Microsoft.SecurityInsights dataConnectors 2024-09-01

Bicep resource definition

The dataConnectors resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.SecurityInsights/dataConnectors resource, add the following Bicep to your template.

resource symbolicname 'Microsoft.SecurityInsights/dataConnectors@2024-09-01' = {
  etag: 'string'
  name: 'string'
  kind: 'string'
  // For remaining properties, see Microsoft.SecurityInsights/dataConnectors objects
}

Microsoft.SecurityInsights/dataConnectors objects

Set the kind property to specify the type of object.

For AmazonWebServicesCloudTrail, use:

{
  kind: 'AmazonWebServicesCloudTrail'
  properties: {
    awsRoleArn: 'string'
    dataTypes: {
      logs: {
        state: 'string'
      }
    }
  }
}

For AzureActiveDirectory, use:

{
  kind: 'AzureActiveDirectory'
  properties: {
    dataTypes: {
      alerts: {
        state: 'string'
      }
    }
    tenantId: 'string'
  }
}

For AzureAdvancedThreatProtection, use:

{
  kind: 'AzureAdvancedThreatProtection'
  properties: {
    dataTypes: {
      alerts: {
        state: 'string'
      }
    }
    tenantId: 'string'
  }
}

For AzureSecurityCenter, use:

{
  kind: 'AzureSecurityCenter'
  properties: {
    dataTypes: {
      alerts: {
        state: 'string'
      }
    }
    subscriptionId: 'string'
  }
}

For MicrosoftCloudAppSecurity, use:

{
  kind: 'MicrosoftCloudAppSecurity'
  properties: {
    dataTypes: {
      alerts: {
        state: 'string'
      }
      discoveryLogs: {
        state: 'string'
      }
    }
    tenantId: 'string'
  }
}

For MicrosoftDefenderAdvancedThreatProtection, use:

{
  kind: 'MicrosoftDefenderAdvancedThreatProtection'
  properties: {
    dataTypes: {
      alerts: {
        state: 'string'
      }
    }
    tenantId: 'string'
  }
}

For MicrosoftThreatIntelligence, use:

{
  kind: 'MicrosoftThreatIntelligence'
  properties: {
    dataTypes: {
      microsoftEmergingThreatFeed: {
        lookbackPeriod: 'string'
        state: 'string'
      }
    }
    tenantId: 'string'
  }
}

For Office365, use:

{
  kind: 'Office365'
  properties: {
    dataTypes: {
      exchange: {
        state: 'string'
      }
      sharePoint: {
        state: 'string'
      }
      teams: {
        state: 'string'
      }
    }
    tenantId: 'string'
  }
}

For PremiumMicrosoftDefenderForThreatIntelligence, use:

{
  kind: 'PremiumMicrosoftDefenderForThreatIntelligence'
  properties: {
    dataTypes: {
      connector: {
        state: 'string'
      }
    }
    lookbackPeriod: 'string'
    requiredSKUsPresent: bool
    tenantId: 'string'
  }
}

For RestApiPoller, use:

{
  kind: 'RestApiPoller'
  properties: {
    addOnAttributes: {
      {customized property}: 'string'
    }
    auth: {
      type: 'string'
      // For remaining properties, see CcpAuthConfig objects
    }
    connectorDefinitionName: 'string'
    dataType: 'string'
    dcrConfig: {
      dataCollectionEndpoint: 'string'
      dataCollectionRuleImmutableId: 'string'
      streamName: 'string'
    }
    isActive: bool
    paging: {
      pageSize: int
      pageSizeParameterName: 'string'
      pagingType: 'string'
    }
    request: {
      apiEndpoint: 'string'
      endTimeAttributeName: 'string'
      headers: {
        {customized property}: 'string'
      }
      httpMethod: 'string'
      isPostPayloadJson: bool
      queryParameters: {
        {customized property}: any(Azure.Bicep.Types.Concrete.AnyType)
      }
      queryParametersTemplate: 'string'
      queryTimeFormat: 'string'
      queryTimeIntervalAttributeName: 'string'
      queryTimeIntervalDelimiter: 'string'
      queryTimeIntervalPrepend: 'string'
      queryWindowInMin: int
      rateLimitQPS: int
      retryCount: int
      startTimeAttributeName: 'string'
      timeoutInSeconds: int
    }
    response: {
      compressionAlgo: 'string'
      convertChildPropertiesToArray: bool
      csvDelimiter: 'string'
      csvEscape: 'string'
      eventsJsonPaths: [
        'string'
      ]
      format: 'string'
      hasCsvBoundary: bool
      hasCsvHeader: bool
      isGzipCompressed: bool
      successStatusJsonPath: 'string'
      successStatusValue: 'string'
    }
  }
}

For ThreatIntelligence, use:

{
  kind: 'ThreatIntelligence'
  properties: {
    dataTypes: {
      indicators: {
        state: 'string'
      }
    }
    tenantId: 'string'
    tipLookbackPeriod: 'string'
  }
}

CcpAuthConfig objects

Set the type property to specify the type of object.

For APIKey, use:

{
  apiKey: 'string'
  apiKeyIdentifier: 'string'
  apiKeyName: 'string'
  isApiKeyInPostPayload: bool
  type: 'APIKey'
}

For AWS, use:

{
  externalId: 'string'
  roleArn: 'string'
  type: 'AWS'
}

For Basic, use:

{
  password: 'string'
  type: 'Basic'
  userName: 'string'
}

For GCP, use:

{
  projectNumber: 'string'
  serviceAccountEmail: 'string'
  type: 'GCP'
  workloadIdentityProviderId: 'string'
}

For GitHub, use:

{
  installationId: 'string'
  type: 'GitHub'
}

For JwtToken, use:

{
  headers: {
    {customized property}: 'string'
  }
  isCredentialsInHeaders: bool
  isJsonRequest: bool
  password: {
    {customized property}: 'string'
  }
  queryParameters: {
    {customized property}: 'string'
  }
  requestTimeoutInSeconds: int
  tokenEndpoint: 'string'
  type: 'JwtToken'
  userName: {
    {customized property}: 'string'
  }
}

For None, use:

{
  type: 'None'
}

For OAuth2, use:

{
  accessTokenPrepend: 'string'
  authorizationCode: 'string'
  authorizationEndpoint: 'string'
  authorizationEndpointHeaders: {
    {customized property}: 'string'
  }
  authorizationEndpointQueryParameters: {
    {customized property}: 'string'
  }
  clientId: 'string'
  clientSecret: 'string'
  grantType: 'string'
  isCredentialsInHeaders: bool
  isJwtBearerFlow: bool
  redirectUri: 'string'
  scope: 'string'
  tokenEndpoint: 'string'
  tokenEndpointHeaders: {
    {customized property}: 'string'
  }
  tokenEndpointQueryParameters: {
    {customized property}: 'string'
  }
  type: 'OAuth2'
}

For Oracle, use:

{
  pemFile: 'string'
  publicFingerprint: 'string'
  tenantId: 'string'
  type: 'Oracle'
  userId: 'string'
}

For ServiceBus, use:

{
  credentialsConfig: {
    {customized property}: 'string'
  }
  storageAccountCredentialsConfig: {
    {customized property}: 'string'
  }
  type: 'ServiceBus'
}

For Session, use:

{
  headers: {
    {customized property}: 'string'
  }
  isPostPayloadJson: bool
  password: {
    {customized property}: 'string'
  }
  queryParameters: {
    {customized property}: any(Azure.Bicep.Types.Concrete.AnyType)
  }
  sessionIdName: 'string'
  sessionLoginRequestUri: 'string'
  sessionTimeoutInMinutes: int
  type: 'Session'
  userName: {
    {customized property}: 'string'
  }
}

Property values

AADDataConnector

Name Description Value
kind The data connector kind 'AzureActiveDirectory' (required)
properties AAD (Azure Active Directory) data connector properties. AADDataConnectorProperties

AADDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. AlertsDataTypeOfDataConnector
tenantId The tenant id to connect to, and get the data from. string

AatpDataConnector

Name Description Value
kind The data connector kind 'AzureAdvancedThreatProtection' (required)
properties AATP (Azure Advanced Threat Protection) data connector properties. AatpDataConnectorProperties

AatpDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. AlertsDataTypeOfDataConnector
tenantId The tenant id to connect to, and get the data from. string

AlertsDataTypeOfDataConnector

Name Description Value
alerts Alerts data type connection. DataConnectorDataTypeCommon

ApiKeyAuthModel

Name Description Value
apiKey API Key for the user secret key credential string (required)
apiKeyIdentifier API Key Identifier string
apiKeyName API Key name string (required)
isApiKeyInPostPayload Flag to indicate if API key is set in HTTP POST payload bool
type The auth type 'APIKey' (required)

ASCDataConnector

Name Description Value
kind The data connector kind 'AzureSecurityCenter' (required)
properties ASC (Azure Security Center) data connector properties. ASCDataConnectorProperties

ASCDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. AlertsDataTypeOfDataConnector
subscriptionId The subscription id to connect to, and get the data from. string

AWSAuthModel

Name Description Value
externalId AWS STS assume role external ID. This is used to prevent the confused deputy problem: 'https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html' string
roleArn AWS STS assume role ARN string (required)
type The auth type 'AWS' (required)

AwsCloudTrailDataConnector

Name Description Value
kind The data connector kind 'AmazonWebServicesCloudTrail' (required)
properties Amazon Web Services CloudTrail data connector properties. AwsCloudTrailDataConnectorProperties

AwsCloudTrailDataConnectorDataTypes

Name Description Value
logs Logs data type. AwsCloudTrailDataConnectorDataTypesLogs

AwsCloudTrailDataConnectorDataTypesLogs

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled', 'Enabled'

AwsCloudTrailDataConnectorProperties

Name Description Value
awsRoleArn The Aws Role Arn (with CloudTrailReadOnly policy) that is used to access the Aws account. string
dataTypes The available data types for the connector. AwsCloudTrailDataConnectorDataTypes

BasicAuthModel

Name Description Value
password The password string (required)
type The auth type 'Basic' (required)
userName The user name. string (required)

CcpAuthConfig

Name Description Value
type Set to 'APIKey' for type ApiKeyAuthModel. Set to 'AWS' for type AWSAuthModel. Set to 'Basic' for type BasicAuthModel. Set to 'GCP' for type GCPAuthModel. Set to 'GitHub' for type GitHubAuthModel. Set to 'JwtToken' for type JwtAuthModel. Set to 'None' for type NoneAuthModel. Set to 'OAuth2' for type OAuthModel. Set to 'Oracle' for type OracleAuthModel. Set to 'ServiceBus' for type GenericBlobSbsAuthModel. Set to 'Session' for type SessionAuthModel. 'APIKey', 'AWS', 'Basic', 'GCP', 'GitHub', 'JwtToken', 'None', 'OAuth2', 'Oracle', 'ServiceBus', 'Session' (required)

CcpResponseConfig

Name Description Value
compressionAlgo The compression algorithm. For example: 'gzip', 'multi-gzip', 'deflate'. string
convertChildPropertiesToArray The value indicating whether the response isn't an array of events / logs. Setting this flag to true means the remote server will respond with an object in which each property has an array of events / logs as its value. bool
csvDelimiter The CSV delimiter, in case the response format is CSV. string
csvEscape The character used to escape characters in CSV. string (Constraints: Min length = 1, Max length = 1)
eventsJsonPaths The JSON paths; the '$' char is the JSON root. string[] (required)
format The response format. Possible values are json, csv, xml. string
hasCsvBoundary The value indicating whether the response has a CSV boundary, in case the response is in CSV format. bool
hasCsvHeader The value indicating whether the response has headers, in case the response is in CSV format. bool
isGzipCompressed The value indicating whether the remote server supports Gzip and we should expect a Gzip response. bool
successStatusJsonPath The value where the status message/code should appear in the response. string
successStatusValue The status value. string

DataConnectorDataTypeCommon

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled', 'Enabled'

DCRConfiguration

Name Description Value
dataCollectionEndpoint Represents the data collection ingestion endpoint in log analytics. string (required)
dataCollectionRuleImmutableId The data collection rule immutable id, the rule defines the transformation and data destination. string (required)
streamName The stream we are sending the data to. string (required)

GCPAuthModel

Name Description Value
projectNumber GCP Project Number string (required)
serviceAccountEmail GCP Service Account Email string (required)
type The auth type 'GCP' (required)
workloadIdentityProviderId GCP Workload Identity Provider ID string (required)

GenericBlobSbsAuthModel

Name Description Value
credentialsConfig Credentials for service bus namespace, keyvault uri for access key GenericBlobSbsAuthModelCredentialsConfig
storageAccountCredentialsConfig Credentials for storage account, keyvault uri for access key GenericBlobSbsAuthModelStorageAccountCredentialsConfig
type The auth type 'ServiceBus' (required)

GenericBlobSbsAuthModelCredentialsConfig

Name Description Value

GenericBlobSbsAuthModelStorageAccountCredentialsConfig

Name Description Value

GitHubAuthModel

Name Description Value
installationId The GitHubApp auth installation id. string
type The auth type 'GitHub' (required)

JwtAuthModel

Name Description Value
headers The custom headers we want to add when we send the request to the token endpoint. JwtAuthModelHeaders
isCredentialsInHeaders Flag indicating whether we want to send the user name and password to the token endpoint in the headers. bool
isJsonRequest Flag indicating whether the body request is JSON (header Content-Type = application/json); otherwise it's a form URL encoded request (header Content-Type = application/x-www-form-urlencoded). bool
password The password JwtAuthModelPassword (required)
queryParameters The custom query parameters we want to add when we send the request to the token endpoint. JwtAuthModelQueryParameters
requestTimeoutInSeconds Request timeout in seconds. int (Constraints: Max value = 180)
tokenEndpoint Token endpoint to request JWT string (required)
type The auth type 'JwtToken' (required)
userName The user name. If the user name and password are sent in the request header, we only need to populate the value property with the user name (same as basic auth). If the user name and password are sent in the request body, we need to specify the Key and Value. JwtAuthModelUserName (required)

JwtAuthModelHeaders

Name Description Value

JwtAuthModelPassword

Name Description Value

JwtAuthModelQueryParameters

Name Description Value

JwtAuthModelUserName

Name Description Value

McasDataConnector

Name Description Value
kind The data connector kind 'MicrosoftCloudAppSecurity' (required)
properties MCAS (Microsoft Cloud App Security) data connector properties. McasDataConnectorProperties

McasDataConnectorDataTypes

Name Description Value
alerts Alerts data type connection. DataConnectorDataTypeCommon
discoveryLogs Discovery log data type connection. DataConnectorDataTypeCommon

McasDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. McasDataConnectorDataTypes
tenantId The tenant id to connect to, and get the data from. string

MdatpDataConnector

Name Description Value
kind The data connector kind 'MicrosoftDefenderAdvancedThreatProtection' (required)
properties MDATP (Microsoft Defender Advanced Threat Protection) data connector properties. MdatpDataConnectorProperties

MdatpDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. AlertsDataTypeOfDataConnector
tenantId The tenant id to connect to, and get the data from. string

Microsoft.SecurityInsights/dataConnectors

Name Description Value
etag Etag of the azure resource string
kind Set to 'AmazonWebServicesCloudTrail' for type AwsCloudTrailDataConnector. Set to 'AzureActiveDirectory' for type AADDataConnector. Set to 'AzureAdvancedThreatProtection' for type AatpDataConnector. Set to 'AzureSecurityCenter' for type ASCDataConnector. Set to 'MicrosoftCloudAppSecurity' for type McasDataConnector. Set to 'MicrosoftDefenderAdvancedThreatProtection' for type MdatpDataConnector. Set to 'MicrosoftThreatIntelligence' for type MstiDataConnector. Set to 'Office365' for type OfficeDataConnector. Set to 'PremiumMicrosoftDefenderForThreatIntelligence' for type PremiumMicrosoftDefenderForThreatIntelligence. Set to 'RestApiPoller' for type RestApiPollerDataConnector. Set to 'ThreatIntelligence' for type TIDataConnector. 'AmazonWebServicesCloudTrail', 'AzureActiveDirectory', 'AzureAdvancedThreatProtection', 'AzureSecurityCenter', 'MicrosoftCloudAppSecurity', 'MicrosoftDefenderAdvancedThreatProtection', 'MicrosoftThreatIntelligence', 'Office365', 'PremiumMicrosoftDefenderForThreatIntelligence', 'RestApiPoller', 'ThreatIntelligence' (required)
name The resource name string (required)
scope Use when creating a resource at a scope that is different than the deployment scope. Set this property to the symbolic name of a resource to apply the extension resource.

MstiDataConnector

Name Description Value
kind The data connector kind 'MicrosoftThreatIntelligence' (required)
properties Microsoft Threat Intelligence data connector properties. MstiDataConnectorProperties

MstiDataConnectorDataTypes

Name Description Value
microsoftEmergingThreatFeed Data type for Microsoft Threat Intelligence data connector. MstiDataConnectorDataTypesMicrosoftEmergingThreatFeed (required)

MstiDataConnectorDataTypesMicrosoftEmergingThreatFeed

Name Description Value
lookbackPeriod The lookback period for the feed to be imported. The date-time to begin importing the feed from, for example: 2024-01-01T00:00:00.000Z. string (required)
state Describe whether this data type connection is enabled or not. 'Disabled', 'Enabled'

MstiDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. MstiDataConnectorDataTypes (required)
tenantId The tenant id to connect to, and get the data from. string

NoneAuthModel

Name Description Value
type The auth type 'None' (required)

OAuthModel

Name Description Value
accessTokenPrepend Access token prepend. Default is 'Bearer'. string
authorizationCode The user's authorization code. string
authorizationEndpoint The authorization endpoint. string
authorizationEndpointHeaders The authorization endpoint headers. OAuthModelAuthorizationEndpointHeaders
authorizationEndpointQueryParameters The authorization endpoint query parameters. OAuthModelAuthorizationEndpointQueryParameters
clientId The Application (client) ID that the OAuth provider assigned to your app. string (required)
clientSecret The Application (client) secret that the OAuth provider assigned to your app. string (required)
grantType The grant type, usually will be 'authorization code'. string (required)
isCredentialsInHeaders Indicates whether we want to send the clientId and clientSecret to the token endpoint in the headers. bool
isJwtBearerFlow A value indicating whether it's a JWT flow. bool
redirectUri The application redirect URL that the user configured in the OAuth provider. string
scope The Application (client) Scope that the OAuth provider assigned to your app. string
tokenEndpoint The token endpoint. Defines the OAuth2 refresh token. string (required)
tokenEndpointHeaders The token endpoint headers. OAuthModelTokenEndpointHeaders
tokenEndpointQueryParameters The token endpoint query parameters. OAuthModelTokenEndpointQueryParameters
type The auth type 'OAuth2' (required)

OAuthModelAuthorizationEndpointHeaders

Name Description Value

OAuthModelAuthorizationEndpointQueryParameters

Name Description Value

OAuthModelTokenEndpointHeaders

Name Description Value

OAuthModelTokenEndpointQueryParameters

Name Description Value

OfficeDataConnector

Name Description Value
kind The data connector kind 'Office365' (required)
properties Office data connector properties. OfficeDataConnectorProperties

OfficeDataConnectorDataTypes

Name Description Value
exchange Exchange data type connection. OfficeDataConnectorDataTypesExchange
sharePoint SharePoint data type connection. OfficeDataConnectorDataTypesSharePoint
teams Teams data type connection. OfficeDataConnectorDataTypesTeams

OfficeDataConnectorDataTypesExchange

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled', 'Enabled'

OfficeDataConnectorDataTypesSharePoint

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled', 'Enabled'

OfficeDataConnectorDataTypesTeams

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled', 'Enabled'

OfficeDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. OfficeDataConnectorDataTypes
tenantId The tenant id to connect to, and get the data from. string

OracleAuthModel

Name Description Value
pemFile Content of the PEM file string (required)
publicFingerprint Public Fingerprint string (required)
tenantId Oracle tenant ID string (required)
type The auth type 'Oracle' (required)
userId Oracle user ID string (required)

PremiumMdtiDataConnectorDataTypes

Name Description Value
connector Data type for Premium Microsoft Defender for Threat Intelligence data connector. PremiumMdtiDataConnectorDataTypesConnector (required)

PremiumMdtiDataConnectorDataTypesConnector

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled', 'Enabled'

PremiumMdtiDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. PremiumMdtiDataConnectorDataTypes (required)
lookbackPeriod The lookback period for the feed to be imported. The date-time to begin importing the feed from, for example: 2024-01-01T00:00:00.000Z. string (required)
requiredSKUsPresent The flag to indicate whether the tenant has the premium SKU required to access this connector. bool
tenantId The tenant id to connect to, and get the data from. string

PremiumMicrosoftDefenderForThreatIntelligence

Name Description Value
kind The data connector kind 'PremiumMicrosoftDefenderForThreatIntelligence' (required)
properties Premium Microsoft Defender for Threat Intelligence data connector properties. PremiumMdtiDataConnectorProperties

RestApiPollerDataConnector

Name Description Value
kind The data connector kind 'RestApiPoller' (required)
properties Rest Api Poller data connector properties. RestApiPollerDataConnectorProperties

RestApiPollerDataConnectorProperties

Name Description Value
addOnAttributes The add on attributes. The key name will become attribute name (a column) and the value will become the attribute value in the payload. RestApiPollerDataConnectorPropertiesAddOnAttributes
auth The authentication model. CcpAuthConfig (required)
connectorDefinitionName The connector definition name (the dataConnectorDefinition resource id). string (required)
dataType The Log Analytics table destination. string
dcrConfig The DCR related properties. DCRConfiguration
isActive Indicates whether the connector is active or not. bool
paging The paging configuration. RestApiPollerRequestPagingConfig
request The request configuration. RestApiPollerRequestConfig (required)
response The response configuration. CcpResponseConfig

RestApiPollerDataConnectorPropertiesAddOnAttributes

Name Description Value

RestApiPollerRequestConfig

Name Description Value
apiEndpoint The API endpoint. string (required)
endTimeAttributeName The query parameter name that the remote server expects for the end of the query. This property goes hand in hand with startTimeAttributeName. string
headers The header for the request for the remote server. RestApiPollerRequestConfigHeaders
httpMethod The HTTP method, default value GET. 'DELETE', 'GET', 'POST', 'PUT'
isPostPayloadJson Flag to indicate if HTTP POST payload is in JSON format (vs form-urlencoded). bool
queryParameters The HTTP query parameters to RESTful API. RestApiPollerRequestConfigQueryParameters
queryParametersTemplate The query parameters template. Defines the query parameters template to use when passing query parameters in advanced scenarios. string
queryTimeFormat The query time format. A remote server can have a query to pull data from range 'start' to 'end'. This property indicates the time format that the remote server expects and can parse. string
queryTimeIntervalAttributeName The query parameter name that we need to send to the server to query logs in a time interval. Should be defined with queryTimeIntervalPrepend and queryTimeIntervalDelimiter. string
queryTimeIntervalDelimiter The delimiter string between 2 QueryTimeFormat in the query parameter queryTimeIntervalAttributeName. string
queryTimeIntervalPrepend The string prepended to the value of the query parameter in queryTimeIntervalAttributeName. string
queryWindowInMin The query window in minutes for the request. int
rateLimitQPS The rate limit, in queries per second, for the request. int
retryCount The retry count. int
startTimeAttributeName The query parameter name that the remote server expects for the start of the query. This property goes hand in hand with endTimeAttributeName. string
timeoutInSeconds The timeout in seconds. int

RestApiPollerRequestConfigHeaders

Name Description Value

RestApiPollerRequestConfigQueryParameters

Name Description Value

RestApiPollerRequestPagingConfig

Name Description Value
pageSize Page size int
pageSizeParameterName Page size parameter name string
pagingType Type of paging 'CountBasedPaging', 'LinkHeader', 'NextPageToken', 'NextPageUrl', 'Offset', 'PersistentLinkHeader', 'PersistentToken' (required)

SessionAuthModel

Name Description Value
headers HTTP request headers to session service endpoint. SessionAuthModelHeaders
isPostPayloadJson Indicating whether API key is set in HTTP POST payload. bool
password The password attribute name. SessionAuthModelPassword (required)
queryParameters Query parameters to session service endpoint. SessionAuthModelQueryParameters
sessionIdName Session id attribute name from HTTP response header. string
sessionLoginRequestUri HTTP request URL to session service endpoint. string
sessionTimeoutInMinutes Session timeout in minutes. int
type The auth type 'Session' (required)
userName The user name attribute key value. SessionAuthModelUserName (required)

SessionAuthModelHeaders

Name Description Value

SessionAuthModelPassword

Name Description Value

SessionAuthModelQueryParameters

Name Description Value

SessionAuthModelUserName

Name Description Value

TIDataConnector

Name Description Value
kind The data connector kind 'ThreatIntelligence' (required)
properties TI (Threat Intelligence) data connector properties. TIDataConnectorProperties

TIDataConnectorDataTypes

Name Description Value
indicators Data type for indicators connection. TIDataConnectorDataTypesIndicators

TIDataConnectorDataTypesIndicators

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled', 'Enabled'

TIDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. TIDataConnectorDataTypes
tenantId The tenant id to connect to, and get the data from. string
tipLookbackPeriod The lookback period for the feed to be imported. string
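
The constraints in the property tables above can be checked before deployment. The following Python is an added example, not part of the original reference or of Microsoft's tooling: it scans the ARM JSON form of a template for RestApiPoller connectors and reports missing required auth properties, string credentials that are not bound to a securestring parameter, an AWS auth block without externalId, and out-of-range requestTimeoutInSeconds or csvEscape values. The sample template, its names and the `check_template` helper are constructed for illustration, and the check assumes resources are declared with type Microsoft.SecurityInsights/dataConnectors.

```python
"""Pre-deployment check for RestApiPoller data connectors in an ARM template (added example)."""
import re

# Assumption: connectors are declared with this resource type string.
CONNECTOR_TYPE = "Microsoft.SecurityInsights/dataConnectors"

# Properties marked "(required)" in the auth model tables, per CcpAuthConfig type.
REQUIRED = {
    "APIKey": ["apiKey", "apiKeyName"],
    "AWS": ["roleArn"],
    "Basic": ["password", "userName"],
    "GCP": ["projectNumber", "serviceAccountEmail", "workloadIdentityProviderId"],
    "JwtToken": ["password", "tokenEndpoint", "userName"],
    "OAuth2": ["clientId", "clientSecret", "grantType", "tokenEndpoint"],
    "Oracle": ["pemFile", "publicFingerprint", "tenantId", "userId"],
    "Session": ["password", "userName"],
}
# String-valued credential properties. JwtToken and Session passwords are objects whose
# inner shape the reference does not define, so they are out of scope for this check.
SECRETS = {"APIKey": ["apiKey"], "Basic": ["password"],
           "OAuth2": ["clientSecret"], "Oracle": ["pemFile"]}
# An ARM expression that is exactly one parameter reference, e.g. "[parameters('apiKey')]".
PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")


def _secret_issue(field, value, parameters):
    """Return a finding if a credential is not bound to a securestring parameter."""
    match = PARAM_REF.match(value) if isinstance(value, str) else None
    if not match:
        return f"auth.{field} is a literal or computed value, not a parameter reference"
    name = match.group(1)
    ptype = parameters.get(name, {}).get("type", "")
    if ptype.lower() != "securestring":
        return f"auth.{field} uses parameter '{name}' of type '{ptype}', not securestring"
    return None


def check_template(template):
    """Return 'connector name: finding' strings for every RestApiPoller connector."""
    parameters = template.get("parameters", {})
    findings = []
    for res in template.get("resources", []):
        if res.get("type") != CONNECTOR_TYPE or res.get("kind") != "RestApiPoller":
            continue
        props = res.get("properties", {})
        auth = props.get("auth", {})
        kind = auth.get("type")
        issues = [f"auth.{f} is required for type {kind}"
                  for f in REQUIRED.get(kind, []) if f not in auth]
        for field in SECRETS.get(kind, []):
            if field in auth:
                issue = _secret_issue(field, auth[field], parameters)
                if issue:
                    issues.append(issue)
        # externalId is optional in the schema, but it is what prevents the confused deputy problem.
        if kind == "AWS" and not auth.get("externalId"):
            issues.append("auth.externalId is not set; it prevents the confused deputy problem")
        timeout = auth.get("requestTimeoutInSeconds")
        if kind == "JwtToken" and isinstance(timeout, int) and timeout > 180:
            issues.append("auth.requestTimeoutInSeconds exceeds the documented maximum of 180")
        escape = props.get("response", {}).get("csvEscape")
        if escape is not None and len(escape) != 1:
            issues.append("response.csvEscape must be exactly one character")
        findings += [f"{res.get('name')}: {issue}" for issue in issues]
    return findings


# Constructed sample template: one clean connector and three with problems.
SAMPLE_TEMPLATE = {
    "parameters": {
        "pollerApiKey": {"type": "securestring"},
        "clientSecret": {"type": "string"},
    },
    "resources": [
        {"type": CONNECTOR_TYPE, "name": "clean-apikey", "kind": "RestApiPoller", "properties": {
            "auth": {"type": "APIKey", "apiKeyName": "X-Api-Key",
                     "apiKey": "[parameters('pollerApiKey')]"},
            "response": {"eventsJsonPaths": ["$"], "format": "csv", "csvEscape": "\\"}}},
        {"type": CONNECTOR_TYPE, "name": "aws-no-external-id", "kind": "RestApiPoller", "properties": {
            "auth": {"type": "AWS",
                     "roleArn": "arn:aws:iam::123456789012:role/ExampleSentinelRole"}}},
        {"type": CONNECTOR_TYPE, "name": "oauth-weak-param", "kind": "RestApiPoller", "properties": {
            "auth": {"type": "OAuth2", "clientId": "example-client",
                     "grantType": "authorization_code",
                     "tokenEndpoint": "https://idp.example.com/token",
                     "clientSecret": "[parameters('clientSecret')]"}}},
        {"type": CONNECTOR_TYPE, "name": "basic-literal", "kind": "RestApiPoller", "properties": {
            "auth": {"type": "Basic", "userName": "svc-poller",
                     "password": "constructed-not-a-real-secret"},
            "response": {"eventsJsonPaths": ["$"], "csvEscape": "\\\\"}}},
    ],
}

if __name__ == "__main__":
    print("\n".join(check_template(SAMPLE_TEMPLATE)))
```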

ARM template resource definition

The dataConnectors resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.SecurityInsights/dataConnectors resource, add the following JSON to your template.

{
  "etag": "string",
  "name": "string",
  "kind": "string"
  // For remaining properties, see Microsoft.SecurityInsights/dataConnectors objects
}

Microsoft.SecurityInsights/dataConnectors objects

Set the kind property to specify the type of object.

For AmazonWebServicesCloudTrail, use:

{
  "kind": "AmazonWebServicesCloudTrail",
  "properties": {
    "awsRoleArn": "string",
    "dataTypes": {
      "logs": {
        "state": "string"
      }
    }
  }
}

For AzureActiveDirectory, use:

{
  "kind": "AzureActiveDirectory",
  "properties": {
    "dataTypes": {
      "alerts": {
        "state": "string"
      }
    },
    "tenantId": "string"
  }
}

For AzureAdvancedThreatProtection, use:

{
  "kind": "AzureAdvancedThreatProtection",
  "properties": {
    "dataTypes": {
      "alerts": {
        "state": "string"
      }
    },
    "tenantId": "string"
  }
}

For AzureSecurityCenter, use:

{
  "kind": "AzureSecurityCenter",
  "properties": {
    "dataTypes": {
      "alerts": {
        "state": "string"
      }
    },
    "subscriptionId": "string"
  }
}

For MicrosoftCloudAppSecurity, use:

{
  "kind": "MicrosoftCloudAppSecurity",
  "properties": {
    "dataTypes": {
      "alerts": {
        "state": "string"
      },
      "discoveryLogs": {
        "state": "string"
      }
    },
    "tenantId": "string"
  }
}

For MicrosoftDefenderAdvancedThreatProtection, use:

{
  "kind": "MicrosoftDefenderAdvancedThreatProtection",
  "properties": {
    "dataTypes": {
      "alerts": {
        "state": "string"
      }
    },
    "tenantId": "string"
  }
}

For MicrosoftThreatIntelligence, use:

{
  "kind": "MicrosoftThreatIntelligence",
  "properties": {
    "dataTypes": {
      "microsoftEmergingThreatFeed": {
        "lookbackPeriod": "string",
        "state": "string"
      }
    },
    "tenantId": "string"
  }
}

For Office365, use:

{
  "kind": "Office365",
  "properties": {
    "dataTypes": {
      "exchange": {
        "state": "string"
      },
      "sharePoint": {
        "state": "string"
      },
      "teams": {
        "state": "string"
      }
    },
    "tenantId": "string"
  }
}

For PremiumMicrosoftDefenderForThreatIntelligence, use:

{
  "kind": "PremiumMicrosoftDefenderForThreatIntelligence",
  "properties": {
    "dataTypes": {
      "connector": {
        "state": "string"
      }
    },
    "lookbackPeriod": "string",
    "requiredSKUsPresent": "bool",
    "tenantId": "string"
  }
}

For RestApiPoller, use:

{
  "kind": "RestApiPoller",
  "properties": {
    "addOnAttributes": {
      "{customized property}": "string"
    },
    "auth": {
      "type": "string"
      // For remaining properties, see CcpAuthConfig objects
    },
    "connectorDefinitionName": "string",
    "dataType": "string",
    "dcrConfig": {
      "dataCollectionEndpoint": "string",
      "dataCollectionRuleImmutableId": "string",
      "streamName": "string"
    },
    "isActive": "bool",
    "paging": {
      "pageSize": "int",
      "pageSizeParameterName": "string",
      "pagingType": "string"
    },
    "request": {
      "apiEndpoint": "string",
      "endTimeAttributeName": "string",
      "headers": {
        "{customized property}": "string"
      },
      "httpMethod": "string",
      "isPostPayloadJson": "bool",
      "queryParameters": {
        "{customized property}": {}
      },
      "queryParametersTemplate": "string",
      "queryTimeFormat": "string",
      "queryTimeIntervalAttributeName": "string",
      "queryTimeIntervalDelimiter": "string",
      "queryTimeIntervalPrepend": "string",
      "queryWindowInMin": "int",
      "rateLimitQPS": "int",
      "retryCount": "int",
      "startTimeAttributeName": "string",
      "timeoutInSeconds": "int"
    },
    "response": {
      "compressionAlgo": "string",
      "convertChildPropertiesToArray": "bool",
      "csvDelimiter": "string",
      "csvEscape": "string",
      "eventsJsonPaths": [ "string" ],
      "format": "string",
      "hasCsvBoundary": "bool",
      "hasCsvHeader": "bool",
      "isGzipCompressed": "bool",
      "successStatusJsonPath": "string",
      "successStatusValue": "string"
    }
  }
}

For ThreatIntelligence, use:

{
  "kind": "ThreatIntelligence",
  "properties": {
    "dataTypes": {
      "indicators": {
        "state": "string"
      }
    },
    "tenantId": "string",
    "tipLookbackPeriod": "string"
  }
}

CcpAuthConfig objects

Set the type property to specify the type of object.

For APIKey, use:

{
  "apiKey": "string",
  "apiKeyIdentifier": "string",
  "apiKeyName": "string",
  "isApiKeyInPostPayload": "bool",
  "type": "APIKey"
}

For AWS, use:

{
  "externalId": "string",
  "roleArn": "string",
  "type": "AWS"
}

For Basic, use:

{
  "password": "string",
  "type": "Basic",
  "userName": "string"
}

For GCP, use:

{
  "projectNumber": "string",
  "serviceAccountEmail": "string",
  "type": "GCP",
  "workloadIdentityProviderId": "string"
}

For GitHub, use:

{
  "installationId": "string",
  "type": "GitHub"
}

For JwtToken, use:

{
  "headers": {
    "{customized property}": "string"
  },
  "isCredentialsInHeaders": "bool",
  "isJsonRequest": "bool",
  "password": {
    "{customized property}": "string"
  },
  "queryParameters": {
    "{customized property}": "string"
  },
  "requestTimeoutInSeconds": "int",
  "tokenEndpoint": "string",
  "type": "JwtToken",
  "userName": {
    "{customized property}": "string"
  }
}

For None, use:

{
  "type": "None"
}

For OAuth2, use:

{
  "accessTokenPrepend": "string",
  "authorizationCode": "string",
  "authorizationEndpoint": "string",
  "authorizationEndpointHeaders": {
    "{customized property}": "string"
  },
  "authorizationEndpointQueryParameters": {
    "{customized property}": "string"
  },
  "clientId": "string",
  "clientSecret": "string",
  "grantType": "string",
  "isCredentialsInHeaders": "bool",
  "isJwtBearerFlow": "bool",
  "redirectUri": "string",
  "scope": "string",
  "tokenEndpoint": "string",
  "tokenEndpointHeaders": {
    "{customized property}": "string"
  },
  "tokenEndpointQueryParameters": {
    "{customized property}": "string"
  },
  "type": "OAuth2"
}

For Oracle, use:

{
  "pemFile": "string",
  "publicFingerprint": "string",
  "tenantId": "string",
  "type": "Oracle",
  "userId": "string"
}

For ServiceBus, use:

{
  "credentialsConfig": {
    "{customized property}": "string"
  },
  "storageAccountCredentialsConfig": {
    "{customized property}": "string"
  },
  "type": "ServiceBus"
}

For Session, use:

{
  "headers": {
    "{customized property}": "string"
  },
  "isPostPayloadJson": "bool",
  "password": {
    "{customized property}": "string"
  },
  "queryParameters": {
    "{customized property}": {}
  },
  "sessionIdName": "string",
  "sessionLoginRequestUri": "string",
  "sessionTimeoutInMinutes": "int",
  "type": "Session",
  "userName": {
    "{customized property}": "string"
  }
}

Property values

AADDataConnector

Name Description Value
kind The data connector kind 'AzureActiveDirectory' (required)
properties AAD (Azure Active Directory) data connector properties. AADDataConnectorProperties

AADDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. AlertsDataTypeOfDataConnector
tenantId The tenant id to connect to, and get the data from. string

AatpDataConnector

Name Description Value
kind The data connector kind 'AzureAdvancedThreatProtection' (required)
properties AATP (Azure Advanced Threat Protection) data connector properties. AatpDataConnectorProperties

AatpDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. AlertsDataTypeOfDataConnector
tenantId The tenant id to connect to, and get the data from. string

AlertsDataTypeOfDataConnector

Name Description Value
alerts Alerts data type connection. DataConnectorDataTypeCommon

ApiKeyAuthModel

Name Description Value
apiKey API Key for the user secret key credential string (required)
apiKeyIdentifier API Key Identifier string
apiKeyName API Key name string (required)
isApiKeyInPostPayload Flag to indicate if API key is set in HTTP POST payload bool
type The auth type 'APIKey' (required)

ASCDataConnector

Name Description Value
kind The data connector kind 'AzureSecurityCenter' (required)
properties ASC (Azure Security Center) data connector properties. ASCDataConnectorProperties

ASCDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. AlertsDataTypeOfDataConnector
subscriptionId The subscription id to connect to, and get the data from. string

AWSAuthModel

Name Description Value
externalId AWS STS assume role external ID. This is used to prevent the confused deputy problem: 'https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html' string
roleArn AWS STS assume role ARN string (required)
type The auth type 'AWS' (required)

AwsCloudTrailDataConnector

Name Description Value
kind The data connector kind 'AmazonWebServicesCloudTrail' (required)
properties Amazon Web Services CloudTrail data connector properties. AwsCloudTrailDataConnectorProperties

AwsCloudTrailDataConnectorDataTypes

Name Description Value
logs Logs data type. AwsCloudTrailDataConnectorDataTypesLogs

AwsCloudTrailDataConnectorDataTypesLogs

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled', 'Enabled'

AwsCloudTrailDataConnectorProperties

Name Description Value
awsRoleArn The AWS role ARN (with CloudTrailReadOnly policy) that is used to access the AWS account. string
dataTypes The available data types for the connector. AwsCloudTrailDataConnectorDataTypes

BasicAuthModel

Name Description Value
password The password string (required)
type The auth type 'Basic' (required)
userName The user name. string (required)

CcpAuthConfig

Name Description Value
type Set to 'APIKey' for type ApiKeyAuthModel. Set to 'AWS' for type AWSAuthModel. Set to 'Basic' for type BasicAuthModel. Set to 'GCP' for type GCPAuthModel. Set to 'GitHub' for type GitHubAuthModel. Set to 'JwtToken' for type JwtAuthModel. Set to 'None' for type NoneAuthModel. Set to 'OAuth2' for type OAuthModel. Set to 'Oracle' for type OracleAuthModel. Set to 'ServiceBus' for type GenericBlobSbsAuthModel. Set to 'Session' for type SessionAuthModel. 'APIKey', 'AWS', 'Basic', 'GCP', 'GitHub', 'JwtToken', 'None', 'OAuth2', 'Oracle', 'ServiceBus', 'Session' (required)

CcpResponseConfig

Name Description Value
compressionAlgo The compression algorithm. For example: 'gzip', 'multi-gzip', 'deflate'. string
convertChildPropertiesToArray The value indicating whether the response isn't an array of events / logs. Setting this flag to true means the remote server will respond with an object in which each property has an array of events / logs as its value. bool
csvDelimiter The CSV delimiter, in case the response format is CSV. string
csvEscape The character used to escape characters in CSV. string (Constraints: Min length = 1, Max length = 1)
eventsJsonPaths The JSON paths; the '$' char is the JSON root. string[] (required)
format The response format. Possible values are json, csv, xml. string
hasCsvBoundary The value indicating whether the response has a CSV boundary when the response is in CSV format. bool
hasCsvHeader The value indicating whether the response has headers when the response is in CSV format. bool
isGzipCompressed The value indicating whether the remote server supports Gzip and a Gzip response should be expected. bool
successStatusJsonPath The value where the status message/code should appear in the response. string
successStatusValue The status value. string

DataConnectorDataTypeCommon

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled', 'Enabled'

DCRConfiguration

Name Description Value
dataCollectionEndpoint Represents the data collection ingestion endpoint in log analytics. string (required)
dataCollectionRuleImmutableId The data collection rule immutable id, the rule defines the transformation and data destination. string (required)
streamName The stream we are sending the data to. string (required)

GCPAuthModel

Name Description Value
projectNumber GCP Project Number string (required)
serviceAccountEmail GCP Service Account Email string (required)
type The auth type 'GCP' (required)
workloadIdentityProviderId GCP Workload Identity Provider ID string (required)

GenericBlobSbsAuthModel

Name Description Value
credentialsConfig Credentials for service bus namespace, keyvault uri for access key GenericBlobSbsAuthModelCredentialsConfig
storageAccountCredentialsConfig Credentials for storage account, keyvault uri for access key GenericBlobSbsAuthModelStorageAccountCredentialsConfig
type The auth type 'ServiceBus' (required)

GenericBlobSbsAuthModelCredentialsConfig

Name Description Value

GenericBlobSbsAuthModelStorageAccountCredentialsConfig

Name Description Value

GitHubAuthModel

Name Description Value
installationId The GitHubApp auth installation id. string
type The auth type 'GitHub' (required)

JwtAuthModel

Name Description Value
headers The custom headers to add when sending the request to the token endpoint. JwtAuthModelHeaders
isCredentialsInHeaders Flag indicating whether to send the user name and password to the token endpoint in the headers. bool
isJsonRequest Flag indicating whether the request body is JSON (header Content-Type = application/json); otherwise it is a form URL encoded request (header Content-Type = application/x-www-form-urlencoded). bool
password The password JwtAuthModelPassword (required)
queryParameters The custom query parameters to add when sending the request to the token endpoint. JwtAuthModelQueryParameters
requestTimeoutInSeconds Request timeout in seconds. int (Constraints: Max value = 180)
tokenEndpoint Token endpoint to request JWT string (required)
type The auth type 'JwtToken' (required)
userName The user name. If the user name and password are sent in the request header, only the value property needs to be populated with the user name (same as basic auth). If they are sent in the request body, the Key and Value must both be specified. JwtAuthModelUserName (required)

JwtAuthModelHeaders

Name Description Value

JwtAuthModelPassword

Name Description Value

JwtAuthModelQueryParameters

Name Description Value

JwtAuthModelUserName

Name Description Value

McasDataConnector

Name Description Value
kind The data connector kind 'MicrosoftCloudAppSecurity' (required)
properties MCAS (Microsoft Cloud App Security) data connector properties. McasDataConnectorProperties

McasDataConnectorDataTypes

Name Description Value
alerts Alerts data type connection. DataConnectorDataTypeCommon
discoveryLogs Discovery log data type connection. DataConnectorDataTypeCommon

McasDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. McasDataConnectorDataTypes
tenantId The tenant id to connect to, and get the data from. string

MdatpDataConnector

Name Description Value
kind The data connector kind 'MicrosoftDefenderAdvancedThreatProtection' (required)
properties MDATP (Microsoft Defender Advanced Threat Protection) data connector properties. MdatpDataConnectorProperties

MdatpDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. AlertsDataTypeOfDataConnector
tenantId The tenant id to connect to, and get the data from. string

Microsoft.SecurityInsights/dataConnectors

Name Description Value
apiVersion The api version '2024-09-01'
etag Etag of the azure resource string
kind Set to 'AmazonWebServicesCloudTrail' for type AwsCloudTrailDataConnector. Set to 'AzureActiveDirectory' for type AADDataConnector. Set to 'AzureAdvancedThreatProtection' for type AatpDataConnector. Set to 'AzureSecurityCenter' for type ASCDataConnector. Set to 'MicrosoftCloudAppSecurity' for type McasDataConnector. Set to 'MicrosoftDefenderAdvancedThreatProtection' for type MdatpDataConnector. Set to 'MicrosoftThreatIntelligence' for type MstiDataConnector. Set to 'Office365' for type OfficeDataConnector. Set to 'PremiumMicrosoftDefenderForThreatIntelligence' for type PremiumMicrosoftDefenderForThreatIntelligence. Set to 'RestApiPoller' for type RestApiPollerDataConnector. Set to 'ThreatIntelligence' for type TIDataConnector. 'AmazonWebServicesCloudTrail', 'AzureActiveDirectory', 'AzureAdvancedThreatProtection', 'AzureSecurityCenter', 'MicrosoftCloudAppSecurity', 'MicrosoftDefenderAdvancedThreatProtection', 'MicrosoftThreatIntelligence', 'Office365', 'PremiumMicrosoftDefenderForThreatIntelligence', 'RestApiPoller', 'ThreatIntelligence' (required)
name The resource name string (required)
type The resource type 'Microsoft.SecurityInsights/dataConnectors'

MstiDataConnector

Name Description Value
kind The data connector kind 'MicrosoftThreatIntelligence' (required)
properties Microsoft Threat Intelligence data connector properties. MstiDataConnectorProperties

MstiDataConnectorDataTypes

Name Description Value
microsoftEmergingThreatFeed Data type for Microsoft Threat Intelligence data connector. MstiDataConnectorDataTypesMicrosoftEmergingThreatFeed (required)

MstiDataConnectorDataTypesMicrosoftEmergingThreatFeed

Name Description Value
lookbackPeriod The lookback period for the feed to be imported. The date-time to begin importing the feed from, for example: 2024-01-01T00:00:00.000Z. string (required)
state Describe whether this data type connection is enabled or not. 'Disabled', 'Enabled'

MstiDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. MstiDataConnectorDataTypes (required)
tenantId The tenant id to connect to, and get the data from. string

NoneAuthModel

Name Description Value
type The auth type 'None' (required)

OAuthModel

Name Description Value
accessTokenPrepend Access token prepend. Default is 'Bearer'. string
authorizationCode The user's authorization code. string
authorizationEndpoint The authorization endpoint. string
authorizationEndpointHeaders The authorization endpoint headers. OAuthModelAuthorizationEndpointHeaders
authorizationEndpointQueryParameters The authorization endpoint query parameters. OAuthModelAuthorizationEndpointQueryParameters
clientId The Application (client) ID that the OAuth provider assigned to your app. string (required)
clientSecret The Application (client) secret that the OAuth provider assigned to your app. string (required)
grantType The grant type, usually will be 'authorization code'. string (required)
isCredentialsInHeaders Indicating whether we want to send the clientId and clientSecret to token endpoint in the headers. bool
isJwtBearerFlow A value indicating whether it's a JWT flow. bool
redirectUri The Application redirect URL that the user configured in the OAuth provider. string
scope The Application (client) Scope that the OAuth provider assigned to your app. string
tokenEndpoint The token endpoint. Defines the OAuth2 refresh token. string (required)
tokenEndpointHeaders The token endpoint headers. OAuthModelTokenEndpointHeaders
tokenEndpointQueryParameters The token endpoint query parameters. OAuthModelTokenEndpointQueryParameters
type The auth type 'OAuth2' (required)

OAuthModelAuthorizationEndpointHeaders

Name Description Value

OAuthModelAuthorizationEndpointQueryParameters

Name Description Value

OAuthModelTokenEndpointHeaders

Name Description Value

OAuthModelTokenEndpointQueryParameters

Name Description Value

OfficeDataConnector

Name Description Value
kind The data connector kind 'Office365' (required)
properties Office data connector properties. OfficeDataConnectorProperties

OfficeDataConnectorDataTypes

Name Description Value
exchange Exchange data type connection. OfficeDataConnectorDataTypesExchange
sharePoint SharePoint data type connection. OfficeDataConnectorDataTypesSharePoint
teams Teams data type connection. OfficeDataConnectorDataTypesTeams

OfficeDataConnectorDataTypesExchange

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled', 'Enabled'

OfficeDataConnectorDataTypesSharePoint

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled', 'Enabled'

OfficeDataConnectorDataTypesTeams

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled', 'Enabled'

OfficeDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. OfficeDataConnectorDataTypes
tenantId The tenant id to connect to, and get the data from. string

OracleAuthModel

Name Description Value
pemFile Content of the PEM file string (required)
publicFingerprint Public Fingerprint string (required)
tenantId Oracle tenant ID string (required)
type The auth type 'Oracle' (required)
userId Oracle user ID string (required)

PremiumMdtiDataConnectorDataTypes

Name Description Value
connector Data type for Premium Microsoft Defender for Threat Intelligence data connector. PremiumMdtiDataConnectorDataTypesConnector (required)

PremiumMdtiDataConnectorDataTypesConnector

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled', 'Enabled'

PremiumMdtiDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. PremiumMdtiDataConnectorDataTypes (required)
lookbackPeriod The lookback period for the feed to be imported. The date-time to begin importing the feed from, for example: 2024-01-01T00:00:00.000Z. string (required)
requiredSKUsPresent The flag to indicate whether the tenant has the premium SKU required to access this connector. bool
tenantId The tenant id to connect to, and get the data from. string

PremiumMicrosoftDefenderForThreatIntelligence

Name Description Value
kind The data connector kind 'PremiumMicrosoftDefenderForThreatIntelligence' (required)
properties Premium Microsoft Defender for Threat Intelligence data connector properties. PremiumMdtiDataConnectorProperties

RestApiPollerDataConnector

Name Description Value
kind The data connector kind 'RestApiPoller' (required)
properties Rest Api Poller data connector properties. RestApiPollerDataConnectorProperties

RestApiPollerDataConnectorProperties

Name Description Value
addOnAttributes The add on attributes. The key name will become attribute name (a column) and the value will become the attribute value in the payload. RestApiPollerDataConnectorPropertiesAddOnAttributes
auth The authentication model. CcpAuthConfig (required)
connectorDefinitionName The connector definition name (the dataConnectorDefinition resource id). string (required)
dataType The Log Analytics table destination. string
dcrConfig The DCR related properties. DCRConfiguration
isActive Indicates whether the connector is active or not. bool
paging The paging configuration. RestApiPollerRequestPagingConfig
request The request configuration. RestApiPollerRequestConfig (required)
response The response configuration. CcpResponseConfig

RestApiPollerDataConnectorPropertiesAddOnAttributes

Name Description Value

RestApiPollerRequestConfig

Name Description Value
apiEndpoint The API endpoint. string (required)
endTimeAttributeName The query parameter name that the remote server expects for the end of the query. This property goes hand in hand with startTimeAttributeName. string
headers The headers of the request to the remote server. RestApiPollerRequestConfigHeaders
httpMethod The HTTP method, default value GET. 'DELETE', 'GET', 'POST', 'PUT'
isPostPayloadJson Flag to indicate if HTTP POST payload is in JSON format (vs form-urlencoded). bool
queryParameters The HTTP query parameters to RESTful API. RestApiPollerRequestConfigQueryParameters
queryParametersTemplate The query parameters template. Defines the query parameters template to use when passing query parameters in advanced scenarios. string
queryTimeFormat The query time format. A remote server can have a query that pulls data over a range from 'start' to 'end'. This property indicates the time format the remote server expects to parse. string
queryTimeIntervalAttributeName The query parameter name to send to the server when querying logs by time interval. Should be defined with queryTimeIntervalPrepend and queryTimeIntervalDelimiter. string
queryTimeIntervalDelimiter The delimiter string between the two QueryTimeFormat values in the query parameter queryTimeIntervalAttributeName. string
queryTimeIntervalPrepend The string prepended to the value of the query parameter in queryTimeIntervalAttributeName. string
queryWindowInMin The query window in minutes for the request. int
rateLimitQPS The rate limit in queries per second for the request. int
retryCount The retry count. int
startTimeAttributeName The query parameter name that the remote server expects for the start of the query. This property goes hand in hand with endTimeAttributeName. string
timeoutInSeconds The timeout in seconds. int

RestApiPollerRequestConfigHeaders

Name Description Value

RestApiPollerRequestConfigQueryParameters

Name Description Value

RestApiPollerRequestPagingConfig

Name Description Value
pageSize Page size int
pageSizeParameterName Page size parameter name string
pagingType Type of paging 'CountBasedPaging', 'LinkHeader', 'NextPageToken', 'NextPageUrl', 'Offset', 'PersistentLinkHeader', 'PersistentToken' (required)

SessionAuthModel

Name Description Value
headers HTTP request headers to session service endpoint. SessionAuthModelHeaders
isPostPayloadJson Indicating whether API key is set in HTTP POST payload. bool
password The password attribute name. SessionAuthModelPassword (required)
queryParameters Query parameters to session service endpoint. SessionAuthModelQueryParameters
sessionIdName Session id attribute name from HTTP response header. string
sessionLoginRequestUri HTTP request URL to session service endpoint. string
sessionTimeoutInMinutes Session timeout in minutes. int
type The auth type 'Session' (required)
userName The user name attribute key value. SessionAuthModelUserName (required)

SessionAuthModelHeaders

Name Description Value

SessionAuthModelPassword

Name Description Value

SessionAuthModelQueryParameters

Name Description Value

SessionAuthModelUserName

Name Description Value

TIDataConnector

Name Description Value
kind The data connector kind 'ThreatIntelligence' (required)
properties TI (Threat Intelligence) data connector properties. TIDataConnectorProperties

TIDataConnectorDataTypes

Name Description Value
indicators Data type for indicators connection. TIDataConnectorDataTypesIndicators

TIDataConnectorDataTypesIndicators

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled', 'Enabled'

TIDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. TIDataConnectorDataTypes
tenantId The tenant id to connect to, and get the data from. string
tipLookbackPeriod The lookback period for the feed to be imported. string
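
The required flags and constraints in the tables above can be checked before deployment. The following Python lint for RestApiPoller resources in an ARM template is an added example, not part of the Microsoft reference; the function names, the sample template, the choice of secret fields, and the rule that a "[...]" ARM expression counts as a non-literal value are assumptions of this example.

```python
RESOURCE_TYPE = "Microsoft.SecurityInsights/dataConnectors"
# Required properties per CcpAuthConfig type, copied from the property tables.
AUTH_REQUIRED = {
    "APIKey": ("apiKey", "apiKeyName"),
    "AWS": ("roleArn",),
    "Basic": ("password", "userName"),
    "GCP": ("projectNumber", "serviceAccountEmail", "workloadIdentityProviderId"),
    "JwtToken": ("password", "tokenEndpoint", "userName"),
    "OAuth2": ("clientId", "clientSecret", "grantType", "tokenEndpoint"),
    "Oracle": ("pemFile", "publicFingerprint", "tenantId", "userId"),
    "Session": ("password", "userName"),
    "GitHub": (), "None": (), "ServiceBus": (),
}
SECRET_FIELDS = ("apiKey", "password", "clientSecret", "pemFile")  # this example's choice


def is_arm_expression(value):
    """True for ARM template expressions such as "[parameters('x')]"."""
    return (isinstance(value, str) and value.startswith("[")
            and value.endswith("]") and not value.startswith("[["))


def lint_auth(auth):
    """Check one CcpAuthConfig object; returns a list of finding strings."""
    auth_type = auth.get("type")
    if auth_type not in AUTH_REQUIRED:
        return [f"auth.type {auth_type!r} is not a documented CcpAuthConfig type"]
    findings = [f"auth.{f} is required for type {auth_type}"
                for f in AUTH_REQUIRED[auth_type] if f not in auth]
    if auth_type == "None":
        findings.append("auth.type is 'None': confirm the API really needs no credentials")
    if auth_type == "AWS" and not auth.get("externalId"):
        findings.append("auth.externalId is not set (confused deputy protection)")
    timeout = auth.get("requestTimeoutInSeconds")
    if auth_type == "JwtToken" and isinstance(timeout, int) and timeout > 180:
        findings.append("auth.requestTimeoutInSeconds exceeds the maximum of 180")
    for field in SECRET_FIELDS:
        value = auth.get(field)
        # JwtToken and Session carry the password as an object of key/value pairs.
        values = value.values() if isinstance(value, dict) else [value]
        if any(isinstance(v, str) and not is_arm_expression(v) for v in values):
            findings.append(f"auth.{field} is a literal string; supply it from a secure parameter")
    return findings


def lint_connector(resource):
    """Check one dataConnectors resource against the documented schema."""
    if resource.get("kind") != "RestApiPoller":
        return []  # only RestApiPoller carries a CcpAuthConfig
    props = resource.get("properties", {})
    findings = [f"properties.{f} is required"
                for f in ("auth", "connectorDefinitionName", "request") if f not in props]
    if "auth" in props:
        findings += lint_auth(props["auth"])
    if "request" in props and "apiEndpoint" not in props["request"]:
        findings.append("request.apiEndpoint is required")
    response = props.get("response")
    if response is not None:
        if not response.get("eventsJsonPaths"):
            findings.append("response.eventsJsonPaths is required")
        escape = response.get("csvEscape")
        if isinstance(escape, str) and not is_arm_expression(escape) and len(escape) != 1:
            findings.append("response.csvEscape must be exactly one character")
    return findings


def lint_template(template):
    """Map each dataConnectors resource name to its findings."""
    return {r.get("name"): lint_connector(r)
            for r in template.get("resources", []) if r.get("type") == RESOURCE_TYPE}


# Constructed sample template: names, endpoints, role ARN and secrets are made up.
SAMPLE_TEMPLATE = {"resources": [
    {"type": RESOURCE_TYPE, "name": "aws-no-external-id", "kind": "RestApiPoller", "properties": {
        "connectorDefinitionName": "ExampleDefinition",
        "auth": {"type": "AWS", "roleArn": "arn:aws:iam::111122223333:role/ExampleRole"},
        "request": {"apiEndpoint": "https://api.example.com/logs"}}},
    {"type": RESOURCE_TYPE, "name": "jwt-literal-secret", "kind": "RestApiPoller", "properties": {
        "connectorDefinitionName": "ExampleDefinition",
        "auth": {"type": "JwtToken", "tokenEndpoint": "https://api.example.com/token",
                 "userName": {"user": "[parameters('jwtUser')]"},
                 "password": {"password": "Sup3rSecret!"}, "requestTimeoutInSeconds": 300},
        "request": {"apiEndpoint": "https://api.example.com/events"},
        "response": {"format": "csv", "csvEscape": "\\\\"}}},
    {"type": RESOURCE_TYPE, "name": "oauth-ok", "kind": "RestApiPoller", "properties": {
        "connectorDefinitionName": "ExampleDefinition",
        "auth": {"type": "OAuth2", "clientId": "[parameters('clientId')]",
                 "clientSecret": "[parameters('clientSecret')]",
                 "grantType": "client_credentials",
                 "tokenEndpoint": "https://api.example.com/token"},
        "request": {"apiEndpoint": "https://api.example.com/alerts"},
        "response": {"eventsJsonPaths": ["$.value"]}}},
]}

if __name__ == "__main__":
    for name, findings in lint_template(SAMPLE_TEMPLATE).items():
        print(name, "->", findings or "no findings")
```
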

Terraform (AzAPI provider) resource definition

The dataConnectors resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.SecurityInsights/dataConnectors resource, add the following Terraform to your template.

resource "azapi_resource" "symbolicname" {
  etag = "string"
  name = "string"
  kind = "string"
  // For remaining properties, see Microsoft.SecurityInsights/dataConnectors objects
}

Microsoft.SecurityInsights/dataConnectors objects

Set the kind property to specify the type of object.

For AmazonWebServicesCloudTrail, use:

{
  kind = "AmazonWebServicesCloudTrail"
  properties = {
    awsRoleArn = "string"
    dataTypes = {
      logs = {
        state = "string"
      }
    }
  }
}

For AzureActiveDirectory, use:

{
  kind = "AzureActiveDirectory"
  properties = {
    dataTypes = {
      alerts = {
        state = "string"
      }
    }
    tenantId = "string"
  }
}

For AzureAdvancedThreatProtection, use:

{
  kind = "AzureAdvancedThreatProtection"
  properties = {
    dataTypes = {
      alerts = {
        state = "string"
      }
    }
    tenantId = "string"
  }
}

For AzureSecurityCenter, use:

{
  kind = "AzureSecurityCenter"
  properties = {
    dataTypes = {
      alerts = {
        state = "string"
      }
    }
    subscriptionId = "string"
  }
}

For MicrosoftCloudAppSecurity, use:

{
  kind = "MicrosoftCloudAppSecurity"
  properties = {
    dataTypes = {
      alerts = {
        state = "string"
      }
      discoveryLogs = {
        state = "string"
      }
    }
    tenantId = "string"
  }
}

For MicrosoftDefenderAdvancedThreatProtection, use:

{
  kind = "MicrosoftDefenderAdvancedThreatProtection"
  properties = {
    dataTypes = {
      alerts = {
        state = "string"
      }
    }
    tenantId = "string"
  }
}

For MicrosoftThreatIntelligence, use:

{
  kind = "MicrosoftThreatIntelligence"
  properties = {
    dataTypes = {
      microsoftEmergingThreatFeed = {
        lookbackPeriod = "string"
        state = "string"
      }
    }
    tenantId = "string"
  }
}

For Office365, use:

{
  kind = "Office365"
  properties = {
    dataTypes = {
      exchange = {
        state = "string"
      }
      sharePoint = {
        state = "string"
      }
      teams = {
        state = "string"
      }
    }
    tenantId = "string"
  }
}

For PremiumMicrosoftDefenderForThreatIntelligence, use:

{
  kind = "PremiumMicrosoftDefenderForThreatIntelligence"
  properties = {
    dataTypes = {
      connector = {
        state = "string"
      }
    }
    lookbackPeriod = "string"
    requiredSKUsPresent = bool
    tenantId = "string"
  }
}

For RestApiPoller, use:

{
  kind = "RestApiPoller"
  properties = {
    addOnAttributes = {
      {customized property} = "string"
    }
    auth = {
      type = "string"
      // For remaining properties, see CcpAuthConfig objects
    }
    connectorDefinitionName = "string"
    dataType = "string"
    dcrConfig = {
      dataCollectionEndpoint = "string"
      dataCollectionRuleImmutableId = "string"
      streamName = "string"
    }
    isActive = bool
    paging = {
      pageSize = int
      pageSizeParameterName = "string"
      pagingType = "string"
    }
    request = {
      apiEndpoint = "string"
      endTimeAttributeName = "string"
      headers = {
        {customized property} = "string"
      }
      httpMethod = "string"
      isPostPayloadJson = bool
      queryParameters = {
        {customized property} = ?
      }
      queryParametersTemplate = "string"
      queryTimeFormat = "string"
      queryTimeIntervalAttributeName = "string"
      queryTimeIntervalDelimiter = "string"
      queryTimeIntervalPrepend = "string"
      queryWindowInMin = int
      rateLimitQPS = int
      retryCount = int
      startTimeAttributeName = "string"
      timeoutInSeconds = int
    }
    response = {
      compressionAlgo = "string"
      convertChildPropertiesToArray = bool
      csvDelimiter = "string"
      csvEscape = "string"
      eventsJsonPaths = [
        "string"
      ]
      format = "string"
      hasCsvBoundary = bool
      hasCsvHeader = bool
      isGzipCompressed = bool
      successStatusJsonPath = "string"
      successStatusValue = "string"
    }
  }
}

For ThreatIntelligence, use:

{
  kind = "ThreatIntelligence"
  properties = {
    dataTypes = {
      indicators = {
        state = "string"
      }
    }
    tenantId = "string"
    tipLookbackPeriod = "string"
  }
}

CcpAuthConfig objects

Set the type property to specify the type of object.

For APIKey, use:

{
  apiKey = "string"
  apiKeyIdentifier = "string"
  apiKeyName = "string"
  isApiKeyInPostPayload = bool
  type = "APIKey"
}

For AWS, use:

{
  externalId = "string"
  roleArn = "string"
  type = "AWS"
}

For Basic, use:

{
  password = "string"
  type = "Basic"
  userName = "string"
}

For GCP, use:

{
  projectNumber = "string"
  serviceAccountEmail = "string"
  type = "GCP"
  workloadIdentityProviderId = "string"
}

For GitHub, use:

{
  installationId = "string"
  type = "GitHub"
}

For JwtToken, use:

{
  headers = {
    {customized property} = "string"
  }
  isCredentialsInHeaders = bool
  isJsonRequest = bool
  password = {
    {customized property} = "string"
  }
  queryParameters = {
    {customized property} = "string"
  }
  requestTimeoutInSeconds = int
  tokenEndpoint = "string"
  type = "JwtToken"
  userName = {
    {customized property} = "string"
  }
}

For None, use:

{
  type = "None"
}

For OAuth2, use:

{
  accessTokenPrepend = "string"
  authorizationCode = "string"
  authorizationEndpoint = "string"
  authorizationEndpointHeaders = {
    {customized property} = "string"
  }
  authorizationEndpointQueryParameters = {
    {customized property} = "string"
  }
  clientId = "string"
  clientSecret = "string"
  grantType = "string"
  isCredentialsInHeaders = bool
  isJwtBearerFlow = bool
  redirectUri = "string"
  scope = "string"
  tokenEndpoint = "string"
  tokenEndpointHeaders = {
    {customized property} = "string"
  }
  tokenEndpointQueryParameters = {
    {customized property} = "string"
  }
  type = "OAuth2"
}

For Oracle, use:

{
  pemFile = "string"
  publicFingerprint = "string"
  tenantId = "string"
  type = "Oracle"
  userId = "string"
}

For ServiceBus, use:

{
  credentialsConfig = {
    {customized property} = "string"
  }
  storageAccountCredentialsConfig = {
    {customized property} = "string"
  }
  type = "ServiceBus"
}

For Session, use:

{
  headers = {
    {customized property} = "string"
  }
  isPostPayloadJson = bool
  password = {
    {customized property} = "string"
  }
  queryParameters = {
    {customized property} = ?
  }
  sessionIdName = "string"
  sessionLoginRequestUri = "string"
  sessionTimeoutInMinutes = int
  type = "Session"
  userName = {
    {customized property} = "string"
  }
}

Property values

AADDataConnector

Name Description Value
kind The data connector kind 'AzureActiveDirectory' (required)
properties AAD (Azure Active Directory) data connector properties. AADDataConnectorProperties

AADDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. AlertsDataTypeOfDataConnector
tenantId The tenant id to connect to, and get the data from. string

AatpDataConnector

Name Description Value
kind The data connector kind 'AzureAdvancedThreatProtection' (required)
properties AATP (Azure Advanced Threat Protection) data connector properties. AatpDataConnectorProperties

AatpDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. AlertsDataTypeOfDataConnector
tenantId The tenant id to connect to, and get the data from. string

AlertsDataTypeOfDataConnector

Name Description Value
alerts Alerts data type connection. DataConnectorDataTypeCommon

ApiKeyAuthModel

Name Description Value
apiKey API Key for the user secret key credential string (required)
apiKeyIdentifier API Key Identifier string
apiKeyName API Key name string (required)
isApiKeyInPostPayload Flag to indicate if API key is set in HTTP POST payload bool
type The auth type 'APIKey' (required)

ASCDataConnector

Name Description Value
kind The data connector kind 'AzureSecurityCenter' (required)
properties ASC (Azure Security Center) data connector properties. ASCDataConnectorProperties

ASCDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. AlertsDataTypeOfDataConnector
subscriptionId The subscription id to connect to, and get the data from. string

AWSAuthModel

Name Description Value
externalId AWS STS assume role external ID. This is used to prevent the confused deputy problem: 'https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html' string
roleArn AWS STS assume role ARN string (required)
type The auth type 'AWS' (required)

AwsCloudTrailDataConnector

Name Description Value
kind The data connector kind 'AmazonWebServicesCloudTrail' (required)
properties Amazon Web Services CloudTrail data connector properties. AwsCloudTrailDataConnectorProperties

AwsCloudTrailDataConnectorDataTypes

Name Description Value
logs Logs data type. AwsCloudTrailDataConnectorDataTypesLogs

AwsCloudTrailDataConnectorDataTypesLogs

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled', 'Enabled'

AwsCloudTrailDataConnectorProperties

Name Description Value
awsRoleArn The AWS role ARN (with CloudTrailReadOnly policy) that is used to access the AWS account. string
dataTypes The available data types for the connector. AwsCloudTrailDataConnectorDataTypes

BasicAuthModel

Name Description Value
password The password string (required)
type The auth type 'Basic' (required)
userName The user name. string (required)

CcpAuthConfig

Name Description Value
type Set to 'APIKey' for type ApiKeyAuthModel. Set to 'AWS' for type AWSAuthModel. Set to 'Basic' for type BasicAuthModel. Set to 'GCP' for type GCPAuthModel. Set to 'GitHub' for type GitHubAuthModel. Set to 'JwtToken' for type JwtAuthModel. Set to 'None' for type NoneAuthModel. Set to 'OAuth2' for type OAuthModel. Set to 'Oracle' for type OracleAuthModel. Set to 'ServiceBus' for type GenericBlobSbsAuthModel. Set to 'Session' for type SessionAuthModel. 'APIKey', 'AWS', 'Basic', 'GCP', 'GitHub', 'JwtToken', 'None', 'OAuth2', 'Oracle', 'ServiceBus', 'Session' (required)

CcpResponseConfig

Name Description Value
compressionAlgo The compression algorithm. For example: 'gzip', 'multi-gzip', 'deflate'. string
convertChildPropertiesToArray The value indicating whether the response isn't an array of events / logs. When this flag is set to true, the remote server responds with an object in which each property has an array of events / logs as its value. bool
csvDelimiter The CSV delimiter, in case the response format is CSV. string
csvEscape The character used to escape characters in CSV. string (constraints: min length = 1, max length = 1)
eventsJsonPaths The JSON paths; the '$' char is the JSON root. string[] (required)
format The response format. Possible values are json, csv, xml. string
hasCsvBoundary The value indicating whether the response has a CSV boundary, in case the response is in CSV format. bool
hasCsvHeader The value indicating whether the response has headers, in case the response is in CSV format. bool
isGzipCompressed The value indicating whether the remote server supports Gzip and we should expect a Gzip response. bool
successStatusJsonPath The value where the status message/code should appear in the response. string
successStatusValue The status value. string

DataConnectorDataTypeCommon

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled', 'Enabled'

DCRConfiguration

Name Description Value
dataCollectionEndpoint Represents the data collection ingestion endpoint in log analytics. string (required)
dataCollectionRuleImmutableId The data collection rule immutable id, the rule defines the transformation and data destination. string (required)
streamName The stream we are sending the data to. string (required)

GCPAuthModel

Name Description Value
projectNumber GCP Project Number string (required)
serviceAccountEmail GCP Service Account Email string (required)
type The auth type 'GCP' (required)
workloadIdentityProviderId GCP Workload Identity Provider ID string (required)

GenericBlobSbsAuthModel

Name Description Value
credentialsConfig Credentials for service bus namespace, keyvault uri for access key GenericBlobSbsAuthModelCredentialsConfig
storageAccountCredentialsConfig Credentials for storage account, keyvault uri for access key GenericBlobSbsAuthModelStorageAccountCredentialsConfig
type The auth type 'ServiceBus' (required)

GenericBlobSbsAuthModelCredentialsConfig

Name Description Value

GenericBlobSbsAuthModelStorageAccountCredentialsConfig

Name Description Value

GitHubAuthModel

Name Description Value
installationId The GitHubApp auth installation id. string
type The auth type 'GitHub' (required)

JwtAuthModel

Name Description Value
headers The custom headers we want to add once we send a request to the token endpoint. JwtAuthModelHeaders
isCredentialsInHeaders Flag indicating whether we want to send the user name and password to the token endpoint in the headers. bool
isJsonRequest Flag indicating whether the body request is JSON (header Content-Type = application/json); if not, it's a form URL encoded request (header Content-Type = application/x-www-form-urlencoded). bool
password The password JwtAuthModelPassword (required)
queryParameters The custom query parameter we want to add once we send a request to the token endpoint. JwtAuthModelQueryParameters
requestTimeoutInSeconds Request timeout in seconds. int (constraints: max value = 180)
tokenEndpoint Token endpoint to request JWT string (required)
type The auth type 'JwtToken' (required)
userName The user name. If the user name and password are sent in the header request, we only need to populate the value property with the user name (same as basic auth). If the user name and password are sent in the body request, we need to specify the Key and Value. JwtAuthModelUserName (required)

JwtAuthModelHeaders

Name Description Value

JwtAuthModelPassword

Name Description Value

JwtAuthModelQueryParameters

Name Description Value

JwtAuthModelUserName

Name Description Value

McasDataConnector

Name Description Value
kind The data connector kind 'MicrosoftCloudAppSecurity' (required)
properties MCAS (Microsoft Cloud App Security) data connector properties. McasDataConnectorProperties

McasDataConnectorDataTypes

Name Description Value
alerts Alerts data type connection. DataConnectorDataTypeCommon
discoveryLogs Discovery log data type connection. DataConnectorDataTypeCommon

McasDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. McasDataConnectorDataTypes
tenantId The tenant id to connect to, and get the data from. string

MdatpDataConnector

Name Description Value
kind The data connector kind 'MicrosoftDefenderAdvancedThreatProtection' (required)
properties MDATP (Microsoft Defender Advanced Threat Protection) data connector properties. MdatpDataConnectorProperties

MdatpDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. AlertsDataTypeOfDataConnector
tenantId The tenant id to connect to, and get the data from. string

Microsoft.SecurityInsights/dataConnectors

Name Description Value
etag Etag of the azure resource string
kind Set to 'AmazonWebServicesCloudTrail' for type AwsCloudTrailDataConnector. Set to 'AzureActiveDirectory' for type AADDataConnector. Set to 'AzureAdvancedThreatProtection' for type AatpDataConnector. Set to 'AzureSecurityCenter' for type ASCDataConnector. Set to 'MicrosoftCloudAppSecurity' for type McasDataConnector. Set to 'MicrosoftDefenderAdvancedThreatProtection' for type MdatpDataConnector. Set to 'MicrosoftThreatIntelligence' for type MstiDataConnector. Set to 'Office365' for type OfficeDataConnector. Set to 'PremiumMicrosoftDefenderForThreatIntelligence' for type PremiumMicrosoftDefenderForThreatIntelligence. Set to 'RestApiPoller' for type RestApiPollerDataConnector. Set to 'ThreatIntelligence' for type TIDataConnector. 'AmazonWebServicesCloudTrail', 'AzureActiveDirectory', 'AzureAdvancedThreatProtection', 'AzureSecurityCenter', 'MicrosoftCloudAppSecurity', 'MicrosoftDefenderAdvancedThreatProtection', 'MicrosoftThreatIntelligence', 'Office365', 'PremiumMicrosoftDefenderForThreatIntelligence', 'RestApiPoller', 'ThreatIntelligence' (required)
name The resource name string (required)
parent_id The ID of the resource to apply this extension resource to. string (required)
type The resource type "Microsoft.SecurityInsights/dataConnectors@2024-09-01"

MstiDataConnector

Name Description Value
kind The data connector kind 'MicrosoftThreatIntelligence' (required)
properties Microsoft Threat Intelligence data connector properties. MstiDataConnectorProperties

MstiDataConnectorDataTypes

Name Description Value
microsoftEmergingThreatFeed Data type for Microsoft Threat Intelligence data connector. MstiDataConnectorDataTypesMicrosoftEmergingThreatFeed (required)

MstiDataConnectorDataTypesMicrosoftEmergingThreatFeed

Name Description Value
lookbackPeriod The lookback period for the feed to be imported. The date-time to begin importing the feed from, for example: 2024-01-01T00:00:00.000Z. string (required)
state Describe whether this data type connection is enabled or not. 'Disabled', 'Enabled'

MstiDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. MstiDataConnectorDataTypes (required)
tenantId The tenant id to connect to, and get the data from. string

NoneAuthModel

Name Description Value
type The auth type 'None' (required)

OAuthModel

Name Description Value
accessTokenPrepend Access token prepend. Default is 'Bearer'. string
authorizationCode The user's authorization code. string
authorizationEndpoint The authorization endpoint. string
authorizationEndpointHeaders The authorization endpoint headers. OAuthModelAuthorizationEndpointHeaders
authorizationEndpointQueryParameters The authorization endpoint query parameters. OAuthModelAuthorizationEndpointQueryParameters
clientId The Application (client) ID that the OAuth provider assigned to your app. string (required)
clientSecret The Application (client) secret that the OAuth provider assigned to your app. string (required)
grantType The grant type, usually will be 'authorization code'. string (required)
isCredentialsInHeaders Indicating whether we want to send the clientId and clientSecret to token endpoint in the headers. bool
isJwtBearerFlow A value indicating whether it's a JWT flow. bool
redirectUri The application redirect URL that the user configured in the OAuth provider. string
scope The Application (client) Scope that the OAuth provider assigned to your app. string
tokenEndpoint The token endpoint. Defines the OAuth2 refresh token. string (required)
tokenEndpointHeaders The token endpoint headers. OAuthModelTokenEndpointHeaders
tokenEndpointQueryParameters The token endpoint query parameters. OAuthModelTokenEndpointQueryParameters
type The auth type 'OAuth2' (required)

OAuthModelAuthorizationEndpointHeaders

Name Description Value

OAuthModelAuthorizationEndpointQueryParameters

Name Description Value

OAuthModelTokenEndpointHeaders

Name Description Value

OAuthModelTokenEndpointQueryParameters

Name Description Value

OfficeDataConnector

Name Description Value
kind The data connector kind 'Office365' (required)
properties Office data connector properties. OfficeDataConnectorProperties

OfficeDataConnectorDataTypes

Name Description Value
exchange Exchange data type connection. OfficeDataConnectorDataTypesExchange
sharePoint SharePoint data type connection. OfficeDataConnectorDataTypesSharePoint
teams Teams data type connection. OfficeDataConnectorDataTypesTeams

OfficeDataConnectorDataTypesExchange

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled', 'Enabled'

OfficeDataConnectorDataTypesSharePoint

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled', 'Enabled'

OfficeDataConnectorDataTypesTeams

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled', 'Enabled'

OfficeDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. OfficeDataConnectorDataTypes
tenantId The tenant id to connect to, and get the data from. string

OracleAuthModel

Name Description Value
pemFile Content of the PEM file string (required)
publicFingerprint Public Fingerprint string (required)
tenantId Oracle tenant ID string (required)
type The auth type 'Oracle' (required)
userId Oracle user ID string (required)

PremiumMdtiDataConnectorDataTypes

Name Description Value
connector Data type for Premium Microsoft Defender for Threat Intelligence data connector. PremiumMdtiDataConnectorDataTypesConnector (required)

PremiumMdtiDataConnectorDataTypesConnector

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled', 'Enabled'

PremiumMdtiDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. PremiumMdtiDataConnectorDataTypes (required)
lookbackPeriod The lookback period for the feed to be imported. The date-time to begin importing the feed from, for example: 2024-01-01T00:00:00.000Z. string (required)
requiredSKUsPresent The flag to indicate whether the tenant has the premium SKU required to access this connector. bool
tenantId The tenant id to connect to, and get the data from. string

PremiumMicrosoftDefenderForThreatIntelligence

Name Description Value
kind The data connector kind 'PremiumMicrosoftDefenderForThreatIntelligence' (required)
properties Premium Microsoft Defender for Threat Intelligence data connector properties. PremiumMdtiDataConnectorProperties

RestApiPollerDataConnector

Name Description Value
kind The data connector kind 'RestApiPoller' (required)
properties Rest Api Poller data connector properties. RestApiPollerDataConnectorProperties

RestApiPollerDataConnectorProperties

Name Description Value
addOnAttributes The add on attributes. The key name will become attribute name (a column) and the value will become the attribute value in the payload. RestApiPollerDataConnectorPropertiesAddOnAttributes
auth The authentication model. CcpAuthConfig (required)
connectorDefinitionName The connector definition name (the dataConnectorDefinition resource id). string (required)
dataType The Log Analytics table destination. string
dcrConfig The DCR related properties. DCRConfiguration
isActive Indicates whether the connector is active or not. bool
paging The paging configuration. RestApiPollerRequestPagingConfig
request The request configuration. RestApiPollerRequestConfig (required)
response The response configuration. CcpResponseConfig

RestApiPollerDataConnectorPropertiesAddOnAttributes

Name Description Value

RestApiPollerRequestConfig

Name Description Value
apiEndpoint The API endpoint. string (required)
endTimeAttributeName The query parameter name that the remote server expects for the end of the query. This property goes hand in hand with startTimeAttributeName. string
headers The header for the request for the remote server. RestApiPollerRequestConfigHeaders
httpMethod The HTTP method, default value GET. 'DELETE', 'GET', 'POST', 'PUT'
isPostPayloadJson Flag to indicate if HTTP POST payload is in JSON format (vs form-urlencoded). bool
queryParameters The HTTP query parameters to RESTful API. RestApiPollerRequestConfigQueryParameters
queryParametersTemplate The query parameters template. Defines the query parameters template to use when passing query parameters in advanced scenarios. string
queryTimeFormat The query time format. A remote server can have a query to pull data from range 'start' to 'end'. This property indicates the time format that the remote server expects and can parse. string
queryTimeIntervalAttributeName The query parameter name that we need to send to the server to query logs in a time interval. Should be defined with queryTimeIntervalPrepend and queryTimeIntervalDelimiter. string
queryTimeIntervalDelimiter The delimiter string between the 2 QueryTimeFormat values in the query parameter queryTimeIntervalAttributeName. string
queryTimeIntervalPrepend The string prepended to the value of the query parameter in queryTimeIntervalAttributeName. string
queryWindowInMin The query window in minutes for the request. int
rateLimitQPS The rate limit in queries per second for the request. int
retryCount The retry count. int
startTimeAttributeName The query parameter name that the remote server expects for the start of the query. This property goes hand in hand with endTimeAttributeName. string
timeoutInSeconds The timeout in seconds. int

RestApiPollerRequestConfigHeaders

Name Description Value

RestApiPollerRequestConfigQueryParameters

Name Description Value

RestApiPollerRequestPagingConfig

Name Description Value
pageSize Page size int
pageSizeParameterName Page size parameter name string
pagingType Type of paging 'CountBasedPaging', 'LinkHeader', 'NextPageToken', 'NextPageUrl', 'Offset', 'PersistentLinkHeader', 'PersistentToken' (required)
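
An added example (not part of the original reference, and not Microsoft's code): a Python pre-deployment check that applies the required markers, allowed values and constraints from the tables on this page to a RestApiPoller properties object, and flags an AWS auth block that omits externalId. The function name, the finding strings and the SAMPLE input are constructed for illustration.

```python
AUTH_REQUIRED = {  # auth.type -> properties the tables on this page mark "(required)"
    "APIKey": ["apiKey", "apiKeyName"],
    "AWS": ["roleArn"],
    "Basic": ["userName", "password"],
    "GCP": ["projectNumber", "serviceAccountEmail", "workloadIdentityProviderId"],
    "GitHub": [], "None": [], "ServiceBus": [],
    "JwtToken": ["userName", "password", "tokenEndpoint"],
    "OAuth2": ["clientId", "clientSecret", "grantType", "tokenEndpoint"],
    "Oracle": ["pemFile", "publicFingerprint", "tenantId", "userId"],
    "Session": ["userName", "password"],
}
HTTP_METHODS = {"DELETE", "GET", "POST", "PUT"}
PAGING_TYPES = {"CountBasedPaging", "LinkHeader", "NextPageToken", "NextPageUrl",
                "Offset", "PersistentLinkHeader", "PersistentToken"}

SAMPLE = {  # constructed input for illustration, not from a real deployment
    "connectorDefinitionName": "ExampleDefinition",
    "auth": {"type": "AWS", "roleArn": "arn:aws:iam::123456789012:role/ExampleRole"},
    "request": {"apiEndpoint": "https://api.example.com/logs", "httpMethod": "PATCH"},
    "paging": {"pagingType": "Cursor"},
    "response": {"eventsJsonPaths": ["$"], "csvEscape": "||"},
}

def lint_rest_api_poller(props):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for key in ("auth", "connectorDefinitionName", "request"):
        if key not in props:
            findings.append(f"{key}: required property is missing")
    auth = props.get("auth", {})
    auth_type = auth.get("type")
    if auth_type not in AUTH_REQUIRED:
        findings.append(f"auth.type: {auth_type!r} is not a CcpAuthConfig type")
    else:
        for key in AUTH_REQUIRED[auth_type]:
            if not auth.get(key):
                findings.append(f"auth.{key}: required for type {auth_type!r}")
    if auth_type == "AWS" and not auth.get("externalId"):
        findings.append("auth.externalId: not set (it prevents the confused deputy problem)")
    if auth_type == "JwtToken" and auth.get("requestTimeoutInSeconds", 0) > 180:
        findings.append("auth.requestTimeoutInSeconds: max value is 180")
    request = props.get("request", {})
    if "request" in props and not request.get("apiEndpoint"):
        findings.append("request.apiEndpoint: required property is missing")
    if request.get("httpMethod", "GET") not in HTTP_METHODS:
        findings.append("request.httpMethod: must be DELETE, GET, POST or PUT")
    paging = props.get("paging")
    if paging is not None and paging.get("pagingType") not in PAGING_TYPES:
        findings.append("paging.pagingType: missing or not a listed paging type")
    response = props.get("response")
    if response is not None:
        if not response.get("eventsJsonPaths"):
            findings.append("response.eventsJsonPaths: required property is missing")
        if "csvEscape" in response and len(response["csvEscape"]) != 1:
            findings.append("response.csvEscape: length must be exactly 1")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_rest_api_poller(SAMPLE)))
```

The input is the connector's properties object as a dict, for example the properties block of the ARM JSON form of the template loaded with json.load.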

SessionAuthModel

Name Description Value
headers HTTP request headers to session service endpoint. SessionAuthModelHeaders
isPostPayloadJson Indicating whether API key is set in HTTP POST payload. bool
password The password attribute name. SessionAuthModelPassword (required)
queryParameters Query parameters to session service endpoint. SessionAuthModelQueryParameters
sessionIdName Session id attribute name from HTTP response header. string
sessionLoginRequestUri HTTP request URL to session service endpoint. string
sessionTimeoutInMinutes Session timeout in minutes. int
type The auth type 'Session' (required)
userName The user name attribute key value. SessionAuthModelUserName (required)

SessionAuthModelHeaders

Name Description Value

SessionAuthModelPassword

Name Description Value

SessionAuthModelQueryParameters

Name Description Value

SessionAuthModelUserName

Name Description Value

TIDataConnector

Name Description Value
kind The data connector kind 'ThreatIntelligence' (required)
properties TI (Threat Intelligence) data connector properties. TIDataConnectorProperties

TIDataConnectorDataTypes

Name Description Value
indicators Data type for indicators connection. TIDataConnectorDataTypesIndicators

TIDataConnectorDataTypesIndicators

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled', 'Enabled'

TIDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. TIDataConnectorDataTypes
tenantId The tenant id to connect to, and get the data from. string
tipLookbackPeriod The lookback period for the feed to be imported. string