-01-preview
- 2023-12-01-preview
- 2023-11-01
- 2023-10-01-preview
- 2023-09-01-preview
- 2023-08-01-preview
- 2023-07-01-preview
- 2023-06-01-preview
- 2023-05-01-preview
- 2023-04-01-preview
- 2023-03-01-preview
- 2023-02-01
- 2023-02-01-preview
- 2022-12-01-preview
- 2022-11-01
- 2022-11-01-preview
- 2022-10-01-preview
- 2022-09-01-preview
- 2022-08-01
- 2022-08-01-preview
- 2022-07-01-preview
- 2022-06-01-preview
- 2022-05-01-preview
- 2022-04-01-preview
- 2022-01-01-preview
- 2021-10-01
- 2021-10-01-preview
- 2021-09-01-preview
- 2021-03-01-preview
- 2020-01-01
- 2019-01-01-preview
Bicep resource definition
The dataConnectors resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.SecurityInsights/dataConnectors resource, add the following Bicep to your template.
resource symbolicname 'Microsoft.SecurityInsights/dataConnectors@2025-09-01' = {
etag: 'string'
name: 'string'
kind: 'string'
// For remaining properties, see Microsoft.SecurityInsights/dataConnectors objects
}
Microsoft.SecurityInsights/dataConnectors objects
Set the kind property to specify the type of object.
For AmazonWebServicesCloudTrail, use:
{
kind: 'AmazonWebServicesCloudTrail'
properties: {
awsRoleArn: 'string'
dataTypes: {
logs: {
state: 'string'
}
}
}
}
For AzureActiveDirectory, use:
{
kind: 'AzureActiveDirectory'
properties: {
dataTypes: {
alerts: {
state: 'string'
}
}
tenantId: 'string'
}
}
For AzureAdvancedThreatProtection, use:
{
kind: 'AzureAdvancedThreatProtection'
properties: {
dataTypes: {
alerts: {
state: 'string'
}
}
tenantId: 'string'
}
}
For AzureSecurityCenter, use:
{
kind: 'AzureSecurityCenter'
properties: {
dataTypes: {
alerts: {
state: 'string'
}
}
subscriptionId: 'string'
}
}
For MicrosoftCloudAppSecurity, use:
{
kind: 'MicrosoftCloudAppSecurity'
properties: {
dataTypes: {
alerts: {
state: 'string'
}
discoveryLogs: {
state: 'string'
}
}
tenantId: 'string'
}
}
For MicrosoftDefenderAdvancedThreatProtection, use:
{
kind: 'MicrosoftDefenderAdvancedThreatProtection'
properties: {
dataTypes: {
alerts: {
state: 'string'
}
}
tenantId: 'string'
}
}
For MicrosoftThreatIntelligence, use:
{
kind: 'MicrosoftThreatIntelligence'
properties: {
dataTypes: {
microsoftEmergingThreatFeed: {
lookbackPeriod: 'string'
state: 'string'
}
}
tenantId: 'string'
}
}
For Office365, use:
{
kind: 'Office365'
properties: {
dataTypes: {
exchange: {
state: 'string'
}
sharePoint: {
state: 'string'
}
teams: {
state: 'string'
}
}
tenantId: 'string'
}
}
For PremiumMicrosoftDefenderForThreatIntelligence, use:
{
kind: 'PremiumMicrosoftDefenderForThreatIntelligence'
properties: {
dataTypes: {
connector: {
state: 'string'
}
}
lookbackPeriod: 'string'
requiredSKUsPresent: bool
tenantId: 'string'
}
}
For RestApiPoller, use:
{
kind: 'RestApiPoller'
properties: {
addOnAttributes: {
{customized property}: 'string'
}
auth: {
type: 'string'
// For remaining properties, see CcpAuthConfig objects
}
connectorDefinitionName: 'string'
dataType: 'string'
dcrConfig: {
dataCollectionEndpoint: 'string'
dataCollectionRuleImmutableId: 'string'
streamName: 'string'
}
isActive: bool
paging: {
pageSize: int
pageSizeParameterName: 'string'
pagingType: 'string'
}
request: {
apiEndpoint: 'string'
endTimeAttributeName: 'string'
headers: {
{customized property}: 'string'
}
httpMethod: 'string'
isPostPayloadJson: bool
queryParameters: {
{customized property}: any(...)
}
queryParametersTemplate: 'string'
queryTimeFormat: 'string'
queryTimeIntervalAttributeName: 'string'
queryTimeIntervalDelimiter: 'string'
queryTimeIntervalPrepend: 'string'
queryWindowInMin: int
rateLimitQPS: int
retryCount: int
startTimeAttributeName: 'string'
timeoutInSeconds: int
}
response: {
compressionAlgo: 'string'
convertChildPropertiesToArray: bool
csvDelimiter: 'string'
csvEscape: 'string'
eventsJsonPaths: [
'string'
]
format: 'string'
hasCsvBoundary: bool
hasCsvHeader: bool
isGzipCompressed: bool
successStatusJsonPath: 'string'
successStatusValue: 'string'
}
}
}
For ThreatIntelligence, use:
{
kind: 'ThreatIntelligence'
properties: {
dataTypes: {
indicators: {
state: 'string'
}
}
tenantId: 'string'
tipLookbackPeriod: 'string'
}
}
CcpAuthConfig objects
Set the type property to specify the type of object.
For APIKey, use:
{
apiKey: 'string'
apiKeyIdentifier: 'string'
apiKeyName: 'string'
isApiKeyInPostPayload: bool
type: 'APIKey'
}
For AWS, use:
{
externalId: 'string'
roleArn: 'string'
type: 'AWS'
}
For Basic, use:
{
password: 'string'
type: 'Basic'
userName: 'string'
}
For GCP, use:
{
projectNumber: 'string'
serviceAccountEmail: 'string'
type: 'GCP'
workloadIdentityProviderId: 'string'
}
For GitHub, use:
{
installationId: 'string'
type: 'GitHub'
}
For JwtToken, use:
{
headers: {
{customized property}: 'string'
}
isCredentialsInHeaders: bool
isJsonRequest: bool
password: {
{customized property}: 'string'
}
queryParameters: {
{customized property}: 'string'
}
requestTimeoutInSeconds: int
tokenEndpoint: 'string'
type: 'JwtToken'
userName: {
{customized property}: 'string'
}
}
For None, use:
{
type: 'None'
}
For OAuth2, use:
{
accessTokenPrepend: 'string'
authorizationCode: 'string'
authorizationEndpoint: 'string'
authorizationEndpointHeaders: {
{customized property}: 'string'
}
authorizationEndpointQueryParameters: {
{customized property}: 'string'
}
clientId: 'string'
clientSecret: 'string'
grantType: 'string'
isCredentialsInHeaders: bool
isJwtBearerFlow: bool
redirectUri: 'string'
scope: 'string'
tokenEndpoint: 'string'
tokenEndpointHeaders: {
{customized property}: 'string'
}
tokenEndpointQueryParameters: {
{customized property}: 'string'
}
type: 'OAuth2'
}
For Oracle, use:
{
pemFile: 'string'
publicFingerprint: 'string'
tenantId: 'string'
type: 'Oracle'
userId: 'string'
}
For ServiceBus, use:
{
credentialsConfig: {
{customized property}: 'string'
}
storageAccountCredentialsConfig: {
{customized property}: 'string'
}
type: 'ServiceBus'
}
For Session, use:
{
headers: {
{customized property}: 'string'
}
isPostPayloadJson: bool
password: {
{customized property}: 'string'
}
queryParameters: {
{customized property}: any(...)
}
sessionIdName: 'string'
sessionLoginRequestUri: 'string'
sessionTimeoutInMinutes: int
type: 'Session'
userName: {
{customized property}: 'string'
}
}
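The CcpAuthConfig objects above take credentials (apiKey, password, clientSecret, pemFile) as ordinary string properties, so a template can end up carrying them in clear text. The following Python linter is an added example, not part of the original reference: it checks the RestApiPoller connectors in a compiled ARM template for literal secrets, secrets read from non-secure parameters, 'None' auth, AWS auth without externalId, and http:// endpoints. The rule names, the sample template and the "Value" entry assumed for object-form passwords are constructed for illustration.

```python
import re

CONNECTOR_TYPE = "microsoft.securityinsights/dataconnectors"
# Secret-bearing properties per CcpAuthConfig type, taken from the objects listed above.
SECRET_FIELDS = {
    "APIKey": ["apiKey"],
    "Basic": ["password"],
    "JwtToken": ["password"],
    "OAuth2": ["clientSecret", "authorizationCode"],
    "Oracle": ["pemFile"],
    "Session": ["password"],
}
PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$", re.IGNORECASE)


def _secret_strings(value):
    """Yield the secret strings held by one auth property."""
    if isinstance(value, str):  # APIKey, Basic, OAuth2, Oracle: plain string
        yield value
    elif isinstance(value, dict):  # JwtToken, Session: object form
        # Assumption: the secret sits under a "Value" entry next to a "Key" entry.
        for key, inner in value.items():
            if key.lower() == "value" and isinstance(inner, str):
                yield inner


def _check_secret(template, field, value):
    """Return (rule, message) for one secret value, or None when acceptable."""
    # ARM treats "[...]" as an expression; a leading "[[" escapes a literal bracket.
    is_expression = (value.startswith("[") and value.endswith("]")
                     and not value.startswith("[["))
    if not is_expression:
        return ("literal-secret", f"auth.{field} is a literal string in the template")
    match = PARAM_REF.match(value)
    if match:
        declared = template.get("parameters", {}).get(match.group(1), {}).get("type", "")
        if declared.lower() not in ("securestring", "secureobject"):
            return ("insecure-param",
                    f"auth.{field} reads parameter '{match.group(1)}' of type '{declared}'")
    return None  # other template expressions cannot be resolved offline


def lint_template(template):
    """Return (resource name, rule, message) findings for RestApiPoller connectors."""
    resources = template.get("resources", [])
    if isinstance(resources, dict):  # languageVersion 2.0 keys resources by symbolic name
        resources = list(resources.values())
    findings = []
    for res in resources:
        if res.get("type", "").lower() != CONNECTOR_TYPE or res.get("kind") != "RestApiPoller":
            continue
        name = res.get("name", "<unnamed>")
        props = res.get("properties", {})
        auth = props.get("auth", {})
        auth_type = auth.get("type")
        if auth_type == "None":
            findings.append((name, "no-auth", "auth.type is 'None'"))
        if auth_type == "AWS" and not auth.get("externalId"):
            findings.append((name, "aws-no-external-id",
                             "AWS auth has no externalId (confused deputy protection)"))
        for field in SECRET_FIELDS.get(auth_type, []):
            for value in _secret_strings(auth.get(field)):
                hit = _check_secret(template, field, value)
                if hit:
                    findings.append((name, *hit))
        endpoint = props.get("request", {}).get("apiEndpoint", "")
        if endpoint.lower().startswith("http://"):
            findings.append((name, "cleartext-endpoint", "request.apiEndpoint is not HTTPS"))
    return findings


def _poller(name, auth, endpoint="https://api.example.com/v1/events"):
    """Build a constructed RestApiPoller resource, trimmed to what the checks read."""
    return {"type": "Microsoft.SecurityInsights/dataConnectors", "apiVersion": "2025-09-01",
            "name": name, "kind": "RestApiPoller",
            "properties": {"auth": auth, "request": {"apiEndpoint": endpoint}}}


# Constructed sample template; every name and value below is a placeholder.
SAMPLE_TEMPLATE = {
    "parameters": {
        "vendorApiKey": {"type": "securestring"},
        "basicPassword": {"type": "string"},
    },
    "resources": [
        _poller("good-apikey", {"type": "APIKey", "apiKeyName": "X-Api-Key",
                                "apiKey": "[parameters('vendorApiKey')]"}),
        _poller("bad-basic", {"type": "Basic", "userName": "svc-poller",
                              "password": "[parameters('basicPassword')]"},
                endpoint="http://api.example.com/v1/events"),
        _poller("bad-oauth", {"type": "OAuth2", "clientId": "example-client",
                              "clientSecret": "placeholder-not-a-real-secret"}),
        _poller("aws-no-ext", {"type": "AWS",
                               "roleArn": "arn:aws:iam::111122223333:role/ExampleRole"}),
        _poller("jwt-literal", {"type": "JwtToken",
                                "password": {"Key": "password", "Value": "placeholder-pw"}}),
    ],
}

if __name__ == "__main__":
    for resource, rule, message in lint_template(SAMPLE_TEMPLATE):
        print(f"{resource}: {rule}: {message}")
```

To lint a real deployment, pass the parsed JSON produced by `bicep build` to `lint_template`.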
Property Values
Microsoft.SecurityInsights/dataConnectors
| Name | Description | Value |
|---|---|---|
| etag | Etag of the Azure resource | string |
| kind | Set to 'AmazonWebServicesCloudTrail' for type AwsCloudTrailDataConnector. Set to 'AzureActiveDirectory' for type AADDataConnector. Set to 'AzureAdvancedThreatProtection' for type AatpDataConnector. Set to 'AzureSecurityCenter' for type ASCDataConnector. Set to 'MicrosoftCloudAppSecurity' for type McasDataConnector. Set to 'MicrosoftDefenderAdvancedThreatProtection' for type MdatpDataConnector. Set to 'MicrosoftThreatIntelligence' for type MstiDataConnector. Set to 'Office365' for type OfficeDataConnector. Set to 'PremiumMicrosoftDefenderForThreatIntelligence' for type PremiumMicrosoftDefenderForThreatIntelligence. Set to 'RestApiPoller' for type RestApiPollerDataConnector. Set to 'ThreatIntelligence' for type TIDataConnector. | 'AmazonWebServicesCloudTrail' 'AzureActiveDirectory' 'AzureAdvancedThreatProtection' 'AzureSecurityCenter' 'MicrosoftCloudAppSecurity' 'MicrosoftDefenderAdvancedThreatProtection' 'MicrosoftThreatIntelligence' 'Office365' 'PremiumMicrosoftDefenderForThreatIntelligence' 'RestApiPoller' 'ThreatIntelligence' (required) |
| name | The resource name | string (required) |
| scope | Use when creating a resource at a scope that is different than the deployment scope. | Set this property to the symbolic name of a resource to apply the extension resource. |
AADDataConnector
| Name | Description | Value |
|---|---|---|
| kind | The data connector kind | 'AzureActiveDirectory' (required) |
| properties | Microsoft Entra ID data connector properties. | AADDataConnectorProperties |
AADDataConnectorProperties
| Name | Description | Value |
|---|---|---|
| dataTypes | The available data types for the connector. | AlertsDataTypeOfDataConnector |
| tenantId | The tenant id to connect to, and get the data from. | string (required) |
AatpDataConnector
| Name | Description | Value |
|---|---|---|
| kind | The data connector kind | 'AzureAdvancedThreatProtection' (required) |
| properties | AATP (Azure Advanced Threat Protection) data connector properties. | AatpDataConnectorProperties |
AatpDataConnectorProperties
| Name | Description | Value |
|---|---|---|
| dataTypes | The available data types for the connector. | AlertsDataTypeOfDataConnector |
| tenantId | The tenant id to connect to, and get the data from. | string (required) |
AlertsDataTypeOfDataConnector
| Name | Description | Value |
|---|---|---|
| alerts | Alerts data type connection. | DataConnectorDataTypeCommon (required) |
ApiKeyAuthModel
| Name | Description | Value |
|---|---|---|
| apiKey | API Key for the user secret key credential | string (required) |
| apiKeyIdentifier | API Key Identifier | string |
| apiKeyName | API Key name | string (required) |
| isApiKeyInPostPayload | Flag to indicate if API key is set in HTTP POST payload | bool |
| type | The auth type | 'APIKey' (required) |
ASCDataConnector
| Name | Description | Value |
|---|---|---|
| kind | The data connector kind | 'AzureSecurityCenter' (required) |
| properties | ASC (Azure Security Center) data connector properties. | ASCDataConnectorProperties |
ASCDataConnectorProperties
| Name | Description | Value |
|---|---|---|
| dataTypes | The available data types for the connector. | AlertsDataTypeOfDataConnector |
| subscriptionId | The subscription id to connect to, and get the data from. | string |
AWSAuthModel
| Name | Description | Value |
|---|---|---|
| externalId | AWS STS assume role external ID. This is used to prevent the confused deputy problem: 'https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html' | string |
| roleArn | AWS STS assume role ARN | string (required) |
| type | The auth type | 'AWS' (required) |
AwsCloudTrailDataConnector
| Name | Description | Value |
|---|---|---|
| kind | The data connector kind | 'AmazonWebServicesCloudTrail' (required) |
| properties | Amazon Web Services CloudTrail data connector properties. | AwsCloudTrailDataConnectorProperties |
AwsCloudTrailDataConnectorDataTypes
| Name | Description | Value |
|---|---|---|
| logs | Logs data type. | AwsCloudTrailDataConnectorDataTypesLogs (required) |
AwsCloudTrailDataConnectorDataTypesLogs
| Name | Description | Value |
|---|---|---|
| state | Describe whether this data type connection is enabled or not. | 'Disabled' 'Enabled' (required) |
AwsCloudTrailDataConnectorProperties
| Name | Description | Value |
|---|---|---|
| awsRoleArn | The AWS role ARN (with CloudTrailReadOnly policy) that is used to access the AWS account. | string |
| dataTypes | The available data types for the connector. | AwsCloudTrailDataConnectorDataTypes (required) |
BasicAuthModel
| Name | Description | Value |
|---|---|---|
| password | The password | string (required) |
| type | The auth type | 'Basic' (required) |
| userName | The user name. | string (required) |
CcpAuthConfig
| Name | Description | Value |
|---|---|---|
| type | Set to 'APIKey' for type ApiKeyAuthModel. Set to 'AWS' for type AWSAuthModel. Set to 'Basic' for type BasicAuthModel. Set to 'GCP' for type GCPAuthModel. Set to 'GitHub' for type GitHubAuthModel. Set to 'JwtToken' for type JwtAuthModel. Set to 'None' for type NoneAuthModel. Set to 'OAuth2' for type OAuthModel. Set to 'Oracle' for type OracleAuthModel. Set to 'ServiceBus' for type GenericBlobSbsAuthModel. Set to 'Session' for type SessionAuthModel. | 'APIKey' 'AWS' 'Basic' 'GCP' 'GitHub' 'JwtToken' 'None' 'OAuth2' 'Oracle' 'ServiceBus' 'Session' (required) |
CcpResponseConfig
| Name | Description | Value |
|---|---|---|
| compressionAlgo | The compression algorithm. For Example: 'gzip', 'multi-gzip', 'deflate'. | string |
| convertChildPropertiesToArray | Indicates whether the response is not an array of events / logs. Setting this flag to true means the remote server responds with an object in which each property has an array of events / logs as its value. | bool |
| csvDelimiter | The csv delimiter, in case the response format is CSV. | string |
| csvEscape | The character used to escape characters in CSV. | string Constraints: Min length = 1 Max length = 1 |
| eventsJsonPaths | The json paths, '$' char is the json root. | string[] (required) |
| format | The response format. Possible values are json, csv, xml. | string |
| hasCsvBoundary | Indicates whether the response has a CSV boundary, in case the response is in CSV format. | bool |
| hasCsvHeader | Indicates whether the response has headers, in case the response is in CSV format. | bool |
| isGzipCompressed | Indicates whether the remote server supports Gzip and a Gzip response should be expected. | bool |
| successStatusJsonPath | The value where the status message/code should appear in the response. | string |
| successStatusValue | The status value. | string |
DataConnectorDataTypeCommon
| Name | Description | Value |
|---|---|---|
| state | Describe whether this data type connection is enabled or not. | 'Disabled' 'Enabled' (required) |
DCRConfiguration
| Name | Description | Value |
|---|---|---|
| dataCollectionEndpoint | Represents the data collection ingestion endpoint in log analytics. | string (required) |
| dataCollectionRuleImmutableId | The data collection rule immutable id, the rule defines the transformation and data destination. | string (required) |
| streamName | The stream we are sending the data to. | string (required) |
GCPAuthModel
| Name | Description | Value |
|---|---|---|
| projectNumber | GCP Project Number | string (required) |
| serviceAccountEmail | GCP Service Account Email | string (required) |
| type | The auth type | 'GCP' (required) |
| workloadIdentityProviderId | GCP Workload Identity Provider ID | string (required) |
GenericBlobSbsAuthModel
| Name | Description | Value |
|---|---|---|
| credentialsConfig | Credentials for service bus namespace, keyvault uri for access key | GenericBlobSbsAuthModelCredentialsConfig |
| storageAccountCredentialsConfig | Credentials for storage account, keyvault uri for access key | GenericBlobSbsAuthModelStorageAccountCredentialsConfig |
| type | The auth type | 'ServiceBus' (required) |
GenericBlobSbsAuthModelCredentialsConfig
| Name | Description | Value |
|---|---|---|
GenericBlobSbsAuthModelStorageAccountCredentialsConfig
| Name | Description | Value |
|---|---|---|
GitHubAuthModel
| Name | Description | Value |
|---|---|---|
| installationId | The GitHubApp auth installation id. | string |
| type | The auth type | 'GitHub' (required) |
JwtAuthModel
| Name | Description | Value |
|---|---|---|
| headers | Custom headers to add when sending the request to the token endpoint. | JwtAuthModelHeaders |
| isCredentialsInHeaders | Flag indicating whether to send the user name and password to the token endpoint in the headers. | bool |
| isJsonRequest | Flag indicating whether the request body is JSON (header Content-Type = application/json); otherwise it is a form URL-encoded request (header Content-Type = application/x-www-form-urlencoded). | bool |
| password | The password | JwtAuthModelPassword (required) |
| queryParameters | Custom query parameters to add when sending the request to the token endpoint. | JwtAuthModelQueryParameters |
| requestTimeoutInSeconds | Request timeout in seconds. | int Constraints: Max value = 180 |
| tokenEndpoint | Token endpoint to request JWT | string (required) |
| type | The auth type | 'JwtToken' (required) |
| userName | The user name. If the user name and password are sent in the request header, only the value property needs to be populated with the user name (same as basic auth). If the user name and password are sent in the request body, the Key and Value need to be specified. | JwtAuthModelUserName (required) |
JwtAuthModelHeaders
| Name | Description | Value |
|---|---|---|
JwtAuthModelPassword
| Name | Description | Value |
|---|---|---|
JwtAuthModelQueryParameters
| Name | Description | Value |
|---|---|---|
JwtAuthModelUserName
| Name | Description | Value |
|---|---|---|
McasDataConnector
| Name | Description | Value |
|---|---|---|
| kind | The data connector kind | 'MicrosoftCloudAppSecurity' (required) |
| properties | MCAS (Microsoft Cloud App Security) data connector properties. | McasDataConnectorProperties |
McasDataConnectorDataTypes
| Name | Description | Value |
|---|---|---|
| alerts | Alerts data type connection. | DataConnectorDataTypeCommon (required) |
| discoveryLogs | Discovery log data type connection. | DataConnectorDataTypeCommon |
McasDataConnectorProperties
| Name | Description | Value |
|---|---|---|
| dataTypes | The available data types for the connector. | McasDataConnectorDataTypes (required) |
| tenantId | The tenant id to connect to, and get the data from. | string (required) |
MdatpDataConnector
| Name | Description | Value |
|---|---|---|
| kind | The data connector kind | 'MicrosoftDefenderAdvancedThreatProtection' (required) |
| properties | MDATP (Microsoft Defender Advanced Threat Protection) data connector properties. | MdatpDataConnectorProperties |
MdatpDataConnectorProperties
| Name | Description | Value |
|---|---|---|
| dataTypes | The available data types for the connector. | AlertsDataTypeOfDataConnector |
| tenantId | The tenant id to connect to, and get the data from. | string (required) |
MstiDataConnector
| Name | Description | Value |
|---|---|---|
| kind | The data connector kind | 'MicrosoftThreatIntelligence' (required) |
| properties | Microsoft Threat Intelligence data connector properties. | MstiDataConnectorProperties |
MstiDataConnectorDataTypes
| Name | Description | Value |
|---|---|---|
| microsoftEmergingThreatFeed | Data type for Microsoft Threat Intelligence data connector. | MstiDataConnectorDataTypesMicrosoftEmergingThreatFeed (required) |
MstiDataConnectorDataTypesMicrosoftEmergingThreatFeed
| Name | Description | Value |
|---|---|---|
| lookbackPeriod | The lookback period for the feed to be imported. The date-time to begin importing the feed from, for example: 2024-01-01T00:00:00.000Z. | string (required) |
| state | Describe whether this data type connection is enabled or not. | 'Disabled' 'Enabled' (required) |
MstiDataConnectorProperties
| Name | Description | Value |
|---|---|---|
| dataTypes | The available data types for the connector. | MstiDataConnectorDataTypes (required) |
| tenantId | The tenant id to connect to, and get the data from. | string (required) |
NoneAuthModel
| Name | Description | Value |
|---|---|---|
| type | The auth type | 'None' (required) |
OAuthModel
| Name | Description | Value |
|---|---|---|
| accessTokenPrepend | Access token prepend. Default is 'Bearer'. | string |
| authorizationCode | The user's authorization code. | string |
| authorizationEndpoint | The authorization endpoint. | string |
| authorizationEndpointHeaders | The authorization endpoint headers. | OAuthModelAuthorizationEndpointHeaders |
| authorizationEndpointQueryParameters | The authorization endpoint query parameters. | OAuthModelAuthorizationEndpointQueryParameters |
| clientId | The Application (client) ID that the OAuth provider assigned to your app. | string (required) |
| clientSecret | The Application (client) secret that the OAuth provider assigned to your app. | string (required) |
| grantType | The grant type, usually will be 'authorization code'. | string (required) |
| isCredentialsInHeaders | Indicates whether to send the clientId and clientSecret to the token endpoint in the headers. | bool |
| isJwtBearerFlow | A value indicating whether it's a JWT flow. | bool |
| redirectUri | The application redirect URL that the user configured in the OAuth provider. | string |
| scope | The Application (client) Scope that the OAuth provider assigned to your app. | string |
| tokenEndpoint | The token endpoint. Defines the OAuth2 refresh token. | string (required) |
| tokenEndpointHeaders | The token endpoint headers. | OAuthModelTokenEndpointHeaders |
| tokenEndpointQueryParameters | The token endpoint query parameters. | OAuthModelTokenEndpointQueryParameters |
| type | The auth type | 'OAuth2' (required) |
OAuthModelAuthorizationEndpointHeaders
| Name | Description | Value |
|---|---|---|
OAuthModelAuthorizationEndpointQueryParameters
| Name | Description | Value |
|---|---|---|
OAuthModelTokenEndpointHeaders
| Name | Description | Value |
|---|---|---|
OAuthModelTokenEndpointQueryParameters
| Name | Description | Value |
|---|---|---|
OfficeDataConnector
| Name | Description | Value |
|---|---|---|
| kind | The data connector kind | 'Office365' (required) |
| properties | Office data connector properties. | OfficeDataConnectorProperties |
OfficeDataConnectorDataTypes
| Name | Description | Value |
|---|---|---|
| exchange | Exchange data type connection. | OfficeDataConnectorDataTypesExchange (required) |
| sharePoint | SharePoint data type connection. | OfficeDataConnectorDataTypesSharePoint (required) |
| teams | Teams data type connection. | OfficeDataConnectorDataTypesTeams (required) |
OfficeDataConnectorDataTypesExchange
| Name | Description | Value |
|---|---|---|
| state | Describe whether this data type connection is enabled or not. | 'Disabled' 'Enabled' (required) |
OfficeDataConnectorDataTypesSharePoint
| Name | Description | Value |
|---|---|---|
| state | Describe whether this data type connection is enabled or not. | 'Disabled' 'Enabled' (required) |
OfficeDataConnectorDataTypesTeams
| Name | Description | Value |
|---|---|---|
| state | Describe whether this data type connection is enabled or not. | 'Disabled' 'Enabled' (required) |
OfficeDataConnectorProperties
| Name | Description | Value |
|---|---|---|
| dataTypes | The available data types for the connector. | OfficeDataConnectorDataTypes (required) |
| tenantId | The tenant id to connect to, and get the data from. | string (required) |
OracleAuthModel
| Name | Description | Value |
|---|---|---|
| pemFile | Content of the PEM file | string (required) |
| publicFingerprint | Public Fingerprint | string (required) |
| tenantId | Oracle tenant ID | string (required) |
| type | The auth type | 'Oracle' (required) |
| userId | Oracle user ID | string (required) |
PremiumMdtiDataConnectorDataTypes
| Name | Description | Value |
|---|---|---|
| connector | Data type for Microsoft Defender for Threat Intelligence Premium data connector. | PremiumMdtiDataConnectorDataTypesConnector (required) |
PremiumMdtiDataConnectorDataTypesConnector
| Name | Description | Value |
|---|---|---|
| state | Describe whether this data type connection is enabled or not. | 'Disabled' 'Enabled' (required) |
PremiumMdtiDataConnectorProperties
| Name | Description | Value |
|---|---|---|
| dataTypes | The available data types for the connector. | PremiumMdtiDataConnectorDataTypes (required) |
| lookbackPeriod | The lookback period for the feed to be imported. The date-time to begin importing the feed from, for example: 2024-01-01T00:00:00.000Z. | string (required) |
| requiredSKUsPresent | The flag to indicate whether the tenant has the premium SKU required to access this connector. | bool |
| tenantId | The tenant id to connect to, and get the data from. | string (required) |
PremiumMicrosoftDefenderForThreatIntelligence
| Name | Description | Value |
|---|---|---|
| kind | The data connector kind | 'PremiumMicrosoftDefenderForThreatIntelligence' (required) |
| properties | Microsoft Defender for Threat Intelligence Premium data connector properties. | PremiumMdtiDataConnectorProperties |
RestApiPollerDataConnector
| Name | Description | Value |
|---|---|---|
| kind | The data connector kind | 'RestApiPoller' (required) |
| properties | Rest Api Poller data connector properties. | RestApiPollerDataConnectorProperties |
RestApiPollerDataConnectorProperties
| Name | Description | Value |
|---|---|---|
| addOnAttributes | The add on attributes. The key name will become attribute name (a column) and the value will become the attribute value in the payload. | RestApiPollerDataConnectorPropertiesAddOnAttributes |
| auth | The authentication model. | CcpAuthConfig (required) |
| connectorDefinitionName | The connector definition name (the dataConnectorDefinition resource id). | string (required) |
| dataType | The Log Analytics table destination. | string |
| dcrConfig | The DCR related properties. | DCRConfiguration |
| isActive | Indicates whether the connector is active or not. | bool |
| paging | The paging configuration. | RestApiPollerRequestPagingConfig |
| request | The request configuration. | RestApiPollerRequestConfig (required) |
| response | The response configuration. | CcpResponseConfig |
RestApiPollerDataConnectorPropertiesAddOnAttributes
| Name | Description | Value |
|---|---|---|
RestApiPollerRequestConfig
| Name | Description | Value |
|---|---|---|
| apiEndpoint | The API endpoint. | string (required) |
| endTimeAttributeName | The query parameter name that the remote server expects for the end of the query. This property goes hand in hand with startTimeAttributeName. | string |
| headers | The header for the request for the remote server. | RestApiPollerRequestConfigHeaders |
| httpMethod | The HTTP method, default value GET. | 'DELETE' 'GET' 'POST' 'PUT' |
| isPostPayloadJson | Flag to indicate if HTTP POST payload is in JSON format (vs form-urlencoded). | bool |
| queryParameters | The HTTP query parameters to RESTful API. | RestApiPollerRequestConfigQueryParameters |
| queryParametersTemplate | The query parameters template. Defines the query parameters template to use when passing query parameters in advanced scenarios. | string |
| queryTimeFormat | The query time format. A remote server can have a query to pull data from range 'start' to 'end'. This property indicates the time format the remote server expects to parse. | string |
| queryTimeIntervalAttributeName | The query parameter name to send to the server for querying logs in a time interval. Should be defined with queryTimeIntervalPrepend and queryTimeIntervalDelimiter. | string |
| queryTimeIntervalDelimiter | The delimiter string between the two QueryTimeFormat values in the query parameter queryTimeIntervalAttributeName. | string |
| queryTimeIntervalPrepend | The string prepended to the value of the query parameter in queryTimeIntervalAttributeName. | string |
| queryWindowInMin | The query window in minutes for the request. | int |
| rateLimitQPS | The rate limit in queries per second for the request. | int |
| retryCount | The retry count. | int |
| startTimeAttributeName | The query parameter name that the remote server expects for the start of the query. This property goes hand in hand with endTimeAttributeName. | string |
| timeoutInSeconds | The timeout in seconds. | int |
RestApiPollerRequestConfigHeaders
| Name | Description | Value |
|---|---|---|
RestApiPollerRequestConfigQueryParameters
| Name | Description | Value |
|---|---|---|
RestApiPollerRequestPagingConfig
| Name | Description | Value |
|---|---|---|
| pageSize | Page size | int |
| pageSizeParameterName | Page size parameter name | string |
| pagingType | Type of paging | 'CountBasedPaging' 'LinkHeader' 'NextPageToken' 'NextPageUrl' 'Offset' 'PersistentLinkHeader' 'PersistentToken' (required) |
SessionAuthModel
| Name | Description | Value |
|---|---|---|
| headers | HTTP request headers to session service endpoint. | SessionAuthModelHeaders |
| isPostPayloadJson | Indicating whether API key is set in HTTP POST payload. | bool |
| password | The password attribute name. | SessionAuthModelPassword (required) |
| queryParameters | Query parameters to session service endpoint. | SessionAuthModelQueryParameters |
| sessionIdName | Session id attribute name from HTTP response header. | string |
| sessionLoginRequestUri | HTTP request URL to session service endpoint. | string |
| sessionTimeoutInMinutes | Session timeout in minutes. | int |
| type | The auth type | 'Session' (required) |
| userName | The user name attribute key value. | SessionAuthModelUserName (required) |
SessionAuthModelHeaders
| Name | Description | Value |
|---|---|---|
SessionAuthModelPassword
| Name | Description | Value |
|---|---|---|
SessionAuthModelQueryParameters
| Name | Description | Value |
|---|---|---|
SessionAuthModelUserName
| Name | Description | Value |
|---|---|---|
TIDataConnector
| Name | Description | Value |
|---|---|---|
| kind | The data connector kind | 'ThreatIntelligence' (required) |
| properties | TI (Threat Intelligence) data connector properties. | TIDataConnectorProperties |
TIDataConnectorDataTypes
| Name | Description | Value |
|---|---|---|
| indicators | Data type for indicators connection. | TIDataConnectorDataTypesIndicators (required) |
TIDataConnectorDataTypesIndicators
| Name | Description | Value |
|---|---|---|
| state | Describe whether this data type connection is enabled or not. | 'Disabled' 'Enabled' (required) |
TIDataConnectorProperties
| Name | Description | Value |
|---|---|---|
| dataTypes | The available data types for the connector. | TIDataConnectorDataTypes (required) |
| tenantId | The tenant id to connect to, and get the data from. | string (required) |
| tipLookbackPeriod | The lookback period for the feed to be imported. | string |
Usage Examples
Bicep Samples
A basic example of deploying Data Connector.
param resourceName string = 'acctest0001'
param location string = 'westeurope'

// Log Analytics workspace that the data connector is scoped to
resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
  name: resourceName
  location: location
  properties: {
    features: {
      disableLocalAuth: false
      enableLogAccessUsingOnlyResourcePermissions: true
    }
    publicNetworkAccessForIngestion: 'Enabled'
    publicNetworkAccessForQuery: 'Enabled'
    retentionInDays: 30
    sku: {
      name: 'PerGB2018'
    }
    workspaceCapping: {
      dailyQuotaGb: -1
    }
  }
}

// Onboarding state on the workspace; the data connector depends on it
resource onboardingState 'Microsoft.SecurityInsights/onboardingStates@2023-06-01-preview' = {
  name: 'default'
  scope: workspace
  properties: {
    customerManagedKey: false
  }
}

// Microsoft Threat Intelligence data connector, deployed as an extension resource on the workspace
resource dataConnector 'Microsoft.SecurityInsights/dataConnectors@2022-10-01-preview' = {
  name: resourceName
  scope: workspace
  dependsOn: [
    onboardingState
  ]
  kind: 'MicrosoftThreatIntelligence'
  properties: {
    dataTypes: {
      bingSafetyPhishingURL: {
        lookbackPeriod: ''
        state: 'Disabled'
      }
      microsoftEmergingThreatFeed: {
        lookbackPeriod: '1970-01-01T00:00:00Z'
        state: 'Enabled'
      }
    }
    tenantId: tenant().tenantId
  }
}
Azure Verified Modules
The following Azure Verified Modules can be used to deploy this resource type.
| Module | Description |
|---|---|
| Security Insights - Data Connector | AVM Resource Module for Security Insights - Data Connector |
ARM template resource definition
The dataConnectors resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.SecurityInsights/dataConnectors resource, add the following JSON to your template.
{
"etag": "string",
"name": "string",
"kind": "string"
// For remaining properties, see Microsoft.SecurityInsights/dataConnectors objects
}
Microsoft.SecurityInsights/dataConnectors objects
Set the kind property to specify the type of object.
For AmazonWebServicesCloudTrail, use:
{
"kind": "AmazonWebServicesCloudTrail",
"properties": {
"awsRoleArn": "string",
"dataTypes": {
"logs": {
"state": "string"
}
}
}
}
For AzureActiveDirectory, use:
{
"kind": "AzureActiveDirectory",
"properties": {
"dataTypes": {
"alerts": {
"state": "string"
}
},
"tenantId": "string"
}
}
For AzureAdvancedThreatProtection, use:
{
"kind": "AzureAdvancedThreatProtection",
"properties": {
"dataTypes": {
"alerts": {
"state": "string"
}
},
"tenantId": "string"
}
}
For AzureSecurityCenter, use:
{
"kind": "AzureSecurityCenter",
"properties": {
"dataTypes": {
"alerts": {
"state": "string"
}
},
"subscriptionId": "string"
}
}
For MicrosoftCloudAppSecurity, use:
{
"kind": "MicrosoftCloudAppSecurity",
"properties": {
"dataTypes": {
"alerts": {
"state": "string"
},
"discoveryLogs": {
"state": "string"
}
},
"tenantId": "string"
}
}
For MicrosoftDefenderAdvancedThreatProtection, use:
{
"kind": "MicrosoftDefenderAdvancedThreatProtection",
"properties": {
"dataTypes": {
"alerts": {
"state": "string"
}
},
"tenantId": "string"
}
}
For MicrosoftThreatIntelligence, use:
{
"kind": "MicrosoftThreatIntelligence",
"properties": {
"dataTypes": {
"microsoftEmergingThreatFeed": {
"lookbackPeriod": "string",
"state": "string"
}
},
"tenantId": "string"
}
}
For Office365, use:
{
"kind": "Office365",
"properties": {
"dataTypes": {
"exchange": {
"state": "string"
},
"sharePoint": {
"state": "string"
},
"teams": {
"state": "string"
}
},
"tenantId": "string"
}
}
For PremiumMicrosoftDefenderForThreatIntelligence, use:
{
"kind": "PremiumMicrosoftDefenderForThreatIntelligence",
"properties": {
"dataTypes": {
"connector": {
"state": "string"
}
},
"lookbackPeriod": "string",
"requiredSKUsPresent": "bool",
"tenantId": "string"
}
}
For RestApiPoller, use:
{
"kind": "RestApiPoller",
"properties": {
"addOnAttributes": {
"{customized property}": "string"
},
"auth": {
"type": "string"
// For remaining properties, see CcpAuthConfig objects
},
"connectorDefinitionName": "string",
"dataType": "string",
"dcrConfig": {
"dataCollectionEndpoint": "string",
"dataCollectionRuleImmutableId": "string",
"streamName": "string"
},
"isActive": "bool",
"paging": {
"pageSize": "int",
"pageSizeParameterName": "string",
"pagingType": "string"
},
"request": {
"apiEndpoint": "string",
"endTimeAttributeName": "string",
"headers": {
"{customized property}": "string"
},
"httpMethod": "string",
"isPostPayloadJson": "bool",
"queryParameters": {
"{customized property}": {}
},
"queryParametersTemplate": "string",
"queryTimeFormat": "string",
"queryTimeIntervalAttributeName": "string",
"queryTimeIntervalDelimiter": "string",
"queryTimeIntervalPrepend": "string",
"queryWindowInMin": "int",
"rateLimitQPS": "int",
"retryCount": "int",
"startTimeAttributeName": "string",
"timeoutInSeconds": "int"
},
"response": {
"compressionAlgo": "string",
"convertChildPropertiesToArray": "bool",
"csvDelimiter": "string",
"csvEscape": "string",
"eventsJsonPaths": [ "string" ],
"format": "string",
"hasCsvBoundary": "bool",
"hasCsvHeader": "bool",
"isGzipCompressed": "bool",
"successStatusJsonPath": "string",
"successStatusValue": "string"
}
}
}
For ThreatIntelligence, use:
{
"kind": "ThreatIntelligence",
"properties": {
"dataTypes": {
"indicators": {
"state": "string"
}
},
"tenantId": "string",
"tipLookbackPeriod": "string"
}
}
CcpAuthConfig objects
Set the type property to specify the type of object.
For APIKey, use:
{
"apiKey": "string",
"apiKeyIdentifier": "string",
"apiKeyName": "string",
"isApiKeyInPostPayload": "bool",
"type": "APIKey"
}
For AWS, use:
{
"externalId": "string",
"roleArn": "string",
"type": "AWS"
}
For Basic, use:
{
"password": "string",
"type": "Basic",
"userName": "string"
}
For GCP, use:
{
"projectNumber": "string",
"serviceAccountEmail": "string",
"type": "GCP",
"workloadIdentityProviderId": "string"
}
For GitHub, use:
{
"installationId": "string",
"type": "GitHub"
}
For JwtToken, use:
{
"headers": {
"{customized property}": "string"
},
"isCredentialsInHeaders": "bool",
"isJsonRequest": "bool",
"password": {
"{customized property}": "string"
},
"queryParameters": {
"{customized property}": "string"
},
"requestTimeoutInSeconds": "int",
"tokenEndpoint": "string",
"type": "JwtToken",
"userName": {
"{customized property}": "string"
}
}
For None, use:
{
"type": "None"
}
For OAuth2, use:
{
"accessTokenPrepend": "string",
"authorizationCode": "string",
"authorizationEndpoint": "string",
"authorizationEndpointHeaders": {
"{customized property}": "string"
},
"authorizationEndpointQueryParameters": {
"{customized property}": "string"
},
"clientId": "string",
"clientSecret": "string",
"grantType": "string",
"isCredentialsInHeaders": "bool",
"isJwtBearerFlow": "bool",
"redirectUri": "string",
"scope": "string",
"tokenEndpoint": "string",
"tokenEndpointHeaders": {
"{customized property}": "string"
},
"tokenEndpointQueryParameters": {
"{customized property}": "string"
},
"type": "OAuth2"
}
For Oracle, use:
{
"pemFile": "string",
"publicFingerprint": "string",
"tenantId": "string",
"type": "Oracle",
"userId": "string"
}
For ServiceBus, use:
{
"credentialsConfig": {
"{customized property}": "string"
},
"storageAccountCredentialsConfig": {
"{customized property}": "string"
},
"type": "ServiceBus"
}
For Session, use:
{
"headers": {
"{customized property}": "string"
},
"isPostPayloadJson": "bool",
"password": {
"{customized property}": "string"
},
"queryParameters": {
"{customized property}": {}
},
"sessionIdName": "string",
"sessionLoginRequestUri": "string",
"sessionTimeoutInMinutes": "int",
"type": "Session",
"userName": {
"{customized property}": "string"
}
}
Property Values
Microsoft.SecurityInsights/dataConnectors
| Name | Description | Value |
|---|---|---|
| apiVersion | The api version | '2025-09-01' |
| etag | Etag of the azure resource | string |
| kind | Set to 'AmazonWebServicesCloudTrail' for type AwsCloudTrailDataConnector. Set to 'AzureActiveDirectory' for type AADDataConnector. Set to 'AzureAdvancedThreatProtection' for type AatpDataConnector. Set to 'AzureSecurityCenter' for type ASCDataConnector. Set to 'MicrosoftCloudAppSecurity' for type McasDataConnector. Set to 'MicrosoftDefenderAdvancedThreatProtection' for type MdatpDataConnector. Set to 'MicrosoftThreatIntelligence' for type MstiDataConnector. Set to 'Office365' for type OfficeDataConnector. Set to 'PremiumMicrosoftDefenderForThreatIntelligence' for type PremiumMicrosoftDefenderForThreatIntelligence. Set to 'RestApiPoller' for type RestApiPollerDataConnector. Set to 'ThreatIntelligence' for type TIDataConnector. | 'AmazonWebServicesCloudTrail' 'AzureActiveDirectory' 'AzureAdvancedThreatProtection' 'AzureSecurityCenter' 'MicrosoftCloudAppSecurity' 'MicrosoftDefenderAdvancedThreatProtection' 'MicrosoftThreatIntelligence' 'Office365' 'PremiumMicrosoftDefenderForThreatIntelligence' 'RestApiPoller' 'ThreatIntelligence' (required) |
| name | The resource name | string (required) |
| type | The resource type | 'Microsoft.SecurityInsights/dataConnectors' |
AADDataConnector
| Name | Description | Value |
|---|---|---|
| kind | The data connector kind | 'AzureActiveDirectory' (required) |
| properties | Microsoft Entra ID data connector properties. | AADDataConnectorProperties |
AADDataConnectorProperties
| Name | Description | Value |
|---|---|---|
| dataTypes | The available data types for the connector. | AlertsDataTypeOfDataConnector |
| tenantId | The tenant id to connect to, and get the data from. | string (required) |
AatpDataConnector
| Name | Description | Value |
|---|---|---|
| kind | The data connector kind | 'AzureAdvancedThreatProtection' (required) |
| properties | AATP (Azure Advanced Threat Protection) data connector properties. | AatpDataConnectorProperties |
AatpDataConnectorProperties
| Name | Description | Value |
|---|---|---|
| dataTypes | The available data types for the connector. | AlertsDataTypeOfDataConnector |
| tenantId | The tenant id to connect to, and get the data from. | string (required) |
AlertsDataTypeOfDataConnector
| Name | Description | Value |
|---|---|---|
| alerts | Alerts data type connection. | DataConnectorDataTypeCommon (required) |
ApiKeyAuthModel
| Name | Description | Value |
|---|---|---|
| apiKey | API Key for the user secret key credential | string (required) |
| apiKeyIdentifier | API Key Identifier | string |
| apiKeyName | API Key name | string (required) |
| isApiKeyInPostPayload | Flag to indicate if API key is set in HTTP POST payload | bool |
| type | The auth type | 'APIKey' (required) |
ASCDataConnector
| Name | Description | Value |
|---|---|---|
| kind | The data connector kind | 'AzureSecurityCenter' (required) |
| properties | ASC (Azure Security Center) data connector properties. | ASCDataConnectorProperties |
ASCDataConnectorProperties
| Name | Description | Value |
|---|---|---|
| dataTypes | The available data types for the connector. | AlertsDataTypeOfDataConnector |
| subscriptionId | The subscription id to connect to, and get the data from. | string |
AWSAuthModel
| Name | Description | Value |
|---|---|---|
| externalId | AWS STS assume role external ID. This is used to prevent the confused deputy problem: 'https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html' | string |
| roleArn | AWS STS assume role ARN | string (required) |
| type | The auth type | 'AWS' (required) |
AwsCloudTrailDataConnector
| Name | Description | Value |
|---|---|---|
| kind | The data connector kind | 'AmazonWebServicesCloudTrail' (required) |
| properties | Amazon Web Services CloudTrail data connector properties. | AwsCloudTrailDataConnectorProperties |
AwsCloudTrailDataConnectorDataTypes
| Name | Description | Value |
|---|---|---|
| logs | Logs data type. | AwsCloudTrailDataConnectorDataTypesLogs (required) |
AwsCloudTrailDataConnectorDataTypesLogs
| Name | Description | Value |
|---|---|---|
| state | Describe whether this data type connection is enabled or not. | 'Disabled' 'Enabled' (required) |
AwsCloudTrailDataConnectorProperties
| Name | Description | Value |
|---|---|---|
| awsRoleArn | The AWS role ARN (with CloudTrailReadOnly policy) that is used to access the AWS account. | string |
| dataTypes | The available data types for the connector. | AwsCloudTrailDataConnectorDataTypes (required) |
BasicAuthModel
| Name | Description | Value |
|---|---|---|
| password | The password | string (required) |
| type | The auth type | 'Basic' (required) |
| userName | The user name. | string (required) |
CcpAuthConfig
| Name | Description | Value |
|---|---|---|
| type | Set to 'APIKey' for type ApiKeyAuthModel. Set to 'AWS' for type AWSAuthModel. Set to 'Basic' for type BasicAuthModel. Set to 'GCP' for type GCPAuthModel. Set to 'GitHub' for type GitHubAuthModel. Set to 'JwtToken' for type JwtAuthModel. Set to 'None' for type NoneAuthModel. Set to 'OAuth2' for type OAuthModel. Set to 'Oracle' for type OracleAuthModel. Set to 'ServiceBus' for type GenericBlobSbsAuthModel. Set to 'Session' for type SessionAuthModel. | 'APIKey' 'AWS' 'Basic' 'GCP' 'GitHub' 'JwtToken' 'None' 'OAuth2' 'Oracle' 'ServiceBus' 'Session' (required) |
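The auth models in this reference take credentials as ordinary template strings, and the AWSAuthModel table above notes that externalId exists to prevent the confused deputy problem. The following Python check is an added example, not part of the Microsoft reference: it lints RestApiPoller resources in an ARM template for secrets that do not come from a securestring parameter, AWS auth without externalId, auth type None, and http:// endpoints. The rule names, the `_poller` helper and the sample template are constructed for illustration; only a top-level `resources` array is inspected.

```python
import re

RESOURCE_TYPE = "microsoft.securityinsights/dataconnectors"
# Secret-bearing properties per CcpAuthConfig type, as listed in the schema on this page.
SECRET_FIELDS = {
    "APIKey": ["apiKey"],
    "Basic": ["password"],
    "JwtToken": ["password"],
    "OAuth2": ["clientSecret", "authorizationCode"],
    "Oracle": ["pemFile"],
    "Session": ["password"],
}
URL_FIELDS = ["tokenEndpoint", "authorizationEndpoint", "sessionLoginRequestUri"]
PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")


def leaf_strings(value):
    """Yield every string leaf of a scalar or of a nested object such as JwtToken's password."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for child in value.values():
            yield from leaf_strings(child)


def secret_problem(value, parameters):
    """Return (rule, detail) when a secret value is not sourced from a secure parameter."""
    text = value.strip()
    match = PARAM_REF.match(text)
    if match is None:
        if text.startswith("[") and not text.startswith("[["):
            return None  # another ARM expression; this check does not resolve it
        return ("INLINE_SECRET", "literal value committed in the template")
    name = match.group(1)
    declared = parameters.get(name, {})
    ptype = str(declared.get("type", "")).lower()
    if ptype not in ("securestring", "secureobject"):
        return ("INSECURE_PARAM", f"parameter '{name}' has type '{ptype or 'undeclared'}'")
    if declared.get("defaultValue"):
        return ("SECRET_DEFAULT", f"secure parameter '{name}' carries a defaultValue")
    return None


def lint_template(template):
    """Return a list of (resource name, rule, message) for RestApiPoller connectors."""
    parameters = template.get("parameters", {})
    findings = []
    for res in template.get("resources", []):
        if str(res.get("type", "")).lower() != RESOURCE_TYPE or res.get("kind") != "RestApiPoller":
            continue
        name = res.get("name", "<unnamed>")
        props = res.get("properties", {})
        auth = props.get("auth", {})
        auth_type = auth.get("type")
        if auth_type == "None":
            findings.append((name, "AUTH_NONE", "poller sends unauthenticated requests"))
        if auth_type == "AWS" and not auth.get("externalId"):
            findings.append((name, "AWS_NO_EXTERNAL_ID", "role can be assumed without an external ID"))
        for field in SECRET_FIELDS.get(auth_type, []):
            for value in leaf_strings(auth.get(field)):
                problem = secret_problem(value, parameters)
                if problem:
                    findings.append((name, problem[0], f"auth.{field}: {problem[1]}"))
        urls = [("request.apiEndpoint", props.get("request", {}).get("apiEndpoint"))]
        urls += [(f"auth.{f}", auth.get(f)) for f in URL_FIELDS]
        for label, url in urls:
            if isinstance(url, str) and url.lower().startswith("http://"):
                findings.append((name, "CLEARTEXT_ENDPOINT", f"{label} uses http://"))
    return findings


def _poller(name, auth, endpoint):
    """Build a constructed RestApiPoller resource for the sample template."""
    return {
        "type": "Microsoft.SecurityInsights/dataConnectors",
        "apiVersion": "2025-09-01",
        "name": name,
        "kind": "RestApiPoller",
        "properties": {
            "connectorDefinitionName": "ExampleDefinition",
            "auth": auth,
            "request": {"apiEndpoint": endpoint},
        },
    }


# Constructed sample input: every name, URL, ARN and value below is made up.
SAMPLE_TEMPLATE = {
    "parameters": {"vendorApiKey": {"type": "securestring"}, "svcPassword": {"type": "string"}},
    "resources": [
        _poller("poller-apikey-ok", {"type": "APIKey", "apiKeyName": "X-Api-Key",
                "apiKey": "[parameters('vendorApiKey')]"}, "https://api.example.test/events"),
        _poller("poller-basic", {"type": "Basic", "userName": "svc",
                "password": "[parameters('svcPassword')]"}, "http://api.example.test/events"),
        _poller("poller-jwt", {"type": "JwtToken", "tokenEndpoint": "https://id.example.test/token",
                "userName": {"value": "svc"}, "password": {"value": "constructed-not-a-secret"}},
                "https://api.example.test/events"),
        _poller("poller-aws", {"type": "AWS",
                "roleArn": "arn:aws:iam::111122223333:role/ExampleRole"}, "https://sqs.example.test/q"),
    ],
}

if __name__ == "__main__":
    for resource, rule, message in lint_template(SAMPLE_TEMPLATE):
        print(f"{resource}: {rule}: {message}")
```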
CcpResponseConfig
| Name | Description | Value |
|---|---|---|
| compressionAlgo | The compression algorithm. For example: 'gzip', 'multi-gzip', 'deflate'. | string |
| convertChildPropertiesToArray | The value indicating whether the response isn't an array of events / logs. Setting this flag to true means the remote server will respond with an object in which each property has an array of events / logs as its value. | bool |
| csvDelimiter | The csv delimiter, in case the response format is CSV. | string |
| csvEscape | The character used to escape characters in CSV. | string Constraints: Min length = 1 Max length = 1 |
| eventsJsonPaths | The json paths, '$' char is the json root. | string[] (required) |
| format | The response format. Possible values are json, csv, xml. | string |
| hasCsvBoundary | The value indicating whether the response has a CSV boundary, in case the response is in CSV format. | bool |
| hasCsvHeader | The value indicating whether the response has headers, in case the response is in CSV format. | bool |
| isGzipCompressed | The value indicating whether the remote server supports Gzip and a Gzip response should be expected. | bool |
| successStatusJsonPath | The value where the status message/code should appear in the response. | string |
| successStatusValue | The status value. | string |
DataConnectorDataTypeCommon
| Name | Description | Value |
|---|---|---|
| state | Describe whether this data type connection is enabled or not. | 'Disabled' 'Enabled' (required) |
DCRConfiguration
| Name | Description | Value |
|---|---|---|
| dataCollectionEndpoint | Represents the data collection ingestion endpoint in log analytics. | string (required) |
| dataCollectionRuleImmutableId | The data collection rule immutable id, the rule defines the transformation and data destination. | string (required) |
| streamName | The stream we are sending the data to. | string (required) |
GCPAuthModel
| Name | Description | Value |
|---|---|---|
| projectNumber | GCP Project Number | string (required) |
| serviceAccountEmail | GCP Service Account Email | string (required) |
| type | The auth type | 'GCP' (required) |
| workloadIdentityProviderId | GCP Workload Identity Provider ID | string (required) |
GenericBlobSbsAuthModel
| Name | Description | Value |
|---|---|---|
| credentialsConfig | Credentials for service bus namespace, keyvault uri for access key | GenericBlobSbsAuthModelCredentialsConfig |
| storageAccountCredentialsConfig | Credentials for storage account, keyvault uri for access key | GenericBlobSbsAuthModelStorageAccountCredentialsConfig |
| type | The auth type | 'ServiceBus' (required) |
GenericBlobSbsAuthModelCredentialsConfig
| Name | Description | Value |
|---|---|---|
GenericBlobSbsAuthModelStorageAccountCredentialsConfig
| Name | Description | Value |
|---|---|---|
GitHubAuthModel
| Name | Description | Value |
|---|---|---|
| installationId | The GitHubApp auth installation id. | string |
| type | The auth type | 'GitHub' (required) |
JwtAuthModel
| Name | Description | Value |
|---|---|---|
| headers | The custom headers to add when sending a request to the token endpoint. | JwtAuthModelHeaders |
| isCredentialsInHeaders | Flag indicating whether to send the user name and password to the token endpoint in the headers. | bool |
| isJsonRequest | Flag indicating whether the request body is JSON (header Content-Type = application/json); otherwise it is a form URL-encoded request (header Content-Type = application/x-www-form-urlencoded). | bool |
| password | The password | JwtAuthModelPassword (required) |
| queryParameters | The custom query parameters to add when sending a request to the token endpoint. | JwtAuthModelQueryParameters |
| requestTimeoutInSeconds | Request timeout in seconds. | int Constraints: Max value = 180 |
| tokenEndpoint | Token endpoint to request JWT | string (required) |
| type | The auth type | 'JwtToken' (required) |
| userName | The user name. If the user name and password are sent in the request header, only the value property needs to be populated with the user name (same as basic auth). If they are sent in the request body, both the Key and Value must be specified. | JwtAuthModelUserName (required) |
JwtAuthModelHeaders
| Name | Description | Value |
|---|---|---|
JwtAuthModelPassword
| Name | Description | Value |
|---|---|---|
JwtAuthModelQueryParameters
| Name | Description | Value |
|---|---|---|
JwtAuthModelUserName
| Name | Description | Value |
|---|---|---|
McasDataConnector
| Name | Description | Value |
|---|---|---|
| kind | The data connector kind | 'MicrosoftCloudAppSecurity' (required) |
| properties | MCAS (Microsoft Cloud App Security) data connector properties. | McasDataConnectorProperties |
McasDataConnectorDataTypes
| Name | Description | Value |
|---|---|---|
| alerts | Alerts data type connection. | DataConnectorDataTypeCommon (required) |
| discoveryLogs | Discovery log data type connection. | DataConnectorDataTypeCommon |
McasDataConnectorProperties
| Name | Description | Value |
|---|---|---|
| dataTypes | The available data types for the connector. | McasDataConnectorDataTypes (required) |
| tenantId | The tenant id to connect to, and get the data from. | string (required) |
MdatpDataConnector
| Name | Description | Value |
|---|---|---|
| kind | The data connector kind | 'MicrosoftDefenderAdvancedThreatProtection' (required) |
| properties | MDATP (Microsoft Defender Advanced Threat Protection) data connector properties. | MdatpDataConnectorProperties |
MdatpDataConnectorProperties
| Name | Description | Value |
|---|---|---|
| dataTypes | The available data types for the connector. | AlertsDataTypeOfDataConnector |
| tenantId | The tenant id to connect to, and get the data from. | string (required) |
MstiDataConnector
| Name | Description | Value |
|---|---|---|
| kind | The data connector kind | 'MicrosoftThreatIntelligence' (required) |
| properties | Microsoft Threat Intelligence data connector properties. | MstiDataConnectorProperties |
MstiDataConnectorDataTypes
| Name | Description | Value |
|---|---|---|
| microsoftEmergingThreatFeed | Data type for Microsoft Threat Intelligence data connector. | MstiDataConnectorDataTypesMicrosoftEmergingThreatFeed (required) |
MstiDataConnectorDataTypesMicrosoftEmergingThreatFeed
| Name | Description | Value |
|---|---|---|
| lookbackPeriod | The lookback period for the feed to be imported. The date-time to begin importing the feed from, for example: 2024-01-01T00:00:00.000Z. | string (required) |
| state | Describe whether this data type connection is enabled or not. | 'Disabled' 'Enabled' (required) |
MstiDataConnectorProperties
| Name | Description | Value |
|---|---|---|
| dataTypes | The available data types for the connector. | MstiDataConnectorDataTypes (required) |
| tenantId | The tenant id to connect to, and get the data from. | string (required) |
NoneAuthModel
| Name | Description | Value |
|---|---|---|
| type | The auth type | 'None' (required) |
OAuthModel
| Name | Description | Value |
|---|---|---|
| accessTokenPrepend | Access token prepend. Default is 'Bearer'. | string |
| authorizationCode | The user's authorization code. | string |
| authorizationEndpoint | The authorization endpoint. | string |
| authorizationEndpointHeaders | The authorization endpoint headers. | OAuthModelAuthorizationEndpointHeaders |
| authorizationEndpointQueryParameters | The authorization endpoint query parameters. | OAuthModelAuthorizationEndpointQueryParameters |
| clientId | The Application (client) ID that the OAuth provider assigned to your app. | string (required) |
| clientSecret | The Application (client) secret that the OAuth provider assigned to your app. | string (required) |
| grantType | The grant type, usually will be 'authorization code'. | string (required) |
| isCredentialsInHeaders | Indicates whether to send the clientId and clientSecret to the token endpoint in the headers. | bool |
| isJwtBearerFlow | A value indicating whether it's a JWT flow. | bool |
| redirectUri | The Application redirect URL that the user configured in the OAuth provider. | string |
| scope | The Application (client) Scope that the OAuth provider assigned to your app. | string |
| tokenEndpoint | The token endpoint. Defines the OAuth2 refresh token. | string (required) |
| tokenEndpointHeaders | The token endpoint headers. | OAuthModelTokenEndpointHeaders |
| tokenEndpointQueryParameters | The token endpoint query parameters. | OAuthModelTokenEndpointQueryParameters |
| type | The auth type | 'OAuth2' (required) |
OAuthModelAuthorizationEndpointHeaders
| Name | Description | Value |
|---|---|---|
OAuthModelAuthorizationEndpointQueryParameters
| Name | Description | Value |
|---|---|---|
OAuthModelTokenEndpointHeaders
| Name | Description | Value |
|---|---|---|
OAuthModelTokenEndpointQueryParameters
| Name | Description | Value |
|---|---|---|
OfficeDataConnector
| Name | Description | Value |
|---|---|---|
| kind | The data connector kind | 'Office365' (required) |
| properties | Office data connector properties. | OfficeDataConnectorProperties |
OfficeDataConnectorDataTypes
| Name | Description | Value |
|---|---|---|
| exchange | Exchange data type connection. | OfficeDataConnectorDataTypesExchange (required) |
| sharePoint | SharePoint data type connection. | OfficeDataConnectorDataTypesSharePoint (required) |
| teams | Teams data type connection. | OfficeDataConnectorDataTypesTeams (required) |
OfficeDataConnectorDataTypesExchange
| Name | Description | Value |
|---|---|---|
| state | Describe whether this data type connection is enabled or not. | 'Disabled' 'Enabled' (required) |
OfficeDataConnectorDataTypesSharePoint
| Name | Description | Value |
|---|---|---|
| state | Describe whether this data type connection is enabled or not. | 'Disabled' 'Enabled' (required) |
OfficeDataConnectorDataTypesTeams
| Name | Description | Value |
|---|---|---|
| state | Describe whether this data type connection is enabled or not. | 'Disabled' 'Enabled' (required) |
OfficeDataConnectorProperties
| Name | Description | Value |
|---|---|---|
| dataTypes | The available data types for the connector. | OfficeDataConnectorDataTypes (required) |
| tenantId | The tenant id to connect to, and get the data from. | string (required) |
OracleAuthModel
| Name | Description | Value |
|---|---|---|
| pemFile | Content of the PEM file | string (required) |
| publicFingerprint | Public Fingerprint | string (required) |
| tenantId | Oracle tenant ID | string (required) |
| type | The auth type | 'Oracle' (required) |
| userId | Oracle user ID | string (required) |
PremiumMdtiDataConnectorDataTypes
| Name | Description | Value |
|---|---|---|
| connector | Data type for Microsoft Defender for Threat Intelligence Premium data connector. | PremiumMdtiDataConnectorDataTypesConnector (required) |
PremiumMdtiDataConnectorDataTypesConnector
| Name | Description | Value |
|---|---|---|
| state | Describe whether this data type connection is enabled or not. | 'Disabled' 'Enabled' (required) |
PremiumMdtiDataConnectorProperties
| Name | Description | Value |
|---|---|---|
| dataTypes | The available data types for the connector. | PremiumMdtiDataConnectorDataTypes (required) |
| lookbackPeriod | The lookback period for the feed to be imported. The date-time to begin importing the feed from, for example: 2024-01-01T00:00:00.000Z. | string (required) |
| requiredSKUsPresent | The flag to indicate whether the tenant has the premium SKU required to access this connector. | bool |
| tenantId | The tenant id to connect to, and get the data from. | string (required) |
PremiumMicrosoftDefenderForThreatIntelligence
| Name | Description | Value |
|---|---|---|
| kind | The data connector kind | 'PremiumMicrosoftDefenderForThreatIntelligence' (required) |
| properties | Microsoft Defender for Threat Intelligence Premium data connector properties. | PremiumMdtiDataConnectorProperties |
RestApiPollerDataConnector
| Name | Description | Value |
|---|---|---|
| kind | The data connector kind | 'RestApiPoller' (required) |
| properties | Rest Api Poller data connector properties. | RestApiPollerDataConnectorProperties |
RestApiPollerDataConnectorProperties
| Name | Description | Value |
|---|---|---|
| addOnAttributes | The add on attributes. The key name will become attribute name (a column) and the value will become the attribute value in the payload. | RestApiPollerDataConnectorPropertiesAddOnAttributes |
| auth | The authentication model. | CcpAuthConfig (required) |
| connectorDefinitionName | The connector definition name (the dataConnectorDefinition resource id). | string (required) |
| dataType | The Log Analytics table destination. | string |
| dcrConfig | The DCR related properties. | DCRConfiguration |
| isActive | Indicates whether the connector is active or not. | bool |
| paging | The paging configuration. | RestApiPollerRequestPagingConfig |
| request | The request configuration. | RestApiPollerRequestConfig (required) |
| response | The response configuration. | CcpResponseConfig |
RestApiPollerDataConnectorPropertiesAddOnAttributes
| Name | Description | Value |
|---|---|---|
RestApiPollerRequestConfig
| Name | Description | Value |
|---|---|---|
| apiEndpoint | The API endpoint. | string (required) |
| endTimeAttributeName | The query parameter name that the remote server expects for the end of the query. This property goes hand in hand with startTimeAttributeName. | string |
| headers | The header for the request for the remote server. | RestApiPollerRequestConfigHeaders |
| httpMethod | The HTTP method, default value GET. | 'DELETE' 'GET' 'POST' 'PUT' |
| isPostPayloadJson | Flag to indicate if HTTP POST payload is in JSON format (vs form-urlencoded). | bool |
| queryParameters | The HTTP query parameters to RESTful API. | RestApiPollerRequestConfigQueryParameters |
| queryParametersTemplate | The query parameters template. Defines the query parameters template to use when passing query parameters in advanced scenarios. | string |
| queryTimeFormat | The query time format. A remote server can have a query to pull data from range 'start' to 'end'. This property indicates the time format that the remote server expects and knows how to parse. | string |
| queryTimeIntervalAttributeName | The query parameter name sent to the server to query logs in a time interval. Should be defined together with queryTimeIntervalPrepend and queryTimeIntervalDelimiter. | string |
| queryTimeIntervalDelimiter | The delimiter string between the two QueryTimeFormat values in the query parameter queryTimeIntervalAttributeName. | string |
| queryTimeIntervalPrepend | The string prepended to the value of the query parameter in queryTimeIntervalAttributeName. | string |
| queryWindowInMin | The query window in minutes for the request. | int |
| rateLimitQPS | The rate limit, in queries per second, for the request. | int |
| retryCount | The retry count. | int |
| startTimeAttributeName | The query parameter name that the remote server expects for the start of the query. This property goes hand in hand with endTimeAttributeName. | string |
| timeoutInSeconds | The timeout in seconds. | int |
RestApiPollerRequestConfigHeaders
| Name | Description | Value |
|---|---|---|
RestApiPollerRequestConfigQueryParameters
| Name | Description | Value |
|---|---|---|
RestApiPollerRequestPagingConfig
| Name | Description | Value |
|---|---|---|
| pageSize | Page size | int |
| pageSizeParameterName | Page size parameter name | string |
| pagingType | Type of paging | 'CountBasedPaging' 'LinkHeader' 'NextPageToken' 'NextPageUrl' 'Offset' 'PersistentLinkHeader' 'PersistentToken' (required) |
SessionAuthModel
| Name | Description | Value |
|---|---|---|
| headers | HTTP request headers to session service endpoint. | SessionAuthModelHeaders |
| isPostPayloadJson | Indicating whether API key is set in HTTP POST payload. | bool |
| password | The password attribute name. | SessionAuthModelPassword (required) |
| queryParameters | Query parameters to session service endpoint. | SessionAuthModelQueryParameters |
| sessionIdName | Session id attribute name from HTTP response header. | string |
| sessionLoginRequestUri | HTTP request URL to session service endpoint. | string |
| sessionTimeoutInMinutes | Session timeout in minutes. | int |
| type | The auth type | 'Session' (required) |
| userName | The user name attribute key value. | SessionAuthModelUserName (required) |
SessionAuthModelHeaders
| Name | Description | Value |
|---|---|---|
SessionAuthModelPassword
| Name | Description | Value |
|---|---|---|
SessionAuthModelQueryParameters
| Name | Description | Value |
|---|---|---|
SessionAuthModelUserName
| Name | Description | Value |
|---|---|---|
TIDataConnector
| Name | Description | Value |
|---|---|---|
| kind | The data connector kind | 'ThreatIntelligence' (required) |
| properties | TI (Threat Intelligence) data connector properties. | TIDataConnectorProperties |
TIDataConnectorDataTypes
| Name | Description | Value |
|---|---|---|
| indicators | Data type for indicators connection. | TIDataConnectorDataTypesIndicators (required) |
TIDataConnectorDataTypesIndicators
| Name | Description | Value |
|---|---|---|
| state | Describe whether this data type connection is enabled or not. | 'Disabled' 'Enabled' (required) |
TIDataConnectorProperties
| Name | Description | Value |
|---|---|---|
| dataTypes | The available data types for the connector. | TIDataConnectorDataTypes (required) |
| tenantId | The tenant id to connect to, and get the data from. | string (required) |
| tipLookbackPeriod | The lookback period for the feed to be imported. | string |
Usage Examples
Terraform (AzAPI provider) resource definition
The dataConnectors resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.SecurityInsights/dataConnectors resource, add the following Terraform to your template.
resource "azapi_resource" "symbolicname" {
etag = "string"
name = "string"
kind = "string"
// For remaining properties, see Microsoft.SecurityInsights/dataConnectors objects
}
Microsoft.SecurityInsights/dataConnectors objects
Set the kind property to specify the type of object.
For AmazonWebServicesCloudTrail, use:
{
kind = "AmazonWebServicesCloudTrail"
properties = {
awsRoleArn = "string"
dataTypes = {
logs = {
state = "string"
}
}
}
}
For AzureActiveDirectory, use:
{
kind = "AzureActiveDirectory"
properties = {
dataTypes = {
alerts = {
state = "string"
}
}
tenantId = "string"
}
}
For AzureAdvancedThreatProtection, use:
{
kind = "AzureAdvancedThreatProtection"
properties = {
dataTypes = {
alerts = {
state = "string"
}
}
tenantId = "string"
}
}
For AzureSecurityCenter, use:
{
kind = "AzureSecurityCenter"
properties = {
dataTypes = {
alerts = {
state = "string"
}
}
subscriptionId = "string"
}
}
For MicrosoftCloudAppSecurity, use:
{
kind = "MicrosoftCloudAppSecurity"
properties = {
dataTypes = {
alerts = {
state = "string"
}
discoveryLogs = {
state = "string"
}
}
tenantId = "string"
}
}
For MicrosoftDefenderAdvancedThreatProtection, use:
{
kind = "MicrosoftDefenderAdvancedThreatProtection"
properties = {
dataTypes = {
alerts = {
state = "string"
}
}
tenantId = "string"
}
}
For MicrosoftThreatIntelligence, use:
{
kind = "MicrosoftThreatIntelligence"
properties = {
dataTypes = {
microsoftEmergingThreatFeed = {
lookbackPeriod = "string"
state = "string"
}
}
tenantId = "string"
}
}
For Office365, use:
{
kind = "Office365"
properties = {
dataTypes = {
exchange = {
state = "string"
}
sharePoint = {
state = "string"
}
teams = {
state = "string"
}
}
tenantId = "string"
}
}
For PremiumMicrosoftDefenderForThreatIntelligence, use:
{
kind = "PremiumMicrosoftDefenderForThreatIntelligence"
properties = {
dataTypes = {
connector = {
state = "string"
}
}
lookbackPeriod = "string"
requiredSKUsPresent = bool
tenantId = "string"
}
}
For RestApiPoller, use:
{
kind = "RestApiPoller"
properties = {
addOnAttributes = {
{customized property} = "string"
}
auth = {
type = "string"
// For remaining properties, see CcpAuthConfig objects
}
connectorDefinitionName = "string"
dataType = "string"
dcrConfig = {
dataCollectionEndpoint = "string"
dataCollectionRuleImmutableId = "string"
streamName = "string"
}
isActive = bool
paging = {
pageSize = int
pageSizeParameterName = "string"
pagingType = "string"
}
request = {
apiEndpoint = "string"
endTimeAttributeName = "string"
headers = {
{customized property} = "string"
}
httpMethod = "string"
isPostPayloadJson = bool
queryParameters = {
{customized property} = ?
}
queryParametersTemplate = "string"
queryTimeFormat = "string"
queryTimeIntervalAttributeName = "string"
queryTimeIntervalDelimiter = "string"
queryTimeIntervalPrepend = "string"
queryWindowInMin = int
rateLimitQPS = int
retryCount = int
startTimeAttributeName = "string"
timeoutInSeconds = int
}
response = {
compressionAlgo = "string"
convertChildPropertiesToArray = bool
csvDelimiter = "string"
csvEscape = "string"
eventsJsonPaths = [
"string"
]
format = "string"
hasCsvBoundary = bool
hasCsvHeader = bool
isGzipCompressed = bool
successStatusJsonPath = "string"
successStatusValue = "string"
}
}
}
For ThreatIntelligence, use:
{
kind = "ThreatIntelligence"
properties = {
dataTypes = {
indicators = {
state = "string"
}
}
tenantId = "string"
tipLookbackPeriod = "string"
}
}
CcpAuthConfig objects
Set the type property to specify the type of object.
For APIKey, use:
{
apiKey = "string"
apiKeyIdentifier = "string"
apiKeyName = "string"
isApiKeyInPostPayload = bool
type = "APIKey"
}
For AWS, use:
{
externalId = "string"
roleArn = "string"
type = "AWS"
}
For Basic, use:
{
password = "string"
type = "Basic"
userName = "string"
}
For GCP, use:
{
projectNumber = "string"
serviceAccountEmail = "string"
type = "GCP"
workloadIdentityProviderId = "string"
}
For GitHub, use:
{
installationId = "string"
type = "GitHub"
}
For JwtToken, use:
{
headers = {
{customized property} = "string"
}
isCredentialsInHeaders = bool
isJsonRequest = bool
password = {
{customized property} = "string"
}
queryParameters = {
{customized property} = "string"
}
requestTimeoutInSeconds = int
tokenEndpoint = "string"
type = "JwtToken"
userName = {
{customized property} = "string"
}
}
For None, use:
{
type = "None"
}
For OAuth2, use:
{
accessTokenPrepend = "string"
authorizationCode = "string"
authorizationEndpoint = "string"
authorizationEndpointHeaders = {
{customized property} = "string"
}
authorizationEndpointQueryParameters = {
{customized property} = "string"
}
clientId = "string"
clientSecret = "string"
grantType = "string"
isCredentialsInHeaders = bool
isJwtBearerFlow = bool
redirectUri = "string"
scope = "string"
tokenEndpoint = "string"
tokenEndpointHeaders = {
{customized property} = "string"
}
tokenEndpointQueryParameters = {
{customized property} = "string"
}
type = "OAuth2"
}
For Oracle, use:
{
pemFile = "string"
publicFingerprint = "string"
tenantId = "string"
type = "Oracle"
userId = "string"
}
For ServiceBus, use:
{
credentialsConfig = {
{customized property} = "string"
}
storageAccountCredentialsConfig = {
{customized property} = "string"
}
type = "ServiceBus"
}
For Session, use:
{
headers = {
{customized property} = "string"
}
isPostPayloadJson = bool
password = {
{customized property} = "string"
}
queryParameters = {
{customized property} = ?
}
sessionIdName = "string"
sessionLoginRequestUri = "string"
sessionTimeoutInMinutes = int
type = "Session"
userName = {
{customized property} = "string"
}
}
Property Values
Microsoft.SecurityInsights/dataConnectors
| Name | Description | Value |
|---|---|---|
| etag | Etag of the azure resource | string |
| kind | Set to 'AmazonWebServicesCloudTrail' for type AwsCloudTrailDataConnector. Set to 'AzureActiveDirectory' for type AADDataConnector. Set to 'AzureAdvancedThreatProtection' for type AatpDataConnector. Set to 'AzureSecurityCenter' for type ASCDataConnector. Set to 'MicrosoftCloudAppSecurity' for type McasDataConnector. Set to 'MicrosoftDefenderAdvancedThreatProtection' for type MdatpDataConnector. Set to 'MicrosoftThreatIntelligence' for type MstiDataConnector. Set to 'Office365' for type OfficeDataConnector. Set to 'PremiumMicrosoftDefenderForThreatIntelligence' for type PremiumMicrosoftDefenderForThreatIntelligence. Set to 'RestApiPoller' for type RestApiPollerDataConnector. Set to 'ThreatIntelligence' for type TIDataConnector. | 'AmazonWebServicesCloudTrail' 'AzureActiveDirectory' 'AzureAdvancedThreatProtection' 'AzureSecurityCenter' 'MicrosoftCloudAppSecurity' 'MicrosoftDefenderAdvancedThreatProtection' 'MicrosoftThreatIntelligence' 'Office365' 'PremiumMicrosoftDefenderForThreatIntelligence' 'RestApiPoller' 'ThreatIntelligence' (required) |
| name | The resource name | string (required) |
| parent_id | The ID of the resource to apply this extension resource to. | string (required) |
| type | The resource type | "Microsoft.SecurityInsights/dataConnectors@2025-09-01" |
AADDataConnector
| Name | Description | Value |
|---|---|---|
| kind | The data connector kind | 'AzureActiveDirectory' (required) |
| properties | Microsoft Entra ID data connector properties. | AADDataConnectorProperties |
AADDataConnectorProperties
| Name | Description | Value |
|---|---|---|
| dataTypes | The available data types for the connector. | AlertsDataTypeOfDataConnector |
| tenantId | The tenant id to connect to, and get the data from. | string (required) |
AatpDataConnector
| Name | Description | Value |
|---|---|---|
| kind | The data connector kind | 'AzureAdvancedThreatProtection' (required) |
| properties | AATP (Azure Advanced Threat Protection) data connector properties. | AatpDataConnectorProperties |
AatpDataConnectorProperties
| Name | Description | Value |
|---|---|---|
| dataTypes | The available data types for the connector. | AlertsDataTypeOfDataConnector |
| tenantId | The tenant id to connect to, and get the data from. | string (required) |
AlertsDataTypeOfDataConnector
| Name | Description | Value |
|---|---|---|
| alerts | Alerts data type connection. | DataConnectorDataTypeCommon (required) |
ApiKeyAuthModel
| Name | Description | Value |
|---|---|---|
| apiKey | API Key for the user secret key credential | string (required) |
| apiKeyIdentifier | API Key Identifier | string |
| apiKeyName | API Key name | string (required) |
| isApiKeyInPostPayload | Flag to indicate if API key is set in HTTP POST payload | bool |
| type | The auth type | 'APIKey' (required) |
ASCDataConnector
| Name | Description | Value |
|---|---|---|
| kind | The data connector kind | 'AzureSecurityCenter' (required) |
| properties | ASC (Azure Security Center) data connector properties. | ASCDataConnectorProperties |
ASCDataConnectorProperties
| Name | Description | Value |
|---|---|---|
| dataTypes | The available data types for the connector. | AlertsDataTypeOfDataConnector |
| subscriptionId | The subscription id to connect to, and get the data from. | string |
AWSAuthModel
| Name | Description | Value |
|---|---|---|
| externalId | AWS STS assume role external ID. This is used to prevent the confused deputy problem: 'https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html' | string |
| roleArn | AWS STS assume role ARN | string (required) |
| type | The auth type | 'AWS' (required) |
AwsCloudTrailDataConnector
| Name | Description | Value |
|---|---|---|
| kind | The data connector kind | 'AmazonWebServicesCloudTrail' (required) |
| properties | Amazon Web Services CloudTrail data connector properties. | AwsCloudTrailDataConnectorProperties |
AwsCloudTrailDataConnectorDataTypes
| Name | Description | Value |
|---|---|---|
| logs | Logs data type. | AwsCloudTrailDataConnectorDataTypesLogs (required) |
AwsCloudTrailDataConnectorDataTypesLogs
| Name | Description | Value |
|---|---|---|
| state | Describe whether this data type connection is enabled or not. | 'Disabled' 'Enabled' (required) |
AwsCloudTrailDataConnectorProperties
| Name | Description | Value |
|---|---|---|
| awsRoleArn | The Aws Role Arn (with CloudTrailReadOnly policy) that is used to access the Aws account. | string |
| dataTypes | The available data types for the connector. | AwsCloudTrailDataConnectorDataTypes (required) |
BasicAuthModel
| Name | Description | Value |
|---|---|---|
| password | The password | string (required) |
| type | The auth type | 'Basic' (required) |
| userName | The user name. | string (required) |
CcpAuthConfig
| Name | Description | Value |
|---|---|---|
| type | Set to 'APIKey' for type ApiKeyAuthModel. Set to 'AWS' for type AWSAuthModel. Set to 'Basic' for type BasicAuthModel. Set to 'GCP' for type GCPAuthModel. Set to 'GitHub' for type GitHubAuthModel. Set to 'JwtToken' for type JwtAuthModel. Set to 'None' for type NoneAuthModel. Set to 'OAuth2' for type OAuthModel. Set to 'Oracle' for type OracleAuthModel. Set to 'ServiceBus' for type GenericBlobSbsAuthModel. Set to 'Session' for type SessionAuthModel. | 'APIKey' 'AWS' 'Basic' 'GCP' 'GitHub' 'JwtToken' 'None' 'OAuth2' 'Oracle' 'ServiceBus' 'Session' (required) |
CcpResponseConfig
| Name | Description | Value |
|---|---|---|
| compressionAlgo | The compression algorithm. For Example: 'gzip', 'multi-gzip', 'deflate'. | string |
| convertChildPropertiesToArray | Indicates whether the response isn't an array of events / logs. Setting this flag to true means the remote server responds with an object in which each property has an array of events / logs as its value. | bool |
| csvDelimiter | The csv delimiter, in case the response format is CSV. | string |
| csvEscape | The character used to escape characters in CSV. | string Constraints: Min length = 1 Max length = 1 |
| eventsJsonPaths | The json paths, '$' char is the json root. | string[] (required) |
| format | The response format. Possible values are json, csv, xml. | string |
| hasCsvBoundary | The value indicating whether the response has a CSV boundary, in case the response is in CSV format. | bool |
| hasCsvHeader | The value indicating whether the response has headers, in case the response is in CSV format. | bool |
| isGzipCompressed | The value indicating whether the remote server supports Gzip and a Gzip response should be expected. | bool |
| successStatusJsonPath | The value where the status message/code should appear in the response. | string |
| successStatusValue | The status value. | string |
DataConnectorDataTypeCommon
| Name | Description | Value |
|---|---|---|
| state | Describe whether this data type connection is enabled or not. | 'Disabled' 'Enabled' (required) |
DCRConfiguration
| Name | Description | Value |
|---|---|---|
| dataCollectionEndpoint | Represents the data collection ingestion endpoint in log analytics. | string (required) |
| dataCollectionRuleImmutableId | The data collection rule immutable id, the rule defines the transformation and data destination. | string (required) |
| streamName | The stream we are sending the data to. | string (required) |
GCPAuthModel
| Name | Description | Value |
|---|---|---|
| projectNumber | GCP Project Number | string (required) |
| serviceAccountEmail | GCP Service Account Email | string (required) |
| type | The auth type | 'GCP' (required) |
| workloadIdentityProviderId | GCP Workload Identity Provider ID | string (required) |
GenericBlobSbsAuthModel
| Name | Description | Value |
|---|---|---|
| credentialsConfig | Credentials for service bus namespace, keyvault uri for access key | GenericBlobSbsAuthModelCredentialsConfig |
| storageAccountCredentialsConfig | Credentials for storage account, keyvault uri for access key | GenericBlobSbsAuthModelStorageAccountCredentialsConfig |
| type | The auth type | 'ServiceBus' (required) |
GenericBlobSbsAuthModelCredentialsConfig
| Name | Description | Value |
|---|---|---|
GenericBlobSbsAuthModelStorageAccountCredentialsConfig
| Name | Description | Value |
|---|---|---|
GitHubAuthModel
| Name | Description | Value |
|---|---|---|
| installationId | The GitHubApp auth installation id. | string |
| type | The auth type | 'GitHub' (required) |
JwtAuthModel
| Name | Description | Value |
|---|---|---|
| headers | The custom headers to add when sending the request to the token endpoint. | JwtAuthModelHeaders |
| isCredentialsInHeaders | Flag indicating whether to send the user name and password to the token endpoint in the headers. | bool |
| isJsonRequest | Flag indicating whether the request body is JSON (header Content-Type = application/json), as opposed to a form URL encoded request (header Content-Type = application/x-www-form-urlencoded). | bool |
| password | The password | JwtAuthModelPassword (required) |
| queryParameters | The custom query parameters to add when sending the request to the token endpoint. | JwtAuthModelQueryParameters |
| requestTimeoutInSeconds | Request timeout in seconds. | int Constraints: Max value = 180 |
| tokenEndpoint | Token endpoint to request JWT | string (required) |
| type | The auth type | 'JwtToken' (required) |
| userName | The user name. If the user name and password are sent in the request header, only the value property needs to be populated with the user name (same as basic auth). If they are sent in the request body, both the Key and the Value must be specified. | JwtAuthModelUserName (required) |
JwtAuthModelHeaders
| Name | Description | Value |
|---|---|---|
JwtAuthModelPassword
| Name | Description | Value |
|---|---|---|
JwtAuthModelQueryParameters
| Name | Description | Value |
|---|---|---|
JwtAuthModelUserName
| Name | Description | Value |
|---|---|---|
McasDataConnector
| Name | Description | Value |
|---|---|---|
| kind | The data connector kind | 'MicrosoftCloudAppSecurity' (required) |
| properties | MCAS (Microsoft Cloud App Security) data connector properties. | McasDataConnectorProperties |
McasDataConnectorDataTypes
| Name | Description | Value |
|---|---|---|
| alerts | Alerts data type connection. | DataConnectorDataTypeCommon (required) |
| discoveryLogs | Discovery log data type connection. | DataConnectorDataTypeCommon |
McasDataConnectorProperties
| Name | Description | Value |
|---|---|---|
| dataTypes | The available data types for the connector. | McasDataConnectorDataTypes (required) |
| tenantId | The tenant id to connect to, and get the data from. | string (required) |
MdatpDataConnector
| Name | Description | Value |
|---|---|---|
| kind | The data connector kind | 'MicrosoftDefenderAdvancedThreatProtection' (required) |
| properties | MDATP (Microsoft Defender Advanced Threat Protection) data connector properties. | MdatpDataConnectorProperties |
MdatpDataConnectorProperties
| Name | Description | Value |
|---|---|---|
| dataTypes | The available data types for the connector. | AlertsDataTypeOfDataConnector |
| tenantId | The tenant id to connect to, and get the data from. | string (required) |
MstiDataConnector
| Name | Description | Value |
|---|---|---|
| kind | The data connector kind | 'MicrosoftThreatIntelligence' (required) |
| properties | Microsoft Threat Intelligence data connector properties. | MstiDataConnectorProperties |
MstiDataConnectorDataTypes
| Name | Description | Value |
|---|---|---|
| microsoftEmergingThreatFeed | Data type for Microsoft Threat Intelligence data connector. | MstiDataConnectorDataTypesMicrosoftEmergingThreatFeed (required) |
MstiDataConnectorDataTypesMicrosoftEmergingThreatFeed
| Name | Description | Value |
|---|---|---|
| lookbackPeriod | The lookback period for the feed to be imported. The date-time to begin importing the feed from, for example: 2024-01-01T00:00:00.000Z. | string (required) |
| state | Describe whether this data type connection is enabled or not. | 'Disabled' 'Enabled' (required) |
MstiDataConnectorProperties
| Name | Description | Value |
|---|---|---|
| dataTypes | The available data types for the connector. | MstiDataConnectorDataTypes (required) |
| tenantId | The tenant id to connect to, and get the data from. | string (required) |
NoneAuthModel
| Name | Description | Value |
|---|---|---|
| type | The auth type | 'None' (required) |
OAuthModel
| Name | Description | Value |
|---|---|---|
| accessTokenPrepend | Access token prepend. Default is 'Bearer'. | string |
| authorizationCode | The user's authorization code. | string |
| authorizationEndpoint | The authorization endpoint. | string |
| authorizationEndpointHeaders | The authorization endpoint headers. | OAuthModelAuthorizationEndpointHeaders |
| authorizationEndpointQueryParameters | The authorization endpoint query parameters. | OAuthModelAuthorizationEndpointQueryParameters |
| clientId | The Application (client) ID that the OAuth provider assigned to your app. | string (required) |
| clientSecret | The Application (client) secret that the OAuth provider assigned to your app. | string (required) |
| grantType | The grant type, usually will be 'authorization code'. | string (required) |
| isCredentialsInHeaders | Indicates whether to send the clientId and clientSecret to the token endpoint in the headers. | bool |
| isJwtBearerFlow | A value indicating whether it's a JWT flow. | bool |
| redirectUri | The application redirect URL that the user configured in the OAuth provider. | string |
| scope | The Application (client) Scope that the OAuth provider assigned to your app. | string |
| tokenEndpoint | The token endpoint. Defines the OAuth2 refresh token. | string (required) |
| tokenEndpointHeaders | The token endpoint headers. | OAuthModelTokenEndpointHeaders |
| tokenEndpointQueryParameters | The token endpoint query parameters. | OAuthModelTokenEndpointQueryParameters |
| type | The auth type | 'OAuth2' (required) |
OAuthModelAuthorizationEndpointHeaders
| Name | Description | Value |
|---|---|---|
OAuthModelAuthorizationEndpointQueryParameters
| Name | Description | Value |
|---|---|---|
OAuthModelTokenEndpointHeaders
| Name | Description | Value |
|---|---|---|
OAuthModelTokenEndpointQueryParameters
| Name | Description | Value |
|---|---|---|
OfficeDataConnector
| Name | Description | Value |
|---|---|---|
| kind | The data connector kind | 'Office365' (required) |
| properties | Office data connector properties. | OfficeDataConnectorProperties |
OfficeDataConnectorDataTypes
| Name | Description | Value |
|---|---|---|
| exchange | Exchange data type connection. | OfficeDataConnectorDataTypesExchange (required) |
| sharePoint | SharePoint data type connection. | OfficeDataConnectorDataTypesSharePoint (required) |
| teams | Teams data type connection. | OfficeDataConnectorDataTypesTeams (required) |
OfficeDataConnectorDataTypesExchange
| Name | Description | Value |
|---|---|---|
| state | Describe whether this data type connection is enabled or not. | 'Disabled' 'Enabled' (required) |
OfficeDataConnectorDataTypesSharePoint
| Name | Description | Value |
|---|---|---|
| state | Describe whether this data type connection is enabled or not. | 'Disabled' 'Enabled' (required) |
OfficeDataConnectorDataTypesTeams
| Name | Description | Value |
|---|---|---|
| state | Describe whether this data type connection is enabled or not. | 'Disabled' 'Enabled' (required) |
OfficeDataConnectorProperties
| Name | Description | Value |
|---|---|---|
| dataTypes | The available data types for the connector. | OfficeDataConnectorDataTypes (required) |
| tenantId | The tenant id to connect to, and get the data from. | string (required) |
OracleAuthModel
| Name | Description | Value |
|---|---|---|
| pemFile | Content of the PEM file | string (required) |
| publicFingerprint | Public Fingerprint | string (required) |
| tenantId | Oracle tenant ID | string (required) |
| type | The auth type | 'Oracle' (required) |
| userId | Oracle user ID | string (required) |
PremiumMdtiDataConnectorDataTypes
| Name | Description | Value |
|---|---|---|
| connector | Data type for Microsoft Defender for Threat Intelligence Premium data connector. | PremiumMdtiDataConnectorDataTypesConnector (required) |
PremiumMdtiDataConnectorDataTypesConnector
| Name | Description | Value |
|---|---|---|
| state | Describe whether this data type connection is enabled or not. | 'Disabled' 'Enabled' (required) |
PremiumMdtiDataConnectorProperties
| Name | Description | Value |
|---|---|---|
| dataTypes | The available data types for the connector. | PremiumMdtiDataConnectorDataTypes (required) |
| lookbackPeriod | The lookback period for the feed to be imported. The date-time to begin importing the feed from, for example: 2024-01-01T00:00:00.000Z. | string (required) |
| requiredSKUsPresent | The flag to indicate whether the tenant has the premium SKU required to access this connector. | bool |
| tenantId | The tenant id to connect to, and get the data from. | string (required) |
PremiumMicrosoftDefenderForThreatIntelligence
| Name | Description | Value |
|---|---|---|
| kind | The data connector kind | 'PremiumMicrosoftDefenderForThreatIntelligence' (required) |
| properties | Microsoft Defender for Threat Intelligence Premium data connector properties. | PremiumMdtiDataConnectorProperties |
RestApiPollerDataConnector
| Name | Description | Value |
|---|---|---|
| kind | The data connector kind | 'RestApiPoller' (required) |
| properties | Rest Api Poller data connector properties. | RestApiPollerDataConnectorProperties |
RestApiPollerDataConnectorProperties
| Name | Description | Value |
|---|---|---|
| addOnAttributes | The add on attributes. The key name will become attribute name (a column) and the value will become the attribute value in the payload. | RestApiPollerDataConnectorPropertiesAddOnAttributes |
| auth | The authentication model. | CcpAuthConfig (required) |
| connectorDefinitionName | The connector definition name (the dataConnectorDefinition resource id). | string (required) |
| dataType | The Log Analytics table destination. | string |
| dcrConfig | The DCR related properties. | DCRConfiguration |
| isActive | Indicates whether the connector is active or not. | bool |
| paging | The paging configuration. | RestApiPollerRequestPagingConfig |
| request | The request configuration. | RestApiPollerRequestConfig (required) |
| response | The response configuration. | CcpResponseConfig |
RestApiPollerDataConnectorPropertiesAddOnAttributes
| Name | Description | Value |
|---|---|---|
RestApiPollerRequestConfig
| Name | Description | Value |
|---|---|---|
| apiEndpoint | The API endpoint. | string (required) |
| endTimeAttributeName | The query parameter name that the remote server expects for the end of the query. This property goes hand in hand with startTimeAttributeName. | string |
| headers | The header for the request for the remote server. | RestApiPollerRequestConfigHeaders |
| httpMethod | The HTTP method, default value GET. | 'DELETE' 'GET' 'POST' 'PUT' |
| isPostPayloadJson | Flag to indicate if HTTP POST payload is in JSON format (vs form-urlencoded). | bool |
| queryParameters | The HTTP query parameters to RESTful API. | RestApiPollerRequestConfigQueryParameters |
| queryParametersTemplate | The query parameters template. Defines the query parameters template to use when passing query parameters in advanced scenarios. | string |
| queryTimeFormat | The query time format. A remote server can have a query to pull data from range 'start' to 'end'. This property indicates the time format that the remote server expects and can parse. | string |
| queryTimeIntervalAttributeName | The query parameter name to send to the server when querying logs by time interval. Should be defined with queryTimeIntervalPrepend and queryTimeIntervalDelimiter. | string |
| queryTimeIntervalDelimiter | The delimiter string between the two QueryTimeFormat values in the query parameter queryTimeIntervalAttributeName. | string |
| queryTimeIntervalPrepend | The string prepended to the value of the query parameter in queryTimeIntervalAttributeName. | string |
| queryWindowInMin | The query window in minutes for the request. | int |
| rateLimitQPS | The rate limit in queries per second for the request. | int |
| retryCount | The retry count. | int |
| startTimeAttributeName | The query parameter name that the remote server expects for the start of the query. This property goes hand in hand with endTimeAttributeName. | string |
| timeoutInSeconds | The timeout in seconds. | int |
RestApiPollerRequestConfigHeaders
| Name | Description | Value |
|---|---|---|
RestApiPollerRequestConfigQueryParameters
| Name | Description | Value |
|---|---|---|
RestApiPollerRequestPagingConfig
| Name | Description | Value |
|---|---|---|
| pageSize | Page size | int |
| pageSizeParameterName | Page size parameter name | string |
| pagingType | Type of paging | 'CountBasedPaging' 'LinkHeader' 'NextPageToken' 'NextPageUrl' 'Offset' 'PersistentLinkHeader' 'PersistentToken' (required) |
SessionAuthModel
| Name | Description | Value |
|---|---|---|
| headers | HTTP request headers to session service endpoint. | SessionAuthModelHeaders |
| isPostPayloadJson | Indicating whether API key is set in HTTP POST payload. | bool |
| password | The password attribute name. | SessionAuthModelPassword (required) |
| queryParameters | Query parameters to session service endpoint. | SessionAuthModelQueryParameters |
| sessionIdName | Session id attribute name from HTTP response header. | string |
| sessionLoginRequestUri | HTTP request URL to session service endpoint. | string |
| sessionTimeoutInMinutes | Session timeout in minutes. | int |
| type | The auth type | 'Session' (required) |
| userName | The user name attribute key value. | SessionAuthModelUserName (required) |
SessionAuthModelHeaders
| Name | Description | Value |
|---|---|---|
SessionAuthModelPassword
| Name | Description | Value |
|---|---|---|
SessionAuthModelQueryParameters
| Name | Description | Value |
|---|---|---|
SessionAuthModelUserName
| Name | Description | Value |
|---|---|---|
TIDataConnector
| Name | Description | Value |
|---|---|---|
| kind | The data connector kind | 'ThreatIntelligence' (required) |
| properties | TI (Threat Intelligence) data connector properties. | TIDataConnectorProperties |
TIDataConnectorDataTypes
| Name | Description | Value |
|---|---|---|
| indicators | Data type for indicators connection. | TIDataConnectorDataTypesIndicators (required) |
TIDataConnectorDataTypesIndicators
| Name | Description | Value |
|---|---|---|
| state | Describe whether this data type connection is enabled or not. | 'Disabled' 'Enabled' (required) |
TIDataConnectorProperties
| Name | Description | Value |
|---|---|---|
| dataTypes | The available data types for the connector. | TIDataConnectorDataTypes (required) |
| tenantId | The tenant id to connect to, and get the data from. | string (required) |
| tipLookbackPeriod | The lookback period for the feed to be imported. | string |
Usage Examples
Terraform Samples
A basic example of deploying Data Connector.
terraform {
  required_providers {
    azapi = {
      source = "Azure/azapi"
    }
    azurerm = {
      source = "hashicorp/azurerm"
    }
  }
}

provider "azurerm" {
  features {
  }
}

provider "azapi" {
  skip_provider_registration = false
}

variable "resource_name" {
  type    = string
  default = "acctest0001"
}

variable "location" {
  type    = string
  default = "westeurope"
}

data "azurerm_client_config" "current" {
}

resource "azapi_resource" "resourceGroup" {
  type     = "Microsoft.Resources/resourceGroups@2020-06-01"
  name     = var.resource_name
  location = var.location
}

resource "azapi_resource" "workspace" {
  type      = "Microsoft.OperationalInsights/workspaces@2022-10-01"
  parent_id = azapi_resource.resourceGroup.id
  name      = var.resource_name
  location  = var.location
  body = {
    properties = {
      features = {
        disableLocalAuth                            = false
        enableLogAccessUsingOnlyResourcePermissions = true
      }
      publicNetworkAccessForIngestion = "Enabled"
      publicNetworkAccessForQuery     = "Enabled"
      retentionInDays                 = 30
      sku = {
        name = "PerGB2018"
      }
      workspaceCapping = {
        dailyQuotaGb = -1
      }
    }
  }
  schema_validation_enabled = false
  response_export_values    = ["*"]
}

resource "azapi_resource" "onboardingState" {
  type      = "Microsoft.SecurityInsights/onboardingStates@2023-06-01-preview"
  parent_id = azapi_resource.workspace.id
  name      = "default"
  body = {
    properties = {
      customerManagedKey = false
    }
  }
}

resource "azapi_resource" "dataConnector" {
  type      = "Microsoft.SecurityInsights/dataConnectors@2022-10-01-preview"
  parent_id = azapi_resource.workspace.id
  name      = var.resource_name
  body = {
    kind = "MicrosoftThreatIntelligence"
    properties = {
      dataTypes = {
        bingSafetyPhishingURL = {
          lookbackPeriod = ""
          state          = "Disabled"
        }
        microsoftEmergingThreatFeed = {
          lookbackPeriod = "1970-01-01T00:00:00Z"
          state          = "enabled"
        }
      }
      tenantId = data.azurerm_client_config.current.tenant_id
    }
  }
  schema_validation_enabled = false
  response_export_values    = ["*"]
  depends_on                = [azapi_resource.onboardingState]
}
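The Terraform sample above sets `schema_validation_enabled = false`, so the azapi provider does not check the connector body against the schema before sending it. The following is an added example, not part of this reference or of the azapi provider: a Python pre-deployment check that applies the required properties, enum values and constraints from the property tables to a RestApiPoller `body`, plus a few posture rules. The rule ids, `SECRET_HINTS`, the posture rules and both sample bodies are assumptions of this example.

```python
from urllib.parse import urlparse

# Enum values copied from the property tables of this reference.
HTTP_METHODS = {"DELETE", "GET", "POST", "PUT"}
PAGING_TYPES = {"CountBasedPaging", "LinkHeader", "NextPageToken", "NextPageUrl",
                "Offset", "PersistentLinkHeader", "PersistentToken"}
AUTH_TYPES = {"APIKey", "AWS", "Basic", "GCP", "GitHub", "JwtToken", "None",
              "OAuth2", "Oracle", "ServiceBus", "Session"}
# Auth properties that hold URLs to which the connector sends credentials.
AUTH_URL_FIELDS = ("tokenEndpoint", "authorizationEndpoint", "sessionLoginRequestUri")
# Assumption of this example: name fragments that suggest a secret-bearing field.
SECRET_HINTS = ("key", "token", "secret", "password", "authorization")


def _cleartext(url):
    """True for an http:// URL; other schemes and non-strings are not flagged."""
    return isinstance(url, str) and urlparse(url.strip()).scheme.lower() == "http"


def audit_rest_api_poller(body):
    """Return {rule_id: message} for one dataConnectors `body` dict."""
    if body.get("kind") != "RestApiPoller":
        raise ValueError("body.kind is not 'RestApiPoller'")
    props = body.get("properties") or {}
    auth, request = props.get("auth") or {}, props.get("request") or {}
    response, paging = props.get("response"), props.get("paging")
    esc = (response or {}).get("csvEscape")
    found = {}

    # Schema rules: required properties, enums and constraints from the tables.
    if not props.get("connectorDefinitionName") or not request.get("apiEndpoint"):
        found["REQUIRED"] = "connectorDefinitionName and request.apiEndpoint are required"
    if auth.get("type") not in AUTH_TYPES:
        found["AUTH-TYPE"] = f"auth.type {auth.get('type')!r} is not a documented value"
    if (request.get("httpMethod") or "GET") not in HTTP_METHODS:
        found["HTTP-METHOD"] = "request.httpMethod is not DELETE, GET, POST or PUT"
    if paging is not None and paging.get("pagingType") not in PAGING_TYPES:
        found["PAGING-TYPE"] = "paging.pagingType is required and must be a documented value"
    if response is not None and not response.get("eventsJsonPaths"):
        found["EVENTS-PATH"] = "response.eventsJsonPaths is required"
    if esc is not None and len(esc) != 1:
        found["CSV-ESCAPE"] = "response.csvEscape must be exactly one character"
    if auth.get("type") == "JwtToken" and (auth.get("requestTimeoutInSeconds") or 0) > 180:
        found["JWT-TIMEOUT"] = "auth.requestTimeoutInSeconds has a maximum of 180"

    # Posture rules: this example's own policy, not constraints of the API.
    if auth.get("type") == "None":
        found["AUTH-NONE"] = "connector polls the source without authenticating"
    if auth.get("type") == "AWS" and not auth.get("externalId"):
        found["AWS-EXTERNAL-ID"] = "no externalId on the assumed role (confused deputy)"
    urls = [request.get("apiEndpoint")] + [auth.get(f) for f in AUTH_URL_FIELDS]
    if any(_cleartext(u) for u in urls):
        found["CLEARTEXT"] = "an endpoint uses http://, so credentials and events are unencrypted"
    static = list(request.get("headers") or {}) + list(request.get("queryParameters") or {})
    if any(hint in name.lower() for name in static for hint in SECRET_HINTS):
        found["STATIC-SECRET"] = "credential-like header or query parameter set outside auth"
    return found


# Constructed sample bodies: hosts, names and values are placeholders.
WEAK = {
    "kind": "RestApiPoller",
    "properties": {
        "connectorDefinitionName": "ExampleDefinition",
        "auth": {"type": "None"},
        "request": {
            "apiEndpoint": "http://logs.example.com/v1/events",
            "httpMethod": "FETCH",
            "queryParameters": {"api_key": "constructed-value"},
        },
        "paging": {"pageSize": 100},
        "response": {"format": "csv", "csvEscape": "\\\\"},
    },
}
HARDENED = {
    "kind": "RestApiPoller",
    "properties": {
        "connectorDefinitionName": "ExampleDefinition",
        "auth": {"type": "AWS", "roleArn": "arn:aws:iam::111122223333:role/Example",
                 "externalId": "constructed-external-id"},
        "request": {"apiEndpoint": "https://logs.example.com/v1/events"},
        "paging": {"pagingType": "LinkHeader", "pageSize": 100},
        "response": {"eventsJsonPaths": ["$"], "format": "json"},
    },
}

if __name__ == "__main__":
    for label, sample in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(label, sorted(audit_rest_api_poller(sample)))
```

The input is the same map that the `body` argument of `azapi_resource` carries, so the check can run on the rendered value before `terraform apply`.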
