Bicep resource definition
The dataConnectors resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
To create a Microsoft.SecurityInsights/dataConnectors resource, add the following Bicep to your template.
resource symbolicname 'Microsoft.SecurityInsights/dataConnectors@2024-10-01-preview' = {
etag: 'string'
name: 'string'
kind: 'string'
// For remaining properties, see Microsoft.SecurityInsights/dataConnectors objects
}
Microsoft.SecurityInsights/dataConnectors objects
Set the kind property to specify the type of object.
For APIPolling, use:
{
kind: 'APIPolling'
properties: {
connectorUiConfig: {
availability: {
isPreview: bool
status: '1'
}
connectivityCriteria: [
{
type: 'string'
value: [
'string'
]
}
]
customImage: 'string'
dataTypes: [
{
lastDataReceivedQuery: 'string'
name: 'string'
}
]
descriptionMarkdown: 'string'
graphQueries: [
{
baseQuery: 'string'
legend: 'string'
metricName: 'string'
}
]
graphQueriesTableName: 'string'
instructionSteps: [
{
description: 'string'
instructions: [
{
parameters: any(Azure.Bicep.Types.Concrete.AnyType)
type: 'string'
}
]
title: 'string'
}
]
permissions: {
customs: [
{
description: 'string'
name: 'string'
}
]
resourceProvider: [
{
permissionsDisplayText: 'string'
provider: 'string'
providerDisplayName: 'string'
requiredPermissions: {
action: bool
delete: bool
read: bool
write: bool
}
scope: 'string'
}
]
}
publisher: 'string'
sampleQueries: [
{
description: 'string'
query: 'string'
}
]
title: 'string'
}
pollingConfig: {
auth: {
apiKeyIdentifier: 'string'
apiKeyName: 'string'
authorizationEndpoint: 'string'
authorizationEndpointQueryParameters: any(Azure.Bicep.Types.Concrete.AnyType)
authType: 'string'
flowName: 'string'
isApiKeyInPostPayload: 'string'
isClientSecretInHeader: bool
redirectionEndpoint: 'string'
scope: 'string'
tokenEndpoint: 'string'
tokenEndpointHeaders: any(Azure.Bicep.Types.Concrete.AnyType)
tokenEndpointQueryParameters: any(Azure.Bicep.Types.Concrete.AnyType)
}
isActive: bool
paging: {
nextPageParaName: 'string'
nextPageTokenJsonPath: 'string'
pageCountAttributePath: 'string'
pageSize: int
pageSizeParaName: 'string'
pageTimeStampAttributePath: 'string'
pageTotalCountAttributePath: 'string'
pagingType: 'string'
searchTheLatestTimeStampFromEventsList: 'string'
}
request: {
apiEndpoint: 'string'
endTimeAttributeName: 'string'
headers: any(Azure.Bicep.Types.Concrete.AnyType)
httpMethod: 'string'
queryParameters: any(Azure.Bicep.Types.Concrete.AnyType)
queryParametersTemplate: 'string'
queryTimeFormat: 'string'
queryWindowInMin: int
rateLimitQps: int
retryCount: int
startTimeAttributeName: 'string'
timeoutInSeconds: int
}
response: {
eventsJsonPaths: [
'string'
]
isGzipCompressed: bool
successStatusJsonPath: 'string'
successStatusValue: 'string'
}
}
}
}
For AmazonWebServicesCloudTrail, use:
{
kind: 'AmazonWebServicesCloudTrail'
properties: {
awsRoleArn: 'string'
dataTypes: {
logs: {
state: 'string'
}
}
}
}
For AmazonWebServicesS3, use:
{
kind: 'AmazonWebServicesS3'
properties: {
dataTypes: {
logs: {
state: 'string'
}
}
destinationTable: 'string'
roleArn: 'string'
sqsUrls: [
'string'
]
}
}
For AzureActiveDirectory, use:
{
kind: 'AzureActiveDirectory'
properties: {
dataTypes: {
alerts: {
state: 'string'
}
}
tenantId: 'string'
}
}
For AzureAdvancedThreatProtection, use:
{
kind: 'AzureAdvancedThreatProtection'
properties: {
dataTypes: {
alerts: {
state: 'string'
}
}
tenantId: 'string'
}
}
For AzureSecurityCenter, use:
{
kind: 'AzureSecurityCenter'
properties: {
dataTypes: {
alerts: {
state: 'string'
}
}
subscriptionId: 'string'
}
}
For Dynamics365, use:
{
kind: 'Dynamics365'
properties: {
dataTypes: {
dynamics365CdsActivities: {
state: 'string'
}
}
tenantId: 'string'
}
}
For GCP, use:
{
kind: 'GCP'
properties: {
auth: {
projectNumber: 'string'
serviceAccountEmail: 'string'
workloadIdentityProviderId: 'string'
}
connectorDefinitionName: 'string'
dcrConfig: {
dataCollectionEndpoint: 'string'
dataCollectionRuleImmutableId: 'string'
streamName: 'string'
}
request: {
projectId: 'string'
subscriptionNames: [
'string'
]
}
}
}
For GenericUI, use:
{
kind: 'GenericUI'
properties: {
connectorUiConfig: {
availability: {
isPreview: bool
status: '1'
}
connectivityCriteria: [
{
type: 'string'
value: [
'string'
]
}
]
customImage: 'string'
dataTypes: [
{
lastDataReceivedQuery: 'string'
name: 'string'
}
]
descriptionMarkdown: 'string'
graphQueries: [
{
baseQuery: 'string'
legend: 'string'
metricName: 'string'
}
]
graphQueriesTableName: 'string'
instructionSteps: [
{
description: 'string'
instructions: [
{
parameters: any(Azure.Bicep.Types.Concrete.AnyType)
type: 'string'
}
]
title: 'string'
}
]
permissions: {
customs: [
{
description: 'string'
name: 'string'
}
]
resourceProvider: [
{
permissionsDisplayText: 'string'
provider: 'string'
providerDisplayName: 'string'
requiredPermissions: {
action: bool
delete: bool
read: bool
write: bool
}
scope: 'string'
}
]
}
publisher: 'string'
sampleQueries: [
{
description: 'string'
query: 'string'
}
]
title: 'string'
}
}
}
For IOT, use:
{
kind: 'IOT'
properties: {
dataTypes: {
alerts: {
state: 'string'
}
}
subscriptionId: 'string'
}
}
For MicrosoftCloudAppSecurity, use:
{
kind: 'MicrosoftCloudAppSecurity'
properties: {
dataTypes: {
alerts: {
state: 'string'
}
discoveryLogs: {
state: 'string'
}
}
tenantId: 'string'
}
}
For MicrosoftDefenderAdvancedThreatProtection, use:
{
kind: 'MicrosoftDefenderAdvancedThreatProtection'
properties: {
dataTypes: {
alerts: {
state: 'string'
}
}
tenantId: 'string'
}
}
For MicrosoftPurviewInformationProtection, use:
{
kind: 'MicrosoftPurviewInformationProtection'
properties: {
dataTypes: {
logs: {
state: 'string'
}
}
tenantId: 'string'
}
}
For MicrosoftThreatIntelligence, use:
{
kind: 'MicrosoftThreatIntelligence'
properties: {
dataTypes: {
microsoftEmergingThreatFeed: {
lookbackPeriod: 'string'
state: 'string'
}
}
tenantId: 'string'
}
}
For MicrosoftThreatProtection, use:
{
kind: 'MicrosoftThreatProtection'
properties: {
dataTypes: {
alerts: {
state: 'string'
}
incidents: {
state: 'string'
}
}
filteredProviders: {
alerts: [
'string'
]
}
tenantId: 'string'
}
}
For Office365, use:
{
kind: 'Office365'
properties: {
dataTypes: {
exchange: {
state: 'string'
}
sharePoint: {
state: 'string'
}
teams: {
state: 'string'
}
}
tenantId: 'string'
}
}
For Office365Project, use:
{
kind: 'Office365Project'
properties: {
dataTypes: {
logs: {
state: 'string'
}
}
tenantId: 'string'
}
}
For OfficeATP, use:
{
kind: 'OfficeATP'
properties: {
dataTypes: {
alerts: {
state: 'string'
}
}
tenantId: 'string'
}
}
For OfficeIRM, use:
{
kind: 'OfficeIRM'
properties: {
dataTypes: {
alerts: {
state: 'string'
}
}
tenantId: 'string'
}
}
For OfficePowerBI, use:
{
kind: 'OfficePowerBI'
properties: {
dataTypes: {
logs: {
state: 'string'
}
}
tenantId: 'string'
}
}
For PurviewAudit, use:
{
kind: 'PurviewAudit'
properties: {
connectorDefinitionName: 'string'
dataTypes: {
logs: {
state: 'string'
}
}
dcrConfig: {
dataCollectionEndpoint: 'string'
dataCollectionRuleImmutableId: 'string'
streamName: 'string'
}
sourceType: 'string'
tenantId: 'string'
}
}
For RestApiPoller, use:
{
kind: 'RestApiPoller'
properties: {
addOnAttributes: {
{customized property}: 'string'
}
auth: {
type: 'string'
// For remaining properties, see CcpAuthConfig objects
}
connectorDefinitionName: 'string'
dataType: 'string'
dcrConfig: {
dataCollectionEndpoint: 'string'
dataCollectionRuleImmutableId: 'string'
streamName: 'string'
}
isActive: bool
paging: {
pageSize: int
pageSizeParameterName: 'string'
pagingType: 'string'
}
request: {
apiEndpoint: 'string'
endTimeAttributeName: 'string'
headers: {
{customized property}: 'string'
}
httpMethod: 'string'
isPostPayloadJson: bool
queryParameters: {
{customized property}: any(Azure.Bicep.Types.Concrete.AnyType)
}
queryParametersTemplate: 'string'
queryTimeFormat: 'string'
queryTimeIntervalAttributeName: 'string'
queryTimeIntervalDelimiter: 'string'
queryTimeIntervalPrepend: 'string'
queryWindowInMin: int
rateLimitQPS: int
retryCount: int
startTimeAttributeName: 'string'
timeoutInSeconds: int
}
response: {
compressionAlgo: 'string'
convertChildPropertiesToArray: bool
csvDelimiter: 'string'
csvEscape: 'string'
eventsJsonPaths: [
'string'
]
format: 'string'
hasCsvBoundary: bool
hasCsvHeader: bool
isGzipCompressed: bool
successStatusJsonPath: 'string'
successStatusValue: 'string'
}
}
}
For ThreatIntelligence, use:
{
kind: 'ThreatIntelligence'
properties: {
dataTypes: {
indicators: {
state: 'string'
}
}
tenantId: 'string'
tipLookbackPeriod: 'string'
}
}
For ThreatIntelligenceTaxii, use:
{
kind: 'ThreatIntelligenceTaxii'
properties: {
collectionId: 'string'
dataTypes: {
taxiiClient: {
state: 'string'
}
}
friendlyName: 'string'
password: 'string'
pollingFrequency: 'string'
taxiiLookbackPeriod: 'string'
taxiiServer: 'string'
tenantId: 'string'
userName: 'string'
workspaceId: 'string'
}
}
CcpAuthConfig objects
Set the type property to specify the type of object.
For APIKey, use:
{
apiKey: 'string'
apiKeyIdentifier: 'string'
apiKeyName: 'string'
isApiKeyInPostPayload: bool
type: 'APIKey'
}
For AWS, use:
{
externalId: 'string'
roleArn: 'string'
type: 'AWS'
}
For Basic, use:
{
password: 'string'
type: 'Basic'
userName: 'string'
}
For GCP, use:
{
projectNumber: 'string'
serviceAccountEmail: 'string'
type: 'GCP'
workloadIdentityProviderId: 'string'
}
For GitHub, use:
{
installationId: 'string'
type: 'GitHub'
}
For JwtToken, use:
{
headers: {
{customized property}: 'string'
}
isCredentialsInHeaders: bool
isJsonRequest: bool
password: {
{customized property}: 'string'
}
queryParameters: {
{customized property}: 'string'
}
requestTimeoutInSeconds: int
tokenEndpoint: 'string'
type: 'JwtToken'
userName: {
{customized property}: 'string'
}
}
For None, use:
{
type: 'None'
}
For OAuth2, use:
{
accessTokenPrepend: 'string'
authorizationCode: 'string'
authorizationEndpoint: 'string'
authorizationEndpointHeaders: {
{customized property}: 'string'
}
authorizationEndpointQueryParameters: {
{customized property}: 'string'
}
clientId: 'string'
clientSecret: 'string'
grantType: 'string'
isCredentialsInHeaders: bool
isJwtBearerFlow: bool
redirectUri: 'string'
scope: 'string'
tokenEndpoint: 'string'
tokenEndpointHeaders: {
{customized property}: 'string'
}
tokenEndpointQueryParameters: {
{customized property}: 'string'
}
type: 'OAuth2'
}
For Oracle, use:
{
pemFile: 'string'
publicFingerprint: 'string'
tenantId: 'string'
type: 'Oracle'
userId: 'string'
}
For ServiceBus, use:
{
credentialsConfig: {
{customized property}: 'string'
}
storageAccountCredentialsConfig: {
{customized property}: 'string'
}
type: 'ServiceBus'
}
For Session, use:
{
headers: {
{customized property}: 'string'
}
isPostPayloadJson: bool
password: {
{customized property}: 'string'
}
queryParameters: {
{customized property}: any(Azure.Bicep.Types.Concrete.AnyType)
}
sessionIdName: 'string'
sessionLoginRequestUri: 'string'
sessionTimeoutInMinutes: int
type: 'Session'
userName: {
{customized property}: 'string'
}
}
Property values
AADDataConnector
| Name |
Description |
Value |
| kind |
The data connector kind |
'AzureActiveDirectory' (required) |
| properties |
AADIP (Azure Active Directory Identity Protection) data connector properties. |
AADDataConnectorProperties |
AADDataConnectorProperties
| Name |
Description |
Value |
| dataTypes |
The available data types for the connector. |
AlertsDataTypeOfDataConnector |
| tenantId |
The tenant id to connect to, and get the data from. |
string (required) |
AatpDataConnector
| Name |
Description |
Value |
| kind |
The data connector kind |
'AzureAdvancedThreatProtection' (required) |
| properties |
AATP (Azure Advanced Threat Protection) data connector properties. |
AatpDataConnectorProperties |
AatpDataConnectorProperties
| Name |
Description |
Value |
| dataTypes |
The available data types for the connector. |
AlertsDataTypeOfDataConnector |
| tenantId |
The tenant id to connect to, and get the data from. |
string (required) |
AlertsDataTypeOfDataConnector
ApiKeyAuthModel
| Name |
Description |
Value |
| apiKey |
API Key for the user secret key credential |
string (required) |
| apiKeyIdentifier |
API Key Identifier |
string |
| apiKeyName |
API Key name |
string (required) |
| isApiKeyInPostPayload |
Flag to indicate if API key is set in HTTP POST payload |
bool |
| type |
The auth type |
'APIKey' (required) |
ApiPollingParameters
ASCDataConnector
| Name |
Description |
Value |
| kind |
The data connector kind |
'AzureSecurityCenter' (required) |
| properties |
ASC (Azure Security Center) data connector properties. |
ASCDataConnectorProperties |
ASCDataConnectorProperties
| Name |
Description |
Value |
| dataTypes |
The available data types for the connector. |
AlertsDataTypeOfDataConnector |
| subscriptionId |
The subscription id to connect to, and get the data from. |
string |
Availability
| Name |
Description |
Value |
| isPreview |
Set connector as preview |
bool |
| status |
The connector Availability Status |
'1' |
AWSAuthModel
| Name |
Description |
Value |
| externalId |
AWS STS assume role external ID. This is used to prevent the confused deputy problem: 'https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html' |
string |
| roleArn |
AWS STS assume role ARN |
string (required) |
| type |
The auth type |
'AWS' (required) |
AwsCloudTrailDataConnector
| Name |
Description |
Value |
| kind |
The data connector kind |
'AmazonWebServicesCloudTrail' (required) |
| properties |
Amazon Web Services CloudTrail data connector properties. |
AwsCloudTrailDataConnectorProperties |
AwsCloudTrailDataConnectorDataTypes
AwsCloudTrailDataConnectorDataTypesLogs
| Name |
Description |
Value |
| state |
Describe whether this data type connection is enabled or not. |
'Disabled'
'Enabled' (required) |
AwsCloudTrailDataConnectorProperties
| Name |
Description |
Value |
| awsRoleArn |
The Aws Role Arn (with CloudTrailReadOnly policy) that is used to access the Aws account. |
string |
| dataTypes |
The available data types for the connector. |
AwsCloudTrailDataConnectorDataTypes (required) |
AwsS3DataConnector
| Name |
Description |
Value |
| kind |
The data connector kind |
'AmazonWebServicesS3' (required) |
| properties |
Amazon Web Services S3 data connector properties. |
AwsS3DataConnectorProperties |
AwsS3DataConnectorDataTypes
AwsS3DataConnectorDataTypesLogs
| Name |
Description |
Value |
| state |
Describe whether this data type connection is enabled or not. |
'Disabled'
'Enabled' (required) |
AwsS3DataConnectorProperties
| Name |
Description |
Value |
| dataTypes |
The available data types for the connector. |
AwsS3DataConnectorDataTypes (required) |
| destinationTable |
The logs destination table name in LogAnalytics. |
string (required) |
| roleArn |
The Aws Role Arn that is used to access the Aws account. |
string (required) |
| sqsUrls |
The AWS sqs urls for the connector. |
string[] (required) |
BasicAuthModel
| Name |
Description |
Value |
| password |
The password |
string (required) |
| type |
The auth type |
'Basic' (required) |
| userName |
The user name. |
string (required) |
CcpAuthConfig
CcpResponseConfig
| Name |
Description |
Value |
| compressionAlgo |
The compression algorithm. For Example: 'gzip', 'multi-gzip', 'deflate'. |
string |
| convertChildPropertiesToArray |
The value indicating whether the response isn't an array of events / logs. By setting this flag to true it means the remote server will response with an object which each property has as a value an array of events / logs. |
bool |
| csvDelimiter |
The csv delimiter, in case the response format is CSV. |
string |
| csvEscape |
The character used to escape characters in CSV. |
string
Constraints:
Min length = 1
Max length = 1 |
| eventsJsonPaths |
The json paths, '$' char is the json root. |
string[] (required) |
| format |
The response format. possible values are json,csv,xml |
string |
| hasCsvBoundary |
The value indicating whether the response has CSV boundary in case the response in CSV format. |
bool |
| hasCsvHeader |
The value indicating whether the response has headers in case the response in CSV format. |
bool |
| isGzipCompressed |
The value indicating whether the remote server support Gzip and we should expect Gzip response. |
bool |
| successStatusJsonPath |
The value where the status message/code should appear in the response. |
string |
| successStatusValue |
The status value. |
string |
CodelessApiPollingDataConnector
| Name |
Description |
Value |
| kind |
The data connector kind |
'APIPolling' (required) |
| properties |
Codeless poling data connector properties |
ApiPollingParameters |
CodelessConnectorPollingAuthProperties
| Name |
Description |
Value |
| apiKeyIdentifier |
A prefix send in the header before the actual token |
string |
| apiKeyName |
The header name which the token is sent with |
string |
| authorizationEndpoint |
The endpoint used to authorize the user, used in Oauth 2.0 flow |
string |
| authorizationEndpointQueryParameters |
The query parameters used in authorization request, used in Oauth 2.0 flow |
any |
| authType |
The authentication type |
string (required) |
| flowName |
Describes the flow name, for example 'AuthCode' for Oauth 2.0 |
string |
| isApiKeyInPostPayload |
Marks if the key should sent in header |
string |
| isClientSecretInHeader |
Marks if we should send the client secret in header or payload, used in Oauth 2.0 flow |
bool |
| redirectionEndpoint |
The redirect endpoint where we will get the authorization code, used in Oauth 2.0 flow |
string |
| scope |
The OAuth token scope |
string |
| tokenEndpoint |
The endpoint used to issue a token, used in Oauth 2.0 flow |
string |
| tokenEndpointHeaders |
The query headers used in token request, used in Oauth 2.0 flow |
any |
| tokenEndpointQueryParameters |
The query parameters used in token request, used in Oauth 2.0 flow |
any |
CodelessConnectorPollingConfigProperties
CodelessConnectorPollingPagingProperties
| Name |
Description |
Value |
| nextPageParaName |
Defines the name of a next page attribute |
string |
| nextPageTokenJsonPath |
Defines the path to a next page token JSON |
string |
| pageCountAttributePath |
Defines the path to a page count attribute |
string |
| pageSize |
Defines the paging size |
int |
| pageSizeParaName |
Defines the name of the page size parameter |
string |
| pageTimeStampAttributePath |
Defines the path to a paging time stamp attribute |
string |
| pageTotalCountAttributePath |
Defines the path to a page total count attribute |
string |
| pagingType |
Describes the type. could be 'None', 'PageToken', 'PageCount', 'TimeStamp' |
string (required) |
| searchTheLatestTimeStampFromEventsList |
Determines whether to search for the latest time stamp in the events list |
string |
CodelessConnectorPollingRequestProperties
| Name |
Description |
Value |
| apiEndpoint |
Describe the endpoint we should pull the data from |
string (required) |
| endTimeAttributeName |
This will be used the query events from the end of the time window |
string |
| headers |
Describe the headers sent in the poll request |
any |
| httpMethod |
The http method type we will use in the poll request, GET or POST |
string (required) |
| queryParameters |
Describe the query parameters sent in the poll request |
any |
| queryParametersTemplate |
For advanced scenarios for example user name/password embedded in nested JSON payload |
string |
| queryTimeFormat |
The time format will be used the query events in a specific window |
string (required) |
| queryWindowInMin |
The window interval we will use the pull the data |
int (required) |
| rateLimitQps |
Defines the rate limit QPS |
int |
| retryCount |
Describe the amount of time we should try and poll the data in case of failure |
int |
| startTimeAttributeName |
This will be used the query events from a start of the time window |
string |
| timeoutInSeconds |
The number of seconds we will consider as a request timeout |
int |
CodelessConnectorPollingResponseProperties
| Name |
Description |
Value |
| eventsJsonPaths |
Describes the path we should extract the data in the response |
string[] (required) |
| isGzipCompressed |
Describes if the data in the response is Gzip |
bool |
| successStatusJsonPath |
Describes the path we should extract the status code in the response |
string |
| successStatusValue |
Describes the path we should extract the status value in the response |
string |
CodelessParameters
CodelessUiConnectorConfigProperties
CodelessUiConnectorConfigPropertiesConnectivityCriteriaItem
| Name |
Description |
Value |
| type |
type of connectivity |
'IsConnectedQuery' |
| value |
Queries for checking connectivity |
string[] |
CodelessUiConnectorConfigPropertiesDataTypesItem
| Name |
Description |
Value |
| lastDataReceivedQuery |
Query for indicate last data received |
string |
| name |
Name of the data type to show in the graph. can be use with {{graphQueriesTableName}} placeholder |
string |
CodelessUiConnectorConfigPropertiesGraphQueriesItem
| Name |
Description |
Value |
| baseQuery |
The base query for the graph |
string |
| legend |
The legend for the graph |
string |
| metricName |
the metric that the query is checking |
string |
CodelessUiConnectorConfigPropertiesInstructionStepsItem
| Name |
Description |
Value |
| description |
Instruction step description |
string |
| instructions |
Instruction step details |
InstructionStepsInstructionsItem[] |
| title |
Instruction step title |
string |
CodelessUiConnectorConfigPropertiesSampleQueriesItem
| Name |
Description |
Value |
| description |
The sample query description |
string |
| query |
the sample query |
string |
CodelessUiDataConnector
| Name |
Description |
Value |
| kind |
The data connector kind |
'GenericUI' (required) |
| properties |
Codeless UI data connector properties |
CodelessParameters |
DataConnectorDataTypeCommon
| Name |
Description |
Value |
| state |
Describe whether this data type connection is enabled or not. |
'Disabled'
'Enabled' (required) |
DCRConfiguration
| Name |
Description |
Value |
| dataCollectionEndpoint |
Represents the data collection ingestion endpoint in log analytics. |
string (required) |
| dataCollectionRuleImmutableId |
The data collection rule immutable id, the rule defines the transformation and data destination. |
string (required) |
| streamName |
The stream we are sending the data to. |
string (required) |
Dynamics365DataConnector
Dynamics365DataConnectorDataTypes
Dynamics365DataConnectorDataTypesDynamics365CdsActivities
| Name |
Description |
Value |
| state |
Describe whether this data type connection is enabled or not. |
'Disabled'
'Enabled' (required) |
Dynamics365DataConnectorProperties
| Name |
Description |
Value |
| dataTypes |
The available data types for the connector. |
Dynamics365DataConnectorDataTypes (required) |
| tenantId |
The tenant id to connect to, and get the data from. |
string (required) |
GCPAuthModel
| Name |
Description |
Value |
| projectNumber |
GCP Project Number |
string (required) |
| serviceAccountEmail |
GCP Service Account Email |
string (required) |
| type |
The auth type |
'GCP' (required) |
| workloadIdentityProviderId |
GCP Workload Identity Provider ID |
string (required) |
GCPAuthProperties
| Name |
Description |
Value |
| projectNumber |
The GCP project number. |
string (required) |
| serviceAccountEmail |
The service account that is used to access the GCP project. |
string (required) |
| workloadIdentityProviderId |
The workload identity provider id that is used to gain access to the GCP project. |
string (required) |
GCPDataConnector
| Name |
Description |
Value |
| kind |
The data connector kind |
'GCP' (required) |
| properties |
Google Cloud Platform data connector properties. |
GCPDataConnectorProperties |
GCPDataConnectorProperties
| Name |
Description |
Value |
| auth |
The auth section of the connector. |
GCPAuthProperties (required) |
| connectorDefinitionName |
The name of the connector definition that represents the UI config. |
string (required) |
| dcrConfig |
The configuration of the destination of the data. |
DCRConfiguration |
| request |
The request section of the connector. |
GCPRequestProperties (required) |
GCPRequestProperties
| Name |
Description |
Value |
| projectId |
The GCP project id. |
string (required) |
| subscriptionNames |
The GCP pub/sub subscription names. |
string[] (required) |
GenericBlobSbsAuthModel
GenericBlobSbsAuthModelCredentialsConfig
GenericBlobSbsAuthModelStorageAccountCredentialsConfig
GitHubAuthModel
| Name |
Description |
Value |
| installationId |
The GitHubApp auth installation id. |
string |
| type |
The auth type |
'GitHub' (required) |
InstructionStepsInstructionsItem
| Name |
Description |
Value |
| parameters |
The parameters for the setting |
any |
| type |
The kind of the setting |
'CopyableLabel'
'InfoMessage'
'InstructionStepsGroup' (required) |
IoTDataConnector
| Name |
Description |
Value |
| kind |
The data connector kind |
'IOT' (required) |
| properties |
IoT data connector properties. |
IoTDataConnectorProperties |
IoTDataConnectorProperties
| Name |
Description |
Value |
| dataTypes |
The available data types for the connector. |
AlertsDataTypeOfDataConnector |
| subscriptionId |
The subscription id to connect to, and get the data from. |
string |
JwtAuthModel
| Name |
Description |
Value |
| headers |
The custom headers we want to add once we send request to token endpoint. |
JwtAuthModelHeaders |
| isCredentialsInHeaders |
Flag indicating whether we want to send the user name and password to token endpoint in the headers. |
bool |
| isJsonRequest |
Flag indicating whether the body request is JSON (header Content-Type = application/json), meaning its a Form URL encoded request (header Content-Type = application/x-www-form-urlencoded). |
bool |
| password |
The password |
JwtAuthModelPassword (required) |
| queryParameters |
The custom query parameter we want to add once we send request to token endpoint. |
JwtAuthModelQueryParameters |
| requestTimeoutInSeconds |
Request timeout in seconds. |
int
Constraints:
Max value = 180 |
| tokenEndpoint |
Token endpoint to request JWT |
string (required) |
| type |
The auth type |
'JwtToken' (required) |
| userName |
The user name. If user name and password sent in header request we only need to populate the value property with the user name (Same as basic auth). If user name and password sent in body request we need to specify the Key and Value. |
JwtAuthModelUserName (required) |
JwtAuthModelPassword
JwtAuthModelQueryParameters
JwtAuthModelUserName
McasDataConnector
| Name |
Description |
Value |
| kind |
The data connector kind |
'MicrosoftCloudAppSecurity' (required) |
| properties |
MCAS (Microsoft Cloud App Security) data connector properties. |
McasDataConnectorProperties |
McasDataConnectorDataTypes
McasDataConnectorProperties
| Name |
Description |
Value |
| dataTypes |
The available data types for the connector. |
McasDataConnectorDataTypes (required) |
| tenantId |
The tenant id to connect to, and get the data from. |
string (required) |
MdatpDataConnector
| Name |
Description |
Value |
| kind |
The data connector kind |
'MicrosoftDefenderAdvancedThreatProtection' (required) |
| properties |
MDATP (Microsoft Defender Advanced Threat Protection) data connector properties. |
MdatpDataConnectorProperties |
MdatpDataConnectorProperties
| Name |
Description |
Value |
| dataTypes |
The available data types for the connector. |
AlertsDataTypeOfDataConnector |
| tenantId |
The tenant id to connect to, and get the data from. |
string (required) |
Microsoft.SecurityInsights/dataConnectors
| Name |
Description |
Value |
| state |
Describe whether this data type connection is enabled or not. |
'Disabled'
'Enabled' (required) |
MstiDataConnector
| Name |
Description |
Value |
| kind |
The data connector kind |
'MicrosoftThreatIntelligence' (required) |
| properties |
Microsoft Threat Intelligence data connector properties. |
MstiDataConnectorProperties |
MstiDataConnectorDataTypes
MstiDataConnectorDataTypesMicrosoftEmergingThreatFeed
| Name |
Description |
Value |
| lookbackPeriod |
The lookback period for the feed to be imported. |
string (required) |
| state |
Describe whether this data type connection is enabled or not. |
'Disabled'
'Enabled' (required) |
MstiDataConnectorProperties
| Name |
Description |
Value |
| dataTypes |
The available data types for the connector. |
MstiDataConnectorDataTypes (required) |
| tenantId |
The tenant id to connect to, and get the data from. |
string (required) |
MTPDataConnector
| Name |
Description |
Value |
| kind |
The data connector kind |
'MicrosoftThreatProtection' (required) |
| properties |
MTP (Microsoft Threat Protection) data connector properties. |
MTPDataConnectorProperties |
MTPDataConnectorDataTypes
MTPDataConnectorDataTypesAlerts
| Name |
Description |
Value |
| state |
Describe whether this data type connection is enabled or not. |
'Disabled'
'Enabled' (required) |
MTPDataConnectorDataTypesIncidents
| Name |
Description |
Value |
| state |
Describe whether this data type connection is enabled or not. |
'Disabled'
'Enabled' (required) |
MTPDataConnectorProperties
| Name |
Description |
Value |
| dataTypes |
The available data types for the connector. |
MTPDataConnectorDataTypes (required) |
| filteredProviders |
The available filtered providers for the connector. |
MtpFilteredProviders |
| tenantId |
The tenant id to connect to, and get the data from. |
string (required) |
MtpFilteredProviders
| Name |
Description |
Value |
| alerts |
Alerts filtered providers. When filters are not applied, all alerts will stream through the MTP pipeline, still in private preview for all products EXCEPT MDA and MDI, which are in GA state. |
String array containing any of:
'microsoftDefenderForCloudApps'
'microsoftDefenderForIdentity' (required) |
NoneAuthModel
| Name |
Description |
Value |
| type |
The auth type |
'None' (required) |
OAuthModel
| Name |
Description |
Value |
| accessTokenPrepend |
Access token prepend. Default is 'Bearer'. |
string |
| authorizationCode |
The user's authorization code. |
string |
| authorizationEndpoint |
The authorization endpoint. |
string |
| authorizationEndpointHeaders |
The authorization endpoint headers. |
OAuthModelAuthorizationEndpointHeaders |
| authorizationEndpointQueryParameters |
The authorization endpoint query parameters. |
OAuthModelAuthorizationEndpointQueryParameters |
| clientId |
The Application (client) ID that the OAuth provider assigned to your app. |
string (required) |
| clientSecret |
The Application (client) secret that the OAuth provider assigned to your app. |
string (required) |
| grantType |
The grant type, usually will be 'authorization code'. |
string (required) |
| isCredentialsInHeaders |
Indicating whether we want to send the clientId and clientSecret to token endpoint in the headers. |
bool |
| isJwtBearerFlow |
A value indicating whether it's a JWT flow. |
bool |
| redirectUri |
The Application redirect url that the user config in the OAuth provider. |
string |
| scope |
The Application (client) Scope that the OAuth provider assigned to your app. |
string |
| tokenEndpoint |
The token endpoint. Defines the OAuth2 refresh token. |
string (required) |
| tokenEndpointHeaders |
The token endpoint headers. |
OAuthModelTokenEndpointHeaders |
| tokenEndpointQueryParameters |
The token endpoint query parameters. |
OAuthModelTokenEndpointQueryParameters |
| type |
The auth type |
'OAuth2' (required) |
OAuthModelAuthorizationEndpointQueryParameters
OAuthModelTokenEndpointQueryParameters
Office365ProjectConnectorDataTypes
Office365ProjectConnectorDataTypesLogs
| Name |
Description |
Value |
| state |
Describe whether this data type connection is enabled or not. |
'Disabled'
'Enabled' (required) |
Office365ProjectDataConnector
Office365ProjectDataConnectorProperties
| Name |
Description |
Value |
| dataTypes |
The available data types for the connector. |
Office365ProjectConnectorDataTypes (required) |
| tenantId |
The tenant id to connect to, and get the data from. |
string (required) |
OfficeATPDataConnector
| Name |
Description |
Value |
| kind |
The data connector kind |
'OfficeATP' (required) |
| properties |
OfficeATP (Office 365 Advanced Threat Protection) data connector properties. |
OfficeATPDataConnectorProperties |
OfficeATPDataConnectorProperties
| Name |
Description |
Value |
| dataTypes |
The available data types for the connector. |
AlertsDataTypeOfDataConnector |
| tenantId |
The tenant id to connect to, and get the data from. |
string (required) |
OfficeDataConnector
| Name |
Description |
Value |
| kind |
The data connector kind |
'Office365' (required) |
| properties |
Office data connector properties. |
OfficeDataConnectorProperties |
OfficeDataConnectorDataTypes
OfficeDataConnectorDataTypesExchange
| Name |
Description |
Value |
| state |
Describe whether this data type connection is enabled or not. |
'Disabled'
'Enabled' (required) |
OfficeDataConnectorDataTypesSharePoint
| Name |
Description |
Value |
| state |
Describe whether this data type connection is enabled or not. |
'Disabled'
'Enabled' (required) |
OfficeDataConnectorDataTypesTeams
| Name |
Description |
Value |
| state |
Describe whether this data type connection is enabled or not. |
'Disabled'
'Enabled' (required) |
OfficeDataConnectorProperties
| Name |
Description |
Value |
| dataTypes |
The available data types for the connector. |
OfficeDataConnectorDataTypes (required) |
| tenantId |
The tenant id to connect to, and get the data from. |
string (required) |
OfficeIRMDataConnector
| Name |
Description |
Value |
| kind |
The data connector kind |
'OfficeIRM' (required) |
| properties |
OfficeIRM (Microsoft Insider Risk Management) data connector properties. |
OfficeIRMDataConnectorProperties |
OfficeIRMDataConnectorProperties
| Name |
Description |
Value |
| dataTypes |
The available data types for the connector. |
AlertsDataTypeOfDataConnector |
| tenantId |
The tenant id to connect to, and get the data from. |
string (required) |
OfficePowerBIConnectorDataTypes
OfficePowerBIConnectorDataTypesLogs
| Name |
Description |
Value |
| state |
Describe whether this data type connection is enabled or not. |
'Disabled'
'Enabled' (required) |
OfficePowerBIDataConnector
OfficePowerBIDataConnectorProperties
| Name |
Description |
Value |
| dataTypes |
The available data types for the connector. |
OfficePowerBIConnectorDataTypes (required) |
| tenantId |
The tenant id to connect to, and get the data from. |
string (required) |
OracleAuthModel
| Name |
Description |
Value |
| pemFile |
Content of the PRM file |
string (required) |
| publicFingerprint |
Public Fingerprint |
string (required) |
| tenantId |
Oracle tenant ID |
string (required) |
| type |
The auth type |
'Oracle' (required) |
| userId |
Oracle user ID |
string (required) |
Permissions
PermissionsCustomsItem
| Name |
Description |
Value |
| description |
Customs permissions description |
string |
| name |
Customs permissions name |
string |
PermissionsResourceProviderItem
| Name |
Description |
Value |
| permissionsDisplayText |
Permission description text |
string |
| provider |
Provider name |
'microsoft.aadiam/diagnosticSettings'
'Microsoft.Authorization/policyAssignments'
'Microsoft.OperationalInsights/solutions'
'Microsoft.OperationalInsights/workspaces'
'Microsoft.OperationalInsights/workspaces/datasources'
'Microsoft.OperationalInsights/workspaces/sharedKeys' |
| providerDisplayName |
Permission provider display name |
string |
| requiredPermissions |
Required permissions for the connector |
RequiredPermissions |
| scope |
Permission provider scope |
'ResourceGroup'
'Subscription'
'Workspace' |
PurviewAuditConnectorDataTypes
PurviewAuditConnectorDataTypesLogs
| Name |
Description |
Value |
| state |
Describe whether this data type connection is enabled or not. |
'Disabled'
'Enabled' (required) |
PurviewAuditDataConnector
PurviewAuditDataConnectorProperties
| Name |
Description |
Value |
| connectorDefinitionName |
The connector definition name (the dataConnectorDefinition resource id). |
string |
| dataTypes |
The available data types for the connector. |
PurviewAuditConnectorDataTypes (required) |
| dcrConfig |
The DCR related properties. |
DCRConfiguration |
| sourceType |
The source type indicates which kind of data is relevant for this connector. |
string |
| tenantId |
The tenant id to connect to, and get the data from. |
string (required) |
RequiredPermissions
| Name |
Description |
Value |
| action |
action permission |
bool |
| delete |
delete permission |
bool |
| read |
read permission |
bool |
| write |
write permission |
bool |
RestApiPollerDataConnector
RestApiPollerDataConnectorProperties
RestApiPollerDataConnectorPropertiesAddOnAttributes
RestApiPollerRequestConfig
| Name |
Description |
Value |
| apiEndpoint |
The API endpoint. |
string (required) |
| endTimeAttributeName |
The query parameter name which the remote server expect to end query. This property goes hand to hand with startTimeAttributeName |
string |
| headers |
The header for the request for the remote server. |
RestApiPollerRequestConfigHeaders |
| httpMethod |
The HTTP method, default value GET. |
'DELETE'
'GET'
'POST'
'PUT' |
| isPostPayloadJson |
Flag to indicate if HTTP POST payload is in JSON format (vs form-urlencoded). |
bool |
| queryParameters |
The HTTP query parameters to RESTful API. |
RestApiPollerRequestConfigQueryParameters |
| queryParametersTemplate |
the query parameters template. Defines the query parameters template to use when passing query parameters in advanced scenarios. |
string |
| queryTimeFormat |
The query time format. A remote server can have a query to pull data from range 'start' to 'end'. This property indicate what is the expected time format the remote server know to parse. |
string |
| queryTimeIntervalAttributeName |
The query parameter name which we need to send the server for query logs in time interval. Should be defined with queryTimeIntervalPrepend and queryTimeIntervalDelimiter |
string |
| queryTimeIntervalDelimiter |
The delimiter string between 2 QueryTimeFormat in the query parameter queryTimeIntervalAttributeName. |
string |
| queryTimeIntervalPrepend |
The string prepend to the value of the query parameter in queryTimeIntervalAttributeName. |
string |
| queryWindowInMin |
The query window in minutes for the request. |
int |
| rateLimitQPS |
The Rate limit queries per second for the request.. |
int |
| retryCount |
The retry count. |
int |
| startTimeAttributeName |
The query parameter name which the remote server expect to start query. This property goes hand to hand with endTimeAttributeName. |
string |
| timeoutInSeconds |
The timeout in seconds. |
int |
RestApiPollerRequestConfigQueryParameters
RestApiPollerRequestPagingConfig
| Name |
Description |
Value |
| pageSize |
Page size |
int |
| pageSizeParameterName |
Page size parameter name |
string |
| pagingType |
Type of paging |
'CountBasedPaging'
'LinkHeader'
'NextPageToken'
'NextPageUrl'
'Offset'
'PersistentLinkHeader'
'PersistentToken' (required) |
SessionAuthModel
| Name |
Description |
Value |
| headers |
HTTP request headers to session service endpoint. |
SessionAuthModelHeaders |
| isPostPayloadJson |
Indicating whether API key is set in HTTP POST payload. |
bool |
| password |
The password attribute name. |
SessionAuthModelPassword (required) |
| queryParameters |
Query parameters to session service endpoint. |
SessionAuthModelQueryParameters |
| sessionIdName |
Session id attribute name from HTTP response header. |
string |
| sessionLoginRequestUri |
HTTP request URL to session service endpoint. |
string |
| sessionTimeoutInMinutes |
Session timeout in minutes. |
int |
| type |
The auth type |
'Session' (required) |
| userName |
The user name attribute key value. |
SessionAuthModelUserName (required) |
SessionAuthModelPassword
SessionAuthModelQueryParameters
SessionAuthModelUserName
TIDataConnector
| Name |
Description |
Value |
| kind |
The data connector kind |
'ThreatIntelligence' (required) |
| properties |
TI (Threat Intelligence) data connector properties. |
TIDataConnectorProperties |
TIDataConnectorDataTypes
TIDataConnectorDataTypesIndicators
| Name |
Description |
Value |
| state |
Describe whether this data type connection is enabled or not. |
'Disabled'
'Enabled' (required) |
TIDataConnectorProperties
| Name |
Description |
Value |
| dataTypes |
The available data types for the connector. |
TIDataConnectorDataTypes (required) |
| tenantId |
The tenant id to connect to, and get the data from. |
string (required) |
| tipLookbackPeriod |
The lookback period for the feed to be imported. |
string |
TiTaxiiDataConnector
| Name |
Description |
Value |
| kind |
The data connector kind |
'ThreatIntelligenceTaxii' (required) |
| properties |
Threat intelligence TAXII data connector properties. |
TiTaxiiDataConnectorProperties |
TiTaxiiDataConnectorDataTypes
TiTaxiiDataConnectorDataTypesTaxiiClient
| Name |
Description |
Value |
| state |
Describe whether this data type connection is enabled or not. |
'Disabled'
'Enabled' (required) |
TiTaxiiDataConnectorProperties
| Name |
Description |
Value |
| collectionId |
The collection id of the TAXII server. |
string |
| dataTypes |
The available data types for Threat Intelligence TAXII data connector. |
TiTaxiiDataConnectorDataTypes (required) |
| friendlyName |
The friendly name for the TAXII server. |
string |
| password |
The password for the TAXII server. |
string |
| pollingFrequency |
The polling frequency for the TAXII server. |
'OnceADay'
'OnceAMinute'
'OnceAnHour' (required) |
| taxiiLookbackPeriod |
The lookback period for the TAXII server. |
string |
| taxiiServer |
The API root for the TAXII server. |
string |
| tenantId |
The tenant id to connect to, and get the data from. |
string (required) |
| userName |
The userName for the TAXII server. |
string |
| workspaceId |
The workspace id. |
string |
ARM template resource definition
The dataConnectors resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
To create a Microsoft.SecurityInsights/dataConnectors resource, add the following JSON to your template.
{
"etag": "string",
"name": "string",
"kind": "string"
// For remaining properties, see Microsoft.SecurityInsights/dataConnectors objects
}
Microsoft.SecurityInsights/dataConnectors objects
Set the kind property to specify the type of object.
For APIPolling, use:
{
"kind": "APIPolling",
"properties": {
"connectorUiConfig": {
"availability": {
"isPreview": "bool",
"status": "1"
},
"connectivityCriteria": [
{
"type": "string",
"value": [ "string" ]
}
],
"customImage": "string",
"dataTypes": [
{
"lastDataReceivedQuery": "string",
"name": "string"
}
],
"descriptionMarkdown": "string",
"graphQueries": [
{
"baseQuery": "string",
"legend": "string",
"metricName": "string"
}
],
"graphQueriesTableName": "string",
"instructionSteps": [
{
"description": "string",
"instructions": [
{
"parameters": {},
"type": "string"
}
],
"title": "string"
}
],
"permissions": {
"customs": [
{
"description": "string",
"name": "string"
}
],
"resourceProvider": [
{
"permissionsDisplayText": "string",
"provider": "string",
"providerDisplayName": "string",
"requiredPermissions": {
"action": "bool",
"delete": "bool",
"read": "bool",
"write": "bool"
},
"scope": "string"
}
]
},
"publisher": "string",
"sampleQueries": [
{
"description": "string",
"query": "string"
}
],
"title": "string"
},
"pollingConfig": {
"auth": {
"apiKeyIdentifier": "string",
"apiKeyName": "string",
"authorizationEndpoint": "string",
"authorizationEndpointQueryParameters": {},
"authType": "string",
"flowName": "string",
"isApiKeyInPostPayload": "string",
"isClientSecretInHeader": "bool",
"redirectionEndpoint": "string",
"scope": "string",
"tokenEndpoint": "string",
"tokenEndpointHeaders": {},
"tokenEndpointQueryParameters": {}
},
"isActive": "bool",
"paging": {
"nextPageParaName": "string",
"nextPageTokenJsonPath": "string",
"pageCountAttributePath": "string",
"pageSize": "int",
"pageSizeParaName": "string",
"pageTimeStampAttributePath": "string",
"pageTotalCountAttributePath": "string",
"pagingType": "string",
"searchTheLatestTimeStampFromEventsList": "string"
},
"request": {
"apiEndpoint": "string",
"endTimeAttributeName": "string",
"headers": {},
"httpMethod": "string",
"queryParameters": {},
"queryParametersTemplate": "string",
"queryTimeFormat": "string",
"queryWindowInMin": "int",
"rateLimitQps": "int",
"retryCount": "int",
"startTimeAttributeName": "string",
"timeoutInSeconds": "int"
},
"response": {
"eventsJsonPaths": [ "string" ],
"isGzipCompressed": "bool",
"successStatusJsonPath": "string",
"successStatusValue": "string"
}
}
}
}
For AmazonWebServicesCloudTrail, use:
{
"kind": "AmazonWebServicesCloudTrail",
"properties": {
"awsRoleArn": "string",
"dataTypes": {
"logs": {
"state": "string"
}
}
}
}
For AmazonWebServicesS3, use:
{
"kind": "AmazonWebServicesS3",
"properties": {
"dataTypes": {
"logs": {
"state": "string"
}
},
"destinationTable": "string",
"roleArn": "string",
"sqsUrls": [ "string" ]
}
}
For AzureActiveDirectory, use:
{
"kind": "AzureActiveDirectory",
"properties": {
"dataTypes": {
"alerts": {
"state": "string"
}
},
"tenantId": "string"
}
}
For AzureAdvancedThreatProtection, use:
{
"kind": "AzureAdvancedThreatProtection",
"properties": {
"dataTypes": {
"alerts": {
"state": "string"
}
},
"tenantId": "string"
}
}
For AzureSecurityCenter, use:
{
"kind": "AzureSecurityCenter",
"properties": {
"dataTypes": {
"alerts": {
"state": "string"
}
},
"subscriptionId": "string"
}
}
For Dynamics365, use:
{
"kind": "Dynamics365",
"properties": {
"dataTypes": {
"dynamics365CdsActivities": {
"state": "string"
}
},
"tenantId": "string"
}
}
For GCP, use:
{
"kind": "GCP",
"properties": {
"auth": {
"projectNumber": "string",
"serviceAccountEmail": "string",
"workloadIdentityProviderId": "string"
},
"connectorDefinitionName": "string",
"dcrConfig": {
"dataCollectionEndpoint": "string",
"dataCollectionRuleImmutableId": "string",
"streamName": "string"
},
"request": {
"projectId": "string",
"subscriptionNames": [ "string" ]
}
}
}
For GenericUI, use:
{
"kind": "GenericUI",
"properties": {
"connectorUiConfig": {
"availability": {
"isPreview": "bool",
"status": "1"
},
"connectivityCriteria": [
{
"type": "string",
"value": [ "string" ]
}
],
"customImage": "string",
"dataTypes": [
{
"lastDataReceivedQuery": "string",
"name": "string"
}
],
"descriptionMarkdown": "string",
"graphQueries": [
{
"baseQuery": "string",
"legend": "string",
"metricName": "string"
}
],
"graphQueriesTableName": "string",
"instructionSteps": [
{
"description": "string",
"instructions": [
{
"parameters": {},
"type": "string"
}
],
"title": "string"
}
],
"permissions": {
"customs": [
{
"description": "string",
"name": "string"
}
],
"resourceProvider": [
{
"permissionsDisplayText": "string",
"provider": "string",
"providerDisplayName": "string",
"requiredPermissions": {
"action": "bool",
"delete": "bool",
"read": "bool",
"write": "bool"
},
"scope": "string"
}
]
},
"publisher": "string",
"sampleQueries": [
{
"description": "string",
"query": "string"
}
],
"title": "string"
}
}
}
For IOT, use:
{
"kind": "IOT",
"properties": {
"dataTypes": {
"alerts": {
"state": "string"
}
},
"subscriptionId": "string"
}
}
For MicrosoftCloudAppSecurity, use:
{
"kind": "MicrosoftCloudAppSecurity",
"properties": {
"dataTypes": {
"alerts": {
"state": "string"
},
"discoveryLogs": {
"state": "string"
}
},
"tenantId": "string"
}
}
For MicrosoftDefenderAdvancedThreatProtection, use:
{
"kind": "MicrosoftDefenderAdvancedThreatProtection",
"properties": {
"dataTypes": {
"alerts": {
"state": "string"
}
},
"tenantId": "string"
}
}
For MicrosoftPurviewInformationProtection, use:
{
"kind": "MicrosoftPurviewInformationProtection",
"properties": {
"dataTypes": {
"logs": {
"state": "string"
}
},
"tenantId": "string"
}
}
For MicrosoftThreatIntelligence, use:
{
"kind": "MicrosoftThreatIntelligence",
"properties": {
"dataTypes": {
"microsoftEmergingThreatFeed": {
"lookbackPeriod": "string",
"state": "string"
}
},
"tenantId": "string"
}
}
For MicrosoftThreatProtection, use:
{
"kind": "MicrosoftThreatProtection",
"properties": {
"dataTypes": {
"alerts": {
"state": "string"
},
"incidents": {
"state": "string"
}
},
"filteredProviders": {
"alerts": [ "string" ]
},
"tenantId": "string"
}
}
For Office365, use:
{
"kind": "Office365",
"properties": {
"dataTypes": {
"exchange": {
"state": "string"
},
"sharePoint": {
"state": "string"
},
"teams": {
"state": "string"
}
},
"tenantId": "string"
}
}
For Office365Project, use:
{
"kind": "Office365Project",
"properties": {
"dataTypes": {
"logs": {
"state": "string"
}
},
"tenantId": "string"
}
}
For OfficeATP, use:
{
"kind": "OfficeATP",
"properties": {
"dataTypes": {
"alerts": {
"state": "string"
}
},
"tenantId": "string"
}
}
For OfficeIRM, use:
{
"kind": "OfficeIRM",
"properties": {
"dataTypes": {
"alerts": {
"state": "string"
}
},
"tenantId": "string"
}
}
For OfficePowerBI, use:
{
"kind": "OfficePowerBI",
"properties": {
"dataTypes": {
"logs": {
"state": "string"
}
},
"tenantId": "string"
}
}
For PurviewAudit, use:
{
"kind": "PurviewAudit",
"properties": {
"connectorDefinitionName": "string",
"dataTypes": {
"logs": {
"state": "string"
}
},
"dcrConfig": {
"dataCollectionEndpoint": "string",
"dataCollectionRuleImmutableId": "string",
"streamName": "string"
},
"sourceType": "string",
"tenantId": "string"
}
}
For RestApiPoller, use:
{
"kind": "RestApiPoller",
"properties": {
"addOnAttributes": {
"{customized property}": "string"
},
"auth": {
"type": "string"
// For remaining properties, see CcpAuthConfig objects
},
"connectorDefinitionName": "string",
"dataType": "string",
"dcrConfig": {
"dataCollectionEndpoint": "string",
"dataCollectionRuleImmutableId": "string",
"streamName": "string"
},
"isActive": "bool",
"paging": {
"pageSize": "int",
"pageSizeParameterName": "string",
"pagingType": "string"
},
"request": {
"apiEndpoint": "string",
"endTimeAttributeName": "string",
"headers": {
"{customized property}": "string"
},
"httpMethod": "string",
"isPostPayloadJson": "bool",
"queryParameters": {
"{customized property}": {}
},
"queryParametersTemplate": "string",
"queryTimeFormat": "string",
"queryTimeIntervalAttributeName": "string",
"queryTimeIntervalDelimiter": "string",
"queryTimeIntervalPrepend": "string",
"queryWindowInMin": "int",
"rateLimitQPS": "int",
"retryCount": "int",
"startTimeAttributeName": "string",
"timeoutInSeconds": "int"
},
"response": {
"compressionAlgo": "string",
"convertChildPropertiesToArray": "bool",
"csvDelimiter": "string",
"csvEscape": "string",
"eventsJsonPaths": [ "string" ],
"format": "string",
"hasCsvBoundary": "bool",
"hasCsvHeader": "bool",
"isGzipCompressed": "bool",
"successStatusJsonPath": "string",
"successStatusValue": "string"
}
}
}
For ThreatIntelligence, use:
{
"kind": "ThreatIntelligence",
"properties": {
"dataTypes": {
"indicators": {
"state": "string"
}
},
"tenantId": "string",
"tipLookbackPeriod": "string"
}
}
For ThreatIntelligenceTaxii, use:
{
"kind": "ThreatIntelligenceTaxii",
"properties": {
"collectionId": "string",
"dataTypes": {
"taxiiClient": {
"state": "string"
}
},
"friendlyName": "string",
"password": "string",
"pollingFrequency": "string",
"taxiiLookbackPeriod": "string",
"taxiiServer": "string",
"tenantId": "string",
"userName": "string",
"workspaceId": "string"
}
}
CcpAuthConfig objects
Set the type property to specify the type of object.
For APIKey, use:
{
"apiKey": "string",
"apiKeyIdentifier": "string",
"apiKeyName": "string",
"isApiKeyInPostPayload": "bool",
"type": "APIKey"
}
For AWS, use:
{
"externalId": "string",
"roleArn": "string",
"type": "AWS"
}
For Basic, use:
{
"password": "string",
"type": "Basic",
"userName": "string"
}
For GCP, use:
{
"projectNumber": "string",
"serviceAccountEmail": "string",
"type": "GCP",
"workloadIdentityProviderId": "string"
}
For GitHub, use:
{
"installationId": "string",
"type": "GitHub"
}
For JwtToken, use:
{
"headers": {
"{customized property}": "string"
},
"isCredentialsInHeaders": "bool",
"isJsonRequest": "bool",
"password": {
"{customized property}": "string"
},
"queryParameters": {
"{customized property}": "string"
},
"requestTimeoutInSeconds": "int",
"tokenEndpoint": "string",
"type": "JwtToken",
"userName": {
"{customized property}": "string"
}
}
For None, use:
{
"type": "None"
}
For OAuth2, use:
{
"accessTokenPrepend": "string",
"authorizationCode": "string",
"authorizationEndpoint": "string",
"authorizationEndpointHeaders": {
"{customized property}": "string"
},
"authorizationEndpointQueryParameters": {
"{customized property}": "string"
},
"clientId": "string",
"clientSecret": "string",
"grantType": "string",
"isCredentialsInHeaders": "bool",
"isJwtBearerFlow": "bool",
"redirectUri": "string",
"scope": "string",
"tokenEndpoint": "string",
"tokenEndpointHeaders": {
"{customized property}": "string"
},
"tokenEndpointQueryParameters": {
"{customized property}": "string"
},
"type": "OAuth2"
}
For Oracle, use:
{
"pemFile": "string",
"publicFingerprint": "string",
"tenantId": "string",
"type": "Oracle",
"userId": "string"
}
For ServiceBus, use:
{
"credentialsConfig": {
"{customized property}": "string"
},
"storageAccountCredentialsConfig": {
"{customized property}": "string"
},
"type": "ServiceBus"
}
For Session, use:
{
"headers": {
"{customized property}": "string"
},
"isPostPayloadJson": "bool",
"password": {
"{customized property}": "string"
},
"queryParameters": {
"{customized property}": {}
},
"sessionIdName": "string",
"sessionLoginRequestUri": "string",
"sessionTimeoutInMinutes": "int",
"type": "Session",
"userName": {
"{customized property}": "string"
}
}
Property values
AADDataConnector
| Name |
Description |
Value |
| kind |
The data connector kind |
'AzureActiveDirectory' (required) |
| properties |
AADIP (Azure Active Directory Identity Protection) data connector properties. |
AADDataConnectorProperties |
AADDataConnectorProperties
| Name |
Description |
Value |
| dataTypes |
The available data types for the connector. |
AlertsDataTypeOfDataConnector |
| tenantId |
The tenant id to connect to, and get the data from. |
string (required) |
AatpDataConnector
| Name |
Description |
Value |
| kind |
The data connector kind |
'AzureAdvancedThreatProtection' (required) |
| properties |
AATP (Azure Advanced Threat Protection) data connector properties. |
AatpDataConnectorProperties |
AatpDataConnectorProperties
| Name |
Description |
Value |
| dataTypes |
The available data types for the connector. |
AlertsDataTypeOfDataConnector |
| tenantId |
The tenant id to connect to, and get the data from. |
string (required) |
AlertsDataTypeOfDataConnector
ApiKeyAuthModel
| Name |
Description |
Value |
| apiKey |
API Key for the user secret key credential |
string (required) |
| apiKeyIdentifier |
API Key Identifier |
string |
| apiKeyName |
API Key name |
string (required) |
| isApiKeyInPostPayload |
Flag to indicate if API key is set in HTTP POST payload |
bool |
| type |
The auth type |
'APIKey' (required) |
ApiPollingParameters
ASCDataConnector
| Name |
Description |
Value |
| kind |
The data connector kind |
'AzureSecurityCenter' (required) |
| properties |
ASC (Azure Security Center) data connector properties. |
ASCDataConnectorProperties |
ASCDataConnectorProperties
| Name |
Description |
Value |
| dataTypes |
The available data types for the connector. |
AlertsDataTypeOfDataConnector |
| subscriptionId |
The subscription id to connect to, and get the data from. |
string |
Availability
| Name |
Description |
Value |
| isPreview |
Set connector as preview |
bool |
| status |
The connector Availability Status |
'1' |
AWSAuthModel
| Name |
Description |
Value |
| externalId |
AWS STS assume role external ID. This is used to prevent the confused deputy problem: 'https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html' |
string |
| roleArn |
AWS STS assume role ARN |
string (required) |
| type |
The auth type |
'AWS' (required) |
AwsCloudTrailDataConnector
| Name |
Description |
Value |
| kind |
The data connector kind |
'AmazonWebServicesCloudTrail' (required) |
| properties |
Amazon Web Services CloudTrail data connector properties. |
AwsCloudTrailDataConnectorProperties |
AwsCloudTrailDataConnectorDataTypes
AwsCloudTrailDataConnectorDataTypesLogs
| Name |
Description |
Value |
| state |
Describe whether this data type connection is enabled or not. |
'Disabled'
'Enabled' (required) |
AwsCloudTrailDataConnectorProperties
| Name |
Description |
Value |
| awsRoleArn |
The Aws Role Arn (with CloudTrailReadOnly policy) that is used to access the Aws account. |
string |
| dataTypes |
The available data types for the connector. |
AwsCloudTrailDataConnectorDataTypes (required) |
AwsS3DataConnector
| Name |
Description |
Value |
| kind |
The data connector kind |
'AmazonWebServicesS3' (required) |
| properties |
Amazon Web Services S3 data connector properties. |
AwsS3DataConnectorProperties |
AwsS3DataConnectorDataTypes
AwsS3DataConnectorDataTypesLogs
| Name |
Description |
Value |
| state |
Describe whether this data type connection is enabled or not. |
'Disabled'
'Enabled' (required) |
AwsS3DataConnectorProperties
| Name |
Description |
Value |
| dataTypes |
The available data types for the connector. |
AwsS3DataConnectorDataTypes (required) |
| destinationTable |
The logs destination table name in LogAnalytics. |
string (required) |
| roleArn |
The Aws Role Arn that is used to access the Aws account. |
string (required) |
| sqsUrls |
The AWS sqs urls for the connector. |
string[] (required) |
BasicAuthModel
| Name |
Description |
Value |
| password |
The password |
string (required) |
| type |
The auth type |
'Basic' (required) |
| userName |
The user name. |
string (required) |
CcpAuthConfig
CcpResponseConfig
| Name |
Description |
Value |
| compressionAlgo |
The compression algorithm. For Example: 'gzip', 'multi-gzip', 'deflate'. |
string |
| convertChildPropertiesToArray |
The value indicating whether the response isn't an array of events / logs. By setting this flag to true it means the remote server will response with an object which each property has as a value an array of events / logs. |
bool |
| csvDelimiter |
The csv delimiter, in case the response format is CSV. |
string |
| csvEscape |
The character used to escape characters in CSV. |
string
Constraints:
Min length = 1
Max length = 1 |
| eventsJsonPaths |
The json paths, '$' char is the json root. |
string[] (required) |
| format |
The response format. possible values are json,csv,xml |
string |
| hasCsvBoundary |
The value indicating whether the response has CSV boundary in case the response in CSV format. |
bool |
| hasCsvHeader |
The value indicating whether the response has headers in case the response in CSV format. |
bool |
| isGzipCompressed |
The value indicating whether the remote server support Gzip and we should expect Gzip response. |
bool |
| successStatusJsonPath |
The value where the status message/code should appear in the response. |
string |
| successStatusValue |
The status value. |
string |
CodelessApiPollingDataConnector
| Name |
Description |
Value |
| kind |
The data connector kind |
'APIPolling' (required) |
| properties |
Codeless poling data connector properties |
ApiPollingParameters |
CodelessConnectorPollingAuthProperties
| Name |
Description |
Value |
| apiKeyIdentifier |
A prefix send in the header before the actual token |
string |
| apiKeyName |
The header name which the token is sent with |
string |
| authorizationEndpoint |
The endpoint used to authorize the user, used in Oauth 2.0 flow |
string |
| authorizationEndpointQueryParameters |
The query parameters used in authorization request, used in Oauth 2.0 flow |
any |
| authType |
The authentication type |
string (required) |
| flowName |
Describes the flow name, for example 'AuthCode' for Oauth 2.0 |
string |
| isApiKeyInPostPayload |
Marks if the key should sent in header |
string |
| isClientSecretInHeader |
Marks if we should send the client secret in header or payload, used in Oauth 2.0 flow |
bool |
| redirectionEndpoint |
The redirect endpoint where we will get the authorization code, used in Oauth 2.0 flow |
string |
| scope |
The OAuth token scope |
string |
| tokenEndpoint |
The endpoint used to issue a token, used in Oauth 2.0 flow |
string |
| tokenEndpointHeaders |
The query headers used in token request, used in Oauth 2.0 flow |
any |
| tokenEndpointQueryParameters |
The query parameters used in token request, used in Oauth 2.0 flow |
any |
CodelessConnectorPollingConfigProperties
CodelessConnectorPollingPagingProperties
| Name |
Description |
Value |
| nextPageParaName |
Defines the name of a next page attribute |
string |
| nextPageTokenJsonPath |
Defines the path to a next page token JSON |
string |
| pageCountAttributePath |
Defines the path to a page count attribute |
string |
| pageSize |
Defines the paging size |
int |
| pageSizeParaName |
Defines the name of the page size parameter |
string |
| pageTimeStampAttributePath |
Defines the path to a paging time stamp attribute |
string |
| pageTotalCountAttributePath |
Defines the path to a page total count attribute |
string |
| pagingType |
Describes the type. could be 'None', 'PageToken', 'PageCount', 'TimeStamp' |
string (required) |
| searchTheLatestTimeStampFromEventsList |
Determines whether to search for the latest time stamp in the events list |
string |
CodelessConnectorPollingRequestProperties
| Name |
Description |
Value |
| apiEndpoint |
Describe the endpoint we should pull the data from |
string (required) |
| endTimeAttributeName |
This will be used the query events from the end of the time window |
string |
| headers |
Describe the headers sent in the poll request |
any |
| httpMethod |
The http method type we will use in the poll request, GET or POST |
string (required) |
| queryParameters |
Describe the query parameters sent in the poll request |
any |
| queryParametersTemplate |
For advanced scenarios for example user name/password embedded in nested JSON payload |
string |
| queryTimeFormat |
The time format will be used the query events in a specific window |
string (required) |
| queryWindowInMin |
The window interval we will use the pull the data |
int (required) |
| rateLimitQps |
Defines the rate limit QPS |
int |
| retryCount |
Describe the amount of time we should try and poll the data in case of failure |
int |
| startTimeAttributeName |
This will be used the query events from a start of the time window |
string |
| timeoutInSeconds |
The number of seconds we will consider as a request timeout |
int |
CodelessConnectorPollingResponseProperties
| Name |
Description |
Value |
| eventsJsonPaths |
Describes the path we should extract the data in the response |
string[] (required) |
| isGzipCompressed |
Describes if the data in the response is Gzip |
bool |
| successStatusJsonPath |
Describes the path we should extract the status code in the response |
string |
| successStatusValue |
Describes the path we should extract the status value in the response |
string |
CodelessParameters
CodelessUiConnectorConfigProperties
CodelessUiConnectorConfigPropertiesConnectivityCriteriaItem
| Name |
Description |
Value |
| type |
type of connectivity |
'IsConnectedQuery' |
| value |
Queries for checking connectivity |
string[] |
CodelessUiConnectorConfigPropertiesDataTypesItem
| Name |
Description |
Value |
| lastDataReceivedQuery |
Query for indicate last data received |
string |
| name |
Name of the data type to show in the graph. can be use with {{graphQueriesTableName}} placeholder |
string |
CodelessUiConnectorConfigPropertiesGraphQueriesItem
| Name |
Description |
Value |
| baseQuery |
The base query for the graph |
string |
| legend |
The legend for the graph |
string |
| metricName |
the metric that the query is checking |
string |
CodelessUiConnectorConfigPropertiesInstructionStepsItem
| Name |
Description |
Value |
| description |
Instruction step description |
string |
| instructions |
Instruction step details |
InstructionStepsInstructionsItem[] |
| title |
Instruction step title |
string |
CodelessUiConnectorConfigPropertiesSampleQueriesItem
| Name |
Description |
Value |
| description |
The sample query description |
string |
| query |
the sample query |
string |
CodelessUiDataConnector
| Name |
Description |
Value |
| kind |
The data connector kind |
'GenericUI' (required) |
| properties |
Codeless UI data connector properties |
CodelessParameters |
DataConnectorDataTypeCommon
| Name |
Description |
Value |
| state |
Describe whether this data type connection is enabled or not. |
'Disabled'
'Enabled' (required) |
DCRConfiguration
| Name |
Description |
Value |
| dataCollectionEndpoint |
Represents the data collection ingestion endpoint in log analytics. |
string (required) |
| dataCollectionRuleImmutableId |
The data collection rule immutable id, the rule defines the transformation and data destination. |
string (required) |
| streamName |
The stream we are sending the data to. |
string (required) |
Dynamics365DataConnector
Dynamics365DataConnectorDataTypes
Dynamics365DataConnectorDataTypesDynamics365CdsActivities
| Name |
Description |
Value |
| state |
Describe whether this data type connection is enabled or not. |
'Disabled'
'Enabled' (required) |
Dynamics365DataConnectorProperties
| Name |
Description |
Value |
| dataTypes |
The available data types for the connector. |
Dynamics365DataConnectorDataTypes (required) |
| tenantId |
The tenant id to connect to, and get the data from. |
string (required) |
GCPAuthModel
| Name |
Description |
Value |
| projectNumber |
GCP Project Number |
string (required) |
| serviceAccountEmail |
GCP Service Account Email |
string (required) |
| type |
The auth type |
'GCP' (required) |
| workloadIdentityProviderId |
GCP Workload Identity Provider ID |
string (required) |
GCPAuthProperties
| Name |
Description |
Value |
| projectNumber |
The GCP project number. |
string (required) |
| serviceAccountEmail |
The service account that is used to access the GCP project. |
string (required) |
| workloadIdentityProviderId |
The workload identity provider id that is used to gain access to the GCP project. |
string (required) |
GCPDataConnector
| Name |
Description |
Value |
| kind |
The data connector kind |
'GCP' (required) |
| properties |
Google Cloud Platform data connector properties. |
GCPDataConnectorProperties |
GCPDataConnectorProperties
| Name |
Description |
Value |
| auth |
The auth section of the connector. |
GCPAuthProperties (required) |
| connectorDefinitionName |
The name of the connector definition that represents the UI config. |
string (required) |
| dcrConfig |
The configuration of the destination of the data. |
DCRConfiguration |
| request |
The request section of the connector. |
GCPRequestProperties (required) |
GCPRequestProperties
| Name |
Description |
Value |
| projectId |
The GCP project id. |
string (required) |
| subscriptionNames |
The GCP pub/sub subscription names. |
string[] (required) |
GenericBlobSbsAuthModel
GenericBlobSbsAuthModelCredentialsConfig
GenericBlobSbsAuthModelStorageAccountCredentialsConfig
GitHubAuthModel
| Name |
Description |
Value |
| installationId |
The GitHubApp auth installation id. |
string |
| type |
The auth type |
'GitHub' (required) |
InstructionStepsInstructionsItem
| Name |
Description |
Value |
| parameters |
The parameters for the setting |
any |
| type |
The kind of the setting |
'CopyableLabel'
'InfoMessage'
'InstructionStepsGroup' (required) |
IoTDataConnector
| Name |
Description |
Value |
| kind |
The data connector kind |
'IOT' (required) |
| properties |
IoT data connector properties. |
IoTDataConnectorProperties |
IoTDataConnectorProperties
| Name |
Description |
Value |
| dataTypes |
The available data types for the connector. |
AlertsDataTypeOfDataConnector |
| subscriptionId |
The subscription id to connect to, and get the data from. |
string |
JwtAuthModel
| Name |
Description |
Value |
| headers |
The custom headers we want to add once we send request to token endpoint. |
JwtAuthModelHeaders |
| isCredentialsInHeaders |
Flag indicating whether we want to send the user name and password to token endpoint in the headers. |
bool |
| isJsonRequest |
Flag indicating whether the body request is JSON (header Content-Type = application/json), meaning its a Form URL encoded request (header Content-Type = application/x-www-form-urlencoded). |
bool |
| password |
The password |
JwtAuthModelPassword (required) |
| queryParameters |
The custom query parameter we want to add once we send request to token endpoint. |
JwtAuthModelQueryParameters |
| requestTimeoutInSeconds |
Request timeout in seconds. |
int
Constraints:
Max value = 180 |
| tokenEndpoint |
Token endpoint to request JWT |
string (required) |
| type |
The auth type |
'JwtToken' (required) |
| userName |
The user name. If user name and password sent in header request we only need to populate the value property with the user name (Same as basic auth). If user name and password sent in body request we need to specify the Key and Value. |
JwtAuthModelUserName (required) |
JwtAuthModelPassword
JwtAuthModelQueryParameters
JwtAuthModelUserName
McasDataConnector
| Name |
Description |
Value |
| kind |
The data connector kind |
'MicrosoftCloudAppSecurity' (required) |
| properties |
MCAS (Microsoft Cloud App Security) data connector properties. |
McasDataConnectorProperties |
McasDataConnectorDataTypes
McasDataConnectorProperties
| Name |
Description |
Value |
| dataTypes |
The available data types for the connector. |
McasDataConnectorDataTypes (required) |
| tenantId |
The tenant id to connect to, and get the data from. |
string (required) |
MdatpDataConnector
| Name |
Description |
Value |
| kind |
The data connector kind |
'MicrosoftDefenderAdvancedThreatProtection' (required) |
| properties |
MDATP (Microsoft Defender Advanced Threat Protection) data connector properties. |
MdatpDataConnectorProperties |
MdatpDataConnectorProperties
| Name |
Description |
Value |
| dataTypes |
The available data types for the connector. |
AlertsDataTypeOfDataConnector |
| tenantId |
The tenant id to connect to, and get the data from. |
string (required) |
Microsoft.SecurityInsights/dataConnectors
| Name |
Description |
Value |
| state |
Describe whether this data type connection is enabled or not. |
'Disabled'
'Enabled' (required) |
MstiDataConnector
| Name |
Description |
Value |
| kind |
The data connector kind |
'MicrosoftThreatIntelligence' (required) |
| properties |
Microsoft Threat Intelligence data connector properties. |
MstiDataConnectorProperties |
MstiDataConnectorDataTypes
MstiDataConnectorDataTypesMicrosoftEmergingThreatFeed
| Name |
Description |
Value |
| lookbackPeriod |
The lookback period for the feed to be imported. |
string (required) |
| state |
Describe whether this data type connection is enabled or not. |
'Disabled'
'Enabled' (required) |
MstiDataConnectorProperties
| Name |
Description |
Value |
| dataTypes |
The available data types for the connector. |
MstiDataConnectorDataTypes (required) |
| tenantId |
The tenant id to connect to, and get the data from. |
string (required) |
MTPDataConnector
| Name |
Description |
Value |
| kind |
The data connector kind |
'MicrosoftThreatProtection' (required) |
| properties |
MTP (Microsoft Threat Protection) data connector properties. |
MTPDataConnectorProperties |
MTPDataConnectorDataTypes
MTPDataConnectorDataTypesAlerts
| Name |
Description |
Value |
| state |
Describe whether this data type connection is enabled or not. |
'Disabled'
'Enabled' (required) |
MTPDataConnectorDataTypesIncidents
| Name |
Description |
Value |
| state |
Describe whether this data type connection is enabled or not. |
'Disabled'
'Enabled' (required) |
MTPDataConnectorProperties
| Name |
Description |
Value |
| dataTypes |
The available data types for the connector. |
MTPDataConnectorDataTypes (required) |
| filteredProviders |
The available filtered providers for the connector. |
MtpFilteredProviders |
| tenantId |
The tenant id to connect to, and get the data from. |
string (required) |
MtpFilteredProviders
| Name |
Description |
Value |
| alerts |
Alerts filtered providers. When filters are not applied, all alerts will stream through the MTP pipeline, still in private preview for all products EXCEPT MDA and MDI, which are in GA state. |
String array containing any of:
'microsoftDefenderForCloudApps'
'microsoftDefenderForIdentity' (required) |
NoneAuthModel
| Name |
Description |
Value |
| type |
The auth type |
'None' (required) |
OAuthModel
| Name |
Description |
Value |
| accessTokenPrepend |
Access token prepend. Default is 'Bearer'. |
string |
| authorizationCode |
The user's authorization code. |
string |
| authorizationEndpoint |
The authorization endpoint. |
string |
| authorizationEndpointHeaders |
The authorization endpoint headers. |
OAuthModelAuthorizationEndpointHeaders |
| authorizationEndpointQueryParameters |
The authorization endpoint query parameters. |
OAuthModelAuthorizationEndpointQueryParameters |
| clientId |
The Application (client) ID that the OAuth provider assigned to your app. |
string (required) |
| clientSecret |
The Application (client) secret that the OAuth provider assigned to your app. |
string (required) |
| grantType |
The grant type, usually will be 'authorization code'. |
string (required) |
| isCredentialsInHeaders |
Indicating whether we want to send the clientId and clientSecret to token endpoint in the headers. |
bool |
| isJwtBearerFlow |
A value indicating whether it's a JWT flow. |
bool |
| redirectUri |
The Application redirect url that the user config in the OAuth provider. |
string |
| scope |
The Application (client) Scope that the OAuth provider assigned to your app. |
string |
| tokenEndpoint |
The token endpoint. Defines the OAuth2 refresh token. |
string (required) |
| tokenEndpointHeaders |
The token endpoint headers. |
OAuthModelTokenEndpointHeaders |
| tokenEndpointQueryParameters |
The token endpoint query parameters. |
OAuthModelTokenEndpointQueryParameters |
| type |
The auth type |
'OAuth2' (required) |
OAuthModelAuthorizationEndpointQueryParameters
OAuthModelTokenEndpointQueryParameters
Office365ProjectConnectorDataTypes
Office365ProjectConnectorDataTypesLogs
| Name |
Description |
Value |
| state |
Describe whether this data type connection is enabled or not. |
'Disabled'
'Enabled' (required) |
Office365ProjectDataConnector
Office365ProjectDataConnectorProperties
| Name |
Description |
Value |
| dataTypes |
The available data types for the connector. |
Office365ProjectConnectorDataTypes (required) |
| tenantId |
The tenant id to connect to, and get the data from. |
string (required) |
OfficeATPDataConnector
| Name |
Description |
Value |
| kind |
The data connector kind |
'OfficeATP' (required) |
| properties |
OfficeATP (Office 365 Advanced Threat Protection) data connector properties. |
OfficeATPDataConnectorProperties |
OfficeATPDataConnectorProperties
| Name |
Description |
Value |
| dataTypes |
The available data types for the connector. |
AlertsDataTypeOfDataConnector |
| tenantId |
The tenant id to connect to, and get the data from. |
string (required) |
OfficeDataConnector
| Name |
Description |
Value |
| kind |
The data connector kind |
'Office365' (required) |
| properties |
Office data connector properties. |
OfficeDataConnectorProperties |
OfficeDataConnectorDataTypes
OfficeDataConnectorDataTypesExchange
| Name |
Description |
Value |
| state |
Describe whether this data type connection is enabled or not. |
'Disabled'
'Enabled' (required) |
OfficeDataConnectorDataTypesSharePoint
| Name |
Description |
Value |
| state |
Describe whether this data type connection is enabled or not. |
'Disabled'
'Enabled' (required) |
OfficeDataConnectorDataTypesTeams
| Name |
Description |
Value |
| state |
Describe whether this data type connection is enabled or not. |
'Disabled'
'Enabled' (required) |
OfficeDataConnectorProperties
| Name |
Description |
Value |
| dataTypes |
The available data types for the connector. |
OfficeDataConnectorDataTypes (required) |
| tenantId |
The tenant id to connect to, and get the data from. |
string (required) |
OfficeIRMDataConnector
| Name |
Description |
Value |
| kind |
The data connector kind |
'OfficeIRM' (required) |
| properties |
OfficeIRM (Microsoft Insider Risk Management) data connector properties. |
OfficeIRMDataConnectorProperties |
OfficeIRMDataConnectorProperties
| Name |
Description |
Value |
| dataTypes |
The available data types for the connector. |
AlertsDataTypeOfDataConnector |
| tenantId |
The tenant id to connect to, and get the data from. |
string (required) |
OfficePowerBIConnectorDataTypes
OfficePowerBIConnectorDataTypesLogs
| Name |
Description |
Value |
| state |
Describe whether this data type connection is enabled or not. |
'Disabled'
'Enabled' (required) |
OfficePowerBIDataConnector
OfficePowerBIDataConnectorProperties
| Name |
Description |
Value |
| dataTypes |
The available data types for the connector. |
OfficePowerBIConnectorDataTypes (required) |
| tenantId |
The tenant id to connect to, and get the data from. |
string (required) |
OracleAuthModel
| Name |
Description |
Value |
| pemFile |
Content of the PRM file |
string (required) |
| publicFingerprint |
Public Fingerprint |
string (required) |
| tenantId |
Oracle tenant ID |
string (required) |
| type |
The auth type |
'Oracle' (required) |
| userId |
Oracle user ID |
string (required) |
Permissions
PermissionsCustomsItem
| Name |
Description |
Value |
| description |
Customs permissions description |
string |
| name |
Customs permissions name |
string |
PermissionsResourceProviderItem
| Name |
Description |
Value |
| permissionsDisplayText |
Permission description text |
string |
| provider |
Provider name |
'microsoft.aadiam/diagnosticSettings'
'Microsoft.Authorization/policyAssignments'
'Microsoft.OperationalInsights/solutions'
'Microsoft.OperationalInsights/workspaces'
'Microsoft.OperationalInsights/workspaces/datasources'
'Microsoft.OperationalInsights/workspaces/sharedKeys' |
| providerDisplayName |
Permission provider display name |
string |
| requiredPermissions |
Required permissions for the connector |
RequiredPermissions |
| scope |
Permission provider scope |
'ResourceGroup'
'Subscription'
'Workspace' |
PurviewAuditConnectorDataTypes
PurviewAuditConnectorDataTypesLogs
| Name |
Description |
Value |
| state |
Describe whether this data type connection is enabled or not. |
'Disabled'
'Enabled' (required) |
PurviewAuditDataConnector
PurviewAuditDataConnectorProperties
| Name |
Description |
Value |
| connectorDefinitionName |
The connector definition name (the dataConnectorDefinition resource id). |
string |
| dataTypes |
The available data types for the connector. |
PurviewAuditConnectorDataTypes (required) |
| dcrConfig |
The DCR related properties. |
DCRConfiguration |
| sourceType |
The source type indicates which kind of data is relevant for this connector. |
string |
| tenantId |
The tenant id to connect to, and get the data from. |
string (required) |
RequiredPermissions
| Name |
Description |
Value |
| action |
action permission |
bool |
| delete |
delete permission |
bool |
| read |
read permission |
bool |
| write |
write permission |
bool |
RestApiPollerDataConnector
RestApiPollerDataConnectorProperties
RestApiPollerDataConnectorPropertiesAddOnAttributes
RestApiPollerRequestConfig
| Name |
Description |
Value |
| apiEndpoint |
The API endpoint. |
string (required) |
| endTimeAttributeName |
The query parameter name which the remote server expect to end query. This property goes hand to hand with startTimeAttributeName |
string |
| headers |
The header for the request for the remote server. |
RestApiPollerRequestConfigHeaders |
| httpMethod |
The HTTP method, default value GET. |
'DELETE'
'GET'
'POST'
'PUT' |
| isPostPayloadJson |
Flag to indicate if HTTP POST payload is in JSON format (vs form-urlencoded). |
bool |
| queryParameters |
The HTTP query parameters to RESTful API. |
RestApiPollerRequestConfigQueryParameters |
| queryParametersTemplate |
the query parameters template. Defines the query parameters template to use when passing query parameters in advanced scenarios. |
string |
| queryTimeFormat |
The query time format. A remote server can have a query to pull data from range 'start' to 'end'. This property indicate what is the expected time format the remote server know to parse. |
string |
| queryTimeIntervalAttributeName |
The query parameter name which we need to send the server for query logs in time interval. Should be defined with queryTimeIntervalPrepend and queryTimeIntervalDelimiter |
string |
| queryTimeIntervalDelimiter |
The delimiter string between 2 QueryTimeFormat in the query parameter queryTimeIntervalAttributeName. |
string |
| queryTimeIntervalPrepend |
The string prepend to the value of the query parameter in queryTimeIntervalAttributeName. |
string |
| queryWindowInMin |
The query window in minutes for the request. |
int |
| rateLimitQPS |
The Rate limit queries per second for the request.. |
int |
| retryCount |
The retry count. |
int |
| startTimeAttributeName |
The query parameter name which the remote server expect to start query. This property goes hand to hand with endTimeAttributeName. |
string |
| timeoutInSeconds |
The timeout in seconds. |
int |
RestApiPollerRequestConfigQueryParameters
RestApiPollerRequestPagingConfig
| Name |
Description |
Value |
| pageSize |
Page size |
int |
| pageSizeParameterName |
Page size parameter name |
string |
| pagingType |
Type of paging |
'CountBasedPaging'
'LinkHeader'
'NextPageToken'
'NextPageUrl'
'Offset'
'PersistentLinkHeader'
'PersistentToken' (required) |
SessionAuthModel
| Name |
Description |
Value |
| headers |
HTTP request headers to session service endpoint. |
SessionAuthModelHeaders |
| isPostPayloadJson |
Indicating whether API key is set in HTTP POST payload. |
bool |
| password |
The password attribute name. |
SessionAuthModelPassword (required) |
| queryParameters |
Query parameters to session service endpoint. |
SessionAuthModelQueryParameters |
| sessionIdName |
Session id attribute name from HTTP response header. |
string |
| sessionLoginRequestUri |
HTTP request URL to session service endpoint. |
string |
| sessionTimeoutInMinutes |
Session timeout in minutes. |
int |
| type |
The auth type |
'Session' (required) |
| userName |
The user name attribute key value. |
SessionAuthModelUserName (required) |
SessionAuthModelPassword
SessionAuthModelQueryParameters
SessionAuthModelUserName
TIDataConnector
| Name |
Description |
Value |
| kind |
The data connector kind |
'ThreatIntelligence' (required) |
| properties |
TI (Threat Intelligence) data connector properties. |
TIDataConnectorProperties |
TIDataConnectorDataTypes
TIDataConnectorDataTypesIndicators
| Name |
Description |
Value |
| state |
Describe whether this data type connection is enabled or not. |
'Disabled'
'Enabled' (required) |
TIDataConnectorProperties
| Name |
Description |
Value |
| dataTypes |
The available data types for the connector. |
TIDataConnectorDataTypes (required) |
| tenantId |
The tenant id to connect to, and get the data from. |
string (required) |
| tipLookbackPeriod |
The lookback period for the feed to be imported. |
string |
TiTaxiiDataConnector
| Name |
Description |
Value |
| kind |
The data connector kind |
'ThreatIntelligenceTaxii' (required) |
| properties |
Threat intelligence TAXII data connector properties. |
TiTaxiiDataConnectorProperties |
TiTaxiiDataConnectorDataTypes
TiTaxiiDataConnectorDataTypesTaxiiClient
| Name |
Description |
Value |
| state |
Describe whether this data type connection is enabled or not. |
'Disabled'
'Enabled' (required) |
TiTaxiiDataConnectorProperties
| Name |
Description |
Value |
| collectionId |
The collection id of the TAXII server. |
string |
| dataTypes |
The available data types for Threat Intelligence TAXII data connector. |
TiTaxiiDataConnectorDataTypes (required) |
| friendlyName |
The friendly name for the TAXII server. |
string |
| password |
The password for the TAXII server. |
string |
| pollingFrequency |
The polling frequency for the TAXII server. |
'OnceADay'
'OnceAMinute'
'OnceAnHour' (required) |
| taxiiLookbackPeriod |
The lookback period for the TAXII server. |
string |
| taxiiServer |
The API root for the TAXII server. |
string |
| tenantId |
The tenant id to connect to, and get the data from. |
string (required) |
| userName |
The userName for the TAXII server. |
string |
| workspaceId |
The workspace id. |
string |
The dataConnectors resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
To create a Microsoft.SecurityInsights/dataConnectors resource, add the following Terraform to your template.
resource "azapi_resource" "symbolicname" {
etag = "string"
name = "string"
kind = "string"
// For remaining properties, see Microsoft.SecurityInsights/dataConnectors objects
}
Microsoft.SecurityInsights/dataConnectors objects
Set the kind property to specify the type of object.
For APIPolling, use:
{
kind = "APIPolling"
properties = {
connectorUiConfig = {
availability = {
isPreview = bool
status = "1"
}
connectivityCriteria = [
{
type = "string"
value = [
"string"
]
}
]
customImage = "string"
dataTypes = [
{
lastDataReceivedQuery = "string"
name = "string"
}
]
descriptionMarkdown = "string"
graphQueries = [
{
baseQuery = "string"
legend = "string"
metricName = "string"
}
]
graphQueriesTableName = "string"
instructionSteps = [
{
description = "string"
instructions = [
{
parameters = ?
type = "string"
}
]
title = "string"
}
]
permissions = {
customs = [
{
description = "string"
name = "string"
}
]
resourceProvider = [
{
permissionsDisplayText = "string"
provider = "string"
providerDisplayName = "string"
requiredPermissions = {
action = bool
delete = bool
read = bool
write = bool
}
scope = "string"
}
]
}
publisher = "string"
sampleQueries = [
{
description = "string"
query = "string"
}
]
title = "string"
}
pollingConfig = {
auth = {
apiKeyIdentifier = "string"
apiKeyName = "string"
authorizationEndpoint = "string"
authorizationEndpointQueryParameters = ?
authType = "string"
flowName = "string"
isApiKeyInPostPayload = "string"
isClientSecretInHeader = bool
redirectionEndpoint = "string"
scope = "string"
tokenEndpoint = "string"
tokenEndpointHeaders = ?
tokenEndpointQueryParameters = ?
}
isActive = bool
paging = {
nextPageParaName = "string"
nextPageTokenJsonPath = "string"
pageCountAttributePath = "string"
pageSize = int
pageSizeParaName = "string"
pageTimeStampAttributePath = "string"
pageTotalCountAttributePath = "string"
pagingType = "string"
searchTheLatestTimeStampFromEventsList = "string"
}
request = {
apiEndpoint = "string"
endTimeAttributeName = "string"
headers = ?
httpMethod = "string"
queryParameters = ?
queryParametersTemplate = "string"
queryTimeFormat = "string"
queryWindowInMin = int
rateLimitQps = int
retryCount = int
startTimeAttributeName = "string"
timeoutInSeconds = int
}
response = {
eventsJsonPaths = [
"string"
]
isGzipCompressed = bool
successStatusJsonPath = "string"
successStatusValue = "string"
}
}
}
}
For AmazonWebServicesCloudTrail, use:
{
kind = "AmazonWebServicesCloudTrail"
properties = {
awsRoleArn = "string"
dataTypes = {
logs = {
state = "string"
}
}
}
}
For AmazonWebServicesS3, use:
{
kind = "AmazonWebServicesS3"
properties = {
dataTypes = {
logs = {
state = "string"
}
}
destinationTable = "string"
roleArn = "string"
sqsUrls = [
"string"
]
}
}
For AzureActiveDirectory, use:
{
kind = "AzureActiveDirectory"
properties = {
dataTypes = {
alerts = {
state = "string"
}
}
tenantId = "string"
}
}
For AzureAdvancedThreatProtection, use:
{
kind = "AzureAdvancedThreatProtection"
properties = {
dataTypes = {
alerts = {
state = "string"
}
}
tenantId = "string"
}
}
For AzureSecurityCenter, use:
{
kind = "AzureSecurityCenter"
properties = {
dataTypes = {
alerts = {
state = "string"
}
}
subscriptionId = "string"
}
}
For Dynamics365, use:
{
kind = "Dynamics365"
properties = {
dataTypes = {
dynamics365CdsActivities = {
state = "string"
}
}
tenantId = "string"
}
}
For GCP, use:
{
kind = "GCP"
properties = {
auth = {
projectNumber = "string"
serviceAccountEmail = "string"
workloadIdentityProviderId = "string"
}
connectorDefinitionName = "string"
dcrConfig = {
dataCollectionEndpoint = "string"
dataCollectionRuleImmutableId = "string"
streamName = "string"
}
request = {
projectId = "string"
subscriptionNames = [
"string"
]
}
}
}
For GenericUI, use:
{
kind = "GenericUI"
properties = {
connectorUiConfig = {
availability = {
isPreview = bool
status = "1"
}
connectivityCriteria = [
{
type = "string"
value = [
"string"
]
}
]
customImage = "string"
dataTypes = [
{
lastDataReceivedQuery = "string"
name = "string"
}
]
descriptionMarkdown = "string"
graphQueries = [
{
baseQuery = "string"
legend = "string"
metricName = "string"
}
]
graphQueriesTableName = "string"
instructionSteps = [
{
description = "string"
instructions = [
{
parameters = ?
type = "string"
}
]
title = "string"
}
]
permissions = {
customs = [
{
description = "string"
name = "string"
}
]
resourceProvider = [
{
permissionsDisplayText = "string"
provider = "string"
providerDisplayName = "string"
requiredPermissions = {
action = bool
delete = bool
read = bool
write = bool
}
scope = "string"
}
]
}
publisher = "string"
sampleQueries = [
{
description = "string"
query = "string"
}
]
title = "string"
}
}
}
For IOT, use:
{
kind = "IOT"
properties = {
dataTypes = {
alerts = {
state = "string"
}
}
subscriptionId = "string"
}
}
For MicrosoftCloudAppSecurity, use:
{
kind = "MicrosoftCloudAppSecurity"
properties = {
dataTypes = {
alerts = {
state = "string"
}
discoveryLogs = {
state = "string"
}
}
tenantId = "string"
}
}
For MicrosoftDefenderAdvancedThreatProtection, use:
{
kind = "MicrosoftDefenderAdvancedThreatProtection"
properties = {
dataTypes = {
alerts = {
state = "string"
}
}
tenantId = "string"
}
}
For MicrosoftPurviewInformationProtection, use:
{
kind = "MicrosoftPurviewInformationProtection"
properties = {
dataTypes = {
logs = {
state = "string"
}
}
tenantId = "string"
}
}
For MicrosoftThreatIntelligence, use:
{
kind = "MicrosoftThreatIntelligence"
properties = {
dataTypes = {
microsoftEmergingThreatFeed = {
lookbackPeriod = "string"
state = "string"
}
}
tenantId = "string"
}
}
For MicrosoftThreatProtection, use:
{
kind = "MicrosoftThreatProtection"
properties = {
dataTypes = {
alerts = {
state = "string"
}
incidents = {
state = "string"
}
}
filteredProviders = {
alerts = [
"string"
]
}
tenantId = "string"
}
}
For Office365, use:
{
kind = "Office365"
properties = {
dataTypes = {
exchange = {
state = "string"
}
sharePoint = {
state = "string"
}
teams = {
state = "string"
}
}
tenantId = "string"
}
}
For Office365Project, use:
{
kind = "Office365Project"
properties = {
dataTypes = {
logs = {
state = "string"
}
}
tenantId = "string"
}
}
For OfficeATP, use:
{
kind = "OfficeATP"
properties = {
dataTypes = {
alerts = {
state = "string"
}
}
tenantId = "string"
}
}
For OfficeIRM, use:
{
kind = "OfficeIRM"
properties = {
dataTypes = {
alerts = {
state = "string"
}
}
tenantId = "string"
}
}
For OfficePowerBI, use:
{
kind = "OfficePowerBI"
properties = {
dataTypes = {
logs = {
state = "string"
}
}
tenantId = "string"
}
}
For PurviewAudit, use:
{
kind = "PurviewAudit"
properties = {
connectorDefinitionName = "string"
dataTypes = {
logs = {
state = "string"
}
}
dcrConfig = {
dataCollectionEndpoint = "string"
dataCollectionRuleImmutableId = "string"
streamName = "string"
}
sourceType = "string"
tenantId = "string"
}
}
For RestApiPoller, use:
{
kind = "RestApiPoller"
properties = {
addOnAttributes = {
{customized property} = "string"
}
auth = {
type = "string"
// For remaining properties, see CcpAuthConfig objects
}
connectorDefinitionName = "string"
dataType = "string"
dcrConfig = {
dataCollectionEndpoint = "string"
dataCollectionRuleImmutableId = "string"
streamName = "string"
}
isActive = bool
paging = {
pageSize = int
pageSizeParameterName = "string"
pagingType = "string"
}
request = {
apiEndpoint = "string"
endTimeAttributeName = "string"
headers = {
{customized property} = "string"
}
httpMethod = "string"
isPostPayloadJson = bool
queryParameters = {
{customized property} = ?
}
queryParametersTemplate = "string"
queryTimeFormat = "string"
queryTimeIntervalAttributeName = "string"
queryTimeIntervalDelimiter = "string"
queryTimeIntervalPrepend = "string"
queryWindowInMin = int
rateLimitQPS = int
retryCount = int
startTimeAttributeName = "string"
timeoutInSeconds = int
}
response = {
compressionAlgo = "string"
convertChildPropertiesToArray = bool
csvDelimiter = "string"
csvEscape = "string"
eventsJsonPaths = [
"string"
]
format = "string"
hasCsvBoundary = bool
hasCsvHeader = bool
isGzipCompressed = bool
successStatusJsonPath = "string"
successStatusValue = "string"
}
}
}
For ThreatIntelligence, use:
{
kind = "ThreatIntelligence"
properties = {
dataTypes = {
indicators = {
state = "string"
}
}
tenantId = "string"
tipLookbackPeriod = "string"
}
}
For ThreatIntelligenceTaxii, use:
{
kind = "ThreatIntelligenceTaxii"
properties = {
collectionId = "string"
dataTypes = {
taxiiClient = {
state = "string"
}
}
friendlyName = "string"
password = "string"
pollingFrequency = "string"
taxiiLookbackPeriod = "string"
taxiiServer = "string"
tenantId = "string"
userName = "string"
workspaceId = "string"
}
}
CcpAuthConfig objects
Set the type property to specify the type of object.
For APIKey, use:
{
apiKey = "string"
apiKeyIdentifier = "string"
apiKeyName = "string"
isApiKeyInPostPayload = bool
type = "APIKey"
}
For AWS, use:
{
externalId = "string"
roleArn = "string"
type = "AWS"
}
For Basic, use:
{
password = "string"
type = "Basic"
userName = "string"
}
For GCP, use:
{
projectNumber = "string"
serviceAccountEmail = "string"
type = "GCP"
workloadIdentityProviderId = "string"
}
For GitHub, use:
{
installationId = "string"
type = "GitHub"
}
For JwtToken, use:
{
headers = {
{customized property} = "string"
}
isCredentialsInHeaders = bool
isJsonRequest = bool
password = {
{customized property} = "string"
}
queryParameters = {
{customized property} = "string"
}
requestTimeoutInSeconds = int
tokenEndpoint = "string"
type = "JwtToken"
userName = {
{customized property} = "string"
}
}
For None, use:
{
type = "None"
}
For OAuth2, use:
{
accessTokenPrepend = "string"
authorizationCode = "string"
authorizationEndpoint = "string"
authorizationEndpointHeaders = {
{customized property} = "string"
}
authorizationEndpointQueryParameters = {
{customized property} = "string"
}
clientId = "string"
clientSecret = "string"
grantType = "string"
isCredentialsInHeaders = bool
isJwtBearerFlow = bool
redirectUri = "string"
scope = "string"
tokenEndpoint = "string"
tokenEndpointHeaders = {
{customized property} = "string"
}
tokenEndpointQueryParameters = {
{customized property} = "string"
}
type = "OAuth2"
}
For Oracle, use:
{
pemFile = "string"
publicFingerprint = "string"
tenantId = "string"
type = "Oracle"
userId = "string"
}
For ServiceBus, use:
{
credentialsConfig = {
{customized property} = "string"
}
storageAccountCredentialsConfig = {
{customized property} = "string"
}
type = "ServiceBus"
}
For Session, use:
{
headers = {
{customized property} = "string"
}
isPostPayloadJson = bool
password = {
{customized property} = "string"
}
queryParameters = {
{customized property} = ?
}
sessionIdName = "string"
sessionLoginRequestUri = "string"
sessionTimeoutInMinutes = int
type = "Session"
userName = {
{customized property} = "string"
}
}
Property values
AADDataConnector
| Name |
Description |
Value |
| kind |
The data connector kind |
'AzureActiveDirectory' (required) |
| properties |
AADIP (Azure Active Directory Identity Protection) data connector properties. |
AADDataConnectorProperties |
AADDataConnectorProperties
| Name |
Description |
Value |
| dataTypes |
The available data types for the connector. |
AlertsDataTypeOfDataConnector |
| tenantId |
The tenant id to connect to, and get the data from. |
string (required) |
AatpDataConnector
| Name |
Description |
Value |
| kind |
The data connector kind |
'AzureAdvancedThreatProtection' (required) |
| properties |
AATP (Azure Advanced Threat Protection) data connector properties. |
AatpDataConnectorProperties |
AatpDataConnectorProperties
| Name |
Description |
Value |
| dataTypes |
The available data types for the connector. |
AlertsDataTypeOfDataConnector |
| tenantId |
The tenant id to connect to, and get the data from. |
string (required) |
AlertsDataTypeOfDataConnector
ApiKeyAuthModel
| Name |
Description |
Value |
| apiKey |
API Key for the user secret key credential |
string (required) |
| apiKeyIdentifier |
API Key Identifier |
string |
| apiKeyName |
API Key name |
string (required) |
| isApiKeyInPostPayload |
Flag to indicate if API key is set in HTTP POST payload |
bool |
| type |
The auth type |
'APIKey' (required) |
ApiPollingParameters
ASCDataConnector
| Name |
Description |
Value |
| kind |
The data connector kind |
'AzureSecurityCenter' (required) |
| properties |
ASC (Azure Security Center) data connector properties. |
ASCDataConnectorProperties |
ASCDataConnectorProperties
| Name |
Description |
Value |
| dataTypes |
The available data types for the connector. |
AlertsDataTypeOfDataConnector |
| subscriptionId |
The subscription id to connect to, and get the data from. |
string |
Availability
| Name |
Description |
Value |
| isPreview |
Set connector as preview |
bool |
| status |
The connector Availability Status |
'1' |
AWSAuthModel
| Name |
Description |
Value |
| externalId |
AWS STS assume role external ID. This is used to prevent the confused deputy problem: 'https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html' |
string |
| roleArn |
AWS STS assume role ARN |
string (required) |
| type |
The auth type |
'AWS' (required) |
AwsCloudTrailDataConnector
| Name |
Description |
Value |
| kind |
The data connector kind |
'AmazonWebServicesCloudTrail' (required) |
| properties |
Amazon Web Services CloudTrail data connector properties. |
AwsCloudTrailDataConnectorProperties |
AwsCloudTrailDataConnectorDataTypes
AwsCloudTrailDataConnectorDataTypesLogs
| Name |
Description |
Value |
| state |
Describe whether this data type connection is enabled or not. |
'Disabled'
'Enabled' (required) |
AwsCloudTrailDataConnectorProperties
| Name |
Description |
Value |
| awsRoleArn |
The Aws Role Arn (with CloudTrailReadOnly policy) that is used to access the Aws account. |
string |
| dataTypes |
The available data types for the connector. |
AwsCloudTrailDataConnectorDataTypes (required) |
AwsS3DataConnector
| Name |
Description |
Value |
| kind |
The data connector kind |
'AmazonWebServicesS3' (required) |
| properties |
Amazon Web Services S3 data connector properties. |
AwsS3DataConnectorProperties |
AwsS3DataConnectorDataTypes
AwsS3DataConnectorDataTypesLogs
| Name |
Description |
Value |
| state |
Describe whether this data type connection is enabled or not. |
'Disabled'
'Enabled' (required) |
AwsS3DataConnectorProperties
| Name |
Description |
Value |
| dataTypes |
The available data types for the connector. |
AwsS3DataConnectorDataTypes (required) |
| destinationTable |
The logs destination table name in LogAnalytics. |
string (required) |
| roleArn |
The Aws Role Arn that is used to access the Aws account. |
string (required) |
| sqsUrls |
The AWS sqs urls for the connector. |
string[] (required) |
BasicAuthModel
| Name |
Description |
Value |
| password |
The password |
string (required) |
| type |
The auth type |
'Basic' (required) |
| userName |
The user name. |
string (required) |
CcpAuthConfig
CcpResponseConfig
| Name |
Description |
Value |
| compressionAlgo |
The compression algorithm. For Example: 'gzip', 'multi-gzip', 'deflate'. |
string |
| convertChildPropertiesToArray |
The value indicating whether the response isn't an array of events / logs. By setting this flag to true it means the remote server will response with an object which each property has as a value an array of events / logs. |
bool |
| csvDelimiter |
The csv delimiter, in case the response format is CSV. |
string |
| csvEscape |
The character used to escape characters in CSV. |
string
Constraints:
Min length = 1
Max length = 1 |
| eventsJsonPaths |
The json paths, '$' char is the json root. |
string[] (required) |
| format |
The response format. possible values are json,csv,xml |
string |
| hasCsvBoundary |
The value indicating whether the response has CSV boundary in case the response in CSV format. |
bool |
| hasCsvHeader |
The value indicating whether the response has headers in case the response in CSV format. |
bool |
| isGzipCompressed |
The value indicating whether the remote server support Gzip and we should expect Gzip response. |
bool |
| successStatusJsonPath |
The value where the status message/code should appear in the response. |
string |
| successStatusValue |
The status value. |
string |
CodelessApiPollingDataConnector
| Name |
Description |
Value |
| kind |
The data connector kind |
'APIPolling' (required) |
| properties |
Codeless poling data connector properties |
ApiPollingParameters |
CodelessConnectorPollingAuthProperties
| Name |
Description |
Value |
| apiKeyIdentifier |
A prefix send in the header before the actual token |
string |
| apiKeyName |
The header name which the token is sent with |
string |
| authorizationEndpoint |
The endpoint used to authorize the user, used in Oauth 2.0 flow |
string |
| authorizationEndpointQueryParameters |
The query parameters used in authorization request, used in Oauth 2.0 flow |
any |
| authType |
The authentication type |
string (required) |
| flowName |
Describes the flow name, for example 'AuthCode' for Oauth 2.0 |
string |
| isApiKeyInPostPayload |
Marks if the key should sent in header |
string |
| isClientSecretInHeader |
Marks if we should send the client secret in header or payload, used in Oauth 2.0 flow |
bool |
| redirectionEndpoint |
The redirect endpoint where we will get the authorization code, used in Oauth 2.0 flow |
string |
| scope |
The OAuth token scope |
string |
| tokenEndpoint |
The endpoint used to issue a token, used in Oauth 2.0 flow |
string |
| tokenEndpointHeaders |
The query headers used in token request, used in Oauth 2.0 flow |
any |
| tokenEndpointQueryParameters |
The query parameters used in token request, used in Oauth 2.0 flow |
any |
CodelessConnectorPollingConfigProperties
CodelessConnectorPollingPagingProperties
| Name |
Description |
Value |
| nextPageParaName |
Defines the name of a next page attribute |
string |
| nextPageTokenJsonPath |
Defines the path to a next page token JSON |
string |
| pageCountAttributePath |
Defines the path to a page count attribute |
string |
| pageSize |
Defines the paging size |
int |
| pageSizeParaName |
Defines the name of the page size parameter |
string |
| pageTimeStampAttributePath |
Defines the path to a paging time stamp attribute |
string |
| pageTotalCountAttributePath |
Defines the path to a page total count attribute |
string |
| pagingType |
Describes the type. could be 'None', 'PageToken', 'PageCount', 'TimeStamp' |
string (required) |
| searchTheLatestTimeStampFromEventsList |
Determines whether to search for the latest time stamp in the events list |
string |
CodelessConnectorPollingRequestProperties
| Name |
Description |
Value |
| apiEndpoint |
Describe the endpoint we should pull the data from |
string (required) |
| endTimeAttributeName |
This will be used the query events from the end of the time window |
string |
| headers |
Describe the headers sent in the poll request |
any |
| httpMethod |
The http method type we will use in the poll request, GET or POST |
string (required) |
| queryParameters |
Describe the query parameters sent in the poll request |
any |
| queryParametersTemplate |
For advanced scenarios for example user name/password embedded in nested JSON payload |
string |
| queryTimeFormat |
The time format will be used the query events in a specific window |
string (required) |
| queryWindowInMin |
The window interval we will use the pull the data |
int (required) |
| rateLimitQps |
Defines the rate limit QPS |
int |
| retryCount |
Describe the amount of time we should try and poll the data in case of failure |
int |
| startTimeAttributeName |
This will be used the query events from a start of the time window |
string |
| timeoutInSeconds |
The number of seconds we will consider as a request timeout |
int |
CodelessConnectorPollingResponseProperties
| Name |
Description |
Value |
| eventsJsonPaths |
Describes the path we should extract the data in the response |
string[] (required) |
| isGzipCompressed |
Describes if the data in the response is Gzip |
bool |
| successStatusJsonPath |
Describes the path we should extract the status code in the response |
string |
| successStatusValue |
Describes the path we should extract the status value in the response |
string |
CodelessParameters
CodelessUiConnectorConfigProperties
CodelessUiConnectorConfigPropertiesConnectivityCriteriaItem
| Name |
Description |
Value |
| type |
type of connectivity |
'IsConnectedQuery' |
| value |
Queries for checking connectivity |
string[] |
CodelessUiConnectorConfigPropertiesDataTypesItem
| Name |
Description |
Value |
| lastDataReceivedQuery |
Query for indicate last data received |
string |
| name |
Name of the data type to show in the graph. can be use with {{graphQueriesTableName}} placeholder |
string |
CodelessUiConnectorConfigPropertiesGraphQueriesItem
| Name |
Description |
Value |
| baseQuery |
The base query for the graph |
string |
| legend |
The legend for the graph |
string |
| metricName |
the metric that the query is checking |
string |
CodelessUiConnectorConfigPropertiesInstructionStepsItem
| Name |
Description |
Value |
| description |
Instruction step description |
string |
| instructions |
Instruction step details |
InstructionStepsInstructionsItem[] |
| title |
Instruction step title |
string |
CodelessUiConnectorConfigPropertiesSampleQueriesItem
| Name |
Description |
Value |
| description |
The sample query description |
string |
| query |
the sample query |
string |
CodelessUiDataConnector
| Name |
Description |
Value |
| kind |
The data connector kind |
'GenericUI' (required) |
| properties |
Codeless UI data connector properties |
CodelessParameters |
DataConnectorDataTypeCommon
| Name |
Description |
Value |
| state |
Describe whether this data type connection is enabled or not. |
'Disabled'
'Enabled' (required) |
DCRConfiguration
| Name |
Description |
Value |
| dataCollectionEndpoint |
Represents the data collection ingestion endpoint in log analytics. |
string (required) |
| dataCollectionRuleImmutableId |
The data collection rule immutable id, the rule defines the transformation and data destination. |
string (required) |
| streamName |
The stream we are sending the data to. |
string (required) |
Dynamics365DataConnector
Dynamics365DataConnectorDataTypes
Dynamics365DataConnectorDataTypesDynamics365CdsActivities
| Name |
Description |
Value |
| state |
Describe whether this data type connection is enabled or not. |
'Disabled'
'Enabled' (required) |
Dynamics365DataConnectorProperties
| Name |
Description |
Value |
| dataTypes |
The available data types for the connector. |
Dynamics365DataConnectorDataTypes (required) |
| tenantId |
The tenant id to connect to, and get the data from. |
string (required) |
GCPAuthModel
| Name |
Description |
Value |
| projectNumber |
GCP Project Number |
string (required) |
| serviceAccountEmail |
GCP Service Account Email |
string (required) |
| type |
The auth type |
'GCP' (required) |
| workloadIdentityProviderId |
GCP Workload Identity Provider ID |
string (required) |
GCPAuthProperties
| Name |
Description |
Value |
| projectNumber |
The GCP project number. |
string (required) |
| serviceAccountEmail |
The service account that is used to access the GCP project. |
string (required) |
| workloadIdentityProviderId |
The workload identity provider id that is used to gain access to the GCP project. |
string (required) |
GCPDataConnector
| Name |
Description |
Value |
| kind |
The data connector kind |
'GCP' (required) |
| properties |
Google Cloud Platform data connector properties. |
GCPDataConnectorProperties |
GCPDataConnectorProperties
| Name |
Description |
Value |
| auth |
The auth section of the connector. |
GCPAuthProperties (required) |
| connectorDefinitionName |
The name of the connector definition that represents the UI config. |
string (required) |
| dcrConfig |
The configuration of the destination of the data. |
DCRConfiguration |
| request |
The request section of the connector. |
GCPRequestProperties (required) |
GCPRequestProperties
| Name |
Description |
Value |
| projectId |
The GCP project id. |
string (required) |
| subscriptionNames |
The GCP pub/sub subscription names. |
string[] (required) |
GenericBlobSbsAuthModel
GenericBlobSbsAuthModelCredentialsConfig
GenericBlobSbsAuthModelStorageAccountCredentialsConfig
GitHubAuthModel
| Name |
Description |
Value |
| installationId |
The GitHubApp auth installation id. |
string |
| type |
The auth type |
'GitHub' (required) |
InstructionStepsInstructionsItem
| Name |
Description |
Value |
| parameters |
The parameters for the setting |
any |
| type |
The kind of the setting |
'CopyableLabel'
'InfoMessage'
'InstructionStepsGroup' (required) |
IoTDataConnector
| Name |
Description |
Value |
| kind |
The data connector kind |
'IOT' (required) |
| properties |
IoT data connector properties. |
IoTDataConnectorProperties |
IoTDataConnectorProperties
| Name |
Description |
Value |
| dataTypes |
The available data types for the connector. |
AlertsDataTypeOfDataConnector |
| subscriptionId |
The subscription id to connect to, and get the data from. |
string |
JwtAuthModel
| Name |
Description |
Value |
| headers |
The custom headers we want to add once we send request to token endpoint. |
JwtAuthModelHeaders |
| isCredentialsInHeaders |
Flag indicating whether we want to send the user name and password to token endpoint in the headers. |
bool |
| isJsonRequest |
Flag indicating whether the body request is JSON (header Content-Type = application/json), meaning its a Form URL encoded request (header Content-Type = application/x-www-form-urlencoded). |
bool |
| password |
The password |
JwtAuthModelPassword (required) |
| queryParameters |
The custom query parameter we want to add once we send request to token endpoint. |
JwtAuthModelQueryParameters |
| requestTimeoutInSeconds |
Request timeout in seconds. |
int
Constraints:
Max value = 180 |
| tokenEndpoint |
Token endpoint to request JWT |
string (required) |
| type |
The auth type |
'JwtToken' (required) |
| userName |
The user name. If user name and password sent in header request we only need to populate the value property with the user name (Same as basic auth). If user name and password sent in body request we need to specify the Key and Value. |
JwtAuthModelUserName (required) |
JwtAuthModelPassword
JwtAuthModelQueryParameters
JwtAuthModelUserName
McasDataConnector
| Name |
Description |
Value |
| kind |
The data connector kind |
'MicrosoftCloudAppSecurity' (required) |
| properties |
MCAS (Microsoft Cloud App Security) data connector properties. |
McasDataConnectorProperties |
McasDataConnectorDataTypes
McasDataConnectorProperties
| Name |
Description |
Value |
| dataTypes |
The available data types for the connector. |
McasDataConnectorDataTypes (required) |
| tenantId |
The tenant id to connect to, and get the data from. |
string (required) |
MdatpDataConnector
| Name |
Description |
Value |
| kind |
The data connector kind |
'MicrosoftDefenderAdvancedThreatProtection' (required) |
| properties |
MDATP (Microsoft Defender Advanced Threat Protection) data connector properties. |
MdatpDataConnectorProperties |
MdatpDataConnectorProperties
| Name |
Description |
Value |
| dataTypes |
The available data types for the connector. |
AlertsDataTypeOfDataConnector |
| tenantId |
The tenant id to connect to, and get the data from. |
string (required) |
Microsoft.SecurityInsights/dataConnectors
| Name |
Description |
Value |
| state |
Describe whether this data type connection is enabled or not. |
'Disabled'
'Enabled' (required) |
MstiDataConnector
| Name |
Description |
Value |
| kind |
The data connector kind |
'MicrosoftThreatIntelligence' (required) |
| properties |
Microsoft Threat Intelligence data connector properties. |
MstiDataConnectorProperties |
MstiDataConnectorDataTypes
MstiDataConnectorDataTypesMicrosoftEmergingThreatFeed
| Name |
Description |
Value |
| lookbackPeriod |
The lookback period for the feed to be imported. |
string (required) |
| state |
Describe whether this data type connection is enabled or not. |
'Disabled'
'Enabled' (required) |
MstiDataConnectorProperties
| Name |
Description |
Value |
| dataTypes |
The available data types for the connector. |
MstiDataConnectorDataTypes (required) |
| tenantId |
The tenant id to connect to, and get the data from. |
string (required) |
MTPDataConnector
| Name |
Description |
Value |
| kind |
The data connector kind |
'MicrosoftThreatProtection' (required) |
| properties |
MTP (Microsoft Threat Protection) data connector properties. |
MTPDataConnectorProperties |
MTPDataConnectorDataTypes
MTPDataConnectorDataTypesAlerts
| Name |
Description |
Value |
| state |
Describe whether this data type connection is enabled or not. |
'Disabled'
'Enabled' (required) |
MTPDataConnectorDataTypesIncidents
| Name |
Description |
Value |
| state |
Describe whether this data type connection is enabled or not. |
'Disabled'
'Enabled' (required) |
MTPDataConnectorProperties
| Name |
Description |
Value |
| dataTypes |
The available data types for the connector. |
MTPDataConnectorDataTypes (required) |
| filteredProviders |
The available filtered providers for the connector. |
MtpFilteredProviders |
| tenantId |
The tenant id to connect to, and get the data from. |
string (required) |
MtpFilteredProviders
| Name |
Description |
Value |
| alerts |
Alerts filtered providers. When filters are not applied, all alerts will stream through the MTP pipeline, still in private preview for all products EXCEPT MDA and MDI, which are in GA state. |
String array containing any of:
'microsoftDefenderForCloudApps'
'microsoftDefenderForIdentity' (required) |
NoneAuthModel
| Name |
Description |
Value |
| type |
The auth type |
'None' (required) |
OAuthModel
| Name |
Description |
Value |
| accessTokenPrepend |
Access token prepend. Default is 'Bearer'. |
string |
| authorizationCode |
The user's authorization code. |
string |
| authorizationEndpoint |
The authorization endpoint. |
string |
| authorizationEndpointHeaders |
The authorization endpoint headers. |
OAuthModelAuthorizationEndpointHeaders |
| authorizationEndpointQueryParameters |
The authorization endpoint query parameters. |
OAuthModelAuthorizationEndpointQueryParameters |
| clientId |
The Application (client) ID that the OAuth provider assigned to your app. |
string (required) |
| clientSecret |
The Application (client) secret that the OAuth provider assigned to your app. |
string (required) |
| grantType |
The grant type, usually will be 'authorization code'. |
string (required) |
| isCredentialsInHeaders |
Indicating whether we want to send the clientId and clientSecret to token endpoint in the headers. |
bool |
| isJwtBearerFlow |
A value indicating whether it's a JWT flow. |
bool |
| redirectUri |
The Application redirect url that the user config in the OAuth provider. |
string |
| scope |
The Application (client) Scope that the OAuth provider assigned to your app. |
string |
| tokenEndpoint |
The token endpoint. Defines the OAuth2 refresh token. |
string (required) |
| tokenEndpointHeaders |
The token endpoint headers. |
OAuthModelTokenEndpointHeaders |
| tokenEndpointQueryParameters |
The token endpoint query parameters. |
OAuthModelTokenEndpointQueryParameters |
| type |
The auth type |
'OAuth2' (required) |
OAuthModelAuthorizationEndpointQueryParameters
OAuthModelTokenEndpointQueryParameters
Office365ProjectConnectorDataTypes
Office365ProjectConnectorDataTypesLogs
| Name |
Description |
Value |
| state |
Describe whether this data type connection is enabled or not. |
'Disabled'
'Enabled' (required) |
Office365ProjectDataConnector
Office365ProjectDataConnectorProperties
| Name |
Description |
Value |
| dataTypes |
The available data types for the connector. |
Office365ProjectConnectorDataTypes (required) |
| tenantId |
The tenant id to connect to, and get the data from. |
string (required) |
OfficeATPDataConnector
| Name |
Description |
Value |
| kind |
The data connector kind |
'OfficeATP' (required) |
| properties |
OfficeATP (Office 365 Advanced Threat Protection) data connector properties. |
OfficeATPDataConnectorProperties |
OfficeATPDataConnectorProperties
| Name |
Description |
Value |
| dataTypes |
The available data types for the connector. |
AlertsDataTypeOfDataConnector |
| tenantId |
The tenant id to connect to, and get the data from. |
string (required) |
OfficeDataConnector
| Name |
Description |
Value |
| kind |
The data connector kind |
'Office365' (required) |
| properties |
Office data connector properties. |
OfficeDataConnectorProperties |
OfficeDataConnectorDataTypes
OfficeDataConnectorDataTypesExchange
| Name |
Description |
Value |
| state |
Describe whether this data type connection is enabled or not. |
'Disabled'
'Enabled' (required) |
OfficeDataConnectorDataTypesSharePoint
| Name |
Description |
Value |
| state |
Describe whether this data type connection is enabled or not. |
'Disabled'
'Enabled' (required) |
OfficeDataConnectorDataTypesTeams
| Name |
Description |
Value |
| state |
Describe whether this data type connection is enabled or not. |
'Disabled'
'Enabled' (required) |
OfficeDataConnectorProperties
| Name |
Description |
Value |
| dataTypes |
The available data types for the connector. |
OfficeDataConnectorDataTypes (required) |
| tenantId |
The tenant id to connect to, and get the data from. |
string (required) |
OfficeIRMDataConnector
| Name |
Description |
Value |
| kind |
The data connector kind |
'OfficeIRM' (required) |
| properties |
OfficeIRM (Microsoft Insider Risk Management) data connector properties. |
OfficeIRMDataConnectorProperties |
OfficeIRMDataConnectorProperties
| Name |
Description |
Value |
| dataTypes |
The available data types for the connector. |
AlertsDataTypeOfDataConnector |
| tenantId |
The tenant id to connect to, and get the data from. |
string (required) |
OfficePowerBIConnectorDataTypes
OfficePowerBIConnectorDataTypesLogs
| Name |
Description |
Value |
| state |
Describe whether this data type connection is enabled or not. |
'Disabled'
'Enabled' (required) |
OfficePowerBIDataConnector
OfficePowerBIDataConnectorProperties
| Name |
Description |
Value |
| dataTypes |
The available data types for the connector. |
OfficePowerBIConnectorDataTypes (required) |
| tenantId |
The tenant id to connect to, and get the data from. |
string (required) |
OracleAuthModel
| Name |
Description |
Value |
| pemFile |
Content of the PRM file |
string (required) |
| publicFingerprint |
Public Fingerprint |
string (required) |
| tenantId |
Oracle tenant ID |
string (required) |
| type |
The auth type |
'Oracle' (required) |
| userId |
Oracle user ID |
string (required) |
Permissions
PermissionsCustomsItem
| Name |
Description |
Value |
| description |
Customs permissions description |
string |
| name |
Customs permissions name |
string |
PermissionsResourceProviderItem
| Name |
Description |
Value |
| permissionsDisplayText |
Permission description text |
string |
| provider |
Provider name |
'microsoft.aadiam/diagnosticSettings'
'Microsoft.Authorization/policyAssignments'
'Microsoft.OperationalInsights/solutions'
'Microsoft.OperationalInsights/workspaces'
'Microsoft.OperationalInsights/workspaces/datasources'
'Microsoft.OperationalInsights/workspaces/sharedKeys' |
| providerDisplayName |
Permission provider display name |
string |
| requiredPermissions |
Required permissions for the connector |
RequiredPermissions |
| scope |
Permission provider scope |
'ResourceGroup'
'Subscription'
'Workspace' |
PurviewAuditConnectorDataTypes
PurviewAuditConnectorDataTypesLogs
| Name |
Description |
Value |
| state |
Describe whether this data type connection is enabled or not. |
'Disabled'
'Enabled' (required) |
PurviewAuditDataConnector
PurviewAuditDataConnectorProperties
| Name |
Description |
Value |
| connectorDefinitionName |
The connector definition name (the dataConnectorDefinition resource id). |
string |
| dataTypes |
The available data types for the connector. |
PurviewAuditConnectorDataTypes (required) |
| dcrConfig |
The DCR related properties. |
DCRConfiguration |
| sourceType |
The source type indicates which kind of data is relevant for this connector. |
string |
| tenantId |
The tenant id to connect to, and get the data from. |
string (required) |
RequiredPermissions
| Name |
Description |
Value |
| action |
action permission |
bool |
| delete |
delete permission |
bool |
| read |
read permission |
bool |
| write |
write permission |
bool |
RestApiPollerDataConnector
RestApiPollerDataConnectorProperties
RestApiPollerDataConnectorPropertiesAddOnAttributes
RestApiPollerRequestConfig
| Name |
Description |
Value |
| apiEndpoint |
The API endpoint. |
string (required) |
| endTimeAttributeName |
The query parameter name which the remote server expect to end query. This property goes hand to hand with startTimeAttributeName |
string |
| headers |
The header for the request for the remote server. |
RestApiPollerRequestConfigHeaders |
| httpMethod |
The HTTP method, default value GET. |
'DELETE'
'GET'
'POST'
'PUT' |
| isPostPayloadJson |
Flag to indicate if HTTP POST payload is in JSON format (vs form-urlencoded). |
bool |
| queryParameters |
The HTTP query parameters to RESTful API. |
RestApiPollerRequestConfigQueryParameters |
| queryParametersTemplate |
the query parameters template. Defines the query parameters template to use when passing query parameters in advanced scenarios. |
string |
| queryTimeFormat |
The query time format. A remote server can have a query to pull data from range 'start' to 'end'. This property indicate what is the expected time format the remote server know to parse. |
string |
| queryTimeIntervalAttributeName |
The query parameter name which we need to send the server for query logs in time interval. Should be defined with queryTimeIntervalPrepend and queryTimeIntervalDelimiter |
string |
| queryTimeIntervalDelimiter |
The delimiter string between 2 QueryTimeFormat in the query parameter queryTimeIntervalAttributeName. |
string |
| queryTimeIntervalPrepend |
The string prepend to the value of the query parameter in queryTimeIntervalAttributeName. |
string |
| queryWindowInMin |
The query window in minutes for the request. |
int |
| rateLimitQPS |
The Rate limit queries per second for the request.. |
int |
| retryCount |
The retry count. |
int |
| startTimeAttributeName |
The query parameter name which the remote server expect to start query. This property goes hand to hand with endTimeAttributeName. |
string |
| timeoutInSeconds |
The timeout in seconds. |
int |
RestApiPollerRequestConfigQueryParameters
RestApiPollerRequestPagingConfig
| Name |
Description |
Value |
| pageSize |
Page size |
int |
| pageSizeParameterName |
Page size parameter name |
string |
| pagingType |
Type of paging |
'CountBasedPaging'
'LinkHeader'
'NextPageToken'
'NextPageUrl'
'Offset'
'PersistentLinkHeader'
'PersistentToken' (required) |
SessionAuthModel
| Name |
Description |
Value |
| headers |
HTTP request headers to session service endpoint. |
SessionAuthModelHeaders |
| isPostPayloadJson |
Indicating whether API key is set in HTTP POST payload. |
bool |
| password |
The password attribute name. |
SessionAuthModelPassword (required) |
| queryParameters |
Query parameters to session service endpoint. |
SessionAuthModelQueryParameters |
| sessionIdName |
Session id attribute name from HTTP response header. |
string |
| sessionLoginRequestUri |
HTTP request URL to session service endpoint. |
string |
| sessionTimeoutInMinutes |
Session timeout in minutes. |
int |
| type |
The auth type |
'Session' (required) |
| userName |
The user name attribute key value. |
SessionAuthModelUserName (required) |
SessionAuthModelPassword
SessionAuthModelQueryParameters
SessionAuthModelUserName
TIDataConnector
| Name |
Description |
Value |
| kind |
The data connector kind |
'ThreatIntelligence' (required) |
| properties |
TI (Threat Intelligence) data connector properties. |
TIDataConnectorProperties |
TIDataConnectorDataTypes
TIDataConnectorDataTypesIndicators
| Name |
Description |
Value |
| state |
Describe whether this data type connection is enabled or not. |
'Disabled'
'Enabled' (required) |
TIDataConnectorProperties
| Name |
Description |
Value |
| dataTypes |
The available data types for the connector. |
TIDataConnectorDataTypes (required) |
| tenantId |
The tenant id to connect to, and get the data from. |
string (required) |
| tipLookbackPeriod |
The lookback period for the feed to be imported. |
string |
TiTaxiiDataConnector
| Name |
Description |
Value |
| kind |
The data connector kind |
'ThreatIntelligenceTaxii' (required) |
| properties |
Threat intelligence TAXII data connector properties. |
TiTaxiiDataConnectorProperties |
TiTaxiiDataConnectorDataTypes
TiTaxiiDataConnectorDataTypesTaxiiClient
| Name |
Description |
Value |
| state |
Describe whether this data type connection is enabled or not. |
'Disabled'
'Enabled' (required) |
TiTaxiiDataConnectorProperties
| Name |
Description |
Value |
| collectionId |
The collection id of the TAXII server. |
string |
| dataTypes |
The available data types for Threat Intelligence TAXII data connector. |
TiTaxiiDataConnectorDataTypes (required) |
| friendlyName |
The friendly name for the TAXII server. |
string |
| password |
The password for the TAXII server. |
string |
| pollingFrequency |
The polling frequency for the TAXII server. |
'OnceADay'
'OnceAMinute'
'OnceAnHour' (required) |
| taxiiLookbackPeriod |
The lookback period for the TAXII server. |
string |
| taxiiServer |
The API root for the TAXII server. |
string |
| tenantId |
The tenant id to connect to, and get the data from. |
string (required) |
| userName |
The userName for the TAXII server. |
string |
| workspaceId |
The workspace id. |
string |