Microsoft.SecurityInsights dataConnectors 2021-09-01-preview

• Latest
• 2024-10-01-preview
• 2024-09-01
• 2024-04-01-preview
• 2024-03-01
• 2024-01-01-preview
• 2023-12-01-preview
• 2023-11-01
• 2023-10-01-preview
• 2023-09-01-preview
• 2023-08-01-preview
• 2023-07-01-preview
• 2023-06-01-preview
• 2023-05-01-preview
• 2023-04-01-preview
• 2023-03-01-preview
• 2023-02-01
• 2023-02-01-preview
• 2022-12-01-preview
• 2022-11-01
• 2022-11-01-preview
• 2022-10-01-preview
• 2022-09-01-preview
• 2022-08-01
• 2022-08-01-preview
• 2022-07-01-preview
• 2022-06-01-preview
• 2022-05-01-preview
• 2022-04-01-preview
• 2022-01-01-preview
• 2021-10-01
• 2021-10-01-preview
• 2021-09-01-preview
• 2021-03-01-preview
• 2020-01-01
• 2019-01-01-preview

Bicep resource definition

The dataConnectors resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.SecurityInsights/dataConnectors resource, add the following Bicep to your template.

resource symbolicname 'Microsoft.SecurityInsights/dataConnectors@2021-09-01-preview' = {
  etag: 'string'
  name: 'string'
  kind: 'string'
  // For remaining properties, see Microsoft.SecurityInsights/dataConnectors objects
}

Microsoft.SecurityInsights/dataConnectors objects

Set the kind property to specify the type of object.

For APIPolling, use:

{
  kind: 'APIPolling'
  properties: {
    connectorUiConfig: {
      availability: {
        isPreview: bool
        status: '1'
      }
      connectivityCriteria: [
        {
          type: 'string'
          value: [
            'string'
          ]
        }
      ]
      customImage: 'string'
      dataTypes: [
        {
          lastDataReceivedQuery: 'string'
          name: 'string'
        }
      ]
      descriptionMarkdown: 'string'
      graphQueries: [
        {
          baseQuery: 'string'
          legend: 'string'
          metricName: 'string'
        }
      ]
      graphQueriesTableName: 'string'
      instructionSteps: [
        {
          description: 'string'
          instructions: [
            {
              parameters: any(Azure.Bicep.Types.Concrete.AnyType)
              type: 'string'
            }
          ]
          title: 'string'
        }
      ]
      permissions: {
        customs: [
          {
            description: 'string'
            name: 'string'
          }
        ]
        resourceProvider: [
          {
            permissionsDisplayText: 'string'
            provider: 'string'
            providerDisplayName: 'string'
            requiredPermissions: {
              action: bool
              delete: bool
              read: bool
              write: bool
            }
            scope: 'string'
          }
        ]
      }
      publisher: 'string'
      sampleQueries: [
        {
          description: 'string'
          query: 'string'
        }
      ]
      title: 'string'
    }
    pollingConfig: {
      auth: {
        apiKeyIdentifier: 'string'
        apiKeyName: 'string'
        authorizationEndpoint: 'string'
        authorizationEndpointQueryParameters: any(Azure.Bicep.Types.Concrete.AnyType)
        authType: 'string'
        flowName: 'string'
        isApiKeyInPostPayload: 'string'
        isClientSecretInHeader: bool
        redirectionEndpoint: 'string'
        scope: 'string'
        tokenEndpoint: 'string'
        tokenEndpointHeaders: any(Azure.Bicep.Types.Concrete.AnyType)
        tokenEndpointQueryParameters: any(Azure.Bicep.Types.Concrete.AnyType)
      }
      isActive: bool
      paging: {
        nextPageParaName: 'string'
        nextPageTokenJsonPath: 'string'
        pageCountAttributePath: 'string'
        pageSize: int
        pageSizeParaName: 'string'
        pageTimeStampAttributePath: 'string'
        pageTotalCountAttributePath: 'string'
        pagingType: 'string'
        searchTheLatestTimeStampFromEventsList: 'string'
      }
      request: {
        apiEndpoint: 'string'
        endTimeAttributeName: 'string'
        headers: any(Azure.Bicep.Types.Concrete.AnyType)
        httpMethod: 'string'
        queryParameters: any(Azure.Bicep.Types.Concrete.AnyType)
        queryParametersTemplate: 'string'
        queryTimeFormat: 'string'
        queryWindowInMin: int
        rateLimitQps: int
        retryCount: int
        startTimeAttributeName: 'string'
        timeoutInSeconds: int
      }
      response: {
        eventsJsonPaths: [
          'string'
        ]
        isGzipCompressed: bool
        successStatusJsonPath: 'string'
        successStatusValue: 'string'
      }
    }
  }
}

For AmazonWebServicesCloudTrail, use:

{
  kind: 'AmazonWebServicesCloudTrail'
  properties: {
    awsRoleArn: 'string'
    dataTypes: {
      logs: {
        state: 'string'
      }
    }
  }
}

For AmazonWebServicesS3, use:

{
  kind: 'AmazonWebServicesS3'
  properties: {
    dataTypes: {
      logs: {
        state: 'string'
      }
    }
    destinationTable: 'string'
    roleArn: 'string'
    sqsUrls: [
      'string'
    ]
  }
}

For AzureActiveDirectory, use:

{
  kind: 'AzureActiveDirectory'
  properties: {
    dataTypes: {
      alerts: {
        state: 'string'
      }
    }
    tenantId: 'string'
  }
}

For AzureAdvancedThreatProtection, use:

{
  kind: 'AzureAdvancedThreatProtection'
  properties: {
    dataTypes: {
      alerts: {
        state: 'string'
      }
    }
    tenantId: 'string'
  }
}

For AzureSecurityCenter, use:

{
  kind: 'AzureSecurityCenter'
  properties: {
    dataTypes: {
      alerts: {
        state: 'string'
      }
    }
    subscriptionId: 'string'
  }
}

For Dynamics365, use:

{
  kind: 'Dynamics365'
  properties: {
    dataTypes: {
      dynamics365CdsActivities: {
        state: 'string'
      }
    }
    tenantId: 'string'
  }
}

For GenericUI, use:

{
  kind: 'GenericUI'
  properties: {
    connectorUiConfig: {
      availability: {
        isPreview: bool
        status: '1'
      }
      connectivityCriteria: [
        {
          type: 'string'
          value: [
            'string'
          ]
        }
      ]
      customImage: 'string'
      dataTypes: [
        {
          lastDataReceivedQuery: 'string'
          name: 'string'
        }
      ]
      descriptionMarkdown: 'string'
      graphQueries: [
        {
          baseQuery: 'string'
          legend: 'string'
          metricName: 'string'
        }
      ]
      graphQueriesTableName: 'string'
      instructionSteps: [
        {
          description: 'string'
          instructions: [
            {
              parameters: any(Azure.Bicep.Types.Concrete.AnyType)
              type: 'string'
            }
          ]
          title: 'string'
        }
      ]
      permissions: {
        customs: [
          {
            description: 'string'
            name: 'string'
          }
        ]
        resourceProvider: [
          {
            permissionsDisplayText: 'string'
            provider: 'string'
            providerDisplayName: 'string'
            requiredPermissions: {
              action: bool
              delete: bool
              read: bool
              write: bool
            }
            scope: 'string'
          }
        ]
      }
      publisher: 'string'
      sampleQueries: [
        {
          description: 'string'
          query: 'string'
        }
      ]
      title: 'string'
    }
  }
}

For MicrosoftCloudAppSecurity, use:

{
  kind: 'MicrosoftCloudAppSecurity'
  properties: {
    dataTypes: {
      alerts: {
        state: 'string'
      }
      discoveryLogs: {
        state: 'string'
      }
    }
    tenantId: 'string'
  }
}

For MicrosoftDefenderAdvancedThreatProtection, use:

{
  kind: 'MicrosoftDefenderAdvancedThreatProtection'
  properties: {
    dataTypes: {
      alerts: {
        state: 'string'
      }
    }
    tenantId: 'string'
  }
}

For MicrosoftThreatIntelligence, use:

{
  kind: 'MicrosoftThreatIntelligence'
  properties: {
    dataTypes: {
      bingSafetyPhishingURL: {
        lookbackPeriod: 'string'
        state: 'string'
      }
      microsoftEmergingThreatFeed: {
        lookbackPeriod: 'string'
        state: 'string'
      }
    }
    tenantId: 'string'
  }
}

For MicrosoftThreatProtection, use:

{
  kind: 'MicrosoftThreatProtection'
  properties: {
    dataTypes: {
      incidents: {
        state: 'string'
      }
    }
    tenantId: 'string'
  }
}

For Office365, use:

{
  kind: 'Office365'
  properties: {
    dataTypes: {
      exchange: {
        state: 'string'
      }
      sharePoint: {
        state: 'string'
      }
      teams: {
        state: 'string'
      }
    }
    tenantId: 'string'
  }
}

For OfficeATP, use:

{
  kind: 'OfficeATP'
  properties: {
    dataTypes: {
      alerts: {
        state: 'string'
      }
    }
    tenantId: 'string'
  }
}

For OfficeIRM, use:

{
  kind: 'OfficeIRM'
  properties: {
    dataTypes: {
      alerts: {
        state: 'string'
      }
    }
    tenantId: 'string'
  }
}

For ThreatIntelligence, use:

{
  kind: 'ThreatIntelligence'
  properties: {
    dataTypes: {
      indicators: {
        state: 'string'
      }
    }
    tenantId: 'string'
    tipLookbackPeriod: 'string'
  }
}

For ThreatIntelligenceTaxii, use:

{
  kind: 'ThreatIntelligenceTaxii'
  properties: {
    collectionId: 'string'
    dataTypes: {
      taxiiClient: {
        state: 'string'
      }
    }
    friendlyName: 'string'
    password: 'string'
    pollingFrequency: 'string'
    taxiiLookbackPeriod: 'string'
    taxiiServer: 'string'
    tenantId: 'string'
    userName: 'string'
    workspaceId: 'string'
  }
}

Property values

AADDataConnector

Name	Description	Value
kind	The data connector kind	'AzureActiveDirectory' (required)
properties	AAD (Azure Active Directory) data connector properties.	AADDataConnectorProperties

AADDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	AlertsDataTypeOfDataConnector
tenantId	The tenant id to connect to, and get the data from.	string (required)

AatpDataConnector

Name	Description	Value
kind	The data connector kind	'AzureAdvancedThreatProtection' (required)
properties	AATP (Azure Advanced Threat Protection) data connector properties.	AatpDataConnectorProperties

AatpDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	AlertsDataTypeOfDataConnector
tenantId	The tenant id to connect to, and get the data from.	string (required)

AlertsDataTypeOfDataConnector

Name	Description	Value
alerts	Alerts data type connection.	DataConnectorDataTypeCommon (required)

ApiPollingParameters

Name	Description	Value
connectorUiConfig	Config to describe the instructions blade	CodelessUiConnectorConfigProperties
pollingConfig	Config to describe the polling instructions	CodelessConnectorPollingConfigProperties

ASCDataConnector

Name	Description	Value
kind	The data connector kind	'AzureSecurityCenter' (required)
properties	ASC (Azure Security Center) data connector properties.	ASCDataConnectorProperties

ASCDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	AlertsDataTypeOfDataConnector
subscriptionId	The subscription id to connect to, and get the data from.	string

Availability

Name	Description	Value
isPreview	Set connector as preview	bool
status	The connector Availability Status	'1'

AwsCloudTrailDataConnector

Name	Description	Value
kind	The data connector kind	'AmazonWebServicesCloudTrail' (required)
properties	Amazon Web Services CloudTrail data connector properties.	AwsCloudTrailDataConnectorProperties

AwsCloudTrailDataConnectorDataTypes

Name	Description	Value
logs	Logs data type.	AwsCloudTrailDataConnectorDataTypesLogs (required)

AwsCloudTrailDataConnectorDataTypesLogs

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

AwsCloudTrailDataConnectorProperties

Name	Description	Value
awsRoleArn	The Aws Role Arn (with CloudTrailReadOnly policy) that is used to access the Aws account.	string
dataTypes	The available data types for the connector.	AwsCloudTrailDataConnectorDataTypes (required)

AwsS3DataConnector

Name	Description	Value
kind	The data connector kind	'AmazonWebServicesS3' (required)
properties	Amazon Web Services S3 data connector properties.	AwsS3DataConnectorProperties

AwsS3DataConnectorDataTypes

Name	Description	Value
logs	Logs data type.	AwsS3DataConnectorDataTypesLogs (required)

AwsS3DataConnectorDataTypesLogs

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

AwsS3DataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	AwsS3DataConnectorDataTypes (required)
destinationTable	The logs destination table name in LogAnalytics.	string (required)
roleArn	The Aws Role Arn that is used to access the Aws account.	string (required)
sqsUrls	The AWS sqs urls for the connector.	string[] (required)

CodelessApiPollingDataConnector

Name	Description	Value
kind	The data connector kind	'APIPolling' (required)
properties	Codeless poling data connector properties	ApiPollingParameters

CodelessConnectorPollingAuthProperties

Name	Description	Value
apiKeyIdentifier	A prefix send in the header before the actual token	string
apiKeyName	The header name which the token is sent with	string
authorizationEndpoint	The endpoint used to authorize the user, used in Oauth 2.0 flow	string
authorizationEndpointQueryParameters	The query parameters used in authorization request, used in Oauth 2.0 flow	any
authType	The authentication type	string (required)
flowName	Describes the flow name, for example 'AuthCode' for Oauth 2.0	string
isApiKeyInPostPayload	Marks if the key should sent in header	string
isClientSecretInHeader	Marks if we should send the client secret in header or payload, used in Oauth 2.0 flow	bool
redirectionEndpoint	The redirect endpoint where we will get the authorization code, used in Oauth 2.0 flow	string
scope	The OAuth token scope	string
tokenEndpoint	The endpoint used to issue a token, used in Oauth 2.0 flow	string
tokenEndpointHeaders	The query headers used in token request, used in Oauth 2.0 flow	any
tokenEndpointQueryParameters	The query parameters used in token request, used in Oauth 2.0 flow	any

CodelessConnectorPollingConfigProperties

Name	Description	Value
auth	Describe the authentication type of the poller	CodelessConnectorPollingAuthProperties (required)
isActive	The poller active status	bool
paging	Describe the poll request paging config of the poller	CodelessConnectorPollingPagingProperties
request	Describe the poll request config parameters of the poller	CodelessConnectorPollingRequestProperties (required)
response	Describe the response config parameters of the poller	CodelessConnectorPollingResponseProperties

CodelessConnectorPollingPagingProperties

Name	Description	Value
nextPageParaName	Defines the name of a next page attribute	string
nextPageTokenJsonPath	Defines the path to a next page token JSON	string
pageCountAttributePath	Defines the path to a page count attribute	string
pageSize	Defines the paging size	int
pageSizeParaName	Defines the name of the page size parameter	string
pageTimeStampAttributePath	Defines the path to a paging time stamp attribute	string
pageTotalCountAttributePath	Defines the path to a page total count attribute	string
pagingType	Describes the type. could be 'None', 'PageToken', 'PageCount', 'TimeStamp'	string (required)
searchTheLatestTimeStampFromEventsList	Determines whether to search for the latest time stamp in the events list	string

CodelessConnectorPollingRequestProperties

Name	Description	Value
apiEndpoint	Describe the endpoint we should pull the data from	string (required)
endTimeAttributeName	This will be used the query events from the end of the time window	string
headers	Describe the headers sent in the poll request	any
httpMethod	The http method type we will use in the poll request, GET or POST	string (required)
queryParameters	Describe the query parameters sent in the poll request	any
queryParametersTemplate	For advanced scenarios for example user name/password embedded in nested JSON payload	string
queryTimeFormat	The time format will be used the query events in a specific window	string (required)
queryWindowInMin	The window interval we will use the pull the data	int (required)
rateLimitQps	Defines the rate limit QPS	int
retryCount	Describe the amount of time we should try and poll the data in case of failure	int
startTimeAttributeName	This will be used the query events from a start of the time window	string
timeoutInSeconds	The number of seconds we will consider as a request timeout	int

CodelessConnectorPollingResponseProperties

Name	Description	Value
eventsJsonPaths	Describes the path we should extract the data in the response	string[] (required)
isGzipCompressed	Describes if the data in the response is Gzip	bool
successStatusJsonPath	Describes the path we should extract the status code in the response	string
successStatusValue	Describes the path we should extract the status value in the response	string

CodelessParameters

Name	Description	Value
connectorUiConfig	Config to describe the instructions blade	CodelessUiConnectorConfigProperties

CodelessUiConnectorConfigProperties

Name	Description	Value
availability	Connector Availability Status	Availability (required)
connectivityCriteria	Define the way the connector check connectivity	CodelessUiConnectorConfigPropertiesConnectivityCriteriaItem[] (required)
customImage	An optional custom image to be used when displaying the connector within Azure Sentinel's connector's gallery	string
dataTypes	Data types to check for last data received	CodelessUiConnectorConfigPropertiesDataTypesItem[] (required)
descriptionMarkdown	Connector description	string (required)
graphQueries	The graph query to show the current data status	CodelessUiConnectorConfigPropertiesGraphQueriesItem[] (required)
graphQueriesTableName	Name of the table the connector will insert the data to	string (required)
instructionSteps	Instruction steps to enable the connector	CodelessUiConnectorConfigPropertiesInstructionStepsItem[] (required)
permissions	Permissions required for the connector	Permissions (required)
publisher	Connector publisher name	string (required)
sampleQueries	The sample queries for the connector	CodelessUiConnectorConfigPropertiesSampleQueriesItem[] (required)
title	Connector blade title	string (required)

CodelessUiConnectorConfigPropertiesConnectivityCriteriaItem

Name	Description	Value
type	type of connectivity	'IsConnectedQuery'
value	Queries for checking connectivity	string[]

CodelessUiConnectorConfigPropertiesDataTypesItem

Name	Description	Value
lastDataReceivedQuery	Query for indicate last data received	string
name	Name of the data type to show in the graph. can be use with {{graphQueriesTableName}} placeholder	string

CodelessUiConnectorConfigPropertiesGraphQueriesItem

Name	Description	Value
baseQuery	The base query for the graph	string
legend	The legend for the graph	string
metricName	the metric that the query is checking	string

CodelessUiConnectorConfigPropertiesInstructionStepsItem

Name	Description	Value
description	Instruction step description	string
instructions	Instruction step details	InstructionStepsInstructionsItem[]
title	Instruction step title	string

CodelessUiConnectorConfigPropertiesSampleQueriesItem

Name	Description	Value
description	The sample query description	string
query	the sample query	string

CodelessUiDataConnector

Name	Description	Value
kind	The data connector kind	'GenericUI' (required)
properties	Codeless UI data connector properties	CodelessParameters

DataConnectorDataTypeCommon

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

Dynamics365DataConnector

Name	Description	Value
kind	The data connector kind	'Dynamics365' (required)
properties	Dynamics365 data connector properties.	Dynamics365DataConnectorProperties

Dynamics365DataConnectorDataTypes

Name	Description	Value
dynamics365CdsActivities	Common Data Service data type connection.	Dynamics365DataConnectorDataTypesDynamics365CdsActivities (required)

Dynamics365DataConnectorDataTypesDynamics365CdsActivities

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

Dynamics365DataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	Dynamics365DataConnectorDataTypes (required)
tenantId	The tenant id to connect to, and get the data from.	string (required)

InstructionStepsInstructionsItem

Name	Description	Value
parameters	The parameters for the setting	any
type	The kind of the setting	'CopyableLabel' 'InfoMessage' 'InstructionStepsGroup' (required)

McasDataConnector

Name	Description	Value
kind	The data connector kind	'MicrosoftCloudAppSecurity' (required)
properties	MCAS (Microsoft Cloud App Security) data connector properties.	McasDataConnectorProperties

McasDataConnectorDataTypes

Name	Description	Value
alerts	Alerts data type connection.	DataConnectorDataTypeCommon (required)
discoveryLogs	Discovery log data type connection.	DataConnectorDataTypeCommon

McasDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	McasDataConnectorDataTypes (required)
tenantId	The tenant id to connect to, and get the data from.	string (required)

MdatpDataConnector

Name	Description	Value
kind	The data connector kind	'MicrosoftDefenderAdvancedThreatProtection' (required)
properties	MDATP (Microsoft Defender Advanced Threat Protection) data connector properties.	MdatpDataConnectorProperties

MdatpDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	AlertsDataTypeOfDataConnector
tenantId	The tenant id to connect to, and get the data from.	string (required)

Microsoft.SecurityInsights/dataConnectors

Name	Description	Value
etag	Etag of the azure resource	string
kind	Set to 'APIPolling' for type CodelessApiPollingDataConnector. Set to 'AmazonWebServicesCloudTrail' for type AwsCloudTrailDataConnector. Set to 'AmazonWebServicesS3' for type AwsS3DataConnector. Set to 'AzureActiveDirectory' for type AADDataConnector. Set to 'AzureAdvancedThreatProtection' for type AatpDataConnector. Set to 'AzureSecurityCenter' for type ASCDataConnector. Set to 'Dynamics365' for type Dynamics365DataConnector. Set to 'GenericUI' for type CodelessUiDataConnector. Set to 'MicrosoftCloudAppSecurity' for type McasDataConnector. Set to 'MicrosoftDefenderAdvancedThreatProtection' for type MdatpDataConnector. Set to 'MicrosoftThreatIntelligence' for type MstiDataConnector. Set to 'MicrosoftThreatProtection' for type MTPDataConnector. Set to 'Office365' for type OfficeDataConnector. Set to 'OfficeATP' for type OfficeATPDataConnector. Set to 'OfficeIRM' for type OfficeIRMDataConnector. Set to 'ThreatIntelligence' for type TIDataConnector. Set to 'ThreatIntelligenceTaxii' for type TiTaxiiDataConnector.	'AmazonWebServicesCloudTrail' 'AmazonWebServicesS3' 'APIPolling' 'AzureActiveDirectory' 'AzureAdvancedThreatProtection' 'AzureSecurityCenter' 'Dynamics365' 'GenericUI' 'MicrosoftCloudAppSecurity' 'MicrosoftDefenderAdvancedThreatProtection' 'MicrosoftThreatIntelligence' 'MicrosoftThreatProtection' 'Office365' 'OfficeATP' 'OfficeIRM' 'ThreatIntelligence' 'ThreatIntelligenceTaxii' (required)
name	The resource name	string (required)
scope	Use when creating a resource at a scope that is different than the deployment scope.	Set this property to the symbolic name of a resource to apply the extension resource.

MstiDataConnector

Name	Description	Value
kind	The data connector kind	'MicrosoftThreatIntelligence' (required)
properties	Microsoft Threat Intelligence data connector properties.	MstiDataConnectorProperties

MstiDataConnectorDataTypes

Name	Description	Value
bingSafetyPhishingURL	Data type for Microsoft Threat Intelligence Platforms data connector.	MstiDataConnectorDataTypesBingSafetyPhishingURL (required)
microsoftEmergingThreatFeed	Data type for Microsoft Threat Intelligence Platforms data connector.	MstiDataConnectorDataTypesMicrosoftEmergingThreatFeed (required)

MstiDataConnectorDataTypesBingSafetyPhishingURL

Name	Description	Value
lookbackPeriod	lookback period	string (required)
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

MstiDataConnectorDataTypesMicrosoftEmergingThreatFeed

Name	Description	Value
lookbackPeriod	lookback period	string (required)
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

MstiDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	MstiDataConnectorDataTypes (required)
tenantId	The tenant id to connect to, and get the data from.	string (required)

MTPDataConnector

Name	Description	Value
kind	The data connector kind	'MicrosoftThreatProtection' (required)
properties	MTP (Microsoft Threat Protection) data connector properties.	MTPDataConnectorProperties

MTPDataConnectorDataTypes

Name	Description	Value
incidents	Data type for Microsoft Threat Protection Platforms data connector.	MTPDataConnectorDataTypesIncidents (required)

MTPDataConnectorDataTypesIncidents

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

MTPDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	MTPDataConnectorDataTypes (required)
tenantId	The tenant id to connect to, and get the data from.	string (required)

OfficeATPDataConnector

Name	Description	Value
kind	The data connector kind	'OfficeATP' (required)
properties	OfficeATP (Office 365 Advanced Threat Protection) data connector properties.	OfficeATPDataConnectorProperties

OfficeATPDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	AlertsDataTypeOfDataConnector
tenantId	The tenant id to connect to, and get the data from.	string (required)

OfficeDataConnector

Name	Description	Value
kind	The data connector kind	'Office365' (required)
properties	Office data connector properties.	OfficeDataConnectorProperties

OfficeDataConnectorDataTypes

Name	Description	Value
exchange	Exchange data type connection.	OfficeDataConnectorDataTypesExchange (required)
sharePoint	SharePoint data type connection.	OfficeDataConnectorDataTypesSharePoint (required)
teams	Teams data type connection.	OfficeDataConnectorDataTypesTeams (required)

OfficeDataConnectorDataTypesExchange

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

OfficeDataConnectorDataTypesSharePoint

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

OfficeDataConnectorDataTypesTeams

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

OfficeDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	OfficeDataConnectorDataTypes (required)
tenantId	The tenant id to connect to, and get the data from.	string (required)

OfficeIRMDataConnector

Name	Description	Value
kind	The data connector kind	'OfficeIRM' (required)
properties	OfficeIRM (Microsoft Insider Risk Management) data connector properties.	OfficeIRMDataConnectorProperties

OfficeIRMDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	AlertsDataTypeOfDataConnector
tenantId	The tenant id to connect to, and get the data from.	string (required)

Permissions

Name	Description	Value
customs	Customs permissions required for the connector	PermissionsCustomsItem[]
resourceProvider	Resource provider permissions required for the connector	PermissionsResourceProviderItem[]

PermissionsCustomsItem

Name	Description	Value
description	Customs permissions description	string
name	Customs permissions name	string

PermissionsResourceProviderItem

Name	Description	Value
permissionsDisplayText	Permission description text	string
provider	Provider name	'microsoft.aadiam/diagnosticSettings' 'Microsoft.Authorization/policyAssignments' 'Microsoft.OperationalInsights/solutions' 'Microsoft.OperationalInsights/workspaces' 'Microsoft.OperationalInsights/workspaces/datasources' 'Microsoft.OperationalInsights/workspaces/sharedKeys'
providerDisplayName	Permission provider display name	string
requiredPermissions	Required permissions for the connector	RequiredPermissions
scope	Permission provider scope	'ResourceGroup' 'Subscription' 'Workspace'

RequiredPermissions

Name	Description	Value
action	action permission	bool
delete	delete permission	bool
read	read permission	bool
write	write permission	bool

TIDataConnector

Name	Description	Value
kind	The data connector kind	'ThreatIntelligence' (required)
properties	TI (Threat Intelligence) data connector properties.	TIDataConnectorProperties

TIDataConnectorDataTypes

Name	Description	Value
indicators	Data type for indicators connection.	TIDataConnectorDataTypesIndicators (required)

TIDataConnectorDataTypesIndicators

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

TIDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	TIDataConnectorDataTypes (required)
tenantId	The tenant id to connect to, and get the data from.	string (required)
tipLookbackPeriod	The lookback period for the feed to be imported.	string

TiTaxiiDataConnector

Name	Description	Value
kind	The data connector kind	'ThreatIntelligenceTaxii' (required)
properties	Threat intelligence TAXII data connector properties.	TiTaxiiDataConnectorProperties

TiTaxiiDataConnectorDataTypes

Name	Description	Value
taxiiClient	Data type for TAXII connector.	TiTaxiiDataConnectorDataTypesTaxiiClient (required)

TiTaxiiDataConnectorDataTypesTaxiiClient

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

TiTaxiiDataConnectorProperties

Name	Description	Value
collectionId	The collection id of the TAXII server.	string
dataTypes	The available data types for Threat Intelligence TAXII data connector.	TiTaxiiDataConnectorDataTypes (required)
friendlyName	The friendly name for the TAXII server.	string
password	The password for the TAXII server.	string
pollingFrequency	The polling frequency for the TAXII server.	'OnceADay' 'OnceAMinute' 'OnceAnHour' (required)
taxiiLookbackPeriod	The lookback period for the TAXII server.	string
taxiiServer	The API root for the TAXII server.	string
tenantId	The tenant id to connect to, and get the data from.	string (required)
userName	The userName for the TAXII server.	string
workspaceId	The workspace id.	string

ARM template resource definition

The dataConnectors resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.SecurityInsights/dataConnectors resource, add the following JSON to your template.

{
  "etag": "string",
  "name": "string",
  "kind": "string"
  // For remaining properties, see Microsoft.SecurityInsights/dataConnectors objects
}

Microsoft.SecurityInsights/dataConnectors objects

Set the kind property to specify the type of object.

For APIPolling, use:

{
  "kind": "APIPolling",
  "properties": {
    "connectorUiConfig": {
      "availability": {
        "isPreview": "bool",
        "status": "1"
      },
      "connectivityCriteria": [
        {
          "type": "string",
          "value": [ "string" ]
        }
      ],
      "customImage": "string",
      "dataTypes": [
        {
          "lastDataReceivedQuery": "string",
          "name": "string"
        }
      ],
      "descriptionMarkdown": "string",
      "graphQueries": [
        {
          "baseQuery": "string",
          "legend": "string",
          "metricName": "string"
        }
      ],
      "graphQueriesTableName": "string",
      "instructionSteps": [
        {
          "description": "string",
          "instructions": [
            {
              "parameters": {},
              "type": "string"
            }
          ],
          "title": "string"
        }
      ],
      "permissions": {
        "customs": [
          {
            "description": "string",
            "name": "string"
          }
        ],
        "resourceProvider": [
          {
            "permissionsDisplayText": "string",
            "provider": "string",
            "providerDisplayName": "string",
            "requiredPermissions": {
              "action": "bool",
              "delete": "bool",
              "read": "bool",
              "write": "bool"
            },
            "scope": "string"
          }
        ]
      },
      "publisher": "string",
      "sampleQueries": [
        {
          "description": "string",
          "query": "string"
        }
      ],
      "title": "string"
    },
    "pollingConfig": {
      "auth": {
        "apiKeyIdentifier": "string",
        "apiKeyName": "string",
        "authorizationEndpoint": "string",
        "authorizationEndpointQueryParameters": {},
        "authType": "string",
        "flowName": "string",
        "isApiKeyInPostPayload": "string",
        "isClientSecretInHeader": "bool",
        "redirectionEndpoint": "string",
        "scope": "string",
        "tokenEndpoint": "string",
        "tokenEndpointHeaders": {},
        "tokenEndpointQueryParameters": {}
      },
      "isActive": "bool",
      "paging": {
        "nextPageParaName": "string",
        "nextPageTokenJsonPath": "string",
        "pageCountAttributePath": "string",
        "pageSize": "int",
        "pageSizeParaName": "string",
        "pageTimeStampAttributePath": "string",
        "pageTotalCountAttributePath": "string",
        "pagingType": "string",
        "searchTheLatestTimeStampFromEventsList": "string"
      },
      "request": {
        "apiEndpoint": "string",
        "endTimeAttributeName": "string",
        "headers": {},
        "httpMethod": "string",
        "queryParameters": {},
        "queryParametersTemplate": "string",
        "queryTimeFormat": "string",
        "queryWindowInMin": "int",
        "rateLimitQps": "int",
        "retryCount": "int",
        "startTimeAttributeName": "string",
        "timeoutInSeconds": "int"
      },
      "response": {
        "eventsJsonPaths": [ "string" ],
        "isGzipCompressed": "bool",
        "successStatusJsonPath": "string",
        "successStatusValue": "string"
      }
    }
  }
}

For AmazonWebServicesCloudTrail, use:

{
  "kind": "AmazonWebServicesCloudTrail",
  "properties": {
    "awsRoleArn": "string",
    "dataTypes": {
      "logs": {
        "state": "string"
      }
    }
  }
}

For AmazonWebServicesS3, use:

{
  "kind": "AmazonWebServicesS3",
  "properties": {
    "dataTypes": {
      "logs": {
        "state": "string"
      }
    },
    "destinationTable": "string",
    "roleArn": "string",
    "sqsUrls": [ "string" ]
  }
}

For AzureActiveDirectory, use:

{
  "kind": "AzureActiveDirectory",
  "properties": {
    "dataTypes": {
      "alerts": {
        "state": "string"
      }
    },
    "tenantId": "string"
  }
}

For AzureAdvancedThreatProtection, use:

{
  "kind": "AzureAdvancedThreatProtection",
  "properties": {
    "dataTypes": {
      "alerts": {
        "state": "string"
      }
    },
    "tenantId": "string"
  }
}

For AzureSecurityCenter, use:

{
  "kind": "AzureSecurityCenter",
  "properties": {
    "dataTypes": {
      "alerts": {
        "state": "string"
      }
    },
    "subscriptionId": "string"
  }
}

For Dynamics365, use:

{
  "kind": "Dynamics365",
  "properties": {
    "dataTypes": {
      "dynamics365CdsActivities": {
        "state": "string"
      }
    },
    "tenantId": "string"
  }
}

For GenericUI, use:

{
  "kind": "GenericUI",
  "properties": {
    "connectorUiConfig": {
      "availability": {
        "isPreview": "bool",
        "status": "1"
      },
      "connectivityCriteria": [
        {
          "type": "string",
          "value": [ "string" ]
        }
      ],
      "customImage": "string",
      "dataTypes": [
        {
          "lastDataReceivedQuery": "string",
          "name": "string"
        }
      ],
      "descriptionMarkdown": "string",
      "graphQueries": [
        {
          "baseQuery": "string",
          "legend": "string",
          "metricName": "string"
        }
      ],
      "graphQueriesTableName": "string",
      "instructionSteps": [
        {
          "description": "string",
          "instructions": [
            {
              "parameters": {},
              "type": "string"
            }
          ],
          "title": "string"
        }
      ],
      "permissions": {
        "customs": [
          {
            "description": "string",
            "name": "string"
          }
        ],
        "resourceProvider": [
          {
            "permissionsDisplayText": "string",
            "provider": "string",
            "providerDisplayName": "string",
            "requiredPermissions": {
              "action": "bool",
              "delete": "bool",
              "read": "bool",
              "write": "bool"
            },
            "scope": "string"
          }
        ]
      },
      "publisher": "string",
      "sampleQueries": [
        {
          "description": "string",
          "query": "string"
        }
      ],
      "title": "string"
    }
  }
}

For MicrosoftCloudAppSecurity, use:

{
  "kind": "MicrosoftCloudAppSecurity",
  "properties": {
    "dataTypes": {
      "alerts": {
        "state": "string"
      },
      "discoveryLogs": {
        "state": "string"
      }
    },
    "tenantId": "string"
  }
}

For MicrosoftDefenderAdvancedThreatProtection, use:

{
  "kind": "MicrosoftDefenderAdvancedThreatProtection",
  "properties": {
    "dataTypes": {
      "alerts": {
        "state": "string"
      }
    },
    "tenantId": "string"
  }
}

For MicrosoftThreatIntelligence, use:

{
  "kind": "MicrosoftThreatIntelligence",
  "properties": {
    "dataTypes": {
      "bingSafetyPhishingURL": {
        "lookbackPeriod": "string",
        "state": "string"
      },
      "microsoftEmergingThreatFeed": {
        "lookbackPeriod": "string",
        "state": "string"
      }
    },
    "tenantId": "string"
  }
}

For MicrosoftThreatProtection, use:

{
  "kind": "MicrosoftThreatProtection",
  "properties": {
    "dataTypes": {
      "incidents": {
        "state": "string"
      }
    },
    "tenantId": "string"
  }
}

For Office365, use:

{
  "kind": "Office365",
  "properties": {
    "dataTypes": {
      "exchange": {
        "state": "string"
      },
      "sharePoint": {
        "state": "string"
      },
      "teams": {
        "state": "string"
      }
    },
    "tenantId": "string"
  }
}

For OfficeATP, use:

{
  "kind": "OfficeATP",
  "properties": {
    "dataTypes": {
      "alerts": {
        "state": "string"
      }
    },
    "tenantId": "string"
  }
}

For OfficeIRM, use:

{
  "kind": "OfficeIRM",
  "properties": {
    "dataTypes": {
      "alerts": {
        "state": "string"
      }
    },
    "tenantId": "string"
  }
}

For ThreatIntelligence, use:

{
  "kind": "ThreatIntelligence",
  "properties": {
    "dataTypes": {
      "indicators": {
        "state": "string"
      }
    },
    "tenantId": "string",
    "tipLookbackPeriod": "string"
  }
}

For ThreatIntelligenceTaxii, use:

{
  "kind": "ThreatIntelligenceTaxii",
  "properties": {
    "collectionId": "string",
    "dataTypes": {
      "taxiiClient": {
        "state": "string"
      }
    },
    "friendlyName": "string",
    "password": "string",
    "pollingFrequency": "string",
    "taxiiLookbackPeriod": "string",
    "taxiiServer": "string",
    "tenantId": "string",
    "userName": "string",
    "workspaceId": "string"
  }
}

Property values

AADDataConnector

Name	Description	Value
kind	The data connector kind	'AzureActiveDirectory' (required)
properties	AAD (Azure Active Directory) data connector properties.	AADDataConnectorProperties

AADDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	AlertsDataTypeOfDataConnector
tenantId	The tenant id to connect to, and get the data from.	string (required)

AatpDataConnector

Name	Description	Value
kind	The data connector kind	'AzureAdvancedThreatProtection' (required)
properties	AATP (Azure Advanced Threat Protection) data connector properties.	AatpDataConnectorProperties

AatpDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	AlertsDataTypeOfDataConnector
tenantId	The tenant id to connect to, and get the data from.	string (required)

AlertsDataTypeOfDataConnector

Name	Description	Value
alerts	Alerts data type connection.	DataConnectorDataTypeCommon (required)

ApiPollingParameters

Name	Description	Value
connectorUiConfig	Config to describe the instructions blade	CodelessUiConnectorConfigProperties
pollingConfig	Config to describe the polling instructions	CodelessConnectorPollingConfigProperties

ASCDataConnector

Name	Description	Value
kind	The data connector kind	'AzureSecurityCenter' (required)
properties	ASC (Azure Security Center) data connector properties.	ASCDataConnectorProperties

ASCDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	AlertsDataTypeOfDataConnector
subscriptionId	The subscription id to connect to, and get the data from.	string

Availability

Name	Description	Value
isPreview	Set connector as preview	bool
status	The connector Availability Status	'1'

AwsCloudTrailDataConnector

Name	Description	Value
kind	The data connector kind	'AmazonWebServicesCloudTrail' (required)
properties	Amazon Web Services CloudTrail data connector properties.	AwsCloudTrailDataConnectorProperties

AwsCloudTrailDataConnectorDataTypes

Name	Description	Value
logs	Logs data type.	AwsCloudTrailDataConnectorDataTypesLogs (required)

AwsCloudTrailDataConnectorDataTypesLogs

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

AwsCloudTrailDataConnectorProperties

Name	Description	Value
awsRoleArn	The Aws Role Arn (with CloudTrailReadOnly policy) that is used to access the Aws account.	string
dataTypes	The available data types for the connector.	AwsCloudTrailDataConnectorDataTypes (required)

AwsS3DataConnector

Name	Description	Value
kind	The data connector kind	'AmazonWebServicesS3' (required)
properties	Amazon Web Services S3 data connector properties.	AwsS3DataConnectorProperties

AwsS3DataConnectorDataTypes

Name	Description	Value
logs	Logs data type.	AwsS3DataConnectorDataTypesLogs (required)

AwsS3DataConnectorDataTypesLogs

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

AwsS3DataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	AwsS3DataConnectorDataTypes (required)
destinationTable	The logs destination table name in LogAnalytics.	string (required)
roleArn	The Aws Role Arn that is used to access the Aws account.	string (required)
sqsUrls	The AWS sqs urls for the connector.	string[] (required)

CodelessApiPollingDataConnector

Name	Description	Value
kind	The data connector kind	'APIPolling' (required)
properties	Codeless poling data connector properties	ApiPollingParameters

CodelessConnectorPollingAuthProperties

Name	Description	Value
apiKeyIdentifier	A prefix send in the header before the actual token	string
apiKeyName	The header name which the token is sent with	string
authorizationEndpoint	The endpoint used to authorize the user, used in Oauth 2.0 flow	string
authorizationEndpointQueryParameters	The query parameters used in authorization request, used in Oauth 2.0 flow	any
authType	The authentication type	string (required)
flowName	Describes the flow name, for example 'AuthCode' for Oauth 2.0	string
isApiKeyInPostPayload	Marks if the key should sent in header	string
isClientSecretInHeader	Marks if we should send the client secret in header or payload, used in Oauth 2.0 flow	bool
redirectionEndpoint	The redirect endpoint where we will get the authorization code, used in Oauth 2.0 flow	string
scope	The OAuth token scope	string
tokenEndpoint	The endpoint used to issue a token, used in Oauth 2.0 flow	string
tokenEndpointHeaders	The query headers used in token request, used in Oauth 2.0 flow	any
tokenEndpointQueryParameters	The query parameters used in token request, used in Oauth 2.0 flow	any

CodelessConnectorPollingConfigProperties

Name	Description	Value
auth	Describe the authentication type of the poller	CodelessConnectorPollingAuthProperties (required)
isActive	The poller active status	bool
paging	Describe the poll request paging config of the poller	CodelessConnectorPollingPagingProperties
request	Describe the poll request config parameters of the poller	CodelessConnectorPollingRequestProperties (required)
response	Describe the response config parameters of the poller	CodelessConnectorPollingResponseProperties

CodelessConnectorPollingPagingProperties

Name	Description	Value
nextPageParaName	Defines the name of a next page attribute	string
nextPageTokenJsonPath	Defines the path to a next page token JSON	string
pageCountAttributePath	Defines the path to a page count attribute	string
pageSize	Defines the paging size	int
pageSizeParaName	Defines the name of the page size parameter	string
pageTimeStampAttributePath	Defines the path to a paging time stamp attribute	string
pageTotalCountAttributePath	Defines the path to a page total count attribute	string
pagingType	Describes the type. could be 'None', 'PageToken', 'PageCount', 'TimeStamp'	string (required)
searchTheLatestTimeStampFromEventsList	Determines whether to search for the latest time stamp in the events list	string

CodelessConnectorPollingRequestProperties

Name	Description	Value
apiEndpoint	Describe the endpoint we should pull the data from	string (required)
endTimeAttributeName	This will be used the query events from the end of the time window	string
headers	Describe the headers sent in the poll request	any
httpMethod	The http method type we will use in the poll request, GET or POST	string (required)
queryParameters	Describe the query parameters sent in the poll request	any
queryParametersTemplate	For advanced scenarios for example user name/password embedded in nested JSON payload	string
queryTimeFormat	The time format will be used the query events in a specific window	string (required)
queryWindowInMin	The window interval we will use the pull the data	int (required)
rateLimitQps	Defines the rate limit QPS	int
retryCount	Describe the amount of time we should try and poll the data in case of failure	int
startTimeAttributeName	This will be used the query events from a start of the time window	string
timeoutInSeconds	The number of seconds we will consider as a request timeout	int

CodelessConnectorPollingResponseProperties

Name	Description	Value
eventsJsonPaths	Describes the path we should extract the data in the response	string[] (required)
isGzipCompressed	Describes if the data in the response is Gzip	bool
successStatusJsonPath	Describes the path we should extract the status code in the response	string
successStatusValue	Describes the path we should extract the status value in the response	string

CodelessParameters

Name	Description	Value
connectorUiConfig	Config to describe the instructions blade	CodelessUiConnectorConfigProperties

CodelessUiConnectorConfigProperties

Name	Description	Value
availability	Connector Availability Status	Availability (required)
connectivityCriteria	Define the way the connector check connectivity	CodelessUiConnectorConfigPropertiesConnectivityCriteriaItem[] (required)
customImage	An optional custom image to be used when displaying the connector within Azure Sentinel's connector's gallery	string
dataTypes	Data types to check for last data received	CodelessUiConnectorConfigPropertiesDataTypesItem[] (required)
descriptionMarkdown	Connector description	string (required)
graphQueries	The graph query to show the current data status	CodelessUiConnectorConfigPropertiesGraphQueriesItem[] (required)
graphQueriesTableName	Name of the table the connector will insert the data to	string (required)
instructionSteps	Instruction steps to enable the connector	CodelessUiConnectorConfigPropertiesInstructionStepsItem[] (required)
permissions	Permissions required for the connector	Permissions (required)
publisher	Connector publisher name	string (required)
sampleQueries	The sample queries for the connector	CodelessUiConnectorConfigPropertiesSampleQueriesItem[] (required)
title	Connector blade title	string (required)

CodelessUiConnectorConfigPropertiesConnectivityCriteriaItem

Name	Description	Value
type	type of connectivity	'IsConnectedQuery'
value	Queries for checking connectivity	string[]

CodelessUiConnectorConfigPropertiesDataTypesItem

Name	Description	Value
lastDataReceivedQuery	Query for indicate last data received	string
name	Name of the data type to show in the graph. can be use with {{graphQueriesTableName}} placeholder	string

CodelessUiConnectorConfigPropertiesGraphQueriesItem

Name	Description	Value
baseQuery	The base query for the graph	string
legend	The legend for the graph	string
metricName	the metric that the query is checking	string

CodelessUiConnectorConfigPropertiesInstructionStepsItem

Name	Description	Value
description	Instruction step description	string
instructions	Instruction step details	InstructionStepsInstructionsItem[]
title	Instruction step title	string

CodelessUiConnectorConfigPropertiesSampleQueriesItem

Name	Description	Value
description	The sample query description	string
query	the sample query	string

CodelessUiDataConnector

Name	Description	Value
kind	The data connector kind	'GenericUI' (required)
properties	Codeless UI data connector properties	CodelessParameters

DataConnectorDataTypeCommon

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

Dynamics365DataConnector

Name	Description	Value
kind	The data connector kind	'Dynamics365' (required)
properties	Dynamics365 data connector properties.	Dynamics365DataConnectorProperties

Dynamics365DataConnectorDataTypes

Name	Description	Value
dynamics365CdsActivities	Common Data Service data type connection.	Dynamics365DataConnectorDataTypesDynamics365CdsActivities (required)

Dynamics365DataConnectorDataTypesDynamics365CdsActivities

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

Dynamics365DataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	Dynamics365DataConnectorDataTypes (required)
tenantId	The tenant id to connect to, and get the data from.	string (required)

InstructionStepsInstructionsItem

Name	Description	Value
parameters	The parameters for the setting	any
type	The kind of the setting	'CopyableLabel' 'InfoMessage' 'InstructionStepsGroup' (required)

McasDataConnector

Name	Description	Value
kind	The data connector kind	'MicrosoftCloudAppSecurity' (required)
properties	MCAS (Microsoft Cloud App Security) data connector properties.	McasDataConnectorProperties

McasDataConnectorDataTypes

Name	Description	Value
alerts	Alerts data type connection.	DataConnectorDataTypeCommon (required)
discoveryLogs	Discovery log data type connection.	DataConnectorDataTypeCommon

McasDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	McasDataConnectorDataTypes (required)
tenantId	The tenant id to connect to, and get the data from.	string (required)

MdatpDataConnector

Name	Description	Value
kind	The data connector kind	'MicrosoftDefenderAdvancedThreatProtection' (required)
properties	MDATP (Microsoft Defender Advanced Threat Protection) data connector properties.	MdatpDataConnectorProperties

MdatpDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	AlertsDataTypeOfDataConnector
tenantId	The tenant id to connect to, and get the data from.	string (required)

Microsoft.SecurityInsights/dataConnectors

Name	Description	Value
apiVersion	The api version	'2021-09-01-preview'
etag	Etag of the azure resource	string
kind	Set to 'APIPolling' for type CodelessApiPollingDataConnector. Set to 'AmazonWebServicesCloudTrail' for type AwsCloudTrailDataConnector. Set to 'AmazonWebServicesS3' for type AwsS3DataConnector. Set to 'AzureActiveDirectory' for type AADDataConnector. Set to 'AzureAdvancedThreatProtection' for type AatpDataConnector. Set to 'AzureSecurityCenter' for type ASCDataConnector. Set to 'Dynamics365' for type Dynamics365DataConnector. Set to 'GenericUI' for type CodelessUiDataConnector. Set to 'MicrosoftCloudAppSecurity' for type McasDataConnector. Set to 'MicrosoftDefenderAdvancedThreatProtection' for type MdatpDataConnector. Set to 'MicrosoftThreatIntelligence' for type MstiDataConnector. Set to 'MicrosoftThreatProtection' for type MTPDataConnector. Set to 'Office365' for type OfficeDataConnector. Set to 'OfficeATP' for type OfficeATPDataConnector. Set to 'OfficeIRM' for type OfficeIRMDataConnector. Set to 'ThreatIntelligence' for type TIDataConnector. Set to 'ThreatIntelligenceTaxii' for type TiTaxiiDataConnector.	'AmazonWebServicesCloudTrail' 'AmazonWebServicesS3' 'APIPolling' 'AzureActiveDirectory' 'AzureAdvancedThreatProtection' 'AzureSecurityCenter' 'Dynamics365' 'GenericUI' 'MicrosoftCloudAppSecurity' 'MicrosoftDefenderAdvancedThreatProtection' 'MicrosoftThreatIntelligence' 'MicrosoftThreatProtection' 'Office365' 'OfficeATP' 'OfficeIRM' 'ThreatIntelligence' 'ThreatIntelligenceTaxii' (required)
name	The resource name	string (required)
type	The resource type	'Microsoft.SecurityInsights/dataConnectors'

MstiDataConnector

Name	Description	Value
kind	The data connector kind	'MicrosoftThreatIntelligence' (required)
properties	Microsoft Threat Intelligence data connector properties.	MstiDataConnectorProperties

MstiDataConnectorDataTypes

Name	Description	Value
bingSafetyPhishingURL	Data type for Microsoft Threat Intelligence Platforms data connector.	MstiDataConnectorDataTypesBingSafetyPhishingURL (required)
microsoftEmergingThreatFeed	Data type for Microsoft Threat Intelligence Platforms data connector.	MstiDataConnectorDataTypesMicrosoftEmergingThreatFeed (required)

MstiDataConnectorDataTypesBingSafetyPhishingURL

Name	Description	Value
lookbackPeriod	lookback period	string (required)
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

MstiDataConnectorDataTypesMicrosoftEmergingThreatFeed

Name	Description	Value
lookbackPeriod	lookback period	string (required)
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

MstiDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	MstiDataConnectorDataTypes (required)
tenantId	The tenant id to connect to, and get the data from.	string (required)

MTPDataConnector

Name	Description	Value
kind	The data connector kind	'MicrosoftThreatProtection' (required)
properties	MTP (Microsoft Threat Protection) data connector properties.	MTPDataConnectorProperties

MTPDataConnectorDataTypes

Name	Description	Value
incidents	Data type for Microsoft Threat Protection Platforms data connector.	MTPDataConnectorDataTypesIncidents (required)

MTPDataConnectorDataTypesIncidents

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

MTPDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	MTPDataConnectorDataTypes (required)
tenantId	The tenant id to connect to, and get the data from.	string (required)

OfficeATPDataConnector

Name	Description	Value
kind	The data connector kind	'OfficeATP' (required)
properties	OfficeATP (Office 365 Advanced Threat Protection) data connector properties.	OfficeATPDataConnectorProperties

OfficeATPDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	AlertsDataTypeOfDataConnector
tenantId	The tenant id to connect to, and get the data from.	string (required)

OfficeDataConnector

Name	Description	Value
kind	The data connector kind	'Office365' (required)
properties	Office data connector properties.	OfficeDataConnectorProperties

OfficeDataConnectorDataTypes

Name	Description	Value
exchange	Exchange data type connection.	OfficeDataConnectorDataTypesExchange (required)
sharePoint	SharePoint data type connection.	OfficeDataConnectorDataTypesSharePoint (required)
teams	Teams data type connection.	OfficeDataConnectorDataTypesTeams (required)

OfficeDataConnectorDataTypesExchange

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

OfficeDataConnectorDataTypesSharePoint

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

OfficeDataConnectorDataTypesTeams

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

OfficeDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	OfficeDataConnectorDataTypes (required)
tenantId	The tenant id to connect to, and get the data from.	string (required)

OfficeIRMDataConnector

Name	Description	Value
kind	The data connector kind	'OfficeIRM' (required)
properties	OfficeIRM (Microsoft Insider Risk Management) data connector properties.	OfficeIRMDataConnectorProperties

OfficeIRMDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	AlertsDataTypeOfDataConnector
tenantId	The tenant id to connect to, and get the data from.	string (required)

Permissions

Name	Description	Value
customs	Customs permissions required for the connector	PermissionsCustomsItem[]
resourceProvider	Resource provider permissions required for the connector	PermissionsResourceProviderItem[]

PermissionsCustomsItem

Name	Description	Value
description	Customs permissions description	string
name	Customs permissions name	string

PermissionsResourceProviderItem

Name	Description	Value
permissionsDisplayText	Permission description text	string
provider	Provider name	'microsoft.aadiam/diagnosticSettings' 'Microsoft.Authorization/policyAssignments' 'Microsoft.OperationalInsights/solutions' 'Microsoft.OperationalInsights/workspaces' 'Microsoft.OperationalInsights/workspaces/datasources' 'Microsoft.OperationalInsights/workspaces/sharedKeys'
providerDisplayName	Permission provider display name	string
requiredPermissions	Required permissions for the connector	RequiredPermissions
scope	Permission provider scope	'ResourceGroup' 'Subscription' 'Workspace'

RequiredPermissions

Name	Description	Value
action	action permission	bool
delete	delete permission	bool
read	read permission	bool
write	write permission	bool

TIDataConnector

Name	Description	Value
kind	The data connector kind	'ThreatIntelligence' (required)
properties	TI (Threat Intelligence) data connector properties.	TIDataConnectorProperties

TIDataConnectorDataTypes

Name	Description	Value
indicators	Data type for indicators connection.	TIDataConnectorDataTypesIndicators (required)

TIDataConnectorDataTypesIndicators

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

TIDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	TIDataConnectorDataTypes (required)
tenantId	The tenant id to connect to, and get the data from.	string (required)
tipLookbackPeriod	The lookback period for the feed to be imported.	string

TiTaxiiDataConnector

Name	Description	Value
kind	The data connector kind	'ThreatIntelligenceTaxii' (required)
properties	Threat intelligence TAXII data connector properties.	TiTaxiiDataConnectorProperties

TiTaxiiDataConnectorDataTypes

Name	Description	Value
taxiiClient	Data type for TAXII connector.	TiTaxiiDataConnectorDataTypesTaxiiClient (required)

TiTaxiiDataConnectorDataTypesTaxiiClient

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

TiTaxiiDataConnectorProperties

Name	Description	Value
collectionId	The collection id of the TAXII server.	string
dataTypes	The available data types for Threat Intelligence TAXII data connector.	TiTaxiiDataConnectorDataTypes (required)
friendlyName	The friendly name for the TAXII server.	string
password	The password for the TAXII server.	string
pollingFrequency	The polling frequency for the TAXII server.	'OnceADay' 'OnceAMinute' 'OnceAnHour' (required)
taxiiLookbackPeriod	The lookback period for the TAXII server.	string
taxiiServer	The API root for the TAXII server.	string
tenantId	The tenant id to connect to, and get the data from.	string (required)
userName	The userName for the TAXII server.	string
workspaceId	The workspace id.	string

Terraform (AzAPI provider) resource definition

The dataConnectors resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.SecurityInsights/dataConnectors resource, add the following Terraform to your template.

resource "azapi_resource" "symbolicname" {
  etag = "string"
  name = "string"
  kind = "string"
  // For remaining properties, see Microsoft.SecurityInsights/dataConnectors objects
}

Microsoft.SecurityInsights/dataConnectors objects

Set the kind property to specify the type of object.

For APIPolling, use:

{
  kind = "APIPolling"
  properties = {
    connectorUiConfig = {
      availability = {
        isPreview = bool
        status = "1"
      }
      connectivityCriteria = [
        {
          type = "string"
          value = [
            "string"
          ]
        }
      ]
      customImage = "string"
      dataTypes = [
        {
          lastDataReceivedQuery = "string"
          name = "string"
        }
      ]
      descriptionMarkdown = "string"
      graphQueries = [
        {
          baseQuery = "string"
          legend = "string"
          metricName = "string"
        }
      ]
      graphQueriesTableName = "string"
      instructionSteps = [
        {
          description = "string"
          instructions = [
            {
              parameters = ?
              type = "string"
            }
          ]
          title = "string"
        }
      ]
      permissions = {
        customs = [
          {
            description = "string"
            name = "string"
          }
        ]
        resourceProvider = [
          {
            permissionsDisplayText = "string"
            provider = "string"
            providerDisplayName = "string"
            requiredPermissions = {
              action = bool
              delete = bool
              read = bool
              write = bool
            }
            scope = "string"
          }
        ]
      }
      publisher = "string"
      sampleQueries = [
        {
          description = "string"
          query = "string"
        }
      ]
      title = "string"
    }
    pollingConfig = {
      auth = {
        apiKeyIdentifier = "string"
        apiKeyName = "string"
        authorizationEndpoint = "string"
        authorizationEndpointQueryParameters = ?
        authType = "string"
        flowName = "string"
        isApiKeyInPostPayload = "string"
        isClientSecretInHeader = bool
        redirectionEndpoint = "string"
        scope = "string"
        tokenEndpoint = "string"
        tokenEndpointHeaders = ?
        tokenEndpointQueryParameters = ?
      }
      isActive = bool
      paging = {
        nextPageParaName = "string"
        nextPageTokenJsonPath = "string"
        pageCountAttributePath = "string"
        pageSize = int
        pageSizeParaName = "string"
        pageTimeStampAttributePath = "string"
        pageTotalCountAttributePath = "string"
        pagingType = "string"
        searchTheLatestTimeStampFromEventsList = "string"
      }
      request = {
        apiEndpoint = "string"
        endTimeAttributeName = "string"
        headers = ?
        httpMethod = "string"
        queryParameters = ?
        queryParametersTemplate = "string"
        queryTimeFormat = "string"
        queryWindowInMin = int
        rateLimitQps = int
        retryCount = int
        startTimeAttributeName = "string"
        timeoutInSeconds = int
      }
      response = {
        eventsJsonPaths = [
          "string"
        ]
        isGzipCompressed = bool
        successStatusJsonPath = "string"
        successStatusValue = "string"
      }
    }
  }
}

For AmazonWebServicesCloudTrail, use:

{
  kind = "AmazonWebServicesCloudTrail"
  properties = {
    awsRoleArn = "string"
    dataTypes = {
      logs = {
        state = "string"
      }
    }
  }
}

For AmazonWebServicesS3, use:

{
  kind = "AmazonWebServicesS3"
  properties = {
    dataTypes = {
      logs = {
        state = "string"
      }
    }
    destinationTable = "string"
    roleArn = "string"
    sqsUrls = [
      "string"
    ]
  }
}

For AzureActiveDirectory, use:

{
  kind = "AzureActiveDirectory"
  properties = {
    dataTypes = {
      alerts = {
        state = "string"
      }
    }
    tenantId = "string"
  }
}

For AzureAdvancedThreatProtection, use:

{
  kind = "AzureAdvancedThreatProtection"
  properties = {
    dataTypes = {
      alerts = {
        state = "string"
      }
    }
    tenantId = "string"
  }
}

For AzureSecurityCenter, use:

{
  kind = "AzureSecurityCenter"
  properties = {
    dataTypes = {
      alerts = {
        state = "string"
      }
    }
    subscriptionId = "string"
  }
}

For Dynamics365, use:

{
  kind = "Dynamics365"
  properties = {
    dataTypes = {
      dynamics365CdsActivities = {
        state = "string"
      }
    }
    tenantId = "string"
  }
}

For GenericUI, use:

{
  kind = "GenericUI"
  properties = {
    connectorUiConfig = {
      availability = {
        isPreview = bool
        status = "1"
      }
      connectivityCriteria = [
        {
          type = "string"
          value = [
            "string"
          ]
        }
      ]
      customImage = "string"
      dataTypes = [
        {
          lastDataReceivedQuery = "string"
          name = "string"
        }
      ]
      descriptionMarkdown = "string"
      graphQueries = [
        {
          baseQuery = "string"
          legend = "string"
          metricName = "string"
        }
      ]
      graphQueriesTableName = "string"
      instructionSteps = [
        {
          description = "string"
          instructions = [
            {
              parameters = ?
              type = "string"
            }
          ]
          title = "string"
        }
      ]
      permissions = {
        customs = [
          {
            description = "string"
            name = "string"
          }
        ]
        resourceProvider = [
          {
            permissionsDisplayText = "string"
            provider = "string"
            providerDisplayName = "string"
            requiredPermissions = {
              action = bool
              delete = bool
              read = bool
              write = bool
            }
            scope = "string"
          }
        ]
      }
      publisher = "string"
      sampleQueries = [
        {
          description = "string"
          query = "string"
        }
      ]
      title = "string"
    }
  }
}

For MicrosoftCloudAppSecurity, use:

{
  kind = "MicrosoftCloudAppSecurity"
  properties = {
    dataTypes = {
      alerts = {
        state = "string"
      }
      discoveryLogs = {
        state = "string"
      }
    }
    tenantId = "string"
  }
}

For MicrosoftDefenderAdvancedThreatProtection, use:

{
  kind = "MicrosoftDefenderAdvancedThreatProtection"
  properties = {
    dataTypes = {
      alerts = {
        state = "string"
      }
    }
    tenantId = "string"
  }
}

For MicrosoftThreatIntelligence, use:

{
  kind = "MicrosoftThreatIntelligence"
  properties = {
    dataTypes = {
      bingSafetyPhishingURL = {
        lookbackPeriod = "string"
        state = "string"
      }
      microsoftEmergingThreatFeed = {
        lookbackPeriod = "string"
        state = "string"
      }
    }
    tenantId = "string"
  }
}

For MicrosoftThreatProtection, use:

{
  kind = "MicrosoftThreatProtection"
  properties = {
    dataTypes = {
      incidents = {
        state = "string"
      }
    }
    tenantId = "string"
  }
}

For Office365, use:

{
  kind = "Office365"
  properties = {
    dataTypes = {
      exchange = {
        state = "string"
      }
      sharePoint = {
        state = "string"
      }
      teams = {
        state = "string"
      }
    }
    tenantId = "string"
  }
}

For OfficeATP, use:

{
  kind = "OfficeATP"
  properties = {
    dataTypes = {
      alerts = {
        state = "string"
      }
    }
    tenantId = "string"
  }
}

For OfficeIRM, use:

{
  kind = "OfficeIRM"
  properties = {
    dataTypes = {
      alerts = {
        state = "string"
      }
    }
    tenantId = "string"
  }
}

For ThreatIntelligence, use:

{
  kind = "ThreatIntelligence"
  properties = {
    dataTypes = {
      indicators = {
        state = "string"
      }
    }
    tenantId = "string"
    tipLookbackPeriod = "string"
  }
}

For ThreatIntelligenceTaxii, use:

{
  kind = "ThreatIntelligenceTaxii"
  properties = {
    collectionId = "string"
    dataTypes = {
      taxiiClient = {
        state = "string"
      }
    }
    friendlyName = "string"
    password = "string"
    pollingFrequency = "string"
    taxiiLookbackPeriod = "string"
    taxiiServer = "string"
    tenantId = "string"
    userName = "string"
    workspaceId = "string"
  }
}

Property values

AADDataConnector

Name	Description	Value
kind	The data connector kind	'AzureActiveDirectory' (required)
properties	AAD (Azure Active Directory) data connector properties.	AADDataConnectorProperties

AADDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	AlertsDataTypeOfDataConnector
tenantId	The tenant id to connect to, and get the data from.	string (required)

AatpDataConnector

Name	Description	Value
kind	The data connector kind	'AzureAdvancedThreatProtection' (required)
properties	AATP (Azure Advanced Threat Protection) data connector properties.	AatpDataConnectorProperties

AatpDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	AlertsDataTypeOfDataConnector
tenantId	The tenant id to connect to, and get the data from.	string (required)

AlertsDataTypeOfDataConnector

Name	Description	Value
alerts	Alerts data type connection.	DataConnectorDataTypeCommon (required)

ApiPollingParameters

Name	Description	Value
connectorUiConfig	Config to describe the instructions blade	CodelessUiConnectorConfigProperties
pollingConfig	Config to describe the polling instructions	CodelessConnectorPollingConfigProperties

ASCDataConnector

Name	Description	Value
kind	The data connector kind	'AzureSecurityCenter' (required)
properties	ASC (Azure Security Center) data connector properties.	ASCDataConnectorProperties

ASCDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	AlertsDataTypeOfDataConnector
subscriptionId	The subscription id to connect to, and get the data from.	string

Availability

Name	Description	Value
isPreview	Set connector as preview	bool
status	The connector Availability Status	'1'

AwsCloudTrailDataConnector

Name	Description	Value
kind	The data connector kind	'AmazonWebServicesCloudTrail' (required)
properties	Amazon Web Services CloudTrail data connector properties.	AwsCloudTrailDataConnectorProperties

AwsCloudTrailDataConnectorDataTypes

Name	Description	Value
logs	Logs data type.	AwsCloudTrailDataConnectorDataTypesLogs (required)

AwsCloudTrailDataConnectorDataTypesLogs

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

AwsCloudTrailDataConnectorProperties

Name	Description	Value
awsRoleArn	The Aws Role Arn (with CloudTrailReadOnly policy) that is used to access the Aws account.	string
dataTypes	The available data types for the connector.	AwsCloudTrailDataConnectorDataTypes (required)

AwsS3DataConnector

Name	Description	Value
kind	The data connector kind	'AmazonWebServicesS3' (required)
properties	Amazon Web Services S3 data connector properties.	AwsS3DataConnectorProperties

AwsS3DataConnectorDataTypes

Name	Description	Value
logs	Logs data type.	AwsS3DataConnectorDataTypesLogs (required)

AwsS3DataConnectorDataTypesLogs

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

AwsS3DataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	AwsS3DataConnectorDataTypes (required)
destinationTable	The logs destination table name in LogAnalytics.	string (required)
roleArn	The Aws Role Arn that is used to access the Aws account.	string (required)
sqsUrls	The AWS sqs urls for the connector.	string[] (required)

CodelessApiPollingDataConnector

Name	Description	Value
kind	The data connector kind	'APIPolling' (required)
properties	Codeless poling data connector properties	ApiPollingParameters

CodelessConnectorPollingAuthProperties

Name	Description	Value
apiKeyIdentifier	A prefix send in the header before the actual token	string
apiKeyName	The header name which the token is sent with	string
authorizationEndpoint	The endpoint used to authorize the user, used in Oauth 2.0 flow	string
authorizationEndpointQueryParameters	The query parameters used in authorization request, used in Oauth 2.0 flow	any
authType	The authentication type	string (required)
flowName	Describes the flow name, for example 'AuthCode' for Oauth 2.0	string
isApiKeyInPostPayload	Marks if the key should sent in header	string
isClientSecretInHeader	Marks if we should send the client secret in header or payload, used in Oauth 2.0 flow	bool
redirectionEndpoint	The redirect endpoint where we will get the authorization code, used in Oauth 2.0 flow	string
scope	The OAuth token scope	string
tokenEndpoint	The endpoint used to issue a token, used in Oauth 2.0 flow	string
tokenEndpointHeaders	The query headers used in token request, used in Oauth 2.0 flow	any
tokenEndpointQueryParameters	The query parameters used in token request, used in Oauth 2.0 flow	any

CodelessConnectorPollingConfigProperties

Name	Description	Value
auth	Describe the authentication type of the poller	CodelessConnectorPollingAuthProperties (required)
isActive	The poller active status	bool
paging	Describe the poll request paging config of the poller	CodelessConnectorPollingPagingProperties
request	Describe the poll request config parameters of the poller	CodelessConnectorPollingRequestProperties (required)
response	Describe the response config parameters of the poller	CodelessConnectorPollingResponseProperties

CodelessConnectorPollingPagingProperties

Name	Description	Value
nextPageParaName	Defines the name of a next page attribute	string
nextPageTokenJsonPath	Defines the path to a next page token JSON	string
pageCountAttributePath	Defines the path to a page count attribute	string
pageSize	Defines the paging size	int
pageSizeParaName	Defines the name of the page size parameter	string
pageTimeStampAttributePath	Defines the path to a paging time stamp attribute	string
pageTotalCountAttributePath	Defines the path to a page total count attribute	string
pagingType	Describes the type. could be 'None', 'PageToken', 'PageCount', 'TimeStamp'	string (required)
searchTheLatestTimeStampFromEventsList	Determines whether to search for the latest time stamp in the events list	string

CodelessConnectorPollingRequestProperties

Name	Description	Value
apiEndpoint	Describe the endpoint we should pull the data from	string (required)
endTimeAttributeName	This will be used the query events from the end of the time window	string
headers	Describe the headers sent in the poll request	any
httpMethod	The http method type we will use in the poll request, GET or POST	string (required)
queryParameters	Describe the query parameters sent in the poll request	any
queryParametersTemplate	For advanced scenarios for example user name/password embedded in nested JSON payload	string
queryTimeFormat	The time format will be used the query events in a specific window	string (required)
queryWindowInMin	The window interval we will use the pull the data	int (required)
rateLimitQps	Defines the rate limit QPS	int
retryCount	Describe the amount of time we should try and poll the data in case of failure	int
startTimeAttributeName	This will be used the query events from a start of the time window	string
timeoutInSeconds	The number of seconds we will consider as a request timeout	int

CodelessConnectorPollingResponseProperties

Name	Description	Value
eventsJsonPaths	Describes the path we should extract the data in the response	string[] (required)
isGzipCompressed	Describes if the data in the response is Gzip	bool
successStatusJsonPath	Describes the path we should extract the status code in the response	string
successStatusValue	Describes the path we should extract the status value in the response	string

CodelessParameters

Name	Description	Value
connectorUiConfig	Config to describe the instructions blade	CodelessUiConnectorConfigProperties

CodelessUiConnectorConfigProperties

Name	Description	Value
availability	Connector Availability Status	Availability (required)
connectivityCriteria	Define the way the connector check connectivity	CodelessUiConnectorConfigPropertiesConnectivityCriteriaItem[] (required)
customImage	An optional custom image to be used when displaying the connector within Azure Sentinel's connector's gallery	string
dataTypes	Data types to check for last data received	CodelessUiConnectorConfigPropertiesDataTypesItem[] (required)
descriptionMarkdown	Connector description	string (required)
graphQueries	The graph query to show the current data status	CodelessUiConnectorConfigPropertiesGraphQueriesItem[] (required)
graphQueriesTableName	Name of the table the connector will insert the data to	string (required)
instructionSteps	Instruction steps to enable the connector	CodelessUiConnectorConfigPropertiesInstructionStepsItem[] (required)
permissions	Permissions required for the connector	Permissions (required)
publisher	Connector publisher name	string (required)
sampleQueries	The sample queries for the connector	CodelessUiConnectorConfigPropertiesSampleQueriesItem[] (required)
title	Connector blade title	string (required)

CodelessUiConnectorConfigPropertiesConnectivityCriteriaItem

Name	Description	Value
type	type of connectivity	'IsConnectedQuery'
value	Queries for checking connectivity	string[]

CodelessUiConnectorConfigPropertiesDataTypesItem

Name	Description	Value
lastDataReceivedQuery	Query for indicate last data received	string
name	Name of the data type to show in the graph. can be use with {{graphQueriesTableName}} placeholder	string

CodelessUiConnectorConfigPropertiesGraphQueriesItem

Name	Description	Value
baseQuery	The base query for the graph	string
legend	The legend for the graph	string
metricName	the metric that the query is checking	string

CodelessUiConnectorConfigPropertiesInstructionStepsItem

Name	Description	Value
description	Instruction step description	string
instructions	Instruction step details	InstructionStepsInstructionsItem[]
title	Instruction step title	string

CodelessUiConnectorConfigPropertiesSampleQueriesItem

Name	Description	Value
description	The sample query description	string
query	the sample query	string

CodelessUiDataConnector

Name	Description	Value
kind	The data connector kind	'GenericUI' (required)
properties	Codeless UI data connector properties	CodelessParameters

DataConnectorDataTypeCommon

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

Dynamics365DataConnector

Name	Description	Value
kind	The data connector kind	'Dynamics365' (required)
properties	Dynamics365 data connector properties.	Dynamics365DataConnectorProperties

Dynamics365DataConnectorDataTypes

Name	Description	Value
dynamics365CdsActivities	Common Data Service data type connection.	Dynamics365DataConnectorDataTypesDynamics365CdsActivities (required)

Dynamics365DataConnectorDataTypesDynamics365CdsActivities

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

Dynamics365DataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	Dynamics365DataConnectorDataTypes (required)
tenantId	The tenant id to connect to, and get the data from.	string (required)

InstructionStepsInstructionsItem

Name	Description	Value
parameters	The parameters for the setting	any
type	The kind of the setting	'CopyableLabel' 'InfoMessage' 'InstructionStepsGroup' (required)

McasDataConnector

Name	Description	Value
kind	The data connector kind	'MicrosoftCloudAppSecurity' (required)
properties	MCAS (Microsoft Cloud App Security) data connector properties.	McasDataConnectorProperties

McasDataConnectorDataTypes

Name	Description	Value
alerts	Alerts data type connection.	DataConnectorDataTypeCommon (required)
discoveryLogs	Discovery log data type connection.	DataConnectorDataTypeCommon

McasDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	McasDataConnectorDataTypes (required)
tenantId	The tenant id to connect to, and get the data from.	string (required)

MdatpDataConnector

Name	Description	Value
kind	The data connector kind	'MicrosoftDefenderAdvancedThreatProtection' (required)
properties	MDATP (Microsoft Defender Advanced Threat Protection) data connector properties.	MdatpDataConnectorProperties

MdatpDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	AlertsDataTypeOfDataConnector
tenantId	The tenant id to connect to, and get the data from.	string (required)

Microsoft.SecurityInsights/dataConnectors

Name	Description	Value
etag	Etag of the azure resource	string
kind	Set to 'APIPolling' for type CodelessApiPollingDataConnector. Set to 'AmazonWebServicesCloudTrail' for type AwsCloudTrailDataConnector. Set to 'AmazonWebServicesS3' for type AwsS3DataConnector. Set to 'AzureActiveDirectory' for type AADDataConnector. Set to 'AzureAdvancedThreatProtection' for type AatpDataConnector. Set to 'AzureSecurityCenter' for type ASCDataConnector. Set to 'Dynamics365' for type Dynamics365DataConnector. Set to 'GenericUI' for type CodelessUiDataConnector. Set to 'MicrosoftCloudAppSecurity' for type McasDataConnector. Set to 'MicrosoftDefenderAdvancedThreatProtection' for type MdatpDataConnector. Set to 'MicrosoftThreatIntelligence' for type MstiDataConnector. Set to 'MicrosoftThreatProtection' for type MTPDataConnector. Set to 'Office365' for type OfficeDataConnector. Set to 'OfficeATP' for type OfficeATPDataConnector. Set to 'OfficeIRM' for type OfficeIRMDataConnector. Set to 'ThreatIntelligence' for type TIDataConnector. Set to 'ThreatIntelligenceTaxii' for type TiTaxiiDataConnector.	'AmazonWebServicesCloudTrail' 'AmazonWebServicesS3' 'APIPolling' 'AzureActiveDirectory' 'AzureAdvancedThreatProtection' 'AzureSecurityCenter' 'Dynamics365' 'GenericUI' 'MicrosoftCloudAppSecurity' 'MicrosoftDefenderAdvancedThreatProtection' 'MicrosoftThreatIntelligence' 'MicrosoftThreatProtection' 'Office365' 'OfficeATP' 'OfficeIRM' 'ThreatIntelligence' 'ThreatIntelligenceTaxii' (required)
name	The resource name	string (required)
parent_id	The ID of the resource to apply this extension resource to.	string (required)
type	The resource type	"Microsoft.SecurityInsights/dataConnectors@2021-09-01-preview"

MstiDataConnector

Name	Description	Value
kind	The data connector kind	'MicrosoftThreatIntelligence' (required)
properties	Microsoft Threat Intelligence data connector properties.	MstiDataConnectorProperties

MstiDataConnectorDataTypes

Name	Description	Value
bingSafetyPhishingURL	Data type for Microsoft Threat Intelligence Platforms data connector.	MstiDataConnectorDataTypesBingSafetyPhishingURL (required)
microsoftEmergingThreatFeed	Data type for Microsoft Threat Intelligence Platforms data connector.	MstiDataConnectorDataTypesMicrosoftEmergingThreatFeed (required)

MstiDataConnectorDataTypesBingSafetyPhishingURL

Name	Description	Value
lookbackPeriod	lookback period	string (required)
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

MstiDataConnectorDataTypesMicrosoftEmergingThreatFeed

Name	Description	Value
lookbackPeriod	lookback period	string (required)
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

MstiDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	MstiDataConnectorDataTypes (required)
tenantId	The tenant id to connect to, and get the data from.	string (required)

MTPDataConnector

Name	Description	Value
kind	The data connector kind	'MicrosoftThreatProtection' (required)
properties	MTP (Microsoft Threat Protection) data connector properties.	MTPDataConnectorProperties

MTPDataConnectorDataTypes

Name	Description	Value
incidents	Data type for Microsoft Threat Protection Platforms data connector.	MTPDataConnectorDataTypesIncidents (required)

MTPDataConnectorDataTypesIncidents

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

MTPDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	MTPDataConnectorDataTypes (required)
tenantId	The tenant id to connect to, and get the data from.	string (required)

OfficeATPDataConnector

Name	Description	Value
kind	The data connector kind	'OfficeATP' (required)
properties	OfficeATP (Office 365 Advanced Threat Protection) data connector properties.	OfficeATPDataConnectorProperties

OfficeATPDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	AlertsDataTypeOfDataConnector
tenantId	The tenant id to connect to, and get the data from.	string (required)

OfficeDataConnector

Name	Description	Value
kind	The data connector kind	'Office365' (required)
properties	Office data connector properties.	OfficeDataConnectorProperties

OfficeDataConnectorDataTypes

Name	Description	Value
exchange	Exchange data type connection.	OfficeDataConnectorDataTypesExchange (required)
sharePoint	SharePoint data type connection.	OfficeDataConnectorDataTypesSharePoint (required)
teams	Teams data type connection.	OfficeDataConnectorDataTypesTeams (required)

OfficeDataConnectorDataTypesExchange

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

OfficeDataConnectorDataTypesSharePoint

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

OfficeDataConnectorDataTypesTeams

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

OfficeDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	OfficeDataConnectorDataTypes (required)
tenantId	The tenant id to connect to, and get the data from.	string (required)

OfficeIRMDataConnector

Name	Description	Value
kind	The data connector kind	'OfficeIRM' (required)
properties	OfficeIRM (Microsoft Insider Risk Management) data connector properties.	OfficeIRMDataConnectorProperties

OfficeIRMDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	AlertsDataTypeOfDataConnector
tenantId	The tenant id to connect to, and get the data from.	string (required)

Permissions

Name	Description	Value
customs	Customs permissions required for the connector	PermissionsCustomsItem[]
resourceProvider	Resource provider permissions required for the connector	PermissionsResourceProviderItem[]

PermissionsCustomsItem

Name	Description	Value
description	Customs permissions description	string
name	Customs permissions name	string

PermissionsResourceProviderItem

Name	Description	Value
permissionsDisplayText	Permission description text	string
provider	Provider name	'microsoft.aadiam/diagnosticSettings' 'Microsoft.Authorization/policyAssignments' 'Microsoft.OperationalInsights/solutions' 'Microsoft.OperationalInsights/workspaces' 'Microsoft.OperationalInsights/workspaces/datasources' 'Microsoft.OperationalInsights/workspaces/sharedKeys'
providerDisplayName	Permission provider display name	string
requiredPermissions	Required permissions for the connector	RequiredPermissions
scope	Permission provider scope	'ResourceGroup' 'Subscription' 'Workspace'

RequiredPermissions

Name	Description	Value
action	action permission	bool
delete	delete permission	bool
read	read permission	bool
write	write permission	bool

TIDataConnector

Name	Description	Value
kind	The data connector kind	'ThreatIntelligence' (required)
properties	TI (Threat Intelligence) data connector properties.	TIDataConnectorProperties

TIDataConnectorDataTypes

Name	Description	Value
indicators	Data type for indicators connection.	TIDataConnectorDataTypesIndicators (required)

TIDataConnectorDataTypesIndicators

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

TIDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	TIDataConnectorDataTypes (required)
tenantId	The tenant id to connect to, and get the data from.	string (required)
tipLookbackPeriod	The lookback period for the feed to be imported.	string

TiTaxiiDataConnector

Name	Description	Value
kind	The data connector kind	'ThreatIntelligenceTaxii' (required)
properties	Threat intelligence TAXII data connector properties.	TiTaxiiDataConnectorProperties

TiTaxiiDataConnectorDataTypes

Name	Description	Value
taxiiClient	Data type for TAXII connector.	TiTaxiiDataConnectorDataTypesTaxiiClient (required)

TiTaxiiDataConnectorDataTypesTaxiiClient

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

TiTaxiiDataConnectorProperties

Name	Description	Value
collectionId	The collection id of the TAXII server.	string
dataTypes	The available data types for Threat Intelligence TAXII data connector.	TiTaxiiDataConnectorDataTypes (required)
friendlyName	The friendly name for the TAXII server.	string
password	The password for the TAXII server.	string
pollingFrequency	The polling frequency for the TAXII server.	'OnceADay' 'OnceAMinute' 'OnceAnHour' (required)
taxiiLookbackPeriod	The lookback period for the TAXII server.	string
taxiiServer	The API root for the TAXII server.	string
tenantId	The tenant id to connect to, and get the data from.	string (required)
userName	The userName for the TAXII server.	string
workspaceId	The workspace id.	string